Alexander Clouter jimdigriz
@jimdigriz
jimdigriz / aws-getcallerid.md
Last active June 19, 2022 06:59
AWS GetCallerIdentity in POSIX Shell

I wanted to be able to use AWS GetCallerIdentity in a Lambda function but without having to import all of the AWS CLI (and Python runtime) in order to do so.

This involves the AWS Signature Version 4 Signing Process which a lot of online examples made look pretty complicated and were really hard to follow, so I decided to make the situation worse by adding my own implementation to the tirefire!

To use this you need at least AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but otherwise just run the script. The example shows how to request temporary security credentials and you can use that response to populate the environment variables manually when calling the script:

aws sts get-session-token --duration-seconds 900

@jimdigriz
jimdigriz / freeradius-salted-hash.md
Created June 19, 2022 07:01
Generating Salted Hashes for FreeRADIUS in SQL

FreeRADIUS supports using salted hashes for user authentication but there is very little material on how to generate these OpenLDAP style hashes.

When using an SQL backend for your user management it really is useful to have an SQL statement that can create these salted hashes for you which is what this snippet provides below:

  • insert.sql: adds a new user to your radcheck table
  • update.sql: updates the password for an existing user in your radcheck table

Remember to replace the username (bob) and password (hello) in your prepared statements with templated parameters.

N.B. FreeRADIUS for [some awful reason (there are no good reasons!) records the user's plaintext password by default in radpostauth](https://github.com/FreeRADIUS/freeradius-server/blob/v3.

@jimdigriz
jimdigriz / ldap-auth-ntlm.md
Last active June 19, 2022 07:04
Python ldap3 GSS-SPNEGO NTLM authentication

Example of how to glue pyspnego to ldap3 to pull off a GSS-SPNEGO authentication.

. /path/to/your/env_configuration
export LDAP_HOST LDAP_HOST_CA LDAP_USERNAME LDAP_PASSWORD
python ldap-auth-ntlm.py
@jimdigriz
jimdigriz / hkdf.erl
Last active September 26, 2022 14:11
HKDF implementation in Erlang
% https://www.rfc-editor.org/rfc/rfc5869
% https://en.wikipedia.org/wiki/HKDF#Example:_Python_implementation
-define(HASH_LENGTH, 32). % maps:get(size, crypto:hash_info(sha256))
hkdf(Length, IKM, Salt0, Info) when not is_list(Salt0) andalso not is_binary(Salt0); Salt0 == []; Salt0 == <<>> ->
    Salt = binary:copy(<<0>>, ?HASH_LENGTH),
    hkdf(Length, IKM, Salt, Info);
hkdf(Length, IKM, Salt, Info) ->
    PRK = crypto:mac(hmac, sha256, Salt, IKM),
    hkdf(Length, IKM, Salt, Info, PRK, <<>>, <<>>, 0).
hkdf(Length, _IKM, _Salt, _Info, _PRK, _T0, OKM, I) when I == ceil(Length / ?HASH_LENGTH) ->
@jimdigriz
jimdigriz / Windows EAP Tracing.md
Last active July 7, 2023 12:45
Notes on Windows 10/11 EAP Tracing

This document describes the process to debug 802.1X on Windows 10 and 11.

It targets users of RADIUS servers so that they can capture information useful to their RADIUS vendor (i.e. NetworkRADIUS) in resolving interoperability issues with the Microsoft EAP supplicant.

Related Links

apt update
apt -y upgrade --no-install-recommends
apt -y install --no-install-recommends \
    build-essential \
    ca-certificates \
    git \
    libdbus-1-dev \
    libnl-3-dev \
    libnl-genl-3-dev \
    libnl-route-3-dev \
@jimdigriz
jimdigriz / git-qscrambled
Last active October 10, 2023 12:17
This script is used to maintain scrambled kdb+/q '*.q_' files within a git project
#!/bin/sh
# This script is used to maintain scrambled kdb+/q '*.q_' files within a git
# project. The unscrambled '*.q' files are retained as an encrypted CMS file
# using recipient certificates generated from a list of OpenSSH public keys
# stored at the top of the project in an '.authorized_keys' file.
#
# For this to work effectively, you need to include '*.q' in your .gitignore
#
# TODO sign the CMS and verify the signature is at least one that is listed
@jimdigriz
jimdigriz / maxmind.q
Last active January 21, 2023 12:58
Poorman's geoIP lookups for kdb+/q using Maxmind's (CSV) GeoIP database
/ Poorman's geoIP lookups for kdb+/q using Maxmind's (CSV) GeoIP database
/ Copyright (C) 2023, coreMem Limited <info@coremem.com>
/ SPDX-License-Identifier: Unlicense
/ Website: https://gist.github.com/jimdigriz/2dd4b249d2e3f24d8838f6466674f945
/ Usage:
/ q)/ unzip GeoLite2-Country-CSV_20230117.zip somewhere
/ q)\l maxmind.q
/ q)/ load the GeoIP data in
/ q)maxmind"GeoLite2-Country-CSV_20230117"
/ q)/ load in your dataset
@jimdigriz
jimdigriz / apt-list-non-debian-stable-packages.py
Last active May 18, 2024 07:29
List installed packages not part of Debian 'stable'
#!/usr/bin/env python3
import apt
ORIGINS = frozenset(['stable', 'stable-security'])
CACHE = apt.Cache()
for pkg in filter(lambda p: p.installed, CACHE):
    origins = pkg.versions[pkg.candidate].origins
    if not any(( o for o in origins if o.archive in ORIGINS )):
@jimdigriz
jimdigriz / debian-unifi.md
Last active April 3, 2024 18:27
Self-Hosting a UniFi Network Server on Debian "bookworm" 12

These instructions have been adapted from the official docs and avoid you having to run any lengthy scripts, but you should still be able to get up and running within five minutes or so.

N.B. since the release of 7.5.x and 8.x there are no longer 32 bit releases (so no armhf) but someone noticed that the packages are architecture neutral (i.e. all) in amd64 so you can just pretend to be amd64 on arm64. When doing this, after the update you will still need to do the snappy fix described below.

I am targeting ARM64 but if you are using x86_64 (aka AMD64/amd64) then you should replace all occurrences of arm64 (and armhf) with amd64.

Plumb in the Unifi packaging by running:

sudo curl -o /usr/share/keyrings/unifi-repo.gpg https://dl.ui.com/unifi/