Using a Yubikey for account security

I got a Yubikey 4 half a year ago (during Red Hat Summit 2016), but until now I didn’t do much with it. Time to change that ;)

If you have any more ideas on how to use the Yubikey, feel free to comment!

Also, if you’re not using two-factor authentication yet, I urge you to start using it. It gives you a nice additional layer of account security, with limited hassle. It doesn’t even have to cost you any money if you’re using a software solution. Check out twofactorauth.org for a (non-comprehensive) list of sites that support it!


Replacing Crashplan

I’ve been a longtime user of Crashplan, an easy-to-use cloud backup solution. It works well, and it used to work on nearly any platform that had a Java run-time and some add-on open-source libraries. I’ve used it for some time on my Raspberry Pi to automatically back up my data to the cloud. (Crashplan on ARM, the architecture of the Raspberry Pi, is an unsupported configuration though.)

Used to work, past tense.

Code42 (the company behind Crashplan) decided to incorporate a new library (libc42archive.so) in the latest update of their client, version 4.8, which has no ARM counterpart. Only x86 (and amd64) architectures are supported, removing a lot of devices which were able to run Crashplan from the list. No source code is available, so this is basically a call to stop using Crashplan on anything other than Intel-compatible architectures. Bleh.
(I opened a support ticket to ask them to restore compatibility, but I’m not holding my breath for it)

I was able to keep it alive for some time by downgrading back to version 4.7 and making the upgrade directory immutable, but it seems that this trick has run its course. The client needs to be version 4.8 or you aren’t allowed to connect to the Crashplan back-end.

So, I needed a new solution. One with the requirements of being open source (I don’t want to run into that issue again), offering client-side encryption and incremental-forever style backups. Being able to be stored in the cloud was a no-brainer. After some testing of various tools, I ended up with the following combination:

While Crashplan offered immediate push to the cloud, the workflow is now somewhat different: every day a script is triggered (via cron), which executes borgbackup against a USB-connected harddisk for my local (and optionally NFS-shared) data. This allows for fast backups, fast deduplication, and encryption. No data leaves my network at this point.
When all backups are done, the encrypted repository is synced (using rclone) to Backblaze B2, bringing my offsite backup in sync with the local repository.

Using an intermediate USB harddisk is not ideal, but it gives me yet another copy of my data – which is convenient when I’ve just deleted a file that I really did want to keep.

To give you an idea about the compression and deduplication statistics:

                       Original size      Compressed size    Deduplicated size
All archives:                1.10 TB              1.07 TB            446.63 GB

1.10TB is compressed to 1.07TB, and this results in an archive of 446GB. Less than half ;)

To be able to find a file that has been deleted at some point, you can use borgbackup mount :: /<mountpoint> – this will mount the entire repository (using FUSE) on that directory, making it available for browsing. Don’t forget to unmount it using fusermount -u /<mountpoint> when you’re finished.

I’ve uploaded the script to my scripts repository on GitHub.

Running crashplan (headless) on a Raspberry pi 2

In my grand scheme of “abuse all the low-power computing things!”, I’ve moved my crashplan backups over to the Raspberry Pi 2 (rpi2 for short). Installation is relatively painless: download the installer from the crashplan site, and unpack and execute. I installed mine under /opt/crashplan.

Afterwards, there are some things to fix, though, as by default Crashplan is only supported on the Intel architecture:

Install a working JRE (& dependencies for the GUI app should you want to launch it through X forwarding):
apt-get install oracle-java8-jdk libswt-gtk-3-jni libswt-cairo-gtk-3-jni
rm /opt/crashplan/jre; ln -s /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/ /opt/crashplan/jre
rm /opt/crashplan/lib/swt.jar; ln -s /usr/share/java/swt.jar /opt/crashplan/lib/swt.jar

