Stuff I'm Up To

Technical Ramblings

Remmina/xfreerdp Certificate Name Mismatch — July 21, 2017

When using Remmina to connect to some of our older Windows systems we’re seeing a certificate problem that prevents it from connecting. Remmina itself only reports that it can’t connect; the actual error message is visible if you run remmina from a terminal and try the connection again.

connected to server:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@           WARNING: CERTIFICATE NAME MISMATCH!           @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (m3app) does not match any of the names given in the certificate:
Common Name (CN): no CN found in certificate
A valid certificate for the wrong name should NOT be trusted!
tls_connect: certificate not trusted, aborting.
Error: protocol security negotiation or connection failure

Squid3 changes for Debian Jessie —
Can’t ping using FQDN —

I’ve run across this a few times now. It seems every time I do a big Linux upgrade I lose the ability to connect to an internal server using its FQDN. I can ping the short name, I can do a DNS resolution of the FQDN, but I just can’t connect to it using RDP and can’t ping it using its FQDN.

This is something to do with the domain name being .local, which is the range the mDNS lookup (mdns4_minimal) claims for itself, so it conflicts with the mDNS service. Not sure exactly what triggers it after each upgrade, but it’s an easy fix.

All you need to do is adjust the order of the name service lookups in the /etc/nsswitch.conf file and make sure dns comes before the mdns entry.

$ sudo vi /etc/nsswitch.conf
...
hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]

Initially I found that dns was last in the list, so just move it in front of the mdns4_minimal entry and you’re set.
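As an added illustration (this is not code from the post), here is a shell check for the ordering problem: with mdns4_minimal listed before dns and followed by [NOTFOUND=return], a .local name the mDNS resolver cannot answer is reported as not found before dns is ever consulted, so the order of the entries is what matters. The script reports whether dns precedes the mdns entry on the hosts: line and prints a corrected copy; file paths are taken as arguments, the sample file content is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the hosts: line
# of an nsswitch.conf consults dns before the mdns entry, and print a
# corrected copy if it does not. Both functions take the file path as an
# argument so they can be tried on a constructed copy first; nothing is
# written to /etc/nsswitch.conf by this script.

# dns_before_mdns FILE
# Exit status 0 when "dns" precedes the first mdns* entry (or there is no
# mdns entry at all), 1 otherwise or when no hosts: line exists.
dns_before_mdns() {
    awk '
    /^hosts:/ {
        found = 1; d = 0; m = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns" && !d) d = i
            if ($i ~ /^mdns/ && !m) m = i
        }
        if (m == 0 || (d > 0 && d < m)) exit 0
        exit 1
    }
    END { if (!found) exit 1 }' "$1"
}

# reorder_hosts FILE
# Prints FILE with "dns" moved to just before the first mdns* entry on the
# hosts: line (whitespace on that line is normalised to single spaces).
# The [NOTFOUND=return] action stays attached to the mdns entry it follows;
# a hosts: line without both dns and an mdns entry is left unchanged.
reorder_hosts() {
    awk '
    /^hosts:/ {
        has_dns = 0; has_mdns = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns") has_dns = 1
            if ($i ~ /^mdns/) has_mdns = 1
        }
        if (!has_dns || !has_mdns) { print; next }
        out = $1; placed = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns") continue
            if ($i ~ /^mdns/ && !placed) { out = out " dns"; placed = 1 }
            out = out " " $i
        }
        print out; next
    }
    { print }' "$1"
}

# Demo on a constructed copy that has the problem order described in the post.
demo=$(mktemp)
printf 'passwd:  files\nhosts:   files mdns4_minimal [NOTFOUND=return] dns myhostname\n' > "$demo"
if dns_before_mdns "$demo"; then
    echo "hosts: order is fine"
else
    echo "hosts: dns is consulted after mdns; corrected line:"
    reorder_hosts "$demo" | grep '^hosts:'
fi
rm -f "$demo"
```

To apply it for real, run reorder_hosts against /etc/nsswitch.conf, redirect the output to a temporary file, diff it against the original, and only then copy it into place with sudo; dns_before_mdns makes a handy post-upgrade check so the regression is caught before the next RDP session fails.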

Fail2ban – Quick Reference — July 20, 2017
SSH – no matching key exchange method —

Trying to log on to some older network switch management interfaces I came across a failure because they only offer older SHA1 key exchanges and key types. Thankfully OpenSSH supports some legacy options to get around this, at least until we get the switches replaced or upgraded.

$ ssh admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Add the option to allow the diffie-hellman-group1-sha1 key exchange:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.10.1
Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-dss

So now add the ability to use the host key type ssh-dss:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss admin@192.168.10.1

Now we’re on!
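As an added example, not part of the original post: rather than remembering the flags, the two error messages above can be mapped mechanically to the narrowest option that re-enables only what the switch offers, and the result written as a per-host stanza for ~/.ssh/config so the weak algorithms stay disabled for every other host. It goes a little beyond the post by also handling cipher and MAC mismatches, which OpenSSH reports with the same message shape; the host address and error lines are the ones from the post, used here as constructed input, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn OpenSSH's
# "Unable to negotiate ..." messages into the narrowest -o option that
# re-enables only the offered legacy algorithm, then emit a per-host
# ssh_config stanza so the relaxation applies to that one switch only.
# The sample lines below are the ones from the post, pasted as constructed input.

# legacy_option_for LINE
# Prints e.g. "KexAlgorithms=+diffie-hellman-group1-sha1" for a key exchange
# mismatch or "HostKeyAlgorithms=+ssh-dss" for a host key type mismatch.
# Cipher and MAC mismatches use the same message shape and are handled too.
# Returns 1 for any line that is not a negotiation failure.
legacy_option_for() {
    offer=${1##*"Their offer: "}
    case "$1" in
        *"no matching key exchange method found. Their offer: "*)
            printf 'KexAlgorithms=+%s\n' "$offer" ;;
        *"no matching host key type found. Their offer: "*)
            printf 'HostKeyAlgorithms=+%s\n' "$offer" ;;
        *"no matching cipher found. Their offer: "*)
            printf 'Ciphers=+%s\n' "$offer" ;;
        *"no matching MAC found. Their offer: "*)
            printf 'MACs=+%s\n' "$offer" ;;
        *) return 1 ;;
    esac
}

# legacy_host_stanza HOST OPTION...
# Prints a Host block for ~/.ssh/config; each "Key=value" becomes "Key value".
legacy_host_stanza() {
    printf 'Host %s\n' "$1"
    shift
    for opt in "$@"; do
        printf '    %s %s\n' "${opt%%=*}" "${opt#*=}"
    done
}

# Demo on the two error lines from the post (constructed input).
kex_line='Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
hk_line='Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-dss'
legacy_host_stanza 192.168.10.1 "$(legacy_option_for "$kex_line")" "$(legacy_option_for "$hk_line")"
```

Append the printed stanza to ~/.ssh/config and a plain ssh admin@192.168.10.1 then works without the command-line flags, while connections to every other host keep rejecting diffie-hellman-group1-sha1 and ssh-dss. The Host pattern has to match the name you actually type on the command line, and the stanza is also a convenient list of which devices still need replacing or upgrading.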

References: https://www.openssh.com/legacy.html

VMware Horizon Client on Debian Stretch — July 17, 2017

In order to install the client on Debian 9 (stretch) I’ve had to get libpng12-0 installed from Jessie here:

https://packages.debian.org/en/jessie/amd64/libpng12-0/download

Then I had to create a symbolic link named libffi.so.5 pointing at the newer libffi.so.6 that’s installed (ln takes the existing target first, then the name of the link to create):

$ sudo ln -s /usr/lib/x86_64-linux-gnu/libffi.so.6 /usr/lib/x86_64-linux-gnu/libffi.so.5

References: https://communities.vmware.com/thread/545364

Debian 9, SAMBA broke my Shares —

I updated my workstation to Debian 9 (stretch) today and immediately after could no longer connect to any of my Windows fileshares.

Guessing this was probably down to the changes we made on the Windows servers that disabled SMB v1, it took a little bit of googling to get things working again.

Edit /etc/samba/smb.conf with admin rights and add the following lines to the [global] section.

client max protocol = SMB3
client ipc max protocol = NT1

Save the file and restart the Samba service.

$ sudo systemctl restart samba

References: https://forums.linuxmint.com/viewtopic.php?t=220721

Juniper HA Woes — July 6, 2017

I spent quite some time messing around with a pair of Juniper SRX320s trying to get HA clustering set up. The documentation seems pretty straightforward, but I kept tripping over one fatal flaw.

Initially I configured HA using the J-Web interface and it configured successfully. I made some changes, set things up to test and then decided I didn’t like the direction I was taking and wanted to factory reset the devices.

The reset seemed pretty straightforward, but then everything went wrong when I tried to follow the command line instructions for setting up an Active/Passive configuration. Every time I put the two systems into cluster mode and set the cluster ID and node, the secondary node (node 1) always showed as lost and disabled.

OpenVPN DNS — July 4, 2017

Using OpenVPN on a Linux system that uses resolv.conf requires a script that can apply the DNS servers the remote side pushes as dhcp-option values. To allow this you must amend your OpenVPN config file to include the following lines (script-security 2 is what permits OpenVPN to run an external script at all).

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Then, when you establish your connection, your DNS search domain and servers will be added successfully.

References: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

apt-get – Hash Sum mismatch — June 30, 2017

I tried to run some updates on my workstation today and it failed with a Hash Sum mismatch.

$ sudo apt-get update

W: Failed to fetch http://www.deb-multimedia.org/dists/jessie/main/i18n/Translation-en Hash Sum mismatch

W: Failed to fetch http://www.deb-multimedia.org/dists/jessie/non-free/i18n/Translation-en Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead.

Wrong Certificate! — June 15, 2017

“Your connection is not private!”

This was a game-over message, the result of installing the wrong type of certificate onto our new printers. We’re still working on getting the template right, but put simply we enabled a User certificate as the HTTPS management certificate. This caused every browser to throw up a serious security alert, serious enough that it doesn’t give you the option to continue to the management interface.

Even trying a factory reset on the printer didn’t take us back to factory settings for the management interface – that’s another bridge we have to cross.

Thankfully, within Google Chrome there is a secret instruction that allows us to continue even though we really shouldn’t.

So don’t use this carte blanche. It’s a get out of jail free card for a specific failure of our own making. If your browser is stopping you from getting to a web site, it’s usually doing so for a very good reason.

On the page where you are prevented access, click anywhere inside the browser page and type “badidea”. As if by magic you are now able to visit the page, and we were then able to correct our misconfiguration and change the HTTPS certificate back to a valid Web Server type.

If you find “badidea” doesn’t work try using “danger” instead.

References: https://www.quora.com/How-do-you-fix-the-privacy-error-in-Chrome-Your-connection-is-not-private

Unable to Logon as admin — June 5, 2017

I managed to bork one of our test switches today. I was in the process of enabling “netlogin” using RADIUS as the authentication method, when I must have inadvertently enabled RADIUS authentication for the management interface instead of just for “netlogin”.

Using the Extreme documentation for a related problem, recovering from a forgotten admin password, as a guide, I was able to adapt the instructions slightly and get a logon without resorting to a factory reset.
