RHEL 7 Two-Factor SSH Via Google Authenticator

650x300xgoogle-authenticator-header.png.pagespeed.gp+jp+jw+pj+js+rj+rp+rw+ri+cp+md.ic.194erIegOZ.jpg

In this post,  I am going to walk you through the process of installing and configuring two- factor SSH authentication via Google Authenticator. My base system is running a fresh install of RHEL 7.2

Installation Steps

The first step on my system was to install autoreconf, automake, and libtool. These packages are required by the bootstrap.sh script that we will need to in a couple more steps.

# yum -y install autoconf automake libtool

Now, we are going to install Git.

#yum -y install git

One more dependency to knock out. Install pam-devel as shown below.

# yum -y install pam-devel

Next, we clone the google-authenticator Git repo. In this example, I am cloning to /root

# git clone https://github.com/google/google-authenticator.git
Cloning into ‘google-authenticator’…
remote: Counting objects: 1435, done.
remote: Total 1435 (delta 0), reused 0 (delta 0), pack-reused 1435
Receiving objects: 100% (1435/1435), 2.32 MiB | 0 bytes/s, done.
Resolving deltas: 100% (758/758), done.

Now change directory as shown below and run bootstrap.sh.

# cd /root/google-authenticator/libpam

# ./bootstrap.sh

Now run the following commands to finalize the module installs.

# ./configure

#make

#make install

Assuming that you do not run into any errors, the following modules will be installed.

  • /usr/local/lib/security/pam_google_authenticator.so
  • /usr/local/lib/security/pam_google_authenticator.la

Continue reading

RHEL7: Registering a System with the Red Hat Network Using Subscription Manager

howto-draw-octopuses-tutorials_html_101880e

Note that I am about to give you the simpletons version of registering a system. Expect nothing fancy below. In  this post I will do my best to keep it brief.

If you need to register newly build RHEL 7 system using Subscription Manger rather than the ‘rhn_register’ command (which is pretty much deprecated) you will need to run the command as shown below. Including the option  “–auto-attach is pretty much the simplest method to register with RHN, as you  do not need to keep track of any of your subscription names.

[root@rhel7 ~]#  subscription-manager register –username <username> –password <password> –auto-attach

Once auto-attached you can log into rhn.redhat.com, and use the WebUI to pick and choose any additional subscriptions that you want to attach.

Once you have attached as many subscriptions as your heart desires (or you are licensed for) ,you can then run the following command to see each and every yum repository that you have access to, even if they are disabled.

[root@rhel7 ~]# yum repolist all

Depending on the number of repos that you have access to, so you might want to narrow the list down a bit, as shown below.

[root@rhel7 ~]# yum repolist all | grep -i openstack-6

rhel-7-server-openstack-6.0-debug-rpms/7Server/x86_64                           disabled
rhel-7-server-openstack-6.0-installer-debug-rpms/7Server/x86_64             disabled
rhel-7-server-openstack-6.0-installer-rpms/7Server/x86_64                        disabled
rhel-7-server-openstack-6.0-installer-source-rpms/7Server/x86_64            disabled
rhel-7-server-openstack-6.0-rpms/7Server/x86_64                                      disabled
rhel-7-server-openstack-6.0-source-rpms/7Server/x86_64                          disabled

Now you can enable the repos that you need with the command below. Note that the enable option accepts wildcards, but also note the discrepancy in the repo names in the command output above, and in the command below. If you are not passing a wildcard option on the enable command, then you will need to modify the repo names before you can run your command with any bit of success.

[root@rhel7 ~]# subscription-manager repos –enable rhel-7-server-openstack-6.0*
Repository ‘rhel-7-server-openstack-6.0-rpms’ is enabled for this system.
Repository ‘rhel-7-server-openstack-6.0-source-rpms’ is enabled for this system.
Repository ‘rhel-7-server-openstack-6.0-debug-rpms’ is enabled for this system.
Repository ‘rhel-7-server-openstack-6.0-installer-debug-rpms’ is enabled for this system.
Repository ‘rhel-7-server-openstack-6.0-installer-source-rpms’ is enabled for this system.
Repository ‘rhel-7-server-openstack-6.0-installer-rpms’ is enabled for this system.

RHEL7 – How to Set Your Hostname in Redhat Enterprise Linux 7

name-badge

Setting a server’s hostname used to be as simple as running the ‘hostname’ command and adding a “HOSTNAME” entry in /etc/sysconfig/network. However things have changed quite a bit in RHEL7. Apparently, systemd now controls setting a server’s hostname. The ‘hostname‘ command no longer works to set your hostname, however the command is still available just to confuse you.

Now in RHEL 7 you use the command ‘hostnamectl‘. Below is an example of how it works.

Here I have logged into my a RHEL 7.1 VM. You can see that the system appears to have the hostname of node1.

[root@node1 ~]# hostname
node1

However upon further inspection, I find that this is not the case. Rather, the server has a static hostname of localhost.localdomain.

[root@node1 ~]# hostnamectl
Static hostname: localhost.localdomain
Transient hostname: node1
Icon name: computer-vm
Chassis: vm
Machine ID: 4c26a2a3101947bfa2ec7d9c16824ca4
Boot ID: f58707942bd1458da48680025b6f1a53
Virtualization: vmware
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.1:GA:server
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64

So lets set the hostname permanently using ‘hostnamectl’.

[root@node1 ~]# hostnamectl set-hostname node1.packy.lab.localdomain

As you can see the hostname shows correct in the output of the ‘hostname’ command

[root@node1 ~]# hostname
node1.packy.lab.localdomain

… and in the output from ‘hostnamectl’

[root@node1 ~]# hostnamectl
Static hostname: node1.packy.lab.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: 4c26a2a3101947bfa2ec7d9c16824ca4
Boot ID: f58707942bd1458da48680025b6f1a53
Virtualization: vmware
Operating System: Employee SKU
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.1:GA:server
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64

Fedora21 – Quick and Dirty with Firewalld

firewall

Hey, are you new to Firewalld like most of us?

Unless you have been using Firewalld in the last few releases of Fedora, as some out there have, then you probably could probably use a few pointers to get you started on your way to configuring your Linux firewalls the “new-fangled fancy way”. This is especially the case if you plan on moving to RHEL7 anytime soon — as Firewalld is the default there. So put on your big boy (or girl) pants and say goodbye to your old friend IPTABLES.

According to this page. Firewalld is…

“The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network zones to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly”

Wow, how fancy. So how do we use it? Well let’s take a stab at enabling HTTP access to our Fedora21 workstation.

First thing first, lets figure out what our default done is on our workstation.

$ sudo firewall-cmd –get-default-zone
FedoraWorkstation

Ok, thats a bit strange, in RHEL you should expect PUBLIC to be your default zone.  Now that we know what zone we need to mess with let’s make sure that its applied to the proper interfaces.

$ sudo firewall-cmd –get-active-zone
FedoraWorkstation
interfaces: enp4s0 enp5s4 macvtap0 tun0 virbr0

The first two interfaces above are our physical interfaces, so we are good here. Now lets apply the rule, and make sure its permanent.

$ sudo firewall-cmd –permanent –zone=FedoraWorkstation –add-service http
success

Now lets check our rules. Note HTTP is missing.

$ sudo firewall-cmd –list-services
dhcpv6-client mdns samba-client ssh

Since we have only applied this new rule to our permanent config and not to our running config, we need to restart firewalld to see the updated rule.

 $ sudo firewall-cmd –reload

Now your can view the updated rules…

$ sudo firewall-cmd –list-services
dhcpv6-client http mdns samba-client ssh