This document is a collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users. This is a practical guide with concise explanations, however the reader is supposed to know what s/he is doing.

1 System
2 Processes
3 File System
4 Network
5 SSH SCP
6 VPN with SSH
7 RSYNC
8 SUDO
9 Encrypt Files
10 Encrypt Partitions
11 SSL Certificates
12 CVS
13 SVN
14 Useful Commands
15 Install Software
16 Convert Media
17 Printing
18 Databases
19 Disk Quota
20 Shells
21 Scripting
22 Programming
23 Online Help
21.1 Basics

The Bourne shell (/bin/sh) is present on all Unix installations and scripts written in this language are quite portable; man 1 sh is a good reference.

Variables and arguments

Assign with variable=value and get the content with $variable.

MESSAGE="Hello World"                      # Assign a string
PI=3.1415                                  # Assign a decimal number
N=8
TWON=`expr $N \* 2`                        # Arithmetic expression (only integers); escape the *, otherwise the shell expands it as a file glob
TWON=$(($N * 2))                           # Other syntax
TWOPI=`echo "$PI * 2" | bc -l`             # Use bc for floating point operations
ZERO=`echo "c($PI/4)-sqrt(2)/2" | bc -l`

16.3 PDF images and concatenate PDF files

Convert a PDF document with gs (GhostScript) to jpeg (or png) images, one for each page. Also much shorter with convert and mogrify from ImageMagick or GraphicsMagick.

# gs -dBATCH -dNOPAUSE -sDEVICE=jpeg -r150 -dTextAlphaBits=4 -dGraphicsAlphaBits=4 \
  -dMaxStripSize=8192 -sOutputFile=unixtoolbox_%d.jpg unixtoolbox.pdf
# convert unixtoolbox.pdf unixtoolbox-%03d.png
# convert *.jpeg images.pdf                      # Create a simple PDF with all pictures
# convert image000* -resample 120x120 -compress JPEG -quality 80 images.pdf
# mogrify -format png *.ppm                      # convert all ppm images to png format

Ghostscript can also concatenate multiple pdf files into a single one. This only works well if the PDF files are "well behaved".

# gs -q -sPAPERSIZE=a4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=all.pdf \
  file1.pdf file2.pdf ...                        # On Windows use '#' instead of '='

Create a PDF file from images:

# convert 20140416-DSCF1915.jpg 20140416-DSCF1920.jpg all.pdf
# convert 20140416-DSCF1915.jpg 20140416-DSCF1920.jpg -resize 1240x1753 -units PixelsPerInch \
  -density 150x150 all.pdf                       # force A4

Extract images from a pdf document using pdfimages from poppler or xpdf.

# pdfimages document.pdf dst/                    # extract all images and put them in dst
# yum install poppler-utils                      # install poppler-utils if needed, or:
# apt-get install poppler-utils

16.4 Convert video

Compress the Canon digicam video with an mpeg4 codec and repair the crappy sound.

# mencoder -o videoout.avi -oac mp3lame -ovc lavc -srate 11025 \
  -channels 1 -af-adv force=1 -lameopts preset=medium -lavcopts \
  vcodec=msmpeg4v2:vbitrate=600 -mc 0 videoin.AVI

See sox for sound processing.

16.5 Copy an audio cd

The program cdparanoia can save the audio tracks (FreeBSD port in audio/cdparanoia), oggenc can encode in Ogg Vorbis format, lame converts to mp3.

# cdparanoia -B                                  # Copy the tracks to wav files in the current dir
# lame -b 256 in.wav out.mp3                     # Encode in mp3 256 kb/s
# for i in *.wav; do lame -b 256 "$i" "`basename "$i" .wav`.mp3"; done
# oggenc in.wav -b 256 out.ogg                   # Encode in Ogg Vorbis 256 kb/s

http://foolabs.com/xpdf/download.html
http://xiph.org/paranoia/

For small changes in the source you can use NO_CLEAN=yes to avoid rebuilding the whole tree:

# make buildworld NO_CLEAN=yes                   # Don't delete the old objects
# make buildkernel KERNCONF=MYKERNEL NO_CLEAN=yes

1.9 Repair grub

So you broke grub? Boot from a live cd, find your linux partition under /dev (use fdisk to find the linux partition), mount the linux partition, bind-mount /proc and /dev into it, chroot and use grub-install /dev/xyz. Note that grub-install is given the whole disk, not the partition. Suppose linux lies on /dev/sda6:

# mount /dev/sda6 /mnt                  # mount the linux partition on /mnt
# mount --bind /proc /mnt/proc          # mount the proc subsystem into /mnt
# mount --bind /dev /mnt/dev            # mount the devices into /mnt
# chroot /mnt                           # change root to the linux partition
# grub-install /dev/sda                 # reinstall grub with your old settings

FreeBSD

FreeBSD does not enable DMA on ATAPI drives by default. DMA is enabled with the sysctl command and the arguments below, or with /boot/loader.conf with the following entries:

hw.ata.ata_dma="1"
hw.ata.atapi_dma="1"

Use burncd with an ATAPI device (burncd is part of the base system) and cdrecord (in sysutils/cdrtools) with a SCSI drive.

# burncd -f /dev/acd0 data imagefile.iso fixate  # For ATAPI drive
# cdrecord -scanbus                              # To find the burner device (like 1,0,0)
# cdrecord dev=1,0,0 imagefile.iso

Linux

Also use cdrecord with Linux as described above. Additionally it is possible to use the native ATAPI interface which is found with:

# cdrecord dev=ATAPI -scanbus

And burn the CD/DVD as above.

dvd+rw-tools

The dvd+rw-tools package (FreeBSD: ports/sysutils/dvd+rw-tools) can do it all and includes growisofs to burn CDs or DVDs. The examples refer to the dvd device as /dev/dvd which could be a symlink to /dev/scd0 (typical scsi on Linux) or /dev/cd0 (typical FreeBSD) or /dev/rcd0c (typical NetBSD/OpenBSD character SCSI) or /dev/rdsk/c0t1d0s2 (Solaris example of a character SCSI/ATAPI CD-ROM device). There is a nice documentation with examples in the FreeBSD handbook chapter on creating DVDs (link at the end of this section).

# -dvd-compat closes the disk
# growisofs -dvd-compat -Z /dev/dvd=imagefile.iso        # Burn existing iso image
# growisofs -dvd-compat -Z /dev/dvd -J -R /p/to/data     # Burn directly

Convert a Nero .nrg file to .iso

Nero simply adds a 300 KB header to a normal iso image. This can be trimmed with dd.

# dd bs=1k if=imagefile.nrg of=imagefile.iso skip=300

Convert a bin/cue image to .iso

The little bchunk program can do this. It is in the FreeBSD ports in sysutils/bchunk.

# bchunk imagefile.bin imagefile.cue imagefile.iso

http://www.freebsd.org/handbook/creating-dvds.html
http://freshmeat.net/projects/bchunk
3.11 Create a file based image

For example a partition of 1 GB using the file /usr/vdisk.img. Here we use the vnode 0, but it could also be 1.

FreeBSD

# dd if=/dev/random of=/usr/vdisk.img bs=1K count=1M
# mdconfig -a -t vnode -f /usr/vdisk.img -u 0           # Creates device /dev/md0
# bsdlabel -w /dev/md0
# newfs /dev/md0c
# mount /dev/md0c /mnt
# umount /mnt; mdconfig -d -u 0; rm /usr/vdisk.img     # Cleanup the md device

The file based image can be automatically mounted during boot with an entry in /etc/rc.conf and /etc/fstab. Test your setup with # /etc/rc.d/mdconfig start (first delete the md0 device with # mdconfig -d -u 0).

Note however that this automatic setup will only work if the file image is NOT on the root partition. The reason is that the /etc/rc.d/mdconfig script is executed very early during boot and the root partition is still read-only. Images located outside the root partition will be mounted later with the script /etc/rc.d/mdconfig2.

/boot/loader.conf:
md_load="YES"

/etc/rc.conf:
mdconfig_md0="-t vnode -f /usr/vdisk.img"               # /usr is not on the root partition

/etc/fstab: (The 0 0 at the end is important, it tells fsck to ignore this device, as it does not exist yet)
/dev/md0    /usr/vdisk    ufs    rw    0 0

It is also possible to increase the size of the image afterward, say for example 300 MB larger.

# umount /mnt; mdconfig -d -u 0
# dd if=/dev/zero bs=1m count=300 >> /usr/vdisk.img
# mdconfig -a -t vnode -f /usr/vdisk.img -u 0
# growfs /dev/md0
# mount /dev/md0c /mnt                                  # File partition is now 300 MB larger

Linux

# dd if=/dev/zero of=/usr/vdisk.img bs=1024k count=1024
# mkfs.ext3 /usr/vdisk.img
# mount -o loop /usr/vdisk.img /mnt
# umount /mnt; rm /usr/vdisk.img                        # Cleanup

Linux with losetup

/dev/zero is much faster than urandom, but less secure for encryption: an image pre-filled with zeros reveals which blocks have been written once it is encrypted, a random fill hides that.

# dd if=/dev/urandom of=/usr/vdisk.img bs=1024k count=1024
# losetup /dev/loop0 /usr/vdisk.img                     # Creates and associates /dev/loop0
# mkfs.ext3 /dev/loop0
# mount /dev/loop0 /mnt
# losetup -a                                            # Check used loops
# umount /mnt
# losetup -d /dev/loop0                                 # Detach
# rm /usr/vdisk.img

3.12 Create a memory file system

A memory based file system is very fast for heavy IO applications. How to create a 64 MB partition mounted on /memdisk:

FreeBSD ports

The port tree /usr/ports/ is a collection of software ready to compile and install (see man ports). The ports are updated with the program portsnap.

# portsnap fetch extract                # Create the tree when running the first time
# portsnap fetch update                 # Update the port tree
# cd /usr/ports/net/rsync/              # Select the package to install
# make install distclean                # Install and cleanup (also see man ports)
# make package                          # Make a binary package of this port
# pkgdb -F                              # Fix the package registry database
# portsclean -C -DD                     # Clean workdir and distdir (part of portupgrade)

OS X MacPorts (use sudo for all commands)

# port selfupdate                       # Update the port tree (safe)
# port installed                        # List installed ports
# port deps apache2                     # List dependencies for this port
# port search pgrep                     # Search for string
# port install proctools                # Install this package
# port variants ghostscript             # List variants of this port
# port -v install ghostscript +no_x11   # -no_x11 for negative value
# port clean --all ghostscript          # Clean workdir of port
# port upgrade ghostscript              # Upgrade this port
# port uninstall ghostscript            # Uninstall this port
# port -f uninstall installed           # Uninstall everything

http://www.freebsd.org/handbook/ports.html
http://guide.macports.org/

15.3 Library path

Due to complex dependencies and runtime linking, programs are difficult to copy to another system or distribution. However for small programs with few dependencies, the missing libraries can be copied over. The runtime libraries (and the missing ones) are checked with ldd and managed with ldconfig.

# ldd /usr/bin/rsync                    # List all needed runtime libraries
# otool -L /usr/bin/rsync               # OS X equivalent to ldd
# ldconfig -n /path/to/libs/            # Add a path to the shared libraries directories
# ldconfig -m /path/to/libs/            # FreeBSD
# LD_LIBRARY_PATH                       # The variable sets the link library path

16 CONVERT MEDIA

Sometimes one simply needs to convert a video, audio file or document to another format.

16.1 Text encoding

Text encoding can go totally wrong, especially when the language requires special characters like éèü. The command iconv can convert from one encoding to another.

# iconv -f <from_encoding> -t <to_encoding> <input_file>
# iconv -f ISO8859-1 -t UTF-8 file.input > file_utf8
# iconv -l                              # List known coded character sets

Without the -f option, iconv will use the locale's character set, which is usually fine if the document displays well.

Convert filenames from one encoding to another (not the file content). Works also if only some files are already utf8 (without --notest convmv only shows what it would rename):

# convmv -r -f utf8 --nfd -t utf8 --nfc /dir/* --notest
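The iconv and convmv entries in 16.1 above cover two separate problems: file content in the wrong byte encoding, and file names that are valid UTF-8 but in decomposed (NFD) form. The Python below is an added example, not part of the Unix Toolbox, that performs the same conversions offline on constructed sample strings and adds the check iconv does not make for you: recognising a file that was converted twice (an 'é' that has become 'Ã©'), the usual result of running iconv -f ISO8859-1 on a file that was already UTF-8. Sample data and function names are this example's own.

```python
import unicodedata

# Constructed sample data (not from the page): one string in two encodings.
SAMPLE_TEXT = "Caf\u00e9 \u00fcber \u00e8"            # Café über è
LATIN1_BYTES = SAMPLE_TEXT.encode("iso-8859-1")        # what a legacy editor wrote
UTF8_BYTES = SAMPLE_TEXT.encode("utf-8")               # what we want on disk today


def iconv(data: bytes, from_encoding: str, to_encoding: str = "utf-8") -> bytes:
    """Same transformation as `iconv -f FROM -t TO`: decode, then re-encode.
    Strict decoding makes a wrong source encoding fail loudly instead of
    silently producing garbage."""
    return data.decode(from_encoding, errors="strict").encode(to_encoding)


def sniff_encoding(data: bytes) -> str:
    """iconv without -f simply assumes the locale charset. This is the safer
    guess: bytes that decode as UTF-8 are UTF-8, anything else is treated as
    ISO-8859-1 (every byte sequence is valid Latin-1, so that never raises)."""
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "iso-8859-1"


def looks_double_encoded(data: bytes) -> bool:
    """Detect the classic mistake of converting a file that was already UTF-8:
    'é' (bytes C3 A9) becomes 'Ã©'. Heuristic: U+00C2 or U+00C3 followed by a
    character in U+0080..U+00BF is what UTF-8 lead and continuation bytes look
    like when each byte was read as one Latin-1 character."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(
        text[i] in "\u00c2\u00c3" and 0x80 <= ord(text[i + 1]) <= 0xBF
        for i in range(len(text) - 1)
    )


def undo_double_encoding(data: bytes) -> bytes:
    """Reverse the mistake above: re-read the text as Latin-1 to recover the
    original UTF-8 bytes (iconv -f UTF-8 -t ISO8859-1 does the same)."""
    return data.decode("utf-8").encode("iso-8859-1")


def nfc_rename_map(names) -> dict:
    """The planning half of `convmv -r -f utf8 --nfd -t utf8 --nfc DIR`: map
    each name to its NFC form. Names already in NFC map to themselves, which
    is why convmv can be run over a partially converted tree."""
    return {name: unicodedata.normalize("NFC", name) for name in names}
```

sniff_encoding is only a guess, exactly like iconv's default; the double-encoding check is the one worth running before and after any bulk conversion, because a second pass over an already converted file does not raise an error, it just corrupts the text further.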
export http_proxy=http://proxy_server:3128
export ftp_proxy=http://proxy_server:3128

15.1 List installed packages

# rpm -qa                               # List installed packages (RH, SuSE, RPM based)
# dpkg -l                               # Debian, Ubuntu
# pkg_info                              # FreeBSD list all installed packages
# pkg_info -W smbd                      # FreeBSD show which package smbd belongs to
# pkginfo                               # Solaris

More on RPM

# rpm -ql package-name                  # list the files for INSTALLED package
# rpm -qlp package.rpm                  # list the files inside package

15.2 Add/remove software

Front ends: yast2/yast for SuSE, redhat-config-packages for Red Hat.

# rpm -i pkgname.rpm                    # install the package (RH, SuSE, RPM based)
# rpm -e pkgname                        # Remove package

SuSE zypper (see doc and cheat sheet)

# zypper refresh                        # Refresh repositories
# zypper install vim                    # Install the package vim
# zypper remove vim                     # Remove the package vim
# zypper search vim                     # Search packages with vim
# zypper update vim                     # Update the package vim

Debian

# apt-get update                        # First update the package lists
# apt-get install emacs                 # Install the package emacs
# dpkg --remove emacs                   # Remove the package emacs
# dpkg -S file                          # find what package a file belongs to

Gentoo

Gentoo uses emerge as the heart of its Portage package management system.

# emerge --sync                         # First sync the local portage tree
# emerge -u packagename                 # Install or upgrade a package
# emerge -C packagename                 # Remove the package
# revdep-rebuild                        # Repair dependencies

Solaris

The cdrom path is usually /cdrom/cdrom0

# pkgadd -d <cdrom>/Solaris_9/Product SUNWgtar
# pkgadd -d SUNWgtar                    # Add downloaded package (bunzip2 first)
# pkgrm SUNWgtar                        # Remove the package

FreeBSD

# mount_mfs -o rw -s 64M md /memdisk
# umount /memdisk; mdconfig -d -u 0     # Cleanup the md device
md /memdisk mfs rw,-s64M 0 0            # /etc/fstab entry

Linux

# mount -t tmpfs -o size=64m tmpfs /memdisk

3.13 Disk performance

Read and write a 1 GB file on partition ad4s3c (/home)

# time dd if=/dev/ad4s3c of=/dev/null bs=1024k count=1000
# time dd if=/dev/zero bs=1024k count=1000 of=/home/1Gb.file
# hdparm -tT /dev/hda                   # Linux only

4 NETWORK

Routing | Additional IP | Change MAC | Ports | Firewall | IP Forward | NAT | DNS | DHCP | Traffic | QoS | NIS | Netcat

4.1 Debugging (See also Traffic analysis)

Linux

# ethtool eth0                          # Show the ethernet status (replaces mii-diag)
# ethtool -s eth0 speed 100 duplex full # Force 100Mbit Full duplex
# ethtool -s eth0 autoneg off           # Disable auto negotiation
# ethtool -p eth1                       # Blink the ethernet led - very useful when supported
# ip link show                          # Display all interfaces on Linux (similar to ifconfig)
# ip link set eth0 up                   # Bring device up (or down). Same as "ifconfig eth0 up"
# ip addr show                          # Display all IP addresses on Linux (similar to ifconfig)
# ip neigh show                         # Similar to arp -a

Other OSes

# ifconfig fxp0                         # Check the "media" field on FreeBSD
# arp -a                                # Check the router (or host) ARP entry (all OS)
# ping cb.vu                            # The first thing to try...
# traceroute cb.vu                      # Print the route path to destination
# ifconfig fxp0 media 100baseTX mediaopt full-duplex   # 100Mbit full duplex (FreeBSD)
# netstat -s                            # System-wide statistics for each network protocol

Additional commands which are not always installed per default but easy to find:

# arping 192.168.16.254                 # Ping on ethernet layer
# tcptraceroute -f 5 cb.vu              # uses tcp instead of icmp to trace through firewalls

4.2 Routing
13.2 SVN commands and usage

See also the Subversion Quick Reference Card. Tortoise SVN is a nice Windows interface.

Import

A new project (a directory with some files) is imported into the repository with the import command. Import is also used to add a directory with its content to an existing project.

# svn help import                                  # Get help for any command
# Add a new directory (with content) into the src dir on project1
# svn import /project1/newdir http://host.url/svn/project1/trunk/src -m 'add newdir'

Typical SVN commands

# svn co http://host.url/svn/project1/trunk        # Checkout the most recent version
# Tags and branches are created by copying
# svn mkdir http://host.url/svn/project1/tags/     # Create the tags directory
# svn copy -m "Tag rc1 rel." http://host.url/svn/project1/trunk \
  http://host.url/svn/project1/tags/1.0rc1
# svn status [--verbose]                           # Check files status in the working dir
# svn add src/file.h src/file.cpp                  # Add two files
# svn commit -m 'Added new class file'             # Commit the changes with a message
# svn ls http://host.url/svn/project1/tags/        # List all tags
# svn move foo.c bar.c                             # Move (rename) files
# svn delete some_old_file                         # Delete files

http://www.cs.put.poznan.pl/csobaniec/Papers/svn-refcard.pdf
http://tortoisesvn.tigris.org

14 USEFUL COMMANDS

less | vi | mail | tar | zip | dd | screen | find | Miscellaneous

14.1 less

The less command displays a text document on the console. It is present on most installations.

# less unixtoolbox.xhtml

FreeBSD

FreeBSD uses the dummynet traffic shaper which is configured with ipfw. Pipes are used to set limits, the bandwidth in units of [K|M]{bit/s|Byte/s}, 0 means unlimited bandwidth. Using the same pipe number will reconfigure it. For example limit the upload bandwidth to 500 Kbit:

# kldload dummynet                                 # load the module if necessary
# ipfw pipe 1 config bw 500Kbit/s                  # create a pipe with limited bandwidth
# ipfw add pipe 1 ip from me to any                # divert the full upload into the pipe

Quality of service

Linux

Priority queuing with tc to optimize VoIP. See the full example on voip-info.org or www.howtoforge.com. Suppose VoIP uses udp on ports 10000-11024 and device eth0 (could also be ppp0 or so). The following commands define the QoS with three queues and force the VoIP traffic into queue 1 with QoS 0x1e (all bits set). The default traffic flows into queue 3 and QoS Minimize-Delay flows into queue 2.

# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
# tc qdisc add dev eth0 parent 1:1 handle 10: sfq
# tc qdisc add dev eth0 parent 1:2 handle 20: sfq
# tc qdisc add dev eth0 parent 1:3 handle 30: sfq
# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 \
  match ip dport 10000 0x3C00 flowid 1:1           # use server port range
  match ip dst 123.23.0.1 flowid 1:1               # or/and use server IP

Status and remove with:

# tc -s qdisc ls dev eth0                          # queue status
# tc qdisc del dev eth0 root                       # delete all QoS

Calculate port range and mask

The tc filter defines the port range with a port and a mask which you have to calculate. Find the 2^N ending of the port range, deduce the range and convert to HEX. This is your mask. Example for 10000 -> 11024, the range is 1024:

# 2^13 (8192) < 10000 < 2^14 (16384)               # ending is 2^14 = 16384
# echo "obase=16;(2^14)-1024" | bc                 # mask is 0x3C00

Note that u32 compares (port AND mask) with (10000 AND mask), so a single value/mask pair can only select an aligned power-of-two block: 10000 0x3C00 selects 9216-10239 (and every other 1024-port block with the same bits 10-13 set), not 10000-11024. A range that is not aligned needs several match lines, or the ipfw dst-port range syntax shown in the FreeBSD part.
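The port/mask recipe under "Calculate port range and mask" above only works for aligned power-of-two blocks, because a u32 match tests (port AND mask) == (value AND mask) bit by bit. The Python below is an added example, not the Unix Toolbox's own material, that enumerates exactly which destination ports a given value/mask pair selects and splits an arbitrary port range into the smallest set of aligned blocks, each of which is one valid `match ip dport VALUE MASK`; it then renders the corresponding tc filter lines. Port numbers and function names are this example's own.

```python
def ports_matched(value: int, mask: int) -> set:
    """Every destination port accepted by `u32 match ip dport VALUE MASK`.
    The kernel's u32 classifier tests (port & mask) == (value & mask);
    bits that are 0 in the mask are ignored on both sides."""
    want = value & mask
    return {p for p in range(65536) if (p & mask) == want}


def block_to_u32(start: int, size: int) -> tuple:
    """(value, mask) for the aligned block start..start+size-1.
    size must be a power of two and start a multiple of size."""
    if size & (size - 1) or start % size:
        raise ValueError("block must be an aligned power-of-two range")
    return start, 0xFFFF & ~(size - 1)


def range_to_u32(first: int, last: int) -> list:
    """Split an inclusive port range into the fewest aligned power-of-two
    blocks (the same decomposition used to express an IP range as CIDR
    prefixes). Each block is one valid u32 match; together they cover the
    range exactly, with no spill-over into neighbouring ports."""
    if not 0 <= first <= last <= 65535:
        raise ValueError("bad port range")
    pairs = []
    p = first
    while p <= last:
        size = 1
        # Double the block while it stays aligned to its own size and inside the range.
        while p % (size * 2) == 0 and p + size * 2 - 1 <= last:
            size *= 2
        pairs.append(block_to_u32(p, size))
        p += size
    return pairs


def tc_filter_lines(dev: str, first: int, last: int, flowid: str = "1:1") -> list:
    """Render one `tc filter` command per block, in the form used above."""
    return [
        f"tc filter add dev {dev} protocol ip parent 1: prio 1 u32 "
        f"match ip dport {value} 0x{mask:04X} flowid {flowid}"
        for value, mask in range_to_u32(first, last)
    ]


def covered(pairs) -> set:
    """Union of the ports selected by a list of (value, mask) pairs."""
    ports = set()
    for value, mask in pairs:
        ports |= ports_matched(value, mask)
    return ports
```

For the page's own range, 10000-11024 decomposes into eight blocks; if eight filters are too many, pick the single aligned block that fits the application (10240 0xFC00 covers 10240-11263) and move the VoIP port range to match it.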
FreeBSD

The max link bandwidth is 500 Kbit/s and we define 3 queues with priority 100:10:1 for VoIP:ssh:all the rest.

# ipfw pipe 1 config bw 500Kbit/s
# ipfw queue 1 config pipe 1 weight 100
# ipfw queue 2 config pipe 1 weight 10
# ipfw queue 3 config pipe 1 weight 1
# ipfw add 10 queue 1 proto udp dst-port 10000-11024
# ipfw add 11 queue 1 proto udp dst-ip 123.23.0.1    # or/and use server IP
# ipfw add 20 queue 2 dst-port ssh
# ipfw add 30 queue 3 from me to any                  # all the rest

Status and remove with:

# ipfw list                             # rules status
# ipfw pipe list                        # pipe status
# ipfw flush                            # deletes all rules but default

4.13 NIS Debugging

Some commands which should work on a well configured NIS client:

# ypwhich                               # get the connected NIS server name
# domainname                            # The NIS domain name as configured
# ypcat group                           # should display the group from the NIS server
# cd /var/yp && make                    # Rebuild the yp database
# rpcinfo -p servername                 # Report RPC services of the server

Is ypbind running?

# ps auxww | grep ypbind
/usr/sbin/ypbind -s -m -S servername1,servername2      # FreeBSD
/usr/sbin/ypbind                                       # Linux

# yppoll passwd.byname
Map passwd.byname has order number 1190635041. Mon Sep 24 13:57:21 2007
The master server is servername.domain.net.

Linux

# cat /etc/yp.conf
ypserver servername
domain domain.net broadcast

4.14 Netcat

Netcat (nc) is better known as the "network Swiss Army Knife", it can manipulate, create or read/write TCP/IP connections. Here some useful examples, there are many more on the net, for example on g-loaded.eu and in the links at the end of this section. You might need to use the command netcat instead of nc. Also see the similar command socat.

File transfer

Copy a large folder over a raw tcp connection. The transfer is very quick (no protocol overhead) and you don't need to mess up with NFS or SMB or FTP or so, simply make the file available on the server, and get it from the client. Here 192.168.1.1 is the server IP address. Nothing is authenticated, encrypted or checksummed: whoever connects to the port first gets the data, so use this on a trusted network only and compare a checksum of the result afterwards.

server# tar -cf - -C VIDEO_TS . | nc -l -p 4444       # Serve tar folder on port 4444
client# nc 192.168.1.1 4444 | tar xpf - -C VIDEO_TS    # Pull the file on port 4444
server# cat largefile | nc -l 5678                     # Serve a single file
client# nc 192.168.1.1 5678 > largefile                # Pull the single file
server# dd if=/dev/da0 | nc -l 4444                    # Serve partition image
client# nc 192.168.1.1 4444 | dd of=/dev/da0           # Pull partition to clone
client# nc 192.168.1.1 4444 | dd of=da0.img            # Pull partition to file

http://netcat.sourceforge.net
http://www.g-loaded.eu/ (post "netcat: a couple of useful examples")
http://www.terminally-incoherent.com/blog/ (post "few useful netcat tricks")

Apply a patch

Sometimes it is necessary to strip a directory level from the patch, depending on how it was created. In case of difficulties, simply look at the first lines of the patch and try -p0, -p1 or -p2.

# cd /devel/project
# patch --dry-run -p0 < patchfile       # Test the patch without applying it
# patch -p0 < patchfile
# patch -p1 < patchfile                 # strip off the 1st level from the path

13 SVN

Server setup | SVN+SSH | SVN over http | SVN usage

Subversion (SVN) is a version control system designed to be the successor of CVS (Concurrent Versions System). The concept is similar to CVS, but many shortcomings were improved. See also the SVN book.

13.1 Server setup

The initiation of the repository is fairly simple (here for example /home/svn/ must exist):

# svnadmin create --fs-type fsfs /home/svn/project1

Now the access to the repository is made possible with:

- file:// Direct file system access with the svn client. This requires local permissions on the file system.
- svn:// or svn+ssh:// Remote access with the svnserve server (also over SSH). This requires local permissions on the file system (default port tcp 3690).
- http:// Remote access with webdav using apache. No local users are necessary for this method.

Using the local file system, it is now possible to import and then check out an existing project. Unlike with CVS it is not necessary to cd into the project directory, simply give the full path:

# svn import /project1/ file:///home/svn/project1/trunk -m 'Initial import'
# svn checkout file:///home/svn/project1

The new directory "trunk" is only a convention, this is not required.

Remote access with ssh

No special setup is required to access the repository via ssh, simply replace file:// with svn+ssh://hostname. For example:

# svn checkout svn+ssh://hostname/home/svn/project1

As with the local file access, every user needs ssh access to the server (with a local account) and also read/write access. This method might be suitable for a small group. All users could belong to a subversion group which owns the repository, for example:

# groupadd subversion
# groupmod -A user1 subversion
# chown -R root:subversion /home/svn
# chmod -R 770 /home/svn

Remote access with http (apache)

Remote access over http (https) is the only good solution for a larger user group. This method uses the apache authentication, not the local accounts. This is a typical but small apache configuration:

LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so   # Only for access control

http://subversion.tigris.org
http://svnbook.red-bean.com/en/
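The nc file transfer above has no authentication, no encryption and no integrity check: a connection that drops half-way leaves a short file and nc still exits 0. The Python below is an added example, not from the Unix Toolbox, that replays the `cat largefile | nc -l` and `nc host port > largefile` pair over loopback with a constructed 1 MiB payload and adds the check a practitioner wants afterwards: comparing a SHA-256 digest obtained out of band, the same way the ssh host fingerprint is compared in 5.2. A simulated dropped link shows the check catching a truncated copy. Host, port handling and function names are this example's own.

```python
import hashlib
import socket
import threading

# Constructed stand-in for "largefile": 1 MiB of deterministic bytes.
PAYLOAD = bytes(range(256)) * 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serve_once(data: bytes, host: str = "127.0.0.1", port: int = 0):
    """The `cat largefile | nc -l PORT` side: accept exactly one client, stream
    the bytes, close. port=0 lets the kernel choose a free port; the port used
    is returned together with the thread so the caller can join it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    chosen = srv.getsockname()[1]

    def run():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(data)
        except OSError:
            pass            # peer vanished mid-transfer; nc would exit 0 here as well
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return chosen, t


def pull(host: str, port: int, drop_after: int = None) -> bytes:
    """The `nc HOST PORT > largefile` side: read until the server closes.
    drop_after simulates the link dying after that many bytes, which is the
    failure nc cannot report: the output file is simply short."""
    chunks, total = [], 0
    with socket.create_connection((host, port)) as s:
        while True:
            buf = s.recv(65536)
            if not buf:
                break
            chunks.append(buf)
            total += len(buf)
            if drop_after is not None and total >= drop_after:
                break
    return b"".join(chunks)


def transfer_and_verify(data: bytes, expected_digest: str, drop_after: int = None):
    """Run one transfer over loopback and compare the result against a digest
    the server operator sent over a trusted channel. Returns (ok, bytes_received)."""
    port, t = serve_once(data)
    received = pull("127.0.0.1", port, drop_after)
    t.join(timeout=10)
    return sha256_hex(received) == expected_digest, len(received)
```

With real nc the equivalent is `sha256sum largefile` on the server and on the client; the digest must travel over a channel the network path cannot tamper with (an ssh session, a phone call), otherwise an attacker who can alter the stream can alter the digest too.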
When the login succeeded one can import a new project into the repository: cd into your project root directory. Specially here you must know what you are doing.

cvs import <module name> <vendor tag> <initial tag>
cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs import MyProject MyCompany START

Where MyProject is the name of the new project in the repository (used later to checkout). Cvs will import the current directory content into the new project.

To checkout:

# cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs checkout MyProject

or

# setenv CVSROOT :pserver:colin@192.168.50.254:/usr/local/cvs
# cvs checkout MyProject

12.3 SSH tunneling for CVS

We need 2 shells for this. On the first shell we connect to the cvs server with ssh and port forward the cvs connection. On the second shell we use the cvs normally as if it were running locally.

on shell 1:

# ssh -L2401:localhost:2401 colin@cvs_server      # Connect directly to the CVS server. Or:
# ssh -L2401:cvs_server:2401 colin@gateway        # Use a gateway to reach the CVS

on shell 2:

# setenv CVSROOT :pserver:colin@localhost:/usr/local/cvs
# cvs login
Logging in to :pserver:colin@localhost:2401/usr/local/cvs
CVS password:
# cvs checkout MyProject/src

12.4 CVS commands and usage

Import

The import command is used to add a whole directory, it must be run from within the directory to be imported. Say the directory /devel/ contains all files and subdirectories to be imported. The directory name on the CVS (the module) will be called "myapp".

# cvs import [options] directory-name vendor-tag release-tag
# cd /devel                                       # Must be inside the project to import it
# cvs import myapp Company R1_0                   # Release tag can be anything in one word

After a while a new directory /devel/tools/ was added and it has to be imported too.

# cd /devel/tools
# cvs import myapp/tools Company R1_0

Checkout update add commit

# cvs co myapp/tools                              # Will only checkout the directory tools
# cvs co -r R1_1 myapp                            # Checkout myapp at release R1_1 (is sticky)
# cvs -q -d update -P                             # A typical CVS update
# cvs update -A                                   # Reset any sticky tag (or date, option)
# cvs add newfile                                 # Add a new file
# cvs add -kb newfile                             # Add a new binary file
# cvs commit file1 file2                          # Commit the two files only
# cvs commit -m "message"                         # Commit all changes done with a message

Create a patch

It is best to create and apply a patch from the working development directory related to the project, or from within the source directory.

# cd /devel/project
# diff -Naur olddir newdir > patchfile            # Create a patch from a directory or a file
# diff -Naur oldfile newfile > patchfile

Other hacks

Remote shell

The -e option is not in every nc build (the OpenBSD nc lacks it; the traditional nc 1.10 and ncat have it). A listener of this kind hands an unauthenticated shell to anyone who can reach the port.

# nc -lp 4444 -e /bin/bash              # Provide a remote shell (server backdoor)
# nc -lp 4444 -e cmd.exe                # remote shell for Windows

Emergency web server

Serve a single file on port 80 in a loop.

# while true; do nc -l -p 80 < unixtoolbox.xhtml; done

Chat

Alice and Bob can chat over a simple TCP socket. The text is transferred with the enter key.

alice# nc -lp 4444
bob#   nc 192.168.1.1 4444

5 SSH SCP

Public key | Fingerprint | SCP | Tunneling | SSHFS

See other tricks: http://blog.urfix.com/25-ssh-commands-tricks/

5.1 Public key authentication

Connect to a host without password using public key authentication. The idea is to append your public key to the authorized_keys2 file on the remote host. For this example let's connect host-client to host-server, the key is generated on the client. With cygwin you might have to create your home directory and the .ssh directory with # mkdir -p /home/USER/.ssh

- Use ssh-keygen to generate a key pair. ~/.ssh/id_dsa is the private key, ~/.ssh/id_dsa.pub is the public key.
- Copy only the public key to the server and append it to the file ~/.ssh/authorized_keys2 in your home on the server. (Current OpenSSH reads ~/.ssh/authorized_keys; authorized_keys2 is still accepted by the default AuthorizedKeysFile setting but is the legacy name.)

# ssh-keygen -t dsa -N ''
# cat ~/.ssh/id_dsa.pub | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2"

Using the Windows client from ssh.com

The non commercial version of the ssh.com client can be downloaded from the main ftp site: ftp://ftp.ssh.com/pub/ssh/. Keys generated by the ssh.com client need to be converted for the OpenSSH server. This can be done with the ssh-keygen command.

- Create a key pair with the ssh.com client: Settings - User Authentication - Generate New.
- I use Key type DSA; key length 2048.
- Copy the public key generated by the ssh.com client to the server into the ~/.ssh folder.
- The keys are in C:\Documents and Settings\USERNAME\Application Data\SSH\UserKeys.
- Use the ssh-keygen command on the server to convert the key:

# cd ~/.ssh
# ssh-keygen -i -f keyfilename.pub >> authorized_keys2

Notice: We used a DSA key, RSA is also possible. The key is not protected by a password. Current OpenSSH releases refuse ssh-dss keys by default, so generate an ed25519 key (ssh-keygen -t ed25519) or an RSA key instead, and give the private key a passphrase; ssh-agent avoids retyping it.

Using putty for Windows

Putty is a simple and free ssh client for Windows.
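The "Remote shell" entry above is exactly what a defender looks for on a compromised host: a netcat-family process holding a listening socket. The Python below is an added example, not part of the Unix Toolbox, that parses `ss -lntp` output (a constructed sample is embedded; nothing is captured from a real host) and flags listeners owned by nc, ncat, netcat or socat, noting whether they are bound to a wildcard address and therefore reachable from outside. Process names, ports and pids in the sample are invented.

```python
import re

# Constructed `ss -lntp` output, not captured from a real host. The nc line is
# what `nc -lp 4444 -e /bin/bash` leaves behind; the socat line is its cousin.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=2911,fd=3))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
LISTEN 0      10     0.0.0.0:31337      0.0.0.0:*         users:(("socat",pid=3100,fd=5))
"""

# Binaries that turn a socket into a pipe to a process; none of them is a
# legitimate long-running network daemon on a server.
PIPE_TOOLS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat"}
WILDCARD = {"0.0.0.0", "[::]", "*"}

LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+(?P<procs>users:.*)$"
)
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_listeners(ss_text: str) -> list:
    """One record per listening socket: addr, port and the (name, pid) pairs holding it."""
    records = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue                      # header, or a socket without process info
        procs = [(p.group("name"), int(p.group("pid")))
                 for p in PROC_RE.finditer(m.group("procs"))]
        records.append({"addr": m.group("addr"), "port": int(m.group("port")), "procs": procs})
    return records


def suspicious_listeners(ss_text: str) -> list:
    """Listeners owned by a netcat-style tool; 'exposed' when bound to a wildcard address."""
    findings = []
    for rec in parse_listeners(ss_text):
        for name, pid in rec["procs"]:
            if name in PIPE_TOOLS:
                findings.append({
                    "pid": pid,
                    "tool": name,
                    "port": rec["port"],
                    "exposed": rec["addr"] in WILDCARD,
                    "next_step": f"read /proc/{pid}/cmdline for -e/-c (nc) or EXEC: (socat) "
                                 f"and check the parent process",
                })
    return findings
```

The process name is only the first signal: a renamed copy of nc will not appear in PIPE_TOOLS, so on a live host follow the next_step hint and also compare the listener set against the host's expected services.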
- Create a key pair with the puTTYgen program.
- Save the public and private keys (for example into C:\Documents and Settings\USERNAME\.ssh).
- Copy the public key to the server into the ~/.ssh folder:
  # scp .ssh/puttykey.pub root@192.168.51.254:.ssh/
- Use the ssh-keygen command on the server to convert the key for OpenSSH:
  # cd ~/.ssh
  # ssh-keygen -i -f puttykey.pub >> authorized_keys2
- Point the private key location in the putty settings: Connection - SSH - Auth

5.2 Check fingerprint

At the first login, ssh will ask if the unknown host with the fingerprint has to be stored in the known hosts. To avoid a man-in-the-middle attack the administrator of the server can send you the server fingerprint which is then compared on the first login. Use ssh-keygen -l to get the fingerprint (on the server). Current ssh-keygen prints a SHA256 fingerprint by default; add -E md5 to get the colon-separated form shown here.

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub        # For RSA key
2048 61:33:be:9b:ae:6c:36:31:fd:83:98:b7:99:2d:9f:cd /etc/ssh/ssh_host_rsa_key.pub
# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub        # For DSA key (default)
2048 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee /etc/ssh/ssh_host_dsa_key.pub

Now the client connecting to this server can verify that he is connecting to the right server:

# ssh linda
The authenticity of host 'linda (192.168.16.54)' can't be established.
DSA key fingerprint is 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee.
Are you sure you want to continue connecting (yes/no)? yes

5.3 Secure file transfer

Some simple commands:

# scp file.txt host-two:/tmp
# scp joe@host-two:/www/*.html /www/tmp
# scp -r joe@host-two:/www /www/tmp
# scp -P 20022 cb@cb.vu:unixtoolbox.xhtml .             # connect on port 20022

In Konqueror or Midnight Commander it is possible to access a remote file system with the address fish://user@gate. However the implementation is very slow.

Furthermore it is possible to mount a remote folder with sshfs, a file system client based on SCP. See fuse sshfs.

ssh_exchange_identification: Connection closed by remote host

With this error try the following on the server:

echo 'SSHD: ALL' >> /etc/hosts.allow
/etc/init.d/sshd restart

5.4 Tunneling

SSH tunneling allows to forward or reverse forward a port over the SSH connection, thus securing the traffic and accessing ports which would otherwise be blocked. This only works with TCP. The general nomenclature for forward and reverse is (see also the ssh and NAT example):

# ssh -L localport:desthost:destport user@gate          # desthost as seen from the gate
# ssh -R destport:desthost:localport user@gate          # forwards your localport to the destination
                                                        # desthost:localport as seen from the client initiating the tunnel
# ssh -X user@gate                                      # To force X forwarding

This will connect to gate and forward the local port to the host desthost:destport. Note desthost is the destination host as seen by the gate, so if the connection is to the gate, then desthost is localhost. More than one port forward is possible.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://fuse.sourceforge.net/sshfs.html

There are three popular ways to access the CVS at this point. The first two don't need any further configuration. See the examples on CVSROOT below for how to use them:

- Direct local access to the file system. The user(s) need sufficient file permission to access the CVS directly and there is no further authentication in addition to the OS login. However this is only useful if the repository is local.
- Remote access with ssh (with the ext protocol). Any user with an ssh shell account and read/write permissions on the CVS server can access the CVS directly with ext over ssh, without any additional tunnel. There is no server process running on the CVS for this to work. The ssh login does the authentication.
- Remote access with pserver (default port tcp 2401). This is the preferred use for a larger user base as the users are authenticated by the CVS pserver with a dedicated password database, there is therefore no need for local user accounts. This setup is explained below.

Network setup with inetd

The CVS can be run locally only if network access is not needed. For remote access, the daemon inetd can start the pserver with the following line in /etc/inetd.conf (/etc/xinetd.d/cvs on SuSE):

cvspserver stream tcp nowait cvs /usr/bin/cvs cvs \
  --allow-root=/usr/local/cvs pserver

It is a good idea to block the cvs port from the Internet with the firewall and use an ssh tunnel to access the repository remotely: the pserver protocol sends passwords with only a trivial scrambling.

Separate authentication

It is possible to have cvs users which are not part of the OS (no local users). This is actually probably wanted too from the security point of view. Simply add a file named passwd (in the CVSROOT directory) containing the users login and password in the crypt format. This can be done with the apache htpasswd tool.

Note: This passwd file is the only file which has to be edited directly in the CVSROOT directory. Also it won't be checked out. More info with htpasswd --help. Recent htpasswd versions default to MD5 hashes; pass -d to force the crypt format that pserver expects, and leave out -b (prompting for the password keeps it out of the shell history).

# htpasswd -cb passwd user1 password1   # -c creates the file
# htpasswd -b passwd user2 password2

Now add :cvs at the end of each line to tell the cvs server to change the user to cvs (or whatever your cvs server is running under). It looks like this:

# cat passwd
user1:xsFjhU22u8Fuo:cvs
user2:vnefJOsnnvToM:cvs

12.2 Test it

Test the login as normal user (for example here me):

# cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs login
Logging in to :pserver:colin@192.168.50.254:2401/usr/local/cvs
CVS password:

CVSROOT variable

This is an environment variable used to specify the location of the repository we're doing operations on. For local use, it can be just set to the directory of the repository. For use over the network the transport protocol must be specified. Set the CVSROOT variable with setenv CVSROOT string on a csh, tcsh shell, or with export CVSROOT=string on a sh, bash shell.

# setenv CVSROOT :pserver:<username>@<host>:/cvsdirectory

For example:

# setenv CVSROOT /usr/local/cvs                              # Used locally only
# setenv CVSROOT :local:/usr/local/cvs                       # Same as above
# setenv CVSROOT :ext:user@cvsserver:/usr/local/cvs          # Direct access with SSH
# setenv CVS_RSH ssh                                         # for the ext access
# setenv CVSROOT :pserver:user@cvsserver:/usr/local/cvs      # network with pserver
• Open the private key servernamekey.pem with a text editor and copy the private key into the servername.pem file.
• Do the same with the server certificate servernamecert.pem.
The final servername.pem file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx
-----END CERTIFICATE-----
What we have now in the directory /usr/local/certs/:
CA/private/cakey.pem (CA private key)
CA/cacert.pem (CA certificate, i.e. the CA's public key)
certs/servernamekey.pem (server private key)
certs/servernamecert.pem (server signed certificate)
certs/servername.pem (server certificate with private key)
Keep the private key secure! That applies to servername.pem as well, since it contains the key: mode 600 and owned by the account the daemon reads it as.
11.7 View certificate information
To view the certificate information simply do:
# openssl x509 -text -in servernamecert.pem # View the certificate info
# openssl req -noout -text -in server.csr # View the request info
# openssl s_client -connect cb.vu:443 # Check a web server certificate
s_client prints the chain the server sends and a "Verify return code" line; anything other than 0 (ok) means a client using the same trust store would reject the certificate.
12 CVS
Server setup | CVS test | SSH tunneling | CVS usage
12.1 Server setup
Initiate the CVS
Decide where the main repository will rest and create a root cvs. For example /usr/local/cvs (as root):
# mkdir -p /usr/local/cvs
# setenv CVSROOT /usr/local/cvs # Set CVSROOT to the new location (local)
# cvs init # Creates all internal CVS config files
# cd /root
# cvs checkout CVSROOT # Checkout the config files to modify them
# cd CVSROOT
edit config (fine as it is)
# cvs commit config
cat >> writers # Create a writers file (optionally also readers)
colin
^D # Use [Control][D] to quit the edit
# cvs add writers # Add the file writers into the repository
# cvs edit checkoutlist
# cat >> checkoutlist
writers
^D # Use [Control][D] to quit the edit
# cvs commit # Commit all the configuration changes
Add a readers file if you want to differentiate read and write permissions. Note: do not ever edit files directly in the main cvs, but rather checkout the file, modify it and check it in. We did this with the file writers to define the write access.
Direct forward on the gate
Let's say we want to access the CVS pserver (port 2401) and http (port 80) which are running on the gate. This is the simplest example: desthost is thus localhost, and we use port 8080 locally instead of 80 so we don't need to be root. Once the ssh session is open, both services are accessible on the local ports.
# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate
Netbios and remote desktop forward to a second server
Let's say a Windows smb server is behind the gate and is not running ssh. We need access to the smb share and also remote desktop to the server.
# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate
The smb share can now be accessed with \\127.0.0.1\ (the address the forward listens on), but only if the local share is disabled, because the local share is listening on port 139.
It is possible to keep the local share enabled; for this we need to create a new virtual device with a new IP address for the tunnel, and the smb share will be connected over this address. Furthermore the local RDP is already listening on 3389, so we choose 3388 (as in the command above). For this example we use a virtual IP on a loopback adapter.
• With putty use the virtual IP plus port 139 as Source port. It is possible to create multiple loop devices and tunnels. On Windows only putty worked for me. On Windows Vista also forward port 445 in addition to port 139. Also on Vista one of the updates prevents port 445 from being forwarded, so I had to uninstall that patch in Vista.
• With the ssh.com client disable "Allow local connections only". Since ssh.com will bind to all addresses, only a single share can be connected.
Now create the loopback interface with the virtual IP:
• System Control Panel > Add Hardware (Yes, Hardware is already connected) (Add a new hardware device at bottom).
• Install the hardware that I manually select (Network adapters) (Microsoft, Microsoft Loopback Adapter).
• Configure the IP address and netmask of the fake device to the virtual IP, no gateway.
• advanced: WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.
• Enable Client for Microsoft Networks. Disable File and Printer Sharing for Microsoft Networks.
I HAD to reboot for this to work. Now connect to the smb share with \\ followed by the virtual IP, and remote desktop to the virtual IP on port 3388.
Debug
If it is not working:
• Are the ports forwarded? netstat -an. Look for a listener on port 139 on the virtual IP.
• Does telnet to the virtual IP on port 139 connect?
• You need the checkbox "Local ports accept connections from other hosts".
• Is "File and Printer Sharing for Microsoft Networks" disabled on the loopback interface?
Connect two clients behind NAT
Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination); both can login to the gate with ssh and are running Linux with sshd. You don't need root access anywhere as long as the ports on gate are above 1024 (unprivileged). We use 2022 on gate. Also since the gate is used locally, the option GatewayPorts is not necessary.
On client cliuser (from destination to gate):
# ssh -R 2022:localhost:22 user@gate # forwards client 22 to gate:2022
On client cliadmin (from host to gate):
# ssh -L 3022:localhost:2022 admin@gate # forwards client 3022 to gate:2022
• If necessary join the certificate and the key in a single file to be used by the application (web server, mail server etc).
11.2 Configure OpenSSL
We use /usr/local/certs as directory for this example. Check or edit /etc/ssl/openssl.cnf according to your settings so you know where the files will be created. Here are the relevant parts of openssl.cnf:
[ CA_default ]
dir = /usr/local/certs/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
Make sure the directories exist or create them:
# mkdir -p /usr/local/certs/CA
# cd /usr/local/certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial # Only if serial does not exist
# touch index.txt
If you intend to get a signed certificate from a vendor, you only need a certificate signing request (CSR). This CSR will then be signed by the vendor for a limited time (e.g. 1 year).
11.3 Create a certificate authority
If you do not have a certificate authority from a vendor, you'll have to create your own. This step is not necessary if one intends to use a vendor to sign the request. To make a certificate authority (CA), run the following from /usr/local/certs (one level above the CA directory, since the output paths start with CA/):
# openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \
-keyout CA/private/cakey.pem -out CA/cacert.pem
11.4 Create a certificate signing request
To make a new certificate (for a mail server or web server for example), first create a request certificate with its private key. If your application does not support encrypted private keys (for example UW-IMAP does not), then disable encryption with -nodes.
# openssl req -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf
# openssl req -nodes -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf # No encryption for the key
Keep this created CSR (newreq.pem) as it can be signed again at the next renewal; the signature only limits the validity of the certificate. This process also created the private key newkey.pem.
11.5 Sign the certificate
The certificate request has to be signed by the CA to be valid; this step is usually done by the vendor. Note: replace "servername" with the name of your server in the next commands.
# cat newreq.pem newkey.pem > new.pem
# openssl ca -policy policy_anything -out servernamecert.pem \
-config /etc/ssl/openssl.cnf -infiles new.pem
# mv newkey.pem servernamekey.pem
Now servernamekey.pem is the private key and servernamecert.pem is the server certificate. (Signing only needs the request: -infiles newreq.pem works as well and keeps the private key out of the CA's input, which matters when the CA runs on a separate machine.)
11.6 Create united certificate
The IMAP server wants to have both private key and server certificate in the same file. And in general this is also easier to handle, but the file has to be kept securely! Apache also can deal with it well. Create a file servername.pem containing both the certificate and key.
Now the admin can connect directly to the client cliuser with:
# ssh -p 3022 admin@localhost # local:3022 -> gate:2022 -> client:22
Connect to VNC behind NAT
Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT. On client cliwin to gate:
# ssh -R 15900:localhost:5900 user@gate
On client cliadmin (from host to gate):
# ssh -L 5900:localhost:15900 admin@gate
Now the admin can connect directly to the client VNC with:
# vncconnect -display :0 localhost
Dig a multi-hop ssh tunnel
Suppose you can not reach a server directly with ssh, but only via multiple intermediate hosts (for example because of routing issues). Sometimes it is still necessary to get a direct client - server connection, for example to copy files with scp, or forward other ports like smb or vnc. One way to do this is to chain tunnels together to forward a port to the server along the hops. This "carrier" port only reaches its final destination on the last connection to the server.
Suppose we want to forward the ssh port from a client to a server over two hops. Once the tunnel is built, it is possible to connect to the server directly from the client (and also add another port forward). Note that the carrier port 5678 is an ordinary listener on the loopback interface of host1 and host2: any other user with a shell on those hosts can connect to it for as long as the chain is up.
Create tunnel in one shell
client -> host1 -> host2 -> server and dig tunnel 5678
client># ssh -L5678:localhost:5678 host1 # 5678 is an arbitrary port for the tunnel
host_1># ssh -L5678:localhost:5678 host2 # chain 5678 from host1 to host2
host_2># ssh -L5678:localhost:22 server # end the tunnel on port 22 on the server
Use tunnel with an other shell
client -> server (using tunnel)
# ssh -p 5678 localhost # connect directly from client to server
# scp -P 5678 myfile localhost:/tmp/ # or copy a file directly using the tunnel
# rsync -e 'ssh -p 5678' myfile localhost:/tmp/ # or rsync a file directly to the server
Autoconnect and keep alive script
I use variations of the following script to keep a machine reachable over a reverse ssh tunnel. The connection is automatically rebuilt if closed. You can add multiple -L or -R tunnels on one line. ExitOnForwardFailure makes a session whose remote port is still held by a dead predecessor exit instead of lingering without its forward, and the ServerAlive options drop a stalled connection after three missed keep-alives so the next cron run rebuilds it; the -g switch of the original line is dropped because it would expose any -L forward you add to other hosts.
#!/bin/sh
COMMAND="ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R 3022:localhost:22 colin@cb.vu"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND # start it only if the exact command is not already running
exit 0
1 * * * * colin /home/colin/port_forward.sh # crontab entry (here hourly)
5.1 sshfs
Mount a filesystem with ssh:
# sshfs cb@cb.vu:/ /Users/barschel/cbvu -oauto_cache,reconnect,defer_permissions,noappledouble,negative_vncache,volname=cbvu
Or via a two hops tunnel (-A forwards the ssh agent to lbgw and bgvctrl; root on either hop can use the agent while the session lasts, so omit -A unless it is needed there):
# ssh -Y -A -t -L20022:127.0.0.1:20022 cbarsche@lbgw ssh -Y -A -t -L20022:127.0.0.1:22 rootbgv@bgvctrl
# sshfs -p 20022 cb@cb.vu:/ /Users/barschel/cbvu -oauto_cache,reconnect,defer_permissions,noappledouble,negative_vncache,volname=cbvu
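The forward/reverse syntax of 5.4, the chained multi-hop tunnel and the keep-alive script above share the same failure modes: a forward that fails silently while the session stays up, a listener that ends up bound to every interface, and a mistyped port. The following POSIX sh helper is an added example and not part of the toolbox. It assembles an ssh command line with those defaults fixed (explicit loopback bind, ExitOnForwardFailure, keep-alives) and replaces the hop-by-hop chain with ProxyJump (-J, OpenSSH 7.3 and later). The host names, the function names and the spec format localport:desthost:destport are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original toolbox: assemble an OpenSSH
# port-forward command with safe defaults and reject malformed specs
# before anything is run. Assumes the OpenSSH client (ProxyJump needs
# OpenSSH 7.3 or later); host names are placeholders.

# is_port N: true if N is an integer between 1 and 65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_cmd [-J hop1,hop2] user@gate SPEC...
# SPEC is localport:desthost:destport (desthost as seen from the gate).
# Prints the ssh command line; returns 1 on a bad spec or port.
forward_cmd() {
    jumps=""
    if [ "$1" = "-J" ]; then
        jumps=$2
        shift 2
    fi
    gate=$1
    shift
    # -N: no remote shell. ExitOnForwardFailure: exit instead of running
    # silently without the forward. ServerAlive*: detect a dead link.
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    if [ -n "$jumps" ]; then
        cmd="$cmd -J $jumps"          # one TCP session per hop, no listeners on the hops
    fi
    for spec in "$@"; do
        lport=${spec%%:*}             # text before the first ':'
        rest=${spec#*:}               # text after the first ':'
        dhost=${rest%%:*}             # middle field
        dport=${rest##*:}             # text after the last ':'
        if [ "$rest" = "$spec" ] || [ "$dport" = "$rest" ] || [ -z "$dhost" ]; then
            echo "bad forward spec: $spec" >&2
            return 1
        fi
        is_port "$lport" || { echo "bad local port in $spec" >&2; return 1; }
        is_port "$dport" || { echo "bad destination port in $spec" >&2; return 1; }
        # Bind to 127.0.0.1 explicitly so the forward is never exposed on
        # other interfaces even if -g or GatewayPorts is in effect.
        cmd="$cmd -L 127.0.0.1:$lport:$dhost:$dport"
    done
    printf '%s %s\n' "$cmd" "$gate"
}

# Run as a script to print the command for the given arguments, e.g.
#   sh forward.sh -J host1,host2 user@server 5678:localhost:22
if [ "$#" -gt 0 ]; then
    forward_cmd "$@"
fi
```

The printed line is meant to be reviewed and then executed with eval or pasted into a shell; the two-hop case produces a single ssh invocation, so there is no carrier port on host1 or host2 for other local users to reach.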
6 VPN WITH SSH
As of version 4.3, OpenSSH can use the tun/tap device to encrypt a tunnel. This is very similar to other TLS based VPN solutions like OpenVPN. One advantage with SSH is that there is no need to install and configure additional software. Additionally the tunnel uses the SSH authentication like pre shared keys. The drawback is that the encapsulation is done over TCP, which might result in poor performance on a slow link (TCP retransmissions running inside another TCP connection). Also the tunnel is relying on a single (fragile) TCP connection. This technique is very useful for a quick IP based VPN setup. There is no limitation as with the single TCP port forward: all layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. In any case, the following options are needed in the sshd_config file:
PermitRootLogin yes
PermitTunnel yes
Root login is only needed because the tun device must be configured as root on the remote side. Prefer PermitRootLogin prohibit-password with key authentication, and restrict that key in authorized_keys with the tunnel="5" option (plus no-pty and a command= if the interface setup is scripted) so that it can open nothing but the tunnel.
6.1 Single P2P connection
Here we are connecting two hosts, hclient and hserver, with a peer to peer tunnel. The connection is started from hclient to hserver and is done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 (client) and we create a device tun5 (this could also be another number). The procedure is very simple:
• Connect with SSH using the tunnel option -w
• Configure the IP addresses of the tunnel. Once on the server and once on the client.
Connect to the server
Connection started on the client and commands are executed on the server.
Server is on Linux
cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # Executed on the server shell
Server is on FreeBSD
cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 10.0.1.2 # Executed on the server shell
Configure the client
Commands executed on the client:
cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252 # Client is on Linux
cli># ifconfig tun5 10.0.1.2 10.0.1.1 # Client is on FreeBSD
The two hosts are now connected and can transparently communicate with any layer 3/4 protocol using the tunnel IP addresses.
6.2 Connect two networks
In addition to the p2p setup above, it is more useful to connect two private networks with an SSH VPN using two gates. Suppose for the example netA is 192.168.51.0/24 and netB is 192.168.16.0/24 (the networks routed in the commands that follow). The procedure is similar as above, we only need to add the routing. NAT must be activated on the private interface only if the gates are not the same as the default gateway of their network.
netA [gateA <-> gateB] netB
• Connect with SSH using the tunnel option -w
• Configure the IP addresses of the tunnel. Once on the server and once on the client.
• Add the routing for the two networks.
• If necessary activate NAT on the private interface of the gate.
The setup is started from gateA in netA.
Attach
# geli attach -k /root/ad1.key /dev/ad1
# fsck -ny -t ffs /dev/ad1.eli # In doubt check the file system
# mount /dev/ad1.eli /mnt
Detach
The detach procedure is done automatically on shutdown.
# umount /mnt
# geli detach /dev/ad1.eli
/etc/fstab
The encrypted partition can be configured to be mounted with /etc/fstab. The password will be prompted when booting. The following settings are required for this example:
# grep geli /etc/rc.conf
geli_devices="ad1"
geli_ad1_flags="-k /root/ad1.key"
# grep geli /etc/fstab
/dev/ad1.eli /home/private ufs rw 0 0
Use password only
It is more convenient to encrypt a USB stick or file based image with a passphrase only and no key. In this case it is not necessary to carry the additional key file around. The procedure is very much the same as above, simply without the key file. Let's encrypt a file based image /cryptedfile of 1 GB:
# dd if=/dev/zero of=/cryptedfile bs=1M count=1000 # 1 GB file
# mdconfig -at vnode -f /cryptedfile
# geli init /dev/md0 # encrypts with password only
# geli attach /dev/md0
# newfs -U -m 0 /dev/md0.eli
# mount /dev/md0.eli /mnt
# umount /dev/md0.eli
# geli detach md0.eli
It is now possible to mount this image on another system with the password only.
# mdconfig -at vnode -f /cryptedfile
# geli attach /dev/md0
# mount /dev/md0.eli /mnt
10.3 OS X Encrypted Disk Image
Don't know how to do this by command line only. See OS X Encrypted Disk Image and Apple support:
https://wiki.thayer.dartmouth.edu/display/computing/Creating+a+Mac+OS+X+Encrypted+Disk+Image
http://support.apple.com/kb/ht1578
11 SSL CERTIFICATES
So called SSL/TLS certificates are cryptographic public key certificates. A certificate binds a public key to a name and carries the signature of a certificate authority; the matching private key stays with the owner and is never part of the certificate. The certificates are used to authenticate the endpoints and to set up the encryption of the data. They are used for example on a web server (https) or mail server (imaps).
11.1 Procedure
• We need a certificate authority to sign our certificate. This step is usually provided by a vendor like Thawte, Verisign, etc., however we can also create our own.
• Create a certificate signing request. This request is like an unsigned certificate (the public part) and already contains all necessary information. The certificate request is normally sent to the authority vendor for signing. This step also creates the private key on the local machine.
• Sign the certificate with the certificate authority.
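The steps of 11.1, together with the commands of 11.2 to 11.7, carried through in one script, as an added example that is not part of the toolbox. It signs with openssl x509 -req instead of the openssl.cnf-driven openssl ca database so it runs in any empty directory, writes its own minimal request config instead of editing /etc/ssl/openssl.cnf, and adds the subjectAltName that current browsers and TLS libraries require (they ignore the CN). Assumed: OpenSSL 1.1.1 or later, the placeholder host name servername, and the function and file names used here.

```shell
#!/bin/sh
# Added example, not from the original toolbox: private CA, CSR, signed
# server certificate, united PEM and chain verification in one place.
# Assumes OpenSSL 1.1.1+; "servername" and all paths are placeholders.

# write_cnf FILE: minimal openssl req config (stands in for /etc/ssl/openssl.cnf).
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA key and certificate (11.3), key dir mode 700.
make_ca() {
    dir=$1
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    write_cnf "$dir/req.cnf"
    openssl req -new -x509 -days 730 -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=Toolbox Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# make_csr DIR NAME: unencrypted key pair plus CSR for server NAME (11.4, -nodes).
make_csr() {
    dir=$1; name=$2
    write_cnf "$dir/req.cnf"
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" -subj "/CN=$name" \
        -keyout "$dir/${name}key.pem" -out "$dir/${name}req.pem" 2>/dev/null
}

# sign_csr CADIR DIR NAME: sign the CSR with the CA for 365 days (11.5).
# Only the request is passed to the CA; the private key never leaves DIR.
sign_csr() {
    cadir=$1; dir=$2; name=$3
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$name" > "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/${name}req.pem" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/${name}cert.pem" 2>/dev/null
}

# unite DIR NAME: certificate plus key in one file, readable only by its owner (11.6).
unite() {
    dir=$1; name=$2
    ( umask 077; cat "$dir/${name}cert.pem" "$dir/${name}key.pem" > "$dir/$name.pem" )
}

# verify_cert CADIR DIR NAME: true only if the certificate chains to this CA (11.7).
verify_cert() {
    cadir=$1; dir=$2; name=$3
    openssl verify -CAfile "$cadir/cacert.pem" "$dir/${name}cert.pem" >/dev/null 2>&1
}

# cert_san DIR NAME: print the subjectAltName carried by the certificate.
cert_san() {
    openssl x509 -noout -text -in "$1/${2}cert.pem" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone run: build everything under a temporary directory.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_ca "$work/CA" && make_csr "$work" servername \
        && sign_csr "$work/CA" "$work" servername && unite "$work" servername \
        && verify_cert "$work/CA" "$work" servername && echo "chain OK under $work"
fi
```

Run it with "sh mkcerts.sh run". The CA key stays in CA/private; for a real deployment that directory belongs on a machine that never serves traffic, and only the CSR travels to it, which is what sign_csr models.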
dm-crypt with LUKS
LUKS with dm-crypt has better encryption and makes it possible to have multiple passphrases for the same partition or to change the password easily. To test if LUKS is available, simply type # cryptsetup --help; if nothing about LUKS shows up, use the instructions below "Without LUKS". First create a partition if necessary: fdisk /dev/sdc
Create encrypted partition
# dd if=/dev/urandom of=/dev/sdc1 # Optional. For paranoids only (takes days)
# cryptsetup -y luksFormat /dev/sdc1 # This destroys any data on sdc1
# cryptsetup luksOpen /dev/sdc1 sdc1
# mkfs.ext3 /dev/mapper/sdc1 # create ext3 file system
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt
# cryptsetup luksClose sdc1 # Detach the encrypted partition
Everything depends on the LUKS header at the start of sdc1: back it up (cryptsetup luksHeaderBackup) and keep the copy off the disk, since a damaged header makes the data unrecoverable even with the right passphrase.
Attach
# cryptsetup luksOpen /dev/sdc1 sdc1
# mount -t ext3 /dev/mapper/sdc1 /mnt
Detach
# umount /mnt
# cryptsetup luksClose sdc1
dm-crypt without LUKS
# cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loop0
# dmsetup ls # check it, will display: sdc1 (254, 0)
# mkfs.ext3 /dev/mapper/sdc1 # This is done only the first time!
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt/
# cryptsetup remove sdc1 # Detach the encrypted partition
Do exactly the same without the mkfs part to re-attach the partition. If the password is not correct, the mount command will fail (plain dm-crypt has no header, so a wrong passphrase simply derives a different key and the mapping contains garbage; only the missing file system reveals the mistake). In this case simply remove the map sdc1 (cryptsetup remove sdc1) and create it again.
10.2 FreeBSD
The two popular FreeBSD disk encryption modules are gbde and geli. I now use geli because it is faster and also uses the crypto device for hardware acceleration. See the FreeBSD handbook chapter on disk encryption for all the details. The geli module must be loaded or compiled into the kernel:
options GEOM_ELI
device crypto # or as module:
# echo 'geom_eli_load="YES"' >> /boot/loader.conf # or do: kldload geom_eli
Use password and key
I use those settings for a typical disk encryption; it uses a passphrase AND a key to encrypt the master key. That is, you need both the password and the generated key /root/ad1.key to attach the partition. The master key is stored inside the partition and is not visible. See below for typical USB or file based image.
Create encrypted partition
# dd if=/dev/random of=/root/ad1.key bs=64 count=1 # this key encrypts the master key
# geli init -s 4096 -K /root/ad1.key /dev/ad1 # -s 8192 is also OK for disks
# geli attach -k /root/ad1.key /dev/ad1 # DO make a backup of /root/ad1.key
# dd if=/dev/random of=/dev/ad1.eli bs=1m # Optional and takes a long time
# newfs /dev/ad1.eli # Create file system
# mount /dev/ad1.eli /mnt
http://www.freebsd.org/handbook/disks-encrypting.html
Connect from gateA to gateB
Connection is started from gateA and commands are executed on gateB.
gateB is on Linux
gateA># ssh -w5:5 root@gateB
gateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # Executed on the gateB shell
gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5
gateB># echo 1 > /proc/sys/net/ipv4/ip_forward # Only needed if not default gw
gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
gateB is on FreeBSD
gateA># ssh -w5:5 root@gateB # Creates the tun5 devices
gateB># ifconfig tun5 10.0.1.1 10.0.1.2 # Executed on the gateB shell
gateB># route add 192.168.51.0/24 10.0.1.2 # netA is reached via gateA's tunnel address
gateB># sysctl net.inet.ip.forwarding=1 # Only needed if not default gw
gateB># natd -s -m -u -dynamic -n fxp0 # see the NAT section
gateB># sysctl net.inet.ip.fw.enable=1
Configure gateA
Commands executed on gateA:
gateA is on Linux
gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5
gateA># echo 1 > /proc/sys/net/ipv4/ip_forward
gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
gateA is on FreeBSD
gateA># ifconfig tun5 10.0.1.2 10.0.1.1
gateA># route add 192.168.16.0/24 10.0.1.1 # netB is reached via gateB's tunnel address 10.0.1.1, not gateA's own 10.0.1.2
gateA># sysctl net.inet.ip.forwarding=1
gateA># natd -s -m -u -dynamic -n fxp0 # see the NAT section
gateA># sysctl net.inet.ip.fw.enable=1
The two private networks are now transparently connected via the SSH VPN. The IP forward and NAT settings are only necessary if the gates are not the default gateways. In this case the clients would not know where to forward the response, and NAT must be activated.
7 RSYNC
Rsync can almost completely replace cp and scp; furthermore interrupted transfers are efficiently restarted. A trailing slash (and the absence thereof) has different meanings; the man page is good. Here some examples:
Copy the directories with full content:
# rsync -a /home/colin/ /backup/colin/ # "archive" mode, i.e. keep the same permissions, times and ownership
# rsync -a /var/ /var_bak/
# rsync -aR --delete-during /home/user/ /backup/ # use relative (see below)
# /opt/local/bin/rsync -azv --iconv=UTF-8-MAC,UTF-8 ~/Music/flac/ me@server:/dst/
# convert filenames OSX UTF8 to Windows UTF8
Same as before but over the network and with compression. Rsync uses SSH for the transport per default and will use the ssh keys if they are set. Use as with SCP. A typical remote copy:
# rsync -axSRzv /home/user/ user@server:/backup/user/ # Copy to remote
# rsync -a 'user@server:My\ Documents' My\ Documents # Quote AND escape spaces for the remote shell
Exclude any directory tmp within /home/user/ and keep the relative folders hierarchy, that is the remote directory will have the structure /backup/home/user/. This is typically used for backups.
# rsync -azR --exclude=tmp/ /home/user/ user@server:/backup/
Use port 20022 for the ssh connection:
# rsync -az -e 'ssh -p 20022' /home/colin/ user@server:/backup/colin/
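The backup commands above overwrite one mirror on every run, so a file deleted or corrupted at the source is gone from the backup at the next transfer. The following POSIX sh functions are an added example, not part of the toolbox: they keep a dated snapshot per run and use rsync's --link-dest so unchanged files are hard links into the previous snapshot, which costs only the changed bytes. The excludes are the ones 7 uses; the directory layout, the "latest" symlink and the function names are the example's own assumptions, and the destination may just as well be user@server:/backup.

```shell
#!/bin/sh
# Added example, not from the original toolbox: rotated, hard-linked rsync
# snapshots. Assumes rsync is installed; SRC and DEST are placeholders.

# snapshot SRC DEST [STAMP]: copy SRC into DEST/STAMP/, hard-linking files
# that are unchanged since DEST/latest, then move the "latest" link.
snapshot() {
    src=$1; dest=$2; stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$dest"
    link=""
    if [ -d "$dest/latest" ]; then
        link="--link-dest=../latest"     # relative to the new snapshot directory
    fi
    # -a keep permissions/times/owners, -x stay on one file system,
    # --delete make the snapshot an exact image of the source.
    # $link is unquoted on purpose: it is empty or exactly one option.
    rsync -a -x --delete --exclude='tmp/' --exclude='*.swp' $link \
        "$src/" "$dest/$stamp/" || return 1
    rm -f "$dest/latest"
    ln -s "$stamp" "$dest/latest"
}

# prune DEST KEEP: delete all but the KEEP newest snapshots.
prune() {
    dest=$1; keep=$2
    n=$(( $(ls -1 "$dest" | grep -v '^latest$' | wc -l) ))
    drop=$((n - keep))
    [ "$drop" -gt 0 ] || return 0
    ls -1 "$dest" | grep -v '^latest$' | sort | head -n "$drop" | while read -r old; do
        rm -rf "$dest/$old"
    done
}

# Stand-alone use: sh snapshot.sh /home/user /backup/user 7
if [ "$#" -eq 3 ]; then
    snapshot "$1" "$2" && prune "$2" "$3"
fi
```

Because every snapshot is a complete tree, restoring is a plain copy from DEST/<stamp>/; because the links are hard links, "rm -rf" of an old snapshot never touches the files other snapshots still reference.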
-e encrypt data
-d decrypt data
-r NAME encrypt for recipient NAME or 'Full Name' or 'email@domain'
-a create ascii armored output of a key
-o use as output file
The examples use 'Your Name' and 'Alice' as the keys are referred to by the email or full name or partial name. For example I can use 'Colin' or c@cb.vu for my key [Colin Barschel (cb.vu) <c@cb.vu>]. A partial name matches any key with that string in its user ID, so once more than one key fits, or before trusting an imported key at all, check the fingerprint (gpg --fingerprint) against one obtained out of band.
Encrypt for personal use only
No need to export/import any key for this. You have both already.
# gpg -e -r 'Your Name' file # Encrypt with your public key
# gpg -o file -d file.gpg # Decrypt. Use -o or it goes to stdout
Encrypt - Decrypt with keys
First you need to export your public key for someone else to use it. And you need to import the public key, say from Alice, to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server.
For example Alice exports her public key and you import it; you can then encrypt a file for her. That is, only Alice will be able to decrypt it.
# gpg -a -o alicekey.asc --export 'Alice' # Alice exported her key in ascii file.
# gpg --send-keys --keyserver subkeys.pgp.net KEYID # Alice put her key on a server.
# gpg --import alicekey.asc # You import her key into your pubring.
# gpg --search-keys --keyserver subkeys.pgp.net 'Alice' # or get her key from a server.
(The subkeys.pgp.net pool no longer operates; keys.openpgp.org is a current keyserver, and a key fetched from any server still needs its fingerprint verified.)
Once the keys are imported it is very easy to encrypt or decrypt a file:
# gpg -e -r 'Alice' file # Encrypt the file for Alice.
# gpg -d file.gpg -o file # Decrypt a file encrypted by Alice for you.
Key administration
# gpg --list-keys # list public keys and see the KEYIDS
The KEYID follows the '/' e.g. for: pub 1024D/D12B77CE the KEYID is D12B77CE
# gpg --gen-revoke 'Your Name' # generate revocation certificate
# gpg --list-secret-keys # list private keys
# gpg --delete-keys NAME # delete a public key from local key ring
# gpg --delete-secret-key NAME # delete a secret key from local key ring
# gpg --fingerprint KEYID # Show the fingerprint of the key
# gpg --edit-key KEYID # Edit key (e.g sign or add/del email)
10 ENCRYPT PARTITIONS
Linux with LUKS | Linux dm-crypt only | FreeBSD GELI | FBSD pwd only | OS X image
There are many other alternative methods to encrypt disks; I only show here the methods I know and use. Keep in mind that the security is only good as long as the OS has not been tampered with. An intruder could easily record the password from the keyboard events. Furthermore the data is freely accessible when the partition is attached, and encryption will not prevent an intruder from accessing it in this state.
10.1 Linux
Those instructions use the Linux dm-crypt device mapper facility available in the kernel. In this example, let's encrypt the partition /dev/sdc1; it could be however any other partition or disk, or USB, or a file based partition created with losetup. In this case we would use /dev/loop0. See file image partition. The device mapper uses labels to identify a partition. We use sdc1 in this example, but it could be any string.
http://sourceforge.net/projects/sereds
Using the rsync daemon (used with '::') is much faster, but not encrypted over ssh: only the module login is challenge-response protected, the file data itself crosses the network in cleartext. The location of /backup is defined by the configuration in /etc/rsyncd.conf. The variable RSYNC_PASSWORD can be set to avoid the need to enter the password manually.
# rsync -axSRz /home/ ruser@hostname::rmodule/backup/
# rsync -axSRz ruser@hostname::rmodule/backup/ /home/ # To copy back
Some important options:
-a, --archive archive mode, same as -rlptgoD (no -H)
-r, --recursive recurse into directories
-R, --relative use relative path names
-H, --hard-links preserve hard links
-S, --sparse handle sparse files efficiently
-x, --one-file-system don't cross file system boundaries
--exclude=PATTERN exclude files matching PATTERN
--delete-during receiver deletes during xfer, not before
--delete-after receiver deletes after transfer, not before
7.1 Rsync on Windows
Rsync is available for Windows through cygwin or as stand-alone packaged in cwrsync. This is very convenient for automated backups. Install one of them (not both) and add the path to the Windows system variables (Control Panel, System, tab Advanced, button Environment Variables). Edit the Path system variable and add the full path to the installed rsync, e.g. C:\Program Files\cwRsync\bin or C:\cygwin\bin. This way the commands rsync and ssh are available in a Windows command shell.
Public key authentication
Rsync is automatically tunneled over SSH and thus uses the SSH authentication on the server. Automatic backups have to avoid a user interaction; for this the SSH public key authentication can be used and the rsync command will run without a password.
All the following commands are executed within a Windows console. In a console (Start - Run - cmd) create and upload the key as described in SSH; change user and server as appropriate. If the file authorized_keys2 does not exist yet, simply copy id_dsa.pub to authorized_keys2 and upload it. OpenSSH 7.0 and later refuse DSA keys by default, so on current systems generate an ed25519 (or rsa) key instead; and because an unattended key has no passphrase, restrict it on the server side in authorized_keys (from= and a command= limited to rsync) so a stolen copy cannot open a shell.
# ssh-keygen -t dsa -N '' # Creates a public and a private key
# rsync user@server:.ssh/authorized_keys2 . # Copy the file locally from the server
# cat id_dsa.pub >> authorized_keys2 # Or use an editor to add the key
# rsync authorized_keys2 user@server:.ssh/ # Copy the file back to the server
# del authorized_keys2 # Remove the local copy
Now test it with (in one line):
rsync -rv "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" \
'user@server:My\ Documents/'
Automatic backup
Use a batch file to automate the backup and add the file in the scheduled tasks (Programs - Accessories - System Tools - Scheduled Tasks). For example create the file backup.bat and replace user@server.
@ECHO OFF
REM rsync the directory My Documents
SETLOCAL
SET CWRSYNCHOME=C:\PROGRAM FILES\CWRSYNC
SET CYGWIN=nontsec
SET CWOLDPATH=%PATH%
REM uncomment the next line when using cygwin
SET PATH=%CWRSYNCHOME%\BIN;%PATH%
echo Press Control-C to abort
rsync -av "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" \
'user@server:My\ Documents/'
pause
8 SUDO
Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi user environment with a mix of servers and workstations. Simply call the command with sudo:
# sudo /etc/init.d/dhcpd restart # Run the rc script as root
# sudo -u sysadmin whoami # Run cmd as an other user
8.1 Configuration
Sudo is configured in /etc/sudoers and must only be edited with visudo (it locks the file and refuses to save a syntax error that would otherwise lock everybody out). The basic syntax is (the lists are comma separated):
user hosts = (runas) commands # In /etc/sudoers
users one or more users or %group (like %wheel) to gain the rights
hosts list of hosts (or ALL)
runas list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!
commands list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as aliases; they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups. Here a sudoers example:
# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full right on desktops
DEVEL DMZ = (ALL) NOPASSWD: DEBUG # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL # Group dba can run as database user.
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
Two caveats on the example: the DEBUG alias grants tools that can run arbitrary programs as root (tcpdump's -z option executes a command after each capture rotation, and wireshark itself should not run as root), so DEVEL effectively has root on the DMZ; and the sudoers manual warns that excluding commands with '!' is unreliable in general, so the PW rule is only as safe as its glob.
9 ENCRYPT FILES
9.1 OpenSSL
A single file
Encrypt and decrypt:
# openssl aes-128-cbc -salt -in file -out file.aes
# openssl aes-128-cbc -d -salt -in file.aes -out file
Note that the file can of course be a tar archive.
tar and encrypt a whole directory
# tar -cf - directory | openssl aes-128-cbc -salt -out directory.tar.aes # Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.aes | tar -x -f - # Decrypt
tar zip and encrypt a whole directory
# tar -zcf - directory | openssl aes-128-cbc -salt -out directory.tar.gz.aes # Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.gz.aes | tar -xz -f - # Decrypt
• Use -k mysecretpassword after aes-128-cbc to avoid the interactive password request. However note that this is highly insecure: the password appears in the process list of every user and in the shell history. -pass file:/path or -pass env:VAR avoids that.
• Use aes-256-cbc instead of aes-128-cbc to get even stronger encryption. This also uses more CPU.
• Without -pbkdf2 (OpenSSL 1.1.1 and later) openssl enc derives the key with a single hash pass, which makes passphrase guessing cheap; and CBC mode alone provides no integrity check, so a modified file may decrypt to silently altered data. gpg -c (below) covers both points.
9.2 GPG
GnuPG is well known to encrypt and sign emails or any data. Furthermore gpg also provides an advanced key management system. This section only covers file encryption, not email usage, signing or the Web-Of-Trust.
The simplest encryption is with a symmetric cipher. In this case the file is encrypted with a password and anyone who knows the password can decrypt it, thus the keys are not needed. Gpg adds an extension ".gpg" to the encrypted file names.
# gpg -c file # Encrypt file with password
# gpg file.gpg # Decrypt file (optionally -o otherfile)
Using keys
For more details see GPG Quick Start and GPG/PGP Basics and the gnupg documentation, among others.
The private and public keys are the heart of asymmetric cryptography. What is important to remember:
• Your public key is used by others to encrypt files that only you as the receiver can decrypt (not even the one who encrypted the file can decrypt it). The public key is thus meant to be distributed.
• Your private key is encrypted with your passphrase and is used to decrypt files which were encrypted with your public key. The private key must be kept secure. Also if the key or passphrase is lost, so are all the files encrypted with your public key.
• The key files are called keyrings as they can contain more than one key.
First generate a key pair. The defaults are fine, however you will have to enter at least your full name and email and optionally a comment. The comment is useful to create more than one key with the same name and email. Also you should use a passphrase, not a simple password.
# gpg --gen-key # This can take a long time
The keys are stored in ~/.gnupg on Unix; on Windows they are typically stored in C:/Documents and Settings/%USERNAME%/Application Data/gnupg/
~/.gnupg/pubring.gpg # Contains your public keys and all others imported
~/.gnupg/secring.gpg # Can contain more than one private key
(GnuPG 2.1 and later keep private keys in ~/.gnupg/private-keys-v1.d/ instead of secring.gpg.)
Short reminder on most used options:
http://www.madboa.com/geek/gpg-quickstart
http://aplawrence.com/Basics/gpg.html
http://gnupg.org/documentation
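The tar | openssl pipeline of 9.1 with two of the weaknesses its bullets describe removed, as an added example that is not part of the toolbox: the passphrase is read from a mode-600 file with -pass file: (never -k on the command line), and the key is derived with PBKDF2 instead of the legacy single-pass default. Assumed: OpenSSL 1.1.1 or later, and the function and file names used here; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original toolbox: encrypt and decrypt a
# directory with openssl enc without leaking the passphrase through the
# process list and with a proper key derivation. Assumes OpenSSL 1.1.1+.

# Cipher and KDF options shared by encryption and decryption.
OPTS="-aes-256-cbc -salt -pbkdf2 -iter 200000"

# new_passfile FILE: store a random passphrase, readable only by the owner.
new_passfile() {
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# encrypt_dir DIR OUT PASSFILE: tar+gzip DIR and encrypt the stream into OUT.
encrypt_dir() {
    dir=$1; out=$2; pass=$3
    tar -C "$(dirname "$dir")" -czf - "$(basename "$dir")" \
        | openssl enc $OPTS -pass "file:$pass" -out "$out"
}

# decrypt_dir OUT PASSFILE DEST: decrypt OUT and unpack it under DEST.
# A wrong passphrase makes openssl report "bad decrypt" and tar fail on
# the garbage it receives, so the function returns non-zero. Note that
# AES-CBC alone gives no integrity guarantee: a deliberately modified
# archive can still decrypt to altered data, which is why gpg -c is the
# better choice when that matters.
decrypt_dir() {
    out=$1; pass=$2; dest=$3
    mkdir -p "$dest"
    openssl enc -d $OPTS -pass "file:$pass" -in "$out" 2>/dev/null \
        | tar -C "$dest" -xzf - 2>/dev/null
}

# Stand-alone use: sh encdir.sh /etc/myapp /backup/myapp.tar.gz.aes /root/backup.pass
if [ "$#" -eq 3 ]; then
    [ -f "$3" ] || new_passfile "$3"
    encrypt_dir "$1" "$2" "$3"
fi
```

The passphrase file is the secret now: it needs the same handling as a private key (mode 600, a backup kept apart from the archives it protects), and -iter 200000 is the cost a guesser pays per attempt, so raise it as hardware allows.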