Nextcloud SSO with Keycloak

This documents how I configured Nextcloud to use single sign-on with Keycloak as the identity provider. There is official documentation for a Nextcloud-Keycloak integration, but it is behind Nextcloud's paywall. I found several other guides, some directly contradicting each other, but piecing them together produced a working solution.

On to getting things working:

Nextcloud configuration

Global Settings

First, ensure that you do not lock yourself out of your Nextcloud instance while configuring SSO! Set the "Global Settings" to allow multiple back-ends.


Service Provider Data

Provide a certificate for request signing. This is not publicly seen; it is only …


B&R Automation Studio and PVI Windows Services

1. ADVISORY INFORMATION

Product: B&R Automation Net/PVI
Vendor URL: https://www.br-automation.com/en-us/products/software/automation-netpvi/
Vulnerability #1: CVE-2020-24681 Automation Studio incorrect permission assignments for services. CVSS v3 Base Score: 8.2 (High)
Vulnerability #2: CVE-2020-24681 Net/PVI incorrect permission assignments for services. CVSS v3 Base Score: 8.2 (High)
Vulnerability #3: CVE-2020-24682 Automation Studio unquoted service path vulnerabilities. CVSS v3 Base Score: 7.2 (High)
Vulnerability #4: CVE-2020-24682 PVI multiple unquoted service path vulnerabilities. CVSS v3 Base Score: 7.2 (High)
Date found: 2020-09-28


2. AUTHOR

These vulnerabilities were discovered and researched by Andrew Hofmans
Public …
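The "unquoted service path" class in vulnerabilities #3 and #4 comes from how Windows parses an unquoted ImagePath that contains spaces: before reaching the intended executable it tries each space-delimited prefix with ".exe" appended, so a writable directory anywhere along that path lets a local user plant a binary that the service (usually running as SYSTEM) starts instead. The following is an added example, not code from the advisory or from B&R; it models that search order offline on constructed ImagePath values and a constructed set of writable directories (none of them are the product's real paths). On a live host the writable-directory check would be replaced by reading the service ACLs and the directory ACLs with icacls or Get-Acl.

```python
import ntpath

# Constructed sample ImagePath values of the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# They are illustrative only and are NOT the paths from the B&R advisory.
SAMPLE_IMAGE_PATHS = {
    "ExampleSvcUnquoted": r"C:\Program Files\Example Vendor\PVI Service\svc.exe -run",
    "ExampleSvcQuoted": r'"C:\Program Files\Example Vendor\PVI Service\svc.exe" -run',
    "ExampleSvcNoSpace": r"C:\ExampleVendor\svc.exe",
    "ExampleSvcSystem": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Constructed: a vendor directory whose ACL (hypothetically) grants
# write access to unprivileged users.
WRITABLE_DIRS = {r"C:\Program Files\Example Vendor"}


def executable_of(image_path):
    """Return the executable portion of an ImagePath.

    A quoted path ends at the closing quote. For an unquoted path we take
    the first space-delimited prefix whose last path component has an
    extension; this is a heuristic and will misjudge directory names that
    contain a dot (e.g. 'Vendor 2.0').
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    tokens = s.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if ntpath.splitext(ntpath.basename(candidate))[1]:
            return candidate
    return s


def is_unquoted_vulnerable(image_path):
    """True when the path is unquoted and the executable path contains a space."""
    s = image_path.strip()
    return not s.startswith('"') and " " in executable_of(s)


def hijack_candidates(image_path):
    """Paths Windows tries before the real executable, in search order.

    For 'C:\\Program Files\\Vendor App\\svc.exe' it tries 'C:\\Program.exe',
    then 'C:\\Program Files\\Vendor.exe', then the real binary; a prefix
    with no extension gets '.exe' appended. The real binary is excluded.
    """
    if not is_unquoted_vulnerable(image_path):
        return []
    tokens = executable_of(image_path).split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def exploitable_candidates(image_path, writable_dirs):
    """Candidates whose parent directory is in the (constructed) writable set."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)
            if ntpath.dirname(c).rstrip("\\").lower() in writable]


def audit(image_paths, writable_dirs):
    """Summarise every service: unquoted?, search-order candidates, exploitable ones."""
    return {
        name: {
            "unquoted": is_unquoted_vulnerable(path),
            "candidates": hijack_candidates(path),
            "exploitable": exploitable_candidates(path, writable_dirs),
        }
        for name, path in image_paths.items()
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_IMAGE_PATHS, WRITABLE_DIRS).items():
        flag = "VULNERABLE" if result["exploitable"] else ("unquoted" if result["unquoted"] else "ok")
        print(f"{name}: {flag} {result['exploitable']}")
```

Only the unquoted entry yields candidates, and only the one whose parent directory is in the writable set is exploitable; the quoted variant of the same path yields none, which is exactly the fix vendors ship for this class (quote the ImagePath) alongside tightening the directory and service ACLs that vulnerabilities #1 and #2 concern.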


DLL Hijacking Vulnerability in Automation Studio

1. ADVISORY INFORMATION

Product: B&R Automation Net/PVI
Vendor URL: https://www.br-automation.com/en-us/products/software/automation-netpvi/
Vulnerability #1: CVE-2021-22280 DLL Hijacking Vulnerability in Automation Studio. CVSS v3 Base Score: 7.2 (High)
Vulnerability #2: Improper Input Validation CWE-20
Date found: 2020-10-09


2. AUTHOR

These vulnerabilities were discovered and researched by Andrew Hofmans
Public key: pubkey


3. VERSIONS AFFECTED

Vulnerabilities were found and tested on the most recently released version available at the time (PVI_4.8.2.27 07/27/2020).


4. VULNERABILITY DETAILS

  1. When the PVI Manager process is started, it attempts to load DLL resources that …


Mirrored Ports with Open vSwitch

After adding some new SSD storage to my home server I had purged a lot of the older VMs that I didn't use frequently in my previous 'Spring Cleaning' effort to make space. One of the VMs that I had purged but now wanted to get back online and running was a Security Onion VM. I won't go into much detail here about SecOnion, there is a lot of good documentation and tutorials already out there on how to set it up. Security Onion requires at least two network interfaces; one for administrative control, and at least one more that …


Access Git repo over SSH behind jumpbox

I recently ran across the situation where I wanted to push changes to a repo that was stored on my personal Gitlab server. The issue was that I had recently restructured my homelab and the only way to reach the Gitlab server via SSH was through a jumpbox. These were the steps I took to be able to use the normal git workflow while still keeping my network design and security choices intact.

On dev machine

First we will create a new SSH key for the hop from dev machine --> jumpbox.

ssh-keygen -t ed25519 -C "gitlab multihop" -f ~/.ssh/multihop …