Archive November 14, 2022

Python 3.10 on OL8

Step 1 – Install Required Dependencies

The latest version of Python is not included in the Oracle Linux 8 default repo, so you will need to compile it from the source.

To compile Python from the source, you will need to install some dependencies on your system. You can install all of them by running the following command:

dnf install curl gcc openssl-devel bzip2-devel libffi-devel zlib-devel sqlite-devel wget make -y

Once all the dependencies are installed, you can proceed to the next step.

Step 2 – Install Python 3.10.8 on Oracle Linux 8

Next, visit the Python official download page and download the latest version of Python using the following command:

wget https://www.python.org/ftp/python/3.10.8/Python-3.10.8.tgz

Once the download is completed, extract the downloaded file using the following command:

tar xzf Python-3.10.8.tgz

Next, change into the extracted directory and configure the build. This step does not need root; only the final install does:

cd Python-3.10.8
./configure --enable-optimizations --with-system-ffi --with-computed-gotos

Next, start the build. The core count has to come from command substitution, $(nproc); the parameter expansion ${nproc} expands to an empty string, and make -j with no number starts an unbounded number of jobs:

make -j "$(nproc)"

Finally, install Python 3.10. Use altinstall rather than install: it installs python3.10 and pip3.10 under their versioned names and leaves the distribution's default python3 binary, which system tooling depends on, untouched:

sudo make altinstall

After the successful installation, verify the Python installation using the following command:

python3.10 --version

You will get the following output:

Python 3.10.8

Step 3 – Create a Virtual Environment in Python

Python provides a venv module that helps developers to create a virtual environment and deploy applications easily in an isolated environment.

To create a virtual environment named python-env, run the following command:

python3.10 -m venv python-env

Next, activate the virtual environment using the following command:

source python-env/bin/activate

Your prompt changes to show the active environment:

(python-env) [root@oraclelinux8 ~]#

Now you can use pip to install packages and their dependencies inside the virtual environment; while it is active, pip and pip3.10 both refer to the environment's own copy.

For example, run the following command to install apache-airflow:

pip3.10 install apache-airflow

If you want to remove this package, run the command below:

pip3.10 uninstall apache-airflow

To exit from the Python virtual environment, run the following command:

deactivate
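The three steps above as one script, added here as an example and not part of the original post. It adds the check a practitioner wants before compiling something downloaded over the network: the tarball's SHA-256 is compared with the digest published on the python.org download page. PY_SHA256 is an assumption you must fill in yourself (copy it from the release page for the exact tarball); the script refuses to build without it. It installs with make altinstall for the reason given above, and nothing runs unless PYBUILD_RUN=1 is set, so the file can be sourced just for its functions.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1-3 as one script, with a
# SHA-256 check of the tarball before it is compiled and `make altinstall` so the
# distribution's python3 is not shadowed.
# Assumption: PY_SHA256 must be set by you to the digest published on the
# python.org download page for this exact tarball; nothing here fetches it.
set -eu

PY_VERSION="${PY_VERSION:-3.10.8}"
PY_TARBALL="Python-${PY_VERSION}.tgz"
PY_URL="https://www.python.org/ftp/python/${PY_VERSION}/${PY_TARBALL}"
PY_SHA256="${PY_SHA256:-}"
VENV_DIR="${VENV_DIR:-python-env}"

# verify_sha256 FILE EXPECTED : 0 when FILE's SHA-256 equals EXPECTED (lower-case hex).
verify_sha256() {
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# build_python : Steps 1 and 2 of the post, with the integrity check inserted.
build_python() {
  if [ -z "$PY_SHA256" ]; then
    echo "PY_SHA256 is not set; copy the digest from python.org first" >&2
    return 1
  fi
  sudo dnf install -y curl gcc openssl-devel bzip2-devel libffi-devel zlib-devel sqlite-devel wget make
  wget -q "$PY_URL"
  if ! verify_sha256 "$PY_TARBALL" "$PY_SHA256"; then
    echo "SHA-256 mismatch for $PY_TARBALL; refusing to build it" >&2
    return 1
  fi
  tar xzf "$PY_TARBALL"
  cd "Python-${PY_VERSION}"
  ./configure --enable-optimizations --with-system-ffi --with-computed-gotos   # no root needed here
  make -j "$(nproc)"
  sudo make altinstall      # installs python3.10, leaves the OS python3 alone
  cd ..
}

# make_venv : Step 3, using the freshly installed interpreter.
make_venv() {
  python3.10 -m venv "$VENV_DIR"
  echo "activate with: . $VENV_DIR/bin/activate"
}

# Nothing runs unless asked, so the file can be sourced just for its functions.
if [ "${PYBUILD_RUN:-0}" = 1 ]; then
  build_python
  python3.10 --version
  make_venv
fi
```

Run it as PY_SHA256=<digest from python.org> PYBUILD_RUN=1 sh build-python.sh. A mismatch aborts before configure runs, which is the point: a tampered or truncated download should never reach the compiler.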

Conclusion

In this guide, we explained how to install Python 3.10.8 on Oracle Linux 8. You can now install Python in the development environment and start developing your first application using the Python programming language.

How to check if AES-NI is enabled for OpenSSL on Linux

Intel Advanced Encryption Standard New Instructions (AES-NI) is a special instruction set for x86 processors, which is designed to accelerate the execution of AES algorithms. AES-based symmetric encryption is widely used in a variety of security applications and protocol implementations (e.g., IPSec, SSL/TLS, HTTPS, SSH). OpenSSL crypto library supports AES-based ciphers as well.

To take advantage of available hardware extensions, OpenSSL exposes the EVP crypto API (EVP_EncryptInit_ex/EVP_EncryptUpdate and the EVP_Decrypt* counterparts), which automatically uses hardware acceleration such as AES-NI when it is present and falls back to the software implementation when it is not, behind a single interface. The older low-level AES_* functions never use AES-NI. So if you want to check whether the installed OpenSSL actually benefits from AES-NI, you can compare the two paths.

Check if AES-NI is Available on CPU Processors

Before proceeding, verify that the CPU advertises the AES instruction set by inspecting its flags. The -w flag matters: newer CPUs also report a vaes (vector AES) flag, which a plain substring match for aes would also hit.

$ grep -m1 -ow aes /proc/cpuinfo
aes

If the output shows aes, AES-NI is available on the CPU. This only says the hardware has it: a hypervisor can hide the flag from a guest, and OpenSSL can still fail to use it, which is what the next check is for.

Check if AES-NI is Enabled for OpenSSL

To check whether OpenSSL can leverage AES instruction sets, you can use OpenSSL’s EVP APIs. When EVP APIs are called, they can automatically detect the presence of AES-NI and accelerate AES encryption computations using AES instruction sets. Thus you can compare AES performance with or without EVP functions. If AES-NI is available for OpenSSL, you will see significant performance boost when EVP functions are used.

Let’s use OpenSSL’s built-in speed test.

To measure AES algorithm speed without AES-NI acceleration:

$ openssl speed -elapsed aes-128-cbc

To measure AES algorithm speed with AES-NI acceleration (via EVP APIs):

$ openssl speed -elapsed -evp aes-128-cbc

Both commands print encryption rates for several block sizes (each run takes a few seconds per block size). If the -evp figures are several times higher than the non-EVP figures (roughly fivefold is typical), AES-NI is enabled for OpenSSL. If OpenSSL cannot use AES-NI for any reason, the two outputs show about the same throughput, because both are then running the software implementation.
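The comparison above, scripted and extended, as an added example that is not part of the original article. Besides the EVP versus non-EVP ratio it makes a second, cleaner measurement: OpenSSL honours the OPENSSL_ia32cap environment variable, and the value ~0x200000000000000 clears bit 57 of the capability vector, which is the AES-NI bit, for that one process. Comparing EVP with AES-NI masked against EVP with it enabled isolates the hardware effect, since both runs go through the same code path. The parser is written to accept both the lower-case row label that OpenSSL 1.1 prints and the upper-case one that OpenSSL 3 prints for -evp; the sample rows used in the usage note are constructed, not measured. The benchmark itself only runs when AESNI_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article: run the EVP vs non-EVP
# comparison, compute the speed-up, and repeat the measurement with AES-NI
# masked via OPENSSL_ia32cap so that both runs use the same EVP code path.
# Bit 57 of the OPENSSL_ia32cap capability vector is AES-NI; the value
# "~0x200000000000000" clears it for that one process only.
set -eu

CIPHER="${CIPHER:-aes-128-cbc}"

# throughput_k : read `openssl speed` output on stdin and print the last column
# (largest block size, in kB/s) of the row for $CIPHER. OpenSSL 1.1 labels the
# row "aes-128-cbc"; OpenSSL 3 prints "AES-128-CBC" for -evp, hence tolower().
throughput_k() {
  awk -v c="$CIPHER" 'tolower($1) == c { v = $NF; sub(/k$/, "", v); print v; exit }'
}

# speedup A B : print B/A to two decimals; both arguments are kB/s.
speedup() {
  awk -v a="$1" -v b="$2" 'BEGIN { if (a + 0 == 0) print "n/a"; else printf "%.2f\n", b / a }'
}

# cpu_has_aes : 0 when the aes flag is present; -w avoids matching "vaes".
cpu_has_aes() {
  grep -q -m1 -w aes /proc/cpuinfo
}

run_checks() {
  if cpu_has_aes; then echo "cpu: aes flag present"; else echo "cpu: no aes flag"; fi
  no_evp=$(openssl speed -elapsed "$CIPHER" 2>/dev/null | throughput_k)
  evp=$(openssl speed -elapsed -evp "$CIPHER" 2>/dev/null | throughput_k)
  masked=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -elapsed -evp "$CIPHER" 2>/dev/null | throughput_k)
  echo "non-EVP: ${no_evp} kB/s   EVP: ${evp} kB/s   EVP with AES-NI masked: ${masked} kB/s"
  echo "EVP over non-EVP: $(speedup "$no_evp" "$evp")x"
  echo "AES-NI on over off (both EVP): $(speedup "$masked" "$evp")x"
}

if [ "${AESNI_RUN:-0}" = 1 ]; then run_checks; fi
```

Run with AESNI_RUN=1 sh aesni-check.sh; three speed runs take about a minute. A ratio near 1.0 on the second line, with the aes flag present, means the OpenSSL build or its provider is not using the instructions.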

Using a Yubikey for SSH on macOS

OpenSSH 8.2 introduced support for FIDO/U2F security keys: a file holding the key handle stands in for the private key file, and the token performs the signing. Getting this working on macOS with a fully functional ssh-agent takes a few extra steps.

Generating the keys

  1. You must choose between ed25519-sk and ecdsa-sk. Try ed25519-sk (Options 1 or 3) first. If it does not work due to device incompatibilities, fall back on ecdsa-sk (Options 2 or 4)
  2. You must choose if you want to store the key handle as a resident key on the device. If you want to, use options 1 or 2. If not, use options 3 or 4.

Signing with a U2F key requires the key handle to be sent to the device. When generating the key, ssh-keygen creates private and public key files that look similar to a normal SSH key pair. The "private key" file is really the key handle: it cannot be used without the hardware token, and the hardware token cannot sign without the key handle.

A resident key solves this by storing the key handle on the device itself. Not every token supports resident keys (this is a FIDO2 feature), and a device can hold only a limited number of them. It also reduces the security of the SSH key somewhat: whoever steals the token can read the handle back from it, leaving the PIN as the only remaining barrier. For this reason a good PIN is important.

It is your choice whether to use a resident key. If you do, you can load it straight into the ssh-agent with ssh-add -K, or write the key handle and public key to disk with ssh-keygen -K.

ssh-keygen -t ed25519-sk -O resident # 1
ssh-keygen -t ecdsa-sk -O resident   # 2
ssh-keygen -t ed25519-sk             # 3
ssh-keygen -t ecdsa-sk               # 4

Updating SSH

SSH v8.2 or higher is required to use a security key. Install it with brew.

brew install openssh opensc

You can specify the path to the key handle with IdentityFile in your ssh config, or you can configure the ssh-agent to hold it. The configuration in this guide assumes that brew installed ssh and opensc under /opt/homebrew (the prefix on Apple silicon; Intel Macs use /usr/local), so verify the paths on your system.

ssh-agent on macOS

To be used with a security key, the ssh-agent must also be OpenSSH 8.2 or later, which the system default is not; check with /usr/bin/ssh -V.

First, disable the macOS default ssh-agent for your user.

launchctl disable user/$UID/com.openssh.ssh-agent

Next, add a new launchd service for your ssh-agent. Add the following file to ~/Library/LaunchAgents/com.zerowidth.launched.ssh_agent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.zerowidth.launched.ssh_agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>sh</string>
    <string>-c</string>
    <string>/opt/homebrew/bin/ssh-agent -D -a ~/.ssh/agent -P '/opt/homebrew/lib/*,/opt/homebrew/Cellar/opensc/*/lib/*.so'</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>

And load it with launchctl load -w ~/Library/LaunchAgents/com.zerowidth.launched.ssh_agent.plist.

In your .bashrc or .zshrc, export the socket path so that ssh and ssh-add talk to this agent rather than the system one. Do not put a tilde inside the quotes; "~" is not expanded within double quotes, so use $HOME:

export SSH_AUTH_SOCK="$HOME/.ssh/agent"

This plist was created using the launchd plist generator at zerowidth. It runs /opt/homebrew/bin/ssh-agent -D -a ~/.ssh/agent -P '...'. -D keeps ssh-agent in the foreground so launchd can supervise it; -a ~/.ssh/agent makes the agent create its socket at that path, the one referenced by $SSH_AUTH_SOCK; and -P is the allow-list of paths from which the agent may load PKCS#11 provider and FIDO middleware libraries. The built-in allow-list covers only /usr/lib* and /usr/local/lib*, so without -P the agent refuses the OpenSC module from the Homebrew prefix. The pattern is quoted so the shell does not try to glob-expand it.

If you run into problems, unload the launchd service and run the agent by hand in debug mode (-d, which also keeps it in the foreground) to read the errors. Quote the -P pattern: zsh treats an unmatched glob as an error.

/opt/homebrew/bin/ssh-agent -d -a ~/.ssh/agent -P '/opt/homebrew/lib/*,/opt/homebrew/Cellar/opensc/*/lib/*.so'
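A quick way to confirm the pieces above are in place, added here as an example and not part of the original post. It checks three things: that the Homebrew ssh is at least 8.2 (parsing the line ssh -V prints to stderr), that the launchd-managed agent socket exists, and how many security-key identities the agent holds (FIDO-backed keys show up in ssh-add -L with the sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com key type). The prefix /opt/homebrew and the socket path ~/.ssh/agent are assumed from the plist; override BREW_SSH and AGENT_SOCK if yours differ. The checks run only when SSHCHECK_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the pieces above are
# in place, namely a Homebrew ssh that is at least 8.2, the launchd-managed
# agent socket, and security-key identities visible through that socket.
# Assumptions: Homebrew prefix /opt/homebrew and socket ~/.ssh/agent as in the
# plist; override BREW_SSH and AGENT_SOCK if yours differ.
set -eu

BREW_SSH="${BREW_SSH:-/opt/homebrew/bin/ssh}"
AGENT_SOCK="${AGENT_SOCK:-${HOME:-}/.ssh/agent}"

# ssh_version_ok "OpenSSH_8.9p1, ..." : 0 when the release is 8.2 or newer.
# The argument is the line that `ssh -V` prints (on stderr).
ssh_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  major=${ver% *}
  minor=${ver#* }
  if [ "$major" -gt 8 ]; then return 0; fi
  if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
  return 1
}

# count_sk_keys : number of security-key identities in `ssh-add -L` output read
# from stdin. FIDO-backed keys use the sk-ssh-ed25519@openssh.com and
# sk-ecdsa-sha2-nistp256@openssh.com key types; prints 0 when there are none.
count_sk_keys() {
  grep -c -E '^sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com ' || true
}

run_checks() {
  v=$("$BREW_SSH" -V 2>&1 | head -n 1)
  if ssh_version_ok "$v"; then echo "ok: $v"; else echo "FAIL: need OpenSSH 8.2 or newer, got: $v"; fi
  if [ -S "$AGENT_SOCK" ]; then echo "ok: agent socket $AGENT_SOCK"; else echo "FAIL: no socket at $AGENT_SOCK (is the launchd job loaded?)"; fi
  n=$(SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -L 2>/dev/null | count_sk_keys)
  echo "security-key identities in agent: $n (0 means run ssh-add -K, or ssh-add the key handle file)"
}

if [ "${SSHCHECK_RUN:-0}" = 1 ]; then run_checks; fi
```

If the version check passes but the identity count is 0 after ssh-add -K, the most common cause is a shell still pointing SSH_AUTH_SOCK at the system agent; compare echo $SSH_AUTH_SOCK with the -a path in the plist.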

Storing keys in the keyring

The following stanza can be adapted and placed in ~/.ssh/config. It removes the need to manually ssh-add keys with nonstandard names and stores key passwords if set in the macOS keyring.

Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_ecdsa_sk
  IdentityFile ~/.ssh/id_ed25519_sk

The first two lines tell ssh to store passphrases in the macOS keychain; UseKeychain is an Apple-specific option that the Homebrew build does not recognise, which is why IgnoreUnknown comes first. AddKeysToAgent adds any key that gets used to the agent automatically, and the two IdentityFile lines name the security-key files to try. All of this can also be configured per host.

Reloading the Yubikey if it times out and fails to sign

Sometimes the Yubikey stops working with SSH and signing fails. To fix it you simply have to re-add it to the agent. I wrote a simple function that works with my setup; you may need to make minor changes for it to work for you.

I added the following to my .zshrc; you can also add it to your .bashrc:

function reload_ssh {
  # pkcs11_path="/usr/lib/ssh-keychain.dylib"
  # pkcs11_path="/usr/local/lib/opensc-pkcs11.so"
  pkcs11_path="/opt/homebrew/lib/pkcs11/opensc-pkcs11.so"
  plist="$HOME/Library/LaunchAgents/com.zerowidth.launched.ssh_agent.plist"
  ssh_add_path="ssh-add"

  # Drop every identity the agent currently holds.
  "$ssh_add_path" -D
  if [ "${1:-}" = "-f" ]; then
    echo "Forcibly killing off previous process"
    launchctl unload "$plist"
    pkill -9 ssh-agent
    pkill -9 ssh-pkcs11-helper
    launchctl load -w "$plist"
  else
    # Detach the PKCS#11 provider; this fails if it was never attached or is wedged.
    if ! "$ssh_add_path" -e "$pkcs11_path" >/dev/null 2>&1; then
      echo "Failed to remove previous card. Retry or run with -f option"
    fi
  fi

  # Re-attach the provider (this prompts for the PIN) and re-add the default keys.
  "$ssh_add_path" -s "$pkcs11_path"
  "$ssh_add_path"
}

After adding this function you can run reload_ssh to re-add your Yubikey and fix the most common errors.

Install Remote Desktop Server on Oracle Linux

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP) that allows you to graphically control a remote system. With RDP, you can log in to the remote machine and create a real desktop session the same as if you had logged in to a local machine.

This tutorial explains how to install and configure Xrdp server on Oracle Linux 8.

Installing Desktop Environment

Generally, Linux servers don’t have a desktop environment installed. If the machine you want to connect to doesn’t have GUI, the first step is to install it. Otherwise, skip this step.

Gnome is the default desktop environment in Oracle Linux 8. To install Gnome on your remote machine, run the following command

sudo dnf groupinstall "Server with GUI"

Depending on your system, downloading and installing the Gnome packages and dependencies may take some time.

Installing Xrdp

Xrdp is packaged in EPEL. On Oracle Linux 8 the EPEL repository is enabled through Oracle's own release package rather than epel-release; if it is not enabled yet, install it by typing:

sudo dnf install oracle-epel-release-el8

Install the Xrdp package:

sudo dnf install xrdp 

When the installation process is complete, start the Xrdp service and enable it at boot:

sudo systemctl enable xrdp --now

You can verify that Xrdp is running by typing:

sudo systemctl status xrdp

The output will look something like this:

● xrdp.service - xrdp daemon
   Loaded: loaded (/usr/lib/systemd/system/xrdp.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-02-02 18:30:43 UTC; 11s ago
  ...

Configuring Xrdp

The configuration files are located in the /etc/xrdp directory. For basic Xrdp connections, you do not need to make any changes to the configuration files. Xrdp uses the default X Window desktop, which in this case, is Gnome.

The main configuration file is named xrdp.ini . This file is divided into sections and allows you to set global configuration settings such as security and listening addresses and create different xrdp login sessions.

Whenever you make any changes to the configuration file you need to restart the Xrdp service:

sudo systemctl restart xrdp

Xrdp uses startwm.sh file to launch the X session. If you want to use another X Window desktop, edit this file.

Configuring Firewall

By default, Xrdp listens on port 3389 on all interfaces. If you run a firewall on your Oracle Linux machine (which you should always do), you’ll need to add a rule to allow traffic on the Xrdp port.

Typically you would want to allow access to the Xrdp server only from a specific IP address or IP range. For example, to allow connections only from the 192.168.1.0/24 range, enter the following command:

sudo firewall-cmd --new-zone=xrdp --permanent
sudo firewall-cmd --zone=xrdp --add-port=3389/tcp --permanent
sudo firewall-cmd --zone=xrdp --add-source=192.168.1.0/24 --permanent
sudo firewall-cmd --reload

To allow traffic to port 3389 from anywhere use the commands below. Allowing access from anywhere is highly discouraged for security reasons.

sudo firewall-cmd --add-port=3389/tcp --permanent
sudo firewall-cmd --reload

For increased security, you may consider configuring Xrdp to listen only on localhost (the address setting in the [Globals] section of xrdp.ini) and creating an SSH tunnel that securely forwards traffic from port 3389 on your local machine to the same port on the server. With that arrangement no firewall rule for 3389 is needed at all.

Another secure option is to install OpenVPN and connect to the Xrdp server through the private network.
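The localhost-plus-SSH-tunnel option carried through, as an added example that is not part of the original tutorial. The weak setting is address=0.0.0.0, which exposes RDP on every interface; the hardened one is address=127.0.0.1, after which the only way in is the tunnel. The script edits just the [Globals] section of /etc/xrdp/xrdp.ini (the key names address and port in that section are assumed from the xrdp.ini layout the tutorial describes), keeps a backup, and prints the resulting listener. user@rdp.example.com is a placeholder. The server-side change runs only with XRDP_RUN=1; the tunnel function is meant for the client.

```shell
#!/bin/sh
# Added example, not from the original tutorial: bind xrdp to loopback and
# reach it through an SSH tunnel, so port 3389 is never opened in the firewall.
# Assumes the tutorial's /etc/xrdp/xrdp.ini, where the listener is set by the
# address= and port= keys in [Globals]; user@rdp.example.com is a placeholder.
set -eu

XRDP_INI="${XRDP_INI:-/etc/xrdp/xrdp.ini}"

# set_global_key FILE KEY VALUE : print FILE with KEY=VALUE in [Globals],
# replacing any existing KEY= line there and leaving other sections untouched.
set_global_key() {
  awk -v k="$2" -v v="$3" '
    BEGIN { re = "^" k "=" }
    /^\[/ { in_g = ($0 == "[Globals]"); if (in_g) { print; print k "=" v; next } }
    in_g && $0 ~ re { next }
    { print }
  ' "$1"
}

# global_key FILE KEY : print the value of KEY from [Globals] (empty if absent).
global_key() {
  awk -v k="$2" '
    BEGIN { re = "^" k "=" }
    /^\[/ { in_g = ($0 == "[Globals]"); next }
    in_g && $0 ~ re { sub(re, ""); print; exit }
  ' "$1"
}

# harden_xrdp : address=0.0.0.0 (every interface) becomes address=127.0.0.1
# (loopback only). The firewall rule for 3389 is then unnecessary.
harden_xrdp() {
  sudo cp "$XRDP_INI" "$XRDP_INI.bak"
  tmp=$(mktemp)
  set_global_key "$XRDP_INI" address 127.0.0.1 > "$tmp"
  sudo install -m 644 "$tmp" "$XRDP_INI"
  rm -f "$tmp"
  sudo systemctl restart xrdp
  echo "xrdp now listens on $(global_key "$XRDP_INI" address):$(global_key "$XRDP_INI" port)"
}

# tunnel [USER@HOST] : run on the client. Local port 3389 is forwarded over SSH
# to the server's loopback 3389; then point the RDP client at localhost:3389.
tunnel() {
  ssh -N -L 3389:127.0.0.1:3389 "${1:-user@rdp.example.com}"
}

if [ "${XRDP_RUN:-0}" = 1 ]; then harden_xrdp; fi
```

After hardening, ss -ltnp | grep 3389 on the server should show 127.0.0.1:3389 only, and the earlier firewall-cmd rule for the port can be removed.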

Connecting to the Xrdp Server

Now that the Xrdp server is configured, it is time to open your local Xrdp client and connect to the remote Oracle Linux 8 system.

Windows users can use the default RDP client. Type “remote” in the Windows search bar and click on “Remote Desktop Connection”. This will open up the RDP client. In the “Computer” field, type the remote server IP address and click “Connect”.

Copyright © 2018 tpmullan.com. All right reserved