Category Archives: Linux and OSS hints

Applied Crypto Hardening Handbook Update published

Some good friends were involved here, and their work is so much appreciated! 

Applied Crypto Hardening: bettercrypto.org

“This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.”

Markus’ Linux Tips: Pssh – Parallel SSH execution

Honestly, I never spent much effort in automating my home network. No salt or containers involved, only three machines with desktops around. ATM they all run openSUSE Tumbleweed, simply because I don’t want to re-install or do OS upgrades anymore and I want to have all the new stuff asap. With SUSE’s build service the quality of that “rolling release” Tumbleweed has become overwhelming to me; hardly ever do I see a problem that prevents me from working and/or stays longer than a few days.

Downside of that is: I get some hundreds of megabytes of updates each week. Even though I have had good experiences with auto-updates through YaST, I still sometimes feel better launching the zypper command myself and watching what happens. So I did what my dear lady called “semiautomatic system management” … :-):

I like to play with shell tools, and that’s how I found pssh. I installed the tiny CLI tool that allows running a command on several machines at the same time, and added it to my local aliases. Are you confused already? Ok, here are the five steps:

Step 1: Install Pssh, e.g. with “zypper in pssh”.

A quick “man pssh” shows you the options the little tool can offer.

Step 2: Create a local file with the list of hosts that you want to update. Its content should simply be one host(name) or IP per line, like my ~/.pssh:
office
sleepingroom
livingroom
Step 3: Copy your ssh key to the machines involved (“ssh-copy-id” is your friend) and test the login with ssh.
Step 4 (optional): I prefer to have the output of my commands in a separate “log” folder (under ~/Temp) – and that needs to be created.
Step 5: I added the line

alias zypdup="pssh -h ~/.pssh -l root -o ~/Temp/pssh 'zypper dup -y -l --allow-vendor-change'"

to the .bashrc file in my home directory. The double quotes wrap the whole alias, the single quotes keep the zypper command together as one argument for pssh, and the host file is given as ~/.pssh because a bare “-h .pssh” only works while the shell’s current directory is your home. That way, the simple command “zypdup” will update the three machines at home, answer yes to all questions (-y), accept all licenses (-l) and allow vendor changes from Packman/VLC and back to the openSUSE repositories. To be precise, “zypdup” will be recognized the next time the shell loads the aliases (like after a “. ~/.bashrc”).

That’s it. But let’s have another quick look at the command: “pssh -h ~/.pssh -l root -o ~/Temp/pssh” takes the hosts from the file given with -h, logs in as “root” on each of them and writes each host’s standard output to a file in “~/Temp/pssh” named after the host (standard error is only stored if you also pass “-e DIR”).

Thus, in a perfect world, all my three systems are on the same patch level / upgrade status.

Disclaimer: I know that options like “-y … –allow-vendor-change” may cause trouble, but after five years of Tumbleweed, Build Service, Snapper and SUSE in general, I’ve become pretty daring – there were no problems so far. Your mileage may vary, though. If you’re unsure about the consequences, better don’t follow me. 🙂

UPDATE: After a few weeks I learned that I need to add “-t 0” (or another reasonable timeout value in seconds) to my alias. Updates with zypper usually take some time and depend heavily on bandwidth and such, thus I can’t, or couldn’t, come up with a reasonable value (yet). 🙂
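The five steps plus the “-t 0” update, as an added example in my own shell (this is not the post’s alias and not code from the pssh project): a sourceable script that runs the upgrade and afterwards evaluates pssh’s own per-host result lines, which pssh prints to its standard output in the form “[n] time [SUCCESS] host” or “[n] time [FAILURE] host reason” and which the -o/-e files do not contain. It assumes pssh is installed, ~/.pssh lists one host per line and root can log in on every host with your ssh key; pssh’s default per-host timeout is 60 seconds, which “-t 0” switches off. The function names zypdup and failed_hosts and the out/err/summary layout under ~/Temp/pssh are my own choices.

```shell
#!/bin/sh
# Added example, not the original post's alias: the five steps above as a
# small script, with the "-t 0" fix from the update already applied and a
# check of pssh's per-host result lines afterwards.
# Assumptions: pssh is installed, ~/.pssh lists one host per line, root can
# log in on each host with your ssh key. Function names are my own.

HOSTFILE="${HOSTFILE:-$HOME/.pssh}"
LOGDIR="${LOGDIR:-$HOME/Temp/pssh}"

# Run "zypper dup" on every host in $HOSTFILE.
#  -l root    log in as root (the upgrade needs it)
#  -t 0       disable pssh's per-host timeout (60 s by default); a
#             distribution upgrade easily takes longer
#  -o/-e DIR  one stdout/stderr file per host, named after the host
# pssh itself prints one "[n] time [SUCCESS|FAILURE] host ..." line per
# host; that is kept in $LOGDIR/summary and evaluated below.
zypdup() {
    mkdir -p "$LOGDIR/out" "$LOGDIR/err"
    pssh -h "$HOSTFILE" -l root -t 0 -o "$LOGDIR/out" -e "$LOGDIR/err" \
        'zypper dup -y -l --allow-vendor-change' | tee "$LOGDIR/summary"
    failed=$(failed_hosts "$LOGDIR/summary")
    if [ -n "$failed" ]; then
        printf 'upgrade did NOT finish on:\n%s\nsee %s/err/<host>\n' \
            "$failed" "$LOGDIR" >&2
        return 1
    fi
}

# Print the host name of every [FAILURE] line in a pssh summary, one per
# line, so a non-empty result means the machines are not on the same patch
# level. A constructed summary (not real pssh output) looks like:
#   [1] 10:02:13 [SUCCESS] office
#   [2] 10:05:40 [FAILURE] livingroom Exited with error code 4
#   [3] 10:05:41 [FAILURE] sleepingroom Timed out, Killed by signal 9
failed_hosts() {
    awk '$3 == "[FAILURE]" { print $4 }' "$1"
}
```

Usage: “. ./zypdup.sh; zypdup”. One thing the alias hides: with “-l root” a single stolen or copied key gives root on all three machines at once, so the key should be passphrase-protected (or live in an agent) and sshd on the targets only needs “PermitRootLogin prohibit-password”, not full root password logins.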

Quick PDF conversion with convert blocked? [Solved]

Very recently I had to convert a PDF (i.e. concatenate three PDFs into one file) and I was blocked for security reasons. 

convert *pdf complete.pdf normally appends the PDFs it finds, in the alphabetical order the shell expands the glob in, into complete.pdf (mind that *pdf also matches an already existing complete.pdf, so delete or rename that first).

But not this time: 

“convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.”

Googling helped, as it often does, and I found this hint at [Imagemagick security policy ‘PDF’ blocking conversion – Stack Overflow] … :

“Well, I added

  <policy domain="coder" rights="read | write" pattern="PDF" />

just before </policymap> in /etc/ImageMagick-7/policy.xml and that makes it work again, but not sure about the security implications of that.”

A comment says that this was due to a Ghostscript vulnerability, but new gs versions are fine. Let’s hope that’s true…:-)
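For the policy change itself, here is an added example in my own shell (not the post’s edit and not code from the ImageMagick project) that reads and sets the PDF coder’s rights in policy.xml instead of editing it by hand. It assumes the ImageMagick 7 layout (/etc/ImageMagick-7/policy.xml with a <policymap> root element) and the distribution style of one rule per line with pattern="PDF"; commented-out rules are ignored, and the names pdf_rule, pdf_rights and set_pdf_rights are my own. The caveat the Stack Overflow answer leaves open: policy.xml is host-wide, so granting the PDF coder rights lets every program that calls ImageMagick on that machine hand PDFs to the Ghostscript delegate, including anything that processes files from strangers. Grant only “read” if you never write PDFs, and keep Ghostscript updated, which is what the comment above relies on.

```shell
#!/bin/sh
# Added example, not the original post's or ImageMagick's code: read and
# change the PDF coder rule in an ImageMagick policy.xml without hand-editing.
# Assumptions: ImageMagick 7 layout (/etc/ImageMagick-7/policy.xml, root
# element <policymap>), one rule per line with pattern="PDF"; rules that are
# commented out (<!-- ... -->) are ignored. Function names are my own.

POLICY="${POLICY:-/etc/ImageMagick-7/policy.xml}"

# Print the active <policy domain="coder" ... pattern="PDF"> line, if any.
pdf_rule() {
    grep -E '^[[:space:]]*<policy[^>]*domain="coder"[^>]*pattern="PDF"' "$1"
}

# Print the rights the PDF coder currently has: "none" means convert is
# blocked exactly as in the error above; empty output means there is no PDF
# rule at all.
pdf_rights() {
    pdf_rule "$1" | sed -n 's/.*rights="\([^"]*\)".*/\1/p'
}

# Set the PDF coder's rights ("read" to only rasterize PDFs, "read | write"
# to also produce them, "none" to block again). Rewrites the existing rule
# or, if there is none, inserts one just before </policymap>. Keeps a .bak
# copy of the file so the change can be reverted.
set_pdf_rights() {
    file=$1 rights=$2 tmp="$1.tmp.$$"
    cp -p "$file" "$file.bak"
    if [ -n "$(pdf_rule "$file")" ]; then
        sed -E "/^[[:space:]]*<policy[^>]*domain=\"coder\"[^>]*pattern=\"PDF\"/ s/rights=\"[^\"]*\"/rights=\"$rights\"/" \
            "$file" > "$tmp"
    else
        sed "/^[[:space:]]*<\/policymap>/i\\
\\  <policy domain=\"coder\" rights=\"$rights\" pattern=\"PDF\" />" "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}
```

Usage, as root: “. ./policy.sh; pdf_rights "$POLICY"” shows the current state, “set_pdf_rights "$POLICY" "read | write"” applies the change from the answer above, and “set_pdf_rights "$POLICY" none” blocks PDF again once the PDFs are concatenated; “convert -list policy” shows what ImageMagick actually loaded.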

Update: 

Since the convert process resulted in bad quality (after I applied the changes above), I had to do some more homework and play with the values of this convert command: 

convert -density 200 -trim [Input_PDF_Files]* -quality 50 output.pdf

The order matters here: -density 200 has to come before the input files, because it sets the resolution at which Ghostscript rasterizes each PDF page as it is read, while -quality 50 controls the compression of the page images written into output.pdf.

In my setup, that ends up with decent quality but 2.5 MByte per page.