
NX server auth suggestion… local/passwd auth without allowing passwd auth on public sshd July 21, 2008 at 10:41 pm

I thought this was pretty simple, but after chatting with a few people, apparently not many have thought of it.  If you want to use NX to connect to a server from the internet, but also want more security on that same host by only allowing known rsa/dsa keys to log in, and you don’t like the nx passworddb option, you can use the following setup:

  • Leave the “public” sshd process listening on port 22, only allowing known keys (and don’t allow root logins IMO).
  • Set up a 2nd “local” sshd process listening on another port.  My setup is as follows:
    • Create /etc/ssh/sshd_config_local; compared to the main sshd_config it differs in two settings (plus one optional extra)…
    • Port 222
    • UsePAM yes (or set PasswordAuthentication yes if you don’t use PAM).
    • For extra super security, also set: ListenAddress 127.0.0.1
  • Set up another init script (I just copied sshd to sshd_local) and add the following to the line that spawns the sshd process:
    • -f /etc/ssh/sshd_config_local

Set up your links, run chkconfig, whatever your distribution does, and then start the service (sudo su - root -c '/etc/init.d/sshd_local start').   You should now have another daemon running that looks like:
/usr/sbin/sshd -f /etc/ssh/sshd_config_local

The only configs needed for nx (I’m using the free nomachine server, not freenx, might be slight differences) are (in /usr/NX/etc/server.cfg):

  • SSHDAuthPort = 222
  • EnablePasswordDB = 0

..and that’s it.  Now client connections come in to port 22 as user nx using the key that ships with the client (or a custom key you set up yourself… you figure that out), and the server then does its own ssh step to authenticate the real user and forward the session, essentially running ‘ssh -p 222 -l $USER localhost’ on the server, so it goes through your “local” sshd copy and passwords work.
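As an added example (not part of the original post), a small shell check for the split described above: it reads sshd config files the way sshd does (first occurrence of a keyword wins) and confirms the port-22 daemon refuses passwords and root while the second copy is pinned to loopback port 222. The three config snippets are constructed samples standing in for the real files; the keywords are real sshd_config options.

```shell
# cfg_value FILE KEYWORD: first effective value of KEYWORD. sshd uses the first
# occurrence of a keyword, so that is the one reported; commented lines are skipped.
cfg_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
        END { print v }' "$1"
}

# check_public FILE: succeeds only if the internet-facing sshd refuses password
# and root logins, the two settings the port-22 daemon relies on.
check_public() {
    [ "$(cfg_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(cfg_value "$1" PermitRootLogin)" = "no" ]
}

# check_local FILE: succeeds only if the second sshd is pinned to loopback port 222,
# so its password login is reachable only from nxserver on the box itself.
check_local() {
    [ "$(cfg_value "$1" Port)" = "222" ] &&
    [ "$(cfg_value "$1" ListenAddress)" = "127.0.0.1" ]
}

# Constructed sample configs standing in for the real files.
PUBLIC_CFG=$(mktemp); LOCAL_CFG=$(mktemp); WEAK_CFG=$(mktemp)
cat > "$PUBLIC_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
cat > "$LOCAL_CFG" <<'EOF'
Port 222
ListenAddress 127.0.0.1
UsePAM yes
PasswordAuthentication yes
EOF
# The easy mistake: a local copy that allows passwords but listens on every interface.
cat > "$WEAK_CFG" <<'EOF'
Port 222
UsePAM yes
PasswordAuthentication yes
EOF

check_public "$PUBLIC_CFG" && echo "public sshd: keys only, no root"
check_local "$LOCAL_CFG" && echo "local sshd: loopback only on 222"
check_local "$WEAK_CFG" || echo "weak local config rejected: no ListenAddress 127.0.0.1"
```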

Now that’s what I call recording time… May 21, 2007 at 8:16 pm

Following the info from the chatter on the web recently about being able to use the eSATA port on the Tivo Series 3, I ordered an Antec MX-1 enclosure and a 750Gig disk and updated mine to 1TB of storage.

Kicking it in was rather simple.

Here the Tivo is activating the disk during boot:

tivo_sees_disk.jpg

Note the new storage estimates.. w00t:

tivo_new_estimates.jpg

Yeah, that’s 51 DAYS of standard def programming storage. Wow.

IMDB broke WMDB…. again February 19, 2007 at 1:20 pm

So IMDB has massively changed their layout again. This broke most of the parsing bits that WMDB did.

I’ve put together a Diff against functions.php for fixing these changes.

Note that I did remove the $end value from the end of several strpos calls so that it does more parsing of the data than it used to. I could probably fix the order so that it doesn’t have to, but it’s working this way. I’m guessing the order in which things appear in the html changed from how it was parsed before.

Get string from phone for iSync November 13, 2006 at 10:21 am

Apparently the software update for the Sprint V3m last week changed the string the phone sends, and so my previous post didn’t work for everyone. In fact, I tried re-doing my steps again to make sure, and found I couldn’t add back my own phone anymore because I’d updated the software (so if it was added to iSync before the update, iSync continued to work even with the updated string).

For those that haven’t seen, the new string is:
<string>Motorola CE, Copyright 2000+Motorola V3m-Sprint Phone</string>

I wrote up a quick shell script that will help you get the string from any V3* razr now (and change the grep for v3 to anything else, like k1, to get other models’ strings).

Script is getbtstring.sh. For those not all that unix/Terminal savvy.. save it to your home directory, open a terminal, and run:
chmod +x ./getbtstring.sh
./getbtstring.sh

I used sudo to do the few things that require root access, so just type in your password and it should work as is… It’ll pause and tell you to open iSync and try to add the phone; after you get the “iSync does not support this phone” message, hit return in the terminal and it’ll print out what the string should likely be. It’ll also print out the raw data that you can share with me or others out there if the <string> bit doesn’t work.

For the REALLY poor terminal people.. you can update the file with the following steps:
(Note that \n means hit return)
1. Save the MetaClasses.plist file with the proper string in your homedir as MetaClasses.plist
2. run: vim /Applications/iSync.app/Contents/PlugIns/ApplePhoneConduit.syncdevice/Contents/PlugIns/PhoneModelsSync.phoneplugin/Contents/Resources/MetaClasses.plist
3. Press the ‘j’ key 3 times and the cursor should be on the first <dict> in the file…
4. Press the ‘o’ key and you should see "-- INSERT --" on the bottom of the terminal.
5. Press the ‘esc’ key and the "-- INSERT --" should go away.
6. Press the following keys in order: :set noai\n
7. Press the following keys in order: :r /Users/<your username>/MetaClasses.plist\n
You should now see the updated V3m part added to the file.
8. Press the following keys in order: :wq\n
The file should now have saved and quit.

In #7 above, replace <your username> with your username on the mac… if you’re not sure what it is, on the terminal command line, type id and hit return.. it’ll show your name.. mine is mmarion, id for me shows:
uid=501(mmarion) gid=501(mmarion) groups=501(mmarion), 81(appserveradm), 79(appserverusr), 80(admin)

You might need to reboot now (or try killing the SyncServer process if you know how).. open iSync again and try adding the phone again.

Update (11/16/2006 2:32PM): Oops.. guess I can’t link inside comments… here’s the getbtstring2.sh file for people.

Update (9/27/2008): Anyone that asked about the script with Leopard… download the script again (getbtstring.sh) and give it another shot. Unfortunately I can’t really test it because I have completely downed the Apple Kool-aid and got an iPhone 3G a month or so ago.. and can’t find the RAZR.. I know it’s still around here somewhere, but I’m not sure where. :-/ If it doesn’t work, Mail me the /tmp/blued.trace file the script outputs and I’ll see if I can get how it’s dumping the info from dtruss. It should be in there.. just might be different.

Update (minutes after last): Apparently Apple supports the V3m now so the above is likely unnecessary anymore.

Getting iSync to work with a new Sprint Motorola RAZR V3m November 8, 2006 at 1:31 pm

[ Listening: Finally Woken from the album “Finally Woken” by Jem ]

So I exchanged my new Samsung A900 for a RAZR, in the hopes of using iSync to sync my calendar and address books over bluetooth. Wasn’t too happy to find that iSync gave the “Device is not supported by iSync” message when I tried to add the device. I, however, am not quick to give up on tech things like this and figured I might be able to get it working myself. I saw hits on the net of people using V3m phones from other carriers, often requiring direct editing of files in the iSync.app tree itself.

Basing changes on this thread about the KRZR K1m I changed the MetaClasses.plist file on my MacBookPro… but still couldn’t get iSync to recognize the device.

I figured that the strings used to recognize the device were likely wrong, and needed to figure out my phone’s strings… to do this, I used the ktrace and kdump commands to trace the blued process on the mac when trying to add the phone again. Aha.. I found things that looked helpful:

manzana:~ mmarion$ egrep 'GMM:|GMI:' blued.txt | grep -i motorola | sort -u
+GMI: Motorola CE, Copyright 2000\r
+GMM: Motorola NC-V3m Phone\r

Now we’re getting somewhere… (don’t ask me what gmi and gmm are.. I don’t know, I just looked for things that were in the MetaClasses.plist file and might be related). Anyone else that has a newer phone/carrier’s model that isn’t being recognized yet.. this will probably work for you too (finding the strings your phone is using that is.. not the exact strings I found).

So I added a new <string> line like so:

<string>Motorola CE, Copyright 2000+Motorola NC-V3m Phone</string>

Killed and restarted iSync.. and voila, my phone was added.

Now I can sync iCal and my Address book.
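As an added example (this is not the getbtstring.sh script from the post), a shell function that turns the +GMI/+GMM lines pulled out of a blued trace, like the egrep output above, into the MetaClasses.plist <string> entry: GMI and GMM joined with a plus sign, with the trailing \r dropped and XML special characters escaped. The trace excerpt is a constructed sample copied from the lines shown above; the function names bt_string and extract are my own.

```shell
# extract TRACEFILE TAG: first modem response for TAG (GMI or GMM) in the trace,
# with any real carriage return, stray quotes and the literal "\r" kdump prints removed.
extract() {
    sed -n "s/.*+$2: //p" "$1" | head -n1 | tr -d '\r"' | sed 's/\\r.*$//'
}

# bt_string TRACEFILE: print the <string> line iSync expects, built as GMI + "+" + GMM.
# Returns 1 when either response is missing, so a bad trace is not turned into a
# bogus plist entry.
bt_string() {
    gmi=$(extract "$1" GMI)
    gmm=$(extract "$1" GMM)
    [ -n "$gmi" ] && [ -n "$gmm" ] || return 1
    printf '%s+%s\n' "$gmi" "$gmm" |
        sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/^/<string>/; s/$/<\/string>/'
}

# Constructed sample trace, same lines as the egrep output in the post.
TRACE=$(mktemp)
cat > "$TRACE" <<'EOF'
+GMI: Motorola CE, Copyright 2000\r
+GMM: Motorola NC-V3m Phone\r
+GMI: Motorola CE, Copyright 2000\r
EOF

bt_string "$TRACE"
```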

Note.. it’s not perfect, after sleeping the MBP, the phone isn’t seen on bluetooth sometimes.. I just open the bluetooth “browse device” bit to kick in a connection between the MBP and phone, and then iSync works.
The sync also fails sometimes when deleting calendar events.. so I just blow the whole calendar away (which is pretty simple… there’s a quick “deleted all events” choice under options) and sync. That might not work for people that really want 2 way syncing to work, I just need my phone to have a copy of what my computer has (from exchange at work).

Some info:
The path to the MetaClasses.plist file in question is:
$ pwd
/Applications/iSync.app/Contents/PlugIns/ApplePhoneConduit.syncdevice/Contents/PlugIns/PhoneModelsSync.phoneplugin/Contents/Resources
Remember that one… 🙂

I’ve put a copy of the section I added to the MetaClasses.plist file here: MetaClasses.plist

Update: Oops.. I forgot to add, for some reason the calendar bits sync ok, except for the location of the meeting.. trying to figure that one out still.

Update (Nov 15, 12:45): People have asked for my full MetaClasses.plist file so here it is.

Read in a sig file in horde/imp August 19, 2006 at 12:27 pm

[ Listening: Gina Escapes from the album “Battlestar Galactica: Season 2” by Bear McCreary ]

I’ve had a cron job that randomly updates my .signature file on my unix systems every 5 minutes for years now and I really wanted to have the same kind of random signatures in IMP as well. So I made a very simple change to the imp.php file (in <horde>/imp/lib/Identity) that allows you to read in a file rather than only read the signature that you’ve saved in the database. Syntax is very easy.. set your signature in the horde preferences to FILE:<filename> like FILE:/home/mmarion/.signature and this small bit I added will read in that file instead of printing out the value set in the database.

Patch is simple, download here and here’s how it looks:

--- imp.php.orig        2006-08-19 11:53:24.000000000 -0700
+++ imp.php     2006-08-19 11:53:50.000000000 -0700
@@ -455,6 +455,15 @@

$this->_signatures[$ident] = $val;

+       if (preg_match('/FILE:/',$val)) {
+                       $sigFileSplit=preg_split('/:/',$val);
+                       $sigFile=$sigFileSplit[1];
+                       $sigFileSize=filesize($sigFile);
+                       $sigFilePtr = @fopen($sigFile, 'r');
+                       $val = "-- \n" . fread($sigFilePtr, $sigFileSize);
+                       fclose($sigFilePtr);
+       }
+
return $val;
}
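Review bot: the FILE: path comes straight from the user's signature preference and nothing in this hunk restricts which file gets opened, so any IMP user who can edit their preferences can have the web server read any file its account can read and mail it out as a signature; before the '$sigFilePtr = @fopen($sigFile, 'r');' line, resolve the path with realpath() and require it to sit under that user's home directory (or an explicit allowlist), falling back to the stored $val otherwise. Smaller points in the same hunk: preg_match('/FILE:/', $val) matches the marker anywhere in the signature rather than only at the start (use '/^FILE:/'), preg_split('/:/', $val) drops everything after a second colon in the path (explode(':', $val, 2) keeps it), and with @fopen suppressing errors a missing or unreadable file hands false to fread() and fclose(); an is_readable() check also covers the empty-file case, where filesize() is 0 and fread() is asked for zero bytes.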

Obviously I didn’t add any kind of error checking for FILE: without a valid file, or for empty files, or files that can’t be read.. but eh.. works for me.

We are Grey. We stand between the darkness and the light. March 25, 2006 at 6:49 pm

[ Viewing: “Babylon 5 – The Complete Fourth Season” (Tony Dow) ]

Yeah, I’ve been running through B5 again, and have it on the brain.. watching season 4 now… but…

I finally had a chance to take a real crack at installing Grey-Listing on our colo box (which also serves as MX for several of us), and holy crap does it make a difference. I got it up and running at 2:45PM on Thurs (Mar 23rd, 2006) and already it’s had a massive effect. In just over 48 hours now, the database the program uses already has 4037 records of mails that never properly tried to resend again (most likely spam) vs 365 mails that have properly resent after the initial delay (most likely not spam). Just goes to show that most spam is just blasted out from hosts that are hacked or setup just for spamming and they don’t want to deal with the bandwidth required to retry.

On top of that, I found I had a bug in spamassassin that was allowing it to pass quite a few spams into my inbox (and my sister’s as well) because the mail was never actually scanned properly. Only when I went to test a mail by hand to see why it hadn’t been flagged as spam (by cat’ing it into spamc myself) did I see the error, then I grep’d a ton out of the mail logs. The error was:
Mar 23 23:46:07 www spamd[15003]: error: Can't locate object method "new" via package "Net::DNS::RR::TXT" at /usr/lib/perl5/vendor_perl/5.8.5/x86_64-linux/Net/DNS/RR.pm line 240._ , continuing

I looked on google and saw mention of updating that pkg, which I did. It had no effect. Then I started to notice that the above has version 5.8.5 in the path, and I’d updated perl to 5.8.7 previously (back in Jan). Turns out the spamd process had been running for months… well back into 2005. So a quick restart of the daemon, now using the updated perl (and modules), fixed the problem. So spamassassin is catching more mails, which, coupled with grey-listing, has dropped spam down to almost nothing. I used to get 50+ spams in my inbox a day (on top of what spamassassin filtered out) and in the last 2 days I’ve had 2!

I even setup a cron job to graph the number of filtered spam vs inbox (vs 2 lists I’m on) here. Should be interesting to see how low the spam levels stay over the next few weeks. I notice that I’m still getting some spam, but spamassassin is filtering off so much more. Some of that is stuff that I signed up for long ago and forgot, or that I was signed up automatically for by using some website… working on getting off those lists as well.

Man it’s nice to have mailboxes that are more manageable again.

The quote from B5 is really fitting though.

Patch to Wuff’s Movie DB to track borrowers November 16, 2005 at 11:06 pm

[ Music: Disappearing World from the album “Life In Slow Motion” by David Gray ]

I coded this ages ago, but noticed a few queries for it in the feature request page for WMDB. So here’s a quick bit on it..

Fairly simple, adds a borrowers bit similar to type, language, etc. Can do simple searches on what someone has borrowed, etc. I also added it in the base listing on the main display page so it’s clear up-front to friends or family if something new is already borrowed.

Here’s a diff patch you can download and patch against the latest 2.02 base.

Any problems? lemme know..

BTW, I saw the other request for ability to send a reminder email to borrowers.. shouldn’t be too hard to implement that, but I don’t have time right now.

Update: I guess I should explain for those that are wondering what the hell Wuffs Movie DB is… it’s the software I’m using to catalog my DVD collection online.

Yes… I am a gadget geek. July 28, 2005 at 3:36 pm

Went online and downloaded the new 2.00 firmware for my PSP before it was available via the normal online upgrade link.. not even sure if it’s available there yet.

You can see a (very blurry) snap of the new menu entry for the browser:

Photo_072805_001

And here I’m viewing my site:

Photo_072805_002

Pretty cool, but entering text is way too slow.

Apache logs for the browser hits look like so..

192.168.1.117 - - [27/Jul/2005:17:50:41 -0700] "GET /styles-site.css HTTP/1.1" 200 4160 "http://miguelito.org/" "Mozilla/4.0 (PSP (PlayStation Portable); 2.00)"
192.168.1.117 - - [28/Jul/2005:01:42:41 -0700] "GET /styles-site.css HTTP/1.1" 200 4160 "http://miguelito.org/" "Mozilla/4.0 (PSP (PlayStation Portable); 2.00)"

Screw the referer spammers…. May 16, 2005 at 11:17 pm

So, because of what I talked about in my previous post (http://www.miguelito.org/mig-archives/000213.html), I’ve edited awstats a little and added in my own referer URL checker… so ha!

Output from awstats shows this now:

www httpd {566}$ /usr/local/awstats/wwwroot/cgi-bin/awstats.pl -update -config=www.miguelito.org
Update for config "/etc/awstats/awstats.www.miguelito.org.conf"
With data in log file "/var/log/httpd/access_log"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 5230)

CheckReferer called with Referer URL: http://www.ua-princeton.com/
Rejecting Refer URL http://www.ua-princeton.com/ base on hit count of 106
Warning: awstats has detected that some hosts names were already resolved in your logfile /var/log/httpd/access_log.
If DNS lookup was already made by the logger (web server), you should change your setup DNSLookup=1 into DNSLookup=0 to increase awstats speed.
Jumped lines in file: 5230
Found 5230 already parsed records.
Parsed lines in file: 38
Found 27 dropped records,
Found 1 corrupted records,
Found 0 old records,
Found 10 new qualified records.

If I get any requests, or just have the time to make some diffs soon.. I’ll post the code for download here for anyone that wants it.