Category Archives: Ubuntu

Using the German electronic identity card (eID) in Ubuntu 20.04

The new eID functionality of the German identity card enables you to identify yourself with your real name towards government or commercial web services. It makes sure that it is really you who uses the web service, and not someone else who stole your online identity by email spoofing, SIM swapping, IMSI catcher, etc. .

In the following example, we will be using the eID to sign our PGP key. The new signature will uniquely identify the owner of the German identity card as the owner of the PGP key, which can then be used to e.g. sign and encrypt emails. That way PGP no longer relies on a web of trust, but works similar to the PKI concept of S/MIME certificates, in that the real identity of the owner of a certificate will be checked and then signed by a common public authority (CA) that everyone trusts.

Prerequisites

  • A German identity card with eID functionality.
  • A supported RFID card reader, e.g. from REINER SCT.
  • Operating system drivers for your card reader. In Ubuntu 20.04 drivers for all REINER SCT card readers (also called "cyberJack") are included in the package libifd-cyberjack6. You can download Ubuntu drivers from their website too, but they didn't work for me.
  • On Linux, the pcscd daemon that enables access to smart card readers.
  • An application called AusweisApp2 that handles authentication (PIN entry) and authorization (who wants to access what kind of information on your eID). In Ubuntu 20.04 AusweisApp2 is already included in the standard repositories (version 1.20.0). The app is also included as a snap install (newer version 1.20.2), but that didn't work for me (for the error message see below).

First steps

  • Make sure you have the letter with the initial PIN for your eID at hand.
  • IMPORTANT: Make sure your RFID card reader is updated to the latest firmware release. With most card readers, the firmware can only be updated while you install the card reader on a Windows system.
  • IMPORTANT: Remove usbguard. Even after I permanently added the card reader to the list of allowed devices, pcscd could not find my card reader, or AusweisApp2 did not properly recognize my card reader and complained about missing drivers.
  • Install all necessary software packages and drivers for Ubuntu 20.04:
    pcscd pcsc-tools libifd-cyberjack6 libusb-1.0-0 libusb-1.0-0 libccid libpcsclite1 libpcsc-perl libpcsclite-dev

Test your card reader

Start the pcscd daemon in debug mode:

$ sudo pcscd -df
00000000 [140135772616640] pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000086 [140135772616640] configfile.l:293:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000017 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: ..
00000006 [140135772616640] configfile.l:369:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00000029 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: .
00000009 [140135772616640] pcscdaemon.c:663:main() pcsc-lite 1.8.26 daemon ready.
00003514 [140135772616640] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0xABCD, PID: 0x1234, path: /dev/bus/usb/001/001
...

Plug in your card reader.

IMPORTANT: If you use a USB card reader, plug it directly into your PC or laptop. Do not use a USB hub, as the hub may not provide enough power for the USB device. Also make sure to use the USB cable that came with the card reader. Longer cables may result in unstable connections.

In the output of the pcscd daemon (after a couple of seconds, wait for it!), you will see something like this:

99999999 [140135764219648] hotplug_libudev.c:655:HPEstablishUSBNotifications() USB Device add
00000158 [140135764219648] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0x0C4B, PID: 0x0500, path: /dev/bus/usb/002/012
00000010 [140135764219648] hotplug_libudev.c:440:HPAddDevice() Adding USB device: REINER SCT cyberJack RFID standard
00000050 [140135764219648] readerfactory.c:1074:RFInitializeReader() Attempting startup of REINER SCT cyberJack RFID standard (1234567890) 00 00 using /usr/lib/pcsc/drivers/l
ibifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so
CYBERJACK: Started
00001347 [140135764219648] readerfactory.c:950:RFBindFunctions() Loading IFD Handler 3.0
00023288 [140135764219648] readerfactory.c:391:RFAddReader() Using the pcscd polling thread

Notice that the pcscd daemon uses the driver from the package libifd-cyberjack we installed earlier. You can also check the output from the pcscd client tool:

$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: REINER SCT cyberJack RFID standard (1234567890) 00 00

Thu Nov 19 13:17:31 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 0
 Card state: Card removed,

As you can see, pcscd properly detected the card reader. Now insert your identity card into the card reader while pcsc_scan is running. The output of pcsc_scan will show something like this:

Thu Nov 19 13:21:24 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 3
 Card state: Card inserted,
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
       Personalausweis (German Identity Card) (eID)

Install and start the application AusweisApp2

Install the application AusweisApp2 from the general Ubuntu repository. Do not install the snap app! In my case, the snap version of AusweisApp2 did not work properly. I got the following error message in my system logs:

Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 07606784 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:0c4b/0500:libudev:0:/dev/bus/usb/002/006)
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000015 readerfactory.c:376:RFAddReader() REINER SCT cyberJack RFID standard (1234567890) init failed.
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000073 hotplug_libudev.c:526:HPAddDevice() Failed adding USB device: REINER SCT cyberJack RFID standard

After you start the application, go to Start -> Settings -> USB card reader to check if the app can communicate with your card reader.

If you haven't done so before, the app will ask you to change the initial PIN that you received by mail. You have to set your own PIN before you use any online service.

Test the authentication process

Go to Start -> Self-Authentication -> See my personal data. Here you can check the data that is stored on your eID, and also make sure that the authentication process is working properly.

Click on "Proceed to PIN entry". On your card reader, you will need to confirm the service provider who wants to access your card, and also which information is requested from your card. Of course you also need to enter your new PIN.

Sign your PGP certificate

Go to Start -> Provider -> Other services -> Schlüsselbeglaubigung. The key signing service is provided by Governikus, the company that develops AusweisApp2.

Click on "To online application". This will start your default web browser and open the URL https://pgp.governikus.de/pgp/ . Of course you can also enter the URL directly in your web browser. Just make sure that AusweisApp2 is running in the background.

On the website you may upload your PGP public certificate. After successful authentication by eID, you will receive an email with your certificate signed by Governikus. The signature certifies that the PGP key really belongs to you and not someone else who is impersonating you by using your email address (email spoofing) or smartphone number (SIM card swapping, IMSI catcher).

Summary

The whole eID authentication process on a website can be described as follows:

  1. Start the pcscd daemon, either by "sudo systemctl start pcscd", or if this doesn't work by "sudo pcscd -f".
  2. Plug in your card reader. You should see a confirmation in the daemon output (or by typing "systemctl status pcscd" if you started pcscd with systemctl):
    "CYBERJACK: Started"
  3. Start the application AusweisApp2.
  4. Go to the website that requests eID authentication ("elektronischer Personalausweis"), and click on "Login".
  5. Your webbrowser automatically transfers control to AusweisApp2. There you should see who is requesting what kind of information from your eID.
  6. Insert the identity card into your card reader.
  7. In AusweisApp2, click on "Proceed to PIN entry".
  8. Control is transferred to your card reader. There you need to:
    1. Confirm the service provider.
    2. Confirm the data he wants to have access to.
    3. Enter your PIN.
  9. On the display of your card reader, you should see something like "Tunnel established". AusweisApp2 shows something like "Authentication successful". The website should automatically proceed to its regular contents, just as if you would have entered username and password.
  10. That's it. You can remove your identity card from the card reader.

Troubleshooting

  • If you see the following error message in the output of pcsc_scan, it means that pcsc_scan cannot communicate with the daemon pcscd. Make sure that the daemon is running.
SCardGetStatusChange: RPC transport error.
  • If AusweisApp2 does not recognize your card reader, or complains about missing drivers, try to start pcscd from the command line ("sudo pcscd -f"), and not as a background service ("sudo systemctl start pcscd"). Also make sure that you removed usbguard and did a reboot afterwards.
  • If the authentication process is not working, try to update the firmware of your smart card reader to the latest version. This might only work under Windows 10 during Windows driver installation for the new smart card reader device.
Share

Upgrading from Ubuntu 16.04 LTS to 18.04 LTS

Overall changes

Canonical support has been dropped from the following packages. They have been moved to the universe repo.

