Sunday, November 15, 2009

Running Multiple SSD Daemons in Ubuntu


There are times when running multiple sshd daemons makes sense. One of those times is when you have a server that has both a public/external interface and an private/internal interface. A LTSP server is a perfect example of this.

LTSP servers typically have an internal network that the thin clients are on and an external network that connects to the Internet. Often, the internal users are not using strong passphrases and allowing direct ssh connection from the Internet would put you system at risk.

The solution is to split up the sshd configuration by interface so you can use more secure settings for the public interface.

In this setup I also create a sshd daemon for localhost ( as it is used for NOMACHINE's  nxServer and client.


Create custom files:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_internal
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_localhost
cp /etc/init.d/ssh cp /etc/init.d/ssh_internal
cp /etc/init.d/ssh cp /etc/init.d/ssh_localhost
cp /etc/default/ssh /etc/default/ssh_internal
cp /etc/default/ssh /etc/default/ssh_localhost
cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_internal_rsa_key
cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_localhost_rsa_key
cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_internal_dsa_key
cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_localhost_dsa_key

Minimal Config File Changes
These minimum changes are required to simply make the three daemons configuration different enough to run.  Later you can make modifications to increase the security of the public interface.
Edit /etc/ssh/sshd_config
  1. Edit ListenAddress to make it the ip address of the public interface
  2. Add PidFile /var/run/
Edit /etc/ssh/sshd_config_internal
  1. Edit ListenAddress to make it the ip address of the private interface
  2. Add PidFile /var/run/
  3. Edit HostKey /etc/ssh/ssh_host_internal_rsa_key
  4. Edit HostKey /etc/ssh/ssh_host_internal_dsa_key
Edit /etc/ssh/sshd_config_localhost
  1. Edit ListenAddress to make it
  2. Add PidFile /var/run/
  3. Edit HostKey /etc/ssh/ssh_host_localhost_rsa_key
  4. Edit HostKey /etc/ssh/ssh_host_localhost_dsa_key
Init Script Changes
Here, it is easier to modify one of the scripts first and then do a search and replace to create the second script but I will show all the changes:

Edit /etc/init.d/ssh_internal

sed -i 's/usr.sbin.sshd/usr\/sbin\/sshd_internal/g' ssh_internal_temp
sed -i 's/\/run\/sshd_internal/g' ssh_internal_temp
sed -i 's/"sshd"/"sshd_internal"/g' ssh_internal_temp
sed -i 's/etc.default.ssh/etc\/default\/ssh_internal/g' ssh_internal_temp
sed -i 's/Provides:\t\tsshd/Provides:\t\tsshd_internal/g' ssh_internal_temp

Edit /etc/init.d/ssh_localhost

sed -i 's/usr.sbin.sshd/usr\/sbin\/sshd_localhost/g' ssh_localhost_temp
sed -i 's/\/run\/sshd_localhost/g' ssh_localhost_temp
sed -i 's/"sshd"/"sshd_localhost"/g' ssh_localhost_temp
sed -i 's/etc.default.ssh/etc\/default\/ssh_localhost/g' ssh_localhost_temp
sed -i 's/Provides:\t\tsshd/Provides:\t\tsshd_localhost/g' ssh_localhost_temp

Note that there are no capital Vs in the above.  It is a backslash \ followed by a forwardslash / as in "\/"

Create links to sshd

ln -s /usr/sbin/sshd /usr/sbin/sshd_internal
ln -s /usr/sbin/sshd /usr/sbin/sshd_localhost

Set the new init scripts to start automatically
update-rc.d sshd_internal defaults
update-rc.d sshd_localhost defaults

Wednesday, October 14, 2009

Dansguardian, ident and Windows clients

I manage a Ubuntu, LTSP setup and recently there was an issue where the Windows XP clients that use the Dansguardian web proxy stopped working. Since the issue was noticed some days after the change that casued it I did not realize the connection.

At some point I had enabled ident in the /etc/dansguardian/dansguardian.conf setting in order to record the user name of the person using the proxy. This worked as planned on the LTSP clients however the Windows XP clients stopped working. I figured it out when I noticed that the clients did not totally stop working but were in fact really slow.

The Dansguardian proxy was attempting to connect to Windows XP on port 113/tcp and the firewall was blocking the access. As a workaround I simply added a port exception in the Windows XP firewall to allow the proxy to connect to port 113/tcp. Since nothing was listening on that port Dansguardian instantly received a reply that the connection was refused and the proxy worked fine (with the exception of not being able to identify the user.

I now need to either find a Windows ident server or figure out how the ntlm authentication works in Dansguardian.

Monday, September 21, 2009

Ubuntu and kvm virtualization - know who you are and where it runs

Maybe I should have read the documentation. Might have saved me a few confused hours. I doubt it though as my issue seemed to be something straight forward enough that it is probably not documented.

I had created a virtual machine using the Virtual Machine Manager GUI. It was a CentOS system, minimally configure that I simply wanted to clone as I needed a couple of machines to test Openfire. Unfortunately, all my vast knowledge (Google) ;-) seemed to let me down.

The command that should have cloned the system
sudo virt-clone -o CentOSServer -n CentOSServer2 -f /home/user/CentOS2.img --connect=qemu:///system
failed with an error:

ERROR Domain CentOSServer is not found
Yet, the virtual machine that I was attempting to clone existed. I connected to it with the Virtual Machine Manager and was able to start it and access it without any issues.

I tried various alternatives including specifying --connect=qemu:///session but nothing seemed to work.

I tried virsh to connect in an attempt to use the "list -all" command. I was thinking that the gui could find the virtual machine so it had to be somewhere:
sudo virsh --connect=qemu:///session list --all

Unfortunately, that did not list any virtual machines.

The answer was fairly simple once I noticed that the GUI had specified "localhost (User)" in the name of the host to which I had connected and that the virtual machines were part of. I realized that by running the commands using sudo, I was connecting with root's profile while I was running the Virtual Machine Manager as my own user profile.

Once I realized that I should connect as my own user the "virsh list --all" command showed the virtual machine that I wanted to clone. Then, the following command cloned the system:

sudo virt-clone -o CentOSServer -n CentOSServer2 -f /home/user/CentOS2.img --connect=qemu:///session

I need to do a little research to understand the difference between the session and the system but it worked. Now back to Openfire

Friday, January 16, 2009

Lock Firefox Proxy and other Settings

Locking Firefox settings in a multi-user Linux system can be a bit difficult and the information out there varies in quality. A while ago I found a script written by Andy Rabagliati of that automatically created the correctly formated config file and updated the Firefox settings to import the config file.

Recently when I used it on Ubuntu I ran into issues so I modified the script to account for the way Ubuntu separates the browser from xulrunner.

Here is a link to the updated script

To run the script simply pass it the ip address of the proxy server as follows:
sudo ./
There are numerous additional settings that can be enabled at the bottom of the script. Currently the following settings are enabled:
  1. Set the cache size to 10 megs
  2. Do not hide the tabs if only one is open
  3. Proxy settings
To reverse the settings simply open the all.js files that are modified (modified files are listed when the scrip runs) and remove or comment out the last line in the file or copy the backup version over the modified file,