Rsync backups with secure ssh key

After today’s Debian/Ubuntu OpenSSH fiasco I decided to tighten security in my backup system. I added a single-purpose SSH key which only allows access to rsync on the backup source hosts.

The main logic in the program is the same as my earlier attempt, although I added a check that the machine I am about to rsync from is the right one (this would fail due to ssh keys anyway). The ping check I previously did before starting a backup was insufficient if my laptop was on my home LAN, where NAT gave it the same IP address as my home gateway machine.

The other new part is the ssh authentication improvement. In order to use that, you need to create a single purpose ssh key on the backup server:

Run 'ssh-keygen -t dsa' and save the key to $HOME/.ssh/rsync

Then edit the public part of the key (~/.ssh/rsync.pub) to limit the commands that can be run with this key. You would add this to the front of the key, with no spaces (the whole key should be on one line too):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/user/local/bin/secure-rsync.sh"

This goes in front of the ssh-dss part of the key, separated from it by a single space.

You will need to install this key in ~/.ssh/authorized_keys on the backup source machines, and also on those machines install the ‘secure-rsync’ wrapper. The secure rsync wrapper is from Barry O’Donovan, who has a thorough page explaining a very similar (but better!) backup system. The path in the public ssh key should correspond to this file. All this wrapper does is check that the command is a safe rsync command and start rsync:

#!/bin/sh
# Forced command for the single-purpose rsync key: sshd puts the command the
# client asked for in SSH_ORIGINAL_COMMAND; run it only if it looks like a
# plain rsync server invocation (or the hostname check the backup script does).
case "$SSH_ORIGINAL_COMMAND" in
    *\&* | *\;* | *\|*)
        # command chaining or pipes: refuse, and fail the session
        echo "Access denied" >&2
        exit 1
        ;;
    rsync\ --server*)
        exec $SSH_ORIGINAL_COMMAND
        ;;
    hostname)
        exec $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Access denied" >&2
        exit 1
        ;;
esac

Then you can use the ‘mybackup’ script to run the backups, with a simple config file that is explained in the script comments.
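The same idea carried one step further, as an added example that is neither the post's own code nor Barry O'Donovan's wrapper: it accepts only the `rsync --server --sender` form a pull backup actually sends (so the key can read the source host but never write to it), rejects shell metacharacters, and exercises the policy against constructed command lines. The install path is the one assumed in the post.

```sh
#!/bin/sh
# Added example, not from the post or Barry O'Donovan's wrapper: a stricter
# check for a PULL backup. When the backup server runs "rsync -e ssh
# source:/path dest", sshd on the source host receives "rsync --server
# --sender ...". Permitting only that form means a stolen backup-server key
# can read the source host but never write to it. Assumed to be installed as
# /home/user/local/bin/secure-rsync.sh, the path used in the post.

nl='
'   # a literal newline, for the pattern below
# Returns 0 if $1 is a permitted SSH_ORIGINAL_COMMAND, 1 otherwise.
check_rsync_cmd() {
    case "$1" in
        # No shell metacharacters, redirections, globs or newlines. The
        # string is never eval'd, but a genuine rsync server command line
        # contains none of these, so their presence is reason enough to deny.
        *\;* | *\&* | *\|* | *\`* | *\$* | *\(* | *\)* | *\<* | *\>* | *\** | *\?* | *"$nl"*)
            return 1 ;;
        # The only rsync form a pull backup needs: serve data as sender.
        "rsync --server --sender "*)
            return 0 ;;
        # Lets the backup script confirm it reached the right host.
        hostname)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample command lines, as the backup server (or whoever holds
# its key) might present them; prints one verdict per line.
demo() {
    for c in \
        "rsync --server --sender -logDtpre.iLsf . /home/user" \
        "hostname" \
        "rsync --server -logDtpre.iLsf . /home/user" \
        "rsync --server --sender . /home/user; id" \
        "hostname -f" \
        "bash -i"
    do
        if check_rsync_cmd "$c"; then echo "ALLOW  $c"; else echo "DENY   $c"; fi
    done
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    # Invoked by sshd as the forced command from authorized_keys.
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose so the string splits into arguments; globbing
        # cannot happen because * and ? were rejected above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Access denied" >&2
    exit 1
fi
demo
```

Run without SSH_ORIGINAL_COMMAND set it prints the verdicts for the sample lines; installed as the forced command it enforces them.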

Building ROOT for Debian Lenny (testing)

Debian Lenny is currently the ‘testing’ version, but it is pretty stable and that’s what my workstation runs at work. However the annoying bug I had before with libroot-python-dev is still present (short version: the package wants (python < 2.5) but the version that ships with Lenny and Ubuntu Hardy is 2.5.)

Anyway, the easiest way around it is to build the packages from source. So add this to your sources.list

# Apt ROOT distribution.
deb http://mirror.phy.bnl.gov/debian-root/ unstable main contrib
deb-src http://mirror.phy.bnl.gov/debian-root/ unstable main contrib

Then do these commands

  • mkdir temp/root/
  • cd temp/root
  • apt-get source libroot-python-dev (this downloads the source)
  • cd root-system-5.17.07

Now we come up against another problem. The maxdb packages aren’t available in Lenny (I’m not sure why they were removed) but the source packages depend on them, so you’ll need to work around that. If the packages weren’t broken, you could do apt-get build-dep libroot-plugin-python. Instead, you can get the list of packages you need from debian/control. Here are the dependencies:

apt-get install debhelper po-debconf libssl-dev comerr-dev libxpm-dev libfreetype6-dev libpcre3-dev zlib1g-dev python-dev libjpeg62-dev libpng12-dev libtiff4-dev libungif4-dev libxinerama-dev libpacklib1-dev gfortran libxmlrpc-c3-dev libxmlrpc-c-dev libcurl4-gnutls-dev fftw3-dev libkrb5-dev krb5-user libldap2-dev libgsl0-dev libmysqlclient15-dev libiodbc2-dev libglu1-xorg-dev libglu-dev ftgl-dev libpq-dev python-support libqt4-dev qt4-dev-tools ruby ruby-dev libxml2-dev

Now you have to edit the Debian control files to remove the maxdb dependencies.

Edit debian/rules, and

  • Delete the ‘--enable-maxdb’ line. (You can’t comment it out in place, but you could move it down a few lines and comment it out there)
  • Comment out lines 35-45, just leaving ‘SAPDB = --disable-sapdb’

Edit debian/control to remove the dependency on libsqlod-dev in the first stanza and delete the entire root-plugin-maxdb stanza.

mv debian/root-plugin-maxdb.install debian/root-plugin-maxdb.install.bak

If you like, you can edit debian/changelog and give it a new version number. The version extension must contain a digit, e.g.

root-system (5.17.07-1-ultrahigh1) unstable; urgency=low

Avoid this gotcha: I’d symlinked /usr/bin/gfortran to /usr/bin/gfortran4.3 for another project. ROOT’s config/Makefile.linux checks that gcc and gfortran are the same version, so I had to undo that symlink.

Build the packages:

dpkg-buildpackage -rfakeroot

My build failed with this error but all of the packages seem to be there (including root-plugin-asimage, so I don’t know what it’s complaining about):

dpkg-genchanges -b >../root-system_5.17.07-1-ultrahigh1_i386.changes
dpkg-genchanges: binary-only upload - not including any source code
dpkg-genchanges: failure: cannot fstat file ../root-plugin-asimage_5.17.07-1-ultrahigh_i386.deb: No such file or directory
dpkg-buildpackage: failure: dpkg-genchanges gave error exit status 2

And if you are too lazy to build the packages and you trust me (why would you!), you can download my packages which should install OK.

Voice Over IP on Hardy

In a separate post I talk about how Pulseaudio has broken some proprietary applications on Ubuntu Hardy. What’s worse is that many of the open source voice over IP clients (SIP, in particular) are broken on Hardy, which is a shame since Pulseaudio has been in the works for a while now and most major distributions are shipping it by default these days.

Here’s a list of the SIP clients that I have tried.

Ekiga: Just doesn’t do any sound in the call when using ALSA-via-pulseaudio (a real shame since this is the most GNOME-flavoured app and I’d really expect it to work on Ubuntu).

Gizmo: Ringing/Dialling noises work if you set ‘paplay %s’ in the “Use command to play sounds” option. Audio in call is missing when using ALSA-via-pulseaudio. Won’t start with OSS using padsp.

OpenWengo: This is barely maintained at the moment, it’s sad. And it’s tied into the Wengo side of things which seems to have fallen by the wayside (incoming SIP via voip.wengo.fr doesn’t work). I’d like to see the client return, open to multiple VOIP providers since it’s pretty solid software. But the microphone doesn’t seem to work in calls with pulseaudio at the moment!

Twinkle: Confusing interface, but it does work. Set it to use OSS for audio input and output, set the ringing to use ALSA default device (which is pulseaudio) and start the program with ‘padsp twinkle’. Not ideal since you lose a lot of the benefits of Pulseaudio, but at least it works. Wish we had v1.2 in Hardy which figures out which network to use automatically – at the moment I need to restart the program if I move from wired to wireless.

Empathy: Cool idea but SIP support isn’t really ready yet. The SIP configuration dialog is insufficient, it doesn’t offer all the fields you need to login to something like voxalot.com or FWD. Actually, that’s not Empathy’s fault but the “Mission Control” configuration app. Also, I’d like to get an audio ringing sound for incoming calls, and I can’t add SIP contacts via the main interface (it silently fails). I think Empathy is basically alpha software so I’m looking forward to these issues getting fixed – it has the promise of being the ultimate IM/SIP/Video client for GNOME.

Linphone: Works pretty well! Use the default ALSA device (which is pulse) and you can make/receive calls and the ringer works. Great! I have a few issues with the interface: I’d love to see a tray icon and better visual ringing notification, but this is a solid app that actually works. Good stuff.

Pulseaudio problems on Hardy

So Ubuntu 8.04 (Hardy) came out, and it rocks a lot. By default it enables the pulseaudio sound server, which also rocks but has caused a few of the ‘usual suspect’ proprietary apps to fail even more than usual.

Skype

First: Skype. Skype is the bane of my existence, and judging from the way their developers rail against change on the forums, Linux users like me are the bane of theirs. No sooner had they fixed their three-year avoidance of ALSA than we all move to a new system and theirs breaks. Well, actually our new system was supposed to work fine with ALSA apps, except they seem to have used ALSA in a weird way, which means that when you redirect your ALSA input and output to pulseaudio, Skype just ignores it and tries to access your hardware directly. Which breaks, because pulseaudio is using your hardware.

One fix proffered on the Ubuntu forums is to make pulseaudio use ALSA’s dmix, so that your pulse apps have the chain app->pulse->dmix->hardware, whilst broken apps like Skype can be set to use app->dmix->hardware. And this fix does make Skype work OK… but it messes up everything else like audio players because pulse-over-dmix is crappy and uses all your CPU.

So here’s my fix for broken apps, and no, it’s not ideal. Guess what? It never will be while Skype is broken!

Run the Hardy stock setup with ALSA-over-pulse, but manually run pasuspender when you need to take/make a call. I have this script which is called from a button on my panel which I press.

#!/bin/sh

# temporarily pause pulseaudio so I can use Skype or whatever
pasuspender -- /usr/bin/zenity --info --text "Click OK to resume Pulseaudio"

Works OK, although you won’t hear Skype ringing.

Flash

Next up, Flash. Flash on Linux just sucks, absolutely. In Hardy, as of this moment, if you install the library that allows Flash to do audio output over pulseaudio, Flash will crash every time you do something unusual like, say, open a frickin’ hilarious YouTube video, and it takes your browser down with it. Awesome huh! In fact, you can alleviate this by installing nspluginwrapper, in which case you will just have a gray square instead of your YouTube video. Also awesome.

My workaround for this is… just hit refresh a billion times until Flash stops sucking and plays the stupid video. It’s some sort of race condition between Flash and libflashsupport, at least that’s what the Pulseaudio developers claim. Lame!

Every Voice-over-IP App, ever

WTF guys! We all knew Pulse was coming for over a year… so why is it so hard to find a SIP client that works in Hardy? Check out my other post for listings of what’s broken about the different clients. Short answer: Linphone works well, Twinkle can be coaxed into working.

One Keyboard, Two Computers: x2x Over SSH

I just set up my laptop at work as a docked second screen next to my main workstation (yeah, I know, procrastination central). I wanted to use the network to control the second machine (laptop) from the nice keyboard of my workstation. I knew I could do it because I used to use x2x when we had the remote HiRes station here (4 old junker PCs with one or two screens each, two keyboard/mice setups).

For some reason I was trying to use synergy, which is completely insecure. The only advice offered on the synergy site about securing it was setting up port forwarding via ssh first, then connecting over those ports. Yuck.

Anyway, since ssh automatically forwards X11 connections, it’s dead easy to use x2x for this task in a secure way (with all the usual nice stuff like ssh key authentication too).

On my workstation, with my laptop to the right, I run the command
ssh -X laptop "x2x -east -to :0"

That’s it. Run the mouse over to the right hand side of the workstation screen, and it travels over to the laptop screen. Even X middle-click cut-n-paste works. Sweet.

Oh, well, one more cool thing, if you have sshfs installed (and fuse, and have added yourself to the fuse group, and re-logged in, and loaded the fuse module…), you can do this to automatically cross-mount the laptop home directory on your workstation:

#!/bin/sh
# Tunnel an x2x connection to a second machine, presumed to be at
# the right of this machine's screen, and sshfs-mount its home directory.
# Takes the remote hostname as its only argument.

host="$1"
mount_dir="$HOME/$host"
direction="east"  # west means the OTHER screen is to the left

echo "Creating $mount_dir"
mkdir -p "$mount_dir"
echo "Mounting remote machine at $mount_dir"
sshfs "$host": "$mount_dir"

echo "Connecting to remote machine for x2x over ssh"
ssh -X "$host" "x2x -$direction -to :0"

# after ctrl-C killing the above session, clean up the sshfs mount point
# (sshfs automatically unmounts when you ctrl-C out of the above command)
echo "Removing mount point"
rmdir "$mount_dir"

Thank you to the developers of FUSE, sshfs and x2x… You rock!

The Pastels

I just discovered the Pastels, in particular the best-of Truckload of Trouble. Fantastic!

Truckload of Trouble

I’m going to look at the whole C86 ‘scene’ since they are supposed to be so representative of that sound; in particular the first Primal Scream album Sonic Flower Groove seems interesting. It is supposed to be very Byrds-esque and apparently was a major influence on early Stone Roses.

Sonic Flower Groove

Until today I only really knew Primal Scream from after Screamadelica onwards. I can’t decide if this album cover is more or less embarrassing for them than the confederate flag on Give Out.

Making a shared data folder in Linux

I wanted to set the file permissions properly on our shared music folder (accessed by Samba/scp/directly on the computer by different users). Basically, I want anyone in the ‘data’ group able to read and write everything.

First, I created the data group.
sudo groupadd data

Then I edited /etc/group and made all the relevant users members of that group
data:x:1002:user1,user2

Then I set the ownership and permissions on the directory using the following script. One note is that the last line sets the 'setgid' permission on the directories (chmod g+s ...), which makes new files inherit the directory's group, so the group permissions are effectively 'sticky'.

#!/bin/bash

DIR=/data/music

echo "Changing group ownership to 'data'"
chgrp -R data "$DIR"
echo "Changing permissions of files to ug=rw,a=r"
# Only files get 664: a recursive chmod 664 would also strip x from the
# directories, leaving them untraversable until the next step repaired them.
find "$DIR" -type f -exec chmod 664 '{}' \;
echo "Changing permissions of directories to a+rx, g+rwx, g+s"
find "$DIR" -type d -exec chmod a+rx,g+rwx,g+s '{}' \;

Now set the umask so that the group gets write permission by default. In /etc/profile:
umask 002

Finally, set the same permissions in Samba too. In /etc/samba/smb.conf:

[data]
path = /data
available = yes
browsable = yes
public = yes
writable = yes
create mask = 664
directory mask = 775

Now files and directories are created group-writable.

drwxrwsr-x 2 user1 data 4096 2008-02-15 11:29 temp
-rw-rw-r-- 1 user1 data    0 2008-02-15 11:29 test

Update:

When you copy files via scp, the umask is not set properly because bash doesn't read its startup files in this situation.

In order to get scp to set the umask properly, you need to add umask 002 to /etc/default/ssh (in Debian/Ubuntu, on Redhat-derived systems try /etc/sysconfig/sshd).

This will set the 002 umask for all users. If you want something more fine-grained you'll need a more complex solution.
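The policy from this post as a pair of shell functions, added here as an example that is not part of the original post: one applies it (group owner, 664 files, 2775 setgid directories), the other audits a tree for anything that has drifted, which is the check worth running after scp or Samba clients have been writing. It uses your primary group (`id -gn`) in place of the 'data' group and a constructed temporary tree.

```sh
#!/bin/sh
# Added example, not from the original post: the post's shared-folder policy
# as two functions. apply_policy sets it (group owner, 664 files, 2775
# directories, i.e. setgid so new files inherit the group); audit_policy
# counts paths that have drifted from it, which is the check worth running
# after scp or Samba clients have been writing. Assumes GNU or BSD find/chmod.

# Usage: apply_policy DIR GROUP
apply_policy() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir"
    # Files first, directories second, via find rather than "chmod -R 664":
    # stripping x from a directory mid-run would make it untraversable.
    find "$dir" -type f -exec chmod 664 {} +
    find "$dir" -type d -exec chmod 2775 {} +
}

# Usage: audit_policy DIR -> prints the number of paths violating the policy
# (0 means the tree is clean). Each find covers one way of drifting.
audit_policy() {
    dir=$1
    {
        find "$dir" -type d ! -perm -2070   # directory lacks setgid or g=rwx
        find "$dir" -type f ! -perm -0060   # file not group read+write
        find "$dir" -perm -0002             # world-writable: never wanted here
    } | sort -u | wc -l | tr -d ' '
}

# Constructed demo tree: a directory and file left with the 755/644 modes
# that a user's default umask (022) or an scp upload would produce.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/albums"
    : > "$tmp/albums/track.ogg"
    chmod 755 "$tmp/albums"
    chmod 644 "$tmp/albums/track.ogg"
    before=$(audit_policy "$tmp")
    apply_policy "$tmp" "$(id -gn)"   # primary group stands in for 'data'
    after=$(audit_policy "$tmp")
    echo "policy violations before: $before, after: $after"
    rm -rf "$tmp"
    [ "$after" -eq 0 ]
}

demo
```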

How to fix VLC crash on startup in Gutsy

In Ubuntu Gutsy, when I tried to run VLC it would crash (segfault) complaining of “double free or corruption” in g_slice_alloc().

The problem is actually in the underlying WxGTK library that VLC uses for the user interface. It was a bug that didn’t cause any problems until some non-standard memory allocation function was fixed in glib and exposed the mis-use of this function in some applications. It also affects WxGlade and even the Gimp apparently.

Anyway, it’s dead easy to fix. Put the following in your environment:

G_SLICE=always-malloc

i.e.

Add
G_SLICE=always-malloc
to /etc/environment or

export G_SLICE=always-malloc
to ~/.bash_profile and/or ~/.gnomerc.

More old virtual machines

After my adventures with RedHat 7.2 in VMWare, I decided to make a redistributable VM that was more or less compatible. The main reason is that VMWare Player is not available out-of-the-box on Ubuntu Gutsy (that’s what you get for messing with proprietary freebies!). Instead, I’ve been playing with the open source rather excellent VirtualBox virtualization software.

Actually, the first thing I did was convert my RH7.2 VMWare image into a VirtualBox image. (In fact, you can use a VMWare .vmdk file directly in VirtualBox, but you won’t get some of the fancier features like snapshots.) Through the magic of qemu-img I first converted it to a raw disk image:
qemu-img convert redhat72.vmdk redhat72.bin

Then I used a VirtualBox tool to convert the raw image into the “vdi” VirtualBox format (you might need a lot of disk space for this step):

vboxmanage convertdd redhat72.bin redhat72.vdi

That image worked fine in VirtualBox (noticeably slower than VMWare though, even with the vboxdrv kernel module loaded.) When it first loaded, the RedHat hardware utility kudzu discovered the changes in virtual hardware and set everything up with no problems.

I also created a CentOS 2 virtual machine for VirtualBox. CentOS 2 is a clone of RedHat Advanced Server 2.1, built from source with the RedHat trademarks removed and therefore it is permissible to redistribute it. This OS is very similar in vintage to RedHat 7.2, and most statically compiled programs will work on both platforms (which is what I need it for)

As per my VMWare image, I have installed subversion (3.4.2 from source, works with svn+ssh:// protocol but probably not for https://); GCC v3.4.6; Boost v3.4.1; and GSL v1.9. The source directories are in /root/temp/installation.tar.bz2. I also updated the OS using yum to get the final version of all the packages. I don’t think that CentOS 2 is still being updated though, so this is really not a safe OS to have on your network.

After installing I ran vboxmanage modifyvdi centos2.vdi compact, which doesn’t do anything at all on its own. Apparently it only shrinks zeroed sectors, so first you need to run
dd if=/dev/zero of=filler
then
rm filler
then the modifyvdi command again. This got it down to 2GB.

Anyway, if you’re looking for a virtual machine that’s 100% compatible with RedHat AS 2.1 and 95% compatible with RedHat Linux 7.x, you can download the VDI image for VirtualBox here. The root password is ‘centos2’ and the file weighs in at 560MB.