NSS326 SFTP and SSH Key

Similar Messages

• SCP, SSH and SFTP in CMD / File-Explorer and SSH key management with Windows Credential Manger

  Please add SSH, SFTP and SCP in CMD and File Explorer.
  Also, allow us to copy to FTP in File Explorer.
  Would be nice to have the SSH credentials managed by Windows Credentials Manager.

  Even with the RHEL firewall completely disabled, it has the same upper limit. SCP between the Solaris systems, with ipfilter running on both systems and both systems on completely different networks, is not a problem. Between Solaris and RHEL, same network but different subnet, RHEL with no firewall running (only while troubleshooting this, don't panic), still a problem. Using PuTTY SFTP from/to any of the systems is fine, even though on different networks. The mtu on the RHEL was the same as the Solaris systems (1500) - changing values on the RHEL increased the upper limit but still hit a ceiling. Only have one RHEL system so I can't see whether RHEL-RHEL transfers are affected, only those between Solaris, PuTTY on Windows, and the one RHEL system.

• Sender sFTP Adapter - SSH Key

  Hi All,
  I have a small doubt regarding Sender sFTP Adapter. This is what we have done to connect with one of Vendor
  1.     Basis created a SSH key in NWA for Vendor and sent to them.
  2.     They linked the SSH key with user name and asked me to use the same.
  3.     We got the firewalls openepd b/w PI and Vendor
  4.     I provided the same detail in sFTP adapter, but I am not able to connect,
  I am getting below error:
  Error: Cannot connect to SFTP server. Host=########, port=22, username=#####. Private key store=########, private key alias=piPKCS12. Timeout=300000 msecs. Absolute home directory=.: KeyStoreException in Method: getPrivateKey( KeyStore, String, String ). The requested keystore type is not available in the default provider package or any of the other provider packages that were searched. (Software version: 3.0.14.2)
  Please provide your inputs.
  Regards,
  Sachin Dhingra

  Hi,
  The first thing you have to do is use the same userid and the pwd and try to connect to the vendor system from your application layer and see if this is connecting or not. If there is a problem in connection then there are few steps that you have to follow. Below are the steps you need to follow:
  1. Open the port from your Vendor side as well as open the port from your XI system(there might be two ports)
  2. Generate the key of your vendor system and one you started login to the system then it will ask to instal the key , so acept it.
  the IS people can help you out over here.
  3. Try to push the one dummy file in that location manually using the command in application layer.
  4. check the authorization in the target directory and try to provide the proper authorization,, 777 is used for full authorization.
  5. use the same useid and the pwd and then try from your xi system processign a dummy file.
  hope this helps.
  cheers,
  jay

• [SOLVED] a problem with gpg-agent and ssh keys

  I'm baffled by a strangle problem:
  My setup is as follows: I use gpg-agent with --enable-ssh-support, so that my ssh keys are handled by it. All was fine (when I ssh'ed to another machine, a pinentry window popped up, asked for a password, and if I entered the correct one, gpg-agent would decrypt its copy of my private ssh key and use it for identification). But: I needed to change my ssh key, and so I generated a new one. Next, I ssh-add'ed it to gpg-agent (one password to decrypt the private key, then twice another password for gpg-agent). I uploaded the public key to a server. The setup should be complete.
  The problem is that when I ssh to a machine, a pinentry window comes up, but it does not accept my password (the one that I entered twice when ssh-add'ing the key). I tried adding with various different passwords (always deleting ~/.gnupg/private-keys-v1.d/*, since 'ssh-add -d ~/.ssh/id_rsa.pub' would not work for some reason - it would not make gpg-agent forget the key), different pinentry programs ( -qt4, -gtk-2, -curses), and still the same problems. Pinentry itself seems to work fine, since if I enter two different things when it asks for a new passphrase for the key, it detects that there's a problem.
  So, can anyone help? What could I try (please don't post just to say that I could/should use ssh-agent, or keychain, or anything else. I have used various things, and I like this setup the most. It worked before, and I would like to find out why it stopped working and how to get it back to speed.)
  Thanks.
  Last edited by bender02 (2010-02-15 09:52:54)

  Thats a known bug with the new gpg version.
  http://lists.gnupg.org/pipermail/gnupg- … 38045.html
  You could use an older version of gpg or use a development version.

• Backup CUCM 10.5 via SFTP using ssh-key

  Hey guys,
  I would like to backup my CUCM 10.5 using SSH pre-shared key. Is it possible?

