My Keepass2 setup with Android, Firefox and sync

Motivation

A couple of weeks ago I read another article about a major security breach of a big online service and finally decided that I need a special password for every service I’m using. Up until then, I always used about 6 passwords for online stuff. More important sites got one of the better passwords, irrelevant sites one of the poor ones, but a lot of sites shared passwords. Since I try to use only three user names (private, gaming and work) if they are available, it wouldn’t have been too hard to try my password they stole from service X on service Y with not a bad chance of success.

It’s not my first try to use a central application for my passwords, but all failed because of trust or usability. I want to be able to use this on all my computers, on my mobile and on the go, so I needed a synced solution. There are a few around, but I don’t trust this kind of data hosted on a server thats not mine. So this is the first solution that was comfortable to use and secure for my needs. All the tools here are open source, which doesn’t makes them secure, but we can hope there are people checking them out. 🙂

I’ll show mostly my setup, all the tools described here are heavily customizable, so check all the options after the initial setup to adapt them exactly to your needs. But this will hopefully get you started.

KeePass

First we need to install KeePass2. There are versions for the major operating systems on their website, I tried Linux (used the packages shipped with Ubuntu) and Windows.

Create a new database
Create a new database

Now that we installed KeePass, we’ll first need to create a new database. After selecting where to save it, we’ll have to put in a master password. Obviously, this should be one of the better kind. I didn’t check out the possibilities of a key file or testing the existence of a USB drive, since it would be a problem for portability of the solution.

(src xkcd, CC BY-NC 2.5)
(src xkcd, CC BY-NC 2.5)

After putting in the password, it was asking for a few settings. Since I was fine with the standards, the KeePass file was created with a few sample entries. We can delete the samples and save it now.

Create a new password, e.g. 32 characters long.
Create a new password, e.g. 32 characters long.

To try it out, we could generate a new password (Tools -> Generate Password). I prefer to use A{32} as a pattern, which creates 32 lower and upper case letters and numbers. (I guess that is security wise dumb to tell, so I might change it in the future. ;)) It’ll create a blank entry in the database with a random password. If you edit it, you can add at a user name, but also URL (later useful for Firefox integration), custom notes, an icon and a lot of other fields.

Update: I changed that to use special characters as well.

If we want to login now, we can select the entry and press Ctrl-C to copy the password into the clipboard for a few seconds. If you want to copy the user name, use Ctrl-B and Ctrl-U will open the saved URL for you.

KeeFox: Firefox Integration

To make this far more comfortable to use, we should integrate this into our browser. Since I use Firefox at the moment, I used KeeFox for that, but there are supposed to be plugins for other browsers as well. KeeFox can fill out your forms automatically and save new passwords directly into KeePass, just like the internal Firefox password manager did. Running Windows, this is a breeze. Install KeeFox from Mozillas Addon Page, restart Firefox and follow the instructions. It’ll copy the KeeFox plugin into your KeePass directory. After restarting KeePass and maybe Firefox as well, you’ll get a connection window asking you to for a code and another one showing it to you. (Just to make sure that nothing connects without your consent.)

Linux users have a slightly harder time. On Ubuntu, you’ll need to install mono-complete for KeeFox to work, other distributions will have similar meta packages for a complete mono installation. (If anybody knows exactly the packets necessary, I would appreciate a comment, all the howtos simply install mono-complete.) The installation is covered in pictures very well on sysads.co.uk, so I will not write it down here again. 🙂

KeeFox asks if I want to save the password in my KeePass database
KeeFox asks if I want to save the password in my KeePass database

Now that we should be connected, we could try out logging in somewhere and saving the password. I’ll login to my blog backend and on the top of the screen KeeFox asks me if I want to save the password.

Editing an entry created from KeeFox
Editing an entry created from KeeFox

If we save, the entry appears in KeePass with the favicon of the page (my blog doesn’t have one) and title, user name, password and URL already filled. Sometimes it makes sense to change the URL or title, but mostly you are good to go and don’t need to edit anything. If you log out and open the login dialog again, the fields will be filled out and you only need to click the login button.

Sync with OwnCloud/Nextcloud

After the first two parts, we should have a comfortable setup for one computer. But most of us have more than one computer and want to use passwords all across them. Since I already use ownCloud (or rather now Nextcloud), I wanted to save the password database there. The server is administrated by myself, so I’m pretty sure that only I can access the data there. (Barring big security holes in PHP, bash, SSL, …) If you want to install it as well, you can follow the official documentation, but keep in mind that you’ll have to take care of security of the installation as well. In case you want to do this with Dropbox, you’ll have to trust them enough (whyever) and it should work just the same, I guess.

