ArubaOS: Encrypt credentials in config files

By default, credentials such as RADIUS or TACACS authentication keys are stored separately from the switch configuration, and are not shown when saved or running configurations are displayed or copied using TFTP or SSH. You can change this behavior using the include-credentials command. This clearly seems to be a security issue, because the displayed credentials are unencrypted. You can check the current status using show include-credentials.

HP Switch(config)# show include-credentials
Stored in Configuration         : Yes
Enabled in Active Configuration : Yes
Include ClearPass Keys          : No

If you want to encrypt these credentials, you can use the encrypt-credentials command. This command will encrypt the credentials using either a hardcoded 256-bit key, or you can add a pre-shared key to the command. In each case the switch uses AES256-CBC to encrypt the credentials, regardless of the provided key.

Deploying Joplin Server on Docker

Some weeks ago I decided to move my notes from Microsoft OneNote to Joplin. Microsoft OneNote is a great tool for taking notes collaboratively, but sometimes it drives me insane and I wanted a more portable format for my notes.

Markdown is a perfect portable format, and it is widely adopted. I really like the idea behind Markdown, and I even supported a Microsoft User Voice to add native Markdown support into OneNote. So my new note taking tool had to support Markdown. Long story short: Joplin was my tool of choice. It’s running on Windows and there is also an iOS app. Joplin offers a wide range of options to sync the notes, but none of them seemed to fit my use case, except for the Joplin Server. I’m not afraid of running my own infrastructure. I have some Azure credits available each month, so running a small VM for a Joplin Server is a good way to use them.

Using dnsforge.de on your home network

Many of you might know Pi-hole and use it for blocking ads. I also used it for a long time in my home network, running it on a Raspberry Pi. A customer of mine then drew my attention to dnsforge.de.

What is dnsforge.de?

dnsforge.de is a censorship-free, secure and redundant DNS resolver without logging, but with an ad blocker.

The servers are hosted in Germany. dnsforge.de also offers clean.dnsforge.de, which provides parental control blocklists and Safe Search for search engines and YouTube.

VMware is now Broadcom - time to move on

In May 2022, Broadcom announced that it would buy VMware for $69 billion USD. 18 months later, in November 2023, China finally approved the merger. Chinese regulators were the latest in a long line of authorities to approve the takeover. VMware was gone. It was now “by Broadcom”. And not only the name changed.

There were already countless rumors in the 18 months before the takeover. Broadcom's CEO, Hock Tan, was known for trimming companies for profit. After all, $69 billion USD have to be recouped. So only a couple of days after the final approval

Redistribute VMs according to a stored mapping

This is a quick one. Sometimes you need to evacuate VMs from a host, do some maintenance, and redistribute the VMs to the originating host. This can be annoying, especially if you don’t have a vSphere Enterprise Plus license with DRS, DRS groups etc. These few PowerShell lines may help you.


From Wordpress to Hugo in three days

This blog will mark its 10th anniversary in January 2024. A decade ago, I embarked on a new blogging journey with the domain vcloudnine.de. Some of you might have known my former blog before I made the switch to vcloudnine.de. I’d been running blazilla.de for over 7 years. However, by the end of 2013, I grew weary of Serendipity, a PHP-powered weblog engine. I craved a shift to Wordpress, but back then, a seamless migration path wasn’t available. So, I made a fresh start with vcloudnine, built on Wordpress.

Failed to connect to IKEv2 VPN using iPhone USB tethering

Usually I tend to use the iPhone WiFi hotspot feature. But lately, I had to switch to USB tethering, because I had to work a whole workday using the hotspot feature. USB tethering saves battery and the connection was more reliable for me. Please note that you need to install iTunes to use USB tethering, because the necessary Ethernet driver is only available with iTunes. Without this driver, Windows won’t recognize the iPhone as an Ethernet connection.

Why you should change your KRBTGT password prior disabling RC4

While chilling on my couch, I stumbled over this pretty interesting Reddit thread: Story Time - How I blew up my company’s AD for 24 hours and fixed it : sysadmin (reddit.com)

Long story short: A poor guy applied some STIG hardening and his Active Directory blew up. The root cause was disabling RC4, which caused Kerberos failures, primarily documented by errors like “The encryption type requested is not supported by the KDC.” The guy fixed it by shutting down all domain controllers, changing the KRBTGT account password on one domain controller, and finally, everything came back

Use app-only authentication with the Microsoft Graph PowerShell SDK

In the previous blog post I showed you how to interactively log in to the Microsoft Graph API. You had to enter a username, a password, and you had to enter a second factor. This is typically not what you want if you want to automate things. But there is another way to get access to the Microsoft Graph API.

Create an app registration

To get access, you have to register an app in your Azure AD. Go to your Azure portal and select “App registration” from the “Manage” section. Add a new registration by clicking “New registration”.

Getting started with the Microsoft Graph PowerShell SDK

There is a new API in town… naa, not really new, but the Microsoft Graph API will replace most, if not all, other Azure AD / Microsoft 365 APIs. Actually, Microsoft had planned to retire the Azure AD Graph API and ADAL in June 2022. Now they have postponed this date to somewhere after December 2022. This will give you some extra time to refactor your PowerShell scripts and move them to the PowerShell SDK for Graph.