Additional authentication via script's exit status upon OpenVPN client connection to the server





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







0















I'm currently using the pam plugin to authenticate openvpn clients. It is working fine. I'm using duplicate certificates but need to do subsequent checks on the host - a home-brew Pulse Secure hostchecker.



I've tried client-connect, up, etc but it's not working. I might be going about it all wrong. Both client-connect and up give me:




WARNING: Failed running command (): external program exited with error status: 1




The script I want to send to the client looks for the existence of a 'secret' file. The real world implementation will look for 10 files but I wanted to keep it simple. In conclusion, I need to authenticate AND look for this file in order to allow a connection. Ideally the client gets a message like "Not an approved platform.". Is this possible when I can't have users modify their ovpn file?




hostcheck.sh (777 permissions)



cat hostcheck.sh

#!/bin/sh



if [ -f /etc/secretfile ] ; then 

    exit 0

else

    exit 1

fi



exit 1


server.conf



duplicate-cn

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

#auth-user-pass-verify /etc/openvpn/hostcheck.sh via-file

script-security 2 

#client-connect /etc/openvpn/hostcheck.sh

up /etc/openvpn/hostcheck.sh

username-as-common-name

#tmp-dir /dev/shm

tmp-dir /tmp





scripts vpn openvpn







share|improve this question































    0















    I'm currently using the pam plugin to authenticate openvpn clients. It is working fine. I'm using duplicate certificates but need to do subsequent checks on the host - a home-brew Pulse Secure hostchecker.



    I've tried client-connect, up, etc but it's not working. I might be going about it all wrong. Both client-connect and up give me:




    WARNING: Failed running command (): external program exited with error status: 1




    The script I want to send to the client looks for the existence of a 'secret' file. The real world implementation will look for 10 files but I wanted to keep it simple. In conclusion, I need to authenticate AND look for this file in order to allow a connection. Ideally the client gets a message like "Not an approved platform.". Is this possible when I can't have users modify their ovpn file?




    hostcheck.sh (777 permissions)



    cat hostcheck.sh
    
#!/bin/sh
    

    
if [ -f /etc/secretfile ] ; then 
    
    exit 0
    
else
    
    exit 1
    
fi
    

    
exit 1


    server.conf



    duplicate-cn
    
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
    
#auth-user-pass-verify /etc/openvpn/hostcheck.sh via-file
    
script-security 2 
    
#client-connect /etc/openvpn/hostcheck.sh
    
up /etc/openvpn/hostcheck.sh
    
username-as-common-name
    
#tmp-dir /dev/shm
    
tmp-dir /tmp





    scripts vpn openvpn







    share|improve this question



























      0












      0








      0








      I'm currently using the pam plugin to authenticate openvpn clients. It is working fine. I'm using duplicate certificates but need to do subsequent checks on the host - a home-brew Pulse Secure hostchecker.



      I've tried client-connect, up, etc but it's not working. I might be going about it all wrong. Both client-connect and up give me:




      WARNING: Failed running command (): external program exited with error status: 1




      The script I want to send to the client looks for the existence of a 'secret' file. The real world implementation will look for 10 files but I wanted to keep it simple. In conclusion, I need to authenticate AND look for this file in order to allow a connection. Ideally the client gets a message like "Not an approved platform.". Is this possible when I can't have users modify their ovpn file?




      hostcheck.sh (777 permissions)



      cat hostcheck.sh
      
#!/bin/sh
      

      
if [ -f /etc/secretfile ] ; then 
      
    exit 0
      
else
      
    exit 1
      
fi
      

      
exit 1


      server.conf



      duplicate-cn
      
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
      
#auth-user-pass-verify /etc/openvpn/hostcheck.sh via-file
      
script-security 2 
      
#client-connect /etc/openvpn/hostcheck.sh
      
up /etc/openvpn/hostcheck.sh
      
username-as-common-name
      
#tmp-dir /dev/shm
      
tmp-dir /tmp





      scripts vpn openvpn







      share|improve this question
















      I'm currently using the pam plugin to authenticate openvpn clients. It is working fine. I'm using duplicate certificates but need to do subsequent checks on the host - a home-brew Pulse Secure hostchecker.



