smartcard + configfile: how to avoid error "File name too long"? - token

I am trying to change my openconnect usage from command line to configfile.
I need to use a smartcard (StarSign CUT S, from Giesecke & Devrient GmbH) in order to access my VPN.
My current command line works fine and I can connect to the VPN:
$ openconnect \
--authgroup=<my_gateway> \
--protocol=gp \
--servercert <...> \
--disable-ipv6 \
--cafile <file.pem> \
<my_server_url> \
-c "pkcs11:model=XXXXXXXXXXXXXXXX;manufacturer=A.E.T.%20Europe%20B.V.;serial=XXXXXXXXXXXXXXXX;token=XXXXXXXXX;id=<...>;object=<...>;type=cert"
But when I try this configfile:
(All arguments are exactly the same!)
# vpn.config
authgroup = <my_gateway>
protocol = gp
servercert = <...>
disable-ipv6
cafile = <file.pem>
server = <my_server_url>
certificate = "pkcs11:model=XXXXXXXXXXXXXXXX;manufacturer=A.E.T.%20Europe%20B.V.;serial=XXXXXXXXXXXXXXXX;token=XXXXXXXXX;id=<...>;object=<...>;type=cert"
I get this error:
$ openconnect --config=vpn.config
Failed to open key/certificate file <...>: File name too long
Loading certificate failed. Aborting.
Failed to open HTTPS connection to <...>
Failed to complete authentication
Any idea on how to make it work? Or is it a bug in openconnect?
Thanks.
PS 1:
$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.7. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script
PS 2: All commands executed as root.

Remove the double quotes from the configuration file:
# vpn.config
...
certificate = pkcs11:model=XXXXXXXXXXXXXXXX;manufacturer=A.E.T.%20Europe%20B.V.;serial=XXXXXXXXXXXXXXXX;token=XXXXXXXXX;id=<...>;object=<...>;type=cert

Related

Xorg/xinput does not recognise evdev devices in Docker (Alpine base image)

I'm trying to run an Xorg server in Docker, due to the host OS not having any X installed, nor can it preserve installed packages between updates (however, Docker containers are preserved).
My goal is to run an X app in "kiosk" mode (no desktop environment, no window manager, just a single X app taking up the whole display), confined to the Docker container - specifically, Chromium to open the web management interface of the host (which is embedded in the distro).
After reading a swathe of Xorg/Xinput articles, setup guides, manuals and whatnot, and I'm still not sure what's going wrong.
This is my current Dockerfile:
FROM alpine:3.16
# Install Xorg
RUN \
apk add --no-cache \
xorg-server eudev mesa \
xinput xinit xhost evtest \
xf86-input-libinput xf86-video-fbdev xf86-input-evdev \
dbus xrandr xset xsetroot \
xeyes libinput mesa-dri-swrast mesa-dri-gallium mesa-egl
# Install Chromium
RUN \
apk add --no-cache \
chromium
CMD [ "/usr/bin/xinit", "/usr/bin/chromium-browser", "--no-sandbox", "--kiosk" ]
Then run it by passing in all the necessary udev entries:
docker run --rm -it \
--device=/dev/input \
--device=/dev/console \
--device=/dev/dri \
--device=/dev/fb0 \
--device=/dev/tty \
--device=/dev/tty1 \
--device=/dev/vga_arbiter \
--device=/dev/snd \
--cap-add=SYS_TTY_CONFIG \
alpine-xorg:latest http://172.17.0.1:8123/
In my case, I'm trying to use a 7" touchscreen HDMI display, designed for Raspberry Pis (however, I'm not using a Pi, but an Intel based mini PC).
Xorg logs aren't much help, they contain just init information about Xinput, no devices identified or anything.
Here's the log: https://paste-bin.xyz/65152
I've also fiddled around with evtest - in my case, /dev/input/event3 corresponds to the touchscreen's input, and evtest successfully recognises them: https://paste-bin.xyz/65154
However xinput doesn't even see these as a possible device:
a369b238e0f1:/var/log# xinput list
⎡ Virtual core pointer id=2 [master pointer (3)]
⎜ ↳ Virtual core XTEST pointer id=4 [slave pointer (2)]
⎣ Virtual core keyboard id=3 [master keyboard (2)]
↳ Virtual core XTEST keyboard id=5 [slave keyboard (3)]
According to the Xorg logs, the appropriate init scripts have been loaded:
[ 3724.820] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
/usr/share/X11/xorg.conf.d/10-evdev.conf exists, and contains all the needed entries:
#
# Catch-all evdev loader for udev-based systems
# We don't simply match on any device since that also adds accelerometers
# and other devices that we don't really want to use. The list below
# matches everything but joysticks.
Section "InputClass"
Identifier "evdev pointer catchall"
MatchIsPointer "on"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
EndSection
Section "InputClass"
Identifier "evdev keyboard catchall"
MatchIsKeyboard "on"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
EndSection
Section "InputClass"
Identifier "evdev touchpad catchall"
MatchIsTouchpad "on"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
EndSection
Section "InputClass"
Identifier "evdev tablet catchall"
MatchIsTablet "on"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
EndSection
Section "InputClass"
Identifier "evdev touchscreen catchall"
MatchIsTouchscreen "on"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
EndSection
Where is this setup going wrong, why can't xinput register the evdev devices when the necessary events are clearly there and usable?

