The YubiKey, from Yubico is a small USB device which is about the size of a small flash drive, and which emits OTP strings when the button is depressed.   The device can also be reprogrammed to offer static passwords and the new 2.0 version has a very handy management application available.  The device is compatible with most recent *nix and Solaris installations, as well as MacOS and Windows.

Since receiving mine, I have tested it via several available PHP implementations, and other interfaces, e.g. the Wordpress plugin and the LastPass integration.  Last night, I found a site which offers an Apache HTTP Server module for use with the usual Basic authentication.  Since I wanted to use it on a production server without build tools installed, I first compiled it on a test server, and then copied the necessary files to the production box.  The following are the steps I used to build and enable it.

Install the prerequisites (assuming build-essential is already installed)

Code block

$ sudo apt-get install apache2-threaded-dev libcurl3 libcurl4-openssl-dev

Download, unpack and build:

Code block

$ wget http://mod_authn_yubikey.coffeecrew.org/authn_yubikey.tar.bz2
$ tar jxf authn_yubikey.tar.bz2
$ cd authn_yubikey/
$ apxs2 \
-DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
-DYK_PACKAGE_VERSION=\\\"0.1\\\" \
-I. -Wc -c -lcurl mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo

If all has gone according to plan, the module object now exists in the .lib (dot lib) directory.  If necessary, scp it to your server and continue.

Note: The following layouts are based on an Ubuntu installation, you may need to put the library where your system expects to find it.

Copy module to required directory:

Code block

sudo cp .lib/mod_authn_yubikey.so /usr/lib/apache2/modules/

Create the basic files to allow the module to be enabled/disabled using the normal Ubuntu functionality:

Module load file (/etc/apache2/mods-available/authn_yubikey.load)

Code block

# /etc/apache2/mods-available/authn_yubikey.load
LoadFile /usr/lib/libcurl.so.4
LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so

Basic module config file:

Code block

# /etc/apache2/mods-available/modules/authn_yubikey.conf
<IfModule mod_authn_yubikey.c>
AuthYubiKeyRequireSecure Off
</IfModule>

Since this module works in a similar manner to the standard Apache Auth packages, create a htpasswd file, adding a user with key id ‘abcdeffedcba’ (first 12 characters emitted by the YubiKey), username ‘jsmith’ and password ‘mypass’. The ‘-s’ uses SHA instead of crypt():

Code block

$ cd /etc/apache2
$ mkdir conf
$ cd conf
$ htpasswd -csb conf/ykUserDb abcdeffedcba jsmith:mypass
$ touch conf/ykTmpDb && chown www-data conf/ykTmpDb

Now just pick a directory or location to protect, and add a basic config section to the appropriate Apache config file:

Code block

<Location /supersekret>
AuthType Basic
AuthBasicProvider yubikey
AuthName "Please log in using your YubiKey"
AuthYubiKeyTimeout 30
AuthYubiKeyTmpFile conf/ykTmpDb
AuthYubiKeyUserFile conf/ykUserDb
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
Require valid-user
</Location>

Note: The ‘AuthYubiKeyRequireSecure On’ ensures the only SSL (https) connections are allowed. Turn that off to use standard http.

That’s it, now just enable the module and restart Apache:

Code block

$ sudo a2enmod authn_yubikey
$ sudo /etc/init.d/apache2 restart

For additional information regarding the use and configuration of the module, please check the the mod_authn_yubikey website – http://mod_authn_yubikey.coffeecrew.org/.

Many thanks to Jens Frey, the author of the plugin for his quick response to my request for clarification on a few points.

Prowl is a new application which allows notifications to be pushed to the iPhone from applications like Growl for Windows or Macs.  Fortunately, the developer has also implemented an API so that one can easily submit push notifications from virtually any programming language which is able to talk to it via the web.

So what?  Well, as I am a big fan of Twitter, I follow enough people that I am often unable to keep up with the flow of tweets.  I had resorted to following the most important posters via RSS, but now I am able to follow their accounts and have any posts they submit pushed to my iPhone as a notification.

