I want to configure ipsec via uci (always ipsec[0]). Everything works correctly if ipsec section exists. I can modify ipsec using uci ipsec.#ipsec[0].type='tunnel'. But if ipsec section doesn't exist this command is not working. I want to add the ipsec section if not exist.
The only way I found is to use a shell script
if ! uci -q show ipsec.#ipsec[0]
then
uci add ipsec ipsec
fi
uci show ipsec will show config other than ipsec[0] also so condition will get false and you will end up with adding multiple config of ipsec[0] ipsec[1]
you can do this via below ways.
config ipsec
option type 'tunnel'
type_present=`uci -q get ipsec.#ipsec[0]`
if [ "$type_present" = ""]; then
uci add ipsec ipsec
uci commit ipsec
fi
if you have only one config ipsec then you can name that config section
config ipsec 'my_ipsec' # my_ipsec is named config
and you can access it in better way
uci get ipsec.my_ipsec.type
use -q -> quite mode which will not through an error if entry not found and return blank string.
Related
Is there any way to enable VirtioFS settings for Docker via config file?
enter image description here
While not directly answering your question, I found a way to check if it is enabled at least.
The Docker Desktop settings file has a line that indicates if VirtioFS is enabled or not:
"useVirtualizationFrameworkVirtioFS": true,
The settings file depends on the OS, where is the location for Mac and Linux:
case "$( uname )" in
Darwin)
settings="~/Library/Group Containers/group.com.docker/settings.json"
;;
Linux)
settings="~/.docker/desktop/settings.json"
;;
esac
Changing the setting manually didn't work (it get stuck on "Starting")
I need to bind the code 127 (aka DEL, aka ^?) to delete-char.
If I put DEL: delete-char to ~/.inputrc, it does not work. This is because this code is used by backward-delete-char by default.
So, first I need to free this code from backward-delete-char:
$ bind -u backward-delete-char
But for some reason it is not unset:
$ bind -q backward-delete-char
backward-delete-char can be invoked via "\C-?".
What should be changed in source code of readline library (for local use) to unbind the \C-? from backward-delete-char?
N.B. If I unset for example delete-char, it works flawlessly:
$ bind -u delete-char
$ bind -q delete-char
delete-char is not bound to any keys.
Running GNU bash, version 4.4.19(1)-release (x86_64-apple-darwin16.6.0) I see the same thing. I am able to unset the one I wanted with this: bind -m emacs-meta -u backward-kill-word
According to the maintainer Chet:
Unless you use the -m' option, the commands act on the current keymap, which is eitheremacs' or (usually) `vi-insert'
I found that his example commands didn't quite work, and only -m emacs-meta worked - but I'm not sure how to discover precisely which keymap applies.
Discovery process: searched the mailing list (Googled and site:http://lists.gnu.org/archive/html/bug-bash/ "bind -u") and picked up:
Re: Some readline functions can't be unbound with bind -u
I want to configure freeRADIUS server as a authentication server for enterprise WLAN testing. I'm new to freeRADIUS server configuration. please give me the step by step or any link for installation and configuration
Thanks,
Devaa
First we’ll need a place to work, so I created a directory:
mkdir /usr/src/freeradius && cd /usr/src/freeradius
Next we need to fetch our source and get any dependencies, so update your sources and enter the following commands:
apt-get update
apt-get build-dep freeradius
apt-get install libssl-dev fakeroot
apt-get source freeradius
This should have downloaded the FreeRADIUS source code for us, so now we’ll have to make a few changes to tell our compiler to build it with the EAP modules we’ll be using. First edit /usr/src/freeradius/freeradius-1.1.3/debian/control and remove libssl-dev from Build-Conflicts: and add it to the end of Build-Depends: line. Your file should look like this:
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libssl-dev
Build-Conflicts:
Next you’ll need to add descriptions for your EAP modules, so enter the following at the end of the file:
Package: freeradius-eaptls
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-tls module for FreeRADIUS server
Debian will not provide a binary version of the rlm_eap_tls.so library. This
module is required if you want to use EAP/TLS authentication, commonly used
for WiFi access points.
Package: freeradius-eappeap
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-peap module for FreeRADIUS server
Debian will not provide a binary version of the rlm_eap_peap.so library. This
module is required if you want to use EAP/PEAP authentication, commonly used
for WiFi access points.
Save and exit this file.
