An adventure in Krynn
History of Q
The System Closet
You didn't want to see...
RAID and UPS status
Suspected web spammers
Open Relay Spammers
Local Search Engine (broken)
login.cgi is the web user interface for my computer to allow remote access
via the web. It depends on its security by its users and secure socket layer.
It's a work in progress. Key features of login.cgi are to allow
upload/download/browse of arbitrary files on the machine (DONE),
allow remote password change (Beta test),
send/receive mail (work in progress),
and more! The main intent is to use this service to phase out telnet and ftp.
Please send suggestions!
Also keep in mind this service is a security risk for this machine, so be
careful where you use it!
There are two certificates in play here - one is the
certificate that proves that this machine is really vanade.com. This
certificate is then signed with an "authoritative" certificate by Verisign or
some other root certificate signers,
which are clearinghouses for certificates.
Unfortunately getting a signature from one of these companies
costs money and is a recurring cost.
It was meant for large companies that have a
stake against fraudulent spoofers and man-in-the-middle attacks, specifically
those which handle money through their websites.
This authoritative signature would make the warning go away.
As this service costs ME money instead of generating
revenue, the officially signed certificate
is out of my price range and thus will not be purchased. Not only it costs
money, a questionable certificate buyer can still buy legitimate certificates.
There's really no true way to get around spoofing except if you get my server's
public key from me, personally.
As such, I ask that all users of this service be careful to help
keeping my machine secure -
the worst that can happen if someone tries to spoof my
IP address to socially engineer you to give your password - as if you were
connecting to my machine. Please report all strange behavior of this service,
even if it seems trivial.
Though it's generally not harmful to users
of this system until hackers decide to trapdoor all accounts, please
keep in mind, your password is also a key into my computer, and compromise to
your account is a compromise to my computer and network's security.
Ideally you should check the certificate every so often to make sure it doesn't
expire unexpectedly. I will try to make some warnings before the certificate
expires so a change should not be alarming.
Current certificate info (do not trust this as if IP spoofing happened,
this webpage you see may not be reliable. Request/Use VPN to be sure.):
Note that the sshd key is different, generated by:
- (obtained with
openssl x509 -md5 -noout -in apache.crt -fingerprint)
- Created September 15, 2008
- Expires September 14, 2012
- SHA1 Fingerprint: EC:38:1A:13:B7:AC:49:EF:13:AD:00:31:93:5B:6B:5E:B4:83:56:60
- MD5 Fingerprint: A7:11:2C:0F:05:AE:B0:DB:F7:53:E6:A2:C6:A5:E9:B4
- Created September 14, 2012
- Expires September 13, 2022
- SHA1 Fingerprint: DE:B8:31:61:30:F8:0C:DF:CC:4D:95:FB:54:14:18:42:49:81:6B:76
- MD5 Fingerprint: 71:17:E3:6E:8D:9F:8B:0A:DF:18:C0:9B:74:1B:A8:6B
$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Encryption: Before typing your password, it is strongly suggested
that the "lock" icon is
shown in your browser indicating a secure link is established between the
computers. While the software will try to make sure that all connections to
the login script is only over a secure link to ensure no passwords are
transmitted cleartext, please make sure that this is the case and not some
inadvertent programming error.
Uploading has no feedback and can be slow, will need to be patient.
Be careful with unseen key loggers. Try not to use machines that you
do not trust. I hope to not have to deal with people breaking into my
Do not share your password.
If someone else has need for an account on my machine,
let them notify me and I'll review their account request.
Most people who I can talk to in person tend to be allowed.
This service is only available to access doujima and uses your YP NIS
It's not safe to download these if you don't trust your network connection,
as then you can't trust the content of these files.
Self-signed Vanade.com Certificate Authority (CA) Certificate
- The key that is related to this certificate is used to sign most of my keys,
including the webserver. This is used for VPN and wifi WPA2-Enterprise as
Apache https Webserver Certificate - You shouldn't need this but this is the Apache server certificate.
