followup: up at 5am! (river rafting)

http://www.whitewatervoyages.com/rivers … river.html It was rather fun and I’d definitely do it again. We’ll probably go again next month. We’re debating on how to do it though. Some want to do a class 4, but I’m arguing to do a class 3 without a guide. Hopefully, they give us our refund – we initially scheduled 5 people and only 4 went and also rented 5 wetsuits and only needed 3, so we’ll see what happens. If we don’t get the refund or credit, we might not go to the same place again. After rafting, we stopped by downtown Sacramento on the way home. Just to take a stroll around the capitol and stop by a coffee shop for a pastry/coffee and conversation for a break away from driving. Among other things we talked about, I remembered talking about genetically modified food – how it may not be fully tested, etc. I guess there’s a couple arguments for and against it. Growing corn that the bugs won’t eat might be cool so we can have more food for ourselves, but who knows? Maybe the bugs know better not to eat the corn for one reason or another. Then again, this might be a good thing as we can grow more food for less money and we can feed more people with it. It may disturb the ecosystem a bit though – perhaps creating an imbalance. When they took the wolves out of Yellowstone park because they were killing a lot of elk, they created in imbalance where all of the water was being drinken and grass was being eaten. Bring the wolves back brought back some balance. For dinner, we headed to a restaurant called Prasand. (http://www.pasand.com/index.html) It was pretty good – had a bread basket, some naan and Chicken Tikka Masala Curry. I’d recommend the restaurant – I went with Indians and they thought it was good and authentic. It was good for my taste buds as well. Our dinnertime conversation included of some talk about some of the art on the wall. I asked about one of them similar to this one:
Image
(Image pulled from: http://www.asitis.com/)
From that, I got the brief version of the story about Krishna and Arjuna. The Legend of Bagger Vance was actually a book based on that story. Cool stuff. Was exhausted – went home, showered and went to bed.]]>

Installing Openssl/Openssh on Solaris 8

Installing Openssl/Openssh on Solaris 8

Some Compiling NOTES
– If you have problems and decide to start over, run “echo $?” after each command to see if you have errors in your steps
– If you get an error “Cannot find ELF”, it may be because you are using the gnu strip (from binutils). Use the strip that comes with Solaris in /usr/ccs/bin

1) Install compiler (gcc or equivalent – I used Forte Developer 7). You can install gcc with packages SUNWgcmn and SUNWgcc from the Solaris Companion CD or you can get it from sunfreeware.com.

2) path set – cc and make in your path
ie: PATH=/opt/sfw/bin:/usr/ccs/bin:$PATH
The “make” binary is /usr/ccs/bin and if you got gcc from the companion cd, it will be in /opt/sfw/bin (if you got it from sunfreeware.com, it will be in /usr/local/bin)

3) Install patch 112438-01 (reboot the machine after install)

4) Install Openssl (from openssl.org) – latest version as of this writing is 0.96g.
./Config
make
make install

5) Install Openssh (openssh.org) – latest version as of this writing is 3.4p1 – I’m configuring it with pam (so that I can authenticate via ldap) and xauth (so that I can do XForwarding)
./configure –with-pam –with-xauth=/usr/openwin/bin/xauth
make
make install

6) Create a user for ssh
useradd -g nobody -s ‘/usr/bin/false’ sshd

7) If you want XForwarding, in /usr/local/etc/sshd_config, set:
X11Forwarding yes

8) Start the SSH server
/usr/local/sbin/sshd

9) You may want a script to start the ssh server. This is a modified version of the one I took from a source I can’t remember:

#!/sbin/sh
#
# Init file for OpenSSH server daemon
RETVAL=0
prog=”sshd”

# Some functions to make the below more readable
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh_host_key
RSA_KEY=/usr/local/etc/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $”Generating SSH1 RSA host key: ”
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C ” -N ” >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
success $”RSA1 key generation”
echo
else
failure $”RSA1 key generation”
echo
exit 1
fi
fi
}

do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $”Generating SSH2 RSA host key: ”
if $KEYGEN -q -t rsa -f $RSA_KEY -C ” -N ” >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
success $”RSA key generation”
echo
else
failure $”RSA key generation”
echo
exit 1
fi
fi
}

do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $”Generating SSH2 DSA host key: ”
if $KEYGEN -q -t dsa -f $DSA_KEY -C ” -N ” >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
success $”DSA key generation”
echo
else
failure $”DSA key generation”
echo
exit 1
fi
fi
}

do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! “$RETVAL” = 0 ]; then
failure $”Configuration file or keys are invalid”
echo
fi
}

start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen

echo -n $”Starting $prog:”
$SSHD
RETVAL=$?
# [ “$RETVAL” = 0 ] && touch /var/lock/subsys/sshd
echo
}

stop()
{
echo -n $”Stopping $prog:”
pkill $SSHD
RETVAL=$?
# [ “$RETVAL” = 0 ] && rm -f /var/lock/subsys/sshd
echo
}

reload()
{
echo -n $”Reloading $prog:”
killproc $SSHD -HUP
RETVAL=$?
echo
}

case “$1” in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ “$RETVAL” = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
# fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $”Usage: $0 {start|stop|restart|reload|condrestart|status}”
RETVAL=1
esac
exit $RETVAL

Apache SSL Self-Signed Certificates Without Passphrase

taken from: http://www.rpatrick.com/tech/makecert/

Following is a quick listing of the commands you need to use when setting up an SSL key for Apache that doesn’t require a passphrase to be entered during normal operations, and includes a self-signed certificate so you needn’t bother with cert requests and CAs. The sequence of events is to create a 3DES key, remove the passphrase, and then generate a self-signed certificate.

The following commands are to be entered via the command line, with each openssl statement requiring interactive input. Performed on Red Hat Linux, these instructions ought to also work on other flavors of Unix with OpenSSL and Apache installed.

openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -key server.key -x509 -out server.crt -days 999

cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

apachectl restart

Verifying that Apache has the correct SSL directives and is using the correct key and certificate created above is left as an exercise for the webmaster.

If your system has a Makefile or symlink in the Apache conf directory, you can opt to pursue an earlier method to this madness using the below steps (provided here only for completeness):

cd /etc/httpd/conf
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
make testcert

Optionally, if you need a server.pem file for a given application, such as courier-imapd, use the following to create the .pem file from the previously created certificate and key:

cat server.key server.crt >server.pem

Using the above method you can enjoy the encryption protection provided by SSL without having to pay a commercial vendor to sign your server keys. If you don’t like the popup presented by some applications (e.g. web browsers) about an untrusted certificate, simply follow the process provided by your application to import or install the certificate, at which point you will no longer have to deal with future dialog boxes regarding an untrusted site.