sudo without a password

Note, this is not something I recommend doing. In fact, the only reason why I’m documenting it is that I am removing this solution from the last box I used to have it on.

Anyway, edit the /etc/sudoers file (with visudo, as root), then add lines under the default one for root, like this:

# User privilege specification
root	ALL=(ALL) ALL
bolt    ALL=(ALL) ALL
bolt    ALL=NOPASSWD: ALL

(replace “bolt” with your own username)

If you would rather skip the password only for specific commands, list them like this:

bolt	ALL=NOPASSWD: /sbin/shutdown, /bin/mount, /bin/umount

(replacing the username and commands with the ones you want)

Two things worth knowing about that form: a command listed without arguments may be run with any arguments (write it as /sbin/shutdown "" to allow it with no arguments at all, see sudoers(5)), and when several entries match the same user, the last one wins, which is why the NOPASSWD line above goes after the normal one. Check the result with visudo -c and sudo -l before you log out of your root shell.
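Both forms are easy to get subtly wrong, so here is a small audit script, added here as an example and not part of the original note, that parses user specifications like the ones above and flags the two things a reviewer looks for: a blanket NOPASSWD: ALL, and NOPASSWD commands listed without an argument restriction. The sample sudoers text is constructed inline; the parser handles plain one-line user specs only (no aliases, Defaults or line continuations).

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries in the note above; not a real sudoers file.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
bolt    ALL=(ALL) ALL
bolt    ALL=NOPASSWD: ALL
alice   ALL=NOPASSWD: /sbin/shutdown, /bin/mount, /bin/umount
bob     ALL=(root) NOPASSWD: /sbin/shutdown "", /usr/bin/apt-get update
%admin  ALL=(ALL) ALL
"""

# user host=(runas) TAG: cmd, cmd ...   (one-line user specs only; aliases,
# Defaults and "\" continuations would need a real sudoers parser)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    command: str
    reason: str


def audit(sudoers_text: str) -> list:
    """Return a Finding for every NOPASSWD grant that is broader than it looks."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags").upper():
            continue
        user = m.group("user")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append(Finding(user, cmd,
                    "NOPASSWD with ALL: anything running as this user can become root silently"))
            elif cmd.endswith('""'):
                continue                              # explicitly restricted to no arguments
            elif " " not in cmd:
                findings.append(Finding(user, cmd,
                    "runs without a password and with any arguments (no argument restriction)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.user}: {f.command}: {f.reason}")
```

Run against the sample it reports the blanket grant for bolt and the three unrestricted commands for alice, and nothing for bob, whose shutdown entry is pinned to no arguments and whose apt-get entry is pinned to one subcommand.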

Using Flags and Arguments in Bash

Here’s a simple example script, showing how to deal with different inputs depending on the flag preceding them:

#!/bin/bash
USAGE="Usage: $0 -p <noun> | -i <noun>   (-p polite, -i insulting, -h this help)"

polite=""
insulting=""

# The leading ":" puts getopts in silent mode so we report errors ourselves;
# "p:" and "i:" take an argument, "h" takes none.
while getopts ":p:i:h" opt; do
  case $opt in
    p ) polite=$OPTARG ;;
    i ) insulting=$OPTARG ;;
    h ) echo "$USAGE"; exit 0 ;;
    : ) echo "Option -$OPTARG requires an argument." >&2
        echo "$USAGE" >&2; exit 1 ;;
    \?) echo "Unknown option: -$OPTARG" >&2
        echo "$USAGE" >&2; exit 1 ;;
  esac
done
shift $((OPTIND - 1))   # drop the parsed options; "$@" now holds any remaining arguments

# Act on the parsed values once, after the loop has seen every flag.
if [ -n "$polite" ]; then echo "Your $polite smells good."; fi
if [ -n "$insulting" ]; then echo "Your $insulting smells bad."; fi

Stolen from http://www.okboot.org/2010/04/using-flags-and-arguments-in-bash.html

exim4 smarthost smtp password

Note to self:

To send through a smarthost that requires authentication, give exim4 the credentials in /etc/exim4/passwd.client:

# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
*:myusername:myawfullylongpassword

Here I added a username and password for all target mail servers (*) because this host sends everything through the smarthost.

If yours does not, be more specific (as in the example): with *, exim will offer these credentials to any server that advertises AUTH, not just to the smarthost.

Keep the file readable by exim only (on Debian it is owned by root:Debian-exim with mode 0640), since the password is stored in clear text.

Surprisingly, there is no need to reload or restart exim4 after modifying the passwd.client file; it is looked up when a delivery is attempted.

Use OpenDNS with Smoothwall Express 3.x

If you’re using DHCP to get your public IP, Smoothwall doesn’t let you override the DNS servers your ISP hands out over DHCP. Time to override Smoothwall 🙂

Edit /etc/rc.d/rc.updatered, and add “DNSMASQ_DNS1=208.67.222.222” and “DNSMASQ_DNS2=208.67.220.220” at the bottom of the DHCP section, making the file look like this:

#!/bin/sh

. /var/smoothwall/ethernet/settings

if [ "$RED_TYPE" = "DHCP" ]; then
 # DNS servers handed out by the ISP's DHCP server (overridden further down)
 DNSMASQ_DNS1=`/usr/bin/smoothwall/getdnsfromdhcpc.pl 1`
 DNSMASQ_DNS2=`/usr/bin/smoothwall/getdnsfromdhcpc.pl 2`
 . /var/lib/dhcpc/dhcpcd-${RED_DEV}.info
 echo "$IPADDR" >/var/smoothwall/red/local-ipaddress
 echo "$GATEWAY" >/var/smoothwall/red/remote-ipaddress
 # Added: force the OpenDNS resolvers regardless of what DHCP supplied
 DNSMASQ_DNS1=208.67.222.222
 DNSMASQ_DNS2=208.67.220.220
elif [ "$RED_TYPE" = "STATIC" ]; then
 DNSMASQ_DNS1=$DNS1
 DNSMASQ_DNS2=$DNS2
 echo "$RED_ADDRESS" >/var/smoothwall/red/local-ipaddress
 echo "$DEFAULT_GATEWAY" >/var/smoothwall/red/remote-ipaddress
fi

echo -n "$RED_DEV" >/var/smoothwall/red/iface
touch /var/smoothwall/red/active
echo "$DNSMASQ_DNS1" >/var/smoothwall/red/dns1
echo "$DNSMASQ_DNS2" >/var/smoothwall/red/dns2

/usr/bin/smoothcom dnsproxyrestart $DNSMASQ_DNS1 $DNSMASQ_DNS2

/usr/bin/smoothcom setxtaccess
/usr/bin/smoothcom setincoming
/usr/bin/smoothcom snortrestart
/usr/bin/smoothcom upnpdrestart
/usr/bin/smoothcom trafficrestart

/usr/bin/smoothwall/setddns.pl
/usr/bin/smoothwall/updatelists.pl

/etc/rc.d/rc.vpn.up
/etc/rc.d/rc.machineregister

The next time your Smoothwall connects, the settings you just put in will override the ones from your ISP. Reboot or reconnect to apply.

What’s touching that config file?!

Recently I started wondering what the heck was putting “root: bolt” at the end of /etc/aliases “every time” I did an upgrade of something.

I asked #debian on irc.freenode.net, who told me to run this:

grep /etc/aliases /var/lib/dpkg/info/*postinst

What it does is look through all files whose names end in “postinst” in /var/lib/dpkg/info/ (the maintainer scripts dpkg runs after installing or upgrading a package), printing every line that mentions “/etc/aliases” and which file it is in.

The result was this:

$ grep /etc/aliases /var/lib/dpkg/info/*postinst
/var/lib/dpkg/info/exim4-config.postinst:    echo "root: ${poma}" >> /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst:#initialize /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst:echo '# /etc/aliases' > /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:echo 'mailer-daemon: postmaster' >> /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:done >> /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:mv /etc/aliases.tmp /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst:    if [ ! -e /etc/aliases ] ; then
/var/lib/dpkg/info/exim4-config.postinst:    if ! grep -q '^root:[[:space:]]*[[:alnum:]]' /etc/aliases && \

This tells you a lot. First, the culprit is exim4-config (its postinst script, which dpkg runs after every install or upgrade of that package): upgrading it will append “root: bolt” (or whoever is set as your postmaster in exim4) to the end of the file again. Second, look at the last line: before appending, it greps for a line that starts with “root:”, followed by optional whitespace and at least one alphanumeric character.

This means that if I, instead of removing or commenting out the “root: bolt” line, replace it with “root: root”, directing all of root’s mail… to root, there will be a line matching that pattern, and exim4-config’s postinst script will leave /etc/aliases alone.

Hooray!
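The grep above only looks at postinst scripts; the same question can be asked of all four maintainer scripts, and the postinst’s own test can be replayed against a candidate /etc/aliases before you rely on it. The script below is an added example, not code from the page or from the exim4 package; it runs over a constructed set of sample scripts embedded inline, and the real /var/lib/dpkg/info directory only when it exists. Only the visible part of the postinst condition (the grep before the “&& \”) is modelled, since the rest is not on the page.

```python
import glob
import os
import re

# The maintainer scripts dpkg keeps in /var/lib/dpkg/info. postinst runs after
# every install and upgrade, which is why it is the usual suspect, but the other
# three can rewrite configuration files too.
SCRIPT_SUFFIXES = ("preinst", "postinst", "prerm", "postrm")


def find_references(scripts: dict, path: str) -> list:
    """scripts maps a script name to its contents. Returns (name, line number,
    line) for every line that mentions `path`, like the grep one-liner above."""
    hits = []
    for name in sorted(scripts):
        for lineno, line in enumerate(scripts[name].splitlines(), 1):
            if path in line:
                hits.append((name, lineno, line.rstrip()))
    return hits


def load_maintainer_scripts(info_dir: str = "/var/lib/dpkg/info") -> dict:
    """Read every maintainer script of every installed package from info_dir."""
    scripts = {}
    for suffix in SCRIPT_SUFFIXES:
        for fn in glob.glob(os.path.join(info_dir, f"*.{suffix}")):
            with open(fn, errors="replace") as fh:
                scripts[os.path.basename(fn)] = fh.read()
    return scripts


# Python form of the grep in exim4-config.postinst: '^root:[[:space:]]*[[:alnum:]]'
ROOT_ALIAS_RE = re.compile(r"^root:\s*[A-Za-z0-9]", re.MULTILINE)


def root_alias_satisfies_postinst(aliases_text: str) -> bool:
    """True when /etc/aliases already has a line the postinst's grep accepts, so
    the visible part of its condition is false and it will not append its own
    "root: <postmaster>" line."""
    return ROOT_ALIAS_RE.search(aliases_text) is not None


# Constructed sample scripts standing in for /var/lib/dpkg/info (not real files;
# the postinst is a cut-down imitation of the grep output shown above).
SAMPLE_SCRIPTS = {
    "exim4-config.postinst": (
        "#!/bin/sh\n"
        "if [ ! -e /etc/aliases ] ; then\n"
        "    echo '# /etc/aliases' > /etc/aliases.tmp\n"
        "    mv /etc/aliases.tmp /etc/aliases\n"
        "fi\n"
        "if ! grep -q '^root:[[:space:]]*[[:alnum:]]' /etc/aliases ; then\n"
        "    echo \"root: ${poma}\" >> /etc/aliases\n"
        "fi\n"
    ),
    "exim4-config.postrm": "#!/bin/sh\nrm -f /etc/aliases.tmp\n",
    "bash.postinst": "#!/bin/sh\necho bash configured\n",
}


if __name__ == "__main__":
    scripts = load_maintainer_scripts() if os.path.isdir("/var/lib/dpkg/info") else SAMPLE_SCRIPTS
    for name, lineno, line in find_references(scripts, "/etc/aliases"):
        print(f"{name}:{lineno}:{line}")
```

The aliases check is the part worth keeping around: “root: root” and “root:bolt” satisfy the postinst’s grep, while a commented-out line or a bare “root:” does not, so those two forms would get the postmaster line appended again on the next upgrade.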

OTP (one-time passwords) on Debian Squeeze SSH logins

So, you’re out of your secret lair and now you need to log in from a computer you don’t trust. After all, every computer you don’t administer is most likely full of viruses, malware and probably even a hardware keylogger somewhere along the keyboard cord, right?

So you want to use a one-time password, so that even if someone snatches it, it has already been used and can never be used again.

Fortunately, one-time passwords on Debian are a breeze to set up.

apt-get install opie-server

This will install opie-server, which will drag along opie-client and libpam-opie as dependencies, unless you have them already.

Now you have to choose whether you want one-time passwords for every single login, or only for the ones happening over SSH.

I wanted it only for SSH logins, so I edited /etc/pam.d/sshd (it might be named just “ssh” in other distros).

At the bottom of the file, I appended:

auth sufficient pam_opie.so
auth required pam_deny.so

This makes the server ask for your normal password first (via the “@include common-auth” line in that file), then for the one-time password once the normal password has been accepted. If you want it not to ask for your normal password at all over SSH, comment out the “@include common-auth” line.

common-auth, in /etc/pam.d, is also the file to edit if you want one-time passwords for all logins, not just SSH. Don’t let sshd ask for your normal password if you also use that password for FTP or other services which don’t require a one-time password: whatever you type on a machine you don’t trust should be assumed captured, so a password typed there must not be usable anywhere else. Bear in mind, too, that the one-time password only stops your login from being replayed; malware on the machine you are typing on can still hijack the session once you are in.

Then you need to enable challenge-response authentication in SSH, which is disabled by default in Debian Squeeze. Edit /etc/ssh/sshd_config, locate the line “ChallengeResponseAuthentication no” and change it to “yes” (UsePAM must also be “yes”, which is the Debian default), then restart sshd:

/etc/init.d/ssh restart

Next, all you have to do is set a passphrase for your one-time passwords:

opiepasswd -cf

-c is for console mode, -f is only needed if you’re currently logged in remotely, to force opiepasswd to assume the connection is secure.

Enter the passphrase it asks for. This should be some sentence you can easily remember, preferably with upper and lower case and punctuation.

Now you’re ready to try it. Connect, enter your password, watch the one-time password challenge appear:

ssh myserver.dhampir.no
Password:
otp-md5 498 sl8229 ext, Response:

You can generate the one-time passwords using any suitable tool. I use VeJOTP to generate the passwords on my Java phone, which is really neat, but you can also just use “opiekey” to generate passwords and print them out:

$ opiekey -n 10 498 sl8229
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: BABY NAN GALL MONA WEST LUG
490: FEND DES WOO RACE BED AQUA
491: GET FAST HECK BELA NONE RAY
492: NINE SUCH CUNY ARID JUNO SOUR
493: DOTE DUG BRED WARN AWRY SAID
494: FAWN ABUT SAY KILL WAVE WATS
495: RASH AMES BLUE SAP DEE GAB
496: JACK DIRE LUCY ROOM JACK RENA
497: FLUE LOAM TICK LAMB ROWS BEST
498: GLIB ELBA POE OUCH ROW LEN

This command generates the next 10 one-time passwords, counting down from the requested one (498) for seed sl8229. They are used once each, in descending order.

One-time passwords count downwards because each password is the hash of the one below it: the server stores the last password it accepted (number n+1), hashes the response you type for challenge n and compares the two. Getting from password n+1 to password n would mean inverting the hash, so a captured password is useless once it has been used. The whole chain is derived from the seed and your secret passphrase, which is why opiekey warns so loudly about typing the passphrase on an insecure terminal.
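To make the hash chain concrete, here is a small model of both the server side and the client side in Python, added as an example; it is not OPIE’s code. It follows the otp-md5 computation from RFC 2289 (MD5, folded to 64 bits by XORing the two halves, with the lowercased seed prepended to the passphrase for the first step). Real OPIE prints the 64-bit response as six dictionary words rather than the hex used here, and the passphrase and the starting count of 499 are assumptions; the seed sl8229 is the one from the challenge above.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One otp-md5 step (RFC 2289): MD5 the input, XOR the two 64-bit halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_response(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side: the response to "otp-md5 <sequence> <seed>". The first step
    hashes seed||passphrase (seed lowercased, per RFC 2289); every further
    step hashes the previous 64-bit result, <sequence> times in total."""
    s = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        s = fold_md5(s)
    return s


def opiekey_list(passphrase: str, seed: str, sequence: int, count: int) -> dict:
    """What "opiekey -n <count> <sequence> <seed>" prints: the responses for
    sequence-count+1 .. sequence, in the order they will be asked for (hex here,
    six dictionary words in real OPIE)."""
    return {n: otp_response(passphrase, seed, n).hex()
            for n in range(sequence - count + 1, sequence + 1)}


class OpieRecord:
    """Server side, like one line of /etc/opiekeys: the seed, the sequence
    number of the next challenge, and the last accepted response, which is
    otp(sequence + 1). The passphrase itself is never stored."""

    def __init__(self, passphrase: str, seed: str, initial: int = 499):
        # initial=499 is the assumed opiepasswd default; the user computes
        # otp(499) at setup time and the first login challenge is 498.
        self.seed = seed
        self.sequence = initial - 1
        self.stored = otp_response(passphrase, seed, initial)

    def challenge(self) -> str:
        return f"otp-md5 {self.sequence} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept only the response whose hash equals the stored one, then make
        it the new stored value so it can never be accepted again."""
        if fold_md5(response) != self.stored:
            return False
        self.stored = response
        self.sequence -= 1
        return True


if __name__ == "__main__":
    # Constructed passphrase; "sl8229" is the seed from the challenge shown above.
    passphrase, seed = "correct horse battery staple", "sl8229"
    server = OpieRecord(passphrase, seed)
    print(server.challenge())                               # otp-md5 498 sl8229
    reply = otp_response(passphrase, seed, 498)             # what opiekey computes
    print("first use :", server.verify(reply))               # True
    print("replayed  :", server.verify(reply))               # False, already consumed
    print(server.challenge())                               # otp-md5 497 sl8229
    for n, r in opiekey_list(passphrase, seed, 497, 3).items():
        print(f"{n}: {r}")
```

Verification never needs the passphrase: the server only checks that hashing the reply reproduces what it stored last time, which is exactly why the count can only go down and why a stolen reply is worthless after the one login it was made for.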

Putty keeps disconnecting

On a recent vacation, taking a train across the entire country, I was using my cell phone’s 3G connection to provide my Internet connection. Every little tunnel and other signal interference along the way would cut off the SSH connection I was sending all my traffic through.

While googling, still on the train, I found the PuTTY FAQ, which says this is actually a Windows problem. In short, the solution is to increase the amount of times Windows will attempt to resend lost TCP packets.

This is done in the Windows registry, using “regedit” or another suitable tool. You can launch regedit by pressing WinKey+R and entering “regedit” into the dialog box.

Once in, browse to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

In there, change (or create, if missing) the following values. Note that these are system-wide TCP settings, so they affect every connection, not just PuTTY’s:

TcpMaxConnectRetransmissions => 16
TcpMaxDataRetransmissions => 32

Depending on your registry tool, it might ask you to specify a type for the (new) variables. Use DWORD, and the 32-bit kind of DWORD if your tool allows you to specify that.

Reboot and try again.

After doing this, no railroad tunnel could break my SSH connection. Everything would just pause for a few seconds while Windows was sending the same packets over and over, trying to reach the server.

You can probably set these variables to higher numbers too, but I already increased them quite a bit from the values the PuTTY FAQ told me to use, and these are the ones that worked for me.

Switching alsa sound cards around

Short reference on switching around alsa sound cards, making another one the default.
Needed to do this since my computer has 3 sound cards (M-Audio, SoundBlaster and the G35 headset)

List alsa modules:

cat /proc/asound/modules
0 snd_ice1724
1 snd_ctxfi
2 snd_usb_audio

Edit /etc/modprobe.d/alsa-base.conf, adding the following lines (note the underscores from above are now dashes):

options snd-ctxfi index=-2
options snd-usb-audio index=-2
options snd-ice1724 index=-1

Done.
If you’re reading this, and you’re not me, customize the above to match your settings, and the priorities you want for your modules.

Windows XP activation doesn’t pop up after repair or ghost

Also, how to log on without activating Windows 🙂

Ghosted a machine to a new harddrive today, as the old one was failing.

Windows activation pops up on the first boot, as is to be expected, but when I clicked “Activate”, nothing happened. The activation wizard simply wouldn’t continue. And of course I couldn’t get in and activate the system normally, because Windows didn’t let me log on without activating. Gah!

The solution, it turns out, is the following:

  • Start the machine, while repeatedly hitting F8 from just after the initial BIOS image disappears
  • Choose “Safe-mode with command prompt”
  • When the command prompt appears, type “explorer” and press <enter>

You’re in!

Now you need to (re-)install a hotfix, and Internet Explorer 8. Download them on another machine, and put them on a CD, a USB-stick, or whatever you have available. Install the hotfix first.

Hotfix KB946501: http://support.microsoft.com/default.aspx/kb/946501
Internet Explorer 8: http://www.microsoft.com/windows/internet-explorer/default.aspx

The files you need are called (for English Windows XP):
WindowsXP-KB946501-v2-x86-ENU (hotfix)
IE8-WindowsXP-x86-ENU (Internet Explorer 8)

Anyway, after they’re installed, reboot and activate as usual.

Worked for me 🙂

Error -6003 during Creative X-fi driver install

So the installer says something like:

Setup has experienced an error.
Please do the following:
 - Close any running programs
 - Empty your temporary folder
 - Check your Internet connection (Internet-based Setups)
Then try to run the Setup again.
Error code: -6003

What do you do to solve this?

Why, erase any folder with a number as its entire name (mine was named “09”, but I’m sure it can be something else) in the following directory:
%SystemDrive%\Program Files\Common Files\InstallShield\Professional\RunTime\

No, it doesn’t make sense, but it worked perfectly. No reboot or anything. Just remove (or simply move) that folder, and things will start working. Brilliant.