1. September 8, 2014

      Junos 12.1X44 Dynamic VPN with FreeRADIUS

      One of the features Juniper added to the SRX Dynamic VPN starting with Junos 12.1X44 is the ability to set the VPN client group via RADIUS (eliminating the need to specify the client username).

      What Juniper doesn’t tell you is how to do it: via the Juniper-Local-Group-Name VSA (vendor ID 2636, attribute 46). So, after some trial and error, here’s how:

      Step 1: Configure the access profile and create the Dynamic VPN client group:

      set security dynamic-vpn clients dynclient-testing remote-protected-resources 192.168.1.0/24
      set security dynamic-vpn clients dynclient-testing remote-exceptions 0.0.0.0/0
      set security dynamic-vpn clients dynclient-testing ipsec-vpn vpn-dynamic
      set security dynamic-vpn clients dynclient-testing user-groups dynvpn_testing
      

      Step 2: Add the following line to /usr/share/freeradius/dictionary.juniper:

      ATTRIBUTE	Juniper-Local-Group-Name		46	string
      

      Step 3: Assign the user the group through /etc/raddb/users (or however you do it):

      testuser    Cleartext-Password := "Testing123"
                  Juniper-Local-Group-Name = dynvpn_testing
      

      And… well, test!
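      For testing the RADIUS side without an SRX in front of you, here is an added example (my own, not from the post or from Juniper) that encodes the Juniper-Local-Group-Name VSA exactly as FreeRADIUS puts it on the wire (RFC 2865 attribute 26, vendor 2636, vendor type 46), decodes it back out of a reply, and accepts the group only if it is one the SRX actually has configured; the user-group name comes from Step 1 above, everything else is standard RADIUS.

```python
import struct

# RFC 2865 Vendor-Specific attribute, Juniper's enterprise number, and the
# vendor type from the dictionary.juniper line in Step 2 above.
VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636
JUNIPER_LOCAL_GROUP_NAME = 46

# Dynamic VPN user-groups configured on the SRX in Step 1 above.
CONFIGURED_GROUPS = {"dynvpn_testing"}

def encode_local_group_vsa(group):
    """Wire bytes of one Juniper-Local-Group-Name VSA carrying `group`."""
    value = group.encode("ascii")
    sub = struct.pack("!BB", JUNIPER_LOCAL_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_local_group_vsas(attrs):
    """Every Juniper-Local-Group-Name value in a RADIUS attribute list."""
    groups, i = [], 0
    while i < len(attrs):
        atype = attrs[i]
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        if atype == VENDOR_SPECIFIC and alen >= 6 \
                and struct.unpack("!I", attrs[i + 2:i + 6])[0] == JUNIPER_VENDOR_ID:
            # The vendor area may carry several sub-attributes back to back.
            j, end = i + 6, i + alen
            while j < end:
                vtype = attrs[j]
                vlen = attrs[j + 1] if j + 1 < end else 0
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute at offset %d" % j)
                if vtype == JUNIPER_LOCAL_GROUP_NAME:
                    groups.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return groups

def accepted_group(attrs):
    """The group to apply, or None unless exactly one Juniper-Local-Group-Name
    is present and it names a configured user-group."""
    groups = decode_local_group_vsas(attrs)
    return groups[0] if len(groups) == 1 and groups[0] in CONFIGURED_GROUPS else None
```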

    2. June 3, 2013

      Nikon 35mm f1.8 Back-focus

      So I recently noticed problems with my 35mm back focussing, and as my D90 doesn’t have the fancy on-camera calibration options of later models, I had the lens sent away for repair.

      All I had to do was print off a focus test chart from here (unfortunately the original has disappeared off the face of the web, but archive to the rescue!), take a couple of test shots at various apertures, and mail it off to get fixed. One month later, the lens is back.

      Below is a comparison at f1.8 before (right) and after (left) the repair… definitely worth having done!

      comparison

      Big thanks to the awesome people at Snapshot!

    3. August 21, 2012

      OCR a scanned PDF with Tesseract

      Simple really: I wanted to OCR a scanned PDF, then embed the output text back into the PDF so that I can search. Surprisingly, an application for this doesn’t already exist, so here’s my script:

      #!/bin/sh
      # OCR every page of a scanned PDF and attach the recognised text to that page.
      set -e

      pdf="$1"
      cp "$pdf" "$pdf.bak"

      # \d is not valid in POSIX sed; match the digits explicitly
      pages=$(pdftk "$pdf" dump_data | grep NumberOfPages | sed -E 's/.*: ([0-9]+)/\1/')

      for i in $(seq 1 "$pages"); do
              # ImageMagick page indices are zero-based
              convert -monochrome -density 600 "$pdf[$((i - 1))]" "page$i.tif"
              tesseract "page$i.tif" output -l eng
              pdftk "$pdf" attach_files output.txt to_page "$i" output "$pdf.new"
              mv "$pdf.new" "$pdf"
              rm output.txt "page$i.tif"
      done
      
    4. October 10, 2011

      Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64

      Update: In my mad rush to get everything working, I completely missed that 8.1 was released, which adds native 64-bitness. Apart from linking /usr/lib64/libeToken.so to /usr/lib/libeToken.so.8, there are no hacks required anymore! Yay!

      I’ve just installed the oneiric release candidate. And I like the changes. And I like that with a little tweaking, my eToken still works!

      I did a bare-metal install, as I’ve now upgraded to SSD. So, I’ve updated my tutorial to match.

      1. Install 11.10 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied: it ships with i386 binaries that just happen to work on amd64. So you’ll need to prep your x86_64 system with i386 goodness, by running:
        sudo apt-get install ia32-libs libhal1 opensc pcscd

        • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet’s user guide. If you don’t install it, you’ll see things pop up in /var/log/syslog like:
          pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
      2. You’ll need the 32-bit libpcsclite1 and libhal1. Simply run:
        wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
        wget http://archive.ubuntu.com/ubuntu/pool/main/h/hal/libhal1_0.5.14-0ubuntu6_i386.deb
        dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
        dpkg -x libhal1_0.5.14-0ubuntu6_i386.deb libhal1-i386
        sudo cp libpcsclite1-i386/lib/libpcsclite.so.1.0.0 /lib32
        sudo cp libhal1-i386/usr/lib/libhal.so.1.0.0 /usr/lib32
        sudo ln -s /usr/lib32/libhal.so.1.0.0 /usr/lib32/libhal.so.1
        sudo ln -s /lib32/libpcsclite.so.1.0.0 /lib32/libpcsclite.so.1
        
      3. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with
        dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb

      Note: if you’ve had this working before, you’ll notice that in 11.10 they’ve moved from /usr/lib being a link to /usr/lib64 to being its own directory; the result is that the PKCS11 module for your applications now lives at /usr/lib64/libeTPkcs11.so.

      So there you go. If you add the /usr/lib64/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken.

      For a quick verification, run:

      pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

      and you should see your eToken.

    5. July 8, 2011

      Aladdin eToken on Ubuntu 11.04 (natty narwhal) amd64

      Update: this has been updated for 11.10, check it out here.

      This is more complicated than it should be, for no real reason. I like my eToken, and have been trying for a good year to get it working on 64-bit Linux. Today, I sat down, started from scratch, and nutted it out. The following 3-step procedure should be all that’s needed to get it working.

      1. Install 11.04 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied: it ships with i386 binaries that just happen to work on amd64. So you’ll need to prep your x86_64 system with i386 goodness, by running:
        sudo apt-get install ia32-libs libhal1 opensc pcscd

        • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet’s user guide. If you don’t install it, you’ll see things pop up in /var/log/syslog like:
          pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
      2. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with
        dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb
      3. Finally, you’ll need the 32-bit libpcsclite1. Simply run:
        wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
        dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
        sudo cp libpcsclite1-i386/lib/* /lib32
        

      So there you go. If you add the /usr/lib/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken.

      For a quick verification, run:

      pkcs11-tool --module /usr/lib/libeTPkcs11.so -L

      and you should see your eToken.

      Also, good-bye Windows XP. This was the last thing preventing me from using Ubuntu on a daily basis, and now you’ve been completely replaced.
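      Both eToken posts above hinge on one fact: the SAC driver that pcscd loads is an i386 binary, so every library it dlopen()s must be i386 too. As an added example (mine, not SafeNet’s or the posts’ own code), this reads the ELF header of the driver and of the 32-bit support libraries from the posts and reports whether each one could actually be loaded by that driver; the paths are the posts’ values and the checker assumes x86 ELF files.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MACHINES = {3: "i386", 62: "x86_64"}

# Paths from the two eToken posts above: the i386 SAC driver pcscd loads and
# the 32-bit libraries it needs. Adjust for your system; these are the posts' values.
DRIVER = "/usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so"
SUPPORT_LIBS = ["/usr/lib32/libhal.so.1", "/lib32/libpcsclite.so.1"]

def elf_info(header):
    """(class_bits, machine) parsed from the first 20 bytes of an ELF file,
    or None when the bytes are not an ELF header."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(header[4])                     # EI_CLASS
    endian = "<" if header[5] == 1 else ">"                  # EI_DATA
    machine = struct.unpack(endian + "H", header[18:20])[0]  # e_machine
    return bits, MACHINES.get(machine, "machine %d" % machine)

def loadable_by(driver_header, lib_header):
    """A driver can only dlopen() a library of the same class and machine."""
    info = elf_info(driver_header)
    return info is not None and info == elf_info(lib_header)

def read_header(path):
    with open(path, "rb") as f:
        return f.read(20)

def check_install(driver=DRIVER, libs=SUPPORT_LIBS):
    """Report, per support library, whether the driver could load it."""
    try:
        drv = read_header(driver)
    except OSError as e:
        return {driver: "missing (%s)" % e.strerror}
    info = elf_info(drv)
    report = {driver: "%s-bit %s" % info if info else "not ELF"}
    for lib in libs:
        try:
            report[lib] = "ok" if loadable_by(drv, read_header(lib)) else "bitness mismatch"
        except OSError:
            report[lib] = "missing"
    return report

if __name__ == "__main__":
    for path, status in check_install().items():
        print("%-60s %s" % (path, status))
```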

    6. June 21, 2011

      KVM virtual console to physical TTY

      This took me longer than it should’ve to figure out… I wanted to take the virtual console (pts) from a KVM virtual machine, and map it to a physical tty, so that I could login to my virtual machine from the physical keyboard, without having to login to the virtual host itself. This can be done with a simple one-liner:

      screen /dev/pts/1 > /dev/tty9 < /dev/tty9 &

      Add that to /etc/rc.d/rc.local to start on system startup (hopefully after the VM has started), and I'm all set!

    7. January 16, 2011

      Surprise!

      Here be the official spilling of the beans to the internet. Apologies to anyone we didn’t manage to tell in person who feels they should have been told before this, we did our best.

      Here goes: Beverley and I are trying our hand at growing a human child.

      We’re at the 12 week mark as of today, and preliminary results are promising. The Junior Laundry is exhibiting signs of being indeed human. YUS! Here’s the first official baby photo:

    8. August 23, 2010

      pfSense IPv6 HowTo (PPTP with Thomson ST536v6 in NZ)

      I’ve just spent a few hours getting this going, and so I thought I’d write up a quick howto.

      1. Install VirtualBox. Windows Virtual PC doesn’t support starting machines as services, and I never really liked VMWare Server due to its high overhead.
      2. Create a virtual machine and install pfSense 1.2.3. Accept VirtualBox’s default FreeBSD settings, except create 2 network cards (pfSense won’t work without at least 2), both bridged to the physical network interface. Remember that the modem will run on a different IP address range (10.0.0.138), so while using VLANs to actually separate the networks is an option, having everything on the same network won’t do anything bad.
      3. Now that pfSense is running, set up the Thomson ST536v6 to act as a PPTP server, so that pfSense gets the real, public internet connection with a real-world IP address. Much nicer than having to use NAT or DMZ, and the Thomson does a nice job of this. Telnet into the modem (remember the default username is Administrator and the password is blank) and run the following commands (which WILL destroy your current config). Note: this forum post is mostly correct, but I kept getting an “Invalid phonebook destination name, phonebook is in use.” error when trying to flush the ATM interface without first detaching it.
        :system reset
        :ppp relay flush
        :eth flush
        :atm ifdetach intf=atm_0_100
        :atm flush
        :ppp flush
        :atm phonebook flush
        :saveall
        :atm phonebook add name=BrPPPoE_ph addr=0.100
        :service system modify name=PPTP state=enabled
        :saveall
        :system reboot
      4. After power cycling the modem, it’s time to configure pfSense. Bind LAN to em0 and WAN to em1 (or vice versa, it doesn’t matter). pfSense will take forever bringing up the WAN interface, because it’s expecting a DHCP lease which isn’t available. The LAN interface will start acting as a DHCP server, which is good, given you’ve just told your modem to stop doing that.
      5. Login to the pfSense web UI. Under Interfaces, select WAN. Change the Type to PPTP. The Username and Password won’t have any effect for Telecom ADSL connections (user@xtrabb.co.nz and telecom work fine), but for UBS or LLU connections you’ll need to use something specific. Set the Local IP address to 10.0.0.139/24 and the Remote IP address to 10.0.0.138 (which the modem should be listening on, as well as 192.168.1.254).
      6. Not quite sure what causes the PPTP connection to stand up (I think I just waited and it came up automatically), but at this point you could probably power cycle the virtual pfSense and it should all liven up. If you’ve done it right, you should have an internet connection on your clients (you may need to refresh the DHCP lease). Step one complete!
      7. Now for tunnelled IPv6: go to http://tunnelbroker.net and sign up for a tunnel. Don’t forget to tick the IPv6 enable box (under Advanced in pfSense’s System menu).
      8. There’s a great shell script here which takes care of creating the tunnel on pfSense. You’ll need to run this on each restart, but each time you restart your public IP address is likely to change anyway. I may get bored and update the script to handle this automatically at some point…
      9. Anyway, if you can get to http://ipv6.google.com, step two complete!

    9. July 2, 2010

      jQuery qtip & fullcalendar

      I was having a really strange problem today getting qtip (1.0.0-rc3) and fullcalendar (1.4.5) to play nice. No matter what, it was erroring on line 139:

      $(this).data('qtip').current = $(this).data('qtip').interfaces.length

      Thankfully the intertubes had a very helpful post; changing line 134:

      if(typeof $(this).data('qtip') == 'object')

      to:

      if(typeof $(this).data('qtip') == 'object' && $(this).data('qtip') !== null)

      made it all happy. Good coding practice FTW…

    10. June 7, 2010

      Signs of life

      Ya, it’s been a while since adding content to this site, I know. It’s on the todo list.

      While helping my lovely wife and my grandfather-in-law get their blogs online, I realised I’ve mostly neglected mine. It’s not because I don’t love you, sweet internets, but because I’ve found that the free time I once had for ranting online has almost vanished. It’s honours project time, my final year of uni, my victory lap. Although I don’t have exams, it feels like I’m being tested every day. It feels like it’s no longer fun whimsical nonsense, at uni and at work. And as much as I thought it never would, I want it to be over quickly.

      I gave up writing for Nexus; not because I didn’t enjoy it, but because I felt my writing was getting to the stage of interestingness. Throughout all the articles of The Nerdery, you’ll notice a certain “shit, gotta get this done before Monday” feel to them. They were forced. And then, something happened at the start of the year; I felt like I had something to say. I felt like I had to educate the masses. Unfortunately, this came at a time where the new editor felt that Nexus had evolved too much over Josh’s tenure, and decided to take it back a notch. I felt like I no longer belonged.

      It’s the sort of feeling I’m starting to find from places where I thought I had permanent membership.

      Anywho, that’s enough emo for one night.