Samstag, 13. August 2016
Samstag, 30. August 2014
Remove plain passwords from froxlor db and configure postfix with sasl and pam-mysql
This time the post will be really short. Why? Because Stefan has written everything you should know about this topic. So I'm referring to him:
Stefans Blog: Froxlor with hashed (encrypted) passwords and sasl
Stefans Blog: Froxlor with hashed (encrypted) passwords and sasl
Mittwoch, 6. August 2014
ownCloud: Migration from SQLite to MySQL/PostgreSQL possible via CLI - finally!
I've once created an ownCloud (5.x IIRC) installation for private purposes. Because I tried to create a "low footprint" installation, I used sqlite - which turned out to be a bad idea.
If you are running a ownCloud installation, you're going to use it. And after a while it's not only you using it. Your wife/husband will use it, your relatives and your friends for sure. Just because it is working and it is not only you who wants to share content but them as well - probably content you requested them to share with you. BTW, and just in case if you are not aware of, the ownCloud Android app can upload your pictures taken with your device instantly.
Ok, so what's the problem with sqlite? Locking! If you have some users, some Androids, some iOS devices and some shared links your ownCloud will definitely be slow. So you have to migrate. My first attempt was to migrate the data directory. But then you've to create all of your users manually. Remember the relatives, the friends and your wife/husband. If you want to avoid setting new passwords and telling them, you're going to change something (which might sometimes be a good idea, because they might tell you that they do not need the account any longer because they moved to their own-ownCloud), you want to migrate the database as well. This part turned out to be the hardest and was not possible without investing hours into a database migration.
Just before I migrated my ownCloud (6.something) to a different server, I updated it to version 7.0.1.1. This update was the very best update of my ownCloud installation (moving from 5 to 6 was like a mess). The admin interface told me I should migrate the database with this simple command:
BTW, occ offers some cool stuff for administrating your ownCloud. I've not yet tried them all, but they look very useful to me:
If you are running a ownCloud installation, you're going to use it. And after a while it's not only you using it. Your wife/husband will use it, your relatives and your friends for sure. Just because it is working and it is not only you who wants to share content but them as well - probably content you requested them to share with you. BTW, and just in case if you are not aware of, the ownCloud Android app can upload your pictures taken with your device instantly.
Ok, so what's the problem with sqlite? Locking! If you have some users, some Androids, some iOS devices and some shared links your ownCloud will definitely be slow. So you have to migrate. My first attempt was to migrate the data directory. But then you've to create all of your users manually. Remember the relatives, the friends and your wife/husband. If you want to avoid setting new passwords and telling them, you're going to change something (which might sometimes be a good idea, because they might tell you that they do not need the account any longer because they moved to their own-ownCloud), you want to migrate the database as well. This part turned out to be the hardest and was not possible without investing hours into a database migration.
Just before I migrated my ownCloud (6.something) to a different server, I updated it to version 7.0.1.1. This update was the very best update of my ownCloud installation (moving from 5 to 6 was like a mess). The admin interface told me I should migrate the database with this simple command:
./occ db:convert-type mysql owncloud localhost owncloudTo be fair, it told me to use "occ db:convert-type" but this echos
db:convert-type [--port="..."] [--password="..."] [--clear-schema] [--all-apps] type username hostname databaseSo my database migration took me 7 minutes and now I can move the whole installation to my new server - hopefully my puppet integration allows me to do this without much effort.
BTW, occ offers some cool stuff for administrating your ownCloud. I've not yet tried them all, but they look very useful to me:
# ./occ ownCloud version 7.0.1 Usage: [options] command [arguments] Options: --help -h Display this help message. --quiet -q Do not output any message. --verbose -v|vv|vvv Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug --version -V Display this application version. --ansi Force ANSI output. --no-ansi Disable ANSI output. --no-interaction -n Do not ask any interactive question. Available commands: help Displays help for a command list Lists commands status show some status information upgrade run upgrade routines app app:disable disable an app app:enable enable an app app:list List all available apps db db:convert-type Convert the ownCloud database to the newly configured one db:generate-change-script generates the change script from the current connected db to db_structure.xml files files:scan rescan filesystem ldap ldap:set-config modifies an LDAP configuration ldap:show-config shows the LDAP configuration ldap:test-config tests an LDAP configuration maintenance maintenance:mode set maintenance mode maintenance:repair repair this installation maintenance:singleuser set single user mode user user:lastseen shows when the user was logged it last time user:report shows how many users have access user:resetpassword Resets the password of the named user
Donnerstag, 6. Februar 2014
SSL and PFS on Linux and Citrix NetScaler
The last few days I was doing some SSL optimization regarding Linux servers and NetScaler appliances. If you want to do this by yourself, the first paper you should read is "Applied Crypto Hardening" from bettercrypto.org.
After implementing these best practices you can test your setup (if your server is reachable by public and running on default port 443) with Qualys' ssltest.
On Citrix NetScaler you can mitigate risk by denying insecure SSL renegotiation:set ssl parameter -denySSLReneg NONSECUREYou can now check the status.
show ssl parameter
...
Deny SSL Renegotiation NONSECURE
...
Don't forget to save the running configuration.
save ns config
I've decided to disable RC4 ciphers by disabling the DEFAULT cipher group and enabling the cipher group HIGH per vServer.
A side node: if you do not have a N3 chip in your NetScaler MPX you won't be able to use ECDHE. I guess this results in having no Perfect Forward Secrecy at all.Some other useful links you might be interested in:
Credit goes to kro.hn, for supplying additional useful information.Update: Does your mail server support STARTTLS?
Update 2: How's your Browsers SSL?Dienstag, 30. Juli 2013
Certificate based Wifi access and RADIUS Server (Microsoft Server 2008 R2) and local CA
We have had trouble while authenticate iOS based devices via Client certificates (802.1X) in a Wifi setup with Wireless LAN Controller (from various vendors). These certificates are issued by an external SA/CA (in our case MobileIron local CA w/o external trust). We tried to configure a Network Policy (Network Policy and Access Services) for Smartcard/Certificate based authentication on a NPS/RADIUS Win2k8R2 EE server.
When the client tried to establish a connection the following error occured.
Authentication Type: EAP EAP Type: - Account Session Identifier: ... Logging Results: Accounting information was written to the local log file. Reason Code: 22 Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.Thanks to Microsoft Support we got this issue solved. Solution in our case is:
-
Importing third-party certification authority certificate in the NTAuth store on the NPS server.
How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store (KB295663)certutil -enterprise -addstore NTAuth CA_CertFilename.cer
- Adding third-party certification authority to the Trusted Root Certification Authorities (local Machine)
-
Changing device to user certificate and adding AD account name as Subject Alternative Name (SAN).
Certificate Requirements for PEAP and EAP.
Abonnieren
Posts (Atom)
Read Audio-CD (bash, Gnome Virtual File System, abcde)
My father in law bought a new car. Because the vendor doesn't ship an audio CD drive anymore but an usb interface he asked us to encode "some" of his favorite CDs so he can listen to them. Encoding one CD took some time and I had to start the encoding process manually. So I wrote a simple (really simple, no command line options, no interrupt criteria and so one) to automate this process:
- open CD drive
- start script
- put in audio CD
- close CD drive
- wait until CD drive opens again
- continue with the third step
As soon as all CDs are encoded, hit ^C (CTRL+C) and close the CD tray.Developed and tested on
Limitations
Known limitations are:
Where to get this script? https://gist.github.com/kallies/6c0f20b3bd18d2883f6dabb1fc388e08