Saturday, January 21, 2012

Launch software installers on Linux from Windows using Cygwin


If you are using SSH client to connect to Linux server from your Windows laptop, sometimes it may be necessary to launch UI application on the remote Linux server, but to display the UI on the windows laptop. Following are two typical reasons to perform this activity:
  1. Install software on Linux from Windows: To launch a UI based installer to install software on remote Linux server from windows laptop. For e.g. A DBA might want to install the Oracle on the Linux server where only the SSH connection to the remote server is available and not the console.
  2. Launch Linux X client software on Windows: To launch X Client software (for e.g. xclock) located on your remote Linux server to the Windows laptop.
Cygwin can be used to perform the above activities. Following 15 steps explains how to install Cygwin and launch software installers on Linux from Windows. Go to Cygwin and download the setup.exe. Launch the setup.exe on the Windows and follow the steps mentioned below.

1. Welcome Screen. Click next on the Cygwin installation welcome screen.
Welcome Screen
2. Choose a download source. Select the ‘Install from internet’ option
Download Source
3. Choose Installation directory. I selected C:\cygwin as shown below. This is the location where the Cygwin software will be installed on the Windows.
4. Select Local Package Install directory. This is the directory where the installation files will be downloaded and stored.
Local Package Directory
5. Select Connection Type. If you are connected to internet via proxy, enter the information. If not, select ‘Direct Connection’.
Connection Type
6. Choose a download site. You can either choose a download site that is closer to you or leave the default selection.
Download Site
7. Download Progress. This screen will display the progress of the download.
Installation Progress
8. Select Packages to install. I recommend that you leave the default selection here.
Package Selection
9. Installation Progress. This screen will display the progress of the installation.
Install Progress
10. Installation Completion.
Installation Complete
11. Start the Cygwin Bash Shell on Windows. Click on cygwin icon on the desktop (or) Click on Start -> All Programs -> Cygwin -> Cygwin Bash shell, which will display the Cygwin Bash Shell window.
12. Start the X Server on Windows. From the Cygwin Bash Shell, type startx to start the X Server as shown below. Once the X Server is started, leave this window open and do not close it.
startx
13. Xterm window: startx from the above step will open a new xterm window automatically as shown below.
xterm Window
14. SSH to the remote Linux host from the Xterm window as shown below. Please note that you should pass the -Y parameter to ssh. -Y parameter enables trusted X11 forwarding.
jsmith@windows-laptop ~
$ ssh -Y -l jsmith remote-host 
jsmith@remotehost's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Thu Jun 12 22:36:04 2008 from 192.168.1.102
/usr/bin/xauth:  creating new authority file /home/jsmith/.Xauthority
[remote-host]$ xclock & 
[1] 12593
[remote-host]$
15. xclock on windows laptop. From the Linux host, launch the xclock software as shown above, which will display the xclock on the windows laptop as shown below.
xclock on Windows
Use the same method explained above to launch any software installer on Linux (for e.g. Oracle database installer) and get it displayed on the Windows laptop.

Protect Your Java Code from Reverse Engineering


If you are developing java application, it is important to understand that the java class files can be easily reverse engineered using java decompilers. In this article, let us explore how a java class file is reverse engineered and how to protect your source code from being reverse engineered by someone.
The java source code is compiled to a class file that contains byte code. Java Virtual Machine needs only the class file for execution. The problem is that the class file can easily be decompiled into the original source code using java decompiler tools. The best solution to prevent reverse engineering is to obfuscate the class file so that is will be very hard to reverse engineer. According to the dictionary Obfuscate means “to make obscure or unclear”. That is exactly what lot of java obfuscator tool will do as explained below.

I. Decompile Java class file.

Before understanding how to obfuscate the java code, let us first try to understand how someone can reverse engineer your java application. Following 3 steps explains how a class file is reverse engineered to the original java source code.

