Stuff happens quietly on the GForge front, but after some time we decided we're getting bored with not releasing. Since we seem to have run out of major problems in the codebase, the long-awaited GForge 4.7 release is probably round the corner. And so, since GForge migrated from its own in-house translation system to the more conventional gettext API, I'd like to take the opportunity to issue a call for translations, knowing that potential translators won't be too disturbed by unusual tools and formats. You can grab the current state of the translations from the GForge repository browser. Or, for more long-term involvement, checkout the code through Subversion or through Bzr (my gateway branch is available from bzr.debian.org. Current statistics are as follows:

• bg.po: 382 translated messages, 174 fuzzy translations, 1813 untranslated messages.
• ca.po: 1592 translated messages, 281 fuzzy translations, 496 untranslated messages.
• de.po: 1627 translated messages, 272 fuzzy translations, 470 untranslated messages.
• el.po: 0 translated messages, 2369 untranslated messages.
• eo.po: 0 translated messages, 2369 untranslated messages.
• es.po: 1600 translated messages, 236 fuzzy translations, 533 untranslated messages.
• eu.po: 1392 translated messages, 272 fuzzy translations, 705 untranslated messages.
• fr.po: 2368 translated messages, 1 untranslated message.
• he.po: 0 translated messages, 2369 untranslated messages.
• id.po: 0 translated messages, 2369 untranslated messages.
• it.po: 1781 translated messages, 303 fuzzy translations, 285 untranslated messages.
• ja.po: 246 translated messages, 118 fuzzy translations, 2005 untranslated messages.
• ko.po: 1292 translated messages, 264 fuzzy translations, 813 untranslated messages.
• la.po: 0 translated messages, 2369 untranslated messages.
• nb.po: 0 translated messages, 2369 untranslated messages.
• nl.po: 1621 translated messages, 287 fuzzy translations, 461 untranslated messages.
• pl.po: 0 translated messages, 2369 untranslated messages.
• pt_BR.po: 1292 translated messages, 262 fuzzy translations, 815 untranslated messages.
• pt.po: 0 translated messages, 2369 untranslated messages.
• ru.po: 302 translated messages, 142 fuzzy translations, 1925 untranslated messages.
• sv.po: 1289 translated messages, 261 fuzzy translations, 819 untranslated messages.
• th.po: 0 translated messages, 2369 untranslated messages.
• zh_CN.po: 1691 translated messages, 300 fuzzy translations, 378 untranslated messages.
• zh_TW.po: 1664 translated messages, 289 fuzzy translations, 416 untranslated messages.

Results as patches to our patch tracker or the gforge-devel ML please. (Note to Debian-related readers: this translation work will be directly useful on Alioth when we upgrade it.)

When you have a server on the Internet, you get lots of "brute force" attacks on the SSH daemon, trying plausible logins with a variety of passwords. Even with good passwords, these attacks might eventually succeed (and they're annoying even when they don't), so you want to thwart them. One way is to use fail2ban, a script that monitors the failed connections, and sets up firewall rules (for instance) blocking further connections from the attacking IP addresses. It's good, but it fills your logs with messages about IPs getting banned and unbanned after a while. And you're still at risk that the multiple connections crash the SSH daemon, or trigger a bug in it, or whatever. A second layer of protection can be to block all SSH connection attempts except when they come from known IP addresses, but that doesn't work when you're away from home, and you're locked out. Been there, done that. So, some wise people have devised a trick called "port-knocking". It's similar to only opening the door to people who use a special knock (think "That's all, folks"): the firewall stays closed, but it opens a tiny targeted hole to some IP addresses for a limited length of time, based on a secret handshake. The window for attack is therefore very small, and the SSH daemon stays idle most of the time. And you can still log on your hosted server when you're attending conferences. There are a variety of implementations for this concept. Some could be web-based (you need to submit the right password to a web page), some could use other services or a dedicated daemon. But when I started investigating port-knocking, I wanted something simple, preferably with no dependencies on a daemon that would need to be exposed to the net and potentially crash. I found an article on the Debian Administration website, but I wasn't entirely satisfied with it. The principles appealed to me (netfilter-only, secret handshake in the form of opening connections to secret ports), though, so I evolved it into my own implementation, which I proudly present to you today. The goals of this implementation were:

• flexibility;
• robustness;
• resistance to replay attacks;
• no dependency on user-land daemons;
• simple, easily auditable code;
• must not be a pain in the neck to use.

