First of all, I needed to know whether the /etc/sysctl.conf I had on my box differed from the original one. But, before doing that, I had to know which RPM package had installed that file. So, I used the rpm command to query this file:

# rpm -qf /etc/sysctl.conf
initscripts-9.03.27-1.el6.centos.1.i686

So, the initscripts package had installed /etc/sysctl.conf.

Then I verified the initscripts package:

# rpm -V initscripts
S.5....T.  c /etc/sysconfig/init
S.5....T.  c /etc/sysctl.conf

According to the following table:

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ

the attributes: size, MD5 checksum and the modification time of /etc/sysctl.conf that existed on my system differed from the attributes of the original file.

Since I had no idea the exact changes I had made to that file at some earlier time, I needed to restore the original and re-modify it from scratch. The new yum “reinstall” command could be used to to do this quite easily.

First, I kept a copy of the current file:

# mv /etc/sysctl.conf /etc/sysctl.conf.modified

Then I reinstalled initscripts using YUM’s reinstall command:

# yum reinstall initscripts
Loaded plugins: downloadonly, fastestmirror, priorities
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * base: ftp.ntua.gr
 * epel: ftp.ntua.gr
 * extras: ftp.ntua.gr
 * ius: mirror.rackspace.co.uk
 * updates: centosr3.centos.org
6 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package initscripts.i686 0:9.03.27-1.el6.centos.1 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                              Arch                          Version                                           Repository                        Size
=============================================================================================================================================================
Reinstalling:
 initscripts                          i686                          9.03.27-1.el6.centos.1                            updates                          934 k

Transaction Summary
=============================================================================================================================================================
Reinstall     1 Package(s)

Total download size: 934 k
Installed size: 5.4 M
Is this ok [y/N]: y
Downloading Packages:
initscripts-9.03.27-1.el6.centos.1.i686.rpm                                                                                           | 934 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : initscripts-9.03.27-1.el6.centos.1.i686                                                                                                   1/1

Installed:
  initscripts.i686 0:9.03.27-1.el6.centos.1

Complete!

Verify the initscripts package again:

# rpm -V initscripts
S.5....T.  c /etc/sysconfig/init

No verification errors for /etc/sysctl.conf. Note that reinstalling the package did not touch the /etc/sysconfig/init file. It has been mentioned previously that rpm packages do not overwrite existing configuration files.

I had the original file back and I could then start customizing it from scratch.

Restore original configuration files from RPM packages, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• YUM-Priorities Configuration for a CentOS Desktop
• How To Build RPM Packages on Fedora
• How to extract RPM or DEB packages
• Running supervisor 3 on CentOS 5
• RHEL kernel source released with patches already applied

wget ftp://ftp.cc.uoc.gr/mirrors/linux/fedora/linux/development/rawhide/source/SRPMS/supervisor-3.0-0.4.a10.fc16.src.rpm

The simplest way to build an RPM for our CentOS release is to use the --rebuild option of rpmbuild:

rpmbuild --rebuild supervisor-3.0-0.4.a10.fc16.src.rpm

Wait a few seconds for it to finish and then your binary RPM package will be in ~/<your_building_env>/RPMS/....

To satisfy dependencies, you will also need the package python-meld3. So, download and rebuild it:

wget ftp://ftp.cc.uoc.gr/mirrors/linux/fedora/linux/development/rawhide/source/SRPMS/python-meld3-0.6.7-4.fc16.src.rpm
rpmbuild --rebuild python-meld3-0.6.7-4.fc16.src.rpm

Having built RPM packages for supervisor and python-meld3, you can now transfer them to a testing box and install them:

yum localinstall /path/to/supervisor.rpm /path/to/python-meld3
yum install python-elementtree

We also installed elementtree as this is a dependency missing from the supervisor spec file (note to self: file a bug report).

Finally, try to start supervisord:

/etc/init.d/supervisord start

Surprisingly, it complains about the missing elementtree!

