Oh FileZilla…

I have encountered a weird problem when connecting to our FreeBSD server with FileZilla over SFTP. Either with password or key authentication I would get:

Error:    Server sent disconnect message
Error:    type 2 (protocol error):
Error:    “Too many authentication failures”

So let’s turn on debugging shall we?

Trace:    Pageant is running. Requesting keys.
Trace:    Pageant has 15 SSH-2 keys
Trace:    Successfully loaded 1 key pair from file
Trace:    Trying Pageant key #0
Trace:    Server refused our key
Trace:    Trying Pageant key #1
Trace:    Server refused our key
Trace:    Trying Pageant key #2
Trace:    Server refused our key
Trace:    Trying Pageant key #3
Trace:    Server refused our key
Trace:    Trying Pageant key #4
Trace:    Server refused our key
Trace:    Trying Pageant key #5
Trace:    Received disconnect message (protocol error)
Trace:    Disconnection message text: Too many authentication failures

So basically, I give FileZilla a specific keyfile but it tries all my keys anyway. Now let’s see what the bright minds on the FileZilla issue tracker have to say about this bug.

https://trac.filezilla-project.org/ticket/7739 gives us a workaround:

which works nicely. A working workaround is a blessing if you really need to use something that is essentially broken. The bug is marked as a duplicate of https://trac.filezilla-project.org/ticket/5480

This bug contains a brilliant comment by an apparent FileZilla developer:

This is by design, FileZilla uses the system’s SSH agent.

Just reconfigure the server to allow for more keys.

What the actual? The bug will apparently be solved via https://trac.filezilla-project.org/ticket/8232

which is marked as “fixed” and the comment 19 months ago says it will be in the “next version”. The latest version is 3.24.0 released on January 1st 2017 which is exactly what I have and guess what? Not fixed, after 7 years.

So at this point I’ll just safely assume that FileZilla might as well be the worst SFTP client in existence and just use something else. But guess what? There is more. The exact same problem exists in Gnome Files if you try to open an sftp:// location. The obvious reason is that Gnome Files does not ask you anything about keys or authentication type but just cycles through SSH keys to try and find the correct one. Why did nobody think about offering me a popup dialog to pick the correct key? Probably because Gnome likes to dumb down things, I can’t really find any other reason.

Cen
GitHub
Eurobattle.net
Lagabuse.com
Bnetdocs

pgadmin4 on Fedora 25

You can now access the web interface at http://localhost:5050.

Unfortunately the standalone app does not currently work due to a bug in the pgadmin4 package.

Fortunately the pgadmin4 standalone app is just a web wrapper so you are not missing much.


Keycloak OAuth endpoints for Postman/HTTP Clients

When testing REST services secured by Keycloak you need to retrieve access tokens via Postman or a similar REST client. If you want to implement your own client that has to authenticate with a token, you also need to know the Keycloak OpenID endpoints in order to retrieve the access token, refresh it or end the session (logout).

Retrieving the tokens for a public client using username and password

A public client is typically used for web applications and other client-side apps.

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
grant_type password
username <username>
password <password>

Retrieving the tokens for a confidential client using client secret

A confidential client is typically used for secure apps on the back end.

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id <my-confidential-client-name>
grant_type client_credentials
client_secret <my-client-secret>

Retrieve an access token with a refresh token

The first two methods will yield you an access token, which you use in the Authorization HTTP header, and a refresh token, which you save for later. Refresh tokens have a much longer expiry time than access tokens. The idea is that when the access token expires you use the refresh token to get a new access token. This request also gives you a new refresh token, so you can keep the session alive until the maximum refresh token expiry time is reached. Refresh token expiry time equals the session expiry time.

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
grant_type refresh_token
refresh_token <my-refresh-token>

Logout the session

To log out and invalidate the session, call the /logout endpoint with your refresh token. The validity of the refresh token is essentially the validity of your entire session.

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/logout
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
refresh_token <my-refresh-token>
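
An added example, not code from the original post: a small Python helper that ties the public-client requests above together (password grant, refresh shortly before the access token expires, logout). `KeycloakSession`, `http_post` and the `skew` margin are hypothetical names, and it assumes the token reply carries `access_token`, `refresh_token`, `expires_in` and `refresh_expires_in`.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint base as written in the post; adjust host and realm for your server.
BASE = "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect"

def http_post(url, fields):
    """POST x-www-form-urlencoded fields; decode the JSON reply (may be empty)."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

class KeycloakSession:
    """Hypothetical helper: tracks one session for a public client."""
    def __init__(self, client_id, post=http_post, clock=time.time):
        self.client_id, self.post, self.clock = client_id, post, clock
        self.access = self.refresh = None
        self.access_exp = self.refresh_exp = 0.0

    def _store(self, tok):
        # Assumed reply fields: lifetimes are given in seconds from now.
        now = self.clock()
        self.access, self.refresh = tok["access_token"], tok["refresh_token"]
        self.access_exp = now + tok["expires_in"]
        self.refresh_exp = now + tok["refresh_expires_in"]

    def login(self, username, password):
        self._store(self.post(BASE + "/token", {
            "client_id": self.client_id, "grant_type": "password",
            "username": username, "password": password}))

    def auth_header(self, skew=10):
        """Return the Authorization header, refreshing shortly before expiry."""
        now = self.clock()
        if now >= self.access_exp - skew:
            if now >= self.refresh_exp:
                raise RuntimeError("session expired, log in again")
            # The reply carries a new refresh token; it replaces the old one.
            self._store(self.post(BASE + "/token", {
                "client_id": self.client_id, "grant_type": "refresh_token",
                "refresh_token": self.refresh}))
        return {"Authorization": "Bearer " + self.access}

    def logout(self):
        self.post(BASE + "/logout", {
            "client_id": self.client_id, "refresh_token": self.refresh})
        self.access = self.refresh = None
        self.access_exp = self.refresh_exp = 0.0
```

The `post` and `clock` parameters exist so the flow can be exercised without a live server; the defaults talk to the real endpoints.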

Fedora 25 on Lenovo Y50

Everything except WiFi worked out of the box. To get the WiFi working:

Taken from here.

In your BIOS make sure you disable Secure Boot. Not UEFI, not Legacy mode, specifically the switch that disables Secure Boot and nothing else. After these steps, WiFi works. To enter the BIOS on the Y50, tap F2 after the Lenovo splash screen.

Edit 7.2.2017: WiFi performance is unfortunately ABYSMAL. Will update this post if I find any solutions. Connection is super slow and constantly dropping.

Luckily, USB tethering from Android works like a charm so it’s not a deal breaker for now.

Edit 2: looks like blacklisting the bcma driver makes things much much better:
