You need to automate a task across many machines. You know the user name and password, but for some reason, either by policy or otherwise, you are not allowed to use PKI, or Public Key Infrastructure.
Well, not to give up hope just yet, because there is a nice little tool that is extremely powerful, yet not widely utilized. it's called 'expect'.
Expect does just as you would, uh expect it to do. It will start a process that would normally have interaction, and then you can tell it what to expect in return. Maybe you have to answer a yes or no question or supply it with a name or password. It's not just limited to that. You can specify conditions as to what kind of conversation expect would have. Let's use SSH as an example:
Typically you could ssh to a remote server. Simply use the command:
Ok, no problem. I know the password. I type it in and get my shell access. But what if I need to do 200 remote servers? that's a LOT of typing, and I have other things to do. So, lucily I have expect to the rescue. I would start out writing a shell script, just like other shell scripts, but this time I am going to use expect:
[B]#!/usr/bin/expect
spawn /usr/bin/ssh myself@[lindex $argv 0][/B]
Now we are not finished yet. What we have done so far is to tell expect to run the ssh command as myself to the first argument to the script, which is set up by [lindex $argv 0].We no have to now tell expect that it should get next.
Now if this was our first time connecting to the remote server, ssh may ask us if we want to trust the fingerprint of the remote server to be authentic. Well, having this across the Internet is a good thing, to keep out pesky man-in-the-middle attacks, but I am am on my cozy private LAN and I trust my machines are where they say they are, so I am going to tell expect that if it sees this query, "Are you sure you want to continue connecting (yes/no)?", to answer 'yes' with a 'enter key' character and continue on:
Now the remote server will prompt me for my password. I will tell expect that once it receives the prompt, to go ahead and send the password, along with sending the ENTER key (r):
Once the password is sent, the 'interact' command will then return control of the shell to me and I could take it from there. I could also tell expect to send a command like 'uname -a' for example and just exit. But I will leave it as is for now.
Security note* If you are using expect for this type of automation, storing passwords in the script itself is dangerous and open to prying eyes. You may want to keep your password in a separate file. You can tell expect to read from the file for the password
[B]set tmp [open /home/myself/.secret] set password [read $tmp] close $tmp [/B]
create the file /home/myself/.secret (Changing the path to whatever you desire, as long as you can get to it) and set the perms to 400
There are many great examples of different techniques for expect around the Internet so chances are, if you want to automate it, you can find an example on how to do it.
I [I]expect[/I] that you will find this how-to useful.
-Dave
Here is the complete script:
[B]#!/usr/bin/expect
set fid [open /home/user/.secret] set password [read $fid] close $fid spawn /usr/bin/ssh user@[lindex $argv 0] expect { -re ".*Are.*.*yes.*no.*" { send "yes\r" exp_continue #look for the password prompt }
"*?assword:*" { send $password send "\r" interact #he expect command will now return } }[/B]
I had to create a bond1 on the machine I built once the build process was done. If you ever run into that situation, here is a quick script to make it easier. Look it over. It's crude, but works for now. I may put some string validation in later.
# insert module info into /etc/modprobe.conf if it is not already there if [ -f /etc/modprobe.conf ] then if ! grep ${BOND} /etc/modprobe.conf then echo "install ${BOND} /sbin/modprobe bonding -o ${BOND} miimon=100 mode=active-backup primary=${SL1}" >> /etc/modprobe.conf fi fi
Solar1.net had teamed up with Think Geek. If you ever visit the site or order products from them, please do so through solar1.net (www.solar1.net).
Find out What's New at ThinkGeek!
An online change control management system - 06/05/2008 - Version 0.4.2 Bug fixed where emailing a record did not include record details. Bug fixed where updating a field in a record that already contains data did not update the field.
*Custom fields are now fully editable; delete and modify entries, add new entries in arbitrary positions *Two stage approval, managers authorize, then Ops approves *buttons for admins and managers to delete and lock records *shows who lasted edited, authorized, and approved a record *additional email field for each record so users can get notified when their change is approved *email moved to a button, emails not sent with every modification *button for exporting a record to a word document *interface modified to look nice in both IE and Firefox *many bug fixes
This was quite the sore topic for me, which has turned me off of ATI once and for all. But I got it working and wanted to share my findings with the community
So . . .