Replace some libraries with their recompiled variants – you can compile them yourself (thanks to Jon Rogers for the instructions) or download them straight from his site if you’re lazy.
wget http://www.jonrogers.co.uk/wp-content/uploads/2012/05/libmd5.so -O /opt/crashplan/libmd5.so
wget http://www.jonrogers.co.uk/wp-content/uploads/2012/05/libjtux.so -O /opt/crashplan/libjtux.so

Add a library to the CrashplanEngine startup classpath:
sed -i 's|FULL_CP="|FULL_CP="/usr/share/java/jna.jar:|' /opt/crashplan/bin/CrashPlanEngine
And now you should be able to start your engine(s)!
/opt/crashplan/bin/CrashPlanEngine start
And the desktop app (which you can forward to your local Linux pc via ssh -X user@rpi2)
/opt/crashplan/bin/CrashPlanDesktop
This does take forever to start, but it works. Or you can use these instructions (from Crashplan Support) to administer it remotely.

ASUS UX305UA and Linux

The ASUS UX305UA is an ultrabook with the Skylake microarchitecture – the (as of writing) latest iteration in Intel processors. Unfortunately, Skylake support on Linux wasn’t really a given at the time the device got released. Fortunately it’s gotten a lot better of late.

After searching and reporting some bugs to the Debian Bugtracker, nearly everything works out of the box on Debian Sid (unstable), and probably soon on Stretch (current testing). So if you’re installing a new one now, I’d really suggest you go for Sid instead.

After installing the base system via a netinstall image, you’ll probably end up with a Stretch (testing) installation with a 4.3 kernel. This will not really work when rebooting, giving you a black screen. To solve that, boot with

i915.preliminary_hw_support=1 i915.modeset=0

on the kernel command line.

After this, I’d recommend adding a line for unstable and experimental to your apt sources:

# echo "deb http://httpredir.debian.org/debian/ unstable main contrib non-free" > /etc/apt/sources.list.d/unstable.list
# echo "deb http://httpredir.debian.org/debian/ experimental main contrib non-free" > /etc/apt/sources.list.d/experimental.list

and then upgrading your system to the latest unstable:
# apt-get update && apt-get dist-upgrade
This will result in you getting a linux-4.5 kernel and a boatload of updated drivers (e.g. Xorg).

Next, upgrade even further: scary experimental mode on! This you’ll need to do manually (experimental never auto-upgrades, because of the possible breakage that might be caused):

First, find out the latest kernel

# apt-cache search linux-image-4 | grep amd64
linux-headers-4.5.0-1-amd64 - Header files for Linux 4.5.0-1-amd64
linux-image-4.5.0-1-amd64 - Linux 4.5 for 64-bit PCs
linux-image-4.5.0-1-amd64-dbg - Debugging symbols for Linux 4.5.0-1-amd64
linux-headers-4.6.0-rc3-amd64 - Header files for Linux 4.6.0-rc3-amd64
linux-image-4.6.0-rc3-amd64 - Linux 4.6-rc3 for 64-bit PCs
linux-image-4.6.0-rc3-amd64-dbg - Debugging symbols for Linux 4.6.0-rc3-amd64
linux-image-4.5.0-1-amd64-signed - Signatures for Linux 4.5.0-1-amd64 kernel and modules
linux-headers-4.4.0-1-grsec-amd64 - Header files for Linux 4.4.0-1-grsec-amd64
linux-image-4.4.0-1-grsec-amd64 - Linux 4.4 for 64-bit PCs, Grsecurity protection

As you can see above, 4.6.0-rc3 is available, but since it’s a prerelease kernel it’s not automatically installed. We want it, and with it, a bunch of firmware packages (to make sure we have the latest)
# apt-get install -t experimental linux-image-4.6.0-rc3-amd64 firmware-linux firmware-iwlwifi firmware-misc-nonfree intel-microcode
For good measure, you can even throw the latest iwlwifi firmware (not packaged yet in Debian) in the mix (found on GitHub):
# wget https://github.com/OpenELEC/iwlwifi-firmware/raw/master/firmware/iwlwifi-7265D-21.ucode -O /lib/firmware/iwlwifi-7265D-21.ucode
Next, reboot, and things should look a lot better already. Right now everything will work, except:

  • screen brightness buttons (Fn-F5 Fn-F6 Fn-F7). This requires (for now) this patch from kernel bugreport 98931. (Debian bugreport: 818494)
  • Screen auto brightness/ambient light (Fn-A): you can use the driver from GitHub
  • Disable-touchpad button (Fn-F7): you can use any old script, really. Just call synclient TouchpadOff=1 and it’s off (and =0 for on).

