digiKam – Facebook export

by Pedro M. S. Oliveira | Jun 19, 2016 | Daily life, Linux

I use digiKam as my primary photo manager, it’s a great professional tool for those work with media. Maybe you are one of these and you didn’t even noticed, look at your mobile phone probably you have hundreds (maybe even thousands) of pictures on it. If you sum the ones you take with your camera it will be even more, so after a few years some of us may have more than 100.000 pictures.

This is why you need a photo manager and I would strongly recommend digiKam. I’ve been using it for years and I love it.

One part of taking pictures is be able to share them, digiKam supports exports to several social media web sites; Facebook, Igmur, Twitter, Flickr, etc.

Nevertheless the integration with Facebook is not working properly, and I doubt that the digiKam developers can do something here as it looks more of a Facebook issue. I’ve came out with a workaround that may help go around this issue if want to use the Facebook export function. Just follow these easy steps (I’ve done this with digiKam v5, but it will also work on v4):

With your default browser log in to Facebook.
Open digiKam from a console, just type digiKam on the command line.
Inside digiKam go to menu export, choose export to Facebook.
On the export dialog press change account.
You’ll see that in the browser it just states success, nevertheless you don’t see the authentication link that you need to use to paste into the plugin dialogue.
On the console where you started digiKam you have some of the debugging info of what is happening
1. digiKam uses OAuth to authenticate with Facebook so look for a line like:
  - OAuth URL: QUrl(“https://www.facebook.com/dialog/oauth?xxxxxxxxxxxxx
Copy the content of that line starting on “https://…token” (without the quotes)
Enable debug mode on your browser (I use Firefox CTRL+SHIFT+C or F12)
On the debug window select network and persistent, see selected options on image bellow:
Paste the URL that you got on this list step 7 on the browser
On the debug window you should be able to see an entry like the one bellow, with a right click choose copy location
Go to the digiKam Facebook export plugin window and just paste.
YOU’RE DONE

Now you can share all those pictures to world 🙂

Just select the pictures you want, use the export plugin, choose your Facebook album (or create a new one within digiKam), choose to resize (or not the images). If you create a new album be careful with the the permissions you wish for the album, on the Add Album option you’ll be able to select who do you wish to share your pictures. By default all your friends will be able too see it, but this may not be right for all the albums so just choose careful your options, usually I choose only me and then on Facebook page I add who I want to share it with.

More about digiKam

A professional digital photo management application for KDE (it will work on Linux, Windows and MacOS), which makes importing and organizing digital photos a “snap”. The photos are organized in albums which can be sorted chronologically, by folder layout or by custom collections
Powerful, fast and automated tagging
An easy-to-use interface is provided that enables you to connect your camera directly and preview, download and/or delete your images
A Light Table function is provided. This tool assists artists and photographers with reviewing their work ensuring the highest quality only
Common filters are available out of the box, with side by side previews
Extensible by the use of plugins and recipes

Hope you enjoy this tool as much as I do.

Have fun,

Pedro Oliveira

OpenVPN username/password authentication on DD-WRT

by Pedro M. S. Oliveira | Jan 19, 2014 | Daily life, Linux

In this post I’ll be using DD-WRT build 23320 and an ASUS RT-AC66U router to set up two “always on” VPNs (using openvpn) using username / password authentication. This router supports all the new wifi protocols and in theory has over 1Gbps ability using dual band, also supports 2.4GHz and 5.0Ghz band communication. I’ve used it with DD-WRT without any stability issues for more than 6 months now.

DD-WRT is one of my favourite linux distros, it’s specially made to work on home routers, APs and small appliances. You may download it from: http://www.dd-wrt.com and make sure your equipment is supported by looking into the router database.

Apart from the regular home router needs DD-WRT also support a complete set of network functionality like:

FreeRadius
PPPoE Server
VPN
USB (printing/mass storage)
NAS
Hotspot
SIP Proxy
Adblocking
Webserver
QOS

As I said, I’ll be talking about enhancing the standard functionality of openvpn in dd-wrt. OpenVPN is available on most of the DD-WRT appliances, nevertheless you can only have one vpn connected and it doesn’t support username/password authentication.

Let me describe the setup:

Home at country A (localnet 192.168.17.0/27)
Home at country B (localnet 192.168.18.0/27)
External third-party net at country C (localnet 172.17.31.0/23)
In order to see IPTV on country A I need to route all the IPTV network through openvpn server at country B
I want to have full network access to networks on country B and C from country A
I want to have full network access from country B to country A
I don’t want access from country C on country A (or B but it’s not relevant for us)

What’s needed:

DD-WRT enabled router (in this case ASUS RT-AC66U) with support for openvpn (mega version).
OpenVPN endpoint* (in this examples we will be using 2 endpoints, one for country B and another to country C).
User access to those endpoint (username/password/certificates).

* as an endpoint you may use anykind of applyance or custom-made openvpn solution, if you want to build it fast I’d recommend you Endian FW, Pfsense, or your own OpenVPN installation.

DD-WRT has a very nice graphical interface and we will use it to build our setup, before I configured the router thought the command line, storing all the config data in nvram with the commands:

nvram set _VAR1_=”config blabla”

nvram commit

and the created a startup script that would read all those variables and create the config files.

But as I said there’s a better way of doing it and that’s by using the startup option on the command menu that can be found under administration.

We will create a unique script that will be read when the DD-WRT comes to live and startup our VPNs.

Just go to press edit under the startup place older.