What I did, was to download the driver from ATI. Then build a package for gutsy (I renamed the download because it was too long to type and I am lazy):
You're not done yet. The above will install the xorg driver, but not the kernel module. It seems that I had to do that myself. This is contained in the fglrx-kernel-source package that you installed above.
cd into /usr/src, and run
sudo tar xvfj fglrx.tar.bz2
This will create a modules directory. cd into modules/fglrx and run the make.sh. this will build the fglrx kernel module.
cd /usr/src/modules
sudo ./make.sh
If all is built well, you should have a module called fglrx.ko. Copy this into /lib/modules/<your kernel version>/volatile/.
If you are in the UNIX field, at some point it time you have had to interview cantidates, or be interviewed by technical staff at a company. These are technical questions I would consider mid-senior level. I based them on real-world situations that I deal with on a daily basis. I have tried to keep them as platform independant as possible. You may leave comments about any of these or to contribute your own.
1. A Machine is listening on a TCP socket. How would you determine which process is the one listening?
2. What is a process in the 'D' state.
3. Name 5 standard ports ( 22:ssh, 23:telnet, 53:dns, etc . . .)
4. What is a TTY and how does it relate to processes?
5. You need to test if a server (10.10.1.1) is listening on port 80. You telnet to that machine on port 80. You get the following response.Describe the response and how to remedy it.
Trying 10.10.1.1...
6. What is a 'DMZ' and why is it important?
7. You are trying to reach a server on port 80 on a remote DMZ. You know the firewall is open and the port is listening, but you get no response from the server. What could be the problem?
8. A server is out of disk space. You notice a very large log file and determine it is save to remove. You remove the file but the disk still show full. What would cause this and how would you remedy it?
9. Using grep, How would you display the contents of a config file minus comments and blank lines?
10. How would you search recursively through directories looking for files containing the word "foo"?
11. Without using an editor such as vi, ed, or emacs, how would you replace all iterations of the word XXX with the word YYY in all the files in a directory?
12. You see a directory with the permissions 'drwxr-xr-T' What does the T represent and why would you use it?
13. What is setuid and why is it dangerous?
14. When administering DNS, what is the significance of the serial number?
15. When administering Apache 2.x, How does the MaxClients setting affect server performance?
16. Explain "Load Average"?
17. A server is responding very sluggish. You run 'top' but you do not see any processes using very much CPU or memory. What other factors could cause poor performance?
18. How would you tell if a process is actively swapping?
19. As process was killed using a -9 signal. After that, the process can not be started again. What is the most common cause for this and what would be the solution?
20. What are the two situations where you would need to reboot a UNIX system?
Answers: 1. lsof| grep | grep LIST to find the PID, then ps -ef | grep PID to display the process.
2. D is an 'interruptible sleep' state where a process is waiting for IO to complete before it can continue. Mostly caused by flaky NFS setups.
3. See /etc/services for list of ports.
4. A tty is an active terminal session. Any processes bound to a tty would exit if the tty is disconnected.
5. This is a situation where a firewall would be blocking the port. Have an admin of the firewall open the port.
6. A DMZ is a "demilitarized zone". This is useful if you wish to contain systems exposed to the internet that may become compromised by attack.
7. Make sure a route is set for the return path to the clients' subnet.
8. The process that is writing the file still has control of the inode. Either restart the process, or truncate the file by redirecting stdin into the file ( > file).
9. grep -v ^# | grep -v ^$
10. find . | xargs grep
11. perl -pi -e 's/XXX/YYY/g'
12. A T (or t) represents a 'sicky bit'. When the sticky bit is turned on for a directory users can have read and/or write permissions for that directory, but they can only remove or rename files that they own.
