September 27, 2015

Linux VNC alternative: x2go

The ideal Linux terminal server has finally come true.
It is called X2Go, and it's open source and free. It's based on the NX protocol and works great, with Windows/Mac/Linux clients. 

September 26, 2015

use supervisor to monitor your process

https://serversforhackers.com/monitoring-processes-with-supervisord

sudo apt-get install -y supervisor

Let's create a configuration for it called webhooks.conf. This file will be created at /etc/supervisor/conf.d/webhooks.conf:

[program:nodehook]
command=/usr/bin/node /srv/http.js
directory=/srv
autostart=true
autorestart=true
startretries=3
stderr_logfile=/var/log/webhook/nodehook.err.log
stdout_logfile=/var/log/webhook/nodehook.out.log
user=www-data
environment=SECRET_PASSPHRASE='this is secret',SECRET_TWO='another secret'

Then:

supervisorctl reread
supervisorctl update
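As an added example (not code from the original post or from supervisor itself), a small Python linter that parses a [program:...] section like the one above and flags what a reviewer would check first: a program that runs as root because user= is absent or root, and secrets passed in cleartext through environment=. The environment= parser, the SECRET_HINTS list and the finding texts are this example's own assumptions.

```python
# Added example (not the post's or supervisor's code): lint [program:x] sections.
import configparser

# Constructed sample, abridged from the post's webhooks.conf
SAMPLE_CONF = """\
[program:nodehook]
command=/usr/bin/node /srv/http.js
directory=/srv
user=www-data
environment=SECRET_PASSPHRASE='this is secret',SECRET_TWO='another secret'
"""

SECRET_HINTS = ("SECRET", "PASS", "TOKEN", "KEY")  # assumed name patterns

def parse_environment(value):
    """Split KEY='v1',KEY2="v2" into a dict; commas inside quotes stay in the value."""
    env, key, buf, quote = {}, None, [], None
    for ch in value + ",":             # trailing comma flushes the last pair
        if quote and ch == quote:      # closing quote
            quote = None
        elif quote:                    # inside a quoted value
            buf.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch == ",":                # end of one KEY=value pair
            if key is not None:
                env[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(ch)
    return env

def lint_program(section):
    """Review findings for one [program:...] section (checks are this example's own)."""
    findings = []
    user = section.get("user", "root")  # no user= means supervisord's own user, usually root
    if user == "root":
        findings.append("runs as root (no user= or user=root): set a dedicated low-privilege account")
    for name in parse_environment(section.get("environment", "")):
        if any(h in name.upper() for h in SECRET_HINTS):
            findings.append(f"{name}: cleartext secret in the conf file, check its permissions")
    return findings

def lint_config(text):
    """Lint every program section in a supervisor conf string."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # keep %(ENV_X)s literal
    cp.read_string(text)
    return {s: lint_program(cp[s]) for s in cp.sections() if s.startswith("program:")}
```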

September 25, 2015

hg-git push: no changes found

If you use hg-git, and you know you have new changesets, but hg push is telling you "no changes found", using the following command may solve the problem:

hg bookmark -f master


This is because hg-git uses a bookmark to simulate each git branch. For some reason this bookmark was not moved to your latest changeset by hg update, so hg-git sees nothing to push; forcing the bookmark forward fixes it.

docker Makefile

build:
    docker build --rm -t logtest:v1 .
clean:
    @docker rm  `docker ps -a  | awk '/Exited/ || /Created/ {print  $$1}'`
    @docker rmi `docker images | awk '/^<none>/{print $$3}'`
list:
    docker ps -a
    echo
    docker images

Docker: find the host IP address from inside a container (the default gateway)

netstat -nr | awk '/^0\.0\.0\.0/{print $2}'

September 17, 2015

join Linux to Windows domain

Use likewise-open

http://askubuntu.com/questions/452904/likewise-open-14-04-other-easy-way-to-connect-ad

http://www.powerbrokeropen.org/licensing/

PowerBroker Identity Services – Open Edition git repository: git://source.pbis.beyondtrust.com/pbis.git

Windows Machine Authentication:
A few links that were very helpful to me:

http://ubuntuforums.org/archive/index.php/t-2141567.html
Many corporations deploy 802.1x machine authentication because it's more secure than username authentication. Here's a guide on how to do such authentication.

The basic idea is that when a machine joins an AD domain, the DC generates a password corresponding to that machine name. The password is transparent to administrators, but the open source software "likewise open" can get this password. So we can use the machine name and password to do 802.1x machine authentication with PEAP-MSCHAPV2, rather than an EAP-TLS certificate.
https://learningnetwork.cisco.com/thread/33200?start=15&tstart=0

The client is configured to provide some form of credentials when it connects to an 802.1x network.  These credentials could be in the form of a username/password, machine account/password, certificate, or a number of other lesser used credentials.

The RADIUS server (ISE in your case), just needs to be able to verify if the supplied credentials are accurate. To verify username/password credentials, it can look in the local user database, or reach out to external repositories, such as AD. To verify machine account/password credentials, it will need to reach out to AD. To verify certificates, it needs to have the CA cert of the server that signed the client certificates installed.

In short, the client is the one that decides the credentials to supply, and ISE just needs to be able to validate them.

When discussing machine or user account authentication, you can do one or the other or even do both on a per client basis.

If you only want to do machine authentication, that's fine.  A benefit to machine authentication is that it can be done before a user actually logs into the PC.  So things like login scripts can be run.  But you can only do this on a PC that is in AD (unless you want to consider enabling EAP-TLS with certificates).

If you only want to do user authentication, that's fine as well. This will happen after the user has logged into the OS. So your laptop will not have a network connection if it's just sitting at a login prompt.

You can also do both.  Historically how this has worked is that the PC will do machine authentication when it first boots up.  Then once a user logs in, it will do a new authentication with the user credentials.  Not very many people did this.  With the latest anyconnect client and ISE, you can actually do both at the same time now (I think they call it EAP chaining).  But again, not many people do this.

September 16, 2015

Using netcat to send udp broadcast packet

1. You need to be root on Linux.
2. Make sure you use the traditional netcat. In Ubuntu, that's nc.traditional.
3. To send a broadcast to the broadcast address 192.168.1.255, port 8080, do this:

       echo -n "hello" | nc -b -u 192.168.1.255 8080

4. OR, use ncat:

       echo -n "hello" | ncat -u 192.168.1.255 8080

5. OR, use socat:

       echo -n "hello" | socat - udp-datagram:192.168.1.255:8080,broadcast