Replacing OS X with Linux on my Mac Mini 2,1

I still had an old Mac Mini (model 2,1) – which I bought during a period of experimentation with different operating systems –  connected to the TV, running Mac OS X Lion. Not Apple’s finest installment of OS X, truth be told.

The reasons I wanted to get rid of it:

  • Apple stopped providing updates for it. Not fantastic from a security point of view.
  • They also managed to actually break VNC for anything except the OS X client
  • TeamViewer takes up a ridiculous amount of CPU power on OS X
  • You can’t turn off the Mac Mini using the power button, it goes to sleep, and it can’t be reprogrammed.
  • It’s just .. sooo… slooooooooow

The only thing the device is used for is

  • iTunes to manage an iPod classic, and to auto-rip newly bought CD’s
  • Using Videostream to cast movies to our Chromecast
  • Playing music from the audio library to the connected amplifier

Not much, really. So, in the end, being tired of the general slowness of the device, I bit the bullet, exchanged the old 80GB hard disk with a newer and bigger model, and went on the journey to install Debian on it.

So, the road to success was:

  1. download the multiarch network install CD image, burn it to a CD. 1
    Why multi-arch, you might ask? Why not use the x86_64 (64-bit) install image, as the Intel Core2Duo is capable of handling this? Because Apple, in all their wisdom, decided to include a 32-bit EFI with a CPU capable of handling 64-bit code. So you get a bit of a schizophrenic situation. The multiarch CD image supports both 32-bit and 64-bit (U)EFI, and hence, it works for this device.
  2. boot from said CD (press and hold the ALT button as soon as the grey screen appears on your Mac)
  3. profit!

I installed:

All in all it works rather nicely. The only problem I ran into was with respect to the iPod management, which was solved by resetting the iPod with iTunes for Windows, which formatted the device as VFAT (https://en.wikipedia.org/wiki/File_Allocation_Table#FAT32) instead of Mac OS’ HFS+.

  1. note that this link points to the daily built CD images, which might or might not be broken at any given day

Managing TP-Link easy smart switches from Linux

I’ve recently acquired some TP-Link ‘Easy Smart’ managed switches – cheap, decently built (metal casing), and a lot of features above the usual unmanaged stuff:

  • Effective network monitoring via Port Mirroring, Loop Prevention and Cable Diagnostics
  • Port and tag-based QoS enable smooth latency-sensitive traffic
  • Abundant VLAN features improve network security via traffic segmentation
  • IGMP Snooping optimizes multicast applications

Unfortunately, it uses a Windows application to manage the switches – the 5 and 8 port varieties don’t have a usable built-in web server to manage them. Luckily, there’s a way to make that still work on Linux ;) as it seems that it’s just a JavaFX application. The only thing you’ll ever need a Windows installation for (or use Wine) is to install the actual application.

After installation, you’ll find a file called “Easy Smart Configuration Utility.exe” in the installation path. Copy that to your Linux installation, rename it to .jar, and you’re good to go.

To run it, you’ll also need the Oracle Java distribution, as JavaFX is not yet part of OpenJDK. Install that in your distribution of choice, and you’ll be able to start the application using java -jar "Easy Smart Configuration Utility.jar" and it’ll start right up.


Unfortunately, it doesn’t work out of the box: the tool doesn’t find any devices on the network, even though they are there.
Checking with netstat, the tool bound itself to UDP port 29809 on the local IP address.

