Rik Goldman - Tue, 2011/02/15 - 02:25

Original Post

I've been working for a few weeks on a TKLPatch for Psiphon. From their website:

Psiphon is content delivery technology that makes it possible for:

  1. Individuals to access Internet content anywhere, and anytime.
  2. Media producers, corporations, community groups to reach their audiences.

This is my take: it's an anonymous, SSL'd proxy server by which to circumvent autocrats' attempts at depriving citizens of information.

I discovered Psiphon about 5 years ago, when it ran on Windows. I fell in love with the software, its mission, and the priniciples driving the project - commitment to an open and accessible internet despite the urgent efforts of autocrats and oppressive regimes.

After it disappeared, I kept looking for signs of its reemergence. Finally it's back. They're not naive about the dangers one exposes oneself to by making a Psiphon instance available and they are tremendously honest about the software's weaknesses and the risks one runs by accessing or running an instance.

For the conf script, I'm using a modified version of their install script. Psiphon downloads, installs, and configures a customized Apache2 and its own MySQL instance.

I'm able to script the addition of the admin user and will be able to use an inithook to set the password (sha1(salt.password)). However, the first time it's accessed, it wants to be accessed from the localhost. For now, I'm installing lynx; from that first access, you configure a new proxy with the IP address that will be used for psiphon. I've looked at the pythonic mechanism confconsole uses to reckon the IP address, but I'm not sure how take advantage of that.

I'm handling the certificate generation through an inithook as well: it prompts for an IP address, and I can't seem to give an automated response to the request (the default is 127.0.0.1 - I just need to give it a carriagea return. I don't understand openssl well enough to parse the command that issues the prompt.

Any suggestions would be so very welcome. I'm eager apply this patch and make my first deployment to amazon.

I wish there were nobody who could benefit from it.

Couple of links:

https://launchpad.net/psiphon

http://psiphon.ca/

Update: Intended to be applied to Core 11.1. Revision R: Admin interface now somewhat intelligently configures admin access on every boot (in the event of IP change). Service now runs from init.d/psiphon rather /etc/rc.local. Revision Q: Administrative access now automatically configured for eth0's ip address on first boot. Revision P: Postfix seems in tests to be configured to work and send mail from the Psiphon interface. Revision N: User creates Psiphon admin password on first boot! yay. Revision M - Creation of db user and password, creation of cert, MySQL root password all created on first boot. /usr/local/bin has a script for reconfiguring postfix (cause I sure am having no success with it: mailconf.sh). Webmin modules for Apache2, postfix, phpini, and mysql are included.

Wish List: 

  • Configure webmin for the custom apache and php installations
  • phpmyadmin - can't figure out how to get it working without conflicting somehow with a the oddball apache2 psiphon compiles from source. I tried installing from source, tried from the package manager, but it just wasn't working. Strike it. Seems unnecessary.
  • Postfix - Psiphon has a feature to mail out invitations to use the proxy (individualized urls). I can't get mail out. hrmph
  • Mysql - I'd have liked to patch the mysql appliance, but MySQL on the appliance had problems importing one of the sql files as scripted. It returned something along the lines of "key too long". I researched and found solutions, but they didn't help in this case. So I went with what the devs called for.
  • The devs intended administrators to start with the user name "admin" and the password "admin." Immediately after logging in for the first time, it has the user change the password and set the email. I realize we're trying to avoid default passwords, but ... I need a break before I take on hash and salt and python.
  • The first proxy configured is for 127.0.0.1. I'd love for a proxy to be dynamically generated, using whatever voodoo confconsole uses to grab the ip, and then adding it to the MySQL psiphon.proxy table. But that is far beyond my grasp. Update: Now configures management proxy for eth0's ip address on first boot. Now, how to make it do that when the ip changes? Update: now checks on every boot and reconfigures admin access as necessary.

Usage Notes: Apply the patch to Core 11.1. (Consider changing the host name in the conf script - "psiphon" is a bit revealing perhaps.) On first boot, set root password, psiphon mysql password, mysql root password, and run security updates. Before version Q, The only way to access Psiphon was from localhost. 1 strategy is to use lynx: lynx https://127.0.0.1/001/. Another strategy is to add a proxy to the proxy table in the psiphon database - perhaps using Webmin. Both have worked for me.

Upon access, enter user admin and password admin. Upon access, enter username admin and the password you created on first boot. Read notification of what Psiphon does and does not do. After accepting, you'll be asked to change the password for user admin and to set an email address (Psiphon recommends a nice, anonymous gmail account).

This was quite a struggle for me, and is contrary to TurnKey best practice in several ways (default passwords, applications from source, etc. However, I was compelled by my own mission and by Psiphon's compelling mission to make this available. Unfortunately, it looks like a lot of people can benefit from access to an anonymous proxy right now. I certainly wish that weren't the case.

