Securing passwords safely in Nextcloud and working around a minor flaw

Posted on Leave a commentPosted in Uncategorized

I have had to work around this issue for some time now (as have many other Nextcloud and KeeWeb users).

Apparently from version 1.10 of Nextcloud, the regex that had worked flawlessly before no longer worked.

For those who are using Nextcloud and KeeWeb (I assume on any OS) and accessing the keepass database file directly using webdav, you will want to search for the string “incompatibleUserAgents” in the <nextcloud installation folder>/lib/base.php file and add the below lines to the end of the incompatibleUserAgents block.

                                // KeeWeb client

The end result will look like this;

                if (!is_array($incompatibleUserAgents)) {
                        $incompatibleUserAgents = [
                                // OS X Finder
                                // Windows webdav drive
                                // KeeWeb client

You should now be able to use the desktop KeeWeb app using webdav. It has worked for me, hope it works for you too.

Alternatively you could just install the KeeWeb app into Nextcloud and access it directly from within the Nextcloud UI.

A quick cheat sheet to picking the best ciphers


I’ve been working on deploying a new email service based around postfix and dovecot as the imap server (basically the standard services that come with RHEL, CentOS and Fedora) and one of the main things to focus on has been improving security where possible.

I happened to find a pretty useful web site for picking the most secure ciphers, which also gives handy pre-canned cipher lists for things like openssl.


It also gives some handy example configs to use with Apache (httpd).

It has been useful for me, and I hope it will be for you too.

What will happen to the .UK Domain Names after Brexit


Just a thought… Following the EU referendum, the subsequent rift highlighted by the very close vote, and the protests that have taken place since, just maybe the United Kingdom is not necessarily as united as we may hope.

Hopefully the new government led by prime minister Theresa May will pull it out of the bag and be able to rebuild and reunify the countries that make up the UK, only time will tell!

Currently the UK enjoys the use of the .uk domain space.  If the UK were to fracture further, at what point will/could .uk become surplus to requirements (if the worst happened)?  I guess the simple answer is when we are simply no longer united and the government has agreed to relinquish further control.

Would the .gb domain name need to be reinstated?  Though it is still online, no one can register new domains under it.  It is managed by an organisation called JISC, which provides much of the academic IT infrastructure used by UK schools, colleges and maybe even universities (I didn’t do that much research in all honesty).

I wonder if there are already plans in the pipeline?  Also, how far along are they?

Just think though, the opportunities are there to commercialise the .gb domain.  Had it been available, maybe Great Britain’s athletes would have bragged about the whopping medal collection following Rio 2016; they could have had the domain

Anyway.  Hopefully that will not happen.

Featured image: London telephone box was taken by Gordon and is available here;

Who is this Microsoft and what have you done with the REAL Microsoft?!?!


So, it would appear that Microsoft have turned another corner with regard to opening up its platform to a wider audience!  They will be bringing the bash shell to Windows 10 this summer!

See this TechCrunch article on this very topic!

I’m quite excited about it really, as it will mean that I can work from a Windows 10 machine without having to constantly go back and forth between dev machine (windows) and dev server.

What’s next Microsoft?

Back to basics – Providing a local yum or dnf repository


A new project I am working on is to create a complete lab environment where I can quickly build fully configured virtual servers from scratch.

For this I plan on using KVM as the virtualisation layer and CentOS as the distribution of choice for the virtual machines.

After a minimal installation of CentOS 7, I needed to be able to install additional packages to provide the numerous services I intend to use, such as DNS, DHCP, PXE pre boot, cobbler for automated installation of CentOS, NFS and maybe a little LDAP based authentication.

I had decided that although I could have had direct access to the internet and therefore relied on downloading all the additional packages required (and their associated dependencies), it would be more fun to create everything from scratch within a self-contained environment.

First things first, getting the additional packages and their dependencies installed.  Via the Virtual Machine Manager I had attached the CentOS 7 installation media which contained everything I needed.

Let’s get started

Logged in as root;

# mkdir /media/dvd
# mount -t iso9660 /dev/cdrom /media/dvd
# mkdir -p /software/centos7
# cp -R /media/dvd/* /software/centos7

Note.  I could have just got away with copying the contents of the Packages directory to the /software/centos7 directory I created, however, this would not have copied across the metadata needed for the local yum repository I intend to create.

Now time to create the yum repository configuration file

CentOS 7 comes with a number of repository configuration files even with the minimal installation.  By default these are all disabled.

[root@rhc-server ~]# cd /etc/yum.repos.d/
[root@rhc-server yum.repos.d]# ll
-rw-r--r--. 1 root root 1612 Jul  4  2014 CentOS-Base.repo
-rw-r--r--. 1 root root  640 Jul  4  2014 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 1331 Jul  4  2014 CentOS-Sources.repo
-rw-r--r--. 1 root root  156 Jul  4  2014 CentOS-Vault.repo
[root@rhc-server yum.repos.d]# grep -i enabled *

Rather than re-invent the wheel, I will make a modified version of the CentOS-Base.repo file.  In addition I will also rename the existing repo files so they are not called upon, which would be a waste of time given my sandboxed environment.  The other option would be to include an “enabled=0” option in each repo file, but that seems more time consuming.

[root@rhc-server yum.repos.d]# cp CentOS-Base.repo CentOS-Base-Local.repo
[root@rhc-server yum.repos.d]# mv CentOS-Base.repo CentOS-Base.repo.old
[root@rhc-server yum.repos.d]# mv CentOS-Debuginfo.repo CentOS-Debuginfo.repo.old
[root@rhc-server yum.repos.d]# mv CentOS-Sources.repo CentOS-Sources.repo.old
[root@rhc-server yum.repos.d]# mv CentOS-Vault.repo CentOS-Vault.repo.old

The new CentOS-Base-Local.repo looks like this;

[root@rhc-server yum.repos.d]# cat

name=CentOS-$releasever - Base - Local

And a quick test proves that it works…

[root@rhc-server yum.repos.d]# yum install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-14.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-14.el7 for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: for package: 32:bind-9.9.4-14.el7.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package                         Arch                         Version                                 Repository                       Size
bind                            x86_64                       32:9.9.4-14.el7                         baselocal                       1.8 M
Installing for dependencies:
bind-libs                       x86_64                       32:9.9.4-14.el7                         baselocal                       1.0 M

Transaction Summary
Install  1 Package (+1 Dependent package)

Total download size: 2.7 M
Installed size: 6.8 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /software/centos7/Packages/bind-9.9.4-14.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for bind-9.9.4-14.el7.x86_64.rpm is not installed
Total                                                                                                        24 MB/s | 2.7 MB  00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package    : centos-release-7-0.1406.el7.centos.2.3.x86_64 (@anaconda)
From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-14.el7.x86_64                                                                                         1/2
Installing : 32:bind-9.9.4-14.el7.x86_64                                                                                              2/2
Verifying  : 32:bind-9.9.4-14.el7.x86_64                                                                                              1/2
Verifying  : 32:bind-libs-9.9.4-14.el7.x86_64                                                                                         2/2

bind.x86_64 32:9.9.4-14.el7

Dependency Installed:
bind-libs.x86_64 32:9.9.4-14.el7


And there we have it, I can now begin the next phase of preparing my build and infrastructure services server.
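
The contents of CentOS-Base-Local.repo did not survive on this page, so here is an added example (not the author's file) that writes a stanza consistent with the yum output above and audits a .repo file for enabled sections that would install packages without a signature check. The repo id "baselocal", the /software/centos7 path and the key path are taken from the post; the baseurl, enabled, gpgcheck and gpgkey lines are assumptions about what the file contained.

```shell
#!/bin/sh
# Added example: write a local-media repo stanza and audit .repo files for
# enabled sections that skip or cannot perform GPG signature checking.

# $1 = target .repo file. Values other than the name= line are assumptions.
write_local_repo() {
    cat > "$1" <<'EOF'
[baselocal]
name=CentOS-$releasever - Base - Local
baseurl=file:///software/centos7
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

# $1 = .repo file. Prints the id of every enabled section where gpgcheck is
# not 1 or no gpgkey is named. An absent gpgcheck is flagged for review,
# because the effective value then comes from [main] in /etc/yum.conf.
audit_repo() {
    awk -F= '
        function report() {
            if (id != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == ""))
                print id
        }
        /^\[.*\]$/ { report(); id = substr($0, 2, length($0) - 2)
                     enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
        { key = $1; gsub(/[ \t]/, "", key)
          val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val) }
        key == "enabled"  { enabled = val }
        key == "gpgcheck" { gpgcheck = val }
        key == "gpgkey"   { gpgkey = val }
        END { report() }
    ' "$1"
}

# Demo in a scratch directory: the stanza above passes the audit silently.
tmp=$(mktemp -d)
write_local_repo "$tmp/CentOS-Base-Local.repo"
audit_repo "$tmp/CentOS-Base-Local.repo"
rm -rf "$tmp"
```

On the real system, run audit_repo against each file in /etc/yum.repos.d/ that still ends in .repo, and compare the fingerprint yum prints at the key import prompt with a copy obtained independently before answering "y".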

Kernel Tweaks: kernel.randomize_va_space


The purpose of this particular tunable is to make it harder for an exploit to predict where things live in memory.  It makes use of something called ASLR (Address Space Layout Randomization), which attempts to randomise where memory is allocated for a process and all the associated elements it needs to run (i.e. shared libraries).

It can be set to one of three states;

  • 0 – Completely disabled
  • 1 – Partially enabled (does not provide complete protection)
  • 2 – Complete randomisation of memory allocation to processes

Now, I’m not going to pretend to know everything, but it should also be noted that processes need to be compiled with the appropriate options set to allow them to function with memory being allocated in this way.

For a good explanation of what this covers and how to benefit from it see

For Fedora 22 this parameter is enabled and set to the value of “2”.

[toby@thebay ~]$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
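
To see the setting at work, the following added example (not from the original post) samples the stack base of several freshly started processes and reports whether a binary was built position independent, which is the compile-time requirement mentioned above. The function names are hypothetical, and elf_type assumes a little-endian ELF file.

```shell
#!/bin/sh
# Added example: observe the effect of kernel.randomize_va_space on freshly
# started processes.

# Start address of the first mapping whose last field is $1 (e.g. "[stack]"),
# given /proc/<pid>/maps-format text on stdin.
region_start() {
    awk -v name="$1" '$NF == name { split($1, r, "-"); print r[1]; exit }'
}

# Number of distinct values among the arguments.
distinct() {
    printf '%s\n' "$@" | sort -u | wc -l | tr -d ' '
}

# [stack] base of $1 separately exec'd "cat" processes, space separated.
sample_stack() {
    n=$1; out=""
    while [ "$n" -gt 0 ]; do
        out="$out $(cat /proc/self/maps | region_start '[stack]')"
        n=$((n - 1))
    done
    echo $out
}

# ELF e_type of file $1: EXEC = fixed load address, DYN = position independent
# (PIE or shared object). Assumes a little-endian ELF file.
elf_type() {
    case "$(od -An -tu1 -j16 -N1 "$1" | tr -d ' \n')" in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

if [ -r /proc/sys/kernel/randomize_va_space ]; then
    echo "randomize_va_space = $(cat /proc/sys/kernel/randomize_va_space)"
    # Identical bases across runs mean the stack is not being randomised.
    echo "distinct stack bases in 5 runs: $(distinct $(sample_stack 5))"
    echo "$(command -v cat) is $(elf_type "$(command -v cat)")"
fi
```

A binary reported as EXEC keeps its code at a fixed address whatever the sysctl says; only its stack, libraries and other mappings move.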



Save time in Gnome desktop


Use of the keyboard has historically been the primary way to interact with Linux/Unix.  Then came along the GUI.  I prefer the stock Gnome desktop environment in Fedora as my general day-to-day way to interact with my system.

That said, keyboard shortcuts come in handy.  I was trying to work out which keyboard combination would allow me to select a specific instance of an application that is running, i.e. I have two terminals open, which keyboard combo do I use?  It turns out that pressing the Super key + ` (the key above the tab) allows me to select between the instances.

More shortcuts can be found here;

Working with LUKS (encryption to you and me)


As a die hard Fedora user, I go through a regular cycle of downloading a new release, upgrading my desktop machine (by trashing what is there, as opposed to an in place upgrade) and then trying to remember how I re-enable the encrypted volumes I have for my data.

My setup is a little convoluted by making use of;

  • 2x 128GB SSD SATA for /home (RAID 1 using software RAID)
  • 2x 1TB 15k SATA for /data (again RAID 1)
  • The RAID arrays both have LVM on top
  • And then the ext4 filesystem which has been encrypted using LUKS

It generally follows the steps detailed below;

  1. Switch to root (yes I know I should do everything via sudo)
    $ sudo su -
  2. Confirm that there are some md devices in /dev
    # ls /dev/md*
  3. Review what is returned;
  4. Confirm the status of the RAID Arrays;
    mdadm --misc --detail /dev/md12[6-7]
  5. Now I will confirm that the logical volumes exist (generally Fedora has picked these up without issue)
    lv_data vg_data -wi-ao----   1.00t
    lv_home vg_home -wi-ao---- 111.73g
  6. Next I will attempt to open the encrypted volume;
    # cryptsetup luksOpen /dev/mapper/vg_home-lv_home home
  7. And then to mount the volume;
    # mount /dev/mapper/home /home2
  8. Now I will make sure everything looks good in /home2
  9. At this point I need to set things so that I am prompted for the passphrase during startup.
  10. Obtain the UUID of the LUKS encrypted volume;
    # cryptsetup luksUUID /dev/mapper/vg_home-lv_home
  11. Edit the /etc/crypttab file to include this new volume at system startup
    home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76
  12. Now we need to edit the /etc/fstab file to include the unencrypted device and mount point;
    /dev/mapper/home          /home2       ext4     defaults      1 2
  13. At this point we should in theory be able to reboot and find the volume is magically mounted.
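
Before the reboot in step 13, the two files edited in steps 11 and 12 can be cross-checked. This is an added example, not part of the original post: check_crypttab is a hypothetical helper, the first pair of entries is the one shown above, and the "data" entry with /dev/md126 and /root/data.key is constructed to show what gets flagged.

```shell
#!/bin/sh
# Added example: sanity-check the crypttab and fstab entries from steps 11
# and 12 before rebooting.

# $1 = crypttab file, $2 = fstab file. Prints one line per finding and
# nothing when the entries are consistent.
check_crypttab() {
    awk -v fstab="$2" '
        BEGIN {
            # Remember every device named in the first column of fstab.
            while ((getline line < fstab) > 0)
                if (line !~ /^[ \t]*#/ && split(line, f) >= 2) mounted[f[1]] = f[2]
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # An empty third field means the same as "none": prompt at boot.
            name = $1; src = $2; key = ($3 == "" ? "none" : $3)
            if (src !~ /^UUID=/)
                print name ": " src " is not referenced by UUID="
            if (key != "none" && key != "-")
                print name ": key file " key " unlocks the volume without a passphrase prompt"
            if (!(("/dev/mapper/" name) in mounted))
                print name ": fstab has no entry for /dev/mapper/" name
        }
    ' "$1"
}

# Demo on scratch copies: the entries from the post, then a constructed
# weaker variant that triggers all three findings.
tmp=$(mktemp -d)
echo 'home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76' > "$tmp/crypttab"
echo '/dev/mapper/home          /home2       ext4     defaults      1 2' > "$tmp/fstab"
check_crypttab "$tmp/crypttab" "$tmp/fstab"
echo 'data /dev/md126 /root/data.key' > "$tmp/crypttab"
check_crypttab "$tmp/crypttab" "$tmp/fstab"
rm -rf "$tmp"
```

The key file finding matters for step 9: a volume that unlocks from a file on the same machine is only as protected as that file.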

Kernel Tuning: kernel.panic


Rather than working alphabetically through the list of parameters that may be tuned in the Linux kernel, I thought I’d spice things up and go with a nice and simple one to explain; kernel.panic.

Simply put, when this parameter has a value of “0” (that’s zero) and the kernel panics, the system in question will not reboot automatically, and will wait for some TLC from a nearby Sys Admin.  If, however, it is set to a value other than zero, it should ensure that the system will reboot, therefore hopefully causing only a short outage.

At this point, it might be worthwhile taking a look at the kdump documentation, to ensure that you have captured the vmcore files relating to the panicked kernel.

Units of time


Useful references for those working with smaller units of time.

1 minute = 60 seconds (s)
1 second (s) = 1,000 milliseconds (ms)
1 millisecond (ms) = 1,000,000 microseconds (μs)
1 microsecond (μs) = 1,000,000,000 nanoseconds (ns)
1 nanosecond (ns) = 1,000,000,000,000 picoseconds (ps)