Host myserver.mydomain.com
ServerAliveInterval 300
Now even a idle session is not dropped after a while.
Tuesday 30 December 2008
Avoid timeout with ssh
I found a very userful setting for ssh to avoid connection drop by interposing firewalls: just add in /etc/ssh/ssh_config (or ~/.ssh/config):
Now even a idle session is not dropped after a while.
Now even a idle session is not dropped after a while.
Thursday 11 December 2008
Careful with rsync!
After losing a lot of data, here the Golden Rule with rsync.
That's all, have fun with rsync.
- Never use
--delete
unless you really need it; - if viable, check what are you going to do with
-av --dry-run
(it doens't take so long, also if a lot of data is to be moved); - it's better to create target directory manually instead of having rsync doing the job:
target$ mkdir -p target_dir
source$ rsync -av source_dir/ target:/target_dir
That's all, have fun with rsync.
Thursday 4 December 2008
Shibboleth and gmail integration
I started from Will document.
Time needed to have a working shibboleth2.1 IdP with google was a morning.
My difficulties: I was longly blocked by:
It means login handler is not working. In my case, in conf/handler.xml, I forgot to comment
which happens to be before Username/password login handler. So SAML2 Redirect SSO tried wrong unconfigured handler and a error was issued.
Instead this error:
means nothing: just so-called lazy session doesn't work because no previous session is present. Just log-in to another service to see this un-harming error disappear.
I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if a useful trick.
Time needed to have a working shibboleth2.1 IdP with google was a morning.
My difficulties: I was longly blocked by:
ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:564] - No user identified by login handler.
11:48:45.683 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:527] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:565) [shibboleth-identityprovider-2.1.0.jar:na]
[...]
It means login handler is not working. In my case, in conf/handler.xml, I forgot to comment
<loginhandler type="RemoteUser">
<authenticationmethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</authenticationmethod>
</loginhandler>
which happens to be before Username/password login handler. So SAML2 Redirect SSO tried wrong unconfigured handler and a error was issued.
Instead this error:
ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:453] - Passive
authentication required but no login handlers available
to support it
means nothing: just so-called lazy session doesn't work because no previous session is present. Just log-in to another service to see this un-harming error disappear.
I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if a useful trick.
Tuesday 2 December 2008
Tomcat only shibboleth-idp2.1 installation: certificate issue
Under shibboleth-idp 1.3 I used to employ the same certificates both for SSO handler (usually port 443) and AA handler (port 8443). It was easy, as both were controlled by web server apache.
With shibboleth-idp 2.1 the preferred installation way is tomcat-only. Actually I found useful using apache to handle SSO, so I could use REMOTE_USER authentication system. But port 8443 is handled by tomcat only.
Well: in server.xml the AA-handler snippet requires key and certificate to be held in a keystore. How to load a key in a keystore?
I found no other way to turn to my old IdP to unleash the power of extkeytool https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
, which is found in the /bin of the shibboleth-idp 1.3 package.
With shibboleth-idp 2.1 the preferred installation way is tomcat-only. Actually I found useful using apache to handle SSO, so I could use REMOTE_USER authentication system. But port 8443 is handled by tomcat only.
Well: in server.xml the AA-handler snippet requires key and certificate to be held in a keystore. How to load a key in a keystore?
I found no other way to turn to my old IdP to unleash the power of extkeytool https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
, which is found in the /bin of the shibboleth-idp 1.3 package.
Monday 1 December 2008
Sendmail weirdness
While sending mail from sendmail to a TLS-enabled smart host I found these logs, despite CACERT option was inserted in sendmail.mc:
(please note the verify=FAIL).
Well, it was solved adding:
to sendmail.mc.
I double checked CACERT pointed actually to the right CA. Smart Host certificate was issued under the correct CA. So I ended thinking it is just a sendmail oddity.
Dec 1 04:02:12 cantor sendmail[10263]: STARTTLS=client, relay=smtp.unimore.it., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
(please note the verify=FAIL).
Well, it was solved adding:
define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
to sendmail.mc.
I double checked CACERT pointed actually to the right CA. Smart Host certificate was issued under the correct CA. So I ended thinking it is just a sendmail oddity.
Monday 24 November 2008
Restricted access based on ldap groups
It looks quite baroque to me as there are at least three ways of doing:
Using ssh is the easier way, I think. It is enought adding to sshd_config:
The downside is it applies only to ssh. If you need to rule more services, it is useless.
Delegate to pam can be done with pam_listfile, pam_access, pam_time and maybe others.
