Blog

  • IPv6 and address translation

    We’re in that in-between place where there is plenty of IPv4 out there, but sometimes you either need or want to get to IPv6 addresses. With the IPv4 address allocations out of ARIN now empty there is going to be an increased need for NAT either between the address families or within one. This is a quick overview of the different sorts of systems that do this address translation.

    6tunnel

    The best way to describe this is port forwarding across the address families. You can have an IPv4 port on your local device that, when you connect to it, forwards the connection via IPv6 to a remote device, perhaps on a different port. You can also do it the other way, so connecting to a local IPv6 port will connect to a remote IPv4 port. Of course “remote” could be another port on the same computer.

    Squid

    You could replace squid with any other sort of proxy server that can work as a reverse proxy and understands IPv6. In the deployments I’ve heard of, the IPv4-only webservers are front-ended with a dual-stack IPv4/IPv6 squid (or other) reverse proxy server or set of servers. It is a real simple way of getting your webserver onto IPv6, if you cannot do it in the webserver itself. The usual advantages and disadvantages of using a reverse proxy apply here. The better long-term solution is to have the servers just run IPv6 natively, but this is a reasonable stop-gap.

    Tayga

    This program implements NAT64, which is a 1:1 address translation. It can work both ways so IPv6 clients can connect to IPv4 servers and vice-versa. You would normally use this for your own hosts, rather than for connecting to the internet, as you need to specify prefixes. It works like the old-style static NAT ranges in IPv4 where 1.1.1.10-100 would map to 2.2.2.10-100.

    tnat64

    Now this package is a little back-to-front to the others in that it takes an existing IPv4-only application and makes it able to connect, at least at the socket level, to an IPv6 server. It works by preloading a library which overloads the socket functions like socket() and connect() so it can attempt to find IPv6 servers.

    totd

    This is a small DNS proxy which can be used to translate IPv4 A records to IPv6 AAAA records. You often use it with translation technologies like Tayga.

    That’s a brief overview of the various packages out there that can help with address translation to either get your servers understanding IPv6 or a client to get to an IPv6 server. Ideally these are only temporary measures, but given some of the methods people use to write programs (the latest I’ve seen has a weird hard-coded 4-byte offset tree-table with a 256-long list inside – good luck fixing that!) they may be “temporary” for some time.

     

  • Flash sometimes doesn't like SSL

    I found a strange problem recently.  Using Gallery I could always upload new pictures but someone else using Vista could not upload any pictures.  It didn’t matter if she used IE or Firefox, every single upload made Gallery come up with error #2038 (IO). I could say that anyone that uses Vista deserves everything they get, but that would be a little churlish (if true).

    A few searches showed that this is basically Gallery saying “something bad happened with your upload”. No, really? You mean it’s not supposed to be a big red box and no uploaded file? It’s not the world’s most useful error message.

    What got me onto the right path was a message on the Gallery forums, though it was the other way around. Gallery uses a Flash uploader, and this is the same Flash whether you use Firefox or IE. It seems it doesn’t like “strange” SSL certificates, such as chained certificates like that site uses (and my site too). No doubt there is probably some work-around or setting to fix it, but being Vista it’s probably buried in 20 menu items under some obscure reference.

    Setting up the gallery under a non-ssl site fixed it. Perhaps more correctly it was a work-around.

  • Passwords in PHP


    Generally speaking it is a really bad idea to hold passwords in cleartext. I am actually amazed people still do this!  The standard way of holding passwords that has been around for years is to encrypt or hash the password and store the result, called a ciphertext.  There have been many ways of hashing the password, starting off with plain old crypt with no salt (a random pair of characters) then crypt with salt through to MD5 and SHA.

    The thing is, each one of these hashing techniques results in a ciphertext of a different length. Now with most languages, this doesn’t matter because you know what hash you are using; it’s simply the name of the function or some flag you set.

    PHP is different, because all of these methods use the one function called crypt, which is a little confusing because it is more than plain old crypt. Around PHP version 5.3 the developers started putting in the more complex hash algorithms, which is good, but the ciphertext has been growing.

    A lot of applications store this hashed password in a database and the decision needs to be made; how big should this field be?  For a long while, 50 characters would be enough and this is what programs like JFFNMS use.  Unfortunately the SHA-512 algorithm needs 98 characters so what you get is half a hash stored. When the user enters their password, the program compares the full hash from that password to the half hash in the database and it always fails.

    I’ve adjusted JFFNMS to use 200 character long fields which is fine for now. The problem is who knows what the future will bring?
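
    The failure described above can be reproduced in a few lines. This is an added example, not JFFNMS code: the password and salt are constructed, and the helper names (store_in_column, verify_password, column_fits) are hypothetical. The 50 and 200 character widths are the ones from the post.

    ```php
    <?php
    // Added example: reproduces the truncated-hash login failure.
    // Column widths 50 and 200 come from the post; the password and
    // salt are constructed sample values.

    /** Simulate a fixed-width database column by cutting the value at $width. */
    function store_in_column(string $hash, int $width): string
    {
        return substr($hash, 0, $width);
    }

    /** Verify the way crypt()-based applications do: re-hash the password using
     *  the stored value as the settings string, then compare in constant time. */
    function verify_password(string $password, string $stored): bool
    {
        return hash_equals($stored, crypt($password, $stored));
    }

    /** Width check: does the column hold a full hash for this settings string? */
    function column_fits(string $settings, int $width): bool
    {
        return strlen(crypt('probe', $settings)) <= $width;
    }

    $password = 'correct horse battery staple'; // constructed
    $settings = '$6$saltsalt$';                  // SHA-512 crypt, 8-character salt (constructed)

    $full = crypt($password, $settings);
    printf("full hash length: %d\n", strlen($full));

    foreach ([50, 200] as $width) {
        // crypt() still reads the algorithm and salt from a truncated value,
        // so it returns the full-length hash, which can never equal the
        // shortened string held in the column.
        $stored = store_in_column($full, $width);
        printf(
            "column %3d: stored %3d chars, fits=%s, login %s\n",
            $width,
            strlen($stored),
            column_fits($settings, $width) ? 'yes' : 'no',
            verify_password($password, $stored) ? 'succeeds' : 'fails'
        );
    }
    ```

    The hash length depends on the settings string, not just the algorithm: a longer salt or a rounds= parameter makes the SHA-512 result longer than the 98 characters seen here, so check the column width against the settings the application really uses.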

  • Lottery from ancient rockers

    Apparently I’ve won the lottery. What is even more amazing is that it is one based not in Australia but in the UK ELO (England Lottery Organisation) and I didn’t even buy a ticket. Even more amazing is even though this organisation is based in England, they don’t write English very well; perhaps it’s declining school standards. They’re so concerned about giving you the maximum return on the dollar (or pound) they don’t even use a proper co.uk email address but a free webmail from umail.

    It is, of course, a scam. Popularly known as Nigerian 419 or advanced-fee fraud. You can win the money but.. well it seems there is some holdup and you need to pay some “release fee” or some bribe to get your dollars. What makes me a little sad is it was for only 250,000 UK pounds. I feel ripped off as a few Google searches showed people being offered over 500,000 pounds on the same scam. Don’t these crooks know I have a high aussie dollar exchange rate to overcome?

    About the only interesting thing about it was that my dspam filters missed it but they’ve now been retrained with that miss. I think sending it as a pdf was why it made it through.

    And I now cannot get ELO (Electric Light Orchestra) songs out of my head, thanks a lot scammers! (It’s a livin’ thing, ya know)

  • Gjay 0.3.2 released

    After getting past a series of silly errors gjay version 0.3.2 is now available.  The source code was uploaded to SourceForge and the Debian package has been uploaded to the FTP master site.

    This version fixes the linking bug that has been extensively reported in a lot of Debian packages. This is where you are using symbols of a library from another but not explicitly linking to it. It means some versions of GCC will fail to link.

    gjay will now create playlists for Music Player Daemon or mpd and get mpd to run them too. It does need mpd and gjay to be on the same computer, or at least the same directory structure, so both programs know what the file is. While gjay has a full view of the filesystem, mpd uses a relative one off its own concept of a root directory.

    As a result of the two music players, both the audacious and mpd client libraries are not linked to gjay but are linked at runtime using dlsym(). It means you don’t need the audacious libraries if you like mpd or vice versa.  I’m not that experienced in using dlsym so hopefully I’ve not stuffed it up; it works for me!

    In theory, gjay could pass its playlists onto other music players.  The problem is knowing how to get the list into the player.  After it does its sorting and randomising, gjay ends up with a linked list of file-names. Now for audacious or (with some caveats) mpd it is pretty simple because they use file-names but others don’t do this.  If you know how it is done with your favourite player then let me know.

     

  • Getting around the WordPress "add image" bug

    WordPress currently has an annoying bug where you cannot add images easily using the in-built editor. Instead of a pop-up being shown with the image setting details, you are sent to another page.  Once you choose the image size etc, you go to a blank page. Until that’s fixed, there is a work-around.  It’s not exactly pretty but it does work. I have assumed you have uploaded your images to the media library first.

    First, type up what you want your blog entry to say. Then save it as a draft, which is the button in the blue circle in the screenshot. Then click the “add image” icon, which will bring up the warning to go to the image selection page. This page should be a pop-up on the same screen but is not (and is the bug).


    On the image selection page choose “Image library” which is the blue circle and edit the meta-data such as the name caption etc. Once you are happy with your decisions, click the “Insert into Post” button (red circle) which goes to a blank screen.

    The blank screen actually does have data in it. You will need to view source which will show something like:

    
    

    The stuff in the win.send_to_editor is what you want. You will also need to change the backslash-quotes to plain quotes, so the code I would use is

    
    

    You then enter this information back into your post (click back a few times in your browser). Also, make sure you have your editor set for HTML and not Visual for it to work. With that small bit of HTML, I have a nice set of home-grown tomatoes, or whatever else you want.

  • Silly C errors in gjay


    I have been working on Gjay to add support for Music Player Daemon (http://mpd.wikia.com/wiki/Music_Player_Daemon_Wiki), where I had what initially looked like a strange problem. When WITH_MPDCLIENT was defined, the program would crash in all sorts of weird places when the main program structure had this:

    #ifdef WITH_MPDCLIENT
    struct mpd_connection *mpdclient_connection;
    #endif

    But would work fine when it was:

    struct mpd_connection *mpdclient_connection;
    #ifdef WITH_MPDCLIENT
    #endif /* WITH_MPDCLIENT */
    

    I tried changing the structure to just void *blah to see if it made a difference and it didn’t. The program would crash every time.

    The answer was pretty simple in the end. WITH_MPDCLIENT is defined in the file config.h and not every C source file was including it. Needless to say, they should! So half the program was using one version of the structure and the other half was using another; no wonder the whole program was a mess, because anything beyond this entry in the structure would be a few bytes out.

    With that little insanity out of the way, I can get back to making gjay work with MPD.

  • JFFNMS at RC2, ncurses at 5.8

    After some reports back about [JFFNMS](http://www.jffnms.org/) 0.9.0rc1 I have now updated it to rc2. Thanks to all who gave me information about how it worked in YOUR setup. I cannot be sure but I’d say the second RC will be the last until the release itself.

    Sven has also given me the nod and ncurses 5.8 migrated into unstable. We’ve had one report that the new version of ncurses might not play well with stfl (see #616711) but generally speaking it should work ok.

    Finally, congratulations to the Debian project on [winning two categories at the Linux New Media Awards](http://www.debian.org/News/2011/20110304). It was especially good to hear the presentation by Karsten Gerloff who is president of the Free Software Foundation Europe.

    ## ncurses bug update
    It seems that the ncurses bug is more serious and is to do with the newwin() function in the library. If you get crashes when a program starts and it is linked to ncurses 5.8 (even if it is not a Debian system) you may have this problem.

    It doesn’t happen to all ncurses programs, as the stfl example code and mutt work ok.


  • Apache and incomplete redirection messages

    As part of moving my site around, I needed a bunch of redirects so that http://enc.com.au/docs/linuxload.html now becomes http://enc.com.au/2010/07/manually_calculating_process_times/ because it’s now controlled by [Wordpress][]. So I used the [RedirectPermanent][] feature of [mod_alias][2.2 mod_alias] to do it with lines like:

    RedirectPermanent /docs/linuxload.html /2010/07/manually_calculating_process_times/
    

    So you come in on /docs/linuxload.html and redirect to the blog entry, simple really! It actually works, kinda, but the log files fill with things like:

    [Fri Mar 04 14:40:17 2011] [warn] [client 172.16.242.1] incomplete redirection target of '/2010/07/manually_calculating_process_times/' for URI '/docs/linuxload.html' modified to 'http://enc.com.au/2010/07/manually_calculating_process_times/
    

    What is going on? Why won’t Apache just be quiet and be happy? The reason is in the Redirect Directive documentation on the [2.0 mod_alias][] page:

    > Also, URL-path must be a fully qualified URL, not a relative path, even when used with .htaccess files or inside of sections.

    But I’m running Apache 2.2 and the [2.2 mod_alias][] page says:

    > The new URL should be an absolute URL beginning with a scheme and hostname, but a URL-path beginning with a slash may also be used, in which case the scheme and hostname of the current server will be added.

    That’s it, you have two choices:

    * Use relative URLs and have Apache complain
    * Use absolute URLs and have a happy Apache

    Changing the above config snippet to use an absolute URL fixed it.

    RedirectPermanent /docs/linuxload.html http://enc.com.au/2010/07/manually_calculating_process_times/
    

    [2.2 mod_alias]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html
    [2.0 mod_alias]: http://httpd.apache.org/docs/2.0/mod/mod_alias.html
    [RedirectPermanent]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirectpermanent
    [Wordpress]: http://www.wordpress.org/

  • JFFNMS 0.9.0 release candidate 1 out

    The next version of [JFFNMS](http://www.jffnms.org/) is nearing completion and is now at Release Candidate 1. Version 0.9.0 has a major amount of work in cleaning up and securing the code.

    The majority of the work has been in the complete re-write of the engines that do the polling, autodiscovery and consolidation. The parent/child communication has changed as has the way the processes are forked.

    On the front-end, the requirement to register globals has finally been removed, with the code explicitly specifying and sanitising the variables it requires. This will make it easier to debug problems and make the application webservers more secure.

    Finally there is better support for High Capacity interface counters and some support for IPv6, meaning you can see how slow ipv6.google.com is from your place.

    JFFNMS 0.9.0rc1 is available from SourceForge at