Time to relax...

It's the time of the year when I need to study for my upcoming exams. After I noticed that I was doing complete bullshit like 20 - 5 = 5, I decided to do something to relax. I'm pretty good at relaxing in front of my computer, and here I am, also doing something useful - oh, my pizza arrived, brb. During the last week my IP address changed and I was unable to access my NAS from outside. This was part one of my todo list; the second and final part was to figure out why Ubuntu doesn't ask for two passwords for my two encrypted partitions.

Dynamic DNS with Bind and ipupdate

If you have a server of your own with full control over the Bind configuration and want your own dynamic DNS for your home IP address, this might be of interest to you.

Configuring Bind

Setting up rndc key

The easiest way is:

# dnssec-keygen -a <alg> <name>
# e.g.:
$ dnssec-keygen -a HMAC-MD5 home.foo-bar.com

Two files will be generated, a

K<name>+<alg>+<id>.key

and

K<name>+<alg>+<id>.private

Open one of these files or use cat to print it. If you opened the .key file, take the last column (the string usually ends with ==); if you opened the .private file, copy the string after Key:.

EXAMPLE0SEcr3tString00==

Editing your named.conf

or your named.conf.local, or wherever you keep track of your different zones. I'll demonstrate with a small example what changes you should make. First define the key your client uses to authenticate:

key "home.foo-bar.com" {
    algorithm hmac-md5;
    secret "EXAMPLE0SEcr3tString00==";
};

After that you need to update the zone configuration for foo-bar.com. For example, the section looks something like this:

zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer {
        10.0.1.1;
        common-allow-transfer;
    };
};

You need to insert an update-policy 1).

zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer {
        10.0.1.1;
        common-allow-transfer;
    };
    update-policy {
        grant home.foo-bar.com name home.foo-bar.com. A;
    };
};

As a short summary of the update-policy syntax: the first parameter, grant, allows us to update if the rest of the rule matches. The second parameter is the key we defined above, and the third is the match type; I'm using name, which checks against the full domain name, and you should have a look at the Bind documentation for the other options. name is followed by the name to match, and the last parameter is the record type: A, CNAME or TXT 2).

After everything is setup you need to reload your Bind DNS server.

$ rndc reload

Your Bind is now configured.

Configuring ipupdate

I came up with the idea of using my DNS server to manage my dynamic address while scrolling through the OpenWRT Kamikaze package list, and so I gave it a try.

Edit your /etc/ipupdate.conf:

server "ns.foo-bar.com"
{
    zone "foo-bar.com"
    {
        hosts "home"
        keyname "home.foo-bar.com"
        keydata "EXAMPLE0SEcr3tString00=="
    }
}

Now execute ipupdate:

$ ipupdate
getconfig: loading '/etc/ipupdate.conf'
Detected IP: 10.00.100.200

You should also see a success message. Sorry, I haven't copied it, but you'll recognize it when the update is successful; otherwise you'll see some errors. If you check your Bind directory (e.g. /var/cache/bind) you should see a file named home.foo-bar.com.jnl. After 15 minutes the changes will be merged into your db.foo-bar.com zone file.

You can also start ipupdate as a daemon:

$ ipupdate start

I also installed a cronjob that checks every 24h whether an update is needed:

59 23 * * * /usr/sbin/ipupdate

Ubuntu jaunty and two encrypted partitions

I've updated to Xubuntu 9.04 recently and am using encrypted LVM to secure my stuff. After I set up a second partition encrypted with cryptsetup and hooked it into my LVM, Ubuntu didn't ask for two passwords during boot. I remember that with Debian and two encrypted partitions, putting the entries into /etc/crypttab and updating the initrds was enough to get asked twice during boot. Ubuntu seems to fail at this point. In this chapter I want to show you how I've solved this problem, for now. This solution isn't automated yet, and running update-initramfs overwrites the changes.

Ubuntu unlocks my root partition and then tries to bring up all volumes of my volume group. At this point boot will fail, because one of the volumes is encrypted separately. After a minute, Ubuntu drops you to a fail-over console. At the (initramfs) prompt I needed to unlock my second partition and hit Ctrl+D to resume the normal boot.

Updating the initrd

Extract the initrd of your current kernel:

$ mkdir /tmp/initrd-$(uname -r)
$ cd /tmp/initrd-$(uname -r)
$ gzip -dc /boot/initrd.img-$(uname -r) | cpio -id

Open the file conf/conf.d/cryptroot and add a separate line for your second device. You need to know your UUIDs for this. Here is mine, after I've edited it:

target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-root
target=sdd1_crypt,source=/dev/disk/by-uuid/f6b68c07-ad87-46a6-8602-94889c1233b8,key=none,lvm=goat-home
target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-swap_1

I've added the line starting with sdd1_crypt.

To complete the setup we need to pack the initrd back together. Make a backup of your old initrd.img first!

$ cd /tmp/initrd-$(uname -r)
$ find ./ | cpio -H newc -o | gzip -c > initrd.img-$(uname -r)
$ cp initrd.img-$(uname -r) /boot/

You should now be asked twice for a password, or more often if you have added more devices.
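Since the post says this fix isn't automated yet, here is an added helper script (not the post's own commands) that adds the second device to conf/conf.d/cryptroot idempotently and repacks the initrd the same gzip + cpio way the post does. It assumes the 9.04-era gzip'd newc cpio initrd layout and the /boot/initrd.img-VERSION file names, and it unpacks into a scratch directory so the new image is not written into the tree being archived.

```shell
#!/bin/sh
# Added helper (not the post's own commands): add a second encrypted device to the initrd's
# conf/conf.d/cryptroot idempotently and repack the initrd the gzip + newc cpio way the post does.
set -eu

# cryptroot_add_entry FILE TARGET UUID LVMGROUP
# Appends "target=TARGET,source=/dev/disk/by-uuid/UUID,key=none,lvm=LVMGROUP" unless an entry
# for TARGET is already present. Returns 0 on success, 2 when UUID is not 8-4-4-4-12 shaped.
cryptroot_add_entry() {
    file=$1; target=$2; uuid=$3; lvm=$4
    case $uuid in
        ????????-????-????-????-????????????) ;;
        *) echo "cryptroot_add_entry: bad UUID '$uuid'" >&2; return 2 ;;
    esac
    if grep -q "^target=$target," "$file" 2>/dev/null; then
        return 0                      # already listed: leave the file untouched
    fi
    printf 'target=%s,source=/dev/disk/by-uuid/%s,key=none,lvm=%s\n' \
        "$target" "$uuid" "$lvm" >> "$file"
}

# rebuild_initrd KERNELVERSION TARGET UUID LVMGROUP
# Backs up /boot/initrd.img-VERSION, unpacks it into a scratch dir (never into the archive's
# own tree), adds the entry, repacks. Assumes the gzip'd newc cpio initrd of the post.
rebuild_initrd() {
    ver=$1; work=$(mktemp -d "/tmp/initrd-$ver.XXXXXX")
    cp "/boot/initrd.img-$ver" "/boot/initrd.img-$ver.bak"
    (cd "$work" && gzip -dc "/boot/initrd.img-$ver" | cpio -id --quiet)
    cryptroot_add_entry "$work/conf/conf.d/cryptroot" "$2" "$3" "$4"
    (cd "$work" && find . | cpio -H newc -o --quiet | gzip -c) > "/boot/initrd.img-$ver"
    rm -rf "$work"
}
```

Run it as root, e.g. rebuild_initrd "$(uname -r)" sdd1_crypt <uuid> goat-home, and remember that update-initramfs will still overwrite the result.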

1) There are other ways to implement the updates, but this gives better control and improves security. https://www.isc.org/software/bind/documentation/arm95#dynamic_update_policies
2) See Bind documentation for more. https://www.isc.org/software/bind/documentation

Comments

1

FOOBAR!

ubuntukuh
2009/07/14 04:08


Posted 2009/07/13 22:53 · Julian Knauer
blog/2009/07/13.time.to.relax.txt · Last modified: 2010/02/02 17:04 (external edit)