Sunday, 26 March 2017

Kerberos Authentication

​Since I had already explained in the past on the mechanism about kerberos, I would try to keep this as much simple as I can.

Go through the below scanned pic, in short have written few notes .. 

Principal Name and key are specified to the client, so clients sends principal name and request for TGT to KDC. 

KDC generates session key(SK) and TGT containing copy of session key, uses TGS to encrypt TGT. Principal key used to encrypt [ Encrypted GT and copy of session key], Client Decrypts using its principal key to extract session key and encrypted TGT.

When client wants to use any service(SSH/NFS..etc) to obtain access for local or remote system( hereafter referred as service provider), it will use session key to encrypt TGT, clients IP addr, time stamp, and SR and sends to KDC

KDC uses its session keys and TGS keys to extract IP addr, time stamp allowing itself to validate client, on successful generates service session key(SSK) and SR containing IP addr+time stamp+copy of SSK and encrypts using service key for SR. 
SK to encrypt both E(SR) and copy of SSK.

Client uses its copy of SK to extract E(E(SR)+SSK)

Client sends the E(SR) to service provider along with E[ Principal name + Time stamp] with E(SSK) 

Service provider uses SK to extract SR which it retrieves SSK to decrypt clients E( Time stamp + Principal Name) 
Once its successful, service provider grants access to its host system.

How to implement kerberos: 


Friday, 9 December 2016

Security auditing tool - Lynis

Have heard about the tool in the past, but hadn't given any try on this... was very simple to go through and here are very few lines on the post...

Ensure you have git client installed on your system we shall clone from

​# cd lynis
# ./lynis audit system 

performs local security scan and will capture all the details in the log file(/var/log/lynis.log)

Then how audit is different from lynis ?

auditd is daemon to track events(like if your /etc/passwd or /etc/shadow file) being changed where as lynis could track file permission etc not the contents in the file. 

  Lynis security scan details:

  Hardening index : 64 [############        ]
  Tests performed : 206
  Plugins enabled : 2

You could explore more on this tool using ./lynis help, anyway would suggest you to give a try

Wednesday, 7 December 2016

Installing Vagrant VM with Oracle Virtual Box

You could have a development environment that is identical to the production environment locally and you can share all your development. Once you or someone else creates a single Vagrantfile, just need to vagrant up and everything is installed and configured for you to work. 

If you are system admin/operation engineer, vagrant gives you a disposable environment for developing, testing infrastructure management scripts like shell scripts, check cookbooks, puppet modules etc 

we shall see how this can be configured and how to work on ... 

You could download vagrant software based on your operating system from and install.

I would create a directory called vagrant and would initialize. 

$mkdir ~/workspace/vagrant/centos

$ vagrant init
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`` for more information on using Vagrant.

$ ls

Download Oracle virtual box, and since you need to download linux environment which can be from
I shall download centos 6.7 minimal along with puppet.

we need to remove Vagrant file if we already incase created in the directory.

$ vagrant init vagrant-centos-6.7
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`` for more information on using Vagrant.

you would add this box to the provider 'virtualbox' . 

==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'vagrant-centos-6.7' (v0) for provider:
==> box: Successfully added box 'vagrant-centos-6.7' (v0) for 'virtualbox'!

You can make your setting as you wish in the Vagrant file as its self explanatory , few of my changes which I wished to make 

$ vim Vagrant 

 config.vm.boot_timeout = 60 "forwarded_port", guest: 80, host: 8080 "private_network", ip: ""

we would start the vagrant box which would take some time to bring up the machine..
$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
    default: Adapter 2: hostonly
==> default: Forwarding ports...
    default: 80 (guest) => 8080 (host) (adapter 1)
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address:
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Remote connection disconnect. Retrying...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: The guest additions on this VM do not match the installed version of
    default: VirtualBox! In most cases this is fine, but in rare cases it can
    default: prevent things such as shared folders from working properly. If you see
    default: shared folder errors, please make sure the guest additions within the
    default: virtual machine match the version of VirtualBox you have installed on
    default: your host and reload your VM.
    default: Guest Additions Version: 4.3.30
    default: VirtualBox Version: 5.0
==> default: Configuring and enabling network interfaces...
==> default: Mounting shared folders...
    default: /vagrant => D:/HashiCorp/workspace/vagrant/centos

Try to login to box using 'vagrant ssh' 

$ vagrant ssh
Last login: Tue Dec  6 16:34:33 2016
[vagrant@localhost ~]$ uptime
 16:38:27 up 1 min,  1 user,  load average: 0.02, 0.02, 0.00
[vagrant@localhost ~]$

[vagrant@localhost ~]$ sudo yum install httpd
Loaded plugins: fastestmirror
Setting up Install Process
Determining fastest mirrors

  httpd.x86_64 0:2.2.15-55.el6.centos.2

Dependency Installed:
  apr.x86_64 0:1.3.9-5.el6_2                  apr-util.x86_64 0:1.3.9-3.el6_0.1
  apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1      httpd-tools.x86_64 0:2.2.15-55.el6.centos.2
  mailcap.noarch 0:2.1.31-2.el6


Install your httpd web server and create your own default Apache webpage to display. 

