Monday, November 23, 2009

» Packman repository for KDE3 on openSUSE 11.2

openSUSE 11.2 no longer ships KDE3, because it is barely maintained upstream. You may still install and use KDE3 as your desktop environment, as the packages are available in the openSUSE Build Service. That is why we decided to set up an additional repository that contains the Packman packages that require KDE3. If you want e.g. kde3-amarok, add the following repository: http://ftp.skynet.be/pub/packman/suse/kde3/11.2/packman-kde3.repo


Friday, November 20, 2009

» osc and self-signed certificates the secure way

Obviously, a much more secure option for using the osc Build Service command-line client with your own server instances that have a self-signed certificate is to add that server certificate to the list of trusted ones, instead of switching the peer certificate check off. To do so, run the following, all of it as root in a shell:
umask 0033   # new files come out world-readable (0644), which is what a trusted certificate should be
cd /etc/ssl/certs
# Fetch the certificate(s) the server presents and keep only the PEM blocks.
# -showcerts captures the whole chain; a self-signed server sends a single certificate.
echo | openssl s_client -showcerts \
-connect YOUR.SERVER:SSL_PORT \
2>&1 |sed -n '/^-----BEGIN/,/^-----END/p' \
> SOME_FILENAME.pem
c_rehash .   # create the hash-named symlinks OpenSSL uses to look the certificate up
Once you've done the above, osc will no longer complain about an invalid (server) peer certificate, as the certificate of your Build Service instance is now accepted as a valid one. Note that to be really secure, you need to ask an administrator of the server what the fingerprint (a hash of the certificate) actually is, so that you can compare it and make sure you're not blessing an already compromised server and are not already subject to a man-in-the-middle attack. The "fingerprint" used below is simply the SHA-1 of the PEM text of the certificate, not the standard X.509 fingerprint that OpenSSL prints, so both sides must hash exactly the same single certificate block: if SOME_FILENAME.pem ended up containing more than one certificate (the chain), trim it down to the server certificate first, otherwise the comparison fails even for a genuine certificate. A user who has root access to the server should run the following command, obviously as root, and give you its output, ideally through a secure communication channel, or through several channels (e.g. SMS mobile text message and/or a signed email and/or IRC from a registered nickname):
# lighttpd.pem holds key and certificate; keep only the certificate block before hashing
cat /etc/ssl/private/lighttpd.pem\
| sed -n '/^-----BEGIN CERT/,/^-----END CERT/p'\
| sha1sum | cut -f1 -d" "
You can then run the following command and compare the output with what that trusted user has given you:
fp=$(sha1sum /etc/ssl/certs/SOME_FILENAME.pem\
| cut -f1 -d" ")
server="...paste what the trusted user has given you here..."
# A mismatch also happens when the local file holds more than the one certificate; either way, do not trust it until resolved
test "$fp" = "$server" && echo OK || echo COMPROMISED
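As an added example (not code from the blog post or from osc), here is the same check done with the standard certificate fingerprint, i.e. the hash of the DER bytes inside the PEM armour, which is what openssl x509 -fingerprint prints and what an administrator is most likely to hand you. It parses every CERTIFICATE block in the file written by the s_client command above, fingerprints the first one (the server certificate), reports when further chain certificates are present instead of silently failing, accepts the admin's value in any common spelling (with or without colons, upper or lower case, with or without the "SHA256 Fingerprint=" prefix) and compares in constant time. The sample PEM is constructed from arbitrary bytes, not a real X.509 certificate, since only the base64 payload matters for the fingerprint; the file path and the admin-supplied string on the command line are assumptions.

```python
"""Compare a server certificate's fingerprint with the value an admin gave you.

Added example, not from the post. Fingerprint = hash(DER), formatted the way
OpenSSL prints it (uppercase hex pairs joined by ':').
"""
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der, algo="sha256"):
    """OpenSSL-style fingerprint of one DER certificate (sha256 or sha1)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce 'SHA256 Fingerprint=ab:cd..', 'ab:cd..' or 'abcd..' to 'ABCD..'."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def verify(pem_text, expected, algo="sha256"):
    """Check the first (server) certificate in pem_text against the admin's value.

    Returns (ok, computed_fingerprint, number_of_certificates_in_file).
    Uses a constant-time comparison so timing does not leak matching prefixes.
    """
    ders = pem_to_der(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    computed = fingerprint(ders[0], algo)
    ok = hmac.compare_digest(normalize(computed), normalize(expected))
    return ok, computed, len(ders)


def _pem_block(der):
    """Wrap bytes in PEM armour (for the constructed sample below)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample: arbitrary bytes standing in for a leaf and a chain
# certificate, not real X.509 data. Only the base64 payload matters here.
SAMPLE_LEAF_DER = b"constructed leaf certificate bytes, not a real certificate"
SAMPLE_CHAIN_DER = b"constructed intermediate bytes, not a real certificate"
SAMPLE_PEM = _pem_block(SAMPLE_LEAF_DER) + _pem_block(SAMPLE_CHAIN_DER)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # assumed usage: verify_fp.py /etc/ssl/certs/SOME_FILENAME.pem 'AB:CD:...'
        with open(sys.argv[1]) as f:
            text = f.read()
        expected = sys.argv[2]
    else:
        text, expected = SAMPLE_PEM, fingerprint(SAMPLE_LEAF_DER)
    ok, fp, n = verify(text, expected)
    if n > 1:
        print("note: file holds %d certificates; only the first was checked" % n)
    print("computed:", fp)
    print("OK" if ok else "MISMATCH: do not trust this certificate")
    sys.exit(0 if ok else 1)
```

On the server side the matching value comes from `openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/private/lighttpd.pem`; because the comparison hashes the decoded DER rather than the PEM text, line wrapping, a trailing private key in the same file or extra chain certificates no longer produce a false mismatch.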
If you have already patched your osc client as I described in my previous post, you can undo that patch with the following code (again, as root in a shell); conf.py.orig is the backup that patch -b -z.orig created:
umask 0077
cd $(dirname $(rpm -ql osc|grep /conf.py\$))
mv conf.py.orig conf.py
chmod 0644 conf.py


» Patch for osc and self-signed certificates

If you are using your own Build Service instance as we do at Packman, and if you are using a self-signed certificate for HTTPS, then this patch might come in handy for you as well. Note that it disables peer certificate validation in osc altogether, so don't use it with Build Service instances you don't trust, and only if you are willing to take the risk of not detecting man-in-the-middle attacks. To apply the patch, simply copy and paste the following block of shell code into a terminal where you are running as root:
cd $(dirname $(rpm -ql osc|grep /conf.py\$))
umask 0077
p=$(mktemp)   # private temporary file rather than a predictable /tmp name another local user could pre-create as a symlink
curl -s -o "$p" \
http://linux01.gwdg.de/~pbleser/files/osc/\
osc-disable-peer-cert-check.diff
# the patch travels over plain HTTP, so only apply it if its SHA-1 matches the value published here
test "$(sha1sum "$p" | cut -f1 -d" ")" = \
9812ef2a18c02799b9e33d1402509c3217c39194 \
&& patch -p1 -b -z.orig -i "$p"
UPDATE: in my following blog post I describe a secure option.


Wednesday, November 18, 2009

» webpin .= "11.2";

Just committed the webpin CLI client version 1.2.1, which contains a single change: it now also supports searching the Software Portal index for openSUSE 11.2.