Starting supervisord: Traceback (most recent call last):
  File "/usr/bin/supervisord", line 5, in ?
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 2479, in ?
    working_set.require(__requires__)
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 585, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 483, in resolve
    raise DistributionNotFound(req)  # XXX put more info here
pkg_resources.DistributionNotFound: elementtree

Checking the requirements file at: /usr/lib/python2.4/site-packages/supervisor-3.0a10-py2.4.egg-info/requires.txt there are no special version requirements:

meld3 >= 0.6.5
elementtree

[iterparse]
cElementTree >= 1.0.2

After some investigation on the supervisor-users mailing list, I found a message that indicated that setuptools.setup() should be used instead of distutils.core.setup() in the setup.py script.

So, the dependency resolution depends on the way the package has been installed! I didn’t even bother to patch setup.py… Knowing that the dependencies are correctly installed, I commented out the elementtree line and also the meld3 line as this caused the same error.

So, my /usr/lib/python2.4/site-packages/supervisor-3.0a10-py2.4.egg-info/requires.txt file looks like this:

#meld3 >= 0.6.5
#elementtree

[iterparse]
cElementTree >= 1.0.2

Now supervisor starts without errors:

# /etc/init.d/supervisord start
Starting supervisord:                                      [  OK  ]
# cat /var/log/supervisor/supervisord.log
2011-05-12 02:56:08,221 CRIT Supervisor running as root (no user in config file)
2011-05-12 02:56:08,267 INFO RPC interface 'supervisor' initialized
2011-05-12 02:56:08,267 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2011-05-12 02:56:08,271 INFO daemonizing the supervisord process
2011-05-12 02:56:08,272 INFO supervisord started with pid 21337

This is what it takes to run supervisord 3 in CentOS 5 or RHEL 5. If you have any comments and suggestions, please let me know in the comments below.

Running supervisor 3 on CentOS 5, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• High CPU usage while running CentOS as guest on Virtualbox or VMware
• Sticking with CentOS, RPMforge and yum-priorities for now
• YUM-Priorities Configuration for a CentOS Desktop
• Awaiting CentOS 6
• My running dog

There is an ongoing discussion about it at LWN you might find interesting.

RHEL kernel source released with patches already applied, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• The Complete Fedora Kernel Headers
• Build a single native kernel module
• Kernel 2.6.17 and lirc_gpio driver
• Get my kernel headers script
• Software that detects violations of open source licenses

Awaiting CentOS 6, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• High CPU usage while running CentOS as guest on Virtualbox or VMware
• Running supervisor 3 on CentOS 5
• Fedora Server vs CentOS
• CentOS, Debian, FreeBSD, OpenSolaris
• YUM-Priorities Configuration for a CentOS Desktop

Is a caching nameserver really important?

There is some controversy about the real benefits of using a caching name server in a system, either desktop or server. In this article we keep controversy out of the discussion and focus on the performance improvement the caching of DNS information can offer to a system while performing specific tasks. For instance, a caching nameserver allows a web browser to acquire DNS information from the local DNS cache, provided that this information has already been cached, without the need to access any public DNS servers, which results in faster web browsing. Similarly, in a server environment, services like spam filters often need to perform many DNS queries for the same hostnames. The latency of the communication with the remote nameserver may add up to the total time of email processing.

BIND vs dnsmasq

BIND is the flagship of DNS servers with large deployments around the globe. I have used BIND for many years as a caching nameserver, even on my desktop, until I realized it is overkill to use BIND this way. There are lighter solutions, even all-in-one software like dnsmasq, that seem to be more suitable for setting up local DNS caching.

System preparation

So, let’s get started with the system preparation before going into the details of the dnsmasq configuration.

First of all, we need to install dnsmasq:

yum install dnsmasq

dnsmasq, when run as root, is designed to drop privileges and run as an unprivileged user. By default, this user is nobody. We use a dedicated system user to run dnsmasq.

