Posts Tagged ‘linux’

Quick Script to join content hosts to Satellite 6

April 23rd, 2015

I wrote this for $DAYJOB to move machines registered with RHN or CentOS machines not registered to anything over to our Satellite 6 server.

I presume you have created activation keys titled organization-${DISTRO}${MAJ_REL}-development for all combinations of DISTRO (rhel, centos) and MAJ_REL (6, 7).

# Prepare to register with Satellite
# Make sure lsb_release is installed
rpm -q redhat-lsb-core >/dev/null 2>&1
if [ $? -ne 0 ]; then
  yum -y install redhat-lsb-core
fi
# Which version are we running
RELEASE=`lsb_release -r -s`
# Major release number (6 or 7), used in the repo URL and the activation key
MAJ_REL=${RELEASE%%.*}
# Are we on CentOS or RHEL?
if [ -f /etc/centos-release ]; then
  DISTRO=centos
  # Get the copr release of RHSM for CentOS
  if [ ! -f /etc/yum.repos.d/dgoodwin-subscription-manager.repo ]; then
    # COPR_REPO_URL_PREFIX is a placeholder: the start of this URL is missing from the page
    wget -O /etc/yum.repos.d/dgoodwin-subscription-manager.repo "${COPR_REPO_URL_PREFIX}${MAJ_REL}/dgoodwin-subscription-manager-epel-${MAJ_REL}.repo"
  fi
else
  DISTRO=rhel
fi
# Install the certificates - will pull in subscription-manager
# CA_CONSUMER_RPM is a placeholder: the package name or URL is missing from the page
yum -y install "${CA_CONSUMER_RPM}"
# Install additional useful packages
yum -y install katello-agent
/sbin/service goferd start
# Register with Satellite
subscription-manager register --org="Example" --activationkey="example-${DISTRO}${MAJ_REL}-development"

Setting PAM requirements for password complexity and lifecycle

December 3rd, 2014

I had a fairly strict requirement at $work for a system that had the following password security requirements:

  • Minimum of 8 characters
  • Minimum of 2 different complexity classes
  • Password expires after 90 days
  • No reuse of the last 5 passwords AND no more than 1 password change per day
  • Temporary lockout after 5 failed attempts in 15 minutes, lockout to last for 15 minutes

Here’s how I solved it:

# cd /etc/pam.d
# cp system-auth-ac system-auth.local
# cp password-auth-ac password-auth.local

Modify both system-auth.local and password-auth.local to include pam_faillock and pam_cracklib. You should end up with something like:

auth required
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required

account required
account sufficient
account sufficient pam_succeed_if.so uid < 500 quiet
account required

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required

Link the new files into place (to keep authconfig from overwriting them):

# ln -sf system-auth.local system-auth
# ln -sf password-auth.local password-auth

Edit /etc/login.defs and change:


Apply immediately to root:

# chage -M 90 root
# chage -m 1 root
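
An added example, not part of the original post: a small Python check that parses a PAM stack and login.defs and lists which of the requirements above are not met, counting the module defaults that apply when an option is left out. The sample stack and the login.defs values are constructed (stock RHEL/CentOS 6 module names; PASS_MAX_DAYS and PASS_MIN_DAYS are assumed from the chage commands), and the function names are illustrative.

```python
import re

# Constructed sample input, not from the post: stock RHEL/CentOS 6 module names,
# and login.defs values assumed from the chage commands.
SAMPLE_PAM = """\
auth     sufficient    pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
password requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
"""
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\n"

def pam_options(text, kind, module):
    """Return one {option: value} dict per `kind` line that loads `module`."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == kind and m.group(3) == module:
            found.append(dict(o.split("=", 1) for o in m.group(4).split() if "=" in o))
    return found

def num(opts, key, default):
    """Integer value of an option, or the given default when it is unset."""
    value = opts.get(key, "")
    return int(value) if value.isdigit() else default

def audit(pam_text, login_defs_text):
    """List the password requirements from the post that the config misses."""
    missing = []
    crack = (pam_options(pam_text, "password", "pam_cracklib.so") or [{}])[0]
    if num(crack, "minlen", 9) < 8 or num(crack, "minclass", 0) < 2:
        missing.append("complexity")
    unix = (pam_options(pam_text, "password", "pam_unix.so") or [{}])[0]
    if num(unix, "remember", 0) < 5:
        missing.append("history")
    # pam_faillock defaults when unset: deny=3, fail_interval=900, unlock_time=600
    locks = pam_options(pam_text, "auth", "pam_faillock.so")
    if not locks or any(not 1 <= num(o, "deny", 3) <= 5
                        or num(o, "fail_interval", 900) < 900
                        or num(o, "unlock_time", 600) < 900 for o in locks):
        missing.append("lockout")
    defs = dict(l.split()[:2] for l in login_defs_text.splitlines()
                if len(l.split()) >= 2 and not l.lstrip().startswith("#"))
    if num(defs, "PASS_MAX_DAYS", 99999) > 90 or num(defs, "PASS_MIN_DAYS", 0) < 1:
        missing.append("aging")
    return missing

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_LOGIN_DEFS) or "all requirements met")
```

On a real host, pass it the contents of /etc/pam.d/system-auth.local (or password-auth.local) and /etc/login.defs.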

Categories: System Administration

CentOS 6 Kickstart Encrypted Password

January 21st, 2013

To create the SHA256 encrypted password for a CentOS 6 kickstart file:

python -c 'import crypt; print(crypt.crypt("Password", "$6$Salt"))'

Juniper Network Connect on CentOS 6

January 15th, 2013

The best method for making this work seems to be a 32-bit firefox (even on 64-bit CentOS/RHEL). The trick is that the NC installer launches xterm directly to prompt for a root password – so the following RPMs should be installed before launching the SSL VPN site:

* xterm
* firefox.i686
* libXtst.i686
* libcurl.i686
* gtk2-engines.i686
* alsa-plugins-pulseaudio.i686
* PackageKit-gtk-module.i686