Interesting Smartcard Behavior…

I am no expert on smartcards (we use Common Access Cards, or CAC, at work).  Recently, I was having issues with ActiveClient reading my card, which told me I had mistyped my PIN twice.  Once more, and it would lock out my card.  So I went and asked a coworker how long the timeout is.  He told me there is no timeout – the card count is reset with a successful login.

Worried, I went to my Linux box and logged into webmail with my card, successfully.  Afterwards, ActiveClient on the other machine saw the card fine.

I had a chance yesterday to retest this behavior when another coworker was having similar issues with his card.  He had tried at two different machines to log in with his smartcard, and each time, it was unable to read his card (I did not see the exact error message, but it was not an incorrect PIN entry).  So I offered to let him try on my Linux box (I am the only one using Linux as a workstation), and he was quite surprised to be able to log into webmail from there.  Afterwards, his card worked fine on ActiveClient Windows machines, which was a relief to him, since he had assumed a trip to the ID card office (and a long wait) were in store for him.

I surmise that something on his card got a little scrambled and the Windows ActiveClient could not read what it needed.  The PCSC client, however, not only worked without flaw, it also seemed to clear whatever was bugging ActiveClient.

So, if this happens again, I hopefully will be able to spare someone else a trip to the ID card office.

Got a Netbook…

I am going to a conference soon, and my wife cannot part with her laptop now, so I bought a $300 Asus Eee-PC netbook (1005HAB), with a 9-cell battery that gives me close to 9 hrs of battery time.  I bought it online through Best Buy (I know, I know), and picked it up at the store a few days later.  I had Windows 7 Starter Edition on it.  I prepped a USB drive using the KDE Startup Disk Creator program and the Kubuntu 10.04 Netbook Edition ISO.  I had to find the BIOS first (F2), and tell the netbook to boot from USB, but after that, Kubuntu Netbook installed without a hitch.  I chose to wipe everything, since the netbook came with the OS media (if I ever want to install Windows, yuck – but hey, I paid for it).  I set it up with separate partitions (including /boot) and formatted everything with EXT4 (for later conversion to btrfs when the 2.6.36 kernel comes out).

Everything worked right out of the box, including wireless and suspend-resume.  Sweet.  It is a little slow, but who cares?  This thing is so neat.  I am a little addicted to being able to go anywhere around the house now and surf, blog, email, and administer the other machines from this thing.  When I am done, I can close the lid, and later open it back up, wait a bit, and then be prompted to unlock the screen and get back online, no sweat.

In addition to updating the kernel to 2.6.35-17 and updating KDE to version 4.4.5, I also installed the MediBuntu repositories, set up the USB smartcard with Acrobat Reader, Firefox, and Thunderbird, and got the camera working with the new gmail video chat software.  One more thing – to get the function keys to work, I had to edit my /etc/default/grub file and change the line

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi_osi=Linux"
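The edit above is a one-off by hand. As an added example (not from the original post), here is a small POSIX shell function that makes the same change idempotently: it appends a parameter to GRUB_CMDLINE_LINUX_DEFAULT only if it is not already there, keeps a .bak copy, and leaves every other line alone. It assumes the stock Ubuntu layout where the value is double-quoted on a single line; the demonstration at the bottom works on a constructed temp file, not the real /etc/default/grub.

```shell
#!/bin/sh
# Added example, not code from the original post.
# add_grub_param <grub-default-file> <param>
#   Appends <param> to GRUB_CMDLINE_LINUX_DEFAULT="..." if absent.
#   Assumes the value is double-quoted on one line (stock Ubuntu file).

# Print the current default command line without the surrounding quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

add_grub_param() {
    file=$1
    param=$2

    # No such line yet: add one holding just this parameter.
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
        return 0
    fi

    current=$(grub_cmdline "$file")

    # Already present as a whole word: nothing to do (idempotent).
    case " $current " in
        *" $param "*) return 0 ;;
    esac

    if [ -z "$current" ]; then
        new=$param
    else
        new="$current $param"
    fi

    # Keep a backup, then rewrite only the one line via a temp file
    # (portable across GNU and BSD sed, unlike sed -i).
    cp -p "$file" "$file.bak"
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration on a constructed copy (not the real /etc/default/grub).
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$demo"
add_grub_param "$demo" acpi_osi=Linux
add_grub_param "$demo" acpi_osi=Linux    # second call changes nothing
grub_cmdline "$demo"                      # quiet splash acpi_osi=Linux
rm -f "$demo" "$demo.bak"
```

On a real system, run it against /etc/default/grub as root and then run `sudo update-grub` so the change reaches the generated grub.cfg; editing /etc/default/grub alone does not take effect.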

I also installed “eee-control-tray” from the repositories for better control over the camera, touchpad, etc.  The only thing I do not like is the touchpad, in fact.  When scrolling on a web page, it likes to keep scrolling whenever I move it into the page to click on a link.  I use a USB wireless mouse now.  We are taking this thing everywhere we go now.

Now Using Kubuntu 10.04 Lucid Lynx…

Well, I finally upgraded my work machine from Jaunty to Lucid about a month ago, and really liked what I saw.  I was using 64-bit, and got sick and tired of all the little issues with flash, Java, and Acrobat Reader, so I switched to 32-bit instead.  KDE4 seems much more stable and polished now, and I can now sign PDFs with my smartcard in Acrobat Reader.  Since it worked so well at work, I went ahead and upgraded at home after a couple weeks.  This involved swapping my media computer with my main computer (the old RAID SATA setup I have is getting a little squirrelly), and rebuilding both.  The RAID computer was built using the Alternate Install ISO, which worked well.  In both cases, I lost no data unless I chose to, so the 300 GB of movies I had copied from our DVDs was wiped from the old media server.  I figure I can always recopy them in a smaller format later.  Yesterday, I updated my wife’s laptop, completely rebuilding it (wiped everything after backing up the user data).  I restored her data later and nothing was lost.

Some common things I am doing to customize my Lucid installs of Kubuntu are:

  1. sudo wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list && sudo apt-get --quiet update && sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring && sudo apt-get --quiet update (from https://help.ubuntu.com/community/Medibuntu)
  2. sudo apt-get --yes install app-install-data-medibuntu apport-hooks-medibuntu
  3. sudo apt-get install libdvdcss2 w32codecs
  4. Update to a later kernel (currently 2.6.35-17) – sudo add-apt-repository ppa:kernel-ppa/ppa && sudo apt-get update
  5. sudo apt-get install linux-headers-2.6.35-17 linux-headers-2.6.35-17-generic linux-image-2.6.35-17-generic linux-maverick-source-2.6.35
  6. Update to a later version of KDE4 (currently KDE 4.4.5) – sudo add-apt-repository ppa:kubuntu-ppa/ppa && sudo apt-get update && sudo apt-get dist-upgrade

So far, things work very well.  The computer with squid, squidGuard, and dansguardian is not going to be upgraded, however.  Another thing – no more XFS.  I now use EXT4 with everything, and have a separate /boot partition.  This is so I can more easily convert to btrfs when 2.6.36 comes out.  I read that btrfs suffered a large performance regression in the 2.6.35 kernel, so I will hold out for the 2.6.36 kernel instead.

Wireless Dilemma and Kubuntu 9.04 Network Manager…

While upgrading my kid’s computer and installing the web proxy and filter (see article titled “SquidGuard Blacklists…“), I ran across a real problem.  Wireless would start only after a user logged into their desktop, so the system had no IP address until then.  However, without an IP, Dansguardian would fail to start.  I tried scripting the problem away, essentially waiting indefinitely until a periodic check showed an IP address in use and then starting the services, but this did not work.  I played around with making an init script under /etc/init.d and using “update-rc.d” to create the proper sym links.  This also did not work.  I tried manually defining the wireless network using /etc/network/interfaces and creating a /etc/wpa_supplicant.conf file.  This did not work.

It was then I remembered a server I had built at work, using Ubuntu 9.04, in which I had stripped off all of the GUI/desktop stuff, leaving a bare-bones server instead.  It worked fine on the network, and did not have Network Manager installed.  Looking in the init script folder under /etc/init.d, I found a NetworkManager service, so I made it non-executable (“sudo chmod -x /etc/init.d/NetworkManager“), and ran “sudo update-rc.d -f NetworkManager remove” to get rid of the startup links.  After that, the wireless network started on boot just fine, with no need for user interaction, and the services for the proxy and filters started flawlessly (I added them into /etc/network/interfaces).

So, Network Manager was stepping all over /etc/network/interfaces.  Not anymore.  I could have removed the package, but other packages will then be removed, and I don’t want that.

For someone having trouble with their manual wireless setup, here are my scrubbed /etc/network/interfaces and /etc/wpa_supplicant.conf files:

/etc/network/interfaces:

auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant.conf

# added 10-18-09 for proxy filter
pre-up iptables-restore < /etc/iptables.rules
post-up /usr/local/squid/sbin/squid
post-up /usr/local/dansguardian/sbin/dansguardian
post-down iptables-save -c > /etc/iptables.rules

/etc/wpa_supplicant.conf:

network={
ssid="myssid"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
psk="my-key-phrase"
}

This is for a WPA2 wireless setup (SSID and passphrase are bogus, of course).  Hope this helps someone.
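Because /etc/wpa_supplicant.conf holds the network credential and is read by root at boot, it is worth checking a few things before pointing `wpa-conf` at it. The following is an added example, not part of the original post: a POSIX shell function that audits a wpa_supplicant.conf for the points a defender cares about, namely file permissions, a passphrase stored in the clear (a quoted `psk="..."`, which `wpa_passphrase(8)` can replace with the derived 64-hex-digit PSK), `proto=WPA` alone (original WPA rather than WPA2/RSN), and TKIP left in the allowed cipher lists. It assumes GNU coreutils (`stat -c`) on a Linux host; the demonstration file at the bottom is constructed and mirrors the scrubbed config above.

```shell
#!/bin/sh
# Added example, not code from the original post.
# audit_wpa_conf <file>  prints one finding per line; silent when clean.
# Assumes GNU coreutils (stat -c) and grep -E, i.e. a Linux host.

audit_wpa_conf() {
    conf=$1

    # The file carries the network credential: only root should read it.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode: psk is readable by others, chmod 600 $conf" ;;
    esac

    # psk="..." is the passphrase itself.  wpa_passphrase(8) derives the
    # 64-hex-digit PSK from SSID and passphrase; writing that hex value as an
    # unquoted psk= keeps the passphrase off the disk (the PSK still grants
    # access, hence the permission check above).
    if grep -Eq '^[[:space:]]*psk="' "$conf"; then
        echo "psk is a quoted passphrase; store the 64-hex PSK from wpa_passphrase instead"
    fi

    # proto=WPA alone selects the original WPA; RSN (alias WPA2) is WPA2.
    if grep -Eq '^[[:space:]]*proto=WPA[[:space:]]*$' "$conf"; then
        echo "proto=WPA: original WPA only, prefer proto=RSN"
    fi

    # TKIP in pairwise/group lets the station fall back to the legacy
    # cipher; restrict both to CCMP when the access point supports it.
    if grep -Eq '^[[:space:]]*(pairwise|group)=.*TKIP' "$conf"; then
        echo "TKIP allowed as a cipher; restrict pairwise and group to CCMP"
    fi
}

# Number of findings, handy for scripting (0 means the file passed).
wpa_finding_count() {
    audit_wpa_conf "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed file (bogus SSID and passphrase, as in
# the post); not the real /etc/wpa_supplicant.conf.
demo=$(mktemp)
cat > "$demo" <<'EOF'
network={
ssid="myssid"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
psk="my-key-phrase"
}
EOF
chmod 644 "$demo"
audit_wpa_conf "$demo"    # three findings: mode, quoted psk, TKIP
rm -f "$demo"
```

Run against the real file as root (`audit_wpa_conf /etc/wpa_supplicant.conf`); the config shown in the post would pass once it is mode 600, uses the hex PSK, and lists only CCMP.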

SquidGuard Blacklists…

Here is a listing of some sites that have actively managed blacklists freely available for non-commercial download:

Shalla Secure Services
Blacklists UT1
MESD Blacklists (not sure how current this one is)

Anyway, I updated the getlists.sh script from the HOWTO – Child-Proofing Internet Access on Kubuntu article. It was failing because squidGuard kept failing to find files and going into emergency mode when run with “-C all” to build databases. By also running it with the -d option, I was able to see where it was failing. The Norway site was not permitting the blacklist download to occur, so I found these other sites and wrote that into the script. By doing that and adjusting my squidguard.conf file (commented out the “not_ok” ACL block), as well as by creating files that it could not find (copied ok/domains.db to ok/domains and adult/very_restrictive_expressions to adult/expressions and porn/expressions), the script now ran without errors to completion.

The script is updated here and on the linked article.
getlists.sh (pdf file)
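The emergency-mode failure described above comes down to squidguard.conf naming list files that are not present under dbhome. As an added example (not part of the original post or of getlists.sh), here is a POSIX shell pre-flight check to run before `squidGuard -C all`: it reads dbhome and every domainlist/urllist/expressionlist entry from a squidguard.conf and prints the paths that do not exist, so the gap is found before the database build rather than from the -d trace. It assumes the standard squidGuard configuration syntax; the config and directory tree in the demonstration are constructed, not a real install.

```shell
#!/bin/sh
# Added example, not code from the original post or from getlists.sh.
# missing_squidguard_lists <squidguard.conf>
#   Prints each list file referenced by the config that does not exist.
# Assumes standard squidGuard syntax: a "dbhome <dir>" line, and
# domainlist / urllist / expressionlist entries inside dest blocks,
# with relative paths resolved against dbhome.

missing_squidguard_lists() {
    conf=$1
    # Directory that relative list paths are resolved against.
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")

    # Every list entry, one path per line (comments start with # in $1,
    # so they never match).
    awk '$1 == "domainlist" || $1 == "urllist" || $1 == "expressionlist" { print $2 }' "$conf" |
    while read -r rel; do
        case "$rel" in
            /*) path=$rel ;;              # absolute path, used as is
            *)  path="$dbhome/$rel" ;;    # relative to dbhome
        esac
        [ -f "$path" ] || echo "$path"
    done
}

# Exit status form for scripts: 0 when every referenced list exists.
squidguard_lists_ok() {
    [ -z "$(missing_squidguard_lists "$1")" ]
}

# Demonstration on a constructed tree (not a real squidGuard install).
demo=$(mktemp -d)
mkdir -p "$demo/porn" "$demo/ok"
: > "$demo/porn/domains"
: > "$demo/porn/urls"
: > "$demo/ok/domains"
cat > "$demo/squidguard.conf" <<EOF
dbhome $demo
logdir /var/log/squid

dest porn {
    domainlist porn/domains
    urllist porn/urls
    expressionlist porn/expressions
}

dest ok {
    domainlist ok/domains
}

acl {
    default {
        pass ok !porn all
        redirect http://localhost/blocked.html
    }
}
EOF
missing_squidguard_lists "$demo/squidguard.conf"   # $demo/porn/expressions
if squidguard_lists_ok "$demo/squidguard.conf"; then
    echo "all lists present"
else
    echo "some lists missing; squidGuard -C all would enter emergency mode"
fi
rm -rf "$demo"
```

In a getlists.sh-style script the natural place for this is right after the downloads and before the `-C all` step, aborting (or creating the missing list files deliberately) when anything is reported.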

SSH Link to Remember…

This is good – it summarizes all kinds of tips and resources.  I do not want to forget this one, so here it is forever…

http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
