Program Arduino Pro Mini with CP2102 USB module

When I ordered a bunch of Arduino Pro Mini clones I didn't notice that these don't come with an integrated USB-to-Serial adapter (in fact I needed an Arduino Nano - well, I was relatively new to this).

So to get a chance to use them I've also ordered a CP2102 board that converts between USB and TTL. Since it took me a while to figure out how to use it, I will document it here.

First, connect the CP2102 with the Arduino:

KDE: Remove "Switch User" and "Start New Session" from Plasma's lockscreen

If you are the only user on your workstation you probably do not have any need for the "Start New Session" button on Plasma's lockscreen. Quite the contrary, it's extremely annoying if you just wanted to unlock your session and accidentally created a new one instead.

There is no UI switch to disable this button, but you can use the KDE Action Restrictions for this. Just append the following lines to your "$HOME/.config/kdeglobals" (or "$HOME/.kde/share/config/kdeglobals") and log in again:

[KDE Action Restrictions][$i]
action/switch_user=false
action/start_new_session=false

How to wake on lan a remote host on demand using systemd's sockets

Some years ago I wrote an article on how to wake on lan a (SSHFS) fileserver on demand using autofs.

Today I want to describe a more generic way to do the same. This should not only work for SSH but for every service that communicates via TCP. Everything you need is systemd, netcat (nc) and a wake-on-lan tool like etherwake.

Connect to FortigateVPN with OpenfortiVPN

I've got a lot of feedback for my old article How to connect to a FortiGate IPSec-VPN using Linux. However, the connection with vpnc was never stable for me; it always segfaulted after a while and I had to restart it.

So I did some more research and found a relatively new project called openfortivpn by Adrien Vergé, which uses the SSL VPN tunnel feature of Fortigate instead of IPSec. Additionally, NetworkManager support already exists thanks to the Gnome people.

Migrate user accounts from OpenLDAP to unix system user

At the moment I want to get rid of an OpenLDAP instance which by now is only used to authenticate users on a single host. I want to take all user accounts and store them as Unix user accounts in /etc/passwd, /etc/shadow and /etc/group. The only problem is the userPassword field. The passwords in OpenLDAP are hashed with the SSHA algorithm, which means Salted SHA-1. They look like "{SSHA}Nxs1gQ299W/QPXoRwW9kDZfaPpLApSWP", which is the Base64-encoded hash and salt.

SHA-1, and especially salted SHA-1, aren't supported by Linux's crypt. So while I can migrate the user names, uid, gid, homeDirectory and unixShell I am not able to migrate the user's passwords. That is very bad.

Fortunately, PAM and pam_exec.so exist! pam_exec calls a user-defined program that can run its own verification routine. So I wrote a little Python script that looks into the system's shadow file and, if the user's password hash starts with '{SSHA}', tries to verify it using the SSHA algorithm:

https://gist.github.com/Cybso/2016e4de9a2465cef920

Store this script under /usr/local/sbin/verify_ssha_passwd, make it executable and change the /etc/pam.d/common-auth from:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so

to

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_exec.so expose_authtok /usr/local/sbin/verify_ssha_passwd
auth requisite pam_deny.so

This will call verify_ssha_passwd if and only if pam_unix.so fails to verify the password on its own.

When the password has been verified successfully this program will call 'passwd' to update the password to the system's default format. This means that this program will make itself obsolete over time.

Security considerations:

This script might be vulnerable to timing attacks, so don't use it in critical environments. Also, it doesn't respect the additional shadow fields like 'maximum password age' and 'account expiration date'! If your security setup relies on these fields, this script is not for you!
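As an added example (not the gist linked above), here is the core of such an {SSHA} check in Python: it splits the Base64 value into the 20-byte SHA-1 digest and the trailing salt, recomputes SHA-1(password + salt), and compares in constant time to address the timing caveat. The main block mirrors the pam_exec expose_authtok interface (user in $PAM_USER, password on stdin); the rehash via 'passwd' and the shadow aging fields are left out.

```python
import base64, hashlib, hmac, os, sys

# Added example, not the gist above: {SSHA} = Base64(SHA-1(pw || salt) || salt).
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

def split_ssha(stored):
    """Return (digest, salt) from a '{SSHA}...' string, or None if not SSHA."""
    if not stored.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:
        return None  # no salt present, treat as malformed
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def verify_ssha(password, stored):
    """True only if `stored` is a well-formed {SSHA} hash of `password`."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the check does not leak matching digest bytes.
    return hmac.compare_digest(computed, digest)

def make_ssha(password, salt=None):
    """Constructed helper to build test values; random 4-byte salt if omitted."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def shadow_hash_for(user, shadow_lines):
    """Return the password field for `user` from shadow(5)-formatted lines."""
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None

if __name__ == "__main__":
    # pam_exec with expose_authtok: user name in $PAM_USER, password on stdin.
    user = os.environ.get("PAM_USER", "")
    password = sys.stdin.read().rstrip("\n")
    with open("/etc/shadow") as f:
        stored = shadow_hash_for(user, f)
    sys.exit(0 if stored and verify_ssha(password, stored) else 1)
```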