How to install a TFS 2017 agent on Windows Server using Powershell Script?

I am trying to install the VSTS build agent on a Windows Server 2016 using the below Powershell script but the script fails with the below error.
$tfsUrl=”http://vwmaztfsapp:8080/tfs/Collection”
$pool = ”Cli Execution”
$username = ”dev.local\svc_tfsAcc”
$password = ”MyPassword”
$AgentName = "Aut1"
CD "$AgentFolder\vsts-agent-win7-x64-2.122.1-Aut6\"
# configure agent to run as a Windows service that logs on as a domain account
& .\config.cmd --unattended -–url "$tfsUrl" --auth "integrated" -–pool "$pool" -–agent "$AgentName" --work "$AgentFolder\$AgentName" –-runAsService -–windowsLogonAccount "$username" –-windowsLogonPassword "$password"
Error below -
PS C:\Agents\vsts-agent-win7-x64-2.122.1-Aut6> C:\Agents\vsts-agent-win7-x64-2.122.1-Aut6\InstallAgent.ps1
config.cmd : Unrecognized command-line input arguments: 'unattended'. For usage refer to: .\config.cmd --help or ./config.sh --help
At C:\Agents\vsts-agent-win7-x64-2.122.1-Aut6\InstallAgent.ps1:49 char:1
+ & .\config.cmd --unattended -–url "$tfsUrl" --auth "integrated" -–poo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Unrecognized co...onfig.sh --help:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Is there something that I am missing?
I need to install the agent on multiple servers and that's the reason I want to automate this process.
Update
I was using command without "" such as:
.\config.cmd --unattended --url https://dev.azure.com/patricklu2020 --auth pat --token n2upx6epgl4srovzgp6is5wytjfkspvv6uvxxxx --pool default --agent myAgent --work D:\agent_work
If you want to configure as a service, you need to configure the agent from an elevated PowerShell window, this is required.
I would suggest you directly run the command from an elevated powershell window first, and then check if you are able to configure the agent correctly.
This kind of error maybe caused by passing arguments incorrectly. Kindly verify it.

HyperLedger Sawtooth Seth Getting Started error 2

I'm following the Getting started tutorial of Sawtooth Seth (https://sawtooth.hyperledger.org/docs/seth/releases/latest/getting_started.html), but I'm not able to set up an account on the network. The network is running properly in another shell. (I've removed the -aes128 flag for simplicity)
lorenzo#MacBook-Air-di-Lorenzo ~ $ cd gitHubRepo/sawtooth-seth/
lorenzo#MacBook-Air-di-Lorenzo ~/gitHubRepo/sawtooth-seth $ docker exec -it seth-cli bash
root#a6caea38a1a8:/project/sawtooth-seth# openssl ecparam -genkey -name secp256k1 | openssl ec -out key-file.pem
read EC key
writing EC key
root#a6caea38a1a8:/project/sawtooth-seth# seth account import key-file.pem myalias
error: Found argument 'myalias' which wasn't expected, or isn't valid in this context
USAGE:
seth account import <key-file> --pass-file <pass-file>
For more information try --help
root#a6caea38a1a8:/project/sawtooth-seth# seth account import key-file.pem --pass-file myalias
Error: No such file or directory (os error 2)
root#a6caea38a1a8:/project/sawtooth-seth# ls
bin cli common contracts key-file.pem protos tests
You ran the seth command in the seth-cli Docker container.
You need to run it in the seth-cli-go container until PR https://github.com/hyperledger/sawtooth-seth/pull/72 is merged.
EDIT: This was merged 2018-11-13.
A good resource for questions like this is also the seth chat channel at
https://chat.hyperledger.org/channel/sawtooth-seth

