Our CA has a recently unveiled service which will scan our public IPS and report on detected certificates close to expiry which is handy, but we have a lot of servers on non-routable and / or firewalled addresses, so an internal scan is the only way to cover them all.

There seem to be at least a couple of other published approaches in the google including ssl certificate expiration check and the neat ssl-cert-check script at prefetch.net which will take a list of servers and express the expiry date. I wanted something slightly different (more minimalist): as we’re using the excellent zabbix for general system monitoring which especially likes system commands or scripts which take a single parameter and spit out a single return value.

In this case that parameter is a server name or IP address,  returning  either the number of days until SSL cert expiry, or the certificate issuer, depending on which version of the script is called. As I said, we’re using this with zabbix but this is just a command line script usable for quick on the spot checks or could easily be incorporated into another monitoring / alerting system.

A nice simple method I would probably use if I didn’t have zabbix would be to incorporate this into a quick and dirty loop script which periodically queries a list of ips or subnets and fires off an email if the ‘days to expiry’  is below a certain value (exactly what zabbix does now). It could be made a bit more elegant perhaps by using a bit of nmap to build a fast list of responding servers to query, but depends what you want, how much time you have, and how much of a stickler you are for efficiency =)

(Command line for all scripts is simply: ./script-name server.name.or.ip.address )

Script: sslcheck-expiry

#!/bin/bash
# Simple SSL cert days-till-expiry check script
# by Glen Scott, www.glenscott.net

openssl_output=$(echo "
GET / HTTP/1.0
EOT" \
 | openssl s_client -connect $1:443 2>&1);

if [[ "$openssl_output" = *"-----BEGIN CERTIFICATE-----"* ]]; then

        cert_expiry_date=$(echo "$openssl_output" \
         | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
         | openssl x509 -enddate \
         | awk -F= ' /notAfter/ { printf("%s\n",$NF); } ');

        seconds_until_expiry=$(echo "$(date --date="$cert_expiry_date" +%s) - $(date +%s)" |bc);
        days_until_expiry=$(echo "$seconds_until_expiry/(60*60*24)" |bc);

        if [[ $days_until_expiry -ge 0 ]]; then

                echo "$days_until_expiry";
                exit 0

        else

                echo "EXPIRED ($days_until_expiry days)";

                exit 0
        fi

else
    echo "NOT_FOUND";
exit 1

Checking the issuer as well as the expiry

Because we have a bunch of servers setup for dev, test or other purposes with self signed “snake oil” certs and I dont really care about the certs on those, I wanted a method to determine the issuer. (Zabbix then has some logic which only bothers to email us if a cert is about to expire AND is from a real CA.)

Script: sslcheck-issuer-o

Returns the “O” (Organisation) value from the issuer string.

#!/bin/bash
# Simple SSL cert get-issuer-O
# by Glen Scott, www.glenscott.net

openssl_output=$(echo "
GET / HTTP/1.0
EOT" \
 | openssl s_client -connect $1:443 2>&1);

if [[ "$openssl_output" = *"-----BEGIN CERTIFICATE-----"* ]]; then

        cert_issuer=$(echo "$openssl_output" \
         | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
         | openssl x509 -noout -issuer -nameopt sname \
         | tr '/' '\n' | grep O= | cut -c3- );

                echo "$cert_issuer";
                exit 0
else
    echo "NOT_FOUND";
exit 1
fi

Script: sslcheck-issuer-cn

If for some reason you want the CN value from the issuer string, use this instead.

 
#!/bin/bash
# Simple SSL cert get-issuer-CN
# by Glen Scott, www.glenscott.net

openssl_output=$(echo "
GET / HTTP/1.0
EOT" \
 | openssl s_client -connect $1:443 2>&1);

if [[ "$openssl_output" = *"-----BEGIN CERTIFICATE-----"* ]]; then

        cert_issuer=$(echo "$openssl_output" \
         | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
         | openssl x509 -noout -issuer -nameopt sname \
         | tr '/' '\n' | grep CN= | cut -c4- );

                echo "$cert_issuer";
                exit 0

else
    echo "NOT_FOUND";
exit 1
fi

Additional notes:

All scripts use the openssl s_client function to connect to the first string (assuming IP or server name) on default port 443. It echoes some HTTP GET requests and an EOT, otherwise openssl will sit there until timeout waiting for something to happen. If the remote connection sends a certificate down the pipe (identified by the presence of “”—–BEGIN CERTIFICATE—–”) it will process it, otherwise it returns the value ‘NOT FOUND’, which is a catch all for no certificate, a malformed certificate, a network timeout and so on.

