Archive for October, 2005

Time Changes

Sunday, October 30th, 2005

Last night we once again changed the time on our clocks. I hadn’t noticed this until yesterday evening, when I wanted to withdraw cash from my account. The ATM had a note stuck on it: due to technical maintenance regarding the time change, all cashpoints would be out of service from midnight to 5 a.m. CET.
But even if I hadn’t noticed, this would not have been an issue for me. All my important clocks, like my alarm clock and computer clock, changed time automatically. Only my mobile phone needed a manual adjustment. And that brings me to the point of posting this: Why can’t my mobile phone just change time automatically, too?

Creating Transparent Images with the Gimp

Thursday, October 27th, 2005

Creating Transparent Images with the Gimp

Surviving Zebra

Wednesday, October 26th, 2005

Today I was almost run down by a public transport bus at a crosswalk. Like yesterday. Twice in a week and each time a bus. That’s a bit weird. I mean, I’m used to cars ignoring crosswalks, but buses? I have to admit the drivers waved at me apologetically once they discovered me.

Early Winter

Sunday, October 16th, 2005

Yesterday our heating installation opted out of service. We still have warm water, but all radiators in the house are cold and it’s starting to get colder in here, too. At first I didn’t notice it at all and now I’m not sure how to correct the problem. Seems I have to call building services tomorrow.

Alternative Views

Saturday, October 15th, 2005

On Friday I had a meeting with a long-time customer. Unfortunately, he didn’t manage to get everything done on schedule and so he was not ready for our meeting when I arrived. So I had the opportunity to accompany him and his assistant to the roof of a block of houses in downtown Hamburg. While his assistant measured the size of the roof and made an architectural drawing of the site, we talked about a redesign of his website. By the time the assistant was ready and she told us we could go now, we had enjoyed one of the most amazing views of downtown Hamburg I have ever seen. And the weather was great, too.

No photos, though, as I left my camera at home.

Verifying File Integrity

Thursday, October 6th, 2005

This is the second part of a series on basic Linux commands and techniques for system administrators. In the last part of the series we asked and answered the question "What is tail?". Today we take a look at file integrity checking.

If you are a system administrator and you do not leave the whole administration to the powerful package management system of your distribution of choice, you will most likely compile at least some software yourself. In that case you need to download one or more files from the internet. However, this is a potential security issue, as files could have been compromised by a third party – either directly on a mirroring server or on the way from the download server to your machine.

One-Way Encryption To The Rescue

To verify that the file has not been touched by a third party, you can compare the MD5 sum of the downloaded file with a sum provided by the distributor of the file. MD5 is a cryptographic hash function, basically a one-way encryption. You take the data file as input and calculate the MD5 sum. Because it’s one-way, you cannot regenerate the input (data file) from the output (MD5 sum). However, if you supply the same input (data file), you will always get the same output (MD5 sum). If a file had been compromised, the data file would have changed and you would get a wrong MD5 sum, because the input changed. If the MD5 sum you got from the distributor of the file and the MD5 sum you get on your local machine match, it means that you can use the file without any doubt.

On to a practical example. We’ll choose the popular mail server Exim. In the case of Exim, the MD5 sum of the data files is distributed with the announcement of each new release. In other cases, you might be able to download files that basically use the syntax filename.tar.gz.md5 from the main FTP server. Those files contain the MD5 sum of the respective file.

To get the MD5 sum, download the file and use md5sum to calculate the MD5 sum of the local file.

    $ wget ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.54.tar.gz
    $ md5sum exim-4.54.tar.gz
    07632e59a1ba0e9c409d0c2ea5f58816 exim-4.54.tar.gz

Compare the MD5 sum you get with the MD5 sum provided in the original release announcement. If they are equal, the file has not been compromised and can be used safely.

However, there is a problem with the MD5 approach. This method of verifying file integrity can only be used if you know that the MD5 sum you check against has not been altered itself and is 100% correct. If the server of the distributor had been compromised and the files had been changed, the attacker might have changed the MD5 hashes provided on the server as well.

Even More Security With A Digital Signature

A more secure method of verifying file integrity is to use public-key cryptography. The Exim developers used their cryptographic private keys to sign the distributed files digitally. You can use a tool like GnuPG to verify that digital signature.

First download the signature file (normally filename.tar.gz.sig or filename.tar.gz.asc) from the FTP server and use gpg to verify the signature. If gpg is not already installed, use apt-get install gnupg on Debian systems.

    $ wget ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.54.tar.gz.sig
    $ gpg exim-4.54.tar.gz.sig

When you verify a file of your favourite software for the first time, you will get an error message from gpg, because it does not have the key the developer used to sign the file.

    gpg: Signature made Tue Oct 4 10:55:47 2005 CEST using RSA key ID FB0F43D8
    gpg: Can't check signature: public key not found

To verify the integrity of the file, you need to import the key from a public key server. You can find the key ID you need to import in the message you got earlier.

    $ gpg --keyserver random.sks.keyserver.penguin.de --recv-key FB0F43D8
    gpg: requesting key FB0F43D8 from hkp server random.sks.keyserver.penguin.de
    gpg: key FB0F43D8: public key "Philip Hazel <ph10 @cam.ac.uk>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

If everything goes well, gpg will tell you that it imported the key successfully. You can now make a second attempt at verifying the file.

    $ gpg exim-4.54.tar.gz.sig
    gpg: Signature made Tue Oct 4 10:55:47 2005 CEST using RSA key ID FB0F43D8
    gpg: Good signature from "Philip Hazel <ph10 @cam.ac.uk>"
    gpg: aka "Philip Hazel <ph10 @cus.cam.ac.uk>"
    Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8

Congratulations. If you get the message above, the file you downloaded is genuine and the software can be compiled on your machine without any security concerns.
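
A "Good signature" line only says the file was signed by the key that was imported, and that key was fetched from a keyserver by its short ID, so a scripted check should also compare the signer's full fingerprint with one obtained through a separate channel. The following is an added example, not part of the original post: signer_fingerprint, check_status and verify_pinned are hypothetical helper names, and the sample status lines are constructed around the fingerprint printed above.

```shell
#!/bin/sh
# Added example, not from the original post. signer_fingerprint, check_status
# and verify_pinned are hypothetical helper names.

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamps and
# algorithm fields are made up; the fingerprint is the one shown above).
SAMPLE_STATUS='[GNUPG:] GOODSIG 9766E084FB0F43D8 Philip Hazel
[GNUPG:] VALIDSIG 45F68D54BBE23FB3039B46E59766E084FB0F43D8 2005-10-04 1128416147 0 3 0 1 2 00 45F68D54BBE23FB3039B46E59766E084FB0F43D8'

# Read gpg status lines on stdin and print the signer's primary key
# fingerprint (the last VALIDSIG field in current GnuPG). Fails closed on
# no valid signature, several signers, or a bad/expired/revoked marker.
signer_fingerprint() {
    awk '$1 != "[GNUPG:]" { next }
         $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         $2 == "VALIDSIG" { fpr = $NF; n++ }
         END { if (bad || n != 1) exit 1; print fpr }'
}

# check_status PINNED_FPR (status lines on stdin) -> 0 only if the signer matches
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fpr=$(signer_fingerprint) || return 1
    [ "$fpr" = "$pinned" ]
}

# verify_pinned SIGFILE DATAFILE PINNED_FPR
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Usage, with the fingerprint obtained out of band:
#   verify_pinned exim-4.54.tar.gz.sig exim-4.54.tar.gz \
#       "45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8" || exit 1
```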

Getting older

Wednesday, October 5th, 2005

Yesterday I missed three (in numbers: 3) appointments. I had totally forgotten about ‘em. A look into my date book a few minutes ago, however, made me think. Some disconcerting telephone calls seem to be in order later today. Doh!