missed me ?

I am on easter vacations (it’s Greece here…orthodox easter is after the catholic one) in my home town since 4-5 days now…I am on dialup so bare with my absence. It’s so so hard to be “online” with dialup..I can’t even read my emails properly. I was used to adsl@home and my university’s line…and now I feel really weird. I got no tech/IT/whatever news from here. My only “news” is that the PortableFirefox I have inside my usb key is a life savior. I can go with it in any friend’s house or netcafe and have everything I want with me…including my passwords that I don’t even have to type 🙂

The only new thing I have found lately and it’s relatively handy is this: If you want to get rid of annoying error popups in firefox go to about:config, find browser.xul.error_pages.enabled and change its value to true. No more error popups, instead you get informative error html pages, I really liked it…

Annoying “security” company

While Googling the net I bumped into this hilarious, frustrating, “insert your own word here” company that sells PCs with “extra security”. It installs linux with some encryption options and asks very large amounts of money for a few copy paste clicks.
Just check this from their site:

Installed Secure™

Level One: Default installation with firewall, encrypted swap, no insecure services such as sendmail. On Gentoo Linux we use Firehol the easy to read and verify iptables based firewall.

Level Two: Loop-AES encrypted partition backed GPG secured multi-key encryption in a subdirectory of the default user with the GPG keyring stored on a USB keychain drive.

Level Three: Entire /home partition is encrypted with a GPG secured multi-key encryption with GPG keyring and partition keys stored on USB keychain drive. You must log in as root at the command line before logging in to X windows.

Level Four: Encrypted root and /home partitions with GPG secured multi-key encryption. Laptop unusable without keychain (and trusted CDROM if so desired). It is impossible to modify or even ascertain what is on the computer.

How much does these cost ? Prepare yourselves…

Level1: 0$
Level2: 200$
Level1: 300$
Level1: 400$

How ridiculous can some people be ?
Level 2 is something like this previous post of mine. Let’s count the chars:
The characters of the commands needed are 470 (or 9 copy-paste lines as I have written them in my post). They are FULLY scriptable, ie a guy who knows a bit of bash can create a script to produce this kind of encrypted loopfiles with a single command in under 3 minutes. But let’s say they don’t copy paste the lines…but they write down every character every time…one by one. It still makes us 0.4255$ per character. THIS is called FRAUD! I am even typing more characters in this post than they are typing to get 200$.

It’s easy to spot which is this company…just google some terms…
If you find the site…check their other “offers” too…

Usb key encryption frenzy, loopfile encryption

It’s time for something more serious now, time to play with encrypted partitions and loop devices storing the keys on the usb key.

Following the excellent loop-AES.README I created an encrypted loop file that is encrypted with some random keys which are stored inside a file…and that file is encrypted with gpg and stored inside my usb stick. Confused ? Here it goes…

“Create 65 random encryption keys and encrypt those keys using gpg.”
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65| gpg --symmetric -a >/mnt/usb-key/keyfile.gpg

Time for the loop file creation. An example of a 100Mb file follows:
# dd if=/dev/urandom of=/my-encrypted-loop.aes bs=1k count=100000

Then encrypt the loop file using our previously generated keys. From losetup man page:

-K gpgkey
Password is piped to gpg so that gpg can decrypt file gpgkey which
contains the real keys that are used to encrypt loop device. If
decryption requires public/private keys and gpghome is not speci-
fied, all users use their own gpg public/private keys to decrypt
gpgkey. Decrypted gpgkey should contain 1 or 64 or 65 keys, each
key at least 20 characters and separated by newline. If decrypted
gpgkey contains 64 or 65 keys, then loop device is put to multi-key
mode. In multi-key mode first key is used for first sector, second
key for second sector, and so on. 65th key, if present, is used as
additional input to MD5 IV computation.

So…
# losetup -K /mnt/usb/keyfile.gpg -e AES256 /dev/loop3 /home/kargig/mytest
# losetup -d /dev/loop3

Now add this to /etc/fstab:
/my-encrypted-loop.aes /mnt/private ext3 defaults,noauto,user,loop=/dev/loop3,encryption=AES256,gpgkey=/mnt/usb-key/keyfile.gpg 0 0

now try this in order to check if the fstab entry is working and to format the loopfile:
# losetup -F /dev/loop3
# mke2fs -j /dev/loop3
# losetup -d /dev/loop3

If everything is fine…you can just try this:

mount /mnt/private

And you should be asked for your gpg passphrase 🙂 If you don’t have your usb key mounted, the loop file(or partition) won’t be mountable. BACKUP your keyfile.gpg!!!