A quick glance at these will reveal a lot of duplication: indeed the last two only differ by one line. This is on purpose; I actually started out building a do-everything script with a switch to determine behavior (like this script I subsequently found). This would be a lot more efficient in terms of network requests, you could retrieve the cert once and analyse it in multiple ways. Unfortunately it turns out zabbix really only likes dealing with the one parameter – a minor issue for which I will forgive it – so I’ve broken this out into three smaller scripts.

OpenSSL will only return the date in a format like “Sat Jan 1 17:15:00 WAST 2010″. I was starting to figure out how to chop it up into a usable format like DDMMYYYY using sed, awk, cut and the rest but discovered  to my surprise that the unix date utility understands the string just fine as is. The date is converted to seconds since epoch and the ‘bc’ utility does some math on it, returning a rounded value in days.

Instead of awk in the last two I’ve used a handy-dandy utility called, simply, ‘text replace’ (tr). I actually don’t use awk, sed and regular expressions much and am correspondingly unfamiliar with the syntax, thus was happy to discover and use this nifty shortcut. It’s not as powerful as sed/awk but is great for a simple character replace like this, especially when the process of trying to manipulate both kinds of slashes in the issuer string and replace them with newlines '\n' is frying my brain.

As always, your mileage may vary, particularly regarding any differences in the basic syntax of the various utilities across platforms (I’m using RHEL). ’date’ for example is very forgiving here, this might not be the same everywhere. I’ve also had issues in the past with the syntax of SED on OSX.

Hope someone finds this helpful, and I will write up a brief post on using zabbix to manage SSL cert expiry at some point as well.

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

If you want the gory details, check the thread over at bugs.launchpad.net. I’ll distil the useful bits below.

After the upgrade, my huawei 3G modem stopped being detected by NetworkManager. I’d see the fake ‘ZeroCD’ drive try to map itself and occasionally a gnome message box would be thrown up about a failed mount attempt, but no modem.

A look in the logs revealed /var/log/messages filling up with lines like this:

kernel: option 3-1:1.2: GSM modem (1-port) converter detected
kernel: usb 3-1: GSM modem (1-port) converter now attached to ttyUSB0
kernel: option 3-1:1.1: GSM modem (1-port) converter detected
kernel: usb 3-1: GSM modem (1-port) converter now attached to ttyUSB1
kernel: option 3-1:1.0: GSM modem (1-port) converter detected
kernel: usb 3-1: GSM modem (1-port) converter now attached to ttyUSB2
kernel: option1 ttyUSB2: GSM modem (1-port) converter now disconnected from ttyUSB2
kernel: option 3-1:1.0: device disconnected
kernel: option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
kernel: option 3-1:1.1: device disconnected
kernel: option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
kernel: option 3-1:1.2: device disconnected

So the modem was being disconnected and reconnected at least a couple of times a second for some reason, and the storage device was not appearing at all.

I tried the usb_modeswitch tool which is supposed to jolt misbehaving HUAWEI (and other brand) devices out of their stupor with some undocumented SCSI/USB commands, but no success this time.

After a bit of googling, it turns out this is (was) a known bug in the way the more recent linux kernel handles the combination USB Modem/Storage device hardware (and was allowed to remain in a major release of Ubuntu which is a bit unfortunate as it seems these types of USB modems are pretty common).

There are a couple of fixes pending an official update: either install a patched version of the kernel, or temporarily disable the USB Storage kernel module which looks pretty easy and apparently worked for a few people:

# rmmod usb-storage

Untested by me: Your mileage may vary.  Be warned that even if this works, by unloading the usb-storage kernel module you will lose support for any USB based storage devices, so this is strictly a temporary workaround. I thought I’d try the more permanent and possibly dangerous (?) kernel solution first, which worked.

Steps to upgrade your kernel to a compatible version:

1. Check your current version with the uname -a command. My post-9.10-Karmic upgrade version was: 2.6.31-14-generic #48-Ubuntu SMP  x86_64 GNU/Linux
2. Go to http://kernel.ubuntu.com/~kernel-ppa/mainline/ and download the .deb files for the kernel headers (“all”) and the kernel for your architecture (“amd64″ or “i386″). If you don’t have any kind of internet on the affected ubuntu box, grab them via another connected machine and copy them via removable media (windows or mac should be fine for just getting the files). You want the “linux-header” and “linux-image” files from within the folder with the latest (hopefully stable) version number. You can ignore the source file for now.
3. Go to a command prompt, change to the folder where the downloaded .deb files are located, and execute the following, substituting the .deb file names for the versions you have (make sure you install the headers first).

4. sudo dpkg -i ./linux-headers-2.6.32-020632rc8_2.6.32-020632rc8_all.deb

5. sudo dpkg -i ./linux-image-2.6.32-020632rc8-generic_2.6.32-020632rc8_amd64.deb

After this, provided everything worked, you’re a reboot away from your modem working again. After the boot, uname -a should reveal the newly installed kernel version. Mine is: 2.6.32-020632rc8-generic #020632rc8 SMP

Once plugged in, the modem worked instantly and my mobile broadband account connected fine. Hooray!

While lsusb output looked the same as before:

Bus 006 Device 004: ID 12d1:1001 Huawei Technologies Co., Ltd. E620 USB Modem

My /var/log/messages also looked a lot healthier:

kernel: USB Serial support registered for GSM modem (1-port)
kernel: option 6-2:1.0: GSM modem (1-port) converter detected
kernel: usb 6-2: GSM modem (1-port) converter now attached to ttyUSB0
kernel: option 6-2:1.1: GSM modem (1-port) converter detected
kernel: usb 6-2: GSM modem (1-port) converter now attached to ttyUSB1
kernel: option 6-2:1.2: GSM modem (1-port) converter detected
kernel: usb 6-2: GSM modem (1-port) converter now attached to ttyUSB2
kernel: usbcore: registered new interface driver option
kernel: option: v0.7.2:USB Driver for GSM modems
kernel: scsi 8:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
kernel: scsi 8:0:0:1: Direct-Access     HUAWEI   SD Storage       2.31 PQ: 0 ANSI: 2
kernel: sr0: scsi-1 drive
kernel: Uniform CD-ROM driver Revision: 3.20
kernel: sr 8:0:0:0: Attached scsi generic sg1 type 5
kernel: sd 8:0:0:1: Attached scsi generic sg2 type 0
kernel: sd 8:0:0:1: [sdb] Attached SCSI removable disk

Additionally, with the new kernel, both the pseudo cdrom, the 3G modem, and presumably the SD storage (though I don’t use it) are working at the same time. So, problem solved.

(Another improvement I noticed with the new version of ubuntu/kernel is I can disconnect the wireless broadband account via networkmanager without nasty gnome freeze-ups. Not sure what the culprit was for this: I worked around by disconnecting the hardware to avoid freezes, but looks like this too is now solved).

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

I had a play with the stock ASUS install for a while, but it was less than exciting. What finally killed it for me was the broken Xandros wireless networking. To get WPA you need to do an update (via the wired connection) and after the update it still didn’t work for me. I finally learned that due to some scripting errors by the eee pc xandros developers WPA still breaks if there are certain characters in the password. Rather than do the script editing dance to fix a distro I was already feeling lackluster about I decided to move on to Ubuntu.

Installation of Ubuntu is a total breeze and everything you need plus instructions is over here : http://www.ubuntu-eee.com/. I won’t go over it here but to summarize:

1. Grab the .ISO (less than 700MB, I used the torrent)
2. Get the unetbootin netboot install utility (sourceforge)
3. Blast the .ISO onto your 1GB usb drive
4. Fire up your eeepc, do the usual ESC to choose boot device, and you’re away.

Up until the install I wasn’t aware of the existence of the ubuntu netbook interface remix: its essentially a touchscreen friendly netbook menu/window manager and very cool. Its the first real argument I’ve seen that might sway me towards installing a third party aftermarket touchscreen.

There are a couple of things that needed changing from the stock install, most importantly the broken SD Card mount function. Fortunately this is dead easy to fix (and it is maybe already sorted in the latest release even as I type this).

Run an update

Before doing any tinkering, its worth allowing ubuntu to run a package update via the synaptic package manager / built in updater / cmd line “apt-get update, apt get upgrade”. This is dead easy: do it first =)

Fixing the SD Card mount

This is a minor annoyance, possibly already fixed if there is a new release out, but very easy to fix.

1. Fire up a terminal window (under accessories)

2. sudo gedit /etc/fstab

3. Comment out (put a hash at the start of) the last line which refers to the cdrom.
4. Save and exit.

This is a minor oversight by the distribution chefs and takes about five minutes to fix. After doing that the SD card mount works seamlessly.

