FireDaemon Tips & Tricks

Passwordless root SSH Public Key Authentication on CentOS 6

It’s often useful to be able to SSH to other machines without being prompted for a password. Additionally, if you are using tools such as Parallel SSH, you will need to set up Public Key SSH Authentication. Setting it up is relatively straightforward:

1. On the client machine (i.e. the one you are SSH’ing from) you will need to create an SSH RSA key. Run the following command and leave the passphrase empty when prompted:

[root@node01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c6:66:93:16:73:0b:bf:46:46:28:7d:a5:38:a3:4d:6d root@node01
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . + o     |
|      . @ E      |
|       * & .     |
|      . S =      |
|       = + .     |
|          o      |
|         .       |
|                 |
+-----------------+

2. This will generate the following files:

[root@node01 ~]# cd ~/.ssh
[root@node02 .ssh]# ls -l
total 8
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-r--r--. 1 root root  406 Jul 27 15:01 id_rsa.pub

3. On the client machine, tighten up file system permissions:

[root@node01 ~]# chmod 700 ~/.ssh
[root@node01 ~]# chmod 600 ~/.ssh/*
[root@node01 ~]# ls -ld ~/.ssh && ls -l ~/.ssh
drwx------. 2 root root 4096 Jul 27 15:01 /root/.ssh
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-------. 1 root root  406 Jul 27 15:01 id_rsa.pub

4. Now copy the public key to the machine you want to SSH to and fix permissions (you will be prompted for the root password):

[root@node01 ~]# ssh root@node02 'mkdir -p /root/.ssh'
[root@node01 ~]# scp /root/.ssh/id_rsa.pub root@node02:/root/.ssh/authorized_keys
[root@node01 ~]# ssh root@node02 'chmod  700 /root/.ssh'
[root@node01 ~]# ssh root@node02 'chmod  600 /root/.ssh/*'

You can also use the ssh-copy-id utility to do the above steps. If you don't have scp on the remote machine, you will need to install it:

[root@node01 ~]# ssh root@node02 'yum install openssh-clients'

You should now be able to ssh directly from node01 to node02 without providing a password:

[root@node01 ~]# ssh node02
Last login: Wed Jul 27 15:41:56 2011 from 10.255.5.57
[root@node ~]#

IMPORTANT

There is a bug in CentOS 6 / SELinux that causes all client-presented certificates to be ignored when SELinux is set to Enforcing. To fix this, simply run:

[root@node01 ~]# ssh root@node02 'restorecon -R -v /root/.ssh'
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
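
As an added example (not part of the original post), these shell functions perform step 4 on the target machine without replacing an existing authorized_keys, which the scp command above does: the key is appended only if it is missing, the 700/600 modes are applied, and restorecon is run where it is installed. The function names and the optional directory argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original post. Run on the target machine.
#
# install_pubkey PUBKEY_FILE [SSH_DIR]
#   Appends the key to SSH_DIR/authorized_keys unless it is already listed,
#   so keys that are already authorised are kept.
install_pubkey() {
    local pubkey_file="$1" ssh_dir="${2:-/root/.ssh}" key=""
    local auth="$ssh_dir/authorized_keys"

    # Take the first line and check it is a public key (not id_rsa itself).
    IFS= read -r key < "$pubkey_file" || [ -n "$key" ] || return 1
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Same modes as the manual steps: 700 on the directory, 600 on the file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # grep -x (whole line) -F (fixed string): exact duplicate check.
    if ! grep -qxF -- "$key" "$auth"; then
        # Terminate an unterminated last line before appending.
        [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ] && echo >> "$auth"
        printf '%s\n' "$key" >> "$auth"
    fi

    # Reset SELinux labels where restorecon is installed (CentOS 6 fix).
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$ssh_dir" || true
    fi
}

# ssh_perms_ok [SSH_DIR]: succeeds only when the modes are exactly 700 and 600.
ssh_perms_ok() {
    local ssh_dir="${1:-/root/.ssh}"
    [ "$(stat -c %a "$ssh_dir")" = 700 ] &&
        [ "$(stat -c %a "$ssh_dir/authorized_keys")" = 600 ]
}
```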

Wednesday, July 27th, 2011 FireDaemon Tips & Tricks 4 Comments

Running TeamSpeak 3 Server As A Service With FireDaemon

Ran into this video today on Running TeamSpeak 3 Server under FireDaemon.

Tuesday, May 17th, 2011 FireDaemon Tips & Tricks No Comments

Scheduling a Service to run once per day.

If you need a service to run once per day at a specific time and then exit, you can do so with the following:

  1. Create your service as normal
  2. Set Settings -> Upon Program Exit -> Disabled (or Report the Termination)
  3. Set Scheduling -> Schedule a Restart -> At Specific Time

This will cause FireDaemon to run your app initially to completion. When the app quits FireDaemon doesn’t restart it. At the “Specific Time” the app is run again and the cycle continues.

Wednesday, May 5th, 2010 FireDaemon Tips & Tricks No Comments

Are User Passwords Encrypted?

This was a question that was recently asked in a support ticket and it is a very good one.  For those of us who are concerned about security, this is very important.

Rest assured though, the service password is not stored in the filesystem. When the service is created, it is passed to the Service Control Manager, where it is hashed and stored in the SAM.

Wednesday, March 31st, 2010 FireDaemon Tips & Tricks No Comments

FireDaemon Fusion: Web based Windows service manager

What Is Fusion?

FireDaemon Fusion is a lightweight, secure standalone application server that delivers complete web based configuration, management and control of your FireDaemon Pro and Windows builtin services.

Use Fusion if:

  1. You require the ability to edit and control every aspect of your FireDaemon or Windows services via your browser
  2. You want to deploy a lightweight application server running as a native builtin service in preference to IIS or a .NET webserver under FireDaemon control
  3. You don’t wish to install FireDaemon services or only wish to install FireDaemon services on certain machines
  4. You have no need for a GUI based client (MFC or .NET)

Get your copy here:

Run app as service and Manager via web browser

Tuesday, March 9th, 2010 FireDaemon Tips & Tricks No Comments

Process ID Changes Every Few Seconds

If the process ID of your FireDaemon service is changing rapidly, it’s probably because the process is crashing, not starting correctly or terminating.

Generally it can be a pain to troubleshoot this kind of problem, but there are a few things you can do to fix it:

  1. Check the Windows event logs; they usually reveal exactly what’s happening.
  2. The local file system permissions might be wrong, see http://forums.firedaemon.com/system-permission-local-drives-t648.html for more information.
  3. If the executable is on a mapped drive or UNC path, your path might be in the wrong format, see http://forums.firedaemon.com/do-use-mapped-drives-t38.html for more information.
  4. Are you remotely connected via RDP?  Make sure the “Shadow Console” is enabled.  See http://forums.firedaemon.com/accessing-shadow-console-via-t397.html for more information.
  5. If all else fails, then enable Debug Logging in the FireDaemon Service, let the service run a few times and then look at the debug log to see what’s happening.  If you don’t understand it, you can send a support ticket and attach the debug log to your ticket.

Thursday, March 4th, 2010 FireDaemon Tips & Tricks No Comments

Application doesn’t launch under FireDaemon

Often FireDaemon services are run off other local drives, e.g. E:, F: etc. These drives could be a new local disk array, iSCSI targets or SAN LUNs. If you find your app is not launching under FireDaemon control, then check that the drive's Security permissions include SYSTEM / Full Control. You need to check this because when you add a new drive to a machine and format it with NTFS, this permission is not automatically set. To check this:

  1. Go to My Computer and look for the local drive you want to check.
  2. Right click on the local drive and select Properties.
  3. Click on the Security tab
  4. In the list of “Group or user names” look for SYSTEM. If it is not there click Edit
  5. A new dialog box will be displayed titled “Permissions for E:”
  6. Click Add
  7. A new dialog box will be displayed titled “Select Users or Groups”
  8. In the “Enter the object names to select” type SYSTEM and click the Check Names button.
  9. Click OK
  10. Then in the “Permissions for E:” dialog, check Full Control
  11. Then click OK twice.

Your FireDaemon apps should launch correctly.

Monday, January 25th, 2010 FireDaemon Tips & Tricks No Comments

Giving A Normal User Rights To Control A Service With subinacl

Normally starting and stopping a service requires administrator privileges, but you can assign a normal user the right to control an individual service. You do this with the subinacl.exe utility included in the Windows Resource Kit. You can also download it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

To give the user “John” the right to start and stop the TestService service, log on as administrator and run the following command:

subinacl /SERVICE "TestService" /GRANT=john=TO

You can also give a user the right to control a service through the use of Group Policies:

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129

Thursday, January 21st, 2010 FireDaemon Tips & Tricks No Comments

Correcting Clock Rollbacks / Rollforwards

If you modify your system clock whilst running FireDaemon in evaluation mode you might encounter this error:

Your system clock appears to have been set back, possibly in an attempt to defeat the security system on this program. Please correct your system clock before trying to run this program again. If your clock is correct, please contact the author of this program for instructions on correcting this error (report code 0,2853,2488).

Wednesday, January 20th, 2010 FireDaemon Tips & Tricks No Comments

PanelDaemon Won’t Install

When installing PanelDaemon, do you get errors like “The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: WEBCA_EvaluateURLsNoFail”?

If so, then it is because you have no websites set up in IIS. First set up a website instance and then try the installation of PanelDaemon again.

If you have further problems, check out the installation guide at http://www.paneldaemon.com/manual/

Tuesday, January 19th, 2010 FireDaemon Tips & Tricks No Comments
