Penguins in a Strange Land

I’ve been late to update to Fedora 12, and I’ve kept my installation at Fedora 11. Oh, but I couldn’t update my kernel either. It seems the following module is to blame:

$ modinfo ssb
filename: /lib/modules/2.6.29.4-167.fc11.i586/kernel/drivers/ssb/ssb.ko
license: GPL
description: Sonics Silicon Backplane driver
srcversion: A3AE34BE4010797EEEB08AF
....


What is ssb.ko? Well, according to Kconfig in the corresponding source directory, it’s probably related to some Broadcom device.

Now that I know the culprit, I can continue the installation. Oh, I installed Fedora 12 by dd(1)ing the ext4 filesystem in LiveOS/ext3fs.img (that itself is in LiveOS/squashfs.img in the LiveCD image) under my old installation of Fedora 11. That allowed me to download and compile the wireless driver (in package kmod-wl) without requiring a cabled network.

So, how to disable the module? In the installed system, just add a line in /etc/modprobe.d/blacklist.conf. As for when booting, LiveCD or system? Well, by grep(1)ing the contents of the initrd, it’s by using the following parameter: rdblacklist=ssb.

And how did I found out this module was the culprit? Booting with the arguments: udevtrace udevlog init=/bin/bash

I was booted directly to bash, then did: strace -f -e open /sbin/start_udev

udevd will start, serializing the events, and being a little slower, allowing me to see the point of failure.

Now, to migrate the configuration…

So, you have a Linux system and want to show its hawtness to random stranges, but without having them mess with the system permanently? And use that account for those airport checks automatically? Well, it’s easy.

1. Disable remote login for the guest account:

   echo DenyUsers guest >> /etc/ssh/sshd_config
   service sshd condrestart
   

2. Create the guest account:

   adduser guest

3. Make the guest account home directory a filesystem in RAM:

   echo "guest /home/guest tmpfs size=20%,
     mode=0700,uid=$(id -u guest),gid=$(id -g guest) 0 0" >> /etc/fstab
   

4. And finally configure the system to automatically login as guest:

   echo '
   [daemon]
   TimedLoginEnable=true
   TimedLogin=guest
   TimedLoginDelay=15
   ' >> /etc/gdm/custom.conf
   

That’s it. On your next reboot, and if you do nothing, you’ll be logged in as guest. If you don’t like that the terminal for the guest user doesn’t include a pretty prompt, you may change the fstab entry, mounting the tmpfs somewhere else, like /home/.guest, and then have a funionfs mount for ~ with /etc/skel on top.

On boot, just make sure to cancel the automatic login, if you want to log in as another user.

There are several reasons for having an encrypted home partition. But usually, everyone should have it, if only for the reason that disks do go bad, and you don’t want to replace it and leave private data behind.

With that in mind, there are several options, depending in your operating system and security requirements. In this howto I’ll be concentrating on pam_mount, using a LUKS encrypted partition. Probably limited to Linux, then. PAM works in many Unix systems, but LUKS may be restricted.

But before beginning, you have to choose between security and speed. By that, I mean choose an encryption and chaining algorithms. For the most security, I recommend aes-xts-plain, with essiv:sha256 for IV calculation. For speed, though, on my netbook, I use blowfish-ecb-plain. Blowfish is slightly faster than AES, and not much less secure, but the ECB chaining mode is the fastest and very much insecure method. So choose wisely. Personally, my data isn’t that important, and if cryptanalysts are interested in it, there are better methods on getting the data: http://xkcd.com/538/

Now that you have chosen the algorithm, it’s time to encrypt your swap partition. That’s right, never forget the swap partition, where sensitive data may be swapped out to:

echo 'swap /dev/sdaX /dev/urandom swap,cipher=blowfish-ecb-plain'
  >> /etc/crypttab
echo '/dev/mapper/swap    swap    swap    defaults    0 0' >> /etc/fstab

Then reboot. Make sure you correct the swap device and replace the current entry in /etc/fstab.

Make a backup of your current home folder, or start from a clean state. Choose the partition you want your home to reside on, and format it as a LUKS device. First, however, you should zero the first megabyte or two, so that the detection code doesn’t mistake it as other filesystem:

dd if=/dev/zero of=/dev/sdaY bs=16M count=1

Take care to erase the correct device! And if it contained sensitive data, then remove the count=1 and let it zero the full partition. Next, format it as LUKS. I’ll be using the less secure algorithm. When asked for a passphrase, enter your user’s.

cryptsetup luksFormat /dev/sdaY --cipher blowfish-ecb-plain --key-size 128

OK, you now have a device formated for encryption. Next step, activate it, and format a real filesystem on top:

cryptsetup luksOpen /dev/sdaY enc

This will create the device: /dev/mapper/enc

For filesystem, choose what you will. I use ext4:

mkfs.ext4 /dev/mapper/enc

Then mount it, and restore your original data. Or start from scratch:

mount /dev/mapper/enc /mnt
cp -a /etc/skell/.[[:alnum:]]* /mnt/
chown user: /mnt -R
umount /mnt

Your home is ready! Unmount it, the job of mounting and unmounting will be done by pam_mount:

umount /mnt
cryptsetup luksClose enc

The preliminaries are done. You have your home in an encrypted device. Now, to configure pajm_mount for automatically mount and unmount it.

Make sure you have pam_mount installed in your system. The package is called like the name in Fedora, and libpam-mount in Debian/Ubuntu. The configuration file is /etc/security/pam_mount.conf.xml, read it, and disable any limitation you’re interested in. Add a line for your user:

<volume user="luciano" path="/dev/sdaY" mountpoint="~" options="" />

Note the empty options key, otherwise some default options may get in your way. Try either way. If you didn’t zero the device, and it gets detected as something else than a LUKS device, then add fstype="crypt_LUKS" to the line. You can see what it is detected as with:

# blkid /dev/sdaY
/dev/sdaY: UUID=".." SEC_TYPE="ext2" TYPE="ext3"

If it doesn’t say LUKS, then you must add the fstype definition.

pam_mount is now set up. Next, configure PAM to use it. There are some particularities for pam_mount, especially because GDM may try to start daemons as your user before you get your home mounted. Created a configuration file that will be include by other PAM-aware services, defining pam_mount

echo '
auth	optional	pam_mount.so
session	optional	pam_mount.so
' >> /etc/pam.d/system-mount

Now, depending on your current PAM configuration, you may get away with doing the following steps only to the /etc/pam.d/system-auth or other generic file, included by services’ definitions. But that is not the case for Fedora 11, and do make sure all services include the generic file first.
In my case, I changed the files:

• /etc/pam.d/sshd
• /etc/pam.d/login
• /etc/pam.d/gdm-password

Now, add the following line as the first auth definition, or as the definition immediately after an selinux permit or close action:

auth        include       system-mount

Also, for session, respecting the selinux thingy:

session     include       system-mount

Now try logging in as the user in a console, or via ssh. You should see the prompt for password as: pam_mount password:
If it works, then try a graphical login. Console is easier, a graphical login may get dbus or keyring programs running before the pam_mount is run, but you’ll prevent that by having the system-mount lines as the first ones.