How to Manage Password Aging in Solaris, AIX, and Linux

It's possible that sometime in your short, meaningless life you may need to create an account whose password is set to never expire. This is sometimes the case with headless accounts and specialty accounts such as the ones you might have to set up for monitoring or security scanning. You might also find yourself setting up shared headless accounts that have locked passwords in order to block direct logins. This second scenario can be especially troublesome when the account is some sort of application or database user with cron jobs, as even an account without a password can expire and lock. If this occurs, all of the user's cron jobs will fail, all because the account expired.

So today we are going to configure a user password not to expire.

Let's start with Solaris. First let's unlock the account just in case. Be aware that on Solaris passwd -d removes the account's password entirely in addition to unlocking it, which is not what you want for an account whose password was locked to block direct logins; passwd -u only unlocks.

passwd -d username

Now you can turn off password aging for a user with the command below.

passwd -x -1 username

You can then verify your config with the following.

passwd -s username

The output of the command above should look similar to what I have below. In this example our user id is myuser.

#passwd -s myuser
myuser  PS

Compare what you see above to the output below for our example myuser1, which includes the date that the password was last changed, the minimum number of days between password changes, the maximum number of days required between password changes, and the number of days of warning a user is given before a password expires. Standard system password aging and expiration still applies.

#passwd -s myuser1
myuser1  PS    09/30/13     7    28     7

Now let's move on to Linux. First let's unlock. Then we will configure the password not to expire. Then we can verify our work with the chage -l command.

passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
chage -l username

So now let's take a visit to AIX land. Remember not to stay long. Again, it's always best to make sure that the account is not locked. Then we configure the password not to expire (maxage=0 means no password aging). Finally we step back and admire our work; note that expires is the account's own expiration date, where 0 means never.

chuser account_locked=false username
chuser maxage=0 username
lsuser -a maxage expires username
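To see which accounts on a box still have aging that can lock them (and so break their cron jobs), here is a small audit script, added here as an example rather than taken from the post. It reads shadow(4)-style records, the layout Linux and Solaris share in /etc/shadow; the sample records are constructed, and a real run would feed it /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original post: audit shadow(4)-style records
# for accounts whose password aging can still expire them.
# Field layout: name:hash:lastchg:min:max:warn:inact:expire:reserved

# Constructed sample; a real audit would read /etc/shadow as root.
SAMPLE_SHADOW='root:$6$abc$hash1:15900:0:99999:7:::
myuser:$6$def$hash2:15900:0::::
myuser1:$6$ghi$hash3:15977:7:28:7:::
svcacct:!:15900:0:90:7:::
scanner:!!:15977:0:99999:7:::
appuser:*:15977:0::::'

# audit_shadow "<records>": prints "name verdict" per record.
#   NEVER           aging disabled (max empty, -1, or >= 99999)
#   EXPIRES         max set on a normal account
#   LOCKED-EXPIRES  password locked (hash starts with ! or *) but max still
#                   set: the headless-account case the post warns about
audit_shadow() {
  printf '%s\n' "$1" | awk -F: '
    NF >= 5 {
      name = $1; hash = $2; max = $5
      locked = (hash ~ /^[!*]/)
      aging_off = (max == "" || max == "-1" || max + 0 >= 99999)
      if (aging_off)   verdict = "NEVER"
      else if (locked) verdict = "LOCKED-EXPIRES"
      else             verdict = "EXPIRES"
      print name, verdict
    }'
}

# verdict_for "<name>": verdict for one account in the sample
verdict_for() {
  audit_shadow "$SAMPLE_SHADOW" | awk -v n="$1" '$1 == n { print $2 }'
}

# flagged_count: how many sample accounts can still age out
flagged_count() {
  audit_shadow "$SAMPLE_SHADOW" | awk '$2 != "NEVER"' | wc -l | tr -d ' '
}
```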


Sudosh Make Me a Sandwich: Install and Configure Sudosh in Solaris 9/10

Welcome to the way-back machine again. This time we are going to take a look at installing and configuring sudosh on Solaris, with the purpose of using sudosh as a replacement for sudo (at least for sudo to root). Using sudosh in this manner still lets users become root, but also lets us track each and every command they run once they are root.

Note that there are a couple of ways to install sudosh: from source or from a package. I chose installing from a native Solaris package for a couple of reasons.

  1. I found a package
  2. I would need a C compiler otherwise to compile it
  3. I had many systems on which to install sudosh

So the first thing that I did was to install the package. Below I have dropped the package in /tmp and gunzipped it.

# pkgadd -d ./sudosh2-1.0.2-sol10-sparc-local

Now, let's not be stupid: let's back up the sudoers file first.

# cd /usr/local/etc/
# cp sudoers sudoers.20140114

Now we can run visudo and modify the current sudoers file. First add the command alias below; it keeps things neat and simple.

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

Now let's reference the alias we created above in the user privilege section. Rinse and repeat for any user or group that is allowed to become root.

systems ALL=(ALL)       SUDOSH

Now we make a modification to /usr/local/etc/sudosh.conf. This step is optional: I am changing the default syslog facility so that sudosh logs with the same facility as regular auth events.

syslog.priority         = LOG_INFO
syslog.facility         = LOG_AUTH

Now I am modifying my syslog.conf to ensure that all log messages of DEBUG level or higher are forwarded to my remote syslog hosts. This includes my sudosh events, which have a priority of INFO. Note that spacing is very important in the Solaris syslog.conf: the selector and action fields must be separated by tabs, not spaces.

#loghost
*.debug @loghost1
*.debug @loghost2

Since this is Solaris 10, we can restart syslog via svcadm.

# svcadm restart svc:/system/system-log:default
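Once sudosh is the only sanctioned route to root, it is worth checking that no other sudoers entry sidesteps it. The script below is an added example, not part of the post or of sudosh: it reads a constructed sudoers excerpt (a real run would read /usr/local/etc/sudoers) and reports every user specification whose command list is anything other than the SUDOSH alias. It understands plain one-line specs only; line continuations and nested aliases are out of scope.

```shell
#!/bin/sh
# Added example, not from the original post: flag sudoers user specs that
# grant something other than the SUDOSH command alias, i.e. root access
# that would not pass through sudosh session logging.

# Constructed sudoers excerpt; a real check would read /usr/local/etc/sudoers.
SAMPLE_SUDOERS='Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
Cmnd_Alias      SHUTDOWN=/usr/sbin/shutdown
root    ALL=(ALL) ALL
systems ALL=(ALL)       SUDOSH
%dba    ALL=(ALL)       SUDOSH, SHUTDOWN
ops     ALL=(ALL) NOPASSWD: ALL
# backup ALL=(ALL) ALL'

# bypass_specs "<sudoers text>" [who]: with no second argument, prints
# "who: commands" for every spec whose command list is not exactly SUDOSH;
# with a user or %group given, prints just that spec's command list.
bypass_specs() {
  printf '%s\n' "$1" | awk -v want="${2:-}" '
    /^[[:space:]]*#/ { next }                              # comments
    NF == 0 { next }                                       # blank lines
    /^(Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|Defaults)/ { next }
    {
      who = $1
      line = $0
      sub(/^[^=]*=/, "", line)                             # drop "who host="
      sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", line)  # drop "(runas)"
      gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[[:space:]]*/, "", line)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
      if (line == "SUDOSH") next
      if (want == "") print who ": " line
      else if (who == want) print line
    }'
}

# count_bypass "<sudoers text>": number of specs that do not go via sudosh
count_bypass() { bypass_specs "$1" | wc -l | tr -d ' '; }
```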


FYI – Relevant xkcd here



Disable SSH for SFTP Users in UNIX and Linux

SFTP is a file transfer mechanism that is an extension of the SSH (Secure Shell) protocol, and by design they share the same configuration file (/etc/ssh/sshd_config). By default, when a user is given access to a server via SSH they also gain access to it via SFTP. However, it is pretty easy to disallow SFTP access with a couple of short lines added to the end of sshd_config.

In this example we could create a Unix group named "no-sftp" and add whatever users we want into it. Then drop the two lines below into sshd_config to block SFTP access for that group.

Match Group no-sftp
Subsystem   sftp  /bin/false

Check the file with sshd -t before restarting sshd: OpenSSH accepts only a limited set of keywords inside a Match block, and Subsystem is not one of them, so on OpenSSH this pair of lines fails the config test.

However, let's consider the opposite scenario…

You have users who should be able to use SFTP to transfer files, but who should not be allowed to log in to the server. You can't just drop a couple of lines into sshd_config to allow SFTP but not SSH, because SSH does not work this way. You also cannot just change the user's shell to something like /bin/false, as that blocks SFTP access as well as SSH access. Note: it is for this very reason that I personally choose never to use SFTP as a file transfer protocol… this is why we have VSFTP. By using a separate daemon with a separate config file you have a lot more control over your environment.

So how do you disable SSH only for these users, you ask? Well, let's look at Linux and Solaris first.

First drop the script below into /usr/local/bin/sftponly and make it executable.

#!/bin/bash
# sshd starts the login shell as "$SHELL -c <command>", so for an SFTP
# session $1 is "-c" and $2 is the path of the sftp-server subsystem.
if [[ "$2" = *sftp-server ]]
then
        # Hand the sftp-server request to a real shell
        exec /bin/bash "$@"
else
        # Anything else (interactive login, scp, remote commands) is refused
        echo "User '$LOGNAME' is only allowed access via sftp."
        exit 1
fi

Now for any user whose SSH access you need to block, just change their shell to /usr/local/bin/sftponly. If they come in via any method other than SFTP they will be booted right off the box, but if they come in via SFTP it's business as usual.

Now AIX is a bit different: here there is actually a built-in mechanism for dealing with such a situation. You change the user's login shell to /usr/sbin/sftp-server, which does pretty much the same thing (as far as blocking SSH access goes) but without the fancy error message.
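A stricter variant of the sftponly shell, added here as an example (not code from the post): rather than accepting any command line that ends in sftp-server, it allows only an exact allowlisted sftp-server path and execs that binary directly, and it logs refused logins to syslog so they show up next to other auth events. The server paths in SFTP_SERVERS are assumptions; set them to match your sshd_config Subsystem line.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter sftponly login shell.
# sshd starts the shell as "$SHELL -c <command>"; only an exact, allowlisted
# sftp-server path is accepted, and it is exec'd directly rather than through
# a second shell, so nothing else on the requested command line can run.

# Assumed sftp-server locations; match these to your sshd_config Subsystem
# line, which must name the server without options for the exact match.
SFTP_SERVERS="/usr/libexec/openssh/sftp-server /usr/lib/openssh/sftp-server /usr/lib/ssh/sftp-server"

# sftp_decision "-c" "<command>": prints ALLOW or DENY (always exits 0)
sftp_decision() {
  if [ "$1" = "-c" ]; then
    for s in $SFTP_SERVERS; do
      if [ "$2" = "$s" ]; then
        echo ALLOW
        return 0
      fi
    done
  fi
  echo DENY
}

# sftponly_main "$@": exec the sftp server, or refuse and record the attempt
sftponly_main() {
  if [ "$(sftp_decision "$@")" = "ALLOW" ]; then
    exec "$2"
  fi
  logger -p auth.info -t sftponly "refused non-sftp login for ${LOGNAME:-unknown}"
  echo "User '${LOGNAME:-unknown}' is only allowed access via sftp." >&2
  exit 1
}

# Dispatch only when installed as the users' shell under the name sftponly,
# so the functions above can also be sourced for testing.
case "$0" in
  */sftponly|sftponly) sftponly_main "$@" ;;
esac
```

Install it as /usr/local/bin/sftponly, since the dispatcher only runs when the script is invoked under that name. On OpenSSH 4.9 and later the same per-group restriction can also be done inside sshd itself with a Match block whose ForceCommand is internal-sftp, without a wrapper shell.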

Note that this is obviously not an ideal solution, but if you are like me and are stuck with a piss-poor configuration and need to block SSH access without reinventing the wheel or breaking any existing processes, and you need to do so quickly and easily, this is the best solution for the money.


Solaris 9: Scan for New SAN LUNs and Veritas Volume Manager Quick Start

Today we are going to take a little trip into the past and learn how to add disks to Solaris 9, put them under Veritas control, and create a disk group and a volume. This information will come in very handy if you accidentally time travel back 10 years and are forced to get a job as a UNIX admin.

First off, note that you may not need to run the command shown directly below, as Solaris may see the disks without performing a LIP (loop initialization). That was not the case for me, so I needed to perform a LIP on each path. First I needed to find my paths, as shown below.

# luxadm -e port

Found path to 2 HBA ports

/devices/pci@1d,700000/SUNW,qlc@1/fp@0,0:devctl                    CONNECTED
/devices/pci@1d,700000/SUNW,qlc@1,1/fp@0,0:devctl                  CONNECTED

Then I forcelip'd each port.

# luxadm -e forcelip /devices/pci@1d,700000/SUNW,qlc@1/fp@0,0:devctl

# luxadm -e forcelip /devices/pci@1d,700000/SUNW,qlc@1,1/fp@0,0:devctl

Then run the configuration command to find your new disks. My new LUNs are the ones that are unconfigured.

# cfgadm -o show_FCP_dev -al
Ap_Id                          Type         Receptacle   Occupant     Condition
c3                             fc-fabric    connected    configured   unknown
c3::50000972085ea995           disk         connected    unconfigured unknown
c3::50060e8005be5830,0         disk         connected    configured   unknown
c3::50060e8005be5830,1         disk         connected    configured   unknown
c4                             fc-fabric    connected    configured   unknown
c4::50000972085ea990           disk         connected    unconfigured unknown
c4::50060e8005be5820,0         disk         connected    configured   unknown
c4::50060e8005be5820,1         disk         connected    configured   unknown

Now let's configure the two disks so that we can use them.

# cfgadm -c configure c3::50000972085ea995
# cfgadm -c configure c4::50000972085ea990

Now Veritas should see the disks, so let's check.

# vxdisk -e -o alldgs list
DEVICE       TYPE           DISK         GROUP        STATUS               OS_NATIVE_NAME            ATTR
disk_4       auto:none      -            -            online invalid       c1t0d0s2                  -
disk_7       auto:none      -            -            online invalid       c1t1d0s2                  -
emc0_061a    auto           -            -            nolabel              c3t50000972085EA995d5s2   tdev
emc0_061b    auto           -            -            nolabel              c3t50000972085EA995d6s2   tdev
emc0_061c    auto           -            -            nolabel              c3t50000972085EA995d7s2   tdev
emc0_061d    auto           -            -            nolabel              c3t50000972085EA995d8s2   tdev
emc0_061e    auto           -            -            nolabel              c3t50000972085EA995d9s2   tdev
emc0_0616    auto           -            -            nolabel              c3t50000972085EA995d1s2   tdev
emc0_0617    auto           -            -            nolabel              c3t50000972085EA995d2s2   tdev
emc0_0618    auto           -            -            nolabel              c3t50000972085EA995d3s2   tdev
emc0_0619    auto           -            -            nolabel              c3t50000972085EA995d4s2   tdev

Each LUN presented above will be used for a specific filesystem/mount. In this specific instance I was given two LUN IDs, 061D and 061E, for a new mount. The rest will be used later to mirror existing mounts.

Now let's label these two LUNs. Using the vxdisk output above, I grab the OS_NATIVE_NAME and use that for the format command.

# format c3t50000972085EA995d8s2 c3t50000972085EA995d9s2

Note how the format command prompts me to label the disks before I can format them. I am not going to format them, just label them.

AVAILABLE DISK SELECTIONS:
       0. c3t50000972085EA995d8s2 <EMC-SYMMETRIX-5874 cyl 54612 alt 2 hd 15 sec 128>
          /pci@1d,700000/SUNW,qlc@1/fp@0,0/ssd@w50000972085ea995,8
       1. c3t50000972085EA995d9s2 <EMC-SYMMETRIX-5874 cyl 54612 alt 2 hd 15 sec 128>
          /pci@1d,700000/SUNW,qlc@1/fp@0,0/ssd@w50000972085ea995,9
Specify disk (enter its number)[0]: 1
selecting c3t50000972085EA995d9s2
[disk formatted]
Disk not labeled.  Label it now? yes
format> quit

Now use vxdiskadm, option 1 (add or initialize one or more disks), to initialize the LUNs. Excerpt below.

Select disk devices to add: [<pattern-list>,all,list,q,?] emc0_061d emc0_061e
  Here are the disks selected.  Output format: [Device_Name]

  emc0_061d emc0_061e

Now let's create our disk group; this one I shall call FDEV2_dg. Note that the command below creates the disk group and adds two disks to it. We are also giving each disk an "alias".

# vxdg init FDEV2_dg FDEV2_dg_d0=emc0_061d  FDEV2_dg_d1=emc0_061e

Now let's create a volume. This volume will be 99g.

# vxassist -g FDEV2_dg make FDEV2_dg_v1 99g layout=stripe

Ok, almost done; let's now slap a file system on that sucka.

# mkfs -F vxfs /dev/vx/rdsk/FDEV2_dg/FDEV2_dg_v1

Now let's add the line below to /etc/vfstab.

/dev/vx/dsk/FDEV2_dg/FDEV2_dg_v1 /dev/vx/rdsk/FDEV2_dg/FDEV2_dg_v1 /u06  vxfs 2 yes suid

And let's mount it.

# mount /u06
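Two of the steps above, picking the unconfigured attachment points out of the cfgadm listing and mapping VxVM device names to OS_NATIVE_NAME for the format command, lend themselves to a little scripting. The helper below is an added example, not from the post; it works over constructed copies of the listings shown above and only prints the commands and names, it does not run anything.

```shell
#!/bin/sh
# Added example, not from the original post: script the two lookups done by
# hand above. Inputs are constructed copies of the listings; nothing is run,
# the helpers only print the commands or names to use.

CFGADM_OUT='Ap_Id                          Type         Receptacle   Occupant     Condition
c3                             fc-fabric    connected    configured   unknown
c3::50000972085ea995           disk         connected    unconfigured unknown
c3::50060e8005be5830,0         disk         connected    configured   unknown
c4                             fc-fabric    connected    configured   unknown
c4::50000972085ea990           disk         connected    unconfigured unknown'

VXDISK_OUT='DEVICE       TYPE        DISK  GROUP  STATUS          OS_NATIVE_NAME            ATTR
disk_4       auto:none   -     -      online invalid  c1t0d0s2                  -
emc0_061d    auto        -     -      nolabel         c3t50000972085EA995d8s2   tdev
emc0_061e    auto        -     -      nolabel         c3t50000972085EA995d9s2   tdev'

# unconfigured_disks "<cfgadm listing>": ap_ids of disk attachment points
# whose Occupant column is still "unconfigured" (the newly presented LUNs)
unconfigured_disks() {
  printf '%s\n' "$1" | awk '$2 == "disk" && $4 == "unconfigured" { print $1 }'
}

# configure_cmds "<cfgadm listing>": one "cfgadm -c configure" line per LUN
configure_cmds() {
  unconfigured_disks "$1" | awk '{ print "cfgadm -c configure " $1 }'
}

# native_names "<vxdisk listing>" dev...: OS_NATIVE_NAME for each VxVM device.
# STATUS can contain a space ("online invalid"), so the name is taken as the
# next-to-last field rather than a fixed column number.
native_names() {
  listing=$1; shift
  for dev in "$@"; do
    printf '%s\n' "$listing" | awk -v d="$dev" '$1 == d { print $(NF-1) }'
  done
}

# format_cmd "<vxdisk listing>" dev...: the format invocation for those LUNs
format_cmd() {
  names=$(native_names "$@" | tr '\n' ' ')
  echo "format ${names% }"
}
```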


Solaris: Password Complexity and Truncation Issues

Wow. Look, a Solaris post. So today I was forced to log into a couple of Solaris boxes and ran into a very annoying issue that I thought I would document for the other 5 people in the world who still use Solaris.

Anyway, I was ssh'ing into the server and found that my password had expired, and I was forced to change it.

Password:
Warning: Your password has expired, please change it now.

So this is fine, as I have a nice password that I like to use that's almost 20 characters long and includes enough character classes to make almost any security auditor happy.

So I attempted to change my existing password and got the following messages:

New Password:
Re-enter new Password:
Warning: your longer password will be truncated to 8 characters.

Weak password: not enough different characters or classes.

What? My password is too long, so Solaris truncates it and then complains that it's not complex enough? Well, that's dumb.

I fought for a little while to try to come up with a decent password, and even generated one on my Linux box to try, but every time it was too long and did not have enough character classes. Finally I came up with the world's hardest-to-type 8-character password and was able to log in.

So how do you fix this truncating issue? Easy.

Edit the file /etc/security/policy.conf and change the CRYPT_DEFAULT line from this…

CRYPT_DEFAULT=__unix__

to this…

CRYPT_DEFAULT=md5

Now you are not limited to 8-character passwords. Password complexity can stay the same and you are not sacrificing security for usability. Two things to keep in mind: the algorithm you pick must also be listed in CRYPT_ALGORITHMS_ALLOW in the same file, and existing hashes stay in the old format until each user next changes their password. On Solaris 10 10/08 and later (and Solaris 11), 5 and 6 (SHA-256 and SHA-512) are available as well and are the stronger choice.
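Because changing CRYPT_DEFAULT only affects passwords set from then on, it is useful to know which accounts still carry a legacy crypt hash (and so a password that was truncated to 8 characters when it was set). The check below is an added example, not from the post; it classifies the hash field of constructed shadow records and reads the active CRYPT_DEFAULT out of a constructed policy.conf fragment.

```shell
#!/bin/sh
# Added example, not from the original post: find accounts whose stored
# hash is still traditional crypt(3) (the scheme behind the 8-character
# truncation) and read the active CRYPT_DEFAULT from a policy.conf text.

# Constructed shadow excerpt. Legacy crypt hashes have no "$id$" prefix;
# Sun MD5 starts with $md5$, SHA-256/SHA-512 with $5$/$6$.
SAMPLE_SHADOW='root:$5$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:15977::::::
jdoe:ab3kdJ82lsAqQ:15900::::::
svc:$md5$abcdefgh$$0123456789abcdefghijkl:15977::::::
nobody:NP:6445::::::
lockedacct:*LK*:15977::::::'

# hash_scheme "<hash field>": classify one stored password field
hash_scheme() {
  case "$1" in
    '$md5$'*)   echo sunmd5 ;;
    '$5$'*)     echo sha256 ;;
    '$6$'*)     echo sha512 ;;
    '$1$'*)     echo md5crypt ;;
    '$2a$'*)    echo blowfish ;;
    ""|NP|'*'*) echo none ;;      # empty, no password, or locked (*LK*)
    *)          echo legacy ;;    # traditional crypt: 8-character limit
  esac
}

# legacy_accounts "<shadow text>": names still on traditional crypt
legacy_accounts() {
  printf '%s\n' "$1" | while IFS=: read -r name hash rest; do
    if [ "$(hash_scheme "$hash")" = "legacy" ]; then
      echo "$name"
    fi
  done
}

# policy_crypt_default "<policy.conf text>": the active (uncommented)
# CRYPT_DEFAULT value, or "unset" if only commented-out lines are present
policy_crypt_default() {
  printf '%s\n' "$1" | awk -F= '
    /^[[:space:]]*CRYPT_DEFAULT=/ { v = $2 }
    END { print (v == "" ? "unset" : v) }'
}
```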

Recovering from failed vxevac


If you have ever evacuated disks in Veritas, every so often this will happen to hang. Usually you terminate your session or who knows what. Kinda like Joe Girardi's willingness to sacrifice outs for no good reason every time the Yankees' hottest hitter is at the plate. It happens, you can't explain it, you move on. Back to technology: vxtask list shows no tasks, but you get errors trying to rerun the failed evac.

For example:

Plex %5 in volume rman is locked by another utility
Plex rman-01 in volume rman is locked by another utility
Subdisk rman_7_tmp-01 in plex rman-01 is locked by another utility

vxprint -hf is our best friend, as it shows you any flags that are set (the TUTIL0 and PUTIL0 columns at the right of each record):

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   ATT1    -
pl %5           rman   ENABLED  11719399168 -     TEMPRM   SDMVTMP -
sd rman_6-01 %5         ENABLED  1953232896 9766166272 -    SDMVDST -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   -
sd rman_1-01 rman-01 ENABLED 1953234688 0     -        -       -
sd rman_2-01 rman-01 ENABLED 1953232896 1953234688 -   -       -
sd rman_3-01 rman-01 ENABLED 1953232896 3906467584 -   -       -
sd rman_4-01 rman-01 ENABLED 1953232896 5859700480 -   -       -
sd rman_5-01 rman-01 ENABLED 1953232896 7812933376 -   -       -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - SDMVSRC -
sd rman_7_tmp-01 rman-01 ENABLED 1953232896 11719399168 - -    -
sd rman_8-01 rman-01 ENABLED 1953232896 13672632064 -  -       -

We can see that we have flags set on the temporary plex (from the failed evac), the subdisk for the temporary plex, the main plex, the subdisk in the main plex, as well as the volume itself. We need to clear the flags to be able to restart our evac. I will also cut the lines of the vxprint output that don't change, for the purpose of shortening this post.

vxmend -g rman_dg clear all rman %5

So we cleared the volume and temp plex flags; here's the vxprint -htf output afterwards:

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       -
pl %5           rman    ENABLED  11719399168 -     TEMPRM   -       -
sd rman_6-01 %5         ENABLED  1953232896 9766166272 -    SDMVDST -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - SDMVSRC -

So now with the flags cleared we can remove the temporary plex:

vxplex -g rman_dg -o rm dis %5

And once again our new vxprint -htf:

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - SDMVSRC -

Great, now down to two flags: the one on the plex and the one on the source disk of our original evac. Clearing flags from subdisks is a lot trickier than clearing flags from volumes and plexes. Because the tutil0 flag is already set, we will need to force the clear. We clear it by setting it to "".

vxedit -g rman_dg -f set tutil0="" rman_6_tmp-01

Once again, vxprint -htf:

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - -     -

And lastly, we clear the flag on the plex. Why in this order? Because I'm writing this up after I fixed my issues. In the interest of not editing vxprint outputs, it's like this. In retrospect, this could have been cleared with the first one we ran in the beginning.

vxmend -g rman_dg clear all rman rman-01

And finally, the way a vxprint -htf should look when all is healthy:

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   -       -
sd rman_1-01 rman-01 ENABLED 1953234688 0     -        -       -
sd rman_2-01 rman-01 ENABLED 1953232896 1953234688 -   -       -
sd rman_3-01 rman-01 ENABLED 1953232896 3906467584 -   -       -
sd rman_4-01 rman-01 ENABLED 1953232896 5859700480 -   -       -
sd rman_5-01 rman-01 ENABLED 1953232896 7812933376 -   -       -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - -     -
sd rman_7_tmp-01 rman-01 ENABLED 1953232896 11719399168 - -    -
sd rman_8-01 rman-01 ENABLED 1953232896 13672632064 -  -       -

At this point, feel free to proceed with your evac again. If you're wondering what the putil and tutil fields are, here is what I found courtesy of Symantec:

http://www.symantec.com/business/support/index?page=content&id=TECH15609
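Rather than reading the tutil0/putil0 columns by eye, the script below (an added example, not part of the guest post) parses a vxprint listing in the format shown above and prints the clear command for each still-locked record, using the same split as the walkthrough: vxmend clear all for volumes and plexes, vxedit -f set for subdisks. The listing is a constructed copy of the first output above, and the disk group name is passed in (rman_dg here); the script only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the original post: find records in a vxprint
# listing that still carry tutil0/putil0 locks and print the command that
# clears each, following the same rules as the walkthrough above.

# Constructed copy of the first listing above. Columns:
# TY NAME ASSOC KSTATE LENGTH PLOFFS STATE TUTIL0 PUTIL0
VXPRINT_OUT='v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   ATT1    -
pl %5           rman   ENABLED  11719399168 -     TEMPRM   SDMVTMP -
sd rman_6-01 %5         ENABLED  1953232896 9766166272 -    SDMVDST -
pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   -
sd rman_1-01 rman-01 ENABLED 1953234688 0     -        -       -
sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 - SDMVSRC -
sd rman_7_tmp-01 rman-01 ENABLED 1953232896 11719399168 - -    -'

# locked_records "<listing>": "TY NAME TUTIL0 PUTIL0" for each v/pl/sd record
# whose tutil0 or putil0 field is set (anything other than "-")
locked_records() {
  printf '%s\n' "$1" | awk '
    NF == 9 && ($1 == "v" || $1 == "pl" || $1 == "sd") && ($8 != "-" || $9 != "-") {
      print $1, $2, $8, $9
    }'
}

# clear_commands "<diskgroup>" "<listing>": one command per locked record.
# Subdisks need a forced vxedit because tutil0 is already set; volumes and
# plexes are cleared together in a single vxmend, as in the walkthrough.
clear_commands() {
  dg=$1
  locked_records "$2" | awk -v dg="$dg" '
    $1 == "sd" {
      f = ""
      if ($3 != "-") f = f " tutil0=\"\""
      if ($4 != "-") f = f " putil0=\"\""
      print "vxedit -g " dg " -f set" f " " $2
      next
    }
    { vp = vp " " $2 }
    END { if (vp != "") print "vxmend -g " dg " clear all" vp }'
}
```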


Guest Authored By: @momkvi


ZFS Cheat Sheets and Quick Commands

Solaris is not dead, at least not yet, which is a good thing, since Solaris 10 included ZFS. What is ZFS, you ask? Well, it's a filesystem and logical volume manager in one. ZFS filesystems are built on top of virtual storage pools called zpools. A zpool is constructed of virtual devices (vdevs), which are themselves constructed of block devices: files, hard drive partitions, or entire drives, with the last being the recommended usage.

Since I do not use ZFS commands that often, I find myself forgetting them all the time. Below is a list of sites that I have found helpful.

http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide

http://www.lildude.co.uk/zfs-cheatsheet/

http://hell.jedicoder.net/?p=45

http://pr.zoinks.org/home/technology/tech-wiki/zfs-cheat-sheet