Generating a public/private keypair the right way

From the command line:

# ssh-keygen -t rsa -b 4096 -o -a 100

-a rounds
When saving a new-format private key (i.e. an
ed25519 key or any SSH protocol 2 key when the
-o flag is set), this option specifies the number
of KDF (key derivation function) rounds used.
Higher numbers result in slower passphrase
verification and increased resistance to brute-force
password cracking (should the keys be stolen).

-b bits
Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and the
default is 2048 bits. Generally, 2048 bits is considered
sufficient. DSA keys must be exactly 1024 bits as
specified by FIPS 186-2.

-o
Causes ssh-keygen to save private keys
using the new OpenSSH format rather than the
more compatible PEM format. The new format
has increased resistance to brute-force
password cracking but is not supported by
versions of OpenSSH prior to 6.5. Ed25519
keys always use the new private key format.

-t dsa | ecdsa | ed25519 | rsa | rsa1
Specifies the type of key to create. The possible
values are “rsa1” for protocol version 1 and “dsa”,
“ecdsa”, “ed25519”, or “rsa” for protocol version 2.

A customer recently asked me, "Is there a way to look at a configuration file, without all the comments and excess blank lines?"

Yes, there is! You can use the sed utility to display the contents of a file, omitting any blank lines, and omitting any lines that start with the "#" character (which denotes that the line is a comment), like this: 

sed -e '/^ *#/d' -e '/^$/d' /etc/httpd/conf/httpd.conf

In this example, I am using the sed command to display the content of the httpd.conf file. The -e option allows me to apply an edit to the stream of output. The first edit ('/^ *#/d') instructs sed to search the output for any lines starting with "#" and delete them. The second edit instructs sed to look for blank lines and delete them. It helps to understand basic Regular Expressions, which is an entire other discussion. 
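
The same idea as a reusable function, added here as an example rather than taken from the post: it keeps the post's two sed edits and extends them so that comments indented with a tab (not only spaces) and lines holding nothing but whitespace are also dropped, while a trailing comment on a directive line is left in place because the line is still configuration. The sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the page's two sed edits,
# widened so that tab-indented comments and whitespace-only lines are
# removed as well. Trailing comments on a directive line are kept, since
# the directive itself must survive.
strip_config() {   # usage: strip_config FILE   (use - for standard input)
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Constructed sample in the style of httpd.conf, used for the demonstration.
sample_conf() {
  tab=$(printf '\t')
  printf '%s\n' \
    '# Main server configuration (constructed sample)' \
    'ServerRoot "/etc/httpd"' \
    '' \
    '    # space-indented comment' \
    "${tab}# tab-indented comment" \
    'Listen 80' \
    '   ' \
    'User apache    # trailing comment on a directive line is kept'
}

# Prints three lines: ServerRoot, Listen and User.
sample_conf | strip_config -
```

Run it on a real file with `strip_config /etc/httpd/conf/httpd.conf`; the `-` form is there so it can sit at the end of a pipeline.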

Given a list of hostnames (one per line) in a file named hosts-list, ssh into each server in turn, sudo to root, and execute a command with sudo permissions. You will need to type in the password twice, unless you use a utility like KeePass that allows you to copy/paste your password. This method makes it very quick and convenient to go through a long list of servers to perform a simple admin task.

for name in $(cat hosts-list); do (ssh -t -o StrictHostKeyChecking=no my.username@${name} 'sudo su - -c "uname -a ; yum clean all"' 2> /dev/null) ; done

A BASH script to monitor disk usage in Linux

Someone asked me if disk space usage can be monitored via a bash script. Yes, it can. The following script can be copied to the host to be monitored, then executed periodically (once an hour?) via a crontab. Keep in mind there are bigger and better ways out there to do this, but this isn't bad for a small, simple solution. It's also a good exercise for you if you are learning Linux!

#!/bin/bash
# A script to keep an eye on disk use. Mutt must be installed
# and the host must be able to send SMTP mail.

# Alert Recipient (placeholder address; the original value was dropped from the page)
ADMIN="sysadmin@example.com"

# Alert Threshold (percent used)
ALERT=85

df -h -P | grep -vE '^Filesystem|tmpfs|cdrom|iso|nfs|140.139' | awk '{ print $5 " " $1 }' | while read OUTPUT; do
        USAGE=$(echo $OUTPUT | awk '{ print $1 }' | cut -d'%' -f1 )
        PARTITION=$(echo $OUTPUT | awk '{ print $2 }')

        if [ $USAGE -ge $ALERT ] ; then
                echo -e "WARNING: Filesystem on \"$PARTITION\" is ${USAGE}% full.\n Threshold is ${ALERT}% \n HOST: $HOSTNAME\nDATE: $(date)\nThis message generated by /admin-scripts/SpaceWatch on $HOSTNAME" | \
                mutt -s "Alert: Disk space warning on $HOSTNAME" ${ADMIN}
        fi
done

exit 0
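
The threshold test is the part of that script worth getting right, so here it is factored into a function you can exercise against captured df output. This is an added example, not the post's script: it reads "df -P" style output on standard input, mirrors the post's exclusion list, and prints every filesystem at or above the threshold, so it can be tested on a workstation with no mail setup at all. The df output below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's script: the threshold check from the
# SpaceWatch script as a function that reads "df -P" output on standard
# input. Prints "FILESYSTEM USAGE%" for each filesystem at or above the
# threshold; the exclusion list mirrors the post's grep.
disk_over_threshold() {   # usage: df -hP | disk_over_threshold 85
    grep -vE '^Filesystem|tmpfs|cdrom|iso|nfs' |
    awk -v limit="$1" '{
        pct = $5; sub(/%$/, "", pct)        # "88%" -> 88
        if (pct + 0 >= limit) print $1, pct "%"
    }'
}

# Constructed "df -hP" output for the demonstration.
sample_df() {
    cat <<'EOF'
Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/rhel-root    50G   44G  6.1G  88% /
devtmpfs                1.9G     0  1.9G   0% /dev
tmpfs                   1.9G  8.0K  1.9G   1% /dev/shm
/dev/sda1               497M  160M  338M  33% /boot
/dev/mapper/rhel-home   100G   85G   15G  85% /home
nfsserver:/export       2.0T  1.9T  100G  95% /mnt/nfs
EOF
}

# Prints the root and home filesystems; the NFS mount is excluded by the grep.
sample_df | disk_over_threshold 85
```

In a cron job you would replace `sample_df` with `df -hP` and mail the output only when it is non-empty, which avoids the hourly "all clear" messages that quickly get filtered and then ignored.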

2018 University of Nebraska Cornhuskers Football Schedule

What D&D character am I?

I Am A: True Neutral Human Ranger (7th Level)

Ability Scores:

True Neutral: A true neutral character does what seems to be a good idea. He doesn't feel strongly one way or the other when it comes to good vs. evil or law vs. chaos. Most true neutral characters exhibit a lack of conviction or bias rather than a commitment to neutrality. Such a character thinks of good as better than evil; after all, he would rather have good neighbors and rulers than evil ones. Still, he's not personally committed to upholding good in any abstract or universal way. Some true neutral characters, on the other hand, commit themselves philosophically to neutrality. They see good, evil, law, and chaos as prejudices and dangerous extremes. They advocate the middle way of neutrality as the best, most balanced road in the long run. True neutral is the best alignment you can be because it means you act naturally, without prejudice or compulsion. However, true neutral can be a dangerous alignment when it represents apathy, indifference, and a lack of conviction.

Humans are the most adaptable of the common races. Short generations and a penchant for migration and conquest have made them physically diverse as well. Humans are often unorthodox in their dress, sporting unusual hairstyles, fanciful clothes, tattoos, and the like.

Rangers are skilled stalkers and hunters who make their home in the woods. Their martial skill is nearly the equal of the fighter, but they lack the latter's dedication to the craft of fighting. Instead, the ranger focuses his skills and training on a specific enemy: a type of creature he bears a vengeful grudge against and hunts above all others. Rangers often accept the role of protector, aiding those who live in or travel through the woods. His skills allow him to move quietly and stick to the shadows, especially in natural settings, and he also has special knowledge of certain types of creatures. Finally, an experienced ranger has such a tie to nature that he can actually draw on natural power to cast divine spells, much as a druid does, and like a druid he is often accompanied by animal companions. A ranger's Wisdom score should be high, as this determines the maximum spell level that he can cast.

Find out what kind of Dungeons and Dragons character you would be, courtesy of Easydamus.

CentOS7: HOWTO show running services

[root@tony ~]# systemctl --no-page -t service -a --state running --no-legend
auditd.service           loaded active running Security Auditing Service
crond.service            loaded active running Command Scheduler
dbus.service             loaded active running D-Bus System Message Bus
dovecot.service          loaded active running Dovecot IMAP/POP3 email server
getty@tty1.service       loaded active running Getty on tty1
gssproxy.service         loaded active running GSSAPI Proxy Daemon
lvm2-lvmetad.service     loaded active running LVM2 metadata daemon
NetworkManager.service   loaded active running Network Manager
ntpd.service             loaded active running Network Time Service
polkit.service           loaded active running Authorization Manager
postfix.service          loaded active running Postfix Mail Transport Agent
rsyslog.service          loaded active running System Logging Service
sshd.service             loaded active running OpenSSH server daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service   loaded active running Login Service
systemd-udevd.service    loaded active running udev Kernel Device Manager
tuned.service            loaded active running Dynamic System Tuning Daemon
vmtoolsd.service         loaded active running Service for virtual machines hosted on VMware
wpa_supplicant.service   loaded active running WPA Supplicant daemon
[root@tony ~]#

Here's a fun little script using the Google Maps Geocoding API:

[pete@server1 ~]# cat

#!/bin/bash
# Geocoding API endpoint. The URL was dropped from the page when it was
# archived, so it has to be supplied in GEOCODE_URL before running the script.
GEOCODE_URL="${GEOCODE_URL:?set GEOCODE_URL to the Geocoding API XML endpoint}"

if [[ $# -eq 0 ]]; then
  echo "Works better with an address..."
  exit 1
fi
if [[ ! -x /usr/bin/curl ]]; then
  echo "ERROR: Can't work without /usr/bin/curl"
  exit 1
fi
if [[ ! -x /usr/bin/xml2 ]]; then
  echo "ERROR: Please install package xml2 from the EPEL repo first."
  exit 1
fi

address="$(echo "$@" | sed 's/ /+/g')"

# A private temporary file, removed on exit, instead of a fixed name in /tmp.
tmpxml=$(mktemp) || exit 1
trap 'rm -f "$tmpxml"' EXIT

curl -s "${GEOCODE_URL}${address}" \
     -o "$tmpxml"

# xml2 flattens the response into /path/to/element=value lines; tr turns
# the paths into variable names before the lines are eval'ed.
eval $(xml2 < "$tmpxml" | tr '/, ' '___' | grep =)

if [[ $_GeocodeResponse_status == "OK" ]]; then
  echo "Address: $(echo $address | sed 's/+/ /g')"
  echo "Latitude: $_GeocodeResponse_result_geometry_location_lat"
  echo "Longitude: $_GeocodeResponse_result_geometry_location_lng"
else
  echo "No results"
fi

exit 0

[pete@server1 ~]# ./ 1600 Pennsylvania Ave, Washington, DC
Address: 1600 Pennsylvania Ave, Washington, DC
Latitude: 38.8791981
Longitude: -76.9818437
[pete@server1 ~]#
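
The eval step is the one to think about: whatever comes back in the HTTP response is turned into shell assignments and executed, so a field containing shell syntax would run as a command on your box. The following added example (not the post's script) reads the same xml2 "path=value" lines but picks the fields it needs with a case statement, so every value stays an ordinary string. The xml2-style output is constructed for the demonstration and deliberately carries a command substitution in the address field.

```shell
#!/bin/sh
# Added example (not the post's script): read the "/path/to/element=value"
# lines that xml2 prints into named variables with a case statement, rather
# than passing them to eval. With eval, any field in the HTTP response that
# contains shell syntax would be executed; here it stays an ordinary string.
parse_geocode() {   # usage: xml2 < response.xml | parse_geocode
  status='' address='' lat='' lng=''
  while IFS='=' read -r key value; do
    case $key in
      /GeocodeResponse/status)                        status=$value ;;
      /GeocodeResponse/result/formatted_address)      address=${address:-$value} ;;
      /GeocodeResponse/result/geometry/location/lat)  lat=${lat:-$value} ;;
      /GeocodeResponse/result/geometry/location/lng)  lng=${lng:-$value} ;;
    esac
  done
  if [ "$status" = "OK" ]; then
    printf 'Address: %s\nLatitude: %s\nLongitude: %s\n' "$address" "$lat" "$lng"
  else
    printf 'No results (status: %s)\n' "${status:-none}"
    return 1
  fi
}

# Constructed xml2-style output for the demonstration. The address field
# carries a command substitution on purpose: eval would run it, the parser
# above merely prints it.
sample_xml2_output() {
  cat <<'EOF'
/GeocodeResponse/status=OK
/GeocodeResponse/result/type=street_address
/GeocodeResponse/result/formatted_address=1600 Pennsylvania Ave, Washington, DC $(echo injected)
/GeocodeResponse/result/geometry/location/lat=38.8791981
/GeocodeResponse/result/geometry/location/lng=-76.9818437
EOF
}

sample_xml2_output | parse_geocode
```

The first occurrence of each field wins, which matches what a multi-result response would otherwise do to the eval'ed variables (the last one overwrites), except that it is now explicit.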


How to download all the RHEL7 docs

You can easily download all of the available Red Hat Enterprise Linux 7 Documentation (in PDF format) from a BASH prompt, by using the following command line:

curl -s | grep -o '[^"]*Linux/7/pdf[^"]*' | xargs -I{} wget{}

This is very handy when you are studying for RHEL 7 Certification (RHCSA/RHCE). All the answers to the test are in these docs...  :-)

Official RHEL7 Information

Here's a list of links to Official Red Hat Enterprise Linux information:

RHEL 7 Reference Cards

Red Hat provides these quick reference PDF files for their Red Hat Enterprise Linux products:

How to delete blank rows in MS Excel

How to quickly and easily delete all blank rows from an Excel Spreadsheet:


How to write a shell script to ensure only one instance of the script runs for each user.

In a BASH Script:

LOCKFILE="/tmp/myscript.${USER}.lock"   # "myscript" stands in for the common name; the suffix is the current user

if [ -e "${LOCKFILE}" ] && kill -0 "$(cat "${LOCKFILE}")" 2>/dev/null; then
    echo "Already running!"
    exit 1
fi
trap "rm -f ${LOCKFILE}; exit" INT TERM EXIT
echo $$ > "${LOCKFILE}"

Start by determining a name for the lock file. In this case, the lock file is generated by suffixing a common name with the username of the current user. Then, check if the lock file exists and if the PID contained within the lock file is running. If it is, exit with a message.

Create a trap to remove the lock file on a clean exit, or unclean exits (any exit with the signal INT or TERM). Finally, if the script has not exited yet, create the lock file, and store the PID of the current process ($$) in it. 
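
One thing to be aware of with "check, then create" is the gap between the two steps: two copies started in the same instant can both find no lock file and both carry on. The added example below (not the post's snippet) keeps the per-user naming and the stale-PID check, but uses mkdir for the lock, which either creates the directory or fails in a single atomic step. The lock name and the `/tmp` location are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's snippet): the same per-user single-instance
# guard built on mkdir, which either creates the lock directory or fails in
# one atomic step, so two simultaneous starts cannot both get through.
# The PID recorded inside the directory is used only to recognise a lock
# left behind by a process that died without cleaning up.
lock_path() {   # usage: lock_path NAME  -> /tmp/NAME.<user>.lock
  printf '%s/%s.%s.lock' "${TMPDIR:-/tmp}" "$1" "$(id -un)"
}

acquire_lock() {   # usage: acquire_lock LOCKDIR ; 0 = acquired, 1 = another instance is running
  lockdir=$1
  if mkdir "$lockdir" 2>/dev/null; then
    echo $$ > "$lockdir/pid"
    return 0
  fi
  # Directory already exists: live owner, or a stale lock?
  owner=$(cat "$lockdir/pid" 2>/dev/null)
  if [ -n "$owner" ] && kill -0 "$owner" 2>/dev/null; then
    return 1
  fi
  rm -rf "$lockdir"                    # stale: the owner is gone, reclaim it
  mkdir "$lockdir" 2>/dev/null || return 1
  echo $$ > "$lockdir/pid"
}

release_lock() { rm -rf "$1"; }

# Typical use at the top of a script:
#   LOCKDIR=$(lock_path myscript)
#   acquire_lock "$LOCKDIR" || { echo "Already running!"; exit 1; }
#   trap 'release_lock "$LOCKDIR"' EXIT INT TERM
```

The trap stays the same as in the post; only the acquisition changes. If your systems all have util-linux, `flock` gives you the same guarantee with the kernel releasing the lock for you when the process ends, stale or not.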

Happy Birthday Sadie!

How to create a custom Linux man page and deploy it as a rpm file

Knowing how to create and deploy your own Linux man pages can make documentation a lot easier to access for your users and co-workers. Here is a process that you can use to make a man page, install it, and even deploy it via a gpg-signed rpm file. In the following examples, I am using a Red Hat Enterprise Linux 6 server, and I am logged in as an unprivileged userid (pete). You can also follow this example on CentOS or Fedora.

Create a man page

Using your favorite text editor, create your man page text file. See man 7 mdoc for information on how the markup language shown in the following example works:

.\" Manpage for Pete.
.\" Contact to correct errors or typos.
.TH pete 1 "29 April 2015" "1.0" "Pete Man Page"
.SH NAME
pete \- Professional Linux Geek
.SH DESCRIPTION
Pete is a Linux Geek who lives in Pennsylvania USA
.PP
Pete Vargas Mas
.br
Professional Linux Geek
.br
Cell Phone:  (+1) 515-555-1212
.PP
Pete does like Starbucks Venti Skinny Cinnamon Dolce Latte no-whip…hint…
.SH SEE ALSO
Minion(8), Minion(8), Minion(8)
.SH BUGS
No known bugs this week.
.SH AUTHOR
Pete Vargas Mas (

I created the above file in my home directory (/home/pete), and named the file pete.1.

At this point, you can view the formatted man page using the command: man ./pete.1
Remember, the man 7 mdoc command will display a page that describes all the macros you can use when creating a man page.

Install the MAN Page

From the command line:

install -g 0 -o 0 -m 0644 pete.1 /usr/local/man/man8/
gzip /usr/local/man/man8/pete.1

Now you should be able to view your manpage using:    man pete

How to prepare the custom man page for installation via RPM

If you don’t have an environment for building custom RPM files, then do this in your home directory:

sudo yum install rpm-build rpm-devel rpmdevtools
rpmdev-setuptree
echo "%_sourcedir %{_topdir}/SOURCES/%{name}-%{version}" >> ~/.rpmmacros

Now you can create a skeleton spec file:

cd ~/rpmbuild/SPECS
rpmdev-newspec pete.spec

Create the source tar ball in the SOURCES/ directory, using the previously created pete.1.gz file:

cd ~/rpmbuild/SOURCES
mkdir -p pete-1.0/
cp /usr/local/man/man8/pete.1.gz pete-1.0/
tar cvzf pete-1.0.tar.gz ./pete-1.0/
mv pete-1.0.tar.gz ./pete-1.0/
cd ../SPECS

Edit the spec file:

Use your favorite text editor to edit the spec file shell created earlier:

vi pete.spec

Here’s an example of what my spec file looks like:

Name:           pete
Version:        1.0
Release:        1%{?dist}
Summary:        Pete Documentation
Group:          Testing
License:        GPL
Source0:        %{name}-%{version}.tar.gz
BuildArch:      noarch
Vendor:         VargasMas Consulting
Packager:       Pete Vargas Mas

%description
This is a test. We are trying to install a
sysadmin generated man page from a rpm file.
Just to prove we can.

%prep
%setup -q

%build

%install
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man8
install pete.1.gz $RPM_BUILD_ROOT/usr/share/man/man8

%files
/usr/share/man/man8/pete.1.gz

%changelog
* Wed Apr 29 2015  -
- Initial build.

Now save your spec file and create the rpm file:

rpmbuild -ba pete.spec

Look in the ../RPMS/noarch/ directory for your newly created rpm file!

Can we sign our RPM with a GPG Key?

Yes we can! You can use an existing gpg key pair to sign your rpm file.
If you don’t already have a gpg key pair, we can create one as shown in the following example:

[pete@linuxserver ~]$ mkdir ~/.gnupg

[pete@linuxserver ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Thu 28 Apr 2016 11:24:48 AM EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Pete Vargas Mas
Email address:
Comment: Pete's RPM Signing Key
You selected this USER-ID:
    "Pete Vargas Mas (Pete's RPM Signing Key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(At this point, you will enter a passphrase...)

can't connect to `/home/pete/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[30638]: directory `/home/pete/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /home/pete/.gnupg/trustdb.gpg: trustdb created
gpg: key 13B81880 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-04-28
pub   2048R/13B81880 2015-04-29 [expires: 2016-04-28]
      Key fingerprint = 0BE5 04F4 86EA 43A3 740B  24CC 88D7 94E0 13B8 1880
uid                  Pete Vargas Mas (Pete's RPM Signing Key)
sub   2048R/48AE8EB3 2015-04-29 [expires: 2016-04-28]

[pete@linuxserver ~]$

You can list all your gpg keys and see the new key:

[pete@linuxserver ~]$ gpg --list-keys
pub   2048R/13B81880 2015-04-29 [expires: 2016-04-28]
uid                  Pete Vargas Mas (Pete's RPM Signing Key)
sub   2048R/48AE8EB3 2015-04-29 [expires: 2016-04-28]

[pete@linuxserver ~]$

Now export the GPG key to a file, by specifying the uid of the key to export:

[pete@linuxserver ~]$ gpg --export -a 'Pete Vargas Mas' > RPM-GPG-KEY-PeteVargasMas

Import the GPG key into the rpm keyring:

[pete@linuxserver ~]$ sudo rpm --import RPM-GPG-KEY-PeteVargasMas

Check that rpm is aware of your gpg key:

[pete@linuxserver ~]$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

gpg-pubkey-0608b895-4bd22942 --> gpg(EPEL (6) )
gpg-pubkey-13b81880-5880f80a --> gpg(Pete Vargas Mas (Pete's  RPM Signing Key) )

Add the following two lines to the bottom of your ~/.rpmmacros file:

%_signature gpg
%_gpg_name  Pete Vargas Mas

This tells the rpmbuild command (which we'll be using later) which user's gpg key to use for signing.

Now we can use the RPM command to sign our rpm file with the GPG Key:

[pete@linuxserver ~]$ rpm --addsign rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm
Enter pass phrase:
Pass phrase is good.
[pete@linuxserver ~]$

To verify that we have a signed rpm file, use the "rpm -qpi" command as in the following example:

[pete@linuxserver ~]$ rpm -qpi rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm
Name        : pete                         Relocations: (not relocatable)
Version     : 1.0                               Vendor:
Release     : 1.el6                         Build Date: Wed 29 Apr 2015 10:40:48 AM EDT
Install Date: (not installed)               Build Host:
Group       : Testing                       Source RPM: pete-1.0-1.el6.src.rpm
Size        : 494                              License: GPL
Signature   : RSA/SHA1, Wed 29 Apr 2015 11:37:27 AM EDT, Key ID 88d784e013b81880
Packager    : Pete Vargas Mas
Summary     : Pete Documentation
Description :
This is a test. We are trying to install a
sysadmin generated man page from a rpm file.
Just to prove we can.
[pete@linuxserver ~]$

Now you can install your custom RPM file using yum:

[pete@linuxserver ~]$ sudo yum localinstall /home/pete/rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm
Loaded plugins: downloadonly, rhnplugin, security
Setting up Local Package Process
Examining /home/pete/rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm: pete-1.0-1.el6.noarch
Marking /home/pete/rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm to be installed
rhel-x86_64-server-6                                                                        | 1.5 kB     00:00
rhel-x86_64-server-optional-6                                                               | 1.5 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package pete.noarch 0:1.0-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package                  Arch                       Version                        Repository                                  Size
pete                     noarch                     1.0-1.el6                      /pete-1.0-1.el6.noarch                     494

Transaction Summary
Install       1 Package(s)

Total size: 494
Installed size: 494
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pete-1.0-1.el6.noarch                                                                                             1/1
  Verifying  : pete-1.0-1.el6.noarch                                                                                             1/1

  pete.noarch 0:1.0-1.el6

[pete@linuxserver ~]$

If you want to distribute your rpm file to the public, you will need to sign your rpm with a gpg key that has been uploaded to a public keyserver (that’s a separate article!), or give the recipient a copy of your PUBLIC gpg key (the RPM-GPG-KEY-PeteVargasMas I created earlier) so they can verify the rpm file on their own.
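
What the recipient should actually run, as an added example that is not part of the article: the "rpm -qpi" output above shows that a signature is attached, but it does not tell you whether rpm can validate it against the imported key. The script below checks that the Signature line names the key you expect and then runs "rpm -K" (the short form of --checksig), which exits non-zero when the key is not in the rpm keyring or the package was altered after signing. It assumes rpm is installed where verify_signed_rpm runs; the two text helpers work on plain strings and are shown with the key IDs from this article.

```shell
#!/bin/sh
# Added example, not part of the article: the check a recipient runs after
# importing the public key file with "rpm --import". It confirms that the
# Signature line names the key we expect and that rpm can validate the
# signature ("rpm -K" fails when the key is missing from the rpm keyring or
# the package was altered). Assumes rpm is installed where verify_signed_rpm
# runs; key_id_from_info and key_id_matches only handle text.

# rpm's Signature line carries the 64-bit key ID (88d784e013b81880), while
# gpg --list-keys and the gpg-pubkey package name show only its last eight
# hex digits (13B81880 / 13b81880), so match on the suffix, ignoring case.
key_id_matches() {   # usage: key_id_matches SIGNATURE_KEYID EXPECTED_KEYID
    sig=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$want" ] || return 1
    case $sig in
        *"$want") return 0 ;;
        *)        return 1 ;;
    esac
}

# Extract the Key ID from "rpm -qpi" output read on standard input.
key_id_from_info() {
    sed -n 's/^Signature *:.*Key ID \([0-9A-Fa-f]*\).*/\1/p'
}

verify_signed_rpm() {   # usage: verify_signed_rpm FILE.rpm EXPECTED_KEYID
    pkg=$1 expected=$2
    keyid=$(rpm -qpi "$pkg" | key_id_from_info)
    if [ -z "$keyid" ]; then
        echo "$pkg: no GPG signature attached" >&2
        return 1
    fi
    if ! key_id_matches "$keyid" "$expected"; then
        echo "$pkg: signed by key $keyid, expected $expected" >&2
        return 1
    fi
    rpm -K "$pkg"    # non-zero: key not imported, or package tampered with
}

# Example run, using the article's package and key:
#   verify_signed_rpm rpmbuild/RPMS/noarch/pete-1.0-1.el6.noarch.rpm 13B81880
```

Before trusting the key at all, the recipient should compare the fingerprint printed by "gpg --fingerprint" on the RPM-GPG-KEY file against one you gave them by some other route; a key ID alone is just a label.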