Geekblok

B10m, BOK, Joffie - old geeks on a blog




Category: security


Fun with bluetooth

31 January, 2008 (22:23) | fun, security, technical | By: Joffie


Last week I finally got a telephone with bluetooth. As my laptop also has a bluetooth dongle in it, I thought I should be able to do some geeky things with it.
My thoughts were correct: my screensaver is now working, based on the proximity of my telephone. As soon as my phone leaves the desk, the screensaver kicks in and locks the screen. When it is back in the proximity of the laptop, the screen magically unlocks.

Though I am very aware that this really is no good from a security point of view, it is just cool.

I’ll describe what I have done to get this to work. My phone is a Nokia 6151 and the laptop is running Ubuntu desktop.


Ssh tips and tricks, part 6

27 November, 2007 (20:34) | security, technical | By: Joffie


Time for the sixth part of the ssh guide. This time I’ll dig a bit deeper into using a command in your authorized_keys file. Normally you can run a command remotely with something like ssh b10m.example.net uptime, which returns the uptime of the server. If you want to restrict the commands that can be run remotely, simply put them into the ~/.ssh/authorized_keys file:

command="/usr/bin/uptime" ssh-dss AAAAB3NzaC1kc3M…[ rest of key ]…ED8s Comment

If you try to log in to the other server now, you only get the output of uptime back:

$ ssh joffie@b10m.example.net
9:24PM up 162 days, 3:45, 5 users, load averages: 0.03, 0.14, 0.12

Make sure that the authorized_keys entry contains the full command you want to run and nothing that could be used by hackers. If you, for example, have a command like command="/usr/bin/vi /tmp/file.txt", the user could exit this vi session with a command like :!/usr/local/bin/bash. Though this example might not seem too “real world”, it shows that you always need to think about what a hacker can do. (In this case starting vi with the -S option would disallow external program calls.)

Other interesting features are the use of SSH_ORIGINAL_COMMAND, which is given to the remote environment.
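A wrapper of the kind SSH_ORIGINAL_COMMAND makes possible, added here as an example (not code from the original post): the forced command is a small script that maps the client's request onto a fixed allowlist and rejects everything else. The script path /usr/local/bin/ssh-dispatch, the function names and the two allowed requests are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper (hypothetical path /usr/local/bin/ssh-dispatch).
# Constructed authorized_keys line that would reference it:
#   command="/usr/local/bin/ssh-dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...[ key ]... comment
# sshd ignores the command the client asked for, runs this script instead,
# and passes the client's request in SSH_ORIGINAL_COMMAND.

# resolve REQUEST: print the fixed command line for an allowed request,
# return 1 for everything else. Matching is exact, so no client-supplied
# argument or shell metacharacter ever reaches a command line.
resolve() {
    case "$1" in
        uptime)  printf '%s\n' "/usr/bin/uptime" ;;
        "df -h") printf '%s\n' "/bin/df -h" ;;
        *)       return 1 ;;
    esac
}

run_forced_command() {
    request="${SSH_ORIGINAL_COMMAND:-}"   # empty means an interactive login attempt
    if cmdline=$(resolve "$request"); then
        # Word splitting is safe here: $cmdline is one of our own fixed strings.
        set -- $cmdline
        exec "$@"
    fi
    # Log the client address only; the rejected request itself is untrusted input.
    logger -t ssh-dispatch "rejected request from ${SSH_CONNECTION%% *}" 2>/dev/null
    echo "ssh-dispatch: request not allowed" >&2
    exit 1
}

# sshd sets SSH_CONNECTION for every session; only act when run by sshd.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced_command
fi
```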


Encryption - secure tar-files

12 November, 2007 (21:20) | guides, security | By: BOK

Today a co-worker came to my desk with a rather simple but interesting question: “What software do you know that can encrypt a file or directory? The encrypted result needs to be sent abroad on a USB-disk.”

Without hesitating I answered that TrueCrypt could do the job, but then he replied: “Does that work on both Linux and IBM AIX?” (FYI: the data had to come from AIX and had to end up on Linux). Ehr… Linux yes, AIX no. So I had to re-think…

Then I remembered OpenSSL is installed by default on (almost) all Unix-computers and this opened a new solution. In fact, it’s very simple.

First create a gzipped tar-file of the directory (where “/foo” is the directory containing all files to be encrypted):

# tar zcvfp /root/foo.tar.gz /foo

Next restrict the permissions so that only the owner can read and write the file, to make it a little more secure by default:

# chmod 600 /root/foo.tar.gz

Now we start encrypting the created tar-file using OpenSSL with the Blowfish-algorithm. When you press enter after the openssl-command you will be asked for a password. Keep this in mind and keep it secret. If lost there’s no way to recover your precious data!

# openssl enc -blowfish -in /root/foo.tar.gz -out /root/foo.tgz.bf
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:

You’ll end up with a file named “foo.tgz.bf” in root’s home-directory that is impossible to read and understand.

To decrypt this file one goes the other way around like this:

# openssl enc -d -blowfish < /root/foo.tgz.bf | tar zxvf -
enter bf-cbc decryption password:

Enter the password and tada, there’s your data!

Oh and my co-worker returned ten minutes later with a smile on his face.