[vagrant@localhost ~]$ sudo service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[vagrant@localhost ~]$
[vagrant@localhost ~]$ sudo cat /var/www/html/index.html
Web server is running but no content has been added yet !
Default webpage for this server
[vagrant@localhost ~]$

Point your IP address in the browser and you could see your web applications. this is only a simple configurations as explained using vagrant. 

On your virtual box, below is what you could see while it's running.

More information about this can be looked using 'help' menu .. I would leave this here for the reader to know more .. 
$ vagrant -h
$ vagrant list-commands

Shall try to re-package CentOS6.8(Minimal) and shall explore more on in coming articles..

Thursday, 3 November 2016

git branching and merge for puppetmaster configs modules and manifests - 4/4

As earlier discussed in the post, we shall add version controlling on /etc/puppet and since its important not to distub the main configuration, we shall create a branch out of it and once its all working fine, we shall merge it with master. 

what and why is branching ?

Branching is a process of creating a new pointer that allows you to branch off the code and work on the same code within the safe environment where you are free to mess up and you can discard those changes and you could merge if you feel its correct. git offers that we could switch code from one branch to other and also by merging you don't have any duplicate code. 

As earlier described in article(, make sure you install/configure your git repository.

[root@puppetmaster puppet]# git branch
* master
[root@puppetmaster puppet]# git branch puppet-testing
[root@puppetmaster puppet]# git branch
* master
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git status
# On branch master
nothing to commit (working directory clean)
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git checkout puppet-testing
Switched to branch 'puppet-testing'
[root@puppetmaster puppet]# git status
# On branch puppet-testing
nothing to commit (working directory clean)
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git branch
* puppet-testing
[root@puppetmaster puppet]#

Now you can do anything you wish to the branch, like deleting, modifying ...

[root@puppetmaster puppet]# cat > git-branching.test
this is just an file created in puppet-testing branch.
we shall see how to merge this into 'master' branch.
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# ls -l git-branching.test
-rw-r--r-- 1 root root 108 Nov  3 04:58 git-branching.test
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git add *
[root@puppetmaster puppet]# git commit -m "Added git-branching to repos"
[puppet-testing 386d918] Added git-branching to repos
 1 files changed, 2 insertions(+), 0 deletions(-)
 create mode 100644 git-branching.test
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git push origin puppet-testing
Counting objects: 4, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 369 bytes, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: Resolving deltas: 100% (1/1), completed with 1 local objects.
 * [new branch]      puppet-testing -> puppet-testing
[root@puppetmaster puppet]#

Refresh you repository in github and you can see branch puppet-testing. you could also create a new branch again from 'puppet-testing' and it can go on as much as you can. something great that's more flexible on git.

Now in order to merge your branch, switch to master branch 

[root@puppetmaster puppet]# git checkout master
Switched to branch 'master'
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git merge puppet-testing
Updating 285446b..386d918
 git-branching.test |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
 create mode 100644 git-branching.test
[root@puppetmaster puppet]# git branch -d puppet-testing
Deleted branch puppet-testing (was 386d918).
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git push origin master
Total 0 (delta 0), reused 0 (delta 0)
   285446b..386d918  master -> master
[root@puppetmaster puppet]#

[root@puppetmaster puppet]# git push origin --delete puppet-testing
 - [deleted]         puppet-testing
[root@puppetmaster puppet]#

You can now refresh your and see there won't be branch available. checkout in your master branch the file was merged to master..

Thanks for re-sharing !

Run puppet manifests and modules in different environments - 3/4

In our previous posts, we have seen on how to install and configure puppetmaster/puppetclients we shall now see on how to create the manifests on the different environments. Additionally, I have added the puppet configuration folder to be controlled using version controller 'git', where I shall explain in my next final post.

Puppet version 3.8.7, by default has no environmentpath enabled and it needs to be mentioned in config files.

Place these 3 lines below [main] section of /etc/puppet/puppet.conf, save and close.
Defined the directory and have asked puppet to first check environment path while on its execution.
    confdir = /etc/puppet
    environmentpath = $confdir/environments
    basemodulepath  = $confdir/modules:/usr/share/puppet/modules
[root@puppetmaster puppet]#service puppetmaster restart

Production Environment:

[root@puppetmaster puppet]# mkdir -p environments/{production,testing}

[root@puppetmaster ~]# cd /etc/puppet/environments/production
[root@puppetmaster production]# mkdir manifests modules

Define your environment.conf in the each of the folder.

