Friday, March 29, 2013

Installing Firefox on Solaris (Update)

On this post I'm going over how to install Firefox on Solaris 10. This is an update from one of my earlier posts. The reason for this update is because there has been some changes on how you get Firefox. The place where Mozilla would point it's uses to download Firefox was the OpenSolaris.org website. Oracle took down the OpenSolaris.org website on March 23 2013. As my old instructions used a different install process, I felt I needed to rewrite this how-to.


The other main place to get Firefox is at SunFreeware.com or UNIXpackages.com, which are the same people. The only issue with getting Firefox from there site is that it is not actually from them. They go out of there way to say this on there site and I quote; "They are the ONLY packages in our repository that are not compiled by us, and were contributed by External Offshore developers in East Asia". The quote used to say "contributed by developers in Beijing China", apparently someone complained and a change was made. With all the hacking allegations concerning China you may not not want to get Firefox from them.

The other places that host Solaris software or packages is blastwave and OpenCSW.org. Blastwave is now a dead project and OpenCSW.org doesn't have Firefox in their package list.

Now I have some good news and some bad news. Good news Oracle is now providing patches and/or packages for Firefox. The bad news is that they are not keeping up with the Firefox versions from Mozilla. Not to mention the CVE vulnerabilities that are coming out.

Below I list two places to get Firefox from Oracle. You will need a Oracle Support login to download the files. The 2nd link lets you see the 3rd party patches that are available before you need to login to Oracle. You can get newer versions of Firefox, then what is linked to below, by putting in a ticket (SR) to your MOS (My Oracle Support) account.
Oracle Support document 1448883.1
Third Party Software in Oracle Products webpage.

The main package for Firefox is SUNWfirefox. There are a few additional Firefox packages that you might have installed on your sever. To see what Firefox related packages are on your server run the command below.
# pkginfo -l | grep firefox
PKGINST: SUNWfirefox
PKGINST: SUNWfirefoxl10n-es-ES
PKGINST: SUNWfirefox-devel

To see a complete list of Solaris 10 packages click here.

Oracle has provided the following patches for Firefox: 145080-11 (x86) & 145080-12 (SPARC). Applying this patch may take a little longer then what you are used too but, it will upgrade Firefox from 3.X to Firefox 10.0.7. # mv 145080-12.zip /tmp
# unzip 145080-12.zip
# patchadd 145080-12

Congrats you have install the ESR version Firefox on Solaris 10. Oracle also has an updated version of Firefox for Solaris 11, coming soon.

My Other Firefox posts.
Installing Firefox on a Solaris server
Installing Firefox on Solaris (Update II)
Installing Firefox on Solaris (Update III)

If you have anything to add please post below.

Thursday, March 28, 2013

Change the ILOM IP address

From time to time I have to change the IP addresses on the ILOM (Integrated Lights Out Manager). So I decided to post my notes on how to do this and maybe someone will find it useful. There is also anther older hardware manger called ALOM (Advanced Lights Out Manager), this not the same. They both the provide console access to your server. For these don't know, console access is when you get remote access to a server, as if you where right next to it. So basically you see everything as if you where physically there. Note that this post changes the IP address for the MGT (management) port. This doesn't change the servers IP address for the OS installed on the hardware.

If this is the first time anyone has logged in then the ILOM will be set to the defaults. The default username is root and the default password is changeme.
# ssh root@server-ILOM
Are you sure you want to continue connecting (yes/no)? yes
Password:

For most severs with ILOM just put in the commands like you see below in the example. -> cd SP/network
-> set pendingipaddress=10.1.0.10
-> set pendingipgatway=0.0.0.0
-> set pendingipnetmask=255.0.0.0
-> set pendingipdiscovery=static
-> set commitpending=true

To check you work or see what your IP settings are, type ls or use the command below
You can see your IP address from any place in the ILOM by running the command below. -> show /SP/network 
To change the IP address of the chassis or CMM that hold the blade servers. Login and go to /CMM/network like in the example below and run the same commands as above. -> cd CMM/network
You can change the IP to the blades from the chassis ILOM as well. -> cd CH/BL#/SP/network

If you have any comments or questions please post them below.

Friday, March 1, 2013

How to set up SHA-256 or SHA-512 hashing

These are my notes on how to setup better password hashing on your Solaris 10 servers. To make your servers more secure, you will want to use SHA-256 or SHA-512 password hashing. Many old servers use a weaker hash by default. In the example below user1 is using the MD5 hash and user2 is using the SHA-512 hash. As you can see, the hash for user2 is using is much longer. The fact that it is longer makes the hash more secure.

user1:$1$QNhPL6JG$fISdvRQdpXSj1seOcYoSk.
user2:$6$GptKlbR1$3Qjb5HBh.2R87N8RkvxWYnpHETXfVCeOEgQTs5EXBs6o9nb6z2tHkqalNt1H2ZI5dicCFkUnRRgWFW65CUOBF0

In /etc/security/policy.conf make sure the following setting is set.
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

In /etc/security/policy.conf change the following lines to what you see below. #CRYPT_ALGORITHMS_DEPRECATE=__UNIX__
CRYPT_DEFAULTS=6


In /etc/security/crypt.conf you should see the following lines at the end. If there not there, then you most likely don't have this patch 140905-02 installed. If you have a Oracle Support contract you can download it from My Oracle Support.
5 crypt_sha256.so.1
6 crypt_sha512.so.1


I got the info about the missing patch from a post I made at the Oracle Communities forum. Below, I have posted a link to my post.
https://communities.oracle.com/portal

To see what hash your users are using look at your /etc/shadow file. If the users hash starts with $5 or $6 than they are using SHA-256 or SHA-512. After you make the changes above the users will need to reset there password. You will need to use the -d with the passwd command to delete the users password hash. If this is not done the account will continue to use the old hash. On Linux machines you don't need to run the passwd -d command.

passwd -d user1
passwd: password information changed for user1
passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1


I hope this helps some one out.