Password database in ownCloud
Password database in ownCloud

If you copy the password file anywhere in your local ownCloud (client) directory, the client will automatically sync it to the server. Now open the database file again from the ownCloud directory, every change you’ll make will be synced again. But since my password database is only about 50kb (I’m still migrating sites to the new password whenever I log in and have a minute), it’s no problem with nearly all internet connections.

When you now setup KeePass and KeeFox on a second computer (with ownCloud installed of course), you can open the database file from the local ownCloud directory and always get a current version of the database. I set up KeePass so that it closes the database after certain time of inactivity, so I never expect two KeePass instances adding new entries at the same time. But if you work with two computers side by side, make sure to save the database after adding a new entry and reopening it on the second computer before making any changes.

Update: I switched to nextcloud, but that doesn’t change the process here at all. But I discovered there is an app for nextcloud to open your Keepass database in the browser, Keeweb for nextcloud. Download the latest release and install it like any other nextcloud app. Then you can access your passwords easier, even when you aren’t at your own computer. Obviously you should only do that on trustworthy computers.

Keepass2Android: Android App

Now we should have a Firefox integrated password save, that is synced between our computers. Today smartphones are also used to connect to lots of services, each needing its own password. I for example need my Amazon password from time to time, to buy something while sitting in public transport. Instead of typing it in with people looking over my shoulder, I copy and paste it out of my password database now.

To do so, we can use Keepass2Android. Since the Android ownCloud client didn’t work well for me for keeping files local and updated, we connect directly via WebDAV to our ownCloud installation. Choose to open a password database:

Open a database on Keepass2Android
Open a database on Keepass2Android

There are a lot of services to connect to, but to connect to the ownCloud instance, we should use HTTPS and add the following (adapted) URL: https://owncloud.server.com/remote.php/webdav/path/to/the/pw.kdbx

Login with optional quick unlock feature
Login with optional quick unlock feature

Put in username and password of your ownCloud installation, and then the password for your database and you should be good to go. You can activate quick unlock, which doesn’t lock the database completely, but you only need to input the last three characters of the password to access it until you close the database manually. (At latest at a reboot.) If you don’t mind the reduced security, its a nifty feature.

The KeePass groups in the Android app
The KeePass groups in the Android app

After login you’ll get a list of all your passwords and groups. If we choose the amazon password entry, Keepass2Android will show two new entries in Androids notification area (next to the one that is already there because the database is open):

The username and password can be put into the clipboard from the notification screen
The username and password can be put into the clipboard from the notification screen

Those entries enable you to switch to your browser, pull down notifications, copy the password (or username) directly from the notification area and paste them in the website. There is a risk according to Keepass2Android that other apps might copy data from your clipboard, so the alternative is to use a special Keepass2Android keyboard instead the copy and paste solution. Whatever you decide.

Update: I switched to the integrated keyboard Keepass2Android provides. Whenever I open an entry, a dialog pops up that lets me switch the keyboard to a special keyboard that lets me access username and password with one button each. After closing the database, the keyboard switches back to my default one.

Backup

I hope that we have a comfortable synced password solution now, that we can access from our Android mobile as well. My last fear now was, what happens if the database gets deleted or corrupted in some way? In theory there is an ownCloud feature to keep old versions of a file around. But I don’t trust that. I want to have a backup with more than one version simply in my computers (or home servers) filesystem.

If you use windows (or don’t want to use self written scripts on Linux), I recently stumbled over Duplicati, an open source GUI backup tool, that also supports WebDAV. I’m sure it wouldn’t be hard to setup a backup job to save a copy of the password file from the ownCloud (WebDAV) server.

But I didn’t try it yet and I prefer this simple solution I can easily completely understand. I created a very short script using cadaver (a command line WebDAV client.) Create a directory, e.g. ~/.pwdatabase where you want the file saved and adapt the following script to your needs, I called it ~/bin/pwdatabase-backup.sh:

[cc lang=“bash“]
#!/bin/bash

cd ~/.pwdatabase-backup
rm pw.kdbx
echo „get pw.kdbx“ | cadaver https://owncloud.server.com/remote.php/webdav/directory/of/database/
mv pw.kdbx pw.kdbx-`date +%Y-%m-%d_%H%M%S`
[/cc]

After that we still need to save our ownCloud access data in a file ~/.netrc: (If you are more paranoid than I am, create a dedicated user just for the backup task.)

