Red Hat 7.x – Applying Security Updates

This article describes how to obtain information about the security updates available for a Red Hat system. Awareness of the security state of the systems they run is one of the basic responsibilities of a system administrator, and Red Hat provides several tools for managing this information. Let's start with the yum updateinfo command.

root:redhat.mylab.com in /root
😃 ➀ yum updateinfo
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-server-openstack-10-tools-debug-rpms/7Server/x86_64                                 | 3.8 kB  00:00:00     
rhel-7-server-openstack-10-tools-rpms/7Server/x86_64                                       | 4.0 kB  00:00:00     
rhel-7-server-openstack-10-tools-source-rpms/7Server/x86_64                                | 3.8 kB  00:00:00     
rhel-7-server-rpms/7Server/x86_64                                                          | 3.5 kB  00:00:00     
rhel-7-server-rt-beta-rpms/x86_64                                                          | 4.0 kB  00:00:00     
rhel-7-server-rt-rpms/7Server/x86_64                                                       | 4.0 kB  00:00:00     
rhel-ha-for-rhel-7-server-rpms/7Server/x86_64                                              | 3.4 kB  00:00:00     
rhel-rs-for-rhel-7-server-rpms/7Server/x86_64                                              | 3.4 kB  00:00:00     
Updates Information Summary: available
    279 Security notice(s)
         44 Critical Security notice(s)
         95 Important Security notice(s)
        119 Moderate Security notice(s)
         21 Low Security notice(s)
    784 Bugfix notice(s)
    117 Enhancement notice(s)
updateinfo summary done

The output above gives a summary of the security, bugfix and enhancement notices that are available. You can list them individually with the command yum updateinfo list. Since the list is long, I have omitted some of the output.

root:redhat.mylab.com in /root
😃 ➀ yum updateinfo list
Loaded plugins: langpacks, product-id, subscription-manager
.......
RHEA-2016:2556 enhancement    ModemManager-1.6.0-2.el7.x86_64
RHBA-2014:0726 bugfix         NetworkManager-1:0.9.9.1-22.git20140326.4dba720.el7_0.x86_64
RHSA-2014:0741 Critical/Sec.  firefox-24.6.0-1.el7_0.x86_64
.......
updateinfo list done

The output shows the Red Hat advisory IDs: RHEA (Red Hat Enhancement Advisory), RHBA (Red Hat Bug Fix Advisory) and RHSA (Red Hat Security Advisory). Pass an advisory ID to yum updateinfo, as in the example below, to get the full details of that notice.

root:redhat.mylab.com in /root
😃 ➀ yum updateinfo RHSA-2014:0741
Loaded plugins: langpacks, product-id, subscription-manager
.......    

===============================================================================
  Critical: firefox security update
===============================================================================
  Update ID : RHSA-2014:0741
    Release : 
       Type : security
     Status : final
     Issued : 2014-06-10 00:00:00
       Bugs : 1107399 - CVE-2014-1533 Mozilla: Miscellaneous memory safety hazards (rv:24.6) (MFSA 2014-48)
	    : 1107421 - CVE-2014-1538 Mozilla: Use-after-free and out of bounds issues found using Address Sanitizer (MFSA 2014-49)
	    : 1107424 - CVE-2014-1541 Mozilla: Use-after-free with SMIL Animation Controller (MFSA 2014-52)
       CVEs : CVE-2014-1541
	    : CVE-2014-1533
	    : CVE-2014-1538
Description : Mozilla Firefox is an open source web browser. XULRunner
            : provides the XUL Runtime environment for Mozilla
            : Firefox.
            : 
            : Several flaws were found in the processing of
            : malformed web content. A web page containing
            : malicious content could cause Firefox to crash or,
            : potentially, execute arbitrary code with the
            : privileges of the user running Firefox.
            : (CVE-2014-1533, CVE-2014-1538, CVE-2014-1541)
            : 
            : Red Hat would like to thank the Mozilla project
            : for reporting these issues. Upstream acknowledges
            : Gary Kwong, Christoph Diehl, Christian Holler,
            : Hannes Verschore, Jan de Mooij, Ryan VanderMeulen,
            : Jeff Walden, Kyle Huey, Abhishek Arya, and Nils as
            : the original reporters of these issues.
            : 
            : For technical details regarding these flaws, refer
            : to the Mozilla security advisories for Firefox
            : 24.6.0 ESR. You can find a link to the Mozilla
            : advisories in the References section of this
            : erratum.
            : 
            : All Firefox users should upgrade to these updated
            : packages, which contain Firefox version 24.6.0
            : ESR, which corrects these issues. After installing
            : the update, Firefox must be restarted for the
            : changes to take effect.
   Severity : Critical
updateinfo info done

For more detail on the CVEs listed in the output above, consult the Common Vulnerabilities and Exposures (CVE) web site.
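The notice types and the Critical/Important/Moderate/Low severities in the summary are what a patching policy is usually written against, so it helps to be able to compute them from the list output rather than reading it by eye. The script below is an added example, not part of the original article: it tallies yum updateinfo list output by notice type and severity and extracts the advisory IDs of one severity so each can be inspected with yum updateinfo. The SAMPLE lines are constructed from the format shown in the article (the last two are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: tally "yum updateinfo list"
# output by notice type and, for security notices, by severity, and pull out
# the advisory IDs of a given severity so each can be inspected with
# "yum updateinfo <ID>". On a real host feed the live command in:
#   yum updateinfo list 2>/dev/null | summarize_updateinfo
# The SAMPLE below is constructed from the format shown in the article.

# summarize_updateinfo < updateinfo list lines -> "<type> <count>" per line
summarize_updateinfo() {
    awk '
        # Lines of interest: RHSA-2014:0741 Critical/Sec.  firefox-24.6.0-1.el7_0.x86_64
        $1 ~ /^RH(SA|BA|EA)-[0-9]+:[0-9]+$/ {
            if ($2 ~ /\/Sec\.$/) {
                sub(/\/Sec\.$/, "", $2)      # keep only the severity word
                sec[$2]++
                total_sec++
            } else {
                other[$2]++                  # bugfix / enhancement
            }
        }
        END {
            printf "security %d\n", total_sec + 0
            for (s in sec)   printf "security/%s %d\n", s, sec[s]
            for (t in other) printf "%s %d\n", t, other[t]
        }' | sort
}

# security_ids SEVERITY < updateinfo list lines -> advisory IDs, one per line
security_ids() {
    awk -v sev="$1" '$1 ~ /^RHSA-/ && $2 == (sev "/Sec.") { print $1 }'
}

# Constructed sample: the first three lines are the ones shown in the article,
# the last two are made up to give more than one severity.
SAMPLE='RHEA-2016:2556 enhancement    ModemManager-1.6.0-2.el7.x86_64
RHBA-2014:0726 bugfix         NetworkManager-1:0.9.9.1-22.git20140326.4dba720.el7_0.x86_64
RHSA-2014:0741 Critical/Sec.  firefox-24.6.0-1.el7_0.x86_64
RHSA-2015:0001 Important/Sec. example-pkg-1.0-1.el7.x86_64
RHSA-2015:0002 Critical/Sec.  example-pkg2-1.0-1.el7.x86_64'

# Run with --demo to print the summary and the Critical advisory IDs.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | summarize_updateinfo
    printf '%s\n' "$SAMPLE" | security_ids Critical
fi
```

The Critical IDs can then be looped over with yum updateinfo, or passed to yum update-minimal --advisory if only those advisories should be applied; the parser only relies on the first two columns of the list output, which is the part of the format shown above.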

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCE, VCP6-DCV
nantoyudi@gmail.com

Change Red Hat 7.x/CentOS 7.x SSH Default Port (SELinux Involved)

This article describes how to make sshd on a Linux system (CentOS 7.3 in this exercise) listen on a port other than the default SSH port (TCP port 22). Because the system runs SELinux in enforcing mode, the change also requires an update to the SELinux port labels.

1. First, verify the default configuration and the state of the sshd service.

    1.1 Check sshd_config for the port configuration.

[root@system1 ~]# cat /etc/ssh/sshd_config | grep "Port 22"  
#Port 22

          Even though the Port line is commented out, sshd uses port 22 by default.

    1.2 Confirm that the system is currently listening on port 22.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:22            *:*                   users:(("sshd",pid=5485,fd=3))
tcp    LISTEN     0      128      :::22           :::*                   users:(("sshd",pid=5485,fd=4))

    1.3 SELinux should be in enforcing mode. If it is not, edit /etc/sysconfig/selinux and change the SELinux mode.

[root@system1 ~]# getenforce 
Enforcing

2. Change the default SSH port and restart the service.

    2.1 Modify the sshd_config file so that sshd listens on port 20002.

[root@system1 ~]# vim /etc/ssh/sshd_config  
...........
Port 20002
...........

    2.2 Restart the sshd service.

[root@server ~]# systemctl restart -l sshd
Job for sshd.service failed because a configured resource limit was exceeded. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@server ~]# systemctl status -l sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: resources) since Sun 2017-02-26 23:43:51 WIB; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5534 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5485 (code=exited, status=0/SUCCESS)

Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service never wrote its PID file. Failing.
Feb 26 23:43:51 server.mylab.com systemd[1]: Failed to start OpenSSH server daemon.
Feb 26 23:43:51 server.mylab.com systemd[1]: Unit sshd.service entered failed state.
Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service failed.

          The service failed to start. The quickest way to find out whether SELinux is the cause would be to switch it to permissive mode (setenforce 0) and retry, but in this exercise we use sealert instead, which identifies the cause without loosening enforcement on the system.

    2.3 Check if SELinux is blocking sshd from binding to port 20002/TCP.

[root@server ~]# sealert -a /var/log/audit/audit.log 
100% done
found 3 alerts in /var/log/audit/audit.log
...
SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 20002.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow /usr/sbin/sshd to bind to network port 20002
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 20002
    where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that sshd should be allowed name_bind access on the port 20002 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 20002 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          20002
Host                          
Source RPM Packages           openssh-server-6.6.1p1-33.el7_3.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.mylab.com
Platform                      Linux server.mylab.com 3.10.0-514.6.1.el7.x86_64
                              #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-02-26 23:43:47 WIB
Last Seen                     2017-02-26 23:44:33 WIB
Local ID                      b4e40db1-4036-4c63-b35e-6ea5f7bb01c8
...

          The sealert output describes the denial completely: sshd (source context sshd_t) was denied name_bind on TCP port 20002, which carries the label unreserved_port_t, and the bind_ports plugin, with the highest confidence, suggests labelling the port as ssh_port_t. That is the fix applied in the next step; the audit2allow suggestion from the catchall plugin would work too, but a custom policy module is a much broader change than a port label.

    2.4 Check the SELinux port label for ssh and make the necessary change.

[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22

          By default only port 22 carries the ssh_port_t label. Add the non-default port to it.

[root@server ~]# semanage port -a -t ssh_port_t -p tcp 20002
[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      20002, 22

    2.5 Restart the sshd service.

[root@server ~]# systemctl restart sshd
[root@server ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-02-26 23:46:43 WIB; 5s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5689 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5690 (sshd)
   CGroup: /system.slice/sshd.service
           └─5690 /usr/sbin/sshd

Feb 26 23:46:43 server.mylab.com systemd[1]: Starting OpenSSH server daemon...
Feb 26 23:46:43 server.mylab.com systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on 0.0.0.0 port 20002.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on :: port 20002.
Feb 26 23:46:43 server.mylab.com systemd[1]: Started OpenSSH server daemon.

3. Confirm that the system is now listening on port 20002.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:20002                 *:*              users:(("sshd",pid=5690,fd=3))
tcp    LISTEN     0      128      :::20002                :::*              users:(("sshd",pid=5690,fd=4))

4. Add a firewall rule so that other systems can reach this system on port 20002/TCP.

    4.1 Verify the current firewall rules.

[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

          The ssh service is already allowed, but the firewalld ssh service only covers the default TCP port 22, so port 20002 has to be added separately.

    4.2 Add port 20002 to the firewall and verify it.

[root@server ~]# firewall-cmd --permanent --add-port=20002/tcp
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 20002/tcp 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:
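The three places the procedure above touches (sshd_config, the ssh_port_t label, firewalld) are exactly the ones that get forgotten when the change is repeated on the next host, and the failure mode is the one shown in step 2.2: sshd refuses to start and the existing session is the only way in. The script below is an added example, not part of the original article: it reads the output of the commands used above and reports which of the three is still missing for a given port, so it can be run before restarting sshd. The sample outputs are constructed from the article's transcripts, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check for moving
# sshd to a non-default port. The parsers take the output of "semanage port -l"
# and "firewall-cmd --permanent --list-all" on stdin, so they can be tested on
# constructed samples here and fed from the live commands on a real host.

# sshd_port FILE -> prints the effective Port from an sshd_config (22 if unset).
sshd_port() {
    # Commented "#Port 22" has "#Port" as its first field and is ignored.
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# selinux_port_labeled PORT  <  "semanage port -l" output
# succeeds when PORT is listed for ssh_port_t over tcp.
selinux_port_labeled() {
    awk -v port="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)            # "20002, 22" -> separate fields
                if ($i == port) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# firewall_port_open PORT  <  "firewall-cmd --permanent --list-all" output
# succeeds when PORT/tcp appears in the "ports:" line of the zone.
firewall_port_open() {
    awk -v want="$1/tcp" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# preflight PORT SEMANAGE_OUT FIREWALL_OUT -> one line per missing item,
# exit status 0 only when nothing is missing.
preflight() {
    port="$1"; rc=0
    if ! printf '%s\n' "$2" | selinux_port_labeled "$port"; then
        echo "missing: semanage port -a -t ssh_port_t -p tcp $port"; rc=1
    fi
    if ! printf '%s\n' "$3" | firewall_port_open "$port"; then
        echo "missing: firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload"; rc=1
    fi
    return $rc
}

# Constructed samples modelled on the article's transcripts.
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      20002, 22'
FIREWALL_BEFORE='public
  services: dhcpv6-client https samba ssh
  ports: 3260/tcp'
FIREWALL_AFTER='public
  services: dhcpv6-client https samba ssh
  ports: 20002/tcp 3260/tcp'

# Run with --demo to show the report for the "before" state of the article.
if [ "${1:-}" = "--demo" ]; then
    preflight 20002 "$SEMANAGE_BEFORE" "$FIREWALL_BEFORE" || echo "not ready for restart"
fi
```

On a live host the call is preflight "$(sshd_port /etc/ssh/sshd_config)" "$(semanage port -l)" "$(firewall-cmd --permanent --list-all)"; a non-zero exit before systemctl restart sshd means the restart would fail the way step 2.2 shows, or succeed but be unreachable through the firewall.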

Happy labbing!!!

Source: Red Hat System Administration III


Reset Root Password on Red Hat7.x/CentOS7.x

Recovering the root password is a trivial task while still logged in as an administrator or a user with full sudo access, but is slightly more involved when an administrator is not logged in. To recover the root password, use the following procedure:

  1. Reboot the system and press e to edit the selected entry. Move the cursor to the kernel command line (the line that starts with linux16). Append rd.break (this breaks just before control is handed from the initramfs to the actual system). Press Ctrl+x to boot with the changes. At this point a root shell is presented, with the root file system of the actual system mounted read-only on /sysroot.
  2. Remount /sysroot as read-write.
    switch_root:/# mount -oremount,rw /sysroot
  3. Switch into a chroot jail, where /sysroot is treated as the root of the file system tree.
    switch_root:/# chroot /sysroot
  4. Set a new root password
    sh-4.2# passwd root
  5. Make sure that all unlabeled files (including /etc/shadow at this point) get relabeled during boot.
    sh-4.2# touch /.autorelabel
  6. Type exit twice. The first will exit the chroot jail, and the second will exit the initramfs debug shell.

Source: Red Hat System Administration III


Register and subscribe Red Hat 7.3 Packages

This article describes how to register a Red Hat system with Red Hat Subscription Management, enable some repositories and verify the result. In this article I am using Red Hat Enterprise Linux 7.3 in a virtual environment. An account for the subscription process can be obtained from the Red Hat portal as a Red Hat developer.

Log in to the system and check the subscription status. At this point the system is not registered with Red Hat Subscription Management.

root:redhat.mylab.com in /root
😃 ➀ yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
repolist: 0

Register the system with Red Hat Subscription Management using the following command and the credentials from the developer portal. Note that a password given on the command line ends up in the shell history and is visible in the process list while the command runs; if you omit --password, subscription-manager prompts for it instead.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager register --username=mymail@email.com --password=mypassword
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: abcdefg-hijkl-mnop-bf16-cfa2dfcebbb4

Once registered, you can list the subscriptions available to the system with the following command.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Developer Suite
Provides:            Red Hat Software Collections (for RHEL Server)
                     Red Hat Container Development Kit
                     MRG Realtime
                     Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Server - Extended Update Support
                     Red Hat Beta
                     Oracle Java (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Compute Node)
                     dotNET on RHEL Beta (for RHEL Server)
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update
                     Support
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server)
                     Oracle Java (for RHEL Server)
                     Red Hat Container Images
                     Red Hat Enterprise Linux for Real Time
                     dotNET on RHEL (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server)
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
                     Red Hat Container Images Beta
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux High Availability (for RHEL Server)
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Server)
                     Red Hat Developer Toolset (for RHEL Server)
SKU:                 RH2262474
Contract:            11293058
Pool ID:             8a85f9815af00aed015af02fffbe5bb4
Provides Management: Yes
Available:           100
Suggested:           1
Service Level:       Self-Support
Service Type:        L1-L3
Subscription Type:   Standard
Ends:                03/21/2018
System Type:         Virtual

Run yum repolist again. The system is now registered but still receives no updates, because no subscription has been attached to it yet.

root:redhat.mylab.com in /root
😃 ➀ yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is registered to Red Hat Subscription Management, but is not receiving updates. You can use subscription-manager to assign subscriptions.
repolist: 0

Attach a subscription to the system with the following command and the Pool ID from the subscription list.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager subscribe --pool=8a85f9815af00aed02846f7sffbe5bb4
Successfully attached a subscription for: Red Hat Enterprise Linux Developer Suite

For a brief view of the subscription status of the installed product, use the following command.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager list

+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.3
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         03/21/2017
Ends:           03/21/2018

For the details of the attached subscription, use the following command.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Developer Suite
Provides:            Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update
                     Support
                     Oracle Java (for RHEL Server)
                     Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
                     dotNET on RHEL Beta (for RHEL Server)
                     Red Hat Beta
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server)
                     MRG Realtime
                     Red Hat Developer Toolset (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux for Real Time
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                     Red Hat Container Images Beta
                     Red Hat Enterprise Linux High Availability (for RHEL Server)
                     Red Hat Container Development Kit
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Compute Node)
                     Red Hat Enterprise Linux Server - Extended Update Support
                     Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                     Oracle Java (for RHEL Server) - Extended Update Support
                     Red Hat Software Collections (for RHEL Server)
                     dotNET on RHEL (for RHEL Server)
                     Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server)
                     Red Hat Container Images
                     Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Server)
SKU:                 RH2262474
Contract:            11293058
Account:             5920534
Serial:              7701382153394857656
Pool ID:             8a85f9815af00aed02846f7sffbe5bb4
Provides Management: Yes
Active:              True
Quantity Used:       1
Service Level:       Self-Support
Service Type:        L1-L3
Status Details:      Subscription is current
Subscription Type:   Standard
Starts:              03/21/2017
Ends:                03/21/2018
System Type:         Virtual

Run yum repolist to confirm that the system now has repository sources.

root:redhat.mylab.com in /root
😃 ➀ yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
repo id                                        repo name                                                    status
!rhel-7-server-rpms/7Server/x86_64             Red Hat Enterprise Linux 7 Server (RPMs)                     14,050
!rhel-7-server-rt-beta-rpms/x86_64             Red Hat Enterprise Linux for Real Time Beta (RHEL 7 Server)      15
!rhel-7-server-rt-rpms/7Server/x86_64          Red Hat Enterprise Linux for Real Time (RHEL 7 Server) (RPMs    185
!rhel-ha-for-rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux High Availability (for RHEL 7 Serve    291
!rhel-rs-for-rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux Resilient Storage (for RHEL 7 Serve    359
repolist: 14,900

Run yum repolist all to see every repository available under this subscription, enabled or not.

root:redhat.mylab.com in /root
😃 ➀ yum repolist all
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
repo id                                                             repo name                      status
rh-gluster-3-client-for-rhel-7-server-debug-rpms/7Server/x86_64     Red Hat Storage Native Client  disabled
...............
!rhel-7-server-rpms/7Server/x86_64                                  Red Hat Enterprise Linux 7 Ser enabled: 14,050
...............
!rhel-7-server-rt-beta-rpms/x86_64                                  Red Hat Enterprise Linux for R enabled:     15
...............
!rhel-7-server-rt-rpms/7Server/x86_64                               Red Hat Enterprise Linux for R enabled:    185
...............
!rhel-ha-for-rhel-7-server-rpms/7Server/x86_64                      Red Hat Enterprise Linux High  enabled:    291
...............
!rhel-rs-for-rhel-7-server-rpms/7Server/x86_64                      Red Hat Enterprise Linux Resil enabled:    359
...............
repolist: 14,900

You can enable or disable a specific repository from the available list with the following commands.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager repos --disable=rhel-ha-for-rhel-7-server-rpms
Repository 'rhel-ha-for-rhel-7-server-rpms' is disabled for this system.

root:redhat.mylab.com in /root
😃 ➀ subscription-manager repos --enable=rhel-7-server-extras-rpms
Repository 'rhel-7-server-extras-rpms' is enabled for this system.

Run yum repolist to confirm the repository list now in use.

root:redhat.mylab.com in /root
😃 ➀ yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
repo id                                repo name                                                            status
!rhel-7-server-extras-rpms/x86_64      Red Hat Enterprise Linux 7 Server - Extras (RPMs)                       432
!rhel-7-server-rpms/7Server/x86_64     Red Hat Enterprise Linux 7 Server (RPMs)                             14,050
!rhel-7-server-rt-beta-rpms/x86_64     Red Hat Enterprise Linux for Real Time Beta (RHEL 7 Server) (RPMs)       15
!rhel-7-server-rt-rpms/7Server/x86_64  Red Hat Enterprise Linux for Real Time (RHEL 7 Server) (RPMs)           185
repolist: 14,682

Once everything is set, update the system so that each installed package receives the latest version from the subscribed repositories.

root:redhat.mylab.com in /root
😃 ➀ yum update
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
rhel-7-server-extras-rpms                                                               | 3.4 kB  00:00:00     
rhel-7-server-rpms                                                                      | 3.5 kB  00:00:00     
rhel-7-server-rt-beta-rpms                                                              | 4.0 kB  00:00:00     
rhel-7-server-rt-rpms                                                                   | 4.0 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package openjpeg-libs.x86_64 0:1.5.1-10.el7 will be updated
---> Package openjpeg-libs.x86_64 0:1.5.1-16.el7_3 will be an update
---> Package tzdata.noarch 0:2017a-1.el7 will be updated
---> Package tzdata.noarch 0:2017b-1.el7 will be an update
---> Package tzdata-java.noarch 0:2017a-1.el7 will be updated
---> Package tzdata-java.noarch 0:2017b-1.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================
 Package               Arch                Version                     Repository                       Size
============================================================================================================
Updating:
 openjpeg-libs         x86_64              1.5.1-16.el7_3              rhel-7-server-rpms               86 k
 tzdata                noarch              2017b-1.el7                 rhel-7-server-rpms              443 k
 tzdata-java           noarch              2017b-1.el7                 rhel-7-server-rpms              182 k

Transaction Summary
============================================================================================================
Upgrade  3 Packages

Total download size: 711 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for rhel-7-server-rpms
(1/3): openjpeg-libs-1.5.1-16.el7_3.x86_64.rpm                                          |  86 kB  00:00:01     
(2/3): tzdata-java-2017b-1.el7.noarch.rpm                                               | 182 kB  00:00:01     
(3/3): tzdata-2017b-1.el7.noarch.rpm                                                    | 443 kB  00:00:03     
-----------------------------------------------------------------------------------------------------------
Total                                                                          183 kB/s | 711 kB  00:00:03     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Updating   : tzdata-2017b-1.el7.noarch                                                               1/6 
  Updating   : tzdata-java-2017b-1.el7.noarch                                                          2/6 
  Updating   : openjpeg-libs-1.5.1-16.el7_3.x86_64                                                     3/6 
  Cleanup    : tzdata-2017a-1.el7.noarch                                                               4/6 
  Cleanup    : tzdata-java-2017a-1.el7.noarch                                                          5/6 
  Cleanup    : openjpeg-libs-1.5.1-10.el7.x86_64                                                       6/6 
rhel-7-server-extras-rpms/x86_64/productid                                              | 2.1 kB  00:00:00     
rhel-7-server-rpms/7Server/x86_64/productid                                             | 2.1 kB  00:00:00     
rhel-7-server-rt-beta-rpms/x86_64/productid                                             | 2.1 kB  00:00:00     
rhel-7-server-rt-rpms/7Server/x86_64/productid                                          | 2.1 kB  00:00:00     
  Verifying  : openjpeg-libs-1.5.1-16.el7_3.x86_64                                                     1/6 
  Verifying  : tzdata-java-2017b-1.el7.noarch                                                          2/6 
  Verifying  : tzdata-2017b-1.el7.noarch                                                               3/6 
  Verifying  : tzdata-java-2017a-1.el7.noarch                                                          4/6 
  Verifying  : openjpeg-libs-1.5.1-10.el7.x86_64                                                       5/6 
  Verifying  : tzdata-2017a-1.el7.noarch                                                               6/6 

Updated:
  openjpeg-libs.x86_64 0:1.5.1-16.el7_3     tzdata.noarch 0:2017b-1.el7     tzdata-java.noarch 0:2017b-1.el7    

Complete!
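The Pool ID used in the subscribe step above was copied by hand from the listing, and a pool that has passed its Ends date attaches nothing useful. The script below is an added example, not part of the original article: it selects the Pool ID from subscription-manager list --available output by subscription name and refuses a pool whose end date has passed, which is the check a practitioner wants when this procedure is scripted for many hosts. The listing it runs on is constructed from the article's output (the second, expired pool and its all-zero Pool ID are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: choose the Pool ID to attach
# from "subscription-manager list --available" output by subscription name,
# refusing pools that have already ended. On a real host:
#   subscription-manager list --available | choose_pool "Red Hat Enterprise Linux Developer Suite"
# and pass the printed Pool ID to "subscription-manager subscribe --pool=...".

# pool_for NAME  <  listing on stdin -> "POOL_ID ENDS" for each matching block.
# A block starts at "Subscription Name:"; "Provides:" spans several indented
# lines, which never match the anchored patterns below.
pool_for() {
    awk -v want="$1" '
        function flush() {
            if (name == want && pool != "") print pool, ends
            name = ""; pool = ""; ends = ""
        }
        /^Subscription Name:/ { flush(); sub(/^Subscription Name: */, ""); name = $0 }
        /^Pool ID:/           { sub(/^Pool ID: */, ""); pool = $0 }
        /^Ends:/              { sub(/^Ends: */, ""); ends = $0 }
        END { flush() }'
}

# date_key MM/DD/YYYY -> YYYYMMDD, so the listing dates compare numerically.
date_key() {
    printf '%s\n' "$1" | awk -F/ '{ printf "%s%s%s\n", $3, $1, $2 }'
}

# pool_active ENDS [TODAY] -> succeeds if the pool has not ended before TODAY.
pool_active() {
    today="${2:-$(date +%m/%d/%Y)}"
    [ "$(date_key "$1")" -ge "$(date_key "$today")" ]
}

# choose_pool NAME [TODAY]  <  listing on stdin -> prints the Pool ID,
# or explains on stderr why none is usable and returns 1.
choose_pool() {
    today="${2:-$(date +%m/%d/%Y)}"
    line=$(pool_for "$1" | head -n 1)
    [ -n "$line" ] || { echo "no available pool named '$1'" >&2; return 1; }
    pool=${line%% *}; ends=${line##* }
    if pool_active "$ends" "$today"; then
        echo "$pool"
    else
        echo "pool $pool for '$1' ended on $ends" >&2
        return 1
    fi
}

# Constructed listing: the first block follows the article's output, the
# second is made up (all-zero Pool ID) to exercise the expiry check.
LISTING='+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Developer Suite
Provides:            Red Hat Software Collections (for RHEL Server)
                     Red Hat Enterprise Linux Server
SKU:                 RH2262474
Pool ID:             8a85f9815af00aed015af02fffbe5bb4
Available:           100
Ends:                03/21/2018
System Type:         Virtual

Subscription Name:   Constructed Expired Pool
Provides:            Nothing real
Pool ID:             00000000000000000000000000000001
Ends:                01/01/2017
System Type:         Virtual'

# Run with --demo to see both outcomes, evaluated as of the article's date.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$LISTING" | choose_pool 'Red Hat Enterprise Linux Developer Suite' 03/21/2017
    printf '%s\n' "$LISTING" | choose_pool 'Constructed Expired Pool' 03/21/2017 || true
fi
```

The parser keys on the left-hand labels rather than column positions, so it copes with the wrapped "Provides:" lines visible in the article's output; matching on the subscription name instead of a hard-coded Pool ID keeps the script valid when the pool is renewed under a new ID.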


SSH Key Exchange fails from CentOS 7 to Cisco IOS

This issue happened when I tried to build a lab using several Cisco devices. I am using CentOS 7 as an SSH terminal server. I faced the issue only with Cisco devices running IOS; the other OSes (IOS-XR and IOS-XE) didn't show the same issue.

I did some debugging on both the CentOS host and the IOS device. You may see this output if you run the same setup.

CentOS 7

[root@terminal ~]# ssh -v 172.16.0.21
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.16.0.21 [172.16.0.21] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST (1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 172.16.0.21

Cisco IOS

SSH1: starting SSH control process
SSH1: sent protocol version id SSH-2.0-Cisco-1.25
SSH1: protocol version id is - SSH-2.0-OpenSSH_6.6.1
SSH2 1: send:packet of  length 368 (length also includes padlen of 5)
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2 1: kex: client->server enc:aes128-ctr mac:hmac-sha1 
SSH2 1: kex: server->client enc:aes128-ctr mac:hmac-sha1 
SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
SSH2 1: Range sent by client is - 1024 < 7680 < 8192 
SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
SSH-5-SSH2_SESSION: SSH2 Session request from 172.16.254.67 (tty = 1) using crypto cipher '', hmac '' Failed
SSH-5-SSH2_CLOSE: SSH2 Session from 172.16.254.67 (tty = 1) for user '' using crypto cipher '', hmac '' closed
SSH1: Session disconnected - error 0x00

The Cisco device I am using supports a maximum key modulus of 4096 bits, as shown below, whereas the client's group-exchange request asks for a preferred DH group of 7680 bits (the 1024<7680<8192 range in the debug above), which the IOS side rejects with DH_RANGE_FAIL.

R1(config)#crypto key generate rsa modulus ?
    size of the key modulus [360-4096]

It seems the issue appears with modern SSH clients, in my case OpenSSH 6.6.1. Cisco has registered bug CSCuo76464 for it.

After some searching I found that you need to reorder the KexAlgorithms in /etc/ssh/ssh_config so that a fixed-group method is offered before the group-exchange ones, by adding the following line:

KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Once that is done, try the SSH connection again. With this ordering the client proposes diffie-hellman-group14-sha1 (a fixed 2048-bit group) first, so it never sends the SSH2_MSG_KEX_DH_GEX_REQUEST that IOS rejected. Note that the list still ends with diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 (a 1024-bit group); keep those only as a last resort for old devices, and consider putting the line in a Host block for the lab devices rather than in the global * section. Below is the ssh debug from my terminal server.

[root@terminal ~]# ssh -v cisco@172.16.0.21
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.16.0.21 [172.16.0.21] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: diffie-hellman-group14-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group14-sha1 need=20 dh_need=20
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA bb:62:4e:54:f7:c5:e8:c1:bd:03:40:cc:2d:bd:81:28
debug1: Host '172.16.0.21' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.16.0.21 ([172.16.0.21]:22).
R1#
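
To see why reordering the client list is enough, here is an added example (my own, not code from the article, Cisco or OpenSSH) of the rule SSH applies when picking the key-exchange method: it walks the client's KexAlgorithms list in order and takes the first entry that the server also offers (RFC 4253, section 7.1). The OpenSSH 6.6 default order below is taken from its built-in defaults rather than from this capture, and the Cisco list is a constructed stand-in built from the two methods the IOS debug shows it accepting; the real Cisco-1.25 KEXINIT list is not shown on this page.

```sh
#!/bin/sh
# Added example: simulate SSH key-exchange negotiation (RFC 4253 section 7.1).
# The chosen method is the first entry of the CLIENT list that the SERVER
# also lists, so the client's ordering decides the outcome.

# Assumed OpenSSH 6.6 default order (from its defaults, not from the capture).
OPENSSH_66_DEFAULT='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# The line the article adds to /etc/ssh/ssh_config.
ARTICLE_KEX='diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

# Constructed server offer: the two methods the IOS debug shows it accepting,
# plus group1 as a stand-in for older devices. Not the real Cisco-1.25 list.
CISCO_KEX='diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Legacy methods worth flagging: group1 uses a 1024-bit group, and all three
# hash with SHA-1. Keep them only for devices that offer nothing better.
LEGACY_KEX='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1'

# negotiate_kex CLIENT_LIST SERVER_LIST
# Prints the method that will be used, or returns 1 if there is no overlap.
negotiate_kex() {
    old_ifs=$IFS
    IFS=','
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# is_legacy_kex METHOD: returns 0 when METHOD is one of the legacy methods.
is_legacy_kex() {
    for w in $LEGACY_KEX; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}
```

With the default client order the first common entry is diffie-hellman-group-exchange-sha1, which triggers the SSH2_MSG_KEX_DH_GEX_REQUEST that IOS rejects; with the article's order it is diffie-hellman-group14-sha1, matching the second debug. The is_legacy_kex check lets a script flag when a negotiation lands on a 1024-bit or SHA-1 method instead of silently accepting it.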

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Input Output (I/O) Redirection

Redirection is the transfer of a command's standard output (or input) to some other destination, such as another program, a file or a printer, instead of the terminal. Linux programs are built to be driven from the command line, with switches controlling what they produce. Every process starts with three default file descriptors: stdin (0), stdout (1) and stderr (2).

Standard Output (stdout)

When we run a Linux command on the terminal we see the output the command produces. For example, the ls command lists all items in the current working directory.

[nantoyudi@client02 /]$ ls                                                                                                         
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  repofile  root  run  sbin  srv  sys  tmp  usr  var

Imagine you need to analyse every PID running on a Linux system. Reading the output page by page in a terminal window is not convenient. A better way is to redirect stdout to a file that you can read later at your leisure. Below I create a fruits.txt file this way.

[nantoyudi@client02 ~]$ echo -e "\napple \nmanggo \nwater melon \ngrape \nbanana \norange" > fruits.txt
[nantoyudi@client02 ~]$ cat fruits.txt 

apple 
manggo 
water melon 
grape 
banana 
orange

In the example above we redirected stdout, so the fruit names went into fruits.txt instead of onto the screen.

Standard Input (stdin)

Generally standard input, referred to as ‘stdin’, comes from the keyboard: when you type something you are writing to stdin. Now let's jump to the example.

In this example we reuse the fruits.txt file created with stdout redirection above. Redirecting standard input from that file lets a command read its content as if it had been typed in. Here I sort the fruit names from a to z.

[nantoyudi@client02 ~]$ sort < fruits.txt 

apple 
banana 
grape 
manggo 
orange
water melon

You can also combine stdin and stdout redirection, like below.

[nantoyudi@client02 ~]$ sort < fruits.txt > fruits-sort.txt
[nantoyudi@client02 ~]$ cat fruits-sort.txt 

apple 
banana 
grape 
manggo 
orange
water melon

Standard Error (stderr)

The final component in this discussion of file descriptors is standard error (stderr). When you run a Linux command, its output goes to one of two places: valid output goes to stdout, and error messages go to stderr. By default both are shown on the terminal screen, which is why they look the same. Let's try a command that generates error messages.

[nantoyudi@client02 ~]$ find / -name "*.rpm"
...
find: ‘/proc/626/task/626/fdinfo’: Permission denied
find: ‘/proc/626/task/626/ns’: Permission denied
find: ‘/proc/626/fd’: Permission denied
find: ‘/proc/626/fdinfo’: Permission denied
find: ‘/proc/626/ns’: Permission denied
...

You will have seen a lot of Permission denied errors in the output above. You can get rid of these messages by redirecting stderr. Keep in mind that 2> /dev/null discards every error, not only the permission-denied ones, so a genuinely broken command will fail silently.

[nantoyudi@client02 ~]$ find / -name "*.rpm" 2> /dev/null
...
/repofile/Packages/zlib-1.2.7-13.el7.i686.rpm
/repofile/Packages/zlib-1.2.7-13.el7.x86_64.rpm
/repofile/Packages/zlib-devel-1.2.7-13.el7.i686.rpm
/repofile/Packages/zlib-devel-1.2.7-13.el7.x86_64.rpm
...

If you want to analyse the output quietly, you can redirect the expected output to a file without any error messages in it.

[nantoyudi@client02 ~]$ find / -name "*.rpm" > rpm-list.txt 2> /dev/null
[nantoyudi@client02 ~]$ ls -l
total 244
-rw-rw-r--. 1 nantoyudi nantoyudi     51 Jul 19 16:24 fruits.txt
-rw-rw-r--. 1 nantoyudi nantoyudi 244493 Jul 20 05:58 rpm-list.txt

Or you can redirect the error messages to a file of their own.

[nantoyudi@client02 ~]$ find / -name "*.rpm" > rpm-list.txt 2> error-list.txt
[nantoyudi@client02 ~]$ ls -l
total 392
-rw-rw-r--. 1 nantoyudi nantoyudi 151499 Jul 20 06:00 error-list.txt
-rw-rw-r--. 1 nantoyudi nantoyudi     51 Jul 19 16:24 fruits.txt
-rw-rw-r--. 1 nantoyudi nantoyudi 244493 Jul 20 06:00 rpm-list.txt
[nantoyudi@client02 ~]$

Another option with output redirection is appending to the file. Any output redirection to an existing file overwrites its content; use the append operator >> to keep the old content.

[nantoyudi@client02 ~]$ sort < fruits.txt >> fruits-sort.txt
[nantoyudi@client02 ~]$ cat fruits-sort.txt 

apple 
banana 
grape 
manggo 
orange
water melon 

apple 
banana 
grape 
manggo 
orange
water melon
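
The following is an added shell example, not from the article, that puts the redirection forms above into small functions you can run: splitting stdout and stderr into separate files, merging them into one file (where the order of the two redirections matters), appending, and using the shell's noclobber option so that a redirection cannot silently overwrite the output of an earlier run. The noisy command is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: the three descriptors under the redirection forms discussed
# above, plus two checks a careful operator wants.

# Constructed command that writes one line to stdout (fd 1) and one to stderr (fd 2).
noisy() {
    echo "normal line"
    echo "error line" >&2
}

# split_streams OUT ERR: the "> out 2> err" form from the article;
# each stream lands in its own file.
split_streams() {
    noisy > "$1" 2> "$2"
}

# merge_to_file FILE: capture both streams in one file.
# Redirections are applied left to right, so stdout must be pointed at the
# file *before* "2>&1" copies fd 1 onto fd 2.
merge_to_file() {
    noisy > "$1" 2>&1
}

# merge_wrong_order FILE: the common mistake. "2>&1" runs first, so fd 2 is
# duplicated from the still-unredirected fd 1, and only "normal line" ends
# up in the file; "error line" escapes to wherever stdout was pointing.
merge_wrong_order() {
    noisy 2>&1 > "$1"
}

# append_log FILE MSG: ">>" keeps existing content; ">" would replace it.
append_log() {
    printf '%s\n' "$2" >> "$1"
}

# write_noclobber FILE MSG: with "set -C" (noclobber) a plain ">" refuses to
# overwrite an existing file, which protects the output of an earlier run.
# Returns non-zero when FILE already exists; use ">|" to override on purpose.
write_noclobber() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# count_lines FILE: small helper for checking results.
count_lines() {
    wc -l < "$1" | tr -d ' '
}
```

The merge_wrong_order function is the one to remember when a cron job or a collection script "loses" its error messages: the file looks clean because the errors went to the terminal or mail spool instead.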

Pipe

A pipe is a form of redirection used in Linux and other Unix-like operating systems to send the output of one program to another program for further processing. A pipe is written in commands as the vertical bar character. The general syntax is:

command_1 | command_2 [| command_3...]

This chain can continue for any number of commands or programs. In most day-to-day operations a Linux administrator uses two elements with a pipe, a command and a filter, like below:

command_1 | (filter) 

One class of program you can use with pipes is called filters. A filter reads the output of the command before it, transforms it, and writes the result to its own output. Below are several filters you may want to explore:

  • sort → sort lines of text
  • uniq → report or omit repeated adjacent lines (sort the input first)
  • grep → print lines matching a pattern
  • wc → print newline, word and byte counts for each file
  • head → output the first ten lines of a file
  • tail → output the last ten lines of a file
  • tee → read from standard input and write to standard output and to files
  • more → page through text one screen at a time
  • less → similar to more but with more features, such as searching for a word

Now let’s perform some tasks with pipe and filters. I have created three files fruits-1.txt, fruits-2.txt and numbers.txt for this purpose.

[nantoyudi@client02 ~]$ cat fruits-1.txt fruits-2.txt numbers.txt

apple
manggo 
grape 
banana 
orange

apple
water melon
plumb 
jack fruit 
strawberry
1
2
3
4
5
6
7
8
9
10
11
12
13
15

Notice that ‘apple’ appears in both files; you will see below how the filters handle it.

Sort

[nantoyudi@client02 ~]$ cat fruits-1.txt fruits-2.txt | sort 


apple
apple
banana 
grape 
jack fruit 
manggo 
orange
plumb 
strawberry
water melon

uniq

[nantoyudi@client02 ~]$ cat fruits-1.txt fruits-2.txt | sort | uniq

apple
banana 
grape 
jack fruit 
manggo 
orange
plumb 
strawberry
water melon

To find out which lines are duplicated, use uniq -d:

[nantoyudi@client02 ~]$ cat fruits-1.txt fruits-2.txt | sort | uniq -d

apple

grep

[nantoyudi@client02 ~]$ cat fruits-1.txt fruits-2.txt | grep apple
apple
apple

wc

[nantoyudi@client02 ~]$ wc fruits-1.txt
 6  5 37 fruits-1.txt

head

[nantoyudi@client02 ~]$ head numbers.txt 
1
2
3
4
5
6
7
8
9
10

tail

[nantoyudi@client02 ~]$ tail numbers.txt 
5
6
7
8
9
10
11
12
13
15

tee

[nantoyudi@client02 ~]$ ls | tee list-files.txt
error-list.txt
fruits-1.txt
fruits-2.txt
fruits-sort.txt
fruits.txt
list-files.txt
numbers.txt
rpm-list.txt

[nantoyudi@client02 ~]$ cat list-files.txt 
error-list.txt
fruits-1.txt
fruits-2.txt
fruits-sort.txt
fruits.txt
list-files.txt
numbers.txt
rpm-list.txt
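
As an added example (not from the article) of these filters on a realistic task, the function below counts failed SSH logins per source address. The log lines are constructed in the script so that it runs offline; cut is used alongside the listed filters to drop the word "from".

```sh
#!/bin/sh
# Added example: the filters above applied to constructed sshd log lines,
# counting failed logins per source address.
SAMPLE_AUTH_LOG='Jul 20 06:01:02 client02 sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jul 20 06:01:04 client02 sshd[2101]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jul 20 06:01:09 client02 sshd[2104]: Accepted password for nantoyudi from 192.0.2.10 port 40100 ssh2
Jul 20 06:01:15 client02 sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 33010 ssh2
Jul 20 06:01:20 client02 sshd[2109]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jul 20 06:01:31 client02 sshd[2112]: Failed password for invalid user test from 198.51.100.7 port 33011 ssh2'

# top_failed_sources [FILE]
# grep keeps only the failures, grep -o pulls "from <address>" out of each
# line, cut drops the word "from", sort | uniq -c collapses duplicates into
# counts, sort -rn ranks them and head keeps the top entries. tee saves a
# copy to FILE (default /dev/null) while still passing the result on.
top_failed_sources() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" \
        | grep 'Failed password' \
        | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | cut -d' ' -f2 \
        | sort | uniq -c | sort -rn | head -n 5 \
        | tee "${1:-/dev/null}"
}

# failed_count: total number of failed attempts (grep -c counts matching lines).
failed_count() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | grep -c 'Failed password'
}
```

On a real host replace the printf with cat /var/log/secure (or journalctl -u sshd) at the head of the pipeline; the rest of the chain stays the same.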

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Globbing and Wildcards

You may have heard about wildcards. We use wildcards to refer to groups of filenames more easily; the official terminology is globbing. So what is globbing?

  • Globbing is also known as using wildcards
  • Used to match filenames
  • More about glob on man 7 glob

A string is a wildcard pattern if it contains one of the characters ‘?’, ‘*’ or ‘[’. Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Note that wildcard patterns are not regular expressions, although they look a bit similar. First, they match filenames rather than text. Second, the conventions are not the same: for example, in a regular expression ‘*’ means zero or more copies of the preceding item, whereas in a glob it means any sequence of characters.

In this example I have created several files in the /root directory for the demonstration: host, hostname, myhost, post, cost, most, 2files, 3files, 10files and 20files. Now let's jump in.

Examples

Any number of characters – ‘*’

[root@client02 etc]# ls host*                                                                                  
host hostname 

The star (‘*’) matches any sequence of characters after the word host, including none. You may also use the star before the rest of the filename:

[root@client02 ~]# ls *st                                                                                                      
host  most  myhost

Exactly one character – ‘?’

[root@client02 ~]# ls ?files                                                                                                       
2files  3files                                                                                                                   

[root@client02 ~]# ls host?                                                                                                          
ls: cannot access host?: No such file or directory

In the first example ‘?’ matches the single digit before files (2files and 3files). The second example matches nothing, because ‘?’ must match exactly one character and no file has exactly one character after host.

Choices between characters – [ab]

[root@client02 ~]# ls [hm]ost                                                                                                      
host  most

Characters inside square brackets are alternatives: the pattern matches ‘h’ or ‘m’ followed by ‘ost’.

[root@client02 ~]# ls [!hm]ost                                                                                                     
cost  post

The ‘!’ negates the set, so it matches any single character before ‘ost’ except ‘h’ or ‘m’.

Using series – [0-9]

[root@client02 ~]# ls [0-9]files                                                                                                   
2files  3files  

[root@client02 ~]# ls [0-9][0-9]files                                                                                              
10files  20files

If your filenames contain numbers you can use a range: [0-9] matches any one digit from 0 to 9 before the word files. In the second example two bracket expressions match two-digit numbers.
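
The following added example (not from the article) recreates the sample directory in a scratch location and runs each pattern through a small helper, so the results can be checked rather than read off a screen; note that in this directory *st also matches cost and post, which end in st too. It also shows a pitfall worth knowing: a file whose name begins with a dash becomes a command-line option when a bare * expands, so prefix the pattern with ./ (or end the options with --).

```sh
#!/bin/sh
# Added example: the article's globbing patterns exercised in a temp dir,
# plus the "filename that looks like an option" pitfall.

# make_sample_dir: prints the path of a new temp dir holding the article's
# files (myhost included, since it appears in the `ls *st` output) and one
# dotfile to show what `*` skips.
make_sample_dir() {
    dir=$(mktemp -d)
    for name in host hostname myhost post cost most 2files 3files 10files 20files .hidden; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# glob_in DIR PATTERN: expand PATTERN inside DIR and print the matches, sorted.
# PATTERN is left unquoted on purpose so the shell performs the globbing.
# When nothing matches, a POSIX shell passes the pattern through literally
# (which is why `ls host?` in the article complained about a file called
# "host?"), so the existence test drops that case.
glob_in() {
    ( cd "$1" && for f in $2; do
          [ -e "$f" ] && printf '%s\n' "$f"
      done ) | sort
}

# glob_count DIR PATTERN: number of matches, for quick checks.
glob_count() {
    glob_in "$1" "$2" | wc -l | tr -d ' '
}

# make_option_trap_dir: a directory containing a file literally named "-l"
# next to an ordinary file, to show how an expansion can inject an option.
make_option_trap_dir() {
    dir=$(mktemp -d)
    : > "$dir/-l"
    : > "$dir/notes"
    printf '%s\n' "$dir"
}

# list_unsafe DIR: `ls *` expands to `ls -l notes`, so the "-l" file is
# consumed as an option and only "notes" is listed (in long format).
list_unsafe() {
    ( cd "$1" && ls * )
}

# list_safe DIR: `ls ./*` expands to `ls ./-l ./notes`; every argument
# starts with "./", so none can be mistaken for an option.
list_safe() {
    ( cd "$1" && ls ./* )
}
```

The same trap applies to rm, tar, chown and any other tool run with a bare * in a directory where others can create files; the ./ prefix is the habit that avoids it.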

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com