Using stunnel to Encrypt Database Connections

Most RDBMSs, such as PostgreSQL and MySQL, support TLS connections to encrypt the data on the wire between the application and the database. However, there also seem to be applications here and there that don’t support TLS connections to the database server. Not the end of the world when your app is on the same server as the database server, but who does that? 😉

SSH – disable StrictHostChecking as well as writing key to known_hosts

I often do a lot of work with temporary Vagrant boxes, Docker containers and VMs, and I don’t really want those host keys clogging up my ~/.ssh/known_hosts file. So I just add the following alias to my shell “rc” file, which skips host-key verification and sends the keys to /dev/null instead of writing them to known_hosts. In my case, I use zsh, so it’s ~/.zshrc :

alias ssh-nocheck="ssh -o 'StrictHostKeyChecking no' -o 'UserKnownHostsFile /dev/null'"

Voilà! Now all I need to do is use something akin to:

ssh-nocheck -p 2222 root@192.168.2.138

Hostname on AWS CentOS 7 EC2

I was setting up a shiny new CentOS 7 EC2 instance, but when I tried to set the hostname using all of the typical Linux-y ways, none of them stuck after a reboot. It just kept going back to the default EC2 naming convention of ‘ip-172.31.x.x’. Since I am still getting used to CentOS 7 and all of the stuff they changed from 6, I figured it was a CentOS 7 thing. Not so…


Configuring TACACS+ on Juniper SRX and Windows Active Directory

I’m sure someone has already documented this somewhere, but here are my usual breadcrumbs. After poring through Juniper’s thorough, yet scattered, documentation I finally got my SRX talking to Windows AD via TACACS+.

I decided to go with TACACS.net, a free (not as in beer, though) command-line-oriented service that runs on Windows. It’s a very nice program, and it’s really cool that it can be downloaded for free. They charge for support, so I guess that’s how they keep the lights on.

Most Awesome CMS Ever – Part Deux

In a previous post, I wrote about a CMS called GPeasy. That post actually seems to still get a lot of hits, which might lead visitors to wonder why I raved about GPeasy when I am using WP as my CMS/blog platform. Good question. At the time I decided to go with a CMS, WP was starting to get really good at being both a CMS and a blogging platform, and GPeasy was still being baked. But I might have to revisit GPeasy, as it looks like they’ve added some cool features. Of course, I also stumbled upon Octopress the other day, which seems to be an interesting blog platform geared towards hackers, with a lot of ways to show code, etc. I might have to check that out as well. Options abound!

Allowing non-root users access to libvirt and virsh using polkit

I’ve been using virt-manager to manage my KVM hosts, and I’m not keen on having to log in to the remote hosts as root; plus, I would get the password prompt every time I connected to the server (sure, I could set up my public SSH key on the root account, but it is not a good idea to use RSA auth to the root account on a remote server). With Debian (Wheezy) it was fairly simple, in that all I had to do was add my regular username to the group “libvirt”. Then I could use the URI qemu+ssh://virtadmin@my.kvmhost.com/system to connect to the remote KVM host using virt-manager.
