Secure PHP/JavaScript login without SSL

Posted by JH on 24 Nov 2008 | Tagged as: Uncategorized

I was looking around for concepts in building a reasonably secure HTML login form without using SSL, and I came across an interesting article (link at end of post). The concept it outlines is fairly simple, and I’m a little annoyed that I didn’t think of this myself earlier.

Essentially, the idea is that the password never actually leaves the client machine. Instead, the client sends a cryptographic hash derived from the password. For other security reasons, we also don’t want the server to store the password in plain text, so it stores only the hash of the password. One consequence is worth stating up front: in this scheme the stored hash is exactly the value the client proves it knows, so anyone who obtains the server’s password table can log in without ever learning a password. The design protects the password on the wire, not the hashes at rest.

Of course, this alone isn’t enough, because anyone sniffing the wire could simply capture the hash, send it to the server and authenticate. What we need is a way for the server and the client to agree that they hold the same password hash without actually sending it. To accomplish this, the server generates a random string (a challenge) and sends it to the client. Both sides then append the password’s hash to the random string and hash the combined string. The client sends that result to the server, and if it matches the server’s own result, we have a valid authentication. Two conditions make this work: the random string must be unpredictable, and it must be used only once, so that a captured response is useless on the next attempt. Note also what this does not defend against: without SSL, an active attacker can alter the page or the JavaScript it loads and collect the password before it is ever hashed. The scheme is a defence against passive eavesdropping only.

The article referenced above included some sample code to illustrate this functionality, but I believe I can simplify it even further. It’s not a practical, real world example, because we’re not sending a user name or retrieving a password from a stored location on the server. But it should be enough to illustrate the concept and give a developer a head start in however they wish to implement. Personally, I plan to instantiate the code in a class and use XMLHttpRequest instead of traditional POST methods.

Anyway, on to the example code. Note: This example doesn’t actually look up any stored user login information. Instead it simply uses a pre-defined password: ‘password’.

We’ll need two files. The first file generates the server’s random challenge (the code calls it the key) and passes that value to the client, along with the HTML and JavaScript needed to input a password, generate the hash values and submit the form to the server.

Create main.php with the content:

<?php
// We'll use PHP's session handling to keep track of the server-generated key

session_start();

// Function to generate a random key (the per-login challenge).
// Modified from code found at: http://www.totallyphp.co.uk/code/create_a_random_password.htm
// The original used rand(), which is not a cryptographic generator; a guessable
// challenge lets an attacker precompute responses, so use random_int() (PHP 7+).

function randomString($length) {
    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $str;
}

// Call the function and set the challenge. A fresh value is generated on every
// page load, so each login attempt gets its own key.

$key = $_SESSION['key'] = randomString(20);
?>

<html>
  <head>
    <!-- JavaScript that contains the functions which perform the actual hashing.
         Without SSL a script loaded from a third-party host over plain HTTP can be
         swapped out on the wire; serve a local copy of sha1.js from your own server. -->
    <script type="text/javascript" src="http://pajhome.org.uk/crypt/md5/sha1.js"></script>

    <!-- The following function creates the hash of the concatenated key and password hash
and submits the content to the server via a form -->
    <script type="text/javascript">
	function login() {
		var p = hex_sha1(document.getElementById('pass').value);
		var k = document.getElementById('key').value;
		var h = hex_sha1(k+p);   // must match sha1($key.$pass) in login.php
		document.getElementById('hash').value = h;
		document.getElementById('finalform').submit();
		return false;            // keep the first form from submitting anything itself
	}
    </script>
  </head>
  <body>
    <!-- This form never reaches the server: onsubmit hashes the password locally -->
    <form onsubmit="return login();">
	<input type="hidden" id="key" value="<?php echo htmlspecialchars($key); ?>" />
	<input type="password" id="pass" />
	<input type="submit" value="Submit" />
    </form>
    <!-- Only the computed hash is posted -->
    <form action="login.php" method="post" id="finalform">
	<input type="hidden" name="hash" id="hash" />
    </form>
  </body>
</html>

Next we need the file to handle the submitted values and compare the results. Create login.php with the following contents:

<?php
session_start();

// Reject requests that carry no response or have no outstanding challenge
if (!isset($_POST['hash'], $_SESSION['key'])) {
	die("NO MATCH!");
}
$hash = $_POST['hash'];
$key  = $_SESSION['key'];

// Consume the key so the same response cannot be replayed within this session
unset($_SESSION['key']);

// In a real application this would be the stored hash for the submitted user name
$pass = sha1('password');

