Terminal tips

This page collects security-related terminal commands for Arch Linux that we use often. The same commands on other Linux distributions or on Windows may differ and are not covered here.

Tools

chromium

The Chromium web browser can be configured with command-line switches. For example, you can restrict the cipher suites Chromium offers by adding switches to the Exec line of the chromium.desktop file with sed:

#! /bin/bash
sudo cp /usr/share/applications/chromium.desktop /usr/share/applications/chromium.desktop.backup
sudo sed -i 's:Exec=/usr/bin/chromium %U:Exec=/usr/bin/chromium --cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0x000a,0xc013,0xc014 --ssl-version-min=tls1.2 %U:g' /usr/share/applications/chromium.desktop

The important part is --cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0x000a,0xc013,0xc014 --ssl-version-min=tls1.2. The second switch raises the minimum protocol version to TLS 1.2 (SSLv3, TLS 1.0 and TLS 1.1 are disabled; newer versions stay allowed). The first one blacklists cipher suites by their IANA number: 0x009c, 0x009d, 0x002f, 0x0035 and 0x000a use static RSA key exchange and therefore offer no forward secrecy (0x000a is additionally 3DES), and 0xc013/0xc014 are the ECDHE CBC-mode suites. Use Qualys’ SSL Client Test to check that no weak cipher suites are offered any more; Chromium silently ignores switches it does not know, so verify the effect instead of trusting the flags. Important: package updates overwrite the chromium.desktop file, so you have to repeat the process after every Chromium update (grep for --cipher-suite-blacklist in the file to see whether it is still in place).
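The same edit as a re-runnable script with a check, added here as an example (not part of the original page). It assumes the stock line Exec=/usr/bin/chromium %U in the desktop file; the function names are this example's own. The point it adds over the one-liner above is that a non-matching Exec line (after an update that changed the format) is reported instead of being silently left unchanged, and that you can re-check the file after every update:

```shell
#!/bin/bash
# Added example, not from the original page: the sed edit wrapped in functions that
# verify the result, so a silently non-matching pattern (the Exec line changed after
# an update) or an already-hardened file is reported instead of ignored.
# Assumes the stock Exec line "Exec=/usr/bin/chromium %U"; adjust EXEC_LINE otherwise.
set -u

EXEC_LINE='Exec=/usr/bin/chromium %U'
CHROMIUM_FLAGS='--cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0x000a,0xc013,0xc014 --ssl-version-min=tls1.2'

# check_chromium_desktop FILE: 0 if every Exec= line carries the switches, 1 otherwise.
# Run this after every Chromium update, which overwrites the file.
check_chromium_desktop() {
    grep -q '^Exec=' "$1" || return 1
    ! grep '^Exec=' "$1" | grep -vF -- "$CHROMIUM_FLAGS" | grep -q .
}

# harden_chromium_desktop FILE: back up FILE and insert the switches into its Exec line
harden_chromium_desktop() {
    local file=$1
    if check_chromium_desktop "$file"; then
        echo "$file: already hardened" >&2
        return 0
    fi
    if ! grep -qF -- "$EXEC_LINE" "$file"; then
        echo "$file: no line matching '$EXEC_LINE'; edit the Exec line by hand" >&2
        return 1
    fi
    cp "$file" "$file.backup"
    # | as sed delimiter; the switches contain neither | nor &, so they are safe as replacement text
    sed "s|^${EXEC_LINE}\$|Exec=/usr/bin/chromium ${CHROMIUM_FLAGS} %U|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    check_chromium_desktop "$file"
}

# Usage (as root): harden_chromium_desktop /usr/share/applications/chromium.desktop
```

Run check_chromium_desktop on the file after each pacman upgrade of chromium; a non-zero exit means the switches are gone again.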

dig

dig is part of BIND and can be used to check whether a domain is DNSSEC-signed and whether your resolver validates it:

  • $ dig [domain name] +multiline
    • “status” should be “NOERROR”. “SERVFAIL” from a validating resolver usually means the DNSSEC chain is broken (e.g. expired signatures or a DS record that does not match the zone’s key); $ dig [domain name] +cd disables validation and shows the records anyway, which helps to tell a DNSSEC problem from a plain outage
    • “flags” must contain “ad” (authentic data). Only a validating resolver sets this flag, so if your resolver does not validate you will never see “ad”, even for a correctly signed zone; query a resolver that is known to validate with $ dig @[resolver] [domain name] +multiline to compare
  • $ dig [domain name] +multiline +dnssec
    • This query sets the “DNSSEC OK” (DO) bit and asks for the DNSSEC records to be sent along, if available
    • Look for “RRSIG” resource records next to the answer
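Added example (not part of the original page): a small parser for the dig output described above that returns a verdict instead of leaving you to read the header by eye, plus a wrapper that runs the live query. The function names and verdict strings are this example’s own; it assumes the “;; ->>HEADER<<-” and “;; flags:” lines that dig prints by default:

```shell
#!/bin/bash
# Added example, not part of the original page: classify the output of
# `dig <name> +dnssec` by status, "ad" flag and presence of RRSIG records.
# Assumes dig's default output format (";; ->>HEADER<<-" and ";; flags:" lines).

# dnssec_verdict < dig-output
# Prints one of: validated, servfail, unsigned-or-unvalidated, no-rrsig, or the raw status
dnssec_verdict() {
    local out status flags
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)

    if [ "$status" = "SERVFAIL" ]; then
        # a validating resolver answers SERVFAIL when the signature chain is broken;
        # re-run with +cd to see the unvalidated records
        echo servfail
    elif [ "$status" != "NOERROR" ]; then
        echo "$status"
    elif ! printf ' %s ' "$flags" | grep -q ' ad '; then
        # no "ad": either the zone is unsigned or the resolver does not validate
        echo unsigned-or-unvalidated
    elif ! printf '%s\n' "$out" | grep -q '^[^;].*[[:space:]]RRSIG[[:space:]]'; then
        # "ad" without RRSIGs usually means the query was sent without +dnssec
        echo no-rrsig
    else
        echo validated
    fi
}

# dnssec_check NAME [@resolver]: live query, e.g. dnssec_check example.org @9.9.9.9
dnssec_check() {
    dig "$@" +dnssec | dnssec_verdict
}
```

Compare the verdict from your default resolver with the one from a resolver known to validate: “unsigned-or-unvalidated” from the first and “validated” from the second means the zone is fine and your resolver is the problem.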

gpg

GnuPG is usually already installed on your machine and can be used for e-mail encryption and signing. You can use it from your terminal as well, of course.

Asymmetric encryption

We save our cleartext as clear.txt. You can also use echo "your message", of course. The ciphertext is stored as cipher.txt.

  • Encrypt and sign: $ cat clear.txt | gpg -esar [key id of the recipient] -u [your key id] > cipher.txt
    • -e means encrypt
    • -s means sign
    • -a means ASCII-armored output (a text file you can paste into an e-mail)
    • -r means encrypt for the following key id of the recipient. Add a second -r [your key id] if you want to be able to decrypt cipher.txt yourself later; otherwise only the recipient can
    • -u means use the following (your) key id for signing
  • Decrypt: $ cat cipher.txt | gpg -d > clear.txt
    • -d means decrypt. gpg also verifies the signature and reports “Good signature from …” on stderr; if it reports a BAD signature or no signature at all, do not trust the contents

Symmetric encryption

gpg can be used to symmetrically encrypt data, too:

  • Encrypt: $ gpg -c --cipher-algo AES256 clear.txt
    • -c means symmetrically encrypt (you are asked for a passphrase, from which the key is derived)
    • --cipher-algo AES256 means use AES-256 for encryption
    • the ciphertext is written to clear.txt.gpg
  • Decrypt: $ gpg -d clear.txt.gpg > clear.txt
    • -d means decrypt

Please note that the passphrase is cached by gpg-agent for a while (its default-cache-ttl, 600 seconds by default), so a second gpg -d on the same device may not ask for it again. When you are running gpg 2.2.7 or newer, you can turn off this cache by adding --no-symkey-cache to both commands.
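The commands from both gpg sections as script functions, added as an example that is not from the original page. It runs in a throwaway GNUPGHOME with passphrase-less test keys (names and addresses are constructed), assumes gpg 2.2.7 or newer, and shows two things the interactive commands hide: how to supply a passphrase without pinentry, and how to check the signature result by machine via --status-fd instead of reading “Good signature” off the terminal:

```shell
#!/bin/bash
# Added example, not from the original page: the gpg commands from the two sections
# above as functions, run inside a throwaway GNUPGHOME so the real keyring is never
# touched. Assumes gpg 2.2.7 or newer (--no-symkey-cache, --quick-generate-key,
# loopback pinentry). Names and addresses used with it are constructed test data.

# gpgb: gpg in non-interactive mode (passphrases come from the command line/stdin, not pinentry)
gpgb() {
    gpg --batch --quiet --yes --pinentry-mode loopback "$@"
}

# gpg_sandbox / gpg_sandbox_cleanup: isolated keyring directory in $GNUPGHOME
gpg_sandbox() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}
gpg_sandbox_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# make_key "Name <mail>": passphrase-less key with signing and encryption capabilities
make_key() {
    gpgb --passphrase '' --quick-generate-key "$1" default default never
}

# encrypt_sign SENDER RECIPIENT IN OUT: long-option form of `gpg -esar RECIPIENT -u SENDER`.
# The sender is added as a second recipient so the sender can read OUT too.
encrypt_sign() {
    gpgb --encrypt --sign --armor --recipient "$2" --recipient "$1" --local-user "$1" \
        --output "$4" "$3"
}

# decrypt_verify IN OUT: decrypt and require a good signature (exit 1 otherwise).
# --status-fd 1 prints machine-readable lines such as "[GNUPG:] GOODSIG <keyid> <uid>";
# a plain `gpg -d` prints "Good signature from ..." for humans instead.
decrypt_verify() {
    local status
    status=$(gpgb --status-fd 1 --decrypt --output "$2" "$1") || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

# sym_encrypt / sym_decrypt PASSPHRASE IN OUT: `gpg -c --cipher-algo AES256` without a
# prompt. The passphrase is fed on stdin (--passphrase-fd 0) rather than as an argument,
# so it does not show up in `ps`, and --no-symkey-cache keeps gpg-agent from caching it.
sym_encrypt() {
    printf '%s' "$1" | gpgb --passphrase-fd 0 --no-symkey-cache --symmetric \
        --cipher-algo AES256 --output "$3" "$2"
}
sym_decrypt() {
    printf '%s' "$1" | gpgb --passphrase-fd 0 --no-symkey-cache --decrypt --output "$3" "$2"
}
```

For real use drop gpg_sandbox and make_key and point --recipient/--local-user at the key ids from your own keyring; the encrypt, decrypt and signature-check functions stay the same.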

imagemagick

Well-known tools use ImageMagick, so it is likely that it is already installed on your machine. You can use it to remove metadata (Exif data including GPS coordinates and embedded thumbnails, comments, profiles) from photos:

  • Remove metadata: $ mogrify -strip [filename]
    • -strip means “strip the image of any profiles, comments or these PNG chunks: bKGD, cHRM, EXIF, gAMA, iCCP, iTXt, sRGB, tEXt, zCCP, zTXt and date”
    • mogrify rewrites the file in place (a JPEG is re-encoded, so keep a copy if you need the original unchanged), and stripping the colour profile can change how the picture is displayed
  • View metadata: $ identify -format '%[EXIF:*]' [filename]
    • shows the Exif metadata in the file; run it again after -strip and expect empty output

openssl

You can use openssl for many purposes. For example, whenever you need random bytes from a cryptographically secure generator, e.g. for keys, tokens or passwords:

  • Print raw bytes to the terminal: $ openssl rand [number of bytes] (usually redirected into a file, as raw bytes are not readable)
  • Hex format: $ openssl rand -hex [number of bytes]
  • Base64 format: $ openssl rand -base64 [number of bytes]

pwgen

Do you need a password now? Use pwgen:

  • Create passwords containing upper-case and lower-case chars, digits and special chars: $ pwgen -scyn1 [number of characters] [number of passwords]
  • Create passwords containing upper-case and lower-case chars and digits: $ pwgen -scn1 [number of characters] [number of passwords]
    • -s means secure, i.e. completely random instead of the pronounceable (and therefore weaker) default
    • -c, -n and -y mean at least one capital letter, one digit and one symbol, respectively
    • -1 means one password per line; [number of passwords] is optional
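Added example (not from the original page) for the openssl and pwgen sections: a password generator built on openssl rand, and an entropy estimate that shows what the pwgen character sets buy you per character. Characters are chosen by rejection (tr -dc discards every byte outside the set), which avoids the bias of reducing a random byte modulo the set size. The set names and function names are this example’s own:

```shell
#!/bin/bash
# Added example, not from the original page: a password generator on top of
# `openssl rand` with rejection sampling, plus an entropy estimate for the
# character sets pwgen uses. The set names (alnum, graph, hex) are this example's own.

# charset SET: tr character set and its size, separated by a space
charset() {
    case "$1" in
        alnum) echo '[:alnum:] 62' ;;   # A-Z a-z 0-9, like pwgen -scn
        graph) echo '[:graph:] 94' ;;   # every printable ASCII char except space, like pwgen -scyn
        hex)   echo '0-9a-f 16' ;;      # what `openssl rand -hex` prints
        *)     return 1 ;;
    esac
}

# gen_password SET LENGTH: LENGTH characters chosen uniformly from SET
gen_password() {
    local cs len pw
    cs=$(charset "$1") || return 1
    cs=${cs% *}
    len=$2
    pw=''
    while [ "${#pw}" -lt "$len" ]; do
        # 256 fresh random bytes per round; LC_ALL=C keeps tr byte-oriented.
        # Bytes outside the set are dropped, not reduced modulo the set size.
        pw="$pw$(openssl rand 256 | LC_ALL=C tr -dc "$cs")"
    done
    printf '%s\n' "$pw" | cut -c "1-$len"
}

# entropy_bits SET LENGTH: LENGTH * log2(set size), rounded to the nearest bit
entropy_bits() {
    local n
    n=$(charset "$1") || return 1
    n=${n#* }
    awk -v n="$n" -v len="$2" 'BEGIN { printf "%d\n", int(len * log(n) / log(2) + 0.5) }'
}
```

entropy_bits alnum 16 gives 95 bits and entropy_bits graph 16 gives 105 bits, i.e. adding symbols (pwgen -y) is worth about ten bits at that length, while each additional alphanumeric character is worth about six. That is the number to compare against a key or token you would otherwise take from openssl rand -hex.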

qrencode

qrencode can be used to transform arbitrary strings into QR codes, e.g. to move an otpauth:// URL to a second device without typing it:

  • $ qrencode -o [qr filename].png "[string]"
  • Change the pixel size: $ qrencode -o [qr filename].png -s [pixel size] "[string]" (-s is the edge length of one QR module in pixels, 3 by default)

zbarimg + oathtool

Do you want to use two-factor authentication in the terminal? You can use OATH-TOTP with zbarimg + oathtool:

  1. Enable 2FA on the website. Normally, you will see a QR code. Save this QR code.
  2. Use $ zbarimg [file containing qr code] to show the string representation of the QR code. This looks like QR-Code:otpauth://totp/[label]?secret=T2LAELPYIS2NGNYE&issuer=[website owner]&algorithm=SHA1&digits=6&period=30.
    • secret=T2LAELPYIS2NGNYE is the important part here! It is the base32-encoded shared secret
    • algorithm=SHA1 is the hash function used inside the HMAC
    • digits=6 means that the OTP is 6 digits long
    • period=30 means that the OTP changes every 30 seconds
  3. Use $ oathtool --base32 --totp "T2LAELPYIS2NGNYE" to get your OTP each time. oathtool defaults to SHA-1, 6 digits and 30 seconds; if the URL says otherwise, add --totp=sha256 (or sha512), --digits=8 or --time-step-size=60s accordingly. Note that a secret typed on the command line ends up in your shell history.
  4. The output is like 608166.

WARNING: The secret (e.g. T2LAELPYIS2NGNYE) is a secret! Store it like a password and only use a second device to generate your OTPs. Do not use the device which you use for login! Do not store this secret and the normal password in the same database!
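To see what oathtool actually computes from the secret= value, here is TOTP (RFC 6238) implemented with coreutils and openssl, added as an example that is not part of the original page. It assumes base32 (GNU coreutils) and openssl are installed; the function names are this example’s own, and the key mentioned in the comments is the RFC 6238 reference key, not the page’s example secret. Useful for cross-checking oathtool, or for understanding why a code is wrong when the site uses a non-default digit count, period or hash:

```shell
#!/bin/bash
# Added example, not from the original page: TOTP (RFC 6238) computed by hand from
# the base32 secret of an otpauth:// URL, using only coreutils and openssl.
# Reference check: the RFC 6238 key "12345678901234567890" is
# GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ in base32 and yields 287082 at Unix time 59.

# be64 N: print the 8-byte big-endian encoding of integer N as raw bytes
be64() {
    local c=$1 i=0 esc=''
    while [ "$i" -lt 8 ]; do
        esc=$(printf '\\%03o' $((c & 255)))$esc   # octal escapes are POSIX printf
        c=$((c >> 8))
        i=$((i + 1))
    done
    printf "$esc"
}

# b32_to_hex SECRET: decode a base32 secret (case and padding optional, as in otpauth URLs) to hex
b32_to_hex() {
    local s
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
    while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base32 -d | od -An -tx1 | tr -d ' \n'
}

# totp SECRET [UNIX_TIME] [DIGITS] [PERIOD] [HASH]: the OTP valid at UNIX_TIME (default: now)
totp() {
    local secret=$1 now=${2:-$(date +%s)} digits=${3:-6} period=${4:-30} hash=${5:-sha1}
    local hexkey mac offset word mod i code
    hexkey=$(b32_to_hex "$secret")
    # HMAC over the big-endian time-step counter (RFC 4226 HOTP with counter = time / period)
    mac=$(be64 $((now / period)) | openssl dgst "-$hash" -mac HMAC -macopt "hexkey:$hexkey" \
          | sed 's/^.*= *//')
    # dynamic truncation: offset = low nibble of the last HMAC byte,
    # then 31 bits starting at that byte offset, reduced modulo 10^digits
    offset=$(( 0x$(printf '%s' "$mac" | tail -c 1) & 15 ))
    word=$(printf '%s' "$mac" | cut -c "$((offset * 2 + 1))-$((offset * 2 + 8))")
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    code=$(( (0x$word & 0x7fffffff) % mod ))
    printf "%0${digits}d\n" "$code"
}

# Usage: totp T2LAELPYIS2NGNYE            # same as oathtool --base32 --totp T2LAELPYIS2NGNYE
#        totp T2LAELPYIS2NGNYE "" 8 60 sha256   # digits=8, period=60, algorithm=SHA256
```

If totp and oathtool disagree for the same secret, the clock is the usual culprit: both sides must agree on the current 30-second step, so check the device time with date before blaming the secret.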