Run the following commands as root to create such an unprivileged system user and group named dnsmasq:

groupadd -r dnsmasq
useradd -r -g dnsmasq dnsmasq

The above should be enough.

Configuration

All dnsmasq configuration options go into /etc/dnsmasq.conf. Here we write this file from scratch, so if you need to keep a copy of the original that ships with your distribution, do so with:

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

Now, let’s get started with adding our own dnsmasq configuration in /etc/dnsmasq.conf.

First of all, we set some options regarding the basic server operation like the interface and port on which it should bind, the unprivileged user that should run the service and a PID file:

listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid

The bind-interfaces directive instructs dnsmasq to bind only to the network interface specified in the listen-address directive.

Next comes logging.

By default, dnsmasq sends its log messages to the DAEMON syslog facility (LOCAL0 when operating in debug mode). We go with the defaults here, but keep in mind that a separate log file can be set as it is shown in the configuration snippet below (currently commented out):

#log-facility=/var/log/dnsmasq.log
#log-queries

Logging to file requires some extra configuration for proper log rotation. For more information, please read Appendix II.

Finally, we set the options that configure dnsmasq’s name resolution and caching operations.

The following directives prevent dnsmasq from forwarding plain names (without any dots) or addresses in the non-routed address space to the parent nameservers.

domain-needed
bogus-priv

The no-hosts directive also instructs dnsmasq not to read any hostnames from /etc/hosts. In most systems, /etc/hosts is queried before a DNS service is used by the system for name lookups. So, all plain name to private IP mappings should normally be added in /etc/hosts. If this is not what you want, then take a look at the expand-hosts and domain directives.

no-hosts

Set the maximum number of concurrent DNS queries. The default value is 150. Adjust to your needs.

dns-forward-max=150

Set the size of the dnsmasq cache. The default is to keep 150 hostnames. By setting the cache size to 0 disables the feature (this is not what we really want). Again, adjust this value according to your needs.

cache-size=1000

The following directive controls whether negative caching should be enabled or not. Negative caching allows dnsmasq to remember “no such domain” answers from the parent nameservers, so it does not query for the same non-existent hostnames again and again. This is probably useful for spam filters or MTA services. By default, negative caching is enabled. To disable, un-comment the following directive.

#no-negcache

The neg-ttl directive sets a default TTL value to add to negative replies from the parent nameservers, in case these replies do not contain TTL information. If neg-ttl is not set and a negative reply from a parent DNS server does not contain TTL information, then dnsmasq will not cache the reply. Here we set the default TTL to 3600 seconds. Again, adjust to your specific needs.

neg-ttl=3600

Here we use a separate file where dnsmasq reads the IPs of the parent nameservers from. The syntax is the same as in /etc/resolv.conf. We do this to facilitate the manipulation of the parent nameservers that should be used by dnsmasq by using, for example, an external script. The filename we use here is resolv.dnsmasq, but this can be changed to your liking. We also set the no-poll directive here to prevent dnsmasq from polling the ‘resolv’ file for changes.

resolv-file=/etc/resolv.dnsmasq
no-poll

A full configuration file containing all the above configuration, which can can be used as a drop-in replacement of the default /etc/dnsmasq.conf, can be found in Appendix I.

Upstream Nameservers

We have used a separate file to store the IPs of the parent nameservers; that is /etc/resolv.dnsmasq. Using the same syntax as in /etc/resolv.conf add the nameserver IP addresses in resolv.dnsmasq. For example:

nameserver 192.168.0.252
nameserver 192.168.0.253
nameserver 192.168.0.254

Note that we still need to make a change in /etc/resolv.conf before the system starts using dnsmasq for domain name lookups. Read on…

Starting dnsmasq

In order to start dnsmasq, run as root:

/etc/init.d/dnsmasq start

Check the syslog or the dnsmasq logfile (if used) for any error messages.

