Wednesday, 24th of February 2010 at 11:57:17 PMThe standard network tools ifconfig, netstat and route will be familiar to anyone with more than a passing interest in UNIX or any of its derivations. Linux is no exception, and if you hop on to your nearest Linux machine, you’ll find these installed. However, for the past few years ifconfig and its ilk (often collectively referred to as net-tools) have been deprecated in favour of the iproute2 suite.
| |||||
 | Sometimes, people decide to do something big, something life-changing, something that will undoubtedly cause a huge amount of upheaval in their life. I’m talking about emigration. Just a quick one, this… If you install Likewise Open on Debian Squeeze, you may notice that it doesn’t start on boot-up. The reason is because the new dependency-based boot sequence doesn’t like the init scripts Likewise provides. Luckily, it’s pretty easy to fix. First, make sure you have chkconfig installed (
This uncomments the SUSE parts of the init scripts, which chkconfig wants. It then calls chkconfig to first delete each entry, and then re-add it to make sure everything’s okay. Reboot, and you should have working domain authentication without having to manually start it up. IPv6 is nothing new – it was finally standardised back in 1998 in RFC 2460, and virtually all operating systems have supported it now for at least 5 years, so most people are in a position to give it a try. If you’re one of the lucky ones, your ISP might provide native IPv6 connectivity (like AAISP), but for most of us, the main way to get connected to the rest of the IPv6 Internet is to use something we’ve already got – IPv4. And we’re going to tunnel over it. (Note: This was originally posted on my previous blog, but I’ve noticed that it’s being linked to, so I’ve reposted it here) I’m not a mathematician (or a cryptographer) so I’m happy to take this post’s word for it about a recent attack against SHA-1 (short PDF here). The post goes into detail about changing the preferred digests on a key, and is well worth a read. The post also talks about using 2048-bit RSA keys, instead of the DSA/Elgamal default (which has a maximum size of 1024 bits). It goes into detail about how to migrate to an RSA key – if you’re going to migrate, I definitely recommend reading it. However, I thought it would be nice to write a (very) quick guide on generating RSA private keys with GnuPG, as there are a few extra steps involved – but nothing complicated! Historically, if you wanted to use Active Directory to authenticate users on a UNIX box, you were pretty much limited to using LDAP. This works fine for some people, but it’s not particularly elegant – especially if you’re having to create users home directories all the time, which negates some of the point of centralising authentication to begin with. I’m from a UNIX (mostly Linux) background, so I’m more at home using UNIX-alike platforms. That said, there’s a few things that Microsoft do that are particularly useful, and in my opinion AD is one of them (quiet at the back, there). Handily, there’s a project that can marry the two, and it goes by the name of Likewise. → Continue reading ‘Authenticating Active Directory users on Linux with Likewise Open’… One thing that’s always bugged me about IPTables is the lack of a way to use groups when writing rules, which can complicate things if you’ve got a potentially large rulebase. One way round this is to use something like fwbuilder, which gives you a graphical interface not unlike Checkpoint’s SmartDashboard GUI for their Firewall-1 devices. The downside to this, though, is that the resulting IPTables ruleset is far from legible – which, to be fair, isn’t the goal of fwbuilder – and this makes hacking about with the rules nearly impossible. So what options are there? One way is to repeat the same rule for different sources or destinations, but this can quickly get messy, especially if there’s multiple ports involved. If there was a way we could group things together and keep them tidy, maintaining the rulebase would be a lot easier. This is where MARK comes in. I’m using OpenSC at the moment so that I can repurpose an otherwise unused Aladdin eToken to hold SSH keys. I could go through the process involved in setting up the token, but as this chap has already done a thorough job, I won’t go into detail. Unfortunately, the openssh-client package from Debian (and Ubuntu) doesn’t enable OpenSC support. It’s trivial to rebuild the package with OpenSC support, but for those who don’t want to or can’t for some reason, I’ve put my rebuilt, OpenSC-enabled packages here. Once installed, if your token is set up correctly, you should be able to get your SSH public key from the card with:- ssh-keygen -D <card> …which should give you something like:- ssh-rsa AAAA .. .. .. t8/Q== 1024 65537 14233 .. .. .. 70941 You can then add your private key to a running SSH agent with:- ssh-add -s <card> Pop in your PIN, and ssh should function as if you were using a normally-generated key. I released version 0.0004 of IPTables::Log early yesterday morning, which mostly consists of test fixes. If you’re interested, have a look at the entry on CPAN. |   | |||
| Copyright © 2010 Andy Smith | |||||