Configuring ssh server for pubkey + password authentication

In a struggle to secure my home computer I did battle with the ssh server once again to configure it “just the way I want it” ™. I prefer pubkey + password since this ensures that if I lose the laptop/phone/whatever then the lucky finder will not find his/her way into my home computer.

So, without further fanfare here are various bits that need to be done.

Configuring the ssh server
edit /etc/ssh/sshd_config and use the following entries:
Protocol 2 # protocol 1 is outdated
PubkeyAuthentication yes # I want public key to be used for authentication (and possibly to be combined with a pass phrase)

And of course there a bunch of authentication protocols that are not needed:
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
UsePAM no

Creating the keys
Still on the server in the home folder of the user you want to login remotely with, create the private/public pair using ssh-keygen -t dsa in ~/.ssh (the default location for ssh-keygen). You get two files: id_dsa (private key) and id_dsa.pub (public key).

I used dsa keys in this post and you can use rsa keys if you pass -t rsa to ssh-keygen.

In the same folder on the server create a file called authorized_keys which has the public key (it can just be a copy of id_dsa.pub but has the potential to contain many keys – possibly one per user that can connect to said account or one per roaming device).

When creating the key pair you will be prompted for a pass phrase. This is where you choose whether or not you will need a pass phrase (which acts as a password) in order to access this account. If you leave the pass phrase empty you’re allowing key only access with no password which is dangerous since if anyone gets a hold of your roaming device he/she can access your account with no extra data.

Distributing the keys
Copy the private key ~/.ssh/id_dsa to the roaming devices you want to access the server from (laptop, phone, whatever). If the roaming device is a Linux box then put the private key in the same location (~/.ssh/id_dsa) in the home folder of the user that wishes to access the server. If you are using some other ssl tool besides command line ssh on a Linux box to access the server then it should have a place where you plug the private key into. If it doesn’t have such a place then dump it. Putty (a widely used ssh client on windows) has an option to use a private key for connection.

Note:
While trying this out a lot of people seem to fail because they do all the experimentation on a desktop. In a desktop there is a system called ssh-agent which does the authentication for you in order to save you typing the same password multiple times. This agent is a problem when doing experimentation since it needs to be notified that you switched keys. So, every time you switch keys (regenerate the ~/.ssh/{id_dsa,id_dsa.pub} files) you need to run ssh-add to let the agent know this. Another option is not do all of the experimentation from a desktop but rather from a login shell (Ctrl+Alt+1 or whatever) so that the agent does not come into the game (which is complicated enough without it). Only after everything is setup re login to the graphical desktop and try everything out.

Real time programming tips: running critical tests at application startup

There is much accumulated wisdom in the embedded systems programming field as to how to correctly write a real time application. Examples of this wisdom could be found in the methodology of breaking up the application to a startup phase and a run phase, avoiding exiting the application, avoiding dynamic memory allocation and deallocation at runtime and more. There is also much accumulated wisdom in the programming field in general where a very important principle is ones control of ones software, as opposed to the other way around, and the notion of finding bugs and problems early whether that be in code writing, QA, deployment or beginning of execution.

The combination of the two aforementioned elements forms the principle of critical condition testing at application startup. According to this principle you should put all environmental concerns as tests to be executed at the startup phase of your embedded application. Environmental conditions to be checked may include, among others, the following:

  • Operating system or C library versions as the software may be adjusted for specific versions of these.
  • Real time patch availability and version as the software may require real time capabilities.
  • System real time clock accuracy as the software may require the availability of an accurate system clock.
  • User under which the software is running as the software may require special permission or user at some point in it’s execution.
  • Free disk space availability as the software may require some disk space.
  • Free memory availability as the software may accidentally be run on a system with less than the required amount.
  • A previously running instance of the same or other software that may hinder the softwares operation.
  • The availability of certain API’s of the kernel or certain kernel modules which are required.
  • The availability of certain devices (/dev files) with permission to access these.