      I've tried client-connect, up, etc but it's not working. I might be going about it all wrong. Both client-connect and up give me:




      WARNING: Failed running command (): external program exited with error status: 1




      The script I want to send to the client looks for the existence of a 'secret' file. The real world implementation will look for 10 files but I wanted to keep it simple. In conclusion, I need to authenticate AND look for this file in order to allow a connection. Ideally the client gets a message like "Not an approved platform.". Is this possible when I can't have users modify their ovpn file?




      hostcheck.sh (777 permissions)



      cat hostcheck.sh
      
#!/bin/sh
      

      
if [ -f /etc/secretfile ] ; then 
      
    exit 0
      
else
      
    exit 1
      
fi
      

      
exit 1


      server.conf



      duplicate-cn
      
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
      
#auth-user-pass-verify /etc/openvpn/hostcheck.sh via-file
      
script-security 2 
      
#client-connect /etc/openvpn/hostcheck.sh
      
up /etc/openvpn/hostcheck.sh
      
username-as-common-name
      
#tmp-dir /dev/shm
      
tmp-dir /tmp





      scripts vpn openvpn




      scripts vpn openvpn






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 25 at 19:01









      earthmeLon

      6,6981951




      6,6981951










      asked Mar 25 at 16:53









      dblvikingdblviking

      1




      1






















          1 Answer
          1






          active

          oldest

          votes


















          1














          First, have you tried running the script from the command line? Does it return exit 1? Have you tried debugging your if statement? Does /etc/secretfile exist? If it doesn't, the script is doing what you're asking it to do. What are the permissions for the secretfile? If the user can't access it, then it may not "exist" to them.



          Lock a user account via expiry



          Instead of putting the file there, or removing it, could you just lock the account?



          Lock the account when you don't want the user to access the machine:



          usermod username -e 1999-01-01


          When you want to allow access, unlock the account:



          usermod username -e


          Here, we use something native to Linux authentication (vs our own, custom scripts) to solve the problem, which should help prevent additional security risks. You could shiv this in as you described if you really wanted or needed to do so. For example, lock/unlock the account, using a cron job, or by polling for the files, vs complicating auth upon connection.




          Restrict via blacklist/whitelist groups in pam



          If you don't want users accessing the entire system, vs restricting individual users, you have other options, such as disabling SSH entirely, limiting SSH connection to a whitelist CIDR block, or most simply and in-line with your goals, using pam against a specific group.



          /etc/pam.d/system-auth



          auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed


          /etc/login.group.allowed



          wheel
          
sudo


          In this example, we only allow users in wheel or sudo to login. This will allow you to disable login to most users, while letting some admins access, or revoke all access if you so choose. You'll want to make sure this is owned by root and has something like 644 permissions to prevent unauthorized writes (modeled after /etc/password permissions).




          Use two-factor, one-time passwords (OTP) in pam



          This is just a cool, alternative that could help restrict access based on a list of users with access to OTP secrets. The pam_oath module is easy to set up, and supports FOSS clients, such as Authenticator. This example shows user-based OTP, but can be adjusted for groups, similar to the previous example. You'll need oath-toolkit and want qrencode.



          touch /etc/users.oath
          
chown 600 /etc/users.oath # Will contain sensitive information
          
vim /etc/pam.d/sshd
          



          #%PAM-1.0
          
#auth     required  pam_securetty.so     #disable remote root
          
#auth      include   system-remote-login
          
auth      required  pam_oath.so usersfile=/etc/users.oath window=30 digits=6
          
account   include   system-remote-login
          
password  include   system-remote-login
          
session   include   system-remote-login


          With each user:



          USER=myusername
          
SECRET=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
          
echo "HOTP/T30/6 ${USER} - ${SECRET}" >> /etc/users.oauth
          
QR_SECRET=$(oauthtool -v -d6 ${SECRET} | grep "Base32 secret" | awk '{print $3}')
          
qrencode -o ${USER}-OTP-secret.png $QR_SECRET


          This will only allow key-based authentication, followed by the requirement of entering the one-time password at login. There are command line OTP generators, but typically QR codes are used bring in the credentials. The SECRET and QR_SECRET and resulting image file should all be treated as confidential and ultimately be deleted after setting up the OTP client.






          share|improve this answer


























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1128598%2fadditional-authentication-via-scripts-exit-status-upon-openvpn-client-connectio%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            First, have you tried running the script from the command line? Does it return exit 1? Have you tried debugging your if statement? Does /etc/secretfile exist? If it doesn't, the script is doing what you're asking it to do. What are the permissions for the secretfile? If the user can't access it, then it may not "exist" to them.



            Lock a user account via expiry



            Instead of putting the file there, or removing it, could you just lock the account?



            Lock the account when you don't want the user to access the machine:



            usermod username -e 1999-01-01


            When you want to allow access, unlock the account:



            usermod username -e


            Here, we use something native to Linux authentication (vs our own, custom scripts) to solve the problem, which should help prevent additional security risks. You could shiv this in as you described if you really wanted or needed to do so. For example, lock/unlock the account, using a cron job, or by polling for the files, vs complicating auth upon connection.




            Restrict via blacklist/whitelist groups in pam



            If you don't want users accessing the entire system, vs restricting individual users, you have other options, such as disabling SSH entirely, limiting SSH connection to a whitelist CIDR block, or most simply and in-line with your goals, using pam against a specific group.



            /etc/pam.d/system-auth



            auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed


            /etc/login.group.allowed



            wheel
            
sudo


            In this example, we only allow users in wheel or sudo to login. This will allow you to disable login to most users, while letting some admins access, or revoke all access if you so choose. You'll want to make sure this is owned by root and has something like 644 permissions to prevent unauthorized writes (modeled after /etc/password permissions).




            Use two-factor, one-time passwords (OTP) in pam



            This is just a cool, alternative that could help restrict access based on a list of users with access to OTP secrets. The pam_oath module is easy to set up, and supports FOSS clients, such as Authenticator. This example shows user-based OTP, but can be adjusted for groups, similar to the previous example. You'll need oath-toolkit and want qrencode.



            touch /etc/users.oath
            
chown 600 /etc/users.oath # Will contain sensitive information
            
vim /etc/pam.d/sshd
            



            #%PAM-1.0
            
#auth     required  pam_securetty.so     #disable remote root
            
#auth      include   system-remote-login
            
auth      required  pam_oath.so usersfile=/etc/users.oath window=30 digits=6
            
account   include   system-remote-login
            
password  include   system-remote-login
            
session   include   system-remote-login


            With each user:



            USER=myusername
            
SECRET=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
            
echo "HOTP/T30/6 ${USER} - ${SECRET}" >> /etc/users.oauth
            
QR_SECRET=$(oauthtool -v -d6 ${SECRET} | grep "Base32 secret" | awk '{print $3}')
            
qrencode -o ${USER}-OTP-secret.png $QR_SECRET


            This will only allow key-based authentication, followed by the requirement of entering the one-time password at login. There are command line OTP generators, but typically QR codes are used bring in the credentials. The SECRET and QR_SECRET and resulting image file should all be treated as confidential and ultimately be deleted after setting up the OTP client.






            share|improve this answer






























              1














              First, have you tried running the script from the command line? Does it return exit 1? Have you tried debugging your if statement? Does /etc/secretfile exist? If it doesn't, the script is doing what you're asking it to do. What are the permissions for the secretfile? If the user can't access it, then it may not "exist" to them.



              Lock a user account via expiry



              Instead of putting the file there, or removing it, could you just lock the account?



              Lock the account when you don't want the user to access the machine:



              usermod username -e 1999-01-01


              When you want to allow access, unlock the account:



              usermod username -e


              Here, we use something native to Linux authentication (vs our own, custom scripts) to solve the problem, which should help prevent additional security risks. You could shiv this in as you described if you really wanted or needed to do so. For example, lock/unlock the account, using a cron job, or by polling for the files, vs complicating auth upon connection.




              Restrict via blacklist/whitelist groups in pam



              If you don't want users accessing the entire system, vs restricting individual users, you have other options, such as disabling SSH entirely, limiting SSH connection to a whitelist CIDR block, or most simply and in-line with your goals, using pam against a specific group.



