Stuff I'm Up To

Technical Ramblings

vSphere SSH failed to connect to host — November 17, 2017


When trying to apply patches to one of our ESXi 6.0 hosts I found I couldn’t connect to it using ssh. Stopping and starting SSH from vCenter didn’t work. Neither did disabling/enabling from the DCUI.

From my client I’d see:

ssh_exchange_identification: Connection closed by remote host

So then I resorted to checking out the server from the console. First I made sure SSH was stopped from either of the GUIs.

Use ALT-F1 at the DCUI and logon to the host using your root account.

Then I tried to start sshd as a daemon using:

# /usr/lib/vmware/openssh/bin/sshd -D

This reported the errors "Unsupported option running" and "Unsupported option PrintLastLog".

So I edited my /etc/ssh/sshd_config file. I don't know what caused it, but it was just a # missing from the first line. I guess I must have spannered it at some point when editing it to disable some ciphers. The good news is that using this method I can at least get some clear output from sshd -D to tell me why it wasn't starting properly.

# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

UsePrivilegeSeparation no

SyslogFacility auth
LogLevel info

PermitRootLogin yes

PrintMotd yes
PrintLastLog no

TCPKeepAlive yes

X11Forwarding no


So just to be safe I checked the other hosts and copied an sshd_config from one of the known good ones.
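As an added example (not code from the original post), here is a small lint pass that catches exactly this failure mode, a comment line that lost its leading # and is therefore read as an option, and also flags a few settings in the config above that are worth a second look before copying it around. The keyword allowlist is a hand-picked, partial set (an assumption), not OpenSSH's full table, and "sshd -t -f FILE" remains the authoritative syntax check whenever sshd itself can be run. The two sample files are constructed from the config shown above.

```shell
#!/bin/sh
# Added example, not from the original post: lint an sshd_config for option
# names outside a known set (a comment missing its '#' shows up this way) and
# for settings worth reviewing. KNOWN_KEYWORDS is partial (an assumption).
KNOWN_KEYWORDS="port protocol hostkey useprivilegeseparation syslogfacility
loglevel permitrootlogin printmotd printlastlog tcpkeepalive x11forwarding
ciphers macs kexalgorithms passwordauthentication pubkeyauthentication
listenaddress addressfamily subsystem usepam match allowusers allowgroups
denyusers denygroups logingracetime maxauthtries strictmodes authorizedkeysfile
challengeresponseauthentication permitemptypasswords clientaliveinterval
clientalivecountmax banner usedns allowtcpforwarding gatewayports acceptenv
pidfile compression hostbasedauthentication ignorerhosts permittunnel"

lint_sshd_config() {
    # Usage: lint_sshd_config FILE ; prints one finding per line, exits 1 if any
    awk -v known="$KNOWN_KEYWORDS" '
        BEGIN { n = split(known, arr); for (i = 1; i <= n; i++) ok[arr[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (!(key in ok)) {
                printf "line %d: Unsupported option %s (a comment missing its leading #?)\n", NR, $1
                bad = 1; next
            }
            if (key == "permitrootlogin" && val == "yes") { printf "line %d: PermitRootLogin yes: review whether root over SSH is needed\n", NR; bad = 1 }
            if (key == "useprivilegeseparation" && val == "no") { printf "line %d: UsePrivilegeSeparation no: sshd keeps full privileges while talking to the client\n", NR; bad = 1 }
            if (key == "protocol" && val ~ /1/) { printf "line %d: Protocol %s: SSH protocol 1 enabled\n", NR, $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

TMP=$(mktemp -d)
# Constructed sample: the post's config with the leading '#' dropped from line 1.
cat > "$TMP/sshd_config.broken" <<'EOF'
running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation no
PermitRootLogin yes
PrintLastLog no
X11Forwarding no
EOF
# The repaired copy: the same file with the comment marker put back.
sed '1s/^/# /' "$TMP/sshd_config.broken" > "$TMP/sshd_config.fixed"

echo "== broken =="; lint_sshd_config "$TMP/sshd_config.broken" || true
echo "== fixed ==";  lint_sshd_config "$TMP/sshd_config.fixed"  || true
```

On the broken file the first finding is "line 1: Unsupported option running", the same complaint sshd -D gave. On the repaired file only the review items remain; PermitRootLogin yes and UsePrivilegeSeparation no are the ESXi defaults, so treat those lines as a prompt to check, not as errors.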

Horizon View Client v4.6.0 — November 15, 2017


I decided to upgrade my VMware Horizon View client today. It still has the same kind of issues as detailed here:

This time around my problems were with libgstreamer components. Even though I made sure they were installed, the libraries were a different version than the one required by the client.

Specifically required:


On my Debian Stretch install I had 1.0 versions.

So a quick fix by linking these made the scan issues go away.

$ cd /usr/lib/x86_64-linux-gnu
$ sudo ln -s
$ sudo ln -s
$ sudo ln -s


Java Keystore Management — November 14, 2017


In the process of getting a new queue management system installed I discovered they're using HTTP and not HTTPS. As part of our security process I had to recommend they change this to an HTTPS/SSL encrypted portal, as it uses a logon process that would otherwise be in clear text.

The product is based on Wildfly and Java, so they are progressing the deployment using Java keystores (JKS) and certificates. When they pointed me to their installation guide I discovered they recommend the use of Keystore Explorer for managing the Java certificates.

So I downloaded it and have to say I'm impressed. It makes life so much easier when trying to manage certificates from Windows CAs, OpenSSL and JKS. Definitely a valuable addition to my tool box. As it's written in Java it's available for Windows, Linux and fruit based systems.


Systemd and systemctl services — November 1, 2017


I know it's not all that new, but it's not something I've spent much time working with, having previously used init.d to enable/disable system services. Today I removed a program from my system and purged the config files, but it left behind a service in a failed condition. Of course it failed: I'd just removed all the files and config.

Using systemctl I could see my magicbox service still there and failed.

$ systemctl status magicbox.service                                   
● magicbox.service - Magic Box process
   Loaded: loaded (/usr/lib/systemd/system/magicbox.service; enabled; ven
   Active: failed (Result: exit-code) since Wed 2017-11-01 13:36:57 GMT; 1min 9s
  Process: 839 ExecStart=/opt/magicbox/embedded/bin/start (code=exited, s
 Main PID: 839 (code=exited, status=203/EXEC)

Thankfully the clue is in the output. It tells me where the .service file is on the Loaded: line. So to tidy up I followed part of the guidance I found here:

$ sudo systemctl disable [servicename]
$ sudo rm /etc/systemd/system/[servicename]
$ sudo systemctl daemon-reload
$ sudo systemctl reset-failed

But bear in mind that the service I want isn’t located there. It’s under /usr/lib/systemd/system so I needed to remove that file instead.
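As an added example (not the original post's code), the script below reads the unit file path off that Loaded: line rather than assuming /etc/systemd/system, and then runs the same four tidy-up steps against wherever the unit actually lives. With DRY_RUN=1 it only prints the commands, which is how it runs here; the status text it parses is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: find a failed unit's file from
# "systemctl status" output and remove it with the same four steps as above.
# DRY_RUN=1 prints the commands instead of running them.

# Print the path inside "Loaded: loaded (/path/unit.service; enabled; ...)".
unit_file_from_status() {
    sed -n 's/^ *Loaded: loaded (\([^;]*\);.*/\1/p' | head -n 1
}

# Either run a command or, with DRY_RUN=1, just show it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Disable, delete, reload and clear the failed state for one unit file.
# Only paths under the directories systemd loads units from are accepted,
# so a mangled path cannot turn "rm" loose somewhere else.
remove_failed_unit() {
    unit_path=$1
    case "$unit_path" in
        /etc/systemd/system/*.service|/usr/lib/systemd/system/*.service|/lib/systemd/system/*.service) ;;
        *) echo "refusing to remove '$unit_path': not a systemd unit path" >&2; return 1 ;;
    esac
    unit_name=${unit_path##*/}
    run systemctl disable "$unit_name"
    run rm -f "$unit_path"
    run systemctl daemon-reload
    run systemctl reset-failed
}

# Constructed sample: the status output shown in the post (lines cut off as there).
STATUS_SAMPLE='● magicbox.service - Magic Box process
   Loaded: loaded (/usr/lib/systemd/system/magicbox.service; enabled; ven
   Active: failed (Result: exit-code) since Wed 2017-11-01 13:36:57 GMT; 1min 9s
  Process: 839 ExecStart=/opt/magicbox/embedded/bin/start (code=exited, s
 Main PID: 839 (code=exited, status=203/EXEC)'

UNIT_PATH=$(printf '%s\n' "$STATUS_SAMPLE" | unit_file_from_status)
echo "unit file: $UNIT_PATH"
DRY_RUN=1 remove_failed_unit "$UNIT_PATH"
```

On a live system the path can be asked for directly with systemctl show -p FragmentPath --value magicbox.service and fed to remove_failed_unit; the path check matters because a unit that was installed by a package usually sits under /usr/lib/systemd/system (or /lib/systemd/system on Debian), not under /etc.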

References – See table 1

Fun with NTP — October 4, 2017


One of our Debian servers had a large time discrepancy. Turned out NTP wasn’t installed or working.

After I installed ntp I still wasn’t seeing a time update. Probably because I was more than 30 minutes adrift. So I had to force an ntp update.

Install ntp and set the servers in the .conf to match your ntp servers.

$ sudo apt-get install ntp
$ sudo vi /etc/ntp.conf

Then force a time update

$ sudo systemctl stop ntp.service
$ sudo ntpd -gq
$ sudo systemctl start ntp.service

The ntpd may take a while before dropping you back to the prompt.

Horizon Client Stealing my Mouse — September 27, 2017


On my Linux VMWare Horizon client (v4.5.0 5650368) it doesn’t seem to matter what choice I make about NOT Connecting USB Devices at Startup it still continued to take over my Logitech USB Receiver.

I’d have to use the keyboard and navigate the menu so I could get control of my mouse back. Thankfully I don’t have a Logitech keyboard that uses the same receiver.

It was an easy fix, but I don't know why it does it. The permissions on the ~/.vmware folder and files all seem OK. The fix is just to edit the view-preferences file and amend the line or lines as follows.

$ vi ~/.vmware/view-preferences
view.usbAutoConnectAtStartUp = "FALSE"
view.usbAutoConnectOnInsert = "FALSE"


Android Trusted CA Certificate — September 20, 2017


We have been tested by some of our Android Lollipop tablets. Adding a trusted CA certificate used to be as easy as visiting the proxy portal and clicking the install certificate button.

Now these devices come up with an error complaining that there is “no certificate in file”.

After reading a lot of Android nightmare posts about converting the PEM certificate to pfx/p12 using openssl, then rooting the device and delivering the certificate into the cacerts folder from the command line, it turned out to be far simpler.


OwnCloud, php7.0-fpm and Memcache — September 19, 2017


When checking out the setup for our OwnCloud system it came up with a few cautionary problems that needed to be resolved.

The problems related to environment variables and file locking.

php does not seem to be setup properly to query system environment variables. The test with getenv("PATH") only returns an empty response. Please check the installation documentation for php configuration notes and the php configuration of your server, especially when using php-fpm.


Transactional file locking is using the database as locking backend, for best performance it's advised to configure a memcache for locking. See the documentation for more information.


VMWare Restart Guest from Command Line — August 16, 2017


We don’t have to do this so often. So when we do I always forget the syntax.

Login as root on the host of the guest OS. Find the numeric VMID of the guest and issue a power off/on command.

# vim-cmd vmsvc/getallvms | grep -i "[GUESTNAME]"
Vmid                   Name                                                             File                                                   Guest OS          Version                                                                                                      Annotation                                                                                                   
114    PaymentsTest                            [Datastore-1] PaymentsTest/PaymentsTest.vmx                                               windows8Server64Guest   vmx-10

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered on

# vim-cmd vmsvc/power.off 114
Powering off VM:

# vim-cmd vmsvc/power.getstate 114
Retrieved runtime info
Powered off

# vim-cmd vmsvc/power.on 114
Powering on VM:
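As an added example (not from the original post), the script below does the same thing but resolves the guest name to its Vmid with an exact, case-insensitive match on the Name column. The grep -i in the commands above would also match a VM called, say, PaymentsTest2, and powering off the wrong guest is the kind of mistake this is meant to prevent: the lookup refuses to continue if the name is absent or ambiguous, and only then power-cycles that one Vmid. The getallvms sample is constructed from the post's output with a second, made-up VM added; the script sticks to POSIX sh because the ESXi shell is BusyBox ash.

```shell
#!/bin/sh
# Added example, not from the original post: name -> Vmid lookup with exact
# matching, then a power-off/wait/power-on cycle of just that Vmid.
# Assumes VM names without spaces (the post's sample has none).

vmid_for_name() {
    # Usage: vmid_for_name NAME < getallvms-output ; prints the Vmid or fails
    name=$1
    want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    ids=$(awk -v want="$want" 'NR > 1 && tolower($2) == want { print $1 }')
    nl='
'
    case "$ids" in
        "")      echo "no VM named '$name'" >&2; return 1 ;;
        *"$nl"*) echo "name '$name' matches more than one Vmid: $ids" >&2; return 1 ;;
    esac
    printf '%s\n' "$ids"
}

vm_state() {
    # Second line of power.getstate is "Powered on" / "Powered off"
    vim-cmd vmsvc/power.getstate "$1" | sed -n '2p'
}

power_cycle_vm() {
    # Usage: power_cycle_vm VMID ; hard power-off, wait for the state to change, power on
    vmid=$1
    vim-cmd vmsvc/power.off "$vmid"
    i=0
    while [ "$(vm_state "$vmid")" != "Powered off" ]; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "VM $vmid did not power off" >&2; return 1; }
        sleep 2
    done
    vim-cmd vmsvc/power.on "$vmid"
}

# Constructed sample: the post's getallvms line plus a second, made-up VM.
SAMPLE='Vmid   Name            File                                            Guest OS                Version   Annotation
114    PaymentsTest    [Datastore-1] PaymentsTest/PaymentsTest.vmx     windows8Server64Guest   vmx-10
115    PaymentsTest2   [Datastore-1] PaymentsTest2/PaymentsTest2.vmx   windows8Server64Guest   vmx-10'

VMID=$(printf '%s\n' "$SAMPLE" | vmid_for_name paymentstest)
echo "would run: vim-cmd vmsvc/power.off $VMID && vim-cmd vmsvc/power.on $VMID"
# On a host: power_cycle_vm "$(vim-cmd vmsvc/getallvms | vmid_for_name PaymentsTest)"
```

power.off is the hard reset the post uses; where VMware Tools is running in the guest, vim-cmd vmsvc/power.shutdown asks the guest OS to shut down cleanly instead and is the kinder option when the guest is still responsive.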



VCSA 6.0 U3b to 6.5 U1 — August 10, 2017


So far this upgrade seems to be frustrating straight out of the box! We already run a VCSA (vCenter Server Appliance), and the process should be to automatically deploy a new VCSA, migrate the data from the old to the new, and then power down the old, all from the Windows GUI installer.

But it fails to deploy with an unknown error.

If you save and view the installer log it becomes abundantly clear what the failure is. The installer is trying to issue a ‘date’ command at the current VCSA’s command line, and fails because it’s expecting a BASH shell and instead it is getting the default vCenter shell where the BASH shell is disabled.

2017-08-10T07:56:13.446Z - info: VM Identifier for Source VC: 78
2017-08-10T07:56:13.570Z - debug: initiateFileTransferFromGuest error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get fileTransferInfo:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - debug: Failed to get url of file in guest vm:ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Error in getting fileData for nodeType. Error: ServerFaultCode: A general system error occurred: Unknown error
2017-08-10T07:56:13.573Z - error: Failed to read the nodetype, Error: A general system error occurred: Unknown error
2017-08-10T07:56:13.574Z - info: Checking if password expired
2017-08-10T07:56:14.994Z - info: Banner from server, 
VMware vCenter Server Appliance

Type: vCenter Server with an embedded Platform Services Controller

2017-08-10T07:56:14.995Z - info: Connection ready
2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:55:37 UTC 2017 from pc8501.domain.local on pts/0

2017-08-10T07:56:15.008Z - info: STDOUT: Last login: Thu Aug 10 07:56:15 2017 from pc8766.domain.local

2017-08-10T07:56:15.010Z - info: STDOUT: date

2017-08-10T07:56:15.246Z - info: STDOUT: Connected to service

2017-08-10T07:56:15.255Z - info: STDOUT: [?1034h
    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Enable BASH access: "shell.set --enabled True"
    * Launch BASH: "shell"

2017-08-10T07:56:15.255Z - info: STDOUT: Command> d
2017-08-10T07:56:15.256Z - info: STDOUT: ate

2017-08-10T07:56:15.270Z - info: STDOUT: Unknown command: `date'
Command> exit

2017-08-10T07:56:15.305Z - info: Stream :: close
2017-08-10T07:56:15.306Z - info: Password not expired
2017-08-10T07:56:15.308Z - error: sourcePrecheck: error in getting source Info: ServerFaultCode: A general system error occurred: Unknown error

In order to address the issue you need to change the default shell for the root user. It’s very easy to do, but will also require a password change.

Logon to the current VCSA using ssh as the root user. Enable the BASH shell and start the shell using:

shell.set --enabled True

Now change the root users default shell using

# chsh -s /bin/bash root

Now the installer should at least proceed through that part to deploy the image to the specified server.


SMB mount error(112): Host is down — August 3, 2017


Whilst trying to mount a Windows (cifs) volume onto my Linux workstation I encountered the following error:

$ sudo mount -t cifs -o user=mylogon //myserver/myshare /mnt/mountpoint 
Password for mylogon@//myserver/myshare: ***********
mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

As ever with Windows I suspected the SMBv1 disabled problem and wasn’t disappointed to discover this was precisely the issue.


OpenSSL and Subject Alternative Names — July 27, 2017


Google Chrome has now started bitching about certificates not having Subject Alternative Names, because the practice of relying on Common Names in certificates has changed.

So in order to get the SAN into a CSR you need to edit the OpenSSL config file you're using for the request. You could spend time scripting something, but for the few times I do it I just copy the base openssl.cnf file to one specific to the CSR I need to create. After all, you'll already have customised the req_distinguished_name section so you don't have to put in the country and company name every time, e.g.

$ cp /etc/ssl/openssl.cnf ~/myserver.cnf

Then I just use that new cnf file as part of the command line to create the CSR.

$ openssl req -out myserver.csr -new -newkey rsa:2048 -nodes -keyout myserver.key -config ~/myserver.cnf
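As an added example (not code from the original post), here is the shape of a per-request config with the SAN entries in a v3_req section, the CSR generated from it with the same command as above, and a check that the SANs really made it into the request before it goes off to the CA. The host names, the organisation and the 192.0.2.10 address are placeholders (an assumption), not the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: build a CSR whose SAN comes from
# the request config, then confirm the SAN is present before submitting it.

WORK=$(mktemp -d)

# Write a minimal request config. "prompt = no" makes openssl take the DN from
# the section instead of asking, so the whole thing runs unattended.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
C  = GB
O  = Example Ltd
CN = myserver.example.com

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = myserver.example.com
DNS.2 = www.myserver.example.com
IP.1  = 192.0.2.10
EOF
}

# Generate key and CSR from the config (same command shape as in the post).
make_san_csr() {
    cfg=$1; key=$2; csr=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
}

# Print the SAN line of a CSR so it can be eyeballed (or asserted) before submission.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

write_req_config "$WORK/myserver.cnf"
make_san_csr "$WORK/myserver.cnf" "$WORK/myserver.key" "$WORK/myserver.csr"
SANS=$(csr_sans "$WORK/myserver.csr")
echo "SANs in CSR: $SANS"
# The private key in $WORK/myserver.key stays on this box; only the .csr goes to the CA.
```

Keep the CN duplicated as DNS.1: Chrome ignores the CN, so a certificate whose only name is in the CN fails even when that name is correct. On OpenSSL 1.1.1 and later the same SAN can be given on the command line with -addext "subjectAltName=DNS:myserver.example.com,DNS:www.myserver.example.com" without editing the config at all.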