Getting your Divx/Xvid going

The next thing you’ll probably want to do is install media codecs so you can play your divx/xvids files on the go. This is as simple as firing off the media player while you have an active net connection and telling it to download the codecs from the apt repository (just search for ‘xvid’).

Another package I needed which didn’t come preinstalled was the VPN client. Standard ubuntu procedure applies here, as in the following packages should be installed:

• pptp-client

• gnome-network-manager

After that a command line network manager restart command purports to give you the VPN options in your network menu, but I needed to reboot before mine appeared. After all this was installed, my netbook connected ot the WPA network and through again to the PPTP VPN no worries.

Currently Unresolved Resolved Issue 1: hibernation is busted.

I won’t go into detail, but even after installing the hibernate package and going in with a gparted usb boot to match the swap partition size to my installed RAM size (512mb), hibernation is still broken. I don’t get the “Insufficient SWAP” type error messages now and it appears to be hibernating, but powering it back on results in a fresh boot rather than a restore from hibernation.

For the time being I’m resorting to leaving it in suspend and making sure I keep it charged if its not being used for a few days.

UPDATE: following the instructions for file-based hibernation in this excellent article at ubuntu-eee.com has things working perfectly.

Currently Unresolved Resolved Issue 2: Webcam is busted

Firing up the built-in ‘cheese’ app doesn’t give me any webcam goodness, only static. This is probably some default setting gone awry in a config file: once again I havent done much (any) research on this so it might be a simple fix. I haven’t tried Skype with it yet either.

UPDATE: Somehow the webcam had become disabled in the BIOS between the Xandros install and the Ubuntu install. Re-enabling it fixed all. Doh.

Currently Unresolved Issue 3: Some windows don’t fit the screen

This can be gotten around to an extent by the hold-down-alt-when-clicking trick, but what I really want is a VGA utility like the one included in the stock distro which allows a bigger virtual screen size. There might be something out there, but I haven’t give it a proper look yet.

I’ll post an update if I manage to resolve any of these items (before going on holiday in a few weeks =) )

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

As mentioned, the eeepc I acquired had XP installed (nlited) and no recovery DVD, so no option of using the built in rescue partition to restore the EEEPC back to the factory state. (Apparently you can hit F9 normally and it takes to to a ‘restore me from hidden partiton’ type GRUB menu). I figured this wouldn’t be a problem, I’d just go to the Asus support site and grab the image. Its linux, right, should be able to get the firmware images easily from the manufacturer, right?

Wrong.

I ransacked the official eeepc.asus.com support site looking for what I needed: at the other end of the search I can honestly say I found zero useful material or info there. (Don’t even bother visiting it, you’re better off going straight to google for this). The support/download section had BIOS updates and the like, but nothing to help with a reinstall. Even searching the forums for what I imagined to be blatantly obvious issues (eg: where do I download the restore cd?) came up with bupkis.

I concluded, to my chagrin, Asus has decided to withhold the support software (a linux distro?) for whatever reason, and the forums were evidently being policed according to this policy, removing any useful information pertaining to it. I expected to find at least a link to an outside site, as google was telling me about various helpful torrents: not finding even a whisper of this on the official support forums smells like seafood.

After a bit of googling and torrent searching I found a few ISO images which purported to be eeepc 701 flavored including a copy of Ubuntu, but I couldn’t get them to run from USB key: syslinux made the drive bootable but either the kernel options were wrong and linux would not boot, or I could get it to boot by plugging in manual options (specifying location of initrd etc) but only made it partway into a boot before falling over and restarting. (I didn’t bother noting or chasing down those errors as I didn’t particularly fancy my mission this evening to be going down the road of fixing boot issues in roll-your-own livecds booting from USB sticks). I realise I’ll probably have to suss this out properly for installing Ubuntu and other flavors down the road, but for now I just wanted the stock Xandros system restore.

I eventually found some downloads which solved the problem.