  Hi,
  the question is not clear. can you give more info ?
  normal backup is done through SFTP network location from disaster recovery page
  HTH
  Anas
  don't forget to rate the helpful posts

• SFTP and SSH question.

  Currently I have a headless OS X Client running Crush FTP over SSH (SFTP) for our work SFTP server this is separate from our main OS X G5 server box.
  I can't seem to SSH into the SFTP server via the terminal in order to manage it an poke around like I do with our server.
  I am about to setup a little OS X server at home and want SFTP access from it, as I can't justify a seperate box, but I also want to be able to SSH into the box from the outside world too.
  I am firstly wondering what the issue is with my Crush FTP server as to wether I will experience the same problem at home.
  The 2nd question is can OS X run FTP over SSH (SFTP) with the built in server admin tools and if so is it as easy as Crush FTP to manage?
  I will be using ACL's so I guess I could restrict access down that way.
  Thoughts, comments, suggestions and explanations very much welcome as I can't find much to answer the above.

  Hi: Port 115 is generally used for SimpleFTP. SecureFTP or FTPS uses port 989 and 990. This might help.
  Tony

• Are "Back to My Mac" FTP and SSH services visible to "everyone"?

  With the MobileMe "Back to my Mac" service, I can establish SSH terminal and SFTP connections from my Mac Mini at home to my Mac Pro at my work.  The SSH (Remote Login) and SFTP (File Sharing) services are enabled under System Preferences -->  Sharing.
  Does this make the SFTP and SSH services on my Mac visible/accessible to anyone else?  I like using "Back to my Mac" because it is simple and it uses key exchange for authentication when connecting.  However, I'm concerned that by enabling the SFTP and SSH services under Sharing, I'm also opening these services up to anyone who can see them.  Is this true, and if so, how can I maintain the security of my computers?
  Thanks in advance,
  jjw

  OK, besides putting me to sleep, the BTMM description seems to indicate that it is your MobileMe password that is important when making BTMM connections through a home NAT router.
  BTMM does open a port through the router, but if I understand correctly, it does not listen for ssh, or vnc, or afp protocols, but rather for the BTMM IPsec secure tunnel to be established, and then all the BTMM supported servers travel over the IPsec secure tunnel.  NOTE: the paper was putting me to sleep, so I could have this wrong.
  Kerberos is used for authentication of the IPsec tunnel.
  What I'm thinking is that if your Mac stays behind a home NAT router, or corporate firewall (that allows BTMM to work), then the important password is your MobileMe password.   If the Mac goes out in public, then all your Mac OS X user account (and guest) passwords need to be strong (where longer is better).
  A GRC Shields-UP probe will not check all possible ports.  If BTMM is running and all the standard ports are marked as stealth, then BTMM is using a non-standard port (as in one GRC does not check by default).  That makes it more difficult for someone to find your NAT router and then your Mac.  While this is NOT security, it does add some difficulty to the intruder's attempts at finding you.
  AGAIN, I did not fully understand the BTMM paper, so "Your Mileage May Vary" with respect to my analysis acccuracy.

• BizTalkServer 2010 SFTP Adapter from CodePlex - Configuring send and receive locations with SSH public and private keys

  Hi there,
  I am looking for step by step instrcutions on how to configure SFTP Codeplex adapter for both receive and send ports.
  Out business partner with whom we push/poll the files from wants us to use SSH encryption/decryption etc.
  Just wondering if the following functionality is supported in Codeplex SFTP adatper without having to write any code.
  Appreciate if there is manaul to do this for SFTP. BTW I do have all the our public and private keys and business partners Public key for configuring.
  For Send port: 1. we would need to encrypt the file with our business partners public key
                        2. sign the file with our private key.
                        3. Send the file through to SSH client which eventually transfers to Remote server.
  Receive port:   1. Connect to SSH Server with SSH-2 key and receive the file
                        2. Verify the file's digital signature agaisnt the Business partners PGP public key
                        3. Decrypt the file using our PGP Public key
  Thanks in advance

  Yes it is supported.
  You can find its documentation in this link 
  You can find section X.509 Certificate Identity Keys
  You can set public and private key in property SSH Identity thumbprint  of send and receive port
  I prefer to test it using client tool like
  FileZilla or WinSCP then test it using sftp adapter
  When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

