Tuesday, September 29, 2009

Command Line TrueCrypt Volume Creation Using ext3 filesystem

The current Linux version of TrueCrypt (version 6.2a) seems to have a bug that does not allow the creation of an ext3 TrueCrypt volume directly from the TrueCrypt command line. The following script provides a workaround, as well as a reasonably friendly user interface (as text-based interfaces go!).

#!/bin/sh

#
# this script creates a truecrypt file container. the script requires
# five parameters:
#
#   - size in GBytes. A 4 GByte container is specified by '4'.
#   - entropy source. This will usually be /dev/random or /dev/urandom
#   - filename. Path and filename of container (ex: /data/secure1.tc)
#   - mount point. Where the container will be mounted (ex: /mnt/tc)
#   - keyfile. Path and filename of the keyfile to be used (ex: /root/key)
#
# note that /dev/random is a blocking device - i.e. it will wait to
# generate random numbers until there is sufficient entropy in the
# system to ensure security. if a blocking device is used, the user
# will probably need to generate entropy by typing random characters
# in a file until /dev/random receives sufficient data.
#
# initially developed and tested on Fedora 10
#

if [ "$(id -u)" -ne 0 ]; then
    echo
    echo "This script must be run as root. Exiting..."
    echo
    exit 1
fi

if [ $# -ne 5 ]; then
    echo
    echo "usage: $0 size(GB) entropy-src filename mnt-point keyfile"
    echo
    echo "For example, to create a 4GB truecrypt file container using"
    echo "the /dev/random RNG at /data/secure.tc and mount it on"
    echo "/mnt/tc with the keyfile /root/thekey, do the following:"
    echo
    echo "$0 4 /dev/random /data/secure.tc /mnt/tc /root/thekey"
    echo
    exit 1
fi

GBSIZE=${1}
ENTROPY=${2}
VOL=${3}        # use an absolute path; it is matched against truecrypt's list output below
MNT=${4}
KEY=${5}

# generate the size of the container in bytes

SIZE=$(echo "${GBSIZE}*(2^30)" | bc)

# unmount anything that is on the designated mount point

truecrypt -t -d "$MNT" 2> /dev/null

# create a truecrypt file container using the designated key, size,
# and volume location. Create a FAT volume but we'll overwrite it
# later with an ext3 filesystem (have to do this because truecrypt
# won't allow the direct creation of an ext3 container from the
# command line).

if [ "$ENTROPY" = "/dev/random" ]; then
    echo
    echo "You have selected a blocking entropy source. This means that"
    echo "the creation of the truecrypt file container will wait until"
    echo "there is enough randomness in the system to secure the"
    echo "encryption keys. If the file container creation process does"
    echo "not start immediately, open up a file (e.g. /tmp/barney) and"
    echo "begin to type random characters until the progress indicator"
    echo "appears."
    echo
    printf "Hit the Enter key to continue..."
    read dummy
    echo
fi

truecrypt -t \
    --create \
    --keyfiles="$KEY" \
    --password="" \
    --volume-type=normal \
    --size="${SIZE}" \
    --encryption=AES \
    --hash=SHA-512 \
    --filesystem=FAT \
    --random-source="${ENTROPY}" \
    "$VOL"

if [ "$?" != "0" ]; then
    echo
    echo "Truecrypt container creation failed."
    echo
    exit 1
fi

# mount the newly created truecrypt container

truecrypt -t -k "$KEY" -p "" --protect-hidden=no "$VOL" "$MNT"
if [ "$?" != "0" ]; then
    echo
    echo "Initial mount of newly created truecrypt container failed. Exiting..."
    echo
    exit 1
fi

# find the /dev/mapper device that truecrypt assigned to this volume.
# the list output is "slot: volume mapper-device mount-point", so match
# on the volume path rather than taking the first line, in case other
# containers are mounted at the same time.

mapper=$(truecrypt -t -l | awk -v vol="$VOL" '$2 == vol { print $3 }')
if [ -z "$mapper" ]; then
    echo
    echo "Cannot find the device-mapper node for $VOL. Exiting..."
    echo
    truecrypt -t -d "$VOL"
    exit 1
fi

# create an ext3 filesystem on the /dev/mapper device (the FAT filesystem
# must be unmounted first, but the truecrypt device stays mapped)

umount "$MNT"
if ! mkfs.ext3 "$mapper"; then
    echo
    echo "mkfs.ext3 on $mapper failed. Exiting..."
    echo
    truecrypt -t -d "$VOL"
    exit 1
fi

# dismount and then remount to use the new filesystem

truecrypt -t -d "$VOL"
truecrypt -t -k "$KEY" -p "" --protect-hidden=no "$VOL" "$MNT"
if [ "$?" != "0" ]; then
    echo
    echo "Cannot mount ext3 truecrypt container. Exiting..."
    echo
    exit 1
fi

echo
echo "The truecrypt container was successfully created and mounted."
echo
exit 0
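Two of the script's weak spots are worth hardening separately: the size argument goes straight from the command line into bc and into --size without any validation, and the device-mapper lookup assumes exactly one container is mounted. The helper functions below are an added example, not part of the original script; they run over a constructed sample of `truecrypt -t -l` output (whose "slot: volume mapper-device mount-point" column layout is assumed from the script's own `cut` usage), so they can be tried without TrueCrypt installed.

```shell
#!/bin/sh
# Added example (not from the original post): two helpers for the
# container-creation script above.
#
#  tc_size_bytes        validates the size argument and converts GB to bytes
#                       with shell arithmetic (no bc dependency, rejects junk)
#  tc_mapper_for_volume picks the /dev/mapper node belonging to ONE volume
#                       out of `truecrypt -t -l` output, so a second mounted
#                       container cannot make mkfs.ext3 hit the wrong device

# Usage: tc_size_bytes <size-in-GB>
# Prints the size in bytes; returns 1 unless the argument is a positive integer.
tc_size_bytes() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;      # empty, or contains a non-digit
    esac
    [ "$1" -gt 0 ] || return 1
    # 1 GiB = 2^30 = 1073741824 bytes
    echo $(( $1 * 1073741824 ))
}

# Usage: truecrypt -t -l | tc_mapper_for_volume <volume-path>
# Assumed list format: "slot: volume-path mapper-device mount-point".
# Prints the mapper device whose volume path matches exactly; returns 1 if none.
tc_mapper_for_volume() {
    dev=$(awk -v vol="$1" '$2 == vol { print $3; exit }')
    [ -n "$dev" ] || return 1
    echo "$dev"
}

# Constructed sample of `truecrypt -t -l` output with two mounted containers
# (the script's original `cut -f3` would have returned both mapper devices).
SAMPLE_LIST='1: /data/other.tc /dev/mapper/truecrypt1 /mnt/other
2: /data/secure1.tc /dev/mapper/truecrypt2 /mnt/tc'

# Demonstration on the sample; in the script the input would come from truecrypt itself.
if dev=$(printf '%s\n' "$SAMPLE_LIST" | tc_mapper_for_volume /data/secure1.tc); then
    echo "mkfs.ext3 would run on: $dev"
fi
echo "4 GB is $(tc_size_bytes 4) bytes"
```

In the script, `SIZE=$(tc_size_bytes "$GBSIZE") || exit 1` replaces the bc pipeline, and `mapper=$(truecrypt -t -l | tc_mapper_for_volume "$VOL") || exit 1` replaces the cut. Because the match is on the exact volume path, pass the same absolute path to the script that TrueCrypt will print in its listing.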


Wednesday, September 23, 2009

Hide Users on a Fedora 10 Login Screen

You may want to hide the login IDs of users on systems for privacy or security reasons. Although this is possible, the command is very unwieldy. Here's how you do it for Fedora 10.

gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --direct --type bool --set /apps/gdm/simple-greeter/disable_user_list true

Ugly, but it works.


Saturday, September 19, 2009

NTP Server & Client Configs on Fedora 10

On the server, ensure that there is the following line in the /etc/hosts file:
127.0.0.1 localhost
Also ensure that port 123/UDP is open.

Then edit the /etc/ntp.conf file to look like this:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org dynamic
#server 1.fedora.pool.ntp.org dynamic
#server 2.fedora.pool.ntp.org dynamic

driftfile /var/lib/ntp/drift

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

On the server, enter:
chkconfig ntpd on
service ntpd start
Then, set the date correctly on the server (date MMDDhhmm).

On the client, ensure that there is the following line in the /etc/hosts file:
127.0.0.1 localhost


Edit the /etc/ntp.conf file to look like this, assuming that the local NTP server we just set up is named barney with an IP address of 10.8.0.1:


# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/drift

# Hosts on local network are less restricted.
restrict barney mask 255.255.255.0 nomodify notrap
server barney

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

On the client, enter:
chkconfig ntpd on
service ntpd start
If there is a large difference in times, you can quickly bring the client into close sync with the time server by typing:
ntpdate barney
You can see if the client is being updated by using the command:
watch ntpq -p
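Watching `ntpq -p` by eye works on one box; for a fleet you want the same two questions answered by a script: has ntpd actually selected a peer, and does the `restrict default` line still deny remote control and status queries? The functions below are an added example, not part of the original post. They read from stdin so they can be fed live output or the constructed samples included here; the `ntpq -p` column order (remote, refid, st, t, when, poll, reach, delay, offset, jitter) is the standard one, and the '*' prefix marks the selected peer.

```shell
#!/bin/sh
# Added example (not part of the original post): two checks for the NTP
# setup described above, written as functions over stdin.
#
#  ntp_sync_peer   parses `ntpq -p` output and prints "<peer> <offset>" for
#                  the peer ntpd has selected (the line marked '*'); fails
#                  if no peer is selected yet (reach still 0, server
#                  unreachable, or the clock is too far off to be accepted)
#  ntp_restrict_ok reads an ntp.conf and succeeds only if the IPv4
#                  "restrict default" line carries both nomodify and noquery,
#                  i.e. remote hosts can get time but cannot reconfigure
#                  ntpd or use it as an information source

ntp_sync_peer() {
    # ntpq -p columns: remote refid st t when poll reach delay offset jitter
    awk '/^\*/ { sub(/^\*/, "", $1); print $1, $9; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

ntp_restrict_ok() {
    awk '$1 == "restrict" && $2 == "default" &&
         /nomodify/ && /noquery/ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Constructed `ntpq -p` output from a client locked on to barney; barney
# serves its local clock at stratum 10, so the client sees it as stratum 11.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*barney          LOCL.           11 u   42   64  377    0.312   -1.234   0.456'

# Constructed `ntpq -p` output right after ntpd starts: nothing selected yet.
SAMPLE_NTPQ_COLD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 barney          .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed ntp.conf fragments: the restrict line used above, and a
# weakened one with the query/modify protections dropped.
SAMPLE_CONF_GOOD='restrict default kod nomodify notrap nopeer noquery
server barney'
SAMPLE_CONF_BAD='restrict default kod notrap nopeer
server barney'

# Live use:  ntpq -p | ntp_sync_peer      ntp_restrict_ok < /etc/ntp.conf
if peer=$(printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_peer); then
    echo "synchronised to: $peer"
fi
printf '%s\n' "$SAMPLE_CONF_BAD" | ntp_restrict_ok || echo "restrict default is too permissive"
```

A client that never gets a '*' line after a few poll intervals usually has a clock too far from the server for ntpd to step it, which is exactly the case for the `ntpdate barney` step above; run ntpdate with ntpd stopped, since both want UDP port 123.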



Friday, September 18, 2009

RPM & YUM tricks



So you're building a complex system that requires installing many software packages in RPM format and you keep having problems with dependencies, conflicts, and who knows what else. Here are some handy RPM commands that might come in useful.

# extract the contents of an RPM into the current directory
rpm2cpio packagename.rpm | cpio -idv

# list the files contained in an RPM file
rpm -qpl packagename.rpm

# install (or upgrade) all the RPMs in the current folder
rpm -U *.rpm

# don't install, but print out what would happen
rpm -i --test package1.rpm package2.rpm ...

# replace existing files owned by another package even if there is a conflict
rpm -i --replacefiles packagename.rpm

# remove the 'n' most recently installed RPMs. The example below removes the last 15.
rpm -qa --last | head -15 | cut -d" " -f 1 | xargs rpm -e

# test a group of RPMs for missing dependencies (or other problems)
# against an empty scratch database; "is needed by" errors definitely
# need to be resolved
mkdir /tmp/testdb
rpm --initdb --dbpath /tmp/testdb
cd /path/to/packages
rpm --test --dbpath /tmp/testdb -Uvh *.rpm
rm -rf /tmp/testdb

# save the RPMs that are downloaded and installed by yum:
# edit the /etc/yum.conf file and change (or insert) keepcache=1

# download only (don't install) RPMs using yum
yum install yum-downloadonly
yum update somepackage --downloadonly
yum update somepackage --downloadonly --downloaddir=/tmp/newpkgs
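The scratch-database dependency test above is the one you end up running repeatedly, so it is worth wrapping in a function that always cleans up its temporary database and turns rpm's "Failed dependencies" chatter into a short list. The code below is an added example, not from the original post; the rpm error output it parses is a constructed sample in the format rpm prints ("<capability> is needed by <package>"), so the parser can be tried without rpm installed, while `rpm_depcheck` itself needs rpm and a directory of packages.

```shell
#!/bin/sh
# Added example (not part of the original post): the "test a group of RPMs"
# recipe above as a function with guaranteed cleanup, plus a parser for
# the resulting dependency errors.
#
#  rpm_missing_deps  reads rpm output from stdin and prints each unresolved
#                    capability once; returns 1 if anything was missing,
#                    0 if the output contained no dependency errors
#  rpm_depcheck      dry-runs the upgrade of every RPM in a directory
#                    against a fresh empty database and removes the
#                    database afterwards, even if interrupted

rpm_missing_deps() {
    # error lines look like: "<tab>capability is needed by package-version"
    awk '/ is needed by / {
             sub(/^[ \t]+/, "")
             sub(/ is needed by .*$/, "")
             if (!seen[$0]++) { print; n++ }
         }
         END { exit n ? 1 : 0 }'
}

# Usage: rpm_depcheck /path/to/packages
# The body runs in a subshell so the EXIT trap only covers this call.
rpm_depcheck() (
    db=$(mktemp -d /tmp/testdb.XXXXXX) || exit 1
    trap 'rm -rf "$db"' EXIT
    rpm --initdb --dbpath "$db" || exit 1
    rpm --test --dbpath "$db" -Uvh "$1"/*.rpm 2>&1 | rpm_missing_deps
)

# Constructed sample of rpm's error output for two packages in the group;
# the same missing library is reported once per dependent package.
SAMPLE_RPM_ERR='Preparing...                ##########################
error: Failed dependencies:
	libfuse.so.2()(64bit) is needed by example-app-1.0-1.fc10.x86_64
	wxGTK >= 2.8 is needed by example-app-1.0-1.fc10.x86_64
	libfuse.so.2()(64bit) is needed by example-tool-2.1-3.fc10.x86_64'

# Demonstration on the sample; live use is:  rpm_depcheck /path/to/packages
printf '%s\n' "$SAMPLE_RPM_ERR" | rpm_missing_deps || echo "(unresolved dependencies listed above)"
```

Because the database starts empty, the list will include everything the group expects from the base system (glibc and friends) as well as what is genuinely missing from the group; comparing two runs, with and without a candidate package added to the directory, is the quickest way to tell the two apart.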


Root is read-only?

When you're doing serious work on Linux, sometimes things get broken and need to be fixed. If that something involves disks, you might be greeted with a screen at boot that says that there is a problem and that you should "Give root password for maintenance (or type Control-D for normal startup)". But when you type your root password and get the shell prompt, you can't do anything because the root filesystem is mounted read-only. For instance, you might need to edit /etc/fstab or another configuration file to remove or comment out an offending line, but you can't save your changes because root is read-only. The command to fix this is simple:

mount -n -o remount -t ext3 /dev/sda3 /

Remember to enter the correct filesystem type (ext3 in this example) and the correct disk partition (/dev/sda3 in this example) and your problem should be solved.
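Guessing the partition and filesystem type from memory at a maintenance prompt is error-prone, and the kernel already knows both. The functions below are an added example, not part of the original post: they read a /proc/mounts-style listing (assuming /proc is mounted, which the maintenance shell normally has) and derive the remount command from it. The listing used here is constructed to include the `rootfs` placeholder entry that appears on systems booted through an initramfs, which a naive "first line mounted on /" lookup would return by mistake.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the root device
# and filesystem type from /proc/mounts instead of typing them at the
# maintenance prompt.
#
#  root_fs_info          prints "<device> <fstype>" for the filesystem
#                        mounted on /, ignoring the initramfs "rootfs"
#                        placeholder and taking the last (effective) entry
#  root_is_readonly      succeeds if that filesystem is currently mounted ro
#  remount_root_rw_cmd   prints the remount command to run
# All three read a /proc/mounts-style listing from stdin.

root_fs_info() {
    awk '$2 == "/" && $3 != "rootfs" { dev = $1; type = $3 }
         END { if (dev == "") exit 1; print dev, type }'
}

root_is_readonly() {
    # the options field is comma separated and starts with rw or ro
    awk '$2 == "/" && $3 != "rootfs" { split($4, o, ","); ro = (o[1] == "ro") }
         END { exit ro ? 0 : 1 }'
}

remount_root_rw_cmd() {
    info=$(root_fs_info) || return 1
    set -- $info
    # rw is given explicitly: with /etc/fstab possibly being the broken
    # file, do not rely on mount re-reading options from it
    echo "mount -n -o remount,rw -t $2 $1 /"
}

# Constructed /proc/mounts listing from a maintenance shell: rootfs
# placeholder first, the real root mounted read-only, then the rest.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda3 / ext3 ro,relatime,errors=continue,data=ordered 0 0
proc /proc proc rw,relatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0'

# Demonstration on the sample; live use is:  remount_root_rw_cmd < /proc/mounts
if printf '%s\n' "$SAMPLE_MOUNTS" | root_is_readonly; then
    echo "root is read-only; to fix: $(printf '%s\n' "$SAMPLE_MOUNTS" | remount_root_rw_cmd)"
fi
```

At the prompt, `remount_root_rw_cmd < /proc/mounts` prints the command with the right device and type filled in; review it and then run it (or wrap it in `eval` once you trust it).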


Friday, September 4, 2009

Compiling & Installing Truecrypt on Fedora 10

Truecrypt is a powerful, multi-platform encryption tool. However, only openSUSE and Ubuntu packages are available for download at the Truecrypt web site. Those with other distributions must compile it themselves. This tutorial covers compiling and installing Truecrypt on Fedora 10 and assumes starting from a base OS install.
  1. Download the Truecrypt source code from http://www.truecrypt.org/downloads2 (Mac OS X / Linux tar.gz file).
  2. Copy the downloaded file to a folder of your choice and extract it: tar xzf truecrypt-file.tar.gz
  3. cd into the new source code directory
  4. Download the crypto header files by doing the following:
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11.h
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h
    wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h
  5. Make sure the necessary packages (and their dependencies) are installed:
    yum install gcc-c++ fuse-devel wxGTK-devel
  6. make
  7. If successful, the truecrypt executable should be in the Main folder. Move the executable to /usr/bin: mv Main/truecrypt /usr/bin (must be root)
You may want to install the truecrypt executable on other computers without having to compile it on each one. There may be occasions where you don't have web access to download the packages that truecrypt depends on. Fortunately, the number of software packages that truecrypt needs at run time is much smaller than the number needed to compile it.

In addition to the newly compiled truecrypt executable, you will need to include three software packages in the installation package:
  • SDL
  • wxGTK
  • wxBase
Normally, the RPM files are not saved when installed by yum. This behavior can be changed by editing the /etc/yum.conf file and adding (or changing) the line "keepcache=1". Then, when installing (yum install SDL wxGTK wxBase), the RPMs are saved in the yum cache. The new RPMs can be in one of two cache locations:
  • /var/cache/yum/fedora/packages
  • /var/cache/yum/updates/packages
Once you have a compiled truecrypt executable and three RPMs, you can pop them on a thumb drive and install them on any other Fedora 10 computer by:
  • Copying the truecrypt executable to /usr/bin
  • yum install SDL...rpm wxBase...rpm wxGTK...rpm
Where the complete filenames for the SDL wxBase and wxGTK RPM files are listed.
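The three-package list above was worked out by hand for one build; a different Fedora point release, a different wxGTK version or a rebuilt binary can change it. The way to check it rather than trust it is to ask the linker which shared libraries the binary actually resolves and which packages own them. The code below is an added example, not part of the original post; the `ldd` output it parses is a constructed sample in ldd's usual three line shapes, so `ldd_libs` can be tried anywhere, while `runtime_rpms` assumes the compiled binary, `ldd` and `rpm -qf` are available on the build machine.

```shell
#!/bin/sh
# Added example (not part of the original post): work out which RPMs the
# compiled truecrypt binary needs at run time.
#
#  ldd_libs      parses `ldd <binary>` output read from stdin and prints the
#                path of every shared library that was resolved, skipping
#                the vDSO pseudo-entry; "not found" entries are reported on
#                stderr and make the function return 1
#  runtime_rpms  maps those paths to their owning packages with `rpm -qf`,
#                giving the list of RPMs to copy along with the executable

ldd_libs() {
    # line shapes produced by ldd:
    #   linux-vdso.so.1 =>  (0x...)                  virtual, no file: skip
    #   libfuse.so.2 => /lib64/libfuse.so.2 (0x...)  take field 3
    #   /lib64/ld-linux-x86-64.so.2 (0x...)          take field 1
    #   libfoo.so.9 => not found                     unresolved: flag it
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $2 == "=>" && $3 == "not" { missing++; print "missing: " $1 > "/dev/stderr"; next }
         $1 ~ /^\// { print $1 }
         END { exit missing ? 1 : 0 }'
}

# Usage: runtime_rpms /usr/bin/truecrypt
runtime_rpms() {
    ldd "$1" | ldd_libs | xargs rpm -qf | sort -u
}

# Constructed `ldd` output for a wxGTK-linked binary (library names follow
# the wxWidgets 2.8 naming scheme; addresses are made up).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a1ff000)
    libfuse.so.2 => /lib64/libfuse.so.2 (0x00007f1b2c000000)
    libwx_baseu-2.8.so.0 => /usr/lib64/libwx_baseu-2.8.so.0 (0x00007f1b2bc00000)
    libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007f1b2b800000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1b2b400000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1b2c400000)'

# Demonstration on the sample; live use is:  runtime_rpms /usr/bin/truecrypt
printf '%s\n' "$SAMPLE_LDD" | ldd_libs
```

Packages that are part of every base install (glibc, libstdc++) will show up in the output as well; what matters is anything beyond them, which on the author's Fedora 10 build came down to SDL, wxGTK and wxBase. A "missing:" line on the build machine means the binary would not even start there, so fix that before packaging.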
