Monthly Archives: May 2011

Firefox Kerberos and Active Directory SSO

At my company there are several internal Windows web servers using AD and Kerberos single sign on. That means, on a Windows computer with Internet Explorer, I dont need to authenticate to access those web servers. Using Firefox, I have to give username and password to each and every site. This article tells how I made single sign on work with firefox.

Ubuntu (Natty) client with Firefox 4
First, Kerberos needs to be installed, which obviously was not default in Ubuntu Natty. When running kinit I got the following:

$ kinit
No command 'kniit' found, did you mean:
 Command 'kinit' from package 'heimdal-clients' (universe)
 Command 'kinit' from package 'krb5-user' (main)

I guessed correctly and installed krb5-user:

$ sudo apt-get install krb5-user

That installation asked me for my realm (or something), and I gave the internal DNS domain name, which is on the form:

ad.mycompany.intra

The servers I want to access are called things like:

http://intranet.ad.mycompany.intra
http://server321.ad.mycompany.intra
http://portal.ad.mycompany.intra

This realm was then stored in the kerberos configuration file:

# /etc/krb5.conf
[libdefaults]
        default_realm = AD.MYCOMPANY.INTRA

Now running kinit asked me for my password, I authenticated successfully. My username on my Ubuntu client happened to be the same as my username in Active Directory:

zo0ok@zo0ok-workstation:~$ kinit
Password for zo0ok@AD.MYCOMPANY:INTRA: 
zo0ok@zo0ok-workstation:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: zo0ok@AD.MYCOMPANY.INTRA

Valid starting     Expires            Service principal
05/26/11 13:10:39  05/26/11 23:11:09  krbtgt/AD.MYCOMPANY.INTRA@AD.MYCOMPANY.INTRA
	renew until 05/27/11 13:10:39
zo0ok@zo0ok-workstation:~$ kdestroy
zo0ok@zo0ok-workstation:~$ 

Above example authenticates, lists my tickets and destroys them.

Now it is time for Firefox configuration. In the URL-field, type about:config. You may get a warning about dangerous things and voiding warranty. Proceed and you get to a page with very many configurations. We want to set:

network.negotiate-auth.trusted-uris = .ad.mycompany.intra

I have been told the . before ad is important. Not sure. It should also be possible to include more servers/domains using , between them. I dont know exactly how flexible the field is, but the above setting works for me.

Now, I can single sign on to internal webpages using Firefox on Linux! Note that I have to authenticate using the “kinit” command. It does not work to authenticate to one site in Firefox, and hope to get SSO to all the others.

Simple encryption library for QT (RC5)

Update:Also check out the new improved library.

A while ago I did some QT programming. I think the QT API is very good and useful. I like things about C++ more than Java, but at the same time QT takes away most of the annoyances with C++. Especially, developing cross-platform GUI applications is very nice with QT.

One thing I missed was a simple encryption library. I mean, there is QCA, but how simple is it to use?

So, I did the forbidden thing, and implemented my own encryption library. Ok – it is for many reasons a very stupid thing to do. But it was fun, I did it anyway, it works, and I will share it with you 😉

Well, I did another forbidden thing; I based my library on RC5 – a very elegant and simple encryption algorithm, protected by patents (at least in the US, where I do not live). Anyway, it is of course allowed to make an open source implementation of RC5.

The downloadable package contains three things: the library, a command line encryption utility using the library, and a little command line “unit test” tool. The files are named as:

  • main.cpp – test utility
  • simpleqtrc5.* – the library
  • simpleqtrc5_test.* – the unit test tool

As always with QT, building is very easy:

  $ qmake
  $ make

I used QT 4.5 and QT 4.6. Perhaps you are fine with older versions as well.

I suggest you have a look in the main.cpp-file, or simpleqtrc5.h for examples, instructions and documentation.

The library of course uses QT datatypes, so you can use it very naturally from any QT code. The core is implemented in somewhat optimized C code, that only uses QT datatypes, so it should be 100% portable. There are no non-QT dependencies.

I have implemented both a 32 bit version and a 64 bit version of the algorithm. Of course, both versions work on any CPU, and you chose algorithm at runtime. 32 bit algorithm is faster on 32 bit cpu, and 64 bit algorithm is faster on 64 bit cpu. Maybe this is the only 64-bit implementation of RC5?

Performance is reasonable, as you can see in this example (Ubuntu 11.04, x64):

$ time md5sum 100Mb.bin
28a8c7a11327880877f21c78b7222273  100Mb.bin

real	0m0.238s
user	0m0.220s
sys	0m0.010s

$ time openssl enc -e -aes-128-cbc -k p4ssw0rd -in 100Mb.bin -out 100Mb.aes.enc

real	0m0.580s
user	0m0.510s
sys	0m0.060s

$ time openssl enc -d -aes-128-cbc -k p4ssw0rd -in 100Mb.aes.enc -out 100Mb.aes.dec

