Utah Open Source Planet

Phil Windley
pjw
Phil Windley's Technometria

» OS X Leopard Technical Details

Jordan Hubbard, Apple's Director of Engineering of Unix Technologies, spoke at LISA '08 last week. Most people are commenting on the date he gave for the release of Snow Leopard (10.6), the newest version of OS X. I have to admit, I'm ready for some stability improvements, but I was much more intrigued by the details of his talk (PDF).

He spent the bulk of his talk on technical features in Leopard (10.5) that many aren't aware of. He starts with a number of security improvements in Leopard: file quarantine, sandbox, package and code signing, application firewall, parental controls, non-executable (NX) data, address space layout, and randomization. I was completely unaware of most of these improvements.

Jordan also talks about the Unix improvements in Leopard. Leopard is fully Unix compliant. But more than that includes a number of additions like DTrace, Launchd (complete), ASL (replacement for syslog), a read-only version of ZFS (for future compatibility) with a read/write version available. He also talked about Apple's evolving open source strategy.

Last, he talks about improvements coming in OS X that will help developers take better advantage of the multicore chips and sophisticated GPUs that already ship with most Macs. Future kernels will provide better facilities, along with APIs, for managing multi-threaded programs. He says:

Forget everything you thought you knew about multi-threaded programming (and, as it turns out, most developers didn't know much anyway). The kernel is the only one who really knows the right mix of cores and power states to use at any given time - this can't be a pure app-driven decision

I don't know if there's audio or video of the talk available, but it would be very good to hear firsthand.

BTW, anyone know what "LWFLAF" stands for? Jordan uses it as some kind of metric in discussion the various versions of OS X, but I couldn't figure out what it meant.

Tags: osx apple unix security

1:53 PM under apple , osx , security , unix

Tristan Rhodes
no nic
The Open Source Advocate

» ZipTie: New features, new name, new license?

Introduction

It has been over a year since I last posted about an exciting open source project called ZipTie. We use ZipTie to automatically discover our network devices, backup their configurations, and perform a variety of functions related to these devices. Many things have changed with ZipTie since my last post and I want to share those with you. I'll start with the positive changes first, because I am a positive type of person.

New Features

The most obvious improvement is the slick web interface that replaces the previous Java fat client. This interface is powered by Adobe Flex, so it has a great look and feel to it. Having a web interface also simplifies deploying ZipTie, because you don't have to worry about installing a Java application and all the required dependencies. Check out the screenshots:

ZipTie has also added a great community resource called ZipForge, which is a place where anyone can publish custom tools that perform specific functions on network devices. This forge makes it easy to create these tools, without forcing the contributor to learn a lot about ZipTie internal functions.

The new release also adds the ability to gather information about end nodes on a network. This means that I can find out which port a device is plugged into simply by entering the IP address (or MAC address) into ZipTie.

I am not going to list all the improvements in this post, but I will tell you that these developers have been hard at work making ZipTie into an incredibly useful tool.

New Name: NetworkAuthority Inventory

Alterpoint has funded the development of ZipTie from day one. A handful of full-time programmers have been working on ZipTie for over two years, funded completely by Alterpoint. The ZipTie open source community has been growing steadily as this application matured, but most community contributions were in the form of beta testing and ZipForge tools. In the last year, Alterpoint began using ZipTie as the core engine inside their proprietary applications. In case you can't make the connection, these products are the ones that make the money that is used to pay for the open source developers working on ZipTie.

I have often wondered why Alterpoint decided not to advertise their products alongside the ZipTie project. Indeed, their name and commercial branding was almost non-existent on the ZipTie website. The Alterpoint folks must have been thinking the same thing as me, because they have completely overhauled the ZipTie website and changed the name of the project. ZipTie will now be called NetworkAuthority Inventory. The new website has Alterpoint branding and provides information about their commercial offerings and what features you will get if you buy them.

I strongly feel that it is appropriate for Alterpoint to push their products, given the fact that they are paying for ZipTie to be developed. It is important for people to realize that Alterpoint needs to make money if they are going to continue spending resources on this project.

Regarding the new name, I personally don't like it because has five times more syllables than "ZipTie".

New License: No longer open source?

Here is a message from the lead developer of ZipTie regarding the license change:

ZipTie has, up until 10/28/2008, been licensed under the MPL. Now that ZipTie has moved into our NetworkAuthority brand of products, we wanted to put a GPL license on it. Unfortunately, our use of EPL software prohibited us from using the GPL. To get around this, AlterPoint is licensing NetworkAuthority Inventory under the Open Technology License (OTL). It basically reads like a GPL.

This is the area that I am most concerned about. Alterpoint has changed the licensing of this project from Mozilla Public License to a custom license created by Alterpoint. I am not a lawyer, but my conclusion is that this license severely limits the rights of users. Because of this, I do not think it can be considered an open source license. Alterpoint has taken an open source project and turned it into a closed freeware application.

Now, I think I understand the reasoning behind this decision. Alterpoint needs to find ways to make money if it wants to survive. Using ZipTie as the core of their product stack is a great way to benefit from open source development and introduce users to their commercial products. However, changing ZipTie into a proprietary application is not required to accomplish this!

