Bongo's Codeways

LinkedIn now with less salt!

2012-06-07T16:37:36Z

Even the finest sword plunged into salt water will eventually rust. Sun Tzu *

Yesterday, the word of the day at LinkedIn was “Salt” (in the cryptographic sense and not the NaCl sense). Some dodgy fellow made off with at least some of the LinkedIn password database. Those passwords were not stored in cleartext (thank Jupiter) but the hashes weren’t salted. This means tools like John The Ripper can be used to find the original password and that is exactly what happened.

If you are a software developer and you work on public facing web sites, here is the LinkedIn lesson:

Always use salt with your password hashing scheme
Use slow hashing functions like bcrypt or scrypt rather than faster hashing functions like MD5, SHA, etc.

* Note on epigram: Security nerds love to quote Sun Tzu and this was the only Sun Tzu quote I could find that had some salt in it.

Install secure Webmin 1.580 on Ubuntu 12.04 LTS Precise Pangolin

2012-04-29T21:43:08Z

Installing Webmin on Ubuntu 12.04 LTS Precise Pangolin is quite simple. This article will walk you through the complete installation of Webmin 1.580 including the upgrading of the self-signed certificate to a 2048-bit key (a 512-bit key is the default).

This is my system:

$ uname -a
Linux brasenose 3.2.0-24-generic-pae #37-Ubuntu SMP Wed Apr 25 10:47:59 UTC 2012 i686 i686 i386 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 12.04 LTS
Release:	12.04
Codename:	precise
$ openssl version
OpenSSL 1.0.1 14 Mar 2012

That last check is pretty important. If you don’t have OpenSSL installed you are not going to be able to run Webmin over TLS so make sure it is installed.

My demonstration system is a minimal system with only a SSH Server installed and a static IP set-up.

Install Webmin

Things have come a long way in the Webmin world and some cranky old Perl dependencies have now been flushed from the code. Unfortunately, there is no specialized Ubuntu version, so aficionados need to install the Debian version and make manual changes. Fortunately, installing the Debian package is simple. First we need to add the official Webmin repository to our list of software packages:

$ sudo vi /etc/apt/sources.list

Add the following line to the bottom of the file:

64	deb http://download.webmin.com/download/repository sarge contrib

This adds the Webmin Debian repository to your package list. Wondering why the repo release code name is ‘Sarge’? My guess is that it simply never got changed once Debian moved on to Etch in 2007 because it works fine. Sarge was an ancient Debian release from the late pleistocene and it hasn’t been ’round these parts for many moons.

Now we need to add Webmin author Jamie Cameron’s public key to our keyring. Do this from your home directory:

$ cd ~
$ wget http://www.webmin.com/jcameron-key.asc
--2012-04-29 01:34:19--  http://www.webmin.com/jcameron-key.asc
Resolving www.webmin.com (www.webmin.com)... 216.34.181.97
Connecting to www.webmin.com (www.webmin.com)|216.34.181.97|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1320 (1.3K) [text/plain]
Saving to: `jcameron-key.asc'

100%[======================================>] 1,320       --.-K/s   in 0s      

2012-04-29 01:34:19 (41.4 MB/s) - `jcameron-key.asc' saved [1320/1320]
$ sudo apt-key add ~/jcameron-key.asc
[sudo] password for kelvin: 
OK

Now we can install Webmin from the repo we added:

$ sudo apt-get update
...
Fetched 12.6 MB in 37s (333 kB/s)                                              
Reading package lists... Done
$ sudo apt-get install webmin
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl
  libnet-ssleay-perl
The following NEW packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl
  libnet-ssleay-perl webmin
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 16.1 MB of archives.
After this operation, 100 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://download.webmin.com/download/repository/ sarge/contrib webmin all 1.580 [15.8 MB]
Get:2 http://ca.archive.ubuntu.com/ubuntu/ precise/main libnet-ssleay-perl i386 1.42-1build1 [184 kB]
...
Setting up libnet-ssleay-perl (1.42-1build1) ...
Setting up libauthen-pam-perl (0.16-2build2) ...
Setting up libio-pty-perl (1:1.08-1build2) ...
Setting up libapt-pkg-perl (0.1.25build2) ...
Setting up apt-show-versions (0.17) ...
** initializing cache. This may take a while **
Setting up webmin (1.580) ...
Webmin install complete. You can now login to https://brasenose:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.