Forum: 
General
Tags: 
humanitarian
apache
php
server
mysql
proxy
postfix
psiphon
encrypted
anonymous
Alon Swartz's picture

Alon Swartz - Tue, 2011/02/15 - 13:43

Regarding the SSL certificate, if you can't update Psiphon to use the default cert (/etc/ssl/certs/cert.pem) which is generated on first boot, then I can offer some other ideas:

Maybe you can use a symlink to where psiphon looks for the certificate, and point it to the default.

If that doesn't work, you could copy the default certificate to where psiphon wants it.

Lastly, if you want to create a new certificate, take a look at /usr/lib/inithooks/firstboot.d/15-regen-sslcert - by default it will regenerate the default ssl certificate, but you can customize the certificate it generates by setting some environmental variables:

# /usr/lib/inithooks/firstboot.d/15regen-sslcert -h
Generate SSL certificate

# VARIABLE      EXPLANATION          [VALUE]
  C             Country Code
  ST            State or province
  L             Locality (city)
  O             Organization name    TurnKey Linux
  OU            Organizational unit  Software appliances
  CN            Common name
  emailAddress  Email address

  DAYS          Duration in days     3650
  BITS          RSA bits to use      1024
  KEYPASS       Key password         

  CERTFILE      Output file          /etc/ssl/certs/cert.pem

# NOTES
  Warning: only set password if you know what your doing
  Display certificate: openssl x509 -text < /etc/ssl/certs/cert.pem

Rik Goldman - Mon, 2011/02/21 - 21:18

Thanks Alon! I'll work through your suggestions on the next round of revision - I've grown road worn and weary from this one.

Introducing Psiphon

The launchpad.net page for Psiphon 2.5 sums it up best:

Psiphon is a user-friendly, simple to administer, web-based proxy application. It allows users in regions with unrestricted Internet access to provide access to denied content to their friends, family, and associates in regions with restricted access.

Learn more here.

Procedure

Given: Installed TurnKey Linux Core 11.1 in a VM. Know the IP address of the VM.

Given: Expect to commit 40 minutes to the install - config notwithstanding.

Set Hostname

Set hostname to psiphon in /etc/hosts and /etc/hostname. For the safety, integrity, security of your site and users, you'll want the hostname to betray the purpose of the server less than "psiphon" will.

Install Dependencies

apt-get install build-essential

If you want to send invitations through Psiphon, perhaps postfix. Somehow it needs to be configured to accept connections from localhost on port 25. Those are the only instructions I have.

apt-get install webmin-postfix postfix

Download Psiphon

wget http://launchpad.net/psiphon/2.5/2.5/+download/psiphon-2.5.tar.gz -O /tmp/psiphon-2.5.tar.gz
tar xzvf /etc/psiphon-2.5.tar.gz -C /tmp
rm /tmp/psiphon-2.5.tar.gz
mkdir -p /opt/psiphon

Install Psiphon

cd /tmp/psiphon-2.5/
tools/psiphon_install.sh /opt/psiphon
#at the prompt, y to install from repos
#at the dialog, set mysql root password, enter twice
#Prompts for certificate request info: IP or DN of the server 
#Enter the psiphon database password at the prompt

Edit Services.txt

vim /etc/confconsole/services.txt

Insert the following at the top of the file:

Psiphon:    https://$ipaddr/001

Start Psiphon

/opt/psiphon/apache2/bin/apachectl start

Access Psiphon

Navigate to https://$ipaddr/001, and indicate that you understand the risks, add an exception, confirm security exception.

Only proxy set up is for localhost. Without phpmyadmin, the only way I could see to configure another proxy is

apt-get install lynx
lynx https://127.0.0.1/001

Login with admin/admin. Accept the terms of use.

Change admin account information.

Add a proxy with proxy address $ipaddr.

Set Psiphon to start on start up?

I'm not confident of the best way to do this: Editing /etc/rc.local to start

/usr/share/psiphon/apache2/bin/apachectl start

is the only way that worked for me. I tried modifying /etc/init.d/skeleton and that failed. So I tried to modify a package install of the init.d for apache2, but that failed as well.

Rik Goldman - Wed, 2011/02/23 - 01:31

and I can't get an inithook to set the admin password for Psiphon.

Given this from source php:

$pass_salt = bin2hex(secure_rand());

and this:

$password = sha1($_POST["create_account_password"].$pass_salt);

I've tried and failed with many combinations in Python. The closest I've come is this:

salt = binascii.hexlify(str(random))

hashpass = hashlib.sha1(password + salt).hexdigest()

I've been using the mahara and Django scripts for reference. And by I've gotten close, I guess I mean it no longer throws errors when it runs, and it's putting data in the right fields in the right table in the right database. Unfortunately, I'm not able to log in with the password I assign in the dialog box. What am I missing?

Help?

 

Rik

Rik Goldman - Wed, 2011/02/23 - 22:10

Now all passwords are set by the user on first boot. That's two Pythonic successes in one day. Now, how to enable the app to mail out?

Rik

Add new comment