Category Archives: Linux

Short: Automatically generate a one time password to connect to Sophos or OpenVPN Access servers

If business partners use Sophos or OpenVPN Access Server, chances are they also use some form of OTP (one-time password), either as the sole password or as a static password combined with a one-time password. In the latter case the two are typically typed back to back, without any separator, when the VPN client prompts for the password during connection setup.

To automate this, for example on a VPN gateway, oathtool comes in handy: it generates the current one-time password from the base32 secret that was shown during enrollment (-b tells it the secret is base32-encoded):

oathtool --totp -b "JBSWY3DPEHPK3PXP"

The resulting OTP (prefixed with the static password where the server expects both) can then be handed to the OpenVPN command-line client, e.g. via --auth-user-pass. Generate it immediately before connecting: a TOTP is only valid for its 30-second time step.

With WSL or MSYS2 you can also run (or compile and then run) oathtool on Windows.
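The following is an added example, not code from the original post or from oathtool: it computes the same TOTP as "oathtool --totp -b" using only the Python standard library (RFC 4226 HOTP over the RFC 6238 time step), composes the "static password + OTP" string described above, and writes the two-line file OpenVPN's --auth-user-pass reads with mode 0600. The user name, static password and /tmp path in the main block are assumptions for illustration only.

```python
# Added example, not code from the original post: TOTP as "oathtool --totp -b"
# computes it, implemented with the standard library so it also runs where
# oathtool is not installed, plus the "static password + OTP" composition and
# an OpenVPN --auth-user-pass file written with mode 0600.
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def b32_decode(secret: str) -> bytes:
    """Decode the base32 seed shown during enrollment.

    Spaces and lowercase are tolerated and missing '=' padding is added,
    since provisioning screens usually omit both."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm oathtool uses by default."""
    mac = hmac.new(b32_decode(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at` (default: now)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits)


def vpn_password(static_password: str, secret: str, at: Optional[float] = None) -> str:
    """Sophos / OpenVPN Access Server style: static password immediately
    followed by the OTP, no separator. Use "" when the OTP is the whole password."""
    return static_password + totp(secret, at)


def write_auth_file(path: str, username: str, password: str) -> None:
    """Write the two-line file that OpenVPN's --auth-user-pass reads.

    Created with mode 0600, so the OTP (and the static password in front of
    it) is not readable by other users on the gateway."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{username}\n{password}\n")


if __name__ == "__main__":
    # Assumed values for illustration: the seed from the post, a made-up
    # user name and static password, and a scratch file path.
    seed = "JBSWY3DPEHPK3PXP"
    write_auth_file("/tmp/vpn-auth.txt", "partner-user", vpn_password("StaticPw", seed))
    # Then, e.g.: openvpn --config partner.ovpn --auth-user-pass /tmp/vpn-auth.txt
```

The implementation can be checked against the RFC 6238 test vectors (seed "12345678901234567890", i.e. base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, gives 94287082 at time 59). One caveat a gateway operator should keep in mind: once the TOTP seed lives on the gateway next to the static password, the "second factor" is just a second static secret on that host. Keep the seed out of shell history and world-readable files, restrict it to the account that runs the VPN client, and make sure the partner knows the account is used by an automated client rather than a person.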

A couple reasons not to use glFTPd for business related FTP communication

1. Quite an unfriendly GitHub owner

They seem a little upset if you disclose that you are migrating away from the software.

2. No disclosure of the source code, who knows what is in it and what it does?

You likely do not want to run this on internet-connected business machines holding and transferring customer data.

3. Try-hard jokes in response to actual user questions.

4. (Almost) everything it does (the legal parts, anyway), other FTPds do better:

  • Modern auth backends (LDAP, SQL, OAuth-ish flows)
  • TLS, IPv6, security hardening
  • General internet-facing FTP/SFTP use
  • Maintainability and transparency (open source)

5. You expose a closed-source service, written by unknown developers from the "scene" corner of the internet, to the internet, and then transfer and store confidential data on it.

Oof!

6. How does one get the idea to use that kind of software for business-critical applications anyway?

No idea. But it actually happened.

7. If that upset someone …

… please accept my apology in advance.

Start check-mk-agent.socket after WireGuard (wg-quick@)

If you run CheckMK, you likely also run CheckMK agents on Linux, Windows or other hosts. Recent CheckMK versions feature an onboarding (registration) process that uses TLS via OpenSSL to authenticate and encrypt the communication between the CheckMK installation and the agents. However, there is currently no practical way to do this on ARM-based systems, as the binary for the initial onboarding only exists as an x86 precompiled build.

On ARM-based hosts the "old" systemd socket solution works just fine; however, it is unencrypted and unauthenticated by default. A practical solution is therefore to run a VPN of your choice between the CheckMK installation and the agents, and to make the agent socket reachable only over that tunnel.
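As an added example (not taken from the original post), this is a systemd drop-in that orders check-mk-agent.socket after the WireGuard tunnel, ties it to the tunnel, and restricts the listener to the tunnel address so the plain-text agent is not reachable from any other interface. It assumes the tunnel unit is wg-quick@wg0 and that the host's WireGuard address is 10.0.0.2; adjust both to your setup.

```ini
# /etc/systemd/system/check-mk-agent.socket.d/wireguard.conf
# Added example, not from the original post. Assumes the WireGuard unit is
# wg-quick@wg0 and this host's tunnel address is 10.0.0.2.
[Unit]
# Start after the tunnel, and stop the socket whenever the tunnel goes down,
# so the agent is never listening while the VPN is not up.
After=wg-quick@wg0.service
BindsTo=wg-quick@wg0.service

[Socket]
# The stock unit listens on port 6556 on all addresses. An empty
# ListenStream= clears that list; the next line binds only to the tunnel.
ListenStream=
ListenStream=10.0.0.2:6556
# Allow binding even if the address is briefly absent (e.g. during a restart).
FreeBind=true
```

After "systemctl daemon-reload && systemctl restart check-mk-agent.socket", verify with "ss -ltn" that port 6556 is bound to the tunnel address only, and point the CheckMK host configuration at that address. If the tunnel uses a different interface name, the wg-quick@ instance name in both lines has to match it.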

Continue reading Start check-mk-agent.socket after WireGuard (wg-quick@)

Compile tpm2-openssl on Alpine

When using TPM 2.0 on an Alpine Linux based host to generate certificates, specifically certificate signing requests (CSRs), one inevitably stumbles upon tpm2-tss and its OpenSSL integration (tpm2-tss-engine for OpenSSL 1.1, or tpm2-openssl, the provider for OpenSSL 3). These generate a private key that never leaves the TPM 2.0 module, together with a CSR that any certificate authority can turn into a signed certificate.

Continue reading Compile tpm2-openssl on Alpine

GLKVM: Enter AMI-BIOS setup of connected device

I recently got to use a GLKVM device to remote control an SFF computer that runs as a server. It features a normal mainboard with an AMI BIOS. The default timeout of the AMI BIOS splash screen was 1 second.

After trying a couple of times to enter the BIOS for WOL and other settings with Esc, F1, F2, Del, F10 and F11, none of them worked, presumably because the input window was so short and the latency of the remote console made hitting the right moment even harder.

The solution I had not heard of before: keep the right key pressed throughout the whole boot process until you have entered the BIOS setup.

And that worked. I held F2 for the whole boot process and eventually landed in the BIOS setup. Afterwards I changed the splash screen timeout from 1 to 5 seconds and retried with a normal key press while the AMI BIOS splash screen was still waiting: success. A normal short key press now worked thanks to the longer timeout.

clevis luks bind “Unable to fetch advertisement”

Recently, while looking into automating LUKS encryption processes, I stumbled upon the following problem: clevis luks bind returns "Unable to fetch advertisement".

The error message says everything and nothing. I found that with clevis' tool chain it can be difficult to pinpoint problems. After some time I figured out that the shell I ran this from had http_proxy environment variables set, so the curl command used in the clevis tool chain was fetching via the configured HTTP proxy, which denied the connection with a 403 Forbidden.

It was so unclear because clevis did not output any such error (inside the tool chain it runs "curl -sfg": -s suppresses curl's own output and -f makes HTTP errors fail without printing the response, so the 403 never shows up).

Therefore make sure the requests can actually succeed: check that the environment the "clevis luks bind" command runs from has no unintended variables set, such as http_proxy or https_proxy.
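As an added example (not code from the original post or from clevis), the following shows the check in practice: list the proxy-related variables present in the environment, fetch the Tang advertisement (the /adv endpoint clevis' curl call hits) with proxies explicitly disabled so the real HTTP status is visible, and run "clevis luks bind" with a cleaned environment. The device path and Tang URL in the docstrings are placeholders; clevis' -d and -s options and the tang {"url": ...} configuration are the real ones.

```python
# Added example, not from the original post: make the proxy problem behind
# "Unable to fetch advertisement" visible and run clevis without the proxy.
import os
import subprocess
import urllib.error
import urllib.request

# curl honours the lowercase variants of all of these; for https_proxy,
# all_proxy and no_proxy it honours the uppercase forms too. Uppercase
# HTTP_PROXY is ignored by curl (CGI/"httpoxy" safety), but other tools in a
# pipeline may still read it, so it is checked here as well.
PROXY_VARS = ("http_proxy", "https_proxy", "all_proxy", "no_proxy",
              "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY")


def proxy_vars_set(env=None):
    """Proxy-related variables present in `env` (default: the current process environment)."""
    env = os.environ if env is None else env
    return sorted(k for k in PROXY_VARS if k in env)


def clean_env(env=None):
    """Copy of `env` with every proxy-related variable removed."""
    env = os.environ if env is None else env
    return {k: v for k, v in env.items() if k not in PROXY_VARS}


def fetch_advertisement(tang_url, timeout=5):
    """GET <tang_url>/adv with proxies disabled; returns (http_status, body).

    clevis runs "curl -sfg" and therefore swallows the status; doing the same
    request here surfaces e.g. the 403 a proxy returns, or a connection error."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(tang_url.rstrip("/") + "/adv", timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def luks_bind(device, tang_url, slot=None):
    """Run "clevis luks bind -d DEV [-s SLOT] tang '{"url": ...}'" with the
    proxy variables stripped from its environment. Placeholders: device such
    as /dev/sda2, tang_url such as http://tang.example:7500."""
    cmd = ["clevis", "luks", "bind", "-d", device, "tang", '{"url":"%s"}' % tang_url]
    if slot is not None:
        cmd[3:3] = ["-s", str(slot)]
    return subprocess.run(cmd, env=clean_env(), check=False)


if __name__ == "__main__":
    found = proxy_vars_set()
    if found:
        print("proxy variables set in this shell:", ", ".join(found))
    # Uncomment with a real Tang server / device to diagnose and then bind:
    # print(fetch_advertisement("http://tang.example:7500"))
    # luks_bind("/dev/sda2", "http://tang.example:7500")
```

The same effect for a one-off run is "env -u http_proxy -u https_proxy clevis luks bind ...", but stripping the variables in the calling code is the safer default for anything that is scheduled or scripted, since it does not depend on the interactive shell that happened to start it.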