Installing IBM Endpoint Client on Linux

08-Oct, 2013

I have been investigating IBM End Point, which appears at first gance to be a fantasic tool. The help for Linux clients appears to be a little light (or am I missing something?) but in order to install the End Point Client onto Linux you run the following commands:

mkdir ~/bigfix-client-tmp
mkdir -p /etc/opt/BESClient/
cd ~/bigfix-client-tmp
wget http://nas.justnudge.com/software/bigfix/BESAgent-current.x86_64.rpm
wget http://nas.justnudge.com/software/bigfix/masthead.afxm
mv masthead.afxm /etc/opt/BESClient/actionsite.afxm
rpm -ivh BESAgent-current.x86_64.rpm
cd ~
rm -rf ~/bigfix-client-tmp
chkconfig besclient on
service besclient start

I have placed the masthead and actionsite files onto my NAS for ease of use, but they are located in the following location on a standard IEM installation:

  • C:\Program Files (x86)\BigFix Enterprise\BES Server\actionsite.afxm
  • C:\Program Files (x86)\BigFix Enterprise\BES Server\BESReportsData\swiftsure.justnudge.com\masthead.afxm

Note, my IEM server is called swiftsure.justnudge.com.

Comments

Setting up a PXE boot server with CentOS and DNSMasq

20-Feb, 2013

I am building a lot of temporary hosts at the moment and being able to install them as quickly as possible is always good. So I have decided to install a PXE server that will allow my installations to install without human intervention.

To setup this you need an existing host that contains a mirror of Centos (you can get away without a mirror but syncing a mirror is so much faster than going out onto the internet to download all the necessary patches that may be required). If you do setup a mirror allocate about 150Gb of Diskspace to the mirror and sync it every evening using rsync.

On the host execute the following command:

yum install syslinux tftp tftp-server -y

Once the server is installed execute the following command:

chkconfig xinetd on
service xinetd restart

To copy the files to enable the clients to boot execute the following commands:

cd /var/lib/tftpboot
cp /usr/share/syslinux/menu.c32 .
cp /usr/share/syslinux/pxelinux.0 .
cp /opt/mirror/centos/6.3/os/x86_64/images/pxeboot/initrd.img .
cp /opt/mirror/centos/6.3/os/x86_64/images/pxeboot/vmlinuz .

NOTE: TFTP does not seem to work with symlinks so the files need to be copied.

When the server boots it will attempt to use it’s MAC address to determine what boot configuration it would use and will fall back onto a configration called “default”:

mkdir -p /var/lib/tftpboot/pxelinux.cfg
vi /var/lib/tftpboot/pxelinux.cfg/default
Enter the following information into the file and save it:

timeout 100
default menu.c32
 
menu title ########## JustNudge Boot Menu ##########
label 1
   menu label ^1) Install CentOS 6
   kernel vmlinuz
   append initrd=initrd.img devfs=nomount ks=http://nas.justnudge.com/centos6.ks
 
label 2
   menu label ^2) Boot from local drive
   localboot

The above example will automatically install Centos using a kickstart file that configures it as per our build standards.

To ensure that the above is picked up, add the following line to your dnsmasq configuration file:

dhcp-boot=pxelinux.0,nas.justnudge.com,192.168.1.50

Where the PXE server is nas.justnudge.com with an IP address of 192.168.1.50.

When started the VM will look like the following:

PXE boot screenshot

Comments

Using Google Authenticator with CentOS 6

19-Feb, 2013

We have been doing some work recently with Amazon Web Services and noticed that it now supports using Google Authenticator for two factor authentication. For those that don’t know, the Google Authenticator is an application that you install onto your Android or iPhone which acts like an RSA token, providing a random number that changes every 30 seconds.

When I saw that Amazon had integrated it into AWS it got me thinking that we could use it to secure some of our perimeter Centos hosts using an SSH PAM module. A little bit of searching showed that this was possible and this post details how it was done.

Installation

Install Centos 6.2.

Run yum install make pam-devel -y

Download the source for the PAM module here.

Unpack the installation running the following command:

[root@JNC6NET0004 install]# tar xfvj libpam-google-authenticator-1.0-source.tar.bz2
libpam-google-authenticator-1.0/base32.c
libpam-google-authenticator-1.0/demo.c
libpam-google-authenticator-1.0/google-authenticator.c
libpam-google-authenticator-1.0/hmac.c
libpam-google-authenticator-1.0/pam_google_authenticator.c
libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
libpam-google-authenticator-1.0/sha1.c
libpam-google-authenticator-1.0/base32.h
libpam-google-authenticator-1.0/hmac.h
libpam-google-authenticator-1.0/sha1.h
libpam-google-authenticator-1.0/totp.html
libpam-google-authenticator-1.0/Makefile
libpam-google-authenticator-1.0/FILEFORMAT
libpam-google-authenticator-1.0/README
libpam-google-authenticator-1.0/utc-time/
libpam-google-authenticator-1.0/utc-time/app.yaml
libpam-google-authenticator-1.0/utc-time/utc-time.py

Change to the extracted directory and execute the command make install:

[root@JNC6NET0004 libpam-google-authenticator-1.0]# make install
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
[root@JNC6NET0004 libpam-google-authenticator-1.0]#

Installing the PAM module

Backup the file /etc/pam.d/sshd and add the following lines to it:

auth required pam_google_authenticator.so

Backup the file /etc/ssh/sshd_config and ensure the following lines are present:

PermitRootLogin no
ChallengeResponseAuthentication yes

Once these changes have been made restart SSH by executing the following command:

service sshd restart

Setting up the key for a user

su to the user that you want generate the token for and execute the google authenticator command::

google-authenticator

You will notice above that it displayed a secret key and a URL, open the URL and it will show you 3D barcode.

Open the authenticator application and click the Scan Barcode button and scan the barcode from your screen.

Google Authenticator Scan Barcode

You should then see the counter for the application.

Google Authenticator Counter

Testing

Open up a new SSH terminal (such as Putty) to the host and login as the user that created the token above.

Enter the verification code from the Google authenticator.

Enter the users password.

All being well you should be able to login as shown below:

Google Authenticator Putty

Comments

More Posts..