May 7th, 2021: We only support the latest Untochat 34. The old versions are available for historical reasons, but they are not supported!
The initial Untochat release based on Fedora 28 happened back in October 2018. Looking back, we still think the system was all right from a strictly technical point of view, and hence the basic structure of Untochat remains largely unchanged. It still uses Fedora, Tor, SELinux, modified IRC software, and its own restricted shell. Simplicity is what we strive for, but that is not always possible when trying to maximize security and anonymity.
Unfortunately, the initial release suffered from one major drawback: even though we had semi-automated the installation procedure with a customizable kickstart file and Ansible tasks, it required too much expertise to be practical. Having worked intensely on the Untochat project trying to get the system itself as secure and anonymous as possible, we did not pay enough attention to the installation procedure. The initial Fedora 28 based installation procedure is almost embarrassing because, as we already admitted, it expects way too much from casual users.
The goal of Untochat is to serve as many people as possible, so something had to be done about it.
As of May 6th, 2019, Fedora 30 is already out and Fedora 28 is nearing the end of its support cycle, so we were forced to re-think Untochat's installer. We are happy to announce that the installation procedure is now very much easier than before. Instead of requiring many steps from the users, we now offer a bootable ISO-image file that can be used for installing Untochat to the hard drive.
The ISO-image boots as Live Linux (modified Fedora Xfce Spin), but we do not support running Untochat from the Live Image. It just might work, but we think all changes (i.e. user database) will not persist. The recommended way of installing Untochat is to:
We recommend using a virtual guest machine for running Untochat. The host machine can be Linux, *BSD, macOS, or even Windows. Oracle's VirtualBox is a free virtualization tool that anyone can use. QEMU + KVM + libvirt is also a good combination on Linux hosts.
When Untochat was first released, we also published pretty comprehensive documentation describing its chat infrastructure. The document was called Building a secure chat infrastructure. The good news is that it is still mostly valid except for the section 6. Applying theory into practice. The new ISO-image based installation procedure makes the old Fedora 28 related installation instructions completely obsolete. But if you are interested in the Untochat system overview and technical details, then we recommend reading that document.
From now on, Untochat releases will be Fedora Remixes with custom software and configurations added. We have absolutely no intention to go through any formal Red Hat procedures to become an "official" Spin. Untochat will be a special-purpose chat infrastructure and Untochat releases will follow Fedora releases. For example, Untochat based on Fedora 30 will be called Untochat 30, and so on.
/tmp directories are no longer activated so pam_namespace.so is not used.
InaccessibleDirectories=/home /usr/bin /usr/sbin /usr/local -/opt/bin from ngircdus.service systemd unit file. SELinux checks have changed between Fedora 28 and Fedora 30, and if we remember right, the init_t domain lacked { mounton } rights to make the InaccessibleDirectories setting work. Instead of modifying SELinux rules, we were lazy and removed the offending setting from ngircdus.service.
No important changes compared to Untochat 30 except for a few RPM packages having a different name.
No important changes compared to Untochat 31 except for compiling ngircus with -Xlinker -zmuldefs.
No important changes compared to Untochat 32.
No changes compared to Untochat 33.
Let's get started with the installation and configuration. Use GNU Privacy Guard gpg to find Unto Sten's GPG public key. You need it to verify files. Issue command:
You should see a reply like the following. Type Q to quit.
Download and import Unto's public key:
Reply should be like:
NOTE: If you do not have PGP/GPG software, you can verify the Untochat installation ISO-image by comparing SHA1 and SHA256 hashes, but be warned: DOING SO COULD BE LESS SECURE! Always use the PGP/GPG verification method when possible!
Download:
If you have no PGP/GPG software, download SHA1 and SHA256 hashes:
PGP/GPG verification:
Expect to see a reply similar to this:
You can ignore the "This key is not certified with a trusted signature!" warning. It means only that nobody has signed our key.
WARNING! IF THE SIGNATURE VERIFICATION FAILS, FIRST CHECK YOUR gpg --verify COMMAND. IT IS A COMMON MISTAKE TO GIVE THE FILENAMES IN A WRONG ORDER.
IF THE COMMAND IS CORRECT AND VERIFICATION STILL FAILS, DO NOT USE THE INSTALLER!
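The signature check can also be scripted against gpg's machine-readable status output instead of reading the reply by eye. This is an added example, not part of the original instructions or Untochat's tooling: the fingerprint is a placeholder for the one shown when you import the key, the status lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Untochat's own tooling.
# sig_status_ok FPR: read `gpg --status-fd` lines on stdin; succeed only if
# a good signature was made by the key with the pinned fingerprint FPR.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field the primary key fingerprint. TRUST_* lines are not used.
        # Appending "" forces a string comparison, never a numeric one.
        $2 == "VALIDSIG" && ($3 "" == want "" || $NF "" == want "") { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_iso FPR ISO SIG: signature file first, signed file second.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null | sig_status_ok "$1"
}

# Constructed sample data (placeholder fingerprint, not the real key).
SAMPLE_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Placeholder Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2021-05-07 1620345600 0 4 0 1 8 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Placeholder Signer <signer@example.invalid>"

printf '%s\n' "$SAMPLE_GOOD" | sig_status_ok "$SAMPLE_FPR" && echo "accept"
printf '%s\n' "$SAMPLE_BAD"  | sig_status_ok "$SAMPLE_FPR" || echo "reject"
```

Empty or truncated status output is rejected as well, so a gpg invocation that fails before checking anything never counts as a pass.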
If you use hash verification instead of PGP/GPG, on Linux, *BSD or macOS, you can do:
diff <(cut -d' ' -f1 SHA1SUM-untochat-34-1) <(sha1sum untochat-34-1.iso | cut -d' ' -f1) && echo SAFE || echo DANGEROUS
diff <(cut -d' ' -f1 SHA256SUM-untochat-34-1) <(sha256sum untochat-34-1.iso | cut -d' ' -f1) && echo SAFE || echo DANGEROUS
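Because diff treats two empty streams as identical, the one-liners above print SAFE when both filenames are mistyped or the command is run in the wrong directory. The following added example (not from the original page; the function name and demo files are hypothetical) performs the same first-field comparison but refuses to report a match unless a well-formed digest was actually read.

```shell
#!/bin/sh
# Added example, not Untochat's own tooling.
# hash_matches ISO SUMFILE TOOL: returns 0 on match, 1 on mismatch,
# 2 when the check could not be performed (fail closed).
hash_matches() {
    iso=$1; sumfile=$2; tool=${3:-sha256sum}
    case $tool in
        sha1sum)   len=40 ;;
        sha256sum) len=64 ;;
        *) echo "unsupported tool: $tool" >&2; return 2 ;;
    esac
    if [ ! -r "$iso" ] || [ ! -r "$sumfile" ]; then
        echo "missing input file" >&2; return 2
    fi
    # First field of the first line, as in the cut -d' ' -f1 commands.
    want=$(head -n 1 "$sumfile" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    got=$("$tool" "$iso" | cut -d' ' -f1)
    # An empty or malformed digest must never compare equal.
    case $want in ''|*[!0-9a-f]*) echo "bad digest in $sumfile" >&2; return 2 ;; esac
    [ "${#want}" -eq "$len" ] || { echo "wrong digest length" >&2; return 2; }
    [ "$want" = "$got" ]
}

# Constructed demo: a small stand-in file, not the real ISO.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for the ISO\n' > "$demo_dir/demo.iso"
sha256sum "$demo_dir/demo.iso" > "$demo_dir/SHA256SUM-demo"
hash_matches "$demo_dir/demo.iso" "$demo_dir/SHA256SUM-demo" sha256sum && echo SAFE
hash_matches "$demo_dir/absent.iso" "$demo_dir/absent" sha256sum || echo "refused ($?)"
```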
We recommend that you use VirtualBox or some other virtualization technology. We use QEMU + KVM + libvirt on Linux. It is a good choice to run Untochat in a dedicated guest virtual machine that you can destroy anytime at will. Remember that while running Untochat straight from ISO-image's Live Linux might work, it is not supported.
Due to some strange bug, at least VirtualBox 6.0.6 is painfully slow to boot Untochat with its default graphics controller. It can take between 10-30 minutes, so the problem is serious. Until the bug is fixed, choose Settings, then Display and change Graphics Controller to type VBoxSVGA.
Recommended resources for the Untochat guest virtual machine:
Next:
sudo)
After successful installation to the hard drive, restart your guest virtual machine with the ISO-image removed. When Untochat is up and running, log in to the Xfce desktop. Then open a terminal window and issue the command:
sudo untochat-enable-firewall
This manual step is necessary because Red Hat's Anaconda installer gets stuck if firewalld is in a disabled state.
See section 7. Untochat administration in document Building a secure chat infrastructure and section 8.2.2 tor daemon for configuring Untochat as Tor Onion Service.
Good luck and have fun.
Brought to you by Ciconia