The bulk of the work therefore stays in the kernel's netfilter (that's for robustness and no user-land dependency), but the control interface is integrated with the usual firewalling script. Resistance to replay attacks is achieved by choosing hard-to-predict ports. So if someone snoops the wireless while I'm at a conference and catches my secret handshake, it'll only be valid for a short period of time, hopefully short enough to prevent dictionary attacks. The handshake is therefore calculated as a function of the current date and time, with an added secret seed. The following shell function calculates 5 port numbers within a given range (requires dc to be installed, for big-integer arithmetic):

calc_knock_ports ()  
    secret=$1
    bottomport=$2
    topport=$3
    nbports=$(( $topport - $bottomport + 1 ))
    hash=$(TZ=UTC date +%Y-%m-%d-%H-$secret   md5sum   awk ' print $1 '   tr a-z A-Z)
    num=$(echo 16i $hash f   dc)
    pk_port1=$(echo $num $nbports 0 ^ / $nbports % $bottomport + f   dc)
    pk_port2=$(echo $num $nbports 1 ^ / $nbports % $bottomport + f   dc)
    pk_port3=$(echo $num $nbports 2 ^ / $nbports % $bottomport + f   dc)
    pk_port4=$(echo $num $nbports 3 ^ / $nbports % $bottomport + f   dc)
    pk_port5=$(echo $num $nbports 4 ^ / $nbports % $bottomport + f   dc)
 

Okay. So this function calculates ports, now what? Now we're going to define a few chains by which netfilter will store states of IP addresses as they progress through the handshake:

setup_portknocking_tables ()  
    iptables -N portknock_into_phase1
    iptables -A portknock_into_phase1 -m recent --name PK_PHASE1 --set
    # iptables -A portknock_into_phase1 -j LOG --log-level notice --log-prefix "INTO PK_PHASE1: "
    iptables -N portknock_into_phase2
    iptables -A portknock_into_phase2 -m recent --name PK_PHASE1 --remove
    iptables -A portknock_into_phase2 -m recent --name PK_PHASE2 --set
    # iptables -A portknock_into_phase2 -j LOG --log-level notice --log-prefix "INTO PK_PHASE2: "
    iptables -N portknock_into_phase3
    iptables -A portknock_into_phase3 -m recent --name PK_PHASE2 --remove
    iptables -A portknock_into_phase3 -m recent --name PK_PHASE3 --set
    # iptables -A portknock_into_phase3 -j LOG --log-level notice --log-prefix "INTO PK_PHASE3: "                     
    iptables -N portknock_into_phase4
    iptables -A portknock_into_phase4 -m recent --name PK_PHASE3 --remove
    iptables -A portknock_into_phase4 -m recent --name PK_PHASE4 --set
    # iptables -A portknock_into_phase4 -j LOG --log-level notice --log-prefix "INTO PK_PHASE4: "
    iptables -N portknock_into_phase5
    iptables -A portknock_into_phase5 -m recent --name PK_PHASE4 --remove
    iptables -A portknock_into_phase5 -m recent --name PK_PHASE5 --set
    iptables -A portknock_into_phase5 -m recent --name PK_ESTABLISHED --set
    # iptables -A portknock_into_phase5 -j LOG --log-level notice --log-prefix "INTO PK_PHASE5: "
    iptables -N portknock_accept
    iptables -A portknock_accept -m limit -j LOG --log-level notice --log-prefix "ACCEPTED AFTER PORTKNOCKING: "
    # iptables -A portknock_accept -m recent --name PK_PHASE5 --remove
    iptables -A portknock_accept -j ACCEPT
    iptables -N portknocking
 

These chains use the recent module, which seems to be commonly available in standard kernels. You'll notice how, as one packet goes through these rules, its originating IP address moves from one set of "recent" addresses to the next. But no logic exists yet to make the packet actually go through these rules, so here comes the glue:

refresh_portknocking ()  
    calc_knock_ports f00b4r 10000 10999
    iptables -F portknocking
    iptables -A portknocking -p tcp --dport $pk_port1 -m state --state NEW                                                 -j portknock_into_phase1
    iptables -A portknocking -p tcp --dport $pk_port2 -m state --state NEW -m recent --rcheck --name PK_PHASE1 --seconds 5 -j portknock_into_phase2
    iptables -A portknocking -p tcp --dport $pk_port3 -m state --state NEW -m recent --rcheck --name PK_PHASE2 --seconds 5 -j portknock_into_phase3
    iptables -A portknocking -p tcp --dport $pk_port4 -m state --state NEW -m recent --rcheck --name PK_PHASE3 --seconds 5 -j portknock_into_phase4
    iptables -A portknocking -p tcp --dport $pk_port5 -m state --state NEW -m recent --rcheck --name PK_PHASE4 --seconds 5 -j portknock_into_phase5
    # echo clear > /proc/net/ipt_recent/PK_DONE
    echo clear > /proc/net/ipt_recent/PK_PHASE1
    echo clear > /proc/net/ipt_recent/PK_PHASE2
    echo clear > /proc/net/ipt_recent/PK_PHASE3
    echo clear > /proc/net/ipt_recent/PK_PHASE4
    echo clear > /proc/net/ipt_recent/PK_PHASE5
 

