MyLab: The Timekeeper

Overview

I like to keep accurate time in my lab for various reasons. The main reasons are for authentication and that I will be using Transport Layer Security (TLS) certificates. Other reasons are that I think it’s the right thing to do and it is simply my compulsion to keep accurate time.

For this service, I am going to use two Fedora Server 38 (at the time of this writing) virtual machines. To properly configure network time, I am going to configure each server as a client of two separate time servers (higher in the stratum hierarchy, i.e. a lower stratum number). Then I will configure my two servers as peers of each other (same stratum). Finally, since most of my lab will consist of Windows servers and clients, I will configure the domain controller that holds the Primary Domain Controller (PDC) emulator Flexible Single Master Operation (FSMO) role.
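As an added example (not from the original post), the layout described above expressed as a chrony.conf fragment, since chrony is the default NTP daemon on Fedora Server. The function takes two distinct upstream servers, the peer's address and the lab network; every host and network name is a placeholder to be replaced with your own.

```shell
# Added example, not from the original post. Emits a chrony.conf fragment for
# the two-server lab layout described above. Hostnames and networks are
# placeholders passed in by the caller.
# Usage: lab_chrony_conf UPSTREAM1 UPSTREAM2 PEER LAN_CIDR > /etc/chrony.conf

lab_chrony_conf() {
    if [ "$#" -ne 4 ]; then
        echo "usage: lab_chrony_conf UPSTREAM1 UPSTREAM2 PEER LAN_CIDR" >&2
        return 2
    fi
    upstream1=$1
    upstream2=$2
    peer=$3
    lan=$4
    # A single upstream source gives chrony nothing to cross-check against;
    # require two distinct ones so a wrong or unreachable server is noticed.
    if [ "$upstream1" = "$upstream2" ]; then
        echo "upstream servers must differ" >&2
        return 1
    fi
    cat <<EOF
# Upstream sources: higher in the stratum hierarchy than this host
server $upstream1 iburst
server $upstream2 iburst
# The other lab time server, at the same stratum
peer $peer
# Only answer clients on the lab network
allow $lan
# Drift tracking and an initial clock step, as in the Fedora default config
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# Counts the sources a generated fragment configures (server + peer lines);
# reads the fragment on stdin.
lab_chrony_source_count() {
    grep -c -E '^(server|peer) '
}
```

After writing the file, restart chronyd and check with chronyc sources -v that both upstream servers and the peer appear. On the Windows side the PDC emulator is pointed at the two Linux servers with w32tm /config /manualpeerlist:"server1 server2" /syncfromflags:manual /reliable:yes /update followed by w32tm /resync.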


Prepare Ubuntu 18.04 for Desktop Anywhere

This one was a little tricky to get set up. I am happy to say that after you follow this procedure, you will be able to access AFRC Desktop Anywhere from Ubuntu 18.04!

As always, I like to provide transparency. I am a traditional reservist in the Air Force Reserve and I also work for VMware. Anything provided here is from me and only me. Nothing here represents official notification from the USAF or VMware. Follow at your own risk. Your system and setup are most likely not identical to mine. I am using a VMware virtual machine, but that should not matter for the purposes of this guide.

With that boring stuff out of the way…

Make sure your system is up-to-date.

Download Software and Packages

  • Open Terminal and type in the following:

    sudo apt install opensc opensc-pkcs11 pcsc-tools

Install the DoD Certificates into Firefox Certificate Manager

Open Firefox and select the three lines at the top-right of the window, then click on Preferences. In the Find in Preferences search box, type in Certificates. Click on the View Certificates… button.

In Certificate Manager, make sure you are on the Authorities tab and click the Import… button.

Navigate to where you downloaded and extracted the DoD certificates from earlier. Select the Certificates_PKCS7_v5.6_DoD.der.p7b file. Check the two boxes to trust the certificate. You will need to do this for each certificate you need to use. I recommend starting with DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5. The certificates will be added under the U.S. Government heading.

Add DoD Certificates to the Ubuntu Certificate Trust

While you are here, be sure to choose the DoD Root CA 3 certificate, and then press the Export… button. Make sure X.509 Certificate (PEM) is selected as the format at the bottom of the window. Do the same for the DOD SW CA-53 certificate, which is necessary for Desktop Anywhere. When you are done exporting the certificates, you can close the Certificate Manager window.

Open Terminal and copy the two files to /usr/share/ca-certificates. Use the following image if you are unsure how to accomplish this.

Now we want to reconfigure the certificate store by typing in sudo dpkg-reconfigure ca-certificates. This will open the ca-certificates configuration window. Choose Ask, then press Tab to select <OK>.

Press the Space bar on the top two DoD certificates, then press Tab to select <OK>.

When you select <OK>, the Terminal will display the chosen certificates being added to the certificate store. Make sure the number of certificates added matches the number you selected. In this case, there should be two.
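As an added example (not from the original post), the copy step above as a small shell function that also catches the two ways it silently fails: update-ca-certificates only considers files under /usr/share/ca-certificates that end in .crt and contain PEM, so a file exported in DER format or copied with a .pem name never shows up in the dpkg-reconfigure list. The "dod" subdirectory name and the stock Ubuntu ca-certificates layout are assumptions.

```shell
# Added example, not from the original post. Stages a certificate exported from
# Firefox into the Debian/Ubuntu CA store so that dpkg-reconfigure
# ca-certificates (or update-ca-certificates) can pick it up. The "dod"
# subdirectory is an assumption; any directory under the store works.

stage_ca_cert() {
    src=$1
    dest_dir=${2:-/usr/share/ca-certificates/dod}
    # update-ca-certificates only looks at files ending in .crt and expects PEM,
    # so refuse a DER export (it would be silently ignored, not trusted).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then
        echo "$src is not PEM; re-export it as 'X.509 Certificate (PEM)'" >&2
        return 1
    fi
    name=$(basename "$src")
    name=${name%.*}.crt
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/$name"
    chmod 0644 "$dest_dir/$name"
    echo "$dest_dir/$name"
}

# Number of PEM certificates in a file. Run it on the system bundle before and
# after reconfiguring ca-certificates and expect it to grow by the number of
# certificates you ticked (two in this guide).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "${1:-/etc/ssl/certs/ca-certificates.crt}"
}

# Show what you are about to trust before ticking it: subject, issuer and
# SHA-256 fingerprint, to compare against the values DoD publishes.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}
```

Typical use is stage_ca_cert ~/Downloads/DoDRootCA3.pem followed by sudo dpkg-reconfigure ca-certificates exactly as described above; the new files appear in the Ask list under the subdirectory name.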

Verify the Smart Card Reader is Accessible to the System

On the Terminal, type pcsc_scan. For the purposes of demonstration in this guide, I am going to post an image from before I connected my Smart Card reader so you can see the difference.

And then, here is an image after I connected my Smart Card reader.

Installing VMware Horizon Client for Linux

On the Terminal, navigate to your downloaded file. Add the execution bit to the bundle by typing sudo chmod u+x <filename>. See the image below for a visual.

Type sudo ./VMware-Horizon and press Tab. The rest of the filename should auto-complete. Press Enter to continue with the installation. Read and accept the EULA.

Customize the installation as needed. I am going to accept the defaults.

Verify all the product install files are ready, and click the Install button.

Check the box to Register and start…, and click the Scan button.

I had a few failed results, but this should not affect my use at this time.

Go ahead and close the installer.

Configure the Smart Card Module to be Accessible for Horizon Client

Ref: https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/5.4/horizon-client-linux-installation/GUID-6CB5F6EE-E7DC-4BF7-8E2A-4542E4A78182.html

On the Terminal, create the directory /usr/lib/vmware/view/pkcs11.

Now we are going to create a symbolic link to the OpenSC module. The VMware article helps with the syntax, but points to the incorrect location of the module. As long as you have been following along up to this point, you should not have any errors.

sudo ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

Follow the image below for the syntax.
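As an added example (not VMware's code and not from the original post), the directory and link steps above wrapped in two functions. The first searches for the OpenSC module rather than trusting a documented path, since the VMware article points at the wrong location; the candidate paths are the one used in this guide plus locations other distributions use, and extra paths can be passed as arguments. The second creates the link and checks that it actually resolves, because a dangling link is exactly the error you get when the path is wrong.

```shell
# Added example, not VMware's code. Finds the OpenSC PKCS#11 module and links
# it under the directory Horizon Client scans. The link name libopenscpkcs11.so
# is the one used in this guide.

find_opensc_module() {
    # Known locations first, then any extra candidates given as arguments.
    for candidate in \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so \
        /usr/lib64/pkcs11/opensc-pkcs11.so \
        "$@"
    do
        if [ -f "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    echo "opensc-pkcs11.so not found; is the opensc-pkcs11 package installed?" >&2
    return 1
}

link_pkcs11_module() {
    module=$1
    link_dir=${2:-/usr/lib/vmware/view/pkcs11}
    link="$link_dir/libopenscpkcs11.so"
    mkdir -p "$link_dir"
    # -s makes a symbolic link, -f replaces a stale one from an earlier attempt
    ln -sf "$module" "$link"
    # A dangling link is the failure mode when the documented path is wrong:
    # -L says it is a link, -e says the target actually resolves.
    if [ -L "$link" ] && [ -e "$link" ]; then
        echo "$link -> $(readlink "$link")"
        return 0
    fi
    echo "$link does not resolve; check the module path" >&2
    return 1
}
```

On a real system both functions run as root: sudo sh -c 'link_pkcs11_module "$(find_opensc_module)"' after sourcing the file, or simply call them from a script run with sudo.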

Verify Horizon Client for Linux can use your Smart Card

Hopefully you ran the steps above to verify that Ubuntu can see and access your Smart Card reader. This step checks the log to verify that the reader is also working for the Horizon Client.

Open up the VMware Horizon Client and wait for it to show up. Then, on the Terminal, type less /tmp/vmware-<username>/<log-file-name>. For instance I typed:

less /tmp/vmware-arombaut/vmware-horizon-client-15386.log

Look through the log until you find Initializing smartcard modules. You should see Loaded 1 modules from /usr/lib/vmware/view/pkcs11 followed by one or more certificates. The certificates that have populated UPNs are the ones that will be presented to you in the Horizon UI. This is also reflected in the line certsList has 1 certificates.

You can close the log and the Terminal.
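As an added example (not from the original post), the log check above as a function that extracts the two counts and turns them into a pass/fail result, so you do not have to page through the file in less. The phrases it matches are the ones quoted above; the timestamp prefix in the sample log lines is constructed, and everything else about the log layout is an assumption.

```shell
# Added example, not from the original post. Pulls the module and certificate
# counts out of a Horizon Client log and fails if either is zero.

# Newest client log for the current user, following the /tmp/vmware-<username>
# naming used in this guide.
latest_horizon_log() {
    ls -t /tmp/vmware-"$USER"/vmware-horizon-client-*.log 2>/dev/null | head -n 1
}

# Prints "modules=N certs=M"; succeeds only if at least one PKCS#11 module
# was loaded and at least one certificate was found on the card.
horizon_smartcard_check() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # Take the last occurrence of each line in case the client reinitialized.
    modules=$(sed -n 's/.*Loaded \([0-9][0-9]*\) modules from .*/\1/p' "$log" | tail -n 1)
    certs=$(sed -n 's/.*certsList has \([0-9][0-9]*\) certificates.*/\1/p' "$log" | tail -n 1)
    : "${modules:=0}" "${certs:=0}"
    echo "modules=$modules certs=$certs"
    [ "$modules" -gt 0 ] && [ "$certs" -gt 0 ]
}
```

Typical use is horizon_smartcard_check "$(latest_horizon_log)" right after the client has started; modules=0 means the pkcs11 link from the previous step is wrong, and certs=0 with modules=1 means the module loaded but no card was read.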

This actually completes the setup of VMware Horizon Client for Linux. From here you can add a Server and select the appropriate CAC certificate to authenticate.

Due to customer-sensitive information, I am not able to provide further information beyond this point here. I can help you individually if you need more assistance from here though.


Ubuntu 18.04 Automatic Time Zone

While traveling outside of my home time zone, I opened my computer and found that the time was incorrect. This was to be expected because I had yet to connect to the Internet. So naturally, I connected to the Wi-Fi and checked the date and time, only to see that nothing had changed. Hmm, OK.

I restarted my computer thinking it would restart the NTP client; still no luck, so it was time to Google. It looked like a little utility called ‘gnome-clocks’ might give me multiple clocks, which was also something I was looking for. Once installed, I had to reboot again. Sure, this is a neat utility, but it still didn’t update the clock and time zone on my computer.

On this reboot, however, I noticed a little location symbol near the system menu and it dawned on me. Of course my computer would need location services in order to figure out where I am. Now I just wonder why, when setting the ‘Automatic Time Zone’ toggle, I am not prompted or warned that I must also have location services turned on.

Afterthought — Read the Fucking Manual (RTFM)

Yes, that’s right, the Ubuntu Desktop Guide literally spelled out what I needed to do and it was there the whole time.

Create and Change Hard and Symbolic Links

Exam Objectives Covered:

  • Create links
  • Identify hard and/or soft links
  • Copying versus linking files
  • Use links to support system administration tasks

Links in Linux are analogous to shortcuts in the Windows world. They are not identical, but the idea is similar. Specifically, the command ‘ln’ is used to make links between files. There are two types of links, symbolic and hard. The following definitions come from Practice Labs:

Symbolic links: It is a pointer to the source file. The permissions that apply to the source file also apply to the symbolic link. It can point to a source file on the local or remote filesystem.

Hard links: It is another directory entry for the source file and carries the same properties, such as file permissions, as the source file. If you delete one file, the other file remains intact. A hard link must exist in the same local filesystem.

The interesting thing about links is that a hard link is tied to the original file, but not dependent on it. This means that if you create a hard link to a file and then delete the original, the linked file will still work. This is not the case with a symbolic link. If you create a symbolic link and remove the original file, the symbolic link will not have anything to point to. A way to check whether your links are bound to the original file is to list the directory with ‘ls’ using the -i option. This prints the inode number of each file.

To support system administration, links are useful when you do not want to make multiple copies of the same file. If you kept separate copies and updated one, you would have to make the same change to every copy. If you use hard links, then when you update the file, your changes are seen through all of the links.

Another situation in which links support system administration is when linking shared objects. The link can make it easier to reference frequently used libraries. It also aids in version control. Application developers link against a shared object by its major version, and administrators point that major-version name at whichever installed build they choose. This allows multiple versions to exist for compatibility reasons. If you list the contents of the ‘/lib64’ directory, you will see something like this:

libcrypt.so.1 -> libcrypt-2.17.so

The developer can reference the ‘libcrypt.so.1’ shared object, but the administrator can install any variant of the libcrypt library. This means that if an update were to come out or an older version was needed, it could be located in /lib64 under the naming conventions and linked to the single named variant.

Hard Links and Symbolic Links

To view examples of creating symbolic and hard links, take a look at the screenshots below. You will see that the hard link and the original file share the same inode. The symbolic link has a different inode and is therefore a separate file.

To create a hard link:

Syntax: ln TARGET LINK_NAME
Example: ln original-file hard-link


To create a symbolic link:

Syntax: ln [-s|--symbolic] TARGET LINK_NAME
Example: ln -s original-file symbolic-link
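As an added example (not from the original post), the same experiment run inside a scratch directory instead of in screenshots: the first function creates a hard link and a symbolic link to a file, compares inode numbers, deletes the original and reports which link still works; the second plays through the libcrypt.so.1 style version swap from the shared-object discussion above, using two constructed stand-in files rather than real libraries.

```shell
# Added example, not from the original post. Exercises the hard-link versus
# symbolic-link behaviour described above and the shared-object version swap,
# each inside a temporary directory that is removed afterwards.

# Inode number of a path; -d keeps ls from descending into (or following) it.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

link_demo() {
    work=$(mktemp -d)
    cd "$work" || return 1
    echo "original content" > original-file
    ln original-file hard-link            # second name for the same inode
    ln -s original-file symbolic-link     # new inode whose content is a path

    if [ "$(inode_of original-file)" = "$(inode_of hard-link)" ]; then
        hard_same=yes; else hard_same=no; fi
    if [ "$(inode_of original-file)" = "$(inode_of symbolic-link)" ]; then
        sym_same=yes; else sym_same=no; fi

    rm original-file
    # The data survives as long as any hard link to the inode remains ...
    if [ "$(cat hard-link)" = "original content" ]; then
        hard_ok=yes; else hard_ok=no; fi
    # ... but the symlink now names a path that no longer exists:
    # -L is true (it is a link) while -e is false (it does not resolve).
    if [ -L symbolic-link ] && [ ! -e symbolic-link ]; then
        dangling=yes; else dangling=no; fi

    echo "hard_shares_inode=$hard_same sym_shares_inode=$sym_same hard_readable=$hard_ok sym_dangling=$dangling"
    cd / && rm -rf "$work"
}

lib_version_demo() {
    work=$(mktemp -d)
    cd "$work" || return 1
    # Constructed stand-ins for two installed builds of the library.
    echo "v2.17" > libcrypt-2.17.so
    echo "v2.28" > libcrypt-2.28.so
    ln -s libcrypt-2.17.so libcrypt.so.1    # the major-version name programs load
    before=$(cat libcrypt.so.1)
    # Re-point the major-version name at the new build: -f replaces the
    # existing link, -n keeps ln from following it if it ever pointed at a directory.
    ln -sfn libcrypt-2.28.so libcrypt.so.1
    after=$(cat libcrypt.so.1)
    echo "before=$before after=$after target=$(readlink libcrypt.so.1)"
    cd / && rm -rf "$work"
}
```

Running link_demo prints one line showing that only the hard link shares the inode and only the hard link survives the deletion; lib_version_demo shows the same name resolving to a different build before and after the swap, which is all an administrator changes when installing a new library version.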

Filesystem Hierarchy Standard (FHS)

I wanted to begin with the Filesystem Hierarchy Standard (FHS) which is currently at version 3.0. The standard can be referenced below as well as at http://refspecs.linuxfoundation.org/fhs.shtml.

Filesystem Hierarchy Standard 3.0

When I first began using Linux, I realized that all the files and directories were arranged in a particular way. I wondered why Linux always seemed to have this organization and what each directory was for. After many years of just “going with it” I finally came across this resource. It was originally written in 2004 but version 3.0 was released in 2015. Its goal is, “to support interoperability of applications, system administration tools, development tools, and scripts as well as greater uniformity of documentation for these systems.”

The hierarchy is as follows:

Directory   Description
bin         Essential command binaries
boot        Static files of the boot loader
dev         Device files
etc         Host-specific system configuration
lib         Essential shared libraries and kernel modules
media       Mount point for removable media
mnt         Mount point for mounting a filesystem temporarily
opt         Add-on application software packages
run         Data relevant to running processes
sbin        Essential system binaries
srv         Data for services provided by this system
tmp         Temporary files
usr         Secondary hierarchy
var         Variable data