The business model that accomplishes what Alterpoint is trying to do has recently been named "Open-Core Licensing". This model works by building core functionality as open source software, and then adding proprietary features on top of that core. As I will discuss in a future post, a successful open source business provides many benefits to the community and the project.

What can we do about this?

What can we do to encourage Alterpoint to continue using an open source license? There is always the possibility of forking the previous version of ZipTie that was released as MPL. However, forking a community should always be considered a last resort after all other options have failed. Even if ZipTie was forked, I don't know how successful it would be because 99% of the development is being done solely by Alterpoint employees. In theory, the threat of a fork is supposed to prevent software vendors from mistreating open source communities.

I think the best thing we can is do at this point is educate Alterpoint about the benefits of using an open source license for their core product. If the community really cares about this issue, perhaps Alterpoint will re-evaluate their licence.

I think we also need to address their concern with the GPL being incompatible with the EPL. I believe that the Alterpoint wants to use the GPL license because it offers the most protection from other businesses using ZipTie code inside their products without contributing their changes to the project.

Can anyone answer that question? Both Eclipse and Wikipedia state that the licenses are incompatible. However, Ed Burnette from ZDnet points out that EPL code is found within Red Hat Linux:

Take, for example, Red Hat Enterprise Linux. RHEL contains both free and non-free programs. It contains programs covered by GPL, EPL, Apache, BSD, and every other conceivable license. The last paragraph in section 5 says this is OK even though they’re conveyed as a single aggregate.

Is there another OSI license that would be a good fit for this project, and still be compatible with the EPL?

by Tristan Rhodes at 3:52 PM under business , networking , open source , security , ubuntu

Phil Windley
pjw
Phil Windley's Technometria

» WPA Crack

WPA, or WiFi Protected Access, is one of the primary means of protecting Wi-Fi hubs. Ars Technica reports that Erik Tews, a PhD candidate from Germany is prepared to present a paper at PacSec this week that explains how he was able to crack it.

The exploit doesn't actually crack WPA keys, but does allow an attacker to sniff a packet, make minor modifications to the checksum and then use the access point to check the results. This man-in-the-middle attack could allow attackers to make ARP poisoning or Even DNS poisoning attacks.

Tags: security wi-fi wpa

10:08 PM under security , wi-fi , wpa

Aaron Toponce
atoponce
Aaron Toponce

» Identification vs Identity

I had an interesting discussion yesterday at work, that I would like to share here. It was in regards to when the proper time presents itself to show identification versus identifying them on the outset. As you can probably imagine, this was the subject of GnuPG key signing. So, let’s start first with a couple definitions:

Identity: the state or fact of remaining the same one or ones, as under varying aspects or conditions.
Identification: an act or instance of identifying; the state of being identified.

You see, your identity is who you are, while your identification verifies your identity. This is an important realization that many of us in the tech-world don’t seem to grasp when wishing to sign GnuPG keys of others.

Public key cryptography is a wonderful technology. It gives us the ability to create a system in which encrypting and decrypting files can be done with the compromising integrity of the encryption. GnuPG is a decentralized system that enables end users, such as you and I, to create a web of trust, bypassing certificate authorities. This is done by using your own private GPG key to sign the public key of another. The more signatures on that key, the more that key can be trusted. If those who have signed your key have a great deal of signatures also, then a web of trust is created, and trust strengthens. The deeper those signature levels can do, as well as the wider they can spread, on a single key, the more you can trust the person owning that key.

It has been a long-standing acceptance that when you wish to sign another’s public key, that you check a government issued form of identification, such as a drivers license or passport, so you can verify with their picture that they are who they claim to be. I have no objections with this. However, I would have also asked my own mother for her identification before signing her public key. Thanks to my coworkers, I’ve changed my view on asking for identification, and the change stems from a simple sentence:

All you kneed to verify is their identity, not their identification.

In other words, you are there to verify that they are who they claim to be, or their identity. What if it’s your mother? Cerntainly, you already believe her claim to be your mother. What about your wife? Will you put 10 years of marriage and trust second to checking her government issued form of identification? What about coworkers? Hopefully, your company has done the necessary identity checks, including possibly a background check, on the employee. Is checking his identification really needed? Especially if you have worked with him for a great deal of time?

Let’s look at the process of key signing, then the reason behind it. GPG key signing is a 3 fold process:

Verify that you have the proper key installed in your public keyring by asking them for the fingerprint of their key
Verify they are who they claim to be by verifying their identity
Sign their public key

Notice, that no where did I mention a government form of ID. Instead, I said to verify their identity. If it’s my wife, she’s already been identified. If it’s my coworker or boss, they too have already been identified. If it’s a close friend or relative, again, they have clearly identified themselves to me without a government ID. However, if I am not familiar enough with the person to establish a trusting relationship, then checking for their identification would be appropriate. Maybe I’m at a keysigning party, and I have never met any of the people there. Maybe I’ve done online conversations with the individual, but have never met him face-to-face. Asking for identification would be important. But if it’s a close friend, or acquaintance, asking for identification could be insulting to the established relationship, as trust should already be present. Verifying their identity is already accomplished. All I need to do is make sure I have the proper key installed by asking for the fingerprint of his key, then I can sign away.

