Archive for August, 2007

My Firefox Extension List

August 20th, 2007 4 comments

This post is in response to Aaron Toponce’s “Ultimate Firefox Extension List”.  I thought I would take a few minutes and make a list of the extensions I use and find that I’d prefer not to live without.  On the one hand I do think they make me more productive.  On the other hand I feel I’m less productive on any machine but my own because I have grown so accustomed to the extensions.  In any event, here is my list (it’s short):

Vimperator – if you love vi you’ll like the vimperator extension for Firefox.  vi keybindings for navigating the interweb.  From gt/gT for navigating tabs, to hjkl for navigating the pages themselves.  There is a long list of key bindings available in the :help.  Again, if you love vi you will enjoy this extension, but be warned.  It has a similar learning curve to the initial vi.

Greasemonkey – I use greasemonkey for a single script.  I use it with my Google Secure script that I posted previously.  I’m sure there may be some other scripts that are worthwhile but I haven’t spent a lot of time searching for them.

FireGPG – This allows you to sign / encrypt text or emails from within your browser.  I prefer to use the more mature Enigmail within Thunderbird, but if I’m shooting something quick out of the browser I still want to see my emails digitally signed.

Again, I have a really short list.  I like minimalist settings and features.  Between these three I can keep my hands on the keyboard during browsing, make sure that all Google Apps that I use are https restricted and sign or encrypt (or both) any of my emails.  Beyond that and you’re just getting greedy ;)

(I should note that the #1 cause of problems with the Firefox browser is either 1) too many extensions or 2) conflicting extensions, which are often caused by the first.  If your browser crashes, is terribly slow, eats up all of your system memory, etc., try disabling some extensions.  I almost guarantee you’ll find a difference in performance with some of the guilty parties removed.)

Categories: Web Development Tags:

Guru Labs – Linux Training and Certification : Job Update / Posting

August 19th, 2007 3 comments

Many of you may remember earlier this year I announced that I started with a Linux Training company, Guru Labs. Well I wanted to give a bit of an update after being there now a number of months and invite anyone in the area to come apply for a position there.

I absolutely enjoy my job.  I describe it as being paid to learn.  Not a bad thing to do for a living.  When I’m on the road teaching I’m still learning, but I get to talk about and teach the inner-workings of the Linux OS.  Can’t really beat that.  When I’m not teaching I’m writing courseware, developing labs, testing labs and otherwise learning to become a better and more knowledgeable instructor.  I continue to learn so many things I’ve quickly realized that there is no end to this rabbit hole and I’m loving it!

Guru Labs is hiring.  If you’re in Utah you really might consider applying.  Competitive salary.  Good work environment.  Certifications.  Learning.  Networking.  When you leave Guru Labs you’re a changed geek forever.  When it comes to Linux “Nobody knows it like a Guru knows it!”

If you’re interested check out the Guru Labs website or send a resume to info [at] gurulabs [dot] com.  Tell them who sent you.

Ohh, and if you don’t live in Utah you’re more than welcome to ask for information and sign up for one of our many classes.  We do travel!  Again, tell ‘em who sent ya and I hope to see you in a class soon!

Categories: News Tags:

Ubuntu 7.10 “Gutsy” Battery Monitoring Feature

August 18th, 2007 9 comments

I installed a second machine the other day with Ubuntu 7.10 “Gutsy” Tribe (alpha) 4 release. Based on my initial positive experience on my other machine I thought I’d give it a try. Well, so far so good–things are running great. I love having new features. I think I may just consider running perpetual alpha from now on. Nothing like bleeding edge ehh?

Gutsy telling me that my battery is no good anymore or that it’s old.

I thought I’d share a screenshot of something I was presented with when I booted this machine this morning. I should mention this machine is probably 3-4 years old at this point and I’m sure Gutsy is absolutely correct in its message. I just thought it was pretty cool that it could tell and would notify me. I’ll let the screenshot do the talking…

Categories: Ubuntu Tags:

7 Steps To An Encrypted Partition (local or removable disk)

August 17th, 2007 25 comments

Update : Encrypted root file system option now available at installation in Ubuntu 7.10.  See Install Time Ubuntu Encryption for more information.

This last week I’ve been very interested in encryption. If you missed it you might be interested in my post on encrypting files or emails with GPG. In this tutorial I wanted to outline how to encrypt a local partition or a removable device (like a USB key). The steps used here will work for either type of device although you’ll need to replace your partition name and number for the examples provided here.

Attention: following this tutorial will wipe all data from the partition or device you write it to. You cannot encrypt your file system after-the-fact using this method. Be sure you have backups or don’t care about the data being lost if you follow these steps!!!

Step 1:

The first step in the tutorial is installing the cryptsetup utility, which is part of the cryptsetup package. You can search for this using your favorite package management utility or use this command:

sudo aptitude install cryptsetup

Step 2:

Now that we have the cryptsetup utility installed we’ll need to prepare the device for use. If you have a newly created device or partition you may be able to skip this step, but it also won’t hurt to redo this step anyway.

If you are unsure what the device is listed as, you can use either of these two commands:

sudo fdisk -l

(this will list your current partition table, both on local and removable media.)

dmesg

(this will show kernel messages pertaining to hardware. If you plug in a removable device and wait a few seconds, this will show you what device name the kernel assigned to the hardware.)

Once you know what device you want to apply this to you can run the following command on [your device] to create the partition you want to encrypt. I suppose you can also use a graphical utility like gparted, etc. Those tools are outside the scope of this tutorial.

sudo fdisk /dev/[your device]

(ie; if your device showed up as /dev/sdb you would use: sudo fdisk /dev/sdb)

For removable media make a single primary partition using the entire space of the device (or alter for your needs if you know what you’re doing).

Once you have created the partition you’ll want to “w”rite the change in fdisk. Remember, if you don’t “w”rite the changes none will be applied.

Step 3:

To make sure that your kernel is up to date concerning the newly created / altered partition table you may need to run the command:

sudo partprobe

Step 4:

Now we’ll get to encrypting this new partition. There are different options you can use here, and I’ll outline a few of them, but there really isn’t one that is “the best”. It depends on your level of security needs and the time you want to spend on it. If you want it done quickly and want a basic level of fairly-hard-to-break encryption you can use the first option. If you are super paranoid and don’t mind letting this take some time (hours or days on large disks!) to build you can use option three. Somewhere in the middle, option two is probably fine. Anyone have suggestions on other methods?

We’ll write data over the newly created partition before encrypting it. Writing data to the partition prior to encryption helps protect against data attacks, such as finding patterns at the block level. You can use one of the following three commands:

sudo dd if=/dev/zero of=/dev/[your device] bs=4K

(this method is probably recommended unless you expect active attacks against your encryption layer)

sudo badblocks -vfw -b [block-size-of-your-device] /dev/[your device]

(this option will write 5 data patterns across your drive and overwrite and verify the data. This is used to check for badblocks, but can also be used to wipe out any existing data)

sudo dd if=/dev/urandom of=/dev/[your device] bs=4K

(this method is considered pretty secure. It is based on the truly random option below but is pseudo-random data--probably a very good option in most cases.)

sudo dd if=/dev/random of=/dev/[your device] bs=4K

(this is considered the most secure but will take a long time. It is also important to generate a lot of random data on your machine. Launch some applications, do some high disc I/O, move the mouse erratically, etc. This may take DAYS!)

Step 5:

At this point the partition is ready to be encrypted. There are multiple encryption methods, and multiple options within each. This tutorial uses LUKS encryption with my preferred key size, hash and cipher. You may change these if you know what you’re doing. If not, omitting my options will use the defaults (ripemd160 hash). This command will remind you that all data will be lost (although we already lost everything in Step 4). This is also where you’ll be prompted for your passphrase to access the encryption.

sudo cryptsetup luksFormat /dev/[your device] -c aes -s 256 -h sha256

(again, past [your device] are my preferred options)

If you see an error near this point similar to “Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/[your device] contains at least 258 sectors.” you’ll need to run this command:

sudo modprobe dm-crypt

You may want to have this module auto-magically added at boot time by appending this line to your /etc/modules file:

dm-crypt

Step 6:

Now that we’ve created the basic encryption layout on the partition we need to open the encrypted partition for use.

sudo cryptsetup luksOpen /dev/[your device] name

(name can be whatever you like. I use things like secure or vault or encrypt)

Step 7:

Now that we have the device open and added to the dm (dev mapper) system we can actually create a file system on it and use it. One last command and we’ve got ourselves an encrypted, usable filesystem.

sudo mke2fs -j /dev/mapper/name -L label

(where name was applied above and label is the filesystem label. I generally match the two. This also assumes an ext3 file system. If you know you want a different filesystem type I'm assuming you know the right command.)

If you’ve come this far your device is ready to use. A few additional points that you may be interested in.
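Steps 4 and 5 destroy whatever is on the target, so it is worth checking the device before running them. The script below is an added example, not part of the original tutorial: its function names are hypothetical, and it assumes the kernel tables /proc/mounts and /proc/swaps and the six-byte LUKS magic ("LUKS" followed by 0xBA 0xBE) at the start of an already formatted device.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): checks to run before the
# destructive Steps 4 and 5. Function names are hypothetical.

# 0 if DEV, or a partition of DEV (sdb -> sdb1, nvme0n1 -> nvme0n1p1), is
# listed in column 1 of TABLE, a file laid out like /proc/mounts or /proc/swaps.
# The partition rule errs on the side of refusing (sdb1 also matches sdb11).
listed_in() {  # listed_in DEV TABLE
    awk -v d="$1" '
        $1 == d { hit = 1 }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/ { hit = 1 }
        END { exit !hit }' "$2"
}

# 0 if the first six bytes of DEV are the LUKS magic, i.e. the target already
# holds an encrypted volume that luksFormat in Step 5 would destroy. This also
# catches a device that is open under /dev/mapper and mounted from there.
has_luks_header() {  # has_luks_header DEV
    local magic
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Print the reason and return 1 if it is not safe to wipe DEV; return 0
# otherwise. MOUNTS and SWAPS default to the live kernel tables.
preflight() {  # preflight DEV [MOUNTS] [SWAPS]
    local dev=$1 mounts=${2:-/proc/mounts} swaps=${3:-/proc/swaps}
    if [ ! -e "$dev" ]; then
        echo "refuse: $dev does not exist"; return 1
    fi
    if listed_in "$dev" "$mounts"; then
        echo "refuse: $dev or one of its partitions is mounted"; return 1
    fi
    if listed_in "$dev" "$swaps"; then
        echo "refuse: $dev or one of its partitions is active swap"; return 1
    fi
    if has_luks_header "$dev"; then
        echo "refuse: $dev already has a LUKS header (luksDump it first)"; return 1
    fi
    echo "ok: $dev is not mounted, not swap and has no LUKS header"
}
```

Source the file and run `sudo preflight /dev/[your device]` before Step 4; continue only when it prints the "ok" line.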

Additional

First, if this is a local partition and filesystem, such as a /data folder, you may want it to be mounted automagically at boot time. You can add the new partition to your /etc/fstab file to be mounted at boot. Be sure to specify the /dev/mapper/[name] location and not the original partition location. You should note that when your booting system arrives at this device it will prompt you for a passphrase key and halt the boot process until one is provided. An example of a line in the /etc/fstab is:

/dev/mapper/name /data ext3 defaults 0 0

Second, if you are using this on a removable drive such as a usb key, the Gnome Desktop (someone verify in KDE?) will recognize the encrypted setup and prompt you for a key visually. A message such as “The storage device contains encrypted data. Enter a password to unlock” will appear. You will be required to know the passphrase (as supplied in Step 5) to access this device again. The desktop system also allows you to “forget immediately”, “remember password until you logout” or “remember forever” the key provided. Those options are up to you and your usage. “Remember forever” should store the key in your gnome keyring.

Third, if you are following this guide for use on a removable disk you may want to change ownership (chown) on the mounted path and set group id (sgid) on the directory so that your user has full permissions. Considering we ran everything with sudo the mounted path and ownership is probably set to the root user. You can use these two commands to set the permissions:

sudo chown -R user.user /media/[name]

(user.user should, of course, be replaced with your username on the system)

sudo chmod g+s /media/[name]

([name] is the mount point that the system auto-mounted the device on. It *should* match whatever you set the label to in step 7.)

There is also an option to create multiple keys to unlock the device. This is helpful if it is a multi-user system and you don’t want to use a shared passphrase. You would add a key to the encrypted device using:

sudo cryptsetup luksAddKey /dev/[your device]

This will prompt you for your current key and then the new key. The new key will have to be entered twice. Also, if you want to remove a key you can use the similar:

sudo cryptsetup luksDelKey /dev/[your device] [slot #]

To find out more information about your encrypted partition / device, and to see things such as assigned key slots, you can also use:

sudo cryptsetup status name

sudo cryptsetup luksDump /dev/[your device]

I would like to expand this soon to include encrypting your entire root filesystem or other variations like bypassing the passphrase but storing the “key” on a usb drive or similar. This way it is similar to a hardware key needed to boot your machine. There are a lot of different ways this could go… until then, I think this has become long enough :)

Categories: Security Tags: ,

Vim Tip of the Week : August 17th, 2007 – Time based Undo (or Redo)

August 17th, 2007 No comments

Well these Vim tips have really been one of the more popular topics to come through this blog in a while.  I’d like to keep with tradition and keep these going each Friday.  This week’s tip is reverting or redoing changes based on time, vs simply the undo command (‘u’) and redo command (‘ctrl-r’).

From the vim :help section:

:earlier {count}    Go to older text state {count} times.

:earlier {N}s    Go to older text state {N} seconds before.

:earlier {N}m    Go to older text state {N} minutes before.

:earlier {N}h    Go to older text state {N} hours before.

Also supported is the :later command following the same syntax pattern. Easily revert to changes at previous times with the :earlier, or re-do changes forward with :later.  Of course :later won’t read your mind and create your document for you, but once you’ve gone back in time you can go back to the future.

For more info on this tip type “:help earlier” within vim.

Categories: Linux Tags:

ubuntu-restricted-extras : all that “extra” stuff, all in one place

August 17th, 2007 9 comments

I wanted to give another update on my Gutsy testing. I now have two of my laptops running Ubuntu 7.10 “Gutsy Gibbon” and they are both working just fine so far. I have been consistently submitting the bugs that I find (and thanks to all the rest of you doing the same!) Again, nothing to keep me from using the machine in production so far, just little oddities here and there.

Beyond the report above there is something else here that I think many of you will be interested in. With the release of Gutsy there will be a package called “ubuntu-restricted-extras” which includes the following:

cabextract flashplugin-nonfree gsfonts-x11 gstreamer0.10-ffmpeg gstreamer0.10-plugins-bad gstreamer0.10-plugins-bad-multiverse gstreamer0.10-plugins-ugly gstreamer0.10-plugins-ugly-multiverse jackd java-common liba52-0.7.4 libavcodec1d libavutil1d libcdaudio1 libdvdread3 libfaac0 libfaad2-0 libfreebob0 libgsm1 libid3tag0 libjack0 liblame0 libltdl3 libmad0 libmjpegtools0c2a libmms0 libmp4v2-0 libmpcdec3 libmpeg2-4 libqt3-mt libquicktime1 libsidplay1 libsoundtouch1c2 libx264-54 libxvidcore4 msttcorefonts odbcinst1debian1 qjackctl sun-java6-bin sun-java6-jre sun-java6-plugin ubuntu-restricted-extras unixodbc unrar

That is quite a bit of the “extra” stuff that many of us have installed manually or looked to third-party solutions like Automatix for. This is one more positive step in the right direction for ease of use, but perhaps not quite 100% when it comes to Free Software. Of course we all have to draw that line somewhere, up to you.

I’ll have more Gutsy updates soon and (hopefully) a tutorial on encrypted filesystems by this weekend. Thanks for reading.

Categories: Ubuntu Tags:

Action-crap modems and DSL…

August 16th, 2007 3 comments

First, I apologize for not having any tutorials most of this week. Things have been a bit busy in just getting back from a month on the road and I’ve been catching up. I’ll get things going again, I promise.

Last nite I finally got most of my new network figured out (for those that didn’t know, we recently moved into a bigger house). I’ve been spending time replacing the house phone jacks with Cat5 connectors and I’ve ordered a few 10/100/1000 switches from newegg. Those should get here today and then the house’ll run on gigabit-goodness!

The one major problem I’ve had is that I haven’t had to (settle) for DSL in years! In our other house we had Fiber Optic (15M/15M connection), and previous to that it was a 6M/1.5M Cable connection with Comcast. Downgrading to a 1.5M/680K connection with Qworst has been a poor experience. As I usually tell anyone that asks, if you have a choice between Cable and DSL, pick the Cable.

In any event, last nite I hacked the Action-crap DSL modem/router/headache into submission and the bulk of my networking is routing through a Netgear wireless router. I’ll end up chaining the Action-crap to the Netgear and then into the two switches, hopefully by day’s end.

In the long run I’d like to setup one of my local servers to be the DHCP / DNS / Firewall, but that might have to wait until this weekend or something.

In any event, if you’ve read this far I appreciate it but I really don’t have anything important to say. I’ll get back to the regular tutorials soon… just as soon as the rest of my network is up and reliable.

Categories: Randomness Tags:

US Teams Project Interview on Linux.com

August 14th, 2007 No comments

I thought some of you might be interested in reading a recent interview I did with Linux.com concerning the US Teams Project.

Ubuntu tries to go LoCo in all 50 states

Enjoy

Categories: Community Tags:

Privacy and Encryption with PGP : Signing and Encrypting Email / Files

August 14th, 2007 12 comments

Preface

Saturday night the Ubuntu Utah Team had a great presentation on Privacy and Encryption. One very important topic and another very interesting topic. With as much as is going on these days to screw with our privacy (NSA) it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private so what is the point? I’m not doing anything “private” either, but honestly if I really wanted to talk to the NSA I’d send my emails directly to them. I’m not doing things that *need* to be hidden, it’s simply a matter of it not being any of their business.

I have for some time now been digitally signing my emails. If you’ve seen me pop-up on a mailing list or got any emails from me you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email that arrived in your inbox are the same contents that left mine. If even *one* character changed the signature would not validate and you could tell the email or signature had been tampered with.

I have also started signing and *encrypting* emails to others that also have a PGP key pair that I have personally trust-signed. We’ll get into the trust signing later but I wanted to share a few steps and some other references to how you can generate your own key and also be able to sign and / or encrypt emails or files.

The GUI Front-End

There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on gnome or kgpg on KDE. You can also use the command line equivalent on either system, which will be standard between the two. (note: there are also solutions for OS X and Windows, but I won’t get into those.)

First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.

sudo aptitude install seahorse   # gnome

or

sudo aptitude install gpa   # gnome

or

sudo aptitude install kgpg   # kde

Creating The Key

Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.

Applications > Accessories > Passwords and Encryption Keys

Select “Key” from the File Menu and “Create New Key” (ctrl-N)

This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.

The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.

You may want to select the “Advanced key options” button and set a higher key strength. The default type DSA Elgamal of 2048 is a very powerful key strength but it does support up to 4096 as well. Personally I chose the 4096 but, again, the default 2048 is plenty powerful in itself.

You can also optionally select a date that this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc) you can safely set it to not-expire.

When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid, more-than-a-dozen character passphrase to make this even more solid. Your digital signature and key are only as strong as their weakest link, which is the passphrase. If someone gets a hold of your passphrase they can make use of your private key, un-encrypt emails sent to you or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!

Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it processes a new key. Just be patient.

You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.

Using the Key

For those of you that want to get started right away signing emails you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one (actually the #1 reason I use Thunderbird as my client) with Enigmail. You can find it on the mozilla addons site or via the ubuntu repositories.

Evolution has PGP support built in but it is not as flexible (or at least I haven’t figured it out). You can find this in the Privacy tab of your email box settings.

Now this tutorial is getting a bit long so I’ll have to expand this next time and explain expanding your key with your alternate email addresses, keysigning parties, etc.

Until then I hope this helped a little bit.

UPDATE: screenshots of the key creation here [1,2,3,4]

Two major things to remember before you run off and start playing around. Remember your passphrase and back up your private key!!

Your public and private keys are found in ~/.gnupg/ . I suggest backing up this entire folder to an external USB. If you lose your private key the whole pair is useless. Even if you still have the public key and the passphrase the private key section is the most critical part of the process.

Categories: Big Brother Tags: , ,

Can You Improve This Command Line Magic?

August 13th, 2007 19 comments

Today I needed to come up with some more command line magic. You might remember the post I did about digging out of holes with some command line magic. Today’s goal was to do some math, or more specifically, find an average of numbers based from data in a text file. I asked around in IRC for some solutions and one user (the genius coder) came up with something in about two-minutes. Can you improve this or do it with another language? Bash? Python? C? I’d like to see other implementations if you’d like to take the challenge. It’s not much but gets your mind going…

Here is a link to an example file I’m sourcing from. Not the exact same, but you get the idea. Basically taking quarterly data and averaging it. (Let’s not get into a discussion on a better way to store this data in the first place, I’m just looking at clean ways to average the data.)

First submission here:

cat quarterly.txt | grep Q3 | cut -d "=" -f2 | perl -e '$a=0;$b=0;while(<>){$a++;$b+=$_;}print $b/$a."\n";'

I’m sure some of you Perl mongers can play some golf with this. Who else wants to try?

Categories: c0de Tags: