SavvyAdmin.com

Updated (11/21/2007): I’ve added an updated version of this How-to on the community supported Ubuntu documentation site. The new document can be found at: https://help.ubuntu.com/community/SinglePacketAuthorization.

Single Packet Authorization (SPA) using “fwknop” is probably one of the coolest recent innovations in server and network access control technology. Just what is SPA, you ask? SPA is a method of limiting access to server and network resources by cryptographically authenticating users before any type TCP/IP stack access is allowed.

In it’s simplest form, your Linux server can have an inbound firewall rule that by default drops all access to any of it’s listening services. Nmap scans will completely fail to detect any open ports, and zero-day attacks will not have any effect on vulnerable services since the firewall is blocking access to the applications.

The server however has a nifty trick up it’s sleeve. An authorized user sends a single encrypted UDP packet that is passively sniffed and analyzed by the fwknopd service running on the server using pcap. If successfully authenticated, fwknopd dynamically creates an iptables firewall rule, granting the source IP address of the authorized client access to the service for a defined period of time (default is 30 seconds). Pretty frickin’ cool, eh?

Okay, so here’s how to get it working in Ubuntu 7.04.

• Continue reading or Comments (3)

If you have a large number of passwords, it would be a good idea to write them on a sticky pad and put them on your monitor or secretly under your keyboard. ;-)

Or better yet, you can use a nifty password manager for the Linux platform call Revelation. It’s written for tight integration with the Gnome desktop environment.

Home page: http://oss.codepoet.no/revelation/

The passwords are stored in an encrypted XML file, protected by AES encryption and of course a master passphrase.

It has most of the core functionality one would expect from a mature password manager, including a nice internal directory structure to organize your data, copy and paste, and customizable viewing options.

Definitely worth checking out. Ubuntu 7.04 universe repositories have the latest version available for download.

$ sudo apt-get install revelation

Launch it from Applications -> Accessories -> Revelation Password Manager.

• Comments (0)

An OpenSSH server can be used as a SOCKS compliant proxy, allowing one to tunnel virtually any type of traffic via the SSH protocol. This is very useful when surfing the web on untrusted networks such as hotel internet services and wireless hotspots. You just never know who’s snooping in on your data.

All you need is external access to a trusted OpenSSH server, perhaps the one you have at home, work, etc. If you’re using your laptop to surf the internet at your local coffee shop, you’ll simply need to establish a connection to that external SSH server using the appropriate client variables, and configure your web browser’s proxy settings to connect to a locally defined TCP port.

• Continue reading or Comments (0)

UPDATE (11-03-2008): These instructions are no longer applicable to Ubuntu version 8.10 and higher. The latest versions of Ubuntu allow you to use a blank password for your keyring, which will allow user accounts automatically logged in by GDM to access the keyring.

If you are not using the the GDM auto login feature, simply make sure your keyring password is the same as your login password, this way it is automatically unlocked for you. The keyring passwords are now easy to change from “Applications… Accessories… Passwords and Encryption Keys… Edit menu… Preferences… Password Keyrings.” Highlight the “login” entry, and use the “Change Unlock Password” button.

The original instructions below ONLY apply to versions previous to Ubuntu 8.04.

ORIGINAL POST:
If you would like to avoid having to type in a password to access your gnome keyring, then you are in luck. To quote from the authors web site, “PAM_KEYRING is a pam module that launches the gnome-keyring-daemon and then unlocks a keyring using your login password.”

In Ubuntu 7.04, this comes in handy when using Network Manager to connect to your wireless network. Typically users are prompted for the “master” password to their keyring manager immediately after logging on to gnome, and this can become tedious. Installing and configuring PAM_KEYRING is a snap.

1. Install libpam-keyring from universe repositories.

$ sudo apt-get install libpam-keyring

2. Add the pamkeyring module to /etc/pam.d/gdm

$ echo "@include common-pamkeyring" | sudo tee -a /etc/pam.d/gdm

UPDATED: (10/25/2007)
With the release of Ubuntu 7.10 Gutsy, libpam-keyring is no longer needed, as this feature has been built by default in with the package “libpam-gnome-keyring”.

UPDATED: (04/21/2008) - For GDM Auto-Login Users

Sorry for not updating this post sooner. I helped someone else with this offline a while back. Here’s an excerpt from my email. It works well with Ubuntu 7.10 Gutsy, and “should” work with Hardy, unless there’s been some major changes with the libpam-gnome-keyring package that I don’t know about.

The auto login feature of GDM relies on the GDM processes ability to run Gnome as your user account, but it does not have to know the password, as it’s using an “su” command to accomplish the magic.

There lies the problem. The keyring uses the password supplied by the user to unlock itself, and being that no password is supplied to pam, it cannot unlock the keyring.

From a useful bug report, one fellow outlined how he has always done it previously using a login script. He used a tool called “pam-keyring-tool” included with the libpam-keyring package. The new libpam-gnome-keyring package does not include this binary, so in order for this to work, you need compile it from source.

