How to wake on lan a remote host on demand using systemd's sockets

Some years ago I wrote an article on how to wake on lan a (SSHFS) fileserver on demand using autofs.

Today I want to describe a more generic way to do the same. This should work not only for SSH but for every service that communicates via TCP. All you need is systemd, netcat (nc) and a wake-on-lan tool like etherwake.

Connect to FortigateVPN with OpenfortiVPN

I've got a lot of feedback for my old article How to connect to a FortiGate IPSec-VPN using Linux. However, the connection with vpnc was never stable for me, it always segfaults after a while and I had to restart it.

So I did some more research and found a relatively new project called openfortivpn by Adrien Vergé, which uses the SSL VPN tunnel feature of Fortigate instead of IPSec. Additionally, NetworkManager support already exists thanks to the Gnome people.

Migrate user accounts from OpenLDAP to unix system user

At the moment I want to get rid of an OpenLDAP instance which by now is only used to authenticate users on a single host. I want to take all user accounts and store them as Unix user accounts in /etc/passwd, /etc/shadow and /etc/group. The only problem is the userPassword field. The passwords in OpenLDAP are hashed with the SSHA algorithm, which means Salted SHA-1. They look like "{SSHA}Nxs1gQ299W/QPXoRwW9kDZfaPpLApSWP", which is the Base64-encoded hash and salt.

SHA-1, and especially salted SHA-1, aren't supported by Linux's crypt. So while I can migrate the user names, uid, gid, homeDirectory and unixShell I am not able to migrate the user's passwords. That is very bad.

Fortunately, PAM and pam_exec exist! pam_exec calls a user-defined program that can do its own verification routine. So I wrote a little Python script that looks into the system's shadow file and, if the user's password hash starts with '{SSHA}', tries to verify it using the SSHA algorithm:

Store this script under /usr/local/sbin/verify_ssha_passwd, make it executable and change the /etc/pam.d/common-auth from:

auth [success=1 default=ignore] nullok_secure
auth requisite

to:

auth [success=2 default=ignore] nullok_secure
auth [success=1 default=ignore] expose_authtok /usr/local/sbin/verify_ssha_passwd
auth requisite

This will call verify_ssha_passwd if and only if fails to verify the password on its own.

When the password has been verified successfully this program will call 'passwd' to update the password to the system's default format. This means that this program will make itself obsolete over time.

Security considerations:

This script might be vulnerable to timing attacks, so don't use it in critical environments. Also it doesn't respect the additional shadow fields like 'maximum password age' and 'account expiration date'! If your security setup relies on these fields this script is not for you!
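The SSHA check described above, as an added example that is not the author's verify_ssha_passwd script: it splits the Base64 value into the 20-byte SHA-1 digest and the trailing salt, recomputes SHA-1(password + salt), and compares with hmac.compare_digest to address the timing concern. The function names are hypothetical, and reading /etc/shadow and calling passwd are left out.

```python
import base64
import binascii
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def split_ssha(stored):
    """Return (digest, salt) from an '{SSHA}...' value, or None if malformed."""
    if not stored.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= SHA1_LEN:  # a digest with no salt after it is not SSHA
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password, stored):
    """Check a candidate password against an SSHA value."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # compare_digest does not return early at the first differing byte
    return hmac.compare_digest(candidate, digest)


def make_ssha(password, salt=None):
    """Build an SSHA value; used here only to construct sample input."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    sample = make_ssha("correct horse")  # constructed sample, not a real account
    print(verify_ssha("correct horse", sample))
    print(verify_ssha("wrong", sample))
```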

Play a movie as screensaver in KDE

Did you ever want to play a video as screensaver? With KDE this is pretty easy.

  1. First, you need a video player. I chose mpv, but mplayer will also do.
  2. Second, you need a video. Store it in a publicly readable place, for example in /opt/cats.mp4. This is not strictly required in a single-user environment, but since your screensaver will be available to all users it is a nice idea. Of course you could also place it in another directory like /etc/screensaver and/or symlink to the real file. This will make it easier to replace the actual video file.
  3. Third, create a custom screensaver service file for KDE:


    [Desktop Entry]
    Exec=mpv --loop=inf -ao=null /opt/cats.mp4
    Name=Custom Video
    [Desktop Action InWindow]
    Exec=mpv --loop=inf -ao=null --no-keepaspect --wid=%w /opt/cats.mp4
    Name=Display in Specified Window
    [Desktop Action Root]
    Exec=mpv --loop=inf -ao=null --no-keepaspect --wid=0 /opt/cats.mp4
    Name=Display in Root Window

    On an Intel NUC I also had to append '-vo=x11' to the options list.

    The exact location of the ScreenSavers directory may depend on your distribution. If unsure, try to locate it with:

    $ find /usr -type d -name ScreenSavers
  4. Finally, open the Lock Screen menu from KDE's settings and select your custom screensaver.

Debian Squeeze to Jessie

TIL: An upgrade from Debian Squeeze (6) to Jessie (8) without the detour via Wheezy (7) is possible, but painful.

TL;DR: A fresh installation is usually easier. If you want to try it anyway, remember to make a backup and have a reasonable idea of how to deal with dependency problems during package installation.

The start is as usual: