ssh without password – certificate based

create keys:
ssh-keygen -t rsa
ssh-keygen -t dsa

or even more detailed:
ssh-keygen -f filename -C comment -N new_passphrase -t rsa
ssh-keygen -f id_rsa -C "Keyfile for server" -N "" -t rsa


which will create the files id_rsa/id_dsa and id_rsa.pub/id_dsa.pub respectively. To copy the public keys to the target machine you may use:
ssh-copy-id -i id_rsa.pub user@remote-system
ssh-copy-id -i id_dsa.pub user@remote-system

or you may use ssh to copy the files:
cat *.pub | ssh user@remote-system 'umask 077; cat >>.ssh/authorized_keys'

Note that a public key file is a single line and must remain a single line in the authorized_keys file.
To get access to the server via a normal ssh shell, the server asks for a verification, which the client generates using the private key and its passphrase. You can skip the passphrase prompt by leaving the passphrase empty when generating the keys.

The public part of the key must be inserted as one line into the server-side .ssh/authorized_keys file.
To explicitly connect to a remote server using a key file, use the command:
slogin -i ~/.ssh/secret-key-file remotehost


You can restrict access to the remote server even further by putting options in front of the key in the authorized_keys file, like this (the keys are wrapped here for display only; in the file each entry is a single line):
#
from="client1",no-port-forwarding,no-pty ssh-rsa AAAAB
3NzaC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCDkV+kDsK8+A5OjaK5WgLMqmu38aPo
56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs+ozNPE8
3CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSSOazpPas8jXi5bEwNf7heZT++a/Q
xbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY94c/ieETO
XE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI+7hZu9XvN
fMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #1
#
#
from="*.domain",no-X11-forwarding,no-agent-forwarding ssh-rsa
AAAAC4MybC1yD2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK5WgLMqm
u38aPo56Od10RQSEiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs
+ozNPE83CYDhK4XhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bENf7he
ZT++a/Qxbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY9
4c/ieETOXE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI
+7hZu9XvNfMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #2

Problems:

A possible problem is the access rights for the files under .ssh/, and especially .ssh/authorized_keys, which must only be accessible by the owner.
The public key must be appended to the destination host's ~/.ssh/authorized_keys file.
The secret private key is stored on the client machine from which you connect to the remote machine.
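
The checks from this section (owner-only permissions, one entry per line, restricting options in front of the key) put into a script. This is an added example, not part of the original post; the function names audit_authorized_keys and write_sample and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for the problems named above.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_authorized_keys() {
    file=$1
    dir=$(dirname "$file")
    findings=$(
        # .ssh and authorized_keys must be accessible by the owner only.
        for p in "$dir" "$file"; do
            perms=$(ls -ld "$p" | cut -c5-10)   # group and other permission bits
            [ "$perms" = "------" ] || echo "PERM $p: group/other bits '$perms'"
        done
        # Each entry is ONE line: [options] keytype base64-blob [comment].
        # Simplification: assumes no option value contains a bare key-type word.
        awk '
            /^[ \t]*(#|$)/ { next }
            {
                k = 0
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/) { k = i; break }
                if (!k) { print "LINE " NR ": no key type, wrapped or broken entry"; next }
                blob = $(k + 1)
                if (blob !~ "^AAAA[A-Za-z0-9+/]+=*$" || length(blob) % 4)
                    print "LINE " NR ": key blob truncated or not base64"
                if ($k == "ssh-dss") print "LINE " NR ": DSA key, disabled by default since OpenSSH 7.0"
                if (k == 1) print "LINE " NR ": no options, key is unrestricted"
                else if ($0 !~ /from="/) print "LINE " NR ": no from= restriction"
            }' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample (keys are not real): entry 2 is wrapped like the listing above.
write_sample() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
# constructed test keys
from="client1",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA key #1
from="*.domain",no-X11-forwarding ssh-rsa AAAAB
3NzaC1yc2EAAAADAQABAAAA key #2
ssh-dss AAAAB3NzaC1kc3MAAAADAQABAAAA old key
EOF
    chmod 644 "$1/.ssh/authorized_keys"
}
```

Run it on the server as `audit_authorized_keys ~/.ssh/authorized_keys`; a wrapped key shows up as a truncated blob on one line followed by a line without a key type.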

useful commands

colorize your dmesg output:
dmesg -T|sed -e 's|\(^.*'`date +%Y`']\)\(.*\)|\x1b[0;34m\1\x1b[0m - \2|g'


sort files in multiple directories by date:
find . -type f -exec ls -l --full-time {} + | sort -k 6,7


find files changed between two dates (FILE1 and FILE2 are reference files whose change times mark the two dates):
find . -cnewer FILE1 -and ! -cnewer FILE2


remove unused kernels with apt:
aptitude remove $(dpkg -l|egrep '^ii +linux-(im|he)'|awk '{print $2}'|grep -v `uname -r`)


checking details of a http url you call
curl -iv url


persistent connection to a remote server via screen:
s() { screen -d -RR -m -S "$1" -t "$USER"@"$1" ssh "$1"; }


list directories recursively, showing their sizes in human-readable form:
ls -lhR | grep -e "total\|:$"

Firefox Sync Server

After getting a lot of trouble with the Xmarks sync on the quite old Iceweasel that is installed on my desktop machine (Debian lenny), I decided to look for alternatives and found the Firefox sync server. To run my own sync server I followed the installation instructions from Mozilla and also some other nice guides available via web search. Here are the basic steps:
get the necessary packages:
aptitude install python-dev mercurial sqlite3 python-virtualenv

Create a new user for the sync server using the appropriate commands and include www-data, the apache user, in the newly created group to give it access to the python script.

install the server from source:

$ hg clone https://hg.mozilla.org/services/server-full
$ cd server-full
$ make build

Create some directories:

  • data for the sqlite files – I will switch to mysql very soon
  • tmp for some temporary python files
  • logs just to keep the synchronisation logs separate from the rest – I am not sure about access rights when writing directly to the logs directory

And now edit the configuration files:

$ vi sync.wsgi
[..]

os.environ['PYTHON_EGG_CACHE'] = '/path/to/tmp/python-eggs'

[..]

$ vi development.ini

[..]

[handler_syncserver_errors]
class = handlers.RotatingFileHandler
args = ('/path/to/logs/sync-error.log',)
[..]


$ vi etc/sync.conf

[..]

[storage]
backend = syncstorage.storage.sql.SQLStorage
sqluri = sqlite:////path/to/data/usersettings.db
[..]

[auth]
backend = services.auth.sql.SQLAuth
sqluri = sqlite:////path/to/data/usersettings.db

[..]

fallback_node = https:///
[..]

And finally add the directives for apache to access the wsgi interface:

WSGIProcessGroup ffsync
WSGIDaemonProcess ffsync user=ffsync group=ffsync processes=2 threads=25
WSGIPassAuthorization On
WSGIScriptAlias /ffsync /home/ffsync/server-full/sync.wsgi