I’ve successfully got it working using the following procedures:

Step 1: Download latest pam_keyring source code. I like to place all source code in /usr/src/:

cd /usr/src/
sudo wget http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.9.tar.gz

Step 2: Unpack source code

sudo tar zxfv pam_keyring-0.0.9.tar.gz

Step 3: Install prerequisites

sudo apt-get install build-essential libglib1.2-dev libglib2.0-dev
sudo apt-get install libtool libgnome-keyring-dev libpam0g-dev

Step 4: Compile and Install

cd /usr/src/pam_keyring-0.0.9
sudo ./configure --prefix=/usr
sudo make
sudo cp src/pam-keyring-tool /usr/bin/

Note: I’m not doing a “make install” because I only want this binary to be installed and nothing else)

Step 5: Test binary

/usr/bin/pam-keyring-tool --help

If you get a nice usage menu, you’ll see what the tool options are, and your compilation is complete.

Step 6: Create login script called “unlock-keyring.sh”.

Since the file will contain your password in clear text, you’ll want to keep it in your home folder, readable only by your user. Yes… I know this is lame.

mkdir ~/scripts
sudo chmod 750 ~/scripts
touch ~/scripts/unlock-keyring.sh
sudo chmod 750 ~/scripts/unlock-keyring.sh
sudo gedit ~/scripts/unlock-keyring.sh

Add the following to the script:


#!/bin/bash
echo "PASSWORD_HERE" | /usr/bin/pam-keyring-tool -u -s

Step 7: Add the script to your gnome session startup scripts

System -> Preferences -> Sessions

Under Startup Programs, add a new entry that will appear first in the list. e.g. “1-unlock-keyring”

The command will be:
“/home/USERNAME_HERE/scripts/unlock-keyring.sh”

Step 8: Ensure your /etc/pam.d/gdm-autologin is set to it’s defaults. This was the default Gutsy 7.10 version for reference.

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password

Step 9: Restart GDM or simply reboot.

I really hope this helps you guys out.

• Comments (19)

If your system is using a default installation of GRUB as it’s boot loader, chances are it has not been set up with a password.

When at the GRUB menu, one can edit the kernel selection by highlighting the menu item, and pressing the “e” button. By editing the “kernel” entry, they can pass any number of boot variables and options. For instance, the options “init 1″ or “single” boot the operating system into “single user” mode (run level 1), which drops you into a root prompt with no authentication necessary.

• Continue reading or Comments (0)

If you would like to get your Creative Zen V Plus or related portable music player working in Ubuntu 7.04 and above, you’re in luck!

All you need is “Gnomad2″ as the graphical front end to your players music and playlists, and several libraries that are installed as dependencies (i.e. libmtp5). MTP stands for Microsoft Transfer Protocol, and libmtp5 is the key component to making this work.

As of this writing, the Creative Zen V Plus was not added to the libmtp5 udev rules file. This means that you would need root privileges to run Gnomad2, unless you changed the default permissions. No worries… correcting this is very easy to do.

• Continue reading or Comments (5)

If you’re not going to use tapes, CD’s, DVD’s, or other form of attached media for storing your backups, you’re more than likely going to use some form of a remote network storage repository. There are many ways to ship your *nix backups across a network to a remote file system. Using SSH (and its related tools) is among the most popular methods for this delivery process as it can be relatively fast, free, secure, and very flexible.

In the following examples, I’ll show you three ways to ship an archived folder to a remote SSH server.

• Continue reading or Comments (0)

If you ever need to work with a large file and wish you could split it into smaller pieces, you’ll be pleased to know that it’s extremely easy to do in Linux. You can use the “split” utility that comes standard with most *nix variations. Lets take a look at a couple easy examples.

To create a test file to work with, the following will create one that’s exactly 100 megabytes. Note, I am using ‘dd’ with /dev/urandom to demonstrate that the results of the split and reassembly are completely accurate. This will be accomplished via md5 hash comparisons at the end of this process.

• Continue reading or Comments (0)

UPDATE (11-04-2008): NetworkManager 0.7 has been introduced with Ubuntu 8.10. This major overhaul includes native support for Mobile Broadband card as shown in the screen-shots below. The great news is that virtually all CDMA cards work right out of the box with no configuration necessary. Thank you, NetworkManager developers! I suggest upgrading to the latest version of Ubuntu, or use the NetworkManager PPA or SVN to at least upgrade to version 0.7.

ORIGINAL POST: Great news! The internal Dell Wireless 5700 Mini PCI Express Card for use with CDMA/EVDO networks is very easy to get working with Linux. The following tutorial was written for Ubuntu 7.04 (and works with 7.10 Gutsy), but the procedures are essentially the same for most Linux distributions. Please consult with your distribution documentation to assist with any differences.

Here’s how to get it going.

• Continue reading or Comments (26)