Compile Samba 4 under Red Hat Enterprise Linux 8 as an AD domain controller

Unfortunately RHEL 7 and RHEL 8 do not support running Samba as an Active Directory Domain Controller (AD DC):
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

Therefore you need to download the samba sources and compile them yourself.
https://download.samba.org/pub/samba/stable

In this example we use the following settings:

• Server names:
  • server1.example.com: 192.168.10.1/24
  • server2.example.com: 192.168.10.2/24
• Domain name:
  DOM1
• External DNS server:
  8.8.8.8

Samba 4 must use it’s own builtin DNS server for local domain names (e.g. client1.example.com). Unfortunately there is no option to specify a separate DNS server. You may define a forwarder DNS for all non-local domain names (e.g. http://www.microsoft.com). In this example we use the public Google DNS server 8.8.8.8 as a forwarder, but you may use any other DNS server to resolve non-local names.

1. Install necessary packages

sudo dnf install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python36-devel gdb krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins python3-policycoreutils python3-libsemanage python3-setools popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 lmdb-devel perl-Parse-Yapp jansson-devel libarchive-devel python3-iso8601 python3-pyasn1 python3-markdown python3-dns rpcgen libtirpc-devel

2. Download tarball

curl -O https://download.samba.org/pub/samba/stable/samba-4.14.6.tar.gz
tar -xzvf samba-4.14.6.tar.gz
cd samba-4.14.6

3. Patch source code

vim source3/include/includes.h
Comment lines 359-367 so that the code block looks like this:
/* #ifdef TRUE
#undef TRUE
#endif
#define TRUE __ERROR__XX__DONT_USE_TRUE

#ifdef FALSE
#undef FALSE
#endif
#define FALSE __ERROR__XX__DONT_USE_FALSE */

4. Run configure, make and make install

./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind --without-gpgme --with-shared-modules='!vfs_snap
per'
make
sudo make install

5. Edit system configuration files

/etc/hosts:
192.168.10.1 SERVER1.dom1.example.com     SERVER1
192.168.10.2 SERVER2.dom1.example.com     SERVER2

/etc/profile:
PATH=$PATH:/usr/local/samba/bin
export PATH

/etc/resolv.conf:
options timeout:2
nameserver 192.168.10.1
nameserver 192.168.10.2

/etc/logrotate.d/samba:
/usr/local/samba/var/log.samba /usr/local/samba/var/log.smbd /usr/local/samba/var/log.wb-BUILTIN /usr/local/samba/var/wb-DOM1 /usr/local/samba/var/log.winbindd /usr/local/samba/var/log.winbindd-idmap {
    weekly
    maxsize 200M
    missingok
    notifempty
    sharedscripts
    rotate 4
    compress
    delaycompress
    postrotate
        /bin/kill -HUP `cat /usr/local/samba/var/run/samba.pid  2>/dev/null`  2> /dev/null || true
    endscript
}

/etc/init.d/samba:
#!/bin/bash
#
# samba-ad-dc   This shell script takes care of starting and stopping
#               samba AD daemons.
#
# chkconfig: - 58 74
# description: Samba Active Directory Domain Controller
 
### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba
# Description: Samba Active Directory Domain Controller
### END INIT INFO
 
# Source function library.
. /etc/init.d/functions
 
# Source networking configuration.
. /etc/sysconfig/network
 
prog=samba
prog_dir=/usr/local/samba/sbin/
lockfile=/var/lock/subsys/$prog
 
start() {
        [ "$NETWORKING" = "no" ] && exit 1
        echo -n $"Starting Samba AD DC: "
        daemon $prog_dir/$prog -D
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}
 
 stop() {
        [ "$EUID" != "0" ] && exit 4
        echo -n $"Shutting down Samba AD DC: "
        killproc $prog_dir/$prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}
 
case "$1" in
start)
        start
        ;;
stop)
        stop
        ;;
status)
        status $prog
        ;;
restart)
        stop
        start
        ;;
*)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac

6. Open ports on firewall

Standard ports:
samba, ldap, ldaps, kerberos, kpasswd, dns, ntp

Additional ports:
389/udp, 135/tcp, 1024-65535/tcp

7. Edit samba configuration files

/usr/local/samba/etc/samba.conf:
[global]
        dns forwarder = 8.8.8.8
        netbios name = SERVER1
        realm = DOM1.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = DOM1
        idmap_ldb:use rfc2307 = yes
        logging = syslog@3
        log level = 1 auth_audit:3
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/server1.example.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

/etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        # default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
[realms]
        # EXAMPLE.COM = {
        #  kdc = kerberos.example.com
        #  admin_server = kerberos.example.com
        # }
[domain_realm]
        # .example.com = EXAMPLE.COM
        # example.com = EXAMPLE.COM

8. Create domain

sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [DOM1.EXAMPLE.COM]:  
Domain [DOM1]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:  
Administrator password: yourpasswordhere
Retype password: yourpasswordhere

9. Set password restrictions (optional)

samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=180
samba-tool domain passwordsettings set --account-lockout-threshold=10
samba-tool domain passwordsettings set --account-lockout-duration=10
samba-tool domain passwordsettings set --history-length=10
samba-tool domain passwordsettings set --min-pwd-length=12
 
samba-tool domain passwordsettings show
 
samba-tool domain passwordsettings pso create admin 10 --account-lockout-duration=5 --history-length=5 --min-pwd-length=20
samba-tool domain passwordsettings pso create system 20 --account-lockout-duration=5 --history-length=4 --min-pwd-length=20 --max-pwd-age=365
samba-tool domain passwordsettings pso list
 
samba-tool domain passwordsettings pso apply system Administrator

10. Start samba on server1

sudo systemctl daemon-reload
sudo systemctl start samba

Alternatively you may start samba directly:
sudo /usr/local/samba/sbin/samba &

11. Add the second DC to the domain (run all commands on server2)

/etc/krb5.conf:
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_realm = DOM1.EXAMPLE.COM

/usr/local/samba/etc/samba.conf:
[global]
        dns forwarder = 8.8.8.8
        netbios name = SERVER2
        realm = DOM1.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = DOM1
        idmap_ldb:use rfc2307 = yes
        logging = syslog@3
        log level = 1 auth_audit:3
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/dom1.example.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Add server2 to domain
samba-tool domain join dom1.example.com DC -U"DOM1\administrator" --option='idmap_ldb:use rfc2307 = yes'
...
Password for [DOM1\administrator]: yourpasswordhere

Change krb5.conf again to make server2 a fully standalone DC
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_realm = DOM1.EXAMPLE.COM
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        # default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 DOM1.EXAMPLE.COM = {
        kdc = SERVER2.example.com
        admin_server = SERVER2.example.com
 }
 # EXAMPLE.COM = {
 #        kdc = kerberos.example.com
 #        admin_server = kerberos.example.com
 # }
[domain_realm]
        # .example.com = EXAMPLE.COM
        # example.com = EXAMPLE.COM

Start samba on server2
sudo systemctl daemon-reload
sudo systemctl start samba

12. Check replication status (run command on both servers)

sudo samba-tool drs showrepl

30th Anniversary of Linux

SASL authentication with Postfix (Ubuntu 18.04)

If you run Postfix as a mail server to receive emails from the Internet as well as send out emails from the internal network to the Internet, you probably have the following scenario.

1. Emails from the Internet should be received without authentication. Other mail servers should be able to deliver emails without having to login first. They most likely don’t have an internal account they could use to log into your email server.
2. On the other hand, if users send emails from your internal network to the outside or to each other, they should authenticate first. At least they are using your domain name in their email address, and this privilege should only be available for legitimate users.