If everything seems to be OK, set the dnsmasq service to start on boot:

chkconfig dnsmasq on

This command might be Red-Hat specific, so consult your distribution’s documentation about how to set services to start on boot.

Switch name resolution to dnsmasq

What we have done so far is set up the dnsmasq service. For hostnames that do not exist in /etc/hosts the system still uses the nameserver inside /etc/resolv.conf for name resolution.

To start using dnsmasq, edit /etc/resolv.conf, remove all nameservers and add only the IP of our dnsmasq service:

nameserver 127.0.0.1

From now on, the system will use dnsmasq for domain name resolution. You can un-comment the log-queries option in order to confirm the dnsmasq operation.

Appendix I – Full configuration file

This is the complete configuration file containing the configuration that has been discussed in this article. Note that it can be used as is to replace the default /etc/dnsmasq.conf.

#
# Configuration file for dnsmasq acting as a caching nameserver.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
#
# Updated versions of this configuration file may be available at:
#
#   http://www.g-loaded.eu/2010/09/18/caching-nameserver-using-dnsmasq/
#

#
# Basic server configuration
#

listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid

#
# Logging
#

#log-facility=/var/log/dnsmasq.log
#log-queries

#
# Name resolution options
#

domain-needed
bogus-priv
no-hosts
dns-forward-max=150
cache-size=1000
#no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

This file is meant to be used both on servers and desktops.

Appendix II – Logging to file

Before dnsmasq starts logging to file it is required to set the path to the logfile in the log-facility option inside /etc/dnsmasq.conf.

log-facility=/var/log/dnsmasq.log

To ensure proper rotation of the log file you should use the following logrotate configuration:

/var/log/dnsmasq.log {
    monthly
    missingok
    notifempty
    delaycompress
    sharedscripts
    postrotate
        [ ! -f /var/run/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq.pid`
    endscript
    create 0640 dnsmasq dnsmasq
}

Save the above configuration in /etc/logrotate.d/dnsmasq. Also, adjust the log filename or the path to the PID file in case you have used custom names, but make sure you do not change the USR2 signal that is sent to the dnsmasq process in the post-rotation script.

Final Thoughts

dnsmasq is a very lightweight service. Therefore, you can run it on any system, either server or desktop without any noticeable impact on system resources. In this guide we used it as an internal system service bound to the loopback interface, without permitting direct access from the outside. This along with the fact that dnsmasq is mature software that has been around for several years makes our setup rather secure.

Several people might argue that the performance improvement a local caching nameserver offers in terms of name lookup speed is insignificant. This might be true in some cases, but there are times that this performance improvement is noticeable, especially when the quality of the network connectivity between the current machine and the upstream nameserver is an issue, or when the upstream name server is overloaded. On the other hand, it is almost certain that a local caching DNS server can in no way make name resolution slower, unless perhaps a huge cache is being used. Generally, I find keeping such a service operational a good idea.

In this article we discussed about one of the dnsmasq features: DNS caching. dnsmasq is a lot more than just that. Check the whole feature set in the dnsmasq homepage. Perhaps, in the future, more guides covering other features of this software are published. Until then, enjoy local DNS caching!!!

Caching Nameserver using dnsmasq, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• How to change the Timezone
• Use wget or curl to download from RapidShare Premium
• How to Disable IPv6 in Fedora and CentOS
• CPU Time saved by WP-Super-Cache

#################################################################################
# mod_python and mod_wsgi compatibility note
#################################################################################
# mod_wsgi will deadlock if run in daemon mode while mod_python is enabled
# do not enable both mod_python and mod_wsgi if you are going to use the
# WSGIDaemonProcess directive
# In previous version of mod_wsgi, apache would segfault when both mod_wsgi
# and mod_python were enabled.  This update does not guarantee that will not
# happen.
#################################################################################
# Do not enable mod_python and mod_wsgi in the same apache process.
#################################################################################

Keep this in mind if you plan to mix both modules under the same Apache instance.