Heres the process in WinXP:

1. The first thing you need is the EeePC 901 ASUS Linux USB Flash Utility available from eeefiles.com (Link updated! http://www.netbookfiles.com/574/eee-pc-8g-xp-asus-usb-flash-utility-version-v1131/ ). I guess this is the version which comes on the support DVD, but I don’t have that and it wasn’t available from the official site, so… (By the way, thanks a lot Asus, making me resort to downloading from a third party site instead of a trusted source).
2. The next file you’ll need is the Xandros Eee Pc 701 Edition ISO. Get it from the eeepc 701 community project on sourceforge.
3. Once you’ve downloaded both of the above its all pretty much downhill!
4. Now either burn the ISO to a physical disk, or mount the image using a program like daemontools.
5. Plug in your 2GB+ USB stick
6. Run the USB Flash utility, select the detected USB drive,wait for it to format. If prompted, remove and re-insert the stick after the format. It will ask for the linux disk (either insert the physical copy you burned or mount the ISO into a drive).
7. Linux will copy (it takes a few minutes) and at the end you should have a bootable restore on the USB drive.
8. Power on the eeepc, hit F2 for BIOS options, go to “Advanced” and set the “OS Installation” to “Start”. F10 to Save and exit.
9. Put the USB drive in your eeepc, reboot, hit escape on POST to get to the boot menu, and you’re off.
10. Xandros will install (took about ten minutes on mine). Remember to go back into the BIOS and set “OS Installation” to “Finished” once its finished.

That really shouldn’t have taken me a whole evening of googling to get done =

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

There seems to be a few different ways to get the SMB bit done but I ended up using smbfs: you’ll need this on your system for this script to work. If you don’t have it and you’re using a package manager it should be pretty simple to get, a bit of apt-get install smbfs should do the trick.

Note: I am aware of various security issues with running scripts as root, storing passwords in scripts, and this sort of thing. Since this is a super simple backup script, I’m doing it anyway : Complaints department is /dev/null ;)

Script 1: this is a super simple version. It tars and copies some folders to the remote share and thats it.


#!/bin/bash

#simple backup script
#by Glen Scott, glenscott.net

# set smb server and auth vars
sharename="//ourserver/ourshare"
username="ourdomain\ourbackupuser"
password="passwordgoeshere"

backuplocation="/backups/*"
savepath="/root/"
filename=$(hostname).backup.$(date +%a).tar
mountpoint="/mnt/smb"

#tar up the backup folder
tar -cf $savepath$filename $backuplocation

#connect to the share
mount.smbfs $sharename $mountpoint -o username=$username,password=$password

# move the tar
mv -f $savepath$filename $mountpoint

# disconnect the share
umount $mountpoint

#all done!

Script 2: this is the second version I made for another box. It needed a mysql database backed up as well so I added a few lines in for that. I also took the chance to add a quick working folders checker / creator, tidy it up a bit and comment everything.


#!/bin/bash

# simple backup script
# by Glen Scott, glenscott.net

# this is a simple script to tar.gz certain folder locations and copy them to a SMB share
# this script should be run periodically from crontab
# you will need smbfs installed on your system or modify the samba mount method

# set smb server and auth vars
sharename="//ourserver/ourshare"
username="ourdomain\ourbackupuser"
password="passwordgoeshere"

#set mysql details
mysqlhost="localhost"
mysqlusername="root"
mysqlpasswd="mysqlpasswordhere"

#set which folder locations we want to backup, inc trailing slashes
#add more here and append to the appropriate tar line further down the script if needed

location1="/var/"
location2="/backup/"

#set temp files and folders
backuptemp="/backuptmp/"
savepath="/root/backup/"
filename=$(hostname).backup.$(date +%a).tar.gz
mountpoint="/mnt/smb"

# make sure our working folders are present and accounted for

if [ ! -d "${backuptemp}" ]
then
mkdir $backuptemp
fi

if [ ! -d "${savepath}" ]
then
mkdir $savepath
fi

if [ ! -d "${mountpoint}" ]
then
mkdir $mountpoint
fi

# tar up the files we want into the backup temp
tar -cf ${backuptemp}files.tar $location1 $location2

#dump the local mysql db into the backup temp
mysqldump "-h${mysqlhost}" "-u${mysqluser}" "-p${mysqlpasswd}" --all-databases --lock-tables > ${backuptemp}mysqldump.sql

#tar up the backup temp folder
tar -czf $savepath$filename $backuptemp

#connect the smb share to our mount point
mount.smbfs $sharename $mountpoint -o username=$username,password=$password

# copy the tar (could also move it but whatever you like)
cp -f $savepath$filename $mountpoint

# disconnect the share
umount $mountpoint

#all done

As long as you have smbfs installed, the above should work fine.

A word on smbfs: without it the above script will fail. You can probably install smbfs quite easily on your system with the command apt-get install smbfs (or yum if you’re using redhat/fedora, or whatever your flavor of package manager happens to be). I use debian, so apt-get works just fine for me.