Postfix uses SASL to authenticate SMTP logins. SASL is able to use all sorts of backends for authentication. In the following example we use PAM to authenticate user logins. In larger corporate environments, you may want to connect SASL to your internal LDAP database.

These are the steps to install and configure saslauthd. Postfix should already be configured and running.

• Install package sasl2-bin
• Insert the follwing lines into your Postfix configuration /etc/postfix/main.cf
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_service = smtpd
  smtpd_tls_auth_only = yes
  broken_sasl_auth_clients = yes
  …
  smtpd_recipient_restrictions =
  …
  # The order of recipient restrictions is important, so be careful where to insert the next line
         permit_sasl_authenticated,
  …
• Create the following file: /etc/postfix/sasl/smtpd.conf
  pwcheck_method:saslauthd
  log_level: 10
  mech_list: PLAIN LOGIN
  saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
• Create the following directory: /var/spool/postfix/var/run/saslauthd
  sudo mkdir -p /var/spool/postfix/var/run/saslauthd
• Add the user postfix to the sasl group so he is able to access the socket directory:
  sudo usermod -aG sasl postfix
• Create the following file: /etc/pam.d/smtpd
  auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/postfix/sasl-group.allowed
  @include common-auth
  @include common-account
  @include common-password
  @include common-session
• Create the following file: /etc/postfix/sasl-group.allowed
  smtp
• Add local user accounts that should be allowed to login via the smtpd service to the local group “smtp”:
  sudo usermod -aG smtp alice
  sudo usermod -aG smtp bob
  …
• Edit the following lines in /etc/default/saslauthd
  MECHANISMS=”pam”
  OPTIONS=”-m /var/spool/postfix/var/run/saslauthd”
• Enable and start the saslauthd service:
  sudo systemctl enable saslauthd
  sudo systemctl start saslauthd
• Reload the postfix service:
  sudo systemctl reload postfix

Important

Integrating saslauthd with the PAM module pam_listfile is crucial. Otherwise SASL authentication could be misused to guess passwords of all your local user accounts, including root. If you follow the steps above, only users that belong to the group “smtp” are allowed to login via the smtpd service.

Using the German electronic identity card (eID) in Ubuntu 20.04

The new eID functionality of the German identity card enables you to identify yourself with your real name towards government or commercial web services. It makes sure that it is really you who uses the web service, and not someone else who stole your online identity by email spoofing, SIM swapping, IMSI catcher, etc. .

In the following example, we will be using the eID to sign our PGP key. The new signature will uniquely identify the owner of the German identity card as the owner of the PGP key, which can then be used to e.g. sign and encrypt emails. That way PGP no longer relies on a web of trust, but works similar to the PKI concept of S/MIME certificates, in that the real identity of the owner of a certificate will be checked and then signed by a common public authority (CA) that everyone trusts.

Prerequisites

• A German identity card with eID functionality.
• A supported RFID card reader, e.g. from REINER SCT.
• Operating system drivers for your card reader. In Ubuntu 20.04 drivers for all REINER SCT card readers (also called “cyberJack”) are included in the package libifd-cyberjack6. You can download Ubuntu drivers from their website too, but they didn’t work for me.
• On Linux, the pcscd daemon that enables access to smart card readers.
• An application called AusweisApp2 that handles authentication (PIN entry) and authorization (who wants to access what kind of information on your eID). In Ubuntu 20.04 AusweisApp2 is already included in the standard repositories (version 1.20.0). The app is also included as a snap install (newer version 1.20.2), but that didn’t work for me (for the error message see below).