• Tabulation and arrow keys don�t work through ssh

  Hi!
  I just got a solaris 10 on a v240. But I loggin through SSH, tabulation key and arroy keys don� t work. It � s quite nasty because I cannot just repeat a command for example, I�ve to type it allover again. I� m quite surprised because I have an old solaris where it does work without problem. Should I change something in the configuration?
  Thanks

  Is your shell one that you want?
  csh and sh don't support autocompletion or arrow histories. you'd need tcsh or bash or something.
  Darren

• Java API that implements the SSH, SFTP and Telnet protocols

  Hi,
  I'm looking for a Java API that implements the SSH, SFTP and Telnet protocols. Does anyone have a suggestion?
  Any Suggestions are really appreciated ?
  Thanks,
  Avin

  I believe SSH and telnet are used for interactive command line sessions, don't know how you want to use them in a program.

• Setup advice for rsync, ssh keys and launchd - all for remote webserver backup

  Hi There,
  This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
  rsync
  I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
  sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
  I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
  Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
  launchd
  While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
  http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
  I'm guessing I need to:
  Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
  Create a launchd Property List File that will run the script at certain times
  Somehow register the Property List File with launchd so it runs
  Or maybe I should just use Automator and iCal?
  I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
  Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
  Any help or suggestions would be much appreciated.
  Cheers
  Ben

  Hi There,
  This is the first time I'm doing this and I have limited command line experience but I need to setup a automatic backup of our webservers.
  rsync
  I have 4x rsync commands that work when run from the command line manually - here is an example, they just pull files from a few directories:
  sudo rsync -avzO -e ssh [email protected]:/backups/ /Volumes/ServerVolume/webserver-backups/DEV/mysql/
  I had issues with writing the files locally when running the above so had to do it as root and also add -O (-avzO). But because I need to run these automaticlly, I'm worried that running them as root will require a password - is that correct?
  Also, while I've setup ssh keys, I feel unsure this has been done correctly - how do I test this properly?
  launchd
  While I've set up cron jobs on the webserver (a mysql dump) I don't have any experience with launchd and feel a bit out of my depth after reading the pages here:
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/ScheduledJobs.html
  http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystem Startup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/TP40001762-104142
  http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/launchd.8.html#//apple_ref/doc/man/8/launchd
  I'm guessing I need to:
  Somehow make the rsync command a file that wil execute in Terminal - do I just put it in a file and give it a .sh extension?
  Create a launchd Property List File that will run the script at certain times
  Somehow register the Property List File with launchd so it runs
  Or maybe I should just use Automator and iCal?
  I did try getting automator to run the rsync commands in terminal from iCal (I just pasted the commands straight in and set automator to pass them as arguments) but it doesn't seem to launch terminal so if there are errors, I can't see what they are. Because they started though, I think my SSH keys are setup.
  Maybe it would just be better to figure out what is wrong with rsync commands and the permissions and just make these all run unattented from iCal?
  Any help or suggestions would be much appreciated.
  Cheers
  Ben

• Ssh keys and gnupg keys from wiki instructions...

  following first the gnupg instructions and then ssh keys I've managed to get several instances of gpg-agent running.
  [root@frylock ~]# ps aux | grep agent
  root 2764 0.0 0.0 4208 432 ? Ss 11:15 0:00 ssh-agent
  xtian 2785 0.0 0.1 3500 972 ? Ss 11:18 0:00
  gpg-agent -s --enable-ssh-support --daemon
  --write-env-file /home/frylock/xtian/.gnupg/gpg-agent.env
  root 2958 0.0 0.0 3168 688 ? Ss 11:39 0:00
  gpg-agent -s --enable-ssh-support --daemon
  --write-env-file /root/.gnupg/gpg-agent.env
  root 3036 0.0 0.0 4740 392 ? Ss 11:43 0:00 gpg-agent --daemon
  root 3186 0.0 0.0 4740 388 ? Ss 11:53 0:00 gpg-agent --daemon
  root 3299 0.0 0.0 4740 388 ? Ss 11:58 0:00 gpg-agent --daemon
  root 3549 0.0 0.0 4740 392 ? Ss 12:54 0:00 gpg-agent --daemon
  This I can resolve by going back over the instructions--a fifth time. But what I don't understand, why my user account owner of a running process when I'm only logged in one tty as root?
  //EDIT: Clarify the login scenario
  // EDIT: the code block is cutting off line
  Last edited by xtian (2013-09-07 14:20:00)