  • tcpd
  • xinetd
  • isc-dhcp-server-ldap
  • ntp, ntpdate
    There might be problems to automatically start previously configured ntp service at boot time. As a replacement, systemd-timesyncd.service is now enabled by default and provides SNTP client services. Default time server is ntp.ubuntu.com, or the one obtained from systemd-networkd.service (s. "man timesyncd.conf" for configuration).
  • firewalld
  • ssmtp

New versions

  • kernel 4.4 -> 4.15
  • bind 9.10.3 -> 9.11.3
    https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
    https://www.isc.org/downloads/bind/bind-9-11-new-features/
  • bacula-fd 7.0.5 -> 9.0.6
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_4_0.html
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_9_0_0.html
  • systemd 229 -> 237
    https://github.com/systemd/systemd/blob/master/NEWS
  • libvirt 1.3.1 -> 4.0.0
    https://libvirt.org/news.html
  • virt-manager 1.3.2 -> 1.5.1
    https://github.com/virt-manager/virt-manager/blob/master/NEWS.md

Installing Bacula client from source

Again the new bacula-fd version 9.0.6 might be a problem, if you are running a Bacula server with an older version (s. Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS). In your job output, you will see an error like this:

25-Apr 02:15 server-dir JobId 5638: FD compression disabled for this Job because AllowCompress=No in Storage resource.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/inputrc

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/db.empty

25-Apr 02:15 server-sd JobId 5638: Fatal error: bsock.c:547 Packet size=1073742451 too big from "client:192.168.0.1:9103. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/Kexample2.+163+42584.private

25-Apr 02:15 server-sd JobId 5638: Fatal error: append.c:149 Error reading data header from FD. n=-2 msglen=0 ERR=No data available
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/zones.rfc1918

25-Apr 02:15 server-sd JobId 5638: Elapsed time=00:00:01, Transfer rate=186  Bytes/second
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615307 client-fd JobId 5638: Error: bsock.c:649 Write error sending 884 bytes to Storage daemon:192.168.0.1:9103: ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=3 level=1524615307 client-fd JobId 5638: Fatal error: backup.c:843 Network send error to SD. ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615317 client-fd JobId 5638: Error: bsock.c:537 Socket has errors=1 on call to Storage daemon:192.168.0.1:9103

25-Apr 02:15 server-dir JobId 5638: Fatal error: bsock.c:547 Packet size=1073741935 too big from "Client: client-fd:client.example.com:9102. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Fatal error: No Job status returned from FD.

Here is how to install bacula-fd 5.2.13 from source on Ubuntu 18.04:

  • systemctl stop bacula-fd
  • Install packages required for building bacula client from source:
    apt-get install build-essentials libssl1.0-dev
  • Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
  • Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5  29F5 9E98 BF32 10A7 92AD):
    gpg --recv-keys 10A792AD
    gpg --fingerprint -k 10A792AD
  • Check signature of downloaded files:
    gpg --verify bacula-5.2.13.tar.gz.sig
  • tar -xzvf bacula-5.2.13.tar.gz
  • cd bacula-5.2.13
  • ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula --with-systemd
  • check output of previous configure command
  • make && make install
  • check output of previous command for any errors
  • create new file /etc/ld.so.conf.d/local.conf:
    /usr/local/lib
  • ldconfig
  • Delete the following files:
    rm /lib/systemd/system/bacula-fd.service
    rm /etc/init.d/bacula-fd
    (In fact you can remove the bacula-fd 9.0.6 package completely, just make sure to copy the directory /etc/bacula somewhere safe before you do, and restore it afterwards.)
  • Create file /etc/systemd/system/bacula-fd.service (see below)
  • systemctl daemon-reload
  • systemctl start bacula-fd

