How to use Chef encrypted data bags


Note: comment out the line below in your knife.rb, otherwise knife will decrypt the values automatically
and show them in plain text when you run "knife data bag show".
I initially thought knife was not encrypting my values and spent a lot of time debugging before I found this.



[root@ec2-test .chef]# cat knife.rb | grep secret
#knife[:secret_file] ='/root/encrypted_data_bag_secret'



knife data bag create --secret-file /root/.chef/encrypted_data_bag_secret testbag password

knife opens an editor for the new item; enter the following and save:

{
  "id": "password",
  "password": "this is test password key"
}



[root@ec2-test .chef]# knife data bag show testbag password

id:       password
password:
  cipher:         aes-256-cbc
  encrypted_data: KMHzeFQwfm0wWeHFymxfJsMo425CP+wlwoZ6xN7waVlgUNOmRrr/+jOtDLIN
  s7Xl

  iv:             TYPYnSqYTcmU8ZWE2sIt4A==

  version:        1


Once the item is encrypted, trying to edit it shows the encrypted structure instead of the plain values:

{
  "name": "data_bag_item_testbag_password",
  "json_class": "Chef::DataBagItem",
  "chef_type": "data_bag_item",
  "data_bag": "testbag",
  "raw_data": {
    "id": "password",
    "password": {
      "encrypted_data": "KMHzeFQwfm0wWeHFymxfJsMo425CP+wlwoZ6xN7waVlgUNOmRrr/+jOtDLIN\ns7Xl\n",
      "iv": "TYPYnSqYTcmU8ZWE2sIt4A==\n",
      "version": 1,
      "cipher": "aes-256-cbc"
    }
  }
}



To show the decrypted values, pass the secret file explicitly:

[root@ec2-test .chef]# knife data bag show  testbag password --secret-file /root/.chef/encrypted_data_bag_secret

id:       password
password: this is test password key
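As an added example (not from the original post), here is a shell round-trip that reproduces the version 1 item format shown above with the openssl CLI: the key is the SHA-256 of the secret file and the plaintext is the JSON wrapper {"json_wrapper": value}, which is how Chef's version 1 encryptor works but is not stated on the page. The function names and the constructed secret are my own.

```shell
#!/bin/sh
# Round-trip a Chef "version 1" encrypted data bag value with the openssl CLI.
# It produces the same fields knife showed above: cipher aes-256-cbc, a base64
# IV, base64 encrypted_data, and a key that is the SHA-256 of the secret file.
# Chef wraps the value as the JSON object {"json_wrapper": <value>} before
# encrypting it. Needs openssl, sha256sum, base64 and od (GNU coreutils).

# Key = SHA-256 of the secret file contents with the trailing newline dropped
# (knife strips whitespace around the secret), printed as hex for openssl -K.
secret_to_keyhex() {
    printf '%s' "$(cat "$1")" | sha256sum | cut -d' ' -f1
}

# encrypt_value SECRET_FILE VALUE -> prints "<iv_b64> <encrypted_data_b64>".
# VALUE is assumed to need no JSON escaping (no quotes or backslashes).
encrypt_value() {
    keyhex=$(secret_to_keyhex "$1")
    iv_file=$(mktemp)
    head -c 16 /dev/urandom > "$iv_file"       # fresh random 128-bit IV, as knife does
    ivhex=$(od -An -tx1 "$iv_file" | tr -d ' \n')
    iv_b64=$(base64 < "$iv_file" | tr -d '\n')
    rm -f "$iv_file"
    data_b64=$(printf '{"json_wrapper":"%s"}' "$2" \
        | openssl enc -aes-256-cbc -K "$keyhex" -iv "$ivhex" | base64 | tr -d '\n')
    printf '%s %s\n' "$iv_b64" "$data_b64"
}

# decrypt_value SECRET_FILE IV_B64 ENCRYPTED_DATA_B64 -> prints the plain value.
# The base64 may be line-wrapped exactly as knife prints it; newlines are ignored.
decrypt_value() {
    keyhex=$(secret_to_keyhex "$1")
    ivhex=$(printf '%s' "$2" | tr -d '\n' | base64 -d | od -An -tx1 | tr -d ' \n')
    printf '%s' "$3" | tr -d '\n' | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$keyhex" -iv "$ivhex" \
        | sed -e 's/^{"json_wrapper":"\(.*\)"}$/\1/'
}

# Demo with a constructed secret (for real use: openssl rand -base64 512 > file).
demo_secret=$(mktemp)
openssl rand -base64 512 > "$demo_secret"
set -- $(encrypt_value "$demo_secret" "this is test password key")
echo "iv:             $1"
echo "encrypted_data: $2"
echo "decrypted:      $(decrypt_value "$demo_secret" "$1" "$2")"
rm -f "$demo_secret"
```

Pasting the iv and encrypted_data values from "knife data bag show" into decrypt_value lets you inspect an item of your own without knife, which is handy when checking that the right secret was used.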


---------------------------
Some useful commands related to data bags

Generate a random secret key:

openssl rand -base64 512 > encrypted_data_bag_secret

Generate a random password (on macOS):

date | md5

On any Linux machine:

date | md5sum

Setting the Secure flag on cookies in Apache httpd

First check whether mod_headers is loaded; if it is not, enable the module:

LoadModule headers_module modules/mod_headers.so

Once the module is loaded, add this directive:

Header edit Set-Cookie ^(.*)$ $1;Secure

Add the above line to your virtual host in httpd.conf or ssl.conf, depending on your configuration.

This appends the Secure flag to every cookie the server sets. The flag travels with the new cookie in the HTTP response,
and it tells the browser to return the cookie only over HTTPS, never over plain HTTP, so the cookie value cannot be read off an unencrypted connection.

This can be done in application code (for example in Java) or at the Apache httpd configuration level.
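An added check script, not part of the original post, for confirming the directive is in effect: it reads response headers (from curl -sI, or the constructed sample inside) and reports any Set-Cookie without the Secure attribute. The function names are my own.

```shell
#!/bin/sh
# Verify that the Header edit rule above actually took effect. Feed HTTP response
# headers on stdin (for example: curl -sI https://your-host/ | check_cookie_flags)
# and every Set-Cookie that lacks the Secure attribute is reported. Exit status 0
# means all cookies carry the flag, 1 means at least one does not.

# Prints the Set-Cookie headers that have no Secure attribute.
cookies_missing_secure() {
    tr -d '\r' | grep -i '^set-cookie:' \
        | grep -E -iv ';[[:space:]]*secure[[:space:]]*(;|$)'
}

check_cookie_flags() {
    missing=$(cookies_missing_secure) || true   # grep -v exits 1 when nothing is left
    if [ -z "$missing" ]; then
        echo "all Set-Cookie headers carry the Secure flag"
        return 0
    fi
    printf 'Set-Cookie without Secure flag:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample response: one cookie carries the flag, one does not.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure\r\n'
    printf 'Set-Cookie: lang=en; Path=/\r\n\r\n'
}

sample_headers | cookies_missing_secure   # prints: Set-Cookie: lang=en; Path=/
```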



rssh chroot jail SFTP setup - by Vinodh Tiruttani

Steps for creating the chroot jail folder:
The chroot command changes its current and root directories to the given directory and then runs the supplied command, or an interactive copy of the user's login shell if none is given. Note that not every application can be chrooted.
Creating the user:
[root@learnadmin ~]# /usr/sbin/useradd testrssh
[root@learnadmin ~]# su testrssh
[testrssh@learnadmin root]$ cd /home/testrssh/
[testrssh@learnadmin ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/testrssh/.ssh/id_dsa):
Created directory '/home/testrssh/.ssh'.
Enter passphrase (empty for no passphrase): < Type passphrase >
Enter same passphrase again: <  Re-type passphrase >
Your identification has been saved in /home/testrssh/.ssh/id_dsa.
Your public key has been saved in /home/testrssh/.ssh/id_dsa.pub.
The key fingerprint is:
92:c9:fe:9f:47:29:ba:15:29:9c:51:84:0f:c6:d8:0b testrssh@learnadmin.com
[testrssh@learnadmin ~]$
[testrssh@learnadmin ~]$ cd .ssh/
[testrssh@learnadmin .ssh]$ pwd
/home/testrssh/.ssh
[testrssh@learnadmin .ssh]$ cp id_dsa.pub authorized_keys2
[testrssh@learnadmin .ssh]$ ls -l
total 24
-rw-r--r-- 1 testrssh testrssh 618 Jun 12 18:12 authorized_keys2
-rw------- 1 testrssh testrssh 736 Jun 12 18:11 id_dsa   (note the 600 permissions)
-rw-r--r-- 1 testrssh testrssh 618 Jun 12 18:11 id_dsa.pub
[testrssh@learnadmin .ssh]$
[testrssh@learnadmin .ssh]$ exit
[root@learnadmin ~]# /usr/sbin/usermod -s /usr/bin/rssh testrssh
Download rssh-2.3.3.tar.gz from http://www.pizzashack.org/rssh/downloads.shtml and build it:
[root@learnadmin ~]# tar xvf rssh-2.3.3.tar.gz
[root@learnadmin ~]# cd rssh-2.3.3
[root@learnadmin rssh-2.3.3]# ./configure
[root@learnadmin rssh-2.3.3]# make
[root@learnadmin rssh-2.3.3]# make install
[root@learnadmin rssh-2.3.3]# cd ..
Download the rssh-2.3.3-1.x86_64.rpm package and install it:
[root@learnadmin ~]# rpm -ivh rssh-2.3.3-1.x86_64.rpm
Preparing...                ########################################### [100%]
   1:rssh                   ########################################### [100%]
[root@learnadmin ~]# pwd
/root
Converting the home directory into an rssh chroot jail: copy the mkchroot.sh script shipped with the rssh docs and run it against the user's home directory
[root@learnadmin ~]# cp /usr/share/doc/rssh-2.3.3/mkchroot.sh .
[root@learnadmin ~]# chmod 775 mkchroot.sh
[root@learnadmin ~]# ./mkchroot.sh /home/testrssh/
NOT changing owner of root jail.
NOT changing perms of root jail.
setting up /home/testrssh//usr/bin
setting up /home/testrssh//usr/libexec/openssh
setting up /home/testrssh//usr/libexec
Copying libraries for /usr/bin/scp.
        /lib64/libcrypto.so.6
        /lib64/libutil.so.1
        /usr/lib64/libz.so.1
        /lib64/libnsl.so.1
        /lib64/libcrypt.so.1
        /lib64/libresolv.so.2
        /usr/lib64/libgssapi_krb5.so.2
        /usr/lib64/libkrb5.so.3
        /usr/lib64/libk5crypto.so.3
        /lib64/libcom_err.so.2
        /usr/lib64/libnss3.so
        /lib64/libc.so.6
        /lib64/libdl.so.2
        /usr/lib64/libkrb5support.so.0
        /lib64/libkeyutils.so.1
        /usr/lib64/libnssutil3.so
        /usr/lib64/libplc4.so
        /usr/lib64/libplds4.so
        /usr/lib64/libnspr4.so
        /lib64/libpthread.so.0
        /lib64/libselinux.so.1
        /lib64/libsepol.so.1
Copying libraries for /usr/libexec/openssh/sftp-server.
        /lib64/libcrypto.so.6
        /lib64/libutil.so.1
        /usr/lib64/libz.so.1
        /lib64/libnsl.so.1
        /lib64/libcrypt.so.1
        /lib64/libresolv.so.2
        /usr/lib64/libgssapi_krb5.so.2
        /usr/lib64/libkrb5.so.3
        /usr/lib64/libk5crypto.so.3
        /lib64/libcom_err.so.2
        /usr/lib64/libnss3.so
        /lib64/libc.so.6
        /lib64/libdl.so.2
        /usr/lib64/libkrb5support.so.0
        /lib64/libkeyutils.so.1
        /usr/lib64/libnssutil3.so
        /usr/lib64/libplc4.so
        /usr/lib64/libplds4.so
        /usr/lib64/libnspr4.so
        /lib64/libpthread.so.0
        /lib64/libselinux.so.1
        /lib64/libsepol.so.1
Copying libraries for /usr/bin/rssh.
        /lib64/libc.so.6
Copying libraries for /usr/libexec/rssh_chroot_helper.
        /lib64/libc.so.6
copying name service resolution libraries...
tar: Removing leading `/' from member names
        lib/libnss_files-2.5.so
tar: /lib/libnss1_files*: Cannot stat: No such file or directory
tar: Error exit delayed from previous errors
        lib/libnss_files.so.2
Setting up /etc in the chroot jail
cp: omitting directory `/etc/ld.so.conf.d'
Chroot jail configuration completed.
NOTE: if you are not using the passwd file for authentication,
you may need to copy some of the /lib/libnss_* files into the jail.

NOTE: you must MANUALLY edit your syslog rc script to start syslogd
with appropriate options to log to /home/testrssh//dev/log.  In most cases,
you will need to start syslog as:
    /sbin/syslogd -a /home/testrssh//dev/log
NOTE: we make no guarantee that ANY of this will work for you... if it
doesn't, you're on your own.  Sorry!
Note: the script above does not copy some files (see the tar errors); copy them into the jail manually:
[root@learnadmin ~]#
[root@learnadmin ~]# cd /home/testrssh/
[root@learnadmin testrssh]# cd dev/
[root@learnadmin dev]# mknod -m 666 zero c 1 5
[root@learnadmin dev]# mknod -m 666 null c 1 3
[root@learnadmin dev]# cd ../lib
[root@learnadmin lib]# cp /lib/ld-linux.so.2 .
[root@learnadmin lib]# cp /lib/libc.so.6 .
[root@learnadmin lib]# cd ../lib64/
[root@learnadmin lib64]# cp /lib64/ld-linux-x86-64.so.2 .
[root@learnadmin lib64]# cp /lib64/libnss_* .
[root@learnadmin lib64]# cd
[root@learnadmin ~]# vi /etc/rssh.conf   (add the user line and uncomment the two allow lines)
allowscp
allowsftp
user=testrssh:011:00011:"/home/testrssh"
:wq!
[root@learnadmin ~]#
Done: the rssh chroot jail folder is created.
-------------------------------------------------
Testing the rssh login from a remote system
Copy the id_dsa private key of the testrssh user from the server to the client machine:
[root@clientmachine test-rssh-keys]# vi id_dsa_testrssh

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,42ED97DC52451DE9
(encrypted key material omitted)
-----END DSA PRIVATE KEY-----
:wq!
[root@clientmachine test-rssh-keys]# chmod 600 id_dsa_testrssh
[root@clientmachine test-rssh-keys]# sftp -o IdentityFile=id_dsa_testrssh testrssh@<sftp server>
Connecting to 10.x.x.x...
Enter passphrase for key 'id_dsa_testrssh':
sftp> ls
dev    etc    lib    lib64  usr
sftp> cd /root
Couldn't canonicalise: No such file or directory
sftp> cd /tmp
Couldn't canonicalise: No such file or directory
sftp>
The rssh chroot jail is working: the user sees only the jail contents and cannot change into /root or /tmp on the host.
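An added sanity check, not part of the original write-up, that looks for the items the walkthrough had to add by hand after mkchroot.sh and for the user line in rssh.conf. It assumes the 64-bit jail layout used above; the function names and the constructed fake jail are my own.

```shell
#!/bin/sh
# Sanity-check an rssh chroot jail for the pieces mkchroot.sh left out above and
# that had to be added by hand (the /dev nodes, the 64-bit loader, the libnss_*
# resolver libraries), for the programs rssh runs inside the jail, and for the
# user's entry in rssh.conf. Prints each problem; returns 1 if any were found.
check_rssh_jail() {   # usage: check_rssh_jail JAILDIR USER [RSSH_CONF]
    jdir=$1; juser=$2; conf=${3:-/etc/rssh.conf}; rc=0
    for f in usr/bin/rssh usr/libexec/rssh_chroot_helper usr/bin/scp \
             usr/libexec/openssh/sftp-server lib64/ld-linux-x86-64.so.2 \
             lib64/libnss_files.so.2 etc/passwd; do
        [ -e "$jdir/$f" ] || { echo "missing: $jdir/$f"; rc=1; }
    done
    for d in null zero; do     # must be character devices, not plain files
        [ -c "$jdir/dev/$d" ] || { echo "not a char device: $jdir/dev/$d"; rc=1; }
    done
    grep -q "^user=$juser:" "$conf" || { echo "no user=$juser line in $conf"; rc=1; }
    grep -q '^allowsftp' "$conf" || { echo "allowsftp is commented out in $conf"; rc=1; }
    return $rc
}

# Builds a constructed jail skeleton in a temp dir so the check can be tried
# without root: empty files stand in for the binaries and libraries, and the
# device nodes are symlinks to the host's /dev/null and /dev/zero.
make_fake_jail() {   # prints the jail path; its rssh.conf is at JAIL/rssh.conf
    j=$(mktemp -d)
    mkdir -p "$j/usr/bin" "$j/usr/libexec/openssh" "$j/lib64" "$j/etc" "$j/dev"
    for f in usr/bin/rssh usr/libexec/rssh_chroot_helper usr/bin/scp \
             usr/libexec/openssh/sftp-server lib64/ld-linux-x86-64.so.2 \
             lib64/libnss_files.so.2 etc/passwd; do
        : > "$j/$f"
    done
    ln -s /dev/null "$j/dev/null"; ln -s /dev/zero "$j/dev/zero"
    printf 'allowscp\nallowsftp\nuser=testrssh:011:00011:"%s"\n' "$j" > "$j/rssh.conf"
    printf '%s' "$j"
}

fake=$(make_fake_jail)
check_rssh_jail "$fake" testrssh "$fake/rssh.conf" && echo "jail looks complete"
rm -f "$fake/lib64/libnss_files.so.2"           # simulate a library mkchroot.sh skipped
check_rssh_jail "$fake" testrssh "$fake/rssh.conf" || echo "jail incomplete, as expected"
rm -rf "$fake"
```

On a real host run it as check_rssh_jail /home/testrssh testrssh, which reads /etc/rssh.conf by default.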


How to parse XML tags in bash (retrieve XML tag values on Linux)


Consider the following example file test.xml:

<header>
        <tag1>1</tag1>
        <system>test123</system>
        <cdc>230</cdc>
</header>

grep -E -m 1 -o "<system>(.*)</system>" test.xml

This will return "<system>test123</system>" (the whole element from the first matching line)

If you want only the value, pipe it further through sed:

grep -E -m 1 -o "<system>(.*)</system>" test.xml | sed -e 's,.*<system>\([^<]*\).*,\1,g'

This will return "test123"
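An added example, not from the original post, that generalises the one-liner above into a function taking the tag name and also copes with attributes on the opening tag and values that span lines; the function and the sample file are my own.

```shell
#!/bin/sh
# Generalised form of the grep/sed one-liner above: print the text of the first
# <TAG>...</TAG> element in FILE. Newlines are turned into spaces first so a value
# that spans lines still matches, and the opening tag may carry attributes. It is
# still a regex over text, not an XML parser: nested elements, CDATA sections and
# entities are not handled; use xmllint or xmlstarlet when those matter.
xml_tag_value() {   # usage: xml_tag_value FILE TAG
    tr '\n' ' ' < "$1" \
        | grep -E -o "<$2( [^>]*)?>[^<]*</$2>" | head -n 1 \
        | sed -E "s,<$2( [^>]*)?>([^<]*)</$2>,\2," | sed -E 's/^ +//; s/ +$//'
}

# Writes a constructed sample like test.xml from the post and prints its path.
make_sample_xml() {
    sample_file=$(mktemp)
    cat > "$sample_file" <<'EOF'
<header>
        <tag1>1</tag1>
        <system>test123</system>
        <cdc>230</cdc>
        <note lang="en">spans
two lines</note>
</header>
EOF
    printf '%s' "$sample_file"
}

sample=$(make_sample_xml)
xml_tag_value "$sample" system   # test123
xml_tag_value "$sample" note     # spans two lines
rm -f "$sample"
```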

Fix for smbclient "NT_STATUS_BAD_NETWORK_NAME"

This error means the share name given to smbclient does not exist on the server. List the shares first, then connect using the exact share name:

smbclient -L 127.0.0.1 -U testuser    ( lists the shares on the server )

smbclient //127.0.0.1/Pubshare -U testuser    ( connects to the Pubshare share )