Archive for the linux category

Hello World with Qt 5


Getting started with Qt development is rather easy. As with the other C++ development discussed earlier, all tools and libraries are available from the Debian / Ubuntu repositories. The following packages take care of the basic setup:

apt-get install gcc g++ gdb cmake make build-essential qtcreator qt5-default qtdeclarative5-dev qt5-doc qt5-doc-html qtbase5-doc-html qtbase5-examples

Once installed, this small “Hello World” example, inspired by this tutorial but updated for Qt 5, will verify that everything is set up correctly.

Note that the file must have the extension .cpp, e.g. helloworld.cpp.

#include <QtWidgets/QApplication>
#include <QtWidgets/QPushButton>

int main( int argc, char **argv ) {
  // One QApplication owns the event loop and parses Qt's command-line options.
  QApplication a( argc, argv );

  // A push button with no parent widget is itself a top-level window.
  QPushButton hello( "Hello world!", 0 );
  hello.resize( 100, 30 );

  hello.show();
  // Run the event loop until the last window is closed.
  return a.exec();
}

Once this file is in place, a Qt .pro project file must be generated. This only needs to be run once:

qmake -project

It will create a file based on the name of the current directory, with the extension .pro. Edit the file to include the following two lines:

QT += core gui
QT += widgets

If backwards compatibility with older Qt versions is a concern, change the last line to:

greaterThan(QT_MAJOR_VERSION, 4): QT += widgets

Now, the application can be compiled and linked into a binary:

qmake && make && ./helloworld

This generates a Makefile, compiles the source code, and starts the binary. If everything works, a new application window with a small button like the one below appears.


Ubuntu 16.10 on Asus ZenBook UX330


As mentioned in a previous post, I recently got the Asus ZenBook UX330 (UX330CA-FC020T, to be specific). It’s a very lightweight 14″ laptop with decent specs which runs Ubuntu flawlessly. Here are some notes on installing, and first impressions.

UEFI boot and install

As far as I’ve seen, there are at least two versions of the BIOS around for these machines: the display model had an “old fashioned” ASCII text based BIOS, while the one which got delivered had a new UEFI based GUI. Both can boot the Ubuntu 16.10 64-bit live image, but Secure Boot needs some tweaking first.

Before getting to boot, it’s important that the partition of the USB stick which holds the image is marked as bootable. In GParted, this can be done with the option seen below. Once that is taken care of, transferring the ISO is easily done with UNetbootin.

Once ready, plug in the USB stick, restart the machine, and hold F2 to enter the BIOS / UEFI setup. (Holding ESC will show the temporary boot selection menu). The “easy” mode can be seen below.

From here, press F7 to enter “Advanced” mode, and use the arrow keys or mouse to tab over to the Security options. Towards the bottom of that tab, there’s a sub-menu for Secure Boot. Enter that menu, and disable Secure Boot.

Use F10 to save and exit, and go back into the UEFI setup with F2 to verify that the Ubuntu live partition shows up as “1100, Partition 1″. From here you can change the Boot settings to select the USB partition first, or use F8 to boot from it only once, which should be all you need to get the installation going.

Ubuntu compatibility

Here’s a list of features I’ve personally tried and confirmed to be working. In summary, this machine is very well prepared for Ubuntu, with no major drawbacks. The only additional setup which might be worthwhile is configuring the touchpad to be temporarily disabled while typing, as described here.

Feature                             Status
USB ports                           Work
SD card reader                      Works, mounts.
Wifi                                Detects all networks; connects. Fast re-connect after suspend.
Bluetooth                           Not tried
Web cam                             Works with “Cheese”
Suspend                             Works; resumes quickly. From Ubuntu menu, lid close, or Fn + F1
Flight mode (Fn + F2)               Works, reconnects quickly.
Keyboard brightness (Fn + F3/F4)    Works
Screen brightness (Fn + F5/F6)      Works
External display (Fn + F7/F8)       Not tried
Volume buttons (Fn + F10/F11/F12)   Works
CPU throttling                      Not tried

Specs

The UX330CA is a decently specced laptop, and there are a few variants should you want more power. Here’s the selection as it looks in early 2017, compared with the slightly more expensive UX330UA line.

                        UX330CA                                        UX330UA
Price range             €750                                           €930 – €1300
CPU                     Core M3-7Y30 1 (2.6) GHz                       Core i5 7200U 2.5 (3.5) GHz or Core i7 7500U 2.9 (3.5) GHz
Max TDP                 4.5 W                                          15 W
RAM                     8 GB                                           8 / 16 GB
SSD                     128 GB                                         256 / 512 GB
GPU                     Intel HD Graphics 615                          Intel HD Graphics 620
Display                 1920 x 1080 pixels; 13.30″; anti-glare; no-touch   1920 x 1080 pixels; 13.30″; anti-glare; no-touch
USB                     2x USB 3.0 A, 1x USB 3.1 C                     2x USB 3.0 A, 1x USB 3.1 C
SD card reader          SD, SDHC, SDXC                                 SD, SDHC, SDXC
HDMI                    Micro HDMI                                     Micro HDMI
RJ45 / LAN              No, comes with USB adapter                     No, comes with USB adapter
3.5mm mini-jack         1x                                             1x
Web cam                 1280 x 720 pixel                               1368 x 768 pixel
Bluetooth version       4.1                                            4.1
Wifi version            802.11 ac                                      802.11 ac
Weight                  1.20 kg                                        1.20 kg
Dimensions (W x L x H)  32.20 x 22.10 x 1.23 cm                        32.20 x 22.10 x 1.35 cm

How to disable the touchpad while typing


Most modern laptops come with a touchpad for cursor control. It is typically located below the space bar, which means it’s easy to rest your palms on it while typing and send the cursor flying. There are two ways around the problem: disable it altogether and use another pointing device, like the red “TrackPoint” or an external mouse; or temporarily turn it off while typing. Here’s how to do both.

First, make sure these packages are installed:

apt-get install usbutils xinput xserver-xorg-input-synaptics

Permanently disable

Any input device can be configured through the xinput tool. However, as machine configurations differ, we need to look at what is connected first. These commands list internal and connected devices:

lsusb
 
xinput list

The first command lists connected USB devices, which might be relevant. The second command outputs a list like the following, where each device has an ID which changes based on the machine and what is connected. The example below is from a Lenovo Thinkpad with an external mouse, so three hardware pointing devices are listed: the touchpad, the trackpoint, and the external Logitech mouse. Notice the ID for the touchpad, which is 12 here.

⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
⎜   ↳ SynPS/2 Synaptics TouchPad              	id=12	[slave  pointer  (2)]
⎜   ↳ TPPS/2 IBM TrackPoint                   	id=13	[slave  pointer  (2)]
⎜   ↳ Logitech M570                           	id=9	[slave  pointer  (2)]
⎣ Virtual core keyboard                   	id=3	[master keyboard (2)]
    ↳ Virtual core XTEST keyboard             	id=5	[slave  keyboard (3)]
    ↳ Power Button                            	id=6	[slave  keyboard (3)]
    ↳ Video Bus                               	id=7	[slave  keyboard (3)]
    ↳ Sleep Button                            	id=8	[slave  keyboard (3)]
    ↳ Integrated Camera                       	id=10	[slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard            	id=11	[slave  keyboard (3)]
    ↳ ThinkPad Extra Buttons                  	id=14	[slave  keyboard (3)]

We can query details about a specific device:

xinput list-props 12
 
xinput list-props 12 | grep Enabled

There are two ways to enable and disable a device: by setting the “Device Enabled” property, or with the xinput shortcut commands, which do the same:

xinput set-prop 12 "Device Enabled" 0
xinput disable 12
 
xinput set-prop 12 "Device Enabled" 1
xinput enable 12
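Since the ID differs per machine and changes with what is plugged in, a startup script should look the touchpad up by name rather than hard-coding 12. The following is an added example, not code from the original post: it parses `xinput list` style output for the first slave pointer whose name matches a pattern (the listing above uses the name “SynPS/2 Synaptics TouchPad”), and wraps the `set-prop` call. The embedded sample listing is constructed from the one above, with the tree glyphs replaced by ASCII; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: find the touchpad's xinput id
# by name instead of hard-coding "12". Assumes the device name contains
# "TouchPad" (as in the listing above) and that xinput is available for real use.

# Read `xinput list` output on stdin; print the id of the first slave pointer
# whose name matches $1 (case-insensitive). Prints nothing if there is none.
find_pointer_id() {
    grep -i -- "$1" | grep 'slave *pointer' \
        | sed -n 's/.*id=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Enable ($2 = 1) or disable ($2 = 0) the device with id $1.
set_pointer_enabled() {
    xinput set-prop "$1" "Device Enabled" "$2"
}

# Constructed sample in the format shown above (ASCII tree glyphs), so the
# parsing can be exercised without an X session.
SAMPLE_XINPUT='[ Virtual core pointer                      id=2    [master pointer  (3)]
|   -> Virtual core XTEST pointer            id=4    [slave  pointer  (2)]
|   -> SynPS/2 Synaptics TouchPad            id=12   [slave  pointer  (2)]
|   -> TPPS/2 IBM TrackPoint                 id=13   [slave  pointer  (2)]
|   -> Logitech M570                         id=9    [slave  pointer  (2)]
[ Virtual core keyboard                     id=3    [master keyboard (2)]
    -> Power Button                          id=6    [slave  keyboard (3)]'

# Convenience wrapper over the constructed sample.
touchpad_id_from_sample() {
    printf '%s\n' "$SAMPLE_XINPUT" | find_pointer_id touchpad
}

# Real use, inside an X session (e.g. from a desktop startup script):
#   id=$(xinput list | find_pointer_id touchpad)
#   [ -n "$id" ] && set_pointer_enabled "$id" 0
```

The name match is deliberately loose (“touchpad” also matches “Touchpad” on other drivers), and the slave-pointer filter keeps the virtual XTEST pointer and keyboard devices out of the result.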

Temporarily turn off while typing

You might want to use the touchpad though, and only avoid the “fat fingers” problem while typing. Here the syndaemon tool comes to the rescue. It’s “a program that monitors keyboard activity and disables the touchpad when the keyboard is being used”. This means you’ll have to make sure it’s running in the background, typically through the start-scripts of your desktop.

There are a few settings to play around with, and also a CLI client, “synclient”. See also the synaptics driver documentation for more options.

Having this in a startup script will cover most common use cases:

/usr/bin/syndaemon -i 1 -t -d


Linux compatible notebooks and laptops


You’d think that there would be a sizable market for a Linux based laptop, but Microsoft maintains its stronghold, and if anything it’s getting harder to buy random hardware and expect it to just work, due to the UEFI bootloader, Secure Boot, various proprietary button solutions, touch screens, and little or no support from the hardware vendors. After doing a bit of research into small and mid-range notebooks and laptops that work with Linux, here’s a brief summary.

Most of the newer devices were evaluated with a USB live version of Ubuntu 16.10 64-bit.

(Disclaimer: This is not meant to be an exhaustive list of all available brands or Linux compatible devices. Please take it as a snapshot in time of the laptops which happened to be available in my local market. Also note, beyond being a consumer of some of the mentioned laptops, I’m not affiliated with any of them).

Lenovo

The Lenovo Thinkpad is still top of the line when it comes to business laptops. After using the Carbon X1 2016 4th generation edition for about half a year, it’s a sure all-time favorite. It’s available with Intel’s 7th generation Skylake CPU at various speeds; it does not get warm and uses little power, which makes for long battery life. A full working day without carrying a charger is usually not a problem.

Any Lenovo Thinkpad you’ll pick up will support Linux easily. It has a huge community and following, which means drivers, special buttons, sensors etc. get support quickly. The exception might be some of the more exotic variants of the Yoga Book (which run Android). In general, booting and installing any version of any GNU/Linux distribution is not a problem.

The downside is of course the price. At 1500 to 2500 Euros, it can be a tough pill to swallow if you’re buying new. However, there is also a healthy used market, so if you’re willing to wait a bit longer to get the latest tech, it’s a good compromise.

Asus

In hardware circles, ASUS is perhaps more famous for their high quality motherboards, but they also have a healthy range of laptops, many of which support Linux. I looked at a few models, with the ZenBook as the clear winner.

ZenBook UX330

These are nice! In fact, there’s a wide range of configurations, colors and prices, most with 13.30″ full 1080HD screens, some with touch screens or larger screens. The cheapest version is now around €750 for an Intel m3-7Y30 dual core (4 threads). At only 4.5 W TDP, it does not get warm and is fan-less. It comes with 8 GB RAM and 128 GB SSD, which is decent. Best of all, it’s only 1.3 kg, so just as light as the Lenovo Carbon.

There seem to be a few different BIOS versions on these models. The traditional text-based BIOS had no problems booting the Live USB. However, with the UEFI version, a bit of fiddling with Secure Boot and Boot Priority was required. Turning off Secure Boot and making sure the USB partition was marked with a “boot” flag fixed it. (Spoiler alert: I’ll get back to this in another post, as I already bought this machine).

Furthermore, on Ubuntu 16.10, everything works out of the box: Wifi, suspend, and all function buttons (volume, screen dimming, flight mode, touchpad enable/disable). Battery life looks promising at around 10 hours.

The higher end versions, with i7 CPUs, 16 GB RAM and 256/512 GB SSD, are probably the closest competitors to Lenovo’s lightweight laptops at the moment. At about 25% lower price, they might certainly be worth considering.

R105HA

The Eee line from a few years back were nice super-small “ultrabooks”, albeit somewhat under-powered by today’s standards. A more recent edition, the R105HA, is a €240 2-in-1 11″ detachable tablet and keyboard. It has a USB A slot; it booted to the GRUB menu, but failed to load the Live UI. It could be that it’s not an x64 based CPU at all; not sure.

E402SA

A bit further up the range, but at a similar price, there’s the E402SA. It’s a 14″ laptop with a full sized keyboard, but only 2 GB RAM and 32 GB SSD. Still not bad for €280. It booted the Ubuntu live stick fine. Wifi, volume buttons and suspend work. Screen dimming works, but not through the function buttons. The main downside is the cheap keyboard, where the SPACE key is hinged in the middle, so it might not register a thumb-click in its corners.

PEAQ

I’m not familiar with this brand, and it could be only a label on generic OEM devices of some kind. However, I thought it was worth including, since they had the cheapest and smallest notebook I came across.

PNB C111

This is an 11″ but full 1080HD laptop with a tiny keyboard; think early Asus Eee. The €180 version comes with an Intel Celeron N3060 CPU, 2 GB RAM and 32 GB SSD. It is light, but feels plasticky. And as mentioned, the keyboard is cramped, even for small fingers.

It booted the Ubuntu 16.10 64-bit live image fine, and wifi; volume function keys and suspend all work out of the box. Screen dimming also works, but not through the function buttons (this seems to be a common problem).

Other

HP and Dell

There were a few HP and Dell laptops in the shops I went to, but where I tried, none of them would boot the USB image. This could be down to bad luck; the Asus Zenbook was also difficult in UEFI mode. However, I’m not sure they are good options at higher prices than the Zenbook range.

System 76

This is one of the long-time dedicated Ubuntu Linux hardware retailers. They don’t make their own hardware though, and instead merely put their name on OEM devices. The problem is, as much as I’d like to support a Linux hardware vendor, it comes at a very high price for mid-tier hardware. Of course, they put extra effort into making sure the drivers are all available for their products, including keeping their own driver package repository running, but I’m not sure it’s worth it.

The version I have experience with and bought was the “Gazelle Professional” for some $1300. (New edition here). It works and has been running for five years, it’s nice, but extremely heavy even for its time. At some 4 kg with the charger, it can no longer be considered portable. The newer version in the picture above is the Lemur, at 1.6 kg and starting price of $700.


Linus: Hash function as identifier vs. crypto security


Linus had an interesting observation last week, after it was announced that collisions could be found for the SHA1 hash algorithm. On the “Shattered” page, they declare that everything is broken, from cryptographic signatures to backup systems, and git. Linus however, refutes this, noting that the use of SHA1 in git is not for security, but rather as an identifier for the commit.

In fact, as is pointed out in the comments section of Linus’ post, git could probably have gone with a 160-bit CRC (the default SHA1 is 160 bits). Or, if there was no need to relate the ID directly to the submitted code, a UUID would also have been fine.

The point is, security does not exist for itself, but rather as a reaction or mitigation to a threat. If the threat is cosmic rays or disk corruption, assuming no other intentional attack, and all that is required is to detect a bit-flip, then CRC, MD5 and SHA1 are all fine alternatives. However, for dealing with encrypted messages, keys and signatures, other algorithms are needed. As for git, the biggest threat there is not bit-flips, accidental or malicious. Rather, it is the incorrect behaviour and functioning of the code in the repository. And for that, the solution is not hash functions, but unit tests. As Linus points out, you will definitely notice if characters and code are flipped around.


Raspberry Pi headless install


The minimal “lite” image of Debian 8 (Jessie) is an excellent choice for a headless Raspberry Pi. After writing the image to the SD card, these notes from Dmytro Bobkov cover the basic initial setup, while wifi setup from the command line is explained here. More details on CLI wifi on Debian are in a previous post here.

If there is no screen or keyboard available, the SD card has to be prepared before the initial boot, mainly to make sure SSH is running so you can log in. This discussion covers the topic. However, if things are not working at once, a few debug statements can help. E.g., add as needed in the config file (change the IP to that of your laptop or machine):

echo "$_IP" | nc 192.168.1.100 10100

echo "ssh has started" | nc 192.168.1.100 10100

On the other end, receive the messages by:

while true; do nc -l 192.168.1.100 10100; done

Finally, you might want to add a few extra packages, based on what you want to use the device for. These might come in handy:

apt-get update
apt-get upgrade

apt-get install htop itop atop git tig tree autossh nmap rsync lynx links emacs


cryptsetup basics


Talking about encryption in the previous post, I realized there are a few details I keep having to look up. This is a collection of the Frequently Asked Questions about cryptsetup formatting and mounting.

Note: all the following examples use the example device /dev/sdX. It’s a device and file which deliberately doesn’t exist. When replacing it with your own, e.g. /dev/sda or similar, be careful!

Formatting a new physical drive

Before working with a new drive, it’s recommended to check for bad blocks, to confirm it’s not a DOA (Dead on Arrival). If it is, you might want to claim it on the warranty immediately to avoid losing data in the future.

This command will check for bad blocks, as well as fill the disk with random data to better hide the encrypted volume later:

badblocks -c 10240 -s -w -t random -v /dev/sdX

Next is the partition setup, where all you need is a new cleared partition (similar to unformatted, but actually cleared). In the gparted UI it’s simply “New -> Cleared -> Apply”, while on the CLI it goes something like this, creating an optimally aligned primary partition:

parted /dev/sdX mklabel gpt
parted -a optimal /dev/sdX mkpart primary '0%' '100%'

Now, coming to the encrypted volume, you could just use a passphrase and skip the first line, or store a salted hashed password in a key file. The benefit of the latter is that it will generally be a more secure key, and yet you could re-create the key file if you lost it, assuming you remember both the password and the salt.

mkpasswd --method=sha-256 --salt='SOME_SALT' | tr -d '\n' > /tmp/key-file

cryptsetup luksFormat /dev/sdX1 /tmp/key-file
cryptsetup open /dev/sdX1 unenc --key-file /tmp/key-file

Notice the mapping name “unenc”, which can be anything of your choosing.

Finally, format and mount the drive. Here, the ext4 file system is used, with 1% reserved for the system:

mkfs.ext4 -m 1 -O dir_index,filetype /dev/mapper/unenc
mount /dev/mapper/unenc /mnt/tmp

Creating an encrypted file volume

In some cases, it is useful to encrypt only a small part of the disk, or even move the encrypted container around. A loop device can create a filesystem inside a file residing on any file system, be it USB stick, network mount or local disk.

First, you will have to create an empty file. The dd command will copy zeros to the specified filename. The total size is block size times count, or 500 MB in this example:

dd if=/dev/zero of=myfile bs=1M count=500

Then set up the loop device. The file will become available as /dev/loop0, which can be formatted and mounted like any other block device:

losetup /dev/loop0 myfile

Now repeat the luksFormat and filesystem format commands from above:

cryptsetup luksFormat /dev/loop0
cryptsetup open /dev/loop0 mycrypt
mkfs.ext4 -m 1 /dev/mapper/mycrypt
mount /dev/mapper/mycrypt /mnt/tmp
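Both the physical-drive and the file-volume procedures above end in the same luksFormat, open, mkfs and mount sequence, and both are one typo in the device name away from formatting the wrong disk. The following is an added example, not code from the original post, that wraps that sequence in a function which first refuses anything that is not an unmounted block device. It assumes cryptsetup and mkfs.ext4 are installed and that it runs as root; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: the luksFormat / open /
# mkfs / mount sequence from "Formatting a new physical drive" and "Creating
# an encrypted file volume", guarded by a check that the target is an
# unmounted block device. Assumes cryptsetup and mkfs.ext4 and root.

# Return 0 only if $1 is a block device and is not currently mounted.
check_target_device() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    # /proc/mounts has the device as the first field of each mounted entry
    if awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null; then
        echo "refusing: $dev is currently mounted" >&2
        return 2
    fi
    return 0
}

# luksFormat $1, map it as /dev/mapper/$2, create ext4 on it and mount at $3.
# Optional $4 is a key file; without it cryptsetup prompts for a passphrase.
encrypt_and_mount() {
    dev="$1"; name="$2"; mnt="$3"; keyfile="$4"
    check_target_device "$dev" || return $?
    if [ -n "$keyfile" ]; then
        cryptsetup luksFormat "$dev" "$keyfile" &&
            cryptsetup open "$dev" "$name" --key-file "$keyfile"
    else
        cryptsetup luksFormat "$dev" &&
            cryptsetup open "$dev" "$name"
    fi || return 3
    # 1% reserved blocks, as in the mkfs.ext4 lines above
    mkfs.ext4 -m 1 "/dev/mapper/$name" &&
        mkdir -p "$mnt" &&
        mount "/dev/mapper/$name" "$mnt"
}

# Physical partition, passphrase prompted:
#   encrypt_and_mount /dev/sdX1 unenc /mnt/tmp
# File-backed volume, after the losetup line above:
#   encrypt_and_mount /dev/loop0 mycrypt /mnt/tmp
```

The mounted-device check is the one that matters in practice: a block device that is in use will not be the one you just attached, so the function stops before luksFormat asks for confirmation.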

Key management

Most of the cryptsetup commands above have at least two options when dealing with the keyslot: a passphrase and a key file. Typically, a passphrase is typed in at the prompt when unlocking the partition or modifying the other keys, while a key file is supplied using the --key-file argument. In terms of security, the first is “something you know”, while the latter is “something you have”.

To list the active keyslots use the following command. It works both on an open and on a closed partition.

cryptsetup luksDump /dev/sdX

To add a new key with a prompted password:

cryptsetup luksAddKey /dev/sdX

or a randomly generated key-file:
dd bs=512 count=4 if=/dev/urandom of=~/keyfile_for_sdX iflag=fullblock

cryptsetup luksAddKey /dev/sdX ~/keyfile_for_sdX

To erase one of the existing key slots, assuming you have more than one:

cryptsetup luksKillSlot /dev/sdX <key slot number>

You might also want to backup the LUKS header, which includes the key-slots, so in case you overwrite existing keys, you can restore the header and unlock with the old keys. It should be noted, that this header will then be able to unlock the partition given any password or keyfile in its keyslots. So, even if you change a password, the old header can be restored and an old password used to unlock. Therefore, it should be considered a secret file and stored securely just as the key file.

cryptsetup luksHeaderBackup /dev/sdX --header-backup-file ~/header_for_sdX

Finally, you might need to wipe the whole encrypted volume. You can do this with the luksKillSlot command, removing every key slot; or remove all but one key, then change or replace the remaining one with a password or key file you later discard or forget, e.g. a key file generated on the RAM disk /dev/shm, which is lost on reboot.


Linux Credit Card


The Linux Foundation is offering a credit card as a way to donate to their cause. There’s an initial $50 price, and then the points which normally gather dust on other credit cards will automatically benefit them. And the card features Tux!


Upgrading Debian Wheezy 7 to Jessie 8


Upgrading from Debian 7 to 8 is reasonably straightforward, following the official instructions. These shorter summaries are also useful references.

Very briefly then, make sure you have a backup:
dpkg --get-selections "*" > dpkg_selections.txt
tar zcvf upgrade_backup.tar.gz /etc /var/lib/dpkg /var/lib/apt/extended_states /etc/mysql/my.cnf /etc/fuse.conf /etc/ssh/ssh_config

Update /etc/apt/sources.list, and replace all occurrences of wheezy with jessie.
sed -i 's/wheezy/jessie/g' /etc/apt/sources.list

If VirtualBox is installed, update to the new key:
wget -q -O - http://download.virtualbox.org/virtualbox/debian/oracle_vbox_2016.asc | sudo apt-key add -

Then comes the upgrade dance, with a few prompts, warnings, questions.

apt-get update
apt-get upgrade
apt-get dist-upgrade

After the upgrade, it is recommended to purge unused packages:
apt-get purge $(dpkg -l | awk '/^rc/ { print $2 }')
apt-get autoremove

It is also recommended to install the linux-image-* metapackage, e.g. for the 64-bit x86 (amd64) architecture:
apt-get install linux-image-amd64

Finally, cross your fingers and reboot.
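The one step above that silently goes wrong is the sources.list edit: the sed line only touches /etc/apt/sources.list, so any wheezy entry in /etc/apt/sources.list.d/ (third-party repositories such as the VirtualBox one) survives and drags the old release back in at the next apt-get update. The following is an added example, not code from the original post, that performs the backup and the rename as functions and then verifies that no non-comment line still names the old release. The apt directory is a parameter so the rename can be tried on a copy; function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: the backup and sources.list
# steps above as functions, plus a check that no "wheezy" entry survives,
# including the files under sources.list.d which the single sed line misses.

# Save the package selection list and the configuration named above into $1.
backup_package_state() {
    dpkg --get-selections "*" > "$1/dpkg_selections.txt" &&
        tar zcf "$1/upgrade_backup.tar.gz" /etc /var/lib/dpkg /var/lib/apt/extended_states
}

# Replace release name $2 with $3 in $1/sources.list and $1/sources.list.d/*.list,
# keeping a .bak copy of every file it rewrites.
switch_release() {
    aptdir="$1"; from="$2"; to="$3"
    for f in "$aptdir/sources.list" "$aptdir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue      # skips the unexpanded glob if the directory is empty
        cp "$f" "$f.bak"
        sed -i "s/$from/$to/g" "$f"
    done
}

# Return 0 if no non-comment line in those files still mentions release $2.
check_release_gone() {
    aptdir="$1"; from="$2"
    hits=$(cat "$aptdir/sources.list" "$aptdir"/sources.list.d/*.list 2>/dev/null \
        | grep -v '^[[:space:]]*#' | grep -c -- "$from" || true)
    [ "$hits" -eq 0 ]
}

# Typical run on the real system, as root:
#   backup_package_state /root && switch_release /etc/apt wheezy jessie \
#       && check_release_gone /etc/apt wheezy && apt-get update
```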


Add-on development for Kodi


On the heels of the QNAP NAS setup notes, here’s a fun integration with my home automation system for living room lights.

The idea is to send the same commands from the Kodi app as the custom Android app does to the Arduino controlled relays. Before the movie starts, the lights go off. I’ll skip the details of that code, but point to a few useful pages to get started. It’s simple.

The Kodi Add-on documentation is good. To get started, you need at least two files: the addon.xml configuration, and your Python script, e.g. myaddon.py. These have to be in a directory of the form script.name (more in the linked documentation), zipped into a ZIP file without compression, as seen below. This zip file can then be copied to the NAS and installed from Kodi.
zip -0 -r myaddon.zip script.myaddon

One gotcha is that the addon.xml file cannot end with a newline. At least some people have reported that causing an install error.
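Since a trailing newline is invisible in most editors, it is worth checking for it before running the zip command. The following is an added example, not code from the original post or from Kodi: one function fails when addon.xml ends with a newline, one strips exactly that last byte, and a packaging wrapper runs the same `zip -0 -r` as above only once the check passes. The script.myaddon directory name follows the convention named above; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: guard against the addon.xml
# trailing-newline gotcha before packaging the add-on.

# Return 0 if $1 is non-empty and its last byte is not a newline.
addon_xml_ok() {
    [ -s "$1" ] || return 2
    # wc -l counts newline characters in the final byte: 0 or 1
    [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Drop the final byte of $1 if it is a newline; leave the file alone otherwise.
strip_final_newline() {
    f="$1"
    [ -s "$f" ] || return 2
    addon_xml_ok "$f" && return 0
    size=$(wc -c < "$f" | tr -d ' ')
    head -c "$((size - 1))" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Build $1.zip (e.g. script.myaddon.zip) from directory $1 without compression.
package_addon() {
    dir="$1"
    if ! addon_xml_ok "$dir/addon.xml"; then
        echo "$dir/addon.xml is missing or ends with a newline; run strip_final_newline" >&2
        return 1
    fi
    zip -0 -r "$dir.zip" "$dir"
}

# Usage:
#   strip_final_newline script.myaddon/addon.xml && package_addon script.myaddon
```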

For an easy way to get started, look at the Hello World add-on example, as well as its source code. It doesn’t get easier than that.


Securing a Postfix mail server – TLS transport encryption


I previously discussed SPF and DKIM setup for the Postfix mail server. Here are some notes on TLS transport encryption. (Although maybe those articles should have come in the opposite order).

Using a self-signed certificate (which should be fine for small scale usage), setup is rather easy and straightforward. Creating the keys and certificates boils down to these instructions, copied from here. (Similar instructions here).

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

Modifying /etc/postfix/main.cf, you might end up with something like this, assuming you’ve copied the keys and certificates as indicated by the linked article.
smtp_use_tls = yes
smtpd_use_tls = yes
 
smtp_tls_note_starttls_offer = yes
 
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
 
smtpd_tls_key_file = /usr/share/ssl/certs/postfix/device.key
smtpd_tls_cert_file = /usr/share/ssl/certs/postfix/device.crt
smtpd_tls_CAfile = /usr/share/ssl/certs/postfix/rootCA.pem
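Postfix accepts a parameter that is set more than once in main.cf and lets the last occurrence win, so a stray duplicate is easy to overlook when editing a fragment like the one above. The following is an added example, not code from the original post or from Postfix: one function lists every parameter set more than once, and another checks that the key, certificate and CA files the smtpd_tls_* settings point at actually exist before the restart. The embedded sample configuration is constructed from the fragment above (with the duplicated security level left in); function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for a main.cf
# fragment like the one above. Assumes the usual "name = value" main.cf syntax.

# Print each parameter name that is set more than once in main.cf $1.
duplicate_params() {
    # strip comments and blank lines, keep the parameter name, report repeats
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort | uniq -d
}

# Return 0 when every smtpd_tls_*file parameter in $1 points at a readable file.
tls_files_present() {
    missing=0
    for f in $(sed -n 's/^[[:space:]]*smtpd_tls_[A-Za-z_]*file[[:space:]]*=[[:space:]]*//p' "$1"); do
        [ -r "$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
    return $missing
}

# Constructed sample: the fragment above, duplicate line included.
SAMPLE_MAIN_CF='smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# certificate files, as in the fragment above
smtpd_tls_key_file = /usr/share/ssl/certs/postfix/device.key
smtpd_tls_cert_file = /usr/share/ssl/certs/postfix/device.crt
smtpd_tls_CAfile = /usr/share/ssl/certs/postfix/rootCA.pem'

# Real use, before "service postfix restart":
#   duplicate_params /etc/postfix/main.cf; tls_files_present /etc/postfix/main.cf
```

On a live system `postconf -n` shows the effective (last-wins) value of each parameter, which is the quickest way to confirm what a duplicate actually resolved to.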

Once all the changes are made, restart postfix:
service postfix restart

Now you can verify the setup with telnet:
telnet mail.example.com 25
 
EHLO example.com
STARTTLS

This should yield:
220 Ready to start TLS

Another way to confirm the setup is to send an email to a gmail.com account, and observe the lock status icon on the header field drop-down, explained in detail here.

Finally, the official Postfix documentation and notes on authentication (older doc) might come in handy.


QNAP NAS and autofs auto mount


After considering multiple options to cover a HTPC and a NAS, I finally went with the combined “living room” QNAP HS-251+ NAS earlier this year. I’ll leave the reviews to other sites, and just summarize the main features:

  • 2 bay 3.5″ or 2.5″ HDD or SSD
  • Intel Celeron 2GHz Quad core; 2 GB DDR3 RAM
  • 2x 1Gb RJ-45 ports; 2x USB 2.0; 2x USB 3.0
  • 1x HDMI
  • Fan-less
  • Simple remote control
  • Multiple in-house and external apps
  • Good support for Kodi (aka. XBMC)
  • Linux based 32-bit OS, with most common tools and network services available, including SSHD, NFS, SMB, FTPS, rsync.

NFS

Setting up NFS shares on the NAS side is straightforward through the web based UI under “Control Panel”. You probably want to create one or more users which match your own client (e.g. laptop) users, and possibly a related group. All this can be achieved through the UI; however, for setting specific user IDs, SSH into the NAS (using the admin account) and edit /etc/passwd and /etc/group. If the IDs are changed, you’ll also have to update /mnt/HDA_ROOT/.config/nfssetting.

/etc/passwd
david:x:1001:8008:Linux User,,david,:/share/homes/david:/bin/sh
john:x:1000:8008:Linux User,,john,:/share/homes/john:/bin/sh

/etc/group
foobar:x:8008:david,john

The reason for changing the user or group IDs manually might be to match existing IDs on the client machines. In that case, you might also have to set this option, to make sure those IDs are actually used by the NAS. This setting is not permanent, so if the NAS is restarted frequently, you might consider a start-up script solution.
echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping
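Because NFS carries numeric IDs, the point of the manual /etc/passwd and /etc/group edits is that the UID and GID of a user resolve to the same numbers on the NAS and on each client; a mismatch shows up as files owned by the wrong user on one side. The following is an added example, not code from the original post, that compares the IDs of a user and a group between passwd/group files in the format shown above. The file paths are parameters so the check can run on copies fetched from the NAS (e.g. with scp) against the client’s own /etc files; the function names and the embedded sample entries are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the numeric UID/GID
# of a user and group between NAS and client passwd/group files.

# Print the numeric id of name $2 from a passwd- or group-format file $1.
lookup_id() {
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# Return 0 if user $3 and group $4 resolve to the same ids in the NAS files
# ($1 passwd, $2 group) and the client files ($5 passwd, $6 group).
ids_match() {
    nas_uid=$(lookup_id "$1" "$3"); cl_uid=$(lookup_id "$5" "$3")
    nas_gid=$(lookup_id "$2" "$4"); cl_gid=$(lookup_id "$6" "$4")
    ok=0
    [ -n "$nas_uid" ] && [ "$nas_uid" = "$cl_uid" ] ||
        { echo "uid mismatch for $3: nas=$nas_uid client=$cl_uid" >&2; ok=1; }
    [ -n "$nas_gid" ] && [ "$nas_gid" = "$cl_gid" ] ||
        { echo "gid mismatch for $4: nas=$nas_gid client=$cl_gid" >&2; ok=1; }
    return $ok
}

# Real use on the client, with the NAS files copied to /tmp/nas_passwd and
# /tmp/nas_group (scp from the NAS admin account):
#   ids_match /tmp/nas_passwd /tmp/nas_group david foobar /etc/passwd /etc/group
```

An empty NAS id is treated as a mismatch on purpose: a user missing from the NAS passwd file would otherwise compare equal to a typo in the user name.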

The two relevant configuration files for the NFS setup on the NAS are /etc/exports and /mnt/HDA_ROOT/.config/nfssetting. They are configured automatically by the UI, but some manual tweaking might be needed. I ended up with something like this, for two machines (with DNS names “laptop” and “desktop”; you can also use IP addresses) and two shares (“pictures”, “video”). The user (UID) and group (GID) ids match what’s seen in the /etc/passwd and /etc/group files above.

/etc/exports

"/share/CACHEDEV1_DATA/pictures" laptop(rw,async,no_subtree_check,insecure,no_root_squash) desktop(rw,async,no_subtree_check,insecure,no_root_squash)
"/share/CACHEDEV1_DATA/video" laptop(rw,async,no_subtree_check,insecure,no_root_squash) desktop(rw,async,no_subtree_check,insecure,no_root_squash)
"/share/CACHEDEV1_DATA/Public" *(rw,async,no_root_squash,insecure)

/mnt/HDA_ROOT/.config/nfssetting
[Global]
Version = 4.2.0
[Access]
/share/CACHEDEV1_DATA/Public = FALSE
/share/CACHEDEV1_DATA/pictures = TRUE
/share/CACHEDEV1_DATA/video = TRUE
[AllowIP]
/share/CACHEDEV1_DATA/Public = *
/share/CACHEDEV1_DATA/pictures = laptop,desktop
/share/CACHEDEV1_DATA/video = laptop,desktop
[Permission]
/share/CACHEDEV1_DATA/Public = rw
/share/CACHEDEV1_DATA/pictures = rw,rw
/share/CACHEDEV1_DATA/video = rw,rw
[SquashOption]
/share/CACHEDEV1_DATA/Public = no_root_squash
/share/CACHEDEV1_DATA/pictures = no_root_squash,no_root_squash
/share/CACHEDEV1_DATA/video = no_root_squash,no_root_squash
[AnonUID]
/share/CACHEDEV1_DATA/Public = 65534
/share/CACHEDEV1_DATA/pictures = 1001,1000
/share/CACHEDEV1_DATA/video = 1001,1000
[AnonGID]
/share/CACHEDEV1_DATA/Public = 65534
/share/CACHEDEV1_DATA/pictures = 8008,8008
/share/CACHEDEV1_DATA/video = 8008,8008

After making any changes to the NFS config, restart the service:
/etc/init.d/nfs restart

Client side and autofs

On the client, e.g. laptop or desktop, you’d want to point your NFS mount configuration to the shares created above. However, since either the NAS or, more likely, the personal machine will be rebooted, it is useful to configure this through autofs instead of the traditional /etc/fstab config. That way, the shares are mounted and re-mounted on demand. It also avoids long waits at boot and shutdown of the client machines.

First, make sure the NFS and autofs packages are installed:
apt-get install portmap nfs-common autofs cifs-utils

Edit /etc/auto.master and add the following line, which specifies the local mount point and the share-specific configuration file. Note that these have to match your setup, so you might want to change the names here. As long as the /mnt directory and the config file name match, you can use whatever names you like.

/etc/auto.master
/mnt/qnap /etc/auto.qnap

The share specific configuration is then added in the file referenced above. It assumes you’ve named the shares on the NAS “pictures” and “video”. It also assumes the DNS name of the NAS is “qnap” (or you can use an IP here). Finally, it assumes that the shared group is called “foobar”, which should match the GID 8008 above. That GID should also be present on the client machine.

/etc/auto.qnap
pictures -fstype=nfs,rw,soft,tcp,nolock,gid=foobar qnap:/pictures
video -fstype=nfs,rw,soft,tcp,nolock,gid=foobar qnap:/video

Finally, after making changes to the NFS / autofs config, restart the service:
/etc/init.d/autofs restart


Let’s Encrypt TLS certificate setup for Apache on Debian 7


Through Let’s Encrypt, anybody can now easily obtain and install a free TLS (or SSL) certificate on their web site. The basic use case for a single host is very simple and straightforward to set up, as seen here. For multiple virtual hosts, it is simply a case of rinse and repeat.

On older distributions, a bit more effort is required. E.g. on Debian 7 (Wheezy), the required version of the Augeas library (libaugeas0, augeas-lenses) is not available, so the edits to the Apache config files have to be managed by hand. Furthermore, for transitioning from an old HTTP based server, you need to configure redirects for any old links which still hard-code “http” in the URL. Finally, there are some security decisions to consider when selecting which encryption protocols and ciphers to support.

Installation and setup

Because the installer had only been packaged for newer distributions at the time, a manual download is required. The initial execution of the letsencrypt-auto wrapper installs further dependencies. (The client has since been renamed certbot and letsencrypt-auto has been retired; the commands below reflect the original release.)

sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt
 
cd /usr/local/letsencrypt
./letsencrypt-auto --help

To acquire the certificates independently of the running Apache web server, first shut it down, and use the stand-alone option of letsencrypt-auto: in that mode the client itself binds the port to answer the validation challenge, so Apache must not be listening. Replace the email and domain name options with the correct values.

apache2ctl stop
 
./letsencrypt-auto certonly --standalone --email johndoe@example.com -d example.com -d www.example.com

Unless specified on the command line as above, there will be prompts for a contact email and for agreeing to the terms of service. Afterwards, four new files will be created (they are symlinks into /etc/letsencrypt/archive/ that always point at the current certificate, so the Apache config below keeps working across renewals):

/etc/letsencrypt/live/example.com/cert.pem
/etc/letsencrypt/live/example.com/chain.pem
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

If you don't have automated regular backups of /etc, now is a good time to at least back up /etc/letsencrypt and /etc/apache2. Keep in mind that privkey.pem is the private key: it must stay readable by root only, and the backup needs the same protection. Let's Encrypt certificates are only valid for 90 days, so schedule a re-run of the certonly command above (again with Apache stopped) well before they expire.

In the Apache config for the virtual host, add a new section (or a new file) for the TLS port 443. The important lines in the HTTPS section reference the files created above. Please note, this example is for the older Apache version (2.2) shipped with Debian 7 Wheezy. Apache 2.4.8 and newer take fullchain.pem in SSLCertificateFile and no longer need SSLCertificateChainFile; see these notes for newer versions.

# This will change when Apache is upgraded to >2.4.8
# See https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates
 
SSLEngine on
 
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

To automatically redirect links which hard code http, add something like this to the old *:80 section. The R flag on its own sends a temporary 302; once the HTTPS setup has been verified, change it to R=301 so clients and search engines remember the move. Note that %{HTTP_HOST} reflects whatever Host header the client sent; if the virtual host should only ever redirect to its own name, write that name literally, e.g. https://example.com%{REQUEST_URI}.

# Redirect from http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

While editing the virtual host configuration, also check the log format string. Typically the "combined" format is used, but it does not record which protocol served the request. Switch to "vhost_combined" instead, which prefixes each line with the virtual host and port number (and thus implies the protocol). For example:

CustomLog ${APACHE_LOG_DIR}/example_com-access.log vhost_combined

To finish, optionally edit /etc/apache2/ports.conf and add the NameVirtualHost line to the SSL section. It enables multiple name-based virtual hosts over TLS on a single IP address, which relies on Server Name Indication (SNI); Internet Explorer on old Windows XP systems does not send SNI and gets the default host's certificate instead. Tough luck.

<IfModule mod_ssl.c>
  NameVirtualHost *:443
  Listen 443
</IfModule>

Finally, restart Apache to activate all the changes.

apache2ctl restart

Verification and encryption ciphers

SSL Labs has an excellent and comprehensive online tool to verify your certificate setup. Fill in the domain name field there, or replace your site name in the following URL, and wait a couple of minutes for the report to generate. It will give you a detailed overview of your setup, what works, and what is recommended to change.

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Ideally, you'll get a grade A as shown in the image below. However, a few more adjustments might be required to get there. It typically has to do with the protocol versions and ciphers the web server is configured to accept. This is of course a moving target as cryptography research and attacks evolve. Right now, there are two main considerations: all the old SSL protocol versions (SSLv2 and SSLv3) are broken and obsolete, with POODLE the final blow to SSLv3, so they should be disabled. Secondly, RC4 has practical attacks against its keystream biases. It used to be kept enabled as the workaround for the BEAST attack on CBC ciphers in TLS 1.0, but BEAST is mitigated in current clients, while RC4 was formally prohibited for TLS by RFC 7465 in 2015. Disabling RC4 is therefore the preferred choice.

Taking all this into account, the recommended configuration for Apache and OpenSSL as it stands disables all SSL versions and excludes RC4. Because the ephemeral ECDH and DH suites are listed first and the server enforces its own order, connections from any reasonably current client get forward secrecy. Again, this is a moving target, so it will have to be updated in the future.

To make these changes, edit the Apache SSL mod file /etc/apache2/mods-available/ssl.conf directly, or add the following lines to the relevant virtual host config. Two notes on the cipher string: the trailing !RC4 removes RC4 for good, so the earlier EECDH+aRSA+RC4 and RC4 entries are harmless left-overs and can be dropped. Also, SSLProtocol as written still allows TLS 1.0 and 1.1; newer SSL Labs versions cap servers that accept those at grade B, so once legacy clients are no longer a concern, add -TLSv1 -TLSv1.1 as well (Apache 2.4 understands those keywords).


SSLHonorCipherOrder on
 
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !ECDHE-RSA-RC4-SHA"
 
SSLProtocol all -SSLv2 -SSLv3
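Cipher strings are easy to get wrong, and the only authority on what a given string enables is the OpenSSL build that Apache links against. The following is an added example (not code from the original post) that hands an SSLCipherSuite string to the local OpenSSL through Python's ssl module, lists the suites it really selects, and lints the result together with the SSLProtocol and SSLHonorCipherOrder lines. Both sample snippets are constructed for this example; the hardened one is the cipher string above with the RC4 entries dropped, since the trailing !RC4 already cancels them. Which suites appear depends on the local OpenSSL version and security level, which is exactly the point of running it on the server itself.

```python
"""Evaluate an Apache mod_ssl cipher/protocol configuration offline.

Added example, not part of the original post. It hands the SSLCipherSuite
string to the local OpenSSL through Python's ssl module to list the suites
the string really enables, then checks the result together with the
SSLProtocol and SSLHonorCipherOrder lines. Both sample configurations are
constructed for this example; the hardened one is the post's cipher string
without the RC4 entries that the trailing !RC4 already cancels.
"""
import ssl

# Constructed sample: a typical legacy setting.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite "HIGH:MEDIUM:RC4:!aNULL"
"""

# Constructed sample: the corrected setting.
HARDENED_CONF = """
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
"""

# Fragments of OpenSSL suite names that have no place on a public server.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
# Key-exchange prefixes that provide forward secrecy (TLS_ is the TLS 1.3 naming).
PFS_PREFIXES = ("ECDHE", "DHE", "TLS_")


def parse_directives(conf):
    """Return {directive: value} for the lines of a mod_ssl snippet (last one wins)."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        out[name] = value.strip().strip('"')
    return out


def enabled_ciphers(cipher_string):
    """Ask OpenSSL which suites the string selects; [] means it selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def lint(conf):
    """Return a list of findings; an empty list means the snippet passes these checks."""
    d = parse_directives(conf)
    findings = []
    proto = d.get("SSLProtocol", "all").split()
    if ("all" in proto or "SSLv3" in proto) and "-SSLv3" not in proto:
        findings.append("SSLProtocol leaves SSLv3 enabled (POODLE)")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off, so the client chooses the suite")
    names = enabled_ciphers(d.get("SSLCipherSuite", "DEFAULT"))
    if not names:
        findings.append("SSLCipherSuite selects no cipher suite at all")
    findings += ["weak suite enabled: " + n for n in names
                 if any(m in n for m in WEAK_MARKERS)]
    findings += ["no forward secrecy: " + n for n in names
                 if not n.startswith(PFS_PREFIXES)]
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf) or "OK")
```

Run it on the web server itself after every change to the cipher string, before restarting Apache: an empty list for the hardened snippet means the string parses and selects only forward-secret, non-legacy suites, whereas the legacy snippet reports SSLv3, client-chosen ordering and static-RSA suites.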

Restart Apache, and regenerate the SSL Labs report. Hopefully, it will give you a grade A.

Final considerations

Even with all the configuration above in place, the all-green TLS security lock icon in the browser URL bar, as seen below right, might be elusive. Instead a yellow warning like the one in the image to the left might show. This usually stems from legacy URLs which hard code the http protocol, both for links within the site and for external resources like images and scripts (mixed content). The fix is either using relative links, site-absolute links that leave out protocol and host altogether, protocol-relative links that inherit the page's protocol, or hard coding https. Examples:

<img src="blog_pics/ssl_secure.png">
 
<img src="/blog_pics/ssl_secure.png">
 
<img src="//i.creativecommons.org/l/by-sa/3.0/88x31.png">
 
<img src="https://i.creativecommons.org/l/by-sa/3.0/88x31.png">

On a blog like this, it certainly makes sense to put in some effort to update static pages, and make sure that new articles are formatted correctly. However, going through all the hundreds of old articles might not be worth it. When they roll off the main page, the green icon will also show here.


Comments Off

SPF and DKIM on Postfix

Comments Off

A recent post by Jody Ribton laments the fact that DIY mail servers are having a hard time not getting blocked or rejected in today’s email landscape. The ensuing Slashdot discussion dissected the problem, and came up with a few good pieces of advice also seen on this digitalocean guide:

  • Make sure the server is not an open mail relay.
  • Verify that the sender and server IP addresses are not blacklisted.
  • Use a Fully Qualified Domain Name (FQDN) as the server's HELO name, and make sure the PTR record of the server's IP address resolves back to that same name.
  • Set a Sender Policy Framework (SPF) DNS record.
  • Configure DomainKeys Identified Mail (DKIM) on the sending server and DNS.

Sender Policy Framework (SPF)

“Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators”. [Wikipedia]. It is configured through a TXT DNS record on the sending domain; nothing needs to be installed on the sending server itself.

This guide outlines the parameters, and the easiest way to get started is actually this Microsoft provided online wizard. Given a domain, it will guide you through the settings and present you with the DNS record to add at the end. If the domain already has a SPF record, it will verify it, and also take the current settings into account through the steps.
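To see what the receiving side actually does with that TXT record, here is an added example (not code from the original post or from any of the linked guides): a minimal implementation of the SPF check_host() evaluation from RFC 7208 over a stubbed DNS. The record is walked left to right and the qualifier of the first matching mechanism decides the result; include: recurses into another domain's policy and only matches on a pass, and the ten-lookup limit turns a self-referencing policy into a permanent error. Every domain, address and record in the FAKE_DNS dictionary is constructed for the example so it runs offline.

```python
"""Minimal SPF (RFC 7208) check_host() over a stubbed DNS.

Added example, not part of the original post. It shows what a receiving
mail exchanger does with the TXT record: walk the mechanisms left to right
and return the qualifier of the first one that matches the sending IP.
DNS is replaced by the constructed dictionary below so the code runs
offline; every domain and address in it is invented for the example.
Only the mechanisms used here (all, ip4, ip6, a, mx, include) are
implemented, and a/mx take no CIDR suffix.
"""
import ipaddress

# Constructed stand-in for DNS. TXT holds SPF policies, A and MX hold hosts.
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 mx a:mail.example.com ip4:203.0.113.0/24 "
                       "include:_spf.partner.example -all",
        "_spf.partner.example": "v=spf1 ip6:2001:db8:feed::/48 ~all",
        "loop.example": "v=spf1 include:loop.example -all",   # self-referencing policy
        "permissive.example": "v=spf1 +all",                    # authorizes every host
    },
    "A": {
        "example.com": ["198.51.100.10"],
        "mail.example.com": ["198.51.100.25"],
        "mx1.example.com": ["198.51.100.30"],
    },
    "MX": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms


class PermError(Exception):
    """Permanent error: the policy is invalid or exceeds the lookup limit."""


def _matches(mech, domain, ip, dns, state):
    """Return True if one mechanism (qualifier already stripped) matches ip."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # Comparing an IPv6 address against an IPv4 network simply yields False.
        return ip in ipaddress.ip_network(arg, strict=False)
    # Everything below costs a DNS query and counts toward the limit.
    state["lookups"] += 1
    if state["lookups"] > MAX_LOOKUPS:
        raise PermError("too many DNS lookups")
    target = arg or domain
    if name == "a":
        return str(ip) in dns["A"].get(target, [])
    if name == "mx":
        return any(str(ip) in dns["A"].get(mx, []) for mx in dns["MX"].get(target, []))
    if name == "include":
        # include matches only if the referenced policy yields "pass".
        return check_host(ip, target, dns, state) == "pass"
    raise PermError("unsupported mechanism " + name)


def check_host(ip, domain, dns=FAKE_DNS, state=None):
    """Evaluate domain's SPF policy for sender ip.

    Returns pass, fail, softfail, neutral or none; raises PermError.
    """
    ip = ipaddress.ip_address(str(ip))
    state = state if state is not None else {"lookups": 0}
    record = dns["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= are not handled here
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if _matches(mech, domain, ip, dns, state):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term closed the policy


def spf_result(ip, domain, dns=FAKE_DNS):
    """check_host() with PermError folded into the result, as an MTA would report it."""
    try:
        return check_host(ip, domain, dns)
    except PermError:
        return "permerror"


def is_permissive(domain, dns=FAKE_DNS):
    """Flag the classic misconfiguration: a policy ending in +all authorizes everyone."""
    terms = dns["TXT"].get(domain, "").split()[1:]
    return any(t.lower() in ("+all", "all") for t in terms)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.30", "2001:db8:feed::1", "192.0.2.1"):
        print(ip, spf_result(ip, "example.com"))
```

Two practical points fall out of this: the order of mechanisms matters, since evaluation stops at the first match, and "-all" at the end is what makes spoofing from an unlisted host a hard fail, whereas "~all" only asks the receiver to treat it as suspicious. A policy ending in "+all" passes everything and is worse than having no record.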

DomainKeys Identified Mail (DKIM) on Postfix

DKIM offers similar email spoofing protection, but also offers simple content signing. From Wikipedia: “DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.”

Configuration is quite straight forward on Postfix, and this guide shows a typical setup and some common pitfalls. If the same email server caters for multiple domains, an alternative configuration is required. This guide covers those details. Another DNS TXT record on the domain is also required. Finally, once the setup is complete, this tool can be used to verify the DNS record.

Verify the configuration

For both SPF and DKIM, the setup can also be verified by sending an email to check-auth@verifier.port25.com. In addition, an email can be sent to any Gmail account, and by viewing the original message and headers, an extra Authentication-Results header can be seen. See the last guide for further details.


Comments Off

Manual wifi config in Debian

Comments Off

Most modern GUI based distros handle setup and management of Wifi connections very well these days. However, sometimes you need to go the way of the command line. The following outlines the basics in Debian, plus some useful commands.

Driver
First, the Wifi device I had lying around was a Realtek based USB dongle similar to this. The firmware for it is in the non-free repository, so I added "contrib non-free" to the lines in my /etc/apt/sources.list:

deb http://ftp.ch.debian.org/debian/ wheezy main contrib non-free
deb http://ftp.ch.debian.org/debian/ wheezy-updates main contrib non-free

I could then install the driver:
apt-get update
apt-get install firmware-realtek

Config
There are two config files to handle: the basic network configuration (/etc/network/interfaces), which also covers wired networks and the loopback, and the WPA specific configuration (/etc/wpa_supplicant/wpa_supplicant.conf). Although it is also possible to specify Wifi parameters directly in the interfaces file, it is better handled by wpa_supplicant, because then you can configure settings for multiple networks (e.g. home and work) as seen below.

/etc/network/interfaces contains the following:

# The loopback network interface
auto lo
iface lo inet loopback

# Wired ethernet
auto eth0
iface eth0 inet dhcp

# The primary network interface
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
      wpa-driver nl80211
      wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

The loopback lo interface is configured, a wired eth0 port, and the wlan0 Wifi. All interfaces are set to come up automatically, the last two use DHCP to get their address, and wlan0 references the WPA Supplicant config. nl80211 is not Realtek specific: it is the generic kernel interface for all modern (mac80211 based) wireless drivers, which is what wpa_supplicant talks to.

/etc/wpa_supplicant/wpa_supplicant.conf contains:

ctrl_interface=/var/run/wpa_supplicant
update_config=1

network={
    ssid="my_home_network"
    key_mgmt=WPA-PSK
    psk="wifi passphrase"
}

network={
    ssid="my_work_network"
    key_mgmt=NONE
}

Here two networks are configured: a home network with WPA-PSK and its passphrase, and an open (unencrypted) network for work. Since the file holds the passphrase in the clear, it must be readable by root only (chmod 600). Alternatively, run wpa_passphrase "my_home_network" to print the network block with the derived 256-bit PSK as an unquoted hex string (remove the commented plaintext line it also prints); the derived key is still enough to join that network, but it no longer exposes a passphrase that might be reused elsewhere.
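The following is an added example, not code from the original post: it implements the PSK derivation that wpa_passphrase performs (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 256 bits, as specified in IEEE 802.11i), renders network blocks that carry the derived key instead of the passphrase, and writes the config file with root-only permissions, enforced explicitly rather than left to the umask. The SSIDs and passphrases used are made up; the "IEEE"/"password" pair in the usage note is the standard test vector from the 802.11i specification.

```python
"""Store a derived PSK instead of the plaintext passphrase in wpa_supplicant.conf.

Added example, not part of the original post. wpa_psk() is the derivation
IEEE 802.11i specifies for WPA-PSK/WPA2-PSK (PBKDF2-HMAC-SHA1 over the SSID,
4096 rounds, 256 bits), the same value the wpa_passphrase tool prints, and
write_config() writes a root-only config file with it. The SSIDs and
passphrases below are made up.
"""
import hashlib
import os
import stat
import tempfile


def wpa_psk(ssid, passphrase):
    """Return the 64-hex-digit PSK for an SSID/passphrase pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def network_block(ssid, passphrase=None):
    """Render one network={} block; None means an open (unencrypted) network."""
    lines = ["network={", '    ssid="%s"' % ssid]
    if passphrase is None:
        lines.append("    key_mgmt=NONE")
    else:
        lines.append("    key_mgmt=WPA-PSK")
        lines.append("    psk=" + wpa_psk(ssid, passphrase))  # unquoted hex = raw PSK
    lines.append("}")
    return "\n".join(lines)


def write_config(path, networks):
    """Write wpa_supplicant.conf readable by its owner only; return the mode bits."""
    body = "ctrl_interface=/var/run/wpa_supplicant\nupdate_config=1\n\n"
    body += "\n\n".join(network_block(ssid, pw) for ssid, pw in networks) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask; enforce it explicitly
    return stat.S_IMODE(os.stat(path).st_mode)


def config_is_private(path):
    """True if neither group nor others can read the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Write a sample config to a temporary file, check it, clean up and report."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    os.close(fd)
    try:
        mode = write_config(path, [("my_home_network", "wifi passphrase"),
                                   ("my_work_network", None)])
        private = config_is_private(path)
        with open(path) as f:
            text = f.read()
    finally:
        os.unlink(path)
    return {"mode": mode, "private": private,
            "passphrase_on_disk": "wifi passphrase" in text}


if __name__ == "__main__":
    print(network_block("my_home_network", "wifi passphrase"))
    print(demo())
```

To check the derivation against the specification, wpa_psk("IEEE", "password") must return f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e, which is also what wpa_passphrase IEEE password prints. Note that the derived PSK is still a credential that joins the network; the gain is only that the human-chosen passphrase is not stored.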

To bring the Wifi network up, simply run the following. If iterating on the configuration, the interface has to be taken down first:

ifdown wlan0 && ifup wlan0

Useful commands
Other useful commands while debugging this include:

For general network configuration and status (on newer systems ifconfig and iwconfig are deprecated in favour of ip addr / ip link and iw, but they still work where installed):

ifconfig

iwconfig

For listing all available networks and their parameters. This works even before you have connected to a specific one, so it’s a good test to see if the wifi device is even working:
iwlist wlan0 scan

For starting the wpa supplicant manually and checking the wifi configuration. Notice the specific driver and interface name:
wpa_supplicant -B -Dnl80211 -iwlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Comments Off