Calebotomy

Making Secure Recoverable Passwords ( part 3 )

If you haven’t read Part 1 please do so. Although the criticism of Part 2 should be taken with a grain of XKCD Salt, and even the primary plaintiff admitted that it would take him 2 months to crack the final salted sha512. Usually your attacker shouldn’t have your shadow file, and having stored them as anything less is just plain not secure. I will acknowledge it has some merit. Read more →

Making secure recoverable Passwords (Part 2)

This has been prompted by Dave Jacoby’s post on generating passwords and the fact that I’ve learned a new trick since my my first article in 2008; which you should read first (it’s a prereq). Some might point out that using a hex digest limits the characters that will be generated too much, do this then. echo -n “date” | sum | base64 So let’s say you have to change your password every month. Read more →

Bypassing disabled accounts with KDM

So the most common way of disabling an account in a unix system is changing the users shell in /etc/passwd to /bin/false or /sbin/nologin. However, I’ve discovered on Arch Linux that if I do this only shell login’s are disabled, I was still able to log the user in with gui via kdm. I also tried using usermod –expiredate 1. this was not effective either however. the only way I found to lock the account from kdm login was to do a passwd -l accountname, which only locks password authentication. Read more →

Port forwarding in OpenWRT

So you need the outside world to have access to some box’s on your internal network. first you should use Static DHCP to tell static the IP’s of the computer you’re routing to. Then you of course need to know the inbound from the outside world and the port on the computer you are forwarding too. For this example we’ll forward WAN (Wide Area Network (or (probably) the Internet)) port 8080 to a local dev box running Apache on httpd (we assume you know how to set apache up and make sure it’s working on the LAN(Local Area Network)). Read more →

Quick sha1sum with Crypto++

I’ve been working on Korama. I was originally planning on hashing each music file and using the sha1 for the track primary key. However, after benchmarking an actual implementation. I’ve decided that it’s too slow, 20 minutes for 3k+ tracks, also my program was about 5 minutes slower than find … -exec sha1sum not sure on the reason why. However, since I had problems figuring out how to do it I figure I’ll post a basic sha1sum program that I made with the help of people on the Crypto++ Mailing List. Read more →

FSDaily security fail (see image)

Hint, Hint! FSDaily don’t access your db with the root account. and definitely make sure that, that error page doesn’t show that to users.– This work by Caleb Cushing is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Read more →

PostgreSQL initial setup (authentication)

If you followed my last initial setup post on creating users and are running a default install of postgres you currently should be able to access the database on your cli. However, many distributions do not install postgres in a default manner. A great many distributions make the default authentication for sockets ident sameuser. This is technically much more secure than trust which is the default. However, you may find yourself locked out of your database on the local cli if you make the database name different. Read more →

Adding a new group to an open shell without logging in and out

Most Unix users believe it’s impossible to add a group that was recently added to your user account without logging in and logging out. If you’re running X and need to give your gui new permissions (like dolphin/konqueoror) this may be true, for the most part. I don’t know how to change it for those processes. However, if you need to change it for a shell prompt it’s easy. You merely execute the command newgrp in an open shell prompt and that prompt will now be loaded with the new group. Read more →

More Security = Better. Wrong!

So I just had a discussion on #ubuntu-server on freenode about why my not having a password to connect to postgresql via a socket (read local cli) is insecure. So I asked them, how exactly is it that someone is going to get this access? The answer “there are bad people on the Internet”. I’m sure many people right now are agreeing with them and thinking I’m crazy. Let’s discuss my setup though shall we. Read more →

iptables browsing samba shares

NOTE: this assumes that you’ve read my previous post on basic iptables setup on the desktop So I just spent the longest time trying to determine what ports I needed to browse and use samba shares. The sad answer is it’s just one. iptables -A INPUT -p udp –sport 137 -j ACCEPT the catch with all the information I found with google was that most of it was for samba servers. Read more →