Blog

ssh fatal: buffer_get: trying to get more bytes than in buffer

The issue

You are using ssh to log in to a server with ssh key authentication and the connection is closed. On the server you are logging into, syslog shows messages like:

Oct 17 11:30:02 myserver sshd[27687]: [ID 800047 auth.crit] fatal: buffer_get: trying to get more bytes than in buffer

The fix

Check the authorized_keys file on the remote server with ssh-keygen -l -f ~/.ssh/authorized_keys

ssh-keygen -l -f ~/.ssh/authorized_keys
buffer_get: trying to get more bytes than in buffer

The above shows there is at least one key in your file that is in the wrong format – usually because it is split over several lines rather than being just one long line. (Note it could be any key in the file – not necessarily the one you are using from your server.) Once you fix the key, confirm with ssh-keygen that all is well – it should return an MD5 checksum.

ssh-keygen -l -f authorized_keys
md5 1024 5d:35:7e:ad:3d:e6:70:6d:6f:1d:76:1a:46:ee:c1:c9 authorized_keys

Now retry your ssh access
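
ssh-keygen only reports that some key in the file is bad. The following added example (not part of the original post) names the offending lines by walking each key blob's length-prefixed fields; a blob cut short by a line break declares more bytes than it contains. The function names and the sample key are constructed for illustration, and it assumes base64, od and awk are on the PATH.

```sh
#!/bin/sh
# Added example. An SSH public key blob is a run of fields, each a 4-byte
# big-endian length followed by that many bytes.

# blob_ok BASE64: succeed only if the fields end exactly at the last byte.
blob_ok() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tu1 |
    awk '{ for (i = 1; i <= NF; i++) b[n++] = $i }
         END { if (n < 4) exit 1
               for (p = 0; p < n; p += 4 + len) {
                   if (p + 4 > n) exit 1
                   len = ((b[p] * 256 + b[p+1]) * 256 + b[p+2]) * 256 + b[p+3]
               }
               exit (p == n ? 0 : 1) }'
}

# check_keys FILE: print "LINE: reason" for each bad line; status 1 if any.
check_keys() (
    set -f                      # no globbing while splitting the line
    bad=0 ln=0
    while IFS= read -r line || [ -n "$line" ]; do
        ln=$((ln + 1))
        case $line in ''|'#'*) continue ;; esac
        blob='' prev=''
        for f in $line; do      # options may precede the key type
            case $prev in ssh-*|ecdsa-*|sk-*) blob=$f; break ;; esac
            prev=$f
        done
        if [ -z "$blob" ]; then
            echo "$ln: no key type (continuation of a split key?)"; bad=1
        elif ! blob_ok "$blob"; then
            echo "$ln: key blob truncated or corrupt"; bad=1
        fi
    done < "$1"
    exit "$bad"
)

# Constructed sample: an ed25519-shaped key (32 bytes of '0', not a real key)
# written once intact and once wrapped over two lines.
make_sample() {
    k=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
           printf '%032d' 0; } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s good@example\n' "$k"
    printf 'ssh-ed25519 %s\n' "$(printf '%s' "$k" | cut -c1-40)"
    printf '%s split@example\n' "$(printf '%s' "$k" | cut -c41-)"
}
# Demo on the sample; for real use call: check_keys ~/.ssh/authorized_keys
tmp=$(mktemp) && make_sample > "$tmp"
check_keys "$tmp"; rm -f "$tmp"
```

On the sample it reports lines 2 and 3, the two halves of the wrapped key.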

TSM ANS1245E The file has an unknown format When doing a RMAN restore

If the DBAs get the error “ANS1245E The file has an unknown format” when doing an RMAN restore of a DB from one machine to another, check that the version of the TSM client API (not the TDP version) is the same on both machines.

The easiest way to do this is to type dsmc on both machines

This is machine 1 where the TSM RMAN backup was done

$ dsmc
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 7, Release 1, Level 1.0

This is machine 2 where the DBAs were restoring the RMAN backup to

$ dsmc
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 6, Release 4, Level 2.0

The fix was to upgrade the TSM client on machine 2 to 7.1.1 to match that on machine 1. Once the client was updated the RMAN restore worked fine.

Configure Sendmail on HPUX to listen on localhost only

HPUX 11.23

Edit /etc/mail/sendmail.cf  – search for DaemonPortOptions  and set
O DaemonPortOptions=Name=MTA, Addr=127.0.0.1
O DaemonPortOptions=Addr=127.0.0.1, Port=587, Name=MSA, M=E

Restart Sendmail

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm sendmail is only listening on localhost

netstat -an | grep 25
tcp 0 0 127.0.0.1.25 *.* LISTEN

HPUX 11.11,  HPUX 11.00 and HPUX 10.20

Edit /etc/mail/sendmail.cf  – search for DaemonPortOptions  and set
O DaemonPortOptions=Addr=127.0.0.1

Restart Sendmail

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm Sendmail is only listening on localhost

netstat -an | grep 25
tcp 0 0 127.0.0.1.25 *.* LISTEN

HPUX 11.31

cd /usr/newconfig/etc/mail/cf/cf
./gen_cf

1 General Features
8:  Send only

0 Main Menu

5: Generate sendmail.cf

6: Generate submit.cf

9: Create User and Queue for MSP
The group account for smmsp would be
created with the following gid value
gid = 25
>  Do you want to continue and create the group with the above gid
Press any key to continue or [n/N] to change the gid value

Group created Successfully

The user account for smmsp would be
created with the following uid value(recommended).
uid = 2500
>  Do you want to continue and create the user with the above uid
Press any key to continue or [n/N] to change the uid value

User created successfully
Creating Queue dir for MSP: /var/spool/clientmqueue/
Access permissions of /usr/sbin/sendmail is set to 2555
Group ID of /usr/sbin/sendmail is set to smmsp
Press any key to continue

0: Exit from selection

cp sendmail.cf.gen /etc/mail/sendmail.cf
cp submit.cf.gen /etc/mail/submit.cf

vi /etc/mail/sendmail.cf
O DaemonPortOptions=Name=MTA, Addr=127.0.0.1
O DaemonPortOptions=Addr=127.0.0.1, Port=587, Name=MSA, M=E

vi /etc/rc.config.d/mailservs
export SENDMAIL_SERVER=0
export SENDMAIL_SERVER_NAME=
export SENDMAIL_RECVONLY=0
export SENDMAIL_SENDONLY=1

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm Sendmail is listening on localhost only

netstat -an | grep 25

tcp        0      0  127.0.0.1.25           *.*                     LISTEN
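
The listener check above, made stricter as an added example (not part of the original post): it matches ports 25 and 587 exactly and reports any listener not bound to 127.0.0.1. The function names and the sample netstat lines are constructed, using the address.port layout shown above.

```sh
#!/bin/sh
# Added example. `grep 25` also matches ports such as 2500 or 51025 and says
# nothing about the MSA on port 587, so compare the port exactly.

# exposed_smtp: read `netstat -an` output on stdin and print "addr port" for
# every LISTEN socket on port 25 or 587 that is not bound to 127.0.0.1.
exposed_smtp() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             n = split($4, part, ".")     # HP-UX style: address.port
             port = part[n]
             addr = substr($4, 1, length($4) - length(port) - 1)
             if ((port == 25 || port == 587) && addr != "127.0.0.1")
                 print addr, port
         }'
}

# Constructed sample in the netstat format shown above.
sample_netstat() {
    cat <<'EOF'
tcp        0      0  127.0.0.1.25           *.*                     LISTEN
tcp        0      0  *.587                  *.*                     LISTEN
tcp        0      0  *.2500                 *.*                     LISTEN
tcp        0      0  192.0.2.10.25          *.*                     LISTEN
tcp        0      0  192.0.2.10.22          192.0.2.99.51025        ESTABLISHED
EOF
}

# Demo on the sample; on a live host use: netstat -an | exposed_smtp
sample_netstat | exposed_smtp
```

No output means both the MTA and the MSA are bound to localhost only.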

Installing letsencrypt free SSL HTTPS certificate on Centos 6 Apache

Letsencrypt is a free and open automated certificate authority. You can get an SSL certificate from them for free that is trusted by browsers on nearly all platforms – see the FAQ

This is how to do it for Centos 6 running Apache HTTPD server and assumes you already have HTTPS setup but are currently using a self signed certificate.

Note the way you request and get verified for the certificate is by installing a Python client which will start up its own web server on port 80. The install of the client may involve installing dependency Centos packages like gcc and other development tools.

So first install the client

As root or using sudo

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Stop Apache

service httpd stop

Run the client (note: as Centos 6 uses Python 2.6 you have to enable debug mode and you get lots of warnings about version 2.6), giving your email address and the domains you want. For my site I did:

./letsencrypt-auto certonly --standalone --email me@tuqix.org -d tuqix.org  -d www.tuqix.org

It will fire up a screen to ask you to accept their terms and conditions

It will then come back with a message that your certificate has been saved as /etc/letsencrypt/live/yourdomain/fullchain.pem

Start your Apache HTTP server

service httpd start

Edit /etc/httpd/conf.d/ssl.conf

Update
SSLCertificateFile /etc/letsencrypt/live/yourdomain/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/yourdomain/chain.pem

Restart Apache HTTPD server

service httpd restart

Now when you browse to https://yourdomain your browser should not complain about the SSL certificate

Renewing your certificate

Letsencrypt certificates are valid for 90 days.

The good news is you can automagically renew your certificate. By default it will only update your certificate if it will expire in less than 30 days so you can run a cron job once a month for example without any harm.

To renew a certificate :-

Stop Apache

service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug

If the renew was successful you will see :-

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/yourdomain/fullchain.pem (success)

Then start Apache

service httpd start

To run from cron create a script /usr/local/bin/letsencrypt.renew like

#!/bin/bash
# Stop Apache so the standalone client can use port 80, renew, then start Apache again.

/sbin/service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug > /var/log/letsencrypt/renew.log 2>&1

/sbin/service httpd start

Add it to root’s cron to run for example 03:00 on the 9th of each month

00 03 09 * * /usr/local/bin/letsencrypt.renew

TSM ANS4042E one or more unrecognised characters and is not valid , Linux client

When backing up a Linux client to TSM we were getting the error :-

ANS4042E Object name  contains one or more unrecognised characters and is not valid

In our case we had file names based on surnames – some of which had non-English characters.

The fix was to add the following to our backup script :-

export LANG=C

Odiris A-8 Coconut Grater Review

Getting the edible coconut out of a coconut can be a challenge. I have found a useful tool – the Odiris A-8 Coconut Grater.

It comes with just the blade needing to be screwed onto the body.
Once assembled you clamp it to a worktop  ( use some paper to protect the worktop surface ) with a bowl underneath the cutter to catch the coconut gratings and then hold a half of a coconut with one hand while turning the handle with the other.

You need to rotate round the coconut as you go so the blades can get access to all the content.

I found it easy to use and easy to clean afterwards – much better than trying to use a knife to get at the coconut.

The UK distributor is Nishan Enterprise Lanka Limited. You can find the Odiris for sale on eBay as well as in various ethnic grocery shops.

Discover what control LDOM a guest LDOM is on

If you are on a Solaris LDOM and you want to find out what the Control LDOM is :-

virtinfo -a
Domain role: LDoms guest I/O
Domain name: myserver-p1
Domain UUID: 06a4456da-76e0-4aa9-a0ef-ebc64ed0aada
Control domain: mycontrolldom
Chassis serial#: 1223BEZ6RRE

So the above shows it to be a guest LDOM called myserver-p1 and the Control LDOM is mycontrolldom

You can also use virtinfo -c to return just the Control domain.

E437: terminal capability “cm” required in Redhat or Centos 6

If you try to use vi or another curses-based application in Redhat or Centos 6 and you get the error :-

E437: terminal capability “cm” required
Press ENTER or type command to continue

and your TERM type is something other than a vt100, like a dtterm, then you need to install additional terminfo entries.

The fix

yum install ncurses-term

Now ls /usr/share/terminfo/d shows lots of entries rather than just dumb.

Seas 11-FM speaker repair / replacement

SEAS 11-FM Speaker Foam Surround Repair

I bought a SEAS 603 kit many years ago and over the years it has been put into new cabinets, and the tweeter and woofer have been replaced, so only the midrange unit, the 11-FM, is the original. This unit is not looking so good – the foam surround has perished in places and is looking yucky.

A search for a suitable replacement did not yield any satisfactory results – most speaker units these days are designed for 2 way systems and the 11-FM comes with its own sealed enclosure cone and the specs are quite unusual. So my search turned to replacement foam surrounds – I found a company, Good HIFi, that offers replacement foam surrounds for the SEAS 11-FM and they also ship world wide. They have a useful video on their site showing how to replace a foam surround. I ordered 2 replacement foam surrounds and a bottle of glue. The replacements arrived.

Once removed from the cabinet the old foam surround is removed – useful tools are a craft knife and a wood chisel.

Next you glue the inner edge of the replacement foam surround to the cone and use a suitable weight to hold down the cone until the glue dries – make sure the cone is still centred and does not rub on anything.

Next glue the outer edge of the replacement foam surround to the speaker chassis – use some clothes pegs and cardboard to hold it down while the glue dries. Once complete it will look as good as new.

Now you can put them back into the cabinets and enjoy your speakers once more.

UTF-8 AIX and the ï»¿

I set up a GPG encryption transfer with a 3rd party to transfer XML files.

On decrypting the GPG XML file I noticed when I vi’d the file I had ï»¿ at the beginning of the file – everything else in the file was displayed OK.

In the end it turned out it was all to do with character sets – the default AIX character set is ISO8859-1 and the file was sent from a server that was using UTF-8.

The ï»¿ I was seeing is the BOM (Byte Order Mark) – Wikipedia has a useful page that shows what characters are displayed on an ISO8859-1 system for the various UTF encodings.

To convert to ISO8859-1 you can use iconv
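
As an added example (not part of the original post), one way to detect the BOM and remove it before running iconv. The function names and the sample file are constructed here, and the code set names UTF-8 and ISO8859-1 are assumed to be the ones your iconv accepts.

```sh
#!/bin/sh
# Added example: find and drop a UTF-8 BOM, then convert to ISO8859-1.

# has_bom FILE: succeed if FILE starts with the UTF-8 BOM bytes EF BB BF.
has_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# strip_bom FILE: write FILE to stdout without a leading BOM.
strip_bom() {
    if has_bom "$1"; then tail -c +4 "$1"; else cat "$1"; fi
}

# to_latin1 SRC DST: U+FEFF has no ISO8859-1 equivalent, so drop it first.
to_latin1() {
    strip_bom "$1" | iconv -f UTF-8 -t ISO8859-1 > "$2"
}

# Constructed sample: BOM, then XML with one non-ASCII character (e-acute).
make_sample_xml() {
    printf '\357\273\277<?xml version="1.0"?><n>caf\303\251</n>\n'
}

# Demo on the sample; for real use call: to_latin1 in.xml out.xml
tmp=$(mktemp) && make_sample_xml > "$tmp"
has_bom "$tmp" && echo "BOM found"
strip_bom "$tmp" | head -c 5; echo
rm -f "$tmp"
```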