A word on Crontab: You’ll need to add the script to your local cron to get regular backups.

I won’t go into hideous details about how crontab works, theres plenty of that on the net already. To keep it simple, if your distro supports it (most should) you can put a symlink to the script in /etc/cron.daily or /etc/cron.weekly which will give you a simple schedule.

If you want something a bit more complicated, you’ll have to mess with the crontab. I’m aware there are commands to get this done but I’ve always just edited the system crontab directly. Mine runs twice a week, on wednesdays and fridays, so my crontab line looks like this:

# m h dom mon dow user command
0 2 * * 3,5 root /root/backupscript

Righto, thats it.

UPDATE: I notice a mutated version of this script has been posted in this forum thread over at linuxquestions.org – cool! Check it out over there if you want to see what someone else has done with it.

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

Preamble: Our new staff laptops are pretty fantastic. Faculty has an initiative subsidizing the cost of deploying tablet notebooks to all schools in Computing and Health Science. I already had one of the few X41s which were wasting away in storage when I arrived: nobody seemed to want to use them becuase they apparently underperformed. I dusted one off and moved from the T42 I was using to the X41, and found the reduced footprint/weight to more than make up for any loss of grunt.

So the new machines have landed, and they’re the very capable Lenovo X61. I’ve had one for a month or so running alongside the X41. I would have made the transition without delay, as the new hardware is better in many respects, and I’m not that biased against Vista that I would avoid upgrading for that reason alone (Vista is mandatory on these new machines to increase staff exposure to the O/S), but theres been a major sticking point, and thats support for my favorite XP encryption solution, Truecrypt with TCGINA.

I’ve had at least one laptop stolen in recent years, and while no important data was lost / exposed via the theft, I now have a heightened awareness of the danger of carrying unencrypted data around. TCGINA does a great job in XP of hooking into the login process and pre-mounting your encrypted storage even before the user profiles are loaded, which means that data can be stored there as well. This effectively means that your desktop folder, my documents, IM data, browser (IE or FF) favorites and history and the like are all stored safely. If the device is lost or stolen, without your password, that sensitive file you left on the desktop isn’t sitting there exposed on an unencrypted diak waiting to be harvested by a forensic undelete utility.

Truecrypt 4 with TCGINA is broken on Vista

Vista takes a different (non GINA) approach to handling the login process , so TCGINA no longer gets it done. This was a real headache: I needed to be using Vista for work but wasn’t comfortable with an unencrypted portable system. (This is before TrueCrypt5 was released – more on this shortly). The X61 has a TPM and thus (any big brother TPM/Vista backdoor conspiracy theories aside) bitlocker should have been an option, but because of the partitioning setup on my notebook, it isn’t. This is because bitlocker works by creating a separate primary partition (size ~1gb or so) on your drive to stick its bootloader and encryption software.

Problem was, I already had the maximum 4x primary partitions. I’m never satisfied, so after installing Vista I went in with a linux livecd and gparted (gnome partition GUI, like travelling first class compared to being jammed in the luggage bay using fdisk) and sliced it up so I could have three additional OS’s booting natively. These were Ubuntu, Backtrack 3 Beta, and WinXP SP2 – (the latter being a real adventure to get co-habitating peacefully with the others, due to an unfortunate tendency to blat whatever bootloader I was using with its own apon install).

Eventually it all worked, with GRUB on the boot partition loading up whichever of my 4 OS/s I wanted. On a side note, whenever I messed with the size of the Vista partition (gparted handles ntfs partition resizing fine) Vista would fail to load until I went in with the vista boot dvd and ran the very simple repair/rescue procedure. Did this each time, and then it was fine.

(I’m aware that alternative bootloaders such as XOSL can supposedly work some magic when it comes to maximum / types of partitions and the O/S’s loaded from them, but I have yet to try it. )

So having reached this stage things were mostly groovy, my 4 OS’s on one machine, but with no encryption whatsoever. At this point, I would have been happy to have it on the Primary O/S only (Vista) as the others were mainly for testing and would be unlikely to have any sensitive data on there, but even that seemed out of reach due to the TCGINA/Vista broken-ness.

So what to do?
Answer: Truecrypt 5 rocks and is not broken on Vista

Midway through pondering how I was going to find a solution, a rescue came along: TrueCrypt 5 was released with a major major feature added: the ability to encrypt entire system & boot partitions.

