Graduated and employed
Oh my, it's been so long since I last checked in here. Since then, I've graduated from the HvA and the kind folks at Nikhef have offered me a job. In September I hope to start my master's in computer science at the Vrije Universiteit.
I should also mention I attended HAR, EGEE, and RER2009 last year. And to top it off, the week before Christmas I visited CERN for the all-hands developers meeting. I got the t-shirt and everything. Project Euler, Insecure Programming By Example (with great help from Mishou and some No Starch Press books) and Securitytube are what's keeping me busy besides that.
I helped my friends set up a music-related blog at phonophanatic.nl, which is already doing quite well; if you have an off-beat taste in music I recommend you check it out. Finally, here's a pic of me and my colleague with Bob Jones, the EGEE project director.
Using an Aladdin eToken to store your SSH keys.
The past week I have tried using an Aladdin eToken on my Ubuntu desktop. They are used at Nikhef to store X.509 certificates with Grid credentials, and to make proxy certificates from those. (A proxy certificate is a short-lived certificate signed with the key of the original one, so the long-lived key can stay on the token.) The ultimate goal (for me) was to use it to store the private keys I use most: my SSH keys.
After peeking around the Nikhef Gridwiki and downloading the eToken PKI Client 4.55 from aladdin.ru, pkcs11-tool confirmed the token was loaded and recognized by the system. I was also able to store my grid certificate on it with the instructions provided, and loaded the /usr/lib/libeToken.so file into Firefox as a security device. After restarting Firefox, things took a turn for the worse...
It appears the Aladdin client ships some binaries of its own, alters the environment Firefox runs in (for example by overriding the LD_LIBRARY_PATH environment variable), and bundles an old version of libnss3, which Firefox needs. The result is Firefox crashing with a "could not initialize XPCOM" message. A colleague helped me locate the offending libraries in /usr/lib/eToken/nss_tools using strace. The fix is to remove the certutil and modutil binaries shipped there and replace them with symlinks to the system certutil and modutil. This fixes the problem! (Thanks again, Willem)
After alleviating this puzzling error, I was free to play around with the token some more. Concerning OpenSSH, it appears the version shipped with Ubuntu is not built with smartcard support (a smartcard is what the token presents itself as). This can be alleviated in two ways: either by recompiling OpenSSH with the --with-opensc flag, or by applying a PKCS#11 patch to OpenSSH. The OpenSC option seemed to be the easier route. Getting the source packages built on Ubuntu was as simple as:
aczid@maggie:~$ apt-get source openssh; apt-get build-dep openssh
If you get errors about missing public keys (apt-get source checks the signature on the .dsc file), look them up using gpg --keyserver keyserver.ubuntu.com --search-keys <name of maintainer>. Be aware that importing a key this way means you trust this person and his or her public key, and that a keyserver will return any key that was uploaded under that name: compare the fingerprint with one published through Debian/Ubuntu (for example the debian-keyring package) before relying on it.
aczid@maggie:~$ cd openssh-5.1p1/
aczid@maggie:~/openssh-5.1p1$ vi debian/rules
Add the line: confflags += --with-opensc=/usr/ and build the package with dpkg-buildpackage. Now your SSH will understand OpenSC, which expects a PKCS#15 structure on the card, while the token was initialised for the Aladdin PKCS#11 module. Luckily, the token can hold the files for both APIs simultaneously. Detailed instructions to accomplish this with a different kind of token Worked For Me (TM). I suppose once you have the PKCS# tools working, they're all more or less the same.
Now that you know how to put your certificate on the token using both APIs, we can finally use OpenSSH! Extract the public key from your certificate and place it in a remote server's authorized_keys file, then launch your newly built ssh, pointing it at smartcard reader 0 with -I0:
aczid@maggie:~/openssh-5.1p1$ ./debian/openssh-client/usr/bin/ssh -I0 <some host>
If you would like to use your existing keys (like the ones generated by ssh-keygen) you need to generate a self-signed certificate from them and put it on the token. Now you can use ssh without even needing a .ssh directory to store your private key! Unfortunately I was still unable to use the token to generate grid proxy certificates on Ubuntu.
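The two key-moving steps above (extracting the public key from the certificate for authorized_keys, and wrapping an existing ssh-keygen key in a self-signed certificate) both work because the RSA public key is the same (n, e) pair in either container; only the encoding around it differs. The following is an added example, not code from this post or from OpenSSH: pure Python that writes an authorized_keys line in the ssh-rsa wire encoding (RFC 4251 string/mpint framing), parses such a line back into (n, e), and computes the SHA256 fingerprint that a current ssh-keygen -lf prints, so you can check that the key ssh-keygen -D 0 reports from the token is the one in your certificate. The modulus used here is constructed and is not a real key. On OpenSSH releases newer than the 5.1 built above, the same extraction is one shell pipeline: openssl x509 -in cert.pem -noout -pubkey | ssh-keygen -i -m PKCS8 -f /dev/stdin.

```python
import base64
import hashlib
import struct

# Constructed sample RSA public key (NOT a real key, NOT from the post): the usual
# public exponent plus a made-up odd 1024-bit modulus. Only the encoding matters here.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | int("c0ffee" * 40, 16) | 1


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': minimal big-endian two's complement, with a leading
    0x00 when the top bit is set so the number is not read as negative."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_to_authorized_key(n, e, comment=""):
    """Build the 'ssh-rsa <base64 blob> [comment]' line sshd expects in authorized_keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _split_blob(blob):
    """Walk the length-prefixed fields of a key blob; raise on truncation."""
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        parts.append(blob[off:off + length])
        off += length
    return parts


def parse_authorized_key(line):
    """Return (n, e) from an ssh-rsa authorized_keys line; reject anything else."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    parts = _split_blob(base64.b64decode(fields[1]))
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    e = int.from_bytes(parts[1], "big")
    n = int.from_bytes(parts[2], "big")
    return n, e


def fingerprint_sha256(line):
    """SHA256 fingerprint of the key blob, in the 'SHA256:<unpadded base64>' form ssh-keygen -lf uses."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    line = rsa_to_authorized_key(SAMPLE_N, SAMPLE_E, "etoken-demo")
    print(line)
    print(fingerprint_sha256(line))
    assert parse_authorized_key(line) == (SAMPLE_N, SAMPLE_E)
```

Every ssh-rsa line starts with the same 24 base64 characters (AAAAB3NzaC1yc2EAAAADAQAB) whenever e is 65537, because that prefix is just the "ssh-rsa" string and the exponent; the modulus follows. Comparing fingerprints rather than eyeballing the blob is the reliable way to confirm the token key and the certificate key are one and the same.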
Started my internship at Nikhef
About two weeks ago I started my internship at Nikhef, the Dutch institute for subatomic physics. Up until now it has mostly been a dizzying experience. I'm learning to cope with a whole new world, namely that of Grid computing. That wiki page is actually not very specific as to scale, so perhaps the GridPP introduction page can convey it better. Nikhef (together with SARA) has a Tier-1 site, which means they can provide computing power and storage for one tenth of the data generated by the LHC experiments. If nothing else, this map showing the grid sites should impress you.
But you still know nothing of my tiny, (so far) insignificant role in all this. It's to design and develop the EES. It involves the redesign of an existing (sudo-like) pluggable software library that should be backwards-compatible. And oh yeah, it's in C. I hope now you'll understand why I feel like my head is spinning. I've just about given up on reading all the related articles linked from the LHC wikipedia entry in my first week. I feel right in my place, but not very useful yet. The Grid infrastructure is so huge I only have a vague, high level idea of how it's all supposed to work. I have heard new acronyms every day for the past two weeks, most of which are still kind of lacking a real definition for me. In the meantime I've been coding several prototypes (more like examples, or exercises) of how parts of the project should work.
Blogging everything I learn there would be impossible, but you can follow me on twitter to keep up with my progress. My direct supervisor / boss is also on there. I hope to get out a blogpost again every week or so.
Nikto web site scanner
Today I was looking for an automated way to find any security-related server misconfigurations on my website, and found a really nice tool called Nikto that does just that.
In fact, it was so helpful that it showed me I had directory indexing enabled in Apache where I didn't want it.
Here is an example of its use.
aczid@aczid:~$ nikto -host blog.aczid.nl
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 127.0.1.1
+ Target Hostname: blog.aczid.nl
+ Target Port: 80
+ Start Time: 2009-01-25 0:16:00
---------------------------------------------------------------------------
+ Server: nginx/0.6.32
+ OSVDB-0: Retrieved X-Powered-By header: Phusion Passenger (mod_rails/mod_rack) 2.0.6
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: GET /?mod=some_thing&op=browse : Sage 1.0b3 reveals system paths with invalid module names.
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ OSVDB-3092: GET /archives/ : This might be interesting...
+ OSVDB-3092: GET /stats/ : This might be interesting...
+ 2967 items checked: 6 item(s) reported on remote host
+ End Time: 2009-01-25 0:16:00 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
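The "This might be interesting..." lines above only tell you a path answered; whether it answers with an auto-generated directory listing (the problem found in this post) is a separate check. Below is an added example, not part of the post and not Nikto's code: a small Python checker that fetches a list of paths and reports which ones serve a listing, recognised by the "Index of /" title or "Parent Directory" link that Apache mod_autoindex and nginx autoindex emit. The fetcher is injectable so the check runs offline against constructed responses; the hostname blog.example.invalid and the response bodies are made up for the demonstration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Markers of an auto-generated listing (Apache mod_autoindex, nginx autoindex, lighttpd).
INDEX_TITLE_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
PARENT_LINK_RE = re.compile(r'<a\s+href="(\.\./|/)[^"]*"[^>]*>\s*Parent Directory', re.IGNORECASE)


def looks_like_directory_index(status, body):
    """True when a 200 response body carries the tell-tale signs of a directory listing."""
    if status != 200:
        return False
    return bool(INDEX_TITLE_RE.search(body) or PARENT_LINK_RE.search(body))


def http_fetch(url):
    """Live fetcher returning (status, body_text). Use it only against hosts you own."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirindex-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def find_open_listings(base_url, paths, fetch=http_fetch):
    """Return the subset of paths under base_url that serve a directory listing."""
    exposed = []
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        if looks_like_directory_index(status, body):
            exposed.append(path)
    return exposed


# Constructed responses standing in for a real server (hypothetical host and bodies).
CONSTRUCTED_RESPONSES = {
    "http://blog.example.invalid/archives/": (
        200,
        '<html><head><title>Index of /archives/</title></head><body>'
        '<h1>Index of /archives/</h1><a href="/">Parent Directory</a></body></html>',
    ),
    "http://blog.example.invalid/stats/": (
        200,
        "<html><head><title>Statistics for blog</title></head><body>AWStats</body></html>",
    ),
    "http://blog.example.invalid/private/": (403, "<html><title>403 Forbidden</title></html>"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, answering from CONSTRUCTED_RESPONSES."""
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    paths = ["/archives/", "/stats/", "/private/", "/nothing/"]
    for p in find_open_listings("http://blog.example.invalid/", paths, fetch=fake_fetch):
        print("directory listing exposed at", p)
```

Once a listing is confirmed, the fix is server-side rather than in the scanner: Options -Indexes in the Apache directory or vhost block, or autoindex off in the nginx location, and re-run the check to confirm the path now answers with 403 or 404 instead of a listing.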
And remember, Gort! Klaatu barada nikto!
Setting up AWstats to parse Nginx log files served from Apache
After moving most of my Ruby apps onto Apache I got back to the idea of wanting to do my own log analysis. Although the Google Analytics urchin is nice, I prefer something more unobtrusive. I have used AWstats in the past, and was always quite impressed with its feature set. After installing Apache again, I figured I would give it a go. I prefer using the packaged AWstats because that way it will (hopefully) automatically update through apt. This post on AWstats by Sami Dalouche was really helpful in getting my head around the packaged AWstats configuration on Debian. It shows how to make AWstats virtual hosts for every domain on your site, how to set up a cronjob, and how to prevent logrotate from rotating the logs before AWstats has run. So after you have copied a new awstats.<yourvhost>.conf file into /etc/awstats/, set the following variables. (This of course implies you have pointed Nginx's access_log for that vhost at the same location, /var/log/nginx/<yourvhost>-access.log.)
LogFile="/var/log/nginx/<yourvhost>-access.log"
SiteDomain="<yourvhost>"
HostAliases="<yourvhost>"
DirData="/var/lib/awstats/<yourvhost>"
And set the log format for Nginx. This is the NCSA combined layout that Nginx writes by default, so the predefined LogFormat=1 is equivalent; spelling it out makes it obvious which field is which if you ever customise log_format:
LogFormat="%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
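If the Nginx log_format and the AWstats LogFormat disagree, AWstats does not complain loudly; it just reports the mismatching lines as corrupted records and your statistics quietly go empty. The following is an added example, not part of the post and not AWstats code: a Python parser whose named groups are exactly the AWstats tags from the LogFormat string above, run over a few constructed log lines (they are not from the author's server; one is deliberately an nginx error-log line that does not belong in an access log) to show what parses and what would be counted as corrupted.

```python
import re
from collections import Counter

# The layout the LogFormat string describes, which is also nginx's default "combined":
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
# Group names are the AWstats tags, so a failing line points at the offending tag.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<other>\S+) (?P<logname>\S+) '
    r'\[(?P<time1>[^\]]+)\] "(?P<methodurl>[^"]*)" '
    r'(?P<code>\d{3}) (?P<bytesd>\d+|-) '
    r'"(?P<refererquot>[^"]*)" "(?P<uaquot>[^"]*)"$'
)

# Constructed sample lines (hypothetical addresses and host). The last line is an
# nginx error-log entry, there to show what a non-matching record looks like.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2009:00:16:00 +0100] "GET /stats/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Nikto/2.03)"
203.0.113.7 - - [25/Jan/2009:00:16:01 +0100] "GET /archives/ HTTP/1.1" 200 2048 "http://blog.example.invalid/" "Mozilla/5.0"
198.51.100.2 - - [25/Jan/2009:00:17:30 +0100] "GET /robots.txt HTTP/1.1" 304 0 "-" "curl/7.18.2"
2009/01/25 00:18:00 [error] 1234#0: *5 open() "/var/www/missing" failed (2: No such file or directory)
"""


def parse_line(line):
    """Return the AWstats fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    # Apache writes "-" for zero bytes, nginx writes 0; normalise both to an int.
    rec["bytesd"] = 0 if rec["bytesd"] == "-" else int(rec["bytesd"])
    # %methodurl is "METHOD URL PROTOCOL"; AWstats splits it the same way.
    parts = rec["methodurl"].split(" ")
    rec["method"] = parts[0]
    rec["url"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(text):
    """Count parsed versus unparseable lines, plus hits per status code and per URL."""
    stats = {"parsed": 0, "corrupted": 0, "by_code": Counter(), "by_url": Counter()}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["corrupted"] += 1
            continue
        stats["parsed"] += 1
        stats["by_code"][rec["code"]] += 1
        stats["by_url"][rec["url"]] += 1
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed={s['parsed']} corrupted={s['corrupted']}")
    for code, n in sorted(s["by_code"].items()):
        print(f"  HTTP {code}: {n}")
```

Run it over a few hundred lines of the real <yourvhost>-access.log before the first cron run: a corrupted count close to the parsed count means the two format strings disagree, and the named group that fails is the tag to fix.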
Now for the Apache Virtualhost, which is also largely boilerplate.
<VirtualHost *:80>
# Apache refuses a bare <VirtualHost> with no address; use the port Apache actually listens on behind Nginx.
ServerName <yourvhost>
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
ScriptAlias /stats /usr/lib/cgi-bin/awstats.pl
# This is the important bit. It forces awstats.pl to use awstats.<yourvhost>.conf, instead of taking the config name from the ?config= parameter in the URL.
SetEnv AWSTATS_FORCE_CONFIG <yourvhost>
</VirtualHost>
If the website you want to monitor is already being served from Apache, and Nginx proxies requests for nonexistent files to Apache, you are probably done. Go check <yourvhost>/stats/! One caveat: nothing in the VirtualHost above restricts who can reach /stats and /cgi-bin/, so every visitor can read your statistics and call whatever else lives in /usr/lib/cgi-bin/ (the Nikto scan further down this page duly flags /stats/ as interesting). Put HTTP authentication or an IP allow list on those paths before relying on this setup.
If the site is served using only Nginx (static assets), you will have to add a proxy_pass in your Nginx virtual host for the four paths in the VirtualHost definition that AWstats needs (/stats, /awstatsclasses, /awstats-icon/ and /awstatscss).
Hope this helps people out who are struggling to get this set up! It took me about a day in total, I think. Now I have fancy separate stats on all my public Nginx websites!
New blog design
Using some free time I had during the holidays creatively, I have finally made a better layout design for the blog you are reading now. I hope you enjoy it, and everything is rendering well for you.
Moving to Phusion Passenger
This week I have moved my Ruby websites (which were previously running on Mongrel) to the Phusion Passenger Apache2 module. I have lived without apache for about a year, but I am really happy I switched back to it again. I am still using Nginx as a front-end proxy to serve static assets.
I am very pleased with Passenger because it makes deployment a lot easier! Basically, all Capistrano needs to do now for a deployment is move your app into the DocumentRoot and touch a "restart.txt" file. It supposedly works with any Rack-based web framework. I am using it with Merb and Rails.
I have more available memory and CPU cycles because there are no idle mongrels running, and availability is increased because new instances of the apps are spawned as needed (where memory is shared between multiple instances of an app).
Life is good with passenger!
Digital Television paper
I have written a paper about the security architecture and known vulnerabilities of DVB digital television systems.
This was a school project so the paper is in Dutch. I got an A for it!
I've bought a domain
I’ve finally bought my own domain, aczid.nl. Besides the blog, I want to host my music, code and other creations here.
All you readers out there can visit my blog at blog.aczid.nl.
I would like to thank Lasert for providing me with a 2 GHz/256 512 MB Xen slice on a big unclogged eweka tube. It’s a fun and stimulating experience to set up your own front-end/proxy server, subversion, et cetera.
I plan to do most if not all of the site in Ruby on Rails. The blog is served using Nginx, Mongrel and Typo.
Free (as in beer) VMWare workstation
When using Firefox on GNU/Linux to test web apps all day, there comes a point where you wonder whether things would work (as well) in Internet Explorer. Although there are Wine configurations to run IE on Linux, I decided I'd rather just run Windows in a VM.
Thinking I'd use an open source solution, I struggled for a while trying to create VMs with Qemu. Those, unfortunately, didn't even get through the Windows XP CD bootloader.
Desperate to get it to work (easily) I decided I'd give VMware workstation a try. We had a licence already.
I downloaded the 6.0 tgz, compiled it and clicked through the wizard to create a VM. But when I tried to register I noticed the licence we had was for VMware workstation 5.0!
I discovered that although the workstation version of VMware won't allow you to actually run the virtual machines that you create with it, the free VMware player will run those just fine!
After booting up the VM in vmplayer the Windows installer ran flawlessly. I'm now the happy user of a free as in beer virtualized Windows installation! I am however somewhat embarrassed to admit I couldn't create a fully functional VM with Qemu.