MarkChandler 2700034QTX Tags: cntlm ntlmv2 linux windows aix ntlmaps proxy isa fedora
I just discovered a piece of software called Cntlm that allows a UNIX/Linux platform to get access to the Internet via Windows proxy services.
For a long time now, I thought that the only solution to accessing the Internet through a Windows-based proxy from a UNIX/Linux platform was to use a service called NTLMAPS.
This software would act as a proxy itself, but get its Internet feed from a connection that it makes to a Windows proxy. You can give it the credentials for authentication that you use for a Windows desktop and it uses those to authenticate against the proxy.
Cntlm does the same job as NTLMAPS, but seems to be faster and also supports NTLMv2 authentication. One of my gripes with NTLMAPS was that I couldn't put in a sufficiently complex password. The password also has to be specified at runtime or in cleartext within a configuration file. Cntlm fixes this by allowing hashes to be generated from the password, which can then be put in the configuration file instead. Depending on how fussy your ISA server is, you may also need to masquerade the workstation that you're authenticating from.
I'd been trying out Cntlm on Fedora 13 (it's in the repos), but have now moved on to trying it on AIX. There's a tar.gz bundle that can be downloaded from the project site. Extracting it gives you a sample config file, binary, and man page - no RPM or bff, unfortunately. When it's run, it drops into the background, so you don't have to worry about using & to send it to the background. It will just need to be killed if you want to stop it running.
The package is marked as "aix5", but I've been testing it on AIX 6.1 without any trouble so far.
While checking the difference between the current and last commits, git was printing a lot of what looked like control characters.
Some Googling showed that these were colour settings for the terminal. They look like "^[[32m+^[[m^[[32m".
I checked that the TERM setting was suitable (xterm-256color), so it should be able to process the sequences.
But, I found something that indicated that the pager used by git mightn't interpret the sequences.
Exporting PAGER=/usr/bin/less seems to fix the problem. So, I've put it in my profile now.
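The fragments quoted above are ANSI SGR colour sequences (ESC, then "[", digits and ";", then "m"). As an added example that is not part of the original post, these two helpers detect and strip such sequences so you can tell a pager colour problem from genuine unreadable content; they assume only a POSIX shell, printf, grep and sed, and the diff line is constructed here.

```shell
# Added example (not from the original post). Detect and strip ANSI SGR
# colour sequences like "^[[32m" so a suspect diff line can be inspected.
# Assumes a POSIX shell with printf, grep and sed; the sample is constructed.

esc=$(printf '\033')   # the ESC byte that the terminal shows as ^[

# Exit 0 if stdin contains at least one SGR colour sequence.
has_ansi_colour() {
    grep -q "$esc\[[0-9;]*m"
}

# Remove every SGR colour sequence from stdin, leaving the plain text.
strip_ansi_colour() {
    sed "s/$esc\[[0-9;]*m//g"
}

# Constructed line mimicking a coloured "git diff" addition: green "+",
# reset, green text, reset, exactly the shape quoted in the post.
sample_line() {
    printf '%s[32m+%s[m%s[32mnew line of code%s[m\n' "$esc" "$esc" "$esc" "$esc"
}

# The sample rendered as plain text (returns "+new line of code").
plain_sample() {
    sample_line | strip_ansi_colour
}

# Stand-alone demonstration.
if sample_line | has_ansi_colour; then
    printf 'colour sequences present; plain text is: %s\n' "$(plain_sample)"
fi
```

Stripping is for inspection only; when the pager itself is the problem, a pager that interprets raw colour sequences (for example less with its -R option) keeps git's colouring intact.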
Use Kerberos Authentication for users and Configure KDC. If you're already using Kerberos to allow AIX hosts to authenticate users against AD, then you can import the same krb5.keytab into the HMC. You can also use the same server and realm names as per the krb5.conf.
Although it is convenient, it's probably not best practice to use the same Kerberos key for multiple hosts to talk to AD. I haven't researched that yet.
Use NTP to make sure that the HMC clock is set correctly. I'm not sure how feasible it is to use Kerberos authentication without an NTP updated clock.
When creating the profiles on the HMC, you may need to set the Remote user ID as "firstname.lastname@example.org" (e.g. email@example.com). You should also make sure that in the "User properties" section, the "Allow remote access via the web" option is ticked.
My tested combination of technology is HMC V7 R7.7.0 SP2 and Active Directory running on Windows Server 2003.
Hopefully, I'll add more explicit instructions later.
So, you want to generate a hash value for a file, but AIX has no native or Linux Toolbox utility for doing that.
Hopefully, you have OpenSSL (and OpenSSH) installed on your target system. If so, you can use the openssl command to generate hashes for quite a few different schemes.
There are a few different ways that you can run it:
Options 1 and 2 will only work for a limited set of hash types. As of writing, these are: md2, md4, md5, rmd160, sha, sha1.
You can list what the supported hash types are by running "openssl list-message-digest-commands".
Option 3 will work for hash types up to sha512. Check the man page on openssl for more detail, or you can force the dgst subcommand to list its options with "openssl dgst -?".
Update #1: I've changed option one so that's simpler, from openssl dgst <hash type> <file> to just openssl <hash type> file. I've also corrected the explanation of the options accordingly and expanded on them a bit.
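The most common reason to want a file hash on a server is to check a download (the Cntlm tar.gz, say) against the digest the project publishes. As an added example that is not from the original post, the two functions below wrap the dgst form (option 3) so the check is a single command with a clean exit status; they assume openssl is on the PATH, and the sample file is constructed here.

```shell
# Added example (not from the original post): verify a file against a
# published digest using "openssl dgst". Assumes openssl is on the PATH.

# Print only the hex digest of $2 using algorithm $1 (sha256, sha1, md5, ...).
# openssl prints "SHA256(file)= <hex>"; drop everything up to the "= ".
file_digest() {
    algo=$1; file=$2
    openssl dgst -"$algo" "$file" | sed 's/.*= *//'
}

# Exit 0 when the file's digest matches $3, 1 otherwise. Published
# checksums vary in case, so compare in lower case.
verify_digest() {
    algo=$1; file=$2; expected=$3
    actual=$(file_digest "$algo" "$file")
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample: the three-byte file "abc" (no trailing newline),
# whose SHA-256 is the well-known test vector used below.
sample=$(mktemp)
printf 'abc' > "$sample"
printf 'sha256: %s\n' "$(file_digest sha256 "$sample")"
if verify_digest sha256 "$sample" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "digest matches"
else
    echo "DIGEST MISMATCH - do not use this file" >&2
fi
rm -f "$sample"
```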
As administrators, many of us enjoy the ability to use the command line tools to quickly and efficiently carry out tasks. This applies to VIO servers as well as plain AIX or GNU/Linux systems. On AIX and Linux, we can easily set up shell prompts to remind us of what system we're on. Unfortunately, this is not the case for VIO servers. We get the rather plain "$" when we're signed on as padmin, or the "#" when using oem_setup_env. Considering that these systems are critical to the good health of the LPARs that depend on them, it would be nice to have that extra bit of information in the prompt that tells us which VIO server we're administering. Otherwise, we could find ourselves very quickly and efficiently doing something disastrous.
I had a quick play with this myself and realised that I could change the PS1 environment variable in the .profile for padmin. I set it, as follows, in the second line of the file:
export PS1="$(hostname)$ "
Great. Now, when on as padmin, I had the normal prompt, but prefixed with the hostname. This matched up with other people's findings.
IBM Systems mag : Changing the padmin .profile
However, this prompt carries over to the "root" user when using the oem_setup_env command. So, there's no way of knowing if you're padmin or root from the prompt. To fix this problem, I changed the "aix" alias that I was already using to run the oem_setup_env command, and extended it from...
alias aix="ioscli oem_setup_env"
alias aix="PS1=\"$(hostname)\# \" ioscli oem_setup_env"
Now when I switch to the root user, I'll get an appropriate prompt that still tells me what host I'm on. Of course, using the normal oem_setup_env command will just show the padmin prompt. So, be wary of that.
Update: A cleaner, less obscure approach, using .kshrc
After playing around with this and bouncing ideas between myself and Anthony, I settled on using a combination of changes. First, setting the ENV variable in the .profile to point to the .kshrc. I'm also showing the trimmed down "aix" alias that no longer needs PS1 changed as part of its setting.
alias aix="ioscli oem_setup_env"
In the .kshrc, we set up some logic to determine whether we're padmin or root. The last line sets up command history navigation and is not part of this solution.
if [ "$(whoami)" != "root" ]; then
    # padmin (or any non-root user): "$" prompt, prefixed with user and host
    export PS1="$(whoami)@$(hostname)$ "
else
    # root via oem_setup_env: "#" prompt, same user@host prefix
    export PS1="$(whoami)@$(hostname)# "
fi
In this version, the username is explicitly printed as part of the command prompt. Leaving out the "$(whoami)@" will just leave the "$" or "#" to tell you whether you're root or not.