Being in London, I want to listen to the Geelong games over the streaming radio, but in Linux (and probably Mac), Silverlight just won’t cut it – and the radio fails to load with an error.

I did some digging around, and worked out the URL for the the streaming radio, which you can then plug into MPlayer to obtain the ASX stream:

mplayer -user-agent "NSPlayer/11.08.0005.0000" http://lon-cdn220-is-1.se.bptvlive.ngcdn.telstra.com/online-radio-afl_12

The code on the end is the stream ID. These are the station codes I’ve managed to work out:

• ABC774: 2
• 5AA Adelaide: 3
• 6PR Perth: 4
• 3AW Melbourne: 5
• National Indigenous Radio Service: 6
• Gold FM Gold Coast: 7
• Triple M Sydney: 11
• Triple M Melbourne: 12
• Triple M Brisbane: 13
• Triple M Adelaide: 14
• K-Rock Geelong: 15

I hope this proves useful to someone else.

UPDATE:

For Mac OSX, install MPlayer OSX Extended from http://www.mplayerosx.ch/#downloads.

Then, for the command line bit, just open up the Terminal application from the Utilities folder, and use this full path to find the mplayer binary:

/Applications/MPlayer\ OSX\ Extended.app/Contents/Resources/Binaries/mpextended.mpBinaries/Contents/mpextended-mt.mpBinaries/Contents/MacOS/mplayer -user-agent "NSPlayer/11.08.0005.0000" http://lon-cdn220-is-1.se.bptvlive.ngcdn.telstra.com/online-radio-afl_12

I think one of the killer functions of Puppet is being able to easily install packages and manage services on a system. Most Linux distros these days have tools for working with repositories of packages, like Yum on Fedora/RedHat/CentOS and Apt on Debian and Ubuntu. These work really well with Puppet, because you can easily script a class which requires a specific package, and Puppet will just call the package tool and it’ll install the right package and all of the required dependencies.

Using Solaris feels like a step back from Linux, not having an official repository tool like Yum and Apt. Its package system seems quite primitive which can suffer from the dependency hell that we used to have with RPM before it was wrapped up with Yum. Enter: pkgutil.

Pkgutil is like Yum for Solaris, written in Perl by Peter Bonivart. It was designed for OpenCSW, which is a repository for Open Source packages on Solaris – and also the best place to install Puppet from. With a few simple steps, you can actually build an OpenCSW compatible repository of Solaris packages and tell pkgutil to use it, rather than the standard OpenCSW one.

Puppet has almost gained a proper package provider for Pkgutil (See Puppet issue #4258: Add pkgutil provider), which should be available in Puppet 2.6.4 maybe. In the mean time, we can just install it into our Ruby path to make use of it right now.

Steps involved are:

• Install pkgutil
• Install Puppet on Solaris
• Install the pkgutil provider
• Build an OpenCSW-compatible repository of your own packages
• Define pkgutil as a provder in your Puppet configuration
• Install some packages!

Install pkgutil

Before we do anything, we should install pkgutil. This handy one-liner will install it for Solaris 10 and OpenSolaris.

# pkgadd -d http://mirror.opencsw.org/opencsw/pkgutil-`uname -p`.pkg

For Solaris 8 and 9, take a look at the pkgutil installation page for more details.

Install Puppet

Now that pkgutil is installed, installing Puppet is a breeze!

# /opt/csw/bin/pkgutil --install puppet

This will resolve all the dependencies and install everything just like the Linux package management tools do.

Install the pkgutil provider

I’m using a version of pkgutil from Dominic Cleal’s git repository.

# wget --no-check-certificate https://github.com/domcleal/puppet/raw/143fc744a839affd328234fca26246d49d15d3d8/lib/puppet/provider/package/pkgutil.rb -O /opt/csw/lib/ruby/site_ruby/1.8/puppet/provider/package/pkgutil.rb

This wget will download it, and copy into the right place in the filesystem for Puppet to pick it up.

Build an OpenCSW-compatible repository

As part of OpenCSW, Peter Bonivart has released a tool for creating OpenCSW repositories, called bldcat. You can find it as part of the pkgutilplus package from OpenCSW.

Create yourself a new directory for your packages on your webserver. For me, I needed OpenSolaris 2009.06 and Solaris 10 support, so:

# mkdir -p repo/solaris/i386/5.11/
# mkdir -p repo/solaris/i386/5.10/

Then just put all your packages into that directory, and run bldcat:

# bldcat .

This will generate the catalog, and descriptions file needed for pkgutil. Once you make this directory available by HTTP, you can add the URL into the pkgutil.conf file.

One thing to remember is that you’ll need to do this on a Solaris machine. Although bldcat will work on Linux, it requires some of the Solaris package tools, which won’t be available. For me, I just did it NFS mounted from a Linux server.

Now, set the mirror and noncsw entries like this:

mirror=http://repo.mydomain/repo/solaris
noncsw=true

For my situation, I had to include a few packages that we provided as our standard environment, and the package names weren’t prefixed with CSW, to the ‘noncsw’ option needs to be set.

