Archive for the ‘Open Source Software’ Category

List MySQL Table Space Consumption

Thursday, December 15th, 2011

Have you ever needed to print out a list of each table within MySQL and how much space was consumed?

Try this to list the top 20 space offenders:

SELECT engine, CONCAT(table_schema, '.', table_name) AS table_name,
       CONCAT(ROUND(data_length / (1024 * 1024), 2), 'M') AS data_length,
       CONCAT(ROUND(index_length / (1024 * 1024), 2), 'M') AS index_length,
       CONCAT(ROUND((data_length + index_length) / (1024 * 1024), 2), 'M') AS total_size
  FROM information_schema.TABLES
 ORDER BY (data_length + index_length) DESC
 LIMIT 20;

Bear in mind that for InnoDB tables these figures come from the engine's cached statistics and are estimates rather than exact byte counts. If you also want to see space that is allocated but no longer used (reclaimable with OPTIMIZE TABLE when innodb_file_per_table is on), add the DATA_FREE column to the select list.

Taken from a comment on the mysql developer docs site: http://dev.mysql.com/doc/refman/5.1/en/tables-table.html

Open Source Software Support

Thursday, November 10th, 2011

I am once again consulting. If you have any needs related to open source software, let me know!

linux (at) itsecureadmin (dot) com

I specialize in Linux authentication and access control, OpenLDAP directory management, configuration management, and monitoring.

ITSA Consulting, LLC.

Encrypted Volume Management

Wednesday, September 21st, 2011

A few weeks ago, I posted about how to add a pass-phrase to a LUKS encrypted volume. A LUKS (version 1) header has 8 key slots; once all 8 are in use, luksAddKey will fail and you need to either remove old pass-phrases (luksKillSlot by slot number, or luksRemoveKey if you still know the pass-phrase) or replace the pass-phrase held in an existing slot.

To list the slots, use the luksDump command:

cryptsetup luksDump /dev/sda2

This will print out each slot and whether it is ENABLED or DISABLED so that you can pick the old ones to remove.

You can use the luksChangeKey action to replace the pass-phrase in an existing slot; it prompts for the old pass-phrase and then for the new one.

cryptsetup luksChangeKey /dev/sda2

After running this command, the actual operation performed was to remove key slot 4 (in my case) and add an entry to slot 0 for the new key. Verified with luksDump again.
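The slot bookkeeping above, worked through as an added example (this is not code from the original post): a POSIX shell script that parses luksDump output to find which slots are in use and which is the first free one, then rotates a pass-phrase into an explicit slot with luksAddKey --key-slot and retires the old slot with luksKillSlot, taking a header backup first. The luksDump output embedded in it is constructed, /dev/sda2 is the post's example device, and the /root/ backup path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: inspect LUKS key slots and
# rotate a pass-phrase into an explicit slot instead of letting luksChangeKey
# pick one. The SAMPLE_* dumps below are constructed for offline use.

# Print the numbers of the slots luksDump reports as in use, one per line.
# Understands LUKS1 "Key Slot N: ENABLED" lines and the LUKS2 "Keyslots:"
# section ("  N: luks2"); reads the dump on stdin.
used_luks_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); print $3; next }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: /      { sub(/:$/, "", $1); print $1 }
    '
}

# LUKS1 headers have 8 slots, LUKS2 headers 32; reads the dump on stdin.
luks_slot_count() {
    awk '/^Version:/ { n = ($2 == "2") ? 32 : 8; print n; exit }'
}

# Print the lowest unused slot number; $1 = slot count, dump on stdin.
# Returns 1 when every slot is taken, which is the situation the post
# describes (then something has to be killed before anything can be added).
first_free_luks_slot() {
    used=" $(used_luks_slots | tr '\n' ' ')"
    i=0
    while [ "$i" -lt "$1" ]; do
        case "$used" in
            *" $i "*) ;;
            *) echo "$i"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

# Live rotation (needs root and a real LUKS device).
# usage: rotate_luks_passphrase /dev/sda2 OLD_SLOT
rotate_luks_passphrase() {
    dev=$1
    old_slot=$2
    dump=$(cryptsetup luksDump "$dev") || return 1
    count=$(printf '%s\n' "$dump" | luks_slot_count)
    new_slot=$(printf '%s\n' "$dump" | first_free_luks_slot "$count") || {
        echo "all $count key slots on $dev are in use; kill one first" >&2
        return 1
    }
    # A damaged header or an emptied slot table makes the data unrecoverable,
    # so keep a header backup (path is an assumption) before touching slots.
    cryptsetup luksHeaderBackup "$dev" \
        --header-backup-file "/root/luks-header-$(basename "$dev").img" || return 1
    # Prompts for an existing pass-phrase, then the new one, which lands in new_slot.
    cryptsetup luksAddKey --key-slot "$new_slot" "$dev" || return 1
    # Prompts for a pass-phrase from any other slot, then wipes old_slot.
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Constructed LUKS1 dump: slots 1 and 4 in use, so the next free slot is 0,
# which matches what the post observed luksChangeKey doing.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256

Key Slot 0: DISABLED
Key Slot 1: ENABLED
        Iterations:             123456
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: ENABLED
        Iterations:             123456
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed LUKS2 dump; note the Digests section also numbers its entries,
# which is why the parser only counts inside the Keyslots section.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Offline demonstration on the constructed LUKS1 dump.
count=$(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | luks_slot_count)
printf 'used slots: %s\n' "$(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | used_luks_slots | tr '\n' ' ')"
printf 'next free slot: %s\n' "$(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | first_free_luks_slot "$count")"
```

Running the script as-is only parses the embedded sample; rotate_luks_passphrase is the part you would call on a real device, and it refuses to proceed if no free slot exists rather than silently overwriting one.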

Domain Auto-Enrollment / Hostname Management with Powershell (v2)

Wednesday, August 17th, 2011

I am realizing now that I need to get a git repo set up that is publicly accessible which will allow me to share scripts and other code snippets that I'm working on.

Here is the second iteration of the PowerShell domain/hostname management script that I'm working on. It will also update the SQL Server's registered server name (what the script calls the dbname, changed via sp_dropserver/sp_addserver) to reflect the hostname change on SQL Server 2008 boxes.

# This script will re-initialize domain membership and change the hostname to reflect the
# hexadecimal representation of the IP address assigned on boot.
#
# Author:  Josh Miller
# Date:    8/12/2011
#
# Note that there are 4 possible conditions that a host may come up in:
# 1. valid domain, invalid hostname
#    (although domain membership is invalid)
# 2. invalid domain, invalid hostname
# 3. invalid domain, valid hostname
# 4. valid domain, valid hostname
#
# The actions that will be taken for each of these conditions are:
# 1. leave domain, reboot
# 2. change hostname, reboot
# 3. join domain, reboot
# 4. do nothing, final condition
#
# Setup:
# 1. setup scheduled task to run on start-up as local administrator
# 2. create bat file to execute this powershell script, e.g.:
#   powershell -command "& 'c:\tools\powershell\domain.ps1' "
# 3. create AMI/template on network with DHCP
# 4. join to domain
# 5. verify that scheduled task is running as local administrator, bear
#    in mind that hostnames change frequently and just before you clone/
#    create the AMI, set the credentials again.
#
# Note:  this should really not work.  Once the hostname changes and the
#        machine reboots, it should not have permission to run one more
#        time to join the domain.  I don't understand why it works.  The
#        next run fails due to lack of permissions which is understandable
#        and acceptable.
#

# join domain values
# NOTE: this credential is stored in plain text inside the AMI/template, so
# anyone who can read the image or this file gets it. Use a dedicated account
# that is only delegated rights to create/rename computer objects in the
# target OU, not a general admin account.
$domain = "domain.com"
$user   = "domain\ad_user"
$pass   = "mysecret"

# Add-Computer wants a PSCredential, so wrap the plain-text password.
$secpassword = ConvertTo-SecureString $pass -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($user, $secpassword)

# hostname to operate against - typically this host
$scripthost = get-content env:computername

# Leave the domain.
function LeaveDomain {

  Add-Computer -WorkGroupName "WorkGroup" -Credential $credentials

}

# Join the domain.
function JoinDomain {

  Add-Computer -DomainName $domain -Credential $credentials

}

# Restart the machine
function RestartMachine {

  Restart-Computer -Force

}

# Function to set hostname to hexadecimal representation of IP address
function SetHexHostname ([string] $setHostName) {

  # Return value of 5    means 'Access denied'.
  # Return value of 1326 means 'Logon failure: unknown username or bad password'.

  $computerinfo = Get-WmiObject -Class Win32_ComputerSystem
  $computerinfo.Rename( $setHostName )

}

# Function to get hostname as hexadecimal representation of IP address
function GetHexHostname {

  $getHostName = ""

  # Get the first IPv4 address of an IP-enabled adapter.
  # Win32_NetworkAdapterConfiguration.IPAddress is an array that can also hold
  # IPv6 addresses, so pick the first dotted-quad explicitly instead of relying
  # on "{0:x}" -f to return the first element.
  $myIpAddress = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'" |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
    Select-Object -First 1

  if ( -not $myIpAddress ) {
    Write-Host "No IPv4 address found, cannot derive hostname."
    exit
  }

  # split ip into 4 octets and convert each to two uppercase hex digits
  $octets = $myIpAddress.split(".")

  foreach ($octet in $octets) {

    # {0:X2} zero-pads to two digits, so 10.0.1.20 becomes 0A000114
    $hexOctet = [System.String]::Format("{0:X2}",[System.Convert]::ToUInt32($octet))

    $getHostName = "$getHostName" + "$hexOctet"
  }

  # "IP-" plus 8 hex digits is 11 characters, within the 15 character NetBIOS limit
  $getHostName = "IP-" +  $getHostName

  Return $getHostName

}

# Function updates the SQL Server's registered server name (sp_dropserver /
# sp_addserver) to match the hostname. SQL Server does not pick up an OS
# rename on its own; @@SERVERNAME keeps the old value until this is done.
function SetDBName ([string] $setDBName) {

  # Get SQL server version
  #  8.x = 2000
  #  9.x = 2005
  # 10.x = 2008
  $server_version = Invoke-Sqlcmd -Query "Select serverproperty('productversion') as version;"

  # productversion is a string such as '10.50.1600.1'. Compare the numeric
  # major part: a plain string comparison would sort '10.x' before '9.x'.
  $sql_major = [int] ($server_version.version.Split('.')[0])

  if ( $sql_major -lt 9 ) {

    # works for sql2000; srvid 0 is the local server, the rest are linked servers
    $results = Invoke-Sqlcmd -Query "select srvname from sysservers where srvid = 0;"
    $current_dbname = $results.srvname

  } else {

    # works for sql2005/2008; server_id 0 is the local server
    $results = Invoke-Sqlcmd -Query "select name from sys.servers where server_id = 0;"
    $current_dbname = $results.name

  }

  if ( $setDBName -ne $current_dbname ) {

    Write-Host "Updating SQL Server name from $current_dbname to $setDBName"

    Invoke-Sqlcmd -Query "exec sp_dropserver '$current_dbname';"
    Invoke-Sqlcmd -Query "exec sp_addserver  '$setDBName', local;"

    # The new name takes effect once the SQL Server service restarts, which
    # the reboot following the hostname change takes care of.

  }

}

#                                       #
# Start program execution.  #
#                                       #

# Ensure hostname is properly set
$testHostname = GetHexHostname

# Is admin share available? (Test-Path returns a bool; no string comparison needed.)
if ( -not ( Test-Path "\\$scripthost\admin`$" ) ) {
  Write-Host "Unable to access admin share."
  exit
}

$ObjReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $scripthost)
$ObjRegKey = $ObjReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters")
$DomName = $ObjRegKey.GetValue("Domain")

if ( $DomName -eq $domain ) {

  Write-Host "Valid domain."

  if ( $testHostName -ne $scripthost ) {

    Write-Host "Invalid hostname, leaving domain."

    LeaveDomain
    RestartMachine

  } else {

    Write-Host "Valid domain and hostname."

  }

} else {

  Write-Host "Invalid domain."

  if ( $testHostName -ne $scripthost ) {

    Write-Host "Hostname not set correctly, setting to $testHostName"
    SetHexHostname ( $testHostname )
    SetDBName ( $testHostname )

  } else {

    Write-Host "Valid hostname, joining domain."
    JoinDomain

  }

  # Restart after either changing hostname or joining domain.
  RestartMachine

}

As always, let me know if you have any improvements, bugs, suggestions, etc.. at:
linux (at) itsecureadmin (dot) com

Update ssh private key pass phrase.

Monday, August 15th, 2011

I like to keep certain passwords in sync with one another as I perform gigs for various clients and adhere to password policies for each company. As part of the password update, I typically need to update my SSH key pass phrase using the following command:

$ ssh-keygen -f ~/.ssh/id_rsa  -p

Note that the filename given with -f is the private key; the public key is untouched by a pass-phrase change.

That allows me to keep the same password across a single client or organization.
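The same rotation, as an added example that is not part of the original post: a POSIX shell function that changes the pass-phrase with ssh-keygen -p and then checks the result the way a practitioner would before trusting it, by re-deriving the public key with the new pass-phrase (ssh-keygen -y) and comparing it with the stored .pub file. The key path and pass-phrases are whatever the caller supplies; nothing here is taken from the post beyond the ssh-keygen -p invocation.

```shell
#!/bin/sh
# Added example, not from the original post: rotate the pass-phrase on an
# SSH private key and verify the result before relying on it.

# usage: rotate_ssh_passphrase KEY [OLD NEW]
# With only KEY, ssh-keygen prompts for both pass-phrases; that is the form
# to use interactively, because pass-phrases given on the command line are
# visible in ps output and shell history. OLD and NEW are accepted for
# scripted use such as the test harness.
rotate_ssh_passphrase() {
    key=$1
    check="$key.pub.check"
    if [ "$#" -eq 3 ]; then
        ssh-keygen -q -p -f "$key" -P "$2" -N "$3" || return 1
        # Re-derive the public key with the new pass-phrase: proves the
        # private key still decrypts and was not corrupted by the rewrite.
        ssh-keygen -y -f "$key" -P "$3" > "$check" || { rm -f "$check"; return 1; }
    else
        ssh-keygen -p -f "$key" || return 1
        ssh-keygen -y -f "$key" > "$check" || { rm -f "$check"; return 1; }
    fi
    # The derived key must match the stored .pub (type and base64 fields only;
    # the comment field may legitimately differ).
    if [ -f "$key.pub" ] &&
       [ "$(cut -d' ' -f1,2 "$check")" != "$(cut -d' ' -f1,2 "$key.pub")" ]; then
        echo "$key: public key mismatch after rotation" >&2
        rm -f "$check"
        return 1
    fi
    rm -f "$check"
}

# Status 0 when OLD no longer unlocks KEY, i.e. the rotation really happened.
# usage: old_passphrase_rejected KEY OLD
old_passphrase_rejected() {
    if ssh-keygen -y -f "$1" -P "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

Interactive use is simply rotate_ssh_passphrase ~/.ssh/id_rsa; the function's exit status tells you whether the key still loads afterwards, which matters more than the "saved with the new passphrase" message ssh-keygen prints.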

Domain Auto-Enrollment / Hostname Management with Powershell

Tuesday, July 26th, 2011

I am working on a project where I spin up a number of Windows servers into AWS and had to automate the AD enrollment and hostname setting. To do this, I used the following PowerShell script, which I set up as a scheduled task to run at startup before creating an AMI and/or template from the instance.

This script could use some additional error checking and validation and is a work in progress.

#
# Verify hostname and domain membership.
# - Fix if not valid.
#

#
# There are 4 possible states that this script accounts for:
#
# 1. Computer is a valid member of the domain with proper hostname.
# 2. Computer is an invalid member of the domain.
# 3. Computer is not a member of the domain.
# 4. Computer has an invalid hostname.
#
# There are 4 possible scenarios that must be played out with relation to
# the above states:
# 1. Do nothing.
# 2. Remove computer from domain and reboot (essentially places computer in state 3 on boot).
# 3. Join the domain, reboot.
# 4. Change hostname, reboot.
#
# Note that some machines may go through each of the 4 states before finishing configuration.
#

#
# join domain values
#
$domain = "MYDOMAIN"
$user   = "MYDOMAIN\MYUSER"
$pass   = "MYSECRET"

#
# Function to set hostname to hexadecimal representation of IP address
# to ensure unique hostname among environments.
#
function SetHexHostname {

  $hostName = ""

  # Get the first IPv4 address of an IP-enabled adapter. The IPAddress
  # property is an array that may also contain IPv6 addresses, so select
  # the first dotted-quad explicitly.
  $myIpAddress = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'" |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
    Select-Object -First 1

  # split ip into 4 octets and convert each to two uppercase hex digits
  $octets = $myIpAddress.split(".")

  foreach ($octet in $octets) {

    # {0:X2} zero-pads to two digits
    $hexOctet = [System.String]::Format("{0:X2}",[System.Convert]::ToUInt32($octet))

    $hostName = "$hostName" + "$hexOctet"
  }

  $hostName = "IP-" +  $hostName

  #
  # If the hostname does not match, change it.
  # ($scriptHost is set further down, before this function is called.)
  #
  if ( $hostName -ne $scriptHost ) {

    #
    # Must perform as domain member with privileges to update AD with new name
    # - or as local admin when not a member of domain?
    #

    $computerinfo = Get-WmiObject -Class Win32_ComputerSystem
    $computerinfo.Rename( $hostName )
  }

}

$secpassword = ConvertTo-SecureString $pass -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($user, $secpassword)

#
# hostname to operate against - typically this host
#
$scripthost = get-content env:computername

#
# Check this location for domain membership details.
#
$adminpath = Test-Path "\\$scripthost\admin`$"

#
# Is admin share available? (Test-Path returns a bool.)
#
if ($adminpath) {

  $ObjReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $scripthost)
  $ObjRegKey = $ObjReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters")
  $DomName = $ObjRegKey.GetValue("Domain")

  #
  # If domain member of domain, validate membership
  #
  if ( $DomName -eq $domain ) {

    Write-Host "$scripthost is a member of $DomName"

    #
    # Validate domain membership
    #
    $job = Start-Job -Credential $credentials -ScriptBlock { Test-ComputerSecureChannel }
    Wait-Job $job | Out-Null
    $validDomainMember = Receive-Job $job
    Remove-Job $job

    if ( $validDomainMember ) {

      Write-Host "Valid domain member"

      #
      # After validating domain membership, change hostname.
      #
      # - This has an unfortunate side effect of not allowing the script to run any more due
      #   to the job being scheduled as a local admin (with hostname).
      #
      SetHexHostname

    } else {
      write-host "Not a valid domain member"

      #
      # Leave domain by joing workgroup "workgroup" and restart.
      #
      Add-Computer -WorkGroupName "WorkGroup" -Credential $credentials
      Restart-Computer -ComputerName $scripthost

    }

  } else {

    write-host "Not part of domain, joining $domain"
    Add-Computer -DomainName $domain -Credential $credentials
    Restart-Computer -ComputerName $scripthost

  }

} else {

  Write-Host "$scripthost: Computer not found or no access to admin share for me"

}

(Note: does not work on 2003 R2 due to some winRM issues — if you know how to resolve this, please contact me.)

Fedora 15 Automatic Updates

Friday, July 15th, 2011

Now why would a Linux distribution have automatic updates? They don’t. They never have. They allow the user to maintain software updates without intervention. Automation is performed by the administrator and that’s why most folks use Linux.

Not any more.

I was tailing the system log on my Fedora 15 desktop yesterday when I see this message roll across the display:

Jul 14 16:32:14 my-desktop dbus-daemon: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Jul 14 16:32:14 my-desktop dbus-daemon: [system] Successfully activated service 'org.freedesktop.PackageKit'
Jul 14 16:33:53 my-desktop yum[18560]: Updated: 32:bind-license-9.8.0-7.P4.fc15.noarch
Jul 14 16:33:55 my-desktop yum[18560]: Updated: 32:bind-libs-9.8.0-7.P4.fc15.i686
Jul 14 16:33:59 my-desktop yum[18560]: Updated: 32:bind-utils-9.8.0-7.P4.fc15.i686
Jul 14 16:34:01 my-desktop yum[18560]: Updated: 32:bind-libs-lite-9.8.0-7.P4.fc15.i686
Jul 14 16:34:03 my-desktop yum[18560]: Updated: kernel-headers-2.6.38.8-35.fc15.i686
Jul 14 16:34:15 my-desktop yum[18560]: Installed: kernel-devel-2.6.38.8-35.fc15.i686
Jul 14 16:34:28 my-desktop yum[18560]: Installed: kernel-2.6.38.8-35.fc15.i686

Now I’m no fan of PackageKit. I dislike the new era of developers who have come in and name their daemons, packages, and config files in camel case going against the long running standard of using all lower case. This is especially true of anything with a Kit appended to the name. This is the same movement that is trying to take the desktop with Linux and destroying the simple nature of a beautiful system.

Now, here is how you disable the automatic updates:
1. Install or confirm that you have gnome-packagekit installed.
2. Run ‘gpk-prefs’ and configure it to never check for any updates.

Jenkins Slave Authentication

Friday, July 8th, 2011

Note that the following applies to a Windows Slave connecting to a Linux master.

Once security is enabled on a Jenkins master, JNLP slaves must authenticate to it or they will stop connecting. For a Windows slave installed as a service, the following gets the slave authenticating to the master:

1. Edit jenkins-slave.xml (the service wrapper configuration in the slave's working directory) and append the following to the end of the <arguments> element:

-classpath "%BASE%\lib\commons-codec-1.5.jar" -jnlpCredentials username:password -noCertificateCheck

Two caveats on those arguments. -jnlpCredentials puts a credential in plain text in jenkins-slave.xml, so restrict the file's ACL and prefer the user's API token (shown on the user's Configure page) over the account password. -noCertificateCheck disables validation of the master's TLS certificate; it gets you past a self-signed certificate, but it also lets anyone who can intercept the connection impersonate the master, so the better fix is to import the master's certificate into the slave JVM's truststore and drop the flag.

Once that is complete, download commons-codec-1.5.jar and place it in the lib directory within the Jenkins slave working directory (you will have to create this if it does not yet exist).

Download from:

http://commons.apache.org/codec/download_codec.cgi

Next, restart the Jenkins Slave service on the slave and verify.

Ubuntu fail…

Tuesday, June 28th, 2011

I was reviewing the FAQ for cryptsetup today and noticed the following warning on the page:

- Ubuntu as of 4/2011: It seems the installer offers to create LUKS partitions in a way that several people mistook for an offer to activate their existing LUKS partition. The installer gives no or an inadequate warning and will destroy your old LUKS header, causing permanent data loss. See also the section on Backup and Data Recovery.

re: http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

That’s pretty bad. That’s actually something that is not forgivable, IMO.

Any time you deal with someone’s data, you should be very careful, too careful.

Jenkins CI – Authentication Lockout

Thursday, June 9th, 2011

As I’ve been working with Jenkins lately, authentication has become an obstacle to overcome. I’ve begun using the AD plugin for authentication which seems to work fairly well. Two issues that I have found semi-regularly as I test and implement solutions around authentication are: 1) the administrator getting locked out, and 2) connection timeouts to AD from Jenkins.

In order to resolve the issue with any user getting locked out, there are two possible solutions that I use. The one that seems most recommended on the internet is to edit the config.xml in the Jenkins home directory and set useSecurity to false, which switches security off entirely until it is reconfigured. I don’t like this and don’t use it anymore. The method that I prefer (when locking myself out) is to set myself up as the administrator by adding the following permission entry under the authorizationStrategy element in config.xml:

hudson.model.Hudson.Administer:USERNAME

After that, a restart of Jenkins (Tomcat, in this deployment) will allow you to log in as the administrator.

As far as the connection timeouts, those are intermittent and have not yet warranted detailed troubleshooting. I am using an uncommon network configuration for this particular deployment which introduces quite a bit of latency at times.