Mounting an iOS 5.0.1 device on Ubuntu – how to fix it

Posted on 08/01/2012 by grimneko

After you upgraded your iOS device to 5.0.1 you probably get an error like “Unhandled Lockdown Error (-15)”. The problem is the shipped libimobiledevice which don’t like iOS 5 devices. To fix it do the following:

In a terminal type: “sudo apt-get install ifuse libimobiledevice-utils” (without the ”
Unlock iDevice from device’s lock screen (only needed the first time), plug it in
In the terminal type: “idevicepair unpair && idevicepair pair”
Unplug the iDevice
Make sure the lock screen is still unlocked
Plug it back in

After that it works fine, even with a locked iDevice (iPhone in my case). Most information for this article came from an article over at askubuntu.com.

Happy new year 2012 to you!

Posted on 01/01/2012 by grimneko

Maybe 2012 be a happy and healthy year for you! Let us have more fun together!

-Grimneko

A bunch of tips for improving your postfix setup

Posted on 24/12/2011 by grimneko

Laptop with a opened envelope on the screen that has written eMail on it. Today I learned a few things on postfix and how to set it up cleaner. So I want to share this insights with you, especially the part how to clean up the mail header since it helps a lot and improves your privacy quite a bit. So let’s get started, shouldn’t we ? Lets start by adding a limitation on the SASL authenticated clients which address they can to send out mail. This gets archived by setting up “smtpd_sender_login_maps =” and adding “reject_authenticated_sender_login_missmatch” to smtpd_recipient_restrictions, so he check the map we setup in smtpd_sender_login_maps and if the SASL authenticated client fails rejects the mail. The map is looking like this:

# envelope sender           owners (SASL login names)
john@example.com            john@example.com
helpdesk@example.com        john@example.com, mary@example.com
postmaster                  admin@example.com
@example.net                fred, barney, john@example.com

So, setup the list with the addressed and allowed owners. Then convert it to a hashmap with postmap, and setup postfix.

$: postmap hash:/etc/postfix/addressowner_map
$: postconf -e \ 
'smtpd_sender_login_maps = hash:/etc/postfix/addressowner_map'
$: postconf -e \
'smtpd_recipient_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination'

Don’t forget to make smtpd_recipient_restrictions fitting your setup! After that restart postfix, try first to send out using the usual sender address. It should work fine, but when you set up a sender address you don’t own he should reject it. More information on this mechanism you can find in the Postfix SASL How to.

I was looking a while now for a way to remove my IP from outgoing mails, so my server is the start point of the delivery path. This is to hide my IP, also internal IPs and it solves problems with anti-spam mechanism like SPF. postfix (or any other SMTP server) receives mail from other mail servers (“incoming”), and mails by users (“outgoing”). As we don’t want to strip any headers from incoming mail, we first have to force all users to authenticate (which is a good thing anyway), and make Postfix add another header to authenticated (“outgoing”) mails. Then, we can match this header and strip both the Received line containing internal host names and IPs, and the authenticated header. So edit the config like this:

$: postconf -e 'smtpd_sasl_authenticated_header = yes'
$: postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

Then create the file “header_checks” and add the following line, while editing “yourdomain\.com” to match your mail servers domain.

/^Received: .*\(Authenticated sender:.*/ IGNORE
/^Received: by yourdomain\.com .*from userid [0-9]+\)/ IGNORE

Restart postfix. This takes care of our problem. Send out a mail and compare the resulting header with an older, its much cleaner. Thanks goes to Moblog, who explained it nice and from where I took some parts. So this enables us, cause we have a clean header, to add a SPF record to our domain. To archive this, just create a TXT record with the content “v=spf1 a mx -all”. Simple but working good. For more information on SPF, check Wikipedia, since OpenSPF.org is at least for me always down.

That’s it for today, hope it was inspiring for you.

One-Time-Passwords with Google-Authenticator

Posted on 23/12/2011 by grimneko

Today I want to show you how to set up Google-Authenticator so make your remote login more secure then before. It offers us to secure our login with a HOTP (counter-based, HMAC-based OTP) or TOTP (time-based) tokens as an additional challenge before you can login. Basically even IF someone spots your password, without a fresh token he can’t login. But no worries, in case you loose your cell (which is used as our token-generator, supported is iOS, Android and BlackBerry) he also give us 5 extra tokens for emergency’s.