Just add a line to /etc/pam.d/my_service:
and fill allowed group with the name (cn) of the allowed groups, one per line.
The downside is that this method looks harder than others.
Delegate to ldap took me more time to figure out how to do. The trick is not to trigger pam_unix.
Either remove ldap from /etc/nsswitch.conf passwd, group and shadow lines, or remove pam_unix.so from pam file. For example:
than modify /etc/pam_ldap.conf:
(if my_group is of objectClass posixAccount) or
(if my_group is of objectClass groupOfUniqueNames)
The downside is that you should consider carefully if non-ldap user (root?) should access the service.
- delegate to ssh
- delegate to pam
- delegate to ldap
ssh
Using ssh is the easier way, I think. It is enought adding to sshd_config:
AllowUsers @my_group
The downside is it applies only to ssh. If you need to rule more services, it is useless.
pam
Delegate to pam can be done with pam_listfile, pam_access, pam_time and maybe others.
Just add a line to /etc/pam.d/my_service:
account required /lib/security/pam_listfile.so onerr=fail item=group sense=allow
file=/etc/pam.d/allowed_groups
and fill allowed group with the name (cn) of the allowed groups, one per line.
The downside is that this method looks harder than others.
ldap
Delegate to ldap took me more time to figure out how to do. The trick is not to trigger pam_unix.
Either remove ldap from /etc/nsswitch.conf passwd, group and shadow lines, or remove pam_unix.so from pam file. For example:
# PAM configuration for the Secure Shell service
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
than modify /etc/pam_ldap.conf:
# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid
(if my_group is of objectClass posixAccount) or
# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid
(if my_group is of objectClass groupOfUniqueNames)
The downside is that you should consider carefully if non-ldap user (root?) should access the service.
Thursday 13 November 2008
Sendmail as a MTA client with x509 certificates authentication
My institution has decided to disallow un-authenticated bind to smtp server. Either username and password or x509 client certificate authentication is required.
I'm a exim4 user, but I was in charge of fixing a couple of sendmail-using servers.
So I did some research and the key points looks like adding in /etc/mail/postfix.mc:
actually last line is about key certificate being 640 with group openldap, which is exactly my case.
Then run make (or make && make install for freebsd) and then /etc/init.d/sendmail restart.
I'm a exim4 user, but I was in charge of fixing a couple of sendmail-using servers.
So I did some research and the key points looks like adding in /etc/mail/postfix.mc:
define(`CERT_DIR', `/usr/local/ssl')
define(`confCACERT_PATH', `CERT_DIR/certs')
define(`confCACERT', `CERT_DIR/certs/my-ca-chain.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/certs/server.pem')
define(`confCLIENT_KEY', `CERT_DIR/private/server.key')
define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
actually last line is about key certificate being 640 with group openldap, which is exactly my case.
Then run make (or make && make install for freebsd) and then /etc/init.d/sendmail restart.
Tuesday 11 November 2008
Rails 2.1 named scope
The local rails guru pointed me to the new -- well, kind of -- feature of rails 2.1: the named scope.
In short, it's a way to store a query in the model, semantically very clearly.
I used this feature for the local mailserver administration program.
This is the addition to the MailAddres model:
Now I can use:
To fetch addresses of the user 'test' which are in my_domain, is not the first address, are personal alias (no functional alias or nicknames) but are not choosen by the user.
In short, it's a way to store a query in the model, semantically very clearly.
I used this feature for the local mailserver administration program.
This is the addition to the MailAddres model:
named_scope :kept, :conditions => { :keep => true }
named_scope :unkept, lambda {{ :conditions => ['keep = 0 or keep IS NULL'] } }
named_scope :my_domain, :conditions => { :domain => "my_domain.it" }
named_scope :cadet, lambda {{ :conditions => ['position > 1'] } }
named_scope :personal, lambda {|username, surname| { :conditions => ["local_part = ? or local_part like ?", username, "%"+ActiveSupport::Inflector.parameterize(surname.downcase, '')+"%" ] }}
Now I can use:
UserAccount.find_by_username('test').mail_addresses.my_domain.cadet.personal.unkept
To fetch addresses of the user 'test' which are in my_domain, is not the first address, are personal alias (no functional alias or nicknames) but are not choosen by the user.
Monday 10 November 2008
Unable to have emacs working
I switched to a new client, actually a Wyse S50 thinclient, bound to a xen4 debian virtual machine. I work by opening a shell on the debian client and popping graphical application to thinclient via x-forwarding.
