Showing posts with label RHEL Management.

Monday, July 17, 2017

sshpass remote command execution - password change



# Rotate root's password on every host listed in systems_list.  The old
# password is handed to sshpass through the SSHPASS environment variable (-e)
# rather than -p, which would show it in "ps" on this host; the remote command
# is single-quoted so the local shell does not split it, and -n keeps ssh from
# swallowing the rest of systems_list.  The new password still appears briefly
# in the remote shell's argument list; feed it through a file or chpasswd if
# that matters.
while IFS= read -r host; do
        SSHPASS='oldpassword@2016' sshpass -e ssh -n -q "root@$host" \
                'echo "NEwpassword@2017" | passwd root --stdin'
done < systems_list
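As an added example (not part of the original post), here is the same rotation written so that neither password appears on a command line: the old password reaches sshpass through -f, the new one is piped to chpasswd on the target, and the host list and password files are arguments. The password file paths in the usage line are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): rotate root's password on a list
# of hosts without either password on a command line.  The old password goes
# to sshpass via -f, the new one is piped to chpasswd on the target, so neither
# shows up in "ps" locally or remotely.
set -eu

# check_secret_file FILE : refuse password files readable by group or others.
check_secret_file() {
    local f=$1 mode
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f must be mode 0600, is $mode" >&2; return 1 ;;
    esac
}

# chpasswd_line USER FILE : the "user:password" record chpasswd reads on stdin,
# taken from the first line of FILE (a file without a trailing newline is fine).
chpasswd_line() {
    local user=$1 f=$2 pw
    IFS= read -r pw < "$f" || [ -n "$pw" ]
    printf '%s:%s\n' "$user" "$pw"
}

# rotate_root_password HOSTS OLDPW_FILE NEWPW_FILE
rotate_root_password() {
    local hosts=$1 old=$2 new=$3 host
    check_secret_file "$old"
    check_secret_file "$new"
    while IFS= read -r host; do
        # skip blank lines and comments in the host list
        case "$host" in ''|\#*) continue ;; esac
        # ssh reads the piped chpasswd record, not the host list.  Strict host
        # key checking replaces the original -q: an unknown or changed host key
        # aborts instead of handing both passwords to an impostor.
        if chpasswd_line root "$new" |
           sshpass -f "$old" ssh -o StrictHostKeyChecking=yes "root@$host" chpasswd; then
            echo "rotated: $host"
        else
            echo "FAILED: $host" >&2
        fi
    done < "$hosts"
}

# Usage (paths are assumptions): rotate_root_password systems_list /root/.oldpw /root/.newpw
```

chpasswd is part of shadow-utils, so unlike passwd --stdin it is not RHEL-specific; the record it reads is the same "user:password" form for every host.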

Monday, March 20, 2017

User, group and password syncing script for SFTP servers

The following script syncs the local account files to the SFTP systems; it can be run from cron (for example every 30 minutes). It runs from a single management host (call it IPAserver) on which users are created and passwords are reset, and the targets need key-based root ssh from that host. User home directories are created automatically when users log in for the first time. Note that the copy replaces the target's /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow wholesale, root's hash and any host-local service accounts included, so all three hosts must be managed only from IPAserver.
----------

#!/bin/bash
# Push the local account files to both SFTP nodes, keeping a timestamped
# backup of each file on the target before overwriting it.
SFTP01=172.28.56.10
SFTP02=172.28.56.11
DATE=$(date +%m%d%y%H%M%S)
for i in /etc/passwd /etc/group /etc/shadow /etc/gshadow; do
        for host in "$SFTP01" "$SFTP02"; do
                # -n: keep ssh from reading the loop's stdin
                ssh -n "$host" "cp $i $i.$DATE"
                scp "$i" "$host:$i"
        done
done
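An added alternative (not from the original post) that pushes only the SFTP accounts instead of the whole files, so the target keeps its own root hash and service accounts: what crosses the wire is the passwd lines of one group's members plus their shadow hashes for chpasswd -e. The group name sftponly, the sample account data and the file paths are assumptions made for the example; push_accounts additionally assumes the group already exists on the target with the same gid.

```bash
#!/bin/bash
# Added example (not from the original post): sync only the SFTP accounts
# rather than copying /etc/passwd and /etc/shadow wholesale.  Assumptions:
# the SFTP users are the members of one group ("sftponly" here) and that
# group already exists on the targets with the same gid.
set -eu

# Constructed sample data standing in for /etc/group, /etc/passwd, /etc/shadow
SAMPLE_GROUP='root:x:0:
sftponly:x:1500:alice,bob'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1500::/myhome:/bin/false
bob:x:1002:1500::/myhome:/bin/false
svc:x:1003:1003::/var/lib/svc:/sbin/nologin'
SAMPLE_SHADOW='root:$6$rootsalt$roothash:17000:0:99999:7:::
alice:$6$asalt$ahash:17200:0:99999:7:::
bob:!!:17200:0:99999:7:::
svc:*:17000:0:99999:7:::'

# group_members GROUP_DATA PASSWD_DATA GROUP : the group's explicit members
# plus every user whose primary group it is, one per line, sorted.
group_members() {
    local gdata=$1 pdata=$2 group=$3 gid
    gid=$(printf '%s\n' "$gdata" | awk -F: -v g="$group" '$1 == g { print $3 }')
    [ -n "$gid" ] || { echo "no such group: $group" >&2; return 1; }
    {
        printf '%s\n' "$gdata" | awk -F: -v g="$group" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
        printf '%s\n' "$pdata" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# select_entries DATA USERS : the lines of DATA (passwd or shadow format)
# whose login name is in the space-separated list USERS.
select_entries() {
    printf '%s\n' "$1" | awk -F: -v list="$2" \
        'BEGIN { n = split(list, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 } ($1 in want)'
}

# chpasswd_input SHADOW_DATA USERS : "user:hash" lines for `chpasswd -e` on the
# target; locked accounts (!! or *) carry no hash and are skipped.
chpasswd_input() {
    select_entries "$1" "$2" | awk -F: '$2 !~ /^[!*]/ { print $1 ":" $2 }'
}

# push_accounts HOST : create missing accounts and sync hashes on HOST.
# Needs root ssh to the target; not exercised by the sample data.
push_accounts() {
    local host=$1 users passwd shadow
    passwd=$(cat /etc/passwd) shadow=$(cat /etc/shadow)
    users=$(group_members "$(cat /etc/group)" "$passwd" sftponly | tr '\n' ' ')
    select_entries "$passwd" "$users" |
    while IFS=: read -r name _ uid gid _ home shell; do
        # -n: do not let ssh consume the rest of the piped passwd lines
        ssh -n "$host" "id '$name' >/dev/null 2>&1 || useradd -u '$uid' -g '$gid' -d '$home' -M -s '$shell' '$name'"
    done
    chpasswd_input "$shadow" "$users" | ssh "$host" 'chpasswd -e'
}
```

With the sample data only alice's hash is shipped: bob's account is locked (!!) and root and svc are not in the group, which is exactly the set of accounts the wholesale copy above would have overwritten on the target.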

FIND command - file deletion excluding a specific extension

# cat non_csv_delete.sh
#!/bin/bash
# Remove everything except CSV files from each SFTP user's home.
while IFS= read -r user; do
        # guard: an empty line would turn /home/$user/ into /home/ and delete every home
        [ -n "$user" ] && [ -d "/home/$user" ] || continue
        find "/home/$user/" -type f ! -name '*.csv*' ! -name '*.CSV*' -delete
done < /sftp_users.txt

How to set up SFTP to chroot only for specific users

https://access.redhat.com/solutions/20764



Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise Linux (RHEL) 7

Issue

  • How to set up sftp to chroot only for specific users
  • How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
  • Preserve normal ssh/sftp functionality for most other users
  • Support for sftp/scp account jails in openssh server
  • I am facing problems for configuring sftp server and need assistance for the same.

Resolution

In order to allow ChrootDirectory functionality on a per-user basis, employ a conditionally-executed sshd configuration (using the "Match" keyword) in the sshd_config file.
This example will use a "Match" block based on group membership, but other criteria may used in a "Match" block to determine which users are restricted to the ChrootDirectory (see "man sshd_config" for more details).
NOTE :- The ChrootDirectory and every directory component of its path must be owned by root:root and must not be group- or world-writable; otherwise sshd refuses the sftp login and logs "bad ownership or modes for chroot directory component".
If / itself is not root:root, fix that first before trying chroot-sftp operation :-
# chown root:root /
  1. Edit sshd_config
    • Comment the original Subsystem entry for sftp and replace it with a new entry:
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp
    
    • Add the following to the end of the /etc/ssh/sshd_config file.
            Match Group sftponly
                    ChrootDirectory /chroots/%u
                    AllowTcpForwarding no
                    ForceCommand internal-sftp
                    X11Forwarding no
    
  2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp and sftp access will be limited to their chrooted environment.)
    # groupadd sftponly
    
    NOTE: Persons not in this group can still log in to the host via ssh and otherwise interact with openssh normally.
  3. Configure or create the accounts of any sftp-only users.  NOTE: the specified home directory is relative to the ChrootDirectory.
    # usermod  -g sftponly -s /bin/false user  
    
    or
    #useradd -d /myhome -M -g sftponly -s /bin/false user
    
    In case you newly created the "user", set its password
    # passwd user
    
  4. Create the user's chroot environment and configure directory permissions.  Ensure that this entire path is owned by root and only writable by root.
    # mkdir -p /chroots/user ; chmod -R 755 /chroots/user
    
    NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user will have an individual chroot environment.
    Users will not be able to see other directories located beneath the root of their chrooted environment.
  5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).
    # mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome
    
    NOTE: The permission of the user chroot directory that is, /chroots/user/myhome should be 0755.
  6. Restart sshd.
    Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.
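An added check (not part of the Red Hat article) for the ownership and mode rules sshd applies to ChrootDirectory: every component of the path has to be owned by root and must not be group- or world-writable, or the login fails with "bad ownership or modes for chroot directory component" in the sshd log. The path /chroots/user in the usage line is the article's example.

```bash
#!/bin/bash
# Added example (not from the Red Hat article): verify the ownership and mode
# rules sshd enforces on ChrootDirectory before a user first tries to log in.
# Every component of the chroot path must be owned by root (uid 0) and be
# neither group- nor world-writable.
set -eu

# path_components /chroots/user  ->  "/", "/chroots", "/chroots/user" (one per line)
path_components() {
    local p=$1 acc=''
    printf '/\n'
    p=${p#/}                      # drop the leading slash, then walk the segments
    while [ -n "$p" ]; do
        acc="$acc/${p%%/*}"
        printf '%s\n' "$acc"
        case "$p" in */*) p=${p#*/} ;; *) p='' ;; esac
    done
}

# component_ok UID MODE : apply sshd's rule to one stat result.
# MODE is the octal permission string as printed by `stat -c %a` (e.g. 755, 1777).
component_ok() {
    local uid=$1 mode=$2
    [ "$uid" -eq 0 ] || return 1
    # the group-write and other-write bits (022) must both be clear
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR : walk every component of DIR and report violations;
# returns non-zero if any component would make sshd reject the chroot.
check_chroot_path() {
    local rc=0 c uid mode
    for c in $(path_components "$1"); do     # paths without spaces assumed
        uid=$(stat -c '%u' "$c")
        mode=$(stat -c '%a' "$c")
        if ! component_ok "$uid" "$mode"; then
            printf 'BAD: %s owner uid=%s mode=%s\n' "$c" "$uid" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_chroot_path /chroots/user
```

Note that the user's writable home (/chroots/user/myhome in the article) sits below the chroot and is deliberately not checked: only the chroot directory and its parents are subject to the rule.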

How to configure SFTP to prompt user to change password when user password is expired?


https://access.redhat.com/solutions/24758


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • In a SFTP only server, after manually expiring the password, trying to login to SFTP will immediately disconnect the user. As the users do not have a shell, they are not prompted to change password at SFTP prompt as opposed to SSH login.

Resolution

  • Once password for a user expires, then the user may be prompted to change his password at the next SFTP login by making the following changes in the ssh configuration file /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
  • Then restart the sshd service for the changes to take effect. Now a user whose password has expired will be prompted to reset it at the next SFTP login.

Root Cause

  • ChallengeResponseAuthentication usually serves an equivalent role to password authentication, so you should disable either PasswordAuthentication or ChallengeResponseAuthentication, not run both.
  • ChallengeResponseAuthentication controls support for the keyboard-interactive authentication scheme, in which the client sends a response to a challenge posed by the server. With it enabled in sshd_config the server answers with the password prompt, and because the exchange goes through PAM, the expired-password prompt can be delivered even though the account has no shell.

Sunday, March 19, 2017

SFTP is not working using IPA Client

Edit /etc/ssh/sshd_config, comment out the line
Subsystem sftp /usr/libexec/openssh/sftp-server
and replace it with
Subsystem sftp internal-sftp
then restart the sshd service and try again.

Sunday, February 12, 2017

How to disable password aging for a user account



chage -m 0 -M 99999 -I -1 -E -1 lxuser1

[root@sp1lvlxbpm01 ~]# chage -l lxuser1
Last password change                                    : Feb 13, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999

Number of days of warning before password expires       : 7

This only affects accounts in the local /etc/shadow; for IPA-managed users the IPA password policy applies instead.


http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/

Wednesday, June 15, 2016

Configuring HTTP Proxy in the CLI for yum updates

Configuring HTTP Proxy in the CLI

  • Run the subscription-manager command as follows:
    # subscription-manager config --server.proxy_hostname=proxy.example.com --server.proxy_port=8080 --server.proxy_user=admin --server.proxy_password=secret
  • Also set the proxy in the [main] section of /etc/yum.conf, using the same host and port:
    proxy=http://proxy.example.com:8080
    proxy_username=admin
    proxy_password=secret
  • Keep in mind that both /etc/rhsm/rhsm.conf (written by subscription-manager config) and /etc/yum.conf then hold the proxy password in clear text.

Saturday, March 5, 2016

How to troubleshoot device-mapper: table: 253:7: multipath: error getting device?

Version: Red Hat Enterprise Linux 6.4
Problem:
[root@j1 ~]#dmesg
[Hardware Error]: Machine check events logged
[Hardware Error]: Machine check events logged
[Hardware Error]: Machine check events logged
[Hardware Error]: Machine check events logged
ISO 9660 Extensions: Microsoft Joliet Level 3
ISO 9660 Extensions: RRIP_1991A
device-mapper: table: 253:7: multipath: error getting device
device-mapper: ioctl: error adding target to table
device-mapper: table: 253:7: multipath: error getting device
device-mapper: ioctl: error adding target to table
device-mapper: table: 253:7: multipath: error getting device
device-mapper: ioctl: error adding target to table
device-mapper: table: 253:7: multipath: error getting device
device-mapper: ioctl: error adding target to table
[root@j1 ~]# dmsetup info -C
Name             Maj Min Stat Open Targ Event  UUID
vg00-LogVol01    253   5 L--w    1    1      0 LVM-eJV2Rjx11AacJLzet6tcb2z2O9PTUku64U1mtUXXTcl72B6Iu6W5V6Hin7uTNOkw
vg00-LogVol00    253   0 L--w    1    1      0 LVM-eJV2Rjx11AacJLzet6tcb2z2O9PTUku6EJrCeqVbJoyKw44HELUYjF9N2dVlHc4Q
mpathd           253   4 L--w   33    1      1 mpath-36001438009b064580000400000710000
mpathc           253   3 L--w    9    1      1 mpath-36001438009b064580000400000650000
mpathb           253   2 L--w   63    1      1 mpath-36001438009b0645800004000006b0000
vg00-LogVol03    253   1 L--w    1    1      0 LVM-eJV2Rjx11AacJLzet6tcb2z2O9PTUku6HogLq442U3F5A2Kj4PDAOm56R1Krex2j
vg00-LogVol02    253   6 L--w    1    1      0 LVM-eJV2Rjx11AacJLzet6tcb2z2O9PTUku6wQS2Nd3n04mFad51Lx1Y8VBdqIxHq0KV
[root@j1 ~]# vgs
  VG   #PV #LV #SN Attr   VSize   VFree
  vg00   1   4   0 wz--n- 558.68g 369.23g
[root@j1 ~]# pvs
  PV         VG   Fmt  Attr PSize   PFree
  /dev/sda2  vg00 lvm2 a--  558.68g 369.23g
[root@j1 ~]# lvs
  LV       VG   Attr      LSize  Pool Origin Data%  Move Log Cpy%Sync Convert
  LogVol00 vg00 -wi-ao--- 97.66g
  LogVol01 vg00 -wi-ao---  9.77g
  LogVol02 vg00 -wi-ao--- 19.53g
  LogVol03 vg00 -wi-ao--- 62.50g
[root@j1 ~]# lsmod |grep dm_multipath
dm_multipath           17756  4 dm_round_robin
dm_mod                 82839  22 dm_multipath,dm_mirror,dm_log
[root@blj1 ~]# dmsetup info -C|grep "253  51"
c5b99426--ae33--4e40--9196--46a9d8166824-9010fc21--3827--4cce--b5f8--8c843868cab2 253  51 L--w    1   10      0 LVM-WtianbDfgqXa3kjqvNu3Pz2PVO1Vdv8CA84E6FJbCyYfkkDQpGdPYSwrgnk1sYPZ

[root@blj1 ~]# lvs |grep 8c843868cab2
  9010fc21-3827-4cce-b5f8-8c843868cab2 c5b99426-ae33-4e40-9196-46a9d8166824 -wi-ao----  17.12g

[root@j1 ~]# grep -v ^$ /etc/multipath.conf
defaults {
        udev_dir                /dev
        polling_interval        10
        path_selector           "round-robin 0"
        path_grouping_policy    failover
        getuid_callout          "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
        prio                    alua
        path_checker            tur
        rr_min_io               100
        rr_min_io_rq            1
        rr_weight               uniform
        failback                immediate
        no_path_retry           12
        user_friendly_names     yes
}
blacklist {
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]"
        devnode "^hd[a-z][[0-9]]"
        devnode "^cciss!c[0-9]d[0-9]"
        devnode "^sda[0-9]"
}
devices {
        device {
               vendor                   "HP"
               product                  "OPEN-."
               path_grouping_policy     multibus
               getuid_callout           "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
               path_selector            "round-robin 0"
               path_checker             tur
               features                 "0"
               hardware_handler         "0"
               prio                     const
               failback                 immediate
               rr_weight                uniform
               no_path_retry            queue
               rr_min_io                1000
               rr_min_io_rq             1
       }
}
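The post stops at the symptom, so here is an added triage step (not from the original post) that automates the cross-check done by hand above: it pulls the MAJ:MIN pairs out of the device-mapper errors and looks each one up in dmsetup info -C. Run against the post's own output it shows that 253:7 belongs to no existing map, i.e. the multipath table was rejected before the map came into existence, whereas a minor that does appear (like the constructed 253:4 case below) points at a failed reload of a live map. The dmesg and dmsetup samples embedded in the block are constructed, trimmed to the shape of the output above.

```bash
#!/bin/bash
# Added example (not from the original post): cross-check "device-mapper:
# table: MAJ:MIN" errors from dmesg against the maps dmsetup knows about.
set -eu

# Constructed sample input, shaped like the dmesg and dmsetup output above.
# 253:4 is added here to show the "existing map" branch.
DMESG_SAMPLE='[Hardware Error]: Machine check events logged
device-mapper: table: 253:7: multipath: error getting device
device-mapper: ioctl: error adding target to table
device-mapper: table: 253:7: multipath: error getting device
device-mapper: table: 253:4: multipath: error getting device'

DMSETUP_SAMPLE='Name             Maj Min Stat Open Targ Event  UUID
vg00-LogVol01    253   5 L--w    1    1      0 LVM-aaaa
mpathd           253   4 L--w   33    1      1 mpath-36001438009b064580000400000710000
vg00-LogVol00    253   0 L--w    1    1      0 LVM-bbbb'

# failing_minors : unique MAJ:MIN pairs named in device-mapper table errors (stdin)
failing_minors() {
    sed -n 's/^device-mapper: table: \([0-9]*:[0-9]*\): .*/\1/p' | sort -u
}

# map_name MAJ:MIN : the dmsetup map name for that device (stdin is
# `dmsetup info -C` output), or "<none>" if no map has that minor.
map_name() {
    local maj=${1%%:*} min=${1##*:}
    awk -v maj="$maj" -v min="$min" \
        'NR > 1 && $2 == maj && $3 == min { print $1; found = 1 }
         END { if (!found) print "<none>" }'
}

# triage DMESG_OUTPUT DMSETUP_OUTPUT : one verdict line per failing device
triage() {
    local dmesg_out=$1 dmsetup_out=$2
    printf '%s\n' "$dmesg_out" | failing_minors | while IFS= read -r dev; do
        name=$(printf '%s\n' "$dmsetup_out" | map_name "$dev")
        if [ "$name" = "<none>" ]; then
            printf '%s: no map exists; the table was rejected before the map was created\n' "$dev"
        else
            printf '%s: existing map %s failed a table reload\n' "$dev" "$name"
        fi
    done
}

# Live usage:  triage "$(dmesg)" "$(dmsetup info -C)"
```

On the post's output this separates the two cases that need different follow-up: a rejected new map means looking at what multipathd tried to build (its blacklist and the path devices it saw), while a failed reload of a live map means one of that map's existing paths could not be opened.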

Thursday, March 3, 2016

Script to check IPA user expiration and send email to user

1) Configure an email relay for the host; this requires an SMTP server IP, which goes into the sendmail or postfix (MTA) configuration.


2) Test Emails

3) Use below script for rest of the task:
---------------------------------

#!/bin/bash

#written by - Ram Nath (ram@mydomain.com)
# notifies people a set number of days before expiry via email

# open a kerberos ticket using keytab authentication
# the following keytab file was made using ktutil with rc4-hmac

/usr/bin/kinit admin@INFRA.MYDOMAIN -k -t /test/bin/admin.keytab || exit 1

# how many days before expiry? at which point the email should be sent out
THENUMBEROFDAYS=30

# todays date in the same format as ipa, plus its epoch seconds for the subtraction
TODAYSDATE=$(date +"%Y%m%d")
TODAYSECS=$(date -d "$TODAYSDATE" +%s)

# queries the ldap server for the users container (adjust the base or add a filter
# for a specific group); grepping "uid:" and piping to awk results in a list of users
USERLIST=$(ldapsearch -x -b cn=users,cn=accounts,dc=infra,dc=MYDOMAIN | grep "^uid:" | awk '{print $2}')

# start the main loop
for USER in $USERLIST;
do
echo "Checking Expiry For $USER"

# gets the expiry timestamp (e.g. 20170301000000Z) and keeps only the first 8 characters (YYYYMMDD);
# --raw prints the attribute under its LDAP name regardless of the ipa version's labels
EXPIRYDATE=$(ipa user-show $USER --all --raw | grep krbpasswordexpiration | awk '{print $2}' | cut -c 1-8)
# a user without the attribute would otherwise be treated as expiring today
[ -z "$EXPIRYDATE" ] && continue

# whole days left, computed from epoch seconds: the day-of-year (%j) subtraction
# used previously gives a negative result whenever the expiry falls in the next year
DAYSLEFT=$(( ( $(date -d "$EXPIRYDATE" +%s) - TODAYSECS ) / 86400 ))

echo "$USER has $DAYSLEFT days left"

# send out an email while the specified number of days or fewer remain
# (this fires on every run inside that window; use -eq to send exactly once)
if [ $DAYSLEFT -le $THENUMBEROFDAYS ];
then

# create the email content in a private temp file rather than a predictable name in /tmp
MSG=$(mktemp)
echo "Hi There," >> $MSG
echo " " >> $MSG
echo "Password for Cloud User $USER is going to expire in $DAYSLEFT days." >> $MSG
echo "Kindly ask user to reset it." >> $MSG
echo " " >> $MSG
echo "Regards," >> $MSG
echo "IPA Admin" >> $MSG

# send the email out
mailx -r PasswordAlerts@ipaserver.infra.mydomain -s "IPA user $USER's password expires in $DAYSLEFT days!" ram@mydomain.com < $MSG
# delete content file
rm -f $MSG
fi
done
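An added example (not the author's code) for the date arithmetic in the script above: %j is the day of the year, so subtracting two %j values goes wrong as soon as the expiry falls in the next calendar year (31 December gives 365, 10 January gives 10, and the script would report -355 days). Converting both dates to a day count makes the subtraction exact without depending on GNU date or the timezone. The ipa user-show sample in the block is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): exact "days until expiry" for an
# IPA krbpasswordexpiration value, replacing the day-of-year subtraction.
set -eu

# days_from_civil YEAR MONTH DAY : days since 1970-01-01 in the proleptic
# Gregorian calendar (integer arithmetic only, so it needs no date(1)).
# Leading zeros are stripped so "08" is not read as an invalid octal number.
days_from_civil() {
    local y=$1 m=${2#0} d=${3#0} era yoe mp doy doe
    [ "$m" -le 2 ] && y=$((y - 1))          # count the year from March
    era=$((y / 400))
    yoe=$((y - era * 400))                   # year of era, 0..399
    mp=$(( (m + 9) % 12 ))                   # March = 0 ... February = 11
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))    # day of the March-based year
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# ymd YYYYMMDD : print "YYYY MM DD" for word-splitting into days_from_civil
ymd() {
    local s=$1 m
    m=${s#????}; m=${m%??}
    printf '%s %s %s\n' "${s%????}" "$m" "${s#??????}"
}

# days_left EXPIRY TODAY : both YYYYMMDD; negative when already expired
days_left() {
    local e t
    e=$(days_from_civil $(ymd "$1"))
    t=$(days_from_civil $(ymd "$2"))
    echo $(( e - t ))
}

# parse_expiry : read `ipa user-show USER --all --raw` output on stdin and print
# the expiry as YYYYMMDD (first 8 characters of the generalized time), or nothing
# if the attribute is absent.
parse_expiry() {
    awk '/krbpasswordexpiration/ { print substr($2, 1, 8) }'
}

# Constructed sample, shaped like the attribute line the script greps for
SAMPLE_USER_SHOW='  uid: alice
  krbpasswordexpiration: 20180110000000Z'

# Cron usage:  days_left "$(ipa user-show "$USER" --all --raw | parse_expiry)" "$(date +%Y%m%d)"
```

The check against the year boundary is the one that matters: days_left 20180110 20171231 is 10, where the %j version would compute 10 - 365.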

RHEV Manager Alert Email Notification Implementation - RHEV 3.5

1) Create a .conf file, for example engine-notifier.conf, under /etc/ovirt-engine/notifier/notifier.conf.d/

[root@rhevm ~]# ls -ltr /etc/ovirt-engine/notifier/notifier.conf.d/
total 12
-rw-r--r--. 1 root root 231 Jun  7  2015 README
-rw-r--r--. 1 root root  32 Mar  3 10:36 10-setup-jboss.conf
-rw-r--r--. 1 root root  66 Mar  3 10:39 engine-notifier.conf

[root@rhevm ~]# cat /etc/ovirt-engine/notifier/notifier.conf.d/engine-notifier.conf
MAIL_SERVER=10.100.2.6
MAIL_FROM=admin@rhevm.mydomain.com   # <- use whatever sender address suits you
2) Make sure that "ovirt-engine-notifier" service is up and running to read this configuration.


3) Now specify the address that should receive the emails in the RHEV Manager console at:
System > Users > admin@internal > Event Notifier > Manage Events > tick the required events and enter the recipient email address

You should be getting alerts now on.

That's All!

Sunday, January 24, 2016

Recursive file permissions issue on / directory

A developer ran "sudo chown -R user ../../" from his home directory and broke the ownership at / on one of the systems. Most of the directories at the "/" level ended up owned "user:root" and everything looked wrong; the system stopped accepting ssh logins, answering "connection refused" to new ssh connections.

Solution:

This is a very bad state, but it can be recovered from using the rpm database. Run the following:

# for i in $(rpm -qa); do echo "Working on $i"; rpm --setugids $i; rpm --setperms $i; done

This restores user and group ownership as well as the permissions. It prints a great many messages, errors included, which can be ignored, and it takes a while depending on the number of installed rpms.

Note that only the files and directories deployed by an rpm are changed back; anything created after installation, such as the sshd host keys, the contents of /home and the logs under /var/log, is not covered and has to be fixed by hand. Running rpm -Va afterwards lists the package files that still differ from the database (U and G flags for ownership, M for mode).
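An added example (not from the original post) for that follow-up check: it filters rpm -Va output down to the files whose owner, group or mode still differ from the package database, so only those need attention after the --setugids/--setperms pass. The sample verify output in the block is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): keep only the ownership and mode
# discrepancies from `rpm -Va`.  Each verify line carries a nine-character
# flag field in the order S M 5 D L U G T P (size, mode, digest, device,
# link, user, group, mtime, capabilities), an optional attribute letter
# (c for config, d for doc, ...) and the path; files that are gone are
# reported as "missing".
set -eu

# Constructed sample in the shape of rpm -Va output
SAMPLE_VERIFY='.M....UG.    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
missing     /var/run/sshd
.......T.    /usr/share/doc/foo/README
.M.......  c /etc/sudoers'

# perm_problems : filter rpm -Va output (stdin) to the entries whose mode (M),
# owner (U) or group (G) differ, or which are missing; prints "FLAGS PATH".
perm_problems() {
    awk '
        $1 == "missing" { print "missing " $NF; next }
        length($1) == 9 && (substr($1, 2, 1) == "M" ||
                            substr($1, 6, 1) == "U" ||
                            substr($1, 7, 1) == "G") { print $1 " " $NF }
    '
}

# problem_paths : just the paths, ready for `rpm -qf` to find the owning
# packages so --setugids/--setperms can be re-run on those alone.
problem_paths() {
    perm_problems | awk '{ print $2 }'
}

# Live usage:
#   rpm -Va | problem_paths | xargs -r rpm -qf | sort -u
```

Content changes such as the digest (5) or mtime (T) flags on sshd_config are deliberately left out: they are what a locally edited config file looks like and have nothing to do with the chown accident.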