Cookies are required to save you time from entering your password for each
transaction. The cookies are state information to help your computer and this
server keep track of your login information, which makes it more difficult for
others to hijaack your session without using your password each time.
Cookies are used to identify each session. Please
logout when done. Cookies will auto-expire after some time.
menu. While it is still possible to use the directory browser without
A. Why not? This was originally designed for myself to allow me to securely
upload files to my computer remotely without the need for secure shell access.
With the deactivation of telnetd and ftp, it was necessary another form of
authentication and access other than sshd be available.
However it has now extended to be a value added service for friends to access
their accounts too.
Q. What can I do with this service?Download file only with proper authentication, instead of a global password.
A. The specific reason for this was to allow account-level access to this
machine, allowing bidirectional communication. Specifically, the features
Upload files to this machine to display in your homepage or
any other location.
Save files you downloaded online when you don't have any media with you.
Ability to read/write mail sourced from this machine.
Browse directories and delete files on machine not normally accessible through the web
Change your password
Execute any command (restricted to users who have full shell access.)
- Even allow web pages to be accessed only by people with accounts on this machine, or groups of people on this machine, or only yourself.
Q. I get weird messages or strange behavior, such as infinite refreshing of
a blank(content-less) page, or a nondescriptive access denied page (401)
with Microsoft Internet Explorer.
A. I think I found a bug with IE dealing with meta refreshes and MSIE does not
has been placed.
The code tries to detect the case when it may have problems and issues a click
link to work around the problem. Please click the link
when instructed to do so to continue.
My testing is on Mozilla Firefox which appears to always work properly.
Q. I can login, but I instantly dropped back to the login prompt or when I
A. There potentially can be bugs dealing with my work in progress, but this can
also be caused with cookies expiring inadvertently or if your IP address
changes from what you used to login. Some multiple machine NAT services may
use different, round-robin outgoing machines which will not work properly
with this service.
This feature is to help prevent someone stealing your cookie and obtaining
access to your account along with my computer.
Regular single-host NAT should work just fine. If you're
on dynamic IP and your IP address changes, it will
invalidate the login and prompt for new user and password.
For cases where your web address changes frequently due a round robin proxy,
use the main login page (don't use minilogin) and check the round
robin proxy checkbox when logging in. This will remain valid until you logout.
Don't use this checkbox unless necessary, and make sure you logout when you're
Q. I get a 404 File not Found error when trying to load login.cgi.
A. Make sure you're using https://vanade.com/login.cgi which
encrypts your connection to ensure secure transactions. The https:// indicates
a secure socket should be used over port 443 instead of the insecure http://
protocol over port 80.
Q. I get a certificate warning "Self signed certificate" when I open
the web page.
A. You should accept it, it's safe for your computer to do so.
Unfortunately I cannot afford to buy a Verisign
signed key so I sign it myself. This could mean that Man in the Middle attacks
are possible by spoofing my key, there's nobody to vouch the server you're connected to belongs to me. It's a reasonable risk, you should just accept the
certificate, it only affects security of my computer if someone tries to
socially engineer your password away (by making a fake website that looks like
mine). Please call for the certificate/certificate fingerprint.
Q. I uploaded a file and I'm not sure where it went!
A. Remember the login system is equivalent to being logged into my computer
locally, through SSH, or telnet. Files you create on the system are exactly
where you created them. Watch the "Destination" directory and your "LSCWD" -
your current working directory that's stored in a cookie. Because of this,
you have full access to my computer and can write anywhere you normally can
with your account.
Notes: if you want to create or edit your own webpage, please upload and edit
files in your "www" directory under your home directory, or create one
if it doesn't exist. This directory is used when accessing
Q. What does the upload file entry "Notes:" do?
A. Nothing, yet. :) Well, it puts a note in the logfile, but I decided a
good use for it yet. Perhaps to make things easier I'll use RCS within the
uploader, and this will be the revision control note when overwriting a file.
