Archive for the ‘Blog’ Category

Snow Leopard eats NFS shares

September 8th, 2009

Last weekend I installed Snow Leopard, the upgrade to Leopard, on my Mac mini. The installation went successfully but took a long time to complete. At first nothing seemed to be broken, but soon I discovered the loss of my NFS shares. So I started to look for the Directory Utility, because that was the tool I used for auto-mounting my NFS shares in Leopard. After a little digging, I found out that I needed to re-add them using Disk Utility.

- Inside Disk Utility, click File, then NFS Mounts...

So if you’re looking for your lost NFS shares you now know what to do.

eToken, Personal certificate and the Mozilla suite

August 26th, 2009

Recently I received a personal certificate, also known as a Digital ID, on a smart card (Aladdin eToken) to access a secure web service. While installing the certificate I noticed it is also possible to use the same certificate to digitally sign and encrypt email, so I fired up Thunderbird and added the PKCS#11 security device to configure S/MIME signing. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you already have installed the eToken software. In case you haven’t, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on “Load”, enter a module name or keep the default like I did (“New PKCS#11 Module”), and browse to the ‘libeTPkcs11.so’ library. This file probably sits in ‘/usr/lib’ or ‘/usr/lib64’. Be sure to pick the right one: you need the 64-bit version if you’re using 64-bit Firefox.

Open Account Settings -> Security

Select the certificate on your smart card you’d like to use.

Thunderbird and Firefox are not bundled with the CAs needed to support GlobalSign PersonalSign Class 2 out of the box. You have to import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and the GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) to make it work in Thunderbird, otherwise you’ll notice you’re not able to send digitally signed email.
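As an added example (not code from the original post, Aladdin or Mozilla), here is a Python check for the 32-bit/64-bit mismatch warned about above, followed by the NSS command-line equivalents of the GUI steps. modutil and certutil are the real NSS tools; the profile directory, library path and the ELF stubs built by demo() are assumptions.

```python
import os
import tempfile

# Added example, not code from the original post or from Aladdin/Mozilla.
# modutil and certutil are the real NSS command-line tools; every path below
# is an assumption, and demo() builds throw-away ELF stubs instead of real files.
ELF_MAGIC = b"\x7fELF"


def elf_class(path: str) -> str:
    """'32', '64' or 'unknown', read from the EI_CLASS byte at offset 4."""
    with open(path, "rb") as f:
        header = f.read(5)
    if len(header) < 5 or header[:4] != ELF_MAGIC:
        return "unknown"
    return {1: "32", 2: "64"}.get(header[4], "unknown")


def module_matches_binary(lib_path: str, app_path: str) -> bool:
    """A PKCS#11 module only loads into a process of the same word size: this
    is the 'pick the right one' check from the post, done before clicking Load."""
    lib_cls = elf_class(lib_path)
    return lib_cls != "unknown" and lib_cls == elf_class(app_path)


def nss_install_commands(profile_dir: str, lib_path: str, ca_files: list) -> list:
    """argv lists equivalent to the GUI steps: register the module, then import
    each CA. Trust flags C,C,C mark the CA as trusted for SSL, e-mail (S/MIME)
    and object signing; DER input is assumed (add '-a' for PEM files)."""
    cmds = [["modutil", "-dbdir", profile_dir, "-add", "Aladdin eToken",
             "-libfile", lib_path, "-force"]]
    for nickname, cert_path in ca_files:
        cmds.append(["certutil", "-d", profile_dir, "-A", "-n", nickname,
                     "-t", "C,C,C", "-i", cert_path])
    return cmds


def demo() -> dict:
    """Constructed 32- and 64-bit ELF stubs standing in for the library and client."""
    workdir = tempfile.mkdtemp()
    paths = {}
    for name, cls in (("lib32.so", 1), ("lib64.so", 2), ("thunderbird", 2)):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as f:
            f.write(ELF_MAGIC + bytes([cls]) + bytes(11))  # minimal e_ident
    return {"lib64_ok": module_matches_binary(paths["lib64.so"], paths["thunderbird"]),
            "lib32_ok": module_matches_binary(paths["lib32.so"], paths["thunderbird"])}
```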

Cisco 877W CCKM authentication failed

August 10th, 2009

Using the wireless functionality of the Cisco 877W router I discovered that the wireless connection was being disconnected and reconnected intermittently. At first I thought it might be my Linux notebook doing weird things, but as other wireless clients were acting the same I suspected my new broadband router. Looking at the router log it appears that Cisco IOS reports “CCKM authentication failed”, in which CCKM stands for Cisco Centralized Key Management.

%DOT11-7-CCKM_AUTH_FAILED: Station 0016.44d7.xxxx CCKM authentication failed

So I started searching the web for this particular error message. As I found out, more people have reported it and some were suggesting raising the broadcast key change interval, but that didn’t work for me. Downgrading the IOS software was also mentioned, but hey, I don’t like to downgrade, so I upgraded to a more up-to-date IOS version and the problem seems to be fixed! In the two days since the upgrade there have been no more annoying dis- and reconnects. It’s starting to look like Cisco has done a good job!

I did the upgrade from IOS version c870-advipservicesk9-mz.124-22.T.bin to c870-advipservicesk9-mz.124-24.T1.bin.

Beware of IOS version c870-advipservicesk9-mz.124-24.T.bin: this one seems to be unstable.

This will most certainly apply to the complete Cisco 870 series.

Fireplay for Firefly

June 12th, 2009

Lately I stumbled upon an extension for the well-known media server Firefly called Fireplay. It’s an easy-to-use Flash-based music player interface for Firefly which uses RSP (Roku Server Protocol). The player is able to list playlists, artists, albums and genres, and to play selections. Because it’s a Flash-based player, you can use it everywhere you like.

It has features like downloading tracks, cover art, generating XSPF playlists and more. The included documentation states that future features include playlist generation/editing, shuffle mode and faster browsing.

The following section describes how to install Fireplay.

1. Download Fireplay (mirror):

# wget http://www.mellberg.org/FirePlay.zip
--2009-06-12 23:50:18--  http://www.mellberg.org/FirePlay.zip
Resolving www.mellberg.org... 213.185.18.18
Connecting to www.mellberg.org|213.185.18.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104755 (102K) [application/zip]
Saving to: `FirePlay.zip'

100%[======================================>] 104,755      114K/s   in 0.9s

2009-06-12 23:51:04 (114 KB/s) - `FirePlay.zip' saved [104755/104755]

#

2. Copy the zip file to the admin-root directory of Firefly and extract it; the archive contains four files. The example shows the path for Debian Linux.

# cp FirePlay.zip /usr/share/mt-daapd/admin-root/
# unzip FirePlay.zip
Archive:  FirePlay.zip
  inflating: FirePlay.html
  inflating: FirePlay.readme.txt
  inflating: FirePlay.swf
  inflating: AC_RunActiveContent.js
#

3. Open the usual Firefly URL in your browser followed by the Fireplay page:

http://yourserver:3689/FirePlay.html

You need to enter the Firefly admin password, set in the Firefly configuration file (mt-daapd.conf).

It is also possible to serve FirePlay using a web server like Apache.

Have fun playing songs!

Cisco doing secure SNMP

June 3rd, 2009

Version 3 of the Simple Network Management Protocol (SNMP) was developed with the main purpose of securing the insecure earlier versions of the protocol. Since I needed to set up SNMP for a monitoring tool I decided to do it the secure way, which is SNMPv3. This article describes how to configure SNMPv3 on a Cisco device running Cisco IOS, in my case a broadband router.

The first task is to log in at the console as a privileged user and switch to configuration mode.

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#

The next task is to define a view. To keep it simple, we’ll create a view that allows access to the entire internet subtree:

#snmp-server view readview internet included

Next, create a group that uses the view just created. This command creates a group called readonly, and v3 means that SNMPv3 should be used. The auth keyword specifies that the entity should authenticate packets without encrypting them. The read readview part says that the view named readview should be used whenever members of the readonly group access the router.

#snmp-server group readonly v3 auth read readview

The following command creates a user called snmpro, who belongs to the readonly group. auth md5 specifies that the router should use MD5 to authenticate the user (sha is also possible). The next item is the user’s password or passphrase, which is limited to 64 characters. The last item, priv des56, specifies the encryption of the SNMP packets.

#snmp-server user snmpro readonly v3 auth md5 password priv des56 passphrase

This configuration uses encryption to prevent passwords from being transferred in clear text, and also encrypts the SNMP packets themselves, which may contain information that you don’t want available to the public.

Leave config mode with CNTL/Z or simply type ‘end’, and issue ‘write mem’ to save the current configuration to non-volatile memory, making this change permanent.

router(config)#end
router#write mem
Building configuration...
[OK]
router#

To verify that it’s working you can use snmpwalk. In the example below I use a Linux system to run the snmpwalk command and request the system description (sysDescr.0) from a host called router.

$ snmpwalk -v 3 -u snmpro -l authPriv -a MD5 -A password -x DES -X passphrase \
router sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 02:31 by prod_rel_team
$

As you can see the system description is returned successfully.
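As an added example (not from the post or from Cisco), the Python below carries the RFC 3414 password-to-key and key-localization steps through for the “auth md5 … priv des56” user created above, and is checked against the RFC’s own “maplesyrup” test vector. It shows why the key the router ends up storing is bound to its snmpEngineID; the function and variable names are mine.

```python
import hashlib

# Added example, not from the original post or from Cisco. It implements the
# RFC 3414 appendix A.2 "password to key" algorithm that IOS applies to the
# password and passphrase given on the 'snmp-server user ... v3' line.
MEGABYTE = 1_048_576


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated until exactly 1 MiB has been hashed."""
    repeated = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), the key the router actually stores.
    Mixing in the engine ID makes the stored key useless on any other SNMP
    engine, and it changes (the user must be recreated) if the engine ID changes."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: bytes, passphrase: bytes, engine_id: bytes,
             hash_name: str = "md5") -> dict:
    """Localized auth key plus the DES-56 material for 'priv des56': the first
    8 bytes of the localized privacy key are the DES key, the next 8 the pre-IV
    (RFC 3414 section 8.1.1.1)."""
    auth = localize_key(password_to_ku(password, hash_name), engine_id, hash_name)
    priv = localize_key(password_to_ku(passphrase, hash_name), engine_id, hash_name)
    return {"auth_key": auth, "des_key": priv[:8], "des_pre_iv": priv[8:16]}


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: password "maplesyrup", engine ID 00..02.
    engine = bytes.fromhex("000000000000000000000002")
    print(localize_key(password_to_ku(b"maplesyrup"), engine).hex())
```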

Thunderbird MIME mixup

May 19th, 2009

Today I decided it was time to introduce my iPhone to the campus wireless network, instead of using the slow GPRS network of my carrier. I’m still a happy user of the first-generation iPhone, so I’m stuck with GPRS and that’s why I like WiFi.

So I downloaded the ready-made VU-iphone.mobileconfig file to my workstation and fired up my favourite MUA, which happens to be Mozilla Thunderbird, to mail the configuration as an attachment, just the way the online manual described. But as soon as I opened up the mail app on the phone, the message looked like normal text and there was no attachment to open. I decided to use Mutt as an alternative and repeated the steps described above. This time the attachment showed up as it should, so I was able to import the wireless configuration and finish the wireless setup.

Now I’m happy being wirelessly connected, but still curious why the attachment sent by Thunderbird did not show up correctly in the mobile mail app. So I compared both mail clients’ MIME behaviour and it appears that Thunderbird is not behaving correctly according to RFC 2183. As you can see it uses Content-Disposition type ‘inline’ instead of the correct ‘attachment’ type.

I have stripped the irrelevant header and body information from the messages.

Thunderbird:

User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------070008030904000701030203"

This is a multi-part message in MIME format.
--------------070008030904000701030203
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

--------------070008030904000701030203
Content-Type: text/xml;
 name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="VU-iphone.mobileconfig"

Mutt:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

This looks like a bug.
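As an added example (not part of the original post), here is how a receiving client’s MIME parser sees the two messages above, with Python’s email package standing in for the phone’s mail app. The embedded messages are constructed copies of the captures with shortened bodies and simplified boundaries.

```python
import email
from email import policy
# Constructed copies of the two messages quoted above (bodies shortened,
# boundaries simplified); not the original captures.
THUNDERBIRD_MSG = """\
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="tbird-boundary"

This is a multi-part message in MIME format.
--tbird-boundary
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

--tbird-boundary
Content-Type: text/xml; name="VU-iphone.mobileconfig"
Content-Disposition: inline; filename="VU-iphone.mobileconfig"

<?xml version="1.0"?>
--tbird-boundary--
"""

MUTT_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mutt-boundary"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)

--mutt-boundary
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

--mutt-boundary
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

<?xml version="1.0"?>
--mutt-boundary--
"""


def part_dispositions(raw: str) -> list:
    """(filename, disposition) for every leaf part, as a receiving client sees it."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(p.get_filename(), p.get_content_disposition())
            for p in msg.walk() if not p.is_multipart()]


def misdeclared_attachments(raw: str) -> list:
    """Filenames on parts not declared 'attachment' (RFC 2183): a client that
    honours the disposition renders these inline instead of offering a file."""
    return [name for name, disp in part_dispositions(raw)
            if name and disp != "attachment"]
```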

877W wireless config

May 13th, 2009

As mentioned earlier, I promised to post the wireless configuration of my Cisco 877W router as soon as I got it to work the way I like, so here it is. In this setup the commonly used IRB bridge option is not used. This configuration will also work on the 857W model.

!
dot11 ssid <your ssid>
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 <your password>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool wireless
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server <dns server> <dns server>
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid <your ssid>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description WLAN vlan2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Vlan2
 no ip address
!

On the (outside) Dialer0 interface I had to add the following line to enable NAT:

ip nat outside

And finally you’ll need the following ip nat and access-list lines to make it work:

ip nat inside source list 103 interface Dialer0 overload
access-list 103 remark Traffic allowed to enter the router from the WLAN
access-list 103 permit 192.168.2.0 0.0.0.255

You can use the show dot11 or debug dot11 commands to troubleshoot. For example, the following output displays an associated device:

router#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [<your ssid>] :

MAC Address    IP address      Device        Name            Parent         State
xxxx.xxxx.xxxx 192.168.2.2     unknown       -               self           Assoc

router#
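As an added example (not from the post or from Cisco), a small Python consistency check over the configuration above: it verifies that the DHCP pool, the Dot11Radio0.1 address and NAT access-list 103 all describe the same subnet, and flags the WPA1/TKIP settings a practitioner would want to revisit. The embedded configuration is a trimmed copy of the one above with the placeholders kept; the function names are mine.

```python
import re
from ipaddress import IPv4Network
# Trimmed copy of the configuration above (placeholders kept) with only the
# lines this check reads; constructed for the example, not a new configuration.
CONFIG = """\
dot11 ssid <your ssid>
   vlan 2
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 <your password>
ip dhcp pool wireless
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
interface Dot11Radio0
 encryption vlan 2 mode ciphers tkip
interface Dot11Radio0.1
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip nat inside source list 103 interface Dialer0 overload
access-list 103 permit 192.168.2.0 0.0.0.255
"""


def wlan_subnets(cfg: str) -> dict:
    """The WLAN subnet appears three times: DHCP pool (netmask), sub-interface
    (host + netmask) and NAT ACL (wildcard mask); IPv4Network accepts all three."""
    pool = re.search(r"^\s*network (\S+) (\S+)$", cfg, re.M)
    addr = re.search(r"^\s*ip address (\S+) (\S+)$", cfg, re.M)
    acl = re.search(r"^access-list 103 permit (\S+) (\S+)$", cfg, re.M)
    return {"dhcp_pool": IPv4Network(f"{pool[1]}/{pool[2]}"),
            "radio_subif": IPv4Network(f"{addr[1]}/{addr[2]}", strict=False),
            "nat_acl": IPv4Network(f"{acl[1]}/{acl[2]}")}


def subnets_consistent(cfg: str) -> bool:
    """False when an edit left pool, interface and ACL out of step, which shows
    up as clients that associate and get a lease but never reach the Internet."""
    return len(set(wlan_subnets(cfg).values())) == 1


def weak_wlan_settings(cfg: str) -> list:
    """Findings on the WPA generation and cipher this SSID negotiates."""
    findings = []
    ciphers = re.search(r"mode ciphers (.+)$", cfg, re.M)
    if ciphers and "tkip" in ciphers[1].split():
        findings.append("tkip: RC4-based cipher, deprecated; prefer 'mode ciphers aes-ccm'")
    keymgmt = re.search(r"authentication key-management wpa(.*)$", cfg, re.M)
    if keymgmt and "version 2" not in keymgmt[1]:
        findings.append("wpa without 'version 2' is WPA1; prefer 'key-management wpa version 2'")
    return findings
```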

Enjoy being wireless!

Limit WordPress archives

May 8th, 2009

Since I switched over to a new theme I needed to rearrange the way the sidebar should look. The list of archives was just too long (I think 20 months is the default) to be aesthetically correct. So I started to look for a limit setting in the admin interface of WordPress, but could not find a way to change the limit; I probably overlooked it. So, browsing through the PHP scripts, I found the file responsible for the way the archives section behaves.

I use WordPress version 2.5.1 from the Debian lenny repository.

Edit the following file:

wordpress/wp-includes# vi general-template.php

And look for the following function:

# cat -n general-template.php
<...>
356	function wp_get_archives($args = '') {
357		global $wpdb, $wp_locale;
358
359		$defaults = array(
360			'type' => 'monthly', 'limit' => '10',
361			'format' => 'html', 'before' => '',
362			'after' => '', 'show_post_count' => false
363		);
364
<...>
#

Change the options you wish; I lowered the limit to 10 months.