Webmin now is running on port 10000 but you can inspect the TLS properties and see that it is using a 512-bit key. Your browser may warn you of the weak default cryptographic key. That sort of thing is fine if you’re living in North Korea, but we need to upgrade it to use a 2048-bit key like all the cool kids.

The username and password for Webmin is the same as any user that has sudo rights on the system. My username is therefore ‘kelvin’ and my password is ‘PASSWORD’. LOL. No, I’m not going to tell you my password…

Upgrade the self-signed SSL Certificate

Upgrading the Webmin certificate reduces TLS warnings

OpenSSL will be used to generate the needed keys and certificates. We are going to make a self-signed certificate which means that it will raise warnings, scary red flags, a Cthulhu and whoknowswhatelse in most browsers. So if this system will be used by easily frightened system admins (most are) then you might want to get a properly signed certificate from a Certificate Authority instead. Having said that (and alienated most of my readership) let’s get on with it.

The self-signed certificate will be valid for 1825 days or 5 years which is also how long your OS will be maintained by Canonical. Simply change the value after the ‘days’ attribute in the command to meet your needs.

Use OpenSSL to make a private key and a self-signed certificate in one badass command:

$ cd /etc/webmin
$ sudo openssl req -newkey rsa:2048 -days 1825 -nodes -x509 -keyout server.key -out server.crt
[sudo] password for kelvin: 
Generating a 2048 bit RSA private key
.............................................................................................+++
.........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Victoria
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kelvin Wong Heavy Industries S.p.A.
Organizational Unit Name (eg, section) []:Network Operations
Common Name (e.g. server FQDN or YOUR name) []:brasenose.kelvinwong.ca
Email Address []:postmaster@kelvinwong.ca

Okay, so how cool was that? Now you have to make your artifacts usable and safe. First, concatenate the private key and the certificate into a single PEM file that Webmin can understand (tee used for piping because I’m cool and I can read Wikipedia). Second, set the correct permissions and file ownership.


$ pwd
/etc/webmin
$ cat server.crt server.key | sudo tee server.pem > /dev/null
$ sudo chmod 600 server.pem server.key server.crt
$ sudo chown root:bin server.pem server.key server.crt
$ ls -l server.*
-rw------- 1 root bin 1610 Apr 29 13:33 server.crt
-rw------- 1 root bin 1704 Apr 29 13:33 server.key
-rw------- 1 root bin 3314 Apr 29 13:45 server.pem

Now you need to tell Webmin to use your new upgraded certificate.

$ sudo vi /etc/webmin/miniserv.conf

Change the certificate name:

26	keyfile=/etc/webmin/server.pem

Then restart Webmin:

$ sudo invoke-rc.d webmin restart
Stopping Webmin server in /usr/share/webmin
Starting Webmin server in /usr/share/webmin
Pre-loaded WebminCore

Your Webmin installation is now totally badass like a Honey Badger.

Success upgrading Webmin TLS to 2048-bit key

Question: What changes do you make to your Webmin configuration so that it runs well on Ubuntu?

Github says: Please audit your SSH keys

2012-03-07T19:28:30Z

I got the following from Github after their benign hacker incident:

Please audit your SSH keys
On Sunday March 4, 2012 a security vulnerability related to SSH keys (public keys) was discovered. For your protection and to prevent unauthorized access we have disabled your public keys until you approve them.

They want me to audit my SSH keys (a simple process). First, find your public key that you use on GitHub (probably in your .ssh directory if you are using a Mac). Then get its fingerprint. Here’s how you do that on a Mac:

Trinity:~ kelvin$ ls -l .ssh/id_rsa*
-rw-------  1 kelvin  staff  1743 Sep 11  2009 .ssh/id_rsa
-rw-r--r--  1 kelvin  staff   400 Sep 11  2009 .ssh/id_rsa.pub
Trinity:~ kelvin$ ssh-keygen -lf .ssh/id_rsa
2048 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX .ssh/id_rsa.pub (RSA)
Trinity:~ kelvin$

Using ssh-keygen you can get the fingerprint from your private key filename (it will look for your public key for you). That long list of “XX:XX” things will be a hexadecimal number that matches the key fingerprint at the bottom of the GitHub SSH audit page. If it doesn’t match then either Egor hacked you or you might have used a different key (keep looking!).

