Solaris 10: Password Fail

A while back I found out that some Solaris systems I was working with were exhibiting unusual behavior with regards to user authentication... when logging in I only needed to get the first 8 characters of my password right to log in, the rest could be gibberish or nothing, it only evaluated the first 8.

For example, let's say your password was "Solaris!!!123" just for laughs...

"Solaris!" is all that gets evaluated and will work by it's self, so would
"Solaris!alsioiwrgf0awey8owy8ogho7wrfgiwehro".

This just disturbed the hell out of me, what I usually tell people is the minimum length of a good password is Solaris' default MAXIMUM. Absolute fail..

However, it can be fixed. The cause of the problem is that the default crypt being used when setting a user's password with "passwd" in Solaris 10 is just that "crypt", ancient as dirt and only able to handle 8 characters. We can get Solaris to use a better encryption algorithm by editing /etc/security/policy.conf

if you #vi /etc/security/policy.conf there is the following line:

CRYPT_DEFAULT=__unix__

you need to change that line to at the very least use md5 (preferably something even stronger, but for this example it will do):

CRYPT_DEFAULT=md5 

Then go reset all your user passwords to use the new crypt method and Magic... the system now cares about passwords longer than 8 characters

Android Apps: The Survivors

After playing with the Droid for a while I had listed out my favorite apps, and I stand by those being decent choices, but after several rom switches and more day-to-day use (as opposed to "it's so new and shiny" use), here's a more relevant list of android apps.. those that I bother to reinstall when rom jumping.

Astro File Manager: Still the most versatile and powerful GUI for android file management.

Orbot: Tor client for the android platform, requires root and a kernel that supports the iptables "match" target. (On that note, verified that the bekit kernels for CM on the droid do support Orbot, works like a charm). You can get orbot from The Guardian Project.

Sesmic: Twitter client with a ton of useful features and notification controls, I converted a while back.

ROM Manager: Obviously, allows for hassle free rom flashing, kernel changes, and OTA rom updates. Pay for it.

G1 IM: Hard to find when it's not built into a rom, it's the best IM client for android around.

Amazon MP3: Sometimes I just really enjoy picking up a new album on demand, amazons prices are reasonable and it's all drm free. (warning: enabling one click purchasing requires significant impulse control)

Google News and Weather: This comes with most roms since it's one of the most demanded apps around, it gives you... news, and weather reports, neat.

Living in Tunnels: beyond basic SSH

Poor Man's VPN... 

use the ssh -D flag to create a socks proxy to a remote machine and then push your traffic through it by pointing applications at the local endpoint. Really handy for coffee shops, airports, any public network in general. I use it with the foxyproxy addon for firefox.

ruiner@maelstrom ~ $ ssh -D 1234 user@remotemachine.tld

ruiner@maelstrom ~ $ netstat -auntp | grep 1234

tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      20846/ssh

Connect the Pipes...
The -L and -R flags allow for the forwarding of ports from one machine to another through an ssh connection. This can be highly entertaining as well as generally useful, particularly in getting around firewall restrictions.

the following opens a local port listening on 8081 which forwards all traffic to the the remote machine on that same port. I've used this when dealing with the occasionally oddly port numbered webgui thats on a box sitting behind a firewall.

ruiner@maelstrom ~ $ ssh -L 8081:localhost:8081 user@remotemachine.tld

and this one is the inverse, forwarding a local port to a remote machine. For instance, temporarily running your webserver off of your laptop instead of the acctual machine while you fix somthing...
ruiner@maelstrom ~ $ ssh -R 80:localhost:80 user@remotemachine.tld

You can acctually build some pretty interesting chains of ssh tunnels using those two commands alone.

Can you hear me now?...

I often run into the problem of running a command on a remote system that takes time to complete, and for one reason or another the connection is dropped and that program's execution is terminated as well. The answer is to utilize the "nohup" command which will allow the process to continue even if ssh times out or exits.

ruiner@maelstrom~$ ssh user@remotemachine.tld nohup sudo emerge  --sync

Long Range Gui...

I honestly don't use xforwarding much except for accessing some gui programs in Solaris, and even thats pretty rare. However, it can be pretty entertaining and occasionally handy to squeeze your xorg server though the tubes and have it pop out gui apps wherever you'd like

The following will run the msfgui (yeah, i know it's deprecated, but if yer going to forward something it may as well be something cool) that is installed on a remote system locally through ssh using high compression, a speedier encryption algorithm, and a faster but less secure xforward flag (Y).

ruiner@maelstrom~$ ssh -Y -C -c blowfish user@remotemachine.tld /pentest/framework3/msfgui

More to be added later...