Next we’ll edit /usr/src/freeradius/freeradius-1.1.3/debian/rules. Find and comment our the “buildssl=” and “moduleslist=-“ lines and add the following lines:
buildssl=–without-rlm_otp –without-rlm_sql_postgresql –without-snmp
modulelist=krb5 ldap sql_mysql sql_iodbc eap_peap eap_tls
Save and exit.
Now enter the following commands:
echo “usr/lib/freeradius/rlm_eap_tls*.so” >/usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.install
echo “usr/lib/freeradius/rlm_eap_peap*.so” > /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.install
Next let’s create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eaptls.postinst and enter the following:
#! /bin/sh
set -e
case "$1" in
configure)
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius restart
else
/etc/init.d/freeradius restart
fi
;;
abort-upgrade)
;;
abort-remove)
;;
abort-deconfigure)
;;
esac
#DEBHELPER#
Now we’ll create /usr/src/freeradius/freeradius-1.1.3/debian/freeradius-eappeap.postinst and add the following to it:
#! /bin/sh
set -e
case "$1" in
configure)
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius reload
else
/etc/init.d/freeradius reload
fi
;;
abort-upgrade)
;;
abort-remove)
;;
abort-deconfigure)
;;
esac
#DEBHELPER#
Now that the hard part is finished let’s compile our deb packages. Enter the following command:
cd /usr/src/freeradius/freeradius-1.1.3/
dpkg-buildpackage -rfakeroot -uc -us
If all went well you should now have several of .deb packages in /usr/src/freradius, so let’s install them by entering the following:
dpkg -i freeradius_1.1.3-3_i386.deb
dpkg -i freeradius-eaptls_1.1.3-3_i386.deb
dpkg -i freeradius-eappeap_1.1.3-3_i386.deb
Check to see if FreeRADIUS compiled and installed correctly by issues the following command:
ps aux | grep freeradius
And you should see something similar to this:
freerad 29998 0.0 0.8 44620 2224 ? Ssl 00:55 0:00 /usr/sbin/freeradius
If not start FreeRADIUS in debug mode as root and look for any clues to why things are not working properly:
freeradius –X
Also check /usr/lib/freeradius and ensure that the rlm_eap_peap-1.1.3.so and rlm_eap_tls-1.1.3.so modules exist.
Now to configure FreeRADIUS
First we’ll edit /etc/freeradius/radiusd.conf
NOTE: When editing the configuration files be sure that every open bracket ({) has a corresponding ending bracket (}) or you will break FreeRADIUS!
Find the mschap stanza under MODULES and configure it with the following parameters:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
Next verify the authorize stanza includes these parameters:
preprocess
mschap
suffix
eap
files
Now verify that the authenticate stanza is configured like this:
authenticate {
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# Allow EAP authentication.
eap
}
Now we have to add a client to the clients.conf. By client we mean an authenticator such as an access point (AP) or a wireless controller. For this example we’ll use my Juniper SSG5’s address of 192.168.44.129. Add the following stanza to the clients.conf:
client 192.168.44.129 {
secret = test123
shortname = Juniper
}
Next we’ll configure our server to support PEAP by editing /etc/freeradius/eap.conf.
First change the default_eap_type in the eap stanza to look like this:
default_eap_type = peap
Because PEAP needs to support our example certificates uncomment the tls stanza as well as the following parameters.
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
Next find and uncomment the peap stanza and the following parameter:
default_eap_type = mschapv2
Now add a test user in the /etc/freeradius/users file so we can test the system. Add the following:
“tobias” User-Password == “password123”
Restart FreeRADIUS with the following command:
/etc/init.d/freeradius restart
Now if you’ve done everything correctly you should be able to authenticate with your test user with the following command:
radtest tobias password123 localhost 0 testing123
You should see:
ending Access-Request of id 170 to 127.0.0.1 port 1812
User-Name = "tobias"
User-Password = "password123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=170, length=20
At this point everything should be working, although you would have to export your CA’s certificate to your PEAP clients so they would trust the server certificate being used by FreeRADIUS. The certificates we are currently using are there only to test with and should not be used for production. Next I’ll explain how to setup your own certificate authority (CA) and create your own certificates.
First we’ll need to install OpenSSL and since we’ll need to generate some complex passwords we’ll also install PWGen the password generator.
apt-get install openssl pwgen
OpenSSL uses a defaults file, /etc/ssl/openssl.cnf, that we’ll backup and edit to save us some time when we start generating our certs.
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
Now edit /etc/ssl/openssl.cnf and find this line:
dir =./demoCA
and change to:
dir =/etc/freeradius/eap/eapCA
This is the location were I’ll be creating the new CA. You might want to look through the rest of the file and edit the defaults to your environment. Here are some of the changes that I made to my openssl.cnf.