A word for those maybe thinking “Urk, its from Google”. Yes it is, BUT its not dependent or require you to have anything from the Google services. It’s a opensource implantation of the known algorithms, and like the WordPress plugin shows, nicely can be integrated into various apps. Also its quite cost-effective as most have anyway a smartphone today.

So let’s start with the installation, I did it on a Ubuntu Lucid 10.04. We need to build it the packages “gcc mercurial libpam0g-dev subversion git-core”. Additional we should install “libqrencode”, but as it’s not available from the repository’s we just build it from the source, so we need also “git” to checkout the source from GitHub. libqrencode is to display a QR code on the terminal, saving us the typing of the initial code for the token generator.

$: sudo apt-get update ; sudo apt-get install -yy gcc mercurial libpam0g-dev git-core subversion

Once we’re done that, lets check the mercurial version as its crucial to checkout the Google-Authenticator source-code. You do that with “hg –version”. If the version is bigger then 1.5 then all is OK but if the version is smaller then that, we need to upgrade it to one bigger then 1.5. To do so, just go to the Ubuntu FTP Server and grab the package “mercurial-common_*.deb” and the “mercurial_*_amd64.deb” or “mercurial_*_i386.deb” depending on your system. Install them with:

$: sudo dpkg -i mercurial*.deb

That takes care of mercurial, lets move on with the preparations. Next we install libqrencode:

$: git clone https://github.com/fukuchi/libqrencode.git
$: cd libqrencode
$: ./autogen.sh
$: ./configure --prefix=/usr
$: make
$: sudo make install

With that libqrencode is in place. We need to install it in /usr instead of /usr/local, cause otherwise google-authenticator won’t find it. On we go with building the pam-module:

$: hg clone https://code.google.com/p/google-authenticator/
$: cd google-authenticator/libpam
$: make
$: sudo make install

Now that the parts are in place we begin assembling them. Each user now must run “google-authenticator” once so he gets a key generated before we can activate it. The program generates a base32-encoded key you are to enter in you smartphone, and also here comes libqrencode into play. It generate us a nice handy QR code to shoot with the phone saving us the typing (yes, it works fine on a console, using ansi). Also you get the 5 emergency codes I mentioned earlier. Put them in a save place! Before we make the final changes and activate the new config, open a additional terminal just in case. It’s for the case that something get wrong, so you can look up whats wrong with your config, and so you still have access to the server. Now it gets time to edit the pam-configuration.

$: sudo nano /etc/pam.d/sshd

Now we have to decide if we want get asked for the token before or after the regular password. That determines if you insert the line “auth required pam_google_authenticator.so” before the or after the default line. In Ubuntu the line for the default auth is for example “@include common-account”. So insert it before or after that line, depending on how you like it better. I get asked for my token before the usual password, so I can anger the brute-force kids a bit. After that we edit the sshd_config to enable Challange-Response-Auth.

$: nano /etc/ssh/sshd_config

Here look for the line “ChallengeResponse no” and change the “no” to a “yes”. Now we’re ready to to restart the sshd, and it (should) work.

$: sudo service ssh restart (or sudo /etc/init.d/ssh restart)

Now try to login, and see if everything works. If not, check “/var/log/auth.log” for error-messages. If you only want to use 2-factor-auth only for a few users, then you find a patch here to disable the 2-factor-auth when there is no .google-authenticator file in the home-folder of the user.

If you should use public-key-auth, its a bit complicated. That comes from the fact that the OpenSSH daemon overrides the pam-config on public-key-auth, and so the token-auth won’t take place. For some of you this might be what you want, but for others wanting to combine both, it might be not what they want. I have a solution in one of my magazines here but I want to play first with it a bit, before I write here in detail about that.

Hope you could find something useful in this article. The applications for the cellphones can be found in the following places:

While looking for more information on the Blackberry client I just found something nice. There is a WordPress plugin that allows you to use this login-method with your blog to raise safety for you admin account. The plugin you can download here.