First steps

• Make sure you have the letter with the initial PIN for your eID at hand.
• IMPORTANT: Make sure your RFID card reader is updated to the latest firmware release. With most card readers, the firmware can only be updated while you install the card reader on a Windows system.
• IMPORTANT: Remove usbguard. Even after I permanently added the card reader to the list of allowed devices, pcscd could not find my card reader, or AusweisApp2 did not properly recognize my card reader and complained about missing drivers.
• Install all necessary software packages and drivers for Ubuntu 20.04:
  pcscd pcsc-tools libifd-cyberjack6 libusb-1.0-0 libusb-1.0-0 libccid libpcsclite1 libpcsc-perl libpcsclite-dev

Test your card reader

Start the pcscd daemon in debug mode:

$ sudo pcscd -df
00000000 [140135772616640] pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000086 [140135772616640] configfile.l:293:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000017 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: ..
00000006 [140135772616640] configfile.l:369:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00000029 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: .
00000009 [140135772616640] pcscdaemon.c:663:main() pcsc-lite 1.8.26 daemon ready.
00003514 [140135772616640] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0xABCD, PID: 0x1234, path: /dev/bus/usb/001/001
...

Plug in your card reader.

IMPORTANT: If you use a USB card reader, plug it directly into your PC or laptop. Do not use a USB hub, as the hub may not provide enough power for the USB device. Also make sure to use the USB cable that came with the card reader. Longer cables may result in unstable connections.

In the output of the pcscd daemon (after a couple of seconds, wait for it!), you will see something like this:

99999999 [140135764219648] hotplug_libudev.c:655:HPEstablishUSBNotifications() USB Device add
00000158 [140135764219648] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0x0C4B, PID: 0x0500, path: /dev/bus/usb/002/012
00000010 [140135764219648] hotplug_libudev.c:440:HPAddDevice() Adding USB device: REINER SCT cyberJack RFID standard
00000050 [140135764219648] readerfactory.c:1074:RFInitializeReader() Attempting startup of REINER SCT cyberJack RFID standard (1234567890) 00 00 using /usr/lib/pcsc/drivers/l
ibifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so
CYBERJACK: Started
00001347 [140135764219648] readerfactory.c:950:RFBindFunctions() Loading IFD Handler 3.0
00023288 [140135764219648] readerfactory.c:391:RFAddReader() Using the pcscd polling thread

Notice that the pcscd daemon uses the driver from the package libifd-cyberjack we installed earlier. You can also check the output from the pcscd client tool:

$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: REINER SCT cyberJack RFID standard (1234567890) 00 00

Thu Nov 19 13:17:31 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 0
 Card state: Card removed,

As you can see, pcscd properly detected the card reader. Now insert your identity card into the card reader while pcsc_scan is running. The output of pcsc_scan will show something like this:

Thu Nov 19 13:21:24 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 3
 Card state: Card inserted,
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
       Personalausweis (German Identity Card) (eID)

Install and start the application AusweisApp2

Install the application AusweisApp2 from the general Ubuntu repository. Do not install the snap app! In my case, the snap version of AusweisApp2 did not work properly. I got the following error message in my system logs:

Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 07606784 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:0c4b/0500:libudev:0:/dev/bus/usb/002/006)
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000015 readerfactory.c:376:RFAddReader() REINER SCT cyberJack RFID standard (1234567890) init failed.
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000073 hotplug_libudev.c:526:HPAddDevice() Failed adding USB device: REINER SCT cyberJack RFID standard

After you start the application, go to Start -> Settings -> USB card reader to check if the app can communicate with your card reader.

If you haven’t done so before, the app will ask you to change the initial PIN that you received by mail. You have to set your own PIN before you use any online service.

Test the authentication process

Go to Start -> Self-Authentication -> See my personal data. Here you can check the data that is stored on your eID, and also make sure that the authentication process is working properly.

Click on “Proceed to PIN entry”. On your card reader, you will need to confirm the service provider who wants to access your card, and also which information is requested from your card. Of course you also need to enter your new PIN.

Sign your PGP certificate

Go to Start -> Provider -> Other services -> Schlüsselbeglaubigung. The key signing service is provided by Governikus, the company that develops AusweisApp2.

Click on “To online application”. This will start your default web browser and open the URL https://pgp.governikus.de/pgp/ . Of course you can also enter the URL directly in your web browser. Just make sure that AusweisApp2 is running in the background.

On the website you may upload your PGP public certificate. After successful authentication by eID, you will receive an email with your certificate signed by Governikus. The signature certifies that the PGP key really belongs to you and not someone else who is impersonating you by using your email address (email spoofing) or smartphone number (SIM card swapping, IMSI catcher).

Summary

The whole eID authentication process on a website can be described as follows:

1. Start the pcscd daemon, either by “sudo systemctl start pcscd”, or if this doesn’t work by “sudo pcscd -f”.
2. Plug in your card reader. You should see a confirmation in the daemon output (or by typing “systemctl status pcscd” if you started pcscd with systemctl):
   “CYBERJACK: Started”
3. Start the application AusweisApp2.
4. Go to the website that requests eID authentication (“elektronischer Personalausweis”), and click on “Login”.
5. Your webbrowser automatically transfers control to AusweisApp2. There you should see who is requesting what kind of information from your eID.
6. Insert the identity card into your card reader.
7. In AusweisApp2, click on “Proceed to PIN entry”.
8. Control is transferred to your card reader. There you need to:
   1. Confirm the service provider.
   2. Confirm the data he wants to have access to.
   3. Enter your PIN.
9. On the display of your card reader, you should see something like “Tunnel established”. AusweisApp2 shows something like “Authentication successful”. The website should automatically proceed to its regular contents, just as if you would have entered username and password.
10. That’s it. You can remove your identity card from the card reader.

---

Troubleshooting

• If you see the following error message in the output of pcsc_scan, it means that pcsc_scan cannot communicate with the daemon pcscd. Make sure that the daemon is running.

SCardGetStatusChange: RPC transport error.

• If AusweisApp2 does not recognize your card reader, or complains about missing drivers, try to start pcscd from the command line (“sudo pcscd -f”), and not as a background service (“sudo systemctl start pcscd”). Also make sure that you removed usbguard and did a reboot afterwards.

• If the authentication process is not working, try to update the firmware of your smart card reader to the latest version. This might only work under Windows 10 during Windows driver installation for the new smart card reader device.

Let’s Encrypt Certificate for SMTP with STARTTLS

<p value="<amp-fit-text layout="fixed-height" min-font-size="6" max-font-size="72" height="80"><strong>Let's Encrypt</strong> provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.Let’s Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

<p value="<amp-fit-text layout="fixed-height" min-font-size="6" max-font-size="72" height="80">The way Let's Encrypt usually works requires you to setup a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response in a certain <strong>URL on your web server</strong>:The way Let’s Encrypt usually works requires you to setup a web server. Let’s Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response in a certain URL on your web server:

<p value="<amp-fit-text layout="fixed-height" min-font-size="6" max-font-size="72" height="80"><strong>http://www.yourserver.com/.well-known/acme-challenge/</strong>FgedPYS65N3HfwmM7IWY2&#8230;http://www.yourserver.com/.well-known/acme-challenge/FgedPYS65N3HfwmM7IWY2…

<p value="<amp-fit-text layout="fixed-height" min-font-size="6" max-font-size="72" height="80">That way you prove that you are the owner of the domain "yourserver.com". But there is another even easier way to prove ownership of a domain: <strong>DNS</strong>. You place the response in a specific TXT record of your domain: <strong>_acme-challenge.www.yourserver.com</strong>That way you prove that you are the owner of the domain “yourserver.com”. But there is another even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain: _acme-challenge.www.yourserver.com

• You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
• The “certbot” command line client does all the rest in just one call.
• Under Debian 9 and 10, “certbot” is part of the official package repository.
• You can run certbot on any Linux client. You don’t have to run it on the email server.

