Thinkpad R51

Model: 18299MG
Dock II/Mini Dock Port Replicator II
Bios: 1RETDHWW (3.13) 10/29/2004
System unit: 99WRGTO 4N09MGE
Board: J1YPW51S2FX
UUID: 93132C01476411CB-A3D8C1
FFC2011EFF S/N 24R7787/62

rsyslog – remote logging including TLS encryption

I just enhanced my logging with rsyslog by enabling remote logging from other machines and here are the config snippets:
on

    logging server side


$ModLoad imtcp # enable TCP module
$InputTCPServerRun # bind rsyslog remote logging to specific port

$AllowedSender TCP, 127.0.0.1, / # restrict access to the specified network (only listed senders are accepted)

$template REMOTE,"/var/log/system-%HOSTNAME%.log" # template to separate logfiles received from remote hosts
if $fromhost-ip startswith '' then -?REMOTE # messages from hosts whose address starts with the given prefix go to the per-host file
#&~ # discard rule left commented out because we want to keep all messages in the local log as well

and on

    client side


$ModLoad imtcp # TCP listener module; not needed just for sending, since the forwarding action (omfwd) is built in
*.* @@ # just send everything to remote logging host


Do not forget to adjust the firewall settings in order to allow remote access to the specified port.

And now to the encryption. On the server side the following directives are necessary:
# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /path/to/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /path/to/contrib/gnutls/key.pem

$ModLoad imtcp # load TCP listener

$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514

On client side only the following directives are necessary:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem

# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @@(o)server.example.net:10514 # send (all) messages
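The anon auth mode in both TLS snippets above encrypts the connection but verifies no certificate, so either end will just as happily talk to an impersonating peer, and the plain-TCP listener further up is only as restricted as its $AllowedSender line. The shell script below is an added example, not part of these notes: it audits a legacy-format rsyslog config for exactly those points and, for comparison, writes a constructed hardened variant that authenticates the client certificate with x509/name against a PermittedPeer list. The certificate paths, the 192.0.2.0/24 network and *.example.net are placeholders; the directive names are the ones rsyslog documents for the gtls driver.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an rsyslog
# legacy-format config for the weak remote-logging settings discussed above.
# Directive names are those rsyslog documents for imtcp/omfwd with gtls;
# the two sample configs and their paths are constructed for this demo.

# Print one finding per weakness in config file $1; return 1 if any was found.
audit_rsyslog_tls() {
    conf="$1"
    rc=0
    # drop comments and blank lines so a commented-out directive is not counted
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    has '^\$DefaultNetstreamDriver[[:space:]]+gtls' ||
        { echo "$conf: gtls is not the default netstream driver, traffic is plain TCP"; rc=1; }
    has '^\$(InputTCPServer|ActionSend)StreamDriverAuthMode[[:space:]]+anon' &&
        { echo "$conf: AuthMode anon encrypts but authenticates no peer, an impersonating host is accepted"; rc=1; }
    if has '^\$(InputTCPServer|ActionSend)StreamDriverAuthMode[[:space:]]+x509/(name|fingerprint)' &&
       ! has '^\$(InputTCPServer|ActionSend)StreamDriverPermittedPeer'; then
        echo "$conf: x509 auth mode without a PermittedPeer list"; rc=1
    fi
    if has '^\$InputTCPServerRun'; then
        has '^\$InputTCPServerStreamDriverMode[[:space:]]+1' ||
            { echo "$conf: listener does not require TLS (StreamDriverMode 1)"; rc=1; }
        has '^\$AllowedSender' ||
            { echo "$conf: listener has no \$AllowedSender restriction"; rc=1; }
    fi
    return $rc
}

# Write the two constructed sample configs into directory $1: weak.conf
# mirrors the anon server setup, hardened.conf authenticates the client
# certificate by name and limits senders (all paths are placeholders).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /path/to/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /path/to/contrib/gnutls/key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon   # client is NOT authenticated
$InputTCPServerRun 10514
EOF
    cat > "$1/hardened.conf" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /path/to/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /path/to/contrib/gnutls/key.pem
$ModLoad imtcp
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24        # constructed example network
$InputTCPServerStreamDriverMode 1                  # TLS only
$InputTCPServerStreamDriverAuthMode x509/name      # verify client cert against the CA ...
$InputTCPServerStreamDriverPermittedPeer *.example.net   # ... and its certificate name
$InputTCPServerRun 10514
EOF
}

# Stand-alone demo: the weak config produces findings, the hardened one none.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    audit_rsyslog_tls "$tmp/$f.conf" && echo "$tmp/$f.conf: no findings"
done
rm -rf "$tmp"
```

Run audit_rsyslog_tls against /etc/rsyslog.conf or a file under /etc/rsyslog.d/. The client-side counterpart of the hardened settings is $ActionSendStreamDriverAuthMode x509/name together with $ActionSendStreamDriverPermittedPeer server.example.net, which the audit accepts as well; a client config has no listener, so the $AllowedSender check does not apply there.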

ssh without password – key based

create keys:
ssh-keygen -t rsa
ssh-keygen -t dsa

or even more detailed:
ssh-keygen -f keyfile -C "comment" -N "passphrase" -t rsa
ssh-keygen -f id_rsa -C "Keyfile for server" -N "" -t rsa


which will create the files id_rsa/id_dsa and id_rsa.pub/id_dsa.pub respectively. To copy the public keys to the target machine you may use:
ssh-copy-id -i id_rsa.pub user@remote-system
ssh-copy-id -i id_dsa.pub user@remote-system

or you may use ssh to copy the files:
cat *.pub | ssh user@remote-system 'umask 077; mkdir -p .ssh; cat >>.ssh/authorized_keys'

Note that the key file is only one line and must remain one line also in the authorized_keys file.
When you log in over a normal ssh shell, the server asks for a proof of possession that the client generates with the private key, which in turn requires the key's passphrase. You may skip that prompt by leaving the passphrase empty when generating the keys.

The public keyfile part must be inserted as one line to the server side .ssh/authorized_keys file.
To explicitly connect to a remote server using a key file you use the command:
slogin -i ~/.ssh/secret-key-file remotehost


You may even further restrict the access to the remote server by including some options in the authorized_keys file like this:
#
from="client1",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCDkV+kDsK8+A5OjaK5WgLMqmu38aPo56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs+ozNPE83CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSSOazpPas8jXi5bEwNf7heZT++a/Qxbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY94c/ieETOXE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI+7hZu9XvNfMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #1
#
#
from="*.domain",no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAC4MybC1yD2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK5WgLMqmu38aPo56Od10RQSEiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs+ozNPE83CYDhK4XhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bENf7heZT++a/Qxbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY94c/ieETOXE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI+7hZu9XvNfMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #2

    Problems:

A possible problem may be the access rights for the files under .ssh/ and especially .ssh/authorized_keys which must only be accessible by the owner.
The public key file must be appended to the destination host's ~/.ssh/authorized_keys file.
The private key stays on the client machine from which you connect to the remote machine.
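As an added example that is not part of these notes, the shell functions below check the two points listed under Problems: that .ssh/ and authorized_keys are accessible only by their owner, and that every authorized_keys entry is still a single line, which is exactly what a wrapped paste of a key like the ones above breaks. The key material in the sample is constructed, not real, and the entry check assumes there are no spaces inside the quoted options field.

```shell
#!/bin/sh
# Added example, not part of the original notes: check the two things that
# usually break key-based login, the permissions under .ssh/ and wrapped key
# lines in authorized_keys. The sample keys below are constructed, not real.

# Return 0 if $1 grants no permission bits to group or others.
# Uses the mode column of ls -ld, which works with GNU and BSD ls alike.
owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Return 0 if every non-comment line of $1 is one complete key entry:
# optional options field, key type, base64 blob, optional comment.
# Assumption: the options field contains no spaces inside its quotes.
check_authorized_keys() {
    key_re='^([^ ]+ )?(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq "$key_re"; then
            printf '%s: not a single-line key entry: %.40s\n' "$1" "$line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Combine both checks for an ssh directory; return 1 on any finding.
check_ssh_dir() {
    rc=0
    owner_only "$1" || { echo "$1: must be mode 700" >&2; rc=1; }
    owner_only "$1/authorized_keys" || { echo "$1/authorized_keys: must be mode 600" >&2; rc=1; }
    check_authorized_keys "$1/authorized_keys" || rc=1
    return $rc
}

# Write a constructed .ssh directory under $1: one entry with options, one plain.
write_sample_ssh_dir() {
    mkdir -m 700 "$1/.ssh"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
# constructed sample entries, not real keys
from="client1",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed0== key #1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed1== key #2
EOF
    chmod 600 "$1/.ssh/authorized_keys"
}

# Stand-alone demo: the clean directory passes, a key pasted over two lines is reported.
tmp=$(mktemp -d)
write_sample_ssh_dir "$tmp"
check_ssh_dir "$tmp/.ssh" && echo "$tmp/.ssh: ok"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC' 'wrappedRest0fTheKey==' >> "$tmp/.ssh/authorized_keys"
check_ssh_dir "$tmp/.ssh" || echo "$tmp/.ssh: findings (expected for the wrapped key)"
rm -rf "$tmp"
```

Call check_ssh_dir "$HOME/.ssh" on the target host after copying a key; the first half of a wrapped key can still look like a valid entry, so it is the leftover fragment on the next line that the check reports.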

useful commands

colorize your dmesg output:
dmesg -T | sed -e 's|\(^.*'`date +%Y`'\]\)\(.*\)|\x1b[0;34m\1\x1b[0m - \2|g'


sort files in multiple directories by date:
find . -type f -exec ls -l --full-time {} + | sort -k 6,7


find files changed between two dates:
find . -cnewer -and ! -cnewer


remove unused kernels with apt:
aptitude remove $(dpkg -l | egrep '^ii +linux-(im|he)' | awk '{print $2}' | grep -v `uname -r`)


checking details of a http url you call
curl -iv url


persistent connection to remote server via screen
s() { screen -d -RR -m -S "$1" -t "$USER"@"$1" ssh "$1"; }


list directories recursively showing their sizes in human readable form:
ls -lhR | grep -E "total|:$"

Firefox Sync Server

After getting a lot of trouble with the Xmarks sync on the quite old iceweasel that is installed on my desktop machine (Debian lenny), I decided to look for alternatives and found the firefox sync server. To run my own sync server I followed the installation instructions from mozilla and also some other nice guides available via websearch. Here are the basic steps:
get the necessary packages:
aptitude install python-dev mercurial sqlite3 python-virtualenv

Create a new user for the sync server using the appropriate commands and include www-data, the apache user, in the newly created group to give access to the python script.

install the server from source:

$ hg clone https://hg.mozilla.org/services/server-full
$ cd server-full
$ make build

Create the following directories:

  • data for the sqlite files – I will switch to mysql very soon
  • tmp for some temporary python files
  • logs just to keep the synchronisation logs separate from the rest – I am not sure about access rights when writing directly to the logs directory

And now edit the configuration files:

$ vi sync.wsgi
[..]

os.environ['PYTHON_EGG_CACHE'] = '/path/to/tmp/python-eggs'

[..]

$ vi development.ini

[..]

[handler_syncserver_errors]
class = handlers.RotatingFileHandler
args = ('/path/to/logs/sync-error.log',)
[..]


$ vi etc/sync.conf

[..]

[storage]
backend = syncstorage.storage.sql.SQLStorage
sqluri = sqlite:////path/to/data/usersettings.db
[..]

[auth]
backend = services.auth.sql.SQLAuth
sqluri = sqlite:////path/to/data/usersettings.db

[..]

fallback_node = https:///
[..]

And finally add the directives for apache to access the wsgi interface:

WSGIProcessGroup ffsync
WSGIDaemonProcess ffsync user=ffsync group=ffsync processes=2 threads=25
WSGIPassAuthorization On
WSGIScriptAlias /ffsync /home/ffsync/server-full/sync.wsgi

Cups Print Server with remote printer driver

To enable remote printing on a print server, first set up the server with the correct printer drivers. In my case I had to install the foo2zjs package in order to get my printer running. My network printer was then configured using the cups web interface as socket://:9100, which is quite specific for my HP printer.
The remote printing must be configured using the following entries in cupsd.conf:

Listen <ip of printserver>:631
BrowseOrder Deny,Allow
BrowseAllow From <local net>/255.255.255.0

<Location />
Order deny,allow
Deny From All
Allow From <local net>/255.255.255.0
</Location>

on the client side please add the following directive to cupsd.conf:

BrowsePoll <ip of printserver>:631

In newer versions of cups the directive must be placed in cups-browsed.conf. The directive itself remains the same.

Do not forget to restart cups on both machines so the new directives take effect. On the client machine the remote printers should then appear in the web interface as newly added printers ready for jobs.

In newer versions do not forget to restart the cups-browsed service also.