[cc lang=“bash“]
machine owncloud.server.com
login foo
password bar
[/cc]

Make sure to make the script executable and the .netrc as well as the backup directory only accessible by you:

[cc lang=“bash“]
lenfers@waxford:~$ chmod +x ~/bin/pwdatabase-backup.sh
lenfers@waxford:~$ chmod 600 ~/.netrc
lenfers@waxford:~$ chmod 700 ~/.pwdatabase-backup/
[/cc]

Last but not least, add a cronjob to run this script. This will run now every hour at the 42nd minute. Run ‚crontab -e‘ and put the following line in the editor that opens now:

[cc]
42 * * * * /home/lenfers/bin/pwdatabase-backup.sh
[/cc]

You’ll now get files in your backup directory named like pw.kdbx-2014-10-12_193002 every hour. If you want the script to run at different intervals, check out a cron howto.

Conclusion, Security opinion and Todo

We should have installed and used the following software by now:

You should now have the possibility to create a password per webpage and sync it between different computers and mobile phones. If you haven’t done so, I would recommend to change a few passwords from sites that are important to you into long automatically generated ones. The password file should be in a lot of places, just in case it gets corrupted (which didn’t happen to me, I’m just cautious.)

I’m by far no security expert, but I want to provide you with my view on how secure this setup is. It shouldn’t be good enough for missile launch codes (but might be) or if you are in a position where you might be targeted directly (instead if being one among many victims of a site hack.) If someone were to breaks into your cloud account, they would only need to break your KeePass password offline and got access to all your accounts! Since I don’t expect to be targeted directly (shouldn’t have said that, should I? :-)) this will immensely increase security for me, because the damage resulting from big hacks on websites won’t affect me anymore outside of the hacked site. Also brute force attacks on my online accounts should be far harder now. Last but now least, I use two factor authentication as much as possible.

Update: Keeweb added in the cloud section. In the future I want to look into integrating a web interface into ownCloud (maybe based on WebKeePass?) so I could access my passwords easier from a friends computer without having to copy them manually from my mobiles screen, but I’m not sure when I’ll find time for that. If anybody has a working solution or good hints on how to do that easily, I would appreciate a pointer.

I hope this helped you to switch from a small array of simple to medium passwords to a system of one secure password per site. Any feedback is appreciated!

What do you think of this post?
  • Awesome (30)
  • Interesting (29)
  • Useful (26)
  • Sucks (9)
  • Boring (7)

selfoss: Self hosted alternative to Google Reader

Screenshot of selfoss with the special source to get the full article in the heise feed
Screenshot of selfoss with the special source to get the full article in the heise feed

Update: I switched to Tiny Tiny RSS, which already has far more features I wanted, I also blogged about my experiences.

Since Google Reader announced that it is going down, lots of articles describing alternatives came up. I wanted to host my own RSS-Reader for some time so this was the final reason to do it. Since I couldn’t make Newsblur work on my own host last time I tried it, I tried selfoss which is a great deal easier. Here are my first impressions of selfoss:

  • Nice user interface, even on my android phone.
  • Got keyboard shortcuts very similar to Google Reader.
  • Not only RSS sources but some special sources to get full content of sites that only have a teaser in their RSS feed.
  • The article text is divided into three panes much like a newspaper.
  • Easy to install (only PHP needed, MySQL optionally.)
  • At the moment there is sadly no way to read by feed, only by category or tag. Hope this will be integrated in the future. I would like to be able to have a view just like in Google Reader, where I can view whole categories but also a single feed from the category. But I’m managing by creating categories with only one feed in them.
  • I’m also missing an option to automatically mark an item read when I open it.

So selfoss isn’t a perfect solution for me, but I might try and add some of the missing features myself and I bet after todays news more user will use and therefore enhance it. If you just want to install it on your hoster without MySQL, it is really simple. To let it run in my Ubuntu server I had to enable the rewrite and headers modules and create a cronjob for the updates:

[cc lang=“bash“ line_numbers=“off“]
sudo a2enmod headers
sudo a2enmod rewrite
sudo service apache2 restart
sudo echo „*/5 * * * * nobody wget -o /dev/null http://your.domain/selfoss/update“ >> /etc/cron.d/selfoss
[/cc]

Update: If you are running on a Debian with default settings or get a 500 server error on other distributions, try to add „AllowOverride All“ in your webserver/vhost config. (source)

I’m running it with MySQL and authentication with this configuration file (config.ini in the selfoss directory):

[cc lang=“ini“ line_numbers=“off“]
db_type=mysql
#db_file=data/sqlite/selfoss.db
db_host=localhost
db_database=selfoss
db_username=selfoss
db_password=YOUR_DB_PASS
db_port=3306
logger_level=ERROR
items_perpage=50
items_lifetime=400
base_url=
username=username
password=YOUR_PASSWORD_HASH
salt=YOUR_RANDOM_SALT
public=
rss_title=selfoss feed
rss_max_items=300
rss_mark_as_read=0
[/cc]

What do you think of this post?
  • Interesting (4)
  • Awesome (2)
  • Useful (2)
  • Sucks (2)
  • Boring (0)

Switch from Unity to XFCE

I tried using Unity since Ubuntu removed Gnome2. I don’t like Gnome3 so I stuck with Unity for quite some time, hoping I would get used to it. But I did not and bugs that hide the dock depending on uptime (Bug) really got me over the edge to look elsewhere. (I’m ashamed to admit I rebooted my computer many times before I even took the time to researched it.)

Now I switched to XFCE 4.10 with a gnome-session for keyring and nautilus, which I prefer to Thunar. (This german tutorial was helpful in achieving this.) I added a dock with Avant Window Navigator and changed a few key bindings. Now I’m nearly happy, there seems only one thing missing: I would like to have AWN react to Win+1…9 like the dock does on Unity or Win7.

switch_from_unity_to_xfce-screenshot

This is how my left screen looks like. I think optics are nice and it is a useful more traditional setup than the unity stuff.

What do you think of this post?
  • Interesting (8)
  • Awesome (2)
  • Useful (2)
  • Boring (1)
  • Sucks (0)

Sluggish Ubuntu during disk I/O solved

I finally found a solution for the most annoying linux problem I had for years! 🙂 TL;DR: System is now far more responsible during disk I/O with the lowlatency kernel, source: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/131094/comments/390

I have a linux box (waxford) that is used as a home server for all my needs at home (media, file server, dev server, backup, …) but also as an always on desktop. It’s an old (by current standards) AMD 4450e with 2×2.3Ghz and 3GB RAM and a (software) RAID5. If I remember correctly, I installed it as an Ubuntu 08.04 server and upgraded up to 12.04 over time.

The problem was, that after one of the updates the machine was unusable as soon as some disk I/O happened. Playing MP3s while running updatedb, installing updates or starting Thunderbird was impossible and the mouse would stand still for seconds. Very annoying and embarrassing. 🙁

Yesterday I read a comment in the bug report for that problem, which I’m subscribed to for years as well, with a possible solution. As described there I switched from the server kernel to the lowlatency kernel. That surely brings some throughput penalties in benchmarks, but in real live usage my machine is usable again. It doesn’t feel sluggish all. I’m really happy about that simple solution.

The bug existed since 2007 and still isn’t officially closed. In the roughly 13 years of using linux little annoyed me as this did. I had to fight with so many drivers and incomplete implementations of stuff – after all its free software, I’m free to extend or not to use it. But this drove me crazy, in a lot of ways my linux desktop in e.g. 2004 was far more usable than my way more powerful machine during the the last few years.

What do you think of this post?
  • Awesome (0)
  • Interesting (0)
  • Useful (0)
  • Boring (0)
  • Sucks (0)

tsclient no more in Ubuntu Oneiric 11.10

If you have to connect to Windows machines from time to time and have been an Ubuntu user like me, you most probably have been using tsclient to connect to it. But what I missed during the upgrade a couple of weeks ago was the fact that the previous Ubuntu standard tsclient has been removed. AFAIU because it’s not developed anymore and won’t get an upgrade to GTK3. Well, those reasons are all right, but the GNOME client can’t do shit, it’s utterly useless in my eyes. After a search on google I finally found the replacement for it: Remmina. Does what I need it to do, looks good and is included in Ubuntu. I just don’t understand why it isn’t automatically installed, like tsclient was before. If Ubuntu sees the need to remove a software, I think it would be good for users if they would replace it with something new, especially since it already exists in Ubuntu. They saw the need for a good RDP client in Ubuntu before, why not now?

What do you think of this post?
  • Interesting (6)
  • Awesome (3)
  • Useful (2)
  • Boring (0)
  • Sucks (0)

Netvault 8 & Ubuntu 10.04 64bit

Today I had to add a new server to our backup. It was the first 64bit installation of Ubuntu (10.04 LTS), because all the other virtual machines were still running 32bit. (Why? I cannot remember.) The backup system is a Netvault from BakBone, running on a Ubuntu 08.04 LTS 32bit.

Two things I discovered today, that might be important for some of you:

  • Even though you normally don’t do that, I had the installation script in a path that contained a space. The install script is sadly badly enough written that it didn’t work with that. But that is easily corrected.
  • The second problem is that without deeper knowledge on that topic it seems as if the 64bit client package from Netvault contains 32bit binaries. So the installation fails because some 32bit libraries are missing. Running getlibs revealed that the following packages need to be installed prior to installing netvault, because the install scripts already calls them: ia32-libs lib32bz2-1.0 lib32nss-mdns lib32z1 lib32ncurses5 lib32asound2
    I’m not sure if they are all needed, but it works now without any problems.
What do you think of this post?
  • Awesome (3)
  • Useful (3)
  • Interesting (0)
  • Boring (0)
  • Sucks (0)