Tuesday, December 21, 2004

Password History on SUSE Linux

I thought password history on SUSE would be a lot like RedHat. I read through the pam_unix.so README, and it works just like it does on RedHat or Fedora Core. Unfortunately, the default config for SUSE 8.X - 9.X is to make use of pam_unix2.so, which doesn't support password history.

To get around this problem, I found that SUSE makes use of pam_pwcheck, much like RedHat uses pam_stack (albeit pam_stack is far better and much more extensible). pam_pwcheck can be told to remember NNN passwords with the "remember=" directive. To make the change system-wide, you'll need to do the following:

1) Edit /etc/security/pam_pwcheck.conf
2) Append remember=XXX to the uncommented line at the bottom of the file
3) umask 077 && touch /etc/security/opasswd

and you should be off and running.

Remote syslogging on OS X 10.3.7

10.3.7 was supposed to fix the remote syslog problem; unfortunately for us, it didn't.

I've found the whole pipe to be broken, but to make remote syslog work for us on Mac OS X 10.3.7 the following was necessary:

1) In /etc/rc remove the "-s" flag from syslogd
2) Change any @host.domain entries in /etc/syslog.conf to their respective IP addresses and then everything worked fine.

To make sure you are logging remotely and locally, try:
/usr/bin/logger -p daemon.info "This is a test"

To make sure syslog has open files locally, use:
/usr/sbin/lsof | grep syslogd

Disabling ipv6 on Mac OS X 10.3.X

I found out that if you try to "ssh localhost" to perform troubleshooting, you either need to add the ipv6 address for interface lo0 or disable ipv6 altogether. I opted for the larger hammer. I initially tried "ifconfig lo0 inet6 down" and the like, but these commands do nothing for you. After looking in /System/Library/StartupItems for a minute I found "ip6".

ip6 was exactly what I was looking for, so the magic incantation goes like this:

/usr/sbin/ip6 -d lo0

which will stop ip6 on the interface specified, because ip6 -x didn't get me there.

Thursday, December 16, 2004

openssh 3.9 scp authorized_keys command= and from=

I recently wanted to combine the from directive and command directive in the ssh_authorized_keys file to ensure a particular user keypair was constrained to only scp a particular file.

I found the magic incantation in the authorized_keys file to be

from="192.168.1.1",command="scp -f /etc/some/file" ssh-rsa <public key>

Then, no matter what scp file is specified by the user, only the file identified in the authorized_keys file will be transferred.
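
As an added example (not part of the original post), here is a small Python audit that parses authorized_keys lines and reports keys missing the from= or command= options described above. The function names, the sample file and the placeholder key blobs are constructed for illustration; the parser assumes comma-separated options with double-quoted values, where \" escapes a quote.

```python
import re

# One option: a bare name (no-pty) or name="value"; \" escapes a quote in the value.
OPT = r'[\w-]+(?:="(?:\\.|[^"\\])*")?'
# Optional comma-separated options, then the key type, then the base64 key blob.
LINE = re.compile(r'^((?:%s(?:,%s)*)?)\s*((?:ssh|ecdsa)-[\w-]+)\s+(\S+)' % (OPT, OPT))
PAIR = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?')

def parse_key_line(line):
    """Return (options dict, key type) for one authorized_keys line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    opts = {}
    for name, value in PAIR.findall(m.group(1)):
        opts[name.lower()] = value.replace('\\"', '"')
    return opts, m.group(2)

def audit(text, required=("from", "command")):
    """List (line number, missing options) for keys lacking a required option."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append((n, ["unparseable"]))
            continue
        missing = [o for o in required if o not in parsed[0]]
        if missing:
            findings.append((n, missing))
    return findings

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# backup pull key
from="192.168.1.1",command="scp -f /etc/some/file" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@host
command="scp -f /etc/some/file" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER nofrom@host
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER unrestricted@host
from="10.0.0.*,!10.0.0.9",no-pty,command="echo \\"hi, there\\"" ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER quoted@host
'''

if __name__ == "__main__":
    for lineno, missing in audit(SAMPLE):
        print("line %d: missing %s" % (lineno, ", ".join(missing)))
```

Splitting the options field on every comma would break on values such as from="10.0.0.*,!10.0.0.9", which is why the parser tracks the quoted values.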