23 April 2013

394. Eduroam using wicd and network-manager

Eduroam is a "secure international roaming service" which is used by a great number of universities in Europe, the US and Australia, as well as being used by a limited number of campuses in Asia and Africa.

It's a pretty neat idea since there's frequent exchange of visitors between universities (visiting researchers, seminar speakers, PhD students visiting to do measurements etc.). Getting IT to set up an account for a temporary user is too much hassle -- and this takes care of that.

While Eduroam might be implemented slightly differently on different campuses, this is what I've had luck with in Melbourne (https://wiki.aarnet.edu.au/display/eduroam/For+End+Users).

Here are a couple of screenshots and instructions for network-manager and wicd.

network-manager

Security: WPA & WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anon. Identity:
CA certificate:
Inner Authentication: MSCHAPv2
Username: uniusername
Password: password


Wicd
I wiped my laptop a month or two ago and hadn't bothered reconnecting to eduroam after that, so when setting it up in wicd I first tried creating a script in /etc/wicd/encryption/templates, which I activated by including it in /etc/wicd/encryption/templates/active. I kept on getting 'bad password' errors though. Note that I've had no success whatsoever connecting to any network using wicd in virtualbox. What I show below works on physical hardware (i.e. my Thinkpad SL410) though.

Anyway, simple: click on Properties for the eduroam network you want to connect to, and set it up as shown below (version 1.7.2 as found in Wheezy)


For Encryption, pick PEAP with TKIP/MSCHAPv2, and input your university username and password.

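The connection works without the CA cert, so if you don't have access to the eduroam CA cert you can leave it out. Including it improves security though: without it, your machine can't verify that the server it hands your username and password to really belongs to your university.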
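The same applies to the network-manager settings above, where the CA certificate field is left blank. As an added example (not part of the original post), this script lists saved NetworkManager profiles that use 802.1X without a CA certificate. The key names are NetworkManager's [802-1x] keyfile keys; the three sample profiles and their paths are constructed for illustration.

```shell
# Added example: flag 802.1X profiles that do not authenticate the server.

# audit_8021x DIR: print one line per profile in DIR that uses 802.1X but
# sets neither ca-cert nor system-ca-certs=true.
audit_8021x() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f")" '
            /^\[/ { in_x = ($0 == "[802-1x]"); if (in_x) seen = 1; next }
            in_x && /^ca-cert=./            { pinned = 1 }
            in_x && /^system-ca-certs=true/ { pinned = 1 }
            END {
                if (seen && !pinned)
                    print name ": no CA certificate, server is not authenticated"
            }' "$f"
    done
}

# make_samples: write three constructed profiles to a temp dir, print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/eduroam-nocert" <<'EOF'
[connection]
id=eduroam
[802-1x]
eap=peap;
identity=uniusername
ca-cert=
phase2-auth=mschapv2
EOF
    cat > "$d/swinwifi" <<'EOF'
[connection]
id=swinwifi
[802-1x]
eap=ttls;
anonymous-identity=anonymous
ca-cert=/home/user/.certificates/swinwifi.der
phase2-auth=pap
EOF
    cat > "$d/home-psk" <<'EOF'
[connection]
id=home
[802-11-wireless-security]
key-mgmt=wpa-psk
EOF
    echo "$d"
}

samples=$(make_samples)
audit_8021x "$samples"   # flags only eduroam-nocert
rm -rf "$samples"
```

On a real machine, point audit_8021x at /etc/NetworkManager/system-connections (root is needed to read the profiles).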




Android
As a bonus, here are the settings in android.



20 April 2013

393. Solved: XpressConnect on Ubuntu vs Debian. Extra focus on Swinburne university (AU/Melbourne)

Update 4. It's fixed now. There are two fixes:
1. XpressConnect wants ubuntu and checks for it via /etc/lsb-release, a file that doesn't exist on debian. Set it up to pretend that you're using ubuntu, and XpressConnect works.
2. Just configure the network connection manually. This is by far the easiest, as long as you know the settings.

Either way you'll need network-manager, lshw and wireless-tools in order to use XpressConnect. See towards the end of the post for more details.

Presumably this should work on any distro (e.g. arch, centos, rhel, sles), not just debian.

Update 3: Someone at Swinburne managed to connect to the Wifi without using XpressConnect by simply manually configuring the network: http://forums.debian.net/viewtopic.php?f=10&t=103387&p=494412#p494145

Original post:

Until a few days ago I'd never heard of XpressConnect before, but apparently it's a program that sets up your wireless connection automatically, and is used by a number of universities (http://lmgtfy.com/?q=xpressconnect+site%3A*.edu).

In short, it works on Ubuntu (32 bit 10.04 lts) but not Debian (64 bit wheezy, 32 or 64 bit squeeze). Note that Ubuntu 10.04 has Gnome 2, as does Squeeze. Wheezy has Gnome 3.


Description
You don't need to be anywhere near a uni network to reproduce the issue -- anyone, with or without a wireless card, can test it.

Note: I generated the logs with a copy of XpressConnect downloaded from Swinburne, not the generic version -- hence why it says swinwifi etc.

On Debian, first make sure to install lshw and wireless-tools, and add /sbin to the PATH in the terminal you're using.
sudo apt-get install lshw wireless-tools
export PATH=$PATH:/sbin

The 'installation' is simple
cd ~/Downloads
wget http://hosted.cloudpath.net/Xavier/Production/tools/XpressConnect-Linux.tar
tar xvf XpressConnect-Linux.tar
./XpressConnect-DoubleClickToRun 
Will download x64 version...
--2013-04-18 21:11:16--  http://hosted.cloudpath.net/Xavier/Production//tools/XpressConnect-x64.tar.bz2
Resolving hosted.cloudpath.net (hosted.cloudpath.net)... 72.18.151.75
Connecting to hosted.cloudpath.net (hosted.cloudpath.net)|72.18.151.75|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6266475 (6.0M) [application/x-bzip2]
Saving to: `/tmp/XpressConnect-x64.tar.bz2'

100%[==============================================================================================================================>] 6,266,475 780K/s in 10s

2013-04-18 21:11:27 (600 KB/s) - `/tmp/XpressConnect-x64.tar.bz2' saved [6266475/6266475]

files
files/logo.jpg
network_config.xml
resources.properties
XpressConnect-x64

XpressConnect-DoubleClickToRun is a simple shell script that determines whether the system is 32 or 64 bit, downloads a tar file to /tmp, untars it and launches a pre-compiled binary, XpressConnect-x64.
You can also launch XpressConnect-x64 directly by going to /tmp and running it.

Anyway, XpressConnect-x64 then makes sure that you have network-manager running, and tries to determine what your network card is. Based on this, /tmp/netdata.txt is generated. Once this is done, XpressConnect allows you to enter your credentials and sets up your network connection.
Well, that's what happens if you use ubuntu. On Debian (or Arch) you get an error message about 'network configuration' missing.

Delving a bit deeper into it, the binary fails to generate the netdata.txt on debian (and arch), and it seems to have to do with network-manager (or dbus, possibly).


The logs:
XpressConnect-x64 generates a log file (/tmp/xpressconnect.log).

On ubuntu it looks like this:
Looking for id : 266
Looking for id : 259
Setting start page.
Moving to widget 0.
Loading configuration page.
Starting configuration parse thread.
Acquire processing lock.
Building NIC data.
Starting configuration parser.
Validating checksum.
Checking license.
License validation checked out properly.
Today is : 04/19/2013
License expires :
The date validation checked out properly.
Checking for valid networks for this platform.
Only one network configuration found. Auto-selecting it.
Auto-selected network 'swinwifi'.
Interface : /org/freedesktop/NetworkManager/Devices/0 is in state 8
Interface : /org/freedesktop/NetworkManager/Devices/1 is in state 3
There were no interfaces found that could be autodetected for use. Checking that there are interfaces of the correct type available.
Found 1 possible interface(s).
Selected interface with object path of /org/freedesktop/NetworkManager/Devices/1
Int type : 2
Set profile index : 11
Going to page 3
Config parser terminated.
Set 'static' window labels.
---- Gathering Data ----
Parsing OS information...
Checking OS bit depth.
OS bits info : i686
OS is 32 bits.
Checking hardware information.
Looking for extra NIC data.
Found driver name for 'wlan0' from DBus. - Driver : rtl8187
Couldn't get capabilities from DBus, trying the hard way.
Attempting to release lock.
Release processing lock.
Set welcome banners.
Using DBus UUID for client ID.
Using DBus UUID for client ID.
Client ID : f3af3f95c2229c756e98556050ed0cc4
Session ID : 6980532961366355275
Upload value (1) : 0
Moving to widget 3.

And on Debian:
Looking for id : 266
Looking for id : 259
Setting start page.
Moving to widget 0.
Loading configuration page.
Starting configuration parse thread.
Acquire processing lock.
Building NIC data.
Starting configuration parser.
Validating checksum.
Checking license.
License validation checked out properly.
Today is : 04/22/2013
License expires :
The date validation checked out properly.
Checking for valid networks for this platform.
No valid networks found in the configuration.
Config parser terminated.
Failed to parse configuration.
Set 'static' window labels.
---- Gathering Data ----
Parsing OS information...
Checking OS bit depth.
OS bits info : x86_64
OS is 64 bits.
Checking hardware information.
Looking for extra NIC data.
Found driver name for 'wlan0' from DBus. - Driver : rtl8187
Couldn't get capabilities from DBus, trying the hard way.
Attempting to release lock.
Release processing lock.
Set welcome banners.
Using DBus UUID for client ID.
Using DBus UUID for client ID.
Client ID : fe88ef3cf6716df910e7fa570000000b
Session ID : 13542037211366584788
Moving to widget 9.
User clicked 'Retry' on the bad config widget.
Moving to widget 1.
Selected network 'swinwifi'.
Going to page 9
Adding page 1
Moving to widget 9.

The platform bit bothers me -- is it checking for ubuntu vs other distros?

XpressConnect then generates a file called /tmp/netdata.txt:
  *-network
       description: Ethernet interface
       product: 82540EM Gigabit Ethernet Controller
       vendor: Intel Corporation
       physical id: 3
       bus info: pci@0000:00:03.0
       logical name: eth0
       version: 02
       serial: 08:00:27:53:23:4c
       width: 32 bits
       clock: 66MHz
       capabilities: bus_master cap_list ethernet physical
       configuration: broadcast=yes driver=e1000 driverversion=7.3.21-k5-NAPI firmware=N/A ip=10.0.2.15 latency=64 mingnt=255 multicast=yes
       resources: irq:10 memory:f0000000-f001ffff ioport:d010(size=8)
  *-network
       description: Wireless interface
       physical id: 1
       logical name: wlan0
       serial: 00:11:a3:08:12:1d
       capabilities: ethernet physical wireless
       configuration: broadcast=yes multicast=yes wireless=IEEE 802.11bg

I also did a strace on both ubuntu and debian, but strace generates a lot of information. A major difference I observed was the presence of CLOCK_MONOTONIC in the ubuntu log, but this is to synchronize for the CA certificate (or something -- I don't know what I'm talking about). Anyway, it probably just indicates what we already know -- the binary doesn't detect the card on debian but it does on ubuntu.

ldd XpressConnect-x64 gives the following on ubuntu (32 bit):
linux-gate.so.1 => (0x006a3000)
libdbus-1.so.3 => /lib/libdbus-1.so.3 (0x007b3000)
libXrender.so.1 => /usr/lib/libXrender.so.1 (0x00c8b000)
libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x008b8000)
libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00da4000)
libXext.so.6 => /usr/lib/libXext.so.6 (0x00225000)
libX11.so.6 => /usr/lib/libX11.so.6 (0x00480000)
libz.so.1 => /lib/libz.so.1 (0x00110000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00125000)
librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0x00665000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x006f2000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00ac3000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x002d8000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00129000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x002fe000)
libexpat.so.1 => /lib/libexpat.so.1 (0x00148000)
libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00a12000)
/lib/ld-linux.so.2 (0x00637000)
libXau.so.6 => /usr/lib/libXau.so.6 (0x00c7a000)
libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x0096f000)

and this on debian (64 bit):
linux-vdso.so.1 => (0x00007fff50dfb000)
libdbus-1.so.3 => /lib/libdbus-1.so.3 (0x00007f2bbb807000)
libXrender.so.1 => /usr/lib/libXrender.so.1 (0x00007f2bbb5fd000)
libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x00007f2bbb3c7000)
libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007f2bbb13f000)
libXext.so.6 => /usr/lib/libXext.so.6 (0x00007f2bbaf2d000)
libX11.so.6 => /usr/lib/libX11.so.6 (0x00007f2bbabf1000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f2bba9da000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f2bba7d6000)
librt.so.1 => /lib/librt.so.1 (0x00007f2bba5cd000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f2bba3b1000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f2bba09d000)
libm.so.6 => /lib/libm.so.6 (0x00007f2bb9e1a000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f2bb9c04000)
libc.so.6 => /lib/libc.so.6 (0x00007f2bb98a2000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f2bb9679000)
libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00007f2bb945d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2bbba58000)
libXau.so.6 => /usr/lib/libXau.so.6 (0x00007f2bb9259000)
libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00007f2bb9054000)

Evidence of evil and a fix

The evidence
Here's a snippet of the strace output from ubuntu
2200 write(8, "The date validation checked out "..., 42) = 42
2200 write(8, "Checking for valid networks for "..., 47) = 47
2200 open("/etc/lsb-release", O_RDONLY|O_LARGEFILE) = 15
2200 read(15, "DISTRIB_ID=Ubuntu\nDISTRIB_RELEAS"..., 8191) = 104
2200 read(15, "", 8191) = 0
2200 close(15)

and here's Debian:
3079 write(8, "The date validation checked out "..., 42) = 42
3079 write(8, "Checking for valid networks for "..., 47) = 47
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 write(8, "No valid networks found in the c"..., 46) = 46
3079 close(11)

The evil is that it's highly misleading -- it's not checking for valid networks, it's checking whether you've got ubuntu. And it didn't fail to find a valid network -- it failed to find /etc/lsb-release.
Here's /etc/lsb-release from ubuntu
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.4 LTS"
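Spotting this by eye in a full strace log is tedious. As an added example (not part of the original post), the function below pairs each message a program writes with the files it failed to open just before writing it. The sample log is constructed and abridged from the two excerpts above; the function and file names are hypothetical.

```shell
# Added example: attribute an error message to the missing files behind it.
# Capture a trace with: strace -f -o trace.log ./XpressConnect-x64

# blame_writes LOG: for each write() that follows failed open()/openat()
# calls, print: <missing path> (x<count>) -> "<start of message>"
blame_writes() {
    awk '
        /(^|[ \t])open(at)?\(/ && /= -1 ENOENT/ {
            if (match($0, /"[^"]+"/)) {
                miss[substr($0, RSTART + 1, RLENGTH - 2)]++
                pending = 1
            }
            next
        }
        /(^|[ \t])write\(/ && pending {
            msg = ""
            if (match($0, /"[^"]*"/)) msg = substr($0, RSTART + 1, RLENGTH - 2)
            for (p in miss) printf "%s (x%d) -> \"%s\"\n", p, miss[p], msg
            split("", miss)      # portable way to empty the array
            pending = 0
        }' "$1"
}

# sample_trace: write the constructed log to a temp file, print its path.
sample_trace() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
2200 write(8, "Checking for valid networks for "..., 47) = 47
2200 open("/etc/lsb-release", O_RDONLY|O_LARGEFILE) = 15
2200 close(15) = 0
3079 write(8, "Checking for valid networks for "..., 47) = 47
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 open("/etc/lsb-release", O_RDONLY) = -1 ENOENT (No such file or directory)
3079 write(8, "No valid networks found in the c"..., 46) = 46
EOF
    echo "$t"
}

trace=$(sample_trace)
blame_writes "$trace"
rm -f "$trace"
```

The successful open from pid 2200 produces no output; only the message that follows the failed opens is reported.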

The fix
Debian doesn't have an lsb-release file, so I simply copied the /etc/lsb-release file from ubuntu to debian. Guess what? XpressConnect now works on debian!

And no, having an empty /etc/lsb-release file doesn't work. Also, editing it (replacing 'ubuntu' with 'debian') also causes XpressConnect to stop working.



Another 'fix' -- manual Configuration:
XpressConnect does not do more than set up your wireless connection i.e. sets the required settings and installs the CA certificate for your particular network. In other words, you can just manually configure your network and you'll probably be fine.

Unfortunately, I haven't found a URL for the CA cert for Swinburne, which is the example that I'm working with (based on a forum post)

I managed to extract most of that by running it in an ubuntu VM. Note that I am nowhere near Swinburne, not staff/a student there and actually can't test this to completion.
ubuntu -- apparently it's no longer brown...
The settings are:
Security: WPA & WPA2 Enterprise
Authentication: Tunneled TLS
Anonymous identity: anonymous
CA certificate: swinwifi.der
Inner authentication: PAP
Username: ***@swinburne.edu
Password: ******

You'll need swinwifi.der. Because it is in binary I can't easily post it. However, you can generate it from the .pem file which is in ascii armour:

openssl x509 -in swinwifi.pem -out swinwifi.der -outform DER

Put it in the folder ~/.certificates.

The md5sum should be
11843b7d38bc0b024e8356f11d4d7c42 swinwifi.der
I've also tried that java version of xpress connect.

Finally, do NOT as a rule download certificates from third parties! How can you trust that my intentions are good? At the moment your choice is between trusting me and Shuttleworth though...



Why bother?
Because an increasing number of university networks have adopted this -- frankly broken -- piece of software, I think it's of some interest to users of other distros to investigate whether there are any simple solutions. This in particular since not all uni networks have instructions for manual configuration anymore. Besides, a challenge is a challenge.



19 April 2013

392. Wheezy release date set

...assuming that nothing happens in between now and then of course. See here:
We now have a target date of the weekend of 4th/5th May for the release. We have checked with core teams, and this seems to be acceptable for everyone. This means we are able to begin the final preparations for a release of Debian 7.0 - "Wheezy".

While that's interesting, the real cause for excitement will of course be Jessie.

For those following testing instead of wheezy in their /etc/apt/sources.list, now might be a good time to replace all instances of testing with wheezy and install apt-listbugs in anticipation. Jessie might be a bit wobbly in the beginning...