Example

<p value="<amp-fit-text layout="fixed-height" min-font-size="6" max-font-size="72" height="80">In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called <strong>_acme-challenge.mx.yourserver.com</strong> . The value of the TXT record is in the output of certbot.In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called _acme-challenge.mx.yourserver.com . The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d mx.yourserver.com
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for mx.yourserver.com 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name 
_acme-challenge.mx.yourserver.com with the following value: 
 
1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/mx.yourdomain.com/privkey.pem 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le

C++ – The Beast is Back (Halloween Special)

Do you remember the time when programming languages like Visual Basic and Java came out and flourished, because they let programmers forget about all the underlying technical details of computers, so they could focus more on things like algorithms and use cases?

“I don’t wanna waste my time with solving memory management problems or all those other low level stuff. These days are finally over!” Many programmers hated C++ because they were annoyed by memory leaks, pointers, byte sizes of variable types and data structures, compiler errors, linker warnings, … the list goes on and on.

And managers? They loved Java and Visual Basic. Less tech talk about problems nobody really understands anyway, faster time to market, happy customers, what else could you want?

It seemed like the days of C and C++ were counted. Maybe they could still be used for some low level system programming, but certainly not application programming. Instead let’s move on and jump on the ponderous but convenient bytecode train. Just add some more RAM modules to the server, and triple the disk space of those cloud containers, then we’re done. What a beautiful simple world it is now, the world of software programming. Right? Right?? Right???

The Return of the Beast

Well … not so fast (pun intended). New emerging technologies like Big Data, Blockchain and AI become part of everyday application development. And what about IoT (edge cloud)? Small IoT devices don’t have Terabytes of RAM and server scale CPU processors. All of these rapidly growing technologies require lean and fast code modules tailored to their specific requirements.

I recently came across a free eBook from O’Reilly: C++ Today – The Beast is Back. It is from 2015, but large parts are still valid today. I highly recommend reading it. Once you have finished, here is my very own top 6 list of reasons why “the beast is back”:

1. Coding discipline
   Source code formatting, code commenting, coding guidelines, best practices: Python brought discipline back into aspiring programmers. Coders are now less annoyed by investing time in high quality source code, because they realize it will in turn create higher quality software that is easier to maintain and safes time and money in the end. C++ development also requires a lot of discipline and attention to details, but you are rewarded with a minimum disk and memory footprint and unparalleled performance.
2. Focus on technology
   Tech is back: Logging in with SSH to a remote git server? Using vim to fix a typo in some Python source files? No problem. Today there are more tutorials out there about vim and the Linux command line than ever before. Students again want to get in touch with the underlying technology and learn how stuff works under the hood. Knowing the memory footprint of a running program is not considered evil sorcery any more.
3. New standards
   C++ has come a long way since the last decade:
   C++11, C++14, C++17, C++20
   New programming ideas and standards are coming up every year, and C++ is adapting fast.
4. New technologies
   Blockchain, IoT, Big Data and Deep Learning: Exciting new technologies are all about performance, data crunching, sheer numbers. You need a lean and fast beast like C++ to tame them. For example the core of TensorFlow, today’s most popular machine learning framework, is written in C++.
5. Low competition
   In July 2019 Microsoft announced they are thinking about moving from C++ to Rust for developing internal and external software. My question: What do you do with the rest of the weekend? Seriously: It might sound like a great idea to get rid of stack overflow problems and the like, but porting tons of code from C++ to Rust will probably take decades. Furthermore, Rust is not nearly as developed and stable as C++. There sure are still heaps of banana skins hidden beneath the shiny new surface of Rust.
6. Go green, go C++
   In 2018 the first YouTube video hit 5 billion views and burned as much energy as 40,000 US homes use in a year. This should make it very clear that every innocent clickety-click-click-barely-touching-the-shiny-polished-surface-of-your-tiny-cutesy-iphone has a huge impact on telecommunication infrastructure and cloud data centers spread around the globe. Cloud services are run by software. The more efficient the software is, the less energy these services consume (CPU, hard drive, memory, etc.). Unfortunately today’s most famous programming languages JavaScript, Java and Python are rather energy inefficient. Compiled languages like C++ use less memory, produce less hard drive read/writes and consume less CPU cycles, thus making them far more energy efficient.

