Colors of Noise

agx@sigxcpu.org

Entries tagged "gnome".

Kerberos authentication on the Librem 5
25th October 2022

The Librem 5 features a built-in smartcard reader. While most people use it for gpg I wanted to see if it can be used as an authenticator for services like email (SMTP, IMAP), access to web pages (HTTPS), calendars, etc without either having to retype a password often or having to store it on the device itself: single sign on for all my frequently used services.

Librem 5's smart card reader

For that one can leverage a feature called PKINIT of Kerberos (a network authentication protocol meant to allow secure communication over a non-secure network) which uses public key cryptography for initial user authentication (instead of a password). If the key material is saved on the smart card even a lost device can hardly be abused as the smart card is protected by a PIN and will lock itself after three incorrect tries (and you can easily revoke the certificate server side too).

On the service side one can use SASL/GSSAPI to make services like exim, postfix, dovecot, cyrus imapd, apache, nginx or prosody use Kerberos to authenticate users, and there are many more (like CalDAV servers, etc). The most prominent missing bit for me is currently the Synapse matrix server not supporting GSSAPI yet.

I won't go into the details of setting up the Kerberos server (KDC) or PKINIT itself or how to configure services as this is already done elsewhere (1, 2) but rather focus on the Librem 5 and smart card side.

So for the following let's assume you have a Kerberos realm called MS20.NIX set up and your KDC has the DNS name kdc.ms20.nix, and your Kerberos principal (your user in the Kerberos database) is called foo@MS20.NIX. You also have SMTP and IMAP servers called smtp.ms20.nix and imap.ms20.nix set up to authenticate users via Kerberos. Finally we call the CA that signs all your certificates ca.pem (we're following the naming from 2).

What follows looks as if lots of things need to be done on the command line. I'll show a simplification at the very end but wanted those bits written down for reference/debugging. Note that this post is not meant as an exhaustive introduction but more like a quick summary of commands. I'm happy if someone grabs it and adds more details.

Kerberos Setup on the Librem 5

Let's first install the Kerberos client side packages on the phone and test that:

$ sudo apt install heimdal-clients

The krb5-config package will ask for your Kerberos realm, KDC etc. With that in place you should be able to test if you can get a Kerberos ticket via

$ kinit

and entering your password.

If that worked the klist output will look something like:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: foo@MS20.NIX

Issued                Expires               Principal
Oct 24 12:55:13 2022  Oct 25 12:55:13 2022  krbtgt/MS20.NIX@MS20.NIX

Now that basic authentication worked, we're ready to switch to certificates stored on the smart card. Let's drop the credentials first:

$ kdestroy

Smartcard Setup

I have used an OpenPGP card smartcard and inserted that into the Librem 5. In my case it was salvaged from a Librem Key. As PKINIT uses OpenSC the OpenSC wiki was very helpful as it has details on how to get key material onto that particular card.

The software to use the Librem 5's smart card reader is enabled by default as part of the librem5-base package. You just need to add opensc to the mix:

$ sudo apt install opensc

With that you should already be able to see the card:

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             L5 built-in SmartCard Reader 00 01 00 00
1    Yes             L5 built-in SmartCard Reader 00 01 00 01

As there's only a single reader and the second entry can confuse opensc let's ignore that one:

$ sudo tee /etc/opensc/opensc.conf > /dev/null <<EOF
app default {
    ignored_readers = "TTXS serial 00 01 00 01","L5 built-in SmartCard Reader 00 01 00 01"
}
EOF

Which should make the output look like

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             L5 built-in SmartCard Reader 00 01 00 00

With the reader up and running we can now store the certificate and private key on it. For simplicity we create these on the KDC and transfer them to the phone (a more realistic setup would create those locally and use a certificate signing request so the private key never leaves your hands):

On the KDC:

$ hxtool issue-certificate --ca-certificate=FILE:krbca.pem --generate-key=rsa --key-bits=2048 --type="pkinit-client" --pk-init-principal="foo@MS20.NIX" --subject="uid=foo,DC=ms20,DC=nix" --certificate="FILE:user.pem"

Then you'd copy the file to your phone and install certificate and private key on the smartcard like (this will delete any already existing keys on the card):

$ # Install needed packages
$ sudo apt install opensc wipe
$ # Delete old keys and install certificate and private key on smartcard
$ pkcs15-init --delete-objects privkey,pubkey,cert --id 1 --auth-id 3
$ pkcs15-init --delete-objects privkey,pubkey,cert --id 2 --auth-id 3
$ pkcs15-init --delete-objects privkey,pubkey,cert --id 3 --store-private-key user.pem  --store-certificate user.pem --id 3 --auth-id 3
$ # Wipe the file containing the private key
$ wipe user.pem

Afterward we can look at what's on the card

$ pkcs15-tool -D
Using reader with a card: L5 built-in SmartCard Reader 00 01 00 00
PKCS#15 Card [OpenPGP card]:
  Version        : 0
  Serial number  : <serial number>
  Manufacturer ID: ZeitControl
  Language       : de
  Flags          : PRN generation, EID compliant


PIN [User PIN]
  Object Flags   : [0x03], private, modifiable
  Auth ID        : 03
  ID             : 02
  Flags          : [0x13], case-sensitive, local, initialized
  Length         : min_len:6, max_len:64, stored_len:64
  Pad char       : 0x00
  Reference      : 2 (0x02)
  Type           : UTF-8
  Path           : 3f00
  Tries left     : 3

PIN [User PIN (sig)]
  Object Flags   : [0x03], private, modifiable
  Auth ID        : 03
  ID             : 01
  Flags          : [0x13], case-sensitive, local, initialized
  Length         : min_len:6, max_len:64, stored_len:64
  Pad char       : 0x00
  Reference      : 1 (0x01)
  Type           : UTF-8
  Path           : 3f00
  Tries left     : 3

PIN [Admin PIN]
  Object Flags   : [0x03], private, modifiable
  ID             : 03
  Flags          : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
  Length         : min_len:8, max_len:64, stored_len:64
  Pad char       : 0x00
  Reference      : 3 (0x03)
  Type           : UTF-8
  Path           : 3f00
  Tries left     : 3

Private RSA Key [Authentication key]
  Object Flags   : [0x03], private, modifiable
  Usage          : [0x222], decrypt, unwrap, nonRepudiation
  Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
  Algo_refs      : 0
  ModLength      : 2048
  Key ref        : 2 (0x02)
  Native         : yes
  Auth ID        : 02
  ID             : 03
  MD:guid        : 135c302c-ddad-1a3c-f558-8beae7612f9f

Public RSA Key [Authentication key]
  Object Flags   : [0x02], modifiable
  Usage          : [0x51], encrypt, wrap, verify
  Access Flags   : [0x02], extract
  ModLength      : 2048
  Key ref        : 0 (0x00)
  Native         : no
  Path           : a401
  ID             : 03

X.509 Certificate [Cardholder certificate]
  Object Flags   : [0x00]
  Authority      : no
  Path           : 3f007f21
  ID             : 03
  Encoded serial : <serial>

The OpenPGP card's default admin PIN is 12345678 and the user pin 123456.
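
One way to check the provisioning result automatically, as an added example that is not part of the original post: the script parses `pkcs15-tool -D` output in the layout shown above and reports whether the private key is marked non-extractable, is bound to a PIN that is not blocked, and has a certificate under the same ID. The function names and the abridged sample dump are constructed for illustration.

```python
import re

# Constructed sample: abridged from the pkcs15-tool -D dump shown above.
SAMPLE_DUMP = """\
PIN [User PIN]
  Object Flags   : [0x03], private, modifiable
  Auth ID        : 03
  ID             : 02
  Tries left     : 3

Private RSA Key [Authentication key]
  Object Flags   : [0x03], private, modifiable
  Usage          : [0x222], decrypt, unwrap, nonRepudiation
  Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
  ModLength      : 2048
  Auth ID        : 02
  ID             : 03

X.509 Certificate [Cardholder certificate]
  Object Flags   : [0x00]
  Path           : 3f007f21
  ID             : 03
"""

# Object headers start in column 0; their fields are indented "name : value".
HEADER = re.compile(r"^(PIN|Private \w+ Key|Public \w+ Key|X\.509 Certificate) \[(.*)\]$")
FIELD = re.compile(r"^\s+(.+?)\s+:\s*(.*)$")


def parse_dump(text):
    """Split pkcs15-tool -D output into a list of objects (dicts of fields)."""
    objects, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"kind": header.group(1), "label": header.group(2)}
            objects.append(current)
        elif not line.strip():
            current = None  # a blank line ends the current object
        elif current is not None:
            field = FIELD.match(line)
            if field:
                current[field.group(1)] = field.group(2).strip()
    return objects


def flags(obj, name):
    """Return the symbolic names from a field like '[0x1D], sensitive, local'."""
    parts = [p.strip() for p in obj.get(name, "").split(",")]
    return {p for p in parts if p and not p.startswith("[")}


def check_key(objects, key_id, min_bits=2048):
    """Return a list of findings for the private key stored under key_id."""
    keys = [o for o in objects
            if o["kind"].startswith("Private") and o.get("ID") == key_id]
    if not keys:
        return [f"no private key with ID {key_id}"]
    key, findings = keys[0], []

    # The key must never be readable from the card.
    missing = {"sensitive", "neverExtract"} - flags(key, "Access Flags")
    if missing:
        findings.append("private key lacks access flags: " + ", ".join(sorted(missing)))
    if int(key.get("ModLength", "0")) < min_bits:
        findings.append(f"modulus shorter than {min_bits} bits")

    # The key's Auth ID must point at a PIN object that still has tries left.
    auth = key.get("Auth ID")
    pins = [o for o in objects if auth and o["kind"] == "PIN" and o.get("ID") == auth]
    if not pins:
        findings.append("private key is not bound to a PIN on the card")
    elif int(pins[0].get("Tries left", "0")) == 0:
        findings.append(f"PIN '{pins[0]['label']}' is blocked")

    # PKINIT needs the certificate that belongs to this key.
    if not any(o["kind"] == "X.509 Certificate" and o.get("ID") == key_id
               for o in objects):
        findings.append(f"no certificate stored under ID {key_id}")
    return findings


if __name__ == "__main__":
    for finding in check_key(parse_dump(SAMPLE_DUMP), "03") or ["OK"]:
        print(finding)
```

To run it against a real card, feed the text printed by `pkcs15-tool -D` to `parse_dump()` instead of the sample.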

PKINIT Setup

Now add

[libdefaults]
pkinit_anchors = FILE:/etc/ssl/certs/ca.pem

to your /etc/krb5.conf and place the ca.pem in /etc/ssl/certs. With that you should be able to use pkinit. The -C option tells kinit to use your smart card for the crypto:

$ kinit -C PKCS11:/usr/lib/aarch64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so foo@MS20.NIX
PIN code for L5 built-in SmartCard Reader 00 01 00 00:

After entering the pin and typing klist the output should be similar to the klist output above. If you connect to various Kerberized services in your realm (e.g. by sending mail) the list will grow without having to retype any PINs or passwords:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: foo@ms20.nix

  Issued                Expires               Principal
Oct 24 12:55:13 2022  Oct 25 12:55:13 2022  krbtgt/MS20.NIX@MS20.NIX
Oct 24 12:55:57 2022  Oct 25 12:55:13 2022  imap/imap.ms20.nix@
Oct 24 12:57:45 2022  Oct 25 12:55:13 2022  smtp/smtp.ms20.nix@
Oct 24 13:00:32 2022  Oct 25 12:55:13 2022  HTTP/http.ms20.nix@

Can we make this simpler?

The above is very command line heavy and thus hard to use on a phone. With krb5-auth-dialog things become easier to set up. There's no need to adjust /etc/krb5.conf or to copy any certificates. PKINIT via smartcard is enabled with a single click and you can select your CA (KDC trust anchor) via the UI too:

PKINIT setup PIN dialog

There's a graphical dialog to enter your PIN that can either be started via the menu or triggered via a simple DBus call:

 $ gdbus call -e -d org.gnome.KrbAuthDialog -o /org/gnome/KrbAuthDialog -m org.gnome.KrbAuthDialog.acquireTgt ''

and the good part is that it won't prompt you if you already have a valid ticket. So you can e.g. add this as a hook to your offlineimap config.

As far as I know there's no end user friendly tool to transfer the certificates to the smartcard yet but note that this doesn't even have to happen on the phone itself. You can provision those elsewhere and then add the card to the phone but it might make sense to add that functionality to either krb5-auth-dialog or seahorse.

I hope this post motivates people to try this out and to leverage Kerberos for authenticating to services via the Librem 5's built-in smartcard reader.

Pitfalls


Tags: gnome, librem5, phosh, single-sign-on.
On a road to Prizren with a Free Software Phone
12th August 2022

Since people are sometimes slightly surprised that you can go onto a multi week trip with a smartphone running free software only, I wanted to share some impressions from my recent trip to Prizren/Kosovo to attend Debconf 22 using a Librem 5. It's a mix of things that happened and bits that got improved to hopefully make things more fun to use. And, yes, there won't be any big surprises like being stranded without the ability to do phone calls in this read because there weren't and there shouldn't be.

After two online versions Debconf 22 (the annual Debian Conference) took place in Prizren / Kosovo this year and I sure wanted to go. Looking for options I settled for a train trip to Vienna, to meet there with friends and continue the trip via bus to Zagreb, then switching to a final 11h direct bus to Prizren.

When preparing for the trip and making sure my Librem 5 phone has all the needed documents I noticed that there will be quite some PDFs to show until I arrive in Kosovo: train ticket, bus ticket, hotel reservation, and so on. While that works by unlocking the phone, opening the file browser, navigating to the folder with the PDFs and showing it via evince, this looked like a lot of steps to repeat. Can't we have that information on the Phone Shell's lockscreen?

This was a good opportunity to see if the upcoming plugin infrastructure for the lock screen (initially meant to allow for a plugin to show upcoming events) was flexible enough, so I used some leisure time on the train to poke at this and just before I reached Vienna I was able to use it for the first time. It was the very last check of that ticket, it also was a bit of cheating since I didn't present the ticket on the phone itself but from phosh (the phone's graphical shell) running on my laptop but still.

PDF barcode on phosh's lockscreen List of tickets on phosh's lockscreen

This was possible since phosh is written in GTK and so I could just leverage evince's EvView. Unfortunately the hotel check in didn't want to see any documents ☹.

For the next day I moved the code over to the Librem 5 and (being a bit nervous as the queue to get on the bus was quite long) could happily check into the Flixbus by presenting the barcode to the barcode reader via the Librem 5's lockscreen.

When switching to the bus to Prizren I didn't get to use that feature again as we bought the tickets at a counter but we got a nice krem banana after entering the bus - they're not filled with jelly, but krem - a real Kosovo must eat!

Although it was a rather long trip we had frequent breaks and I'd certainly take the same route again. Here's a photo of Prizren taken on the Librem 5 without any additional postprocessing:

Prizren

What about seeing the conference schedule on the phone? Confy (a conference schedule viewer using GTK and libhandy) to the rescue:

Confy with Debconf's schedule

Since Debian's confy maintainer was around too, confy saw a bunch of improvements over the conference.

For getting around Puremaps (an application to display maps and show routing instructions) was very helpful, here geolocating me in Prizren via GPS:

Puremaps

Puremaps currently isn't packaged in Debian but there's work ongoing to fix that (I used the flatpak for the moment).

We got ourselves sim cards for the local phone network. For some reason mine wouldn't work (other sim cards from the same operator worked in my phone but this one just wouldn't). So we went to the sim card shop and the guy there was perfectly able to operate the Librem 5 without further explanation (including making calls, sending USSD codes to query balance, …). The sim card problem turned out to be a problem on the operator side and after a couple of days they got it working.

We had nice, sunny weather about all the time. That made me switch between high contrast mode (to read things in bright sunlight) and normal mode (e.g. in conference rooms) on the phone quite often. Thankfully we have an ambient light sensor in the phone so we can make that automatic.

Phosh in HighContrast

See here for a video.

Jathan kicked off a DebianOnMobile sprint during the conference where we were able to improve several aspects of mobile support in Debian and on Friday I had the chance to give a talk about the state of Debian on smartphones. pdf-presenter-console is a great tool for this as it can display the current slide together with additional notes. I needed some hacks to make it fit the phone screen but hopefully we figure out a way to have this by default.

Debconf talk Pdf presenter console on a phone

I had two great weeks in Prizren. Many thanks to the organizers of Debconf 22 - I really enjoyed the conference.

Tags: debian, gnome, librem5, phosh, planetdebian, planetfsfe, planetgnome.
Introducing gtherm
7th January 2020

Continuous temperature monitoring from the kernel's /sys/class/thermal/ in an application can be cumbersome. gtherm aims to make that simpler by providing a daemon (gthd) that exports thermal zones and cooling cells over DBus and providing a small library libgtherm (and GObject introspection bindings). gthcli is a simple command line client that displays the currently found values:

Thermal Zones
-------------
      dbus path: /org/sigxcpu/Thermal/ThermalZone/0
           type: cpu-thermal
    temperature: 53,00°C
cooling devices: /org/sigxcpu/Thermal/CoolingDevice/0

      dbus path: /org/sigxcpu/Thermal/ThermalZone/3
           type: max170xx_battery
    temperature: 36,60°C

      dbus path: /org/sigxcpu/Thermal/ThermalZone/2
           type: vpu-thermal
    temperature: 54,00°C

      dbus path: /org/sigxcpu/Thermal/ThermalZone/1
           type: gpu-thermal
    temperature: 54,00°C
cooling devices: /org/sigxcpu/Thermal/CoolingDevice/1

Cooling Devices
---------------
    dbus path: /org/sigxcpu/Thermal/CoolingDevice/0
         type: thermal-idle-0
    max state: 100
current state: 0

    dbus path: /org/sigxcpu/Thermal/CoolingDevice/1
         type: 38000000.gpu
    max state: 6
current state: 0

There's support for gnome-usage in the works:

gnome-usage thermal view

Next up is support for trip points (and maybe tuning cooling behaviour from userspace later on).

Tags: gnome, librem5, phosh, planetgnome.
krb5-auth-dialog 3.15.4
17th January 2015

To keep up with GNOME's schedule I've released krb5-auth-dialog 3.15.4. Besides updated translations, the replacement of deprecated GTK+ widgets, minor UI cleanups and bug fixes, the changes of 3.15.1 and 3.15.4 include a header bar fix that makes us only use header bar buttons iff the desktop environment has them enabled:

krb5-auth-dialog with header bar krb5-auth-dialog without header bar

This makes krb5-auth-dialog better integrated into other desktops again thanks to mclasen's awesome work.

This blog is flattr enabled.

Tags: gnome, planetdebian, planetfsfe, planetgnome.
Testing a NetworkManager VPN plugin password dialog
12th October 2014

Testing the password dialog of a NetworkManager VPN plugin is as simple as:

echo -e 'DATA_KEY=foo\nDATA_VAL=bar\nDONE\nQUIT\n' | ./auth-dialog/nm-iodine-auth-dialog -n test -u $(uuid) -i

The above is for the iodine plugin when run from the built source tree. This allows one to test these dialogs although one hasn't seen them in ages since GNOME Shell uses the external UI mode to query for the password.

Tags: gnome, planetdebian, planetfsfe, planetgnome.
CrystalHD progress
30th November 2013

Following up on my port of the crystalhd plugin to the gstreamer 1.0 api I realized that the CrystalHD repo is pretty dormant. After reading slomo's nice article about GStreamer and hardware integration and a short off list mail exchange I decided to split the GStreamer part out of the CrystalHD repo and to try to get the plugin into gst-plugins-bad.

Since the kernel part is already in linux kernel's staging area there would not be much left in the repo except for the libcrystalhd library itself and the firmware blobs. So I split them out as well and started to clean them up a bit by moving it to autoconf/automake, dropping the need for a C++ compiler and adding symbol versioning among other things.

So up to now video is still smooth with:

gst-launch-1.0 filesrc location=sample.mp4 ! decodebin ! xvimagesink

after jhbuilding up to gst-plugins-bad.

There are #ifdefs for macosx and windows but I doubt they're functional, but in case anybody is building libcrystalhd on these platforms it'd be great to know if it still works.

Should these efforts lead to the crystalhd plugin being merged into GStreamer getting the kernel driver out of staging would be a great next step.

Tags: gnome, planetdebian, planetfsfe, planetgnome, wetab.
gst0.10-crystalhd ported to gstreamer 1.0
22nd March 2013

Following up on using Debian on the WeTab with GNOME Shell I figured accelerated video using the built in CrystalHD to save battery power and CPU cycles would be nice to have. There's even a Debian package available but not for gstreamer 1.0 (which is used by GNOME 3.6) so I had a look at gstreamer's plugin writers guide and porting guide and updated the driver. Packages are here until there's a new upstream version or Debian package release.

Tags: gnome, planetdebian, planetgnome, wetab.
Accelerometer and screen orientation in GNOME3
23rd February 2013

Following up on using Debian on the WeTab with GNOME Shell I had a look at automatically adjusting the screen orientation when rotating the device.

The accelerometer is handled in the asus_laptop module since kernel 3.2, so this shows up in /proc/bus/input/devices:

I: Bus=0019 Vendor=0000 Product=0000 Version=0000
N: Name="Pegatron Lucid Tablet Accelerometer"
P: Phys=pega_accel/input0
S: Sysfs=/devices/platform/asus_laptop/input/input4
U: Uniq=
H: Handlers=event4 js0 
B: PROP=0
B: EV=9
B: ABS=7

Whenever the screen orientation changes the driver emits a udev event. The helper in /lib/udev/accelerometer processes it thanks to /lib/udev/rules.d/61-accelerometer.rules, determines the orientation and adds the ID_INPUT_ACCELEROMETER_ORIENTATION property to the event which can be checked with udevadm monitor --property:

UDEV  [5778.534171] change   /devices/platform/asus_laptop/input/input4 (input)
ABS=7
ACTION=change
DEVPATH=/devices/platform/asus_laptop/input/input4
EV=9
ID_FOR_SEAT=input-platform-asus_laptop
ID_INPUT=1
ID_INPUT_ACCELEROMETER=1
ID_INPUT_ACCELEROMETER_ORIENTATION=right-up
ID_PATH=platform-asus_laptop
ID_PATH_TAG=platform-asus_laptop
MODALIAS=input:b0019v0000p0000e0000-e0,3,kra0,1,2,mlsfw
NAME="Pegatron Lucid Tablet Accelerometer"
PHYS="pega_accel/input0"
PRODUCT=19/0/0/0
PROP=0
SEQNUM=1550
SUBSYSTEM=input
TAGS=:seat:
UDEV_LOG=3
USEC_INITIALIZED=6154288

This is captured by gnome-settings-daemon (>=3.2) that adjusts the screen rotation using xrandr2 accordingly. This can be checked by running gnome-settings-daemon with --debug. The old way of using xinput events is no longer supported.

Unfortunately Debian's udev has a minor bug that misdetects the input device so this patch is needed to have the screen orientation changed automatically on the WeTab.

Tags: gnome, planetdebian, wetab.
GTK+3 CSS for touch screens
17th February 2013

Following up on using Debian on the WeTab with GNOME Shell I've put together a bit of GTK+3 CSS to make it more touch friendly. It's in the same git repo as the OSK extension. If you put the gtk.css into ~/.config/gtk-3.0/gtk.css scrollbars will be a bit larger and the padding between widgets will be increased over the default theme:

Larger scroll bar Larger scroll bar

This will need more work since some of the sliders look a bit awkward now so any enhancements will be greatly appreciated. The docs for GTK3's CSS are here.

Tags: gnome, planetdebian.
GNOME Shell and On Screen Keyboard
28th December 2012

Running Debian on the WeTab with GNOME Shell without an external keyboard works pretty nicely. The on screen keyboard - if enabled via the accessibility menu - folds out automatically in the shell itself within text input fields. To have this within GTK+3/GTK+2 applications you need libcaribou-gtk3-module and libcaribou-gtk-module installed. For other cases I stitched together a small extension that puts a keyboard "Button" prominently into the middle of the panel. Clicking/touching it will fold it out, clicking again will hide it again. You can fetch it from

git clone git://honk.sigxcpu.org/git/gnome-shell-oskb-extension.git ~/.local/share/gnome-shell/extensions/OnScreenKeyboardButton@sigxcpu.org

and activate it via

 gsettings set org.gnome.shell enabled-extensions "['OnScreenKeyboardButton@sigxcpu.org']"

OSK Button Screenshot

For kinetic scrolling in Iceweasel I'm currently using Grab and Drag which is not yet packaged for Debian.

Thanks to Debian's GNOME packaging team gnome-shell 3.6 is already available in experimental.

Tags: debian, gnome, planetdebian.
Iodine plugin for Network Manager 0.0.4
26th December 2012

Finally found the time to add external ui support to network-manager-iodine. This makes for nicer authentication dialogs when using Gnome Shell and warrants a 0.0.4 release. Debian packages can be fetched from unstable once they passed the NEW queue.

Tags: gnome.
Iodine plugin for network-manager
24th February 2012

During FOSDEM I finally got around to hack on an iodine plugin for network manager. Given a suitably prepared server on the other end this allows you to tunnel connections over DNS when all other traffic is firewalled. The basic configuration only needs the domain name set:

Network Manager Iodine Configuration

You can grab the sources from git.gnome.org, a Debian package is also available.

Tags: gnome, planetdebian, planetgnome.
GNOME Prepaid Manager 0.0.3
28th December 2011

A recent trip to Switzerland made me dig out my prepaid card for UMTS usage again. This resulted in some minor enhancements for Prepaid Manager. The new release handles disabled and missing modems more reliably. It also has some visual feedback if we know the length of the top up code:

GNOME Prepaid Manager screenshot

Tags: gnome, planetdebian, planetgnome.
Slides of GNOME3 talk at FroSCon 2011
22nd August 2011

The slides of my talk about GNOME3 at the FroSCon 2011 in Sankt Augustin are now available. The source code including the examples can be found here:

git clone git://honk.sigxcpu.org/git/talks/2011-08-gnome3-froscon.git

It was a great conference that I really enjoyed being at. Thanks a lot to all who made that event possible and happen!

Tags: gnome.
GNOME Prepaid Manager 0.0.2
14th August 2011

The new release switches to GDBus and adds an application icon. Together with the recently released Modem Manager 0.5 it's now able to fetch the balance information via USSD on Huawei and ZTE modems as well.

GNOME Prepaid Manager Icon

Tags: gnome, planetdebian, planetgnome.
GNOME Prepaid Manager, ModemManager and Huawei modems
31st May 2011

I've made a first release of GNOME Prepaid Manager a couple of days ago after switching to GTK+3, GSettings and PyGObject's GObject introspection but it still wasn't that useful since the very common Huawei chipsets (present in many UMTS USB sticks) weren't working due to some missing code in ModemManager.

GNOME Prepaid Manager screenshot

Thanks to Dan's great description I just got around to add that which should make ppm useful to more people.

Tags: gnome, planetdebian, planetgnome.
GNOME Prepaid-manager-applet status
22nd March 2011

Thanks to Dan merging my changes into mobile-broadband-provider-info and ModemManager the prepaid-manager applet now doesn't need any external dependencies patched which is great news. However I still didn't get around to make it work on the very common Huawei 3G chipsets though. Once this is done the ui needs a lift up badly.

Tags: gnome, planetgnome.
krb5-auth-dialog GNOME3 status
16th March 2011

Hello Planet GNOME! As of 2.91.91 krb5-auth-dialog should be fairly usable in GNOME3. The status icon is gone if the notification service supports persistence, we migrated to GDBus and to the new Control Panel.

notification with gnome-shell

The move to DConf is still missing though.

Tags: gnome, planetgnome.
Prepaid GSM/UMTS cards please meet the GNOME Prepaid-manager-applet
6th December 2010

During a trip to Switzerland I needed some internet connectivity for my laptop and so I got myself a prepaid UMTS SIM card. That's a lot cheaper than roaming with the UMTS card from my local provider. NetworkManager worked great: after putting the SIM card into the laptop a dialog popped up asking for the PIN, then selecting the provider, ready to go!

After I used up my prepaid credit things got a bit more rough. The connection was failing for no "obvious" reason. So I put the SIM card into a mobile phone, pulled out the manual that came with the SIM card, found how to check the balance and dialed:

*130#

and the mobile phone returned that I didn't have enough credit left. So I got myself a top up code from the next supermarket, dialed:

*130*<topupcode>#

put the card back into my laptop and could connect again.

That's a bit cumbersome to repeat since you not only have to know the above USSD sequences (those vary between providers) but also need a mobile phone to put the SIM card into. So I added preliminary USSD support to ModemManager, extended mobile-broadband-provider to support balance top-up information and hacked together a simple prepaid-manager-applet that allows you to check and top-up your prepaid balance right from your GNOME desktop. This needs more work (and a nice icon) but it's basically usable.

Tags: gnome.
Building GNOME 3 with jhbuild on Debian
3rd November 2010

In case somebody else wants to jhbuild current GNOME 3 prereleases on Debian here's the current set of dependencies and the jhbuildrc I'm using. With the necessary fixes applied upstream now this allows me to build gnome-shell, gnome-control-center and others via

jhbuild build <program>

It needs libmozjs3d-dev from experimental for the shell but the rest comes out of squeeze.

Tags: debian, gnome.
system-config-printer-udev
10th August 2010

Those old school ones among us that still need a printer who are new school enough to want to get rid of HAL should try system-config-printer from experimental. After replacing hal-cups-utils by system-config-printer-udev aptitude tells me:

    The following packages will be REMOVED:
      hal{u} hal-info{u} 
    0 packages upgraded, 2 newly installed, 2 to remove and 121 not upgraded.

Which means faster startup times and one daemon less on Squeeze's GNOME desktop. The new version also uses PolicyKit instead of gksu for finer grained permission control.

Tags: debian, gnome.
krb5-auth-dialog: Simple AFS plugin
9th July 2010

I've just added a simple afs plugin to krb5-auth-dialog. It just calls either aklog or afslog after acquiring or renewing your Kerberos ticket to get you into your AFS cell. To activate it use

gconftool-2 --set --list-type=string --type=list /apps/krb5-auth-dialog/plugins/enabled [afs]

and restart krb5-auth-dialog. A package with the above enabled has been uploaded to Debian. Thanks to the test account in the global2000.at cell provided by Jörg Herzinger I could test this easily and I have to say that AFS looks like a cool thing.

Tags: debian, gnome, single-sign-on.
krb5-auth-dialog: DBUS signals and plugins
3rd May 2010

Krb5-auth-dialog now sends DBus signals when you acquire or renew your Kerberos ticket granting ticket and when the ticket expires. When using OpenAFS this can e.g. be used to trigger a call to aklog on ticket renewal. It's simple to catch the DBus signals from a Python script:

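import dbus
from dbus.mainloop.glib import DBusGMainLoop
from gi.repository import GLib
DBusGMainLoop(set_as_default=True)  # signal delivery needs a main loop, set before connecting
tgt_renewed_handler = tgt_acquired_handler = tgt_expired_handler = lambda *args: print("TGT signal:", args)  # placeholder handlers
bus = dbus.SessionBus()
bus.add_signal_receiver(tgt_renewed_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_renewed")
bus.add_signal_receiver(tgt_acquired_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_acquired")
bus.add_signal_receiver(tgt_expired_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_expired")
GLib.MainLoop().run()  # dispatch incoming signals until interrupted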

The tgt_*_handler will then be called when the signal is received. The shipped Python example allows to execute a script already:

tgt-signals.py -q --acquired-action=aklog --renewed-action=aklog

Krb5-auth-dialog also got a plugin system so you could use a loadable module for these kind of things instead. It already ships a PAM plugin that can be used to run some typical actions like calling pam-afs-session or getting kx509 set up.

You need to tell krb5-auth-dialog which plugins to load via gconf. To load the dummy and PAM plugins use:

gconftool-2 --set --list-type=string --type=list /apps/krb5-auth-dialog/plugins/enabled [pam,dummy]

Since I'm not using AFS or kx509 myself I'd be interested to know if this works out as expected.

If you want to write your own plugins you can use the dummy plugin as a basis.

A package with the above enabled has been uploaded to Debian experimental.

Tags: debian, gnome, single-sign-on.
Simple git data provider for Zeitgeist
13th April 2010

gnome-activity-journal recently entered Debian and it could become a great tool to keep track of hacking activities. The underlying zeitgeist can log these and other events and make the information available via DBus. I couldn't find a data provider that feeds the information about Git commits to it so I wrote a simple post commit hook. This way one can easily see when one worked on a source repository:

gnome-activity-journal

Now is there a nice way to store additional information like current branch or commit message along with that?

Tags: debian, gnome.
Negotiate support for libsoup
30th November 2009

I've finally added basic Negotiate (Kerberos) support to libsoup. Git is available here. Using:

git clone http://git.debian.org/?p=users/agx/libsoup.git;a=summary
./autogen.sh
make
# for nautilus:
killall gvfsd
LD_LIBRARY_PATH=libsoup/.libs/ gvfsd
# epiphany:
LD_LIBRARY_PATH=libsoup/.libs/ epiphany
# totem:
LD_LIBRARY_PATH=libsoup/.libs/ totem

you can protect your music, files, whatever on a webserver using mod_auth_kerb and access them without storing a password just using your Kerberos ticket. Would be nice to get this merged (#587145).

Tags: gnome, single-sign-on.
krb5-auth-dialog 0.13
29th September 2009

Besides quite some bug fixes krb5-auth-dialog 0.13 now features a ticket dialog that lists your current tickets.

Tags: gnome, single-sign-on.