Update: As Graham pointed out in this comment, there is no issue if mod_python 3.3.1 is used. That’s great news because I would miss the flexibility of mod_python when it comes to request processing.

mod_wsgi incompatible with mod_python, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Making a directory writable by the webserver
• My running dog
• Use mod_deflate to Compress Web Content delivered by Apache

#! /usr/bin/env bash
#
# Error Report for httpd
#
# Requires:
#   - scanerrlog - http://www.librelogiciel.com/software/ScanErrLog/action_Presentation
#   - jaxml - http://www.librelogiciel.com/software/jaxml/action_Presentation
#
 
cat /var/log/httpd/error_log \
    /var/www/vhosts/*/log/error_log \
    | python /usr/local/bin/scanerrlog.py -f text \
    | /bin/mail -s "`hostname` - Apache Error Report" root@localhost
 
exit 0

Some notes:

1. Make sure that this cronjob runs before log rotation takes place.
2. The above shell script concatenates the error_log files from the main web server and all virtualhosts. Edit the paths to reflect your server configuration and virtualhost layout.
3. Edit the path to scanerrlog.py.

Scanerrlog has some quite nice features that let you further customize the report. Make sure you read the help message.

Script for Apache Error Report, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• SELinux audit reports script
• Strange mod_dav_svn error
• How to integrate seaudit-report in logwatch
• SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls
• When it comes to error messages…

function rsse_add_related_posts($PostBody) {
  if (!rsse_verify_feed()) { return $PostBody; }
  if (function_exists('yarpp_related')) {
    $PostBody .= yarpp_related(array('post'),array(),false,false,'rss');
  }
  return $PostBody;
}
 
add_filter('the_content', 'rsse_add_related_posts', 252);

This code used a function of another plugin to attach a ‘related posts‘ section at the end of the full content of each feed entry. As soon as I commented out the above filter and started attaching the related-posts section to the feed content through the YARPP plugin’s administration interface, everything was normal again. No more php-cgi processes timing-out or over-consuming the CPU cycles.

The following graph shows clearly the problematic period:

php-cgi processes consuming the CPU

The httpd error_log included many errors like the following:

[...]
Allowed memory size of 33554432 bytes exhausted (tried to allocate 18893 bytes)
[...]
mod_fcgid: process ... exit(communication error), terminated by calling exit(), return code: 1
[...]
[warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[...]
[warn] mod_fcgid: stderr: PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 4864 bytes)
[...]
Premature end of script headers: index.php
[...]

Note that these errors might appear in several occasions.

In my case, finding that faulty piece of code was a huge relief, I can tell you.

Issues with the feeds are now resolved, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• WordPress 2.0.6 – Feed Issues Resolved
• Issue addressed: Author feeds deliver full content
• Status of content availability via feeds
• G-Loaded Feeds
• When it comes to error messages…

But first, let’s install some dependencies. I assume that you will try the code on a machine aimed for testing, so I won’t be using the system’s package manager but instead use easy_install to install the needed Python modules. Other commands like pip could be used as well. If you do not want to mess with your system-wide python installation, just use virtualenv and pip, but I won’t go into the details about how to use these tools in the current document.

Install the needed dependencies:

easy_install pycrypto
easy_install pyasn1
easy_install pam
easy_install twisted

Make sure you have gcc installed, because it will be needed to complete the installation of Twisted and PyCrypto.

I have created a project for this code at Bitbucket, called RapidSSH. This will make it easier to share code and ideas about SSH server implementations in Python using Twisted.