See the difference? Asking for identification when trust has already been established is redundant, and unnecessary. The whole point of key signing is to establish trust. If trust exists, then asking for identification is not needed. What do you want to know from the ID? That they can drive? That they can leave the country and come back in? This breaks the traditional stance of keysigning, where regardless of the individual, you ask for identification. Well, long-standing traditions should be questioned for validity. Doing something, “because that’s how we’ve always done it”, isn’t necessarily correct.

I know some who will not sign a key without verifying identification, even if they have a long standing relationship with you already. I used to be one of these individuals. You want your key signed? Show me some ID. Now, after the brief, but intense, discussion yesterday, I’ve changed my position. Key signing is about building trust. If you trust the person already, what’s the point of asking for ID? If you don’t, your reasons for verifying the identity of the individual are warranted.

by Aaron at 2:54 PM under security

Phil Windley
pjw
Phil Windley's Technometria

» Taking DNS Security for Granted

One of the hallway conversations I had yesterday was about how DNS is just hanging on by a thread from a security standpoint. The basic idea is that if I can control name resolution for you, I can phish you all day and you'll never know. Systems like OpenID are wholly dependent on the integrity of the DNS system.

One method an attacker can use to insert themselves in the DNS resolution process is a Wi-Fi hub. Whether it's a free hub acting as bait, or one someone has broken into, Wi-Fi hubs are a perfect place to subvert DNS. Once that's happened, you may type paypal.com into your browser, but you won't necessarily end up on Paypal's site. Sure, people can check certificates, but who does that?

A more insidious issue is ISPs who hijack "not found" returns as opportunities to display ads. It works like this. Say you type noworkie.windley.com into your browser. You should get a page saying that that domain wasn't found. We've all seen that. But, an ISP can intercept that "not found" return and instead give you an IP address for a server they control that has ads. For windley.com, that might not be a big deal, but what if you typed wwww.paypal.com and got back a page of ads, some of which are from phishers? You think you're clicking on something on a Paypal page, but you're not.

This practice is dangerous, but as far as I know not illegal. Technically, as the owner of windley.com, I and I alone ought to be able determine what subdomains of that domain resolve to. But there's no way to enforce that.

Most of us take DNS for granted, but that's not going to last, I'm afraid. It's the new frontier in subverting the infrastructure of the 'Net for nefarious purposes.

Tags: dns security

3:11 AM under dns , security

Richard K. Miller
no nic
Richard K Miller

» How to browse securely with SSH and a SOCKS proxy

I was in Moab this weekend with my family and our motel had free wireless Internet. I used SSH and a SOCKS proxy to create a secure tunnel to my iMac at work. This allowed me to browse Gmail and Facebook securely.

Here’s a screencast on how to create an SSH tunnel and browse securely in Safari and Firefox:

Here’s a full-size video:
How to browse securely with SSH and a SOCKS proxy (full size video)

These are the basic steps on a Mac:
1. Open Terminal. (In your Applications/Utilities folder.)
2. Type “ssh -D 9999 username@example.com”, replacing “username” and “example.com” with the actual username and address of your remote machine. The remote machine will need the SSH service, or Remote Login service, turned on.
3. Open System Preferences -> Network -> Advanced tab -> Proxies.
4. Turn on the “SOCKS Proxy” and enter “127.0.0.1″ and “9999″ in the fields. Click OK and Apply.

Now your Internet connection will be tunneled through a secure connection to your remote machine — a poor man’s VPN.

by Richard K Miller at 4:54 PM under mac , main , privacy , security , tech , unix (Comments)

Christer Edwards
nonic
Ubuntu Tutorials : Dapper - Gutsy - Hardy - Intrepid

» A supported PGP passphrase agent is not running

This post is published in the hope that it’ll help others solve an issue I’ve been dealing with for the past few weeks. I have searched and searched for a solution and only recently found one workaround for the problem. The bug that I have found is here. Hopefully with some more attention it’ll be properly fixed.

The issue that I have been running into is that no supported PGP passphrase agents were running. In other words I was not able to unlock my PGP keys for email signing and encryption. You will have noticed this problem if you use email signing and encryption with tools such as Enigmail, etc.

The solution that I found, which is also outlined within the bug, is to remove a file that is apparently being loaded when the X session starts. For some reason this file conflicts with the seahorse key caching system, and neither work.

To fix the issue simply move the conflicting file elsewhere:

sudo mv /etc/X11/Xsession.d/90gpg-agent ~/90gpg-agent.bak

Once this file is moved you should be able to restart X and have your key-caching functionality again. If anyone else has a better fix or other suggestions please comment.

Random Posts

by Christer Edwards at 4:42 AM under enigmail , gpa , gpg , key , seahorse , security (Comments)

Tristan Rhodes
no nic
The Open Source Advocate

» Reminder: Physical access = Root access

Today I needed to reset a password on an Ubuntu system. While doing this, I was reminded of just how simple it is to get root access on a default install of Ubuntu. I wanted to share these steps on this blog to remind people that if someone has physical access to your Ubuntu system, they can get root access in just a few seconds.