$server_hash = sha1($key.$pass);

// Strict comparison: PHP's == compares two numeric-looking strings (e.g. "0e123...")
// as numbers, which can make different hashes compare equal
if ($server_hash === $hash) {
	echo "MATCH!";
} else {
	echo "NO MATCH!";
}
?>

That’s pretty much it. If you want to see a little more fluid example in action, see: http://www.lightcubesolutions.com/~jhuntwork/secure_login/

Referenced article: PHP - Implementing Secure Login with PHP, JavaScript, and Sessions (without SSL)

Resolving Parallels Issue after Windows SP3 Update

Posted by fhagard on 01 Sep 2008 | Tagged as: Uncategorized

I delayed installing Windows SP3 on my MacBook Pro BootCamp partition because of some subconscious fear. If you think it will happen, it very well could - Parallels couldn’t get the Windows Virtual Machine to boot.

When I launched parallels the following screens showed up:

Windows Error #1

This was quickly followed by this screen:

Parallels_Error #2

Then it started looping between those two screens. Never before have I seen a looping blue screen of death! After a brief investigation (translation: “low level panic attack”) and a few “force kills” in Leopard I found the solution to the problem on the Parallels Forum. For the masses of you who may already know about the solution: Great! For the rest who have been searching and haven’t found the solution, this worked for me:

  1. Select XP Boot Camp Virtual Machine but don’t start it.
  2. Click “Hard Disk 1” and open Configuration Editor.
  3. Click “Advanced” on the right panel.
  4. Click the “Clear” button to remove Parallels information from the boot camp partition.
  5. Start the Virtual Machine.
  6. When asked to Activate Windows say no.
  7. Activate windows AFTER it has fully loaded.
  8. Reinstall Parallel Tools.

HowTo: Using JavaScript’s window.opener in PHP

Posted by fhagard on 29 Aug 2008 | Tagged as: Uncategorized

It’s often the case in development that you’ll find yourself embedding brand new code with the old. The simplest of commands can go a long way to making the content exchange easier. window.opener.document.getElementById is a great way to pass information between web pages (the old and the new) that need to coexist. The scenario could be passing data between a parent window and a child, or using hidden popups. Here is a PHP example that updates checkboxes on a parent window (or launching page) by echoing JavaScript code. Note that the child can only reach into the opener’s document when both pages share the same origin; the browser’s same-origin policy blocks the access otherwise.


<?php
// Initialize an array of checkbox IDs that exist on the opener (parent) page
$array_checkbox = array("chk_name1", "chk_name2", "chk_name3", "chk_name4");

// The original loop ran while $i <= 4, one past the last index of a four-element
// array; iterating the array directly avoids the off-by-one
echo "<script type=\"text/javascript\">\n";
foreach ($array_checkbox as $chkname) {
    // json_encode emits a properly quoted JavaScript string literal for the ID
    echo "window.opener.document.getElementById(" . json_encode($chkname) . ").checked = true;\n";
}
echo "</script>\n";
?>

Wasn’t that quick and easy? You’ll notice that you could just as easily replace the checkbox names with divs, radio buttons or anything else that needs to have its value or property modified. This opens up a world of possibilities, doesn’t it?
 

MySQL Workbench with Alpha Mac Version

Posted by fhagard on 21 Aug 2008 | Tagged as: MySQL, Software Development

Before starting up new projects we make it a custom to take our lessons learned and improve. We are at that point right now and I find myself wanting something to streamline our database architecting and development process. Most of the LAMP design we’ve done in the past has only utilized a handful of tables with minimal relationships. But I’m projecting that our future work will require databases that have more normalized tables with more relationships.

I just realized that through MySQL Workbench we can streamline our process. We typically go through Entity Relationship/Data Design modeling with our clients and this tool can save a few steps. We can go from those diagrams right to the database (live database forward engineering only available in the Enterprise Edition of Workbench). The folks at MySQL have blogged about the screen designs for Workbench that they are developing for Mac OS X. I’m really looking forward to it since I don’t like having to open up Parallels and use Windows for just one tool. It’s certainly worth using the Windows build in the meantime. I’m looking forward to the Alpha release coming in September.

ActiveCollab: The Great One Stop Shopping Application

Posted by fhagard on 14 Aug 2008 | Tagged as: Consulting, Linux, Management

Usually I start these types of blogs with a decent dissertation of what the problem was and then give the solution. Let’s flip that this time around since I’m in a quick blog mood.

Answer: ActiveCollab

Problem: Keep Reading.