Because I wanted a mix of OpenCSW packages and our corporate standard packages, I copied in the OpenCSW packages (and dependencies) along with the corporate ones into the one repository. You can put Puppet in there also.

NOTE: All your packages need to be *.pkg.gz format, so make sure you compress any packages that aren’t already gzipped!

Define pkgutil as a provider in your Puppet configuration

In the site.pp file on my Puppet Master, I include this definition:

Package {
    provider => $operatingsystem ? {
        redhat => yum,
        centos => yum,
        sles => zypper,
        solaris => pkgutil,
    }
}

To see this in action, I’ve used Nagios’s NRPE as an example.

package { nrpe_package:
  name => $operatingsystem ? {
    Solaris => 'CSWnrpe'
    CentOS  => 'nrpe',
    SLES    => 'nagios-nrpe',
    Debian  => 'nagios-nrpe-server',
  },
  ensure => installed,
}

So with pkgutil, installing packages on Solaris can be as easy as Linux with Puppet.

Since v0.5 of Tram Hunter, we’ve included an option to send anonymous usage statistics to a server I have running on Google’s App Engine. My main aim was to generate some heat maps, based on the location of tram stop requests.

You can now see the final version of the heap map, which is generated nightly, from the latest 1000 requests. It turns out to be quite interesting to look at.

I’m also using the Google Chart API to generate some nice pie charts showing some other info like handset model, Android version and mobile networks.

In other Tram Hunter news, the latest stats from the Android Market show 5687 total installs, with 4293 active installs (75%). We also have a 4.85 rating out of 5, with 255 comments. The comments are all really positive, so it definitely makes development worthwhile.

I’ve created a new Twitter account for Tram Hunter, so for the latest updates, follow @tram_hunter.

Tram Hunter is a project I started nearly 2 years ago. It’s an Android client to the Yarra Trams TramTracker web service, which their iPhone client leaverages to provide real-time tram arrival information to users of trams in Melbourne.

I’m not sure what it is about Trams, but I’m almost enchanted by them. They’re slow, many are really old and usually it’s a pretty rough ride, but they also have much more character than buses and trains.

A friend and I made a mashup of Google Maps with tram stops once, and using timetable information, we plotted approximated locations of trams along a line. The trams even moved along the line, although it wasn’t really realistic, it was fun to watch. I spoke to Yarra Trams about what we had done, and I was invited to come and see the Operations Centre in South Melbourne, which was quite interesting. They offered me a job working with their development team on some .NET/Windows web services stuff (which turned out to be the TramTracker service), but I just couldn’t leave VPAC at the time.

Real Time Departures

Application Menu

So once Android was finally released, I bought their ADP1 development phone as quickly as I could. It cost a fortune, as the Australian dollar was quite weak at the time, but was pretty exciting. The idea of an Open Source phone to finally kick start some innovation in the mobile industry really appealed to me. I started messing with the Android API soon after.

I started working on Tram Hunter but got a bit stuck. I ended up shelving the project because I couldn’t figure out a problem I had, and moved on to other projects. It wasn’t until later (and I had moved to London), I was speaking to a friend of mine who was doing some Android development and he offered to help with the project. I proceeded to clean up the code, so it was in a compile-able state for someone else to look at. Somehow I managed to solve the issue and get something working. Everything seemed to just fall into place, and I had a working first version done.

I came across another project by accident by a couple of guys looking to do the same thing. I emailed them, and suddenly we had three developers and another joined soon after. I opened a Google Code project, put all our stuff into SVN and released version 0.1 to the Android Market. I later started a Google Groups mailing list for the project also.

The Tram Tracker iPhone application is slow and takes many taps to get to the information you want. Their interface has been designed to mimic the information screens at tram stops which is a nice idea, but actually provides an irritating user experience.

In comparison, the goal of Tram Hunter is to bring as many useful features as we can, without compromising the interface. I wanted to provide users the ability to get the information they want, with the least amount of clicks.

By using all the standard Android UI features, we gain a lot without needing to write a lot of code. Google Maps, location information by GPS, Network and Wifi, UI and search are all provided in the API so we don’t need to write this stuff ourselves. It also means it’s fast and simple.

Since the first version, we’ve introduced a few new features and have been fixing bugs. We’re on version 0.5 right now, and there’ll be a new one just around the corner.

The latest stats from the Android Market show 4325 total installs, with 3128 active installs (72%). Not bad considering the slow uptake of Android in Melbourne, and the limited number of tram users in Melbourne.

In version 0.4 of Tram Hunter, I introduced some code which (when only specifically enabled by the user) would send some usage information to a Google App Engine site I have set up. Tram Hunter will provide information about the user’s handset and Tram Hunter settings (e.g. What device is being used, what version of Tram Hunter is installed, which mobile network are we using, etc). It will also send information about which stops a user is requesting, and their location when they make the request.

I’m currently in the process of generating heat maps, to indicate the location of Tram Hunter requests. Unfortunately, the code isn’t finished so I can’t release them out in the open yet. I have some Google App Engine bit to sort out first, but I’ll be releasing all the interesting statistics to the Android community.