1. Create HelloWorld.java as shown below.
public class HelloWorld {
    public static void main (String args[]) {
        String userMessage = "Hello World!";
        int userCount = 100;
        userCount = userCount + 1;
        System.out.println(userMessage);
        System.out.println(userCount);
    }
}
2. Compile HelloWorld.java program and execute it to make sure it works properly.
$ javac HelloWorld.java
$ java HelloWorld
Hello World!
101
Java class file contains only byte code. If you try to view a class file, it will be non-readable as shown below.
$ vi HelloWorld.class
Ãþº¾^@^@^@2^@
^@^G^@^P^H^@^Q  ^@^R^@^S
^@^T^@^V^G^@^W^G^@^X^A^@^F^A^@^C()V^A^@^DCode^A^@^OLineNumberTable
^A^@^Dmain^A^@^V([Ljava/lang/String;)V^A^@
SourceFile^A^@^OHelloWorld.java^L^@^H^@ ^A^@^LHello World!^G^@^Y^L^@^Z^@^[^G^@^\^L^@^]^@^^^L^@^]^@^_^A^@
HelloWorld^A^@^Pjava/lang/Object^A^@^Pjava/lang/System^A^@^Cout^A^@^ULjava/io/PrintStream;^A
^@^Sjava/io/PrintStream^A^@^Gprintln^A^@^U(Ljava/lang/String;)V^A^@^D(I)V^@!^@^F^@^G^@^@^@^@^@^B^@^A^@^H^@  ^@^A^@
3. Decompile HelloWorld.class file and view the original source.
For this demonstration let us use Jad decompiler which is free for non-commercial use.Download the appropriate jad for your platform. Use jad to reverse engineer the HelloWorld.class file to get the original source as shown below.
$ unzip jadls158.zip
$ ./jad HelloWorld.class
Parsing HelloWorld.class...
Generating HelloWorld.jad
$ vi HelloWorld.jad 

II. Obfuscate your java application

Let us review how to obfuscate and protect your source code from reverse engineering usingProGuard a free GPL licensed software.
1. Download and Install ProGuard
$ cd /home/jsmith
$ unzip proguard4.2.zip
2. Create a proguard config file
Create myconfig.pro that contains all the information about your java application.
  • -injar : Specify the location of your jar file. i.e the compiled java application that contains the class files
  • -outjar: This is the jar file proguard will create after obfuscation. This will contain all the mangled, obscure naming convention of the methods and variables in the class file if someone tries to reverse engineer.
  • -printmapping: ProGurad outputs all the mapping information in this file for your reference.
  • -keep: Indicate the class files or the methods that you don’t want ProGuard to obfuscate. For e.g. mypkg.MainAppFrame contains the entry point for the application with the main class, which will not get obfuscated in this example.
$ cat myconfig.pro
-injars /home/jsmith/myapp.jar
-outjars /home/jsmith/myapp-obfuscated.jar This is the obfuscated jar file
-libraryjars /usr/java/jdk1.5.0_14/jre/lib/rt.jar
-printmapping proguard.map
-verbose
-keep public class mypkg.MainAppFrame
3. Execute ProGuard.
$ cd /home/jsmith/proguard4.2/lib
$ java -jar proguard.jar @myconfig.pro
This creates the following two files:
  • myapp-obfuscated.jar: Contains the obfuscated class files of your application. You can distribute this without having to worry about someone reverse engineering your application easily.
  • proguard.map: This file contains the mapping information for your reference.
4. Sample proguard.map file
This is a sample proguard.map file that indicates the original name of the java source objects (classfile, methods, variable etc.) and the new obfuscated name.
myapp.AppToolBar -> myapp.ae:
javax.swing.JButton btnNew -> d
javax.swing.JButton btnOpen -> e
5. Sample java source code (myapp.AppToolBar) before obfuscation.
btnNew = changeButtonLabel(btnNew, language.getText("new"));
btnOpen = changeButtonLabel(btnOpen, language.getText("open"));
6. Sample java source code that was decompiled from the class file (myapp.ae) after obfuscation.
d = a(d, n.a("new"));
e = a(e, n.a("open"));
You can see that the line “btnNew = changeButtonLabel(btnNew, language.getText(“new”));” got translated to “d = a(d, n.a(“new”));”, by the ProGuard, which will not make any sense to someone who is using java decompiler tools to reverse engineer the class file.

The Ultimate Guide for Creating Strong Passwords


“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months” – Clifford Stoll
 
When you create an account on a website, you may have the “password dilemma” for a second. The dilemma is whether you should provide a weak password that is easy to remember or a strong password that is hard to remember. Following are the rules and guidelines that may help you in overcoming the password dilemma and help you in creating a strong password that are secure. These are the things that I’ve used over years based on my own interest in the area of keeping the password safe and secure.

