
Saturday, February 15, 2014

National Characterset for Ubuntu Console

About Locales

This is not an in-depth guide but rather a briefing in which I wrote down the most essential things about customizing locales.
Although the post focuses on the Polish locale, you might find it helpful because the procedure is similar for other languages.

Steps

Install any missing packages. In the newer Ubuntu releases it is as simple as:

aptitude install language-pack-pl

which automatically generates the appropriate locales.

In older Ubuntu versions:

   aptitude install locales
   aptitude install localedef

On Debian lenny: apt-get install locales-all

X11

After the "locale/language-pack" packages are installed, and assuming proper fonts are already present, national characters should be visible without any issue in xterm and similar applications. However, a proper keyboard layout is still needed.

For Red Hat (Oracle Enterprise Linux) 6.4 it is as simple as going to System -> Preferences -> Keyboard -> Layouts and choosing the Polish (or other) layout there, optionally making it the default one.

For Ubuntu 13.10: System Settings -> Text Entry -> Input source to use: pick your national keyboard here, make it default if you prefer.

Console Specific

Edit /etc/default/console-setup (vim /etc/default/console-setup):

CHARMAP=UTF-8
CODESET=Uni2
XKBLAYOUT=pl

(XKBLAYOUT can also be set in /etc/default/keyboard.) Then apply the settings:

setupcon -v

Locale General

  1. locale (shows the current locale environment settings)
  2. locale -a (lists the locales that are available)
  3. If there is no Polish locale: locale-gen pl_PL.UTF8 (check /etc/locale.gen)
  4. Files:
    • /etc/default/locale - global system locale definition
    • /etc/environment
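
Steps 1 to 3 above are easy to get wrong in one detail: `locale -a` prints locale names in glibc's normalized form (pl_PL.utf8), while /etc/default/locale and locale-gen use the spelling pl_PL.UTF-8, so a naive string comparison reports a generated locale as missing. The following script is an added example, not part of the original post; it works on captured text (the constructed samples at the bottom stand in for the real file and command output) so it runs offline, and it tells you which LANG/LC_* values still need a locale-gen run.

```python
"""Added example (not from the original post): check that the locale set in
/etc/default/locale has actually been generated, working on captured text so
it runs offline. `locale -a` prints normalized names (pl_PL.utf8) while LANG
and locale-gen use pl_PL.UTF-8, so names are normalized before comparing."""

import re


def normalize_locale(name: str) -> str:
    """Normalize like glibc does for lookups: keep lang_TERRITORY and @modifier,
    lowercase the codeset and drop its punctuation (UTF-8 -> utf8)."""
    m = re.fullmatch(r"([A-Za-z_]+)(?:\.([^@]+))?(?:@(.+))?", name)
    if not m:
        return name
    lang, codeset, modifier = m.groups()
    out = lang
    if codeset:
        out += "." + re.sub(r"[^a-z0-9]", "", codeset.lower())
    if modifier:
        out += "@" + modifier
    return out


def parse_default_locale(text: str) -> dict:
    """Parse KEY=value lines of /etc/default/locale (values may be quoted)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def missing_locales(default_locale_text: str, locale_a_output: str) -> list:
    """Locale names referenced by LANG/LC_* that `locale -a` does not list."""
    available = {normalize_locale(name) for name in locale_a_output.split()}
    missing = []
    for key, value in parse_default_locale(default_locale_text).items():
        if (key == "LANG" or key.startswith("LC_")) and normalize_locale(value) not in available:
            missing.append(value)
    return missing


# Constructed sample inputs: a box whose LANG asks for Polish, but only en_US is generated.
SAMPLE_DEFAULT_LOCALE = 'LANG="pl_PL.UTF-8"\nLC_TIME=en_US.UTF-8\n'
SAMPLE_LOCALE_A = "C\nC.UTF-8\nPOSIX\nen_US.utf8\n"

if __name__ == "__main__":
    for name in missing_locales(SAMPLE_DEFAULT_LOCALE, SAMPLE_LOCALE_A):
        print(f"{name} is not generated; run: locale-gen {name}")
```

To use it on a real system, feed `missing_locales` the contents of /etc/default/locale and the output of `locale -a`; an empty list means every configured locale exists.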

References

  1. Ubuntu Locale Help

Thursday, February 13, 2014

Ubuntu freezing packages

Recently I decided to move my desktop environment to the latest Ubuntu 13 (Saucy) to get the latest packages:

root@ubuntu13:~# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=13.10
DISTRIB_CODENAME=saucy
DISTRIB_DESCRIPTION="Ubuntu 13.10"
root@ubuntu13:~#

This is not an LTS (long term support) release and its packages get updated very often.
On the other hand, I'm running it in Oracle VirtualBox and I'm sick of recompiling modules each time the kernel gets updated. Having the VirtualBox (guest additions) modules not aligned with the kernel means I'm losing guest display auto-resize, cannot mount host filesystems and cannot use the shared clipboard.

So I simply need to ignore updates for a set of packages, and starting with Ubuntu 12 it is possible to mark packages as held. Here is what is enough to achieve the goal:

apt-mark hold linux-generic
apt-mark hold linux-firmware
apt-mark hold linux-image-\*
apt-mark hold linux-headers-\*

apt-mark showhold

Nice!
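
One caveat worth checking after the commands above: apt-mark hold only affects packages that are already installed, so a kernel-related package that arrives later (an extra-modules package, a new headers flavour) is not covered by the earlier hold. The following script is an added example, not part of the original post; it parses `dpkg --get-selections` output (a constructed sample with made-up version numbers is embedded) and lists every package matching the held prefixes whose state is not "hold".

```python
"""Added example (not from the original post): list kernel-related packages
that are installed but not on hold, from `dpkg --get-selections` output.
`apt-mark hold` only pins packages already installed, so this is the check to
re-run after a new kernel flavour or extra package appears on the system."""

# Prefixes covered by the four apt-mark hold commands above
KERNEL_PREFIXES = ("linux-image-", "linux-headers-", "linux-generic", "linux-firmware")


def parse_selections(text: str) -> dict:
    """Map package name -> selection state (install, hold, deinstall, purge)."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            states[parts[0]] = parts[1]
    return states


def unheld_kernel_packages(selections_text: str, prefixes=KERNEL_PREFIXES) -> list:
    """Packages matching the kernel prefixes whose state is anything but hold."""
    states = parse_selections(selections_text)
    return sorted(name for name, state in states.items()
                  if name.startswith(prefixes) and state != "hold")


# Constructed sample (version numbers are made up): two packages slipped through.
SAMPLE_SELECTIONS = """\
linux-firmware\thold
linux-generic\thold
linux-headers-3.11.0-12\thold
linux-headers-3.11.0-12-generic\tinstall
linux-image-3.11.0-12-generic\thold
linux-image-extra-3.11.0-12-generic\tinstall
virtualbox-guest-dkms\tinstall
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:   # read the real selections instead of the sample
        text = subprocess.run(["dpkg", "--get-selections"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SELECTIONS
    for pkg in unheld_kernel_packages(text):
        print(f"not on hold: {pkg}  (fix: apt-mark hold {pkg})")
```

Run it with `--live` on the Ubuntu guest after every kernel-related install; an empty result means the freeze is complete.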

References

  1. Ubuntu Pinning Howto

Tuesday, January 14, 2014

Protecting SSH Access

Problem

At home, instead of a typical router, I have a PandaBoard with Debian installed. This very flexible solution allows me to run a fully customized firewall (iptables) and a web proxy (squid) with parental control and blacklists (dansguardian). This box is the front device of my internal network and allows SSH access. I was rather uncomfortable reading logwatch reports about continuous break-in attempts against root and other accounts. While it is practically impossible to guess my password, I rarely change it, so it could somehow be hijacked. So I added a few obstacles in front of SSH while keeping it relatively simple to use.

The first option is to limit access to the SSH service itself by means of PAM. First I edited the /etc/pam.d/sshd file and uncommented the third line in the excerpt below:

[...]
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

Then I adjusted /etc/security/access.conf:

[...]
+ : root : 10.1. 89.174.214.
+ : root : kedra.org .kedra.org
# User "root" should be denied to get access from all other sources.
- : root : ALL
# jurek accesses from all sources
+ : jurek : ALL

The above is good enough to limit unauthorized root access: the local network and the known remote locations are granted SSH access as root, and a root connection from any other location is impossible.

OneTimePasswords

Google Authenticator is a one time password generator, which I use to protect my Gmail and AWS accounts. It gives me a sense of security: without my phone, which generates the one time passwords, it is very hard to gain access to the account. Naturally the one time password is an additional level of access, so I have to provide the classic password plus the Google Authenticator one.

The first step is to install libpam-google-authenticator (apt-get install), then create an access file which allows skipping pam_google_authenticator when connecting from the local network (/etc/security/access-local.conf) with the following content:

# only allow from local IP range
+ : ALL : 10.1.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
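
pam_access evaluates access.conf line by line and stops at the first line whose user and origin fields both match; if no line matches it grants access. The following evaluator is an added example, not part of the original post, written so that both rule sets above (the root restrictions in access.conf and access-local.conf) can be checked against (user, origin) pairs before they go live. It implements only the origin forms that appear on this page (ALL, LOCAL, an address prefix ending in ".", a CIDR block, a domain suffix starting with ".", an exact host) and plain user names or ALL; EXCEPT clauses, groups and netgroups are not covered. The origins used in the demonstration are constructed.

```python
"""Added example (not from the original post): an offline evaluator for the
/etc/security/access.conf syntax used on this page, so a rule set can be
checked against (user, origin) pairs before it is deployed. It covers the
origin forms that appear above (ALL, LOCAL, an IP prefix ending in '.', a
CIDR block, a domain suffix starting with '.', an exact host) and user
names / ALL; EXCEPT clauses, groups and netgroups are left out."""

import ipaddress


def parse_access_conf(text: str) -> list:
    """Return [(allow, [users], [origins])] in file order; comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern: str, origin: str) -> bool:
    """Match one origin pattern against a client address or host name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin            # console/tty names and unqualified hosts
    if "/" in pattern:                      # CIDR block such as 10.1.0.0/24
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False                    # origin is a host name, not an address
    if pattern.startswith("."):             # domain suffix such as .kedra.org
        return origin.endswith(pattern)
    if pattern.endswith("."):               # address prefix such as 10.1.
        return origin.startswith(pattern)
    return origin == pattern                # exact host or address


def access_allowed(rules: list, user: str, origin: str) -> bool:
    """First matching line wins; pam_access grants access when no line matches."""
    for allow, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(p, origin) for p in origins):
            return allow
    return True


# The two rule sets from this post (addresses as the author wrote them).
ROOT_RULES = """
+ : root : 10.1. 89.174.214.
+ : root : kedra.org .kedra.org
- : root : ALL
+ : jurek : ALL
"""
LOCAL_RULES = """
+ : ALL : 10.1.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

if __name__ == "__main__":
    # constructed origins: a LAN host, a documentation-range address, a console login
    for user, origin in [("root", "10.1.0.7"), ("root", "203.0.113.9"),
                         ("jurek", "203.0.113.9"), ("root", "tty1")]:
        print(user, origin,
              "access.conf:", access_allowed(parse_access_conf(ROOT_RULES), user, origin),
              "access-local.conf:", access_allowed(parse_access_conf(LOCAL_RULES), user, origin))
```

Running it shows one property of the first rule set that is easy to overlook: because pam_access grants access when nothing matches, an account other than root or jurek is admitted from anywhere, while access-local.conf closes with `- : ALL : ALL` and therefore denies everything it does not explicitly allow.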

then adjust /etc/pam.d/sshd:

[...]
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session
[...]

The last change is to allow one time password authentication in /etc/ssh/sshd_config:

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Restart the SSH daemon (/etc/init.d/ssh restart) and generate the key with google-authenticator. The command is verbose and intuitive. On my Android phone I use "Google Authenticator": it supports QR code scanning, or I have to retype the key just generated by the google-authenticator command. The google-authenticator command creates the owner-only-readable file ~/.google_authenticator, which stores the key. That should be it; it works. Well, not really.


Configuration Extension

Google Authenticator set up as above is a global configuration for all users. It means each user has to create their own .google_authenticator file (it can't be a system-wide shared file unless you want it world readable) or the user won't be able to log in. This is not really what I want here. I'd like a situation in which a user (actually only me) can decide for himself whether or not to be protected by it. I'd also like the option of having only a single key (.google_authenticator file), but I don't like the idea of having it readable by all users.

There are multiple options to achieve the above goals. The most straightforward is suggested by the google-authenticator man page. It requires adding the following line (shown together with the existing pam_google_authenticator line):

auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup root
auth required pam_google_authenticator.so

It requires the user to be in group "root" (the last argument) before GoogleAuth is required. I'm not a PAM guru, but in effect it cancelled the effect of the previous line, the one with accessfile=/etc/security/access-local.conf. There is probably a way to overcome this somehow, but I had no curiosity to follow that path.
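
The interaction described above follows directly from how PAM's jump actions count: `[success=1 default=ignore]` on the pam_access line skips exactly one module, and once the pam_succeed_if line sits between pam_access and pam_google_authenticator, a local login skips pam_succeed_if instead of the OTP module. The simulator below is an added example, not part of the original post; it parses the auth lines as written on this page, runs them against constructed module outcomes (a dict standing in for the real modules, not the modules themselves) and reports which modules were actually consulted. It handles required/requisite/sufficient/optional and the bracketed form; the way Linux-PAM folds a jumped module's return code into the final result is simplified to "no contribution", which is enough to show the control flow. It also runs the same stack with success=2 on the pam_access line, which makes the local-network skip cover both following lines.

```python
"""Added example (not from the original post): a small simulator of the PAM
auth-stack control flow discussed above, to see which modules actually run for
a given login. It handles required/requisite/sufficient/optional and the
bracketed [success=N default=ignore] form. Module results come from a dict of
constructed outcomes, not from the real modules, and the jump action is
simplified to "skip the next N modules without contributing a result"."""

import re


def parse_control(control: str) -> dict:
    """Map a control field to {return value: action} as Linux-PAM does."""
    simple = {
        "required":   {"success": "ok",   "default": "bad"},
        "requisite":  {"success": "ok",   "default": "die"},
        "sufficient": {"success": "done", "default": "ignore"},
        "optional":   {"success": "ok",   "default": "ignore"},
    }
    if control in simple:
        return simple[control]
    if control.startswith("[") and control.endswith("]"):
        return dict(kv.split("=", 1) for kv in control[1:-1].split())
    raise ValueError("unsupported control field: " + control)


def parse_stack(text: str) -> list:
    """Return [(control, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            stack.append((parse_control(m.group(1)), m.group(2), m.group(3)))
    return stack


def run_auth_stack(stack: list, outcomes: dict) -> tuple:
    """outcomes: module -> True for PAM_SUCCESS, False for any failure code.
    Returns (authenticated, [modules that actually ran])."""
    ran, failed, skip = [], False, 0
    for control, module, _args in stack:
        if skip:                      # inside a jump: module is not consulted
            skip -= 1
            continue
        ran.append(module)
        ok = outcomes.get(module, True)
        action = control.get("success" if ok else "default", "ignore")
        if action.isdigit():
            skip = int(action)        # jump over the next N modules
        elif action == "bad":
            failed = True             # stack fails, but later modules still run
        elif action == "die":
            return False, ran
        elif action == "done" and not failed:
            return True, ran
        # "ok" and "ignore" add nothing in this simplified model
    return not failed, ran


# Stack from the post's working configuration, and the same stack with the
# man page's pam_succeed_if line inserted after pam_access.
STACK_ORIGINAL = """
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
"""
STACK_WITH_SUCCEED_IF = """
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup root
auth required pam_google_authenticator.so
"""


def otp_required(stack_text: str, local: bool, in_root_group: bool) -> bool:
    """Does pam_google_authenticator get consulted for this login?"""
    outcomes = {"pam_access.so": local,               # local origin passes access-local.conf
                "pam_succeed_if.so": in_root_group,   # user ingroup root
                "pam_google_authenticator.so": True}
    _auth, ran = run_auth_stack(parse_stack(stack_text), outcomes)
    return "pam_google_authenticator.so" in ran


if __name__ == "__main__":
    variants = [("original", STACK_ORIGINAL),
                ("with pam_succeed_if", STACK_WITH_SUCCEED_IF),
                ("success=2", STACK_WITH_SUCCEED_IF.replace("success=1", "success=2"))]
    for name, stack in variants:
        print(f"{name:20s} local root needs OTP:",
              otp_required(stack, local=True, in_root_group=True))
```

The middle variant reproduces the effect described above: a root login from the local network still reaches pam_google_authenticator, because the one-module jump lands on pam_succeed_if.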

Instead I replaced the packaged module with a build from source:

apt-get remove libpam-google-authenticator
apt-get install libpam0g-dev libqrencode3
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jvxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0/
make
make install

You can check whether there is a newer version here.

Now I can log in without a one time password for users who have no .google_authenticator file in their home directory. I can also see the one-time password as I type it. The pam_google_authenticator line in /etc/pam.d/sshd needs to be adjusted:

auth required pam_google_authenticator.so nullok echo_verification_code

This is good to know and good to have. However, since I'm the only user of the system, I'd rather have a common .google_authenticator file, owned by root and readable only by root. From the internal network I'd like to log in without one time passwords, but from outside they should be mandatory. So the final solution is:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
#account required pam_access.so

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so user=root secret=/root/.google_authenticator echo_verification_code

Finally I decided to open SSH world-wide, no exceptions (pam_access.so commented out in /etc/pam.d/sshd).

References

  1. Remi Bergsma's blog
  2. How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins

Monday, October 21, 2013

Corkscrew

I work in a place where I have no direct access to the outside world other than HTTP (through an authenticated proxy) and email. However, sometimes I need to reach the outside world, usually through SSH to fetch some external resources, push a git repository and so on. This is not a problem with PuTTY, because it has a variety of proxies built in:

But while working on my Linux running on Oracle VirtualBox I have to rely on plain OpenSSH, and there is no HTTP proxy support in OpenSSH out of the box. There is a solution for OpenSSH as well: Corkscrew, a small utility that does the job and even supports HTTP authentication!


For github.com I use the following config in ~/.ssh/config:

Host github.com
  ProxyCommand corkscrew proxy.acme.com 80 %h %p ~/.ssh/proxyauth
  ServerAliveInterval 60


In the ssh config above, the clause "Host github.com" means the configuration applies only to a target like ssh git@github.com, and that is exactly what git does when pushing to a github repository: it pushes through ssh. The following clause, "ProxyCommand corkscrew [...]", means ssh has to run the corkscrew command with the given arguments. Here is the simplest corkscrew syntax:

$ corkscrew -h
corkscrew 2.0 (agroman@agroman.net)
usage: corkscrew <proxyhost> <proxyport> <desthost> <destport> [authfile]
$


The first two arguments identify the proxy and its port (proxy.acme.com 80). The target host name and port are supplied by ssh itself through the variables %h and %p. The last argument is the auth file: if you need credentials for your proxy, create a file, put username:password inside (just one line) and your connection through the proxy will be authenticated. Usually you don't need it.
The extra line with ServerAliveInterval is useful when I have an idle interactive ssh connection; you can safely remove it from the github.com configuration.
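
What a ProxyCommand such as corkscrew does with those arguments is a plain HTTP CONNECT exchange: it connects to proxy:port, sends `CONNECT desthost:destport HTTP/1.0` (plus a Proxy-Authorization header built from the auth file), and, once the proxy answers with a 2xx status, copies bytes between ssh and the proxy socket. The code below is an added example, not corkscrew's own code and not part of the original post; it builds the request and parses the reply offline, with constructed host names, credentials and proxy replies, so the shape of the exchange is visible without a proxy at hand.

```python
"""Added example (not from the original post): what an HTTP CONNECT proxy
command such as corkscrew does on the wire, built and parsed offline. ssh
passes the target (%h %p) to the command, which connects to the proxy, sends a
CONNECT request (with Proxy-Authorization when an auth file is given) and, on
a 2xx reply, relays bytes between ssh and the tunnel. Host names, credentials
and the proxy replies below are constructed."""

import base64


def build_connect_request(dest_host: str, dest_port: int, authfile_text: str = None) -> bytes:
    """The request sent to the proxy. authfile_text is the one-line
    username:password content of the auth file, or None for no credentials."""
    lines = [f"CONNECT {dest_host}:{dest_port} HTTP/1.0"]
    if authfile_text is not None:
        creds = authfile_text.strip().encode()      # strip the trailing newline
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(creds).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_reply(reply: bytes) -> tuple:
    """Return (status code, bytes after the headers). Anything following the
    blank line already belongs to the tunnel (typically the SSH banner) and must
    be handed to ssh, not discarded with the headers."""
    head, sep, rest = reply.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP reply")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: " + status_line)
    return int(parts[1]), rest


def tunnel_established(reply: bytes) -> bool:
    """Any 2xx status means the proxy opened the tunnel to dest_host:dest_port."""
    code, _rest = parse_connect_reply(reply)
    return 200 <= code < 300


# Constructed replies: a successful tunnel (SSH banner already attached) and a
# proxy that insists on credentials.
SAMPLE_REPLY_OK = (b"HTTP/1.0 200 Connection established\r\n"
                   b"Proxy-agent: example-proxy\r\n\r\n"
                   b"SSH-2.0-OpenSSH_6.2\r\n")
SAMPLE_REPLY_AUTH_NEEDED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                            b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')

if __name__ == "__main__":
    print(build_connect_request("github.com", 22, "alice:s3cret\n").decode())
    print("tunnel:", tunnel_established(SAMPLE_REPLY_OK),
          "leftover for ssh:", parse_connect_reply(SAMPLE_REPLY_OK)[1])
    print("tunnel:", tunnel_established(SAMPLE_REPLY_AUTH_NEEDED))
```

Two things the request shows: Basic authentication is only base64, so the auth file's username:password travels to the proxy in clear text over plain HTTP, and the file itself holds the plaintext password, so it belongs in ~/.ssh with mode 0600 like the other files there.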

That's it! Try it out.

Links

  1. Corkscrew homepage.
  2. Corkscrew, how to setup.