Sysadmin Blog

How do I verify that a private key matches a certificate?

info@cyberbyte.ch (Mike Rhyner) — Fri, 11 Feb 2022 11:47:56 GMT

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key:

openssl rsa -check -noout -in myserver.key
RSA Key is ok

If it doesn't say 'RSA key ok', it isn't OK!"

To view its modulus:

openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the modulus of the RSA public key in a certificate:

openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first commands shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not exactly match, then you're not using the correct private key.

Automount user's home directories

info@cyberbyte.ch (Mike Rhyner) — Sun, 16 May 2004 22:00:00 GMT

Follow those steps for automounting every user's homedir under a particular directory:

Make sure you have installed autofs

Add the following line to the automount.master file (mostly in /etc/autofs/):

    /home/net    /etc/autofs/auto.home

Then Add this line to auto.home (mostly in /etc/autofs/):

    *	-rw,soft,intr	server:/&

or for a SAMBA server:

    *	-rw,soft,intr,fstype=smbfs,uid=&,gid=100,credentials=/home/&/.smbpasswd             ://server/&

But what does that mean?
The Asterisk (*) stands for any (pseudo)-directory under the given mountpoint. After the dash, there are the mount options, and with the Ampersand (&) we refer to the directory name that would be accessed by the user. So the appropriate NFS export or sharename will be automounted. For SAMBA, it is used also for setting the owner of the files in the mounted directory and for the credentials file in user's (local) home directory for authentication.

With this, users can just use their home directory on a server, e.g. by cd'ing to /home/net/. After some time of inactivity, the directory will be unmounted without manual intervention.

Integrate new drivers into a RedHat Network Boot Disk

info@cyberbyte.ch (Mike Rhyner) — Mon, 22 Sep 2003 22:00:00 GMT

It is possible that the hardware changes with new server models and you cannot boot any more from the RedHat Bootdisk. Then you need to inspect your new hardware and see what new devices are built in and get a driver for it.

For more convenience, I have written some simple scripts, which do the most annoying tasks.

The drivers need to be changed on different locations:

Network drivers must be put on the boot-disk, because all other packages, drivers, etc. are loaded from a network location

Ungzip bootnet.img.gz with:

        gunzip bootnet.img.gz

Mount the Image as a loop filesystem on /mnt/bootimage:

        unpack_bootimage.sh bootnet.img

Unpack and mount the inital ramdisk with the following script, give the initrd-file under /mnt/bootimage/ as argument. The inital ramdisk will be mounted under /mnt/initrd:

        unpack_initrd.sh initrd.img

Unpack the modules with the following script:

       unpack_modules.sh /mnt/initrd/modules/modules.cgz

Now copy the new driver module(s) to /var/tmp/modules/ directory
Change /mnt/initrd/modules/pcitable and add a new line with the vendor ID, product ID, driver name and description to the file (see example below):

        0x8086  0x1010  "e1000"         "Intel Corporation|PRO/1000"

Change the file /mnt/initrd/modules/module-info and add a line for each the driver name, type and description (see the following example):

        e1000
                eth
                "Intel EtherExpress Pro 1000"

Add a line for the new driver to the file /mnt/initrd/modules/modules.dep if the new driver module is dependent on othe kernel modules. Mostly not necessary for ethernet adapters.

Re-pack the modules to the archive, kernel-version-directory under /var/tmp/modules as 1st argument, cpio archive file as 2nd argument:

        pack_modules.sh 2.4.20-18.7BOOT /mnt/initrd/modules/modules.cgz

"exit" from the initrd-mount, if you are there, /mnt/initrd or subdirectories of it musn't be your current dir!

If you also need to update the boot-kernel (when used some modules not for acutal kernel version), copy the new vmlinuz kernel image to /mnt/bootimage
Unmount and pack the initial ramdisk, give the initrd-file under /mnt/bootimage to be updated as argument:

        pack_initrd.sh initrd.img

Now unmount the bootimage and write it to a boot floppy with this script:

        pack_bootimage.sh bootnet.img

Most other drivers, like for SCSI-Controllers are in the stage2 Image
Mount the Stage 2 image (network-connected part of the installation):

        mount -o loop /install/cdrom/RedHat/base/stage2.img /mnt/image

Unpack the modules with the following script:

        unpack_modules.sh /mnt/image/modules/modules.cgz

Now copy the new driver module(s) to /var/tmp/ directory

Important: If the new modules are built for another kernel version as the one on the boodisk, the bootdisk image must be updated with the corresponding kernel image. Further, all modules need to be replaced by one's of the same kernel version as the kernel image!

Change /mnt/image/modules/pcitable and add a new line with the vendor ID, product ID, driver name and description to the file (see example below):

        0x9005  0x801f  "aic79xx"       "Adaptec|AIC7902 Ultra 320 SCSI Adapter"

Change the file /mnt/initrd/modules/module-info and add a line for each the driver name, type and description (see the following example):

        aic79xx
                scsi
                "Adaptec AIC79xx Ultra 320 SCSI Host Adapter"

Add a line for the new driver to the file /mnt/image/modules/modules.dep if the new driver module is dependent on other kernel modules. Example:

        aic79xx: scsi_mod

Re-pack the modules to the archive, kernel-version-directory under /var/tmp/ as 1st argument (see /var/tmp/modules), cpio archive file as 2nd argument:

        pack_modules.sh  /mnt/image/modules/modules.cgz

Leave the mountpoint of the image (/mnt/image or subdirectories of it musn't be your current dir!)

Unmount the image:

        umount /mnt/image