Monday, June 23, 2014

Avant Window Navigator

Solaris 11 offers a package for the cool Avant Window Navigator (AWN).
The version that ships with Solaris 11.1 is 0.3.2.1, the last in its branch.
As such it's stable enough for a Solaris class desktop.

Thanks to IPS it's very easy to install AWN in Solaris.
The package information is as follows:

$ pkg info -r avant-window-navigator
          Name: desktop/avant-window-navigator
       Summary: AWN - fully customizable dock-like navigator
      Category: Applications/Panels and Applets
         State: Installed
     Publisher: solaris
       Version: 0.3.2.1
 Build Release: 5.11
        Branch: 0.175.0.0.0.1.0
Packaging Date: October 12, 2011 02:17:51 PM
          Size: 1.54 MB
          FMRI: pkg://solaris/desktop/avant-window-navigator@...


Once installed I decided to give up the traditional GNOME bottom panel. To compensate I moved just a few applets (Workspace Switcher and Trash) to the top panel. Here's how it looks by now:


Wednesday, June 18, 2014

Seahorse SSH key creation

I've already posted about the troublesome SSH host-based authentication.
Now I'd like to visit the more secure user-key authentication.
What's great about Seahorse is that it's simple.

If lots of keys are to be processed, shell scripts seem inevitable.
That's the case only on special occasions, hence not very often.
When it is the case, get to know what's under the hood.

I assume the following prerequisites have been fulfilled:
   
Start Seahorse through the main GNOME Applications menu (Alt + F1).
Go to Applications | Accessories | Passwords and Encryption Keys.
In the application main window choose File | New or Ctrl + N.
Choose Secure Shell Key and click the Continue button.


Fill in a meaningful Key Description and choose RSA 4096 bits.
The next image is just an example, of course.


Click the Create and Set Up button.
Next, enter a strong passphrase to protect the key.


Provide the target Computer Name, Login Name and Password accordingly:



If successful, the key will be listed on the main Seahorse window:


Verify that everything is working as expected.
Attempt to establish an SSH connection to the target host.

The following desktop modal dialog may appear once for each SSH key listed in My Personal Keys, until one of them completes the authentication or no suitable key is found at all.


jsmith@desktop-1.business.corp:~$ ssh nfs-1.business.corp
Last login: Tue Jun 17 15:09:23 2014 from desktop-1...
Oracle Corporation   SunOS 5.11    11.1    April 2014

jsmith@nfs-1.business.corp:~$ _

That should be all.
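
What Seahorse's "Create and Set Up" does under the hood, as an added example for the scripted case (this is not code from the original post): a 4096-bit RSA key via ssh-keygen, and an idempotent install of the public key into an authorized_keys file. The key strings and paths below are constructed.

```shell
# Added example, not from the original post: the ssh-keygen and authorized_keys
# work that Seahorse's "Create and Set Up" performs, as shell functions for the
# "lots of keys" case. Paths and key material below are constructed.

# Generate a 4096-bit RSA key pair at $1 with comment $2; ssh-keygen prompts
# for the passphrase interactively.
make_key() {
    ssh-keygen -t rsa -b 4096 -C "$2" -f "$1"
}

# Idempotently add one public key line to an authorized_keys file, creating the
# directory and the file with the permissions sshd insists on (700 and 600).
# Keys are compared on type and base64 material only, so the same key carrying
# a different comment is not appended twice. Prints "added" or "present";
# returns 1 when the line does not look like "<type> <base64> [comment]"
# (lines with a leading options field are not handled).
install_pubkey() {
    authkeys="$1"; pubkey="$2"
    set -- $pubkey
    [ $# -ge 2 ] || return 1
    ktype="$1"; kdata="$2"
    dir=$(dirname "$authkeys")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authkeys" && chmod 600 "$authkeys"
    if awk -v t="$ktype" -v d="$kdata" \
           '$1 == t && $2 == d { f = 1 } END { exit f ? 0 : 1 }' "$authkeys"
    then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$authkeys"
        echo added
    fi
}

# Demonstration on a throwaway directory with constructed, non-functional keys.
demo_authkeys="$(mktemp -d)/.ssh/authorized_keys"
key_a='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyA jsmith@desktop-1'
key_a_moved='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyA jsmith@laptop'
key_b='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyB jsmith@desktop-2'
install_pubkey "$demo_authkeys" "$key_a"        # added
install_pubkey "$demo_authkeys" "$key_a_moved"  # present
install_pubkey "$demo_authkeys" "$key_b"        # added
```

Against a real host the second step is `install_pubkey ~/.ssh/authorized_keys "$(cat id_rsa.pub)"` run on the target, which is what Seahorse's Computer Name / Login Name dialog automates.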
 

Host-based authentication

Host-based authentication is pretty well "documented" everywhere.
I suspect this is a clear indication that many are actively using it.
It could be thought of as an evolution of the legacy RSH.
But I consider it also a legacy to be avoided.

Security matters more as the world gets proportionally more dangerous.
And there are security considerations with host-based authentication:
 
  • If the trusted host is compromised, so is everything relying on it;
    (security is hardly perfect, so it's better to layer and segment)
     
  • More SSH code (client and server) is exposed to attack;
    (everybody should know more about bugs and backdoors)
     
  • Client SSH code is made setuid, usually to root;
    (when everybody strives to get rid of root, this goes the wrong way)
     
  • Can allow root or anybody to log in;
    (but who are they, really?)
     
  • Complex and error-prone setup.
    (must I stress how troublesome this is?)
 
Thus, keeping host-based authentication around, especially just because a lazy sysadmin says so, isn't really reasonable for any serious business conscious about security.
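
An added example, not from the original post, of the check a sysadmin would want before believing a server has host-based authentication turned off: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins) and reports the effective setting. The sample configs are constructed.

```shell
# Added example, not from the original post: audit an sshd_config for the
# host-based authentication setting discussed above, the way sshd itself
# reads it: keywords are case-insensitive and the FIRST occurrence of a
# keyword wins, so a hardening "no" appended at the end of the file changes
# nothing. Lines after a "Match" header are conditional and are skipped here.

# Print the effective global value of keyword $2 in file $1, or default $3.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }               # end of global section
        tolower($1) == key { print $2; done = 1; exit }
        END { if (!done) print def }' "$1"
}

# Summarise the host-based posture of one sshd_config on stdout.
# Returns 1 when HostbasedAuthentication is effectively "yes", 0 otherwise.
hostbased_status() {
    hba=$(sshd_option "$1" HostbasedAuthentication no | tr 'A-Z' 'a-z')
    rhosts=$(sshd_option "$1" IgnoreRhosts yes | tr 'A-Z' 'a-z')
    if [ "$hba" = yes ]; then
        echo "enabled (IgnoreRhosts=$rhosts)"
        return 1
    fi
    echo disabled
}

# Constructed samples: a file where the "fix" was appended too late to count,
# and a file whose only "yes" sits inside a Match block.
demo_dir=$(mktemp -d)
cat > "$demo_dir/late_fix" <<'EOF'
Port 22
hostbasedauthentication yes
IgnoreRhosts no
HostbasedAuthentication no
EOF
cat > "$demo_dir/match_only" <<'EOF'
Port 22
Match User backup
    HostbasedAuthentication yes
EOF
echo "late_fix:   $(hostbased_status "$demo_dir/late_fix")"    # enabled (IgnoreRhosts=no)
echo "match_only: $(hostbased_status "$demo_dir/match_only")"  # disabled
```

Where OpenSSH's `sshd -T` is available it dumps the effective configuration directly, Match blocks included; this function is for hosts and audits where that isn't an option.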
 

Tuesday, June 17, 2014

GNOME Keyrings

I suspect that GNOME Keyrings aren't well-known.
They're a sort of cache that avoids retyping passwords and passphrases.

NOTE
By the way, if you get error or warning messages upon logout or shutdown, and find in /var/adm/messages an entry related to gnome-keyring-daemon.desktop, then try to manually create the missing file:

$ touch ~/.gnome2/keyrings/gnome-keyring-daemon.desktop
$ ll ~/.gnome2/keyrings |grep desktop

-rw------- 1 ... 0 ... gnome-keyring-daemon.desktop


My goal here is to reduce the amount of passphrases I have to type.

Configuring the GNOME Keyrings for passphrases isn't difficult at all. After having installed Seahorse I simply go to System | Preferences | Encryption and Keyrings. Then, it suffices to set the options that best suit the needs.


It's possible to specify the default PGP key.
This is set on the Encryption tab:


The preceding info applies to passphrases only.
What is somewhat unexpected is that passwords are managed differently.
Go back to Seahorse through the main GNOME Applications menu (Alt + F1).


GEdit text signing

Besides GEdit text encryption, another useful functionality is text signing.

For instance, if a mail agent doesn't directly support encryption and signing, it's still possible to encrypt and sign messages using GEdit as a manual preprocessor. Naturally the keys will have to be present on both endpoints in order to decrypt and verify the message. But that's not that hard with Seahorse. Of course, if the mail agent provides all the details built-in it will be much easier; nevertheless...

Let me start with a regular text file I wish to sign.
As you know this will allow me to later verify if someone has tampered with it.




I assume the following prerequisites have been fulfilled:

To sign all the text simply choose Edit | Sign on the GEdit main menu.


A small dialog will open asking for a key to use for signing.
After selecting the desired key click the OK button.
(on the figure below I masked my own key)


If the key passphrase isn't cached by a GNOME keyring, it will be prompted before continuing. Note that there's a degree of asynchronism between the GNOME keyring prompt and the text encryption plugin operation in GEdit, so it's advisable to promptly input the passphrase when asked for.
 

If everything goes well GEdit will automatically refresh accordingly:


Note the * in front of the file name on the GEdit editor tab.
In order to confirm the changes the file must be saved.
Of course the file will grow a few more bytes:
  
NOTE
It's important to notice that Nautilus will know nothing about the fact that the file has been signed. From its point of view it's a regular text/plain.

NOTE
As long as the valid key is present on both the endpoints where the message is exchanged, one can freely copy and paste the region:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA-1
...

-----END PGP SIGNATURE-----

NOTE
SHA-1 has been deprecated as vulnerable nowadays.
While the expected SHA-3 isn't available, use SHA-512 instead.
Fear nothing, adjust the GNUPG defaults and regenerate the key.
Use RSA 4096 and SHA-512.

Naturally, to verify the message from within GEdit it's just as easy.
Choose Edit | Decrypt/Verify from the main menu.
The passphrase may be asked accordingly.
    
Upon success the following notification appears:


And that's all.
  

GEdit text encryption

You know: like vim on the shell, GEdit is the default editor in GNOME 2.30.2.
One of the many cool things about GEdit is the Seahorse plugin for text encryption.

I'd like to give an example of how easy it is to use!
And all that is available for the Solaris 11 desktop, of course.

Suppose I have a regular text file whose content I wish to encrypt:




I assume the following prerequisites have been fulfilled:
 
To encrypt all the text simply choose Edit | Encrypt on the GEdit main menu.


This time I won't be signing the message to ensure its integrity.
Arguably a different key could be used for the purpose of signing.
For now I just select the encryption key and click OK:
(on the figure below I've masked my own key)


If the key passphrase isn't cached by a GNOME keyring, it will be prompted before continuing. Note that there's a degree of asynchronism between the GNOME keyring prompt and the text encryption plugin operation in GEdit, so it's advisable to promptly input the passphrase when asked for.


If everything goes well GEdit will automatically refresh accordingly:


Note the * in front of the file name on the GEdit editor tab.
In order to confirm the changes the file must be saved.
Of course the file will grow a few more bytes:


NOTE
It's important to notice that Nautilus will know nothing about the fact that the file has been encrypted. From its point of view it's a regular text/plain.

NOTE
As long as the valid key is present on both the endpoints where the message is exchanged, one can freely copy and paste the region:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (SunOS)

...

-----END PGP MESSAGE-----

NOTE
SHA-1 has been deprecated as vulnerable nowadays.
While the expected SHA-3 isn't available, use SHA-512 instead.
Fear nothing, adjust the GNUPG defaults and regenerate the key.
Use RSA 4096 and SHA-512.

Naturally, to decrypt the message from within GEdit it's just as easy.
Choose Edit | Decrypt/Verify from the main menu.
The passphrase may be asked accordingly.

And that's all.
 

Seahorse PGP key creation

Currently, it's recommended to work with RSA keys only.
It's currently recommended to use 4096 bits and SHA-256 or SHA-512.
Though not certain, this is likely to suffice until SHA-3 becomes available.

In general, DSA keys are to be completely avoided.
Anyway, coincidence or not, DSA seems to be buggy in Seahorse.

Start Seahorse through the main GNOME Applications menu (Alt + F1).
Go to Applications | Accessories | Passwords and Encryption Keys.
In the application main window choose File | New or Ctrl + N.
Choose PGP Key and click the Continue button.


Enter the new key information.
The next image is just an example, of course.


If wondering about the Advanced key options, the defaults are as follows.
But of course, it may be desirable to set an Expiration Date and 4096 bits.


Click the Create button and then enter a strong passphrase to protect the key.


Click the OK button and then wait for a little while...


Finally, the key will appear on the Seahorse main window.
You can verify that on the My Personal Keys tab:


In subsequent posts I shall attempt a few examples of how to use this key.
  

GNUPG defaults

GNUPG stands for GNU Privacy Guard.
For now I'm just interested in adjusting some security defaults.
Whenever possible I'll be relying on Seahorse for the dirty work.
Maybe because I'm lazy or because I don't want details at this moment.

The key adjustment that's highly recommended is the replacement of SHA-1.
Until the advent of SHA-3, it's recommended to use SHA-256 or SHA-512.
As noted here, don't create new RSA keys of less than 4096 bits either.

In Solaris, GNUPG is delivered by the following IPS package:

$ pkg info -r gnupg
          Name: crypto/gnupg
       Summary: GNU Privacy Guard
   Description: ... OpenPGP Standard as defined by RFC4880.
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 2.0.17
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September  4, 2012 05:06:14 PM
          Size: 7.98 MB
          FMRI: pkg://solaris/crypto/gnupg@...


Three fundamental CLI programs are:
  • gpg2 (documented in GPG2(1))
  • gpgconf (documented in GPGCONF(1))
  • gpg-zip (documented in GPG-ZIP(1))
  
The configuration files are "two level" (local and global).
The local settings override the global settings.
By the way, this is quite traditional in Unix.
They are:
  • ~/.gnupg/gpg.conf
  • /etc/gnupg/gpgconf.conf    (doesn't exist by default)

Finally, to achieve what I need, according to The Apache Software Foundation the following adjustments are required to avoid the SHA-1 weakness:

$ tail .gnupg/gpg.conf
...
#
# Setting Defaults
#

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
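
The following added example (not code from the original posts) turns the SHA-1 note from the GEdit signing post and the gpg.conf adjustments above into a check: it audits a gpg.conf for the three settings and reports which digest a clear-signed message actually used, read from its "Hash:" armor header. The file contents are constructed; only the option names shown above are assumed.

```shell
# Added example, not from the original posts: check a gpg.conf for the three
# anti-SHA-1 settings shown above, and read back which digest a clear-signed
# message was really made with (its "Hash:" armor header). Inputs are constructed.

# Print the value of one gpg.conf option (last occurrence), or nothing.
gpgconf_value() {
    awk -v opt="$2" '/^[ \t]*#/ { next }
        $1 == opt { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); v = $0 }
        END { print v }' "$1"
}

# Flag settings that still let SHA-1 be used for the key's own signatures.
# Returns 0 when all three follow the recommendation, 1 otherwise.
gpgconf_audit() {
    rc=0
    for opt in personal-digest-preferences cert-digest-algo; do
        v=$(gpgconf_value "$1" "$opt")
        case "$v" in SHA256|SHA384|SHA512) ;;
            *) echo "$opt: ${v:-unset} (want SHA512)"; rc=1 ;;
        esac
    done
    first=$(gpgconf_value "$1" default-preference-list | awk '{ print $1 }')
    case "$first" in SHA256|SHA384|SHA512) ;;
        *) echo "default-preference-list leads with ${first:-nothing} (want SHA512)"; rc=1 ;;
    esac
    return $rc
}

# Print the digest named in a clear-signed message's Hash header, hyphen removed
# so "SHA-1" and "SHA1" compare equal; RFC 4880 makes a missing header mean MD5.
clearsign_digest() {
    awk '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
         hdr && /^Hash:/ { gsub(/-/, "", $2); print $2; exit }
         hdr && /^$/ { print "MD5 (no Hash header)"; exit }' "$1"
}

# Constructed inputs: a gpg.conf lacking one option and still on SHA1 for another,
# and the head of a message clear-signed with the old SHA-1 default.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gpg.conf" <<'EOF'
cert-digest-algo SHA1
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
cat > "$demo_dir/signed.txt" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
EOF
gpgconf_audit "$demo_dir/gpg.conf" || echo "gpg.conf still needs the adjustments above"
clearsign_digest "$demo_dir/signed.txt"   # prints SHA1
```

Run `gpgconf_audit ~/.gnupg/gpg.conf` on a real setup, and `clearsign_digest` on any file saved after Edit | Sign to confirm the new defaults actually took effect for that key.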
    

Monday, June 16, 2014

Seahorse installation

Seahorse is a GNOME application for managing encryption keys.
That's what the IPS package summary states.

But it's also:
  • A convenience tool for setting up SSH authentication.
  • A convenient way for encrypting and signing files in GEdit and Nautilus.
   
As generally known:
  • Encryption is for privacy;
  • Signing is for integrity.

$ pkg info -r seahorse 
          Name: gnome/security/seahorse
       Summary: ... for managing encryption keys.
      Category: System/Security
         State: Installed
     Publisher: solaris
       Version: 2.30.1
 Build Release: 5.11
        Branch: 0.175.1.0.0.18.0
Packaging Date: June 11, 2012 10:26:25 PM
          Size: 5.80 MB
          FMRI: pkg://...


$ pkg info -r seahorse-plugins
          Name: gnome/security/seahorse/seahorse-plugins
       Summary: Plugins for gedit and nautilus
      Category: System/Security
         State: Installed
     Publisher: solaris
       Version: 2.30.1
 Build Release: 5.11
        Branch: 0.175.1.0.0.20.0
Packaging Date: July  9, 2012 06:34:17 PM
          Size: 2.28 MB
          FMRI: pkg://...


The main application is accessible from the main menu (Alt + F1).
Go to Applications | Accessories | Passwords and Encryption Keys:


The contents of the main window tabs are as follows:
  • My Personal Keys  →  ~/.ssh/authorized_keys
  • Other Keys  →  ~/.ssh/other_keys.seahorse

The GEdit plugin is found at Edit | Preferences | Plugins | Text Encryption.


And is used through the Edit menu:


The Nautilus plugin is automatically enabled.


But in order to take advantage of encryption and signing, keys must be created.
That's where Seahorse comes in handy.
  

Friday, June 13, 2014

Compiz Fusion

Compiz is an amazing extension to the Unix desktop.
There's nothing that comes close in Windows.

I'd like to take note of just a few things that work on my desktop.
Some features don't seem to work, or I may have an issue with my keyboard.
Anyway, my intention is to cover just a few basics that once worked for me.

Desktop workspaces

Multiple desktop workspaces are one of the best goodies of a Unix desktop.
In general I would say that there shouldn't be more than 6 workspaces.
Windows fellows have certainly envied this feature for a very long time.
The Windows graphical subsystem engineering falls short.

I don't intend to visit every aspect of workspaces.
After all most of them should be obviously self-explanatory.
However, there may be a small gotcha:
Setting the number of workspaces with and without Compiz.
Normally, right-clicking on a Solaris 11.1 desktop, which is GNOME version 2.30.2 (a reasonably stable one), doesn't easily offer the option to change the number of workspaces:


When Compiz is active things change.
This is controlled by CompizConfig Settings Manager.
Go to General Options | Desktop Size | Horizontal Virtual Size:


But if none of the above works, there's still the possibility to go to the GNOME Configuration Editor (gconf-editor(1)), which isn't easily accessible through menus or other means. For instance, the GNOME Run Application can be used to launch it.

If Compiz is being used:
Set the hsize at /apps/compiz/general/screen0/options
Otherwise:
Set the num_workspaces at /apps/metacity/general
   

GNOME Run Application

The GNOME Run Application is extremely useful.
Sometimes a shell isn't open but would be required to launch an application.
That's when the tool is very convenient.

Go to Application | Run Application menu item or press Alt + F2.


If Alt + F2 happens not to be working as expected, and if all the defaults are untouched to a quite reasonable extent, then if Compiz is being used check the CompizConfig Settings Manager through the System | Preferences menu. On the General category, mark the Gnome Compatibility checkbox and voilà! It shall work nicely!

Note that this will also fix Alt + F1 which opens the Application menu.
     

GNOME Configuration Editor

The GNOME Configuration Editor is an important tool.
But at the same time it's a dangerous one if not properly used.
It resembles the Windows Registry HKEY_CURRENT_USER.


To make sure that GNOME Configuration Editor is installed:

$ pkg info -r gconf-editor
          Name: gnome/config/gconf/gconf-editor
       Summary: GNOME configuration database editor
      Category: Applications/Configuration and Preferences
         State: Installed
     Publisher: solaris
       Version: 2.30.0
 Build Release: 5.11
        Branch: 0.175.1.0.0.18.0
Packaging Date: June 11, 2012 10:24:12 PM
          Size: 1.52 MB
          FMRI: pkg://solaris/gnome/config/gconf/gconf-editor@...


It won't appear anywhere on the GNOME desktop.
Naturally it can be started from the shell as most applications.
But I prefer to use the GNOME Run Application invoked by Alt + F2.