Posted by: peter
Today I needed to make one of my Django sites authenticate against the same userbase as one of my FreeRADIUS servers. Given that the RADIUS userbase is in PostgreSQL, this could have been done without touching RADIUS at all, but that would not have been nearly as interesting or elegant as making Django speak RADIUS (and given the strange record format that FreeRADIUS uses, it would have taken nearly as long to implement). After about half an hour of hacking on a Django custom authentication backend I now have Django happily authenticating against my FreeRADIUS server, with all the flexibility that implies (being able to proxy requests to third parties, set time-of-day restrictions, use multiple clustered backends and so on). Without further ado, here is the first cut:
from django.conf import settings
from django.contrib.auth.models import User
import pyrad.packet
from pyrad.client import Client, Timeout
from pyrad.dictionary import Dictionary

class RadiusBackend:
    """
    Authenticate against a RADIUS Server.

    You must have a working RADIUS Server and Secret
    configured in settings.py. For example:

    RADIUS_SERVER = '127.0.0.1'
    RADIUS_SECRET = 'testing123'
    """
    # 'request' is what newer Django passes as the first argument; older
    # Django only passes the credentials as keyword arguments, so both work.
    def authenticate(self, request=None, username=None, password=None):
        if username is None or password is None:
            return None

        srv = Client(server=settings.RADIUS_SERVER,
                     secret=settings.RADIUS_SECRET.encode(),   # pyrad wants bytes
                     dict=Dictionary("/usr/share/pyrad/dictionary"))

        req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest)
        req["User-Name"] = username
        req["User-Password"] = req.PwCrypt(password)   # RFC 2865 PAP hiding
        req["NAS-Identifier"] = "django"

        try:
            reply = srv.SendPacket(req)
        except Timeout:
            # Fail closed: an unreachable RADIUS server is a denial, not an accept.
            return None

        if reply.code == pyrad.packet.AccessAccept:
            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                # Create a new local user. Its local password is never checked;
                # the password configured on the RADIUS server is. (The first
                # cut stored a placeholder string here to work around a
                # Django SVN > 5608 + openSUSE 10.3 bug with
                # set_unusable_password(); the unusable password is the intent.)
                user = User(username=username)
                user.set_unusable_password()
                user.is_staff = False
                user.is_superuser = False
                user.save()
            return user
        return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None
Just copy and paste this code into myproj/radiusauth.py and then stick the following in settings.py (backends are tried in order, so RADIUS is consulted first and the local ModelBackend remains as a fallback for accounts that only exist in Django, such as the admin user):
AUTHENTICATION_BACKENDS = (
    'myproj.radiusauth.RadiusBackend',
    'django.contrib.auth.backends.ModelBackend',
)
This code makes use of Wiggy's wonderful pyrad library, so you will need to have it installed too to make things work. One caveat: RADIUS hides User-Password with an MD5-based XOR stream keyed by the shared secret (RFC 2865), which is obfuscation rather than real encryption, and the exchange travels over UDP. Keep the RADIUS server on localhost or a trusted network, and use a long random secret rather than testing123.
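To make the wire format concrete, here is an added example (not from the post, and not pyrad's own code) that implements what req.PwCrypt and pyrad's reply handling do: RFC 2865 User-Password hiding, a minimal Access-Request/Access-Accept exchange against a constructed stand-in for FreeRADIUS, and the Response Authenticator check that lets the client reject an Access-Accept forged by someone who does not know the shared secret. The secret, username and password are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def pw_crypt(password, secret, authenticator):
    """Hide a PAP password as in RFC 2865 section 5.2 (what pyrad's PwCrypt does).

    Each 16-byte block is XORed with MD5(secret + previous block); the first
    'previous block' is the 16-byte Request Authenticator.
    """
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)          # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(pw[i:i + 16], stream))
        out += block
        prev = block
    return out


def pw_decrypt(hidden, secret, authenticator):
    """Server side of pw_crypt; the chaining value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def encode_attrs(attrs):
    """Attribute-value pairs as Type (1 byte), Length (1 byte, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_access_request(username, password, secret, ident, authenticator=None):
    """Client: Code, Identifier, Length, random 16-byte Request Authenticator, attributes."""
    req_auth = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pw_crypt(password, secret, req_auth)),
        (ATTR_NAS_IDENTIFIER, b"django"),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client: reject a reply whose Identifier or Response Authenticator does not match.

    Without the shared secret an attacker cannot compute a valid Authenticator,
    so a spoofed Access-Accept fails here instead of logging someone in.
    """
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(resp_auth, expected)


def serve(request, secret, userdb):
    """Constructed stand-in for FreeRADIUS: unhide the PAP password and look it up."""
    attrs = dict(parse_attrs(request[20:]))
    username = attrs[ATTR_USER_NAME].decode()
    password = pw_decrypt(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if userdb.get(username) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def radius_authenticate(username, password, secret, send):
    """What the backend above boils down to: True only for a verified Access-Accept.

    'send' delivers the request and returns the raw reply, or None on timeout.
    """
    req = build_access_request(username, password, secret, ident=os.urandom(1)[0])
    reply = send(req)
    if reply is None or not verify_response(reply, req, secret):
        return False            # timeout, tampering and forgery all fail closed
    return reply[0] == ACCESS_ACCEPT


# Constructed sample data, not a real deployment.
SECRET = b"testing123"
USERS = {"alice": "correct horse"}

if __name__ == "__main__":
    genuine = radius_authenticate("alice", "correct horse", SECRET,
                                  lambda r: serve(r, SECRET, USERS))
    forged = radius_authenticate("alice", "wrong", SECRET,
                                 lambda r: build_response(ACCESS_ACCEPT, r, b"guess"))
    print("genuine accept:", genuine, "| forged accept rejected:", not forged)
```

The forged case is the one worth noticing: an attacker who can answer faster than the real server still cannot turn a wrong password into a login unless they also know the secret, which is exactly why the secret must be long and the server must not be reachable from untrusted networks.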
Posted by: peter

My morning mail traffic contained a very sobering post to one of the security mailing lists I follow regarding the security of industrial control systems. Choice quotes include:

The typical lifetime of an industrial control system can be 10 to 15 years. Chew on that for a minute. What were YOU playing with 15 years ago?

And:

There is much to be afraid of. Cities depend on an infrastructure that runs all too well; utilities are so reliable that we forget about how integral they are to daily life. We’re nearly invisible until something breaks. Think of this the next time you flush your toilet. How long could a large city last without water? The only people who sleep well in my industry are those who do not understand the problem.

Makes you think…

Posted by: peter

As it turns out my new company requires a PPTP VPN connection to be able to check email from outside the LAN. While some might argue that you are better off not having access to work email from home, it is a necessary evil for most of us. While I personally think that an industry-standard SSL-encrypted IMAP connection is at least as secure as the broken PPTP protocol, there is something to be said for hiding Exchange servers behind firewalls (having that firewall be a Microsoft server itself is, on the other hand, a questionable gain in security).

Anyway, without more ado, here is the procedure to painlessly (without booting Windows) connect Linux to an MS PPTP server:

  • Install the NetworkManager-pptp package (openSUSE users can find it at http://repos.opensuse.org/home:/hgraeber)
  • Restart NetworkManager (It may be easier to simply reboot)
  • Right click on the NetworkManager icon in the GNOME/KDE system tray (next to the clock) and select “Options / Configure”
  • Select “VPN Connections / Add”
  • From the “Service” list select “ppp” (If you run KDE you will now see “You have the GNOME configuration applet installed and can use this to configure the VPN connection……” Press OK to run the GNOME configuration applet)
  • Select “Add”
  • Select “Next / PPTP Tunnel / Next”
  • Give a “Connection Name”, Select type of “Windows VPN (PPTP)” and put in the hostname of your Windows VPN server
  • On the “Authentication” tab select “Refuse EAP” (Otherwise Windows rejects the connection attempt)
  • Optionally enable deflate and BSD compression modules from the “Compression and Encryption” tab
  • Click “Forward”, then “Apply”, then “Close”
  • You should now have a new entry with the name you selected for the VPN connection in NetworkManager’s “VPN Connections” submenu. Click on it and you should be able to connect to your VPN server (after entering a valid username and password).

Posted by: peter

Well, as many of you know, things with my company Suntel have been a bit unclear since my business partner went to work for our largest partner company (Vodafone). After many discussions, much soul searching, and several months of uncertainty (including considering a move back to Australia) I am happy to say that I have started working with a great team of people at AirTies Wireless Networks as the “R&D Manager, VoIP Systems”.

AirTies is very strong in the ADSL and Wireless market in Turkey with several million deployed devices, but is really just getting started in the voice market (to be fair the voice market is just getting started in Turkey also). We have some existing combo VoIP Gateway / Router products, but we have significant work ahead of us to become a serious player in the VoIP industry.

Turk Telekom is currently in the process of un-bundling the local loop, and alternate operators should be able to assign and route local Turkish telephone numbers over IP by the end of the year, so it should be an exciting ride!

Posted by: peter

And there was some great news on the feeds this morning: the web toolkit used by my Nokia E61i (and by Apple’s Safari web browser) is (re)merging with the KHTML web toolkit of my desktop browser of choice, Konqueror:

There is one major web rendering engine that grew entirely out of the open source world: KHTML is KDE’s web renderer which was built from the ground up by the open source community with very little original corporate backing. The code was good and branches were born as a result, the best known being Webkit. Now, after years of split, KHTML and Webkit are coming together once again.
Posted by: peter

And the IETF quote of the day is:

Intervendor security interoperability is the elephant in the room. But it’s still not why we’re in the room
Posted by: peter

For the last 6 years I have happily been using HSBC Turkey for both my business and personal banking needs in Turkey. HSBC Turkey’s corporate banking site, funnily enough, is considerably worse (and more buggy) than their personal banking site, but it gets the job done. Their personal banking site, on the other hand, is excellent: more feature-rich and more pleasant to use than HSBC bank sites in many other countries, Australia included!

A few months ago, however, we made the mistake of giving in to the requests of some of our small customers and setting up an İş Bankası account, as many of them use İş Bankası only and didn’t want to pay the high interbank transfer fees (why Turkish banks get away with charging fees for transfers I’ll never know) when paying our invoices.

This is where the battle started. Like any other normal person living in the 21st century I would like to be able to see all my bank account balances and transaction histories, as well as pay bills and make money transfers via the internet. Now, after 3 trips to my branch (not any branch mind you, you can only make any type of account change through your home branch!), being forced to create a personal account which I have no intention of using, and spending 45 minutes on the telephone, I finally have “access” to internet banking… if you can call it access…

I can log in… so I suppose that’s a start. I can also see the balance of my accounts. But among the 6000 menus, I’ll be stuffed if I can find where to see the account transaction history! It doesn’t help, of course, that the English translation is so bad (with interspersed Turkish messages) that it’s often impossible to understand. (So bad, in fact, that I logged out and logged back in in Turkish because it was easier to understand!)

Also, apparently, being able to actually transfer money anywhere is too much to ask, and even though the bank has a copy of my company registration papers, signature circular and passport, I would still have to visit a notary to get a notarised letter that says, yes, I would, pretty please, really, truly, very much like to be able to transfer MY MONEY anywhere at all!!

Thanks for caring İş Bank.. You just lost a customer!

Posted by: peter

While I would not dare to lay claim to the title of “Security Expert”, there are unfortunately many people in the IT industry who do carry such titles and make such claims, and most definitely shouldn’t. I do, however, have among my close friends not only people who can safely lay claim to the title of “Security Expert”, but people who are in fact bona fide “Security Researchers”. These friendships and an interest in all things security related (not just IT) lead me to stumble across things like this presentation on 0day (a 0day is an unpatched security bug unknown to the public). Among other interesting points, it gives 348 days as the average time between the private discovery of a 0day bug and patching by the vendor. This is an astonishing figure! Basically, it means that any computer system you own is always vulnerable to security holes that someone else knows about and you don’t!

Posted by: peter

Hard to believe though it may be, T-Mobile made a non-iPhone related announcement last week. And even harder to believe, its new product may be as game-changing as Apple’s.

It’s called T-Mobile HotSpot @Home, and it’s absolutely ingenious. It could save you hundreds or thousands of dollars a year, and yet enrich T-Mobile at the same time. In the cellphone world, win-win plays like that are extremely rare.