K2yo234hkjh23r0a: Encryption, privacy, e-mail, and instant messenging

I am quite pleased to see Google's new option for Gmail to have your Gmail session in https by default. Basically, that means that the data communicated will be encrypted, rather than passed across the Internet in plaintext. Previously, and still, you could explicitly request an encrypted session by designating the protocol to be HTTPS in the URL, like https://www.gmail.com. To ensure your Gmail sessions are encrypted, go to your Settings and scroll to the bottom, and select the option "Always use https".

While there are performance penalties, I think that encryption is generally a good idea. In particular, I find it almost scandalous that Instant Messengers do not offer an option to encrypt your conversations by default. A popular IM encryption software suite, providing plugins for a number of messengers, is Off the Record. Of course, both sides need to be using it for the encryption to work (or how would the otherside decrypt your messages?), so that is a massive barrier to using it commonly.

One "feature" I dislike about OTR is deniability, which I probably don't understand very well. They do not employ digital signatures that would certify messages were from you outside of your current session. This is considered good, I think so that people cannot be held strictly responsible for forged messages purporting to be from them: hence deniability. I can see applications for it, but I think that, while I appreciate the privacy of encryption, I don't necessarily want deniability. I am generally responsible for what I do and say.

Secrets

Biometrics are unique identifiers, but they are not secrets - Bruce Schneier

I have generally felt the same way. I am scared that so many people push towards biometrics in place of passwords. Not that passwords are great.

Victory is Mine

So, I can finally use synergy securely in Thornbrough now.

install synergy

I need to install synergy. However, I'm a mere user on Ubuntu Feisty, and I can't compile it. Compilation complains about a missing Xtst library, which is present in a fashion, and which I can persuade it through any means known to me to detect it. However, it's not very necessary, as I can download the .deb via http://packages.ubuntu.com and use dpkg -x to extract it into my $HOME/local. Yay.

configure synergy

This was simple. I copied the example configure file I had extracted to $HOME/.synergy.conf and set the right hostnames.

secure it

The synergy website recommends, on the clients, forwarding the server's port locally to the synergy server host via SSH, and then connecting the client to the server 'locally' (the traffic of which is all sent encrypted over the wire/air).

ssh -f -N -L 24800:server-hostname:24800 server-hostname

That's a great idea, except that the machines here don't have sshd installed. Consequently, I can't log into the synergy server host to forward the port.

install sshd

Alright, back to packages.ubuntu.com, download openssh-server, and extract it to $HOME/local. Try to run - uh oh, this will require some configuration.

configure sshd

1. sshd re-exec requires execution with an absolute path

   So, first, it needs to be run via its absolute path. Alright, create a wrapper script in $HOME/local/bin to it.

3. /etc/ssh/sshd_config: No such file or directory

   Then, it needs to find a configuration file. Let's add an empty $HOME/local/etc/ssh/sshd_config and pass it as an argument to sshd's -f option in my wrapper script.

4. Could not load host key: /etc/ssh/ssh_host_key
   Could not load host key: /etc/ssh/ssh_host_rsa_key
   Could not load host key: /etc/ssh/ssh_host_dsa_key
   Disabling protocol version 1. Could not load host key
   Privilege separation user sshd does not exist

   Now, there's no host keys found. Alright, let's use ssh-keygen to generate some.

   ssh-keygen -f $HOME/local/etc/ssh/ssh_host_rsa_key

   And specify the file location in the config file.

5. Disabling protocol version 1. Could not load host key
   Privilege separation user sshd does not exist

   Hmm, it's complaining that it can't find one for protocol 1. Let's tell it to use protocol 2.

6. Privilege separation user sshd does not exist

   Can't use privilege separation because of no user sshd, eh? I guess we'll have to do without :( Add another config line.
7. Silent death? Try '-D -e' options.

   Bind to port 22 on 0.0.0.0 failed: Permission denied.
   Cannot bind any address.

