Restore Zimbra, OSE, from backups
30 Mar

This morning I thought to take advantage of the long weekend and update my Zimbra installation – this didn’t go as well as expected. Instead I ended up with a corrupted server and was left spending the morning restoring from my latest zmback.sh backup.

The process was simple enough, but since I couldn’t find a clear step-by-step guide I thought an easy-to-find reference would be of use in the future, as I’m sure I’ll be in a similar position again one day.

Windows 10 DNS Problems
24 Mar

This week I came across a strange problem in Windows 10, and since I’m likely to have the same problem in future I thought it worth recording what happened – and how I solved it.

Starting at the beginning, I’ll lay out the problem. I run my own DNS server on my network, both for simple caching and security, but mostly to override certain external domains with their internal host. So you can imagine my headache when Firefox started saying my hosts were unavailable.

After some digging I found, thanks to the ping command, that Windows was resolving the wrong IP address. Instead of getting my DNS server’s local IP address it was returning the external IP address. My first thought was that the DNS server was at fault, and I spent two or three hours going down that line of thought with no success. I finally struck on the idea of using Wireshark to check what was coming back from the DNS server. This at least confirmed that the right – by which I mean local – IP address was returned from DNS, which meant Windows was doing something after the fact.

I eventually traced the problem to my Avast anti-virus. Avast has a feature called ‘Secure DNS’ – in most cases a really useful one – which was intercepting my requests and altering the returned IP. As soon as I disabled this feature my problems were solved.

So I’m posting this here for anyone else who’s having a similar problem. I hope it helps someone.

Rsync Bandwidth Limit
02 Aug

How do I stop Rsync using all my bandwidth?

If you use rsync to move large files, or just a large number of files, from one machine to another, either over the internet or your local network, you’ll have realised that rsync uses as much bandwidth as it can get hold of, which is not always convenient.

The reason you might want to reduce rsync’s bandwidth load is to ensure it doesn’t clog up your network, making everything else unusable.

Obviously this is going to slow down the total time required to transfer your files. On the face of it this might not seem ideal, but if you’re moving your nightly backup files from your web server to your backup location, time isn’t the most important factor. What you really want is for these backups to happen seamlessly in the background and not to DDoS your own site.

A normal rsync command might look something like this:

The parameter that tells rsync how much bandwidth to use is --bwlimit.

So if you want to limit rsync to 10MB a second the command would look like:

Or to limit rsync to 5MB a second the command would look like:

Samba Full Audit Trail
19 Jul

This is a new one. I was asked today to explain why files were missing from the Samba file server. Sadly, in the end I wasn’t able to find out why, simply because there was no log. This at least isn’t a case of a system admin not keeping logs; there were thousands of them for Samba (I managed to trace that to a poorly configured log rotation setup) but not one of those logs could help me – seriously, why does Samba keep so many logs except the one you’re interested in!

Unfortunately I wasn’t able to answer the question about where the missing files went, but this isn’t the first time I’ve been asked it, so next time – and, as any good system admin knows, there is always a next time – I want to be able to know what happened.

In this post I will talk you through configuring Samba 3.6.3 to keep a full user audit trail, recording all changes made to the file system – including deletions.

In my own research I was quite impressed that Samba can already do this; it’s just not on by default. The trick is to use a stackable VFS module called full_audit. The system I was setting this up on was Ubuntu 12.04.5 LTS (precise) and already had full_audit installed, so I didn’t need to worry too much about that. To check whether it’s installed on your system, look for the file /usr/lib/samba/vfs/full_audit.so; if it’s there, everything is installed and working – if it’s not, let me know in the comments below because I haven’t found a system that was missing it yet.

Setting up the share

I’m only interested in creating an audit trail for one of the server’s shares, so these settings can be assigned to that one share’s configuration. When all is done the final configuration in /etc/samba/smb.conf will look like this – don’t worry too much about it, it works and I’ll go through it line by line.

When you copy this into your smb.conf file, make sure not to copy the existing share configuration section as well.

The normal configuration section you should know already, so let’s look at the new parts:

vfs objects – tells Samba to load the new module.

full_audit:prefix – This defines how each log line will look and fully supports Samba variables. The format I’ve chosen is:
  • %U = Samba username
  • %I = client IP address
  • %m = client hostname
  • %S = current share name – not technically needed since I’m doing this for a single share, but probably worth keeping in case the configuration is expanded later
For now ignore the nasaudit at the start; I’ll come back to it later.

full_audit:success – Which successful user actions to log:
  • mkdir = upload/create a new directory
  • pwrite = upload/create a new file
  • rename = rename a file
  • rmdir = delete a directory
  • unlink = delete a file

full_audit:failure – The same as full_audit:success, but for actions that failed.

full_audit:facility – Which syslog facility to log to. We can use this later to direct the messages out of syslog and into a more useful file.

full_audit:priority – The priority to set on the log messages.

So there you have it. Next time you restart Samba it will log a whole lot more about what users are actually doing on your file system, but currently those logs are going into /var/log/syslog, so in the next step we’ll get them out of there and into a file of their own.

Redirect the logged output

I use the rsyslog daemon rather than syslog, but the process below should work for either one.

We told Samba to output logs to facility ‘local5’, so we can tell rsyslog to look for that, but rather than just take everything that gets sent to local5 we can use a filter and act only on messages that contain nasaudit – see, I told you I’d come back to it.

Now we know what we’re planning to do, let’s put it all together. Just add the following line, either to your /etc/rsyslog.conf file or, better still, to a new file in the /etc/rsyslog.d/ directory.

Rotating logs

The final thing we need to do is add this new log file to the /etc/logrotate.d/samba configuration file. This way we get a nice clean audit folder; since these audit logs could be quite long on a busy server, trying to search through a single file would grow old – fast.

Open up /etc/logrotate.d/samba in your favourite editor and copy in the block below:

This will rotate the logs every day and keep 90 of them. Deciding how much to keep, and how far back you will need to go, is a personal thing. In my case I’ve gone with three months to start with, and it’s simple enough to scale that back.
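Putting the audit trail to use, as an added example that is not from the original post: a small POSIX shell script that answers the question this post started with – who deleted a file – by reading the lines full_audit writes with the nasaudit|%U|%I|%m|%S prefix described above. It assumes rsyslog has already redirected them into a file of their own (the path /var/log/samba/audit.log is an assumption, as is the exact line layout shown in the comments); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not the post's own code: query a full_audit log written with
# the prefix  nasaudit|%U|%I|%m|%S  after rsyslog has filtered it into its own
# file (e.g. /var/log/samba/audit.log, path assumed).
# Assumed line layout (Samba 3.x full_audit via syslog; check yours):
#   <syslog timestamp> <host> smbd_audit: nasaudit|user|ip|client|share|op|ok|path...
# A denied action carries "fail (reason)" instead of "ok" in the status field.

# Constructed sample log standing in for the real audit file.
SAMPLE_LOG="${TMPDIR:-/tmp}/nasaudit-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 19 09:12:01 nas smbd_audit: nasaudit|alice|192.168.1.20|alice-laptop|shared|unlink|ok|docs/report.docx
Jul 19 09:12:05 nas smbd_audit: nasaudit|alice|192.168.1.20|alice-laptop|shared|rmdir|ok|docs/old
Jul 19 09:13:10 nas smbd_audit: nasaudit|bob|192.168.1.31|bob-pc|shared|pwrite|ok|photos/img1.jpg
Jul 19 09:14:22 nas smbd_audit: nasaudit|bob|192.168.1.31|bob-pc|shared|unlink|fail (Permission denied)|docs/report.docx
Jul 19 09:15:00 nas smbd_audit: nasaudit|carol|192.168.1.40|carol-pc|shared|rename|ok|notes/a.txt|notes/b.txt
EOF

# who_deleted LOGFILE NEEDLE
# Prints every successful unlink/rmdir whose path contains NEEDLE, with the
# syslog timestamp and the user/IP/client fields taken from the prefix.
who_deleted() {
  awk -F'|' -v needle="$2" '
    $1 ~ /nasaudit$/ && ($6 == "unlink" || $6 == "rmdir") && $7 == "ok" && index($8, needle) {
      split($1, h, " ")   # h[1..3] = month, day, time from the syslog header
      printf "%s %s %s user=%s ip=%s host=%s %s %s\n", h[1], h[2], h[3], $2, $3, $4, $6, $8
    }' "$1"
}

# deletion_counts LOGFILE
# Successful deletions per user, busiest user first. Failed attempts are not
# counted here; failed_actions lists them separately.
deletion_counts() {
  awk -F'|' '$1 ~ /nasaudit$/ && ($6 == "unlink" || $6 == "rmdir") && $7 == "ok" { n[$2]++ }
             END { for (u in n) print u, n[u] }' "$1" | sort -k2,2nr -k1,1
}

# failed_actions LOGFILE
# Denied operations: a burst of these from one client is worth a look on its own.
failed_actions() {
  awk -F'|' '$1 ~ /nasaudit$/ && $7 ~ /^fail/ { print $2, $3, $6, $8, $7 }' "$1"
}

# Run with --demo to print the three views over the sample log.
if [ "${1:-}" = "--demo" ]; then
  echo "== deletions matching report.docx"; who_deleted "$SAMPLE_LOG" report.docx
  echo "== successful deletions per user";  deletion_counts "$SAMPLE_LOG"
  echo "== denied actions";                 failed_actions "$SAMPLE_LOG"
fi
```

Point the functions at the rotated files too (audit.log.1 and so on) when the deletion happened before the last rotation.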

Raspberry Pi Bitcoin Core 0.10.2 Installation
14 Jun

This weekend’s project is setting up a Raspberry Pi as an online Bitcoin wallet.

As you might expect, the first step has been installing Bitcoin Core. There is no Bitcoin binary available for the Raspberry Pi’s ARM processor so I had to build it from source. Lest I forget, here is my step-by-step guide:

Requirements

  • Raspberry Pi 2
  • A 2A power supply
  • External HD
  • Raspbian OS Image Downloaded from here
  • The blockchain – optional, but could save days of waiting

Installing a Clean OS

First thing to do, now we have a Raspbian install image, is copy it to a new microSD card.

Being a Linux user I just copy the image from the command line using dd:

dd is a Unix command, so if you’re a Mac OS X user the same command will work for you as well. It takes a few minutes but gets the job done. For Windows users a program like Win32DiskImager can do the install for you – full instructions can be found here.

Raspi-Config / Updating

As normal with a new installation, raspi-config will run during the first boot. What we need to do here is expand the file system to take up the whole SD card – no point in empty space just sitting around looking pretty.

Once that’s done, enable the SSH server. The Pi will reboot after you exit raspi-config, so just let it do its thing.

Once the Pi is back up and running you can keep working with an attached keyboard and mouse, or fire up an SSH connection from another machine and work from there; the choice is yours.

If you do choose the SSH option, make sure you start a screen session, since the commands we’re about to run could take a few hours on the Raspberry.

If you need a pointer, the quickest way to get the Raspberry’s IP address is running ifconfig from the command line. The default username is pi and – if you didn’t already change it – the password will be raspberry, but I would highly recommend changing it as your first step; passwd will do the job.

Now that we have a running Raspberry Pi and we’ve logged into a terminal – either through the keyboard and monitor or over SSH – we’re going to quickly run an OS update:

Installing Bitcoin

Getting the dependencies

We’re going to have to build Bitcoin Core from the source code, and for that we need the build tools and dependent libraries installed:

We also need to install BerkeleyDB 4.8; since it’s not available from apt-get we’ll need to build it from source as well. This will take a while, so it’s probably best to grab a cup of coffee or something, but if you’re using a Raspberry Pi 2 you can replace the make command with make -j4 to spread the load over the extra cores.

Getting the source

Now that the system is ready we can finally start on Bitcoin. First get the source code from the GitHub repository:

Building it

Next we’ll configure it for our system and get the build started. Again this will take ages, but you can speed it up on the Raspberry Pi 2 by using make -j4 instead of just make – for reference, I just used make and it was done in about 3 to 4 hours.

Up & running

… and we’re back. We now have Bitcoin Core 0.10.2 installed on our Raspberry. Before we run it for the first time we need to make sure we can download the blockchain. At present the blockchain is over 35 GB. Since we can’t feasibly store it on our microSD card we need to put it on an external hard drive.

If you’ve never plugged an external drive into a Raspberry Pi before, it’s worth pointing out that the Pi doesn’t have enough power to support the drive directly. You must either get a drive that comes with its own power supply or plug the drive into a powered USB hub.

Once your drive is ready you have a few options for telling Bitcoin Core where to put the blockchain. Either mount the external drive at /home/pi/.bitcoin or create a symlink there. The final option is to pass the new location to bitcoin on the command line: bitcoin-qt -datadir=/path/to/harddisk/

One last thing before we fire up the Core. If you already have a copy of the blockchain, copy it to the Raspberry Pi; it will save hours or even days of waiting. However, if like me you don’t, you may run into the same problems I have.

When I started running bitcoin-qt it would crash. After Googling around, the error message relates to a lack of memory. The Raspberry Pi 2 has 1GB of RAM but it appears that isn’t always enough. Since adding more RAM isn’t a practical option I’ve resorted to running this script:

This handy little one-liner will restart bitcoin-qt every time it closes – in my case crashes – and the download will resume where it left off.

I’m not sure if this problem is a characteristic of the Raspberry Pi or just happens while the blockchain is downloading, but once my download completes I’ll get a better idea and can give some more feedback.

Raspberry Pi Powered OpenVPN – Client Side
19 Apr

This is part two of my series on creating your own private VPN server at home using a Raspberry Pi. If you have followed on from my Raspberry Pi Powered OpenVPN – Server post you will have a fully working OpenVPN server. You probably also noticed it took a good portion of your afternoon, but with bugs and hacks being found in more and more Linux software and libraries it is well worth having a server you can trust.

You’ll have noticed, though, that we’re missing a vital step before we can make use of our new server. In part three of my tutorial we created some access keys to allow our phones and laptops (from here on called clients) to access our server, but we haven’t told the clients about it.

The OpenVPN software gets all the information about where your server is, how to connect, what keys to use and what connections to create from a configuration file with a .ovpn extension. Since you need a separate OVPN file for each client we’ll use a script to do the heavy lifting.

Eric Jodoin first created this script while at the SANS Institute, and with some basic template files it can create configuration files for all our clients.

As with the Raspberry Pi Powered OpenVPN – Server tutorial, the following commands still need to be executed as root, so remember to either add sudo in front of them or make sure you still have root from the sudo -s command.

Setting the defaults

Eric’s script works by combining a default configuration file with the keys specific to each client, so we need to create that default file first.

Create a new blank file:

nano /etc/openvpn/easy-rsa/keys/Default.txt

Then copy and paste in this:


Remember to change the remote line to match your setup. Include the public IP address of your OpenVPN server and make sure the port and proto are correct. If on page four you opted to use TCP or a non-standard port, one other than 1194, you need to make sure this is correct here as well.

If you are not sure what your public IP address is you can ask Google.

Some ISPs will rotate your IP address regularly, which causes a problem when trying to access your new server. There are however many services that offer dynamic domain names (DDNS). These give you a static domain name and make sure the IP address always points to your home PC. The first thing I would do is check your router to see if it supports a DDNS provider. If it doesn’t, you can use a free service like DNS Dynamic, but you will have to set up and run ddclient on the Pi to keep your IP address updated.

As in the previous tutorials, use control+x and save the new file.

Creating the script

Now we’ll create a copy of the script Eric produced; the original PDF of his research paper can be found online.

First create a new file in nano:

nano -w /etc/openvpn/easy-rsa/keys/ovpn_gen.sh

Get a copy of the script from my GitLab server and paste it into this new file. Lastly, control+x and save the new script.

By default new files created in nano are just text files; they do not have permission to execute commands. This command will give only the root user permission to read, write or execute our new file:

chmod 700 /etc/openvpn/easy-rsa/keys/ovpn_gen.sh

We can now run the script, but first make sure we are in the keys folder:


The first thing we’re asked for is the Client Name. This must be the same as we used on page three of the server-side tutorial. I’ll continue using KEYNAME here, but if I was setting up the key for my Nexus 5 I would use stuart.nexus5.

If everything worked as expected you’ll see a message like this:


Now just rinse and repeat for as many clients as you have set up, but make sure to only run the command for keys you have already created. If you need a new device, go back to page three and create a new set of keys first.

Downloading the OVPN files

You now have to download your new OVPN file from the /etc/openvpn/easy-rsa/keys/ folder onto your clients. If you are on a Linux system I would use the scp command, but for Windows users WinSCP would work as well.

If you are using WinSCP you will not have permission to access /etc/openvpn/easy-rsa/keys/; this is by design and adds additional protection to your server. So you can cp the file into the pi home directory first and download it from there, but make sure to delete it once you have it on the client.

cp /etc/openvpn/easy-rsa/keys/KEYNAME.ovpn /home/pi/

and then

rm /home/pi/KEYNAME.ovpn

In part two of this tutorial we’ll take a look at setting up our client and getting OpenVPN installed and running on your Android phone or tablet.

Fedora/Yum update notification in OpenBox
06 Feb

OpenBox is a minimalist window manager for Linux; it’s also my manager of choice. Due to its minimal memory footprint it’s faster than Gnome or KDE, but because it’s minimal a lot of what you may have come to know and love is not enabled by default.

I will cover more about OpenBox and its configuration in future posts, but this evening I decided to check for updates to Fedora 21 and to my surprise I found over 200 updates waiting for me. I know, I am really bad at checking for updates, but so are you, so don’t judge!

When you log into KDE or Gnome many other services and background programs are run, one of which checks for system updates and alerts you. There is no such thing running by default when you first run OpenBox, so I created a Bash script that runs from cron. It uses the notify-send command to pop up alerts when updates are available.

Create a new file at /usr/local/bin/yum-watch and copy in:

Now make sure the file is executable with sudo chmod 700 /usr/local/bin/yum-watch. Then just add your new command to cron or run it at startup and you’ll start getting notifications if and when new updates are available.
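An added example of such a watcher, written for this page rather than taken from the original post: it polls yum check-update, counts the packages it lists, and raises a notify-send pop-up. It assumes Fedora with yum and libnotify installed, and the yum output in the comments and test is constructed.

```shell
#!/bin/sh
# Added example, not the author's yum-watch script: poll yum for pending
# updates from cron and raise a desktop notification when there are any.
# Assumes Fedora with yum and libnotify's notify-send on the PATH.

# count_updates: read `yum check-update` output on stdin and count package
# lines of the form "name.arch  version-release  repo". Header chatter,
# blank lines and the indented old-package lines under "Obsoleting Packages"
# are skipped.
count_updates() {
  awk '{ c = substr($0, 1, 1) }
       c != " " && c != "\t" && NF == 3 && $1 ~ /\.[A-Za-z0-9_]+$/ { n++ }
       END { print n + 0 }'
}

# notify TITLE BODY [URGENCY]
# notify-send talks to the user's session bus: when this runs from cron,
# export DBUS_SESSION_BUS_ADDRESS (and DISPLAY) for that user first, or the
# pop-up silently never appears.
notify() {
  notify-send -a yum-watch -u "${3:-normal}" "$1" "$2"
}

# yum_watch: check-update exits 100 when updates are available, 0 when the
# system is current and 1 on error, so the exit code drives the decision and
# the output is only parsed to count what is waiting.
yum_watch() {
  out=$(yum -q check-update 2>/dev/null)
  rc=$?
  case "$rc" in
    100) n=$(printf '%s\n' "$out" | count_updates)
         notify "Fedora updates" "$n package update(s) waiting; run: sudo yum update" ;;
    0)   : ;;   # nothing to report
    *)   notify "yum-watch" "yum check-update failed (exit $rc)" critical ;;
  esac
}

# Only poll when executed as the installed script, not when sourced for tests.
case "$0" in */yum-watch|yum-watch) yum_watch ;; esac
```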

The Dangers of Open Spots
01 Feb

All over the web you will see people telling you the internet is an unsafe place to be, but the biggest danger doesn’t come from someone sitting at home intercepting your connection to your bank or Facebook. It comes from someone sitting in the same coffee shop as you getting between you and the internet, what’s known as a ‘man-in-the-middle attack’.

This illustration shows what a normal Internet connection should look like:

[Figure: Standard Internet Connection]

As you can see, the green and red lines represent unchanged traffic between you and the internet.

But in a man in the middle attack it would look more like this:

[Figure: Man-In-The-Middle Connection]

In this case you are sending traffic to a third party, connected to the same router as you, and they are sending it on to the internet. They receive the response and forward that on to you. This allows them to rewrite any web page or email before you see it, and they can see any passwords you are sending.

Having an HTTPS connection can go a long way to protecting you from this kind of attack, but it’s not perfect. If a man in the middle can intercept all your traffic they can intercept your connection request, offer you a secure connection with them, and create a separate secure connection to the remote host.

[Image: SSL Certificate Shield]

This is part of the reason we use Certificate Authorities. While the man in the middle can offer you a secure connection to their fake site, they can’t fake the signature. So if everything is working correctly your browser will throw up an error and encourage you to click away, but as users we’re trained to push past these without ever reading them or paying attention.

Another way this fails is when a certificate authority whom your browser trusts loses control of their keys. In effect a hacker can now create fraudulent certificates for any site they like and your browser will accept them quite happily – at least until everyone updates their browser.

There are a number of solutions to this, each with its ups and downs. The one the industry is favouring is EV certs. These are special certificates that in most cases turn your browser’s address bar green.

It’s important to understand what an EV cert actually does. It is cryptographically no more secure than a self-signed certificate, but it has better authenticity. Before any certificate authority can issue you with an EV certificate they have to perform far more checks on who you are, and that’s what you pay for.

A regular certificate lasting one year will separate you from between £9.99 and £175.00 of your hard-earned cash, but an EV certificate for the same twelve months would set you back between £249.99 and £1000.00.

While EV certificates are a solution, and a good one, they still rely on the website you’re visiting doing the hard work and paying the fee. So we need to look at more practical solutions a user can apply.

One of the best, and easiest, is only accessing the internet from a trusted router. So you could stop using any public wifi – easy. A slightly less extreme way would be if we could access the internet through our home router all the time, from wherever we are.

[Image: Raspberry Pi]

So how do we access the internet from home when we’re in a coffee shop on the other side of the city? Like everything there are lots of solutions, but the main one would be a VPN, like OpenVPN. Like all servers you have to be running it on your home machine at all times, just in case you want to connect to it. Not cost effective and a waste of electricity, but we can use a cheaper form of computer like a Raspberry Pi. I’ve already posted about the running costs of a Pi, but it’s usually in the region of £4.60 to £10.52 per year.

This is the solution I’ve decided to go for since it’s open source and supports all versions of Linux, Windows and even has an Android app.

In the next article I’ll start by talking you through the initial setup of the Raspberry Pi then we’ll move on to installing OpenVPN and finally getting your laptop and Android connected.

Raspberry Pi Yearly Running Cost
29 Jan

I don’t know about you, but I run a number of Raspberry Pis in my house all doing different jobs. I’ve often heard it said how inexpensive a Pi is to run, but never how inexpensive, and I wanted some real-world figures.

After a little time with good old Google I came across this forum post by audigex from 2012, so I’ve used his calculations, just updated the figures.

In the same vein as audigex’s original post I’ve taken the worst case and a more average look. A Raspberry Pi uses 5W maximum in theory (5V x 1A = 5W), but it should never go higher than 700mA, which is only 3.5W.

I really had to search around, but the most expensive unit price I could find at present, January 2015, was £0.24 per kWh. I won’t name and shame the company here, but believe me, if you’re paying that much you will be hard pressed not to beat it!

Worst Case
  Raspberry Pi power         5W
  Hours to use 1 kWh         200 h        = 1000 / 5
  Hours in a year            8765.81 h
  Raspberry Pi per year      43.83 kWh    = 8765.81 / 200
  Cost per kWh               £0.24
  Yearly running cost        £10.52       = 43.83 * 0.24

For a more realistic look I downgraded the total wattage to 3.5W, as discussed above, and took the average unit cost straight off the UK Gov website, from the Department of Energy & Climate Change Quarterly Energy Prices published on 18th December 2014. According to official Government statistics the average cost for a kWh unit is £0.15; personally I’m paying slightly less than the average, but the figure is still a valid one for this analysis.

Realistic Values
  Raspberry Pi power         3.5W
  Hours to use 1 kWh         286 h        = 1000 / 3.5
  Hours in a year            8765.81 h
  Raspberry Pi per year      30.68 kWh    = 8765.81 / 200
  Cost per kWh               £0.15
  Yearly running cost        £4.60        = 30.68 * 0.15

So, based on what I freely admit is back-of-the-napkin maths, a Raspberry Pi costs between £4.60 and £10.52 per year. Obviously this may be slightly higher if you are also running a USB hub or any external storage.

I hope this is of use to someone else. If you have noticed any flaws in my calculations please let me know in the comments below.

Overclocking RaspberryPi
17 Dec

By default the processor in the Raspberry Pi runs at 700MHz, but it can be overclocked without voiding your warranty. Basically a processor is designed to do one job at a time, be it retrieving something from RAM or adding two numbers together; it’s limited to one task. But when we’re using them the idea of one thing at a time is hard to get our heads around, since it appears to be doing so much more. That’s because a processor can do that one task really, really, really fast. The clock speed, 700MHz, gives us an idea of how many tasks it can do per second; the higher the speed, the better the performance you get.

Overclocking simply means increasing the clock speed past its default. The problem is that if you overclock too much the processor becomes unstable, which can lead to crashes or even burn itself out.

My Raspberry Pi is running Raspbian, so to overclock it simply type sudo raspi-config

[Screenshot: raspi-config]

Go down to item 7 Overclock and press ENTER, then press ENTER a second time to confirm the warning message.

[Screenshot: raspi-config select frequency]

raspi-config has five levels of overclocking: 700MHz (no overclocking), 800MHz (modest), 900MHz (medium), 950MHz (high) and 1000MHz (turbo). All of these are supported by the Raspberry Pi Foundation and will not void your warranty; overclocking to anything other than what’s on this list, or overvolting the Raspberry Pi, will void the warranty.

Select the level of overclocking you want from the list, as below, and click on <Ok> to confirm your selection.

[Screenshot: raspi-config select frequency]

After that your Raspberry Pi will need to reboot for the new settings to take effect. After the reboot you can check your settings by looking in /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq:

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

If for any reason your Raspberry Pi fails to boot after you’ve overclocked it, hold down the shift key at boot time to temporarily disable overclocking, then just go back into sudo raspi-config and select a lower speed.

TrueCrypt
29 Nov

TrueCrypt is dead, long live TrueCrypt. In a move that shocked everyone on the internet, TrueCrypt was taken down on May 28th 2014 and the official TrueCrypt website, truecrypt.org, began redirecting users to a page warning that the software contained unfixed security issues.

This announcement caused a great amount of panic and speculation about one of the most popular cross-platform encryption tools available. As the dust settled it became clear there are no known security problems with TrueCrypt, but all development by the original authors has ceased and it is their opinion that using unmaintained software would pose a security risk.

Don’t Panic

In part they might be right. If down the line a flaw in TrueCrypt is found they will not be fixing it, but as yet there is no such flaw and a full security audit is under way. The audit is being carried out by iSEC Partners and crowdfunded by TrueCrypt users. While still in its infancy it has already completed work on the TrueCrypt boot loader and found nothing of concern. For those who don’t want to read the full report, Steve Gibson of GRC.com did a fantastic breakdown for Security Now Episode 458.

Verifying the TrueCrypt v7.1a Files

Across this site I have used my OpenPGP key to digitally sign my downloads as a way of authenticating them. In this case I didn’t want to sign the work of someone else, and it would only have verified that the download was the one I intended for you to get.

Since paranoia is nothing to be ashamed of, I’ve taken a leaf out of GRC’s book and provided SHA256, SHA1 and MD5 hashes for all my downloads, which I have then digitally signed to prevent tampering.

Now, since I do not have another site on which I can host an independent copy of these hashes, I can only point you to the same place as GRC does. Taylor Hornby (aka FireXware) of Defuse Security is hosting a copy of the same files offered by GRC at https://defuse.ca/truecrypt-7.1a-hashes.htm. The best validation I can offer is that the hashes of my files match exactly what is offered by GRC and several other independent archives.
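How a downloader would actually check one of these files, as an added example that is not part of the original post: a POSIX shell routine that compares a download against a published hash list and, separately, the list against its OpenPGP signature. It assumes the list is in sha256sum format (one "<hex>  <filename>" entry per line) with a detached signature beside it named <list>.asc; the files and hashes in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the site's own code: verify a download against a signed
# hash list. Assumes the list is in sha256sum format and that its detached
# OpenPGP signature sits next to it as <list>.asc.

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# check_hash FILE LIST
# Returns 0 when FILE's SHA-256 equals the entry for its basename in LIST,
# 1 on a mismatch and 2 when LIST has no entry for it. A missing entry is
# deliberately not treated as a pass.
check_hash() {
  name=$(basename "$1")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print tolower($1) }' "$2")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$1")" = "$expected" ]
}

# check_signature LIST
# Verifies LIST.asc with gpg. This only means something once the signer's
# public key has been imported and its fingerprint confirmed out of band;
# a list fetched from the same place as the download proves little on its own.
check_signature() {
  gpg --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Constructed demo: a good file, a tampered copy and a file the list omits.
demo_dir="${TMPDIR:-/tmp}/hashcheck.$$"
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
printf 'hello' > "$demo_dir/good.bin"        # sha256("hello") is listed below
printf 'hellp' > "$demo_dir/tampered.bin"    # one byte changed, same listed hash
printf 'hello' > "$demo_dir/unlisted.bin"    # correct content, no list entry
cat > "$demo_dir/hashes.sha256" <<'EOF'
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  good.bin
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  tampered.bin
EOF

# demo_results: the three outcomes as a string of return codes, "0 1 2 ".
demo_results() {
  for f in good.bin tampered.bin unlisted.bin; do
    if check_hash "$demo_dir/$f" "$demo_dir/hashes.sha256"; then printf '0 '
    else printf '%s ' "$?"; fi
  done
}
```

Run check_signature on the list before trusting any hash in it; the demo only exercises the hash comparison because it ships no key.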

TrueCrypt 7.1a Archive Repository

File Name                                   Operating System
truecrypt-7.1a-linux-x64.tar.gz             Linux/Unix
truecrypt-7.1a-linux-x86.tar.gz             Linux/Unix
TrueCrypt 7.1a Mac OS X.dmg                 Mac OS X
TrueCrypt Setup 7.1a.exe                    Microsoft Windows
TrueCrypt User Guide.pdf                    N/A
truecrypt-7.1a-linux-console-x64.tar.gz     Linux/Unix
truecrypt-7.1a-linux-console-x86.tar.gz     Linux/Unix
TrueCrypt 7.1a Source.tar.gz                N/A
TrueCrypt 7.1a Source.zip                   N/A

OpenPGP Signed Download Hashes

Install Oracle Java JDK or JRE 8u11
18 Jul

I do not format my desktop PC very often; I reinstall my laptop three or four times a month, but not my primary machine. With almost every clean installation I have to look up how to install Oracle’s Java instead of using the pre-installed OpenJDK.

Since I search for it so often I thought it was well past time I wrote a guide of my own.

What’s New in JDK 8

Java 8 is a major feature release over version 7. The updates are too many to go into in detail here, but Oracle have a full feature change log on their own site.

Scope

This guide will tell you how to install Sun/Oracle Java JDK and/or JRE 8u11 on Fedora 20, 19, 18, 17, 16, 15, 14, 13 and 12 – I haven’t tested on all these versions of Fedora, only 20 and 19, but Fedora hasn’t changed the process so much that this wouldn’t work on older versions. If you do find any problems, please let me know in the comments section and I will get the guide updated.

Install Sun/Oracle Java JDK/JRE 8u11

Download 32-bit or 64-bit RPM packages

Download the RPM files from Oracle’s download page. Depending on your system, 32- or 64-bit, download:
* 32-bit JDK download jdk-8u11-linux-i586.rpm
* 64-bit JDK download jdk-8u11-linux-x64.rpm
* 32-bit JRE download jre-8u11-linux-i586.rpm
* 64-bit JRE download jre-8u11-linux-x64.rpm

Install the RPM packages

Next, install the RPM package you’ve just downloaded using one of these commands:

Set the newly installed Java as the system default

Now that Java 8u11 is installed you need to tell Fedora to use it by default. The alternatives command simply creates links from the system default paths to the new Java installation directory:

Install Browser plugin for Firefox

Most people do not need to do this; I never do. If you don’t know that you need Java inside your browser, skip this step – you can always come back to it later if you find you need to run Java from within Firefox.

Set up Java Development Kit

You only need this if you installed the JDK. These two commands, javac and jar, are used to compile Java code and package the resulting files for distribution.

If you need to run multiple versions set 8u11 to the default

In the steps above you have replaced the already installed version of Java with 8u11, but you haven’t removed it. If in future you install 8u12 but still want 8u11 to be your default, you can specify the version of Java to pass to alternatives instead of using latest.

JRE Users

JDK Users

Make sure its all worked

Just a quick check to see that it’s all working as you expect:

Post Install

You now have Java installed. The last thing you need to do is make sure you have the JAVA_HOME environment variable set on your system.

You can do this per user by adding the above to $HOME/.bash_profile, or make it a system-wide setting by adding it to /etc/profile.

Switching JRE

Now that you have installed Oracle Java and used alternatives to set it as the system default, you may come across occasions when you need to switch the system back to OpenJDK. You can use the alternatives command with the --config argument to set things up the way you want, once for each of the following links:

java

javaws

libjavaplugin.so (32-bit)

libjavaplugin.so.x86_64 (64-bit)

javac
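The install and alternatives steps above, as an added example that is not part of the original post. It adds the check a practitioner would want before running rpm: the downloaded package is compared against the SHA-256 checksum Oracle publishes alongside the download, and nothing is installed on a mismatch. The JDK directory /usr/java/jdk1.8.0_11, the alternatives priority 20000 and the checksum you pass in are assumptions; take the real checksum from Oracle's download page.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Oracle RPM, then run
# the same install/alternatives steps the guide describes against the fixed
# version directory rather than /usr/java/latest.
# Assumptions: the RPM unpacks to /usr/java/jdk1.8.0_11; the expected SHA-256
# is the one shown next to the download on Oracle's page.

# sha256_of FILE -> hex digest, using whichever tool the box has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> exit 0 only when the digest matches
# (compared case-insensitively, since vendors publish either case)
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_oracle_jdk RPM EXPECTED_SHA256 -> refuses to install on a mismatch,
# otherwise installs and points alternatives at the new JDK (run as root)
install_oracle_jdk() {
    rpm_file=$1; expected=$2
    verify_sha256 "$rpm_file" "$expected" || {
        echo "checksum mismatch for $rpm_file, not installing" >&2
        return 1
    }
    rpm -K "$rpm_file"                 # reports whether the package carries a signature
    rpm -Uvh "$rpm_file"
    jdk=/usr/java/jdk1.8.0_11          # versioned path: survives a later 8u12 install
    alternatives --install /usr/bin/java  java  "$jdk/bin/java"  20000
    alternatives --install /usr/bin/javac javac "$jdk/bin/javac" 20000
    alternatives --install /usr/bin/jar   jar   "$jdk/bin/jar"   20000
    alternatives --set java  "$jdk/bin/java"
    alternatives --set javac "$jdk/bin/javac"
    alternatives --set jar   "$jdk/bin/jar"
    java -version                      # the "make sure it's all worked" check
}

# Usage (as root): install_oracle_jdk jdk-8u11-linux-x64.rpm <sha256 from Oracle's page>
```

If the check fails, re-download rather than retry; a mismatch means either a corrupt download or something between you and Oracle altered the file.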

14 Jul

Revert to a previous Git commit

Preamble

I make heavy use of git for all my software development; when asked what the point is for a one-man development team to use something as powerful as git I always reply "universal undo".

With a recent update to the site I finally got the chance to use it the way I'd always expected to, and it worked exactly as expected, but the correct process was harder to find than expected. So here is how I was able to revert my master git branch after committing some bad code:

Reverting Working Copy to Most Recent Commit

To throw away all uncommitted changes and return to the previous commit: git reset --hard HEAD, where HEAD is the most recent commit on your current branch. Note that this discards the uncommitted work; there is no undo for it.

Reverting Working Copy to an Older Commit

This is a somewhat controversial step, but it was what I needed and the only thing I could find that would work. The better option is to avoid a hard reset if other people have copies of the old commits, because using a hard reset like this will force them to resynchronize their work with the newly reset branch. This isn't a problem for me, but it is worth mentioning in case it would be for you.

To revert back to an already committed change:
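An added example, not from the post, that builds a throwaway repository and shows both ways of backing out the last commit: the hard reset the post uses, which rewrites the branch, and git revert, which adds a new commit that undoes the bad one and so is safe on a branch other people have already fetched. It assumes git is on the path; the commit messages, file and identity are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare "git reset --hard" with
# "git revert" on a temporary repository. Assumes git is installed.

# make_repo -> creates a temp repo with a good commit then a bad one, prints its path
make_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email "dev@example.com"   # constructed identity
    git -C "$dir" config user.name  "dev"
    git -C "$dir" config commit.gpgsign false
    echo "good" > "$dir/app.txt"
    git -C "$dir" add app.txt
    git -C "$dir" commit -q -m "good code"
    echo "bad" > "$dir/app.txt"
    git -C "$dir" commit -q -am "bad code"
    echo "$dir"
}

# head_subject REPO -> subject line of the current HEAD commit
head_subject() { git -C "$1" log -1 --format=%s; }

# commit_count REPO -> number of commits reachable from HEAD
commit_count() { git -C "$1" rev-list --count HEAD; }

# undo_by_reset REPO -> drop the last commit and its changes from the working copy;
# history is rewritten, so only do this on a branch nobody else has pulled
undo_by_reset() { git -C "$1" reset -q --hard HEAD~1; }

# undo_by_revert REPO -> keep history, add a commit that reverses the last one;
# safe to push because existing commits are untouched
undo_by_revert() { git -C "$1" revert --no-edit HEAD >/dev/null; }

# file_content REPO -> what app.txt says after the undo
file_content() { cat "$1/app.txt"; }
```

Both leave the working copy saying "good"; the difference is only in the history that remains, and that is what decides whether collaborators have to resynchronise.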

OpenPGP: How I Sign Keys
11 May


Signing is a very personal thing. You are telling the world you believe a key belongs to the person who is claiming it. The value of a web of trust comes from the fact you are willing to put your reputation behind this assertion.

Everyone will treat signing differently. Some may feel bumping into someone at a conference is sufficient; others may want a full DNA breakdown with supporting evidence from three expert witnesses. I like to think I'm somewhere in the middle and have documented my signing policy. This page is about how I sign a key and what you need to do next.

Prerequisite

In order to sign a key you need the master key, and as detailed in my key creation guide I keep my master key separate from my normal key store, so I cannot do any signing during events. Instead I sign all keys at home and then get the signed public key back to you.

The Act

Like all repetitive tasks I have created a script for it, which you can download from its project page. The script does five things:

  1. First download the key to be signed into my keystore
  2. Sign all key identities associated with that key
  3. Export the signed public key
  4. Encrypt it
  5. Finally the script deletes the signed public key from the keystore and re-downloads the unsigned version from the public key server

Next

Now I have an encrypted file containing the key I have just signed, but I do not have a signed copy in my key store. My preferred way of getting a signed key to you is by email. Since I have encrypted the signed file you have to have access to both the private key and the email address in order to use it, and I feel this adds a level of additional verification that you really do have control of the key I just signed. After all, there are many reasons you might not; I could simply have signed the wrong key.

You may have noticed my bash script leaves me without a signed copy of your key; this was a deliberate step. As I said above, by emailing you I am able to assure myself that I have not only signed the right key but that you have access to the correct mailbox. Once you import the key and push it back out to your key server I will retrieve a copy from there.

What do you do now?

If you receive a signed key from me you simply need to run the following command:

PGP will ask for your passphrase, import the newly signed key and verify the attachment was signed with my primary key, fingerprint BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814. It is now up to you to send your newly signed key back to a server for the rest of the world to see.
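The five steps above together with the owner's decrypt-and-import step, as an added example that is not the author's script. It runs offline against two throwaway keys in temporary GnuPG home directories ("Alice" signs "Bob"; names and example.com addresses are constructed), and reads the key to be signed from a file where the real script would fetch it from a key server. The empty passphrases and --pinentry-mode loopback are only there so it runs unattended; real signing keys should be protected.

```shell
#!/bin/sh
# Added example (not the author's script): the signing routine from the post,
# plus what the key owner does with the encrypted file, against throwaway keys.
# Assumes GnuPG 2.1 or later on the path.

# gpgb HOMEDIR ARGS... -> gpg in batch mode against a given home directory
gpgb() { h=$1; shift; gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# make_key HOMEDIR NAME -> generates a signing+encryption key pair, prints its fingerprint
make_key() {
    gpgb "$1" --quick-generate-key "$2 <$2@example.com>" default default never 2>/dev/null
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys "$2@example.com" \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# export_public HOMEDIR FPR DEST -> armoured public key, as the owner would publish it
export_public() { gpg --homedir "$1" --batch --armor --export "$2" > "$3"; }

# sign_and_package HOMEDIR SIGNER_FPR TARGET_FPR PUBFILE OUT -> steps 1 to 5
sign_and_package() {
    h=$1; signer=$2; target=$3; pub=$4; out=$5
    gpg --homedir "$h" --batch --import "$pub" 2>/dev/null                 # 1. fetch the key (file stands in for --recv-keys)
    gpgb "$h" -u "$signer" --quick-sign-key "$target"                        # 2. sign every user ID on it
    gpg --homedir "$h" --batch --armor --export "$target" > "$out.plain"     # 3. export the signed public key
    gpgb "$h" --trust-model always -r "$target" --armor \
        --output "$out" --encrypt "$out.plain"                               # 4. only the key owner can read it
    rm -f "$out.plain"
    gpgb "$h" --delete-keys "$target"                                        # 5. forget the signed copy ...
    gpg --homedir "$h" --batch --import "$pub" 2>/dev/null                   #    ... and keep the unsigned one
}

# receive_signed HOMEDIR ENCFILE -> the owner decrypts with their private key and imports
receive_signed() {
    gpgb "$1" --decrypt "$2" 2>/dev/null | gpg --homedir "$1" --batch --import 2>/dev/null
}

# has_sig_from HOMEDIR KEY_FPR SIGNER_FPR -> 0 when SIGNER's certification is on KEY
has_sig_from() {
    id=$(printf '%s' "$3" | tail -c 16)          # long key ID = last 16 hex digits of the fingerprint
    gpg --homedir "$1" --batch --with-colons --list-sigs "$2" 2>/dev/null \
        | awk -F: -v id="$id" '$1=="sig" && $5==id {found=1} END {exit !found}'
}

# cleanup HOMEDIR... -> stop the agents started for the temporary homes
cleanup() { for h; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; }
```

The owner ends with the signature on their key; the signer's keyring still holds only the unsigned copy until the owner publishes, which is exactly the check the post relies on.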

05 May

Install SSH Key In A Remote Linux Server

I've been setting up a new server and as always the first thing to do is forbid root login using a password and install my SSH keys. Once again I had to Google for how to do this, so I thought I would write about it instead.

After creating a new SSH key, if you don't already have one, you can install it into the target computer using the ssh-copy-id command, which appends your public key to the remote account's authorized_keys file.

There are several ways to use the ssh-copy-id command:

  1. Create the SSH keys:

  2. Install the public key:

  3. If you do not have ssh-copy-id installed on your PC this will also work:
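An added example, not from the post, showing what ssh-copy-id does on the server side, so the same thing can be done over a plain ssh session when the tool is missing, together with the sshd_config changes that forbid password logins for root. The home directory, key text and config file are constructed; on a real host finish with sshd -t and a reload.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side half of
# ssh-copy-id and the sshd_config hardening the post mentions.
# Assumes GNU sed/stat (Linux); paths and key text are constructed.

# install_authorized_key HOME PUBKEY_FILE -> append the key once, with the
# permissions sshd insists on (StrictModes refuses group/world-writable files)
install_authorized_key() {
    home=$1; key=$(cat "$2")
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# count_keys HOME -> number of non-empty lines in authorized_keys
count_keys() { grep -c . "$1/.ssh/authorized_keys"; }

# set_sshd_option CONFIG KEY VALUE -> replace an existing line for KEY (even a
# commented-out default), otherwise append; sshd uses the first match it finds
set_sshd_option() {
    cfg=$1; k=$2; v=$3
    if grep -Eq "^[#[:space:]]*$k[[:space:]]" "$cfg"; then
        sed -i -E "s|^[#[:space:]]*$k[[:space:]].*|$k $v|" "$cfg"
    else
        printf '%s %s\n' "$k" "$v" >> "$cfg"
    fi
}

# harden_sshd CONFIG -> keys only, no root password login.
# Do this only after install_authorized_key has been verified to work,
# then: sshd -t && systemctl reload sshd
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin without-password   # spelled prohibit-password on OpenSSH 7.0+
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# get_sshd_option CONFIG KEY -> effective value (first uncommented match), empty if unset
get_sshd_option() { awk -v k="$2" '$1==k {print $2; exit}' "$1"; }

# The equivalent remote one-liner when ssh-copy-id is not installed locally:
# cat ~/.ssh/id_ed25519.pub | ssh user@host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh \
#   && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```

Keep a second session open while you reload sshd; if the key login fails you still have a way back in to undo the PasswordAuthentication change.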

OpenPGP: My Keys
03 May


It's May again and the sun has finally made an appearance. With summer comes the regular spring cleaning and it seems as good a time as any to update my public encryption keys. My previous keys were cryptographically weaker, 2048-bit compared to 4096-bit. I have also learnt a lot more about best practices when managing keys and feel it's about time to put everything I've learnt into effect.

My Secondary key 0xB784045B remains the same. This key was and has always been stored offline in a TrueCrypt volume and uses a 4096-bit key, so I always have been, and still remain, confident about its security. I am replacing my Primary key using the full key creation and cross-signing guide. This new key is also covered by my signing policy.

My OpenPGP Keys

Below are listed my current PGP keys, including my Primary key and Secondary key. The key ID is a short identifying mark for a key. It is made up of two components separated by a slash. The first identifies the strength and algorithm of the key, so 4096R means it is a 4096-bit RSA key. The second is the last 8 hex digits of the key fingerprint. These are the short form of identification. The key's full identification is its fingerprint, 40 hexadecimal digits. Short key IDs are cheap to collide, so always compare the full fingerprint before trusting or signing a key.

The key also publishes its creation and expiry dates. All my keys will expire, in case of loss or compromise; however it is my intention to keep extending the expiry date for as long as I feel confident of their security.

Primary OpenPGP Key

0x1FA1E814

The key mentioned below (and on /about/me) is my main key, for everyday use. It can be considered acceptably safe, as I take great care in assuring it remains that way. However, since it is my main key it has to be stored on other devices such as laptops, mobile phones and tablets. This opens the key to danger from theft.

Following the advice in the Debian Subkeys wiki I have created a separate subkey for signing. This means the key stored on my devices does not contain the master key; that is stored separately on a TrueCrypt volume in an offline laptop which doesn't leave the house. Key signing is still done using the master key, which means I cannot do it during any key-signing events; I have to do it once I get home again. See my full key-signing policy for how I manage this.

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as PGP Key: 0x1FA1E814 (69 downloads). It is also published by my DNS server: if you issue the command dig +short stuart._pka.nxfifteen.me.uk. TXT the returned key should match the one provided here.

If there ever comes a time when I can no longer assure myself of this key's security or integrity I have revocation certificates stored in a number of safe locations.

pub 4096R/1FA1E814 Created: 2014-05-04
Key fingerprint = BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814

SmartCard OpenPGP Key

0xB7266A16

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as PGP Key: 0xB7266A16 (59 downloads).

If there ever comes a time when I can no longer assure myself of this key's security or integrity I have revocation certificates stored in a number of safe locations.

pub 2048R/B7266A16 Created: 2014-05-04
Key fingerprint = 0E06 2B0D 4E2D BE43 29B9 1C01 9FCD F90A B726 6A16

Secondary/Alternate OpenPGP Key

0xB784045B

A second key is also available, which can be considered extremely safe: it is never stored on any computer (the keys are located on a TrueCrypt-protected USB drive kept in a safe location) and has never been transmitted over any internet connection, so please be patient if you require a reply.

This key is available from the key server at sks.research.nxfifteen.me.uk or as PGP Key: 0xB784045B (58 downloads).

For verification purposes my other keys are always cross-signed with my secondary key.

Feel free to use the following public key if you are concerned or paranoid about what you wish to send to me, however if you are in doubt you should probably use my primary key instead.

pub 4096R/B784045B Created: 2011-09-19
Key fingerprint = 2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B

Chairman of The Software Society OpenPGP key

0x69AA4946

Since April 2012 I have held the position of Chairman of The Software Society Ltd. On the 23rd of March this year, 2013, it was decided that the board of directors and office bearers (Chairman, Company Secretary and Chief Financial Officer) should all create and use OpenPGP keys for all official business.

It was also decided that each office bearer's key should last as long as they are in office, the new incumbent creating a new key upon their election.

To this end, during my time in the post my key will be 0x69AA4946 and will be subject to the same signing policy as has been in use on my personal key.

pub 2048R/69AA4946 Created: 2013-03-24
Key fingerprint = CFAE 70BC 1735 BF50 C993 DACB 6415 6795 69AA 4946

Retired Keys

I have been using PGP on and off since about 2008. In that time many keys have come and gone, and I did not set expiry dates on most of them and never thought to generate or use revocation certificates. The nature of OpenPGP and the Web of Trust means there is no way to retrospectively remove these keys. The best I can do now is list them here. Do not use any of the keys listed below. This is not a complete list, only the ones I can no longer revoke.

0x5DCC0296, 0x541784DD, 0x132DED8D, 0xC5751341, 0xCB52DED2, 0xC941927D, 0xDFA274F2, 0x9F9A8CE0, 0x2DF1892D, 0x843D80BA, 0xA7EEB609

OpenPGP: How does PGP work?
03 May


How does it work

The magic, and I call it magic because I freely admit I do not have the mathematical background to explain it better, of this system is that if you encrypt something using the Public-key only the Private-key can decrypt it and vice versa. So there is no way for someone holding the Public-key to decrypt something encrypted using the Public-key, only the Private-key will decrypt it. The same is true in reverse. If something is encrypted using the Private-key only the Public-key can decrypt it again – in practice you won’t have a problem here, because if you hold the Private-key you already hold the Public-key as well.

Now when I write an email and want to sign it, PGP takes the message or file (for simplicity I'll stick to email as my example) and runs it through a cryptographic hash such as SHA256. A hash is a one-way process: if you hash a block of text with SHA256 you get a string that looks to humans like gibberish, and the important part is that it is always the same. No matter how many times you run the same block of text through SHA256 you will always get the same output, and any change to the text gives a different one. PGP then uses my Private-key to sign (encrypt) that hash and includes the result either as an attachment to the email or at the bottom of the body.

To verify the integrity of an email the receiving PGP-aware application uses the Public-key to decrypt the attached signature and reads the hash it contains. At this point you have already verified the signature was created with the matching Private-key, because a signature altered after creation, or produced with any other key, will not decrypt to a meaningful hash. The next step is for the receiving copy of PGP to run the email through the same hash as before, SHA256, and compare the hash carried in the signature with the one it just computed. If the two match the email has been verified and you can be sure it has not been altered in transit.

How about encrypted messages

The process for full message encryption is slightly different. The problem with Public-key cryptography is that it is expensive in CPU time, and for large messages it is impractical to encrypt the whole message with the recipient's Public-key, so instead we use Symmetric-key encryption for the body. Unlike Public-key encryption, Symmetric-key encryption uses the same key to encrypt and decrypt a message.

So now when I send an encrypted message PGP signs the message in the same way detailed above, then generates a large random session key and uses it to encrypt the message. Now we have an encrypted block of text and a key to decrypt it again, and we have to get both to the recipient without the decryption key becoming public, so we call on Public-key cryptography again. Using the recipient's Public-key we encrypt our generated Symmetric-key and include it in the message alongside the encrypted body. At the other end the recipient uses their Private-key to recover the Symmetric-key, then uses it to decrypt the message. This also allows you to send the same email to multiple recipients: all we have to do is use the Public-key of each person to encrypt a copy of the Symmetric-key.
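An added example, not from the post, that walks both processes above through openssl so each step is visible: hash-and-sign with the sender's private key, then a random session key that encrypts the message and is itself encrypted to the recipient's public key. The RSA keys, AES-256 and the names alice and bob are constructed stand-ins. Real OpenPGP wraps the same pieces in its own packet format and adds integrity protection (MDC or AEAD) that the plain AES-CBC used here does not, so this illustrates the scheme rather than replacing gpg.

```shell
#!/bin/sh
# Added example (not from the original post): sign-then-hybrid-encrypt by hand.
# Assumes OpenSSL 1.1.1 or later on the path; all keys and files are constructed.

# make_keypair DIR NAME -> NAME.key (private) and NAME.pub (public) in DIR
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# sign_file PRIVKEY FILE -> FILE.sig: SHA-256 the file, sign the digest
sign_file() { openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"; }

# verify_file PUBKEY FILE -> 0 only when FILE still matches FILE.sig
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1; }

# encrypt_for RECIPIENT_PUB FILE OUTDIR -> random session key, AES the message with
# it, RSA-encrypt the session key to the recipient; both files travel together
encrypt_for() {
    sess=$(mktemp)
    openssl rand -hex 32 > "$sess" &&
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$sess" -in "$2" -out "$3/message.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$sess" -out "$3/session.enc"
    rc=$?
    rm -f "$sess"            # the session key lives only as long as the send
    return $rc
}

# decrypt_with RECIPIENT_KEY DIR OUT -> recover the session key with the private
# key, then the message; fails (non-zero) with anyone else's private key
decrypt_with() {
    sess=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$1" -in "$2/session.enc" -out "$sess" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$sess" -in "$2/message.enc" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$sess"
    return $rc
}
```

To send to several people you would run the pkeyutl step once per recipient public key against the same session key file; the AES-encrypted body is produced once.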

Why Isn’t It Used More

PGP key management is hard work. Generating keys, managing them and adding support to email applications that do not already support them is not for the faint-hearted, and the process is quite geeky. So while the support is there it's not easy to use; in simple terms it doesn't yet pass the granny test.

I hope this will change in future, and by signing the majority of my messages and writing these posts I would like to think I can make it a little easier to get involved. Cryptography, and PGP in particular, is a subject I am interested in. I have given several talks to The Software Society (my local LUG) on the topic and plan to give another over the summer in the hope of increasing awareness in my little corner of the universe.

If you have any questions or struggle to implement PGP in your own corner please drop me a line and I will do the best I can to help. Even if, like me, you see no reason to encrypt your emails, the advantage of being able to sign them is a huge deal in a world of spam and viruses being distributed by email, often appearing to come from an address you know.

OpenPGP: How do I create a OpenPGP Key?
03 May


Creating a Secured Key

When you build a PGP key you are going to start using that key to verify your identity, so like all other forms of identification you have to protect it. Unfortunately, to make PGP usable you can't permanently store your private key locked in a safe; you actually need a copy of it on your computer, phone, tablet, laptop, basically any place where you want to send verified emails or decrypt messages you receive.

So what do you do if your phone or laptop is stolen? Even if you have secured your private key with a strong passphrase it is still at risk from someone with direct access to it.

Protection Using Subkeys

There isn't a lot of information on the web about how to secure your key in this situation. I was able to find a few reference sites, most notably the Debian Wiki about Subkeys.

When you create an OpenPGP key you are creating a master key, used to certify (sign keys and user IDs) and by default also to sign messages, plus a separate encryption subkey. It is the master key that you need to protect. So after creating a new OpenPGP key you can create an additional subkey just for signing.

This way the only things stored on your mobile device are your encryption subkey and your signing subkey. If you lose control of your laptop, but still retain control of your master key, you can revoke the signing and encryption subkeys and create replacements.

If an attacker were able to break your passphrase they would get access to anything encrypted to the stolen encryption subkey, including mail sent to it by people who have not yet refreshed your key after the revocation; once correspondents pick up the revocation, new mail goes to the replacement subkey. They could also only sign emails and files using the subkey you just revoked, and any receiving PGP application that has seen the revocation will flag that signature as made with a revoked key.

So how do we do it?

Step-By-Step

Creating the Keypair

Use the gpg --gen-key command to create the new keypair

You will be prompted to enter a passphrase; it's a good idea to make this a secure one, hard to guess and one you won't forget. Keep it safe. If you lose your passphrase you could lose control over your key and will have to start again.

Preferred Hash

PGP uses hashes throughout the signing and encrypting process; I've explained this better on the "How it works" page. To strengthen your key you can set your preferred hashes. This is useful because as time moves on and computers become more powerful, weaknesses are discovered in hashes previously thought secure, such as SHA-1.

Use the gpg --edit-key command and, when prompted, enter the command setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed, then save.

Subkey for Signing

OpenPGP subkeys work the same as normal (master) keys, except they are mathematically bound to the master key and can be used for signing or encrypting. What makes them special here is they can be revoked and stored independently of the master key.

Again use the gpg --edit-key command and type addkey. Select a sign-only key, either (3) DSA (sign only) or (4) RSA (sign only), depending on which algorithm you want. After the new key is ready type save.

Revocation Certificate

Since we are creating subkeys we do not have to worry about theft of a laptop or phone; in that case you can still use your master key to revoke only that subkey. What I describe below is for when you lose your master key and must revoke everything.

If you ever lose your private key you will have no way of generating the revocation certificate needed to revoke your key. So best practice is to generate that certificate now and store it in a safe place in case you need it later. (GnuPG 2.1 and later also write one automatically into the openpgp-revocs.d directory of your GnuPG home when a key is generated; treat that file with the same care.)

You can do this from the command line with the following command:

However I have also worked on a bash script that can automate the process of creating these certificates. More information on this is available from the project page.

Export The Final Product

Now export your keypair. You can export both the private-key and public-key using these commands:

You should protect these two files. Do not keep them on your laptop or mobile. The private file we exported contains your master key; losing it could compromise your entire keypair.

Creating your Laptop Key

Now that your master key is ready you can create your laptop key. GPG does not make this easy, but with a little trickery you can make it work. These instructions assume you have created your master key on your laptop; if you created your key on your desktop machine you can skip step two and not delete your secret key.

  1. Start by exporting your subkeys: gpg --export-secret-subkeys 1FA1E814 > 1FA1E814.sub.gpg
  2. Next delete the master key from your keyring: gpg --delete-secret-key 1FA1E814
  3. Now re-import the subkeys back into your keyring, or if you are not working from your laptop just import the subkeys there: gpg --import 1FA1E814.sub.gpg
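The export, delete and re-import sequence above, as an added example that is not the post's own commands. It generates a throwaway key with a signing subkey, backs the master key up, strips it from the keyring, and then checks the result the way a practitioner should: gpg must list the primary as a stub ("sec#") while the subkeys can still sign, and the backup must restore a full master elsewhere. The key name, the temporary GnuPG home directories and the empty passphrase are constructed so it runs unattended; protect real keys with a passphrase.

```shell
#!/bin/sh
# Added example (not the post's own commands): build a key with a separate
# signing subkey, back up the master, strip it from the keyring (steps 1-3)
# and confirm what is left. Assumes GnuPG 2.1 or later on the path.

# gpgb HOMEDIR ARGS... -> gpg in batch mode against a given home directory
gpgb() { h=$1; shift; gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# make_master HOMEDIR -> primary (certify+sign) key plus encryption subkey; prints the fingerprint
make_master() {
    gpgb "$1" --quick-generate-key "Laptop Test <laptop@example.com>" default default never 2>/dev/null
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# add_signing_subkey HOMEDIR FPR -> batch form of "addkey" then "RSA (sign only)"
add_signing_subkey() { gpgb "$1" --quick-add-key "$2" rsa2048 sign 1y 2>/dev/null; }

# backup_master HOMEDIR FPR DEST -> full secret export. This file contains the
# master key, so it belongs on offline media, never on the laptop.
backup_master() { gpgb "$1" --armor --export-secret-keys "$2" > "$3"; }

# strip_master HOMEDIR FPR -> steps 1-3: export subkeys, delete the secret key, re-import subkeys
strip_master() {
    tmp=$(mktemp)
    gpgb "$1" --export-secret-subkeys "$2" > "$tmp"      # 1. subkeys only
    gpgb "$1" --delete-secret-keys "$2"                  # 2. drop the whole secret key
    gpgb "$1" --import "$tmp" 2>/dev/null                # 3. subkeys back; the primary becomes a stub
    rm -f "$tmp"
}

# restore_master HOMEDIR BACKUP -> what you do on the offline machine
restore_master() { gpgb "$1" --import "$2" 2>/dev/null; }

# master_present HOMEDIR FPR -> 0 when the primary secret key is really in the keyring.
# In --with-colons output field 15 of the "sec" record is "#" for a stub (shown as "sec#").
master_present() {
    state=$(gpg --homedir "$1" --batch --with-colons --list-secret-keys "$2" 2>/dev/null \
        | awk -F: '$1=="sec"{print ($15=="#") ? "stub" : "present"; exit}')
    [ "$state" = "present" ]
}

# sign_and_verify HOMEDIR FILE -> detached signature with whatever signing key is
# usable in that keyring (on the laptop, the subkey), checked against FILE
sign_and_verify() {
    gpgb "$1" --detach-sign --output "$2.sig" "$2" 2>/dev/null &&
    gpg --homedir "$1" --batch --verify "$2.sig" "$2" 2>/dev/null
}
```

Run gpg --list-secret-keys on the laptop afterwards; the "sec#" marker is the quick way to confirm the master key is really gone from that machine.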

Using your new key

You can now use your laptop keypair to sign, decrypt or encrypt emails and files. If you want to sign someone else's key, or revoke a subkey attached to your master key, you need to use the original master key.

Now that your key is ready for public consumption you can start sharing it. You can distribute your key any way you like, but the simplest solution is to send it to a key server:

There are hundreds of key servers online, but you don’t need to send your key to all of them. In most cases any key server you use will distribute your public key across all the others. This process is fully automatic but it can take a few days for your key to appear on them all.

OpenPGP: Encryption should be easier than this
02 May


Why I Digitally Sign My E-Mail

Most e-mails I send are digitally signed using a process called "Pretty Good Privacy", commonly referred to as PGP (GnuPG is the free implementation most people use). PGP has been around since 1991 yet still is not commonly supported by the majority of email clients, at least in the Microsoft ecosystem, or by webmail applications like Gmail or Yahoo Mail. When a digitally signed email is displayed in an application that does not support PGP you may see one of two things: either there will be an attached PGP .sig file, or the message will end with a block starting "BEGIN PGP SIGNATURE" followed by what looks like gibberish. These components are used by PGP-aware applications to cryptographically verify the identity of the sender. If you also have or use PGP I could send you encrypted email so that only you can read it. Over the next few pages I will give some background on PGP and why I use it.

Email Attachments

Since implementing PGP in all my email clients I will no longer open attachments or click links in unsigned emails. Like all security-minded people I know this rule will no doubt cause problems for some and will make the internet a less user-friendly place, but with the amount of spam and viruses delivered by email, often coming from addresses you know, there is no better protection available. Likewise I will never send an attachment unsigned.

Background

In 1991 PGP was created by Phil Zimmermann as a way to digitally sign or encrypt messages and files. This is achieved using Public-key cryptography. When you create a PGP key you are creating two very large numbers that are mathematically related, but due to the size of these numbers it is not feasible to derive one from the other. So you now have two keys, one considered private and the other public, and as the names suggest you must keep the Private-key secret from everyone, but you can share the Public-key with the world.

I was planning to include a section on this page detailing how PGP works, but as I started writing it quickly grew beyond the scope I had intended this introductory page to have. If you are interested in the propeller-hat explanation of how PGP can encrypt and digitally verify messages you can find it at the "How does it work" page.

My Keys

My public keys are published all over the net; on key servers, in my DNS records, on this site on my “OpenPGP Keys” page and on some mailing lists. That is the way you want your public keys after all.

02 Nov

DNS Cache TTL – Windows

Shorten the built in Windows DNS cache time

To force Windows to keep positive entries in DNS Cache for only 4 hours instead of the default 24 hours we need to apply the following change to the registry:

02 Nov

Block Negative DNS Entries – Windows

Windows contains a client-side Domain Name System (DNS) cache. The client-side DNS caching feature may cache results when no valid IP address was found. This article describes how to disable DNS caching for these Negative Entries.

To force Windows not to cache negative entries we need to add a new DWORD to the Windows Registry

01 Jun

Getting Saitek X52 Joystick Working Within Linux

Now that Steam is available for Linux (how-to-install article coming soon) I have once again made the switch to 100% Linux. Now that I have Steam installed I wanted to start playing Egosoft's X3 series again, but for best performance this really needs a joystick. This is how I went about installing and using my Saitek X52 joystick in Fedora 18.

The problem is that as of Fedora 17 the joydev kernel module was removed by default. The result is that when a new joystick is plugged in the required paths in /dev/input/jsX are not created, so your software and games cannot find the device. So we need to reinstall the joydev module.

After installing the kernel joydev module the joystick and all its buttons are detected by the latest kernel (which as of writing is)

The Install Instructions for a fresh install

  1. Even though joydev was stripped from the default kernel it has been bundled into an easy-to-install package available in the yum repository

  2. Now the kernel software is installed we need to load it. You can either take a moment and reboot your PC, the modules will get loaded at boot time, or you can load them yourself with modprobe

  3. After the new modules have been loaded you can plug your joystick in and you should see the new paths being created under /dev/input; it will be something like /dev/input/js0. You can now test to make sure your joystick is being detected correctly using 'jstest'

Installing Qjoypad Optional, mapping buttons to the keyboard

The Saitek X52 has over 30 buttons on it, so the easiest way to set these up is mapping them to keyboard shortcuts. Luckily, with a little Googling, I found a fantastic tool for this. Qjoypad is a Qt-based program that will just sit in your tray and map any button press to the associated keyboard shortcut.

There are no binary packages, that I could find, but installing from source is fairly painless. There are alternatives out there, but I haven’t spent any time with them. I found Qjoypad first, and for my purposes, it was perfect. If you find something you think is better please let me know in the comments!

  1. Install Qt dependency packages

  2. Download the latest version of Qjoypad, as of writing that was 4.1.0

  3. Extract the downloaded file

  4. Change directory into the main source folder

  5. The distributed config file makes a check for qmake; unfortunately this will fail in Fedora as the qt-devel package installs qmake as qmake-qt4, so we can just comment out the check on lines 14-17

  6. Now run config to generate the Makefile

  7. Edit the new Makefile and append -lX11 to the end of line 19. I'm not 'up-to-scratch' with Makefiles and compiling, so I'm not able to give a good reason for this; I just know that without it 'make' will fail to compile. If someone can explain it better than I can, leave a comment and I'll happily update the article

  8. Now as root run the install

  9. Run QJoypad

Qjoypad will run in your system tray and can be opened by double clicking. From there you can setup your profiles and key bindings. There is support for multiple profiles as well so you are able to set different bindings for each of your games and load them as required.

I hope this has been of help to you; I know I'll be referring to it after my next install. Please leave me a comment below if this was of help, or if you've found any problems.

As always, if you have been, thanks for reading

OpenPGP: GPG Cheat Sheet
24 Mar


You can't have enough cheat sheets on the net. Well, you probably can, but I still wanted to add my own to the mix. I use the GnuPG command line for almost everything bar actually sending email, so this is a nice little reminder to myself of what I'm doing.

Creating a new Key First steps

gpg --gen-key

Browsing your keyring What have you got
  • List all public keys gpg --list-public-keys
  • List all private keys gpg --list-secret-keys
  • List everyone who has signed a key gpg --list-sig (0xKEYID)
  • Get the full fingerprint gpg --fingerprint (0xKEYID)
Exporting
  • Export your public key to a file gpg --armor --export (0xKEYID)
  • Upload a key to the keyserver. Good for new keys, or after signing someone else’s
    • Using the default Key server gpg --send-keys (0xKEYID)
    • Specifying a Key server gpg --keyserver sks.research.nxfifteen.me.uk --send-keys (0xKEYID)
  • Export/Backup your private key gpg --armor --export-secret-keys (0xKEYID)
Searching for a key
  • Finding someones key
    • Using the default Key server gpg --search-keys user@email.example.com
    • Specifying a Key server gpg --keyserver sks.research.nxfifteen.me.uk --search-keys user@email.example.com
Encrypting/Decrypting
  • Encrypt a file for someone, by their email gpg --encrypt filename.txt --recipient user@email.example.com
  • Encrypt a file for multiple people, by their email addresses. It's usually a good idea to encrypt to your own key as well or you will not be able to decrypt the file later: gpg --encrypt filename.txt --recipient user1@email.example.com --recipient user2@email.example.com
  • Encrypt a file for transmission over text (email, IRC, Jabber etc.): gpg --armor --encrypt filename.txt --recipient user1@email.example.com --recipient user2@email.example.com
  • Decrypting a file gpg --output filename.txt --decrypt filename.txt.asc
Import keys You need to get them somewhere
  • Importing from a text file gpg --import publickey.asc
  • Restore a backup of a private key gpg --allow-secret-key-import --import privatekey.asc
Keys Maintenance Revoking
  • Creating a revocation certificate. You must have the private key to do this; if you have lost your private key, well, that's when the problems kick in: gpg --output revoke.asc --gen-revoke 0xKEYID
  • To revoke the key all you need do is import the revoke.asc into your keyring: gpg --import revoke.asc
  • To make sure everyone knows your key has been revoked you need to publish the updated public key: gpg --keyserver sks.research.nxfifteen.me.uk --send-keys (0xKEYID)
Keys Maintenance Key Signing
  • You need to edit the key gpg --edit-key 0xKEYID

From here 'help' will give you a list of your options, but to sign a key you can either type 'sign' or 'tsign'. The man page gives a better indication of what the difference is ('man gpg'), but 'sign' is usually sufficient. After the key is signed type 'save' and 'quit'; then you can either send the key to a keyserver for download by its owner or export the public key and send it by other means, which usually means encrypted email.

Signing and Verifying files
  • To sign a file with your default key use this: gpg --detach-sign --armor filename.txt (produces filename.txt.asc)
  • To verify a detached signature, keep the signed file next to the filename.txt.asc produced above and run gpg --verify filename.txt.asc filename.txt
Rooting the Google Nexus7, in Linux
20 Mar


In a previous post I talked about installing CyanogenMod 7.1 Alpha 3 on my HP TouchPad, but since Santa was very nice to me this year I now have a Nexus 7, and of course I want to root it. Most of the toolkits and instructions I found talked about doing this through Windows, but I'm a Linux guy and don't want to install Windows for what will take less than an hour. So further Googling came up with a way of doing it through Linux.

Warning!

Like every site before me, be warned. Follow this guide at your own risk. Rooting, unlocking and installing new ROMs does invalidate your warranty and risks causing damage to your data and/or device. While nothing bad has happened to me following these instructions, you can't discount the idea entirely. So BACK UP YOUR DATA; if you don't, Murphy's Law says you will need it.

The Toolkit

There are a lot of ways to 'manually' unlock your device, but all the ones I was able to find involved downloading the Android SDK. This is a good way to do things if you either know what you're doing or want a better understanding of the steps involved. However I wanted it done quickly, and at the time I was on my netbook and saw no need to install the entire SDK. So I chose to use a toolkit.

The next problem was finding one. The vast majority of kits run under Windows; as previously stated I'm a penguin at heart and needed to find a Linux kit. tatelucas, a member of the XDA-Developers forum (if you've never checked it out you really should), was there with the solution: Universal Nexus Linux Toolkit, formerly named galaxy-nexus-linux-toolkit. At the time of writing his toolkit supports the

  • Nexus 4 mako
  • Nexus 10 manta
  • Nexus 7 (WiFi) grouper
  • Galaxy Nexus (GSM) maguro
  • Galaxy Nexus (Verizon) toro
  • Galaxy Nexus (Sprint) toroplus
  • Nexus S (worldwide version, i9020t and i9023) crespo
  • Nexus S (850MHz version, i9020a) crespo
  • Nexus S (Korea version, m200) crespo
  • Nexus S 4G (d720) crespo4g

however I have only tested it on the device I have, the Nexus 7 grouper. This toolkit allows you to unlock and re-lock the bootloader, get root access, install ClockworkMod recovery in both the touch and standard versions and, if you feel the need, reinstall the Google stock ROM.

Requirements
So what do you need?

  • Android Debugging Enabled
  • Universal Nexus Linux Toolkit – The best method for this is using git, but you could also browse the repository and download the files manually. I will be using git.

Downloading from git
Just in case you don’t know how

Getting Root

Now that we have a copy of the files, in my case stored in “~/RootNexus7/galaxy-nexus-linux-toolkit”, change to the stable source, the folder called “stable”, and we can start the install.

From this point on the installation is straightforward. Tatelucas has made the interface really easy to use, and the on-screen instructions detail each option and tell you what you need to be doing on the tablet.

Now you have root

If everything worked as expected you should now have root access to your Nexus. The first thing I would recommend you do now is install a proper/full backup package. My app of choice is Titanium Backup ★ root. After that… do a little Googling, the platform is now your oyster – enjoy.

If you like this toolkit, why not buy the developer a coffee?

Donate to tatelucas with PayPal

Setup your own Firefox Sync Server
15 Mar

Setup your own Firefox Sync Server

As most people know I hate using someone else’s service when I can host my own, and since I’ve started using Firefox for Android that’s no exception.

Firefox allows you to sync your preferences, bookmarks and add-on settings between devices using the Firefox Sync Service, but the default servers are hosted by Mozilla. This isn’t a problem for me as they encrypt all data in the client before it’s transmitted to their servers, and if you don’t trust the client then there are bigger problems. Still, I like to ‘roll my own’ whenever I can, and Mozilla have made running your own sync server very easy.

The instructions below are based on my current install, which is Ubuntu 12.04.1 LTS, MySQL and Apache2. These steps worked without any problems for me – please let me know in the comments how you get on and if you find any problems or have to take any additional steps I missed out.

As yet Mozilla don’t release any binary packages for their server, so to install one what I’ll be doing is checking out the latest release from their repository and building it in place.

Prerequisites
These are the things you’ll need

Like most software, the server is made up of several components that all work together to form the final application. In order for them to work you will need to make sure your system has these installed, or install them now:

To install these on my Ubuntu machine I just make this request of apt-get:

The Build
Use the source

Now that your machine is ready you need to get a copy of the latest source code from https://hg.mozilla.org/services/server-full:

Now that we have the source we can use the build command to make a Python environment isolated from the rest of the system. It’s into this environment that all the required dependencies are installed:

In an unusual step for me, I even got make to run the test suite on the compiled source:

In the end this worked out to my advantage because it found a missing dependency. Using the pip command I installed pysqlite into the new Python environment:

Running the tests again produced no errors, so it’s safe to move on to the configuration.

The Configuration
Make it work

To configure the server you only need to edit the ini-like setup file “./etc/sync.conf“. The file is well commented and you will probably be able to make sense of it. For the most part the defaults worked fine for me, but you do have to change a few things.

The first is the fallback_node URL. This is the client-visible URL of your service, and it makes sure node assignment and user registration work correctly. The default value has port 5000 specified in the URL. This is in case you are running in standalone server mode; I am not, as I will be putting Apache in front of the server, so I just took it out:

Out of the box the server will use SQLite files for the user and storage databases. You’ll see in the configuration file that these are being stored in “/tmp”. This is obviously a terrible idea for a production server, so next we’ll move them to a more appropriate place:

Apache
Running behind a Web Server

The server already has a built-in web server which I’ve not talked about, partly because, while it is good for testing, it should not be used in a production environment, but mostly because I never had any cause to run it.

For a production server you will need a web server which is compatible with the WSGI protocol. These include, but are probably not limited to:

  • Apache – Combined with mod_wsgi
  • Nginx – With Gunicorn or uWSGI
  • lighttpd – With flup, using the fcgi or scgi protocol

I will be talking about the first option as my server was already configured for it.

Create a new Apache configuration file for your server; below is an example of the configuration I used:

That should be you done. Just reload your Apache server to activate the new host and start playing:

Security & User Registration
It’s not a dirty word you know!

After installation and Apache setup you’re ready to rock and/or roll! However, in the default configuration the server supports new user registration using the Firefox built-in interface. Unless you are going to make your server public to the world, it’s a good idea to disable this after you have set up your own Firefox instance:
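A quick check for the two defaults the post changes (the standalone port in fallback_node and the SQLite files under /tmp), as an added example that is not part of the original post. The sample sync.conf, its section names and the sqluri key are constructed for the demonstration; fallback_node is the key named in the post, and the plain-http check is an extra caveat of mine.

```shell
#!/bin/sh
# Added example (not the post's own code): audit a sync.conf for settings
# that are fine for standalone testing but not for a server behind Apache.
# Assumes an INI-style "key = value" file like server-full's ./etc/sync.conf.
set -eu

# Print the value of an INI key (first match), with surrounding whitespace trimmed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Report one finding per line; return 1 if anything was flagged, 0 if clean.
audit_sync_conf() {
    conf=$1
    bad=0
    node=$(ini_value "$conf" fallback_node)
    case "$node" in
        *:5000*) echo "fallback_node still carries the standalone port 5000: $node"; bad=1 ;;
    esac
    case "$node" in
        http://*) echo "fallback_node is plain http; terminate TLS in front of the server: $node"; bad=1 ;;
    esac
    # Any SQLite URI under /tmp: a world-writable directory that is cleared on reboot.
    if grep -n 'sqlite:////tmp/' "$conf"; then
        echo "the SQLite database(s) above live in /tmp; move them to a dedicated directory"
        bad=1
    fi
    return "$bad"
}

# Constructed sample mirroring the defaults the post describes (not the shipped file).
write_sample_conf() {
    cat > "$1" <<'EOF'
[nodes]
fallback_node = http://localhost:5000/

[storage]
sqluri = sqlite:////tmp/test.db

[auth]
sqluri = sqlite:////tmp/test.db
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if audit_sync_conf "$sample"; then
    echo "$sample: no findings"
else
    echo "$sample: fix the findings above before going live"
fi
rm -f "$sample"
```

Run it against the real file with audit_sync_conf ./etc/sync.conf once you have edited it; a clean run exits 0.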

Getting Logitech Custom Mouse Buttons Working Within Linux
13 Mar

Getting Logitech Custom Mouse Buttons Working Within Linux

Having lived in a Windows environment for the past couple of years I’ve gotten somewhat used to my routines and shortcuts, most of which are missing or changed now that I’m 95% Ubuntu. The most notable absentees are all the extra buttons on my Logitech MX Revolution mouse, which I had mapped to a vast array of custom keystrokes. So, lest I forget, this is how I have got these custom buttons working correctly.

All these buttons are detected by the latest kernel (which as of writing is)

This is great news because all we need to do now is map each button against the desired application/keystroke.

My system of choice as of writing is Ubuntu 10.10 (this has since changed to Fedora), so all the command-line and install commands listed are correct for that distribution as of writing. If you find other commands work on other distributions, leave a note in the comments and I will be sure to update the main article.

The Install
Instructions for a fresh install

  1. We should install xbindkeys. This will re-map mouse and keyboard inputs, so the install is…

The goal is to configure the mouse buttons to send key combinations that activate other desktop or application functionality. Technically all xbindkeys is doing is executing an application in response to a keystroke or mouse button.

  2. So in order to map a mouse button to a keystroke we have to install an application called xte, which in Ubuntu comes as part of the xautomation package and can be installed like this…

  3. Now we need to create a configuration file for xbindkeys, which can be done like this…

  4. We need to edit this file in a text editor. I use nano, but vim, kate or gedit are just as good; you can of course use whatever editor you prefer…

The xbindkeys configuration file has a very simple format…

  5. So we need to add our button-to-key configurations, but first we need to know what ‘events’ the mouse buttons are triggering before we can remap them. For this we can use xev, a key and mouse event sniffer. It runs by opening a small window; you can then start pressing keyboard or mouse buttons over the window and see if they are detected. For example, the forward button on my Logitech Revolution MX looks something like this:

Below I’ve included a table for the Logitech MX mouse; the codes will probably be different if you have a newer or older mouse.

Mouse Button | Event Code | xbindkeys Code
Thumb Scroll Up | 13 | b:13
Thumb Scroll Click | 17 | b:17
Thumb Scroll Down | 15 | b:15
Thumb Button Up | 9 | b:9
Thumb Button Down | 8 | b:8
Left Button | 1 | b:1
Right Button | 2 | b:2
Scroll Up | 4 | b:4
Scroll Down | 5 | b:5
  6. Now that we have a list of all our button codes we can move on to actually writing the configuration file. For example, I have this to map the Thumb Button Up and Thumb Button Down buttons to switching workspace in my Gnome shell; these key combinations are specific to my setup so you will need to change them. What I’m doing here is pressing the ‘Windows’ key and ‘Left Control’, then either ‘Down’ or ‘Up’, then releasing the other two keys…

The Wrap-up
Now we make it all work

That’s all there is. Once you have set up your ~/.xbindkeysrc configuration file, you just need to configure xbindkeys to run automatically on system startup. This is going to be different depending on your window manager, but here are the steps for KDE and Gnome.

Gnome3
  1. There’s a tool in GNOME 3 which allows you to add, modify and remove autostart entries; you can run it from a terminal or from the ALT+F2 dialog. Just run gnome-session-properties
  2. Click on “Add”
  3. Write ‘Xbindkeys’ in the Name and ‘/usr/bin/xbindkeys’ as the Command and press OK.
  4. Done!
KDE
  1. Open System Settings.
  2. Go to Advanced tab -> Autostart.
  3. Click on “Add Program…”.
  4. Write ‘/usr/bin/xbindkeys’ and press OK. A new dialog pops up. Press OK again.
  5. Done!
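An added example, not the author’s configuration: a small script that turns a key chord into the xte command and emits the ~/.xbindkeysrc entries for the two thumb buttons (codes 9 and 8 in the table above). The keysym names (Super_L for the ‘Windows’ key, Control_L) and the Control+Super+Up/Down chords are assumptions; substitute whatever shortcut your desktop uses for switching workspace.

```shell
#!/bin/sh
# Added example (not the post's own code): build xbindkeys entries from the
# button codes in the table. xte_chord turns "Super_L Control_L Down" into the
# xte sequence the post describes: hold the modifiers, tap the last key, then
# release the modifiers in reverse order. Keysyms and chords are assumptions.
set -eu

# Print the xte command for a chord: every argument but the last is held down.
xte_chord() {
    n=$#
    i=1
    press=""
    release=""
    for key in "$@"; do
        if [ "$i" -lt "$n" ]; then
            press="$press 'keydown $key'"
            release=" 'keyup $key'$release"   # prepend, so release order is reversed
        else
            press="$press 'key $key'"
        fi
        i=$((i + 1))
    done
    printf 'xte%s%s\n' "$press" "$release"
}

# One ~/.xbindkeysrc entry: the command in double quotes on one line, then the
# button (or key) specification indented on the next.
xbindkeys_entry() {
    printf '"%s"\n    %s\n' "$1" "$2"
}

# Thumb Button Up (b:9) and Thumb Button Down (b:8) from the table; the
# Super+Control+Up/Down chords are assumed and should match your desktop.
gen_xbindkeysrc() {
    xbindkeys_entry "$(xte_chord Super_L Control_L Up)" b:9
    xbindkeys_entry "$(xte_chord Super_L Control_L Down)" b:8
}

gen_xbindkeysrc
```

Redirect the output into ~/.xbindkeysrc (or append it if you already have one); xbindkeys -k prints the key or button spec for whatever you press next, which is a handy cross-check against the xev codes.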
Installing CyanogenMod 7.1 Alpha 3 on my HP TouchPad
24 Feb

Installing CyanogenMod 7.1 Alpha 3 on my HP TouchPad

I have just finished installing CyanogenMod 7.1 Alpha 3 on my HP TouchPad. It’s gorgeous. I can’t say I ever became a fan of WebOS; unlike some I’ve talked to, it never grew on me, and the rare times when I did want to make use of it the App Market was far too overpriced and, in my experience, limited. But now with Android the device ‘sings’.

The install was a breeze in the end; all the same, here are the steps I went through. I never needed to do any disaster recovery so I don’t list any. However, I would highly recommend anyone interested in doing this read the FAQ at rootzwiki.com before going any further: it contains all the disclaimers and alpha-software warnings you would expect as well as an in-depth list of disaster recovery options.

The Install
Instructions for a fresh install

  1. Prepare your PC for the installation by downloading the Palm SDK from the HP website. The site has full, easy to follow instructions for Linux, Windows and OS X users, so replicating them here seems redundant. Once you have installed the SDK you can continue with the steps listed below.
  2. You now need to download the required software. At the end of it you will end up with the four files:
    • ACMEInstaller.zip – RootzWiki Forum
    • update-cm-7.1.0-tenderloin-a2.1-fullofbugs.zip – RootzWiki Forum
    • update-cwm_tenderloin-1012.zip – RootzWiki Forum
    • moboot_0.3.5.zip – Moboot Project
  3. If you wish to have access to the extra Google apps, like Gmail, YouTube or the Android Market you will have to download the latest gApps installer from the CyanogenMod wiki site
  4. Unzip the ACMEInstaller.zip file. On Linux systems you can leave it where you downloaded it to, but in Windows at least it will make life a little easier if you move the unzipped file to the same directory you installed the Palm Novacom SDK to. On my VirtualBox machine it is C:\Program Files (x86)\Palm, Inc but I’m running a 64-bit system; in 32-bit the directory will probably be C:\Program Files\Palm, Inc
  5. Now connect your TouchPad to your PC using its USB cable. The TouchPad will notify you that it’s detected a new USB connection. Tap the symbol to mount the tablet’s SD card on your computer.
  6. Open your file manager and on the root level of the SD card create a new folder called cminstall. Into this new folder copy the zip files you downloaded before; do not unzip them and don’t copy the ACMEInstaller.zip file, just leave that file on the PC for now. Once you’re done the contents of your new “cminstall” folder should be:

    • update-cm-7.1.0-tenderloin-a2.1-fullofbugs.zip
    • update-cwm_tenderloin-1012.zip
    • moboot_0.3.5.zip
    • gapps-gb--signed.zip – *You only need this if you’re planning to install the extra Google Apps
  7. You now need to reboot the TouchPad. Make sure you eject the TouchPad’s SD card correctly from your PC; some systems delay writes to external USB devices to speed things up. Once the TouchPad has been ejected follow these steps to reboot it, while the USB cable is still connected:
    • Press the Home Button
    • Bring up the Applications List
    • Select the Settings Tab
    • Open Device Info
    • Press the red Reset Options button at the bottom of the screen
    • Press the grey Restart button at the top of the screen
  8. As the TouchPad reboots the screen will turn off; as soon as this happens press and hold the Volume-Up button. Keep holding it until a USB icon fills the display. After a few seconds your computer will recognize the TouchPad.
    • Under Linux, open a terminal and change directory to where you unzipped the ACMEInstaller.zip file
    • Under Windows, open a command prompt and change directory to where you installed the Palm SDK:
    • Open the Start Menu
    • Type cmd (no quotes) and hit enter
    • A black and white terminal window should have opened
    • To change directory, type cd c:\PATH. For me the path is C:\Program Files (x86)\Palm, Inc so I typed: cd C:\Program Files (x86)\Palm, Inc
  9. On both systems enter this command: novacom boot mem:// < ACMEInstaller
  10. Make a cup of tea. That’s really all there is to the install. It will take a few minutes, but once it’s done the TouchPad will reboot into Android.
Non-Root Ubuntu Shutdown
24 Feb

Non-Root Ubuntu Shutdown

It may at first seem rather daft that you must become root before you can shut down your PC, but it does make sense. Linux is designed as a multi-user system; just think of any web site you’ve ever visited. Many different people can be accessing the same site at the same time, and that’s to say nothing of the other people hosting their sites on the same machine. Could you imagine the chaos that would result if any one of those users were able to turn that machine off at will? You may still be thinking “yeah, but they could pull the power”, but they couldn’t: the users I am referring to have no physical access to the machines in question, so restricting the shutdown commands in this way is still highly effective.

In my research I have come across a couple of different methods of achieving the goal of non-root shutdown. The /etc/shutdown.allow file is a common option; however, it fails the ‘usability’ test for me as it requires a number of other steps and relies on keyboard shortcuts being correctly configured and not intercepted by other processes. Because of that I have decided to go with the sudo method as my recommended choice.

The SUDO Method

In order for users of the ‘shutdown’ group to turn off the machine we must first create the group ‘shutdown’. So run this command, prefixing it with sudo to make sure it is run as root:

Next we need to start adding people to our new shutdown group. This command will do the job, just replace username with your username.

or

Anyone you add to this group will be able to shut down your computer, even when they’re not sitting at it, so be selective in your choices. The next thing we need to do is give the shutdown group permission to invoke the commands for shutting down or rebooting. In Linux these commands are /sbin/shutdown, /sbin/reboot and /sbin/halt, so now run the visudo command and add the following lines:

That’s you done. Now anyone in the shutdown group can run sudo shutdown as if they were root and shut down the computer.

The Next Step?

At this point you may have noticed that users still have to prefix the shutdown command with sudo. I personally like this as it reduces the risk of typos etc., but I know for some (or most) it’s still a pain, so we can remove it.

What we need to do is create a script in /usr/local/bin/shutdown which prepends the sudo command for us.

Now just make the script executable and, for a little extra protection, change its ownership to our new shutdown group:
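As an added example (not the post’s own commands), here is a script that stages the sudoers rule and the wrapper described above in a scratch directory so they can be reviewed and checked with visudo before being installed as root. The drop-in file name and the use of /etc/sudoers.d (which Ubuntu’s /etc/sudoers includes) are my assumptions; the group name and command paths are the post’s.

```shell
#!/bin/sh
# Added example (not the post's own code): stage the sudoers rule and the
# wrapper script in a scratch directory so they can be reviewed and
# syntax-checked before root copies them into /etc/sudoers.d and
# /usr/local/bin. Group name and command paths are the post's; the drop-in
# file name "shutdown-group" is my choice.
set -eu

# The rule to add via visudo: members of %shutdown may run exactly these three
# binaries as root and nothing else. Full paths and no wildcards keep the grant
# narrow; NOPASSWD is what lets the wrapper script run without a prompt.
sudoers_rule() {
    printf '%%shutdown ALL=(root) NOPASSWD: /sbin/shutdown, /sbin/reboot, /sbin/halt\n'
}

# Write the rule as a sudoers.d-style drop-in under $1. Mode 0440 matters:
# sudo refuses a sudoers file that is writable by group or others.
write_sudoers_dropin() {
    f="$1/shutdown-group"
    sudoers_rule > "$f"
    chmod 0440 "$f"
    echo "$f"
}

# Syntax-check a drop-in without touching the live /etc/sudoers.
check_sudoers_dropin() {
    visudo -c -q -f "$1"
}

# The wrapper from "The Next Step": prepends sudo and passes the user's
# arguments (for example "-h now") through unchanged.
write_wrapper() {
    f="$1/shutdown"
    cat > "$f" <<'EOF'
#!/bin/sh
exec sudo /sbin/shutdown "$@"
EOF
    chmod 0750 "$f"    # once installed: chgrp shutdown /usr/local/bin/shutdown
    echo "$f"
}

stage=$(mktemp -d)
dropin=$(write_sudoers_dropin "$stage")
wrapper=$(write_wrapper "$stage")
if command -v visudo >/dev/null 2>&1; then
    check_sudoers_dropin "$dropin" && echo "$dropin: sudoers syntax OK"
fi
echo "staged $dropin and $wrapper"
echo "install as root: groupadd shutdown; usermod -aG shutdown USERNAME;"
echo "  install -m 0440 $dropin /etc/sudoers.d/shutdown-group"
echo "  install -m 0750 -g shutdown $wrapper /usr/local/bin/shutdown"
```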