====== Time to relax... ======

It's the time of the year where I need to study for my upcoming exams. After I've noticed that I am doing complete bullshit like //20 - 5 = 5//, I decided to do something to relax. I'm pretty good at relaxing in front of my computer, so here I am, doing something useful as well - //oh, my pizza arrived, brb//.

During the last week my IP address changed and I was unable to access my NAS from outside. This was part one of my todo list; the second and final part was to figure out why [[http://www.ubuntu.com/|Ubuntu]] doesn't ask for two passwords for my two encrypted partitions.

====== Dynamic DNS with Bind and ipupdate ======

If you call a server your own, have full control over its Bind configuration and want your own dynamic DNS for your home IP address, this might be of interest to you.

===== Configuring Bind =====

==== Setting up the rndc key ====

The easiest way is to let ''dnssec-keygen'' generate the key (the algorithm, key size and name type are required parameters):

<code>
# dnssec-keygen -a <algorithm> -b <bits> -n HOST <keyname>
# e.g.:
$ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST home.foo-bar.com
</code>

Two files will be generated, ''K<name>+<algorithm>+<key-id>.key'' and ''K<name>+<algorithm>+<key-id>.private''. Open one of these files or use ''cat'' to print it. If you opened the //.key// file, take the last column; the string often ends with ''==''. If you opened the //.private// file, copy the string after ''Key:''.

<code>
EXAMPLE0SEcr3tString00==
</code>

==== Editing your named.conf ====

... or your ''named.conf.local'', or wherever you keep track of your different zones. I'll demonstrate with a small example which changes you should make. First, define the key your client uses to authenticate:

<code>
key "home.foo-bar.com" {
    algorithm hmac-md5;
    secret "EXAMPLE0SEcr3tString00==";
};
</code>

After that you need to update the zone configuration for ''foo-bar.com''.
For example, the section looks something like this:

<code>
zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer { 10.0.1.1; common-allow-transfer; };
};
</code>

You need to insert an //update-policy//((There are other ways to implement the updates, but this gives better control and improves security. [[https://www.isc.org/software/bind/documentation/arm95#dynamic_update_policies]])):

<code>
zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer { 10.0.1.1; common-allow-transfer; };
    update-policy {
        grant home.foo-bar.com name home.foo-bar.com. A;
    };
};
</code>

As a short summary of the //update-policy// syntax: the first parameter, ''grant'', allows the update if the rest of the rule matches. The second parameter is the ''key'' we defined above, the third is the matching rule. I'm using the full domain name to check; have a look at the Bind documentation to see the other options. ''name'' is followed by the name to match, and the last parameter is the record type, e.g. 'A', 'CNAME' or 'TXT'((See the Bind documentation for more. [[https://www.isc.org/software/bind/documentation]])).

After everything is set up you need to reload your Bind DNS server:

<code>
$ rndc reload
</code>

Your Bind is now configured.

==== Configuring ipupdate ====

I came up with the idea of using my DNS server to manage my dynamic address while scrolling through the OpenWRT Kamikaze package list, so I gave it a try. Edit your ''/etc/ipupdate.conf'':

<code>
server "ns.foo-bar.com" {
    zone "foo-bar.com" {
        hosts "home"
        keyname "home.foo-bar.com"
        keydata "EXAMPLE0SEcr3tString00=="
    }
}
</code>

Now execute ''ipupdate'':

<code>
$ ipupdate
getconfig: loading '/etc/ipupdate.conf'
Detected IP: 10.00.100.200
</code>

You should also see a success message. Sorry, I haven't copied it, but you'll recognise it when the update succeeds; otherwise you'll see some errors. If you check your Bind directory (e.g. ''/var/cache/bind'') you should see a file named ''home.foo-bar.com.jnl''.
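The steps above (generate the key, copy the secret into ''named.conf'' and into ''ipupdate.conf'', scope the ''update-policy'') are easy to get wrong by retyping the secret by hand. As an added example that is not part of the original post and not code from Bind or ipupdate, the following POSIX shell helper reads the secret from either ''dnssec-keygen'' output file, checks that it is well-formed base64, and prints the three configuration fragments from that single value. The function names, the key file contents and the secret ''Y29uc3RydWN0ZWQgc2VjcmV0'' (base64 of "constructed secret") are constructed for the demo; the host names are the ones used in this post. Bind also accepts stronger TSIG algorithms such as ''hmac-sha256'', which newer ''dnssec-keygen'' versions produce with ''-a HMAC-SHA256''; the helper just passes the algorithm name through.

```shell
#!/bin/sh
# Added example, not from the original post or from Bind/ipupdate: build the
# named.conf key statement, a name-scoped update-policy and the ipupdate.conf
# stanza from one dnssec-keygen output file, so the secret is read once rather
# than retyped. Function names are hypothetical; the key file contents and the
# secret in the demo are constructed.

# Read the TSIG secret out of K*.private ("Key:" line) or K*.key (last column).
tsig_secret_from_keyfile() {  # <path to .key or .private file>
    case "$1" in
        *.private) sed -n 's/^Key: *//p' "$1" ;;
        *)         awk '/ IN KEY /{ print $NF }' "$1" ;;
    esac
}

# Bind expects the secret as base64: non-empty, 4-char groups, optional '=' padding.
tsig_secret_is_valid() {  # <secret>
    [ -n "$1" ] && printf '%s' "$1" | \
        grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# key statement for named.conf / named.conf.local
emit_bind_key_block() {  # <key name> <algorithm> <secret>
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# update-policy limited to one name and one record type: a client holding the
# key can change its own A record and nothing else in the zone.
emit_update_policy() {  # <key name> <fqdn the client may update>
    printf 'update-policy {\n    grant %s name %s. A;\n};\n' "$1" "$2"
}

# matching /etc/ipupdate.conf stanza
emit_ipupdate_conf() {  # <server> <zone> <host label> <key name> <secret>
    printf 'server "%s" {\n    zone "%s" {\n        hosts "%s"\n        keyname "%s"\n        keydata "%s"\n    }\n}\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Demo on a constructed .key file (algorithm id 157 = HMAC-MD5, key id made up).
demo_tsig_config() {
    dir=$(mktemp -d)
    keyfile="$dir/Khome.foo-bar.com.+157+12345.key"
    printf 'home.foo-bar.com. IN KEY 512 3 157 Y29uc3RydWN0ZWQgc2VjcmV0\n' > "$keyfile"
    secret=$(tsig_secret_from_keyfile "$keyfile")
    tsig_secret_is_valid "$secret" || { echo "secret in $keyfile is not base64" >&2; rm -rf "$dir"; return 1; }
    emit_bind_key_block home.foo-bar.com hmac-md5 "$secret"
    emit_update_policy home.foo-bar.com home.foo-bar.com
    emit_ipupdate_conf ns.foo-bar.com foo-bar.com home home.foo-bar.com "$secret"
    rm -rf "$dir"
}
demo_tsig_config
```

The policy printed by ''emit_update_policy'' deliberately grants only ''name home.foo-bar.com. A'': if the router or NAS holding ''ipupdate.conf'' is ever compromised, the key it carries can rewrite that one address record and nothing else in ''foo-bar.com''.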
After 15 minutes the changes will be merged into your ''db.foo-bar.com'' zone file.

You can start ''ipupdate'' as a daemon:

<code>
$ ipupdate start
</code>

I also installed a cronjob to check every 24h whether an update is needed:

<code>
59 23 * * * /usr/sbin/ipupdate
</code>

====== Ubuntu jaunty and two encrypted partitions ======

I've updated to [[http://www.xubuntu.com|Xubuntu 9.04]] recently and use encrypted LVM to secure my stuff. After I'd set up a second partition encrypted with cryptsetup and hooked it up in my LVM, [[http://www.ubuntu.com/|Ubuntu]] didn't ask for two passwords during boot. I remember that on Debian, with two encrypted partitions, putting the entries into ''/etc/crypttab'' and updating the initrds was enough to get asked twice during boot. [[http://www.ubuntu.com/|Ubuntu]] seems to fail at this point. In this chapter I want to show you how I've solved this problem, for now. This solution isn't automated yet, and running ''update-initramfs'' overwrites the changes.

[[http://www.ubuntu.com/|Ubuntu]] unlocks my root partition and then tries to bring up all volumes of my volume group. At this point boot fails, because one of the volumes is encrypted separately. After a minute, [[http://www.ubuntu.com/|Ubuntu]] drops you to a fail-over console. At the ''(initramfs)'' prompt I needed to unlock my second partition and hit Ctrl+D to resume the normal boot.

===== Updating the initrd =====

Extract the initrd of your current kernel:

<code>
$ mkdir /tmp/initrd-$(uname -r)
$ cd /tmp/initrd-$(uname -r)
$ gzip -dc /boot/initrd.img-$(uname -r) | cpio -id
</code>

Open the file ''conf/conf.d/cryptroot'' and add a separate line for your second device. You need to know your UUIDs for this. Here is mine, after I've edited it:
<code>
target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-root
target=sdd1_crypt,source=/dev/disk/by-uuid/f6b68c07-ad87-46a6-8602-94889c1233b8,key=none,lvm=goat-home
target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-swap_1
</code>

I've added the line starting with ''target=sdd1_crypt''. To complete the setup we need to pack the initrd back together. **Make a backup of your old initrd.img first!** Write the new image outside the unpacked tree, otherwise ''cpio'' will archive its own half-written output:

<code>
$ cd /tmp/initrd-$(uname -r)
$ find ./ | cpio -H newc -o | gzip -c > /tmp/initrd.img-$(uname -r)
$ cp /tmp/initrd.img-$(uname -r) /boot/
</code>

You should now be asked twice for a password, or more often if you have added more devices.

~~NOTOC~~
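The cryptroot edit and the repack above are manual, and two details bite in practice: listing the same target twice, and repacking without a backup of the image you are about to overwrite. As an added example that is not from the original post and not part of Ubuntu's initramfs tools, the following POSIX shell helper appends a ''cryptroot'' entry only if that target is new, checks that every line carries the four fields the boot scripts read, reports how many distinct encrypted devices (and therefore passphrase prompts) the file describes, and repacks the initrd only once a backup exists. Function names are hypothetical; the demo runs on a temporary copy built from the UUIDs in this post and never touches ''/boot'' or a real initrd.

```shell
#!/bin/sh
# Added example, not from the original post or from Ubuntu's initramfs tools:
# helpers for the conf/conf.d/cryptroot edit and the initrd repack described
# above. Function names are hypothetical; the demo uses the UUIDs from the post
# on a temporary file only.

# Append one cryptroot entry; refuse (return 1) if the target is already listed.
cryptroot_add_entry() {  # <cryptroot file> <target> <uuid> <vg-lv>
    if grep -q "^target=$2," "$1" 2>/dev/null; then
        echo "cryptroot: target $2 already present, not adding" >&2
        return 1
    fi
    printf 'target=%s,source=/dev/disk/by-uuid/%s,key=none,lvm=%s\n' \
        "$2" "$3" "$4" >> "$1"
}

# Return 0 only if every line has the form
# target=<name>,source=/dev/disk/by-uuid/<uuid>,key=<key>,lvm=<vg-lv>
cryptroot_check() {  # <cryptroot file>
    ! grep -v -E '^target=[^,]+,source=/dev/disk/by-uuid/[0-9a-fA-F-]+,key=[^,]+,lvm=[^,]+$' "$1" | grep -q .
}

# Number of distinct targets, i.e. how many passphrase prompts to expect at boot
# (the same target may appear once per logical volume it carries, as in the post).
cryptroot_device_count() {  # <cryptroot file>
    sed -n 's/^target=\([^,]*\),.*/\1/p' "$1" | sort -u | wc -l | tr -d ' '
}

# Repack an unpacked initrd tree into /boot, keeping a backup of the old image.
# The new image is written outside the tree so cpio does not archive its own output.
initrd_repack() {  # <unpacked tree> <kernel version>
    tree=$1; kver=$2
    [ -f "/boot/initrd.img-$kver.bak" ] || cp "/boot/initrd.img-$kver" "/boot/initrd.img-$kver.bak" || return 1
    ( cd "$tree" && find . | cpio -H newc -o | gzip -c > "/tmp/initrd.img-$kver" ) || return 1
    cp "/tmp/initrd.img-$kver" "/boot/initrd.img-$kver"
}

# Demo on a constructed copy of the post's cryptroot file (no real initrd involved).
demo_cryptroot() {
    f=$(mktemp)
    printf 'target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-root\n' > "$f"
    printf 'target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-swap_1\n' >> "$f"
    cryptroot_add_entry "$f" sdd1_crypt f6b68c07-ad87-46a6-8602-94889c1233b8 goat-home
    if cryptroot_check "$f"; then
        echo "cryptroot: $(cryptroot_device_count "$f") encrypted device(s) will be unlocked at boot"
    else
        echo "cryptroot: malformed line found" >&2
    fi
    cat "$f"
    rm -f "$f"
}
demo_cryptroot
```

Run ''cryptroot_check'' before repacking: a malformed line in ''conf/conf.d/cryptroot'' is exactly what lands you at the ''(initramfs)'' prompt again, and it is much cheaper to catch in ''/tmp'' than after a reboot.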