<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bash &#8211; Johnny Morano&#039;s Tech Articles</title>
	<atom:link href="https://jmorano.moretrix.com/tag/bash/feed/" rel="self" type="application/rss+xml" />
	<link>https://jmorano.moretrix.com</link>
	<description>Ramblings of an old-fashioned space cowboy</description>
	<lastBuildDate>Tue, 17 Sep 2013 11:42:56 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.2</generator>

<image>
	<url>https://jmorano.moretrix.com/wp-content/uploads/2022/04/cropped-jmorano_emblem-32x32.png</url>
	<title>Bash &#8211; Johnny Morano&#039;s Tech Articles</title>
	<link>https://jmorano.moretrix.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>OpenSSH 6.2.x and LDAP authentication</title>
		<link>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/</link>
					<comments>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 17 Sep 2013 11:42:56 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Bash]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=993</guid>

					<description><![CDATA[Since the release of OpenSSH 6.2, two new configuration parameters have been added: AuthorizedKeysCommand AuthorizedKeysCommandUser These parameters allow&#8230;]]></description>
										<content:encoded><![CDATA[<p>Since the release of OpenSSH 6.2, two new configuration parameters have been added:</p>
<ul>
<li>AuthorizedKeysCommand</li>
<li>AuthorizedKeysCommandUser</li>
</ul>
<p>These parameters make it possible to create any kind of authentication method for OpenSSH, including LDAP authentication, so patches like the LPK patch for OpenSSH are no longer required.<br />
The only thing the script needs to do is return either an empty string or the public key of the user.</p>
<p>In our example below, we have added an extra check which verifies whether the user is in a certain group.<br />
The script is a very simple Bash script and can be rewritten as any kind of script or program; what matters is what it returns to STDOUT.</p>
<pre class="brush:bash">
#!/bin/bash
# $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $
#
# Check if the user is in the right group 
#  and afterwards retrieve the SSH public key from LDAP
# Logs directly in Syslog
#
#
# sshd_config for OpenSSH 6.2 or higher:
#
#  AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh
#  AuthorizedKeysCommandUser nobody
# 

LDAP_SERVER="ldap-server"
BASE_DN="ou=users,dc=company,dc=example,dc=com"
ALLOWED_GROUP="6667"

# load local configuration if available
if [ -f /etc/example/ldap.cfg ]; then
    . /etc/example/ldap.cfg
fi

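SSH_USER="$1"

# ALLOWED_GROUP is a numeric GID: compare it against whole group IDs only,
# otherwise the UID or a longer GID containing the same digits would also match
if id -G "${SSH_USER}" | grep -qw "${ALLOWED_GROUP}";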
then
	logger -t sshd -p info "User $SSH_USER is a member of the group"
else 
	logger -t sshd -p warn "User $SSH_USER is not allowed to log in, access denied"
	echo 
	exit 0
fi


KEY=$(ldapsearch -o ldif-wrap=no -S sshPublicKey -c -h "${LDAP_SERVER}" -b "${BASE_DN}" -x -LLL "uid=${SSH_USER}" sshPublicKey | grep -v 'dn:' | perl -pe 's/sshPublicKey: //;')

logger -t sshd -p info "Sent LDAP SSH public key for user $SSH_USER"
echo "${KEY}"

</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2013/09/openssh-6-2-x-ldap-authentication/feed/</wfw:commentRss>
			<slash:comments>11</slash:comments>
		
		
			</item>
		<item>
		<title>PostgreSQL 9.2 Master &#8211; Slave Monitoring</title>
		<link>https://jmorano.moretrix.com/2013/08/postgresql-9-2-master-slave-monitoring/</link>
					<comments>https://jmorano.moretrix.com/2013/08/postgresql-9-2-master-slave-monitoring/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Tue, 13 Aug 2013 13:07:04 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Bash]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[Dev]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Nagios]]></category>
		<category><![CDATA[Postgresql]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=943</guid>

					<description><![CDATA[Nagios plugin script written in Bash to check the master-slave replication in PostgreSQL (tested on PostgreSQL 9.2.4) (executed&#8230;]]></description>
										<content:encoded><![CDATA[<p>A Nagios plugin script written in Bash that checks master-slave replication in PostgreSQL (tested on PostgreSQL 9.2.4). It is executed on the slave.<br />
The script will report how many bytes the slave server is behind, and how many seconds ago the last replay of data occurred.</p>
<p>The script must be executed as the &#8216;postgres&#8217; user.</p>
<pre class="brush:bash">
#!/bin/bash

# $Id: check_slave_replication.sh 3421 2013-08-09 07:52:44Z jmorano $

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
 
## Master (p_) and Slave (s_) DB Server Information	
export s_host=$1
export s_port=$2
export p_db=$3
export p_host=$4
export p_port=$5
 
export psql=/opt/postgresql/bin/psql
export bc=/usr/bin/bc
 
## Limits
export  critical_limit=83886080 # 5 * 16MB, size of 5 WAL files
export   warning_limit=16777216 # 16 MB, size of 1 WAL file
 
master_lag=$($psql -U postgres -h$p_host -p$p_port -A -t -c "SELECT pg_xlog_location_diff(pg_current_xlog_location(), '0/0') AS offset" $p_db)
slave_lag=$($psql -U postgres  -h$s_host -p$s_port -A -t -c "SELECT pg_xlog_location_diff(pg_last_xlog_receive_location(), '0/0') AS receive" $p_db)
replay_lag=$($psql -U postgres -h$s_host -p$s_port -A -t -c "SELECT pg_xlog_location_diff(pg_last_xlog_replay_location(), '0/0') AS replay" $p_db)
replay_timediff=$($psql -U postgres -h$s_host -p$s_port -A -t -c "SELECT NOW() - pg_last_xact_replay_timestamp() AS replication_delay" $p_db)
 
# an empty result means the query failed; -eq '' would also be true for a value of 0
if [[ -z $master_lag || -z $slave_lag || -z $replay_lag ]]; then
    echo "CRITICAL: Stream has no value to compare (is replication configured or connectivity problem?)"
    exit $STATE_CRITICAL
else
    if [[ $master_lag -eq $slave_lag && $master_lag -eq $replay_lag && $slave_lag -eq $replay_lag ]] ; then
        echo "OK: Stream: MASTER:$master_lag Slave:$slave_lag Replay:$replay_lag"
        exit $STATE_OK
    else
        if [[ $master_lag -eq $slave_lag ]] ; then
            if [[ $master_lag -ne $replay_lag ]] ; then
                if [ $(bc <<< $master_lag-$replay_lag) -lt $warning_limit ]; then
                    echo "OK: Stream: MASTER:$master_lag Replay:$replay_lag :: REPLAY BEHIND"
                    exit $STATE_OK
                else
                    echo "WARNING: Stream: MASTER:$master_lag Replay:$replay_lag :: REPLAY $(bc <<< $master_lag-$replay_lag)bytes BEHIND (${replay_timediff}seconds)"
                    exit $STATE_WARNING
                fi
            fi
        else
            if [ $(bc <<< $master_lag-$slave_lag) -gt $critical_limit ]; then
                echo "CRITICAL: Stream: MASTER:$master_lag Slave:$slave_lag :: STREAM BEYOND CRITICAL LIMIT ($(bc <<< $master_lag-$slave_lag)bytes)"
                exit $STATE_CRITICAL
            else
                if [ $(bc <<< $master_lag-$slave_lag) -lt $warning_limit ]; then
                    echo "OK: Stream: MASTER:$master_lag Slave:$slave_lag Replay:$replay_lag :: STREAM BEHIND"
                    exit $STATE_OK
                else
                    echo "WARNING: Stream: MASTER:$master_lag Slave:$slave_lag :: STREAM BEYOND WARNING LIMIT ($(bc <<< $master_lag-$slave_lag)bytes)"
                    exit $STATE_WARNING
                fi
            fi
        fi
        echo "UNKNOWN: Stream: MASTER: $master_lag Slave: $slave_lag Replay: $replay_lag"
        exit $STATE_UNKNOWN
    fi
fi
</pre>
<p>Possible outputs:</p>
<pre class="brush:bash">
$ bash check_slave_replication.sh 192.168.0.1 5432 live 192.168.0.2 5432
WARNING: Stream: MASTER:1907958306184 Replay:1907878056888 :: REPLAY 80249296bytes BEHIND (00:03:14.056747seconds)
$ bash check_slave_replication.sh 192.168.0.1 5432 live 192.168.0.2 5432
OK: Stream: MASTER:2055690128376 Slave:2055690143144 Replay:2055690193744 :: STREAM BEHIND
$ bash check_slave_replication.sh 192.168.0.1 5432 live 192.168.0.2 5432
OK: Stream: MASTER:2055690497120 Replay:2055690497328 :: REPLAY BEHIND
$ bash check_slave_replication.sh 192.168.0.1 5432 live 192.168.0.2 5432
OK: Stream: MASTER:2055691704672 Slave:2055691704672 Replay:2055691704672
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2013/08/postgresql-9-2-master-slave-monitoring/feed/</wfw:commentRss>
			<slash:comments>14</slash:comments>
		
		
			</item>
		<item>
		<title>Backup to free Hetzner FTP</title>
		<link>https://jmorano.moretrix.com/2012/08/backup-free-hetzner-ftp/</link>
					<comments>https://jmorano.moretrix.com/2012/08/backup-free-hetzner-ftp/#comments</comments>
		
		<dc:creator><![CDATA[Johnny Morano]]></dc:creator>
		<pubDate>Wed, 29 Aug 2012 13:20:38 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Bash]]></category>
		<category><![CDATA[Debian]]></category>
		<category><![CDATA[Dev]]></category>
		<category><![CDATA[Hetzner]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=890</guid>

					<description><![CDATA[If you have a hosting account at Hetzner with free backup space, you can not access this backup&#8230;]]></description>
										<content:encoded><![CDATA[<p>If you have a hosting account at <a href="http://www.hetzner.de/en/" target="_blank">Hetzner</a> with free backup space, you can not access this backup volume using <em>rsync</em>.</p>
<p>One way of creating a simple backup is by using the <em>tar</em> command with the <em>incremental</em> option.</p>
<p>You will also want to encrypt these backup files, and one easy way to do this is by using <a href="http://www.gnupg.org/" target="_blank">GPG</a> keys.</p>
<p>The following example assumes you have logged on to the FTP server before and that you have created a <em>backup</em> subdirectory.<br />
It also uses the <em>ncftp</em> tool.</p>
<pre class="brush:bash">
#!/bin/bash

DIRS="/etc /root /home /var/cache/bind /var/spool/postfix /var/www"
INCFILE="/root/.backup/inc_file"
CURRENT_DATE=$(date '+%Y%m%d')
DSTFILE="/data/backup/backup-$CURRENT_DATE.gpg"
GPGUSER="gpg@localhost"
HETZNERUSER=ftpuser
HETZNERPASS=secret
HETZNERSERVER=ftpuser.your-backup.de
HETZNERDIR=backup

tar cvzg $INCFILE -f - $DIRS | gpg -r $GPGUSER -e > $DSTFILE
ncftpput -DD -u $HETZNERUSER -p $HETZNERPASS $HETZNERSERVER $HETZNERDIR $DSTFILE

</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2012/08/backup-free-hetzner-ftp/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>Bash and the Screen</title>
		<link>https://jmorano.moretrix.com/2011/03/bash-and-the-screen/</link>
					<comments>https://jmorano.moretrix.com/2011/03/bash-and-the-screen/#comments</comments>
		
		<dc:creator><![CDATA[insaniac]]></dc:creator>
		<pubDate>Tue, 08 Mar 2011 13:17:03 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Mac OS X]]></category>
		<category><![CDATA[Bash]]></category>
		<category><![CDATA[Dev]]></category>
		<category><![CDATA[MacOSX]]></category>
		<category><![CDATA[Screen]]></category>
		<category><![CDATA[UNIX]]></category>
		<guid isPermaLink="false">http://jmorano.moretrix.com/?p=522</guid>

					<description><![CDATA[Beauty and the Beast When working in a UNIX/Linux/MacOSX environment, the command is often used to execute some&#8230;]]></description>
										<content:encoded><![CDATA[<h3>Beauty and the Beast</h3>
<p>When working in a UNIX/Linux/MacOSX environment, the command line is often used to execute some tasks. The default shell in the <a href="http://en.wikipedia.org/wiki/Apple_Terminal">Terminal.app</a> (MacOSX) and in most other terminals is the <a href="http://www.gnu.org/software/bash/">Bourne Again Shell</a>, aka bash.</p>
<p>Bash is intended to be a conformant implementation of the Shell and Utilities portion of the IEEE POSIX specification. Bash also incorporates useful features from the Korn and C shells (ksh and csh).</p>
<p><a href="http://www.gnu.org/software/screen/">Screen</a> is a full-screen text-based window manager with VT100/ANSI terminal emulation. It has the ability to detach shell sessions, which is extremely useful for executing remote processes or processes that should not be terminated after logging out or after the shell process itself terminates.<br />
<span id="more-522"></span></p>
<h3>my ~/.bashrc</h3>
<p>First we start off by setting up the Bash configuration file, which is located at ~/.bashrc for the current user or at /etc/bash.bashrc for system-wide configuration.</p>
<p>Most users will just edit their own bashrc file.<br />
The options defined in this file have comments above them, so I won&#8217;t re-explain them.</p>
<pre class="brush:bash">
# define your local timezone
export TZ='Europe/Brussels'

# If not running interactively, don't do anything
[ -z "$PS1" ] &amp;&amp; return

# don't put duplicate lines in the history. See bash(1) for more options
export HISTCONTROL=ignoredups
# ... and ignore same successive entries.
export HISTCONTROL=ignoreboth

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] &amp;&amp; eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] &amp;&amp; [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# define all aliases in a separate file
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# turn on bash completion, must be installed separately
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi

# define some colors which will be used in PS1 and PS2
BLUE="\[\033[0;34m\]"
LIGHT_GRAY="\[\033[0;37m\]"
GREEN="\[\033[0;32m\]"
LIGHT_BLUE="\[\033[1;34m\]"
LIGHT_CYAN="\[\033[1;36m\]"
YELLOW="\[\033[1;33m\]"
WHITE="\[\033[1;37m\]"
RED="\[\033[0;31m\]"
NO_COLOUR="\[\033[0m\]"

# if this shell was started in the screen command, use a different PS1 prompt
if [[ $TERM =~ screen ]] ; then
    PS1="${GREEN}.oO( $BLUE\h $GREEN|$BLUE \w $GREEN)Oo"'\[\033k\]\[\033\\\]'".$NO_COLOUR "
else
    PS1="${GREEN}.oO( $BLUE\h $GREEN|$BLUE \w $GREEN)Oo.$NO_COLOUR "
fi
PS2="$GREEN.oO($NO_COLOUR "</pre>
<p>This local bashrc file enables some default settings and creates a fancy bash prompt in colour. (See screenshot)</p>
<p><img decoding="async" src="https://jmorano.moretrix.com/wp-content/uploads/2011/03/Screenshot-insaniac@musashi.moretrix.com-home-insaniac-1.png" alt="Screen Shell Prompt" /></p>
<p>Next we&#8217;ll set up the Screen configuration file.</p>
<h3>my ~/.screenrc</h3>
<p>The following Screen configuration file sets some options that I find useful. These options include:</p>
<ul>
<li>no splash screen at startup</li>
<li>no visual bell</li>
<li>a customized status bar at the bottom of the screen</li>
<li>a huge scrollback buffer</li>
<li>updated window names, based on the current command</li>
<li>UTF8 encoding</li>
</ul>
<p>The file will be saved in the user home directory, at ~/.screenrc</p>
<pre class="brush:bash">
# some default settings
startup_message off
vbell off
msgwait 1
defutf8 on
compacthist on

# Monitor windows
defmonitor on
activity ""

# Turns off alternate screen switching in xterms,
# so that text in screen will go into the xterm's scrollback buffer:
termcapinfo xterm* ti@:te@
altscreen on

# Enable 256 color terminal
attrcolor b ".I"
termcapinfo xterm 'Co#256:AB=\E[48;5;%dm:AF=\E[38;5;%dm'
defbce "on"

# Keep 50000 lines of scrollback
defscrollback 50000

backtick 2 60 60 echo $USERNAME

screen 0

shelltitle '. |bash'
hardstatus alwayslastline '%{= .y}.oO(%{= .b}%2`@%H%{= .y})Oo. %{= .b}%{+} %= %-w %{= .yb} %n:[%t] %{= db} %+w %{= .y}time: [%c]'

bindkey -k k2 screen                                    # F2  | Create new window
bindkey -k k3 prev                                      # F3  | Previous Window
bindkey -k k4 next                                      # F4  | Next Window
register r "^a:source $HOME/.screenrc^M"                #     | Goes with F5 definition
bindkey -k k5 process r                                 # F5  | Reload profile
bindkey -k k6 detach                                    # F6  | Detach from this session
bindkey -k k7 copy                                      # F7  | Enter copy/scrollback mode
register t "^aA^aa^k^h"                                 #     | Goes with the F8 definition
bindkey -k k8 process t                                 # F8  | Re-title a window
</pre>
<p>In order to have updated window names, it is important that the PS1 settings from the Bash configuration above are in place. If not, the window names will not be updated!</p>
<p>This configuration file was used to create the following screenshot:<br />
<img decoding="async" src="https://jmorano.moretrix.com/wp-content/uploads/2011/03/Screenshot-johnny@ubuntu-sunray1-Dev-Elop.png" alt="Screenshot Screen with 3 open windows" /></p>
<h3>References</h3>
<p>Some options were taken out of the <a href="https://launchpad.net/byobu">Byobu</a> configuration file, others were found on the <a href="http://www.google.com/">Interweb</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://jmorano.moretrix.com/2011/03/bash-and-the-screen/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