/etc/systemd/system/bacula-fd.service:

[Unit] 
Description=Bacula File Daemon service 
Documentation=man:bacula-fd(8) 
Requires=network.target 
After=network.target 
RequiresMountsFor=/var/lib/bacula /etc/bacula /usr/sbin 
 
# from http://www.freedesktop.org/software/systemd/man/systemd.service.html 
[Service] 
Type=forking 
User=root 
Group=root 
Environment="CONFIG=/etc/bacula/bacula-fd.conf" 
EnvironmentFile=-/etc/default/bacula-fd 
ExecStartPre=/usr/local/sbin/bacula-fd -t -c $CONFIG 
ExecStart=/usr/local/sbin/bacula-fd -u root -g root -c $CONFIG 
ExecReload=/bin/kill -HUP $MAINPID 
SuccessExitStatus=15 
Restart=on-failure 
RestartSec=60 
PIDFile=/run/bacula/bacula-fd.9102.pid 

[Install] 
WantedBy=multi-user.target

Make sure that in you bacula-fd.conf, you have:

Pid Directory = /run/bacula

... and that the directory actually exists.

Some notable changes to systemd

When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e. g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options.

systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead.

systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53.

The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set.

Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation.

Share

Secure download of Ubuntu ISO installation images

Please follow the instructions on this page:
https://help.ubuntu.com/community/VerifyIsoHowto

There is another website, but it doesn't use SSL / HTTPS:
http://www.ubuntu.com/download/how-to-verify

The procedure is the same as I have already described for CentOS or Debian in my previous posts:

  1. Import the GPG-key and verify its fingerprint.
  2. Download the checksum file and verify its signature with the GPG-key.
  3. Check the iso file with the checksum file.

Again the fingerprint of the GPG-key is on a SSL encrypted website where you have to check the website certificate and its root CA.

Firefox ships with its own set of root CAs ("Builtin Object Token" as the Security Device in advanced preference settings). Here is a list of all root CAs included in Firefox along with their fingerprints:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

Builtin root CAs are hardcoded in /usr/lib/firefox/libnssckbi.so

CAs marked as "Software Security Device" are usually intermediate certificates that are downloaded from websites and stored locally. These CAs that are not builtin are either stored on a PKCS#11 compatible smartcard attached to your PC/laptop or saved to your home directory:
certutil -d ~/.mozilla/firefox/xxx.default -L

Chromium / Google Chrome does not ship with its own CA list but uses the CAs from the underlying operating system:
https://www.chromium.org/Home/chromium-security/root-ca-policy

On Ubuntu 16.04 these CAs are hardcoded in /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so which is part of the package "libnss3".

Important things to note:

  • Verification of ISO images is based on GPG-keys which have to be checked by its fingerprints. You can get that fingerprint from a SSL secured website.
  • The security of a website depends on the root CA which is used to sign the website certificate. These CAs are stored locally in different locations based on the browser you are using.
  • Neither Firefox nor Chromium / Google Chrome are using CAs from the package "ca-certificates".
Share

Farmville 2 on Ubuntu Linux (Flash)

If you have trouble running Farmville 2 on you Linux installation in your browser, you should consider upgrading to the latest Ubuntu 16.04 version. I was experiencing some strange problems with an older Ubuntu 14.04 installation and from one day to the next could not run Farmville 2 any longer:

  • Farmville 2 was showing the initial loading screen with the progress bar right in the center, but the progress bar was not moving at all. There was no sound, no error message. Other flash applications were working fine.
  • I tried different browsers with no success: Chromium, Google Chrome, Firefox
  • I tried different Flash versions with no success: adobe flash, pepperflash

Upgrading to Ubuntu 16.04 (see one of my previous posts) solved the problem. I am using the following versions:

  • Chromium (chromium-browser 50.0.2661.102)
  • Flash (pepperflashplugin-nonfree 1.8.2, flash version 21.0.0.242)

Make sure your browser is using the right flash plugin by typing "about:plugins" in the address bar of your Chromium browser (UPDATE: this page is not working anymore, s. https://bugs.chromium.org/p/chromium/issues/detail?id=615738). It might be that you have several flash versions installed on your computer and Chromium is using an old one. Check your flash version on the official Adobe website: http://www.adobe.com/software/flash/about

Chromium is storing flash plugin information in the folder /etc/chromium-browser/customizations. For every installed flash plugin, there is a flash configuration file:

  • 10-flash (adobe-flashplugin / flashplugin-installer)
  • pepperflashplugin-nonfree (pepperflashplugin-nonfree)

Move the file of the flash package you are not using to a backup location and restart Chromium. The flash configuration file also sets the file location of the flash plugin that gets loaded into your browser. Make sure the plugin file path is pointing to the official flash plugin shared object (/usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so).

With that configuration I am now able to run Farmville 2 on Facebook and use all of its features (which were not all working before either):

  • Full screen mode
  • Sound on/off toggle
  • Screenshot

WARNING:

  • Flash is known to have frequent security issues. If you do not absolutely need Flash, you should remove it from your computer.
  • If you choose to install it, at least make sure to only run Flash applications after you have confirmed them manually. Both Firefox and Chrome/Chromium allow you to configure this option.
  • You might also want to install a second browser without Flash for regular internet surfing, and only use your Flash enabled browser for Farmville 2.
  • Make sure to regularly update your Flash package as soon as there is a new version available.
Share

Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS (KDE desktop)

I just upgraded from Ubuntu Desktop 14.04 LTS to 16.04 LTS. It worked without major problems and didn't take a long time. I am not using the Kubuntu distribution, only the native Ubuntu Desktop version. You can still use KDE as the standard desktop. Here are some notes:

- "do-release-upgrade" didn't work for some reason. It just showed "No new release found". I had to use "do-release-upgrade -p".

- Versions:

  • Kernel 4.4.0-21
  • KDE Framework 5.18.0
  • libvirt 1.3.1
  • virt-manager 1.3.2
  • MySQL 5.7.12
  • Apache 2.4.18
  • ClamAV 0.99
  • OpenSSL 1.0.2g-fips
  • OpenSSH 7.2p2
  • Bacula 7.0.5
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_0_0.html

- No problems upgrading LVM root partition on LUKS encrypted disk partition.

- Virtual Machine Manager now supports snapshots and cache modes "directsync" and "unsafe" for disk devices. Some options are missing though, like cpu pinning.

- KDE did not work after upgrading and rebooting. I had to install the meta package "kubuntu-desktop" manually, which pulls in all necessary dependencies to run KDE as the standard desktop manager. The display manager "kdm" is now replaced by "sddm", which works great. So the "kdm" package is missing now and no longer part of the default repositories.

You can change the default display manager by editing /etc/X11/default-display-manager or by running "dpkg-reconfigure sddm".

- KDE desktop theme Breeze looks very nice. Take a look here:
http://kde-look.org/content/show.php/Elegant+Breeze?content=166630

- Upstart has been replaced by systemd. Make sure to know some basics about the command line interface "systemctl" before upgrading in case there are problems during the upgrade process.

Typing "systemctl<tab><tab> gives you a list of command line options. Just typing "systemctl" lists all services. The column "SUB" shows you if the service is running or not.

With the switch to systemd, consolekit is no longer required. kubuntu-desktop depends on either systemd or consolekit. As systemd is installed now, you can safely delete all consolekit packages, especially if the package is no longer supported by Ubuntu anyway (e.g. consolekit, libck-connector0).

- ZFS is part of the standard repositories. You do not have to add any 3rd party repository to try it out.