$ PID=$(pgrep -f "java -jar Easy Smart Configuration Utility.jar"); netstat -lnput | grep -e Proto -e $PID

Proto  Recv-Q  Send-Q  Local Address            Foreign Address  State  PID/Program name 
udp6   0       0       [your ip address]:29809  :::*                    28529/java

Checking with tcpdump showed that the traffic was returning, but since our tool is only listening on the local IP, and not on the UDP broadcast address, it never sees anything.

# tcpdump udp port 29809
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:35:48.652235 IP [your ip address].29809 > 255.255.255.255.29808: UDP, length 36
09:35:48.961586 IP [switch ip address].29808 > 255.255.255.255.29809: UDP, length 159

It seems the tool binds to the local IP instead of the ‘any’ address, 0.0.0.0, so you need to locally forward the traffic incoming on the port to your local IP. To do this, execute this command (and/or add it to your local firewall script):

# iptables -t nat -A PREROUTING -p udp -d 255.255.255.255 --dport 29809 -j DNAT --to [your ip address]:29809

And don’t forget to enable IP forwarding:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Now you should be able to find and configure the switches in your local network.

OpenWRT, Atheros & channel availability

If you’re living outside the US, and you’re using OpenWRT (a fantastic third-party open-source firmware for many routers), you might have noticed that not all the WiFi channels which are legally allowed in your region are actually available for you to choose from.

This is a known issue, and stems from the fact that the OpenWRT images are built without CONFIG_ATH_USER_REGD=y (which allows overriding the WiFi card’s built-in default regulatory domain), so that the builds are compliant with the regulations of the US. (see trac ticket 6923)
If you pick another region in the settings, the ROM will pick the most restrictive of the two – in my case this means that WiFi channels 12 and 13 are not available to choose from.

There are two ways to get around this:

  • Building OpenWRT from source, and enabling this option
  • Using reghack to patch the drivers (see the README on how to do this)

I only recently learned of reghack (thanks, Stijn!) which works nicely ;)

XPS13, Linux, suspend and Intel Rapid Start Technology

As an addendum to my previous post on how to install Debian Sid on the XPS13, I’ve been having issues with suspend – the laptop would sporadically not go to sleep properly on lid close, or it wouldn’t come out of suspend afterwards.

I seem to have found a solution for both:

  • The laptop suspends correctly after upgrading the xserver-xorg-video-intel driver to the version available in experimental, and upgrading the kernel to kernel 3.9 rc 6 (which contains a bunch of fixes for Ivy Bridge, and the touchpad driver comes built-in). You’ll need to manually build this kernel as detailed in the Debian Kernel Handbook.
  • The not waking up part seems to have been caused by the Intel Rapid Start Technology (iRST in short), which basically is an (S4) hibernate triggered from the BIOS a short while after you put the laptop in (S3) suspend (you never see this from the OS side). The laptop will dump the memory contents to a special partition on the harddisk and shutdown completely. Very good for battery life, less so for waking up from suspend – sometimes it would be instantaneously, sometimes it would take a minute or two, and at other times it just wouldn’t do anything.
    After disabling this in the BIOS the laptop works as expected.
    (you can find more about iRST and Dell here)

Dell XPS 13 and Debian Sid

I purchased a Dell XPS 13 Ultrabook, to replace my ageing Apple Macbook 2,1. After six years of daily use, it’s (over)due to retire.

The reasons for not going for another Apple product:

  • I don’t agree with their behaviour in the various markets where they’re competing. It’s competing, Apple, not suing for the smallest tidbit. Want to survive, innovate.
  • I no longer use OSX. Linux all the way, baby.
  • Seriously overpriced hardware for the same specifications. The only thing going for them is the screen resolution on the Retina models.

Extra reasons to go for the XPS 13:

  • Nice extra discount through work.
  • Very nice screen resolution on a 13″. Not quite up to retina specs yet, but this is good enough ;)
  • Ultrabook. Light. Long battery.
  • SSD, and loads of RAM

Spec comparison:

                    Apple Macbook 2,1    Dell XPS 13 (2013)
Weight:             2.3kg                1.03kg
Screen resolution:  1200×800             1920×1200
Memory:             2GiB                 8GiB
Storage:            80GiB HDD            256GiB SSD
CPU:                Core2Duo 2GHz        Core i5-3337U
Battery life:       3-4 hours            7-8 hours

The laptop arrived in a sort-of-stylish black Dell box, unfortunately taped over with all kinds of delivery stickers. Oh well.

The box it was shipped in

Inside you can see the box for the power cord, and the box with the actual laptop. Nicely packaged, plus points here, Dell ;)

Nicely packaged

Fancy Dell box containing the actual laptop

The actual laptop. Wrapped in plastic, protected with foam

All unpacked and ready to rock!

It’s also a bit smaller than my old Macbook, although they’re both rated as being 13″ laptops.

Dell XPS13 on top of my Macbook 2.1. Bit smaller. A lot lighter.

Unfortunately, the laptop I got shipped originally had some issues: plenty of backlight bleeding, and a wifi module that was broken – it would detect a wireless network for 1-2 minutes after powerup, and then nothing.
I called Dell, they sent round a technician… but after this repair, it was completely dead. So they shipped me a replacement, on which I’m typing this blog-post.

Back to the actual laptop – it’s a nice piece of hardware, but the Core i5 version comes shipped with Windows 8, unfortunately. Luckily for us, it’s easy to put something else on (or next to) it ;)
(note: the Core i7 version is the ‘developer’ version, which is shipped with Ubuntu! :D It’s called Project Sputnik)

Steps to shrink the Windows 8 partition (if you want to keep it around, otherwise you can just wipe the entire SSD. Don’t forget to first create some recovery images, though!):

  • Disable hibernate: open a command prompt (in admin mode) and type: powercfg /H off
  • Disable the windows pagefile (you can do this in Control Panel – System – Advanced Settings)
  • Disable system restore (ditto)

A reboot later, you should be able to shrink the partition to the minimum required (I left it around 50GiB). If you don’t disable all that crap, Windows will only allow you to shrink down to around 110GiB, which is frankly ridiculous.
You can enable everything again after shrinking the partition.

This will leave us with a nice amount of storage to put Linux on.

Now, download the Debian Testing latest weekly DVD 1 for amd64. You’ll also need a USB stick of 8GiB (4.5 is needed). Format that stick as FAT32, and copy the content of the DVD image onto the stick (not the actual ISO).

After this is done, you can reboot the laptop. When you see the Dell logo flash on the screen, quickly hit F12 (repeatedly). This will present you with the boot menu, where you can choose what to boot. I recommend to pick ‘Legacy mode’, and from there ‘USB storage’. Normally this will boot the Debian installer from the memory stick.

To install Debian, I refer you to the Debian Installation Manual, an excellent document that details all the steps. Just be careful not to wipe out the existing Windows partition, should you want to keep it ;)

Some time later, you’ll get to reboot the system, and Debian should be the default choice to boot with the UEFI boot manager ;)

At this point it’s also highly recommended to add unstable and experimental sources to your /etc/apt/sources.list file – the testing distribution just installed is – ahem – slightly outdated in software terms, and we’ll definitely need a new kernel.

Add this to /etc/apt/sources.list (replacing XX with your two-letter country code):

deb http://ftp.XX.debian.org/debian/ sid main contrib non-free
deb http://ftp.XX.debian.org/debian/ experimental main contrib non-free
deb-src http://ftp.XX.debian.org/debian/ experimental main contrib non-free

Do an apt-get update && apt-get dist-upgrade and you’re good to go on the packages. For a newer kernel, do apt-cache search linux-image and check for the latest kernel release, right now that is linux-image-3.8-trunk-amd64, which you can install with apt-get install -t experimental linux-image-3.8-trunk-amd64.