Boot up your computer
When asked, hit "Escape" to enter the GRUB menu
Select the option that displays "recovery mode"
Select the option labeled "root prompt"
You are now logged in as root with the ability to change anything

It is really just that simple. This root console is great for advanced users who need to reset a password, but the average user will have no idea what to do. For instance, here is how I found the main user of this system:

root@laptop:~# cat /etc/passwd | grep 1000:1000
tristan:x:1000:1000:Tristan Rhodes,,,:/home/tristan:/bin/bash

This output shows that there is a user named "tristan" who is the main user of this system. Next I needed to reset the password for that user. So I entered this command:

root@laptop:~# passwd tristan
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@laptop:~#

Next I was able to reboot the system and login as "tristan" using the new password I created.

Can this process be improved?

Like I mentioned above, the root command prompt is not the most user friendly interface ever invented. At best, it is confusing to new users and at worst it is very dangerous. So how can this be improved? Well there are already some great ideas floating about, and thanks to the powerful Ubuntu Brainstorm website you can see what people have said about this topic. One of the more popular ideas is a Graphical Recovery Mode. If you want to help make Ubuntu better, please vote on the ideas you want to see implemented or even post your own ideas on the Ubuntu Brainstorm website.

Is there any way to prevent root access?

Many people may choose to give up the simple password recovery in the interest of securing their system. There are many different ways to do this including:

Use a BIOS password that prevents the computer from booting
Use a GRUB menu password that prevents the computer from booting
Use an encrypted file-system that requires a password to use

I'm sure there are other ways to do this, so please provide your input in the comments below.

by Tristan Rhodes at 5:43 AM under open source , security , ubuntu

Christer Edwards
nonic
Ubuntu Tutorials : Dapper - Gutsy - Hardy - Intrepid

» Enable Timed or Automatic Login on Ubuntu 8.04

I have heard complaints here and there regarding Ubuntu requiring the user to login at boot time. I, personally, prefer this as I feel it ads a level of security to my machine, but I can see situations where it’d simply be annoying. If you are the only user on your machine and you’d like to enable automatic user login at boot time this post will outline how.

Enabling Timed or Automatic Login

I’ll start with the Automatic Login option and then outline Timed Login below. Both are very similar, and they are configured in the same place. To enable Automatic Login you can navigate to:

System > Administration > Login Window

You will have to provide your password for authentication and then you’ll be presented with the Login Window Preferences tool. To enable Automatic Login you’ll want to navigate to the Security tab.

As you see from the screenshot you have the option to Enable Automatic Login by checking the box. You will also need to select a user to be the default account from the drop down list.

For the Timed Login you’ll want to check the second box, select the user and also select the timeout value. If, for example, you want your machine to auto-login after 30 seconds you’d set the “Pause before login:” value to “30″.

<disclaimer>Again, I would warn you that anyone able to get access to your machine will now be able to access all of your files and settings by simply booting the machine as normal. I prefer to enter my username and password as an additional level of security.</disclaimer>

Other Points of Interest

by Christer Edwards at 4:43 PM under automatic , gnome , login , security , timed (Comments)

Christer Edwards
nonic
Ubuntu Tutorials : Dapper - Gutsy - Hardy - Intrepid

» “What Would You Like To See?” Poll Expiring Tomorrow

I want to thank everyone for the great feedback that I got on the poll regarding what you’d like to see on this site. I think the results are pretty clear, although some of them did surprise me. For those that haven’t taken a look at the results they are as follows:

Gnome Desktop Tips : 221 votes

Virtualization Topics : 163 votes

Installation & Upgrade : 163 votes

Security Related :152 votes

Ubuntu Server : 152 votes

3D Effects : 117 votes

Getting Involved : 69 votes

KDE Stuff : 65 votes

If you’d still like to voice your opinion the poll is still up for another day. You can also comment on this post if you’d like to see topics not listed in the current poll.

I will try to keep these results in mind going forward. I have seen website traffic go up recently, and I’m glad to see people are interested and coming to read the site.

A new poll will be starting July 1 so please come and give me your feedback at that point.

I have been tunneling all of my web traffic over an encrypted SSH connection for some time now. Considering the fact that I travel a lot, I’m very regularly on untrusted, insecure networks. I prefer to secure those connections (web, IM, email, etc) by creating an encrypted SSH connection and pushing the traffic through it. Today I also found a method for also pushing DNS requests through the same tunnel. This ensures total privacy between yourself and the SSH Server.

Step 1: Creating the Tunnel

Creating this private connection you’ll need a remote SSH server to connect to. Mine runs at home in my garage on an old Pentium III 500MHz box (yeah, the kind most people threw away long, long ago!). I connect to this tunnel using:

ssh -D 8080 -fN user@server

This creates a SOCKS compatible proxy, which is a requirement of the DNS forwarding. Other methods on the interwebs suggest using ssh -L or similar, which are not SOCKS compatible proxies.

Step 2: Forwarding DNS

If you’d like to also forward your DNS requests (ie; the site addresses you type into your browser), you’ll need to change a setting in Firefox. This can be done by accessing the address about:config, and entering this string into the configuration:

network.proxy.socks_remote_dns

Change this value to “true”.

Step 3: Using the Tunnel

The last step is to configure your browser to use these new settings. In Firefox 3 (I hope you’ve upgraded by now), you can activate/toggle these settings via:

Edit > Preferences > Advanced > Network > Settings

Select “Manual Proxy Configuration” and add localhost to the “SOCKS Host:” field, followed by port 8080 (assuming you’ve used the port in the example above).

