Tuesday 30 December 2008

Avoid timeout with ssh

I found a very useful setting for ssh to avoid connection drops caused by intervening firewalls: just add in /etc/ssh/ssh_config (or ~/.ssh/config):

    Host myserver.mydomain.com
    ServerAliveInterval 300

Now even an idle session is not dropped after a while: the client sends a keepalive request through the encrypted channel every 300 seconds, so the connection never looks idle to the firewall.

Thursday 11 December 2008

Careful with rsync!

After losing a lot of data, here are the Golden Rules for rsync.

  • Never use --delete unless you really need it;

  • if viable, check what you are going to do with -av --dry-run (it doesn't take so long, even if a lot of data is to be moved);

  • it's better to create the target directory manually instead of having rsync do the job:

    target$ mkdir -p target_dir
    source$ rsync -av source_dir/ target:/target_dir

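A small wrapper that applies the three rules above, added here as an example and not part of the original post: it previews the run with --dry-run --itemize-changes, creates the target directory by hand, and refuses any plan that would delete files unless SYNC_ALLOW_DELETE=1 is set. The function names and the environment variable are my own; paths are local here, while a remote host:/dir target works the same way.

```shell
#!/bin/sh
# Added example (not from the original post): guard rails around rsync.
# rsync_plan and safe_sync, and the SYNC_ALLOW_DELETE variable, are names
# chosen for this example.

# rsync_plan SRC DST [rsync options...]
# Dry-run the copy and print two numbers: entries that would be transferred
# and entries that would be deleted. The trailing slash on SRC means
# "the contents of SRC", as in the post's command line.
rsync_plan() {
    src=$1; dst=$2; shift 2
    rsync -a --dry-run --itemize-changes "$@" "$src/" "$dst/" \
        | awk '/^[<>c]/ { t++ } /^\*deleting/ { d++ } END { print t+0, d+0 }'
}

# safe_sync SRC DST [rsync options...]
# Creates DST manually, previews the run, and refuses to proceed if the
# preview contains deletions (e.g. the caller passed --delete) unless
# SYNC_ALLOW_DELETE=1 is set. Returns 0 on a completed sync, 1 when refused.
safe_sync() {
    src=$1; dst=$2; shift 2
    mkdir -p "$dst"                               # rule 3: create the target yourself
    plan=$(rsync_plan "$src" "$dst" "$@") || return 1   # rule 2: dry-run first
    transfers=${plan% *}
    deletions=${plan#* }
    echo "plan: $transfers entries to transfer, $deletions to delete"
    if [ "$deletions" -gt 0 ] && [ "${SYNC_ALLOW_DELETE:-0}" != 1 ]; then
        # rule 1: deletions only when you really asked for them
        echo "refusing: $deletions entries would be deleted (set SYNC_ALLOW_DELETE=1 to allow)" >&2
        return 1
    fi
    rsync -a "$@" "$src/" "$dst/"
}
```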

That's all, have fun with rsync.

Thursday 4 December 2008

Shibboleth and gmail integration

I started from Will's document.

The time needed to get a working Shibboleth 2.1 IdP with Google was one morning.

My difficulties: I was blocked for a long time by:

    ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:564] - No user identified by login handler.
    11:48:45.683 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:527] - Authentication failed with the error:
    edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
        at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:565) [shibboleth-identityprovider-2.1.0.jar:na]
    [...]

It means the login handler is not working. In my case, in conf/handler.xml, I forgot to comment out

    <LoginHandler type="RemoteUser">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
    </LoginHandler>

which happens to come before the username/password login handler. So SAML2 Redirect SSO tried the wrong, unconfigured handler and an error was issued.

This error, instead:

    ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:453] - Passive authentication required but no login handlers available to support it

means nothing: the so-called lazy session just doesn't work because no previous session is present. Log in to another service and this harmless error disappears.

I read somewhere to disable the attribute release of transientId to google.com. I did as directed, but I'm not really sure whether it is a useful trick.

Tuesday 2 December 2008

Tomcat-only shibboleth-idp 2.1 installation: certificate issue

Under shibboleth-idp 1.3 I used to employ the same certificates both for the SSO handler (usually port 443) and the AA handler (port 8443). It was easy, as both were controlled by the Apache web server.

With shibboleth-idp 2.1 the preferred way to install is Tomcat-only. Actually I found it useful to keep Apache handling SSO, so I could use the REMOTE_USER authentication system. But port 8443 is handled by Tomcat only.

Well: in server.xml the AA-handler snippet requires the key and certificate to be held in a keystore. How do you load a key into a keystore?

I found no other way than turning to my old IdP to unleash the power of extkeytool (https://spaces.internet2.edu/display/SHIB/IdPPKIConfig), which is found in the /bin of the shibboleth-idp 1.3 package.

Monday 1 December 2008

Sendmail weirdness

While sending mail from sendmail to a TLS-enabled smart host I found these logs, even though the CACERT option was set in sendmail.mc:

    Dec 1 04:02:12 cantor sendmail[10263]: STARTTLS=client, relay=smtp.unimore.it., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

(please note the verify=FAIL: the session is encrypted, but the smart host's certificate could not be verified against the configured CA).

Well, it was solved by adding:

    define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl

to sendmail.mc.

I double checked that CACERT actually pointed to the right CA. The smart host certificate was issued under the correct CA. So I ended up thinking it is just a sendmail oddity.