OS Tryouts 3: ElementaryOS

The start of ElementaryOS is quite like Linux Mint 17, as they are both based on Ubuntu Linux. One notable difference is that Elementary prompts you by default to choose whether you wish to use the LiveCD system or install it on a computer, whereas Linux Mint 17 simply brings you right into the LiveCD system and provides you a link to install it on your computer, as a shortcut on the Desktop of the LiveCD system.

ElementaryOS requires about half the disk space that Linux Mint 17 does. That’s remarkable but not really a stumbling block since most modern computers have more than 10GB of primary storage just to start. The installation was really quiet and direct, a pleasant change from PC-BSD for sure. Updates were slipstreamed into the installation routine so there shouldn’t be any need for them once the system is up and running.

The primary login screen is remarkably beautiful. The graphical login has my full name with a place for my password and a Login button, and to the right of that is today’s date and time styled in a very appealing way. There also appears to be a “Guest Session” which I will have to investigate, as Linux Mint 17 didn’t include that. Looking around the basic OS I am pleased to see many “Look and Feel” similarities to my beloved Mac OSX. After starting the software update app I expected all the apps to be updated, however that wasn’t to be: there are 347 updates pending, so that’s the first thing that needs to happen. Since I have the updater open, clicking on “Install Updates” should get that ball rolling. True to form, the updater is quietly processing its duties without user intervention beyond the authentication for elevated privileges that all updaters require in Linuxland. One really neat thing to note in this review is that the devs for ElementaryOS wrote a kernel extension driver for VirtualBox all by themselves. The activation was very straightforward, that’s very impressive. Almost all other OSes force you to install the VBox addins from VBox itself.

The installation of optional software is easily found through the Software Center; its icon is a big friendly downward pointing arrow. Many of the apps I would figure would be installed by default, like Firefox, Thunderbird and LibreOffice, are not, but they are available. That’s perfectly fine. Having a lot of apps delivered by default only adds to the size of the installation media and can complicate the installation routine if one of those other projects doesn’t behave properly upon installation.

It’s really a toss-up so far between Linux Mint 17 and ElementaryOS. My bias for the Mac OSX interface pushes me ever so slightly over into Elementary territory personally because it isn’t hamstrung by a Gnome primary panel that you just can’t get rid of; Elementary comes with a Dock by default. The only irk that gets me about Elementary is that the Dock has no mouse-sensitive effects, but that’s the weakest of quibbles. So far for machines that we’ll end up surplussing, Linux Mint 17 wins for work, but if I were to buy one of the surplussed machines I’d go for Elementary OS instead. It’s mostly just a matter of taste. I could just as easily live with Linux Mint 17.

Google Authenticator

Over the long Fourth of July holiday weekend I received an email from WordPress.com detailing news that they were now fully compatible with the Google Authenticator Two-Factor security system. I haven’t thought of Two-Factor in a long while and decided to look into how Google had cornered this particular security market.

First a little background. The term Two-Factor security concerns authentication, which is when you want to prove who you are to some service. Usually you just have to present two pieces of information, a username and a password. This combination not only identifies who you are and proves your identity through the shared secret of the password, but allows systems to remain as open as possible to all clients who want to connect, assuming that everyone is playing by the rules and nobody is trying to be sneaky or clever. Passwords are notoriously wimpy things: most people give up on complexity because they can’t readily remember the password and it’s not convenient, so they select simple passwords like “12345”, “password”, or “secret” and leave it at that. The problem with passwords is that the people who make them up are either lazy or don’t care about entropy or complexity, and since a lot of your work and identity is controlled using these systems, using these simple passwords is begging for disaster. Another issue that plagues a lot of people, and goes along with how naturally lazy many of us are, is that people will use one poor password on every site they go to and keep their usernames the same as well. The risk here is that when one service is compromised, all the other services are compromised as well, and it’s a huge upward climb to get out of that mess if you find yourself trapped in it.

Cleverness works both against people in general, in the hands of thieves, phishers, and hackers, and for people in general, in tools like hashapass or applications like 1Password. Hashapass is a free service that combines the web address of a service with one single complicated password to generate a hash, which is to say, a value that is easily calculated from the combination of the single complicated password and the web address, but done in such a way that going backwards is very difficult. If any piece of the puzzle is missing, it’s technically unsolvable. As an alternative to this there is 1Password, an application that I have become very fond of, and it uses a similar approach to hashapass. In 1Password one master password unlocks a database of all the sites and their individual passwords so you don’t have to remember a constellation of passwords; all you need is to remember one very good secure password and you are all set. There are a few other nice features of 1Password that I like: being able to generate very long random passwords and store them for me allows me to establish plausible deniability when it comes to my online identities. Because 1Password randomly selected a 32-character password for Facebook, I cannot be compelled, even under torture, to reveal that password to anyone else. I just don’t know it. I know 1Password, but that’s not the right question, so my account remains secure.

All of this I have collected and use, and I use it everywhere: on my MacBook Pro, my iMac at work, my iPad and my iPhone. 1Password makes it very easy to manage the security database and I’m quite sure that it’s secure. In my life, any more security is rather like putting more padlocks on a firmly locked jail cell; it’s rather silly and feels a lot like overkill. Then again, more security is always better, especially if it’s really clever and somewhat convenient.

Two-Factor security adds another component to the process of authentication. It augments the username and password combination. A password is something I know (or store using 1Password) and the second factor is something called a Time-Based One Time Password (TOTP). This is where the free iPhone app called Google Authenticator comes in. The app records a secret key from a site I wish to prove my identity to in the future, for example, Google itself. I set up two-factor, request a security token for Google Authenticator and set it up in the app. The key is transmitted by QR code, which means you can quickly acquire the long, complicated, random (hard to type) secret key using the camera in your phone. Once this process is complete the Google Authenticator app displays a six digit number that will work to prove your identity to the site associated with that particular entry, and this number is only valid for 30 seconds at a time. This six digit password exists only once in any one 30-second period and there is no way to divine this password without having the Google Authenticator application with its stored secret code.

Having two-factor enabled in this way means that my username and password are no longer as important as they once were. Even if my username and password are revealed or compromised without my knowledge, the secret key that I have in my Google Authenticator app remains secure with me and the 30-second-long one-time-password additions remain a secret with me. What I know may be compromised, but what I have (the Google Authenticator) most likely won’t be unless someone steals my phone and finds a way to best the security on that device before I have a chance to wipe it remotely. If my Google Authenticator becomes compromised, my passwords will likely not be, because they are uncrackable, and so I am still secure.

Practically, how does this work? When I want to log into Google Mail using two-factor, this is what I do. I open a web browser, type in the address “gmail.com” and press enter. Then I enter my username and my password. In the third field under the password is a box labeled “Google Authenticator Token”, so I grab my phone, start my Google Authenticator application, read the six-digit number from my phone and type it in. The service logs me right on, and after a few seconds that six-digit password is no longer valid and is meaningless. I’m authenticated and the system did as it was designed to do. One of the nice parts of Google Authenticator is that the entire app is a mathematical operation; it doesn’t require the network at all to generate these numbers, so this would be a good solution for people who may not have a reliable connection to the network or have a data quota on their phone.

Of course, online authentication is just the beginning. I found a way, yesterday, to embed the Google Authenticator system into my Mac OSX Mountain Lion installation so that when I want to login to my computer at work or my laptop I have to type in my username, my password, and the six-digit code read from my Google Authenticator application. The setup isn’t difficult. You need a compiled PAM module, which I have (just ask if you want a copy), and an application which you use to create the secret key on your computer. With it all set up, and a slight adjustment to a settings file, even if I were to lose security on my password at work nobody could login to my account without my username, password, and GA token.

This arrangement works quite well and I’ve set it up for my Google accounts, my WordPress.com and .org blogs, Facebook, Evernote, and Dropbox accounts as well. Everything is secure, obnoxiously secure. 🙂

photo by: MoneyBlogNewz

God I Wish… Ah!

At work I’ve been thinking about a particular system administration subject on and off for a few days now. When Mac is first installed all the “Optional Sharing Services” are shipped defaulted to off, which makes sense and is fine. Generally speaking I’ve been fine with using Apple Remote Desktop to share the workstation, open System Preferences, and turn on whatever sharing bits I need to have on for the client workstations, and that’s that. However that’s not really that elegant and I’ve been looking for a way to do it programmatically on the command line. As it is, Apple Remote Desktop can send Unix commands to connected workstations. All my client workstations are assembled in a neat little pile on my Apple Remote Desktop screen, as easy as you please. How can I turn these Sharing services on or off without having to upset the user? Ideally I want to turn these on without even sharing their workstation, to do it, in a way, under the covers.

Enter the command systemsetup. G’duh. There’s even a handy-dandy template in Apple Remote Desktop that I’ve overlooked all these years that has the details of the options laid out. So, in Apple Remote Desktop, select the stations you want to change, click the UNIX button, in there select the right template, change the user to root and send the command. Moments later, in this case, SSH is up and running on the client workstation as easy as you please. Boom. No futzing with sharing workstations, no mucking about with System Preferences. Just simple, easy, like I knew it had to exist. Now I know how.

This is actually the way I prefer to learn these things. This was something I sussed out, so it’s worth more than if I just spotted it in some bit of documentation. It took time and energy and it’s mine. The solution is worth something to me, and so I blog about it so I can celebrate Mac OSX and keep a little log in case I forget in the future. It’ll always be here.

Hooray for Mac OSX!

photo by: marcopako 

Starting Out Small

There is an issue I have at work, something I’ve written about before in my logs, that I’ve found a solution for that I feel I can blog about. I can’t really talk about the why behind all of this, but I can share a technical explanation of how I am addressing this problem. It’s a half-thing, bear with me.

At Western, I’m very interested in the number of open TCP connections that a workstation has open at any one time. I don’t care what state the connection is in, ACK_WAIT to any of the others, if there is a line, I want to know about it. Specifically I want to know how many lines there are. Mac OSX is based on Darwin, and Darwin is based on BSD – so you get a shell to work with when you start Terminal.app. There is a lot of power in the command line interface and once you get the hang of it, it’s really quite useful.

On the remote stations, at least two of them, I have turned on “Remote Login” in the Sharing applet in System Preferences, which enables the machines’ SSH servers to answer incoming connections. I can use SSH to call up a command line window to those remote stations, feeding them commands. I have done this for a long while for our servers in the office but this is the first time I’ve seriously done this for workstations. So, with this connection established I want to collect the number of TCP connections that machine has established. On the command line there are several pieces needed to get this to work:

First, you need a loop structure so that the command happens regularly: 

while true; do [command]; sleep 60; done

This will run a command every 60 seconds and it will never end unless I send a Control-C character which represents “Break” to the shell.

At first I just needed to count how many connections there were. You get this number, or at least an approximation of it, this way:

netstat -p tcp|wc -l

That calls netstat to list out all the TCP connections, which I then pipe, using the pipe character ‘|’, to another command called wc, which calculates word counts. I make wc ignore words and just count lines by using the -l switch. I don’t really care what other stations my targets are communicating with, just a count of how many. And yes, technically the SSH connection inflates this by at least one connection; it’s not intended to be forensic.

But something was missing. I need a date stamp. In BSD, there is a command called date, and you can give it a format so you can make date write out the Hours, Minutes, and Seconds the way you want to see them, but date has an annoyance to it. The command date always inserts a ‘newline’ character at the end, so what you’d get is a date, a new line, and your count. It’s okay, but it’s annoying. It would be far better to get rid of that newline character altogether. Enter the ‘tr’ command, which translates characters. In this case, we tell tr to just delete the newline character, so ask date for the right sort of date, have tr nail off that newline at the end because it’s annoying and…

while true; do date '+%H:%M:%S '|tr -d '\n'; netstat -p tcp|wc -l; sleep 60; done

This outputs a very nicely formatted report on a remote workstation. So now I have datestamps, connection count levels, and when the count gets to a certain number and things happen, I can be faux-psychic.

UPDATE: Apparently I just can’t leave well enough alone. Seeing a slow parade of numbers trot by is rather dull when all I really want to know is when these numbers, say, get over 70. So…

while true; do test "$(netstat -p tcp|wc -l)" -gt 70 && (date '+%H:%M:%S '|tr -d '\n'; netstat -p tcp|wc -l;); sleep 60; done
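As an added example, not the post’s own code, here is the same count and threshold check done in Python over the text that netstat -p tcp prints. It filters on the Proto column, so the two header lines that wc -l also counts (the reason the post calls its number an approximation) are left out, and it tallies states as well; the sample netstat output is constructed, not captured from a real workstation.

```python
import sys
from collections import Counter
from datetime import datetime

# Constructed sample of `netstat -p tcp` output in the Mac OSX layout (not from a real host).
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.52345     17.253.144.10.443      ESTABLISHED
tcp4       0      0  192.168.1.10.22        192.168.1.20.54321     ESTABLISHED
tcp4       0      0  192.168.1.10.52346     93.184.216.34.80       TIME_WAIT
tcp6       0      0  fe80::1%lo0.49152      fe80::1%lo0.49153      CLOSE_WAIT
tcp4       0      0  *.22                   *.*                    LISTEN
"""

THRESHOLD = 70   # the trigger level used in the post


def tcp_rows(netstat_output):
    """Return only per-socket rows: lines whose first field is tcp, tcp4 or tcp6.

    `wc -l` on the raw output also counts the two header lines; filtering on the
    Proto column removes them so the number is exact rather than an approximation.
    """
    rows = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("tcp"):
            rows.append(fields)
    return rows


def count_connections(netstat_output, exclude_listen=False):
    """Count TCP sockets; LISTEN entries are servers waiting, not lines to anyone, so they can be dropped."""
    rows = tcp_rows(netstat_output)
    if exclude_listen:
        rows = [r for r in rows if r[-1] != "LISTEN"]
    return len(rows)


def state_breakdown(netstat_output):
    """Per-state tally (the last column), the detail the post ignores but useful when the count spikes."""
    return dict(Counter(r[-1] for r in tcp_rows(netstat_output)))


def report_if_over(netstat_output, threshold=THRESHOLD, stamp=None):
    """Mirror the post's `test ... -gt 70`: return 'HH:MM:SS <count>' when over the threshold, else None."""
    count = count_connections(netstat_output)
    if count <= threshold:
        return None
    if stamp is None:
        stamp = datetime.now().strftime("%H:%M:%S")
    return "{} {}".format(stamp, count)


if __name__ == "__main__":
    # On the workstation:  netstat -p tcp | python3 conncount.py   (falls back to SAMPLE on a terminal)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(count_connections(text), state_breakdown(text), report_if_over(text, threshold=3))
```

Wrap the script in the post’s while true / sleep 60 loop to get the same slow parade, now without the header lines in the count.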


photo by: Bull3t

Encrypted Time Machine Drive Botch in Mac OSX 10.8.2 Mountain Lion

We had a Firewire 800 drive botch when it came to whole-volume encryption in Mac OSX 10.8.2 Mountain Lion. We lost the password and couldn’t recover it. The drive refused to erase, all the options were grayed out. I refuse to believe that a software change can render hardware junk, so there had to be a way, and I found it. Here’s the procedure:

  • Attach the botched drive to the computer; since the password won’t work, cancel the unlock dialog box
  • Open Terminal
  • Enter command: diskutil CoreStorage list
  • You will get a long list; you are looking for the UUID of the “Logical Volume Group” at the very top of the list, for the drive that is affected.
  • Enter command: diskutil CoreStorage delete [UUID]
  • The system will eject the volumes, destroy the grouping, erase the disk, then initialize the disk, mount it and finish.
  • Done!

Drafts Changes Workflow

The more I use the Drafts app for my iPad and iPhone the more I love it and the more I want to use it. It’s actually changed the workflow for my “Post-a-Day” WordPress blogging as well as my regular blogging in general. What I used to do was copy the Post-a-Day prompt emails over to my WordPress blog and set the post type to Drafts and let them sit there. I’ve never been a huge fan of the editor built into WordPress, but copying the emails to Drafts and storing them there, syncing them to Simperium which then synchronizes them across all my devices that have Drafts loaded on them, which is now just my iPhone.

The app itself has so many neat features: being able to store multiple drafts and have them swipe-accessible from the left makes switching files a breeze, and then when the post is done and ready to be published I can swipe from the right and select as many services as I want to send my drafts off to. It’s the perfect promontory to launch Day One, Facebook, Twitter, Tumblr, and WordPress. Generally speaking, the drafts themselves almost always follow a certain path, first to Day One then to WordPress, because then WordPress sends links to Twitter, Facebook, and Tumblr on my behalf with the publicize feature. But sometimes I write things that don’t go to my blog; in that case I can send to Day One and Facebook. I have configured the app’s representation in Facebook to conform to my “Sharing” security group, so even if I tap the Facebook option I don’t have to worry about my private sharing thoughts leaking out where they don’t belong.

The only thing (yes, there is one of these for every user) that I would really love is a Drafts app for Mac OSX. That would let me hack away on Drafts entries on my iMac without having to clear off workplace desktop space to set up my iPad. I think it’ll just be a matter of time before we see those options start to become available. I would pay $15 for an app like that without even batting an eye.

For the want of pgrep on Mac OSX

I’ve got an issue at work, of course. I’ve got a Mac OSX xServer that has grown crotchety and so I’ve gotten to making things better by using killall on various running processes in order to “clean up the mess”. This is all fine and good; these processes respawn, the world goes back to normal and everything is fine. However I also want to renice this pesky command and give it a lower priority. While killall can search by name, renice requires a pid. The way you get pids is to run the ‘ps’ command, but this gives you a big pile of data and really all you want is just the pid itself, so you can pass that to renice.

So here’s how to get your cake and eat it too on Mac OSX Leopard Server:

1) First, change root’s shell (the default for root is /bin/sh) by issuing this command:

chsh -s /bin/bash root

2) Then you’ll need to give bash a profile: create a new file in root’s home directory called .bash_profile and fill it with this text, which loads .bashrc for login shells:

[[ -s ~/.bashrc ]] && source ~/.bashrc

3) Next you’ll need to fill out that .bashrc, because it contains the function you need to replicate pgrep. It runs ps, keeps the lines matching each name you pass (dropping the grep process itself, which would otherwise match its own argument), and prints the second column, the pid:

pgrep() { for arg; do ps aux | grep "$arg" | grep -v grep | awk '{print $2}'; done; }

4) Log out and log back in and you’ll end up in bash, not sh, and you’ll have a new command at your disposal, pgrep. You can then use pgrep CommandName and it’ll spit out the pids of the processes whose ps line matches what you are after (one per line if several match).

5) Then you can use this new function with renice this way:

renice 20 `pgrep CommandName`

One thing to note here is that the ` character is the backtick character. You’ll find this hiding out in the upper left corner of your keyboard, it’s the unshifted tilde button.