Slow wifi network on Linux laptop

If network performance on your laptop is slow and unstable, it might be because power management of your wifi adapter and of Linux are not playing together.

One of the things you will notice are flapping ping rates:

$ ping 192.168.0.1 
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. 
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=23.3 ms 
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=44.7 ms 
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=1161 ms 
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=35.2 ms
...
^C 
--- 192.168.0.1 ping statistics --- 
30 packets transmitted, 20 received, 33% packet loss, time 30000.14s 
rtt min/avg/max/mdev = 23.3/537.9/2119.2/2005.3 ms

As you can see the 3rd ping has a high round trip time of over one second. You might also notice high packet loss rates.

If this is the case and your hardware seems to be ok, you can try to switch off Network Manager’s automatic power management in /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf:

[connection] 
wifi.powersave = 2

Restart NetworkManager (sudo systemctl restart NetworkManager) or reboot your Laptop.

If you are not using NetworkManager, you can try to switch off power management directly:

sudo iwconfig wlp2s0 txpower fixed

Afterwards check that power management is really disabled:

sudo iwconfig wlp2s0
...
    Power Management:off
...

iptables: Block traffic by country (Debian 10)

You need the package versions from at least Debian 10 testing for this to work. Installing specific packages from the testing branch is beyond the scope of this article, but there are many tutorials online.

• Switch to legacy iptables (I did not try it with the new nftables packet filter that came with Debian 10):

sudo update-alternatives --config iptables 
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). 

 Selection    Path                       Priority   Status 
------------------------------------------------------------ 
 0            /usr/sbin/iptables-nft      20        auto mode 
* 1            /usr/sbin/iptables-legacy   10        manual mode 
 2            /usr/sbin/iptables-nft      20        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 1

• Install iptables module “geoip” (from testing) and dependencies:

sudo aptitude install xtables-addons-common/testing xtables-addons-dkms/testing libnet-cidr-lite-perl libtext-csv-xs-perl

• Make sure you have the right version (from Debian testing):

apt show xtables-addons-common
...
Version: 3.5-0.1
...

• Download and build geoip database (zipped CSV file from MaxMind):

sudo -i
mkdir /usr/share/xt_geoip/ 
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl
cd GeoLite2-Country-CSV_* 
/usr/lib/xtables-addons/xt_geoip_build
cp *iv? ..

• Check your iptables rules in INPUT chain. It should look something like this, if you already setup iptables:

# iptables --line-numbers -nL  INPUT

Chain INPUT (policy DROP) 
num  target     prot opt source               destination          
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     ...
3    ACCEPT     ...
...
8    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"

• Add iptables rule to block all incoming traffic from e.g. Prague/Czech Republic. Make sure to insert the new rule after the RELATED/ESTABLISHED rule and before any other ACCEPT rules. In this example, the rule is inserted as line number 2.

iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP

• In the second example we block all traffic except the one that is originating from the United States. TCP traffic is not simply dropped, but spoofed by the DELUDE target.

iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
iptables -I INPUT 2 -p tcp -m geoip ! --src-cc US -j DELUDE

Important things to note:

• You have to reinstall package “xtables-addons-common” with every new kernel version because it is compiled during package installation using the current kernel source (see /usr/src/xtables-addons-*).
• For more information about the DELUDE target in the second example, see “man xtables-addons”. It spoofs nmap scans and makes it harder for port scanners to scan the destination host. It is only valid for TCP traffic.

Add entropy to KVM virtual guests (Why is key creation so slow?)

Problem

Cryptographic key creation (GnuPG, SSH, etc.) in virtual guests may be very slow because there is not enough entropy.

$ cat /proc/sys/kernel/random/entropy_avail 
7

Solution

Add /dev/urandom from virtual host in virt-manager. Click on “Add Hardware”.