What if you want to change your password ? Simply do this to decrypt the gpg file and re-encrypt it with a new password:
# gpg -d /mnt/usb-key/keyfile.gpg > /mnt/usb-key/clearkeys.txt
# cat /mnt/usb-key/clearkeys.txt | gpg --symmetric -a > /mnt/usb-key/newkeyfile.gpg
(now make sure the keyfile.gpg and newkeyfile.gpg differs, if yes it means that the gpg password was changed...move on)
# mv /mnt/usb-key/newkeyfile.gpg /mnt/usb-key/keyfile.gpg
# rm -f /mnt/usb-key/clearkeys.txt

(thanks to metown for pointing at some errors at the previous post)

What’s left to be done now is make it work like the pam_usb module, ie create a set of scripts(or programs?) so that when I want to mount the encrypted partition it will automatically check the usb key to find a private key to check it against the “partition’s public key” so there won’t be a need for typing a passphrase.

More fun with a usb key: pam_usb, hotplug and xlockmore

Uncle sivitos introduced the idea of using hotplug with the usb key. So here we go:

Insert this to your sysctl
kernel.hotplug = /usr/bin/usbhotplug
and then emerge xlockmore.
Now go to your /etc/pam_usb/handlers/xlock.sh, and edit it so the start function looks like this:
su - USERNAME -c "xlock -display $DISP"

where USERNAME is the name of the user that you start X with…you don’t still use X as root…do you ?

Now plug and unplug the usb key to see what happens. Normally when you unplug it your X session should be locked and you should be asked for a password. Then , when you plug your usb key back in … you should be able to return in your X session after 1-2 seconds of delay. Try it and tell me whether it works for you too 🙂

Using a usb stick to login to gentoo Linux

It was kinda late, and I wanted to do something tonight…something interesting. I was looking at my usb key when I had this flash…”Could I use my usb key to login to my pc with a certain account ?”.
Googling … googling… I need a PAM module to do it. eix time now!
#eix pam usb
* sys-libs/pam_usb
Available versions: 0.3.1 0.3.2
Homepage: http://www.pamusb.org/
Description: A PAM module that enables authentication using an USB-Storage device (such as an USB Pen) through DSA private/public keys.

Bingo!

I emerged it and edited /etc/pam.d/system-auth and /etc/pam.d/login
In the very first line of the files I added:
auth sufficient /lib/security/pam_usb.so !check_device allow_remote=1 force_device=/dev/sda1 fs=vfat debug=1 log_file=/var/log/pam_usb.log

Then I just did:
usbadm keygen /mnt/usb1 root 4096
as the great quickstart of pam_usb describes and I am set!

just a test then…:
$ su
#

Damn! I liked that!

and you can check the debug log too:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbI7wL6Z] for dropping
[device.c:358] Using /tmp/pam_usbI7wL6Z as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbI7wL6Z using vfat
[device.c:253] Device mounted, trying to open private key
[device.c:181] Opening /tmp/pam_usbI7wL6Z/.auth/root.XXXXXX
[device.c:261] Private key opened
[auth.c:207] Private key imported
[auth.c:218] Public key imported
[device.c:455] Dropping [/tmp/pam_usbI7wL6Z]
[dsa.c:77] Checking DSA key pair...
[dsa.c:87] Signing pseudo random data [1 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [2 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [3 time(s)]...
[dsa.c:94] Valid signature
[pam.c:207] Access granted

What about if I remove the usb key ?

$ su
Password:
su: Authentication failure
Sorry.
$

and the debug log:

[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbTMRHEZ] for dropping
[device.c:358] Using /tmp/pam_usbTMRHEZ as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbTMRHEZ using vfat
[device.c:242] mount failed: No such file or directory
[device.c:249] Unable to mount /dev/sda1, tried with 1 fs
[device.c:376] Device forcing failed, back to guess mode
[device.c:419] Cannot find any device
[device.c:455] Dropping [/tmp/pam_usbTMRHEZ]
[auth.c:186] Invalid device
[pam.c:203] Cannot authenticate user "root"

I really liked that today…felt like Mission Impossible..yeah 😛
I wonder if I could make that work with xscreensaver too…would be pretty cool, wouldn’t it ?

Gentoo and Acrobat Reader Firefox plugin fix

If you use gtk+ with version higher than 2.4.9 you might have noticed that the acrobat reader plugin does not work with firefox. To solve this you have to take certain steps.
mkdir /opt/Acrobat7/Reader/intellinux/lib/gui
ebuild /usr/portage/x11-libs/gtk+/gtk+-2.4.9-r1.ebuild install
cp -ax /var/tmp/portage/gtk+-2.4.9-r1/image/usr/lib/* /opt/Acrobat7/Reader/intellinux/lib/gui/

Now edit ‘acoread’ (/usr/bin/acroread)

find this section in the acroread script:
intellinux)
LD_LIBRARY_PATH="`prepend "$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib:$ACRO_INSTALL_DIR/$ACRO_CONFIG/sidecars" "$LD_LIBRARY_PATH"`"
export LD_LIBRARY_PATH
;;

now modify the LD_LIBRARY_PATH line, ie. the ‘intellinux)’ one to look as follows:
LD_LIBRARY_PATH="`prepend "$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib/gui:$ACRO_INSTALL_DIR/$ACRO_CONFIG/lib:$ACRO_INSTALL_DIR/$ACRO_CONFIG/sidecars" "$LD_LIBRARY_PATH"`"

and you are set 🙂

try the acrobat reader plugin now 🙂

It works for me!

Fun with google images – GoogleMontage

There’s a site called GoogleMontage that you can give many keywords or expressions and it creates a nice montage of pictures. Check this sample I did about the city I currently study and live. (I don’t know for how long this image will be kept on their servers, so if you can’t see it post a comment).

Alternate local image if the above link stops responding: local sample

Making life easier with gentoo

I really like the emerge tool that gentoo has. My only problem so far was the search option it had. It’s sometimes pretty slow, so I wanted an alternative. After some googling I came up with eix. It’s a powerfull search tool for the portage with indexing capabilities. So the search is really FAST!

Here’s an example of a search while emerging the latest gcc:

# time emerge -s doom >/dev/null

real 0m40.642s
user 0m0.768s
sys 0m0.210s
# time eix -s doom >/dev/null

real 0m1.140s
user 0m0.059s
sys 0m0.012s

I think that you can easily spot the “improvement”…right ?

What I also like about eix is that you can see all available versions when you search for something and not just the latest stable. Check this output when searching for gcc:

* sys-devel/gcc
Available versions: [P]2.95.3-r8 [P]3.1.1-r2 [P]3.2.3-r4 [P]3.3.2 [P]3.3.2-r5 [P]3.3.2-r7 3.3.5-r1 ~3.3.5.20050130 3.3.5.20050130-r1 ~3.3.5.20050130-r2 *~3.4.1-r3 *~3.4.3-r1 *~3.4.3.20050110-r1 *~3.4.3.20050110-r2 [M]4.0.0_beta20050402
Installed: 3.3.5.20050130-r1
Homepage: http://www.gnu.org/software/gcc/gcc.html
Description: The GNU Compiler Collection. Includes C/C++, java compilers, pie+ssp extensions, Haj Ten Brugge runtime bounds checking

Well, after searching for doom I’ve decided to install it too 🙂 Doom3 to be exact using the pak files I had in my windows ntfs partition. I just needed to “ln -s” the pak files and my savegames to the proper dirs. I now enjoy doom3 on my gentoo and I get about the same fps I used to get at windows (maybe even just a bit better, but that could be because there were many things running concurrently at windows, e.g. antivirus, firewall, windows crappy services,etc) .

If you like openoffice and you use latex there’s a very nice macro that combines these 2 worlds: OOoLatexEquation. I think it’s just great when you want to have some nice looking math formulas on your documents (embedded as graphics of course). Check this screenshot.

Oh and something I don’t understand. I have emerge multitail some time ago and I saw that there’s an updated version out, but when I “emerge -uDpv world” I don’t see it listed. When I try “emerge -u multitail” it’s there:

[ebuild U ] app-text/multitail-3.4.8 [3.4.5] -debug 63 kB

any ideas why can this be happening ? Is it a bug ? If it is it could affect the whole system by not listing packages that have security problems and “must” be updated. I have never seen it happening before and I wish I won’t see it in the future again.

More patent problems

In a recent post in slashdot it is said that vlc is threatened with closure due to software patents. You can read more about it here: Videolan patent problem.

This patent madness will drive many opensource developers crazy in a very short time…I guess that it is getting more and more difficult to code something when you are in fear that someone may sue you for something that you just…thought. The problem is bigger for people coding multimedia applications. That’s where the most money from typical users are spent…and that’s where big companies base their success. You buy a dvd from your local store…but now you need to watch it with a decent player right ? Who has de-interlace support ? Who has DTS support ? and so on and so on… This is really getting nowhere…If companies persist on their patents each one is going to create a crippled player due to patents pending from the “opponent” companies…just crazy…and BAD for the users…

shame…but that’s how things work lately…There was a time where software was cheap and hardware was trully expensive..this has changed completely nowdays…

More links on patent problems:
DTS vs Videolan
Kopete patent problems

Stopping Trackback Spam ?

I’ve found this little hack for wordpress that supposedly stops trackback spamming. I’ve installed it..and I will wait for the results.

Not much else is going on lately since my free time is .. absent.

By the way..the wordpress theme I use is not imhotep any more but gentle calm. I’ve added a calendar and some Meta links to the theme..and I like it a bit more this way than the original.