Upgrade Ubiquiti UniFi AP-AC-Pro to mitigate KRACK

So, if you haven’t heard, there’s a flaw in the WPA2 protocol.  Read about it if you don’t know.

Since I have a specific model of Ubiquiti UniFi WiFi AP, I figured they’d have an update quickly, which they did.  However, I didn’t anticipate trouble in updating to the latest firmware; it took a LONG time to finally get it updated.  Essentially, the update via the controller would fail, even though it said it was going to update to the right version.  The AP would blink happily, then reboot on the same version of the firmware, over and over.  I tried other means, including local and ssh/scp update methods.  Same result.  In the end, this and this and this helped me diagnose a very odd situation:

  • Controller and other updates failed because the AP downloads the update over https:// URLs
  • The built-in SSL certificate verification failed because the time on the AP had never been set (it showed December 1969, i.e. the clock was still at the Unix epoch)
  • The time on the AP was not synced (via NTP) because my local NTP server (on my router) was not functional
  • My local NTP server was not functional because I had the router’s DNS pointing to non-standard (non-logging, private) DNS servers
  • Those private DNS servers were failing to resolve some names, as far as I can tell, including pool.ntp.org

Updating my DNS servers (back to Google’s, not my first choice since they log my queries) fixed the NTP server, which allowed me to upgrade the firmware on my pfSense router (which hadn’t been getting updates because of the same DNS issue), which made NTP happier still, which allowed the WiFi AP to get the correct time, which finally allowed the upgrade to complete properly.
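The chain above is worth checking in dependency order whenever an HTTPS download from an embedded device fails with a certificate error. The following script is an added example, not part of the original post or of Ubiquiti’s tooling: it tests DNS, then the clock, then a TLS fetch, and reports the first broken link. The NTP host, the update URL and the 2017 clock floor are assumptions; run it over ssh on the AP or on the router.

```shell
#!/bin/sh
# Added example, not from the original post: check the links of the chain
# DNS -> NTP/clock -> TLS in the order they depend on each other, and stop
# at the first one that is broken.

NTP_HOST="${NTP_HOST:-pool.ntp.org}"
UPDATE_URL="${UPDATE_URL:-https://www.ubnt.com/}"   # assumed: any https:// URL the AP must reach
CLOCK_FLOOR=1483228800   # 2017-01-01T00:00:00Z; anything earlier means the clock was never set

# True when the epoch timestamp in $1 is plausible (not 1969/1970).
clock_is_sane() { # epoch_seconds
    [ "$1" -ge "$CLOCK_FLOOR" ]
}

# True when NAME resolves. getent is on most Linux boxes; nslookup is the fallback.
resolves() { # name
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1
    else
        nslookup "$1" >/dev/null 2>&1
    fi
}

# Translate a curl exit code into what it usually means in this chain.
curl_hint() { # exit_code
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "could not resolve host: DNS is broken" ;;
        60) echo "certificate verification failed: check the clock before the CA bundle" ;;
        *)  echo "curl failed with exit code $1" ;;
    esac
}

# Walk the chain; print the first broken link and return non-zero.
check_chain() {
    resolves "$NTP_HOST" || { echo "DNS: cannot resolve $NTP_HOST"; return 1; }
    now=$(date +%s)
    clock_is_sane "$now" || { echo "CLOCK: $(date) is before 2017, NTP has not synced"; return 2; }
    curl -sS -o /dev/null --max-time 10 "$UPDATE_URL"
    rc=$?
    [ "$rc" -eq 0 ] || { echo "TLS: $(curl_hint "$rc")"; return 3; }
    echo "all links ok"
}
```

Call `check_chain` from an interactive shell; a curl exit code of 60 with a clock in 1969 is the signature of the situation described above, and fixing DNS first (so that NTP can sync) is the only order that works.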


Configure pfSense bridge over multiple NICs as LAN

In the past I’ve used “raw” pf on FreeBSD as a firewall for a variety of situations both large and small, but this week I started playing with an inexpensive, fanless, multi-NIC box as a potential firewall and router running pfSense. Interestingly, the first thing I realized is that I could not find in pfSense any completely user-friendly (read: single checkbox) option to turn all but the WAN-designated NIC into a single bridged “LAN”. It seems like a pretty basic thing someone would want to do for a home router, or simply to avoid the routing overhead of moving packets between different subnets. A quick search for other solutions didn’t turn up one that I thought was really complete, hence this guide.

Command-line or script access to One-Time-Secret

For a number of reasons, I’ve been playing with OneTimeSecret, a nice little service that lets you share a secret with someone else and know that it can be viewed only once. Additional features such as a Time To Live (TTL) and encrypted secrets, plus direct email to the intended recipient, are nice bonuses.

However, I wanted to incorporate the sharing of secrets into a shell script, and while the RESTful API is helpful and I could have used curl directly, I decided I could easily provide a simpler interface: shell functions for scripts plus a command-line interface. Check it out on GitHub.

MacBook Pro 2016 USB-C to Dual-Link DVI (DVI-DL)

So, you’ve got a nice large 30″ display (e.g. Apple 30″ Cinema Display or Dell 3007WFP) that can render 2560×1600 @ 60 Hz, but it has a Dual-Link DVI connector. And you have a nice new MacBook Pro 2016 with only USB-C connectors. You might think it would be easy to connect, but this may turn out to be a total PITA, because the straightforward solutions (simple adapters that are merely physically compatible) won’t cut it; it’s more complicated…


Using dd to rescue data from failing drive

So, you’ve ignored those SMART errors for a while now, haven’t you? Now you realize that there might actually be something going wrong with your hard drive. You try to naively copy data off, but it fails. No worries: there is an option to dd that can help you get most of the data off:

dd if=/dev/sdc of=/home/me/sdc.dd conv=noerror,sync

or, if using lvm

dd if=/dev/vg0/failing-lvm of=/dev/vg0/new-lvm conv=noerror,sync

The conv options change how dd handles bad blocks: noerror tells dd to keep going after a read error instead of aborting, and sync pads each short or failed read with NULs up to the block size, so that everything after an unreadable sector still lands at its correct offset in the image (without sync, the bad block would simply be dropped and everything after it shifted). The file sdc.dd or the new LVM volume can now be mounted:

mount -o loop -t ntfs /home/me/sdc.dd /mnt/old

Hopefully you can recover (most of) the files now. Two caveats: if /dev/sdc was a whole disk rather than a single partition, the image begins with the partition table and the mount above will fail; mount the partition instead with -o loop,ro,offset=N, where N is the partition’s start sector times the sector size (fdisk -l on the image shows both). And for a drive that is throwing many errors, GNU ddrescue, which retries bad areas and keeps a map of what it has already read, is a better tool than dd.
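To make the effect of conv=sync visible without a failing disk, here is an added example (not from the original post) that wraps the dd invocation above in a function and runs it on a constructed 1000-byte input: the last read is short, so the image comes out padded to 1024 bytes, exactly as a block with a bad sector would. The mount_cmd helper assumes 512-byte sectors and an NTFS partition; point rescue_image at a real device such as /dev/sdc for an actual rescue.

```shell
#!/bin/sh
# Added example, not from the original post: image a failing device with
# dd's error-tolerant options and show what conv=sync does to the output.

# noerror: keep reading after an I/O error instead of aborting.
# sync:    pad every short or failed read with NULs up to bs, so data after a
#          bad sector stays at its true offset in the image.
# dd's records in/out summary goes to stderr; keep it for the rescue log.
rescue_image() { # src dst [bs]
    dd if="$1" of="$2" bs="${3:-512}" conv=noerror,sync
}

# Size in bytes, portable across GNU and BSD userlands.
size_of() { # file
    wc -c < "$1" | tr -d ' '
}

# Print the mount command for one partition of a whole-disk image, given the
# partition's start sector (from `fdisk -l image`). Assumes 512-byte sectors;
# mounts read-only so nothing is written to a half-recovered filesystem.
mount_cmd() { # image start_sector mountpoint [fstype]
    echo "mount -o loop,ro,offset=$(( $2 * 512 )) -t ${4:-ntfs} $1 $3"
}

# Demonstration on constructed data: 1000 bytes is not a multiple of 512, so
# the final read is short and conv=sync pads the image out to 1024 bytes.
demo() {
    tmp=$(mktemp -d)
    head -c 1000 /dev/zero | tr '\000' 'A' > "$tmp/src"     # constructed sample input
    rescue_image "$tmp/src" "$tmp/src.dd" 512 2>/dev/null
    echo "source $(size_of "$tmp/src") bytes, image $(size_of "$tmp/src.dd") bytes"
    rm -rf "$tmp"
}
```

Running demo prints a 1000-byte source and a 1024-byte image; the first 1000 bytes match and the remaining 24 are NUL padding. On a real disk the same padding appears wherever a sector could not be read, which is why the filesystem inside the image still mounts: its structures are at the offsets it expects.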

Local / domain-specific DNS resolvers on Mac OS X

Got VMs? Have local servers at home? Connecting to a VPN? Want to do ALL at the same time and still be able to use typical DNS name resolution to reach the local domain hosts and your VMs? Doing this from a Mac?

To solve the problem of having different, local-only DNS/resolver lookups on a Mac, e.g. for a set of local VMs for experimentation, you could put the hosts into /etc/hosts, but you could also run a local instance of dnsmasq. But then how do you tell your Mac to get addresses for those names from that local server, or from any other (local-network) server?
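The mechanism macOS provides for this is the resolver(5) directory: one file per domain under /etc/resolver, each naming the server (and optionally the port) that should answer for that domain and its subdomains, while every other name keeps going to the DHCP- or VPN-supplied resolvers. The script below is an added example, not from the original post; it generates the resolver file and the matching dnsmasq entries. The domain vm.test, the port 5353 and the two VM addresses are assumptions, and RESOLVER_DIR can be pointed at a scratch directory to preview the files before writing them with sudo.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two pieces of
# configuration that send lookups for one domain to a local dnsmasq on macOS.

# /etc/resolver/<domain>: macOS resolver(5) reads one file per domain and sends
# queries for that domain (and its subdomains) to the nameserver listed there.
write_resolver() { # domain nameserver [port]
    dir="${RESOLVER_DIR:-/etc/resolver}"    # real location; override to preview
    mkdir -p "$dir"
    {
        printf 'nameserver %s\n' "$2"
        if [ -n "${3:-}" ]; then printf 'port %s\n' "$3"; fi
    } > "$dir/$1"
    echo "$dir/$1"
}

# dnsmasq side: address=/name/ip answers name and everything under it.
# Entries are host=ip pairs and are appended to the given dnsmasq.conf.
write_dnsmasq_entries() { # conf domain host=ip ...
    conf=$1; domain=$2; shift 2
    for entry in "$@"; do
        printf 'address=/%s.%s/%s\n' "${entry%%=*}" "$domain" "${entry#*=}"
    done >> "$conf"
}

# Ask the system resolver (the path applications use) for a name.
# dig and nslookup read /etc/resolv.conf directly and ignore /etc/resolver,
# so they are the wrong tools for checking this setup.
check_name() { # name
    dscacheutil -q host -a name "$1"
}

# Example setup (assumed values): run with sudo for the real /etc/resolver.
setup_example() {
    write_resolver vm.test 127.0.0.1 5353
    write_dnsmasq_entries "${DNSMASQ_CONF:-/usr/local/etc/dnsmasq.conf}" vm.test \
        web=10.0.0.10 db=10.0.0.11
}
```

dnsmasq itself needs `listen-address=127.0.0.1` and `port=5353` (or drop the port line from the resolver file if it listens on 53); restart it after editing, then `scutil --dns` lists the per-domain resolver and `check_name web.vm.test` shows whether the system resolver actually uses it.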


January 17, 2017. Category: admin, dns, macOS.

SSH Key Auth on Dell PowerConnect Switches

Today I tried to set up ssh public keys on our Dell PowerConnect switches, figuring that good key authentication should be more secure and easier than simple password auth, right? Clearly someone is in the camp of “fallor ergo sum” on this one, and I suppose it might be me.


SSH Auto-Proxy Script

If you’ve ever added a ProxyCommand directive to your ssh config file, you may have found that on a portable computer you only need that directive some of the time: when you’re behind that nasty corporate firewall, or on the network with the proxy server. Since the ProxyCommand can be just about anything you like, as long as it reads from standard input and writes to standard output, we can use that fact and write a wrapper that only invokes a proxy connection when needed. I’ve written such a script and use it regularly to tunnel through HTTP proxy servers or to jump through intermediate hosts.


SSH through HTTP Proxy

Can’t use SSH on the standard port 22? Need to tunnel through a proxy server? Work behind a draconian firewall and can’t SSH directly? No problem. This document will hopefully show you how to tunnel through an HTTP proxy server without any server-side modifications.
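Both this post and the SSH Auto-Proxy post above rely on the same property of ProxyCommand: ssh hands the wrapper a host and port and speaks the protocol over the wrapper’s stdin and stdout, so the wrapper is free to decide how to reach the host. The script below is an added example, not the author’s script from either post: it probes the proxy, picks a route, and execs the command that carries the stream. The proxy proxy.corp.example:3128, the jump host bastion.example.com and OpenBSD netcat’s `nc -X connect` syntax are assumptions; nmap’s ncat uses `--proxy` instead, and corkscrew is another common choice for the HTTP route.

```shell
#!/bin/sh
# Added example, not the script from the original posts: a ProxyCommand wrapper
# that picks a route per connection. Install as ~/.ssh/ssh-autoproxy and use:
#   Host *.example.com
#       ProxyCommand ~/.ssh/ssh-autoproxy %h %p
# Assumed: an HTTP CONNECT proxy at proxy.corp.example:3128, a jump host
# bastion.example.com, and OpenBSD netcat (nc -X connect).

PROXY_HOST="${SSH_PROXY_HOST:-proxy.corp.example}"
PROXY_PORT="${SSH_PROXY_PORT:-3128}"
JUMP_HOST="${SSH_JUMP_HOST:-bastion.example.com}"

# Is the proxy answering on its port? True only on the corporate network.
proxy_reachable() { # host port
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Pick a route: an explicit override (direct|proxy|jump) wins, otherwise
# use the proxy when it is reachable and go direct when it is not.
choose_route() { # proxy_host proxy_port [override]
    case "${3:-}" in
        direct|proxy|jump) echo "$3"; return 0 ;;
    esac
    if proxy_reachable "$1" "$2"; then echo proxy; else echo direct; fi
}

# The command that will carry the ssh stream on stdin/stdout for each route.
route_command() { # route host port
    case "$1" in
        proxy)  echo "nc -X connect -x $PROXY_HOST:$PROXY_PORT $2 $3" ;;
        jump)   echo "ssh -W $2:$3 $JUMP_HOST" ;;
        direct) echo "nc $2 $3" ;;
        *)      echo "unknown route: $1" >&2; return 1 ;;
    esac
}

main() { # host [port]
    route=$(choose_route "$PROXY_HOST" "$PROXY_PORT" "${SSH_AUTOPROXY_ROUTE:-}")
    cmd=$(route_command "$route" "$1" "${2:-22}") || exit 1
    exec $cmd   # word-split on purpose: host and port contain no spaces
}

# Run main only when invoked as the script, not when sourced for testing.
case "$0" in */ssh-autoproxy|ssh-autoproxy) main "$@" ;; esac
```

Setting SSH_AUTOPROXY_ROUTE=direct (or proxy, or jump) in the environment forces a route when the probe guesses wrong, for instance on a network where the proxy is reachable but not required; the probe itself costs one TCP connect with a two-second timeout per ssh session.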


January 30, 2004. Category: ssh.