For those of you that check back on my blog posts. I have a new home! www.jaysonbroughton.com is the new home for rambling techie. I won't be updating these blogs any more; and at some point, will have them pointing to their new home.
~Jayson
Friday, December 31, 2010
Monday, November 22, 2010
Part III - Cups and Windows Drivers - Automagically delicious!
Primer
Wow, this one has been a long time in coming. Call it lack of motivation,
writing 3 other blog posts, or I realized just how much of a PITA it is
to actually get this up and running. Either way, here you go.
Part III focuses on being able to connect to your cups server via samba,
and have the samba/cups server automatically push out the necessary drivers
for your printer. Once again, keep in mind that this was done on an
ubuntu/debian server; so mileage may vary.
First thing you want to do is install the necessary packages to get samba
installed and configured properly. There are plenty of GUI tools out there
to help you set up samba (swat, and some gui utility to set up samba from gnome
are two that come to mind). But alas, it's easier for me to know what actually
goes into a configuration file if I do it from the command line and edit
the smb.conf file. So that's what I'll be doing here in this blog post.
So, first things first: install samba and other necessary apps:
a. apt-get install samba samba-common samba-common-bin
b. download the cups windows drivers from cup's web page
1. wget "http://www.cups.org/software.php?VERSION=1.4.5&FILE=cups/windows/cups-windows-6.0-source.tar.gz" (quote the URL: an unquoted & backgrounds the command and drops the FILE parameter)
Configuring Samba and Cups Services
Once samba is installed, it's time to play with the configuration. Navigate to
/etc/samba/ and open up smb.conf
1. vim /etc/samba/smb.conf
Now, because my network may be slightly different than yours, I will
pastebin what my smb.conf file looks like; the main thing to worry about
is the print share, this is where samba and cups talk to each other about
the necessary printer drivers and whatnot. I know at first glance, it may
look like there are two printer shares, but one ([printers]) is for the Windows clients
to browse the printers, and the other is print$, the driver share that cups (via cupsaddsmb) fills. Both are necessary.
Pastebin of smb.conf:
http://www.pastebin.ca/1999380
Once you have successfully setup smb, and tested with: testparm /etc/samba/smb.conf
then it's time to move on to the next step.
** Side Note: I have read on the internet that the following lines should
be added to your CUPS configuration under /etc/cups/ (mime.convs and mime.types), but have found for whatever
reason that it's not necessary on the setup that I use. If you're having
problems printing, you might want to add them:
mime.convs:
application/octet-stream application/vnd.cups-raw 0 -
mime.types:
application/octet-stream
After you have set up the smb.conf file, there are a few more steps necessary
to get samba to play nice with your printers
a) mkdir -m 777 /var/spool/samba (1777, i.e. with the sticky bit, is the safer choice: users can then only remove their own spool files)
b) Create a samba user; you can use root, or another user
1) smbpasswd -a root
Get Windows print drivers & Install the cups/samba magic
A) Extract/Build Windows Cups drivers
Okay, I assume you went out and downloaded the Cups drivers (see Introduction); and you followed my steps in
Part 1 of this (putting the proper .ppd file in place for your printer). Now you
need to build the necessary drivers for cups/windows magic.
a) cd to the download directory where you put the cups-windows-source
b) extract the file
  1) tar zxvf cups-windows-6.0-source.tar.gz
c) Navigate to your new directory
  1) cd cups-windows-6.0
d) build packages
  1) make install
When you run make install, you should see something similar to this:
Creating directory /usr/share/cups/drivers...
Installing cups6.inf...
Installing cups6.ini...
Installing cupsps6.dll...
Installing cupsui6.dll...
B) Retrieve Windows postscript files from a Windows machine
Now here comes the tricky part. In the past you were able to just get adobe postscript files and use these to generate what was
needed for cups to frolic hand in hand with Windows Operating Systems. Now, through much searching, I have been unable to locate
a valid download from adobe that would work with my Windows 7 machine. So we have to go about this the hard way. Was there ever
really an easy way to do this? I mean come on, this is a 3-part series.
1. As I said, this is the tricky part; the easiest way I found (on both windows vista, 7 and xp) was to find a printer in add/remove
printers that used postscript drivers, and was somewhat similar to the printer that I was going to be using (not necessary, force of
habit no doubt). Once this 'fake' printer was installed, I did a search for the files that I would need for adding to the cups server.
Windows 7/Vista/XP:
cups6.ini
cupsps6.dll
cupsui6.dll
ps5ui.dll
pscript5.dll
pscript.hlp
pscript.ntf
2. Once you have located ALL of these files; scp them over to /usr/share/cups/drivers on the cups server; make sure that they are all lowercase.
And now the magic begins. Before you begin this next step, make sure you created a samba user as outlined earlier. Also, you need to edit your /etc/samba/smb.conf
and change security = share to security = user for this next step, then restart samba for the change to take effect. Don't forget to change it back to 'security = share'
(and restart samba again) once you have completed this step.
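As an added example (my code, not from the post or its pastebin), here is a small Python script that does the security-mode toggle described above programmatically, on a constructed smb.conf that has the [global], [printers] and [print$] sections the post describes: it reports which of the two printer shares is missing, switches security to user for the cupsaddsmb run, and switches it back to share afterwards so the step can't be forgotten. The sample share paths are assumptions of the example. Note that security = share only exists in the Samba 3 series this post was written against; Samba 4 removed it, so on a current server you leave security = user throughout.

```python
import re

# Constructed sample smb.conf for this example (not the author's pastebin copy):
# a [global] section plus the two shares the post describes, [printers] for the
# Windows clients to browse and [print$] for the drivers cupsaddsmb uploads.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = cups print server
   security = share
   printing = cups
   printcap name = cups
   load printers = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   printable = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   guest ok = no
   read only = yes
   write list = root
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SECURITY_RE = re.compile(r"^(?P<indent>\s*)security\s*=\s*(?P<mode>\S+)\s*$", re.I)


def section_names(conf_text):
    """Set of section/share names (lowercased) found in an smb.conf text."""
    names = set()
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.add(m.group("name").strip().lower())
    return names


def missing_print_shares(conf_text):
    """The post needs both [printers] and [print$]; return whichever is absent."""
    present = section_names(conf_text)
    return [s for s in ("printers", "print$") if s not in present]


def get_security_mode(conf_text):
    """Value of 'security' in [global], lowercased, or None if it is not set."""
    current = None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            continue
        m = SECURITY_RE.match(line)
        if m and current == "global":
            return m.group("mode").lower()
    return None


def set_security_mode(conf_text, mode):
    """Return conf_text with 'security = <mode>' in [global] (other sections are
    left alone). If [global] has no security line, one is added to it."""
    if mode not in ("share", "user"):
        raise ValueError("expected 'share' or 'user', got %r" % mode)
    out, current, done = [], None, False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if current == "global" and not done:   # leaving [global] without one
                out.append("   security = %s" % mode)
                done = True
            current = m.group("name").strip().lower()
            out.append(line)
            continue
        m = SECURITY_RE.match(line)
        if m and current == "global" and not done:
            out.append("%ssecurity = %s" % (m.group("indent"), mode))
            done = True
            continue
        out.append(line)
    if current == "global" and not done:           # [global] was the last section
        out.append("   security = %s" % mode)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = SAMPLE_SMB_CONF
    print("missing shares:", missing_print_shares(conf) or "none")
    conf = set_security_mode(conf, "user")          # before cupsaddsmb
    print("for cupsaddsmb:", get_security_mode(conf))
    conf = set_security_mode(conf, "share")         # afterwards, as the post says
    print("restored:", get_security_mode(conf))
```

The functions work on the file's text rather than on the file itself, so you can run them over a copy, run testparm on the result, and only then write it to /etc/samba/smb.conf and restart samba.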
**Note - I also found through various research that if you have more than one samba server on your network, you need to bring down the network interface
of the one you are working on (ifconfig <interface> down) for the duration of the next few steps.
C) Run the following commands to export cups drivers
1. cupsaddsmb -H localhost -U root -a -v
2. At this point, enter your password. If all is good, you should see a whole boatload of data coming across your screen (hopefully all good) talking about
grabbing the PPD file for your printer (see Part 1) and adding all sorts of cups/samba magic to make everything work.
Once this is complete, DON'T FORGET to change 'security = user' back to 'security = share', or you're going to have some problems when it comes to adding printers.
** Note - I found that you need to get the necessary Windows files as separate sets for 32-bit and 64-bit OS's. So if you have both a 32-bit Windows host and a 64-bit Windows host,
you need to get the same dll's (and other files as illustrated above) from each and run the cupsaddsmb command against both (just put them in different directories prior to running cupsaddsmb).
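The lowercase-name rule from step 2 and the separate 32-bit/64-bit sets from the note above are easy to get wrong when copying files by hand. Here is an added Python check (my example, not the post's or the CUPS project's code) that looks for every file the post lists, plus the four that make install created, in one directory per architecture and reports anything missing, empty, or copied over with its Windows capitalization. The w32x86/x64 subdirectory names are an assumption of the example; the post only says to use different directories. The sample tree it builds in a temp directory is constructed test data.

```python
import os
import tempfile

# Driver files per architecture: the four that 'make install' of cups-windows
# creates, plus the four the post says to copy from a Windows machine. Samba's
# cupsaddsmb expects all of them under their lowercase names.
CUPS_BUILT_FILES = ("cups6.inf", "cups6.ini", "cupsps6.dll", "cupsui6.dll")
WINDOWS_PS_FILES = ("ps5ui.dll", "pscript5.dll", "pscript.hlp", "pscript.ntf")
REQUIRED_FILES = CUPS_BUILT_FILES + WINDOWS_PS_FILES


def check_driver_dir(driver_dir):
    """Problems found in one driver directory (an empty list means it is ready):
    a required file missing, present only under a non-lowercase name, or empty."""
    try:
        present = os.listdir(driver_dir)
    except FileNotFoundError:
        return ["directory %s does not exist" % driver_dir]
    by_lower = {}
    for name in present:
        by_lower.setdefault(name.lower(), []).append(name)
    problems = []
    for required in REQUIRED_FILES:
        names = by_lower.get(required, [])
        if not names:
            problems.append("missing %s" % required)
        elif required not in names:
            problems.append("%s present only as %s (rename to lowercase)"
                            % (required, ", ".join(names)))
        elif os.path.getsize(os.path.join(driver_dir, required)) == 0:
            problems.append("%s is empty" % required)
    return problems


def check_arch_dirs(base_dir, archs=("w32x86", "x64")):
    """Check one subdirectory per Windows architecture. The subdirectory names
    are an assumption of this example; the post only says 'different directories'."""
    return {arch: check_driver_dir(os.path.join(base_dir, arch)) for arch in archs}


def make_sample_tree(base_dir):
    """Constructed test data: a complete 32-bit set, and a 64-bit set with one
    file missing and one copied over with its Windows capitalization intact."""
    good = os.path.join(base_dir, "w32x86")
    bad = os.path.join(base_dir, "x64")
    os.makedirs(good)
    os.makedirs(bad)
    for name in REQUIRED_FILES:
        with open(os.path.join(good, name), "wb") as fh:
            fh.write(b"placeholder")
    for name in REQUIRED_FILES:
        if name == "pscript.ntf":
            continue                                  # deliberately missing
        target = "PSCRIPT5.DLL" if name == "pscript5.dll" else name
        with open(os.path.join(bad, target), "wb") as fh:
            fh.write(b"placeholder")
    return base_dir


def run_sample_check():
    """Build the sample tree in a temp dir and return {arch: problems}."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_arch_dirs(make_sample_tree(tmp))


if __name__ == "__main__":
    for arch, problems in run_sample_check().items():
        print(arch + ":", "ready" if not problems else "; ".join(problems))
```

Point check_driver_dir at /usr/share/cups/drivers (or at each per-architecture directory) before running cupsaddsmb; an empty result means every file is there under the name cupsaddsmb will look for.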
Testing Out
Final test, and a quick one at that. Fire up your windows client. Now you have two options, you can either add the printer through the add printer wizard, or via \\hostname\printers.
Either one should automagically show the printer in question, allowing you to add the printer to your windows client without having to add print drivers.
Now my reasoning behind this? Well if you really got this far in the blogpost; then I'm sure you're curious just why I went through all of this just for a print server at the house.
Well, between work laptops, friends and family that come visit, and odd-ball machines that I tend to work on; it's easier and much less stressful for people that want to print, to
just browse the print share and add the printer; rather than me hunting down my Driver CD and hoping it's compatible with whatever flavor of windows that currently resides
on someone's computer. That and it gets away from installing all of the unnecessary 'junk' that most of the printer CD's come with; when all the person wants to do is print
out a page or two from a website.
Anyway, that concludes part III of Samba and Cups. Holy crap, I realize it took forever (and 2 other blog posts) but as you can see, it was a large work in progress, documenting every one of
my little steps along the way.
Wednesday, November 10, 2010
Paranoid Penguin - Information hidden inside of EXIF tagged images
So, this blog actually came about because of the newest 200th edition of @LinuxJournal. The article from LJ had something to do with what you use linux for. Option #51 was "Delete all the GPS location data from Images". Well, I saw that and got to thinking about how many people don't realize that GPS (among other information) is stored inside of an EXIF tagged image (JPEG, TIFF). Alas! a blog post on the very subject was born.
About EXIF
EXIF (exchangeable image file format) was created as a camera specification in 1998 and used by various camera manufacturers (and now camera phones) to ‘tag’ image information including, but not limited to: Date and Time stamps, Camera settings, thumbnails, Descriptions and now GPS information. During my testing of EXIF data, I found that images taken with a camera had the following information by default:
* Camera Settings (Exposure, lens used, ISO, Make/Model, sometimes the SN of the Camera and/or Lens, and Manufacturer's information).
Images taken with a Camera phone usually had the above information, but included the phones make/model, Software version and GPS ‘tag’ of the image itself.
Concerns
What I believe is that some users of camera phones (as reflected by some example data that I had collected from images for this blog) have no clue just what is stored in their images when they upload that ‘awesome image of my new big screen TV at home’. So, as to the title of this blog, paranoid penguin: I will be talking about just how much data is stored in those twitpic/facebook/lmnop images that people post. I think a main concern about these images is not only the Make/Model/SW Version of the phone being tagged in EXIF images (can you say phone exploits?) but also people that have inadvertently enabled GPS tagging of their images without realizing it. I’m pretty sure the guy who took an image of all his pot didn’t want a GPS location tagged to the picture he uploaded!
Real-World Examples of Data Collected
As I stated earlier, I began this blog; curious about just how much information people inadvertently put out when they submit images. Because of this, I picked one of the most used image sharing sites for twitter, twitpic. I figured that people snap images of all sorts of strange stuff, and ‘tweet’ it to the world. For this test, I selected 9 random topics to search for; so that I wasn’t limiting myself to ‘latest images’. From those 9 random topics, I picked 10 random images for a total of 90 images. Below, is a table of information that I found relevant to this post.
Totals:
Total Images = 90
Total EXIF Images = 36
GPS Enabled Images = 14
Phones = 28
Cameras = 8
Percentages:
% of Images w/ EXIF Data = 40%
% of GPS EXIF Images = 50%
% of Phones = 77%
% of Cameras = 23%
So, in a nutshell, almost half of the images uploaded to twitpic had useful EXIF data, and out of those; HALF, yes HALF of those images had GPS information on it. And like I said earlier; I’m pretty sure the author didn’t really want to broadcast to the world where they took that picture within 15 meters (GPS). This can only be explained by the lack of knowledge when it comes to enabling/disabling GPS tagging of images.
Software to read EXIF Data
There is actually an excellent piece of software that reads EXIF (among other image tagged) data. I have used this application for many years to not only strip data that I didn’t want published, but also to read Date/Time stamps of images where I had taken a picture and couldn’t remember when I took it (family photo album). This tool is ExifTool, created by Phil Harvey. You can find information, and download the utility from here: http://www.sno.phy.queensu.ca/~phil/exiftool/
*If you just want to read EXIF data from firefox, there is an excellent plugin called ‘Exif Viewer’. Simple to use, just right-click on an image and view EXIF tag.
Okay, so let's get to installing and configuring this beast. Check your package manager first (Fedora seems to call it perl-Image-ExifTool; Debian shows the package as libimage-exiftool-perl). If it isn't packaged for you, go to http://www.sno.phy.queensu.ca/~phil/exiftool/, download the tarball and run perl Makefile.PL, make, make install. Once you have successfully installed the exiftool utility, navigate to your favorite directory of photos.
Viewing Image data
Now, because exiftool’s help file is miles long, there are all sorts of different ways to view whatever you want to with this utility. And because there are different ways to view this data, I will just tell you what I use to view the most data; you can read the help file later and tailor it to your specific needs.
1. From the directory of your photos execute the following:
exiftool -a -u -g1 filename.extension
What the switches do is the following:
-a = allow duplicate tag names in output
-u = extract unknown tags
-g1 = Organize output by tag group
And there you have it, once you execute the exiftool application, you should see all sorts of information from your photo (provided it’s a .jpg or .tiff image, and there is EXIF data to view).
Deleting EXIF Data
So what about all that pesky GPS data? Now that you have gone through all your photos and realized that some of those images that you took, probably shouldn’t have been tagged with GPS data; now what? Well, that’s where exiftool comes in with a simple one-liner, you can remove your GPS tagged data from both images or directories with the following command:
exiftool -geotag= file-or-directory-name
or
exiftool -gps:all= file-or-directory-name
-geotag= removes the geotagged information (as some cellphones put it into a geotag container), but -gps:all= removes all GPS tags; the trailing = with nothing after it is what tells exiftool to delete rather than print. Note that by default exiftool keeps a copy of the untouched file as filename_original, so the GPS data is still on disk until you delete those copies or add -overwrite_original. By running exiftool -a -u -g1 filename.extension after executing your gps removal switch, you can verify that the data has been removed successfully.
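If you want to check a batch of photos for GPS tags without relying on exiftool, the same check can be done with stdlib Python. This added example (my code, not part of the post or of ExifTool) walks the JPEG segments to the APP1 Exif block, follows the IFD0 pointer (tag 0x8825) to the GPS IFD, converts the degrees/minutes/seconds rationals to signed decimal degrees, and can rebuild the file without the Exif segment. The input is a constructed minimal JPEG carrying the post's Antarctic coordinates; real camera files have the same structure with many more tags. Stripping the whole Exif segment also drops orientation, camera and date tags, which is the trade-off against exiftool's targeted -gps:all= deletion.

```python
import struct

GPS_IFD_TAG = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def exif_tiff(jpeg):
    """Return the TIFF block carried in the APP1 Exif segment, or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            return jpeg[start + 10:end]
    return None


def read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: value}, resolving inline and offset values."""
    entries = {}
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = tiff[e + 8:e + 8 + size]            # value fits in the entry
        else:
            (ptr,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            raw = tiff[ptr:ptr + size]                # value lives elsewhere
        if typ == 2:                                  # ASCII
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:                                # LONG
            entries[tag] = struct.unpack(endian + "I", raw)[0]
        elif typ == 5:                                # RATIONAL pairs
            v = struct.unpack(endian + "%dI" % (2 * n), raw)
            entries[tag] = list(zip(v[0::2], v[1::2]))
        else:
            entries[tag] = raw
    return entries


def dms_to_decimal(rationals, ref):
    deg, mins, secs = (num / den if den else 0.0 for num, den in rationals)
    value = deg + mins / 60.0 + secs / 3600.0
    return -value if ref in ("S", "W") else value


def gps_position(jpeg):
    """(latitude, longitude) in signed decimal degrees, or None if untagged."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(tiff, ifd0[GPS_IFD_TAG], endian)
    if 0x0002 not in gps or 0x0004 not in gps:
        return None
    return (round(dms_to_decimal(gps[0x0002], gps.get(0x0001, "N")), 6),
            round(dms_to_decimal(gps[0x0004], gps.get(0x0003, "E")), 6))


def strip_exif(jpeg):
    """Copy of the JPEG without its APP1 Exif segment(s); scan data untouched."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, start, end in iter_segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])                    # SOS, entropy data, EOI


def build_sample_jpeg():
    """Constructed input: SOI + APP1 Exif + EOI, tagged Make=Ford, 62 23'S 58 27'W."""
    le = "<"
    def entry(tag, typ, n, value):   # value: 4 inline bytes or an offset
        v = value if isinstance(value, bytes) else struct.pack(le + "I", value)
        return struct.pack(le + "HHI", tag, typ, n) + v.ljust(4, b"\x00")
    def rat(*pairs):
        return b"".join(struct.pack(le + "II", a, b) for a, b in pairs)
    ifd0 = struct.pack(le + "H", 2) + entry(0x010F, 2, 5, 38) + entry(GPS_IFD_TAG, 4, 1, 44) + b"\0" * 4
    gps = (struct.pack(le + "H", 4) + entry(0x0001, 2, 2, b"S\0") + entry(0x0002, 5, 3, 98)
           + entry(0x0003, 2, 2, b"W\0") + entry(0x0004, 5, 3, 122) + b"\0" * 4)
    tiff = (b"II*\0" + struct.pack(le + "I", 8) + ifd0 + b"Ford\0\0" + gps
            + rat((62, 1), (23, 1), (0, 1)) + rat((58, 1), (27, 1), (0, 1)))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

To scan a folder before uploading, read each .jpg with open(path, "rb") and call gps_position on the bytes; anything other than None is a photo that still carries its location.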
Tada! that’s it, now your images have been successfully purged of GPS tagging. But what about other stuff? What if you don’t want someone to know just what kind of phone you are using? After all, we can’t be too paranoid when it comes to paranoid penguins and security.
exiftool -Make= -Model= file-or-directory-name
Are you starting to see a pattern here? By putting a - in front of the tag name and an = after it, you change the EXIF information: nothing after the = deletes the tag, a value after it rewrites the tag. For instance, if you wanted to change the make and model (thus further confusing people, no other real purpose); you would do the following:
exiftool -Make=Ford -Model=Mustang file-or-directory-name
And now your image was taken with a Ford Mustang. As you can see, it’s pretty easy to modify and remove information in an EXIF tagged image.
Modify GPS Tagged image
Not only can we delete sensitive information from an image, but we can also modify it. What purpose does this serve? I honestly see no reason to modify GPS data in an EXIF image, other than for giggles. In the past, I have modified information tagged in EXIF format such as date/time stamping (sometimes copying over images from my old blackberry would re-stamp the image, thus screwing with my online family photo album); and other information that I felt was incorrect.
But what if you really want to mess around? How about this one?
exiftool -exif:gpslatitude="-62.383333" -exif:gpslatituderef=S filename.jpg
exiftool -exif:gpslongitude="-58.45" -exif:gpslongituderef=W filename.jpg
With this little change, your summer vacation photos appear to have been taken on the northern peninsula in Antarctica. There are all sorts of things you can do with modifying GPS data. Now with being paranoid aside, you can actually use this to later on ‘tag’ your images from vacation, so that you can add valid GPS information to your pictures.
Conclusion
So, as you can see; there is all sorts of information tagged in jpg/tiff photos that you put up on the internet. Some people are aware, and embrace the ability to geotag every image that they take; and yet some people probably had no clue that their images were being tagged with ‘sensitive’ information when they uploaded their latest images to various social media sites.
Wednesday, October 27, 2010
Mobile One-Time-Passwords with OpenVPN
This started off on my 'wish list' way back when as a fantasy. I was setting up an openVPN server and wrote down a list of how secure (read: paranoid) I wanted my setup to be. Back when I worked at a large Techie company, we had securID keyfobs to log into our VPN and SSH servers remotely. The securID keyfobs worked on a basic principle. The user was given a 4-6 digit 'pin' number, and the fob was associated with a securID server. When the user wanted to log into either the VPN or SSH server, they would type in their PIN# followed by (I believe) the 8 digit LCD Display on their fob. The display changed codes every 10 seconds, so you had to be quick. Without the username, keyfob and PIN #, you were not getting into the server. So, that idea led to my 'wishlist' of what I wanted to see on a secure VPN server to the various servers at the house.
So at the time my requirements were simple. I still wanted certificate based authentication (easier to track, and revoke certs), username authentication AND a One-Time-Password. As keyfobs are still pretty expensive equipment, and that would end up being one more thing that I would have to carry around; I stumbled upon mOTP, or Mobile One Time Passwords. mOTP is pretty much limited (at least in my google searching experience) to proprietary systems, fancy keyfobs, or if you're lucky; free opensource software. Chaching! In my ever increasing endeavours, I stumbled upon http://motp.sourceforge.net. Oh, this was the pot of gold at the end of the rainbow for me! This had everything I needed to implement a secure openVPN server, except documentation on how the heck I was supposed to do it.
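For readers who want to see what the token actually is, here is the mOTP algorithm as published on motp.sourceforge.net, written up by me as an added example (not code from the post, from mOTP, or from its PAM module): the token is the first six hex digits of the MD5 of the current Unix time with its last digit dropped, concatenated with the 16-hex-digit secret and the PIN, so it changes every 10 seconds like the keyfob display. The server side accepts a token from any slot within a drift window (three minutes each way here, an assumed default) but refuses to accept the same token twice. The secret and PIN values are constructed demo credentials.

```python
import hashlib
import hmac
import time

# mOTP as published at motp.sourceforge.net (these parameters are not in the post):
# token = first 6 hex digits of md5(<unix time with last digit dropped> + secret + PIN).
OTP_LENGTH = 6
TIME_STEP = 10              # seconds per token, like the keyfob display
DEFAULT_WINDOW = 180        # clock drift tolerated in each direction, in seconds


def motp_token(secret, pin, unix_time):
    """Token for the 10-second slot containing unix_time."""
    slot = str(int(unix_time) // TIME_STEP)
    digest = hashlib.md5((slot + secret + pin).encode("ascii")).hexdigest()
    return digest[:OTP_LENGTH]


class MotpVerifier:
    """Server side: accept a token if it matches any slot inside the drift
    window, and never accept the same token twice (replay protection)."""

    def __init__(self, secret, pin, window=DEFAULT_WINDOW):
        self.secret, self.pin, self.window = secret, pin, window
        self.used = {}                      # token -> slot in which it was accepted

    def verify(self, token, now=None):
        now = int(time.time() if now is None else now)
        if len(token) != OTP_LENGTH or token in self.used:
            return False                    # malformed, or a replayed token
        steps = self.window // TIME_STEP
        for offset in range(-steps, steps + 1):
            candidate = motp_token(self.secret, self.pin, now + offset * TIME_STEP)
            if hmac.compare_digest(candidate, token):
                self.used[token] = now // TIME_STEP
                self._expire(now)
                return True
        return False

    def _expire(self, now):
        """Drop cached tokens that can no longer fall inside the window."""
        oldest = (now - self.window) // TIME_STEP - 1
        self.used = {t: s for t, s in self.used.items() if s >= oldest}


if __name__ == "__main__":
    # Constructed demo credentials; a real secret is the 16-hex-digit value the
    # mOTP client shows at initialisation, and the PIN is the user's 4 digits.
    secret, pin, now = "0123456789abcdef", "1234", int(time.time())
    verifier = MotpVerifier(secret, pin)
    token = motp_token(secret, pin, now)
    print("token", token, "accepted:", verifier.verify(token, now))
    print("replay accepted:", verifier.verify(token, now + 5))
```

Two things the PAM module has to get right are visible here: the server's clock has to be within the window of the phone's (hence NTP on the VPN box), and the accepted-token cache is what stops someone who saw a token on the wire from reusing it within the window.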
Now, before I begin; I just want to say that they do have setup guides for using radius servers, but I followed my philosophy of 'give it a day of your time, and go find another way'. For the life of me I couldn't get mOTP, FreeRadius and openVPN to play nice. Instead I found the next best thing, PAM modules for mOTP. In this blogpost I won't be telling you how to install openVPN, nor will I explain the best (or most secure) way to setup openvpn, as openVPN is still a learning process for me. I would hope if anyone finds some serious 'oh crap' security hole in how I do things, they would let me know and I can make the necessary changes to this document.
So let's get started shall we? First things first, you need an openVPN server (uh, no crap huh?) that you successfully tested with a client. If you have never set up an openVPN server, their website (www.openvpn.net) has EXCELLENT step-by-step guides on getting started. I have mOTP and openVPN installed on an Debian Server, so keep this in mind while your following this document, as some locations, and packages may shift during shipment so to speak.
Another thing that is a luxury, but not necessarily a necessity; is a development environment that mirrors that of your openVPN server. You will need utilities to compile various software from source, and if your using openVPN on a limited disk space server; you will quickly run out of space. The list of (and in no way complete, I might have had some of these installed at the time that I was writing this document) is as follows:
Development tools (Install these before beginning):
* gcc - needed to compile C/C++ from source
* dpkg-dev - needed by Debian for apt-get source
* libpam0g-dev - PAM development libraries, needed for mOTP and for compiling openVPN plugins
* make - needed to drive the build (runs gcc via the Makefiles)
Setting up PAM Modules for openVPN
*Note: as I stated earlier, I used debian for my openVPN/mOTP setup, so if you are using an RPM pkg mgr, or installing from source, these steps may be different.
1. Download the openVPN source code
a. cd to a temporary directory (/tmp)
b. apt-get source openvpn
2. Compile the auth-pam source
a. navigate to /src-dir/openvpn-dir/plugin/auth-pam (ex: /tmp/openvpn-2.1~rc11/plugin/auth-pam)
b. run: make, inside of the auth-pam directory. This generates the following file:
openvpn-auth-pam.so.
3. Create the location and copy over the openvpn-auth-pam.so plugin
a. mkdir -p /usr/share/openvpn/plugin/lib
b. cp openvpn-auth-pam.so /usr/share/openvpn/plugin/lib
4. Edit your openVPN server.conf file (usually located in /etc/openvpn/server.conf), and add the following line:
a. plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
Setup and Configure mOTP files
Note: At this point, you need to download/install the compatible mOTP client for your mobile device, mOTP's website (http://motp.sourceforge.net) has the necessary java files to run on your phone.
I tested this out on both a BlackBerry 8330 and an Android 2.1 mobile device without any problems. Also, your mobile phone OS might have other mOTP-compatible software located in its 'online store', e.g. Android Market, BlackBerry App World, etc. I would try the mOTP client offered on mOTP's website before venturing into other mobile clients.
1. Create necessary directories for mOTP and PAM
a. mkdir /var/cache/motp
2. Copy the sample configuration file and change permissions on it (the chmod must name the same file you just copied)
a. cp motp.conf /etc/security
b. chmod 600 /etc/security/motp.conf
3. Create an openvpn file, and set permissions in /etc/pam.d
a. touch /etc/pam.d/openvpn && chmod 644 /etc/pam.d/openvpn
4. Copy pam_mobile_otp.so to /lib/security
a. cp pam_mobile_otp.so /lib/security
5. Modify /etc/pam.d/openvpn with your favorite editor, and add the following information:
auth sufficient /lib/security/pam_mobile_otp.so not_set_pass
password required /lib/security/pam_mobile_otp.so debug
account required /lib/security/pam_mobile_otp.so
Configuring mOTP on your device
1. Start up the mOTP client on your mobile device, and enter #**# when asked for your PIN.
This will generate the secret hash that only the motp.conf file needs; write down
the hash, because you will need it. Then eat the paper, leave no evidence.
a. Enter #**# on your mobile device.
b. Enter a bunch of random characters to generate your hash
c. Write down the hash results.
d. Also, at least on the Android client, you will see an 'epoch' time; this will
be needed to compute the time offset between the server and your phone.
ex: 128797806
Figure out your time offset between the server and your mobile device.
* The offset is in hours. For instance, if your phone is set to a different timezone
than the server, finding the epoch time is necessary to sync the PIN to the hash
generated. Some newer versions of the mOTP mobile client allow you to set the timezone manually
in the software, so that you will always have a 0 in the offset on the server. As of this writing
there are two other mOTP clients on the Android marketplace that let you set the UTC offset for where you currently are.
* Also note, from my experience: if the difference between the two times is less than 360, then you won't need to put anything but a 0 when it comes
to setting your offset. 360=1, 720=2, etc.
1. Write down your epoch time from the mobile device
2. Type "date +%s" on the openVPN server, and write down the first 9 digits of
the server's epoch time.
3. Subtract the two numbers to get a positive integer. Ex: 1289798394 (server time)
- 128797806 = 33. This number is in units of 10 seconds (360 = 1 hour, etc.); write it down, you will need it for the next step.
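To make the offset arithmetic above concrete, here is an added example (my code, not from the post or the mOTP project) that computes the offset the way the post does and then shows how a server would use it to check a token. It assumes the published mOTP construction (first six hex digits of MD5 over the 10-second counter, the secret and the PIN), a ±3 minute acceptance window, and a replay cache standing in for /var/cache/motp; the post states none of those, and the secret, PIN and clock values are constructed.

```python
import hashlib

# Constructed sample credentials for this example; nothing here comes from a real motp.conf.
SECRET = "0123456789abcdef"  # the 16-hex-char "hash" the phone shows after the #**# init
PIN = "1234"                 # the PIN chosen in motp.conf


def offset_hours(server_counter, phone_counter):
    """Offset as the post computes it.

    Both arguments are 10-second counters (epoch // 10): the 9-digit value the phone
    shows and the first 9 digits of `date +%s` on the server. 360 steps = 1 hour, and a
    difference under 360 rounds to 0. A phone running ahead of the server gives a
    negative offset; that case is an assumption, the post only walks through the
    positive one.
    """
    diff = server_counter - phone_counter
    sign = 1 if diff >= 0 else -1
    return sign * (abs(diff) // 360)


def motp_token(secret, pin, counter):
    """First six hex digits of MD5(counter || secret || pin), counter = epoch // 10.

    This is the mOTP construction as published on motp.sourceforge.net; the post does
    not spell it out, so treat the exact layout as an assumption of this example.
    """
    return hashlib.md5(f"{counter}{secret}{pin}".encode("ascii")).hexdigest()[:6]


def verify(token, secret, pin, server_epoch, offset, used_tokens, window_steps=18):
    """Server-side check in the style of pam_mobile_otp (behaviour assumed, not copied).

    The server shifts its own clock by the configured offset (hours the phone lags
    behind the server) to land on the phone's clock, then tries every 10-second
    counter within +-window_steps (18 steps = 3 minutes). A token that was already
    accepted is refused; that is the job the /var/cache/motp directory created
    earlier in the post does (replay protection), modelled here by a plain set.
    """
    if not (isinstance(token, str) and len(token) == 6):
        return False
    base = (server_epoch - offset * 3600) // 10
    for counter in range(base - window_steps, base + window_steps + 1):
        if token == motp_token(secret, pin, counter):
            if token in used_tokens:
                return False  # replay inside the window
            used_tokens.add(token)
            return True
    return False


if __name__ == "__main__":
    server_epoch = 1289798394                 # constructed `date +%s` on the server
    server_counter = server_epoch // 10       # the "first 9 digits"
    phone_counter = server_counter - 725      # constructed: phone is 2 h 50 s behind
    offset = offset_hours(server_counter, phone_counter)
    print("offset for motp.conf:", offset)     # 2
    used = set()
    tok = motp_token(SECRET, PIN, phone_counter)
    print("phone shows:", tok)
    print("first use accepted:", verify(tok, SECRET, PIN, server_epoch, offset, used))
    print("replay accepted:   ", verify(tok, SECRET, PIN, server_epoch, offset, used))
    print("with offset 0:     ", verify(tok, SECRET, PIN, server_epoch, 0, set()))
```

The last line shows why the offset matters: the same token the phone displays is rejected once the server's shifted clock is more than the window away from the phone's.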
Configure motp.conf file with the necessary information
motp.conf is located in /etc/security, where you copied it in a previous step. Use your favourite editor (it is vi, isn't it?) to edit the motp.conf file.
There are comments in the file that tell you what to put where. This might just be a coincidence, or might not, but I found that the username I selected
for motp.conf had to be different from the username I had on my server. I think it has something to do with the PAM login modules and having the same username.
I didn't look further into this, but just in case, try a username that is not a local user on the server.
1. Fill in the username, secret (the hash generated above), a PIN of your choosing, and your offset
2. Comment out the default (korff) entry for security purposes. It's in there just as an example of how you configure motp.
Configure openvpn
1. Add the following line to your openVPN server.conf file with your favourite editor.
a. plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
b. Note: if you want to use just mOTP for authentication, and not certificates (not recommended), then add 2 more lines to the config:
1. client-cert-not-required
2. username-as-common-name
2. Add the following line to your openVPN client.conf file (on the client machine, of course)
a. auth-user-pass
Test your configuration
1. Restart your openvpn server (/etc/init.d/openvpn restart, or if you want to see debug messages on the console: openvpn /etc/openvpn/server.conf from the command line)
2. Now test your client; it is best to test this first from the command line (openvpn /etc/openvpn/client.conf) so that you can see exactly what is going on. For my testing purposes
I had the server running from the command line, viewing debug messages, and the client from the command line, watching them both connect and checking for any errors.
3. You should now be asked to enter a username; use the name that you created in your motp.conf file earlier.
4. On your mobile device (remember you have 10 seconds from connection to generate and enter your password) enter the PIN you created, and use the result (the default mobile
app prints the result in red below where you enter your PIN) as your one-time password.
5. If it all works out, you should now be connected to your VPN. Tada!
So there you have it. Mobile One-Time-Passwords using openVPN. If this doesn't work, my first bet would be to check to see if openvpn worked prior to you venturing into the mobile otp arena. That
was my problem when I first started working with this. Drop me a comment if you use this, curious if anyone else will have a use for this.
Sunday, September 19, 2010
Part #2 - Networking Sane
Part #2 - Installing/Configuring Saned for network scanner access.
Okay, now that I/you/the family pet can finally print through cups to your new all-in-one device, it's time to set up and configure saned so everyone can scan in a document. My reasoning behind this: in the past, we had to unplug the all-in-one from one desktop, drag the laptop into the computer room, plug the scanner in, scan the documents, unplug the scanner and (if we remembered to) plug it back into the desktop. What a royal PITA to do every time we wanted to scan a document in, and even more of a PITA when you're attempting to print a document from the desktop, only to realize that the last person who used the printer forgot to plug it back into the desktop! *cough* you know who you are! *cough*.
In part 1 I talked about installing the necessary packages for sane and the hplip drivers. If you haven’t already done this, please for the love of everything holy, do this now.
Before we start getting into saned configuration, the first thing you need to do is make sure that the scanner in your new fancy schmancy all-in-one actually works with sane. Now, according to http://www.openprinting.org/printers my HP Deskjet all-in-one F4480 is considered a 'paperweight'. I don't know their reasoning behind this, and maybe their database needs to be updated. But I do know that both cups and saned support this device with the hplip drivers. So at some point, I'll have to update this. And the Sane page for supported devices (http://www.sane-project.org/sane-mfgs.html#SCANNERS) doesn't even show the all-in-one. But alas, once again, this does work, I promise you. To see a list of supported devices with the HPLIP device driver, go here: http://hplipopensource.com/hplip-web/supported_devices/index.html
If the HPLIP website says Scanning/Printing/WorldDomination is supported, then you are good to go.
From the commandline type: scanimage -L
If your scanner shows up (and it should with the hplip driver support) then you can use this device with saned. For instance with my HP F4480 I get the following result:
device `hpaio:/usb/Deskjet_F4400_series?serial=CN07DC404ZXXXX' is a Hewlett-Packard Deskjet_F4400_series all-in-one
So, now that we know that scanimage can see your scanner, time to make the necessary changes. Once again, I am doing this from an Ubuntu 10.04LTS distro, so you might have to change stuff for the distribution that you are using.
First things first, change your inetd.conf file to allow saned access.
1. vim /etc/inetd.conf
2. add the following information: sane-port stream tcp nowait saned.saned /usr/sbin/saned saned
This lets inetd listen on the sane port and spawn saned for each incoming connection. Next, make sure that the tcp port is set up properly in /etc/services
1. vim /etc/services
2. search for: sane-port
3. Should look like this: sane-port 6566/tcp sane saned # SANE network scanner daemon
Okay, now that the hard stuff is out of the way, time to set up the saned.conf file. It's actually quite straightforward, and I really only have 2 lines (for security reasons) inside of my saned.conf file
1. vim /etc/sane.d/saned.conf
2. Add the following (mileage may vary depending on your internal network)
1. data_portrange = 10000 - 10100
2. 192.168.1.0/24
As you can see, I used a CIDR network mask for my network. You can add specific IP addresses, CIDR subnets, or even IPv6 entries; anything not listed is refused.
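Since the two lines in saned.conf are the whole access control for the scanner, it is worth checking who they actually let in before restarting inetd. The following is an added example of mine (not from the post or the SANE project) that parses a saned.conf in the format shown above and answers that question for a given client address; the file contents and client addresses are constructed, and hostname entries are only collected, not resolved.

```python
import ipaddress

# Constructed saned.conf in the layout the post uses: comments, a data_portrange line,
# then one permitted host or subnet per line.
SANED_CONF = """\
# saned.conf - who may use the scanner (constructed example)
data_portrange = 10000 - 10100
192.168.1.0/24
10.0.0.5
2001:db8::/64
"""


def parse_saned_conf(text):
    """Return (data_portrange, [ip networks], [hostnames]) from saned.conf text.

    Entries may be a single address, an address/prefix, or a hostname. Hostnames are
    returned separately because matching them needs DNS, which this example skips.
    A single address becomes a /32 or /128 network so it can be matched uniformly.
    """
    portrange = None
    networks = []
    hostnames = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("data_portrange"):
            _, _, value = line.partition("=")
            lo, _, hi = value.partition("-")
            portrange = (int(lo), int(hi))    # the data connection range to open on the firewall
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hostnames.append(line)
    return portrange, networks, hostnames


def client_allowed(client_ip, networks):
    """True when the connecting client falls inside one of the permitted entries.

    ipaddress handles the family mismatch for us: an IPv4 client is never "in" an
    IPv6 network and vice versa.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def lint_acl(networks):
    """Flag entries that hand the scanner to the whole internet (0.0.0.0/0, ::/0)."""
    return [str(net) for net in networks if net.prefixlen == 0]


if __name__ == "__main__":
    portrange, nets, hosts = parse_saned_conf(SANED_CONF)
    print("data ports to allow through the firewall:", portrange)
    print("unresolved hostname entries:", hosts)
    print("overly broad entries:", lint_acl(nets))
    for client in ("192.168.1.77", "192.168.2.77", "10.0.0.5", "2001:db8::1"):
        print(f"{client:>14} -> {'allowed' if client_allowed(client, nets) else 'refused'}")
```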
Now save saned.conf and restart inetd
1. pkill inetd && inetd
Telnet to tcp port 6566 from the server; you should get the following:
1. telnet localhost 6566
root@dino:/etc/init.d# telnet localhost 6566
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
2. If you can connect to localhost, then saned is properly setup and listening on tcp port 6566.
When I first set this up, I had issues with saned and networking. These were my steps to debugging the saned interface.
1. Stop inetd (pkill inetd)
2. start saned in debug mode: /etc/init.d/saned -d255
3. This kicks off a high-level debug to the console. From here (once you have set up the sane client, more on that in a minute) you can scan a document remotely and see the debug output. Once you are done debugging, don't forget to restart inetd.
Okay, so it’s safe to assume that saned is now listening on port 6566. Time to do some network scanning!
Remote scanning from a linux client
1. Make sure you actually have xsane installed (get it from the repos)
a. apt-get install xsane xsane-common
2. Setup the sane client for network scanning
a. vim /etc/sane.d/net.conf
b. add the ip address of the saned server
c. Save and quit the file
3. Put a document in the scanner, fire up xsane from the client and see if it scans!
a. xsane will check the net.conf file and attempt to connect to the server; if it makes a valid connection, you will see the device name in the title bar of xsane. From here just select scan and you should see your document loaded up from the scanner. If you are having problems, check above on how I documented starting saned in debug mode.
Remote scanning from a windows client
1. Get the sanetwain package from http://sanetwain.ozuzo.net/
2. Unzip the package and execute: ScanImage.exe
3. Click the little wrench and screwdriver icon up at the top
4. Add the ip address of the saned server and port 6566 (if you set user access, now is the time to put the user name in)
5. Either click 'scan image' to start scanning, or close ScanImage.exe and open it up again; by closing and re-opening the application, it appears that it goes out to the server and adds the remote scanning device (had to do this on Windows 7, tricky bugger). Tada! You should be able to remotely scan from Windows now. As I said earlier, if this doesn't work, run saned in debug mode.
There you have it, network scanning with sane on both Linux and Windows clients.
My last and final part on this blog will be on getting SAMBA, CUPS and Windows drivers happy. As this is a royal PITA to do, much less remember how I did it 3 days ago, I'll probably post this final update this week.
HP Deskjet F4480 - Cups, Saned, and Samba oh my!
Part #1 Cups install/configuration
So, my old HP Deskjet all-in-one finally gave up the ghost earlier this year. Something to do with the printer cartridges and errors all over the place. Well, as a family of 4 1/2 (does the dog count as a half?) we really needed a new printer/scanner/copier combo, but I just couldn't justify the $100+ for a networked all-in-one with limited functionality. So alas! Out comes the penguin in me. We bought an HP Deskjet F4480 All-In-One from Walmart last weekend, and I set out to network share the device.
Here were my goals:
* Get Cups to share the printer to all the machines in the house
* Enable remote administration of CUPS so that I wouldn't have to VNC to the server and administer everything
* Get the scanner to work with saned and sanetwain (Windows' Xsane equivalent) so that we can scan from the Windows machines, along with the Linux machines.
* Auto-push Windows print drivers to Windows machines so I'm not hunting down the silly CD every time I need to add a printer for guests that come in and want to print
* Secure things down so only our local subnet can print/scan/take over the world.
* Do all of this from a headless VirtualBox interface
Did I accomplish my goals? Yup, all but the last one. Everything worked splendidly in VirtualBox during my testing phases (I test all of my new home 'servers' in VirtualBox before pushing them out). But when I pushed it to prod on my little server (AMD 1.2GHz w/ only 1GB RAM, 40GB HD, I'm a cheap bastard), my little server couldn't keep up with all of the USB emulation between the device, server and VirtualBox; CPU was at 90%+ and memory went through the roof when attempting to print. So I took it out of VirtualBox until I can scrounge up enough dough to buy a decent server. (This server hosts: pop3, cups, gallery2 (our family photo gallery), vpn, nagios, and other such services through VirtualBox, so I REALLY need an upgrade at some point.)
I’ll post how I did all of this, from memory (although I might miss a dependency or two).
Step 1: Download files and install services
I did all of this from my Ubuntu 10.04LTS server, so mileage may vary. First, I went to HP's open-source website: http://hplipopensource.com/hplip-web/index.html and downloaded the .deb package (newer than what Ubuntu has in its repo, and it fixes issues with the scanner, btw). Then off to cups.org to download Windows driver support (http://www.cups.org/software.php). Now time for packages and dependencies!
Checking my list of installed packages, I must assume that I installed the following (and dependencies, of course):
DO FIRST: dpkg -i yourhplip-package.deb and install the dependencies it calls for!
CUPS: cups, cups-bsd, cups-client, cups-common, cups-pdf, cups-ppdc (for ppd manipulation), ghostscript-cups, hal-cups-utils, libcups2, libcups2-dev, libgnomecups1.0-1
SANE: sane, libsane, libsane-dev, sane-utils, xsane, xsane-common
SAMBA: samba, samba-common, samba-common-bin, system-config-samba (gui, came default for some reason)
Okay, so once the packages were installed, I set out to get cups installed and configured so that I could at least print over the network.
I’m not going to go into detail about each configuration change and what I did (although I’ll add some comments here and there in the configuration). So here is what my /etc/cups/cupsd.conf looks like (make sure you backup your config before making changes). Keep in mind, the policies were created by ubuntu when I installed the package, for now I left them alone until I can create my own policies, but it works so I’m not complaining right now.
## Go here for my cupds.conf. It appears blogger seems to think my configuration is in html and attempts to format it, oi.
http://pastebin.ca/1944437
Okay, save config and restart cups! /etc/init.d/cups restart (or if your using upstart.. restart cups).
Since I’m a CLI lover, all of this was done from an ssh session, once cups is restarted, you should be able to navigate to the cups page from anyone in (in this example 192.168.1.*) subnet. Fire up firefox (you ARE using firefox, right?) and navigate to: https://your.cups.ip:631 I say https, because by default cups wants https authentication, and you might as well get into the habit of using https for security purposes.
I hope you followed the first instruction to install the hplip driver before you started installing/configuring cups..if not, you should be able to install the .deb package for hplip before configuring your printer. Restart cups after installing hplip just in case.
Now, it’s time to install the printer! Administration - > Printers -> Add Printer ->Local Printer
In my case, it shows up as: HP Deskjet F4400 series (HP Deskjet F4400 series). Select it and click next. Give it a name, description, location and click ‘share printer’, click continue. Select your driver, if it’s not listed..search your server for the *.ppd file for your printer (this is what I had to do for the hp4480), unzip the ppd file, and copy it over to the machine that you are browsing cups from, then add the .ppd file). Once this is done, click ‘Add Printer’.
Tada! Now you have a shared network printer with cups.
From a linux client, you can add the printer via the ipp address (In cups, click ‘printers’ and click the printer..up in the address bar, copy the url, and paste for ipp printing). For windows client’s, if you have ipp setup in windows (more on that in part 2/3) you can do the following (example is with Windows 7)
Start -> Devices and Printers -> Add Printer -> Add network printer ->The Printer I want isn’t listed -> Select a shared printer by name ->Copy/Paste the URL as above into this and click next.
For some people this may work (surf the net for ‘IPP printing in Windows 7’ to find out how you enable ipp printing in windows 7...can’t remember this off the top of my head). For me, and for whatever reason this didn’t work very well. So I opted to use samba in order to push windows drivers out to my connected clients. More on this in the next part.
Part 2 will cover Samba/Sane configurations with Cups for sharing your scanner and pushing out windows drivers.
Part #1 Cups install/configuration
So, my old HP Deskjet all-in-one finally gave up the ghost earlier this year. Something to do with the printer cartridges and errors all over the place. Well, as a family of 4 1/2 (does the dog count as a half?) we really needed a new printer/scanner/copier combo, but I just couldn't justify the $100+ for a networked all-in-one with limited functionality. So alas! Out comes the penguin in me. We bought an HP Deskjet F4480 All-In-One from Walmart last weekend, and I set out to network share the device.
Here were my goals:
* Get CUPS to share the printer to all the machines in the house
* Enable remote administration of CUPS so that I wouldn't have to VNC to the server and administer everything
* Get the scanner to work with saned and SaneTwain (the Windows XSane equivalent) so that we can scan from the Windows machines, along with the Linux machines
* Auto-push Windows print drivers to Windows machines so I'm not hunting down the silly CD every time I need to add a printer for guests that come in and want to print
* Secure things down so only our local subnet can print/scan/take over the world
* Do all of this from a headless VirtualBox interface
Did I accomplish my goals? Yup, all but the last one. Everything worked splendidly in VirtualBox during my testing phases (I test all of my new home 'servers' in VirtualBox before pushing them out). But when I pushed it to prod on my little server (AMD 1.2GHz w/ only 1GB RAM, 40GB HD, I'm a cheap bastard), my little server couldn't keep up with all of the USB emulation between the device, server and VirtualBox. CPU was at 90%+ and memory went through the roof when attempting to print. So I took it out of VirtualBox until I can scrounge up enough dough to buy a decent server. (This server hosts: pop3, cups, gallery2 (our family photo gallery), vpn, nagios, and other such services through VirtualBox... so I REALLY need an upgrade at some point.)
I’ll post how I did all of this, from memory (although I might miss a dependency or two).
Step 1: Download files and install services
I did all of this from my Ubuntu 10.04 LTS server, so mileage may vary. First, I went to HP's open source website: http://hplipopensource.com/hplip-web/index.html and downloaded the .deb package (newer than what Ubuntu has in its repo, and it fixes issues with the scanner, btw). Then off to cups.org to download Windows driver support (http://www.cups.org/software.php). Now time for packages and dependencies!
Checking my list of installed packages, I must assume that I installed the following (and dependencies of course):
DO FIRST: dpkg -i yourhplip-package.deb and install the dependencies it calls for (dpkg lists the missing ones and leaves the package unconfigured until they are in place)!
CUPS: cups, cups-bsd, cups-client, cups-common, cups-pdf, cups-ppdc (for ppd manipulation), ghostscript-cups, hal-cups-utils, libcups2, libcups2-dev, libgnomecups1.0-1
SANE: sane, libsane, libsane-dev, sane-utils, xsane, xsane-common
SAMBA: samba, samba-common, samba-common-bin, system-config-samba (gui, came default for some reason)
Okay, so once the packages were installed, I set out to get cups installed and configured so that I could at least print over the network.
I'm not going to go into detail about each configuration change and what I did (although I'll add some comments here and there in the configuration). So here is what my /etc/cups/cupsd.conf looks like (make sure you back up your config before making changes). Keep in mind, the policies were created by Ubuntu when I installed the package; for now I left them alone until I can create my own policies, but it works, so I'm not complaining right now.
## Go here for my cupsd.conf. It appears Blogger thinks my configuration is HTML and attempts to format it, oi.
http://pastebin.ca/1944437
Okay, save the config and restart CUPS: /etc/init.d/cups restart (or, if you're using upstart, restart cups).
Since I'm a CLI lover, all of this was done from an ssh session. Once CUPS is restarted, you should be able to reach the CUPS web page from any machine in the subnet you allowed (in this example 192.168.1.*). Fire up Firefox (you ARE using Firefox, right?) and navigate to: https://your.cups.ip:631 I say https because, by default, CUPS refuses to accept credentials over an unencrypted connection (the DefaultEncryption directive defaults to Required), so the admin pages will want TLS anyway, and you might as well get into the habit of using https for security purposes. The certificate is self-signed unless you install your own, so expect a browser warning the first time.
I hope you followed the first instruction to install the hplip driver before you started installing/configuring CUPS. If not, you should still be able to install the .deb package for hplip before configuring your printer. Restart CUPS after installing hplip, just in case.
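The pastebin config above is the author's. The script below is an added example, not from the original post, that checks a cupsd.conf for the settings that undermine goal #5 (only the local subnet may reach the printer): binding every interface, `Allow all`, and encryption weakened so the admin password can cross the LAN in the clear. The two configs it runs against are constructed for the demonstration, and the 192.168.1.10 address is an assumed server IP. Run it against /etc/cups/cupsd.conf after editing:

```shell
#!/bin/sh
# Added example (not from the original post): audit a cupsd.conf for settings that
# expose CUPS beyond the local subnet or let admin credentials travel in the clear.
# Usage: cups_audit /etc/cups/cupsd.conf ; exit status = number of findings (0 = clean).

cups_audit() {
    conf="$1"
    n=0

    # 1. 'Port 631', 'Listen *:631' or 'Listen 0.0.0.0:631' binds every interface.
    #    Bind the LAN address explicitly instead (plus the local domain socket).
    if grep -Eiq '^[[:space:]]*(Port[[:space:]]+[0-9]+|Listen[[:space:]]+(\*|0\.0\.0\.0|\[::]):[0-9]+)' "$conf"; then
        echo "FINDING: cupsd bound to all interfaces (Port/Listen *); use 'Listen <lan-ip>:631'"
        n=$((n + 1))
    fi

    # 2. 'Allow all' (or 'Allow from all') in any <Location> admits every source address.
    if grep -Eiq '^[[:space:]]*Allow[[:space:]]+(from[[:space:]]+)?all([[:space:]]|$)' "$conf"; then
        echo "FINDING: 'Allow all' present; use 'Allow @LOCAL' or an explicit subnet like 'Allow 192.168.1.*'"
        n=$((n + 1))
    fi

    # 3. DefaultEncryption defaults to Required; Never/IfRequested lets the admin
    #    password cross the network as plain HTTP basic auth.
    if grep -Eiq '^[[:space:]]*DefaultEncryption[[:space:]]+(Never|IfRequested)' "$conf"; then
        echo "FINDING: DefaultEncryption weakened; set 'DefaultEncryption Required'"
        n=$((n + 1))
    fi

    # 4. Same check scoped to the <Location /admin> block, where an override usually hides.
    if awk '
        tolower($1) == "<location" && tolower($2) ~ /^\/admin/ { in_admin = 1; next }
        tolower($1) == "</location>"                          { in_admin = 0 }
        in_admin && tolower($1) == "encryption" && tolower($2) != "required" { weak = 1 }
        END { exit weak ? 0 : 1 }' "$conf"; then
        echo "FINDING: <Location /admin> sets Encryption to something other than Required"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed sample configs for the demonstration (not the author's pastebin config).
OPEN_CONF=$(mktemp)
LAN_CONF=$(mktemp)
trap 'rm -f "$OPEN_CONF" "$LAN_CONF"' EXIT

# Wide open: every interface, every client, credentials allowed over plain http.
cat > "$OPEN_CONF" <<'EOF'
Port 631
DefaultEncryption IfRequested
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Encryption Never
  Order allow,deny
  Allow all
</Location>
EOF

# LAN only: 192.168.1.10 is an assumed server address, 192.168.1.* the home subnet.
cat > "$LAN_CONF" <<'EOF'
Listen 192.168.1.10:631
Listen /var/run/cups/cups.sock
DefaultEncryption Required
<Location />
  Order allow,deny
  Allow localhost
  Allow 192.168.1.*
</Location>
<Location /admin>
  Encryption Required
  Order allow,deny
  Allow localhost
  Allow 192.168.1.*
</Location>
EOF

for c in "$OPEN_CONF" "$LAN_CONF"; do
    echo "== auditing $c =="
    if cups_audit "$c"; then echo "clean"; else echo "findings: $?"; fi
done
```

The exit status is the number of findings, so it drops straight into a post-edit check such as `cups_audit /etc/cups/cupsd.conf || echo 'fix before restarting cups'`. `Allow @LOCAL` (any directly attached network) or an explicit `Allow 192.168.1.*` is what belongs in place of `all`. A wildcard `Listen` is not fatal on a host behind NAT, but binding the LAN address keeps a second NIC or the VPN interface on this same server from exposing the admin page by accident.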
Now, it’s time to install the printer! Administration - > Printers -> Add Printer ->Local Printer
In my case, it shows up as: HP Deskjet F4400 series (HP Deskjet F4400 series). Select it and click Next. Give it a name, description and location, tick 'Share This Printer' and click Continue. Select your driver; if it's not listed, search your server for the *.ppd file for your printer (this is what I had to do for the F4480; hplip ships its PPDs compressed as .ppd.gz). Decompress the PPD, copy it over to the machine you are browsing CUPS from, and upload it through the 'Provide a PPD File' field. Once this is done, click 'Add Printer'.
Tada! Now you have a shared network printer with cups.
From a Linux client, you can add the printer via its IPP address (in CUPS, click 'Printers' and click the printer; up in the address bar, copy the URL, swap the https:// scheme for ipp://, and use that when adding the printer). For Windows clients, if you have IPP set up in Windows (more on that in part 2/3), you can do the following (example is with Windows 7):
Start -> Devices and Printers -> Add Printer -> Add network printer ->The Printer I want isn’t listed -> Select a shared printer by name ->Copy/Paste the URL as above into this and click next.
For some people this may work (surf the net for ‘IPP printing in Windows 7’ to find out how you enable ipp printing in windows 7...can’t remember this off the top of my head). For me, and for whatever reason this didn’t work very well. So I opted to use samba in order to push windows drivers out to my connected clients. More on this in the next part.
Part 2 will cover Samba/Sane configurations with Cups for sharing your scanner and pushing out windows drivers.
Wednesday, June 2, 2010
Filter External Email with Gmail
BIS Filtering Functionality with Android Mobile
So, recently I saw the light and picked up an HTC Hero running Android 2.1. I love the thing, but I did run into one issue with it: work email. Before I ditched my Blackberry, I was able to use the BIS (Blackberry Internet Service) portal to filter my work email, thus receiving only specific messages (such as nagios alerts, important email from co-workers, etc). As I receive on average 600+ messages a day, this was a very critical feature. But when I went to the Android, I noticed that this feature was lacking. On the first night with my fancy new phone and all of my work email being sent to it, I thought the girlfriend was going to find an orifice of mine to place said phone, due to it going off every few minutes and waking her up. Well, there had to be a better solution than this, and there is! While surfing around the internet for a possible solution, I came across a blog post of a guy who filtered his Gmail account for specific emails; I just took it a step further.
What I did was use Gmail's 'Add POP3 Email account' feature to check my work email, then filter based on specific subjects/from/etc. Anything that did not match the filter criteria was automatically deleted without going to the Inbox first. This actually works pretty well, every so often an email will slip through the filter; but that's expected for the amount of email I receive on a daily basis. This not only works for Android type phones, but just about any phone that can receive gmail via the pop3 setting (I'll be testing this on a Palm here shortly). Thus mimicking the handy BIS filtering, and saving your phone from being launched in the air by a significant other who woke up to the message notification for the umpteenth time.
First things first, make sure you have a Gmail account. Yes, this sounds silly that I would mention it...but you never know. Everything else follows in quick steps, so follow along.
1. Log into Google mail
2. Select 'Settings' in Upper right-hand corner of the screen
3. Select ' Accounts and Import' Tab
4. Under 'Check mail using POP3' click the 'Add POP3 email account', a popup box will come up (make SURE you have enabled popups on your browser prior to doing this)
5. Enter the foreign email address (such as: user@somecompany.com) and click 'Next Step'
6. Enter the username, password, POP server, port number and (optionally) a label for incoming messages. The label is optional, but it's nice to see where the email came from. In this case, I labeled all incoming messages 'Work', so when I receive an email on my phone I can see whether it came from work or into my regular Gmail account. Tick 'Always use a secure connection (SSL) when retrieving mail' if your POP server supports it (normally port 995); otherwise your work password and every fetched message cross the Internet to Google in the clear each time it polls. Keep in mind that either way Google now holds your work mailbox password, so make sure that's acceptable where you work. (VALUABLE STEP: tick 'Leave a copy of retrieved message on the server'; if you don't, Gmail deletes each message from the work server after fetching it, and you won't be getting your regular email at user@somecompany.com with whatever mail client you use.)
7. Click 'Add Account'
8. Either select 'Yes, I want to be able to send mail as user@somecompany.com, or No. (for just receiving email, I used the No option, but that's up to you)
9. Click 'Next Step'
10. After the last step, Google will go out and fetch your POP3 email from user@somecompany.com. If this is successful, continue on. If it is not, make sure the settings for your POP3 account are configured properly (including your password).
Set Filters
Now that you are receiving your user@somecompany.com email, it's time to build a filter so that only specific senders make it to your phone; everything else gets dropped before it reaches the inbox.
1. Click 'Filters' Tab inside of Settings
2. click 'Create New Filter'
3. In the To: field, enter user@somecompany.com
4. Add a '-' in front of each sender you want to keep receiving, separated by commas. The '-' is Gmail's exclusion operator, so the filter matches every message addressed to user@somecompany.com except the ones from those senders.
ex: -nagios@somecompany.com,-myboss@somecompany.com
5. Click 'Test Search'. The results are the messages the filter will act on, so the senders you excluded with '-' should not show up; if one of them does, the filter would be deleting mail you want.
6. Click 'Next Step'
7. Select what to do with the mail the filter matches (everything that did not come from an excluded sender). In this case I chose 'Delete it' instead of 'Archive it'.
If you archive that mail instead, it can still be read in Gmail, but it won't go into your inbox.
8. Click on 'Also apply filter to xxx conversations below'
9. Click 'Create Filter'
What this feature does is the following:
1. Google checks user@somecompany.com's email.
2. Each message is put through the filter you set up. If the sender is one of the '-' (do not include) entries, the filter does not match and the message is delivered into your Gmail inbox with the label you attached to it in the previous steps.
3. If the sender is not one of those entries, the filter matches and the message is automatically deleted (or archived, however you set it up).
There you have it! BIS functionality with Gmail and the Android! As I said earlier, depending on the amount of email you receive, some emails might squeeze by.
But I'll take an extra email or two over 600 of them going to my device.