Plain IPsec connections between Linux and Windows with pre-shared key
My employer publishes Windows shares via IPsec to the Internet. This way we have native access to our files whenever firewall rules permit IP protocol IDs 50 (ESP) and 51 (AH) as well as ISAKMP/IKE on UDP port 500 or 4500 (NAT-T). This is a really nice setup with Windows clients, redirected home shares and Offline Files.
Anyway, although the shares are also published via WebDAV, I wanted to access them natively through SMB/CIFS from Linux. This is where the SourceForge-hosted ipsec-tools come into play. The tools were originally developed for the BSD operating systems as part of the KAME project but have been ported to Linux. If you want to use them to connect to a Windows machine it is absolutely essential that you have version 0.8 or later of the tools, as it includes a patch that handles a phase 2 negotiation problem. If you are running openSUSE 12.3 as I do, you will not get compiled binaries out of the standard repositories (not even in Factory). Fedora and Ubuntu have them already. A setkey -V will tell you if you are all set.
Once you have the tools installed there are mainly three configuration files that need to be touched, all usually located in /etc/racoon:
- psk.txt - this is where the pre-shared key is stored
- setkey.conf - rules for the Security Policy Database (SPD)
- racoon.conf - IKE daemon doing the dynamic key negotiation stuff
psk.txt
You should chmod 400 this file.
# Format is
# <IP/email/domain> <complex PSK>
8.8.8.8 sdhAFF3417C18C$74B2.5AiohA64!475F1B;E41:35,2\C
setkey.conf
Windows by default uses ESP only, so the AH rules are commented out!
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.0.0/16 8.8.8.8 any -P out ipsec
    esp/transport//require;
#   ah/transport//require;

spdadd 8.8.8.8 192.168.0.0/16 any -P in ipsec
    esp/transport//require;
#   ah/transport//require;
racoon.conf
Check man racoon.conf for details
path pre_shared_key "/etc/racoon/psk.txt";
#log [notify|debug|debug2];
remote anonymous {
    nat_traversal on;
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    # pfs_group 2;
    encryption_algorithm 3des,aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
When everything is set as required the policy needs to be activated. This is done with
setkey -f /etc/racoon/setkey.conf
and you can verify with
setkey -DP
If you want to disable the rules flush the SPD with
setkey -FP
and the kernel will stop using IPsec.
Finally, run
racoon -F
(-F is for foreground) and possibly change the logging level if something goes wrong.
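A pre-flight check for psk.txt, as an added example that is not part of the original post: it verifies the chmod 400 requirement and the <identifier> <secret> shape of every entry before racoon is started, since racoon itself only complains about a missing key once a peer tries to negotiate. MIN_PSK_LEN and the identifier patterns are my own assumptions, not racoon's rules.

```python
# Added example (not from the original post): a pre-flight check for racoon's
# psk.txt. Verifies the file mode and the "<identifier> <secret>" shape of every
# entry. MIN_PSK_LEN and HOST_RE are my own assumptions, not racoon's rules.
import ipaddress
import os
import re
import stat

MIN_PSK_LEN = 20  # assumption: anything shorter is flagged as weak
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def classify_identifier(ident):
    """Return 'ip', 'email', 'fqdn' or None for an unrecognised identifier."""
    try:
        ipaddress.ip_address(ident)
        return "ip"
    except ValueError:
        pass
    if ident.count("@") == 1 and HOST_RE.match(ident.split("@")[1]):
        return "email"
    return "fqdn" if HOST_RE.match(ident) else None


def check_psk_text(text):
    """Return [(line_no, problem)] for the contents of a psk.txt."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored, as racoon does
        parts = line.split(None, 1)  # the secret is everything after the first gap
        if len(parts) != 2:
            problems.append((no, "expected '<identifier> <secret>'"))
            continue
        ident, secret = parts
        if classify_identifier(ident) is None:
            problems.append((no, "identifier is not an IP, e-mail or FQDN"))
        if len(secret) < MIN_PSK_LEN:
            problems.append((no, "secret shorter than %d characters" % MIN_PSK_LEN))
    return problems


def mode_problems(mode):
    """Problems for a psk.txt permission mode; the post asks for chmod 400."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [(0, "readable by group or others (mode %04o)" % mode)]
    return []


def check_psk_file(path):
    """Combine the permission and content checks for a psk.txt on disk."""
    st = os.stat(path)
    with open(path) as fh:
        return mode_problems(stat.S_IMODE(st.st_mode)) + check_psk_text(fh.read())
```

Run check_psk_file("/etc/racoon/psk.txt") before racoon -F; an empty list means the file is private and every entry parses.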
Stay tuned for more as I'll dig into automatic start at boot time, less privileged user rules and certificates as authentication method.
A Tag Cloud for BlazeBlogger
I am using BlazeBlogger as my Content Management System (CMS), which is a bunch of Perl scripts that create static web pages from text files. Thus, no database or dynamic content. So far it has perfectly fitted my needs, but as my categories kept growing I started disliking the default list view for them (similar to the Archive list to your right).
I did some research and quickly found a Perl module that creates tag clouds, and since the author of BlazeBlogger didn't respond to the email I sent containing the changes I made to the code, I just publish it here. Maybe someone finds this useful.
I am running a Debian system, and to get the Perl module HTML::TagCloud onto the system a simple aptitude install libhtml-tagcloud-perl is all it requires. You can alternatively get it from CPAN directly. Furthermore, I added/commented the following lines in the blaze-make file (numbers are line numbers in blaze-make):
 28  use HTML::TagCloud;
563  if (my %tags = %$tags) {
564    # Return the list of tags:
565    #return join("\n", map {
566    #  "<li><a href=\"" . fix_link("%root%tags/$tags{$_}->{url}") .
567    #  "\">$_ (" . $tags{$_}->{count} . ")"
568    #} sort(keys(%tags)));
569
570    ### ADDED begin ###
571    # Create tag cloud: one entry per category with its link and post count
572    my $cloud = HTML::TagCloud->new;
573
574    foreach my $tag (sort(keys(%tags))) {
575      $cloud->add( $tag, fix_link("%root%tags/$tags{$tag}->{url}"), $tags{$tag}->{count} );
576    }
577    return $cloud->html_and_css(50);
578    ### ADDED end ###
579  }
In the end you'll get a beautiful little tag cloud, as you can see to your right for the Categories :)
How to replace Outlook with Thunderbird to connect to Office365
With rich email clients dying (check here and here) this article may be already outdated but I thought I'd share it anyway. Maybe Outlook Web App (OWA) is going to be it after all ;-)
This concept is part of my migration from a Microsoft desktop to Linux, something I have been wanting to do for quite some time now but I always got stopped by one feature or another. And with this Windows 8 disaster for desktop users the whole idea got picked up with renewed enthusiasm (I know Metro uhm... the (new) Microsoft Design Language is the future of Windows but it's just not ready yet).
I narrowed down two primary functions that are required for my daily work: a client that works with the Microsoft Exchange/Office365 backend my employer provides, and support for Microsoft Lync for Instant Messaging (IM), conferencing, and audio/video calls. With the Office question long being solved and the announced Skype integration into Lync on the horizon, only a decent Outlook substitute is left to be found.
Well, if your usage profile is similar to mine then look no further.
BTW this has been tested with Thunderbird (TB) version 17.0 and I decided for a smooth migration path so currently I am still running on Windows 8 and I still have Outlook/Office installed in parallel with Thunderbird/LibreOffice.
Required Plug-Ins
- Lightning 1.9
- Exchange 2007/2010 Calendar and Tasks Provider 3.1.3
- ExQuilla for Microsoft Exchange 19.3
- TBDialOut 1.7.2 (w/Lync or other VoIP solution)
- Telify 1.3.3 (make phone numbers a link)
Usage Profile
I consider myself a moderate Outlook user with a focus on email, calendaring, contacts, and a little bit of tasks/to-dos. I have no idea what this Journal feature is for and I also do not know if my way of using Outlook is the best. I rarely access other colleagues' calendars and I never access other mailboxes or grant access to mine. I do use Outlook for business and the backend has been Office365 for quite some time now.
In my day-to-day work email is the number one functionality and since I never organize emails into subfolders or anything alike, searching is the must have feature. I also use the possibility to create tasks/to-dos with the follow-up option but I do not categorize emails. When I create message rules I always try to make them server side, something I have always achieved so far ;-)
Calendaring of course gets me organized but I only have a single calendar. I do check calendars of my colleagues occasionally. Furthermore, I started to use tasks and to-dos more and although I'd be willing to use another tool for this purpose, I do like the interplay with emails/follow-up.
Last but not least contacts are not to be forgotten. Besides a reliable sync of the local address book, searching the Global Address List (GAL) is a must-have and using the GAL as a source for auto-completion is also a requirement.
Obviously, syncing reliably is very important. I actively use Android, iOS, Linux, MeeGo, and Windows devices with most of them using Exchange Active Sync to do the synchronization.
How it works
The gateway to Microsoft Exchange is Exchange Web Services (EWS). I was pretty surprised to find out that there are some advanced add-ons to Thunderbird that make use of this feature. Long gone are the days when OWA was used as a workaround to talk to the Exchange backend. Luckily, this gateway is open to Office365 users.
Currently I use IMAP to connect to my Office365 Exchange mailbox and I haven't tested ExQuilla for this purpose yet. IMAP works reliably and fast and I do not see a reason why I should rely on an add-on here. Sending is done via SMTP.
To find out your server URLs for the IMAP and SMTP service you can go to the Office365 website (usually something like https://www.outlook.com/<DOMAIN NAME>.onmicrosoft.com) and check the OWA options. You should see a link Settings for POP, IMAP, and SMTP access...
ToDo: Screenshot walkthrough
Calendar
The Exchange 2007/2010 Calendar and Tasks Provider add-on is used to synchronize calendars and tasks. It also supports contacts sync but I have found this to be a little bit unstable. Furthermore, auto-completion from the GAL is not supported yet (version 3.1.3).
This EWS provider also manages the Out-of-Office (OoO) settings, which you can set on a per-calendar basis (can anyone tell me a use case for this?). First tests were successful, although you get a bunch of HTML crap if you take over the text set from an Outlook client.
Otherwise, this plug-in works reliably as far as I can tell, and the developer suggests checking the official website for the latest version as submission to the TB catalog may take a while. Development is quite active (the last stable release dates from October 2012) so this seems to be a good choice.
ToDo: Screenshot walkthrough
Tasks
Tasks also use the Exchange 2007/2010 Calendar and Tasks Provider add-on, and you need to create a second calendar for tasks to work. Although it says it supports to-dos (what's the difference?), I haven't managed to get this working. But I can live with that.
Sometimes duplicate entries appear for events. Looks like every event also is a task in the Outlook mailbox. The task shows the free/busy information while the event itself does not. I haven't found out yet when those entries appear and disappear but you can always quickly disable the view for the tasks calendar item when you find this annoying.
ToDo: Screenshot walkthrough
Contacts
Sadly, the EWS calendar and task provider insufficiently supports contacts sync. Sometimes the address book completely hangs and you need to kill the whole Thunderbird process tree to get it working again. Furthermore, it also doesn't support auto-completion from GAL items. So this is where the ExQuilla add-on jumps in. In the end you have quite a few address books configured, but hey, it works. OK, I know it's a little bit confusing and I do hope the EWS provider will bring reliable contacts support soon, but for the time being...
ToDo: Screenshot walkthrough
What doesn't work?
ToDo: Update paragraph
So far I am pretty satisfied. Of course, one needs to adapt to the new UI and so on but most features relevant to me work fine (e.g. search).
Lync integration isn't there, but TBDialOut lets me at least dial from the address book. It would be great if it supported dialing from an email (Sender, CC, etc.), too. Telify offers phone numbers as links in the email body though.
Opening calendars from colleagues or managing filter rules isn't possible either but I rarely have to so I use OWA for this.
Tasks do work (seem to need a separate calendar item) but To-Dos do not.
Other nice Add-Ons I use
- MinimizeToTray revived (MinTrayR) 1.1.2
- Inverse SOGo Connector 10.0.4 (CalDAV and CardDAV sync with my SabreDAV server). WATCH OUT version 17.x doesn't work for me with TB 17!
Base64 decoding now also possible with DuckDuckGo
Now that's something. A couple of weeks ago I mailed DuckDuckGo support asking if they also support decoding base64, but they didn't. Today I am searching for an online decoder again and... there it is:
base64 decode -String-to-decode-
Just type base64 decode in front of any base64-encoded string into the search field of DuckDuckGo and that's it.
Keep up the great work, you people at DuckDuckGo.
Google go home!
Windows Server 2012 Internal Database Connection String
With the new release of Windows Server Microsoft not only changed the location and name of the internal database to Windows Internal Database (WID) but also the string you need to use to connect to it for management purposes. It is now:
\\.\pipe\MICROSOFT##WID\tsql\query
Now someone please update the Wiki article at
https://en.wikipedia.org/wiki/Windows_Internal_Database
BTW I found this in the log file located under
%WINDIR%\WID\Log\error.log
There you can also find details about the version of the WID that is running:
Microsoft SQL Server 2012 - 11.0.2100.60 (X64)
    Feb 10 2012 19:39:15
    Copyright (c) Microsoft Corporation
    Windows Internal Database (64-bit) on Windows NT 6.2 (Build 9200: ) (Hypervisor)
(c) Microsoft Corporation. All rights reserved.
Server process ID is 1648.
Authentication mode is WINDOWS-ONLY.
Logging SQL Server messages in file 'C:\Windows\WID\Log\error.log'.
The service account is 'NT SERVICE\MSSQL$MICROSOFT##WID'. This is an informational message; no user action is required.
Registry startup parameters:
     -w 65535
     -T 1617
     -K
     -e C:\Windows\WID\Log\error.log
     -l C:\Windows\WID\Data\mastlog.ldf
     -d C:\Windows\WID\Data\master.mdf
Command Line Startup Parameters:
     -S "MSWIN8.SQLWID"
     -s "MICROSOFT##WID"
Base64 encode with DuckDuckGo
I searched for an online base64 en-/decoder with my search engine of choice DuckDuckGo and accidentally discovered that they directly encode any string you type if the first word is base64.
I checked but didn't find this feature documented. So I asked their support if they also support decoding. Sadly, they do not but took it as a feature suggestion.
So click this to encode The Perimeterless Network
https://duckduckgo.com/?q=base64+The+Perimeterless+Network
Even cooler, since I use IE shortcuts I only need to type dd base64 String-To-Encode (dd being my DuckDuckGo shortcut) in my address bar and I have it directly encoded. And since the IE address bar is part of my Windows taskbar, base64 encoding a string is a matter of not even switching windows.
Catch Windows SNMP Trap Service Input
During the setup of some network appliances I was looking for a tool to display the information the local SNMP Trap service on a Windows machine receives. This was mainly for firewall testing purposes to ensure I was receiving what I was looking for.
I was working on production systems of a customer so I didn't want anything with an installer, and since I was sitting on Windows servers, being from Microsoft was also desirable. Well, duckducking the Internet I stumbled upon SNMPUtil.exe, a quite old tool from the NT4 Resource Kit that also made it into the later W2K ResKit. Many of those little helpers can be downloaded from Microsoft, but although I had access to an MSDN account I could not find the tool anywhere officially.
I just could not justify using executable code from an untrusted source so I was doing some more research why this tool had disappeared from the Surface of the world of Microsoft (hehe, like this teaser - it's gonna get me billions of clicks). To make a long story short, due to a Java-related settlement Microsoft made with Sun Microsystems certain products are not available anymore. So that path was jammed.
I figured it could not be that hard to code a small tool myself that would hook into the service and just print out what was coming in on the command line. I cannot remember what I was specifically searching for, but I ended up on a site with the source code of SNMPUtil. If the link does not work, try hackchina and snmputil with a search engine of your choice. Well, source code... can it be more trusted?
So where would I get an IDE for C? Right, there's a tool from Microsoft perfectly fitting my requirement to do some express coding ;-). A quick install in my development virtual machine and I was ready to dig into C coding a little bit.
OK, I have to admit I only deleted lines of code and ensured all dependencies were there to let me compile the code. I created the following diff file with the GnuWin32 tools. Patch is also available if you want to patch the code from Code Forge.
Ah yes, I needed to add the following library files to be able to link the code:
- MgmtAPI.Lib
- SnmpAPI.Lib
So if you want to see what's coming in to your SNMP Trap service, ensure it is running in the first place. Then switch to the command line and run the snmpCatcher executable you hopefully managed to compile ;-) Lean back and enjoy the traps...
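To see what a received trap actually contains without going through the Win32 MgmtAPI, here is an added example (not the SNMPUtil-derived snmpCatcher code from the post) that decodes the SNMPv1 Trap-PDU byte layout the Windows SNMP Trap service receives on UDP/162; SAMPLE_TRAP is a constructed packet, not a capture.

```python
# Added example (not the SNMPUtil-derived code from the post): a minimal BER walker for
# the SNMPv1 Trap-PDU layout the Windows SNMP Trap service receives. SAMPLE_TRAP is constructed.
SAMPLE_TRAP = bytes.fromhex(
    "303b" "020100" "0406" "7075626c6963"             # SEQUENCE, version 0, community "public"
    "a42e" "0607" "2b06010401bf08"                     # Trap-PDU, enterprise 1.3.6.1.4.1.8072
    "4004" "c000020a" "020106" "020101" "4302" "03e8"  # agent 192.0.2.10, generic 6, specific 1, uptime 1000
    "3013" "3011" "0608" "2b06010201010500" "0405" "686f737431"  # one varbind: sysName.0 = "host1"
)

def tlv(buf, pos=0):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OBJECT IDENTIFIER payload to dotted notation (base-128 sub-identifiers)."""
    ids, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(acc)
            acc = 0
    return ".".join(map(str, ids))

def decode_value(tag, value):
    """Decode the scalar types an SNMPv1 trap can carry; anything else stays hex."""
    if tag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter, Gauge, TimeTicks
        return int.from_bytes(value, "big", signed=(tag == 0x02))
    if tag == 0x40:  # IpAddress: four raw octets
        return ".".join(str(b) for b in value)
    return {0x04: lambda v: v.decode("latin-1"), 0x06: decode_oid}.get(tag, bytes.hex)(value)

def decode_trap(packet):
    """Return the fields of an SNMPv1 trap as a dict; ValueError for anything else."""
    tag, msg, _ = tlv(packet)
    _, version, pos = tlv(msg)
    _, community, pos = tlv(msg, pos)
    pdu_tag, pdu, _ = tlv(msg, pos)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, pos = [], 0
    for _ in range(6):  # enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
        t, v, pos = tlv(pdu, pos)
        fields.append(v if t == 0x30 else decode_value(t, v))
    varbinds, pos = [], 0
    while pos < len(fields[5]):  # each varbind is SEQUENCE { OID, value }
        _, vb, pos = tlv(fields[5], pos)
        _, oid, p = tlv(vb)
        varbinds.append((decode_oid(oid), decode_value(*tlv(vb, p)[:2])))
    keys = ("community", "enterprise", "agent", "generic", "specific", "uptime", "varbinds")
    return dict(zip(keys, (community.decode("latin-1"), *fields[:5], varbinds)))
```

Feed decode_trap the payload of each UDP/162 datagram and print the dict to get the same view snmpCatcher gives, including the community string the sender used.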
Microsoft AD RMS goes mobile
To spread the rumor, there is a new solution for mobile devices on the horizon supporting Rights Management Services (RMS) from Microsoft:
It is said to support iPhone, iPad and RIM BlackBerry devices. Looking forward to seeing it on the App Store.
Times Change
The iPhone Killer Pt.1
A couple of years ago the smartphone decision to take was: "Will I go with the iPhone 3G or do I choose a Windows Mobile 6 phone?". I remember well sitting next to my boss at our Christmas party. When he heard about my thoughts he just slipped over the brand new Apple device and said: "If you have questions the answer is 'Only one button.'". I was so pissed at the time about the laggy Windows Mobile phones that I got convinced right away, although I knew I would hate Apple for their "Do what we tell you to do" politics.
After two years most of my colleagues upgraded to the new iPhone 4, some switched to a Windows Phone 7 device, and others went the Android way. Mainly because I saw the need for improvements on the hardware side I felt the time is not ready for a change but I also felt it would be before another two years pass. I decided to stick with my iPhone 3G and luckily I got hold of an unused 3GS otherwise I might not have been able to wait that long. At that point I thought my next device would be Android driven.
Since then I have tested every beta of iOS 5. Apple did some very necessary improvements (mainly OTA, WLAN sync, and most of all Notifications) but it's iOS after all. It's just not sexy anymore. I got so bored I went to a mobile store and played around with Windows Phone. If I hadn't found the device I am using now, my next phone would have been from Redmond, that is for sure.
But what about the Android thing? Well, I had the chance to test the Samsung Galaxy S II aka i9100 for a couple of months. In terms of features it is even, sometimes better, sometimes worse than the iPhone. Otherwise, it is just ugly shit. Cheap and shitty hardware (they should also have used a gorilla body and not only Gorilla Glass for the display), shitty UI and physical design, absolutely shitty usability. While I can give the iPhone to my dad or my three-year-old son and be sure they get along, I could never do this with an Android device. It is just crap. After four months of intensive day2day usage I am further away from Android than I ever was before. I am so glad I didn't have to buy this device.
So about a week ago I finally got my device of choice and since then I am always running around with a little smile on my face and a tickling at the ends of my lower jaw. Ladies and gentlemen, let me present to you...
... more after the break ...