<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://www.stress-free.co.nz"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>stressfree - security</title>
 <link>https://www.stress-free.co.nz/tech/security</link>
 <description></description>
 <language>en</language>
<item>
 <title>Transparent Single Sign-On with CAS &amp; eDirectory</title>
 <link>https://www.stress-free.co.nz/transparent_sso_with_cas_and_edirectory</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
    &lt;div class=&quot;image&quot;&gt;&lt;img src=&quot;/sites/default/files/u63/cas-logo.jpg&quot; alt=&quot;&quot; width=&quot;185&quot; height=&quot;86&quot; /&gt;&lt;/div&gt;
&lt;p&gt;A few months ago I had a &lt;a href=&quot;http://www.ja-sig.org/issues/browse/CAS-658&quot;&gt;patch&lt;/a&gt; accepted by the &lt;a id=&quot;k-iv&quot; title=&quot;JA-SIG CAS project&quot; href=&quot;http://www.ja-sig.org/products/cas/&quot;&gt;JA-SIG CAS project&lt;/a&gt; to enable this single sign-on (&lt;a id=&quot;n6hp&quot; title=&quot;SSO&quot; href=&quot;http://en.wikipedia.org/wiki/Single_sign-on&quot;&gt;SSO&lt;/a&gt;) service to automatically authenticate users who are part of an internal Novell network. The benefit of this is that once a user has logged into their corporate network they do not have to authenticate themselves when they use any of the company&#039;s web applications. CAS is a good choice for an SSO solution because it is free, &lt;a id=&quot;vd-z&quot; title=&quot;fairly simple to setup and utilise&quot; href=&quot;http://www.ja-sig.org/products/cas/server/index.html&quot;&gt;fairly simple to setup&lt;/a&gt; and has libraries for integrating &lt;a id=&quot;pelw&quot; title=&quot;CAS with Java&quot; href=&quot;http://www.ja-sig.org/products/cas/client/javaclient/index.html&quot;&gt;with Java&lt;/a&gt; and just about &lt;a id=&quot;gywm&quot; title=&quot;every other web language&quot; href=&quot;http://www.ja-sig.org/wiki/display/CASC/Clients&quot;&gt;every other web language&lt;/a&gt;. Also, due to its relative simplicity, many popular web applications support CAS &#039;out of the box&#039;, so it pays to do some checking before reinventing the SSO wheel.&lt;/p&gt;
&lt;p&gt;How exactly this transparent authentication mechanism works is a little complicated, but in practice it occurs in a fraction of a second without any intervention. Below is a diagram outlining the actions that take place and a brief description of what happens at each step.&lt;/p&gt;
&lt;div id=&quot;jy:r&quot; class=&quot;centeredimage&quot;&gt;&lt;a href=&quot;/sites/default/files/u63/cas_process_lg.jpg&quot;&gt; &lt;img src=&quot;/sites/default/files/u63/cas_process_sm.jpg&quot; alt=&quot;&quot; width=&quot;400&quot; height=&quot;249&quot; /&gt;&lt;br /&gt;An overview of the transparent authentication process (click to enlarge)&lt;/a&gt;&lt;/div&gt;
&lt;ol&gt;&lt;li&gt; The staff member logs in to the Novell network to gain access to their desktop. &lt;/li&gt;
&lt;li&gt; Once logged in the user visits an internally hosted web application. (e.g. CRM, DMS, etc.) &lt;/li&gt;
&lt;li&gt; Because the user is not logged in, the web application returns a CAS redirect command to the browser. &lt;/li&gt;
&lt;li&gt; The user&#039;s browser is automatically redirected to the CAS web service for authentication. &lt;/li&gt;
&lt;li&gt; The CAS service detects the incoming I.P. address and performs an LDAP search for this value in the eDirectory. &lt;/li&gt;
&lt;li&gt; The LDAP search finds the user&#039;s I.P. address and returns their credentials. &lt;/li&gt;
&lt;li&gt; CAS creates an authenticated session for the user and returns a one-time use ticket to the browser. &lt;/li&gt;
&lt;li&gt; The browser automatically redirects back to the web application and presents the authentication ticket for validation. &lt;/li&gt;
&lt;li&gt; The web application checks this ticket against the CAS service. If valid the user&#039;s credentials are returned. &lt;/li&gt;
&lt;li&gt; The web application creates an authenticated session and returns the relevant HTML content to the browser. &lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;Setting all this up is not too difficult, so long as you carefully follow &lt;a id=&quot;bni9&quot; title=&quot;my instructions on the CAS wiki&quot; href=&quot;http://www.ja-sig.org/wiki/display/CASUM/Transparent+LDAP-based+Remote+Address+Authentication+Handler&quot;&gt;my instructions on the CAS wiki&lt;/a&gt;. The key is understanding what is going on and how the CAS configuration files work to achieve this task. The added bonus is that because this technique uses information stored in eDirectory it works with (pretty much) any Internet browser without any extra client-side software.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;!--break--&gt;  &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/web_services&quot;&gt;web services&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/sso&quot;&gt;sso&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Thu, 27 Nov 2008 02:41:34 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">531 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>A little OSX security tip</title>