But as of right now it's disallowed to overwrite a file so it's moot.
Q. How do I move or rename a file?
move, to move/rename a file. If you PIN a directory, it will be made as
your default move/copy
directory, else you can simply rename it within the directory.
The old method of using a command line still works, of course.
Q. What software is this?
A. This is weblogker, and is custom, from-scratch software written in
Perl for use only vanade.com. This software may not be redistributed or
executed on other systems, and is not open-source. Persons with normal
accounts may review the code if so desired, but I'd prefer it not be used
This service does not handle special characters very well. Most of the
time it will drop all special symbols unexpectedly. Try not to use special
symbols in your subdirectory names, and thus won't need them in the web access scripts.
The web utility is invoked by pointing your web browser to:
https://vanade.com/ login script and options
The intent is that you can use all features of this service through its
web menu system without having to muck with the URL.
There are additional features that are available that can be
used to secure items for authorized users,
without changing your existing webpages.
.htaccess security will remain available, there's no intent to remove this,
except for places where anyone would like fine control on access rights.
If you are not logged in, you will be redirected to a login page.
Here describes the most common usage method options:
|login.cgi||Access main page.||https://vanade.com/login.cgi|
|login.cgi?menu||Access menu page if you're logged in||https://vanade.com/login.cgi?menu|
|login.cgi?upload||Upload a file. Fill in local filename and desired directory (or clear it for home directory.)||https://vanade.com/login.cgi?upload|
|login.cgi?logout||Logout of this service||https://vanade.com/login.cgi?logout|
|login.cgi?micro||Mini login or display login status. Used to
incorporate login to a main page so you can subsequently let someone
read other pages after login (see machine main page for an example).
|login.cgi?edit=absolute filename||Edit a text file. Specify 'create' to create new file||https://vanade.com/login.cgi?edit=/etc/passwd|
|login.cgi?ls&dir=directory||View files in a directory and allow file management if write access is allowed.||https://vanade.com/login.cgi?ls&dir=/home|
|login.cgi?icon=directory or file||If directory, show a contact page of all pictures in directory (or a dummy if not a picture). If target is a picture file, show a thumbnail of that picture.||https://vanade.com/login.cgi?icon=/home|
|login.cgi?view=file||Show contents of file with login.cgi links on top. If a text file, it's inlined. If it's a picture, it's inlined with an imagemap (see below).||https://vanade.com/login.cgi?view=/etc/passwd|
|login.cgi/absolute filename||Transmit the file with guessed MIME type for your browser to handle, or view contents of a directory. NOTE: the two slashes between login.cgi and the filename is intentional.|
Also: If the target is a CGI, it will be executed. Not all CGIs will work through this method. Server side includes will NOT be parsed.
|download.cgi/absolute filename||Download a file as application/octet-stream. See above entry for caveats. Will NOT execute CGI scripts.||https://vanade.com/download.cgi//etc/passwd|
Notes for ?view= in picture mode:
When viewing a photo, you may click on different portions of the picture to
browse the directory the picture is in. This works regardless if you have the
previous/index/next top index buttons turned disabled or not.
Imagine the picture in 9 quadrants:
| 1 | 2 | 3 |
| | | 3 |
| 3 | 3 | 3 |
Clicking on region 1 will go to previous picture in directory; 2, to index;
and 3, to next picture. Right-clicking on the unlabeled areas will allow
normal context menu usage.
[Ads go here... but we don't have any ads, so nothing goes here and
nothing to help pay for this network connection!
So, since there are no ads, and it costs me money (electricity, hardware
repairs, and time for maintainance) to keep this server up,
there are lots of restrictions to usage and linking to this server.
Do you want to donate some cash? So you can have a little space here to
advertise your wares? Feel free to send mail to webmaster or sysadmin. Note
that I will be very selective on what kinds of ads are acceptable.]