Rsync backups with secure ssh key

After today’s Debian/Ubuntu OpenSSH fiasco I decided to tighten security in my backup system. I added a single-purpose SSH key which only allows access to rsync on the backup source hosts.

The main logic in the program is the same as my earlier attempt, although I added a check that the machine I am about to rsync from is the right one (the ssh key would be rejected by the wrong host anyway). The ping check I previously did before starting a backup was not enough when my laptop was on my home LAN, where NAT meant that, seen from the backup server, it had the same IP address as my home gateway machine.

The other new part is the ssh authentication improvement. To use it, you need to create a single-purpose ssh key on the backup server:

ssh-keygen -t dsa -f $HOME/.ssh/rsync

DSA was the key type used here; OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system run ssh-keygen -t ed25519 -f $HOME/.ssh/rsync instead. The remaining steps are the same apart from the key type at the start of the public key line.

Then edit the public part of the key (~/.ssh/rsync.pub) to limit what can be done with it. Prepend the following options to the key: a single comma-separated list with no spaces in it, followed by one space and then the original line starting with ssh-dss (the whole entry must stay on one line):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/user/local/bin/secure-rsync.sh"

The quotes around the command= value are required, and the path must be where the wrapper is installed on the source host. Two further options are worth adding when they fit: from="backup.example.org" (a host name, address or CIDR block; the name here is only a placeholder) stops the key being used from anywhere but the backup server even if the private half leaks, and on OpenSSH 7.2 and later the single option restrict covers all of the no-* options above, including any restrictions added in later releases.

You will need to install this key in ~/.ssh/authorized_keys on the backup source machines, and also install the secure-rsync.sh wrapper on those machines at the path given in the command= option. The wrapper is from Barry O’Donovan, who has a thorough page explaining a very similar (but better!) backup system. All it does is check that the requested command looks like an rsync server invocation (or the hostname check) and then run it. Note what it does not do: it places no limit on which paths rsync may read, so the key still grants read access to everything the account can read, and because it accepts any command beginning with rsync --server it also lets the backup server write to the source host (that is what rsync --server without --sender means):

#!/bin/sh
# Forced command for the backup key. sshd puts the command the client asked
# for in SSH_ORIGINAL_COMMAND; only run it if it is an rsync server
# invocation or the hostname probe used by the backup script.
case "$SSH_ORIGINAL_COMMAND" in
    *\&* | *\;* | *\|*)
        # Anything that looks like a chained command is refused
        echo "Access denied" >&2
        exit 1
        ;;
    rsync\ --server*)
        # Unquoted on purpose: the string must be word-split into arguments
        exec $SSH_ORIGINAL_COMMAND
        ;;
    hostname)
        exec $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Access denied" >&2
        exit 1
        ;;
esac
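As an added example (not the page's wrapper and not Barry O’Donovan's), here is a stricter version for a key that is only ever used to pull backups from the source host. It assumes that everything the backup server may read lives under an assumed BACKUP_ROOT (defaulting to /home here) and that the hostname probe is the only command needed besides rsync. Beyond the wrapper above it refuses rsync --server without --sender (a push into the source host), confines the path argument to BACKUP_ROOT, rejects any ".." component, and exits non-zero on refusal so the caller sees a failure:

```sh
#!/bin/sh
# Added example: a pull-only forced command for the rsync backup key.
# Assumptions: the backup server only needs to read below BACKUP_ROOT, and
# the only non-rsync command it sends is the "hostname" probe used to make
# sure it reached the right machine.

set -f   # never glob-expand anything taken from the client
BACKUP_ROOT=${BACKUP_ROOT:-/home}   # assumed; set to the tree being backed up

nl=$(printf '\nx'); nl=${nl%x}      # a literal newline for the pattern below

# check_command CMD -> 0 if CMD may be run, 1 if it must be refused
check_command() {
    cmd=$1

    # 1. No shell separators, substitution, redirection or embedded newline.
    #    exec of an unquoted variable does not re-parse these, but refusing
    #    them keeps the rule safe if the wrapper is ever changed to eval.
    case $cmd in
        *'&'* | *';'* | *'|'* | *'$'* | *'`'* | *'<'* | *'>'* | *"$nl"*)
            return 1 ;;
    esac

    # 2. The exact host-check probe, with nothing appended.
    if [ "$cmd" = hostname ]; then
        return 0
    fi

    # 3. rsync in server mode *sending* to us. A client that omits --sender
    #    is asking to write files here, which a pull-only key never needs.
    case $cmd in
        'rsync --server --sender '*) ;;
        *) return 1 ;;
    esac

    # 4. The last word is the path rsync will read: confine it to
    #    BACKUP_ROOT and refuse any ".." component.
    for src in $cmd; do :; done
    case $src in
        *..*) return 1 ;;
        "$BACKUP_ROOT" | "$BACKUP_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client supplied a command.
# With none there is nothing to run and the script just exits; no shell is
# ever handed out because no-pty and command= are set on the key.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted: split into rsync's arguments
    fi
    echo "Access denied" >&2
    exit 1
fi
```

Because the policy lives in a plain function, it can be exercised from an interactive shell before the script is installed as the command= target, for example check_command 'rsync --server --sender -vlogDtprze.iLsfx . /home/user/' && echo allowed. The argument string shown is what an rsync client sends when pulling /home/user/ from the remote side.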

Then you can use the ‘mybackup’ script to run the backups, with a simple config file that is explained in the script comments.

Building ROOT for Debian Lenny (testing)

Debian Lenny is currently the ‘testing’ version, but it is pretty stable and that’s what my workstation runs at work. However the annoying bug I had before with libroot-python-dev is still present (short version: the package wants (python < 2.5) but the version that ships with Lenny and Ubuntu Hardy is 2.5.)

Anyway, the easiest way around it is to build the packages from source. So add this to your sources.list

# Apt ROOT distribution.
deb http://mirror.phy.bnl.gov/debian-root/ unstable main contrib
deb-src http://mirror.phy.bnl.gov/debian-root/ unstable main contrib

Then do these commands

  • mkdir temp/root/
  • cd temp/root
  • apt-get source libroot-python-dev (this downloads the source)
  • cd root-system-5.17.07

Now we come up against another problem. The maxdb packages aren’t available in Lenny (I’m not sure why they were removed) but the source packages depend on them, so you’ll need to work around that. If the packages weren’t broken, you could do apt-get build-dep libroot-plugin-python. Instead, you can get the list of packages you need from debian/control. Here are the dependencies:

apt-get install debhelper po-debconf libssl-dev comerr-dev libxpm-dev libfreetype6-dev libpcre3-dev zlib1g-dev python-dev libjpeg62-dev libpng12-dev libtiff4-dev libungif4-dev libxinerama-dev libpacklib1-dev gfortran libxmlrpc-c3-dev libxmlrpc-c-dev libcurl4-gnutls-dev fftw3-dev libkrb5-dev krb5-user libldap2-dev libgsl0-dev libmysqlclient15-dev libiodbc2-dev libglu1-xorg-dev libglu-dev ftgl-dev libpq-dev python-support libqt4-dev qt4-dev-tools ruby ruby-dev libxml2-dev

Now you have to edit the Debian control files to remove the maxdb dependencies.

Edit debian/rules, and

  • Delete the ‘--enable-maxdb’ line. (You can’t comment it out in place, but you could move it down a few lines and comment it out there)
  • Comment out lines 35-45, just leaving ‘SAPDB = --disable-sapdb’

Edit debian/control to remove the dependency on libsqlod-dev in the first stanza and delete the entire root-plugin-maxdb stanza.
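The debian/control step automated, as an added example that is not part of the original post, with a small constructed control file inline so it can be tried offline. It assumes the stanza to drop is named root-plugin-maxdb and the build-dependency to drop is libsqlod-dev (with or without a version clause in parentheses):

```sh
#!/bin/sh
# Added example: the debian/control surgery from the post done with awk.
# Assumed names: the stanza "Package: root-plugin-maxdb" goes away entirely,
# and "libsqlod-dev" (optionally followed by "(>= x)") is removed from the
# dependency fields of what remains.

# drop_maxdb < debian/control > debian/control.new
# Control stanzas are separated by blank lines, so awk's paragraph mode
# (RS="") delivers one stanza per record; $1 and $2 are then the first
# field name and value of that stanza.
drop_maxdb() {
    awk -v RS='' -v ORS='\n\n' '
        $1 == "Package:" && $2 == "root-plugin-maxdb" { next }
        {
            # strip the dependency together with the comma that separated
            # it, whether it follows another entry or precedes one
            gsub(/,[ \t\n]*libsqlod-dev( *\([^)]*\))?/, "")
            gsub(/libsqlod-dev( *\([^)]*\))?,[ \t\n]*/, "")
            print
        }'
}

# Constructed, abbreviated sample (not the real root-system control file).
SAMPLE_CONTROL='Source: root-system
Section: science
Build-Depends: debhelper, po-debconf, libsqlod-dev (>= 7.6), libxpm-dev

Package: libroot-python-dev
Architecture: any
Description: Python bindings for ROOT

Package: root-plugin-maxdb
Architecture: any
Depends: libroot-core-dev
Description: MaxDB plugin for ROOT

Package: root-plugin-asimage
Architecture: any
Description: AfterImage plugin for ROOT'

# Run on the sample; on a real tree use: drop_maxdb < debian/control
printf '%s\n' "$SAMPLE_CONTROL" | drop_maxdb
```

On the sample this leaves two stanzas and a Build-Depends line of "debhelper, po-debconf, libxpm-dev". The real file is longer, so diff the result against the original before replacing it, and remember the .install file for the removed package still has to be moved aside as described next.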

mv debian/root-plugin-maxdb.install debian/root-plugin-maxdb.install.bak

If you like, you can edit debian/changelog and give it a new version number. The version extension must contain a digit, e.g.

root-system (5.17.07-1-ultrahigh1) unstable; urgency=low

Avoid this gotcha: I’d symlinked /usr/bin/gfortran to /usr/bin/gfortran4.3 for another project. ROOT’s config/Makefile.linux checks that gcc and gfortran are the same version, so I had to undo that symlink.

Build the packages:

dpkg-buildpackage -rfakeroot

My build failed with the error below, but all of the packages seem to be there, including root-plugin-asimage. Note that the file the error names (root-plugin-asimage_5.17.07-1-ultrahigh_i386.deb) does not match the version in the .changes file name (5.17.07-1-ultrahigh1), so the complaint points at a version-string mismatch rather than at a package that was never built:

dpkg-genchanges -b >../root-system_5.17.07-1-ultrahigh1_i386.changes
dpkg-genchanges: binary-only upload - not including any source code
dpkg-genchanges: failure: cannot fstat file ../root-plugin-asimage_5.17.07-1-ultrahigh_i386.deb: No such file or directory
dpkg-buildpackage: failure: dpkg-genchanges gave error exit status 2

And if you are too lazy to build the packages and you trust me (why would you!), you can download my packages which should install OK.

Voice Over IP on Hardy

In a separate post I talk about how Pulseaudio has broken some proprietary applications on Ubuntu Hardy. What’s worse is that many of the open source voice over IP clients (SIP, in particular) are broken on Hardy, which is a shame since Pulseaudio has been in the works for a while now and most major distributions are shipping it by default these days.

Here’s a list of the SIP clients that I have tried.

Ekiga: Just doesn’t do any sound in the call when using ALSA-via-pulseaudio (a real shame since this is the most GNOME-flavoured app and I’d really expect it to work on Ubuntu).

Gizmo: Ringing/Dialling noises work if you set ‘paplay %s’ in the “Use command to play sounds” option. Audio in call is missing when using ALSA-via-pulseaudio. Won’t start with OSS using padsp.

OpenWengo: This is barely maintained at the moment, which is sad. It is also tied into the Wengo side of things, which seems to have fallen by the wayside (incoming SIP via voip.wengo.fr doesn’t work). I’d like to see the client return, open to multiple VOIP providers, since it’s pretty solid software. But the microphone doesn’t seem to work in calls with pulseaudio at the moment!

Twinkle: Confusing interface, but it does work. Set it to use OSS for audio input and output, set the ringing to use ALSA default device (which is pulseaudio) and start the program with ‘padsp twinkle’. Not ideal since you lose a lot of the benefits of Pulseaudio, but at least it works. Wish we had v1.2 in Hardy which figures out which network to use automatically – at the moment I need to restart the program if I move from wired to wireless.

Empathy: Cool idea but SIP support isn’t really ready yet. The SIP configuration dialog is insufficient, it doesn’t offer all the fields you need to login to something like voxalot.com or FWD. Actually, that’s not Empathy’s fault but the “Mission Control” configuration app. Also, I’d like to get an audio ringing sound for incoming calls, and I can’t add SIP contacts via the main interface (it silently fails). I think Empathy is basically alpha software so I’m looking forward to these issues getting fixed – it has the promise of being the ultimate IM/SIP/Video client for GNOME.

Linphone: Works pretty well! Use the default ALSA device (which is pulse) and you can make and receive calls and the ringer works. Great! I have a few issues with the interface: I’d love to see a tray icon and better visual ringing notification, but this is a solid app that actually works. Good stuff.

Pulseaudio problems on Hardy

So Ubuntu 8.04 (Hardy) came out, and it rocks a lot. By default it enables the pulseaudio sound server, which also rocks but has caused a few of the ‘usual suspect’ proprietary apps to fail even more than usual.

Skype

First: Skype. Skype is the bane of my existence, and judging from the way their developers rail against change on the forums, Linux users like me are the bane of theirs. No sooner had they fixed their three-year avoidance of ALSA than we all move to a new system and theirs breaks. Well, actually our new system was supposed to work fine with ALSA apps, except they seem to have used ALSA in a weird way, which means that when you redirect your ALSA input and output to pulseaudio, Skype just ignores it and tries to access your hardware directly. That breaks, because pulseaudio is using your hardware.

One fix proffered on the Ubuntu forums is to make pulseaudio use ALSA’s dmix, so that your pulse apps have the chain app->pulse->dmix->hardware, whilst broken apps like Skype can be set to use app->dmix->hardware. And this fix does make Skype work OK… but it messes up everything else like audio players, because pulse-over-dmix is crappy and uses all your CPU.

So here’s my fix for broken apps, and no, it’s not ideal. Guess what? It never will be while Skype is broken!

Run the Hardy stock setup with ALSA-over-pulse, but manually run pasuspender when you need to take/make a call. I have this script, which is called from a button on my panel:

#!/bin/sh

# temporarily pause pulseaudio so I can use Skype or whatever;
# pulseaudio stays suspended until the zenity dialog is dismissed
pasuspender -- /usr/bin/zenity --info --text "Click OK to resume Pulseaudio"

Works OK, although you won’t hear Skype ringing.

Flash

Next up, Flash. Flash on Linux just sucks, absolutely. In Hardy, as of this moment, if you install the library that allows Flash to do audio output over pulseaudio, your browser will crash every time you do something unusual like, say, open a frickin’ hilarious YouTube video. Awesome huh! You can alleviate this by installing nspluginwrapper, in which case you will just get a gray square instead of your YouTube video. Also awesome.

My workaround for this is… just hit refresh a billion times until Flash stops sucking and plays the stupid video. It’s some sort of race condition between Flash and libflashsupport, at least that’s what the Pulseaudio developers claim. Lame!

Every Voice-over-IP App, ever

WTF guys! We all knew Pulse was coming for over a year… so why is it so hard to find a SIP client that works in Hardy? Check out my other post for listings of what’s broken about the different clients. Short answer: Linphone works well, Twinkle can be coaxed into working.