Debian is Etch.
emacs doesn't start properly: error is
Warning: Cannot convert string "-*-courier-medium-r-*-*-*-120-*-*-*-*-iso8859-*" to type FontStruct
Warning: Cannot convert string "-*-helvetica-medium-r-*--*-120-*-*-*-*-iso8859-1" to type FontStruct
then no text is shown but only blocks.
Obviously I botched something with fonts.
Well, I must admit I turned crazy and apt-get installed so many things now I can't remember.
Ok, I fixed a unexisting symlink which arose a warning everytime a font package was installed:
warning: directory /usr/lib/X11/fonts/Type1 does not exist
sudo ln -s /usr/share/fonts/X11 /usr/lib/X11/fonts
My xorg.conf looks like:
Section "Files"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/X11R6/lib/X11/fonts/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/X11R6/lib/X11/fonts/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi/:unscaled"
FontPath "/etc/X11/fon/etc/X11/fonts/Type1"
FontPath "/usr/X11R6/lib/X11/fonts/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi"
# path to defoma fonts
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
EndSection
As soon as I find a solution I will post it.
Debian is Etch.
emacs doesn't start properly: error is
Warning: Cannot convert string "-*-courier-medium-r-*-*-*-120-*-*-*-*-iso8859-*" to type FontStruct
Warning: Cannot convert string "-*-helvetica-medium-r-*--*-120-*-*-*-*-iso8859-1" to type FontStruct
then no text is shown but only blocks.
Obviously I botched something with fonts.
Well, I must admit I turned crazy and apt-get installed so many things now I can't remember.
Ok, I fixed a unexisting symlink which arose a warning everytime a font package was installed:
warning: directory /usr/lib/X11/fonts/Type1 does not exist
sudo ln -s /usr/share/fonts/X11 /usr/lib/X11/fonts
My xorg.conf looks like:
Section "Files"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/X11R6/lib/X11/fonts/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/X11R6/lib/X11/fonts/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi/:unscaled"
FontPath "/etc/X11/fon/etc/X11/fonts/Type1"
FontPath "/usr/X11R6/lib/X11/fonts/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi"
# path to defoma fonts
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
EndSection
As soon as I find a solution I will post it.
Friday 7 November 2008
Split shibboleth-sp 1.3 configuration
I'm trying to clarify to myself how to configure shibboleth-sp 1.3 on Debian GNU/Linux with two name based virtual hosts.
The problem is: it should redirect user to IdP, but IdP should redirect back to the correct caller.
I'm quite sure on metadata.xml are to appear two entries hardcoded to the sitename.
I'm less sure how to modify shibboleth.xml. Actually the matter is if I should add a Application element inside Applications. Please note this Application is nearly empty, as it inherits the Session and CredentialUse elements.
Ok: it turns out that a Application inside Applications is needed in shibboleth.xml:
And then a new Host element inside RequestMapper again in shibboleth.xml:
But, surprise surprise, on the metadata.xml it is enought to add two more bindings to <AssertionConsumerService>:
The problem is: it should redirect user to IdP, but IdP should redirect back to the correct caller.
I'm quite sure on metadata.xml are to appear two entries hardcoded to the sitename.
I'm less sure how to modify shibboleth.xml. Actually the matter is if I should add a Application element inside Applications. Please note this Application is nearly empty, as it inherits the Session and CredentialUse elements.
Ok: it turns out that a Application inside Applications is needed in shibboleth.xml:
<application id="my_id" homeurl="http://my_virtual_host.unimore.it"
saml="urn:oasis:names:tc:SAML:1.0:assertion" md="urn:oasis:names:tc:SAML:2.0:metadata">
<errors session="/etc/shibboleth/sessionError.html"
metadata="/etc/shibboleth/metadataError.html" rm="/etc/shibboleth/rmError.html"
access="/etc/shibboleth/accessError.html" ssl="/etc/shibboleth/sslError.html"
supportcontact="my_admin@unimore.it" logolocation="/shibboleth-sp/logo.jpg"
stylesheet="/shibboleth-sp/main.css">
</errors>
</application>
And then a new Host element inside RequestMapper again in shibboleth.xml:
<Host name="my_virtual_host.unimore.it" applicationId="my_id">
<Path name="secure" authType="shibboleth" requireSession="true"/>
But, surprise surprise, on the metadata.xml it is enought to add two more bindings to <AssertionConsumerService>:
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/POST"
index="1"></AssertionConsumerService> <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact"
index="2"></AssertionConsumerService><AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/POST"
index="3"></AssertionConsumerService>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact"
index="4"></AssertionConsumerService>
Subscribe to:
Posts (Atom)