KDE Post Install Changes

I’ve started using KDE on Fedora 18 and there were a few annoyances I needed to deal with. They are listed in this post.

Enable Trackpad Clicking

Fedora tries to not change the default settings for upstream projects. KDE, by default (it appears), disables clicking from the Trackpad. It’s a quick fix. Read How to enable touchpad click.

An alternative method, that works for only one user at a time, is this:

Open System Settings > Input Devices (under Hardware) > Touchpad > Tapping. Check/enable “Enable Tapping”. Apply changes.

Open the file ~/.kde/share/config/kcmtouchpadrc and change TapButton1=0 to TapButton1=1. Log out and log back in. Clicking through Touchpad/Trackpad should now work.

Hat tip: Re: KDE touchpad mouse click not working

Disable Software Update Checking from Apper

I like to do my software management from the command line. Most times Apper interferes with this. So I disable a service that checks for updates.

Open System Settings > Startup and Shutdown (under System Administration) > Service Manager. In the list for “Startup Services” disable/uncheck and stop Apper Monitor. Apply your changes.

Install Fedora to USB Drive

I have been looking for a notebook to run Fedora for a while. But due to certain personal limitations I haven’t been able to dedicate a notebook only to it. So the next best thing was to create a Fedora installation on a USB pendrive and boot off it. A USB stick is easy to carry around and is great for quickly booting a computer into your customized OS environment.

There are two ways to accomplish this. One is to create a Live USB with persistent storage and the other is to install to USB drive just like you would to a hard drive. After spending about two days trying out various ways to first install and then use it, I prefer to do a complete installation over a Live USB. In this post I’ll discuss how to do both.

Edit: See Felipe’s comment below for caveats when using a USB drive in this manner.

Things You’ll Need

I had either a Windows or a Mac available. My instructions were created and tested on a Windows machine.

  • VirtualBox
  • USB drive; mine was 32GB
  • Fedora Live CD; I used Fedora 18 KDE version
  • Computer capable of booting from USB drive

I used VirtualBox and a Fedora VM to install Fedora to my USB stick. The same setup can be used to install Live USB and a full installation.

Install Fedora in a VM. Make sure to assign at least 2 GB of memory to the VM. This is very important. If you assign less, the VM may become unresponsive during installation and the installation will remain incomplete.

Install gParted as it will help you to format and resize the USB drive quickly.

su -c 'yum install gparted'

Install as Live USB

Insert the USB drive in your machine. Start your VM and attach two things to it: the Fedora ISO file and the USB drive. Open gParted and unmount the USB drive (it was identified as /dev/sdb1 in my VM). Create a single partition and format it as ext4.

Install livecd-tools package on your VM. It’ll give you the livecd-iso-to-disk command we’ll use later.

su -c 'yum install livecd-tools'

Now you’re ready to install. But before you proceed, there are a few caveats with data persistence.

  • Any changes you make, either new data or updates, will increase the usage of the disk, with space eventually running out.
  • The size of the live-rw partition, on which / is mounted, may only be 3GB. You’ll need an overlay to add more space.
  • Even though I created a 25GB data persistence overlay, I ran out of space when I updated Fedora on the USB drive after installation. I don’t know why.
  • You should not upgrade your kernel on the USB stick, ever! Seriously, once you are done with everything and you are running your Live USB, DO NOT upgrade your kernel. To prevent kernel upgrades, add the line exclude=kernel* to /etc/yum.conf file.

Because of these issues I did a complete installation and not a Live USB. Nevertheless, the next step is to run the command on your VM to create Live USB.

su -c 'livecd-iso-to-disk --overlay-size-mb 25000 --unencrypted-home --delete-home Fedora-18-x86_64-Live-KDE.iso /dev/sdb1'

Here I created a 25GB overlay for data persistence. I specifically created an unencrypted home for ease of use. I also deleted any previous /home partition if there was any (although since we used gParted to create a single partition that shouldn’t be the case).

If you want a separate partition for /home, divide the 25GB between overlay and /home.

su -c 'livecd-iso-to-disk --overlay-size-mb 15000 --home-size-mb 10000 --unencrypted-home --delete-home Fedora-18-x86_64-Live-KDE.iso /dev/sdb1'

This will take some time to complete. When it is done, shut down the VM and you are ready to boot from your USB drive.

Once you’re using your USB drive, the regular df -h will give you incorrect information about the space used by live-rw. Instead use dmsetup status live-rw to get more accurate information.

Install as Hard Drive

In this scenario you don’t need to install a Fedora VM. You just need the Fedora ISO and the USB stick attached to a VM. When you start the VM, boot from the ISO and start the installer. Instead of installing to a virtual hard drive of your VM, choose the USB drive as your installation destination. Perform a regular install. Again, it’s important to assign at least 2GB memory to the VM for a successful install. Once the installation is complete, shut down the VM and you’re ready to boot from your USB.

You can use this installation just like you would on a hard drive. You can update Fedora as much as you like, although it took approximately 12 hours to run my first update. Yeah, it can be really slow. But if you run regular updates afterwards it shouldn’t be that long.

Hat Tip

The only resource you need for detailed information is How to create and use Live USB.

Use Private Certificate Authority to Sign Certificate Signing Request on Linux

I’ll assume that you created a private CA using my tutorial. I also make the following assumptions before proceeding with the tutorial.

  • OpenSSL has been installed
  • CA private key is in /home/cg/myca/private/
  • CA root certificate is in /home/cg/myca/certs/
  • CA’s config file, caconfig.cnf, is in /home/cg/myca/conf/
  • serial is in /home/cg/myca/
  • index.txt is in /home/cg/myca/

Copy CSR

You should copy/download the CSR to /home/cg/myca/csr/ directory.

Sign CSR

Then run the following command to sign it.

openssl x509 -days 3650 -CA certs/crt.ca.cg.pem -CAkey private/key.ca.cg.pem -req -in csr/csr.server1.pem -outform PEM -out certs/crt.server1.pem -CAserial serial

You’ll be asked to provide the passphrase for the CA root certificate key. The final file, crt.server1.pem, is to be sent to the person who initiated the CSR. This is the final certificate they’ll use.
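Before sending crt.server1.pem back, it is worth confirming that it chains to your CA and carries the public key from the CSR you were given. The script below is an added example, not part of the original tutorial: it builds throwaway CAs and CSRs in a temporary directory and signs with the command above plus -sha256. The names ca1, ca2 and server2, the helper functions, demo.cnf and the 2048-bit unencrypted keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed for the demo.
WORK=$(mktemp -d)

# Minimal config so the throwaway CA certificates are marked CA:TRUE.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = CA:TRUE
EOF

# make_ca NAME: self-signed CA with an unencrypted 2048-bit key (demo only).
make_ca() {
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -subj "/CN=$1" -keyout "$WORK/key.$1.pem" -out "$WORK/crt.$1.pem" 2>/dev/null
}

# make_csr NAME: what the requester sends, plus the key they keep.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -subj "/CN=$1" -keyout "$WORK/key.$1.pem" -out "$WORK/csr.$1.pem" 2>/dev/null
}

# sign_csr CA NAME: the signing command from this page, with -sha256 added.
sign_csr() {
    [ -f "$WORK/serial" ] || echo '01' > "$WORK/serial"
    openssl x509 -req -sha256 -days 1 -CA "$WORK/crt.$1.pem" -CAkey "$WORK/key.$1.pem" \
        -CAserial "$WORK/serial" -in "$WORK/csr.$2.pem" -outform PEM \
        -out "$WORK/crt.$2.pem" 2>/dev/null
}

# check_issued CA_CERT CERT CSR: prints OK only if CERT chains to CA_CERT
# and carries the same public key as CSR.
check_issued() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ] \
        || { echo "public key: MISMATCH"; return 1; }
    echo "OK"
}

make_ca ca1; make_ca ca2
make_csr server1; make_csr server2
sign_csr ca1 server1

echo "right CA, right CSR: $(check_issued "$WORK/crt.ca1.pem" "$WORK/crt.server1.pem" "$WORK/csr.server1.pem")"
echo "wrong CA:            $(check_issued "$WORK/crt.ca2.pem" "$WORK/crt.server1.pem" "$WORK/csr.server1.pem")"
echo "wrong CSR:           $(check_issued "$WORK/crt.ca1.pem" "$WORK/crt.server1.pem" "$WORK/csr.server2.pem")"
```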

Generate Certificate Signing Request on Linux

You create a CSR and have it signed by a CA before you can use a certificate. This tutorial is a continuation from my tutorial on creating a CA. However, you do not need to create a CA to generate a CSR.

Install Prerequisites

I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.

su -c 'yum install openssl'

Create Directory Structure

mkdir /home/cg/mycert

cd /home/cg/mycert/

mkdir private conf csr

We will run all commands by default in the /home/cg/mycert directory, unless stated otherwise.

Config File

vim /home/cg/mycert/conf/serverconfig.cnf

This file would serve as the config file if you wish to use it. An example file is below.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/mycert/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha256 # SHA-1 signatures are rejected by current clients
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Generate CSR

You can use the config file (serverconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in serverconfig.cnf.

openssl req -new -config conf/serverconfig.cnf -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

If you want to provide your own custom values you may run the following command instead.

openssl req -new -newkey rsa:4096 -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

You will be asked relevant questions. Following is an example output of the process.

Generating a 4096 bit RSA private key
..............................................................................++
.................++
writing new private key to 'private/key.csr.server1.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (city, district) [New York]:
Organization Name (company) [Code Ghar]:
Organizational Unit Name (department, division) [IT]:
Common Name (hostname, FQDN, IP, or your name) [CGIT]:
Email Address [codeghar@example.com]:server1@example.com

Two files, key.csr.server1.pem and csr.server1.pem, will be created in $dir/private and $dir/csr directories respectively. Keep these files in a safe location and back them up.

You will submit csr.server1.pem to the CA who will sign it. The CA will sign the file and return the resulting file to you. That will be the certificate you will finally use.

Create Private Certificate Authority on Linux

This tutorial will show you how to create your own private CA or Certificate Authority. This will give you the opportunity to sign your own certificates without having to pay someone else. However, since your private CA will not be trusted by others it may prompt warnings when others use it. You will need to add your root certificate to the machines you want to trust your CA.

I had written a similar article in 2008 (Create a Certificate Authority and Certificates with OpenSSL) but this tutorial supersedes the instructions for creating CA in the older one.

Install Prerequisites

I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.

su -c 'yum install openssl'

Create Directory Structure

mkdir /home/cg/myca

cd /home/cg/myca/

mkdir private certs newcerts conf export csr

echo '01' > serial

touch index.txt

We will run all commands by default in the /home/cg/myca directory, unless stated otherwise.

Config File

vim /home/cg/myca/conf/caconfig.cnf

This file would serve as the default config file for the CA. It should look something like the following:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha256 # SHA-1 signatures are rejected by current clients
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Thanks to http://wwwneu.secit.at/web/documentation/openssl/openssl_cnf.html for helping with this file.

Generate Root Certificate

You can use the config file (caconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in caconfig.cnf.

openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

Although we specified the default number of days in the caconfig.cnf file, we still have to specify the days flag when using the x509 flag. If we don’t, the certificate is created with the default validity of 30 days. Thanks to Re: default_days problem and OpenSSL req(1).

If you want to provide your own custom values you may run the following command instead.

openssl req -new -x509 -days 3650 -newkey rsa:4096 -extensions v3_ca -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

You will be asked for a passphrase. Make sure you use a secure passphrase and don’t forget it. You will also be asked other relevant questions. Following is an example output of the process.

Generating a 4096 bit RSA private key
..............................................................................++
...........................................................................................................................................................................................................................................++
writing new private key to 'private/key.ca.cg.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (city, district) [New York]:
Organization Name (company) [Code Ghar]:
Organizational Unit Name (department, division) [IT]:
Common Name (hostname, FQDN, IP, or your name) [CGIT]:
Email Address [codeghar@example.com]:

Two files, key.ca.cg.pem and crt.ca.cg.pem, will be created in $dir/private and $dir/certs directories respectively. Make sure you keep these files in a secure place and back them up.

crt.ca.cg.pem is your root certificate and will be used to sign all the other certificates.

Verify Root Certificate

You should verify that the certificate was created properly with accurate information.

openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text
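Reading the -text output by eye is easy to get wrong, so the properties that matter can be checked mechanically: the certificate is marked CA:TRUE, its self-signature verifies, and it really has the lifetime you asked for rather than the 30-day default mentioned earlier. The script below is an added example, not part of the original tutorial; the cut-down config, the subject, the helper names and the 2048-bit unencrypted keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: subject, paths and key size are constructed for the demo.
WORK=$(mktemp -d)

# Cut-down caconfig.cnf: default_days sits in [ CA_default ], which "req" does not read.
cat > "$WORK/caconfig.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 3650
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
commonName = Constructed Demo CA
[ v3_ca ]
basicConstraints = CA:TRUE
EOF

# make_root OUT [extra req options]: self-signed root, unencrypted key (demo only).
make_root() {
    out=$1; shift
    openssl req -new -x509 "$@" -newkey rsa:2048 -nodes -config "$WORK/caconfig.cnf" \
        -keyout "$WORK/key.$out.pem" -out "$WORK/crt.$out.pem" 2>/dev/null
}

# outlives CERT DAYS: true if CERT is still valid DAYS days from now.
outlives() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_root CERT MIN_DAYS: what to confirm before exporting a root certificate.
check_root() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA"; return 1; }
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || { echo "bad self-signature"; return 1; }
    outlives "$1" "$2" || { echo "expires too soon"; return 1; }
    echo "OK"
}

make_root short               # no -days: falls back to the 30-day default
make_root long -days 3650     # the form used in the tutorial
echo "without -days: $(check_root "$WORK/crt.short.pem" 3649)"
echo "with -days:    $(check_root "$WORK/crt.long.pem" 3649)"
```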

Export Root Certificate

Since this newly created CA and its root certificate are not recognized and trusted by any computer, you need to import the root certificate on all other computers. By default an OS will have a list of trusted CAs and you need to import your CA to that list. The process varies for different OSes.

Windows

The root certificate we created is in PEM encoded format. For Windows we need it to be in DER encoded format. A great resource on the differences between the two is DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them.

openssl x509 -in certs/crt.ca.cg.pem -outform der -out export/ca.cg.crt

Verify the certificate was created successfully.

openssl x509 -in export/ca.cg.crt -inform der -noout -text

Once you have the exported file, copy it to your Windows machine. You can follow the instructions provided by How To Import a Trusted Root Certification Authority In Windows to import the certificate to the Trusted Root Certification Authorities store on Local Computer.

You can also export the certificate to PKCS12 format. Thanks to Importing a User Certificate to the Windows Certificate Store for this information.

openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem

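You will be asked to provide the passphrase you used to create the root certificate. You will also be asked for a new “Export Password”. Because the command passes -inkey, the resulting .p12 file contains the CA private key as well as the certificate, so protect it as you would the key itself. A machine that only needs to trust the CA needs just the certificate, which the DER export above provides.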

Copy the .p12 file to Windows and double-click it. A wizard will open and guide you to install it.

Conclusion

The process to create a CA is very simple. Next I will write about signing a certificate request.

Further Reading

Linux Ecosystem is Less About Technology More About Ideas

I was watching The Real Story Behind Wayland and X, a talk by Daniel Stone. The way he described the X server, we had been using a terrible piece of technology for years (still are). Linux had an inferior product doing critical things for the user. There were developers trying to fix its issues but were hindered by many other issues. A fresh start was needed and Wayland it was. It could even have been Mir.

My epiphany was that it’s not about a particular piece of technology. Its design or implementation could be highly undesirable but it keeps doing something useful-ish. The Linux ecosystem encourages you to fix the issues in existing technology or start from scratch. In the long run the Linux ecosystem is all about getting to a perfect OS from a technological standpoint. The users and developers should be prepared to throw everything out. That’s what innovation is all about. Of course, you’ll lose a few features here and there but that might not always be a bad thing. There’s more work to do when building something new and it takes longer to complete it. But at the end of the day, after all the pain and suffering, something beautiful and useful does emerge.

Letting go of X was a simple decision. These decisions may not always be as simple in other situations. But we should support those who want to improve things for everyone.
