Wednesday, January 17, 2018

How to get the SSL/TLS certificate chain right

After installing Firefox and Chrome on a new PC, I noticed that I was getting "issuer unknown" (Firefox: SEC_ERROR_UNKNOWN_ISSUER) errors on a website that I was checking connectivity against. The website was one that I was recently put in charge of and the organisation had a paid-for COMODO certificate for a Wordpress install.

On other computers there were no such errors reported by Firefox or Chrome for this website, so I initially missed the significance of the problem.

Background


Note: "Certificate" should be read as "public certificate". The private cert or key is not discussed in this document.
 
Websites that support HTTPS require a valid SSL/TLS certificate or the client will receive certificate warnings from the application or browser. Happily, your community organisation or personal website can get by with a free certificate courtesy of Let's Encrypt. At the same time, the website needs to provide a certificate chain, which essentially informs the client (your browser) about the identity of the host that signed your certificate.

Likewise, the certificate of the host that signed the previous host's certificate needs to be provided. This recursive method of providing the certificate of the previous "intermediary" signer continues until the root certificate authority (CA) is reached. The root CA certificate does not need to be provided because it should be specifically trusted on the client software or browser or the whole infrastructure of trust is useless. Browsers and other software will ship with root CA certificates, or you can manually add them if necessary.

Any intermediary CA needs to be included in the certificate chain, but the root CA should not be included.

Incomplete, Contains anchor


I turned to Qualys SSL Labs to see whether I could obtain a head start on the problem. I saw warnings, which told me where to look but didn't help in identifying exactly what was wrong.

"This server's certificate chain is incomplete. Grade capped to B."

And later in the report:

"Chain issues - Incomplete, Contains anchor"

 I had somewhere to investigate at least - the certificate chain.

Also worth noting was that curl also complained of certificate problems on my desktop even if Firefox and Chrome did not.

Examining the Certificate Chain


Note: example.com is a placeholder for the real URL I was investigating.
 
openssl is the obvious tool to turn to for seeing the nitty-gritty of an SSL/TLS session. I was able to easily view the certificate chain:

$ openssl s_client -connect www.example.com:443
...
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by webgo GmbH/OU=PositiveSSL/CN=www.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
To the untrained eye, the above output looks incomprehensible, but with a little understanding and research the problem can be seen clearly. The chain consists of three certificates (0, 1, 2) presented by the website. Each entry has an s: line (the subject, i.e. the server or CA the certificate belongs to) and an i: line (the issuer that signed the certificate for that subject).

The first certificate (0) is for www.example.com and it was issued by COMODO RSA Domain Validation Secure Server CA

The second certificate (1) is expected to be for the COMODO issuer named in the first certificate, but it is not. It is for a different entity, AddTrust External CA Root, which is also its own issuer (a so-called "self-signed" certificate, i.e. a root). Things are broken to bits from this point.

The third certificate (2) is completely superfluous because the second cert in this chain should not be there. In this third cert, we see it is for the server COMODO RSA Certification Authority and has been signed by the issuer AddTrust External CA Root.

Fixing the Mess


The solution was to provide a correct certificate chain. The first certificate (our certificate) was valid, but since it was signed by "COMODO RSA Domain Validation Secure Server CA" that needs to be the next public certificate found in the chain.

I first checked whether this was part of a typical Firefox CA set. The shipped CA certs can be viewed either on the Mozilla website or via the options->preferences of Firefox itself:



Yeah that's in German, sorry, but the English version will look basically the same.

In this case, notice that in the above screenshot "COMODO RSA Domain Validation Secure Server CA"  is actually in my certificate list in Firefox. I realised afterwards that at some point I had clicked through the invalid certificate warnings and added the certificate to my Firefox certificate store, to be trusted for next time. That's why I only noticed the problem after installing a new PC with Firefox and Chrome.

Just to repeat myself, the "COMODO RSA Domain Validation Secure Server CA" certificate is not part of the default suite of certificates trusted by Firefox. I needed to download the public certificate from COMODO here and tell apache2 (the site's web server) to use that certificate and only that certificate as part of the certificate chain.

Briefly, this meant configuring these apache2 settings ...

SSLCertificateKeyFile /etc/apache2/ssl.key/www.example.com.key
SSLCertificateFile /etc/apache2/ssl.crt/www.example.com.crt
SSLCertificateChainFile /etc/apache2/ssl.ca/www.example.com.ca

... ensuring that SSLCertificateKeyFile contained only the private key of the server, SSLCertificateFile contained only the public certificate associated with that private key, and SSLCertificateChainFile contained only the public certificate for "COMODO RSA Domain Validation Secure Server CA". If you have multiple layers of signing, you need to add each intermediary CA to this file, in the correct order: the certificate that signed yours first, then the one that signed that, and so on up to (but not including) the root.

This works because the certificate for the intermediary "COMODO RSA Domain Validation Secure Server CA" is issued by "COMODO RSA Certification Authority" and that root CA is part of the shipped set of certificates for Firefox, Chrome, curl, openssl and any other SSL/TLS client you care to name.

The certificate chain now looks like this (see the earlier openssl command syntax):

Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by webgo GmbH/OU=PositiveSSL/CN=www.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

In the first certificate, the (i)ssuer name is the (s)erver name of the second certificate. The second validates the first. There is no need for a third certificate because the issuer of the second certificate is part of an established set of known root Certificate Authorities.
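As an added example (not code from the post), here is a small Python script that parses the "Certificate chain" block printed by openssl s_client and reports the ordering problems discussed above: a break between an issuer and the next subject, a self-signed anchor the server should not send, and a chain that does not end at a trusted root. The two chains embedded in it are copied from this post; the one-entry root store is an assumption standing in for the browser's real CA set, and the script compares names only, so it cannot check signatures.

```python
"""Check the order of a TLS certificate chain as printed by
`openssl s_client -connect host:443` (the "Certificate chain" block).

Added example, not the blog's own code. It works on subject/issuer
names only, so it cannot verify signatures; it only spots the ordering
problems the post discusses.
"""
import re
from typing import List, Tuple

# Sample openssl output, copied from the post (the broken chain).
BROKEN_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by webgo GmbH/OU=PositiveSSL/CN=www.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# The chain after the fix, also copied from the post.
FIXED_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by webgo GmbH/OU=PositiveSSL/CN=www.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
"""

# Assumption: a stand-in for the client's root store, holding just the
# root the post says ships with browsers, curl and openssl.
TRUSTED_ROOTS = {"COMODO RSA Certification Authority"}

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def common_name(dn: str) -> str:
    """Pull the CN out of an openssl-style /C=.../O=.../CN=... name."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    certs = []
    subject = None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = common_name(m.group(2))
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            certs.append((subject, common_name(m.group(1))))
            subject = None
    return certs


def check_chain(certs, trusted_roots=TRUSTED_ROOTS) -> List[str]:
    """Report the ordering problems SSL Labs would describe for this chain."""
    issues = []
    if not certs:
        return ["empty chain"]
    for pos, (subj, issuer) in enumerate(certs):
        if subj == issuer:
            # A self-signed certificate is a root. The client must already
            # trust it, so the server should not send it ("Contains anchor").
            issues.append(f"contains anchor at position {pos}: {subj}")
        if pos + 1 < len(certs):
            next_subj = certs[pos + 1][0]
            if issuer != next_subj:
                # The next certificate does not validate this one.
                issues.append(
                    f"break at position {pos}: issuer '{issuer}' "
                    f"but next certificate is for '{next_subj}'")
    last_subj, last_issuer = certs[-1]
    if last_subj != last_issuer and last_issuer not in trusted_roots:
        # The chain stops at an intermediate the client cannot link to a root.
        issues.append(f"incomplete: '{last_issuer}' is not a trusted root")
    return issues


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, check_chain(parse_chain(text)) or ["ok"])
```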

Thursday, August 3, 2017

How the IPv6 link-local address is determined

The IPv6 (ip6) link-local address is of significance to the link on which the ip6 network address exists. In other words, in an ethernet world, the link-local address only has meaning within a VLAN and is not routeable. In principle, the address could be routed, but it is forbidden under rfc3513.
Routers must not forward any packets with link-local source or destination addresses to other links.
In this post I'm only going to discuss the link-local unicast address, prefixed by FE80::/10. When I need clarity on link-local addresses I end up on Wikipedia and then at rfc3513. Hopefully you can get a high-level grasp via this post and for deeper detail consult those resources.

What's The Point?

Link-local addresses are integral to the ip6 Neighbor Discovery Protocol (NDP), which allows local services and routers to be detected with zero input from the user.

The local machine can build up a table of services and routers on each link. On a linux machine you can quickly view what's out there:
$ ip -6 neighbor show
fe80::250:56ff:fe86:1234 dev eth1 lladdr 00:50:56:86:12:34 STALE
fc01:e5:1102::111:21 dev vlan12  FAILED
But getting into NDP and what this table tells you is not something I have time to do here.

Why Is There A Link-Local Address On My Interface?

Operating systems that have an ip6 stack enabled will assign themselves a link-local address. They will ordinarily do that even when DHCPv6 exists on the network. The mechanism itself is known as stateless address autoconfiguration (SLAAC).

When determining an address to use, a linux system appears to conform to rfc2464 although rfc4862 appears to ease the precise definition.
The OUI of the Ethernet address (the first three octets) becomes the
company_id of the EUI-64 (the first three octets).  The fourth and
fifth octets of the EUI are set to the fixed value FFFE hexadecimal.
The last three octets of the Ethernet address become the last three
octets of the EUI-64. -- rfc2464 p. 3
The "Universal/Local" (U/L) bit of the original MAC address is also flipped.

For example:
vnet0     Link encap:Ethernet  HWaddr fe:54:00:d7:40:40
          inet6 addr: fe80::fc54:ff:fed7:4040/64 Scope:Link
The MAC address is fe:54:00:d7:40:40. First ff:fe is inserted as the 4th and 5th octets to give fe:54:00:ff:fe:d7:40:40, and then the locally-administered bit of the first octet is flipped (0xe minus 2 equals 0xc). The result is fc:54:00:ff:fe:d7:40:40, and the full address with the link-local prefix prepended is fe80::fc54:ff:fed7:4040/64.


Two things to clarify:
  1. If the locally-administered bit is set, then it is unset and vice versa.
  2. In ip6 addresses :: (double colon) is shorthand for a run of zero groups. The full address is actually fe80:0000:0000:0000:fc54:00ff:fed7:4040/64.
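The derivation above, as an added example in Python (not from the post): mac_to_link_local() builds the modified EUI-64 identifier from a MAC address and places it in fe80::/64, and link_local_to_mac() reverses it, returning None for identifiers that are not EUI-64 based (such as the randomised ones rfc4941 describes). The MAC addresses used in the comments are the two that appear in this post.

```python
"""Derive an IPv6 link-local address from a MAC address as rfc2464/rfc4862
describe (modified EUI-64), and reverse the derivation.

Added example, not the post's own code.
"""
import ipaddress
from typing import Optional

# SLAAC places the interface identifier in the fe80::/64 link-local prefix.
LINK_LOCAL_PREFIX = "fe80::/64"


def mac_to_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC to an 8-byte modified EUI-64 interface identifier."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Insert ff:fe between the OUI (first three octets) and the device half...
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ...then flip the Universal/Local bit (0x02 of the first octet): a
    # globally unique MAC becomes a "universal" identifier and vice versa.
    eui[0] ^= 0x02
    return bytes(eui)


def mac_to_link_local(mac: str) -> str:
    """fe:54:00:d7:40:40 -> fe80::fc54:ff:fed7:4040 (the post's example)."""
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    net = ipaddress.IPv6Network(LINK_LOCAL_PREFIX)
    # ipaddress prints the address in compressed (::) form.
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-based link-local address.

    Returns None when the identifier is not EUI-64 based (no ff:fe in the
    middle), which is what a randomised rfc4941 identifier looks like.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not a link-local address")
    iid = bytearray(ip.packed[8:])          # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                           # undo the U/L bit flip
    mac = iid[:3] + iid[5:]                  # drop the ff:fe filler
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    for mac in ("fe:54:00:d7:40:40", "00:50:56:86:12:34"):
        ll = mac_to_link_local(mac)
        print(f"{mac} -> {ll} -> {link_local_to_mac(ll)}")
```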
Windows is quite different. According to this Microsoft TechNet post (which references this other TechNet post), the interface identifier has been assigned randomly since Vista. The TechNet post doesn't reference it, but rfc4941 describes two randomised identifier processes.

Was CVE-2016-1409 A Link-Local Bungle?

I have a suspicion (read "guessing"), that CVE-2016-1409 was a mixture of two failures in violation of the RFCs. Namely that:
  1. Cisco and other vendors would route Neighbor Advertisements across hops.
  2. In-path routers did not decrement hop-limit when (1) happens, or the final recipient was accepting NA messages when hop-limit did not equal 255.


Monday, June 26, 2017

Switching Your Drupal to HTTPS

This post describes the steps I took to switch my Drupal site over to HTTPS. I'd made several attempts at this after getting a certificate via Let's Encrypt but ran into problems with mixed content, meaning that Firefox would not render the page properly while there was a mixture of encrypted and non-encrypted objects being loaded from the website.

I finally found the time to sit down and work it out. There is a nice explanation on the Drupal website and to a large extent I followed the 'best possible' solution there. My post adds some extra points you should know.

Let's Encrypt

I've covered the topic of Let's Encrypt in some detail in other places on this blog, so there's no need for me to cover this off. Get your certificate from Let's Encrypt and make sure that your webserver (in my case apache2) is using the certificate and responds to the https:// form of your Drupal website.

Go Full Encryption

As I mentioned above, the explanation on the Drupal website is a good place to start. I fiddled around with the Secure Login module and also with using $conf['https'] = TRUE; in the settings.php file.  In the end the "best possible security" option was the simplest and strongest solution.

Redirect Everything To HTTPS

Take the information from the Drupal website and implement the VirtualHost configuration to redirect all HTTP to HTTPS. Invoking the "Redirect" example on the VirtualHost, rather than the "Rewrite" example is easier and more elegant.

Mixed Content Problems

It's at this point that you may encounter mixed content problems, meaning that the Drupal site will not render correctly and have a yellow icon where the green padlock should be in the URL bar.

There are two things to do. The first thing is to check for objects that are actually loading over HTTP. If you're using Firefox, press F12 to load firebug and you can audit/search the source of the page for "http" objects. Do not confuse an http link to an external site (such as in an <a href..> tag) with content that is actually loading.

Mixed content means that your page has actually caused the browser to download an object from over HTTP instead of HTTPS. In my case I discovered a logo image present on every page had a hard-coded http:// address. Once I fixed that, I still had mixed content errors.

The next thing to change is the $base_url of your Drupal site, to indicate a default to https on all urls. This should have the effect of changing all the relative links that Drupal generates on the fly when rendering pages.

/etc/drupal/7/sites/moff.tech/settings.php:
$base_url = 'https://moff.tech';
In my case, these two steps got me the green padlock. It's possible that your install could have hard-coded HTTP object sources inside pages. All of that would need to be tidied up, which, depending on the size of your site, can be a tedious exercise.
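As an added example (not from the post or from Drupal), a small Python scanner that separates content the browser actually fetches (img, script, stylesheet, iframe and similar) from plain <a href> links, and reports only the former when they point at http://. The sample page is constructed, with a hard-coded http:// logo like the one described above; the domain in it is used only as an illustration.

```python
"""Find elements that would load sub-resources over plain HTTP on an HTTPS
page (the "mixed content" the post describes).

Added example, not the post's own code. Only tags that make the browser
fetch something are reported; an <a href="http://..."> link to another
site is not mixed content and is ignored.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Which attribute carries a fetched URL for each element that loads content.
LOADING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return                      # <a>, <div>, ... never fetch anything
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets, icons and preloads are fetched by the browser;
            # <link rel="canonical"> is metadata, not a download.
            rel = (attrs.get("rel") or "").lower()
            if not any(r in rel for r in ("stylesheet", "icon", "preload")):
                return
        url = attrs.get(attr) or ""
        # Protocol-relative (//host/...) and relative URLs inherit https.
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))


def find_mixed_content(html: str) -> List[Tuple[str, str]]:
    """Return [(tag, url), ...] for every sub-resource loaded over http://."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: a hard-coded http:// stylesheet and logo (the
# post's case), a protocol-relative script and an ordinary external link.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://moff.tech/sites/all/themes/site.css">
<link rel="canonical" href="http://moff.tech/node/1">
</head><body>
<img src="http://moff.tech/sites/default/files/logo.png" alt="logo">
<script src="//cdn.example/jquery.js"></script>
<a href="http://external.example/">a plain link, not mixed content</a>
<img src="/sites/default/files/photo.jpg">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```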

Good luck and please do share here any tips (war stories) from your experience!

Sunday, June 18, 2017

Drupal 7 and upgrading Media module to 2.x

For a few years now I've been hosting and maintaining a Drupal 7 installation for a non-profit club. I chose Drupal because I needed to provide a website that a non-technical person could easily publish content on.

I've written this post in the hope that it might just help someone and also to vent some frustration over the house-of-cards that is Drupal.

Why Drupal?

I did not want to run Wordpress because at the time, Wordpress had a sorry security and upgrade reputation. I'll note now that Wordpress has slowly rehabilitated that reputation, but still not to the point that I'd be willing to look after a Wordpress site myself.

Drupal is no walk in the park. In fact, I've been constantly annoyed by just how difficult maintaining a Drupal installation is. Layers upon layers of modules need to be installed before you have a dynamic and user-friendly website.

Drupal Drawbacks

Upgrading modules is generally easy, but still a chore in particular because I do not personally like the automated upgrade methods. For anyone maintaining many Drupal installations or a popular site where quick adoption of security patches is mandatory I am sure automated updates are a lifesaver.

I'll skip mentioning the scores of transient errors (Drupal love your system memory long time) and tedious frustrations (I cannot for the life of me work out how to get clean URLs working) that one encounters with Drupal in general, because I want to cover off some notes about the Media module and the version change to 2.x.

There was a major security problem discovered in the Media module version 1.x, which required an upgrade to 2.x. The upgrade instructions were so convoluted and the user problems post-upgrade were so frightful that I elected to wait it out and let other people suffer the bugs and pain. Meanwhile, I didn't need to take any action to implement the workaround to the security issue, I already had restricted access for untrusted users:
Prevent anonymous or untrusted users from accessing the media browser through permissions configuration -- 7.x-2.8 release notes
The Drupal cron job pestered me for months about needing to upgrade and it didn't feel good to ignore a necessary security update. I finally found the time to go back and review the upgrade process again and review the potential challenges. This exercise revealed an exemplar of how Drupal support and documentation can go woefully wrong.

Upgrade Documentation

The users and developers bravely struggled through the issues, attempting to document things within the framework of the Drupal website. This means that in order to upgrade from 1.x to 2.x and understand all the potential issues before upgrading, I needed to review these pages and hope that I'd discovered all the relevant documentation:
  1. Media
  2. media 7.x-2.8
  3. upgrading from 1.x to 2.x support
  4. Upgrading Media 7.x-1.x to 7.x-2.x
  5. Document Upgrade Path from Media 1.x to Media 2.x/3.x
  6. Comparison between Media 1.x and 2.x
  7. Critical database error after updating to this version
  8. Media + CKEditor + Media CKEditor recipe for setup
  9. File Entity (fieldable files) 
I was lucky in that I didn't have to mess around with the Views or Features modules or rework any fields (see link 4 above). This wasn't entirely luck, in that I've taken the approach with Drupal modules (and pages) to make customisations only when absolutely necessary; stemming from my abject fear of the nightmare scenario the Media upgrade represented.

How I Upgraded from 1.6 to 2.8

Well I hope this helps someone.
  1. Download the module tarball and extract it into the usual modules directory, overwriting the original module files.
  2. Download the File Entity module and extract it into the usual modules directory. File Entity is a new module to install because the functionality used to be a part of Media but has now been removed.
  3. Delete the file_entity directory in the Media module's directory. This is a directory resident from the older 1.x Media install. See link 6 above for more info.
At this point the site was generally working, but I was not able to run the database update mechanism (update.php) because of an issue I had not seen coming. My Drupal runs on an Ubuntu 14.04.5 LTS trusty install and the Database Update mechanism would not run unless the System version was 7.33. The Drupal version I had was 7.26.

Okay, they got me. Insert slow-clap here.

Since my Drupal install appeared to be operating okay, I considered waiting it out until a newer version of the drupal7 package was available and then running the database update. However, while I was doing some other maintenance on the Drupal install, the site came back with an error similar to the critical database error described in link 7 above and it was immediately obvious that the database update needed to be run in order to restore the site.

I considered doing a restore from backup. Eventually, I elected to add another dpkg source and install a newer Drupal version. I selected a Debian source for this although on reflection, taking the Ubuntu xenial source surely would have been the smarter option.

Before you do this yourself, read the rest of this post because I do not recommend mixing Ubuntu and Debian sources.

/etc/apt/sources.list:
deb http://ftp.debian.org/debian jessie-backports main
Then I ran a package update and installed drupal7 from this source. I got a couple of questions from the package installer about the database to use (as if it was a first install), but that was okay.
# apt-get -t jessie-backports install drupal7
I commented out the jessie-backports source and put a hold on the package, because at this stage I'm not clear what I'll do next.
# echo "drupal7 hold" | dpkg --set-selections
The xenial source is Ubuntu 16.04 and so that is the next upgrade path for me, except that the xenial Drupal version is currently a lower version than the jessie-backports version I now have installed. To be clear, I believe that I should have used the xenial source. Quite a mess I made here, but I can figure this one out later.

Meanwhile, because I'd hosed Drupal earlier, I couldn't access the database update page. I had to put the site into "update_free_access" mode so that I could run the update engine without actually being logged in.

/etc/drupal/7/sites/moff.tech/settings.php:
$update_free_access = TRUE;
Then I could access the update.php page and run the database update. It completed successfully, albeit with some vague messages, and the site was up and running. If you do this, remember to set "free access" back to FALSE after you're done.

Final Notes

The Media upgrade from 1.x to 2.x is a monster and it's likely that everyone who undertakes it will strike their own unique set of issues.

The Media module has been folded into Drupal 8 and so upgrading to 8 might skip this headache.

The File Entity module has not been folded into Drupal 8 so if you need that functionality then you need to install it as a module. Under Drupal 7, you must install File Entity with the upgrade of Media.

Check your Drupal version before you run the Media upgrade. You need System version 7.33 before you can run the database update.

Sunday, February 5, 2017

Roll Your Own Linux Distro for Children


Looking for a kid-friendly linux distro? I recommend you review "In search of a Linux distro for a kindergarten kid" about distros for children. Want to custom build your own? Then you're in the right place.

You better already be handy with Linux, otherwise this is going to be a steep learning curve, but worthwhile.

The summary of "In search of a Linux distro for a kindergarten kid" was that I didn't really like any of the distros on offer. There were a couple of worthy options and it does depend on your expectations. I decided to make my own. This describes how I went about it.

I'll stress again that I wanted a system for a Kindergarten aged child - meaning from 3 until 6 years old. By 5 or 6, a number of these applications will be of little interest.

Steps


The major tasks are:
  1. Install a base system.
  2. Install a GUI and login manager.
  3. Configure the login manager.
  4. Install the desired applications.
  5. Customise the GUI.

Install Basic System


This whole post is about getting a low-spec system going. This was all set up on an IBM x24 laptop:
root@x24:~$ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 11
model name      : Mobile Intel(R) Pentium(R) III CPU - M  1066MHz
stepping        : 4
microcode       : 0x2
cpu MHz         : 731.500
cache size      : 512 KB

root@x24:~$ cat /proc/meminfo
MemTotal:         628804 kB
MemFree:          396500 kB
MemAvailable:     466904 kB
Yep, 1066MHz CPU on 628MB RAM.


What About Default Ubuntu?


If you've got a machine that can handle the overhead of a default Ubuntu install, you could simply install the Ubuntu desktop and hope that your child doesn't find their way into terrific trouble. Otherwise, every other day, you're going to need to reinstall Ubuntu.

If you're going the default Ubuntu route, the "junior" group may be problematic. The "junior" group caused all kinds of unexpected headaches. Make sure that user is in related device and sound groups. Edit /etc/group or use:
Debian-Applications->System->Administration->User accounts Admin.


Custom Ubuntu


Just to repeat, my aim was to have a system with a lightweight as possible desktop environment, while still easy to use.

Download and install the Ubuntu mini distribution. It should be about 50MB in size. The system that you will have installed after that will likely/hopefully not have any GUI. If you encounter an option to install a desktop environment, skip it.

When you set up a user, use the child's first name as the username and password*. It's fun to teach them how to type out their name and then amazing to see them do it later without your help.

Installing that won't take long. Soon you'll be rebooting into a non-GUI system and will need to log in with the user credentials you set during the install.

You'll need to get to the machine remotely of course!
# sudo apt-get install ssh
Find the IP of the machine (run from terminal on machine):
# /sbin/ifconfig

Install GUI and Login Manager


We'll install LXDE, because it's lightweight and works. Use "slim" as the login manager.
apt-get install lxde slim
Life will be easier if you also install these packages immediately:
apt-get install aptitude ssh lxsession-logout lxde-common
To get wireless networking right on LXDE, I recommend removing network-manager and installing wicd:
sudo apt-get remove network-manager
sudo apt-get install wicd

Configure Login Manager


Under this setup, I always needed to specify the session when logging in. That's hopeless if you expect a 3 year old to step through the login process. Set the default session permanently like so:

   # vi /usr/share/xsessions/LXDE.desktop

      Exec=/usr/bin/startlxde

   # vi /etc/slim.conf

      login_cmd           exec /bin/bash -login /etc/X11/Xsession startlxde


Applications


After looking at all the other distros (see also my aforementioned post), I determined that these apps were the most suitable as well as being available in the Debian repository, meaning that they could be installed without hacking, compiling or sacrifices to some deity.

Most of these will install with "apt-get install <name>" but if the package is not found then install something like aptitude to search for similarly named packages. Packages do change names occasionally.
  • tuxpaint
  • tux math
  • tux typing
  • PySyCache
  • Childsplay
  • pySioGame
  • gCompris
  • Potato Guy
  • BamBam* 
  • Numpty Physics **
* to exit BamBam, actually type "quit".
** Numpty Physics is really cool, but hard on the CPU.

There are a number of KDE only apps (bundled into Edubuntu)  that you cannot use on LXDE. I tried, I failed, if they're not listed above, they didn't work for me.

Customise the GUI


Although the earlier steps sound hard, they really aren't and customising the desktop is where you'll spend the majority of your time. It's a matter of personal preference after all.

Customise the desktop simply by right clicking.
  • Clear all icons including "Trash Can". 
  • Add game icons to the desktop by right clicking on the relevant icons in the "Menu".
Add the LXTerminal shell as an icon on the desktop - yeah this is a risk in itself, but life will get really interesting if you lose the taskbar or menus after junior hacks away at your work. 

Tidy up the menu bar. Right click on the bar to add and remove applets and so on. Remove as much as you dare. Removing the menu bar completely is possible, but getting it back is not necessarily easy. If you need to recover your menu or task bar, start by looking here.

You can add the panel item "Keyboard Layout Handler" if you need to be able to switch between keyboard types. Meaning, if you need to switch between German and US keyboard layouts then this is the applet to use. I'm not talking about actual languages.

If you need to change the default keyboard layout then you'll have to edit /etc/default/keyboard. See /usr/share/X11/xkb/symbols/ to review the syntax of the types.

   $ cat /etc/default/keyboard

      # KEYBOARD CONFIGURATION FILE
     
      # Consult the keyboard(5) manual page.
      XKBMODEL="pc105"
      XKBLAYOUT="us"
      XKBVARIANT=""
      XKBOPTIONS=""
      BACKSPACE="guess"


Quick Problem Suggestions


Have no login screen? Switch to the console using ctrl-alt-f1. Then install SSH (see above).

Have problems with sound? Install alsa-base.

The power button (added by default) did not work for me and you may need to fix the logout button on the menu bar by installing lxsession-logout.

Check whether the ACPI packages are installed. Depending on the age of your machine, ACPI might be supported but not work very well. For example on the laptop I had, it stopped the system from powering off at shutdown, so I removed it:
# sudo apt-get install acpi acpid

Finally


Even if the final version is not perfect in your own eyes, your child will love having their own system. Creating the system is a great learning exercise, but fixing it later is even more so. The reward really is in watching the kids' excitement as they interact with the games and solve puzzles.

Have fun! Any questions or comments, drop me a line. 

Saturday, February 4, 2017

Top 5 Moments of Fallout Shelter of Before Time Ever Existed

Some of my favourite moments, when I had enough wits about me to grab a screenshot. If it's not clear, click on the picture to get a better view of what's going on.
Eye of the Beholder
There's something in the air.
Bad Overseer: Send a man out in his Vault Suit and the game feels so bad for him, it immediately awards Merc Gear.
Black Friday
MCSE - Check
CCNA - Check
A+ - Check
RHCE - Check
CISSP - Check
VCP - Check
PMP - Check
No experience - Check
Unemployed - Check
"Careful, he's got a gun."



Wednesday, January 4, 2017

In search of a Linux distro for a kindergarten kid

tl;dr


I gave up and made my own kid-friendly install nominally based on Ubuntu. That took a few hours and is a hell of a lot more interesting than researching distros for children.

I do a wrap up at the end, go read that if you hate multi-syllabic sentences.

Never Mind All That: Introduction


It's not easy to say when the best time is to meaningfully introduce a computer into a child's life. At age 3 they already have a pretty good handle on navigating YouTube and a tablet. I'm not an advocate of getting kids into computers as early as possible, despite being a tech geek. In any event, I recently found myself hunting for a Linux distro for kids.

Kids Need to Know the Linux, Right?


I wasn't sure that there were any kid-friendly distros when I started my search, but I quickly found several prominent blog posts that pointed to a number of 'kids' and 'educational' distros. These posts generally spend a good deal of time waxing lyrical over how learning Linux was of paramount importance. I don't know that I followed these arguments.

In general you're putting a child down in front of a graphical user interface. You don't expect your 5 year old to run the Ubuntu package manager or need them to figure out how to get Eclipse's bash interpreter to work. Using a GUI is not learning open source; it simply helps a kid come to grips with the oddball ways that adults structure the world.

What Do You Need? 


My expectations for a distro aimed at a kindergarten aged child were along these lines:
  • Something to keep a 3 to 5 year old entertained. 
  • Educational in nature, but in the form of fun games.
  • Simple to switch on and off.
  • Simple to start and stop applications.
  • Safe web browsing options when browser available.
  • No need to customise applications, i.e. applications 'just work'.
  • Distro is lightweight in size and resource requirements.
The principles were that the distro would run on old hardware and that, once running, the child couldn't wreck the whole install simply by trying to work out how to use (or even just start) an application.

At the start of my search it seemed hopeful, but when I dug into the recommended distros the results were disappointing overall. I share here my notes on each distribution in the hope that it will quickly guide caregivers in the right direction.

Did You Really Try This Carnival of ISOs?


Unless stated otherwise, I tried the distros on a Toshiba Satellite Pro A200 laptop, which is certainly not new hardware, but has capable and fully Linux-supported hardware. The distros were put in front of a 3 year old to gauge response and interest levels.

The Results 


Remember that I'm interested in Kindergarten distros.

Sugar on a Stick

 
Apparently this grew out of the One Laptop Per Child initiative. The GUI concept is inventive, but from personal experience it's not appealing to a youngster. On the live CD, the games appeared to be dry, some applications wouldn't start (paint & physics) and the only usable application to keep a 3 year old entertained was "Maze". The project is still alive.

I deemed it unsuitable for the kindergarten age-group, not just because of the applications, but because the test-child took zero interest in the user interface.

Doudou Linux


The project is dead but a live CD image can still be downloaded. The UI is fugly, but I think quite appealing to children. This one really is aimed at youngsters. There's nothing extensible about it and I don't think it can be installed to disk. It's tidily put together (apart from the weird application switching) and not a resource hog - takes about 150MB of memory before an application is launched.

Qimo


The project is dead and the iso image is hard to find but downloadable via torrents, which is how I got my copy (and who knows what else). When you boot the Qimo iso you can decide whether to run as a live CD or install to disk. Based on the applications, it's suitable for kids starting school. The xfce GUI is nice and the install isn't full of unnecessary applications. It uses 500MB of memory before any applications are started.

Unfortunately the live CD experience was terrible on actual hardware, although it worked perfectly in VMWare Workstation. I probably would have installed and used Qimo had the live CD worked well. Since the project is dead, I didn't want to be fighting hardware detection problems on a base install that had no update path.

Also, the Matrix-style screensaver rather dates it :-D

I persevered after reading a blog post that Qimo could be installed on Ubuntu using the qimo-session and qimo-wallpaper packages. After trying it for myself, I can tell you that this is no longer the case. Qimo package support was possible in Ubuntu 12 (quite old now), but it is no longer an option.

LinuxKidX


The sourceforge website screenshots look amazing, but there is no official homepage although an old blog still exists. Even the donation link was broken.

The download from sourceforge works. I really like the art concept. I tried this on a VMWare Workstation environment only. The distro appears to be simply a live CD and it suffered from a few technical issues, namely that some applications would not start and I couldn't switch into a getty - if that means something to you, you'll know why it's annoying.

The distro is cute, but it comes with unnecessary applications and has a KDE interface, so this will drag on old hardware. The running memory footprint is 580MB before you even start applications, which makes it one of the more resource hungry distros.

Foresight for Kids


This project is well dead, including the website. I didn't try to find the downloads as the 'top distros for kids' reviews that I read didn't distinguish Foresight as particularly different or special.

As a side note, the reviews always mentioned the Conary package management system, which I'd never heard of. I think the reason they keep mentioning it is that these reviews feed off each other: the first popular post that mentioned Foresight probably mentioned Conary, and the rest copied it, because nobody actually tries this stuff before reviewing it. Reviews of Foresight are still appearing on the web even though the distro can't be obtained. And yet, here I am, reviewing Foresight....ugh.


Kiddix


I'm not sure what happened here. The distro got reviews and there is a nice page by the author, but the distro is unobtainable - assuming it ever was a distribution. There's a nice screenshot. This post and similar ones make me wonder whether it was a cynical vapourware project for someone out to make a quick buck.

Edubuntu


This is a Canonical-sourced framework (Canonical being the organisation behind Ubuntu). I didn't try this because I didn't see the need to download gigabytes of installer data for something I already knew was not what I needed.

What's useful is the option, described on the download page, of installing on an existing Ubuntu system, and specifically the ubuntu-edu-preschool package, which is promising. I've verified that Ubuntu version 16 has this package, so simply installing the latest Ubuntu and then the "edu" package of choice is all you really need to do here.

A quick review of the packages that come down with ubuntu-edu-preschool reveals a few applications that are not bundled with the other distros I looked at, namely: blinken, kanagram, khangman, klettres, ktuberling, and pairs. A few of those are a variety of alphabet drills. All of them are KDE applications and will not run unless the full KDE environment is installed.

The advantages of the Edubuntu route are that the install is easy and that the distribution will be supported long term.

The downsides are that you'll need to install on a device that has some processing power along with ample memory and storage. A young child will not be able to sit down in front of this and intuitively navigate around an Ubuntu system. You get a whole Ubuntu system, not a cut-down kid friendly one.

ubermix


This is a specifically school-targeted distro and not kindergarten-kid friendly in any way. It looks like a great high school (college) distribution.

In Summary - Kindergarten


For kindergarten kids the options are limited. There's a niche here waiting to be exploited!
  • Try Doudou and Qimo. Both distros are dead, but they may work on your hardware.
  • LinuxKidX may work on an old system.

In Summary - Post Kindergarten


Give the Edubuntu packages a try if you're an Ubuntu user; otherwise ubermix is an interesting and flexible option, especially for your teenager on the go. It'd just be nice to know where they're going, but spyware doesn't seem to be a part of any of these distributions.

Altogether Now!

  • Green - Impressive.
  • Yellow - Meh.
  • Red - Not a great option, avoid.
  • Grey - Not evaluated.
  • Black - Not possible to test.

Distro        Ages   Active   Obtainable   Live CD   Local   Friendly   System
Sugar Stick   5+
Doudou        2+
Qimo          2+
LinuxKidX     ?
Foresight     ?
Kiddix        ?
Edubuntu      10+
ubermix       5+

(The Active, Obtainable, Live CD, Local, Friendly and System columns are colour-coded according to the legend above; only the Distro and Ages values survive in this text version.)