This will then forward your web traffic through the SSH tunnel and DNS requests will also be forwarded.

You may want to check out the FoxyProxy plugin for a simpler way of toggling this on & off.

To deactivate the tunneling and use the local DNS again simply revert Step 3 back to “Direct Connection to the Internet”.

The trick is port forwarding. The idea is that a box will be listening for connections on a port that you specify. If a connection is made, the packets are then transferred through the SSH connection to the box at the other end on a different port that you have specified. So, the obvious is, you need access to an SSH server to make this possible. Let’s take a specific example.

I’m at work. The company mail server is not accessible from the Internet, so when I get home, I can’t read my corporate mail. One specific day during the week, however, I need access. I try to convince the network administrator to punch a hole in the firewall, or at least give me VPN access, but nothing. No ports open for tightest security is his approach. So, seeing as though I have access to an SSH server at home, I open an outbound port that will allow me to connect back in. In otherwords, piggy-backing off of the SSH connection to my home SSH server. I issue the following command from work, just before I leave:

ssh -R 22225:mail.company.com:25 -fN ssh.home.com

What is this saying exactly? It’s saying that the SSH server on ssh.home.com will be listening for mail traffic on port 22225. When a connection is made, the packets will be forwarded through the SSH connection to mail.company.com in the corporate office on port 25. As far as the connection is concerned, mail.company.com received a port 25 packet as if it came from the box internally on the corporate LAN. All I need to do, is launch my favorite email client that supports TCP proxies, and connect to ssh.home.com on port 22225 to make the connection. Simple as pie.

Let’s look at another example:

ssh -R 22222:foo.example.com:22 -fN ssh.home.com

This example is saying that the SSH server on ssh.home.com will be listening for SSH traffic on port 22222. If a connection is made, the packets will be forwarded through the SSH connection to foo.example.com in the corporate office on port 22. This is a great way to get SSH access to machines in the office that are not accessible to the Internet.

Cool, eh? Who would’ve thought that the developers of the most secure-by-default Unix, OpenBSD, would be providing me with simple tools to bypass firewalls?

Now, the question remains, what about the firewall? My only response- what about it? If you have an outbound Internet connection, your only task may be to find out what port is open for the outbound connections. If you have access to an SSH server that you can configure, then change the port on the SSH box to match your corporate outbound port, and you’ve effectively bypassed any and all firewalls that may be in place, both out an in. The only way, the ONLY way you can keep me from bypassing your firewall is to completely cut outbound connections to the Inertnet. Completely, and totally isolate the corporate network. Then, you have a impenetrable firewall.

So, as I mentioned earlier, “What goes out can come back in”.

by Aaron at 3:58 PM under linux , security

Scott Morris
nexangelus
OpenSUSE Linux Rants

» OpenSUSE Linux 10.3: Signing Self-Generated SSL Certificates as Your Own Certificate Authority

Overview

At some point or another, you’ll likely end up needing an SSL certificate for a Web site somewhere along the line. For a commercial site, your hosting provider can or will help you get this all squared away. This article is not for people in that situation.

What we’re doing here will be to create our own Certificate Authority. Then, we’ll create our own server key and a signing request. Then, we’ll sign our own certificate using the key and certificate from our own Certificate Authority. In other words, we’re not just going to create an SSL certificate, but we’re going to sign that bad boy, too.

This is useful for personal websites that need a little security, or when you’re waiting for your real cert from a real Certificate Authority. Perhaps you need it for transmitting data from an external server to your Intranet. Or perhaps you need it in any of the three hundred thousand seven hundred forty-two other situations that may arise.

Certificate Authority

The first thing that you’ll need is root access to the server. SSH in and head somewhere secure like /root.

Next, we’ll go ahead and generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.

To create our key, we’ll run this command:

openssl genrsa -des3 -out ca.key 4096

When we do that, it looks something like this:

[1257][root@mail:~/cert]$ openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
……………………………………………………………………………………………………………….++
………………………………………….++
e is 65537 (0×10001)
Enter pass phrase for ca.key: [enter a pass phrase here for the CA key]
Verifying - Enter pass phrase for ca.key: [verify the same pass phrase here]
[1258][root@mail:~/cert]$

Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Next, we’ll need to use that key to create a certificate. Before we do this, the information that you will enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information which must differ from what is here. With that, let’s whip out the certificate. Notice that we are making it good for 3650 days, or 10 years. Adjust to your taste. So let’s make the cert, now. This is done with the following command:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

And doing this may resemble something like this:

[1306][root@mail:~/cert]$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft Corporation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
[1307][root@mail:~/cert]$

Our Server Key and CSR

Next up on the list is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. We will do that with this command:

openssl genrsa -des3 -out server.key 4096

The output should look familiar:

[1310][root@mail:~/cert]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
…………………………..++
….++
e is 65537 (0×10001)
Enter pass phrase for server.key: [enter a pass phrase here for our server key]
Verifying - Enter pass phrase for server.key: [verify the same pass phrase here]
[1313][root@mail:~/cert]$

Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Now… let’s see… oh yeah. Now, we have to create a signing request, or CSR, from the server key we just made. This signing request will usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?

