molik's questions

I have an authentication server based on certificate. The previous roll of certificate (1 CA + 1 Server + 1 Client) worked perfectly. A few days ago the client certificate expired and I had to generate a new one. I encountered the following problem so I generated once again all of the certificates (CA, Server and Client) but the problem still remain.

The server hold the CA + Server + Client certificates. The Client hold the CA + Client certificates.

Here is the error I the client get when trying to authenticate (using wpasupplicant) :

root@HP:/etc/wpa_supplicant# wpa_supplicant -c certs.conf -D wired -i enp63s0
  Successfully initialized wpa_supplicant
  enp63s0: Associated with 01:80:c2:00:00:03
  enp63s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
  enp6350: CTRL-EVENT-EAP-STARTED EAP authentication started
  enp63s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
  enp6350: CTRL-EVENT-EAP-METHOD EAP vendor e method 13 (TLS) selected
  enp63s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc. /[email protected]/CN=Example certificate Authority' hash=71d392c4f64b1dd18d378c57fea2f2673a26ad4a93974f70e5c1a44709f89ab3
  enp6350: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/0=Example Inc./CN=Example Server Certificate/[email protected]' hash=c6c4425f12a6540ca9327769d50e95de32df60aac46c0dcd
54291db880192a5
> SSL: SSL3 alert: write (local SSL3 detected an error): fatal:decrypt error
> OpenSSL: openssl_handshake - SSL_connect error:0407E068:rsa routines:RSA_verify_PKCS1_PSS_mgf1:bad signature
> OpenSSL: pending error: error:1416D07B:SSL routines:tls_process_key_exchange: bad signature
  enp6350: CTRL-EVENT-EAP-FAILURE EAP authentication failed
  Cenp6350: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
  enp6350: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED
  enp63s0: CTRL-EVENT-TERMINATING
root@HP:/etc/wpa_supplicant#

The error lines are at the ">".

I tested the fingerprint of the certificates stored on the client and they are the same as the one on the server.

Do you know where the problem come from ?

Edit : Can you explain to me what a bad signature mean ? I wasn't able to find it

I built my first custom kernel and have a few problem with it (see this other post).

I configured with /etc/network/interfaces one ip address on each physical interface of the computer. The commande ip a show the IP addresses on each interfaces.

debian@debian:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 64:70:02:11:67:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global enp7s0
       valid_lft forever preferred_lft forever
    inet6 fe80::6670:2ff:fe11:67a4/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:1c:c0:94:71:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.2/24 brd 192.168.5.255 scope global enp0s25
       valid_lft forever preferred_lft forever
    inet6 fe80::21c:c0ff:fe94:71d1/64 scope link
       valid_lft forever preferred_lft forever
debian@debian:~$

debian@debian:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp7s0
#iface enp7s0 inet dhcp
iface enp7s0 inet static
address 192.168.5.1/24


allow-hotplug enp0s25
#iface enp0s25 inet dhcp
iface enp0s25 inet static
address 192.168.5.2/24


debian@debian:~$

enp0s25 = intel interface enp7s0 = realtek interface

The problem is the following :

• When I connect an ethernet cable to the intel interface (driver e1000e), i can ping both ip addresses (even if the other interface is down).

• When I connect an ethernet cable to the realtek tp-link interface (driver r8169), i can't ping any of the ip addresses (including the IP associated to it). The interface goes up when a cable is connected to it.

I searched a bit and I can't find a similar problem to mine. Do you know why there is a difference between what linux is prompting and what really happen with the interfaces ?

Edit : The problem is not related to the custom kernel, it also appear in the default Debian 4.19 kernel version. But they were working like a charm with a with a PfSense.

Edit 2 : The current route table (can change after the networking service is restarted and the realtek interface is upped before the intel interface).

debian@debian:~$ ip route
192.168.5.0/24 dev enp0s25 proto kernel scope link src 192.168.5.2
192.168.5.0/24 dev enp7s0 proto kernel scope link src 192.168.5.1
debian@debian:~$

I need a new debian kernel to activate a module available only on version 5.13 and more. So I found a tutorial to configure, build and install it.

After rebooting the computer and selecting through grub the new kernel, the computer get stuck at /dev/sda1: clean. Booting on the new kernel in recovery mode don't avoid the problem.

I can ping and ssh into the computer when the main terminal is frozen, and the new kernel is runing :

debian@debian:~$ uname -r
5.13.7

I already tried fsck -f /dev/sda1 from a live ubuntu but there is no error for the disk.

Do you know how to correct the problem ? I don't want to have an ethernet interface dedicated to ssh because I need them all to try the new module.

PS : I didn't installed a graphical interface for the OS

Edit :

• find /usr/lib/modules/5.13.7/kernel/drivers/ nvidia doesn't find anything

• For the console driver I don't know where to find it, cat /sys/class/vtconsole/vtcon1/bind return 1 (I have only vtcon1)

• systemctl status return State : running

• cat /proc/fb return nothing

I am using Freeradius to authenticate users in PEAP-GTC and I want it to give a VLAN ID to the authenticator which will be assigned to the port of the authenticated client.

