Fixing cyrus SASL pwcheck to use PAM

Cyrus IMAP uses cyrus SASL for all authentication. You can set up SASL to use PAM for checking passwords, but many PAM methods only work when run as root. This means that you need to use the pwcheck daemon to proxy the authentication request. The problem with that is that the pwcheck daemon that comes with cyrus 1.5.x does not use PAM.

The fix is to build cyrus SASL so that it builds pwcheck with PAM support.

Just apply this patch to your copy of the cyrus-sasl port and make it with PWCHECK_USE_PAM=1. Having done this, you can set up the 'cyrus' service in /etc/pam.conf any way you like. The only downside is that pwcheck doesn't know which service is doing the asking, so all users of cyrus pwcheck will be treated the same. In practice this is usually only sendmail and cyrus imap/pop, though, and typically having those in the same authentication domain is ok.

Cyrus SASL 2.x will fix this problem by replacing pwcheck with a more fully featured authentication proxy that will be configurable to use PAM if desired.

Apple AirPorts & FreeBSD

Note! The java configurator works under OS X too. Just pull up a terminal (in the Utilities folder inside Applications) and "java -jar" the jar file!

Note! Most of what used to be here is now obsolete. I've gotten much better information now.

First, both the Apple Airport and the Lucent RG-1000 are the same except for a minor detail. The network name on an RG-1000 is fixed (and is printed on the sticker on the bottom of the unit). Don't try to change it with the configurator program (see below). Apart from that, they can be treated interchangeably here.

Jon Sevy has written a most excellent Airport configurator in Java. It can be had here (A port is here). Be sure to follow his instructions carefully (this pretty much means to be sure to retrieve the settings from the box before making changes and updating).

The mac Airport software uses a funky hash function to turn the network password into the encryption key. Unfortunately, the function they use is not documented. However, there are ways to specify the network password that avoid this algorithm. To specify a 5-character ASCII string that is not hashed, put it in quotes. To specify a straight 10-hex-digit key, put a $ (dollar sign) in front of it (so if you specified the key 0xdeadbeef92 to wicontrol on FreeBSD, tell your mac to use $deadbeef92).
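As an added example (not from the original page, and not part of Jon Sevy's configurator), here is a small POSIX sh helper that turns a key written the AirPort way (quoted 5-character ASCII or $-prefixed hex) into the 0x form that wicontrol takes, and refuses a bare password because that goes through the undocumented hash; it also prints the two wicontrol lines from the older notes below. The interface name wi0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Translate a key as typed into the
# Mac AirPort software into the argument wicontrol -k expects on FreeBSD.
# Conventions assumed (as described above): "abcde" is a 5-char ASCII key used
# as-is, $deadbeef92 is a raw 10-hex-digit key. A bare password is run through
# Apple's undocumented hash, so it cannot be converted here; for that case use
# the "Network Equivalent Password" shown by AirPort Admin instead.

# Print the wicontrol -k argument (0x + 10 hex digits) for an AirPort key spec.
airport_key_to_wi() {
    spec=$1
    case "$spec" in
        '$'*)                       # $deadbeef92 -> 0xdeadbeef92
            hex=${spec#?}
            ;;
        '"'?????'"')                # "abcde" -> 0x6162636465
            ascii=${spec#?}
            ascii=${ascii%?}
            hex=$(printf '%s' "$ascii" | od -An -tx1 | tr -d ' \n')
            ;;
        *)
            echo "hashed password: quote a 5-char key or use \$hex form" >&2
            return 1
            ;;
    esac
    # Exactly 10 hex digits = 40-bit WEP key; reject anything else
    # (this also catches a "quoted" key containing multibyte characters).
    case "$hex" in
        *[!0-9a-fA-F]*) echo "non-hex digits in key: $hex" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 10 ] || { echo "key must be 10 hex digits" >&2; return 1; }
    printf '0x%s\n' "$hex"
}

# Print the wicontrol commands that set the key and enable encryption on the
# given wi(4) interface. Printed rather than run: wicontrol needs root.
wi_enable_wep_cmds() {
    key=$(airport_key_to_wi "$2") || return 1
    printf 'wicontrol -i %s -k %s\nwicontrol -i %s -e 1\n' "$1" "$key" "$1"
}
```

Pipe the output of wi_enable_wep_cmds into sh as root once you have checked it, or just copy the two lines.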

Here's what used to be here:

Bill Fenner gave me enough confidence that I could buy an AirPort without a mac and still happily control the thing. With his guidance, I was able to turn NAT off on the thing and bring it sort of up, but without a mac I was unable to turn on encryption, or set an administrative password on the device.

Then my wife bought an iBook.

Now I have everything sewn up just so, but since I never found any sites on the web to help with the process, I thought I would put up some hints about how to get macs with AirPort cards and non-macs with Lucent cards to use the same AirPort with the encryption enabled (in theory, this same trick should work if you're using a mac with Software AirPort turned on too).

Using your mac, visit the AirPort Admin tool. Set your AirPort up with whatever network parameters you need. Turn on WEP and give it a password. Then update the airport.

At this point, you should be cut off from your network, as you must next visit the AirPort panel for your mac's AirPort card. Tell it to hook up to your network. It should then prompt you for the network password.

Having re-established (now secure) communications with your AirPort, revisit the AirPort admin panel. If you are configuring an AirPort with WEP turned on, a menu item will become available called "Network Equivalent Password." This item is not documented very well, but if you bring it up, it will give you a 10-digit hex number. This number is the current encryption key for the network. On your FreeBSD machine, simply use wicontrol -i interface -k key to set the key and wicontrol -i interface -e 1 to enable encryption. Be sure to specify the key with a leading 0x to ensure that it is treated as a hex key. Note that if you do a wicontrol -i interface to check the settings, the key will be printed as garbage. The network password is run through an (undocumented) hash to get the hex key.

Be sure that you are communicating with your AirPort and that you have NOT changed the network password before you pull up the Network Equivalent Password. I believe the number you get is actually the AirPort card's encryption key. If you change the network password, then look up the Network Equivalent Password, you'll get the wrong number.

To their credit, Apple does have a page that describes this operation. It's just not all that obvious how one normally finds it.

PPTP + Encryption

This note is obsolete because userland ppp now supports MPPE, which makes the poptop port with userland ppp much easier to set up.

One of the things I've been waiting for is using a FreeBSD machine as a VPN server for Microsoft clients. Although Microsoft's encryption is a little on the slipshod side, its prevalence makes it the winner, unfortunately.

With the advent of netgraph, the implementation becomes a largely kernel based one, with a single userland daemon to maintain it.

The instructions on how to achieve a PPTP server used to be a lot more complicated, but with the advent of 4.1-RELEASE, all that is necessary is to add the mpd-netgraph port and properly configure it.

Sun USB keyboards

Before I ever owned a single PC I was into Suns in a big way. I always liked Sun keyboards, mostly because they all had a whole lot of keys. Well, the price:performance ratio of PCs has been much better than Suns for quite some time now, so I have been forced to use PCs. Fortunately, FreeBSD makes the prospect a lot more enjoyable. But I still miss good keyboards.

Until now.

The Sun Ray 1 Enterprise station comes with a USB keyboard. That means that Sun has those keyboards available as spare parts. They look and work no differently than a traditional Sun keyboard, except that they don't have a mouse port and they have a suspend key rather than a power key. The part number you want for a North American layout USB Type 6 keyboard is 320-1271. Those of you who like the Unix layout are out of luck. Sun seems to have discontinued the Unix layout USB keyboards (which is fine with me, as the Unix layout had a bunch of things in the wrong place; the NA layout only has control and capslock swapped, and that's easy to fix in software).

FreeBSD's USB keyboard driver works just fine with this keyboard. Unfortunately, the extra keys (the left two columns of edit keys, the help key and the volume control and sleep keys) are ignored. I suspect this has to do with the AT scancode conversion stuff that the USB keyboard driver does. This step may be unnecessary if all you use is X, and can supply a correct XKB configuration. More on this as I progress...