2015/10/11

stunnel

Various programs have an HTTP interface, for example, transmission-daemon (a BitTorrent program). These interfaces can be served outside the LAN, but the downside is that they have no secure (i.e. encrypted) connection.

Adding SSL to it makes the connection encrypted. stunnel is a daemon that tunnels connections with SSL encryption.

Dependencies

Two programs are needed to achieve this. The first is stunnel and the second is openssl.

openssl

This program creates SSL certificates.

To generate a certificate, run:

$ openssl req -new -out stunnel_cert.pem -keyout stunnel.pem -nodes -x509 -days 365

This will create a certificate in the file stunnel_cert.pem and a new private key in stunnel.pem. To generate a certificate from an existing key old_key.pem:

$ openssl req -new -out stunnel_cert.pem -key old_key.pem -nodes -x509 -days 365

stunnel

The following configuration is an example:

client = no

[name_of_config]
cert = stunnel_cert.pem
key = stunnel.pem
accept = host_1:80
connect = host_2:81

The first line says that this configuration is for a server.

The text between the []'s is the name of the forwarding configuration. Multiple configurations may reside here.

Then the path to the certificate file (generated with openssl) is specified. The key line points to the private key, which the openssl command above wrote to a separate file; without it, stunnel looks for the key inside the certificate file. In this case, the configuration file, certificate file and key file are in the same directory.

The accept field is where stunnel will listen for connections. It is the "secure" connection port outside users will see. You can specify host_1 to tell stunnel to accept only connections for this host.

connect is where stunnel will forward the connections arriving on the port specified in the accept field. It can be the localhost or another host.

Running stunnel

To run stunnel, just type:

$ stunnel config_file

Root privileges are needed for some ports (lower range).

You should add that line to local.rc so that stunnel runs on startup.
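As an added example (not from the original post or the stunnel project), the script below checks a server config like the one above before the daemon is started: that a private key can be found (stunnel reads it from the cert file unless a key option names another file), that the key file, which -nodes leaves unencrypted, is not accessible to group or others, and whether the accept port needs root. The helper names, the single-section assumption and the placeholder PEM files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a stunnel server config with a single
# service section. Helper names are hypothetical, not stunnel tools.

# Print the value of "option = value" (last occurrence) from config file $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; exit status 1 if any finding is an ERROR.
lint_stunnel_conf() (
    cd "$(dirname "$1")" || exit 1   # assumption: paths are relative to the config
    conf=$(basename "$1"); rc=0
    cert=$(conf_get "$conf" cert)
    key=$(conf_get "$conf" key)
    [ -n "$key" ] || key=$cert       # without "key =", stunnel reads the key from cert
    [ -f "$cert" ] || { echo "ERROR: cert file '$cert' not found"; rc=1; }
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo "ERROR: no private key in '$key'; set key = <key file>"; rc=1
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "ERROR: '$key' is accessible to group/others; chmod 600 it"; rc=1
    fi
    port=$(conf_get "$conf" accept | sed 's/.*://')
    case $port in
        ''|*[!0-9]*) echo "ERROR: accept has no numeric port"; rc=1 ;;
        *) [ "$port" -ge 1024 ] || echo "NOTE: port $port is below 1024, root is needed to bind it" ;;
    esac
    exit "$rc"
)

# Constructed sample in directory $1: a config with cert but no key option,
# plus placeholder PEM files (header lines only, no real key material).
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$1/stunnel_cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$1/stunnel.pem"
    chmod 600 "$1/stunnel.pem"
    cat > "$1/stunnel.conf" <<'EOF'
client = no

[name_of_config]
cert = stunnel_cert.pem
accept = host_1:80
connect = host_2:81
EOF
}

# Lint the config given on the command line, if any.
[ $# -eq 0 ] || lint_stunnel_conf "$1"
```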

Revision History

Post built on: 2015-11-02 14:39:36
Last modified on: 2015-11-02 14:39:31
First published on: 2015-10-11

Revision Date Description
1.00 2015-10-11 Initial version. Published

Synergy Configuration

Synergy is a program that allows two hosts to share the keyboard and mouse of the "server host" in X11.

Configuration

The following is an example config file, where server is called serverhost and the client is called clienthost. The serverhost screen will be on left of clienthost. Screensaver is synchronized on both screens.

section: options
    screenSaverSync = true
end
section: screens
    serverhost:
    clienthost:
end
section: links
    clienthost:
        left = serverhost
    serverhost:
        right = clienthost
end

Sharing keyboard and mouse

The server side must be initiated with

$ synergys -c config_file

Then, on the client, run synergyc, specifying the server host:

$ synergyc serverhost

Firewall

The default port of Synergy is 24800. This port needs to be open on the server host's firewall.

Revision History

Post built on: 2015-11-02 14:41:37
Last modified on: 2015-11-02 14:41:33
First published on: 2015-10-11

Revision Date Description
1.00 2015-10-11 Initial version. Published

2015/09/10

Changing dash to bash

The default shell for Ubuntu is dash. To change it to bash, the command update-alternatives could be used. The system used to create this tutorial is Ubuntu Studio 14.04.3.

Current Alternatives for sh

Check the current alternatives for sh with the command:

# update-alternatives --config sh
update-alternatives: error: no alternatives for sh

The message shows that there are no alternatives for sh. If bash is already installed as an alternative, jump to Configure the Alternatives.

Install bash as an Alternative

To install bash as an alternative for sh:

# update-alternatives --install /bin/sh sh /bin/bash 100
update-alternatives: using /bin/bash to provide /bin/sh (sh) in auto mode

Where /bin/sh is the symbolic name of the alternative, sh is the alternative name, /bin/bash is the path to bash and 100 is the priority of this alternative.

As there were no alternatives for sh before, just installing bash will make it the default alternative. Just to illustrate the example, to install dash:

$ sudo update-alternatives --install /bin/sh sh /bin/dash 50
update-alternatives: using /bin/dash to provide /bin/sh (sh) in auto mode

Now, both bash and dash are installed as alternatives for sh. bash is the one selected in auto mode, because it has the higher priority.

Configure the Alternatives

To manually configure an alternative, use the --config parameter for update-alternatives:

# update-alternatives --config sh
There are 2 choices for the alternative sh (providing /bin/sh).

  Selection    Path            Priority   Status
------------------------------------------------------------
* 0            /bin/bash        100       auto mode
  1            /bin/bash        100       manual mode
  2            /bin/dash        50        manual mode

Press enter to keep the current choice[*], or type selection number:

And to change the priority of an alternative, just use the --install parameter as described above.

Revision History

Post built on: 2015-09-10 22:29:15
Last modified on: 2015-09-10 22:29:09
First published on: 2015-09-10

Revision Date Description
1.00 2015-09-10 Initial version. Published

Installing CyanogenMod on Moto G XT1033

I wrote this tutorial a long time ago, but it was never published. I do not even use a Moto G anymore. This tutorial is here now for historical reasons, but it should work on newer versions of CyanogenMod and maybe (with the correct firmware, recovery etc.) with newer versions of the Moto G.

I installed CyanogenMod 11 on a Motorola Moto G XT1033 device. I followed the instructions on the CyanogenMod page for Moto G.

Everything was fine. But, later, I tried to install Google Apps, with partial success (partial because it was installed, but the phone was unusable). The problem was that, after each reboot, the message Unfortunately the process com.android.systemui has stopped (or something like that) appeared. Then the GUI would stop and come back, then the same message would show up again and again.

The problem turned out to be in CyanogenMod, not in Google Apps as I suspected. I wrote this tutorial because I could install Google Apps and the problem did not appear until I rebooted the device (to write this tutorial) and the problem showed up again.

So, I installed the nightly build for CyanogenMod 12 (from January 27, 2014) and everything is OK (until now).

WARNING: this will void your warranty according to the device manufacturer.

This guide will show the steps I took to install CyanogenMod and Google Apps on a Moto G. Following the "official" tutorial will work. I am publishing my own tutorial because I thought the official was missing some steps. But, when I realized the problem was with the CyanogenMod build, the tutorial was almost done.

Setting Up the Computer

Android SDK must be installed on a computer. fastboot and adb will be used.

The system used was Slackware. The compressed tarball for the standalone SDK tools was downloaded and uncompressed, and the PATH variable of the system was set to include the Android SDK tools.

Backing Up

Backing up data before doing anything that is somewhat dangerous is always a good idea. The steps of this tutorial will wipe the data on the device. Back up the data!

Starting ADB Server

ADB must have the server running in order to communicate with devices.

# adb start-server

Run this command every time the server is down, otherwise ADB will not be able to communicate with the device.

Unlocking the Device

In order to install a new firmware, the device must be unlocked. A code is sent to Motorola, then an unlock code is sent back by e-mail. The process is fast.

Getting the phone code

Enable USB debugging on the phone (in developer options). If there are no developer options, go to phone settings -> about phone. Click like ten times or more on the Build number field, until a message shows up saying you are now a developer.

Connect the phone with a USB cable and reboot the phone into the bootloader:

$ adb reboot bootloader

Then to get the phone code (maybe there is no need to run the command as root, but it did not work as a normal user):

# fastboot oem get_unlock_data

WARNING: this will void your warranty according to the device manufacturer.

Go to Motorola Bootloader Unlock. You must login with either a Motorola ID or with a Google+ account. Enter the code from the last command, agree with the terms of license agreement and the unlock code will be provided by e-mail.

The instructions on how to unlock the phone with the provided code will be on the e-mail too. With the phone on bootloader:

$ fastboot oem unlock unlock_code

The device is now unlocked.

Flashing New Recovery

Download ClockworkMod Recovery.

Connect the USB cable and enable USB debugging.

Reboot the device into bootloader

$ adb reboot bootloader

Then flash the image:

# fastboot flash recovery your_recovery_image.img 

As stated on CyanogenMod page:

Note: Some ROMs overwrite recovery at boot time so if you do not plan to immediately boot into recovery to install CyanogenMod, please be aware that this may overwrite your custom recovery with the stock one.

Installing CyanogenMod and Google Apps

Download CyanogenMod zip and Google Apps zip.

Enable the USB debugging and:

$ adb reboot recovery

It was not possible to create a backup of the current system. It was giving errors.

To wipe the current install, select wipe data/factory reset on device's recovery menu.

Then send the CyanogenMod zip and Google Apps zip with the following commands:

$ adb push cyanogen_img.zip /sdcard/
$ adb push google_apps.zip /sdcard/

Then select install zip/choose zip from sdcard. Install Cyanogen Mod and Google Apps.

The Problem

Rebooting the equipment was causing the problem stated at the beginning. Formatting the /data and /cache partitions solved the problem. Options to format them are under mounts and storage in the recovery main menu.

Final Considerations

If anything is wrong, try those steps again.

If you can boot the equipment into the bootloader, or the system hangs, the situation is not irreversible.

To force device reboot, press Vol Down and Power for ten seconds, then release.

To open the bootloader, turn off the device and power it up pressing Vol Down and Power.

Revision History

Post built on: 2015-09-10 22:36:55
Last modified on: 2015-09-10 22:36:49
First published on: 2015-09-10

Revision Date Description
1.00 2015-01-27 Initial version.
1.01 2015-09-10 Minor Corrections. Published.
1.02 2015-09-10 Adding correct code tags.

2014/08/25

GnuPG Encryption and Signature Reference Guide

This little reference guide has examples that allow encryption/decryption and signature generation/verification with GnuPG.

Encryption

  • To encrypt a file:

    $ gpg --encrypt file.txt

    and the encrypted content of file.txt will be in the output file file.txt.gpg.

  • ASCII armored encryption:

    $ gpg --armor --encrypt file.txt

    file.txt.asc will contain the ASCII armored encrypted file.txt.

  • To specify a recipient:

    $ gpg --recipient rec --encrypt file.txt

  • To specify the output file name:

    $ gpg --output fileout.gpg --encrypt file.txt

    Instead of the default file.txt.gpg, output to fileout.gpg.

  • To decrypt a file:

    $ gpg --decrypt file.asc

Signatures

  • To create a detached signature:

    $ gpg --detach-sign myfile.txt

    myfile.txt.sig will be created with the binary signature.

  • To create a detached signature ASCII armored:

    $ gpg --armor --detach-sign myfile.txt

    myfile.txt.asc will be created with the ASCII armored signature.

  • To create an attached signature:

    $ gpg --clearsign myfile.txt

    myfile.txt.asc will be created with both the message and the signature.

  • To verify a signature:

    $ gpg --verify [sig.asc] myfile.txt

    Verifies the signature in the optional parameter sig.asc against myfile.txt.

Revision History

Post built on: 2014-08-25 22:13:30
Last modified on: 2014-08-25 22:13:06
First published on: 2014-08-25

Revision Date Description
1.00 2014-08-25 Initial Version. Published.

2014/03/12

Creating PGP Key With Subkeys

Digitally signing and encrypting documents is not the subject of this post. It discusses why and how subkeys should be used.

Subkeys

By default, when you create a new public/secret key pair you create, actually, two key pairs:

  • a master key used for signing documents and other keys and
  • a subkey for encryption.

After that, subkeys can be added for encryption or signing.

The point of creating another subkey for signing is that you should keep your master key really safe, as it is the one that "proves" your identity. If any of your subkeys is compromised, you can revoke it and create a new subkey on the same master key, without losing all your web of trust as would happen if your master key were compromised. There is no limit on how many subkeys can be created, or on how many expired or revoked subkeys a master key can have.

How To

Initial Setup

Put these configurations into ~/.gnupg/gpg.conf

fixed-list-mode
keyid-format 0xlong
with-fingerprint
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512

This will ensure that your key will be generated using stronger preferences.

Generate Master Key

If you do not already have a master key pair, create one:

$ gpg --gen-key

Generate Subkeys

Then, use the --edit-key to add more keys:

$ gpg --edit-key mykeyid
     ... some output and require your key password
gpg > addkey

It will prompt for the kind of key you want. Only new RSA signing subkeys were added, with a key size of 4096 and valid for a year, two in total: one for the laptop and another for the Android phone. New encryption subkeys were not created for each device because, that way, there would be no way of decrypting everything everywhere (and people would not know which key to use when encrypting things for me; that is why more than one encryption key does not make much sense).

Setting Expiration Dates

It is reasonable to set expiration dates for the keys. If the password is forgotten or the key is lost some other way, people will notice the key is no longer valid.

If it was not set on subkey creation, this is how to set expiration date:

Use gpg --edit-key command.

Select the keys with key key_index where the key_index is based on the list from edit-key output. Then use the command expire. You will be prompted for the valid period of the key. Save modifications with save.

For example, to modify key 1 expiration date:

$ gpg --edit-key keyid
...
gpg > key 1
...
gpg > expire
 ... set the date for expiration
gpg > save

Export All Secret Keys

All secret keys will be exported to mysecretkeys file, ASCII armored, with this command:

$ gpg --armor --export-secret-keys masterkeyid > mysecretkeys

Exporting Only Secret Subkeys

To export only secret subkeys:

$ gpg --armor --export-secret-subkeys masterkeyid > mysecretsubkeys

And to export only some secret subkeys:

$ gpg --armor --export-secret-subkeys subkeyid1! ... subkeyid2! > partialsecretsubkeys

The exclamation marks (!) are mandatory.

Deleting Unwanted Subkeys

After exporting secret keys, delete subkeys that are not supposed to be on the device. Use gpg --edit-key command.

Once in edit-key mode, use key key_index to select the keys to be deleted. Once all keys that will be removed are selected, use the delkey command.

Creating Revocation Certificates

Revocation certificates are supposed to be used when your key is compromised, and will invalidate the key.

To create a revocation certificate:

$ gpg --gen-revoke keyid > revocationcertificate

Importing Subkeys On Another Host

To import a key, or only subkeys, on another host is as simple as:

$ gpg --import mykeys

where mykeys is the file where the keys were exported.
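After importing on a device, the points made under Setting Expiration Dates and Deleting Unwanted Subkeys can be checked from the machine-readable listing. The script below is an added example, not part of the original post or of GnuPG: it reads `gpg --list-secret-keys --with-colons` output and reports which secret parts are on the device and when they expire. It assumes the GnuPG 2.1+ colon format (field 5 key ID, field 7 expiry in epoch seconds, field 12 capabilities, field 15 set to "#" for a stub); the helper names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: audit which secret keys a device holds and when they expire.
# Field numbers follow the GnuPG 2.1+ --with-colons format (assumption).
# audit_secret_listing and sample_listing are hypothetical helper names.

# usage: gpg --list-secret-keys --with-colons | audit_secret_listing NOW_EPOCH WARN_DAYS
audit_secret_listing() {
    awk -F: -v now="$1" -v warn_days="$2" '
    $1 != "sec" && $1 != "ssb" { next }          # only key and subkey records
    $15 == "#" { print "OK   " $5 " " $1 " stub, secret part is not on this device"; next }
    $1 == "sec" { print "WARN " $5 " master secret key is stored on this device" }
    $7 == ""    { print "WARN " $5 " [" $12 "] never expires"; next }
    $7 + 0 <= now + 0 { print "WARN " $5 " [" $12 "] has expired"; next }
    {
        left = int(($7 - now) / 86400)           # whole days until expiry
        tag = (left < warn_days + 0) ? "WARN " : "OK   "
        print tag $5 " [" $12 "] expires in " left " days"
    }'
}

# Constructed listing of a laptop keyring: the master key and the phone's
# signing subkey are stubs; the encryption subkey and the laptop's signing
# subkey are present. Key IDs and dates are made up.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1394582400:1426118400::u:::scESC:::#:::23::0:
uid:u::::1394582400::::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1394582400::::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1394582400:1426118400:::::s:::+:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1394582400:1426118400:::::s:::#:::23:
EOF
}

# With two arguments, audit the listing supplied on standard input.
[ $# -lt 2 ] || audit_secret_listing "$1" "$2"
```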

Properly Storing Keys and Revocation Certificates

The master key should be kept really safe. Store the exported keys and revocation certificates on a USB stick and printed on paper. Keep another copy in a safe place, like your parents' home.

This way, if a device fails, the keys are not lost forever. If a key is compromised, there is a way to revoke it. If a key is compromised because one of the backups is compromised too, there is another backup to revoke the key.

Revision History

Post built on: 2014-03-12 23:38:22
Last modified on: 2014-03-12 23:37:30
First published on: 2014-02-21

Revision Date Description
1.00 2014-03-12 Initial Version. Published.

2014/02/21

Converting kmz to gpx

Recently, I have started to collect data from GPS during bicycle commutes using an Android smartphone. This job is done by MyTracks. I have tried other applications, but this one worked out best.

MyTracks, by default, creates a kmz file, which is a Keyhole Markup Language (kml) file (or various) bundled with other resources into a zip file. It can export to other types, but kmz has some advantages, like photographs embedded on markers.

Loading this file in Google Maps directly from Google Drive was straightforward, but it requires an internet connection. I wanted to view, and maybe edit, the file offline. I have tried loading the kmz file directly on various applications under Linux, but I only managed to get the begin and end points this way.

So, I converted the kmz file to gpx (GPS Exchange Format) using gpsbabel and the track was correctly imported (I am using JOSM - Java OpenStreetMap on the computer).

How to Convert

Given a kmz file, to get a gpx one:

$ unzip -p myfile.kmz doc.kml | gpsbabel -i kml -f - -o gpx -F myfile.gpx

myfile.kmz is the file to be converted. gpsbabel does not convert kmz directly to gpx, so it is necessary to extract the kml file that is inside the kmz (which is doc.kml in the example). The file is piped to gpsbabel, which will save the new gpx file myfile.gpx. If there is more than one kml file, the process must be repeated for every kml.

  • gpsbabel (accessed 2014-02-20): project website;

  • kml (accessed 2014-02-20): Keyhole Markup Language file type;

  • gpx (accessed 2014-02-20): GPS Exchange Format file type.

Revision History

Post built on: 2014-02-21 00:00:18
Last modified on: 2014-02-21 00:00:13
First published on: 2014-01-21

Revision Date Description
1.00 2014-02-21 Initial Version. Published.