<?xml version="1.0" encoding="UTF-8" ?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc=" http://purl.org/dc/elements/1.1/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>briancarper.net (λ) (Tag: SSH)</title><link>http://briancarper.net/tag/29/ssh</link><description>Some guy's blog about programming and Linux and cows.</description><item><title>Working remotely</title><link>http://briancarper.net/blog/working-remotely</link><guid>http://briancarper.net/blog/working-remotely</guid><pubDate>Tue, 26 Jan 2010 10:59:46 -0800</pubDate><description>&lt;p&gt;I'm sitting here in Canada trying to work for my employer back in the US for a month.  It's been a few weeks already, and I'm surprisingly pleased (or pleasantly surprised) with how well it's working.  At the same time, certain aspects of this rather suck.&lt;/p&gt;

&lt;p&gt;One huge obstacle so far is (of course) Windows.  Aside from the Linux server that I convinced IT to let me run out of a closet, the whole place is Microsoft.  Whatever MS VPN software we're using is slow, clunky, unreliable, and generally annoying.&lt;/p&gt;

&lt;p&gt;At one point I tried to fetch a file from a network drive and watched it download at 0.2 k/sec.  Then I had someone back home copy it onto my Linux box, and I downloaded from there at 120 k/sec.  The Windows and Linux servers are in the same room in the same building behind the same network connection; I don't understand how VPN overhead slowed things down by that many orders of magnitude.&lt;/p&gt;

&lt;p&gt;After connecting to VPN, there's about a 25% chance that Outlook will be able to connect to the Exchange server at work.  Generally I have to fire up the VPN, turn it off, turn it on, turn it off, turn it on and then Outlook will find it.  Sometimes I close Outlook, but it lives on as a zombie, futilely hammering away at the server but unable to find it, until I CTRL-ALT-DEL and kill it.  This is with Office 2007.&lt;/p&gt;

&lt;p&gt;But the work I do on the Linux server is (of course) easy.  No problems whatsoever.  Working over SSH is how I did things when I was sitting in my office anyways.  I tunnel in and use local GUI SQL clients.  I put VirtualBox on my laptop and I do a bunch of stuff in a Linux VM and rsync it back home with no problems.  I can edit files over SSH right in Emacs as if they were on my local box, if I care to.&lt;/p&gt;

&lt;p&gt;Sometimes I wonder if my dislike of Microsoft is irrational.  Any belief that is caused by or results in a strong emotional response should be subject to questioning.  Then reality comes waltzing by and reminds me that no, MS software really does suck.&lt;/p&gt;

&lt;p&gt;I've worked for this company for over two years before moving.  I don't know how well I'd be doing if this was a company I just started with.  It's hard to see how important face-to-face communication is until it's impossible.  Email is OK, but the benefit of knowing people in person and knowing how they talk and how they think really goes a long way to being able to interpret and understand plaintext communication.&lt;/p&gt;</description></item><item><title>Passwords in log files = bad</title><link>http://briancarper.net/blog/passwords-in-log-files-bad</link><guid>http://briancarper.net/blog/passwords-in-log-files-bad</guid><pubDate>Thu, 08 May 2008 19:31:38 -0700</pubDate><description>&lt;p&gt;In Linux when I use SSH I usually pass the host and port and username on the command line and then type the password when prompted.  (In those rare cases I don't use certificates to log in without a password.)  In Windows, PuTTY makes you pick a host and port and then prompts you for the username AND password.&lt;/p&gt;

&lt;p&gt;This leads to unpleasant results.  I'm so conditioned to open SSH and type my password at the prompt and hit Enter that I often end up typing my password as my username in PuTTY.  Bad.&lt;/p&gt;

&lt;p&gt;I've sometimes opened webpages that have some stupid Javascript bullcrap that tries to auto-focus the username field in a login form.  But if you're a fast typist (and mouse-ist) like I am, you can focus the field, type your username, and hit tab to get to the password field before the long-loading Javascript bloat has time to load and run.  It can then auto-re-focus the username field, and if that happens at just the right instant, I end up typing the password into it and pounding Enter before I have a chance to notice what's happened.  Bad bad bad.&lt;/p&gt;

&lt;p&gt;I use a computer far too often to have time to read every prompt, which leads to bad things.  Anyone who's used to flying around an interface at light-speed by instinct and repeated learned behavior has experienced this kind of thing I'm sure.&lt;/p&gt;

&lt;p&gt;This is horrendously bad because these programs often log the usernames of login attempts in plaintext in logs that lots of potentially evil people have the ability to read.  The logs don't usually log the passwords of login attempts, but if you type a password AS a username, oops, you're screwed.  Thankfully I'm root on most or all of the machines I ever SSH to, and I can go into /var/log and erase my mistake from the logs before anyone can see.  But that doesn't help for web pages I don't know.  And I wonder how often this kind of thing happens to other people.  I wonder how many people who aren't familiar with computers accidentally send their password as their username to a bunch of websites.&lt;/p&gt;