Right. This function adds rules to the portknocking chain. A packet injected into this ruleset will, depending on its destination port and whether its source IP address has already been seen, end up in one of the PK_PHASE* sets. All we have to do now is therefore to send some packets to this portknocking chain, and use the port-knocking sets to decide whether to accept incoming connections or not:

iptables -A INPUT -j portknocking
iptables -A INPUT -m recent --rcheck --seconds 5 --name PK_PHASE5 -m state --state NEW -p tcp --dport ssh -j portknock_accept

This example only mentions accepting incoming SSH connections, but it's in no way a limitation: a server of mine uses similar rules to DNAT certain ports to internal IP addresses. And there we have it for the server part: incoming SSH connections are usually ignored (well, handled by the rest of the firewall script, but let's assume that it drops these packets by default), but if one IP address knows the appropriate ports and sends a connection attempt to them in order, then it'll be able to open SSH connections for a little while after that. Of course, it's going to be boring if one has to send these packets by hand, but it can be easily automated by a script. Here's a ~/bin/portknock.sh I have:

#! /bin/sh
host=$1
port=$2
calc_knock_ports ()  
[...]
 
calc_knock_ports f00b4r 10000 10999
for i in $pk_port1 $pk_port2 $pk_port3 $pk_port4 $pk_port5 ; do
    nc -w 1 $host $i < /dev/null > /dev/null 2>&1
done
nc $host $port

It's designed to be called with two parameters, a host and a port, and it needs netcat in addition to dc. Why the last line, I hear you cry? Because then I can just add the following lines to my ~/.ssh/config:

Host blahblah
  IdentityFile foobar
  ProxyCommand /home/roland/bin/portknock.sh %h %p

...and SSH will automagically tunnel its network socket through the script, which will in turn happily tunnel that through netcat after completing the secret handshake. And when I type ssh myserver on my laptop, interesting stuff happens behind the scenes, and a special, just-for-me hole is opened in the server firewall, just for the few seconds I need to establish the SSH session (packets belonging to established TCP sockets are allowed by the firewall's connection tracking). Note: This article is deliberately short on details and ready-to-run scripts. Firstly because firewall scripts vary wildly so any script would have to be adapted anyway, but mostly because security is best handled with one's brain switched on. Fiddling with a firewall can easily open gaping holes or lock everyone out. So please make sure you understand what goes on before blindly pasting stuff into your own setup. Some of the lines that are commented out may also be of interest, and were left as an exercise for the reader. Other lines were not included, and are also left as a rather important exercise to the reader; note in particular how the netfilter rules as currently established do not mitigate the replay attacks...

Quick status update: not much happened due to a variety of reasons, but there is still some progress to report. The most important piece of news is that the Mediawiki plugin should be on its way to Debian sid by the time you read this, as the new gforge-plugin-mediawiki binary package (it'll have to go through NEW, but that seems to be rather fast these days). Testing and reporting and bugfixing are most welcome, of course. I also went through a round of cleanups in the packaging. No more Lintian overrides, far fewer Lintian errors and warnings, and some fixes for PostgreSQL 8.3 compatibility.

First, and most important: while researching a functional bug for a client, I found a rather important security problem in GForge. All versions (starting from 3.1) are vulnerable to an SQL injection problem due to missing input sanitisation. Debian packages have already been fixed and released, and the patches have been committed to the upstream Subversion repository, so non-Debian users are encouraged to grab the patches from there. For instance, the patches for the 4.5.* branch can be obtained from the ViewVC page. For reference, the CVE ID for this problem is CVE-2008-0173. Secondly, there's a new "gforge" tag on this blog, to filter posts that relate to GForge. I mainly created it in response to the existence of a feed aggregator focusing on forges and variants, but you can also subscribe to it directly if you only want to hear about Gforge and not about my other Free Software activities. I'll also use it to announce security patches like this one.

I'm on a roll...