 <link>https://www.stress-free.co.nz/a_little_osx_security_tip</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt; The administrator designated user is by default the first user created on an OSX system.    &lt;br /&gt;In many cases you probably only have one user on the system and in that case this account will have administrator privileges. Whilst administrator privileges are not complete &#039;root&#039; privileges it does hold enough power to do serious damage.&lt;/p&gt;  &lt;p&gt;Most of the so called OSX &#039;viruses&#039; are actually trojan horses that are executed by an unsuspecting user. The most famous one was a &lt;a href=&quot;http://www.macrumors.com/pages/2006/02/20060216005401.shtml&quot;&gt;bash script named like an image file&lt;/a&gt; and then given a picture icon (so when the user opened it the malicious script was run).    &lt;br /&gt;&lt;br /&gt;The easiest way to protect yourself from all of this is to create an admin account with administrator privileges and then take away administrator privileges from your everyday users. This will ensure that even if you accidentally run a trojan or just a malicious application it won&#039;t be able to cause any real harm (though it would still be possible to delete all your personal data files). Whenever a system modification is about to take place the authentication box will popup asking for the administrator username/password. This is a nice warning message to you that a system change is going to take place and a deterrent to those users who are not supposed to be making system changes (like kids wanting to install games or p2p clients).    &lt;br /&gt;&lt;br /&gt;It is a nice security blanket and something Apple should really consider doing by default (but I guess they are more concerned about ease of use). If you ever need true root privileges to edit system details (like files in /etc/) open the Terminal and do the following: &lt;/p&gt;  &lt;p class=&quot;codesnippet&quot;&gt; su admin [enter]    &lt;br /&gt;(change from your account to the admin)    &lt;br /&gt;sudo sh [enter]    &lt;br /&gt;(open an sh terminal prompt with root privileges, you&#039;ll then be able to make any edits you like) &lt;/p&gt; &lt;p&gt; In both cases you&#039;ll need to enter the admin password as the sudo command is only available to the user designated as the administrator on the computer. It is possible to edit the sudo configuration file and add a specific non-administrator user to the list of allowed users but it is a lot easier (and a little bit more secure) not to do this.&lt;/p&gt; &lt;p&gt; &lt;/p&gt;   &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/apple&quot;&gt;apple&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/osx&quot;&gt;osx&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Thu, 13 Jul 2006 23:04:25 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">287 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>Parallels on OSX and OpenSUSE 10.1 experimenting</title>
 <link>https://www.stress-free.co.nz/parallels_on_osx_and_opensuse_10_1_experimenting</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt;I have been trying out SuSE 10.1 on my iMac with the Release Candidate version of &lt;a href=&quot;http://www.parallels.com/&quot;&gt;Parallels&lt;/a&gt;. Parallels is awesome, there is nothing like being able to play with (and blow away) Linux and Windows at almost full speed directly within OSX. On the PowerPC I have used Virtual PC and the Intel iMac has also &lt;a href=&quot;https://www.stress-free.co.nz/node/256/2/&quot;&gt;gone through Bootcamp&lt;/a&gt; but Parallels is far and away a better solution for most tasks (you would not want to run games through Parallels).    &lt;br /&gt;From a website design perspective it really eases the testing of html/css in all four major environments (Windows Explorer, Firefox, Linux Konquerer and OSX Safari).    &lt;br /&gt;&lt;br /&gt;One new default feature in OpenSUSE 10.1 that is really very cool is AppArmor. It makes the task of securing server and client based applications simple through the automatic creation of application-based rules (i.e. Firefox can execute these files, modify these files and access these devices). The &lt;a href=&quot;http://susediary.blogspot.com/2006/05/securing-applications-with-apparmor.html&quot;&gt;SUSE Diary has a nicely written tutorial&lt;/a&gt; introducing the application and describing how to easily create rulesets.&lt;/p&gt;  &lt;p&gt;Through proper use it can protect systems from zero day exploits and just stop users from doing dumb things. It is definitely a huge feature that will appeal to corporate users, rather than messing around with file permission and access levels directly, you just tell the kernel what you want the application to be able to do and it looks after it from there. In theory these rulesets can be managed centrally from Zen (they are just simple text files) but I don&#039;t think Novell have released details on this.    &lt;br /&gt;&lt;br /&gt;Also the Jem Report have a useful article describing &lt;a href=&quot;http://www.thejemreport.com/mambo/node/254/42/&quot;&gt;how to get your OpenSUSE 10.1 install up to speed&lt;/a&gt; with all the packages you may need (Java, mp3, etc.). OpenSUSE have begun to make this task easier with their &#039;Add-On&#039; CD but still it is nice to have a single document that lists all the optional features available.    &lt;br /&gt;&lt;/p&gt;   &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/suse&quot;&gt;suse&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/osx&quot;&gt;osx&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/virtualisation&quot;&gt;virtualisation&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Tue, 23 May 2006 20:53:17 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">276 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>Bug in SUSE 9.2/9.3 Yast Firewall Scripts</title>
 <link>https://www.stress-free.co.nz/bug_in_suse_9_2_9_3_yast_firewall_scripts</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt;There exists a bug in the Yast firewall scripts for configuring access to a DHCP server. DHCP requires broadcasting capability but the Yast firewall script does not enable this by default. In order to fix the problem ensure the following two directives are set in the /etc/sysconfig/SuSEfirewall2 script:&lt;/p&gt;  &lt;p class=&quot;codesnippet&quot;&gt;FW_SERVICES_EXT_UDP=&quot;bootps&quot;    &lt;br /&gt; FW_ALLOW_FW_BROADCAST=&quot;yes bootps&quot;&lt;/p&gt;  &lt;p&gt;Setting these two directives will allow the DHCP server to broadcast its availability to the rest of the network without having to lower your server&#039;s firewall.    &lt;br /&gt;&lt;/p&gt;   &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/suse&quot;&gt;suse&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/firewall&quot;&gt;firewall&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Sun, 27 Nov 2005 09:09:30 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">172 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>Border Manager with Linux Howto</title>
 <link>https://www.stress-free.co.nz/border_manager_with_linux_howto</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt;After some experimenting today I have put together a howto for getting Linux to authenticate to a Border Manager proxy server. If you do not know what that means do not worry but if you do and have tried in the past you maybe very interested to have a read of &lt;a href=&quot;/index.php?option=com_content&amp;amp;task=view&amp;amp;id=160&quot;&gt;this tutorial&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt; &lt;/p&gt;   &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/linux&quot;&gt;linux&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/novell&quot;&gt;novell&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/border_manager&quot;&gt;border manager&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Mon, 31 Oct 2005 09:13:21 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">161 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>Border Manager Authentication with Linux</title>
 <link>https://www.stress-free.co.nz/border_manager_authentication_with_linux</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt;Getting a Linux server or workstation to work nicely with Novell&#039;s Border Manager can be very difficult. Novell have recently brought out a &lt;a href=&quot;http://www.novell.com/coolsolutions/tip/15611.html&quot;&gt;Linux version&lt;/a&gt; of their clntrust.exe application for Linux workstations (available in Border Manager 3.8 SP4) but this requires Gnome and the Novell Linux Client. If you are running a server (or use a non-Novell supported Linux distro) meeting these requirements can be difficult. Fortunately there is &lt;a href=&quot;http://cl4others.sourceforge.net/&quot;&gt;cl4others&lt;/a&gt; which authenticates to the Border Manager through simple command line instructions in a far more flexible manner. Documentation for cl4others is pretty sparse so I have written this little tutorial on how to get it set up and running.  &lt;/p&gt;  &lt;p&gt;This solution is really intended for servers where shell access by normal users is limited as Border Manager authentication is not handled on a per user basis. For web and file servers such a setup is fine but if you require per user authentication to the Border Manager you should probably look at the Gnome/Netware Linux Client/clntrust stack from Novell. &lt;/p&gt;  &lt;p&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;NOTE: &lt;/span&gt;For instructions 1-9 you will need to have root privileges. &lt;/p&gt;  &lt;p&gt;1. Install ncp for your distribution.    &lt;br /&gt;The easiest way to find the rpm is through rpmfind or if you are running SuSE you will find ftp.suse.com has an rpm for your specific version.    &lt;br /&gt;&lt;br /&gt;2. Extract the cl4others x86 binary and copy it to /usr/bin.    &lt;br /&gt;Make sure its permissions are set so that it can be executed by non-root users. &lt;/p&gt;  &lt;p class=&quot;codesnippet&quot;&gt;chmod a+x /usr/bin/cl4others&lt;/p&gt;  &lt;p&gt;3. Make a directory in /mnt called bordermanager so that you can mount the volume to it. &lt;/p&gt;    &lt;p&gt;4. Edit /etc/fstab and add the following entry: (all on one line)&lt;/p&gt;  &lt;p class=&quot;codesnippet&quot;&gt;NW_SERVER/NW_USER  /mnt/bordermanager  ncp        defaults,ro,mode=400,uid=root,gid=root,owner=root,ipserver=NW_SERVERIP,    &lt;br /&gt;passwdfile=/root/.ncppasswd,multiple        0 0 &lt;/p&gt;  &lt;p&gt; Replace the following with your network details:    &lt;br /&gt;NW_SERVER = Netware BorderManager server name    &lt;br /&gt;NW_SERVERIP = Netware BorderManager IP/DNS name    &lt;br /&gt;NW_USER = Netware user you will be accessing the proxy as &lt;/p&gt;  &lt;p&gt;This mounts the Border Manager volume read-only with all files owned by root with read access to the files only granted to root. This means if one of your server accounts gets compromised (other than root) your Border Manager files will be safe and away from prying eyes.    &lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;NOTE: &lt;/span&gt;In order for cl4others to work you must have read access to the BorderManager SYS volume. Remember to set a Border Manager access rule for the user you are connecting attempting to access the Internet as.    &lt;br /&gt;&lt;br /&gt;5. Now create a file for storing the login password to the server: &lt;/p&gt;  &lt;p class=&quot;codesnippet&quot;&gt;pico /root/.ncppasswd &lt;/p&gt; Add the following entry:  &lt;p class=&quot;codesnippet&quot;&gt;NW_SERVER/NW_USER:Your Password &lt;/p&gt; Change the file so that it can only be read by root:  &lt;p class=&quot;codesnippet&quot;&gt;chmod og-rwx /root/.ncppasswd &lt;/p&gt; 6. Mount the Border Manager volume:  &lt;p class=&quot;codesnippet&quot;&gt;mount /mnt/bordermanager &lt;/p&gt; (This should mount the SYS volume of the BM server  &lt;br /&gt;&lt;br /&gt;7. If you have a firewall running you will need to open port 3024 for UDP traffic.  &lt;br /&gt;For SuSE edit edit /etc/sysconfig/SuSEfirewall2 and add an entry:  &lt;p class=&quot;codesnippet&quot;&gt;FW_SERVICES_EXT_UDP=&quot;3024&quot; &lt;/p&gt; Restart the firewall, for SuSE:  &lt;p class=&quot;codesnippet&quot;&gt;rcSuSEfirewall2 restart &lt;/p&gt;8. Now as root start cl4others (I have had mixed results starting it as any other user).  &lt;p class=&quot;codesnippet&quot;&gt;cl4others /mnt/bordermanager &amp;amp; &lt;/p&gt;9. With Yast setup the proxy. You don&#039;t need to specify any user just point the proxy to the url of the proxy server. Save the changes. In order for them to take effect you will need to logout of the console and log back in again.  &lt;br /&gt;&lt;br /&gt;You should be able to access websites now through the Border Manager proxy with any of the Linux accounts.  &lt;br /&gt;&lt;br /&gt;10 .Test it by downloading an html file:  &lt;p class=&quot;codesnippet&quot;&gt;wget https://www.stress-free.co.nz/sites/default/files/images/whichdoctor.jpg &lt;/p&gt;  &lt;p&gt; Hopefully if everything works correctly you should be authenticating and using your Border Manager proxy with Linux.&lt;/p&gt;  &lt;p&gt; &lt;/p&gt;   &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/linux&quot;&gt;linux&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tutorials&quot;&gt;software tutorials&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/novell&quot;&gt;novell&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/border_manager&quot;&gt;border manager&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Mon, 31 Oct 2005 07:20:35 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">160 at https://www.stress-free.co.nz</guid>
</item>
<item>
 <title>Useful SSH Keygen Guide</title>
 <link>https://www.stress-free.co.nz/useful_ssh_keygen_guide</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
      &lt;p&gt;This &lt;a href=&quot;http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/openssh-clients.html&quot;&gt;Red Hat document&lt;/a&gt; although old concisely explains how to generate and install DSA and RSA keys via SSH. Very handy when you are logging in to a number of different servers for administration purposes.&lt;/p&gt;    &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/linux&quot;&gt;linux&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/security&quot;&gt;security&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/ssh&quot;&gt;ssh&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Wed, 26 Oct 2005 09:21:32 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">159 at https://www.stress-free.co.nz</guid>
</item>
</channel>
</rss>
