Creating systemd Unit file

Create a unit file in the /etc/systemd/system/ directory and make sure it has correct file permissions. Execute as root:

# touch /etc/systemd/system/name.service
# chmod 664 /etc/systemd/system/name.service

Replace name with the name of the service to be created. The file must be readable by systemd but does not need to be executable; because the commands in it run as root, it must be owned by root and not writable by unprivileged users.

Open the name.service file created in the previous step, and add the service configuration options. The following is an example unit configuration for a network-related service:

[Unit]
Description=service_description
# Ordering only: the unit starts after network.target has been reached. That
# target does not guarantee the network is actually up (network-online.target does).
After=network.target

[Service]
ExecStart=path_to_executable
# Type=forking expects the executable to daemonize itself; add PIDFile= so that
# systemd can track the main process reliably. For a daemon that stays in the
# foreground use Type=simple instead.
Type=forking

[Install]
WantedBy=default.target

Notify systemd that a new name.service file exists by executing the following command as root:

# systemctl daemon-reload
# systemctl enable name.service
# systemctl start name.service
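As an added example, not part of the original post: a small POSIX shell script that writes a unit file for a service running unprivileged inside a systemd sandbox, and lints a unit file for the points a reviewer would raise about the example above (Type=forking without PIDFile=, a relative ExecStart=, running as root, no NoNewPrivileges=). The service name, executable path and the particular set of sandbox directives are assumptions; the unit it lints is reconstructed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): emit a unit file for a service
# that runs unprivileged inside a systemd sandbox, and lint an existing unit
# for the problems a reviewer would flag in the example above.
# Service name, executable path and the sandbox directive set are assumptions.

# Print a unit for service $1 running executable $2 (absolute path).
hardened_unit() {
    cat <<EOF
[Unit]
Description=$1
After=network.target

[Service]
Type=simple
ExecStart=$2
# Run as a transient unprivileged user instead of root.
DynamicUser=yes
# Whole file system read-only except /dev, /proc, /sys; no /home;
# private /tmp and a private, device-less /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Block privilege escalation through setuid binaries and file capabilities.
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
EOF
}

# Print the last value of key $2 in unit file $1 (empty if unset).
unit_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one line per finding; prints nothing for a clean unit.
unit_findings() {
    f=$1
    if [ "$(unit_get "$f" Type)" = "forking" ] && [ -z "$(unit_get "$f" PIDFile)" ]; then
        echo "Type=forking without PIDFile=: systemd has to guess the main PID"
    fi
    case "$(unit_get "$f" ExecStart)" in
        /*) ;;
        *)  echo "ExecStart= is not an absolute path" ;;
    esac
    if [ -z "$(unit_get "$f" User)" ] && [ "$(unit_get "$f" DynamicUser)" != "yes" ]; then
        echo "no User= or DynamicUser=: the service runs as root"
    fi
    if [ "$(unit_get "$f" NoNewPrivileges)" != "yes" ]; then
        echo "NoNewPrivileges=yes is not set"
    fi
}

# Demo: lint the unit from the post next to the hardened one.
d=$(mktemp -d)
printf '%s\n' '[Unit]' 'Description=service_description' 'After=network.target' '' \
    '[Service]' 'ExecStart=path_to_executable' 'Type=forking' '' \
    '[Install]' 'WantedBy=default.target' > "$d/name.service"
hardened_unit name /usr/local/bin/name > "$d/name-hardened.service"
for u in "$d/name.service" "$d/name-hardened.service"; do
    echo "== $u"
    unit_findings "$u"
done
rm -rf "$d"
```

The lint is deliberately simple (last value of each key, no drop-in directories); on a real host run systemd-analyze verify and systemd-analyze security on the unit as well, the latter scores exactly the directives hardened_unit sets.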

TOR hidden service

On Fedora, install the tor package, the nginx web server and an SSH server for remote administration:

[root@hiddensrv ~]# dnf install tor nginx openssh-server

Now change the default SSH port and disable root login. On Fedora with SELinux enforcing, sshd is not allowed to bind port 2222 until that port is labelled, exactly as the comment in the file says (semanage port -a -t ssh_port_t -p tcp 2222). Since the onion service below forwards to 127.0.0.1:2222, also bind sshd to loopback: the SSH port is then reachable only through Tor and not from the clearnet, which would otherwise tie the hidden service to your public IP address.

[root@hiddensrv ~]# vim /etc/ssh/sshd_config

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2222
#AddressFamily any
# Loopback only: reachable through the onion service, not from the clearnet.
# Remove this line if you also need direct SSH access over the network.
ListenAddress 127.0.0.1
#ListenAddress ::

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Enable and start SSH service:

[root@hiddensrv ~]# systemctl enable sshd
[root@hiddensrv ~]# systemctl start sshd

Edit the Tor configuration file and uncomment the following lines:

[root@hiddensrv ~]# vim /etc/tor/torrc

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 2222 127.0.0.1:2222

Enable and start the Tor and nginx services. Note that the default nginx vhost also listens on all addresses; if the site should exist only as an onion service, change its listen directive to 127.0.0.1:80 as well:

[root@hiddensrv ~]# systemctl enable nginx
[root@hiddensrv ~]# systemctl start nginx
[root@hiddensrv ~]# systemctl enable tor
[root@hiddensrv ~]# systemctl start tor

Now read the generated hostname of your service:

[root@hiddensrv ~]# cat /var/lib/tor/hidden_service/hostname
v63z5ihn6uxx3kwf.onion

Opening that address in Tor Browser shows the default nginx index page. The 16-character name shown here is a v2 onion address; current Tor releases generate 56-character v3 addresses and no longer serve v2 services, so a fresh install will produce a v3 name.
To reach SSH through the onion service you need a host entry on your laptop:

user@laptop:~$ vim ~/.ssh/config

host hidden
    hostname v63z5ihn6uxx3kwf.onion
    port 2222
    user prouser
    proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

If ncat is not available, the OpenBSD netcat syntax is nc -x localhost:9050 -X 5 %h %p. Port 9050 is the SOCKS port of the system tor daemon; the tor bundled with Tor Browser listens on 9150 instead, so point the proxy at whichever one is actually running.

Connect. On the first connection ssh shows the server's host key fingerprint; compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server before accepting, because a Tor circuit gives you no other assurance of whom you are talking to. Key-based login (with PasswordAuthentication no in sshd_config) is preferable to the password prompt shown below:

user@laptop:~$ ssh hidden
hidden's password:
prouser@hiddensrv:~$
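As an added example, not part of the original post: a POSIX shell script with the three checks worth running on a box set up like this. It flags HiddenServicePort lines whose target is not loopback, checks that sshd_config binds only to loopback (so the SSH port is reachable through Tor alone), and tells v2 from v3 onion names. The torrc and sshd_config in the demo are constructed here; the onion address is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): check that a torrc only forwards
# onion ports to loopback targets, that sshd is bound to loopback so the SSH
# port is reachable through Tor only, and tell v2 from v3 onion addresses.
# The torrc and sshd_config used in the demo are constructed here.

# Print "v2", "v3" or "invalid" for an onion hostname.
onion_version() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.onion$//')
    case "$h" in *[!a-z2-7]*) echo invalid; return ;; esac   # base32 only
    case ${#h} in
        16) echo v2 ;;   # legacy format, no longer served by current Tor
        56) echo v3 ;;
        *)  echo invalid ;;
    esac
}

# Print every HiddenServicePort in torrc $1 whose target is not local.
# A bare port ("HiddenServicePort 22 22") means 127.0.0.1:22 and is fine;
# "unix:/path" targets are local sockets.
torrc_nonlocal_targets() {
    awk '$1 == "HiddenServicePort" {
            n = split($3, a, ":")
            host = (n == 1) ? "127.0.0.1" : a[1]
            if (host != "127.0.0.1" && host != "localhost" && host != "unix")
                print $2 " -> " $3
         }' "$1"
}

# Return 0 if sshd_config $1 has ListenAddress lines and all are loopback
# (an optional :port suffix is allowed). No ListenAddress at all means
# sshd listens everywhere, so that is a failure too.
sshd_loopback_only() {
    awk 'tolower($1) == "listenaddress" {
            total++
            if ($2 !~ /^(127\.0\.0\.1|::1|\[::1\])(:[0-9]+)?$/) bad++
         }
         END { exit !(total > 0 && bad == 0) }' "$1"
}

# Demo with constructed configs.
d=$(mktemp -d)
cat > "$d/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 2222 127.0.0.1:2222
HiddenServicePort 8080 10.0.0.5:8080
EOF
printf 'Port 2222\n#ListenAddress 0.0.0.0\nPermitRootLogin no\n' > "$d/sshd_config"
echo "onion addresses: $(onion_version v63z5ihn6uxx3kwf.onion), $(onion_version abc.onion)"
echo "non-local hidden service targets:"
torrc_nonlocal_targets "$d/torrc"
if sshd_loopback_only "$d/sshd_config"; then
    echo "sshd: loopback only"
else
    echo "sshd: listens on all addresses, add 'ListenAddress 127.0.0.1'"
fi
rm -rf "$d"
```

Run torrc_nonlocal_targets against /etc/tor/torrc and sshd_loopback_only against /etc/ssh/sshd_config on the server; anything the first one prints is a service that is also reachable outside Tor.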

Running GUI applications in LXD on Fedora 26

Create container:

[iaroki@fedora ~]$ lxc launch images:debian/stretch chrome

Install needed tools:

[iaroki@fedora ~]$ lxc exec chrome bash
root@chrome:~# adduser iaroki
root@chrome:~# apt update
root@chrome:~# apt install x11-apps mesa-utils alsa-utils

Allow root (which runs LXD) to map your host UID and GID 1000 into the container:

[iaroki@fedora ~]$ echo "root:1000:1" | sudo tee -a /etc/subuid /etc/subgid

Map your host UID/GID ($UID) onto the container's user 1000, the iaroki account created above, so that files on the shared sockets and mounts have the right owner on both sides:

[iaroki@fedora ~]$ lxc config set chrome raw.idmap "both $UID 1000"
[iaroki@fedora ~]$ lxc restart chrome

Share the X11 socket and the .Xauthority file with the container. Be aware that any client with access to the X socket can read keystrokes and window contents of every other client on that display, so this setup contains the browser's file system and process view, not its access to your desktop session:

[iaroki@fedora ~]$ lxc config device add chrome X0 disk path=/tmp/.X11-unix/X0 source=/tmp/.X11-unix/X0
[iaroki@fedora ~]$ lxc config device add chrome Xauthority disk path=/home/iaroki/.Xauthority source=${XAUTHORITY}

Passthrough GPU device:

[iaroki@fedora ~]$ lxc config device add chrome GPU gpu
[iaroki@fedora ~]$ lxc config device set chrome GPU uid 1000
[iaroki@fedora ~]$ lxc config device set chrome GPU gid 1000

Check results with:

[iaroki@fedora ~]$ lxc exec chrome -- sudo --login --user iaroki
iaroki@chrome:~$ export DISPLAY=:0
iaroki@chrome:~$ echo "export DISPLAY=:0" >> ~/.profile
iaroki@chrome:~$ glxgears

Now install and run the Chromium browser inside the container:

[iaroki@fedora ~]$ lxc exec chrome -- sudo --login --user iaroki
iaroki@chrome:~$ sudo apt install chromium
iaroki@chrome:~$ chromium

LXD installation on Fedora 26

LXD from this repository does not work with SELinux in enforcing mode, so switch SELinux to permissive. setenforce only changes the running mode until the next reboot (set SELINUX=permissive in /etc/selinux/config to make it persistent); in permissive mode SELinux merely logs denials, so the host loses that layer of containment:

[root@fedora ~]# setenforce permissive

Enable the ganto Copr repository that provides the packages:

[root@fedora ~]# dnf copr enable ganto/lxd

Now time to install LXD:

[root@fedora ~]# dnf install lxd lxd-client lxd-tools

To use the lxc client our user needs to be in the lxd group. Keep in mind that membership of that group is equivalent to root on the host, because LXD can mount any host path into a container:

[root@fedora ~]# usermod -aG lxd iaroki

Delegate a sub{u,g}id range to root for the containerised root user (container uid 0 becomes host uid 1000000, and so on for the next 65536 ids):

[root@fedora ~]# echo "root:1000000:65536" >> /etc/subuid
[root@fedora ~]# echo "root:1000000:65536" >> /etc/subgid
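As an added example, not part of these posts: a POSIX shell script that checks the sub{u,g}id delegation both this installation and the "GUI applications in LXD" post rely on. LXD runs as root, so root must be granted every host id it maps: the 1000000+ range for the container's own users, plus the single host uid (1000 in the posts) that raw.idmap "both $UID 1000" maps straight through, which is why that post appends root:1000:1. It also flags a range that would hand host uid 0 to the container. The subuid/subgid files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original posts): check the sub{u,g}id delegation
# that both the LXD installation and the GUI-in-LXD post rely on. LXD runs as
# root, so root must be allowed every host id it maps: the 1000000+ range for
# the container's own users, plus the single host uid (here 1000) that
# `raw.idmap "both $UID 1000"` maps straight through. Sample files constructed.

# Return 0 if file $1 (subuid/subgid format user:start:count) gives user $2
# the host id $3.
subid_covers() {
    awk -F: -v user="$2" -v id="$3" '
        $1 == user && id >= $2 && id < $2 + $3 { found = 1 }
        END { exit !found }' "$1"
}

# Check subuid file $1 and subgid file $2 for a raw.idmap of host id $3;
# print the line to append where it is missing. Return 0 if both are fine.
raw_idmap_check() {
    rc=0
    for f in "$1" "$2"; do
        if subid_covers "$f" root "$3"; then
            echo "$f: root may map host id $3"
        else
            echo "$f: root may NOT map host id $3, append: root:$3:1"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if root's delegated range in $1 includes host id 0: container
# root would then be host root, which defeats the unprivileged container.
subid_maps_host_root() {
    subid_covers "$1" root 0
}

# Demo with constructed files: subuid has both entries, subgid lacks root:1000:1.
d=$(mktemp -d)
printf 'root:1000000:65536\nroot:1000:1\n' > "$d/subuid"
printf 'root:1000000:65536\n' > "$d/subgid"
raw_idmap_check "$d/subuid" "$d/subgid" 1000
for id in 999999 1000000 1065535 1065536; do
    if subid_covers "$d/subuid" root "$id"; then
        echo "host uid $id: delegated to root"
    else
        echo "host uid $id: not delegated"
    fi
done
if subid_maps_host_root "$d/subuid"; then
    echo "DANGER: delegated range includes host uid 0"
else
    echo "host uid 0 is not delegated (good)"
fi
rm -rf "$d"
```

On a real host run raw_idmap_check /etc/subuid /etc/subgid "$UID" before setting raw.idmap; LXD refuses a mapping root is not allowed to make, and the error it prints is less direct than this.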

Enable and start LXD daemon:

[root@fedora ~]# systemctl enable lxd.service
[root@fedora ~]# systemctl start lxd.service

Finally run LXD initialization:

[root@fedora ~]# lxd init

Log in again so the new group membership applies, and then, as the normal user (iaroki in my case), start a container:

[iaroki@fedora ~]$ lxc launch images:debian/stretch mydebian
[iaroki@fedora ~]$ lxc exec mydebian bash
root@mydebian:~#

Enjoy LXD!


Arch Linux crypto installation

After the live CD has booted you need to set up the network connection. For Ethernet, follow these steps:

ip link set eth0 up #set interface up
ip addr add 10.69.0.100/24 broadcast 10.69.0.255 dev eth0 #set ip address
ip route add default via 10.69.0.1 #set gateway

Setting the gateway in the example above may fail. If so, add a host route to the gateway first:

ip route add 10.69.0.1 dev eth0
ip route add default via 10.69.0.1 dev eth0

Set the clock now, since package signature checks and TLS depend on a correct time:

timedatectl set-ntp true

Next, prepare the file systems. We will use LVM on LUKS. For /boot I am using a partition on my USB flash drive, /dev/sdb1, formatted as ext2; the LUKS-encrypted partition is /dev/sda1. Adjust the device names to your layout. Keep in mind that /boot holds the unencrypted kernel and initramfs: whoever can modify the USB drive can replace them with ones that capture your passphrase, so keep the drive with you and never leave it in an untrusted machine.

So let's create the LUKS encrypted partition:

cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/sda1

You will be prompted for a passphrase; choose a strong one, it is the only thing protecting the data at rest. Now open the partition:

cryptsetup luksOpen /dev/sda1 lvm

This maps the encrypted partition /dev/sda1 under the name lvm, so it is now available as /dev/mapper/lvm. Create the LVM layout on it:

pvcreate /dev/mapper/lvm #create physical volume
vgcreate ArchVol /dev/mapper/lvm #create volume group named ArchVol
lvcreate -L 4G ArchVol -n swap #in ArchVol create 4GB partition named swap
lvcreate -l 100%FREE ArchVol -n root #in ArchVol create partition named root filled all remaining space

Now format the new logical volumes:

  • root available at /dev/mapper/ArchVol-root
  • swap available at /dev/mapper/ArchVol-swap
  • boot is my USB flash drive at /dev/sdb1
mkfs.ext4 /dev/mapper/ArchVol-root
mkswap /dev/mapper/ArchVol-swap
mkfs.ext2 /dev/sdb1

Mount our file systems and activate swap:

mount /dev/mapper/ArchVol-root /mnt
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
swapon /dev/mapper/ArchVol-swap

Okay, now the actual Arch installation:

pacstrap /mnt base

This bootstraps the base system. On current Arch the base package no longer pulls in the kernel or lvm2, so add linux, linux-firmware and lvm2 to the pacstrap line; without the lvm2 package the lvm2 initramfs hook used below does not exist. Then generate /etc/fstab from the current mount points:

genfstab -U /mnt >> /mnt/etc/fstab

Now lets chroot to our system:

arch-chroot /mnt

Inside we need to set proper timezone and time:

ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc

To set up locales, uncomment the ones you need in /etc/locale.gen, generate them and set the default:

nano /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

Set the hostname:

nano /etc/hostname
nano /etc/hosts

Arch Linux offers many ways to configure the network; I am using systemd-networkd. For a wired Ethernet connection create the following config as /etc/systemd/network/wired.network:

[Match]
Name = eth0

[Network]
Address = 10.69.0.100/24
Gateway = 10.69.0.1
DNS = 8.8.8.8

We are almost done. What is left is generating the initramfs image and installing the bootloader. The initramfs must include the encrypt and lvm2 hooks, and their relative order matters: block (and keyboard, so that a USB keyboard works at the passphrase prompt) must come before encrypt, encrypt before lvm2, and lvm2 before filesystems. Edit /etc/mkinitcpio.conf:

HOOKS="...  encrypt  lvm2  ...  filesystems  ..."
MODULES="i915"  #if you use intel graphics

Generate initramfs: mkinitcpio -p linux

Set root password: passwd root

Install and configure bootloader:

pacman -S grub

Next, the UUID of the encrypted partition has to go on the kernel command line in the GRUB config. Get it with:

blkid /dev/sda1

# example output
/dev/sda1: UUID="cddd0a60-8281-4a09-8cce-1c5cb8849f62" TYPE="crypto_LUKS" PARTUUID="61979b00-998a-409d-aeb1-08e50f45023c"

Note the UUID part (not PARTUUID, which identifies the partition rather than the LUKS container). Add it to /etc/default/grub; the root= parameter for /dev/mapper/ArchVol-root is filled in by grub-mkconfig:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=cddd0a60-8281-4a09-8cce-1c5cb8849f62:lvm"

Install the bootloader to the MBR of the USB flash drive and generate the config. The target is the whole disk, /dev/sdb, not the partition /dev/sdb1: grub-install refuses to embed its core image into a partition unless forced, and such blocklist installs are fragile.

grub-install --target=i386-pc /dev/sdb
grub-mkconfig -o /boot/grub/grub.cfg
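As an added example, not part of the original post: a POSIX shell script that builds the cryptdevice= kernel parameter from blkid output (taking the UUID, not the PARTUUID) and checks that the HOOKS line in /etc/mkinitcpio.conf contains the hooks this setup needs in an order that can unlock LUKS and activate LVM before root is mounted. The blkid line and the HOOKS lines in the demo are constructed; the UUID is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): derive the cryptdevice= kernel
# parameter from blkid output, and check that the HOOKS line of
# /etc/mkinitcpio.conf is ordered so the initramfs can unlock LUKS and
# activate LVM before it mounts root. The blkid line and HOOKS lines in the
# demo are constructed (the UUID is the one quoted in the post).

# Read blkid lines on stdin; print cryptdevice=UUID=<uuid>:<name> for the first
# crypto_LUKS device, using the filesystem UUID (not PARTUUID). Fails if none.
cryptdevice_param() {
    awk -v name="$1" '
        /TYPE="crypto_LUKS"/ && !found && match($0, / UUID="[^"]+"/) {
            uuid = substr($0, RSTART + 7, RLENGTH - 8)
            print "cryptdevice=UUID=" uuid ":" name
            found = 1
        }
        END { exit !found }'
}

# Return 0 if the HOOKS line of mkinitcpio.conf $1 has every hook this setup
# needs in a workable order; otherwise print what is wrong and return 1.
# Accepts both HOOKS="..." and the newer HOOKS=(...) syntax.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=//p' "$1" | tr -d '"()')
    set -- $hooks            # one positional parameter per hook, in order
    i=0; block=0; keyboard=0; encrypt=0; lvm2=0; filesystems=0
    for h in "$@"; do
        i=$((i + 1))
        case $h in
            block)       block=$i ;;
            keyboard)    keyboard=$i ;;
            encrypt)     encrypt=$i ;;
            lvm2)        lvm2=$i ;;
            filesystems) filesystems=$i ;;
        esac
    done
    rc=0
    for need in encrypt lvm2 filesystems block keyboard; do
        eval "pos=\$$need"
        [ "$pos" -gt 0 ] || { echo "hook missing: $need"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    [ "$block" -lt "$encrypt" ]    || { echo "block must precede encrypt (it provides the device nodes)"; rc=1; }
    [ "$keyboard" -lt "$encrypt" ] || { echo "keyboard must precede encrypt (USB keyboard for the passphrase)"; rc=1; }
    [ "$encrypt" -lt "$lvm2" ]     || { echo "encrypt must precede lvm2 (the PV lives inside LUKS)"; rc=1; }
    [ "$lvm2" -lt "$filesystems" ] || { echo "lvm2 must precede filesystems (root is a logical volume)"; rc=1; }
    return $rc
}

# Demo with constructed input.
printf '%s\n' '/dev/sda1: UUID="cddd0a60-8281-4a09-8cce-1c5cb8849f62" TYPE="crypto_LUKS" PARTUUID="61979b00-998a-409d-aeb1-08e50f45023c"' \
    | cryptdevice_param lvm
d=$(mktemp -d)
echo 'HOOKS="base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck"' > "$d/good.conf"
echo 'HOOKS=(base udev autodetect modconf block filesystems encrypt lvm2 fsck)' > "$d/bad.conf"
for c in "$d/good.conf" "$d/bad.conf"; do
    echo "== $c"
    hooks_ok "$c" && echo "hook order ok"
done
rm -rf "$d"
```

On the installed system, blkid /dev/sda1 | cryptdevice_param lvm gives the exact string to paste into GRUB_CMDLINE_LINUX_DEFAULT, and hooks_ok /etc/mkinitcpio.conf is worth running before every mkinitcpio -p linux.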

At this point we have everything done. Time to unmount our partitions and reboot.

exit
umount /mnt/boot
umount /mnt
swapoff /dev/mapper/ArchVol-swap
reboot

Congratulations! Enjoy your fresh Arch Linux system on an encrypted partition, with the USB flash drive as the boot medium: without it the machine does not boot, and the passphrase is still required to unlock the root volume.


Network Manager restart after suspend/hibernate

Open a terminal and type the following:

sudo nano /etc/systemd/system/wifi-resume.service

Now paste the script below in there with a right click. Exit with CTRL + X and press Y to save. Then activate it with:

sudo systemctl enable wifi-resume.service

The unit name network-manager.service in ExecStart is the Debian/Ubuntu alias; on Fedora and Arch the service is called NetworkManager.service, so adjust that line accordingly.

Script:

#/etc/systemd/system/wifi-resume.service
#sudo systemctl enable wifi-resume.service
[Unit]
Description=Restart networkmanager at resume
After=suspend.target
After=hibernate.target
After=hybrid-sleep.target

[Service]
Type=oneshot
ExecStart=/bin/systemctl restart network-manager.service

[Install]
WantedBy=suspend.target
WantedBy=hibernate.target
WantedBy=hybrid-sleep.target

Hope this helps. It works on my laptop.


GPG Quick Start

A quick HOWTO for getting started with GnuPG.

Your Key

Private and public keys are at the heart of gpg’s encryption and decryption processes. The best first step is to create a key pair for yourself.

Generate a key pair.

gpg --gen-key

You’ll have to answer a bunch of questions. With GnuPG 2.1 and later, plain --gen-key only asks for your name, e-mail address and passphrase and picks defaults for the rest; use gpg --full-generate-key to be asked all of the following:

What kind and size of key you want; the defaults are probably good enough.

How long the key should be valid. A non-expiring key is convenient for your own use, but an expiration date (a year, say, which you can extend later with the expire command of gpg --edit-key) limits the damage if you ever lose the private key or its passphrase and can no longer revoke it. For a key used for public signing, a yearly expiration is a good habit.

Your real name and e-mail address; these are necessary for identifying your key in a larger set of keys.

A comment for your key, perhaps to distinguish a key used for special tasks like signing software releases. The comment can be empty.

A passphrase. Whatever you do, don’t forget it! Your key, and all your encrypted files, will be useless if you do.

Keyserver Registration

You might also want to register your key with public keyservers so that others can retrieve your key without having to contact you directly.

First up, you need to identify your key’s ID or fingerprint. The ID is shorter and easier to type, but the short 8-hex-digit form is trivially collidable (anyone can generate a key with the same short ID), so when you want to identify a key unambiguously, use the full fingerprint.

In the example below (an old key: 1024D on the pub line means 1024-bit DSA, which is considered weak today; keys generated now default to RSA 3072 or Ed25519 depending on the GnuPG version),

  • the ID is 8F54CA35; it’s on the line marked pub;
  • the fingerprint is 00E5 2D6D 91C0 20D0 F596 2CC5 1E36 9C62 8F54 CA35.
[~]$ gpg --fingerprint heinlein
pub   1024D/8F54CA35 2000-11-10
      Key fingerprint = 00E5 2D6D 91C0 20D0 F596  2CC5 1E36 9C62 8F54 CA35
uid                  Paul Heinlein <heinlein@madboa.com>
uid                  [jpeg image of size 3853]
uid                  Paul Heinlein (Galois, Inc.) <heinlein@galois.com>
sub   1024g/6088B91E 2000-11-10

To send them, you’ll need to locate a public key server. MIT’s (pgp.mit.edu) is the one used below; note that the SKS pool used in the search example further down has since been shut down, and keys.openpgp.org is the usual choice today. Any keyserver name in these commands can be swapped for it.

# using ID (GnuPG versions 1 and 2)
gpg --keyserver pgp.mit.edu --send-keys '8F54CA35'
# using fingerprint (GnuPG version 2 and higher)
gpg --keyserver pgp.mit.edu \
    --send-keys '00E5 2D6D 91C0 20D0 F596  2CC5 1E36 9C62 8F54 CA35'

ASCII Version

You may also want to generate an ASCII version of your public key for distribution by e-mail or posting on a web site.

gpg --armor --output pubkey.txt --export 'Your Name'

Encrypting a file for personal use

Encrypting files for your personal use is quite easy.

Encrypt a file called foo.txt. The argument to the --recipient option should be all or part of the name you used when generating your private key.

# the long version
gpg --encrypt --recipient 'Your Name' foo.txt

# using terse options
gpg -e -r Name foo.txt

The encrypted version of the file will by default be named foo.txt.gpg. You can modify that behavior using the --output (-o) option.

Decrypt the encrypted file. You’ll be asked to provide the passphrase you used when generating your private key. If you don’t use the --output option, the contents of the encrypted file will be sent to standard output.

gpg --output foo.txt --decrypt foo.txt.gpg

Encrypting a file for someone else

The really cool thing about GnuPG is that you can safely encrypt files for others using publicly available keys.

Import your friend’s key, which you might have received via e-mail or on a floppy. If the file is named key.asc, then just use the --import option to add it to your keyring:

gpg --import key.asc

That’s it! You can verify the import using the --list-keys option.

Alternatively, you might be able to find your friend’s key on a public keyserver. Here’s what a session looks like when someone searches for my key.

[~]$ gpg --keyserver pool.sks-keyservers.net --search-keys 'paul heinlein'
gpg: searching for "paul heinlein" from hkp server pool.sks-keyservers.net
(1)  Paul Heinlein <heinlein@madboa.com>
       1024 bit RSA key 8F54CA35, created: 2014-06-16 (revoked)
(2)  Paul Heinlein <heinlein@ohsu.edu>
     Paul Heinlein <heinlein@madboa.com>
     Paul Heinlein <heinlein@cse.ogi.edu>
     Paul Heinlein (Galois, Inc.) <heinlein@galois.com>
       1024 bit DSA key 8F54CA35, created: 2000-11-10
Keys 1-2 of 2 for "paul heinlein".  Enter number(s), N)ext, or Q)uit > Q
[~]$

A few notes on this:

  • The first result (marked “revoked”) was the result of a failed test I conducted. You can ignore it.
  • My key has several e-mail addresses attached to it. That’s perfectly normal.
  • In the example above, I chose the Q)uit option. Had I pressed 1 or 2, that key would have been downloaded and added to my local keyring.

Once you’ve got the other person’s public key, encrypt a file using it.

gpg --encrypt --recipient 'myfriend@his.isp.net' foo.txt

You’ll end up with a file called foo.txt.gpg that you can send as an e-mail attachment or make available for downloading via ftp or the web.

Decrypting a file from someone else

If someone sends you an encrypted file, the file has typically been encrypted using your public key. Decrypting it is no different than decrypting a file you’ve encrypted for your own use.

gpg --output foo.txt --decrypt foo.txt.gpg

Detached Signatures

GnuPG can come in handy when you want to be assured that the file you’ve just downloaded is the one its creator wants you to have. The OpenVPN developers, for instance, release GnuPG signatures for all their downloads.

To verify a file using its detached signature, you must first have imported the signer’s public key. Assume we’ve downloaded crucial.tar.gz and the developers have also released a signature file, crucial.tar.gz.asc. Once you’re confident that you have the developers’ public key in your local keyring, the verification step is easy. Read the output carefully: "Good signature" only means the file was signed by the key shown, so check that this key's fingerprint matches the one the developers publish out of band (their web site, release notes, or a previous release); the "WARNING: This key is not certified with a trusted signature" line is normal unless you have certified the key yourself.

gpg --verify crucial.tar.gz.asc crucial.tar.gz

Creating a detached signature is similarly easy. The following example will create a signature for your-file.zip called your-file.zip.asc.

gpg --armor --detach-sign your-file.zip

People who have imported your public key into their keyrings can then verify that their copy of your file is identical to yours.
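As an added example, not part of the quick start: a POSIX shell script that handles fingerprints and key IDs the way the "Keyserver Registration" section describes (key IDs are just the tail of the fingerprint, and the short one must not be trusted), and a verify_pinned function that wraps gpg --verify and accepts a detached signature only when the signing key's full fingerprint matches a pinned one, instead of stopping at "Good signature". The fingerprint is the one printed in the quick start; the file and signature names are assumptions.

```shell
#!/bin/sh
# Added example (not from the quick start): handle fingerprints and key IDs as
# the page describes, and verify a detached signature against a pinned
# fingerprint instead of trusting "Good signature" alone. The fingerprint is
# the one printed in the quick start; file and signature names are assumptions.

# Normalise a fingerprint or key ID: drop spaces, upper-case the hex digits.
fpr_norm() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Key IDs are just the tail of the fingerprint: 16 hex digits (long) or
# 8 (short). Short IDs are easy to collide, so never pin on them.
fpr_long_id()  { fpr_norm "$1" | tail -c 16; }
fpr_short_id() { fpr_norm "$1" | tail -c 8; }

# Return 0 only if $1 and $2 are the same complete fingerprint
# (40 hex digits for v4 keys, 64 for v5). A bare key ID never matches.
fpr_equal() {
    a=$(fpr_norm "$1"); b=$(fpr_norm "$2")
    case ${#a} in 40|64) ;; *) return 1 ;; esac
    case $a in *[!0-9A-F]*) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Verify detached signature $2 over file $1 with gpg and require that the
# signing key (or its primary key) has the pinned fingerprint $3.
# gpg --status-fd emits "[GNUPG:] VALIDSIG <subkey fpr> ... <primary fpr>"
# only for a good signature, so a bad or missing signature also fails here.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    sub=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    pri=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$sub" ] || { echo "$1: no valid signature"; return 1; }
    if fpr_equal "$sub" "$3" || fpr_equal "$pri" "$3"; then
        echo "$1: good signature from pinned key $(fpr_long_id "$3")"
    else
        echo "$1: valid signature, but from $sub, not the pinned key"
        return 1
    fi
}

# Demo on the fingerprint from the quick start.
fpr='00E5 2D6D 91C0 20D0 F596  2CC5 1E36 9C62 8F54 CA35'
echo "short id: $(fpr_short_id "$fpr")  long id: $(fpr_long_id "$fpr")"
fpr_equal "$fpr" 00e52d6d91c020d0f5962cc51e369c628f54ca35 && echo "same key despite spacing and case"
fpr_equal 8F54CA35 8F54CA35 || echo "a short ID is not a fingerprint, refusing to pin on it"
# With real files: verify_pinned crucial.tar.gz crucial.tar.gz.asc "$fpr"
```

The pinned fingerprint belongs in your script or deployment config, obtained once from the developers' published source; after that, a signature made with a different key that happens to be in your keyring is rejected even though gpg itself would print "Good signature" for it.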

Basic Key Management

After a while, you will probably have several keys in your ring. It’s easy to list them all:

gpg --list-keys

Should you lose trust in or contact with a person with a key in your ring, you’ll want to delete it:

gpg --delete-key 'myfriend@his.isp.net'

For further reading

To move beyond these simple instructions, consult the GnuPG Documentation.

Source: https://www.madboa.com/geek/gpg-quickstart/
