I’m surprised and pleased to learn that bochs still exists and is still being actively developed and improved. Lots of people said it would die once hardware-accelerated virtualization became commonplace, since pure software emulation of a PC is so much slower than using a hypervisor. But not only is bochs still popular, it’s got competition!
Tag Archives: sysadmin
Setting default gateway on Cisco 2960 switches
Since The Dawn Of Time ™ it’s been possible for a networked device to have a default route. Way back then, before our beards turned thick and grey, all routers were called “gateways” so the default route was called a default gateway in those ancient times.
The purpose of the default route is to provide a last ditch option when the device does not know what to do. Basically, whenever a networked device doesn’t know where to send some data, it can do the equivalent of a hail mary pass, and just chuck it blindly at a mysterious place where hopefully there will be a router or modem of some sort which is part of the global Internet. This is actually how the vast majority of Internet traffic is handled, believe it or not; PCs, Macs and webservers typically don’t know anything about how to reach other things on the Internet. The router that sits at the end of their default route handles it for them.
The Cisco 2960 is a commodity network switch that has recently been given some routing capabilities by a software update. They are quite commonplace; there’s a couple stacks of them around my job site, hanging off the larger Nexus fabrics.
The 2960 has brought some fresh confusion to the terminology, because for reasons unknown Cisco has provided these three commands:
ip default-gateway (when IP routing is disabled)
ip default-network (when IP routing is enabled)
ip route 0.0.0.0 0.0.0.0 (when load balancing across multiple routes is enabled)
To an experienced networking professional, those are all the same thing. If I say “hey, Melvin, set route zero mask zero on your box to point to the core12 router” it means the same as if I say “Melvin, you dolt, your default gateway needs to be core12” or even “the default net should be core12, Melvin!” So this is a remarkably non-intuitive set of configuration options here.
“So what” you say, with a Cisco router you just use the tab-completion and question-mark help features of the command line to learn what to do, right? Who needs documentation, Cisco rocks. Er, except in the current version of the software there’s no help text at all for ip default-gateway, and you can’t use ip default-network until routing is enabled, and it’ll accept ip routes to 0.0.0.0 without using them as a default. So, not so much. Thankfully Keith Barker has a more helpful post than mine, if you haven’t already figured out what you need from this one.
Fixing a corrupt Active Directory group
We have a group, we’ll call it Business Admin. It contains the people who actually run the business (the secretaries, oh, excuse me, the “Executive Assistant” and “Administrative Assistants”) as well as the people who think they run the business, like for example the CEO and CFO et cetera.
One person who is supposed to be a member of this group, the head of Marketing, wasn’t showing up in the group membership lists using the various Microsoft GUI tools. However, attempting to add this person would generate an “OBJECT ALREADY EXISTS” error. Huh?
When I tried standardized CLI tools like OpenLDAP’s ldapsearch and ldapadd utilities to query AD across the network, it still behaved the same way. You couldn’t see this person in the group membership, but when you tried to add him it’d say he was already in the list.
Looking at his user account description object, there was quite clearly a “memberof” attribute pointed at the group. Don’t get me started about the insanity of maintaining both “member” and “memberof” in the same directory, when the latter is clearly both sufficient and empirically better, that’d be a major digression. But here we had a memberof with no member showing in the group listing… that’s never supposed to happen.
Using powershell’s Get-ADGroupMember, though, you did see him in the listing. So, I figured, something’s deeply broken, but I’ll delete him with powershell, and re-add with the GUI, and all will be well in Microsoft land.
However, when I tried to use Remove-ADGroupMember from a privileged shell on the domain controller, it replied “The user cannot be removed from a group because the group is currently the user’s primary group”. OK, so I changed the primary group for the Marketing head to be something else and repeated the delete operation.
This time the delete succeeded. Now here’s the weird part. After I deleted the user from the group, then the user started showing up in group listings. Got that? He was not showing up, so I deleted him, and then he showed up.
After that everything just worked. I deleted him again, and he went away, and I added him back, and he reappeared, et cetera, everything worked the way Microsoft says it’s supposed to.
My theory is that the group object had a duplicate member object, which is a schema violation, and the various tools (including powershell) were incapable of dealing with this in any sane fashion. But you can fix it with powershell.
MPLS blowed up sir
The BGP routing information coming in from our Verizon MPLS connections has gone insane. Somebody is screwing up. Haven’t figured out yet if it’s them or us…
Averting the Year 2038 Disaster
OpenBSD released version 5.5 today, and not only has the OpenBSD team removed the OpenSSL dependency from OpenSSH, they’ve also implemented 64 bit time_t variables on all platforms.
So on Tuesday, January 19th, in the year 2038, when the rest of the world’s Unix systems fail at 3:14:02 Greenwich Standard Time, OpenBSD systems will proceed with business as usual.
I have now fulfilled the promise I made in late 1998 (that I would have an action plan to avert the Y2.038K Disaster by 2018) a good three years early. The plan is: convert to OpenBSD in 2035 if nobody else has caught up.
Theo weighs in on Heartbleed
I’ve been subjected to a fair bit of hysteria about the heartbleed vulnerability in OpenSSL. While it’s admittedly a severe problem, I can’t see much use in all the frothing Y2K-esque fearmongering (although it’s funny when Randall does it).
But honestly, I’ve been looking forward to Theo’s take on this, and he did not disappoint. You never doubt where Theo stands!
OpenSSL has exploit mitigation countermeasures to make sure it’s exploitable. — Ted Unangst
As the various cert vendors I deal with have been telling me all morning (can you stop emailing me now, guys, please?) it’s time to patch the vulnerable webservers, get new certs and move on.
IF YOU DID NOT UNDERSTAND ANY OF THE ABOVE, here’s what you do: Test each site you use (like, for example, mail.google.com or www.yahoo.com) using Filippo Valsorda’s tester. Once ALL the sites you use are patched, change ALL your passwords on ALL websites you use. Don’t change your password on a site that’s not patched – don’t even log in on a site that’s not patched! That will just increase the chances you will be hacked. Don’t assume that because your site is OK now, that you don’t need to change your password – the big boys (Yahoo comes to mind) were vulnerable for quite a while before they patched, but they test out fine now.
virtualization software comparison matrix
Got this useful link from Jason.
Edit: Here’s another virtualization tip from Jason – browser VMs for web site testing!
Goodbye Windows XP
Today’s the official last day of Windows XP support. Unless you are the UK. Or the Dutch. Or a bank.
New MariaDB & Linux kernel releases
The Linux 3.14 kernel has yet another process scheduler, a new network packet scheduler intended to combat bufferbloat, kernel address space layout randomization, and the usual plethora of other improvements.
MariaDB 10 (https://blog.mariadb.org/the-mariadb-foundation-announces-general-availability-of-mariadb-10/) has speed improvements, parallel replication, sharding, and NoSQL support. Looks like Oracle’s mySQL is truly irrelevant at this point; despite Sun paying Monty one billion US dollars for it back in 2008.
Facebook releases Hack
Facebook has followed up their 2011 release of their PHP Virtual Machine (HHVM, aka HipHop) by releasing Hack, an HHVM-compatible statically typed version of PHP.
I like PHP (mostly because it’s an extremely rapid development language for the web, and also because academic Java snobs hate it so passionately) but static typing should be a fantastic improvement.
Comcast DNS highly unreliable
Today we finally solved our email mystery. The reason some people could not get their email from their homes was that they were using Comcast as a service provider.
Querying Comcast’s DNS servers at 75.75.75.75 and 75.75.76.76, we discovered that our domain won’t resolve there at all, and even with the domains that do resolve properly there’s between 20% and 50% packet losses. Comcast’s DNS is broken.
A little googling around shows that these problems have been continuously reported by Comcast customers since at least 2006, and Comcast has never fixed it. This has been broken for so long that linux-based home router systems like DD-WRT actually support several workarounds!
We’re a Comcast Business Internet customer, and the people failing to communicate with our site are Comcast Home Internet customers (typically “Triple play” buyers) so this is a case where they are actually failing to provide a critically important customer service to both sides of their business. Our users who have Verizon FIOS are working fine, despite Verizon’s long standing practice of unethical DNS hijacking.
Chrooted SFTP-only accounts with OpenSSH
Courtesy of slashdot user CarlHaagen:
First off, add a group that you call for example “sftponly”. New users that are to be allowed only sftp access should have “sftponly” as their login group, and have /sbin/nologin as shell to deny them shell access. Their home directories should be owned by root:sftponly, and within the home dir you then create relevant user-controllable directories which should be owned by :sftponly.
Secondly, the sshd_config magic that makes the whole charade work:
Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h
What happens is that when the SSHd matches the user’s login group successfully, it forcefully switches over to the internal sftp component instead of the default external subsystem, which in turn makes it possible to chroot the user to his/her home dir without having to place a plethora of system files in each user’s home directory.
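An added example (not part of CarlHaagen's post or of OpenSSH): a pre-flight check for the ownership rule above, since sshd refuses a ChrootDirectory unless every component of the path is a root-owned directory that no group or other user can write to. The Component record, the function names and the sample accounts are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# One path component as sshd sees it: owner uid and mode bits (st_mode).
Component = namedtuple("Component", "path uid mode")


def audit_chroot(components):
    """Return the problems that would make sshd refuse this chroot path.

    sshd_config(5): all components of ChrootDirectory must be root-owned
    directories which are not writable by any other user or group.
    """
    problems = []
    for c in components:
        if not stat.S_ISDIR(c.mode):
            problems.append(f"{c.path}: not a directory")
            continue
        if c.uid != 0:
            problems.append(f"{c.path}: owned by uid {c.uid}, not root")
        if c.mode & stat.S_IWGRP:
            problems.append(f"{c.path}: group-writable")
        if c.mode & stat.S_IWOTH:
            problems.append(f"{c.path}: world-writable")
    return problems


def stat_components(path):
    """Collect a Component for '/' and for each directory down to path."""
    cur = os.sep
    st = os.stat(cur)
    out = [Component(cur, st.st_uid, st.st_mode)]
    for part in [p for p in os.path.abspath(path).split(os.sep) if p]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        out.append(Component(cur, st.st_uid, st.st_mode))
    return out


# Constructed layouts (not read from a real system). Directories below the
# chroot, such as a user-owned upload directory, are not part of the path
# sshd checks, so they do not appear here.
_D = stat.S_IFDIR
_BASE = [Component("/", 0, _D | 0o755), Component("/home", 0, _D | 0o755)]
GOOD_HOME = _BASE + [Component("/home/alice", 0, _D | 0o750)]       # root:sftponly
USER_OWNED = _BASE + [Component("/home/bob", 1001, _D | 0o755)]     # bob owns it
GROUP_WRITABLE = _BASE + [Component("/home/carol", 0, _D | 0o770)]  # g+w
NOT_A_DIR = [Component("/home/dave", 0, stat.S_IFREG | 0o644)]

if __name__ == "__main__":
    for name, layout in (("alice", GOOD_HOME), ("bob", USER_OWNED),
                         ("carol", GROUP_WRITABLE)):
        print(name, audit_chroot(layout) or "ok")
```

On a live host, audit_chroot(stat_components("/home/someuser")) runs the same check against the real directory tree.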
WordPress autoupdate did not break my RSS.
I really like WordPress, but the last spontaneous update (the autoupdate feature was recently enabled by default) seems to have broken my RSS. Good thing nobody reads this blog, I guess! I’m turning the bloody thing off. Grumble grumble grumble.
Update 2014-02-05: Perhaps not related to the 3.8.1 autoupdate, but rather to the new version of WordPress’s embedded post editor in 3.8. The damnable thing (which has always been too “expert hostile” for my taste, in every version) took a quote that I’d pasted in from a .PDF and sprinkled it with magical invisible ^L characters, which are not legitimate in RSS. I found them with a serious editor and got rid of them, now RSS works again.
A moment of extreme computer geekery
Almost certainly of no interest to anyone.. well, maybe DNS experts who have occasional need of perl. Net::DNS::RR::CNAME->set_rrsort_func is pretty incredibly obscure, though.
#!/usr/bin/perl -w -T -W
#
# DNS zone transfer and output CNAMEs sorted by target host
# Charlie Brooks 2014-01-08
use Net::DNS;
use Net::DNS qw(rrsort); # why don't I get this automatically?
my @domains=qw/typinganimal.net egbt.org hell.com/;
# Use system defaults from resolv.conf to find nameservers
my $res = Net::DNS::Resolver->new;
foreach my $namespace (@domains) {
# do a zone transfer, loading resource records into array
# axfr is standard (BIND style) not djbdns style
my @zone = $res->axfr($namespace);
# Red Hat's perl-Net-DNS-0.59-3.el5 package doesn't seem
# to have a useable rrsort for CNAMES (it tries to do a
# "<=>" flying saucer instead of "cmp") and the examples
# in the doco for custom sort methods flat out don't work
# but I flailed around until I found a way to do it. It's
# weirdly simple if you stumble upon the magic incantation.
# dumping the CNAMEs sorted by target requires custom sort function
Net::DNS::RR::CNAME->set_rrsort_func ('cnamet',
sub {($a,$b)=($Net::DNS::a,$Net::DNS::b);
$a->{'cname'} cmp $b->{'cname'}});
foreach my $cname (rrsort("CNAME","cnamet",@zone)) {
$cname->print;
}
}
exit;
A very tiny apocalypse
Oracle’s finally going to make good on their threat to stop allowing unsigned Java code to run from web browsers.
This may wreak great havoc in the world of lame web-launched java-based applications. Such as those infesting governments, hospitals and large corporations who aren’t savvy enough to use LAMP for their web development.
Good software will not be in any way impacted by this event.
SSL/TLS certificates, formats and file types
This stuff is a stack. You can’t skip the middle part and expect to understand any of it.
SSL (Secure Socket Layer) is a type of secure communications channel that you can push anything you want through. It is mostly used by web browsers to talk to web servers but it has infinite other uses. It was invented so that you could use a credit card online, and that is still the #1 use for it.
When a web address starts with “HTTPS” instead of “HTTP” it’s using SSL. You might see a little padlock icon in your browser when you go there.
SSL and TLS (Transport Layer Security) are pretty much the same thing. Everything I say here about SSL also applies to TLS.
PKI really means Paired Key Infrastructure even though officially the “P” stands for “Public”. I use lots of different PKIs, you probably do too. SSH uses one, SSL uses a different one, etc.
X.509 is a PKI standard for using linked pairs of cryptographic keys to ensure two separate things: #1, that you are talking to exactly who you think you are talking to, not some random criminal, and, #2 nobody can listen in on the conversation.
The security and reliability of x.509 depends on the non-existent virtuousness of commercial Certificate Authorities, so it’s not as great as you could hope, but good enough for buying stuff on Amazon or protecting PHI. The NSA and Unit 8200 are totally inside it all the time, but they don’t care about your Amazon wish list.
X.509 specifies only how key pairs are used, and not how they are stored on your disk drive. There are many formats for storage, but we have to stack up some more knowledge before we can talk intelligently about that.
As usual in paired key crypto, one key is chosen to be “public” (doesn’t matter which one) and one key is chosen to be “private”. Data encrypted with one can only be decrypted with the other, and vice versa. Bigger keys are better. Most people aren’t using big enough keys.
X.509 adds the extra wrinkle that the key chosen to be public will be time-stamped and signed by a Certificate Authority. A signed, stamped public key is called a certificate. The time stamp is there so CAs can charge absurdly high fees when certificates expire; it serves no other real purpose and don’t let them tell you different.
Don’t worry about what “signed” means. All that matters is that your web browser can always tell if your certificate was signed by a real commercial CA, or by your employer’s private CA, or is self-signed, or was signed by some random unknown system that might be criminal, or is expired.
When certificates are passed around from one system to another on the wires (like, from Amazon to your web browser, or in a Certificate Signing Request submitted to a CA, or whatever) they use Abstract Syntax Notation One’s Distinguished Encoding Rules (ASN.1 DER). If you really want to understand everything about standardized arbitrary data structure representation go to Wikipedia and start reading at ASN.1, which is sort of the ground rules everything else rests on. But you don’t really need to know the air:fuel mixture in your car is 16:1 to fix a carburetor, and you won’t need to know ASN.1 or DER to build a great web service.
Major point here: When you say “SSL certificate” you are saying “X.509 ASN.1 DER timestamped signed public key”, in the same way that when you say “living woman” you are saying “breathing mammalian human female person”. You don’t add any information by saying DER or X.509, those are already known when you say “SSL certificate”. Which is why I get annoyed whenever I read vendor documentation to see what format they want their certs in, because they always say something useless like “DER” or “X.509”. I already knew that!
Certificates and keys can be stored on disk in a bewildering number of different formats. Tomcat/Java, Apache, IIS/AD, and HP-UX’s webserver all use different formats with mostly stupid names following no particularly obvious pattern.
I’m only going to talk about the storage formats you might actually need to use, and I’m going to ignore lots of details.
PEM (used by lots of stuff) is the easiest way to store certs and keys and the least secure. You have to be super careful when you use PEM; making minor mistakes with file permissions or user privileges can be equivalent to leaving the root password written on a postit stuck to the side of your keyboard. Poorly written software may require you to put both the (public) certificate and the (private) key in a single PEM file which is unnecessarily dangerous. There are no non-printable characters in a PEM cert, it’s all human-readable gibberish that you can cut and paste.
PKCS#12 (Public Key Cryptography Standard number 12, the “Personal Information Exchange Syntax Standard”) is a password-protected format that can hold multiple sets of both (public) certs and (private) keys. The encryption is not marvelously strong so you still have to protect a PKCS#12 file, but it’s strong enough that you sure don’t want to lose the password! It’s a very good format for moving certificates and keys from system to system and used by many Microsoft products.
JKS (Java Keystore) is supposedly PKCS#12… but in my experience, using various versions of Tomcat, you have to build your Java keystore with the Java keytool that came with the version of the Java SDK that was used to build your Java application (such as Tomcat) which is a pain in the butt. It’s password-protected, so you need the passphrase used to build it in order to use it. The Java keytool can’t extract the private key to another file but there are plenty of other tools that can, so it’s not like this adds any real extra security, it’s mostly just annoying.
PKCS#7 (Public Key Cryptography Standard number seven, the “Cryptographic Message Syntax Standard”) is used a lot in the deep deep infrastructure. It cannot hold private keys, only certs, but it can hold a “cert chain” of any length, so for example CertX signed by CertZ, plus CertZ signed by some CA, plus the CA cert all in one file. I occasionally need to put certificates into this format for stuff like complex multi-OS LDAP architectures, and CAs use it, but most people will never need to work with it.
<Curmudgeonly Digression> An unfortunate result of Microsoft’s market dominance is that otherwise well-informed people often think that the last four characters of file names are deeply magical. This is because Apple used to have better filesystems than Microsoft (and arguably they still do). Apple filesystems implemented a resource fork as an extension to file metadata; the resource fork allows users, applications or operating systems to mark what program(s) should be used to process a file, so that you can just click on a file created by Excel and it will open in Excel, or whatever. Microsoft made a really crappy lame fake of this capability by creating a list of three-character codes and assigning each one to a piece of software, so that when you click on a file ending in .xls the operating system fires up Excel. If you think about this really deeply, you’ll realize it’s a truly horrible idea that Microsoft’s success has conditioned everyone to believe is reasonable – sort of like the way people used to be conditioned to think it was totally reasonable to test for witchcraft by dunking people in water. Nowadays Microsoft takes this stupidity a step further by hiding the last four characters from the user (unless you change the file viewer settings, which you definitely should), most likely because they are ashamed of the utter boneheadedness of it.
</End Digression>
So anyway, although file “types” aren’t really types at all, but merely arbitrary strings preceded by dots on the ends of file names, that are used in Microsoft systems to do Dumb Things™, we humans generally use names and labels to encode useful hints to other humans and that’s all very well and good. I always end my perl sources with .pl for example, even though the perl interpreter couldn’t care less. It’s a useful hint to my co-workers about content.
These are the most commonly used file types for x.509:
something.key = PEM format private key for something
something.csr = PEM format “certificate signing request” to submit to a CA
something.crt = PEM format signed certificate
whatever.p7s = PKCS#7 format certificate chain
whatever.p12 = PKCS#12 password-protected keystore
whatever.pfx = either a PKCS#12 keystore or an obsolete Microsoft PFX keystore
tomcat.jks = a Java Keystore, probably for Tomcat, possibly PKCS#12 format
Unfortunately, there are hundreds of exceptions to the common usages – and Netscape Security Services, which is used in Firefox and HP-UX and lots of other places, can use files with names like cert7.db, secmod.db, key3.db, that use formats I haven’t even bothered to explain (use PEM format to import and export certs and keys into NSS and don’t worry about it).
Here are the takeaways:
#1 Crypto isn’t simple. Every vendor believes they are doing it right and nobody else is, although really they are pretty much all doing it partly wrong… in various different ways.
#2 If you start thinking .cer or .der or .spc means something outside a very limited space, you aren’t doing yourself any favors. File names are poor hints only. Never ask someone for a .DER formatted file, it makes you sound like an idiot.
#3 You can use well known vendor-independent language that does have real meaning – Here’s a list of the PKCS number standards and what they are used for. If you use that language, you can communicate effectively (and also sound like you might know what you’re talking about).
#4 Make sure you thoroughly document any non-standard formats that you’re forced to use by vendors so your co-workers aren’t cursing your name whenever you’re on vacation.
#5 Be fanatical about securing your private keys, and don’t lose the passwords to your keystores.
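Takeaway #2 in practice, as an added example that is not part of the original post: a shell function that decides what a key or certificate file is from its content instead of its name. The sample files and their misleading names are constructed, and the binary checks are heuristics on the leading bytes only.

```shell
#!/bin/sh
# Added example, not from the original post: identify key and certificate
# files by their content. File names are ignored on purpose.

# first_bytes FILE N: the first N bytes of FILE as lowercase hex.
first_bytes() { head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }

# classify FILE: print what the bytes say the file is.
classify() {
    # PEM: the "-----BEGIN <label>-----" line names the payload (RFC 7468).
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$1" | head -n 1)
    case $label in
        CERTIFICATE)            echo "PEM certificate"; return ;;
        *"CERTIFICATE REQUEST") echo "PEM PKCS#10 request"; return ;;
        *"PRIVATE KEY")         echo "PEM private key"; return ;;
        PKCS7)                  echo "PEM PKCS#7"; return ;;
        ?*)                     echo "PEM $label"; return ;;
    esac
    # Binary: heuristics on the leading bytes only.
    case $(first_bytes "$1" 8) in
        feedfeed*)       echo "Java keystore (JKS)" ;;
        3082????020103*) echo "DER PKCS#12 keystore" ;;   # SEQUENCE, INTEGER 3
        30*)             echo "DER (ASN.1 SEQUENCE), type not determined" ;;
        *)               echo "unknown" ;;
    esac
}

# Constructed samples: names chosen to mislead, bodies are placeholders.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/server.der"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/server.crt"
    printf '\060\202\011\000\002\001\003\060' > "$1/tomcat.jks"  # PKCS#12 start
    printf '\376\355\376\355\000\000\000\002' > "$1/legacy.p12"  # JKS magic
}

# Run "sh thisfile demo" to classify the constructed samples.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_samples "$d"
    for f in "$d"/*; do printf '%s: %s\n' "${f##*/}" "$(classify "$f")"; done
    rm -rf "$d"
fi
```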
Sort your /etc/passwd and /etc/shadow files!
It’s very convenient to have your local user accounts sorted by uidNumber, but if you’re running the shadow suite there’s no uidNumber field in /etc/shadow to sort on. Something something something Ted Codd and the horse he rode in on.
This should work on anything with GNU sort, grep and awk and no hoary old NIS nonsense in /etc/passwd. It’s worked on every linux distro I’ve ever used, all the way back to yggdrasil, although in Ubuntu gawk is not necessarily included by default (which is weird, but easily dealt with using [insert package-manager-du-jour name here] or sudo apt-get install gawk).
touch passwd.sorted shadow.sorted
chmod 644 passwd.sorted
chmod 600 shadow.sorted
sort -t: -n -k3,3 /etc/passwd >passwd.sorted
gawk -F: '{system("grep \"^" $1 ":\" /etc/shadow")}' passwd.sorted >shadow.sorted
If you don’t trust my mad gawk skillz (or your own transcription skills) you can crudely check the results with wc, because the number of lines, words and characters will be unchanged by a clean sort.
wc /etc/shadow shadow.sorted
wc /etc/passwd passwd.sorted
After you have carefully checked the output, save off a backup copy of the old files and overwrite them with the sorted ones.
cp -a /etc/passwd /root/passwd.`date -I`
cp -a /etc/shadow /root/shadow.`date -I`
mv passwd.sorted /etc/passwd && mv shadow.sorted /etc/shadow
If you’re running selinux (of course you are, my bright little star!) you need to make sure you reset the file security contexts, right quick.
restorecon -v /etc/passwd
restorecon -v /etc/shadow
Keep in mind that mucking about with primary user authentication sources is not something you should do unless you are an expert (or want to become one). And you’re going to have to be the root superuser to do this, or type “sudo” a whole lot. The consequences of error may be severe! For example, if you have selinux in enforcing mode and you reboot without resetting the security context on /etc/shadow… yeah, good luck with that.
The same procedure can be used for /etc/group and /etc/gshadow, naturlich.
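The sort-and-check steps above as functions that work on copies, added here as an example and not the post's own script. It assumes an exact-match awk lookup in place of grep, so a login name containing a regex metacharacter such as "." cannot pull in another account's line, and it compares the actual lines rather than wc counts; the sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not the post's own script. Operates on copies passed as
# arguments; it never touches /etc itself.

# sort_pair PASSWD SHADOW OUTDIR: write OUTDIR/passwd.sorted and shadow.sorted.
# The body is a subshell so the umask change does not leak into the caller.
sort_pair() (
    umask 077                            # shadow.sorted is created 0600
    sort -t: -n -k3,3 "$1" > "$3/passwd.sorted" || exit 1
    # Pass 1 indexes shadow lines by login name; pass 2 prints them in
    # passwd.sorted order. "in" is an exact string lookup, not a regex.
    awk -F: 'FILENAME == ARGV[1] { line[$1] = $0; next }
             ($1 in line)        { print line[$1] }' \
        "$2" "$3/passwd.sorted" > "$3/shadow.sorted" || exit 1
    chmod 644 "$3/passwd.sorted"
)

# same_lines A B: succeed only if A and B hold the same lines in any order.
same_lines() {
    [ "$(LC_ALL=C sort "$1")" = "$(LC_ALL=C sort "$2")" ]
}

# Constructed sample accounts. "a.b" and "aXb" collide if the login name is
# used as a regular expression, because "." matches any character.
make_sample() {
    printf '%s\n' 'bob:x:1001:1001::/home/bob:/bin/sh' \
        'root:x:0:0:root:/root:/bin/sh' \
        'a.b:x:1000:1000::/home/a.b:/bin/sh' \
        'aXb:x:999:999::/home/aXb:/bin/sh' > "$1/passwd"
    printf '%s\n' 'bob:!:19000::::::' 'a.b:*:19000::::::' \
        'root:*:19000::::::' 'aXb:*:19000::::::' > "$1/shadow"
}

# shadow_order DIR: login names of DIR/shadow.sorted on one line.
shadow_order() { cut -d: -f1 "$1/shadow.sorted" | paste -sd' ' -; }

# Run "sh thisfile demo" to try it on the constructed sample.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_sample "$d" && sort_pair "$d/passwd" "$d/shadow" "$d"
    same_lines "$d/shadow" "$d/shadow.sorted" && shadow_order "$d"
    rm -rf "$d"
fi
```

same_lines fails when /etc/shadow holds an entry with no matching passwd account, because that line is dropped from shadow.sorted; resolve the orphan before overwriting anything.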
Red Hat Enterprise Linux 6.4 installs samba4-libs by default
I’m arguing with Red Hat again… the latest downloadable DVD of RHEL6 by default installs part of samba 4, which is supposed to be an unsupported “technology preview” and not a mainline package. In what world does it make sense for your flagship product, for which you sell expensive support contracts, to depend on a chunk of code you decline to support? How is that not bad craziness?
If you try to tear it out with rpm -e you’ll get sssd dependency errors. And ghods, I hate the way RHEL6 and up basically force you to run half-baked name and authentication service caching daemons – my networks worked faster and better without caching, because we actually had a high performance LDAP infrastructure that didn’t need such Microsofty complications. But that’s another rant entirely.
ANYway, if you say OK I will upgrade to Samba 4 to avoid dependency hell, you trigger bug 984727 which Red Hat has set to CLOSED WONTFIX.
Update: Andreas Schneider of Red Hat and the Samba Team has clarified the matter. Since FreeIPA (Red Hat’s Active Directory implementation) and sssd (Red Hat’s new authentication daemon, much like PADL’s PAM and NSS modules only rawer and more oriented toward caching) both require the samba4-libs library in RHEL6, that single package is now officially supported – although version 4 of the Samba Suite is otherwise still a “technology preview”.
Oldest PC virus?
The first time I had to wipe out a nest of pesky MBR virii it was the Stoned virus; the next one I encountered was Pakistani Brain, which Mikko Hypponen is claiming is actually the oldest virus, and then Jerusalem B (which was nightmarish compared to the first two).
Since we don’t know when Stoned was written, it seems a bit presumptive to assume that Brain came first. They were both encountered in the wild in the same year.
Sophos says knoppix.net is hacked?
I’m used to getting my knoppices from knopper.de, so it’s not a big deal to me, but…
“High Risk Website Blocked
Location: knoppix.net
Access has been blocked as the threat Mal/HTMLGen-A has been found on this website.”
and
Mal/HTMLGen-A
Category: Viruses and Spyware
Protection available since: 16 Sep 2009 07:27:38 (GMT)
Type: Trojan
Prevalence: Small Number of Reports
Characteristics: Downloads code from the internet
How it spreads: Browsing
Affected Operating Systems: Windows Mac OS Linux
Sophos has been known to have a few false positives (cough, cough)…
dkms patches go live
My fixes for Dell’s Dynamic Kernel Module System made it into their git tree.
Mario’s still reviewing my rewrite of the autoinstall loop, but that’s not actually very important from a functional standpoint. Presumably there will be a fresh release as soon as he’s rejected or accepted it.
I’ve already distributed RPMs at work with the fixed AoE and DKMS packages, so we’re stable at this point.