Category: Software

  • Passwords in PHP

    Generally speaking it is a really bad idea to hold passwords in cleartext. I am actually amazed people still do this!  The standard way of holding passwords that has been around for years is to encrypt or hash the password and store the result, called a ciphertext.  There have been many ways of hashing the password, starting off with plain old crypt with no salt (a salt being a random pair of characters), then crypt with salt, through to MD5 and SHA.

    The thing is, each one of these hashing techniques results in a ciphertext of a different length.  Now with most languages, this doesn’t matter because you know what hash you are using; it’s simply the name of the function or some flag you set.

    PHP is different, because all of these methods use the one function called crypt, which is a little confusing because it is more than plain old crypt.  Around PHP version 5.3 the developers started putting in the more complex hash algorithms, which is good, but the ciphertext has been growing.

    A lot of applications store this hashed password in a database and a decision needs to be made: how big should this field be?  For a long while, 50 characters would be enough and this is what programs like JFFNMS use.  Unfortunately the SHA-512 algorithm needs 98 characters, so what you get is half a hash stored. When the user enters their password, the program compares the full hash from that password to the half hash in the database and it always fails.

    I’ve adjusted JFFNMS to use 200 character long fields which is fine for now. The problem is who knows what the future will bring?
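
    A check for the failure described above, as an added example (not JFFNMS code): it classifies a stored crypt-style value as complete or truncated from the length of the part after the last `$`. The 98-character sample is a constructed filler string with an 8-character salt, not a real hash, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Characters expected after the last '$' for each crypt(3) scheme;
   for bcrypt that tail is the 22-char salt plus the 31-char digest. */
static const struct { const char *prefix; size_t tail_len; } SCHEMES[] = {
    { "$1$", 22 }, { "$5$", 43 }, { "$6$", 86 }, { "$2y$", 53 },
};   /* MD5, SHA-256, SHA-512, bcrypt */
enum verdict { HASH_OK, HASH_TRUNCATED, HASH_UNKNOWN };

/* Classify one stored value by the length of its final field. */
enum verdict check_stored_hash(const char *stored)
{
    size_t i;
    for (i = 0; i < sizeof SCHEMES / sizeof SCHEMES[0]; i++) {
        size_t plen = strlen(SCHEMES[i].prefix);
        const char *last = strrchr(stored, '$');
        if (strncmp(stored, SCHEMES[i].prefix, plen) != 0)
            continue;
        if (last < stored + plen)   /* cut off inside the salt */
            return HASH_TRUNCATED;
        return strlen(last + 1) == SCHEMES[i].tail_len ? HASH_OK : HASH_TRUNCATED;
    }
    return HASH_UNKNOWN;
}

/* Constructed 98-char sample, not a real hash: "$6$" + 8-char salt + "$" + 86 filler. */
void make_sample(char out[99])
{
    strcpy(out, "$6$saltsalt$");
    memset(out + 12, 'A', 86);
    out[98] = '\0';
}

/* Emulate a fixed-width column that truncates silently. */
void store_in_column(char *col, size_t width, const char *hash)
{
    size_t n = strlen(hash) < width ? strlen(hash) : width;
    memcpy(col, hash, n);
    col[n] = '\0';
}

int main(void)
{
    char sample[99], col50[51];
    make_sample(sample);
    store_in_column(col50, 50, sample);
    printf("50-char field: %s\n", check_stored_hash(col50) == HASH_OK ? "ok" : "truncated");
    return 0;
}
```

    Run over an existing password column, a check like this finds accounts whose stored value can never match, and the same length test can reject a write before the value is stored.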

  • Gjay 0.3.2 released

    After getting past a series of silly errors gjay version 0.3.2 is now available.  The source code was uploaded to SourceForge and the Debian package has been uploaded to the FTP master site.

    This version fixes the linking bug that has been extensively reported in a lot of Debian packages.  This is where you are using symbols of a library from another but not explicitly linking to it.  It means some versions of GCC will fail to link.

    gjay will now create playlists for Music Player Daemon or mpd and get mpd to run them too.  It does need mpd and gjay to be on the same computer, or at least the same directory structure, so both programs know which file is meant.  While gjay has a full view of the filesystem, mpd uses a relative one off its own concept of a root directory.

    As a result of the two music players, both the audacious and mpd client libraries are not linked to gjay but are linked at runtime using dlsym(). It means you don’t need the audacious libraries if you like mpd or vice versa.  I’m not that experienced in using dlsym so hopefully I’ve not stuffed it up; it works for me!

    In theory, gjay could pass its playlists onto other music players.  The problem is knowing how to get the list into the player.  After it does its sorting and randomising, gjay ends up with a linked list of file-names. Now for audacious or (with some caveats) mpd it is pretty simple because they use file-names but others don’t do this.  If you know how it is done with your favourite player then let me know.

  • Silly C errors in gjay

    I have been working on Gjay to add support for Music Player Daemon (http://mpd.wikia.com/wiki/Music_Player_Daemon_Wiki), where I had what initially looked like a strange problem. When WITH_MPDCLIENT was defined, the program would crash in all sorts of weird places when the main program structure had this:

    #ifdef WITH_MPDCLIENT
    struct mpd_connection *mpdclient_connection;
    #endif

    But would work fine when it was:

    struct mpd_connection *mpdclient_connection;
    #ifdef WITH_MPDCLIENT
    #endif /* WITH_MPDCLIENT */
    

    I tried changing the structure to just void *blah to see if it made a difference and it didn’t. The program would crash every time.

    The answer was pretty simple in the end. WITH_MPDCLIENT is defined in the file config.h and not every C source file was including it. Needless to say, they should! So half the program was using one version of the structure and the other half was using another; no wonder the whole program was a mess, because anything beyond this entry in the structure would be a few bytes out.

    With that little insanity out of the way, I can get back to making gjay work with MPD.
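
    The mismatch described above, reproduced in one file as an added example (not gjay's source): the two struct declarations stand for what files with and without config.h each compiled. Only mpdclient_connection comes from the post; the other member and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct mpd_connection;   /* opaque type from the post */

/* What a file that included config.h compiled (WITH_MPDCLIENT defined). */
struct app_with {
    struct mpd_connection *mpdclient_connection;
    int song_count;      /* hypothetical later member */
};

/* What a file without config.h compiled: the pointer is preprocessed away. */
struct app_without {
    int song_count;
};

/* Bytes by which song_count moves between the two views. */
size_t song_count_shift(void)
{
    return offsetof(struct app_with, song_count)
         - offsetof(struct app_without, song_count);
}

/* A store to song_count made through the short view lands on the pointer. */
int short_view_store_clobbers_pointer(void)
{
    struct app_with shared;
    struct app_without stale = { 42 };
    memset(&shared, 0, sizeof shared);          /* pointer starts as NULL */
    memcpy(&shared, &stale, sizeof stale);      /* the stale file's write */
    return shared.mpdclient_connection != NULL && shared.song_count != 42;
}

/* Guard: each source file passes its own sizeof to the file that owns the
   struct, so a mismatched build stops at start-up. */
int layout_matches(size_t caller_sizeof)
{
    return caller_sizeof == sizeof(struct app_with);
}

int main(void)
{
    printf("song_count shifts by %zu bytes\n", song_count_shift());
    printf("pointer clobbered: %d\n", short_view_store_clobbers_pointer());
    printf("stale file passes layout check: %d\n",
           layout_matches(sizeof(struct app_without)));
    return 0;
}
```

    In an Autoconf project the usual rule is that every .c file includes config.h before any other header, which removes the second view entirely.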

  • JFFNMS at RC2, ncurses at 5.8

    After some reports back about [JFFNMS](http://www.jffnms.org/) 0.9.0rc1 I have now updated it to rc2. Thanks to all who gave me information about how it worked in YOUR setup.  I cannot be sure but I’d say the second RC will be the last until the release itself.

    Sven has also given me the nod and ncurses 5.8 migrated into unstable.  We’ve had one report that the new version of ncurses might not play well with stfl (see #616711) but generally speaking it should work ok.

    Finally, congratulations to the Debian project on [winning two categories at the Linux New Media Awards](http://www.debian.org/News/2011/20110304). It was especially good to hear the presentation by Karsten Gerloff who is president of the Free Software Foundation Europe.

    ## ncurses bug update
    It seems that the ncurses bug is more serious and is to do with the newwin() function in the library. If you get crashes when a program starts and it is linked to ncurses 5.8 (even if it is not a Debian system) you may have this problem.

    It doesn’t happen to all ncurses programs, as the stfl example code and mutt work ok.

  • Apache and incomplete redirection messages

    As part of moving my site around, I needed a bunch of redirects so that http://enc.com.au/docs/linuxload.html now becomes because it’s now controlled by [Wordpress][]. So I used the [RedirectPermanent][] feature of [mod_alias][2.2 mod_alias] to do it with lines like:

    RedirectPermanent /docs/linuxload.html /2010/07/manually_calculating_process_times/
    

    So you come in on /docs/linuxload.html and redirect to the blog entry, simple really! It actually works, kinda, but the log files fill with things like:

    [Fri Mar 04 14:40:17 2011] [warn] [client 172.16.242.1] incomplete redirection target of '/2010/07/manually_calculating_process_times/' for URI '/docs/linuxload.html' modified to 'http://enc.com.au/2010/07/manually_calculating_process_times/
    

    What is going on? Why won’t Apache just be quiet and be happy? The reason is in the Redirect Directive documentation on the [2.0 mod_alias][] page:

    > Also, URL-path must be a fully qualified URL, not a relative path, even when used with .htaccess files or inside of sections.

    But I’m running Apache 2.2 and the [2.2 mod_alias][] page says:

    > The new URL should be an absolute URL beginning with a scheme and hostname, but a URL-path beginning with a slash may also be used, in which case the scheme and hostname of the current server will be added.

    That’s it, you have two choices:

    * Use relative URLs and have Apache complain
    * Use absolute URLs and have a happy Apache

    Changing the above config snippet to use absolute URLs fixed it.

    RedirectPermanent /docs/linuxload.html http://enc.com.au/2010/07/manually_calculating_process_times/
    

    [2.2 mod_alias]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html
    [2.0 mod_alias]: http://httpd.apache.org/docs/2.0/mod/mod_alias.html
    [RedirectPermanent]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirectpermanent
    [Wordpress]: http://www.wordpress.org/

  • JFFNMS 0.9.0 release candidate 1 out

    The next version of [JFFNMS](http://www.jffnms.org/) is nearing completion and is now at Release Candidate 1. Version 0.9.0 has a major amount of work in cleaning up and securing the code.

    The majority of the work has been in the complete re-write of the engines that do the polling, autodiscovery and consolidation. The parent/child communication has changed as has the way the processes are forked.

    On the front-end, the requirement to register globals has finally been removed, with the code explicitly specifying and sanitising the variables it requires. This will make it easier to debug problems and make the application webservers more secure.

    Finally there is better support for High Capacity interface counters and some support for IPv6, meaning you can see how slow ipv6.google.com is from your place.

    JFFNMS 0.9.0rc1 is available from SourceForge at

  • Syntax Highlighting with Mid-Century themes

    As a site that discusses a variety of programming languages, I thought it would be good to have syntax highlighting for the code snippets. This blog previously ran [Movable Type][] so it had to fit in with the setup I have already.

    So I found the [Syntax Highlighter][] module ok and the initial installation went fine, it was simply:

    1. Download the .zip archive
    2. Unzip the archive into a temporary directory
    3. Copy the plugins/SyntaxHighlighter directory to my plugins directory
    4. Copy the mt-static/plugins/SyntaxHighlighter directory to static/plugins

    You then need to edit the “HTML Head” template and add to the bottom of it the following line:

    
    

    Next, I like to use [Markdown][] as my “markup” language. But you can only have one type of text filter. Another plugin called [FormatStack][] solves this.
    Create a new stack and put [Syntax Highlighter][] before [Markdown][].
    You can then create documents with both sorts of tags and it works quite nicely, well… almost.

    Mid Century Problems
    --------------------
    This is probably not a Mid-Century specific problem but the modern templates or styles may cause a problem. You’ll find you switch styles and suddenly, no more syntax highlighting.
    The problem is the onLoad functions get overloaded. Some styles have an onload property on their body. You’ll see lines similar to

    
    

    This onload event stops other onload events, which means Syntax Highlighter cannot do its thing. The fix is rather simple, you just adjust the templates so they look like the following:

    
    
    mtAttachEvent("load", mtEntryOnLoad);
    
    

    After doing this and publishing it all worked! You may also see this sort of problem with other plugins that use the mtAttachEvent() JavaScript call.

    Reducing Includes
    -----------------
    By default, the script includes all syntaxes it knows. If you want to only include some, you do this by specifying what brushes you want. For example, if you will only highlight Perl and Python scripts then you can change the line to:

    
    

    Syntax Themes
    -------------
    The other attribute the Include line will take is theme. There are several themes but default is alternating white on grey with the rest being variations on light text on a dark background.

    [Syntax Highlighter]: http://plugins.movabletype.org/syntaxhighlighter-for-movable/
    [Movable Type]: http://www.movabletype.org/
    [Markdown]: http://daringfireball.net/projects/markdown/
    [FormatStack]: http://plugins.movabletype.org/formatstack/

  • JFFNMS and IPv6

    One of the many Free Software projects I work on is JFFNMS, which is a network management system written in PHP. Given that the last IPv4 address blocks have now been allocated to APNIC it’s probably timely to look at how to manage network devices in a new IPv6 world.
    First you need to get the basics sorted out and for that it is best to use the net-snmp command line utilities to check all is well. Then it’s on to what to do in JFFNMS itself.
    Now fixed with proper markup, I hope.

  • Playing text adventures with mudlet

    I’ve been playing text based multi-user games on and off for years, or perhaps that’s decades.  When I first started playing them, all you had was telnet. Then this program called TinyFugue appeared which is still shipped by Debian. The generic term for these sorts of games are MUDs, or Multi User Dungeons.

    Anyhow, I recently came across a new MUD client called Mudlet.  It’s a very slick program and works quite well. The way it does its triggers (reactions to what the mud sends you) and aliases (reactions to what you type) is done well and is fast.  For some people you may have 100s of potential matches on an incoming or outgoing line so you want it to be fast.

    After trying it out, my next reaction was “ok, so is it packaged in Debian?”. To my surprise, it wasn’t so the only obvious thing to do was for me to package it.  It is now sitting in the NEW queue waiting for our ever-overloaded ftp masters to have a look at it.

    While the program is done well, as shipped it doesn’t play too well with a Linux system. The package carries about 4 different other packages around. I’ve changed that now so it uses the system libraries and fonts. All of them are shipped in Debian and I’m sure they individually get more attention and love than I would give them being a sub-part of the main package. It of course cuts down on build times and archive sizes too.

    I still play muds, no matter what client. For me they’re fun on two levels. The first is the puzzles and gameplay of the MUD itself.  I play some MUDs run by Iron Realms who continuously update them, giving you new challenges.

    The second level is the scripting and customisation you can do.  Instead of typing “sip health” you can write some scripts to check your health level and get the script to do it.  Mudlet (and a lot of other MUD clients) use the Lua language to do this scripting. It’s a little funny language but is easy to learn and use.  You won’t be able to build some epic programs with it, but for scripting it is pretty good.

     

    Languages in Hunspell

    Mudlet uses the hunspell library for spell checking.  I have, of course, linked it with the Debian library. The difficulty now is what language?  I was surprised that when you initialise the library, you specify what language files to use right there.  Now for me it’s simple, the English dictionaries should be used!  What I don’t understand is if there is a way of determining the right dictionary globally for a user.

    I first thought it would be one of the locale parameters, those LC_whatever fields. Mine is en_AU.UTF8, which there is no dictionary for as I’d use en_US or en_UK.  I could possibly patch Mudlet and find a dialog box somewhere where you can set the language, but to me an environment variable makes more sense.  Does anyone use the DICTIONARY variable, for example?

     

  • dh-make and cdbs

    If you use dh-make with CDBS then you need to know that CDBS is no longer a package type, but is a rules format. This is where it should have been in the first place and for a few versions of dh-make there was this half-hearted attempt to change it over.

    Version 0.57 has the right fixes and just got uploaded.  I’m not sure how many people actually use CDBS on new packages anymore, but it should work fine now.

    Oh, and dh-make is now in an Alioth git repository instead of subversion.