Cryptographic Filesystem

Yesterday’ve been playing around with CFS in my Ubuntu. I’ve never tried a cryptographic filesystem before, altough I knew there were many flavours laying out there.

CFS has two main advantages, as far as I know:

  • It doesn’t require any special kernel patch (at least, not for Ubuntu), because it uses NFS to do loopback mounting of crypted directories.
  • It uses directly the underlying filesystem, avoiding the need of creating fs images to mount by loopback. Crypted directories and files are mapped to normal directories and files with its name and contents crypted.

The package provides some utilities:

  • cmkdir: Creates and initializes a crypted directory on the host filesystem.
  • cattach: Attaches a crypted directory, making it available (as cleartext) under /crypt/*.
  • cdetach: Dettaches a previously mounted crypted directory.

I’ve tried CFS successfully, and added it to my list of useful tools. It’s clean, easy and powerful. 🙂

Limited lifetime scripts

While helping Xavi with a small task (batch converting ODT documents to PDF via a web form), I’ve remembered a little recipe I’ve written some time ago.

It’s a way to force some script to die after a defined timeout. So, you can perform a command by ssh inside a script or perform any blocking task you want, and it will always return.

The only thing you have to do is to put these single 3 lines of code at the start of your bash script:

SECURITY_TIMEOUT=60
CMD_PID="$$";
{ sleep $SECURITY_TIMEOUT; kill -9 $CMD_PID; } 2>/dev/null &
Enjoy it!

SMTP and Cisco PIX firewall

Some months ago, I configured a complete mail gateway and other services for a client. As for almost every deployment, there were things that had to be investigated and one always learn something new.

One of the most surprising “curiosities” I found was about SMTP. When I telneted the SMTP gateway at port 25 from inside the intranet or localhost, the usual welcome message was displayed. But when I did the same from the internet, I received this weird welcome string:

220 **************************************

And when I tried to issue an ESMTP command (like EHLO), the server said that it wasn’t supported. What the hell??!! It can’t be! Someone or something is changing my packets!

After doing some searching at Google, I discovered who was the little guilty: a Cisco PIX firewall configured with the “fixup protocol smtp 25” option turned on. That was preventing internet users from authenticating and using TLS.

Thank you debian-administration.org guys!