This was pretty much holy grail stuff to me at that point.

I wasted no time in firing up the new Truecrypt on Vista to see if the promises were true. Summary: some of them are. Its good, but not perfect. It didn’t work “out of the box” (but then bitlocker didn’t work at all): There were hiccups because I had GRUB as my primary bootloader (TC5 refuses to deal with anything but the windows bootloader) and I was unable to encrypt my entire disk, as I initially thought I’d be able to do, because my partition setup included logical partitions (this scenario throws an error after you try to process a whole disk which contains logical partitions).

So to get it working? First, I had to nuke GRUB from the primary partition, and set it up on the secondary so I could still access my linux installs. This was pretty simple: I booted into Ubuntu (which is where my grub config lives) and installed it on the second partition via some simple GRUB commands which I googled and now cant remember (partition 2 happens to be where XP is installed), then booted up with my vista dvd and let it replace the primary bootloader.

It is probably worth noting that I also had the Backtrack distro* installed on one of the logical partitions (along with a swap partition and an independently encrypted truecrypt partition), and GRUB could load Backtrack fine throughout this process, as its location didn’t change. (sda6).

After that it was as simple as running the truecrypt system/boot encryption wizard from Vista again, allowing it to create a recovery CD (backup of the volume headers in case of corruption or a changed, forgotten password) and waiting for a couple of hours while it processed my vista system partition, live.

Voila – it works. My Vista partition is now secure, and my other OS’s boot fine, albeit unencrypted. The next step is to reorganize everything so I can get rid of the logical partitions and hence do a proper whole-disk encryption to cover both my Windows and Linux installs. I’m sure theres a post in that.

* Backtrack is a Slackware based livecd distro loaded with a plethora of security tools. Since my primary laptop is usually of the subnotebook/ultraportable breed and hence doesn’t usually include a CD/DVD drive, I’ve previously installed backtrack to a USB key and booted off that, but its easier to have it integrated as a boot option, epecially with nice large hard drives making the 3GB or so loss of usable space hardly noticable.

UPDATE: I have since received a few queries about this article via email and clarified it a bit, so I’ll post the emails and responses below.

John: Hello,
i read your article Quad boot with Linux, XP and Encrypted Vista on the Lenovo
x61 Tablet, but there is not much details. My problem is that i have 2 primary
partitions, 1. is winxp, second is linux. I have grub loader. So my problem is
after i will encrypt my windows primary partition + use pre boot lock stuff from TC, how my grub loader will work? Because if i understand well TC boot lock will delete MBR a put own code overthere.
Thanks for your reply.

Hi John

I have not encrypted WinXP with Truecrypt yet, only Vista, however I suppose it is more or less the same.

To answer your question: When you encrypt your windows partition it will install the TC bootloader on the MBR, and yes it will overwrite GRUB.

What you need to do is install GRUB on your linux partition before running truecrypt in windows. You will need to boot into linux and run some “grub” commands (suggest you google them) to install it to another partition/drive. (It is ok to have the grub bootloader installed on two drives at once). Once you have encrypted your windows system partition, the Truecrypt bootloader will detect any other bootable drives on the system and give you the option of booting from them instead of your encrypted windows when you start up. (They will not be encrypted or otherwise protected by truecrypt, but they will be bootable)

John: Ok till that part its clean, u mean just install grub not into MBR but on the linux partition where the linux is. Dont understand what u mean by grub will be installed on two drives at once, u mean MBR + linux partition?

Yes, you install the grub bootloader onto your linux partition. After that grub will be *temporarily* installed two places at once, but only until you run fixboot+fixmbr, after that the Windows bootloader will be restored to the primary drive/partition.

If I recall correctly, truecrypt will not do full system encryption while you have GRUB on the primary MBR, so once you have installed GRUB on your linux parition/drive, you need to replace it on the primary with the default WinXP bootloader (easiest way is to go in with the WinXP boot cd, go to the recovery console and use the “fixboot” and “fixmbr” commands). Once you have done this, boot back into windows (should go straight on with no sign of grub) and TC should encrypt your windows system partition fine.

John: Here is a place where i completly got lost. What do u mean by primary MBR? Ok anyway why do i have to put grub to primary? Didnt u say that its enought to install grub on linux partition, and simply overwrite MBR by truecrypt? Why do i have to do fixmbr and stuf…

fixmbr and fixboot are the microsoft command line tools for restoring the default windows bootloader. You need to do this because truecrypt will not encrypt a windows partition which has grub installed as its primary bootloader. Truecrypt then replaces the windows bootloader with its own bootloader which will then launch windows (encrypted) and also any other bootable drives/partions (ie your linux one with GRUB installed) that it finds.

