GPG and IRC
Hi, does anybody know if there is a tool which allows chatting on IRC using GPG encryption?
Tnx
http://code.google.com/p/mirc-gpg/ - for Windows
http://wiki.bitcoin-otc.com/wiki/GPG_au … PG_Preface
Edit: http://www.gnupg.org/related_software/frontends.html doesn't list IRC clients, but has some IM ones.
Last edited by karol (2013-09-22 16:40:09)
Similar Messages
-
I'm preparing a report on how to securely send files and documents to external partners. I have settled on running GPG and SFTP key authentication through command calls to the Batch UNIX server. Does anyone have any experience in setting this up directly in the web interface? I ask because if I understand correctly, OpenSSL is included in the Encryption pages as well as glue for PGP. Thanks for any info.
For non-interactive sftp you'll have to set up authentication keys. For doing that I think you need openssh and not just openssl.
You can possibly call your sftp scripts with system calls from inside an app engine.
OR
Open up PeopleBooks and go to
PeopleBooks > Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker > Using Listening Connectors and Target Connectors
and then scroll down to 'Working With the FTP Target Connector' -
Hi folks
Since my first thinkpad (too many years ago, it was a 760LD) I have had problems with scrolling in certain programs, for instance Live Messenger and irc programs such as KVirc. As I still do with the newest - a T400s...
I believe it is in the windows driver for trackpoint and touchpad as the problem isn't there when running Linux. Nor is it there if you use Remote Desktop in windows. This way you can use a thinkpad to control another thinkpad and then you can scroll in those programs...
But I have seen it work on other laptops - so why not with a Thinkpad too?
Otherwise I am very pleased with the Thinkpads and I think the T400s feels like something that may have had IBM stamped on it too... so it is going to replace my trusted T41 that has traveled most of the world and never missed a beat so: Thank you Lenovo - keep up the good work - and please solve the above at a time convenient for you
Best regards from Denmark
Tina
I have this issue regularly inside: Mail.app, Preview.app and Finder.app - It occurs independently of each app. (E.g. one may still allow scrolling while another is "frozen".)
Additionally Preview.app does not snap to pages correctly as per 10.8
The immediate work around is to manually click on the scroll handle and move it, this seems to restore the functionality. Additionally, sometimes a subtle visual glitch is present, with the scroll handle being moved slightly to the right. (As if it's stuck in this position.)
Hardware & Software
Mid 2010 Mac Pro, 2x2.4 Quad Xeon, 24GB 1066MHz DDR3, ATI Radeon HD 5770 1GB, 10.9 (13A603)
Magic Mouse A1296 -
[solved]partially working network, problems with ssl and irc
Hi,
for a weird reason I can't access any websites with https anymore, nor can I connect to any irc servers with irssi, and connection attempts with ssh time out. The system is up to date and I am using kdemod as DE.
My rc.conf looks like this:
# /etc/rc.conf - Main Configuration for Arch Linux
# LOCALIZATION
# LOCALE: available languages can be listed with the 'locale -a' command
# HARDWARECLOCK: set to "UTC" or "localtime", any other value will result
# in the hardware clock being left untouched (useful for virtualization)
# TIMEZONE: timezones are found in /usr/share/zoneinfo
# KEYMAP: keymaps are found in /usr/share/kbd/keymaps
# CONSOLEFONT: found in /usr/share/kbd/consolefonts (only needed for non-US)
# CONSOLEMAP: found in /usr/share/kbd/consoletrans
# USECOLOR: use ANSI color sequences in startup messages
LOCALE="de_DE.utf8"
HARDWARECLOCK="localtime"
TIMEZONE="Europe/Berlin"
KEYMAP="de"
CONSOLEFONT=
CONSOLEMAP=
USECOLOR="yes"
# HARDWARE
# MOD_AUTOLOAD: Allow autoloading of modules at boot and when needed
# MOD_BLACKLIST: Prevent udev from loading these modules
# MODULES: Modules to load at boot-up. Prefix with a ! to blacklist.
# NOTE: Use of 'MOD_BLACKLIST' is deprecated. Please use ! in the MODULES array.
MOD_AUTOLOAD="yes"
#MOD_BLACKLIST=() #deprecated
MODULES=(!b44 !mii !ipw2200 !libipw !ac97_bus !snd-mixer-oss !snd-pcm-oss !snd-page-alloc !snd-pcm !snd-timer !snd !snd-ac97-codec !snd-intel8x0 !snd-intel8x0m !soundcore b44 mii ipw2200 libipw ac97_bus snd-mixer-oss snd-pcm-oss snd-page-alloc snd-pcm snd-timer snd snd-ac97-codec snd-intel8x0 snd-intel8x0m soundcore)
# Scan for LVM volume groups at startup, required if you use LVM
USELVM="no"
# NETWORKING
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
HOSTNAME="horst-lp"
# Use 'ifconfig -a' or 'ls /sys/class/net/' to see all available interfaces.
# Interfaces to start at boot-up (in this order)
# Declare each interface then list in INTERFACES
# - prefix an entry in INTERFACES with a ! to disable it
# - no hyphens in your interface names - Bash doesn't like it
eth0="dhcp"
# Wireless: See network profiles below
#Static IP example
#eth0="dhcp"
eth0="dhcp"
INTERFACES=(!eth0 !eth1 !wlan0)
# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
# - prefix an entry in ROUTES with a ! to disable it
gateway="default gw 192.168.0.1"
ROUTES=(!gateway)
# Enable these network profiles at boot-up. These are only useful
# if you happen to need multiple network configurations (ie, laptop users)
# - set to 'menu' to present a menu during boot-up (dialog package required)
# - prefix an entry with a ! to disable it
# Network profiles are found in /etc/network.d
# This now requires the netcfg package
#NETWORKS=(main)
# DAEMONS
# Daemons to start at boot-up (in this order)
# - prefix a daemon with a ! to disable it
# - prefix a daemon with a @ to start it up in the background
DAEMONS=(syslog-ng hal !network networkmanager avahi-daemon avahi-dnsconfd alsa cdemud kdm samba mpd lighttpd)
Earlier I had some problems with not resolving addresses, which I somehow got rid of. At the time I blamed my ISP.
Perhaps something broke when I had a program running in wine to play with a car too and I had to switch the laptop off because it didn't want to react anymore.
Thanks for reading
e: I don't know why, but it worked when I started Arch this morning.. while it didn't yesterday although everything worked correctly on my other PCs.
Last edited by dt (2009-11-07 09:02:46) -
Hi, I am currently using the usb tethering on my ubuntu desktop (this also happened on a win8 desktop), where the data network will be locked down when opening 3 to 4 tab pages in 3-4 seconds or requesting a large amount of data traffic (i.e. downloading a movie).
This lockdown will be recovered only after a few minutes (4 minutes at least) when there are no more requests made.
OR reboot the phone again.
This doesn't affect receiving calls, only the data network is locked down
I do see this is a software problem, as I have asked for an exchange for the phone and the same thing happened again.
Does anyone get the same problem as i experienced?
The firmware is v.114
Thanks for help
Hi z1CUser
Based on your information, I believe there is no problem with the phone, since even the second phone is doing the same thing as the first. What I can suggest is:
> Check with a different phone if possible and see whether it does the same; in case 'Yes', then it might be the internet connection, I believe. You can give a call to the Internet Service Provider, stating the issue faced on 2 different phones.
> If possible, refresh the router and try to connect again.
> Last, you can try to restore the phone once.
Manjuboyz
NOTE:
Rate me(Kudos) If you are happy with my Resolution, Thanks -
Programs that work with Alltel and Suddenlink are no longer working with VERIZON (IRC)
I have worked this issue TO DEATH already and am getting FED UP!
I have been polite and nice and called customer support to get very short and not very explicit answers to this issue.
Complaint #1: When I call technical support and ask questions more complicated than "How do I plug in my computer?" they inform me they are transferring me to TECHNICAL support. Okay, so who did I call in the first place if not tech support?
Problem: IRC ( Internet Relay Chat) Is one of the main things that I enjoy doing online. Some do games, some do work. I do it all through my little IRC program. When I was with Alltel and had my little blackberry pearl. I could even get onto irc just fine that way. Getting on via a cell phone is kind of a pain. Small keyboard and lots of typing isn't my idea of that relaxing but.. okay whatever at least I could get on. Since Alltel became Verizon I was told to upgrade my phone to the brand new Blackberry Curve. Well now IRC didn't work. I upgraded to the LG Vortex. Now it works on my phone. So I upgraded my wireless card too and IRC worked just fine for a long time. NOW we are back to the same old same old.
For those of you not familiar with the program just wiki it. I have been told by NUMEROUS customer support reps that this program is not being blocked so this is the list of things I went through to make sure it was indeed NOT me or my computer.
Step 1: System restored before most recent updates to the last date that it was working.
NO GO
Step 2: Disabled firewall and virus software temporarily and even turned down my security on my browser
NO GO
Step 3: Re updated my computer and updated my firmware on my MIFI2200 card.
No go
Step 4-7 Called customer Support
NOPE.
Still waiting. I am paying for a service that is not providing. My entire family was with Alltel and is now with Sprint. I just keep asking myself why am I still with Verizon when all we ever do is fight. I hate to admit it to the kids but I think it's time for a divorce from you if we can't get this issue resolved. Before upgrading to these devices I even asked store reps if irc programs would work and they assured me " OH YES! With these new upgrades things will be better than ever!"
I realize to some this seems like not a very big deal, but when I am paying for a service so that I can come home, relax, maybe take a few art commissions while chatting on irc, and all of a sudden I either can't use it or can use it when I couldn't before, it's amazingly frustrating. I have taken my computer over to other people's houses to see if turning my security all the way back up as well as my firewall made a difference, but on any provider OTHER than verizon I can connect just fine.
Tell me WHY Verizon. Tell me why you either can't fix this.. or won't fix this.
Security issues? That's my problem. If I want to connect to a DNS server based program that connects via different ports.. that should be MY decision. You should NOT get to make that choice for me.
It's amazing, I went to the customer support for IRC and they told me that Verizon doesn't allow you to use IRC. I have checked NUMEROUS boards and discussion forums only to have them tell me that VERIZON does NOT allow you to use IRC. However when I talk to Verizon they say "No, it must be you.." Well I am not taking that excuse anymore. I've done my share of work on this problem. Now it's your turn. Sorry to be rude.. but I paid for the mIRC program, and take artwork commissions over it as well. I probably pay more for verizon's service than I would with sprint (so says the rest of the family).
Please give me some real answers and real tech support.
Thanks for any help.
I choose option 3. The moment I talk to them about anything more complicated than the bare basics of getting connected they tell me they will transfer me to "tech support." Very frustrating lol. I always wonder who I was on the phone with prior to that because it says Tech support but clearly there must be different levels of their support lines. Sometimes I get someone who will talk and work with me, but generally I get someone who says "Okay I have down your issue and I'll pass it along.." then they hang up. However I have been transferred twice in one sitting from "tech support" to Tech support. So I dunno. I think they don't have an answer and so they run me in circles.
-
System encryption using LUKS and GPG encrypted keys for arch linux
Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.
Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play a lot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
Intro
Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like a usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modified hook called "etwo" (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
Conventions
In this short guide, I use the following disk/partition names:
/dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
Credits
Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
Guide
1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the "core" version. Go ahead and boot the live cd, but don't start the setup yet.
2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid surprises with passphrases...
3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
shred -v /dev/sda
shred -v /dev/sdb
4. Partitioning
Fire up fdisk and create the following partitions:
/dev/sda1, type linux swap.
/dev/sda2: type linux
/dev/sda3: type linux
/dev/sdb1, type linux
Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decrypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
5. Format and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:
mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.
Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
6. Configure the network (if not already done automatically)
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
(this is just an example, your mileage may vary)
7. Install gnupg
pacman -Sy
pacman -S gnupg
Verify that gnupg works by launching gpg.
8. Create the keys
Just to be sure, make sure swap is off:
cat /proc/swaps
should return no entries.
Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
Choose a strong password!!
Don't do this in two steps, e.g. don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
Note that the default cipher for gpg is cast5, I just chose to use a different one.
9. Create the encrypted devices with cryptsetup
Create encrypted swap:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
Important: From the Cryptsetup 1.1.2 Release notes:
Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
as normal binary file and no new line is interpreted.
if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
stop after new line is detected.
If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key being ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key, which would have big security implications. We should therefore ALWAYS pipe the key into cryptsetup using --key-file=-, which ignores newlines.
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
Check for any errors.
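The newline behaviour described above, as an added example that is not part of the original post: a small POSIX shell script (assumed to run on Linux with coreutils and awk) that counts how many bytes of a key file a terminal-style read would keep versus --key-file=-, using the post's "foo" illustration as a constructed sample and a fresh 2048-byte /dev/urandom key like the one the guide's dd command produces.

```shell
# Added example (not from the original post): how much of a LUKS key file
# survives when cryptsetup reads it as terminal input (stops at the first
# newline) versus as a binary key file (--key-file=-, every byte is used).

# Bytes a terminal-style read keeps: everything before the first newline.
terminal_mode_bytes() {
    first_line=$(head -n 1 "$1" | wc -c | tr -d ' ')
    total=$(wc -c < "$1" | tr -d ' ')
    last_is_newline=$(tail -c 1 "$1" | wc -l | tr -d ' ')
    if [ "$first_line" -lt "$total" ] || [ "$last_is_newline" -eq 1 ]; then
        # The first line was terminated by a newline, which is not part of the key.
        echo $((first_line - 1))
    else
        # No newline at all: the whole file is used.
        echo "$first_line"
    fi
}

# Bytes --key-file=- keeps: the whole file, newlines included.
binary_mode_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Probability that a key of N uniformly random bytes contains at least one
# newline (0x0a): 1 - (255/256)^N, printed with four decimals.
newline_probability() {
    awk -v n="$1" 'BEGIN { printf "%.4f\n", 1 - (255/256)^n }'
}

# Constructed sample key built from the post's own example: "foo", a newline,
# then the rest of the key material (33 bytes in total).
write_sample_key() {
    printf 'foo\nandsomemorebaratheendofthekey' > "$1"
}

# Demo on the constructed sample and on a real 2048-byte random key.
demo() {
    tmp=$(mktemp -d)
    write_sample_key "$tmp/sample.key"
    dd if=/dev/urandom bs=512 count=4 of="$tmp/random.key" 2>/dev/null
    for f in sample random; do
        echo "$f: terminal-style read keeps $(terminal_mode_bytes "$tmp/$f.key") of $(binary_mode_bytes "$tmp/$f.key") bytes"
    done
    echo "P(2048 random bytes contain a newline) = $(newline_probability 2048)"
    rm -rf "$tmp"
}

demo
```

On almost every run the random key is cut short, often to a few hundred bytes and occasionally to a handful, which is why the guide insists on --key-file=-.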
10. Open the luks devices
gpg -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda2 var
If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s)), select "3 - Manually Configure block devices, filesystems and mountpoints". Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose "yes" when asked "do you want to have this filesystem (re)created") EXCEPT for /dev/sdb1, choose "no". Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
Select DONE to start formatting.
At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
Start step 6 (Install packages).
Go to step 7 (Configure System).
Be sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
Edit /etc/fstab:
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1
Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:
kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
Don't forget the :root suffix in cryptdevice!
Also, my root line was set to (hd1,0). Had to change that to
root (hd0,0)
Install grub to /dev/sdb (the usb stick).
Now, we can exit the installer.
12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:
#!/usr/bin/ash
run_hook() {
    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        if [ ! -e "/dev/mapper/control" ]; then
            /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
        fi
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
        # Get keyfile if specified
        ckeyfile="/crypto_keyfile"
        usegpg="n"
        if [ "x${cryptkey}" != "x" ]; then
            ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
            ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
            ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
            if poll_device "${ckdev}" ${rootdelay}; then
                case ${ckarg1} in
                    *[!0-9]*)
                        # Use a file on the device
                        # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                        # A .gpg extension marks a gpg-encrypted key file
                        if [ "${ckarg2#*.}" = "gpg" ]; then
                            ckeyfile="${ckeyfile}.gpg"
                            usegpg="y"
                        fi
                        mkdir /ckey
                        mount -r -t ${ckarg1} ${ckdev} /ckey
                        dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
                        umount /ckey
                        ;;
                    *)
                        # Read raw data from the block device
                        # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                        dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
                        ;;
                esac
            fi
            [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
        fi
        if [ -n "${cryptdevice}" ]; then
            DEPRECATED_CRYPT=0
            cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
            cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
        else
            DEPRECATED_CRYPT=1
            cryptdev="${root}"
            cryptname="root"
        fi
        warn_deprecated() {
            echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
            echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
        }
        if poll_device "${cryptdev}" ${rootdelay}; then
            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                dopassphrase=1
                # If keyfile exists, try to use that
                if [ -f ${ckeyfile} ]; then
                    if [ "${usegpg}" = "y" ]; then
                        # gpg tty fixup: gpg needs a tty to ask for the passphrase
                        if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
                        cp -a /dev/console /dev/tty
                        # Retry until the mapping exists (e.g. after a mistyped passphrase)
                        while [ ! -e /dev/mapper/${cryptname} ]; do
                            sleep 2
                            # --key-file=- makes cryptsetup read stdin as a binary key file,
                            # so newlines in the decrypted key do not end the input.
                            # eval is needed so that ${CSQUIET} acts as a redirection.
                            eval "/usr/bin/gpg -d \"${ckeyfile}\" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}"
                            dopassphrase=0
                        done
                        rm /dev/tty
                        if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
                    else
                        if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                            dopassphrase=0
                        else
                            echo "Invalid keyfile. Reverting to passphrase."
                        fi
                    fi
                fi
                # Ask for a passphrase
                if [ ${dopassphrase} -gt 0 ]; then
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                    # loop until we get a real password
                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                        sleep 2;
                    done
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            elif [ -n "${crypto}" ]; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                msg "Non-LUKS encrypted device found..."
                # Count the colon-separated fields of crypto= (exactly 5 expected);
                # run_hook itself takes no arguments, so $# cannot be used here.
                nfields=$(IFS=:; set -- ${crypto}; echo $#)
                if [ "${nfields}" -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
                tmp=$(echo "${crypto}" | cut -d: -f1)
                [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f2)
                [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f3)
                [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f4)
                [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f5)
                [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
                if [ -f ${ckeyfile} ]; then
                    exe="${exe} --key-file ${ckeyfile}"
                else
                    exe="${exe} --verify-passphrase"
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                fi
                eval "${exe} ${CSQUIET}"
                if [ $? -ne 0 ]; then
                    err "Non-LUKS device decryption failed. verify format: "
                    err " crypto=hash:cipher:keysize:offset:skip"
                    exit 1
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            else
                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= parameter was not specified."
            fi
        fi
        # Never leave the (decrypted or encrypted) key material behind in the initramfs
        rm -f ${ckeyfile}
    fi
}
Create /mnt/lib/initcpio/install/etwo:
#!/bin/bash
build() {
    local mod
    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi
    add_dir "/dev/mapper"
    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_binary "/usr/bin/gpg"
    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
    # Without this the hook's run_hook is never copied into the image
    add_runscript
}

help() {
    cat <<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
}
Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
MODULES="ext2 ext4" # not sure if this is really necessary.
BINARIES="/usr/bin/gpg" # this could probably be done in install/etwo...
HOOKS="base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems" # (usbinput is only needed if you have a usb keyboard)
Copy the initcpio stuff over to the live cd:
cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/
Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
Now reinstall the initcpio:
mkinitcpio -g /mnt/boot/kernel26.img
Make sure there were no errors and that all hooks were included.
13. Decrypt the "var" key to the encrypted root
mkdir /mnt/keys
chmod 500 /mnt/keys
gpg --output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var
14. Setup crypttab
Edit /mnt/etc/crypttab:
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2 /keys/var
15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using UUIDs instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
Last edited by fabriceb (2013-01-15 22:36:23)
I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
Decrypting the gpg key after grub works, but then "Device root already exists." appears every second.
Any idea?
#!/bin/bash
# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
# prereqs:
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src
set -o nounset
#set -o errexit
# Host specific configuration
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user
# Globals
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.
INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
# Functions
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step
# procedures even with minor duplciations along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.
SetValue () {
# EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
}
CommentOutValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
}
UncommentValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
}
# Initialize
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
# 1. The Archboot installation image might have an out of date kernel
# (currently the case) which results in problems when chrooting
# into the install mount point to modprobe efivars. So we use the
# package snapshot on the Archboot media to ensure our kernel is
# the same as the one we booted with.
# 2. Ideally we'd source all local then, but some critical items,
# notably grub2-efi variants, aren't yet on the Archboot media.
# Warn
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
sleep 1
let timer-=1
echo -en "$timer seconds..."
done
echo "STARTING"
# Get Network
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."
# Mount packages squashfs images
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"
mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"
modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
# Create temporary pacman.conf file
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg
[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF
# Prepare pacman
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy
# Install prereqs from network (not on archboot media)
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
# Configure Host
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.
echo -e "format\n"
# shred -v /dev/sda
# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0
# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 4GB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0
# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0
echo -e "create gpg file\n"
# create gpg file
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
echo -e "format LUKS on root\n"
# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
echo -e "open LUKS on root\n"
gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1
echo -e "mount targets\n"
# mount target (the mount point has to exist before anything is mounted on it)
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
mkdir -p ${INSTALL_TARGET}
mount /dev/mapper/root ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
# Install base, necessary utilities
mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64
# Configure new system
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
# write fstab
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/cryptswap none swap defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
FSTAB_EOF
# write etwo
mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/
cp /src/etwo_hooks /lib/initcpio/hooks/etwo
cp /src/etwo_install /lib/initcpio/install/etwo
mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
# write crypttab
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
# copy configs we want to carry over to target from install environment
mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
# mount proc, sys, dev in install root
mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev
echo -e "umount boot\n"
# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot
# Create install_efi script (to be run *after* chroot /install)
touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
echo -e "mount boot\n"
# remount here or grub et al gets confused
mount -t vfat /dev/sda1 /boot
# mkinitcpio
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
mkinitcpio -p linux
# kernel modules for EFI install
modprobe efivars
modprobe dm-mod
# locale-gen
UncommentValue de_AT /etc/locale.gen
locale-gen
# install and configure grub2
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64
# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
# create our EFI boot entry
# bug in the HP bios firmware (F.08)
efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub
# generate config file
grub-mkconfig -o /boot/grub/grub.cfg
exit
EFI_EOF
# Install EFI using script inside chroot
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi
# Post install steps
# anything you want to do post install. run the script automatically or
# manually
touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
# root password
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd
# add user
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}
# mirror ranking
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
# temporary fix for locale.sh update conflict
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
# additional groups and utilities
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt
# sudo
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
# power
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local
# time
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
# wireless (wpa supplicant should already be installed)
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
# sound
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
# video
pacman --noconfirm -S base-devel mesa mesa-demos
# x
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
# TODO: wacom
# environment/wm/etc.
#pacman --noconfirm -S xfce4 compiz ccsm
#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
#pacman --noconfirm -S ghc
# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# switching to cabal
# fonts
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
# and create the sym link from /etc/fonts/conf.avail to conf.d
# misc apps
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll
POST_EOF
# Post install in chroot
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install
# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/
# NOTES/TODO -
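Before the reboot in step 15 of the guide, or before the script above hands off to its chroot stage, the three things most likely to leave you at an initramfs prompt are a key file with loose permissions, a crypttab entry whose key path does not exist under the target root, and an initramfs whose encrypt hook is listed after filesystems. The check below is an added example, not code from either post: it runs against a staging root (/mnt in the guide, /install in the script; here a temp dir filled with constructed sample files), assumes the old `<name> <device> <password> <options>` crypttab layout and the quoted `HOOKS="..."` mkinitcpio format that both posts use, and its device-name warning restates the guide's own advice to prefer UUIDs.

```shell
#!/bin/sh
# Added example (not code from the forum posts): pre-reboot sanity check for the
# crypttab / mkinitcpio.conf / key-file combination that the guide (steps 12-14)
# and the install script write. ROOT is the staging root (/mnt or /install in
# practice; a temp dir filled with constructed sample files here).
set -u

# check_key_mode FILE -> 0 if FILE exists and is mode 0400 (-r--------).
check_key_mode() {
    [ -f "$1" ] || { echo "error: key file $1 is missing"; return 1; }
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ] || {
        echo "error: $1 is $mode, expected -r-------- (chmod 400)"; return 1; }
}

# check_crypttab CRYPTTAB ROOT -> 0 if every key-file entry points at a file
# under ROOT with mode 0400; prints one line per finding. Layout is the old
# "<name> <device> <password> <options>" form used by both posts.
check_crypttab() {
    crypttab=$1 root=$2 errors=0
    while read -r name device password options; do
        case $name in ''|'#'*) continue ;; esac
        case $device in
            /dev/sd*) echo "warn: $name: device name $device may change, consider a UUID" ;;
        esac
        case $password in
            SWAP|ASK) ;;                       # random key at boot / passphrase prompt
            /*) check_key_mode "$root$password" || errors=$((errors + 1)) ;;
            *)  echo "error: $name: unexpected password field '$password'"
                errors=$((errors + 1)) ;;
        esac
    done < "$crypttab"
    [ "$errors" -eq 0 ]
}

# check_hooks_order MKINITCPIO_CONF -> 0 if HOOKS="..." lists encrypt before
# filesystems (otherwise the root mapping does not exist when root is mounted).
check_hooks_order() {
    hooks=$(sed -n 's/^HOOKS="\(.*\)"$/\1/p' "$1")
    enc=0 fs=0 i=0
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = encrypt ] && enc=$i
        [ "$h" = filesystems ] && fs=$i
    done
    [ "$enc" -gt 0 ] && [ "$fs" -gt "$enc" ]
}

# make_sample ROOT: constructed staging root mirroring the guide's layout.
make_sample() {
    mkdir -p "$1/keys" "$1/etc"
    printf 'constructed key material, not a real key\n' > "$1/keys/var"
    chmod 400 "$1/keys/var"
    cat > "$1/etc/crypttab" <<'EOF'
# <name> <device> <password> <options>
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var  /dev/sda2 /keys/var
EOF
    cat > "$1/etc/mkinitcpio.conf" <<'EOF'
MODULES="dm_mod dm_crypt aes_x86_64 ext4 vfat"
BINARIES="/usr/bin/gpg"
HOOKS="base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems"
EOF
}

# Self-demo on a constructed root; pass a real staging root as $1 to check it.
root_dir=${1:-}
if [ -z "$root_dir" ]; then
    root_dir=$(mktemp -d)
    make_sample "$root_dir"
    cleanup=yes
else
    cleanup=no
fi
check_hooks_order "$root_dir/etc/mkinitcpio.conf" && echo "ok: encrypt runs before filesystems"
check_crypttab "$root_dir/etc/crypttab" "$root_dir" && echo "ok: crypttab key files present and mode 400"
[ "$cleanup" = yes ] && rm -rf "$root_dir"
```

Run it as `sh check-crypt.sh /mnt` (or `/install` for the script) after step 14 and before rebooting; the SWAP entry is accepted without a key file because the hook generates a random key at every boot, which is exactly why a shifting /dev/sdX name on that entry is worth a warning.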
Help with gpg-agent, ssh, and pinentry-curses
I use gpg-agent to manage my ssh keys, and for a system that I regularly ssh into, I would like to use pinentry-curses instead of the default pinentry-gtk-2. However, this doesn't work.
Specifically, I start gpg-agent using script from the arch wiki, /etc/profile.d/gpg-agent.sh:
if [ $EUID -ne 0 ] ; then
envfile="$HOME/.gnupg/gpg-agent.env"
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
eval "$(cat "$envfile")"
else
eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
export SSH_AUTH_SOCK # enable gpg-agent for ssh
fi
and have the following config files
~/.gnupg/gpg-agent.conf:
# Keyboard control
no-grab
# PIN entry program
pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-qt4
#pinentry-program /usr/bin/pinentry-kwallet
#pinentry-program /usr/bin/pinentry-gtk-2
~/.gnupg/gpg.conf:
use-agent
~/.bashrc:
GPG_TTY=$(tty)
export GPG_TTY
Whenever I attempt to ssh using the key that's already been added to gpg-agent, I get the following message:
Agent admitted failure to sign using the key.
Permission denied (public key).
If I change my ~/.gnupg/gpg-agent.conf file to the following:
# Keyboard control
#no-grab
# PIN entry program
#pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-qt4
#pinentry-program /usr/bin/pinentry-kwallet
pinentry-program /usr/bin/pinentry-gtk-2
then everything works fine, and I'm prompted for my passphrase when using ssh.
I've read posts having to do with a similar issue:
https://bbs.archlinux.org/viewtopic.php?id=138546
https://bugs.archlinux.org/task/29156
It looks like the difference between those and my issue is that I'm using ssh, not just gpg, and I'm not using su. In fact, if I have pinentry-curses set in gpg-agent.conf, and I try to use gpg to encrypt and decrypt a file, everything works fine. The file encrypts, and when decrypting, I am prompted by pinentry-curses for my passphrase. It's just ssh combined with pinentry-curses that gives me troubles.
I think it actually is the tty capability bug that's biting you...try adding '--without-libcap' to the pinentry-curses PKGBUILD from ABS (/var/abs/core/pinentry/) and rebuilding the package.
Scott -
[SOLVED] gpg-agent and the magical passphrase
Hey fellas,
I encountered a strange problem. I just copied my gpg and my ssh keys to my laptop
to use them with gpg-agent.
So I setup gpg-agent as described in the wiki, did a ssh-add, entered my ssh-key and
specified a new passphrase (test). "ssh-add -l" looked good, but ...
After that I tried to ssh to some of my servers, gpg-agent asked for the passphrase, but it seemed I mistyped "test" .... mistyped it again .... and so on, I tried every fuckin password I got, re-added the key etc.
But nothing helped, even the debug-level guru wasn't helpful.
What could be wrong?
Best regards,
b52
Last edited by b52 (2010-02-15 14:55:04)
I got the same problem.
Tried a lot but nothing worked.
ssh-add asks for the passphrase of the key and after this for the passphrase for the keyring through my pinentry program.
But after re-entering the passphrase it won't work.
Seems to be a bug!?
(PS: I am using Gentoo) -
Canon IR 3025 and Canon IRc 3225 paper jamming issue in the Fixing Unit.
I am facing frequent paper jamming issues in the fixing unit in my IR 3025 and IRc 3225 copiers. I have tried changing my Teflon and also the fuser grease. Spoke to my support engineer and he had suggested me that it's the grease or teflon that's creating the problem. Could somebody tell me the right teflon and grease to be used in the same.
Also, please guide me how to check if the teflon is nice or bad? And what's the brand of teflon and grease actually used in these machines by Canon itself.
Nathaniel Mccance wrote:
In the interest of curiosity, I created a document in InDesign CS4 to see if I could choose "Tab Paper (Letter)" and, lo and behold, there it was in the Adobe print "Setup" dialog box (but is peculiarly missing from the OS X "Page Setup" dialog box).
Tried ID CS4 also and could see the same paper sizes. CS4 must be referencing the different section of the PPD compared to OS X's page setup.
For some reason, InDesign CS5 does not see "Tab Paper (Letter)" as a Paper Size option.
Don't have CS5 to confirm this but if it is relying more on the OS X print system rather than doing it own thing, which CS4 and earlier certainly did, then this makes some sense.
One of the concerns I have with using the method prescribed by you is that when the page area is rasterized to the printer, it may cut off the image at the edge of the tabs that is not included in the "Letter" page size.
Understood but it is worth trying. I could only see this as an issue if you were trying to print on the tab ear. -
How do I configure Kwallet to manage SSH and GPG keys? [SOLVED]
I'm using a select few KDE programs (not the DE) such as Kontact (and with that KMail, Korganizer, Kaddressbook...) and Kwallet. I've got a GPG and an SSH key which I need in Git to sign commits and push. I'd like to have Kwallet manage ALL of these passwords/passphrases, (e-mail, SSH, GPG) and only be prompted for a password to unlock my wallet once per session - or better yet, have the wallet unlocked by logging in (like the keychain in OS X). I'm currently using SLiM (systemd, slim.service) as the login manager. I had a glance at this tutorial for inspiration but to no success...
This is my ~/.xinitrc:
#!/bin/sh
if [ -d /etc/X11/xinit/xinitrc.d ]; then
for f in /etc/X11/xinit/xinitrc.d/*; do
[ -x "$f" ] && . "$f"
done
unset f
fi
# Hide mouse cursor when idle
unclutter -idle 4 &
# Background image
hsetroot -fill $HOME/img/08.jpg &
# Window manager
xmonad
This is my ~/.zprofile (failed attempt, fake GPG-key name)
#!/bin/sh
# Load keychain to handle ssh and gpg keys
export SSH_ASKPASS=/usr/bin/ksshaskpass
eval `keychain --eval id_rsa 1234ABCD`
$HOME/.keychain/`hostname`-sh
$HOME/.keychain/`hostname`-sh-gpg
This is my ~/.gnupg/gpg.conf (commented lines not included)
no-greeting
require-cross-certification
charset utf-8
keyserver hkp://keys.gnupg.net
Last edited by totte (2012-10-25 10:49:52)
No success so far, really, need more ideas.
Neither of /etc/kde/env/{gpg,ssh}-agent-startup.sh seems to be run by anything automatically on my system upon boot and logging in. I tried going back to the beginning and I got GPG working alright, when signing a commit I was automatically authenticated. SSH however still prompts me by CLI to enter my passphrase when I try to git-push or ssh into a server. I set an empty password for the wallet to have it "unlocked by logging in". I thought setting "export SSH_ASKPASS='/usr/bin/ksshaskpass'" in ~/.zprofile would have it prompt for the password in some manner of Qt window related to Kwallet, but apparently it doesn't. In top both ssh-agent and gpg-agent are displayed as running - but if I run gpg-agent in Konsole I get the output "gpg-agent: no gpg-agent running in this session", ssh-agent on the other hand outputs "SSH_AUTH_SOCK=/tmp/ssh-noaDS3C4AP8M/agent.1830; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1831; export SSH_AGENT_PID;
echo Agent pid 1831;".
Here's my ~/.zprofile, ~/.xinitrc, ~/.gnupg/gpg.conf, ~/.gnupg/gpg-agent.conf and ~/.zshrc (probably irrelevant but included anyway):
~/.zprofile
export EDITOR='vim'
export GIT_EDITOR='vim -fg'
export GPG_TTY=$(tty)
export GREP_COLOR='1;34'
export GREP_OPTIONS='--color=auto'
export LANG='en_GB.UTF-8'
export PAGER='less'
export PINENTRY='/usr/bin/pinentry-kwallet'
export SSH_ASKPASS='/usr/bin/ksshaskpass'
export VISUAL='vim'
~/.xinitrc
#!/bin/sh
if [ -d /etc/X11/xinit/xinitrc.d ]; then
for f in /etc/X11/xinit/xinitrc.d/*; do
[ -x "$f" ] && . "$f"
done
unset f
fi
# Kwallet
kwalletd &
# Keychain (SSH & GPG)
eval `keychain --eval id_rsa 1234ABCD` &
# Hide mouse cursor when idle
unclutter -idle 4 &
# Background image
hsetroot -fill $HOME/img/08.jpg &
# Akonadi
akonadictl start &
# Music Player Daemon
mpd &
# Window manager
xmonad
~/.gnupg/gpg.conf
no-greeting
require-cross-certification
charset utf-8
keyserver hkp://keys.gnupg.net
use-agent
~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-kwallet
no-grab
~/.zshrc (probably irrelevant)
# PATH
# System executables
PATH0="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin"
# My executables
PATH1="$HOME/bin"
export PATH="$PATH0:$PATH1"
# COLOURS
autoload colors; colors;
eval "`dircolors -b ~/.dircolorsrc`"
# GENERAL
HISTFILE=$HOME/.zsh_history
HISTSIZE=10000
SAVEHIST=10000
setopt append_history
setopt extended_history
setopt hist_expire_dups_first
setopt hist_ignore_dups
setopt hist_ignore_space
setopt hist_verify
setopt inc_append_history
setopt share_history
setopt prompt_subst
setopt correctall
setopt auto_menu
setopt complete_in_word
setopt always_to_end
setopt extendedglob
# ALIASES
alias rezsh='. ~/.zshrc'
alias _='sudo '
alias l='ls -lh --color'
alias la='ls -lAh --color'
alias -- -='cd -'
alias ..='cd ..'
alias df='df -h'
alias g='git'
alias tmux='tmux attach'
alias cp='cp -v'
alias mv='mv -v'
alias rm='rm -v'
alias rmdir='rmdir -v'
alias d='dirs -v'
bu(){cp -v $1 ${1}.backup}
cmds(){history | awk '{print $2}' | sort | uniq -c | sort -rn | head}
md(){mkdir -p $1; cd $1}
# OS-specific aliases
if [[ $(uname) == "Darwin" ]]; then
# Mac OS X
alias pkgs='port search' # Search
alias pkgi='sudo port install' # Install
alias pkgu='sudo port selfupdate && sudo port upgrade outdated' # Update & Upgrade
alias pkgr='sudo port uninstall --follow-dependencies' # Remove package and unused dependencies
alias pkgl='port installed' # List installed packages
alias python='/usr/local/bin/python3'
alias pip='pip-3.2'
alias pips='pip-3.2 search'
alias pipi='pip-3.2 install'
alias pipu='pip-3.2 install -U'
alias pipr='pip-3.2 uninstall'
alias pipl='pip-3.2 freeze'
alias v='mvim'
elif [[ $(uname) == "Linux" ]]; then
alias pips='pip search'
alias pipi='pip install'
alias pipu='pip install -U'
alias pipr='pip uninstall'
alias pipl='pip freeze'
alias v='vim'
case $(lsb_release -d | cut -f2 | cut -d " " -f1) in
(Arch) # Arch Linux
alias equa='alsamixer -D equal'
alias pkgs='pacman -Ss' # Search
alias pkgi='sudo pacman -S' # Install
alias pkgu='sudo pacman -Syu' # Update & Upgrade
alias pkgr='sudo pacman -Rns' # Remove package, configuration backups and unused dependencies
alias pkgl='pacman -Q' # List installed packages
alias pkgd='whoneeds' # List packages depending on specified package
alias poweroff='sudo systemctl poweroff'
alias reboot='sudo systemctl reboot'
alias nw='wicd-curses'
;;
(Debian|Ubuntu) # Debian and Ubuntu
alias pkgs='aptitude search' # Search
alias pkgi='sudo aptitude install' # Install
alias pkgu='sudo aptitude update && sudo aptitude upgrade' # Update & Upgrade
alias pkgr='sudo aptitude purge' # Remove package, configuration files and unused dependencies
alias pkgl='aptitude search -F "%p" "~i"' # List installed packages
alias reboot='sudo shutdown -r now'
alias shutdown='sudo shutdown -h now'
;;
esac
fi
# Host-specific aliases
if [[ ${HOST:r} == "betre" ]]; then
alias poff='sudo /sbin/write-magic 0xdeadbeef && sudo /sbin/reboot'
fi
# TAB COMPLETION
autoload compinit
compinit
# Case-insensitive (all),partial-word and then substring completion
zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
zstyle ':completion:*:*:*:*:*' menu select
zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
cdpath=(.)
# Use /etc/hosts and known_hosts for hostname completion
[ -r /etc/ssh/ssh_known_hosts ] && _global_ssh_hosts=(${${${${(f)"$(</etc/ssh/ssh_known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
[ -r ~/.ssh/known_hosts ] && _ssh_hosts=(${${${${(f)"$(<$HOME/.ssh/known_hosts)"}:#[\|]*}%%\ *}%%,*}) || _ssh_hosts=()
[ -r /etc/hosts ] && : ${(A)_etc_hosts:=${(s: :)${(ps:\t:)${${(f)~~"$(</etc/hosts)"}%%\#*}##[:blank:]#[^[:blank:]]#}}} || _etc_hosts=()
hosts=(
"$_global_ssh_hosts[@]"
"$_ssh_hosts[@]"
"$_etc_hosts[@]"
`hostname`
localhost
)
zstyle ':completion:*:hosts' hosts $hosts
# KEYBINDINGS
bindkey '^[[A' history-beginning-search-backward
bindkey '^[[B' history-beginning-search-forward
bindkey "^[[H" beginning-of-line
bindkey "^[[1~" beginning-of-line
bindkey "^[OH" beginning-of-line
bindkey "^[[F" end-of-line
bindkey "^[[4~" end-of-line
bindkey "^[OF" end-of-line
# Make the delete key (or Fn + Delete on the Mac) work instead of outputting a ~
bindkey '^?' backward-delete-char
bindkey "^[[3~" delete-char
bindkey "^[3;5~" delete-char
bindkey "\e[3~" delete-char
# TITLES
tmux_title="%16<..<%~%<<"
term_tab_title="%m"
term_title="Terminal"
function title(){
if [[ "$TERM" == screen* ]]; then
print -Pn "\ek$tmux_title:q\e\\"
elif [[ $TERM == rxvt* ]] || [[ "$TERM_PROGRAM" == "iTerm.app" ]]; then
print -Pn "\e]2;$term_title:q\a"
print -Pn "\e]1;$term_tab_title:q\a"
fi
}
function title_precmd(){
title $tmux_title $term_tab_title $term_title
}
function title_preexec(){
emulate -L zsh
setopt extended_glob
local tmux_title=${1[(wr)^(*=*|sudo|ssh|-*)]}
title $tmux_title $term_tab_title $term_title
}
# ZSH VCS_INFO MODULE
autoload -Uz vcs_info
#zstyle ':vcs_info:*+*:*' debug true
zstyle ':vcs_info:*' enable git
zstyle ':vcs_info:git*' formats '%fon $(rou)%b%f%c%u%m'
zstyle ':vcs_info:git*' actionformats '%fon $(rou)%b%f:$(rou)%a%f%c%u%m'
zstyle ':vcs_info:git*:*' stagedstr ' (staged)'
zstyle ':vcs_info:git*:*' unstagedstr ' (unstaged)'
zstyle ':vcs_info:git*:*' get-revision true
zstyle ':vcs_info:git*:*' check-for-changes true
zstyle ':vcs_info:git*+set-message:*' hooks git-stash git-untracked
# Display count of stashed changes
function +vi-git-stash(){
local -a stashes
if [[ -s ${hook_com[base]}/.git/refs/stash ]] ; then
stashes=$(git stash list 2>/dev/null | wc -l)
if [[ $stashes > 1 ]] ; then
hook_com[misc]+=" (${stashes} stashes)"
else
hook_com[misc]+=" (${stashes} stash)"
fi
fi
}
# Display message if untracked files are present
function +vi-git-untracked(){
if [[ $(git rev-parse --is-inside-work-tree 2> /dev/null) == 'true' ]] && \
git status --porcelain | grep '??' &> /dev/null ; then
hook_com[unstaged]+=" (untracked files present)"
fi
}
function prompt_precmd(){
vcs_info
}
# PROMPT
# Root or user?
function rou(){
if [[ $UID -eq 0 ]] ; then
echo "%{$fg[magenta]%}"
else
echo "%{$fg[blue]%}"
fi
}
# Display ± if we're in a git repository and » at all other times
function prompt_character(){
git branch >/dev/null 2>/dev/null && echo '%{$fg[white]%}±%{$reset_color%}' && return
echo '%{$fg[white]%}»%{$reset_color%}'
}
# Set the prompt
function set_prompt(){
PROMPT="$(rou)%n %{$reset_color%}at $(rou)%m %{$reset_color%}in $(rou)%~ ${vcs_info_msg_0_}
%{$reset_color%}$(prompt_character) "
}
# HOOKS
autoload -U add-zsh-hook
add-zsh-hook preexec title_preexec
add-zsh-hook precmd title_precmd
add-zsh-hook precmd prompt_precmd
add-zsh-hook precmd set_prompt -
Weechat Highlight Monitor Script for IRC and Localhost (Bitlbee)
Hey guys.. I've been struggling with this one for some time now, thought I might as well get some feedback
So basically, I have the weechat plugin 'highmon.pl' and I have the Channel, Nick, and Message (when highlighted) output to conky on my desktop.
Now the part I can't figure out is how I can get the same scripts that do that to also output the highlights I get from my bitlbee session (which is open in a separate terminal window connected to localhost).
As long as I am in my home dir, I can get this to work for each individually, but I like to use tmux, with weechat in one tab and weechat --dir ~/.weechat/bitlbee in another, so I can watch my facebook chat and irc chat without having to log in and out of servers. But because my Bitlbee session is started in ~/.weechat/bitlbee my scripts no longer work...
Further to this, I've tried to modify them to work just in ~/.weechat/bitlbee but haven't succeeded there either...
OK, the scripts:
highmon_channel.sh
echo -e $(cat ~/.weechat/logs/perl.highmon.weechatlog | awk 'END{split($2,a,"#"); print a[2]}')
highmon_msg.sh
echo -e $(cat ~/.weechat/logs/perl.highmon.weechatlog | awk 'END{print $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18}')...
highmon_nick.sh
echo -e $(cat ~/.weechat/logs/perl.highmon.weechatlog | awk 'END{print $3}' | cut -f1 -d'>' | cut -f2 -d'<' | cut -f3 -d '!' )
these scripts get called by conky to output my highlighted message on the desktop..
If anyone knows how I can amend these scripts to also work with a weechat instance started in the directory ~/.weechat/bitlbee, that would rock my world.
[I tried changing the directories in these scripts to ~/.weechat/bitlbee/logs/perl.highmon.weechatlog ... that didn't really work though]
If anyone can tell me it's possible to connect to both freenode and localhost in the same weechat session I'd also be impressed!
You know how there is always just one more thing you'd like to do to your desktop... that one last thing that, if you achieved it, would make you relax and feel complete? This is that for me.
any help is much appreciated..
(for the record, I didn't write these scripts, I came across them throughout my life)
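As an added example (not the scripts from the post, and not highmon's own code), one POSIX shell script that reads the last line of every highmon log it is given, including the one under ~/.weechat/bitlbee, and prints the channel, nick and message of the most recent highlight. The line layout it parses is constructed from what the posted awk/cut commands pick apart (timestamp, server#channel, <nick>, message) and may need adjusting to the real log format.

```shell
#!/bin/sh
# Added example, not from the post. Assumed (constructed) highmon log line layout,
# matching what the posted awk/cut commands pick apart:
#   <timestamp> <server>#<channel> <nick> message words...
# The timestamp must sort lexicographically (zero padded, no spaces) for the
# "newest line wins" merge below to be correct.

# Print the newest highlight across all given log files as
# "channel<TAB>nick<TAB>message"; missing or empty files are skipped.
newest_highlight() {
    for f in "$@"; do
        [ -s "$f" ] && tail -n 1 "$f"
    done | sort | tail -n 1 | awk '
        {
            split($2, a, "#"); channel = a[2]          # text after the "#"
            nick = $3
            sub(/^</, "", nick); sub(/>$/, "", nick)   # strip the <...>
            sub(/!.*/, "", nick)                       # drop user@host if present
            msg = ""
            for (i = 4; i <= NF; i++) msg = msg (i > 4 ? " " : "") $i
            printf "%s\t%s\t%s\n", channel, nick, msg
        }'
}

# Stand-alone demo on constructed log files; the real paths would be
# ~/.weechat/logs/perl.highmon.weechatlog and
# ~/.weechat/bitlbee/logs/perl.highmon.weechatlog.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '2011-11-03T01:10:00 freenode#archlinux <alice> hi CoolWhip' > "$d/irc.log"
    printf '%s\n' '2011-11-03T01:20:04 localhost#facebook <bob!b@host> are you there' > "$d/bitlbee.log"
    newest_highlight "$d/irc.log" "$d/bitlbee.log" "$d/does-not-exist.log"
    rm -rf "$d"
}
demo
```

conky can call it once and split the three tab-separated fields with cut -f1, -f2 and -f3.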
Last edited by CoolWhip (2011-11-03 01:20:04)
Of the second and third scripts, the latter could perhaps be deemed the "most secure"; however, it might block more than you want. If you really want to use one of those, then I'd suggest using the second script. Otherwise, I'd recommend that you take a look here. (I only slightly examined the first script.... I do not understand the language of the comments, and I'm no iptables whiz.)
Also, note that you don't have to use an actual script to set up the rules; rather, you can save the rules you want to a file that will be read by iptables automatically (/etc/iptables/iptables.rules). Here's a modified version of mine:
# /etc/iptables/iptables.rules
# These rules (and the commented instructions) derived from:
# http://ubuntuforums.org/showthread.php?t=159661
*nat
:PREROUTING ACCEPT [163:50538]
:POSTROUTING ACCEPT [40:2451]
:OUTPUT ACCEPT [40:2451]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
:TRUSTED - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP
# put your own exceptions here, like so (replacing <tcp/udp> with either "tcp" or
# "udp" -- minus the quotes -- and <port number> with the port you'd like to open):
# -A TRUSTED -p <tcp/udp> -m <tcp/udp> --dport <port number> -j ACCEPT
COMMIT
Of course, there are benefits to keeping the rules in a script. For instance, you could then easily set the default iptables rules, allow all traffic, etc. Plus, some firewall-related things (such as the various echo commands in the scripts you provided) cannot (to my knowledge) be done by iptables alone.
If you already have a script that sets up the rules you would like to use, you can save yourself the hassle of creating a rules file by following the directions outlined here.
Last edited by ssjlegendx (2008-08-06 20:17:00)
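An added example, not part of the reply above: a small POSIX shell generator that writes a filter-table rules file in the same FIREWALL/TRUSTED layout, validates each requested exception before turning it into an -A TRUSTED line, and parses the result with iptables-restore --test when that tool is available (the test mode only parses the file and commits nothing; it needs root).

```shell
#!/bin/sh
# Added example, not from the reply: generate a filter-table rules file in
# the FIREWALL/TRUSTED layout above from "proto:port" exceptions, refusing
# anything that is not tcp/udp on a port in 1..65535.

# Emit one TRUSTED exception line, or print nothing and return 1 if invalid.
trusted_rule() {
    proto=$1 port=$2
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf -- '-A TRUSTED -p %s -m %s --dport %s -j ACCEPT\n' "$proto" "$proto" "$port"
}

# Print the whole rules file for exceptions such as "tcp:22"; every exception
# is validated before any output, so a typo cannot leave a half-written file.
build_rules() {
    for spec in "$@"; do
        trusted_rule "${spec%%:*}" "${spec#*:}" >/dev/null ||
            { echo "bad exception: $spec" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
:TRUSTED - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP
EOF
    for spec in "$@"; do trusted_rule "${spec%%:*}" "${spec#*:}"; done
    echo COMMIT
}

# Parse-only check with iptables-restore --test (needs root); nothing is committed.
check_rules() {
    command -v iptables-restore >/dev/null && [ "$(id -u)" -eq 0 ] || return 0
    iptables-restore --test < "$1"
}

# Constructed usage: allow SSH and plain IRC, then syntax-check the file.
f=$(mktemp) && build_rules tcp:22 tcp:6667 > "$f" && check_rules "$f" && echo "rules written to $f"
```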
How to use FileDescriptors other than in out and err?
I have a Unix process I am shelling out to using runTime.exec(command) which requires two input streams and two output streams (file descriptors). How can I do this in Java when only in, out and err are available, without using physical files?
For information, the process is GnuPG (GPG) and the command line will be something like:
./gpg --command-fd 98 --status-fd 2 -o- --decrypt
This uses standard in for the encrypted file content and standard out for the decrypted data. The command (98) and status (2) file descriptors are for sending and receiving command messages. Note that 98 is an arbitrary number.
What about FIFOs (named pipes)?
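An added example, not from the thread, showing the named-pipe approach from the reply in POSIX shell rather than Java: gpg's status output (fd 3 here) and its command input (fd 4) each go through a FIFO, and the status lines are read to decide when to feed the passphrase and whether decryption succeeded. The status keywords are GnuPG's documented "[GNUPG:]" words; the --pinentry-mode loopback flag is an assumption for GnuPG 2.1 or later (gpg 1.4 does not know that flag).

```shell
#!/bin/sh
# Added example, not from the thread. Runs gpg with --status-fd and
# --command-fd wired to two FIFOs, so a caller limited to stdin/stdout/
# stderr (the Java situation above) can still use both extra channels.
# Assumption: GnuPG >= 2.1, hence --pinentry-mode loopback.

# Classify "[GNUPG:] KEYWORD ..." status lines read from stdin:
# 0 on DECRYPTION_OKAY, 1 on a failure keyword, 2 if no verdict appeared.
gpg_status_verdict() {
    awk '$1 == "[GNUPG:]" && $2 == "DECRYPTION_OKAY" { ok = 1 }
         $1 == "[GNUPG:]" && ($2 == "DECRYPTION_FAILED" || $2 == "BAD_PASSPHRASE" || $2 == "NODATA") { bad = 1 }
         END { if (bad) exit 1; if (ok) exit 0; exit 2 }'
}

# Decrypt $1 to stdout, answering the passphrase prompt with $2 over the
# command FIFO; the secret never appears on a command line or in a file.
gpg_decrypt_via_fifos() {
    ciphertext=$1 passphrase=$2
    d=$(mktemp -d) || return 1
    mkfifo "$d/status" "$d/command" || return 1
    # The background shell opens status for writing, then command for
    # reading; each open blocks until the other end is opened, so the
    # parent opens them in the same order right after.
    gpg --batch --no-tty --pinentry-mode loopback --status-fd 3 --command-fd 4 \
        --decrypt "$ciphertext" 3>"$d/status" 4<"$d/command" &
    exec 5<"$d/status" 6>"$d/command"
    : > "$d/status.log"
    while IFS= read -r line <&5; do
        printf '%s\n' "$line" >> "$d/status.log"
        case $line in
            '[GNUPG:] GET_HIDDEN passphrase.enter') printf '%s\n' "$passphrase" >&6 ;;
        esac
    done
    exec 5<&- 6>&-
    wait
    gpg_status_verdict < "$d/status.log"; rc=$?
    rm -rf "$d"
    return $rc
}

# Constructed status stream, as gpg writes it on the status fd for a good decrypt.
printf '%s\n' '[GNUPG:] ENC_TO 0000000000000000 1 0' '[GNUPG:] GET_HIDDEN passphrase.enter' \
    '[GNUPG:] GOT_IT' '[GNUPG:] DECRYPTION_OKAY' | gpg_status_verdict && echo 'status: decryption ok'
```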
-
Hi,
I need to encrypt a target FTP file with GPG and I think that calling an OS script (remote) could serve.
But I don't know if that's the best solution.
Is there any other way to do that?
Thanks in advance,
Carme
Hi Carme,
If you are looking for a tool for PGP, you can have a look at the links below:
http://www.aedaptive.com/index.php/solutions
http://www.aedaptive.com/index.php/solutions/pgp-for-sap-netweaver
If you are planning to develop an adapter module or want to evaluate which one is better, please refer to the following posts.
/people/dijesh.tanna/blog/2008/09/15/sap-pi-integrating-macafee-e-business-server-with-sap-pi-70-for-pgp-encryptiondecryption
Encrypting a file using PGP
Thanks,
[Solved] gpg --list-public-keys (removed duplicate - see my last post)
I followed https://wiki.archlinux.org/index.php/GnuPG#Create_key and https://wiki.archlinux.org/index.php/Talk:Pacman-key, but I have ended up with my public key being listed twice. It's both first and last in the full list of public keys. Here is just mine:
/home/colin% gpg --list-public-keys colin
pub 4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
uid [ultimate] Colin Keenan <[email protected]>
uid [ultimate] [jpeg image of size 6283]
sub 4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
pub 4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
uid [ultimate] Colin Keenan <[email protected]>
uid [ultimate] [jpeg image of size 6283]
sub 4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
How do I remove just the 2nd entry so that my public key is only listed one time?
I am afraid to start signing my packages (https://wiki.archlinux.org/index.php/De … ge_signing) before I fix this issue.
Edit to add what I've tried so far:
gpg -o colin.gpg --export colin # to create a backup of my public key in a file called colin.gpg
cp pubring.gpg pubring-backup.gpg # in case I screw up pubring.gpg
gpg --import colin.gpg # hoping it will magically merge the duplicate, but it left both unchanged
gpg --delete-key colin # hoping it would delete both copies of the public key so I could import it again
It refused to delete the public key until I delete the private key which I don't want to do.
I also realized the export may have the duplicate as well. I tested that with:
gpg colin.gpg
And, sure enough, it listed my key twice.
Another edit: I have tried a lot and exposed a bug that I will try to submit upstream. Here is what I have done:
gpg --edit-key colin # this selected the first of the duplicate keys to be edited
gpg> adduid
Real name: Colin N Keenan
Email address: [email protected]
Comment:
You selected this USER-ID:
"Colin N Keenan <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "Colin Keenan <[email protected]>"
4096-bit RSA key, ID 0940E3F9, created 2014-11-18
pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
trust: ultimate validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1) Colin Keenan <[email protected]>
[ultimate] (2) [jpeg image of size 6283]
[ unknown] (3). Colin N Keenan <[email protected]>
gpg> save
gpg --edit-key "Colin N Keenan"
Secret key is available.
pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
trust: ultimate validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <[email protected]>
[ultimate] (2) Colin Keenan <[email protected]>
[ultimate] (3) [jpeg image of size 6283]
gpg> 2
pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
trust: ultimate validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <[email protected]>
[ultimate] (2)* Colin Keenan <[email protected]>
[ultimate] (3) [jpeg image of size 6283]
gpg> deluid
Really remove this user ID? (y/N) y
pub 4096R/0940E3F9 created: 2014-11-18 expires: 2015-11-18 usage: SC
trust: ultimate validity: ultimate
sub 4096R/EDA19F9C created: 2014-11-18 expires: 2015-11-18 usage: E
[ultimate] (1). Colin N Keenan <[email protected]>
[ultimate] (2) [jpeg image of size 6283]
gpg> quit
Save changes? (y/N) y
And now the bug:
/home/colin% gpg --delete-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: there is a secret key for public key "Colin Keenan"!
gpg: use option "--delete-secret-keys" to delete it first.
/home/colin% gpg --delete-secret-key "Colin Keenan"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: key "Colin Keenan" not found: Unknown system error
gpg: Colin Keenan: delete key failed: Unknown system error
So, --delete-key fails because there is a secret key, and --delete-secret-key fails because it can't find the secret key!
Last edited by colinkeenan (2014-11-19 16:26:31)
I have solved the issue. Since I had made a backup of .gnupg while there was a duplicate of the public key for "Colin Keenan", I realized the secret key in the backup was also for "Colin Keenan", so I didn't want to delete that one. I should delete "Colin N Keenan" by deleting the secret and public key matching it, then copy the resulting public key file to the backup, then restore the backup. That solved the issue, as follows:
gpg --delete-secret-key "Colin N Keenan"
gpg --delete-key "Colin N Keenan"
cp .gnupg/pubring.gpg .gnupg-backup
rm -r .gnupg
cp -r .gnupg-backup .gnupg
Here is a full outline of the commands I ran to eliminate the duplicate public key, in case anyone else runs into this very unusual problem:
cd # just making sure I'm in my home directory so I don't have to type the dreaded ~
cp -r .gnupg .gnupg-backup
gpg --edit-key colin
gpg> adduid (added Colin N Keenan, original was Colin Keenan)
gpg> save
gpg --edit-key "Colin N Keenan"
gpg> 2 (because "Colin Keenan" was the 2nd uid)
gpg> deluid
gpg> save
gpg --delete-secret-key "Colin N Keenan"
gpg --delete-key "Colin N Keenan"
cp .gnupg/pubring.gpg .gnupg-backup
rm -r .gnupg
cp -r .gnupg-backup .gnupg
Last edited by colinkeenan (2014-11-19 16:41:03)
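As an added check (not from the thread), a duplicated pub entry can be detected programmatically from gpg --with-colons output before package signing instead of by eyeballing --list-public-keys. The parser below runs on a constructed colon-format listing that mirrors the duplicate above; the key IDs, timestamps and e-mail address in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. In gpg --with-colons output field 1 is
# the record type and field 5 of a "pub" record is the key ID; the same key ID
# on two "pub" records means the keyring holds that key twice, as above.

# Print each key ID that occurs on more than one pub record (stdin = colon listing).
duplicate_pub_keyids() {
    awk -F: '$1 == "pub" { n[$5]++ } END { for (k in n) if (n[k] > 1) print k }'
}

# Return 0 if the listing on stdin has no duplicated key, else 1 and name them.
check_no_duplicate_pubkeys() {
    dups=$(duplicate_pub_keyids)
    [ -z "$dups" ] && return 0
    printf 'duplicated public key(s): %s\n' "$dups" >&2
    return 1
}

# Gate to run before signing packages: inspect the real keyring when gpg exists.
keyring_ok_for_signing() {
    command -v gpg >/dev/null || { echo 'gpg not installed' >&2; return 2; }
    gpg --with-colons --list-keys 2>/dev/null | check_no_duplicate_pubkeys
}

# Constructed colon listing mirroring the duplicate shown above (the thread's
# short IDs behind an obviously fake DEADBEEF prefix; real key IDs are 16 hex digits).
SAMPLE_LISTING='tru::1:1416355200:1447891200:3:1:5
pub:u:4096:1:DEADBEEF0940E3F9:1416355200:1447891200::u:::scESC:
uid:u::::1416355200::::Colin Keenan <colin@example.invalid>:
sub:u:4096:1:DEADBEEFEDA19F9C:1416355200:1447891200::::e:
pub:u:4096:1:DEADBEEF0940E3F9:1416355200:1447891200::u:::scESC:
uid:u::::1416355200::::Colin Keenan <colin@example.invalid>:
sub:u:4096:1:DEADBEEFEDA19F9C:1416355200:1447891200::::e:'

printf '%s\n' "$SAMPLE_LISTING" | check_no_duplicate_pubkeys ||
    echo 'refusing to sign packages until the keyring is cleaned up'
```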