I. Two essential password rules:

Following two rules are bare minimal that you should follow while creating a password.

Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more character in the passwords is better, as the time taken to crack the password by an attacker will be longer. 10 characters or longer are better.
Rule 2 – Password Complexity: Should contain at least one character from each of the following group. At least 4 characters in your passwords should be each one of the following.
  1. Lower case alphabets
  2. Upper case alphabets
  3. Numbers
  4. Special Characters
I call the above two rules combined as “8 4 Rule” (Eight Four Rule):
  • 8 = 8 characters minimum length
  • 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Just following the “8 4 Rule” will be a huge improvement and instantly make your password much stronger than before for most of you who don’t follow any guidelines or rules while creating a passwords. If your banking and any financially sensitive website passwords doesn’t follow the “8 4 Rule”, I strongly suggest that you stop everything now and change those passwords immediately to follow the “8 4 Rule”.

II. Guidelines for creating strong passwords:

  1. Follow “8 4 Rule”. Like I mentioned above this is the foundation of creating a strong password.
  2. Unique Characters. Should contain at least 5 unique characters. You already have 4 different character if you’ve followed “8 4 Rule”.
  3. Use Password Manager. Strong passwords are hard to remember. So, as part of creating a strong password you need a reliable and trustworthy way of remembering the strong password. Using password management tool to store passwords should really become a habit. Anytime you create a password, note it down on a password manager tool, that will encrypt the password and store it safe for you. I recommend Password Dragon (Shameless plug. I’m the developer of this software), a free, easy and secure password manager that works on Windows, Linux and Mac. This can also be launched from the USB drive. There are lot of free password manager tools available, choose the one that best suites your taste and use it.
  4. Use Passphrase. If you don’t want to use password management tool, Use Passphrase to easily remember the passwords. You can use initials of a song or a phrase that are very familiar to you. for e.g. “Passwords are like underwears, change yours often!” phrase can be converted to a strong password “Prlu,Curs0!”

III. Guidelines for avoiding weak passwords.

Avoid the following in your passwords. Even part of your passwords should not be anything in the following items.

  1. Password same as username or part of the username
  2. Name of family members, friends or pets.
  3. Personal information about yourself or family members. This includes the generic information that can be obtained about you very easily, such as birth date, phone number, vehicle license plate number, street name, apartment/house number etc.
  4. Sequences. i.e consecutive alphabets, numbers or keys on the keyboard. for e.g. abcde, 12345, qwert.
  5. Dictionary words. Dictionary words with number or character in front or back
  6. Real word from any language
  7. Word found in dictionary with number substitution for word look alike. for e.g. Replacing the letter O with number 0. i.e passw0rd.
  8. Any of the above in reverse sequence
  9. Any of the above with a number in front or back.
  10. Empty password

IV. Common sense about passwords:

All the following points are nothing new and very much common sense. But most of the time, we tend to ignore these items.
  1. Create unique password every time. When you are changing a password for an existing account, it should not be the same as the previous password. Also, do not use incremental passwords while changing it. i.e password1, password2 etc.
  2. Change your passwords for all your accounts once every 6 months. Since passwords have a fixed length, a brute-force attack to guess the password will always succeed if enough time and processing power was available to the attacker. So, it is always recommended to change the passwords often. Schedule an recurring appointment on your calendar to change your passwords once every 6 months.
  3. Never write down your passwords. Creating a very strong password and writing it down on a paper is as bad as creating an easy to remember weak password and not writing it down anywhere. There are several interesting surveys done on this subject, where it was found that several people write down the password and keep it somewhere next to the computer. Some of them think keeping the post-it note below the mouse pad is secure enough. You should never write down the password on a paper. If you want to carry your password along with you all the times, use a password manager tool that runs from USB stick and take that with you all the times.
  4. Don’t share with anyone. Anyone includes your friends and family. Probably you might have heard the phrase “Passwords are like underwear, don’t share with anybody”. We teach our kids several things in life. Teaching them about online safety and not sharing the password with anybody should be one of them.
  5. Never keep the same password for two different sites. It is very tempting to create one set of passwords for all your emails, another password for all the banking sites, another password for all the social networking sites etc. Avoid this temptation and keep unique passwords for all your accounts.
  6. Don’t type your password when someone is looking over your shoulder. This is especially very important if you type slowly and search for the letters in the keyboard and type with one finger, as it is very easy for someone looking over your shoulder to figure out the password.
  7. Never send your password to anybody in an email. If you follow #3 mentioned above, this should not be an option. But the reason I’m specifically saying about this is because several hackers send emails as a support person and asking for your user name and password through email. Legitimate website or organization will never ask you for your user name and password either via email or over telephone.
  8. Change password immediately when they are compromised. Even if you have the slightest doubt that someone might have stolen your password, change it immediately. Don’t even waste a minute.
  9. Don’t use the “Remember password” option on the browser without setting the Master Password. Don’t use this feature of the browser to store your username and passwords without enabling the “Master Password” option. If you don’t set master password on the firefox browser, anybody who uses your firefox browser can see all the passwords that are stored in the firefox browser in plain text. Also, be very careful with this option and say ‘Not Now’ in the remember password pop-up, when you are using a system that doesn’t belong to you.
  10. Don’t type your password on a computer that does not belong to you. If possible, don’t use someone else computer that you don’t trust to login to any website, especially to very sensitive website such as banking. It is a very common practice for hackers to use key loggers that will log all the key strokes on a system, which will capture everything you type including the passwords.
Please leave your comments about this post. If you follow different methods or rules for creating a strong password, please share them with everybody in the comments.

5 Basic Linux SSH Client Commands


Let us review the following 5 basic command line usage of the ssh client.
  1. Identify SSH client version
  2. Login to remote host
  3. Transfer Files to/from remote host
  4. Debug SSH client connection
  5. SSH escape character usage: (Toggle SSH session, SSH session statistics etc.)

1. SSH Client Version:

Sometimes it may be necessary to identify the SSH client that you are currently running and it’s corresponding version number, which can be identified as shown below. Please note that Linux comes with OpenSSH.
$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu

2. Login to remote host:

  • The First time when you login to the remotehost from a localhost, it will display the host key not found message and you can give “yes” to continue. The host key of the remote host will be added under .ssh2/hostkeys directory of your home directory, as shown below.
localhost$ ssh -l jsmith remotehost.example.com

Host key not found from database.
Key fingerprint:
xabie-dezbc-manud-bartd-satsy-limit-nexiu-jambl-title-jarde-tuxum
You can get a public key’s fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub
host key for remotehost.example.com, accepted by jsmith Mon May 26 2008 16:06:50 -0700
jsmith@remotehost.example.com password:
remotehost.example.com$
  • The Second time when you login to the remote host from the localhost, it will prompt only for the password as the remote host key is already added to the known hosts list of the ssh client.
localhost$ ssh -l jsmith remotehost.example.com
         jsmith@remotehost.example.com password: 
         remotehost.example.com$
  • For some reason, if the host key of the remote host is changed after you logged in for the first time, you may get a warning message as shown below. This could be because of various reasons such as 1) Sysadmin upgraded/reinstalled the SSH server on the remote host 2) someone is doing malicious activity etc., The best possible action to take before saying “yes” to the message below, is to call your sysadmin and identify why you got the host key changed message and verify whether it is the correct host key or not.
localhost$ ssh -l jsmith remotehost.example.com
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         @       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
         Someone could be eavesdropping on you right now (man-in-the-middle attack)!
         It is also possible that the host key has just been changed.
         Please contact your system administrator.
         Add correct host key to "/home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub"
         to get rid of this message.
        Received server key's fingerprint:
        xabie-dezbc-manud-bartd-satsy-limit-nexiu-jambl-title-jarde-tuxum
        You can get a public key's fingerprint by running
         % ssh-keygen -F publickey.pub
         on the keyfile.
         Agent forwarding is disabled to avoid attacks by corrupted servers.
         Are you sure you want to continue connecting (yes/no)? yes
         Do you want to change the host key on disk (yes/no)? yes
         Agent forwarding re-enabled.
         Host key saved to /home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub
         host key for remotehost.example.com, accepted by jsmith Mon May 26 2008 16:17:31 -0700
         jsmith @remotehost.example.com's password: 
        remotehost$

