Ahoy there! This is my personal blog which I use as my memory extension and a medium to share stuff that could be useful to others.

How PAM works

Pluggable Authentication Modules (PAM) is a framework used for authentication. Typically, most Linux distros come with PAM installed by default. PAM can be powerful if used well and it’s important to understand how PAM works. PAM has its criticisms, but is quite adequate for most purposes.

Refer to this LINUX FORMAT article for a good introduction to PAM.

For easy reference, I’ve stitched together an image of important PAM concepts (shown below) taken from the LINUX FORMAT article.

[Image: PAM concepts, first published in LXF]


Problem:

When changes are made to /etc/security/limits.conf to apply limits for resources (e.g. file descriptors, processes), the changes are not visible in my Shell (SSH Session). However, when using programs such as su, the changes are visible.

Background:

/etc/security/limits.conf is the configuration file for the pam_limits PAM module. By default, the pam_limits module is used in ssh policies in /etc/pam.d. However, the SSH server must be configured to use PAM.

Solution:

  • Make your SSH server PAM-aware by setting one or both of the following in the SSH configuration file:

    UsePamSessions=yes

    or

    UsePAM=yes

  • Restart the SSH server

Root Cause:

The SSH server was not configured to use PAM.
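A way to check both halves of this fix before and after the change, as an added example that is not part of the original post: it reads the SSH server configuration for the two keywords named above and confirms that pam_limits.so is reachable from the sshd PAM session stack. The function names are made up for this example and the sample files are constructed; on a real host you would pass the SSH server's configuration file and /etc/pam.d.

```shell
# first_value FILE KEYWORD: first value set for KEYWORD (sshd keeps the first
# occurrence; keywords are case-insensitive; "Keyword=value" is accepted).
first_value() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          sub(/[ \t]*=[ \t]*/, " ", line)
          n = split(line, f, /[ \t]+/)
          if (n >= 2 && tolower(f[1]) == tolower(kw)) { print tolower(f[2]); exit } }
    ' "$1"
}

# has_pam_limits DIR SERVICE [DEPTH]: succeed if SERVICE's session stack loads
# pam_limits.so, following "session include|substack X" and "@include X" into
# DIR. Subshell body: each recursive call gets its own variables.
has_pam_limits() (
    dir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -le 5 ] && [ -f "$dir/$svc" ] || exit 1
    grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_limits\.so' "$dir/$svc" && exit 0
    for inc in $(awk '$1 == "@include" { print $2 }
        $1 ~ /^-?session$/ && ($2 == "include" || $2 == "substack") { print $3 }' "$dir/$svc")
    do
        has_pam_limits "$dir" "$inc" $((depth + 1)) && exit 0
    done
    exit 1
)

# check_ssh_limits SSHD_CONFIG PAM_DIR: print a one-line verdict.
check_ssh_limits() {
    pam=$(first_value "$1" UsePAM)
    sess=$(first_value "$1" UsePamSessions)   # second keyword named in the post
    if [ "$pam" != yes ] && [ "$sess" != yes ]; then
        echo "FAIL: sshd not PAM-aware"
    elif ! has_pam_limits "$2" sshd; then
        echo "FAIL: pam_limits.so missing from sshd session stack"
    else
        echo "OK"
    fi
}

# demo: run the check on constructed sample files (not from a real host).
demo() {
    d=$(mktemp -d)
    printf '#UsePAM no\nPort 22\nusepam = yes\nUsePAM no\n' > "$d/sshd_config"
    printf 'auth include system-auth\nsession include system-auth\n' > "$d/sshd"
    printf 'session required pam_limits.so\n' > "$d/system-auth"
    check_ssh_limits "$d/sshd_config" "$d"
    rm -rf "$d"
}
```

After the restart, running `ulimit -n` or `ulimit -u` in a fresh SSH session shows whether the values from limits.conf are now applied.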

 

NOTE:

(1) The solution above describes a successful problem-solving experience and may not be applicable to other problems with similar symptoms.

(2) Your rating of this post will be much appreciated. Also, feel free to leave comments.

 


Problem:

  • Cannot connect to a MySQL database on a remote host (port 3306)
  • Firewalls aren’t blocking traffic and network connectivity is available.
  • The MySQL database is up and running on the remote host and can be accessed when connecting to it from the remote host itself (as localhost)

Background:

Access to a MySQL database may be restricted and this restriction may be configured in the configuration file my.cnf. A directive such as bind-address=127.0.0.1 will ensure that the MySQL database can be accessed only from localhost.

Solution:

  1. Edit the configuration file my.cnf and ensure that the following is set:
    bind-address=<external-ip of remote host>
  2. Restart MySQL

Root Cause:

Connectivity to the MySQL database was restricted in the my.cnf configuration file with the bind-address directive.

 


Typically, building a LAMP system on RHEL may be performed by yum installs. However, I wanted specific options built-in for my AMP and I wanted to locate the software in specific locations. Hence, I opted to compile from source. It ain’t scary, but took me a few iterations to get stuff sorted out and this article describes what I did:

My LAMP System:

  • L – RHEL 5.7 (kernel 2.6.18-274.3.1.el5)
  • A – Apache 2.2.20
  • M – MySQL 5.5.15
  • P – PHP 5.3.8

STEP 1: Install Apache HTTP

Pre-requisites:

  • Create a user for Apache. This user will be used to launch the httpd child processes (assuming that the root user will launch the parent process to listen at port 80 (or any port < 1024)). I created a user called apache as shown below (command executed as the root user):

    useradd -c "Apache HTTP" -s /bin/bash -m apache
  • Select a location to install apache and ensure that the user created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/apache-2.2.20
    chown -R apache:apache /opt/apache-2.2.20

Installation:

As the apache user, I executed the following:

tar -xvzf httpd-2.2.20.tar.gz
cd httpd-2.2.20
./configure --prefix=/opt/apache-2.2.20 --enable-so

STEP 2: Install MySQL

Pre-requisites:

  • Create a user for MySQL. This user will be used to launch the mysqld process. I created a user called mysql as shown below (command executed as the root user):

    useradd -c "MySQL Admin" -s /bin/bash -m mysql
  • Select a location to install mysql and ensure that the user created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/mysql-5.5.15
    chown -R mysql:mysql /opt/mysql-5.5.15
  • You may have to install some packages to build MySQL. I installed packages as per the following command (executed as the root user):

    yum install gcc gcc-c++.x86_64 cmake ncurses-devel libxml2-devel.x86_64

Installation:

As the mysql user, I executed the following:

tar -xvzf mysql-5.5.15.tar.gz
cd mysql-5.5.15
cmake . -DCMAKE_INSTALL_PREFIX=/opt/mysql-5.5.15 -DSYSCONFDIR=/opt/mysql-5.5.15
make
make install

STEP 3: Install PHP

Pre-requisites:

  • Select a location to install php and ensure that the appropriate user (web server user e.g. apache) created in the above step has appropriate privileges. I executed the following commands as the root user:

    mkdir /opt/php-5.3.8
    chown -R apache:apache /opt/php-5.3.8
  • As I needed a few packages for the phpMyAdmin application and other bespoke PHP applications, I did the following (use a combination of yum and rpm as I did not find all packages in my yum repositories):

    # As root user
    rpm -ivh libmcrypt-2.5.7-1.2.el5.rf.x86_64.rpm
    rpm -ivh libmcrypt-devel-2.5.7-1.2.el5.rf.x86_64.rpm
    rpm -ivh mhash-0.9.9-1.el5.rf.x86_64.rpm
    yum install php53-mbstring.x86_64 bzip2 bz2 libbz2 libbz2-dev autoconf
    tar -xvzf mcrypt-2.6.8.tar.gz
    cd mcrypt-2.6.8
    ./configure --disable-posix-threads --prefix=/opt/mcrypt

Installation:

As the apache user, I executed the following:

tar -xvzf php-5.3.8.tar.gz
cd php-5.3.8
./configure --prefix=/opt/php-5.3.8 --with-apxs2=/opt/apache-2.2.20/bin/apxs --with-config-file-path=/opt/php-5.3.8 --with-mysql=/opt/mysql-5.5.15 --with-bz2 --with-zlib --enable-zip --enable-mbstring --with-mcrypt

  • A CSR or Certificate Signing Request is an encrypted block of text that is used to request a digital certificate from a Certificate Authority (CA).
  • A CSR must be created on the server which will host the digital certificate.
  • A key pair (public/private keys) must be created before or during the creation of a CSR.
  • A CSR will contain the public key and other information provided for the certificate (Organization Name, Department Name, etc).
  • As a key pair is used in the creation of a CSR, the digital certificate provided by a CA upon receipt of your CSR must be used along with the private key used in the creation of the CSR. If the private key is lost, then the digital certificate will be useless.

Example CSR (base-64 PEM format):


Given below are three methods to generate a CSR using openssl:

METHOD 1: Create a CSR and a new private key

Assuming you start from scratch, use the following command to create a CSR and a private key:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-newcsr]

METHOD 2: Create a CSR for an existing private key

If you wish to use an existing private key, use the following command to create a CSR with it:

openssl req -out CSR.csr -key privateKey.key -new

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-newcsr]

METHOD 3: Create a CSR for certificate renewal (using an existing certificate and an existing private key)

If you wish to create a CSR for certificate renewal and want to avoid re-entering certificate details, use the following command:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-oldcert-newcsr]

NOTE: The CSR file created using METHOD 3 will contain certificate and certificate request details. In this case, you must extract only the certificate request (the text from and including -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) and submit the extract to your CA.
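The checks worth running before a CSR goes to the CA, as an added example that is not part of the original post: it runs METHOD 1 non-interactively, confirms that the CSR verifies and carries the public half of the private key, then runs METHOD 3 and extracts only the request block as the NOTE describes. The function names, the -subj value and the self-signed certificate standing in for a CA-issued one are assumptions of this example.

```shell
# pub_of_*: print the public key (PEM) carried by a CSR, a private key, a certificate.
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey; }
pub_of_key()  { openssl pkey -in "$1" -pubout; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# csr_ok CSR KEY: the CSR's self-signature verifies and the CSR carries the
# public half of KEY (needs no private key to read the CSR itself).
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' &&
    [ "$(pub_of_csr "$1")" = "$(pub_of_key "$2")" ]
}

# extract_csr FILE: keep only the request block (the NOTE for METHOD 3).
extract_csr() {
    sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$1"
}

# roundtrip DIR: METHOD 1, a self-signed stand-in for the CA's certificate,
# then METHOD 3; succeeds only if every artefact belongs to the same key.
roundtrip() (
    cd "$1" || exit 1
    umask 077    # -nodes writes the private key unencrypted; keep it owner-only
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes \
        -keyout privateKey.key -subj "/O=Example/CN=example.test" 2>/dev/null || exit 1
    csr_ok CSR.csr privateKey.key || exit 1
    openssl x509 -req -in CSR.csr -signkey privateKey.key -days 30 \
        -out certificate.crt 2>/dev/null || exit 1
    openssl x509 -x509toreq -in certificate.crt -signkey privateKey.key \
        -out renew.raw 2>/dev/null || exit 1
    extract_csr renew.raw > renew.csr
    csr_ok renew.csr privateKey.key &&
    [ "$(pub_of_cert certificate.crt)" = "$(pub_of_key privateKey.key)" ] &&
    [ "$(openssl req -in renew.csr -noout -subject)" = \
      "$(openssl req -in CSR.csr -noout -subject)" ]
)
```

The same public-key comparison, with `pub_of_cert` on the certificate the CA returns, tells you whether that certificate belongs to the private key you still hold.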