real	0m0.619s
user	0m0.460s
sys	0m0.150s

$ md5sum 100Mb.aes.dec
28a8c7a11327880877f21c78b7222273  100Mb.aes.dec

$ time ./SimpleQtRC5 -e -p p4ssw0rd -i 100Mb.bin -o 100Mb.rc5.enc

real	0m1.678s
user	0m1.540s
sys	0m0.120s

$ time ./SimpleQtRC5 -d -p p4ssw0rd -i 100Mb.rc5.enc -o 100Mb.rc5.dec

real	0m2.064s
user	0m1.970s
sys	0m0.090s

$ md5sum 100Mb.rc5.dec 
28a8c7a11327880877f21c78b7222273  100Mb.rc5.dec

$ ls -l 100Mb.*
-rw-r--r-- 1 freke freke 104857600 2011-05-04 19:16 100Mb.aes.dec
-rw-r--r-- 1 freke freke 104857632 2011-05-04 19:15 100Mb.aes.enc
-rw-r--r-- 1 freke freke 104857600 2011-05-04 19:10 100Mb.bin
-rw-r--r-- 1 freke freke 104857600 2011-05-04 19:19 100Mb.rc5.dec
-rw-r--r-- 1 freke freke 104857634 2011-05-04 19:19 100Mb.rc5.enc

Above you can see:

  1. Calculating md5 sum of 100Mb-file
  2. Encrypting using openssl/aes-128 in 0.6s
  3. Decrypting using openssl/aes-128 in 0.6s
  4. Calculating md5sum to confirm that decryption recovered original file
  5. Encrypting using QT/RC5 in 1.7s
  6. Decrypting using QT/RC5 in 2.1s
  7. Calculating md5sum to confirm that decryption recovered original file
  8. Listing 100Mb files

The test program is quite simple to use:

$ ./SimpleQtRC5 
SimpleRC5 (v0.0)
USAGE:
  SimpleRC5 -t testfile
  SimpleRC5 -e OPTIONS
  SimpleRC5 -d OPTIONS
  SimpleRC5 -h
OPTIONS:
  -k SecretFile (preferred to -p)
  -p Secret (default = )
  -i IndataFile
  -o OutdataFile
  -w32    : use 32-bit words
  -w64    : use 64-bit words
  -w      : use native CPU words (default)
  -cbc    : CBC
  -cfb    : CFB (default)
  -n      : no header
  -v      : verbose

The only thing to explain is that without the header, the program can not itself figure out what options to use to decrypt (32/64 bit or cbc/cfb). The header does not reveal anything at all.

!! Please download the new and improved library !!

You can download the source: SimpleQtRC5-0.1.tgz.

If you have any questions, suggestions or complaints just let me know! I really believe the library is stable and secure, and simple to use! I might document it better if anyone cares about it.

Choosing a good password

Security, particularly on the internet, is about passwords. I once read a very good (although a bit long) paper on how to chose good passwords, but when I want that paper, I never find it. And when people ask me about it, I never have a link.

So, the paper is called Simple Formula for Strong Passwords Tutorial, and can be downloaded here.

Tomato Firmware on ASUS WL-520gu

Unfortunately, they dont make the ASUS WL500-g router anymore. I needed a new router and decided to go with the ASUS WL520-gu (a cheaper and less powerful router than the 500).

If you want to run Tomato on it, note that you need the ND version of Tomato. Also, You need to use ASUS official firmware restore utility to flash it the first time. Install the Utility on Windows from the CD that came with the router. You start the router, with the reset button pressed for 5 seconds, to make the router try to download firmware from the restore utility.

The WL520-gu router works fine with Tomato 1.28 (latest version as I write). It has only 4Mb ROM (compared to 8Mb on ASUS WL500G PrV2), which is fine unless you want too many extra or advanced features.

Tomato seems to be replaced by TomatoUSB, but I have tried only the former.

Upgrading to Ubuntu “Natty” 11.04

I rarely upgrade my operating systems. Installing from scratch and migrating my files usually gives a more predictable result. Mac OS X is usually fine to upgrade.

So, I decided to try to upgrade my x64 workstation running Ubuntu 10.10 to 11.04, and to do it the normal user-way.

In conclusion everything went just fine. The upgrade took roughly 3h on a 3GHz Dual Core Athlon x64 with an old-style SATA drive (tempting to get an SSD drive), with a 10Mbit internet connection.

Grub Question
I got a scary question from Grub: do you want to keep your grub configuration, use the maintainers version, or [plenty of other options]? I dont remember editing my Grub configuration. I have a Windows 7 system as well that I want to be able to boot. Anyway, I choose to install the new version and pray. It went all fine. But, for a user upgrade, that question did not feel so comfortable.

Extra PPA repositories
I had installed software from non-standard repositories (latest version of Shotwell and Handbrake). Those programs simply did not exist when I had upgraded. I did not get any warnings or questions, they just disappeared.

Skype and DropBox did work after the upgrade though. DropBox works, but the DropBox icon (some kind of nautilus-plugin) is lost in Unity. Starting the Dropbox application (which exists) does not do anything. So, I really dont know if I can reconfigure or manage dropbox from Unity, or if I can monitor my transfers.

Unity
Well, it will take time to get used to Unity. I did not love Gnome, and I like the Unity vision and idea better. So, I have decided to live with it and try to enjoy it. All my Compiz configurations were gone, perhaps it is possible to restore them. What currently disturbs me the most with Unity is that the Icons are so large, and that I have to click “see 31 more results” when there would be room for all of them at once.

Also, the menu bar is empty (cant see File, Edit, etc) until I move the mouse there. Well, it looks clean, but it can hardly help productivity.

I have not noticed any performance problems with video etc.

Citrix / LibMotif
A nice thing is is that Natty comes with Libmotif4, not Libmotif3, which makes Citrix ICA client work out of the box without stupid symlinks.