OS X 10.13.2 High Sierra SSH Invalid key length

The OpenSSH client shipped with the OS X 10.13.2 (High Sierra) update rejects RSA keys that are shorter than the minimum modulus size it accepts, so short keys that used to work (1024-bit keys in the author's case) stop loading and the client reports “Invalid key length”. New keys generated with ssh-keygen are 2048-bit RSA by default and fingerprints are displayed as SHA256 hashes.

Fix:
There is no way to make the old key load again. Generate a new key pair with ssh-keygen (2048-bit RSA at minimum, or an ed25519 key), install the new public key on every remote server, and only then remove the old key from the servers' authorized_keys files.
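
The check a practitioner wants before such an upgrade is a list of which existing keys are too short. The script below is an added example, not code from the original post or from OpenSSH: it decodes the blob in an id_rsa.pub or authorized_keys line (the OpenSSH wire format of RFC 4253 section 6.6, a key-type string followed by length-prefixed fields, for ssh-rsa the exponent and modulus as mpints) and returns the modulus bit length. MIN_RSA_BITS is a policy assumption for this example, and the sample keys are constructed in code from synthetic moduli, so nothing here is a real key and it runs offline.

```python
"""Report the size of OpenSSH public keys so short RSA keys can be replaced
before a client upgrade refuses them.

Added example; not code from the original post or from OpenSSH.  The sample
keys are constructed from synthetic moduli (only the bit length matters for
the format check).  MIN_RSA_BITS is an assumed policy value.
"""
import base64
import struct
from typing import List, Tuple

MIN_RSA_BITS = 2048  # assumption: the smallest RSA key you want to keep accepting


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode an SSH 'mpint': big-endian magnitude with a leading 0x00 when the
    top bit is set (so a real 2048-bit modulus travels in 257 bytes)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_rsa_pubkey_line(modulus: int, exponent: int = 65537, comment: str = "constructed") -> str:
    """Build an 'ssh-rsa AAAA... comment' line for a synthetic modulus (test data only)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(exponent) + ssh_mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field, refusing to run past the end of the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def key_bits(line: str) -> Tuple[str, int]:
    """Return (key type, key size in bits) for one public-key line.

    ssh-rsa: bit length of the modulus n.  ssh-ed25519: the fixed 256-bit key.
    Any other type raises ValueError so it gets reviewed rather than silently passed.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    keytype, offset = read_string(blob, 0)
    if keytype.decode("ascii", "replace") != fields[0]:
        raise ValueError("type prefix %r does not match blob type %r" % (fields[0], keytype))
    if keytype == b"ssh-rsa":
        _e, offset = read_string(blob, offset)
        n_bytes, _ = read_string(blob, offset)
        return "ssh-rsa", int.from_bytes(n_bytes, "big").bit_length()
    if keytype == b"ssh-ed25519":
        pub, _ = read_string(blob, offset)
        return "ssh-ed25519", len(pub) * 8
    raise ValueError("unhandled key type %r" % keytype)


def audit_keys(lines: List[str], min_rsa_bits: int = MIN_RSA_BITS) -> List[Tuple[str, str, int, bool]]:
    """Return (comment, type, bits, acceptable) per key line; RSA must meet min_rsa_bits."""
    result = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, as in authorized_keys
        ktype, bits = key_bits(line)
        parts = line.split(None, 2)
        comment = parts[2] if len(parts) > 2 else ""
        ok = bits >= min_rsa_bits if ktype == "ssh-rsa" else True
        result.append((comment, ktype, bits, ok))
    return result


if __name__ == "__main__":
    sample = [  # constructed keys, not real ones
        make_rsa_pubkey_line((1 << 1023) | 1, comment="old-laptop-key"),
        make_rsa_pubkey_line((1 << 2047) | 1, comment="new-key"),
    ]
    for comment, ktype, bits, ok in audit_keys(sample):
        print("%-16s %-12s %5d bits  %s" % (comment, ktype, bits, "ok" if ok else "TOO SHORT"))
```

Feed it the lines of a server's authorized_keys file and anything flagged as too short should be replaced before the client side is upgraded; the same check is what `ssh-keygen -lf id_rsa.pub` prints for a single file.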


OS X 10.13.2 High Sierra SSH Invalid Format

The OS X 10.13.2 High Sierra update breaks SSH in a second way.

$ ssh remote_server -i ~/.ssh/id_rsa.pub
Load key "xxx/.ssh/id_rsa.pub": invalid format

From 10.13.2 onwards the identity file passed with -i (or IdentityFile) must be the PRIVATE key; earlier versions accepted the public key “id_rsa.pub” as the identity file.

So change any scripts, and the IdentityFile lines in ~/.ssh/config, to point at the private key (~/.ssh/id_rsa) instead.

Quick Tips: Mail Templates for the Mac Mail app

A common problem is sending the same form letter to a small number of recipients individually. Mail merge is overkill. What is wanted is a message pre-filled with the content, subject and other fields where you just fill in the “To” field and send.

Well, it turns out that the Mac Mail app has just this feature, but to use it the template message has to be saved in any folder other than the default Drafts.

The short version: draft a message and save it. Then move it from Drafts to another folder, e.g. Templates. Now right-click this message in the Templates folder and select “Send Again”. That’s it.

Steps:

  1. Mail > Mailbox > Click the (+) sign next to the mailbox name > Create a “Templates” folder
  2. Draft a new message and save > Go to Drafts folder > Move this message to the “Templates” folder
  3. Go to the “Templates” folder > Right-click message > Click “Send Again”

From the Apple Support article on the feature:

The "Send Again" option is available on messages in any folder except for the "Drafts".

Python/Django app on CentOS 7 Apache server using mod_wsgi

Python/Django apps can be hosted on a Linux Apache web server using the mod_wsgi module. However, mod_wsgi has to be compiled against the same Python version (major.minor, and ideally the same build) as the interpreter used by the virtual environment; otherwise the module fails to load or pulls in the wrong libpython at runtime.

OS: CentOS 7.3

Python: 3.6.2

Get the source code

Apache headers and apxs (httpd-devel), plus a compiler, are needed to build the module:

$ yum install httpd-devel gcc make

Download the Python-3.6.2 gzipped source tarball (Python-3.6.2.tgz) from python.org

Download the mod_wsgi source code (tar.gz) from the mod_wsgi project


Compile Python and mod_wsgi

Compile Python with the --enable-shared option (mod_wsgi links against libpython as a shared library). make altinstall installs python3.6 under /usr/local without replacing the system python that yum depends on:

tar xzf Python-3.6.2.tgz
cd Python-3.6.2
./configure --enable-shared
make
make altinstall


After the install, make the new libpython visible to the dynamic linker: add /usr/local/lib to the ldconfig search path (a file under /etc/ld.so.conf.d/ containing that path), run ldconfig, and check that libpython3.6 is listed:

# echo /usr/local/lib > /etc/ld.so.conf.d/python3.6.conf && ldconfig
# ldconfig -v | grep python


Now compile mod_wsgi against the freshly built interpreter. make install copies mod_wsgi.so into Apache's modules directory, which is the path the LoadModule line below refers to:

cd mod_wsgi-*
./configure --with-python=/usr/local/bin/python3.6
make
make install


Enable Apache module

Create /etc/httpd/conf.modules.d/10-mod_wsgi.conf

LoadModule wsgi_module modules/mod_wsgi.so


Restart Apache (httpd) and confirm that wsgi_module appears in the loaded module list before configuring the Django application.
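
The quickest way to confirm the version match the first paragraph insists on is to have mod_wsgi report which interpreter it actually embeds. The probe below is an added example, not code from the original post, Django or mod_wsgi: mod_wsgi imports a module and calls its application(environ, start_response) callable, which is exactly what Django's generated wsgi.py exposes, so this file can be pointed at temporarily by WSGIScriptAlias. REQUIRED_VERSION is an assumption matching the 3.6 build above, and run_probe() is a local stand-in for the server so the file can be exercised without Apache.

```python
"""WSGI probe that reports which Python interpreter mod_wsgi is embedding.

Added example; not code from the original post, Django or mod_wsgi.
REQUIRED_VERSION is an assumption (the venv on the server is Python 3.6.x).
"""
import sys
from typing import Dict, Iterable, Optional, Tuple

REQUIRED_VERSION = (3, 6)  # assumption: the virtual environment was built from Python 3.6.x


def interpreter_report() -> Dict[str, object]:
    """Facts that differ between the system python and a custom --enable-shared build."""
    return {
        "python": "%d.%d.%d" % sys.version_info[:3],
        "prefix": sys.prefix,          # /usr/local for the make altinstall build above
        "executable": sys.executable,  # under mod_wsgi this is httpd, not python3.6
        "path": list(sys.path),
    }


def version_matches(required: Tuple[int, int] = REQUIRED_VERSION,
                    actual: Optional[Tuple[int, ...]] = None) -> bool:
    """True when major.minor of the running interpreter equals the required one."""
    actual_mm = tuple(sys.version_info[:2]) if actual is None else tuple(actual[:2])
    return actual_mm == tuple(required[:2])


def application(environ, start_response) -> Iterable[bytes]:
    """The WSGI entry point mod_wsgi calls.  A mismatch answers 500 so it also
    shows up in the Apache access log, not only in the page body."""
    report = interpreter_report()
    ok = version_matches()
    lines = ["%s: %s" % (k, v) for k, v in report.items() if k != "path"]
    lines.append("required: %d.%d -> %s" % (REQUIRED_VERSION[0], REQUIRED_VERSION[1],
                                             "MATCH" if ok else "MISMATCH"))
    lines.append("sys.path:")
    lines.extend("  " + p for p in report["path"])
    body = ("\n".join(lines) + "\n").encode("utf-8")
    status = "200 OK" if ok else "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]


def run_probe(path: str = "/") -> Tuple[str, bytes]:
    """Drive application() the way a WSGI server would, for testing outside Apache."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.version": (1, 0), "wsgi.url_scheme": "http"}
    body = b"".join(application(environ, start_response))
    return str(captured["status"]), body


if __name__ == "__main__":
    status, body = run_probe()
    print(status)
    print(body.decode("utf-8"))
```

Map it with a line such as `WSGIScriptAlias /probe /var/www/probe/wsgi.py`, and run the real application in daemon mode with `WSGIDaemonProcess` and its `python-home=` option pointing at the virtual environment so that its site-packages are used. Remove the probe once the versions agree: it prints sys.path and interpreter details, which is exactly the kind of information you do not want a production vhost to serve to anyone.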

Quick Tips: Seamless network backup for windows terminal

Create a text file backup.cmd (in Notepad: Save As > change the “Save as type” dropdown to All files) and add a single line per backup source. Double-click to run.

robocopy.exe \\192.168.0.1\source D:\destination /MIR /ZB /XF *.exe *.pdf /XD "\\192.168.0.1\source\dir1" "\\192.168.0.1\source\dir2" /LOG+:log.txt /TEE

pause

Options:

  1. /S – copy subfolders (not needed with /MIR, which already copies the whole tree including empty folders)
  2. /ZB – copy files in restartable mode; if access is denied, retry in Backup mode (which needs the backup privilege, i.e. an administrator or Backup Operators account)
  3. /XF – skip (exclude) files matching the patterns, e.g. *.exe
  4. /XD – skip (exclude) directories. No trailing backslash.
  5. /LOG+:log.txt – append the log to the file log.txt
  6. /MIR – create an exact mirror (Warning: deletes data from the destination that does not exist on the source)
  7. /TEE – used with /LOG to also show the output on the console


Easy reporting of website security problems

Two major educational institutions in India have a serious security problem with their websites, which hold student information, and that problem is now exposed to any roaming cyber-shark: the details were released, rather irresponsibly, on Twitter today.

This post is about the difficulty I faced while trying to contact these organisations. None of the phone numbers on their contact pages worked, and the only listed email was a Gmail address.

Since these sites have exposed almost all of their students' contact information and other details, I tried to reach them so that they could quickly block access. Sadly, every attempt by phone failed. The last resort was to email their listed Gmail address, which I am sure is inundated with spam and so is not monitored regularly, or is ignored altogether.

Any organisation whose website hosts student, patient, customer or other private information behind an authentication framework should expect to be compromised at some point, or, as in this case, to be let down by bad software design (here an admin login that could read every student record). When white-hats, pen testers and other cyber security outfits find such a problem they generally post it on their site and social networks. A security report section should be part of the standard website framework alongside the existing home, about, contact and blog sections. That makes it very easy to inform the site owner about a security problem, and resolution can be that much faster.

The Security Vulnerability Reporting section should contain the following:

A dedicated email address e.g. security.problem@domain.tld

A Security Vulnerability Reporting policy that defines the cyber warriors' code of conduct:

  1. Don’t steal, corrupt or delete data
  2. Don’t disrupt or degrade service
  3. Disclose the vulnerability with technical details and proof-of-concept if necessary.
  4. Provide a reasonable amount of time before public disclosure.

Of course, once the problem has been reported and fixed, it is the organisation's responsibility to inform all the people whose data was compromised. A general rule of thumb is that if the exposed data is likely to affect the person, they must be informed about the breach. Email addresses, passwords and phone numbers are all valid triggers for the “likely to be affected” alert. Passwords are especially sensitive, as it is common practice to reuse them across services like email, Facebook, Twitter, Instagram etc.

Please don’t contact me for the school names.


Quick Tip: Single drive on IBM ServerRAID

A server hardware upgrade needed a new 2 TB drive in an IBM x-series server with an LSI RAID controller. Here are the steps followed in the BIOS configuration utility;

  1. F2 [Diagnostics] at boot, then CTRL+H to enter the MegaRAID WebBIOS configuration utility
  2. The default Logical view displays the existing configuration of virtual and physical drives, with any unconfigured drives listed at the end
  3. Click “Configuration Wizard” > Click “Add Configuration” > choose Manual
  4. In the Drives window select the newly added drive and click “Add to Array”
  5. The drive now moves to the Drive Groups window under a new group
  6. Click “Accept DG” > click Next
  7. Click “Add to SPAN” > click Next
  8. Click Accept
  9. Click Yes to accept the single-drive RAID 0 configuration as shown > click Accept (a single-drive RAID 0 has no redundancy at all; it only makes the disk visible to the OS through the controller)
  10. Logical View will display the new disk group initialising
  11. Save and reboot

The OS will now detect a new drive, which can be partitioned and formatted as usual.

Quick Tip: Delete existing partitions during CentOS 7 installation

Got stuck recently during a remote gig installing CentOS 7. The vanilla install failed due to a hardware error and had to be redone, but unlike earlier versions there was no clearly defined path to delete the existing partitions. So here is what we did;

Installation destination:

  1. Custom partitioning > “create automatic partitions” will prompt that there is not enough free space
  2. Click Done to go back
  3. Select Automatic partitioning, click Done
  4. Click the reclaim free space option on the error prompt window
  5. Delete all existing partitions (or only those needed)
  6. Click Reclaim space to apply the changes
  7. Click Done to go back
  8. The disk free space displayed near the bottom has increased

That’s it. You can now proceed with the usual installation steps.

AMD Ryzen and CentOS 7 issues

Stability problem

Stock CentOS 7 ships an old 3.10.x kernel, which causes major stability issues with the AMD Ryzen 7 and the B350 series of motherboards.

Solution

Switch to the newer 4.1x kernel as follows;

Install the latest 4.1x mainline kernel (kernel-ml) from ELRepo. Import the ELRepo signing key first so that rpm and yum can verify the release package and the kernel packages:

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install -y kernel-ml

Reboot and select the 4.1x entry in the GRUB boot menu to confirm that the machine is stable on it.

Make it the default boot entry. Option one: edit /etc/default/grub, change GRUB_DEFAULT=saved to GRUB_DEFAULT=0 (the newest kernel is entry 0), then regenerate the GRUB config so the change takes effect (on a UEFI system the file is /boot/efi/EFI/centos/grub.cfg instead):

grub2-mkconfig -o /boot/grub2/grub.cfg

Option two: keep GRUB_DEFAULT=saved and set the saved entry explicitly.

List the GRUB boot entries (the first line is entry 0):

grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2

Set default Kernel

grub2-set-default 0
grub2-editenv list
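
Passing 0 to grub2-set-default assumes the kernel-ml entry is first, which is only true until something reorders the menu. The script below is an added example, not code from the original post or from GRUB: it lists the menuentry titles of a grub.cfg in GRUB's numbering order and builds the grub2-set-default command for the entry whose kernel version starts with a given prefix, using the title form, which keeps pointing at the same kernel if entries are later reordered. SAMPLE_GRUB_CFG is a constructed excerpt (the version strings and device names are made up for the example) so it runs offline; note that, unlike the grep above, the regex also accepts indented entries inside a submenu block.

```python
"""Pick the GRUB entry for grub2-set-default from grub.cfg instead of assuming index 0.

Added example; not code from the original post or from GRUB.  SAMPLE_GRUB_CFG
is a constructed excerpt, not a real configuration file.
"""
import re
from typing import List, Optional

# Title of a top-level or submenu entry.  Leading whitespace is allowed because
# entries inside a `submenu { ... }` block are indented and grep "^menuentry"
# would miss them, throwing the index count off.
MENUENTRY_RE = re.compile(r"^\s*menuentry\s+'([^']*)'")

SAMPLE_GRUB_CFG = """\
### BEGIN /etc/grub.d/10_linux ###
menuentry 'CentOS Linux (4.13.16-1.el7.elrepo.x86_64) 7 (Core)' --class centos --class gnu-linux {
        linux16 /vmlinuz-4.13.16-1.el7.elrepo.x86_64 root=/dev/mapper/centos-root ro quiet
        initrd16 /initramfs-4.13.16-1.el7.elrepo.x86_64.img
}
menuentry 'CentOS Linux (3.10.0-693.5.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux {
        linux16 /vmlinuz-3.10.0-693.5.2.el7.x86_64 root=/dev/mapper/centos-root ro quiet
        initrd16 /initramfs-3.10.0-693.5.2.el7.x86_64.img
}
menuentry 'CentOS Linux (0-rescue-0123456789abcdef0123456789abcdef) 7 (Core)' --class centos {
        linux16 /vmlinuz-0-rescue-0123456789abcdef0123456789abcdef root=/dev/mapper/centos-root ro
        initrd16 /initramfs-0-rescue-0123456789abcdef0123456789abcdef.img
}
### END /etc/grub.d/10_linux ###
"""


def menu_entries(cfg_text: str) -> List[str]:
    """Return entry titles in GRUB's numbering order (index 0 first)."""
    titles = []
    for line in cfg_text.splitlines():
        m = MENUENTRY_RE.match(line)
        if m:
            titles.append(m.group(1))
    return titles


def find_entry(cfg_text: str, version_prefix: str) -> Optional[int]:
    """Index of the first entry whose kernel version starts with version_prefix.

    The version is the text inside the first pair of parentheses in the title,
    e.g. '4.13.16-1.el7.elrepo.x86_64'.  Returns None when nothing matches.
    """
    for idx, title in enumerate(menu_entries(cfg_text)):
        m = re.search(r"\(([^)]*)\)", title)
        if m and m.group(1).startswith(version_prefix):
            return idx
    return None


def set_default_command(cfg_text: str, version_prefix: str = "4.") -> str:
    """Build the grub2-set-default command for the chosen entry, by title."""
    idx = find_entry(cfg_text, version_prefix)
    if idx is None:
        raise LookupError("no GRUB entry for a kernel starting with %r" % version_prefix)
    return "grub2-set-default '%s'" % menu_entries(cfg_text)[idx]


if __name__ == "__main__":
    import sys
    # Usage: python3 pick_kernel.py /boot/grub2/grub.cfg [version-prefix]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRUB_CFG
    prefix = sys.argv[2] if len(sys.argv) > 2 else "4."
    for i, title in enumerate(menu_entries(text)):
        print(i, title)
    print(set_default_command(text, prefix))
```

Run it against the real /boot/grub2/grub.cfg (or the UEFI copy under /boot/efi/EFI/centos/) and paste the printed command; `grub2-editenv list` then shows the saved entry as that title.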

Reboot. Default boot will load the 4.1x kernel.

Verify

uname -r

Disable Kernel Updates

Update: a later yum install or update can pull in a newer 3.10.x kernel from the base repository and make it the default boot entry again. To stop kernel updates, edit /etc/yum.conf and under the [main] section add the line

exclude=kernel*

or remember to add the exclude option when running yum. Be aware that exclude=kernel* also blocks kernel-ml updates, and therefore its security fixes, from ELRepo; when you intend to update the mainline kernel, run yum with --disableexcludes=main together with --enablerepo=elrepo-kernel.

yum -x 'kernel*' update

Custom setup for email accounts

Outlook Settings

File > Add Account > Manual setup … > POP or IMAP

Fill in the details (username = email id) > Click [More Settings]

Click Outgoing Server Tab > Tick/Check “My Outgoing Server …” and “Use same settings …”

Click Advanced Tab > In Server Port Numbers, set the encrypted connection type as follows (never leave it as “None”: the password would then cross the network in clear text):

  1. Incoming: SSL/TLS (Port 993 for IMAP and 995 for POP)
  2. Outgoing: SSL/TLS (Port 465) or STARTTLS (Port 587)

Click Ok to go back to the Account Settings screen > Click Next

Outlook will now send a test mail.

Android Settings

  1. Settings > Accounts > Add Account > Email > other (POP3/IMAP)
  2. Fill-in details and click [Manual Setup]
  3. Select POP3 or IMAP
  4. Fill-in details and change security to SSL/TLS; the port will change to 993 for IMAP and 995 for POP3
  5. Credentials will be verified, in case of error re-check the email/username and password
  6. Fill-in details for the SMTP server, change security to STARTTLS, Port will change to 587
  7. Credentials will be verified, in case of error re-check the email/username and password
  8. Change account settings and account name as required


iOS Settings

… coming soon, waiting for screens.