Keepass in a console

I use the Linux console a lot, and there are a lot of times I quickly need a password. I also use KeePassX to store all my passwords. I have a sync script set up to securely sync with a private server. To date I have not been able to quickly grab a password from the command line.

I would ideally like something that did the following:
(set KEEPASSKEYFILE=/somepath/somefile & KEEPASSFILE=/somepath/someotherfile)
$ keepass -l gmail (l for list)
Password: ***********

gmail.com – user1
gmail.com – user2

$ keepass -p gmail.com user1 (p for password)
SecretPassword4User1

I haven't found this yet; maybe I will write it. We will see.
But until then I did see these:

  • http://blog.codingtony.com/2011/01/keepass-in-console.html
  • http://sourceforge.net/projects/ckpass/

Encrypted MySQL Connections

This week I fought with MySQL trying to get an encrypted connection. Getting the server piece to appear to work was easier than actually getting the connection. Whether the problems didn't show up until the connection, or the code in the mysql client app is just broken, I'm not sure, but I did get it to work.

My environment was:

  • RHEL 6.3
  • MySQL 5.5.28 from MySQL SRPM, compiled against OpenSSL 1.0.0j

ERROR 2026 (HY000): SSL connection error: ASN: before date in the future

  • This one is easy: the client rejects a certificate whose start date (notBefore) is later than its own clock, which happens with a freshly generated certificate when the signing host's clock runs ahead of the client's. Wait a minute and it goes away (or fix the clock skew between the two machines).

I kept getting: ERROR 2026 (HY000): SSL connection error: protocol version mismatch

  • Make sure that your DNs are different (the CA, server and client certificates must not share the same subject).
  • I saw a lot of advice to use 0.9.8(something) to generate the certificates, and this did work once, but I also had several failures with 0.9.8 as well.
  • I also got 1.0.0 to work; I'm not 100% sure what I did differently to finally get it working. All of a sudden it went from not working to working.
  • I did use statically defined subject lines, but I'm not 100% sure that fixed it. I think I had the first one fail, but after so many trials I'm not sure.
  • My guess is that the client side has a problem with any but the simplest DNs. But that is just a guess.

For the SSL connection error: protocol version mismatch, I did a little research in the code, but stopped once I got it working:

  1. "protocol version mismatch" comes from badVersion_error in yassl_error.cpp
  2. badVersion is used in two files: extra/yassl/src/yassl_imp.cpp and extra/yassl/src/yassl_int.cpp
  3. either a test applied to the client cert file bombs out because of a version, or the client cert file is not being loaded and that causes an error in the underlying SSL code; I haven't dug deeper yet

So here is the configuration:

/etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
symbolic-links=0
log-error=/var/log/mysqld.log
bind-address=server.milcom.us

sql_mode=STRICT_ALL_TABLES
max_allowed_packet=64M
query_cache_size=128M

# innodb settings
innodb_fast_shutdown=0
innodb_flush_log_at_trx_commit=1
innodb_lock_wait_timeout=120

# replication settings
server-id=1
log-bin=mysql-bin
binlog-format=MIXED
sync_binlog=1

# SSL settings
# "ssl" makes the server accept TLS connections; it does not require them.
# Require them per account with GRANT ... REQUIRE SSL (or REQUIRE X509).
ssl
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

# note: log-error is also set above; mysqld uses the last value it reads
log-error=/var/log/mysql/error
log-warnings

[client]
host=server.milcom.us
port=3306
user=username

# "ssl" alone only asks for TLS and falls back to plaintext if the server does
# not offer it. Add ssl-verify-server-cert to check that the server certificate's
# CN matches "host" (the server cert must then carry a CN equal to that host name).
ssl
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

/etc/mysql/make-cert
#!/bin/bash
# ********* NEW CERT Script **********
# The rm below wipes every .pem in the current directory, so pin it first.
cd /etc/mysql || exit 1
rm -f *.pem

# CA key and self-signed CA certificate. The CA subject must differ from the
# server and client subjects below; a leaf whose subject equals the CA's looks
# self-signed to the client.
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj '/DC=us/DC=milcom/CN=CA'

# Server key and CSR (-nodes: no passphrase, mysqld cannot prompt for one), then sign it with the CA.
# Add a CN equal to the server host name if clients will use ssl-verify-server-cert.
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -subj '/DC=us/DC=milcom/DC=server'
# rewrite the key as a traditional "RSA PRIVATE KEY" (PKCS#1) file: OpenSSL 1.0 writes
# PKCS#8 by default and yaSSL only reads PKCS#1
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Client key and CSR, signed by the same CA, with a subject and serial distinct from the server's.
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem -subj '/DC=us/DC=milcom/DC=server/CN=user'
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x100001 -out client-cert.pem

# Both leaf certs must chain to the CA (this also reports a not-yet-valid notBefore).
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

chmod 600 ca-key.pem
chmod 644 ca-cert.pem
chgrp mysql server* client*
chmod 640 server*
chmod 644 client-cert.pem client-req.pem
# was 644: a world-readable client key lets any local user present this client certificate
chmod 640 client-key.pem
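As an added example (not part of the original post or of MySQL), the following script builds a throw-away CA, server and client certificate set with distinct DNs and then checks each leaf certificate for the two properties the errors above come from: a subject identical to the issuer (the DN mistake), and a certificate that does not chain to the CA or is outside its validity period (which is how OpenSSL reports the "before date in the future" case). It assumes only that the openssl command-line tool is installed; the DNs, file names and the "mysqltest" organisation are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post: throw-away CA/server/client
# chain with distinct DNs plus the checks the MySQL errors above correspond to.
# Assumes the openssl CLI. DNs, file names and 'mysqltest' are invented.
set -eu

# make_chain DIR: CA + server + client certs into DIR (created if missing).
make_chain() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3600 -key "$dir/ca-key.pem" \
    -out "$dir/ca-cert.pem" -subj '/DC=test/O=mysqltest/CN=CA' 2>/dev/null
  serial=1
  for role in server client; do
    # CN differs from the CA's and between server and client
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$role-key.pem" \
      -out "$dir/$role-req.pem" -subj "/DC=test/O=mysqltest/CN=$role" 2>/dev/null
    openssl x509 -req -in "$dir/$role-req.pem" -days 3600 -CA "$dir/ca-cert.pem" \
      -CAkey "$dir/ca-key.pem" -set_serial "$serial" -out "$dir/$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
}

# make_same_dn_cert DIR: the mistake the post warns about, a leaf certificate
# whose subject is identical to the CA's subject.
make_same_dn_cert() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/bad-key.pem" \
    -out "$dir/bad-req.pem" -subj '/DC=test/O=mysqltest/CN=CA' 2>/dev/null
  openssl x509 -req -in "$dir/bad-req.pem" -days 3600 -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -set_serial 99 -out "$dir/bad-cert.pem" 2>/dev/null
}

# check_cert CA CERT: prints "ok", or the first problem found:
#   dn-equals-issuer  subject == issuer, so the cert looks self-signed to a client
#   verify-failed     does not chain to CA, or is outside its validity period
#                     (openssl says "certificate is not yet valid" for the clock-skew
#                     case behind the "before date in the future" error)
check_cert() {
  ca=$1; cert=$2
  subj=$(openssl x509 -noout -subject -in "$cert"); subj=${subj#subject=}
  iss=$(openssl x509 -noout -issuer -in "$cert");   iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then echo dn-equals-issuer; return 1; fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo verify-failed; return 1
  fi
  echo ok
}

# key_format KEY: "pkcs1" for the traditional "BEGIN RSA PRIVATE KEY" header
# that yaSSL needs (what the post's "openssl rsa -in -out" step produces on
# OpenSSL 1.x), "pkcs8" for "BEGIN PRIVATE KEY", else "unknown".
key_format() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN RSA PRIVATE KEY-----") echo pkcs1 ;;
    "-----BEGIN PRIVATE KEY-----")     echo pkcs8 ;;
    *)                                 echo unknown ;;
  esac
}

# Demo run: sh this-script.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_chain "$d"; make_same_dn_cert "$d"
  for c in server client bad; do
    printf '%s-cert.pem: %s\n' "$c" "$(check_cert "$d/ca-cert.pem" "$d/$c-cert.pem" || true)"
  done
  printf 'server-key.pem is %s\n' "$(key_format "$d/server-key.pem")"
fi
```

Once the real certificates are in place, the check that matters is on the connection itself: `mysql --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=... --ssl-key=... -e "SHOW STATUS LIKE 'Ssl_cipher'"` should print the negotiated cipher; an empty value means the client silently fell back to plaintext, which `ssl` alone permits. To make that impossible for an account, grant it with `REQUIRE SSL` (or `REQUIRE X509` to also demand the client certificate).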

References:

  • http://waterlovinghead.com/MysqlSSL&show_comments=1#comments
  • http://www.mysqlfanboy.com/2011/11/simplified-mysql-ssl-connections/
  • http://bugs.mysql.com/bug.php?id=64870
  • http://orensol.com/2010/06/21/error-2026-hy000-ssl-connection-error-the-solution/
  • http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
  • http://dev.mysql.com/doc/refman/5.0/en/server-options.html
  • http://www.howtoforge.com/managing-multiple-mysql-servers-from-one-phpmyadmin-installation-using-ssl-encryption

OpenSSL & Smart Cards

Started playing with (PKI) smart cards with OpenSSL. Nothing is working so far, but I thought I would at least keep my starting point in case I come back to it later. If you have any more suggestions, I would be happy to take a look, and grateful for a solution.

Basically I want to decrypt email using my smart card & openssl.

openssl> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

something like:
openssl> smime -decrypt -in ______ -noverify -keyform engine -engine pkcs11 -id ____

http://ubuntuforums.org/showthread.php?t=1557180

http://www.openssl.org/docs/apps/smime.html

http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart

Using Apache as a reverse proxy with Location header correction

If you have a front end web server and want to map it to a back end application, Apache can do that with mod_proxy (ProxyPass).

One problem that can occur is that the back end application sends back a redirect whose Location header is built from the private connection (its own host name and port), which the outside client cannot reach. ProxyPassReverse rewrites the Location, Content-Location and URI headers that match its mapping; for anything it misses, this can be fixed with the Header directive from mod_headers (the match is a regular expression):

Header edit Location http://backend:8080 https://public.url.com
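As an added example (not the post's own configuration), here is a complete HTTPS virtual host that uses ProxyPass/ProxyPassReverse for the normal case and keeps the Header edit as a catch-all. The host names, paths and certificate locations are placeholders:

```apache
# Added example, not from the original post. Placeholders: public.url.com,
# backend:8080, /app/, certificate paths. Needs mod_proxy, mod_proxy_http,
# mod_headers and mod_ssl loaded.
<VirtualHost *:443>
    ServerName public.url.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/public.url.com.pem
    SSLCertificateKeyFile /etc/ssl/private/public.url.com.key

    ProxyRequests Off          # reverse proxy only; never act as an open forward proxy
    ProxyPreserveHost Off      # back end sees "backend:8080" and builds its URLs from it

    ProxyPass        /app/ http://backend:8080/app/
    ProxyPassReverse /app/ http://backend:8080/app/   # rewrites Location/Content-Location/URI
    # Tell the application the real scheme so it can build correct absolute URLs itself
    RequestHeader set X-Forwarded-Proto "https"

    # Catch-all for redirects ProxyPassReverse does not cover, e.g. a Location
    # pointing at the back end's root. The second argument is a regex, anchored
    # so that it cannot match a host name that merely starts with "backend".
    Header edit Location "^http://backend:8080/" "https://public.url.com/"
</VirtualHost>
```

Check it from outside with `curl -sI https://public.url.com/app/login | grep -i '^Location'`: the value must start with https://public.url.com/, never with the back end's name or port. Note that neither directive touches URLs inside the response body or in Set-Cookie domains (see ProxyPassReverseCookieDomain for the latter).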

http://www.denraf.be/content/apache-redirect-response-header
http://httpd.apache.org/docs/current/mod/mod_headers.html
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

Using VNC to look at a remote users desktop on Ubuntu 10.4

This is for a help desk scenario where you need to see the desktop of a remote user.

Install x11vnc on the remote machine. Then on the remote system (as root) run x11vnc -localhost, which listens on the loopback interface only, so the only way in is through the SSH tunnel.
If the machine is inside a private network we may need to hop with SSH:

user@mysystem:~$ ssh -L5900:localhost:5900 external-host
user@external-host:~$ ssh -L5900:localhost:5900 internal-host
user@internal-host:~$ sudo su -
root@internal-host:~# apt-get install x11vnc
root@internal-host:~# x11vnc -localhost -display :0 -auth guess -once

Each ssh -L binds port 5900 on that host's loopback only, so every hop is reachable solely from the previous one. -display :0 and -auth guess let x11vnc, started as root from an SSH session, find the logged-in user's X server and its Xauthority file; -once makes it exit after the first viewer disconnects instead of lingering. There is no VNC password here: any local user on internal-host can also connect to port 5900, so on a shared machine add -rfbauth or -passwdfile as well.

Now start your local vncviewer and connect to localhost:5900. xvnc4viewer works great on an Ubuntu system.

Ref:
https://help.ubuntu.com/community/VNC

DHCP Changes Mac Hostname

By default the host name on a Mac will be changed by DHCP: the name the DHCP server hands out replaces it. Most of the time I want my host name to stay the same. On older releases that still read /etc/hostconfig, this can be overridden by editing:

/etc/hostconfig
change:

HOSTNAME=-AUTOMATIC-
to read
HOSTNAME=mymac

ref: http://hintsforums.macworld.com/showthread.php?t=29712

On current releases set it in the Terminal with
sudo scutil --set HostName <putinyourhostname_or_fqdn_here>
as in: sudo scutil --set HostName server1.mynetwork.com
and check the result with scutil --get HostName. (macOS keeps three separate names, HostName, LocalHostName for Bonjour and ComputerName shown under Sharing; scutil --set takes each of them.)

OR

   1. System Preferences.
   2. Network
   3. Select your network adapter on the left.
   4. Select "Advanced" button at the bottom.
   5. Set the "DHCP client ID" to your hostname.

ref: http://superuser.com/questions/49891/how-can-i-stop-mac-os-x-overriding-my-hostname-when-i-receive-a-dhcp-request-on-s

make an external luks encrypted disk

/dev/sdb is used as the disk in this example. MAKE SURE TO ADJUST FOR YOUR SYSTEM: every command below destroys whatever is on the target.

A good way to identify the right drive (and to get a name that does not change when drives are re-enumerated) is:
ls -l /dev/disk/by-id/

To clean / randomize the drive, so that old data is gone and used space cannot be told from unused:
dd if=/dev/urandom bs=100M conv=notrunc of=/dev/sdb

fdisk /dev/sdb   (create partition 1)
cryptsetup --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 name
mke2fs -j -L "Label" -m 1 /dev/mapper/name
mkdir /mnt/name
mount /dev/mapper/name /mnt/name

To detach it cleanly: umount /mnt/name, then cryptsetup luksClose name, so the key is gone from the kernel before the disk is unplugged. aes-cbc-essiv:sha256 was the cryptsetup default when this was written; current releases default to aes-xts-plain64, so on a modern system the --cipher option can simply be dropped.
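As an added example (not part of the original post), the steps above wrapped in a script that takes a stable /dev/disk/by-id path, refuses to touch a device that is currently mounted, and can print the command sequence (DRY_RUN=1) before doing anything irreversible. The interactive fdisk session is replaced by a non-interactive parted call; the mapping name and mount point are placeholders, and a real run needs root.

```shell
#!/bin/sh
# Added example, not from the original post: the LUKS steps above with a
# mounted-device guard and a dry-run mode. Placeholders: NAME, /mnt/NAME.
# A real run needs root plus dd, parted, cryptsetup and mke2fs.
set -eu

# partition_of DEV: partition 1 on DEV, following the kernel/udev naming rules:
# /dev/sdb -> /dev/sdb1, /dev/nvme0n1 -> /dev/nvme0n1p1, by-id links -> ...-part1
partition_of() {
  case "$1" in
    /dev/disk/by-*/*) printf '%s-part1\n' "$1" ;;
    *[0-9])           printf '%sp1\n' "$1" ;;
    *)                printf '%s1\n' "$1" ;;
  esac
}

# in_use DEV: "mounted" if DEV or a partition on it appears in the mounts table
# (default /proc/mounts; MOUNTS_FILE overrides it for testing), else "free".
# Symlinks such as by-id names are resolved first. The match is deliberately
# conservative (a false "mounted" is the safe failure), and it does not see
# LVM/dm stacks built on top of the device.
in_use() {
  real=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
  while read -r src _; do
    case "$src" in
      "$real"|"$real"[0-9]*|"$real"p[0-9]*) echo mounted; return 0 ;;
    esac
  done < "${MOUNTS_FILE:-/proc/mounts}"
  echo free
}

# run CMD...: execute, or with DRY_RUN=1 just print the command line
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# luks_setup DEV NAME: wipe DEV, partition it, LUKS-format partition 1, open it
# as /dev/mapper/NAME, create ext3 on it and mount it at /mnt/NAME.
luks_setup() {
  dev=$1; name=$2
  if [ "$(in_use "$dev")" != free ]; then
    echo "refusing: $dev (or a partition on it) is mounted" >&2
    return 1
  fi
  part=$(partition_of "$dev")
  run dd if=/dev/urandom of="$dev" bs=100M conv=notrunc
  # non-interactive stand-in for the post's fdisk session: one primary partition, whole disk
  run parted -s "$dev" mklabel msdos mkpart primary 1MiB 100%
  run cryptsetup --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat "$part"
  run cryptsetup luksOpen "$part" "$name"
  run mke2fs -j -L "$name" -m 1 "/dev/mapper/$name"
  run mkdir -p "/mnt/$name"
  run mount "/dev/mapper/$name" "/mnt/$name"
}

# luks_teardown NAME: the reverse, so the key is out of the kernel before the disk is unplugged
luks_teardown() {
  name=$1
  run umount "/mnt/$name"
  run cryptsetup luksClose "$name"
}

# Usage: DRY_RUN=1 sh this-script.sh /dev/disk/by-id/usb-Vendor_Model_SERIAL-0:0 name
if [ $# -eq 2 ]; then
  luks_setup "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and read the printed lines: the device in the dd and luksFormat commands is the one place a typo costs you a disk, and the by-id name makes that line self-describing (vendor, model, serial) in a way that /dev/sdb never is.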

Ref:
http://www.hermann-uwe.de/blog/howto-disk-encryption-with-dm-crypt-luks-and-debian