Archive for the ‘Tech’ Category

Hacking the Kerberos

February 14th, 2012 1 comment

In the spare time I’ve had in Melbourne, I’ve written a small Ajax app called kpassweb to do Kerberos password changes. Configuration on the backend is pretty minimal. As it turned out, the backend PHP Pecl library kadm5 doesn’t work with current versions of Kerberos, so I’ve also written a patch to get that working.

It’s not quite finished, since compiling with the patch still produces a bunch of deprecated symbols from the Zend PHP interface, but it makes it usable.

As a side note, this was all done on my venerable Atom CPU netbook with a whole 8GB of storage, with connectivity snaffled from the Melbourne city library, McDonalds, and over an epically slow cellular connection. I really don’t recommend this.

Categories: Tech

Ultimate Music Source

March 6th, 2011 1 comment

Hi, my name is Edward, and I’m an audiophile.

I’m also cheap. I refuse to spend several thousand dollars on a CD player and fiddling around with swapping discs, when I’ve already gone to the trouble of ripping all my music to highly convenient FLAC files. Instead, I cheated. I did buy some nice speakers and an amp, but I’m not going to discuss those. Suffice to say that they are nice.

What I did buy is a tiny silent computer made by NorhTec in Thailand, and a USB soundcard made by Pro-Ject Audio, who reside in the Czech Republic. The computer is a JrMX Microclient. It has a one gigahertz 586 compatible processor, 512 MB of RAM, USB and Ethernet ports, and in my version, internal space for a half-terabyte 2.5″ laptop hard drive. The delivered cost for this to New Zealand was USD$149 + USD$49 shipping, plus another hundred odd for the hard drive.

Onto the computer, I loaded the latest version of the Debian* operating system, and the music playing software mpd. Onto my phone, I loaded MPDroid, which lets me control said music software from my phone.

All my music is now on this computer, which I can control from my phone. This means I can come home, pull out my phone, and have all my music instantly available. I have no need to turn on my desktop, mess about with a laptop, external hard drives, insufficiently sized iPods, fumble with a poorly designed TV driven menu, sort through CDs, or any other such nonsense; it’s all just there.

It’s running. In a month or so, I might put up some technical details of the software, and how well it works in practice.

* Ubuntu doesn’t support the Ethernet module. Nobody seems to be quite sure why.

Software that needs to be drowned

January 28th, 2011 1 comment

I remember why I got out of being a sysadmin: it’s a lot like being a plumber.

Some software – Dovecot for example – is a joy to use, because it’s well documented, and just works, even when you want it to do slightly strange things. Other software, in this case Cyrus saslauthd, is so follicle-destroyingly bad that it needs to be taken out the back and drowned. Twice.

Having procured a shiny new Android phone and talked Vodafone into supplying me with lots of traffic, I set about setting it up to talk to my email and Jabber server, and blog, and all that goodness, and everything is shiny.

Later, it occurred to me, that if my phone is stolen, and the thief is clever enough to extract my password, he has ssh and sudo access to my server. The odds of this happening are exceedingly low, but the results of this happening are catastrophically high. Compounding this is that everything on this server hangs off the Kerberos database for authentication, which means that my users don’t have different passwords for different services, but presents problems once users start saving these passwords on to their phones.

But, I had a great idea. Run up a local SQL database that has a list of alternate hashes that only work for email, chat, blogs and other non-shell activity. Awesome. I built the database schema and connected Dovecot to it in the space of a lunch hour, and all was happy. Tonight, I attempted to connect up other systems. After spending an hour and a half battling the mysterious server_set_id in exim, I tried to make the saslauthd connect to the database.

After much cursing, I have discovered that the saslauthd SQL plugin requires that the password is stored in plain text, because the SELECT string isn’t capable of substituting the password into the query string. It also doesn’t handle more than a single row response, which means the entire exercise is looking somewhat futile, because my blogging software (WordPress) and chat software (Openfire) and various other bits and pieces all go through the LDAP server which can only do plain text authentication to Kerberos via saslauthd. It is possible to get exim to use the Dovecot SASL server, but this architecturally seems like the wrong way of doing things.

And this is why I hated being a sysadmin: so much software out there is just rubbish.

Update: I set exim to use Dovecot’s SASL daemon. Works great.

QR Codes on Concert Posters

January 17th, 2011 4 comments

I’ve had an Android phone for a bit over a week now, and already I’m seeing the possibilities.

One of my little bugbears is that I see posters up for concerts and think ‘Oh that would be cool to go to’ – and then totally forget when the evening rolls around.

In theory, I can put these concerts into the calendar on my phone, but often, that’s just not feasible.

However, there’s a neat bit of software by ZXing that will scan in QR codes, or the equivalent for iPhones. QR codes can embed information in various formats, including events. Here’s one below.

I’d go to so many more events if posters had these.

Update @ 1350 17th Jan: Changed the iPhone link for a free App.

Update @ 1525 17th Jan: Replaced the QR code with one generated locally. Some reader implementations were returning very strange results. If you’re reading this and could try the above code and leave a comment with the software you use and the results it gives, that would be awesome.

Categories: Tech

Openfire with Kerberos/GSSAPI

October 13th, 2010 Comments off

Short version: If you have an Openfire server where its hostname does not match the XMPP domain name it’s serving, you probably need to force the fully qualified domain name (FQDN) property, like this.

xmpp.domain =

xmpp.fqdn =

Categories: Tech

Password hashes for OpenLDAP in PHP 5

May 26th, 2010 2 comments

Having spent far too long trying to work out how to make PHP 5 create usable password hashes for OpenLDAP from examples on the Internet (hint, comments on the md5() function on are dangerously wrong), I resorted to reading the RFCs and writing the code myself. This is posted below for other people who might have the same problem.

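# This will generate an MD5 sum hash.
$encrypted_password = '{MD5}' . base64_encode(md5($newpassword, TRUE));

# This will generate a SHA-1 hashed password.
$encrypted_password = '{SHA}' . base64_encode(sha1($newpassword, TRUE));

# This will generate a SHA-1 hashed password with a salt.
# $salt must be raw random bytes, new for every password. It is appended
# after the 20-byte SHA-1 digest so the verifier can read it back.
$salt = openssl_random_pseudo_bytes(8); # needs PHP >= 5.3 with OpenSSL
$encrypted_password = '{SSHA}' . base64_encode(sha1($newpassword . $salt, TRUE) . $salt);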

RFC 2307
RFC 3112
OpenLDAP Faq-O-Matic

PHP: 5.2.10 (Ubuntu Karmic/9.10)
OpenLDAP (Ubuntu Lucid/10.4)
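
The reverse direction, as an added example that is not part of the original post: checking a password against a stored `{MD5}`, `{SHA}` or `{SSHA}` value by splitting the decoded bytes into digest and salt. The function names and sample passwords are made up for illustration, and the code assumes PHP 7 or later for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not the post's code. Assumes PHP 7+ (random_bytes, hash_equals).

// Build a salted value the same way the post does, with a fresh random salt.
function make_ssha($password)
{
    $salt = random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Check a password against a stored {MD5}, {SHA} or {SSHA} value.
function verify_userpassword($password, $stored)
{
    // scheme name => [hash algorithm, raw digest length, salt allowed]
    $schemes = array(
        'MD5'  => array('md5', 16, false),
        'SHA'  => array('sha1', 20, false),
        'SSHA' => array('sha1', 20, true),
    );
    if (!preg_match('/^\{([A-Za-z0-9]+)\}(.+)$/', $stored, $m)) {
        return false;
    }
    $scheme = strtoupper($m[1]);           // accept {ssha} as well as {SSHA}
    if (!isset($schemes[$scheme])) {
        return false;                      // unknown scheme: fail closed
    }
    list($algo, $len, $salted) = $schemes[$scheme];
    $raw = base64_decode($m[2], true);     // strict: reject non-base64 input
    if ($raw === false || strlen($raw) < $len) {
        return false;
    }
    $digest = substr($raw, 0, $len);
    $salt   = (string) substr($raw, $len); // trailing bytes are the salt
    if (!$salted && $salt !== '') {
        return false;                      // unsalted schemes carry no extra bytes
    }
    // Same construction as the post: hash(password . salt), compared in constant time.
    return hash_equals($digest, hash($algo, $password . $salt, true));
}

// Constructed sample values, for illustration only.
$stored = make_ssha('correct horse');
var_dump(verify_userpassword('correct horse', $stored));
var_dump(verify_userpassword('wrong horse', $stored));
var_dump(verify_userpassword('password', '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g='));
```

All three schemes are single-pass fast hashes, so the salt in `{SSHA}` only defeats precomputed tables; it does not slow down guessing against a leaked directory.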

Categories: Tech

Sun Microsystems has gone Nova

April 23rd, 2010 Comments off

In a homage to the Oracle-Sun Microsystems buyout, the phenomenon where a company purchases another company and the best and brightest talent promptly leave shall now be known as “going nova.”

Categories: Tech

Linux in Europe

March 21st, 2010 1 comment

Before taking off to Europe, I was sincerely considering whether or not to take my netbook. I took it. It’s been a godsend. I have used it for so many things. Hostelworld, train bookings, city and country guides on Wikitravel, writing this blog, discussing souvenir requests, Netbanking, maps, emailing my landlord and flatmates in New Zealand, and of course, the ever-present and ubiquitous Facebook. It’s also pretty handy for whiling away the time on those twelve hour plane and train journeys too.

Yes, I could use the various Internet terminals that are now available everywhere, but you just don’t know if those have key loggers or not. I’m not wildly enthusiastic about the idea of someone in Europe getting access to my bank and email accounts. This isn’t likely, because most of the terminals are running Linux anyway, but it’s just easier to take a one kilo netbook, and use it for as long as I have a power source, rather than negotiating use of the shared terminals.

Oh yeah – I keep seeing Linux everywhere. I have yet to see another traveller – apart from Aaron – using Linux, although you could argue that Facebook looks the same on everything – but I have noticed that a large chunk of web terminals, kiosks, PoS terminals, Wi-Fi captive portals, in-flight entertainment systems, and various embedded devices are running Linux. Though in the case of Meininger Hotels, they use Linux for everything, with a quasi Windows XP theme on the web terminals.

I am curious what has led to this. Is it developer preference, better internationalisation support, customisability, or simply a case of escaping licence costs?

Categories: Life, Tech

Asus V3-P5G31 SATA Power Imbalance

December 15th, 2009 Comments off

A month or two ago, I purchased an Asus V3-P5G31 Barebones kit to replace my very aging Athlon PC that was getting louder and more capricious by the day.

In a fit of misplaced brand loyalty, I decided to go for Asus components where possible, figuring that if everything was Asus, and I had some strange hardware issue, I could let them sort it out. I put in an EN9600GT Silent video card and a massive Zalman CNPS7700-ALCU*, and things ran great – not to mention quietly.

A little bit later, I finally picked up a new DVD drive (again, Asus) and a new SATA hard drive to replace the well-out-of-warranty EIDE hard drive that I had been using. I have them on my desk right now.

The above kit has a single EIDE connector, and four SATA ports. For some strange reason, Asus has attached to the power supply four legacy molex connectors and a single SATA power connector. It’s just retarded. Nor did they include any converter cables. I have 1.5 TB of inaccessible hard drive space, because I need the optical drive to install the new OS!

* Photos to follow at a later date.

Categories: Tech

The Unbearable Weirdness of OpenID

September 4th, 2009 1 comment

Right now, you probably have a whole bunch of identities floating around the Internet. If you’re like me, you can’t remember every username/password combination, and have resorted to a less than perfect method of keeping track of them all. Thankfully, various websites have started using your email as your login name, which is one less piece of extraneous information to remember.

There are some obvious benefits to this approach. Emails are unique to a person – or at least, unique to a collection of interested people – and their use as a login ID makes it easy to send out new passwords. As a result, I’m sure more than a few people now have an entire IMAP folder full of emailed passwords.

There’s still the underlying problem that users now have lots of passwords, or have to settle for a bunch of websites having the same password, with the obvious security risk.

The plausible solution that’s frantically trying to get headway is OpenID. Currently, it does seem to solve a whole bunch of problems, especially when all you want to do is leave one solitary comment on a blog that you’ve come across and are unlikely to ever read again. What it’s lacking is traction.

The problem is one of usability. Users have had a good decade or more of seeing user@domain as a way of identifying or contacting a person, and as a document or location which you can browse to. OpenID abuses the URI concept not only as a document about yourself, but also as a username, and a hook into the RPC mechanism.

This observation isn’t new. There have already been large amounts of debate over the use of a URI as an identifier. A proposal was put forward a couple of years ago to solve this by abusing the plaintext authentication built into the HTTP protocol. The main problem is that it requires making certain assumptions about the domain’s DNS infrastructure, and overriding the authentication mechanism – which is a Bad Thing[tm].

However, the author of that proposal is on to something, and there’s a better solution. There’s a DNS record type called SRV. This record allows you to retrieve servers associated with a domain, much like MX records do for mail. By utilizing this it would be possible to specify the exact server used for OpenID authentication for a given domain.

This approach would also make load balancing and automatic failover much easier, thanks to the priority and weighting system built into SRV records. In addition, it would also make it much simpler to virtually host OpenID domains on another host’s servers.
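
How a client would order the servers returned by such a lookup, as an added example that is not from the original post: it follows the selection rules of RFC 2782 (lowest priority first, weighted random choice within a priority). The `_openid._tcp` service label, the host names and the `order_srv` function are hypothetical, and the code assumes PHP 7 or later for `random_int()`.

```php
<?php
// Added example, not from the post. "_openid._tcp" is a hypothetical service
// label; no such SRV service name is defined by the post or assumed registered.

// Order SRV records: lowest priority value first; inside one priority, draw
// servers at random in proportion to their weight until the group is empty.
// $rand takes (min, max) and is injectable so the ordering can be made fixed.
function order_srv(array $records, $rand = 'random_int')
{
    $groups = array();
    foreach ($records as $r) {
        $groups[$r['pri']][] = $r;
    }
    ksort($groups);                        // priority 10 is tried before 20

    $ordered = array();
    foreach ($groups as $group) {
        // Weight-0 records go first so they are only picked when the draw is 0.
        usort($group, function ($a, $b) { return $a['weight'] - $b['weight']; });
        while ($group) {
            $total = array_sum(array_column($group, 'weight'));
            $pick = call_user_func($rand, 0, $total);
            $running = 0;
            foreach ($group as $i => $r) {
                $running += $r['weight'];
                if ($running >= $pick) {   // first record whose running sum reaches the draw
                    $ordered[] = $r;
                    array_splice($group, $i, 1);
                    break;
                }
            }
        }
    }
    return $ordered;
}

// Constructed records for _openid._tcp.example.org, in the array shape that
// dns_get_record($name, DNS_SRV) returns (pri, weight, port, target).
$records = array(
    array('pri' => 10, 'weight' => 60, 'port' => 443, 'target' => 'id1.example.org'),
    array('pri' => 10, 'weight' => 40, 'port' => 443, 'target' => 'id2.example.org'),
    array('pri' => 20, 'weight' => 0,  'port' => 443, 'target' => 'backup.example.net'),
);
foreach (order_srv($records) as $r) {
    echo $r['target'], ':', $r['port'], "\n";
}
```

The client tries the servers in the returned order, so the priority-20 host on another provider's domain is contacted only after both priority-10 hosts have failed.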


Categories: Tech