When our clients and projects started to pile up we realized very quickly that we needed to get ourselves something that can give our clients exposure to our progress and help us manage our project. In my history of consulting that was done with multiple spreadsheets and project management software. Not wanting to go down that same path I started looking for SOMETHING that could be the best of all our wants and needs. Here was the raw list of wants and needs.

Needs:

  • Project portal that will allow our clients to see status reports
  • Tool that will allow us to collaborate with our clients without email chains, phone tag and IM convos
  • Location where files can be stored and information shared like a wiki but easy for a non-technical client to use
  • Web-Based and pleasing to the eyes
  • It needed to have strong User Access Control
  • Ticketing System is a must

Here are all the wants:

  • It would be great if it could be hosted on our own server
  • Wouldn’t it be great to customize it to look exactly the way you want?
  • Client portal feel without all that content management work

The solution, as was previously stated, is ActiveCollab. There were quite a few decent alternatives but AC really met all the requirements and then some. We have been able to customize it exactly the way we wanted and it works great. We are totally a LAMP stack shop and it was great being able to throw the code onto our server and get it working and customized within a few short hours. Most importantly, we have something that meets ALL of our needs and wants.

For more information check out: http://www.activecollab.com/

Where did the time go? - Ask OfficeTime

Posted by fhagard on 20 Jul 2008 | Tagged as: Consulting, Time Tracker

As promised, this is the follow-up of my 21 day OfficeTime evaluation (see original post “Where Did The Time Go?”). Not that all of you were waiting with bated breath for it! Nonetheless, I’m trying to stick to my blog promises.

OfficeTime certainly lived up to everything stated on the website. I was truly impressed with the integration with iCal and the ability to track not just your time but see the reports of others (I have yet to get everyone using it though, hence the blog). The benefit of the iCal integration is that when you’re trying to figure out where that time really went, all you have to do is pull up your week or month and there it is. Sometimes you don’t realize how your time really gets used until you start discretely tracking it and see it visually.

The other major thing for me was the Global Menu Bar Start and Stop. It’s a quick way to start timing without having to go through the run around of launching the program (the application has already found its way to my dock). In all blog honesty I hit a few recurring crashes but I was able to submit the bug and get a quick response from the team. They are also really welcoming with suggestions and enhancements that you throw their way.

There are of course plenty of other talking points for this application that are really eye catching. Not that any of you look to me as the authority of all that is consulting, but this is a consultant must have App!

Moving to Wordpress

Posted by JH on 09 Jul 2008 | Tagged as: Uncategorized

This is really just an informational post, and a test of sorts. We’re moving our blog from Blogger.com to a locally installed version of Wordpress. There have been a number of articles written about Blogger vs. Wordpress, and I’m sure if you Google it you can find all sorts of views on the subject. When it comes down to it, it’s really just a matter of perspective. We chose to move to Wordpress for the following main reasons:

  1.  More editing functionality and possibilities.
  2.  Easier template editing (in my opinion).
  3.  Larger variety of plugins
  4.  Completely installed and managed locally instead of publishing content to a local address through FTP.

If I wanted this to be a long post, I’m sure I could continue to find and list reasons. Suffice it to say that we’re now using Wordpress and the URL for the site has changed. From now on, you can access us here: http://www.lightcubesolutions.com/blog/

Clonezilla HOWTO: Quick and Dirty Setup

Posted by JH on 06 Jul 2008 | Tagged as: Clonezilla, Linux, SysAdmin

Since I wrote the post ‘Clonezilla’ in January, our blog has been getting a lot of hits, apparently from people looking for advice on how to set up Clonezilla. This is understandable, since DRBL (of which Clonezilla is just a piece) is a complex piece of work, with loads of possibilities. So I decided to write up a small HOWTO, a quick and dirty method of getting Clonezilla up and running.

Before I go on, a bit of a disclaimer: Following the instructions below may not provide you with results that fit your particular needs. If you have specific and detailed requirements, see the DRBL documentation. If you would like to hire LightCube Solutions to provide assistance in setting up a Clonezilla solution for your organization, see our Contact page.

The Steps

1. Install Ubuntu Hardy

You’ll need a Linux machine to run your Clonezilla services. I chose Ubuntu because it’s easy to set up and is quite popular. DRBL will also run on Debian and Fedora.