To create the CSR, we do this:

openssl req -new -key server.key -out server.csr

Now remember, kids. This is the part where we do put in our actual real information because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. And so we do:

[1313][root@mail:~/cert]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Eagle Mountain
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suse Blog
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.suseblog.com
Email Address []:my-address@suseblog.com [put in your real email address here]

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[1323][root@mail:~/cert]$

Sign the Certificate

Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely.

The command we’re going to run looks like this:

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

And when we run it, we see something hopefully resembling this:

[1326][root@mail:~/cert]$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=UT/L=Eagle Mountain/O=Suse Blog/CN=www.suseblog.com/emailAddress=my-address@suseblog.com
Getting CA Private Key
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
[1332][root@mail:~/cert]$

Generate server.key That Won’t Prompt for Password

Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

When we run these commands, here’s our output:

[1354][root@mail:~/cert]$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
writing RSA key
[1354][root@mail:~/cert]$ mv server.key server.key.secure
[1354][root@mail:~/cert]$ mv server.key.insecure server.key
[1354][root@mail:~/cert]$

Placing the Files

At this stage, you should now have a bunch of files. These, in fact:

[1354][root@mail:~/cert]$ ll
total 32
drwxr-xr-x  2 root root 4096 2008-06-02 13:54 .
drwx—— 10 root root 4096 2008-06-02 13:35 ..
-rw-r–r–  1 root root 2529 2008-06-02 13:07 ca.crt [CA certificate]
-rw-r–r–  1 root root 3311 2008-06-02 12:58 ca.key [CA key]
-rw-r–r–  1 root root 2049 2008-06-02 13:32 server.crt [our server certificate]
-rw-r–r–  1 root root 1748 2008-06-02 13:23 server.csr [our server signing request]
-rw-r–r–  1 root root 3243 2008-06-02 13:54 server.key [our password-less server key]
-rw-r–r–  1 root root 3311 2008-06-02 13:13 server.key.secure [our passworded server key]
[1355][root@mail:~/cert]$

Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this:

chmod 0600 server.key.secure server.key server.csr server.crt

Now, here’s where things depend on the distribution that you are using. I will describe what I am doing so that if you are not on OpenSUSE, you will still be able to get this working.

In OpenSUSE, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:

[1348][root@mail:~/cert]$ mv server.key /etc/apache2/ssl.key/server.key
[1349][root@mail:~/cert]$ mv server.crt /etc/apache2/ssl.crt/server.crt
[1349][root@mail:~/cert]$ mv server.csr /etc/apache2/ssl.csr/server.csr
[1349][root@mail:~/cert]$

Yep, pretty complex stuff, moving files.

Now, we need to make a handful more edits to some files, and we’re just about there.

System Configuration

First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ’ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file.

Next, open up the config file that tells apache2 which ports to listen on. In OpenSUSE, this file is /etc/apache2/listen.conf. Rip that bad boy open. You will see the following line:

NameVirtualHost *:80

Add a new line for port 443, our HTTPS port, so that it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443

Save and quit.

Virtual Host Configuration

In OpenSUSE, it’s really easy to have virtual hosts on a machine. I have like 10 on mine. One of them is my blog, www.suseblog.com. Well, to make this easy, in OpenSUSE, the virtual domain configuration files are located in /etc/apache2/vhosts.d, each with their own name. My www.suseblog.com configuration file is called suseblog.conf. To set up SSL for this virtual host, just duplicate the file and give it another name. In my case, I named it ssl-suseblog.conf.

Now, we’re going to open up that file and add like 4 lines to it. No sweat.

At the top of the file, there is a line that looks like this:

<VirtualHost *:80>

Change the port from 80 to 443, so it looks like this:

<VirtualHost *:443>

Then, go down a ways and add these lines:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Save and quit on that one, too.

Configure Firewall

We can configure this thing perfectly, but if the firewall doesn’t know to let traffic through, we will not have HTTPS access to the server. Let’s check the firewall really quick to make sure.

Fire up YAST. Go to the Security & Users option on the right, and select FIREWALL from the left. If you do not have a firewall running on the machine, you can just exit now. If you do, you will need to go to ALLOWED SERVICES. In the SERVICES TO ALLOW drop-down on the right, select HTTPS Server. Then click ADD. Then click NEXT, and finally FINISH. You should now have port 443 opened for HTTPS business.

Now, let’s go ahead and restart apache and enjoy our new self-signed self-generated SSL cert on our HTTPS service:

[1426][root@mail:/etc/apache2]$ /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)          done
Starting httpd2 (prefork)                                             done
[1427][root@mail:/etc/apache2]$

Conclusion

Well, we’ve concluded. Enjoy.

by Scott Morris at 9:54 PM under apache , linux tips , security , signed certs , ssl , suse tips and tricks (Comments)

Christer Edwards
nonic
Ubuntu Tutorials : Dapper - Gutsy - Hardy - Intrepid

» OpenSSL & OpenSSH Vulnerabilities : Confirm & Fix Instructions

I’m sure many of you have heard by this point that there is a reported vulnerability in openSSL and openSSH. The basis of this is that they keys that are generated when you use these tools (ie; installing openssh-server, etc) are generated in a weak manner and can be prone to simple brute force attacking.

