Encrypt disk using truecrypt

1. Create the key file to be used for encrypting the disk:

truecrypt --create-keyfile \
--random-source=/dev/urandom \
/etc/tc-keyfile

2. Change permissions on the key file:

chmod 600 /etc/tc-keyfile

3. Encrypt the disk with the AES/SHA-512 encryption scheme. This may take a long time (hours) for larger disks, especially if a chained (cascade) encryption scheme such as AES-Twofish-Serpent is used:

truecrypt --filesystem=none \
--volume-type=normal \
--encryption=AES \
--hash=SHA-512 \
--random-source=/dev/urandom \
--keyfiles=/etc/tc-keyfile \
--password="" \
--create /dev/disk/by-id/[YOUR_DISK_ID_HERE]

4. Mount the encrypted disk: no defined filesystem, no password, the pre-created key file, slot 2 (which maps the disk to /dev/mapper/truecrypt2):

truecrypt \
--mount \
--filesystem=none \
--password="" \
--keyfiles=/etc/tc-keyfile \
--protect-hidden=no \
--slot=2 \
/dev/disk/by-id/[YOUR_DISK_ID_HERE]

5. List encrypted disks:

truecrypt --list

This should produce output similar to the following:

2: /dev/disk/by-id/ABC /dev/mapper/truecrypt2 -

Mount truecrypt-encrypted disks at startup (Ubuntu)

Prerequisites:

1. Truecrypt is installed on the target machine. See http://www.truecrypt.org
2. An encrypted disk was created using truecrypt. See the "Encrypt disk using truecrypt" section above.
3. Commands are run under the root shell (sudo -s).

Steps:

1. Create the following script, save it to /etc/init.d/tc.sh, and make it executable (chmod +x /etc/init.d/tc.sh). The script assumes the following:

  • the encrypted disk device is /dev/sdX (replace with your own); it is better to use a /dev/disk/by-id link, as it keeps working if the BIOS disk order changes at some point, e.g. when a new hard drive is added to the system
  • the disk is to be mounted into slot number 1 (and will therefore be exposed to the OS as /dev/mapper/truecrypt1)
  • the disk is not formatted with a particular filesystem (this is useful when you would like to use some “exotic” file system which truecrypt does not natively support, e.g. ZFS)
  • the disk is secured with a key file rather than a password; the script expects the key file at /etc/tc.key

#!/bin/sh
# Mount and unmount truecrypt-encrypted disks and partitions at boot and shutdown.
#
### BEGIN INIT INFO
# Provides: tc
# Required-Start: $remote_fs $syslog $time
# Required-Stop: $remote_fs $syslog $time
# Default-Start: 2 3 4 5
# Default-Stop: 1
# Short-Description: Encrypted disk volume support
# Description: tc provides support for mounting
# encrypted disks and disk volumes
### END INIT INFO

TC_DEVICE="/dev/sdX"        # encrypted disk; prefer a /dev/disk/by-id link
TC_SLOT_NUMBER=1            # exposed as /dev/mapper/truecrypt$TC_SLOT_NUMBER
TC_KEYFILE="/etc/tc.key"    # key file created with truecrypt --create-keyfile

# Nothing to do if truecrypt is not installed.
test -x /usr/bin/truecrypt || exit 0
. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Mounting disk volumes" "tc"
    echo
    truecrypt \
      --filesystem=none \
      --password="" \
      --keyfiles="$TC_KEYFILE" \
      --slot="$TC_SLOT_NUMBER" \
      --protect-hidden=no \
      --mount "$TC_DEVICE"
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Unmounting disk volumes" "tc"
    echo
    truecrypt --dismount "$TC_DEVICE"
    log_end_msg $?
    ;;
  *)
    log_action_msg "Usage: /etc/init.d/tc.sh {start|stop}"
    exit 2
    ;;
esac
exit 0

2. Install the startup script using the update-rc.d command. The command below adds tc to be started at runlevels 2, 3, 4, 5 and stopped at runlevels 1 and 6. When starting, the priority 10 ensures that the encrypted disk is mounted before other startup services are run (such as ZFS mounts). When stopping at runlevels 1 and 6, the priority 90 ensures that the encrypted disk is dismounted after all other filesystems are dismounted.

cd /etc/init.d
update-rc.d tc defaults 10 90

3. Test the script:

service tc start

This should mount the encrypted disk and make it available under /dev/mapper/truecrypt1. Verify by running the command:

truecrypt --list

This should produce output similar to the following:

1: /dev/sdX /dev/mapper/truecrypt1 -

Test the script/service by rebooting the machine and ensuring that the encrypted disks survive the hard reboot.
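The verification in step 3 (and in step 5 of the encryption section) compares the truecrypt --list output by eye. As an added example that is not part of the original page, the following shell function parses that listing to confirm a device is mapped in the expected slot, which makes a handy check after the init script runs; it assumes the four-field line layout shown above, and SAMPLE_LIST is constructed test data.

```shell
#!/bin/sh
# Confirm from "truecrypt --list" that DEVICE is mapped in slot SLOT, i.e. at
# /dev/mapper/truecrypt<SLOT>. Each listing line is assumed to have the form
# "<slot>: <device> <mapper device> <mount point or ->".
# A third argument supplies listing text directly (used for testing); otherwise
# the function runs "truecrypt --list" itself.
tc_check_slot() {
    slot="$1"
    device="$2"
    if [ $# -ge 3 ]; then
        listing="$3"
    else
        listing=$(truecrypt --list 2>/dev/null) || { echo "truecrypt --list failed"; return 1; }
    fi
    printf '%s\n' "$listing" | awk -v slot="$slot" -v dev="$device" '
        # remember the slot number and mapper path of the device we are looking for
        $2 == dev { sub(/:$/, "", $1); actual = $1; mapper = $3 }
        END {
            if (actual == "") { print dev " is not mounted"; exit 1 }
            if (actual != slot) { print dev " is in slot " actual ", expected " slot; exit 1 }
            if (mapper != ("/dev/mapper/truecrypt" slot)) { print "unexpected mapping " mapper; exit 1 }
            print dev " is mapped to " mapper
            exit 0
        }'
}

# Constructed sample listing in the format shown above (not real output).
SAMPLE_LIST='1: /dev/sdX /dev/mapper/truecrypt1 -
2: /dev/disk/by-id/ABC /dev/mapper/truecrypt2 -'
```

Run as `tc_check_slot 1 /dev/sdX` on the live system; a non-zero exit with the printed reason is the signal to investigate before anything depending on the volume (such as ZFS) starts.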

Setup SSH Key-Based Authentication on Ubuntu

1. Download the putty and puttygen utilities from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. I like to place these executables under my c:\Windows\system32 directory, so that they are available in the command prompt without additional PATH configuration.
2. Start puttygen and generate a new keypair. I prefer to use an SSH-2 RSA 4096-bit key. Click the Generate button and move your mouse around to generate some randomness. Save the private key; you will use it when configuring putty to connect to your Ubuntu box.
3. Copy the public key from the textbox titled "Public key for pasting into OpenSSH authorized_keys file".
4. Start putty and connect to your Ubuntu box using a username and password.
5. On the Ubuntu box, create the .ssh directory under your home directory:
mkdir ~/.ssh
6. Set the correct permissions:
chmod 700 ~/.ssh
7. Create the authorized_keys file:
nano ~/.ssh/authorized_keys
8. Paste the public key (the one generated by puttygen), save the file (Ctrl+O), and exit (Ctrl+X).
9. Set the correct permissions for the authorized_keys file:
chmod 600 ~/.ssh/authorized_keys
10. Verify that OpenSSH is configured to look for the authorized_keys file in the home directory; sometimes it is set to look for authorized_keys2, etc. To inspect the OpenSSH service configuration, you need sudo access:
sudo nano /etc/ssh/sshd_config
11. Look for the line AuthorizedKeysFile %h/.ssh/authorized_keys; it is usually commented out, so un-comment it. Save the configuration file (Ctrl+O) and exit (Ctrl+X). Note that %h expands to the user's home directory.
12. Restart OpenSSH service:
sudo service ssh restart
13. Back on the Windows machine, configure putty to use the private key generated in step 2. Start putty and change the following settings:
* Under Session, enter the hostname as [yourusername]@[yourubuntuhostname], e.g. user1@server1.
* Under Connection->SSH->Auth->Private Key for Authentication, browse to select the private key file you generated in Step 2.
* Customize appearance under Window (columns, rows, number of lines to scrollback); this is optional.
* Under Session->Saved Sessions, give a session name and click the Save button.
14. Now from the command prompt, you can start putty with a session name to automatically login to your Ubuntu box with the private key authentication option:
putty -load [yoursessionname]
15. Create a small bat/cmd file "ssh-to-myserver.cmd" and paste the following inside:
@echo off
putty -load [yoursessionname]
Now you can just double-click on the cmd file, and it will launch putty.
16. In order to convert the puttygen private key into an OpenSSH private key, load the private key into puttygen and use the Conversion->Export as OpenSSH option to save the ssh id file. Then you can use this file as the IdentityFile option in your ssh configuration.
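
Steps 5 to 9 are easy to get subtly wrong (a stray chmod and sshd silently ignores the key). As an added example that is not part of the original post, the following shell functions perform those steps idempotently and verify the layout sshd's default StrictModes requires; the home directory path and the public-key line are the only inputs, and the test key below is constructed.

```shell
#!/bin/sh
# Steps 5-9 as one idempotent function: create ~/.ssh and authorized_keys with
# the modes sshd requires, and append the key only if it is not already there.
# HOME_DIR is the account's home directory, PUBKEY the single line copied from puttygen.
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    dir="$home_dir/.ssh"
    file="$dir/authorized_keys"
    # accept only one OpenSSH public-key line: key type, base64 blob, optional comment
    printf '%s\n' "$pubkey" \
        | grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "not an OpenSSH public key line" >&2; return 1; }
    # umask in a subshell so the new files are never group/world readable, even briefly
    ( umask 077 && mkdir -p "$dir" && touch "$file" ) || return 1
    chmod 700 "$dir" && chmod 600 "$file" || return 1
    grep -qxF -- "$pubkey" "$file" || printf '%s\n' "$pubkey" >> "$file"
}

# Check the layout sshd expects; prints the first problem found and returns 1.
check_authorized_keys() {
    home_dir="$1"
    dir="$home_dir/.ssh"
    file="$dir/authorized_keys"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ -f "$file" ] || { echo "missing $file"; return 1; }
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir must be mode 700"; return 1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file must be mode 600"; return 1; }
    # with StrictModes, sshd also rejects a home directory writable by group or others
    case "$(stat -c %a "$home_dir")" in
        *[2367][0-7]|*[2367]) echo "$home_dir is group- or world-writable"; return 1 ;;
    esac
    return 0
}
```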

Troubleshooting:

If your Ubuntu server keeps asking you for a password, you can run the OpenSSH service in debug mode, which produces a lot of output and can help pinpoint the problem:
1. Stop the OpenSSH service on your Ubuntu box:
sudo service ssh stop
2. Start the OpenSSH service in debug mode (it will log the verbose output to the console):
/usr/sbin/sshd -d
3. Attempt to connect again with a private key (using putty) and watch the output in the Ubuntu console for any error messages.

zfs pool recovery after /dev/sdX disk names changed

I recently ran into this problem with ZFS:

1. I made a mistake by creating a zfs pool using /dev/sdX device names (rather than /dev/disk/by-uuid).
2. After the Ubuntu upgrade from Ubuntu 11.10 to Ubuntu 12.04, the hard drive device numbering, i.e. sda, sdb, etc., changed. Needless to say, the zfs pool did not work anymore.

The solution was to run:

zpool import -d /dev/disk/by-id

and then run zpool import [zpoolname] by name, as instructed by zfs.

If this does not resolve the issue, try to export the zpool and re-import it using the /dev/disk/by-id configuration, e.g.

zpool export [zpoolname]
zpool import -f -d /dev/disk/by-id [zpoolname]

Disable sudo password entry for admin accounts in Ubuntu

By default, Ubuntu prompts administrative users for their password when they run the sudo command in the terminal. For users who already have sudo privileges (and are already authenticated), this additional password entry is rather annoying, especially in development environments. To disable the sudo password check in Ubuntu, add the following line to your /etc/sudoers file:

myadminuser ALL=(ALL) NOPASSWD: ALL

Connecting to EC2 Linux Instance Using Putty

In order to configure an ssh (or putty) connection to a running Amazon Web Services (AWS) instance, do the following:

1. Note (or write down) the key pair name of the instance; you must have its private key (*.pem) downloaded to your local computer.
2. Note the public DNS address of the running Amazon instance (ec2-AAA-AA-AA-AAA.compute-1.amazonaws.com)
3. Configure your AWS security group to allow connections on port 22. I use the “default” security group, so I modified it to allow connections on port 22 from any IP. You can limit the allowed IP addresses for more security, or you may choose to reconfigure your AMI instance to run the ssh server on a port other than 22.
4. Start the instance using Amazon Web Services (AWS) console.

The next set of steps is performed on your local computer (the one used to connect to the remote Amazon instance).

5. Start puttygen.exe.
6. Click on the “Load” button and select the private key file (*.pem). Putty filters for the *.ppk file extension by default, so you will need to set the file filter to *.* to select the file.
7. Once the private key is imported, you will get a confirmation message.
8. Click on the “Save private key” button to convert the Amazon private key (*.pem file format) into the putty format (*.ppk). You will be prompted for the location to save the file to; save it and note the location (typically, it is your User directory). You may choose not to use a passphrase for the private key, in which case puttygen will ask you to confirm that this is what you want. If you choose to use a passphrase, you will have to enter it every time you use the private key to connect to the AMI remote server; personally, I chose not to use it, so that I have password-less authentication based on the private key stored on my local computer.

Configure putty to use the newly created key:

9. Open putty.exe.
10. Under Connection->SSH->Auth->Private key for authentication, select the key generated by puttygen in steps 4-7 (the *.ppk file).
11. Under Session->Host name (or IP address), type the username@public DNS address (from step 2), e.g. ec2-user@ec2-AAA-AA-AA-AAA.compute-1.amazonaws.com. Please note that “ec2-user” is the default user name for many AMI images, but not for all. For instance, the official Ubuntu images use the “ubuntu” user name, so your Host name entry would be ubuntu@ec2-AAA-AA-AA-AAA.compute-1.amazonaws.com.
12. Save the putty session in the “Saved session” list by specifying the name and clicking on the “Save” button under Sessions (for example, “ec2”).
13. Test your connection: in the command prompt, type “putty ec2-user@ec2-AAA-AA-AA-AAA.compute-1.amazonaws.com” (for official Ubuntu images, the user name is “ubuntu”, e.g. “putty ubuntu@ec2-AAA-AA-AA-AAA.compute-1.amazonaws.com”). Verify that the connection is successful.
14. You can also create a shortcut “bat/cmd” Windows file in order to minimize typing required to start the connection. In my case, I created the file “ec2-connect.cmd” with the following line:
putty -load “ec2”
and saved it in my c:\Windows folder.
15. At the command prompt, I can therefore type “ec2-connect” to automatically start putty and load my profile.

Share ZFS partitions via NFS

ZFS comes with a built-in ability to share ZFS filesystems via NFS without having to use Ubuntu’s nfs-kernel-server. To do so, set the sharenfs=on property on the ZFS filesystem you would like to export. For example, if you want to share the documents filesystem in the u pool via NFS, run the following from the root shell:

zfs set sharenfs=on u/documents

This enables the u/documents filesystem for NFS sharing.
In order to make it available, run the following command (again, from the root shell):

zfs share u/documents

By default, Ubuntu directories get drwxr-xr-x permissions, which means that only the owner of u/documents gets “write” permission, and everyone else gets “read and execute” permission. To give NFS clients “read-write-execute” permissions, run the command:
chmod 777 /u/documents
This way, remote clients get the “write” permission on the documents directory; however, the files or directories created by them remain “read-execute” to anyone else.

To mount the remote NFS filesystem on a client, run the following on a client (from the root shell):

mount -t nfs nfsfileserver:/u/documents /mnt/documents
The nfsfileserver parameter is the IP address or the DNS-resolvable name of the NFS server. The /mnt/documents directory must exist prior to mounting.

When mounting NFS filesystems on Mac OS X, it is important to pass the resvport option, or the NFS mount fails with a “permission denied” error.

mount -t nfs -o resvport nfsfileserver:/u/documents /mnt/documents
For information on how to install ZFS on Ubuntu, please see the following post: Installing ZFS on Ubuntu.

For information on how to configure ZFS pools and partitions on Ubuntu, please see the following post: Configure ZFS-RAIDZ on Ubuntu.

Multiple Versions of Apache Ant on Ubuntu

Ubuntu Linux comes with alternatives – a command-line utility to create and maintain symbolic links to default commands. This utility can be found in many Linux distributions; however, this guide was specifically written for and tested on Ubuntu 11.10.

Here is how you can use alternatives to install and configure apache-ant.

  1. Download and extract apache-ant-1.6.5:

    wget http://archive.apache.org/dist/ant/binaries/apache-ant-1.6.5-bin.tar.bz2
    tar xvf apache-ant-1.6.5-bin.tar.bz2
  2. Repeat for apache-ant-1.8.2 (or any other version you may need):

    wget http://archive.apache.org/dist/ant/binaries/apache-ant-1.8.2-bin.tar.bz2
    tar xvf apache-ant-1.8.2-bin.tar.bz2
  3. Check whether apache-ant is already installed and, if so, move its binaries to the “stock” directory:
    test -d /usr/share/ant && sudo mv /usr/share/ant /usr/share/apache-ant-stock
  4. Move apache-ant-1.6.5 to /usr/share:

    sudo mv apache-ant-1.6.5 /usr/share/
  5. Move apache-ant-1.8.2 to /usr/share:

    sudo mv apache-ant-1.8.2 /usr/share/
  6. Use alternatives to map /usr/share/apache-ant-1.6.5 to /usr/share/ant, which is Ubuntu’s default location for the apache-ant binaries (update-alternatives modifies /etc/alternatives, so it needs root):

    sudo update-alternatives --install /usr/share/ant ant-bins /usr/share/apache-ant-1.6.5 1
  7. Add /usr/share/apache-ant-1.8.2:

    sudo update-alternatives --install /usr/share/ant ant-bins /usr/share/apache-ant-1.8.2 2
  8. Re-add the “stock” apache-ant binaries to be provided by alternatives:

    sudo update-alternatives --install /usr/share/ant ant-bins /usr/share/apache-ant-stock 3
  9. Use alternatives to map the /usr/share/apache-ant-1.6.5/bin/ant executable to /usr/bin/ant:

    sudo update-alternatives --install /usr/bin/ant ant /usr/share/apache-ant-1.6.5/bin/ant 1
  10. Map the /usr/share/apache-ant-1.8.2/bin/ant executable to /usr/bin/ant:

    sudo update-alternatives --install /usr/bin/ant ant /usr/share/apache-ant-1.8.2/bin/ant 2
  11. Add the “stock” executable to alternatives:

    sudo update-alternatives --install /usr/bin/ant ant /usr/share/apache-ant-stock/bin/ant 3
  12. Configure alternatives to use the apache-ant-1.6.5 binary directory:

    sudo update-alternatives --config ant-bins
  13. Configure alternatives to use the apache-ant-1.6.5 binaries to provide ant:

    sudo update-alternatives --config ant
  14. Verify that apache-ant is properly configured for version 1.6.5:

    ant -version
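
Steps 6 to 11 repeat the same two update-alternatives commands per installation. As an added example that is not part of the original post, the following shell script generalises them to every apache-ant-<version> directory found under a share directory; unlike the fixed 1/2/3 numbering above, it derives priorities from the version order (stock lowest, newest highest), and it only prints the commands unless DO_RUN=1, so the plan can be reviewed as a regular user before it is run as root. The share directory argument and DO_RUN are assumptions of this example.

```shell
#!/bin/sh
# Register every apache-ant-<version> directory under SHARE (default /usr/share)
# plus apache-ant-stock with update-alternatives. Versions are ordered with
# sort -V and get priorities 2, 3, ...; the stock copy gets priority 1.
# Commands are printed one per line and executed only when DO_RUN=1.
# Paths must not contain whitespace.
register_ant_alternatives() {
    share="${1:-/usr/share}"
    if [ -x "$share/apache-ant-stock/bin/ant" ]; then
        emit_ant_alternative "$share/apache-ant-stock" 1
    fi
    # sort -V puts 1.6.5 before 1.8.2 before 1.10.0, which a plain sort would not
    printf '%s\n' "$share"/apache-ant-[0-9]* | sort -V | {
        prio=1
        while read -r dir; do
            [ -x "$dir/bin/ant" ] || continue   # unmatched glob or stray file
            prio=$((prio + 1))
            emit_ant_alternative "$dir" "$prio"
        done
    }
}

# The two update-alternatives commands for one installation DIR at priority PRIO:
# the binary directory group "ant-bins" (linked at /usr/share/ant) and the
# "ant" executable (linked at /usr/bin/ant), as in steps 6-11.
emit_ant_alternative() {
    for cmd in \
        "update-alternatives --install /usr/share/ant ant-bins $1 $2" \
        "update-alternatives --install /usr/bin/ant ant $1/bin/ant $2"
    do
        printf '%s\n' "$cmd"
        if [ "${DO_RUN:-0}" = 1 ]; then $cmd; fi
    done
}
```

After running it with DO_RUN=1 as root, steps 12 and 13 (update-alternatives --config) still choose which version is active.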