Wednesday, November 12, 2014

Wings of Fire - APJ Abdul Kalam

Recently I visited my home town after one year with my cousin brother and this time I booked train ticket from Bangalore. It has always been a great journey for me whenever I have travelled by train. Watching the fields, distant land, people working, trees, mountains and houses gave me a wonderful experience. I felt that my country indeed has lots to offer and great diversities. My journey started from south western part of India and ended in the eastern part and I reached my home after travelling through six states. It was a long journey of about two days and I was thinking what I should do during my travel. So, I looked into my stack of books and I found a book written by our ex-president, a great scientist and a great teacher, Dr. APJ Abdul Kalam. The book was "Wings of Fire". 

It is indeed a great book which not only gives us the experiences of Dr. Kalam but also motivates us to do the likes. Through his experiences he has imparted a sea of knowledge to us. Apart from all the events which he has beautifully written, I liked his scribbled poems. It felt difficult sometimes to fully understand what he actually meant but I gave sufficient time to each of his stanzas. The end result was that I ended the book while returning from home to Bangalore. An old Bengali gentleman, who was having his reservation in front of mine while returning, told me that he has read the book twice and described me his understandings of the book. He was a very friendly person and liked to talk much.

It was a great learning journey as I travelled by train for so long after three years. At the end I decided to take a book on every journey of mine now onwards. 

Wednesday, October 15, 2014

The POODLE attack on SSL 3.0

Google wrote on its blog about the POODLE attack which seems to be a concern now. Though nvd still says it is under review. One of the recommendations being to disable SSL 3.0 on client (or server or both). Readers are suggested to go through "Recommendations" section here for detailed explanation on the recommendation and "The POODLE Attack" section for explanation on how the attack works. Any comments are appreciated.

Sunday, October 12, 2014

Secure copy - an introduction

Secure copy  [scp] is a remote file copy program which comes as a sub-module in OpenSSH. It uses SSH as underlying protocol to transfer data and uses the same authentication. A simple command to copy a file to a remote host is:

scp file user@remote_ip:

There are several options which we can pass to scp [in the command-line itself] like options for ipv4 [-4], ipv6 [-6], option for enabling compression [-C], specifying per-user config file for ssh [-F ssh_config], etc which are passed to underlying ssh process. Additionally, options can be passed in the format used in ssh_config.

Scp works in source and sink modes i.e. 'from' and 'to' which can be seen in the codes and can be realized from the command line also. Users are suggested to go through its manual page. This can be found either by executing "man 1 scp" in the terminal or from the internet ex. 'manual' link of OpenSSH.

Sometimes we need to debug issues in scp for which we may need to see the process hierarchy. For this, we can have a look at "ps -elf" and "pstree -p" and grep for 'ssh' and 'scp' for knowing the process hierarchy in ssh and scp.

Readers are suggested to comment for any rectification on this post or suggestion.

Wednesday, September 3, 2014

Cryptography I course by Stanford

Online learning has gained much popularity these days. One of these courses is Cryptography I taken by Prof. Dan Boneh of Stanford University through Coursera Inc. I highly recommend this course for those who want to start learning this subject. Even if I have studied few topics of the subject back in college and done some self-study in it, I found the course to be somewhat different. The way of teaching is too good. The course material is a balance of both theoretical and practical aspects and it also highlights some of the open problems in cryptography. The learners need to watch few videos each week and need to answer questions at the end, which they get points for. There is a final test at the end of the course. After successfully taking the test, a certificate of accomplishment is generated within two to three days for the participant. I am waiting for its advanced course: Cryptography II. Readers are suggested to go through the references mentioned below for these courses.

References:

Monday, September 1, 2014

SSH protocol overview

Secure Shell, as the name suggests, is a protocol for getting a shell which can be used to securely execute commands on a remote machine. It supports several other features too. It is a combination of three layers of protocols namely, Transport layer protocol, User authentication protocol and Connection protocol [See references below for RFC links]. 

Transport layer protocol provides confidential channel over insecure network. This layer provides server host authentication, key exchange, encryption, integrity protection. It derives session id that may be used by higher level protocols.

User authentication protocol provides a suite of mechanism that can be used to authenticate the client user to the server.

Connection protocol specifies a mechanism to multiplex multiple streams (channels) of data over the confidential and authenticated transport. It also specifies channels for accessing an interactive shell, for proxy-forwarding various external protocols over the secure transport (including arbitrary TCP/IP protocols) and for accessing secure subsystems on the server host. 

OpenSSH is a wonderful implementation of SSH available online [See below for references].

Few references:

Wednesday, August 20, 2014

crypt function in Linux

Here is a function provided to encrypt a given key with a provided salt. The signature of the function is as follows:
 
char *crypt(const char *key, const char *salt);

 
If a salt given has a format of "$.$...$..." i.e. normally of the hashed password stored in shadow file (look for my previous blogs on shadow file), then the function will interpret the salt and get the type of hash to be used. A hash type could be of MD5 ($1$), SHA256 ($5$), etc. This way one can hash a password provided by a user (the argument 'key') and match/authenticate with the one stored in the shadow file. This function is highly recommended not to be used for any other purpose except authentication. Readers are recommended to go through its manual page and understand its usage. 
 
Here are some references:
man 3 crypt

gnu_libc_crypt
man7_crypt

Saturday, August 16, 2014

Linux shadow and passwd files - an introduction

A user's credentials and password related information are maintained in shadow file in Linux. The file requires root permission to be read. It has the following construction:

username : hashed passwd with salt and type : last passwd change day : minimun days to change passwd : max passwd lifetime : warning period : grace period : account expire day

Days above are in refernce to last passwd change day (calculated from epoch, 01/01/1970) and max passwd lifetime. They can be changed as required. In grace period, a user is asked to changed the passwd as soon as s/he logs in whereas in warning period, which is calculated from max passwd lifetime, the user is just thrown a warning message saying when the passwd will expire. The account lock day is the day after which the user is not allowed to login. There are several utilities which can be used with appropriate options to manipulate these entries in shadow file.

A passwd file is a file which stores user information. It has the following construction:

username : user id : group id :full name : home dir : shell

The last field, shell, is the default shell given to the user after login and home dir is its home directory.

The above words are used so as to convey the information. More information comes in a follow-up blog with references. 


Functions to get and set shadow and passwd file values

An introduction was given about the shadow and passwd files in linux in my last post. Here are some of the functions with their signatures which are provided to get/set values from/to these files:

struct spwd *getspnam (const char *name);

Following is the structure which gets populated if the user is present:

 struct spwd {
     char *sp_namp;
     char *sp_pwdp;
     long sp_lstchg;
     long sp_min;
     long sp_max;
     long sp_warn;
     long sp_inact;
     long sp_expire;
     unsigned long sp_flag;
};

Following are the functions which may be used to get entries one by one:

void setspent (void);
struct spwd *getspent (void);
void endspent (void);

Following function deals with passwd file entries:

struct passwd *getpwnam (const char *name);

It returns following structure:
 struct passwd {
     char *pw_name;
     char *pw_passwd;
     uid_t pw_uid;
     gid_t pw_gid;
     char *gecos;
     char *pw_dir;
     char *pw_shell;
};

An exhaustive explanation and lists of functions, their return values, header files to include, etc may be found in their manual pages i.e. man 3 getspnam, man 3 getpwnam, etc and the above definitions of structures and functions signatures are taken from these manual pages itself.