• Gettext transition is fully done now (old functions have even been removed).
• French translation 100% complete! Woo!
• Packages now use ucf. So there.
• Installation process streamlined: if you just want the web interface, you'll only need to aptitude install gforge-web-apache2, and the only interactions it'll require are to type the admin password (twice) and to accept (or integrate by hand) a change in the PostgreSQL config file.
• It even works on Debian GNU/kFreeBSD!

Plans for the near future include continuing to clean up upstream code and maintainer scripts, making sure the installation process is as simple as possible (even for other subpackages), splitting out a few plugins into their own packages. And the big placeholders-in-prepared-SQL-queries audit I mentioned last time, but it may happen progressively rather than in one big go.

Apparently some people worry that Gforge may be abandoned, or on the verge of being superseded with the proprietary "Gforge Advanced Server" rewrite. Let it be known that I for one have no plans to switch to Gforge AS, for all the reasons you'd expect from a free software user and advocate: I don't have access to the source code (it's made illegible by some sort of industrial PHP obfuscator), I can't hack it because the license doesn't allow me to, I can't audit it for security flaws, I can't adapt it to particular needs, etc. Since a significant part of my income comes from maintaining Gforge instances for clients, with local modifications for their particular needs, it's an economical necessity that Gforge stays free. And evolving. Right. Having said that, I guess I have to show concrete evolutions in addition to principles and ideals. So what changed recently?

• I believe the Gettext transition is now more or less complete. The initial bulk of it was done during the summer, but a few odds and ends were still dangling, such as plural forms here and there. The translations should now also be used in the appropriate place (no more receiving an email in Dutch even though you're French, simply because the person who clicked on the button that triggered the email was Dutch). I'm trying to bring the French translation to completion, but it's a long and boring task, so it'll happen gradually. As for other languages... "patches welcome".
• I've started using IPv6 at home, with a dual IPv4+IPv6 stack and hostnames that resolve to both kinds of addresses. The problem is that neither Gforge nor its packaging were designed with IPv6 in mind, so the Apache virtual host didn't listen on the IPv6 address, and even when it did, Gforge wouldn't understand IPv6 addresses in its session code. All that has been fixed, and you can now run Gforge on a dual-stack server.
• Lots of "undefined variable" PHP warnings have been fixed (not only by me, by the way). They probably weren't harmful by themselves, but they were signs of sloppy coding.
• The FCKeditor plugin now uses FCKeditor as provided by the Debian package, rather than its own (outdated and unmaintained) copy.

All this has committed and uploaded to Debian. As usual, please test and report failures. Plans for my foreseeable future include:

• Making the clean-and-working Mediawiki integration plugin public (the delay is not due to technical reasons).
• Using placeholders in SQL queries, to reduce the risk of SQL injections. This probably means a full audit of all the places in the code where queries are made, so it may take some time.
• Maybe a full audit for HTML injections and cross-site scripting vulnerabilities, too. Probably a long and boring task too.
• Switching to ucf for management of config files.
• I'm still toying with the idea of switching to dbconfig-common, too. But since I'm not sure it's going to be good enough, that's not very high on my priority list.
• I'm pondering whether I should try to make a live-CD with an installed Gforge. Or maybe a fully automated installation with debian-installer and preseeding. That may debunk the misconception that Gforge is hard to install.

Places where help would be most welcome:

• Translations! I can do French, I fixed a few strings in Spanish and Japanese, maybe I can do some minor fixes in German too, but that's not good enough. Of course, translators should be aware this is not a small task: gforge.pot contains about 2200 strings. But even reading and fixing (or removing) the obviously incorrect translations would help.
• Packaging for RPM-based systems. I fear that aspect of Gforge has been all but abandoned, and I don't think there are any working RPMs around.
• Testing, testing, testing. Gforge is rather versatile, and a big piece of software. I don't use all the features myself, so bugs are likely to lurk in those places I don't see often enough.
• I know some of you out there have a locally patched Gforge installation. You know you'll have a hell of a time porting those patches to the next version when you upgrade. Why not share them, so everyone profits from them (and you can then profit from the patches from the other users)?

There. That was the news. Now for a bit of trivia: it's amazing how having a metric of one's productivity gives an incentive to increase it. I found mine on Ohloh, which provides code and license analyses and statistics on free software projects, as well as statistics on commits by contributors. They even have a shiny widget with a scrollable timeline showing commits over time, as well as comparative commit graphs. My obvious personal goal is to get up to the first position among the contributors, but of course I wouldn't complain if the current top committer stayed ahead by springing back into activity.

