Upgrading Debian 8 ‘Jessie’ to Debian 9 ‘Stretch’

Intro

Debian 9 Stretch has been released as the latest stable version of Debian. While it’s always possible to install Debian 9 fresh from scratch, an in-place upgrade from Debian 8 is also possible. The following post describes the steps needed to do so.

For incredibly thorough documentation of the process, I suggest you also read through the official release notes.

Notes:

  • Upgrading to Debian 9 Stretch is only supported from Debian 8 Jessie. If you are running a version older than 8, you must first upgrade to 8 before working through this process.
  • The upgrade involves a kernel update, so a reboot will be required toward the end of the process.
  • It is strongly recommended that you have a full system backup, or at least a backup of any important data, before proceeding with the upgrade, and that you have a plan to roll back. In the case of a virtual machine, take a snapshot before starting.

Performing the upgrade to Debian 9 Stretch

Before proceeding with the upgrade, please read through the list of issues to be aware of when upgrading to Stretch.

  1. It is recommended that you have your Debian 8 Jessie installation completely up to date before starting. To do this, run “apt-get update” followed by “apt-get upgrade” and install any available updates.
root@debian8:~# apt-get update
root@debian8:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

In this case all updates have been applied already, so it’s fine to proceed.

Edit the /etc/apt/sources.list file; my file is shown below. As you can see, all of the lines currently specify “jessie”. Your mirror sources will likely be different, which is fine.

deb http://ftp.ch.debian.org/debian/ jessie main
deb-src http://ftp.ch.debian.org/debian/ jessie main

deb http://security.debian.org/ jessie/updates main contrib
deb-src http://security.debian.org/ jessie/updates main contrib

# jessie-updates, previously known as 'volatile'
deb http://ftp.ch.debian.org/debian/ jessie-updates main contrib
deb-src http://ftp.ch.debian.org/debian/ jessie-updates main contrib

Change the instances of “jessie” to “stretch”. You can either do this manually or automatically with the sed command below.

sed -i 's/jessie/stretch/g' /etc/apt/sources.list

You can use either “stretch” or “stable”, as Debian 9 Stretch is the current stable version at the time of writing. Note, however, that if you use “stable” instead of the specific release name, “stable” will point at Debian 10 once it is released, so you may upgrade to that unintentionally.

The recommended way to upgrade Debian is with the ‘apt-get’ command. First update the list of available packages with the command below, as we’ve just changed the sources.list file.

apt-get update

Use the “apt list --upgradable” command to quickly see what will be installed, updated, and removed during the upgrade process without affecting the system.

apt list --upgradable

Sample Output:

unattended-upgrades/stable 0.93.1+nmu1 all [upgradable from:0.83.3.2+deb8u1]
util-linux/stable 2.29.2-1 amd64 [upgradable from: 2.25.2-6]
uuid-runtime/stable 2.29.2-1 amd64 [upgradable from: 2.25.2-6]
vim/stable 2:8.0.0197-4 amd64 [upgradable from: 2:7.4.488-7+deb8u3]
vim-common/stable 2:8.0.0197-4 amd64 [upgradable from: 2:7.4.488-7+deb8u3]
vim-runtime/stable 2:8.0.0197-4 all [upgradable from: 2:7.4.488-7+deb8u3]
vim-tiny/stable 2:8.0.0197-4 amd64 [upgradable from: 2:7.4.488-7+deb8u3]

Now that the list of available packages has been updated from the mirror, run the below command to perform a minimal upgrade.

apt-get upgrade

This is known as a minimal system upgrade as it only upgrades packages that can be upgraded without needing any other packages to be removed or installed, so it’s a safe place to start. This upgraded 932 packages requiring 412MB on my system.

Now you’re ready to do the complete system upgrade. This will upgrade all installed packages to the latest available version.

apt-get dist-upgrade

Ensure that you have enough free disk space to complete the operation. In my case it notes that afterwards 1,048MB of additional disk space will be used, with 639 package upgrades and 479 newly installed packages.

During the distribution upgrade, services installed on your system (e.g. Apache, NTP) need to be restarted after their packages are upgraded, which may cause service interruptions. You can choose to restart them automatically during the upgrade or manually afterwards. Here, I opted for an automatic restart of services during the OS upgrade.

Verify upgrade:

Reboot your machine after the distribution upgrade.

reboot

Verify the current version of the Debian operating system.

lsb_release -a

Distributor ID: Debian
Description: Debian GNU/Linux 9.0 (stretch)
Release: 9.0
Codename: stretch
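As an added example (not part of the original post), the following shell functions wrap the sources.list step above with the checks a cautious admin would want: confirm the host really is Debian 8, keep a backup of the file, and refuse to rewrite a file that already tracks the moving “stable” suite. The default paths /etc/debian_version and /etc/apt/sources.list are assumptions; both can be overridden to dry-run the functions on copies.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks around the
# sources.list step, then the same in-place jessie -> stretch rewrite.
# Paths are parameters (defaults assume a standard Debian layout) so the
# functions can be exercised on copies of the files.

# Succeed only if the version file reports a Debian 8.x release, since an
# in-place upgrade to stretch is supported from jessie only.
is_jessie() {
    ver_file="${1:-/etc/debian_version}"
    [ -r "$ver_file" ] || return 1
    case "$(cat "$ver_file")" in
        8.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Replace every "jessie" suite name with "stretch" in the given sources file,
# keeping a backup copy so the change can be rolled back.  A file that already
# tracks the moving "stable" suite is left alone and reported, because that
# suite will silently point at Debian 10 once it is released.
switch_sources_to_stretch() {
    src="${1:-/etc/apt/sources.list}"
    if grep -Eq '^deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+stable' "$src"; then
        echo "refusing: $src tracks the moving 'stable' suite" >&2
        return 2
    fi
    cp -p "$src" "$src.jessie.bak" || return 1
    sed -i 's/jessie/stretch/g' "$src"
}

# List the distinct suite names (third field of each deb/deb-src line) the
# file references, so the result of the rewrite can be eyeballed.
sources_suites() {
    awk '/^deb/ { print $3 }' "$1" | LC_ALL=C sort -u
}
```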

Users susceptible to man-in-the-middle attacks due to corporate https inspection

A large number of companies use “security” products to inspect HTTPS traffic in order to detect malware and prevent other types of attacks. However, by decrypting and re-encrypting HTTPS connections they may inadvertently make their users more susceptible to man-in-the-middle attacks.

The U.S. Computer Emergency Readiness Team (US-CERT) warns in an advisory that HTTPS inspection products don’t mirror the security attributes of the original HTTPS connections between the client and the server (Mirror: HTTPS Interception Weakens TLS Security | US-CERT).

HTTPS inspection is deployed in companies to check the encrypted traffic coming from an HTTPS website and make sure it does not contain malware or any other type of attack. It basically performs a decryption and re-encryption of the client’s connection to an HTTPS server. The “security” product (proxy, web gateway, firewall etc.) establishes the connection on the client’s behalf by first decrypting the client’s HTTPS connection and re-encrypting the traffic sent to the HTTPS server. The client is served a different, locally generated certificate by the security product, which essentially performs a man-in-the-middle attack.

In some enterprise environments, an HTTPS connection may even be intercepted and re-encrypted multiple times. For example, at the network perimeter by a security gateway product and later, on the endpoint by a client’s antivirus program which needs to inspect the traffic for malware.

The problem revolves around the fact that the client’s browser no longer validates the real certificate issued by the server, because it is replaced with a locally generated certificate from the security product. In turn, the task of validating the certificate falls to the intercepting proxy.

According to the published advisory, those security products are evidently pretty bad at validating server certificates. An investigation conducted by researchers from Google, Mozilla, Cloudflare, and multiple universities found that intercepted connections use weaker cryptographic algorithms (Source: interception-ndss17). The security products even advertise support for known-broken encryption ciphers that would allow an active man-in-the-middle attack, intercepting and downgrading a connection in order to decrypt it.

The analysis by the researchers found that at least 32 percent of intercepted connections to e-commerce sites and 54 percent of intercepted Cloudflare HTTPS connections became less secure than they would have been if the user had connected directly to the server.

Browser makers have had a long time to properly understand the quirks of TLS connections and certificate validation. Therefore, there is no better client-side implementation of TLS, the protocol used for encrypting HTTPS connections, than the one found in modern browsers. In comparison, security product vendors use outdated, customised TLS libraries into which they even back-port new protocol features. Re-implementing features found in newer libraries makes them susceptible to serious vulnerabilities.

Furthermore, US-CERT points out another widespread problem: many products intercepting HTTPS don’t properly validate the certificate chain presented by servers. Certificate-chain verification errors are infrequently forwarded to the client, leading the client to believe that the operations were performed with the correct server.

The BadSSL website allows organisations and even individual employees to check whether their HTTPS inspection products improperly validate certificates or allow insecure ciphers. The client test from Qualys SSL Labs also provides checks for some known TLS vulnerabilities and weaknesses.


Laptop Power Saving with powertop on Fedora 22

The most important thing you want from a laptop is long battery life: every ounce of power you can get to work, read or simply entertain yourself on a long jaunt. Therefore, it’s always good to know what is consuming your power.

Intel’s powertop utility shows what’s drawing power when your system’s not plugged in. Use dnf to install powertop:

sudo dnf install powertop

powertop requires direct access to the hardware to measure power usage, so you have to run it with root privileges:

sudo powertop

The powertop output will look similar to the screenshot below. The measured power usage as well as the system wakeups per second will most likely be different:

[Screenshot: Powertop 2.7 on Fedora 22]

To switch between the multiple tabs use either the Tab or Shift+Tab keys. To quit the application, simply hit the Esc key.

The utility not only shows the power usage of various hardware components and drivers but also displays the CPU stepping modes as well as system wakeups per second. Processors are often so fast that they idle for the majority of the time.

The best way to maximize battery life is to minimize the number of wakeups per second, and the best way to achieve that is to use powertop’s Tunables tab to optimise your laptop’s power savings. “Bad” usually indicates a setting that is not saving power (although it may be enhancing performance instead). “Good” indicates a setting that is tuned to save power. Use the Enter key to toggle any tunable on or off.

If you would like to turn all tunables on automatically, the powertop package also includes a service that sets all tunables to “Good” for optimal power saving. To start the service, enter the following command:

sudo systemctl start powertop.service

To start the service automatically at boot time, enter the following command:

sudo systemctl enable powertop.service

Probably the only caveat about this service, and the tunables in general, is that certain tunables may put your data at risk or result in odd hardware behaviour. For example, the “VM writeback timeout” setting affects how long the system waits before writing changed data to the actual disk, so you are trading data safety for power savings. If the system loses all power for some reason, you might lose all the changes you made in the last 15 seconds rather than the default 5. Nevertheless, for most laptop users this isn’t an issue, since the system should warn you when the battery is running low.

Limiting ssh user to SFTP using restricted shell

This is a follow-up to the recent article about restricting ssh login to sftp. Back then I showed you how to restrict which ssh users can log into a system by configuring OpenSSH to prevent logins for users associated with a specific group.

To do things differently, I will show you an alternative and, in my personal opinion, easier way of restricting an ssh user to sftp. rssh is a restricted shell that can be used with OpenSSH to allow only sftp and scp. It also includes support for rsync, rdist and cvs. This enables the creation of shell users without providing them full login access to the server beyond transferring files.

First, make sure that the rssh package is installed (it can be found in the usual repositories). Since Debian is still my favourite distro I use aptitude; use the equivalent on yours (yum, zypper etc.).

# aptitude install rssh
The following NEW packages will be installed: rssh
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives. After unpacking 185 kB will be used.
Get: 1 http://mirror.switch.ch/ftp/mirror/debian/ wheezy/main rssh amd64 2.3.3-6 [65.8 kB]
Fetched 65.8 kB in 0s (752 kB/s)
Preconfiguring packages ...
Selecting previously unselected package rssh.
(Reading database ... 137643 files and directories currently installed.)
Unpacking rssh (from .../rssh_2.3.3-6_amd64.deb) ...
Processing triggers for man-db ...
Setting up rssh (2.3.3-6) ...

In order to restrict a user to SFTP, the rssh shell needs to be configured as the user’s login shell. The following example adds a new user bubu to the system with the shell set to /usr/bin/rssh:

# useradd -m -d /home/bubu -s /usr/bin/rssh bubu
# passwd bubu

To change the shell of an existing user, use either usermod or the chsh command, whichever you prefer.

# usermod -s /usr/bin/rssh <old-user-name>
# usermod -s /usr/bin/rssh chris2

# chsh -s /usr/bin/rssh chris2

Afterwards, if you try logging in via ssh or sftp you will receive a response similar to the one below, since by default rssh locks down the system completely, leaving the user without any sort of access.

$ sftp bubu@server.pretendco.com

$ ssh bubu@server.pretendco.com

Response:

bubu@server.pretendco.com's password: TYPE-THE-PASSWORD
Linux bubu@server.pretendco.com 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.10-1~bpo70+1 (2014-04-23) x86_64 GNU/Linux
Last login: Sun Nov 16 07:03:04 2014 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to server.pretendco.com closed.

The default action for rssh is to lock down all access. To adjust the default, edit the rssh.conf file and append or uncomment the following two lines: allowscp and allowsftp.

# vi /etc/rssh.conf

...

# Leave these all commented out to make the default action for rssh to lock
# users out completely...

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve

...

The user should be able to log into the system via sftp now:

$ sftp bubu@server.pretendco.com
Connecting to server.pretendco.com...
bubu@server.pretendco.com's password:
sftp> pwd
Remote working directory: /home/bubu
sftp>
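As an added example (not part of the original post), the following shell functions apply the rssh.conf change idempotently (uncommenting an existing allow line or appending one, leaving the other protocols locked out) and list which accounts in a passwd file are confined by rssh. The config and passwd paths are parameters, so the functions can be run against copies of /etc/rssh.conf and /etc/passwd first.

```shell
#!/bin/sh
# Added example (not from the original post): enable exactly the rssh
# protocols you want (e.g. scp and sftp) in an rssh.conf without duplicating
# lines, and show which accounts use rssh as their login shell.

# Usage: enable_rssh_protocols <rssh.conf> <proto>...
# For each protocol: keep an existing "allowX" line, uncomment "#allowX" if
# that is what the file has, otherwise append "allowX".  Anything not named
# (cvs, rdist, rsync, svnserve) stays commented out and therefore denied.
enable_rssh_protocols() {
    conf="$1"; shift
    for proto in "$@"; do
        key="allow$proto"
        if grep -Eq "^[[:space:]]*${key}[[:space:]]*$" "$conf"; then
            continue                        # already enabled
        elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]*$" "$conf"; then
            sed -i -E "s/^[[:space:]]*#[[:space:]]*${key}[[:space:]]*$/${key}/" "$conf"
        else
            echo "$key" >> "$conf"
        fi
    done
}

# Print the protocols currently allowed by the config, one per line,
# in file order (useful to confirm only scp and sftp are open).
list_allowed() {
    sed -nE 's/^[[:space:]]*allow([a-z]+)[[:space:]]*$/\1/p' "$1"
}

# Print the login names in the given passwd file whose shell is rssh.
rssh_users() {
    awk -F: '$7 == "/usr/bin/rssh" { print $1 }' "$1"
}
```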