Category Archives: Security

I changed the password for my git repo and now it’s failing authentication on a pull

On my primary machine that’s always locked, I cache my password for some repos.  I just do.

So, after being forced to change the password to an (https!) repo, I tried a pull and got the failure below.  This doesn’t impact ssh public key authentication.

$ git pull
remote: Invalid username or password. If you log in via a third party service you must ensure you have an account password set in your account profile.
fatal: Authentication failed for 'https://bitbucket.org/me/repo/'

You have to reset your credential helper cache, like so:

$ git config --global credential.helper cache
$ git pull

Ah, now — prompted for username & password.  #verynice

Username for 'https://bitbucket.org': fakeusername_1
Password for 'https://fakeusername_1@bitbucket.org': 
remote: Counting objects: 11, done.
remote: Compressing objects: 100% (10/10), done.
....

And, scene.
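
To drop only the stale entry rather than re-pointing the helper, git's credential plumbing can be told to forget it. This is an added example, not part of the original post; the function names are made up for illustration, and the host and username are the placeholders used above.

```shell
#!/bin/sh
# Added example (not from the original post): forget one stale HTTPS credential.
# Function names are hypothetical; host/username are the placeholders used above.

# Show which credential helper(s) git will consult and which config file sets them.
show_credential_helpers() {
    git config --show-origin --get-all credential.helper ||
        echo "no credential helper configured"
}

# forget_https_credential HOST [USERNAME]
# Feeds a credential description to `git credential reject`, which asks every
# configured helper (cache, store, osxkeychain, ...) to erase the matching entry.
forget_https_credential() {
    host=$1
    user=${2:-}
    {
        printf 'protocol=https\n'
        printf 'host=%s\n' "$host"
        if [ -n "$user" ]; then
            printf 'username=%s\n' "$user"
        fi
        printf '\n'
    } | git credential reject
}

# Typical use after a forced password change:
#   show_credential_helpers
#   forget_https_credential bitbucket.org fakeusername_1
#   git pull                      # prompts again and saves the new password
# To flush everything held by the in-memory cache helper instead:
#   git credential-cache exit
```

If `show_credential_helpers` lists `store`, the password sits in plain text on disk, which is worth knowing before deciding to keep caching it.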

git clone config global reset author –what?

Ah, cloning a git repo again, for the first time.   Here’s me using bitbucket.org; it’s free for slackers like me.

OK, so first:

$ mkdir -p ~/git/bitbucketrepo

$ git init ~/git/bitbucketrepo

$ cd ~/git/bitbucketrepo

$ git clone https://full-address-as-seen-in-bitbucket

Cool, now I add a few scripts & am ready to ‘stage’ them with ‘add.’

$ git add .

Unfortunately, git on this machine will auto-assign an author name & email based on your login & some FQDN stuff.  I think we should change it.

$ git config --global user.name "Tom's Fedora 24 Workstation"
$ git config --global user.email tomblog@personalemail.email

Now, kick off a commit:

$ git commit -m "testing for blog"
[master 0e08355] testing for blog
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode ....

Now, time to ‘push’ it to bitbucket:

$ git push

AWW Crap, more stuff:

$ git push
warning: push.default is unset; its implicit value has changed in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the traditional behavior, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

When push.default is set to 'matching', git will push local branches
to the remote branches that already exist with the same name.

Since Git 2.0, Git defaults to the more conservative 'simple'
behavior, which only pushes the current branch to the corresponding
remote branch that 'git pull' uses to update the current branch.

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

Then you’re prompted for your password & everything works.

HOWEVER — for the next ‘push’ – let’s adapt for the ‘new behavior:’

$ git config --global push.default simple

Make a test file & test again:

$ echo "BLOG TEST" > new_stuff.txt
$ git add .
$ git commit -m "blog test"
[master xxx] blog test
 1 file changed, 2 insertions(+)
 create mode ....
$ git push
Password for 'https://.....
Counting objects: 5, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (4/4), done.

Looks good!

See you in a year when you need to do it again.

SUNNOVA … why doesn’t NOPASSWD work in /etc/sudoers in Fedora 24?

I’m used to just copy/pasting root & adding in my username, then tacking on NOPASSWD: ALL at the end, like so:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
tbizzle     ALL=(ALL)       NOPASSWD: ALL

Then, running a sudo command, I STILL had to enter the password:

[tbizzle@f24-mac ~]$ sudo date
[sudo] password for tbizzle: 
Tue Jun 28 01:11:55 EDT 2016

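CRAP.  That’s not what I wanted.

But NOW, it’s different.  sudo uses the last entry in /etc/sudoers that matches you, so a later %wheel line overrides an entry sitting up by root if you’re in wheel.  The “fix” was to add the entry AFTER wheel for it to work: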

[tbizzle@f24-mac ~]$ sudo grep -A4 -B4 bizzle /etc/sudoers | grep -A4 -B4 NOPASS
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
tbizzle     ALL=(ALL) NOPASSWD: ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

and now:

[tbizzle@f24-mac ~]$ sudo date
Tue Jun 28 01:10:26 EDT 2016

Hope it helps
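
The ordering effect above can be reproduced without touching a live sudoers file. This is an added example, not part of the original post: a simplified last-match evaluator run over two constructed snippets, assuming tbizzle is a member of wheel and that every rule is a plain one-line entry. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): why entry order matters in sudoers.
# sudo applies the LAST entry that matches the user, so a later %wheel line
# overrides an earlier per-user NOPASSWD line.
# Assumptions: tbizzle is a member of wheel; rules are simple one-line entries.

# effective_sudo_rule USER GROUPS_CSV   (sudoers text on stdin)
# Prints "<NOPASSWD|PASSWD> <matching first field>" for the last matching entry.
effective_sudo_rule() {
    awk -v user="$1" -v grps="$2" '
        BEGIN {
            n = split(grps, g, ",")
            for (i = 1; i <= n; i++) member["%" g[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $1 == user || ($1 in member) {
            who = $1
            tag = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        }
        END { if (who != "") print tag, who; else print "NO-MATCH" }
    '
}

# Constructed sample: the entry pasted under root, ahead of the wheel rule.
sudoers_before() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
tbizzle ALL=(ALL)       NOPASSWD: ALL
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
EOF
}

# Constructed sample: the same entry moved below the wheel rule.
sudoers_after() {
    cat <<'EOF'
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
tbizzle ALL=(ALL)       NOPASSWD: ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
}

printf 'before: %s\n' "$(sudoers_before | effective_sudo_rule tbizzle wheel)"
printf 'after:  %s\n' "$(sudoers_after | effective_sudo_rule tbizzle wheel)"
```

On a live system, `sudo -l -U tbizzle` shows what sudo itself resolves, and `visudo -c` checks the file's syntax after an edit.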

HOWTO: Linksys – EA9500 / AC5400 & hosting your own Websites

I have an EA9500 Smart Router and when I activated this and turned my ASUS RT-N66U into an Access Point, I found myself unable to access the websites I hosted myself.

Well, for Linksys, there’s an enabled FEATURE that stops this from working properly, aka breaks NAT loopback.

Here’s the symptom.

On the network at home, you can’t get to your website.

Pop over to your phone / LTE – there’s your site.

HOWTO: firewalld – allowing individual host access

So, you’re rolling out a new webserver and want only certain people to take a look at the content? Here’s how you do it.
CentOS 7.2 is the OS being used.

What zone are you in?
[root@blog-test ~]# firewall-cmd --get-default-zone
public

OK, let’s make a new zone:

firewall-cmd --permanent --new-zone=blog
systemctl reload firewalld

Now, let’s add your IP & a friend’s IP to start testing … given you’re using apache & it’s still on port 80:

firewall-cmd --permanent --zone=blog --add-source=YOUR_IP/32
firewall-cmd --permanent --zone=blog --add-source=FRIENDS_IP/32
firewall-cmd --permanent --zone=blog --add-port=80/tcp

NOTE:  If you are using that port in another zone, remove it from that other zone first, because it can’t be in 2 zones at once.

That’s all there is. Move along now.

Schedule A Whitespace Secure-Erase

Caution – if you screw this up, you’ll lose everything.


OK, now that that’s out of the way — let’s say that I’ve determined that I’d like to run zeroes across the whitespace on my HDD weekly.

On my MacPro4,1, I’m running OS X 10.6.7 & found an easy way to do it.  My account has Admin privileges, so there’s no ‘sudo’, or password required.

I didn’t want to dive into Apple Script, so I fired up SecureCRT and used the bash shell to whip up a simple command-line execution of the ‘diskutil’ app. So, without further ado, here’s the simple script (made u+x) in my home directory /Users/otech, called wipewhite.sh

#!/bin/bash

diskutil secureErase freespace 0 /Volumes/Test_HDD

Yeah. Simple. Oh Yeah – note the word ‘freespace’ above – über important.

Then, I added it into CRON (crontab -e), to be run on Friday nights (or early AM) at 0300.

0 3 * * 5 /Users/otech/wipewhite.sh

So, here’s the breakdown of the diskutil commands that I’ve selected:

diskutil <verb> <options>

‘secureErase’ – (verb) with (option) ‘freespace’ and (option) ‘0’ to the path of the Volume: /Volumes/Test_HDD (yours is different):

secureErase: Securely erase a disk or freespace on a volume
freespace: Tells it to just erase the freespace on a volume, NOT the disk
Level:
  0 – Single-pass zeros
  1 – Single-pass random numbers
  2 – US DoD 7-pass secure erase
  3 – Gutmann algorithm 35-pass secure erase
  4 – US DoE 3-pass secure erase

Now, yes – 0 is pretty weak and I could have selected one of the other options, but I didn’t.  For a 750GB WD Black drive, it took somewhere around 3.5 hours.  I wonder how long Level 2 will take.