New PDP Concept Maple

December 3rd, 2014 1 comment

After having the same Pearl kit for the last 20 years, I’ve finally replaced it. I purchased a PDP Concept Maple 7 piece in Transparent Cherry. Beautiful kit. Here’s a couple of pics of assembly:

Categories: Drums and Drumming, Uncategorized

Setting PAM requirements for password complexity and lifecycle

December 3rd, 2014 No comments

I had a fairly strict requirement at $work for a system that had the following password security requirements:

  • Minimum of 8 characters
  • Minimum of 2 different complexity classes
  • Password expires after 90 days
  • No reuse of the last 5 passwords AND no more than 1 password change per day
  • Temporary lockout after 5 failed attempts in 15 minutes, lockout to last for 15 minutes

Here’s how I solved it:

# cd /etc/pam.d
# cp system-auth-ac system-auth.local
# cp password-auth-ac password-auth.local

Modify both system-auth.local and password-auth.local to include pam_faillock and pam_cracklib. You should end up with something like:

auth required
auth sufficient nullok try_first_pass
auth [default=die] authfail audit deny=5 unlock_time=900 even_deny_root
auth sufficient authfail audit deny=5 unlock_time=900 even_deny_root
auth requisite uid >= 500 quiet
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account required

password requisite try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient sha512 shadow nullok try_first_pass use_authtok remember=5
password required

Link the new files into place (to keep authconfig from overwriting them):

# ln -sf system-auth.local system-auth
# ln -sf password-auth.local password-auth

Edit /etc/login.defs and change:


Apply immediately to root:

# chage -M 90 root
# chage -m 1 root
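
A quick way to confirm the edited files really carry these settings: the script below is an added example, not part of the original post. It parses a PAM stack and checks the values from the requirements list on every matching line. The sample stack is constructed, and its module names are assumed from the stock CentOS 6 system-auth layout.

```python
import re

# Values from the post's requirements, keyed by (PAM type, module)
POLICY = {
    ("password", "pam_cracklib.so"): {"minlen": 8, "minclass": 2},
    ("password", "pam_unix.so"): {"remember": 5},
    ("auth", "pam_faillock.so"): {"deny": 5, "unlock_time": 900},
}

# Constructed sample; module names assume the stock CentOS 6 layout.
# Two deliberate defects: unlock_time=600 on one line, remember= missing.
SAMPLE = """\
auth      required      pam_env.so
auth      required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth      sufficient    pam_unix.so nullok try_first_pass
auth      [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth      required      pam_deny.so
account   required      pam_faillock.so
account   required      pam_unix.so
password  requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2
password  sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required      pam_deny.so
"""

def parse_stack(text):
    """Yield (type, control, module, options) for each PAM rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            opts = dict(tok.partition("=")[::2] for tok in m.group(4).split())
            yield m.group(1), m.group(2), m.group(3), opts

def audit(text, policy=POLICY):
    """Return findings; an empty list means every checked line matches."""
    rules = list(parse_stack(text))
    findings = []
    for (rtype, module), required in policy.items():
        matches = [o for t, _, mod, o in rules if (t, mod) == (rtype, module)]
        if not matches:
            findings.append(f"{rtype} {module}: line missing")
        for opts in matches:  # every line of a module must agree
            for key, want in required.items():
                if opts.get(key) != str(want):
                    findings.append(f"{rtype} {module}: {key}={opts.get(key)} (want {want})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to audit(), for example the text of /etc/pam.d/system-auth.local.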

Categories: System Administration

Puppetmaster cert change

August 6th, 2014 No comments

Some day I will need this. Hat tip to Nan Liu.

From the puppet-users mailing list

Backup your puppet master ssl directory, so you can just retry if something didn’t go as planned.

# note all certificate alt names of the existing puppet master cert:
puppet cert -la | grep oldmaster
(alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
# remove your old puppet master cert.
puppet cert -c oldmaster
# search the ssl dir and it should not have any files with the oldmaster certname
# generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
# you may need to copy the files to some locations if you found files not removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:
puppet agent -t --server new_hostname --noop

You should not have to touch any client cert, that’s only necessary if you need to change your CA cert which is a pain when it expires.



Categories: System Administration

rpmconf and vimdiff

August 5th, 2014 No comments

I was reading through the Foreman upgrade notes today and came across this gem:

rpmconf -a --frontend=vimdiff

Gives a great side-by-side view of all those .rpmnew files that get created as part of an install so you can reject, accept, or merge the differences. I like it.

Categories: System Administration

Living with Cisco Anyconnect on OSX

July 22nd, 2014 2 comments

Took me a bit to figure this out, but I needed to override the DNS settings forced upon me by the Cisco Anyconnect client. Unfortunately, $WORK is moving away from the IPSEC VPN in favor of the SSL VPN, so the native Mac client (where I could set DNS servers by hand in advanced settings) no longer works.

To override the settings handed down, I made use of the scutil command and crafted a short script to update the settings. I’ll probably expand the script to actually launch Anyconnect and wait for the tunnel to come up and apply the settings to make things easier on me, but in the meantime here’s the relevant bits.


sudo scutil <

2 TB Virtual Disks in VMware

July 17th, 2013 No comments

When creating a 2TB disk in VMware, if you want to take snapshots do not configure the disk as 2TB, but rather 2032GB to account for the overhead. See

HP Data Protector unable to backup file

March 20th, 2013 No comments

Occasionally, HP Data Protector will be unable to back up a file because of memory constraints. You will get a message something like:

Cannot read X bytes at offset YYYYY(:1): ([1450] Insufficient system resources exist to complete the requested service. ).

The solution lies here:

Categories: System Administration

Reunion Tour

February 5th, 2013 No comments

This week, the three of us that made up a rock group when we were in high school are reuniting. 15 years later, we’ve all ended back up in the same area we grew up and are going to get together and play through some covers. I have to say I’m pretty pumped.

I’ve been spending time since Christmas on the website’s Edge area. Edge members can watch live lessons, archives of recorded lessons, and interact with the instructors and (maybe more importantly) other Drumeo members via forums, Youtube and e-mail. It’s a pretty incredible concept, and one I’m glad I can participate in. I’ve been able to get some exercises to bring my drumming chops back up to what they once were, and hopefully push them beyond. Back then, my drums stayed at the bassist’s house (and I was too poor for a second set), so practice time was limited. I intend to change that this time around and be more deliberate about practicing and improving my skill set.

If you’re looking for a great drumming community, check out!

Categories: Drums and Drumming

Time conversion gymnastics in Python

February 5th, 2013 No comments

I was recently working with a sqlite3 database using the DATETIME('now') SQL construct to save the time a row was updated. This results in a format of e.g. 2013-02-05 17:50:42, which is in UTC. In order to display this in local time, I did the following gymnastics:

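import calendar, time
thetimefromdb = "2013-02-05 17:50:42"  # UTC value as stored by DATETIME('now')
# Parse as UTC, convert to epoch seconds, then format in the local time zone
time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(calendar.timegm(time.strptime(thetimefromdb, "%Y-%m-%d %H:%M:%S"))))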

Is there a better way?

CentOS 6 Kickstart Encrypted Password

January 21st, 2013 No comments

To create the SHA256 encrypted password for a CentOS 6 kickstart file:

python -c 'import crypt; print(crypt.crypt("Password", "$6$Salt"))'