3. File transfer to/from remote host:

Another common use of ssh client is to copy files from/to remote host using scp.
  • Copy file from the remotehost to the localhost:
localhost$scp jsmith@remotehost.example.com:/home/jsmith/remotehostfile.txt remotehostfile.txt
  • Copy file from the localhost to the remotehost:
localhost$scp localhostfile.txt jsmith@remotehost.example.com:/home/jsmith/localhostfile.txt

4. Debug SSH Client:

Sometimes it is necessary to view debug messages to troubleshoot any SSH connection issues. For this purpose, pass -v (lowercase v) option to the ssh as shown below.
  • Example without debug message:
localhost$ ssh -l jsmith remotehost.example.com
        warning: Connecting to remotehost.example.com failed: No address associated to the name
        localhost$
  • Example with debug message:
locaclhost$ ssh -v -l jsmith remotehost.example.com
        debug: SshConfig/sshconfig.c:2838/ssh2_parse_config_ext: Metaconfig parsing stopped at line 3.
        debug: SshConfig/sshconfig.c:637/ssh_config_set_param_verbose: Setting variable 'VerboseMode' to 'FALSE'.
        debug: SshConfig/sshconfig.c:3130/ssh_config_read_file_ext: Read 17 params from config file.
        debug: Ssh2/ssh2.c:1707/main: User config file not found, using defaults. (Looked for '/home/jsmith/.ssh2/ssh2_config')
        debug: Connecting to remotehost.example.com, port 22... (SOCKS not used)
        warning: Connecting to remotehost.example.com failed: No address associated to the name

5. Escape Character: (Toggle SSH session, SSH session statistics etc.)

Escape character ~ get’s SSH clients attention and the character following the ~ determines the escape command. 
Toggle SSH Session: When you’ve logged on to the remotehost using ssh from the localhost, you may want to come back to the localhost to perform some activity and go back to remote host again. In this case, you don’t need to disconnect the ssh session to the remote host. Instead follow the steps below.

  • Login to remotehost from localhost: localhost$ssh -l jsmith remotehost
  • Now you are connected to the remotehost: remotehost$
  • To come back to the localhost temporarily, type the escape character ~ and Control-Z. When you type ~ you will not see that immediately on the screen until you press and press enter. So, on the remotehost in a new line enter the following key strokes for the below to work: ~
remotehost$ ~^Z
    [1]+  Stopped                 ssh -l jsmith remotehost
    localhost$ 
  • Now you are back to the localhost and the ssh remotehost client session runs as a typical unix background job, which you can check as shown below:
localhost$ jobs
    [1]+  Stopped                 ssh -l jsmith remotehost
  • You can go back to the remote host ssh without entering the password again by bringing the background ssh remotehost session job to foreground on the localhost
localhost$ fg %1
    ssh -l jsmith remotehost
    remotehost$
SSH Session statistics: To get some useful statistics about the current ssh session, do the following. This works only on SSH2 client.
  • Login to remotehost from localhost: localhost$ssh -l jsmith remotehost
  • On the remotehost, type ssh escape character ~ followed by s as shown below. This will display lot of useful statistics about the current SSH connection.
remotehost$  [Note: The ~s is not visible on the command line when you type.] 
        remote host: remotehost
        local host: localhost
        remote version: SSH-1.99-OpenSSH_3.9p1
        local version:  SSH-2.0-3.2.9.1 SSH Secure Shell (non-commercial)
        compressed bytes in: 1506
        uncompressed bytes in: 1622
        compressed bytes out: 4997
        uncompressed bytes out: 5118
        packets in: 15
        packets out: 24
        rekeys: 0
        Algorithms:
        Chosen key exchange algorithm: diffie-hellman-group1-sha1
        Chosen host key algorithm: ssh-dss
        Common host key algorithms: ssh-dss,ssh-rsa
        Algorithms client to server:
        Cipher: aes128-cbc
        MAC: hmac-sha1
        Compression: zlib
        Algorithms server to client:
        Cipher: aes128-cbc
        MAC: hmac-sha1
        Compression: zlib
        localhost$