All of these checks should be run in the first second or so of the software’s execution and, contrary to normal wisdom, should cause the software to halt and not proceed with normal execution. The reasons for this scary tactic is that:

  • You may miss error printouts from your application and so run around trying to find errors in all the wrong places.
  • You want the errors to show up early and anything that can be made to show up early should be made so.
  • I have seen programmers confidence in their hardware/OS/environment break too many times and lead to endless hours of wasted effort which could have been prevented by using this strategy.
  • Some requirements are of the make or break type and you really should not go on running without them.
  • Some of the requirements of real time and embedded systems are so subtle that you would not even notice these break as error in runtime but rather get weird behavior from your system. These are very hard to pin point and should be avoided.

These checks should also be written in a way which enables them to be easily removed when the system has stabilized, when it’s environment has stabilized (like when the system moves to production) or in order to reduce boot time.

This principle is especially important to real time and embedded systems programmers because of a few factors:

  • real time and embedded systems are harder to debug and monitor.
  • real time and embedded systems have less tools on them that enable one to find bugs.
  • real time and embedded applications are much more sensitive than other types of applications to various changes in the environment.
  • embedded systems programs usually interact with other systems which are in the debug phase as well and so may throw the developers on endless bug hunts which waste valuable time and cause the developers to mistrust their entire design or the system and tools that they are using.
  • embedded software systems usually run 24/7 and have only an end user interface. if at all. Due to this many embedded applications only output a long log and as such either encourage the user to disregard the log completely or make the task of discerning which log lines pertain to critical errors a daunting task.

Command line id3 2.4 tagging in Linux

In the past couple of weeks I have been dabbling with command line to tag and inspect tags of mp3 files. Linux has an abundance of tools to fill this niche and it’s confusing to know what to use. What follows are my conclusions.

id3: only handles 1.1 tags.
id3v2: does not handle 2.4 tags.
id3tool: does not handle 2.4 tags. Not maintained.
eyeD3: handles everything (especially 2.4 tags), has lots of options and seems to be supported.

So it’s fairly obvious what to choose. Please let me know if you have any more candidates to add to this list or you disagree with any of my conclusions.

Musical tempo name to BPM table

I needed a concise, modern and easy to use tempo names table and couldn’t find a good one on-line (which came as a surprise to me – maybe I’m not adapt at this Google thing…). The article on “Tempo” in Wikipedia has a lot of information but lacks in this regard. So here is a table for my and hopefully your use. This table is derived from a standard modern metronome that I use (Korg KDM-2).

NameBPM range
Largo(-)40-60
Larghetto60-66
Adagio66-76
Andante76-108
Moderato108-120
Allegro120-168
Presto168-200
Prestissimo200-240(+)

Finding broken symbolic links

I sometimes need to find all broken symbolic links in a folder, recursively or not. find(1) is the all UNIX right tool for the job as far as finding files is concerned but it does not have an explicit -and -type brokenlink option…

Some solutions involve sending the output of find(1) to some other tool. These solutions are sub-optimal in that once you leave the comfort of find(1) you give up the ability to use many of it’s fine features and run into other problems (file names with white space characters just to name one such problem).

Other solutions involve doing find -L . -type l which forces find(1) to follow all symbolic links and ultimately only print those which it cannot follow. This solution has other drawbacks. One is that you do not necessarily want find(1) to follow every symbolic link since this may cause it to wander to huge areas of your hard drive that you do not wish to scan. Another deficiency is the fact that there is a difference between a symbolic link that cannot be followed and one which cannot be read.

My solution is this:

find . -type l -and -not -exec test -e {} \; -print

Altering the character set of a MySQL database

It happens often that I forget to change the default character set of a database to utf8 and so find out late in the development cycle that many of my fields are based on non utf8 character sets (mostly latin1). Then I go in and modify each field in turn using ALTER TABLE [table] MODIFY [field name] [field type] CHARACTER SET [charset]. After some digging I found the ALTER TABLE $TABLE CONVERT TO CHARSET [charset] syntax which converted all fields in a table to a certain character set. I looked for a similar syntax to convert the entire database and found ALTER DATABASE which, unfortunately, only changes the default character set and collation but does not affect the existing tables, fields or data.

