Blue Flower

Monday, 17 October 2016 02:14

Upgrade your ssh keys

This was taken from https://wiki.archlinux.org/index.php/SSH_keys#Ed25519

The Windows SSH client PuTTY does not support ECDSA as of March 2016. One needs a PuTTY development snapshot to connect to a server that uses only ECDSA keys.

Ed25519 was introduced in OpenSSH 6.5: "Ed25519 is an elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance". Its main strengths are its speed, its constant-time run time (and resistance against side-channel attacks), and its lack of nebulous hard-coded constants.[11] See also this blog post by a Mozilla developer on how it works.

It is already implemented in many applications and libraries. Note that Ed25519 is a signature scheme (used for host keys and user keys); the same curve, in its X25519 Diffie-Hellman form, underlies the curve25519-sha256@libssh.org key exchange that OpenSSH prefers by default, and key exchange is a different algorithm slot from key signatures.

Ed25519 key pairs can be generated with:

# ssh-keygen -t ed25519

There is no need to set the key size, as all Ed25519 keys are 256 bits. Ed25519 keys are also always stored in the newer OpenSSH private key format, which "uses a bcrypt-based key derivation function that makes brute-force attacks against stolen private keys far slower". The number of KDF rounds is chosen with ssh-keygen's -a option (higher is slower both for you and for whoever steals the file), whereas the older PEM format that RSA keys used by default before OpenSSH 7.8 derives the encryption key with a single, cheap MD5-based pass.

For those reasons, compatibility with older versions of OpenSSH (before 6.5) or other SSH clients and servers may prove troublesome.
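As an added example (not from the Arch wiki text above), the following POSIX shell script generates an Ed25519 key with an explicit KDF round count and classifies a private key file by its header line, so you can tell whether an existing key is still in the legacy PEM format. The key comment, scratch paths and round count are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: generate an Ed25519 key with a slow bcrypt KDF and
# classify private key files by format. Not part of the original post.
set -eu

# Classify an OpenSSH private key by its first line.
#   openssh-new : new OpenSSH format (bcrypt KDF when a passphrase is set);
#                 the only format Ed25519 keys are ever written in
#   pem-legacy  : old OpenSSL PEM format (RSA/DSA/EC), protected by a single
#                 MD5-based derivation when encrypted at all
#   missing     : file does not exist or is empty
key_format() {
  [ -s "$1" ] || { echo missing; return 0; }
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-new ;;
    "-----BEGIN PRIVATE KEY-----")         echo pem-legacy ;;
    "-----BEGIN "*" PRIVATE KEY-----")     echo pem-legacy ;;
    *)                                      echo unknown ;;
  esac
}

# Generate an Ed25519 key pair at $1 with $2 KDF rounds (ssh-keygen -a).
# Prints the public key's SHA256 fingerprint, or "skipped" when ssh-keygen
# is not installed on this host.
gen_ed25519() {
  keyfile=$1; rounds=${2:-100}
  command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }
  # -N '' writes an unencrypted key so this runs non-interactively; on a
  # real workstation drop -N '' and type a passphrase, which is what the
  # -a rounds actually protect. The comment string is an assumption.
  ssh-keygen -q -t ed25519 -a "$rounds" -N '' -C "example key" -f "$keyfile"
  ssh-keygen -lf "$keyfile.pub" | awk '{print $2}'
}

# Usage: sh upgrade-key.sh run
if [ "${1:-}" = run ]; then
  dir=$(mktemp -d)
  echo "fingerprint: $(gen_ed25519 "$dir/id_ed25519" 100)"
  echo "format:      $(key_format "$dir/id_ed25519")"
  rm -rf "$dir"
fi
```

Run key_format against each file in ~/.ssh that does not end in .pub: anything reported as pem-legacy is a candidate for regeneration (or, at minimum, for ssh-keygen -p -o -a 100 to re-encrypt it in the new format).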

Friday, 10 June 2016 01:55

How to install a FreeBSD VM on ESXi 6

Log into ESXi with the vSphere client, select the host (shown by its IP address) in the inventory, and click Create New Virtual Machine.

On the next screen click Custom and click next.

Give the VM a unique name and click next. If you have multiple datastores, a name of the form datastore1-vmname makes it obvious where the VM lives.

Under storage click the datastore you want the vm to be stored on and click next.

Under the virtual machine version make sure Virtual Machine Version:11 is highlighted and click next.

Under the guest operating system, click other and choose FreeBSD (64-bit) and click next.

This screen will vary from system to system and this will need to be determined by you. Change settings as needed and click next.

Memory size will also vary from system to system. 8GB is a comfortable size; 1GB is the practical minimum, but not recommended. Click next.

Under the Network section I use the default settings. If you have multiple NICs in your server just change the number at the top. Click next.

The default SCSI controller is LSI Logic Parallel. Don't change this unless you know what you're doing. Click next.

Under the virtual disk for new setups the default create a new disk is fine.  Click next.

Disk size is another variable that needs to be determined by you but I wouldn't recommend anything less than 50GB.  Click next.

Under advanced options I typically don't change anything in this screen. Click next.

Click finish on the next screen and then at the bottom of the ESXI screen it will create the VM for you.

Now what you want to do is download the FreeBSD 10.3 ISO from this location:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/FreeBSD-10.3-RELEASE-amd64-dvd1.iso

Once this is downloaded I would recommend uploading the file to one of your datastores and storing it in an ISO folder. You can do this by clicking the IP address of the host in the inventory and then the Summary tab. Under Storage towards the right, right-click the datastore you want to store the ISO in and click Browse Datastore. If you do not have an ISO folder, click the New Folder icon at the top of the window and use ISO for the folder name. Click the ISO folder on the left, then click the upload icon (a drive with an arrow pointing up) and choose the location where you saved the ISO on your local machine.

Once the ISO has been uploaded and the VM has been created we need to tell the FreeBSD VM where to look for the ISO. Right-click the datastore1-vmname you created above and click Edit Settings. Choose the CD/DVD drive and on the right check the box that says Connect at Power On (at the top); under Device Type click Datastore ISO File. Click Browse and choose the location where you uploaded the ISO. Click OK at the bottom.

Once the ISO has been properly identified by the FreeBSD VM we can now start it. Right click the datastore1-vmname on the left select Power and click Power on. Your FreeBSD VM will now start. To view the console Right click the datastore1-vmname on the left and click open console. You should now see the installation window open up. Click inside the Window to access the console and continue with the installation on the following page:

http://freebsdrocks.net/index.php/documents/8-installing-freebsd-and-updating-to-stable/18-installing-freebsd-9

Sunday, 05 July 2015 13:23

Installing UCSPI-SSL

We need to install ucspi-ssl so qmail will accept SMTP connections over SSL/TLS. We can do that like so:


# cd /usr/ports/sysutils/ucspi-ssl
# make install clean

Shortly after this starts installing, you will get a popup box for the ca_root_nss dependency (the version shown depends on your ports tree):

Options for ca_root_nss 3.11.9_2
[X] ETCSYMLINK Add symlink to /etc/ssl/cert.pem

Make sure that box is checked (the space bar toggles it), then hit tab and hit enter.

Creating an SSL key file

If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable to the userid which your "qmail-smtpd" program runs as (which is normally the "qmaild" user.)

Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site- in fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file. As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work.

If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate). Clients will complain about the certificate not being signed by a trusted certificate authority, and they cannot use it to verify that they are talking to the right server; the encryption of the session itself is just as strong, and for opportunistic STARTTLS between mail servers that is usually acceptable. The following example shows how to create a self-signed certificate which expires ten years from the date it was created.

Lets start with creating the key. Use a 2048-bit RSA key signed with SHA-256; the 1024-bit keys that older qmail guides used are no longer considered safe:


# cd /var/qmail/control
# openssl req -newkey rsa:2048 -sha256 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value shown in brackets; hitting Enter accepts the default, and entering a single '.' leaves the field blank. Please note: the Common Name must be the fully qualified name of the mail server (the name clients connect to), so make sure you enter it on that line:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:THIS IS YOUR EMAIL SERVER NAME
Email Address []:(a contact address for the mail administrator)

Now lets give proper ownership to the files:


# chown root:nofiles servercert.pem

The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key, but not change or delete it.


# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem

The "qmail" group is the group with the "qmailr" user belongs to. This user should be able to read, but not write, the "clientcert.pem" file.


# chmod 640 clientcert.pem
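As an added example (not part of the original instructions or of the ucspi-ssl port), the script below wraps the certificate creation with a 2048-bit key and SHA-256 signature, then checks two things a practitioner wants to know before handing the file to qmail-smtpd: that the bundle contains exactly one private key and one certificate, and that it is not world-readable. The hostname, output path and validity period are assumptions; run it as root in /var/qmail/control and then apply the chown/chmod steps above.

```shell
#!/bin/sh
# Added example: build servercert.pem and sanity-check it. Not from the
# original guide. Defaults never touch /var/qmail/control unless asked.
set -eu

# Create a self-signed cert+key bundle at $1 for mail host $2, valid $3 days.
# -subj skips the interactive DN prompts; the CN must be the server name.
# Prints "created", or "skipped" if openssl is not available on this host.
make_servercert() {
  out=$1; host=$2; days=${3:-3650}
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  # umask 077 in a subshell: the file is born root-only, then relaxed to
  # 640 root:nofiles by the chown/chmod steps of the guide. Using the same
  # file for -keyout and -out makes openssl append the cert after the key.
  ( umask 077
    openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -days "$days" \
        -subj "/CN=$host" -keyout "$out" -out "$out" 2>/dev/null )
  echo created
}

# Structural check: qmail-smtpd/ucspi-ssl read both halves from one file,
# so the bundle must carry exactly one private key and one certificate.
bundle_ok() {
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# Permission check: a file holding a private key must not be readable by
# "other" (the 0004 bit). Prints "ok" or "world-readable".
perm_ok() {
  if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
    echo world-readable
  else
    echo ok
  fi
}

# Usage: sh mkcert.sh run mail.example.test   (writes into a scratch dir)
if [ "${1:-}" = run ]; then
  dir=$(mktemp -d)
  echo "$(make_servercert "$dir/servercert.pem" "${2:-mail.example.test}")"
  bundle_ok "$dir/servercert.pem" && echo "bundle: ok"
  chmod 640 "$dir/servercert.pem"
  echo "perms: $(perm_ok "$dir/servercert.pem")"
  rm -rf "$dir"
fi
```

After the file is in place, openssl x509 -noout -subject -dates -in servercert.pem confirms the CN and expiry, and perm_ok run against both servercert.pem and clientcert.pem should print ok.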


Starting qmail


Okay, lets start qmail! (rehash rebuilds the command hash table in csh/tcsh so the shell finds the newly installed qmailctl; in sh it is not needed, and bash uses hash -r instead.)


# rehash
# qmailctl start

You should get an output like so:


Starting qmail...

Starting qmail-send
Starting qmail-smtpd

Lets check to make sure qmail is running okay:


# qmailctl stat

You should get the following output:


/service/qmail-send: up (pid 87953) 344 seconds
/service/qmail-send/log: up (pid 87955) 344 seconds
/service/qmail-smtpd: up (pid 87957) 344 seconds
/service/qmail-smtpd/log: up (pid 87958) 344 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

That's it! qmail is now configured.

Sunday, 05 July 2015 13:14

How to upgrade FreeBSD to the next -STABLE Version

The very first thing we want to do is find out what version we are using. Run the following command:

# uname -a

And it should print out something like the line below. I am going to use this example to upgrade FreeBSD from 9.3 to 10.1

FreeBSD mail.domain.xxx 9.3-STABLE FreeBSD 9.3-STABLE #0: Fri Jul 13 00:53:24 CDT 2015 root@mail.domain.xxx:/usr/obj/usr/src/sys/GENERIC i386

There are a few things to note. The third field is the running release and branch (9.3-STABLE), the date is when the running kernel was last built, the path shows which kernel configuration it was built from (GENERIC) and the last field is the architecture (i386). This is a rather old system, so we need to update it to 10.1. Lets get started!

We need to tell FreeBSD to download the sources for FreeBSD 10 and a fresh ports tree. As of 8/5/16 we no longer need to install subversion: 10.3 includes svnlite as part of the base system. (A 9.x system does not have svnlite yet; install devel/subversion from ports there and use svn in place of svnlite below.) First, get rid of the current /usr/ports and /usr/src:


# rm -dfr /usr/ports
# rm -dfr /usr/src
# mkdir /usr/ports /usr/src

A list of the current subversion sites are below.

https://www.freebsd.org/doc/handbook/svn.html#svn-mirrors

Now we need to check out both ports and sources using the following commands. They use the svn0.us-east mirror; replace it with the closest mirror to you (see link above). Since the target is the 10 -STABLE branch, the source path is base/stable/10 regardless of whether you are coming from 9.x. When svnlite connects to a mirror for the first time it shows the server certificate fingerprint and asks whether to trust it: compare it against the fingerprint published on the mirrors page before accepting, since whatever is checked out here becomes your next kernel and userland.


# cd /usr/ports
# svnlite checkout https://svn0.us-east.FreeBSD.org/ports/head /usr/ports
# cd /usr/src
# svnlite checkout https://svn0.us-east.FreeBSD.org/base/stable/10 /usr/src

Please DO NOT continue until sources and ports have synced.

Lets backup etc first (if /backup does not exist yet, skip the rm):


# rm -dfr /backup/
# mkdir -p /backup/etc
# cp -Rp /etc/* /backup/etc

Older versions of this procedure used CVSup and told the stable-supfile to use the RELENG_10 tree (the example file lives at /usr/share/examples/cvsup/stable-supfile). CVSup has been retired in favour of Subversion, and the svnlite checkout above already selected the stable/10 branch, so there is nothing to configure here.

It may be a good idea to look through /usr/ports/UPDATING so take a look:


# vi /usr/ports/UPDATING

Now to remove the old obj files.


# chflags -R noschg /usr/obj/*
# rm -fr /usr/obj/*

Now to build the world. This guide is meant to help you streamline the process of building and installing world. You can find a more direct resource located at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

If you have a multi-core processor, or multi-processor system, you can do the following, replacing X with the number of processor cores plus 1 (sysctl -n hw.ncpu prints the core count):


# cd /usr/src
# make -jX buildworld

Otherwise run the following command:


# cd /usr/src
# make buildworld

And then build and install the kernel


# cd /usr/src
# make buildkernel KERNCONF=GENERIC
# make installkernel KERNCONF=GENERIC

Booting into single-user mode
Reboot with your new kernel into single-user mode


# reboot

When your computer reboots it will bring you to the loader menu. On FreeBSD 10 choose the "Boot Single User" entry. On the older loader you instead see:

Hit [Enter] to boot immediately, or any other key for command prompt.

Booting [kernel] in 9 seconds...

Hit any key other than [Enter] to get the loader prompt, then type boot -s to boot into single-user mode.

It asks for the location of the shell to be used; choose /bin/sh (just press Enter or Return as this is the default).

Now we need to fix the clock and mount the filesystems. The root filesystem is mounted read-only in single-user mode, so remount it read-write before mounting the rest, otherwise installworld will fail:


# adjkerntz -i
# mount -u /
# mount -a -t ufs

Now to Install world


# cd /usr/src
# mergemaster -p

This does some initial configuration file updates in preparation for the new world. For instance it may add new user groups to the system, or new user names to the password database. This is often necessary when new groups or special system-user accounts have been added since the last update, so that the installworld step will be able to use the newly installed system user or system group names without problems.

At the end you will get prompted Do you wish to delete what is left of /var/tmp/temproot? [no]. Hit Enter for No. It will spit out an output. Continue on.


# make installworld

Now to update /etc


# /usr/sbin/mergemaster

The old "Update /stand" step (cd /usr/src/release followed by make all install) from older FreeBSD releases no longer applies: FreeBSD 10 has no /stand, and running make in /usr/src/release would try to build release media. Skip it.

Reboot and enjoy your new -STABLE system (fastboot reboots without running fsck on the way back up; a plain reboot is the more conservative choice after installworld)


# fastboot

To summarize, the currently recommended way of upgrading FreeBSD from sources is:

# cd /usr/src
# make buildworld
# make buildkernel
# make installkernel
# shutdown -r now

Note: There are a few rare cases when an extra run of mergemaster -p is needed before the buildworld step. These are described in UPDATING. In general, though, you can safely omit this step if you are not updating across one or more major FreeBSD versions.

After installkernel finishes successfully, you should boot in single user mode (i.e. using boot -s from the loader prompt). Then run the following; afterwards, make delete-old in /usr/src removes obsolete files that the new world no longer ships:

# adjkerntz -i
# mount -u /
# mount -a -t ufs
# mergemaster -p
# cd /usr/src
# make installworld
# mergemaster
# reboot

Read Further Explanations: The sequence described above is only a short resume to help you getting started. You should however read the following sections to clearly understand each step, especially if you want to use a custom kernel configuration.

Sunday, 05 July 2015 13:13

Updating to -STABLE

Updated 2/10/13: Updated for FreeBSD 10 and update to pkg system.

This updating to -STABLE guide will be a new rewrite with a few modifications. The CVSup method of retrieving and synchronizing the Ports Collection is being deprecated as part of a migration to Subversion. While it remains supported, the service will be discontinued as of February 28, 2013.

How to update from -RELEASE to -STABLE

Copied with permission by the author

Updating to -STABLE

Original page by Jochem Kossen

Abstract: After a FreeBSD -RELEASE has been released, development continues to the next version. Development is done in a number of branches, like -STABLE and -CURRENT. In this article I'll explain how to track the -STABLE branch. -STABLE is the branch which will bring the next stable release. -CURRENT is the unstable development branch. -CURRENT is only meant for developers!

Note: -STABLE is a BRANCH. That means it is being developed constantly. This also means -STABLE could be broken at any moment. Do not worry though, I've never noticed any problem with it.

Installing subversion is no longer necessary. 10.3 base now includes svnlite. This has been updated below.

Deleting the current sources

First lets get rid of the current /usr/src:


# rm -dfr /usr/src
# mkdir /usr/src

A list of the current subversion sites are below.

https://www.freebsd.org/doc/handbook/svn.html#svn-mirrors

Now we need to check out the sources using the following commands. They use the main svn.FreeBSD.org server; replace it with the closest mirror to you (see link above). The path base/stable/10 selects the 10 -STABLE branch and is the same whether you are coming from 9.x or 10.x. When svnlite connects for the first time it shows the server certificate fingerprint; compare it against the fingerprint published on the mirrors page before accepting it.


# cd /usr/src
# svnlite checkout https://svn.FreeBSD.org/base/stable/10 /usr/src

Please DO NOT continue until at least the sources are updated via svn

Building the base system and kernel

Read /usr/src/UPDATING

UPDATING contains important information and clues needed for upgrading FreeBSD. It could be you need to add a user first, or enable a device in your kernel, or whatever. Things like this are in UPDATING, so read it:


# less /usr/src/UPDATING

Remove old obj files. The very first time you run the second or third command, don't be surprised if you see "no match"


# cd /usr/obj
# chflags -R noschg *
# rm -fr *

Update files essential for buildworld


# mergemaster -p

You will get prompted Do you wish to delete what is left of /var/tmp/temproot? [no]. Hit Enter for No. It will spit out an output. Continue on.

Build the world (this can take a REALLY long time; on a 500Mhz PC it can take over an hour-and-a-half). If you have a multi-core processor, or multi-processor system, you can do:

# cd /usr/src
# make -jX buildworld

Replace X with the number of total processor cores your system has plus 1. So, on a single CPU dual-core processor, you'd use -j3. Otherwise:


# cd /usr/src
# make buildworld

Build the kernel
(change MYKERNEL to the name of your custom kernel configuration file or GENERIC if you don't use a custom configured kernel)


# cd /usr/src
# make buildkernel KERNCONF=MYKERNEL

Installing the base system and kernel

Install your new kernel:

(change MYKERNEL to the name of your custom kernel configuration file or GENERIC if you don't use a custom configured kernel)


# cd /usr/src
# make installkernel KERNCONF=MYKERNEL

We will get more into customizing your kernel later.

Booting into single-user mode

Reboot with your new kernel into single-user mode


# reboot

When your computer reboots it will bring you to the loader menu. On FreeBSD 10 choose the "Boot Single User" entry. On the older loader you instead see:

Hit [Enter] to boot immediately, or any other key for command prompt.

Booting [kernel] in 9 seconds...

Hit any key other than [Enter] to get the loader prompt, then type boot -s to boot into single-user mode.

It asks for the location of the shell to be used; choose /bin/sh (just press Enter or Return as this is the default).

Now we need to mount the filesystems. The root filesystem is read-only in single-user mode, so remount it read-write first:


# mount -u /
# mount -a -t ufs

Now to Install world


# cd /usr/src
# mergemaster -p

You will get prompted Do you wish to delete what is left of /var/tmp/temproot? [no]. Hit Enter for No. It will spit out an output. Continue on.


# make installworld

Update /etc


# rm -fr /etc.old

(The very first time you run this command, don't be surprised if you see "no match" )


# cp -Rp /etc /etc.old
# /usr/sbin/mergemaster

Reboot and enjoy your new -STABLE system


# fastboot
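As an added example serving both source-upgrade guides above (the 9.3 to 10.1 walkthrough and this -STABLE tracking article), and not part of either original text, the script below captures the decisions the guides make by hand: which Subversion branch to check out for a target major version, how many make jobs to run (cores + 1), whether the upgrade crosses a major version boundary (which is when UPDATING and the pre-buildworld mergemaster -p matter most), and a timestamped tar backup of /etc that can be restored from single-user mode. The mirror host and backup directory are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: pre-flight helper for a source-based -STABLE upgrade.
# Not from the original guides. MIRROR and the backup path are assumptions.
set -eu

MIRROR=${MIRROR:-https://svn0.us-east.FreeBSD.org}

# "FreeBSD host 9.3-STABLE FreeBSD 9.3-STABLE #0: ..." -> 9.3-STABLE
release_from_uname() { echo "$1" | awk '{print $3}'; }

# 9.3-STABLE -> 9 ; 10.1-RELEASE-p2 -> 10
major_of() { echo "$1" | sed 's/\..*//'; }

# Branch that tracks -STABLE for target major $1, e.g. .../base/stable/10
svn_src_url()   { echo "$MIRROR/base/stable/$1"; }
svn_ports_url() { echo "$MIRROR/ports/head"; }

# The guides' rule of thumb: make -j = cores + 1. hw.ncpu is the FreeBSD
# sysctl; nproc is the fallback so the script also runs on Linux hosts.
make_jobs() {
  n=$(sysctl -n hw.ncpu 2>/dev/null || nproc 2>/dev/null || echo 1)
  echo $(( n + 1 ))
}

# "yes" when moving from running major $1 to target major $2 crosses a
# major release: read /usr/src/UPDATING and run mergemaster -p first.
crosses_major() { [ "$1" -ne "$2" ] && echo yes || echo no; }

# Archive $1 (default /etc) as $2/etc-YYYYmmdd-HHMMSS.tgz; prints the path.
# Keeping several dated archives beats overwriting one /backup/etc copy,
# because the copy you want is the one from before the failed upgrade.
backup_etc() {
  src=${1:-/etc}; dest=${2:-/backup}
  mkdir -p "$dest"
  archive="$dest/etc-$(date +%Y%m%d-%H%M%S).tgz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  echo "$archive"
}

# Usage: sh preflight.sh plan 10
if [ "${1:-}" = plan ]; then
  cur=$(major_of "$(release_from_uname "$(uname -a)")")
  target=${2:-$cur}
  echo "running major: $cur"
  echo "svn src url:   $(svn_src_url "$target")"
  echo "svn ports url: $(svn_ports_url)"
  echo "build with:    make -j$(make_jobs) buildworld"
  echo "crosses major: $(crosses_major "$cur" "$target")"
fi
```

Running the plan target before touching /usr/src gives you the checkout URLs and the -j value to paste into the steps above; backup_etc should run as root before mergemaster -p so that /etc/master.passwd and /etc/group can be restored if a merge goes wrong.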

Sunday, 05 July 2015 13:12

Installing FreeBSD 10.3

Updated 6/9/16: Updated guide to FreeBSD 10.3 installation.

FreeBSD 10.3-RELEASE may be downloaded via FTP from the following site:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/

There are a few choices in the list. I would grab the FreeBSD-10.3-RELEASE-amd64-dvd1.iso
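Both this guide and the ESXi guide above download the installer over plain FTP, which provides no integrity protection. As an added example (not part of either original post), the script below checks a downloaded image against the CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64 file that FreeBSD publishes in the same release directory. The checksum line format follows those files; the digests in the self-test are constructed for the test, not copied from a real release.

```shell
#!/bin/sh
# Added example: verify a FreeBSD ISO against the release's SHA256 checksum
# file before burning it or uploading it to a datastore. Not from the guide.
set -eu

# SHA-256 of a file using whichever tool the host has (FreeBSD: sha256,
# Linux: sha256sum, macOS: shasum, anything else: openssl).
sha256_of() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Expected digest for an image name from a BSD-style checksum file, e.g.
#   SHA256 (FreeBSD-10.3-RELEASE-amd64-dvd1.iso) = <64 hex chars>
expected_sha256() {
  awk -v name="$2" '$1 == "SHA256" && $2 == ("(" name ")") {print $NF; exit}' "$1"
}

# Compare the image ($1) with its entry in the checksum file ($2).
# Prints ok / MISMATCH / no-entry; exit status is 0 only for ok.
verify_iso() {
  iso=$1; sums=$2
  want=$(expected_sha256 "$sums" "$(basename "$iso")")
  if [ -z "$want" ]; then echo no-entry; return 2; fi
  have=$(sha256_of "$iso")
  if [ "$have" = "$want" ]; then echo ok; return 0; fi
  echo MISMATCH; return 1
}

# Usage: sh verify-iso.sh FreeBSD-10.3-RELEASE-amd64-dvd1.iso CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64
if [ $# -eq 2 ]; then
  verify_iso "$1" "$2"
fi
```

Fetch the checksum file from the same directory as the ISO. Because the checksum file arrives over the same unauthenticated channel, a match proves the download was not corrupted but not that it was not substituted; for that, compare the digest with the one in the PGP-signed release announcement.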

It is up to you how you install the media whether you burn it and install on a PC or install via ESXi 5.x (or 6.x) or any other means of installing a virtual machine. I run FreeBSD 10.3 on ESXi 6.0 at the moment.

Once you get the installation started it will ask if you want to Install, Go to a Shell or Live CD. The obvious choice is to click Install.

Next screen is if you want to set a non-default key map? I choose no. If you know you need this then click Yes and choose your option there.

The next screen is the hostname. Type your hostname as it would appear on your network. On my LAN at home it would be FreeBSD9.home.local

The next screen will give you 4 options and I will discuss all 4 options below:

doc - Recommended! This is to install the FreeBSD Man(ual) pages on this host
games - Optional
ports - Recommended! This is to install the ports system
src - Optional - Only install this if you want to track -STABLE

Click ok at the bottom.

At this point it will ask if you want to use the guided method for partitioning, manual or shell. Easiest way to install is via the guided option. On the next screen choose entire disk. At this point you can leave the defaults or choose to edit them. Myself I am still old school so I still like to visually see the /var and /tmp partitions, so I would delete the freebsd-ufs partition and then make 3 new ones:

Hit enter on create and choose the following (the size of the drive will vary depending on your machine drive space. I am using a 50GB drive in total in this example)

Type freebsd-ufs
Size 5GB
Mountpoint /tmp

Type freebsd-ufs
Size 10GB
Mountpoint /var

Type freebsd-ufs
Size * GB
Mountpoint /usr

The * above indicates use the rest of the drive

When you're done with your selections use the right arrow key to go over to finish. it's going to ask you to confirm your changes. Click commit and we're going to have to wait for it to finish.

At this point we are nearly finished. When the install is completed it will jump to the "Change your root password" screen. Type in a HIGHLY secure password. Treat 8 characters as the bare minimum; a longer passphrase mixing letters, numbers and punctuation is much better, as this is the account an attacker will guess at first. It will ask you to type the password twice.

The next screen will ask you to configure your network adapter. Choose the adapter that is shown on the screen and hit enter. The next screen will ask you if you want to use DHCP. Choose Yes or No depending on your network; in most cases DHCP is the most common option. The next screen will ask if you want to configure IPv4 for this interface. Again, this is the most common method, so hitting Enter should be ok. The next screen will ask if you want to configure IPv6, the next generation of IP addresses. If you have it and you know it, click Yes. Otherwise click No.

The next screen is your Network Configuration screen. Just hit ok.

When asked Is your CMOS Set to UTC? If you're sure your BIOS is set to UTC, hit yes. Otherwise hit no even if you're unsure.

Choose your Country and hit Enter and then choose your closest State/Province and then hit Enter again.

ALMOST DONE! Now it will ask you if you want to configure any other options. See below:

sshd - RECOMMENDED! Don't disable this. This will allow you to ssh into the box remotely (root logins over ssh are off by default, so log in as a regular user and su; switch to key-based authentication once the system is up)
moused - Optional - You can install this if you plan on using X/gnome/KDE/Etc.
ntpd - Optional - You can specify a NTP server to sync time
powerd - Optional - You can use this to adjust CPU frequency dynamically

It will ask you if you want to enable Dumpdev Configuration. I choose No.

If you want to add users to the system at the time on the next screen click yes. Otherwise click no.

You should now be at the Final Configuration screen. You can change what options are in this screen or you can just hit Enter to exit. It will ask you to confirm if you really want to exit and the system will then reboot.

Congrats! You now have FreeBSD 10.3 installed!