Add “RNG” device.

This is what will be added to the qemu xml file in /etc/libvirt/qemu:

<domain type='kvm'>
  ---
  <devices>
    ...
   <rng model='virtio'> 
     <backend model='random'>/dev/urandom</backend> 
     <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> 
   </rng> 
 </devices> 
</domain>

In the virtual guest, install “rng-tools” (Ubuntu 18.04).

$ sudo apt-get install rng-tools

If something goes wrong, the rngd daemon will complain in /var/log/syslog.

Oct 13 22:48:07 guest rngd: read error 
Oct 13 22:48:07 guest rngd: message repeated 99 times: [ read error] 
Oct 13 22:48:07 guest rngd: No entropy sources working, exiting rngd

If rngd is working correctly, check entropy level again.

$ cat /proc/sys/kernel/random/entropy_avail
3162

Sending mail on the Linux command line (Ubuntu 18.04)

How to send end-to-end encrypted emails on the Linux command line.

If you want to add attachments, use mutt or mail from GNU Mailutils as the mail client. The following examples use mailx and ssmtp.

Unencrypted mail

Install package “bsd-mailx”:

$ sudo apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test 
This is a test. 
. 
Cc: 

Notes:

• Mail gets sent to postmaster@example.com (see mail.rc).
• Mail server is mail.example.com (see mail.rc).
• Email message body is terminated by a single “.” as the last line.

Encrypted mail (Inline PGP)

Make sure you can send unencrypted mail (s. “Unencrypted mail” above).

Check that you have GnuPG version 2 installed, and If you haven’t done so before, create private and public GnuPG key.

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
...
$ gpg --gen-key
...

Import public PGP key from recipient.

$ gpg --import alice.pub

First sign message (clearsign – ascii signature will be appended to text), then encrypt message, then mail message.

$ echo "Hello Alice, if you can read this your PGP mail client is working." | 
    gpg --clearsign | 
    gpg -a -r alice@example.com --encrypt | 
    mailx -s "PGP encrypted mail test" alice@example.com

Notes:

• First sign the message. “gpg –clearsign” uses the default private key to sign message. Check with “gpg -K”. Otherwise use option “–default-key bob@example.com” to choose a specific private key.
• Then encrypt the message. Check with “gpg -k” that the recipient’s user id is properly added to your GPG keyring.
• The user id of the public key used for encryption does not necessarily has to correspond with the recipient email address. You can encrypt a message with the public key of “bob@example.com”, and then send the email to “alice@example.com”. If Alice has the corresponding private key for “bob@example.com”, she will be able decrypt and read the email without any problems.
• Finally send the mail message. The email body is simply the signed and encrypted message text in ASCII format.
• The email subject will not be encrypted.

Encrypted mail (S/MIME)

Make sure you can send unencrypted mail (s. “Unencrypted mail” above).

You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).

You can get a S/MIME email certificate for free from COMODO. Or you run your own certificate authority. Either way, both your own certificate and your own key need to be in a single file in PEM format (in the following example it is called “bob.pem”).

-----BEGIN PRIVATE KEY-----
 ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

The public certificate of the recipient must be in PEM format too (in the following example it is called “alice.pem”). You can extract it from an email signature if the recipient already sent you a signed email.

-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

Install the package “ssmtp”.

$ sudo apt-get install ssmtp

Again (as in the above example for PGP encrypted mail), all commands for signing, encrypting and sending the message can be chained together to a single command line.

$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | 
    openssl smime -sign -signer bob.pem -text | 
    openssl smime -encrypt -from bob.example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | 
    ssmtp -t

Notes:

• Email body is simply the signed and encrypted message text in ASCII format. OpenSSL adds all required headers to it (sender, recipient, subject).
• If you are using a S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature, compared to PGP encrypted emails.
• You still need the public certificate of the recipient, and make somehow sure that it is authentic.
• Again, the email subject will not be encrypted.