              /etc/pam.d/system-auth



              auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed


              /etc/login.group.allowed



              wheel
              
sudo


              In this example, we only allow users in wheel or sudo to login. This will allow you to disable login to most users, while letting some admins access, or revoke all access if you so choose. You'll want to make sure this is owned by root and has something like 644 permissions to prevent unauthorized writes (modeled after /etc/password permissions).




              Use two-factor, one-time passwords (OTP) in pam



              This is just a cool, alternative that could help restrict access based on a list of users with access to OTP secrets. The pam_oath module is easy to set up, and supports FOSS clients, such as Authenticator. This example shows user-based OTP, but can be adjusted for groups, similar to the previous example. You'll need oath-toolkit and want qrencode.



              touch /etc/users.oath
              
chown 600 /etc/users.oath # Will contain sensitive information
              
vim /etc/pam.d/sshd
              



              #%PAM-1.0
              
#auth     required  pam_securetty.so     #disable remote root
              
#auth      include   system-remote-login
              
auth      required  pam_oath.so usersfile=/etc/users.oath window=30 digits=6
              
account   include   system-remote-login
              
password  include   system-remote-login
              
session   include   system-remote-login


              With each user:



              USER=myusername
              
SECRET=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
              
echo "HOTP/T30/6 ${USER} - ${SECRET}" >> /etc/users.oauth
              
QR_SECRET=$(oauthtool -v -d6 ${SECRET} | grep "Base32 secret" | awk '{print $3}')
              
qrencode -o ${USER}-OTP-secret.png $QR_SECRET


              This will only allow key-based authentication, followed by the requirement of entering the one-time password at login. There are command line OTP generators, but typically QR codes are used bring in the credentials. The SECRET and QR_SECRET and resulting image file should all be treated as confidential and ultimately be deleted after setting up the OTP client.






              share|improve this answer




























                1












                1








                1







                First, have you tried running the script from the command line? Does it return exit 1? Have you tried debugging your if statement? Does /etc/secretfile exist? If it doesn't, the script is doing what you're asking it to do. What are the permissions for the secretfile? If the user can't access it, then it may not "exist" to them.



                Lock a user account via expiry



                Instead of putting the file there, or removing it, could you just lock the account?



                Lock the account when you don't want the user to access the machine:



                usermod username -e 1999-01-01


                When you want to allow access, unlock the account:



                usermod username -e


                Here, we use something native to Linux authentication (vs our own, custom scripts) to solve the problem, which should help prevent additional security risks. You could shiv this in as you described if you really wanted or needed to do so. For example, lock/unlock the account, using a cron job, or by polling for the files, vs complicating auth upon connection.




                Restrict via blacklist/whitelist groups in pam



                If you don't want users accessing the entire system, vs restricting individual users, you have other options, such as disabling SSH entirely, limiting SSH connection to a whitelist CIDR block, or most simply and in-line with your goals, using pam against a specific group.



                /etc/pam.d/system-auth



                auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed


                /etc/login.group.allowed



                wheel
                
sudo


                In this example, we only allow users in wheel or sudo to login. This will allow you to disable login to most users, while letting some admins access, or revoke all access if you so choose. You'll want to make sure this is owned by root and has something like 644 permissions to prevent unauthorized writes (modeled after /etc/password permissions).




                Use two-factor, one-time passwords (OTP) in pam



                This is just a cool, alternative that could help restrict access based on a list of users with access to OTP secrets. The pam_oath module is easy to set up, and supports FOSS clients, such as Authenticator. This example shows user-based OTP, but can be adjusted for groups, similar to the previous example. You'll need oath-toolkit and want qrencode.



                touch /etc/users.oath
                
chown 600 /etc/users.oath # Will contain sensitive information
                
vim /etc/pam.d/sshd
                



                #%PAM-1.0
                
#auth     required  pam_securetty.so     #disable remote root
                
#auth      include   system-remote-login
                
auth      required  pam_oath.so usersfile=/etc/users.oath window=30 digits=6
                
account   include   system-remote-login
                
password  include   system-remote-login
                
session   include   system-remote-login


                With each user:



                USER=myusername
                
SECRET=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
                
echo "HOTP/T30/6 ${USER} - ${SECRET}" >> /etc/users.oauth
                
QR_SECRET=$(oauthtool -v -d6 ${SECRET} | grep "Base32 secret" | awk '{print $3}')
                
qrencode -o ${USER}-OTP-secret.png $QR_SECRET


                This will only allow key-based authentication, followed by the requirement of entering the one-time password at login. There are command line OTP generators, but typically QR codes are used bring in the credentials. The SECRET and QR_SECRET and resulting image file should all be treated as confidential and ultimately be deleted after setting up the OTP client.






                share|improve this answer















                First, have you tried running the script from the command line? Does it return exit 1? Have you tried debugging your if statement? Does /etc/secretfile exist? If it doesn't, the script is doing what you're asking it to do. What are the permissions for the secretfile? If the user can't access it, then it may not "exist" to them.



                Lock a user account via expiry



                Instead of putting the file there, or removing it, could you just lock the account?



                Lock the account when you don't want the user to access the machine:



                usermod username -e 1999-01-01


                When you want to allow access, unlock the account:



                usermod username -e


                Here, we use something native to Linux authentication (vs our own, custom scripts) to solve the problem, which should help prevent additional security risks. You could shiv this in as you described if you really wanted or needed to do so. For example, lock/unlock the account, using a cron job, or by polling for the files, vs complicating auth upon connection.




                Restrict via blacklist/whitelist groups in pam



                If you don't want users accessing the entire system, vs restricting individual users, you have other options, such as disabling SSH entirely, limiting SSH connection to a whitelist CIDR block, or most simply and in-line with your goals, using pam against a specific group.



                /etc/pam.d/system-auth



                auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed


                /etc/login.group.allowed



                wheel
                
sudo


                In this example, we only allow users in wheel or sudo to login. This will allow you to disable login to most users, while letting some admins access, or revoke all access if you so choose. You'll want to make sure this is owned by root and has something like 644 permissions to prevent unauthorized writes (modeled after /etc/password permissions).




                Use two-factor, one-time passwords (OTP) in pam



                This is just a cool, alternative that could help restrict access based on a list of users with access to OTP secrets. The pam_oath module is easy to set up, and supports FOSS clients, such as Authenticator. This example shows user-based OTP, but can be adjusted for groups, similar to the previous example. You'll need oath-toolkit and want qrencode.



                touch /etc/users.oath
                
chown 600 /etc/users.oath # Will contain sensitive information
                
vim /etc/pam.d/sshd
                



                #%PAM-1.0
                
#auth     required  pam_securetty.so     #disable remote root
                
#auth      include   system-remote-login
                
auth      required  pam_oath.so usersfile=/etc/users.oath window=30 digits=6
                
account   include   system-remote-login
                
password  include   system-remote-login
                
session   include   system-remote-login


                With each user:



                USER=myusername
                
SECRET=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
                
echo "HOTP/T30/6 ${USER} - ${SECRET}" >> /etc/users.oauth
                
QR_SECRET=$(oauthtool -v -d6 ${SECRET} | grep "Base32 secret" | awk '{print $3}')
                
qrencode -o ${USER}-OTP-secret.png $QR_SECRET


                This will only allow key-based authentication, followed by the requirement of entering the one-time password at login. There are command line OTP generators, but typically QR codes are used bring in the credentials. The SECRET and QR_SECRET and resulting image file should all be treated as confidential and ultimately be deleted after setting up the OTP client.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Mar 25 at 19:48

























                answered Mar 25 at 18:55









                earthmeLonearthmeLon

                6,6981951




                6,6981951






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1128598%2fadditional-authentication-via-scripts-exit-status-upon-openvpn-client-connectio%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    數位音樂下載

