cloud-init: Automatically import your public SSH keys into LXD Instances

Tags

automation, cloud-init, lxc, lxc profile, lxd, SSH, ssh-key, ubuntu, YAML

While provisioning LXD instance; we can define post deployment task using cloud-init. This will help us to import your public SSH keys, add new user, update packages and install new packages if required. To do that we use lxc profile.

First check what lxc profile you have. There should be one default profile.

# lxc profile list

Copy default profile and create new one

# lxc profile copy default production

Edit newly created profile

# lxc profile edit production

Use the following configuration. This is YAML file and for better formatting please download it from here

Continue reading →

recover corrupt /etc/sudoers file over SSH

Tags

SSH, sudo su, ubuntu

Recently I have faced issue where I mistakenly edit the file under /etc/sudoers.d/. When ever I am trying to sudo; I am getting following error:

fakrul@fakrul-server01:~/.config$ sudo su
>>> /etc/sudoers.d/fakrul_sudo: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers.d/fakrul_sudo near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialise policy plugin

Unfortunately I don’t have any other sudo user. I have googled and got a solution.

Steps:

1. Open two ssh sessions to the target server.

2. In the first session, get the PID of bash by running:
fakrul@fakrul-server01:~/.config$ echo $$
5886

3. In the second session, start the authentication agent with:

pkttyagent --process (pid from step 2)

4. Back in the first session, run:

fakrul@fakrul-server01:~/.config$ pkexec rm /etc/sudoers.d/fakrul_sudo

5. In the second session, you will get the password prompt. “fakrul_sudo” file will be removed in the first session. In same way you can add new file.

 

NSD with DNSSEC (Forward & Reverse DNS)

Tags

DNS, DNSSEC, NSD

In previous two blogs (1st part &  2nd part) I explain how to setup NSD as primary DNS server and BIND as secondary. Now let’s see how can we implement DNSEC with it.

1. You can put all the key in single folder; but for better understanding I put necessary information in 4 folders:
ZONES: All zone files, SIGNED: All signed zone files, ZSK: All ZSK keys, KSK: All KSK Keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, a NLnet Labs’ project:
sudo apt-get install ldnsutils

3. Create ZSK /etc/nsd/ZSK
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create KSK
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen will create 3 files: a .key file with the public DNSKEY, a .private file with the private keydata and a .ds with the DS record of the DNSKEY record.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes:

zone:
name: “ssh.com.bd”
zonefile: “ssh.com.bd.zone.signed”

5. Now use the ldns-signzone command to sign ssh.com.bd and to create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664 \
-f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This will create a signed zone file under /etc/nsd/SIGNED folder.

Continue reading →

INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 2)

Tags

bind, DNS, NSD

In this part we will install BIND and secondary name server. For primary name server installation please check INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 1)

1. Update package library and install BIND

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

2. All the configuration files are in /etc/bind/ folder. Most of the cases the default options work fine. The only thing I did is add the TSIG key for zone transfer.

3. First create they key file
vi ssh.com.bd-key

key ssh.com.bd-key {
algorithm hmac-md5;
secret "N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0=";
};

Make sure you copy the secret properly

4. Add the key in named.conf file

sudo vi named.conf

#TSIG key kompella->martini
include "/etc/bind/ssh.com.bd-key";

server 192.0.2.10 {
keys { ssh.com.bd-key; };
};

5. Add the related zone in named.conf.default-zones file:

zone "ssh.com.bd" IN {
type slave;
file "/var/cache/bind/ssh.com.bd.zone";
masters { 192.0.2.10; };
};

zone "113.0.203.in-addr.arpa" IN {
type slave;
file "/var/cache/bind/203.0.113.zone";
masters { 192.0.2.10; };
};

6. Save and reload BIND service.

sudo /etc/init.d/bind9 restart

7. Test the zone transfer:
dig axfr @192.0.2.10 ssh.com.bd soa -k ssh.com.bd-key

If all are on; you can see all the zone entry.

Continue reading →

Encrypt Facebook email communication

Tags

Email Encryption, Facebook, PGP

Now you can use your PGP key to encrypt email sent by Facebook.

How can you do it:

1. Login to you Facebook account.

2. Go to PGP Public KeyYour profile > About > Contact & Basic info > PGP Public Key

3. Past your public key.

4. Facebook will sent you an encrypted verification mail. Check and aggree to that mail.

5. You will get final confirmation.

Benefit?

If any one get access to your email account; they can’t read though your facebook mail or message (hopefully they will not access to your private key or passphrase).  Even if they hack your email account.