darren_moffat@blog$ cat /dev/mem | grep /dev/urandom


20041108 Monday November 08, 2004

Cryptography in Solaris

The Solaris Cryptographic Framework has been my main project for the past 4 years at Sun. Solaris 10 will be the first release where we have public interfaces to cryptography APIs in userland and in the kernel. To find out more about the Solaris Cryptographic Framework have a look at the docs.sun.com guide. It has support for automatic failover between hardware and software and includes implementations of common cryptographic algorithms, some of them optimized for SPARCv9 and AMD64.

One of my favourite things about the Solaris Cryptographic Framework is the ability to specify a system-wide policy about which algorithms applications that use the framework are allowed to use. For example, disabling software DES in both userland and the kernel is as simple as this:

# cryptoadm disable provider=des mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
# cryptoadm disable provider='/usr/lib/security/$ISA/pkcs11_softtoken.so' mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC

Where "des" is the name of the kernel provider and "pkcs11_softtoken.so" is the userland provider.
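A check worth running after applying the policy above, as an added example that is not from the original post: it parses the output of `cryptoadm list -p` and confirms that the DES mechanisms are actually disabled on both the kernel and userland providers. The sample output is constructed in the style of cryptoadm(1M) and may differ in wording from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): verify the cryptoadm policy
# above took effect by parsing "cryptoadm list -p" output. POLICY below is
# CONSTRUCTED; on a real Solaris 10 system use: POLICY=$(cryptoadm list -p)
POLICY='User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC.

Kernel software providers:
==========================
des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC.
aes: all mechanisms are enabled.
md5: all mechanisms are disabled.'
# disabled_mechs PROVIDER
# Print the comma-separated mechanisms the policy disables for PROVIDER,
# "ALL" if every mechanism is disabled, or an empty line if none is.
disabled_mechs() {
    printf '%s\n' "$POLICY" | while IFS= read -r line; do
        case "$line" in
            "$1: "*) ;;          # this is our provider's line
            *) continue ;;
        esac
        case "$line" in
            *"all mechanisms are disabled.") echo ALL ;;
            *"enabled, except "*)
                printf '%s\n' "$line" | sed -e 's/.*enabled, except //' -e 's/\.$//' ;;
            *) echo "" ;;
        esac
        break
    done
}

# policy_ok PROVIDER MECH[,MECH...]
# Succeed only if every listed mechanism is disabled for PROVIDER.
policy_ok() {
    dis=$(disabled_mechs "$1")
    [ "$dis" = ALL ] && return 0
    for m in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",$dis," in
            *",$m,"*) ;;
            *) echo "$1: $m is still enabled" >&2; return 1 ;;
        esac
    done
    return 0
}
WANT=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
policy_ok '/usr/lib/security/$ISA/pkcs11_softtoken.so' "$WANT" && echo "softtoken: DES policy ok"
policy_ok des "$WANT" || echo "des: DES policy incomplete"
```

In the constructed sample the kernel provider is only half done (the 3DES mechanisms are still enabled), so the script reports it, which is exactly the drift this kind of check is meant to catch.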

In addition to the cryptographic support, Solaris 10 also has support for SASL and improved GSS-API support with the introduction of an SPNEGO mechanism.

( Nov 08 2004, 11:32:25 PM GMT )

Zenity tools: GUI svcadm

I recently saw a libcurses interface to svcadm that was written by coding directly to the libscf(3lib) interfaces. That gave me the idea for a GNOME GUI version. I didn't feel up to writing lots of GNOME GUI and libscf(3lib) code just to get a GUI interface that would allow me to see the state of all services and transition them, basically svcs and svcadm in a GUI. Enter once more to the party: zenity(1).

You can get zsvcadm here. After download run
mv zsvcadm.txt zsvcadm ; chmod +x zsvcadm
( Nov 08 2004, 10:17:59 PM GMT )

Zenity tools: GUI interfaces to SMF (Service Management Framework)

If you don't already know what SMF is jump over to Stephen Hahn's blog to find out more.

I run Solaris 10 on my laptop and quite often I want to start it up and not be connected to any network. Waiting on the timeout for the svc:/network/physical service can be an annoying slowdown at boot when you don't have a network cable connected and there is no wireless access point you are going to connect to. So I disabled the startup of the svc:/network/physical service. This means that my system comes up with only the loopback network started. I can still log in to GNOME and get work done.

As a security geek, one of the things I love most about SMF is the great security integration it has with the Solaris RBAC system. I can very easily set up a user who has the ability to start/stop/restart services but can't change the definition of them. Stephen talks about this in his blog here. I have my local user account on my laptop configured with the "Service Operator" profile:

     # usermod -P "Service Operator" darrenm

When I want to start the network I can just run `svcadm enable -t network/physical`, note the use of -t so that it is not enabled on next reboot.

But what if I didn't have a terminal window open? Can't I just push a button to do this? A very small zenity based shell script can do this for you:

#!/bin/ksh
# Zenity dialog that brings the physical network service up or down.
PATH=/usr/bin:/usr/sbin
MYNAME='Network Control'

# One-column list dialog; prints the selected row, or nothing if cancelled.
chosen=$(zenity --list --title="$MYNAME" --column="State" Up Down)

if [ "$chosen" = "Up" ]; then
    # -t: temporary enable, so the service stays disabled on the next reboot
    svcadm enable -t svc:/network/physical:default
elif [ "$chosen" = "Down" ]; then
    svcadm disable svc:/network/physical:default
fi

I then add this as a launcher on the gnome-panel. When combined with the GNOME "Network Monitor" this gives you a simple graphical view and control of your network interfaces.

One thing you might notice here is that by default network/physical doesn't have a stop method defined in SMF. A later posting will show how easy it is to convert the existing start method so that it can also function as a stop method.

( Nov 08 2004, 04:12:04 PM GMT )

Zenity tools: A simple GUI interface to ssh-add(1)

The ssh(1) and ssh-add(1) commands allow using an external program to do the prompting for passwords, or for the passphrases of encrypted private keys. The main use of this is to provide a graphical prompt when running under the X window system. The zenity(1) command is part of the latest JDS3 release on Solaris; it provides a simple way of creating common dialog boxes from inside shell scripts. The following very simple script can be used as the SSH_ASKPASS program. Place this script in a directory in your path, let's say ~/bin, and set $SSH_ASKPASS to point to it.

#!/bin/ksh
# SSH_ASKPASS helper: ssh(1)/ssh-add(1) run it with the prompt text as $1
# when $SSH_ASKPASS and $DISPLAY are set and there is no controlling tty.
# ksh rather than the traditional Bourne /bin/sh, which lacks $(...).
# zenity treats "_" as a GTK mnemonic marker, so double every underscore
# to make the prompt display literally.
prompt=$(echo "$1" | sed 's/_/__/g')
ICON=/usr/share/pixmaps/blueprint-keyring.png
zenity --entry --title="ssh(1) Authentication" --text="$prompt" --hide-text --window-icon="$ICON"

I have also created a gnome-panel launcher for this so that I can add ssh private keys to my ssh-agent process just by clicking on the panel. Right click on the gnome panel: Add to Panel -> Launcher. For the command use "/usr/bin/ssh-add" (no quotes). Pick an icon (I use blueprint-keyring.png) and give it a name (this will be used in the tool tip; I use ssh-add). If you are using gdm to log in to Solaris the ssh-agent will have been started for you. If you are using dtlogin then see the instructions on docs.sun.com.

( Nov 08 2004, 03:44:37 PM GMT )





This is a personal weblog, I do not speak for my employer.