Tuesday 29 November 2016

keybase.txt

Please ignore this post, it is only a proof of identity for https://keybase.io/johanh

==================================================================
https://keybase.io/johanh
--------------------------------------------------------------------

I hereby claim:

  * I am an admin of https://baldpenguin.blogspot.com
  * I am johanh (https://keybase.io/johanh) on keybase.
  * I have a public key ASDbPq9SjZ5TkkITqw710MGA9aU_Zhu9Q36nAOFhL1gPKgo

To do so, I am signing this object:

{
  "body": {
    "key": {
      "eldest_kid": "0101676dc63b160044ed9489c75dfcd9e4670d4d278b466a5b9946433dada98d602e0a",
      "host": "keybase.io",
      "kid": "0120db3eaf528d9e53924213ab0ef5d0c180f5a53f661bbd437ea700e1612f580f2a0a",
      "uid": "10c48c0cdf4f071acf09cbc4e3cc0b19",
      "username": "johanh"
    },
    "service": {
      "hostname": "baldpenguin.blogspot.com",
      "protocol": "https:"
    },
    "type": "web_service_binding",
    "version": 1
  },
  "client": {
    "name": "keybase.io go client",
    "version": "1.0.18"
  },
  "ctime": 1480372133,
  "expire_in": 504576000,
  "merkle_root": {
    "ctime": 1480372080,
    "hash": "d67868cc647232c9573359b25b183086490c4ca5e9cbb32885edbdda982c3f6aa161607902e0b8b006be3bcf52bae6f08989f1e979c3453beef60c172ed0d7d4",
    "seqno": 739029
  },
  "prev": "72c2bbbbbb03a7aab1e138ea5e7f7b6887cd98e1d8fad433dc5b08494c8f7474",
  "seqno": 18,
  "tag": "signature"
}

which yields the signature:

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

And finally, I am proving ownership of this host by posting or appending to this document.

View my publicly-auditable identity here: https://keybase.io/johanh

==================================================================

Thursday 27 October 2016

Two-factor authentication part 2 - 2FA with SSH

On any Linux-based server, SSH logins can be protected with two-factor authentication using the Google Authenticator PAM module (pam_google_authenticator). It is easy to install and configure, as long as you keep an eye on which login paths actually pass through PAM.

Login to your SSH server and install the module.

On Debian (or for instance Raspbian):
sudo apt-get install libpam-google-authenticator
On Fedora:
sudo dnf install google-authenticator

Create the verification key for the user. I prefer not to allow root logins over SSH, so run this step as the user who will be logging in; the secret is written to that user's ~/.google_authenticator:
google-authenticator
You can answer y to most questions: time-based tokens, updating the ~/.google_authenticator file, refusing reuse of the same token and rate limiting are all sensible, while the larger time window is only needed if your clocks drift. Finally, you will get a QR code that can be scanned by your phone's TOTP app (any standard TOTP application will do). Store the emergency scratch codes in a safe place, such as a KeePass database or on paper: each one is a single-use bypass of the second factor, so treat them like passwords.

Now you need to make a few changes so that PAM (which handles authentication on most Linux systems) asks for the verification code in addition to your password when logging in through SSH.

Edit the PAM config file for sshd:
sudo nano /etc/pam.d/sshd
Add the following row to the top of the file:
auth required pam_google_authenticator.so
With "required", a user who has not yet run google-authenticator cannot log in at all. If you enroll users gradually, append nullok to the line so that users without a ~/.google_authenticator are still let in with just a password, and remove it again once everyone has a secret.
Edit sshd config:
sudo nano /etc/ssh/sshd_config
Change the following option to yes if it is set to no (in OpenSSH 8.7 and later the same option is called KbdInteractiveAuthentication), and make sure UsePAM is set to yes, which it normally is on Debian and Fedora:
ChallengeResponseAuthentication yes
This allows the sshd daemon to ask for other things than only the password, such as the additional verification code that we added to the PAM configuration. Note that public-key authentication does not go through PAM's auth stack at all, so a user with an authorized key in ~/.ssh/authorized_keys will never be asked for the code. If you want key plus code, add:
AuthenticationMethods publickey,keyboard-interactive

You can check sshd_config after any change with the following command:
sudo sshd -t
This reports any error in the sshd configuration before you restart; restarting with a broken configuration leaves sshd down and you locked out. Still, keep an additional terminal open to the server while doing any sshd or authentication changes, and test the new login from a fresh terminal before closing it.

Finally restart the sshd service:
sudo systemctl restart sshd.service
or on older systems:
sudo service sshd restart

Finished! Now you will be asked for the verification code in addition to your password when logging in through SSH.
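As an added example (not part of the original post), here is a small Python audit that reads an sshd_config and a /etc/pam.d/sshd and reports the ways this setup can silently fail to enforce the second factor: public keys bypassing PAM, nullok, a wrong control flag, UsePAM or challenge-response turned off. The two configuration texts at the bottom are constructed samples and the function names are mine. The parser applies the rules sshd itself uses: keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a Match line are conditional rather than global.

```python
import re

# Defaults from sshd_config(5) for the keywords we care about. Distribution
# packages ship UsePAM yes explicitly, so treat the upstream default as "no".
SSHD_DEFAULTS = {
    "usepam": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Global settings of an sshd_config as {lowercase_keyword: first_value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                                   # the rest is conditional, not global
        settings.setdefault(key, value)             # sshd keeps the FIRST value it sees
    return settings


def pam_google_auth_line(text):
    """(control, options) of the active 'auth' line that loads
    pam_google_authenticator in a /etc/pam.d/sshd, or None if there is none."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lower() != "auth":
            continue
        if fields[1].startswith("["):                # "[success=1 default=ignore]" spans fields
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            fields = [fields[0], " ".join(fields[1:end + 1])] + fields[end + 1:]
        if len(fields) >= 3 and fields[2].endswith("pam_google_authenticator.so"):
            return fields[1].lower(), fields[3:]
    return None


def audit_ssh_2fa(sshd_config, pam_sshd):
    """Return a list of findings; an empty list means every SSH login path asks for the code."""
    cfg = dict(SSHD_DEFAULTS, **parse_sshd_config(sshd_config))
    findings = []

    pam = pam_google_auth_line(pam_sshd)
    if pam is None:
        findings.append("pam: no auth line loads pam_google_authenticator.so")
    else:
        control, options = pam
        if control not in ("required", "requisite"):
            findings.append(f"pam: control '{control}' does not make the code mandatory")
        if "nullok" in options:
            findings.append("pam: nullok lets users without ~/.google_authenticator skip the code")

    if cfg["usepam"] != "yes":
        findings.append("sshd: UsePAM is not yes, so PAM auth modules never run")
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
    if cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"]) != "yes":
        findings.append("sshd: keyboard-interactive is off, so sshd cannot prompt for the code")

    # Public-key authentication never enters PAM's auth stack, so a key alone logs in
    # unless every alternative in AuthenticationMethods also requires keyboard-interactive.
    if cfg["pubkeyauthentication"] == "yes":
        methods = cfg["authenticationmethods"]
        if methods == "any":
            findings.append("sshd: public-key logins bypass the code; set "
                            "AuthenticationMethods publickey,keyboard-interactive")
        else:
            for alt in methods.split():               # space-separated alternatives, comma = AND
                if "keyboard-interactive" not in [m.split(":")[0] for m in alt.split(",")]:
                    findings.append(f"sshd: AuthenticationMethods alternative '{alt}' "
                                    "has no keyboard-interactive step")
    return findings


# Constructed samples: the post's configuration as written, and a hardened variant.
SSHD_CONFIG_AS_IN_POST = """\
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
"""
SSHD_CONFIG_HARDENED = SSHD_CONFIG_AS_IN_POST + """\
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD_AS_IN_POST = """\
auth required pam_google_authenticator.so
@include common-auth
"""

if __name__ == "__main__":
    for name, text in (("as in the post", SSHD_CONFIG_AS_IN_POST), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, audit_ssh_2fa(text, PAM_SSHD_AS_IN_POST) or ["ok: code required on every path"])
```

Run against the configuration exactly as the post leaves it, the audit reports one finding: public-key logins bypass the code. With the AuthenticationMethods line added it reports nothing. Feed it the real files with `audit_ssh_2fa(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/sshd").read())` after every change, next to `sshd -t`.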

Monday 25 July 2016

Two-factor authentication with TOTP applications

Many websites and online services offer two-factor authentication (2FA) using SMS or using a Time-based One-Time Password (TOTP) application (some services also offer an email link, but I will not cover it here, although it also adds security in a similar way).

It is highly recommended to use two-factor authentication to sign in to websites. It adds a second piece of information besides the password, which makes signing in to online services a good deal more secure. Someone who only knows your password cannot get into your account; they also need the secret key stored on your phone (or one of your backup codes), so the realistic attacks left are phishing the current code out of you or stealing an already logged-in session.

I prefer TOTP over SMS, because SMS is sometimes more unreliable and slower. (I won't discuss which method is more secure; there are potential vulnerabilities in both use cases depending on device and platform)

Time-based One-Time Password

A Time-based One-Time Password algorithm calculates a one-time password from a shared secret key and the current time. It is a standard described in RFC 6238, built on the counter-based HOTP of RFC 4226 with the counter derived from the clock. It requires that the user saves a secret key on a device, typically a smartphone. Many services present the key as a QR code that can be quickly scanned.

The code in the TOTP application changes every 30 seconds (the standard time step), and the server computes the same sequence from its own copy of the secret and its own clock, which is why the two clocks must be roughly in sync. You need to enter the code that is currently visible.

The good thing with TOTP is that it is a standard that can be implemented in a generic application. There are services that require the use of their own application, but in my opinion they miss the point. I like to have one single application on my phone with TOTP authentication for a lot of services. Google Authenticator is a good example that implements TOTP. There is even a PAM module, so you can use it to add security to e.g. server authentication. I use SailOTP on my Jolla phone with the Sailfish operating system. For Android, there is a FOSS app available: FreeOTP.

Sites that use 2FA


Here is a good list of sites that use 2FA. Most big online services support 2FA, like Google, Facebook, LinkedIn, Dropbox, GitHub etc. Note that not all of them use TOTP; some have their own implementation or use some other kind of authentication. For instance, Steam has its own implementation of TOTP and you need Steam's own client to use it (but as far as I can tell it almost follows the standard). PayPal's support for SMS 2FA is half broken, at least outside the US: it works once it is set up, but setting it up is almost impossible due to the broken website.

Steam and TOTP

The following is not supported by Steam, but you can use Steam with a standard TOTP application if it lets you enter the secret key manually and supports 5-character codes (like e.g. SailOTP).

To add the Steam secret key to the TOTP application, you need to install the Steam client on a device first. On an Android device (or in the Jolla phone's Android layer), the key is located in the file "(/opt/alien)/data/data/com.valvesoftware.android.steam.community/files/Steamguard-$STEAMID", in the string "otpauth://totp/Steam:$STEAM_USERNAME?secret=$SECRET&issuer=Steam", where $SECRET is the base32-encoded secret key. You can add this key manually to the TOTP application. Treat that file like a password: anyone who can read it can generate your Steam Guard codes.
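To make the algorithm behind the two sections above concrete, here is an added Python example (not code from the post, from Steam or from any TOTP app) that implements RFC 4226 HOTP, RFC 6238 TOTP, the Steam Guard variant with its five-symbol alphabet, a parser for an otpauth:// URI of the form found in the Steamguard file, and the server-side check with a small drift window. The key is the RFC test key and the URI is constructed for the example; the account name "alice" is made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Steam Guard's 26-symbol alphabet (no 0/O/1/I); five symbols instead of six digits.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); real secrets come
# from the QR code or otpauth URI a service hands out.
SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Steam:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Steam")   # constructed; the secret is SECRET in base32


def hotp_truncate(secret, counter, digest=hashlib.sha1):
    """HMAC the 8-byte big-endian counter and apply RFC 4226 dynamic truncation,
    yielding a 31-bit integer. HOTP, TOTP and Steam codes all start here."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def hotp(secret, counter, digits=6):
    """RFC 4226: the low `digits` decimal digits of the truncated value."""
    return str(hotp_truncate(secret, counter) % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). The server runs
    the same function on its own clock, which is why clock skew matters."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def steam_code(secret, at=None):
    """Steam Guard: identical HMAC and truncation, then five base-26 symbols
    (least significant first) from STEAM_ALPHABET instead of decimal digits."""
    at = time.time() if at is None else at
    value = hotp_truncate(secret, int(at // 30))
    out = []
    for _ in range(5):
        out.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(out)


def decode_base32_secret(text):
    """otpauth secrets are unpadded base32, often shown lower-case with spaces."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def parse_otpauth(uri):
    """Split otpauth://totp/Issuer:account?secret=...&issuer=... into its parts."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "issuer": params.get("issuer", label_issuer),
        "account": account,
        "secret": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def verify_totp(secret, code, at, window=1, step=30, digits=6):
    """Server-side check accepting +/- `window` steps of clock drift, compared in
    constant time. A real server must also reject a code that was already used."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    print("RFC 6238 vector, t=59:", totp(SECRET, at=59, digits=8))     # 94287082
    print("current 6-digit code:", totp(account["secret"]))
    print("current Steam code:  ", steam_code(account["secret"]))
```

The point of keeping hotp_truncate separate is that Steam's "own implementation" differs from the standard only in the last step: the same HMAC-SHA1 value is rendered in base 26 instead of base 10, which is why a generic app that can show five characters from that alphabet works with a Steam secret. verify_totp also shows why the drift window in google-authenticator is a security trade-off: every extra step of tolerance is another valid code at any moment.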

Screenshot of the SailOTP application in Sailfish (with censored accounts and passwords of course):


Sunday 10 July 2016

Firefox Tracking Protection for all users

Firefox Tracking Protection is a great feature used in Private Browsing mode, but turning it on permanently has several benefits. According to researchers it makes pages load 44% faster and reduces data usage by 39% [1][2]. You will also get rid of most personalized advertisement, which is where the performance gain comes from. Personally, I prefer to choose my advertisement myself.

You can turn on the feature in Firefox by typing about:config in the location bar and hitting enter. Type and find privacy.trackingprotection.enabled and double-click it to toggle it to true.



But how to turn this feature on for all users on the same PC? Usually family members are not tech-savvy enough to mess around in the Firefox configuration interface. Behold, if you are an administrator, you can set a machine-wide setting.

You can tell Firefox to read system-wide preferences by creating a file defaults/pref/local-settings.js in the Firefox installation directory that points at a configuration file, and then setting the preferences in mozilla.cfg. Mozilla calls this locking preferences [3], but it doesn't necessarily have to lock them like in a corporate environment. Depending on the function used, the user can still override a setting: defaultPref only changes the default, pref re-applies the value at every startup, and lockPref makes it read-only, so it is worth studying the difference between them. Also note that mozilla.cfg is JavaScript that Firefox executes at startup for every user on the machine, so both files must be owned by root and not writable by ordinary users.


This is a small script, to be run as root, that creates the preference files if they don't exist and adds the settings if they aren't there yet. I leave it as an exercise to the reader to make the script change existing settings. Note that the Firefox installation directory can be different in another Linux distribution (or for a Firefox unpacked from Mozilla's tarball).

#!/bin/bash
# Set default tracking protection on in Firefox for all users.
# Must run as root: it writes into the Firefox installation directory.
if [ "$(getconf LONG_BIT)" = "64" ]; then
    firefoxdir="/usr/lib64/firefox"
else
    firefoxdir="/usr/lib/firefox"
fi
prefdir="$firefoxdir/defaults/pref"
localjs="$prefdir/local-settings.js"
cfg="$firefoxdir/mozilla.cfg"

# Append a line to a file unless the file already mentions the given key.
add_if_missing() {
    local file="$1" key="$2" line="$3"
    grep -q -- "$key" "$file" || echo "$line" >> "$file"
}

mkdir -p "$prefdir"
# Both files start with a comment line; Firefox ignores the first line of mozilla.cfg.
[ -f "$localjs" ] || echo '//' > "$localjs"
[ -f "$cfg" ] || echo '//' > "$cfg"

# local-settings.js: tell Firefox to load mozilla.cfg, stored unobscured.
add_if_missing "$localjs" "general.config.filename" 'pref("general.config.filename", "mozilla.cfg");'
add_if_missing "$localjs" "general.config.obscure_value" 'pref("general.config.obscure_value", 0);'

# mozilla.cfg: defaultPref sets the default, pref re-applies the value at every startup.
add_if_missing "$cfg" "privacy.trackingprotection.enabled" 'defaultPref("privacy.trackingprotection.enabled", true);
pref("privacy.trackingprotection.enabled", true);'

# Firefox executes these files, so they must not be writable by ordinary users.
chmod 644 "$localjs" "$cfg"

[1] http://lifehacker.com/turn-on-tracking-protection-in-firefox-to-make-pages-lo-1706946166
[2] http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf
[3] http://kb.mozillazine.org/Locking_preferences

Tuesday 5 July 2016

SleepyHead in Fedora Copr

Fedora Copr is an automated build system with a package repository as output. You upload the source, select the target distributions (Fedora releases, EPEL for Red Hat Enterprise Linux and its clones) and get one or more rpm packages in signed repositories automatically.

There is now a Fedora 24 Copr repository for SleepyHead:

https://copr.fedorainfracloud.org/coprs/johanh/sleepyhead/

This means you can install SleepyHead from command line with:

sudo dnf copr enable johanh/sleepyhead

sudo dnf install sleepyhead

As long as the repository is enabled, you will also receive any updates to SleepyHead when updating your system with dnf update.

Sunday 26 June 2016

SleepyHead Fedora rpm package

Sleep apnea


It is not so bad getting a diagnosis of sleep apnea. Some people are not even aware of their condition. But it is important to get help, because your health could suffer. Some people might feel a little tired, but others could develop serious illnesses. For more information, see https://en.wikipedia.org/wiki/Sleep_apnea.

CPAP units


So I got this CPAP unit (almost for free because of our Nordic national health insurance). It is locked down, so I can't get any useful data directly out of it. But there is an SD card that is meant to be analyzed by my doctor, and there is free software on the Internet that can read it.

SleepyHead


Meet SleepyHead:

http://sleepyhead.jedimark.net

This is a very nice and free (GPL3) cross-platform program. Works in Windows, Mac and Linux.

It is able to import data from an SD card of the most common CPAP units. There is also support for a few pulse oximeters. Below is a screenshot of the welcome screen.


It is important to note that you use this software at your own risk. It is not official medical software and should only be for personal use. See more in the software's disclaimer in the Help menu, About.

Fedora rpm package


There is no rpm package available for Fedora, so I decided to try to build one. Install and use at your own risk. To be on the safe side, use the srpm to build your own package.


To install the software in Fedora 24, download one of the following rpm files:

Fedora 24 64-bit:
sleepyhead-1.0.0-0.3.20160703git0e04bd9.fc24.x86_64.rpm (built from git 2015-07-03 and listed as 1.0.0 Beta 2) - changed 2016-07-04

Fedora 24 32-bit:
sleepyhead-1.0.0-0.3.20160703git0e04bd9.fc24.i686.rpm - changed 2016-07-04

Update: Moved packages to Copr, see next blog post.

Be aware that installing rpm packages downloaded from random places on the Internet is not a good idea from a security point of view: rpm runs the package's install scriptlets as root, and dnf only verifies a GPG signature if the repository is configured to require one. Rebuild from the src.rpm below if you want to be sure of what you are running; otherwise you are doing it at your own risk.


To rebuild the package, use the following file:


sleepyhead-1.0.0-0.3.20160703git0e04bd9.fc24.src.rpm - changed 2016-07-04
Update: Moved to Copr, see next blog post.

Building it requires some dependencies, mainly the Qt5 development libraries and build tools. The spec file has most libraries listed as BuildRequires.

I will try to improve the spec if possible and update the packages also. Comments are welcome, I don't have experience creating many rpm packages.


These rpm packages are based on the free and open-source software SleepyHead available from http://sleepyhead.jedimark.net, developed and copyright by Mark Watkins (C) 2011-2016.

Sunday 27 March 2016

Enabling Hibernation in Fedora 23

By default, Fedora doesn't enable hibernation (suspend to disk). Basically what you need is a swap partition big enough to hold the contents of RAM. It then has to be added to fstab and to the kernel command line in Grub, and the initramfs has to contain the resume module. Keep in mind that the hibernation image is a copy of RAM, including any keys and passwords held by running programs, so if the swap partition is not encrypted, anyone who gets hold of the disk can read that image.

On my laptop (MSI GE60) unfortunately the swap partition was too small. Fedora recommends that a swap partition should be half the size of RAM without hibernation and 1.5 the size of RAM with hibernation with 8 GB - 64 GB of RAM[1].

This laptop has 12 GB of RAM, but only a 6 GB swap partition. The partition has to be extended to 18 GB.

There is a 250 GB SSD with 174 GB of space in /home (ext4 on LVM). I had to reduce the home partition to 162 GB to free up space for the swap partition. Of course, I had to free up enough space in the filesystem first. It is better to have a few times more free space than the amount to be reduced.

Resizing an LVM/ext4 /home partition

I don't recommend doing this, unless you have knowledge about partitions and LVM. You could easily destroy your data! But I will describe step by step how I did it.

Boot the laptop into single-user (rescue) mode. At the Grub screen, edit the linux kernel command line and add "single" or "systemd.unit=rescue.target" (without quotes) to the end of the line. Press Ctrl-X to boot. At the rescue prompt, enter your root password.

At the root rescue prompt, unmount /home with:
umount /home
Check the partition:
e2fsck -f /dev/mapper/fedora_msi-home
(on another laptop, the partition will be named something else, but you will find it under /dev/mapper. "df" will also show currently mounted partitions and usually they are also listed in /etc/fstab)

Resize the file system:
resize2fs -p /dev/mapper/fedora_msi-home 162G
Resize the logical volume:
lvreduce -L 162G /dev/fedora_msi/home

Before continuing, make sure that the partition lines up with the logical volume:
e2fsck -f /dev/mapper/fedora_msi-home
If there are errors because of a too small logical volume, it can be extended with for instance "lvextend -L +1G /dev/fedora_msi/home". Continue extending and running e2fsck until e2fsck is happy.

Make sure the file system fills up the logical volume:
resize2fs -p /dev/mapper/fedora_msi-home
Check again:
e2fsck -f /dev/mapper/fedora_msi-home
Now mount the home partition again:
mount /home
Looks good:
df -h|grep home
/dev/mapper/fedora_msi-home    160G    80G    72G  53% /home

Extending the swap partition

Now that there is enough space available in the LVM volume group, we can extend the logical volume and swap space. Still at the rescue prompt, turn off swap (this should work fine also in runlevel 5/desktop):
swapoff -a
Extend the logical volume:
lvextend -L +12G /dev/fedora_msi/swap
Then just create a new swap partition on the 18GB volume:
mkswap /dev/fedora_msi/swap
Turn on swap:
swapon -a
Check with "free" that your swap space is available. If you didn't already, now you can shutdown and reboot the computer.

Enabling hibernation in Fedora

Check that your laptop at least is able to suspend:
systemctl suspend
In Gnome, you can also click the Gnome status menu, then press the Alt key and the power off icon will turn into a suspend icon. On MSI GE60, the Fn+F10 key combination also suspends.

If it suspends fine and turns on successfully with the power button to where you had left it, there is at least a better chance that also hibernation works fine.

To enable hibernation, add your swap space to fstab (if it isn't already). Note that the partition UUID changed when creating a new swap space above. To get the UUID, issue:
blkid /dev/mapper/fedora_msi-swap
(on another laptop, the partition will be named something else, but you will find it under /dev/mapper)

The output will be something like:
/dev/mapper/fedora_msi-swap: UUID="eb721352-fe3c-4097-9d3f-042de0c98aa5" TYPE="swap"
 Add it to /etc/fstab in the following format, preferably as the last row after the other partitions:
UUID=eb721352-fe3c-4097-9d3f-042de0c98aa5 swap swap defaults 0 0
Check if initramfs contains support for resuming from hibernation:
lsinitrd|more
In the "dracut modules:" section, you should find "resume".

If not, then run dracut to regenerate initramfs for the current running linux kernel:
dracut -f -v
The output should now include the "resume" module.

Add the swap partition to Grub. In my case, I added it to /etc/default/grub:
GRUB_CMDLINE_LINUX="resume=/dev/disk/by-uuid/eb721352-fe3c-4097-9d3f-042de0c98aa5 rd.lvm.lv=fedora_msi/swap rd.lvm.lv=fedora_msi/root nouveau.modeset=0 rd.driver.blacklist=nouveau rhgb quiet"
Just add "resume=/dev/disk/by-uuid/eb721352-fe3c-4097-9d3f-042de0c98aa5" with the UUID of your own swap partition, which you know from the blkid command and fstab. Then write the new Grub configuration. On a UEFI system:
grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
On a BIOS system the file is /boot/grub2/grub.cfg instead.

To be sure that you set everything alright in fstab and Grub, reboot once:
systemctl reboot
If you rebooted successfully, login and try to hibernate:
systemctl hibernate
Another nice sleep state:
systemctl hybrid-sleep
The latter is a nice sleep state for especially stationary laptops. If there is still power when resuming, the system wakes up quickly from suspend in RAM. If the battery and/or power is lost, then it will resume from hibernation (from disk).

Unfortunately Gnome doesn't support hibernation by default. You have to use your own shortcut or hibernate from command line. There is also a Gnome extension that currently seems to work fine[2]. It will add a hibernation icon to the Gnome Status menu. Using Alt modifier, you can also do a hybrid sleep.



[1] https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/sect-installation-gui-manual-partitioning-recommended.html
[2] https://extensions.gnome.org/extension/755/hibernate-status-button/

Monday 4 January 2016

Using Dropbox from command line in Fedora

Dropbox is a file hosting service operated by Dropbox Inc. that offers easy cloud storage on multiple platforms. Note that Dropbox is proprietary software, but offers a free account with up to 2 GB of storage [1]. Personally I've used Dropbox to sync files between PCs and also phones.

In Fedora linux, you can install Dropbox from the RPM Fusion repository [2]. This is basically an installer and command line client script for the binary Dropbox daemon (application) that then has to be separately installed by each user. There is also a plugin for nautilus, the file manager: nautilus-dropbox.

To install, simply issue on the command line as root (or sudo):
dnf install dropbox nautilus-dropbox
You could also download the program from Dropbox home page and install it manually [3]. I prefer using the Fedora package, then it will be nicely integrated also in Gnome on a desktop PC. The following instruction is how to install and configure on a headless PC, using only the command line (well almost, you need a web browser at some point).

To install the actual daemon (application), issue the following command as user:
dropbox start -i
Let the program download the daemon and install it.

If you already started the daemon, ensure it is stopped with:
dropbox stop
Now run the daemon manually from the command line to initialize it and connect it to your Dropbox account:
~/.dropbox-dist/dropboxd
You should see the following output:
 This client is not linked to any account... Please visit https://www.dropbox.com/cli_link?host_id=7d44a548aa48f285f3da0x63564d03c2 to link this machine.
You need to copy this link and paste it into a browser and then login to your Dropbox account. How this is done is up to you. Either copy the link from an SSH window, type it manually on a separate device that has a browser or use link (lynx) on the headless PC. After this step, Dropbox will create a ~/Dropbox folder and start synchronizing.
(I don't know why this step isn't implemented in the /usr/bin/dropbox script. It makes no sense that it supports installing the daemon, but not connecting it to your account and initializing, even though the daemon can do it, halfway at least.)

Kill the previous command with Ctrl-c. Whenever you need, you can start Dropbox with
dropbox start
Type 'dropbox help' to get more information using the command line [4].

In Fedora, Dropbox will now automatically start when you login to a desktop session, but not on the command line, e.g. remotely via SSH. To make it start also in bash, add the following to your .bash_profile:
# start Dropbox
if [ "$SHLVL" = 1 ]; then
    # count this user's login sessions; compare the whole user field so that
    # a user "jo" does not also count the sessions of "johan"
    sessions=$(who | awk -v u="$USER" '$1 == u' | wc -l)
    if [ "$sessions" -eq 1 ]; then
        [ -x /usr/bin/dropbox ] && /usr/bin/dropbox start
    fi
fi
Here is the explanation for the above script. It only runs when the SHLVL variable is 1, which prevents it from starting Dropbox several times in nested shells (bash started from within bash). It also only starts Dropbox if this is the first and only session where the user is logged in; the awk filter matches the whole user field of the who output, since a plain grep would also count other users whose names contain yours. Then it checks for the existence of the Dropbox start script and starts it. If for some reason the checks don't work and Dropbox is already started, it is no big deal: Dropbox will print a warning that it is already running.

To stop Dropbox when logging out from the last session, add the following to your .bash_logout:
# stop Dropbox
if [ "$SHLVL" = 1 ]; then
    # same session count as in .bash_profile: only the last session stops the daemon
    sessions=$(who | awk -v u="$USER" '$1 == u' | wc -l)
    if [ "$sessions" -eq 1 ]; then
        [ -x /usr/bin/dropbox ] && /usr/bin/dropbox stop
    fi
fi
Similarly to the start script, it will not stop Dropbox from a nested shell, and only when it is run by the last session of the user.

The scripts won't run when starting an xterm within a desktop session (only .bashrc is executed when starting a terminal within a desktop session, not .bash_profile nor .bash_logout).

[1] https://en.wikipedia.org/wiki/Dropbox_%28service%29
[2] http://rpmfusion.org/
[3] http://www.dropboxwiki.com/tips-and-tricks/install-dropbox-in-an-entirely-text-based-linux-environment
[4] http://www.dropboxwiki.com/tips-and-tricks/using-the-official-dropbox-command-line-interface-cli