Category: Userland

Which cryp­to card to use with FreeB­SD (ssh/gpg)

The recent secu­ri­ty inci­dent trig­gered a dis­cus­sion how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a cryp­to card. I did some research for suit­able cryp­to cards and found one which is called Feit­ian PKI Smart­card, and one which is called OpenPGP card. The OpenPGP card also exists in a USB ver­sion (basi­cal­ly a small ver­sion of the card is already inte­grat­ed into a small USB card reader).

The Feit­ian card is report­ed to be able to han­dle RSA keys upto 2048 bits. They do not seem to han­dle DSA (or ECDSA) keys. The smart­card quick starter guide they have  (the Tun­ing smart­card file sys­tem part) tells how to change the para­me­ters of the card to store upto 9 keys on it.

The spec of the OpenPGP card tells that it sup­ports RSA keys upto 3072 bits, but there are reports that it is able to han­dle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to han­dle that big keys on the cryp­to card). It looks to me like the card is not han­dle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.

If I go this way, I would also need a card read­er. It seems a class 3 one (hard­ware PIN pad and dis­play) would be the most “future-proof” way to go ahead. I found a Rein­er SCT cyber­Jack sec­oder card read­er, which is believed to be sup­port­ed by Open­SC and seems to be a good bal­ance between cost and fea­tures of the Rein­er SCT card readers.

If any­one read­ing this can sug­gest a bet­ter cryp­to card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA  sup­port), or a bet­ter card read­er, or has any prac­ti­cal expe­ri­ence with any of those com­po­nents on FreeB­SD, please add a comment.

Share/Save

Free DLNA serv­er which works good with my Sony BRAVIA TV

In sev­er­al pre­vi­ous posts I wrote about my quest for the right source for­mat to stream video to my Sony BRAVIA TV (build in 2009). The last week-end I final­ly found some­thing which sat­is­fies me.

What I found was servi­io, a free UPnP-AV (DLNA) serv­er. It is writ­ten in java and runs on Win­dows, Lin­ux and FreeB­SD (it is not list­ed on the web­site, but we have an not-so-up-to-date ver­sion in the ports tree). If nec­es­sary it transcodes the input to an appro­pri­ate for­mat for the DLNA ren­der­er (in my case the TV).

I test­ed it with my slow Net­book, so that I was able to see with which input for­mat it will just remux the input con­tain­er to a MPEG trans­port stream, and which input for­mat would be real­ly re-encoded to a for­mat the TV understands.

The bot­tom line of the tests is, that I just need to use a sup­port­ed con­tain­er (like MKV or MP4 or AVI) with H.264-encoded video (e.g. encod­ed by x264) and AC3 audio.

The TV is able to chose between sev­er­al audio streams, but I have not test­ed if servi­io is able to serve files with mul­ti­ple audio streams (my wife has a dif­fer­ent moth­er lan­guage than me, so it is inter­est­ing for us to have mul­ti­ple audio streams for a movie), and I do not know if DLNA sup­ports some­thing like this.

Now I just have to replace minidl­na (which only works good with my TV for MP3s and Pic­tures) with servi­io on my FreeB­SD file serv­er and we can for­get about the disk-juggling.

Share/Save

Lin­ux­u­la­tor progress

This week­end I made some progress in the linuxulator:

  • I MFCed the report­ing of some linux-syscalls to 9‑stable and 8‑stable.
  • I updat­ed my linuxulator-dtrace patch to a recent ‑cur­rent. I already com­piled it on i386 and arundel@ has it com­piled on amd64. I count­ed more than 500 new DTrace probes. Now that DTrace res­cans for SDT probes when a ker­nel mod­ule is loaded, there is no ker­nel pan­ic any­more when the lin­ux mod­ule is loaded after the DTrace mod­ules and you want to use DTrace. I try to com­mit this at a morn­ing of a day where I can fix things dur­ing the day in case some prob­lems show up which I did not notice dur­ing my testing.
  • I cre­at­ed a PR for portmgr@ to repocopy a new linux_base port.
  • I set the expi­ra­tion date of linux_base-fc4 (only used by 7.x and upstream way past its EoL) and all depen­dent ports. It is set to the EoL of the last 7.x release, which can not use a lat­er linux_base port. I also added a com­ment which explains that the date is the EoL of the last 7.x release.
Share/Save

Sock­ets and nullfs: works now in ‑cur­rent

I just updat­ed to a recent ‑cur­rent and tried the new nullfs. Sock­ets (e.g. the MySQL one) work now with nullfs. No need to have e.g. jails on the same FS and hardlink the sock­et to not need to use TCP in MySQL (or an IP at all for the jail).

Great work!

Share/Save

What you should know about SSH

Michael W. Lucas pub­lished his new book “SSH Mas­tery” (no link to an online store, get it from your pre­ferred online or offline one in your part of the world).

Do you think you know a lot about SSH? I thought I did when Michael searched tech­ni­cal proof-readers for this book. I offered to have a look at his work in progress and he gen­tly accept­ed (while I do not get mon­ey for this, I am one of the per­sons he thanks for  the tech­ni­cal review in the begin­ning, so I am involved some­how and as such you should take the fol­low­ing with a grain of salt).

I already had user restric­tions in place before the review, but now I nar­rowed down some restric­tions based upon some con­di­tion­als. I already used SSH tun­nels for var­i­ous things before (where legal­ly applic­a­ble), but I learned some addi­tion­al VPN tech­niques with SSH. I already used mul­ti­ple ssh-keys for var­i­ous things, but Michael pro­vides some inter­est­ing ways of han­dling a large-volume of ssh-keys over mul­ti­ple machines. … I real­ly hope that my review was as valu­able for Michael, as it was for me to do the review.

He ends the book with “You now know more about SSH, OpenSSH and Put­ty than the vast major­i­ty of IT pro­fes­sion­als! Con­grat­u­la­tions”, and this is true, and all that in his writ­ing style where you can come with a prob­lem, read about it, and leave with a solu­tion (nor­mal­ly with a lit­tle bit of enter­tain­ment in between).

I know a lot of peo­ple which work dai­ly with SSH, and they know only a small part of what is pre­sent­ed in this book. In my opin­ion this book is a must-have for every System/Database/Application/Whatever Admin­is­tra­tor in charge of some­thing on an UNIX-like sys­tem, and even “nor­mal users” of SSH (no mat­ter if they use PuT­TY, or a ssh com­mand line pro­gram on an UNIX-like sys­tem (most prob­a­bly it will be OpenSSH or a clone of it)) will get some help­ful infor­ma­tion from this book.

I can only rec­om­mend it.

Share/Save