Stuff I'm Up To

Technical Ramblings

VCSA root Locked Out! — June 7, 2019

VCSA root Locked Out!

This gave me cause for tears today. The VCSA (vCenter Server Appliance) management Web UI (https://vcsa:5480) decided not to let me in as root. I’m guessing I spannered the password a few too many times.

It’s a very good job that at some point in the past I put my public key onto the system so I could use my plain old no password required private key to logon to the system using ssh!

SSH Logon with Private Key

Now I’m logged onto the console how do I go about getting access back to the Web UI? I discovered that the VCSA system uses pam_tally2 to lockout sessions. What I needed to do was reset the root account:

# pam_tally2 --user=root
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root --reset
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root
 Login           Failures Latest failure     From

Now I can logon to the Web UI!

The lesson to learn here is to install your public key onto your precious Linux boxes!

Advertisements
Public Key from Private Key — January 3, 2019

Public Key from Private Key

I fall over this every so often. I have the private key file but would either have to trawl servers for authorized_keys files to get the public password or remember how to obtain the public key from the private key.

Time to document it here so I don’t have to hunt for it with Google again.

For an RSA PEM format public key

$ openssl rsa -in private.key -pubout

-----BEGIN PUBLIC KEY-----
MIIBIDA ...
-----END PUBLIC KEY-----

For an SSH putty friendly version

$ ssh-keygen -y -f private.key

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQE ...
SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017

SRX SSH Ciphers, Algorithms & Key Exchange

When doing a Nessus scan for the first time on the new SRX320 cluster it highlighted some weaknesses in the SSH protocol. This was due to arcfour, cbc and hmac being enabled by default.

So to remedy this we need to set the acceptable levels of ciphers etc.

Using the CLI a simple change to the config for the SSH service is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ];
# set macs [ hmac-sha2-256 "hmac-sha2-256-etm@openssh.com" hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" ];
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes and rescan and all is good.

Continue reading

SSH Logon with Private Key — March 1, 2017
SSH Weak MAC Algorithms Enabled — February 15, 2017
SSH Tunnelling — September 27, 2016
Debian Installation — September 20, 2016

Debian Installation

When I setup a Debian server there’s a few basic things I do to get it online.

First steps boot from the netinst CD and follow the installer.

First logon using SSH as your regular user account as root can’t access the system remotely. So you’ll have to logon unprivileged and then su to root.

$ su

Sudo

Then before doing anything else install sudo and give your user account access by making them a member of the sudo group.

# apt-get install sudo
# usermod -a -G sudo [user]

You’ll have to logout and back in to pick-up the sudo group change.

Continue reading