And for more information/references:

Google-Authenticator Homepage
libqrencode Homepage / GitHub
the patch for the PAM module
the draft for the TOTP algorithem at itef.org
RFC4226 HOTP – An HMAC-based One-Time Password Algorithem
Google help pages on the 2-factor authenfication

ColorHug – A open source display colorimeter

Posted on 12/12/2011 by grimneko

Picture of the ColorHug attached to a screen Today I read in the current issue of the Linux Magazin about a opensource colorimeter named ColorHug. It’s certainly something nice since first of all its opensource and also its noticeable cheaper then professional ones. Another plus point for me is that it works on Linux. Many probably wonder “What the heck is a colorimeter to begin with and why does it bother me?”. Well it’s not too complicated, a colorimeter is a device allowing you to calibrate your monitor so it shows the colors accurate. And why should you care? Since you want to view your pictures/videos even nearer to reality, and also it helps when you edit them. The ICC profile that gets generated by it can be used with Linux (well, to be expected, eh?), Windows and also Mac OSX.

The ColorHug itself is a small accessory with the dimensions 32mm wide, 43mmm tall and 21mm deep. It gets connected via USB. Here are some pictures from ColorHug’s website to illustrate how it looks.

The ColorHug is a lot faster then similar products and the good point is it’s open design, which allows for example picture or video editing software to integrate it.

Currently you can preorder the ColorHug for just £48 (56,57€ / 74,92$), its a 20% developer discount since the ColorHug probably have some bugs in the beginning. But due its open design and the possibility to upgrade firmware it no problem to fix possible problems later. If you order later the price is supposed to be £60 (70,70€ / 93,65$), so I suggest if you’re intrested, preorder now.

Please be aware that there are no OSX/Windows driver, users not using Linux can use the LiveCD or the Software included in Fedora 16 or later. For ordering and even more information please visit the ColorHug website.

The software and the firmware for ColorHug can be found on https://gitorious.org/colorhug.

Finally working eMail

Posted on 07/12/2011 by grimneko

After ages I finally took on the fight with my fear of mail-servers and got it working. Found a nice guide on Linode.com that was a great help to figure out various things. I optimized it at some points, and thanks to the book “Das Postfix Buch – Sichere Mailserver mit Linux” (german) from Peer Heinlein I did manage it. Now its adding more features like spam-assassin, virus-scanning, and more. But yea, I’m happy that I conquered my fear, but yea, I’m quite unhappy with the documentation of the dovecot/postfix. It could be improved a lot, but sadly I lack (yet) the knowledge to do so. Without that guide I certainly would have run into a bit trouble, since some points are a confusing without a hint how to work with it. But yea, made it and I will blog also about how I implanted the upcoming features, so you guys can also use it if you also think on setting up a mailserver.

Helpful tools for checking your mailserver are these:

abuse.net/relay.html Mail Relay Testing -Check your mailserver if it can be missused as a open-relay to send spam.

www.mxtoolbox.com Various tools from check your domain’s mx record to checking the servers SPF response.

Fire acrobatics on the Christmas market

Posted on 03/12/2011 by grimneko

A firey acrobatics I took while taking video from the Christmas market in Krefeld.

St. Martin Day festivities in Uerdingen

Posted on 02/12/2011 by grimneko

This clip was done by Marcus and me when we’re attended the traditional St. Martin’s Day festivities. It shows the kids marching with their self-made lanterns and later the fire. Sadly they didn’t showed the cutting of the cloth this year, but still it was nice. For more background on this festivity checkout Wikipedia.

Backup your server to Amazon S3 (simple storage service)

Posted on 02/12/2011 by grimneko

Today I did setup backupninja together with dt-s3-backup to backup my server gpg-encrypted to Amazon’s S3 storage. It’s a quite cost-effective way to back up things and can easily be automated. I used the good tutorial at Marcin Gryszko’s blog for setup. It’s quite good, so I only will add here some tips to get around problems and to improve safety a bit.

One thing is, and this helps also with the Deja-Backup tool for Ubuntu/Debian, often a python lib is missing to let duplicity (the backup program used here and also in the back of Deja-backup) work with S3. So if there is whining from duplicity that it can’t access S3, you need to install the package “python-boto”.

Also you want to make an own user for the backup process at S3. After a bit research I found on Random Musings Blog the help with the IAM policy stuff I wanted (as it’s not really simple in my eyes). When you add your backup user, add a policy like this (with your bucket name in it):

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket_name_here"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket_name_here/*"
    }
  ]
}

That way we limit our user to only access our backup bucket, and so can separate our backup buckets from each-other, so if one gets compromised it not affect other buckets/our main user. This also works good with Deja-backup.

