Category: Linux

After today’s Debian/Ubuntu OpenSSH fiasco I decided to tighten security in my backup system. I added a single-purpose SSH key which only allows access to rsync on the backup source hosts.

The main logic in the program is the same as my earlier attempt, although I added a check that the machine I am about to rsync from is the right one (this would fail due to ssh keys anyway). The ping check I previously did before starting a backup was insufficient if my laptop was on my home LAN, where NAT gave it the same IP address as my home gateway machine.

The other new part is the ssh authentication improvement. In order to use that, you need to create a single purpose ssh key on the backup server:

Then edit the public part of the key (~/.ssh/rsync.pub) to limit the commands that can be run with this key. You would add this to the front of the key, with no spaces (the whole key should be on one line too):

This comes before the ssh-dss with a space before ssh-dss.

You will need to install this key in ~/.ssh/authorized_keys on the backup source machines, and also on those machines install the ‘secure-rsync’ wrapper. The secure rsync wrapper is from Barry O’Donovan, who has a thorough page explaining a very similar (but better!) backup system. The path in the public ssh key should correspond to this file. All this wrapper does is check that the command is a safe rsync command and start rsync:

#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
    *\&* | *\;* | *\|*)
        echo "Access denied"
        ;;
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    hostname)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Access denied"
        ;;
esac

Then you can use the ‘mybackup’ script to run the backups, with a simple config file that is explained in the script comments.

So Ubuntu 8.04 (Hardy) came out, and it rocks a lot. By default it enables the pulseaudio sound server, which also rocks but has caused a few of the ‘usual suspect’ proprietary apps to fail even more than usual.

Skype

First: Skype. Skype is the bane of my existence, and judging from the way their developers rail against change on the forums, Linux users like me are the bane of theirs. No sooner had they fixed their three-year avoidance of ALSA than we all move to a new system and theirs breaks. Well, actuallyour new system was supposed to work fine with ALSA apps, except they seem to have used ALSA in a weird way, which means that when you redirect your ALSA input and output to pulseaudio, Skype just ignores it and tries to access your hardware directly. Which breaks, because pulseaudio is using your hardware.

One fix proffered on the Ubuntu forums is to make pusleaudio use ALSA’s dmix, that way your pulse apps will have this chain app->pulse->dmix->hardware,whilst broken apps like Skype can be set to use app->dmix->hardware. And this fix does make Skype work OK… but it messes up everything else like audio players because pulse-over-dmix is crappy and uses all your CPU.

So here’s my fix for broken apps, and no, it’s not ideal. Guess what? It never will be while Skype is broken!

Run the Hardy stock setup with ALSA-over-pulse, but manually run pasuspender when you need to take/make a call. I have this script which is called from a button on my panel which I press.

# temporarily pause pulseaudio so I can use Skype or whatever
pasuspender — /usr/bin/zenity –info –text “Click OK to resume Pulseaudio”

Works OK, although you won’t hear Skype ringing.

Flash

Next up, Flash. Flash on Linux just sucks, absolutely. In Hardy, as of this moment, if you install the library that allows Flash to do audio output over pulseaudio, the Flash will crash every time you do something unusual like, say, open a frickin’ hilarious YouTube video, your browser will crash. Awesome huh! In fact, you can alleviate this by installing nspluginwrapper, in which case you will just have a gray square instead of your YouTube video. Also awesome.

My workaround for this is… just hit refresh a billion times until Flash stops sucking and plays the stupid video. It’s some sort of race condition between Flash and libflashsupport, at least that’s what the Pulseaudio developers claim. Lame!

Every Voice-over-IP App, ever

WTF guys! We all knew Pulse was coming for over a year… so why is it so hard to find a SIP client that works in Hardy? Check out my other post for listings of what’s broken about the different clients. Short answer: Linphone works well, Twinkle can be coaxed into working.

I just set up my laptop at work as a docked second screen next to my main workstation (yeah, I know, procrastination central). I wanted to use the network to control the second machine (laptop) from the nice keyboard of my workstation. I knew I could do it because I use to use x2x when we had the remote HiRes station here (4 old junker PCs with one or two screens each, two keyboard/mice setups).

For some reason I was trying to use synergy, which is completely insecure. The only advice offered on the synergy site about securing it was setting up port forwarding via ssh first, then connecting over those ports. Yuck.

Anyway, since ssh automatically forwards X11 connections, it’s dead easy to use x2x for this task in a secure way (with all the usual nice stuff like ssh key authentication too).

On my wokstation, with my laptop to the right, I run the command
ssh -X laptop "x2x -east -to :0"

That’s it. Run the mouse over to the right hand side of teh workstation screen, it travels over to the laptop screen. Even X middle-click cut-n-paste works. Sweet.

Oh, well, one more cool thing, if you have sshfs installed (and fuse, and have added yourself to the fuse group, and re-logged in, and loaded the fuse module…), you can do this to automatically cross-mount the laptop home directory on your workstation:

#!/bin/sh
# Tunnel a x2x connection to a second machine, presumed to be at 
# the right of this machine's screen.

host="$1"
mount_dir="$HOME/$host"
direction="east"  # west means the OTHER screen is to the left

echo "Creating $mount_dir"
mkdir -p $mount_dir
echo "Mounting remote machine at $mount_dir"
sshfs cactus: $mount_dir

echo "Connecting to remote machine for x2x over ssh"
ssh -X $host "x2x -$direction -to :0"

# after ctrl-C killing above session, clean up sshfs stuff
# sshfs automatically unmounts when you ctrl-C out of above command
echo "Removing mount point"
rmdir $mount_dir

Thank you to the developers of FUSE, sshfs and x2x… You rock!

I wanted to set the file permissions properly on our shared music folder (accessed by Samba/scp/directly on the computer by different users). Basically, I want anyone in the ‘data’ group able to read and write everything.

First, I created the data group.
sudo groupadd data

#!/bin/bash

DIR=/data/music

echo "Changing Group ownership to 'data'"
chgrp -R data $DIR
echo "Changing permissions of files to ug=rw,a=r"
chmod -R 664 $DIR
echo "Changing permissions of directories to a+rx, g+rwx, g+s"
find $DIR -type d -exec chmod a+rx,g+rwx,g+s '{}' \;

[data]
path = /data
available = yes
browsable = yes
public = yes
writable = yes
create mask = 664
directory mask = 775

drwxrwsr-x 2 user1 data 4096 2008-02-15 11:29 temp
-rw-rw-r-- 1 user1 data    0 2008-02-15 11:29 test