Network auto-detection scripts
Some time ago
I had to redo the network auto-detection scripts on
my laptop when the hard disk crashed and I had no backup.
Here's an attempt at documenting things.
The picture: My laptop has an ethernet and a wireless card,
tlp0 and ath0. Ethernet can be plugged in at times, and should have
precedence over wireless -- this is mostly to prevent a wifi network
bouncing up and down from interrupting operation via the cable. Wireless can be
configured in several ways, including no security, WEP or WPA.
The machine should try to find network when
waking up from APM, when ethernet is plugged in, or when a
wireless network is found (using whatever SSID).
The idea is to use wpa_supplicant(8) to detect wifi networks and mark the
ath0 interface as connected, and ifwatchd(8) to detect if either ethernet
or wifi is "connected" or disconnected, both when the machine's running
and when it returns from sleep.
A shell script then runs dhcp and does assorted setup and cleanup.
The main engine in this setup is ifwatchd(8),
which basically handles all the work that's either induced by
kicking wpa_supplicant(8) via APM, wpa_supplicant(8) finding a
working wifi network, or by plugging in/out an ethernet cable.
With these four steps -- rc.conf, wpa.conf, ifwatch-script, and APM script
-- things should be in place to auto-detect cable and wifi networks,
and get things online.
- rc.conf: start wpa_supplicant(8) on ath0 with my config file, and
ifwatchd(8) with the up/down scripts watching tlp0 and ath0:
wpa_supplicant_flags="-B -iath0 -c/root/wpa.conf"
ifwatchd_flags="-c /root/ifwatch-up -n /root/ifwatch-down tlp0 ath0"
- WPA supplicant config: /root/wpa.conf
Here's a sample config file for wpa_supplicant(8) that I use
for University, home and another place. Note that the WPA setup in there
is a bit more complex than in a home setup with just a pre-shared key.
% cat /root/wpa.conf
# WPA-enabled network with identities
# (used at uni-regensburg.de and fh-regensburg.de)
# An unencrypted (open) network:
# A WEP-encrypted network with pre-shared key:
- Watching interfaces: /root/ifwatch-updown
ifwatchd(8) can't pass extra parameters to the scripts it runs, so I'm using
two different names for the same script, and look at $0 to see if we're
going up or down:
% ls -la /root/ifwatch-*
lrwxr-xr-x 1 root wheel 14 Mar 10 12:27 /root/ifwatch-down -> ifwatch-updown
lrwxr-xr-x 1 root wheel 14 Mar 10 12:27 /root/ifwatch-up -> ifwatch-updown
-rwxr-xr-x 1 root wheel 760 Aug 16 11:45 /root/ifwatch-updown
Here is the script that handles ethernet and wifi networks
going up and down:
% cat /root/ifwatch-updown
#!/bin/sh
# See if network is going up or down, to be called via ifwatchd(8)
# Copyright (c) 2007 Hubert Feyrer <email@example.com>
# All rights reserved.
#
# ifwatchd(8) passes the interface name as $1; whether the link came up
# or went down is taken from the name this script was called as ($0).
case $0 in
*ifwatch-up)
    case $1 in
    tlp0)
        # Disable wireless bouncing up and down if we're on wire
        logger stopping wpa_supplicant
        sh /etc/rc.d/wpa_supplicant stop
        ;;
    esac
    sh /etc/rc.d/network restart
    sh /etc/rc.d/ntpd restart
    ;;
*ifwatch-down)
    case $1 in
    tlp0)
        # Re-enable wireless if we go off-wire
        logger starting wpa_supplicant
        sh /etc/rc.d/wpa_supplicant start
        ;;
    esac
    pkill -x ssh
    sh /etc/rc.d/ntpd stop
    sh /etc/rc.d/network stop
    # "network stop" leaves this route behind, so remove it by hand
    route delete 126.96.36.199/24
    ;;
*)
    logger "$0 $@": unknown
    ;;
esac
logger "$0 $@" done.
echo ^G >/dev/console    # ^G is a literal BEL (0x07) character
A few comments:
- As the comment says, if the ethernet interface (tlp0)
is found to be connected, wpa_supplicant(8) is stopped to prevent
it from bouncing up and down and possibly disrupting things.
- I stop the network every time, to flush routes and everything.
This mostly works, but not completely, thus I remove one route
manually. Someone please fix "route flush"...
- I use NTP, and to prevent ntpd(8) from spamming the logs when
offline, I disable it when offline.
- When network goes away, I kill my ssh sessions. I prefer this
over dead sessions that I have to kill with ~.
- The echo-command in the last line sends a beep with ^G to give
a signal that network's up/down now.
- APM setup:
During my experiments, wpa_supplicant(8) died during suspend/resume,
so I stop it before suspending, and start it after resuming. This
may also have positive effects on power consumption (if not, it should
probably be hooked in here). My machine uses APM, and I mostly use
/usr/share/examples/apm/script; see that file for install instructions.
Here's the diff that I use to handle wpa_supplicant - dhclient is
restarted via ifwatchd:
% diff -u /usr/share/examples/apm/script /etc/apm/battery
--- /usr/share/examples/apm/script 2003-03-11 15:56:54.000000000 +0100
+++ /etc/apm/battery 2007-03-10 12:57:21.000000000 +0100
@@ -25,7 +25,7 @@
# What my network card's recognized as:
LOGGER='logger -t apm'
@@ -43,8 +43,11 @@
# In case some NFS mounts still exist - we don't want them to hang:
umount -a -t nfs
umount -a -f -t nfs
- ifconfig $if down
- sh /etc/rc.d/dhclient stop
+ sh /etc/rc.d/wpa_supplicant stop
+ cd /usr/tmp ; make off
$LOGGER 'Suspending done.'
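Review bot: `cd /usr/tmp ; make off` runs whatever Makefile happens to be in /usr/tmp, as root, on every suspend, and because the two commands are joined with `;` rather than `&&`, `make off` still runs in the current directory if the cd fails. Prefer a directory only root can write to (or call the unconfigure script by absolute path) and `cd /dir && make off`. The exit status is also ignored: if `make off` fails, for example because a file under the encrypted mount is still open, the script still reports 'Suspending done.' while the data stays mounted through the suspend; test the status and log the failure with $LOGGER.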
@@ -62,7 +65,9 @@
- sh /etc/rc.d/dhclient start
+ sh /etc/rc.d/wpa_supplicant start
# mount /home
# mount /data
$LOGGER 'Resuming done.'
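Review bot: `sh /etc/rc.d/wpa_supplicant start` runs unconditionally on resume, so with the cable plugged in it is started here and then stopped again by the ifwatchd up-script for tlp0 shown earlier on this page; checking the ethernet link state with ifconfig(8) before starting it would avoid that bounce. The hunk header promises three added lines but only this one is visible, so the other two cannot be reviewed, and since the `dhclient start` line is gone, address configuration after resume now depends entirely on ifwatchd still running.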
The "make off" when shutting down the machine unmounts the
cgf-encrypted data partition
that I'm using for SSH and PGP keys. I manually mount it when
I need it again.
The future -- more work on this would include
adding ACPI/powerd(8) scripts,
and putting all of this either into the default NetBSD install,
or at least into NetBSD's /usr/share/examples.
[Tags: apm, cgd, cgf, ifwatchd, networking, wlan, wpa]
Article: Verschluesselte Dateisysteme fuer NetBSD
The December 2006 issue of UpTime, the magazine of the German Unix User Group (GUUG), has an article by Stefan Schumacher titled "Verschlüsselte Dateisysteme für NetBSD" (encrypted file systems with NetBSD).
The German-language article introduces two ways to implement encrypted file systems under NetBSD. CGD is a NetBSD-specific solution which works on the disk-block layer; the other one is CFS, which uses the NFS server interface and works under BSD, Linux and Solaris. Thus, CFS can be used in heterogeneous networks and on changeable media to exchange data.
[Tags: Articles, cfs, cgd, Security]
CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop (Updated)
OK, a friend of mine
blogged the other day
about setting up an encrypted disk on FreeBSD, which reminded me of this
thing I'm using on my laptop to carry sensitive things like SSH keys,
my address database etc., which I came up with when I went to the USA for
a few months last year.
the CGD chapter of the NetBSD Guide
I had a rough idea on how to do the whole thing on a disk partition, but I
wanted to keep everything in a file so I would not have to re-partition my
Ignoring the Guide's warning that cgd(4) on vnd(4) doesn't work
(and proving it wrong, for me :-), I've used vnd(4) happily since for
Below, I'll outline the tasks for
- setting up my "CryptoGraphicFile" (CGF) using cgd-in-vnd,
- what to do to use the data
- what to do to stash things away again
1) Setting up my CryptoGraphicFile (CGF)
We have created a filesystem inside a disk-file in $HOME/S in this
step. The file is protected by a password which needs to be entered
when used. Security of the data in that filesystem depends on this
password alone, e.g. if this is on your laptop and the laptop's
stolen, so make sure you use something non-trivial!
- Decide on a place for the actual data and the amount of
data you want to protect. "du -sm ~/.ssh ~/.gnupg"
tells me that 10MB is plenty, and I'll use these values here: in the
commands below, $base is the file ($HOME/S) and $size its size in MB (10).
Also, the (decrypted) data will be mounted on /secure.
- The first step of creating a $size MB big file
and making it accessible as vnd(4) device is pretty easy:
# dd if=/dev/zero of=$base bs=1m count=$size
10+0 records in
10+0 records out
10485760 bytes transferred in 0.479 secs (21890939 bytes/sec)
# chmod go-rwx $base
# vnconfig vnd0 $base
- Next we create a parameter file for cgd(4). We use AES encryption
with 256 bit:
# cgdconfig -g -V disklabel -o $base.cgd aes-cbc 256
If this step fails with
cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen
make sure that you have enough bits of entropy
available for /dev/random. Just open up an xterm and run something like
"ls -lR /" in it.
- Next, the disk can be configured and newfs'd. This is the step
where the password for the CGF is set, and you'd better not forget it:
# cgdconfig -V re-enter cgd0 /dev/vnd0a $base.cgd
re-enter device's passphrase:
# newfs /dev/cgd0a
/dev/cgd0a: 10.0MB (20480 sectors) block size 4096, fragment size 512
using 4 cylinder groups of 2.50MB, 640 blks, 1184 inodes.
super-block backups (for fsck_ffs -b #) at:
32, 5152, 10272, 15392,
- Now the CGF can be mounted:
# mount /dev/cgd0a /secure
# df -h /secure
Filesystem Size Used Avail Capacity Mounted on
/dev/cgd0a 9.4M 512B 8.9M 0% /secure
# ls /secure
- Of course there's nothing on the newly created CGF. Let's
undo things for the first-time configuration to finish our
# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0
If you get a "Filesystem busy" in the first step,
remember to "cd /". :)
2) Using the encrypted data
After we have created a secure filesystem inside a file in $HOME/S now,
we can configure it for using with the following steps:
# vnconfig vnd0 $base
# cgdconfig -V none cgd0 /dev/vnd0a $base.cgd
# fsck -p /dev/cgd0a
# mount /dev/cgd0a /secure
The cgdconfig-command above will ask for the password. Be sure
to enter the same one that you gave it during the steps above!
After these steps, /secure is accessible again, and will be so
until you shutdown the system or unconfigure it as shown below.
Before repeating how to unconfigure the CGF, the disk should
probably be populated with a few precious files. To still make
the files accessible in a transparent way (when /secure is
mounted!), symlinks can be used. E.g. the following will put
an especially precious SSH key onto this secure file:
# mv ~feyrer/.ssh/important_key /secure
# ln -s /secure/important_key ~feyrer/.ssh
With appropriate SSH configuration, I will be able
to use that key only when /secure is mounted. If
it's not: bad luck. (Of course this whole example
is somewhat artificial as you could just trust your
key to a proper passphrase as well, but well :).
Other examples I've used this with are PGP keys,
my private address database, calendar and some other
files I prefer to have near me when traveling.
3) What to do to stash things away again
To make things safe again, either shutdown the system, or run these steps:
# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0
Of course the steps to configure/unconfigure the CGF
can be put into shell scripts (which I've done; I should
probably make a package out of this...) for easy automation.
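The create, configure and unconfigure steps from 1), 2) and 3) wrapped into one small sh script, as an added example here (not the author's own script): it refuses to overwrite an existing backing file, releases the vnd again when cgdconfig or fsck fails, and does the cd / before umount. The variable names, the CGF_DRYRUN switch and the defaults ($HOME/S, /secure, vnd0, cgd0) are assumptions taken from the post's values.

```shell
#!/bin/sh
# cgf: create / configure / unconfigure a cgd-in-vnd "CryptoGraphicFile".
# Assumed layout (defaults; override via the environment):
#   CGF_BASE   backing file, default $HOME/S; "$CGF_BASE.cgd" is its parameter file
#   CGF_MOUNT  mount point, default /secure; CGF_VND / CGF_CGD the device names
# Run as root. CGF_DRYRUN=1 prints each command instead of executing it.
: "${CGF_BASE:=$HOME/S}" "${CGF_MOUNT:=/secure}" "${CGF_VND:=vnd0}" "${CGF_CGD:=cgd0}"

run() { if [ -n "$CGF_DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# Release the cgd/vnd pair again (the unconfigure part of steps 1 and 3).
cgf_release() { run cgdconfig -u "$CGF_CGD"; run vnconfig -u "$CGF_VND"; }

# Step 1: ${1:-10} MB file readable by root only, AES-CBC-256 parameter file,
# passphrase set via "re-enter", newfs. Refuses to clobber an existing file.
cgf_create() {
    [ -e "$CGF_BASE" ] && { echo "$CGF_BASE exists, not overwriting" >&2; return 1; }
    run dd if=/dev/zero of="$CGF_BASE" bs=1m count="${1:-10}" || return 1
    run chmod go-rwx "$CGF_BASE"
    run vnconfig "$CGF_VND" "$CGF_BASE" || return 1
    run cgdconfig -g -V disklabel -o "$CGF_BASE.cgd" aes-cbc 256 || { run vnconfig -u "$CGF_VND"; return 1; }
    run cgdconfig -V re-enter "$CGF_CGD" "/dev/${CGF_VND}a" "$CGF_BASE.cgd" || { run vnconfig -u "$CGF_VND"; return 1; }
    run newfs "/dev/${CGF_CGD}a"
    cgf_release
}

# Step 2: make the data available. A wrong passphrase makes cgdconfig fail;
# the vnd is then released rather than left configured.
cgf_up() {
    run vnconfig "$CGF_VND" "$CGF_BASE" || return 1
    run cgdconfig -V none "$CGF_CGD" "/dev/${CGF_VND}a" "$CGF_BASE.cgd" || { run vnconfig -u "$CGF_VND"; return 1; }
    run fsck -p "/dev/${CGF_CGD}a" || { cgf_release; return 1; }
    run mount "/dev/${CGF_CGD}a" "$CGF_MOUNT"
}

# Step 3: stash it away. cd / first so our own cwd cannot cause "Filesystem busy".
cgf_down() {
    cd / || return 1
    run umount "$CGF_MOUNT" || return 1
    cgf_release
}

case ${1:-} in
    create) cgf_create "$2" ;;
    up)     cgf_up ;;
    down)   cgf_down ;;
    *)      echo "usage: $0 create [size_mb] | up | down" >&2 ;;
esac
```

Drop it into /etc/apm/suspend as `cgf down` (and run `cgf up` when the data is needed again), which is the use the post describes.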
One such place where the above commands can be very handy
is when suspending a laptop via APM: Place them into
/etc/apm/suspend, and you won't have to worry
about your files when your laptop is in suspended state.
When you need your secured files again, a script with the
commands noted under 2) can be run.
I'm using this setup on my laptop, and I'm quite happy with
things that way. Maybe you will be, too!
Curt Sampson wrote me about a nice way to lock the machine
in case someone un-suspends it: simply run xlock *on suspend*.
When X is started in a way that it won't get back to the shell
upon ctrl-alt-backspace, this won't allow access to any file
in case the machine gets stolen.
One other precaution that could be taken is to use encrypted
swap, to prevent sensitive data getting into swap, and a
malicious hacker getting it from there after taking
the disk out of the machine. A good hint, from someone (name
forgotten) on #NetBSD.
[Tags: cgd, cgf, Docs, Security]
Big numbers 2: cgd-on-vnd results (not only) on Xen
Johnny Lam was wondering what the best
algorithm was to protect his Xen "user" domains from being
read from the Xen "domain0" master domain. As such, he configured
CGD to use various algorithms and measured their read and write
speed in relation to filesystem block sizes. See his
posting to port-xen
for some interesting numbers on what algorithm to use or avoid.
[Tags: cgd, xen]
NetBSD CGD Setup
is another page describing a very brief setup of NetBSD's cryptographic
disk driver (cgd). Nice: Contains a list of other information,
the NetBSD guide's CGD chapter and
Roland Dowdeswell and John Ioannidis' original CGD paper.
[Tags: cgd, Docs, Security]
Disclaimer: All opinion expressed here is purely my own.
No responsibility is taken for anything.