All posts by Kic

SSH doesn’t allow logins with keys? SELinux!

If you have correctly setup your authorized_keys and are sure it should allow you logins with keys – then maybe SELinux is giving you a hard time. Especially if your user is not under the normal home directory folder /home. In your /var/log/{auth,secure} files you will see that sshd is not allowed to open authorized_keys and/or authorized_keys2 after you set the “LogLevel DEBUG” in /etc/ssh/sshd_config.

In that case, try to set the correct settings again:

chcon -t ssh_home_t ~PROBLEMATIC_USER/.ssh/
chcon -t ssh_home_t ~PROBLEMATIC_USER/.ssh/authorized_keys

Now everything will work again.

Charge HP Stream 7 while using it with an OTG cable

After a quite frustrating experience with an HP Stream 7 tablet, which refused to get charged while having a USB stick connected to it via an OTG cable, I found an extremly easy solution:

Just disable the Microsoft AC Power Supply which can be found in the device manager under Batteries.

Voila – that’s it.

I have the German version only where it says Microsoft Ladegerät and can be found under Akkus.

Installing Debian Jessie on an APU1D4

To install Debian Jessie on an APU1D4, it is easiest to go for a network installation. You need
– a TFTP server
– a DHCP server
– the Debian file structure in the TFTP server’s root directory

For DHCP you will need something like the following configuration:

ddns-update-style none;
max-lease-time 186400;
authoritative;

subnet 192.168.66.0 netmask 255.255.255.0 {
  range 192.168.66.100 192.168.66.150;
  option domain-name-servers 192.168.66.1;
  option domain-name "example.com";
  option domain-search "example.com";
  option routers 192.168.66.1;
  option broadcast-address 192.168.66.255;
  default-lease-time 86400;
  max-lease-time 186400;
}

host apuc{
	hardware ethernet 00:0d:b9:12:34:bc;
	fixed-address 192.168.66.66;
        filename "pxelinux.0";
        next-server 192.168.66.1;
}
host apud{
	hardware ethernet 00:0d:b9:12:34:bd;
	fixed-address 192.168.66.66;
        filename "pxelinux.0";
        next-server 192.168.66.1;
}
host apue{
	hardware ethernet 00:0d:b9:12:34:be;
	fixed-address 192.168.66.66;
        filename "pxelinux.0";
        next-server 192.168.66.1;
}

For the TFTP server you need something like the following configuration:

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

Then simply extract the debian installer files into /src/tftp . I have included my working configuration into netboot_serial_20150107.tar. Should you want to change its configuration, simply edit the file pxelinux.cfg/default file. Mine looks as follows and is preconfigured for serial console output:

default install
label install
	menu label ^Install
	menu default
	kernel debian-installer/amd64/linux
	append initrd=debian-installer/amd64/initrd.gz --- vga=normal console=tty0 console=ttyS0,115200n8

Attach a serial console cable and fire it up!

Frontend for openssl to check key chains

Since checking SSL key chains with openssl is sometimes a bit tricky, I have written a little perl script as wrapper around it.

Just download check_chain.zip, unzip it and run it as follows:

./check_chain.pl -p server port

-p (optional) prints out the certificates as well
server is the server to check
port (optional) is the port to connect to.

Here is the code:

#!/usr/bin/perl -w

use strict;

my $has_date_parse = 1;
eval {
	require Date::Parse;
	Date::Parse->import( qw/str2time/ )
};

if ( $@ ne "" ) {
	print "Module Date::Parse not found! Skipping expiration date calculation!\n";
	$has_date_parse = 0;
}

my $print_cert = 0;
my $host = shift || &usage();
if ( $host eq '-p' ) {
	$print_cert = 1;
	$host = shift;
}
my $port = (shift || 443);


my $output = `echo "\t" | openssl s_client -host $host -port $port -showcerts 2> /dev/null`;

my $cert_num = 0;

my $line;
my @certs;
my %certs;

foreach $line ( split /\n/, $output ) {
	if ( $line =~ /BEGIN CERTIFICATE/ .. $line =~ /END CERTIFICATE/ ) {
		$certs[$cert_num] .=  "$line\n";
	}
	$cert_num += 1 if $line =~ /END CERTIFICATE/;
}

my $i;
my $serial;
my $attribute;
foreach $i ( 0 .. scalar @certs -1 ) {
	$serial = qx{echo "$certs[$i]" | openssl x509 -serial -noout};
	$serial =~ s/serial=//;
	chomp $serial;
	$certs{$serial}{'certificate'} = $certs[$i];

	foreach $attribute ( qw/issuer subject issuer_hash subject_hash enddate/ ) {
		$certs{$serial}{"$attribute"} = qx{echo "$certs[$i]" | openssl x509 -$attribute -noout};
		chomp $certs{$serial}{"$attribute"};
		$certs{$serial}{"$attribute"} =~ s/notAfter=//;
	}

	# Certificate stored, reuse @certs to keep order with serial number
	$certs[$i] = $serial;
	$certs{$serial}{"order"} = $i;
}

print "\nChecked server: $host on port $port\n";

my $found;
foreach $i ( 0 .. scalar @certs -1 ) {
	print "\nCertificate $i:\n";
	$serial = $certs[$i];
	print "\t", $certs{$serial}{"subject"}, " (hashed: ", $certs{$serial}{"subject_hash"}, ")\n";
	print "\tserial number (check in browser): $serial\n";
	print "\texpires: ", $certs{$serial}{"enddate"};
	if ( $has_date_parse == 1 ) {
		print " (in ", int ((str2time($certs{$serial}{"enddate"}) - time) /60/60/24  ), " days)" ;

	}
	print "\n";
	print "\t", $certs{$serial}{"issuer"}, " (hashed: ", $certs{$serial}{"issuer_hash"}, ")\n";
	print "\tissuer found in chain: ";
	$found = "NO - should be root certificate";
	if ( $certs{$serial}{"issuer_hash"} eq $certs{$serial}{"subject_hash"} ) {
		$found = "SELF SIGNED CERTIFICATE";
	} else {
		foreach ( keys %certs ) {
			if ( $certs{$serial}{"issuer_hash"} eq $certs{$_}{"subject_hash"} ) {
				$found = "YES";
			}
		}
	}
	print "$found\n";
}

if ( $print_cert == 1 ) {
	foreach $i ( 0 .. scalar @certs -1 ) {
		print "\nCertificate $i:\n";
		$serial = $certs[$i];
		print $certs{$serial}{"certificate"}
	}
}

sub usage {
	print "Usage: $0 [-p] server_name [port]\n";
	print "\t-p : also print certificates\n";
	print "\tserver_name : server to check, mandatory\n";
	print "\tport : port to check, default: 443\n";
	exit;
}

Its output is as follows:

$ ./check_chain.pl www.lavalite.de

Checked server: www.lavalite.de on port 443

Certificate 0:
	subject= /C=DE/OU=Domain Control Validated/CN=www.lavalite.de (hashed: dad54aee)
	serial number (check in browser): 11213FB18C3CEF8B39A731AB874D155363F2
	expires: Dec  8 11:13:28 2015 GMT (in 318 days)
	issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 (hashed: 79701ca5)
	issuer found in chain: YES

Certificate 1:
	subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 (hashed: 79701ca5)
	serial number (check in browser): 040000000001444EF03E20
	expires: Feb 20 10:00:00 2024 GMT (in 3314 days)
	issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA (hashed: b0f3e76e)
	issuer found in chain: NO - should be root certificate