-countryName_default = AU
+countryName_default = US
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Oregon
+localityName_default = Portland
-0.organizationName_default = Widget ltd
+0.organizationName_default = Fat of the LAN
Now create and change to the directory that all of our certificates and CA will exist:
mkdir /etc/freeradius/eap && cd /etc/freeradius/eap
We will use one of OpenSSL’s included scripts to generate our CA, but you’ll want to customize it a bit before we use it so we’ll make a copy of it in our certificate directory.
cp /usr/lib/ssl/misc/CA.pl /etc/freeradius/eap
Next we have to edit CA.pl to tell it where to create our CA. Open it and change the following line:
CATOP=./demoCA
to:
CATOP=/etc/freeradius/eap/eapCA
Your CA is at the heart of your certificate infrastructure so it is important to protect it once you’ve generated it as well as use a strong password for it. I’ll generate a nice random 25 character password with pwgen. Be sure to record this password as you’ll need it each time you sign a certificate.
pwgen 25 1
aem5xahheethohP5Woh5Eb3ph
Now let’s run the script from within the /etc/freeradius/eap directory.
cd /etc/freeradius/eap
./CA.pl –newca
Answer all of the questions based on your environment and use the password you just created when prompted. When the script finishes you’ll have your own CA in /etc/freeradius/eap/eapCA. The next thing we need to do is create a server certificate for FreeRADIUS and sign it with our new CA.
./CA.pl –newreq-nodes
We should now have a new key pair as well as a signing request ready to send to our CA.
A quick note on compatibility. If you plan to use any of these certificates on Windows clients you’ll need to add XP extensions to the certificates you generate. The xpextensions file is included with Debian’s FreeRADIUS packages and I’ll include it in the appendix for our non-Debian readers. Just make a copy of it in our certificate directory.
cp /usr/share/doc/freeradius/examples/xpextensions /etc/freeradius/eap
Now let’s use our CA key to sign the FreeRADIUS’ certificate request, entering the CA’s password when prompted:
./CA.pl –sign (Optionally add -extensions xpserver_ext -extfile /etc/freeradius/eap/xpextensions)
Now that all of the certificates we need are generated, we need to create a couple of files needed for keying material and tell FreeRADIUS to use the new certs. To create the dh and random files, issue the following command:
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
chmod 640 random newcert.pem newkey.pem newreq.pem dh
Now open your /etc/freeradius/eap.conf file, find the tls stanza, and change to reflect the new certificates we created.
private_key_file = /etc/freeradius/eap/newkey.pem
certificate_file = /etc/freeradius/eap/newcert.pem
CA_file = /etc/freeradius/eap/eapCA/cacert.pem
dh_file = /etc/freeradius/eap/dh
random_file = /etc/freeradius/eap/random
And while we’re at it, uncomment the following lines:
fragment_size = 1024
include_length = yes
Restart FreeRADIUS and copy your CA’s certificate (/etc/freeradius/eap/eapCA/cacert.pem) to your clients. Configure your clients’ supplicant for your new PEAP enabled SSID, configure your AP to use 802.1x and your new FreeRADIUS server and you’re good to go!
If you are looking for more information on RADIUS, check out this book. It’s been extremely helpful thus far.
This question is so broad. It really depends on what you want to do, where your authentication data (e.g. users/passwords) is stored, what type of EAP methods you are going to use, etc.
However, the default FreeRADIUS configuration will work pretty well for most testing with minimal changes.
Start by editing the raddb/users file and add a new user to the top. The form should be like
username Cleartext-Password := "password"
Then you can use radtest or eapol_test to check to see if this is working.
When that works, you can edit the clients.conf file to add your wireless AP or controller.
You should then be able to connect from the wireless network.
However, this can be quite complicated and there are lots of things to go wrong along the way, so don't be discouraged if it doesn't work first time.
Always run the server with debugging on (radiusd -X) when testing, and read all the output. It will show you where things are failing.
There is a lot of information on the FreeRADIUS wiki, for example start with the Basic configuration HOWTO. There is also lots of good tutorial advice on Alan Dekok's page. Note that for wireless you do need to configure EAP.
Here is a step by step link that I used for my freeradius installation.
Freeradius 3 Ubuntu tutorial
If you're still having issues, get a vps that comes with radius installed
How do I set the default channel in NixOS's /etc/configuration.nix?
