Search Results: "zugschlus"

30 September 2007

Marc 'Zugschlus' Haber: Booting from USB stick on older hardware

I spent the better part of the weekend trying to get an older Athlon XP mainboard to boot grub from a USB stick. Unfortunately, without success. For a few months now, my notebook has booted Windows XP when it is booted naively. Only if the correct USB stick is plugged in on boot does the Debian system that I work with come up. The USB stick has grub, a kernel and an initrd which is used to boot and unlock the crypto file systems (encrypted LVs) on the disk, and it can be removed once the system has booted. I wanted to use the same scheme for a “newly built” new desktop from old parts. Unfortunately, this was much harder than I expected. For a few years now, I have used the USB-ZIP format for USB sticks that need to boot. Experience has shown that this format has the best chance of successfully booting. For more information about this format and about how to build it, see /usr/share/syslinux/README.usbkey on any recent Debian system with syslinux installed. My grml USB stick that I always have on me is formatted like this, and the “new” desktop boots it just fine. The boot stick for my notebook is USB-ZIP as well, only that its primary partition is not FAT, but ext3. Unfortunately, the BIOS of the “new” desktop seems to refuse to boot grub. Neither my notebook’s stick nor the new stick even gets to the “loading stage x” output of grub, let alone to the menu. syslinux works fine, and both sticks boot just fine on my notebook and in a qemu on the “new” desktop. Since the grub command line has saved me multiple times in the past, I didn’t really like the idea of having to use syslinux, and decided to boot the “new” desktop conventionally from hard disk without the use of a USB boot stick. Until I got this far, the complete Saturday and the better part of Sunday were wasted. Darn. This reminds me of a mainboard from 2002 (incidentally from the same vendor), which checked whether the first hard disk had an active primary partition on it before it even tried to execute the MBR code. If no primary partition was found (which was the common case with the partitioning scheme that I used back then, which only had logical drives - this was before I discovered LVM), the BIOS gave the error message “Not found active primary partition” (sic!) and refused to boot. Stupid programmers trying to outsmart the sysadmins of their products. But at least the error message was reasonably clear back then.

19 August 2007

Joerg Jaspert: UMTS?

I’m currently looking into whether a UMTS data connection (flatrate) is something for me. Looking around, it seems Vodafone has the best network for UMTS with that HSDPA technology (3.6 MBit/s max. instead of only 384 kbit/s). Especially the area I am most interested in - my way to work - is only available with HSDPA from Vodafone; all other telcos don’t seem to be able to get UMTS there. Some days ago I sat beside someone in a train back home who was using a UMTS connection. And he didn’t seem to have any problems. When I asked, he told me that it’s fairly stable; on the whole way he only knows two points where the card seems to switch to the slower GPRS way. And looking at his screen he was using some weird webchat thingie, so nothing that likes too huge lags. (Ah, btw - how can anyone seriously chat in such a weird way? I mean - we have IRC, WTF, are people dumb enough to use their webbrowser to chat? That’s so silly.) My main usage would be to be online on the way to work / back home, which is about 1.5h each, so 3 hours on days where I go to work (using ICEs, so at least there are repeaters for the mobile stuff in the trains). Most of my online usage is ssh based, usually via (Open)VPNs, then some mail sync runs and various small things. Moobicent does offer a flatrate (a real one, not such a “customers are dumb and don’t see it is traffic-limited just because we named it flat” one) using the Vodafone network. The hardware I need for it costs 99 EUR when I order there. It’s some PC Express Card that comes with a PCMCIA adapter. Now, has anyone out there reading this blog experiences to share? Using Google, there is Marc’s blog which suggests it shouldn’t be too hard to get it all running, but maybe there is something I missed to take into account? Comments? Suggestions? Anything? Email me or catch me on IRC (no, my blog doesn’t have comments), and I will summarize the results later.
Update: UMTS == 3G; two people already told me that the Vodafone net is the right selection in Germany, one said the same for the UK.

11 August 2007

Marc 'Zugschlus' Haber: The following signatures were invalid

My systems run cron-apt with an hourly rhythm, running off ftp2.de.d.o. Once in a while, some of them complain about invalid signatures on release files:
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
W: GPG error: http://debian.debian.zugschlus.de lenny Release: The following signatures were invalid: BADSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch)
W: GPG error: http://debian.debian.zugschlus.de sid Release: The following signatures were invalid: BADSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch)
W: You may want to run apt-get update to correct these problems
This usually happens in the late evening CEST. In the next cron-apt run, things are fine again. What’s going on here? Is this part of a mirror update process where the Release and Release.gpg files are inconsistent? Any idea how to get rid of these error messages?

4 August 2007

Marc 'Zugschlus' Haber: Mobile Internet is affordable in Germany

Last Thursday and Friday, I spent around eleven hours in the InterCity Express (ICE) of Deutsche Bahn. I was online, using Simyo GPRS, during this entire time. Thanks to the cellular network repeaters in the ICE’s coaches 3 and 23, this has worked reasonably well and has cost me EUR 5,27 - in a tariff with no basic charge and no commitment. I really like that, because this usage of the mobile cellular network would have cost about fifty times more just a year ago. Thanks, Simyo, E Plus and the other E Plus resellers who have made the first step towards reducing the cost of mobile Internet in Germany. A few technical notes:

Marc 'Zugschlus' Haber: [EMAIL PROTECTED]

Dear admins of mail-archive.com, I think that “protecting” E-Mail addresses in a public archive of a technical mailing list which has the topic of E-Mail is a very bad idea. This leads to archive quotes like
We’ve been getting many many strange mailman-bounces. It seems that somewhere the mailman-bounces address is mis-configured. It should be [EMAIL PROTECTED], but mail seems to be sent as [EMAIL PROTECTED] (note missing “u”). That’s causing bounces to bounce all over the place...
which had better not have been archived at all - it doesn’t help when vital information is removed from the archived mail. Yes, this example was taken from an actual archive entry. Sheesh.

24 July 2007

Marc 'Zugschlus' Haber: co-maintainer sought for torrus

Recently, Jurij Smakov resigned from maintenance of the Debian torrus packages. This leaves me as the sole maintainer, and I need help. torrus is an extremely powerful framework to collect and display round-robin data. It can do much more than mrtg, is cricket “done right”, but is not configurable via the web as cacti is. Its upstream is busy with their work, but active. It is written in perl and uses XML as configuration file format. It is mainly used to collect operational data from SNMP hosts and network components. It would be great if any co-maintainers offering to help would have knowledge in perl, XML and SNMP. I am currently in the process of fixing the RC bugs and, in a next upload round, other bugs that are pending. torrus is team maintained (but I am the only active team member at the moment). Its maintainer address will be set to a mailing list with the next upload. If you want to help, just subscribe to pkg-torrus-general and/or pkg-torrus-maintainers and say hello. Your help is appreciated.

19 July 2007

MJ Ray: zugschlus becomes asuffield

Marc 'Zugschlus' Haber:
"I think I'm going to stop being responsive to users. They're not worth the blood pressure."
Andrew Suffield:
"But realistically, all that is fairly minor compared to the number of idiot users, idiot developers, kooks, luddites, zealots, managers, politicians, and self-obsessed fools that everybody has to deal with in the free software world."
I think I have a new source of blunt put-downs.

17 July 2007

Marc 'Zugschlus' Haber: From the personal Inbox of the exim4 maintainer

The DDs reading this might know the situation: you are subscribed to a gazillion mailing lists, and spend quite some time answering questions from people using your packages. That’s fine, service to your users. Occasionally, users take great pains to find a personal mail address (for example, by googling and finding the webmasteridiot mail address on my personal web page) to ask their question in private e-mail. This prevents the answers from showing up in mail archives and deprives the public of the possibility to find a solution to this question themselves in the future. Today, I had this happen to me twice. In the morning, I received a question about exim4 in private e-mail. In German. I investigated the user’s problem (which looked interesting enough), found two minor issues in the Debian exim4 packages and upstream exim behaving not as expected. I fixed the two issues in the package and reported the unexpected behavior of exim to the upstream mailing list. I then reported this - in German - back to the person who asked the question. Time from incoming message to outgoing report was like 80 minutes, most of which I spent on this user’s issue. On my personal time. A short while afterwards, I found out that this person had waited a mere eleven minutes before asking the same question on pkg-exim4-users, this time in English. Had I known before, I would have drafted my answer in English as well, to have the answer publicly visible. By doing this double post, the user has deprived the public of my answer. I’m probably going to stop answering questions asked in private mail. I might draft a boilerplate answer along the lines of “I don’t answer questions asked in private mail unless I am being paid to do so. You might be better off asking one of the numerous mailing lists that are available on the Internet. I read a lot of them, might see your question, and you might get an answer from me. But otoh, there are many more knowledgeable people on these lists, and you’d want them to see your question as well.” Or I just might hit Delete on questions in my private inbox. The “Delete” approach has become more attractive this afternoon after I pulled the following (anonymized) from my personal Inbox:
Great job breaking exim4 on my system with no easy way to fix it.
$ /etc/init.d/exim4 start
Starting MTA:DEBCONFsomethingDEBCONF found in exim configuration. This
is most probably
caused by you upgrading to exim4 4.67-3 or later without accepting the
suggested conffile changes. Please read
/usr/share/doc/exim4-config/NEWS.Debian.gz for 4.67-2 and 4.67-4
2007-07-17 11:31:57 Exim configuration error in line 25 of
/var/lib/exim4/config.autogenerated.tmp:
  malformed macro definition
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not
installing
/var/lib/exim4/config.autogenerated.tmp to
/var/lib/exim4/config.autogenerated
I’ve been running exim4 v4.63 for awhile now and only have you bugger
exim4-config it doesn’t work.
I mean, this user has Sorry, but: How stupid can people be? I think I’m going to stop being responsive to users. They’re not worth the blood pressure.

14 June 2007

Marc 'Zugschlus' Haber: Please test exim4 from experimental

I have uploaded exim4 4.67-2 to experimental. Lots of changes and improvements. Quite some changes have gone into the Debconf stuff (for example, the split/unsplit config question is not asked first any more), and into update-exim4.conf (including input sanitization, transformation of input to lower case, and getting rid of the DEBCONFsomethingDEBCONF stuff in the configuration). I’d like you to test the experimental package before I upload to unstable (probably on Sunday). Please report your findings.
exim4 (4.67-2) experimental; urgency=low
  - update-exim4.conf:
    - finally get rid of the DEBCONFfooDEBCONF stuff. That information
      is now passed to the configuration by ue4c by directly setting exim
      macros in the configuration. This has caused both the configuration
      and ue4c to be much shorter.
    - run with -e, -C and -u.
    - convert input read from update-exim4.conf.conf to lower case
    - barf if strange characters are found in ue4cc. Closes: #400294
  - Remove superfluous "x$foo" = "xbar" constructs from scripts
  - Add routers to reject mail to accounts with low UID.
    Closes: #400790.
  - Make daily cron job barf if /usr/bin/mail is not found. Have
    exim4-base recommend mailx. Closes: #427960
  - Have all -daemon packages provide exim4-localscanapi-1.0 and
    exim4-localscanapi-1.1 as requested by Magnus Holmgren while fixing
    #426425. Also include exim4-localscan-plugin-config script with
    exim4-dev. Thanks to Magnus for helping with this. Closes: #428274
  - remove /etc/exim4/email-addresses symlink and document this.
    Thanks to Josip Rodin. Closes: #420578
  - introduce conf.d/250_exim4-config_lowuid which optionally allows
    to reject (or alias away) mail to low-uid accounts that are not
    listed in an exception list. Thanks to Dominic Hargreaves,
    Marc Sherman and Ross Boylan. Closes: #400790, #307768, #331716
  - remove versioned depends on cron, since the version we need is
    well before sarge.
  - Add cron | fcron dependency. Fcron is going to be removed again
    at the first sign of trouble. Closes: #381806
  - remove move_exim3_spool debconf template. Closes: #391762
  - replace openssl gendh with openssl dhparam. Closes: #413235
  - adapt docs, README and manpages
  - have Hilko fix the lynx-dump postprocessing to repair generating
    README.Debian text version. Thanks!
  - increase README.Debian generation robustness. Thanks to Hilko.
  - debconf:
    - Partly apply Christian Perrier’s patch for reviewed
      templates and control file. Closes: #426980
    - Other minor template changes.
    - get rid of “mails” in debconf templates, use “messages” instead.
      Re-word local_interface debconf template. Other minor changes.
      Thanks to Jens Seidel and Christian Perrrier. Closes: #394976
    - re-work exim4-config.config logic to have split/non-split config
      asked last instead of first. This partly addresses #410756.
    - Add exim4-daemon-heavy.templates, exim4-daemon-light.templates
      and exim4.templates to POTFILES.in
    - Re-Word dc_other_hostnames debconf template.
      Thanks to Hans G. Ehrbar. Closes: #421860
    - translation updates:
      - French
      - Ukrainian. Closes: #427793
      - Bulgarian.
      - Thai.
      - Galician.
      - Swedish.
      - Punjabi.
      - Indonesian.
      - Italian.
      - Khmer.
      - Traditional Chinese. Closes: #428072, #428069.
      - Portuguese.
      - Simplified Chinese. Closes: #428072, #428069.
      - Marathi
 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 13 Jun 2007 14:00:38 +0200

25 April 2007

Marc 'Zugschlus' Haber: Automatic Wikification of Configuration Files

In the company I work for, most documentation is maintained in Word format. Except mine. I have a dokuwiki and am thankfully allowed this exception, as I am the only Linuxer in the company. Since Windows systems need external documentation (being hindered by the absence of commentable text configuration files), there is a policy that all configuration data needs to be explicitly documented. I hate that idea, since documentation is always outdated, and documenting configuration changes doubles the work that needs to be done. After finding out that dokuwiki has a command line interface, I implemented a mechanism that can run from cron and keeps wiki pages of configuration files up to date on an automated basis. On the target systems (the ones that need to have their configuration documented), I installed a script which generates a tarball containing the relevant configuration files on standard output. For more sensitive data, the script could do some basic sanitization, such as removing passwords from the configuration files before putting them into the tarball. On the system running the cron job, the following script runs:
#!/bin/bash
# Pull the firewall configuration from the target host and commit every
# rule file as a dokuwiki page, then refresh the index page that lists them.
set -e
set -C
set -u
JOBNAME="update-wiki-firewall-config"
DWPAGE="php4 /usr/share/dokuwiki/bin/dwpage.php"
TMPBASE="/tmp"
SSHID="$HOME/.ssh/$USER-passphraseless-$(hostname)"
REMOTEHOST="remote.fqdn.example"
REMOTEJOB="pull-netfilter-init-config-tar"
SHAREDIR="$HOME/share/$JOBNAME"
WIKINAMESPACE="pointer:to:namespace"
# hidden-comment markers on the index page delimiting the generated list
start='/*BEGIN generated firewall rules */'
end='/*END generated firewall rules */'
insert='/*INSERT generated firewall rules */'
umask 077
if ! TMPDIR="$(mktemp -d $TMPBASE/fwconfig.XXXXXXXXXX)"; then
        echo >&2 "ERR: cannot create temp dir in $TMPBASE"
        exit 1
fi
cd $TMPDIR
mkdir remote
# the remote job writes a gzipped tarball of the config files to stdout
ssh -i $SSHID root@$REMOTEHOST $REMOTEJOB | \
 tar --extract --gzip --file - --directory remote
mkdir workdir
touch workdir/rulelistfile
echo "$start" >> workdir/rulelistfile
for fwfile in $(find $TMPDIR/remote/rules/up -type f | sort); do
  MTIME="$(stat --format="%y" $fwfile)"
  # the first line starting with #::# is the one-line description of the file
  PROSEEXPLANATION="$(< $fwfile sed -n '/^#::#/{s/^#::#[[:space:]]*//;p;q;}')"
  if [ -z "$PROSEEXPLANATION" ]; then
    PROSEEXPLANATION="netfilter-init internal code"
  fi
  rm -f workdir/newwikipage
  # fill the page template; the r command pastes the rule file in place
  < $SHAREDIR/wikipagetemplate \
    sed \
        -e "s|PLHfilenamePLH|$(basename $fwfile)|" \
        -e "s|PLHproseexplanationPLH|$PROSEEXPLANATION|" \
        -e "s|PLHmtimePLH|$MTIME|" \
        -e "/PLHcontentsPLH/r$fwfile" \
        -e "s/PLHcontentsPLH//" \
  > workdir/newwikipage
  WIKIPAGENAME="$WIKINAMESPACE:regeln:$(basename $fwfile .rul)"
  $DWPAGE checkout $WIKIPAGENAME workdir/wikipage
  # commit only when the page really changed, to keep the wiki history clean
  if ! cmp --quiet workdir/wikipage workdir/newwikipage; then
    cp workdir/newwikipage workdir/wikipage
    $DWPAGE -m "new contents imported from $fwfile" commit workdir/wikipage $WIKIPAGENAME
  fi
  echo "  * [[$WIKIPAGENAME|$(basename $fwfile)]] - $PROSEEXPLANATION" >> workdir/rulelistfile
done
echo "$end" >> workdir/rulelistfile
# replace the generated section of the index page with the fresh list;
# the markers contain "*", which has to be escaped for the sed addresses
$DWPAGE checkout $WIKINAMESPACE workdir/contentspage.txt
< workdir/contentspage.txt \
  sed -e "\|^${start//\*/\\*}\$|,\|^${end//\*/\\*}\$|d; " | \
  sed -e "\|^${insert//\*/\\*}\$|rworkdir/rulelistfile" \
  > workdir/newcontentspage.txt
if ! cmp --quiet workdir/contentspage.txt workdir/newcontentspage.txt; then
  cp workdir/newcontentspage.txt workdir/contentspage.txt
  $DWPAGE -m "new contents page" commit workdir/contentspage.txt $WIKINAMESPACE
fi
cd /
rm -rf "$TMPDIR"
Yes, this needs some more documentation and generalization. But it’s just a proof of concept that needs some polishing before being put into real-life use. Here are the two template files, for the wiki page and for the contents page:
====== Firewallregeln PLHfilenamePLH ======
Last changed on target system: PLHmtimePLH
PLHproseexplanationPLH
<code>
PLHcontentsPLH
</code>
===== Dump of firewall rules =====
/*INSERT generated firewall rules */
/*BEGIN generated firewall rules */
/*END generated firewall rules */
The index page template relies on the HiddenComment dokuwiki plugin being installed, or the placeholders show up in the rendered wiki page. The code uses the first comment line marked with #::# to generate a short explanation of the file being pulled into the wiki. dwpage.php is a fully-fledged command line interface to dokuwiki; committed pages are fully versioned as if entered through the wiki web front end. This way, the documentation in the wiki is guaranteed to be current and to fit the configuration found on the live system - it is directly pulled from the live system. Yes, rendering of the code is currently suboptimal. Working on it.
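The post mentions but does not show the target-side script that writes the tarball to standard output, nor the sanitization step that keeps passwords out of the wiki. The following is an added example of that counterpart, not code from the post: it redacts the values of credential-looking settings and streams the redacted copies as a gzipped tarball, in the form the cron script above pipes into tar. The sample rule file, the file names and the key-name patterns (pass, secret, psk, token, privkey) are constructed for the demo and should be adjusted to the formats actually published.

```shell
#!/bin/sh
# Added example, not part of the post: target-side "pull config" job that
# redacts credentials before handing the configuration to the wiki host.
# Everything below (sample file, names, patterns) is constructed for the demo.
set -eu

# Replace the value of any "key = value" / "key: value" line whose key looks
# like a credential. The key is kept so the page still documents the setting.
redact_secrets() {
    awk '
    {
        if (match($0, /^[ \t]*[^=: \t]+[ \t]*[=:]/)) {
            key = substr($0, RSTART, RLENGTH)
            if (tolower(key) ~ /pass|secret|psk|token|privkey/) {
                print key " <redacted>"
                next
            }
        }
        print
    }'
}

# Copy every file under $1 through redact_secrets into a staging directory,
# then stream the staging directory as a gzipped tarball to stdout, which is
# what the cron side consumes with "tar --extract --gzip --file - --directory".
pack_config() {
    pc_src="$1"
    pc_stage="$(mktemp -d)"
    ( cd "$pc_src" && find . -type f ) | while read -r f; do
        mkdir -p "$pc_stage/$(dirname "$f")"
        redact_secrets < "$pc_src/$f" > "$pc_stage/$f"
    done
    tar --create --gzip --directory "$pc_stage" --file - .
    rm -rf "$pc_stage"
}

# Constructed sample rule file: a #::# description line and two credentials.
SAMPLE='#::# allow the VPN concentrator
interface = eth0
psk = hunter2
ListenAddress = 0.0.0.0
AuthPassword: s3cret'

# Stand-alone demo: what the wiki would receive for SAMPLE.
printf '%s\n' "$SAMPLE" | redact_secrets
```

The #::# description line survives untouched (its "key" is just "#:"), so the explanation the cron script extracts is still there, while both credential values are gone before anything leaves the target host.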

17 April 2007

Marc 'Zugschlus' Haber: UTF-8 on a shell

Dear Lazyweb, can you please explain how to properly credit a Frenchman in a changelog without mangling his name? I do not consider it acceptable to have to use a different editor and to make sure that my terminal was started with the proper environment variables set (run-time configuration does not seem to do it) before I can correctly enter non-English characters in a text mode editor. I guess I need to make the UTF-8 transition on the desktop. Are there any docs about how to do this? It is just incredibly frustrating to spend an hour on IRC just to create a changelog entry for a patch that took a minute to make and five minutes to test.

29 March 2007

Marc 'Zugschlus' Haber: DSL and E-Mail providers

Daniel, why do you insist on having your e-mail service with the ISP who serves your home IP connection? In my opinion, it would be a much better idea to separate IP and mail services between different companies - it is much easier to change one of them if no other services depend on it. And, btw, it is a pain to have an uncommentable blog.

28 March 2007

Marc 'Zugschlus' Haber: using grml to prepare LVM surgery

One of my dedicated servers was in bad need of major LVM surgery today. Since the rescue system delivered with the server by the housing provider suffers from a lack of LVM support, I needed to pull a creative stunt with grub and grml to accomplish this. The dedicated server rented from Strato is the box I tested in a different article. Installing the LVM-based Debian system via the LVM-less rescue system involved first installing without LVM into the partition which was originally supposed to be swap, booting the just-installed system and using this temporary system to finally bootstrap the target. I had originally planned to go this way again in case rescue should become necessary. Today, I checked first whether the provider-supplied rescue system had improved in the meantime (which it hadn’t), and I didn’t feel like installing a new temporary system. Instead, I decided to go a different route, using grml. grml is extremely versatile regarding boot. All you need is to get the grml kernel to boot and point it towards the grml initrd, and the initrd automatically searches the available drives for the compressed file system image, mounts it and continues the boot process. This was the point where I hooked myself into grml. I put an ext3fs on the swap partition and copied the contents of a grml CD to that partition. After thinking a while about how to get ISOLINUX to boot this grml, I remembered that the disk already has grub installed, and decided to use grub to boot grml. This was possible because the provider offers a serial console for the machine. If no serial console had been available, things would have been a lot harder, since there would be no feedback and one would have to talk to grub via offline editing of menu.lst. Thanks to the serial console, things were a lot faster. Booting grml via grub is actually easy. After finding out which partition grml is on (find /linux26) and setting this partition as root, all you need is “kernel /linux26 ramdisk_size=100000 init=/etc/init lang=us BOOT_IMAGE=grml console=ttyS0,57600n8”, “initrd /minirt26.gz” and finally “boot”. The “57600” given on the kernel command line was actually the hardest part: Strato operates the serial console at an unusual 57600 bps, and grml’s serial console feature starts mgetty with a hard-coded 9600 bps. The rather frustrating symptom was that you can watch grml booting, with “Finished execution of main grml startup” as the last sign of life, knowing that there is a login prompt waiting for you at the wrong baud rate. After talking to Mika from the grml team for some minutes, we decided to take two “roads” to solve the issue. Mika hacked grml’s startup process to parse the baud rate to be used for mgetty from the kernel command line. Since I couldn’t wait for Mika’s fix, I used a grml.sh script to put a fixed mgetty.config over the file contained in grml. After fixing some stupid mistakes on my part, I finally received my grml login prompt and could start with the LVM surgery. Grml is a perfect tool for such tasks since it is extremely flexible and not selective about which medium and partition types it can boot from. It has saved me a lot of grief today and has helped me in solving a difficult problem. Oh, btw, pvmove --alloc anywhere can move a logical volume inside a physical volume without the need for a temporary physical volume, and it is thus possible to “manually” defragment a physical volume in order to allow cleaner resizing of logical volumes. While it is debatable whether this really makes sense, it satisfies my sense of order to have an LVM setup unfragmented.

26 March 2007

Adrian von Bidder: HUB and WEB

Marc, that's fairly easy. HUB really stands for Hosed Utter Beast (yes, I just have had one of them break this morning. Well, it was a SWITCH, not a HUB, oh well...), WEB is all that's Weird, Erotic or Broken. HTH.

23 March 2007

Holger Levsen: little details again

Marc, fwiw imo LCD-displays and RAM-memory are much more fun :-) ymmv.

Marc 'Zugschlus' Haber: About Acronyms and non-Acronyms?

I keep wondering why people keep writing HUB, WEB and SPAM, where the correct technical terms are Hub, Web and Spam. Neither of the three expressions is an acronym. Well, SPAM is, but Spiced Pork and Ham is a Trademark of Hormel Industries, and they ask people not to use their trademark to talk about Unsolicited Commercial/Bulk E-Mail on the Internet. They do, however, allow the expression Spam to be used for UCE/UBE. Any idea why people keep treating Hub and Web as an acronym? It disturbs my reading tremendously.

15 March 2007

Marc 'Zugschlus' Haber: It's all Spam.

The other day, on ICQ:
K: “What are you doing today?” Me: “Taking some training in using a commercial spam filter appliance.” K: “It’s all Spam. Autodelete everything.”
Next thing I remember was the trainer asking why I was laughing so hysterically.

6 March 2007

Marc 'Zugschlus' Haber: EasyRSA on Debian for an OpenVPN CA

After asking for usable CA software, I have finally settled on using EasyRSA. This is what I did to work around the packaging shortcomings of EasyRSA in Debian.
Storing your CA
Be sure that your CA is stored in a secure place. Don’t store it online, and make it accessible only to yourself. In my opinion, storing the CA in a cryptoloop container file on a small 32 MB USB stick is a good idea. Cryptoloop is rather easy today and available in the stock Linux kernel. I commonly use grml-crypt to manage the crypto loopback stuff:
sudo grml-crypt start /media/usb4/cryptoloop $MOUNTPOINT
Gotcha: don’t confuse sudo’s password prompt with grml-crypt’s “Enter LUKS passphrase” prompt; the cryptoloop password won’t get you anywhere at the sudo prompt.
Preparing the CA directory
For the CA, create a dedicated directory in the mounted cryptoloop file system. You are originally supposed to copy the entire EasyRSA directory tree in there, but I’d recommend only linking the files from your system’s EasyRSA directory, to automatically take advantage of distribution updates. You’ll need at least these links:
lrwxrwxrwx 1 mh mh   56 Dec 25 23:23 openssl.cnf -> /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
lrwxrwxrwx 1 mh mh   52 Dec 25 23:22 pkitool -> /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool
lrwxrwxrwx 1 mh mh   60 Dec 25 23:23 whichopensslcnf -> /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf .
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool .
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf .
Configuring your CA
The only thing you cannot link is the vars file, which contains your CA’s local settings:
export EASY_RSA="$(pwd)"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=$($EASY_RSA/whichopensslcnf $EASY_RSA)
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="DE"
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG="Zugschlus.de"
export KEY_EMAIL="mh+easyrsa-mh-openvpn@zugschlus.de"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
Comments have been removed from this file. Better copy the file from /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars and edit it to your needs. I added the two PKCS11 variables since you won’t otherwise be able to issue certificate requests.
Creating the CA
Next, decide on a shell instance where you will do most operations, and source vars in there. Then run /usr/share/doc/openvpn/examples/easy-rsa/2.0/clean-all. If you do this in the directory of an already-in-use EasyRSA CA, you’ll need to restore your backup, since clean-all removes the key directory. To actually initialize the CA, run pkitool --initca --pass. If you do not give the --pass parameter, you’ll create a CA that can issue certificates without asking for a passphrase, which might not be a brilliant idea. Choose a reasonably secure passphrase.
Creating Certificates - the simple and suboptimal way
You can now simply proceed to create an arbitrary number of pairs of “private” keys and associated certificates by calling pkitool <clientname> and/or pkitool --server <servername>. Depending on your security policy, you can mandate that the private keys be protected by a passphrase (adding --pass to the command lines), but at the expense of being asked for the passphrase every time you start a new openvpn daemon.
Creating Certificates the Right Way
I have put “private” in quotes since the keys created this way are not really private: the key was created on the box hosting the CA, was stored on the local (encrypted) file system and needs to be moved to the target system via a secure channel. Doing so the right way is harder than expected, so it is usually better to keep the private key really private by creating it directly on the target system. On the target system, you need OpenVPN installed, and openssl. After the certificate has been created, you can remove openssl again. Creating a private key is part of a key-pair generation process that also leaves a certificate request.
The contents of the certificate request is public, and you can safely move it to the CA box and convert it to a certificate by signing the request. You only need to make sure that nobody exchanges your target system’s certificate request for her own before you sign it as you might end up certifying a wrong identity. For the rest of this document we’re going to assume that you have ssh access to the target system and have verified the ssh host key, so that you can be reasonably sure to be connected to the right system. To create a certificate request, you can use this script, which I have called create-easyrsa-cert-req:
#!/bin/bash
set -eu
# Generate the key pair in a private, unpredictable temporary directory
# rather than a fixed name under /tmp, and make it private before anything
# is written into it. The trap removes the directory when the script exits.
umask 077
export KEY_DIR="$(mktemp -d)"
trap 'rm -rf "$KEY_DIR"' EXIT
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG="/usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf"
# The same dummy PKCS#11 values as in vars: easy-rsa's openssl.cnf reads them
# from the environment and openssl will not load the config without them.
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# The original script used 1024-bit keys; 1024-bit RSA is no longer adequate,
# use at least 2048.
export KEY_SIZE=2048
export KEY_EXPIRE=3650
export KEY_COUNTRY="DE"
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG="Zugschlus"
export KEY_OU="$(hostname --fqdn)"
export KEY_EMAIL="mh+$(hostname)-ovpn-cert@zugschlus.de"
export DEBUG=1
PKITOOL="/usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool"
# "server" as the first argument requests a server certificate; anything
# else (or no argument) requests a client certificate.
if [ "${1:-}" = "server" ]; then
  "$PKITOOL" --csr --server "$(hostname)"
else
  "$PKITOOL" --csr "$(hostname)"
fi
# Leave <hostname>.key and <hostname>.csr in the current directory.
mv "$KEY_DIR"/* .
When called without parameters, it creates a certificate request for an OpenVPN client certificate; when you call it with "server" as parameter, it creates a server certificate request. In either case it leaves two files in the current directory, named after the current host name, with the extensions .csr and .key. The .key file is your private key: keep it private! The .csr file is the certificate request, which you can now move to the keys subdirectory of your CA directory via scp or other means such as a USB stick. To do the actual signing, invoke pkitool --sign <hostname> and enter the CA passphrase. You can ignore the error message that there was no .key file to chmod. Gotcha: when signing a server certificate, use pkitool --server --sign <hostname>.

Move Certificate to the target host

You can now move the certificate to the target system. Since you are probably going to need the root certificate and the certificate revocation list as well, move the .crt file, ca.crt and crl.pem (once you have one) to the target system. These files are public, so there is no need for a secure channel. The one exception is the .key file: if you took the simple route and created it on the CA system, it is the private key and must travel over a secure channel, such as scp to a host whose ssh key you have verified.

Revoking Certificates

An OpenVPN server authenticates a client by checking whether the certificate presented by the client is signed by the "right" CA, so the way to revoke VPN access is to revoke the certificate. This is also done on the CA system, by calling /usr/share/doc/openvpn/examples/easy-rsa/2.0/revoke-full <client-name>. This creates a crl.pem file which contains a list of all revoked certificates. You need a mechanism to distribute that list to all systems that might need it, and it is recommended to automate this. Remember, if you do not distribute the crl.pem file, the systems are not going to know about revoked certificates, and OpenVPN only consults the list at all if the server configuration points to it with the crl-verify directive.
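The whole procedure, from CA to revocation, as an added example that is not part of the original article and does not use pkitool: it drives openssl directly so that each step easy-rsa wraps (the CA database, the request generated on the target, signing with a client or server profile, revocation and the CRL) is visible, and it ends by showing why the last paragraph matters: a peer that never received crl.pem keeps accepting a revoked certificate. It assumes openssl 1.1 or newer on PATH, a scratch directory that stands in for both the CA box and the target system, and the hypothetical names vpn-ca, client1 and vpnserver; the ca.cnf it writes is a minimal stand-in for easy-rsa's openssl.cnf, not the file shipped with OpenVPN.

```shell
#!/bin/sh
# Added example, not from the article: the request-on-target / sign-on-CA /
# revoke flow with plain openssl, so the steps pkitool wraps are visible.
# Assumes openssl 1.1+ on PATH, a scratch dir $WORK standing in for both
# machines ($WORK/ca, $WORK/target) and the hypothetical names vpn-ca, client1.
set -eu

# openssl req insists on a distinguished_name section even with -subj.
REQ_CNF='[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name'

# CA side: database files, config and self-signed CA certificate.
init_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 01 > "$WORK/ca/serial"
    echo 01 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/ca.cnf" <<EOF
$REQ_CNF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # -nodes keeps the run unattended; a real CA key gets a passphrase, which
    # is what "pkitool --initca --pass" in the article enforces.
    (umask 077; openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORK/ca/ca.cnf" -extensions v3_ca -subj "/CN=vpn-ca" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null)
}

# Target side: key pair (mode 0600, never leaves this directory) and request.
make_csr() {   # $1 = host name
    mkdir -p "$WORK/target"
    printf '%s\n' "$REQ_CNF" > "$WORK/target/req.cnf"
    (umask 077; openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$WORK/target/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/target/$1.key" -out "$WORK/target/$1.csr" 2>/dev/null)
}

# CA side: sign the request with the client or server profile (pkitool's
# --server switch). The cp stands in for the scp of the public .csr.
sign_csr() {   # $1 = host name, $2 = client|server
    cp "$WORK/target/$1.csr" "$WORK/ca/$1.csr"
    openssl ca -batch -notext -config "$WORK/ca/ca.cnf" -extensions "${2}_ext" \
        -in "$WORK/ca/$1.csr" -out "$WORK/ca/$1.crt" >/dev/null 2>&1
}

# CA side: revoke a certificate and issue a fresh crl.pem (what revoke-full does).
revoke_cert() {   # $1 = host name
    openssl ca -batch -config "$WORK/ca/ca.cnf" -revoke "$WORK/ca/$1.crt" >/dev/null 2>&1
    openssl ca -batch -config "$WORK/ca/ca.cnf" -gencrl -out "$WORK/ca/crl.pem" 2>/dev/null
}

# Peer side: the check an OpenVPN endpoint performs. Without "crl" it only
# validates the chain, i.e. a peer that never received crl.pem; with "crl"
# it also honours the revocation list. Returns 0 if the certificate is accepted.
verify_cert() {   # $1 = host name, $2 = "" | crl
    if [ "${2:-}" = "crl" ]; then
        cat "$WORK/ca/ca.crt" "$WORK/ca/crl.pem" > "$WORK/ca-and-crl.pem"
        openssl verify -crl_check -CAfile "$WORK/ca-and-crl.pem" "$WORK/ca/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/ca/$1.crt" >/dev/null 2>&1
    fi
}

demo() {
    WORK=$(mktemp -d)
    init_ca
    make_csr client1; sign_csr client1 client
    verify_cert client1 && echo "client1: accepted before revocation"
    revoke_cert client1
    verify_cert client1 && echo "client1: still accepted by a peer without crl.pem"
    verify_cert client1 crl || echo "client1: rejected once crl.pem is consulted"
    rm -rf "$WORK"
}
demo
```

In a real deployment the cp in sign_csr is the scp of the .csr to the CA box, and the .crt, ca.crt and crl.pem travel back the same way; the final check only happens on an OpenVPN server whose configuration names the list with crl-verify.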

Marc 'Zugschlus' Haber: Best-of-Mailing-Lists

Mailing lists of big and successful open source projects are these days flooded with clueless requests from newbies who obviously have not spent a second getting acquainted with the tool or with the basics of the underlying protocols. I am going to publish some of the "best" of these messages here at irregular intervals, tagged with "best-of-mailing-list". All articles tagged appropriately can be seen as blog entries. There is also an RSS feed.
