Nov 14, 2012

Access to a remote computer without a password over the ssh protocol.

Among the mass of material on the subject scattered across the internet there is one method that is far more effective. lehisnoe@subnets.ru taught it to me a long time ago. Just 2 lines:

Theory:
ssh-keygen -t dsa
cat ~/.ssh/id_dsa.pub | ssh -l remote_user ip_remote_host "cat >> .ssh/authorized_keys"

Line 1. Generate a key pair. The questions can be answered by simply pressing Enter. Note that this leaves the private key without a passphrase, so anyone who obtains the file ~/.ssh/id_dsa can log in as you; keep it readable by you only (ssh-keygen creates it with mode 600). On a current system prefer ssh-keygen -t ed25519: DSA keys are fixed at 1024 bits and OpenSSH has refused them by default since version 7.0.
Line 2. Copy the generated public key to the remote machine: the key is piped through one password-authenticated ssh session and appended to .ssh/authorized_keys in the remote user's home directory.

Practice:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/fs4/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/fs4/.ssh/id_dsa.
Your public key has been saved in /home/fs4/.ssh/id_dsa.pub.
The key fingerprint is:
91:b6:1a:94:90:c7:09:ec:da:cf:71:65:50:e0:c4:59 fs4@fs4
The key's randomart image is:
+--[ DSA 1024]----+
|   .o+ oo=E      |
|    o.+++.       |
|   . .o =.       |
|    .. . oo      |
|   o  . So       |
|  . . .o.        |
|     o.o         |
|      o          |
|                 |
+-----------------+
$ cat ~/.ssh/id_dsa.pub | ssh -l usr2 10.10.254.251 "cat >> .ssh/authorized_keys"
usr2@10.10.254.251's password: 
bash: .ssh/authorized_keys: No such file or directory
It complains that the directory does not exist. The ssh client creates ~/.ssh the first time it stores a host key in known_hosts, so on an account that has never made an outgoing ssh connection the directory is simply not there yet. The workaround used here is to log in and make any outbound connection; mkdir -m 700 ~/.ssh on the remote host achieves the same without the detour. Log in, connect, disconnect:
$ ssh -l usr2 10.10.254.251
usr2@10.10.254.251's password:
usr2@10.10.254.251$ ssh -l usr1 10.10.254.250
The authenticity of host '10.10.254.250 (10.10.254.250)' can't be established.
ECDSA key fingerprint is c2:05:f0:ca:1c:e9:48:7a:ca:35:c3:80:8e:c2:ba:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.254.250' (ECDSA) to the list of known hosts.
usr1@10.10.254.250's password:
^C
Retry writing the key to the remote machine:
$ cat ~/.ssh/id_dsa.pub | ssh -l usr2 10.10.254.251 "cat >> .ssh/authorized_keys"
usr2@10.10.254.251's password: 
$
If no new messages appear, check:
$ ssh -l usr2 10.10.254.251
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Nov 14 18:21:09 YEKT 2012

  System load:  0.09               Processes:           89
  Usage of /:   26.3% of 36.67GB   Users logged in:     1
  Memory usage: 2%                 IP address for eth0: 10.10.254.251
  Swap usage:   0%

  => /media/disk1 is using 86.5% of 1.78TB
  => /media/disk2 is using 92.5% of 1.34TB
  => /media/disk3 is using 91.9% of 1.79TB

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Wed Nov 14 18:20:22 2012 from 10.10.254.249
usr2@10.10.254.251:~$ exit
logout
Connection to 10.10.254.251 closed.

That completes the setup. If sshd still asks for a password, check the remote side: with the default StrictModes, sshd silently ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others (chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys), and make sure PubkeyAuthentication is not set to no in sshd_config.
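The two-line recipe above, written out as an added example (this is not code from the original post): it installs the key on an account that has never used ssh (no ~/.ssh yet), sets the modes sshd's StrictModes requires, skips a key that is already present, and verifies that the key rather than a cached password is doing the login. remote_user and ip_remote_host are the post's placeholders; ed25519 in place of dsa, the ~/.ssh/id_ed25519 path and the constructed sample keys are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's two-line recipe
# done so that it also works on an account with no ~/.ssh yet and does not
# duplicate a key that is already installed. User/host names are placeholders.
set -eu

# install_pubkey KEY_LINE [AUTHORIZED_KEYS_PATH]
# Append one public-key line to an authorized_keys file, creating ~/.ssh with
# the modes sshd's StrictModes requires (directory 0700, file 0600).
# A key already present (same type and base64 blob, any comment) is skipped.
# Assumes a plain key line without leading options such as from="...".
install_pubkey() {
    key=$1
    file=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Compare on key type + blob only (fields 1 and 2); the comment may differ.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "installed"
}

# count_keys AUTHORIZED_KEYS_PATH: number of key lines, ignoring blanks/comments
count_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# copy_key_to_remote USER HOST PUBKEY_FILE
# The post's second line, with the remote side creating and locking down
# ~/.ssh first. This is the single password prompt. The key travels on the
# remote command's stdin, exactly like the post's pipe, so it never passes
# through shell quoting.
copy_key_to_remote() {
    ssh -l "$1" "$2" 'umask 077; mkdir -p ~/.ssh && chmod 700 ~/.ssh
        cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys' < "$3"
}

# verify_key_login USER HOST: succeeds only if the key, not a password, logs in
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -l "$1" "$2" true
}

# Typical run (placeholders, not executed here):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519      # ed25519 instead of the post's dsa
#   copy_key_to_remote remote_user ip_remote_host ~/.ssh/id_ed25519.pub
#   verify_key_login remote_user ip_remote_host && echo "key login works"
```

install_pubkey is the part that runs on the remote host; it is kept as a local function here so the idempotence and mode handling can be exercised on a temporary directory without a second machine. verify_key_login disables password authentication on the client side, so a success means the authorized_keys entry is the thing letting you in.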


Nov 8, 2012

DNS. Bind9. The options section

DNS (Bind 9).

Purely for my own reference, I am writing out the correct layout of the variables in the bind9 options section (according to the official manual, the BIND 9 Administrator Reference Manual). Every bracketed line is optional; the list is the grammar of the version current at the time, so some of these directives are deprecated or no longer exist in later releases.


options {
     [ attach-cache cache_name; ]
     [ version version_string; ]
     [ hostname hostname_string; ]
     [ server-id server_id_string; ]
     [ directory path_name; ]
     [ key-directory path_name; ]
     [ managed-keys-directory path_name; ]
     [ named-xfer path_name; ]
     [ tkey-gssapi-credential principal; ]
     [ tkey-domain domainname; ]
     [ tkey-dhkey key_name key_tag; ]
     [ cache-file path_name; ]
     [ dump-file path_name; ]
     [ bindkeys-file path_name; ]
     [ memstatistics yes_or_no; ]
     [ memstatistics-file path_name; ]
     [ pid-file path_name; ]
     [ recursing-file path_name; ]
     [ statistics-file path_name; ]
     [ zone-statistics yes_or_no; ]
     [ auth-nxdomain yes_or_no; ]
     [ deallocate-on-exit yes_or_no; ]
     [ dialup dialup_option; ]
     [ fake-iquery yes_or_no; ]
     [ fetch-glue yes_or_no; ]
     [ flush-zones-on-shutdown yes_or_no; ]
     [ has-old-clients yes_or_no; ]
     [ host-statistics yes_or_no; ]
     [ host-statistics-max number; ]
     [ minimal-responses yes_or_no; ]
     [ multiple-cnames yes_or_no; ]
     [ notify yes_or_no | explicit | master-only; ]
     [ recursion yes_or_no; ]
     [ rfc2308-type1 yes_or_no; ]
     [ use-id-pool yes_or_no; ]
     [ maintain-ixfr-base yes_or_no; ]
     [ ixfr-from-differences (yes_or_no | master | slave); ]
     [ dnssec-enable yes_or_no; ]
     [ dnssec-validation yes_or_no; ]
     [ dnssec-lookaside ( auto | domain trust-anchor domain ); ]
     [ dnssec-must-be-secure domain yes_or_no; ]
     [ dnssec-accept-expired yes_or_no; ]
     [ forward ( only | first ); ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ] 
     [ dual-stack-servers [port ip_port] {
          ( domain_name [port ip_port] | ip_addr [port ip_port] ) ;
     ... }; ]
     [ check-names ( master | slave | response )
          ( warn | fail | ignore ); ]
     [ check-dup-records ( warn | fail | ignore ); ]
     [ check-mx ( warn | fail | ignore ); ]
     [ check-wildcard yes_or_no; ]
     [ check-integrity yes_or_no; ]
     [ check-mx-cname ( warn | fail | ignore ); ]
     [ check-srv-cname ( warn | fail | ignore ); ]
     [ check-sibling yes_or_no; ]
     [ allow-notify { address_match_list }; ]
     [ allow-query { address_match_list }; ]
     [ allow-query-on { address_match_list }; ]
     [ allow-query-cache { address_match_list }; ]
     [ allow-query-cache-on { address_match_list }; ]
     [ allow-transfer { address_match_list }; ]
     [ allow-recursion { address_match_list }; ]
     [ allow-recursion-on { address_match_list }; ]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
     [ dnssec-dnskey-kskonly yes_or_no; ]
     [ dnssec-secure-to-insecure yes_or_no ;]
     [ try-tcp-refresh yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
     [ blackhole { address_match_list }; ]
     [ use-v4-udp-ports { port_list }; ]
     [ avoid-v4-udp-ports { port_list }; ]
     [ use-v6-udp-ports { port_list }; ]
     [ avoid-v6-udp-ports { port_list }; ]
     [ listen-on [ port ip_port ] { address_match_list }; ] 
     [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
     [ query-source ( ( ip4_addr | * )
     [ port ( ip_port | * ) ] |
     [ address ( ip4_addr | * ) ]
     [ port ( ip_port | * ) ] ) ; ]
     [ query-source-v6 ( ( ip6_addr | * )
     [ port ( ip_port | * ) ] |
     [ address ( ip6_addr | * ) ]
     [ port ( ip_port | * ) ] ) ; ]
     [ use-queryport-pool yes_or_no; ]
     [ queryport-pool-ports number; ]
     [ queryport-pool-updateinterval number; ]
     [ max-transfer-time-in number; ]
     [ max-transfer-time-out number; ]
     [ max-transfer-idle-in number; ]
     [ max-transfer-idle-out number; ]
     [ tcp-clients number; ]
     [ reserved-sockets number; ]
     [ recursive-clients number; ]
     [ serial-query-rate number; ]
     [ serial-queries number; ]
     [ tcp-listen-queue number; ]
     [ transfer-format ( one-answer | many-answers ); ]
     [ transfers-in number; ]
     [ transfers-out number; ]
     [ transfers-per-ns number; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ alt-transfer-source-v6 (ip6_addr | *)
          [port ip_port] ; ]
     [ use-alt-transfer-source yes_or_no; ]
     [ notify-delay seconds ; ]
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ notify-to-soa yes_or_no ; ]
     [ also-notify { ip_addr [port ip_port] ;
     [ ip_addr [port ip_port] ; ... ] }; ]
     [ max-ixfr-log-size number; ]
     [ max-journal-size size_spec; ]
     [ coresize size_spec ; ]
     [ datasize size_spec ; ]
     [ files size_spec ; ]
     [ stacksize size_spec ; ]
     [ cleaning-interval number; ]
     [ heartbeat-interval number; ]
     [ interface-interval number; ]
     [ statistics-interval number; ]
     [ topology { address_match_list }];
     [ sortlist { address_match_list }];
     [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
     [ lame-ttl number; ]
     [ max-ncache-ttl number; ]
     [ max-cache-ttl number; ]
     [ sig-validity-interval number [number] ; ]
     [ sig-signing-nodes number ; ]
     [ sig-signing-signatures number ; ]
     [ sig-signing-type number ; ]
     [ min-roots number; ]
     [ use-ixfr yes_or_no ; ]
     [ provide-ixfr yes_or_no; ]
     [ request-ixfr yes_or_no; ]
     [ treat-cr-as-space yes_or_no ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ port ip_port; ]
     [ additional-from-auth yes_or_no ; ]
     [ additional-from-cache yes_or_no ; ]
     [ random-device path_name ; ]
     [ max-cache-size size_spec ; ]
     [ match-mapped-addresses yes_or_no; ]
     [ filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); ]
     [ preferred-glue ( A | AAAA | NONE ); ]
     [ edns-udp-size number; ]
     [ max-udp-size number; ]
     [ root-delegation-only [ exclude { namelist } ] ; ]
     [ querylog yes_or_no ; ]
     [ disable-algorithms domain { algorithm;
     [ algorithm; ] }; ]
     [ acache-enable yes_or_no ; ]
     [ acache-cleaning-interval number; ]
     [ max-acache-size size_spec ; ]
     [ clients-per-query number ; ]
     [ max-clients-per-query number ; ]
     [ masterfile-format (text|raw) ; ]
     [ empty-server name ; ]
     [ empty-contact name ; ]
     [ empty-zones-enable yes_or_no ; ]
     [ disable-empty-zone zone_name ; ]
     [ zero-no-soa-ttl yes_or_no ; ]
     [ zero-no-soa-ttl-cache yes_or_no ; ]
     [ deny-answer-addresses { address_match_list } [ except-from { namelist } ];]
     [ deny-answer-aliases { namelist } [ except-from { namelist } ];]
};

Consequently the options section will look something like this (a small forwarding resolver serving two LANs; nothing in it restricts who may recurse through the server or request zone transfers, so both are left to BIND's defaults):

options {
    version "DNS Server";

    directory "/etc/namedb";
    dump-file "/var/named/etc/namedb/named_dump.db";
    pid-file "/var/run/named/pid";
    statistics-file "/var/named/etc/namedb/named.stats";

    forwarders {
        62.165.32.250;
        62.165.33.250;
        8.8.8.8;
    };

    listen-on {
        10.10.254.253;
        192.168.1.252;
        127.0.0.1;
    };

    querylog yes;
};
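The block above next to a version that writes its access policy down instead of inheriting it, plus a small check that flags what the first one leaves to defaults. This is an added example, not configuration from the original post or from ISC; the addresses and paths are the post's, while the /24 prefixes, forward only and the allow-* values in the hardened block are assumptions for a server that should only serve those two LANs.

```shell
#!/bin/sh
# Added example, not from the original post: the post's options block beside
# a hardened one, and an audit that reports which access-control directives
# a block leaves unset. Network prefixes and allow-* values are assumptions.
set -eu

# The block from the post, reproduced here as constructed input.
WEAK_OPTIONS='options {
    version "DNS Server";
    directory "/etc/namedb";
    dump-file "/var/named/etc/namedb/named_dump.db";
    pid-file "/var/run/named/pid";
    statistics-file "/var/named/etc/namedb/named.stats";
    forwarders { 62.165.32.250; 62.165.33.250; 8.8.8.8; };
    listen-on { 10.10.254.253; 192.168.1.252; 127.0.0.1; };
    querylog yes;
};'

# Same block with the policy stated explicitly (assumed values).
HARDENED_OPTIONS='options {
    version "DNS Server";
    directory "/etc/namedb";
    dump-file "/var/named/etc/namedb/named_dump.db";
    pid-file "/var/run/named/pid";
    statistics-file "/var/named/etc/namedb/named.stats";
    forwarders { 62.165.32.250; 62.165.33.250; 8.8.8.8; };
    forward only;                 // never fall back to iterating from the roots
    listen-on { 10.10.254.253; 192.168.1.252; 127.0.0.1; };
    // Only the two LANs and the host itself may recurse or read the cache.
    allow-recursion   { 10.10.254.0/24; 192.168.1.0/24; localhost; };
    allow-query-cache { 10.10.254.0/24; 192.168.1.0/24; localhost; };
    allow-transfer { none; };      // no AXFR/IXFR to anyone
    querylog yes;
};'

# audit_options < named.conf-fragment
# Print one line per access-control directive the block leaves unset or open.
# Pattern-based on purpose: it is a quick lint, not a named.conf parser.
audit_options() {
    conf=$(sed -e 's|//.*||' -e 's|#.*||')     # strip comments first
    if ! printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{' ||
            echo "allow-recursion not set: recursion granted by the default (localnets; localhost)"
        printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{[^}]*any[[:space:]]*;' &&
            echo "allow-recursion includes any: open resolver"
    fi
    printf '%s\n' "$conf" | grep -Eq 'allow-transfer[[:space:]]*\{' ||
        echo "allow-transfer not set: BIND 9 of this vintage allows zone transfers to any"
    printf '%s\n' "$conf" | grep -Eq '(^|[[:space:];{])version[[:space:]]+"' ||
        echo "version not overridden: real BIND version exposed via version.bind"
    return 0
}

# Usage: printf '%s\n' "$WEAK_OPTIONS" | audit_options
```

Run the audit over both blocks: the post's block produces two findings (no allow-recursion, no allow-transfer), the hardened one none. Since BIND 9.4 an unset allow-recursion defaults to localnets; localhost, so the post's server is not an open resolver as long as it listens only on the private interfaces, but the hardened form makes that intent survive a later change to listen-on. After editing a real named.conf, run named-checkconf before reloading.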