  xtian wrote:
  cfr wrote:For example, I don't include the code in ~/.xinitrc or in /etc/profile.d precisely because I'm starting the agent somewhere else.
  That's just it. I'm not starting it somewhere else. According to the wiki, its being called from .xinitrc and that's where the call is made to the script in profile.d, I think. Unless the script in /etc/profile.d is starting the script automatically?? I don't know.
  Yes. The script you have in /etc/profile.d will start it automatically. I have a similar script in /etc/kde/env and that is all I use. I don't need anything in ~/.xinitrc (or kde's autostart stuff or whatever).  At least, this is true provided those scripts are sourced. What you definitely do not want is the line you currently have in ~/.xinitrc which does not check to see if an instance of gpg-agent is already running.
  This is what I use:
  $ cat /etc/kde/env/gpg-agent-startup.sh
  #!/bin/sh
  # see https://wiki.archlinux.org/index.php/SSH_Keys
  GPG_AGENT=/usr/bin/gpg-agent
  ## Run gpg-agent only if not already running, and available
  if [ -x "${GPG_AGENT}" ] ; then
  # check validity of GPG_SOCKET (in case of session crash)
  GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
  GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
  if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  else
  GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
  if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  fi
  fi
  unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
  fi
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  eval "$(cat "${GPG_AGENT_INFO_FILE}")"
  eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
  export GPG_TTY=$(tty)
  else
  eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
  fi
  fi
  In any case, your script should check for the environment file and only start an instance of the agent if it doesn't exist.
  I'ts not my script. I'm not up on BASH scripts. This one is from the wiki page. Isn't this script checking just that in this IF clause:
  if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
  eval "$(cat "$envfile")"
  Yes. But the line you have in ~/.xinitrc does NOT check this. It just starts an instance of gpg-agent as a daemon.

• How do I configure Kwallet to manage SSH and GPG keys? [SOLVED]

  I'm using a select few KDE programs (not the DE) such as Kontact (and with that KMail, Korganizer, Kaddressbook...) and Kwallet. I've got a GPG and an SSH key which I need in Git to sign commits and push. I'd like to have Kwallet manage ALL of these passwords/passphrases, (e-mail, SSH, GPG) and only be prompted for a password to unlock my wallet once per session - or better yet, have the wallet unlocked by logging in (like the keychain in OS X). I'm currently using SLiM (systemd, slim.service) as the login manager. I had a glance at this tutorial for inspiration but to no success...
  This is my ~/.xinitrc:
  #!/bin/sh
  if [ -d /etc/X11/xinit/xinitrc.d ]; then
  for f in /etc/X11/xinit/xinitrc.d/*; do
  [ -x "$f" ] && . "$f"
  done
  unset f
  fi
  # Hide mouse cursor when idle
  unclutter -idle 4 &
  # Background image
  hsetroot -fill $HOME/img/08.jpg &
  # Window manager
  xmonad
  This is my ~/.zprofile (failed attempt, fake GPG-key name)
  #!/bin/sh
  # Load keychain to handle ssh and gpg keys
  export SSH_ASKPASS=/usr/bin/ksshaskpass
  eval `keychain --eval id_rsa 1234ABCD`
  $HOME/.keychain/`hostname`-sh
  $HOME/.keychain/`hostname`-sh-gpg
  This is my ~/.gnupg/gpg.conf (commented lines not included)
  no-greeting
  require-cross-certification
  charset utf-8
  keyserver hkp://keys.gnupg.net
  Last edited by totte (2012-10-25 10:49:52)

  No success so far, really, need more ideas.
  Neither of /etc/kde/env/{gpg,ssh}-agent-startup.sh seem to be run by anything automatically on my system upon boot and logging in. I tried going back to the beginning and I got GPG working alright, when signing a commit I was automatically authenticated. SSH however still prompts me by CLI to enter my passphrase when I try to git-push or ssh into a server. I set an empty password for the wallet to have it "unlocked by logging in". I thought setting "export SSH_ASKPASS='/usr/bin/ksshaskpass'" in ~/.zprofile would have it prompt for the password in some manner of Qt window related to Kwallet, but apparently it doesn't. In top both ssh-agent and gpg-agent are displayed as running - but if I run gpg-agent in Konsole I get the output "gpg-agent: no gpg-agent running in this session", ssh-agent on the other hand outputs "SSH_AUTH_SOCK=/tmp/ssh-noaDS3C4AP8M/agent.1830; export SSH_AUTH_SOCK;
  SSH_AGENT_PID=1831; export SSH_AGENT_PID;
  echo Agent pid 1831;".
  Here's my ~/.zprofile, ~/.xinitrc, ~/.gnupg/gpg.conf, ~/.gnupg/gpg-agent.conf and ~/.zshrc (probably irrelevant but included anyway):
  ~/.zprofile
  export EDITOR='vim'
  export GIT_EDITOR='vim -fg'
  export GPG_TTY=$(tty)
  export GREP_COLOR='1;34'
  export GREP_OPTIONS='--color=auto'
  export LANG='en_GB.UTF-8'
  export PAGER='less'
  export PINENTRY='/usr/bin/pinentry-kwallet'
  export SSH_ASKPASS='/usr/bin/ksshaskpass'
  export VISUAL='vim'
  ~/.xinitrc
  #!/bin/sh
  if [ -d /etc/X11/xinit/xinitrc.d ]; then
  for f in /etc/X11/xinit/xinitrc.d/*; do
  [ -x "$f" ] && . "$f"
  done
  unset f
  fi
  # Kwallet
  kwalletd &
  # Keychain (SSH & GPG)
  eval `keychain --eval id_rsa 1234ABCD` &
  # Hide mouse cursor when idle
  unclutter -idle 4 &
  # Background image
  hsetroot -fill $HOME/img/08.jpg &
  # Akonadi
  akonadictl start &
  # Music Player Daemon
  mpd &
  # Window manager
  xmonad
  ~/.gnupg/gpg.conf
  no-greeting
  require-cross-certification
  charset utf-8
  keyserver hkp://keys.gnupg.net
  use-agent
  ~/.gnupg/gpg-agent.conf
  pinentry-program /usr/bin/pinentry-kwallet
  no-grab
  ~/.zshrc (probably irrelevant)
  # PATH
  # System executables
  PATH0="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin"
  # My executables
  PATH1="$HOME/bin"
  export PATH="$PATH0:$PATH1"
  # COLOURS
  autoload colors; colors;
  eval "`dircolors -b ~/.dircolorsrc`"
  # GENERAL
  HISTFILE=$HOME/.zsh_history
  HISTSIZE=10000
  SAVEHIST=10000
  setopt append_history
  setopt extended_history
  setopt hist_expire_dups_first
  setopt hist_ignore_dups
  setopt hist_ignore_space
  setopt hist_verify
  setopt inc_append_history
  setopt share_history
  setopt prompt_subst
  setopt correctall
  setopt auto_menu
  setopt complete_in_word
  setopt always_to_end
  setopt extendedglob
  # ALIASES
  alias rezsh='. ~/.zshrc'
  alias _='sudo '
  alias l='ls -lh --color'
  alias la='ls -lAh --color'
  alias -- -='cd -'
  alias ..='cd ..'
  alias df='df -h'
  alias g='git'
  alias tmux='tmux attach'
  alias cp='cp -v'
  alias mv='mv -v'
  alias rm='rm -v'
  alias rmdir='rmdir -v'
  alias d='dirs -v'
  bu(){cp -v $1 ${1}.backup}
  cmds(){history | awk '{print $2}' | sort | uniq -c | sort -rn | head}
  md(){mkdir -p $1; cd $1}
  # OS-specific aliases
  if [[ $(uname) == "Darwin" ]]; then
  # Mac OS X
  alias pkgs='port search' # Search
  alias pkgi='sudo port install' # Install
  alias pkgu='sudo port selfupdate && sudo port upgrade outdated' # Update & Upgrade
  alias pkgr='sudo port uninstall --follow-dependencies' # Remove package and unused dependencies
  alias pkgl='port installed' # List installed packages
  alias python='/usr/local/bin/python3'
  alias pip='pip-3.2'
  alias pips='pip-3.2 search'
  alias pipi='pip-3.2 install'
  alias pipu='pip-3.2 install -U'
  alias pipr='pip-3.2 uninstall'
  alias pipl='pip-3.2 freeze'
  alias v='mvim'
  elif [[ $(uname) == "Linux" ]]; then
  alias pips='pip search'
  alias pipi='pip install'
  alias pipu='pip install -U'
  alias pipr='pip uninstall'
  alias pipl='pip freeze'
  alias v='vim'
  case $(lsb_release -d | cut -f2 | cut -d " " -f1) in
  (Arch) # Arch Linux
  alias equa='alsamixer -D equal'
  alias pkgs='pacman -Ss' # Search
  alias pkgi='sudo pacman -S' # Install
  alias pkgu='sudo pacman -Syu' # Update & Upgrade
  alias pkgr='sudo pacman -Rns' # Remove package, configuration backups and unused dependencies
  alias pkgl='pacman -Q' # List installed packages
  alias pkgd='whoneeds' # List packages depending on specified package
  alias poweroff='sudo systemctl poweroff'
  alias reboot='sudo systemctl reboot'
  alias nw='wicd-curses'
  (Debian|Ubuntu) # Debian and Ubuntu
  alias pkgs='aptitude search' # Search
  alias pkgi='sudo aptitude install' # Install
  alias pkgu='sudo aptitude update && sudo aptitude upgrade' # Update & Upgrade
  alias pkgr='sudo aptitude purge' # Remove package, configuration files and unused dependencies
  alias pkgl='aptitude search -F "%p" "~i"' # List installed packages
  alias reboot='sudo shutdown -r now'
  alias shutdown='sudo shutdown -h now'
  esac
  fi
  # Host-specific aliases
  if [[ ${HOST:r} == "betre" ]]; then
  alias poff='sudo /sbin/write-magic 0xdeadbeef && sudo /sbin/reboot'
  fi
  # TAB COMPLETION
  autoload compinit
  compinit
  # Case-insensitive (all),partial-word and then substring completion
  zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
  zstyle ':completion:*:*:*:*:*' menu select
  zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
  cdpath=(.)
  # Use /etc/hosts and known_hosts for hostname completion
  [ -r /etc/ssh/ssh_known_hosts ] && _global_ssh_hosts=(${${${${(f)"$(</etc/ssh/ssh_known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
  [ -r ~/.ssh/known_hosts ] && _ssh_hosts=(${${${${(f)"$(<$HOME/.ssh/known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
  [ -r /etc/hosts ] && : ${(A)_etc_hosts:=${(s: :)${(ps:\t:)${${(f)~~"$(</etc/hosts)"}%%\#*}##[:blank:]#[^[:blank:]]#}}} || _etc_hosts=()
  hosts=(
  "$_global_ssh_hosts[@]"
  "$_ssh_hosts[@]"
  "$_etc_hosts[@]"
  `hostname`
  localhost
  zstyle ':completion:*:hosts' hosts $hosts
  # KEYBINDINGS
  bindkey '^[[A' history-beginning-search-backward
  bindkey '^[[B' history-beginning-search-forward
  bindkey "^[[H" beginning-of-line
  bindkey "^[[1~" beginning-of-line
  bindkey "^[OH" beginning-of-line
  bindkey "^[[F" end-of-line
  bindkey "^[[4~" end-of-line
  bindkey "^[OF" end-of-line
  # Make the delete key (or Fn + Delete on the Mac) work instead of outputting a ~
  bindkey '^?' backward-delete-char
  bindkey "^[[3~" delete-char
  bindkey "^[3;5~" delete-char
  bindkey "\e[3~" delete-char
  # TITLES
  tmux_title="%16<..<%~%<<"
  term_tab_title="%m"
  term_title="Terminal"
  function title(){
  if [[ "$TERM" == screen* ]]; then
  print -Pn "\ek$tmux_title:q\e\\"
  elif [[ $TERM == rxvt* ]] || [[ "$TERM_PROGRAM" == "iTerm.app" ]]; then
  print -Pn "\e]2;$term_title:q\a"
  print -Pn "\e]1;$term_tab_title:q\a"
  fi
  function title_precmd(){
  title $tmux_title $term_tab_title $term_title
  function title_preexec(){
  emulate -L zsh
  setopt extended_glob
  local tmux_title=${1[(wr)^(*=*|sudo|ssh|-*)]}
  title $tmux_title $term_tab_title $term_title
  # ZSH VCS_INFO MODULE
  autoload -Uz vcs_info
  #zstyle ':vcs_info:*+*:*' debug true
  zstyle ':vcs_info:*' enable git
  zstyle ':vcs_info:git*' formats '%fon $(rou)%b%f%c%u%m'
  zstyle ':vcs_info:git*' actionformats '%fon $(rou)%b%f:$(rou)%a%f%c%u%m'
  zstyle ':vcs_info:git*:*' stagedstr ' (staged)'
  zstyle ':vcs_info:git*:*' unstagedstr ' (unstaged)'
  zstyle ':vcs_info:git*:*' get-revision true
  zstyle ':vcs_info:git*:*' check-for-changes true
  zstyle ':vcs_info:git*+set-message:*' hooks git-stash git-untracked
  # Display count of stashed changes
  function +vi-git-stash(){
  local -a stashes
  if [[ -s ${hook_com[base]}/.git/refs/stash ]] ; then
  stashes=$(git stash list 2>/dev/null | wc -l)
  if [[ $stashes > 1 ]] ; then
  hook_com[misc]+=" (${stashes} stashes)"
  else
  hook_com[misc]+=" (${stashes} stash)"
  fi
  fi
  # Display message if untracked files are present
  function +vi-git-untracked(){
  if [[ $(git rev-parse --is-inside-work-tree 2> /dev/null) == 'true' ]] && \
  git status --porcelain | grep '??' &> /dev/null ; then
  hook_com[unstaged]+=" (untracked files present)"
  fi
  function prompt_precmd(){
  vcs_info
  # PROMPT
  # Root or user?
  function rou(){
  if [[ $UID -eq 0 ]] ; then
  echo "%{$fg[magenta]%}"
  else
  echo "%{$fg[blue]%}"
  fi
  # Display ± if we're in a git repository and » at all other times
  function prompt_character(){
  git branch >/dev/null 2>/dev/null && echo '%{$fg[white]%}±%{$reset_color%}' && return
  echo '%{$fg[white]%}»%{$reset_color%}'
  # Set the prompt
  function set_prompt(){
  PROMPT="$(rou)%n %{$reset_color%}at $(rou)%m %{$reset_color%}in $(rou)%~ ${vcs_info_msg_0_}
  %{$reset_color%}$(prompt_character) "
  # HOOKS
  autoload -U add-zsh-hook
  add-zsh-hook preexec title_preexec
  add-zsh-hook precmd title_precmd
  add-zsh-hook precmd prompt_precmd
  add-zsh-hook precmd set_prompt

• DS 6.3 ssh key and password expiration warnings

  I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
  In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
  If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
  The user can only login if they start from a different username and bypass the ssh key check.
  Hope this makes sense.

  After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed, and validated in the directory. Since no password is enered when using an ssh key, the warnings aren't triggered.

• Remote login via ssh and public keys

  I'm not exactly a UNIX expert, but I need to be able to remote login to my PowerBook. The problem with enabling ssh is that as soon as I'm on campus, all kinds of nefarious hosts try brute force attempts to crack my password. I've heard that public/private key logins are the answer, and I've managed to get the public key in the right place on my PowerBook (the private key resides on my iPhone, from which I'll be logging in). But I have two questions:
  1) How do I disable logins via user/password?
  2) When I use my private key, I'm asked to enter the password for the key -- ssh isn't properly storing that password. I've checked permissions, but how can I get ssh to store that password, as it should?

  1) In Sharing > Remote Login, do I still need an account listed to be able to use ssh logins with a public key? I ask because currently (i.e. password authentication enabled), when no accounts are listed, login via public key doesn't work. In other words, an account has to be listed for public key logins to work.
  Yes you still need an account name to login to that computer. However you don't need to specify an account in the sharing preferences. You can lock down the security further by limiting which user accounts can login via ssh.
  by default if you don't specify a username when you login it will use the username of the device your logging in from. So to use an alternative login name you would use
  ssh [email protected]
  whereas john can be anyname or your choosing.
  Put another way: if turn off password authentication for ssh in sshd_config, how should Sharing > Remote Login be configured?
  If you turn off password authentication you still need to allow your user account to login via ssh in the sharing preferences or you can allow all.
  2) According to that MacOS X Hints article:
  "Leopard has now a built-in support for SSH authentication with public keys.
  OSX has been able to use ssh public key authentication since day 1 of the beta release of osx. It is not new to leopared it has been around for years.
  Just open Terminal and ssh to your public-key-enabled server. A Keychain window appears, proposing you to enter the pass phrase, and then remembering it in your keychain. "
  I have not used this functionality as I don't use any passwords for ssh logins.
  They're talking about the password associated with the key. But on second thought, that password is being saved on the client, not the server, right?
  I am sure this is the case.