Sunday, October 18, 2015

KEB/Hana online banking in Linux

KEB/Hana online banking in Linux

As of October 2015, following the KEB/Hana Bank merger, the security programs needed to access were updated. If you use Linux with a fully working Desktop Environment (like Gnome) then you probably didn't have any trouble installing those programs. But if you use a basic window manager, with only essential services and minimal packages installed then it could get a little bit tricky to set it up.

This guide is an attempt to help other fellow Linux users installing and configuring those programs manually in the command line. I tried the standard way, using the "unified installation program method" (veraport) provided by the bank but with no results. I always ended up in a "loop", with a pop-up window asking me to install the security programs, even though they were already installed and properly detected by the website.

The following procedure was done using Fedora 22 with no Desktop Environment, just plain old OpenBox window manager. It should work in other RPM-based Linux distributions as long as the binaries don't have missing or incorrect versions of libraries. For CentOS you need to enable the EPEL repository for dependencies.

For Google Chrome, you need to download and install these RPMs:

For Firefox you need this additional RPM:

You can download these RPMs from the KEB website, but I had trouble downloading the NewIPinside RPM, so I'm posting the URLs just in case someone else might encounter the same problem. If you have a 64-bit system then download the corresponding packages from the website.

Get ready to install those RPMs but first consider the following:

- Clean up your system of outdated KEB RPM packages before installing the new ones, take a look at /opt/wizvera and /usr/lib/mozilla/plugins/ for orphan binaries. Don't forget to remove the old veraport package.

- Use "sudo" for the installation because a postinstall script in the NewIPinside-RPM relies on the $SUDO_USER environment variable to reload your firefox plugin database. But if you prefer to use the root account directly for the installation, then afterwards as your regular user account, run the following command:

find $HOME/.mozilla/firefox/ -name "pluginreg.dat"  -delete

- Use dnf (or yum) instead of the standalone rpm, in order to avoid dependency issues. Additional packages will be installed, like cryptopp, beesu, and usermode-gtk.

If all went well, you don't have to reboot your system or log out of your session, just exit your browser and run the following commands as your regular user in a terminal:

- veraport
- delfino
- You also need to make sure the NewIPinsided service is running. If you just installed it, then it probably is, check it out with "pidof URIDaemon". If not, fire it up with "service NewIPinsided start" as root and be ready to restart it if it dies with "service NewIPinsided restart".

Those three processes (well, shell script wrappers) are needed for your online banking session. If there are non-fatal errors in your system log (journalctl -f) then open the KEB/Hana website with your favorite browser and log-in. You should be able to do it with no pop-up window asking you to install security programs and that would mean you are all set for your banking session.

I do log-in using my digital certificate located in $HOME/NPKI/yessign. If that is also your case, you should be greeted with the following window (that's delfino working):

KEB-Hana Certificate window


- During your banking session, always look at your system log. In my tests, NewIPinsided (URIDaemon) segfaulted a lot when trying to log-in with a digital certificate. Just restart the process and wait for a few seconds. Be patient, if you refresh your browser you will start all over again. Also, try to log-in first with the Korean version of the homepage, then you can change it to English.

- Interestingly enough, you can run the NewIPinsided service as a regular user. It works with some warnings and non-fatal error messages.

- Sometimes you won't be able to open more applications, getting the error message "Maximum number of clients reached - Can't open display". That is "delfino" misbehaving, just restart the process to fix it.

- At the end of your session, don't forget to kill "veraport" and "delfino" (pkill -f wizvera). Also, stop the NewIPinsided service (service NewIPinsided stop).

- If you don't do online banking very often and don't want KEB security programs running all the time across reboots, then as root disable the NewIPinsided service with "chkconfig --del NewIPinsided".

- For "veraport" and "delfino", they create desktop files in your ~/.config/autostart/ directory everytime they are launched. If you don't agree with that policy, then remove those files when you are done with your online banking:

rm $HOME/.config/autostart/delfino.desktop
rm $HOME/.config/autostart/veraport.desktop

A more drastic solution is to edit those binaries with a hex editor (I used bvi) and change a letter or two in their Exec variables.

No comments:

Post a Comment