I used to process all my audio for CCHits.net on my home machine, but due to some instabilities, I moved to building the audio on an EC2 server. I’ve seen some comments about doing similar things recently, so I decided to document how I build the CCHits shows.
Read More
Tag: Script
Want multiple vhosts without creating new apache config files each time? Use vhost_alias
This is a pretty quick technical post explaining how to get vhost_alias working with apache2 on Ubuntu 12.10. Read More
A quick word on salting your hashes.
If you don’t know what hashing is in relation to coding, the long version is here: Cryptographic Hash Function but the short version is that it performs a mathermatical formula to components of the file, string or data, and returns a much shorter number with a slim chance of “collisions”.
I don’t know whether it’s immediately clear to anyone else, but I used to think this was a good idea.
<?php $password = sha1($_POST['password']);
Then I went to a PHPNW session, and asked someone to take a look at my code, and got a thorough drubbing for not adding a cryptographic salt (wikipedia).
For those who don’t know, a salt is a set of characters you add before or after the password (or both!) to make it so that a simple “rainbow table analysis” doesn’t work (essentially a brute-force attack against the authentication data by hashing lots and lots of strings looking for another hash which matches the stored hash). In order to make it possible to actually authenticate with that string again in the future, the string should be easily repeatable, and a way to do that is to use other data that’s already in the user record.
For example, this is a simple salt:
<?php
$password = sha1('salt' . $_POST['password']);
I read in the April 2012 edition of 2600 magazine something that I should have been doing with my hashes all along. How’s this for more secure code?
<?php
$site_salt = 'pepper';
$SQL = "SELECT intUserID FROM users WHERE strUsername = ?";
$DB = new PDO($dsn);
$query = $DB->prepare($SQL);
$query->execute(array(strtolower($_POST['username'])));
$userid = $query->fetch();
if ($userid == false) {
return false;
}
$prefix = '';
$suffix = '';
if ($userid % 2 == 0) {
$prefix = $site_salt;
} else {
$suffix = $site_salt;
}
if ($userid % 3 == 0) {
$prefix .= strtolower($_POST['username']);
} else {
$suffix .= strtolower($_POST['username']);
}
if ($userid % 4 == 0) {
$prefix = strrev($prefix);
}
if ($userid % 5 == 0) {
$suffix = strrev($suffix);
}
$hashedPassword = sha1($prefix . $_POST['password'] . $suffix);
So, this gives you an easily repeatable string, that’s relatively hard to calculate without easy access to the source code :)
Installing MOTP-AS under Ubuntu 11.10
Please note, I am having issues with localhost authentication. See below
MOTP-AS is a simple installable two-factor authentication system using the mOTP algorythm for generating one-time passwords. MOTP-AS integrates with FreeRadius to provide the same authentication to log in to managed servers in a consistent manner.
I’ve recently installed this on my Ubuntu 11.10 laptop and on my Ubuntu 12.04 Beta server, and the installation instructions worked on both, so I thought I’d share them with you.
Installing appropriate packages
sudo apt-get install libpam-radius-auth freeradius mysql-server phpmyadmin
Alternatively, use tasksel to install the LAMP server task, then
sudo apt-get install libpam-radius-auth freeradius
Download the latest version of motp-as from http://motp-as.network-cube.de/index.php/download/current-version
Unpack it.
tar xfz ~/Downloads/motp-as*
Setting up the database
Go into the Setup/MySQL directory of the MOTP-AS directory. Edit motp_schema.sql at the line “CREATE USER”. Change the password from motp to something more secure.
mysql -u root -p < motp_schema.sql
Now update Setup/config.php with the new password you just created.
Setting up the web site
Copy the HTML directory to /var/www/motp (or somewhere else in your web root). You may need to do this either as root, or as a user with permissions to write to /var/www
cp -Rf ~/MOTP-AS_*/HTML /var/www/motp
Note this must be done after you’ve made your changes to Setup/config.php
Setting up FreeRadius
Stop the FreeRadius service
sudo /etc/init.d/freeradius stop
Users
Backup the users file
sudo mv /etc/freeradius/users /etc/freeradius/users.dist
Edit the users file you’re about to copy in
nano ~/MOTP-AS_*/Setup/Freeradius/users
Find the part where it says “/var/www/htdocs/radius-auth.php” and change that to “/var/www/motp/radius-auth.php”
Copy in the new users file
sudo cp ~/MOTP-AS_*/Setup/Freeradius/users /etc/freeradius/users
Dynamic Clients
Backup the dynamic-clients file
sudo mv /etc/freeradius/sites-available/dynamic-clients /etc/freeradius/sites-available/dynamic-clients.dist
Edit the new dynamic-clients file
nano ~/MOTP-AS_*/Setup/Freeradius/dynamic-clients
Find the three lines saying “/var/www/htdocs” and replace that string with “/var/www/motp” (I use Ctrl+W, Ctrl+R in nano to do a replace-all.)
