Ubuntu Tutorials

Yesterday I outlined how to install and play StarCraft and the BroodWar expansion on Ubuntu 8.04.  Today I’ll build on that by outlining how to install the 1.15.2 “no CD” patch available from Blizzard Entertainment.

Installing the 1.15.2 “no CD” patch

One thing we quickly realized after installing was that it was a bit annoying to require the CD to play. After some quick searching we found that Blizzard had released a patch that would allow the game to play minus the CD. To install that patch you’ll need to follow a few more steps.

You’ll need to copy some of the CD contents into your StarCraft installation directory. Each CD (StarCraft original and / or the BroodWar expansion) has a file called “install.exe”. This file needs to be copied into your StarCraft installation directory. The file also needs to be renamed according to which it is. This means if you are copying the contents from the StarCraft original game CD the resulting file needs to be renamed “StarCraft.mpq”.  If you are copying the install.exe from the BroodWar expansion disk you’ll need to rename that file “BroodWar.mpq”.

The following two commands will properly copy and rename the files on both CDs. If you only have the original and not the BroodWar expansion you only need the first command.

Copy the install.exe file from the StarCraft original installation CD:

cp /media/cdrom/install.exe ~/.wine/drive_c/Program\ Files/Starcraft/StarCraft.mpq

Copy the install.exe file from the StarCraft BroodWar expansion CD:

cp /media/cdrom/install.exe ~/.wine/drive_c/Program\ Files/Starcraft/BroodWar.mpq

One last step is to install the patch itself available from Blizzard. Download the appropriate .exe file for your Starcraft installation (ie; original or BroodWar), run it via wine and you’re done. You can now enjoy playing StarCraft on Ubuntu 8.04 without requiring the CD.

I’m sure many of you have heard by this point that there is a reported vulnerability in openSSL and openSSH.  The basis of this is that they keys that are generated when you use these tools (ie; installing openssh-server, etc) are generated in a weak manner and can be prone to simple brute force attacking.

If you’ve never installed openssh-server, used openssh-clients or generated an X.509 certificate you should be safe.  If you have done any of the above keep reading for a validation and fix instructions.  It can’t hurt to run the validation script in either case, just to be safe.

Security patches have been deployed to the Ubuntu archives so the first step is to, of course, apply any security patches available.

Am I Affected?

The first item at hand is verifying whether or not you have been affected by the vulnerability.  As mentioned above there are some common tasks that would qualify, but lets test your machine to make sure.

Download the script linked below and run it using the example syntax below:

dowkd.pl.gz (Download this file and unzip)

dowkd.pl PGP signature (Optionally verify the signature of the script)

Cut-n-Paste command-line example of downloading and running the test:

wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
gunzip dowkd.pl.gz
chmod u+x dowkd.pl
./dowkd.pl user
./dowkd.pl host <hostname>

If you see output similar to:

/home/username/.ssh/id_dsa.pub:1: weak key

…then you have been affected by the vulnerability.  If you do not see “weak key” reported then you are OK.

How Do I Fix My Machine?

To update your machine and patch the vulnerability the first thing you want to do is check for and apply any system updates available.  The main Ubuntu archives have been updated with the fixes.  If you are using an alternate mirror the fix may not have propagated yet, so you may not see it available for another few hours.

Apply any updates:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

You should see an update for openssl and openssh packages (along with anything else available).

After these new packages have been applied you’ll want to regenerate any keys that you’ve generated (ie; openssh keys, CA cert, etc).

UPDATE: The latest package release will automagically re-create any server-side ssh keys for you and notify you of the reason. Also, there is a new utility built into the latest release that will check keys for you. After your updates are applied try the tool:

ssh-vulnkey

To generate a new openssh key for your user: (This only required if ‘./dowkd.pl user‘ reports weak)

ssh-keygen -t dsa -b 1024

To generate a new openssh key for your server: (This only required if ./dowkd.pl host <hostname> reports weak)

sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key*
sudo dpkg-reconfigure -plow openssh-server

You should now run the validation script again and make sure it does not report any errors.  If you still see reported warnings such as:

/home/username/.ssh/authorized_hosts:1: weak key

…this means that you have authorized_host keys saved that are still affected.  Open the .ssh/authorized_hosts file with a text editor and delete the affected line (:1: means line 1, etc).

Continue to run the ./dowkd.pl script until no weaknesses are reported.

These steps should be run on any system that you manage to ensure they are sufficiently patched.