UPDATE: The heat map is now running well on App Engine. The totally new Tram Hunter web site is now up and running with lots of cool graphs and stuf.

What’s next?

For Tram Hunter, I’m still taking feature requests and bug reports at our issue tracker, but I think development of this is starting to slow down.

I have been throwing around the possibility of porting it to Maemo/Meego to support the Nokia N900 (although something similar already exists) and possibly to BlackBerry devices. BlackBerry also uses Java, so it should be quite easy to reuse a lot of code.

I’m also looking into developing another application for timetable information. I have had many requests for an app for buses and trains, so I’m looking to leaveraging some Google Transit code and proving users with an ability to download specially formatted timetables to their handset and use many of the features of Tram Hunter, but in an offline fashion. The idea is that it’ll be generic enough that it can be used for any type of timetable information for anywhere in the world, as long as people are willing to help port the timetable information.

The key actually emulating a USB keyboard, which makes it instantly usable on any modern OS. You just press the button on the key to generate a one-time-password (OTP) to validate you. The method works by typing in your password, but before hitting the return key, you press the Yubikey button to finish it off. At the end of the OTP generation, it sends a carriage return itself.

The OTP is then sent to a validation server, either hosted by Yubico themselves, or you can host your own.

I’m going to walk through how you can set the infrastructre for doing two-factor authentication on Debian. In my specific case, the requirement was two-factor with an Active Directory username/password combination and the Yubikey as the second factor.

Unfortunately, the documentation from Yubico is quite average. To top it off, they insist on using multiple Google Code project sites for hosting their software.

This would normally be fine, but in this case, they have a Google Code project for every single little piece of code. Much of the documentation I found relates to older projects which are not supported by Yubico. This makes working out exactly what you need difficult. Within the Google Code project sites, documentation often runs in circles between projects.

In this document, I’ll look at using PAM to auth again the Yubico auth servers first. Once that’s working, I’ll move onto flashing the Yubikey with a new key and using our own Validation System.

NOTE: This is just some rough notes I put together. You should definitely read the Yubico documentation for this to really make sense.

Authenticating with the Yubikey with PAM

Get some dependencies

apt-get install libpam-dev libcurl4-openssl-dev libpam-radius-auth

Make ourselves a source directory

mkdir ~/yubikey; cd ~/yubikey

Get the current tarball of libyubikey, and install it

wget http://yubico-c.googlecode.com/files/libyubikey-1.5.tar.gz
tar xf libyubikey-1.5.tar.gz
cd libyubikey-1.5
./configure
make check install

Get the current tarball of the Yubico C client, and install it

wget http://yubico-c-client.googlecode.com/files/ykclient-2.3.tar.gz
tar -xf ykclient-2.3.tar.gz
cd ykclient-2.3
./configure
make
make install

Get the current tarball of the Yubico PAM module, and install it

wget http://yubico-pam.googlecode.com/files/pam_yubico-2.3.tar.gz
tar -xf pam_yubico-2.3.tar.gz
cd pam_yubico-2.3
./configure
make
make install

You should end up with your Yubico PAM module ‘/usr/local/lib/security/pam_yubico.so’

We’ll refer to this in our PAM config /etc/pam.d/openvpn

#
# /etc/pam.d/openvpn - OpenVPN pam configuiration
#
# We fall back to the system default in /etc/pam.d/common-*
#
auth required /usr/local/lib/security/pam_yubico.so id=1 debug authfile=/etc/yubikeyid
auth required pam_radius_auth.so no_warn try_first_pass
@include common-account
@include common-password
@include common-session

This configuration will tell PAM to hit the Yubico module first. This splits apart your password field into your password and OTP. The OTP is validated against the Validation Servers, and the password is then passed onto the next module. This configuration will use the Yubico auth servers to check your token.

Once you have a working config, we’ll move to setting up our own Validation Servers. We’ll need to specify the URL for that in this config later on.

In that case, we’re also using RADIUS. This could be LDAP if you had an LDAP server available. You should be able to use the standard UNIX credentials (/etc/password, /etc/shadow) also.

The other important piece to note here is the authfile, /etc/yubikeyid

This file lists the mapping between username and the fixed part of your Yubikey. This is the first 12 chars of the Yubikey OTP (e.g. when you press the button)

abotting:vvcnrdkvevtj

FreeRADIUS authenticating against Active Directory 2008.

I banged my head against a wall for a while on this one. The trick is that you need at least FreeRADIUS 2.1.6 for AD authentication to work properly.

Add Debian backports to your /etc/apt/sources.list

deb http://www.backports.org/debian lenny-backports main contrib non-free

Import the backports key

wget -O - http://backports.org/debian/archive.key | apt-key add -

Update and install the new freeradius

apt-get update
apt-get -t lenny-backports install freeradius freeradius-ldap

In your radiusd.conf

ldap {
    # Define the LDAP server and the base domain name
    server = "ad.yourcompany.com"
    basedn = "dc=ad, dc=yourcompany, dc=com"

    # Active Directory doesn't allow for Anonymous Binding
    identity = "ldap_bind_user@ad.yourcompany.com"
    password = password

    password_attribute = "userPassword"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Users,DC=ad,DC=yourcompany,DC=com))"

    # This fixes Active Directory 2008 access
    chase_referrals = yes
    rebind = yes

    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

In our FreeRADIUS client file /etc/freeradius/clients.conf:

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    nastype = other
}

Use radtest to test our RADIUS is authenticating properly

radtest <username> <password> localhost 1 testing123

Should return Accept.

Set the address and shared secret of the radius server in /etc/pam_radius_auth.conf. The password of testing123 was defined in our RADIUS client config.

# server[:port] shared_secret   timeout (s)
127.0.0.1       testing123      1

OpenVPN has an issue with PAM loading the Yubikey module, so we have to LD_PRELOAD the pam module before starting OpenVPN.

export LD_PRELOAD=/lib/libpam.so.0.81.12; openvpn --config openvpn.conf

For a permanent fix, at the end of the start_vpn function in /etc/init.d/openvpn, just before the $DAEMON line:

    export LD_PRELOAD=/lib/libpam.so.0.81.12
    $DAEMON $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
        --config $CONFIG_DIR/$NAME.conf || STATUS=1

Change the path of /lib/libpam.so.0.81.12 to suit your own system.

I won’t go into the OpenVPN configuration, except that for PAM authentication you need these options in your server config:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
username-as-common-name
ns-cert-type server
client-cert-not-required

Personalising your Yubikey

To host your own Yubikey validation system, you require the secret AES key of your Yubikey. In the past, Yubico could provide this to you. Now, you’re required to flash your Yubikey yourself which will generate a new AES key.

Yubico provide a personalisation tool for Linux, Mac and Windows. If you’re on Windows, you get a nice little GUI. For Linux and Mac, you have a CLI based tool. It’s worth having a look at the ‘Personalization Tool’ page at: http://www.yubico.com/developers/personalization/

Installing the Personalisation Tool

Install some dependencies:

apt-get install libusb-1.0.0-dev

Grab the latest Pesonalisation Tool tarball from: http://code.google.com/p/yubikey-personalization/

cd ~/yubikey
wget http://yubico-c.googlecode.com/files/libyubikey-1.5.tar.gz

Extract, build and install libyubikey

tar xf libyubikey-1.5.tar.gz
cd libyubikey-1.5
./configure
make
make install

You’ll need to provide a UID value for flashing your Yubikey. It needs to be 6 characters, and in hexadecimal. You can use this command to generate one for you.

dd if=/dev/urandom of=/dev/stdout count=100 2>/dev/null | xargs -0 modhex | cut -c 1-10 | awk '{print "vv" $1}'
74657374696e

You must provide the public name (fixed) parameter in modhex format. The modhex format is a special encoding used to ensure characters sent by the key are always correctly interpreted whatever keyboard layout you use.

You also need to generate yourself a public name for your key. This is known as the ‘fixed’ part, and it’ll be the first 16 chars when you generate your OTP. This will identify your key from anybody else’s.

dd if=/dev/urandom of=/dev/stdout count=100 2>/dev/null | xargs -0 modhex | cut -c 1-10 | awk '{print "vv" $1}'
vvcnrdkvevtj

This comamnd generate some random text, does a modhex operation, grabs the first 10 chars, then adds ‘vv’ to the front to make it up to 12.

You’ll be prompted for a passphrase on your AES key. I leave mine blank, but if you do set one, don’t ever lose it. I believe it’ll stop you from re-personalising your Yubikey.

ykpersonalize -ouid=74657374696e -ofixed=vvcnrdkvevtj
Firmware version 2.1.2 Touch level 1793 Program sequence 1
Passphrase to create AES key:
Configuration data to be written to key configuration 1:
fixed: m:vvcnrdkvevtj
uid: h:74657374696e
key: h:fcaad309a20ne1809c2db2f7f0e8d6ea
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:

Commit? (y/n) [n]: y

Save this information, as we’ll need it later.

Setting up yor own YubiKey OTP Validation Server

You need to install two things: The Key Storage Module and the Yubico Validation Server. The Key Storage Module (KSM) holds the secret AES key of your Yubikey token, while the Validation Server does the OTP check against the KSM.

In their 2.0 architecture, you can have multiple KSM’s and Validation servers with work together for reduncancy.