Netbook Upgrade

Having disposable cash again is really nice, and I was finally able to pick up some new stuff from newegg after taking care of school expenses.

So I grabbed a Solid State hard-disk for my netbook, which so far is pretty awesome. It's been on my todo list for quite a while, especially since i carry the netbook around almost everywhere so sooner or later it's going to take enough abuse to wreck a spinning drive.

Vertex SSD

The drive's read and write times are considerably faster than the 5400rpm drive that was in the machine initially, and faster than the 7200rpm WD black drive in my thinkpad for everything except sequential read times.

On top of the speed, the machine is now silent unless i'm pushing the process load high enough to get the fan running, and the power saving has bought me about an extra hour and a half of battery life (battery life was down to about 6 and some change hours after a year of use, now it's over 7 and a half). The battery life is one of the most important features in a netbook to me, since the whole point of a netbook is portability and carrying around a power cord / needing to find an outlet detracts from that.

Along with the ssd I bumped the memory up to 2gigs, which is handy since I've playing around a lot with tmpfs file systems in gentoo and that means eating up ram. The system it's self rarely uses more than 200MB it's self, but it's nice having over a gig of memory for those tmpfs file systems.

For the old 5400rpm drive, waste not want not, I bought a cheap as dirt external enclosure.
It's a simple aluminum case with a sata to usb interface, I wedged a couple business cards between the top of the drive and the case on the backside to keep it from rattling at all. For a 10 buck enclosure, I'm happy with it.

Now I'm almost done with a clean install on the new drive, and it feels almost like a new machine.

For more info about running gentoo on netbooks, some of my config information is here

Aluc TV EP 5 Assembly first shot

In this Special Episode, Aluc tells you a bit about your CPU and Briefly how Assembly works.

Aluc.TV

Lenovo T61: Gentoo Config

Dumping this info here for my own future reference if needed, but if someone else uses it too then that's a bonus. So here is the current config of my t61 think-pad.

##make.conf##
CFLAGS="-march=nocona -O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
 
REDUX="-xscreensaver -abiword -ipv6 -kde -xfce -qt -qt4 
-ldap -accessibility -samba -bluetooth"
 
USE="X dbus sqlite sqlite3 bash-completion alsa ssl mmx mmxext 
sse sse2 sse3 ssse3 apache2 java fluxbox mssql mysql snmp vnc 
gtk nessus samba svg gnutls hal acpi truetype vim-syntax spell 
branding jpg jpeg png aim msn jabber tls ${REDUX}"

INPUT_DEVICES="evdev keyboard mouse synaptics"
VIDEO_CARDS="intel i915"

MAKEOPTS="-j3"

PORTAGE_TMPFS="/dev/shm"
PORTAGE_TMPDIR="/dev/shm"
BUILD_PREFIX="/dev/shm"

LINGUAS="en"

ACCEPT_LICENSE="*"

FEATURES="ccache userfetch parallel-fetch"
CCACHE_DIR="/var/tmp/ccache"
CCACHE_SIZE="8G"

source /usr/local/portage/layman/make.conf
-----------------------------------------------------------------------------

entropy ~ # cat /etc/portage/package.use
app-portage/layman git subversion

entropy ~ # cat /etc/portage/package.keywords
x11-terms/terminator
sys-apps/preload
gnome-extra/nautilus-dropbox
media-tv/huludesktop
net-analyzer/fasttrack
net-analyzer/cryptcat
net-analyzer/nikto
net-misc/vidalia

entropy ~ # eselect profile show
Current make.profile symlink:
  default/linux/amd64/10.0/desktop/gnome

2.6.31-gentoo-r10 kernel config: link

Gentoo Netbook: Tweaking Performance, Part 2

Below is some more information on speeding up performance for a Gentoo netbook system. This is all just for testing and fun, and has worked well for me... the usual disclaimers apply.

My last entry on this topic covered performance improvements for portage, this one pertains to increasing the speed of the system in it's entirety.

First and foremost, minimal applications are best suited to netbooks, so when choosing software go for the most stripped down options.