travis encrypt-file for maven deploy

On my computer:
travis login --org
Username: xxxxxx
Password: xxxxxx
Successfully logged in as xxxxxx!
travis encrypt-file codesigning.asc -r XXXXXX/XXXXXX
encrypting codesigning.asc for XXXXXX/XXXXXX
storing result as codesigning.asc.enc
storing secure env variables for decryption
Please add the following to your build script (before_install stage in your .travis.yml, for instance):
openssl aes-256-cbc -K $encrypted_abcd1234_key -iv $encrypted_abcd1234_iv -in codesigning.asc.enc -out codesigning.asc -d
Pro Tip: You can add it automatically by running with --add.
Make sure to add codesigning.asc.enc to the git repository.
Make sure not to add codesigning.asc to the git repository.
Commit all changes to your .travis.yml.
On my travis acount:
On my GitHub repository:
I paste the codesigning.asc.enc file in the test folder test/codesigning.asc.enc.
I add this shell script:
if [ "$TRAVIS_BRANCH" = 'master' ] && [ "$TRAVIS_PULL_REQUEST" == 'false' ]; then
echo "******** Starting gpg"
openssl aes-256-cbc -K "$encrypted_abcd1234_key" -iv "$encrypted_abcd1234_iv" -in test/codesigning.asc.enc -out test/codesigning.asc -d
gpg --fast-import test/codesigning.asc
fi
I have this error on my travis console:
bad decrypt
139864985556640:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
gpg: invalid radix64 character FE skipped
gpg: invalid radix64 character C4 skipped
gpg: read_block: read error: invalid packet
gpg: import from `test/codesigning.asc' failed: invalid keyring
gpg: Total number processed: 0
OpenPGP (the cryptographic protocol implemented by gpg) and X.509 (the cryptographic protocol used by OpenSSL) are not compatible. You cannot import this key to GnuPG (you could to gpgsm which implements X.509, but this is not the normal gpg you want to use). You will have to stick with OpenSSL or GnuTLS to handle the key and encrypted messages for it.

getting SSL_connect ... sslv3 alert handshake failure when using .p12 file ruby

I'm trying to use a p12 file and password to open an https page using RestClient in ruby.
p12 = OpenSSL::PKCS12.new(File.read("#{RAILS_ROOT}/file.p12"), "pass")
resp = RestClient::Resource.new(url, :ssl_client_key => p12.key).get
than I get:
SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure
(RestClient is not mandatory - anything else will do)
what am I missing?
You must install openssl package and reinstall ruby.
Not sure that important:
rmdir $rvm_path/usr/ssl/certs
ln -s /etc/ssl/certs $rvm_path/usr/ssl
Necesery:
rvm pkg install openssl
rvm <(if exist) re>install <RUBY_VERSION> --with-openssl-dir=$rvm_path/usr
You need to import your file.p12 file into your nssdb location.
mkdir /root/nssdb
pk12util -i /path-to/your/file.p12 -d /root/nssdb
certutil -L -d /root/nssdb/
export SSL_DIR = /root/nssdb
curl -X POST -H "Content-Type: text/xml" --data "#{xml}" --cert cert:password "https://yoururl.com" -v -k
chmod -R 777 /root/nssdb
chown -R user /root/nssdb
Embed this curl call in your ruby client. It will work.
Note: If you are using a different ssl version you need to add --tlsv1.0 to the curl command

Resources