Migrating Google Authenticator secret keys between servers - pam

I've got an OpenVPN server (ubuntu 14.04) with pam-google-authenticator (20130529-2).
I'm trying to create a new OpenVPN server (ubuntu 18.04) with pam-google-authenticator (20170702-1)
and migrate all the existing secret keys.
When creating a new key using google-authenticator I manage to connect and everything works fine, but when I tried the old keys (copied from the old server), the authentication fails:
pamtester openvpn shalevbs authenticate -> pamtester: Authentication failure
Both of the servers are synced to the same NTP.
I also noticed the old secret key is 16 characters while the new one is 26 characters.
Has anyone encountered something like this?

I believe this has something to do with your new server running a bit size of 160 bits, and the older server running 80 bits (the default - maybe the old default?).
I believe the size of the secret is defined in libpam/google-authenticator.c on / around line 39.
#define SECRET_BITS 80 // Must be divisible by eight
Go ahead and check this value on the old and new server and see if changing the new server to the same value as the old server fixes things for you.
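As an added check for this kind of migration (example code, not from pam-google-authenticator or from either post), the following Python decodes the first line of a copied .google_authenticator-style file, reports the secret's bit size, and verifies a code with a plain RFC 6238 TOTP implementation, which accepts an 80-bit and a 160-bit secret alike. The file contents and the 16-character secret are constructed; the 32-character secret is the RFC 6238 test key, so its codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample files in the layout pam-google-authenticator writes:
# base32 secret on line 1, '" ' option lines, then emergency scratch codes.
OLD_SERVER_FILE = 'JBSWY3DPEHPK3PXP\n" RATE_LIMIT 3 30\n" TOTP_AUTH\n12345678\n'   # 80-bit
NEW_SERVER_FILE = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n'            # 160-bit, RFC 6238 key


def load_secret(file_text):
    """Return (raw_secret, bit_size) from the first line of a secret file.
    google-authenticator writes unpadded base32, so padding is restored first;
    a corrupted copy (bad characters, wrong length) raises here."""
    first = file_text.splitlines()[0].strip()
    padded = first + "=" * (-len(first) % 8)
    raw = base64.b32decode(padded, casefold=True)
    return raw, len(raw) * 8


def totp(raw_secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme the Google Authenticator app uses."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(raw_secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def verify_code(file_text, code, unix_time, window=1):
    """Accept a code for the current step or +/- `window` steps (clock skew),
    comparing in constant time; the secret length does not matter here."""
    raw, _ = load_secret(file_text)
    candidates = (totp(raw, unix_time + k * 30) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c.encode(), str(code).encode()) for c in candidates)


if __name__ == "__main__":
    for name, text in (("old", OLD_SERVER_FILE), ("new", NEW_SERVER_FILE)):
        raw, bits = load_secret(text)
        print(name, "server secret:", bits, "bits,", len(text.splitlines()[0]), "base32 chars")
```

Compare the code this prints for the migrated file against the one the phone shows at the same moment; if they match, the secret copied intact and the failure lies elsewhere in the PAM configuration.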

Related

DTLS. 141A318A:SSL routines:tls_process_ske_dhe:dh key too small

I have two Qt-based applications (client and server) which use DTLS and TLS connections. That works fine on Ubuntu and Windows 10. Now I have tried to build the server's part for a Raspberry Pi 4 (Raspbian). TLS works fine but a DTLS handshake stops with an error.
On server side (raspbian):
14102410:SSL routines:dtls1_read_bytes:sslv3 alert handshake failure
On client (Ubuntu 20):
141A318A:SSL routines:tls_process_ske_dhe:dh key too small
The client's error is quite popular and I have found many solutions to fix that (add 2 strings to /etc/ssl/openssl.cnf) but that doesn't affect

Solaris tcp_time_wait_interval configuration

On my Solaris server, I have an HTTP server which handles many incoming connections. In my server logic, it closes connections from clients manually, so many TIME_WAIT states appear when I run netstat -an on my server.
So I changed tcp_time_wait_interval to 10 seconds with the command:
ndd -set /dev/tcp tcp_time_wait_interval 10000
But I read in the user guide: "Do not set the value lower than 60 seconds".
Does anyone know why Oracle recommends that?
The user guide URL is : http://docs.oracle.com/cd/E19455-01/806-6779/chapter4-51/index.html
Was told by my Oracle engineer that with a very heavy transaction load in thousands/sec it can be set as low as 10 ms on Solaris 11/11.1.

TCP > COM1 for receiving messages and displaying on POS display pole

I currently have a Java Applet running on my web page that communicates to a display pole via COM1. However since the Java update I can no longer run self-signed Java Applets and I figure it would just be easier to send an AJAX request back to the server and have the server send a response to a TCP port on the computer...the computer would need a TCP > COM virtual adapter. How do I install a virtual adapter to go from a TCP port to COM1?
I've looked into com0com and that is just confusing as hell to me, and I don't see how to connect any ports to COM1. I've tried tcp2com but it doesn't seem to install the service in Windows 7 x64. I've tried com2tcp and the interface seems like it WOULD work (I haven't tested), but I don't want an app running on the desktop...it needs to be a service that runs in the background.
So to summarize how it would work:
Web page on comp1 sends AJAX request to server
Server sends text response to comp1 on port 999
comp1 has virtual COM port listening on port 999, sends data to COM1
pole displays data
EDIT: I'm using Win 7 x64 and tcp2com doesn't work as a service. I tried using srvany but I get an error stating that the application started then stopped. If I use powershell and pass the tcp2com as an argument, it doesn't quit but it also doesn't run. So I nixed the whole 'service' deal and put the command: powershell -windowstyle hidden "tcp2com --test tcp/999 com1" and it works...sort of. The characters that get sent are all effed. I can write "echo WTF > COM1" on another computer which has COM2TCP (different vendor) and it'll come up as a single block on the POS display pole. However if I use COM2TCP on both the server and client machines, everything works fine...but that's only a trial version and it costs several hundred dollars! On another note, is there a way to send the raw text over IP without having to use another Virtual COM > IP adapter on another computer? Sort of like how curl works but different...?
After a somewhat exhaustive search, I came across a program called 'piracom'. It's a very simple app that lets you specify port settings for the express purpose of connecting a serial port to a listening port over the network. So this is IP > Serial. For Serial > IP I used HW-VSP3-Single as even the piracom website says it's compatible! I've tested and it works!
I just put a shortcut to piracom in the startup folder of my user account; the app runs off of a .ini that it updates every time you make a change...so if you run the server and hide it, on the next reboot of the pc it'll start up running and hidden with all prior settings. Easy.
Now it's a matter of installing HW-VSP3 on the server and making a method on the Rails app which will write to the virtual COM port. The only issue I can see right now is that writing echo \14Test This! > COM3 actually prints the \14...if I do that in my Java applet, it sends the "go to beginning" signal.
Addendum 1: The \14 problem was fixed by using the serialport gem for RoR. I created a method in a controller that returned head :no_content and then sent data to the COM port. Calls to this method were made via jQuery's $.ajax, using the "HEAD" HTTP method. Apparently though I had to add the GET verb in Rails routes because the HEAD option isn't supported for some gimpy reason.
Addendum 2: Some garbage data was being sent to the display pole at the end of the string...turns out I needed to turn off the "NVT" option in HW-VSP3. Also keep in mind that firewalls need to be modified to allow communication.

Not receiving events on Asterisk 11 AMI

I'm a veteran of Asterisk 1.4 and am looking to build a new application on Asterisk 11 (which is currently beta, but is planned to be LTS release some time before I need it.)
I can't get Asterisk Manager Interface on 11 to send me any events. (Now, obviously, in production, I need to cut down these AMI rights drastically, but as I'm exploring I've opened the firehose, if you will.)
manager.conf looks like this:
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1
[manager]
secret = squirrel
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.0.0.0
read = all
write = all
I then use telnet to try to get in and explore the event stream:
$ telnet localhost 5038
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Asterisk Call Manager/1.3
Action: Login
Username: manager
Secret: squirrel
Events: on
Response: Success
Message: Authentication accepted
Event: FullyBooted
Privilege: system,all
Status: Fully Booted
...and there it sits, not moving, no matter what I actually do with the system. I've also tried using the Event manager action with EventMask: on to try to get something out of it; the command is accepted, but nothing changes. It will happily respond to any other actions I send it, though.
Any leads? This sort of thing worked fine under 1.4, and I'm not finding anything in any documentation suggesting I'm doing something wrong. I suppose the next thing to try is 1.8...
(There is little else in /etc/asterisk; I'm using example configs only for reference. This is as minimal as we get...)
It may be a bug in Asterisk / FreePBX. I had the same situation, and my API PHP script didn't receive any events from AMI.
To fix this bug, you must install the "Conferences" module and restart Asterisk from SSH: service asterisk restart
I just tested this with the latest 11 from subversion using your configs. I see events being generated. For example, executing this from the CLI:
*CLI> channel originate Local/Foo application Bar
While invalid, this will cause some events to be spit out to the manager interface.
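As an added example (not Asterisk's code and not from either answer), here is a small Python AMI client that sends the same Login action with Events: on as the telnet session above and splits the returned stream into frames, so a script can tell whether anything arrives after FullyBooted. AMI frames are "Key: Value" lines terminated by a blank line, as in the transcript; the sample stream is constructed from that transcript plus an invented Newchannel event and a deliberately truncated trailing frame.

```python
import socket

# Constructed sample stream: the banner, login response and FullyBooted event
# from the transcript above, one invented Newchannel event, and a partial frame.
SAMPLE_STREAM = (
    b"Asterisk Call Manager/1.3\r\n"
    b"Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
    b"Event: FullyBooted\r\nPrivilege: system,all\r\nStatus: Fully Booted\r\n\r\n"
    b"Event: Newchannel\r\nPrivilege: call,all\r\nChannel: Local/Foo@default-00000001;1\r\n\r\n"
    b"Event: Hangup"
)


def build_action(action, **fields):
    """Serialise an AMI action; Events: on requests the event stream at login."""
    lines = ["Action: %s" % action] + ["%s: %s" % kv for kv in fields.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_frames(buffer):
    """Split buffered bytes into complete frames (dicts) and return the leftover
    partial frame. The banner line has no 'Key: Value' form and is skipped."""
    frames = []
    while b"\r\n\r\n" in buffer:
        raw, buffer = buffer.split(b"\r\n\r\n", 1)
        frame = {}
        for line in raw.decode("utf-8", errors="replace").split("\r\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                frame[key] = value
        if frame:
            frames.append(frame)
    return frames, buffer


def summarise(frames):
    """Count responses and list event names; a stuck session shows one event."""
    events = [f["Event"] for f in frames if "Event" in f]
    responses = sum(1 for f in frames if "Response" in f)
    return {"responses": responses, "events": events}


def login_and_collect(host, port, username, secret, seconds=5):
    """Log in, read frames until the socket is quiet for `seconds`, then log off.
    Use an account whose read= list is narrower than 'all' once exploration is done."""
    frames, buf = [], b""
    with socket.create_connection((host, port), timeout=seconds) as sock:
        sock.sendall(build_action("Login", Username=username, Secret=secret, Events="on"))
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                new, buf = parse_frames(buf)
                frames.extend(new)
        except socket.timeout:
            pass  # nothing more arrived within the window
        sock.sendall(build_action("Logoff"))
    return frames
```

Run login_and_collect against 127.0.0.1:5038 with the manager credentials, originate a call from the CLI meanwhile, and summarise() on the result shows whether more than the single FullyBooted event ever reaches the client.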

Explanation for CONNECT observations using Fiddler for url https://www.fiddler2.com/fiddler2/version.asp

I'm using IE9 beta and Fiddler to understand the HTTPS session negotiation taking place for the above URL (chosen for no particular reason other than that it's secured).
Some observations made me curious... does anyone understand what's happening here?
1. When I connect with Fiddler setting: HTTPS decrypt OFF, I see this sequence
5 CONNECTs to fiddler2.com with nothing but headers showing
a) Curious, why more than one?
1 CONNECT to beta.urs.microsoft.com
b) Does this have something to do with asking MS which cert it recognises? I thought this data is supposed to be kept locally? Maybe that only happened because I'm using a beta of IE9?
4 CONNECTs to fiddler2.com with the same SessionID but different Random and the list of ciphers available on the client.
1 CONNECT to beta.urs.microsoft.com with similar content to above 4
c) Why the multiple CONNECTs here with different Random?
2. When I connect with Fiddler setting: HTTPS decrypt ON, I see this sequence
5 CONNECTs to fiddler2.com with nothing but headers in the request only and the response shows a certificate and the chosen cipher. Same in all 5.
a) same question
1 GET with the page contents
d) what happened to the extra CONNECTs this time?
I'm trying to relate what I see here to the negotiation between client and server as it's documented here.
Transport Layer Security
Tyia,
Mick.
You didn't mention what browser you're using and what ciphers you have enabled in that browser.
Sometimes, you'll see multiple CONNECT handshakes because the server immediately closes the connection (ungracefully stating that they don't support the requested protocol version) and the client will retry (fallback) to an older protocol version. You definitely see this happen a lot if you enable TLSv1.1 and TLSv1.2 in IE, for instance.
You also may see multiple CONNECTs if the client aborts a connection and then attempts to open a new one.
urs.microsoft.com and beta.urs.microsoft.com are used for the SmartScreen site-reputation feature.