There is a command to set it and rebuild with
sudo nix-channel --add https://nixos.org/channels/nixpkgs-unstable
sudo nixos-rebuild switch -I nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs
but I'd like to have it setup in configuration.nix so I don't have to remember how to do this everytime. Thanks!
system.autoUpgrade.channel is what you might be looking for
set it to any channel e.g.
system.autoUpgrade.channel = "https://nixos.org/channels/nixos-16.03-small/";
the documentation says:
by default, this is the channel set using nix-channel (run
nix-channel --list to see the current value)
an up to date list of channels can be found on https://nixos.org/channels/
ref: https://nixos.org/nixos/manual/options.html#opt-system.autoUpgrade.channel
https://nixos.org/nixos/manual/index.html#idm140737317454064
Set nixPath = [ "nixpkgs=http://nixos.org/channels/nixos-unstable/nixexprs.tar.xz" ];, see https://github.com/snabblab/snabblab-nixos/blob/d8b9761b107293891b19021f2f0f77a0e3ba3746/modules/common.nix#L39
The nix.nixPath (ref) option looks like it will do what you're after.
Also the nixos-unstable channel might be more appropriate for you, rather than nixpkgs-unstable. I believe the pkgs in the nixpkgs channel are tested and built for non-nixOS systems, though I can't remember a reference for that at the moment.
nix-channel --add https://nixos.org/channels/nixos-unstable/
nix-channel --update nixos-unstable
# /etc/nixos/configuration.nix
# Put nixos-unstable at the front of nixPath
{ lib, ... }:
{
nix.nixPath = lib.mkDefault (lib.mkBefore [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos-unstable" ]);
}
If you want the imperative nix-channel commands in your configuration.nix as well you could write a small systemd service to do so, as shown here.
Edit: To ensure configuration.nix is built from the latest unstable channel just set the value of nixpkgs as in the answer from #iElectric and Nix will use the expressions contained at that URL whenever it evaluates configuration.nix.
PS I realised you could also just point the nixos path to the nixos-unstable channel by doing nix-channel --add https://nixos.org/channels/nixos-unstable/ nixos but I think the first solution is clearer.
My RoR app needs to access a remote database (FWIW it's mysql hosted on rds.amazonaws.com). The only way to access it is through an SSH tunnel.
I've already tested access on my local machine. I'm setting up the tunnel via the equivalent of:
ssh -f -N -L 3307:longname.rds.amazonaws.com:3306 remote_user#remote_host.com
(but see https://stackoverflow.com/a/27305457/558639 to see how I'm actually doing it). At any rate, I will need to install an SSH key pair (both private and public parts) on Heroku for this to work.
I'm on unfamiliar territory here, though. I could write a script that starts up at the beginning of a Heroku session that installs the keys. What's the right way to accomplish this and not expose the private key unnecessarily?
Here's what I've come up with. (See SSH tunneling from Heroku for a longer description.)
set up a bunch of environment variables, including the public and private keys, using heroku config:set NAME1=value1 NAME2=value2 etc...
create .profile.d/web-setup.sh with the following contents. Note that as per https://devcenter.heroku.com/articles/profiled, any file in the .profile.d directory will be run when the dyno is first set up.
NOTE: This way, the private SSH key only appears as a configuration variable in the heroku environment. Since other sensitive information is kept there, I assume that this is a relatively safe approach.
The .profile.d/web-setup.sh file contains:
# file=.profile.d/web-setup.sh
# create keypair files on this dyno
echo $0: creating public and private key files
mkdir -p ${HOME}/.ssh
echo "${PUBLIC_KEY}" > ${HOME}/.ssh/heroku_id_rsa.pub
chmod 644 ${HOME}/.ssh/heroku_id_rsa.pub
# note the use of double quotes to preserve newlines!
echo "${PRIVATE_KEY}" > ${HOME}/.ssh/heroku_id_rsa
chmod 600 ${HOME}/.ssh/heroku_id_rsa
# You may need to preload known-hosts here. See
# https://stackoverflow.com/questions/21575582/ssh-tunneling-from-heroku/27361295#27361295
# on how to do that.
# open a tunnel if not already running
SSH_CMD="ssh -f -i ${HOME}/.ssh/heroku_id_rsa -N -L ${LOCAL_PORT}:${REMOTE_MYSQL_HOST}:${MYSQL_PORT} ${REMOTE_USER}#${REMOTE_SITE}"
PID=`pgrep -f "${SSH_CMD}"`
if [ $PID ] ; then
echo $0: tunnel already running on ${PID}
else
echo $0 launching tunnel
$SSH_CMD
fi