The ssh-agent in SecureCRT is rather interesting

By chance I noticed that ssh from a virtual machine on one of my computers could connect directly to another server of mine,

even though I had never configured an ssh key inside that VM. From my other computer it did not work.

How was it getting in?

ssh -v showed this:

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Offering public key:

debug1: Server accepts key: pkalg ssh-rsa blen 279

debug1: Authentication succeeded (publickey).

On the computer that could not connect, the output looked like this:

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Trying private key: /home/swigger/.ssh/id_rsa

debug1: Trying private key: /home/swigger/.ssh/id_dsa

debug1: Trying private key: /home/swigger/.ssh/id_ecdsa

debug1: Next authentication method: password

Clearly the empty "Offering public key:" line was the most suspicious. Looking at the ssh source, that line is supposed to print a filename, but here it printed an empty string. A bit more digging through the code showed that this identity had no filename because it was not loaded from a file at all: it came from something called the agent.

So I looked into ssh-agent and traced where the agent's data came from, following the unix socket back to the relevant sshd process.

That led to the relevant information. It turns out:

SecureCRT supports SSH agent forwarding, but it has to be switched on under SSH2 in Global Options.

Once it is on, whenever public-key login is enabled for some server, SecureCRT records the corresponding key in its agent.

Through the agent protocol SecureCRT then hands that key to any ssh, scp, etc. running inside the session, so a VM with nothing configured at all could log straight into my target server.

But I enabled public-key login for server A, and server B (the VM) also has the agent entry for that key. Is that a bug or a feature?
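The tell-tale sign above is the empty filename after "Offering public key:", which is what an agent-supplied identity looks like in an old-format ssh -v transcript. As an added example (not code from the post), here is a small Python parser that runs over the two transcripts quoted above, reconstructed inline as constructed samples, and reports whether a successful publickey login used an identity that came from an agent rather than from a key file. The regular expressions and function names are mine. The same check matters from the defender's side: a forwarded agent means whoever holds root on the intermediate host can use your keys while the session is open, so on that host `ssh-add -l` shows exactly which identities are exposed, and `ForwardAgent no` in ssh_config (or the corresponding SecureCRT option) stops the forwarding.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: the two ssh -v transcripts from the post, trimmed to the debug1 lines that matter.
AGENT_SESSION = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key:
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

FILE_SESSION = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/swigger/.ssh/id_rsa
debug1: Trying private key: /home/swigger/.ssh/id_dsa
debug1: Trying private key: /home/swigger/.ssh/id_ecdsa
debug1: Next authentication method: password
"""


@dataclass
class AuthSummary:
    method: Optional[str] = None          # method named in "Authentication succeeded (...)", if any
    agent_key_offered: bool = False       # an identity with no filename was offered
    offered: List[str] = field(default_factory=list)      # filenames after "Offering ... public key:"
    files_tried: List[str] = field(default_factory=list)  # paths after "Trying private key:"


# Old-format OpenSSH lines: "Offering public key: <file>" or "Offering RSA public key: <file>".
OFFER_RE = re.compile(r"^debug1: Offering (?:RSA |DSA |ECDSA |ED25519 )?public key:\s*(.*)$")
TRY_RE = re.compile(r"^debug1: Trying private key:\s*(\S+)")
SUCCESS_RE = re.compile(r"^debug1: Authentication succeeded \((\w+)\)")


def summarize(transcript: str) -> AuthSummary:
    """Walk a client-side ssh -v transcript and record how the publickey method proceeded."""
    s = AuthSummary()
    for line in transcript.splitlines():
        line = line.rstrip()
        m = OFFER_RE.match(line)
        if m:
            name = m.group(1).strip()
            s.offered.append(name)
            # ssh prints the identity's filename here; an identity that arrived over the
            # agent socket (SSH_AUTH_SOCK) has no filename, so the field is empty.
            if not name:
                s.agent_key_offered = True
            continue
        m = TRY_RE.match(line)
        if m:
            s.files_tried.append(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            s.method = m.group(1)
    return s


def forwarded_agent_used(transcript: str) -> bool:
    """True when the login succeeded by publickey with an identity that came from an agent."""
    s = summarize(transcript)
    return s.method == "publickey" and s.agent_key_offered
```

The parser is tied to the log format shown on this page; newer OpenSSH releases print the key type, fingerprint and the word "agent" on the "Offering public key:" line, so the empty-filename heuristic would have to be replaced by a check for that marker.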

Posted in Software

Damn Hostmonster lost all my files

Hostmonster wiped my entire www directory; every attachment is gone. Fortunately the database survived, so the posts are still there.

Extremely annoying. It disappeared around February 19; I noticed on the 23rd.

HM keeps three automatic backups: monthly, weekly and daily. But the monthly backup ran on the 20th, the weekly one on the 21st and the daily one on the 22nd, so none of the three contained my files. What a crap backup strategy.

Beyond being angry there seemed to be nothing to do. Sue them? I don't have the energy for that across the ocean, so the only thing I did was send an email saying "I will never trust you" and ask for a refund. The refund was actually quite quick; two or three emails back and forth settled it.

Moved to photonVPS; I plan to move to yardVPS once they have stock. No more shared hosting, straight to a VPS. Backups are now my own job, though.

Posted in Old and Angry | 1 comment

enable x11 forwarding on debian

When I tried to forward X11 to my Windows machine through SecureCRT, I found that the DISPLAY variable was not set, and X11 forwarding did not work even when I set DISPLAY manually. I googled and finally solved the problem:

xauth needs to be installed:

apt-get install xauth

sshd_config may also need "AllowTcpForwarding yes"?? Not sure.

Posted in linux

build gcc 4.3 on debian lenny to allow utf-8 with bom source files.

As far as I know, gcc accepts UTF-8 files with a BOM from version 4.4.

On some machines people run a stable Linux distribution such as Debian lenny, which only has gcc 4.3.

Yes, we could build a whole new gcc to run on lenny. However, binaries built by that new gcc would not run on other machines.

One idea is to build gcc 4.3 with BOM support; there is a patch for this at http://gcc.gnu.org/ml/gcc-patches/2008-04/msg01371.html .

So the work can be done in these steps:

[code]

##download the patch to ~/bom.patch
apt-get source gcc-4.3
cd gcc-4.3-4.3.2
debian/rules unpack
cd src/libcpp
patch -p1 < ~/bom.patch
##back to the package root; configure in a build dir next to src
cd ../..
mkdir -p build
cd build
##from gcc -v
../src/configure -v --with-pkgversion='Debian 4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-cld --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
make

[/code]

After that, replace /usr/lib/gcc/i486-linux-gnu/4.3/cc1plus and /usr/lib/gcc/i486-linux-gnu/4.3/cc1 with the ones just built in the 'build/gcc' directory. Don't run make install, to keep the system clean.

Posted in linux
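The alternative to patching the compiler is to find the BOMs before gcc 4.3 sees them. As an added example (not from the post), here is a small Python helper, with names and the sample tree of my own making, that reports source files starting with the UTF-8 BOM, strips it, and also finds BOMs that are not at the start of a file; those stay invisible in most editors but are stray bytes to any gcc when they land outside a comment or string literal.

```python
from typing import Dict, List

UTF8_BOM = b"\xef\xbb\xbf"


def has_utf8_bom(data: bytes) -> bool:
    """True when the file starts with the UTF-8 byte order mark that gcc 4.3 rejects."""
    return data.startswith(UTF8_BOM)


def strip_utf8_bom(data: bytes) -> bytes:
    """Drop a leading BOM, which is what a BOM-aware gcc (4.4 or the patched 4.3) does when reading the file."""
    return data[len(UTF8_BOM):] if has_utf8_bom(data) else data


def stray_bom_offsets(data: bytes) -> List[int]:
    """Offsets of BOM byte sequences that are NOT at offset 0 (e.g. pasted mid-file by an editor)."""
    offsets: List[int] = []
    pos = data.find(UTF8_BOM)
    while pos != -1:
        if pos != 0:
            offsets.append(pos)
        pos = data.find(UTF8_BOM, pos + 1)
    return offsets


def scan_sources(files: Dict[str, bytes]) -> List[str]:
    """files maps path -> contents (stand-in for walking a tree). Returns the paths with a leading BOM."""
    return sorted(path for path, blob in files.items() if has_utf8_bom(blob))


# Constructed sample tree: one file with a leading BOM, one clean, one with a BOM in the middle.
SAMPLE_TREE: Dict[str, bytes] = {
    "main.c": UTF8_BOM + b"int main(void) { return 0; }\n",
    "util.c": b"int x;\n",
    "bad.c": b"int y;\n" + UTF8_BOM + b"int z;\n",
}
```

Running `scan_sources` over a real checkout (reading each file as bytes) and feeding the hits through `strip_utf8_bom` in a pre-build step keeps the stock Debian compiler in place, which is the cleaner option when the patched cc1/cc1plus cannot be distributed to every build machine.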

Modifying the VS2010 compiler to support u8"string" literals

VS has fairly complete Unicode support: since 2005 (or earlier?) it has accepted UTF-8 source files, and you can even use Chinese for variable and function names (possible, but not recommended).

One thing is infuriating, though: even when the source file is UTF-8, the compiler converts it to the host code page at compile time. So on a Chinese code page, a UTF-8 source file containing the following still fails to compile cleanly:

const char * test = "®";
tt.cpp(10) : warning C4566: character represented by universal-character-name '\u00AE' cannot be represented in the current code page (936)

The C++0x draft has u8"string literal" strings; if those could be used the problem would be solved, but unfortunately VS2010 does not support the u8 prefix (nor u and U). Since what Windows calls Unicode is UTF-16 LE, L"string" in VC is effectively u"string".

So how can VC be made to support u8? A macro plus a class that converts the string at run time is feasible but a compromise. Its biggest problem is that you still cannot write "®" in the code: the compile-time conversion to the Chinese code page already fails and produces '?', and converting that to UTF-8 at run time still yields '?'.

Of course you can write L"®", and then the u8 helper can be written as:

string to_utf8(const wchar_t*);
// the pointer from c_str() belongs to a temporary and is only valid until the end of the full expression
#define U8(string)  to_utf8(string).c_str()

and at the point of use:

U8(L"®");

This basically works but adds run-time cost, and the L strings are larger too. The macro could be changed so that you need not write L, inserting it after preprocessing instead, but that brings extra restrictions (think of U8("hello" "world")).

Can the compiler be hacked to add u8 support? After some research I found a lead.

First, the main compilation code of the VC compiler is in c1xx.dll; the x86 version lives at C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\c1xx.dll. Happily, Microsoft ships its PDB, which makes analysing its behaviour much simpler.

It turns out that VC does macro expansion, tokenisation and syntax-tree construction in a single pass.

At the key function

4F4C9430 GetTokenFromCurrentChar

there is a loop that reads the parsed content from a global variable and builds a token. What we have to do is hook that process: if the current token has the form u8"string", process the string once and convert it into the octal-escape representation.

After a hard fight it worked. The result:

tt.cpp:

#define U8(str) u8##str
#define U16(str) L##str

int main()
{
    U8("哈");
    u8"哈";
    return 0;
}

D:\temp>cl /E tt.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

tt.cpp
#line 1 "tt.cpp"
int main()
{

"\345\223\210";
"\345\223\210";
return 0;
}

The method used:

Rename the original c1xx.dll to c1xx_.dll and write a fake c1xx.dll that forwards every exported function to c1xx_.dll. Then, at the start of the loop in GetTokenFromCurrentChar:

4F4C943E  8B3D 046C644F    MOV EDI,DWORD PTR DS:[Current_char]

overwrite that instruction with a call into my own function, which checks whether the string needs replacing. After patching it reads:

4F4C943E  E8 4D7EB60E      CALL c1xx.asmReplCurCode
4F4C9443  90               NOP

The called function looks like this:
// naked: no prologue/epilogue, so the stack is exactly as the patched CALL left it
__declspec(naked) void asmReplCurCode()
{
    __asm
    {
        pushad;                    // preserve every register for the lexer
        call ReplCurCode;          // the C++ hook
        popad;
        mov edi, [ptrCurChar];     // redo the MOV EDI,[Current_char] we overwrote
        mov edi, [edi];
        ret;                       // back to the instruction after the NOP
    }
}
That is, a small assembly wrapper that calls the C++ function, then performs the work of the overwritten instruction, and returns.

ReplCurCode looks like this:

#include <windows.h>   // MAXLONG
#include <cctype>
#include <cstring>
#include <string>
using std::string;

// Globals of the hack DLL (their definitions are not shown in this post):
//   ptrCurChar - address of the "current char" pointer inside c1xx.dll, located via the PDB
//   match      - end of the substituted text; when the lexer reaches it, switch back
//   replace    - where to resume in the original source after the substitution
//   g_pred     - set once the marker macro has been injected
extern const char ** ptrCurChar;
extern const char * match;
extern const char * replace;
extern int g_pred;

// Helpers from the hack DLL, not shown in the post: decode/encode a string-literal body
// and keep generated text alive in a pool for as long as the lexer reads it.
namespace TextProcess {
    size_t unescape(const char * src, size_t maxlen, string & out);
    string escape(const char * src, size_t len);
}
string & getPool(const string & text, const char * where);

void ReplCurCode()
{
    if (g_pred == 0)
    {
        g_pred = 1;
        char ch = **ptrCurChar;
        //note: in creating/using precompiled header mode, don't insert this code since it had been done before.
        if (ch == '\r' || ch == '\n')
        {
            // inject a marker macro once, so source can test whether the hacked compiler is in use
            replace = *ptrCurChar;
            const char * scode = "\r\n#define __bultin_u8 1\r\n1\r\n";
            match = scode + strlen(scode) - 3;
            *ptrCurChar = scode;
            return;
        }
    }

    // the lexer has consumed our substituted text: hand the original source back
    if (*ptrCurChar == match)
    {
        *ptrCurChar = replace;
        match = 0;
        replace = 0;
    }

    const char * src = *ptrCurChar;
    if (src[0] == '#' && src[1] == 'd')
    {
        int ff = 0;   // breakpoint anchor left over from debugging
        (void)ff;
    }

    // keep the leading whitespace so the lexer's position tracking is unchanged
    string prefix;
    while (isspace((unsigned char)(src[0])))
    {
        prefix += src[0];
        ++src;
    }

    if (src[0] == 'u' && src[1] == '8' && src[2] == '"')
    {
        //so this is a U8 str: decode its escapes, re-encode the UTF-8 bytes as octal
        //escapes, and point the lexer at the generated plain "..." literal instead
        string sb;
        size_t sz = TextProcess::unescape(src + 3, MAXLONG, sb);
        if (src[sz + 3] == '"')
        {
            string st = TextProcess::escape(sb.c_str(), sb.length());
            string & codestr = getPool(prefix + st, src);
            match   = codestr.c_str() + codestr.length();
            replace = src + sz + 4;
            *ptrCurChar = codestr.c_str();
        }
    }
}

On the first pass a macro definition is inserted, so code can tell whether it is being compiled by the modified compiler with u8 support. ptrCurChar is the address of a global variable inside Microsoft's c1xx.dll; through it we know what code is about to be parsed, and once that has been processed we replace it, so that

u8"哈"

has become "\345\223\210" by the time Microsoft's cl.exe interprets it. Naturally, the next time we get here we check whether my substituted string has been fully consumed; if so, we switch back to the original content, skipping over the u8"哈" string.

That is: if(*ptrCurChar == match) *ptrCurChar = replace;

After this treatment VS2010 supports u8"string" perfectly. It is only suitable for small-scale use or tools written for yourself, though; large teams had better wait for Microsoft's next VS, which may genuinely support u8"literal string".
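The core of the hack is the text transformation, independent of the DLL patching: take the body of a u8"..." literal, resolve its escapes, UTF-8-encode it, and write the bytes back as octal escapes so the compiler never has to convert through the host code page. As an added example, not the post's code, here is that transformation in Python as a stand-alone source rewriter, with function names and regular expressions of my own. It goes slightly beyond the post's single case by handling escape sequences inside the literal, and it shows why the post chose octal: an octal escape is capped at three digits, so a digit that follows it is never absorbed, which is not true of \xHH.

```python
import re

# Escapes a string-literal body may contain (the subset this demo understands).
_SIMPLE = {"n": b"\n", "t": b"\t", "r": b"\r", "a": b"\a", "b": b"\b", "f": b"\f", "v": b"\v",
           "\\": b"\\", '"': b'"', "'": b"'", "?": b"?"}


def unescape_body(body: str) -> bytes:
    """Bytes denoted by the text between the quotes of a u8"..." literal:
    plain characters as UTF-8, escape sequences as the bytes they name."""
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        esc = body[i + 1]
        if esc == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", body[i + 2:])   # one byte per \x escape in this tool
            out.append(int(m.group(0), 16))
            i += 2 + len(m.group(0))
        elif esc in "01234567":
            m = re.match(r"[0-7]{1,3}", body[i + 1:])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
        else:
            out += _SIMPLE[esc]
            i += 2
    return bytes(out)


def octal_literal(data: bytes) -> str:
    """Emit data as a plain "..." literal; every non-printable or non-ASCII byte becomes \\ooo,
    which any compiler accepts regardless of its current code page."""
    out = []
    for b in data:
        if b == 0x22:                 # "
            out.append('\\"')
        elif b == 0x5C:               # backslash
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:        # printable ASCII passes through unchanged
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)  # always three octal digits
    return '"' + "".join(out) + '"'


# u8"..." not glued to a preceding identifier character; body may contain escaped quotes.
_U8_LITERAL = re.compile(r'(?<![A-Za-z0-9_])u8"((?:[^"\\\n]|\\.)*)"')


def rewrite_u8_literals(source: str) -> str:
    """Replace every u8"..." literal in source with its octal-escaped plain literal."""
    return _U8_LITERAL.sub(lambda m: octal_literal(unescape_body(m.group(1))), source)
```

On the post's own input, `rewrite_u8_literals('u8"哈";')` produces the same `"\345\223\210";` that the patched cl /E printed. The rewriter does not know about comments or ordinary string literals that happen to contain the text u8", so it is a demonstration of the encoding step, not a replacement for the lexer hook.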

And it's not only u8 literal strings: modifying the compiler this way makes some even more interesting things possible.

Download: hack_c1xx.dll

Only for the original c1xx.dll with MD5 D05630986B03CBB28CD4D8E1BDD65831.

Rename the original c1xx.dll to c1xx_.dll, then rename hack_c1xx.dll to c1xx.dll.

Posted in Development, Cracking

Test unsigned drivers in windows vista/7 x64

How to Disable Signature Enforcement during Development

During the early stages of development, developers can disable enforcement in Windows so that driver signing is not necessary. The following options are available for developers to disable kernel mode code signing enforcement temporarily so that Windows Vista will load an unsigned driver.

  • Attaching a kernel debugger. Attaching an active kernel debugger to the target computer disables the enforcement of kernel mode signatures in Windows Vista and allows the driver to load.
  • Using the F8 option. An F8 Advanced Boot Option introduced with Windows Vista—“Disable Driver Signature Enforcement”—is available to disable the kernel-signing enforcement only for the current boot session. This setting does not persist across boot sessions.
  • Setting the boot configuration. A boot configuration setting is available in the Windows Vista Beta2 release that disables the enforcement of kernel mode signatures to be persisted across boot sessions.

bcdedit /copy {current} /d "test_driver"
set GUID={guid-returned-by-previous-command}
bcdedit /set %GUID% loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit /set %GUID% testsigning on
bcdedit /set %GUID% nointegritychecks ON

Posted in Development

rebuild debian kernel.

apt-get install linux-source-2.6  libncurses5-dev

tar -xjf /usr/src/linux-source-2.6.32.tar.bz2

cd linux-source-2.6.32

make menuconfig

make KDEB_PKGVERSION=my1.0 deb-pkg

... to be continued ...

Posted in linux

Compiling a first Objective-C program on Debian Linux

First, install the required packages:

apt-get install gcc gobjc g++ gnustep libgnustep-gui-dev

Then write a hello.m file.

Even hello.m is copied from somewhere, haha. The program:

#import <Foundation/Foundation.h>

@interface HelloWorld : NSObject
- (void) hello;
@end

@implementation HelloWorld
- (void) hello {
    NSLog(@"hello world!");
}
@end

int main(void) {
    HelloWorld *hw = [[HelloWorld alloc] init];
    [hw hello];
    [hw release];
    return 0;
}

Then compile.

Compile to a .o file:

gcc -fconstant-string-class=NSConstantString -I /usr/include/GNUstep/ -c hello.m

Link:

gcc hello.o -o hello -lgnustep-base

A convenient setting:

Add one line to .bashrc:

alias objcc='gcc -fconstant-string-class=NSConstantString -I /usr/include/GNUstep/ -lgnustep-base'

The commands above then simplify to:

objcc -o hello hello.m

Run:

$ ./hello

2010-08-12 01:03:23.930 hello[1642] hello world!

Posted in Development

virtualbox port forwarding

copied from the manual….

As the virtual machine is connected to a private network internal to VirtualBox and invisible to the host, network services on the guest are not accessible to the host machine or to other computers on the same network. However, like a physical router, VirtualBox can make selected services available to the world outside the guest through port forwarding. This means that VirtualBox listens to certain ports on the host and resends all packets which arrive there to the guest, on the same or a different port.

To an application on the host or other physical (or virtual) machines on the network, it looks as though the service being proxied is actually running on the host. This also means that you cannot run the same service on the same ports on the host. However, you still gain the advantages of running the service in a virtual machine — for example, services on the host machine or on other virtual machines cannot be compromised or crashed by a vulnerability or a bug in the service, and the service can run in a different operating system than the host system.

You can set up a guest service which you wish to proxy using the command line tool VBoxManage; for details, please refer to the section called “VBoxManage modifyvm”.

You will need to know which ports on the guest the service uses and to decide which ports to use on the host (often but not always you will want to use the same ports on the guest and on the host). You can use any ports on the host which are not already in use by a service. For example, to set up incoming NAT connections to an ssh server in the guest, use the following command:

VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"

With the above example, all TCP traffic arriving on port 2222 on any host interface will be forwarded to port 22 in the guest. The protocol name tcp is a mandatory attribute defining which protocol should be used for forwarding (udp could also be used). The name guestssh is purely descriptive and will be auto-generated if omitted. The number after --natpf denotes the network card, like in other parts of VBoxManage.

To remove this forwarding rule again, use the following command:

VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"

If for some reason the guest uses a static assigned IP address not leased from the built-in DHCP server, it is required to specify the guest IP when registering the forwarding rule:

VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"

This example is identical to the previous one, except that the NAT engine is being told that the guest can be found at the 10.0.2.19 address.

To forward all incoming traffic from a specific host interface to the guest, specify the IP of that host interface like this:

VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"

This forwards all TCP traffic arriving on the localhost interface (127.0.0.1) via port 2222 to port 22 in the guest.

It is not possible to configure incoming NAT connections while the VM is running. However, you can change the settings for a VM which is currently saved (or powered off at a snapshot).
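The six-field rule string is compact enough that the exposure it creates is easy to overlook: an empty host IP, as in the first example, makes the guest service reachable from every host interface, not just localhost. As an added example (not from the manual or from VirtualBox), here is a Python parser for the `--natpf` rule format with the validation VBoxManage itself performs implicitly (six fields, tcp or udp, ports in range) and an `exposure` helper that labels each rule by where it binds. The names are mine; the sample rules are the three from the manual text above.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NatPfRule:
    name: str
    proto: str
    host_ip: str      # "" = bind on every host interface
    host_port: int
    guest_ip: str     # "" = the address the built-in DHCP server leased to the guest
    guest_port: int


def _port(text: str) -> int:
    n = int(text)                 # raises ValueError for an empty or non-numeric field
    if not 1 <= n <= 65535:
        raise ValueError("port out of range: %s" % text)
    return n


def parse_natpf(rule: str) -> NatPfRule:
    """Parse the rule string VBoxManage takes: name,proto,hostip,hostport,guestip,guestport."""
    parts = [p.strip() for p in rule.split(",")]
    if len(parts) != 6:
        raise ValueError("expected 6 comma-separated fields, got %d" % len(parts))
    name, proto, host_ip, host_port, guest_ip, guest_port = parts
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp, got %r" % proto)
    return NatPfRule(name, proto, host_ip, _port(host_port), guest_ip, _port(guest_port))


def is_valid_natpf(rule: str) -> bool:
    """Convenience wrapper: does the rule string parse?"""
    try:
        parse_natpf(rule)
        return True
    except ValueError:
        return False


def exposure(rule: NatPfRule) -> str:
    """Describe where the proxied guest service becomes reachable from."""
    if rule.host_ip == "":
        return "all host interfaces"
    if rule.host_ip.startswith("127."):
        return "localhost only"
    return "host interface %s" % rule.host_ip


def audit(rules: List[str]) -> List[Tuple[str, int, str]]:
    """(name, host port, exposure) per rule, so the widely exposed ones stand out in a review."""
    return [(r.name, r.host_port, exposure(r)) for r in map(parse_natpf, rules)]


# Constructed list reusing the three rule strings from the manual text above.
SAMPLE_RULES = [
    "guestssh,tcp,,2222,,22",
    "guestssh,tcp,,2222,10.0.2.19,22",
    "guestssh,tcp,127.0.0.1,2222,,22",
]
```

For a development VM that only you need to reach, the third form (bound to 127.0.0.1) is the one to prefer; the first two publish the guest's sshd on every address the host has, including any it gets on an untrusted network.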

Posted in Software usage

Configuring IPsec/L2TP with a PSK on Debian Linux

PSK = what Windows calls a pre-shared key.

More than a day of fiddling; here is a summary. In a word: damn!

PPTP is fairly simple to set up; a couple of attempts and it worked. There are fewer articles on configuring L2TP, and most make it sound easy. In fact, if the environment cooperates it does not take this long, it's just that.....

First, the steps I ended up with (test environment: Debian 192.168.163.133, XP 192.168.1.200, both in VMs):

Edit /etc/sysctl.conf to enable IPv4 forwarding, then apply it:
sysctl -p

Install the components:
apt-get install pptpd l2tpd openswan ipsec-tools

Edit /etc/ipsec.secrets and set the PSK:
192.168.163.133  %any: PSK "12345678"

Edit ipsec.conf:

Copy the two conn sections from /etc/ipsec.d/examples/l2tp-psk.conf

and change:

gateway
....
rightprotoport=17/%any

Edit /etc/xl2tp/xl2tp.conf:

[global]
port = 1701
[lns default]
ip range = 192.168.254.20-192.168.254.255
local ip = 192.168.254.2
require chap = yes
refuse pap = yes
require authentication = yes
name = pandora
pppoptfile = /etc/ppp/options.l2tpd.lns
flow bit = yes

Create /etc/ppp/options.l2tpd.lns:

ms-dns 8.8.8.8
ms-dns 208.67.222.222

Restart the services. That is actually all that is needed when things go smoothly.
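Two of the settings above decide how much an attacker who can reach UDP 500/1701 gets for free: the PSK in ipsec.secrets (the post's "12345678" is trivially guessable, and with IKE aggressive-mode or a captured exchange a PSK is checked offline) and the LNS options that keep PAP refused and authentication mandatory. As an added example, not from the post, here is a Python checker that lints both fragments as written above; the function names, the 20-character minimum and the strong replacement PSK are my own constructed choices, not Openswan or xl2tpd requirements.

```python
import configparser
import re
from typing import List

# Constructed copies of the post's fragments. The first line uses the post's own PSK.
IPSEC_SECRETS_WEAK = '192.168.163.133  %any: PSK "12345678"\n'
# Same line with a constructed 36-character mixed-class PSK in place of the weak one.
IPSEC_SECRETS_OK = '192.168.163.133  %any: PSK "c0nstructed-Example-PSK-4kP9vQ2mZ7xT"\n'

XL2TPD_CONF = """\
[global]
port = 1701
[lns default]
ip range = 192.168.254.20-192.168.254.255
local ip = 192.168.254.2
require chap = yes
refuse pap = yes
require authentication = yes
name = pandora
pppoptfile = /etc/ppp/options.l2tpd.lns
flow bit = yes
"""

# left-id  right-id : PSK "secret"
PSK_LINE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')
MIN_PSK_LEN = 20   # assumed policy threshold for this checker
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def psk_findings(secrets_text: str) -> List[str]:
    """Lint every PSK line of an ipsec.secrets file: flag short or single-class secrets."""
    findings: List[str] = []
    for lineno, line in enumerate(secrets_text.splitlines(), 1):
        m = PSK_LINE.match(line)
        if not m:
            continue
        psk = m.group(3)
        if len(psk) < MIN_PSK_LEN:
            findings.append("line %d: PSK is only %d characters" % (lineno, len(psk)))
        classes = sum(bool(re.search(p, psk)) for p in CLASSES)
        if classes < 3:
            findings.append("line %d: PSK uses only %d character class(es)" % (lineno, classes))
    return findings


# LNS options that must stay as in the post: no PAP, CHAP required, authentication mandatory.
REQUIRED_LNS = {"require chap": "yes", "refuse pap": "yes", "require authentication": "yes"}


def lns_findings(conf_text: str, section: str = "lns default") -> List[str]:
    """Parse the ini-style xl2tpd config and report LNS options that weaken authentication."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section(section):
        return ["missing [%s] section" % section]
    findings: List[str] = []
    for key, want in REQUIRED_LNS.items():
        got = cp.get(section, key, fallback=None)
        if got is None:
            findings.append("%s: '%s' is not set (expected %s)" % (section, key, want))
        elif got.strip().lower() != want:
            findings.append("%s: '%s' is %s (expected %s)" % (section, key, got.strip(), want))
    return findings
```

Run both functions over the real /etc/ipsec.secrets and xl2tpd config before restarting the services; an empty list from each means the PSK meets the assumed policy and the LNS section still refuses PAP and requires authentication.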

But it took me more than a day! Because...

The line rightprotoport=17/%any defaults to rightprotoport=17/0.

With the default it errors out and nothing connects. It took ages to think of changing this line; changing it to %any still did not work; changing it to 17/1701 finally worked.

Moving to the production environment, it failed again. tcpdump eventually showed that with 17/1701, only clients with a public IP can connect!

More precisely, it is not about having a public IP as such: the server's packets have to be sent back to port 1701 of the source IP, and only if that is reachable can the connection succeed. That is why the two VMs on the same subnet in the test environment could connect.

In production, a client with a public IP, not dialled in through my home router, could connect; from inside a NATed LAN it could not. So 17/1701 is too impractical, but %any and 0 did not work either.

I verified this behaviour on both the Debian test box and the Ubuntu production box.

After changing the configuration and looking at the error output, the message was:

control_finish: Peer requested tunnel 56 twice, ignoring second one.

Searching for that error turns up plenty of fellow sufferers but basically no conclusion, for example this one: http://bbs.chinaunix.net/viewthread.php?action=printable&tid=1422551

Why? I had to suspect a BUG. apt-get remove openswan, download the latest release, build and install. 17/%any works. In other words:

openswan 2.6.23+dfsg-1 as packaged by Debian and Ubuntu has a serious bug: rightprotoport=17/0 and rightprotoport=17/%any do not work!

The vast majority of the time went into fighting this. And even with the latest openswan 2.6.25, rightprotoport=17/0 still does not work; only 17/%any does.

Other problems showed up along the way. While configuring /etc/ppp/options.l2tpd.lns, Win7 suddenly could not connect to the server while XP could. No amount of reconfiguring, even reverting, helped. I rebooted Win7 in desperation; still nothing. Restarting the service finally fixed it. This service apparently has no robustness at all.

Even with the final configuration, one problem remains unsolved: only one device on the same LAN can connect. When Win7 is connected, XP can't, and vice versa. Luckily my goal is to use it from my phone, so I'll ignore this for now. It is still annoying, because it means I can't share this setup with colleagues: we are on the same LAN, and as soon as someone else connects over L2TP I can't. They will have to use PPTP. If anyone knows the answer, please reply.

TODO: look into this.

Posted in linux