Very slow ssh logins on Fedora 22

I’ve recently set up a Fedora 22 firewall/router at home (more on that later) and I noticed that remote ssh logins were extremely slow. In addition, sudo commands seemed to stall out for the same amount of time (about 25-30 seconds). I’ve done all the basic troubleshooting already:

- Switch to UseDNS no in /etc/ssh/sshd_config
- Set GSSAPIAuthentication no in /etc/ssh/sshd_config
- Tested DNS resolution

These lines kept cropping up in my system journal when I tried to access the server using ssh:...

2015-07-27 · 1 min · Major Hayden

X11 forwarding request failed on channel 0

Forwarding X over ssh is normally fairly straightforward when you have the correct packages installed. I have another post about the errors that appear when you’re missing the xorg-x11-xauth (CentOS, Fedora, RHEL) or xauth (Debian, Ubuntu) packages. Today’s error was a bit different. Each time I accessed a particular Debian server via ssh with X forwarding requested, I saw this:

    $ ssh -YC myserver.example.com
    X11 forwarding request failed on channel 0

The xauth package was installed and I found a ....

2014-07-24 · 1 min · Major Hayden

PXE boot Fedora 19 using a Mikrotik firewall

Outside of the RHCA exams, I haven’t configured a PXE system for my personal needs. A colleague demoed his PXE setup for me and I was hooked. Once I realized how much time I could save when I’m building and tearing down virtual machines, it made complete sense. This post will show you how to configure PXE and tftpd in Mikrotik’s RouterOS to boot and install Fedora 19 (as well as provide rescue environments)....

2013-07-23 · 3 min · Major Hayden

Changing your ssh server’s port from the default: Is it worth it?

Changing my ssh port from the default port (22) has been one of my standard processes for quite some time when I build new servers or virtual machines. However, I see arguments crop up regularly about it (like this reddit thread or this other one). Before I go any further, let’s settle the “security through obscurity” argument. (This could probably turn into its own post but I’ll be brief for now....

2013-05-15 · 3 min · Major Hayden

virt-manager won’t release the mouse when using ssh forwarding from OS X

The latest versions of virt-manager don’t release the mouse pointer when you’re doing X forwarding to a machine running OS X. This can lead to a rather frustrating user experience since your mouse pointer is totally stuck in the window. Although this didn’t affect me with CentOS 6 hosts, Fedora 18 hosts were a problem. There’s a relatively elegant fix from btm.geek that solved it for me. On your Mac, exit X11/Xquartz and create an ~/....

2013-03-20 · 1 min · Major Hayden

X forwarding over ssh woes: DISPLAY is not set

This problem came up in conversation earlier this week and I realized that I’d never written a post about it. Has this ever happened to you before?

    $ ssh -YC remotebox
    [major@remotebox ~]$ xterm
    xterm: Xt error: Can't open display:
    xterm: DISPLAY is not set

I’ve scratched my head on this error message when the remote server is a minimally-installed CentOS, Fedora, or Red Hat system. It turns out that the xorg-x11-xauth package wasn’t installed with the minimal package set and I didn’t have any authentication credentials ready to hand off to the X server on the remote machine....

2012-07-14 · 2 min · Major Hayden

The Kerberos-hater’s guide to installing Kerberos

As promised in my earlier post entitled Kerberos for haters, I’ve assembled the simplest possible guide to get Kerberos up and running on two CentOS 5 servers. Also, I don’t really hate Kerberos. It’s a bit of an inside joke with my coworkers who are studying for some of the RHCA exams at Rackspace. The additional security provided by Kerberos is quite good but the setup involves a lot of small steps....

2012-02-05 · 6 min · Major Hayden

Kerberos for haters

I’ll be the first one to admit that Kerberos drives me a little insane. It’s a requirement for two of the exams in Red Hat’s RHCA certification track and I’ve been forced to learn it. It provides some pretty nice security features for large server environments. You get central single sign ons, encrypted authentication, and bidirectional validation. However, getting it configured can be a real pain due to some rather archaic commands and shells....

2012-02-03 · 4 min · Major Hayden

Receive e-mail reports for SELinux AVC denials

SELinux isn’t a technology that’s easy to tackle for newcomers. However, there’s been a lot of work to smooth out the rough edges while still keeping a tight grip on what applications and users are allowed to do on a Linux system. One of the biggest efforts has been around setroubleshoot. The purpose behind setroubleshoot is to let users know when access has been denied, help them resolve it if necessary, and to reduce overall frustration while working through tight security restrictions in the default SELinux policies....

2011-09-16 · 3 min · Major Hayden

Securing your ssh server

One of the most common questions that I see in my favorite IRC channel is: “How can I secure sshd on my server?” There’s no single right answer, but most systems administrators combine multiple techniques to provide as much security as possible with the least inconvenience to the end user. Here are my favorite techniques listed from most effective to least effective:

SSH key pairs

By disabling password-based authentication and requiring ssh key pairs, you reduce the chances of compromise via a brute force attack....

2010-10-12 · 4 min · Major Hayden