My Keepass2 setup with Android, Firefox and sync

Motivation

A couple of weeks ago I read another article about a major security breach of a big online service and finally decided that I need a separate password for every service I'm using. Up until then, I always used about 6 passwords for online stuff. More important sites got one of the better passwords, irrelevant sites one of the poor ones, but a lot of sites shared passwords. Since I try to use only three user names (private, gaming and work) if they are available, it wouldn't have been too hard to try the password stolen from service X on service Y with a decent chance of success.

It's not my first try to use a central application for my passwords, but all failed because of trust or usability. I want to be able to use this on all my computers, on my mobile and on the go, so I needed a synced solution. There are a few around, but I don't trust this kind of data hosted on a server that's not mine. So this is the first solution that was comfortable to use and secure for my needs. All the tools here are open source, which doesn't make them secure by itself, but we can hope there are people checking them out. 🙂

I’ll show mostly my setup, all the tools described here are heavily customizable, so check all the options after the initial setup to adapt them exactly to your needs. But this will hopefully get you started.

KeePass

First we need to install KeePass2. There are versions for the major operating systems on their website, I tried Linux (used the packages shipped with Ubuntu) and Windows.

Create a new database

Now that we installed KeePass, we’ll first need to create a new database. After selecting where to save it, we’ll have to put in a master password. Obviously, this should be one of the better kind. I didn’t check out the possibilities of a key file or testing the existence of a USB drive, since it would be a problem for portability of the solution.

(src xkcd, CC BY-NC 2.5)

After putting in the password, it was asking for a few settings. Since I was fine with the standards, the KeePass file was created with a few sample entries. We can delete the samples and save it now.

Create a new password, e.g. 32 characters long.

To try it out, we could generate a new password (Tools -> Generate Password). I prefer to use A{32} as a pattern, which creates 32 lower and upper case letters and numbers. (I guess that is security-wise dumb to tell, so I might change it in the future. ;)) It'll create a blank entry in the database with a random password. If you edit it, you can add a user name, but also a URL (later useful for Firefox integration), custom notes, an icon and a lot of other fields.

Update: I changed that to use special characters as well.

If we want to login now, we can select the entry and press Ctrl-C to copy the password into the clipboard for a few seconds. If you want to copy the user name, use Ctrl-B and Ctrl-U will open the saved URL for you.

KeeFox: Firefox Integration

To make this far more comfortable to use, we should integrate this into our browser. Since I use Firefox at the moment, I used KeeFox for that, but there are supposed to be plugins for other browsers as well. KeeFox can fill out your forms automatically and save new passwords directly into KeePass, just like the internal Firefox password manager did. Running Windows, this is a breeze. Install KeeFox from Mozilla's Add-on page, restart Firefox and follow the instructions. It'll copy the KeeFox plugin into your KeePass directory. After restarting KeePass and maybe Firefox as well, you'll get a connection window asking you for a code and another one showing it to you. (Just to make sure that nothing connects without your consent.)

Linux users have a slightly harder time. On Ubuntu, you'll need to install mono-complete for KeeFox to work; other distributions will have similar meta packages for a complete Mono installation. (If anybody knows exactly which packages are necessary, I would appreciate a comment, all the howtos simply install mono-complete.) The installation is covered in pictures very well on sysads.co.uk, so I will not write it down here again. 🙂

KeeFox asks if I want to save the password in my KeePass database

Now that we should be connected, we could try out logging in somewhere and saving the password. I’ll login to my blog backend and on the top of the screen KeeFox asks me if I want to save the password.

Editing an entry created from KeeFox

If we save, the entry appears in KeePass with the favicon of the page (my blog doesn’t have one) and title, user name, password and URL already filled. Sometimes it makes sense to change the URL or title, but mostly you are good to go and don’t need to edit anything. If you log out and open the login dialog again, the fields will be filled out and you only need to click the login button.

Sync with OwnCloud/Nextcloud

After the first two parts, we should have a comfortable setup for one computer. But most of us have more than one computer and want to use passwords all across them. Since I already use ownCloud (or rather now Nextcloud), I wanted to save the password database there. The server is administrated by myself, so I’m pretty sure that only I can access the data there. (Barring big security holes in PHP, bash, SSL, …) If you want to install it as well, you can follow the official documentation, but keep in mind that you’ll have to take care of security of the installation as well. In case you want to do this with Dropbox, you’ll have to trust them enough (whyever) and it should work just the same, I guess.

Password database in ownCloud

If you copy the password file anywhere in your local ownCloud (client) directory, the client will automatically sync it to the server. Now open the database file again from the ownCloud directory, every change you’ll make will be synced again. But since my password database is only about 50kb (I’m still migrating sites to the new password whenever I log in and have a minute), it’s no problem with nearly all internet connections.

When you now set up KeePass and KeeFox on a second computer (with ownCloud installed of course), you can open the database file from the local ownCloud directory and always get a current version of the database. I set up KeePass so that it closes the database after a certain time of inactivity, so I never expect two KeePass instances adding new entries at the same time. But if you work with two computers side by side, make sure to save the database after adding a new entry and to reopen it on the second computer before making any changes there, otherwise one of the two copies will overwrite the other's changes.

Update: I switched to Nextcloud, but that doesn't change the process here at all. I also discovered there is an app for Nextcloud to open your KeePass database in the browser, Keeweb for Nextcloud. Download the latest release and install it like any other Nextcloud app. Then you can access your passwords more easily, even when you aren't at your own computer. Obviously you should only do that on trustworthy computers.

Keepass2Android: Android App

Now we should have a password store integrated with Firefox that is synced between our computers. Today smartphones are also used to connect to lots of services, each needing its own password. I for example need my Amazon password from time to time, to buy something while sitting in public transport. Instead of typing it in with people looking over my shoulder, I copy and paste it out of my password database now.

To do so, we can use Keepass2Android. Since the Android ownCloud client didn’t work well for me for keeping files local and updated, we connect directly via WebDAV to our ownCloud installation. Choose to open a password database:

Open a database on Keepass2Android

There are a lot of services to connect to, but to connect to the ownCloud instance, we should use HTTPS and add the following (adapted) URL: https://owncloud.server.com/remote.php/webdav/path/to/the/pw.kdbx

Login with optional quick unlock feature

Put in the username and password of your ownCloud installation, and then the password for your database, and you should be good to go. You can activate quick unlock, which doesn't lock the database completely: you only need to input the last three characters of the password to access it until you close the database manually (at the latest at a reboot). If you don't mind the reduced security, it's a nifty feature.

The KeePass groups in the Android app

After login you'll get a list of all your passwords and groups. If we choose the Amazon password entry, Keepass2Android will show two new entries in Android's notification area (next to the one that is already there because the database is open):

The username and password can be put into the clipboard from the notification screen

Those entries enable you to switch to your browser, pull down notifications, copy the password (or username) directly from the notification area and paste them into the website. According to Keepass2Android there is a risk that other apps might read data from your clipboard, so the alternative is to use the special Keepass2Android keyboard instead of the copy and paste solution. Whatever you decide.

Update: I switched to the integrated keyboard Keepass2Android provides. Whenever I open an entry, a dialog pops up that lets me switch the keyboard to a special keyboard that lets me access username and password with one button each. After closing the database, the keyboard switches back to my default one.

Backup

I hope that we have a comfortable synced password solution now, that we can access from our Android mobile as well. My last fear now was, what happens if the database gets deleted or corrupted in some way? In theory there is an ownCloud feature to keep old versions of a file around. But I don’t trust that. I want to have a backup with more than one version simply in my computers (or home servers) filesystem.

If you use Windows (or don't want to use self-written scripts on Linux), I recently stumbled over Duplicati, an open source GUI backup tool that also supports WebDAV. I'm sure it wouldn't be hard to set up a backup job to save a copy of the password file from the ownCloud (WebDAV) server.

But I didn't try it yet and I prefer this simple solution I can easily and completely understand. I created a very short script using cadaver (a command line WebDAV client). Create a directory, e.g. ~/.pwdatabase-backup, where you want the file saved and adapt the following script to your needs. I called it ~/bin/pwdatabase-backup.sh:

#!/bin/bash

# abort if the backup directory is missing, so rm never runs somewhere else
cd ~/.pwdatabase-backup || exit 1
# remove a leftover copy from a previous failed run (no error if it is absent)
rm -f pw.kdbx
# cadaver reads the WebDAV credentials from ~/.netrc (see below)
echo "get pw.kdbx" | cadaver https://owncloud.server.com/remote.php/webdav/directory/of/database/
# keep every downloaded version under a timestamped name
mv pw.kdbx pw.kdbx-$(date +%Y-%m-%d_%H%M%S)

After that we still need to save our ownCloud access data in a file ~/.netrc: (If you are more paranoid than I am, create a dedicated user just for the backup task.)

machine owncloud.server.com
login foo
password bar

Make sure to make the script executable and the .netrc as well as the backup directory only accessible by you:

lenfers@waxford:~$ chmod +x ~/bin/pwdatabase-backup.sh
lenfers@waxford:~$ chmod 600 ~/.netrc
lenfers@waxford:~$ chmod 700 ~/.pwdatabase-backup/

Last but not least, add a cronjob to run this script. This will run every hour at the 42nd minute. Run 'crontab -e' and put the following line in the editor that opens:

42 * * * * /home/lenfers/bin/pwdatabase-backup.sh

You’ll now get files in your backup directory named like pw.kdbx-2014-10-12_193002 every hour. If you want the script to run at different intervals, check out a cron howto.
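A hardened variant of the backup job above, added here as an example and not the script from the post: it refuses to archive anything that is not a KeePass 2 database (checked against the fixed 8-byte KDBX file signature, so an HTML error page or a truncated download is never kept as a "backup"), and it prunes old versions so the directory does not grow forever. The WebDAV URL, the KEEP count and the "run" argument are my assumptions; credentials still come from ~/.netrc exactly as described above.

```shell
#!/bin/sh
# Added example, not the script from the post: fetch the database over WebDAV,
# keep it only if it really is a KeePass 2 database, and prune old versions.
# Credentials come from ~/.netrc exactly as in the post.
set -eu

WEBDAV_URL="https://owncloud.server.com/remote.php/webdav/directory/of/database/"  # assumed
DB_NAME="pw.kdbx"
BACKUP_DIR="${HOME:-.}/.pwdatabase-backup"
KEEP=48   # assumed: hourly cron job, so two days of versions are kept

# A KeePass 2.x (.kdbx) file starts with the 8-byte signature 03 D9 A2 9A 67 FB 4B B5.
# Succeeds only for a non-empty file carrying that signature.
check_kdbx() {
    f="$1"
    [ -s "$f" ] || return 1
    sig=$(od -An -tx1 -N8 "$f" | tr -d ' \n')
    [ "$sig" = "03d9a29a67fb4bb5" ]
}

# Delete all but the newest $2 copies named <db>-YYYY-mm-dd_HHMMSS in directory $1.
# The timestamp sorts lexically, so the oldest files come first. Prints how many were removed.
rotate_backups() {
    dir="$1"; keep="$2"; removed=0
    total=$(ls -1 "$dir" | grep -c "^${DB_NAME}-" || true)
    excess=$((total - keep))
    if [ "$excess" -le 0 ]; then
        echo 0
        return 0
    fi
    for f in $(ls -1 "$dir" | grep "^${DB_NAME}-" | sort | head -n "$excess"); do
        rm -f -- "$dir/$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Download under the plain name, verify, then rename to a timestamped copy.
# A failed download leaves nothing behind and makes the job exit non-zero,
# which cron reports by mail.
fetch_backup() {
    cd "$BACKUP_DIR"
    rm -f "$DB_NAME"
    printf 'get %s\n' "$DB_NAME" | cadaver "$WEBDAV_URL"
    if ! check_kdbx "$DB_NAME"; then
        echo "$DB_NAME: download failed or not a KeePass 2 database" >&2
        rm -f "$DB_NAME"
        return 1
    fi
    mv "$DB_NAME" "$DB_NAME-$(date +%Y-%m-%d_%H%M%S)"
}

# Only act when called with "run" (cron line: 42 * * * * /home/lenfers/bin/pwdatabase-backup.sh run),
# so the functions above can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    fetch_backup
    rotate_backups "$BACKUP_DIR" "$KEEP" >/dev/null
fi
```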

Conclusion, Security opinion and Todo

We should have installed and used the following software by now:

You should now have the possibility to create a password per webpage and sync it between different computers and mobile phones. If you haven’t done so, I would recommend to change a few passwords from sites that are important to you into long automatically generated ones. The password file should be in a lot of places, just in case it gets corrupted (which didn’t happen to me, I’m just cautious.)

I'm by far no security expert, but I want to provide you with my view on how secure this setup is. It shouldn't be good enough for missile launch codes (but might be) or if you are in a position where you might be targeted directly (instead of being one among many victims of a site hack). If someone were to break into your cloud account, they would only need to crack your KeePass master password offline and would get access to all your accounts! Since I don't expect to be targeted directly (shouldn't have said that, should I? :-)) this will immensely increase security for me, because the damage resulting from big hacks on websites won't affect me anymore outside of the hacked site. Also brute force attacks on my online accounts should be far harder now. Last but not least, I use two factor authentication as much as possible.

Update: Keeweb added in the cloud section. In the future I want to look into integrating a web interface into ownCloud (maybe based on WebKeePass?) so I could access my passwords more easily from a friend's computer without having to copy them manually from my mobile's screen, but I'm not sure when I'll find time for that. If anybody has a working solution or good hints on how to do that easily, I would appreciate a pointer.

I hope this helped you to switch from a small array of simple to medium passwords to a system of one secure password per site. Any feedback is appreciated!


Tiny Tiny RSS: More open source Google Reader alternatives

I posted about selfoss last week, an open source and self-hosted RSS reader as an alternative to Google Reader. After installing it and posting about it, I stumbled across an even more feature-rich piece of software: Tiny Tiny RSS. Despite the name, TTRSS really isn't tiny; its features are for example:

  • Very good import from Google Reader (OPML import and export).
  • Nice clean AJAX interface, as well as a mobile interface and mobile apps.
  • Keyboard shortcuts.
  • Easy installation, requires PHP & MySQL.
  • Multiuser support.
  • Plugin support.
  • Multiple language support.
  • Filtering and scoring, I'm quite curious if I find a cool use for that feature.
  • API to access it with other services, for example desktop clients.

Tiny Tiny RSS Screenshot

Installation is quite easy, the official documentation should be sufficient to get you going. After installation you might want to do one or more of the things I did:

First I got my Google Reader data imported: export your feeds from Reader and extract the subscriptions.xml from the archive. You can upload it to ttrss in the settings dialog under Feeds, OPML. Next I activated some plugins under Settings and Plugins. I activated the Google+ sharing plugin and the mail plugin, but there might be others that could be useful to you. After that I installed a plugin for Chrome to be able to subscribe to feeds directly from the browser. Install the plugin and open the plugin's settings to add "http://yourservername/public.php?op=subscribe&feed_url=%s" as a service. Firefox users might want to check this article instead. If you prefer a more Google Reader-like interface, check in this forum, there are lots of CSS snippets going around that try to accomplish that.

And I guess that’s it, ttrss is filling the hole Reader left quite well for me. My workflow hasn’t changed much and the differences might prove to be valuable additions in the future. I’m very curious what kind of plugins the new users create and what more they are going to do with the API. What are you using as a feed reader now?


selfoss: Self hosted alternative to Google Reader

Screenshot of selfoss with the special source to get the full article in the heise feed

Update: I switched to Tiny Tiny RSS, which already has far more of the features I wanted; I also blogged about my experiences.

Since Google Reader announced that it is going down, lots of articles describing alternatives came up. I wanted to host my own RSS-Reader for some time so this was the final reason to do it. Since I couldn’t make Newsblur work on my own host last time I tried it, I tried selfoss which is a great deal easier. Here are my first impressions of selfoss:

  • Nice user interface, even on my android phone.
  • Got keyboard shortcuts very similar to Google Reader.
  • Not only RSS sources but some special sources to get full content of sites that only have a teaser in their RSS feed.
  • The article text is divided into three panes much like a newspaper.
  • Easy to install (only PHP needed, MySQL optionally.)
  • At the moment there is sadly no way to read by feed, only by category or tag. Hope this will be integrated in the future. I would like to be able to have a view just like in Google Reader, where I can view whole categories but also a single feed from the category. But I’m managing by creating categories with only one feed in them.
  • I’m also missing an option to automatically mark an item read when I open it.

So selfoss isn't a perfect solution for me, but I might try and add some of the missing features myself, and I bet after today's news more users will use and therefore enhance it. If you just want to install it on your hoster without MySQL, it is really simple. To let it run on my Ubuntu server I had to enable the rewrite and headers modules and create a cronjob for the updates:

sudo a2enmod headers
sudo a2enmod rewrite
sudo service apache2 restart
# sudo applies to echo only, not to the >> redirect, so write the cron file through tee instead;
# -q -O /dev/null discards the fetched page instead of saving a file named "update" every run
echo "*/5 * * * * nobody wget -q -O /dev/null http://your.domain/selfoss/update" | sudo tee -a /etc/cron.d/selfoss

Update: If you are running on a Debian with default settings or get a 500 server error on other distributions, try to add "AllowOverride All" in your webserver/vhost config. (source)

I’m running it with MySQL and authentication with this configuration file (config.ini in the selfoss directory):

db_type=mysql
#db_file=data/sqlite/selfoss.db
db_host=localhost
db_database=selfoss
db_username=selfoss
db_password=YOUR_DB_PASS
db_port=3306
logger_level=ERROR
items_perpage=50
items_lifetime=400
base_url=
username=username
password=YOUR_PASSWORD_HASH
salt=YOUR_RANDOM_SALT
public=
rss_title=selfoss feed
rss_max_items=300
rss_mark_as_read=0

Changed remote layout for my samsung tv with kodi/xbmc

When you connect the Raspberry Pi with Raspbmc (or OpenELEC or probably any Kodi distribution) to a CEC enabled TV like my Samsung UE40ES6710, it is possible to control it directly with the TV remote without the need for another remote and the quest to find a working IR receiver. Sadly some buttons on the remote were not mapped in a useful way with my TV. For example the exit button quits all menus, while the return button closes only the current one. Those two were switched while using Raspbmc, which is quite confusing and annoying.

You cannot map all keys, because the TV keeps control of some of the keys like volume control or switching source. I put all the keys that I might want to change (and that can be changed) into my config file and set them up or deactivated them. (The red button was always trying to load the PVR addon, which I don't use at the moment.) The config can be found in ~/.xbmc/userdata/keymaps/remote.xml, which you usually have to create manually. It overrides the default config in ~/.xbmc-current/xbmc-bin/share/xbmc/system/keymaps/remote.xml. You can check out the default config for inspiration, but you should only add your changes to ~/.xbmc/userdata/keymaps/remote.xml since they might be overwritten otherwise. There is also a list of actions you can use on the XBMC wiki.

This is what my config looks like at the moment:

<!-- general key mappings -->


<!-- return -->

<!-- exit -->
ActivateWindow(shutdownmenu)
<!-- pre-ch -->
FullScreen
<!-- guide -->

<!-- chlist -->

XBMC.ActivateWindow(Favourites)

<!-- color keys -->

ToggleWatched
ContextMenu
Info

<!-- keys during video playback -->

<!-- return -->

<!-- exit -->
ActivateWindow(shutdownmenu)
<!-- pre-ch -->
FullScreen
<!-- guide -->
RunScript(script.xbmc.subtitles)
<!-- color keys -->

subtitledelay
ContextMenu
Info

Download remote.xml

I tried to emulate my TV's return/exit behavior by opening the shutdown menu on exit. The important context menu action is on the yellow key (since it is labeled with "C" on my remote) and I put the info action next to it on the blue button. I also switched some other stuff around, but you don't really need it. The important buttons you need (which mostly were mapped in the default setting) are cursor keys, ok, back, play/pause/stop and the context menu. Then you should be able to control your XBMC very well; everything else is shortcuts like the info button or the button to toggle whether you saw a video already.


Switch from Unity to XFCE

I tried using Unity since Ubuntu removed Gnome2. I don't like Gnome3 so I stuck with Unity for quite some time, hoping I would get used to it. But I did not, and bugs that hide the dock depending on uptime (Bug) really pushed me over the edge to look elsewhere. (I'm ashamed to admit I rebooted my computer many times before I even took the time to research it.)

Now I switched to XFCE 4.10 with a gnome-session for keyring and nautilus, which I prefer to Thunar. (This German tutorial was helpful in achieving this.) I added a dock with Avant Window Navigator and changed a few key bindings. Now I'm nearly happy, there seems to be only one thing missing: I would like to have AWN react to Win+1…9 like the dock does on Unity or Win7.

Screenshot: switch from Unity to XFCE

This is what my left screen looks like. I think it looks nice and it is a useful, more traditional setup compared to Unity.


XBMC in my car

Today I went through my things looking for a device with composite video output, since that is (in 2012!) the input the display in my Seat Altea XL understands. The only and yet so fitting thing I could find was my Raspberry Pi. I installed Raspbmc (an XBMC specially prepared for the Raspi) on an SD card, plugged the audio and video cables into the car, added power through a 12V adapter in the car and booted away. The result can be seen in the pics at the end. The Raspi doesn't need much power (~0.7-1.0A), stays cool and has no moving parts, making it perfect for usage in a car. Of course if you don't connect audio to the car, you can just use headphones instead, so you could watch something in the back while listening to music on your car's stereo. (Preferably deactivate sound on the speakers in the back, but that isn't a problem.) Next thing on my list is a remote. I have an ATI/X10 USB remote lying around somewhere that is supposed to work out of the box.


100% CPU usage with vdr and epgsearch

A few days ago I noticed that my server is at 100% CPU utilization, caused by vdr. I found out that epgsearch, a plugin to automatically schedule recordings, was at fault. To make a long story short, the solution is quite simple: I accidentally removed localhost from /etc/vdr/svdrphosts.conf, which caused the plugin problems. Simply add 127.0.0.1 to the file and you should be good again. (Thanks to umaier@vdr-portal for the solution!)


My first look at Google Events

I just created an event on Google+, since I invited some people over and I wanted to try it. First, I find it visually really cool, the animated images already there look very nice and you can of course upload your own.

Google wanted to structure "Events" in three phases. Firstly before the event, in the planning stage: date, place (with integration into Calendar and Maps of course), RSVP (you can invite people without Google accounts as well) and I guess discussion. It is nothing you couldn't do via mail, but getting directions with one click and having everybody included in the discussion (nobody forgetting to answer to all recipients) is a nice bonus. All in all, the first part is of course a necessity, but done well.

The second stage is during the event. You can activate "Party mode" on your smartphone and all the images you shoot during that time are automatically added to the event. I don't really see the big use in this, I could just upload my photos later. Since everyone who could see the images is at the event, there is no need to look at photos in real time in my opinion… Seems useless to me, but maybe I'm missing something here.

What I liked was the third phase: afterwards everyone can upload all of their photos to the event and all participants (and only participants in the default setting) can see them together chronologically. That's a sooo simple but nice thing. Normally if you get photos from friends after an event, they are usually numbered differently to yours, so you would need to (hopefully automatically) rename them into some date-time scheme to mix them with yours or just leave them in a separate folder. In Events you can see them all, but you can also filter by author if you want to see only photos a specific friend took. This is something I look forward to. I just hope there will be a download feature as well, because even though I like to have a few pictures online, I always want to have a copy on my hard drive.

I still have to find out how it works for people without a Google account, but I guess they get an RSVP mail with the details and a link to RSVP. I think that's a good enough solution.

During the streaming of the Google I/O keynote yesterday I thought this is an unnecessary and dumb feature. And maybe it is unnecessary (especially for people like me, where a lot of friends don't have Google+ accounts or don't use them), but it is surely not done dumb. Instead Google put some thought into what might be useful and did it in a visually nice way as well. Looking forward to using it for a few occasions. (Videos and more on Google's official Events page)


Sluggish Ubuntu during disk I/O solved

I finally found a solution for the most annoying Linux problem I had for years! 🙂 TL;DR: the system is now far more responsive during disk I/O with the lowlatency kernel, source: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/131094/comments/390

I have a linux box (waxford) that is used as a home server for all my needs at home (media, file server, dev server, backup, …) but also as an always on desktop. It’s an old (by current standards) AMD 4450e with 2×2.3Ghz and 3GB RAM and a (software) RAID5. If I remember correctly, I installed it as an Ubuntu 08.04 server and upgraded up to 12.04 over time.

The problem was, that after one of the updates the machine was unusable as soon as some disk I/O happened. Playing MP3s while running updatedb, installing updates or starting Thunderbird was impossible and the mouse would stand still for seconds. Very annoying and embarrassing. 🙁

Yesterday I read a comment in the bug report for that problem, which I have been subscribed to for years as well, with a possible solution. As described there I switched from the server kernel to the lowlatency kernel. That surely brings some throughput penalties in benchmarks, but in real-life usage my machine is usable again. It doesn't feel sluggish at all. I'm really happy about that simple solution.

The bug has existed since 2007 and still isn't officially closed. In roughly 13 years of using Linux, little annoyed me as much as this did. I had to fight with so many drivers and incomplete implementations of stuff; after all it's free software, I'm free to extend it or not to use it. But this drove me crazy: in a lot of ways my Linux desktop in e.g. 2004 was far more usable than my way more powerful machine during the last few years.


Mozilla / Thunderbird Update Service

Thunderbird and Firefox are updating very frequently with their new policy. Since we need a few special addons for SOGo, it was quite hard to make sure our users didn't use the automatic update to a newer version. To make the update to Thunderbird 10.0 ESR smoother and make sure we control future updates, I wanted to have an update server for Thunderbird. (Works with Firefox and other Mozilla products as well.) Since the documentation was quite thin and there wasn't an easy ready-made solution, I'll try to provide ours. We are going to use only Mozilla's long term releases (ESR), so we only need to add security updates and every year a new Thunderbird version. I'm not sure how comfortable this is going to be if you need to manage a lot of updates.

Sources are a lot of googling and especially the following links:

To set up the Thunderbird update service, I wrote a simple PHP script. I set up an Apache virtual host for this task, but a sub directory surely works as well. Make sure that in the Apache config for this directory the following settings are set, either in the config or in the .htaccess:

ForceType application/x-httpd-php
php_flag short_open_tag off

Now you need to change a config setting in Thunderbird (Preferences -> Advanced -> Config Editor) to let it know where to get the updates. Create the new setting "app.update.url.override" (don't just change app.update.url, it gets ignored) and set it to the following URL (adapt it to your circumstances of course):

http://mozilla-updates.yourdomain.com/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml

If you have an SSL certificate that is recognized by Thunderbird, it is best to use a secure connection, but if it is self-signed, you need to rely on plain http.

If you want to use it company-wide, the configuration of the client is surely better done automatically. We are using the SOGo plugins that already include this possibility, but there should be other ways to do that. (If you know a good one, a comment would be nice, as I didn't research in that direction.)

Now put this script as "update" (not update.php!) onto your web server. Read it and adapt it to your circumstances; the comments should be thorough enough.

<?php
/* Script to manage a small count of Thunderbird update files.
 * Author: Jakob Lenfers <jakob@drss.de>
 * This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)
 */


header("Content-type: text/xml");
// set 'php_flag short_open_tag off' for this to work
echo '<?xml version="1.0"?>';

// set this to the URL where the updates can be found, ideally the same web
// server as this script
$update_host = "http://mozilla-updates.yourdomain.com";
// where the files lie in the filesystem. Important so the hash can be generated.
$updates_path = "/opt/mozilla-updates/";

// get all the vars out of the URL
$url_params=explode("/",$_SERVER["REQUEST_URI"]);
$product=$url_params[3];
$version=$url_params[4];
$build_id=$url_params[5];
$build_target=$url_params[6];
$locale=$url_params[7];
$channel=$url_params[8];
$os_version=$url_params[9];
$dist=$url_params[10];
$dist_version=$url_params[11];
$filename=$url_params[12];

//
// default values
//
// no update until we found a valid version
$update = false;
// per default use this version, usually the newest
$update_ver = "10.0.2";
// not sure where this is used in TB
$update_type = "major";
// is it a complete install file or a diff. If its a diff, set
// it to "partial".
$update_patchType = "complete";
// A simple HTML page that is shown during the update process. Usually
// contains new features or relevant information for the update.
$update_detailsURL = "http://yourwebserver/tb-update10.html";
// default lang. Will be pushed regardless of the client language
// if not changed below.
$update_lang = "en-us";

// we have only german and english language files. Remove or change
// this if you only plan to have the english update files or if you
// want to support other languages.
if($locale == "de"){
$update_lang = $locale;
}

// In the following block are the definitions for the update. We usually want to
// update straight to the newest version and don't have partial updates, because
// bandwidth isn't an issue in the internal network.
// You can change any setting that was set above as default here. If you want a
// different detailsURL on a partial update for example.
//
// we don't update firefox atm, only thunderbird
if($product=="Thunderbird"){
// example for a partial update
/* if(version_compare($version, "10.0.1", "=")){
$update = true;
$update_patchType = "partial";
// filename changes with the settings
}
*/

// if there are no more specific rules, upgrade all version to the
// current complete ESR version (default settings defined above)
if(version_compare($version, "10.0.2", "&lt;")){
$update = true;
}
}

// set the update filename
$update_file = strtolower("$product-$update_ver-$update_patchType-$build_target-update_lang.mar");

// if an update should be done and the file is readable, print the xml
// otherwise print just the empty update element
if($update &amp;&amp; is_readable($updates_path . $update_file)){
// $update_file_hash = hash_file("sha512", $updates_path . $update_file); // doesn't work with TB2
$update_file_hash = hash_file("sha256", $updates_path . $update_file);
$update_file_size = filesize($updates_path . $update_file);
echo "

"
;
}
else{
echo "";
}
?&gt;
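The script above takes $build_target (and $product, $version) straight from the request path and puts them into the file name it reads and hashes. As an added example (not code from the post, nor from the SOGo or Mozilla projects), here is a stricter variant of the same request handling: every path segment is checked against an allow-list or a tight pattern before it reaches the filesystem, the resolved path is confirmed to lie inside the update directory, and every attribute value is escaped before it goes into the manifest. The host name, directory, current version, details page and the set of build targets are assumptions (the targets mirror the ls listing below).

```php
<?php
// Added example, not part of the original post: stricter request handling for
// a private Thunderbird update server. Host, paths, version and the deployed
// build targets are assumptions; adapt them like the post's own script.

$update_host  = "http://mozilla-updates.yourdomain.com";   // assumed
$updates_path = "/opt/mozilla-updates/";                   // assumed
$current_ver  = "10.0.2";                                  // assumed newest ESR
$details_url  = "http://yourwebserver/tb-update10.html";   // assumed

// .mar files are deployed for exactly these build targets and locales
$known_targets = array("darwin_ppc-gcc3", "linux_x86_64-gcc3",
                       "linux_x86-gcc3", "winnt_x86-msvc");
$known_locales = array("de", "en-us");

// Parse and validate an AUS request path of the form
//   /update/3/PRODUCT/VERSION/BUILD_ID/BUILD_TARGET/LOCALE/CHANNEL/OS_VERSION/
//   DISTRIBUTION/DISTRIBUTION_VERSION/update.xml
// (vhost-root layout as in the post). Returns the fields we need, or null.
function parse_update_request($request_uri, $known_targets, $known_locales)
{
    $parts = explode("/", (string) strtok($request_uri, "?"));  // drop any query string
    if (count($parts) < 13 || $parts[1] !== "update" || $parts[2] !== "3") {
        return null;
    }
    $product = $parts[3];
    $version = $parts[4];
    $target  = $parts[6];
    $locale  = $parts[7];

    // only Thunderbird is served; the version must be plain dotted digits
    if ($product !== "Thunderbird" || !preg_match('/^\d+(\.\d+)*$/', $version)) {
        return null;
    }
    // exact match against deployed targets: no wildcards, no "..", no surprises
    if (!in_array($target, $known_targets, true)) {
        return null;
    }
    // unknown locales get the English file, as in the original script
    if (!in_array($locale, $known_locales, true)) {
        $locale = "en-us";
    }
    return array("product" => $product, "version" => $version,
                 "target"  => $target,  "locale"  => $locale);
}

// Decide whether the client needs an update and locate the complete .mar.
// Returns file name, sha256 and size, or null when no update applies.
function select_update($req, $current_ver, $updates_path)
{
    if (!version_compare($req["version"], $current_ver, "<")) {
        return null;   // client is already current
    }
    $file = strtolower(sprintf("%s-%s-complete-%s-%s.mar",
        $req["product"], $current_ver, $req["target"], $req["locale"]));
    // realpath() resolves symlinks and ".."; insist the result still lies inside
    // the update directory, as a second line of defence behind the allow-lists
    $base = realpath($updates_path);
    $real = realpath($updates_path . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_readable($real)) {
        return null;
    }
    return array("file" => $file,
                 "hash" => hash_file("sha256", $real),
                 "size" => filesize($real));
}

// Escape a value for use inside a double-quoted XML attribute.
function xml_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, "UTF-8");
}

// Render the manifest; an empty <updates> element tells the client "nothing to do".
function render_update_xml($update_host, $current_ver, $details_url, $patch)
{
    $xml = '<?xml version="1.0"?>' . "\n<updates>\n";
    if ($patch !== null) {
        $xml .= sprintf('  <update type="major" version="%s" extensionVersion="%s" detailsURL="%s">' . "\n",
            xml_attr($current_ver), xml_attr($current_ver), xml_attr($details_url));
        $xml .= sprintf('    <patch type="complete" URL="%s" hashFunction="sha256" hashValue="%s" size="%d"/>' . "\n",
            xml_attr($update_host . "/" . $patch["file"]), xml_attr($patch["hash"]), $patch["size"]);
        $xml .= "  </update>\n";
    }
    return $xml . "</updates>\n";
}

header("Content-type: text/xml");
$uri   = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : "";
$req   = parse_update_request($uri, $known_targets, $known_locales);
$patch = ($req === null) ? null : select_update($req, $current_ver, $updates_path);
echo render_update_xml($update_host, $current_ver, $details_url, $patch);
```

A request with an unknown build target or a malformed version now gets the empty manifest instead of a file lookup, and the closing ?> is left off on purpose so no stray whitespace can land in front of the XML declaration. One caveat on transport that applies to the post's script as much as to this one: when both the manifest and the .mar travel over plain http, the sha256 in the manifest only catches corruption in transit, because whatever can alter the .mar on the wire can alter the manifest too; a certificate the clients actually trust is what gives the hash its meaning.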

Finally you need the actual .mar (Mozilla Archive) files. They contain either the diff between two Thunderbird versions or the complete installation. We push only the full installations, since bandwidth isn't an issue, but partial updates are just as easy. Only generating them myself seemed quite tricky, so I copied the ones from Mozilla. Find a mirror here; the .mar files are in the update subdirectories (like for example here). Put all the systems (Win/Linux/Mac) and languages you want to support onto your web server and rename them to this naming schema, in lower case: "$product-$update_ver-$update_patchType-$build_target-$update_lang.mar". It looks like this on our web server:

root@maunaloa:/opt/mozilla-updates# ls -1
thunderbird-10.0.2-complete-darwin_ppc-gcc3-de.mar
thunderbird-10.0.2-complete-darwin_ppc-gcc3-en-us.mar
thunderbird-10.0.2-complete-linux_x86_64-gcc3-de.mar
thunderbird-10.0.2-complete-linux_x86_64-gcc3-en-us.mar
thunderbird-10.0.2-complete-linux_x86-gcc3-de.mar
thunderbird-10.0.2-complete-linux_x86-gcc3-en-us.mar
thunderbird-10.0.2-complete-winnt_x86-msvc-de.mar
thunderbird-10.0.2-complete-winnt_x86-msvc-en-us.mar
update
root@maunaloa:/opt/mozilla-updates#

I hope this was helpful; please leave a comment if you have questions or ideas. In the next few days I'm going to put together another article on how we updated our SOGo installations from Thunderbird 2 and Thunderbird 3 to Thunderbird 10, including the add-ons.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