HMCS Corner Brook rechristened HMCS Smiley

2012-02-14T05:25:17Z

Offered without comment. Original here.

Install webby Postgres 8.4 on CentOS 6.2

2012-02-09T19:49:31Z

At the end of this walkthrough you will have the PostgreSQL 8.4 database installed on CentOS 6.2 ready for use with your web projects. Postgres 8.4 is not the latest version, but it is stable and good enough for web development purposes. This set-up is “webby” in the sense that the it should be familiar to web developers.

Prerequisites

You need to be familiar with basic Linux system administration including editing configuration files with text-editors like vi or emacs.

This is our system. It is a basic CentOS 6.2 installation with a static IP:

$ uname -a
Linux schettino.kelvinwong.ca 2.6.32-220.4.1.el6.i686 #1 SMP Mon Jan 23 22:37:12 GMT 2012 i686 i686 i386 GNU/Linux
$ cat /etc/redhat-release
CentOS release 6.2 (Final)

Install Postgres

Installation of Postgres with yum is simple:

[kelvin@schettino ~]$ sudo yum install postgresql-server
[sudo] password for kelvin: 
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: mirror.its.sfu.ca
 * extras: mirror.its.sfu.ca
 * updates: mirror.its.sfu.ca
base                                                     | 3.7 kB     00:00     
extras                                                   | 3.5 kB     00:00     
updates                                                  | 3.5 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package postgresql-server.i686 0:8.4.9-1.el6_1.1 will be installed
--> Processing Dependency: postgresql-libs(x86-32) = 8.4.9-1.el6_1.1 for package: postgresql-server-8.4.9-1.el6_1.1.i686
--> Processing Dependency: postgresql(x86-32) = 8.4.9-1.el6_1.1 for package: postgresql-server-8.4.9-1.el6_1.1.i686
--> Processing Dependency: libpq.so.5 for package: postgresql-server-8.4.9-1.el6_1.1.i686
--> Running transaction check
---> Package postgresql.i686 0:8.4.9-1.el6_1.1 will be installed
---> Package postgresql-libs.i686 0:8.4.9-1.el6_1.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch        Version                 Repository   Size
================================================================================
Installing:
 postgresql-server        i686        8.4.9-1.el6_1.1         base        3.3 M
Installing for dependencies:
 postgresql               i686        8.4.9-1.el6_1.1         base        2.7 M
 postgresql-libs          i686        8.4.9-1.el6_1.1         base        201 k

Transaction Summary
================================================================================
Install       3 Package(s)

Total download size: 6.2 M
Installed size: 28 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 6.2 M
(1/3): postgresql-8.4.9-1.el6_1.1.i686.rpm               | 2.7 MB     00:01     
(2/3): postgresql-libs-8.4.9-1.el6_1.1.i686.rpm          | 201 kB     00:00     
(3/3): postgresql-server-8.4.9-1.el6_1.1.i686.rpm        | 3.3 MB     00:01     
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 6.2 MB     00:04     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : postgresql-libs-8.4.9-1.el6_1.1.i686                         1/3 
  Installing : postgresql-8.4.9-1.el6_1.1.i686                              2/3 
  Installing : postgresql-server-8.4.9-1.el6_1.1.i686                       3/3 

Installed:
  postgresql-server.i686 0:8.4.9-1.el6_1.1                                      

Dependency Installed:
  postgresql.i686 0:8.4.9-1.el6_1.1    postgresql-libs.i686 0:8.4.9-1.el6_1.1   

Complete!
[kelvin@schettino ~]$

The server is installed along with the required client programs.

