Multiple hop tunnel to chain port forwarding

I was trying to set up a db connection to from a vm on my laptop to a db server that was configured to only accept connections from machines behind its own subnet. I had trouble setting up a multiple hop tunnel for chaining port forwarding through my firewall machine on the same subnet as the db. My first attempt involved two port forwards, on localhost and on the firewall machine, which didn't work for me. This approach I found at http://www.derkeiler.com/Newsgroups/comp.security.ssh/2006-03/msg00267.html involved constructing an end to end connection to the db via the firewall machine

When you have to go through multiple hops, it's usually better to get an
end-to-end connection. In this case:

ssh -oproxycommand="ssh -qaxT firewall nc %h %p" -L 5432:localhost:5432 dbserver

If you have a copy of the snail book, section 11.4 (p444) has a discussion
of these two approaches.

The annoyance with the second approach is that it requires having netcat
("nc") or something equivalent on the intermediate host. I hope that
someday OpenSSH will have this feature built in, i.e. connecting an exec
channel to a remote TCP connection.

Edit: I found some documentation on 'ProxyCommand' here that seems relevant

ProxyCommand
Specifies the command to use to connect to the server. The com-
mand string extends to the end of the line, and is executed with
the user's shell. In the command string, `%h' will be substitut-
ed by the host name to connect and `%p' by the port. The command
can be basically anything, and should read from its standard in-
put and write to its standard output. It should eventually con-
nect an sshd(8) server running on some machine, or execute sshd
-i somewhere. Host key management will be done using the Host-
Name of the host being connected (defaulting to the name typed by
the user). Setting the command to ``none'' disables this option
entirely. Note that CheckHostIP is not available for connects
with a proxy command.

This directive is useful in conjunction with nc(1) and its proxy
support. For example, the following directive would connect via
an HTTP proxy at 192.0.2.0:

ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

Connect to IMAP using JavaMail over SSL

Connect to and get mailbox information from an imaps server using JavaMail. I'm using a custom SASLMasqueradeAuthenticator method, configuring JavaMail's Socket Fetcher class to use "MailSSLSocketFactory".

    public static void getMailboxInfo(String mail, String mailHost)
            throws javax.mail.NoSuchProviderException, MessagingException, IOException, GeneralSecurityException {
        Config conf = nsit.Config.getInstance();
        String mpUser = "";
        String mpPassword = "";
        // setup mail server
        MailSSLSocketFactory sf = new MailSSLSocketFactory();
        sf.setTrustAllHosts(true);

        // set system properties
        Properties mailProps = System.getProperties();
        mailProps.put("mail.imaps.ssl.socketFactory", sf);
        mailProps.put("mail.store.protocol", "imaps");
        mailProps.put("mail.imaps.host", mailHost);
        mailProps.put("mail.imaps.port", "993");

        // get session
        //Session session = Session.getDefaultInstance(mailProps);
        mailProps.setProperty("mail.imaps.sasl.authorizationid", mail);
        Session session = Session.getInstance(mailProps, new SASLMasqueradeAuthenticator(mpUser, mpPassword));
        session.setDebug(false);
        Store srcStore;
        srcStore = session.getStore();
        srcStore.connect();
        Folder src = srcStore.getDefaultFolder();
        //log.info("src.getName() " + src.getName());
        //log.info("src.getType() " + src.getType());
        //log.info("src.HOLDS_FOLDERS " + src.HOLDS_FOLDERS);

        if ((src.getType() & Folder.HOLDS_FOLDERS) != 0) {
            Folder[] subfolders = src.list();
            log.info("subfolders.length " + subfolders.length);
            for (int i = 0; i < subfolders.length; i++) {
                long msgs_size = 0;

                if (subfolders[i].getMessageCount() != 0) {
                    log.info("subfolders[i].getMessageCount() " + subfolders[i].getMessageCount());
                    subfolders[i].open(Folder.READ_ONLY);
                    Message[] messages = subfolders[i].getMessages();

                    for (int x = 0; x < messages.length; x++) {
                        //log.info("msg_size " + messages[i].getSize() + " bytes long.");
                        if (messages[i].getSize() != -1) {
                            msgs_size += messages[i].getSize();
                        }
                    }
                    log.info("msgs_size " + (msgs_size));
                    log.info("msgs_size " + (msgs_size / (1024L * 1024L)));

                    subfolders[i].close(false);         
            }
        } else {
            System.out.println("Not default folder");
        }
    }

    private static class SASLMasqueradeAuthenticator extends Authenticator {

        String authcid, authcpass;

        public SASLMasqueradeAuthenticator(String adminusername, String adminpassword) {
            authcid = adminusername;
            authcpass = adminpassword;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(authcid, authcpass);
        }
    }

