PGP Smart Card + SSH Login + GPG Agent + Ubuntu

I have set up a PGP smart card to use with SSH on Ubuntu. Since some of the steps were less than intuitive, I have decided to write this guide. I will not cover how to create a key pair, since there are plenty of easy-to-find guides on that topic.

The Goal

The card must be able to do the following

  • Sign / verify / encrypt documents as you would expect with gpg
  • Use gpg-agent
  • Use the private key on the card to log into remote ssh servers

The Hardware

The Steps

1. Plug in the card :-)

apt-get install gnupg2 gnupg-agent pcscd libpcsclite1 opensc gpgsm

I don’t know if they are all necessary, but I installed all of them before it worked for me. I know that gpgsm and gnupg-agent are needed.

2. Disable gpg and ssh parts of gnome-keyring:

mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.inactive
mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.inactive

3. Make sure pcscd is running:

ps -e | grep pcsc

If nothing shows up, try running “sudo pcscd”.

4. Enable ssh support in gpg:

echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

5. Restart the computer
6. To see if things are working, try the following commands:

gpg --card-status

You should see many lines of output something like:

Application ID …: DA0209843
Version ……….: 2.0
Manufacturer …..: ZeitControl
Serial number ….: 002340
Name of cardholder: [not set]
Language prefs …: de
Sex …………..: unspecified
URL of public key : [not set]
[More Lines Here]

ssh-add -l

It should output your key fingerprint. If it says “The agent has no identities”, you will have trouble.

7. Put your key on the ssh server you want to log into:
This command will output the value you need to append to .authorized_keys on the server:

gpgkey2ssh [key id]

8. Try it out:

ssh -v

The “-v” flag just makes ssh output more information so you can see whether your key is being used. You do not need it normally.
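A read-only pre-flight check for the steps above, added here as an example and not part of the original post. Paths are parameters so the checks can be pointed elsewhere; the socket name S.gpg-agent.ssh is the name gpg-agent itself uses for its ssh socket.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only pre-flight check
# for the steps above. Each function mirrors one step; paths are parameters
# so the checks can be pointed at other locations (or at test fixtures).

# Step 4: gpg-agent.conf must contain the line "enable-ssh-support".
check_agent_conf() {
    conf=${1:-$HOME/.gnupg/gpg-agent.conf}
    [ -f "$conf" ] && grep -qx 'enable-ssh-support' "$conf"
}

# Step 2: the gnome-keyring gpg/ssh autostart entries must be out of the way,
# otherwise gnome-keyring takes the ssh-agent role before gpg-agent does.
check_keyring_disabled() {
    dir=${1:-/etc/xdg/autostart}
    for entry in gnome-keyring-gpg gnome-keyring-ssh; do
        [ -e "$dir/$entry.desktop" ] && return 1
    done
    return 0
}

# Step 3: pcscd must be running for the card reader to be seen.
check_pcscd() {
    pgrep -x pcscd >/dev/null 2>&1
}

# Step 6: SSH_AUTH_SOCK should point at gpg-agent's ssh socket (named
# S.gpg-agent.ssh); anything else means a different agent answers ssh-add.
check_auth_sock() {
    case ${1:-$SSH_AUTH_SOCK} in
        *S.gpg-agent.ssh) return 0 ;;
    esac
    return 1
}

# Step 6: the agent must list at least one identity (the key on the card).
check_identities() {
    out=$(ssh-add -l 2>&1) || return 1
    case $out in *"has no identities"*) return 1 ;; esac
    return 0
}

run_checks() {
    for c in check_agent_conf check_keyring_disabled check_pcscd \
             check_auth_sock check_identities; do
        if "$c"; then echo "ok    $c"; else echo "FAIL  $c"; fi
    done
}
run_checks
```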

The following post was helpful in discovering how to make this work:

Update for Ubuntu 14.04

I was unable to get it to work on Ubuntu 14.04 with just the instructions above. There seems to be a problem with multiple instances of gpg-agent running: if the one that captures the smart card doesn’t have ssh support enabled, there will be problems. To work around this, I have added the following bash code to my .bashrc file:

# Start one gpg-agent with ssh support and record its environment in a file;
# later shells source that file instead of starting another agent.
if [ ! -f /tmp/gpg-agent.env ]; then
        killall gpg-agent;
        eval $(gpg-agent --daemon --enable-ssh-support > /tmp/gpg-agent.env);
fi
. /tmp/gpg-agent.env

To let GUI programs use the gpg-agent, I made new launchers for those programs that run the same code before spawning the program. Here is an example for Thunderbird:

#!/bin/bash
# Same agent setup as in .bashrc, then spawn the program with that environment.
if [ ! -f /tmp/gpg-agent.env ]; then
        killall gpg-agent;
        eval $(gpg-agent --daemon --enable-ssh-support > /tmp/gpg-agent.env);
fi
. /tmp/gpg-agent.env
# the program this launcher wraps; Thunderbird in this example
exec thunderbird "$@"

I just put this code in a bash file and then pointed the .desktop file to launch it.
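A variant of the snippet above, added here as an example rather than taken from the post: it also detects a stale /tmp/gpg-agent.env whose agent has already exited, which the file-exists test alone misses. It assumes the GnuPG 2.0 env-file format (GPG_AGENT_INFO=socket:pid:protocol) that gpg-agent printed on 14.04; the GPG_AGENT_ENV_FILE override variable is my own.

```shell
#!/bin/sh
# Added example, not from the original post: a variant of the .bashrc snippet
# above that also copes with a stale /tmp/gpg-agent.env, i.e. a file left
# behind after the agent it describes has exited (the original only checks
# that the file exists). Assumes the GnuPG 2.0 env-file format that
# "gpg-agent --daemon" printed on 14.04:
#   GPG_AGENT_INFO=<socket>:<pid>:<protocol>; export GPG_AGENT_INFO;
ENV_FILE=${GPG_AGENT_ENV_FILE:-/tmp/gpg-agent.env}   # override is mine

# Print the agent PID recorded in an env file; fail if the file is missing.
agent_pid_from_env() {
    [ -f "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*/\1/p' "$1"
}

# Succeed only if that PID exists and really is a gpg-agent process
# (a recycled PID now belonging to some other program must not count).
agent_alive() {
    pid=$(agent_pid_from_env "$1") || return 1
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    [ "$(ps -o comm= -p "$pid" 2>/dev/null)" = "gpg-agent" ]
}

# Reuse the live agent if there is one, otherwise start a fresh one with
# ssh support, then import its environment into the current shell.
ensure_gpg_agent() {
    if ! agent_alive "$ENV_FILE"; then
        rm -f "$ENV_FILE"
        killall gpg-agent 2>/dev/null
        gpg-agent --daemon --enable-ssh-support > "$ENV_FILE" || return 1
    fi
    . "$ENV_FILE"
}
```

Source this file from .bashrc or from a launcher script and call ensure_gpg_agent; the GPG_AGENT_INFO and SSH_AUTH_SOCK it exports then apply to the calling shell.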

Posted in Linux, Networking, System Administration

Icon Set Released


Today we are releasing a new icon set under a creative commons license. It was created for the Ozone Solutions website (where you can see it in use). Feel free to download a copy from here to use if you wish (under the terms of the license).

The icons are in a svg file. They are lined up nicely to make it easy to use for css sprites. If you need a program to edit svg files, you can download Inkscape for free. Inkscape was used to create the icons.

The version on the Ozone Solutions website contains a few additional icons (with logos) which are not included in the version licensed under the creative commons license.

Posted in Uncategorized

Configure CUPS with CFEngine 3

I use CFEngine3 to manage several Ubuntu computers. One task I wanted to do the other day was to centrally manage printers. That way, when I set up a new computer, I don’t have to worry about setting up printers. Thankfully, CUPS uses simple plain-text config files (unlike gsettings…). To set up the printers on a new machine, all you have to do is copy the /etc/cups/printers.conf file and all files in the /etc/cups/ppd/ directory to the new machine. This method could also be used to easily back up printer configuration or to transfer printers from an old computer to a new one.

Anyway, here is some cfengine code to do the job:

bundle agent cups_printers   # bundle name assumed; the original header was lost
{
classes:
	"printerPPDsInstalled" expression => fileexists("/etc/cups/ppd/myPrinter.ppd");
files:
	"/etc/cups/ppd"   # promiser paths taken from the text above
		create => "true",
		copy_from => secure_cp("/my/network/location/printers/ppd",""),
		depth_search => recurse("inf"),
		perms => mog("755","root","lp");
	# printers.conf may hold device URIs with embedded credentials; 755 makes it world-readable
	"/etc/cups/printers.conf"
		create => "true",
		perms => mog("755","root","lp"),
		classes => if_repaired('restart_cups'),
		copy_from => secure_cp("/my/network/location/printers/printers.conf","");
commands:
	restart_cups::
		"/usr/sbin/service cups restart";
}

Posted in Linux, Networking, System Administration, Uncategorized

Easy Understandable Way to Remove Old Kernels

I have several servers where old kernels become a problem. Generally either /usr or /boot fills up or runs out of inodes. There are a couple of how-tos that give you a command-line one-liner that will fix the problem; however, they are all very long and scary. I would rather execute something that I can understand. Thankfully, some kind soul has written a nice simple walk-through here. If you are having problems with old kernels piling up, I would suggest taking a look.

If you have to do this on multiple servers, you can simplify the process by copying and pasting the package names from “dpkg --list | grep linux-image” into one large purge statement. Just remember not to remove your currently running kernel.

sudo apt-get purge linux-image-3.2.0-23-generic linux-image-3.2.0-48-generic linux-image-3.2.0-51-generic
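Added example, not from the post: building the purge line from dpkg --list output while excluding the running kernel, which is the mistake the paragraph above warns about. The dpkg lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the purge line from
# "dpkg --list" output instead of copying package names by hand, leaving
# out everything that belongs to the running kernel. Reads dpkg lines on
# stdin; the running release (what "uname -r" prints) is the argument.
old_kernel_packages() {
    [ -n "$1" ] || return 1          # refuse to run without a running release
    awk -v run="$1" '
        # "ii" = installed; versioned image and image-extra packages only,
        # so meta-packages such as linux-image-generic are never listed.
        $1 == "ii" && $2 ~ /^linux-image-(extra-)?[0-9]/ && index($2, run) == 0 {
            print $2
        }'
}

# Print the apt-get purge command for those packages; fail if there is
# nothing to remove so a caller never runs "apt-get purge" with no arguments.
purge_command() {
    pkgs=$(old_kernel_packages "$1") || return 1
    [ -n "$pkgs" ] || return 1
    set -- $pkgs
    printf 'sudo apt-get purge %s\n' "$*"
}

# Typical use (prints the command for review; nothing is removed):
#   dpkg --list | purge_command "$(uname -r)"
```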

Posted in Linux, System Administration

Thoughts on Netsuite PHPToolkit v2013_1

Netsuite has released the 2013_1 version of their PHPToolkit (a PHP library for accessing the Netsuite back-end API). Since I last looked into their toolkit, the Netsuite developers have completely rewritten it, so I thought I should mention some of my thoughts on the new version:

The Good Stuff

  • Object Oriented. The new toolkit makes much better use of objects. Rather than one object (nsComplexObject), there are now objects for logical units like “items” or “customers”.
  • Easier to Explore: It is now easy to see what properties an object has.  You used to have to look at the webservices documentation to see what properties an object had (and what name they used).  However, now you can just look at the php object’s properties.
  • Some backwards compatibility: they created a method called setFields() which allows you to set object values via arrays like the older toolkits.  A nice touch to reduce code rewriting.
  • More Support: now there are more objects and properties accessible via the API.

The Not So Good Stuff

  • Not backwards compatible: I had to rewrite almost every call to the Netsuite API.  The old methods of using the toolkit are broken.  The setFields method is nice, but is still used differently than the old toolkit.
  • setFields() fails to handle nullFieldList — Looks like a simple bug in the code (not hard to fix though).
  • Not namespaced: The toolkit defines hundreds of objects with names like “Customer”, “Item”, and “Task”. Chances are pretty good that at least one of these names will cause a collision. Note: the toolkit does check for the existence of a class before defining its own, but that then prevents the use of their class. Namespaces would be a much cleaner solution.


Overall I would say the change is for the better. There is still work to be done, and it would have been nice if there was more backwards compatibility, but overall the change is a good one.

Posted in Netsuite PHPToolkit

Move Project from Subversion To Git Without History

Today I had a couple of projects that I wanted to move from a Subversion repository to a Git repository (since I find branching easier in Git). Since I will still have the Subversion server around, I wasn’t really interested in all the extra work needed to transfer all the Subversion history. Here is how you can quickly switch a project from Subversion to Git:

1. Go to the project directory

cd /home/username/myproject/

2. Remove the .svn files

find . -type d -name .svn -prune -exec rm -rf {} +

3. Create git repository

git init

4. Commit your files

git add -A && git commit

And that’s it: the quick and easy way to move a project (if you don’t care about your history). It’s worth noting that if you are using an IDE the process may be more complicated. For NetBeans 7.3 all I had to do was close the project and restart the IDE, but I can’t vouch for anything :)

Posted in Uncategorized

Installing Simple LDAP in WordPress: “undefined function ldap_connect()”

When trying to install a WordPress site with the Simple LDAP Login plugin (on Ubuntu Server), I got a blank page for the login page and found the following error in my /var/log/apache2/error.log:

PHP Fatal error:  Call to undefined function ldap_connect() in /var/www/wp-content/plugins/simple-ldap-login/Simple-LDAP-Login.php on line 263

Thankfully the fix was pretty simple, just run the following command in a terminal on the server:

apt-get install php5-ldap

Posted in Linux, System Administration

CFEngine3 Allow Clients Access to File on Server

The other day I was trying to copy a file from a CFEngine hub to a client machine. My test bundle was as follows:

body common control
{
        bundlesequence => { "mycopy" };
        inputs => { "libraries/" };
}
bundle agent mycopy
{
files:
        "/path/to/destination/file"   # placeholder: the original promiser line was lost
#               copy_from => local_cp("/tmp/srcfile1");
                copy_from => secure_cp("/tmp/srcfile1","");
}

However, I kept getting an error about “Could not stat file”. When I ran it in verbose mode (add the --verbose parameter), I noticed that the server was connecting but then refusing to send the file. What I needed to do was add an access rule in /var/cfengine/masterfiles/control/ on the hub to allow access to the file:

bundle server access_rules {   # enclosing bundle assumed; the original header was lost
access:
      "/tmp" #or wherever your file is located
      admit   => { ".*$(def.domain)", @(def.acl) };
}

Posted in Linux, Networking, System Administration

Error Installing CFEngine 3 on Ubuntu 12.04

I was trying to install CFEngine3 using the following commands:

apt-key add gpg.key
rm gpg.key
apt-get update
apt-get install cfengine-community

However, I got the following error:

Failed to fetch Unable to find expected entry ‘main/source/Sources’ in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.

Apparently this is an open bug. Thankfully, there is an easy work-around. Simply edit /etc/apt/sources.list and comment out the following line (by adding a “#”):

deb-src precise main

You can still install the binary packages without the src repository.

Posted in Linux, Networking, System Administration

Logarithms on the Web: Using Mathematics to Display a Tag Cloud

A Logarithm in Creation

Although I am a computer programmer, I also studied Mathematics in college. Naturally, I was excited when a computer program I was working on involved some “complex” math (don’t worry, no integrals or infinite series ahead).

The Problem

I was trying to display a tag cloud on my company’s website. However, there was a problem: the tag “Ozone” appeared about 100 times more often than almost any other tag. When I tried to display them using a linear scale, the results looked like this:

Figure: The tags using a basic linear scale. The other tags are so small you can’t see them.

What I tried

My first thought was to adjust the linear scale. To make the other tags visible, I could just increase the slope of the equation, so instead of using something like y=1x+2 I would use y=5x+2. Here is what I got:

Figure: A linear transformation. The “Ozone” tag still clobbers all the other tags.

The Solutions

Once I realized the linear transformation wouldn’t work, my next thought was logarithms. When I graphed the data, it fit a power curve quite nicely (R² of .917). Since the data fit a power curve, I was pretty sure I could make logarithms work. However, I had a few other constraints: in order to keep the tag cloud a consistent size, I needed the maximum of the equation to be 1 and the minimum to be 1/3.

Figure: Notice the data fits a power curve pretty well.

Starting Equation: y = log(x)

Adjusting the Maximum

To bring the maximum value down to 1, I just divided by the log of the biggest value in the data set:

y = log(x)/log(xmax)

Adjusting the Minimum

To adjust the minimum, I just performed a simple linear transformation on my previous result:

y = f(x)/1.5 + 1/3

This gave me a final equation of

y = log(x)/log(xmax)/1.5 + 1/3

The results were exactly what I was looking for :)

Figure: Tag Cloud. The final result; much better than before!

If you would like to see the data for yourself, here is a spreadsheet in odf format that contains the data, the equations, and the graph: Log-Transformations.ods (you can download a viewer here).
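The final equation applied to a constructed tag list, as an added example that is not from the post (the post does not say which language its site uses; this is awk inside a shell function). It also handles the two inputs the formula itself cannot: a count of 0 and a data set where every count is 1.

```shell
#!/bin/sh
# Added example, not from the original post: the final scaling
# y = log(x)/log(xmax)/1.5 + 1/3 applied to a constructed tag list.
# Input on stdin, one "tag count" pair per line; output "tag size" with
# size in [1/3, 1]. Only a ratio of logs is used, so the base does not
# matter and awk's natural log works just as well as log10.
tag_sizes() {
    awk '
        $2+0 >= 1 { tag[NR] = $1; n[NR] = $2; if ($2 > max) max = $2 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!(i in n)) continue   # count 0: log undefined, tag not shown
                # if every count is 1, log(xmax) is 0: show all tags at full size
                y = (max > 1) ? log(n[i]) / log(max) / 1.5 + 1/3 : 1
                printf "%s %.3f\n", tag[i], y
            }
        }'
}

# Constructed sample, roughly the situation in the post: one tag that
# appears about 100 times more often than the others.
printf 'Ozone 100\nSensors 10\nManuals 1\n' | tag_sizes
```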

Posted in Mathematics