Wednesday, September 16, 2009

Handle broken dependencies with yum

Yum is the updater for RPM-based Linux systems, including Fedora, Red Hat Enterprise Linux, and CentOS. Yum does a pretty good job of handling dependencies, but it's not perfect. If you have a bunch of updates to install but one of them has a broken dependency, the usual update command will fail. A basic update command looks like this:
# yum update
Alternatively, you could specify which packages to update and just list every package except the broken one, like this:
# yum update [package1] [package2] [...]
There is also a convenient option that updates all packages except those with broken dependencies. It looks like this:
# yum update --skip-broken

Tuesday, September 15, 2009

Customize your /etc/sudoers file

The sudo command allows non-root users to issue administrative commands. Configuration details, including who is allowed to use sudo and for which commands, are stored in a file located at /etc/sudoers. You can also set some other behavioral details in this file. For example, a neat setting is to receive an email or text message each time a user who is not permitted to use sudo tries to use it. To set that up, first configure sSMTP like I detailed in this post for Debian/Ubuntu systems or in this post for RHEL/CentOS systems.

Before making any changes to the /etc/sudoers file, definitely make sure you back it up:
$ sudo cp /etc/sudoers /etc/sudoers.orig
The default behavior for sudo is to report attempted unauthorized uses. To make sure it is enabled, you can set the parameter explicitly by adding this line to /etc/sudoers:
Defaults mail_no_user
And to receive emails add this line:
Defaults mailto += "user@domain.com"
The mailto variable is a list so for each "+=" you will be adding another element to that list.

Another fun variable to set is insults. This will make fun of the user if they enter the wrong password when using sudo. To enable this option, add the line:
Defaults insults
For more options, see the sudoers man page with:
man sudoers
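
The attempts that mail_no_user reports by email are also written to the system log, so they can be reviewed after the fact. The following is an added example, not part of the original post: a shell function that counts denied sudo attempts per user. The log lines are constructed samples in sudo's syslog format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize denied sudo attempts per user from syslog output.

# Constructed sample lines in the format sudo writes to syslog.
sample_log() {
cat <<'EOF'
Sep 15 10:12:01 web01 sudo:     phil : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/phil ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 15 10:12:40 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update
Sep 15 10:13:05 web01 sudo:     phil : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/phil ; USER=root ; COMMAND=/bin/su -
Sep 15 10:15:22 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Sep 15 10:20:00 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Print "user reason count" for each user with denied sudo attempts.
# Reads the files given as arguments, or stdin when there are none.
sudo_denials() {
    awk '
        # Field 5 is the syslog tag, "sudo:" or "sudo[pid]:"; field 6 is the invoking user.
        $5 ~ /^sudo(\[[0-9]+\])?:$/ {
            if ($0 ~ / : user NOT in sudoers ;/)
                kind = "not_in_sudoers"      # the event mail_no_user reports
            else if ($0 ~ / : [0-9]+ incorrect password attempts? ;/)
                kind = "bad_password"
            else
                next                         # permitted command, not a denial
            count[$6 " " kind]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Demo on the constructed sample.
sample_log | sudo_denials
```

On a live system, pass the log file as an argument instead, for example /var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS.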

Tuesday, September 8, 2009

Disable GUI in Ubuntu/Debian

Ever had a Linux machine with a GUI installed and later decided that you don't always (or ever) need the GUI to be running? A GUI will consume system resources that may be put to better use somewhere else. If you happen to be running Ubuntu or another Debian-based machine, you can do it like this:
# update-rc.d -f gdm remove
This command does require root privileges. Also, this command assumes you are running GNOME. If you are running KDE it would look like this:
# update-rc.d -f kdm remove
If you are running XFCE, it will look like this:
# update-rc.d -f xdm remove
To load the GUI for the duration of a logged-in session, use this command:
startx
If you later decide that you do want the GUI to be running all the time, use this command to do so:
# update-rc.d -f gdm defaults
Switch gdm for kdm or xdm as appropriate.

Disable root login in Linux

Disabling root logins in Linux is a simple process. Enter this command at the console:
$ sudo passwd -l root
To reenable root login, use this command:
$ sudo passwd -u root
Alternatively, to unlock the root account you could reset the password like I detailed in this post. These commands will work with any username, not just root. For example, if you wanted to disable logins from a user named "phil", the syntax would look like this:
$ sudo passwd -l phil
There are two things to keep in mind when doing this. First, this only disables logins that use passwords. If you have enabled login over SSH via public keys, that will continue to work. Second, if you disable the root account, make sure that you have at least one user who has sudo power. Otherwise you will effectively have a machine without any users able to perform administrative functions, because root is disabled and none of the other users can use the sudo command.
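
Both caveats can be checked before running passwd -l root. The following is an added example, not from the original post: shell functions that test whether the password is locked, whether root still has SSH keys, and whether another administrator exists. The function names and the admin group names (sudo, wheel, admin) are assumptions; the sudoers file, not group membership alone, decides who can actually use sudo.

```shell
#!/bin/sh
# Added example: pre-flight audit for "passwd -l root".
# File paths are parameters so the checks can run on copies; defaults are the live files.

# Succeeds if USER's shadow password field is locked ("!" or "*" prefix, as passwd -l leaves it).
password_locked() {     # usage: password_locked USER [SHADOW_FILE]
    awk -F: -v u="$1" '$1 == u { found = 1; locked = ($2 ~ /^[!*]/) }
        END { exit (found && locked) ? 0 : 1 }' "${2:-/etc/shadow}"
}

# Number of key lines in an authorized_keys file (blank and comment lines ignored).
ssh_key_count() {       # usage: ssh_key_count [AUTHORIZED_KEYS]
    f="${1:-/root/.ssh/authorized_keys}"
    [ -r "$f" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$f" || true
}

# Non-root members of the assumed admin groups, one per line.
sudo_group_members() {  # usage: sudo_group_members [GROUP_FILE]
    awk -F: '$1 ~ /^(sudo|wheel|admin)$/ && $4 != "" { print $4 }' "${1:-/etc/group}" |
        tr ',' '\n' | grep -vx root | sort -u
}

# Report what locking root does and does not achieve; returns 1 if either caveat applies.
audit_root_lock() {     # usage: audit_root_lock [SHADOW] [GROUP] [AUTHORIZED_KEYS]
    rc=0
    if password_locked root "$1"; then
        echo "root password: locked"
    else
        echo "root password: NOT locked"
    fi
    keys=$(ssh_key_count "$3")
    if [ "$keys" -gt 0 ]; then
        echo "WARNING: $keys SSH key(s) for root; key logins are unaffected by passwd -l"
        rc=1
    fi
    admins=$(sudo_group_members "$2")
    if [ -z "$admins" ]; then
        echo "WARNING: no non-root member of sudo/wheel/admin; nobody may be left to administer"
        rc=1
    else
        echo "sudo-capable candidates:" $admins
    fi
    return $rc
}
# Run as root against the live files with: audit_root_lock
```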

Enable root login in Ubuntu

Logging in as root on Linux machines can be a touchy subject. Conventional wisdom says to never log in as root. However, there are functions that only the root user is able to do, which require the use of the sudo and su commands. In keeping with this idea of never logging in as root, Ubuntu ships with root logins disabled. Instead, the first user created is given the power to use the sudo command and assume root privileges. If you have an Ubuntu machine but want to enable the more conventional root login, here is how you do it:
$ sudo passwd root
You will immediately be prompted to enter, then confirm a new UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Now you can log in as root like you would any other user.

Saturday, September 5, 2009

Change GPG passphrase

When you create a new public/private key pair you are prompted to enter a passphrase. This passphrase is then used to unlock the private key. Now suppose that you chose a secure passphrase but maybe after a few years with the same key something happens and someone learns your passphrase. Instead of having to create a whole new key pair, you can change the passphrase relatively easily. Here is how you do it:
$ gpg --edit-key [keyID]
Command> passwd
Enter passphrase:
Enter the new passphrase for this secret key.
Enter passphrase:
Repeat passphrase:
Command> save
And that's it. Your secret key now uses the new passphrase.

Creating GPG keys from the CLI

I've written about GnuPG before; it is an open source implementation of the PGP encryption standard. Most Linux distributions include a version of it and there are binary packages available for Windows and OS X. On a Unix-like system, if you want to create a new public/private key pair, there is a convenient interactive tool to do this. Start by typing this:
$ gpg --gen-key
Next you will be prompted to answer a series of questions:
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
Choose the option for "DSA and Elgamal" by typing a number one:
1
Next you are asked about key size:
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
IMHO a 2048 bit key is fine. If you want to go bigger you can but you shouldn't go any smaller. Enter the size you want, for 2048 enter:
2048
The next question is to specify an expiration date for your key:
Please specify how long the key should be valid.
0 = key does not expire
[n]= key expires in n days
[n]w = key expires in n weeks
[n]m = key expires in n months
[n]y = key expires in n years
Key is valid for? (0)
Whether you want your key to expire is a personal choice. If you choose to make your key expire you probably will want to make it last at least a few years, but it is up to you. To make the key valid for 3 years, type this:
3y
You will now be asked to verify the expiration date for your key:
Key expires at Tue 04 Sep 2012 11:59:31 AM EDT
Is this correct? (y/N)
If that is correct, type:
y
Now you get to enter your identifying information: name, email, and comments. After that, you will be prompted to enter a passphrase to use with your private key. Make sure it is something secure! The next thing the system will do is try to generate the keys. If there is not enough activity on the system from which to gather random data, you will be asked to complete other tasks on the system until enough random bytes have been collected to continue. Once this occurs, the key creation will continue on its own.

When that completes you will have a new public/private key pair stored in your keychain, which is located inside "~/.gnupg/".