Recent blog entries for pipeman

13 Aug 2014 (updated 16 Aug 2014 at 19:01 UTC) »
Configuring smart card login on OS X 10.9

Earlier I documented how to use a Finnish government issued ID card (FINeID) for SSH authentication. As my vacation ended and I had to dig the smart card reader out to SSH to a machine, I remembered that I never quite figured out how to get login authentication to work with the same card. It took a bit of detective work, but it turns out the basic steps are not that complicated. I will only cover the most basic set-up, where you pair one specific smart card with a local account on your computer using the card's public key. A more sophisticated setup is possible for larger organisations.

First, check my previous post and follow the instructions for setting up OpenSC, and verify using pkcs15-tool -k that your card reader and card are working properly.

Then, in case you have Apple IDs associated with your user account, you need to work around a bug in authorizationhost: in System Preferences, go to Users & Groups and select the user you're setting up for smart card login. Remove all associated Apple ID accounts by clicking the "Change…" button next to "Apple ID:" and deleting any entries from the list. Failing to do so may make it impossible to unlock the screen and to unlock System Preferences panes. You can also do this manually with Directory Utility by removing all entries except the one containing the username from the user's RecordName property in the Users directory.

Once that is done, run the following to enable smart card support for logins:

sudo security authorizationdb smartcard enable

Make sure the card is inserted, and list the public key hashes using the OS X built-in command sc_auth:

sc_auth hash

It should output a list similar to this, but with slightly more random hashes:

01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key


Again, it's the todentamis- ja salausavain we're interested in. Now use sc_auth to associate that public key with a user account:

sudo sc_auth accept -u USERNAME -h 01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF


This should be it - when the smart card is initialised, the corresponding user will automatically be selected in the login screen, and instead of prompting for a password it will prompt you for the card's PIN. Note that the card PIN typically defaults to a 4-digit number, but (in the case of a FINeID card) it can be changed to any 4-8 character alphanumeric string using e.g. pkcs15-tool --change-pin. For other cards you can inspect the PIN code constraints using pkcs15-tool --list-pins.
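
As an added example (my own script, not part of the original post), here is a small POSIX shell helper that automates the pairing step with a safety check: it picks the hash for a given key label out of the sc_auth hash listing and refuses to run sc_auth accept unless exactly one well-formed 40-hex-digit hash matched, so a typo cannot pair the account with one of the com.apple.* keys instead of the card's authentication key. The listing inside the script is a constructed sample shaped like the one above; sc_auth and dscl are the OS X tools named in this post, and the assumption that sc_auth accept records the hash in the user's AuthenticationAuthority (used only for the final check) is mine, so verify it on your own system.

```shell
#!/bin/sh
# Added example (not from the original post): select the FINeID
# "todentamis- ja salausavain" hash from `sc_auth hash` output, refuse to
# proceed unless exactly one well-formed hash matched, and only then run the
# `sc_auth accept` pairing command from the post. This guards against pairing
# the account with the wrong key (e.g. one of the com.apple.systemdefault ones).

# Constructed sample, shaped like the listing in the post; on the Mac being
# configured use:  SC_AUTH_OUTPUT="$(sc_auth hash)"
SAMPLE_SC_AUTH_OUTPUT='01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault'

# hash_for_label LISTING LABEL
# Prints the hash whose label (everything after the first space) equals LABEL.
# Fails if no line or more than one line matches, or if the hash is not
# exactly 40 upper-case hex digits (the SHA-1 form sc_auth prints).
hash_for_label() {
    listing="$1"
    label="$2"
    match=$(printf '%s\n' "$listing" | awk -v want="$label" '
        { if (substr($0, length($1) + 2) == want) print $1 }')
    [ -n "$match" ] || { echo "no key labelled '$label' on the card" >&2; return 1; }
    count=$(printf '%s\n' "$match" | awk 'END { print NR }')
    [ "$count" -eq 1 ] || { echo "label '$label' matches $count keys, refusing to guess" >&2; return 1; }
    case "$match" in
        *[!0-9A-F]*) echo "unexpected hash format: $match" >&2; return 1 ;;
    esac
    [ ${#match} -eq 40 ] || { echo "unexpected hash length: $match" >&2; return 1; }
    printf '%s\n' "$match"
}

# pair_card_with_user USER LISTING [LABEL]
# DRY_RUN=1 (the default) only prints the sc_auth command; DRY_RUN=0 runs it
# and then checks that the hash shows up in the user's AuthenticationAuthority
# (assumption: sc_auth accept records the hash there; verify on your system).
pair_card_with_user() {
    user="$1"
    listing="$2"
    label="${3:-todentamis- ja salausavain}"
    h=$(hash_for_label "$listing" "$label") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'sudo sc_auth accept -u %s -h %s\n' "$user" "$h"
        return 0
    fi
    sudo sc_auth accept -u "$user" -h "$h" || return 1
    dscl . -read "/Users/$user" AuthenticationAuthority | grep -q "$h" \
        || { echo "hash not found in AuthenticationAuthority of $user" >&2; return 1; }
}

# Usage with the constructed sample (prints the command; nothing is changed):
pair_card_with_user USERNAME "$SAMPLE_SC_AUTH_OUTPUT"
```

Run it with DRY_RUN=0 and the real listing only on the Mac you are configuring; the dry run is the default so that you can see the exact sc_auth accept command before anything is written to the user record.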

When logging in using a smart card rather than a password, OS X will not be able to unlock your login keychain, since by default it is encrypted with your login password. You can either unlock the keychain manually or change it to be unlocked by your smart card rather than by a password. If you do the latter, your keychain is effectively encrypted with your smart card, so if you lose the card you lose access to your login keychain. It seems that the keychain migration uses your smart card PIN as the new keychain password, so beware that you may actually lower the entropy of the keychain encryption key if your smart card PIN is simpler than your regular password.

If you have FileVault full disk encryption enabled (and you should), OS X will automatically log you in using the password supplied at the FileVault login screen. If you have followed the instructions above, your account will still have a valid password, so you will be logged in automatically, but the system will not be able to unlock your keychain with that password. (It is possible to disable password login entirely by deleting the "ShadowHash" entry in the AuthenticationAuthority record of your user account using Directory Utility; note that this also effectively disables sudo for that user.) To prevent automatic login with FileVault, you can run:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES


More information can be found in Apple's support article HT5989.

If you know French, this blog post contains some more details on configuring smart card authentication on Mavericks.

2 Jul 2014 (updated 7 Jul 2014 at 12:24 UTC) »

SSH authentication using the Finnish electronic ID card (FINEID) on OS X

The government of Finland provides smart card-enabled ID cards to all residents under the FINeID program run by the Population Register Centre (Väestörekisterikeskus). The chip provided is, according to the spec, based on ISO/IEC 7816-15 (also known as PKCS#15), 7816-4 and 7816-8. The open source project OpenSC makes it possible to interact with PKCS#15 cards on a variety of operating systems, including OS X, Linux and Windows.

When I renewed my ID card I became interested in the possibilities this provides, so I ordered a card reader known to work with Macs and installed OpenSC version 0.13. The latest version is 0.14.0, but there are no pre-compiled binaries for OS X, and my own attempts at building it failed quite early.

After installing OpenSC, you'll see something similar to the following message in the system log when inserting the card reader and the card:

2014-07-02 20:11:38,774 com.apple.SecurityServer[17]: reader SCR35xx Smart Card Reader 00 00 inserted token "HENKILOKORTTI" (088f5dfb29f6672f9435db333fc0539bc64f2769) subservice 2 using driver com.apple.tokend.opensc

You can then use the pkcs15-tool command to list available private keys stored on the card:

$ pkcs15-tool -k
Using reader with a card: SCR35xx Smart Card Reader 00 00
Private RSA Key [todentamis- ja salausavain]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:01;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f004b01
Auth ID : 01
ID : 45

Private RSA Key [allekirjoitusavain]
Object Flags : [0x1], private
Usage : [0x200], nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:02;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f0050164b02
Auth ID : 02
ID : 46

Your FINeID card provides you with two certificates and corresponding keys: one for signing and one for authentication and encryption. However, for the purpose of SSH authentication the certificates (and their stated purpose) don't matter; we only care about the corresponding RSA public and private keys, so we can pick either one. You do need to know which one you're using, because they're protected with different PIN codes, provided to you by mail. Above, we can see that the first key, labelled todentamis- ja salausavain, has ID 45 on the card - let's pick that. It happens to be the authentication/encryption key and is protected with PIN1. We then simply need to retrieve its corresponding public key in a format suitable for an OpenSSH authorized_keys file. Luckily pkcs15-tool provides exactly that - just tell it you want the key with ID 45 and pipe the output to pbcopy to place it on your pasteboard.

$ pkcs15-tool --read-ssh-key 45|pbcopy
Using reader with a card: SCR35xx Smart Card Reader 00 00


Open ~/.ssh/authorized_keys on the target computer and paste the contents of your pasteboard on a line of its own.

Next you need to tell your SSH client to defer authentication to your smart card. This is done by using the -I option to ssh to specify the OpenSC PKCS#11 library, like this:

$ ssh -I /usr/lib/opensc-pkcs11.so karin.local
Enter PIN for 'HENKILOKORTTI (perustunnusluku)':
Last login: Wed Jul 2 21:06:33 2014 from otter.local
karin:~ rasmus$

You will be prompted for your PIN - enter PIN1 here, provided that you picked the "todentamis- ja salausavain" key earlier, and you will be logged in. To have ssh always query your ID card, add the following to ~/.ssh/config (add a "Host" section above it to apply it only to one or more specific remote hosts):

PKCS11Provider /usr/lib/opensc-pkcs11.so

That's it! You can now use your Finnish ID card as a hardware authentication token for your SSH logins.
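
As an added example (my own script, not from this post), here is a POSIX shell helper for the authorized_keys step on the target host. Rather than pasting by hand, it validates that the pasted text is exactly one ssh-rsa public key line (the form pkcs15-tool --read-ssh-key prints), skips the key if the same one is already present, and sets the 700/600 permissions that sshd's StrictModes (on by default) requires before it will honour the file at all. The key line inside the script is a constructed sample, not a real FINeID key.

```shell
#!/bin/sh
# Added example (not from the original post): put the key line that
# `pkcs15-tool --read-ssh-key 45` prints into ~/.ssh/authorized_keys on the
# target host the careful way: validate that it really is one OpenSSH RSA
# public key, never add the same key twice, and set the 700/600 permissions
# that sshd's default StrictModes requires before it will honour the file.

# Constructed sample line (not a real FINeID key); on a real system use
#   KEY_LINE="$(pkcs15-tool --read-ssh-key 45)"
SAMPLE_KEY_LINE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0nStRuCt3sNOTAREALKEY+/== fineid-card'

# valid_key_line LINE
# True only for a single line of the form "ssh-rsa <base64 blob> [comment]"
# whose blob begins with the base64 encoding of the "ssh-rsa" type string,
# so a stray shell prompt or a second pasted line is rejected.
valid_key_line() {
    line="$1"
    [ "$(printf '%s\n' "$line" | awk 'END { print NR }')" -eq 1 ] || return 1
    type=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ "$type" = ssh-rsa ] || return 1
    [ -n "$blob" ] || return 1
    case "$blob" in
        AAAAB3NzaC1yc2E*) ;;           # blob encodes the "ssh-rsa" type string
        *) return 1 ;;
    esac
    case "$blob" in
        *[!A-Za-z0-9+/=]*) return 1 ;; # base64 alphabet only
    esac
    return 0
}

# install_authorized_key FILE LINE
# Appends LINE to FILE unless a key with the same type and blob is already
# there (the comment is ignored when comparing). Creates FILE and its
# directory with the permissions sshd expects (StrictModes yes is the default).
install_authorized_key() {
    file="$1"
    line="$2"
    valid_key_line "$line" || { echo "refusing to install malformed key line" >&2; return 1; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    type=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    if awk -v t="$type" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$file"; then
        echo "key already present in $file" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_keys FILE: number of non-empty, non-comment lines, for a quick check
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Usage on the target host (uncomment once the card reader is attached):
# install_authorized_key "$HOME/.ssh/authorized_keys" "$(pkcs15-tool --read-ssh-key 45)"
```

The duplicate check compares only the key type and the base64 blob, so re-running the helper after changing the comment does not leave two copies of the same card key authorised; count_keys gives a quick way to confirm how many keys the file currently grants access to.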

Update: you can apparently also do this using ssh-agent. I haven't tried this yet myself but will update the blog post once I have. Following those instructions seems to put launchd in a very bad state on OS X 10.9.4. I'll investigate a bit more, but until then I recommend against trying ssh-agent with the OpenSC PKCS#11 support.

30 Aug 2012 (updated 30 Aug 2012 at 13:02 UTC) »
Disabling Java in Safari for all users on a Mac

There are a lot of instructions on how to disable Java applets in different web browsers. However, none of the instructions I've seen tackle my situation: in my home we each have our own account, and even though I administer the computer I don't know the passwords of the other accounts, so I can't log in as all the other users and manually uncheck the "Enable Java" check box in Safari's security preferences. Because of that I was looking for a way to do it automatically for all users, and this is what I came up with:

# become root
sudo -s

# exit all instances of Safari
killall Safari

# wait for Safari to exit (poll once a second instead of spinning)
while ps axc|grep -q Safari ; do echo "waiting..." ; sleep 1 ; done

# for all users that have a Safari prefs file, set the appropriate keys to "false"
# paste the following all in one go
dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \
done



That's it!

Caveats:
  • This will only change Safari's preferences (we use Safari at home, with Firefox reserved for sites that require Java or Flash)
  • This will only change Safari's preferences if the user has launched Safari at least once
  • While I have tested this in Mountain Lion (10.8.1) and Lion (10.7.4), I can't make any guarantees as to whether it'll work in your particular environment. Worst case it may reset your Safari preferences to default. Always have backups. :-)

If you want to disable all plug-ins as well as Java, something I recommend, run this instead as the last step:


dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java and all plug-ins for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled \
WebKitPluginsEnabled com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \
done



Top shell commands on my home computer as of today:


$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
88 git
76 cd
74 ls
34 sudo
21 ssh
18 du
14 cat
13 ps
13 mdfind
12 open

Retesting

Almost five years ago I took this test, and it classified me as Amiga OS - now I took the same test again and came up as OS X. It would be interesting to see what has changed in more detail; I couldn't figure out any questions that I definitely would have answered differently five years ago.

You are OS X. You tend to be fashionable and clever despite 
being a bit transparent.  Now that you've reached some stability you're 
expecting greater popularity.
Which OS are You?

What has changed in the last five years, however, is that I run OS X on most of my computers. Back then, I had Windows 2000 on my desktop computer (with coLinux for development), and Windows XP (I think) on my laptop. I do have a W2K VM on my home Mac (mostly used for getting disappointed at SF Anytime, a local video-on-demand service that requires Windows (and lately, newer Windows than Windows 2000)), and at work I keep a spare hard disk that I plug in when I need to do things that require Windows (some of the bureaucracy tools require IE, among other things), but about 80% of my time is spent in OS X and 19% in Linux (although it depends on how you count; I'm pretty much always logged in to my home Linux server (a small fanless VIA x86 with a flash disk), for example, and similarly always using a handful of Linux servers at work where, among other things, our testing infrastructure is largely Linux-based, even the parts that run automated tests on Mac OS X (which in itself is an interesting topic for another talk or blog post)).

In a Dream

Reading about Juha's dream reminded me of my own from a couple of nights back.

In the beginning it was a bit like a bad re-make of BSG. We were heading for a destination of unknown location, on a big Battlestar-esque space ship. Somehow magically me and some other dude were on a smaller ferry ship, travelling through some worm-hole-like tunnel that was made out of metal. We landed on some unknown planet, with grass and stone plates laid out in paths on the ground. We followed one of the paths and ended up in a candy store. A girl worked in the candy store. I noticed that they had Ahlgrens Bilar, a typical Swedish candy, which I found odd for what was presumably an extrasolar planet. I commented to the shopkeeper girl that I liked that candy, and she replied that she had never tasted it, and went to do so. Soon she had eaten all of it, delighted by its taste. I was a bit sad that I got none myself. I also found it odd that they accepted Earth currency and credit cards, and I noticed that she had received mail from Earth, with postage stamps from some Earth country. I even think she had a phone connected to the Earth GSM network. I asked her about it, and she explained that she was part of an intergalactic conspiracy, where her kind had infiltrated all layers of society in, among other worlds, Earth, like in Fight Club but with no malicious intent. Instead it was just a practical thing to be able to communicate and trade intergalactically, also in worlds that were not intergalactically aware yet. I don't remember her name exactly, but I remember her telling me that if someone wanted to mail her from Earth, all they had to do was address the envelope to "Her name with-the-Hat" and people of her kind at the post office would make sure that it made its way to her little candy shop in a completely different part of the galaxy.

shell history statistics

Following sti's shell history meme, here are some meaningless shell history statistics from my home computers. (By the way - I would've done that one-liner like this: history | awk '{print $2}' | sort |uniq -c | sort -rn|head - two more pipelines out of habit.)

My home Mac:


$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
127 ssh
52 ls
45 ping
32 cd
26 sudo
13 open
12 mount
10 top
10 cat
9 df

Surprise: mount - turns out I often use mount without parameters to see which device a newly attached hard disk appears at.

My Linux gateway box:


$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
47 ls
40 cd
39 screen
38 sudo
24 ps
20 w
19 ping
17 mount
15 cat
14 tuxgdg

No surprises, really - I mostly use this box for IRC in a screen session - but lately also for playing with my Tux Droid, hence tuxgdg.

My work laptop (Linux):


$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
92 sudo
76 ssh
41 echo
38 ping
31 ipsec
22 tail
22 cd
21 ls
16 cat
14 vi

This computer is mostly used for remotely connecting to the work VPN (hence ipsec), and through that connecting to work servers using SSH, and the rest is done through Gnome or a web browser.

ping appears everywhere, most likely because my ISP is quite unstable at times. Also, I'm more vi than I thought.

The Big Bang Theory

I started watching The Big Bang Theory, a TV series centred around a few geeks and a hot girl. It's quite humorous at times, and quite stereotypical all the time. In the second episode, they are trying to assemble an IKEA media centre piece and one of the guys says "this is why Sweden has no space program". Of course, as the resident expatriate Swede I have to set the record straight: Sweden has had a space program for 35 years (if not even longer). It's certainly not big or anything, but at least it's something. :-) Nowadays they're even dabbling with commercial space flight - we'll see how that turns out.

26 Oct 2007 (updated 26 Oct 2007 at 13:20 UTC) »
Mac essentials

A friend of mine has been bugging me to compile a list of Mac software so that he can start using his own Mac properly. So I thought I'd just jot down a few programs that I find make life with a Mac bearable, in no particular order.

  • Adium X is the most elegant instant messaging software ever. Comes with Growl integration, of course.
  • For web browsing, Safari 3 is very usable and has all the essential features I need, including tabbed browsing and type-as-you-find (Mac style) plus some other neat goodies such as a sweet DOM inspector and universally resizable text fields (so that I don't have to put up with Advogato's very very small textarea for writing this blog post), although I still have Firefox lying around for stupid sites that won't work with Safari (Gmail's chat, for example).
  • For Safari: Inquisitor turns the Safari search field into a real-time search/suggestion thingy
  • Also for Safari, be sure to install GrowlSafari to get Growl integration with Safari. This, for example, lets me have important RSS feeds in the bookmark bar, and get Growl notifications when they are updated
  • VLC for watching videos
  • QuickTime XviD Component - so that you can watch those downl^H^H^H^H^Hmovies ripped from legally obtained DVDs, in Front Row (tip: Front Row follows symlinks; so if you download your movies to a location - say /Volumes/BigDisk - other than ~/Movies, just ln -s /Volumes/BigDisk ~/Movies/ and you'll be able to navigate to them in Front Row)
  • On the same theme, you'll also most likely need A52Codec to get some audio stimuli from those movies as well
  • For BitTorrent, I use Azureus (with the classic UI). Yes, it is a resource hog, but it is also very feature-rich. In Azureus, I use the plugin RSSFeed Scanner to subscribe to RSS feeds with interesting torrents, so it will generally download everything I'm interested in automatically.
  • QuickSilver is another integral part of any modern Mac. It lets you launch applications with just Ctrl-Space and the first few letters of the application name. Sleek and handy. It can also do a gazillion other things that I've never bothered to learn about.
  • Growl is one of these tiny additions that just extends OS X in a natural way. In itself it doesn't do much, but it gives other applications a method of giving notifications of important events in an elegant way.
  • If you, like me, use last.fm a lot, then you will want iScrobbler, which is a bit more lightweight than the official last.fm client. It also gives you neat Growl integration with iTunes.
  • For the UNIX and Linux inclined, there is of course a whole world of good stuff. A good start is to install the X11 application that comes with Mac OS X, and then install Fink or MacPorts (personally, I prefer Fink because of apt-get goodness).
  • Google Earth is a good time waster (but why isn't there a full screen mode?)
  • For coding I use Aquamacs Emacs - however, since I moved over from my old PPC Mac Mini to a new Intel iMac, it refuses to shut down properly, so I have to kill -9 it manually. I have yet to investigate it, though, since normally, once I launch Emacs, it stays up until it's time to reboot the computer some week later.
  • To keep track of my computer resource usage, I use MenuMeters
  • To keep track of my computer's IP address, I use DynDNS and the corresponding DynDNS Dashboard widget
  • For backup, I've used Jungle Disk and Amazon S3, although I am currently considering other options due to a few bugs in the exclusion logic in the Jungle Disk backup feature

Those were the ones I could come up with off the top of my head. Naturally I have lots of other programs installed (hundreds of them being regular Unix tools coming from Fink, such as ethereal, nmap and tcpdump for network monitoring and troubleshooting), but these are the most important ones. The only game I play is basically the old Command & Conquer Generals, which Aspyr was nice enough to release an Intel update for, so it also plays nicely on my new iMac. Most of my time is spent in OS X's own Terminal application, running irssi or messing around with shell scripts or other coding stuff (another tip: command-double-click on a URL in Terminal opens it in a browser).

8 Jul 2007 (updated 8 Jul 2007 at 03:45 UTC) »
Vacation mac-on-mac-on-linux

My vacation has started. Of course, that means sitting up all night getting red-eyed making random hacks. Pretty much the same stuff as usual, that is.

I've found myself booting into Linux on my Mac at home more often nowadays. Ubuntu 7.04 does quite a good job on my PPC Mac Mini. I noticed that IBM has a JDK for PPC - and it was even available in some repository through apt. My two biggest annoyances to date: Flash, and no Compiz or Beryl. The open-source Flash implementation, which is what you'll have to live with if you're on PPC (Macromedia hasn't released a PPC version of their own player), can't play YouTube videos (which is possibly the most important job for Flash on my computer) and seems to crash the browser occasionally. Also, web sites that try to figure out whether you have Flash installed tend to think that you don't. As to Compiz/Beryl, I've become so used to having wobbling windows at work that when I sit at a Linux desktop without any desktop effects, it feels all stiff and, well, boring. It's like rounded corners: it just makes things feel more natural. I did in fact get some wobbliness out of SUSE 10.1 for PPC; however, the graphics drivers were pretty messy and my screen ended up with the colours inverted. I eventually gave up, after many hours of X configuration file editing.

Another annoyance is the lack of write support for journaled HFS+ filesystems, which is what most of my disks are formatted with. I haven't yet figured out a good filesystem that works reliably in both Linux and Mac. I have lots of media files that I want to access from both environments, and that doesn't work out too well. Now, I haven't checked up on the ext2/ext3 support in Mac OS for a few months, but last time I checked there was an ext2 filesystem driver for OS X that worked OK, except that it often seemed to fail to unmount the filesystem cleanly and then refused to mount it on subsequent reboots (as it was dirty and there was no fsck). For now, I've been using HFS+ for my big media disk - I can at least safely read from it - we'll see if I totally mess it up if I try writing to it. For my portable hard disk, I've even used NTFS (since I need to mount it in Windows and it needs to store virtual machine images of several gigabytes, so FAT32 is a no-go) and when needed used ntfs-3g to mount it in both Linux and OS X. Very slow, but it works for dropping files back and forth.
