Tuesday, February 20, 2007

LAN Scan with batch scripting

@ECHO OFF
REM LAN service scan. Pings every host in PEERS.TXT, one IPv4 address per line,
REM then queries the state of every service named in SERVICES.TXT, one service
REM short name per line, on each host that answered, and writes a per-host
REM report and a summary to Net-Service-Query-Report.txt.
REM Requirements: the account running the script needs rights to query the
REM Service Control Manager on the remote hosts and RPC over SMB must be
REM reachable, otherwise every query is reported as NO RPC or as an
REM AUTHENTICATION FAILURE. Hosts that drop ICMP echo are reported DOWN and
REM are never queried.

REM ===TEST PING=========
ECHO ================================================ >>Net-Service-Query-Report.txt
ECHO NETWORK SERVICE SCAN REPORT >>Net-Service-Query-Report.txt
(DATE /T && TIME /T) >>Net-Service-Query-Report.txt
ECHO ================================================ >>Net-Service-Query-Report.txt

FOR /F %%Z IN (PEERS.TXT) DO (
REM Count a host as up only if a reply carrying a TTL came back. Matching
REM Received = 1 is not enough: Windows also counts Destination host
REM unreachable answers from the local gateway as received packets.
(PING -n 1 -w 1000 %%Z|FIND /C "TTL=") >PING.STAT
FOR /F %%P IN (PING.STAT) DO (
IF %%P EQU 1 (
ECHO %%Z >> PING.UP
) ELSE ( ECHO %%Z >> PING.DOWN )
)
DEL PING.STAT
)

FOR /F %%A IN (PING.UP) DO (
REM 2ND FOR LOOP START: one SC query per service on this host
FOR /F %%B IN (SERVICES.TXT) DO (
SC \\%%A QUERY %%B >SERVICES.TMP0
REM Win32 error codes that SC prints when the query fails:
REM   1060 = the service does not exist on that host
REM   1722 = RPC server unavailable: firewalled, RPC stopped or not Windows
REM      5 = access denied: the account has no rights on that host
TYPE SERVICES.TMP0|FIND /C "FAILED 1060:" >SERVICES.TMP1
TYPE SERVICES.TMP0|FIND /C "FAILED 1722:" >SERVICES.TMP2
TYPE SERVICES.TMP0|FIND /C "FAILED 5:" >SERVICES.TMP3

REM On success SC prints a line like STATE : 4  RUNNING and its 4th token is the state
TYPE SERVICES.TMP0|FIND "STATE" >SERVICES.TMP

REM On failure replace that line with a dummy whose 4th token is the reason
FOR /F %%S IN (SERVICES.TMP1) DO (
IF %%S EQU 1 (
ECHO X X X NOT INSTALLED >SERVICES.TMP
)
)

FOR /F %%U IN (SERVICES.TMP2) DO (
IF %%U EQU 1 (
ECHO X X X NO RPC AVAILABLE >SERVICES.TMP
) )

FOR /F %%W IN (SERVICES.TMP3) DO (
IF %%W EQU 1 (
ECHO X X X AUTHENTICATION FAILURE >SERVICES.TMP
) )

REM 3RD FOR LOOP START: record service name and state for this host
FOR /F "TOKENS=4*" %%C IN (SERVICES.TMP) DO (
(ECHO %%B - %%C %%D) >> SERVICES.STATE )
REM 3RD FOR LOOP END

)
REM 2ND FOR LOOP END

DEL /F /Q SERVICES.TMP*

ECHO. >>Net-Service-Query-Report.txt
ECHO ------------------------------------------------ >>Net-Service-Query-Report.txt
ECHO IP::::%%A >>Net-Service-Query-Report.txt
ECHO ------------------------------------------------ >>Net-Service-Query-Report.txt

TYPE SERVICES.STATE >>Net-Service-Query-Report.txt

REM Per-host counts. The TOTAL line counts every line of SERVICES.STATE, i.e. every service queried.
(ECHO RUNNING SERVICES : && TYPE SERVICES.STATE|FIND /C "RUNNING") >SERVICES.RUNCOUNT
(ECHO STOPPED SERVICES : && TYPE SERVICES.STATE|FIND /C "STOPPED") >SERVICES.STOPCOUNT
(ECHO TOTAL SERVICES : && TYPE SERVICES.STATE|FIND /C " ") >SERVICES.COUNT
(ECHO NOT INSTALLED SERVICES : && TYPE SERVICES.STATE|FIND /C "NOT INSTALLED") >SERVICES.NOTINSTALLEDCOUNT
(ECHO NO RPC - FIREWALL : && TYPE SERVICES.STATE|FIND /C "NO RPC") >SERVICES.NORPCCOUNT
(ECHO AUTHENTICATION FAILURE/NON-WINDOWS OS : && TYPE SERVICES.STATE|FIND /C "AUTHENTICATION FAILURE") >SERVICES.AUTHFAILCOUNT

ECHO ******************* SYSTEM SUMMARY ********************* >>Net-Service-Query-Report.txt
TYPE SERVICES.COUNT >>Net-Service-Query-Report.txt
TYPE SERVICES.RUNCOUNT >>Net-Service-Query-Report.txt
TYPE SERVICES.STOPCOUNT >>Net-Service-Query-Report.txt
TYPE SERVICES.NOTINSTALLEDCOUNT >>Net-Service-Query-Report.txt
TYPE SERVICES.NORPCCOUNT >>Net-Service-Query-Report.txt
TYPE SERVICES.AUTHFAILCOUNT >>Net-Service-Query-Report.txt

DEL /F /Q SERVICES.*COUNT SERVICES.STATE

)

ECHO. >>Net-Service-Query-Report.txt
ECHO ################### SCAN SUMMARY ################# >>Net-Service-Query-Report.txt
REM FIND /C /V "" counts every line of the file whatever it contains
ECHO TOTAL MACHINES SCANNED : >>Net-Service-Query-Report.txt
TYPE PEERS.TXT|FIND /C /V "" >>Net-Service-Query-Report.txt
ECHO TOTAL MACHINES UP : >>Net-Service-Query-Report.txt
TYPE PING.UP|FIND /C /V "" >>Net-Service-Query-Report.txt
ECHO TOTAL MACHINES DOWN : >>Net-Service-Query-Report.txt
TYPE PING.DOWN|FIND /C /V "" >>Net-Service-Query-Report.txt
ECHO MACHINES DOWN : >>Net-Service-Query-Report.txt
TYPE PING.DOWN >>Net-Service-Query-Report.txt

DEL /F /Q PING.*

Thursday, February 15, 2007

Cisco IOS User Management

The most basic level of security on a Cisco IOS device is the password. Passwords are set for the router lines and for privilege levels 1 to 15. For finer-grained control we can add administrative users to the local user database and assign each of them a privilege level, instead of handing out the privilege-level passwords themselves.

This will add a user to the router's local user database:
RouterA(config)#username safeer password $my&pass12#$

Assign privilege level 10 to safeer:
RouterA(config)#username safeer privilege 10

Alternatively, we can combine the two commands:
RouterA(config)#username safeer privilege 10 password $my&pass12#$

Note that "username ... password" stores the password in clear text in the configuration (or with the trivially reversible type 7 obfuscation if "service password-encryption" is on). IOS releases that support "username safeer privilege 10 secret ..." store only a one-way hash; use that form wherever it is available.

By default Cisco devices use password-only authentication on their lines. To make a line consult the local user database instead, do as follows.

To enable user-based authentication on the vty lines (telnet, and SSH if it is configured; the highest vty number depends on the platform):

RouterA(config)#line vty 0 197
RouterA(config-line)#login local

Now login to the router through telnet

[safeer@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

User Access Verification

Username: safeer
Password:
RouterA#show privilege
Current privilege level is 10

Now suppose the vty lines are still configured for the line password only (no "login local"), and you have both the telnet password and a username/password pair. Once logged in at level 1 you can use the "login" EXEC command, which makes the router prompt for a username and password and switches you to that user's privilege level:

[safeer@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

User Access Verification

Password:
RouterA>show privilege
Current privilege level is 1
RouterA>login
Username: safeer
Password:
RouterA#show privilege
Current privilege level is 10



Wednesday, February 14, 2007

Cisco IOS Access Privilege Levels

Cisco IOS releases prior to 10.3 had only two levels of access privilege: user EXEC mode (level 1) and privileged EXEC mode (level 15). When one administrator manages all the devices this creates no problem, but in a NOC (Network Operations Centre) environment, where a number of administrators need different levels of access, it is insufficient. This is where access privilege levels come into use.

Cisco IOS has 16 privilege levels, 0 to 15. Level 0 (only disable, enable, exit, help and logout), level 1 (user EXEC) and level 15 (privileged EXEC) are predefined; for the levels in between we can choose which commands a user at each level may run.

Configuration

To access a router you have to use a router line. The most common lines are:
Console - connecting through the router's console port
Auxiliary - connecting to the router's auxiliary port (usually through a dial-up modem)
Vty - virtual teletype, connecting over the network by telnet or SSH

Whichever line you use, you will be prompted for that line's password. Once you have given it you get access to privilege level 1, i.e. user EXEC mode (the default, which can be changed as shown at the end of this post).

The first thing to do is to set a password for each privilege level that is going to be used.

Press RETURN to get started!

User Access Verification

Password:
RouterA>enable                 ! user EXEC mode; go to privileged EXEC mode (level 15)
password:
RouterA#configure terminal     ! enter global configuration mode
RouterA(config)#enable {password | secret} [level X] <password>

where X is any number from 1 to 15.
If "level X" is omitted, level 15 is assumed.
If "enable password" is used, the password is stored in clear text in the configuration (with "service password-encryption" it gets the type 7 obfuscation, which anyone who can read the configuration can reverse).
If "enable secret" is used, only a one-way hash of the password is stored (MD5, "type 5", on classic IOS; newer releases can select SHA-256 or scrypt hashes with "enable algorithm-type"). "enable secret" takes precedence over "enable password" for the same level, so there is no reason to configure both.

Eg:
RouterA(config)#enable secret level 7 &2lvl7pass$#!

which set the level 7 password to "&2lvl7pass$#!"

If you haven't set the password for a particular privilege level, you can't access that level. Suppose no password is set for level 9:
RouterA>enable 9
%Password not set
RouterA>

After this we can assign commands to the different privilege levels.

RouterA(config)#privilege mode level levelnum command

where mode is the command mode the command belongs to, one of:
exec, configure, line, interface, router, etc.

Eg:

Suppose we have to allow an administrator at level 7 to change the IP address of the router interfaces.
RouterA(config)#privilege exec level 7 configure terminal
RouterA(config)#privilege configure level 7 interface
RouterA(config)#privilege interface level 7 ip address

Command 1: Every user starts in EXEC mode; to configure an IP address on an interface the user must first be allowed to enter configuration mode from EXEC mode with the command "configure terminal".
Command 2: From configuration mode the user has to enter interface mode, for which he needs permission to use the command "interface".
Command 3: Now that the user can reach interface mode, he is granted permission to set the IP address from there.

now let the administrator at level 7 login into the router through telnet

[admin7@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

Welcome to RouterA

password:
RouterA>show privilege
Current privilege level is 1

admin7 has logged into the router through telnet. Now go to privilege level 7:

RouterA>enable 7
password:
RouterA#show privilege
Current privilege level is 7
RouterA#configure terminal
RouterA(config)#interface eth1
RouterA(config-if)#?
Interface configuration commands:
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
RouterA(config-if)#ip address 192.168.2.25 255.255.255.0

When a command is assigned to a particular privilege level, all the privilege levels above it automatically get permission to use that command. In the previous example, administrators above level 7 (levels 8 to 15) will also be able to go to interface mode and set the IP address.

Similarly, an administrator at level 7 has permission to use all the commands configured for privilege levels lower than 7.

If you have the passwords for the different privilege levels you can switch between them using the enable and disable commands:

RouterA#show privilege
Current privilege level is 7
RouterA#enable 12
password:
RouterA#show privilege
Current privilege level is 12
RouterA#disable 4
RouterA#show privilege
Current privilege level is 4
RouterA#enable 1
RouterA>show privilege
Current privilege level is 1

The enable command can be used to go to a privilege level above or below the current one (moving up asks for that level's password, moving down does not), while disable can only drop to a lower level and never asks for a password. The default level is 15 for enable and 1 for disable; these values are used if you do not give the level option.

The default privilege level for the router lines (console, auxiliary, vty) is level 1. This can be changed per line as follows.

Suppose you want to change the default privilege level for telnet access to level 5. Beware: this lets anybody who knows the telnet password go straight to privilege level 5 without any further authentication. If you do not know exactly why you need this, never do it!

RouterA#configure terminal
RouterA(config)#line vty 0 197
RouterA(config-line)#privilege level 5

[admin7@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

Welcome to RouterA

password:
RouterA#show privilege
Current privilege level is 5
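The pieces above (local users, per-level enable secrets, command assignment, "login local" on the lines) only make sense together, so here is a complete configuration that applies both this post and the user management post that precedes it. It is an added example, not configuration from the original posts: the host name, domain name, user names, secrets and the vty range are placeholders, and the "username ... secret" form needs an IOS release that supports it (older images only accept "password").

```cisco
! Added example, not configuration from the original posts. Host name, domain
! name, user names, secrets and the vty range are placeholders.
hostname RouterA
ip domain-name example.net
!
! Store hashes, never clear text. "enable secret" and "username ... secret"
! keep a one-way hash; the "password" forms are recoverable from the
! configuration even with service password-encryption turned on.
service password-encryption
enable secret level 7 LEVEL7-SECRET-HERE
enable secret LEVEL15-SECRET-HERE
!
! Local user database. The privilege keyword puts the user straight at that
! level when the line uses "login local"; no "enable" step is needed.
username safeer privilege 10 secret SAFEER-SECRET-HERE
username admin7 privilege 7 secret ADMIN7-SECRET-HERE
!
! Level 7 may enter configuration mode, enter interface mode and set an
! address, and nothing beyond what level 1 already has.
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 ip address
!
! Authenticate the lines against the local database and close telnet: it
! carries the credentials above in clear text. SSH needs a host key, created
! once with "crypto key generate rsa modulus 2048" in configuration mode.
ip ssh version 2
line console 0
 login local
 exec-timeout 10 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! The line-level "privilege level" stays at its default of 1; raising it, as in
! the last example of the post, hands the higher level to anyone who knows
! the line password.
end
```

Verify with "show privilege" after logging in as admin7 over SSH: the session lands directly at level 7 because the username carries the level, so no "enable 7" is needed. Keep "show running-config" out of the lower levels; a level that may configure interfaces should still not be able to read the secrets and keys of the rest of the box.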


Monday, February 12, 2007

Network Cabling

For Ethernet connectivity UTP Cat 5 (unshielded twisted pair, category 5) cable is used. It contains four twisted pairs of copper wire inside a single jacket. The twisting reduces crosstalk, which would otherwise disturb the signal. To identify them, the pairs are colour coded as follows:

Orange-White Orange
Green-White Green
Blue-White Blue
Brown-White Brown

Depending on the devices to be connected, the ends of the cable are crimped into RJ45 plugs in one of three arrangements. (Most current switches and network cards negotiate Auto MDI/MDI-X, so a straight-through cable now works in the crossover cases as well; the distinction still matters for older equipment.)

Straight through Cable

Used for connecting:

Switch/Hub to Computer
Switch/Hub to Router



Crossover Cable

Used to connect:

Switch to Switch
Switch to Hub
Computer to Computer
Router direct to Computer



Rolled (rollover) Cable

Used to connect:

A computer to the console port of a router: one end goes into the router's RJ45 console port, the other into the computer's serial (COM) port through an RJ45-to-DB9 female adapter.


Wednesday, February 7, 2007

SSH login without password

Logging into a remote machine with SSH to administer it is a daily activity for most system administrators, and SSH is considered one of the more secure remote login methods. Usually we supply a username and password to log in, but sometimes it is necessary to log in without typing a password, for example from a script that has to reach a remote machine unattended. Giving a script unrestricted access to an account is discouraged from the security point of view; if it has to be done, use key-based authentication and limit what that key is allowed to do.

To log in over SSH without a password we use authentication based on public keys.

Scenario:

You have a local machine "LinuxBox1" on which you are logged in as "safeer". You want to log in to "LinuxBox2" as "nebu" without a password. You need nebu's password on LinuxBox2 at least until the setup is complete: this is not a way to impersonate other users, you must already be entitled to use the account on the remote machine.

Now generate the public/private key pair.

[safeer@linuxbox1 ~]$ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/safeer/.ssh/id_dsa):
Created directory '/home/safeer/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/safeer/.ssh/id_dsa.
Your public key has been saved in /home/safeer/.ssh/id_dsa.pub.
The key fingerprint is:
fd:e3:b0:a5:35:09:6c:c4:14:25:ae:3d:85:dd:82:5d safeer@linuxbox1

This creates the directory .ssh in the home directory (if it does not already exist) with permission 0700.
/home/safeer/.ssh/id_dsa is the private key for this user
/home/safeer/.ssh/id_dsa.pub is the public key
The file permissions will be
-rw------- id_dsa
-rw-r--r-- id_dsa.pub
Leaving the passphrase blank (just press return) is what makes the unattended login possible, but it also means that anyone who can read id_dsa can log in as nebu; keep the private key on one machine, rely on its file permissions, and for interactive use prefer a passphrase with ssh-agent.
Here I have used the DSA signature algorithm for the key pair. Alternatively you can use RSA (which is actually the default) with "ssh-keygen -t rsa". Current OpenSSH releases no longer accept DSA keys, so on a modern system generate an Ed25519 or RSA key instead ("ssh-keygen -t ed25519").

To login to Linuxbox2 as Nebu, append the public key /home/safeer/.ssh/id_dsa.pub to /home/nebu/.ssh/authorized_keys
(If this file is not already there create it with permission 600)

[safeer@linuxbox1 ~]$scp .ssh/id_dsa.pub nebu@linuxbox2:/home/nebu
nebu@linuxbox2's password:
[safeer@linuxbox1 ~]$ssh nebu@linuxbox2
nebu@linuxbox2's password:
Last login: Wed Feb 7 09:25:01 2007 from linuxbox5
[nebu@linuxbox2 ~]$mkdir -p .ssh
[nebu@linuxbox2 ~]$chmod 0700 .ssh
[nebu@linuxbox2 ~]$cat id_dsa.pub >> .ssh/authorized_keys
[nebu@linuxbox2 ~]$chmod 0600 .ssh/authorized_keys
[nebu@linuxbox2 ~]$rm -f id_dsa.pub

Or you can use this single command (mkdir -p so it also works when .ssh already exists):

[safeer@linuxbox1 ~]$cat .ssh/id_dsa.pub |ssh nebu@linuxbox2 "mkdir -p .ssh && chmod 0700 .ssh && cat >> .ssh/authorized_keys && chmod 0600 .ssh/authorized_keys"
nebu@linuxbox2's password:
[safeer@linuxbox1 ~]$
Everything is setup now. Just try

[safeer@linuxbox1 ~]$ssh nebu@linuxbox2
Last login: Wed Feb 7 09:35:08 2007 from linuxbox1
[nebu@linuxbox2 ~]$

Now you can use ssh, scp and sftp without a password.
Please note that for this to work public key authentication must be enabled on the server in "/etc/ssh/sshd_config":

# Allow Identity Auth for SSH2?
PubkeyAuthentication yes

(and sshd reloaded after the change). If the key is still not accepted, check the permissions: with the default "StrictModes yes" sshd silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. "ssh -v" on the client and the server's auth log show which authentication methods were tried.
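The one-liner above appends the key blindly and gives a key with no passphrase the full rights of the account. The script below is an added example, not part of the original post: it installs a key with the permissions sshd's StrictModes requires, skips keys that are already present, and pins the key to one command (and optionally one source network), which is the usual way to make an unattended scripting key safe. It refuses ssh-dss keys, which current OpenSSH no longer accepts. The key text, paths and command are constructed for the demonstration, and it relies on GNU userland (stat -c, awk, grep).

```shell
#!/bin/sh
# Added example (not from the original post). Installs a public key for an
# automation account the way sshd expects it and confines what the key may do.
# Key text, paths and the allowed command are placeholders for the demo.

# install_authorized_key <pubkey-line> <home-dir> <allowed-command> [from-pattern]
# Appends the key once (duplicates are skipped) as
#   from="<pattern>",command="<cmd>",no-port-forwarding,... <type> <blob>
# so a login with this key can only run <cmd>, cannot open tunnels or a
# terminal and, with a pattern, only from the listed addresses. The key's
# comment field is dropped.
install_authorized_key() {
    local key="$1" home="$2" cmd="$3" from="${4:-}"
    local keyfile="$home/.ssh/authorized_keys" keytype keyblob opts
    keytype=$(printf '%s\n' "$key" | awk '{print $1}')
    keyblob=$(printf '%s\n' "$key" | awk '{print $2}')
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        ssh-dss) echo "refusing DSA key: current OpenSSH disables ssh-dss" >&2; return 2 ;;
        *)       echo "unrecognised key type: $keytype" >&2; return 2 ;;
    esac
    [ -n "$keyblob" ] || { echo "malformed key line" >&2; return 2; }
    # mkdir -p: a plain mkdir, as in the one-liner above, fails when .ssh exists
    mkdir -p "$home/.ssh" && chmod 0700 "$home/.ssh" || return 1
    touch "$keyfile" && chmod 0600 "$keyfile" || return 1
    # Idempotent: if the same key blob is already there, nothing to do
    grep -qF -- "$keyblob" "$keyfile" && return 0
    opts="command=\"$cmd\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
    [ -n "$from" ] && opts="from=\"$from\",$opts"
    printf '%s %s %s\n' "$opts" "$keytype" "$keyblob" >> "$keyfile"
}

# check_strictmodes <home-dir>
# sshd (StrictModes yes, the default) ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is writable by group or others.
# Returns 0 when all three pass that test, 1 otherwise.
check_strictmodes() {
    local home="$1" p mode
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null) || { echo "$p: missing" >&2; return 1; }
        # 022 masks the group and other write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p is group/world writable (mode $mode)" >&2
            return 1
        fi
    done
    return 0
}
```

Run it on LinuxBox2 as nebu, for example: install_authorized_key "$(cat id_ed25519.pub)" "$HOME" /usr/local/bin/backup.sh 192.168.0.0/24. Whatever the client asks to run, sshd executes only the command named in command= (the client's request is still visible to that script in SSH_ORIGINAL_COMMAND, so a wrapper can allow a few rsync or scp forms and reject everything else). check_strictmodes reproduces the permission test that makes a freshly copied key "not work" more often than anything else.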

Monday, February 5, 2007

Creating and applying patches in Linux

Anybody who has worked in software development will have come across the task of updating or patching a project to a newer version. In a development environment this is easy with a version control system such as CVS, SVN or Visual Source Safe; when no such infrastructure is in place, a quick workaround is the simple Linux command "diff" together with its companion "patch".

For the purpose of demonstration we can create a directory structure that looks like a software project .

[safeer@LinuxBox tmp]$mkdir version1;cd version1
[safeer@LinuxBox tmp]$echo "File1version1" > file1;echo "File2version1" > file2
[safeer@LinuxBox tmp]$mkdir includes1;cd includes1
[safeer@LinuxBox tmp]$echo "Lib1version1" > lib1;echo "Lib2version1" > lib2

The project directory looks like this:

version1
|------includes1
| |-------lib1
| |-------lib2
|-------file1
|-------file2

Now I am going to update this project.

[safeer@LinuxBox tmp]$cp -r version1 version2

Whenever you update your project, keep a copy of the original untouched and make your changes only in the fresh copy.

Updating file1 and lib2 (inside the copy, version2):
[safeer@LinuxBox tmp]$cd version2;echo File1version2 >> file1;echo Lib2version2 >> includes1/lib2

Add a new subdirectory and files to the project:
[safeer@LinuxBox version2]$mkdir includes2;echo "Lib3version2" > includes2/lib3;echo "Lib4version2" > includes2/lib4;cd ..

The updated project directory looks like this:

version2
|------includes1
| |-------lib1
| |-------lib2 ====> Updated
|------includes2 ====
| |-------lib3 ==== } Newly added
| |-------lib4 ====
|-------file1 ====> Updated
|-------file2

[safeer@LinuxBox tmp]$ls
version1 version2

Now create the patch file:

[safeer@LinuxBox tmp]$diff -Naur version1 version2 > version-1-2.patch
[safeer@LinuxBox tmp]$cat version-1-2.patch


diff -Naur version1/file1 version2/file1
--- version1/file1 2007-02-05 11:31:08.000000000 +0000
+++ version2/file1 2007-02-05 11:33:34.000000000 +0000

@@ -1 +1,2 @@
File1version1
+File1version2
diff -Naur version1/includes1/lib2 version2/includes1/lib2
--- version1/includes1/lib2 2007-02-05 11:32:20.000000000 +0000
+++ version2/includes1/lib2 2007-02-05 11:34:06.000000000 +0000
@@ -1 +1,2 @@
Lib2version1
+Lib2version2
diff -Naur version1/includes2/lib3 version2/includes2/lib3
--- version1/includes2/lib3 1970-01-01 00:00:00.000000000 +0000
+++ version2/includes2/lib3 2007-02-05 11:35:16.000000000 +0000
@@ -0,0 +1 @@
+Lib3version2
diff -Naur version1/includes2/lib4 version2/includes2/lib4
--- version1/includes2/lib4 1970-01-01 00:00:00.000000000 +0000
+++ version2/includes2/lib4 2007-02-05 11:35:22.000000000 +0000
@@ -0,0 +1 @@
+Lib4version2

Now suppose that our old project is installed in /usr/project/

[safeer@LinuxBox tmp]$cd /usr/project;ls
version1
Copy the patch file to this directory:
[safeer@LinuxBox project]$cp /home/safeer/tmp/version-1-2.patch .
Now apply the patch. It has to be run from the directory that contains version1, because -p0 uses the paths inside the patch (version1/file1 and so on) unchanged:

[safeer@LinuxBox project]$patch -p0 < version-1-2.patch
patching file version1/file1
patching file version1/includes1/lib2
patching file version1/includes2/lib3
patching file version1/includes2/lib4

The patch has updated the modified files file1 and lib2 and created the new directory includes2 with lib3 and lib4 in it. On a production tree rehearse the patch first with patch's --dry-run option, which reports what would happen without writing anything: a hunk that no longer matches is otherwise left behind as a .rej file next to a half-patched file. Remember also that the file names inside a patch decide what gets written, so read a patch from an untrusted source before applying it.
diff and patch work on text files. For binary files (executables, images) diff only reports that the files differ; -a forces it to treat them as text, but the result is not a usable patch. Use a tool made for the purpose (git's binary patches, xdelta, or simply ship the new file).
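As an added example (not from the original post), here is how a deployment script should drive the two commands above: generate the patch with diff's exit status checked (1 means "differences found", not failure), then apply it with a dry run first so a patch that no longer fits leaves the tree untouched instead of half-patched with .rej files. Directory and file names are placeholders built for the demonstration; it needs GNU diff and patch.

```shell
#!/bin/sh
# Added example (not from the original post): produce a patch between two
# trees and apply it safely. Needs GNU diff and patch; names are placeholders.

# make_patch <old-tree> <new-tree> <patch-file>
# diff -Naur: -N includes files that exist on one side only (as a diff against
# an empty file), -a treats all files as text, -u unified format, -r recursive.
# diff exits 0 for identical trees, 1 when there are differences and 2 on
# trouble; only 2 is a failure here.
make_patch() {
    local old="$1" new="$2" out="$3"
    diff -Naur "$old" "$new" > "$out" || [ $? -ne 2 ]
}

# apply_patch <workdir> <patch-file>
# Hunk paths in a "diff -Naur version1 version2" patch begin with the tree
# name, so the patch is applied with -p0 from the directory that contains the
# tree (the post's /usr/project). --dry-run rehearses every hunk without
# writing; only if that succeeds is the tree modified. -N makes patch skip
# hunks that are already applied instead of asking interactively, so running
# the script twice fails cleanly rather than applying the change a second time.
apply_patch() {
    local workdir="$1" patchfile="$2"
    if ! patch -p0 -N --dry-run -d "$workdir" < "$patchfile" > /dev/null; then
        echo "$patchfile does not apply cleanly in $workdir; nothing changed" >&2
        return 1
    fi
    patch -p0 -N -d "$workdir" < "$patchfile" > /dev/null
}
```

For the post's layout the calls are make_patch version1 version2 version-1-2.patch in /home/safeer/tmp and apply_patch /usr/project version-1-2.patch on the target; the second apply_patch of the same file returns 1 and changes nothing.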


Saturday, February 3, 2007

Verifying file integrity

Whenever you use a file obtained from a public source or over a network it is good practice to check its integrity, especially for software downloaded from public web sites and mirrors. Cryptographic hash functions such as MD5 and the SHA family are used for this; a PGP signature goes one step further and also proves who published the file.

MD5

Message Digest algorithm 5 (MD5) is a cryptographic hash function. It takes an input of any size and produces a 128-bit digest, printed as 32 hexadecimal characters; there is no key involved. If a file is changed after its MD5 sum was recorded, recomputing the sum and comparing it with the recorded value reveals the change. Note that MD5 is no longer collision resistant: an attacker can construct two different files with the same MD5 sum, so it protects against accidental corruption, not against a substitution prepared by whoever controls the files. For new work use SHA-256 (sha256sum) and, for authenticity, a signature.

There are many tools for generating and verifying MD5 checksums. Most Linux distributions ship the md5sum command (with sha1sum and sha256sum next to it, which take the same options).

Create a file:

[safeer@LinuxBox ~]$echo "Unchanged File" > inputfile.txt

Compute the MD5 checksum of this file and store it in a file:

[safeer@LinuxBox ~]$md5sum inputfile.txt > inputfile.md5

[safeer@LinuxBox ~]$cat inputfile.md5
7d26e15c0ab488afb85ff48ff9bfbf34  inputfile.txt

Now verify the integrity of the source file using the MD5 sum:

[safeer@LinuxBox ~]$md5sum -c inputfile.md5
inputfile.txt: OK


The result of this test is OK since we haven't modified the source file. Now test again after changing it:

[safeer@LinuxBox ~]$echo "The file is modified" >> inputfile.txt
[safeer@LinuxBox ~]$md5sum -c inputfile.md5
inputfile.txt: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match


This way we can verify whether a file has been tampered with or not (md5sum -c also exits non-zero on a mismatch, which is what a script should check). Many web sites publish the MD5 sums of their software so that you can verify a download.

Now a real scenario. I am going to download the Apache HTTPD server from a mirror site. The project also publishes an MD5 checksum and a PGP signature for each release.

[safeer@LinuxBox ~]$wget http://www.reverse.net/pub/apache/httpd/httpd-2.2.4.tar.gz

Now the MD5 file. This is a plain text file. Note that it is fetched from www.apache.org itself, not from the mirror:


[safeer@LinuxBox ~]$wget http://www.apache.org/dist/httpd/httpd-2.2.4.tar.gz.md5

Make sure that both the file to be checked and its md5 file are in the same directory.

[safeer@LinuxBox ~]$md5sum -c httpd-2.2.4.tar.gz.md5
httpd-2.2.4.tar.gz: OK


This tells us that the httpd archive we downloaded from the mirror is byte-for-byte the one whose checksum the project published. That is only as strong as the place the checksum came from: fetch it from the project's own site, not from the same mirror as the archive (a mirror that can replace the archive can replace a checksum file stored next to it), and for a real guarantee of origin verify the PGP signature (the .asc file) against the project's signing keys.

Find out more in the md5sum man page:
#man md5sum
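The check above stops at "OK"; a download script also wants to know why a check failed and to handle the SHA-256 sums that project sites publish now (going beyond the MD5 sums shown on this page). The function below is an added example, not from the original post: it reads the same "<digest>  <file>" lines that md5sum and sha256sum emit, picks the algorithm by digest length, fails closed on an empty or malformed checksum file, and returns a distinct status for each kind of failure. The files it is run against in the usage note are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a checksum verifier for download
# scripts. Accepts md5sum/sha256sum-style "<digest>  <file>" lines, selects the
# algorithm by digest length and fails closed on anything unexpected.

# verify_checksums <checksum-file>
#   0  every listed file matched
#   1  at least one digest mismatched
#   2  checksum file missing, empty or malformed (fail closed)
#   3  a listed file is not present
verify_checksums() {
    local sumfile="$1" status=0 digest name tool computed
    [ -s "$sumfile" ] || { echo "$sumfile: missing or empty" >&2; return 2; }
    while read -r digest name; do
        [ -n "$digest" ] || continue          # skip blank lines
        name=${name#\*}                        # "digest *file" marks binary mode
        digest=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
        case $digest in
            *[!0-9a-f]*) echo "$sumfile: '$digest' is not a hex digest" >&2; return 2 ;;
        esac
        case ${#digest} in
            32) tool=md5sum ;;
            64) tool=sha256sum
                command -v sha256sum >/dev/null 2>&1 || tool="shasum -a 256" ;;
            *)  echo "$sumfile: unrecognised digest length ${#digest}" >&2; return 2 ;;
        esac
        [ -n "$name" ] || { echo "$sumfile: line without a file name" >&2; return 2; }
        if [ ! -f "$name" ]; then
            echo "$name: MISSING" >&2
            status=3
            continue
        fi
        # $tool is deliberately unquoted so "shasum -a 256" splits into words
        computed=$($tool "$name" | awk '{print $1}')
        if [ "$computed" = "$digest" ]; then
            echo "$name: OK ($tool)"
        else
            echo "$name: FAILED ($tool)" >&2
            [ "$status" -eq 0 ] && status=1
        fi
    done < "$sumfile"
    return "$status"
}
```

For the Apache download above the call is verify_checksums httpd-2.2.4.tar.gz.md5 after fetching both files; a script can then branch on the status (re-download on 1, abort loudly on 2 or 3). A matching digest still only says the archive equals what the checksum file describes, so the checksum file must come from the project's own site and, for origin, the PGP signature should be checked as well.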