Requirements

1. The Prowl application for the iPhone
2. The ttytter Twitter client, which runs anywhere Perl does (requires LWP::UserAgent)
3. A Twitter account – I use a secondary account which follows only those people from whom I want to receive push notifications
4. The perl script linked below, or one of your creation

Setup

As this uses Prowl, you must purchase that application and download it to your iPhone.  After installation, you can go to the Prowl website, log into your account, and grab a copy of your API key which will allow the script to post notifications to your phone.  As written, the script expects to find that API key in a file called .prowlkey in your home directory.  If you keep it somewhere else, edit the path on Line 27 of the script:

[cce]
if (open(APIKEYFILE, $ENV{‘HOME’} . “/.prowlkey”)) {
[/cce]

Next, you must download and configure the ttytter Twitter client.  Usually, this is just a matter of creating a .ttytterrc file in your home directory.  Note, that if you configure it to use your primary Twitter account, it will forward every tweet you see to your iPhone.  For this reason, I created a secondary Twitter account and followed only a select few people.  Make sure you test this before continuing.

If ttytter is running as expected, Perl is properly installed, so the last prerequisite is to ensure that the Perl module LWP::UserAgent is installed.  From the command line, type or paste the following line.

[cce]perl -e ‘use LWP::UserAgent’[/cce]

If it simply returns a command prompt, your are set.  If you receive an error, then either use your distributions package manager or CPAN to install the libwww-perl module.

The last step is to copy the script to your computer.  You can view and copy the source code here or download it directly from here.  Put the script somewhere accessible to the ttytter application.  I placed both in $HOME/bin and simply named it ttytter-prowl.pl.

Running

Now, to get everything working, simply start ttytter with the -lib=path/to/twitter-prowl.pl (and possibly the -daemon) arguments.  Using -lib will tell ttytter to process that script for each received tweet.  The -daemon argument tells ttytter to fork into the background and run as a daemon.  I tend to run mine in screen so I can check on it, but I intend to move it to daemon mode.

[cc lang="bash"]$ ttytter -lib=ttytter-prowl.pl[/cc]
If everything has gone according to plan, you should soon start receiving tweets on your iPhone as pushes.

Sample Prowl Notification

Wanting to get back into the IPv6 address space, I installed the aiccu client on another server and configured it for my Sixxs tunnel.  This worked out of the box, but within about 36 hours it stopped working.  Most frustrating was the lack of any errors in any logs and restarting the service had no effect.  The tunnel interface was created with the correct IP, route showed all the correct routes, and I could ping the IPv4 address of my assigned PoP (uschi02).  Then, strangely, about two hours later things started working again.  Until this morning…

I awoke to find that the tunnel had again dropped overnight, and as before, nothing I do seems to be able to get the tunnel working again.  The Sixxs website indicates that the PoP is up and talking to other PoPs.

So, since I also have a tunnel from Hurricane, I gave another machine a static IP and added the necessary information to /etc/network/interfaces:

#  Hurrican Electric IPv6 Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
endpoint <your_assigned_IPv4_server_endpoint>
address <local_IPv6_tunnel_endpoint>
netmask 64
mtu 1480
up ip -6 route add 2000::/3 dev he-ipv6

From this point, I restarted the network service:

sudo /etc/init.d/networking restart

et voila! The tunnel was up and pingable. So I guess I will stick with the HE service for now, though if anyone has any ideas as to what the issue with Sixxs might be (when using Ubuntu Intrepid and aiccu / AYIYA), please let me know.

Install the usual prerequisites:

sudo apt-get install curl libcurl4-openssl-dev libexpat1-dev

Fetch, unpack, and build:

wget http://kernel.org/pub/software/scm/git/git-1.5.5.3.tar.bz2

tar jxf git-1.5.5.3.tar.bz2

cd git-1.5.5.3

make prefix=/usr all

Unfortunately, at this point I got an error I had not seen on prior installs:

* tclsh failed; using unoptimized loading
MSGFMT    po/de.msg make[1]: *** [po/de.msg] Error 127
make: *** [all] Error 2

A little snooping brought me to this site.  While I’m sure that his method works, it seems a bit extreme to hand-build all of the listed packages.  Fortunately the answer to my problem was there:

sudo apt-get install gettext

After installing gettext, re-running ‘make prefix=/usr’ completed as expected.  After it is built, it is a simple matter to install all of the new goodness:

sudo make prefix=/usr install

Running ‘git version’ should return the newly installed version.  If you want to track the development version, you can now use this installed version of git to check out the devel repository and build it using the same steps.