[root@puppetmaster production]# cat environments.conf
modulepath = $confdir/environments/production/modules:$condfir/modules:/usr/share/puppet/modules
[root@puppetmaster production]#

[root@puppetmaster production]#mkdir -p modules/prodtest/{files,manifests}

Finally, once after you create your directories, the tree structure should be as below :

[root@puppetmaster production]# tree -F .
├── environments.conf
├── manifests/
│   └── node.pp
└── modules/
    └── prodtest/
        ├── files/
        │   └── prodtest.conf
        └── manifests/
            └── init.pp

5 directories, 4 files
[root@puppetmaster production]#

Create files accordingly..

[root@puppetmaster production]# cat modules/prodtest/manifests/init.pp
class prodtest {
file {'/tmp/production':
       path => '/tmp/production',
       ensure => present,
       mode => 640,
       source  => 'puppet:///modules/prodtest/prodtest.conf',
[root@puppetmaster production]#

[root@puppetmaster production]# cat modules/prodtest/files/prodtest.conf
I am executing from the prodcution environment....
[root@puppetmaster production]#

[root@puppetmaster production]# cat manifests/node.pp
    include prodtest
[root@puppetmaster production]#

From the client, execute the below to retrive info..

[root@puppetclient ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for
Info: Applying configuration version '1478153895'
Notice: /Stage[main]/Prodtest/File[/tmp/production]/ensure: defined content as '{md5}467d4f8c0dff1ec2799ee98637aff019'
Notice: Finished catalog run in 0.11 seconds
[root@puppetclient ~]#

[root@puppetclient ~]# ls -l /tmp/production
-rw-r----- 1 root root 51 Nov  3 06:18 /tmp/production

[root@puppetclient ~]# cat /tmp/production
I am executing from the prodcution environment....
[root@puppetclient ~]#

Now you could write all your classes from the module directory and start executing those manifests. 
punch "puppet manifests examples" in google and you will get lot of pages. I would leave it as an exercise for the reader. 

testing environment:

Just as in the production, I have create a separate environment for 'testing' ,create the directories and files as the same as what you did for production environment.

[root@puppetmaster environments]# tree -F testing/
├── environments.conf
├── manifests/
│   └── nodes.pp
└── modules/
    └── testing/
        ├── files/
        │   └── testing.conf
        └── manifests/
            └── init.pp

5 directories, 4 files
[root@puppetmaster environments]#

[root@puppetmaster testing]# cat environments.conf
modulepath = $confdir/environments/testing/modules:$condfir/modules:/usr/share/puppet/modules
[root@puppetmaster testing]#

[root@puppetmaster testing]# cat modules/testing/manifests/init.pp
class testing {
file { '/tmp/testing':
  ensure  => present,
  owner   => 'root',
  group   => 'root',
  mode    => '0777',
  source  => 'puppet:///modules/testing/testing.conf',
[root@puppetmaster testing]#

[root@puppetmaster testing]# cat modules/testing/files/testing.conf
creating from testing environment....
Creating the test file for Puppet demonstration
[root@puppetmaster testing]#
 [root@puppetmaster testing]# cat manifests/nodes.pp
    include testing
[root@puppetmaster testing]#

On the client, execute mentioning the environment which puppet should pick, else by default it will pick from 'production'

[root@puppetclient ~]# puppet agent -t --environment testing
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for
Info: Applying configuration version '1478154384'
Notice: /Stage[main]/Testing/File[/tmp/testing]/ensure: defined content as '{md5}8fffaf0c4ae55d51df4e926284eef521'
Notice: Finished catalog run in 0.10 seconds
[root@puppetclient ~]#

[root@puppetclient ~]#ls -l
-rwxrwxrwx 1 root root 86 Nov  3 06:26 /tmp/testing
[root@puppetclient ~]#

[root@puppetclient ~]# cat /tmp/testing
creating from testing environment....
Creating the test file for Puppet demonstration
[root@puppetclient ~]#

we shall see in our next post, on how to add '/etc/puppet' to version controlling and create branch for testing puppet and later merging so that it can be used for many in the development/testing teams.

Thanks for re-sharing !

Wednesday, 2 November 2016

​Configure your own git server - Linux

In this post, I would explain on how to configure your own git server where you could manage your own code or your configuration files.  
I shall consider two servers one with hostname 'gitserver' other as a 'gitclient'.

Environment: Linux Centos 6
git version: 1.7.1

First, you would require to install 'git' on both the machines. 

#yum install -y git

Ensure you have created a password less authentication between 'gitserver' and 'gitclient'. incase any help needed refer - 

Create a project directory for git on your 'gitserver'

[root@gitserver ~]# mkdir python.git
[root@gitserver ~]# cd python.git/
[root@gitserver python.git]# git init --bare
Initialized empty Git repository in /root/python.git/
[root@gitserver python.git]#

Login to the 'gitclient' to create a git empty repository.

