29 July 2010

line noise and random numbers

"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin"
  -- John von Neumann

Stipulated, but I am beset by closer devils, and I've tinkered with a mild solution I like. Let me tell you more

I've been badgered as some web sites have moved to JavaScript evaluation routines for site passwords. Some require mixed case; others punctuation; no doubled letters; minimum length. Contrariwise, some limit the character set to prohibit what others require

As such, for the last year or so I have been playing with a quick script on my CentOS 5 box to generate a unique password per website, and keep a master index of the userid, email address used, and password used. This of course limits my ability to connect to those sites when away from that list. OpenID roll-in seems to be coming, however, and I have a rather clever device, backed by Verisign, using an inexpensive OTP -- one time password -- hardware token as part of the authentication process

The little generator I wrote is based on simple shell tools -- md5sum, df, date, ps, cut, tr and so forth. It gathers a bit of entropy from a few sources on a few systems around the office, which should be uncorrelated, on a theoretical basis, in the time frames at issue. It does some hashing to get good dispersion. Then it expands into 3 or 4 character vectors, each 16 characters wide, using the hexadecimal digits that md5sum emits as translated by tr: the first three are upper case letters, lower case letters, and digits; the fourth set is selected specials and punctuation, excluding some shell metacharacters. Depending on the -a option, that deck may be limited to the alphanumerics only, or may also stir in the specials

That 'deck of characters' is handed off to a 'repeated cut of the deck' shuffler, and returned mixed once more just for good measure

I then add a 'bumper' of a letter or digit at each end [one site prohibited starting with a special], and a second character of 'bang' to prevent a mouse or panel slip from dropping a password into the bash history

The results are assembled, trimmed to an optionally specified length, and displayed, where I harvest them as mentioned above

Really, passwords need to die, die, die, but that is for another post

[herrold@centos-5 bin]$ for i in `seq 1 10 `; do ./gen-pw.sh ; done
e!~YJAJ{e:sU[4
2!R5K*U#)LoH~2
c!T)T7A10RjS}7
1!cGJ5T@]YjW>4
5!Q+#)K8:@rT]2
8!^)S~FF:5lV<4
b!dJ:TcKK{tQ)9
2!1dEa:fe~mR{4
3!cD1:eH^6wO*d
d!U*5(UEFWsI:e
[herrold@centos-5 bin]$ for i in `seq 1 10 `; do ./gen-pw.sh -a ; done
5ec280RSY5wIfd
0ddQ31EdJGmIdb
7eb52645U1tH06
0bfb401eG1jUa5
c2cT85QY22pS2d
ba8EALA9RRtR1f
35f59JRD6KpN04
7ed956UbA9pV59
402H3YLLR8hR3e
f2a0Aa9J0JrPde
[herrold@centos-5 bin]$

Completely un-memorizable of course, so really only suitable to a protected physical environment where one may write them down

Random number sin, of course, but the cyber-ninja can more readily put my thumb between pliers' jaws than predict the pseudo-random source values I used; I'll readily spill the secret to access my LOL CATS site account. ... I still have to get around to building a few uncorrelated hardware random number generators -- diode based, lava lamp based, dice tumbling machine -- for serious entertaining, I guess
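As an added example, not the author's gen-pw.sh (which is not shown), here is a POSIX shell generator with the same shape: 16-wide per-class vectors built with tr from hex digits, a shuffle of the combined deck, alphanumeric bumpers, the leading 'bang', and trimming to a requested length. It swaps the hashed df/ps/date entropy for /dev/urandom; the function names are this example's own, and the -a flag mirrors the post's.

```shell
#!/bin/sh
# Added example in the shape of the post's gen-pw.sh; not the author's script.
# Entropy comes from /dev/urandom (read with od) rather than hashed system state.
# Usage: gen_pw [-a] [-l LEN]   (-a: alphanumerics only; default LEN is 14)
hex16() {                         # 16 hex digits from the kernel CSPRNG
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

vector() {   # map 16 hex digits onto one 16-wide character class, as tr does in the post
    case $2 in
        upper)   printf '%s' "$1" | tr '0123456789abcdef' 'ABCDEFGHJKMNPQRS' ;;
        lower)   printf '%s' "$1" | tr '0123456789abcdef' 'abcdefghjkmnpqrs' ;;
        digit)   printf '%s' "$1" | tr 'abcdef' '234567' ;;
        special) printf '%s' "$1" | tr '0123456789abcdef' '!#%+,:=?@^_{}~()' ;;  # no shell metas
    esac
}

shuffle() {                       # Fisher-Yates over the characters of $1
    deck=$1 out=""
    while [ -n "$deck" ]; do
        n=${#deck}
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        i=$(( r % n + 1 ))        # 1-based pick; modulo bias is negligible for n <= 64
        out=$out$(printf '%s' "$deck" | cut -c"$i")
        pre=""
        if [ "$i" -gt 1 ]; then pre=$(printf '%s' "$deck" | cut -c1-$((i-1))); fi
        deck=$pre$(printf '%s' "$deck" | cut -c$((i+1))-)
    done
    printf '%s' "$out"
}

gen_pw() {
    alnum=0 len=14
    while [ $# -gt 0 ]; do
        case $1 in -a) alnum=1 ;; -l) shift; len=$1 ;; esac
        shift
    done
    deck=$(vector "$(hex16)" upper)$(vector "$(hex16)" lower)$(vector "$(hex16)" digit)
    bang='!'
    if [ "$alnum" -eq 1 ]; then bang=""; else deck=$deck$(vector "$(hex16)" special); fi
    # bumpers: an alphanumeric at each end (one site refused a leading special); the '!'
    # makes an accidental paste into interactive bash trip history expansion instead
    front=$(vector "$(hex16)" lower | cut -c1)
    back=$(vector "$(hex16)" digit | cut -c1)
    body=$(shuffle "$deck" | cut -c1-$((len - 2 - ${#bang})))   # trim body so total is LEN
    printf '%s\n' "$front$bang$body$back"
}
gen_pw; gen_pw -a -l 20
```

The body is at most the deck width (48 or 64 characters), so very large -l values are silently capped.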

27 July 2010

Letters, we get letters ...

His mother must be so proud to have raised such a pottymouth:


Date: Tue, 27 Jul 2010 15:01:39 +0000
From: BOBBY RAY MCALLISTER
To: centosweb@centos.org
Subject: www.centos.org - Contact the CentOS WebMaster Form

BOBBY RAY MCALLISTER submitted the following Information:
Email BLACKTHORNE4440@AOL.COM
URL AIN'T GOT ONE
ICQ NONE OF THEM, EITHER
Company AIN'T WORKING
Location U.S. OF FUCKING A.
Comments

NO MORE. NO FUCKING MORE OF YOUR BULLSHIT SOLICITATIONS FOR "THIRD PARTIES"
TO ME, MOTHERFUCKERS. THE NEXT ONE GETS COPIED TO THE FTC AS WELL AS FBI
FOR PROSECUTION UNDER ANTI-SPAM STATUTES. I HAVE ASKED YOU TO MAKE FUCKING
WELL SURE TO DELETE MY ADDRESS, AND I STILL GET BULLSHIT FROM YOUR STUPID
FUCKING ASSHIOLE MOTHERFUCKING CLIENTS.

Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; Trident/4.0;
GTB6.5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

The template CentOS placeholder web page, which is found when people place IP addresses from mail headers into a web browser address bar and hit an unconfigured system, makes it quite clear that we merely supply an operating system, of course. I thought we went through all of this years and years ago with the Tuttle, Oklahoma to and fro. Reading with comprehension must be a rare skill; civility, rarer still

The end headers indicate this person has 'hit the trifecta': Windows, AOL, and Media Center. Sadly, the salesperson who sold him those fine products must have also sold him a teletype as the console to use as well, as it is in ALL CAPS

Amazing stuff. I see that I need to amend that form to show originating IP, and perhaps put it under a 'captcha' to ensure at least some ability to read before posting

This one needs to be written while it is fresh

I write about CentOS, annoyances, and nuisances all the time. Lest people consider me a grumpy old man, never pleased, I'll drop my guard a bit here and now, and perhaps just this once

I just posted this in Joe Landman's comments section to his blog, but it might get lost. It bears repeating

Russ Herrold says:
July 26, 2010 at 6:23 pm

Hi, Joe

I have not had the chance to write the blog post, but it will get written.

My Dell laptop died, and I sent it to the following folks for refurb, based on some strong recommendations in a TX LUG mailing list

It came back fine, but then died.

http://twitpic.com/20p796

jailhouse stripes on the laptop

I was a slacker and did not ship it back right away. Even after the warranty interval expired, however they took it thru their intake, ID’d a bad video card they had added during the refurb, and swapped it out. gratis

And then shipped it back to me FedEx ... again gratis

One guess who I’ll be using from now on, for out of warranty repairs of Dell kit

http://www.parts-people.com/
512-339-1990

Tell them I sent you ;) Please say 'thanks again' for me

– Russ herrold

20 July 2010

Checklist: RO FTP server setup

Setting up a new RO FTP server setup

The primary use case we describe is how to deploy a read-only FTP server with no end user accounts, to be used for distribution of content (here, a 'hotfix' archive for publicly accessible binary updates, accessible through yum). We need this to work around a temporarily broken update in CentOS space. We can also use it to add additional packages under the mediation of the rpm package database

We start with a hardened PMman instance. A secondary purpose of this post is to work from first principles through adding a proper local 'forked packages' archive, as a worked example for CentOS users to follow. At all times we will strive to follow proper sysadmin 'best practices' discipline under SELinux, wrappers and iptables

  1. Install and enable vsftpd, which is the package holding the stock ftp daemon -- yum can do this trivially

    yum install vsftpd

    Then enable the ftp server:

    /sbin/chkconfig vsftpd on

    and create a pilot file to look for in later testing:

    mkdir -p /var/ftp/pub/mirror
    echo test > /var/ftp/pub/mirror/README.txt
  2. Run updates, just 'because' and as a matter of good sysadmin practice

    yum update
    yum clean all
  3. Open wrappers to permit anonymous FTP connections. We edit /etc/hosts.allow and add:

    vsftpd: ALL@ALL
  4. Amend the iptables rules to allow ftp. The file /etc/services reminds us that FTP normally lives at TCP port 21

    1. Amend /etc/sysconfig/iptables-config to include 'ip_conntrack_ftp' in the 'IPTABLES_MODULES=' list

      IPTABLES_MODULES="ip_conntrack_ftp "
    2. and then, in /etc/sysconfig/iptables we add a line to pass FTP content:

      -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

      [Note: this must stay on a single line in the file; iptables does not support the shell backslash continuation convention in its config files]

  5. Run the unit through a reboot, both to 'set' the updates by stopping use of any libraries held open through that update, and also to ensure that it works as expected after a 'hands off reboot'

  6. Test from a remote host that FTP works as expected

    [herrold@centos-5 ~]$ lftp 198.49.244.190
    lftp 198.49.244.190:~> cd /pub/mirror
    cd ok, cwd=/pub/mirror
    lftp 198.49.244.190:/pub/mirror> ls
    -rw-r--r-- 1 0 0 5 Jul 20 16:56 README.txt
    lftp 198.49.244.190:/pub/mirror> cat README.txt
    test
    5 bytes transferred
    lftp 198.49.244.190:/pub/mirror> exit
    [herrold@centos-5 ~]$

    ... great

At this point, we have a working RO anonymous ftp server, and can populate it with content.
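Added example, not part of the checklist: a shell audit of the files the steps above edit, run here against a constructed sample tree (pass / to inspect the real host). The vsftpd.conf keys it checks (anonymous_enable, local_enable, write_enable, anon_upload_enable) are assumed from vsftpd and not taken from the post; it also rejects the port 21 rule when it has been split across two lines, the trap the note in step 4.2 warns about.

```shell
#!/bin/sh
# Added example, not from the post: audit the files the checklist edits plus the
# read-only, anonymous-only invariant. Paths hang off $1, so it runs against "/" on
# the real box or against the constructed tree built by make_sample below.
has_line() { grep -Eq -- "$1" "$2" 2>/dev/null; }   # 0 if FILE has a line matching ERE

audit_ro_ftp() {
    root=$1 fails=0
    # step 3: wrappers
    has_line '^vsftpd:[[:space:]]*ALL' "$root/etc/hosts.allow" \
        || { echo "FAIL hosts.allow: no vsftpd entry"; fails=$((fails+1)); }
    # step 4.1: conntrack helper so the FTP data connection is tracked
    has_line '^IPTABLES_MODULES=.*ip_conntrack_ftp' "$root/etc/sysconfig/iptables-config" \
        || { echo "FAIL iptables-config: ip_conntrack_ftp missing"; fails=$((fails+1)); }
    # step 4.2: the port 21 rule, which must be ONE line (no '\' continuation in that file)
    has_line '^-A RH-Firewall-1-INPUT .*--dport 21 -j ACCEPT$' "$root/etc/sysconfig/iptables" \
        || { echo "FAIL iptables: no single-line port 21 ACCEPT rule"; fails=$((fails+1)); }
    # read-only, no user accounts: vsftpd.conf keys (assumed; the post does not show them)
    conf=$root/etc/vsftpd/vsftpd.conf
    has_line '^anonymous_enable=YES' "$conf" \
        || { echo "FAIL vsftpd.conf: anonymous_enable is not YES"; fails=$((fails+1)); }
    for key in write_enable local_enable anon_upload_enable; do
        if has_line "^$key=YES" "$conf"; then
            echo "FAIL vsftpd.conf: $key=YES on a read-only server"; fails=$((fails+1))
        fi
    done
    return $fails
}

make_sample() {   # constructed tree mirroring the checklist; illustrative, not a real host
    root=$1
    mkdir -p "$root/etc/sysconfig" "$root/etc/vsftpd"
    printf '%s\n' 'vsftpd: ALL@ALL' > "$root/etc/hosts.allow"
    printf '%s\n' 'IPTABLES_MODULES="ip_conntrack_ftp "' > "$root/etc/sysconfig/iptables-config"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT' \
        > "$root/etc/sysconfig/iptables"
    printf '%s\n' anonymous_enable=YES local_enable=NO write_enable=NO > "$root/etc/vsftpd/vsftpd.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
audit_ro_ftp "$tmp" && echo "audit: OK"
rm -rf "$tmp"
```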

15 July 2010

Free for some people just means they are not footing the bill ... maybe

I see the following in the New York times today:

Health Plans Must Provide Some Tests at No Cost
By ROBERT PEAR

Published: July 14, 2010

WASHINGTON — The White House on Wednesday issued new rules requiring health insurance companies to provide free coverage for dozens of screenings, laboratory tests and other types of preventive care.

The new requirements promise significant benefits for consumers — if they take advantage of the services that should now be more readily available and affordable.

In general, the government said, Americans use preventive services at about half the rate recommended by doctors and public health experts.

The rules will eliminate co-payments, deductibles and other charges for blood pressure, diabetes and cholesterol tests; many cancer screenings; routine vaccinations; prenatal care; and regular wellness visits for infants and children. ...

I assume that the reporter no longer believes in the tooth fairy. The article is tailored as news, and placed in that section of the paper (Page A16) by the Times editors. It has a laundry list of wonderful tests and services that no 'right thinking' person can deny are useful and desired

But the suggestion is a 'promise [of new] significant benefits for consumers — if [only] they take advantage of the services' without a corresponding cost for getting there. No hint nor argument is made that such 'medical' services are unavailable for private purchase already

Indeed, at the end of the day, there is no support for the headline writer's assertion of 'no cost', and the reporter is quite willing to disregard the pesky question of how to pay for this largess. Clearly these tests are not free, and when accounts are settled these costs will either pass through in a rate base, or the provider will exit a market it cannot make money in, or the insurance market will wither and die as 'the government' provides an 'option' that picks up the tab ... . But the problem is -- 'the government' at whatever level likewise needs to get the money to pay for such happy healthiness, and from the very same pool of people 'benefited'

It is not at all clear that the transaction friction of a single government payer works at all well, or that having no choice but 'insurance' through government once the private insurers die is a good thing at all. In watching the 'response' of the government to the oil spill in the Gulf, it is patently clear that government 'oversight' has slowed the response, as BP has become risk averse to the (reasonable) prospect of being second-guessed at every turn, and so is seeking prior governmental approval before acting in the remediation. The case can be made that playing 'Mother may I?' has harmed the Gulf more than the prior approach

Do we really think that a central government single point of control is going to react as well and quickly as a local doctor on the scene, when Aunt Minnie is lying, dying under an oxygen tent and needs some immediate surgery? Under the current system, the doc knows that he'll get paid, perhaps only in part of what is billed as a 'list price' for a procedure, but eventually, from the present model

But that is the end game, anyway, right? Vote and mandate 'bread and circus entertainment' ... until the producers all surrender and act to stop being charged for 'free' benefits to the consumers

'The problem with socialism is that eventually you run out of the other people's (willing to be robbed of their) money'

05 July 2010

SELinux other voices

The RHCE in channel from my last post complains I was too hard on him or her. That person also points out they used a different approach for building the new policy file, which permits more atomicity in maintaining several policies (here, sorting by daemon). While I invited reply by way of a formal post to that person, it appears that this is their 'final word' ("topic closed") on the matter. As such I note it here for those of you playing along at home:

grep vsftpd /var/log/audit/audit.log | \
   audit2allow -M vsftpd
semodule -i vsftpd.pp
vi vsftpd.te
checkmodule -M -m -o vsftpd.mod vsftpd.te
semodule_package -o vsftpd.pp -m vsftpd.mod
semodule -i vsftpd.pp

More information that is accurate is better than less. Clearly there are many paths to rule generation and maintenance. The takeaway remains: Use, and do not disable, SELinux

Thanks for the feedback

SELinux sanity outline

Rusty Coker mentioned in a recent blog post that he had not found a COLO facility or VM provider that enabled SELinux in its hosts by default. People regularly whine 'It's too hard' and 'I don't need it', and disable the SELinux protections. Foo

I call bull on the latter. As to the former, I sent a private email to Rusty and offered to 'comp' him an instance to break

If anyone knows of a virtual hosting company that runs Xen or KVM virtual machines with SE Linux support then please let me know, I'll write a blog post comparing such companies if there are some.

umm -- I would be embarrassed to be a hosting provider which did NOT enable SElinux

Please feel free to set up a 'comp' account at:
http://www.pmman.com/signup/
at the green arrow. Use the [please do not repeat this] 'Offer Code' of: ...

... I repeated the offer at his blog's comment site

And the question came up today in the #centos IRC channel

13:52 Andro1d> orc_orc: how can i recompile a pp from a te ?
13:53 Andro1d> checkmodule -M -m -o vsftpd.mod vsftpd.te gives a lot of errors :-/
13:53 orc_orc> ehh?
13:53 wolfy> Andro1d:
http://wiki.centos.org/HowTos/SELinux [CentOS wiki]
13:53 orc_orc> make a working dir -- say:
mkdir -p /etc/selinux/targeted/foo
and cd into it
13:54 orc_orc> Gather all the selinux noise:
audit2allow -i /var/log/audit/audit.log* -m local > local.te
13:54 Andro1d> hm, I think I'm missing some types in my .te file
13:54 orc_orc> Note the '*' in that prior line, which reads all log files present
13:54 Andro1d> mom...
13:54 orc_orc> Install the selinux-devel package for the needed Makefile
13:54 Andro1d> don't wanna make a "huge" selinux policy :)
13:54 orc_orc> Then run:
make -f /usr/share/selinux/devel/Makefile
13:55 orc_orc> and apply it:
semodule -i local.pp
13:55 orc_orc> Test again
13:55 Andro1d> yop, mompl
13:55 orc_orc> When happy, be sure to save a versioned copy, because SELinux audit file ageing will cause you to forget what was needed in that merge
13:55 orc_orc> For extra credit, amend:
/etc/audit/auditd.conf
to retain a sensible universe of back logs
13:56 orc_orc> '4' is wayyy too small

wolfy (a channel regular who offers reliable answers) pointed to the CentOS secondary source answer in the wiki; this post will also pass into our planet as yet another piece of documentation and 'cheatsheet'. You saw a self-described RHCE (and he was proud of it coming into the channel today) doing that whimpering for his mommy as I read him the 'riot act'. I don't care in the least that this is new and 'hard' -- growing and learning new tools is part of the Unix culture, always has been, and always will be. That is why I try to make #centos a learning venue rather than a drive-by 'spoon-feeding' shop

How many times do we need to bang the SELinux drum to get your attention?

Yes, you lazy slogs of alleged sysadmins who simply disable SELinux, I am talking to YOU! Yep, words are hard to memorize, but this is a basic 'lather, rinse and repeat' cycle which one can solve experimentally, if not predictively from knowledge of what is happening. Run a tail -f /var/log/audit/audit.log if you must, to see when the rule set needs to be rebuilt

But stop disabling SELinux and stop making excuses