Filename: scripts/rapidsshd_unix.py

#!/usr/bin/env python
#
# This file is part of rapidssh - http://bitbucket.org/gnotaras/rapidssh/
#
# rapidssh - A set of Secure Shell (SSH) server implementations in Python
#            using Twisted.conch, part of the Twisted Framework.
#
# Copyright (c) 2010 George Notaras - http://www.g-loaded.eu
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# Initially based on the sshsimpleserver.py kindly published by:
# Twisted Matrix Laboratories - http://twistedmatrix.com
#
 
import sys
import pam
 
from twisted.conch.unix import UnixSSHRealm
from twisted.cred import portal
from twisted.cred.credentials import IUsernamePassword
from twisted.cred.checkers import ICredentialsChecker
from twisted.cred.error import UnauthorizedLogin
from twisted.conch.checkers import SSHPublicKeyDatabase
from twisted.conch.ssh import factory, userauth, connection, keys, session
from twisted.internet import reactor, defer
from zope.interface import implements
from twisted.python import log
 
# Logging
# Currently logging to STDERR
log.startLogging(sys.stderr)
 
# Server-side public and private keys. These are the keys found in
# sshsimpleserver.py. Make sure you generate your own using ssh-keygen!
 
publicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEArzJx8OYOnJmzf4tfBEvLi8DVPrJ3/c9k2I/Az64fxjHf9imyRJbixtQhlH9lfNjUIx+4LmrJH5QNRsFporcHDKOTwTTYLh5KmRpslkYHRivcJSkbh/C+BR3utDS555mV'
 
privateKey = """-----BEGIN RSA PRIVATE KEY-----
MIIByAIBAAJhAK8ycfDmDpyZs3+LXwRLy4vA1T6yd/3PZNiPwM+uH8Yx3/YpskSW
4sbUIZR/ZXzY1CMfuC5qyR+UDUbBaaK3Bwyjk8E02C4eSpkabJZGB0Yr3CUpG4fw
vgUd7rQ0ueeZlQIBIwJgbh+1VZfr7WftK5lu7MHtqE1S1vPWZQYE3+VUn8yJADyb
Z4fsZaCrzW9lkIqXkE3GIY+ojdhZhkO1gbG0118sIgphwSWKRxK0mvh6ERxKqIt1
xJEJO74EykXZV4oNJ8sjAjEA3J9r2ZghVhGN6V8DnQrTk24Td0E8hU8AcP0FVP+8
PQm/g/aXf2QQkQT+omdHVEJrAjEAy0pL0EBH6EVS98evDCBtQw22OZT52qXlAwZ2
gyTriKFVoqjeEjt3SZKKqXHSApP/AjBLpF99zcJJZRq2abgYlf9lv1chkrWqDHUu
DZttmYJeEfiFBBavVYIF1dOlZT0G8jMCMBc7sOSZodFnAiryP+Qg9otSBjJ3bQML
pSTqy7c3a2AScC/YyOwkDaICHnnD3XyjMwIxALRzl0tQEKMXs6hH8ToUdlLROCrP
EhQ0wahUTCk1gKA4uPD6TMTChavbh4K63OvbKg==
-----END RSA PRIVATE KEY-----"""
 
 
class PamPasswordDatabase:
    """Authentication/authorization backend using the 'login' PAM service"""
    credentialInterfaces = IUsernamePassword,
    implements(ICredentialsChecker)
 
    def requestAvatarId(self, credentials):
        if pam.authenticate(credentials.username, credentials.password):
            return defer.succeed(credentials.username)
        return defer.fail(UnauthorizedLogin("invalid password"))
 
 
class UnixSSHdFactory(factory.SSHFactory):
    publicKeys = {
        'ssh-rsa': keys.Key.fromString(data=publicKey)
    }
    privateKeys = {
        'ssh-rsa': keys.Key.fromString(data=privateKey)
    }
    services = {
        'ssh-userauth': userauth.SSHUserAuthServer,
        'ssh-connection': connection.SSHConnection
    }
 
