
2021-12-22

ssh: Setup Passwordless Login

Product: ssh daemon
Version: All

SELinux became the default on the major Linux distributions well over a decade ago, but many ssh passwordless (public key) login guides were never updated for it, which causes a lot of confusion when the key is in place yet sshd still asks for a password. This post shows the complete setup procedure, including the SELinux relabelling step that older guides leave out.

Preparation

Raise the SSH daemon log level to DEBUG1. This is essential for troubleshooting ssh login, and it is also the information a UNIX community forum will ask for when you need help. Note that the sshd_config man page warns that DEBUG levels violate the privacy of users and are not recommended for normal operation: set the level back to INFO (or VERBOSE, which additionally records the fingerprint of the key used for each login) once the problem is solved.

1. Login as root (or sudo su)
2. Modify /etc/ssh/sshd_config file: vi /etc/ssh/sshd_config
3. Modify

From: LogLevel INFO
To: LogLevel DEBUG1

4. Other accepted levels are DEBUG1, DEBUG2 and DEBUG3, each more verbose than the last; DEBUG1 is enough for key problems
5. Restart the ssh daemon: systemctl restart sshd
6. View the log while simulating an ssh passwordless login: tail -f /var/log/secure (this is the RHEL-family path; on Debian-based systems use /var/log/auth.log, or journalctl -fu sshd on any systemd host)

Setup

The following illustration uses the OS user "oracle", as this is a common case for Oracle database servers, where passwordless ssh between cluster nodes is required.

1. Log in as the oracle user
2. Create the ".ssh" directory if it does not exist: mkdir ~/.ssh
3. Remove all group and other permissions so no other user can read or write it: chmod go= ~/.ssh (equivalent to chmod 700 ~/.ssh for a directory created with the default umask)
4. Create authorized_keys and paste in the public key line from the client (for PuTTY, the text PuTTYgen shows under "Public key for pasting into OpenSSH authorized_keys file"): vi ~/.ssh/authorized_keys. Then chmod 600 ~/.ssh/authorized_keys: sshd's default StrictModes refuses a key file or directory that is group- or world-writable, and the log shows "Authentication refused: bad ownership or modes"
5. Restore the SELinux label of the file: restorecon -Fvv ~/.ssh/authorized_keys (or restorecon -RFvv ~/.ssh to relabel the directory as well). sshd is a confined domain and may only read ~/.ssh when it is labelled ssh_home_t; a file moved in with mv keeps its old label, and the symptom is "Permission denied" in the debug log while ls -l looks correct. Check with ls -Z ~/.ssh. If the home directory is outside /home, the policy has no rule for that path and an equivalence rule (semanage fcontext -a -e /home <home directory parent>) must be added before restorecon can apply the right label
6. On the client, configure the session to log in as oracle with the private key file, while a second ssh session on the server runs tail -f /var/log/secure so you can watch sshd's debug messages in real time and troubleshoot any problem
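The setup steps and the log reading that follows them, as an added example that is not part of the original post: install_authorized_key performs steps 2 to 5 with the modes sshd's StrictModes requires and relabels through restorecon where it exists, check_ssh_modes verifies the result, and diagnose_sshd_log maps the lines you will see in /var/log/secure at DEBUG1 onto their usual fix. The key line, the target home directory (defaulting to $HOME) and the sample log lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the public key line
# is passed as $1 and the target home directory as $2 (defaults to $HOME);
# the log lines returned by sample_log are constructed, not captured.

install_authorized_key() {
    (
        umask 077                       # new files/dirs are owner-only from creation
        key="$1"; home="${2:-$HOME}"
        mkdir -p "$home/.ssh"
        chmod 700 "$home/.ssh"          # step 3: nothing for group/other
        touch "$home/.ssh/authorized_keys"
        # step 4: append the key only if the exact line is not already present
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" \
            || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        chmod 600 "$home/.ssh/authorized_keys"
        # step 5: relabel to ssh_home_t where SELinux tooling exists; no-op elsewhere
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -RF "$home/.ssh" 2>/dev/null || true
        fi
    )
}

# Returns 0 when the modes are what sshd StrictModes accepts, 1 (with a hint) otherwise.
# stat -c is GNU/busybox; the -f %Lp fallback covers BSD/macOS stat.
check_ssh_modes() {
    home="${1:-$HOME}"
    d=$(stat -c %a "$home/.ssh" 2>/dev/null || stat -f %Lp "$home/.ssh")
    f=$(stat -c %a "$home/.ssh/authorized_keys" 2>/dev/null \
        || stat -f %Lp "$home/.ssh/authorized_keys")
    [ "$d" = "700" ] || { echo "~/.ssh mode is $d, want 700"; return 1; }
    [ "$f" = "600" ] || { echo "authorized_keys mode is $f, want 600"; return 1; }
    return 0
}

# Reads sshd log lines on stdin and prints the likely cause/fix for each known pattern.
diagnose_sshd_log() {
    while IFS= read -r line; do
        case "$line" in
            *"Accepted publickey"*)
                echo "ok: key accepted" ;;
            *"bad ownership or modes"*)
                echo "fix: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys" ;;
            *"Could not open authorized keys"*"Permission denied"*)
                echo "fix: SELinux label, run restorecon -RFv ~/.ssh and check ls -Z" ;;
            *"Could not open authorized keys"*"No such file"*)
                echo "fix: ~/.ssh/authorized_keys does not exist" ;;
        esac
    done
}

# Constructed sample of what /var/log/secure shows at LogLevel DEBUG1.
sample_log() {
    cat <<'EOF'
sshd[1234]: debug1: trying public key file /home/oracle/.ssh/authorized_keys
sshd[1234]: Authentication refused: bad ownership or modes for directory /home/oracle/.ssh
sshd[1235]: debug1: Could not open authorized keys '/home/oracle/.ssh/authorized_keys': Permission denied
sshd[1236]: Accepted publickey for oracle from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:cOnStRuCtEdFp
EOF
}
```

Run it as the target user: install_authorized_key "ssh-ed25519 AAAA... oracle@client" followed by check_ssh_modes, then feed the real log into the classifier with tail -n 50 /var/log/secure | diagnose_sshd_log. The "Permission denied" case is the one plain chmod cannot fix; it is the SELinux label the post is about.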

2021-12-10

Apache Tomcat with log4j: Workaround to address CVE-2021-44228 in Tomcat Application Server

Product: Tomcat Application Server
Version: All versions
URL: https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

Apache log4j has a new vulnerability, CVE-2021-44228, announced yesterday: an attacker-controlled string that reaches a log statement triggers a JNDI lookup (typically over LDAP) that fetches and runs attacker-supplied code, i.e. unauthenticated remote code execution.

BleepingComputer.com reports that an existing Log4j 2 deployment can be told to stop evaluating message lookups with the Java startup parameter "-Dlog4j2.formatMsgNoLookups=true". This post shows how to add that parameter to a Tomcat Application Server running as a Windows service. Note that Tomcat itself does not ship log4j; the vulnerable jar comes with the web application deployed into it (SAP BusinessObjects in this case). Two caveats: the flag only exists in Log4j 2.10 and later, and Apache has since documented it as an incomplete mitigation. The real fix is to upgrade log4j-core to a fixed release, or, where that is not yet possible, to remove the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Treat the steps below as a stop-gap.

Procedure

1. Run "cmd" to launch a Command Prompt

2. For each Tomcat instance on the machine, cd to its bin directory, e.g. 
cd "D:\SAP\SAP BusinessObjects\tomcat\bin"

3. Run "services.msc" and look for the Tomcat service on the "Services" screen. You need its service (instance) name to modify it later

4. The Tomcat instance name is BOEXI40Tomcat in my env

5. Open the Tomcat Windows service editor (procrun's tomcat9w.exe) to modify this service's configuration. The procrun documentation writes the command as tomcat9w //ES//ServiceName; the form below is what was used here

tomcat9w //ES/BOEXI40Tomcat

6. You will see the following editor screen. If you don't, go back to step 3 to ensure you are using the correct Tomcat instance name


7. Click on tab "Java" and you should see a text box labeled "Java Options"


8. Scroll to the bottom and add -Dlog4j2.formatMsgNoLookups=true


9. Click on OK button to save and close it

10. Restart Tomcat application server
10.1. Stop Tomcat: D:\SAP\SAP BusinessObjects\tomcat\bin>runas /user:administrator "net stop BOEXI40Tomcat"

Enter the password for administrator:

Attempting to start net stop BOEXI40Tomcat as user "win2019-tester1\administrator" ...

10.2. Start Tomcat: D:\SAP\SAP BusinessObjects\tomcat\bin>runas /user:administrator "net start BOEXI40Tomcat"

Enter the password for administrator:

Attempting to start net start BOEXI40Tomcat as user "win2019-tester1\administrator" ...

11. Verify the Java parameter is in effect by inspecting the running tomcat9.exe process. For this execution the process ID (PID), taken from Task Manager, is 10312. jinfo must be run by the same user the service runs as (hence runas) and must come from the JDK that runs Tomcat

D:\SAP\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>runas /user:administrator "jinfo 10312"
Attaching to process ID 10312, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 8.1.061 10.0.2+000
Java System Properties:

java.vendor = SAP AG
org.apache.xml.security.ignoreLineBreaks = true
catalina.base = D:\SAP\SAP BusinessObjects\tomcat
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
catalina.useNaming = true
........
...cut...
........

VM Flags:
Non-default VM flags: -XX:CICompilerCount=2 -XX:CoreDumpType=null -XX:+EnableDebuggingOnDemand -XX:+HeapDumpOnOutOfMemoryError -XX:InitialHeapSize=268435456 -XX:MaxHeapSize=1073741824 -XX:MaxMetaspaceSize=402653184 -XX:MaxNewSize=357564416 -XX:MaxVMs=1 -XX:MinHeapDeltaBytes=524288 -XX:NewSize=89128960 -XX:NonNMethodCodeHeapSize=5828300 -XX:NonProfiledCodeHeapSize=131303578 -XX:OldSize=179306496 -XX:+PrintGCDetails -XX:-PrintGCID -XX:+PrintOldStyleGC -XX:+PrintOldStyleGCDetails -XX:ProfiledCodeHeapSize=131303578 -XX:+ReduceSignalUsage -XX:+SegmentedCodeCache -XX:ThreadStackSize=1024 -XX:-UseAOT -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:-UseLargePagesIndividualAllocation -XX:+UseParallelOldGC -XX:-UseSharedSessionStore

Command line:  -Dcatalina.home=D:\SAP\SAP BusinessObjects\tomcat -Dcatalina.base=D:\SAP\SAP BusinessObjects\tomcat -Xrs -XX:MaxMetaspaceSize=384M -Djava.awt.headless=true -XX:+HeapDumpOnOutOfMemoryError -Xloggc:D:\SAP\SAP BusinessObjects\tomcat\logs\tomcat.gc.log -XX:+PrintGCDetails -XX:+UseParallelOldGC -Xloggc:d:\SAP\SAP BusinessObjects\tomcat\logs\tomcat.gc.log -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true exit abort -Xms256m -Xmx1024m -Xss1024k

12. Done. The new setting is active. Confirm with a vulnerability scanner, and fully test the application's functionality before deploying the change to the PROD environment
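The same change without the tomcat9w GUI, as an added example that is not part of the original post: procrun keeps a service's Java options in the registry, so the script reads them, appends the flag through tomcat9.exe //US// only when it is missing, restarts the service and then verifies both the stored options and the live JVM. The service name BOEXI40Tomcat and the bin directory are taken from the post; the assumption that jinfo is on PATH (the post calls it from the sapjvm\bin directory) and the requirement to run from an elevated prompt as the service's user are mine.

```powershell
# Added example, not from the original post. Assumptions: service name and
# bin directory as in the post; jinfo from the JDK that runs Tomcat is on
# PATH; run from an elevated PowerShell prompt.
$ServiceName = 'BOEXI40Tomcat'
$TomcatBin   = 'D:\SAP\SAP BusinessObjects\tomcat\bin'
$Flag        = '-Dlog4j2.formatMsgNoLookups=true'

# procrun stores the "Java Options" box as a REG_MULTI_SZ value named Options here
# (a 32-bit procrun on 64-bit Windows uses HKLM:\SOFTWARE\WOW6432Node\... instead)
$RegPath = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"

function Get-TomcatJvmOptions {
    (Get-ItemProperty -Path $RegPath -Name Options).Options
}

$current = Get-TomcatJvmOptions
if ($current -contains $Flag) {
    Write-Host "$ServiceName already has $Flag"
} else {
    # //US// updates an existing service; ++JvmOptions appends instead of replacing
    & (Join-Path $TomcatBin 'tomcat9.exe') "//US//$ServiceName" "++JvmOptions=$Flag"
    if ($LASTEXITCODE -ne 0) { throw "tomcat9.exe //US// failed with exit code $LASTEXITCODE" }
    Restart-Service -Name $ServiceName -Force
}

# Verify what is stored (this is what step 11's jinfo output reflects after a restart)
$after = Get-TomcatJvmOptions
if ($after -notcontains $Flag) { throw "flag not present in $RegPath" }
$after | Where-Object { $_ -like '-Dlog4j2.*' }

# Verify the running JVM: the service's PID, then jinfo as in step 11
$tomcatPid = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId
& jinfo $tomcatPid | Select-String 'formatMsgNoLookups'
```

The registry check is the one to script across many servers, since the JVM options are only read at service start; a flag present in the registry but absent from jinfo output means the service has not been restarted since the change.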

2021-12-07

Oracle: How to drop tablespace with missing file with ORA-29857

Product: Oracle DB

Version: 19.2 - 21c

This procedure illustrates how to drop a tablespace whose dbf files are missing or corrupted, when the drop fails with ORA-29857.

Assumptions:

  • The recycle bin is active
  • Several users have tables and indexes in the affected tablespace
  • The entire tablespace is to be dropped, even if only one of several dbf files is missing
  • The tablespace name is ABC

Problem simulation:

SQL> drop tablespace ABC including contents and datafiles;

ERROR at line 1:
ORA-29857: domain indexes and/or secondary objects exist in the tablespace

Workaround Procedure:

1. Find the file IDs of all datafiles in the tablespace. Note down each FILE_ID for use later

select file_id from dba_data_files where tablespace_name = 'ABC';

2. Take all of the above datafiles offline. If there are multiple files, execute this once per file. The DROP keyword is required when the database runs in NOARCHIVELOG mode; in ARCHIVELOG mode plain OFFLINE is sufficient

alter database datafile [file_id] offline drop;

3. Disable the recycle bin. The recyclebin parameter can only be changed system-wide with DEFERRED, which affects sessions that connect afterwards; add "alter session set recyclebin=off;" for the current session. Objects already parked in the recycle bin for this tablespace can be cleared first with "purge tablespace ABC;"

alter system set recyclebin=off deferred;

4. Drop tablespace with all its dbf file

drop tablespace ABC including contents and datafiles;

5. Verify the datafiles are gone. The query should return no rows

select file_id from dba_data_files where tablespace_name = 'ABC';

6. Re-enable recycle bin

alter system set recyclebin=on deferred;
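The workaround as one script, preceded by two queries that show what is actually raising ORA-29857, as an added example that is not part of the original post. The tablespace name ABC is the post's; running as SYSDBA in SQL*Plus, and a database in NOARCHIVELOG mode (hence OFFLINE DROP), are assumptions.

```sql
-- Added example, not from the original post. Assumptions: connected as SYSDBA
-- in SQL*Plus, tablespace ABC as in the post, NOARCHIVELOG mode.
set serveroutput on

-- ORA-29857 is about domain indexes (Oracle Text, Spatial, ...) and their
-- secondary objects. List the ones whose base table lives in ABC; if the drop
-- still fails after the steps below, drop these as their owner
-- (DROP INDEX ... FORCE) and retry.
select i.owner, i.index_name, i.ityp_owner, i.ityp_name,
       s.secondary_object_owner, s.secondary_object_name
  from dba_indexes i
  join dba_tables t
    on t.owner = i.table_owner and t.table_name = i.table_name
  left join dba_secondary_objects s
    on s.index_owner = i.owner and s.index_name = i.index_name
 where i.index_type = 'DOMAIN'
   and t.tablespace_name = 'ABC';

-- Recycle-bin entries still parked in ABC, the other common trigger
select owner, original_name, object_name, type, droptime
  from dba_recyclebin
 where ts_name = 'ABC';

-- Steps 1 and 2: one OFFLINE DROP per datafile, generated from the catalog
-- instead of typed by hand for each FILE_ID
begin
  for f in (select file_id, file_name
              from dba_data_files
             where tablespace_name = 'ABC')
  loop
    execute immediate 'alter database datafile ' || f.file_id || ' offline drop';
    dbms_output.put_line('offline: ' || f.file_id || ' ' || f.file_name);
  end loop;
end;
/

-- Step 3: DEFERRED only reaches sessions that connect later, so set it for
-- this session as well
alter system set recyclebin = off deferred;
alter session set recyclebin = off;

-- Step 4: append CASCADE CONSTRAINTS if ORA-02449 reports foreign keys from
-- tables outside ABC referencing tables inside it
drop tablespace ABC including contents and datafiles;

-- Step 5: both queries must return no rows
select file_id from dba_data_files where tablespace_name = 'ABC';
select name from v$tablespace where name = 'ABC';

-- Step 6
alter system set recyclebin = on deferred;
```

The two diagnostic queries are worth running before anything destructive: if they return rows, the objects they list are the reason the plain DROP TABLESPACE failed, and dropping them explicitly (or purging the recycle bin for the tablespace) is a more targeted fix than taking the datafiles offline.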