If you’ve never installed openssh-server, used openssh-clients or generated an X.509 certificate you should be safe. If you have done any of the above keep reading for a validation and fix instructions. It can’t hurt to run the validation script in either case, just to be safe.

Security patches have been deployed to the Ubuntu archives so the first step is to, of course, apply any security patches available.

Am I Affected?

The first item at hand is verifying whether or not you have been affected by the vulnerability. As mentioned above there are some common tasks that would qualify, but lets test your machine to make sure.

Download the script linked below and run it using the example syntax below:

dowkd.pl.gz (Download this file and unzip)

dowkd.pl PGP signature (Optionally verify the signature of the script)

Cut-n-Paste command-line example of downloading and running the test:

wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz gunzip dowkd.pl.gz chmod u+x dowkd.pl ./dowkd.pl user ./dowkd.pl host <hostname>

If you see output similar to:

/home/username/.ssh/id_dsa.pub:1: weak key

…then you have been affected by the vulnerability. If you do not see “weak key” reported then you are OK.

How Do I Fix My Machine?

To update your machine and patch the vulnerability the first thing you want to do is check for and apply any system updates available. The main Ubuntu archives have been updated with the fixes. If you are using an alternate mirror the fix may not have propagated yet, so you may not see it available for another few hours.

Apply any updates:

sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade

You should see an update for openssl and openssh packages (along with anything else available).

After these new packages have been applied you’ll want to regenerate any keys that you’ve generated (ie; openssh keys, CA cert, etc).

UPDATE: The latest package release will automagically re-create any server-side ssh keys for you and notify you of the reason. Also, there is a new utility built into the latest release that will check keys for you. After your updates are applied try the tool:

ssh-vulnkey

To generate a new openssh key for your user: (This only required if ‘./dowkd.pl user‘ reports weak)

ssh-keygen -t dsa -b 1024

To generate a new openssh key for your server: (This only required if ./dowkd.pl host <hostname> reports weak)

sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key* sudo dpkg-reconfigure -plow openssh-server

You should now run the validation script again and make sure it does not report any errors. If you still see reported warnings such as:

/home/username/.ssh/authorized_hosts:1: weak key

…this means that you have authorized_host keys saved that are still affected. Open the .ssh/authorized_hosts file with a text editor and delete the affected line (:1: means line 1, etc).

Continue to run the ./dowkd.pl script until no weaknesses are reported.

These steps should be run on any system that you manage to ensure they are sufficiently patched.

Random Posts

by Christer Edwards at 8:49 PM under openssh , openssl , patch , security (Comments)

Christer Edwards
nonic
Ubuntu Tutorials : Dapper - Gutsy - Hardy - Intrepid

» Why ufw Does Not Need A GUI

I’ve been hearing more and more recent requests (at OpenWeek -chat and in blog comments) regarding a request for a GUI on top of ufw. I wanted to take a second and outline more clearly what ufw is, which will likely stop these requests. I think its just a simple matter of not truly understand what ufw does which leads to these. Bottom line, there are already a number of GUI firewall applications, adding one for ufw would be basically pointless. (Before you argue that point, keep reading.)

What is ufw?

ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules which is done via the netfilter kernel module and iptables userspace tool. iptables has been around for quite a long time, is very, very robust and very widely used. It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it. (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter nothing is actually being specifically allowed or denied.)

The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”. While iptables is already installed and available for use, the syntax can be complicated. For example, lets say you wanted to block all connections from the IP address 10.100.0.5:

iptables : sudo iptables -A INPUT -s 10.100.0.5 -j REJECT ufw: sudo ufw deny from 10.100.0.5

Another slightly more complicated example could be written for blocking specific ports and protocols:

iptables: sudo iptables -A INPUT --dport 22 -s 10.100.0.5 -j REJECT ufw: sudo ufw deny from 10.100.0.5 to any port 22

ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way. Both of the commands above basically do the same thing, ufw simply “uncomplicates” the process.

For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc. Those are graphical tools which create and manage iptables / netfilter rules “under the hood”. ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.

The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed. ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.

Random Posts

by Christer Edwards at 8:16 PM under firestarter , firewall , iptables , netfilter , security , ufw (Comments)

Phil Windley
pjw
Phil Windley's Technometria

» Web Authentication with Selective Delegation using SRP

Bryant Cutler and Devlin Daley developed a methodology for adding selective delegation to relationship-based identity systems. This afternoon I presented that work at WWW2008. The talk went well. There were probably about 40 people in the room. There were some good questions afterwards, so all in all, I'm pleased. Here are the slides (PDF) if you're interested.

Tags: www2008 security identity delegation

10:01 AM under delegation , identity , security , www2008

Scott Morris
nexangelus
OpenSUSE Linux Rants

» ARP Poisoning - I Read Your Email

Alrighty, folks. I gave a presentation at Utah Valley State College last night about a network security issue called ARP poisoning. It is the ability to hijack any computer’s connection on a local area network. The concept is that you force all traffic going to and from that machine through your own computer. You are then able to filter through that traffic and determine what the user is doing. It is possible to view passwords, and even change traffic as it goes through your computer. Even if they are on a secure website. It’s a fairly common method of attack, and is something to watch out for. I have compiled my notes into an article in the form of a 4-page PDF. If you want to take a look at how ARP Poisoning works, view the PDF here.

by Scott Morris at 3:24 PM under freebies , general linux , security (Comments)

Jesse Stay
obfuscated, Uncle_Jesse
Stay N' Alive » OSS

» Five Real Reasons Vista Beats Mac OS X

I’m going to step away from my normal focus on Social Media because the inner-geek in me just couldn’t resist. Recently Chris Pirillo posted a challenge that I just couldn’t help taking on. In it, he criticizes a post by Preston Galla of ComputerWorld stating “5 Reasons Vista Beats OS X”, and he makes some very good points. I admire Chris a lot because he’s one of the most unbiased Geeks I know, except when it comes to the Mac. Chris and I would get along well.