The authenticator is already configured to assign the VLAN ID recieved by the radius server to the port of the client, and to create the vlan if it does not exist.

On the Freeradius server i tried several things found on the internet to send the VLAN ID to the authenticator :

• In the users file :

  DEFAULT Auth-Type := EAP   # and also DEFAULT NAS-Port-Type == "Ethernet"
  Tunnel-Type = 13,
  Tunnel-Medium-TYpe=6,
  Tunnel-Private-Group-Id=5
  

• In the eap module file :

  eap {
       use_tunneled_reply = yes
       ....
  peap {
       use_tunneled_reply = yes
  

• In the inner-tunnel sites file :

  post-auth {
             ....
             update {
                     &outer.session-state.Tunnel-Type := Tunnel-Type[*]
                     &outer.session-state.Tunnel-Medium-Type := Tunnel-Medium-Type[*]
                     &outer.session-state.Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*]
                     &outer.session-state.User-Name := Use-Name[*]
                     &outer.session-state: += &rpely:
                     }
  

The authenticator keep assigning the default vlan to the connected users, freeradius doesn't seem so send the vlan id.

Do you know how can freeradius assign a VLAN to the authenticated users ?

I am using the librarie "libfaketime" to fake the time of my system. My objective is to change the time inside a docker container, independently of the host time. It can allow me to transform the container as a ntp server, distributing the fake time to the host. (I know I shouldn't sync a ntp server to itself, and i shouldn't peer to a server giving fake time but it is for testing purposes).

By looking at the readme, i found the possibility to change the date and time system-wide, faking directly the output of the date command.

It is using environment variables and the file /etc/faketimerc. The file is allowing the time modification wanted. Details on the exact configuration.

I replicated the configuration of the link above, I have all 3 environment variables and the file configured. But I cant change the output of the date command.

The librarie is working when I use basic modification like : faketime -f ‘-10d’ date` (echo the fake time to the terminal).

Edit : For information, libfaketime doesn't change the time distributed by the server (running ntpd). So the client is not stepping to the fake time displayed by the date command.

I am running a ntp server, using the following configuration :

server 127.127.1.0 minpoll 5 maxpoll 5 iburst burst
fudge 127.127.1.0 stratum 0 refid GPS

Is there a way for my server to select this local clock faster than the default 5 minutes ? Minpoll and maxpoll increase the reach faster but it is not used in the clock selection.

I have 2 ntp server syncing to their local clock, the first one is a stratum 1 and the second is a stratum 7. The client is polling both of them and don't have a local clock as backup.

My ntp results are the following (view from the client) :

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.5     .GPS.            1 l    1    32  377    1.492   -0.107   0.249
+192.168.1.6     LOCL            8 l    1    32  377    1.369   183.293  0.249

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
x192.168.1.5     .GPS.            1 l    1    32  377    1.383   -0.135   0.120
x192.168.1.6     LOCL            8 l    1    32  377    1.3677  183.231  0.122

I know in my case that the difference between the offsets are very big. I am just testing things, theses servers won't be used.

If a server is declared as a falseticker by the client, can the status be reconsidered ? Or is the server sentenced to stay falseticker ?

I know after a restart of the ntp service on the client, the server status will be refreshed. But can it happen without restarting ntp on the client ?

I read about the 2036 problem of NTP and i decided to make some tests on it. My server takes the time from his local clock, and my client takes the time only from this server (not even his local clock).

I changed the server date to 01 JAN 2040 12:00:00 and the client was polling the server and changed his date to 2040. I am running NTP Version 4 on the client, did this problem got patched ? If yes, was it in Version 4 or earlier ?

After that, i decided to change the server date to year 2070. Now the client is ignoring the server, it can see it, the poll reached 377, more than 5 minutes has passed, but it never synchronizes to it. It seems like he his ignoring it because of a wrong date.

Do you know the maximum date a server can broadcast before client ignoring it ?

I am running a NTP server on an Ubuntu 20.04 LTS. The server work fine and the client poll correctly the server. But i keep getting a permission error when i want to record statistics.

I tried to include the following lines in ntp.conf :

statistics rawstats
statsdir /var/log/ntpstats/
filegen rawstats file raw type day link enable

When looking at systemctl ntp status :

mars 05 09:08:48 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:50 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:52 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied
mars 05 09:08:54 RD-NTP ntpd[3534] : can't open /var/log/ntpstats/raw.20210305: Permission denied

But for me, the directory have the correct permissions ls -al :

drwxr-xr-x 2 ntp ntp 4096 april 2 2020 .

Before choosing the default folder, i tried with one i created and adding ntp in the permission using this command : chmod ntp:ntp /home/ubuntu/ntpstats/, it wasnt working so i switched to this one, not working either.

Do you know why ntpd keep getting error even if ntp have the upper hand on the folder ?