KSM Installation

Make a working directory, and get the KSM package

mkdir ~/yubikey && cd ~/yubikey
wget http://yubikey-ksm.googlecode.com/files/yubikey-ksm-1.3.tgz
tar xfz yubikey-ksm-1.3.tgz

Install the KSM files

cd yubikey-ksm-1.3
make install

Install Apache2 and PHP

Install Apache2, PHP and MySQL

apt-get install apache2 php5 php5-mcrypt php5-curl mysql-server php5-mysql libdbd-mysql-perl

Create the ykksm table

echo "CREATE DATABASE ykksm;" | mysql -u root -p

Import the DB schema

mysql -u root -p ykksm < /usr/share/doc/ykksm/ykksm-db.sql

Set up some MySQL permissions

CREATE USER 'ykksmreader';
GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('hYea3Inb');

CREATE USER 'ykksmimporter';
GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('ikSab29');

FLUSH PRIVILEGES;

Include path configuration

Set the include path by creating a file /etc/php5/conf.d/ykksm.ini

cat > /etc/php5/conf.d/ykksm.ini << EOF
include_path = "/etc/ykksm:/usr/share/ykksm"
EOF

Make a web server symlink

make -f /usr/share/doc/ykksm/ykksm.mk symlink

Set your configuration settings in /etc/ykksm/ykksm-config.php

<?php
  $db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
  $db_username = "ykksmreader";
  $db_password = "hYe63Inb";
  $db_options  = array();
  $logfacility = LOG_LOCAL0;
?>

Restart Apache2

/etc/init.d/apache2 restart

Test the KSM Server

Try this URL:

curl 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Unknown yubikey

It should return ‘Unknown Key’ until we have imported our Yubikey into the database.

Install the Yubico Validation Server

The latest version, and documentation can be found at: http://code.google.com/p/yubikey-val-server-php/

Installation

Go to our working source directory, and grab the package

cd ~/yubikey
wget http://yubikey-val-server-php.googlecode.com/files/yubikey-val-2.4.tgz

Extract, build and install the server

tar -zxf yubikey-val-2.4.tgz
cd yubikey-val-2.4
make install

Create the ykval database and import the schema

echo 'create database ykval' | mysql -u root -p
mysql -u root -p ykval < /usr/share/doc/ykval/ykval-db.sql

Install the symlink

make symlink

Include path configuration

cat > /etc/default/ykval-queue << EOF
DAEMON_ARGS="/etc/ykval:/usr/share/ykval
EOF

Create a htaccess file: /var/www/wsapi/2.0/.htaccess

RewriteEngine on
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]

php_value include_path ".:/etc/ykval:/usr/share/ykval"

Symlink the htaccess file

cd /var/www/wsapi; ln -s 2.0/.htaccess /var/www/wsapi/.htaccess

Copy the template config file for the Validation Server

cp /etc/ykval/ykval-config.php-template /etc/ykval/ykval-config.php

Edit the file and configure settings in /etc/ykval/ykval-config.php

<?php

  # For the validation interface.
  $baseParams = array ();
  $baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
  $baseParams['__YKVAL_DB_USER__'] = 'ykvalverifier';
  $baseParams['__YKVAL_DB_PW__'] = 'password';
  $baseParams['__YKVAL_DB_OPTIONS__'] = array();

  # For the validation server sync
  $baseParams['__YKVAL_SYNC_POOL__'] = array("http://localhost/wsapi/2.0/sync");

  # An array of IP addresses allowed to issue sync requests
  # NOTE: You must use IP addresses here.
  $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("127.0.0.1");

  # Specify how often the sync daemon awakens
  $baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;

  # Specify how long the sync daemon will wait for response
  $baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;

  # Specify how old entries in the database should be considered aborted attempts
  $baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;

  # These are settings for the validation server.
  $baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
  $baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
  $baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
  $baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;

  // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
  // CLIENT.  The URLs must be fully qualified, i.e., contain the OTP
  // itself.
  function otp2ksmurls ($otp, $client) {
    return array("http://localhost/wsapi/decrypt?otp=$otp",);
  }
?>

In the above configuration, we’re only expecting to use one Validation Server and one KSM. If you’re planning on having multiple Validation servers and KSM’s, then you’ll be including the other Validation Servers in the SYNC_POOL, and your KSM’s in the URLs at the bottom, returned by the otp2ksmurls function.

Enable the mod_rewrite

a2enmod rewrite

Create the ykval database user

CREATE USER 'ykvalverifier'@'localhost' IDENTIFIED BY  'password';
GRANT ALL PRIVILEGES ON `ykval`. * TO  'ykvalverifier'@'localhost';

Fix some privileges on our config file

chgrp www-data /etc/ykval/ykval-config.php

The Sync Daemon uses the PEAR module System_Daemon so you need to install it:

apt-get install php-pear
pear install System_Daemon-0.9.2

Install the init.d script

ykval-queue install
update-rc.d -f ykval-queue defaults

Start the daemon

/etc/init.d/ykval-queue start

Testing

Use CURL to test our server is working

curl 'http://localhost/wsapi/verify?id=1&otp=vvcnrdkvevtefjbrjnlnldnhcujvddbikngjrtgh'

It should return something like this:

h=aPCQ4kWJilDgriyEii3j8J8lfuY=
t=2009-04-27T19:08:51Z0100
status=NO_SUCH_CLIENT

Once we import our Yubikey into the database, we should get a nice ‘status=OK’ message.

Importing your keys into the KSM server

Refer back to the output from personalising your Yubikey. You’ll need the fixed part (referred to as publicname in the DB), internal name (UID) and our AES key.

This is an entry for our newly personalised Yubikey.

