More information appears in this story on the WRAL website.

Love the quote: “Through his leadership, the emergency communications IT team and the communications-electronics maintenance shop have made great strides toward enhancing the reliability and affordability of a wide variety of technology,” Furey said.

Now I’ll probably need an appointment to talk to him on IRC.

The YubiKey, from Yubico is a small USB device which is about the size of a small flash drive, and which emits OTP strings when the button is depressed.   The device can also be reprogrammed to offer static passwords and the new 2.0 version has a very handy management application available.  The device is compatible with most recent *nix and Solaris installations, as well as MacOS and Windows.

Since receiving mine, I have tested it via several available PHP implementations, and other interfaces, e.g. the Wordpress plugin and the LastPass integration.  Last night, I found a site which offers an Apache HTTP Server module for use with the usual Basic authentication.  Since I wanted to use it on a production server without build tools installed, I first compiled it on a test server, and then copied the necessary files to the production box.  The following are the steps I used to build and enable it.

Install the prerequisites (assuming build-essential is already installed)

Code block

$ sudo apt-get install apache2-threaded-dev libcurl3 libcurl4-openssl-dev

Download, unpack and build:

Code block

$ wget http://mod_authn_yubikey.coffeecrew.org/authn_yubikey.tar.bz2
$ tar jxf authn_yubikey.tar.bz2
$ cd authn_yubikey/
$ apxs2 \
-DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
-DYK_PACKAGE_VERSION=\\\"0.1\\\" \
-I. -Wc -c -lcurl mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo

If all has gone according to plan, the module object now exists in the .lib (dot lib) directory.  If necessary, scp it to your server and continue.

Note: The following layouts are based on an Ubuntu installation, you may need to put the library where your system expects to find it.

Copy module to required directory:

Code block

sudo cp .lib/mod_authn_yubikey.so /usr/lib/apache2/modules/

Create the basic files to allow the module to be enabled/disabled using the normal Ubuntu functionality:

Module load file (/etc/apache2/mods-available/authn_yubikey.load)

Code block

# /etc/apache2/mods-available/authn_yubikey.load
LoadFile /usr/lib/libcurl.so.4
LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so

Basic module config file:

Code block

# /etc/apache2/mods-available/modules/authn_yubikey.conf
<IfModule mod_authn_yubikey.c>
AuthYubiKeyRequireSecure Off
</IfModule>

Since this module works in a similar manner to the standard Apache Auth packages, create a htpasswd file, adding a user with key id ‘abcdeffedcba’ (first 12 characters emitted by the YubiKey), username ‘jsmith’ and password ‘mypass’. The ‘-s’ uses SHA instead of crypt():

Code block

$ cd /etc/apache2
$ mkdir conf
$ cd conf
$ htpasswd -csb conf/ykUserDb abcdeffedcba jsmith:mypass
$ touch conf/ykTmpDb && chown www-data conf/ykTmpDb

Now just pick a directory or location to protect, and add a basic config section to the appropriate Apache config file:

Code block

<Location /supersekret>
AuthType Basic
AuthBasicProvider yubikey
AuthName "Please log in using your YubiKey"
AuthYubiKeyTimeout 30
AuthYubiKeyTmpFile conf/ykTmpDb
AuthYubiKeyUserFile conf/ykUserDb
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
Require valid-user
</Location>

Note: The ‘AuthYubiKeyRequireSecure On’ ensures the only SSL (https) connections are allowed. Turn that off to use standard http.

That’s it, now just enable the module and restart Apache:

Code block

$ sudo a2enmod authn_yubikey
$ sudo /etc/init.d/apache2 restart

For additional information regarding the use and configuration of the module, please check the the mod_authn_yubikey website – http://mod_authn_yubikey.coffeecrew.org/.

Many thanks to Jens Frey, the author of the plugin for his quick response to my request for clarification on a few points.

Prowl is a new application which allows notifications to be pushed to the iPhone from applications like Growl for Windows or Macs.  Fortunately, the developer has also implemented an API so that one can easily submit push notifications from virtually any programming language which is able to talk to it via the web.

So what?  Well, as I am a big fan of Twitter, I follow enough people that I am often unable to keep up with the flow of tweets.  I had resorted to following the most important posters via RSS, but now I am able to follow their accounts and have any posts they submit pushed to my iPhone as a notification.

Requirements

1. The Prowl application for the iPhone
2. The ttytter Twitter client, which runs anywhere Perl does (requires LWP::UserAgent)
3. A Twitter account – I use a secondary account which follows only those people from whom I want to receive push notifications
4. The perl script linked below, or one of your creation

Setup

As this uses Prowl, you must purchase that application and download it to your iPhone.  After installation, you can go to the Prowl website, log into your account, and grab a copy of your API key which will allow the script to post notifications to your phone.  As written, the script expects to find that API key in a file called .prowlkey in your home directory.  If you keep it somewhere else, edit the path on Line 27 of the script:

[cce]
if (open(APIKEYFILE, $ENV{‘HOME’} . “/.prowlkey”)) {
[/cce]

Next, you must download and configure the ttytter Twitter client.  Usually, this is just a matter of creating a .ttytterrc file in your home directory.  Note, that if you configure it to use your primary Twitter account, it will forward every tweet you see to your iPhone.  For this reason, I created a secondary Twitter account and followed only a select few people.  Make sure you test this before continuing.

If ttytter is running as expected, Perl is properly installed, so the last prerequisite is to ensure that the Perl module LWP::UserAgent is installed.  From the command line, type or paste the following line.

[cce]perl -e ‘use LWP::UserAgent’[/cce]

If it simply returns a command prompt, your are set.  If you receive an error, then either use your distributions package manager or CPAN to install the libwww-perl module.