With this it should be quite easy to set up an automated backup to Amazon S3. My thank goes out to the two blog’s as they were a great help and finally let me get things started! I hope this collection of hints help you, too. As a word for those probably saying “S3 ? Cloud? Isn’t it insecure?”. Well, we counter the problem of possible spying on our data by using gpg encryption with a password, and if you use a 30-50 random char&number password it should be so strong that even a computer cluster should get trouble breaking it in reasonable time.

Gitosis and Git, another installation guide

Posted on 24/11/2011 by grimneko

Sure you found already lots of guides on how to set up gitosis, but here I wanna focus on something I required as I wanted to use a ssh-key different from the usual ~/.ssh/id_rsa. As hardly any page mentioned how to do it, I thought I show the different ways to do so and how to install gitosis in general. So lets begin, I use for the guide a Ubuntu 10.04 LTS but switch package manager/package name and it should work on your Linux distro too, as the rest is the same as far as I can tell.

First off we start with installation of gitosis:

$# sudo apt-get install gitosis

Now we need a ssh-key. Unless you already prepared one, you can produce one like this on your local machine and upload it to the server via scp after you created it:

$# ssh-keygen -t rsa -C "admin@gitosis" -f ~/.ssh/gitosis_on_server
$# scp ~/.ssh/gitosis_on_server.pub master@myserver.de:/home/master/

I add here the “-f ” parameter of ssh-keygen, as this is the point which my installation guide wanna go on, specifically to use a ssh-keyfile that not have the usual name id_rsa. Feel free to change the filename to your like, and not forget to set the proper user/server etc. for scp . I will go on with the key called “gitosis_on_server”. The -C option is for setting the name we use later to refer to this specific key in the options.
That done we’re good for initializing gitosis master repository which will serve us as place for the auth-keys and configuration for the repository to come. To do so, we issue the following command on our server:

$# sudo -H -u gitosis gitosis-init < ~/gitosis_on_server.pub

That creates the master repository, and once that’s done we come to the interesting part. Now we either set the $GIT_SSH environment variable to a ssh command line that give your git the identify key, or like I did, edit our /etc/ssh/ssh_config a bit. Basically we define a hostentry and on the side we save us some typing that way later on, so I go here for this solution.

$# sudo nano /etc/ssh/ssh_config

Scroll down there until you reached the end, and then add the following (with your data added of course, only let the user stay as “gitosis”! :

Host               gitosis-host
HostName           myserver.com
IdentityFile       ~/.ssh/gitosis_at_server
User               gitosis

With that git knows when we give it the server gitosis-host that it should use the data from this entry in the ssh_config (also makes it easy for normal ssh connection, less typing). Anyway, back to gitosis. Now we clone the repository we just created to our local machine:

$# git clone ssh://gitosis-host/gitosis-admin.git

Then he ask you for the password for the ssh-key we created earlier (if you set one, and you should to improve security!). If you should encounter an error during this that’s like this:

Permission denied (publickey).
fatal: The remote end hung up unexpectedly

Then you most likely restricted ssh access on the server to specific groups/users, so add gitosis to the list of allowed users or add the gitosis user to the required group. If all went ok, then we can add new users/repositorys using the repository we just created. To do so, open the gitosis.conf in the folder we cloned and add entrys like this:

[group myrepo]
writable = myrepo
members = admin@gitosis

Then commit and push (!!). Do not forget the pushing, otherwise it don’t work and yea, I forgot it too and was quite irritated until I realized it. Once it’s pushed and so on the server, lets clone it and push some files into it.

$# git clone ssh://gitosis-host/myrepo.git
$# echo 'testing here' > testfile.txt
$# git add .
$# git commit -m 'adding testfile'
$# git push origin master
$# git push

So, now we want to add another user? No problem, just generate a new key with a different user@computer (here we do user1@desktop). Then we add it to the gitosis.conf in our admin repository clone like this:

[group myrepo]
writable = myrepo
members = admin@gitosis user1@desktop

And now we copy over the public keyfile. Pay attention, the public keyfile must be named like the user we just added plus “.pub”. The keyfile gets copied into/keydir/. In the example it looks like/keydir/user1@desktop.pub. That done, push it and you’re done. Now the new user can checkout it, and if thats you, just make another entry in the ssh_config, and then use the new host to clone it.

Hope I didn’t confuse you too much on the way. This guide uses parts from Ivan Kuznetsov’s guide, the help with the ssh came from the ssh manpage.

Grimneko's blogging space

Another place where some blog about findings, thoughts and more…