USE ykksm;
INSERT INTO `yubikeys` (`serialnr`, `publicname`, `created`, `internalname`, `aeskey`, `lockcode`, `creator`, `active`, `hardware`)
VALUES (101209, 'vvcnrdkvevtj', '2010-05-07 15:18:40', '74657374696e', 'fcaad309a20ne1809c2db2f7f0e8d6ea', '000000000000', '', 1, 1);

This entry is required for our systems to authenticate against the Validation server. I’m not exactly sure about this, as the documentation is somewhat bare. I think you need an administrator-type person’s key details in here. The imporant part is the ID. This values corresponds the the ‘id=’ value in our CURL requests and in our PAM config.

USE ykval;
INSERT INTO `clients`
(`id`, `active`, `created`, `secret`, `email`, `notes`, `otp`)
VALUES
(1, 1, 1, 'fcaad309a20ne1809c2db2f7f0e8d6ea', 'your@email.addr', 'Any text your want', 'vvcnrdkvevterfbtelvnvkkueenecrlfnlhdjetrhgnk');

We’ll hit our new Validation Server to make sure it’s working

curl "http://localhost/wsapi/2.0/verify?id=1&nonce=askjdnvajsndjkasndvjsnad&otp=vvcnrdkvevtjkreuvvlhtubjecbrticjneckgrigkck"
h=KLEb3gOJ4KqQaCVbh8cEvXjH50U=

It should return something like this:

t=2010-05-20T11:24:53Z0051
otp=vvvcnrdkvevtjkreuvvlhtubjecbrticjneckgrigkck
nonce=askjdnvajsndjkasndvjsnad
sl=100
status=OK

In this URL, we’ve added the ‘nonce’ parameter. This just a test to make sure the v2.0 API is working. ‘status=OK’ means it’s all good! If you get ‘NOT_ENOUGH_ANSWERS’, it means it has trouble trying to sync with other Validation Servers.

We’ll get PAM using our new Validation Servers for auth

/etc/pam.d/openvpn

auth required /usr/local/lib/security/pam_yubico.so id=1 authfile=/etc/yubikeyid url=http://10.68.130.198/wsapi/verify?id=%d&otp=%s debug

If you watch /var/log/auth.log, you should see the PAM module spitting out some debugging information which may be useful. It also spits out your plain text password too, while you have the debug option on. Make sure you remove this later.

Problems

If you see an error like this:

PAM unable to dlopen(/lib/security/pam_yubico.so): /lib/security/pam_yubico.so: undefined symbol: pam_set_data

you’ll need the LD_PRELOAD trick from above. Something to do with dlopening the PAM module I believe.

The virt-install command contains an extra-args argument, where you can fill-in the specific parts of the preseeding. I don’t want to set an IP address in the file as it’s going to be used to build lots of machines, so I just specify that at install time. The URL part is where out preseed config file is stored. This obviously means that the machine needs to able to contact with webserver at install time to download the config.

$ NAME=debian-test
virt-install --name=${NAME} \
--ram=512 --file=/var/lib/xen/images/${NAME}.img \
--file-size 8 \
--nographics \
--paravirt \
--network=bridge:br0 \
--location=http://mirrors.uwa.edu.au/debian/dists/lenny/main/installer-i386 \
--extra-args="auto=true interface=eth0 hostname=${NAME} domain=vpac.org netcfg/get_ipaddress=192.168.1.2 netcfg/get_netmask=255.255.255.0 netcfg/get_gateway=192.168.1.1 netcfg/get_nameservers=192.168.1.1 netcfg/disable_dhcp=true url=http://webserver/preseed.cfg"

To get an idea of the contents of the preseed config file, the best place to start is the Debian stable example preseed file. It lists lots of different options, with plenty of comments so you can understand what’s going on.

For me to get a fully-automated install, I used these options. It’s fairly standard, but definitely worth reading the comments about each line.

$ egrep -v "(^#|^$)" preseed.cfg
d-i debian-installer/locale string en_AU
d-i console-keymaps-at/keymap select us
d-i netcfg/choose_interface select eth0
d-i netcfg/disable_dhcp boolean true
d-i netcfg/dhcp_options select Configure network manually
d-i netcfg/confirm_static boolean true
d-i mirror/protocol string http
d-i mirror/country string manual
d-i mirror/http/hostname string mirrors.uwa.edu.au
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string
d-i clock-setup/utc boolean true
d-i time/zone string Australia/Melbourne
d-i clock-setup/ntp boolean true
d-i clock-setup/ntp-server string ntp.vpac.org
d-i partman-auto/method string regular
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/choose_recipe select atomic
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password-crypted password [MD5 Sum of the password]
tasksel tasksel/first multiselect standard
d-i pkgsel/include string openssh-server vim puppet
popularity-contest popularity-contest/participate boolean false
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i finish-install/reboot_in_progress note

Some good resources I found, which might help you are:

• The Preseeding d-i page on the Debian wiki
• Mike Renfro’s Unattended Debian Installations (or How I Learned to Stop Worrying and Love the preseed.cfg)

This is going to mean it’s going to become much harder to get RTMPdump for downloading copies of ABC’s iView files, which I previously posted about. This might also have interesting consequences for XBMC and Boxee which both include this code for supporting streaming media from BBC’s iPlayer.