Now, to fix some of the issues I’ve encountered:

Non-functional wifi
On another laptop (or in Windows), download the firmware-iwlwifi package. Install it – a reboot later you should be able to configure the wireless interface. You might also need wpasupplicant if you use encryption on your network. (I’m lazy, so I downloaded all the packages needed for wicd and configured stuff that way.)

Laptop wakes from suspend out of the blue
I’ve encountered a few times that the machine came out of suspend without any trigger from me – highly annoying (and dangerous, should this happen while the machine is in a backpack and start to heat up). I’ve found this Bug report on Launchpad about it. The fix seems to be to disable “Smart Connect” in the BIOS. I’ve tried it here, seems to work.

Touchpad isn’t recognized as a touchpad
The patches to support the touchpad are en route to be included in kernel 3.9, but (at the time of writing) that one hasn’t been released yet. So we need to take the latest kernel available in Debian Experimental (3.8.5) and patch this with the driver. Luckily Debian has The Linux Kernel Handbook which explains how to do all this the proper Debian way ;)

First, install the necessary build packages: apt-get install build-essential fakeroot devscripts && apt-get build-dep linux-3.8
Next, get the kernel sourcecode: apt-get source linux-image-3.8-trunk-amd64 -t experimental
Download the patches too: wget 'https://patchwork.kernel.org/patch/1859901/raw/' -O /usr/src/cypress-touchpad-v7.patch and wget 'https://patchwork.kernel.org/patch/1859901/raw/' -O /usr/src/cypress-touchpad-v7.patch
Now, go to the source directory cd /usr/src/linux-3.8.5 and execute the script to rebuild the kernel with the two patches:  bash debian/bin/test-patches ../cypress-touchpad-v7.patch ../increase-struct-ps2dev-cmdbuf-to-8-bytes.patch
Now go eat a pizza, make some coffee, solve a theorem or so. It’ll take a bit. When it finishes, you’ll have another shiny kernel in /usr/src, which you can install with dpkg -i linux-image-3.8-trunk-amd64_3.8.5-1~experimental.1a~test_amd64.deb And Bob’s your uncle.

Brightness level doesn’t stick after a suspend/resume
For this I made a custom suspend-resume hook for pm-utils. Add the following script as /etc/pm.d/sleep.d/00backlight

#!/bin/bash

SYSFS=/sys/class/backlight/intel_backlight
# Note: /var/tmp is world-writable; a root-owned directory such as /run is a
# safer home for a state file written by a hook that runs as root.
TMP=/var/tmp/backlight-restore

case "$1" in
    "suspend"|"hibernate")
        # Save the current level before the machine goes to sleep
        echo "Saving backlight brightness level..."
        cat "$SYSFS/actual_brightness" > "$TMP"
        ;;
    "resume"|"thaw")
        # Restore the saved level, then remove the state file
        if [ -e "$TMP" ]; then
            echo "Restoring backlight brightness level..."
            cat "$TMP" > "$SYSFS/brightness"
            rm "$TMP"
        else
            echo "No brightness level save file found."
        fi
        ;;
    *)
        echo "Dunno what you're trying..."
        exit 1
        ;;
esac

This script will read the backlight brightness level upon suspend, and store it in a file in /var/tmp. Upon resume, the value is read from the file and the brightness level set to it.

The permanent fix is also scheduled for kernel 3.9.

Unreadable (way too tiny) fonts in applications
This is actually a drawback from having a high-resolution screen: a lot fits on it, but the fonts are tiny.
I had the issue mostly in Opera, IceDove (a rebranded Thunderbird) and XTerm, my X Terminal of choice.

In Opera you can just set the default zoom level. I put this at 120%, everything is readable now.
For Thunderbird, I can advise installing the ViewAbout extension, and then looking in View -> ViewAbout -> about:config for the setting layout.css.devPixelsPerPx, and setting this to “1.2”.
For XTerm, I added this to .Xresources (in my home directory):

XTerm*faceName: Dejavu Sans Mono
XTerm*faceSize: 11

so that XTerm uses the Dejavu Sans Mono truetype font, size 11, instead of the default.