Stored functions to BASE64 ENCODE and DECODE in MySQL

-- base64.sql - MySQL base64 encoding/decoding functions
-- Copyright (C) 2006 Ian Gulliver
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of version 2 of the GNU General Public License as
-- published by the Free Software Foundation.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program; if not, write to the Free Software
-- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

delimiter |

DROP TABLE IF EXISTS base64_data |
CREATE TABLE base64_data (c CHAR(1) BINARY, val TINYINT) |
INSERT INTO base64_data VALUES
('A',0), ('B',1), ('C',2), ('D',3), ('E',4), ('F',5), ('G',6), ('H',7), ('I',8), ('J',9),
('K',10), ('L',11), ('M',12), ('N',13), ('O',14), ('P',15), ('Q',16), ('R',17), ('S',18), ('T',19),
('U',20), ('V',21), ('W',22), ('X',23), ('Y',24), ('Z',25), ('a',26), ('b',27), ('c',28), ('d',29),
('e',30), ('f',31), ('g',32), ('h',33), ('i',34), ('j',35), ('k',36), ('l',37), ('m',38), ('n',39),
('o',40), ('p',41), ('q',42), ('r',43), ('s',44), ('t',45), ('u',46), ('v',47), ('w',48), ('x',49),
('y',50), ('z',51), ('0',52), ('1',53), ('2',54), ('3',55), ('4',56), ('5',57), ('6',58), ('7',59),
('8',60), ('9',61), ('+',62), ('/',63), ('=',0) |


DROP FUNCTION IF EXISTS BASE64_DECODE |
CREATE FUNCTION BASE64_DECODE (input BLOB)
RETURNS BLOB
CONTAINS SQL
DETERMINISTIC
SQL SECURITY INVOKER
BEGIN
DECLARE ret BLOB DEFAULT '';
DECLARE done TINYINT DEFAULT 0;

IF input IS NULL THEN
RETURN NULL;
END IF;

each_block:
WHILE NOT done DO BEGIN
DECLARE accum_value BIGINT UNSIGNED DEFAULT 0;
DECLARE in_count TINYINT DEFAULT 0;
DECLARE out_count TINYINT DEFAULT 3;

each_input_char:
WHILE in_count < 4 DO BEGIN
DECLARE first_char CHAR(1);

IF LENGTH(input) = 0 THEN
RETURN ret;
END IF;

SET first_char = SUBSTRING(input,1,1);
SET input = SUBSTRING(input,2);

BEGIN
DECLARE tempval TINYINT UNSIGNED;
DECLARE error TINYINT DEFAULT 0;
DECLARE base64_getval CURSOR FOR SELECT val FROM base64_data WHERE c = first_char;
DECLARE CONTINUE HANDLER FOR SQLSTATE '02000' SET error = 1;

OPEN base64_getval;
FETCH base64_getval INTO tempval;
CLOSE base64_getval;

IF error THEN
ITERATE each_input_char;
END IF;

SET accum_value = (accum_value << 6) + tempval;
END;

SET in_count = in_count + 1;

IF first_char = '=' THEN
SET done = 1;
SET out_count = out_count - 1;
END IF;
END; END WHILE;

-- We've now accumulated 24 bits; deaccumulate into bytes

-- We have to work from the left, so use the third byte position and shift left
WHILE out_count > 0 DO BEGIN
SET ret = CONCAT(ret,CHAR((accum_value & 0xff0000) >> 16));
SET out_count = out_count - 1;
SET accum_value = (accum_value << 8) & 0xffffff;
END; END WHILE;

END; END WHILE;

RETURN ret;
END |

DROP FUNCTION IF EXISTS BASE64_ENCODE |
CREATE FUNCTION BASE64_ENCODE (input BLOB)
RETURNS BLOB
CONTAINS SQL
DETERMINISTIC
SQL SECURITY INVOKER
BEGIN
DECLARE ret BLOB DEFAULT '';
DECLARE done TINYINT DEFAULT 0;

IF input IS NULL THEN
RETURN NULL;
END IF;

each_block:
WHILE NOT done DO BEGIN
DECLARE accum_value BIGINT UNSIGNED DEFAULT 0;
DECLARE in_count TINYINT DEFAULT 0;
DECLARE out_count TINYINT;

each_input_char:
WHILE in_count < 3 DO BEGIN
DECLARE first_char CHAR(1);

IF LENGTH(input) = 0 THEN
SET done = 1;
SET accum_value = accum_value << (8 * (3 - in_count));
LEAVE each_input_char;
END IF;

SET first_char = SUBSTRING(input,1,1);
SET input = SUBSTRING(input,2);

SET accum_value = (accum_value << 8) + ASCII(first_char);

SET in_count = in_count + 1;
END; END WHILE;

-- We've now accumulated 24 bits; deaccumulate into base64 characters

-- We have to work from the left, so use the third byte position and shift left
CASE
WHEN in_count = 3 THEN SET out_count = 4;
WHEN in_count = 2 THEN SET out_count = 3;
WHEN in_count = 1 THEN SET out_count = 2;
ELSE RETURN ret;
END CASE;

WHILE out_count > 0 DO BEGIN
BEGIN
DECLARE out_char CHAR(1);
DECLARE base64_getval CURSOR FOR SELECT c FROM base64_data WHERE val = (accum_value >> 18);

OPEN base64_getval;
FETCH base64_getval INTO out_char;
CLOSE base64_getval;

SET ret = CONCAT(ret,out_char);
SET out_count = out_count - 1;
SET accum_value = accum_value << 6 & 0xffffff;
END;
END; END WHILE;

CASE
WHEN in_count = 2 THEN SET ret = CONCAT(ret,'=');
WHEN in_count = 1 THEN SET ret = CONCAT(ret,'==');
ELSE BEGIN END;
END CASE;

END; END WHILE;

RETURN ret;
END |

Shibboleth Relational Database DataConnector

Example Shibboleth Relational Database DataConnector configuration for MySQL with column mapping of AES encrypted attribute.

                                xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                            id="MyDatabase">
        
                                                   jdbcURL="jdbc:mysql://localhost:3306/handle"
                                           jdbcUserName="test"
                                           jdbcPassword="test" />

        
                            SELECT AES_DECRYPT(password, 'key') FROM handle WHERE username='$requestContext.principalName'
            ]]>
        
     


    

Jsp Insert into MySQL database, AES encryption

Jsp code that inserts into a MySQL database, using AES_ENCRYPTION for 128 bit AES encryption of one of the database columns with ON DUPLICATE KEY UPDATE syntax.

<%@page import="java.sql.*"%>
<%@page import="java.io.*"%>

<%
String username = request.getParameter("username");
String password = request.getParameter("password");
String connectionURL = "jdbc:mysql://localhost:3306/handle";
Connection connection = null;
PreparedStatement pstatement = null;
Class.forName("com.mysql.jdbc.Driver").newInstance();
int updateQuery = 0;
if(username!=null && password!=null){
            try {
              connection = DriverManager.getConnection (connectionURL, "test", "test");
              String queryString = "INSERT INTO handle(username, password, last_login) VALUES (?, AES_ENCRYPT(?, 'key'), now()) ON DUPLICATE KEY UPDATE last_login=now()";
              /* createStatement() is used for create statement
              object that is used for sending sql statements to 
              the specified database. */
              pstatement = connection.prepareStatement(queryString);
              pstatement.setString(1, username);
              pstatement.setString(2, password);
              pstatement.setString(3, password);
              updateQuery = pstatement.executeUpdate();
              if (updateQuery != 0) { %>
                   
                   
                      
                   
              <%

              }
            } 
            catch (Exception ex)  { %>
                   
                   
                      
                   
              <%

              }

            finally {
                // close all the connections.
                pstatement.close();
                connection.close();
            }
}
%>

Half-Marathon Training

I follow the training regimens on running.about.com to train for races - I've run several 5k's and 10k's. This summer I am entered in the 2009 Rock 'n' Roll Chicago Half Marathon on August 2, 2009 as a charity runner for the American Cancer Society. To train for the race I'm using the Half-Marathon Advanced Beginner training program on running.about.com. I'm on week 9, currently - I repeat some weeks to pad out the time until the race. The long 10 mile+ runs are pretty brutal - I made the mistake last week trying to do a 10 mile run in the 90+ degree heat. I'll probably write more about this stuff later on.

Javascript form autosubmit

Autosubmit form with Javascript. Place

 onload="document.forms[0].submit()" 

in your form's body tag then something like

                

                        


                                 />

                                 />