This is pretty disappointing from Adobe, especially after claiming they would be in the process of opening up the protocol.

I just rewrote the iView plugin for XBMC.. and it’s far more robust. There is still lots to finish, but it kinda works. This was spurred on by someone actually trying it out, and then me finding out that ABC changed their XML.

You’ll need the RTMP patch for XBMC, and version 0.2 of the ABC iView plugin for XBMC.

Some things that still need improving are:

• Auth token still times out. That means that if you watch something, you’ll need to go back to the channels list and then back into the channel to list the programs again and get a new auth token. Annoying.
• No thumbnails or extended metadata available for channels or programs.
• Some programs have funny names. Pretty minor, but annoying.
• Programs are streamed in 4:3, but are actually produced in 16:9. I set XBMC to 16:9 Stretch mode.

For more info about the plugin, see this other entry I wrote.

Don’t forget to vote for an iView plugin for Boxee at the Customer Support Community for boxee. It might might help get iView into Boxee!

Following on from the last post about using rtmpdump to grab ABC’s iView programs, I’ve made a start on an XBMC plugin.. with the hope of eventually working on a Boxee plugin also.

To start with, you’ll need my patch to all you to specify the tcurl of an rtmp stream from with the XBMC API. This is needed because XBMC makes some assumptions about RTMP urls, based on other streams like Hulu and BBC’s iPlayer. ABC’s method is similar, but a little different. I’ll be trying to get the patch sent upstream, but it may need a little more work.

Now you’re going to have to compile XBMC yourself from source. I’ve only done it on Linux, so I can’t help you with Mac, Windows or Xbox versions. For information about compiling it on Ubuntu, you can check out the page on the XBMC wiki. You just need to do ‘cd’ into the XBMC directory you did your SVN checkout on, and then:

patch -p0 < /path/to/abc-iview-rtmp-tcurl-fix.patch

Hopefully you shouldn’t see any errors.

You can then grab my very basic iView plugin for XBMC. It’ll need to be extracted into your plugins/video directory of your XBMC installation.

This plugin has some serious limitations right now..

Firstly, some shows are listed as just ‘Episode 1′. It seems that in the XML files describing the shows, the data is very inconsistent. I’ll be looking at this in the next version of the plugin.

Next, because of the nature of the auth token that is generated, if you watch a program and then go back to the list of programs, if you try another, it will fail to play, as the token has timed out. You need to go back another level to the channels, then click the channel you want. This means that the URLS listed will generate a new token which will be valid again.

Last, the shows are all broadcasted in 16:9 on the TV, but streamed at 640×480 (4:3). This is really silly, but you can fix it by setting your XBMC view to use ‘Stretch 16:9′. Not ideal, but I’ll be looking into automatically setting the view if it’s exposed in the XBMC API.

It’s still very rough, but a start. Boxee has just announced a new API which I’ll be taking a look at shortly.

UPDATE: Version 0.2 of the plugin is out. See here.

I’ve done a little bit of work since my last post on this, and a couple of people have asked for my stuff. Here goes.

Firstly, you can use RTMPdump to download the iView stream on your Linux box. You’ll need to download rtmpdump 1.4 and compile it yourself. It should just take a ‘make’ as long as you have all the requirements.

When iView starts, it first requests an XML config file, from the URL http://www.abc.net.au/iview/iview_config.xml

<?xml version="1.0" encoding="utf-8"?>
<config>
<param name="authenticate_path"   value="http://202.125.43.119/iview.asmx/isp" />
<param name="media_path"          value="flash/playback/_definst_/" />
<param name="media_path_mp4"      value="flash:mp4/playback/_definst_/" />
<param name="server_streaming"    value="rtmp://cp53909.edgefcs.net/ondemand" />
<param name="server_speedtest"    value="rtmp://cp44823.edgefcs.net/ondemand" />
<param name="xml_help"            value="iview_help.xml" />
<param name="xml_channels"        value="iview_channels.xml" />
<param name="xml_series"          value="http://www.abc.net.au/playback/xml/rmp_series_list.xml" />
<param name="xml_thumbnails"      value="http://www.abc.net.au/playback/xml/thumbnails.xml" />
<param name="xml_classifications" value="http://www.abc.net.au/playback/xml/classifications.xml" />
<param name="xml_feature"         value="http://www.abc.net.au/playback/xml/iview_feature.xml" />
<param name="xml_feature_home"    value="http://www.abc.net.au/playback/xml/iview_homepage.xml" />
<param name="server_time"         value="http://www.abc.net.au/iview/time.htm" />
<param name="thumbs_path"         value="http://www.abc.net.au/playback/thumbs/" />
<param name="base_url"            value="http://www.abc.net.au/iview" />
<param name="channel_id_arts"     value="2260366" />
<param name="channel_id_news"     value="2186765" />
<param name="channel_id_docs"     value="2176127" />
<param name="channel_id_shop"     value="2186639" />
<param name="channel_id_catchup"  value="2172737" />
<param name="channel_id_kazam"    value="2288241" />
<param name="channel_id_faves"    value="2478452" />
<param name="channels_main"       value="catchup,news,docs,arts,shop" />
<param name="channels_kids"       value="kazam,faves" />
</config>

