What more could you want?
Security
Webmin Java-based File Manager and Mac, Safari
Jun 4th
So, Mac uses their own Java, and Webmin doesn’t like it.
I’ve found that opening Applications -> Utilities -> Java Preferences.app and clearing the cache helps. Click the Network tab, and click “Delete Files…” Optionally, uncheck “Keep temporary files for fast access” to make the fix permanent.
Hope this helps!
/cs
Plesk 9 and PCI compliance
Apr 14th
The basics are easy, as one can attest with a Google search: Apache, Mail, etc.
But, I’ve found that the Plesk CP for Plesk 9 doesn’t run on Apache, it runs on Lighttpd. To disable weak ciphers on a Plesk/Red Hat box, edit /etc/sw-cp-server/applications.d/plesk.conf and add this line:
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
I don’t know if you can add it just anywhere, but you ought to be able to. Personally, I put it between the “include_shell” and “index-file.names” lines in the conf, line 11. After all that, issue “service psa restart” and you’re good to go.
You can test the setup using this command:
# openssl s_client -connect localhost:8443 -ssl2
Run that from the box itself, either as root or as a regular user. It gave me a “Connection reset by peer” error on the SSLv2 connection. This is expected, and means that SSLv2 has been successfully disabled. Go run that scan again.
Also, keep in mind the recent “Plesk broke openssl” (or vice-versa) fiasco.
/cs
GPG, Mail 4.2, Snow Leopard, and Happiness
Feb 5th
I discovered Cyanide and Happiness on YouTube the other day. It’s hilarious.
Also, I found a way to use GPG signing and encryption in Apple’s Mail app.
First, quit Mail. I know it’s hard, but you can do it!
Second, back up your GPG keys and REMOVE YOUR EXISTING ~/.gnupg directory if it exists. The configuration file that already exists somehow conflicts with the pinentry app that prompts for your GPG password. I back up my keys this way:
$ gpg -a --export me@ozymo.com >> me_ozymo.com.asc
$ gpg -a --export-secret-key me@ozymo.com >> me_ozymo.com.asc
Note that this will store your PRIVATE key in the file as well. This is necessary for importing, but not ideal to keep around on some random computer. Use your head.

Third, download this file. If you don’t trust me, look here on page 6. Or here. Same file. Once it downloads, drag it into ~/Library/Mail/Bundles. If there is already a GPGMail.mailbundle there, remove it and drop the new one in place.
Fourth, open Mail.
Fifth, be happy. And check out Cyanide and Happiness. It’s REALLY funny. I laughed my ass off and sewed it to a chair.
/cs
OpenSolaris as Synergy Host
Oct 22nd
UPDATE 081205: Adding “AllowTcpForwarding” to the sshd_config and restarting SSH should enable port forwarding, as it is disabled by default.
–
I have installed OpenSolaris on my Gateway MT3705 notebook. I know. I must be a glutton for punishment.
I have a Dell desktop that I also use, and like to have my laptop be the “control center”. I accomplish this by using Synergy through an SSH tunnel. Today was the first time I tried to use OpenSolaris as the host for my Synergy setup. And it failed miserably.
After some googling, I found out that the SSH package in OpenSolaris is broken. It doesn’t allow for correct SSH tunneling. Here are some links for reference.
I run Debian on my desktop machine at present. I’ve run SSH tunnels between my laptop and desktop while both were running Debian. No problem. I’ve set up an alias in my .bashrc on each of my boxes so that I don’t have to type the whole command each time:
alias synsetup='ssh -f -N -L 24800:host:24800 host && synergyc localhost'
Obviously, this assumes that the host and client are already correctly configured. I’ve discussed this previously.
So, I compiled and configured synergy in OpenSolaris, and tried to run the synergys command: No problem. It runs fine, and works great on its own, outside of an SSH tunnel. I can connect from the client without issue:
$ ps -ef | grep synergys
chuck 1159 1 0 19:44:13 ? 0:00 synergys
$ netstat -an | grep 24800
*.24800 *.* 0 0 49152 0 LISTEN
10.6.101.176.24800 10.6.101.174.38334 9088 0 49232 0 ESTABLISHED
But, running Synergy all alone transmits information between the two hosts over the network in plain text. So, it’s best to run Synergy through an SSH tunnel.
Here’s a smattering of what I get when I follow the instructions from Synergy’s site on setting up the client through an SSH tunnel:
$ synergyc -f localhost
INFO: synergyc.cpp,716: Synergy client 1.3.1 on Linux 2.6.26-1-686 #1 SMP Thu Oct 9 15:18:09 UTC 2008 i686
DEBUG: CXWindowsScreen.cpp,841: XOpenDisplay(":0.0")
DEBUG: CXWindowsScreenSaver.cpp,339: xscreensaver window: 0x00000000
DEBUG: CXWindowsScreen.cpp,111: screen shape: 0,0 2560x1024 (xinerama)
DEBUG: CXWindowsScreen.cpp,112: window is 0x03400004
DEBUG: CScreen.cpp,38: opened display
NOTE: synergyc.cpp,330: started client
channel 2: open failed: administratively prohibited: open failed
NOTE: synergyc.cpp,276: disconnected from server
. . . (until Ctrl-C)
^CDEBUG: CScreen.cpp,49: closed display
NOTE: synergyc.cpp,408: stopped client
So, I googled the error message. The first link shed some light. I dug farther, and found the links I posted above.
So, tunneling is broke on OpenSolaris, but works fine on Debian. Why not reverse it? I set up this alias on my OpenSolaris laptop, to start the Synergy server. It creates a reverse tunnel to the desktop machine, which runs Debian:
alias synserver_setup='/usr/local/bin/synergys && ssh -f -N -R 24800:localhost:24800 chuck@client'
The only thing that’s different is the direction from which the tunnel is created. When the tunnel is set up from the client, the ‘-L’ flag is used to create the local tunnel. When it is set up from the server, the ‘-R’ flag is used to create the remote tunnel. All set.
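The netstat output earlier in this post shows synergys bound to *.24800 with a client connected directly from 10.6.101.174, which is the plaintext case the tunnel is meant to replace. As an added example (not from the original post), this shell function classifies such netstat lines so you can confirm that sessions really arrive over the tunnel; the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `netstat -an` output on
# stdin and classifies sockets on the Synergy port (default 24800):
#   listen-any        server listens on every interface
#   plaintext <peer>  established session with a peer on another host
#   local <peer>      peer is loopback or this host (e.g. the sshd end of a tunnel)
check_synergy() {
    awk -v port="${1:-24800}" '
    # Endpoints look like "addr.port" (Solaris) or "addr:port" (Linux);
    # the last "." or ":" separates the address from the port.
    function addr(ep) { sub(/[.:][0-9*]+$/, "", ep); return ep }
    function prt(ep)  { sub(/^.*[.:]/, "", ep); return ep }
    function loopback(a) { return a ~ /^127\./ || a == "::1" }
    {
        # The first endpoint-shaped field is the local side, the next the peer.
        l = r = ""
        for (i = 1; i < NF; i++)
            if ($i ~ /[.:][0-9*]+$/ && $i ~ /^[0-9A-Fa-f.:*]+$/) { l = $i; r = $(i + 1); break }
        if (l == "" || (prt(l) != port && prt(r) != port)) next
        a = addr(l); p = addr(r)
        if ($NF == "LISTEN") {
            if (a == "*" || a == "0.0.0.0" || a == "::") print "listen-any"
        } else if ($NF == "ESTABLISHED") {
            if (loopback(p) || p == a) print "local " p
            else print "plaintext " p
        }
    }'
}

# The two netstat lines from the post (direct, untunneled client connection).
page_sample() {
    cat <<'EOF'
*.24800 *.* 0 0 49152 0 LISTEN
10.6.101.176.24800 10.6.101.174.38334 9088 0 49232 0 ESTABLISHED
EOF
}

# Constructed sample: the same server once the client arrives via the reverse tunnel.
tunnel_sample() {
    cat <<'EOF'
*.24800 *.* 0 0 49152 0 LISTEN
127.0.0.1.24800 127.0.0.1.40112 9088 0 49232 0 ESTABLISHED
EOF
}

page_sample | check_synergy
tunnel_sample | check_synergy
```

A listen-any result means the plaintext port is still reachable from the network even while you use the tunnel, so restrict it with a host firewall.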
/cs
Secure Synergy
Sep 8th
I have a laptop that I use as my primary computer, and a desktop machine that I attach it to at work (both run linux). I use synergy to connect the two so that I don’t have to remember which mouse is attached.
By default, synergy is quite insecure. In contrast, running synergy inside an encrypted ssh tunnel is quite secure.
I have two machines:
- My laptop: synclient
- My desktop: synserver
So, I use the keyboard/mouse from the desktop to control everything. I assume that you are already aware of synergy and that you already have a working config. Oh, and that you are running Linux. Oh, and that both of your Linux machines name the other one in their /etc/hosts files. Oh, and that you have your synergy config in /etc/synergy.conf. Now we don’t have to have everything all cluttered with flags.
There is no guarantee here that any of this will work on or improve the security of Windows. You’ve been warned.
I log into both machines, and start up the synergy server on my desktop (I have a synergy.conf in /etc, so there is no need to pass it a config file argument with -c):
chuck@synserver:~$ synergys
I then log into my laptop, and do the following:
chuck@synclient:~$ ssh -f -N -L 24800:synserver:24800 synserver
chuck@synclient:~$ synergyc localhost
Now, it’s a pain to have to do that every time. So, I put an alias in my ~/.bashrc:
alias synclient='ssh -f -N -L 24800:synserver:24800 synserver && synergyc localhost'
Now, I can log into my laptop, once I’ve started synergys on the desktop, and run this:
chuck@synclient:~$ synclient
Now, the SSH tunnel has been configured, and the synergyclient started, all in one command. No mess, no fuss. No password leaked on the net.
/cs