Host myserver.mydomain.com
ServerAliveInterval 300
Now even a idle session is not dropped after a while.
Tuesday, 30 December 2008
Avoid timeout with ssh
I found a very userful setting for ssh to avoid connection drop by interposing firewalls: just add in /etc/ssh/ssh_config (or ~/.ssh/config):
Now even a idle session is not dropped after a while.
Now even a idle session is not dropped after a while.
Thursday, 11 December 2008
Careful with rsync!
After losing a lot of data, here the Golden Rule with rsync.
That's all, have fun with rsync.
- Never use
--delete
unless you really need it; - if viable, check what are you going to do with
-av --dry-run
(it doens't take so long, also if a lot of data is to be moved); - it's better to create target directory manually instead of having rsync doing the job:
target$ mkdir -p target_dir
source$ rsync -av source_dir/ target:/target_dir
That's all, have fun with rsync.
Thursday, 4 December 2008
Shibboleth and gmail integration
I started from Will document.
Time needed to have a working shibboleth2.1 IdP with google was a morning.
My difficulties: I was longly blocked by:
It means login handler is not working. In my case, in conf/handler.xml, I forgot to comment
which happens to be before Username/password login handler. So SAML2 Redirect SSO tried wrong unconfigured handler and a error was issued.
Instead this error:
means nothing: just so-called lazy session doesn't work because no previous session is present. Just log-in to another service to see this un-harming error disappear.
I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if a useful trick.
Time needed to have a working shibboleth2.1 IdP with google was a morning.
My difficulties: I was longly blocked by:
ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:564] - No user identified by login handler.
11:48:45.683 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:527] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:565) [shibboleth-identityprovider-2.1.0.jar:na]
[...]
It means login handler is not working. In my case, in conf/handler.xml, I forgot to comment
<loginhandler type="RemoteUser">
<authenticationmethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</authenticationmethod>
</loginhandler>
which happens to be before Username/password login handler. So SAML2 Redirect SSO tried wrong unconfigured handler and a error was issued.
Instead this error:
ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:453] - Passive
authentication required but no login handlers available
to support it
means nothing: just so-called lazy session doesn't work because no previous session is present. Just log-in to another service to see this un-harming error disappear.
I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if a useful trick.
Tuesday, 2 December 2008
Tomcat only shibboleth-idp2.1 installation: certificate issue
Under shibboleth-idp 1.3 I used to employ the same certificates both for SSO handler (usually port 443) and AA handler (port 8443). It was easy, as both were controlled by web server apache.
With shibboleth-idp 2.1 the preferred installation way is tomcat-only. Actually I found useful using apache to handle SSO, so I could use REMOTE_USER authentication system. But port 8443 is handled by tomcat only.
Well: in server.xml the AA-handler snippet requires key and certificate to be held in a keystore. How to load a key in a keystore?
I found no other way to turn to my old IdP to unleash the power of extkeytool https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
, which is found in the /bin of the shibboleth-idp 1.3 package.
With shibboleth-idp 2.1 the preferred installation way is tomcat-only. Actually I found useful using apache to handle SSO, so I could use REMOTE_USER authentication system. But port 8443 is handled by tomcat only.
Well: in server.xml the AA-handler snippet requires key and certificate to be held in a keystore. How to load a key in a keystore?
I found no other way to turn to my old IdP to unleash the power of extkeytool https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
, which is found in the /bin of the shibboleth-idp 1.3 package.
Monday, 1 December 2008
Sendmail weirdness
While sending mail from sendmail to a TLS-enabled smart host I found these logs, despite CACERT option was inserted in sendmail.mc:
(please note the verify=FAIL).
Well, it was solved adding:
to sendmail.mc.
I double checked CACERT pointed actually to the right CA. Smart Host certificate was issued under the correct CA. So I ended thinking it is just a sendmail oddity.
Dec 1 04:02:12 cantor sendmail[10263]: STARTTLS=client, relay=smtp.unimore.it., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
(please note the verify=FAIL).
Well, it was solved adding:
define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
to sendmail.mc.
I double checked CACERT pointed actually to the right CA. Smart Host certificate was issued under the correct CA. So I ended thinking it is just a sendmail oddity.
Subscribe to:
Posts (Atom)