DesktopEnvironment - Fluxbox
Browser - Midori (though firefox works pretty well))
Terminal - Terminator
Editor - vim
NetworkManager - wpa_supplicant/dhcpcd

Beyond that, the following packages seem to help a great deal.

Preload and Prelink

Preload is a daemon which addresses the disk vs memory speed difference when it comes to loading programs. By preloading commonly used files and programs into memory, the latency experienced when opening or interacting with programs is drastically decreased.

Prelink on the other hand is a sort of high level linker and reminds me of the way a binary joiner works, it staticly binds necessary libraries to their executables so that there is no delay due to load references during execution.

The combination of these two pieces of software make opening standard applications such as a web-browser virtually instantaneous.

The two are installed and setup as follows...

Preload:

root@oblivion# emerge preload

root@oblivion# rc-update add preload default
Preload can be further configured via /etc/preload.conf, but it is not normally nessecery.

More information on preload ->  gentoo-wiki: HOWTO prefetch files on boot

Prelink:

root@oblivion# emerge prelink

root@oblivion# prelink -amR

By default Gentoo configures prelink to the normal paths of executables, it also puts in place a daily cronjob to refresh all prelinked programs in the event of system changes.

More information on prelink -> gentoo.org: prelink howto

tmpfs /tmp:

much like using shm for portage, you can mount your /tmp directory as a tmpfs file system that will exist in ram instead of on disk. This will give a small performance increase to any programs that use the /tmp directory.

In /etc/fstab add the following line:

tmpfs             /tmp         tmpfs         defaults,noatime,mode=1777 0 0

Firefox can get a small performance increase by changing it's cache directory to the tmpfs filesystem you created in /tmp, at the loss of retaining that cache between reboots. I find this to be nice middle ground between the normal persistant cache and having no cache at all.

To do this, simply add a new key to about:config in firefox with type string as follows:
browser.cache.disk.parent_directory    /tmp

----
more to come as I research this further..

Gentoo Netbook: Tweaking Performance, Part 1

Below is some information on speeding up performance for a Gentoo netbook system. This is all just for testing and fun, and has worked well for me... the usual disclaimers apply.

I've been running gentoo on my netbook (eeepc 1000HA) for quite a while now and it works great, especially using a minimal environment. Recently though I got the urge to find ways I could push the performance on it a bit further, and I've been rather pleased with the results.

This First Post will be purely about portage, and following shortly I will post about ways to boost the system's performance in general.

Portage:

The largest performance hit gentoo faces on a netbook is in the use of portage, lower end processing power and a slow hard drive can make compiling large numbers of packages a painful process. Here are a few methods to speed things up a bit.

Enable Parallel Fetching.

This tells portage that it should continue to download all of the required packages for an emerge even while it begins compiling those who's downloads have finished. This means that by the time the first package has finished compiling, the next one is already downloaded and ready to go. This will save a little chunk of time for each package involved, and that can really add up if you emerge is > 100 packages.

To do this, just add "parallel-fetching" to your make.conf features.

...

FEATURES="userfetch parallel-fetch"

...

Enable tmpfs for portage temp files.

When emerging packages all of the temporary files are written to disk, then read and executed as needed. This is a massive performance drop for any machine and in particular for machines with slower hard-drives. By default however, gentoo has an available tmpfs ramdisk that is available for our use at /dev/shm, and by keeping all of portage's temp work in ram we can speed things up quite a bit.

First add the following to your make.conf:

...

PORTAGE_TMPFS="/dev/shm"

PORTAGE_TMPDIR="/dev/shm"

BUILD_PREFIX="/dev/shm"

...

Next we need to allow execution from the ramdisk so we have to alter fstab and remove the noexec option. This is an exchange of security for performance, but this being a netbook and not a critical server, it's a reasonable trade off.

after removing the noexec option, the shm line in fstab should look like this:

shm   /dev/shm  tmpfs  nodev,nosuid  0 0

Then unmount and remount shm

#umount shm

#mount shm

more info on /dev/shm -> gentoo-wiki: Gentoo:/dev/shm

WARNING: some very large programs take more space to compile than most systems can handle in memory. An example of this is openoffice, which requres ~6GB of space during the emerge process. If you run into failed compiles due to lack of space, emerge their binary equivilents if they have them or temporarily comment out the shm section of your make.conf. So far I have only had this happen with openoffice (laptop with 4GB ram allocated 2GB dynamic to the shm device, which oo used up before it was even finished unpacking).