I too am a Mac user, in fact, the post I am typing at the moment is on MarsEdit on a Macbook. I absolutely love my Mac, and thus far have not found a preferred Operating System for development and desktop environment to work on, at least as a software developer (I should note that actually, most of my software development is over Terminal on the Mac, over to a Linux Server, my preferred server OS).

I will be the first to admit however that the Mac does have its flaws, in particular Leopard. I do run a Vista Ultimate machine, and I love it too, but for different reasons. Let me give 5 real reasons, and Chris, if you’re reading I would love to hear your response to this, why Vista, at times can be better than a Mac, in particular Leopard. Here are 5 reasons in response to Chris’s challenge that I think really make sense:

It’s all about the media. Chris, I’m not sure if you’ve used Windows Media Center to its full extent, but sit down, set up a Windows Media Center machine/server, and then set up an Xbox 360. Be sure your server has a good TV card or two in it as well. Now, sync the two, and begin watching TV live over your home network. Add on a Media Center Extender to another TV in your house and begin streaming live TV on another channel to that TV as well. Now, on one of the extenders, open up some music, maybe even from your iTunes library on your PC (assuming it’s not DRM protected, stupid Apple). Go on over and visit the videos you have stored on your PC. Install some MCE plugins, and begin browsing your videos on Youtube, or even Netflix watch now movies. Got HD? MCE supports it. Go to the sports section, see all the sports games playing currently and what their scores are, surf through all the sports channels (all in HD!). Go in and schedule to record your favorite TV Series. AppleTV isn’t even near ready for this (although I so desperately would love to see them do it!). Heck, turn off MCE even and start playing some games, or rent a movie. If you can point out a Mac combination that can do that, I’ll jump for joy!
The corporate environment. As a CTO and entrepreneur, I simply cannot force everyone onto a Mac. I have first, the expense of the learning curve and integration between Mac and PC, and second the cost of the Macs themselves. I can get a PC for under $500 these days. The closest equivalent to that is the Mac Mini, which still, at the equivalent PC level is more expensive. Now, add to that the expense of Parallels so those that need Windows apps like Quickbooks Corporate editions and others. True, integration with Exchange is possible, but is still pretty limited when compared to Windows. In the end I’m looking at a pretty expensive IT budget. Again, I think a Mac is an excellent development machine, and would still encourage a Mac for my developers due to their need to develop in cross-platform environments, but it just doesn’t make sense cost-wise across the entire company.
Hardware compatibility. I agree - there are a lot of options when it comes to supporting hardware for a Mac, but, can I just get a decent wireless print server that works with the Macs in my household? What about print drivers that work across the network with Windows-connected printers? Leopard fixes some of that, but it’s still not anywhere near compatible as the Vista machines are. Is it Mac’s fault? No, but it is a strong point to buying Vista. What about shuffling around every time I need to connect to a projector because Macs use the non-standard VGA/DVI adapters? I’m sure the readers can come up with more unsupported hardware.
Finance Software. I touched on this a little earlier, and Galla very broadly covered it in mentioning supported software, but his claim was not backed by specific examples. Simply saying, “Vista runs more software” is an opinion, and Chris, as you point out not necessarily proof that Vista is better. However, one thing I do have issues with is the vast array of Windows Finance software (aka Small and large business versions of Quicken and Turbotax) but lack of within Leopard. I run a very small business at the moment, and frankly, Quickbooks for Mac is simply too much for me. I’m looking for something more like Quicken Home and Business until my business gets large enough for me to hire an Accountant. There’s also the flip-side to that in that if you run a very large business, there are no enterprise versions of Quickbooks for Mac. This is why both my Father, and Father-in-Law who are CPAs do not use Macs. For now, I’m stuck to slowing down my machine with Parallels any time I need something like that, which, IMO is a hack.
It’s all about the animated wallpaper! Can your Mac run animated pictures of waterfalls, running streams, or flowing lava? My Vista machine can. Come on - you have to admit that’s something my Vista machine can do that my Macbook can’t, don’t you? So long as we’re going to praise the Mac UI this is one really cool feature I’d just love to see on my Mac. There are also other cool UI features on Vista that I like, even though I think Mac trumps them as a whole.

So, those may or may not be big things to some, but that is my list, and you asked Chris. Of course I could always come up with 10 more things that Mac beats Vista in, but my point is, as they told us when I was a Sales person at Computer City as a teenager, there are strengths to each OS - it’s important to evaluate what works best for you and your situation, and choose accordingly. Now, I ask my readers, are there any reasons (supported by true, concrete facts) that you feel Vista beats Leopard or the Mac in general?