Are SSH RSA keys a system-wide thing? - EVO 4G Q&A, Help & Troubleshooting

Hello everyone. I'm not very experienced with Linux but have done some. I want to connect to my Tomato router using GScript and RSA keys. I generated keys with ConnectBot and I can connect to it from there fine, however when I try to connect from GScript using ssh -p port [email protected] 'command', I get an error about the host not being in the trusted hosts file. Is this because the RSA keys are not system-wide and GScript is not using what was created by ConnectBot, or is this a different unrelated problem? Any help would be great, thanks!

I really don't know where to start with this. I seriously recommend you read Wikipedia and experiment more with virtualized Linux computers (VMware Player or Oracle VirtualBox are good starts, running CentOS and Ubuntu).
RSA keys, as you're talking about at first, is the public key encryption scheme used to authenticate you to connect to your router, in this case. BUT. The keys you talk about in the second part? Those aren't keys. Your "trusted hosts file" is a list of unique fingerprints that an SSH server creates when it's first initialized, and are used to "sign" that it's the server you're connecting to.
For example, if every day you connect to the same server, and then suddenly one day, you get told that the fingerprints don't match, and you know that nothing has changed on the server end, it's a good chance that something got messed up, or that someone is attempting to perform some kind of a man-in-the-middle attack.
To get back to your question though, no, the Trusted Hosts file is not shared between ConnectBot and GScript. Odds are, ConnectBot isn't even sharing your SSH key (the RSA key) with GScript, and you haven't even gotten to that error yet. The SSH key can be system wide though (PROTIP: Just put it on the root of your SD card and load it into ConnectBot/GScript by manually adding the key file).
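The difference between the two stores described in the answer above, as an added example that is not part of the original thread: a trusted-hosts record pins the server's host key, separately from your own RSA key pair, and each client consults only its own copy. The sketch assumes OpenSSH's `known_hosts` text format; the address, port, host name and key blobs are constructed sample values.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_token(host, port=22):
    # Non-default ports are recorded as [host]:port, so the same router
    # reached with `ssh -p` has its own entry.
    return host if port == 22 else "[%s]:%d" % (host, port)

def hashed(token, salt):
    """Build a hashed host field: |1|salt|HMAC-SHA1(key=salt, msg=token)."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def pattern_matches(pattern, token):
    # Wildcards and negated patterns are not handled in this sketch.
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        return len(parts) == 4 and hmac.compare_digest(
            pattern, hashed(token, base64.b64decode(parts[2])))
    return pattern == token

def check_host(known_hosts, host, port, key_type, key_b64):
    """Return 'trusted', 'mismatch' (host known, key differs) or 'unknown'."""
    token, seen = host_token(host, port), False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        patterns, ktype, blob = fields[:3]
        if ktype != key_type or not any(
                pattern_matches(p, token) for p in patterns.split(",")):
            continue
        if blob == key_b64:
            return "trusted"
        seen = True
    return "mismatch" if seen else "unknown"

def make_blob(fill):
    """Constructed stand-in for an ssh-rsa public key blob (not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(
        s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + fill * 32)).decode()

ROUTER_KEY, OTHER_KEY = make_blob(b"\xa5"), make_blob(b"\x5a")
# Constructed sample file: one plain entry on port 2222, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "[192.168.1.1]:2222 ssh-rsa " + ROUTER_KEY,
    hashed("nas.example", b"constructed-salt-20b") + " ssh-rsa " + OTHER_KEY,
])

if __name__ == "__main__":
    print(fingerprint(ROUTER_KEY))
    for port, key in ((2222, ROUTER_KEY), (2222, OTHER_KEY), (22, ROUTER_KEY)):
        print(port, check_host(KNOWN_HOSTS, "192.168.1.1", port, "ssh-rsa", key))
```

A client whose store has no matching line reports `unknown`, which is the state of a second app that has never connected before; `mismatch` is the changed-fingerprint case the answer warns about.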

Thanks for your help. So basically I just want these two programs to share trusted hosts files and RSA keys. How does GScript initially come to trust a host, and how come ConnectBot didn't have this issue? I guess I could try to find the trusted hosts file ConnectBot is using, and can I move its key file to the root and then share it with GScript? Or do I need to make a new one (possibly in Cygwin on the desktop) and copy it over to the SD card.
I do plan to read more about this stuff, but that will happen in time. Right now I feel very close to accomplishing what I want (as you can probably tell by me posting this at 4:45 AM).
Thanks again.

For the trusted hosts issue, you can't really share them, as there's no standardized format to the file (it's like trying to swap an MP3 and an AAC file; they both may be music, and they both may be of the same song, but they're quite different). There should be an option on the GScript error message to just add the host to the trusted list. If not, try running the same command from a terminal (ADB shell, or open ConnectBot and connect to local).
In regards to the key file, you'll just have to hunt down wherever ConnectBot placed it, and move it to the root of the SD card, then re-add it in ConnectBot (Press Menu and then Manage SSH keys to get to the key list. Menu again to select add/import).

Thanks. I'm having no luck finding ConnectBot's key file, so I just made a new one in Cygwin and will put it in my SD card. However I'm still not sure how to add/import that into GScript, or how to get GScript to trust that host (I don't see an option for it with the error message). These are questions I need to direct towards the GScript crowd, unfortunately its thread hasn't received much activity in a while. Is there any other way you would go about saving a script to run from your home screen?

Related

Exchange Problems! 0x800072F17

I really didn't want to post this, honest. I have searched xda. I have searched the web. I have found other threads. I have followed the suggestions. But, it seems that my ex-girlfriend may have been right, I'm an idiot.
I can't get my Hermes to connect to my office exchange server. The settings on my end are correct, the issue is on my office's end.
When I sync I get an error and support code 0x80072F17. I know that it's a certificate error.
IT is not going to help me on this one, so I'm on my own. I have tried to manually import the certificate. Didn't work. I tried making a regedit I found on another thread. Didn't work. I tried combinations of various settings. The only time I don't get an error code is when my device begins to endlessly prompt me for my password.
I'm sorry to post, but it's my last option. Does anyone have any workarounds for this error? Is there a way to have my device ignore the certificates? Is there anyone out there that can help??
There must be some way. My colleagues, both of them with HTC Trinity's, original WM5 roms came across this error when the certificate on our Outlook Web Access was about to expire. Me, however, with my HTC TyTN WM6 never got this issue. I'm not sure why. I know I've installed a couple of cert cabs, the one they call sdkcerts.cab and one more. Search for that cab and see if it helps. I always figured it made the device accept non signed software but maybe it helps for these kinds of issues as well.
You just must set the correct date and time for your phone and try again.
I'll try and give you a hand...
First off, you need to know a few things to set this up.
(1) The FQDN of your company used to access the OWA (Outlook Web Access), for example, mail.mycompany.com/exchange
(2) The NetBIOS name of your local domain at your office (right click the My Computer icon on your office PC and select Computer Name and note the Domain). If your IT dept did it the recommended way it'll have a .local extension, for instance, lawoffice.local. You'll use just the domain name without the extension, ie: lawoffice (without the period, LOL).
(3) I absolutely never use my PC to configure my ActiveSync on my devices, just to initially copy the certificate to the Storage Card.
Two ways to do the certificate. First is the method I always used until I discovered the second method, which is in my sig.
(BTW, substitute YOUR FQDN for mine, duhh!)
(1) Install the certificate on your PC by going to the FQDN of your OWA in Internet Explorer 7 on your PC, not your PDA (XP is much easier, Vista is quite difficult to do this)
For example, open IE7 and put mail.mycompany.com/exchange in the address bar. You should initially get a "There is a problem with this website's security certificate" error, click on "Continue to this Website". Now, next to the address bar at the top you'll see "Certificate Error", click it, View, Install, Next, Next, Finish, Yes. Then you'll see "The import was successful" (damn, that took a while!)
Close IE 7 completely and reopen it, put "mail.mydomain.com/exchange" in the address bar and you'll go straight to the OWA page, meaning that your import WAS successful, yippee!
(2) Click on Start, Run and type "mmc" and OK. This opens the Microsoft Management Console and you'll see Console1 at the top. File, Add/Remove Snap-In, Add, Certificates, Finish, Close, OK. Now expand Certificates, Trusted Root Certification Authorities, Certificates. Find YOUR certificate in the list. Right click, All Tasks, Export, Next, DER encoded binary, Next, File name. I use c:\mail.mydomain.com so that I can find it easily. Now finish and you'll get the Export was successful message.
(3) Connect to your PDA via ActiveSync as a guest (kill your partnership if it exists, you don't need it), copy the cert to your Storage Card and execute it from there.
Now disconnect your PDA and open ActiveSync. Server address is the FQDN of your company without the /exchange, for example, mail.mycompany.com. Leave the check mark on the SSL. Next put your user name, password and the NetBIOS name of your domain. Then configure your options for the number of days to sync, etc.
That's it!
Now... once you do that and it works, follow this thread, Auto-provisioning POP3 or Exchange mail via UC Mini how-to, so you can create a cab to do this automatically!
I had this problem before.
For me, it was due to the fact that I installed CESTAR and it messed up my certs. Uninstalling CESTAR won't fix it. You got to reload the rom.
From there, I used Leies' Chinese character support which is free and doesn't mess up the certs.
SOLVED
I have been at this issue for over 2 days now, dealing with the error 0x800072f17. About 5 min ago I fixed it. After narrowing the problem down to a certificate error I then proceeded to look at the certificates. There were two in the certificate store (personal) and both were self signed.
One was XXXX (server name) and the other was XXXX (company name) CA.
The server name one had expired. Seeing as how it is self signed, I had our IT admin renew it. He forgot to re-assign it to the Outlook Web Access, so I did it myself in the Internet Information Services console on the server.
This had solved only 1/2 of the problem.
The certificate was assigned to the exchange server, not the OWA web site. After discovering that I could not change the issued to name, or create a new certificate (not an admin) I decided to change the ActiveSync settings to sync the INTERNAL OWA address, which is servername.internaldomain.externaldomain.com (this had not previously worked due to the expired certificate).
Now I have a fully functioning push email system.
Nearly all done without admin permissions.
Whilst I'm new to this site, feel free to PM me about it.
Solving this is the most satisfying thing I have done this year lol.
But does this allow you to get/check email from outside your location? Or do you have to establish a VPN first?

Will this work for VPN...?

Install openvpn and then place your edited client vpn config files and certificate files on the storage of FireTV similar to the raspberry pi method in the thread below:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Thanks for anyone that may know more than me that could maybe get this to work...
Hmm would be nice if that worked. Did u get a chance to try it?
tdfsu said:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
I'm working on something like this just now. Here's the thing: in my logs for the simplest openvpn app to install (not straight openvpn, it turns out, as there's a windowing issue there that makes it difficult / impossible to navigate through setup, even with a keyboard and Droidmote) once I have a config, I get errors in logcat informing me
"Your image does not support the VPNService API, sorry "
There is a manually installable openvpn binary that I've looked at a bit but not yet configured. It is going to require adding a binary to /system/xbin directly, as the installer (at least on my phone) does not understand where /system/xbin really lives and issues a remount command to a nonexistent partition.
If you're running dd-wrt or similar configurable firewall, another option is to get an account with a provider who is set up to let you do a firewall to firewall connection, and then route either all of your traffic or the traffic from your firetv through that firewall-to-firewall connection.
I have a Private Internet Access vpn account.
Installed openvpn on FireTV--
http play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
Installed busybox on FireTV--
http play.google.com/store/apps/details?id=stericson.busybox&hl=en
I created a pass.txt file with my PIA username on the first line and password on the second line, nothing else, then saved the file as a text file (pass.txt).
Download the following to PC--
http privateinternetaccess.com/openvpn/openvpn.zip
Extracted the zip file.
Edited the location specific .ovpn file (see below), changing the 'remote', 'ca', 'crl' and 'auth' lines to the following--
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /storage/sdcard0/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /storage/sdcard0/openvpn/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /storage/sdcard0/openvpn/crl.pem
Then, save the USFlorida.ovpn file.
Upload ca.crt, crl.pem, pass.txt, and .ovpn file to FireTV to /storage/sdcard0/openvpn/
Open terminal on FireTV. I use jackpal's terminal app below, but you can also use adb.
http play.google.com/store/apps/details?id=jackpal.androidterm
In terminal, type the following--
su
openvpn cd /storage/sdcard0/openvpn/USFlorida.ovpn
But I get several errors. Anyway, that's where I'm at. Maybe someone else more knowledgeable than me can figure it out. Sorry about the links, my low post-count will not allow me to post url's.
Also, you can sideload the following app to verify your external ip address, and it works great with the FireTV remote--
http play.google.com/store/apps/details?id=igit.WhatIsMyIp
The approach you've taken is where I'd be headed next on the client side.
One thing you might want to try is to do the same setup on a less locked-down device and confirm that the config files work as expected there.
There's also a good discussion of the hardware approach (setting up a tunnel from your edge to a VPN provider) in the other VPN thread, http://forum.xda-developers.com/showthread.php?t=2797005
Also, Private Internet Access will sell a preconfigured router for this purpose!

recover after broken screen, modify default.prop to disable secure USB debug?

Dropped my S3 today, and now the screen doesn't respond to touch. The display also only works partially. This is the excuse I needed to get an S5, but I'd like to pull data off this S3 for the transition. Honestly I'm not even sure there's anything important on there that isn't already backed to the cloud one way or another. But I'd like to poke around to be sure, use Titanium backup for at least a few apps in particular.
So I found this nice utility: http://forum.xda-developers.com/showthread.php?t=2786395 to allow me to control the device and see the screen via adb. Problem is that while USB debugging is enabled, I have to confirm the RSA fingerprint of my PC on the device itself... which I can't do because the digitizer on the phone is broken. Some searching suggests using a USB OTG to connect a mouse to blindly try to hit the RSA confirmation button. Either it doesn't work, or the cable I hacked together didn't cut it. I couldn't get off of the keyguard screen. Ordered a premade OTG adapter, but if that still fails I may have to find another way in.
From what I've read, I can disable the RSA check by setting ro.adb.secure=0 in default.prop, but that file would need to be replaced on the boot ramdisk. Making a custom boot image isn't something I've done. I found this article about it, "HOWTO: Unpack, Edit, and Re-Pack Boot Images". Following that article, should my boot.img come from extracting the L710VPUDNJ2_L710SPRDNJ2_L710VPUDNJ2_HOME.tar.md5 file? And then once I've recompiled boot.img with the modified default.prop, what is the proper method for flashing that boot.img? Do I need to use odin?
The device has stock NJ2+root and Philz Touch recovery. The display and hardware keys work well enough that I can navigate recovery and initiate anything in there, and I can get to an adb shell while the device is booted in recovery.
So two questions...
1) am I on the right track to make and flash a custom boot.img?
2) is this all pointless? would I be better served to simply use recovery to copy down a backup image and extract anything I may need from that? The main data I'm concerned about is keys/etc for 2-factor apps like google authenticator and battle.net.
EDIT: As far as getting in, I couldn't figure out how to make that app work properly for controlling the phone. It could show me the screen, but apparently not send touch input.
BUT, the solution to bypassing secure adb was easy. Since I had a custom recovery and could get adb shell while booted in recovery, I could shell in, mount data, and push my local adbkey.pub to /data/misc/adb/adb_keys. VMLite VNC Server was the easiest way I found to access the system remotely, since I could push the app install from the play store on the web and then use the companion desktop app to launch the server on my phone via adb.

Did MS block access to SYSTEM folder??

Forgive me if this has already been found/fixed/forgotten, but it's been a while since I've actually even tried it. In File Explorer, when tapping on my trusty old Local Disk C shortcut nothing happens anymore ☹ I don't know if it's been blocked or not, but it's been at least 3 or 4 builds since I've even desired going into the system folder. Even my AOW Shortcuts aren't anymore, but instead they give an error saying the directory couldn't be found and would I like to delete the shortcut. Maybe MS finally removed the AoW bits from the recent builds, but that doesn't explain why the Local Disk C shortcut does nothing.
I'm running the latest Insider Slow build 14342.1004.
its "blocked" since 10586.107. but you can still access all folders on pc with enabling full fs access or using sftp (with vcreg or interop tools etc)
tofuschnitte said:
its "blocked" since 10586.107. but you can still access all folders on pc with enabling full fs access or using sftp (with vcreg or interop tools etc)
Ahh, I figured this was the case. I don't care for the FS Access thing on pc. Last time I enabled that I could *barely* get my phone to connect to the pc. On average it took 15 minutes to connect, but eventually it stopped altogether. I had to hard reset to fix it.
yep, same here. connects fine but takes ages to appear in the explorer. but in that case you could use sftp access. simply get the interop tools and activate it (you might need to reset the ndtksvc.dll manually, vcreg has a button for it though iirc), read the tutorials about it. you need the old android bridge tools to get the private key (and convert it with puttygen to use it with pageant) and keep it paired to be able to connect with winscp for example
The last .1004 fast ring build connects my phone with full MTP access in less than 1 minute.

Engineering Mode (no longer working)

There is a special secret dial code for invoking an extended Engineering Mode on the Oneplus 3:
*#36446337#
This opens up the menu of this extended EM.
It worked. But I screwed it up, so I cannot invoke it any more
I know, shame on me and all that stuff, this was totally my fault, as I played around with the apk, copied (not moved) it to the Download folder and tried to install it like a normal app.
Did not work.
But now also invoking the original extended EM no longer works ([email protected]).
I'd like to kindly ask the real experts among you:
1. What is it I screwed up with my stupid attempts to install this apk?
2. Is there any way to restore the information the dialer needs for parsing this secret code - other than performing a factory reset?
Or which is the information that got lost or overwritten?
3. All files in
/system/app/EngineeringMode
/system/app/EngSpecialTest
appear to have been unaffected.
(But could anyone please share the proper contents of these two folders, in case the extended EM works properly for him?)
4. Is there any way of invoking the extended EM directly, working around doing it with the secret dialer code given above? e.g. by modifying the apk - admittedly in a more sophisticated way than I attempted?
I hope my question comes in the proper forum, don't want to cross-post it.
Thanks in advance!
Please Post Files as attachment or Link...
Would you be kind enough to post these files or a link to them? Unsure, but suspect a permissions issue or incorrect location of said files. I think you can connect to computer (with debugging enabled, & allowing access & allowing the rsa prompt also). You will need a command line/terminal depending on your desktop/laptop OS. I would say that you can use adb devices, then adb shell and finally am then the package name. Not sure how to format the activity manager command. Maybe am start -n xxx or am start xxx. Perhaps forum or Google can help. I know that typing just am from the adb shell will list all possible options.
