Category Archives: Security

A nicer LUKS full disk encryption passphrase prompt in Debian 7 (Wheezy)

When installing Debian on a new system, if you don’t install Plymouth and you use full disk encryption, the passphrase prompt will come up in a text console which is not very pleasing to the modern eye:

[Image: the LUKS passphrase prompt in the text console]

After much experimentation, I found the Joy theme from the available Plymouth themes provided a much better experience. It was created by Audrien Auburg and adapted from an Edubuntu theme by Jonathan Carter for use with Plymouth. This is an excellent example of Ubuntu functionality brought back into Debian for the benefit of all.

This is how to install such a boot theme in a new Debian system using an Intel graphics chipset:

$ sudo -s
# apt-get install plymouth plymouth-drm

Edit /etc/initramfs-tools/modules and add the modules required for modesetting:

# KMS
intel_agp
drm
i915 modeset=1

Apply the Joy theme and make the changes effective:


# /usr/sbin/plymouth-set-default-theme joy
# update-initramfs -u
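
The same procedure as a re-runnable script, added here as an example and not part of the original post: the modules file is only appended to when a module is missing, so running it twice does not duplicate lines, and the theme name is checked against the installed list before it is applied. The helper names and the MODULES_FILE override are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add the KMS
# modules to an initramfs-tools modules file, then apply the Joy theme.
# MODULES_FILE defaults to the real path; tests can point it elsewhere.
set -eu

MODULES_FILE="${MODULES_FILE:-/etc/initramfs-tools/modules}"

# add_module FILE LINE: append LINE unless a non-comment line already
# names the same module (the first word of LINE).
add_module() {
    file="$1"; line="$2"
    name="${line%% *}"
    if grep -Eq "^[[:space:]]*$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# add_kms_modules FILE: the three modules from the post, with a marker comment.
add_kms_modules() {
    file="$1"
    grep -q '^# KMS' "$file" 2>/dev/null || printf '# KMS\n' >> "$file"
    add_module "$file" "intel_agp"
    add_module "$file" "drm"
    add_module "$file" "i915 modeset=1"
}

# count_module FILE NAME: number of non-comment lines naming NAME (1 after the edit).
count_module() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Whole procedure; needs root, and apt-get/plymouth only exist on Debian.
plymouth_joy_setup() {
    apt-get install -y plymouth plymouth-drm
    add_kms_modules "$MODULES_FILE"
    # Fail early if the theme is not installed instead of silently keeping the old one.
    plymouth-set-default-theme --list | grep -qx joy
    plymouth-set-default-theme joy
    update-initramfs -u
}

if [ "${1:-}" = "run" ]; then plymouth_joy_setup; fi
```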

And here is the result:

[Photo: the Joy Plymouth theme passphrase prompt]

If you have another graphics chipset, or if you want more details about setting Plymouth or changing to other themes, check the Debian wiki documentation about Plymouth for more specific instructions.

Also keep in mind this is not very useful on fast SSD-equipped systems: if you don’t use full-disk encryption, the boot sequence is so fast that you won’t see the theme much!

Ajenti, another web admin panel

I just found out about Ajenti, a system management Web UI released as free open source software under the GPLv3 license. It may be useful for managing desktops and small server setups, as opposed to other projects like Zentyal which do a lot more.

Ajenti

I’ve asked if it’s compatible with Ubuntu 12.04 LTS (which would mean also compatible with Trisquel 6).

Why is this interesting? There are tons of web interfaces out there, and vendors of NAS hardware all implement a variation of this. A few years ago, when I came across the Franklin Street Statement on Freedom and Network Services, I decided that if I was to advocate the use of autonomous, self-hosted/managed services, I should try to eat my own dog food whenever I could. With this in mind, I kept my eyes open for projects that would not only publish their source code under free open source licenses but also would be easy to implement at home, with consumer hardware, in typical DIY manner – just a bit shy of the current cloud-this and cloud-that madness.

I’ve been using OpenMediaVault for a couple of small NAS projects, and I love it. It’s based on Debian, so I am in familiar territory. I wish this was part of Debian already; I prefer adding such web UIs to existing vanilla installs instead of using a dedicated/modified/derived distribution. I also like its plugins, especially the OpenVPN one, which even generates archives with files and instructions when creating a new access. But aren’t plugins much like packages, optional functionality which you should be able to add/remove without breaking the system? The main difference is that when you have plugins in such a web UI, those plugins aren’t of Debian-package quality, and they introduce yet another layer of software you need to keep an eye on for updates, upgrades, security, etc. Oh, and yet another bug tracker, forum, blog, etc. to follow if you are to get involved.

I’ve always wondered why web UIs like those on OpenWRT or DD-WRT / Tomato are not part of all GNU/Linux distributions, as a separate package. A lot of commercial providers come up with their own too, it all seems like a huge duplication of effort when someone comes up with yet-another-web-ui. Having a common project or interface guidelines would make it easier to use 100% free software on such devices, while having an easy-to-use web interface.

When I researched alternative firmware to use with my D-Link DNS-323 NAS device, I came across Alt-F, yet another one! This motivated me into researching how to install a full distribution on it – eventually Debian was it. It’s very interesting that one can install Debian on several NAS-like devices or specialized hardware, but then you lose access to the nice (though always different) web interface provided by the vendor.

In many ways it seems sysadmin work and infrastructure management can be done with 100% free software, but what good is it when you have to depend on proprietary interfaces or middleware? I think projects like OpenMediaVault and Ajenti go in the right direction.

What are your favorite Web UI implementations of every-day infrastructure administration tasks?

Software Freedom Day tomorrow in Montreal

Don’t miss it!

This year I was able to bring two simultaneous events together, in different locations.

This year I was able to schedule two different events; they take place tomorrow, in two different places :)

All details at: http://wiki.softwarefreedomday.org/2011/Canada/Montreal

See you there!

Gobby server in 3 steps

I was tasked to examine different options for internal collaborative editing in a small project, for only a few documents and even fewer people.

I knew there was a Gobby server in Ubuntu but didn’t know it was this easy to set up. I quickly found out about Gobby-Infinote (Gobby using the new Infinote protocol) and Infinoted (the server). It was really nice to be able to go to the #infinote channel on Freenode and ask questions one-on-one to the actual developers and validate my tests! Thank you!

From Gobby’s website:

Gobby is a free collaborative editor supporting multiple documents in one session and a multi-user chat. It runs on Microsoft Windows, Mac OS X, Linux and other Unix-like platforms.

I performed my tests on an Ubuntu 9.10 64-bit desktop.

  1. On all client systems, install the gobby-infinote package
  2. Then on the server system, install the infinoted package
  3. Once the server is installed, either:
  • If you trust your local network and don’t want any security, launch the server using:
    infinoted --security-policy=no-tls

    or

  • If you’d rather have encryption, TLS is available. Use:
    infinoted --create-key --create-certificate -k key.pem  -c cert.pem

The key creation is automatic, and afterwards you can launch the server using just:

infinoted -k key.pem  -c cert.pem

You can also specify such options in ~/.config/infinoted.conf as noted on Infinoted’s wiki (which I plan to update with some of my notes). I am not sure yet what’s best to start the server automatically at system startup; I am told upstart should handle this. I’ll probably file a bug or investigate that further later.
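A small launcher that ties the two infinoted invocations above together, added here as an example and not part of the original post or of the Infinoted project: the --create-key/--create-certificate flags are passed only when the files do not exist yet, so a restart never regenerates a certificate that clients already accepted, and the certificate fingerprint is printed so users can compare it against the self-signed warning Gobby shows. It assumes infinoted and openssl are installed; the directory and function names are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): start infinoted with TLS,
# creating key and certificate on first run only, and print the
# certificate fingerprint for out-of-band comparison by clients.
set -eu

INF_DIR="${INF_DIR:-${HOME:-.}/.config/infinoted}"   # location is this example's choice
KEY="$INF_DIR/key.pem"
CERT="$INF_DIR/cert.pem"

# infinoted_args KEY CERT: the options from the post. The --create-*
# flags are added only when the files are missing, so restarting the
# server keeps the certificate clients have already trusted.
infinoted_args() {
    key="$1"; cert="$2"; extra=""
    if [ ! -f "$key" ] || [ ! -f "$cert" ]; then
        extra="--create-key --create-certificate "
    fi
    printf '%s-k %s -c %s' "$extra" "$key" "$cert"
}

# cert_fingerprint CERT: SHA-256 fingerprint of the self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

start_server() {
    mkdir -p "$INF_DIR"
    chmod 700 "$INF_DIR"
    # Word-splitting of the argument list is intended here.
    infinoted $(infinoted_args "$KEY" "$CERT") "$@" &
    sleep 1   # give infinoted a moment to write the files on first run
    chmod 600 "$KEY"
    echo "Certificate fingerprint (compare with the Gobby warning dialog):"
    cert_fingerprint "$CERT"
    wait
}

if [ "${1:-}" = "start" ]; then shift; start_server "$@"; fi
```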

Of course your server system can be a desktop, and you can run Gobby from that same system. Once installed, clients will find it under Accessories > Internet > Gobby Collaborative Editor (0.5).

You will also need to install avahi-daemon so the Infinote Gobby server availability is advertised through your local network and it’s shown among possible choices in your Gobby clients.

If you have set up TLS and you double-click one of the available servers that use it, you will be presented with a warning, as you have a self-signed certificate.

The “other” Gobby in Ubuntu is a previous, stable version (package: gobby). Its server companion, sobby, is not the focus of current development efforts.

The main differences I found are:

  • Optional TLS encryption
  • Undo ability (which required rewriting the sync protocol)
  • Interface improvements
  • Ability to delete files
  • Folder hierarchy creation now possible
  • Graceful recovery & offer to save when the server “disappears” or when someone deletes a file
  • Zeroconf support – so the server “advertises” itself on a LAN, no more IP/port info needed

The current client version in Karmic is 0.4.92, but 0.4.93 is already in Lucid and 0.4.94 is on its way.


Jaunty Candy

Here’s some candy I am enjoying in Jaunty:

Per-user language settings under System > Administration > Language support:

Cryptkeeper, (package: cryptkeeper) a tray applet to graphically manage EncFS encrypted directories:

ext4 filesystem support in the Gnome partition editor (package: gparted):

I’d love to hear about any of your favorite Jaunty candy too :)

Drupal 5.x and 6.x LoCo Suite Released

David Giard, a founding member of the Ubuntu Quebec LoCo Team, relayed this news to me this morning (via The Fridge):

NOT A FORK – as soon as I posted this I got a comment about this being a fork, well, it’s not! It’s a collection of modules and a theme, which are managed via a project in Launchpad. This is not a separate fork of Drupal! :)

Drupal 5.x and 6.x LoCo Suite Released

That long needed suite of tools has finally been completed.

This suite is designed for any Ubuntu Local Communities wanting to host a website. It is designed to allow any LoCo team to quickly create a website using Drupal for their team.

What this suite offers:

  • An approved theme for any LoCo
  • A highly customizable theme
  • Launchpad OpenID integration
    -> Users don’t need to create an account on your site
  • Launchpad Teams integration
    -> Can control access levels in the site based on LP team memberships
  • Fast and friendly support

Official project: launchpad.net/loco-drupal/

Release Downloads:

Drupal 5.x: launchpad.net/loco-drupal/5.x/0.5.0

Drupal 6.x: launchpad.net/loco-drupal/6.x/1.1.0

Drupal 7.x: in development

A Special Thanks:

This project would not be possible without all the collaboration involved.

The Ubuntu South Dakota Local Community: Michael Lustfield

The Ubuntu Quebec Local Community: David Giard

Joey Stanford

Stuart Metcalfe

Easy, free removable storage encryption that works with Ubuntu Hardy and Intrepid

I’ve been playing with encryption for some time now and I am always curious about removable storage encryption.

There are tons of guides to do this, but it always seems to require either too many steps or some non-free software. I’ve been successfully using this method, adapted from this post, for some time now, so I wanted to share it here; if anyone has better ideas I’d love to hear them. Removable storage encrypted using this method can also be read directly from Intrepid Live CD sessions, as Intrepid now includes cryptsetup by default.

You will need to install the cryptsetup package in Hardy, and also gparted as a helper graphical application to set up partitions and format your media. Gparted is already available on LiveCD sessions. Yes, I know this can be done on the command line, but I try to limit that as I show this to other CLI-agnostic friends.

Notice I’ve added a step (formatting with a regular partition first), and I used partitions instead of device names.

Find out which device your stick is by issuing from command line:
sudo lshw -C disk -short

This may also help detect other types of storage:
sudo lshw -C storage -short

Example output:
H/W path Device Class Description
=======================================================
/0/100/1f.1/0 /dev/sda disk 251GB Maxtor 6L250R0
/0/100/1f.1/1 /dev/sdb disk 251GB Maxtor 6L250R0
/0/100/1f.1/2 /dev/cdrom disk DVD-RW DVR-110D
/0/100/1f.1/3 /dev/cdrom1 disk RW/DVD GCC-4521B
/0/100/1f.1/3/0 /dev/cdrom1 disk
/0/1/0.0.0 /dev/sdc disk 256MB Cruzer Micro
/0/1/0.0.0/0 /dev/sdc disk 256MB

In this case the device is /dev/sdc.

Next make sure the device is unmounted:
sudo umount /dev/sdc1

Format your removable storage device using gparted, create one single ext3 partition on it. This will end up being partition /dev/sdc1 (assuming your device is /dev/sdc like in my example).

If you do not want to encrypt the whole removable storage, repartition it using gparted.

Overwrite the created partition with an encrypted partition on the target media:
sudo luksformat /dev/sdc1

This will ask you for a passphrase. The default file system is “vfat”, but you can specify a different one with the “-t” option. An example of the same, using an ext3 partition:
sudo luksformat -t ext3 /dev/sdc1

Make sure you type YES in all capitals when prompted, and read the prompts carefully.

After this procedure, remove the stick and plug it in again. This should trigger a dialog which asks you for the passphrase and mounts the encrypted partition (along with any unencrypted one, of course).
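The step that can go wrong in this procedure is running luksformat against the wrong /dev/sdX1. The wrapper below, added here as an example and not part of the original post, refuses to run the post's luksformat command unless the target is a partition on a device the kernel flags as removable and it is not currently mounted. SYS_ROOT and MOUNTS are parameterised only so the checks can be exercised against constructed files; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): guard luksformat so it only
# runs against an unmounted partition of a removable device.
set -eu

SYS_ROOT="${SYS_ROOT:-/sys}"        # overridable for testing
MOUNTS="${MOUNTS:-/proc/mounts}"    # overridable for testing

# parent_disk /dev/sdc1 -> sdc  (and /dev/sdc -> sdc)
parent_disk() {
    base="${1#/dev/}"
    printf '%s' "$base" | sed 's/[0-9]*$//'
}

# is_removable DEV: the kernel exposes the removable flag in sysfs.
is_removable() {
    flag="$SYS_ROOT/block/$(parent_disk "$1")/removable"
    [ -f "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# is_mounted DEV: true if the mounts table lists exactly this device.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS"
}

# check_target DEV: returns 0 if safe to format, 1 with a reason otherwise.
check_target() {
    dev="$1"
    case "$dev" in
        /dev/sd[a-z][0-9]*) ;;
        *) echo "refusing: $dev is not a /dev/sdXN partition" >&2; return 1 ;;
    esac
    is_removable "$dev" || { echo "refusing: $(parent_disk "$dev") is not removable" >&2; return 1; }
    if is_mounted "$dev"; then echo "refusing: $dev is mounted" >&2; return 1; fi
    return 0
}

# safe_luksformat DEV [FS]: the post's command, run only after the checks pass.
safe_luksformat() {
    check_target "$1"
    sudo luksformat -t "${2:-vfat}" "$1"
}

if [ "${1:-}" = "format" ]; then safe_luksformat "${2:?device required}" "${3:-vfat}"; fi
```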

I was able to read a stick encrypted this way in other computers, just by installing cryptsetup on them. You will need to install cryptsetup and reboot every computer where you want to access this.

Intrepid already comes with cryptsetup installed BTW.

I hear this kind of encrypted removable media can also be read from Windows using FreeOTFE but I haven’t tried it. If anyone can share how to do that, I’d also like to hear about it.

Just a little warning at the end: Please be aware that if you lose the passphrase, I CAN’T HELP RECOVERING THE DATA! This may sound obvious but in a previous posting about this I got private requests about such problems. No comments!

The single most important thing you should know about Ubuntu…

… if you’re new around here, or if you’re introducing someone else to Ubuntu for the first time, I think a critical read is the following link:

Painfully obvious? Rightfully so.

Many new (and old) “converts” ask questions about how to compile applications or manually install .deb packages… those should be the last things one does when installing applications in Ubuntu (or any Linux for that matter), at least when you want to keep the system as close as possible to regular, supported security/feature updates and upgrades.

I am still a bit surprised when I get a comment like “I’ve been trying to compile/install XYZ for a few days/hours” and there almost always is a solution using packages part of the regular repositories! For those special cases when there isn’t I have a million suggestions, but compiling is far from the top of my list.

Another piece of friendly advice: also consider asking on the Launchpad “Answers” system, or show your new converts how to do that. Many times you may find things in Ubuntu are done in a slightly different way – not always obvious, most of the time easier. Don’t take my word for it ;) Asking where or how to get help is OK too.

Last but not least, http://www.ubuntu.com/support provides links to official docs, free community support and even commercial options. Chances are there is a Local Community Team in your area, know it, promote it, join it, use it!

There’s only one better thing than discovering Ubuntu, and that is knowing where its community is, how to reach it and even how to participate in it. I’ve found that when new users are empowered to do this, they don’t have to depend on me at all for future support! Well, unless they want 24/7 immediate phone support, that is ;)

Become a router port forwarding guru in 5 minutes

If you’ve ever helped someone over the phone change any router configuration, you know it’s a bit of a challenge to guide anyone through the mazes of menus and options each different router has just to enable port forwarding for any given application.

Fear not, you can now become your local neighborhood router guru: just bookmark http://www.portforward.com and have it handy when someone requests your mighty knowledge. If you feel like letting anyone else in on this carefully guarded secret, do so at your own risk :)

Thanks for the tip, David!

Canonical hiring

Canonical is hiring and the positions list is growing by the day. If you’d like to join a place where IRC is a requirement, colleagues are in almost every timezone, and hacking your home electronics is rather common, check the list and also how to apply.

Contact me if you have any questions.

July 2008 postings

  • GNOME Developer, Online Services
    Job Location: At home with broadband, in an American/European time zone. This job involves international travel three to four times a year, usually for one week.

  • QA Engineer, Online Services
    Job Location: Home based with broadband. This job involves international travel several times a year, usually for one week.

  • Engineering Manager, Linux Desktop Experience Team
    Job Location: Millbank Tower, London; UK preferably.

  • Web Developer, Business Information Systems
    Job Location: At home with broadband. This job involves international travel several times a year, usually for periods of one or two weeks.

  • Web Developer, Online Services
    Job Location: Home based with broadband. This job involves international travel several times a year, usually for one week.

  • ISV Relationship Manager
    Job Location: The role will involve significant travel, most of which will be in the US and Europe. Boston, London or San Francisco are the preferred locations.

  • Security Engineer
    Job Location: Your home, as long as you have broadband. Some international travel will be required.

  • Engineering Manager
    Job Location: Your home (given appropriate facilities including broadband Internet) in an American or European time zone.