13. Setuid allows a process to run as a different user, typically root. Running programs as setuid can be dangerous! The power that you get from running as a regular user rather than an under-privileged user also opens the program up for abuse and is a potential security risk.
14. The serial number allows slave DNS server to keep track of changes made to the master server.
15. The MaxClients directive sets the limit on the number of simultaneous requests that will be served. The default value is 256; to increase it, you must also raise ServerLimit.
16. The load average is the sum of the run queue length and the number of jobs currently running on the CPUs. The load average tries to measure the number of active processes at any time. As a measure of CPU utilization, the load average is simplistic, poorly defined, but far from useless. High load averages usually mean that the system is being used heavily and the response time is correspondingly slow. What's high? Ideally, you'd like a load average under, say, 5, Ultimately, 'high' means high enough so that you don't need uptime to tell you that the system is overloaded. Different systems will behave differently under the same load average. Running a single cpu-bound background job can bring response to a crawl even though the load avg remains quite low.
17. Check IOwait. Process could be waiting for disk operations to complete which could be causing the system to become unresponsive.
18. Run 'vmstat 1' and watch the si and so columns. This will indicate the ammount of data being swapped in, and swapped out respectively.
19. The process could have allocated semaphores. run ipcs as root to display any semaphores in use and use ipcrm to remove any that are still allocated by the process.
20. A system crash or the version of the kernel has changed.
If you are old enough to remember the movie, "War Games", You may recall a young Mathew Broderick who was eager to play a game from a remote computer. Unaware that the remote computer system was part of Norad's WOPR, or War Operation Plan Response computer. By doing a few hours of research he was able to easily guess the password (joshua) and gain access to the one machine that could cause World War Three. While hollywood always takes things to a whole new level of far-fetched, These are not far off from security breaches of today.
Good web security begins by forming good habits. But old habits are hard to break. One of which are good passwords. You have to be living in a cave or under a rock to not have to know and remember at least one password. And with more sites requiring registration (including this one), you may have to be able to recall dozens of passwords to access these systems. Having a "bad" password could make it easier for someone to crack the site or account by using an easily guessable password or one that can be cracked in a short period of time using an automated program. I should take this opportunity to point out that while this article will help protect against a brute force attack, it will not eliminate it. All passwords are crackable. What makes them crackable is time, and what separates the good passwords from bad is the time it would take to crack it. This article will not cover good encryption. No matter how good a password is, if someone is watching the flow of network traffic, they could capture and record your password if the communication is not protected with encryption. This is a separate topic which may be covered in a future article.
This article is three-fold. First, to give you an understanding of the need for good passwords. Second, if you develop or administer a password enabled site, I will explain how to add a few lines of PHP code to your site to force strong passwords. Lastly, I will share a common technique that will help remembering better passwords easier.
Lets take a moment to analyze a couple different password techniques. Passwords can be categorized using three conditions:
1. Length 2. Complexity 3. Diversity of characters
It takes a combination of these conditions to make for really decent passwords. The first one is easy: Length. A password of four or less characters would be considered a very weak password. The time it could take to crack a short password versus a longer one is dramatically less.
Examples of short, weak passwords:
"hi"
"dog"
"f9"
"1234"
The next condition is complexity. Many people use names, places, and other normal words ass passwords. This is a common practice because these are easier to remember. What can you remember longer, Your mother's name, or ws3LL498uWBSdf8? Right, I know the answer to that already. The problem with this, is that there is a common technique to break that kind of password. This is commonly known as the 'dictionary' or 'word based' attack. A malicious person would have a database of all the common words found in a dictionary along with common names and places. This would make a brute force attack much more successful for an automated program because to a computer the list of dictionary type words are relatively short. Some people think they are clever by adding a number to the password, however brute force programs check for those too.
Examples of dictionary based, weak passwords:
"barbra99"
"century"
"Washington"
"acme001"
"Dragon4"
Finally we add diversity.
Here is a quick puzzle for you. Try to guess an eight-letter word using the letters a, b, and c. How long would it take and how many tries would it take to guess aabbbbcc? This isn't a very fun puzzle and if you were bored enough or driving from California to Florida you may give it a try. Now, try to guess an eight-letter word using different combinations of the letters a through z (upper and lower case), 1 through 9, and all of the symbols above the numbers on your keyboard? How long would it take you to guess B&f@0sP4? I would guess a lot longer. This is NOT one of my passwords, by the way. It would also take a computer much longer to guess it as well, which is why it is always a good idea to have diversity in you passwords. It makes them much more difficult (time) to crack.
Applying this technique to your PHP Application
Now that you have a good understanding of what good passwords are and why you need them, Lets look at how you can enforce these in your PHP web application. For this how-to I am using a standard Debian Linux system with apache and php4. You can certainly adjust this for your distribution or UNIX variant, But I can't cover all of them in the scope of this article so you can either post any specific questions in the Solar1.net forums , or search Google for the answer. Most Linux distributions come equipped with a utility called cracklib. Cracklib is a handy tool that the Linux passwd utility uses to enforce good passwords. Unfortunately PHP does not come packaged with the ability to use cracklib out of the box. For this we are going to have to recompile PHP.
Debian is, in my opinion, vastly superior with it's package management and I would like to keep the software installed on my system that way for ease of management. I dont like to venture too far off course with source tarballs that I have to manually install and keep track of. That being said I am going to use the debian source package from the apt repository to pull down the source, so I can easily build a debian package.
$ sudo apt-get source php4
This will pull down the php4 source code, which is already tailored for the debian system, and modify it. Once the source is downloaded, cd into the 'debian' folder within the php directory. The file to look for is called 'rules'. Look for a line that stars with 'COMMON_CONFIG='. You will notice that there are many options that are used to compile php4. We are going to add '--with-crack=/usr' to those options. You can fit it in between any of the other options, but be sure to add a backslash (\) so it continues the line just like the rest of them unless it is the last option. Mine looks like this:
Once that is done we need to compile it. To build the debian package, cd up one directory to the parent php4-x.x.x directory and run the build command:
$ sudo dpkg-buildpackage -rfakeroot -b
If this throws 'not found' errors, make sure you have the dpkg-dev and fakeroot packages installed. It may complain about missing dependencies (lots of -dev packages) so you can 'apt-get install' those too. If you've successfully built the packages, you can then upgrade your existing php packages with these new ones, which should now be one directory up alongside the top of the php4 directory. Did I loose anyone yet? If you've been following along, just 'cd ..' and you should see them in the directory listing.
to install them, just like any other debian package, just use dpkg:
$ dpkg -i
If you have other php4 packs installed, you may upgrade them as well from your new ones. Otherwise you probably only need the php4_x.x.x... package. Once the pack is installed you will need to restart your web server, if the installation process didn't already do it. To test it out create yourself a test php file with the following contents:
phpinfo(); ?>
Load this up in your apache and hit it with your browser. You should see all the details of your php install. search for the work 'crack'. You should see a line that reads, "crack support enabled". If so, you are well on your way.
Cracklib did not seem to come with a set of dictionary words, which may have been a bug in the debian package. I have a collection of words located HERE for download. uncompress the words file and place it into /usr/share/dict/. once the file is there you can generate CrackLib dictionary from downloaded word list:
Next is to modify your php application. If you know where the password management section of your application is, you should be able to add the following function to it:
function crackit() { if (isset($_POST['passwd1'], $_POST['passwd2']) && is_string($_POST['passwd1'])) { $temppass = $_POST['passwd1']; $dictionary = crack_opendict('/usr/share/cracklib/pw_dict') or die('Unable to open CrackLib dictionary'); $check = crack_check($dictionary, "$temppass"); $diag = crack_getlastmessage(); if ($diag != "strong password") { $rpasswd_error_msg = "Password error: $diag"; }
else if ($_POST['passwd1'] !== $_POST['passwd2']) { $rpasswd_error_msg = 'Passwords do not match'; } else if (strlen($_POST['passwd1']) < 6 ) { $rpasswd_error_msg = 'Password must be at least 6 characters long'; } else { echo "Good Password!\n"; exit(0); //exit('window.close();'); }
$rpasswd_error = ''.$rpasswd_error_msg.'';
} else { $rpasswd_error = ''; }
}
Assuming your password variables are passwd1 ( and passwd2 if you enter it twice for verification), this function will first check to make sure it isn't an easy common word (remember the dictionary based words). Next it will check the length to make sure it is long enough. You can call this function somewhere in you password verification code by calling crackit(). You probably will have to modify this code you fit your application. I am just trying to give you a baseline to start from.