The last step is to copy the script to your computer.  You can view and copy the source code here or download it directly from here.  Put the script somewhere accessible to the ttytter application.  I placed both in $HOME/bin and simply named it ttytter-prowl.pl.

Running

Now, to get everything working, simply start ttytter with the -lib=path/to/twitter-prowl.pl (and possibly the -daemon) arguments.  Using -lib will tell ttytter to process that script for each received tweet.  The -daemon argument tells ttytter to fork into the background and run as a daemon.  I tend to run mine in screen so I can check on it, but I intend to move it to daemon mode.

[cc lang="bash"]$ ttytter -lib=ttytter-prowl.pl[/cc]
If everything has gone according to plan, you should soon start receiving tweets on your iPhone as pushes.

Sample Prowl Notification

Wanting to get back into the IPv6 address space, I installed the aiccu client on another server and configured it for my Sixxs tunnel.  This worked out of the box, but within about 36 hours it stopped working.  Most frustrating was the lack of any errors in any logs and restarting the service had no effect.  The tunnel interface was created with the correct IP, route showed all the correct routes, and I could ping the IPv4 address of my assigned PoP (uschi02).  Then, strangely, about two hours later things started working again.  Until this morning…

I awoke to find that the tunnel had again dropped overnight, and as before, nothing I do seems to be able to get the tunnel working again.  The Sixxs website indicates that the PoP is up and talking to other PoPs.

So, since I also have a tunnel from Hurricane, I gave another machine a static IP and added the necessary information to /etc/network/interfaces:

#  Hurrican Electric IPv6 Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
endpoint <your_assigned_IPv4_server_endpoint>
address <local_IPv6_tunnel_endpoint>
netmask 64
mtu 1480
up ip -6 route add 2000::/3 dev he-ipv6

From this point, I restarted the network service:

sudo /etc/init.d/networking restart

et voila! The tunnel was up and pingable. So I guess I will stick with the HE service for now, though if anyone has any ideas as to what the issue with Sixxs might be (when using Ubuntu Intrepid and aiccu / AYIYA), please let me know.

Hopefully they have good data to help prevent this in future launches.

I am online tonight shopping for a local land-based telephone service.  After spending twenty minutes looking around the Embarq website at their various plans, I still have not found out how they define “local” as in “Local phone service” which is included in their basic package.  I know, it should be in the FAQ section, or somewhere else linked directly from the page describing that as included in that package, but it is not.

So I find their Customer Service page and, conveniently, they have a Sales Chat link.  I fill in my question, and submit it.  This is what follows:

Scott Schulz
Initial Question/Comment: Looking at your service, but unable to find out what constitutes Local service. How is that defined?

6:19:08 PM System System
Jill @ EMBARQ has joined this session!

6:19:08 PM System System
Connected with Jill @ EMBARQ

6:19:08 PM System System
Phone Number: 919xxxxxxx

6:19:08 PM System System
Hello, thank you for contacting Embarq Customer Service. Please give me one moment to pull up your account information.

6:19:21 PM Customer Scott Schulz
I do not yet have an account

6:22:33 PM AgentJill @ EMBARQ
Can I please verify you on the account with the last four digits of your social security number or the password on your account?

6:22:46 PM Customer Scott Schulz
I do not yet have an account

6:27:08 PM Agent Jill @ EMBARQ
It seems that you have been idle for more than two minutes. I apologize for any inconvenience, but if there is no response in the next 2 minutes, this session will end. Thank you for your cooperation.

6:27:34 PM Customer Scott Schulz
I do not yet have an account, I am shopping for one

Jill @ EMBARQ
Thank you for connecting with Embarq! If you require further assistance, feel free to contact us again. You may chat live with an Embarq agent 8am to 8pm Eastern time Monday through Friday and 11am to 8pm Eastern time on Saturday. In a moment, you will be asked to take a short survey to rate your satisfaction with Embarq. Your feedback is important to us and we would appreciate you taking the time to respond. Have a great day Scott!

6:29:58 PM System System
Jill @ EMBARQ has left this session!

6:29:58 PM System System
The session has ended!

So much for pre-sales support… and so much for using Embarq as a carrier.

Install the usual prerequisites:

sudo apt-get install curl libcurl4-openssl-dev libexpat1-dev

Fetch, unpack, and build:

wget http://kernel.org/pub/software/scm/git/git-1.5.5.3.tar.bz2

tar jxf git-1.5.5.3.tar.bz2

cd git-1.5.5.3

make prefix=/usr all

Unfortunately, at this point I got an error I had not seen on prior installs:

* tclsh failed; using unoptimized loading
MSGFMT    po/de.msg make[1]: *** [po/de.msg] Error 127
make: *** [all] Error 2

A little snooping brought me to this site.  While I’m sure that his method works, it seems a bit extreme to hand-build all of the listed packages.  Fortunately the answer to my problem was there:

sudo apt-get install gettext

After installing gettext, re-running ‘make prefix=/usr’ completed as expected.  After it is built, it is a simple matter to install all of the new goodness:

sudo make prefix=/usr install

Running ‘git version’ should return the newly installed version.  If you want to track the development version, you can now use this installed version of git to check out the devel repository and build it using the same steps.

Adobe Labs have released an alpha of Adobe Air for linux, and tonight I finally remembered about it and downloaded it. It is closed source, but I find it useful, so I installed it. Installation is as easy as 1) download the bin file, 2) give it execute perms, and 3) run it as root so it can install systemwide.

I then proceeded to the Twhirl website, and while that site’s easy download button did not yet realize that Air was available for linux, there is a direct download link, which Firefox opened properly with Air and installed (it asked for my password again to install as root).

From there, simply click on the icon, enter your Twitter username and password, and away you go!

The affected versions:

•  VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
• VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
•  VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

Source:  http://isc.sans.org/diary.html?storyid=4018