&lt;p&gt;After all the effort we go to to try to secure computer applications, these kinds of stupid human factors can still so easily ruin everything.  &lt;/p&gt;</description></item><item><title>File transfer</title><link>http://briancarper.net/blog/file-transfer</link><guid>http://briancarper.net/blog/file-transfer</guid><pubDate>Wed, 01 Aug 2007 20:18:19 -0700</pubDate><description>&lt;p&gt;I use &lt;del&gt;Gaim&lt;/del&gt; Pidgin, and I often need to transfer files to someone.  File transfer via instant messengers sucks.  The file transfer for Yahoo Messenger protocol for example apparently uploads your file to some Yahoo server and then serves it to the person you're talking to.  At least that's my guess judging by its behavior; I don't know for sure (which is another problem: I don't know what it's doing, which is scary enough that I can't use it to send any important files).  Some protocols let you set up a &quot;direct connection&quot; to the person you're talking to, but this is always clumsy at best, or broken at worst (if you're behind a NAT router).&lt;/p&gt;

&lt;p&gt;So what other options are there?  SCP obviously.  But I talk to people who (sadly) use Windows, and they don't run SSH servers.  Nor do they have any interest in learning how to do it.  Nor do they have any desire to use the command line for anything.  Can't blame them really; not everyone is a geek.&lt;/p&gt;

&lt;p&gt;I run a local Apache, and I can open it to the world and let people access my files that way, but that's not a lot of fun to try to secure and it's overkill just to transfer files.  I'm certainly not going to leave a wide-open Apache server running all the time, which means I have to restart it every time someone wants to get a file from me.  I've used Apache for this purpose before and it tends to go something like this:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Someone: I bet that song is nice.  Can I have an MP3 of it?&lt;/p&gt;
  
  &lt;p&gt;Me: Sure!  Just hold on while I edit /etc/apache2/httpd.conf and set the port and bound IP correctly, then reconfigure my firewall to allow incoming connections for that port, change DOCUMENT_ROOT to point to an empty directory for you or maybe set up a vhost, throw a .htaccess on there to prevent spying eyes, and restart the daemon.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I could run an FTP server, but same problem: overkill, and I don't want to have to secure it.  I could set up a VPN, but that's not fun to configure (&lt;em&gt;&quot;Sure, I'll send you this file.  Let's both install OpenVPN.  First you need to set up a new TUN or TAP device.  I'll wait while you do that.&quot;&lt;/em&gt;).  There's always email, but that suffers from the same problem of my files having to pass through an intermediary server, and the inevitable problem of email mailbox size limits (I don't have one, but other people may).  I guess I could set up a local bittorrent server, maybe.  Hmm.&lt;/p&gt;

&lt;p&gt;It seems like such a simple problem: Quickly transfer a file from one computer to another given a port and IP address, using some kind of GUI.  I'm thinking of writing my own little program that does this just so I can use it with people I know.  Unless there's a good option I'm missing.&lt;/p&gt;</description></item><item><title>SSH continued</title><link>http://briancarper.net/blog/ssh-continued</link><guid>http://briancarper.net/blog/ssh-continued</guid><pubDate>Thu, 12 Oct 2006 10:14:20 -0700</pubDate><description>&lt;p&gt;Password login on my SSH server is now disabled and the only way someone's getting in is if they steal my MP3 player and gank my private key.  Thanks to all who posted comments in my last entry.  I also found &lt;a href=&quot;http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&amp;amp;chap=10#doc_chap11&quot;&gt;these Gentoo docs&lt;/a&gt; helpful, as well as &lt;a href=&quot;http://www.unixwiz.net/techtips/putty-openssh.html&quot;&gt;this very nice tutorial&lt;/a&gt; on getting PuTTY to work with key files.&lt;/p&gt;</description></item><item><title>SSH security woes</title><link>http://briancarper.net/blog/ssh-security-woes</link><guid>http://briancarper.net/blog/ssh-security-woes</guid><pubDate>Wed, 11 Oct 2006 12:21:27 -0700</pubDate><description>&lt;p&gt;I checked my &lt;code&gt;/var/log/messages&lt;/code&gt; recently and it turns out my SSH server on my home machine is being hammered with login attempts.  I suppose that's pretty common and it's probably just a bunch of bots.  I carefully grepped through my logs and none of the login attempts were successful (so far as I can tell), which is good.  One IP tried the following usernames one after the other:&lt;/p&gt;