Configure Postgres – Initialize and start service

After installing Postgres you will need to initialize the database (once only):

[kelvin@schettino ~]$ sudo service postgresql initdb
Initializing database:                                     [  OK  ]

Set the server to restart on reboots and start the postmaster service:

[kelvin@schettino ~]$ sudo chkconfig postgresql on
[sudo] password for kelvin: 
[kelvin@schettino ~]$ sudo service postgresql start
Starting postgresql service:                               [  OK  ]

Configure Postgres – Set superuser password

Now let’s set a password for the superuser (the postgres user) using the PostgreSQL interactive terminal. Jump into the postgres user by using su (with the dash to get a login shell):

[kelvin@schettino ~]$ su -
Password: 
[root@schettino ~]# su - postgres
-bash-4.1$ psql
psql (8.4.9)
Type "help" for help.

postgres=# \password postgres
Enter new password: 
Enter it again:
postgres=# \q
-bash-4.1$

Configure Postgres – Activate password authentication

By default, the server uses ident as defined in the “PostgreSQL Client Authentication Configuration File”. If you open up pg_hba.conf you can see this default configuration:

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
 
# "local" is for Unix domain socket connections only
local   all         all                               ident
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident
# IPv6 local connections:
host    all         all         ::1/128               ident

Ident is a mapping of local system users (see /etc/passwd for list of system users) to Postgres users. I have never found this authentication method useful for any of the web development work that I have done. I always change it to “md5″ which allows you to create arbitrary users and passwords. Let’s change the server’s client configuration file (I assume you are still using the postgres user shell):

-bash-4.1$ whoami
postgres
-bash-4.1$ vim /var/lib/pgsql/data/pg_hba.conf

Change the “ident” methods to “md5″ methods at the bottom of the pg_hba.conf file:

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
 
# "local" is for Unix domain socket connections only
local   all         all                               md5
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
host    all         all         ::1/128               md5
# If you don't want to open Postgres to the Internet
# don't enable this line
host    all         all         0.0.0.0/0             md5

By default, Postgres binds only to localhost and you will need to explicitly tell it to bind to your machine’s IP address. The setting is in postgres.conf. If you don’t need remote access you can skip this.

-bash-4.1$ vim /var/lib/pgsql/data/postgresql.conf

Change the listen_addresses setting to an asterisk to listen to all available IP addresses:

# - Connection Settings -
 
listen_addresses = '*'
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost', '*' = all
                                        # (change requires restart)

Restart your postgres server (exit postgres user into the root shell):

-bash-4.1$ exit
logout
[root@schettino ~]# service postgresql restart
Stopping postgresql service:                               [  OK  ]
Starting postgresql service:                               [  OK  ]
[root@schettino ~]#

Open Firewall (optional)

If you want remote access to the server on Postgres port 5432 you will have to open a port on the firewall. If you still are the root user, type the following:

[root@schettino ~]# whoami
root
[root@schettino ~]# vim /etc/sysconfig/iptables

You can just copy the SSH port rule in iptables and modify the port number from 22 to 5432. Add the following rule just below the SSH port rule and above the rejection rule for the INPUT chain:

10	-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT

When changed, it should look like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reload the rules:

[root@schettino ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@schettino ~]# exit
logout
[kelvin@schettino ~]$

Try it out with pgbench (optional)

To demonstrate the basic use of your new Postgres server, you can try out pgbench which is in the postgresql-contrib RPM. Let’s install it, create a new user, create a new database and run pgbench against it:

[kelvin@schettino ~]$ sudo yum install postgresql-contrib
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: mirror.its.sfu.ca
 * extras: mirror.its.sfu.ca
 * updates: mirror.its.sfu.ca
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package postgresql-contrib.i686 0:8.4.9-1.el6_1.1 will be installed
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.18) for package: postgresql-contrib-8.4.9-1.el6_1.1.i686
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.11) for package: postgresql-contrib-8.4.9-1.el6_1.1.i686
--> Processing Dependency: libxslt.so.1 for package: postgresql-contrib-8.4.9-1.el6_1.1.i686
--> Processing Dependency: libossp-uuid.so.16 for package: postgresql-contrib-8.4.9-1.el6_1.1.i686
--> Running transaction check
---> Package libxslt.i686 0:1.1.26-2.el6 will be installed
---> Package uuid.i686 0:1.6.1-10.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                   Arch        Version                Repository   Size
================================================================================
Installing:
 postgresql-contrib        i686        8.4.9-1.el6_1.1        base        346 k
Installing for dependencies:
 libxslt                   i686        1.1.26-2.el6           base        448 k
 uuid                      i686        1.6.1-10.el6           base         54 k