[root@gitclient ~]# mkdir python
[root@gitclient ~]# cd python/
[root@gitclient python]# git init
Initialized empty Git repository in /root/python/.git/

[root@gitclient python]# cat >
print "Hi .. I am from gitclient who will be commited to gitserver"
[root@gitclient python]# 

[root@gitclient python]# git add .
[root@gitclient python]# git commit -m "First git commit - Hello" -a
[master (root-commit) 5308ec1] First git commit - Hello
 Committer: root <>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global "Your Name"
    git config --global

If the identity used for this commit is wrong, you can fix it with:

    git commit --amend --author='Your Name <>'

 1 files changed, 2 insertions(+), 0 deletions(-)
 create mode 100644
[root@gitclient python]#

[root@gitclient python]# git remote add origin ssh://
[root@gitclient python]# git push origin master
Counting objects: 3, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 295 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
 * [new branch]      master -> master
[root@gitclient python]#

you can check from gitserver log regarding the commits.

[root@gitserver python.git]# git log
commit 5308ec10f87eab1c5bb474a5f42de26818915f7b
Date:   Wed Nov 2 13:57:48 2016 +0530

    First git commit - Hello
[root@gitserver python.git]#

If there are anyone who wants to add their code to this repository, they just would need to clone the repository to their local machine.

#git clone ssh://

they could now edit files, write commit change messages and then can push to the server. 

You can also add your repository in, incase if you need any help refer 

Git cheat sheet

Thanks for re-sharing

Run puppetmaster/puppetclients using Dockers 2/4

In my earlier post, we already have set up puppet master and puppet client in the Guest OS, since its easily portable for deployment of applications I would create an docker image so that it would be easy for us to deploy the same in other machines to test in any environment without any overheads.

you can see the previous post on how to install puppet :

You first need to install docker packages 

Downloaded the docker images of Centos 6, which will pull the latest docker image.

root@ubuntu:~# docker pull centos:6
6: Pulling from library/centos

Digest: sha256:f3cc24b376d42d9fd9fa914335dddee46ed7b5a2e2dd1ee6df045ce437199d79
Status: Image is up to date for centos:6

You need to fire up two containers from the downloaded docker image, one for the puppetmaster and the other for puppetclient. 

root@ubuntu:~# docker run -it --name puppetmaster --hostname centos:6 /bin/bash
root@puppetmaster /] 

root@ubuntu:~# docker run -it --name puppetclient --hostname centos:6 /bin/bash
root@puppetmaster /] 

root@ubuntu:~# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
7d2c3af9ff52        76aa66802274        "/bin/bash"         24 hours ago        Up 3 hours                              puppetclient
113707c588ab        6f9a4933ce57        "/bin/bash"         2 days ago          Up 3 hours                              puppetmaster

Once you have fired up your docker containers, make sure you have your both hosts puppetmaster and puppetclient are resolvable, either in DNS or in /etc/hosts.
you can install/configure puppet master and puppet client as in the article 

once they are completed, you can stop both the containers. 
root@ubuntu:~#docker stop puppetmaster
root@ubuntu:~#docker stop puppetclient

root@ubuntu:~#docker ps
<display no running containers>

root@ubuntu:~#docker commit -m "puppetmaster" <CONTAINER ID> <dockerid>/puppetmaster:<tag>
root@ubuntu:~#docker commit -m "puppetclient" <CONTAINER ID> <dockerid>/puppetclient:<tag>

root@ubuntu:~#docker images
<you could now see your image installed with puppetmaster and puppetclient>

anyone who has no account for docker hub, you can create a new account.
already account exists, then you can push you docker image created puppetmaster/puppetclient to your account and can be download later in any of the platform installed with dockers to fire up two containers. 

root@ubuntu:~#docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to to create one.
Username (dockerid):

root@ubuntu:~#docker push <dockerid>/puppetmaster:latest
root@ubuntu:~#docker push <dockerid>/puppetclient:lastest

you have now successfully uploaded your images to your dockerid repository. 

you can download anytime if you require your docker images using below command and start to firing up your container.

root@ubuntu:~#docker run -it --name puppetmaster --hostname <dockerid>/puppetmaster /bin/bash
root@puppetmaster /] service puppetmaster start
root@puppetmaster /] echo "" >>/etc/hosts

root@ubuntu:~#docker run -it --name puppetclient --hostname <dockerid>/puppetclient /bin/bash
root@puppetclient /]echo "" >>/etc/hosts"

Try to check if they are able to ping resolve both the nodes and once done your puppetmaster/puppetclient with docker images are ready to use.

try executing "testing" part from particle to see it all works as expected.

Thanks for re-sharing