Linux


I had a couple of scripts working in the back end of an application to create users and set the passwords. So instead of reinventing the wheel I used the “trusty” useradd.

Until recently one could pass the user's password in clear text as a parameter. I assume that someone thought about all the passwords that were saved in history files and decided to change it. The problem is that they used the same parameter but now it expected the password to be encrypted, so it basically stopped working but didn’t generate errors.

After some debugging and some man reading the problem was nailed down, but now I had to generate and encrypt the password. I looked and tried many solutions but the best I could find was the crypt library and decided to access it through perl.  What I liked the most about the solution is that I could use all the same native algorithms that the system has installed.

So let's cut to the chase, here are the 5 lines of code needed to get the job done:

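# 8-character salt with no special characters (mkpasswd comes with expect)
salt=$(/usr/bin/mkpasswd -l 8 -s 0)
# "config" is a Perl bareword, so the literal string config is the password hashed here
parameter="print crypt(config,\"\\\$1\\\$$salt\")"
encrypted=$(perl -e "$parameter")
/usr/sbin/useradd -p "$encrypted" <user>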

To create a good salt I used the mkpasswd utility that comes with the expect package (yum install expect).  In this case the $1 is not a variable, but the way of telling crypt to use MD5.

Other valid values for the Glibc crypt are:

ID   Method
1    MD5
2a   Blowfish (not in mainline glibc; added in some Linux distributions)
5    SHA-256 (since glibc 2.7)
6    SHA-512 (since glibc 2.7)

For more information see http://www.kernel.org/doc/man-pages/online/pages/man3/crypt.3.html or simply: man crypt

Have fun

This feature just popped up and started working after I upgraded to Fedora 10 and I thought it was a standard function in gnome, but I was working with Per the other day and his Ubuntu 8.04 didn’t have it running out of the box.  So I had to take a look at the docs to make it work:  http://live.gnome.org/GnomeKeyring/Ssh

This is just one of those features that make your life easier by handling all the ssh sessions for you, and the best part is that it is one of those set-up-once-and-forget features.  Here is a brief introduction on how it works:

According to the ssh-agent man:

     ssh-agent is a program to hold private keys used for public key
     authentication (RSA, DSA).  The idea is that ssh-agent is started in the
     beginning of an X-session or a login session, and all other windows or
     programs are started as clients to the ssh-agent program.  Through use of
     environment variables the agent can be located and automatically used for
     authentication when logging in to other machines using ssh(1).

So what gnome did was include an ssh-agent in the gnome-keyring(-daemon), so it has one interface to manage passwords, ssh keys, etc.  Underneath the hood this is how it works:

  1. Gnome starts the gnome-keyring-daemon (if it is enabled in your conf)
  2. The keyring manager starts the ssh-agent component and sets up the SSH_AUTH_SOCK variable, which makes ssh send its queries to that socket
  3. The SSH agent automatically loads files in ~/.ssh having names starting with id_rsa or id_dsa or any other keys included by using the ssh-add command

That does the job.  If you need to get it working on your Gnome installation follow the instructions here.

Have you ever scanned a pile of documents on a “non enterprise” or home scanner, or just got distracted when using the big Xerox machine in the office?  You’ll end up with a ton of individual pdf files.  After a little googling and man reading I found these 2 solutions.

  1. On linux just use pdfmerge:   sudo yum install pdfmerge or download the windows version
  2. Do it by hand with ghostscript:

gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=finished.pdf Scan001.pdf Scan002.pdf

I finally got fed up of these messages in my log files (/var/log/messages) and decided to do something about them:

Apr 19 04:14:47 hostname snmpd[3458]: Connection from UDP: [127.0.0.1]:42482
Apr 19 04:14:47 hostname snmpd[3458]: Received SNMP packet(s) from UDP: [127.0.0.1]:42482

After reading, googling around and testing for a while I arrived at the following solution. It should work on any Linux system with net-snmp after some tweaks, and out of the box on CentOS, RHEL, Fedora or any of their relatives:

1. Remove the -a from the snmpd start options or write this in the /etc/sysconfig/snmpd.options file:

OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid"

This should take care of the “Received SNMP” packets line (2nd one).

2. Add dontLogTCPWrappersConnects true at the end of your /etc/snmp/snmpd.conf file, that takes care of the other line:

Apr 19 04:13:47 dcf-is1p snmpd[3458]: Connection from UDP: [127.0.0.1]:48911

According to the man page: “This setting disables the log messages for accepted connections. Denied connections will still be logged.”

The problem is that the default settings are to log every connection / request, so what we did was leave logging on only for failed and authenticated attempts.

Enjoy readable logs!

Well it’s official I’m a published writer!

About a week ago I finally got my copy from the editor of Hacking Linux Exposed 3rd Edition.  This was a really interesting project I worked on last year. The book was written in collaboration, and organized by ISECOM, so I got a chance to work with a lot of top notch guys and gals in the security / Linux area.

It’s a shame I couldn’t have some face time with them, but I hope we’ll meet somewhere along the line to match a face with the name.

I started out helping as a technical reviewer on the book, basically I got the chance to read the book in advance and give some feedback.  After some time major changes had to be made on some chapters, complete rewrites in some cases.  Pete Herzog asked me if I could help out with one of the chapters.

So to make a long story short, if you read chapter 14: Mail Services, that will be me.

I haven’t had time to read the published edition, but all the chapters I got to review were just great.

I can’t agree more with Pete Herzog when he wrote:

The book will help people focus on securing their Linux systems no matter what they do with it– desktop, services, coding workbench, wireless node, PBX, VOIP, etc. by hacking them, it just doesn’t waste your time with old exploits.

Have fun and get ready for a hell of a ride!

I’ve been looking actively for an open source replacement for Visio, the programs work but the main weakness is the lack of the “stencils” or figures to make the diagrams.  The artwork that I found is really lacking the help of a designer.

I checked out Dia 0.96.1 which I had used before and it works really well but as I stated before it lacks the artwork.  The good thing is that there is hope, as stated on its web site: “It is also possible to add support for new shapes by writing simple XML files, using a subset of SVG to draw the shape.”

Open Office Draw 2.4.1 is also suitable for the job.  I personally think it is a little more limited than Dia for the job, but maybe it’s just my impression.  As a drawing tool it is more complex and gives you more for your effort, like object rotation and other effects.

Kivio 1.6.3 is also a nice tool.  I have to say that it works really well.  It’s light and has good handling of stencils, and they get extra points because it automatically finds and uses the Dia stencils.  The only thing I really don’t handle well yet is that all objects when placed on the sheet are TOO BIG.

Is there a chance that someone with good graphic skills opens an Open Source project to make some standard shapes or stencils that can be used by all 3 tools or any other tool that wants to use them?  If momentum is created it is also possible to make the vendors want to publish their shapes in this standard format.

After a lot of fighting I finally got my UMTS card working with Fedora 9.

I have a T-Mobile Web'n'Walk II card which turns out to be an Option GEO201 by Qualcomm.  The main problem with this card is that someone had the wonderful idea of integrating a usb flash drive (so you don’t ever lose the drivers) with a usb gsm modem.

The main trick is to use a small program called usb_modeswitch which disables the flash drive and loads the modem’s driver.  So let's cut the chat and get it done:

  1. Go to http://www.draisberghof.de/usb_modeswitch/ and download the latest version of the file.
  2. Make sure you have libusb + libusb-devel + lsusb installed:

    $ sudo yum install libusb libusb-devel usbutils

  3. Unpack, build and install the usb_modeswitch.

    $ mkdir ~/tmp
    $ cd ~/tmp
    $ tar jxvf ~/Download/usb_modeswitch-0.9.4.tar.bz2  # or a newer version
    $ cd ~/tmp/usb_modeswitch-0.9.4
    $ ./compile.sh
    $ sudo install -m755 -o root usb_modeswitch /usr/sbin
    $ sudo install -m744 -o root usb_modeswitch.conf /etc/

  4. Now let's set up udev so it automagically runs usb_modeswitch when the card is inserted.  This gives us the plug ‘n play behaviour.  This we will do as root.

    $ /bin/su -
    # vi /etc/udev/rules.d/70-persistent-net.rules
    ####  => Insert the following text:

    #Globetrotter HSDPA Modem T-Mobile Web'n'Walk Express II
    #Bus 002 Device 003: ID 0af0:6701 Option
    #idVendor=05c6, idProduct=1000 are the infos of the flash drive
    #idVendor=0af0, idProduct=6701 are the infos of the HSDPA Modem

    SUBSYSTEM=="usb", ATTR{idProduct}=="1000", ATTR{idVendor}=="05c6", RUN+="/usr/sbin/usb_modeswitch"

  5. Make sure that the " are correct, and that the copy paste doesn’t screw them up (got reports that it does)
  6. Set up the card using the network manager.  Here is my setup for T-Mobile in Germany

Note: The values I used for the udev script I got from running: # lsusb -v

Well, hope that sets you up to go.  This should work with other Linux distributions as well.

Thanks Per Lasse for the comments and corrections :D

Updates:
11.12.2007: I upgraded my laptop to Fedora 10 and it works flawlessly
Tested it in Ubuntu 8.04 LTS and 8.10