You may insert the text bellow, I’ll describe what it does further on the post.

mkdir /tmp/openvpncl cat > /tmp/openvpncl/myauth1.txt << EOF MY_USER_NAME_GOES_HERE MY_PASSWORD_GOES_HERE EOF cat > /tmp/openvpncl/myauth2.txt << EOF MY_USER_NAME_GOES_HERE MY_PASSWORD_GOES_HERE EOF chmod 500 /tmp/openvpncl/myauth1.txt chmod 500 /tmp/openvpncl/myauth2.txt cat > /tmp/openvpncl/route-up_1.sh << EOF #!/bin/sh route add -net 23.13.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES route add -net 80.24.178.0/23 gw xxx.xxx.xxx.xxx #IPTV ROUTES route add -net 10.2.2.0/24 gw xxx.xxx.xxx.xxx #IPTV ROUTES route add -net 10.22.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES EOF cat > /tmp/openvpncl/route-up_2.sh << EOF #!/bin/sh route add -net 16.13.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES route add -net 12.24.178.0/23 gw xxx.xxx.xxx.xxx #EXT NET ROUTES route add -net 13.2.2.0/24 gw xxx.xxx.xxx.xxx #EXT NET ROUTES route add -net 10.232.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES EOF chmod 500 /tmp/openvpncl/route-up_1.sh chmod 500 /tmp/openvpncl/route-up_2.sh cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf << EOF client proto udp resolv-retry infinite nobind persist-key persist-tun ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca auth-user-pass /tmp/openvpncl/myauth1.txt script-security 2 dev tap1 cipher bf-cbc auth sha1 remote CHANGE_TO_HOSTNAME_or_IP_1 1194 comp-lzo no tls-client tun-mtu 1500 mtu-disc yes fast-io EOF cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf << EOF client proto udp resolv-retry infinite nobind persist-key persist-tun ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca auth-user-pass /tmp/openvpncl/myauth2.txt script-security 2 dev tap2 cipher bf-cbc auth sha1 remote CHANGE_TO_HOSTNAME_or_IP_2 1194 comp-lzo no tls-client tun-mtu 1500 mtu-disc yes fast-io EOF cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca << EOF -----BEGIN CERTIFICATE----- YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb -----END CERTIFICATE----- EOF cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca << EOF -----BEGIN CERTIFICATE----- YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb -----END CERTIFICATE----- EOF chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca sleep 5

(nohup openvpn –config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf –route-up /tmp/openvpncl/route-up1.sh &) > /dev/null
(nohup openvpn –config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf –route-up /tmp/openvpncl/route-up2.sh &) > /dev/null

If you know openvpn a bit deeper you may find odd that I’m not using LZO compression, this is done on purpose, LZO will limit the bandwidth available on the router because of cpu usage. In my case most of the traffic is already compressed (ssh, mp4, images, and so on). With LZO I would find my cpu near 100% with traffic around 25Mbps. So I prefer to disable it and compress the traffic between the endpoints at application level. This allows me to have 100Mbps+ throughput on the VPN link with this router + DD-WRT config.

You will have to edit the firewall place older on DD-WRT , once again press edit and insert the following:

iptables -I FORWARD 1 -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD 2 -i tap1 -o br0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -0 tap2 -j ACCEPT
iptables -I INPUT 1 -i tap1 -o br0 -j ACCEPT

The startup script is nothing more than a set of commands that will be run to create the configuration files on DD-WRT , please be advised that you will have the VPNs in plain text on the configuration, this may pose a security risk. Nevertheless it’s not less insecure than have the full configuration relaying on certificates as if someone is able to retrieve your data from DD-WRT he will also be able to retrieve the certificates. If you really don’t want to have the password on plain text you won’t be able to fully automate the VPN startup process.

The iptables rules are need in order to allow access to the different networks, this is the most basic set of rules that will allow the configuration I proposed at the beginning. Finally please don’t forget to change the route-upX.sh scripts to match your needs.

Happy networking with DD-WRT!

Pedro Oliveira

Avoiding SSH password authentication with secure keys

by Pedro M. S. Oliveira | Aug 11, 2009 | Linux, Solaris

My last post was quite controversial as I wrote about an authentication form using the password on the command line. Today I’ll be writing about how to login without password prompting but also about ssh-agent, secure RSA keys and how to execute remote commands with ssh.

First of all you need to generate a RSA key:

ssh-keygen -t rsa

accept the default location, and then protect the certificate with a password.

By now in your $HOME/.ssh folder you have at least these two files id_rsa.pub and id_rsa. The .pub file is the file that contains your public RSA key part, as the name says it’s public and you can use it to authenticate with remote hosts, the id_rsa file is the private part of your key and no1 else besides you should have access to it. Nevertheless we also protect the key with a password so if someone access it it won’t be a big problem.

Now, to use the “passwordless” authentication you need to copy the content of id_rsa.pub to the $HOME/.ssh/authorized_keys on the remote machine, if the file doesn’t exists please create it before.
If you want do this in a simple command line just type the following:

cat $HOME/.ssh/id_rsa.pub | ssh YOUR_USER@REMOTE_SERVER “cat >> ./ssh/authorized_keys”

It will ask you the password just the first time. And your done.

But now every time you use the certificate it will ask you for the certificate password not the user at server one (and this because you protected your certificate, if you didn’t protect it you would be logged in by now).

If you want a totally automated process you can use ssh-agent. This way you’ll be able to put your certificate password only one time (for instance at session start) and use it when logged in.
To use ssh-agent just do the following:

cp /etc/X11/xdm/sys.xsession ~/.xsession

edit the .xsession file so some variables look like the following:

usessh=”yes”
sshagent=”yes”

now you need to reset your X (just logout and login).

Now to use ssh-agent and having your certificate available just type:
ssh-add
This will ask you for your certificate password and now you may use it for login into remote servers without using passwords anymore (until the next logout or shutdown).
Cheers,
Pedro Oliveira