Now that I have educated you on the importance of good passwords, Let me try and give you an easy way to remember them. Having a good password is ideal, but if you have to resort to writing them all on a sticky-note and pasting them on your monitor, you may as well just have a t-shirt with your passwords printed on them. Many time have I walked by offices and banks and have seen passwords on post-it notes stuck to monitors.
@page { size: 8.5in 11in; margin: 0.79in } P { margin-bottom: 0.08in } --> What I like to do is come up with a phrase. Something that is catchy. I use numbers and symbols and a combination of lower and capital letters. For example, the @ sign is pronounced, 'at'. So I may come up with a phrase that uses the word 'at'. Numbers pronounce like words too, like 8, or 'ate'. and 4, or 'for'. You get the idea. So lets take the phrase, "Lunch at eight, and don't be late.", could be written as Lunch@8&dontBL8. That's an easy phrase to remember. It's nice and long and uses many different characters so the chances are that cracking or guessing this password would take longer than anyone would care to try. Give it try and you'll see that it isn't as hard to remember as you think it would be.
Textures for graphics are messed up. 3/7/2007 - They have gotten better since upgrading wine to current git version. Here are some screenshots:
How I got this far:
First I grabbed the source for the latest release of wine from www.winehq.com As od 3/1/2007, I have been using the latest development code, from the git repository to track the progress of this game. I didn't use the pre-compiled debian package for this reason: When I tried using the debian package, I found that the fonts were not rendering. After searching the forums (http://bugs.winehq.org/show_bug.cgi?id=7507 ), I found that there is a known bug in wine that prevented the fonts to render correctly. After applying this patch (updated) , It rendered fonts correctly.
Once you have the source tarball, Extract it.
tar xvfj wine-0.9.31.tar.bz2
cd wine-0.9.31
Next you have to get and apply the font-fix patch.
Now we compile wine. I am running a 64bit OS. However, most windows apps and games are 32bit, so compiling natively for me will not work. I have to tell my compiler to compile for 32 bit. You may not have to do that if you are already running a 32 bit OS.
First, Make sure you have the supported packages installed
For a 64bit os, I have to symlink some libraries that were missing:
cd /usr/lib32
sudo ln -s libX11.so.6 libX11.so
sudo ln -s libXext.so.6 libXext.so
sudo ln -s libfreetype.so.6 libfreetype.so
sudo ln -s libz.so.1 libz.so
cd -
Then we'll compile wine (for 64bit OS)
LDFLAGS="-L/lib32 -L/usr/lib32 -Wl,-rpath,/lib32 -Wl,-rpath,/usr/lib32" ./configure && make -j3 depend && make -j3 all
(For 32 bit OS)
./configure && make -j3 depend && make -j3 all
Note: the '-j3' means compile 3 files at once. This is handy for multi core/cpu machines as it allows more files to be compiled at the same time. If you had 4 CPU's you could use '-j8'. You probably will not want to do this if you only have one CPU and can omit the '-j' parameter. Once that is done, weill install wine. The default installation location is /usr/local
sudo make install
Ok. Once that is installed, check your wine version to make sure it is correct
wine --version
You should then be able to install and run Supreme Commander. Once I have fixed the problems I've have above, I'll update this How-to.
cd
wine setup.exe
Update: 2/25/2007: Once the game is installed, You can start the game using this command:
The "/novalidate" switch fixed a problem I had . When the game launched, it gave me an error message of "Please verify system meets minimum specifications". By adding the novalidate switch, it allowed the game to begin.
