It is not often that I write an article about the Windows operating system. In this case it is about Windows 10. From time to time I need a Windows laptop, which I borrow from a pool. It is only needed to run certain applications that are bound to that operating system. I still have not found a working 64-bit version of the WebEx plugin that runs natively on a Linux host.
I was really amazed to find such a nice solution in cmd.exe. I wanted to delete a WLAN password.
Now, how does it work on a Windows 10 host? To show the available WLAN profiles on the machine, use the following command:
netsh wlan show profiles
To delete a profile, use the following command, where "Home" is the name of the WLAN profile to remove:
netsh wlan delete profile name=Home
I have been searching for conditional aliases for some time. For example, if you have an LDAP server and a syslog server, each of these services runs on a physically different host, and each host has scripts that can only be executed there, it would be good if an error message were shown when trying to run such a command from the "wrong" host. Sometimes such error messages are built into the scripts you run, but mostly they are not.
I have found a simple solution for this use case. Initially I thought it could only be solved with an alias and a comparison, but it turns out it can be solved in zsh (and probably in bash as well) using a simple function. Referring to the example above with LDAP and syslog, where the LDAP service and its scripts run on the host auth1 and the syslog service and its scripts run on the host log1, the following functions display an error message when they are run on the wrong host:
# grep in syslog (host log1)
function gacl(){
    # compare the short hostname; quote the expansion so an empty result cannot break the test
    if [ "$(hostname -s)" = "log1" ]; then
        grep -- "$1" /var/log/syslog.log
    else
        echo "This function works only on log1" >&2
        return 1
    fi
}
# grep in auth.log (host auth1)
function syslog(){
    if [ "$(hostname -s)" = "auth1" ]; then
        grep -- "$1" /var/log/auth.log
    else
        echo "This function works only on auth1" >&2
        return 1
    fi
}
Add both functions to your .zshrc file, and each time you try to run a function on the wrong host a hint is displayed instead.
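A more general form of the same idea, as an added example that is not part of the original post: one guard function takes the expected host name plus the command to run, so every host-bound helper becomes a one-liner on top of it and the error message is produced in one place. The GUARD_HOSTNAME variable is an assumption introduced here so the guard can be exercised on any machine; in normal use it is left unset and `hostname -s` decides. The code is plain POSIX sh, so it works in zsh and bash alike.

```shell
#!/bin/sh
# Added example (not from the original post): a generic "run only on host X" guard.

# Short hostname of this machine. GUARD_HOSTNAME is an assumption for testing:
# when set, it stands in for `hostname -s`.
current_host() {
    if [ -n "${GUARD_HOSTNAME:-}" ]; then
        printf '%s\n' "$GUARD_HOSTNAME"
    else
        hostname -s
    fi
}

# Usage: only_on_host <expected-host> <command> [args...]
# Runs the command only when the short hostname equals <expected-host>;
# otherwise prints a hint to stderr and returns 1 (2 if no command was given).
only_on_host() {
    expected="$1"
    shift
    if [ "$#" -eq 0 ]; then
        echo "only_on_host: no command given" >&2
        return 2
    fi
    actual="$(current_host)"
    if [ "$actual" = "$expected" ]; then
        "$@"
    else
        echo "This command works only on $expected (you are on $actual)" >&2
        return 1
    fi
}

# Host-bound helpers mirroring the post's two functions, named by the log they search.
gacl()    { only_on_host log1  grep -- "$1" /var/log/syslog.log; }
authlog() { only_on_host auth1 grep -- "$1" /var/log/auth.log; }

# Example: on log1 this greps the syslog; anywhere else it prints the hint.
# gacl "sshd"
```

Because the guard passes `"$@"` through unchanged, the wrapped command keeps its own arguments and exit status, so scripts that call these helpers can still distinguish "no match" from "wrong host".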
All IP routing protocols support some form of neighbour authentication. OSPFv3, however, does not include any authentication of its own: it relies on the security mechanisms implemented in the IPv6 protocol (IPSec). This makes the implementation of OSPFv3 simpler and less prone to bugs.
There are 2 methods of configuring authentication in OSPFv3:
- Authentication per interface
- Authentication per OSPFv3 area
Authentication per interface
While configuring IPSec authentication, 2 parameters are needed:
- SPI (Security Parameter Index)
- AH (Authentication Header) key
The SPI is a locally significant integer between 256 and 4,294,967,295. The AH key on IOS can be configured with 2 different algorithms:
- MD5 key (32 chars)
- SHA-1 key (40 chars)
Below is the IOS inline help while configuring IPv6 authentication with AH:
R1(config-if)#ipv6 ospf authentication ipsec spi 256 md5 ?
0 The key is not encrypted (plain text)
7 The key is encrypted
Hex-string MD5 key (32 chars)
R1(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 ?
0 The key is not encrypted (plain text)
7 The key is encrypted
Hex-string SHA-1 key (40 chars)
Here is an example of how to generate a key on a Linux/UNIX host:
user@host % echo cisco | sha1sum
20a43b29a07a27dcf58a5709bf210ccbf972917d -
user@host % echo cisco | md5sum
cc79bc443b2c09b3208d49eb19168ca5 -
If both parameters have been defined, a working configuration for an interface could look like this:
interface FastEthernet0/0
ipv6 address FE80::0 link-local
ipv6 enable
ipv6 ospf authentication ipsec spi 256 sha1 20a43b29a07a27dcf58a5709bf210ccbf972917d
ipv6 ospf 1 area 0
end
Authentication per OSPFv3 area
The configuration on a per-area basis works the same way as in the example above. Authentication then applies to all interfaces participating in that OSPF area, using the same key.
router ospfv3 1
area 0 authentication ipsec spi 256 sha1 20a43b29a07a27dcf58a5709bf210ccbf972917d
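The two parameters above have fixed rules (an SPI of 256..4,294,967,295 and a hex key of exactly 32 characters for MD5 or 40 for SHA-1), so a small helper that generates and checks them before they are pasted into the interface or area command saves a round of IOS error messages. The following is an added example, not from the original post or from Cisco; the functions gen_ah_key, check_ah_params and ah_interface_line are names chosen here. It also draws the key from /dev/urandom instead of hashing a word as in the sha1sum example above: the hash of a word is the key, so a key derived from a guessable word is only as strong as that word.

```shell
#!/bin/sh
# Added example (not from the original post): generate and validate OSPFv3 IPSec AH parameters.
# Key lengths and the SPI range follow the IOS help text quoted in the post.

# Print a random hex key for the given algorithm (md5 -> 32 hex chars, sha1 -> 40 hex chars).
gen_ah_key() {
    case "$1" in
        md5)  nbytes=16 ;;
        sha1) nbytes=20 ;;
        *) echo "gen_ah_key: algorithm must be md5 or sha1" >&2; return 2 ;;
    esac
    # od prints the bytes as hex pairs; tr removes the separators and line breaks
    head -c "$nbytes" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    echo
}

# Check the fields of "... ipsec spi <spi> <algo> <key>" (interface and area form share them).
# Returns 0 when valid, 1 otherwise, with the reason on stderr.
check_ah_params() {
    spi="$1"; algo="$2"; key="$3"
    case "$spi" in
        ''|*[!0-9]*) echo "SPI must be an integer" >&2; return 1 ;;
    esac
    if [ "$spi" -lt 256 ] || [ "$spi" -gt 4294967295 ]; then
        echo "SPI $spi is outside 256..4294967295" >&2; return 1
    fi
    case "$algo" in
        md5)  want=32 ;;
        sha1) want=40 ;;
        *) echo "algorithm must be md5 or sha1" >&2; return 1 ;;
    esac
    case "$key" in
        ''|*[!0-9a-fA-F]*) echo "key must be a hex string" >&2; return 1 ;;
    esac
    if [ "${#key}" -ne "$want" ]; then
        echo "$algo key must be $want hex chars, got ${#key}" >&2; return 1
    fi
    return 0
}

# Emit the interface-level IOS line with a freshly generated key for the given SPI and algorithm.
ah_interface_line() {
    spi="$1"; algo="$2"
    key="$(gen_ah_key "$algo")" || return 1
    check_ah_params "$spi" "$algo" "$key" || return 1
    printf 'ipv6 ospf authentication ipsec spi %s %s %s\n' "$spi" "$algo" "$key"
}

# Example: ah_interface_line 256 sha1
```

The same SPI and key must be configured on every router of the link (or area), so generate the line once and distribute it, rather than running the generator on each router.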
Verification
Use the following commands to verify a successful IPSec authentication:
R1#show crypto map
R1#sh crypto ipsec sa
R1#show crypto ipsec policy
R1#show ipv6 ospf interface
Troubleshooting
While configuring this in a virtual lab environment, I noticed that adding IPSec authentication to a router process on an already converged OSPF network changes nothing at first: the neighbourship stays up. Apparently you need to reset the OSPF process to re-initiate the neighbourship. It is comparable to making changes to BGP sessions: as long as you do not tear the BGP/TCP session down, the neighbours continue to use the working configuration.