2. Install DRBL

First off, open up a Terminal. In Ubuntu Hardy, this is located in ‘Applications -> Accessories -> Terminal’. Then change to super-user access by typing:

sudo -i

Next, add DRBL’s GPG key to your system. The key is fetched over plain HTTP, so before trusting it list its fingerprint and compare it with the one the DRBL project publishes:

wget http://drbl.sourceforge.net/GPG-KEY-DRBL
gpg --with-fingerprint GPG-KEY-DRBL
apt-key add GPG-KEY-DRBL

Update your apt configuration so that you can install software from the DRBL guys:

cp /etc/apt/sources.list{,.bak}
echo "deb http://drbl.sourceforge.net/drbl-core drbl stable" \
  >> /etc/apt/sources.list

Finally, install DRBL:

apt-get update
apt-get install drbl

3. Configure a Network Alias

DRBL requires that you have two network interfaces. We can get around this by adding a virtual interface:

cat >> /etc/network/interfaces << "EOF"
auto eth0:1
iface eth0:1 inet static
   address 192.168.222.1
   netmask 255.255.255.0
EOF
ifup eth0:1

Don’t worry if you see something like this (it’s just an annoying but harmless bug in Ubuntu):

(SIOCSIFFLAGS: Cannot assign requested address)

To verify that you have set up the alias properly, type:

ip addr show eth0 | grep eth0:1

You should see something like this:

inet 192.168.222.1/24 brd 192.168.222.255 scope global eth0:1

4. Configure Your New DRBL Server

If you want to just accept all of the default settings, run the following (note that this will require an internet connection and may take some time):

/opt/drbl/sbin/drbl4imp

Otherwise, if you want to specify your own settings, run the following two items:

/opt/drbl/sbin/drblsrv -i
/opt/drbl/sbin/drblpush -i

Congratulations! That’s it, you have a DRBL/Clonezilla server ready to create and deploy custom images. All you need to do to start cloning is run:

/opt/drbl/sbin/dcs

Then, boot up your client machines using PXE. See, that wasn’t too painful…

Should "i" 3G

Posted by fhagard on 03 Jul 2008 | Tagged as: iPhone, iPhone 3G

The blogs are hot with chatter about upgrading to the new iPhone 3G. To be honest I’m not exempt from the thought. After having used the iPhone since November ‘07 I’m more than pleased. (Sigh, I’m already speaking in the past tense.) It has truly been the best mobile device I’ve EVER had. But there is something about the iPhone 3G that is tugging at the hem of my pants. Just bringing up the conversation with my wife I get a coast to coast eye roll.

I’ll be the first to admit that it has only been a few months since I purchased the iPhone. In my right mind, I would never have considered an upgrade just 8 months after a purchase. I’m not one to keep up with the Joneses either. I really don’t need to upgrade my hardware every 6-10 months to feel I’m with the “in crowd”. So, all that said, and in an effort to placate my conscience, I’ll do my best to analyze the situation from a purely fact based approach. Here is my best shot:

  • 3G
  • GPS
  • Upgraded Design - Speakers and such
  • The iphone can be a “hand-me down” (It’s a glorified ipod touch if you want it for $100. I’ll take the first bidder)

So should “i” iphone 3G?

Where Did The Time Go?

Posted by fhagard on 28 Jun 2008 | Tagged as: Consulting, Time Tracker

Where were you last week Tuesday? What did you do? How much time did you spend doing whatever you were doing?

I’ve seen enough Law and Order episodes to know that if I’m ever asked those questions I had better have an accurate answer. But have you ever really stopped to think how much time was spent working on “X” or “Y” last week Tuesday? For a small business consultant the answer to those questions directly translates into dollars and cents.

There are so many different things fighting for time, falling into the buckets of billable and non-billable. Keeping track of everything usually becomes a memory exercise when you actually have time after the fact to sit down and write it up. I would guess that more often than not things are forgotten. Think of the phone calls, the quick emails, the text messages, and multiply that by each simultaneous project (dare I say per client?). Besides project scope creep, not tracking time and billing accordingly can lead to a serious migraine.

So where am I going with all of this? I’ve been poking around for something other than my notebook, iCal and/or memory to track time. I’ve tried various methods over the years but haven’t been able to really get a solid solution. Personally, every minute needs to be tracked WHILE I’m doing the work.

OfficeTime seems to solve the problem. Upon mentioning it to my business partner ‘JH’ he responded - “Another tool?” But I think I’ve found a winner here. Here is why in a nutshell:

  • Simple “Play, Pause and Stop” buttons to activate a timer
  • Reporting of time spent based on a number of fields (Time, Project, Etc)
  • Team tracking to see how others are spending their time
  • Calendar Integration (Great for me as an iCal user!)

The only way to know if it’s truly the time tool of all time tools is to demo it for 21 days. I’ll let you know how it went.