Copy in the new dynamic-clients file
sudo cp ~/MOTP-AS_*/Setup/Freeradius/dynamic-clients /etc/freeradius/sites-available/dynamic-clients
Then make that function available
sudo ln -s /etc/freeradius/sites-available/dynamic-clients /etc/freeradius/sites-enabled/dynamic-clients
Accounting
Amend the default script to enable accounting
sudo cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/default.dist
Then edit it to use the MOTP accounting functions
sudo nano /etc/freeradius/sites-available/default
Search for the line “accounting {” then comment that whole block out with the hash/pound sign “#“. Fortunately in the distribution supplied default file, this only means commenting out a few lines, which are “detail“, “unix“, “radutmp“, “exec“, “attr_filter.accounting_response“, and then the closing “}” for that block.
If you’re using nano, press the insert key (or Ctrl+R if you can’t find that easily) and enter /home/MyUserName/MOTP-AS_v0.7.2/Setup/Freeradius/accounting (amend the path as appropriate). Replace the section “/var/www/htdocs” with “/var/www/motp“.
Save and exit
Finishing off FreeRadius
sudo /etc/init.d/freeradius start
Install your client
Personally, I have an Android device, and I chose to install the Mobile-OTP app from the Android Marketplace. I also, through work, have a Nokia 6303i Classic, on which I installed the MOTP application from the MOTP site.
I’ve heard good things about iOTP for iPhone, although I personally don’t have one.
Configuring MOTP
Go to http://localhost/motp (or https://yourdomain.com/motp)
Login with the username admin and password of motp.
Securing the admin account
Click on the red text in “First time configuration”
Click on “Change password of User ‘admin’”
Enter a new password. Do not set the time or uses section of this page. Click “Set“. Ignore the warning.
Click on “Home”
Setting up your first user
Click on “Quick Add” (under “Wizards”)
Enter a username. It should be the username for your Ubuntu 11.10 device.
On the client, create a profile for the device. Most of them create a profile by asking for a seed, rather than a secret, so those will likely be more than 16 characters long – maybe even 20 (Mobile-OTP for Android) or 25 (MOTP Java app).
Once you’ve got your secret (on Mobile-OTP, by pushing-and-holding on the profile name and selecting “Show Secret“, on MOTP Java app, once you’ve put 0000 as the PIN for the first time to initialize it, you get a string “Init-Secret:“), put that into the “Secret” field, and then ask the user to set their pin here – I suggest 1234 initially, as the user can change it to something they want after.
Click OK, then click “Logout” and test authentication. If it all goes OK, they should be presented with “Welcome to the Mobile OTP Authentication Server“.
Under “Settings” they can change their own PIN.
Testing radius authentication works OK
Run the radius testing program, like this, as a user:
radtest username passcode localhost 0 testing123
(This assumes the default localhost password hasn’t changed)
If you get anything like “rad_recv: Access-Reject packet from host“, then you’ve failed to configure something properly, or you’ve entered the PIN or code wrong.
Restart FreeRadius in debugging mode by doing the following:
/etc/init.d/freeradius stop
/usr/sbin/freeradius -X
This will produce a large quantity of logs on-screen, so I’d suggest running the test itself from a separate window. Run the radtest command (listed above) again. Look for your error messages. In my case, I forgot to update the line in users, so I saw this error message: Could not open input file: /var/www/htdocs/radius-auth.php
To find where this fault was, I did (as root, in /etc/freeradius)
find -R 'htdocs' /etc/freeradius
And got back:Â users: Exec-Program-Wait = “/usr/bin/php /var/www/htdocs/radius-auth.php %{User-Name} %{User-Password} %{Client-Shortname}”
That told me the fault was in the users file.
Fix the issue, check it again, and when you get this message “rad_recv: Access-Accept packet from host” press Ctrl+C to cancel the test mode of FreeRadius, and then run:
sudo /etc/init.d/freeradius start
Configuring pam_radius_auth.conf
Edit /etc/pam_radius_auth.conf
sudo nano /etc/pam_radius_auth.conf
Find the line which says “127.0.0.1” and replace the shared secret with something you want your server to use. You will also need to amend /etc/freeradius/clients.conf and replace the “secret” in the localhost client there (by default, it’s “testing123” in freeradius).
If you want to use your OTP for all authentication credentials, edit /etc/pam.d/common-auth, or if you just want to use it with specific access protocols, edit the relevant file in /etc/pam.d for the authentication systems you want to use OTP for.
You need to add the following line – either on the line before “@include common-auth” (for non common-auth files) or after the primary comment block for common-auth.
auth sufficient pam_radius_auth.so
Open a separate terminal session to your box (especially! if you’re remote) and ensure you can still login with your regular credentials.
Then try a connection with your radius credentials. It should just work! If not, stop the freeradius server and re-run it using /usr/sbin/freeradius -X and see whether you’re getting a different error message.
** UPDATE **
I have noticed that I’m getting locked out when using my non-radius credentials. This is probably due to the placement of the line in the /etc/pam.d/common-auth – it should probably come after the pam_unix.so line, but I’ve not tested that yet. I’m also going to try to suggest that there be an optional time-out period on locked accounts to the developers of MOTP-AS.
The second issue I’m struggling with is that I’m getting errors when using the LightDM. I’m getting the following error message in /var/log/auth.log:
pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "spriggsj"
I don’t know if this is because I’m using ecryptfs as well, or because there’s something wonky going on with the common-auth structure I’m using.
A quick note – Using SOX to trim, normalize and change the rate of a track to 44100
sox outro_rev.wav --norm -r 44100 -t sox - silence 1 0.1 1% reverse | sox -t sox - outfile.flac silence 1 0.1 1% reverse
Feel free to add tweaks to this! :)
This is for Dave “The Love Bug” Lee
Using the recursive_import.php script for importing photos to the #Horde module Ansel with subdirectories
I have a problem with the excellent Horde module “Ansel” – their photo
display and manipulation application – which I’m
documenting-until-I-fix-it.
there’s a script called recursive_import.php – you’ll find this under
/path/to/your/horde/install/ansel/scripts/recursive_import.php and it
takes the following arguments: -d /path/to/directory -u USERNAME -p
PASSWORD I’d been using it thinking it would handle directory navigation a bit
better than it did, by running it as follows: php recursive_import.php -d import_dir -u fred -p bloggs Infact, I needed to do it like this: php recursive_import.php -d `pwd`/import_dir -u fred -p bloggs This is because the script navigates up and down the directory
structure as it works out the contents of each directory, instead of
handling the referencing properly. I plan to look at this properly
tomorrow when I’ve got a day off, but if I don’t, or if the patch
doesn’t get accepted, at least you know how to fix it now! :)
Posted via email from Jon’s posterous
Locally Monitoring Interfaces on Nokia Firewalls (and – by a link – McAfee Sidewinders) for Failover
I recently wrote a document on http://jon.spriggs.org.uk/blog explaining how to monitor the interface of a McAfee sidewinder to see when it failed over. I don’t know why I didn’t write it on Posterous, but if you’re following me on Posterous, and you think that you might want to know how to use Perl to repeatedly loop over the same command, and show the results with a date stamp underneath it (a bit like the watch command) then you’ll find this page really useful. In the mean time, I’ve also written the same script for the CSH shell, which is used, amongst other places, on Nokia Firewalls.
Introduction
One of our requirements with one of our customers is to perform regular and routine failover tests. As the interface is not responsive to providing information about when service has failed from Primary to Secondary and back again, I re-wrote the script I adjusted for McAfee Sidewinders to run on the SECONDARY NODE to show the interface address of one NIC every 5 seconds. I’ll also show how to slightly modify the script with different time delays and interface names. Please note, there may be much better ways of doing this. I needed something in a hurry, and this gave me what I needed. If you’ve got any better ideas, please drop me a note at jon@spriggs.org.uk or note below how to do it :)
Steps to perform
while (-e /bin/csh)
ifconfig eth-s1p1c0 | grep inet
date
sleep 5
end
inet mtu 1500
inet 1.2.3.4/24 broadcast 1.2.3.255
inet 1.2.3.5/24 broadcast 1.2.3.255 vrrpmac 0:0:aa:bb:cc:dd
Tweaks
In the bold section above, replace the interface name identified (here it’s eth-s1p1c0) with an interface you know will fail over, you can also make bigger or smaller the sleep command – here it’s 5 seconds, but there’s probably no reason why it couldn’t be 1 or 10.