Adobe Labs have released an alpha of Adobe Air for linux, and tonight I finally remembered about it and downloaded it. It is closed source, but I find it useful, so I installed it. Installation is as easy as 1) download the bin file, 2) give it execute perms, and 3) run it as root so it can install systemwide.

I then proceeded to the Twhirl website, and while that site’s easy download button did not yet realize that Air was available for linux, there is a direct download link, which Firefox opened properly with Air and installed (it asked for my password again to install as root).

From there, simply click on the icon, enter your Twitter username and password, and away you go!

The affected versions:

•  VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
• VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
•  VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

Source:  http://isc.sans.org/diary.html?storyid=4018

Step 1: Download the software

Go to http://www.vmware.com and follow the links to download the free VMware Server software. You will need to register for a free license key and then you can download the software packages.
Step 2: Install a few prerequisites

$ sudo aptitude install linux-headers-`uname -r` build-essential xinetd

$ sudo aptitude install libxtst6 libxt6 libxrender1 libxi-dev

If you are not going to install the Management Interface (a web based management console), I believe you need only install the prerequisites on the first line above.

Step 3: Install VMware Server

I keep all my virtual machines in /opt/vmware, so I create that directory before running the following. There is a default directory and if you would prefer to keep yours there, then simply allow the script to create it during the install process.

$ sudo mkdir /opt/vmware

$ sudo chown sws. /opt/vmware

$ tar zxf VMware-server-1.0.4-56528.tar.gz

$ cd vmware-server-distrib

$ sudo ./vmware-install.pl

With the exception of the path mentioned above, I use the defaults for all other options.

Step 4: Install the VMware Management Interface (vmware-mui)

$ cd ..

$ tar zxf VMware-mui-1.0.4-56528.tar.gz

$ cd vmware-mui-distrib

$ sudo ./vmware-install.pl

Step 5: Fix the MUI startup script

At the end of step 4, the vmware-mui install script tries to start the new apache server (httpd.vmware), but that usually fails as #!/bin/sh is not an alias for bash. To fix that, simply edit /etc/init.d/httpd.vmware and change the first line from #!/bin/sh to #!/bin/bash.

After saving the file, you should be able to start it:

$ sudo /etc/init.d/httpd.vmware start

If everything worked, you should be able to now browse to either http://yourvmwareserver:8222 or https://yourvmwareserver:8333 from another machine on your network. Log in with a user account on the VMware server machine.

/usr/bin/python: symbol lookup error: /opt/sun-jdk-1.6.0.03/jre/plugin/i386/ns7/libjavaplugin_oji.so: undefined symbol: PR_NewMonitor

Googling led me to this forum post, which references this bug report. All of which seem to point at the Sun Java plugin as the culprit, so I tried removing it:

$ sudo apt-get remove sun-java6-plugin

I can verify that removing the plugin cured the problem, and I am now happily subscribed to Hubblecast, TekZilla and several other HD videocasts. Unfortunately, now it is just a matter of time until I find a website where I will need Java enabled in the browser.

For me, calling vlc in the following way fixed my problems:

G_SLICE=always-malloc vlc

I’m sure a more permanent fix is in the works.

--- bin/extra/openfired 2007-06-22 15:24:32.000000000 -0400
+++ /etc/init.d/openfired       2007-08-26 08:30:48.000000000 -0400
@@ -47,10 +47,10 @@
fi

-function execCommand() {
+execCommand() {
OLD_PWD=`pwd`
cd $OPENFIRE_HOME/bin
-       CMD="./openfire.sh $1"
+       CMD="./openfire $1"
su -c "$CMD" $OPENFIRE_USER &
sleep 1 # allows prompt to return
cd $OLD_PWD