Friday, September 27, 2013

Using Ubuntu and have a Fingerprint Reader on your laptop? Make it work!


This PPA contains packages that add comprehensive fingerprint-based authentication to Ubuntu, including seamless integration into GNOME 2.x, Unity and GNOME 3.x. At the time of writing, the supported Ubuntu releases are 12.04, 12.10 and 13.04. Please note that since version 12.10 these packages are present in the standard repositories (still, this PPA supports a wider range of fingerprint readers).

Step 1
You should be running Ubuntu 12.04, 12.10, 13.04 or any derivative thereof, and you need to have a supported fingerprint reader. To find out your reader's ID, run the lsusb command and look into the sixth column of the output. Supported devices are:
     045e:00bb    08ff:1683    08ff:2580    08ff:268d
     045e:00bc    08ff:1684    08ff:2660    08ff:268e
     045e:00bd    08ff:1685    08ff:2680    08ff:268f
     045e:00ca    08ff:1686    08ff:2681    08ff:2691
     0483:2015    08ff:1687    08ff:2682    08ff:2810
     0483:2016    08ff:1688    08ff:2683    08ff:5501
     05ba:0007    08ff:1689    08ff:2684    08ff:5731
     05ba:0008    08ff:168a    08ff:2685    138a:0001
     05ba:000a    08ff:168b    08ff:2686    138a:0005
     061a:0110    08ff:168c    08ff:2687    138a:0008
     08ff:1600    08ff:168d    08ff:2688    147e:1000
     08ff:1660    08ff:168e    08ff:2689    147e:2016
     08ff:1680    08ff:168f    08ff:268a    147e:2020
     08ff:1681    08ff:2500    08ff:268b    147e:3001
     08ff:1682    08ff:2550    08ff:268c    1c7a:0603

Step 2
If you have a supported device, add this PPA to your sources:
     sudo add-apt-repository ppa:fingerprint/fprint
     sudo apt-get update
     sudo apt-get upgrade

Step 3
Install the software:
     sudo apt-get install libfprint0 fprint-demo libpam-fprintd gksu-polkit

Step 4
Launch "fprint project demo" from your Unity/GNOME applications menu and check that you can enroll and verify your fingerprints and that your reader is indeed supported. This does NOT save your fingerprints. It is just a test to make sure the reader is working.

Step 5
Run fprintd-enroll in terminal to save your fingerprints.

If you have experimented with fingerprint authentication before and have changed your /etc/pam.d/common-auth, you may be presented with a screen asking whether you want to override those changes. Select Yes. Under very special circumstances, you may get an error saying
     pam-auth-update: Local modifications to /etc/pam.d/common-*, not updating.
     pam-auth-update: Run pam-auth-update --force to override.
In this case, run sudo pam-auth-update --force, exactly as suggested, and enable the fprintd profile manually. Leave the standard system profiles (Unix, Keyring and ConsoleKit) enabled as well.
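
One way to confirm that the password fallback is still in place after pam-auth-update has rewritten /etc/pam.d/common-auth. This is an added example, not part of the PPA or the original post; the function name check_auth_stack is hypothetical, and the control values in the constructed sample are an assumption about what the fprintd profile generates.

```sh
#!/bin/sh
# Added example, not part of the PPA: confirm that password login still works
# when the fingerprint read fails. Assumes the Debian/Ubuntu layout in which
# pam-auth-update writes the auth stack to /etc/pam.d/common-auth.

# check_auth_stack FILE: print findings; return 1 if a failed read locks you out.
check_auth_stack() {
    awk '
        $1 != "auth" { next }                 # comments, blanks, other PAM types
        /pam_fprintd\.so/ {
            fp = NR
            # required/requisite, or a bracket control without default=ignore,
            # turns a failed or timed-out swipe into a failed login.
            if ($2 == "required" || $2 == "requisite" ||
                ($2 ~ /^\[/ && $0 !~ /default=ignore/)) {
                print "FAIL: line " NR ": a failed fingerprint read ends authentication"
                bad = 1
            }
        }
        /pam_unix\.so/ && fp { unix = NR }    # password module after fprintd
        END {
            if (!fp) { print "INFO: pam_fprintd.so is not in the auth stack"; exit 0 }
            if (!unix) {
                print "FAIL: no pam_unix.so after pam_fprintd.so, so no password fallback"
                bad = 1
            }
            if (!bad) print "OK: fingerprint first (line " fp "), password fallback (line " unix ")"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample of a stack with both profiles enabled (not a captured file).
sample_common_auth() {
    cat <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    [success=2 default=ignore]  pam_fprintd.so
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
}

tmp=$(mktemp)
sample_common_auth > "$tmp"
check_auth_stack "$tmp"
rm -f "$tmp"
```

On a real system, run check_auth_stack /etc/pam.d/common-auth from a second root shell that stays open until a fresh login has succeeded.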

Known issues

1. No fingerprint and password at the same time
At the moment, you cannot type in your password right away when you are asked for fingerprint. You need to make the fingerprint authentication fail first (swipe wrong finger or let it time out) before you are asked for password. This is a limitation of PAM because its modules mustn't be threaded and hence cannot support multiple means of authentication at the same time.
2. Missing support in gksu
When you run Synaptic or a similar graphical application that requires unlimited, full root privileges, the standard authentication window doesn't get displayed. Yet the fingerprint reader is ready, and a swipe will authenticate the user. The informative window not appearing is a major bug in GNOME's gksu, which will never be fixed because of its inner limitations. Instead, a replacement called gksu-polkit is being developed (its latest version is in this PPA). With this package installed, you can then adjust your menu items to call gksu-polkit instead of gksu. Go to System > Preferences > Main Menu, select the item you want to modify, click Properties and in the Command field change "gksu [options...] command" to "gksu-polkit /full/path/to/command" (note that you need to drop all the options to gksu, if any, and full path to command is required).

Note on keyrings and passwordless logins

If you log in with your fingerprint, the default keyring manager will not have access to your password or any other secret data to decrypt your enciphered content with. The same applies to encrypted partitions and their automatic unlocking with libpam-mount or eCryptFS. Please note that it is not possible to unlock the keyring unless you have typed in your password (there's nothing to unlock it with, and having a key stored somewhere on disk is a very naïve and insecure solution). There are basically 2 possible solutions to the keyring issue:
1. Keep logging in with your password as before (you will need to make the fingerprint authentication fail first by scanning a wrong finger) and then use fingerprint only for sudo and locked screens. This way you will have your standard password available in your session, and keyring and encrypted partitions will work as before.
2. Remove the password from your default keyring. This way the passwords in it will be stored unencrypted, but this may be perfectly acceptable for you if you store only non-sensitive data in it (such as passwords to Wi-Fi networks). If you decide to take this route, here is a short how-to: Go to Applications > Accessories > Passwords and Encryption Keys, open the Passwords tab, right-click on Passwords: login, choose Change Password and set it to an empty string.

Creative Commons License
Using Ubuntu and have a Fingerprint Reader on your laptop? Make it work! by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Monday, September 23, 2013

Have a RaspberryPi? Need a VPN server?

The Raspberry Pi is a credit-card sized computer that costs between $25 and $35 and plugs into your TV and a keyboard. It's a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word processing and games. It also plays high-definition video. The SoC is a Broadcom BCM2835. This contains an ARM1176JZFS, with floating point, running at 700MHz, and a Videocore 4 GPU. The GPU is capable of BluRay quality playback, using H.264 at 40MBits/s. It has a fast 3D core accessed using the supplied OpenGL ES2.0 and OpenVG libraries. The GPU provides OpenGL ES 2.0, hardware-accelerated OpenVG, and 1080p30 H.264 high-profile decode.
The GPU is capable of 1Gpixel/s, 1.5Gtexel/s or 24 GFLOPs of general purpose compute and features a bunch of texture filtering and DMA infrastructure.  That is, graphics capabilities are roughly equivalent to Xbox 1 level of performance. Overall real world performance is something like a 300MHz Pentium 2, only with much, much swankier graphics.
A VPN (virtual private network) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from encryption.
A VPN connection across the Internet is similar to a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network.
VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an organization, creating one cohesive virtual network. VPN technology is also used by ordinary Internet users to connect to proxy servers for the purpose of protecting one's identity.

Let's set up an OpenVPN server using your RaspberryPi

First of all you'll need to ensure you have Raspbian installed and running on your RaspberryPi. If you need to download the latest version you can get that here.  If you need help installing the operating system you can find help here.  Once you have your operating system installed and you have verified it is up and running you can proceed with the steps below.

Step 1
To be able to install the latest program versions we should update our package sources. Open a terminal window and type:
sudo apt-get update
Step 2
Now we are installing OpenVPN and OpenSSL via the terminal.
sudo apt-get install openvpn openssl
Step 3
We switch to the OpenVPN directory and copy into it a directory we will need later.
cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Step 4
Now we open the file easy-rsa/vars with nano and change one line.
sudo nano easy-rsa/vars
Find the line
export EASY_RSA="`pwd`"
and change it to
export EASY_RSA="/etc/openvpn/easy-rsa"
Step 5
We change into the easy-rsa directory, switch to the root user and run the initial configuration.
cd easy-rsa
sudo su
source vars
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf
Step 6
Now we are able to generate the components for the encryption of OpenVPN. After entering the first command you will be asked for the abbreviation of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other prompts can simply be confirmed.
./build-ca OpenVPN
./build-key-server server
./build-key client1
Step 7
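Generate the Diffie-Hellman parameters, which the server configuration in Step 8 refers to as dh1024.pem. The calculation of the last components can take a few minutes.
./build-dh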
Step 8
We have to switch the directory again and create the file openvpn.conf with the following content:
cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf
Nano is a text editor that opens within the terminal. Type the following:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
# set the DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
You can change the DNS servers to any DNS you like; these are Google's. After you have finished typing all of that in, press Ctrl + o to save it to the open file. After you've saved it, press Ctrl + x to exit the editor. If it asks you to save again, just say yes.
Step 9
Now set up internet forwarding for the VPN clients. If you are not using an Ethernet cable (e.g. Wi-Fi), you will have to replace "eth0" with the name of your network device. Wi-Fi will most likely be "wlan0". VPN-SUBNET stands for the address range of your VPN clients in CIDR notation.
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s VPN-SUBNET ! -d VPN-SUBNET -o eth0 -j MASQUERADE
Step 10
One of the final steps is to delete the "#" before net.ipv4.ip_forward=1 in /etc/sysctl.conf, so that forwarding stays enabled after a reboot.
cd ..
sudo nano sysctl.conf
Step 11
Some of the settings above have to be added to the crontab to work permanently. Insert the following line at the end of the crontab file (replace "eth0" if you did above, and VPN-SUBNET with the address range of your VPN clients):
crontab -e
@reboot sudo iptables -t nat -A POSTROUTING -s VPN-SUBNET ! -d VPN-SUBNET -o eth0 -j MASQUERADE
Step 12
Again change to the root user and to the directory /etc/openvpn/easy-rsa/keys, in which we will create the file raspberrypi.ovpn and fill it with the content shown below the commands. RASPBERRY-PI-IP should be replaced by the internal IP address of your Pi or, if you are using a DynDNS service, by the given domain.
sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn
dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
verb 3
Step 13
Now create an archive with all the files the client needs, place it in /home/pi and give the user pi the needed rights to the file. Leave ca.key out of the archive: it is the private key of your certificate authority, and anyone who holds it can issue certificates that your server will accept.
tar czf openvpn-keys.tgz ca.crt client1.crt client1.csr client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/pi
chown pi:pi /home/pi/openvpn-keys.tgz
Step 14
Restart the OpenVPN server.
sudo /etc/init.d/openvpn start
Finished! Now we are able to download the file openvpn-keys.tgz to the client and extract the files into your OpenVPN client folder.
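
The archive from Step 13 carries a private key to another machine, so it is worth checking its contents and file mode before it leaves the server. The following check is an added example, not part of the original post; the function names, the severity labels and the policy of what a client needs are assumptions, and the sample archive is constructed from empty files.

```sh
#!/bin/sh
# Added example, not from the original post: audit a client bundle such as
# openvpn-keys.tgz before it leaves the server. Assumed policy: a client needs
# only ca.crt, its own .crt and .key, and the .ovpn profile.

# classify NAME CLIENT: print a finding for one archive member, or nothing.
classify() {
    case ${1##*/} in
        ca.key)
            echo "CRITICAL: $1 is the CA private key; its holder can issue certificates the server accepts" ;;
        server.key)
            echo "HIGH: $1 is the server's private key" ;;
        ca.crt|"$2.crt"|"$2.key"|*.ovpn)
            ;;                                  # expected client material
        *.key)
            echo "HIGH: $1 is a private key for another identity" ;;
        *)
            echo "INFO: $1 is not needed by the client" ;;
    esac
}

# audit_bundle ARCHIVE [CLIENT]: print findings; return 1 on CRITICAL or HIGH.
audit_bundle() {
    report=$(tar tzf "$1" | while IFS= read -r name; do
        classify "$name" "${2:-client1}"
    done)
    # The bundle holds a private key, so only its owner should be able to read it.
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \))" ]; then
        report="${report:+$report
}HIGH: $1 is readable by group or others; chmod 600 it"
    fi
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    case $report in *CRITICAL:*|*HIGH:*) return 1 ;; esac
    return 0
}

# make_sample_bundle ARCHIVE FILE...: constructed archive of empty stand-in files.
make_sample_bundle() {
    dest=$1; shift
    dir=$(mktemp -d)
    ( cd "$dir" && touch "$@" && tar czf bundle.tgz "$@" )
    mv "$dir/bundle.tgz" "$dest" && rm -rf "$dir" && chmod 600 "$dest"
}

# Demo: a constructed bundle that also contains ca.key and client1.csr.
tmp=$(mktemp -d)
make_sample_bundle "$tmp/openvpn-keys.tgz" ca.crt ca.key client1.crt client1.csr client1.key raspberrypi.ovpn
audit_bundle "$tmp/openvpn-keys.tgz" || echo "bundle rejected"
rm -rf "$tmp"
```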

Creative Commons License
Have a RaspberryPi? Need a VPN server? by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.