Transaction Summary
================================================================================
Install       3 Package(s)

Total download size: 848 k
Installed size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 848 k
(1/3): libxslt-1.1.26-2.el6.i686.rpm                     | 448 kB     00:00     
(2/3): postgresql-contrib-8.4.9-1.el6_1.1.i686.rpm       | 346 kB     00:00     
(3/3): uuid-1.6.1-10.el6.i686.rpm                        |  54 kB     00:00     
--------------------------------------------------------------------------------
Total                                           520 kB/s | 848 kB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : uuid-1.6.1-10.el6.i686                                       1/3 
  Installing : libxslt-1.1.26-2.el6.i686                                    2/3 
  Installing : postgresql-contrib-8.4.9-1.el6_1.1.i686                      3/3 

Installed:
  postgresql-contrib.i686 0:8.4.9-1.el6_1.1                                     

Dependency Installed:
  libxslt.i686 0:1.1.26-2.el6              uuid.i686 0:1.6.1-10.el6             

Complete!
[kelvin@schettino ~]$ which pgbench
/usr/bin/pgbench

Create a new Postgres user by using the createuser wrapper (the P switch allows you to set a password for your new user):

[kelvin@schettino ~]$ su -
Password: 
[root@schettino ~]# su - postgres
-bash-4.1$ createuser -P francesco
Enter password for new role: [password for user francesco]
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
Password: [password for postgres]
-bash-4.1$

Make a new database named “winnings” and change the owner to “francesco”:

-bash-4.1$ createdb -O francesco winnings
Password: [password for postgres]
-bash-4.1$

Now we can fill it up with pgbench:

-bash-4.1$ pgbench -i -U francesco winnings
Password: [password for user francesco]
NOTICE:  table "pgbench_branches" does not exist, skipping
NOTICE:  table "pgbench_tellers" does not exist, skipping
NOTICE:  table "pgbench_accounts" does not exist, skipping
NOTICE:  table "pgbench_history" does not exist, skipping
creating tables...
10000 tuples done.
20000 tuples done.
30000 tuples done.
40000 tuples done.
50000 tuples done.
60000 tuples done.
70000 tuples done.
80000 tuples done.
90000 tuples done.
100000 tuples done.
set primary key...
NOTICE:  ALTER TABLE / ADD PRIMARY KEY will create implicit index "pgbench_branches_pkey" for table "pgbench_branches"
NOTICE:  ALTER TABLE / ADD PRIMARY KEY will create implicit index "pgbench_tellers_pkey" for table "pgbench_tellers"
NOTICE:  ALTER TABLE / ADD PRIMARY KEY will create implicit index "pgbench_accounts_pkey" for table "pgbench_accounts"
vacuum...done.
-bash-4.1$ pgbench -c 4 -S -t 2000 -U francesco winnings
Password: [password for user francesco]
starting vacuum...end.
transaction type: SELECT only
scaling factor: 1
query mode: simple
number of clients: 4
number of transactions per client: 2000
number of transactions actually processed: 8000/8000
tps = 4836.016718 (including connections establishing)
tps = 5052.773057 (excluding connections establishing)
-bash-4.1$ pgbench -c 4 -t 2000 -U francesco winnings
Password: [password for user francesco]
starting vacuum...end.
transaction type: TPC-B (sort of)
scaling factor: 1
query mode: simple
number of clients: 4
number of transactions per client: 2000
number of transactions actually processed: 8000/8000
tps = 237.345234 (including connections establishing)
tps = 237.889294 (excluding connections establishing)
-bash-4.1$

You can clean up the database by dropping the “winnings” database and dropping “francesco”:

-bash-4.1$ dropdb winnings
Password: [password for postgres]
-bash-4.1$ dropuser francesco
Password: [password for postgres]
-bash-4.1$

Enjoy your webby Postgres!

Caveat! If you have an Apache/PHP5 server that wants to talk to your Postgres, you will have to set the appropriate SELinux boolean to allow the communication: setsebool -P httpd_can_network_connect_db 1