Wednesday, July 30, 2014

Acronis Image Backup shared folder firewall ports

Acronis Image Backup

TCP/UDP ports: 9876, 9877

Windows Shared Folders

TCP ports: 139, 445
UDP ports: 137, 138

Monday, July 28, 2014

Find files based on modified time

‘find’ is a very powerful Linux command which provides various options for searching for files based on different criteria. One of these options lets users search for files based on the modification, access or creation time of the file. Windows has no command that powerful, but it does have a command that searches for files based on the file modification time. It can’t be used to find files based on creation or access time. Still, something is better than nothing. Below you can find how to use this command.

1. Find files modified in the last 1 month

forfiles /P directory /S /D +30
This command searches for files modified in the folder (specified with /P) in the last 30 days. Specifying /S makes it search recursively through all subfolders.
Get the list of files in the current folder which were modified in the last 3 days:
forfiles /S /D +3
Note that we have not used /P as we want to search in the current working directory only.
Get the list of files which were not modified in the last 3 days:
forfiles /S /D -3
If there are no files meeting the condition, the command prints the following message.
D:\>forfiles /S /D +3
ERROR: No files found with the specified search criteria.

2. Find files that were last modified 1 month back

forfiles /P directory /S /D -30

3. Find files based on modification date

To find files modified after 1st August 2013, we can run the below command
forfiles /P directory /S /D +08/01/2013
To find files modified before 20th August 2013:
forfiles /P directory /S /D -08/20/2013

Execute commands on the files selected

forfiles has functionality equivalent to the -exec option of the Linux find command. It can be used to run a command on each file in the set returned by the search.
The syntax of the command is:
forfiles /D date /C "cmd /c command @file"

4: Move files to another folder based on modification time

Let’s say we want to move the files which were not modified in the last 3 days to another folder (D:\archiveDir). The command for this would be as below:
forfiles /S /D -3 /C "cmd /c move @file D:\archiveDir"
This command processes files in subfolders as well; ‘/S’ can be removed to perform the move only for the files in the current folder.

5: Delete files in the current folder which are modified in the last 7 days

forfiles /D +7 /C "cmd /c del @file"
Be cautious while running these commands: verify that you are deleting the right set of files, otherwise the lost data may not be recoverable. Use these commands at your own risk.
To remove files from subfolders also:
forfiles /S /D +7 /C "cmd /c del @file"

Sunday, July 27, 2014

How to change network type from public to private on Windows Server 2012

In Server Manager -> Local Servers -> Tools -> Local Security Policy -> Network List Manager Policies --- right click on Network 1 (the name found in "View your active networks"). Click on the "Network Location" tab and select a "Location type".

Saturday, July 26, 2014

Install IPsec VPN for iPhone Android on pfSense 2.0


You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (Phones and Tablets) and iOS (iPhone, iPad, iPod Touch, etc) devices but anything that is capable of IPsec will typically work.
This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.
This setup has been tested and working on Android 2.3.3 and iOS 4.3.5. Others may work as well, including the actual software Cisco client.

Mobile Clients
Go to VPN > IPsec > Mobile Clients

IKE Extensions: check "Enable IPsec Mobile Client Support".

User Authentication: select "Local Database".
Group Authentication: select "system".

Virtual Address Pool: check "Provide a virtual IP address to clients".
Virtual Address Pool: Network: "" / 24

DNS Servers: check "Provide a DNS server list to clients".
DNS Servers: Server #1:
DNS Servers: Server #2:

Click on "Save" button.
Click on "Apply changes" button.

Next, create Phase 1 if it doesn't exist.

Phase 1 settings
Interface: WAN.
Description: IPsecVPN.

Authentication method: Mutual PSK + Xauth.
Negotiation mode: aggressive.
My identifier: My IP address.
Peer identifier: Distinguished name: MY_VPN_GROUP_NAME.
Policy Generation: default.
Proposal Checking: Obey.
Encryption algorithm: AES 128 bits.
Hash algorithm: SHA1.
DH key group: 2.
Lifetime: 28800.

NAT Traversal: Force.

Note: Some have had more success with the following settings:
Policy Generation: Unique.
Proposal Checking: Strict.
NAT Traversal: Force.
Aggressive mode with a pre-shared key lets any peer that can reach the WAN obtain a hash derived from the PSK, so choose a long, random PSK rather than a memorable word.

Phase 2 settings
Mode: Tunnel.
Local Network: Network
Local Network: / 24

Protocol: ESP
Encryption algorithms: check "AES 128 bits" only.
Hash algorithms: check "SHA1" only.
PFS key group: off.
Lifetime: 28800 seconds.

Click on "Save" button.
Click on "Apply changes" button.

Enable IPsec
VPN > Tunnels tab:

Check "Enable IPsec".

Create a IPsecVPN group with a privilege
Go to System > User Manager > Groups tab > Add a new group:

Group Name: IPsecVPN.
Description: IPsecVPN.

Click on "Save" button. Then edit the "IPsecVPN" group we just created:

At the Assigned Privileges section, click on the "Add" button: select "User - VPN - IPsec xauth Dialin".

Click on "Save" Button.

User Settings - create a new user
Go to System > User Manager > Users tab > Add a new user:
Username: MyName_iphone
Password: ********
Group Memberships: IPsecVPN.

Click on "Save" Button.

After saving, make sure the "Effective Privileges" field shows: Inherited from "IPsecVPN".

Firewall Rule - allow VPN clients to connect to WAN interface:
Go to Firewall > Rules > WAN tab > Add new rule:

Interface: WAN.
Protocol: ESP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Destination port range: ISAKMP (500)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Destination port range: IPsec NAT-T (4500)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Firewall Rule - deny VPN clients access to the LAN network:
Go to Firewall > Rules > IPsec tab > Add new rule:

Interface: IPsec.
Protocol: any.
Source Address: / 24
Destination: check "not".
Destination: type "WAN net" (or "WAN address", depending on your situation)

Click on "Save" button.
Click on "Apply changes" button.

Interface: IPsec.
Protocol: any.
Source Address: / 24
Destination: check "not".
Destination: type "Network"
Destination: Address " / 16" (we don't want VPN clients to access LAN subnet).

Click on "Save" button.
Click on "Apply changes" button.

Firewall Rule - NAT Outbound:
Go to Firewall > NAT > Outbound tab:

Click on "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" > click on "Save" button. Some rules will be set automatically.

Add a new mapping rule:

Interface: WAN.
Protocol: any.
Source: type "network".
Source: address " / 24".
Destination: check "not".
Destination: type "Network"
Destination: Address " / 16" (we don't want VPN clients to access LAN subnet).

Click on "Save" button.
Click on "Apply changes" button.

Device Setup (iOS)

Go to iPhone > Settings > General > Network > VPN

Add VPN Configuration

Click IPsec
Description: whatever you want
Server: IP of the server
Account: your xauth username
Password: your xauth password (or leave blank to be prompted every time)

Device Setup (Android)

NOTE: These settings are not present on all Android devices. See Android VPN Connectivity for more info.

Settings, Networks & Wireless, VPN Settings, Advanced IPsec VPNs
From there, press the menu button, then add.
Connection Template: PSK v1 (AES, xauth, aggressive)
VPN Name: whatever you want
VPN Server: IP of the server
The phone forces the keyboard to numbers, not sure if a hostname is supported.
Pre-Shared Key Type: text
Pre-Shared Key: PSK from the Phase 1 above
Identity Type: User FQDN
Username: your xauth username
Password: your xauth password
Internal Subnet IP: Whatever subnet(s) you specified in p2 above.



By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your firewall if you have the DNS forwarder enabled, or a public DNS server such as
The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible from their network. Once you connect to the VPN the DNS servers are now being accessed via the VPN instead of the 3G network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.


Friday, July 25, 2014

iSCSI storage


In computing, iSCSI (/aɪˈskʌzi/ eye-skuz-ee) is an acronym for Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities.

Internet Fibre Channel Protocol

Internet Fibre Channel Protocol (iFCP) is a gateway-to-gateway network protocol standard, officially ratified by the Internet Engineering Task Force, which provides Fibre Channel fabric functionality to Fibre Channel devices over an IP network. Currently the most common variants run at 1 Gbit/s, 2 Gbit/s, 4 Gbit/s, 8 Gbit/s and 10 Gbit/s.

Fibre Channel over IP

Fibre Channel over IP (FCIP or FC/IP, also known as Fibre Channel tunneling or storage tunneling) is an Internet Protocol (IP)-based storage networking technology created by the Internet Engineering Task Force (IETF).

Fibre Channel over Ethernet

Fibre Channel over Ethernet (FCoE) is a computer network technology that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10 Gigabit Ethernet networks (or higher speeds) while preserving the Fibre Channel protocol.

Thursday, July 24, 2014

execute mysql query statement through command line

mysql -u root -p -e "show databases;"


mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_test -N -B -e "show databases;"

WMIC: the best command line tool you've never used

Some people say command line tools are obsolete, out of date, no longer necessary when you can “point and click”, instead.
But the reality is very different. Every version of Windows sees the command line given new powers and abilities, and if you don’t explore these then you really are missing out.
Take the WMIC command, for instance.  It has astonishing scope and a huge set of features: the program can return useful information about your system, control running programs, and generally manage just about every aspect of your PC, all from the command line or a convenient shortcut.
How might this work? Let’s suppose you need to know the model of motherboard used in your PC. You could poke around in a system information program, but it’s easier to open a command window (elevated, on Windows Vista or 7 – click Start, type CMD, right-click the link to cmd.exe and select Run As Administrator) and enter the command
wmic baseboard get product,manufacturer
WMIC will then give you the answer right away.
Or maybe you’re wondering if your BIOS needs an update.  How old is it, anyway?  Restart your PC and one of the boot-time messages might give you a date, but again it’s easier to enter something like
wmic bios get name
and let WMIC tell you more.
System Information
The program can also provide details on many other aspects of your system.  Commands like
wmic product list brief
wmic service list brief
wmic process list brief
wmic startup list brief

will list your installed software, services, running processes and Windows startup programs, for instance.
Obviously these details can be found elsewhere, but one advantage of WMIC is that it can save its output for reference later.   Use the command
wmic service get /format:hform > c:\folder\services.html
and WMIC will create a formatted HTML page detailing your running services (replace “C:\folder” with an appropriate path for your system). If you have PC problems a few months later you can then look back at this record and see what’s  changed.
Uninstall automatically
WMIC isn’t just about reporting on system information, though. Use the appropriate CALL command and it can also carry out a variety of useful maintenance tasks.
Do you regularly have to uninstall and reinstall particular programs, for instance?  Doing this manually via Control Panel is tedious, but WMIC can automatically uninstall many applications with a single command.  To see how, enter
wmic product get name
and look for the name of the program you’d like to remove. Then enter the name as it appears in that list, in a second command, like this
wmic product where name="windows live writer" call uninstall
And your specified program will be uninstalled automatically, without you even seeing the uninstall program.  (Which is convenient, but also risky as there probably will be no chance to cancel your action – so use this with extreme care.)
Process management
WMIC can, say, also close all the instances of a particular program. So if you want to shut down all Internet Explorer windows, for instance, then the command
wmic process where name="iexplore.exe" call terminate
would do the trick, closing every instance immediately. (Though again, beware, programs closed in this way probably won’t prompt you to save files you’re working on, so use the command carelessly and data may be lost.)
Or maybe you’d prefer to optimise your system by setting your process CPU priorities?  WMIC can handle that, too.  Entering
wmic process where name="notepad.exe" call setpriority 64
will set every running Notepad process to the Idle priority, for instance (see MSDN for the numbers to use to set other priorities).
And this is still barely scratching the surface.  WMIC can also give you useful information about your PC's user accounts, change the start mode of particular services, retrieve useful information from your event logs, change a static IP address, reboot or shut down a PC, and a whole lot more.
And best of all, you can even apply the commands to a remote system by applying the NODE switch and a network name, like
wmic /node:steve-pc service list brief
There’s a huge amount of power on offer here, then.  See the Tech-Wreck InfoSec Blog for more great WMIC examples, then open a command window and try a few for yourself.


Spot Odd Executables - wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
Look at services that are set to start automatically - wmic SERVICE WHERE StartMode="Auto" GET Name, State
Find user-created shares (usually not hidden) - wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
Find stuff that starts on boot - wmic STARTUP GET Caption, Command, User
Identify any local system accounts that are enabled (guest, etc.) - wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
Change Start Mode of Service - wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
Number of Logons Per USERID - wmic netlogin where (name like "%skodo") get numberoflogons
Obtain a Certain Kind of Event from Eventlog - wmic ntevent where (message like "%logon%") list brief
Clear the Eventlog (Security example) - wmic nteventlog where (description like "%secevent%") call cleareventlog
Get MAC Address - wmic nic get macaddress
Reboot or Shutdown - wmic os where buildnumber="2600" call reboot
Update static IP address - wmic nicconfig where index=9 call enablestatic(""), ("")
Change network gateway - wmic nicconfig where index=9 call setgateways("", ""),(1,2)
Enable DHCP - wmic nicconfig where index=9 call enabledhcp
Service Management - wmic service where caption="DHCP Client" call changestartmode "Disabled"
Start an Application - wmic process call create "calc.exe"
Terminate an Application - wmic process where name="calc.exe" call terminate
Change Process Priority - wmic process where name="explorer.exe" call setpriority 64
Get List of Process Identifiers - wmic process where (Name='svchost.exe') get name,processid
Information About Hard Drives - wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about OS - wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm
Information about files - wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt
Process list - wmic process get /format:htable > c:\process.htm
Retrieve list of warning and error events not from system or security logs - WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:\appevent.htm
Total Hard Drive Space Check - wmic LOGICALDISK LIST BRIEF
Get Running Services Information - wmic service where (state="running") get caption, name, startmode, state
Get Startmode of Services - wmic service get caption, name, startmode, state
Get Domain Names And When Account PWD set to Expire - WMIC UserAccount GET name,PasswordExpires /Value
Get Hotfix and Security Patch Information - WMIC QFE GET /format:CSV >QFE.CSV
Get Startup List - wmic startup list full
Find a specific Process - wmic process list brief | find "cmd.exe"
Get List of IP Interfaces - wmic nicconfig where IPEnabled='true'
Change IP Address - wmic nicconfig where Index=1 call EnableStatic (""), ("")
OS/System Report HTML Formatted - wmic /output:c:\os.html os get /format:hform
Products/Programs Installed Report HTML Formatted - wmic /output:c:\product.html product get /format:hform
Services Report on a Remote Machine HTML Formatted - wmic /output:c:\services.htm /node:server1 service list full /format:htable
Turn on Remote Desktop Remotely! - wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely - WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number - wmic /node:"HOST" bios get serialnumber
Get PC Product Number - wmic /node:"HOST" baseboard get product

Wednesday, July 23, 2014

Brother MFC 7460DN Printer

I have a Brother MFC-665W. It is on a LAN using DHCP. I want to scan, and when I pushed the Scan button the LCD on the printer says "Check Connection". I can print to the printer, copy, and fax from it, but it doesn't want to scan. I've tried to scan from a PC using the Control Center 3, but when I try a prescan it gives me a "Failed to Connect to device" message. I've also tried setting a static IP and clearing memory by unplugging the power, then plugging the power back in while pressing and holding the red Stop button, but I still have the same issue.


I think I solved the issue for scanning so far. Here's what you do: go to Control Panel -> Scanners and Cameras. Then right-click into Properties, then check "Specify your machine by address". It should already have the printer IP address listed in the box below. If not, you can go to your router and see the IP in the DHCP Client List.

After this I'm able to use the Control Center 3 scanning.

I think the problem was that the NODE name listed in the settings on my WinXP Pro did not match the actual NODE name the printer is using.


Monday, July 21, 2014

NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host


Domain SID inconsistent



  • Select "Enter System Out-of-Box Experience (OOBE)"
  • Check "Generalize"

Saturday, July 19, 2014

The server was unable to allocate from the system nonpaged pool because the server has reached the configured limit for nonpaged pool allocations


After several days of backing up clients to a windows 7 machine acting as a BDR, the clients are no longer able to connect. Rebooting the BDR resolves the issue for a few days. 
Looking in the System Event viewer the following entry will be shown.
Error 2017
"The server was unable to allocate from the system nonpaged pool because the server has reached the configured limit for nonpaged pool allocations."


Windows 7 is not designed to handle the large traffic generated by backing up multiple clients. 


The following registry keys can be adjusted to help Windows 7 manage the high traffic.
Set the following registry key to '1' (default value is 0 - zero):
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
Set the following registry entry to '3' (default value is 1):
A restart is required after making the changes.
Windows 7 should not be used as a backup destination.  Windows 7 is a workstation OS and not intended by Microsoft to be used as a file server.

Acronis Advanced Backup TIB, XML and Catalog files

The catalog files contain the catalog (what you see on the 'Data view' tab). Without it you can use the 'Archive view' instead. It will be regenerated on the next backup, or manually with the 'Catalog now' function.
Without the XML files, archives are still restorable; however, the XML files will be regenerated automatically during restore and will not contain some information from the original files. For example, if an archive contains several full backups, a new XML file will be generated for each chain of full and dependent backups, and the archive name will be changed to something like Archive_2013_01_20_ ... (i.e. original name + date). If you need to continue backing up to the archive, the XML files must not be deleted.

Thursday, July 17, 2014

Static NFS mounts vs autofs direct map mounts


Do you use static NFS mounts or automount? If you use automount, the mount needs to get re-established if not accessed for a while, thus delaying the first page load.


It's actually hard to argue one way or the other. The only item I can point out (happened to me) is that if you are using static mounts as in fstab and someone/thing makes an error the system may not boot and you'll have to go into rescue mode to get the system back online. That won't happen when using autofs.

How to mount SMB CIFS Windows shared folder under FreeBSD

This document provides help on mounting SMB/CIFS shares under the FreeBSD operating system.
The mount_smbfs command mounts a share from a remote server using the SMB/CIFS protocol. You can easily mount the MySharedFolder share using the following syntax:
mount_smbfs -I 192.168.1.1 //myUser@serverName/mySharedFolder /mnt/mySharedFolder
Where 192.168.1.1 is the IP address of the remote computer.
myUser is your user name.
serverName is the NetBIOS server name.
mySharedFolder is the CIFS share name.
/mnt/mySharedFolder is the local mount point directory.
You will be prompted for your password. Once the share is mounted you can change to the directory and view its contents using the cd and ls commands:
cd /mnt/mySharedFolder
ls -la
To avoid the password prompt, you have to create a .nsmbrc file in your home directory:
vi ~/.nsmbrc
Set username and password as follows:
Note: Both the hostname and the username need to be in uppercase. Since the file holds your password in clear text, make it readable by you alone (chmod 600 ~/.nsmbrc).
Now mount mySharedFolder as follows:
mount_smbfs -N -I 192.168.1.1 //myUser@serverName/mySharedFolder /mnt/mySharedFolder
The -N option forces mount_smbfs to read the password from the ~/.nsmbrc file. At run time, mount_smbfs reads ~/.nsmbrc for additional configuration parameters and a password. If no password is found, mount_smbfs prompts for it. You need the -N option when mounting from a shell script.
mount_smbfs does not make the mount permanent. If the FreeBSD system is rebooted, you will have to mount the share again. To make the mount occur each time you start the FreeBSD system, you can put an entry in your /etc/fstab file. An example entry looks like this:
//myUser@serverName/mySharedFolder /mnt/mySharedFolder smbfs rw,-N,-I192.168.1.1 0 0
Next, you have to add the username and password to /etc/nsmb.conf:

Wednesday, July 16, 2014


Compiled by / 王紫炘

Matthew Toren, a columnist for Entrepreneur, suggests a daily exercise: in the most powerful hours of the morning, ask yourself a few bold, optimistic questions, so that you meet the day's work with an entrepreneur's mindset and outlook. He suggests starting with the following three questions:

1. Who can I help today?

The ancient Greek philosopher Plato has a famous saying: "Be kind, for everyone you meet is fighting a hard battle."

2. How can I become better today?

3. How will I create value today?




mysql mysqldump read password login information from file for crontab


# vim ~/.my.cnf

[client]
host = hostname
port = 3306
user = root
password = mypassword
database = dbname

[mysqldump]
host = hostname
port = 3306
user = root
password = mypassword
database = dbname

The [client] option group is read by all client programs (including mysqldump, but not by mysqld).
The [mysqldump] option group is for "mysqldump" command only.

Make sure no other people can read .my.cnf file:
# chmod 400 ~/.my.cnf

Following two commands work:
# mysql --defaults-file=/root/.my.cnf
# mysqldump --defaults-file=/root/.my.cnf db_name > db_name.sql

or simply:
# mysql
# mysqldump db_name > db_name.sql

Multiple selection
# vim ~/.my.cnf
[client_conn1]
host = hostname1
port = 3306
user = root
password = mypassword
database = dbname1

[client_conn2]
host = hostname2
port = 3306
user = root
password = mypassword
database = dbname2

# mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_conn1

Note: the group name has to begin with 'client' (as in [client_conn1]) to be read by mysql.
Note: it has to come after any [client] group, otherwise its values will be overridden.

Or set it up as an alias command:
# vim ~/.cshrc
alias d1 'mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_conn1'
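An added example (not from the original post) that makes the two notes above concrete: a small POSIX shell/awk resolver that reads a .my.cnf the way a MySQL client program does for a given program name and --defaults-group-suffix (base groups first, then the suffixed groups, in file order, a later group overriding an earlier one for the same key), plus a permission check for the file, since it holds a clear-text password. The option file it builds is constructed sample data.

```shell
#!/bin/sh
# Added example: resolve the effective options a MySQL client reads from an
# option file with --defaults-group-suffix, and check the file's permissions.
# Not code from the original post; the sample file below is constructed.

# Usage: mycnf_resolve <option-file> <program> [<suffix>]
# Prints "key=value" lines, sorted, for the groups <program> would read:
# [client], [<program>], and (if a suffix is given) [client<suffix>] and
# [<program><suffix>], in file order, later groups overriding earlier ones.
mycnf_resolve() {
    awk -v prog="$2" -v suffix="$3" '
        /^[ \t]*\[/ {
            g = $0
            sub(/^[ \t]*\[/, "", g); sub(/\].*$/, "", g)
            want = (g == "client" || g == prog || (suffix != "" && (g == ("client" suffix) || g == (prog suffix))))
            next
        }
        want && /^[ \t]*[A-Za-z_-]+[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            opt[key] = val          # a later group overrides an earlier one
        }
        END { for (k in opt) print k "=" opt[k] }
    ' "$1" | sort
}

# Usage: mycnf_perms_ok <option-file>
# Returns 0 only when the file is readable by its owner alone (mode 400 or 600).
mycnf_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1: mode $mode is too open, run: chmod 400 $1" >&2; return 1 ;;
    esac
}

# Demo: the post's "multiple selection" layout as a constructed temporary file.
mycnf_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[client]
user = root
password = mypassword

[client_conn1]
host = hostname1
database = dbname1

[client_conn2]
host = hostname2
database = dbname2

[mysqldump]
port = 3307
EOF
    chmod 400 "$f"
    echo "== mysql --defaults-group-suffix=_conn1 =="
    mycnf_resolve "$f" mysql _conn1
    echo "== mysqldump --defaults-group-suffix=_conn2 =="
    mycnf_resolve "$f" mysqldump _conn2
    mycnf_perms_ok "$f"
    rm -f "$f"
}

mycnf_demo
```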

Unable to use key file "id_rsa" (OpenSSH SSH-2 private key)


You cannot use "OpenSSH SSH2 private key" directly with pscp. Please convert the private key file to PuTTY format using PuTTYgen tool.

cmd> pscp -i test.ppk MyName@ .

SFTP server (SSH FTP server) on Windows

Bitvise SSH Server WinSSHD

Core FTP

VanDyke VShell

Passwordless SSH login - ssh-keygen


Environment (connecting from Windows with PuTTY/PieTTY also works; explained below)

Computer A - the host to be connected to
Computer B - the host that connects to computer A via SSH

Xiaoming has a user account A_min on host A
and a user account B_min on host B

Environment setup - host A

# vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no (only set this if you don't want users to log in with a password)

# service sshd restart

Step 1 - generate the two keys on computer B with ssh-keygen

[B_min@B電腦 ~]$ ssh-keygen -t rsa
(press Enter three times; do not set a passphrase)

This creates 2 files in the /home/B_min/.ssh/ directory: id_rsa ,

Step 2 - upload the file generated on computer B to the ".ssh" directory under A_min's home directory on computer A (any method works, as long as you get it in there)

[B_min@B電腦 ~]$ cd ~/.ssh
[B_min@B電腦 .ssh]$ pwd
[B_min@B電腦 .ssh]$ scp A_min@


[A_min@A電腦 ~]$ cd ~/.ssh
[A_min@A電腦 .ssh]$ cat ../ >> authorized_keys2
[A_min@A電腦 .ssh]$ chmod 644 ~/.ssh/authorized_keys2

WARNING: There has been an SSH1 exploit and you should be using ssh2/DSA or ssh2/rsa keys. Such keys go into ~/.ssh/authorized_keys2 but are generated in a similar way. See about the exploit to learn more. (the older setup used ~/.ssh/authorized_keys)


[B_min@B電腦 ~]$ ssh A_min@
Last login: Fri Feb 27 21:40:00 2009 from


Windows client - if computer B is a Windows client...

Required tools: PuTTY, PuTTYgen (download)

Generate > move the mouse around while the progress bar runs (fun XD) > key generation completes

Save Public Key > save the file → this is the public key from Step 1
Save Private Key > save the file → this is the id_rsa from Step 1

Then continue as from Step 2: put the public key into the A_min account on computer A... work it out from there

Connecting with a key in PuTTY

Configuration screen > Connection > SSH > Auth
Put the key's location into "Private key file for authentication"

login as:A_min
Authenticating with public key "imported-openssh-key"


In a previous article, I showed you how to backup your mySQL database from one box to another.  In this example I used ftp.   I now know of a more secure method which is suitable for use across untrusted networks, particularly the internet.
See also ssh - much more secure than telnet for a few more ways of copying files around

How's it all done then?
It's all done with ssh (or more correctly, with OpenSSH).  When I first tried this solution with ssh, I couldn't find a way to connect to the other box from within a script.   I could see no way to securely supply the password.  So I gave up.  Then I posted a message to the freebsd questions mailing list and I found my answer.
If you read man ssh, you'll find a section which talks about RSA based authentication.  This allows one box to authenticate itself without having to supply a password.  Which is exactly what is needed in this situation.

What you'll need first
First, you'll need a login on both machines.  And both machines will need to be running ssh (my preference is the OpenSSH implementation of ssh).  I suggest you connect to both machines now, via ssh of course, and then continue with the rest of the article.
I'll refer to one machine as the source machine.  That's the box from which you wish to transfer files.  I'll refer to the other machine as the destination machine, the box to which you wish to transfer files.

It's all about keys
WARNING: This section recommends using an empty passphrase, which is risky. If anyone obtains your private key, they will be able to login to any machine on which your public key is an authorized_key.
The non-password authentication is done with keys.  And it's done like this.
  • Run ssh-keygen on the source machine.   Accept the default values for all questions.  Be sure to supply an empty passphrase.  This will create two files under .ssh in your home directory.   These files are ~/.ssh/identity and ~/.ssh/   The first file should not be revealed to anyone.   The second file is public and contains your public key.
  • Copy the contents of ~/.ssh/ to the destination machine and place it within ~/.ssh/authorized_keys.  Be sure to name the file correctly.

WARNING: There has been an SSH1 exploit and you should be using ssh2/DSA or ssh2/rsa keys. Such keys go into ~/.ssh/authorized_keys2 but are generated in a similar way. See about the exploit to learn more.

If you are doing a copy/paste with the public key, remember that authorized_keys contains only one key per line, although this line may be very long.  You should now be able to connect from the source box to the destination box without a password.   Like this:
If that doesn't work, then something is wrong.  Check the above steps and try again.
You should also read ssh - authorized keys and chmod to see how I later broke this solution by changing directory permissions.
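The steps just listed and Step 2 of the ssh-keygen walkthrough earlier on this page both install a key with "cat key >> authorized_keys" and a chmod. Below is an added example, not code from either post, that does the same install with the checks they leave out: exactly one well-formed "type base64 [comment]" line per key, no duplicate entry, and the .ssh directory and file permissions that sshd's default StrictModes requires (the permission problem the linked article above is about). The key strings in it are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with validation,
# de-duplication and the permissions sshd expects. Not code from either post
# on this page; the key material below is constructed, not a real key.

# Return 0 if $1 is a single OpenSSH public-key line: "<type> <base64> [comment]".
pubkey_line_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'
}

# Usage: authorize_key <pubkey-file> <authorized_keys-file>
# Prints the number of keys in the authorized_keys file afterwards.
authorize_key() {
    pub="$1"; auth="$2"; dir=$(dirname "$auth")
    [ -r "$pub" ] || { echo "refusing: cannot read $pub" >&2; return 1; }
    if [ "$(grep -c '' "$pub")" -ne 1 ]; then
        echo "refusing: $pub must hold exactly one key line" >&2; return 1
    fi
    key=$(cat "$pub")
    if ! pubkey_line_ok "$key"; then
        echo "refusing: $pub is not an OpenSSH public key line" >&2; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"   # sshd ignores a group/world-writable file
    # the type and base64 blob identify the key; the trailing comment may differ
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if ! awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    grep -c '' "$auth"
}

# Demo on constructed data in a temporary directory.
authorize_key_demo() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForDemoOnly0000 B_min@B\n' > "$d/id_ed25519.pub"
    authorize_key "$d/id_ed25519.pub" "$d/.ssh/authorized_keys"   # prints 1
    authorize_key "$d/id_ed25519.pub" "$d/.ssh/authorized_keys"   # still 1: not added twice
    ls -ld "$d/.ssh" "$d/.ssh/authorized_keys"
    rm -rf "$d"
}

authorize_key_demo
```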

How does this magic work?
ssh-keygen creates two keys, one public, one private.  When you connect to the remote box, the ssh server on that box sends your ssh program a challenge in the form of a random number.  This random number challenge is encrypted with the public key you placed on the destination box.   The challenge can only be decrypted by the private key, which is on the source box.  The ssh program decrypts this number and tells the server the answer.  In this way, the client proves to the server that it holds the private key.  It is by this method that one box proves to another box that it is who it says it is.

The backup script
I took the original backup script I created for mySQL and modified it to use ssh.  Here is the amended script.  You can also obtain this script from xxx.

#!/bin/sh
# mysql database backup
# Copyright 1999, 2000 DVL Software Limited
# Available from 

# the name of the backup file. file name format is 
# (the original assignment was lost from the page; the name below is a stand-in)
BackupFile=forum_backup.tgz

# dump the database.
# make the following replacements:
#     userid     - the user id to use when connecting 
#                  to the database
#     password   - the password for the above user
#                  (a password given on the command line is visible to every
#                  local user in the process list; an option file such as
#                  ~/.my.cnf, as described earlier on this page, avoids that)
#     database   - the name of database to dump
#     /pathto/   - the path to the backup file
/usr/local/bin/mysqldump -uuserid -ppassword -c \
                                  --add-drop-table database \
                                  > /pathto/forum_backup.txt

# compress it
tar cfz $BackupFile /pathto/forum_backup.txt

# copy it offsite, change user and host accordingly.
scp $BackupFile user@host:$BackupFile

# remove the files we created
rm $BackupFile /pathto/forum_backup.txt

Additions to the above
There are a few nice additions to the above script which work rather nicely.  I also use this script to backup various directories, but exclude others.   The additions to do that look like this:
tar cfz $BackupFile                        \
       -X exclude.txt                      \
       /home/freebsddiary/forum_backup.txt \
       /home/freebsddiary/www/*.php3       \
       /home/freebsddiary/www/phorum       \
       /home/freebsddiary/www/phpPolls
As you can see, I backup all the php3 files, and everything in the phorum and phpPolls directory.  But I also exclude everything specified in the exclude.txt file.   Here's what that file contains:
$ more exclude.txt
You can put whatever you want.  In this case, no directories named _vti_cnf will be included in the backup.

Doing it all from a cron job
This should work flawlessly.  The only thing needed now is a cron job to start off the above.  Here is what I use:
$ more ~/crontab
#/home/freebsddiary/crontab - dan's crontab for FreeBSDDiary
# mail any output to `dan', no matter whose crontab this is
#minute hour    mday    month   wday    command
0       5       *       *       *       $HOME/
This will run the job at 5am every day.  Adjust the values as appropriate to your needs.  See man 5 crontab for some very good examples.
The above can be added to the cron jobs by doing this:
crontab ~/crontab

That's everything!
Michael O Shea wrote in to mention that using rsync over SSH would be faster as it transfers only changed files.  That's a very good idea if transferring the same group of files on a regular basis.  See rsync - synchronizing two file trees for more information.
That should be everything.  Please, if you do follow these instructions, and they work for you, please tell your friends.  If it doesn't work, and you can figure out what I've left out, please add your comments using the link at the top or bottom of this article.