Foundry ServerIron SSL Troubleshooting

Logon to the ServerIron and enter enable mode:

    rconsole 1 1

    url debug 3 <client ip>   # client ip is the address you will initiate the traffic from (browser, etc.)

Generate traffic: connect to the site through the load-balancer address (make a hosts file entry if necessary).

After generating some traffic, copy the output from the putty terminal and then turn off debugging with:

    url debug 0

    rconsole-exit

 

Review the output for errors and send it to Foundry if necessary.

If you see the error "You are about to be redirected to a connection that is not secure." for pages on your SSL-protected sites, you may want to try the following:

Create csw rules for redirects (r6 matches the redirect status codes, r7 matches a Location header that points back to the site over plain http):

    csw-rule "r6" response-status-code 301 302

    csw-rule "r7" response-header "Location" pattern "http://www.sysxperts.com"


Create a csw policy to rewrite the headers so that all matching redirects are sent via https instead of http:

    csw-policy "sysxperts-301" type response-rewrite

      ! matches all status codes 301-302 for redirects

      match "r6" response-header-rewrite

      ! this takes the first four characters (offset 0 length 4 which is http) and replaces them with "https"

      match "r7" rewrite response-header-replace "https" offset 0 length 4

 

Bind the policy to your virtual server:

    server virtual sysxperts.com

      port ssl response-rewrite-policy "sysxperts-301"
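Added example, not Foundry code: a model of what the response-rewrite policy above does to a captured redirect, together with the check to run over the url debug output afterwards. It assumes the r7 pattern is matched against the start of the Location value, and the sample responses are constructed.

```python
# Added example, not Foundry code: a model of the csw response-rewrite policy
# above, so you can see which redirects it fixes and which it leaves insecure.
# Assumption: the r7 pattern is matched against the start of the Location value.

REDIRECT_CODES = {301, 302}                     # csw-rule r6: response-status-code 301 302
LOCATION_PATTERN = "http://www.sysxperts.com"   # csw-rule r7: response-header "Location" pattern
REPLACEMENT, OFFSET, LENGTH = "https", 0, 4     # response-header-replace "https" offset 0 length 4


def split_response(raw):
    """Split a raw HTTP response into (status code, status line, header lines, separator, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    return status, status_line, header_lines, sep, body


def rewrite_redirect(raw):
    """Apply the policy: only a 301/302 (r6) whose Location starts with the
    r7 pattern gets LENGTH characters at OFFSET replaced by REPLACEMENT."""
    status, status_line, header_lines, sep, body = split_response(raw)
    if status not in REDIRECT_CODES:
        return raw                               # r6 did not match: response untouched
    out = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "location" and value.startswith(LOCATION_PATTERN):
            value = value[:OFFSET] + REPLACEMENT + value[OFFSET + LENGTH:]
            line = f"{name}: {value}"
        out.append(line)
    return "\r\n".join([status_line, *out]) + sep + body


def insecure_redirects(raw):
    """Return the Location values of a redirect that still point at plain http://.
    Run this over the 'url debug' capture: a hit means r7's pattern did not
    cover that redirect target, so the browser still gets the warning."""
    status, _, header_lines, _, _ = split_response(raw)
    if status not in REDIRECT_CODES:
        return []
    hits = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and value.strip().startswith("http://"):
            hits.append(value.strip())
    return hits


# Constructed sample responses in the shape a redirect shows up in the debug output.
SAMPLE_COVERED = ("HTTP/1.1 302 Found\r\n"
                  "Location: http://www.sysxperts.com/login\r\n"
                  "Content-Length: 0\r\n\r\n")
# Same site without the www prefix: r7 does not match, so the policy leaves it alone.
SAMPLE_UNCOVERED = ("HTTP/1.1 301 Moved Permanently\r\n"
                    "Location: http://sysxperts.com/\r\n"
                    "Content-Length: 0\r\n\r\n")
# Not a redirect (r6 does not match): the Location header is not rewritten.
SAMPLE_CREATED = ("HTTP/1.1 201 Created\r\n"
                  "Location: http://www.sysxperts.com/api/item/7\r\n"
                  "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_COVERED, SAMPLE_UNCOVERED, SAMPLE_CREATED):
        fixed = rewrite_redirect(sample)
        print(fixed.split("\r\n")[1], "->", insecure_redirects(fixed) or "no insecure redirect")
```

A redirect to the bare host (second sample) is exactly the case the page's rules do not cover; add a further csw-rule for each hostname the application redirects to.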


Show tech (output to collect if you need to send a case to Foundry):

rconsole 1 1
show server session
show server debug
show server traffic
show server proxy
wsm show cpu
wsm dm resource
sh ssl key *
sh ssl cert *
sh ssl stat counter
sh ssl stat alert
sh ssl stat crypto
sh ssl stat client
sh socket stat
sh vm mem
sh vm deb
sh cp deb
sh ssl deb
sh tcp buf
sh cp stat
sh vm stat
sh sock list
sh ssl con
rconsole-exit


Foundry ServerIron SSL Certificate Management

After generating the CSR on the Apache server and obtaining the certificate from Verisign, use the following procedure to upload the certificates and keys to the Foundry and update the configuration.

Make a note of the existing certificates and keys on the Foundry as follows: logon to each load balancer with putty and run sh config.

192.168.5.60 and 192.168.5.80 are prod devices
192.168.7.60 and 192.168.7.80 are test devices

en
sh config

You only need to look at the ssl profile sections, shown below:

ssl profile www-sysxperts-org2
 keypair-file sysxperts-key2
 certificate-file sysxpertsnew
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining
ssl profile pvalentino
 keypair-file pvalentino-key
 certificate-file pvalentinochain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining

Make a note of the existing keypair-file and certificate-file names, because you cannot reuse a name when uploading the new certs and keys. Given the output above and the need to install a new cert for www.sysxperts.org:

Logon to the Apache web server mnsvlwwwp001 as a regular user (uploads will not work as the root user).

cd to the /data/web/certs folder, or wherever you stored the keys and certs. The following uploads must be done as a regular user and in the order shown (key first, then the server cert, then the intermediate cert into the same cert name so it forms the chain).

scp ./www.sysxperts.org.key pvalentino@192.168.5.60:sslkeypair:sysxperts-key3:sysxperts:pem
scp ./www.sysxperts.org.key pvalentino@192.168.5.80:sslkeypair:sysxperts-key3:sysxperts:pem
scp ./www.sysxperts.org.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
scp ./www.sysxperts.org.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem
scp ./verisign_inter.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
scp ./verisign_inter.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem

Verify that the new keys and certs have been uploaded to the Foundry devices as follows:

rconsole 1 1
sh ssl cert *
Output >
pvalentinochain 2944
sysxpertsnew 2826
sysxpertsorg3 2826 # here is the new cert chain
sh ssl key *
Output >
pvalentino-key 1209
sysxperts-key2 1197
sysxperts-key3 1209 # here is the new key
rconsole-exit


After uploading all the keys and certs to both devices and verifying, update the config on both devices as follows:

First unbind the ssl profile from the virtual server and remove the old key and cert from the profile (config mode is needed for this step):

conf t
server virtual webprd
 no port ssl ssl-terminate www-sysxperts-org2
ssl profile www-sysxperts-org2
 no certificate-file sysxpertsnew
 no keypair-file sysxperts-key2


Perform a save with:

end
wr mem

Update the ssl profile to reference the new key and cert:

conf t
ssl profile www-sysxperts-org2
 keypair-file sysxperts-key3
 certificate-file sysxpertsorg3
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining

Bind the virtual server to the updated profile:

server virtual webprd
 port ssl ssl-terminate www-sysxperts-org2

Perform a save with:

end
wr mem

Test configuration and burn-in for at least 7 days before cleaning up old certs and keys.

Cleaning up:

en
rconsole 1 1
sh ssl key *
clear ssl key oldkey     # removes the named key
sh ssl cert *
clear ssl cert oldcert   # removes the named cert chain
rconsole-exit

Ctrl-H is the backspace key on the Foundry. You can update the putty keyboard properties to send Ctrl-H if you find this as annoying as I do :)



VMWare ISO storage and mounting

By far the easiest thing to do is make your workstation the ISO storage facility; whether you are mapped to a Windows network share or using local disk does not matter. Just enable the CD-ROM as a client device in the VMWare VI client under Edit Settings for the virtual machine you want to set up. Then restart the Virtual Host, pressing ESC very quickly to get the boot prompt. Then click the CD/DVD button and map it to an ISO by browsing to your network share or local disk and selecting the appropriate ISO file.


Alternatively, copy the ISOs onto the ESX server: sftp to the ESX server and cd to /vmimages

mput *.iso   # run from the directory where your ISOs are

Select the virtual machine in VMWare and click it

Choose Edit Settings

Click DVD on the Hardware tab

Select the Datastore ISO file radio button, browse to the vmimages folder to locate your ISO, and make sure Connect at power on is selected

You can mount up to 4 ISOs on a single VM at a time

Reboot the virtual machine, hit Escape if necessary to get the boot prompt, and select the CD/DVD device with the ISO you would like to boot from


There are three primary options for storing ISOs:

1) Create an ISO directory on one of your VMFS volumes and store them there.

2) Create a Samba mount to a Windows Server and store them there.

3) Create an NFS VMFS volume using a Windows Server and store them there.


How do I create an ISO mount point that points to a Windows Server for storing ISO files for my VMs?

You can create a mount point inside /vmimages so your VMs can access ISO files when needed. You could just create a directory on your VMFS volume and copy them there, but this takes valuable disk space away from the ESX server. You can also use this technique to create other mount points on the ESX server if you need to copy files to or from a Windows server for patches and other things.

• First you will have to open the firewall port in ESX by typing “esxcfg-firewall -e smbClient” in the service console. This opens outbound TCP ports 137-139 and 445.

• Next make sure the Local Security Policy on the Windows Server you are going to map to has the following settings under Security Options. If you do not do this you may get a “Stale NFS Handle” or “Permission denied” error when trying to mount. Be aware that these settings turn off SMB signing for every client of that server, not just the ESX host.

o Microsoft network client: Digitally sign communications (always) - DISABLED

o Microsoft network client: Digitally sign communications (if server agrees) - DISABLED

o Microsoft network server: Digitally sign communications (always) - DISABLED

o Microsoft network server: Digitally sign communications (if server agrees) - DISABLED

• Next type “cd /vmimages” and then “mkdir ISO”

• Next type “mount -t smbfs -o username=<local windows username> //<windows server>/<share> /vmimages/ISO”. You can also use a Windows domain username by typing “username=<windows domain username>,workgroup=<windows domain name>”.

• You will be prompted for a password for the user account you are using.

• You can type “cd /vmimages/ISO” and do “ls” and you should see all your files. You can now map your VM’s CD-ROM using the Datastore ISO file device type and select the /vmimages/ISO folder.

• If you no longer need this mount point you can un-mount it by typing “umount /vmimages/ISO”

• To have your ESX server mount this automatically when it restarts, do the following:

o Edit /etc/fstab using Nano or Vi

o Add the following line to the bottom of the file: “//<windows server>/<share> /vmimages/ISO smbfs noauto,username=<windows username>,password=<windows username password> 0 0”. Note that /etc/fstab is readable by every local account on the ESX host, so a password placed there is visible to anyone who can log in; smbfs also accepts credentials=<file>, pointing at a root-only readable file holding the username and password, which keeps it out of fstab.

o Edit /etc/rc.local using Nano or Vi

o Add the following line to the bottom of the file: “mount -a”

How do I create an NFS volume on a Windows Server to use for storing ISO files for my VMs? You can do this if you have Windows 2003 Server R2, which has built-in NFS services.

• On the Windows 2003 Server make sure “Microsoft Services for NFS” is installed. If not, add it under Add/Remove Programs, Windows Components, Other Network File and Print Services

• Next go to folder you want to share and right-click on it and select Properties

• Click on the NFS Sharing tab and select “Share this Folder”

• Enter a Share Name, check “Anonymous Access” and make sure the UID and GID are both -2. Anonymous access means any host that can reach the share can read it, so restrict the share's NFS permissions to the ESX hosts rather than leaving it open to all machines.

• In VirtualCenter, select your ESX server and click the “Configuration” tab and then select “Storage”

• Click on “Add Storage” and select “Network File System” as the storage type

• Enter the Windows Server name, the folder (share) name and a descriptive Datastore Name

• Once it finishes the configuration you can now map your VM’s CD-ROM devices to this new VMFS volume


man SELinux, semanage, and restorecon

selinux(8)            SELinux Command Line documentation            selinux(8)



NAME
       selinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION
       NSA  Security-Enhanced Linux (SELinux) is an implementation of a flexi-
       ble mandatory access control architecture in the Linux  operating  sys-
       tem.   The  SELinux  architecture  provides  general  support  for  the
       enforcement of many kinds of mandatory access control policies, includ-
       ing  those  based  on  the  concepts  of Type Enforcement®, Role- Based
       Access Control, and Multi-Level Security.  Background  information  and
       technical    documentation    about    SELinux    can   be   found   at
       http://www.nsa.gov/selinux.

       The /etc/selinux/config configuration file controls whether SELinux  is
       enabled  or  disabled, and if enabled, whether SELinux operates in per-
       missive mode or enforcing mode.  The SELINUX variable may be set to any
       one  of  disabled,  permissive,  or  enforcing  to  select one of these
       options.  The disabled option completely disables  the  SELinux  kernel
       and  application  code,  leaving the system running without any SELinux
       protection.  The permissive option enables the SELinux code, but causes
       it  to  operate in a mode where accesses that would be denied by policy
       are permitted but audited.  The enforcing option  enables  the  SELinux
       code  and causes it to enforce access denials as well as auditing them.
       Permissive mode may yield a different set  of  denials  than  enforcing
       mode,  both  because enforcing mode will prevent an operation from pro-
       ceeding past the first denial and because some  application  code  will
       fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is
       active on the system.  SELinux  allows  for  multiple  policies  to  be
       installed on the system, but only one policy may be active at any given
       time.  At present, two kinds of  SELinux  policy  exist:  targeted  and
       strict.   The  targeted  policy is designed as a policy where most pro-
       cesses operate without restrictions, and  only  specific  services  are
       placed  into distinct security domains that are confined by the policy.
       For example, the user would run in a completely unconfined domain while
       the  named  daemon or apache daemon would run in a specific domain tai-
       lored to its operation.  The strict policy  is  designed  as  a  policy
       where  all processes are partitioned into fine-grained security domains
       and confined by policy.  It is anticipated in  the  future  that  other
       policies  will  be created (Multi-Level Security for example).  You can
       define which policy you will run by setting the SELINUXTYPE environment
       variable within /etc/selinux/config.  The corresponding policy configu-
       ration   for   each   such   policy   must   be   installed   in    the
       /etc/selinux/SELINUXTYPE/ directories.

       A given SELinux policy can be customized further based on a set of com-
       pile-time tunable options and a set of runtime policy  booleans.   sys-
       tem-config-securitylevel  allows  customization  of  these booleans and
       tunables.

       Many domains that are protected by SELinux  also  include  selinux  man
       pages explaining how to customize their policy.


FILE LABELING
       All files, directories, devices ... have a security context/label asso-
       ciated with them.  These contexts are stored in the extended attributes
       of  the  file  system.  Problems with SELinux often arise from the file
       system being mislabeled. This can be caused by booting the machine with
       a  non  selinux kernel.  If you see an error message containing file_t,
       that is usually a good indicator that you have a serious  problem  with
       file system labeling.
       The  best  way  to  relabel  the file system is to create the flag file
       /.autorelabel and reboot.  system-config-securitylevel  also  has  this
       capability.   The  restorecon/fixfiles commands  are also available for
       relabeling files.


AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO
       booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restore-
       con(8),       setfiles(8),      ftpd_selinux(8),      named_selinux(8),
       rsync_selinux(8), httpd_selinux(8),  nfs_selinux(8),  samba_selinux(8),
       kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)



FILES
       /etc/selinux/config



dwalsh@redhat.com                 29 Apr 2005                       selinux(8)
semanage(8)                                                        semanage(8)



NAME
       semanage - SELinux Policy Management tool


SYNOPSIS
       semanage {login|user|port|interface|fcontext|translation} -l [-n]
       semanage login -{a|d|m} [-sr] login_name
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage fcontext -{a|d|m} [-frst] file_spec
       semanage translation -{a|d|m} [-T] level



DESCRIPTION
       semanage  is used to configure certain elements of SELinux policy with-
       out requiring modification to or  recompilation  from  policy  sources.
       This  includes the mapping from Linux usernames to SELinux user identi-
       ties (which controls the initial security  context  assigned  to  Linux
       users  when they login and bounds their authorized role set) as well as
       security context mappings for various kinds of objects, such as network
       ports,  interfaces,  and nodes (hosts) as well as the file context map-
       ping. See the EXAMPLES section below for some examples of common usage.
       Note  that the semanage login command deals with the mapping from Linux
       usernames (logins) to SELinux user identities, while the semanage  user
       command  deals  with the mapping from SELinux user identities to autho-
       rized role sets.  In most cases, only the former mapping  needs  to  be
       adjusted by the administrator; the latter is principally defined by the
       base policy and usually does not require modification.


OPTIONS
       -a, --add
              Add an OBJECT record NAME

       -d, --delete
              Delete an OBJECT record NAME

       -f, --ftype
              File Type.   This is used with fcontext.  Requires a  file  type
              as  shown  in  the  mode  field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -h, --help
              display this message

       -l, --list
              List the OBJECTS

       -L, --level
              Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Sys-
              tems only)

       -m, --modify
              Modify an OBJECT record NAME

       -n, --noheading
              Do not print heading when listing OBJECTS.

       -p, --proto
              Protocol for the specified port (tcp|udp).

       -r, --range
              MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux  Roles.   You must enclose multiple roles within quotes,
              separated by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux Prefix.  Prefix  added  to  home_dir_t  and  home_t  for
              labeling users home directories.

       -s, --seuser
              SELinux user name

       -t, --type
              SELinux Type for the object

       -T, --trans
              SELinux Translation


EXAMPLE
       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81


AUTHOR
       This  man page was written by Daniel Walsh <dwalsh@redhat.com> and Rus-
       sell Coker <rcoker@redhat.com>.  Examples by Thomas Bleher  <ThomasBle-
       her@gmx.de>.




                                  2005111103                       semanage(8)
restorecon(8)                                                    restorecon(8)



NAME
       restorecon - restore file(s) default SELinux security contexts.


SYNOPSIS
       restorecon [-o outfilename ] [-R] [-n] [-v] [-e directory ] pathname...

       restorecon -f infilename [-o outfilename ] [-e directory  ]  [-R]  [-n]
       [-v] [-F]


DESCRIPTION
       This manual page describes the restorecon program.

       This  program  is  primarily used to set the security context (extended
       attributes) on one or more files.

       It can be run at any time to correct errors, to  add  support  for  new
       policy,  or  with the -n option it can just check whether the file con-
       texts are all as you expect.


OPTIONS
       -i     ignore files that do not exist

       -f infilename
              infilename contains a list of files to be processed by  applica-
              tion. Use - for stdin.

       -e directory
              directory  to  exclude  (repeat  option for more than one direc-
              tory.)

       -R -r  change files and directories file labels recursively

       -n     don’t change any file labels.

       -o outfilename
              save list of files with incorrect context in outfilename.

       -v     show changes in file labels.

       -vv    show changes in file labels, if type, role, or user  are  chang-
              ing.

       -F     Force  reset  of  context to match file_context for customizable
              files, or the user section, if it has changed.


       ARGUMENTS
              pathname...  The pathname for the file(s) to be relabeled.

NOTE
       restorecon does not follow symbolic links.


AUTHOR
       This man page was written by Dan Walsh  <dwalsh@redhat.com>.   Some  of
       the content of this man page was taken from the setfiles man page writ-
       ten by Russell Coker <russell@coker.com.au>.  The program  was  written
       by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO
       load_policy(8), checkpolicy(8), setfiles(8)



                                  2002031409                     restorecon(8)




Sed Examples

 
To prepend a character to the beginning of every line in a file, e.g. a ":" for wiki formatting purposes:

sed 's/\(.*\)/:\1/' filename      # preview what sed will do
sed -i 's/\(.*\)/:\1/' filename   # commit the change to the file

Or add a " to the beginning and end of every line:

sed 's/\(.*\)/"\1"/' filename
sed -i 's/\(.*\)/"\1"/' filename


To replace /usr/bin with /usr/local/bin in all files ending in .pl, use (the ^ delimiter avoids escaping the slashes):

for i in *.pl ; do sed 's^/usr/bin^/usr/local/bin^g' < "$i" > "$i.new"; done

Now read the .new files... they should contain /usr/local/bin instead of /usr/bin.

To remove all instances of /usr from each file, replacing the original only if sed succeeded:

for i in *.pl ; do sed 's^/usr^^g' < "$i" > "$i.new" && mv "$i.new" "$i"; done

To replace webtest with www in all .conf files:

for i in *.conf; do sed 's^webtest^www^g' < "$i" > "$i.new"; done




 

-------------------------------------------------------------------------
HANDY ONE-LINERS FOR SED (Unix stream editor)               Apr. 26, 2004
compiled by Eric Pement - pemente[at]northpark[dot]edu        version 5.4
Latest version of this file is usually at:
   http://sed.sourceforge.net/sed1line.txt
   http://www.student.northpark.edu/pemente/sed/sed1line.txt
This file is also available in Portuguese at:
   http://www.lrv.ufsc.br/wmaker/sed_ptBR.html

FILE SPACING:

 # double space a file
 sed G

 # double space a file which already has blank lines in it. Output file
 # should contain no more than one blank line between lines of text.
 sed '/^$/d;G'

 # triple space a file
 sed 'G;G'

 # undo double-spacing (assumes even-numbered lines are always blank)
 sed 'n;d'

 # insert a blank line above every line which matches "regex"
 sed '/regex/{x;p;x;}'

 # insert a blank line below every line which matches "regex"
 sed '/regex/G'

 # insert a blank line above and below every line which matches "regex"
 sed '/regex/{x;p;x;G;}'

NUMBERING:

 # number each line of a file (simple left alignment). Using a tab (see
 # note on '\t' at end of file) instead of space will preserve margins.
 sed = filename | sed 'N;s/\n/\t/'

 # number each line of a file (number on left, right-aligned)
 sed = filename | sed 'N; s/^/     /; s/ *\(.\{6,\}\)\n/\1  /'

 # number each line of file, but only print numbers if line is not blank
 sed '/./=' filename | sed '/./N; s/\n/ /'

 # count lines (emulates "wc -l")
 sed -n '$='

TEXT CONVERSION AND SUBSTITUTION:

 # IN UNIX ENVIRONMENT: convert DOS newlines (CR/LF) to Unix format
 sed 's/.$//'               # assumes that all lines end with CR/LF
 sed 's/^M$//'              # in bash/tcsh, press Ctrl-V then Ctrl-M
 sed 's/\x0D$//'            # gsed 3.02.80, but top script is easier

 # IN UNIX ENVIRONMENT: convert Unix newlines (LF) to DOS format
 sed "s/$/`echo -e \\\r`/"            # command line under ksh
 sed 's/$'"/`echo \\\r`/"             # command line under bash
 sed "s/$/`echo \\\r`/"               # command line under zsh
 sed 's/$/\r/'                        # gsed 3.02.80

 # IN DOS ENVIRONMENT: convert Unix newlines (LF) to DOS format
 sed "s/$//"                          # method 1
 sed -n p                             # method 2

 # IN DOS ENVIRONMENT: convert DOS newlines (CR/LF) to Unix format
 # Can only be done with UnxUtils sed, version 4.0.7 or higher.
 # Cannot be done with other DOS versions of sed. Use "tr" instead.
 sed "s/\r//" infile >outfile         # UnxUtils sed v4.0.7 or higher
 tr -d \r <infile >outfile            # GNU tr version 1.22 or higher

 # delete leading whitespace (spaces, tabs) from front of each line
 # aligns all text flush left
 sed 's/^[ \t]*//'                    # see note on '\t' at end of file

 # delete trailing whitespace (spaces, tabs) from end of each line
 sed 's/[ \t]*$//'                    # see note on '\t' at end of file

 # delete BOTH leading and trailing whitespace from each line
 sed 's/^[ \t]*//;s/[ \t]*$//'

 # insert 5 blank spaces at beginning of each line (make page offset)
 sed 's/^/     /'

 # align all text flush right on a 79-column width
 sed -e :a -e 's/^.\{1,78\}$/ &/;ta'  # set at 78 plus 1 space

 # center all text in the middle of 79-column width. In method 1,
 # spaces at the beginning of the line are significant, and trailing
 # spaces are appended at the end of the line. In method 2, spaces at
 # the beginning of the line are discarded in centering the line, and
 # no trailing spaces appear at the end of lines.
 sed  -e :a -e 's/^.\{1,77\}$/ & /;ta'                     # method 1
 sed  -e :a -e 's/^.\{1,77\}$/ &/;ta' -e 's/\( *\)\1/\1/'  # method 2

 # substitute (find and replace) "foo" with "bar" on each line
 sed 's/foo/bar/'             # replaces only 1st instance in a line
 sed 's/foo/bar/4'            # replaces only 4th instance in a line
 sed 's/foo/bar/g'            # replaces ALL instances in a line
 sed 's/\(.*\)foo\(.*foo\)/\1bar\2/' # replace the next-to-last case
 sed 's/\(.*\)foo/\1bar/'            # replace only the last case

 # substitute "foo" with "bar" ONLY for lines which contain "baz"
 sed '/baz/s/foo/bar/g'

 # substitute "foo" with "bar" EXCEPT for lines which contain "baz"
 sed '/baz/!s/foo/bar/g'

 # change "scarlet" or "ruby" or "puce" to "red"
 sed 's/scarlet/red/g;s/ruby/red/g;s/puce/red/g'   # most seds
 gsed 's/scarlet\|ruby\|puce/red/g'                # GNU sed only

 # reverse order of lines (emulates "tac")
 # bug/feature in HHsed v1.5 causes blank lines to be deleted
 sed '1!G;h;$!d'               # method 1
 sed -n '1!G;h;$p'             # method 2

 # reverse each character on the line (emulates "rev")
 sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//'

 # join pairs of lines side-by-side (like "paste")
 sed '$!N;s/\n/ /'

 # if a line ends with a backslash, append the next line to it
 sed -e :a -e '/\\$/N; s/\\\n//; ta'

 # if a line begins with an equal sign, append it to the previous line
 # and replace the "=" with a single space
 sed -e :a -e '$!N;s/\n=/ /;ta' -e 'P;D'

 # add commas to numeric strings, changing "1234567" to "1,234,567"
 gsed ':a;s/\B[0-9]\{3\}\>/,&/;ta'                     # GNU sed
 sed -e :a -e 's/\(.*[0-9]\)\([0-9]\{3\}\)/\1,\2/;ta'  # other seds

 # add commas to numbers with decimal points and minus signs (GNU sed)
 gsed ':a;s/\(^\|[^0-9.]\)\([0-9]\+\)\([0-9]\{3\}\)/\1\2,\3/g;ta'

 # add a blank line every 5 lines (after lines 5, 10, 15, 20, etc.)
 gsed '0~5G'                  # GNU sed only
 sed 'n;n;n;n;G;'             # other seds

SELECTIVE PRINTING OF CERTAIN LINES:

 # print first 10 lines of file (emulates behavior of "head")
 sed 10q

 # print first line of file (emulates "head -1")
 sed q

 # print the last 10 lines of a file (emulates "tail")
 sed -e :a -e '$q;N;11,$D;ba'

 # print the last 2 lines of a file (emulates "tail -2")
 sed '$!N;$!D'

 # print the last line of a file (emulates "tail -1")
 sed '$!d'                    # method 1
 sed -n '$p'                  # method 2

 # print only lines which match regular expression (emulates "grep")
 sed -n '/regexp/p'           # method 1
 sed '/regexp/!d'             # method 2

 # print only lines which do NOT match regexp (emulates "grep -v")
 sed -n '/regexp/!p'          # method 1, corresponds to above
 sed '/regexp/d'              # method 2, simpler syntax

 # print the line immediately before a regexp, but not the line
 # containing the regexp
 sed -n '/regexp/{g;1!p;};h'

 # print the line immediately after a regexp, but not the line
 # containing the regexp
 sed -n '/regexp/{n;p;}'

 # print 1 line of context before and after regexp, with line number
 # indicating where the regexp occurred (similar to "grep -A1 -B1")
 sed -n -e '/regexp/{=;x;1!p;g;$!N;p;D;}' -e h

 # grep for AAA and BBB and CCC (in any order)
 sed '/AAA/!d; /BBB/!d; /CCC/!d'

 # grep for AAA and BBB and CCC (in that order)
 sed '/AAA.*BBB.*CCC/!d'

 # grep for AAA or BBB or CCC (emulates "egrep")
 sed -e '/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d    # most seds
 gsed '/AAA\|BBB\|CCC/!d'                        # GNU sed only

 # print paragraph if it contains AAA (blank lines separate paragraphs)
 # HHsed v1.5 must insert a 'G;' after 'x;' in the next 3 scripts below
 sed -e '/./{H;$!d;}' -e 'x;/AAA/!d;'

 # print paragraph if it contains AAA and BBB and CCC (in any order)
 sed -e '/./{H;$!d;}' -e 'x;/AAA/!d;/BBB/!d;/CCC/!d'

 # print paragraph if it contains AAA or BBB or CCC
 sed -e '/./{H;$!d;}' -e 'x;/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d
 gsed '/./{H;$!d;};x;/AAA\|BBB\|CCC/b;d'         # GNU sed only

 # print only lines of 65 characters or longer
 sed -n '/^.\{65\}/p'

 # print only lines of less than 65 characters
 sed -n '/^.\{65\}/!p'        # method 1, corresponds to above
 sed '/^.\{65\}/d'            # method 2, simpler syntax

 # print section of file from regular expression to end of file
 sed -n '/regexp/,$p'

 # print section of file based on line numbers (lines 8-12, inclusive)
 sed -n '8,12p'               # method 1
 sed '8,12!d'                 # method 2

 # print line number 52
 sed -n '52p'                 # method 1
 sed '52!d'                   # method 2
 sed '52q;d'                  # method 3, efficient on large files

 # beginning at line 3, print every 7th line
 gsed -n '3~7p'               # GNU sed only
 sed -n '3,${p;n;n;n;n;n;n;}' # other seds

 # print section of file between two regular expressions (inclusive)
 sed -n '/Iowa/,/Montana/p'             # case sensitive

SELECTIVE DELETION OF CERTAIN LINES:

 # print all of file EXCEPT section between 2 regular expressions
 sed '/Iowa/,/Montana/d'

 # delete duplicate, consecutive lines from a file (emulates "uniq").
 # First line in a set of duplicate lines is kept, rest are deleted.
 sed '$!N; /^\(.*\)\n\1$/!P; D'

 # delete duplicate, nonconsecutive lines from a file. Beware not to
 # overflow the buffer size of the hold space, or else use GNU sed.
 sed -n 'G; s/\n/&&/; /^\([ -~]*\n\).*\n\1/d; s/\n//; h; P'

 # delete all lines except duplicate lines (emulates "uniq -d").
 sed '$!N; s/^\(.*\)\n\1$/\1/; t; D'

 # delete the first 10 lines of a file
 sed '1,10d'

 # delete the last line of a file
 sed '$d'

 # delete the last 2 lines of a file
 sed 'N;$!P;$!D;$d'

 # delete the last 10 lines of a file
 sed -e :a -e '$d;N;2,10ba' -e 'P;D'   # method 1
 sed -n -e :a -e '1,10!{P;N;D;};N;ba'  # method 2

 # delete every 8th line
 gsed '0~8d'                           # GNU sed only
 sed 'n;n;n;n;n;n;n;d;'                # other seds

 # delete ALL blank lines from a file (same as "grep '.' ")
 sed '/^$/d'                           # method 1
 sed '/./!d'                           # method 2

 # delete all CONSECUTIVE blank lines from file except the first; also
 # deletes all blank lines from top and end of file (emulates "cat -s")
 sed '/./,/^$/!d'          # method 1, allows 0 blanks at top, 1 at EOF
 sed '/^$/N;/\n$/D'        # method 2, allows 1 blank at top, 0 at EOF

 # delete all CONSECUTIVE blank lines from file except the first 2:
 sed '/^$/N;/\n$/N;//D'

 # delete all leading blank lines at top of file
 sed '/./,$!d'

 # delete all trailing blank lines at end of file
 sed -e :a -e '/^\n*$/{$d;N;ba' -e '}'  # works on all seds
 sed -e :a -e '/^\n*$/N;/\n$/ba'        # ditto, except for gsed 3.02*

 # delete the last line of each paragraph
 sed -n '/^$/{p;h;};/./{x;/./p;}'

SPECIAL APPLICATIONS:

 # remove nroff overstrikes (char, backspace) from man pages. The 'echo'
 # command may need an -e switch if you use Unix System V or bash shell.
 sed "s/.`echo \\\b`//g"    # double quotes required for Unix environment
 sed 's/.^H//g'             # in bash/tcsh, press Ctrl-V and then Ctrl-H
 sed 's/.\x08//g'           # hex expression for sed v1.5

 # get Usenet/e-mail message header
 sed '/^$/q'                # deletes everything after first blank line

 # get Usenet/e-mail message body
 sed '1,/^$/d'              # deletes everything up to first blank line

 # get Subject header, but remove initial "Subject: " portion
 sed '/^Subject: */!d; s///;q'

 # get return address header
 sed '/^Reply-To:/q; /^From:/h; /./d;g;q'

 # parse out the address proper. Pulls out the e-mail address by itself
 # from the 1-line return address header (see preceding script)
 sed 's/ *(.*)//; s/>.*//; s/.*[:<] *//'
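
The four message-header one-liners above (header, body, Subject, return address), chained over a constructed message so the result of each step can be checked. This is an added example, not part of the original sed one-liners file; the sample message and the function names are constructed here.

```shell
#!/bin/sh
# Added example: exercise the e-mail header one-liners on a constructed message.

# Constructed sample message (not real mail): four header lines, a blank
# separator, then a three-line body.
sample_message() {
  printf '%s\n' \
    'From: Jane Doe <jane.doe@example.com>' \
    'To: ops@example.com' \
    'Subject: Weekly report' \
    'X-Mailer: constructed-sample' \
    '' \
    'Body line one.' \
    '' \
    'Body line two.'
}

# Header only: print up to and including the first blank line, then quit.
message_header() { sample_message | sed '/^$/q'; }

# Body only: delete everything from line 1 through the first blank line.
message_body() { sample_message | sed '1,/^$/d'; }

# Subject with the "Subject: " prefix stripped; s/// reuses the address regex.
message_subject() { sample_message | sed '/^Subject: */!d; s///;q'; }

# Return address: Reply-To: wins if present, otherwise the held From: line is
# emitted at the first blank line. The second sed reduces it to the bare address
# by dropping a "(comment)", anything after ">", and everything up to ":" or "<".
return_address() {
  sample_message \
    | sed '/^Reply-To:/q; /^From:/h; /./d;g;q' \
    | sed 's/ *(.*)//; s/>.*//; s/.*[:<] *//'
}
```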

 # add a leading angle bracket and space to each line (quote a message)
 sed 's/^/> /'

 # delete leading angle bracket & space from each line (unquote a message)
 sed 's/^> //'

 # remove most HTML tags (accommodates multiple-line tags)
 sed -e :a -e 's/<[^>]*>//g;/</N;//ba'

 # extract multi-part uuencoded binaries, removing extraneous header
 # info, so that only the uuencoded portion remains. Files passed to
 # sed must be passed in the proper order. Version 1 can be entered
 # from the command line; version 2 can be made into an executable
 # Unix shell script. (Modified from a script by Rahul Dhesi.)
 sed '/^end/,/^begin/d' file1 file2 ... fileX | uudecode   # vers. 1
 sed '/^end/,/^begin/d' "$@" | uudecode                    # vers. 2

 # zip up each .TXT file individually, deleting the source file and
 # setting the name of each .ZIP file to the basename of the .TXT file
 # (under DOS: the "dir /b" switch returns bare filenames in all caps).
 echo @echo off >zipup.bat
 dir /b *.txt | sed "s/^\(.*\)\.TXT/pkzip -mo \1 \1.TXT/" >>zipup.bat

TYPICAL USE: Sed takes one or more editing commands and applies all of
them, in sequence, to each line of input. After all the commands have
been applied to the first input line, that line is output and a second
input line is taken for processing, and the cycle repeats. The
preceding examples assume that input comes from the standard input
device (i.e., the console; normally this will be piped input). One or
more filenames can be appended to the command line if the input does
not come from stdin. Output is sent to stdout (the screen). Thus:

 cat filename | sed '10q'        # uses piped input
 sed '10q' filename              # same effect, avoids a useless "cat"
 sed '10q' filename > newfile    # redirects output to disk

For additional syntax instructions, including the way to apply editing
commands from a disk file instead of the command line, consult "sed &
awk, 2nd Edition," by Dale Dougherty and Arnold Robbins (O'Reilly,
1997; http://www.ora.com), "UNIX Text Processing," by Dale Dougherty
and Tim O'Reilly (Hayden Books, 1987) or the tutorials by Mike Arst
distributed in U-SEDIT2.ZIP (many sites). To fully exploit the power
of sed, one must understand "regular expressions." For this, see
"Mastering Regular Expressions" by Jeffrey Friedl (O'Reilly, 1997).
The manual ("man") pages on Unix systems may be helpful (try "man
sed", "man regexp", or the subsection on regular expressions in "man
ed"), but man pages are notoriously difficult. They are not written to
teach sed use or regexps to first-time users, but as a reference text
for those already acquainted with these tools.

QUOTING SYNTAX: The preceding examples use single quotes ('...')
instead of double quotes ("...") to enclose editing commands, since
sed is typically used on a Unix platform. Single quotes prevent the
Unix shell from interpreting the dollar sign ($) and backquotes
(`...`), which are expanded by the shell if they are enclosed in
double quotes. Users of the "csh" shell and derivatives will also need
to quote the exclamation mark (!) with the backslash (i.e., \!) to
properly run the examples listed above, even within single quotes.
Versions of sed written for DOS invariably require double quotes
("...") instead of single quotes to enclose editing commands.

USE OF '\t' IN SED SCRIPTS: For clarity in documentation, we have used
the expression '\t' to indicate a tab character (0x09) in the scripts.
However, most versions of sed do not recognize the '\t' abbreviation,
so when typing these scripts from the command line, you should press
the TAB key instead. '\t' is supported as a regular expression
metacharacter in awk, perl, and HHsed, sedmod, and GNU sed v3.02.80.

VERSIONS OF SED: Versions of sed do differ, and some slight syntax
variation is to be expected. In particular, most do not support the
use of labels (:name) or branch instructions (b,t) within editing
commands, except at the end of those commands. We have used the syntax
which will be portable to most users of sed, even though the popular
GNU versions of sed allow a more succinct syntax. When the reader sees
a fairly long command such as this:

   sed -e '/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d

it is heartening to know that GNU sed will let you reduce it to:

   sed '/AAA/b;/BBB/b;/CCC/b;d'      # or even
   sed '/AAA\|BBB\|CCC/b;d'

In addition, remember that while many versions of sed accept a command
like "/one/ s/RE1/RE2/", some do NOT allow "/one/! s/RE1/RE2/", which
contains space before the 's'. Omit the space when typing the command.

OPTIMIZING FOR SPEED: If execution speed needs to be increased (due to
large input files or slow processors or hard disks), substitution will
be executed more quickly if the "find" expression is specified before
giving the "s/.../.../" instruction. Thus:

   sed 's/foo/bar/g' filename         # standard replace command
   sed '/foo/ s/foo/bar/g' filename   # executes more quickly
   sed '/foo/ s//bar/g' filename      # shorthand sed syntax

On line selection or deletion in which you only need to output lines
from the first part of the file, a "quit" command (q) in the script
will drastically reduce processing time for large files. Thus:

   sed -n '45,50p' filename           # print line nos. 45-50 of a file
   sed -n '51q;45,50p' filename       # same, but executes much faster


 
-------------------------------------------------------------------------

Foundry ServerIron 4G-SSL config

!Using 8832 out of 393214 bytes
!
ver 10.1.00TI2
!
!
!
trunk switch ethe 3 to 4
!
!
!
ssl profile workplace-ssh
 keypair-file workplace-key
 certificate-file workplacechain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
ssl profile corp1-ssl
 keypair-file corp1-key
 certificate-file corp1chain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
ssl profile groupware
 keypair-file groupware-key
 certificate-file groupwarechain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
!
server backup ethe 3 0012.f27c.5400 vlan-id 100
server no-graceful-shutdown
!
!
server port 80
 tcp
 udp
server port 8080
 tcp
server port 8081
 tcp
server port 8083
 tcp
server port 8084
 tcp
server port 8085
 tcp
server port 8087
 tcp
server port 8089
 tcp
server port 8090
 tcp
server port 8086
 tcp
server port 8082
 tcp
server port 8088
 tcp
server port 8092
 tcp
server port 8093
 tcp
server port 8094
 tcp
server port 81
 tcp
 tcp keepalive use-master-state
server port 82
 tcp
 tcp keepalive use-master-state
server source-nat-ip 192.168.5.62 255.255.255.0 192.168.5.1 port-range 2
server source-nat-ip 192.168.5.63 255.255.255.0 192.168.5.1 port-range 2 for-ssl
server source-nat-ip 192.168.5.64 255.255.255.0 192.168.5.1 port-range 2 for-ssl
!
!
!
csw-rule "r1" url prefix "html"
csw-rule "r15" url prefix "/sales"
csw-rule "r17" url prefix "/PVWeb"
csw-rule "r2" header "Host" pattern "webtest.corp1.com"
csw-rule "r21" url prefix "/finance"
csw-rule "r25" url prefix "/edocs"
csw-rule "r3" header "Host" pattern "webtest.corp1groupware.com"
csw-rule "r30" url prefix "/acctg"
csw-rule "r35" url prefix "/eforms"
csw-rule "r45" url prefix "/custdb"
csw-rule "r50" url prefix "/estatement"
csw-rule "r55" url prefix "/ecosts"
csw-rule "r60" url prefix "/ereports"
csw-rule "r65" url prefix "/ebenefits"
csw-rule "r70" url prefix "/elabels"
csw-rule "r75" url prefix "/etraining"
csw-rule "r80" url prefix "/eordering"
!
!
!
csw-policy "app-forward"
 match "r15" forward 11
 match "r25" forward 25
 match "r21" forward 21
 match "r30" forward 30
 match "r35" forward 35
 match "r45" forward 45
 match "r50" forward 50
 match "r55" forward 55
 match "r60" forward 60
 match "r65" forward 65
 match "r70" forward 70
 match "r75" forward 75
 match "r80" forward 80
 match "r2" forward 2
 match "r3" forward 3
 default forward 2
!
csw-policy "redirect"
 match "r15" redirect "*" "*" ssl
 match "r17" redirect "PVweb.corp1.com" "*" ssl
 match "r25" redirect "*" "*" ssl
 match "r21" redirect "*" "*" ssl
 match "r30" redirect "*" "*" ssl
 match "r35" redirect "*" "*" ssl
 match "r45" redirect "*" "*" ssl
 match "r50" redirect "*" "*" ssl
 match "r55" redirect "*" "*" ssl
 match "r1" forward 1218
 match "r1" rewrite request-insert client-ip
 match "r60" redirect "*" "*" ssl
 match "r65" redirect "*" "*" ssl
 match "r70" redirect "*" "*" ssl
 match "r75" redirect "*" "*" ssl
 match "r80" redirect "*" "*" ssl
 default forward 1
 default rewrite request-insert client-ip
!
!
server real pvwwwt001 192.168.5.40
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1218
 port http group-id  1 1
 port 8080
 port 8080 keepalive
 port 8080 group-id  11 11
 port 8080 url "GET /sales/includes/isalive.html"
 port 8081
 port 8081 keepalive
 port 8081 group-id  21 21
 port 8081 url "GET /finance/isalive.html"
 port 8082
 port 8082 keepalive
 port 8082 group-id  25 25
 port 8082 url "GET /edocs/isalive.html"
 port 8083
 port 8083 keepalive
 port 8083 group-id  30 30
 port 8083 url "GET /acctg/isalive.html"
 port 8084
 port 8084 keepalive
 port 8084 group-id  35 35
 port 8084 url "GET /eforms/isalive.html"
 port 8086
 port 8086 keepalive
 port 8086 group-id  45 45
 port 8086 url "GET /custdb/isalive.html"
 port 8087
 port 8087 keepalive
 port 8087 group-id  50 50
 port 8087 url "GET /estatement/isalive.html"
 port 8088
 port 8088 keepalive
 port 8088 group-id  55 55
 port 8088 url "GET /ecosts/isalive.html"
 port 8089
 port 8089 keepalive
 port 8089 group-id  60 60
 port 8089 url "GET /ereports/isalive.htm"
 port 8092
 port 8092 keepalive
 port 8092 group-id  65 65
 port 8092 url "GET /ebenefits/"
 port 8090
 port 8090 keepalive
 port 8090 group-id  70 70
 port 8090 url "GET /elabels/"
 port 8094
 port 8094 keepalive
 port 8094 group-id  80 80
 port 8094 url "GET /eordering/isalive.html"
 port 81
 port 81 group-id  2 2
!
server real pvwwwt003 192.168.5.50
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1211
 port http group-id  1 1
 port 8080
 port 8080 keepalive
 port 8080 group-id  11 11
 port 8080 url "GET /sales/includes/isalive.html"
 port 8082
 port 8082 keepalive
 port 8082 group-id  25 25
 port 8082 url "GET /edocs/isalive.html"
 port 8081
 port 8081 keepalive
 port 8081 group-id  21 21
 port 8081 url "GET /finance/isalive.html"
 port 8083
 port 8083 keepalive
 port 8083 group-id  30 30
 port 8083 url "GET /acctg/isalive.html"
 port 8084
 port 8084 keepalive
 port 8084 group-id  35 35
 port 8084 url "GET /eforms/isalive.html"
 port 8086
 port 8086 keepalive
 port 8086 group-id  45 45
 port 8086 url "GET /custdb/isalive.html"
 port 8087
 port 8087 keepalive
 port 8087 group-id  50 50
 port 8087 url "GET /estatement/isalive.html"
 port 8088
 port 8088 keepalive
 port 8088 group-id  55 55
 port 8088 url "GET /ecosts/isalive.html"
 port 8089
 port 8089 keepalive
 port 8089 group-id  60 60
 port 8089 url "GET /ereports/isalive.htm"
 port 8092
 port 8092 keepalive
 port 8092 group-id  65 65
 port 8092 url "GET /ebenefits/"
 port 8090
 port 8090 keepalive
 port 8090 group-id  70 70
 port 8090 url "GET /elabels/"
 port 8094
 port 8094 keepalive
 port 8094 group-id  80 80
 port 8094 url "GET /eordering/isalive.html"
 port 81
 port 81 group-id  2 2
!
server remote-name pvwwwt002 192.168.4.70
 source-nat
 port http
 port http keepalive
 port http url "GET /"
!
server remote-name pvwwwt004 192.168.4.71
 source-nat
 port http
 port http keepalive
 port http url "GET /"
!
server real t001-groupware 192.168.5.101
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http group-id  1 1
 port 8093
 port 8093 keepalive
 port 8093 group-id  75 75
 port 8093 url "GET /etraining/isalive.html"
 port 82
 port 82 group-id  3 3
!
server real t003-groupware 192.168.5.102
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http group-id  1 1
 port 8093
 port 8093 keepalive
 port 8093 group-id  75 75
 port 8093 url "GET /etraining/isalive.html"
 port 82
 port 82 group-id  3 3
!
!
server virtual webtest1 192.168.5.61
 port default sticky
 port http
 port http cookie-name "ServerID"
 port http csw-policy "redirect"
 port http csw
 port http request-insert client-ip "X-Forwarded-For"
 port ssl sticky
 port ssl ssl-terminate corp1-ssl
 port ssl csw-policy "app-forward"
 port ssl csw
 bind http pvwwwt001 http pvwwwt003 http
 bind ssl pvwwwt001 81 real-port http pvwwwt003 81 real-port http pvwwwt001 8080 pvwwwt003 8080
 bind ssl pvwwwt001 8081 pvwwwt003 8081 pvwwwt001 8082 pvwwwt003 8082
 bind ssl pvwwwt001 8083 pvwwwt003 8083 pvwwwt001 8084 pvwwwt001 8087
 bind ssl pvwwwt003 8087 pvwwwt001 8088 pvwwwt003 8088 pvwwwt003 8084
 bind ssl pvwwwt001 8086 pvwwwt003 8086 pvwwwt001 8089 pvwwwt003 8089
 bind ssl pvwwwt001 8092 pvwwwt003 8092 pvwwwt001 8090 pvwwwt003 8090
 bind ssl pvwwwt001 8094 pvwwwt003 8094
!
server virtual salestest 192.168.5.67
 port default sticky
 port http
 bind http pvwwwt002 http pvwwwt004 http
!
server virtual groupware 192.168.5.100
 port default sticky
 port http
 port http cookie-name "ServerID"
 port http csw-policy "redirect"
 port http csw
 port http request-insert client-ip "X-Forwarded-For"
 port ssl sticky
 port ssl ssl-terminate groupware
 port ssl csw-policy "app-forward"
 port ssl csw
 bind http t001-groupware http t003-groupware http
 bind ssl t001-groupware 8093 t003-groupware 8093 t001-groupware 82 real-port http t003-groupware 82 real-port http
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 100 name HOT-SYNC by port
 untagged ethe 3 to 4
 no spanning-tree
!
!
aaa authentication web-server default local
aaa authentication login default local
no enable aaa console
hostname foundry1
ip address 192.168.5.60 255.255.255.0
ip default-gateway 192.168.5.1
ip dns domain-name corp1.com
ip dns server-address 192.168.1.11 192.168.1.10
logging buffered 1000
telnet server
snmp-server
clock summer-time
clock timezone us Central
web-management
!
!
!
!
ip ssh  idle-time 240
!
!
end

SSH Service Accounts

On Red Hat 5 and above the ssh-copy-id utility is already installed; on older releases, copy the following script to /usr/bin/ssh-copy-id and make it executable before continuing with the remaining steps.

#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/identity.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*\.pub" > /dev/null ; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift         # and this should leave $1 as the target name
  fi
else
  # no -i given: prefer the keys currently loaded in the running ssh-agent
  if [ -n "$SSH_AUTH_SOCK" ] ; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi

# fall back to the identity file if the agent produced nothing
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
   GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
fi

# append the key(s) on the remote side; umask 077 keeps .ssh and authorized_keys private
{ eval "$GET_ID" ; } | ssh "$1" "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF


Log on as, or create, the service account on every machine that needs it:

useradd -u 199 -s /bin/false serviceacct

echo password1 | passwd --stdin serviceacct


Create your DSA key pair:

ssh-keygen -t dsa

Accept the default file name and leave the passphrase empty: press Enter at each of the three prompts.

Copy your new public ID to all the servers:

Log on or su to the service account and run:

ssh-copy-id -i ~/.ssh/id_dsa.pub remoteservername

For bi-directional connectivity, repeat the procedure on the remote server, pointing back to the original.
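
The remote-side step that the ssh-copy-id script above performs ("umask 077; test -d .ssh || mkdir .ssh; cat >> .ssh/authorized_keys"), rewritten as an added example that skips a key already present and verifies the file modes sshd's StrictModes check requires. This is not part of the original notes; the demo key is constructed, and the permission check assumes GNU stat (-c).

```shell
#!/bin/sh
# Added example: idempotent authorized_keys install plus a permissions check.

# Install one public-key line into $1/.ssh/authorized_keys, skipping duplicates.
# Returns 0 on success, 1 if the key line is malformed.
install_authorized_key() {
  home_dir="$1"
  key_line="$2"
  # A public-key line must have at least a key type and a base64 blob.
  case "$key_line" in
    ssh-*' '*|ecdsa-*' '*) ;;
    *) echo "install_authorized_key: malformed key line" >&2; return 1 ;;
  esac
  (
    umask 077                       # new dir -> 700, new file -> 600
    test -d "$home_dir/.ssh" || mkdir "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    # Append only if this exact line is absent, so re-running never adds the
    # "extra keys you weren't expecting" that the script warns about.
    if ! grep -qxF -- "$key_line" "$home_dir/.ssh/authorized_keys"; then
      printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
    fi
  )
}

# Count the key lines currently authorized under $1.
authorized_key_count() {
  grep -c -e '^ssh-' -e '^ecdsa-' "$1/.ssh/authorized_keys"
}

# sshd (StrictModes yes) ignores keys in group- or world-writable locations:
# return 0 if .ssh is 700 and authorized_keys is 600, else 1.
check_key_perms() {
  [ "$(stat -c %a "$1/.ssh")" = 700 ] && \
  [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Constructed demo key (not a real key) installed into a temporary home twice;
# the second call must be a no-op.
DEMO_KEY='ssh-dss AAAACONSTRUCTEDDEMOKEYNOTREAL= serviceacct@example'
DEMO_HOME="$(mktemp -d)"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
```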