So a basic sequence of things you would do:

1. Boot into your linux install and install the grub bootloader onto the linux drive/partition
2. Boot into windows recovery console (winxp cd) and restore the default bootloader (fixboot/fixmbr)
3. Take cd out and boot up normally – grub should be gone and you will get into windows.
4. Run truecrypt and encrypt windows partition
5. Next time you boot up, TC bootloader is there and you can boot straight into windows or grub/linux.

Hope this answers your question!

John: Thanks a lot, –=John=–

Hope this helps anyone else as well  =) – Glen

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

By far the most time consuming and painful task has been configuring samba / kerberos for AD. Given that this is mostly because of my inexperience in this area: but the entire process seems a lot more painful than it should be. Next time around will certainly be smoother, mostly through what I’ve learned about the available tools such as kinit and net.

Some gotchas:

AllowGroups in sshd_config gave me more hassle than it should have.

Firstly, AllowGroups is CASE sensitive in a funky manner. What I mean by this is, regardless of the actual case of the group according to the active directory, it only works for sshd if the group is specified all lowercase. If not, the group isn’t recognised.

It took me a while to figure out the next reason AllowGroups was not working: it didn’t like co-existing with AllowUsers. To my mind this is a no-brainer, both directives should work. However, once I commented out AllowUsers, the groups started authenticating properly. To maintain access for my local admin users, I added their local group to AllowGroups, so AllowUsers is no longer required.

A puzzlement with account creation which was pretty funny when I discovered the reason: I had left the session PAM module active for samba: every user who browsed the samba share was being created a user account. I twigged to this when I accessed it myself and watched local accounts created both for my user account and my workstation account. Since I don’t want accounts created via samba I split the session, auth, account sections off into seperate PAM files for finer control and made sure samba wasn’t using session anymore.

Once the assorted hassles with AD auth are sorted and behaving as planned, I’ll actually be able to get started on some of the other items in the list. When its all done I’m certainly going to generate some fat HOWTO documentation for my department to east the struggles of the next tech who needs to deal with it.

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

Firstly, as this box is to be shell-accessible by students, it needs to be as idiot-proof as possible while still allowing reasonable access to a development environment. This means limitations on runaway forks, inode creation, et cetera.

This machine will need to authenticate and create users based on pre-existing groups in the Active Directory. As we do not have schema access there will be no installation of extensions to the AD for unix support. I am personally against this approach anyway: For simple authentication of users, directly modifying the AD schema seems excessive.

Security is also another fairly prominent concern : I am well aware that once a potentially malicious (or simply curious) user has access to a local account, without appropriate countermeasures and vigilance by the keepers of root, a security breach is quite likely. One of the core study streams at the School of Computer and Information Science where I work is Computer and Network Security: consequently we have a number of potential users fairly au-fait in that area: so adequate security on a system they will be accessing is quite important.

Security concerns currently on my list:

• Preventing local system exploits
• Constraining system resource abuse
• Preventing unauthorised network access*

* As this machine will have internet access outside the firewall scope of other networks accessible to the students (wireless, computer labs etc) an important consideration is preventing its use to circumvent network access restrictions (for example via a userland proxy or chat bot, or unrestricted SMTP). As the development machine is located in a secure DMZ, compromise from the outside due to an insecure listening process of some kind started either accidentally or maliciously by a user is of less concern to interneal network security in general, but measures should still be taken to prevent this sort of thing.

For the time being, no X environment is required, which will save me some work in the short term until I can look at it later in the ‘optional extras’ category.

Items on the agenda to setup:

• User Authentication and auto local account / home directory creation via Active Directory
• C dev environment
• Tomcat based java dev environment
• Access via: SSH, FTP, HTTP, SMB (latter 2 with intelligently mapped user paths)
• Local system firewalling according to security policy
• Auditing of local user logins
• Tripwire integrity auditing
• Backups of config, tripwire db, user homes, and MSQL db to active directory based server

In Part 2 I will cover a few of the items in the list including User Auth via AD, C Dev environment, SSH setup, and any incidentals I encountered along the way.

Visit glenscott.net for more content. Some rights reserved: Except where specified otherwise, the content of this feed is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.