Generating SSL Certificate Signing Request (CSR) in Linux

A Certificate Signing Request (CSR) is the intermediate form of an SSL certificate that enables a Certificate Authority (CA) to generate a signed SSL certificate and verify the identity of a domain’s owner. A CSR is an encoded file that gives you a standardized way to send us your public key along with some information that identifies your company and domain name.

Install Required Packages:
First, we need to install the required packages. If the required packages are already installed then ignore this step.

# yum install openssl mod_ssl
Generate Private Key:
Before generating the CSR we need to generate the private key file. Run the below command to generate the key.

# openssl genrsa -out maddy.com.key 2048
Output:

Generating RSA private key, 2048 bit long modulus
…………………. …….. …….++++++
………………………… … … .. ++++++
e is 61764 (0x01001)
Enter passphrase for www.maddy.com.key:
Verifying - Enter pass phrase for www.techoism.com.key:
Generate a Certificate Signing Request (CSR):
After generating the private key, generate the CSR using that key. The command will ask for some information about the domain.

# openssl req -new -key maddy.com.key -out maddy.com.csr
Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Bangalore
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:Maddy.com.
Organizational Unit Name (eg, section) []:BLOGSITE
Common Name (eg, your name or your server’s hostname) []:maddy.com
Email Address []:admin@maddy.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
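You can also create the private key and the CSR with a single command. The command first generates the private key and then the CSR. Note that -nodes writes the private key to disk without passphrase encryption, so restrict access to the key file.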

# openssl req -new -newkey rsa:2048 -nodes -keyout www.maddy.com.key -out www.maddy.com.csr
The CSR has now been generated; use this file to order the SSL certificate.
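Before sending the CSR to the CA, it is worth confirming that its self-signature verifies and that it carries the public half of the key you intend to deploy. The following is an added example, not part of the original article; the function names are illustrative and the subject values reuse the placeholders from the prompts above.

```shell
#!/bin/sh
# Added example: create a key and CSR without prompts, then check them.
# File names and subject values are placeholders taken from this article.

make_csr() {  # make_csr <basename> <subject>
    (
        umask 077   # the unencrypted key must be readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    )
}

pubkey_digest() {  # SHA-256 over the PEM public key held in a .key or .csr
    case $1 in
        *.csr) openssl req -in "$1" -noout -pubkey ;;
        *)     openssl pkey -in "$1" -pubout ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

check_csr() {  # check_csr <basename>: 0 ok, 1 bad signature, 2 key mismatch
    # A CSR whose self-signature does not verify is damaged or tampered with.
    openssl req -in "$1.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # A certificate issued for this CSR only works with the matching key.
    [ "$(pubkey_digest "$1.csr")" = "$(pubkey_digest "$1.key")" ] || return 2
}

csr_subject() {  # print the subject so typos are caught before ordering
    openssl req -in "$1.csr" -noout -subject
}

# Usage:
#   make_csr maddy.com "/C=IN/ST=Bangalore/L=Bangalore/O=Maddy.com/CN=maddy.com"
#   check_csr maddy.com && csr_subject maddy.com
```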

Configuration of SSH Key Authentication on Linux

SSH key authentication allows users to SSH into the server without entering their passwords. SSH keys are more secure than passwords because the private key used to secure the connection is never shared. Private keys can also be encrypted with a passphrase so their content can’t be read as easily. While SSH passwords are not required once keys are set up, the passphrase for decrypting the private key locally is still required.

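To improve system security even further, you can enforce key-based authentication by disabling standard password authentication in /etc/ssh/sshd_config and restarting the SSH daemon. Do this only after confirming that key-based login works.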

PasswordAuthentication no
Generate SSH Key Pair:
We can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. DSA keys are disabled by default since OpenSSH 7.0, so prefer RSA or ED25519 on current systems.

# ssh-keygen -t rsa
OR
# ssh-keygen -t dsa
After this, you will be presented with a message similar to this:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:1a:22:51:ee:ee:bc:53:rr:ad:tt:6t:41:a3:55:33 root@maddy.com
The key’s randomart image is:
+--[ RSA 2048]----+
| .+ |
| + o . o |
| E . = + . |
| o . + * . |
| . S o |
| = o |
| . o . |
| + . |
| . o. |
+-----------------+
I have created the key using the passphrase. Also, you can create the key without the passphrase.

Copying Public Key
Then we need to copy the public key to our remote server. Here I am choosing the default non-root user as remoteuser but you can use the root user also. Use below command to copy the public key.

# ssh-copy-id maddy@174.40.30.11
Sample Output:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
maddy@174.40.30.11's password:

Number of key(s) added: 1

Now try logging into the machine, with "ssh 'maddy@174.40.30.11'"
and check to make sure that only the key(s) you wanted were added.
This creates the authorized_keys file in the user's .ssh directory.

Note: You can also add the public key manually using the following steps:

1. Copy the public key.

# cat /root/.ssh/id_rsa.pub
ssh-rsa BBBBdfdddfdzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpsdsdstT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/asdasdasdasdasdasdasqCFAu2YIasdaasdasasdsKA1KxZpfhU/asdaerassdfrfdrgddfdf/asdasdasdasdasdasdasdasdas root@maddy.com

2. Access the remote server and follow the steps below to copy the public key into the user's home directory.

# su - maddy
# mkdir .ssh
# chmod 700 .ssh
Now, you can create or modify the authorized_keys file within this directory.

# vim .ssh/authorized_keys
ssh-rsa BBBBdfdddfdzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpsdsdstT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/asdasdasdasdasdasdasqCFAu2YIasdaasdasasdsKA1KxZpfhU/asdaerassdfrfdrgddfdf/asdasdasdasdasdasdasdasdas root@maddy.com

Then change the permissions of the authorized_keys file.

# chmod 600 .ssh/authorized_keys

Access Your Server Using SSH Keys
After completing the above procedure, you should be able to log in to the remote host without the remote user’s password.

# ssh maddy@174.40.30.11

It will now ask for the passphrase that was set when the key pair was created.
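Two details of this setup are easy to get wrong: sshd uses the first value it reads for a keyword, so appending "PasswordAuthentication no" below an existing "yes" changes nothing, and the .ssh directory and authorized_keys need the 700 and 600 modes set above. The following added example (not part of the original article) checks both; the function names and the sample configuration are constructed, and Include files are not followed.

```shell
#!/bin/sh
# Added example: audit the settings this article relies on.
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

effective_sshd() {  # effective_sshd <config> <keyword> -> global value
    awk -v want="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }        # drop comments, allow key=value
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

password_login_disabled() {  # true only for an explicit global "no"
    # Unset means the OpenSSH default, which is "yes".
    [ "$(effective_sshd "$1" PasswordAuthentication)" = "no" ]
}

mode_is() {  # mode_is <path> <octal>, e.g. ~/.ssh 700, authorized_keys 600
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

sample_sshd_config() {  # constructed sample with a shadowed setting
    cat <<'EOF'
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later by an admin following this guide:
PasswordAuthentication no
EOF
}

# Usage:
#   password_login_disabled /etc/ssh/sshd_config || echo "passwords still accepted"
#   mode_is ~/.ssh 700 && mode_is ~/.ssh/authorized_keys 600
```

On a live host, `sshd -T` run as root prints the effective configuration, including defaults and included files.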

We hope this article is helpful to you.

Installing NTP Server on CentOS/RHEL 7/6/5

Network Time Protocol (NTP) is used to synchronize system clocks of different hosts over the network. Most companies will have a local NTP server that they keep in sync with an external timing source and then they have all of their internal servers sync their time with that machine. In this setup, we will configure Linux system as NTP server.

Install the NTP Packages
NTP server package is provided by CentOS/RHEL default repositories and can be installed using yum command.

# yum install ntp

Configure NTP Server
If you have many servers in the environment, synchronize this NTP server with time servers provided by your ISP or with the public time servers at ntp.org. We suggest using nearby servers. You can find nearby servers at NTP Public Pool Time Servers (http://www.pool.ntp.org/en/).

# vim /etc/ntp.conf
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst

Allow LAN Systems
Now, you need to allow clients from your network to synchronize time with this server. To do so, add the following entry to the configuration file.

# vim /etc/ntp.conf
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap
Enable NTP Log
In case there are problems with your NTP daemon, add a logfile statement, which records all NTP server issues. Add the following line.

# vim /etc/ntp.conf
logfile /var/log/ntp.log

Add Firewall Rules
The NTP server listens on UDP port 123. If a firewall is running on the server, run the following commands to allow NTP traffic.
CentOS/RHEL 7

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload
CentOS/RHEL 6/5

# iptables -A INPUT -s 192.168.5.0/24 -p udp --dport 123 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j DROP
Restart NTP Server
After completing the NTP configuration, start the NTP server and enable it at boot using the following commands.

CentOS/RHEL 7

# systemctl start ntpd
# systemctl enable ntpd
CentOS/RHEL 6/5

# service ntpd start
# chkconfig ntpd on
Verify Configuration
You can verify the configuration using below command.

# ntpq -p
# date -R
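The output of `ntpq -p` only confirms the configuration if one peer line starts with `*`, which marks the server ntpd has actually synchronized to. The following added example (not part of the original article) reads that output and reports the result; the sample output is constructed and the 100 ms default threshold is an assumption.

```shell
#!/bin/sh
# Added example: interpret "ntpq -p" output instead of eyeballing it.
# The first character of each peer line is the tally code: "*" marks the
# peer ntpd is synchronized to, "+" a candidate, blank a rejected peer.
# reach is an octal bitmap of the last 8 polls (377 = all answered).

ntp_sync_status() {  # reads ntpq -p output on stdin; $1 = max |offset| in ms
    awk -v max="${1:-100}" '
        $1 == "remote" || /^=+$/ { next }          # header lines
        substr($0, 1, 1) == "*" {
            peer = substr($1, 2); reach = $7; off = $9
        }
        END {
            if (peer == "") { print "unsynced"; exit 1 }
            o = off + 0; if (o < 0) o = -o
            if (o > max + 0) { print "drift " peer " offset_ms=" off; exit 2 }
            print "synced " peer " offset_ms=" off " reach=" reach
        }
    '
}

sample_ntpq() {  # constructed output; addresses are documentation ranges
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   33   64  377   12.345    0.512   0.210
+203.0.113.11    203.0.113.10     2 u   40   64  377   15.100   -1.204   0.330
 203.0.113.12    .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Usage on the server:  ntpq -pn | ntp_sync_status
```

Right after a restart every peer shows reach 0 and no `*`; it takes a few poll intervals before ntpd selects a peer.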

 Configuring sudo Access

  1. Log in to the system as the root user.
  2. Create a normal user account using the useradd command. Replace USERNAME with the user name that you wish to create.
    # useradd USERNAME
  3. Set a password for the new user using the passwd command.
    # passwd USERNAME
    Changing password for user USERNAME.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
  4. Run visudo to edit the /etc/sudoers file. This file defines the policies applied by the sudo command.
    # visudo
  5. Find the lines in the file that grant sudo access to users in the group wheel when enabled.
    ## Allows people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL
  6. Remove the comment character (#) at the start of the second line. This enables the configuration option.
  7. Save your changes and exit the editor.
  8. Add the user you created to the wheel group using the usermod command.
    # usermod -aG wheel USERNAME
  9. Test that the updated configuration allows the user you created to run commands using sudo.
    1. Use su to switch to the new user account that you created.
      # su USERNAME -
    2. Use the groups command to verify that the user is in the wheel group.
      $ groups
      USERNAME wheel
    3. Use the sudo command to run the whoami command. As this is the first time you have run a command using sudo from this user account, the banner message will be displayed. You will also be prompted to enter the password for the user account.
      $ sudo whoami
      We trust you have received the usual lecture from the local System
      Administrator. It usually boils down to these three things:

          #1) Respect the privacy of others.
          #2) Think before you type.
          #3) With great power comes great responsibility.

      [sudo] password for USERNAME:
      root
      The last line of the output is the user name returned by the whoami command. If sudo is configured correctly this value will be root.
You have successfully configured a user with sudo access. You can now log in to this user account and use sudo to run commands as if you were logged in to the account of the root user.

Install SVN (Subversion) Server on Linux

Install SVN (Subversion) Server on Fedora 20/19, CentOS/Red Hat (RHEL) 6.5/5.10

This guide shows how to install an SVN (Subversion) server on Fedora 20/19/18/17/16/15/14, CentOS 6.5/6.4/6.3/6.2/6.1/6/5.10, Red Hat (RHEL) 6.5/6.4/6.3/6.2/6.1/6/5.10.

What is SVN (Subversion)?
Subversion is a free/open-source version control system. Subversion manages files and directories, and the changes made to them, over time. This allows you to recover older versions of your data, or examine the history of how your data changed. In this regard, many people think of a version control system as a sort of “time machine”.

Install SVN (Subversion) Server on Fedora 20/19/18, CentOS 6.5/5.10, Red Hat (RHEL) 6.5/5.10

1. Change root user
su -
## OR ##
sudo -i

2. Install needed packages (mod_dav_svn and subversion)
#yum install mod_dav_svn subversion
Note: If you don’t have Apache installed already, this command installs it as well.

3. Modify Subversion config file /etc/httpd/conf.d/subversion.conf
Add following config to /etc/httpd/conf.d/subversion.conf file:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>

4. Add SVN (Subversion) users
Use following command:

## Create testuser ##
htpasswd -cm /etc/svn-auth-users testuser
New password:
Re-type new password:
Adding password for user testuser

## Create testuser2 ##
htpasswd -m /etc/svn-auth-users testuser2
New password:
Re-type new password:
Adding password for user testuser2
Note: Use exactly the same file and path name as used in the subversion.conf file.

This example uses the /etc/svn-auth-users file.

5. Create and configure SVN repository
#mkdir /var/www/svn
#cd /var/www/svn

#svnadmin create testrepo
#chown -R apache:apache testrepo

## If you have SELinux enabled (you can check it with "sestatus" command) ## then change SELinux security context with chcon command ##

#chcon -R -t httpd_sys_content_t /var/www/svn/testrepo

## Following enables commits over http ##
#chcon -R -t httpd_sys_rw_content_t /var/www/svn/testrepo

#Restart Apache:
## Fedora ##
systemctl restart httpd.service
## OR ##
#service httpd restart

## CentOS / RHEL ##
/etc/init.d/httpd restart
## OR ##
service httpd restart

Go to http://localhost/svn/testrepo and enter your username and password; you should see something like the following:

SVN testrepo revision 0:

6. Configure repository
To disable anonymous access and enable access control, add the following rows to the testrepo/conf/svnserve.conf file:

## Disable anonymous access ##
anon-access = none

## Enable access control ##
authz-db = authz
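Note that svnserve.conf is read only by the svnserve daemon (svn:// access); when the repository is served through Apache as in step 3, access is governed by the `<Location>` block. The following added example (not part of the original article) flags `DAV svn` blocks that lack path-based authorization or a TLS requirement. The checks are heuristics, the function names are illustrative, and pointing AuthzSVNAccessFile at /var/www/svn/testrepo/conf/authz is an assumption.

```shell
#!/bin/sh
# Added example: list gaps in every <Location> block that serves "DAV svn".
# The two checks are heuristics chosen for this example, not an Apache tool.

svn_dav_gaps() {  # svn_dav_gaps <httpd conf file>; prints one line per gap
    awk '
        /^[ \t]*<Location[ \t]/ {
            path = $2; sub(/>$/, "", path)
            inloc = 1; dav = 0; authz = 0; tls = 0; next
        }
        /^[ \t]*<\/Location>/ {
            if (dav && !authz) print path ": no AuthzSVNAccessFile, any valid user reaches every path"
            if (dav && !tls)   print path ": no SSLRequireSSL, Basic credentials can travel over plain HTTP"
            inloc = 0; next
        }
        inloc {
            k = tolower($1)
            if (k == "dav" && tolower($2) == "svn") dav = 1
            if (k == "authzsvnaccessfile") authz = 1
            if (k == "sslrequiressl") tls = 1
        }
    ' "$1"
}

page_location_block() {  # the block from step 3 of this article
    cat <<'EOF'
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>
EOF
}

hardened_location_block() {  # same block plus both directives (constructed)
    page_location_block | awk '
        /^<\/Location>/ {
            print "SSLRequireSSL"
            print "AuthzSVNAccessFile /var/www/svn/testrepo/conf/authz"
        }
        { print }'
}

# Usage:  svn_dav_gaps /etc/httpd/conf.d/subversion.conf
```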

7. Create trunk, branches and tags structure under testrepo
Create “template” directories with following command:
#mkdir -p /tmp/svn-structure-template/{trunk,branches,tags}

Then import template to project repository using “svn import” command:
#svn import -m 'Initial import' /tmp/svn-structure-template/ http://localhost/svn/testrepo/
Adding /tmp/svn-structure-template/trunk
Adding /tmp/svn-structure-template/branches
Adding /tmp/svn-structure-template/tags

Committed revision 1.
Check results on browser and see testrepo revision 1: