Monday, March 17, 2025

To remove the ACLs and the accompanying plus sign from a file or directory in linux

In Linux, a plus sign (+) at the end of the file permissions (e.g., -rwxrwxrwx+) indicates that the file or directory has extended permissions set through Access Control Lists (ACLs).

To remove the ACLs and the accompanying plus sign from a file or directory, you can use the setfacl command:

Remove all ACL entries: This will eliminate all extended ACLs associated with the file or directory.
```
bash
setfacl -b filename
```
Replace filename with the name of your file or directory.
Remove the ACL mask: Sometimes, even after removing all ACL entries, the plus sign may persist due to an existing ACL mask. To remove it, use:
```
bash
setfacl -n filename
```
Combining both steps ensures that all ACL entries and masks are removed:
```
bash
setfacl -bn filename
```
This command removes all ACL entries and the ACL mask simultaneously, effectively clearing any extended permissions.

Note: After performing these operations, it's advisable to verify the current permissions using ls -l filename to ensure that the ACLs have been successfully removed and that the plus sign no longer appears.

Caution: Modifying ACLs can impact access permissions for users and groups. Ensure that the standard Unix permissions (rwx for user, group, and others) are set appropriately to maintain the desired access controls after removing ACLs.

By following these steps, you can remove the plus sign from the file permissions, indicating that no extended ACLs are set on the file or directory.

Dot at the end of Linux file permissions - How to Remove them

In Linux, when you list files using the ls -l command, a trailing dot (.) at the end of the permission string indicates that the file has an SELinux security context associated with it. This dot signifies that SELinux attributes are present, even if SELinux is disabled on the system.

To remove this trailing dot, you need to clear the SELinux security context from the files. This can be achieved using the setfattr command, which allows you to manipulate extended attributes on filesystem objects. Here's how you can do it:

Remove SELinux attribute from a single file or directory:
```
bash
sudo setfattr -h -x security.selinux /path/to/file_or_directory
```
Replace /path/to/file_or_directory with the actual path of your file or directory.
Remove SELinux attributes recursively from a directory and its contents:
```
bash
find /path/to/directory -exec sudo setfattr -h -x security.selinux {} \;
```
This command will traverse through the specified directory and remove the SELinux security context from all files and subdirectories within it.

Caution: Modifying or removing SELinux security contexts can have security implications. Ensure that you understand the consequences and have appropriate backups before making these changes.

After performing these steps, the trailing dot should no longer appear in the file permissions when you list them using ls -l

Wednesday, March 12, 2025

Multi-Factor Authentication for Red Hat Enterprise Linux (RHEL) 9

Microsoft does not provide a native version of the Microsoft Authenticator application for Red Hat Enterprise Linux (RHEL) 9 or any other Linux distribution. However, you can implement multi-factor authentication (MFA) on your RHEL 9 system using alternative methods that are compatible with standard authenticator apps, including Microsoft Authenticator.

Option 1: Using the Google Authenticator PAM Module

The Google Authenticator Pluggable Authentication Module (PAM) allows you to set up time-based one-time password (TOTP) authentication on your Linux system. These TOTP codes can be generated by various authenticator apps, including Microsoft Authenticator. Here's how to set it up:

Install the Google Authenticator PAM Module:

First, ensure that the Extra Packages for Enterprise Linux (EPEL) repository is enabled:
```
bash
sudo dnf install epel-release
```
Then, install the google-authenticator package:
```
bash
sudo dnf install google-authenticator
```
Configure the Google Authenticator for Your User Account:

Run the following command to set up Google Authenticator for your user account:
```
bash
google-authenticator
```
You'll be prompted with a series of questions. It's generally safe to answer 'yes' (y) to each prompt. This process will generate a QR code and a secret key.
Set Up the Authenticator App:

Open the Microsoft Authenticator app on your smartphone, select the option to add a new account, and choose the "Other" account type. Scan the QR code displayed during the google-authenticator setup or manually enter the secret key.
Configure SSH to Require MFA:

To enforce MFA for SSH logins, you'll need to modify the PAM and SSH configurations:
- Edit the PAM Configuration for SSH:
  
  Open the SSH PAM configuration file:
```
bash
sudo nano /etc/pam.d/sshd
```
  Add the following line at the end of the file:
```
swift
auth required pam_google_authenticator.so nullok
```
  The nullok option allows users who haven't set up MFA to log in without it. Remove this option to enforce MFA for all users.
- Modify the SSH Daemon Configuration:
  
  Edit the SSH daemon configuration file:
```
bash
sudo nano /etc/ssh/sshd_config
```
  Ensure the following settings are configured:
```
nginx
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```
  These settings enable challenge-response authentication and require both public key and MFA for login.
- Restart the SSH Service:
  
  Apply the changes by restarting the SSH service:
```
bash
sudo systemctl restart sshd
```

For a detailed guide on setting up MFA using the Google Authenticator PAM module, refer to Red Hat's official documentation.

Red Hat

Option 2: Using the Authenticator Application via Snap

An alternative is to install the "Authenticator" application, which is available as a Snap package and can manage TOTP tokens. Here's how to install it:

Enable Snap Support on RHEL 9:

Ensure that the EPEL repository is enabled:
```
bash
sudo dnf install epel-release
```
Install Snapd:
```
bash
sudo dnf install snapd
```
Enable and start the Snapd service:
```
bash
sudo systemctl enable --now snapd.socket
```
Create a symbolic link to enable classic Snap support:
```
bash
sudo ln -s /var/lib/snapd/snap /snap
```
Restart your system or log out and back in to ensure the Snap paths are updated.
Install the Authenticator Application:

Install the Authenticator app using Snap:
```
bash
sudo snap install authenticator --edge
```

This application can generate TOTP codes compatible with services that support standard authenticator apps.

Snapcraft

Note: The availability and compatibility of these methods may vary depending on your organization's security policies and the specific services you're accessing. Always ensure that any changes to authentication mechanisms comply with your organization's security guidelines.

Monday, February 24, 2025

How To Automount NFS Share in Linux Using Autofs

In this tutorial, we will show you how to Automount NFS share in Linux using Autofs.

Network File System (NFS) is a robust way to share directories across systems, enabling seamless access to files. However, manually mounting NFS shares can be tedious, especially when managing multiple systems. This is where autofs, a dynamic automounting tool, shines. Autofs automatically mounts NFS shares when accessed and unmounts them when idle, saving system resources.

Prerequisites

A working NFS server with shared directories.
A Linux client machine (tested on Debian 12, RHEL 9).
Sudo or root access on the client machine.

Autofs service reads two files Master map file ( /etc/auto.master ) and a map file like /etc/auto.misc or /etc/auto.xxxx.

In ‘/etc/auto.master’ file we have three different fields :

/<Mount-Point>     <Map-file>     <Timeout-Value>

In map file (/etc/auto.misc or /etc/auto.xxxx) also we have three different fields:

<Mount-Point>    <Mount-Options>        <Location_of_File System>

In this tutorial, we will demonstrate how to mount an NFS share using autofs. The NFS share /var/nfs_share is exported from an Ubuntu 24.04 NFS server with the IP address 192.168.1.11. We will mount this NFS share on both RHEL 9 and Debian 12 or Ubuntu 24.04 Linux systems using autofs.

Mount nfs share using Autofs in RHEL 9

1) Install autofs package

Install the autofs package using below yum command if it is not installed.

$ sudo rpm -q autofs
package autofs is not installed
$ sudo dnf install autofs

2) Edit the Master map file (/etc/auto.master )

Add the following line .

$ sudo vi /etc/auto.master
/dbstuff  /etc/auto.nfsdb  --timeout=180

Note : Mount point ‘/dbstuff’‘ must exist on your system. If not then create a directory ‘mkdir /dbstuff‘. NFS Share will automatically umount after 180 seconds or 3 minutes if don’t perform any action on the share.

3) Create a map file ‘/etc/auto.nfsdb’

Create a map file and add the following line.

$ sudo vi /etc/auto.nfsdb
db_backup -fstype=nfs,rw,soft,intr 192.168.1.11:/var/nfs_share

Save and exit the file.

Where :

db_backup is a mount point.
-fstype=nfs is the file system type & ‘rw,soft,intr’ are mount options.
‘192.168.1.11:/var/nfs_share’ is nfs share location.

4) Start the auotfs service

$ sudo systemctl restart autofs.service
$ sudo systemctl enable autofs.service

5) Try to access the mount point

Mount point of nfs share will be ‘/dbstuff/db_backup‘. When we try access the mount point then autofs service will mount nfs share automatically as shown below:

Mount NFS share using autofs in Debian 12 / Ubuntu 24.04

1) Install the autofs package using apt command

$ sudo apt update && sudo apt install autofs -y

2) Edit the Master Map file ‘/etc/auto.master’

Add the following line in the master map file.

$ sudo vi /etc/auto.master
/dbstuff   /etc/auto.nfsdb   --timeout=180

Save & exit the file.

Create the mount point.

$ sudo mkdir /dbstuff

3) Create a map file ‘/etc/auto.nfsdb’

Add the following line in the map file.

$ sudo vi /etc/auto.nfsdb
db_backup   -fstype=nfs4,rw,soft,intr   192.168.1.11:/var/nfs_share

4) Start the autofs service

$ sudo systemctl restart autofs && sudo systemctl enable autofs

5) Try to access the mount point

Perfect, above confirms that NFS share has been mount automatically via autofs.

That’s all from tutorial, I hope you have found it useful and informative, feel free to post your queries and feedback in below comments section.

Friday, January 31, 2025

How to Install and Log In to Windows 11 Without a Microsoft Account

By default, you must log in with a Microsoft account in order to install Windows 11 and go through the box (OOBE) setup process that triggers either as part of installation or the first time you turn on a new Windows PC. It seems like Microsoft really wants you to log in to Windows 11 using its account system, both so it can track you and so you can get benefits such as synchronizing your wallpaper and preferences across different computers.

However, there are many reasons why you would want to install Windows 11 using a local account only. Maybe you want to install Windows 11 with a local (non-Microsoft) account because you are installing the OS on a child's PC or on a PC that you plan to sell, give to a friend or donate to a charity (without giving other people access to personal data). Or perhaps you just like your privacy and don't want to create an account with Microsoft in the first place.

Whatever your reason for doing so, it's easy to install or set up Windows 11 without using a Microsoft account. Below, we'll show you two methods: the first involves issuing some commands during the install / OOBE process. The second, which only works for a clean install, requires you to create a modified USB install disk using a free tool called Rufus. We've tested these methods on the latest major Windows 11 version, 24H2, and they work.

How to Install Windows 11 Without a Microsoft Account

There's a simple trick for setting up Windows 11 with a local account that involves issuing a command to keep the OOBE from requiring Internet and then cutting off Internet at just the right time in the setup process. This works the same way whether you are doing a clean install of Windows 11 or following the OOBE process on a store-bought computer

1. Follow the Windows 11 install process until you get to the "choose a country" screen.

Now's the time to cut off the Internet. However, before you do, you need to issue a command that prevents Windows 11 from forcing you to have an Internet connection.

2. Hit Shift + F10. A command prompt appears.

3. Type OOBE\BYPASSNRO to disable the Internet connection requirement.

The computer will reboot and return you to this screen.

4. Hit Shift + F10 again and this time Type ipconfig /release. Then hit Enter to disable the Internet. This effectively disconnects your computer from the Internet. If you're on Ethernet, you could just disconnect the plug, but this is just as easy if not easier.

5. Close the command prompt.

6. Continue with the installation, choosing the region. keyboard and second keyboard option.

A screen saying "Let's connect you to a network" appears, warning you that you need Internet.

7. Click "I don't have Internet" to continue.

8. Click Continue with limited setup if prompted. The OOBE may skip this screen and take you straight to the next step.

A new login screen appears asking "Who's going to use this device?"

9. Enter a username you want to use for your local Windows 11 account and click Next.

10. Enter a password you would like to use and click Next. You can also leave this field blank and have no password, but that's not recommended.

11. Complete the rest of the install process as you normally would.

Acuityware's Technology Blog

Monday, March 17, 2025

To remove the ACLs and the accompanying plus sign from a file or directory in linux

Dot at the end of Linux file permissions - How to Remove them

Wednesday, March 12, 2025

Multi-Factor Authentication for Red Hat Enterprise Linux (RHEL) 9

Monday, February 24, 2025

How To Automount NFS Share in Linux Using Autofs

Prerequisites

Mount nfs share using Autofs in RHEL 9

Mount NFS share using autofs in Debian 12 / Ubuntu 24.04

Friday, January 31, 2025

How to Install and Log In to Windows 11 Without a Microsoft Account

How to Install and Log In to Windows 11 Without a Microsoft Account

Yelp