# Components have already been registered in twisted.conch.unix
 
portal = portal.Portal(UnixSSHRealm())
portal.registerChecker(PamPasswordDatabase())   # Supports PAM
portal.registerChecker(SSHPublicKeyDatabase())  # Supports PKI
UnixSSHdFactory.portal = portal
 
if __name__ == '__main__':
    reactor.listenTCP(5022, UnixSSHdFactory())
    reactor.run()

Some notes:

• The server uses the very same public and private keys as found in the sshsimpleserver.py script. Make sure you generate new keys using ssh-keygen if you plan to run this on a public server (although this not recommended).
• Twisted included a module for PAM authentication, twisted.cred.pamauth, but unfortunately I could not locate one of its dependencies to make it work. So, I used the excellent python-pam to create a custom PAM authenticator class.
• I can guess what you might thought when you read about this code:
  

  Python is a cross-platform programming language. Twisted runs on Windows. So, is this a solution for running a SSH server on Win32?

  Well, at the moment it won’t run because internally it uses some Python modules that are available on UNIX platforms only. But, I intend to investigate the possibility of running this on Windows since I already need something like that.

We can now enjoy our Python SSH server. Run as root:

python scripts/rapidsshd_unix.py

From another machine, connect to the server using an ssh client:

ssh -p 5022 rocky@arena

If you have deployed your public key in the ~/.ssh/authorized_keys file on the remote machine (arena), you should be able to authenticate using the public key:

ssh -p 5022 -i /path/to/private.key rocky@arena

You should get output like the following on the server:

[root@arena ~]# python ssh.py
2010-03-26 21:30:05+0000 [-] Log opened.
2010-03-26 21:30:05+0000 [-] __main__.UnixSSHdFactory starting on 5022
2010-03-26 21:30:05+0000 [-] Starting factory <__main__.UnixSSHdFactory instance at 0xb7a0b0cc>
2010-03-26 21:30:13+0000 [__main__.UnixSSHdFactory] disabling diffie-hellman-group-exchange because we cannot find moduli file
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] outgoing: aes256-ctr hmac-sha1 none
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] incoming: aes256-ctr hmac-sha1 none
2010-03-26 21:30:14+0000 [SSHServerTransport,0,192.168.0.172] NEW KEYS
2010-03-26 21:30:14+0000 [SSHServerTransport,0,192.168.0.172] starting service ssh-userauth
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth none
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky authenticated with publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] starting service ssh-connection
2010-03-26 21:30:17+0000 [SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] got channel session request
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] channel open
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] pty request: xterm (24L, 80L, 0L, 0L)
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] getting shell

This first release of the RapidSSH project exists solely for demonstration purposes. Don’t get fooled by the small amount of code. Information about how to put the pieces together is scarce and it required a lot trial&error and source code reading. The above implementation contains none of the customizations I had in mind. These will be done as soon as I find some time to do so. Until then it will be nice to hear about your experiences or implementations you have worked on.

Python SSH Server for UNIX Systems using Twisted.conch, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Epiphany Python Console – Open New Tab
• Python IRC Bot
• Python Crash Course
• Set up the VNC Server in Fedora
• Descramble Passwords from gftp Bookmarks using Python

[Update: It has been resolved. Update you SA rules]

To inactivate the FH_DATE_PAST_20XX test system-wide add the following line to the Spamassassin configuration file, usually located at /etc/mail/spamassassin/local.cf:

score FH_DATE_PAST_20XX 0

If you use the spamassassin server (spamd), don’t forget to restart it for the changes to take effect.

As I have mentioned in the update above, the issue has been resolved (Kudos). The Spamassassin developers have released updated rules for the FH_DATE_PAST_20XX test, so make sure you run sa-update:

/usr/bin/sa-update

If you compile your rules, make sure you also run /usr/bin/sa-compile and of course restart spamd.

Spamassassin FH_DATE_PAST_20XX test buggy in 2010, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Windows 7, OpenSolaris – put to the test
• Fedora Core 5 Test 2 Review
• Wishes for a happy 2010