
Odi's astoundingly incomplete notes

New Entries

My favourite .kshrc

/bin/bash

posted on 2014-03-18 14:38 CET in Code | 0 comments | permalink

Apache hiccup after glibc update

Gentoo recently updated glibc. After that I saw this in Apache's error_log:
/usr/sbin/apache2: relocation error: /lib64/libresolv.so.2: symbol __sendmmsg, version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference


Re-emerge apache to fix it, and make sure the running httpd is restarted. The message means one process is mixing libraries from two glibc builds: a libresolv.so.2 that references the new glibc's private symbol __sendmmsg against a libc.so.6 that predates it, which is what happens when a server started before the update loads libresolv afterwards.

posted on 2014-01-30 18:36 CET in Code | 0 comments | permalink

Drag and drop files into KDE's konsole

I just discovered an extremely handy feature of konsole, KDE's primary terminal emulator. cd to a path in konsole and drag'n'drop a file from Dolphin file manager directly into the terminal, and the file will be copied into the current working directory.

posted on 2014-01-22 09:39 CET in Code | 1 comments | permalink
Cool, works from Konqueror too. :-)

Google still doesn't care about crypto

It still uses weak crypto during SMTP transfers:
Received: from mail-qc0-x244.google.com (mail-qc0-x244.google.com [IPv6:2607:f8b0:400d:c01::244])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
ECDHE at least gives forward secrecy, but RC4 has been discouraged for years for a reason: its keystream biases are practically exploitable, and TLSv1 with RC4 is about the weakest combination a current mail server should still accept. (Which suite gets negotiated depends on what both sides offer and whose preference order wins; a receiving server that does not enforce its own order lets the sending client's order decide.)

posted on 2014-01-21 11:24 CET in Code | 0 comments | permalink

Getting rid of python-3.2 in Gentoo

Gentoo currently has support for Python 2.6, 2.7, 3.2 and 3.3. You only need one of each of the 2.x and 3.x branches (some ebuilds support 2.x only).

So if you currently have:
$ equery l python
 * Searching for python ...
[IP-] [  ] dev-lang/python-2.7.5-r3:2.7
[IP-] [  ] dev-lang/python-3.2.5-r3:3.2
[IP-] [  ] dev-lang/python-3.3.2-r2:3.3
Select 3.3 only:
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2 *
  [2]   python3.3
$ eselect python set --python3 2
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2
  [2]   python3.3 *
Rebuild python packages:
$ python-updater

Check what still depends on the unneeded 3.2 slot:
$ qdepends -Q python:3.2
dev-python/pyparsing-2.0.1
dev-python/dbus-python-1.2.0
x11-proto/xcb-proto-1.8-r3
Re-emerge these to eliminate the dependency:
$ emerge -1av pyparsing dbus-python xcb-proto

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] dev-python/pyparsing-2.0.1  USE="-doc -examples" PYTHON_TARGETS="python2_7 python3_3* (-pypy2_0) -python2_6 -python3_2*" 0 kB
[ebuild   R    ] x11-proto/xcb-proto-1.8-r3  ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
[ebuild   R    ] dev-python/dbus-python-1.2.0  USE="-doc -examples {-test}" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
Mask python 3.2 in /etc/portage/package.mask:
dev-lang/python:3.2
Now python:3.2 should no longer be required and get removed with
$ emerge --depclean
If it is not offered for removal, remove it manually, then check which packages still pull it in (the mask error from the following world update lists them) and rebuild those. Repeat the world update and the rebuild of the offending python packages until the update goes through:
$ emerge -C python:3.2
$ emerge -uavD world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  NS   #] dev-lang/python-3.2.5-r3:3.2 [2.7.5-r3:2.7, 3.3.2-r2:3.3] USE="ipv6 ncurses readline sqlite ssl threads (wide-unicode) xml -build -doc -examples -gdbm -hardened -tk -wininst" 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB

The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by dev-python/pycurl-7.19.0-r3[python_targets_python3_2]
# required by app-admin/system-config-printer-common-1.4.3
# required by app-admin/system-config-printer-gnome-1.4.3
# required by kde-base/print-manager-4.11.2
# required by kde-base/kdeutils-meta-4.11.2[cups]
# required by kde-base/kde-meta-4.11.2-r1
# required by @selected
# required by @world (argument)
# /etc/portage/package.mask:
=dev-lang/python-3.2.5-r3
$ emerge -1 pycurl

posted on 2014-01-15 10:15 CET in Code | 0 comments | permalink

Configure forward secrecy

Choosing your SSL cipher suites is one thing; configuring the various services to actually use them is another.

Note that RC4 and MD5 are broken and 3DES, with its 64-bit block size, is too weak to keep around: the cipher lists below exclude all three. The OpenSSL cipher string used for OpenLDAP, Apache, Courier and Postfix prefers ephemeral DH and ECDH suites (forward secrecy) and ends with four static-RSA suites (CAMELLIA256-SHA, AES256-SHA, CAMELLIA128-SHA, AES128-SHA) as a fallback for old clients. Those four provide no forward secrecy; drop them if you do not need such clients.

OpenLDAP: /etc/slapd.conf:
TLSCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Apache httpd:
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Courier-Imap: /etc/courier-imap/imapd-ssl
TLS_CIPHER_LIST="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
OpenSSH server: /etc/ssh/sshd_config
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
OpenSSH client: /etc/ssh/ssh_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Postfix: restricting ciphers matters only for mandatory TLS (smtpd_tls_mandatory_ciphers below; opportunistic TLS is governed by smtpd_tls_ciphers), and there is no end-to-end encryption in SMTP anyway. Email to and from your local system may pass through many hops that are not under your control.
/etc/postfix/main.cf:
smtpd_tls_eecdh_grade=ultra
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
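As an added example (not part of the original page), the following Python script checks two things discussed here. It expands the OpenSSL cipher string above with the local OpenSSL and reports every enabled suite that is not forward secret or uses a broken algorithm (for this string, at most the four static-RSA fallbacks at its tail), and it scans Received: headers such as the one quoted in the Google post above for the protocol and cipher each SMTP hop negotiated. The header sample is constructed: the first hop is the quoted Google header with an invented "by" line, the other hops and the example.org/example.net hosts are made up, the Received: comment format is Postfix's, and the classification goes by OpenSSL suite name only.

```python
"""Audit TLS cipher choices two ways: expand an OpenSSL cipher string
and flag the suites a peer could still negotiate without forward secrecy
(or with a broken primitive), and scan Received: headers for the cipher
each SMTP hop actually used."""
import re
import ssl

# The cipher string used above for OpenLDAP, Apache, Courier and Postfix.
CIPHER_STRING = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:"
    "!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Substrings of OpenSSL suite names that mean a broken or null primitive.
BROKEN = ("RC4", "MD5", "3DES", "DES-CBC3", "NULL", "EXP")
# Name prefixes of suites with an ephemeral (forward-secret) key exchange;
# TLS_ is OpenSSL's naming of the TLS 1.3 suites, which are always ephemeral.
EPHEMERAL = ("ECDHE-", "DHE-", "EDH-", "TLS_")
ANONYMOUS = ("ADH-", "AECDH-")


def weak_reasons(name):
    """Judge a suite by its OpenSSL name. Returns a list of problems;
    an empty list means forward secret and no broken primitive."""
    reasons = [alg for alg in BROKEN if alg in name]
    if name.startswith(ANONYMOUS):
        reasons.append("anonymous key exchange (no peer authentication)")
    elif not name.startswith(EPHEMERAL):
        reasons.append("no forward secrecy (static key exchange)")
    return reasons


def audit_cipher_string(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL and map each
    enabled suite name to its list of problems. Needs Python 3.6+ for
    SSLContext.get_ciphers(); which suites exist depends on the OpenSSL
    build and its security level, so this is a local view."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return {c["name"]: weak_reasons(c["name"]) for c in ctx.get_ciphers()}


def flagged_suites(spec):
    """Names of enabled suites that have at least one problem."""
    return [name for name, reasons in audit_cipher_string(spec).items() if reasons]


# Postfix writes "(using <protocol> with cipher <suite> (<bits>/<bits> bits))"
# into the Received: header of every hop it accepted over TLS.
TLS_COMMENT = re.compile(r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+)")


def scan_received(headers):
    """Return one (protocol, cipher, reasons) tuple per Received: header.
    A hop without a TLS comment is reported as ("none", None, ["no TLS"]);
    SSLv3 and TLS 1.0/1.1 are flagged as deprecated protocols."""
    hops = []
    for block in re.split(r"\n(?=Received:)", headers.strip()):
        if not block.startswith("Received:"):
            continue
        m = TLS_COMMENT.search(block)
        if m is None:
            hops.append(("none", None, ["no TLS"]))
            continue
        proto, cipher = m.group("proto"), m.group("cipher")
        reasons = weak_reasons(cipher)
        if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
            reasons.append("deprecated protocol " + proto)
        hops.append((proto, cipher, reasons))
    return hops


# Constructed sample: the first hop is the header quoted in the post above
# (with a made-up "by" line); the other two hops are invented for contrast.
SAMPLE_HEADERS = """\
Received: from mail-qc0-x244.google.com (mail-qc0-x244.google.com [IPv6:2607:f8b0:400d:c01::244])
    (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
    by mx.example.org (Postfix) with ESMTPS
Received: from relay.example.net (relay.example.net [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.example.org (Postfix) with ESMTPS
Received: from legacy.example.com (legacy.example.com [198.51.100.7])
    by mx.example.org (Postfix) with ESMTP
"""

if __name__ == "__main__":
    for proto, cipher, reasons in scan_received(SAMPLE_HEADERS):
        print(f"{proto:8} {cipher or '-':32} {'; '.join(reasons) or 'ok'}")
    for name in flagged_suites(CIPHER_STRING):
        print("still enabled:", name, "->", "; ".join(weak_reasons(name)))
```

Run it directly for a report. A suite that shows up as flagged is one a client can still negotiate; `openssl ciphers -v '<string>'` shows the same entries with Kx=RSA. The set of enabled suites is whatever the local OpenSSL build provides, so run the audit on the machine that runs the service.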
Openswan:
For protostack=netkey make sure to enable all relevant crypto algorithms in your kernel: all crypto is done by the kernel, and Openswan can only negotiate what the kernel supports.
To list the supported algorithms: ipsec auto --status | less
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048

The algorithms are configured like so (Openswan documentation is very incomplete!):
        # PHASE 1
        # negotiation mode
        aggrmode=no
        ike=aes-sha2_256;modp2048
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=aes_gcm_c-256-sha2_256;modp2048
        salifetime=8h
        pfs=yes
        auto=ignore
The length of the PSKs in /etc/ipsec.secrets is very relevant. The minimum safe size depends on the IKE hash, but you can always choose longer keys of course:
posted on 2013-11-25 12:25 CET in Code | 0 comments | permalink

slow pasting in vim

I often copy text files via SSH by just opening the target file in vim and then pasting the text into the terminal.
If the file is quite large this is very slow, and if the target machine is close enough you can hear its hard drive going mad.

So what's going on here? vim is writing to its swap file. Character by character. Dutifully flushing each character out of the buffers. Very good in case you lose power, except that it really slows us down here...

Simple solution: disable vim's swap file with the -n option.

vim -n targetfile


posted on 2013-11-12 21:23 CET in Code | 0 comments | permalink

Java's OutputStreamWriter can waste memory

The following little unit test measures the memory usage when you convert from char to byte using an OutputStreamWriter. It does that once without buffering and once with a BufferedWriter wrapped around the stream.
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;

import junit.framework.TestCase;


public class StreamTest extends TestCase {
    public void test1() throws Exception {
        Runtime rt = Runtime.getRuntime();

        final int max = 10000;
        File f = File.createTempFile("junit", "tmp");

        int gcs = gcs();
        long used = rt.totalMemory() - rt.freeMemory();
        Writer w = new OutputStreamWriter(new FileOutputStream(f), "UTF-8");
        for (int i=0; i<max; i++) {
            w.write("constant");
        }
        w.close();
        assertEquals("increase -Xms -Xmx", gcs, gcs());
        long used2 = rt.totalMemory() - rt.freeMemory();
        System.out.println("unbuffered: "+ (used2 - used) +" bytes");
        
        f.delete();
        gcs = gcs();
        used = rt.totalMemory() - rt.freeMemory();
        w = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(f), "UTF-8"));
        for (int i=0; i<max; i++) {
            w.write("constant");
        }
        w.close();
        assertEquals("increase -Xms -Xmx", gcs, gcs());
        used2 = rt.totalMemory() - rt.freeMemory();
        System.out.println("buffered: "+ (used2 - used) +" bytes");
        
        System.out.println(System.getProperty("java.runtime.version"));
    }
    
    private int gcs() {
        int sum = 0;
        for (GarbageCollectorMXBean mb : ManagementFactory.getGarbageCollectorMXBeans()) {
            sum += mb.getCollectionCount();
        }
        return sum;
    }
}

The result is surprising:
unbuffered: 943896 bytes
buffered: 0 bytes
1.7.0_45-b18
(The actual numbers depend on the heap size.) One would assume that unbuffered writes use no memory and that buffered writes use the buffer size. The explanation is in OutputStreamWriter's implementation: every write(String) call copies the string into a fresh char[] and wraps that in a new CharBuffer before encoding it, so 10000 small writes leave roughly a megabyte of short-lived garbage behind. BufferedWriter instead copies the characters into its own 8192-char buffer and hands the underlying writer one large char[] per flush, so almost nothing is allocated per call. And where does the buffer memory go? I can just assume that the VM plays dirty optimization tricks here and quickly allocates the transient buffer from thread-local memory without actually resorting to heap.
posted on 2013-11-12 20:40 CET in Code | 0 comments | permalink

Gentoo boost hiccups

EDIT: fixed as of Oct 28 2013

If you have accidentally upgraded from dev-libs/boost-1.49.0 to boost-1.52.0 you are probably cursing right now :-)

Symptoms:
Remedy:
The new boost has installed a directory where previously there was a symlink. Remove it. Then downgrade boost manually.
rm /usr/include/boost
/etc/portage/package.mask:
=dev-libs/boost-1.52.0-r6
=dev-util/boost-build-1.52.0-r1
emerge -1 boost boost-build (+ other dependent ebuilds)



posted on 2013-09-18 10:13 CEST in Code | 0 comments | permalink

Misconceptions about security

Again I am coming across a customer who has severe misconceptions about security. They are:

There is 100% security
That is so wrong, it's not even a good joke anymore. Security and usability always add up to 100%. Something that is 100% secure is totally unusable and will not fulfil any requirements other than security requirements. Want a secure computer? Turn it off.

Security is cheap
No, security is not cheap. Security always adds inconvenience, it always takes extra work, it always causes extra problems, it always makes things more complex, it is always harder to debug.

Hiding something makes it secure
Also known as Security By Obscurity. Just because something is inconvenient to access doesn't mean it cannot be accessed. This category includes: code obfuscation, jump hosts, locally encrypted data(bases) like DRM (the key is accessible by the same user), obfuscated passwords.

Security of a client application is of importance
A client can run any code. Whether that is the original application, a modification thereof, a hacked version, a custom implementation or something completely different is irrelevant to security. What matters is what you can do over the network protocol. If your protocol is insecure, then security in your client cannot help you.


posted on 2013-08-16 14:34 CEST in Code | 0 comments | permalink