Archive for the ‘Linux/Unix/FreeBSD’ Category

Filed Under (Administration, Linux/Unix/FreeBSD) by Chris Weldon on 01-07-2008

If you ever compile Nagios successfully on Solaris 10 (trust me, it’s a beast to get working properly), beware if you get the following errors:

[Tue Jul 01 18:15:37 2008] [error] [client 192.168.0.100] ld.so.1: histogram.cgi: fatal: libgd.so.2: open failed: No such file or directory, referer: https://nagiostest.domain.tld/nagios/side.html
[Tue Jul 01 18:15:37 2008] [error] [client 192.168.0.100] Premature end of script headers: histogram.cgi, referer: https://nagiostest.domain.tld/nagios/side.html
[Tue Jul 01 18:16:03 2008] [error] [client 192.168.0.100] ld.so.1: statusmap.cgi: fatal: libgd.so.2: open failed: No such file or directory, referer: https://nagiostest.domain.tld/nagios/cgi-bin/status.cgi?hostgroup=all&style=grid
[Tue Jul 01 18:16:03 2008] [error] [client 192.168.0.100] Premature end of script headers: statusmap.cgi, referer: https://nagiostest.domain.tld/nagios/cgi-bin/status.cgi?hostgroup=all&style=grid
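
The `ld.so.1 ... open failed` line is the Solaris runtime linker refusing to start the CGI because a shared library it was linked against is not on the library search path; the "Premature end of script headers" line that follows each one is only Apache noticing that the CGI produced no output. As an added example (not from the post), this shell function turns error_log lines of that shape into a deduplicated list of which CGI is missing which library, which is the first thing you want to know before deciding how to put the library on the search path. The sample lines are the post's, joined back onto one line each.

```shell
#!/bin/sh
# Added example (not from the original post): pull "missing shared library" failures out of
# Apache error_log lines like the ones above, so each CGI that the Solaris runtime linker
# (ld.so.1) could not start is reported once together with the library it lacks.

# Constructed sample, modelled on the post's lines (joined back onto one line each).
SAMPLE_LOG='[Tue Jul 01 18:15:37 2008] [error] [client 192.168.0.100] ld.so.1: histogram.cgi: fatal: libgd.so.2: open failed: No such file or directory, referer: https://nagiostest.domain.tld/nagios/side.html
[Tue Jul 01 18:15:37 2008] [error] [client 192.168.0.100] Premature end of script headers: histogram.cgi, referer: https://nagiostest.domain.tld/nagios/side.html
[Tue Jul 01 18:16:03 2008] [error] [client 192.168.0.100] ld.so.1: statusmap.cgi: fatal: libgd.so.2: open failed: No such file or directory, referer: https://nagiostest.domain.tld/nagios/cgi-bin/status.cgi?hostgroup=all&style=grid
[Tue Jul 01 18:16:03 2008] [error] [client 192.168.0.100] ld.so.1: histogram.cgi: fatal: libgd.so.2: open failed: No such file or directory, referer: https://nagiostest.domain.tld/nagios/side.html'

# missing_libs: read error_log text on stdin, print "<program> <library>" pairs, one per
# line, each pair only once. "Premature end of script headers" lines are the symptom, not
# the cause, so they are ignored.
missing_libs() {
    awk '
        # The runtime-linker failure: "ld.so.1: <program>: fatal: <library>: open failed"
        match($0, /ld\.so\.1: [^:]+: fatal: [^:]+: open failed/) {
            s = substr($0, RSTART, RLENGTH)
            split(s, f, ": ")            # f[2] = program, f[4] = library
            key = f[2] " " f[4]
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Example run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | missing_libs
```

Feed it the real file with `missing_libs < /var/apache2/logs/error_log` (or wherever your Apache writes its error log) and you get one line per CGI/library pair to chase down with `ldd` on the affected binary.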




Filed Under (Linux/Unix/FreeBSD) by Chris Weldon on 29-05-2008

I’ve been getting our Solaris environment set up in the College of Architecture, and one of the things I quickly realized with zones is that I’m going to need to set up LDAP to have any sort of efficient way of managing user accounts. Once that was set up, I quickly realized I needed NFS as well, and thought it would be fairly straightforward to set up (as it is on Linux). This turned out not to be the case.



Filed Under (Coding, Linux/Unix/FreeBSD, Windows) by Chris Weldon on 01-04-2008

A friend of mine passed along the following blog entry, which I found quite to my liking. J.P. Boodhoo (a leader in the .Net development community) has found some plugins and tools which enable vim in certain applications on Windows, those being:

  • Visual Studio 2005/2008
  • Microsoft Word
  • Microsoft Outlook

Check out the article. It’s awesome.



Filed Under (Administration, Linux/Unix/FreeBSD) by Chris Weldon on 28-03-2008

I remember when I first started doing systems administration. One of the first (and simplest) things I had to do was learn how to generate a self-signed SSL certificate, because I didn’t want to pay for one. Well, since my first time doing it, I’ve done the process about 2^18 times, so it’s second nature to me now. But for those who don’t want to read the lengthy explanation of what each step does, here’s a breakdown of the commands you’ll issue on a Linux server. An explanation of the steps will follow.




Filed Under (Linux/Unix/FreeBSD, Networking) by Chris Weldon on 13-08-2007

So, in trying to figure out the LDAP issues I had earlier, I needed to check the public key returned by the LDAP server when using SSL/TLS. The problem was that I had the damndest time trying to figure out the command necessary to open up and examine SSL certificates on non-standard ports (i.e., anything but HTTPS, IMAPS, POP3 over SSL, etc.). Finally, I found on the Atlassian Confluence website the exact command I needed:

openssl s_client -connect host.example.com:ldaps

This displayed everything I needed to know, including the PEM-formatted public key / certificate as well as the certificate chain (i.e., which Certificate Authority issued the certificate).



Filed Under (Coding, Linux/Unix/FreeBSD, PHP) by Chris Weldon on 13-08-2007

It never ceases to amaze me how many outside dependencies there are for PHP. To get a PHP application to connect to an LDAP server over SSL, you have to have the following:

  • OpenLDAP (at least branch 2.x.x)
  • OpenSSL
  • Reminder: Compile OpenLDAP with SSL support! Just in case you didn’t do that already.

Yes, but once you have all that done, you need to hope and pray that it will connect successfully. On a Linux server, this is definitely a possibility (but a treacherous task at that). On a Windows machine: forget it. You might as well cut your losses and start coding your application in .Net before you try connecting to an LDAP server via SSL from a Windows box (that, or you need to be really good at compiling open-source software on Windows machines).

The Error

So, here’s the error message I’m getting in my PHP app:

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server.

Pretty generic error message, right? It could be anything. I’m guessing, though, that it’s something with OpenLDAP. That’s why it comes with the wonderful tool `ldapsearch`. This _should_ help me figure out whether it’s an application problem or an OpenLDAP problem.

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com -H ldaps://host.example.com searchMailbox=neraath
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Once again, a pretty generic error message. If you try to Google that error message, you’re not gonna get anywhere. This is where OpenLDAP’s debugging switch turns out to be quite handy. My favorite: `-d 7`. Watch it in action:

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com -d 7 -H ldaps://host.example.com searchMailbox=neraath
ldap_create
ldap_url_parse_ext(ldaps://host.example.com)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP host.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP.ADDRESS.HIDDEN.HERE:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:280
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Lo and behold, the answer becomes evident:

TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').

I change the line ‘TLS_CACERTDIR /etc/apache2/ssl.crt’ in /etc/openldap/ldap.conf to ‘TLS_CACERTDIR /etc/ssl/certs’. I re-run the above command and it prompts me for a password. This is definitely a good sign. Does it work when I run it again from my PHP code? Of course not.
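
The trace above shows the two ways a TLS_CACERTDIR setting goes wrong without ever saying "certificate": a file libldap cannot open (`fopen:Permission denied`) and files that are not PEM at all (`PEM_read_bio:no start line`). As an added example (not from the post), this shell check reads the TLS_CACERT / TLS_CACERTDIR directives out of an ldap.conf and reports those same conditions before you run ldapsearch or the PHP code at all. The demo directory tree, the placeholder certificate text and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): a pre-flight check for the TLS_CACERT / TLS_CACERTDIR
# lines in ldap.conf, reporting the failure modes the "-d 7" trace above exposes before you
# touch a real LDAP server. The demo tree, certificate placeholder and names are constructed.

# ldap_conf_value <file> <directive>: print the directive's value (directive names are
# matched case-insensitively; the last occurrence wins).
ldap_conf_value() {
    awk -v want="$2" 'toupper($1) == toupper(want) { v = $2 } END { if (v != "") print v }' "$1"
}

# pem_cert_ok <file>: 0 if the file is readable and contains at least one PEM certificate block.
pem_cert_ok() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# check_ldap_conf <file>: print one line per finding; return the number of problems (0 = clean).
check_ldap_conf() {
    conf=$1; problems=0
    cacert=$(ldap_conf_value "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_value "$conf" TLS_CACERTDIR)

    if [ -n "$cacert" ]; then
        if [ ! -e "$cacert" ]; then
            echo "TLS_CACERT $cacert: no such file"; problems=$((problems + 1))
        elif [ ! -r "$cacert" ]; then
            echo "TLS_CACERT $cacert: unreadable (libldap would log 'fopen:Permission denied')"; problems=$((problems + 1))
        elif ! pem_cert_ok "$cacert"; then
            echo "TLS_CACERT $cacert: not a PEM certificate (libldap would log 'PEM_read_bio:no start line')"; problems=$((problems + 1))
        else
            echo "TLS_CACERT $cacert: OK"
        fi
    fi

    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ] || [ ! -r "$cacertdir" ] || [ ! -x "$cacertdir" ]; then
            echo "TLS_CACERTDIR $cacertdir: missing or not readable"; problems=$((problems + 1))
        else
            good=0
            for f in "$cacertdir"/*; do
                [ -f "$f" ] || continue
                if pem_cert_ok "$f"; then
                    good=$((good + 1))
                elif [ ! -r "$f" ]; then
                    echo "TLS_CACERTDIR: $f unreadable ('fopen:Permission denied')"
                else
                    echo "TLS_CACERTDIR: $f is not PEM ('PEM_read_bio:no start line')"
                fi
            done
            if [ "$good" -eq 0 ]; then
                echo "TLS_CACERTDIR $cacertdir: no usable PEM certificate files"; problems=$((problems + 1))
            else
                echo "TLS_CACERTDIR $cacertdir: $good usable PEM certificate file(s)"
            fi
        fi
    fi

    if [ -z "$cacert$cacertdir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR set: nothing to check here"
    fi
    return "$problems"
}

# make_demo_tree: build a temp dir holding the post's broken and fixed configurations; print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/ssl.crt" "$d/certs"
    printf '%s\n' 'not a certificate at all' > "$d/ssl.crt/server.crt"      # constructed non-PEM file
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$d/certs/host.example.com.pem"         # constructed PEM placeholder
    printf 'TLS_CACERTDIR %s\n' "$d/ssl.crt" > "$d/broken.conf"
    printf 'URI ldap://host.example.com\nTLS_CACERT %s\n' "$d/certs/host.example.com.pem" > "$d/fixed.conf"
    echo "$d"
}

demo=$(make_demo_tree)
echo "== broken.conf (the setting the trace complained about) =="
check_ldap_conf "$demo/broken.conf" || echo "problems found: $?"
echo "== fixed.conf =="
check_ldap_conf "$demo/fixed.conf"
```

Run `check_ldap_conf /etc/openldap/ldap.conf` as the same user the application runs as (the Apache user, for a PHP app), since readability is exactly what differs between your shell and the web server.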

Step 2: Google Some More

After more wonderful Googling for the most generic PHP error possible, I find that the problem may potentially be the certificate (view the thread). So, I decide to try to figure out how to actually view the certificate that’s on the server (in case it is self-signed or somehow not trusted). This takes me the better part of half an hour, but I finally figure out the openssl command necessary to view the public key / certificate of a service:

openssl s_client -connect host.example.com:ldaps

This gave me the public key / certificate, which I saved and placed at /etc/ssl/certs/host.example.com.pem. After doing so, I ran `c_rehash` and then modified my /etc/openldap/ldap.conf file. I added the following lines to the config:

URI ldap://host.example.com
TLS_CACERT /etc/ssl/certs/host.example.com.pem

After restarting Apache and testing the PHP file, things seem to be going a little more smoothly. No more connect errors. I will update if something goes awry, though.
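
Here is what to do with the `openssl s_client` output from this post and the earlier LDAPS one, as an added example that is not the post's own commands and assumes only the openssl command-line tool: split the transcript into its PEM certificates, check whether the leaf certificate is self-signed, and install it into a CA directory with the `<subject-hash>.0` link that `c_rehash` creates, which is what a TLS_CACERTDIR lookup needs. The certificate is generated locally as a stand-in for the LDAP server's and the paths are temporary. One caveat the post does not spell out: pointing TLS_CACERT at the server's own certificate only works when that certificate is self-signed; a CA-issued one needs its issuer's certificate installed instead, and `s_client` only prints the issuers when given `-showcerts`.

```shell
#!/bin/sh
# Added example (not the post's own commands): handle the output of
#   openssl s_client -connect host.example.com:ldaps
# offline. split_chain() extracts every PEM certificate from an s_client transcript,
# describe_cert() shows who issued each one, and install_ca() does by hand what c_rehash
# does: drop the PEM into a CA directory and add the <subject-hash>.0 link OpenSSL looks up.
# Assumes the openssl CLI; the certificate below is generated locally as a stand-in.
command -v openssl >/dev/null 2>&1 || { echo 'openssl command not found; nothing to demonstrate' >&2; exit 0; }

# split_chain <transcript> <outdir>: write cert1.pem, cert2.pem, ...; print how many were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }' "$1"
}

# describe_cert <pem>: one line with subject, issuer and SHA-256 fingerprint.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256 | tr '\n' ' '
    echo
}

# is_self_signed <pem>: 0 if subject and issuer are the same name.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# install_ca <pem> <cadir>: copy the certificate in and create the hash link c_rehash would make.
install_ca() {
    name=$(basename "$1")
    cp "$1" "$2/$name"
    h=$(openssl x509 -in "$1" -noout -hash)
    ln -sf "$name" "$2/$h.0"
    echo "$2/$h.0"
}

# --- demo: a locally generated self-signed certificate stands in for the LDAP server's ---
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=host.example.com' \
    -keyout "$work/key.pem" -out "$work/server.pem" 2>/dev/null
# Constructed s_client transcript: the PEM block surrounded by the chatter s_client prints.
{
    echo 'CONNECTED(00000003)'
    echo 'depth=0 CN = host.example.com'
    echo '---'
    cat "$work/server.pem"
    echo '---'
    echo 'Verify return code: 18 (self signed certificate)'
} > "$work/transcript.txt"

mkdir "$work/out" "$work/certs"
count=$(split_chain "$work/transcript.txt" "$work/out")
echo "certificates in transcript: $count"
describe_cert "$work/out/cert1.pem"
if is_self_signed "$work/out/cert1.pem"; then
    # Only a self-signed server certificate can be trusted directly as a "CA". For a
    # CA-issued certificate, install the issuer's certificate (the last block of
    # "openssl s_client -showcerts") here instead of the leaf.
    install_ca "$work/out/cert1.pem" "$work/certs"
fi
# The same lookup libldap performs through OpenSSL when TLS_CACERTDIR points at $work/certs:
openssl verify -CApath "$work/certs" "$work/server.pem"
```

For the real thing, save `openssl s_client -showcerts -connect host.example.com:ldaps </dev/null` to a file, run `split_chain` on it, and install the self-signed leaf or the last (issuer) certificate into the directory your TLS_CACERTDIR names.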



Filed Under (Coding, Linux/Unix/FreeBSD) by Chris Weldon on 05-06-2007

For those of you who use Komodo, you will undoubtedly have come across the Source Code Control feature available within it. This feature works GREAT on Mac OS X and Linux systems, but if you have ever tried to use it on Windows, it’s a bit tricky to get working properly (if you’ve been able to do so at all).

I’ve been tackling the issue for the past hour or so (after having tried it in the past, but to no avail), and now I think I’ve figured out what’s up with this damn thing. It revolves around using a combination of PuTTY, Subversion (NOT TortoiseSVN), and (of course) Komodo.

Before we get started, you might want to check out this forum thread, as it gave me some hints as to what to do, though I had to take it all with a grain of salt since it was so messy. If you don’t care, then read onward!

The first steps are really quite quick, and I don’t care to explain how to do them (as I expect you to figure out how to install applications yourself). If all else fails, RTFM.

  1. Install PuTTY
    Note: You must install the full application (this includes putty.exe, puttygen.exe, plink.exe, etc.)
  2. Install Subversion
  3. Restart the computer (this will populate your PATH with the environment variables for PuTTY and Subversion)
  4. Generate your Public/Private Key Pairs
    (Note: The following section was copied from the Komodo Documentation):

    Run the puttygen utility. Configure as follows:

    1. Set Parameters: Select either “SSH2 RSA” or “SSH2 DSA”.
    2. Generate Key Pair: Click the Generate button to generate the key pair. While the key is being generated, move the mouse pointer around the blank space to provide key randomness.
    3. Enter Key Passphrase: Enter and confirm a passphrase for the key. Remember the passphrase - it is required later.
    4. Save Public Key: Click the “Save public key” button and store the key in a file called public1.key.
    5. Save Private Key: Click the Save private key button and store the key in a file called private1.key, in the same directory as the public key.
    Note: The extension .ppk will be appended to the name specified (i.e. private1.key.ppk).
    6. Copy Key Contents: Copy the contents of the public key field (at the top of the dialog box) to a file named public1-openssh.key. This key is required later.
    7. Close puttygen

  5. Load and Configure Pageant
    (Note: This section was copied from the Komodo Documentation):

    Run the pageant program. This loads the Putty Authentication Agent into the Windows System Tray.

    Right-click the Pageant icon in the Windows System Tray. Select Add Key. Navigate to the directory where you saved the public and private keys in the previous step, and select the file private1.key.ppk.

  6. Configure PuTTY Session

    Run PuTTY. Note: Before reading the next section, you MUST realize that the naming convention used for the session name is CRITICAL for checking out and committing over SSH. Once you understand this, read the documentation that was copied from the Komodo documentation:

    1. Specify Server: On the Session page of the Configuration form, enter the host name or IP address of the server.
    2. Specify Protocol: On the Session page, in the Protocol field, select the “SSH” protocol.
    3. Create Saved Session: In the Saved Sessions field, enter the host name again. Click the Save button.
    4. Configure Connection: on the Connection page of the Configuration form, enter your username for the server in the Auto-login username field.
    5. Configure SSH Protocol: On the SSH page of the Configuration form, specify "2" for the Preferred SSH protocol version.
    6. Enable Agent Forwarding: On the Auth page of the Configuration form, check Allow agent forwarding. In the Private key file for authentication field, specify the path and filename of the private key created above (private1.key).
    7. Save Session Information: On the Session page of the Configuration form, click the Save button.

  7. Store the Public Key on the Server
    Note: Copied from the Komodo Documentation:

    You must store the public key file generated in step 2 (public1-openssh.key) on the CVS or Subversion server.

    1. Open Command Prompt Window: Type cmd in the Windows Run dialog box.
    2. Copy Public Key to Server: At the command prompt, enter:

    pscp c:\path\to\public1-openssh.key username@server.com:public1-openssh.key

    …where c:\path\to\public1-openssh.key specifies the location of the key file created in step two, and username@server.com specifies your username and URL on the remote server. You are prompted to confirm the legitimacy of the host, and may be prompted to enter your password for the server.
    3. Connect Using Putty: If necessary, run the putty program. In the Saved Sessions field, double-click the configuration created in Step 4. This establishes a connection to the server.
    4. Configure the Key on the Server: After logging on to the server, enter the following commands to configure the SSH key:

    mkdir ~/.ssh
    chmod 700 ~/.ssh
    cat ~/public1-openssh.key >> ~/.ssh/authorized_keys
    rm ~/public1-openssh.key
    chmod 600 ~/.ssh/*

    5. Log Off and Exit Putty: Enter exit to close the session of the server.

  8. Setting Up Environment Variables

    Go to the Control Panel and then to System. Click the Advanced tab and then the Environment Variables button. Add 2 new global (system) variables:

    SVN_SSH = "C:\Path\to\plink.exe" -i "C:\Path\to\Private\Key.ppk"
    PLINK_PROTOCOL = ssh

    NOTE that the quotes around the paths are critical to SVN working appropriately. If you don’t use quotes, subversion will try to use the entire string as the path to plink, which will obviously fail. If you put quotes around the entire thing, the same occurs.

  9. Checking out files

    This is CRITICAL in order to make certain that Komodo works appropriately. If you do not check out files appropriately, Komodo will hang and then you’ll go hang yourself. The syntax of the command used to check out files should be:

    C:\> svn co svn+ssh://PuTTY Session Name/Path To Repository/ directory

    If you use a hostname rather than a PuTTY Session name, you are guaranteed failure.

Enjoy. :-)
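
The server-side step above appends the key blindly and then chmods everything in ~/.ssh. Here is an added shell version of that step (not part of the post or of Komodo's documentation) that does the same job idempotently: it refuses input that is not in OpenSSH's one-line public-key format (which is why the post has you copy the text from the top of the puttygen window rather than use "Save public key", whose file is in a different format), adds the key only if it is not already present, and sets the 700/600 permissions sshd requires. The key material in the demo is a constructed placeholder, not a real key, and the home directory it writes to is a temporary one.

```shell
#!/bin/sh
# Added example (not part of the post): an idempotent version of the server-side
# authorized_keys step. It refuses anything that is not a one-line OpenSSH public key,
# adds the key only if it is not already present, and sets the permissions sshd requires.

# looks_like_openssh_key <file>: 0 if the file holds exactly one "<type> <base64> [comment]" line.
looks_like_openssh_key() {
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] &&
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$1"
}

# install_pubkey <pubkey-file> [home]: append the key to $home/.ssh/authorized_keys once.
# Prints "added" or "already present"; returns 1 (with a message) if the input is not usable.
install_pubkey() {
    key=$1; home=${2:-$HOME}
    if ! looks_like_openssh_key "$key"; then
        # puttygen's "Save public key" writes an RFC 4716 block, which does not belong in
        # authorized_keys; the one-line text at the top of the puttygen window does.
        echo "error: $key is not a one-line OpenSSH public key"
        return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    # Compare key type + key material only, so a different comment does not create a duplicate.
    keyid=$(awk '{ print $1, $2 }' "$key")
    if awk '{ print $1, $2 }' "$auth" | grep -Fqx "$keyid"; then
        echo "already present"
    else
        awk '{ print }' "$key" >> "$auth"   # awk guarantees a trailing newline; cat does not
        echo "added"
    fi
}

# --- demo in a temporary home directory with a constructed (non-functional) key ---
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedPlaceholderNotARealKey= chris@workstation\n' \
    > "$demo_home/public1-openssh.key"
install_pubkey "$demo_home/public1-openssh.key" "$demo_home"   # added
install_pubkey "$demo_home/public1-openssh.key" "$demo_home"   # already present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

On the real server the call is simply `install_pubkey ~/public1-openssh.key` after the `pscp` copy, followed by `rm ~/public1-openssh.key` as in the post.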



Filed Under (Coding, Linux/Unix/FreeBSD, MySQL) by Chris Weldon on 07-05-2007

Well now, here’s an interesting problem I had with Perl on the new Mac Xserve running Intel Xeon 64-bit processors. One of our customers had a CGI website (cringes) and was using DBD::mysql to access the MySQL database. On initial inspection, permissions had been set up incorrectly and the httpd.conf file was not set up properly for CGI executables.

Beyond this, I found that the server had dependency problems, as shown by the following error message in the /var/log/httpd/error_log file:

[Mon May  7 15:43:45 2007] [error] [client xx.xx.xx.xx] Premature end of script headers: /Library/WebServer/CGI-Executables/webevent.cgi
install_driver(mysql) failed: Can't locate DBD/mysql.pm in @INC (@INC contains: /Library/WebServer/webevent/lib /System/Library/Perl/5.8.6/darwin-thread-multi-2level /System/Library/Perl/5.8.6 /Library/Perl/5.8.6/darwin-thread-multi-2level /Library/Perl/5.8.6 /Library/Perl /Network/Library/Perl/5.8.6/darwin-thread-multi-2level /Network/Library/Perl/5.8.6 /Network/Library/Perl /System/Library/Perl/Extras/5.8.6/darwin-thread-multi-2level /System/Library/Perl/Extras/5.8.6 /Library/Perl/5.8.1 .) at (eval 8) line 3.
Perhaps the DBD::mysql perl module hasn't been fully installed,
or perhaps the capitalisation of 'mysql' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, Proxy, Sponge.
 at /Library/WebServer/webevent/lib/db/dbconnect.pm line 58

So, I proceed to install Perl modules. But wait, CPAN’s bitching about an upgrade to CPAN being available. Fine, let’s give it what it wants:

CPAN> install Bundle::CPAN
 
-- CPAN INSTALLS UPDATE --

Cool, now time to move to installing DBI:

CPAN> install DBI
 
-- INSTALL SUCCESSFUL --

Now for the last bit, DBD::mysql:

CPAN> install DBD::MySQL
 
<snip>
t/utf8...............install_driver(mysql) failed: Can't find 'boot_DBD__mysql' symbol in /Library/Perl/DBD-mysql-4.001/blib/arch/auto/DBD/mysql/mysql.bundle
at (eval 3) line 3
Compilation failed in require at (eval 3) line 3.
 
2 tests skipped.
Failed 25/28 test scripts. 413/418 subtests failed.
Files=28, Tests=418,  2 wallclock secs ( 1.54 cusr +  0.35 csys =  1.89 CPU)
Failed 25/28 test programs. 413/418 subtests failed.
make: *** [test_dynamic] Error 255
</snip>

Damn, talk about something unexpected. After reading a few emails and forums, and getting downright frustrated with everything, I find this email note. It isn’t completely correct, in that it turns out you don’t have to install another copy of MySQL in some temporary location for the libraries: you already have everything you need, assuming you’ve installed the XCode Tools.

So, what DO you have to do? The following:

shell> cd /path/to/.cpan/build/DBD-mysql-4.001/
shell> perl Makefile.PL --testuser test --testpassword test --testsocket /var/mysql/mysql.sock --cflags="-I/usr/include/mysql" --libs="-L/usr/lib/mysql -lmysqlclient -lz -lm"
shell> make
shell> make test    # should work now
shell> make install

Understanding why Perl was so broken

Well, it wasn’t exactly Perl’s fault. It’s the MySQL that comes on Apple’s Xserve. Apple, you ask, incredulous? Yes, Apple. Check this out:

shell> mysql_config --libs
-arch ppc64  -arch x86_64 -pipe -L/usr/lib/mysql -lmysqlclient -lz -lm
shell> mysql_config --cflags
-I/usr/include/mysql -fno-omit-frame-pointer  -arch ppc64  -arch x86_64 -pipe

Now isn’t that funny! On my new Xeon Xserve, the architecture specifications (which for some odd reason appear in BOTH the cflags AND the libs, when normally they appear ONLY in the cflags) are for BOTH ppc64 AND x86_64… AFAIK, this server is Intel 64-bit based, not PowerPC any longer. So, when Perl goes through and autoconfigures its switches, these architecture flags cause the tests to blow up, because the build ends up expecting a completely different set of tools meant for the PowerPC architecture.
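
As an added example (not the post's own code), this shell function does mechanically what the post does by hand: take the mysql_config output quoted above and drop every `-arch <name>` pair, leaving include and library flags that say nothing about architecture, so the compiler builds for the host instead of a PowerPC/Intel universal binary. The mysql_config output is embedded as constructed strings copied from the post, so it runs anywhere; the post's hand-written values also dropped `-pipe` and `-fno-omit-frame-pointer`, which this version keeps since they are harmless.

```shell
#!/bin/sh
# Added example, not from the original post: derive the --cflags/--libs values for
# DBD::mysql's Makefile.PL from mysql_config output by dropping the "-arch <name>" pairs
# that Apple's build of MySQL injects (the cause of the failure described above).
# The mysql_config output is reproduced as constructed strings copied from the post.

XSERVE_LIBS='-arch ppc64  -arch x86_64 -pipe -L/usr/lib/mysql -lmysqlclient -lz -lm'
XSERVE_CFLAGS='-I/usr/include/mysql -fno-omit-frame-pointer  -arch ppc64  -arch x86_64 -pipe'

# strip_arch_flags <flag>...: print the flags with every "-arch X" pair removed, single-spaced.
strip_arch_flags() {
    skip=0; out=
    for tok in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi      # drop the architecture name
        if [ "$tok" = "-arch" ]; then skip=1; continue; fi    # drop the -arch switch itself
        out="${out:+$out }$tok"
    done
    printf '%s\n' "$out"
}

# arch_names <flag>...: list the architectures mysql_config was asking for, one per line.
arch_names() {
    want=0
    for tok in "$@"; do
        if [ "$want" -eq 1 ]; then printf '%s\n' "$tok"; want=0; fi
        [ "$tok" = "-arch" ] && want=1
    done
    return 0
}

# Word-splitting of the unquoted variables is intentional: it turns each flag string into arguments.
clean_libs=$(strip_arch_flags $XSERVE_LIBS)
clean_cflags=$(strip_arch_flags $XSERVE_CFLAGS)

echo "architectures requested by mysql_config: $(arch_names $XSERVE_LIBS | tr '\n' ' ')"
echo "this host: $(uname -m)"
echo "perl Makefile.PL --cflags=\"$clean_cflags\" --libs=\"$clean_libs\""
```

On the Xserve itself you would feed the live output in with `strip_arch_flags $(mysql_config --libs)` and `strip_arch_flags $(mysql_config --cflags)` and paste the printed Makefile.PL line into the build steps above.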

Anywho, it’s working now, and that makes me (and my client) happy.



Filed Under (Coding, Linux/Unix/FreeBSD, Networking, PHP, Windows) by Chris Weldon on 24-04-2007

I’m here in Austin, TX today at the SANS Web Application Security Workshop (I was also here yesterday). I hope to be able to provide an accurate review of this nearly worthless workshop, which many of us from CIS Customer Applications are attending. There are a couple of individuals who believe the information being taught here is somewhat worthwhile, but most of us in the group either already know everything that’s been taught so far, or find that some of the information doesn’t relate to us.

For a quick synopsis, here’s what I would have to say: if you are an intermediate or experienced developer, you will be absolutely bored with this workshop. If you are an executive without much technical know-how who wants to learn about security for your web applications, this is a worthwhile program for you to attend. Be aware, however, that there are some things in it that executives don’t need to (or don’t care to) learn about. Regardless, this is the most watered-down version of a so-called technical workshop I’ve ever been through. Read on to find out how ridiculous some of the things we learned were.




Filed Under (Linux/Unix/FreeBSD) by Chris Weldon on 19-01-2007

Currently I’m encountering problems with Xorg 7.1, evdev, and my Microsoft IntelliMouse Optical. The issue is that when I run `startx`, I get the following:

(EE) evdev brain: Unable to initialize inotify, using fallback. (errno: 38)
(EE) evdev brain: Unable to initialize inotify, using fallback. (errno: 38)
(EE) evdev brain: Unable to NONBLOCK inotify, using fallback. (errno: 9)
 
Fatal server error:
bogus pointer event from ddx
XIO:  fatal IO error 104 (Connection reset by peer) on X server ":0.0"
         after 0 requests (0 known processed) with 0 events remaining.

I have had Xorg 7.1 compiled for a long time, with no recent updates. However, I changed my /etc/X11/xorg.conf file as follows:

...
Section "InputDevice"
    Identifier "Mouse0"
    Driver "evdev"
    Option "Protocol" "auto"
    Option "evBits" "+1-2"
    Option "keyBits" "~272-287"
    Option "relBits" "~0-2 ~6 ~8"
EndSection
...

Will update when I figure this damned problem out.