CCACHE

Any time you change a use-flag or an ebuild is updated, you will have to recompile that package. CCACHE helps to save some time by keeping a store of precompiled data and then comparing that data to what is required for the new build. The result is that only the parts of the ebuild that are changed need to be recompiled, the rest is provided by ccache. For the best results, ccache should be one of the first packages installed on a system so that it's cache can begin getting built with every new package.

Only two things need to be done to get CCACHE running:

#emerge ccache

and then add the following to your make.conf:

...

FEATURES="ccache userfetch parallel-fetch"

CCACHE_DIR="/var/tmp/ccache"

CCACHE_SIZE="4G"

...

Cyanogenmod For Droid

If your at all involved with android roms and haven't heard about the drama surrounding Ultimate Droid and cyanogenmod, then you just haven't been paying much attention.

I'll keep this simple:

There is an awesome app to manage roms, it handles absolutely everything for you and makes rom swapping painless. This app is called RomManager (it's in the market, you should absolutely buy the premium version.) and was developed by @koush. RomManager is the only reason why I had tried Ultimate Droid, I hadn't even heard of it before I saw it on the download list.. and hey, it worked for what I needed at the time (the right kernel build for orbot).

About a week later, maybe less, the problem occurred.. I saw an update for Ultimate Droid, but then it disappeared. The drama? blackdroid threw a shit fit about UD being part of RomManager... you can hunt down the rest of that part of the drama yourself...

blackdroid's attitude and behaviour put me off and I decided that Ultimate Droid wasn't a project I wanted any part of anymore. So I went back to Rom hunting... and it turned out that the same guy that makes RomManager was developing the cyanogenmod rom for Droid, and had recently updated it, so I gave it a shot... lucky me, it got the kernel update I needed and is a generally awesome Rom, run by people with respectful and professional (read, relaxed and not whiny) attitudes.

Today I read about the continuation of the whole issue, apparently Ultimate Droid v10 is a complete rip of cyanogenmod, kinda funny...

So, at the end of the day, I really like cyanogenmod, and it runs the software that I need it to. The look and feel isn't quite as nice as SmokedGlass, but I'll bet that's mostly a matter of finding the right theme. RomManager will ofcourse be there to help me add any mods that I want and other roms if i get the distro hopping itch. RomManager has also kept distributing UltimateDroid, with occasionally changing entertaining new names, but I wont be running that rom again.

----

Changelog
http://github.com/cy...clair/CHANGELOG

Features:

* Clean shutdown/startup system
* NO APPS2SD. I've implemented a hack that will store the dalvik-cache of system apps in /cache, which saves you ~40MB on /data. A better APPS2SD system is being worked on by Chris Soyars
* Built in USB tether
* ARM NEON optimizations from 0xdroid and Qualcomm
* Includes BusyBox, htop, nano, powertop, openvpn, bash, and all engineering commandline utilities
* FLAC audio support from Kenny Root
* Phone enhancements from Cytown
* Contacts enhancements from Wysie
* Perform zipalign-on-install of applications
* DeskClock tweaks- longer autosilence and "require unlock" option
* Huge collection of ringtones and audio
* All available locales are included thanks to PsychoBoy
* 360-degree auto-orientation by Optedoblivion
* OpenVPN integration thanks to James Bottomley
* Many other bugfixes and tweaks from AOSP contributors

All source code is available at the Koush Github


INSTRUCTIONS:

- First time flashing CM to your Droid?
1. Unlock your device and install ROM Manager from the Market
2. Do a Nandroid backup!
3. Download the ROM to your phone
4. Install the ROM (choose DATA WIPE)

Migrate Sun PAB to Communications Express

Recently I've been working with migrating an instance of Sun's Messaging Server to use UWC communications express, which involves moving all user's PAB entries to new PiServerDB entries.

Seriously.. This too way to long to figure out, first that there even was a tool to use, and then how to get it to work. Thanks again Sun (or i guess now, Oracle) for providing a research project instead of a solution, at least it was fun.

