Posts

Showing posts from April, 2014

(Ab)using Samba and inotify to implement simple menu of privileged actions [Part 2: Proof of Concept Implementation]

In my last post I ran through the design; this post shows the result of my initial proof of concept. It was interesting to play with some Python modules I hadn't previously used, including threading.Timer and of course pyinotify, alongside the subprocess and shlex modules, which I already knew but which rate a mention here.

Here's the code. Needless to say, it needs some tidying up, but I think the basic principles and threading correctness seem okay.

(Ab)using Samba and inotify to implement simple menu of privileged actions [Part 1]

Part 1: Design Analysis

I expect there will be at least one other part that covers the implementation, and another part covering how to use it.

Let's say you offer some form of software as a service to customers, such as a website with a database, middleware and web tier. To limit exposure, you have a policy of not allowing console access via tools such as SSH or RDP. You might instead offer access to various directories using tools such as Samba, and perhaps remote access to the database (over SSL) if required. Samba could also provide access to the logs.

Ah, but if someone has access to change something in a configuration, such as in the middleware layer or web tier, how would they then restart things? A few options come to mind. The first might be restricted access via SSH where the user is forced into a menu-driven interface. Another might be a web interface (such as cPanel). Those would be the obvious contenders; let's look at each before deciding if it i…
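As an added illustration of the design sketched in Part 1 and implemented in Part 2 (this is my own code written for this page, not the author's proof of concept, which is not reproduced here), the following Python daemon watches a directory with inotify and maps the name of a dropped trigger file to one fixed, allowlisted command. The commands, paths and directory name are hypothetical; the `watch()` function assumes the pyinotify package is installed, and the rest runs with the standard library only.

```python
"""Drop-file menu of privileged actions (illustration written for this page,
not the post's proof-of-concept).  A user creates an empty trigger file in a
Samba-exported directory; a root daemon watching it with inotify maps the
trigger file's *name* to one fixed command.  File contents and path
components are never interpreted.  Commands and paths are hypothetical."""
import os
import shlex
import subprocess
import sys
import threading

# Allowlist of menu entries: trigger file name -> command line.
ACTIONS = {
    "restart-web": "/usr/sbin/service apache2 restart",
    "restart-app": "/usr/sbin/service tomcat7 restart",
    "rotate-logs": "/usr/sbin/logrotate -f /etc/logrotate.d/app",
}

# Samba raises several inotify events for one file drop (create, setattr,
# close); wait this long after the last one so each drop acts exactly once.
DEBOUNCE_SECONDS = 2.0


def log(msg):
    sys.stderr.write(msg + "\n")


def resolve_action(name):
    """Map a trigger file name to an argv list, or None if not on the menu.

    Exact lookup on the bare name: 'restart-web;id', '../restart-web' and
    'Restart-Web' are rejected, never parsed or handed to a shell."""
    if "/" in name or name not in ACTIONS:
        return None
    return shlex.split(ACTIONS[name])


def run_action(argv, runner=subprocess.call):
    """Run one allowlisted command without a shell; returns its exit status."""
    return runner(argv)


class Debouncer(object):
    """Call func(name) once, `delay` seconds after the last trigger(name)."""

    def __init__(self, func, delay=DEBOUNCE_SECONDS):
        self.func, self.delay = func, delay
        self.timers, self.lock = {}, threading.Lock()

    def trigger(self, name):
        with self.lock:
            old = self.timers.pop(name, None)
            if old is not None:
                old.cancel()  # restart the countdown for this name
            timer = threading.Timer(self.delay, self._fire, args=(name,))
            timer.daemon = True
            self.timers[name] = timer
            timer.start()

    def _fire(self, name):
        with self.lock:
            self.timers.pop(name, None)
        self.func(name)


def make_handler(directory, runner=subprocess.call):
    """Per-trigger callback: validate, run, then remove the trigger file."""
    def handle(name):
        argv = resolve_action(name)
        if argv is None:
            log("ignoring unknown trigger %r" % name)
            return
        log("running: %s" % " ".join(argv))
        run_action(argv, runner)
        try:
            os.unlink(os.path.join(directory, name))  # allow re-triggering
        except OSError:
            pass
    return handle


def watch(directory, runner=subprocess.call):
    """Block forever, dispatching trigger files that appear in `directory`.
    Assumes the pyinotify package (a third-party module) is installed."""
    import pyinotify

    debouncer = Debouncer(make_handler(directory, runner))

    class Handler(pyinotify.ProcessEvent):
        def process_default(self, event):
            if not event.dir:
                debouncer.trigger(event.name)

    wm = pyinotify.WatchManager()
    wm.add_watch(directory, pyinotify.IN_CREATE | pyinotify.IN_CLOSE_WRITE
                 | pyinotify.IN_MOVED_TO)
    pyinotify.Notifier(wm, Handler()).loop()
```

Run it as root with something like `watch("/srv/samba/actions")` against a share that users can write to. Two points matter for safety: the trigger name is only ever a dictionary key (no `shell=True`, no parsing of file contents), and the timer collapses the burst of inotify events Samba generates for one file into a single action.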

ORA-12170: TNS:Connect timeout — resolved

If you're dealing with Oracle clients, you may be familiar with the error message
ERROR ORA-12170: TNS:Connect timed out occurred

I was recently asked to investigate such a problem where an application server was having trouble talking to a database server. The issue was blocking progress on a number of projects in our development environment, and our developers' agile post-it progress board had a red post-it saying 'Waiting for Cameron', so I thought I should promote it to the front of my rather long list of things to do... it probably also helped that the problem domain was rather interesting to me, and so it ended up being a late-night productivity session where I wasn't interrupted and my experimentation wouldn't disrupt others. I think my colleagues are still getting used to seeing email from me in the wee hours of the morning.

This can masquerade as a number of other error strings as well. Here's what you might see in the sqlnet.log f…

Getting MySQL server to run with SSL

I needed to get an old version of MySQL server running with SSL. Thankfully, that support has been there for a long time, although on my previous attempt I found it rather frustrating and set it aside for some other job that needed doing.

If securing client connections to a database server is a non-negotiable requirement, I would suggest that MySQL is perhaps a poor fit and that other options, such as PostgreSQL, should be considered first -- as common web consensus and my interactions with developers would suggest. While MySQL can do SSL connections, it does so in a rather poor way that leaves much to be desired.

UPDATED 2014-04-28 for MySQL 5.0 (on ancient Debian Etch).

Here is the fast guide to getting SSL on MySQL server. I'm doing this on a Debian 7 ("Wheezy") server. To round things out, I'll test connectivity from a 5.1 client as well as a reasonably up-to-date MySQL Workbench 5.2 CE, plus a Python 2.6 client, just to see what sort of pain awaits.

UPDATE: 2014-0…

Influencing Python's choice of SSL/TLS cipher-suite

I'm debugging a fault being received by an application that uses the Python [v2.7] SOAP library (module name 'suds'). I want to look inside the SSL data stream, much as I can between SoapUI and the same server. SoapUI, being a typical Java client, doesn't default to a particularly high grade of cryptography, so with the server's private key I can record the traffic and later inspect the cleartext in Wireshark.

But Python, like many other modern clients, defaults to enabling cipher suites with ephemeral (EC)DHE key exchange, which provide perfect forward secrecy: the server's private key no longer decrypts those sessions, so to snoop on them you need the client to dump out the pre-master secret somewhere. This post shows how you can get Python's SSL module to use a different cipher specification string instead.

Making Cluster-SSH (and regular SSH) a lot more usable with regard to reconnecting

If you find yourself patching a lot of machines at once and rebooting them, your SSH windows will close... not very useful if you want to keep track of a number of machines you need to log back into to check that all is okay, or to start services that don't start automatically. It makes that time of the month -- patching -- rather more tedious and painful than it ought to be.

Enter a useful tool called Cluster SSH (command name 'cssh', package name 'clusterssh'; the version used here is 3.28 from EPEL). It distributes my keystrokes to all of the windows it starts. You can toggle, add and remove hosts to manage, and you can configure clusters of machines. While it lacks polish, it is very useful in reducing the time it takes to patch a lot of machines; I estimate it cuts the time required to about a third.

Here's an example of using it 'in anger' while patching 37 machines. I've deliberately made the image small enough so as to make any te…