Linux.com

Community Blogs



Squid and Digest Authentication

This week I want to review Digest authentication, which is a step up from Basic proxy authentication, not the best choice but an improvement. Digest Authentication hashes the password before transmitting over the wire. Essentially it sends a message digest generated from multiple items including username, realm and nonce value. If you want to know more see (RFC 2617). Thing to remember is both Basic and Digest are on the weak end of the authentication security spectrum. If your only choice is Basic and Digest, the lesser of two evils is Digest. Digest is very similar to Basic from a configuration perspective. Squid uses an external helper program to facilitate the authentication process. From a Squid configuration perspective, the following pieces are required in the “OPTIONS FOR AUTHENTICATION” section of squid.conf auth_param digest program auth_param digest children auth_param digest realm auth_param nonce_garbage_interval auth_param nonce_max_duration auth_param nonce_max_count The following parameters are similar in nature to Basic authentication; auth_param digest program - provide location of external helper program auth_param digest children – number of spawned processes to facilitate user authentication requests auth_param digest realm – string presented to user when authentication appears on screen Digest authentication introduces the concept of a ‘nonce’ (number used once). This is a generated value (in this case generated by Squid). The client uses this value in conjunction with the password during the hashing process. Without nonce-salting, captured hashed passwords could be replayed. The ‘nonce’ value is regenerated at specified intervals to ensure its continual uniqueness. auth_param nonce_garbage_interval – Specifies how often Squid should clean up its nonce cache auth_param nonce_max_duration – Specified how long the nonce value remains valid auth_param nonce_max_count –Places a limit on how many time a nonce value may be used The last piece of this puzzle is a database of valid users and their associated password. Typically this information is in a hashed text file stored on the Squid server. You should know, Squid does not offer any capabilities for managing it, most users generate it manually or utilize scripts. On an Ubuntu based Squid server the Digest Helper program is located in the following location; /usr/lib/squid3/digest_pw_auth Given above configuration paramaters, the final product should look like this; auth_param digest program /usr/lib/squid3/digest_pw_auth –c /etc/squid3/password-file auth_param digest children 5 auth_param digest realm My Realm auth_param nonce_garbage_interval 5 minutes auth_param nonce_max_duration 30 minutes auth_param nonce_max_count 50 Don’t forget you must adjust Squid ACL’s. The procedure is identical to Basic Auth reviewed last week. Regarding the password file, it should be hashed to keep prying eyes off user passwords. By the way “-c” in above program parameter means you’re specifying the location of a hashed password file. This concludes Digest authentication, don’t forget to restart your proxy server. Next week I’ll talk about NTLM authentication, since most of you are using Windows networks. To find out more visit: www.digitalboundary.net/wp
 

Squid and Basic Authentication

This is perhaps the easiest authentication helper to configure in Squid, but also the most insecure. The biggest problem with Basic is it transmits username and password in clear text, hence very susceptible to network sniffing or man in the middle type attacks. The only reason I’m writing about it is it’s a valid authentication mechanism in some limited circumstances. Secondly I want to show you how authentication has evolved over the years. Ultimately you want to Kerberos authentication with your Squid proxy, but before we got there we had basic. And here is how to configure it; First thing that requires out magic touch is Squid’s configuration. Locate and navigate squid.conf The first section you’ll come across is for configuring authentication. It’s called; # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- You’ll notice there are many comments in this section explaining all the different options. But let’s jump ahead to what we came here for… Locate the following lines; note they will be commented out. Enable them by removing the hash character ‘#’ auth_param basic program auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours If you haven’t noticed already the first parameter auth_param basic program configures the location of an external helper program. This helper program is named pam_auth and on an Ubuntu system is located in the /usr/lib/squid directory. In fact all authentication helpers are located in this directory. Therefore our first line should look like this; auth_param basic program /usr/lib/squid/pam_auth Next we have the children parameter. This configures the specified number of processes to handle incoming authentication reuqests. In above example pam_auth will spawn 5 separate processes to handle all authentication requests. Anywhere between 5-10 helper processes is a good starting point. If Squid runs into trouble, it will tell you in /var/log/squid/cache.log , monitor this file closely. Then we have a realm parameter. This is a string which is presented to the user when the authentication prompt appears on screen. With Basic authentication this is an arbitrary string value. You can use anything, like; “Welcome to my really cool Proxy Server. Enter your Username and Password” Lastly we have the credentialsttl parameter which dictates how long Squid caches authentication requests internally. Keep in mind a small value increases Squid load, while a larger value will reduce it. You may need to play with this if you notice your Squid box is really busy. The last piece to this puzzle is enabling Squid’s authentication ACL. This includes changing two additional parameters. ( ACL & HTTP_ACCESS). The default ACL bases access or no access on client subnets. ACL LOCALNET SRC 192.168.0.0/24 is an example of one. To enable authentication, comment out above default ACL and replace with this; acl authenticatedusers proxy_auth REQUIRED Lastly enable above access list, named authenticatedusers http_access allow authenticatedusers That’s it. Restart Squid service and you should now be prompted for user name and password. You session will be authenticated until you close your browser. www.digitalboundary.net/wp
 

Steps to Hosting a Web Site on Ubuntu 11.04

1. install apache2 the go to /etc/apache2

2. cd sites-available

3. cp default  new_web_site_name_file

4. make the changes as follows this is for Name virtual hosting

NameVirtualHost IP  e.g.x.x.x.x
// this would already be there just change *

ServetrAdmin your mail id //this entry would also be there just change mail id

add the following three entries according to your need

 DocumentRoot /var/www/Your dir name/ // web site's root path
 DirectoryIndex login.php //default login page entry
 ServerName your web site address.com //ur web site address

let other entries be there

save the file.

 

run the following commands as root user or use sudo

a2ensite name  new_web_site_name_file (file name used in step 3)

the restart the apache web server

/etc/init.d/apache2 restart/reload


you can acces the web site aftre making the necessary cahnges in the /etc/hosts file on your system or acess it on the interanet/internet after getting its entry done in the DNS

 

Regards

Harkamal Dadwal

 

 

 

 

 

 

First Post

Well ive been doing some reading trough the forums here aswell as the blogs for a while, about time for me to write something i guess :)

I actually have some questions someone hopefully can help me out with, atm my laptop is running Linux Mint11 with working proprietary drivers for the ATI gfx.

But i have also tried the Fedora livecd and i must say that i really like the interface, not to Unity-ish but instead nice looking and easy to use, but i tried a fresh install and ended upp with the black screen of death so i gave up.

Also had a look at Opensuse, but i cant really decide if i should do the switch from Ubuntu or Debian based if i should go Fedora or Opensuse, any pros and cons that can be good to know about them.

Or should i go with the one that feels best, i want a nice community if help is needed along the journey and ive bumped in to some really unfriendly ones during the years =D

 

SPI Board and Officer Elections - 2011

Software in the Public Interest (SPI) is pleased to announce the results of
the recent board and officer elections.

Board elections were held from July 14-28 2011.

The board terms of David Graham and Jimmy Kaplowitz expired at this
election. In addition one board seat was vacant at the time of the election,
for a total of three available seats. David Graham chose not to stand at
this election and has retired from the board. SPI would like to thank David
for his participation on the board from 2004 - 2011. Clint Adams, Robert
Brockway, Jimmy Kaplowitz and Trevor Walkley stood for election. Jimmy
Kaplowitz was reelected to the board and Clint Adams and Robert Brockway
were newly elected to the board. SPI would like to thank all candidates for
their participation in the election and congratulate Clint Adams, Robert
Brockway and Jimmy Kaplowitz for their election to the board.

The current directors are:

    * Bdale Garbee
    * Joerg Jaspert
    * Jonathan McDowell
    * Michael Schultheiss
    * Clint Adams
    * Robert Brockway
    * Joshua D. Drake
    * Jimmy Kaplowitz
    * Martin Zobel-Helas

Officer elections were held at the board meeting on August 10, 2011. All
existing board members were elected unopposed.

The officers for 2011-2012 are:

    * President: Bdale Garbee
    * Vice-President: Joerg Jaspert
    * Secretary: Jonathan McDowell
    * Treasurer: Michael Schultheiss

SPI associated projects include:

    * ankur.org.in
    * aptosid
    * Debian
    * Drizzle
    * Drupal
    * freedesktop.org
    * Fresco
    * Gallery
    * GNUstep
    * GNU TeXmacs
    * Jenkins
    * LibreOffice
    * madwifi.org
    * OFTC
    * OpenOffice.org
    * OpenVAS
    * Open Voting Foundation
    * Open64
    * OpenWrt
    * OSUNIX
    * Path64
    * PostgreSQL
    * Privoxy
    * The HeliOS Project
    * Tux4Kids
    * Yafaray

Software in the Public Interest, Inc. is a not-for-profit corporation under
the laws of New York State.
 

Read more... Comment (0)
 

Spreading Linux in Bridgeport Public Schools

As of right now, the schools in my hometown are undergoing vital modifications. This is long overdue. I'm worried about the upcoming generation since they are caught in a society with lots of complications. Of this generation, will include my siblings. And, I must do what I can to see them accomplish their potential. 

Since it is said, it is easy to thrive in a successful environment, yet your real strengths are tested with challenges, I decided to offer my help, armed with the skills I harvest to see Bridgeport be the city it can be. A letter stating my concerns and assistant objective has been emailed to the superintendent of the Bridgeport Public Schools. Hopefully, he is convinced. Here is the copy of the letter.

Conclusion: If we want a better future, put in the work, Everyone.

 


To: John J. Ramos, Sr/Superintendent

From: Istimsak Abdulbasir

 

Greetings Mr. Ramos,

My name is Istimsak Abdulbasir, a Linux.com Moderator and member of the “Linux Foundation” which is a non-for-profit organization that specializes in the promotion of Linux. There has been reports that the Bridgeport Public School System is undergoing vital changes. These changes are to improve student and teacher performances which, hopefully, will increase the success rate of students achieving educational standards. This is a critical step towards making education work wonders for all beneficiaries in preparation of a challenging future. As an individual with siblings currently attending, this means so much to the entire family.


Because I am a big fan of education, I would be happy to assist in this endeavor. Currently, I am involved in IT, and one of my main functions is dekstop PC revival. Purchasing computer hardware and software can be very expensive. To alternate this complication and stay “Green” at the same time, old, used, and non-working computers will be collected, gone through a series of repairs and configurations, and supplied to any school institute in the Bridgeport area in need of modern technology. The machines will have a new OS system, Ubuntu Linux; which provides better security, increased speed, more stability, easy to use and will deliver a different perspective on computer science. Since Linux is still relatively new, I’m more than happy to tutor students and teachers in its system operations.


The best part about Ubuntu Linux, it's free. You do not have to pay a penny for the software or for the latest upgrades. Using linux has the potential to help you, economically, stay within educational budget without the need to ever upgrade your systems. Acquiring software applications is a breeze since all programs are managed in an online archive. No purchasing of applications is necessary.


If you would like to know more about what I am willing to offer, you can contact me via cellphone or email. Look forward to hearing from you.

 

 

Cross-compiling for ARM

In order to do program in ARM board [9TDMI], I cross-compiled using the Linux 'C' compiler for ARM and here is the procedure that I used.

Read more... Comment (0)
 

Installing and Using Mysql on Ubuntu

1. run following command in terminal
  
   sudo apt-get install mysql-server

    during the installation process it will ask for root password

2. to check whether the Mysql server is installed & running properly,run
  
   sudo netstat -tap | grep mysql

   you sholud see now the following lines or something similar:
  
   tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      13059/mysqld

3. If in case your server is not running properly you can restart it by running following command
   sudo /etc/init.d/mysql restart

Using Mysql
4. when mysql is installed, you can start it by running:

 mysql -u root -p

the command prompt will change now to mysql>

5. to create database use:
    create database databasename;
6. to use database use:
    use databasename;

from here on you can create table,insert into table and peroform other mysql actions

Read more... Comment (4)
 

Convert ext2 to ext3 file system

The conversion procedure is very simple enough. Let us assume /dev/sda6 (ext2 now) mounted on /convert.  You will be seeing fstb entries like,

/dev/sda6         /convert             ext2    defaults        0 0

Unmount the partition

umount /dev/sda6

Enable Journal (converting to ext3) using tune2fs command,

tune2fs -j /dev/sda6

Edit /etc/fstab and for /dev/sda6 change the file system type to ext3. Finally, the entry should be like this,

/dev/sda6         /convert             ext3    defaults        1 2

Mount the partition using mount command,

mount -a

If above command doesn’t work, reboot the system and check.

Read more... Comment (0)
 

MultiPath TCP in the Linux Kernel

MultiPath TCP is an extension to TCP to transmit data of a single connection over multiple interfaces simultaneously. (http://datatracker.ietf.org/wg/mptcp)

This allows a better throughput and better resilience in case of link-failures.

We have an implementation of MultiPath TCP in the Linux Kernel.

Visit http://inl.info.ucl.ac.be/mptcp/ to try out and contribute to our open-source project.

 

 

 

Read more... Comment (0)
 

First blog post...

Well, I guess I will start a little about me, how I got involved in Linux and where I hope it takes me in the future!

I'm Justin, 32 years old in NJ.  I work in law enforcement and I've been dabbling in the Linux realm for the past 5 years.  My first distro was Red Hat... I bought it off ebay and I had no idea what I was doing.  I got frustrated and continued with Windows but dual booted Ubuntu and a few other distros here and there.

Over the past 2 years I've been reading and using it for data recovery jobs for my friends.  Within the past year I've really made a push to use Linux primarily and I'm on a good track right now. 

While still very green with Linux I have learned a lot and it just never stops.  The flexibility, stability and high customization is what I like the most.  The open source community is amazing, the support is amazing and it's free! 

I wiped my windows hdd in my laptop and that is purely Linux.  My hopes are to show people how Linux will benefit them and for business how much money it can save. 

 

My wife and I operate a small internet store selling vinyl wall art and I haven't changed some of the art to a different format yet so I'm sorry to say I have to keep the XP machine around a bit longer.  Perhaps after the summer as boating will occupy most of my time (hah)!

I look forward to the community and hope to contact linux users in my area soon!

 

 

 
Page 2 of 14

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board