Tuesday, May 24, 2011

Setup RSA SecurID VPN on Nokia N900

This post covers the configuration required to set up the RSA SecurID software token on the Nokia N900 and use vpnc to authenticate with the passcodes it generates.

Install Java on N900
http://wiki.maemo.org/Java
Java for N900 is available as IcedTea6 in extras or extras-testing.

Install micro-emulator
http://www.nokian900applications.com/install-java-on-nokia-n900/
Install microemulator as described in the link above:

Download Microemulator.
Unzip microemulator as root in /opt/: unzip microemulator-2.0.4.zip -d /opt/microemulator/

Install RSA SecurID
http://codehunk.wordpress.com/2010/05/11/rsa-securid-token-on-gnulinux/


$ wget ftp://ftp.rsa.com/pub/agents/j2me/JME23.zip
$ wget ftp://ftp.rsasecurity.com/pub/agents/TokenConverter.tar.gz
$ mkdir securId

$ unzip JME23.zip -d securId/
$ tar -C securId -zxvf TokenConverter.tar.gz
$ cd securId
# Convert your RSA token into required format
$ cp some_directory/token_file.sdtid .
$ chmod +x TokenConverter
$ ./TokenConverter token_file.sdtid -p 'password_you_got_from_admin' -o num_out
$ cat num_out | rev | sed -e :a -e 's/\(.*[0-9]\)\([0-9]\{5\}\)/\1-\2/;ta' | rev
21111-12593-96653-61657-73256-55655-33735-53711-52131-25113-57215-55172-12151-26371-12716-73632-5
# Edit SecurID.jad and add the following two lines
X-NumericInput: 21111-12593-96653-61657-73256-55655-33735-53711-52131-25113-57215-55172-12151-26371-12716-73632-5
X-AllowNumericInput: No
$ java -cp /opt/microemulator/microemulator.jar:SecurID.jar org.microemu.app.Main com.rsa.swtoken.j2me.client.SecurID

Enter your PIN and you should get an 8-digit passcode that can be used with vpnc.
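The two manual steps above (reformatting num_out into 5-digit groups and adding the X-NumericInput / X-AllowNumericInput lines to the JAD) are easy to get wrong by hand, so here is an added Python example that does both; it is not part of the original post or of RSA's tools. It assumes TokenConverter wrote the digits to a file called num_out and that the descriptor is SecurID.jad; the sample num_out content is constructed. Because the JAD then carries the numeric form of your token seed, the script also restricts the file to the owner.

```python
import os
import stat

# Constructed sample of TokenConverter's num_out (digits only, not a real token);
# the real file holds your token's secret seed, so treat it like a password.
SAMPLE_NUM_OUT = "1234567890123456789012\n"

def group_digits(digits, width=5):
    """Insert a dash after every `width` digits counting from the left, with the
    remainder at the end, which is what the rev|sed|rev pipeline above produces."""
    digits = "".join(ch for ch in digits if ch.isdigit())
    if not digits:
        raise ValueError("num_out contains no digits")
    return "-".join(digits[i:i + width] for i in range(0, len(digits), width))

def set_jad_headers(jad_text, headers):
    """Return jad_text with each key in `headers` set to its value. A JAD file is a
    list of 'Key: value' lines; an existing line for a key is replaced in place
    (later duplicates dropped) and missing keys are appended, so re-running the
    edit is harmless."""
    seen = set()
    out = []
    for line in jad_text.splitlines():
        key, sep, _ = line.partition(":")
        key = key.strip()
        if sep and key in headers:
            if key not in seen:
                out.append(f"{key}: {headers[key]}")
                seen.add(key)
            continue
        out.append(line)
    for key, value in headers.items():
        if key not in seen:
            out.append(f"{key}: {value}")
    return "\n".join(out) + "\n"

def prepare_jad(num_out_path, jad_path):
    """Read num_out, format the numeric token and write it into the JAD.
    The JAD now carries the token seed, so restrict it to the owner (0600)."""
    with open(num_out_path) as f:
        code = group_digits(f.read())
    with open(jad_path) as f:
        jad = f.read()
    updated = set_jad_headers(jad, {"X-NumericInput": code,
                                    "X-AllowNumericInput": "No"})
    with open(jad_path, "w") as f:
        f.write(updated)
    os.chmod(jad_path, stat.S_IRUSR | stat.S_IWUSR)
    return updated

if __name__ == "__main__":
    # Usage on the real files would be: prepare_jad("num_out", "SecurID.jad")
    print(group_digits(SAMPLE_NUM_OUT))   # → 12345-67890-12345-67890-12
```

Run it in the securId directory as prepare_jad("num_out", "SecurID.jad") once TokenConverter has produced num_out; the rev|sed|rev pipeline can still be used to eyeball that the grouping matches.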

vpnc can be set up the same way as on desktop Linux, as described in
http://bashingbaru.blogspot.com/2011/05/setup-vpn-using-rsa-securid-software.html
 


Monday, May 23, 2011

Saturday, May 21, 2011

rpcbind and portmap on SLES11

SLES11 ships two packages that both provide portmapper functionality: rpcbind-0.1.6+git20080930-6.15.x86_64.rpm and portmap-6.0+git20070716-31.16.x86_64.rpm. But with portmap installed as the portmapper, mountd fails to start.


root@sles11sp1-XXX:~# rpm -qa | grep portmap
portmap-6.0+git20070716-31.16
root@sles11sp1-XXX:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

When you start the NFS server you might see an error that mountd failed to start, and /var/log/messages shows:

May 20 05:15:18 sles11sp1-XXX mountd[5703]: unable to register (mountd, 1, udp).
May 20 05:15:53 sles11sp1-XXX mountd[5711]: unable to register (mountd, 1, udp).
May 20 05:15:55 sles11sp1-XXX mountd[5713]: unable to register (mountd, 1, udp).

This is because mountd on SLES11 SP1 expects to work with rpcbind: it sees a service listening on port 111, but it cannot register with portmap; it can only register with the rpcbind service.

root@sles11sp1-XXX:~ # rpm -qa | grep rpcbind
rpcbind-0.1.6+git20080930-6.15
root@sles11sp1-XXX:~ # rpm -qa | grep portmap
root@sles11sp1-XXX:~ #

Once you remove portmap and install rpcbind, you should be able to start mountd and nfsd with /etc/init.d/nfsserver start.

Setup VPN using RSA SecurID software Token On Ubuntu

This post walks through configuring the RSA SecurID Software Token for use on Linux with a Cisco VPN client (vpnc) on Ubuntu 10.04.

Installing RSA securID software

You should already have the RSA SecurID Software Token installer and your token (key) file.

Install wine on Ubuntu if you don't have it yet:
sudo aptitude install wine

Once you have wine installed, configure it by running
winecfg

Create a new drive Z: that maps to either your home directory or the whole filesystem.

Now install the RSA SecurID software in wine:
wine ./RSA_SecurID_Software_Token_3.0.5.exe

This should install the software and add a menu item under 'Applications->Wine->Programs'. Run the RSA SecurID software from the menu and import the key file.

Installing VPNC 

vpnc can be installed from the repositories:
sudo aptitude install vpnc

If you have your VPN server information as a .pcf file, it needs to be converted into vpnc's configuration format:


mkdir vpnclient
cd vpnclient
wget http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c
sudo apt-get install libgcrypt11-dev
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
chmod +x cisco-decrypt
sudo cp cisco-decrypt /usr/bin
wget http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
sudo cp pcf2vpnc /usr/bin
pcf2vpnc XXX.pcf > XXX.conf

sudo cp XXX.conf  /etc/vpnc/

The above steps convert the .pcf into vpnc format and place it under /etc/vpnc, ready for use.
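To make clear what pcf2vpnc actually does with the profile, here is an added Python example (not the pcf2vpnc script itself, nor anything from the post) that parses the [main] section of a .pcf file and emits the equivalent vpnc configuration lines. The sample profile is constructed; the Host, GroupName, GroupPwd, enc_GroupPwd and Username keys and the vpnc keywords are the real ones. An encrypted group password (enc_GroupPwd) is handed to the cisco-decrypt binary built above, which is assumed to be on PATH. The resulting file holds the group secret, so it is written with mode 0600, which is also the sensible mode for anything you copy into /etc/vpnc.

```python
import os
import subprocess

# Constructed sample profile in the Cisco VPN client's .pcf format (values invented).
SAMPLE_PCF = """[main]
Description=Corporate VPN (constructed example)
Host=vpn.example.com
AuthType=1
GroupName=example-group
GroupPwd=s3cr3t-group-key
Username=alice
"""

def parse_pcf(text):
    """Return the key/value pairs of the [main] section of a .pcf profile.
    The format is INI-like: bracketed sections, Key=Value lines, ';' comments."""
    section = None
    main = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "main":
            continue
        key, sep, value = line.partition("=")
        if sep:
            main[key.strip()] = value.strip()
    return main

def decrypt_with_cisco_decrypt(enc_hex):
    """Pass an enc_GroupPwd value to the cisco-decrypt binary built above
    (assumed to be on PATH); it prints the cleartext group password."""
    result = subprocess.run(["cisco-decrypt", enc_hex],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()

def pcf_to_vpnc(text, decrypt_fn=None):
    """Translate a .pcf profile into vpnc configuration lines.
    A cleartext GroupPwd is used as-is; an enc_GroupPwd needs decrypt_fn."""
    p = parse_pcf(text)
    missing = [k for k in ("Host", "GroupName") if not p.get(k)]
    if missing:
        raise ValueError(f"pcf is missing {', '.join(missing)}")
    secret = p.get("GroupPwd")
    if not secret:
        enc = p.get("enc_GroupPwd")
        if not enc:
            raise ValueError("pcf has neither GroupPwd nor enc_GroupPwd")
        if decrypt_fn is None:
            raise ValueError("enc_GroupPwd present: pass decrypt_fn=decrypt_with_cisco_decrypt")
        secret = decrypt_fn(enc)
    lines = [
        f"IPSec gateway {p['Host']}",
        f"IPSec ID {p['GroupName']}",
        f"IPSec secret {secret}",
    ]
    if p.get("Username"):
        lines.append(f"Xauth username {p['Username']}")
    return "\n".join(lines) + "\n"

def write_vpnc_conf(path, content):
    """Create the config with mode 0600 from the start: it contains the group secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)   # in case the file already existed with looser permissions
    return path

if __name__ == "__main__":
    # Usage on a real profile: write_vpnc_conf("XXX.conf", pcf_to_vpnc(open("XXX.pcf").read(),
    #                                          decrypt_fn=decrypt_with_cisco_decrypt))
    print(pcf_to_vpnc(SAMPLE_PCF), end="")
```

If the profile stores the user's password too (SaveUserPassword), leave it out of the vpnc file and let vpnc prompt, which is what the passcode flow below needs anyway.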

Using RSA TokenCode/PassCode with vpnc

Now we need to get vpnc to use the passcode generated by RSA SecurID for authentication. The software token has a PIN associated with it. Switch the RSA application to 'Advanced View' and enter the PIN there; you should see something like this:


When you run vpnc from the command line, use the 'Current PASSCODE' as your password. It may prompt you for the next passcode, in which case enter the 'Next PASSCODE' as displayed in the image above.

root@XXX:/etc/vpnc# vpnc --xauth-inter XXX
Enter Username and Password.
Passcode for VPN XXX@XXX.XXX.XXX.XXX:
Enter Next PASSCODE:
Passcode for VPN XXX@XXX.XXX.XXX.XXX:
VPNC started in background (pid: 26055)...
root@XXX:/etc/vpnc#


References
http://www.ubuntugeek.com/how-to-setup-cisco-vpn-using-vpnc-ubuntu-jaunty-9-04.html
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-April/003023.html
http://codehunk.wordpress.com/2010/05/11/rsa-securid-token-on-gnulinux/

Wednesday, May 18, 2011

How linux mount uses /etc/mtab

From the Linux mount man page:
The programs mount and umount maintain a list of currently mounted filesystems in the file /etc/mtab.  If no arguments are given to mount, this list is printed.
When  the  proc  filesystem  is  mounted (say at /proc), the files /etc/mtab and /proc/mounts have very similar contents. The former has somewhat more information, such as the mount options used, but is not necessarily up-to-date (cf. the -n option below). It is possible to replace /etc/mtab by a symbolic link to /proc/mounts, and especially when you have very large numbers of mounts things will be much faster with that symlink, but some information is lost that way, and in particular using the "user" option will fail.

How the mount command uses the mtab file can be seen by tracing its system calls:

XXX:~ # strace mount -o loop ubuntu-10.04.2-desktop-amd64.iso temp_mount 
 
This prints every system call the mount command makes. The relevant parts:
stat("ubuntu-10.04.2-desktop-amd64.iso", {st_mode=S_IFREG|0644, st_size=721129472, ...}) = 0 
getcwd("/home/XXX", 4095)          = 15
readlink("/home/XXX/ubuntu-10.04.2-desktop-amd64.iso", 0x7fff11803d10, 4096) = -1 EINVAL (Invalid argument)
getcwd("/home/XXX", 4095)          = 10
readlink("/home/XXX/temp_mount", 0x7fff11803a40, 4096) = -1 EINVAL (Invalid argument)
mount checks whether the given paths are symlinks, then checks mtab to see whether the mount has already been done.


stat("/sbin/mount.iso9660", 0x7fff118048c0) = -1 ENOENT (No such file or directory)
mount("/dev/loop0", "temp_mount", "iso9660", MS_MGC_VAL, NULL) = 0
readlink("/dev", 0x7fff11803a40, 4096)  = -1 EINVAL (Invalid argument)
readlink("/dev/loop0", 0x7fff11803a40, 4096) = -1 EINVAL (Invalid argument)
getcwd("/home/XXX", 4095)          = 10
readlink("/home/XXX/temp_mount", 0x7fff11803a40, 4096) = -1 EINVAL (Invalid argument)
lstat("/etc/mtab", {st_mode=S_IFREG|0644, st_size=795, ...}) = 0
readlink("/home/XXX/temp_mount", 0x7fff11803a40, 4096) = -1 EINVAL (Invalid argument)
It looks for a filesystem-specific mount helper (/sbin/mount.iso9660), performs the mount system call itself, and then gets ready to update /etc/mtab.


getpid()                                = 1052
open("/etc/mtab~1052", O_WRONLY|O_CREAT, 0600) = 3
close(3)                                = 0
link("/etc/mtab~1052", "/etc/mtab~")    = 0
open("/etc/mtab~", O_WRONLY)            = 3
fcntl(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
unlink("/etc/mtab~1052")                = 0
umask(077)                              = 022
open("/etc/mtab", O_RDWR|O_CREAT|O_APPEND, 0666) = 5
umask(022)                              = 077

It finds its own PID and creates /etc/mtab~1052. Since no two processes can share a PID, this process should be the only one with that file open; and even if it dies and a later mount process gets the same PID, the new process can simply reuse the old file, because 'open' is called without O_EXCL. Once /etc/mtab~1052 exists, mount creates /etc/mtab~ as a hard link to it. 'link' fails if /etc/mtab~ already exists, so this step is the atomic lock; mount then takes a write lock on /etc/mtab~ with fcntl and unlinks the per-PID file.

A crash after the hard link has been created but before /etc/mtab~ is unlinked causes problems for later mount and umount commands. If a process dies leaving /etc/mtab~ behind, any new mount/umount operation will call 'link', which fails because /etc/mtab~ already exists, and the new process will assume that somebody else is currently writing to /etc/mtab.

The rest of the trace for the mount command is:

open("/etc/mtab", O_RDWR|O_CREAT|O_APPEND, 0666) = 5
umask(022)                              = 077
fstat(5, {st_mode=S_IFREG|0644, st_size=795, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7a6819a000
fstat(5, {st_mode=S_IFREG|0644, st_size=795, ...}) = 0
lseek(5, 0, SEEK_SET)                   = 0
read(5, "/dev/sda6 / ext3 rw,errors=remou"..., 795) = 795
write(5, "/dev/loop0 /home/XXX/temp_m"..., 52) = 52
close(5)                                = 0
munmap(0x7f7a6819a000, 4096)            = 0
close(3)                                = 0
unlink("/etc/mtab~")                    = 0

mount then opens /etc/mtab, appends the newly mounted filesystem, and removes /etc/mtab~ before exiting.
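The lock protocol in the trace (create mtab~PID, hard-link it to mtab~, take an fcntl write lock, unlink the per-PID file, and remove mtab~ when done) is short enough to reproduce outside of mount. The following is an added Python example, not code from util-linux or from the post; it runs the same sequence against a scratch mtab in a temporary directory and then simulates the crash described above, a lock holder that died after the 'link' and left mtab~ behind, so you can see the next writer being refused. The cleanup on the failed-link path is mine, not something the trace shows.

```python
import fcntl
import os
import tempfile

class MtabLocked(Exception):
    """mtab~ already exists: another writer is active, or a crashed one left it behind."""

def lock_mtab(mtab_path):
    """Take the mtab lock the way the strace shows mount doing it."""
    pid_file = f"{mtab_path}~{os.getpid()}"
    lock_file = f"{mtab_path}~"
    fd = os.open(pid_file, os.O_WRONLY | os.O_CREAT, 0o600)  # no O_EXCL, as in the trace
    os.close(fd)
    try:
        os.link(pid_file, lock_file)   # atomic: EEXIST if any mtab~ is present
    except FileExistsError:
        os.unlink(pid_file)            # my cleanup; the trace does not show the failure path
        raise MtabLocked(f"{lock_file} exists; another mount is writing or a stale lock was left")
    lock_fd = os.open(lock_file, os.O_WRONLY)
    fcntl.lockf(lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # F_SETLK, F_WRLCK over the whole file
    os.unlink(pid_file)
    return lock_fd

def unlock_mtab(lock_fd, mtab_path):
    """Drop the fcntl lock (close) and remove mtab~, as the end of the trace does."""
    os.close(lock_fd)
    os.unlink(f"{mtab_path}~")

def append_mtab_entry(mtab_path, entry):
    """Append one mount line under the lock; the lock always comes off again."""
    lock_fd = lock_mtab(mtab_path)
    try:
        with open(mtab_path, "a") as f:
            f.write(entry + "\n")
    finally:
        unlock_mtab(lock_fd, mtab_path)

def demo(workdir=None):
    """Run the protocol in a scratch directory, then simulate the crash described
    above: a process that took the lock and died leaving mtab~ behind."""
    workdir = workdir or tempfile.mkdtemp(prefix="mtab-demo-")
    mtab = os.path.join(workdir, "mtab")
    append_mtab_entry(mtab, "/dev/loop0 /home/XXX/temp_mount iso9660 ro 0 0")
    fd = lock_mtab(mtab)
    os.close(fd)            # "crash": the lock holder is gone but mtab~ still exists
    blocked = False
    try:
        append_mtab_entry(mtab, "/dev/sdb1 /mnt/data ext3 rw 0 0")
    except MtabLocked:
        blocked = True      # this is what a stuck mount/umount is complaining about
    os.unlink(mtab + "~")   # the manual recovery step: remove the stale lock file
    append_mtab_entry(mtab, "/dev/sdb1 /mnt/data ext3 rw 0 0")
    with open(mtab) as f:
        entries = f.read().splitlines()
    return {"blocked_by_stale_lock": blocked, "entries": entries,
            "lock_cleaned_up": not os.path.exists(mtab + "~")}

if __name__ == "__main__":
    print(demo())
```

The hard link is what makes the lock safe across processes: two writers can both succeed at 'open' of their own mtab~PID, but only one 'link' to mtab~ can succeed. The price is exactly the failure mode discussed above: a stale mtab~ blocks everyone until someone removes it by hand.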

Tuesday, May 17, 2011

Build a single kernel module from the source tree

make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules

Thursday, May 12, 2011

Tivoization


Tivoization refers to the configuring by the manufacturer or vendor of a digital electronic product that uses free software so that the product will operate only with a specific version of such software. Although the concept can initially seem very simple and innocuous, a closer look shows that it could have important implications for the future of free software and for the computer industry as a whole.

http://www.linfo.org/tivoization.html

Tuesday, May 10, 2011

rpcbind port conflict with statd on SLES 11

In SLES11, portmap has been replaced with rpcbind, which adds features such as IPv6 and NFSv4 support. Like portmap, rpcbind listens on port 111 by default. But rpcbind also opens an additional UDP port that it keeps open for its whole lifetime.

Output of lsof for portmap on an older SLES version:

XXX:~ # lsof -p 4046
COMMAND  PID   USER   FD   TYPE DEVICE    SIZE    NODE NAME
portmap 4046 nobody  cwd    DIR    8,1   24576       2 /
portmap 4046 nobody  rtd    DIR    8,1   24576       2 /
portmap 4046 nobody  txt    REG    8,1   17568  687066 /sbin/portmap
portmap 4046 nobody  mem    REG    8,1  132847 1733314 /lib64/ld-2.4.so
portmap 4046 nobody  mem    REG    8,1   36736 1733389 /lib64/libwrap.so.0.7.6
portmap 4046 nobody  mem    REG    8,1   14646 1733355 /lib64/libutil-2.4.so
portmap 4046 nobody  mem    REG    8,1 1570331 1733321 /lib64/libc-2.4.so
portmap 4046 nobody  mem    REG    0,0               0 [heap] (stat: No such file or directory)
portmap 4046 nobody    0u   CHR    1,3            3763 /dev/null
portmap 4046 nobody    1u   CHR    1,3            3763 /dev/null
portmap 4046 nobody    2u   CHR    1,3            3763 /dev/null
portmap 4046 nobody    3u  IPv4  13208             UDP *:sunrpc 
portmap 4046 nobody    4u  IPv4  13220             TCP *:sunrpc (LISTEN)
XXX:~ # 

Output of lsof for rpcbind on SLES11:

XXX:~ # lsof -p 9909
COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
rpcbind 9909 root  cwd    DIR                8,1     4096       2 /
rpcbind 9909 root  rtd    DIR                8,1     4096       2 /
rpcbind 9909 root  txt    REG                8,1    56536 6185085 /sbin/rpcbind
rpcbind 9909 root  mem    REG                8,1    61467 7405594 /lib64/libnss_files-2.11.1.so
rpcbind 9909 root  mem    REG                8,1    19114 7405583 /lib64/libdl-2.11.1.so
rpcbind 9909 root  mem    REG                8,1    39712 7405649 /lib64/libgssglue.so.1.0.0
rpcbind 9909 root  mem    REG                8,1   108213 7405588 /lib64/libnsl-2.11.1.so
rpcbind 9909 root  mem    REG                8,1  1661454 7405577 /lib64/libc-2.11.1.so
rpcbind 9909 root  mem    REG                8,1   135646 7405603 /lib64/libpthread-2.11.1.so
rpcbind 9909 root  mem    REG                8,1   160248 7405669 /lib64/libtirpc.so.1.0.10
rpcbind 9909 root  mem    REG                8,1    42016 7405618 /lib64/libwrap.so.0.7.6
rpcbind 9909 root  mem    REG                8,1   149797 7405570 /lib64/ld-2.11.1.so
rpcbind 9909 root    0u   CHR                1,3      0t0    2376 /dev/null
rpcbind 9909 root    1u   CHR                1,3      0t0    2376 /dev/null
rpcbind 9909 root    2u   CHR                1,3      0t0    2376 /dev/null
rpcbind 9909 root    3r   REG                8,6        0  563076 /var/run/rpcbind.lock
rpcbind 9909 root    4u  sock                0,6      0t0   18570 can't identify protocol
rpcbind 9909 root    5u  unix 0xffff88042b8b63c0      0t0   18543 /var/run/rpcbind.sock
rpcbind 9909 root    6u  IPv4              18545      0t0     UDP *:sunrpc 
rpcbind 9909 root    7u  IPv4              18549      0t0     UDP *:690 
rpcbind 9909 root    8u  IPv4              18550      0t0     TCP *:sunrpc (LISTEN)
rpcbind 9909 root    9u  IPv6              18552      0t0     UDP *:sunrpc 
rpcbind 9909 root   10u  IPv6              18554      0t0     UDP *:690 
rpcbind 9909 root   11u  IPv6              18555      0t0     TCP *:sunrpc (LISTEN)
XXX:~ # 

rpcbind uses an additional UDP port, in this case 690. Unfortunately there is no way to control which port rpcbind gets when it requests a free UDP port.

On a typical NFS server, mountd/nfsd/statd are configured to start on fixed ports to make firewall configuration easier. On our machines statd was configured to use port 690, but since rpcbind started before statd and had already taken that port, statd failed with 'address already in use':

XXX:~ # grep statd /var/log/messages | tail -10
2011 May 10 11:45:38 XXX_01 rpc.statd[27766]: Version 1.2.1 Starting
2011 May 10 11:45:38 XXX_01 rpc.statd[27766]: Could not bind name to socket: Address already in use


This happens occasionally during reboots, when rpcbind acquires the same port that statd was configured to use. Since this is a UDP port, it does not show up in 'netstat -atn' and only shows up in lsof:

XXX:~ # netstat -atn | grep 690
XXX:~ #
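The failure above is a plain bind() collision: rpcbind asked the kernel for any free UDP port and got 690, so statd's later bind to 690 failed with EADDRINUSE. The following is an added Python example, not from the post, that reproduces this on a loopback ephemeral port and shows the check an init script could run before launching statd: whether each service's pinned UDP port is still free. Note that the UDP socket would also have been listed by netstat -aun or ss -uln; the -t in netstat -atn restricts the listing to TCP, which is why it came back empty above.

```python
import errno
import socket

def udp_port_is_free(port, host="127.0.0.1"):
    """Try to bind a throwaway UDP socket to the port. A bind that fails with
    EADDRINUSE is exactly the error rpc.statd logged above."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        probe.close()

def grab_free_udp_port(host="127.0.0.1"):
    """What rpcbind does for its extra socket: ask the kernel for any free UDP
    port (port 0) and keep the socket open. Returns (socket, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]

def conflicting_ports(wanted, host="127.0.0.1"):
    """Given {service: udp_port} for the pinned NFS daemons, return the ones
    whose port is already taken, so the init script can fail loudly instead of
    letting statd die with 'Address already in use'."""
    return {svc: port for svc, port in wanted.items()
            if not udp_port_is_free(port, host)}

def demo():
    """Reproduce the collision: 'rpcbind' grabs an ephemeral port, then the
    check for 'statd', configured (constructed) to use that same port, fails."""
    held, port = grab_free_udp_port()          # rpcbind's extra UDP socket
    try:
        free_while_held = udp_port_is_free(port)
        conflicts = conflicting_ports({"statd": port})
    finally:
        held.close()                           # rpcbind exits / restarts
    free_after_release = udp_port_is_free(port)
    return {"port": port, "free_while_held": free_while_held,
            "conflicts": conflicts, "free_after_release": free_after_release}

if __name__ == "__main__":
    print(demo())
```

For production the check should probe the wildcard address (host="0.0.0.0", or "::" for IPv6) to match what rpcbind binds. On kernels that support it, net.ipv4.ip_local_reserved_ports can be set to the ports statd, mountd and nfsd are pinned to, so that a request for "any free port" never lands on them.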

Friday, May 6, 2011

Mplayer shortcuts on nokia N900

The Nokia N900 has a limited number of keys on its keyboard; some special characters, such as '[' and ']', are missing. In mplayer, '[' and ']' are used to increase/decrease the playback speed of the video.

As these keys are missing from the keyboard, you can re-map the increase/decrease speed functionality to other keys with a custom input.conf file. A sample input.conf that re-maps increase/decrease speed to '(' and ')':
( speed_mult 0.9091    # scale playback speed
) speed_mult 1.1