You may have obtained my password, but you can’t type it like me!

This could be the summary of the excellent article, titled Identify and verify users based on how they type by Nathan Harrington, which demonstrates how it is possible to enhance a computer system’s security by using a special algorithm which, in addition to the validity of the password, checks whether the keyboard buttons have been pressed/released in the user’s pre-recorded and unique way of typing that particular password. The author provides all the necessary code in order to add this biometric technique to the GNOME Display Manager (GDM).

It may sound like a relatively easy implementation, but, taking into account that it is almost impossible for our neuro-myo-skeletal system to produce two identical patterns while performing a complicated action such as typing, user identification and verification using this biometric technique becomes a real challenge. The article author notes:

As a biometric, keystroke dynamics are relatively imprecise. Unlike Iris scans or fingerprints, even the most highly repetitive individuals make subtle variations in their typing patterns. The challenge in using keystroke dynamics in an authentication or verification context is to discern acceptable variations from incorrect credentials.

One could say that the pros and cons of such an implementation are quite obvious.

• Unlike iris or fingerprint scanners, this biometric does not require any special hardware equipment. It is just an algorithm that can be compiled and run on any computer system. This generally means: cheap biometric methods.
• It can be added on top of the currently used authentication systems without requiring any extra action from the users at all.
• The combination of such a biometric method with the existing user/password authentication scheme greatly enhances security.

On the other hand::

• It is extremely easy for anyone who has privileged access to the computer system to record each user’s typing pattern. This could be done by using keylogging software or, worse, using a specially crafted keyboard in case of physical access to the system.
• It requires that the users are actually familiar with the keyboard, at least to the extend that they are able to repeat the password typing pattern without big variations.
• Depending on the strictness of the algorithm, false negatives might occur.

I didn’t have the necessary free time to patch GDM with the provided code, compile it and test the algorithm’s effectiveness.

I mainly found this article very interesting because it is proof that we have just scratched the surface of biometrics. The simplicity of the concept behind this biometric method indicates that there are many new human identification techniques to be discovered and implemented (not only in computer systems), possibly at a cost in terms of personal freedom as a result of misuse of such technologies. But, I guess this has always been the problem with the technological progress, so, once again, we will have to deal with and resolve any issues that may arise in the future.

Related Articles

• Descramble Passwords from gftp Bookmarks using Python
• VeriTAR – Verify checksums of files within a TAR archive
• Effective data wiping with a single complete overwrite
• GRUB background image
• Verify a burned CD/DVD image on Linux

Related Articles

• Operating Systems do not matter any more
• CentOS – Community ENTerprise Operating System
• Awesome AWK Tutorial
• Almost saying goodbye to innovation
• Root Certificate Programs – The root of all trust

Related Articles

• Evince instead of Adobe Reader in Linux
• Critical vulnerability in Adobe Reader
• Creative Commons v3.0 Licenses Launched
• Error when using old run/bin installers under Linux
• Python Crash Course

Related Articles

• Desktop now uses Fedora 9
• Send to Desktop – Create Symlink
• Creole – Standard Wiki Markup Language
• YUM-Priorities Configuration for a CentOS Desktop
• Dictionary Lookups Anywhere

• GParted-CloneZilla Live CD – This project by LarryT combines the gparted hard disk partitioning tool with CloneZilla.
• Clonezilla-SysRescCD – This is another excellent combination of tools made by Spiros Georgaras. This liveCD combines the system repair and data recovery collection of tools of the SysRescCD with CloneZilla.

Related Articles

• Partition images with Partimage and Partimaged
• The importance of regular data backups
• Filesystem Backup Again
• More Data Recovery Tools
• How to recover lost files

For all those who have not tried Epiphany yet, I’d like to say the following:

Using Epiphany is not about reaching the sense of uniqueness by using a less popular browser. It is also nowhere near trying to seem elite. Moreover, you will never manage to impress the ladies by using it…

Epiphany is a tool; a stable, lightweight piece of software, which offers better integration into the GNOME environment than any other browser, the powerful engine of Firefox and some of the most futuristic features that are available among today’s web browsers, for example tagged bookmarks.

Related Articles

• Epiphany Browser Review
• Smart Bookmarks in Epiphany
• A Note About The Epiphany Extensions on Fedora
• Some thoughts about Epiphany extensions
• Epiphany Python Console – Open New Tab

I’ve been experimenting with the Minimalist for the last days and all I can say is that this software Just Works™ … and I like it when software works! Actually, I liked it so much that I have devoted a significant amount of time in writing a program that acts as a bridge between the Minimalist’s mailing list archives and MHonArc. This program (a MHonArc wrapper actually), which also includes a set of resource files in order to heavily customize MHonArc’s HTML output (in an attempt to be like the popular Mailman web archives), is called BenzinArc (Benzin Archiver) and can be used both as a cron job and as a standalone application. BenzinArc is still work in progress. No code has been released yet. An overview of the HTML version of the CodeTRAX Mailing List Archives is available. Currently, only one read-only mailing list, codetrax-bugs, exists. This is a dedicated list to the bug reports of all projects hosted by CodeTRAX, but it is enough to serve as an example.

All this mailing-list-related stuff has kept me away from working on the 0.7.1 release of the TraxAuth Account System, but I assume all that was absolutely necessary. Although my free time will be very little in the upcoming weeks, I guess I will be able to release a new version of TraxAuth and the first public test release of BenzinArc.

Related Articles

• Organizing Mailing List messages with Evolution
• Next time, come prepared
• TraxAuth
• Mozilla Thunderbird 3 is out!
• Blog Freeze

• The Mailman is too bloated. I admit it has (almost) all the features one would need, but much of this stuff is not actually that useful. Its sources alone consume 22+ MB of disk space.
• The actions (configuration) that need to be performed in order to make the software work on an SSL virtual host are not obvious and are only stated into the FAQ, but not in the main installation documentation. This means merciless waste of time.
• As soon as I finished configuring the Mailman, I realized that this 22MB software which supports features that would satisfy the Earth’s most weird users and whose main reason of existence is to send emails to lists of email addresses does not support SMTP authentication. This means that if your SMTP service requires authentication in order to send emails to domains for which it is not the final destination or if the SMTP service runs on a separate machine, you will have to loosen the server’s security in order to make the SMTPdirect mailman’s delivery method work. (fixing this by hacking the SMTPDirect.py source is rather easy, but – for me – not acceptable when it comes to the flagship of mailing list managers)

Currently, I experiment with another (less popular) mailing list manager, which seems to be lean and mean enough for my needs – allow me not to disclose the software’s name at this moment. If all goes well, I will publish a guide on how to set it up.

I admit that I should have done some research before sticking with the mailman. This was a lesson.

Related Articles

• Mailing List Manager
• Organizing Mailing List messages with Evolution
• Mozilla Thunderbird 3 is out!
• Blog Freeze
• More Data Recovery Tools

Introduction

Searching the web for mod_gnutls binary distribution packages or information on how to set it up returned very few relevant results. This was a surprise, as, at this moment, the only implementation that supports SNI is mod_gnutls. So, I decided to write a tutorial on how to set things up for a test. I hope you find it useful.

The test that is described in this guide includes:

1. The compilation of the mod_gnutls module.
2. The generation of SSL certificates.
3. The configuration of the SSL-enabled name-based virtual hosts.

This test was performed on a server that runs Fedora 7.

Installation

In order to compile mod_gnutls, you will need the development tools for Fedora:

# yum groupinstall "Development Tools"

Install the mod_gnutls dependencies:

# yum install httpd-devel gnutls-devel

As an unprivileged user, download the mod_gnutls distribution and compile it.

$ wget http://www.outoforder.cc/downloads/mod_gnutls/mod_gnutls-0.2.0.tar.bz2
$ tar -xjvf mod_gnutls-0.2.0.tar.bz2
$ cd mod_gnutls-0.2.0
$ ./configure --prefix=/usr
$ make

Do not use the ‘make install‘ script, but perform the installation manually – it is only one library.

As root, copy libmod_gnutls.so to the directory that holds the Apache modules (usually /usr/lib/httpd/modules) and rename it to mod_gnutls.so for consistency:

# cp mod_gnutls-0.2.0/src/.libs/libmod_gnutls.so /usr/lib/httpd/modules/mod_gnutls.so

During the compilation, two keys, dhfile and rsafile, have been generated in the mod_gnutls-0.2.0/data/ directory. It is absolutely important to copy these files in httpd’s configuration directory (usually /etc/httpd/conf/), otherwise mod_gnutls will never work. This is undocumented, and I found out about it after some trial&error.

As root:

# cp mod_gnutls-0.2.0/data/{dh,rsa}file /etc/httpd/conf/

Installation is complete.

SSL certificates

In this test installation, two virtual hosts will be used. Thus, two SSL certificates will be required. Please read my article on how to generate SSL certificates for your servers, as this information is beyond the scope of this document. Alternatively, you may use a ready-made script which will create those certificates for you quickly. Such scripts are shipped will almost all Linux distributions. Please consult your distribution’s documentation for more information.

HTTPd Configuration

The configuration of the Apache web server includes two phases:

1. The configuration of the main server.
2. The configuration of the virtual hosts.

In the following instructions, some brief notes about what each directive does is included. For more detailed information, please consult the mod_gnutls documentation.

Main Server Configuration

This includes setting some general mod_gnutls options, which will be inherited by all virtual hosts.

But, first of all, httpd needs to be set to listen on port 443 (in addition to port 80). Instead of specifying the SSL port only (Listen 443) which will lead httpd to listen to all the available network interfaces, you may specify the exact network interface on which the server will listen. For example:

Listen 192.168.0.1:443

Next, load mod_gnutls:

LoadModule gnutls_module modules/mod_gnutls.so

Add some MIME-types for downloading Certificates and CRLs from your web sites (taken from the mod_ssl configuration):

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

It is suggested that you use a session cache for mod_gnutls. This will increase its performance. In this example, the dbm cache type is used. This cache type requires a directory where mod_gnutls will actually save SSL session data. So, creating a directory for this purpose and giving ownership to the user that runs Apache (usually apache or www-data) is needed. Assuming that the Apache user is apache, as root issue the commands:

# mkdir -m 0700 /var/cache/mod_gnutls_cache
# chown apache:apache /var/cache/mod_gnutls_cache

Now, back to the Apache configuration. The following directive sets the dbm SSL Session Cache for mod_gnutls:

GnuTLSCache dbm "/var/cache/mod_gnutls_cache"

Set a timeout for the SSL Session Cache entries. Usually, this is set to 300 seconds:

GnuTLSCacheTimeout 300

Finally, specify that on the 192.168.0.1:443 interface and port there will be name-based virtual hosts; that is vhosts that share the specified interface and port:

NameVirtualHost 192.168.0.1:443

Virtual Host Configuration

The example virtual hosts are: v1.example.org and v2.example.org. It is assumed that two SSL certificates with the canonical name (CN) correctly set to each of the aforementioned vhost domains have been generated.

In the following vhost configs, only the absolutely required directives have been used. The rest of the options are inherited from the main server.

<VirtualHost 192.168.0.1:443>
    ServerName v1.example.org:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki_custom/certs/v1.example.org.crt
    GnuTLSKeyFile /etc/pki_custom/private/v1.example.org.key
    DocumentRoot "/var/www/v1/public_html"
</VirtualHost>

<VirtualHost 192.168.0.1:443>
    ServerName v2.example.org:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki_custom/certs/v2.example.org.crt
    GnuTLSKeyFile /etc/pki_custom/private/v2.example.org.key
    DocumentRoot "/var/www/v2/public_html"
</VirtualHost>

Testing the setup

Having finished with the configuration, review the changes, restart the server and check the error logs for any errors.

Use a web browser to visit each of the virtual hosts by using the HTTPS protocol:

https://v1.example.org/

https://v2.example.org/

Until now, the web server did not support the SNI TLS extension. Therefore, when visiting the v2.example.org virtual host, you would see two warnings in your browser. The first one would be because the vhost’s certificate has not been issued by a trusted Certificate Authority – this is normal as it was you who issued that certificate – and the other one because on a server without SNI support it is actually the V1 vhost’s certificate that is used when visiting V2 vhost over https. Remember the limitation with SSL and name-based virtual hosts?

With mod_gnutls, the server supports the SNI TLS extension. Although the virtual hosts are name-based, no matter which one you visit, the relevant certificate for each vhost is used and the only warning you see is the one about the certificates being self-signed. You can get rid of these by purchasing a certificate that is issued by a trusted Certificate Authority.

Conclusion

mod_gnutls works. Actually, it was a real pleasure to see SNI work!

It is important to note though that mod_gnutls is still in experimental phase. Therefore, performance issues should be considered as normal when using it.

At the moment of writing, my server uses Fedora 7 as an operating system. As I haven’t upgraded my desktop to F7 yet and my server does not have any development tools installed, I compiled mod_gnutls on a Fedora 6 system and used it on Fedora 7. I do not know if that was the reason – and I did not have the necessary free time to investigate – or anything else, but, during the use of mod_gnutls, my server’s load average increased significantly.

I will test mod_gnutls again soon and post the new results, if they are different than the ones I present in this article. I highly recommend that you try it, as it is currently the only way to easily achieve SSL-enabled name-based virtual hosts using the SNI TLS extension. Note, that this extension will be supported by openssl 0.99, so the moment that SNI goes mainstream and such a setup becomes easy and cheap to implement with any Linux distribution is close.

One last thing that has not been mentioned at all is about SNI support in web browsers. Currently, with the exception of Safari (this is unconfirmed, please correct me if I am wrong), the latest versions of all major web browsers, Firefox and other Mozilla-based browsers, Internet Explorer, Opera, support SNI.

Related Articles

• mod_gnutls binary for Apache
• Assign Virtual IPs to your NIC
• Use mod_deflate to Compress Web Content delivered by Apache
• Be your own Certificate Authority (CA)
• Script for Apache Error Report

I highly recommend that all – not only the Greek readers – read the article. I suggest you download the PDF version from this page, so you can enjoy, together with the excellent content, the creative and informative illustration as well.

More information and links to news sites that host comments about the article can be found in this blog post by Diomidis Spinellis.

Related Articles

• CC Configurator plugin version 1.0 is out!
• Creative Commons v3.0 Licenses Launched
• Threads In Python
• Howto: Run VMWare on a Physical Windows Partition
• WordPress… I’m counting on you