So here is a script that repeats ALTER TABLE / CONVERT TO on each table in your database:

#!/bin/bash
 
# parameters...
USER='[your db user name]'
PASS='[your db password]'
DB='[your db]'
CHARSET='[character set (utf8?)]'
COLLATION='[collation (utf8_unicode_ci?)]'
 
# here we go...
QUERY="SELECT table_name FROM information_schema.TABLES WHERE table_schema = '$DB';"
TABLES=$(mysql -u $USER --password=$PASS $DB --batch --skip-column-names --execute="$QUERY")
for TABLE in $TABLES; do
        echo "ALTER TABLE $TABLE ......"
        mysql -u $USER --password=$PASS $DB -e "ALTER TABLE $TABLE CONVERT TO CHARSET $CHARSET"
        #mysql -u $USER --password=$PASS $DB -e "ALTER TABLE $TABLE CONVERT TO CHARSET $CHARSET COLLATE $COLLATION"
done

Switching Java versions on a Debian/Ubuntu system

I recently found some issues with the openjdk Ubuntu/Debian default Java implementation. Specifically I had issues with their web start support (javaws). I found that the Sun implementation of Java did not have such a deficiency and the Sun implementation is available through the regular Ubuntu/Debian package sources. I installed the Sun implementation and wanted to switch the default Java to that version.

So what have I found out ?

When you want to switch to the Sun implementation:

sudo update-java-alternatives --set java-6-sun

When you want to go back to the openjdk implementation:

sudo update-java-alternatives --set java-6-openjdk

Notice that once you do any of the above you leave “auto” mode which means that new installation of Java implementation will not switch your default one. If that is what you want then ok. If not you can return to “auto” mode with:

sudo update-java-alternatives --auto

Using “noatime” on a running Linux system

When upgrading my Ubuntu system my /etc/fstab got overwritten by the upgrade process. It seems that the new /etc/fstab file did not keep my old preferences for file systems. I didn’t notice this for some time but what I did notice was that my system was sluggish. After some time I recalled that I had previously used noatime as a mount option for all of my hard drives which gave me some more speed and treated my hard drives with a softer touch.

First lets explain what noatime means. atime or Access Time is an attribute stored by all well behaved UNIX file systems for each and every file. It is one of 3 dates stored: meta info modification time – ctime, last modification time – mtime and last acces time – atime. Out of the 3 atime is the most controversial since it means that for every read from the disk there is a write operation. This is one of the worst defaults in your UNIX system.

The solution is just to disable atime altogether. Warning – this may cause some weird applications that rely on atime to break. If you want your system to be as “default” as possible don’t do what I suggest. If you want better performance and hard disk lifetime and on the other hand don’t mind parting ways with one or two misfit applications then this trick is for you.

How do you do it? Just edit /etc/fstab and add noatime at the 4′th column where file system mount options are for any file system you want to avoid access time updating. Reboot your system. Run mount(1) to see that all your file systems are mounted correctly. Enjoy.

What applications break? Actually – I have yet to see an application break because of this change. I have been running with “noatime” for 2 years now and all the applications seem to behave well. If you know of an application that breaks please let me know…

Producing MySQL dates on the command line

I often find myself in need of inserting data manually into a MySQL database using some kind of database editor. In a database editor you find yourself manually inserting values into cells of a table and in most of them you are not allowed to enter an SQL expression (the MySQL Query Browser is a prime example). In this case I need some way to generate the current date and time as per the MySQL format quickly on the command line. I will usually use:

alias date_mysql="date +'%F %T'"

WordPress and UNIX security (part 2)

In an effort to secure my blog I once again did battle with the mighty Word press. It seems that you can run a perfectly healthy blog with no write permissions by the HTTP server (usually www-data) to your service directory.

What do I suggest? Change owner ship to root on your blog area. When you know that you need to upload stuff to Word press then open the permissions on the relevant folders. This happens when you want to add or remove plug-ins, upload media, themes etc. After the relevant operation clamp down on security again. There are plugins (like xLanguage) that write all kinds of junk log files into the upload folder as part of their operation. Obviously you cannot use these if you want better security.

Advantages: better security.
Disadvantages: A little discomfort and the need to write very simple short script to do the chmod for you. The Inability to use certain brain dead plug-ins.