Top posters in a few Debian-related Planets:

$ planet-scores.sh 
Planet Debian-FR :
     19 Rapha l Hertzog
      4 Roland Mas
      3 Jean-Christophe Dubacq
      2 Gr gory Colpart
      2 Alexis Sukrieh

Sometimes I think this should be renamed Planet Buxy.

Planet Debian-FR (utilisateurs) :
     10 Julien Candelier
      8 Emilien Macchi
      4 Guilhem Bonnefille
      3 Shams Fantar
      1 Rapha l Hertzog
      1 Olivier Berger (perso)
      1 Jean-Christophe Dubacq
      1 Jean-Baptiste H tier (djib)
      1 Eric Veiras Galisson

Newly added contributors to that planet have all their recent articles aggregated, not only the ones they wrote since they were added.

Planet Debian :
     40 Christian Perrier
      2 Russell Coker
      2 Raphael Geissert
      1 Wouter Verhelst
      1 Steve Kemp
      1 Romain Francoise
      1 NOKUBI Takatsugu
      1 Michal  iha 
      1 John Goerzen
      1 Joey Schulze
      1 Gerfried Fuchs
      1 Fathi Boudra
      1 Enrico Zini
      1 Emanuele Rocca
      1 Dirk Eddelbuettel
      1 David Welton
      1 Christine Spang
      1 Antti-Juhani Kaijanaho
      1 Adam Rosi-Kessel

Planet "Christian loves rugby".

debian-community.org :
      4 Holger Levsen
      3 Andrew Donnellan
      2 Evgeni Golov
      1 Wolfgang Lonien
      1 Rapha l Hertzog
      1 Martin Albisetti
      1 Marcos Marado
      1 Jean-Christophe Dubacq
      1 Cord Beermann
      1 Benjamin A'Lee
      1 Andreas Putzo
$

I know I have an encoding problem on some planets, but that script is a very basic curl+shell+sed+grep+recode+sort+uniq pipeline, and I only use it for the amusement value. Maybe I'll recode it with a proper RSS parser some day if I feel utterly bored.

Apparently it's desirable to be able to filter this blog according to language as well as according to subject. So I've decided to kill the geek-fr and geek-en tags I had, and replace them with the generic geek tag. I also created fr and en tags, one of which should be present on all articles. To preserve the existing RSS feeds, geek-fr and geek-en have been redefined as simply the intersection of geek and fr or en, thanks to Ikiwiki. I could also create a photo-fr feed and so on, but so far I don't think it's warranted.

As I type this, debs for a current snapshot of upstream Subversion are on their way to Debian Sid. They are taken from the Subversion trunk and not from the yet-to-be-released 4.6 branch, because a few important changes have taken place on the trunk only, and the 4.6 branch is merged anyway. Hence the version number, 4.6.99+svn6078-1. These packages did spend some time in experimental, and I didn't get any bug reports, but that doesn't mean they're bug-free. Use with caution. One of the big changes is that Gforge now uses Gettext rather than its home-made internationalisation system. Which means probably fewer problems, and a more standard system allowing more people to get involved. Can you guess what I'm hinting at? Yes, it's a call for translations! Anyone interested in getting involved should bzr branch http://alioth.debian.org/~lolando/bzr/gforge/upstream-svn/trunk/, and start poking the existing *.po files (or creating new ones!). Why the private repo and not the upstream Subversion repository? Rationale follows. My job as a freelancer as well as my role as an Alioth admin involve maintaining separate branches of the Gforge code (different clients have different needs and patches). In order to facilitate patch migration, I therefore need a distributed VCS, and I've been using Bazaar for a few years, with a manual gatewaying between upstream CVS first, then Subversion, and a few private Bazaar branches. Now that Bazaar (as in Arch) is dead, I'm using Bazaar (as in Bazaar-NG, Bazaar-2, or bzr), which seems to be approaching a 1.0 release, and which provides a plugin to interoperate easily with Subversion repositories. And since the upstream Subversion repository is not accessible anonymously anyway, I decided to publish my gateway branch. I'll probably publish more branches as time passes (probably the Alioth branch, and quite possibly feature branches too). Note: if you want to share a bzr repository of a project containing PHP scripts with Apache, you may encounter a problem, because the bzr repository contains files named *.php.knit and *.php.kndx. And Apache will happily give these files to the PHP interpreter when serving them, and that's not what you want. My trick to fix that is to add a .htaccess file somewhere where the repository is stored, with the following contents:

AddHandler None .knit .kndx

This will ensure that these files will be sent straight to the HTTP client, and not through the PHP interpreter.