ZeroBSD

A n00b's adventure in the wonderful realm of OpenBSD.

Simple password generator

While reevaluating my security practices, I came to the conclusion that my password system is a mess. For obvious reasons, I won’t talk about it much, but I realized that having a handy password generator would be a good idea. After searching a few minutes for hints and solutions, I came up with two methods that work out of the box on an OpenBSD machine, without needing any package beyond the default base system.

Here’s the first one:

dd if=/dev/urandom count=200 bs=1 2>/dev/null|tr "\n" " "|sed 's/[^a-zA-Z0-9]//g'|cut -c-16

It’s a little cryptic for a newbie (because of sed), but what you have to remember is that it generates a 16-character password, and that modifying the last argument changes the password length. It reads from the /dev/urandom device, so it should be safe enough.

The second method uses OpenSSL:

openssl rand -base64 16

Careful: depending on the length you pass, the output of this command may end in “==” (base64 padding), but you can get rid of this by adjusting the length.

Now, you can use either of these commands to get a pretty secure password. But to increase its randomness, I use a shell script that generates two strings, one with each method, and places a special character between them (it can be “@”, “#”, “$”, “%”, anything you like).

Here’s my script:

#!/bin/sh
# first part: 6 random bytes from OpenSSL, base64-encoded
part1=$(openssl rand -base64 6)
# second part: 9 alphanumeric characters taken from /dev/urandom
part2=$(dd if=/dev/urandom count=200 bs=1 2>/dev/null|tr "\n" " "|sed 's/[^a-zA-Z0-9]//g'|cut -c-9)
echo "$part1%$part2"

You can easily tweak the length of each of the two strings and the special character between them. The example above gives you a 16 (6+1+9) character password, with the “%” character between the two strings.
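One thing the fixed count=200 hides is that only about a quarter of the random bytes survive the alphanumeric filter (roughly 48 of 200 on average), so asking the one-liner for a longer password than that would silently return a shorter one. Also note that openssl rand -base64 counts bytes, not output characters: 6 bytes become 8 base64 characters. The following is an added example, not the post’s script: a generator that keeps reading /dev/urandom until it has enough characters, plus a split variant with a separator like the one above. The function names genpw and genpw_split are my own.

```shell
#!/bin/sh
# Added example (not from the original post): alphanumeric password
# generator that keeps reading /dev/urandom until it has collected
# enough characters, instead of trusting a fixed byte count.
# Usage: genpw [LENGTH]   (default 16)

genpw() {
    len=${1:-16}
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        # 64 random bytes yield roughly 15 alphanumerics on average;
        # tr -dc deletes every byte outside the allowed set.
        chunk=$(dd if=/dev/urandom bs=64 count=1 2>/dev/null | LC_ALL=C tr -dc 'A-Za-z0-9')
        pw="$pw$chunk"
    done
    # Trim to exactly the requested length.
    printf '%s\n' "$pw" | cut -c-"$len"
}

# Same idea with a separator in the middle, like the post's script:
# genpw_split LEN1 LEN2 SEP  (defaults 6, 9 and "%")
genpw_split() {
    printf '%s%s%s\n' "$(genpw "${1:-6}")" "${3:-%}" "$(genpw "${2:-9}")"
}
```

Run it as `genpw 32` or `genpw_split 6 9 '#'`; the loop makes the length argument honest for any value, which the fixed count=200 pipeline cannot promise.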

The value of good documentation

One of the strengths of OpenBSD is its documentation. I’m really glad that the developers take it seriously, since a good manual page can save you a lot of time and trouble. Here’s an example: I was trying to sort a text file and remove duplicates. The file was above 200 MB. My first approach was the following:

cat list.txt | sort | uniq > list_m.txt

But after a few seconds, I received the following error:

sort: /var/tmp/sort.G2bEcvsPlX: Too many open files

Let’s break it down:

$ sort -o list_s.txt list.txt

Same error. So it’s related to sort, not to cat or uniq. First impulse: search whether others had the same error. No relevant answers in the first minutes. Should I ask this on a forum? Maybe on the mailing list? That was my second impulse. But wait, let’s read the manual for sort. Tried with the following arguments:

$ sort -o list_s.txt list.txt

Same error.

Ok, let’s keep reading. The last paragraph reads:

BUGS
     To sort files larger than 60Mb, use sort -H; files larger than 704Mb must be sorted in smaller pieces, then merged.

There I have it! Good documentation doesn’t just provide a quick fix for a problem; at the same time it reduces pollution and cacophony on forums and mailing lists. And it feels good finding out the answer all by yourself.
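The second half of that BUGS entry, sorting in pieces and then merging, is what you need once even sort -H runs out of room. Here is an added example of that approach, not something from the post or the OpenBSD manual: split the input into fixed-size pieces, sort each piece on its own, and let sort -m merge the sorted pieces while -u drops the duplicates that uniq would otherwise remove. The function name sort_in_pieces and the sample data are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sort and de-duplicate a
# large file in pieces and merge them, the approach the sort(1) BUGS
# section recommends for files too big to sort in one go.
# Usage: sort_in_pieces INPUT OUTPUT [LINES_PER_PIECE]

sort_in_pieces() {
    in=$1; out=$2; chunk=${3:-100000}
    work=$(mktemp -d) || return 1
    # Split into fixed-size pieces, each small enough to sort in memory.
    split -l "$chunk" "$in" "$work/piece."
    for p in "$work"/piece.*; do
        # sort reads the whole input before writing, so -o in place is safe.
        sort -o "$p" "$p"
    done
    # -m merges already-sorted inputs without re-sorting; -u keeps one
    # copy of each line, so no separate uniq pass is needed.
    sort -m -u "$work"/piece.* > "$out"
    rm -rf "$work"
}

# Constructed sample input: duplicates spread across pieces of 2 lines.
demo() {
    tmp=$(mktemp)
    printf 'b\na\nc\na\nb\nd\n' > "$tmp"
    sort_in_pieces "$tmp" "$tmp.out" 2
    cat "$tmp.out"
    rm -f "$tmp" "$tmp.out"
}
```

On a real 200 MB list you would pick a piece size of a few hundred thousand lines; the merge step only ever holds one line per piece in memory.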

Setting your dpi

For a pleasant desktop experience, it’s generally a good idea to have your X server run with 96 dpi (dots per inch). Other values might work as well, but I found this to be the perfect choice for my machine. Usually, the system would set this dpi value correctly, but if it doesn’t or if you want to make sure it will not miss, look at your /etc/X11/xdm/Xservers file and find the line that looks something like this:

:0 local /usr/X11R6/bin/X :0 vt05

Modify it to look like this (basically just insert the '-dpi 96' switch, as shown):

:0 local /usr/X11R6/bin/X -dpi 96 :0 vt05

Restart your X server. Now you’ll surely have a desktop manager with 96 dpi resolution. Nice, isn’t it?

Permalinks and .htaccess

If you host a Wordpress blog, like I do, you may want to enable those pretty permalinks. The Wordpress documentation will tell you what kind of .htaccess file you need in your base folder (meaning the same folder where the index.php of your Wordpress website is located). That’s helpful, but you still need to do a few tricks to get it running on OpenBSD, if you don’t want to end up seeing 404 errors all the time.

First of all, check if mod_rewrite is enabled for your httpd, by making sure that you have uncommented the following line from your /var/www/config/httpd.conf file:

LoadModule rewrite_module       /usr/lib/apache/modules/mod_rewrite.so

Now you need to tell httpd to let you use .htaccess files in your website folder. You can do this by searching for this block:

AllowOverride None

and change it to 

AllowOverride All

Make sure you are within the <Directory "/var/www/htdocs"> directive when you do this.
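Put together, the httpd.conf pieces described above look like this. This is an added example, not from the post: the paths are the post’s, the Directory block is the standard Apache syntax, and the .htaccess rules are the usual Wordpress permalink rules as I know them (an assumption, check them against the Wordpress documentation). AllowOverride FileInfo is the narrowest setting that still lets mod_rewrite directives in .htaccess take effect; All, as in the post, also works but lets the .htaccess change every overridable setting.

```apache
# Added example, not from the post. Two files shown in one block.

# --- /var/www/config/httpd.conf (the post's path) ---
LoadModule rewrite_module       /usr/lib/apache/modules/mod_rewrite.so

<Directory "/var/www/htdocs">
    # FileInfo is enough for RewriteEngine/RewriteRule in .htaccess;
    # "All" (as in the post) also works but grants every override class.
    AllowOverride FileInfo
</Directory>

# --- /var/www/htdocs/.htaccess (standard Wordpress rules, assumed) ---
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Only rewrite requests that do not match an existing file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
```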

Now restart (or reload) your httpd. Change your permalinks settings from Wordpress and see the results.

Enabling softupdates

This may be quite trivial and it can also be found in the FAQ with a simple Google search, but I’ve somehow missed it until now. Enabling softupdates can really boost your desktop performance. It’s not something I can measure or prove, but the general feeling is that Xfce feels faster, and this time it’s usable and not that laggy. There’s still room for speed improvements, especially in the video card department, but I’m happy with how things are for the time being.

Enabling softupdates is very simple, just edit /etc/fstab, by adding the softdep keyword, as in the following example:

fec2653dbd41594a.a / ffs rw,softdep 1 1

This is an example from an /etc/fstab file with UUID, but it’s trivial for the other, older type:

/dev/sd0a / ffs rw,softdep 1 1

Next time you reboot, you’ll enjoy the performance improvements it brings.

Empty tar.bz2 file (follow-up)

Remember this problem I had? Well, thanks to Andrei Mureșan, it’s fixed now. Apparently, cron has no idea of environment variables when running the backup script, so I had to add the following line at the beginning of my script:

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.

Works like a charm now. For future reference, here’s the full, corrected and working backup script:

#!/bin/sh
# cron runs with a minimal environment, so set PATH explicitly.
# Note: the trailing "." puts the current directory on root's PATH;
# it is kept here as in the original, but you can safely drop it.
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
NOWD=$(date +"%F")
NOWT=$(date +"%T")
# dump the database (the -password argument is kept as written in the
# original; mysqldump itself expects -p or --password=)
/usr/local/bin/mysqldump -u root -password \
dbname > /root/databases/db.sql
# archive logs, web root, config and the dump into a dated tarball
/bin/tar cvfj /home/john/backup/backup-$NOWD-$NOWT.tar.bz2 \
/var/log /var/www /etc /root/databases
/bin/rm /root/databases/db.sql
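The empty-archive symptom came from a tool not being found on cron’s short PATH, and nothing in the script noticed. As an added example (my own skeleton, not the post’s script), the version below sets PATH, checks up front that every command it needs is present, and verifies the archive actually lists at least one entry before declaring success; it also reads the MySQL password from a file with --defaults-extra-file instead of passing it on the command line, where any user could read it from ps. The function names, /root/.my.cnf and the other paths are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: a backup skeleton that fails
# loudly instead of silently producing an empty archive when cron's
# minimal environment lacks a tool. Paths and names are assumptions.
set -eu
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin
export PATH

# require_cmds NAME... : return 1 (and say which) if any command is not on PATH.
require_cmds() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || { echo "missing: $c" >&2; return 1; }
    done
}

# make_archive OUT COMP PATH... : create OUT with tar (COMP is j for
# bzip2 or z for gzip) and verify it lists at least one entry.
make_archive() {
    out=$1; comp=$2; shift 2
    tar "c${comp}f" "$out" "$@"
    n=$(tar "t${comp}f" "$out" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

main() {
    require_cmds tar bzip2 mysqldump
    stamp=$(date +%F-%T)
    # Credentials come from a 0600 file rather than argv, so the
    # password does not show up in ps(1) output. (path assumed)
    mysqldump --defaults-extra-file=/root/.my.cnf dbname > /root/databases/db.sql
    make_archive "/home/john/backup/backup-$stamp.tar.bz2" j \
        /var/log /var/www /etc /root/databases
    rm -f /root/databases/db.sql
}
```

Call main from the end of the script when deploying it; with set -e any failed step aborts the run, and cron mails the "missing: ..." line instead of leaving a zero-byte tar.bz2 behind.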

Smart IP filter with pf

Not long ago I talked about two ways of making a good IP filter with pf. The first method involved a pf table populated after failed ssh attempts, but the table was not persistent across reboots; the second method had a static text file from which pf could load unwanted IPs for filtering. Let’s merge the two methods.

Let’s say that we already have a manually created text file with a selection of unwanted IPs, called /etc/pf.blocked.ip.conf, and you also want to filter the ones that keep knocking on your ssh door. You’ll have to have this in your /etc/pf.conf:

# static text file
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
block in on bnx0 from <blockedips> to any

# not persistent pf table
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from any to any port \
ssh flags S/SA keep state (max-src-conn 5, \
max-src-conn-rate 5/30, overload <bruteforce> flush global)

Now we would like to dump the bruteforce table into the /etc/blocked.ip.conf file, to have a record of our unwanted IPs. A simple dump command is this one:

# pfctl -t bruteforce -T show

but this creates unwanted spaces that must be eliminated. We’ll use sed for this:

# pfctl -t bruteforce -T show | sed 's/ //g'

Now the spaces are gone and we have a properly formatted list of blacklisted IPs. We cannot dump it right into /etc/blocked.ip.conf, because the same IP might appear on different lines and we don’t want a bloated file loaded by pf. Let’s create a temporary file with both the content of the bruteforce table and /etc/blocked.ip.conf:

# pfctl -t bruteforce -T show | sed 's/ //g' >> /tmp/ip.conf
# cat /etc/blocked.ip.conf >> /tmp/ip.conf

Now we have to eliminate the IPs that appear more than once in that list. We can do this with uniq, but for that our list has to be ordered with sort.

sort /tmp/ip.conf | uniq >> /tmp/ip.final.conf

The file /tmp/ip.final.conf now contains a list of unique blacklisted IPs from both our manual /etc/blocked.ip.conf and what the system caught automatically. If an IP was found on both lists, in the end it will be present in our filter only once. So, after moving some files around and cleaning up, we have a nice procedure for pf IP filtering.

rm /etc/blocked.ip.conf
cp /tmp/ip.final.conf /etc/blocked.ip.conf
rm /tmp/ip.conf
rm /tmp/ip.final.conf

We can make a shell script out of these commands and have cron run it once a day, for a manual and automatic, persistent pf IP filter.
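Here is that cron script as an added example (my own, not the post’s): it dumps the table, merges it with the existing file, removes whitespace and duplicates in one pass with sort -u, and then swaps the new file in with mv rather than rm followed by cp, so pf never sees a half-written or missing file if the script is interrupted. It writes to /etc/pf.blocked.ip.conf, the file the table rule above actually loads, and finishes with pfctl -T replace -f so the running table picks up the new file without a full pf reload. The function names and the sample addresses in the test are my own.

```shell
#!/bin/sh
# Added example, not from the original post: merge the addresses pf
# collected in the <bruteforce> table into the persistent block file,
# without duplicates, and replace the file atomically. Table and file
# names follow the post's pf.conf; function names are assumptions.

# merge_addrs FILE... : print the union of all address lists, one per
# line, with whitespace and blank lines removed and duplicates dropped.
# "-" reads the dump from standard input.
merge_addrs() {
    cat "$@" | tr -d ' \t' | grep -v '^$' | sort -u
}

# update_blocklist [TABLE] [FILE] : dump TABLE, merge it into FILE,
# replace FILE atomically and reload the persistent <blockedips> table.
update_blocklist() {
    table=${1:-bruteforce}
    file=${2:-/etc/pf.blocked.ip.conf}
    tmp=$(mktemp "$file.XXXXXX") || return 1
    pfctl -t "$table" -T show | merge_addrs - "$file" > "$tmp"
    chmod 0644 "$tmp"
    # mv is atomic on the same filesystem: no window with a missing file.
    mv "$tmp" "$file"
    pfctl -t blockedips -T replace -f "$file"
}
```

Run update_blocklist from root’s crontab once a day, as the post suggests; because sort -u already collapses duplicates, the separate uniq step and the /tmp intermediates are no longer needed.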

Powering down your OpenBSD

After running the halt command, the system shuts down nicely, but one thing has bugged me ever since I first played with OpenBSD: the system did not power down without pressing the power button. I can live with that, but it’s rather frustrating, and I thought it was probably because OpenBSD doesn’t love my motherboard, even though every modern operating system knows how to power down my system without me pressing the button (my hardware is not the most recent, it’s around six years old already).

After a quick online search, the solution to my problem revealed itself: it wasn’t a driver problem, it was just a script, /etc/rc.shutdown, with a lonely line in it that reads:

powerdown=NO   # set to YES for powerdown

So, I obviously modified that into:

powerdown=YES   # set to YES for powerdown

and voilà, my system now is powering down nicely.

And if you want to be able to restart or halt your system as a normal user, without sudo, just add your user to the operator group:

$ sudo user mod -G operator john

Making things pretty

As part of my OpenBSD workstation project, making things pretty is a vital task. I can’t work in an ugly environment, so things have to be simple, functional and more important, coherent.

One of the first things I do on a fresh OpenBSD system intended for desktop use is to install the msttcorefonts package. Probably for license reasons, you can only install this from ports, so if you don’t have ports yet, just follow the FAQ and do this:

$ cd /tmp
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/5.1/ports.tar.gz
$ cd /usr
$ sudo tar xzf /tmp/ports.tar.gz

Now that we have the ports installed, do this:

# cd /usr/ports/fonts/msttcorefonts
# make install

It’s all on the FAQ, just pointing it out.

Now, for one reason or another, you may need some GTK3 application. I use Xfce and I’m actually pretty satisfied with it, but I also need gedit, for reasons mentioned in another post. gedit is a GTK3 application, and if you don’t choose the right theme it may fall back to an ugly GTK variant that looks weird. So while your daily GTK2 theme looks nice (Firefox, gFTP, XChat), gedit will look different. There’s nothing I hate more than inconsistency. You need to find themes with support for both GTK2 and GTK3 to have theme consistency. A good starting point is the gnome-looks.com website, from where you can download them and put them in your ~/.themes folder. If you don’t have it, create it and copy the theme folders there after you’ve extracted them from the archive. Then, from the Xfce menu, Settings, Appearance, you can have a look at your new themes.

These packages might be useful before starting the theme hunt:

# pkg_add -vi gtk-engines2
# pkg_add -vi gtk2-murrine-engine

I’ve settled for Clearwaita from the Clearlooks-Phenix package; it looks simple, clean and fresh on both GTK2 and GTK3 applications (I loved the old Clearlooks for GTK2 back in the day).

Credit for this post goes to Igneous, from Freenode’s #openbsd.

LaTeX in BSD

I was surprised to see that a TeX Live meta-package is missing for FreeBSD, but there is one for OpenBSD. And it also installs nicely as a dependency for gedit-latex, a plugin for gedit that is probably the best LaTeX editor I could find in GTK.

The magic of the gedit-latex plugin is that it adds cite-autocompletion, and it’s beyond me why this feature is not available in every other LaTeX editor, considering what an excruciating pain dealing with a bibliography is and how much a simple feature like this can help. I think there is only one more editor with cite-autocompletion, namely TeXStudio, but it won’t compile on OpenBSD or FreeBSD, and it’s Qt4 and too bloated for my taste. Also, gedit is a nice, clean, simply designed application that integrates well with my Xfce GTK environment.

FreeBSD 9 has binaries of Gnome 2 while OpenBSD 5.1 got Gnome 3 already. Hence, the ugliness of gedit in OpenBSD, but some theme tweaking I guess could make it better, that’s the only annoyance of my current setup. gedit 2 looked way better in FreeBSD’s Xfce with GTK2 themes, but I’ll dig for some beauty tips in the following days. The gedit 3 is the way to go anyway, no reason to look back.

Although installing TeX Live from the official ports in FreeBSD is not possible, there is an alternative solution, but I find it convoluted and I prefer the OpenBSD way: installing it from packages. Just type:

pkg_add -vi gedit-latex

and the rest will follow automatically: the system will fetch and install the texlive_texmf-minimal package with all the necessary dependencies and you’ll have a nice TeX environment on your OpenBSD 5.1 machine. Sweet. It took me a while to find out about this, as I thought there were no binary packages for TeX Live (don’t ask why I didn’t just look into the ports directory), so I compiled it from ports only a few days ago.

The gedit-latex package pulls in texlive_texmf-minimal, and this could be enough for some tasks, but trying to compile my .tex files spilled out a lot of errors concerning special characters like ăîșțâ, so I knew that I needed the utf8x and ucs packages, which weren’t in the installed TeX Live distribution. To fix this, we can install the following:

pkg_add -vi texlive_texmf-full

Now we’ll have utf8x, ucs (I know it’s not recommended to use ucs, but it’s the only way to type special characters directly in the editor without having to wrap my fingers around LaTeX codes in each and every word) and the mhchem package for easily typing chemical symbols.

There are other editors besides gedit-latex that have syntax highlighting for LaTeX, but they are either ugly, bloated, Qt4 and old (kile, texmaker, texmakerx) or just ugly (gummi). None of them, with the exception of TeXStudio, a newer one that won’t compile on BSD just yet, has cite-autocompletion, which for me is a must. So I guess I’ll stick with gedit-latex for a while; it seems to work just fine for my needs, although it tends to crash a lot.