This is all on Solaris 10 but should work on any platform.

quick and dirty script to use the pab2abs.pl migration tool:

#!/bin/bash

#migrateUsers.sh
#replace the host, dn, and passwords according to your environment

#
#get the PAB entries
ldapsearch -h ldap.mydomain.com -1 -T -D cn="Directory Manager" -w supersecretpassword -b ou=$1,ou=people,o=mybasedn,o=pab un=* > $1_tmp

#fix the space-comma problem or pab2abs will fail on random accounts
cat $1_tmp | sed 's/ ,/, /g' > $1_pab

#run pab2abs to generate ldif
perl pab2abs.pl -f params -i $1_pab -o $1_abs.ldif

#add new piserverdb entries
ldapmodify -h ldap.mydomain.com -D cn="Directory Manager" -w supersecretpassword -a -f $1_abs.ldif

#cleanup
mv $1_* migratedUsers/.

Then just build a list of userids that you want to migrate and pass with a loop for the win.

bash# for i in $(cat userlist);do ./migrateUsers.sh $i;done

Ultimate Droid and Orbot

Update: Any rom which has a kernel that supports the iptables match "owner" module should be able to run orbot without any trouble.Currently I'm running caynogenmod for droid with the bekit low voltage kernel and it works perfectly. Just download the .apk from the guardian project, use a file manager like astro to install it, and be sure to select the transparent proxy option, then just pick whichever apps you want to torify from the list.

--------------------------------

I've always been a supporter of net privacy and Tor in particular, and a friend of mine got me interested in the guardian project, so I grabbed the beta version of Orbot just to try it out.. sweet, tor from my phone.

Unfortunately the Smoked Glass Rom I was using didn't support the Iptables modules necessary for the transparent proxy method orbot used for tunnelling apps through privoxy/tor. So, I was forced to try out some other Roms and their respective kernels.. okay, forced is a bad way to put it, it was a lot of fun.

I checked out "bugless beast" and cyanogenmod for droid, both of which were slick and fast in their own right with some spiffy features, but neither had a kernel that would support orbot... This really shocked me since any time I compile a Linux kernel I load in every possible Iptables module I can, and the one in question is included in most standard Linux distros. I was about to just give up and stick with cyanogen for a while but then I saw in the RomManager app (it's in the market, not expensive, pay for it) a Rom called "Ultimate Droid"... I couldn't help myself, it's such a presumptive and audacious name I just had to give it a shot, and well, It worked.

Additional Feature Set for Ultimate Droid:

New Features Included Listed In Red
Added & Included:
-Themable Framework (Can Now Use MetaMorph To Easily Install Full Themes)
-Over The Air Updater Now Combined w/Ultimate Droid Customizer
-New Command Line w/History (Works Better for Windows Users)
-20 Point Drop In Bechmark on setCPU (Better Equals Faster )
-Smoother 3D Launcher When Combined w/Live Wallpapers
-New Blackdroid & Team Wallpapers (Included w/Helix2)
-New Blackdroid & Team Live Wallpapers (Uploading Soon)
-Even Smoother Pinch & Zoom
-All Commands for Busybox and Toolbox Symlinked
-Extremely Optimized
-Official MultiTouch Browser
-2.1 MultiTouch Gallery 3D
-2.1 Music App
-2.1 News and Weather App (w/HTC Weather Images)
-2.1 Desk Clock w/White Screensaver Clock
-HQ Video Recording Tweak (credit to Fede)
-Minimum Brightness Hack (credit to xeudoxus)
-HQ YouTube Default Tweak (credit to xeudoxus)
-”Droid” Themed 5 screen 2.1 app drawer w/Interactive Live Wallpapers
-”Droid” Themed 5 screen 2.1 3D Launcher w/Interactive Live Wallpapers
-”BlackDroid” Themed Helix App Drawer (Up to 7 screens, Interactive Wallpapers, Auto Rotation, Double Tap for Screen Preview, Up to Four Customizable Launcher Buttons – Drag Shortcut to bottom – Hit Menu to Customize) (Thanks to arctu)
“BlackDroid” Themed Helix 3D Launcher w/Blackdroid & Team Wallpapers (Up to 7 screens, Interactive Wallpapers, Auto Rotation, Double Tap for Screen Preview, Up to Four Customizable Launcher Buttons – Drag Shortcut to bottom – Hit Menu to Customize) (Thanks to arctu)
-New Customizable Nexusmod Live Wallpapers (8 Different Colors – Refer to Second Post)
-Completely Deodexed System
-Wifi Tethering
-SuperUser App
-Flash Image
-Busybox