Sunday, March 23, 2014

Stop copy-pasting!

ssh user@machine sh -c 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
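The one-liner above assumes that ~/.ssh already exists on the remote side with sane permissions, and it appends a duplicate line every time it is re-run. The following is an added example, not part of the original post: a POSIX shell function (install_pubkey is a name chosen here) that reads the key on stdin and handles both cases.

```shell
# Added example. Reads ONE public key line on stdin and appends it to
# HOME_DIR/.ssh/authorized_keys unless it is already present.
# HOME_DIR defaults to $HOME; the function name is an assumption of this sketch.
install_pubkey() {
    home=${1:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    # Read exactly one line (with or without a trailing newline).
    IFS= read -r key || [ -n "$key" ] || { echo "no key on stdin" >&2; return 1; }

    # Refuse anything that does not start like a public key, so a private key
    # or an empty redirect never ends up in authorized_keys.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    # sshd (StrictModes, on by default) ignores the file when these are
    # group- or world-writable, so set the modes instead of trusting umask.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x: whole line, -F: fixed string. A second run adds nothing.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

From bash it can be shipped to the remote side in one go: ssh user@machine "$(declare -f install_pubkey); install_pubkey" < ~/.ssh/id_rsa.pub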

When you SSH into Linux from Windows/MSYS

Add the following to your .profile (works with BASH).

if [ "$TERM" = "msys" ]
then
        export TERM=cygwin
fi

Otherwise, vim, less, man, mc... won't work as expected.

Wednesday, September 25, 2013

FreeRADIUS Check attributes operators for users and groups (and a “reasonable” Fall-Through)

mysql> SELECT * FROM radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
| 14 | b        | User-Name          | := | b     |
| 36 | b        | Cleartext-Password | := | b     |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql> SELECT * FROM radgroupcheck;
+----+-----------+--------------------+----+-------+
| id | groupname | attribute          | op | value |
+----+-----------+--------------------+----+-------+
| 25 | abc       | Cleartext-Password | += | abc   |
+----+-----------+--------------------+----+-------+
1 row in set (0.00 sec)

mysql> SELECT * FROM radreply;
+----+----------+--------------+----+-------+
| id | username | attribute    | op | value |
+----+----------+--------------+----+-------+
|  4 | b        | Fall-Through | =  | Yes   |
+----+----------+--------------+----+-------+
1 row in set (0.00 sec)

mysql>

The trick is using the := operator in radcheck (the users’ check attributes table) and += in radgroupcheck (the groups’ check attributes table).

That way, if a password is present in radcheck, it will be matched against the user/NAS-provided data; otherwise the group password will be matched.

This holds true for other RADIUS check attributes (Login-Time, for example).

Fall-Through = Yes in radreply is optional; but it’s necessary if you have

read_groups = no

in /etc/freeradius/sql.conf.

Of course it’s assumed that user b is member of group abc (radusergroup table not shown here).

Update: User-Name := b in radcheck is unnecessary, but it could be useful in your frontend application (ahem) to create an attribute-less user, i.e. a draft user to be configured later.

In the same way, Group := abc could be put into radgroupcheck. But please never use the = operator; use :=. Otherwise FreeRADIUS would consider it incorrect and coerce it to ==, which means a Group attribute with that value would be required in the Access-Request packet from the NAS, which is certainly not what you want (access would be rejected every time; see also this commit).
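To check an existing database against the scheme described in this post, here is an added example (not from the original post or from FreeRADIUS): it reports, per user, whether the password comes from radcheck or from the group, and flags check rows that use the = operator. It assumes tab-separated rows exported as table, name, attribute, op, value (for instance with mysql -B -N), one group per user, and the constructed sample rows in sample_rows; both function names are made up here.

```shell
# Constructed sample rows (tab-separated), mirroring the tables in the post
# plus one deliberately wrong "Group = abc" row and a password-less user c.
sample_rows() {
    printf 'radcheck\tb\tCleartext-Password\t:=\tb\n'
    printf 'radgroupcheck\tabc\tCleartext-Password\t+=\tabc\n'
    printf 'radgroupcheck\tabc\tGroup\t=\tabc\n'
    printf 'radusergroup\tb\tabc\n'
    printf 'radusergroup\tc\tabc\n'
}

# Reads such rows on stdin. Prints "PASS user source" and "WARN ..." lines.
# Password values are never printed, only where they come from.
audit_radius_checks() {
    awk -F '\t' '
        # Advice from the post: in check tables use :=, never a bare =.
        ($1 == "radcheck" || $1 == "radgroupcheck") && $4 == "=" {
            printf "WARN %s %s %s uses = (use :=)\n", $1, $2, $3
        }
        # User-level password set with := wins.
        $1 == "radcheck" && $3 == "Cleartext-Password" && $4 == ":=" {
            own[$2] = 1; users[$2] = 1
        }
        # Group-level password added with += is the fallback.
        $1 == "radgroupcheck" && $3 == "Cleartext-Password" && $4 == "+=" {
            grp[$2] = 1
        }
        # Assumption of this sketch: one group per user (last row wins).
        $1 == "radusergroup" { member[$2] = $3; users[$2] = 1 }
        END {
            for (u in users) {
                if (u in own) src = "user"
                else if ((u in member) && (member[u] in grp)) src = "group:" member[u]
                else src = "none"
                printf "PASS %s %s\n", u, src
            }
        }
    ' | LC_ALL=C sort
}
```

A user reported as none has no password under this scheme and should be looked at before the NAS does.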

Thursday, July 11, 2013

Fix broken dependencies in a .deb package (the dirty way: extract and re-build)

Which is the only available way when you have no source packages available...

dpkg-deb --raw-extract mypkg_1.0.0-1_amd64.deb mypkg_1.0.0-1_amd64

#
# Edit stuff in mypkg_1.0.0-1_amd64/DEBIAN/control ...
#
# (Possibly create a backup copy of the original .deb)
#

# Re-build the package:
dpkg-deb --build mypkg_1.0.0-1_amd64 mypkg_1.0.0-1_amd64.deb

# Install it:
dpkg -i ./mypkg_1.0.0-1_amd64.deb

# Install missing (but now available) dependencies:
apt-get -f install

Now, the longer story.

Sometimes hardware vendors distribute monitoring tools, but they don’t upgrade them to support recent distro releases.

http://downloads.linux.hp.com/SDR/downloads/ProLiantSupportPack/Debian/dists/

In this specific case, hp-snmp-agents was designed for squeeze and depended on libsnmp15, which has been replaced by libsnmp30 and/or libsnmp-base in jessie (and wheezy?). So the only solution was to extract the package contents, edit the Depends: line and rebuild the package.

More explicitly, in DEBIAN/control:

Depends: hp-health, lib32gcc1 (>= 1:4.1.1), lib32stdc++6 (>= 4.1.1), libc6 (>= 2.7-1), libc6-i386 (>= 2.7-1), libsnmp15 (>= 5.4.1~dfsg), bash, ethtool, pciutils, snmpd

has been turned into

Depends: hp-health, lib32gcc1 (>= 1:4.1.1), lib32stdc++6 (>= 4.1.1), libc6 (>= 2.7-1), libc6-i386 (>= 2.7-1), libsnmp30|libsnmp-base, bash, ethtool, pciutils, snmpd
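The manual edit above can be scripted so that only the intended dependency changes and nothing else in DEBIAN/control is touched. This is an added example, not part of the original post; swap_dep and rebuild_deb are names chosen here, and the sketch assumes a single-line Depends: field and a dependency that is not already part of an a | b alternative.

```shell
# swap_dep CONTROL OLD NEW
# Replaces the dependency whose package name is exactly OLD (including its
# version constraint) with NEW. Fails, leaving CONTROL untouched, if OLD is
# not listed, so a typo never produces a silently unchanged package.
swap_dep() {
    control=$1; old=$2; new=$3
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        /^Depends:/ {
            sub(/^Depends:[ \t]*/, "")
            n = split($0, dep, /[ \t]*,[ \t]*/)
            line = "Depends: "
            for (i = 1; i <= n; i++) {
                name = dep[i]
                sub(/[ \t(].*/, "", name)        # drop " (>= version)"
                if (name == old) { dep[i] = new; hit = 1 }
                line = line (i > 1 ? ", " : "") dep[i]
            }
            print line
            next
        }
        { print }
        END { exit hit ? 0 : 3 }
    ' "$control" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$control" && rm -f "$tmp"
}

# rebuild_deb PKG.deb OLD NEW
# Same steps as in the post: keep a backup, extract, edit, re-build, then
# print the Depends field of the result for a final visual check.
rebuild_deb() {
    deb=$1; dir=${deb%.deb}
    cp -p "$deb" "$deb.orig" &&
    dpkg-deb --raw-extract "$deb" "$dir" &&
    swap_dep "$dir/DEBIAN/control" "$2" "$3" &&
    dpkg-deb --build "$dir" "$deb" &&
    dpkg-deb --field "$deb" Depends
}
```

For the case in this post: rebuild_deb mypkg_1.0.0-1_amd64.deb libsnmp15 'libsnmp30 | libsnmp-base'. Run it as root or under fakeroot, otherwise the files in the rebuilt package end up owned by your own user.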

Monday, June 3, 2013

Prevent custom Debian packages from being upgraded (except by your own “flavour”)

The use case is a QEMU build with GlusterFS native integration.

You’ve created your custom debs.

You don’t want your packages to be replaced by the official Debian ones (which lack the desired feature) the next time you do an apt-get upgrade.

So.

Adopt a customized deb revision name/number such as -2+glusterfs

More explicitly, at the top of debian/changelog you write something like:

qemu (1.5.0+dfsg-2+glusterfs) testing; urgency=low

Build and install your package (I assume you know how to do that already).

The magic is done by APT Pinning.

Put this in your /etc/apt/preferences (or create a specific fragment in /etc/apt/preferences.d/)

  Package: qemu*
  Pin: version *-*+glusterfs
  Pin-Priority: 1001

So, in case you create your own repo, only QEMU-related packages whose revision number ends in +glusterfs (i.e. your own “flavour”) will automatically replace your installed ones.

Which is visibly far more flexible than using aptitude hold and friends.

Monday, August 6, 2012

dh_make under debian wheezy (testing)

Use --copyright, because -c doesn’t work.

Friday, July 20, 2012

Debian preseed / Simple-CDD : avoid first keyboard layout question

In profiles/MYPROFILE.conf put:

KERNEL_PARAMS="$KERNEL_PARAMS bootkbd=it"

I actually use:

KERNEL_PARAMS="$KERNEL_PARAMS bootkbd=it DEBCONF_DEBUG=7 auto=true"