   Right, can't bind to port 22 as a stupid user. Well, there's plenty of ports I can bind to (like 3636). Another line in the config.
8. Still fails, '-D -e' again.

   Couldn't create pid file "/var/run/sshd.pid": Permission denied

   Alright, I bet I can change the PID file path in the config - yup, set a new line.
9. Just for the heck of it, let's say yes to PubkeyAuthentication and X11Forwarding, just in case.

run sshd

Finally, everything seems to work. I have to add `-p 3636` to the ssh forwarding statement to ensure it can find the port I'm using for the sshd server. I run sshd with '-D -e' so I can see any errors.

run synergys

Runs as normal on the server host (the one with the keyboard and mouse to be shared)

run synergyc

On the clients (the ones whose keyboards don't matter)

$ ssh -f -N -L 24800:SYNSERVERHOSTNAME:24800 SYNSERVERHOSTNAME -p 3636
$ synergyc -f localhost

For those it might interest, here's my final sshd_config file, mildly censored.

Port 3636
Protocol 2
UsePrivilegeSeparation no
HostKey /path/to/my/ssh_host_rsa_key
X11Forwarding yes
PidFile /path/to/some/user/writable/run/sshd.pid
PubkeyAuthentication yes

And here is my sshd wrapper

#!/bin/sh

$HOME/local/usr/sbin/sshd -e -f $HOME/local/etc/ssh/sshd_config "$@"

For those not in the know, $@ in bash matches arguments I passed to the script. '-e' is to print to stderr rather than the syslog.

TERM: undefined variable

So, I have had issues with scp'ing and sftp'ing into machines that change from csh to bash via .cshrc. The protocols for both SCP and SFTP operate over an SSH shell, so if strange text is delivered to them and they can't handle it, they fail. If the first thing that happens when they SSH into the machine is that the shell underneath changes from csh to bash, they get confused and fail or hang. Consequently, I had added the following code snippet to .cshrc on such machines:

if ("$TERM" != "dumb") then
    exec bash
    exit
endif

However, on one of them, I then see printed to my screen "TERM: Undefined variable". So, I have now updated the .cshrc to check whether it's defined, too:

if ("$?TERM") then
    if ("$TERM" != "dumb") then
        exec bash
        exit
    endif
endif

Yay, better workiness.

On a side note, this does make me happy that I kept the / and /home partitions separate. If it's not the hard drive and I have to re-install an OS at some point, at least that will be simple.

The automatic fsck on boot encountered errors it didn't know how to deal with, so it aborted, dropped me to a recovery shell (thanks Fedora) and asked me to manually do it. So I did. Perhaps the problems here are just from random, anomalous freezes (still going back to open radeon driver) and file system inconsistency due to hard rebooting. Ah well.

I've just lost my panel applets again. A large chunk of launchers, that is. Ah well. It feels ominous. I am otherwise presently rsync'ing my home directory onto my external drive. I obey the methodology outlined by Mike Rubel. It's pretty nice and pleasant to think about. I should replicate it somewhere in case that page ever goes down :)

Essentially, he advocates a methods including the one I use (and trailing slashes are important):

mv backup.3 backup.tmp
mv backup.2 backup.3
mv backup.1 backup.2
mv backup.0 backup.1
rsync -a --delete --link-dest=../backup.1 someSourceDirectory/ backup.0/

Once I have a better storage solution, I think I will go through my computer and 'archive' stuff. That is, I will remove data I rarely use to external storage. While it might impair access to my information, the idea will be that it wasn't anything I was really using, anyway, and that I'll have a cleaner home directory. Also, perhaps I should have a networked file system solution, where I (and I alone) could access my data over the Internets. I wish I knew more about web security in that regard. I have a very patch-work knowledge from a variety of experience. (I am grateful for that one co-op job.)

I suppose I should retire for the night now. I'll note one grievance I have with Blogger, though: I really dislike how it presumes I want implicit <br />s everytime I use a newline in my text, even though for actual publishing I have the option disabled. Tee hee!