From this file, you can find out which other XML files you need for the channels and program descriptions. Firstly though, you need a special token, which is like an authorisation string. It’s done by doing a HTTP GET on the authenticate_path, which will return something like:

<?xml version="1.0" encoding="utf-8"?>
<iview xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="iview.abc.net.au">
<ip>124.168.17.31</ip>
<isp>iiNet</isp>
<desc>iiNet Limited</desc>
<host>Akamai</host>
<server />
<bwtest />
<token>daEdOckcEbtaqdmdLasbhcBbCbobAbOaxa5-bjOn1r-8-jml_rFAnL&amp;aifp=v001</token>
<text>iView is unmetered for &lt;a href="http://www.iinet.net.au/" target="_blank"&gt;iiNet&lt;/a&gt; customers.</text>
<free>yes</free>
<count>5557</count>
<init>false</init>
</iview>

This is doing a lookup of my IP address, to ensure I’m in Australia, and pass me the token. The token has a short lifetime also, only a few minutes. You then need this token to help you build the URL to request the video stream you want.

To find the programs of a particular channel, you need to grab a URL like this: http://www.abc.net.au/playback/xml/output/catchup.xml.

<?xml version="1.0"?>
<rmp-content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<channel enabled="true" id="2172737">
<name>ABC CatchUp</name>
<description><![CDATA[Recent best of ABC1 & ABC2 TV]]></description>
<intro></intro>
<ident></ident>
<channel-logo>http://www.abc.net.au/playback/img/chl_catchup.png</channel-logo>
<image id="258433" order="1">
<title><![CDATA[ABC Catchup Background 09]]></title>
<version id="1071615">
<title><![CDATA[1230x564jpg]]></title>
<url>http://www.abc.net.au/reslib/200806/r258433_1071615.jpg</url>
</version>
</image>
<image id="257912" order="2">
<title><![CDATA[ABC Catchup background 06]]></title>
<version id="1068909">
<title><![CDATA[1230x564jpg]]></title>
<url>http://www.abc.net.au/reslib/200806/r257912_1068909.jpg</url>
</version>
</image>
<program-title-list>
<program-title id="352699" promo="false" order="9">
<title><![CDATA[Catalyst Series 10 Episode 8]]></title>
<short-title></short-title>
<synopsis><![CDATA[Malaria jumps the gap from monkey to man; could bubbles be a solution to the hard hit  mining industry? And see how a horse trainer applies his skill to the training of elephants, with remarkable success.]]></synopsis>
<publish-date>03/04/2009 12:00:00</publish-date>
<expire-date>17/04/2009 00:00:00</expire-date>
<transmission-date>02/04/2009 00:00:00</transmission-date>
<censorship>G</censorship>
<censorship-warning></censorship-warning>
<website>Go to website</website>
<website-url>http://www.abc.net.au/catalyst/</website-url>
<video-download></video-download>
<video-download-url>http://www.abc.net.au/tv/geo/catalyst/vodcast/default.htm</video-download-url>
<shop></shop>
<shop-url></shop-url>
<category>Science and Technology</category>
<cue-points>
</cue-points>
<video-asset id="1619127" order="0">
<title><![CDATA[1850flv]]></title>
<url>catch_up/catalyst_09_10_08.flv</url>
<unc-path>catalyst_09_10_08.flv</unc-path>
<duration>27.00</duration>
<file-size>135</file-size>
<thumb>abc_catchup.jpg</thumb>
</video-asset>
</program-title>
<program-title id="....">
...more programs...
</program-title>
</program-title-list>
</channel>
</rmp-content>


I’ve shortened the output of the ‘Catch Up’ channel here. This is what you’re likely to see when you get the channel XML file. As you can see, this is describing an episode of Catalyst, and I’ve marked the URL in bold.

TOKEN=`curl -q http://202.125.43.119/iview.asmx/isp | grep token | sed 's/<token>//g' | sed 's/\&amp;/\&/g' | sed 's,</token>,,g' | sed 's/ //g'`; ./rtmpdump --rtmp "rtmp://203.206.129.37:1935////flash/playback/_definst_/catch_up/catalyst_09_10_08.flv" --auth "auth=${TOKEN}" -t "rtmp://cp53909.edgefcs.net/ondemand?auth=${TOKEN}" -o test.flv

This horrible command is getting the token, and stripping out all unncessesary characters, and then passing it onto rtmpdump. You might have also noticed in the command above, I have four slashes in the RTMP url. This is to work around some assumptions that rtmpdump makes about the path. I had made a patch, but in rtmpdump 1.4, you can just use 4 slashes to make it work.

Most of this data came from doing Wireshark packet traces while working with the flash-based iView interface. Also important to note that the programs have an expiry date also. If the command above returns a ‘stream not found’ message, you’ll probably need a newer episode.

In the next post, I’ll be posting the code for the XBMC plugin.