                    Image
                    數位音樂下載 為非以「實體」方式來販賣音樂的相關產品,而使用數位格式如mp3、AAC等文件格式來進行銷售販賣的一种音乐产业形式。著名的數位音樂下載服務商有iTunes Store、RecoChoku、Google Play音乐和微软Zune等。数字音乐下载在二十一世纪初一度风靡全球, [1] [2] 使得传统唱片产业走向衰落,但其自身也在2010年代流媒体音乐服务如Apple Music、Spotify等的挤压下迅速失去市场份额。 [3] [4] 数字音乐下载有便于携带、传播迅速、制作简单成本低等优点,与流媒体音乐相比也能更好保障音乐人权益; [5] 但它同时很可能带来侵犯版权和滥用的情形, [6] 也给音乐产业带来了诸多不利影响。数字音乐下载为音乐人和乐迷提供了更加便捷直接的交流渠道,也一定程度上推动了网络音乐人的出现和独立音乐的迅速发展。 [7] 目录 1 历史 1.1 技术积淀(1987-2000) 1.2 出现与兴起(2000-2004) 1.3 唱片市场的颠覆者(2004-2007) 1.4 巅峰和衰落(2005-2013) 1.5 摇摇欲坠的现状与不可预知的明天(2014至今) 2 主要文件格式 2.1 PCM编码格式 2.1.1 WAV 2.1.2 APE 2.1.3 FLAC 2.2 苹果推出的无损文件格式 2.2.1 AIFF 2.2.2 ALAC 2.3 有损压缩格式 2.3.1 MP3 2.3.2 AAC 3 主要市场 3.1 iTunes Store 3.2 Google Play音乐商店 3.3 亚马逊音乐商店 3.4 部分其他音乐商店 4 影响与评价 4.1 对音乐产业的影响 4.2 对科技行业的影响 4.3 正面评价 4.4 负面评价 4.4.1 侵权问题 4.4.2 经营模式不明晰 4.4.3 不适应移动时代 4.5 文化现象 5 延伸阅读 6 参考资料 历史 苹果iTunes+iPod的软硬件搭配让数字音
                    Read more

                    格利澤436b

                    Image
                    格利泽436b 太陽系外行星 太陽系外行星列表 艺术家笔下的格利泽436b 母恆星 母恆星 Gliese 436 星座 獅子座 赤經 ( α ) 11 h  42 m  11.0941 s [1] 赤緯 ( δ ) +26° 42′ 23.652″ [1] 距離 33.4 ly (10.2 pc) 光譜類型 M2.5 V [1] 軌道參數 半长轴 ( a ) 0.0291±0.0004 [2] AU 軌道離心率 ( e ) 0.150±0.012 [2] 公轉週期 ( P ) 2.643904±0.000005 [3] d (0.00723849 y) 軌道傾角 ( i ) 85.8 +0.21 −0.25 [3] ° 角距 ( θ ) 2.794 mas 近星點時間 ( T 0 ) 2,451,551.716 ±0.01 JD 半振幅 ( K ) 18.68±0.8 m/s 物理性质 质量 ( m ) 22.2±1.0 [2] M ⊕ 半徑 ( r ) 4.327±0.183 [2] [4] R ⊕ 密度 ( ρ ) 1.51 g cm -3 表面重力 ( g ) 1.18 g 溫度 ( T ) 712±36 [2] K 發現 發現時間 2004 發現者 巴特勒、沃格特、 馬西 et al. 發現方法 徑向速度、凌日法 發現地點 美國加利福尼亞州 發表論文 出版 其他名稱 Ross 905 b, GJ 436 b, [5] LTT 13213 b, GCTP 2704.10 b, LHS 310, AC+27:28217 b, Vyssotsky 616 b, HIP 57087 b, GEN# +9.80120068 b, LP 319-75 b, G 121-7 b, LSPM J1142+2642 b, 1RXS J114211.9+264328 b, ASCC 683818 b, G 147-68 b, UCAC2 41198281 b, BP
                    Read more

                    When can things happen in Etherscan, such as the picture below?

                    Image
                    2 I don't know why balance of the address is 0. when can this situation? etherscan balances share | improve this question asked yesterday Ru Hi Ru Hi 11 1 New contributor Ru Hi is a new contributor to this site. Take care in asking for clarification, commenting, and answering. Check out our Code of Conduct. add a comment  | 
                    Read more