How to convert/split p12 certificates into single files

So, you got a brand new personal certificate via an authorized issuer and all you got is a single file with the ending .p12? You want to use this certificate in various software solutions, but these solutions want separate files for the user certificate and the private key? Then you have to split your .p12 file.

What is a .p12 file?

A .p12 file is a bundle which contains your private key as well as your personal certificate. For a lot of certificate issuers, distributing these two things in a bundle is obviously easier.
Even though a lot of software supports working with those bundles, some does not. The most prominent example I know is Network Manager under Linux. If you want to use a .p12 file with the Network Manager OpenVPN extension, you have to split up the .p12 file into its single parts. Splitting a p12 certificate into single files leaves you with two files: your user certificate and your key.

Which software is needed?

Under Linux you need to have OpenSSL ready. OpenSSL is installed by default on every Linux based machine nowadays. But just to be sure, we will install OpenSSL again for this tutorial. For Debian, Linux Mint and Ubuntu simply enter the following command:

user@system:~$ sudo apt-get update && sudo apt-get install openssl

Windows users have to download the OpenSSL tools from the official homepage, which can be found here: OpenSSL Windows Binaries

How to split a .p12 file?

First, you have to navigate into the directory where your .p12 file is actually stored. You can do this with the command cd. In this example we assume that the p12 certificate file is stored in the directory ssl:

user@system:~$ cd ssl

Now that you are in the correct directory, you can extract the user key with the following command:

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem

The user certificate can be exported like this:

user@system:~/ssl$ openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem

During these two steps you might get asked for a password of the actual .p12 file and for a password for the new exported files. It’s up to you if you want to protect the new exported single files with a password. However, it is recommended of course. You can also do the two commands above within one statement like this (if you want):

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem && openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem
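
The two extraction steps as a non-interactive script, added here as an example (it is not part of the original article): it writes the files with owner-only permissions and checks that the exported key and certificate actually belong together. The variable names P12_PASS and KEY_PASS, the function names and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: split a .p12 bundle and confirm the two output files match.
# Assumptions: P12_PASS holds the bundle's import password and KEY_PASS the
# passphrase for the exported key. Both are exported environment variables,
# so the passwords are not typed on the command line.

split_p12() (
    # $1 = .p12 bundle, $2 = output directory
    p12=$1
    out=$2
    umask 077                      # new files are readable by the owner only
    mkdir -p "$out" || exit 1

    # Private key, re-encrypted with KEY_PASS (same command as in the article,
    # plus non-interactive password handling).
    openssl pkcs12 -nocerts -in "$p12" -out "$out/user_key.pem" \
        -passin env:P12_PASS -passout env:KEY_PASS || exit 1

    # User certificate only (no CA certificates, no key).
    openssl pkcs12 -nokeys -clcerts -in "$p12" -out "$out/user_cert.pem" \
        -passin env:P12_PASS || exit 1
)

key_matches_cert() {
    # $1 = key file, $2 = certificate file
    # Succeeds only if the public key derived from the private key equals the
    # public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone use:
#   P12_PASS=... KEY_PASS=... sh split_p12.sh your_file.p12 outdir
if [ "$#" -eq 2 ]; then
    split_p12 "$1" "$2" \
        && key_matches_cert "$2/user_key.pem" "$2/user_cert.pem" \
        && echo "key and certificate match"
fi
```

A mismatch reported by key_matches_cert usually means the certificate was taken from a different bundle than the key.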


Prevent / Block package updates under Ubuntu / Debian

Did you know that you can block package updates under Ubuntu and Debian? Let’s say you have a lot of packages installed on your Ubuntu / Debian system and (for whatever reason) you don’t want specific packages to get updated whenever you do a system upgrade. This short article is going to show you how to prevent these packages from being updated.

APT or Aptitude: Both can block package updates

Debian / Ubuntu basically has two ways to manage packages. To be more specific there are two package managers which can be used on the console for updating, installing and removing packages / software under your Ubuntu / Debian systems. These two solutions are APT and Aptitude. This article describes how to prevent packages from being updated with both solutions. If you don’t know which of those two you should go with: Simply go with the APT tools (apt-get, apt-mark, apt-cache, …).

How to prevent packages from being updated

You can always prevent packages from being updated with the help of APT. APT comes with every Ubuntu / Debian installation, so the following command should definitely work on any Debian / Ubuntu based system:

user@system:~$ sudo apt-mark hold <name of the package>

You have to replace <name of the package> with the name of the package you want to hold, of course. For example, if you want to prevent vlc from getting updated, the command would look like this:

user@system:~$ sudo apt-mark hold vlc

If you’re an Aptitude user instead, the command (with the exact same result) looks like this:

user@system:~$ sudo aptitude hold vlc

If you now update your system with the classic apt-get upgrade command, for example, the package vlc isn’t going to be upgraded. APT, as well as Aptitude, will print a notice saying that the package has been prevented from being updated.

How to unhold the package?

So, to hold a package is rather easy. But what to do when you want to unhold this package in order to get it updated again? If we use our vlc package from the example above again, the command to unhold and make a package available for an update with APT looks like this:

user@system:~$ sudo apt-mark unhold vlc

Again, the same command with the exact same result in Aptitude looks like this:

user@system:~$ sudo aptitude unhold vlc

But why hold a package anyway?

You may ask yourself why you should hold a package anyway. Well, there are several reasons to do this. For example, sometimes you update a package and after this update the software doesn’t work as expected. So if you encounter a problem after an update on a test system, you could hold / block the specific package which causes you trouble on a production system before updating that system. Another example would be that you might have to check the configuration files first before updating a specific piece of software, while you still want to install the latest security updates for the other installed packages. By holding the package you can update the other packages without touching the ones you block.
Of course there are many other reasons why holding a package is a useful and needed feature. You can also do this with a graphical solution like Synaptic. However, the console way of blocking package updates is much easier and faster (IMHO) 😉
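
A held package also stops receiving its own security fixes, so it is worth checking which holds are lagging behind. The following is an added example, not part of the original article: it parses the output of apt-cache policy and lists held packages whose candidate version differs from the installed one. The function names and the sample versions are constructed; a newer candidate is not necessarily a security update.

```shell
#!/bin/sh
# Added example: report held packages that have a newer version waiting.

# Reads `apt-cache policy` output on stdin and prints
# "<package> <installed> <candidate>" for every installed package whose
# candidate version differs from the installed version.
stale_holds() {
    awk '
        /^[^ ].*:$/       { pkg = substr($0, 1, length($0) - 1) }
        /^ +Installed:/   { inst = $2 }
        /^ +Candidate:/   { if (inst != "(none)" && $2 != inst) print pkg, inst, $2 }
    '
}

# Live use on a Debian / Ubuntu system.
# xargs -r skips apt-cache entirely when no package is on hold.
audit_holds() {
    apt-mark showhold | xargs -r apt-cache policy | stale_holds
}

# Constructed sample in the layout `apt-cache policy` prints.
# Versions and the archive host are made up.
sample_policy() {
    cat <<'EOF'
vlc:
  Installed: 3.0.16-1
  Candidate: 3.0.18-2
  Version table:
     3.0.18-2 500
        500 http://archive.example.invalid/ubuntu stable/universe amd64 Packages
 *** 3.0.16-1 100
        100 /var/lib/dpkg/status
openssl:
  Installed: 3.0.2-0
  Candidate: 3.0.2-0
  Version table:
 *** 3.0.2-0 500
        500 http://archive.example.invalid/ubuntu stable/main amd64 Packages
EOF
}

# Demonstration on the constructed sample: only vlc is behind.
sample_policy | stale_holds
```

On a real system, run audit_holds after apt-get update so the candidate versions are current.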


ownCloud/nextCloud collaboration with EtherPad and EtherCalc

Besides Collabora Office there is an easy but reliable way to enable collaborative editing of text and spreadsheet files in ownCloud or nextCloud (just like in proprietary solutions like Microsoft OneDrive or Google Drive). This article describes how to install and enable EtherPad along with EtherCalc in your ownCloud or nextCloud instance.

Requirements and preparation

First you need a running ownCloud or nextCloud instance of course. (Note: If you’re using ownCloud, ensure that you don’t use versions higher than 9.1 right now. As of January 2018, the plugin used for the EtherPad / EtherCalc integration doesn’t work with ownCloud higher than version 9.1.) It doesn’t matter if this instance is running on your local home server, a Raspberry Pi or if you rented some space at a webhosting provider of your choice. If you don’t already have a working nextCloud / ownCloud instance and you’re okay with hosting your cloud files at a provider, I recommend the German web host All-Inkl.com. They offer cheap webhosting packages with an integrated installer. The installer automatically installs an ownCloud or nextCloud instance for you. You can directly start working with it afterwards. Just for the record: I’m using All-Inkl.com as well.
Besides the running instance you also need the ownPad plugin. It extends your ownCloud / nextCloud instance in order to communicate with an etherPad / etherCalc instance. You can download the latest release of ownPad for nextCloud and ownCloud here.

Installation

After you’ve downloaded ownPad you have to extract the plugin. If you’re using Windows, you can use WinRAR or 7-Zip to do this. For Linux you can double click the archive in order to open it or you simply extract the archive with the following command:

user@machine:~$ tar xfvz ownpad.tar.gz

You now have to move the extracted ownpad directory to your webspace / server and place it under the apps folder of your ownCloud or nextCloud installation. Check that the directory has permissions of 755 after you’ve uploaded it, otherwise ownCloud / nextCloud may be unable to find the plugin later on.

Configuration

Next we have to tell ownCloud / nextCloud how to handle files that are using the filename ending .pad or .calc (the standard filename endings for EtherPad and EtherCalc files). To do so, you have to copy the file mimetypemapping.dist.json from the subdirectory resources/config/, which is located within the ownCloud / nextCloud root directory, to the subdirectory config and rename it afterwards to mimetypemapping.json.
Open the copied file config/mimetypemapping.json with your favorite text editor and add the following two lines to the end of the file, before the closing brace (the entry in front of them has to end with a comma, otherwise the file is no longer valid JSON):

 "pad": ["application/x-ownpad"],
 "calc": ["application/x-ownpad"]

So for example the end of the final mimetypemapping.json file could look like this:

 ...
 "yaml": ["application/yaml", "text/plain"],
 "yml": ["application/yaml", "text/plain"],
 "zip": ["application/zip"],
 "pad": ["application/x-ownpad"],
 "calc": ["application/x-ownpad"]
}

Now that every requirement has been met, you can go on and activate ownPad within your ownCloud / nextCloud instance. For nextCloud, click on the upper right (gear symbol) and click on Apps. Search for ownPad and click on Enable:

Deactivated ownPad App in the nextCloud administration overview

For ownCloud however, you have to click the category selection on the upper left and select Apps (plus symbol). To your left, click on Disabled in order to get a list of all the apps and plugins that are disabled in your ownCloud instance. Search for ownPad in this list and click on Enable.
Now that you’ve enabled the ownPad plugin you should ensure that EtherPad and EtherCalc are also activated. For nextCloud: navigate to Settings (gear symbol upper right), click on Additional settings and search for the Collaborative documents section. Ensure that both check boxes are set. For ownCloud you find these settings under the upper right (click on your username), followed by a click on Administration. To your left you will see a bunch of options. One of them is Collaborative documents. Click on it:

Enabled EtherPad / EtherCalc

By default, EtherPad and EtherCalc are using the instances which are provided by the developers. If you want to use another public instance you can always change these Host lines to your needs. A full list of public instances can be found here.
It is also possible to set up and host your own EtherPad / EtherCalc instance. Take a look at the official setup guide provided by the developers if you want to: How to set up your own EtherPad / EtherCalc instance.

Testing

To test the functionality, create a new EtherPad or EtherCalc file by clicking on the plus icon in your ownCloud / nextCloud file browser:

New file

As you can see, you have two new options which are called Pad and Calc, where Pad is EtherPad (text documents) and Calc is EtherCalc (spreadsheet documents). To create a new spreadsheet document, for example, click on Calc and give the file a name you desire. After you’ve done this, you will see a new file with a .calc ending in your file browser:

Newly created test EtherCalc file

In order to open this file and start editing, just click on it. The EtherCalc editor is going to be loaded and you’re ready to edit the file. If there is no editor popping up (for example, your browser wants to download the file instead), recheck that you’ve executed the installation and configuration steps correctly or try a different browser and delete your browser cache as well.

Test EtherCalc file in action. EtherCalc also supports some formulas.

About collaboration …

Now that you have a working ownCloud or nextCloud instance with ownPad running, you can start sharing an ownCloud / nextCloud link, which points to your EtherPad or EtherCalc file, with your co-workers. That way you and your co-workers are able to work simultaneously on that file. EtherPad as well as EtherCalc supports color highlighting while multiple people are working on one document. Besides this there is a built-in chat functionality for better and easier communication. However, you can also use EtherPad and EtherCalc for non-collaborative documents.

Final words

At the beginning of this article I mentioned that EtherPad / EtherCalc allows you to do collaborative text / spreadsheet editing like in Microsoft OneDrive or Google Drive. To be honest, to get the same functionality as in these two proprietary solutions you may be better off with Collabora Office, which basically provides LibreOffice in your browser. However, for a simple but also effective solution you really should take a look at EtherPad / EtherCalc. It’s easy to set up and use. Besides this it comes with a nice chat functionality which may be helpful as well. And hey, it’s free right? I love open source 😉
 

SSH as a proxy on Windows, Mac or Linux

You can do a lot of things with SSH besides working securely on remote machines. I’ve already covered in another article how to tunnel (port forwarding) through SSH. This time we’re looking at a way to use SSH as a proxy.

SSH: A tool not only to do remote work

SSH (Secure Shell) is mostly used to do maintenance on your Linux machines. However, over the years the capabilities of SSH have been extended from a simple secure "remote maintenance protocol" to a utility which is capable of doing things like X-Forwarding (for forwarding graphical applications), port forwarding or providing a SOCKS proxy.

Why do you even want to use a proxy server?

Proxy servers are helpful in a lot of ways. For example, if you’re staying some nights in a hotel or you’re in any other public Wireless LAN which blocks a specific website you want to visit, a proxy will help you to get past the filter. Or if you are forced to use techniques like DS-Lite, where you have to share a single IPv4 address with other users. Or to unblock videos on Netflix which are blocked in your country. You see, the situations where a proxy server is helping you are almost countless.
But why would you want to "set up" a proxy server on your own? The simple answer is that a lot of the public proxy servers are simply overloaded. They have to handle so much traffic that you are sometimes barely able to get 50% of your normal internet speed while using one of these public proxy servers. Besides this, using SSH as a proxy is really easy.

How to start a SOCKS proxy server by using SSH

In order to establish an SSH connection to your server which will then be a SOCKS proxy, you have to have the SSH server installed on the server side and the client software on the client side of course.

Using SSH as a proxy on Linux or Mac

For Linux or Mac you can use the SSH client command which is integrated in both systems. The following command would start an SSH connection, where your SOCKS proxy would then be locally reachable on port 19999 (19999 is just a suggestion and can be changed to almost anything from 1024 to 49151, the so called "user ports"):

user@client:~$ ssh -D 19999 user@server

After the connection has been successfully established, configure your browser to use the proxy server (follow the instructions below).

Using SSH as a proxy on Windows

Windows doesn’t come with an SSH command integrated. This means we need additional software in order to get connected and use the SSH server as a proxy. My recommendation here is PuTTY. PuTTY is a lightweight SSH client for Windows, which is the counterpart of the SSH command on Linux / Mac. You can download it here. After the download is finished, start PuTTY and enter the server you want to connect to like this:

Hostname you want to connect to

Navigate to Connection –> SSH –> Tunnels and enter the port 19999 in the Source port field (19999 is just a suggestion and can be almost anything from 1024 to 49151, the so called "user ports"). After you’ve entered the desired port number, ensure that you’ve selected Dynamic instead of Local:

Settings to tell SSH to create a SOCKS proxy

Click on the button Add in order to tell PuTTY to actually use the given information for the next connection. If you clicked on Add, you should see the port number you have chosen with the letter D in the upper box. If you’ve done this as well, you’re ready to connect to your server. After the connection is successfully established, go on and configure your browser (follow the instructions below).

Configure Firefox / Google Chrome to use the SOCKS proxy

Now that we’ve connected successfully to our server via SSH, we can actually use the SOCKS proxy which has been provided with the actual SSH connection.

Configuring Firefox to use the SOCKS proxy

Click on the options symbol in the upper right (represented as three horizontal lines) and click on Preferences. In the window that opens, select General and scroll down until you see the section Network proxy. Click on Settings and enter your SOCKS proxy details like this:

Firefox proxy settings

Ensure that you’ve checked the box Use this proxy server for all protocols. After you’ve clicked on OK you’re ready to go. Use portals like BearsMyIp to check if you’re actually surfing through your SSH SOCKS proxy tunnel.

Configuring Google Chrome (or Chromium) to use the SOCKS proxy

For Google’s Chrome browser you have to use the command line in order to set your SOCKS proxy. This includes Windows users as well. To start Google’s Chrome using your SSH SOCKS proxy, start the browser like this:

google-chrome --proxy-server="socks5://localhost:19999"

The Windows command line may look like this:

chrome.exe --proxy-server="socks5://localhost:19999"

Of course you can change google-chrome to chromium if you’re a Chromium user instead.

Final words

A proxy server does have its advantages. However, public proxies are sometimes overloaded and you will notice that as a significant slowdown of your internet connection when you start using them. As an alternative you can use SSH as a simple and fast way to make yourself a SOCKS proxy. Using SSH as a SOCKS proxy is a lot easier than, for example, configuring an Apache with Squid. If you have a server and you need a proxy, I highly recommend you use SSH in order to get a safe, fast and stable proxy server with a single command or a few clicks.


 

Setup a TeamSpeak 3 Server on Linux (Ubuntu / Debian)

This article is about how to set up a TeamSpeak 3 server on your Linux box. Thanks to the TeamSpeak 3 developers, this process is rather easy and you should have a running TeamSpeak 3 server within minutes.
TeamSpeak 3 is a heavily used solution (if not the most used one) to do low latency voice chat while gaming. If you use Skype, for example, the delay and the traffic between the talking people will be much higher, besides the Skype client being way more bloated than TeamSpeak. Besides TeamSpeak 3 there are other gaming based low latency solutions like Discord (which uses central servers without the possibility to set up your own instance) and Mumble.

Install requirements

The TeamSpeak 3 Server doesn’t really need any extra libraries in order to work. On a fresh Debian 9 installation, for example, it starts without any additional libraries. However, to download and extract the server software we need some additional software, in this case a download manager (wget) and the utility to extract the compressed server software (bzip2). The following commands install these utilities. In this case we use the package manager of Debian / Ubuntu, APT:

user@server:~$ sudo apt-get update
user@server:~$ sudo apt-get install wget bzip2

Now that all the needed utilities are on board, let’s move forward and install the server software itself.

Download and install the TeamSpeak 3 Server

TeamSpeak 3 is a proprietary software solution. Due to this fact you will not be able to install it from the repositories of your Linux distribution. This means you have to download it from the developers’ homepage onto your server. You can download the latest TeamSpeak 3 Server software here. As of writing this tutorial the latest and greatest TeamSpeak 3 Server version was 3.0.13.8. Whenever you go through this tutorial, your version number may be a newer one. The following command downloads version 3.0.13.8 to your server:

user@server:~$ wget http://dl.4players.de/ts/releases/3.0.13.8/teamspeak3-server_linux_amd64-3.0.13.8.tar.bz2

After the download is finished (which can take some time depending on your network speed), we can extract the downloaded server software. The following command is doing this:

user@server:~$ tar xfvj teamspeak3-server_linux_amd64-3.0.13.8.tar.bz2

Now it’s time to start the server for the first time.

Starting the TeamSpeak 3 Server

Now that we’ve downloaded and extracted the server software, we are able to start it. To do so, we have to change into the TeamSpeak Server directory (which was created automatically when extracting the server software) and issue the command to start the server:

user@server:~$ cd teamspeak3-server_linux_amd64
user@server:~/teamspeak3-server_linux_amd64$ ./ts3server_startscript.sh start

The first start takes some time, approximately 1-3 minutes. After the first start is finished, you will get an output like this:

------------------------------------------------------------------
 I M P O R T A N T
------------------------------------------------------------------
 Server Query Admin Account created
 loginname= "serveradmin", password= "BVV2YUIJ"
------------------------------------------------------------------
------------------------------------------------------------------
 I M P O R T A N T
------------------------------------------------------------------
 ServerAdmin privilege key created, please use it to gain
 serveradmin rights for your virtualserver. please
 also check the doc/privilegekey_guide.txt for details.
token=zvCYfUTRlcYl12dviAMuGKR7e+nQYKSE0bD9O4CI
------------------------------------------------------------------

Important: You should write down the server query admin account on a piece of paper, or save this information in a password database. This account is needed in emergency cases, like lost TeamSpeak user data or hacking attempts.
In this case we only need the privilege key for now. Store the line starting with token= in a text file. We need this token later on.
To finally check that your server is running correctly, you can issue the following command:

user@server:~/teamspeak3-server_linux_amd64$ ./ts3server_startscript.sh status
Server is running

If the output Server is running is welcoming you, it’s time to connect to your new server.

Connect to your server and give yourself admin rights

At this point I assume, that you’ve already installed the TeamSpeak 3 client onto your computer. If you didn’t, you should download it here. If you’re a Linux user, you have to download the TeamSpeak 3 client through the link. You will not find the TeamSpeak 3 client in the distribution repositories due to the same reason as you will not find the TeamSpeak 3 server software.
To connect to your server, start the TeamSpeak 3 client and click on Connections –> Connect or use the hotkey CTRL+S. In the upcoming dialog, enter the IP address or name of your server and pick a nickname which you want to use on that server and hit the Connect button.

Connection dialog

The server recognizes that it has just been set up and pops up another dialog where it asks for a so called Privilege Key. This Privilege Key is the generated token we’ve saved a few steps before in a text file. Open the text file (if not already open), copy everything after token= and insert this key into the dialog box like this:

TeamSpeak privilege key

After you’ve used the privilege key you can delete the text file. A privilege key is for one-time use only. You should now see a new symbol beside your nickname which states that you’re an Administrator. From now on, you should be able to create channels, server groups, edit the server’s name and so on.

Indicator that you’re an Admin

After this step your TeamSpeak 3 server is completely and fully set up. You can now close the SSH connection to your server and start to share your server’s address with your friends and start talking 🙂

Useful tips

While the TeamSpeak 3 software is mainly rock solid, you should take care that your server is always up to date. To update the TeamSpeak 3 server software go to their official homepage, download the newest version (like you did before in this tutorial with wget) and extract it. All files except the database files will be overwritten. This ensures that you don’t have to start all over again when you do an update. However, you have to stop the TeamSpeak 3 server before you update it. You can do this easily like this:

user@server:~$ cd teamspeak3-server_linux_amd64
user@server:~/teamspeak3-server_linux_amd64$ ./ts3server_startscript.sh stop

After you’ve extracted the updated server files you can start the server again:

user@server:~/teamspeak3-server_linux_amd64$ ./ts3server_startscript.sh start

Please also be aware that you should use a firewall or packet filter solution like IPTables. A server with the latest security patches is good, but a firewall solution will always increase the security these days.

Final words

In times where almost everything gets more and more centralized (Discord, WhatsApp, …) I feel that a solution like TeamSpeak 3 is really needed. I know there are other solutions like Mumble which have the additional benefit of being Open Source, however, we can’t have enough decentralized solutions if you ask me 😉
I hope this tutorial is helpful for you. If you have any questions or if you just want to leave feedback, use the comment section below.
