Commercial | Alexander Leidinger

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys upto 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store upto 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys upto 3072 bits, but there are reports that it is able to handle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Share/Save

ICS on the Samsung Galaxy Tab 10.1

Last week I had a look if there are some news for an official update of the Galaxy Tab 10.1 to ICS. To my surprise there is one at least in Italy. The one I found to download was marked more or less for the European market. Well… that was good enough for me and the night from Friday to Saturday I have spend to update the Tab by hand (unfortunately this includes a factory reset, no smooth migration from an old version, but at least I still have root access).

What I noticed so far:

OpenGL ES speed improved from 4.2 to 6.6 FPS.
I had some lock-ups so far, I do not know if this may be related to some restored data (app data and e.g. Bluetooth/WLAN config restored with TitaniumBackup) or to bugs (Dalvik cache and cache partition where clean, factory reset was done too prior to restoring from the backup). I had to press the power button for some seconds to initiate a reboot. Most of the time it helped to wait a minute before entering the PIN for the SIM. One time it did not help at all, the only way to get it working was to take my WLAN Access Point (AP) offline, start the Tab, enter the PIN, and to restart the AP. At that point I had GPS and WLAN in the Tab activated, in the lock-ups before I did not have GPS active. I had something similar like this with my Nexus S when it got ICS, somehow this resolved itself. Update 2012-08-14: I googled a bit, there was a bug in ICS 4.0.3 related to WLAN, but I have 4.0.4 on the Tab, so this may not be this. I also got the freeze without WLAN but with the mobile data connection active. 2^nd update 2012-08-14: If I disable account syncing with the mobile data connection it does not freeze. I have not yet tried this with the WLAN connection. Update 2012-08-16: The synchronization of the calendar data caused the problem. Deleting all data for any app with calendar in the name and re-syncing fixed the problem. No freeze since I did this yesterday.
When I open/close a folder (much missed feature in Android 3.x), the Tab speaks with me (something like “Folder XXX opened” in the configured language… that is a bit annoying).
I like the default background image.
Update 2012-08-14: The battery icon does stay green even when the battery is nearly empty. 🙁

I was not able to test the Email APP yet, I am waiting for a warranty-replacement of the PSU of my server at home (Murphy’s law: Your PSU will break when you just started a big renovation of your kitchen and do not have time to take care about it, and when you get time a lot of people from the PSU-manufacturer which take care about warranty-replacements are in holiday).

I also need to check the mobile data connectivity (quality and speed), but I would expect that it is not worse than before. Update 2012-08-14: The download speed test shows similar results than before, the upload speed test is slower, but this may be the mobile network here where I tested. At least I can confirm that it works, modulo the problem of the freezes described above.

Share/Save

WebSphere 7: solution to “password is not set” while there is a password set

I googled a lot regarding the error message “password is not set” when testing a datasource in WebSphere (7.0.0.21), but I did not find a solution. A co-worker finally found a solution (by accident?).

Problem case

While having the application JVMs running, I created a new JAAS-J2C authenticator (in my case the same login but a different password), and changed the datasource to use the new authenticator. I saved the config and synchronized it. The files config/cells/cellname/nodes/nodename/resources.xml and config/cells/cellname/security.xml showed that the changes arrived on the node. Testing the datasource connectivity fails now with:

DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource. Encountered java.sql.SQLException: The application server rejected the connection. (Password is not set.)DSRA0010E: SQL State = 08004, Error Code = ‑99,999.

Restarting the application JVMs does not help.

Solution

After stopping everything (application JVMs, nodeagent and deployment manager) and starting everything again, the connection test of the datasource works directly as expected.

I have not tested if it is enough to just stop all application JVMs on one node and the correspding nodeagent, or if I really have to stop the deployment manager too.

Share/Save

Strange performance problem with the IBM HTTP Server (modified apache)

Recently we had a strange performance problem at work. A web application was having slow response times from time to time and users complained. We did not see an uncommon CPU/mem/swap usage on any involved machine. I generated heat-maps from performance measurements and there where no obvious traces of slow behavior. We did not find any reason why the application should be slow for clients, but obviously it was.

Then someone mentioned two recent apache DoS problems. Number one – the cookie hash issue – did not seem to be the cause, we did not see a huge CPU or memory consumption which we would expect to see with such an attack. The second one – the slow reads problem (no max connection duration timeout in apache, can be exploited by a small receive window for TCP) – looked like it could be an issue. The slow read DoS problem can be detected by looking at the server-status page.

What you would see on the server-status page are a lot of worker threads in the ‘W’ (write data) state. This is supposed to be an indication of slow reads. We did see this.

As our site is behind a reverse proxy with some kind of IDS/IPS feature, we took the reverse proxy out of the picture to get a better view of who is doing what (we do not have X‑Forwarded-For configured).

