Debian

Using a Standard Debian / Ubuntu Kernel on DELL PERCraid Servers

Submitted by craige on August 5, 2006 - 17:23

Assumptions:
This article assumes you have already installed Debian or Ubuntu from one of the many aacraid / PERCraid / megaraid installation CD's that are available online but now want to switch to a supported Debian / Ubuntu packaged kernel to take adavantage of security updates etc.

You will need to install the below packages. I have chosen the kernel-image-2.6.686-smp as Debian is installed on a dual PIII DELL PowerEdge 2450. You will need to choose the appropriate Debian / Ubuntu kernel package that suits your hardware. irqbalance is only for SMP machines:

$ sudo apt-get install initrd-tools irqbalance kernel-image-2.6-686-smp module-i
nit-tools

initrd-tools provides us with mkinitrd which we will need to make an initrd image
kernel-image-2.6-686-smp provides us with a packaged kernel for which we will build the initrd image and replace the existing installation kernel.

As all of the aacraid / PERCraid / Megaraid installation disks I have come across are based on a 2.4 Linux kernel and use lilo, you will most likely need to:

$ sudo vi /etc/lilo.conf

and add an initrd line as per below to the section for the installed kernel

     initrd=/initrd.img

which should result in a completed section for the installed kernel looking something like this:

 image=/vmlinuz
    label=Linux
    read-only
    initrd=/initrd.img

Now edit /etc/mkinitrd/modules to include the module you need for PERCraid:

$ sudo vi /etc/mkinitrd/modules

As the version of PERCraid in the PowerEdge 2450 is Perc2/DC I need to include the megaraid driver and added the below lines to the bottom of /etc/mkinitrd/modules:

#
# Driver for DELL Perc2/DC in DELL PowerEdge 2450
#
megaraid

You will now need to make an initrd image that includes the megaraid driver for the kernel you have installed. In this example, the kernel that the Debian package installed was version 2.6.8-3-686-smp so I ran the following command to build the initrd image:

$ sudo mkinitrd -o /boot/initrd.img-2.6.8-3-686-smp 2.6.8-3-686-smp

You will need to substitute the version above to the versions on your system. To be on the safe side, I keep a copy of the install kernel hanging around so I end up with the following kernels on the file system:

$ ls -l /vmlinuz*
/vmlinuz -> boot/vmlinuz-2.6.8-3-686-smp
/vmlinuz-PERCraid -> /boot/bzImage-PERCraid-2.4.18

I then also add this kernel to /etc/lilo.conf as per below:

 image=/vmlinuz.PERCraid
        label=PERCraid
        read-only
        optional

Make sure that your lilo.conf includes a delay statement and "install=text " then update lilo:

$ sudo lilo
Added Linux *
Added PERCraid
$

Now reboot and make sure your PERcraid rescue CD is handy incase you made a mistake. If everything has been completed correctly then you should be booting into the supported kernel with the initrd image ensuring that PERCraid is handled correctly.

Creating an Ubuntu/Debian PPTP Client

Submitted by craige on June 27, 2006 - 21:09

To configure Ubuntu or Debian as a PPTP client, you will need to install the pptp-linux package first:

$ sudo apt-get install pptp-linux

Now you will need to edit the options.pptp file

sudo vi /etc/ppp/options.pptp

and insert the below line:

lock noauth nobsdcomp nodeflate

Next you will need to modify chap-secrets

$ sudo vi /etc/ppp/chap-secrets

add this line:

$DOMAIN\\$USERNAME PPTP $PASSWORD *

where:
$DOMAIN is the VPN domain name
$USERNAME is your VPN username
$PASSWORD is your VPN password

A completed chap-secrets on a default Dapper setup would look something similar to this:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

MYVPN\\myusername PPTP mypassword *

You will then need to create a tunnel configuration file:

$ sudo vi /etc/ppp/peers/$TUNNEL

where $TUNNEL is the name you wish to give this VPN connection. Now:

$ sudo vi /etc/ppp/peers/MyVPN

and add the following lines:

pty "pptp $SERVER --nolaunchpppd"
name $DOMAIN\\$USERNAME
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam $TUNNEL

where $SERVER is the IP address or hostname of the VPN gateway
where $DOMAIN, $USERNAME and $TUNNEL are as defined earlier.
the resulting file will look something like this:

pty "pptp myvpnserver --nolaunchpppd"
name MYVPN\\myusername
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam MyVPN

The last step you'll need to take is to create a file in /etc/ppp/ip-up.d with the same name as your "peers" file that sets the route to the other network automatically for you:

$ sudo vi /etc/ppp/ip-up.d/MyVPN

which in this example for a class C network will look something like this:

#!/bin/sh  

route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0

Finalise the process by making the file executable:

$ sudo chmod a+x /etc/ppp/ip-up.d/MyVPN

Provide all your settings are correct, you should be able to start the PPTP connection by running:

$ sudo pon MYVPN

You can now run the ifconfig and route -n commands and perhaps ping a host at the other end to make sure the connection is good. The output of which will look similar to this:

$ ifconfig 
eth0    Link encap:Ethernet  HWaddr 00:AA:11:BB:22:CC
           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::20e:35ff:fefc:e95/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:16780 errors:0 dropped:0 overruns:0 frame:0
           TX packets:14489 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:11422112 (10.8 MiB)  TX bytes:1604047 (1.5 MiB)
           Interrupt:5 Base address:0x8000 Memory:e0210000-e0210fff

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:56159 errors:0 dropped:0 overruns:0 frame:0
           TX packets:56159 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:25007982 (23.8 MiB)  TX bytes:25007982 (23.8 MiB)  

ppp0   Link encap:Point-to-Point Protocol
           inet addr:192.168.1.2  P-t-P:192.168.1.1  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1496  Metric:1
           RX packets:7 errors:0 dropped:0 overruns:0 frame:0
           TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:3
           RX bytes:88 (88.0 b)  TX bytes:82 (82.0 b) 

$ route -n 
Kernel IP routing table 
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 
192.168.1.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0 
192.168.0.0     0.0.0.0        255.255.255.0   U     0      0        0 eth0 
192.168.1.0    0.0.0.0         255.255.255.0   U     0      0        0 ppp0 
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0 
$ ping remote-server 
PING remote-server.remote.com.au (192.168.1.101) 56(84) bytes of data. 
64 bytes from remote-server.remote.com.au (192.168.1.101): icmp_seq=1 ttl=254 t
ime=765 ms 
64 bytes from remote-server.remote.com.au (192.168.1.101): icmp_seq=2 ttl=254 t
ime=41.2 ms

Happy PPTP-ing :)

Setting up Your Own x.509 Certificate Authority

Submitted by craige on April 12, 2006 - 11:07

This document details how to setup an OpenSSL Certificate Authority that you can then use to create certificates for internal use, such as IPSec x.509 Virtual Private Networks (VPNs). The steps below are specific for Debian or Ubuntu servers but may be adapted for other Linux distributions.

 

Firstly we need to edit openssl.cnf and change a few defaults: 

$ vi /etc/ssl/openssl.cnf

Change default_days from 365 to 3650 for 10 years of certificate life.

default_days    = 3650                  # how long to certify for

For internal use, this longevity does not present a great security risk and certificates can be revoked at any time. For convenience I like to set a number of fields below the [ req_distinguished_name ] section. The examples below are for a fictional company in Sydney, Australia, change or add these lines as required:

countryName_default             = AU

stateOrProvinceName_default     = New South Wales

localityName_default            = Sydney

0.organizationName_default      = Your Company Pty Ltd

organizationalUnitName_default  = Your Dept.

commonName_default              = Your Company Pty Ltd

emailAddress_default            = somecontact@yourcompany.com

Filling the above in will save a little typing time when generating certificates. Now you need to make a directory for your Certificate Authority and change into it. My preference is to create it under /etc/ssl as follows:

$ sudo mkdir /etc/ssl/YourCompanyCA
$ cd /etc/ssl/YourCompanyCA

At this point I would recommend copying the script /usr/lib/ssl/misc/CA.sh to /etc/ssl/CA.sh and modifying it to create a CA certificate that lasts more than 10 years - 20 years is a nice figure. You will also need to replace demoCA with the directory you created above. I make the following changes:

/etc/ssl/YourCompanyCA $ sudo cp /usr/lib/ssl/misc/CA.sh /etc/ssl/CA.sh
/etc/ssl/YourCompanyCA $ sudo vi /etc/ssl/CA.sh

DAYS="-days 7300"

CATOP=./MyCompanyCA

Now we need to create the CA Certificate. Apart from setting the certificate password, you can take the defaults because you set them earlier:

/etc/ssl/YourCompanyCA $ sudo /etc/ssl/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...............++++++
writing new private key to './YourCompanyCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [New South Wales]:
Locality Name (eg, city) [Sydney]:
Organization Name (eg, company) [Your Company Pty Ltd]:
Organizational Unit Name (eg, section) [Your Dept]:
Common Name (eg, YOUR name) [Your Company Pty Ltd]:
Email Address [somecontact@yourcompany.com]:
/etc/ssl/YourCompanyCA $

Now we will need to create a CRL file which will be needed on any VPN gateways you might have. This will need to be updated any time a certificate is revoked:

/etc/ssl/YourCompanyCA $ openssl ca -gencrl -out crl.pem

Now you have a your very own functioning Certificate Authority and you're ready to generate certificates for what ever purpose you may have.

Making a Debian or Ubuntu Machine an LDAP Authentication Client

Submitted by craige on January 17, 2005 - 18:51

This document details the steps required to make an Ubuntu or Debian machine an LDAP client for authentication purposes.

 

- About Ubuntu Linux
- About Debian GNU/Linux
- About OpenLDAP

 

So you've got an LDAP server floating around and you'd like to have your Ubuntu or Debian client authenticate against it. It's assumed here that you already have an LDAP server and you or your admin can provide the answers to some of the questions asked upon configuration. Firstly, you'll need to open up your favourite package manager and install libpam-ldap and libnss-ldap: 

$ apt-get install libpam-ldap libnss-ldap

This command will bring down all the required libraries to enable you to have your machine authenticating against the LDAP server of your dreams. Once the packages start being unpacked you'll be hit up for a few questions:

  • IP address / hostname of the LDAP server. ie: ldap.my.domain
  • The search base of your LDAP domain. ie: dc=my,dc=domain
  • You'll be asked the version of LDAP server you're connecting to, "Version 3" ought to be safe in most cases.
  • A screen titled "Configuring LIBNSS-LDAP will appear with only the "OK" option. Select it :)
  • On the next screen you'll be asked if you want to make root the DB admin. The best answer is "yes".
  • Now you'll be asked whether the DB requires logging in, say "No"
  • You'll be asked for the root login account for LDAP. It is often something like: cn=manager,dc=my,dc=domain
  • Then you'll need to enter the LDAP password for the aforementioned LDAP account

That will see all the packages installed and the base configurations satisfied. If your LDAP server is already populated with content then at this point you should be able to run commands such as "getent passwd <username>" and if that username is unique to LDAP and you get a response then you answered all the questions correctly. Now you need to customise PAM to make it use LDAP for authentication.You'll need to run the following command: 

$ sudo vi /etc/pam.d/sudo

Once deep in the bowells of the sudo file, you need to add one line above the existing line, something like this: 

auth    sufficient      pam_ldap.so 
auth    required        pam_unix.so

(Note: From Ubuntu 5.10 (Breezy) and Debian 3.1 (Sarge) you no longer need to edit /etc/pam.d/sudo.) This process now gets repeated for four more files, so I'll show the vi command and then the changes required: 

$ sudo vi /etc/pam.d/common-account

account sufficient      pam_ldap.so
account required        pam_unix.so

$ sudo vi /etc/pam.d/common-auth

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure

$ sudo vi /etc/pam.d/common-password

password        sufficient      pam_ldap.so
password   	required   pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vi /etc/pam.d/common-session

session 	sufficient      pam_ldap.so
session 	required        pam_unix.so

Last but not least we need to edit nsswitch.conf: 

$ sudo vi /etc/nsswitch.conf

and once you're in that file, run this command: 

:%s/compat/ldap files/g

Tada! If you've entered in all your local configuration information correctly, you'll have a living breathing LDAP authentication client. Enjoy :)