Configure phpldapadmin for OpenLDAP Server (CentOS 7)

A. Server Configuration
    192.168.100.195  ldapserver.geekonline.in
    192.168.100.196  client1.geekonline.in
    For detailed LDAP configuration please visit this post.

B. Install phpldapadmin on same server

1. Install the EPEL repository on the server
    # rpm -ivh https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

2. Install the phpldapadmin package
    # yum install phpldapadmin

3. Take a backup of the phpldapadmin config file and make the necessary changes
    # cd /etc/phpldapadmin
    # cp config.php config.php.orig
    # vi config.php
    Go to line 397, comment it out, and uncomment line 398, so that the two lines read:
     $servers->setValue('login','attr','dn');
     // $servers->setValue('login','attr','uid');

4. Enable and start the httpd service and add a firewall rule for it
    # systemctl enable httpd
    # systemctl start httpd
    # firewall-cmd --permanent --add-port=80/tcp
    # firewall-cmd --reload

5. Try to access the phpldapadmin page
    http://192.168.100.195
    Accessing the page gives the error shown below

6. To resolve this, edit the Apache configuration file for phpldapadmin
    # cd /etc/httpd/conf.d/
    # vi phpldapadmin.conf
    Change the entry "Require local" to "Require all granted"
    Save the config file and reload the Apache service
    # systemctl reload httpd

7. Now open the page http://192.168.100.195/phpldapadmin

8. Log in to the server

9. Now edit the phpldapadmin config file and change the name from "Local LDAP server" to "Geekonline.in LDAP server" on line 291
    # cd /etc/phpldapadmin
    # vi config.php

10. Refresh the page; restarting or reloading the httpd service is not needed

C. Install phpldapadmin on a different server
1. All installation and configuration steps are the same when phpldapadmin is installed on a different server.
    Only the additional change below in the phpldapadmin config is required, on line 298:
    Change the IP address from 127.0.0.1 to the OpenLDAP server IP address

2. Access the phpldapadmin web page on the server
    http://192.168.100.196/phpldapadmin

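Step 6 above replaces the package's loopback-only "Require local" with "Require all granted", which admits every client that can reach port 80. The shell functions below are an added example (not from the post): the first reports who may reach the phpldapadmin UI from the Require directive in its htdocs block, the second narrows it to one admin subnet; the config sample is constructed, and the /usr/share/phpldapadmin/htdocs path is assumed from the EPEL package layout.

```shell
#!/bin/sh
# Added example, not from the original post. "Require local" (the package
# default) admits loopback clients only, which is why step 5 failed;
# "Require all granted" (step 6) admits every client that can reach port 80.
# The directory path is assumed from the EPEL package layout.

# Print who may reach the phpldapadmin UI, from the first Require directive
# inside the htdocs <Directory> block of the given Apache config file.
phpldapadmin_exposure() {
    awk '
        /^[ \t]*<Directory[ \t]+"?\/usr\/share\/phpldapadmin\/htdocs/ { inblk = 1 }
        inblk && /^[ \t]*<\/Directory>/ { inblk = 0 }
        inblk && $1 == "Require" {
            if ($2 == "local")                        print "loopback-only"
            else if ($2 == "all" && $3 == "granted") print "everyone"
            else if ($2 == "all" && $3 == "denied")  print "nobody"
            else if ($2 == "ip") { $1 = ""; $2 = ""; sub(/^ +/, ""); print "subnet " $0 }
            else                                      print "other: " $0
            exit
        }' "$1"
}

# Narrow "Require all granted" in that block to one admin subnet (CIDR given
# by the caller); edits in place and keeps a .bak copy. Reload httpd afterwards.
restrict_phpldapadmin() {
    conf=$1; cidr=$2
    sed -i.bak "/<Directory .*phpldapadmin\/htdocs/,/<\/Directory>/ s|^\([[:space:]]*\)Require all granted|\1Require ip $cidr|" "$conf"
}

# Constructed sample: the package file as it looks after the step 6 edit.
write_sample_conf() {
    cat > "$1" <<'EOF'
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
</Directory>
EOF
}
```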
Summary:
1. phpldapadmin can be configured on the same server or on another server.
2. Managing users and groups on the OpenLDAP server becomes easy.

OpenLDAP Server Configuration (CentOS 7)

OpenLDAP is a directory server and is configured using LDAP Data Interchange Format (.ldif) files.
Manually editing the config files under slapd.d results in a checksum error.
Trailing spaces are treated as junk characters and cause errors while importing .ldif files.

A. Server Configuration

1. Edit the /etc/hosts file for name resolution on both the server and the client systems
    192.168.100.195  ldapserver.geekonline.in
    192.168.100.196  client1.geekonline.in


2. Install the necessary packages
     # yum -y install strace net-tools
     # yum install openldap* migrationtools
     # systemctl enable slapd
     # systemctl start slapd

3. Change the log settings
     # echo "####Custom Logs for LDAP###" >> /etc/rsyslog.conf
     # echo "local4.* /var/log/slapd/ldap.log" >> /etc/rsyslog.conf
     # tail -n2 /etc/rsyslog.conf
     # systemctl restart rsyslog   (or: # systemctl reload rsyslog)
     The directory and log file are created automatically, and the LDAP logs are written to /var/log/slapd/ldap.log

4. Open the ports in the firewall
     # firewall-cmd --permanent --add-port=389/tcp
     # firewall-cmd --permanent --add-port=636/tcp
     # firewall-cmd --permanent --add-port=9830/tcp
     # firewall-cmd --reload


5. List the config files
     # cd /etc/openldap/slapd.d/cn\=config
     # ls

6. Show the hdb database config (before any changes)
     # cat olcDatabase\=\{2\}hdb.ldif

7. Create an admin password hash using the SSHA algorithm and copy the output for use in the following configuration.
     # slappasswd

8. Create an LDIF file to modify olcDatabase={2}hdb
      # mkdir -p /opt/ldap
      # vi /opt/ldap/db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=geekonline,dc=in

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE

     

9. Make sure no extra spaces are present in the file, then import it
     # cd /opt/ldap/
     # ls
     # ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
     # slaptest -u

10. Note the change in the file (after the modification)
     # cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

11. Now check the monitor database file
     # cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif


12. Create the monitor.ldif file
     # vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=geekonline,dc=in" read by * none

    


13. Make sure no extra spaces are present in the file, then import it
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
    # slaptest -u

14. Now check the file olcDatabase={1}monitor for the changes
    # cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

15. Create self-signed SSL certificates valid for 10 years
    # openssl req -nodes -new -x509 -keyout /etc/openldap/certs/ldapkey.pem -out /etc/openldap/certs/ldapcert.pem -days 3650

16. Create the certs.ldif file
      # vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
 
    

17. Make sure no extra spaces are present in the file, then import it
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
    # slaptest -u
   
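Steps 9, 13 and 17 all depend on the LDIF files being free of stray whitespace before ldapmodify reads them. The linter below is an added example, not part of the post: it reports trailing whitespace, CRLF line endings and records that do not begin with dn:, and the two sample files it writes are constructed from the post's db.ldif.

```shell
#!/bin/sh
# Added example, not from the original post. Lint an LDIF file before it
# reaches ldapmodify/ldapadd: trailing whitespace and CR characters (a
# Notepad round trip) are the "junk characters" the post warns about, every
# record must begin with "dn:", and all other lines must be an attribute,
# a " " continuation, a "-" modify separator, a comment or a blank separator.
# Usage: lint_ldif db.ldif && ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
CR=$(printf '\r')

lint_ldif() {
    file=$1
    rc=0
    n=0
    want_dn=1
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$CR"*)
                printf '%s:%d: carriage return (CRLF line ending)\n' "$file" "$n"
                rc=1; continue ;;
            *[[:space:]])
                printf '%s:%d: trailing whitespace\n' "$file" "$n"
                rc=1; continue ;;
        esac
        case $line in
            "")   want_dn=1 ;;                   # blank line: end of record
            "#"*) ;;                             # comment
            " "*) ;;                             # folded continuation line (RFC 2849)
            "-")  ;;                             # separator between modify operations
            [A-Za-z]*:*)                         # attribute: value  (or attribute:: base64)
                if [ "$want_dn" = 1 ]; then
                    case $line in
                        [dD][nN]:*) ;;
                        *) printf '%s:%d: record does not start with dn:\n' "$file" "$n"; rc=1 ;;
                    esac
                    want_dn=0
                fi ;;
            *)  printf '%s:%d: not an LDIF line: %s\n' "$file" "$n" "$line"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed samples: the post's db.ldif (first two records) and a copy
# carrying three paste defects: a trailing space, a CRLF line, and a record
# whose dn: line was lost.
write_samples() {
    dir=$1
    printf '%s\n' 'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcSuffix' 'olcSuffix: dc=geekonline,dc=in' '' \
        'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcRootDN' 'olcRootDN: cn=admin,dc=geekonline,dc=in' > "$dir/good.ldif"
    printf '%s\n' 'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcSuffix' 'olcSuffix: dc=geekonline,dc=in ' '' \
        "changetype: modify$CR" 'replace: olcRootDN' > "$dir/bad.ldif"
}
```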

18. Verify the changes
    # cd /etc/openldap/slapd.d
    # cat cn\=config.ldif
   

19. Copy the DB_CONFIG file and add the external schemas (used for storing data)
    # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    # chown ldap:ldap /var/lib/ldap/DB_CONFIG
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
  
    

20. Create the base.ldif file
     # vi base.ldif

dn: dc=geekonline,dc=in
dc: geekonline
objectClass: top
objectClass: domain

dn: cn=admin,dc=geekonline,dc=in
objectClass: organizationalRole
cn: admin
description: LDAP Manager

dn: ou=People,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=geekonline,dc=in
objectClass: organizationalUnit
ou: Group

   

21. Add the base LDIF to the LDAP configuration
   # ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f base.ldif
   # slaptest -u
   


22. Check the LDAP object classes
    # ldapsearch -x -b "dc=geekonline,dc=in" "(objectClass=*)"
   

23. Check the admin password by binding as the rootdn (-W prompts for the password instead of putting it on the command line)
   # ldapsearch -x -H ldap://127.0.0.1 -D "cn=admin,dc=geekonline,dc=in" -W -b "dc=geekonline,dc=in"
   
 
24. Create OS users
   # useradd osuser1
   # useradd osuser2
   # echo "pass1" | passwd --stdin osuser1
   # echo "pass2" | passwd --stdin osuser2

   # mkdir /opt/ldap/migrated_users
   # grep "osuser" /etc/passwd >> /opt/ldap/migrated_users/users
   # grep "osuser" /etc/group >> /opt/ldap/migrated_users/groups
   Verify the files

   # cat /opt/ldap/migrated_users/users
   # cat /opt/ldap/migrated_users/groups

  

25. Using the migration tool
     # cd /usr/share/migrationtools/
     # cp migrate_common.ph migrate_common.ph.orig
     # vi migrate_common.ph
     Search for and change the entries below:

     $DEFAULT_MAIL_DOMAIN = "geekonline.in";
     $DEFAULT_BASE = "dc=geekonline,dc=in";
     $EXTENDED_SCHEMA = 1;



26. Migrate the OS users and groups using the migration tool
   # /usr/share/migrationtools/migrate_passwd.pl /opt/ldap/migrated_users/users /opt/ldap/migrated_users/users.ldif
   # /usr/share/migrationtools/migrate_group.pl /opt/ldap/migrated_users/groups /opt/ldap/migrated_users/groups.ldif
   # ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/users.ldif
   # ldapadd -x -W -D "cn=admin,dc=geekonline,dc=in" -f /opt/ldap/migrated_users/groups.ldif

   

27. Search for the added users in LDAP
   # ldapsearch -x cn=osuser1 -b dc=geekonline,dc=in
   # ldapsearch -x cn=osuser2 -b dc=geekonline,dc=in
  

28. Create passwords for the LDAP users we are going to create, using openssl
    # openssl passwd -crypt pass1
    uSMQbmjkzJzBw
    # openssl passwd -crypt pass2
    195EbQnuDDzcA
    Note down the output
   

29. Create the LDIF file for user ldapuser1
   # vi ldapuser1.ldif

dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in
cn: ldapuser1
gidnumber: 100
givenname: ldapuser1
homedirectory: /home/users/ldapuser1
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser1
uidnumber: 5001
userpassword: {CRYPT}uSMQbmjkzJzBw
   
   

30. Create the LDIF file for user ldapuser2
   # vi ldapuser2.ldif
 
dn: cn=ldapuser2,ou=People,dc=geekonline,dc=in
cn: ldapuser2
gidnumber: 100
givenname: ldapuser2
homedirectory: /home/users/ldapuser2
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: ldapuser2
uidnumber: 5002
userpassword: {CRYPT}195EbQnuDDzcA

   

31. Import both users into LDAP using the LDIF files
     # ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser1.ldif
     # ldapadd -x -D "cn=admin,dc=geekonline,dc=in" -W -f ldapuser2.ldif
   

32. Verify the users in LDAP
  # ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in
  # ldapsearch -x cn=ldapuser2 -b dc=geekonline,dc=in
   
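The {CRYPT} values from step 28 are traditional DES crypt hashes, and migrate_passwd.pl (step 26) exports whatever hash format /etc/shadow holds. As an added example that is not part of the post, the functions below classify every userPassword in an LDIF file or ldapsearch dump and flag the weak ones; the sample entries are constructed around the post's own ldapuser1 and admin hashes.

```shell
#!/bin/sh
# Added example, not from the original post. migrate_passwd.pl exports the
# {crypt} hashes found in /etc/shadow, and step 28 creates {CRYPT} hashes
# with "openssl passwd -crypt", i.e. traditional DES crypt: 13 characters,
# only the first 8 password characters count. This audit classifies every
# userPassword in an LDIF file or ldapsearch dump so weak or plaintext
# values are caught before (or after) import. slappasswd's {SSHA} is the
# format the post already uses for olcRootPW.

hash_kind() {
    case $1 in
        '{SSHA}'*|'{ssha}'*)          printf 'ssha\n' ;;
        '{SHA}'*|'{sha}'*)            printf 'sha1-unsalted\n' ;;
        '{CRYPT}$6$'*|'{crypt}$6$'*)  printf 'sha512crypt\n' ;;
        '{CRYPT}$5$'*|'{crypt}$5$'*)  printf 'sha256crypt\n' ;;
        '{CRYPT}$1$'*|'{crypt}$1$'*)  printf 'md5crypt\n' ;;
        '{CRYPT}'*|'{crypt}'*)
            rest=$(printf '%s' "$1" | cut -c8-)      # strip the 7-char scheme prefix
            if [ ${#rest} -eq 13 ]; then printf 'descrypt\n'; else printf 'crypt-unknown\n'; fi ;;
        '{'*'}'*)                     printf 'other-scheme\n' ;;
        *)                            printf 'plaintext\n' ;;
    esac
}

# Print "WEAK|ok <kind> <dn>" per entry; exit status 1 if anything is weak.
# ldapsearch prints userPassword base64-encoded ("userPassword:: ..."), so
# that form is decoded first.
audit_passwords() {
    bad=0; dn='?'
    while IFS= read -r line; do
        case $line in
            [dD][nN]": "*) dn=${line#*: }; continue ;;
            [uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]":: "*)
                v=$(printf '%s' "${line#*:: }" | base64 -d) ;;
            [uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]": "*)
                v=${line#*: } ;;
            *) continue ;;
        esac
        kind=$(hash_kind "$v")
        case $kind in
            descrypt|md5crypt|sha1-unsalted|plaintext) flag=WEAK; bad=1 ;;
            *) flag=ok ;;
        esac
        printf '%s %s %s\n' "$flag" "$kind" "$dn"
    done < "$1"
    return $bad
}
# Live use: ldapsearch -x -D "cn=admin,dc=geekonline,dc=in" -W -b dc=geekonline,dc=in userPassword > dump.ldif
#           audit_passwords dump.ldif

# Constructed sample: the post's ldapuser1 entry, a migrated OS user from a
# SHA-512 system (hash made up), the admin with the post's {SSHA} value shown
# as ldapsearch would print it, and a plaintext service account.
write_sample_ldif() {
    ssha='{SSHA}ULNvNmPZNyCNqlU5E/9DftThZzF4aAEE'
    {
        printf 'dn: cn=ldapuser1,ou=People,dc=geekonline,dc=in\nuserpassword: {CRYPT}uSMQbmjkzJzBw\n\n'
        printf 'dn: uid=osuser1,ou=People,dc=geekonline,dc=in\nuserPassword: {crypt}$6$madeup$notarealhash\n\n'
        printf 'dn: cn=admin,dc=geekonline,dc=in\nuserPassword:: %s\n\n' "$(printf '%s' "$ssha" | base64 | tr -d '\n')"
        printf 'dn: cn=svc,ou=People,dc=geekonline,dc=in\nuserPassword: secret123\n'
    } > "$1"
}
```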

B. Client Configuration

1. Install the necessary packages
  # yum install openldap-clients nss-pam-ldapd

2. Edit the /etc/hosts file for name resolution on both the server and the client systems
    192.168.100.195 ldapserver.geekonline.in
    192.168.100.196 client1.geekonline.in

   

3. Enter the command below on the client
    # authconfig --enableldap --enableldapauth --ldapserver=ldapserver.geekonline.in --ldapbasedn="dc=geekonline,dc=in" --enablemkhomedir --update

    This automatically creates the home directory on the client machine at first login

    

   The command above automatically configures the LDAP client, the nsswitch file and PAM
   # grep -v '^#' /etc/nslcd.conf
   # grep -i ldap /etc/nsswitch.conf
   # grep -ir home /etc/pam.d/*
   

  

This completes the LDAP server and client configuration.

C. Deleting an LDAP user
   1. Gather the required information from LDAP using the command below
   # ldapsearch -x cn=ldapuser1 -b dc=geekonline,dc=in

   2. Delete the user using the command below (-W prompts for the admin password)
   # ldapdelete -v -c -D "cn=admin,dc=geekonline,dc=in" -W "cn=ldapuser1,ou=People,dc=geekonline,dc=in"



Summary
1. Never edit the configuration files manually.
2. LDAP configuration is easy if you avoid copy/paste and typing mistakes (unnecessary spaces are treated as junk characters)
3. You can import existing OS users into LDAP
4. You can create LDAP users directly without creating them on the OS
5. Client configuration can be done using the FQDN instead of IPs
6. You can create/modify/delete users easily

Install and configure webmin with SSL (debian)

1. Create the repository file for webmin
        # echo "deb https://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list.d/webmin.list

2. Fetch and install the GPG key for the repository
       # cd /root
       # wget https://download.webmin.com/jcameron-key.asc
       # apt-key add jcameron-key.asc

3. Install webmin
       # apt-get install apt-transport-https
       # apt-get update
       # apt-get install webmin
       If Debian complains about missing dependencies, install them with:
       # apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

4. Manage the SSL certificate for webmin (using existing SSL certificates)
      # cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /etc/webmin/miniserv.pem
      # cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/webmin/miniserv.pem
      # systemctl restart webmin

5. Configure apache2 for the SSL certificate and redirection
      Create a file /etc/apache2/sites-available/webmin.conf and put the entries given below

         <VirtualHost *:80>
         ServerName webmin.mydomain.com
         Redirect permanent / https://webmin.mydomain.com/
         </VirtualHost>

         <IfModule mod_ssl.c>
         <VirtualHost *:443>
         ServerName webmin.mydomain.com
         SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
         SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
         Include /etc/letsencrypt/options-ssl-apache.conf
         ProxyPreserveHost On
         ProxyRequests Off
         SSLProxyEngine On

         # allow for upgrading to websockets
         RewriteEngine On
         RewriteCond %{HTTP:Upgrade} =websocket [NC]
         RewriteRule /(.*) ws://127.0.0.1:10000/$1 [P,L]
         RewriteCond %{HTTP:Upgrade} !=websocket [NC]
         RewriteRule /(.*) https://127.0.0.1:10000/$1 [P,L]

         # Proxy to your local webmin instance
         ProxyPass / https://127.0.0.1:10000/
         ProxyPassReverse / https://127.0.0.1:10000/

         </VirtualHost>
         </IfModule>

6. Configure iptables to drop requests on port 10000 from the world
      # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 10000 -j ACCEPT
      # iptables -A INPUT -p tcp --dport 10000 -j DROP

7. Enable the Apache configuration
     # ln -s /etc/apache2/sites-available/webmin.conf /etc/apache2/sites-enabled/webmin.conf
     # systemctl reload apache2

Summary:
After this setup webmin will be available only on https://webmin.mydomain.com and https://webmin.mydomain.com:10000 will not work

Install and configure shellinabox (web terminal) with SSL (debian)

1. Install the shellinabox package, which is present in the repository
         # sudo apt-get install shellinabox

2. Check the settings
         # cat /etc/default/shellinabox   (for RHEL the file is /etc/sysconfig/shellinaboxd)

3. Manage the SSL certificate for shellinabox (using existing SSL certificates)
        # cat /etc/ssl/certs/web/mydomain.com/privkey.pem > /var/lib/shellinabox/certificate.pem
        # cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /var/lib/shellinabox/certificate.pem
        # systemctl restart shellinabox

4. Configure apache2 for the SSL certificate and redirection
        Create a file /etc/apache2/sites-available/shellinabox.conf and put the entries given below

          <VirtualHost *:80>
          ServerName terminal.mydomain.com
          Redirect permanent / https://terminal.mydomain.com/
          </VirtualHost>

          <IfModule mod_ssl.c>
          <VirtualHost *:443>
          ServerName terminal.mydomain.com
          SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
          SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
          Include /etc/letsencrypt/options-ssl-apache.conf
          ProxyPreserveHost On
          ProxyRequests Off

          # allow for upgrading to websockets
          RewriteEngine On
          RewriteCond %{HTTP:Upgrade} =websocket [NC]
          RewriteRule /(.*) ws://127.0.0.1:4200/$1 [P,L]
          RewriteCond %{HTTP:Upgrade} !=websocket [NC]
          RewriteRule /(.*) http://127.0.0.1:4200/$1 [P,L]

          # Proxy to your local bash instance
          ProxyPass / http://127.0.0.1:4200/
          ProxyPassReverse / http://127.0.0.1:4200/

          </VirtualHost>
          </IfModule>

5. Configure iptables to drop requests on port 4200 from the world
        # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 4200 -j ACCEPT
        # iptables -A INPUT -p tcp --dport 4200 -j DROP


6. Enable the Apache configuration
       # ln -s /etc/apache2/sites-available/shellinabox.conf /etc/apache2/sites-enabled/shellinabox.conf
       # systemctl reload apache2

Summary:
After this setup the web terminal (shellinabox) will be available only on https://terminal.mydomain.com and https://terminal.mydomain.com:4200 will not work

Install and configure cockpit with SSL (debian)

1. Edit the /etc/apt/sources.list file or create a new file /etc/apt/sources.list.d/Backports.list and add the lines below

        deb http://ftp.debian.org/debian/ stretch-backports main contrib non-free
        deb http://packages.prosody.im/debian stretch main
        deb https://apt.dockerproject.org/repo debian-stretch main

2. Install the cockpit package
        # sudo apt-get update
        # sudo apt-get install cockpit

3. Manage the SSL certificate for cockpit (using existing SSL certificates)
        # cat /etc/cockpit/ws-certs.d/cockpit.base.cert > /etc/cockpit/ws-certs.d/0-self-signed.cert
        # cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/cockpit/ws-certs.d/0-self-signed.cert
        # systemctl reload cockpit

4. Configure apache2 for the SSL certificate and redirection
        Create a file /etc/apache2/sites-available/cockpit.conf and put the entries given below

           <VirtualHost *:80>
           ServerName cockpit.mydomain.com
           Redirect permanent / https://cockpit.mydomain.com/
           </VirtualHost>

           <IfModule mod_ssl.c>
           <VirtualHost *:443>
           ServerName cockpit.mydomain.com
           SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
           SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
           Include /etc/letsencrypt/options-ssl-apache.conf
           ProxyPreserveHost On
           ProxyRequests Off

           # allow for upgrading to websockets
           RewriteEngine On
           RewriteCond %{HTTP:Upgrade} =websocket [NC]
           RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
           RewriteCond %{HTTP:Upgrade} !=websocket [NC]
           RewriteRule /(.*) http://127.0.0.1:9090/$1 [P,L]

           # Proxy to your local cockpit instance
           ProxyPass / http://127.0.0.1:9090/
           ProxyPassReverse / http://127.0.0.1:9090/

           </VirtualHost>
           </IfModule>

5. Configure iptables to drop requests on port 9090 from the world
        # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9090 -j ACCEPT
        # iptables -A INPUT -p tcp --dport 9090 -j DROP

6. Enable the Apache configuration
        # ln -s /etc/apache2/sites-available/cockpit.conf /etc/apache2/sites-enabled/cockpit.conf
        # systemctl reload apache2

Summary:
After this setup cockpit will be available only on https://cockpit.mydomain.com and https://cockpit.mydomain.com:9090 will not work

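The iptables step in the webmin, shellinabox and cockpit sections above relies on rule order: -A appends, so the DROP only protects the proxied port if no earlier rule already accepts that traffic, and the rules are gone after a reboot unless saved (iptables-persistent on Debian). As an added example that is not from the posts, the function below evaluates an iptables -S INPUT listing for a new remote TCP connection to a port; the three rule listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. iptables -A appends, so the
# "accept from 127.0.0.1, then DROP" pair only protects the proxied port if
# no earlier rule already accepts that traffic, and nothing here survives a
# reboot unless the rules are saved (iptables-persistent on Debian). The
# function evaluates the chain as printed by "iptables -S INPUT" for a NEW
# TCP connection from a non-loopback host. Simplifications: jumps to user
# chains, LOG targets and multiport matches are skipped.
remote_tcp_verdict() {
    port=$1
    policy=ACCEPT
    while IFS= read -r rule; do
        case $rule in
            "-P INPUT "*) policy=${rule#"-P INPUT "}; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        # rules that can only match loopback traffic never see a remote host
        case $rule in *" -s 127."*|*" -i lo "*|*" -i lo") continue ;; esac
        # protocol and destination port must match (absent = matches everything)
        case $rule in *" -p tcp"*) ;; *" -p "*) continue ;; esac
        case $rule in *"--dport $port "*|*"--dport $port") ;; *"--dport "*) continue ;; esac
        # state matches without NEW (RELATED,ESTABLISHED) do not match a fresh connection
        case $rule in *--ctstate*|*--state*) case $rule in *NEW*) ;; *) continue ;; esac ;; esac
        case $rule in
            *" -j ACCEPT"*) printf 'ACCEPT\n'; return 0 ;;
            *" -j DROP"*)   printf 'DROP\n';   return 0 ;;
            *" -j REJECT"*) printf 'REJECT\n'; return 0 ;;
        esac
    done
    printf '%s\n' "$policy"      # no rule matched: the chain policy decides
}

# Live use (as root): iptables -S INPUT | remote_tcp_verdict 10000

# Constructed listings. First: the post's two rules on an otherwise empty chain.
page_rules() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 10000 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 10000 -j DROP'
}
# Second: a host that already allowed all TCP before the post's rules were appended.
rules_behind_blanket_allow() {
    printf '%s\n' '-P INPUT DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -j ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 10000 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 10000 -j DROP'
}
# Third: a default-deny chain where the post's rules sit behind only ssh and conntrack.
rules_default_deny() {
    printf '%s\n' '-P INPUT DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 10000 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 10000 -j DROP'
}
```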
SUSE Enterprise Service Pack Migration

SUSE supports two different upgrade and migration methods, one online and the other offline. We will go through both methods.

A. Take a snapper snapshot
  1. Take a snapper snapshot before proceeding with the service pack migration using the command below
     # snapper create --description "Before Service Pack Migration"
B. Method 1: Offline upgrade and migration
  1. Offline methods usually boot another operating system from which the installed SLES version is upgraded. Examples are: DVD, flash disk and ISO image
  2. Download the latest ISO of the respective SUSE service pack from here.
  3. Insert the DVD or attach the ISO of the SUSE Linux Enterprise 12 SP3 installation medium through iLO/iDRAC and boot your machine. A welcome screen is displayed, followed by the boot screen
  4. Press F11 to enter the boot menu.
  5. Boot the system by selecting Upgrade in the boot menu.
  6. Accept the license agreement and proceed with Next
  7. It will start updating the installer
  8. On the Select for Upgrade screen, select the partition to upgrade and click Next. The system mounts the selected partition and displays all repositories that have been found on the partition that you want to upgrade
  9. On the Previously Used Repositories screen, adjust the status of the repositories: enable those you want to include in the upgrade process and disable any repositories that are no longer needed. Proceed with Next.
  10. On the Registration screen, select whether to register the upgraded system now (by entering your registration data and clicking Next) or to Skip Registration.
  11. Select the add-on products according to your requirements
  12. Review the Installation Settings for the upgrade, especially the Update Options.
  13. Start the installation and removal procedure by clicking Update.
  14. The system will start upgrading.
  15. Once the update is completed, the system will reboot into the updated service pack.

C. Method 2: Online upgrade and migration

  1. SUSE offers an intuitive graphical tool and a simple command line tool to upgrade a running system to a new service pack. Before you can start a service pack migration, your system must be registered with the SUSE Customer Center.
  2. Check the system version before the upgrade.
  3. Register the system:
    # SUSEConnect -r <REGISTRATION_CODE> -e <EMAILID>
  4. Install the latest updates:
    # zypper patch
  5. Check the available repositories.
    # zypper repos
  6. Install the zypper-migration-plugin package and its dependencies:
    # zypper in zypper-migration-plugin
  7. Run zypper migration.
    # zypper migration
  8. Review all the changes, especially the packages that are going to be removed. Proceed by typing "y".
  9. Select the service pack which you want to install; in my case I selected service pack 3.
  10. Select yes to continue
  11. After a successful migration, restart your system and check using the following commands.
    # cat /etc/SuSE-release   (or: # lsb_release -d)

    # uname -a

Create swap space using a swapfile

  1. The TEST server has 4GB of memory and a 4GB swap partition, which is not enough.
  2. The existing swap partition is created in LVM and there is no scope to increase its size
  3. To overcome this problem, create a swapfile using the dd command with permission 0600
  4. Change the file permission to 0600
  5. Set up the file as a swap area
  6. Test by enabling swap on the swapfile
  7. Make this persistent across boots by adding an entry in fstab
  8. Always run the mount -a command to check for errors in the fstab file
  9. Now disable swap on /swapfile, which we enabled manually, and check the swap partitions
  10. Now check boot persistence with the swapon command

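The ten steps above as shell functions, an added example that is not part of the post: the swapfile path and size are parameters, the file is created under a restrictive umask so it is never readable by others, and the fstab helper is idempotent; the create and verify functions need root, the checks do not.

```shell
#!/bin/sh
# Added example, not from the original post: the ten steps above as shell
# functions with the checks they imply. Path and size are parameters;
# the fstab helper is idempotent so re-running never duplicates the entry.

# Steps 3-6. The file is created under umask 077 so it is 0600 from its
# first byte (a readable swapfile exposes whatever memory gets paged out).
# Needs root; refuses to overwrite an existing file.
create_swapfile() {
    path=$1; size_mb=$2
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -e "$path" ] && { echo "$path already exists" >&2; return 1; }
    ( umask 077 && dd if=/dev/zero of="$path" bs=1M count="$size_mb" ) || return 1
    chmod 0600 "$path" && mkswap "$path" && swapon "$path"
}

# Step 4 check: swapon warns "insecure permissions" for anything but 0600.
swapfile_mode_ok() {
    [ "$(stat -c %a "$1")" = 600 ]
}

# Step 7: append the fstab line unless one for this path already exists.
ensure_fstab_entry() {
    fstab=$1; path=$2
    grep -q "^[[:space:]]*$path[[:space:]]" "$fstab" 2>/dev/null && return 0
    printf '%s none swap sw 0 0\n' "$path" >> "$fstab"
}

# Steps 8-10: fstab must parse, then drop the manual activation and let
# "swapon -a" bring the file back purely from fstab (/proc/swaps lists it).
verify_persistence() {
    path=$1
    mount -a || return 1
    swapoff "$path" && swapon -a && grep -q "^$path " /proc/swaps
}

# Usage as root: create_swapfile /swapfile 4096 &&
#   ensure_fstab_entry /etc/fstab /swapfile && verify_persistence /swapfile
```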
SSH jailing with all commands

Steps for SSH jailing

  1. Create a user for the jail environment and set a password if the user does not exist.
    # useradd -m testuser
    # passwd testuser
  2. Create a directory structure for the secure environment.
    (In our case we are creating the secure environment in the /home directory. You can change it according to your requirements)
    # cd /home
    # mkdir -p secure/home
    # cd /home/secure/home
    # mkdir testuser
    # chown testuser:testuser testuser
  3. Enable commands for the user in the chrooted environment.
    # cp -pr /bin /home/secure/
    # cp -fr /lib /home/secure/
    # cp -fr /lib64 /home/secure/
    # mkdir /home/secure/usr
    # cp -pr /usr/lib /home/secure/usr/
    # cp -pr /usr/bin /home/secure/usr/
    # mkdir -p /home/secure/etc/
    # cp -p /etc/environment /home/secure/etc/
  4. Configuration for jailing.
    Edit the file sshd_config
    # vi /etc/ssh/sshd_config

      #SSH JAILING
      Match User testuser
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp   (if you uncomment this line it restricts the SSH connection so that only SFTP connections are allowed)

  5. Reload sshd
    # service sshd reload

  6. After logging in from another server, /home/secure becomes your / partition over the SSH connection.
    # ssh testuser@<ip>

Chroot configuration for a group:
  1. Suppose there are multiple users that need to be restricted using chroot.
    Then create a group chroot and add the users to the group
     # groupadd chroot
     # usermod -aG chroot testuser
  2. Change the sshd config as given below
     #SSH JAILING
     Match Group chroot
     ChrootDirectory /home/secure
     #ForceCommand internal-sftp   (if you uncomment this line it restricts the SSH connection so that only SFTP connections are allowed)
  3. Reload sshd
     # service sshd reload

Things to remember:
  1. The chroot directory should always have root ownership and permission 755,
    otherwise you will get the error below
    packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

  2. Don't forget to copy /etc/environment,
    otherwise you will get the error below when changing the shell to bash
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

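The first point under "Things to remember" is sshd's rule for ChrootDirectory: the directory and every parent must be root-owned and not writable by group or others. The shell functions below are an added example, not from the post: one walks the path and reports the first offending component, the other lists setuid/setgid binaries that the wholesale copy of /bin and /usr/bin in step 3 brings into the jail; the test directory they are run on is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. sshd accepts a ChrootDirectory
# only if it and every parent directory are owned by root and not writable
# by group or others; otherwise the login dies with the "packet_write_wait
# ... Broken pipe" shown above. The second check hunts for setuid/setgid
# binaries that "cp -pr /bin /usr/bin" copies into the jail, since a jail
# holding su/sudo/passwd-style binaries is not a security boundary.

# Rule for one path component: uid 0, and no group/other write bits in the
# mode. Kept separate from the filesystem walk so it can be tested without root.
component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# Walk from the chroot up to /, reporting the first component that breaks the rule.
# Only the chroot and its parents matter: the user's home inside it may be theirs.
check_chroot_path() {
    p=$1
    while :; do
        uid=$(stat -c %u "$p") && mode=$(stat -c %a "$p") || return 2
        if ! component_ok "$uid" "$mode"; then
            printf 'BAD %s (uid %s, mode %s): chown root:root and chmod 755 it\n' "$p" "$uid" "$mode"
            return 1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    printf 'OK %s: all components root-owned and not group/world writable\n' "$1"
}

# List setuid/setgid files below the jail; exit status 1 if any exist.
suid_in_chroot() {
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf 'setuid/setgid binaries inside the jail:\n%s\n' "$found"
    return 1
}

# Usage: check_chroot_path /home/secure && suid_in_chroot /home/secure
```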

Configure WiFi without a GUI in Linux

1) Find out the wireless device name.

# iw dev

2) Check whether the wireless device is up or down

# ip link show wlan0

3) Scan for wireless networks

# iw wlan0 scan

To configure and connect to wireless without a GUI we require the package wpa_supplicant-0.7.3-9.el6.i686

4) Create a configuration file (wpa_passphrase takes the SSID and the passphrase and prints a network block with the derived PSK)

# wpa_passphrase <SSID> <passphrase> >> /etc/wpa_supplicant/wpa_supplicant.conf

5) Start the device from the command line

# wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

where -B means run wpa_supplicant in the background,
-D specifies the wireless driver (wext is the generic driver), and
-c specifies the path of the configuration file.

Put the above command in /etc/rc.local so that after booting it automatically connects to the wireless network.

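wpa_passphrase prints the derived psk= line together with the original passphrase in a "#psk=" comment, and step 4 appends both to the config file. As an added example that is not from the post, the helpers below strip that plaintext line and write the file readable by root only; the /run/wpa_supplicant control socket path is an assumption, and the sample block is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. "wpa_passphrase SSID pass" prints
# the network block with the derived psk= line AND the original passphrase in
# a "#psk=" comment, and step 4 appends that straight into wpa_supplicant.conf.
# These helpers drop the plaintext line and write the file as root-only 0600.

# Remove commented plaintext passphrase lines from a wpa_passphrase block (stdin -> stdout).
strip_plain_psk() {
    sed '/^[[:space:]]*#[[:space:]]*psk=/d'
}

# Exit status 0 when the config still carries a plaintext passphrase comment.
conf_has_plain_psk() {
    grep -q '^[[:space:]]*#[[:space:]]*psk=' "$1"
}

# Write the config as root, mode 0600. The passphrase is read from stdin by
# wpa_passphrase itself, so it never shows up in ps output or shell history.
# ctrl_interface (assumed /run/wpa_supplicant) lets wpa_cli manage the daemon.
install_wpa_conf() {
    conf=$1; ssid=$2
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    ( umask 077
      { printf 'ctrl_interface=/run/wpa_supplicant\nupdate_config=0\n'
        wpa_passphrase "$ssid" | strip_plain_psk
      } > "$conf" ) && chmod 0600 "$conf"
}
# Afterwards: wpa_supplicant -B -D nl80211 -i wlan0 -c "$conf"
# (nl80211 is the current driver interface; wext, used in the post, is the legacy one)

# Constructed sample of wpa_passphrase output; the psk hex is made up.
sample_block() {
    printf 'network={\n\tssid="HomeNet"\n\t#psk="correct horse battery"\n\tpsk=%s\n}\n' \
        0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
}
```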
Enabling rc.local in Debian 9

rc.local is deprecated in Debian 9 and disabled by default

To enable it:

  1. Create the file /etc/systemd/system/multi-user.target.wants/rc.local.service

# vi /etc/systemd/system/multi-user.target.wants/rc.local.service

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

  2. # systemctl daemon-reload

  3. # systemctl restart rc.local.service