Hi folks,
Don't know if it could be interesting or not, even useful, but the past days
I was spending my time trying to use an old GSM Motorola V150 mobile
phone to get access to my host from my Palm device with pssh
(http://www.sealiesoftware.com/pssh/). These are the steps I did to
accomplish it; feel free to suggest or improve it, anyway I found it
useful.
First, this Motorola has a USB interface to the host; it's quite
simple to attach the phone to the host running CentOS. I don't like
USB 'things' very much but things are like this... anyway, if you do so
you'll notice in syslog:
<...>
Aug 8 20:54:13 spoolbox kernel: cdc_acm 1-2:1.0: ttyACM0: USB ACM device
<...>
Don't know other mobile phones with a USB interface but it could be
similar in others with an operational modem (I have to admit that I'm not
an expert in GSM nor telephony...)
Anyway, if you inspect the usb line, you can see:
[root@spoolbox crash]# cat /proc/bus/usb/devices
<...>
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 9 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=02(comm.) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=22b8 ProdID=3802 Rev= 0.01
S: Manufacturer=Motorola Inc.
S: Product=Motorola Phone (V150)
C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr= 20mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=01 Driver=cdc_acm
--------------- !!!!!
E: Ad=89(I) Atr=03(Int.) MxPS= 16 Ivl=10ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_acm
--------------- !!!!!
E: Ad=01(O) Atr=02(Bulk) MxPS= 16 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 16 Ivl=0ms
<...>
Then, in /dev you will have:
[root@spoolbox crash]# l /dev/ttyACM0
crw------- 1 root root 166, 0 ago 8 20:54 /dev/ttyACM0
In my case, I wasn't sure about this phone's modem facilities, and I started
playing with init sequences to discover the modem with the 'minicom' tool,
without success. Finally I decided to use the 'wvdialconf' utility to make
up for my lack of knowledge:
[root@spoolbox crash]# wvdialconf newconffile
Scanning your serial ports for a modem.
Port Scan<*1>: S0 S1 S2 S3 S4 S5 S6 S7
ttyACM0<*1>: ATQ0 V1 E1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 Z -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM0<*1>: Modem Identifier: ATI -- 144
ttyACM0<*1>: Speed 4800: AT -- OK
ttyACM0<*1>: Speed 9600: AT -- OK
ttyACM0<*1>: Speed 19200: AT -- OK
ttyACM0<*1>: Speed 38400: AT -- OK
ttyACM0<*1>: Speed 57600: AT -- OK
ttyACM0<*1>: Speed 115200: AT -- OK
ttyACM0<*1>: Speed 230400: AT -- OK
ttyACM0<*1>: Speed 460800: AT -- OK
ttyACM0<*1>: Max speed is 460800; that should be safe.
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
ttyUSB0<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 115200 baud
ttyUSB0<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.
Found an USB modem on /dev/ttyACM0.
Modem configuration written to newconffile.
ttyACM0<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
[root@spoolbox crash]# l newconffile
-rw-r----- 1 root root 232 jul 30 18:11 newconffile
[root@spoolbox crash]# cat newconffile
[Dialer Defaults]
Modem = /dev/ttyACM0
Baud = 460800
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = USB Modem
; Phone = <Target Phone Number>
; Username = <Your Login Name>
; Password = <Your Password>
With this information, i updated the init sequence in 'minicom'
parameters:
[root@spoolbox crash]# LANG=C; minicom
Welcome to minicom 2.00.0
OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Feb 21 2005, 19:32:30.
Press CTRL-A Z for help on special keys
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
OK
┌──────[Modem and dialing parameter setup]────────────────┐
│
│
│ A - Init string .. ~^M~ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0^M │
│ B - Reset string . ^M~ATZ^M~ │
<...>
I did an AT command and I got the corresponding OK, cool :)
AT
OK
ATZ
OK
ATD <phone-number>
And my other mobile phone was ringing with an incoming data call.
Up to here fine since the old Motorola phone was able to perform calls,
that's not the point unless you want a dial-out line (56k).
What I needed was dial-in facilities, so go on with 'mgetty-sendfax':
First change the /etc/inittab to start using the line:
[root@spoolbox crash]# cat /etc/inittab
<...>
# Modem back line listen
# Data only and two tones b4 connect
T1:2345:respawn:/sbin/mgetty ttyACM0 -D /dev/ttyACM0
<...>
To enable dial-in uncomment the corresponding line in the
'/etc/mgetty+sendfax/login.config' file with the previously created profile:
[root@spoolbox crash]# cat /etc/mgetty+sendfax/login.config
<...>
/AutoPPP/ - - /usr/sbin/pppd file /etc/ppp/options.server
<...>
You can even trim more for incoming calls using the corresponding
features at '/etc/mgetty+sendfax/dialin.config', in my case I left it
untouched without restrictions.
And config the line in '/etc/mgetty+sendfax/mgetty.config':
<...>
# Motorola V150/Usb connected to ttyACM0/1: don't do fax, less logging
#
port ttyACM0
debug 9
data-only y
speed 460800
<...>
Up to here, you have the line preset correctly, now you have to use it
to dial-in.
Create a ppp profile file to use in dial-in whatever the line will be:
[root@spoolbox crash]# cat /etc/ppp/options.server
# Do not fork to become a background process
-detach
# To allow pppd to work over a rlogin/telnet connection
asyncmap 0
# Use the modem control lines
modem
# Use hardware flow control
crtscts
# Specifies that pppd use the UUCP-style lock on the serial device
lock
# Adds an entry into the ARP table with the IP address of the client and the IP address of the NIC
proxyarp
#
# Auth:
# PAP (Password Authentication Protocol) is one of the two protocols that PPP uses to authenticate
# peers.
# The other is CHAP (Challenge Handshake Authentication Protocol).
# CHAP is a more secure protocol, but is not as widely supported as PAP
require-pap
refuse-chap
#require-chap
#refuse-pap
# if 'login' option (follows) is used, the file /etc/ppp/pap-secrets need not exist. In fact, it
# might interfere with the proper functioning of PAP. You can remove the file, or it can contain
# the following line:
# * * ""
# The advantage of maintaining /etc/ppp/pap-secrets with this line is that it leaves you the option
# of denying PPP access to individual accounts that have entries in /etc/passwd. To do so, below
# the above line, enter the following line:
# username * -
# where "username" is the username of the account you wish to deny PPP access. Example:
# #user server secret addrs
# * * "" *
# jdoe * - *
#
#login
# The first DNS server IP address for this network.
ms-dns 192.168.0.1
# The second DNS server IP address for this network.
ms-dns 62.42.230.24
Third, create the specific profile for /dev/ttyACM0 line, where our
phone is:
[root@spoolbox crash]# cat /etc/ppp/options.ttyACM0
# The first IP address is the servers IP address, the second IP address is
# the free static IP address that can be assigned to the computer dialing
# in on the modem. This number cannot be in use.
192.168.0.3:192.168.0.69
# The net mask of the LAN the server is connected to.
netmask 255.255.255.0
And since we are using PAP to auth, create the password
at /etc/ppp/pap.secrets:
[root@spoolbox crash]# cat /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client server secret IP addresses
sm0ketst * password *
Now, let's see what's happening with all of this stuff:
# telinit q
And check out the syslog:
<...>
Aug 8 21:25:49 spoolbox init: Re-reading inittab
<...>
And check also '/var/log/mgetty.log.ttyACM0':
[root@spoolbox ~]# tail -F /var/log/mgetty.log.ttyACM0
<...>
--
08/08 20:58:28 CM0 mgetty: experimental test release 1.1.31-Jul24
08/08 20:58:28 CM0 check for lockfiles
08/08 20:58:28 CM0 checklock: no active process has lock, will remove
08/08 20:58:28 CM0 locking the line
08/08 20:58:28 CM0 makelock(ttyACM0) called
08/08 20:58:28 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
08/08 20:58:28 CM0 lock made
08/08 20:58:29 CM0 tio_get_rs232_lines: status: RTS CTS DTR
08/08 20:58:29 CM0 WARNING: DSR is off - modem turned off or bad cable?
08/08 20:58:29 CM0 lowering DTR to reset Modem
08/08 20:58:29 CM0 tss: set speed to 460800 (10004)
08/08 20:58:29 CM0 tio_set_flow_control( HARD )
08/08 20:58:29 CM0 waiting for line to clear (VTIME=1), read:
08/08 20:58:30 CM0 send: \dATQ0V1H0[0d]
08/08 20:58:30 CM0 waiting for ``OK''
08/08 20:58:30 CM0 got: ATQ0V1H0[0d]
08/08 20:58:30 CM0 CND: ATQ0V1H0[0d][0a]OK ** found **
08/08 20:58:30 CM0 send: ATS0=0Q0&D3&C1[0d]
08/08 20:58:30 CM0 waiting for ``OK''
08/08 20:58:30 CM0 got: [0d]
08/08 20:58:30 CM0 CND: OK[0a]ATS0=0Q0&D3&C1[0d]
08/08 20:58:30 CM0 CND: ATS0=0Q0&D3&C1[0d][0a]OK ** found **
08/08 20:58:30 CM0 waiting for line to clear (VTIME=3), read: [0d][0a]
08/08 20:58:30 CM0 removing lock file
08/08 20:58:30 CM0 waiting...
Up to here, the hard part is done except the netfilter part i'll show
later, but from now we can ring our motorola to get access from 'pssh'
in our palm device (in my case i use a bluetooth conn with a Nokia
6600).
If we also want to access the network from the palm device, you have to
tweak the /etc/sysconfig/iptables file in the host where the phone is
connected in the following way:
a) At the top of the file, add the following lines:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Rule for sharing eth0 with ppp0/ttyACM0 <------- ADD
-A FORWARD -i ppp0 -j ACCEPT <------- ADD
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
<...>
b) At the end of the file, add the following lines:
<...>
# Rest
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Rule for dial-in network sharing
# Remark: Remember to update the /etc/sysctl.conf
# Controls IP packet forwarding
# net.ipv4.ip_forward = 1
# or # echo 1 > /proc/sys/net/ipv4/ip_forward
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
And as you can see, enable packet forwarding by hand or in
'/etc/sysctl.conf'
After that restart iptables
[root@spoolbox ~]# service iptables restart
And check out the 'whole thing':
1st- enable bluetooth on phone,
2nd- enable bluetooth on palm, and connect
[root@spoolbox ~]# tail -F /var/log/mgetty.log.ttyACM0
<...>
--
08/08 21:38:50 CM0 select returned 1
08/08 21:38:50 CM0 checking lockfiles, locking the line
08/08 21:38:50 CM0 makelock(ttyACM0) called
08/08 21:38:50 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
08/08 21:38:50 CM0 lock made
08/08 21:38:50 CM0 wfr: waiting for ``RING''
08/08 21:38:50 CM0 got: [0d][0a]RING[0d]
08/08 21:38:50 CM0 CND: RING
08/08 21:38:50 CM0 wfr: rc=0, drn=0
08/08 21:38:50 CM0 CND: check no: 'none'
08/08 21:38:50 CM0 send: ATA[0d]
08/08 21:38:50 CM0 waiting for ``CONNECT''
08/08 21:38:50 CM0 got: ATA[0d]
08/08 21:38:50 CM0 CND: OKATA[0d][0a]CONNECT ** found **
08/08 21:39:03 CM0 send:
08/08 21:39:03 CM0 waiting for ``_''
08/08 21:39:03 CM0 got: [0d]
08/08 21:39:03 CM0 CND: CONNECT[0a] ** found **
08/08 21:39:03 CM0 waiting for line to clear (VTIME=3), read:
08/08 21:39:03 CM0 looking for utmp entry... (my PID: 14150)
08/08 21:39:03 CM0 utmp + wtmp entry made
08/08 21:39:04 CM0 tio_set_flow_control( HARD )
08/08 21:39:04 CM0 print welcome banner (/etc/issue)
08/08 21:39:04 CM0 getlogname (AUTO_PPP), read:~[ff]}#[c0]!
08/08 21:39:05 CM0 input finished with '\r', setting ICRNL ONLCR
08/08 21:39:05 CM0 tio_get_rs232_lines: status: RTS CTS DSR DTR DCD RI
08/08 21:39:05 CM0 login: use login config file /etc/mgetty+sendfax/login.config
08/08 21:39:05 CM0 match: user='/AutoPPP/', key=''
08/08 21:39:05 CM0 match: user='/AutoPPP/', key=''
08/08 21:39:05 CM0 match: user='/AutoPPP/', key='/AutoPPP/'*** hit!
08/08 21:39:05 CM0 calling login: cmd='/usr/sbin/pppd', argv[]='pppd file /etc/ppp/options.server'
08/08 21:39:05 CM0 setenv: 'CALLER_ID=none'
08/08 21:39:05 CM0 setenv: 'CONNECT='
08/08 21:39:05 CM0 setenv: 'DEVICE=ttyACM0'
08/08 21:39:05 ##### data dev=ttyACM0, pid=14150, caller='none', conn='', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
And in syslog:
<...>
Aug 8 21:39:05 spoolbox mgetty[14150]: data dev=ttyACM0, pid=14150, caller='none', conn='', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Aug 8 21:39:05 spoolbox pppd[14150]: pppd 2.4.2 started by LOGIN, uid 0
Aug 8 21:39:05 spoolbox pppd[14150]: Using interface ppp0
Aug 8 21:39:05 spoolbox pppd[14150]: Connect: ppp0 <--> /dev/ttyACM0
Aug 8 21:39:10 spoolbox pppd[14150]: PAP peer authentication succeeded for sm0ketst
Aug 8 21:39:13 spoolbox pppd[14150]: found interface eth0 for proxy arp
Aug 8 21:39:13 spoolbox pppd[14150]: local IP address 192.168.0.3
Aug 8 21:39:13 spoolbox pppd[14150]: remote IP address 192.168.0.69
When disconnected syslog will show:
<...>
Aug 8 21:40:38 spoolbox pppd[14150]: IPCP terminated by peer
Aug 8 21:40:39 spoolbox pppd[14150]: LCP terminated by peer
Aug 8 21:40:42 spoolbox pppd[14150]: Connection terminated.
Aug 8 21:40:42 spoolbox pppd[14150]: Connect time 1.6 minutes.
Aug 8 21:40:42 spoolbox pppd[14150]: Sent 98 bytes, received 86 bytes.
Aug 8 21:40:42 spoolbox pppd[14150]: Connect time 1.6 minutes.
Aug 8 21:40:42 spoolbox pppd[14150]: Sent 98 bytes, received 86 bytes.
Aug 8 21:40:42 spoolbox pppd[14150]: Exit.
And the mgetty log (/var/log/mgetty.log.ttyACM0)
<...>
--
08/08 21:40:42 CM0 mgetty: experimental test release 1.1.31-Jul24
08/08 21:40:42 CM0 check for lockfiles
08/08 21:40:42 CM0 checklock: no active process has lock, will remove
08/08 21:40:42 CM0 locking the line
08/08 21:40:42 CM0 makelock(ttyACM0) called
08/08 21:40:42 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
08/08 21:40:42 CM0 lock made
08/08 21:40:43 CM0 tio_get_rs232_lines: status: RTS CTS DSR DTR DCD RI
08/08 21:40:43 CM0 WARNING: DCD line still active, check modem settings (AT&Dx)
08/08 21:40:43 CM0 lowering DTR to reset Modem
08/08 21:40:43 CM0 tss: set speed to 460800 (10004)
08/08 21:40:43 CM0 tio_set_flow_control( HARD )
08/08 21:40:43 CM0 waiting for line to clear (VTIME=1), read: [0a][0a]NO CARRIER[0a][0a]
08/08 21:40:43 CM0 send: \dATQ0V1H0[0d]
08/08 21:40:44 CM0 waiting for ``OK''
08/08 21:40:44 CM0 got: ATQ0V1H0[0d]
08/08 21:40:44 CM0 CND: ATQ0V1H0[0d][0a]OK ** found **
08/08 21:40:44 CM0 send: ATS0=0Q0&D3&C1[0d]
08/08 21:40:44 CM0 waiting for ``OK''
08/08 21:40:44 CM0 got: [0d]
08/08 21:40:44 CM0 CND: OK[0a]ATS0=0Q0&D3&C1[0d]
08/08 21:40:44 CM0 CND: ATS0=0Q0&D3&C1[0d][0a]OK ** found **
08/08 21:40:44 CM0 waiting for line to clear (VTIME=3), read: [0d][0a]
08/08 21:40:44 CM0 removing lock file
08/08 21:40:44 CM0 waiting...
Now you can get shell access from your palm, use your favourite www palm
browser and send-receive emails, etc... with some tweaks from your palm,
all of this using your host as your gateway.
I think that's all and I didn't forget anything, feel free to knock on
my door if something fails... but since phone companies are providing
no-cost for certain calls, I found it useful to get a shell on my palm
to launch certain commands on the host at 0-cost, yes, at 56K, but it's
free :)
Jose.
--
-----------------------------------------------------------------
sparkbox.stigmatedbrain.net 2.6.9-34.0.2.ELsmp i686 GNU/Linux
21:40:01 up 7 days, 1:52, 44 users, load average: 3.18, 1.91, 1.62
-----------------------------------------------------------------
The Moral Law causes the people to be in complete
accord with their ruler, so that they will follow him
regardless of their lives, undismayed by any danger.
--The Art of War by Sun Tzu
Chapter I: Laying Plans
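An added example, not part of the original message: a dial-in line like the one set up above is a remote entry point into the LAN, so it helps to turn the pppd syslog lines into one audit record per call (who authenticated, which address they got, for how long). The function names ppp_sessions, ppp_failed_logins and sample_syslog are hypothetical, and the pid 14201 lines in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise pppd dial-in sessions
# from syslog, one output line per pppd process.

# Sample input. The pid 14150 lines are the ones quoted in the post, with the
# mail line-wraps undone. The pid 14201 lines are constructed to show a call
# whose PAP login was rejected.
sample_syslog() {
    cat << 'EOF'
Aug 8 21:39:05 spoolbox pppd[14150]: pppd 2.4.2 started by LOGIN, uid 0
Aug 8 21:39:05 spoolbox pppd[14150]: Using interface ppp0
Aug 8 21:39:05 spoolbox pppd[14150]: Connect: ppp0 <--> /dev/ttyACM0
Aug 8 21:39:10 spoolbox pppd[14150]: PAP peer authentication succeeded for sm0ketst
Aug 8 21:39:13 spoolbox pppd[14150]: found interface eth0 for proxy arp
Aug 8 21:39:13 spoolbox pppd[14150]: local IP address 192.168.0.3
Aug 8 21:39:13 spoolbox pppd[14150]: remote IP address 192.168.0.69
Aug 8 21:40:38 spoolbox pppd[14150]: IPCP terminated by peer
Aug 8 21:40:42 spoolbox pppd[14150]: Connect time 1.6 minutes.
Aug 8 21:40:42 spoolbox pppd[14150]: Exit.
Aug 8 22:05:11 spoolbox pppd[14201]: Connect: ppp0 <--> /dev/ttyACM0
Aug 8 22:05:16 spoolbox pppd[14201]: PAP peer authentication failed for guest
Aug 8 22:05:17 spoolbox pppd[14201]: Connection terminated.
Aug 8 22:05:17 spoolbox pppd[14201]: Exit.
EOF
}

# Read syslog on stdin, group pppd messages by pid, print one record per call.
# Fields that never appeared in the log are reported as "-".
ppp_sessions() {
    awk '
    function val(x) { return (x == "" ? "-" : x) }
    $5 ~ /^pppd\[[0-9]+\]:$/ {
        pid = $5
        gsub(/[^0-9]/, "", pid)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if ($6 == "Connect:")
            tty[pid] = $NF
        else if ($0 ~ /PAP peer authentication succeeded for /) {
            auth[pid] = "ok"; user[pid] = $NF
        } else if ($0 ~ /PAP peer authentication failed for /) {
            auth[pid] = "FAILED"; user[pid] = $NF
        } else if ($0 ~ /remote IP address /)
            remote[pid] = $NF
        else if ($6 == "Connect" && $7 == "time")
            mins[pid] = $(NF - 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "pid=%s user=%s auth=%s remote=%s tty=%s minutes=%s\n", \
                p, val(user[p]), val(auth[p]), val(remote[p]), val(tty[p]), val(mins[p])
        }
    }'
}

# Count calls whose PAP login was rejected (prints 0 when there are none).
ppp_failed_logins() {
    ppp_sessions | grep -c 'auth=FAILED' || true
}

# Stand-alone run on the embedded sample; on a real host feed it the syslog file.
sample_syslog | ppp_sessions
```

Run against the real log, repeated auth=FAILED records on the modem line are the thing to watch for, since the number only has to be dialled to reach the PAP prompt.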
Hey all,
I have sort of an odd request for you today in regards to Kickstart
configuration. I have recently created a kickstart configuration file to
better standardize the configuration aspect of my server installations.
I am having one issue and that is distributing a script (yum-check) via
the kickstart file (in %post section). Parts of the script get written
to the correct file (/usr/bin/yum-check & /etc/cron.daily/yum.cron)
however variables in the individual scripts I believe are getting parsed
by Kickstart. The parsing of these variables is preventing them from
being written to the respective file. I am wondering if any of you have
ever distributed a shell script via kickstart before and if so how did
you do it? I would also like to mention that I have attempted to wget
the script to the current directory (after cding into /usr/bin/ for
example) with no luck. I have attached my kickstart configuration file
so you can get a better picture of what I'm trying to do.
Thanks a lot,
Dan
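An added example, not part of the original message or its attachment: in a here-document whose delimiter is unquoted (cat << EOF10), the shell that runs the surrounding script expands every $-expression before the text reaches the file, while a quoted delimiter (<< 'EOF10') writes the text literally. The payload lines are taken from the yum-check script in the attachment; the function names write_unquoted, write_quoted and dollar_lines are hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's code): the same yum-check lines written
# through an unquoted and a quoted here-document delimiter.

# Unquoted delimiter: ${MAILTO:=root}, $$, $yumb, $yumdat and $? are expanded
# by the shell executing this function, so the file receives their current
# values (mostly empty strings). The subshell body and the unset mimic a fresh
# install-time environment in which none of the script's variables exist.
write_unquoted() (
    unset MAILTO yumdat yumb
    cat << EOF10 > "$1"
maila=${MAILTO:=root}
yumdat="/tmp/yum-check-update.$$"
yumb="/usr/bin/yum"
$yumb check-update >& $yumdat
yumstatus="$?"
EOF10
)

# Quoted delimiter: no parameter, command or arithmetic expansion happens, and
# backslashes are kept, so the script arrives in the file byte for byte.
write_quoted() (
    cat << 'EOF10' > "$1"
maila=${MAILTO:=root}
yumdat="/tmp/yum-check-update.$$"
yumb="/usr/bin/yum"
$yumb check-update >& $yumdat
yumstatus="$?"
EOF10
)

# Number of lines in file $1 that still contain a literal dollar sign.
dollar_lines() {
    grep -cF '$' "$1" || true
}

# Stand-alone demonstration: write both variants and show what survived.
demo_dir=$(mktemp -d)
write_unquoted "$demo_dir/unquoted"
write_quoted "$demo_dir/quoted"
echo "--- unquoted delimiter ---"; cat "$demo_dir/unquoted"
echo "--- quoted delimiter ---";   cat "$demo_dir/quoted"
echo "lines still containing a dollar sign:" \
     "unquoted=$(dollar_lines "$demo_dir/unquoted")" \
     "quoted=$(dollar_lines "$demo_dir/quoted")"
rm -rf "$demo_dir"
```

The same check (count the lines that should contain a dollar sign) can be run against /usr/bin/yum-check on an installed host to confirm the script was written intact.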
# Kickstart file automatically generated by anaconda.
install
url --url=ftp://kickstart.example.com/install/CentOS/x86_64/5.3/
lang en_US.UTF-8
# Use text mode install
text
keyboard us
network --device eth0 --bootproto static --ip 192.168.101.161 --netmask 255.255.255.0 --gateway 192.168.101.1 --nameserver 192.168.101.14 --hostname guineapig.example.com
reboot
rootpw --iscrypted afdafsf0saf87
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Chicago
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part / --fstype ext3 --size 7683
part swap --fstype swap --size 509
%packages --nobase --ignoremissing
@editors
@core
bind-utils.x86_64
bind-libs.x86_64
telnet.x86_64
mailx.x86_64
vixie-cron.x86_64
audit.x86_64
man.x86_64
wget.x86_64
sendmail.x86_64
sudo.x86_64
openldap-clients.x86_64
nss_ldap.x86_64
ntp.x86_64
%post
### System Configuration Files Section ###
yum update -y
# Update default hashing algorithm for userPasswords
authconfig --passalgo=sha512 --update
# /etc/nsswitch.conf
cat << EOF1 > /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=people,dc=example,dc=com?one
EOF1
# /etc/resolv.conf
cat << EOF2 > /etc/resolv.conf
# Created by Dan Burkland 8/17/2009
domain example.com
search example.com
nameserver 192.168.101.14
EOF2
# /etc/ssh/sshd_config
cat << EOF3 > /etc/ssh/sshd_config
#$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
ListenAddress 192.168.101.161
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
Banner /etc/issue
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF3
# /etc/pam.d/system-auth
cat << EOF4 > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_ldap.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_ldap.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF4
# /etc/hosts
cat << EOF5 > /etc/hosts
127.0.0.1 localhost localhost.localdomain guineapig.example.com guineapig
EOF5
# /etc/issue
cat << EOF6 > /etc/issue
WARNING
This System is for the use of authorized users only. Individuals
using this computer without authority, or in excess of their
authority, are subject to having all of their activities on this
system monitored and recorded by system personnel. In the course
of monitoring individuals improperly using this system, or in the
course of system maintenance, the activities of authorized users
may also be monitored. Anyone using this system expressly
consents to such monitoring and is advised that if such
monitoring reveals possible criminal activity, system personnel
may provide the evidence of such monitoring to law enforcement
officials.
EOF6
# /etc/crontab modifications for NTP & Auditd log rotation
cat << EOF7 >> /etc/crontab
00 23 * * * root ntpdate north-america.pool.ntp.org
00 0 * * * root /etc/init.d/auditd rotate
EOF7
# /etc/ldap.conf
cat << EOF8 > /etc/ldap.conf
# /etc/ldap.conf - Created by: Dan Burkland 8/17/2009
uri ldaps://ldap.example.com
base dc=example,dc=com
timelimit 30
TLS_CACERT /etc/pki/tls/certs/cacert.pem
ssl on
nss_initgroups_ignoreusers root,haldaemon,dbus,ldap
EOF8
# /etc/pki/tls/certs/cacert.pem
cat << EOF9 > /etc/pki/tls/certs/cacert.pem
Certificate contents go here
EOF9
rm -f /etc/openldap/ldap.conf
ln -s /etc/ldap.conf /etc/openldap/ldap.conf
# Create /usr/bin/yum-check and make it executable
cat << EOF10 > /usr/bin/yum-check
#!/bin/sh
#
# Name: yum-check
# Author: Michael Heiming - 2005-03-11
# Function: Run from cron to check for yum updates
# and mail results
# Version: 0.7 (initial)
# 2005-03-12 0.8 randomize startup (cron only)
# Config: /etc/sysconfig/yum
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
maila=${MAILTO:=root}
yumdat="/tmp/yum-check-update.$$"
yumb="/usr/bin/yum"
# wait a random interval if there is not a controlling terminal,
# for load management
if ! [ -t ]
then
num=$RANDOM
let "num %= ${RANGE:=1}"
sleep $num
fi
rm -f ${yumdat%%[0-9]*}*
$yumb check-update >& $yumdat
yumstatus="$?"
case $yumstatus in
100)
cat $yumdat |\
mail -s "Alert ${HOSTNAME} updates available!" $maila
exit 0
;;
0)
# Only send mail if debug is turned on
if [ ${CHECKWRK} = "yes" ];then
cat $yumdat |\
mail -s "Yum check succeeded ${HOSTNAME} zero patches available." $maila
fi
exit 0
;;
*)
# Unexpected yum return status
(echo "Undefined, yum return status: ${yumstatus}" && \
[ -e "${yumdat}" ] && cat "${yumdat}" )|\
mail -s "Alert ${HOSTNAME} problems running yum." $maila
esac
[ -e "${yumdat}" ] && rm ${yumdat}
EOF10
chmod +x /usr/bin/yum-check
# Create yum-check cronjob and make script executable
cat << EOF11 > /etc/cron.daily/yum.cron
#!/bin/sh
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
if [ -f /var/lock/subsys/yum ]; then
if [ ${CHECKONLY} = "yes" ];then
/usr/bin/yum-check
fi
else
/usr/bin/yum -R 10 -e 0 -d 0 -y update yum
/usr/bin/yum -R 120 -e 0 -d 0 -y update
fi
EOF11
chmod +x /etc/cron.daily/yum.cron
# Create yum-check configuration file
cat << EOF12 > /etc/sysconfig/yum-check
# yes sets yum to check for updates and mail only if patches are available
# no does enable autoupdate if /var/lock/subsys/yum is available
CHECKONLY="yes"
# defaults to root, leave empty if .forward/alias in place for root
MAILTO="dan(a)example.com"
# Set to yes for debugging only! You'll get a mail for each run!
CHECKWRK="no"
# Seconds to randomize startup, if running from cron to balance load
RANGE="3600"
EOF12
# Change logrotate to rotate daily instead of weekly
cat << EOF13 > /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files daily
daily
# keep 4 days worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
EOF13
# IPtables rule configuration
cat << EOF14 > /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF14
# Disable USB mass storage module
cat << EOF15 > /etc/modprobe.d/blacklist-usbstorage
blacklist usb-storage
EOF15
# Restrict access to the "/root" folder
chmod 700 /root
# Set default umask to 077
sed -i 's/022/077/' /etc/bashrc
sed -i 's/022/077/' /etc/csh.cshrc
# Log out idle users after 15 minutes
cat << EOF16 > /etc/profile.d/autologout
readonly TMOUT=900
readonly HISTFILE
EOF16
# Make the autologout profile script executable
chmod +x /etc/profile.d/autologout
# Enable security-related sysctls
cat << EOF17 > /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maximum size of a message queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
EOF17
# /etc/sudoers
cat << EOF18 > /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
example ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
EOF18
# /etc/nscd.conf
cat << EOF19 > /etc/nscd.conf
server-user nscd
debug-level 0
reload-count unlimited
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 3600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
enable-cache hosts no
EOF19
# Permanently prevent IPv6 module from being loaded
cat << EOF20 > /etc/modprobe.d/disableipv6
install ipv6 /bin/true
EOF20
# Disable another IPv6 related setting
cat << EOF21 >> /etc/sysconfig/network
NETWORKING_IPV6=no
EOF21
# Set secure permissions on /etc/sudoers file
chmod 440 /etc/sudoers
# Set secure permissions on /bin/su
chmod 700 /bin/su
# Enable/Disable necessary services
chkconfig sendmail on
chkconfig auditd on
chkconfig nscd on
chkconfig ip6tables off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig rdisc off
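Added example, not part of the original post: a shell check that compares the running kernel with a sysctl.conf-style baseline such as the one the script writes, and flags keys listed more than once (the list above sets net.ipv4.icmp_echo_ignore_broadcasts twice). The function names, the optional PROC_ROOT argument and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the running kernel
# against a sysctl.conf-style baseline and flag keys set more than once.

# audit_sysctl BASELINE [PROC_ROOT]
#   BASELINE   file of "key = value" lines, as in /etc/sysctl.conf
#   PROC_ROOT  tree holding live values (default /proc/sys); an assumption of
#              this example so the check can run against a constructed tree
# Prints one finding per line; exit status is 0 only when nothing was found.
audit_sysctl() (
    baseline=$1
    proc_root=${2:-/proc/sys}
    findings=0
    seen=' '

    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, then skip blanks and comments.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;
            *=*) ;;
            *) echo "MALFORMED $line"; findings=$((findings + 1)); continue ;;
        esac

        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')

        # A key listed twice is applied twice and the last value wins, so a
        # later edit to the first copy would silently have no effect.
        case $seen in
            *" $key "*) echo "DUPLICATE $key"; findings=$((findings + 1)) ;;
        esac
        seen="$seen$key "

        # net.ipv4.tcp_syncookies -> PROC_ROOT/net/ipv4/tcp_syncookies
        path=$proc_root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no $path)"
            findings=$((findings + 1))
            continue
        fi

        # Multi-value entries are tab separated; normalise before comparing.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key want=$want have=$have"
            findings=$((findings + 1))
        fi
    done < "$baseline"

    [ "$findings" -eq 0 ]
)

# make_sample DIR: write a constructed baseline and a constructed stand-in
# for /proc/sys under DIR (sample data, not taken from a real host).
make_sample() {
    mkdir -p "$1/proc/net/ipv4/conf/all"
    cat > "$1/baseline.conf" <<'EOF'
# constructed baseline using keys from the post
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
EOF
    echo 1 > "$1/proc/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$1/proc/net/ipv4/conf/all/accept_redirects"
    echo 0 > "$1/proc/net/ipv4/conf/all/log_martians"   # drifted from baseline
    echo 1 > "$1/proc/net/ipv4/tcp_syncookies"
    # tcp_timestamps is deliberately absent from the constructed tree
}

# Usage: audit.sh /etc/sysctl.conf      (or: audit.sh --demo)
case ${1:-} in
    '') ;;
    --demo)
        d=$(mktemp -d)
        make_sample "$d"
        audit_sysctl "$d/baseline.conf" "$d/proc"
        rc=$?
        rm -rf "$d"
        exit "$rc"
        ;;
    *) audit_sysctl "$@" ;;
esac
```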
I know it is a configuration error. But I cannot figure it out. The
server was working fine until a couple of days ago. It is now throwing:
Forbidden
You don't have permission to access / on this server.
Additionally, a 404 Not Found error was encountered while trying to use
an ErrorDocument to handle the request.
Apache/2.0.52 (CentOS) Server at BabyHydra.localdomain Port 80
Nothing has changed that I can see. Can anyone give me a place to look
for the problem? Here's my httpd.conf:
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/etc/httpd" will be interpreted by the
# server as "/etc/httpd/logs/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs-2.0/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/httpd"
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile run/httpd.pid
#
# Timeout: The number of seconds before receives and sends time out.
#
TimeOut 120
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive on
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 500
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
MinSpareServers 1
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen *:80
Listen *:21
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On
### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName new.host.name:80
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot /home/www
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/home/www">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.html.var
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
</IfModule>
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.0/mod/core.html#enablemmap
#
#EnableMMAP off
#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#enablesendfile
#
#EnableSendfile off
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error_log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog logs/access_log common
#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
#
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ /user/www/icons/
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
#
# WebDAV module configuration section.
#
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/lockdb
</IfModule>
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Directives controlling the display of server-generated directory listings.
#
#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing VersionSort NameWidth=*
#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif
#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName README.html
HeaderName HEADER.html
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
#
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback
#
# Specify a default charset for all pages sent out. This is
# always a good idea and opens the door for future internationalisation
# of your web site, should you ever want it. Specifying it as
# a default does little harm; as the standard dictates that a page
# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
# are merely stating the obvious. There are also some security
# reasons in browsers, related to javascript and URL parsing
# which encourage you to always set a default char set.
#
AddDefaultCharset UTF-8
#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See http://www.iana.org/assignments/character-sets for the
# official list of charset names and their respective RFCs.
#
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
# The set below does not map to a specific (iso) standard
# but works on a fairly wide range of browsers. Note that
# capitalization actually matters (it should not, but it
# does for some browsers).
#
# See http://www.iana.org/assignments/character-sets
# for a list of sorts. But browsers support few.
#
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
#
# For files that include their own HTTP headers:
#
#AddHandler send-as-is asis
#
# For server-parsed imagemap files:
#
AddHandler imap-file map
#
# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
# to be distributed in multiple languages.)
#
AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /var/www/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#
Alias /error/ /user/www/error/
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
<Directory "/var/www/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
ServerPath /home/www
User www
Group users
UserDir "/home/www"
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On
#
# To enable a cache of proxied content, uncomment the following lines.
# See http://httpd.apache.org/docs-2.0/mod/mod_cache.html for more details.
#
#<IfModule mod_disk_cache.c>
# CacheEnable disk /
# CacheRoot "/var/cache/mod_proxy"
#</IfModule>
#
#</IfModule>
# End of proxy directives.
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster(a)dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
--
My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and
every tongue that shall rise against thee in judgment thou shalt
condemn. This is the heritage of the servants of the LORD, and their
righteousness is of me, saith the LORD.
-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)
Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/
Sent from BlackBerry Passport
Original Message
From: centos-request(a)centos.org
Sent: Saturday, March 12, 2016 5:30 PM
To: centos(a)centos.org
Reply To: centos(a)centos.org
Subject: CentOS Digest, Vol 134, Issue 12
Send CentOS mailing list submissions to
centos(a)centos.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.centos.org/mailman/listinfo/centos
or, via email, send a message with subject or body 'help' to
centos-request(a)centos.org
You can reach the person managing the list at
centos-owner(a)centos.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS digest..."
Today's Topics:
1. CentOS-announce Digest, Vol 133, Issue 5
(centos-announce-request(a)centos.org)
2. Re: Openshot 2.x (beta) on C7?? (Chris Beattie)
3. Re: Openshot 2.x (beta) on C7?? (Nux!)
4. CentOS 7 and display managers (m.roth(a)5-cent.us)
5. Re: CentOS 7 and display managers (Richard)
6. Re: CentOS 7 and display managers (m.roth(a)5-cent.us)
7. Re: CentOS 7 and display managers (Valeri Galtsev)
8. Re: CentOS 7 and display managers (m.roth(a)5-cent.us)
9. Re: CentOS 7 and display managers (Frank Cox)
10. Re: CentOS 7 and display managers (Scot P. Floess)
11. Centos and automatic update on server (Alessandro Baggi)
12. Re: Centos and automatic update on server (Alice Wonder)
13. Re: Centos and automatic update on server (m.roth(a)5-cent.us)
14. Re: Centos and automatic update on server (m.roth(a)5-cent.us)
15. Re: Centos and automatic update on server (David Nelson)
----------------------------------------------------------------------
Message: 1
Date: Fri, 11 Mar 2016 12:00:02 +0000
From: centos-announce-request(a)centos.org
To: centos-announce(a)centos.org
Subject: [CentOS] CentOS-announce Digest, Vol 133, Issue 5
Message-ID: <mailman.5.1457697602.15401.centos-announce(a)centos.org>
Content-Type: text/plain; charset="us-ascii"
Today's Topics:
1. CESA-2016:0428 Moderate CentOS 6 libssh2 Security Update
(Johnny Hughes)
2. CESA-2016:0428 Moderate CentOS 7 libssh2 Security Update
(Johnny Hughes)
3. CESA-2016:C001 ipa and glusterfs Update (Johnny Hughes)
4. CESA-2016:0430 Important CentOS 7 xerces-c Security Update
(Johnny Hughes)
----------------------------------------------------------------------
Message: 1
Date: Thu, 10 Mar 2016 12:05:04 +0000
From: Johnny Hughes <johnny(a)centos.org>
To: centos-announce(a)centos.org
Subject: [CentOS-announce] CESA-2016:0428 Moderate CentOS 6 libssh2
Security Update
Message-ID: <20160310120504.GA20915(a)n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii
CentOS Errata and Security Advisory 2016:0428 Moderate
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0428.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos(a)irc.freenode.net
Twitter: @JohnnyCentOS
------------------------------
Message: 2
Date: Thu, 10 Mar 2016 12:53:35 +0000
From: Johnny Hughes <johnny(a)centos.org>
To: centos-announce(a)centos.org
Subject: [CentOS-announce] CESA-2016:0428 Moderate CentOS 7 libssh2
Security Update
Message-ID: <20160310125335.GA39205(a)n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii
CentOS Errata and Security Advisory 2016:0428 Moderate
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0428.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos(a)irc.freenode.net
Twitter: @JohnnyCentOS
------------------------------
Message: 3
Date: Thu, 10 Mar 2016 17:33:15 +0000
From: Johnny Hughes <johnny(a)centos.org>
To: centos-announce(a)centos.org
Subject: [CentOS-announce] CESA-2016:C001 ipa and glusterfs Update
Message-ID: <20160310173315.GA44278(a)n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii
CentOS Errata and BugFix Advisory 2016:C001
Upstream details at : https://bugs.centos.org/view.php?id=10538
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
NOTE: This rebuild was done to all the packages to have a DIST tag of .el7.centos.
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net
------------------------------
Message: 4
Date: Thu, 10 Mar 2016 17:35:16 +0000
From: Johnny Hughes <johnny(a)centos.org>
To: centos-announce(a)centos.org
Subject: [CentOS-announce] CESA-2016:0430 Important CentOS 7 xerces-c
Security Update
Message-ID: <20160310173516.GA44370(a)n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii
CentOS Errata and Security Advisory 2016:0430 Important
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0430.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos(a)irc.freenode.net
Twitter: @JohnnyCentOS
------------------------------
_______________________________________________
CentOS-announce mailing list
CentOS-announce(a)centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
End of CentOS-announce Digest, Vol 133, Issue 5
***********************************************
------------------------------
Message: 2
Date: Fri, 11 Mar 2016 15:53:29 +0000
From: Chris Beattie <cbeattie(a)geninfo.com>
To: 'CentOS mailing list' <centos(a)centos.org>
Subject: Re: [CentOS] Openshot 2.x (beta) on C7??
Message-ID:
<C56CB550F3B0CC428EFC662940A0C2E6A70634F8(a)EX10MS2.geninfo.com>
Content-Type: text/plain; charset="us-ascii"
On 3/11/2016 2:02 AM, Sorin Srbu wrote:
>>> Looks like installing openshot 2.x on C7 isn't as trivial
>>
>> It is not trivial at all. The best way to handle this will be to find the
>> required packages in Fedora and rebuild them.
>
> So what's the easy way?
>
> Switch to Ubuntu or something? 8-O
Maybe Fedora, maybe Ubuntu? It's more time-consuming than hard to build a virtual machine these days, and it's not even that time-consuming. Is there a distro that already has what you want all packaged up? Run it in a VM. Take a snapshot first if you want to try something potentially system-breaking or that's going to spew files everywhere. On a single-user machine, the performance should be within a few percent of running on the bare metal. So, if you test drive some beta software and it doesn't perform well on a VM, it's probably not going to be much better running on a same-spec physical machine.
NB: I administer several hundred virtual desktops, so I chugged rather than sipped the virtualization Kool-Aid. :-)
--
-Chris
------------------------------
Message: 3
Date: Fri, 11 Mar 2016 16:07:24 +0000 (GMT)
From: Nux! <nux(a)li.nux.ro>
To: CentOS mailing list <centos(a)centos.org>
Subject: Re: [CentOS] Openshot 2.x (beta) on C7??
Message-ID: <1470053539.78961.1457712444140.JavaMail.zimbra(a)li.nux.ro>
Content-Type: text/plain; charset=utf-8
Ubuntu in a docker?
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Chris Beattie" <cbeattie(a)geninfo.com>
> To: "CentOS mailing list" <centos(a)centos.org>
> Sent: Friday, 11 March, 2016 15:53:29
> Subject: Re: [CentOS] Openshot 2.x (beta) on C7??
> On 3/11/2016 2:02 AM, Sorin Srbu wrote:
>>>> Looks like installing openshot 2.x on C7 isn't as trivial
>>>
>>> It is not trivial at all. The best way to handle this will be to find the
>>> required packages in Fedora and rebuild them.
>>
>> So what's the easy way?
>>
>> Switch to Ubuntu or something? 8-O
>
> Maybe Fedora, maybe Ubuntu? It's more time-consuming than hard to build a
> virtual machine these days, and it's not even that time-consuming. Is there a
> distro that already has what you want all packaged up? Run it in a VM. Take a
> snapshot first if you want to try something potentially system-breaking or
> that's going to spew files everywhere. On a single-user machine, the
> performance should be within a few percent of running on the bare metal. So,
> if you test drive some beta software and it doesn't perform well on a VM, it's
> probably not going to be much better running on a same-spec physical machine.
>
> NB: I administer several hundred virtual desktops, so I chugged rather than
> sipped the virtualization Kool-Aid. :-)
>
> --
> -Chris
> _______________________________________________
> CentOS mailing list
> CentOS(a)centos.org
> https://lists.centos.org/mailman/listinfo/centos
------------------------------
Message: 4
Date: Fri, 11 Mar 2016 11:33:57 -0500
From: m.roth(a)5-cent.us
To: "CentOS" <centos(a)centos.org>
Subject: [CentOS] CentOS 7 and display managers
Message-ID:
<19814dd6ca3be28d95ab776fd52cbb58.squirrel(a)host290.hostmonster.com>
Content-Type: text/plain;charset=utf-8
<rant>
Dear gnome developers - could you *possibly* be more anti-Unix? I mean,
thanks *so* much for trying to turn Linux into Windows or Macs....
</rant>
So, now that I've gotten that out, the KDE display manager, on the login
screen, easily lets you choose window managers. Gnome utterly refuses to
consider such an idea.
I've just yum groupinstall "KDE Plasma Workspaces" on one of my user's new
system... and I cannot figure out, not in googling, and there's nothing
vaguely obvious anywhere, how to change to KDE from gnome.
Anyone got a pointer?
mark, frustrated
------------------------------
Message: 5
Date: Fri, 11 Mar 2016 16:42:34 +0000
From: Richard <lists-centos(a)listmail.innovate.net>
To: CentOS mailing list <centos(a)centos.org>
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID: <D655042E52FAB736EED4FCD8(a)ritz.innovate.net>
Content-Type: text/plain; charset=us-ascii
> Date: Friday, March 11, 2016 11:33:57 -0500
> From: m.roth(a)5-cent.us
>
> So, now that I've gotten that out, the KDE display manager, on the
> login screen, easily lets you choose window managers. Gnome utterly
> refuses to consider such an idea.
>
> I've just yum groupinstall "KDE Plasma Workspaces" on one of my
> user's new system... and I cannot figure out, not in googling, and
> there's nothing vaguely obvious anywhere, how to change to KDE from
> gnome.
>
With gnome there is a "gear wheel" on the password entry page -- on
the right below the password box, next to the "sign in" label. If I
select it I can switch between gnome and mate. Does KDE show there as
an option?
------------------------------
Message: 6
Date: Fri, 11 Mar 2016 11:46:20 -0500
From: m.roth(a)5-cent.us
To: "CentOS mailing list" <centos(a)centos.org>
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID:
<8f02f00958f1b8f56d9235b4bf7a0564.squirrel(a)host290.hostmonster.com>
Content-Type: text/plain;charset=utf-8
Richard wrote:
>
>
>> Date: Friday, March 11, 2016 11:33:57 -0500
>> From: m.roth(a)5-cent.us
>>
>> So, now that I've gotten that out, the KDE display manager, on the
>> login screen, easily lets you choose window managers. Gnome utterly
>> refuses to consider such an idea.
>>
>> I've just yum groupinstall "KDE Plasma Workspaces" on one of my
>> user's new system... and I cannot figure out, not in googling, and
>> there's nothing vaguely obvious anywhere, how to change to KDE from
>> gnome.
>
> With gnome there is a "gear wheel" on the password entry page -- on
> the right below the password box, next to the "sign in" label. If I
> select it I can switch between gnome and mate. Does KDE show there as
> an option?
Fascinating. Not in ours. It displays our issue, and in the upper left,
some icons that let you deal with sound, I think, connection, maybe, and I
forget what else.
mark
------------------------------
Message: 7
Date: Fri, 11 Mar 2016 10:52:12 -0600 (CST)
From: "Valeri Galtsev" <galtsev(a)kicp.uchicago.edu>
To: "CentOS mailing list" <centos(a)centos.org>
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID:
<13369.128.135.52.6.1457715132.squirrel(a)cosmo.uchicago.edu>
Content-Type: text/plain;charset=iso-8859-1
On Fri, March 11, 2016 10:46 am, m.roth(a)5-cent.us wrote:
> Richard wrote:
>>
>>
>>> Date: Friday, March 11, 2016 11:33:57 -0500
>>> From: m.roth(a)5-cent.us
>>>
>>> So, now that I've gotten that out, the KDE display manager, on the
>>> login screen, easily lets you choose window managers. Gnome utterly
>>> refuses to consider such an idea.
>>>
>>> I've just yum groupinstall "KDE Plasma Workspaces" on one of my
>>> user's new system... and I cannot figure out, not in googling, and
>>> there's nothing vaguely obvious anywhere, how to change to KDE from
>>> gnome.
>>
>> With gnome there is a "gear wheel" on the password entry page -- on
>> the right below the password box, next to the "sign in" label. If I
>> select it I can switch between gnome and mate. Does KDE show there as
>> an option?
>
> Fascinating. Not in ours. It displays our issue, and in the upper left,
> some icons that let you deal with sound, I think, connection, maybe, and I
> forget what else.
In my case the gear, which when clicked on gives you drop-down choices of
the Desktop Environments (DE) installed, appears only after I click on a
particular user. In other words, when the user has a password field, he
also has a gear to click on to choose the DE.
I hope this helps.
Valeri
>
> mark
>
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
------------------------------
Message: 8
Date: Fri, 11 Mar 2016 12:05:49 -0500
From: m.roth(a)5-cent.us
To: "CentOS mailing list" <centos(a)centos.org>
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID:
<3ddbfe316694094045c2b88aa5c3f7d9.squirrel(a)host290.hostmonster.com>
Content-Type: text/plain;charset=utf-8
Valeri Galtsev wrote:
> On Fri, March 11, 2016 10:46 am, m.roth(a)5-cent.us wrote:
>> Richard wrote:
>>>> Date: Friday, March 11, 2016 11:33:57 -0500
>>>> From: m.roth(a)5-cent.us
>>>>
>>>> So, now that I've gotten that out, the KDE display manager, on the
>>>> login screen, easily lets you choose window managers. Gnome utterly
>>>> refuses to consider such an idea.
>>>>
>>>> I've just yum groupinstall "KDE Plasma Workspaces" on one of my
>>>> user's new system... and I cannot figure out, not in googling, and
>>>> there's nothing vaguely obvious anywhere, how to change to KDE from
>>>> gnome.
>>>
>>> With gnome there is a "gear wheel" on the password entry page -- on
>>> the right below the password box, next to the "sign in" label. If I
>>> select it I can switch between gnome and mate. Does KDE show there as
>>> an option?
>>
>> Fascinating. Not in ours. It displays our issue, and in the upper left,
>> some icons that let you deal with sound, I think, connection, maybe, and
>> I forget what else.
>
> In my case the gear, which when clicked on gives you drop-down choices of
> the Desktop Environments (DE) installed, appears only after I click on a
> particular user. In other words, when the user has a password field, he
> also has a gear to click on to choose the DE.
>
> I hope this helps.
Ah, that was it, it's not on the screen where you put in your username,
it's on the password screen. On the other hand, the easier solution was to
just create /etc/sysconfig/desktop, which did not exist, and add the two
lines to it.
Thanks, folks.
mark
------------------------------
Message: 9
Date: Fri, 11 Mar 2016 11:16:38 -0600
From: Frank Cox <theatre(a)melvilletheatre.com>
To: centos(a)centos.org
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID:
<20160311111638.bc745cc6c6aa1e38a7d26885(a)melvilletheatre.com>
Content-Type: text/plain; charset=US-ASCII
On Fri, 11 Mar 2016 10:52:12 -0600 (CST)
Valeri Galtsev wrote:
> > Fascinating. Not in ours. It displays our issue, and in the upper left,
> > some icons that let you deal with sound, I think, connection, maybe, and I
> > forget what else.
>
> In my case the gear, which when clicked on gives you drop-down choices of
> the Desktop Environments (DE) installed, appears only after I click on a
> particular user. In other words, when the user has a password field, he
> also has a gear to click on to choose the DE.
With gdm the gear only shows up if you have more than one whatever.session file in /usr/share/xsessions. gnome-classic-session and gnome-session-xsession provide this file for gnome sessions, mate-session-manager provides it for mate, and I don't know what provides it for kde.
lightdm is a lot more configurable than gdm, and it's easy to use that instead:
systemctl disable gdm
systemctl enable lightdm
systemctl isolate graphical.target
Then you can easily configure /etc/lightdm/lightdm-gtk-greeter.conf to do pretty much what you want it to do. I haven't yet figured out how to get rid of the blank photo man beside the password prompt, though.
--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
------------------------------
Message: 10
Date: Fri, 11 Mar 2016 18:07:29 -0500 (EST)
From: "Scot P. Floess" <sfloess(a)nc.rr.com>
To: CentOS mailing list <centos(a)centos.org>
Subject: Re: [CentOS] CentOS 7 and display managers
Message-ID: <alpine.LRH.2.20.1603111805520.2021(a)admin.flossware.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
I think it's in /usr/share/desktop
DISPLAYMANAGER=KDE
or something like that
On Fri, 11 Mar 2016, m.roth(a)5-cent.us wrote:
> <rant>
> Dear gnome developers - could you *possibly* be more anti-Unix? I mean,
> thanks *so* much for trying to turn Linux into Windows or Macs....
> </rant>
>
> So, now that I've gotten that out, the KDE display manager, on the login
> screen, easily lets you choose window managers. Gnome utterly refuses to
> consider such an idea.
>
> I've just yum groupinstall "KDE Plasma Workspaces" on one of my user's new
> system... and I cannot figure out, not in googling, and there's nothing
> vaguely obvious anywhere, how to change to KDE from gnome.
>
> Anyone got a pointer?
>
> mark, frustrated
>
Scot P. Floess RHCT (Certificate Number 605010084735240)
Chief Architect FlossWare http://sourceforge.net/projects/flossware http://flossware.sourceforge.net https://github.com/organizations/FlossWare
------------------------------
Message: 11
Date: Fri, 11 Mar 2016 19:41:54 +0100
From: Alessandro Baggi <alessandro.baggi(a)gmail.com>
To: CentOS mailing list <centos(a)centos.org>
Subject: [CentOS] Centos and automatic update on server
Message-ID:
<CA+1R4jQzwzFomCO-sfWeFTsjXA3XNzq3cTKZYET0UY9q8Hjn7Q(a)mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi list, I know that there are automatic updates with yum-cron but I have
never tried them.
In my experience I never did automatic backup, because if an update was
broken my installation would be broken, and I wait some time before applying
an update.
Today it seems that automatic updates are used more than before.
What do you think about automatic updates? Is it a good practice on a
server? What are your experiences?
Thanks in advance.
Alessandro
------------------------------
Message: 12
Date: Fri, 11 Mar 2016 10:47:26 -0800
From: Alice Wonder <alice(a)domblogger.net>
To: centos(a)centos.org
Subject: Re: [CentOS] Centos and automatic update on server
Message-ID: <56E312BE.40606(a)domblogger.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 03/11/2016 10:41 AM, Alessandro Baggi wrote:
> Hi list, I know that there are automatic updates with yum-cron but I have
> never tried them.
> In my experience I never did automatic backup, because if an update was
> broken my installation would be broken, and I wait some time before applying
> an update.
> Today it seems that automatic updates are used more than before.
> What do you think about automatic updates? Is it a good practice on a
> server? What are your experiences?
>
> Thanks in advance.
>
> Alessandro
For me, yum-cron only downloads the updates and e-mails me to let me
know they are ready. It does not actually apply them.
To apply them, I ssh in and run the command "yum update" and they
install fast w/o me needing to wait for the download.
That lets me test everything that is critical and make sure it works
after the update.
------------------------------
Message: 13
Date: Fri, 11 Mar 2016 13:55:12 -0500
From: m.roth(a)5-cent.us
To: "CentOS mailing list" <centos(a)centos.org>
Subject: Re: [CentOS] Centos and automatic update on server
Message-ID:
<f37b628d428c3e57349bbd146e31c2f9.squirrel(a)host290.hostmonster.com>
Content-Type: text/plain;charset=utf-8
Alessandro Baggi wrote:
> Hi list, I know that there are automatic updates with yum-cron but I have
> never tried them.
> In my experience I never did automatic backup, because if an update was
> broken my installation would be broken, and I wait some time before applying
> an update.
> Today it seems that automatic updates are used more than before.
> What do you think about automatic updates? Is it a good practice on a
> server? What are your experiences?
>
1. Under *NO* *CIRCUMSTANCES* would I *ever* have that running on
a production machine. That's what test boxes are for.
2. If it was my own machine at home, thanks, but I want to wake up,
or come home, to a guaranteed working system. I'll update, so
I can always undo.
------------------------------
Message: 14
Date: Fri, 11 Mar 2016 13:58:32 -0500
From: m.roth(a)5-cent.us
To: "CentOS mailing list" <centos(a)centos.org>
Subject: Re: [CentOS] Centos and automatic update on server
Message-ID:
<4a4e118ea85aafda74981ea49ac92734.squirrel(a)host290.hostmonster.com>
Content-Type: text/plain;charset=utf-8
Sorry, <enter> accidentally got hit before I finished.
m.roth(a)5-cent.us wrote:
> Alessandro Baggi wrote:
>> Hi list, I know that there are automatic update with yum-cron but never
>> tried.
>> In my experiences I never did automatic backup because if update was
>> broken
>> my installation will be broken and I wait some time before apply update.
>> Today seems to be that automatic update are used more than before.
>> What do you think about automatic update? It is a good practice on a
>> server? What is your experiences?
>
> 1. Under *NO* *CIRCUMSTANCES* would I *ever* have that running on
> a production machine. That's what test boxes are for.
> 2. If it was my own machine at home, thanks, but I want to wake up,
> or come home, to a guaranteed working system. I'll update, so
> I can always undo.
3. Systems like backup servers, etc, sure. They're not critical.
4. We don't do it on users' systems unless we're *sure* that
it won't break something.
Finally, on systems where there is a concern that something might break,
like video drivers, we put excludes in /etc/yum.conf, and disable them
under controlled conditions (i.e., one of us is sitting there doing it.)
mark
------------------------------
Message: 15
Date: Fri, 11 Mar 2016 11:22:17 -0800
From: David Nelson <david(a)davidnelson.net>
To: CentOS mailing list <centos(a)centos.org>
Subject: Re: [CentOS] Centos and automatic update on server
Message-ID: <ED7CF038-5FCC-4F1A-A956-1510729C28EC(a)davidnelson.net>
Content-Type: text/plain; charset=us-ascii
Personally I enable yum-cron on relatively simple configs without much that could break, for example a LAMP server. Especially when they are public-facing and thus have greater exposure to security threats.
But I don't as often on things that are internal-only and/or have a more complex setup such as running software I had to compile from source.
> On Mar 11, 2016, at 10:41, Alessandro Baggi <alessandro.baggi(a)gmail.com> wrote:
>
> Hi list, I know that there are automatic update with yum-cron but never
> tried.
> In my experiences I never did automatic backup because if update was broken
> my installation will be broken and I wait some time before apply update.
> Today seems to be that automatic update are used more than before.
> What do you think about automatic update? It is a good practice on a
> server? What is your experiences?
>
> Thanks in advance.
>
> Alessandro
------------------------------
_______________________________________________
CentOS mailing list
CentOS(a)centos.org
https://lists.centos.org/mailman/listinfo/centos
End of CentOS Digest, Vol 134, Issue 12
***************************************
Hello list!!
I am trying to set up very simple authentication for proftpd under CentOS 5.6. But for some reason it isn't working, and I was hoping to get some advice on how to resolve the issue.
Machine info:
[code]
[root@VIRTCENT07:~] #cat /etc/redhat-release
CentOS release 5.6 (Final)
[root@VIRTCENT07:~] #uname -a
Linux VIRTCENT07 2.6.18-238.el5xen #1 SMP Thu Jan 13 17:49:40 EST 2011 i686 i686 i386 GNU/Linux
[/code]
Proftpd version
[code]
ProFTPD Version 1.3.3e
[/code]
When I try to log into FTP, authentication fails even though the password is typed correctly.
[code]
[root@VIRTCENT07:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
[/code]
I've enabled the ExtendedLogs option in the config and this is what I saw as a result
[code]
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:00 -0400] "USER bluethundr" 331 -
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "PASS (hidden)" 530 -
127.0.0.1 UNKNOWN nobody [12/Aug/2011:11:45:04 -0400] "SYST" 215 -
[/code]
The user account is stored in LDAP
[code]
[root@VIRTCENT07:~] #getent passwd | grep bluethundr
bluethundr:*:1001:1002:That Guy:/home/bluethundr:/bin/bash
[/code]
The proftpd user runs the 'nobody' account
[code]
User nobody
Group nobody
[/code]
Which is also stored in LDAP
[code]
[root@VIRTCENT07:~] #getent passwd | grep nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
[/code]
The user that ProFTPd runs as is using a valid shell
[code]
[root@VIRTCENT07:~] #cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
[/code]
And this is what my entire ProFTPd config file is looking like
[code]
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
# Set the user and group that the server runs as
User nobody
Group nobody
# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
# LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
# LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
# LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
# LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
# LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
# LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
# LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
# LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
# LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
# LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
# LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
# LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
# LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
# LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
# LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
# LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
# LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
# LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
# LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
# LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
# LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
# LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
# LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
# LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfDefine>
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous>
</IfDefine>
[/code]
I have also tried raising the debug level to 10
[code]
DebugLevel 10
SystemLog /var/log/proftpd/proftpd.log
[/code]
And this was the info I saw in the log file:
[code]
Aug 12 15:13:48 VIRTCENT07 proftpd[9959] 192.168.1.29: ProFTPD 1.3.3e (maint) (built Thu Apr 7 2011 14:41:56 UTC) standalone mode STARTUP
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): AuthOrder in effect, resetting auth module order
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - local : 127.0.0.1:21
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): connected - remote : 127.0.0.1:40875
Aug 12 15:13:53 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): FTP session opened.
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_tls
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_core
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_delay
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'USER bluethundr' to mod_auth
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'USER bluethundr' to mod_auth
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD command 'USER bluethundr' to mod_delay
Aug 12 15:13:55 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'USER bluethundr' to mod_log
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_vroot
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot registered
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'PASS (hidden)' to mod_auth
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved UID 1001 for user 'bluethundr'
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group IDs: 1002, 500
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): retrieved group name: bluethundr
Aug 12 15:13:57 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): ROOT PRIVS at mod_auth_pam.c:312
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): RELINQUISH PRIVS at mod_auth_pam.c:482
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): USER bluethundr (Login failed): Incorrect password.
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_vroot
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): mod_vroot/0.8.5: vroot unregistered
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_tls
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching PRE_CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching CMD command 'SYST' to mod_core
Aug 12 15:13:58 VIRTCENT07 proftpd[9964] 192.168.1.29 (127.0.0.1[127.0.0.1]): dispatching LOG_CMD command 'SYST' to mod_log
[/code]
I was able to generate some additional debugging information. Not sure how much this helps, but here ya go.
[code]
- using TCP receive buffer size of 87380 bytes
- using TCP send buffer size of 16384 bytes
- testing Unix domain socket using S_ISFIFO
- testing Unix domain socket using S_ISSOCK
- using S_ISSOCK macro for Unix domain socket detection
- mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- retrieved UID 99 for user 'nobody'
- retrieved GID 99 for group 'nobody'
- using TCP receive buffer size of 87380 bytes
- using TCP send buffer size of 16384 bytes
- testing Unix domain socket using S_ISFIFO
- testing Unix domain socket using S_ISSOCK
- using S_ISSOCK macro for Unix domain socket detection
- mod_tls/2.4.2: using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- retrieved UID 99 for user 'nobody'
- retrieved GID 99 for group 'nobody'
- <IfDefine>: skipping 'TLS' section at line 178
- <IfDefine>: skipping 'DYNAMIC_BAN_LISTS' section at line 195
- <IfDefine>: skipping 'ANONYMOUS_FTP' section at line 228
- UseReverseDNS off, returning IP address instead of DNS name
192.168.1.29 -
192.168.1.29 - Config for ProFTPD server:
192.168.1.29 - ServerIdent
192.168.1.29 - DefaultServer
192.168.1.29 - VRootEngine
192.168.1.29 - DefaultRoot
192.168.1.29 - VRootAlias
192.168.1.29 - AuthPAMConfig
192.168.1.29 - AuthOrder
192.168.1.29 - UserID
192.168.1.29 - UserName
192.168.1.29 - GroupID
192.168.1.29 - GroupName
192.168.1.29 - UseSendfile
192.168.1.29 - DebugLevel
192.168.1.29 - ExtendedLog
192.168.1.29 - Limit
192.168.1.29 - AllowAll
192.168.1.29 - Umask
192.168.1.29 - AllowOverwrite
192.168.1.29 - ROOT PRIVS at mod_delay.c:354
192.168.1.29 - RELINQUISH PRIVS at mod_delay.c:359
192.168.1.29 - ROOT PRIVS at mod_ctrls.c:1139
192.168.1.29 - RELINQUISH PRIVS at mod_ctrls.c:1141
192.168.1.29 - mod_lang/0.9: binding to text domain 'proftpd' using locale path '/usr/share/locale'
192.168.1.29 - mod_lang/0.9: using locale files in '/usr/share/locale'
192.168.1.29 - mod_lang/0.9: added the following supported languages: zh_CN, bg_BG, ja_JP, en_US, ru_RU, zh_TW, ko_KR, fr_FR, it_IT
192.168.1.29 - retrieved group ID: 99
192.168.1.29 - setting group ID: 99
192.168.1.29 - SETUP PRIVS at main.c:3131
192.168.1.29 - ROOT PRIVS at main.c:2153
192.168.1.29 - RELINQUISH PRIVS at main.c:2160
192.168.1.29 - ROOT PRIVS at main.c:2488
192.168.1.29 - deleting existing scoreboard '/var/run/proftpd/proftpd.scoreboard'
[/code]
I was hoping someone out there might be able to recognize what the problem may be and have some suggestions that might help resolve the issue.
thanks in advance!!
tim
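A check a responder could run against a setup like the one posted, as an added example that is not part of the original post: it reads AuthOrder and AuthPAMConfig from the config, flattens the auth stack of the named PAM service, and reports when an authoritative mod_auth_pam.c (the trailing *) sits in front of a stack with no LDAP module. The PAM file contents and the DIRECTORY_MODULES set are constructed assumptions; the post does not show /etc/pam.d/proftpd.

```python
import re

# Directives copied from the proftpd.conf in the post above.
CONF = """\
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
"""

# Constructed PAM files (not from the post): the first stack has no LDAP
# module, the second adds pam_ldap.so, so both outcomes can be seen.
PAM_LOCAL_ONLY = {
    "proftpd": "#%PAM-1.0\nauth required pam_shells.so\nauth include system-auth\n",
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so nullok try_first_pass\n"
                   "auth required pam_deny.so\n",
}
PAM_WITH_LDAP = dict(PAM_LOCAL_ONLY)
PAM_WITH_LDAP["system-auth"] = (
    "auth required pam_env.so\n"
    "auth sufficient pam_unix.so nullok try_first_pass\n"
    "auth sufficient pam_ldap.so use_first_pass\n"
    "auth required pam_deny.so\n")

# Assumption: the PAM modules treated as able to verify an LDAP account.
DIRECTORY_MODULES = {"pam_ldap.so", "pam_sss.so"}
PAM_AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def auth_chain(conf):
    """Return (pam_service, [(module, authoritative), ...]) from config text."""
    service, order = None, []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0].lower() == "authpamconfig":
            service = parts[1]
        elif parts[0].lower() == "authorder":
            # A trailing '*' marks the module as authoritative.
            order = [(m.rstrip("*"), m.endswith("*")) for m in parts[1:]]
    return service, order


def pam_auth_modules(service, files, seen=None):
    """Flatten a service's 'auth' stack, following include/substack lines."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    modules = []
    for line in files[service].splitlines():
        m = PAM_AUTH_LINE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        control, target = m.groups()
        if control in ("include", "substack"):
            modules += pam_auth_modules(target, files, seen)
        else:
            modules.append(target.rsplit("/", 1)[-1])
    return modules


def diagnose(conf, pam_files):
    """List findings for a PAM-first AuthOrder whose stack lacks an LDAP module."""
    service, order = auth_chain(conf)
    findings = []
    for module, authoritative in order:
        stack = pam_auth_modules(service, pam_files)
        if module != "mod_auth_pam.c" or DIRECTORY_MODULES & set(stack):
            continue
        findings.append("PAM service %r auth stack has no LDAP module: %s"
                        % (service, ", ".join(stack) or "(empty)"))
        if authoritative:
            findings.append("mod_auth_pam.c is authoritative (*): a PAM failure "
                            "ends the login, later AuthOrder modules are not tried")
    return findings
```

On a real host, build the dictionary from the files under /etc/pam.d instead of the constructed samples. An empty result only means the stack reaches an LDAP module, not that the login will succeed.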