- Bacula client (bacula-fd 7.0.5) is not compatible with previous version of Bacula server (bacula-director/bacula-sd 5.2.6) on Ubuntu 14.04. Checking the status of the client works in bacula director, but running a job on bacula-fd in debug mode (bacula-fd -c /etc/bacula/bacula-fd.conf -f -d 100) shows the following output:

bacula-fd: job.c:1855-0 StorageCmd: storage address=x.x.x.x port=9103 ssl=0
bacula-fd: bsock.c:208-0 Current x.x.x.x:9103 All x.x.x.x:9103 
bacula-fd: bsock.c:137-0 who=Storage daemon host=x.x.x.x port=9103
bacula-fd: bsock.c:310-0 OK connected to server Storage daemon x.x.x.x:9103.
bacula-fd: authenticate.c:237-0 Send to SD: Hello Bacula SD: Start Job bacula-data.2016-05-29_07.53.26_05 5
bacula-fd: authenticate.c:240-0 ==== respond to SD challenge
bacula-fd: cram-md5.c:119-0 cram-get received: authenticate.c:79 Bad Hello command from Director at client: Hello Bacula SD: Start Job bacula-data.2016-05-29_07.53.26_05 5
bacula-fd: cram-md5.c:124-0 Cannot scan received response to challenge: authenticate.c:79 Bad Hello command from Director at client: Hello Bacula SD: Start Job bacula-data.2016-05-29_07.53.26_05 5
bacula-fd: authenticate.c:247-0 cram_respond failed for SD: Storage daemon

It is however quite simple to download and compile the latest 5.2.x version of bacula (5.2.13):

  • systemctl stop bacula-fd
  • Install packages required for building bacula client from source:
    apt-get install build-essentials libssl-dev
  • Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
  • Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5  29F5 9E98 BF32 10A7 92AD):
    gpg --recv-keys 10A792AD
    gpg --fingerprint -k 10A792AD
  • Check signature of downloaded files:
    gpg --verify bacula-5.2.13.tar.gz.sig
  • tar -xzvf bacula-5.2.13.tar.gz
  • cd bacula-5.2.13
  • ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula
  • check output of previous configure command
  • make && make install
  • check output of previous command for any errors
  • create new file /etc/ld.so.conf.d/local.conf:
    /usr/local/lib
  • ldconfig
  • edit file /etc/init.d/bacula-fd and change variable DAEMON:
    DAEMON=/usr/local/sbin/bacula-fd
  • systemctl daemon-reload
  • systemctl start bacula-fd

- I experienced a problem with the ntp service. "systemctl start ntp" did not show any error messages, but the ntp service was not running afterwards. There were no suspicious entries in the log files. I had to remove / purge the "upstart" package and then reinstall the package "ntp" to make it work again. ntp does still use the old init-script under "/etc/init.d". Starting the service with the init-script did work, but using "service ntp start" or "systemctl start ntp" did not start the ntp process. It did not even try to run the init-script in "/etc/init.d". Not sure what the real cause for the problem was, but as I said removing upstart and reinstalling ntp fixed the problem.

- Changes in configuration files or software features:

  • New default for /etc/ssh/sshd_config / permit_root_login: "yes" -> "prohibit-password"
    With this default setting, root is no longer able to login to SSH with username/password.
  • chkrootkit is trying to run "ssh -G" which is not working without a hostname (false positive, ignore):
    "Searching for Linux/Ebury - Operation Windigo ssh...        Possible Linux/Ebury - Operation Windigo installetd"
  • "dpkg-log-summary" shows a history of recent package installations (install, update, remove)

- Post-installation task: Remove all packages that you don't need or which are no longer supported by Ubuntu:

ubuntu-support-status --show-unsupported
  • upstart packages (upstart, libupstart1)
  • unity
  • ubuntu-desktop
  • lightdm
  • anacron (if running Ubuntu on a 24x7 installation)
  • bluez, bluedevil (if you don't need bluetooth)
Share