https://vanade.com login notes and FAQ

login.cgi

login.cgi is the web user interface for my computer that allows remote access via the web. Its security depends on its users and on the secure socket layer (SSL). It's a work in progress. Key features of login.cgi are upload/download/browse of arbitrary files on the machine (DONE), remote password change (beta test), send/receive mail (work in progress), and more! The main intent is to use this service to phase out telnet and ftp. Please send suggestions! Also keep in mind that this service is a security risk for this machine, so be careful where you use it!

Notes

  • Certificates:
    There are two certificates in play here. One is the certificate that proves that this machine is really vanade.com. That certificate is then signed with an "authoritative" certificate by Verisign or some other root certificate signer; these are clearinghouses for certificates. Unfortunately, getting a signature from one of these companies costs money, and it is a recurring cost. It was meant for large companies that have a stake against fraudulent spoofers and man-in-the-middle attacks, specifically those which handle money through their websites. This authoritative signature would make the browser warning go away. As this service costs ME money instead of generating revenue, an officially signed certificate is out of my price range and will not be purchased. Not only does it cost money, but a questionable certificate buyer can still buy a legitimate certificate. There's really no true way to get around spoofing except to get my server's public key from me, personally.

    As such, I ask that all users of this service be careful and help keep my machine secure. The worst that can happen is that someone spoofs my IP address and socially engineers you into giving up your password, as if you were connecting to my machine. Please report all strange behavior of this service, even if it seems trivial. Though it's generally not harmful to users of this system until hackers decide to trapdoor all accounts, please keep in mind that your password is also a key into my computer, and a compromise of your account is a compromise of my computer's and network's security.

    Ideally you should check the certificate every so often to make sure it doesn't expire unexpectedly. I will try to give some warning before the certificate expires, so a change should not be alarming.

    Current certificate info (do not fully trust this: if IP spoofing has happened, the web page you are seeing may not be reliable. Request/use the VPN to be sure.):

    • Fingerprints obtained with openssl x509 -noout -in apache.crt -fingerprint (with -md5 for the MD5 line and -sha1 for the SHA1 line)
      • Previous certificate:
        • Created September 15, 2008
        • Expires September 14, 2012
        • SHA1 Fingerprint: EC:38:1A:13:B7:AC:49:EF:13:AD:00:31:93:5B:6B:5E:B4:83:56:60
        • MD5 Fingerprint: A7:11:2C:0F:05:AE:B0:DB:F7:53:E6:A2:C6:A5:E9:B4
      • Current certificate:
        • Created September 14, 2012
        • Expires September 13, 2022
        • SHA1 Fingerprint: DE:B8:31:61:30:F8:0C:DF:CC:4D:95:FB:54:14:18:42:49:81:6B:76
        • MD5 Fingerprint: 71:17:E3:6E:8D:9F:8B:0A:DF:18:C0:9B:74:1B:A8:6B
  • Note that the sshd key is different, generated by:
    $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
  • Encryption: Before typing your password, it is strongly suggested that you check that the "lock" icon is shown in your browser, indicating that a secure link is established between the computers. While the software tries to make sure that all connections to the login script are made only over a secure link, so that no passwords are transmitted in cleartext, please make sure that this is the case and not defeated by some inadvertent programming error.
  • Uploading gives no feedback and can be slow; you will need to be patient.
  • Be careful with unseen key loggers. Try not to use machines that you do not trust. I hope not to have to deal with people breaking into my computer.
  • Do not share your password. If someone else needs an account on my machine, have them notify me and I'll review their account request. Most people I can talk to in person tend to be allowed.
  • This service is only available to access doujima and uses your YP/NIS login and password.
  • Certificates

    It's not safe to download these if you don't trust your network connection, as then you can't trust the content of these files.
  • Self-signed Vanade.com Certificate Authority (CA) Certificate - The key that is related to this certificate is used to sign most of my keys, including the webserver. This is used for VPN and wifi WPA2-Enterprise as well.
  • Apache https Webserver Certificate - You shouldn't need this but this is the Apache server certificate.
  • Cookies

    Cookies are required to save you from entering your password for each transaction. The cookies carry state information that helps your computer and this server keep track of your login, which makes it more difficult for others to hijack your session without using your password each time.

    Cookies are used to identify each session. Please logout when done. Cookies will auto-expire after some time.

Javascript

    Weblogker uses javascript for additional usability features such as the context menu. While it is still possible to use the directory browser without Javascript, its usability is quite limited.

FAQ

    Q. Why?
    A. Why not? This was originally designed for myself, to let me securely upload files to my computer remotely without the need for secure shell access. With the deactivation of telnetd and ftp, another form of authentication and access besides sshd had to be available. However, it has now extended into a value-added service for friends to access their accounts too.

    Q. What can I do with this service?
    A. The specific reason for this was to allow account-level access to this machine, allowing bidirectional communication. Specifically, the features designed/planned are:

  • Download file only with proper authentication, instead of a global password.
    • Even allow web pages to be accessed only by people with accounts on this machine, or groups of people on this machine, or only yourself.
  • Upload files to this machine to display in your homepage or any other location. Save files you downloaded online when you don't have any media with you.
  • Ability to read/write mail sourced from this machine.
  • Browse directories and delete files on the machine that are not normally accessible through the web.
  • Change your password
  • Execute any command (restricted to users who have full shell access.)
    Q. I get weird messages or strange behavior, such as infinite refreshing of a blank (content-less) page, or a nondescriptive access denied page (401), with Microsoft Internet Explorer.
    A. I think I found a bug in IE dealing with meta refreshes: MSIE does not render pages when an error code is provided. A workaround using javascript has been put in place. The code tries to detect the case where it may have problems and issues a link to click to work around the problem. Please click the link when instructed to do so to continue. My testing is on Mozilla Firefox, which appears to always work properly.

    Q. I can log in, but I am instantly dropped back to the login prompt, or I am dropped when I reconnect.
    A. There may be bugs in my work in progress, but this can also be caused by cookies expiring inadvertently, or by your IP address changing from the one you used to log in. Some multi-machine NAT services use different, round-robin outgoing machines, which will not work properly with this service.
    This feature is there to help prevent someone from stealing your cookie and obtaining access to your account, and with it my computer.
    Regular single-host NAT should work just fine. If you're on a dynamic IP and your IP address changes, it will invalidate the login and prompt for a new user name and password.
    For cases where your web address changes frequently due to a round-robin proxy, use the main login page (not minilogin) and check the round-robin proxy checkbox when logging in. This will remain valid until you log out. Don't use this checkbox unless necessary, and make sure you log out when you're done.
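
    How the cookie handling described in this answer and in the Cookies and Encryption notes fits together, as an added example written for this page (it is not weblogker's own Perl code and assumes nothing about its internals): a session store issues a random token, ties it to the client IP unless the round-robin option was checked at login, expires it after an idle timeout, and drops it on logout. The 30-minute timeout, the FakeClock helper and the IP addresses are constructed values; is_secure_request implements the HTTPS-only check from the Encryption note using the HTTPS=on variable that Apache's mod_ssl exports to CGI scripts.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # constructed: 30-minute idle timeout (the page only says "some time")


class FakeClock:
    """Test clock so the expiry path can be exercised without sleeping."""

    def __init__(self, now: float = 1000.0):
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class SessionStore:
    """Server-side state behind the login cookie: token -> user, ip, round_robin, expires."""

    def __init__(self, clock=time.time, ttl: int = SESSION_TTL):
        self._clock = clock
        self._ttl = ttl
        self._sessions = {}

    def login(self, user: str, client_ip: str, round_robin: bool = False) -> str:
        """Issue a fresh random token; call only after the password check has passed."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "round_robin": round_robin,  # skip the IP binding only when the user asked for it
            "expires": self._clock() + self._ttl,
        }
        return token

    def validate(self, token: str, client_ip: str):
        """Return the user name if the cookie is good for this client, else None.

        A presented cookie is rejected when it is unknown, has idled past its
        timeout, or (unless round-robin mode was chosen) arrives from a different
        IP than the one used at login; that last rule is what makes a stolen
        cookie much less useful to whoever took it.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now >= sess["expires"]:
            del self._sessions[token]
            return None
        if not sess["round_robin"] and not hmac.compare_digest(sess["ip"], client_ip):
            return None
        sess["expires"] = now + self._ttl  # sliding expiry: activity keeps the session alive
        return sess["user"]

    def logout(self, token: str) -> None:
        """Explicit logout invalidates the cookie immediately, whatever its expiry."""
        self._sessions.pop(token, None)


def is_secure_request(environ) -> bool:
    """Apache mod_ssl exports HTTPS=on to CGI scripts for TLS requests; refuse anything else."""
    return environ.get("HTTPS", "").lower() == "on"


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    tok = store.login("alice", "192.0.2.10")  # constructed user and address
    print("same IP:", store.validate(tok, "192.0.2.10"))
    print("other IP:", store.validate(tok, "192.0.2.11"))
    clock.advance(SESSION_TTL + 1)
    print("after timeout:", store.validate(tok, "192.0.2.10"))
```

    The round-robin flag widens what a stolen cookie can do, which is why the answer above says to use it only when necessary and to log out afterwards; in this store, logout removes the token outright rather than waiting for the timeout.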

    Q. I get a 404 File not Found error when trying to load login.cgi.
    A. Make sure you're using https://vanade.com/login.cgi which encrypts your connection to ensure secure transactions. The https:// indicates a secure socket should be used over port 443 instead of the insecure http:// protocol over port 80.

    Q. I get a certificate warning "Self signed certificate" when I open the web page.
    A. You should accept it; it's safe for your computer to do so. Unfortunately I cannot afford to buy a Verisign-signed key, so I sign it myself. This means that man-in-the-middle attacks are possible by spoofing my key, since there's nobody to vouch that the server you're connected to belongs to me. It's a reasonable risk, and you should just accept the certificate; it only affects the security of my computer if someone tries to socially engineer your password away (by making a fake website that looks like mine). Please call me for the certificate or its fingerprint.
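
    The fingerprint comparison that the Notes section and this answer both rely on (check what your browser shows against the value obtained out of band, by phone) can be scripted. The following is an added example, not part of this page or of weblogker: it reproduces what openssl x509 -fingerprint computes (the hash over the DER bytes between the PEM markers) and compares the result with a pinned value in constant time. The PEM blob is constructed from placeholder bytes and is not a real certificate; the pinned SHA1 value is the 2012 fingerprint listed in the Notes.

```python
import base64
import hashlib
import hmac
import re

# Pinned value copied from the certificate list on this page (the 2012-2022 certificate).
PINNED_SHA1_2012 = "DE:B8:31:61:30:F8:0C:DF:CC:4D:95:FB:54:14:18:42:49:81:6B:76"

# Constructed stand-in for a certificate body: these are NOT real X.509 DER bytes,
# just a placeholder so the example runs offline. A fingerprint is simply a hash of
# the bytes between the PEM markers, which is all openssl x509 -fingerprint does.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text and return its DER bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop newlines and stray whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Return the colon-separated, upper-case fingerprint in openssl's display format."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept the value however it was read out over the phone (colons, spaces, lower case)."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def verify_pinned(pem: str, pinned: str, algo: str = "sha1") -> bool:
    """True if the certificate in `pem` has the pinned fingerprint.

    The comparison is constant-time. A mismatch means the certificate you were
    served is not the one confirmed out of band and must not be accepted.
    """
    actual = normalize_fingerprint(fingerprint(pem_to_der(pem), algo))
    expected = normalize_fingerprint(pinned)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1:", fingerprint(der, "sha1"))
    print("MD5: ", fingerprint(der, "md5"))
    print("matches pinned 2012 value:", verify_pinned(SAMPLE_PEM, PINNED_SHA1_2012))
```

    To use it on a real file, read apache.crt into a string and pass it to verify_pinned together with the fingerprint you were given by phone; the SHA1 line is the one to compare, since MD5 collisions are cheap enough that an MD5 match alone proves little.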

    Q. I uploaded a file and I'm not sure where it went!
    A. Remember that the login system is equivalent to being logged into my computer locally, through SSH, or through telnet. Files you create on the system are exactly where you created them. Watch the "Destination" directory and your "LSCWD", the current working directory that's stored in a cookie. Because of this, you have full access to my computer and can write anywhere you normally could with your account.
    Notes: if you want to create or edit your own webpage, please upload and edit files in the "www" directory under your home directory, or create it if it doesn't exist. This directory is used when accessing http://vanade.com/~userid.

    Q. What does the upload file entry "Notes:" do?
    A. Nothing, yet. :) Well, it puts a note in the logfile, but I haven't decided on a good use for it yet. Perhaps, to make things easier, I'll use RCS within the uploader, and this will be the revision control note when overwriting a file. But as of right now overwriting a file is disallowed, so it's moot.

    Q. How do I move or rename a file?
    A. If you have Javascript enabled, you can right-click on a file and select move, to move or rename the file. If you PIN a directory, it will be made your default move/copy directory; otherwise you can simply rename the file within its directory. The old method of using a command line still works, of course.

    Q. What software is this?
    A. This is weblogker, custom, from-scratch software written in Perl for use only on vanade.com. This software may not be redistributed or executed on other systems, and is not open source. Persons with normal accounts may review the code if so desired, but I'd prefer it not be used anywhere else.

Known Bugs

  • This service does not handle special characters very well. Most of the time it will drop all special symbols unexpectedly. Try not to use special symbols in your subdirectory names, so that they won't be needed in the web access scripts either.
HOWTO

    The web utility is invoked by pointing your web browser to:

    https://vanade.com/login.cgi (the login script and its options)

    The intent is that you can use all features of this service through its web menu system without having to muck with the URL. There are additional features available that can be used to secure items for authorized users without changing your existing webpages. .htaccess security will remain available; there's no intent to remove it, except for places where someone would like fine-grained control over access rights.

    If you are not logged in, you will be redirected to a login page.

    The most common usage options are described below (command, description, example):

    login.cgi
        Access the main page.
        Example: https://vanade.com/login.cgi

    login.cgi?menu
        Access the menu page if you're logged in.
        Example: https://vanade.com/login.cgi?menu

    login.cgi?upload
        Upload a file. Fill in the local filename and the desired directory (or clear it for your home directory).
        Example: https://vanade.com/login.cgi?upload

    login.cgi?logout
        Log out of this service.
        Example: https://vanade.com/login.cgi?logout

    login.cgi?micro
        Mini login, or display login status. Used to incorporate the login into a main page so you can subsequently let someone read other pages after login (see the machine main page for an example).
        Example: https://vanade.com/login.cgi?micro

    login.cgi?edit=absolute filename
        Edit a text file. Specify 'create' to create a new file.
        Example: https://vanade.com/login.cgi?edit=/etc/passwd

    login.cgi?ls&dir=directory
        View files in a directory and allow file management if write access is allowed.
        Example: https://vanade.com/login.cgi?ls&dir=/home

    login.cgi?icon=directory or file
        If a directory, show a contact sheet of all pictures in the directory (or a dummy for files that are not pictures). If the target is a picture file, show a thumbnail of that picture.
        Example: https://vanade.com/login.cgi?icon=/home

    login.cgi?view=file
        Show the contents of a file with login.cgi links on top. If it's a text file, it's inlined. If it's a picture, it's inlined with an imagemap (see below).
        Example: https://vanade.com/login.cgi?view=/etc/passwd

    login.cgi/absolute filename
        Transmit the file with a guessed MIME type for your browser to handle, or view the contents of a directory. NOTE: the two slashes between login.cgi and the filename are intentional.
        Also: if the target is a CGI, it will be executed. Not all CGIs will work through this method. Server side includes will NOT be parsed.
        Examples: https://vanade.com/login.cgi//etc/passwd
                  https://vanade.com/login.cgi/~/.bashrc

    download.cgi/absolute filename
        Download a file as application/octet-stream. See the entry above for caveats. Will NOT execute CGI scripts.
        Example: https://vanade.com/download.cgi//etc/passwd

    Notes for ?view= in picture mode:
    When viewing a photo, you may click on different portions of the picture to browse the directory the picture is in. This works regardless of whether the previous/index/next top index buttons are disabled or not.
    Imagine the picture divided into 9 quadrants:

    +---+---+---+
    | 1 | 2 | 3 |
    +---+---+---+
    |   |   | 3 |
    +---+---+---+
    | 3 | 3 | 3 |
    +---+---+---+
    
    Clicking on region 1 will go to the previous picture in the directory; 2, to the index; and 3, to the next picture. Right-clicking on the unlabeled areas allows normal context menu usage.
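
    The region lookup the imagemap performs, as an added example for this page (not weblogker's code; the pixel coordinates and picture size in the test calls are constructed): the picture is split into a 3x3 grid, the top-left cell goes to the previous picture, the top-middle cell to the index, the whole right column and bottom row to the next picture, and the two unlabeled cells return None so the browser's normal context menu applies. Clicks outside the picture are also treated as no action.

```python
def click_region(x: int, y: int, width: int, height: int):
    """Map a click at pixel (x, y) on a width x height picture to the imagemap action.

    Returns "previous", "index", "next", or None for the unlabeled cells
    (and for clicks that fall outside the picture or on a degenerate size).
    """
    if width <= 0 or height <= 0 or not (0 <= x < width and 0 <= y < height):
        return None
    col = min(3 * x // width, 2)   # 0, 1, 2 from left to right
    row = min(3 * y // height, 2)  # 0, 1, 2 from top to bottom
    if row == 0 and col == 0:
        return "previous"  # region 1
    if row == 0 and col == 1:
        return "index"     # region 2
    if row == 2 or col == 2:
        return "next"      # region 3: the right column and the bottom row
    return None            # centre and middle-left cells are unlabeled


if __name__ == "__main__":
    # constructed 300x300 picture; walk a few representative clicks
    for point in [(0, 0), (150, 10), (299, 10), (10, 299), (150, 150), (10, 150)]:
        print(point, "->", click_region(*point, 300, 300))
```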