At this point we noticed still a lot of connection in the ‘W’ state from the rev-proxy. This was strange, it was not supposed to do this. After restarting the rev-proxy (while the clients went directly to the webservers) we had those ‘W’ entries still in the server-status. This was getting really strange. And to add to this, the duration of the ‘W’ state from the rev-proxy tells that this state is active since several thousand seconds. Ugh. WTF?

Ok, next step: killing the offenders. First I verified in the list of connections in the server-status (extended-status is activated) that all worker threads with the rev-proxy connection of a given PID are in this strange state and no client request is active. Then I killed this particular PID. I wanted to do this until I do not have those strange connections anymore. Unfortunately I arrived at PIDs which were listed in the server-status (even after a refresh), but not available in the OS. That is bad. Very bad.

So the next step was to move all clients away from one webserver, and then to reboot this webserver completely to be sure the entire system is in a known good state for future monitoring (the big hammer approach).

As we did not know if this strange state was due to some kind of mis-administration of the system or not, we decided to have the rev-proxy again in front of the webserver and to monitor the systems.

We survived about one and a half day. After that all worker threads on all webservers where in this state. DoS. At this point we where sure there was something malicious going on (some days later our management showed us a mail from a company which offered security consulting 2 months before to make sure we do not get hit by a DDoS during the holiday season… a coincidence?).

Next step, verification of missing security patches (unfortunately it is not us who decides which patches we apply to the systems). What we noticed is, that the rev-proxy is missing a patch for a DoS problem, and for the webservers a new fixpack was scheduled to be released not far in the future (as of this writing: it is available now).

Since we applied the DoS fix for the rev-proxy, we do not have a problem anymore. This is not really conclusive, as we do not really know if this fixed the problem or if the attacker stopped attacking us.

From reading what the DoS patch fixes, we would assume we should see some continuous traffic going on between the rev-rpoxy and the webserver, but there was nothing when we observed the strange state.

We are still not allowed to apply patches as we think we should do, but at least we have a better monitoring in place to watch out for this particular problem (activate the extended status in apache/IHS, look for lines with state ‘W’ and a long duration (column ‘SS’), raise an alert if the duration is higher than the max. possible/expected/desired duration for all possible URLs).

Share/Save

A phoronix benchmark creates a huge benchmarking discussion

The recent Phoronix benchmark which compared a release candidate of FreeBSD 9 with Oracle Linux Server 6.1 created a huge discussion in the FreeBSD mailinglists. The reason was that some people think the numbers presented there give a wrong picture of FreeBSD. Partly because not all benchmark numbers are presented in the most prominent page (as linked above), but only at a different place. This gives the impression that FreeBSD is inferior in this benchmark while it just puts the focus (for a reason, according to some people) on a different part of the benchmark (to be more specific, blogbench is doing disk reads and writes in parallel, FreeBSD gives higher priority to writes than to reads, FreeBSD 9 outperforms OLS 6.1 in the writes while OLS 6.1 shines with the reads, and only the reads are presented on the first page). Other complaints are that it is told that the default install was used (in this case UFS as the FS), when it was not (ZFS as the FS).

The author of the Phoronix article participated in parts of the discussion and asked for specific improvement suggestions. A FreeBSD committer seems to be already working to get some issues resolved. What I do not like personally, is that the article is not updated with a remark that some things presented do not reflect the reality and a retest is necessary.

As there was much talk in the thread but not much obvious activity from our side to resolve some issues, I started to improve the FreeBSD wiki page about benchmarking so that we are able to point to it in case someone wants to benchmark FreeBSD. Others already chimed in and improved some things too. It is far from perfect, some more eyes – and more importantly some more fingers which add content – are needed. Please go to the wiki page and try to help out (if you are afraid to write something in the wiki, please at least tell your suggestions on a FreeBSD mailinglist so that others can improve the wiki page).

What we need too, is a wiki page about FreeBSD tuning (a first step would be to take the man-page and convert it into a wiki page, then to improve it, and then to feed back the changes to the man-page while keeping the wiki page to be able to cross reference parts from the benchmarking page).

I already told about this in the thread about the Phoronix benchmark: everyone is welcome to improve the situation. Do not talk, write something. No matter if it is an improvement to the benchmarking page, tuning advise, or a tool which inspects the system and suggests some tuning. If you want to help in the wiki, create a FirstnameLastname account and ask a FreeBSD comitter for write access.

A while ago (IIRC we have to think in months or even years) there was some framework for automatic FreeBSD benchmarking. Unfortunately the author run out of time. The framework was able to install a FreeBSD system on a machine, run some specified benchmark (not much benchmarks where integrated), and then install another FreeBSD version to run the same benchmark, or to reinstall the same version to run another benchmark. IIRC there was also some DB behind which collected the results and maybe there was even some way to compare them. It would be nice if someone could get some time to talk with the author to get the framework and set it up somewhere, so that we have a controlled environment where we can do our own benchmarks in an automatic and repeatable fashion with several FreeBSD versions.

Share/Save

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Prob­lem case

Solu­tion

Problem case

Solution