Archive for the ‘*nix’ Category

Generating an SSL Certificate

March 28th, 2008

I remember when I first started doing systems administration. One of the first (and simplest) things I had to do was learn how to generate a self-signed SSL certificate, because I didn’t want to pay for one. Well, since my first time doing it, I’ve done the process about 2^18 times now, so it’s second nature to me. But for those who don’t want to read the lengthy explanation of what each step does, here’s a breakdown of the commands you’ll issue on a Linux server. An explanation of the steps will follow.

*nix, Systems Administration

Examine Public SSL Certificate / Keys

August 13th, 2007

So, in trying to figure out the LDAP issues that I had earlier, I needed to check the public key that was returned by the LDAP server when using SSL / TLS. The problem was that I had the damndest time trying to figure out the command necessary to open up and examine SSL certificates on non-standard ports (ie: anything but HTTPS, IMAPS, POP3 over SSL, etc.). Finally, I found on the Atlassian Confluence website the exact command I needed:

openssl s_client -connect host.example.com:ldaps

This displayed everything I needed to know, including the PEM formatted public key / certificate as well as the Certificate Chain (ie: who was the Certificate Authority for the certificate).

*nix, Networking

OpenLDAP, SSL, and PHP

August 13th, 2007

It never ceases to amaze me how many outside dependencies there are for PHP. When trying to get a PHP application to connect to an LDAP server over SSL, you have to have the following:

  • OpenLDAP (at least branch 2.x.x)
  • OpenSSL
  • Reminder: Compile OpenLDAP with SSL support! Just in case you didn’t do that already.

Yes, but once you have all that done, then you need to hope and pray that it will connect successfully. On a Linux server, this is definitely a possibility (but a treacherous task at that). On a Windows machine: forget it. You might as well count your losses and start coding your application in .Net before you try connecting to an LDAP server via SSL with a Windows box (that or you need to be really good at compiling opensource software on Windows machines).

The Error

So, here’s the error message I’m getting in my PHP app:

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server.

Pretty generic error message, right? It could be anything. My guess, though, is that it’s something with OpenLDAP. That’s why it comes with the wonderful tool `ldapsearch`. This _should_ help me figure out whether it’s an application problem or an OpenLDAP problem.

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com -H ldaps://host.example.com searchMailbox=neraath
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Once again, a pretty generic error message. If you try to Google that error message, you’re not gonna get anywhere. This is where OpenLDAP’s debugging switch turns out to be quite handy. My favorite: `-d 7`. Watch it in action:

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com -d 7 -H ldaps://host.example.com searchMailbox=neraath
ldap_create
ldap_url_parse_ext(ldaps://host.example.com)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP host.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP.ADDRESS.HIDDEN.HERE:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:280
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Lo-and-behold the answer becomes evident:

TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').

I change the line ‘TLS_CACERTDIR /etc/apache2/ssl.crt’ in /etc/openldap/ldap.conf to ‘TLS_CACERTDIR /etc/ssl/certs’. I re-run the above command and it prompts me for a password. This is definitely a good sign. Does it work when I run it again from my PHP code? Of course not.

Step 2: Google Some More

After more wonderful Googling for the most generic PHP error possible, I find that the problem may potentially be the certificate (view the thread). So, I decide to try to figure out how to actually view the certificate that’s on the server (in case it is self-signed or not trusted, somehow). This takes me the better part of half an hour, but I finally figure out the openssl command necessary to view the public key / certificate of a service:

openssl s_client -connect host.example.com:ldaps

This gave me the public key / certificate, which I saved and placed at /etc/ssl/certs/host.example.com.pem. After doing so, I ran `c_rehash` and then modified my /etc/openldap/ldap.conf file, adding the following lines to the config:

URI: ldap://host.example.com
TLS_CACERT /etc/ssl/certs/host.example.com.pem

After restarting Apache and testing the PHP file, things seem to be going a little smoother. No more connect errors. I will update if something goes awry, though.
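To show how the `-d 7` trace and the `s_client` output above can be read mechanically, here is an added Python example (not code from the post): it maps OpenLDAP’s `TLS:` debug lines to the ldap.conf setting they implicate, pulls the PEM block out of `s_client` output, and decides which certificate belongs in TLS_CACERT. The trace lines are copied from the post; the `s_client` output and its certificate body are constructed placeholders, and the hint table is my own reading of these OpenSSL/OpenLDAP messages.

```python
import re

# Trace lines taken verbatim from the ldapsearch -d 7 run shown in the post above.
LDAPSEARCH_TRACE = """\
ldap_connect_to_host: TCP host.example.com:636
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:280
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
"""

# Constructed stand-in for `openssl s_client -connect host.example.com:ldaps` output.
# The base64 body is a placeholder, not a real certificate.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 /CN=host.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=host.example.com
   i:/CN=host.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERTIFICATEBODYLINE1/placeholder+not+a+real+cert
MIIBPLACEHOLDERCERTIFICATEBODYLINE2/placeholder+not+a+real+cert==
-----END CERTIFICATE-----
subject=/CN=host.example.com
issuer=/CN=host.example.com
---
"""

# Each entry: a pattern seen in OpenLDAP "TLS:" debug lines and what it usually means.
TLS_HINTS = [
    (re.compile(r"could not load client CA list \(file:`(?P<file>[^']*)',dir:`(?P<dir>[^']*)'\)"),
     "TLS_CACERT/TLS_CACERTDIR in ldap.conf point at a missing or unusable CA location"),
    (re.compile(r"PEM routines:PEM_read_bio:no start line"),
     "a file in the CA location is not PEM encoded (DER, or not a certificate at all)"),
    (re.compile(r"system library:fopen:Permission denied"),
     "the LDAP client cannot read the CA file or directory (check owner and mode)"),
    (re.compile(r"certificate verify failed"),
     "the server certificate chains to no CA in TLS_CACERT/TLS_CACERTDIR"),
]

def diagnose_tls_trace(trace):
    """Return (line, hint, captured_fields) for every TLS: line matching a known pattern."""
    findings = []
    for line in trace.splitlines():
        if not line.startswith("TLS:"):
            continue
        for pattern, hint in TLS_HINTS:
            m = pattern.search(line)
            if m:
                findings.append((line, hint, m.groupdict()))
                break
    return findings

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n", re.S)

def extract_certificates(s_client_output):
    """Return every PEM certificate block printed by s_client, in the order sent.
    Without -showcerts only the server (leaf) certificate is printed."""
    return PEM_BLOCK.findall(s_client_output)

def is_self_signed(s_client_output):
    """True when the subject= and issuer= lines printed by s_client are identical."""
    subject = re.search(r"^subject=(.*)$", s_client_output, re.M)
    issuer = re.search(r"^issuer=(.*)$", s_client_output, re.M)
    return bool(subject and issuer and subject.group(1) == issuer.group(1))

def trust_anchor(s_client_output):
    """Pick what belongs in TLS_CACERT: the leaf itself only when it is self-signed,
    otherwise the last certificate the server sent (the highest CA in the presented
    chain), or None when the chain was not printed (re-run s_client with -showcerts)."""
    certs = extract_certificates(s_client_output)
    if not certs:
        return None
    if is_self_signed(s_client_output):
        return certs[0]
    return certs[-1] if len(certs) > 1 else None

if __name__ == "__main__":
    for line, hint, fields in diagnose_tls_trace(LDAPSEARCH_TRACE):
        print(f"{line}\n    -> {hint} {fields or ''}")
    anchor = trust_anchor(S_CLIENT_OUTPUT)
    print("self-signed:", is_self_signed(S_CLIENT_OUTPUT))
    print("would write to /etc/ssl/certs/host.example.com.pem:\n" + (anchor or "<nothing>"))
```

Pinning the fetched leaf as TLS_CACERT works in the post only because the certificate is self-signed, so the leaf is its own CA. For a CA-issued certificate, run `openssl s_client -showcerts` and trust the issuing CA rather than the leaf, and compare the fingerprint of whatever you fetched (`openssl x509 -fingerprint -noout`) with the value the server’s administrator published before installing it: `s_client` shows you what is on the wire, not whether it is the right certificate.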

*nix, PHP, Software Development

Komodo, svn, and ssh

June 5th, 2007

For many of you who use Komodo, you will have undoubtedly come across the Source Code Control feature available within it. This feature works GREAT with MacOS X and Linux systems, but if you have ever tried to use it within Windows, it’s a bit tricky to get working properly (if you’ve even been able to do that).

I’ve been tackling the issue for the past hour or so (after having tried it in the past - but to no avail), but now I think I’ve figured out what’s up with this damn thing. It revolves around using a combination of PuTTY, Subversion (NOT TortoiseSVN), and (of course) Komodo.

Before we get started, you might want to check out this forum thread as this is what gave me some hints as to what to do, though I had to take it all with a grain of salt since it was so messy. If you don’t care, then read onward!

These first steps are really quite quick, and I don’t care to explain how to do them (as I expect you to figure out how to install applications yourself). If all else fails, RTFM.

  1. Install Putty
    Note: You must install the full application (this includes putty.exe, puttygen.exe, plink.exe, etc.)
  2. Install Subversion
  3. Restart the computer (this will populate your PATH with the environment variables for PuTTY and Subversion)
  4. Generate your Public/Private Key Pairs
    (Note: The following section was copied from the Komodo Documentation):

    Run the puttygen utility. Configure as follows:

    1. Set Parameters: Select either “SSH2 RSA” or “SSH2 DSA”.
    2. Generate Key Pair: Click the Generate button to generate the key pair. While the key is being generated, move the mouse pointer around the blank space to provide key randomness.
    3. Enter Key Passphrase: Enter and confirm a passphrase for the key. Remember the passphrase - it is required later.
    4. Save Public Key: Click the “Save public key” button and store the key in a file called public1.key.
    5. Save Private Key: Click the Save private key button and store the key in a file called private1.key, in the same directory as the public key.
    Note: The extension .ppk will be appended to the name specified (i.e. private1.key.ppk).
    6. Copy Key Contents: Copy the contents of the public key field (at the top of the dialog box) to a file named public1-openssh.key. This key is required later.
    7. Close puttygen

  5. Load and Configure Pageant
    (Note: This section was copied from the Komodo Documentation):

    Run the pageant program. This loads the Putty Authentication Agent into the Windows System Tray.

    Right-click the Pageant icon in the Windows System Tray. Select Add Key. Navigate to the directory where you saved the public and private keys in the previous step, and select the file private1.key.ppk.

  6. Configure PuTTY Session

    Run PuTTY. Note: Before reading the next section, you MUST realize that the naming convention used for the session name is CRITICAL for checking out and committing over SSH. Once you understand this, read the documentation that was copied from the Komodo documentation:

    1. Specify Server: On the Session page of the Configuration form, enter the host name or IP address of the server.
    2. Specify Protocol: On the Session page, in the Protocol field, select the “SSH” protocol.
    3. Create Saved Session: In the Saved Sessions field, enter the host name again. Click the Save button.
    4. Configure Connection: on the Connection page of the Configuration form, enter your username for the server in the Auto-login username field.
    5. Configure SSH Protocol: On the SSH page of the Configuration form, specify “2” for the Preferred SSH protocol version.
    6. Enable Agent Forwarding: On the Auth page of the Configuration form, check Allow agent forwarding. In the Private key file for authentication field, specify the path and filename of the private key created above (private1.key).
    7. Save Session Information: On the Session page of the Configuration form, click the Save button.

  7. Store the Public Key on the Server
    Note: Copied from the Komodo Documentation:

    You must store the public key file generated in step 2 (public1-openssh.key) on the CVS or Subversion server.

    1. Open Command Prompt Window: Type cmd in the Windows Run dialog box.
    2. Copy Public Key to Server: At the command prompt, enter:

    pscp c:\path\to\public1-openssh.key username@server.com:public1-openssh.key

    …where c:\path\to\public1-openssh.key specifies the location of the key file created in step two, and username@server.com specifies your username and URL on the remote server. You are prompted to confirm the legitimacy of the host, and may be prompted to enter your password for the server.
    3. Connect Using Putty: If necessary, run the putty program. In the Saved Sessions field, double-click the configuration created in Step 4. This establishes a connection to the server.
    4. Configure the Key on the Server: After logging on to the server, enter the following commands to configure the SSH key:

    mkdir ~/.ssh
    chmod 700 ~/.ssh
    cat ~/public1-openssh.key >> ~/.ssh/authorized_keys
    rm ~/public1-openssh.key
    chmod 600 ~/.ssh/*

    5. Log Off and Exit Putty: Enter exit to close the session of the server.

  8. Setting Up Environment Variables

    Go to your Control Panel and then to the System. Click the Advanced tab and then the Environment Variables button. Add 2 new Global Variables:

    SVN_SSH = "C:\Path\to\plink.exe" -i "C:\Path\to\Private\Key.ppk"
    PLINK_PROTOCOL = ssh

    NOTE that the quotes around the paths are critical to SVN working appropriately. If you don’t use quotes, subversion will try to use the entire string as the path to plink, which will obviously fail. If you put quotes around the entire thing, the same occurs.

  9. Checking out files

    This is CRITICAL in order to make certain that Komodo works appropriately. If you do not check out files appropriately, Komodo will hang and then you’ll go hang yourself. The syntax of the command used to check out files should be:

    C:\> svn co svn+ssh://<PuTTY Session Name>/<Path To Repository>/ <directory>

    If you use a hostname rather than a PuTTY Session name, you are guaranteed failure.
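The server-side part of step 7 (mkdir, chmod 700, append to authorized_keys, chmod 600) as an added Python example; it is not from the post or from the Komodo documentation. It checks that the pasted line really is an OpenSSH public key (so a .ppk private key pasted by mistake is rejected), creates the directory and file with the permissions sshd requires regardless of umask, and skips keys already present so re-running it never duplicates entries. The key line inside demo() is a constructed placeholder.

```python
import os
import re
import stat
import tempfile

# Key types accepted; the puttygen steps above produce "ssh-rsa" or "ssh-dss" lines
# in OpenSSH format (the "public key for pasting into authorized_keys" field).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
BASE64 = re.compile(r"^[A-Za-z0-9+/]+=*$")

def parse_public_key(line):
    """Validate one OpenSSH public key line and return (type, key, comment).
    Raises ValueError for anything else, e.g. a PuTTY .ppk file pasted by mistake."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES or not BASE64.match(parts[1]):
        raise ValueError("not an OpenSSH public key line")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return parts[0], parts[1], comment

def install_authorized_key(home, pubkey_line):
    """Same effect as the mkdir / chmod 700 / cat >> authorized_keys / chmod 600 steps,
    but validated and idempotent. Returns True if the key was added, False if present."""
    ktype, key, comment = parse_public_key(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs is subject to umask; sshd refuses group/world-writable dirs
    auth_path = os.path.join(ssh_dir, "authorized_keys")
    present = set()
    if os.path.exists(auth_path):
        with open(auth_path) as fh:
            present = {tuple(e.split()[:2]) for e in fh if len(e.split()) >= 2}
    if (ktype, key) in present:
        os.chmod(auth_path, 0o600)  # repair the mode even when nothing is appended
        return False
    # Create with mode 0600 from the start instead of chmod-ing after the fact.
    fd = os.open(auth_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{ktype} {key} {comment}".rstrip() + "\n")
    os.chmod(auth_path, 0o600)  # the file may have pre-existed with a looser mode
    return True

def demo():
    """Run the install twice against a throwaway HOME and report what happened."""
    home = tempfile.mkdtemp()
    # Constructed sample key line; the base64 body is a placeholder, not a real key.
    key_line = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderKeyBody0123456789 user@laptop"
    first = install_authorized_key(home, key_line)
    second = install_authorized_key(home, key_line)
    ssh_dir = os.path.join(home, ".ssh")
    auth_path = os.path.join(ssh_dir, "authorized_keys")
    with open(auth_path) as fh:
        entries = [line for line in fh if line.strip()]
    return {
        "first_added": first,
        "second_added": second,
        "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(auth_path).st_mode),
        "entries": len(entries),
    }

if __name__ == "__main__":
    print(demo())
```

The `chmod 600 ~/.ssh/*` in the original steps also tightens any private keys kept in that directory, which is fine; the script above only touches authorized_keys because that is the one file the procedure creates.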

Enjoy. :-)

*nix, Software Development

Mac Xserve Perl DBD::MySQL 4.001

May 7th, 2007

Well now, here’s an interesting problem I had with Perl on the new Mac Xserve running 64-bit Intel Xeon processors. One of our customers had a CGI website (cringes) and was using DBD::MySQL to access the MySQL database. On initial observation, permissions had been set up incorrectly and the httpd.conf file was not set up properly for CGI executables.

Past this, I find that the server has dependency problems, which I spotted from the following error message in the /var/log/httpd/error_log file:

[Mon May  7 15:43:45 2007] [error] [client xx.xx.xx.xx] Premature end of script headers: /Library/WebServer/CGI-Executables/webevent.cgi
install_driver(mysql) failed: Can't locate DBD/mysql.pm in @INC (@INC contains: /Library/WebServer/webevent/lib /System/Library/Perl/5.8.6/darwin-thread-multi-2level /System/Library/Perl/5.8.6 /Library/Perl/5.8.6/darwin-thread-multi-2level /Library/Perl/5.8.6 /Library/Perl /Network/Library/Perl/5.8.6/darwin-thread-multi-2level /Network/Library/Perl/5.8.6 /Network/Library/Perl /System/Library/Perl/Extras/5.8.6/darwin-thread-multi-2level /System/Library/Perl/Extras/5.8.6 /Library/Perl/5.8.1 .) at (eval 8) line 3.
Perhaps the DBD::mysql perl module hasn't been fully installed,
or perhaps the capitalisation of 'mysql' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, Proxy, Sponge.
 at /Library/WebServer/webevent/lib/db/dbconnect.pm line 58

So, I proceed to install Perl modules. But wait, CPAN’s bitching about an upgrade to CPAN being available. Fine, let’s give it what it wants:

CPAN> install Bundle::CPAN
 
-- CPAN INSTALLS UPDATE --

Cool, now time to move to installing DBI:

CPAN> install DBI
 
-- INSTALL SUCCESSFUL --

Now for the last bit, DBD::mysql:

CPAN> install DBD::MySQL
 
<snip>
t/utf8...............install_driver(mysql) failed: Can't find 'boot_DBD__mysql' symbol in /Library/Perl/DBD-mysql-4.001/blib/arch/auto/DBD/mysql/mysql.bundle
at (eval 3) line 3
Compilation failed in require at (eval 3) line 3.
 
2 tests skipped.
Failed 25/28 test scripts. 413/418 subtests failed.
Files=28, Tests=418,  2 wallclock secs ( 1.54 cusr +  0.35 csys =  1.89 CPU)
Failed 25/28 test programs. 413/418 subtests failed.
make: *** [test_dynamic] Error 255
</snip>

Damn, talk about something unexpected. After reading a few emails and forums and getting downright frustrated with everything, I find this email note. It isn’t completely correct, in that it turns out you don’t have to install another copy of MySQL in some temporary location for the libraries: you already have everything you need, assuming you’ve installed the Xcode Tools.

So, what DO you have to do? The following:

shell> cd /path/to/.cpan/build/DBD-mysql-4.001/
shell> perl Makefile.PL --testuser test --testpassword test --testsocket /var/mysql/mysql.sock --cflags="-I/usr/include/mysql" --libs="-L/usr/lib/mysql -lmysqlclient -lz -lm"
shell> make
shell> make test   # should work now
shell> make install

Understanding why Perl was so broken

Well, it wasn’t exactly Perl’s fault. It’s the MySQL that ships on Apple’s Xserve. Apple, you ask, with no doubt in your mind? Yes, Apple. Check this out:

shell> mysql_config --libs
-arch ppc64  -arch x86_64 -pipe -L/usr/lib/mysql -lmysqlclient -lz -lm
shell> mysql_config --cflags
-I/usr/include/mysql -fno-omit-frame-pointer  -arch ppc64  -arch x86_64 -pipe

Now isn’t that funny! On my new Xeon Xserve, the architecture specifications (which for some odd reason appear in BOTH the cflags AND libs flags which normally appear ONLY in the cflags) are for BOTH ppc64 AND x86_64… AFAIK, this server is Intel 64-bit based, not PowerPC any longer. So, when Perl goes through and autoconfigures its switches, these architecture flags cause the tests to blow up because it’s expecting a completely different set of tools that are expected to work on the PowerPC architecture.
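An added Python example (not code from the post) that does the mysql_config clean-up generically: it pulls every `-arch` flag out of the `--cflags` and `--libs` output quoted above, reports any architecture that is not the host’s, and renders the Makefile.PL line from the post with the cleaned flags. The mysql_config strings are the ones shown above; `x86_64` as the host architecture is my assumption for the Xeon Xserve, and the test user, password and socket are the throwaway values the post used.

```python
import shlex

# mysql_config output on the Xeon Xserve, as printed in the post above.
MYSQL_LIBS = "-arch ppc64  -arch x86_64 -pipe -L/usr/lib/mysql -lmysqlclient -lz -lm"
MYSQL_CFLAGS = "-I/usr/include/mysql -fno-omit-frame-pointer  -arch ppc64  -arch x86_64 -pipe"

def split_arch_flags(flags):
    """Separate every `-arch NAME` pair from a flag string.
    Returns (list_of_archs, remaining_flags_as_string)."""
    tokens = flags.split()
    archs, rest = [], []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-arch" and i + 1 < len(tokens):
            archs.append(tokens[i + 1])
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return archs, " ".join(rest)

def makefile_pl_flags(cflags, libs, host_arch):
    """Return the cflags/libs to hand to `perl Makefile.PL` with all -arch flags removed
    (the host default then applies), plus the non-host architectures mysql_config
    was advertising, which is what made the DBD::mysql tests blow up."""
    c_archs, c_rest = split_arch_flags(cflags)
    l_archs, l_rest = split_arch_flags(libs)
    foreign = sorted(set(c_archs + l_archs) - {host_arch})
    return {"cflags": c_rest, "libs": l_rest, "foreign_archs": foreign}

def makefile_pl_command(cflags, libs, host_arch, testsocket="/var/mysql/mysql.sock"):
    """Render the Makefile.PL invocation from the post with cleaned, shell-quoted flags.
    'test'/'test' are the throwaway credentials the post used for `make test`."""
    f = makefile_pl_flags(cflags, libs, host_arch)
    parts = ["perl", "Makefile.PL", "--testuser", "test", "--testpassword", "test",
             "--testsocket", testsocket, "--cflags=" + f["cflags"], "--libs=" + f["libs"]]
    return " ".join(shlex.quote(p) for p in parts)

if __name__ == "__main__":
    info = makefile_pl_flags(MYSQL_CFLAGS, MYSQL_LIBS, "x86_64")
    if info["foreign_archs"]:
        print("mysql_config advertises non-host architectures:", ", ".join(info["foreign_archs"]))
    print(makefile_pl_command(MYSQL_CFLAGS, MYSQL_LIBS, "x86_64"))
```

The post passed a bare `-I/usr/include/mysql`; this version keeps the other non-architecture flags (`-pipe`, `-fno-omit-frame-pointer`) as well, which is harmless, and only the `-arch` pairs are dropped.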

Anywho, it’s working now, and that makes me (and my client) happy.

*nix, SQL, Software Development

SANS: Web Application Security Review

April 24th, 2007

I’m here in Austin, TX today at the SANS: Web Application Security Workshop (I was also here yesterday, too). I hope to be able to provide an accurate review for this nearly worthless workshop that many of us from CIS Customer Applications are attending. There are a couple of individuals who believe that the information being taught here is somewhat worthwhile, but most of us from the group either know everything that’s been taught so far, or find some of the information being taught doesn’t relate to us.

For a quick synopsis, here’s what I would have to say: If you are an intermediate or experienced developer, you will be absolutely bored with this workshop. If you are an executive who has not much technical know-how, but want to learn about security for your web applications, this is a worthwhile program for you to attend. Be aware, however, that there are some things executives don’t need to (or don’t care to) learn about in this. Regardless, this is the most watered down version of a so-called technical workshop I’ve ever been through. Read on to find out how ridiculous some of the things we learned were.

*nix, Networking, PHP, Software Development, Windows

Xorg 7.1 and evdev problems - [Solved]

January 19th, 2007

Currently I’m encountering problems with Xorg 7.1, evdev, and my Microsoft IntelliMouse Optical. The issue is that when I run ‘startx’, I get the following:

(EE) evdev brain: Unable to initialize inotify, using fallback. (errno: 38)
(EE) evdev brain: Unable to initialize inotify, using fallback. (errno: 38)
(EE) evdev brain: Unable to NONBLOCK inotify, using fallback. (errno: 9)
 
Fatal server error:
bogus pointer event from ddx
XIO:  fatal IO error 104 (Connection reset by peer) on X server ":0.0"
         after 0 requests (0 known processed) with 0 events remaining.

I have had Xorg 7.1 compiled for a long time, no recent updates. However, I changed my /etc/X11/xorg.conf file as such:

...
Section "InputDevice"
    Identifier "Mouse0"
    Driver "evdev"
    Option "Protocol" "auto"
    Option "evBits" "+1-2"
    Option "keyBits" "~272-287"
    Option "relBits" "~0-2 ~6 ~8"
EndSection
...

Will update when I figure this damned problem out.

*nix

Debian and Gentoo Security Awareness

December 14th, 2006

I subscribe to both the Debian Security and Gentoo Security lists. I’m one of those concerned sys-admins who wants to make sure I’m not running a vulnerable copy of software. Well, is it just me, or has the amount of security vulnerabilities increased over the past few months?

Open-source software had been widely accepted as some of the most stable, trusted, and worthwhile software to use. This was because there were very few security vulnerabilities, production versions of the software were rock-solid, and most of them were easy to administer for a Unix admin. But, in the past few months, the sheer amount of security messages leads me to one of three conclusions. Either:

  • OSS is taking on individuals who are less capable of writing good code.
  • OSS and the community are starting to find new vulnerabilities that they didn’t know existed before, and at a rapidly increasing rate.
  • Competent programmers are getting lazy, not checking their code, and are acting like Microsoft: wanting to get the end product out quickly, regardless of the number of broken things and vulnerabilities.

If it is the foremost one, then I’m starting to question what is being taught to our Computer Science students in universities around the world. It’s reasonable to believe that more and more recently graduated, if not within the past 5-10 years graduated computer science / engineering majors are joining OSS projects - and rightfully so. The community is always in need of volunteers, and sometimes the volunteers are looking for experience on projects that have well founded roots and structure to them so they can better themselves (and their peers) at whatever programming job they get. But, if they are the ones contributing sloppy code, then how can our Universities and Colleges get away with not teaching good coding techniques? That IMHO is a critical aspect for a computing science student to learn at the beginning of their school work, not in the middle, at the end, or (heaven forbid) never at all.

If it is the second choice, then I applaud the OpenSource community for actually finding, fixing, and releasing these vulnerabilities. I certainly don’t want to be helping to maintain a customer’s website with 500K credit card numbers in a database only to find that one of the most blatant security holes in the database software has let 5 hackers through to obtain most, if not all, of those credit card numbers. I’m sure the rest of the community feels the same way about this. If it is the second choice, it would render this whole argument useless, as it’s simply applause rather than a rant anyway.

If it is the final choice, then my message to the open source community is wake the f*ck up. As Admiral Adama from Battlestar Galactica puts it, “You’ve lost sight of the true goal.” The true goal of OpenSource software is not to be first-to-market, is not to have the most features that pleases everyone, is not to make a quick fix to a problem and move on. It’s working with your peers on projects, deciding which features will take time to develop and truly developing the ones that benefit the community the most. It’s making sure that your code is rock solid. Above all, it’s making a product that everyone around the world can utilize, come to trust, and will turn to for the solution you’re providing again and again.

So, OpenSource community, will you make sure you’re writing the most efficient code?

*nix, Random

Gentoo and Eterm Ebuild Problem

September 22nd, 2006

If you by chance are building eterm in Gentoo and get the following error:

gcc -Os -march=pentium4 -pipe -o .libs/Eterm main.o  -L/usr/lib -L/usr/X11R6/lib ./.libs/libEterm.so /usr/lib/libImlib2.so
/usr/lib/libfreetype.so -lz /usr/lib/libttf.so -ldl -lutempter /usr/lib/libast.so -lSM -lICE /usr/lib/libpcre.so -lXmu -lXext -lX11
-lutil -lm -Wl,--rpath -Wl,/usr/lib:/usr/lib/Eterm
./.libs/libEterm.so: undefined reference to `imlib_render_pixmaps_for_whole_image'
./.libs/libEterm.so: undefined reference to `imlib_context_set_display'
./.libs/libEterm.so: undefined reference to `imlib_render_pixmaps_for_whole_image_at_size'
./.libs/libEterm.so: undefined reference to `imlib_context_set_colormap'
./.libs/libEterm.so: undefined reference to `imlib_context_set_drawable'
./.libs/libEterm.so: undefined reference to `imlib_context_set_visual'
./.libs/libEterm.so: undefined reference to `imlib_free_pixmap_and_mask'
collect2: ld returned 1 exit status
make[2]: *** [Eterm] Błąd 1
make[2]: Leaving directory `/var/tmp/portage/eterm-0.9.3-r4/work/Eterm-0.9.3/src'
make[1]: *** [all-recursive] Błąd 1
make[1]: Leaving directory `/var/tmp/portage/eterm-0.9.3-r4/work/Eterm-0.9.3'
make: *** [all-recursive-am] Błąd 2
 
!!! ERROR: x11-terms/eterm-0.9.3-r4 failed.
!!! Function src_compile, Line 54, Exitcode 2
!!! make failed

Then you have a USE flag problem. I’m seeing a lot more of them recently.

Anywho, your solution is:

root#> USE="X" emerge imlib imlib2 eterm

This should compile it nicely. :-)

*nix

Gentoo Gensplash Woes

September 14th, 2006

Okay, time to try this again without sounding pissed off, because I just spent the past 10 minutes typing this thing up and managed to hit “Ctrl+R”, destroying my work….

Okay, so last week I had gotten fed up with Debian’s lack of speed with regards to packages and lack of good support and stability with the testing distribution, so I decided that it had to go on my desktop. The decision was upon me to try to figure out which distribution I was going to go to next. FreeBSD was out of the question, and I really did not like the choice of Suse, RedHat, etc. So, I was stuck between the choice of Gentoo or Ubuntu. Eventually, my heart went back to Gentoo as I’ve had nothing but sheer happiness with that distro.

But alas, my reinstallation turned me from a happy, gentle human into a truly crazy and perplexed one. Why? Because of one stupid little thing I probably should not have been working on, but did, because I have a tendency to track these things down until they are FIXED. The problem was with gensplash.

For those who don’t know, Gensplash is Gentoo’s program that will create a graphical bootup splash screen much like Ubuntu, MacOS, and alas, Windows. This splash screen looks much prettier than the traditional text dump of the kernel loading to the screen.

Nevertheless, if you would like to read-on to see what I had to do in order to fix it, and the other complications that I came across along the way, please read on!

*nix