My name is Philipp C. Heckel and I write about nerdy things.

Blog


  • May 04 / 2015
  • 3
Linux, Programming, Security

OpenSSH ‘AuthorizedKeysCommand’ with ‘fingerprint’ argument (Patch for OpenSSH 6.6p1)

Many of us developers or system administrators use OpenSSH’s public key authentication (aka password-less login) on a daily basis. The mechanism works based on public key cryptography: By adding a RSA/DSA public key to the authorized_keys file, the user with the matching private key can login without a password. The mechanism works great for a couple of hundred, thousands and even 100k thousand users (tested, login takes ~2sec).

But what if there are more keypairs, say, a million users, or a more flexible approach is desired? Maybe with an LDAP or a database backend? Think of GitHub and how they do their ssh git@github.com ... login! This blog post shows you how to do that by patching OpenSSH’s AuthorizedKeysCommand option to support an additional fingerprint argument.

Continue Reading

  • Mar 24 / 2015
  • 2
Code Snippets, Linux, Scripting

Snippet 0x0B: Bash completion with sub-commands and dynamic options

Every system administrator, most programmers and countless of command line surfing Linux/Mac users use it every day without thinking twice. Hitting the tab key twice, [TAB][TAB], has become the most common thing in the world. Bash completion is the magic behind the tab key. It’s easy to use, but it’s a pain to write. This tiny post demonstrates how to write scripts for bash completion, with sub-commands and dynamic parameters. A working script is embedded in my open source file sync software Syncany.

Continue Reading

  • Mar 22 / 2015
  • 2
Linux, Scripting, Security

Circumvent Internet blockages/filters/censorship with socksproxy and netcat

These days, ISPs are often forced to block the access to certain sites, because their government considers these sites dangerous and/or illegal. While one could certainly discuss the usefulness of such measures in great detail, this tiny post focuses on the more interesting subject of how to circumvent these blockages. It’s not a lenghty post, and it doesn’t show all the ways there are, but I’ll show two simple ways to circumvent Internet non-DNS-based filters.

Continue Reading

  • Jan 24 / 2015
Code Snippets, Programming

Snippet 0x09: Reading a ZIP/JAR file with PHP (here: a JAR manifest)

For my open source file sync software Syncany, I have integrated the automatic plugin build process (we provide plugin repository and an easy plugin API to download plugins) with an upload to the Syncany API server. Plugins (JAR files) are uploaded by Travis (example: Samba plugin) to the Syncany server. To serve meta data on through the plugin API, I need to parse the plugins’ MANIFEST.MF files and store them in a database.

This tiny blog post shows you how to read a ZIP/JAR file entry with PHP, and parse JAR manifest (MANIFEST.MF) file. That’s it. Nothing fancy.

Continue Reading

  • Oct 30 / 2014
  • 1
Code Snippets, Programming

Snippet 0x08: HTTP Basic Auth for secure WebSocket connections (with Undertow)

For my open source file sync software Syncany, I use the embedded web server and web socket server Undertow to provide a websocket and REST based interface by the Syncany daemon. Syncany clients (such as the GUI, or potentially a web interface) connect to this daemon, send requests and receive asynchronous events. Syncany’s GUI client also uses the Undertow websocket client to connect to the above mentioned daemon.

To authenticate the websocket client with the daemon, the simple HTTP basic authentication mechanism over HTTPS is used. This tiny post shows you how to authenticate against a websocket server with HTTP basic auth using the Undertow websocket client.

Continue Reading

  • Oct 17 / 2014
Code Snippets, Security

Snippet 0x06: Disable SSLv3 in Firefox to protect against POODLE attack

The recent POODLE attack (Padding Oracle On Downgraded Legacy Encryption) exploits a vulnerability of an older version of SSL (SSLv3) by performing a padding oracle attack — and thereby allowing a man-in-the-middle scenario.

To be vulnerable, both client (browser) and server have to support SSLv3. If either one does not support or has disabled the protocol, this vulnerability cannot be exploited. This tiny article shows you how to disable SSLv3 in Firefox — thereby effectively making your browser POODLE-safe.

Continue Reading

  • Aug 07 / 2014
  • 4
Code Snippets, Programming, Scripting

Snippet 0x05: Windows .bat: Checking if process is running by PID file

Batch (.bat) files are an MS-DOS legacy technology and I don’t know a single person who loves writing them — and yet, to this day, many people have to do it. In order to run Java programs, start daemons or check if a process is running, batch files have to be used. For my open source file sync tool Syncany, I had to do just that:

The Syncany daemon runs in the background and is started by a batch script. To check if the daemon is already running, the batch script needs to read a PID file and determine if a process with this PID is running.

Since it took me an enormeous amount of time to figure out how to do that (I am a Linux guy!), I wanted to share that little script in this code snippet.

Continue Reading

  • Jun 22 / 2014
  • 4
Code Snippets, Programming

Snippet 0x04: Run .sql-scripts from Java (on HSQLDB, Derby, MySQL, etc.)

Java is sometimes harder than it should be. Oftentimes, very easy things are made hard for no apparent reason. Running SQL scripts (.sql) from inside Java is one of those cases. I really expected this to be easy. And it should be, right? Simply take your JDBC connection and do connection.executeScript() or something. After all, a .sql-script is just a file with many statements.

Turns out there is no easy way to do it without writing some code yourself — at least not to my knowledge. Please enlighten me if there is. In the meantime, checkout my SqlRunner class — a class that reads SQL script files and executes the statements.

Continue Reading