RTFM

[Read This Fine Material] from Joshua Hoblitt

Default Password for Supermicro IPMI/BMCs


Supermicro seems to use more or less the same BMC firmware across all of their motherboards, at least judging from the BMC firmware version numbers. Unlike many other BMCs (notably the Intel BMC/RMM3), you cannot enable/disable usernames or set passwords from the BIOS. The Supermicros default to DHCP and come up immediately with the default username and password.

Many versions of the BMC include a Java console redirect applet that *does not* work with a 64-bit JVM on Linux.

Every SM board I’ve touched has used the same default username/password.

username: ADMIN
password: ADMIN

Raritan ferrite cores


Raritan requires a ferrite core to be installed 1.5-3″ from the end of Ethernet patch cables attached to their PDUs if you’re using one of their external sensor assemblies. I can’t believe that this is to suppress noise from entering the PDU, since PDUs are basically attached to a giant antenna. The only reason I can come up with for this is to reduce crosstalk between the Ethernet and sensor wires before they attach to the PDU, as their ports are adjacent on the chassis. Does anyone have a better explanation?

Raritan ferrite core on cat6 patch cable

WordPress Yoko theme 1.0.5 released


The excellent WordPress Yoko theme has a new version, 1.0.5, released. Please see the changelog (PDF) for details. If you haven’t explored this theme, I would highly encourage you to do so. It’s well designed, works on small form factor devices, has a manual, and the author even provides a template for starting your own sub theme.

I created a child theme of Yoko to tweak a few things for this blog. My theme is named YokoGeek and a list of the tweaks I’ve made is in the README. I’m completely open to merging features for technical blogging into YokoGeek; patches welcome. ;)

Recursively chaining SSH ProxyCommand


I just came across this blog post, SSH through jump hosts, on setting up ssh proxying with netcat. The new, highly clever, twist here is that instead of having to manually add each proxy/jump host you want into your ssh config, it uses a wildcard Host statement that can recursively match itself. If you’re confused as to what ssh proxy/jump/ProxyCommand is all about, I found a diagram & explanation on the SSH Menu Transparent Multi-hop SSH page.

Verbatim from the post:

Host */*
ProxyCommand ssh $(dirname %h) nc -w1 $(basename %h) %p

This is pretty slick in that you can bounce through an arbitrary number of hosts, e.g.

ssh 1sthost/2ndhost/3rdhost

This method isn’t perfect, and while there are some good comments at the bottom of the blog post, I believe there are a few problems that aren’t fully fleshed out in the discussion. If you have different usernames on the systems you want to proxy through, this approach is going to run into trouble. The first ssh hop can get the correct username from the command line, as in ssh @..., but after that ssh defaults to using $USERNAME. Ideally, one could somehow specify the username for each subsequent hop. Perhaps something like:

ssh foo.example.com/a@bar.example.com/b@baz.example.com/...

However, ssh splits [user@]hostname input into a remote login username part (%r) and a target host name part (%h). The split is done on the rightmost @, and this can lead to %h no longer being matched by Host */*. e.g.

ssh foo@bar.example.com/baz@quix.example.com

Would get parsed as:

%r = foo@bar.example.com/baz
%h = quix.example.com

Since %h does not contain a / at this point, it will not match Host */*. One ugly thing that could be done is to change the match to Host * and make sure this directive stays at the very bottom of the configuration file. Then the original ssh argument could be recreated with %r@%h, at which point you would need to do your own host separator parsing. This approach is highly undesirable because the Host * rule will match any hostname not matched earlier in the configuration file. The more obvious thing to do here is to replace the remote login username separator with another meta-character. This is what the first comment on the post tries to do:

Vincent Bernat Says:
2009-04-10 00:51:16+0200

Here is an “enhanced” version:

Host */*
ProxyCommand ssh ${$(dirname %h)/\%%/@} nc -w5 ${$(basename %h)#*%%} %p

You can specify the login for each hop with “%” instead of “@”.

Which is probably the correct general idea, but this syntax won’t work under bash parameter expansion. Comment #6 suggests that this does work under zsh, but I’m not generally a zsh user, nor is zsh as commonly installed as bash/ssh/nc. Even if this did work under bash, it would be more convenient not to have to specify data that’s already contained in the ssh client config file. As far as I can tell, there is no way to accomplish this with a recursively matching Host directive, as %r will always be the string that was matched when ssh was first invoked. It looks like the only solution would be to write some code that can parse the ssh config and pull out the appropriate username for each hop in the proxy chain.

The second issue is with the -w1 argument to netcat, which tells it to disconnect if the connection is idle for one second. Unless you’re only executing remote commands, this value is probably too short. It needs to be at least >= ServerAliveInterval and probably more like >= ServerAliveInterval * ServerAliveCountMax. A wait timeout shouldn’t be needed at all, as a broken ssh connection will kill off the associated shell, which should terminate the netcat invocation. The -w[n] param can just be removed.

If anyone knows a working solution to the username issue, please let me know.
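An added example (my own, not code from the post or its comments) that addresses both issues above: a small POSIX sh script used as the ProxyCommand, so the per-hop login parsing uses ordinary shell expansion instead of the zsh-only syntax, and netcat runs without -w. The script name, the ~/bin path and the LOGIN%HOST convention are assumptions of this example, not something ssh provides.

```shell
#!/bin/sh
# Added example, not from the post or its comments. Keeps the recursive
# "Host */*" trick but lets each intermediate hop carry its own login as
# LOGIN%HOST; the final host's login still comes from %r as usual.
# Assumed (made-up) install path and config:
#   Host */*
#       ProxyCommand ~/bin/ssh-chain-proxy %h %p
# Example: ssh me@u1%hop1.example.com/u2%hop2.example.com/dest.example.com
# logs in to hop1 as u1, to hop2 (via hop1) as u2, and to dest as "me".

# Print the ssh target for the next hop and the host netcat should connect
# to, separated by one space.
chain_next_hop() {
    chain=$1
    hops=${chain%/*}            # everything before the last '/': the relays
    final=${chain##*/}          # host nc dials; its login is %r, not parsed here
    hop=${hops##*/}             # relay contacted now, e.g. u2%hop2.example.com
    earlier=${hops%/*}          # relays in front of it; equals $hops if none
    case $hop in
        *%*) login=${hop%%\%*}; host=${hop#*\%} ;;
        *)   login=''; host=$hop ;;
    esac
    if [ "$earlier" = "$hops" ]; then
        next=$host              # last relay: plain hostname, recursion ends
    else
        next=$earlier/$host     # still a */* target, so ssh recurses again
    fi
    if [ -n "$login" ]; then
        next=$login@$next       # rightmost '@' split gives %r=login for this hop
    fi
    printf '%s %s\n' "$next" "$final"
}

# Entry point when ssh invokes "ssh-chain-proxy %h %p". No nc -w timeout:
# when the ssh session dies its shell exits and takes nc down with it.
if [ "$#" -eq 2 ]; then
    set -- $(chain_next_hop "$1") "$2"
    exec ssh "$1" nc "$2" "$3"
fi
```

Later OpenSSH releases add ProxyJump (-J), which accepts user@host per hop natively and makes a script like this unnecessary where it is available.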

Skeleton template of a tree of multi-release/arch yum repos


I’ve posted a simple skeleton template that I use for setting up local yum repos for RHEL/CentOS. There should be sufficient directions in the README (copied below).


Description
===========

This is a very simple template of a yum repository. It is the structure that I
use for maintaining a local repo of RPMs for RHEL/Centos 4/5/6.

USAGE
=====

There is a trivial makefile at the top level of the tree that will run the
[createrepo](http://createrepo.baseurl.org/) utility on the 2nd level of
directories in the tree and create/update a non-GPG-signed yum repository. The
tree structure should be as follows:

    .
    |-- 4
    |   |-- i386
    |   `-- x86_64
    |-- 5
    |   |-- i386
    |   `-- x86_64
    `-- 6
        |-- i386
        `-- x86_64

The `createrepo` command will be run on (4|5|6)/(i386|x86_64) but not on the
first-level dirs (4|5|6). After `createrepo` finishes running, you should have
one usable repo for each major release number and architecture.

    .
    |-- 4
    |   |-- i386
    |   |   `-- repodata
    |   `-- x86_64
    |       `-- repodata
    |-- 5
    |   |-- i386
    |   |   `-- repodata
    |   `-- x86_64
    |       `-- repodata
    `-- 6
        |-- i386
        |   `-- repodata
        `-- x86_64
            `-- repodata

To create/modify the working repos, just run `make` after adding/removing RPMs
from the appropriate $releasever/$basearch directory and your yum repo is ready
for use.

    # copy rpm(s) to some arch dir like 5/x86_64
    make

Adding a different arch just requires creating a directory in the correct
place. For example, to add RHEL5 PPC support:

    mkdir 5/ppc64
    # copy some .rpms --> 5/ppc64
    make

PUPPET EXAMPLE
==============

Here is a simple example of a puppet class that will set up the repo with the
Yumrepo type. It should work for RHEL/CentOS 3/4/5/6 and beyond. Note that with
gpgcheck => 0 yum installs whatever RPMs land in the tree without verifying
them, so restrict write access to the repo tree and the host serving it.

    class yum-local {

      case $operatingsystem {
        'redhat', 'centos': {
          yumrepo { 'local':
            descr => 'my local repo',
            baseurl => 'http://example.org/nso/$releasever/$basearch',
            enabled => 1,
            gpgcheck => 0,
            priority => 1,
          }
        }
      }
    }

Setting the default locale on Gentoo to UTF8 encoding


Gentoo has two good documents on dealing with UTF8 and localization that should be reviewed.

I decided to set my system-wide default away from ANSI to UTF8, as gnome-terminal seems to inherit LANG from XDM and there doesn’t seem to be a way to tell it to ignore LANG and default to UTF8. This is really annoying, since most RHEL5.x based distros default to UTF8. Here is a quick little shell snippet to set the locale to US/English/UTF8.

#!/bin/bash
# Run as root: rewrites /etc/locale.gen, builds the listed locales and sets
# the system-wide default LANG for new sessions.
cat > /etc/locale.gen <<"END"
# /etc/locale.gen: list all of the locales you want to have on your system
#
# The format of each line:
# <locale> <charmap>
#
# Where <locale> is a locale located in /usr/share/i18n/locales/ and
# where <charmap> is a charmap located in /usr/share/i18n/charmaps/.
#
# All blank lines and lines starting with # are ignored.
#
# For the default list of supported combinations, see the file:
# /usr/share/i18n/SUPPORTED
#
# Whenever glibc is emerged, the locales listed here will be automatically
# rebuilt for you.  After updating this file, you can simply run `locale-gen`
# yourself instead of re-emerging glibc.
en_US.UTF-8 UTF-8
en_US ISO-8859-1
END
locale-gen                                    # build the locales listed above
echo "LANG=en_US.utf8" > /etc/env.d/02locale  # system-wide default for new sessions
env-update                                    # regenerate /etc/profile.env from /etc/env.d
source /etc/profile                           # pick up the new LANG in this script
locale                                        # show the resulting settings

Retaining archive links when moving from Blogger to MoveableType


When I converted from Blogger to MT, I renamed the blog path from ‘blog’ to ‘rtfm’. The MT importer was clever enough to try to save all of the Blogger “permanent” link names. However, since MT and Blogger use different archiving conventions, all the Google-indexed links to archive files broke. Here are the rules I used in the Apache2 VHOST to fix the breakage I noticed.

# rename blog path from /blog -> /rtfm
RedirectMatch ^/?blog/(.*)$ http://joshua.hoblitt.com/rtfm/$1

# map from Blogger-style YYYY_MM_DD_archive.html files to MT YYYY/MM/ dirs
RedirectMatch ^/?rtfm/(\d{4})_(\d{2})_.._archive.html$ http://joshua.hoblitt.com/rtfm/$1/$2/

# Blogger leftovers still indexed by Google on 2011-08-03
Redirect /rtfm/labels/resume.html http://joshua.hoblitt.com/resume/joshua_hoblitt-resume.pdf

Encrypted google search


Today on g+ Matt Curtis & Chris Gianelloni shared links to two news stories about ISPs hijacking search results. [1] [2] This is exactly the sort of situation that SSL/TLS was intended to protect against, and I suspect that this sort of behaviour will only increase as ISPs try to find new ways to monetize their traffic. Imagine if your POTS provider (OK – imagine you still have a POTS provider) decided to hijack your outbound phone calls and redirect them to a competitor. Since many of us get service via a regulated (“franchised”) monopoly, there really should be administrative rules that prevent hijacking and differentiated billing for different “types” of traffic (like billing you extra for Netflix packets because that cuts into your ISP’s cable business). My ISP already redirects you to a “search” page for “failed” DNS requests. DNSSEC can’t get here fast enough…

Anyway, back to search… I have taken action to prevent this sort of mischief by setting https://encrypted.google.com/ as Firefox’s homepage and using the add-to-search-bar addon to make that the default search engine used by the “search bar”. There are good instructions here on how to make this change for Firefox/Opera/Chrome that I need not duplicate.

Hopefully, Mozilla/Google will decide to make this the default for future shipping versions of FF.