&lt;blockquote&gt;staff sales recruit alias office samba tomcat webadmin spam virus cyrus oracle michael ftp test webmaster paul guest admin linux user david web apache pgsql info tony core newsletter named visitor ftpuser username administrator library test admin guest master admin admin admin admin test test webmaster username user admin test danny alex brett mike alan data www-data http httpd pop backup info shop sales web www wwwrun adam stephen richard george john angel pgsql ident webpop susan sunny steven ssh search sara robert richard party amanda rpm sgi users admins admins dean unknown securityagent tokend windowserver appowner xgridagent agent xgridcontroller jabber amavisd clamav appserver mailman cyrusimap qtss eppc telnetd identd gnats jeff irc list eleve proxy sys zzz frank dan james snort radiomail harrypotter divine popa3d aptproxy desktop workshop mailnull nfsnobody rpcuser rpc gopher&lt;/blockquote&gt;

&lt;p&gt;Are there really that many people in the world using &quot;harrypotter&quot; as their usernames?  Other common login attempts seem to be for usernames &quot;admin&quot; and &quot;oracle&quot;. &lt;/p&gt;

&lt;p&gt;I've started taking SSH security more seriously since then.  I limited the number of login attempts you can make before it blocks you.  I made sure root login in SSH is disabled entirely.  And I have SSH listening on a non-standard port.  That last one is &quot;security through obscurity&quot;, sure, but it seems to defeat bots.  I've had 0 login attempts at all since I've moved to a different port.  I've had a lot of garbage connection attempts, but those are apparently bots looking for a different service since they don't provide any identification at all.  My next step is probably limiting login to using a key file I'll carry around with me on a flash drive, if I can figure out how to get that working.  &lt;/p&gt;</description></item><item><title>Installing FreeBSD</title><link>http://briancarper.net/blog/installing-freebsd</link><guid>http://briancarper.net/blog/installing-freebsd</guid><pubDate>Fri, 22 Sep 2006 23:40:17 -0700</pubDate><description>&lt;p&gt;I have an extra computer here, so I decided to install FreeBSD today.  I've never used FreeBSD before.  Never touched it.  So to make this fun, I decided to try the install without reading any directions.  What better way to test out an installer?  It's also arguably a stupid way to install an OS, but stupid is fun sometimes.&lt;/p&gt;

&lt;!--more--&gt;

&lt;p&gt;So first I went to the &lt;a href=&quot;http://www.freebsd.org/&quot;&gt;FreeBSD website&lt;/a&gt; (which looks pretty spiffy, by the way) and went to &quot;Get FreeBSD&quot;.  At this point I admit I did glance around a bit to make sure I wasn't going to download a gigabyte of ISOs that I wouldn't be able to use.  But it's pretty straightforward, so I got the latest version ISOs (2 of them) for i386.  (I did also look for mirrors or a torrent download (just to be polite), but I couldn't find a link for those.)&lt;/p&gt;

&lt;p&gt;A couple hours and two burned CDs later, I was ready to go.  I booted from the CD and I was presented with something looking vaguely like Grub, but with way more options (Boot with APM?  Boot into single-user mode?)  Faced with a 10-second countdown which I apparently could not stop, I picked the default.&lt;/p&gt;

&lt;p&gt;I was then presented with a nice ncurses menu.  Again there were lots of options.  The second was &quot;Standard install&quot; or something similar.  There was also &quot;Expert install&quot; but given that I have no idea what I'm doing and that I'm not reading any directions, I went with standard.&lt;/p&gt;

&lt;p&gt;There were a bunch more screens of text which I read through quickly.  Then I got to disk partitioning, which is what I was expecting.  So far so good.  The disk partitioning system was different from fdisk; it was ncurses based.  There was a nice key of commands at the bottom indicating which key to press for which function.  Included was an option A which would auto-partition everything.  I found this system extremely easy to use.&lt;/p&gt;

&lt;p&gt;Partitions were called &quot;Slices&quot; for some reason beyond me.  But making a new slice gave me options similar to fdisk.  For example I could list a size in cylinders or in megabytes.  And I had to give a number for the partition type.  Here I met my first bit of confusion.  It only listed 3 partition types in the on-screen text: DOS, Linux, or FreeBSD.  Now, knowing that Linux can read MANY kinds of &quot;DOS&quot; partitions, from FAT16 to FAT32 to who knows what else, I was a bit stumped here.  Would DOS work OK to install Windows XP someday?&lt;/p&gt;

&lt;p&gt;Faced with this, I decided to install a very small Windows XP install first, then come back to FreeBSD later.  So I started pounding Escape like a monkey until the installer exited.&lt;/p&gt;

&lt;p&gt;Fast forward a half hour.  Windows is installed.  (I had the pleasure of waiting for that stupid blue circle thing to start babbling about giving me a tour, and then hard-cutting the power to my computer.  All I wanted is a partition.  I honestly hope I broke something.)  &lt;/p&gt;

&lt;p&gt;Back to the FreeBSD installer, back to partitioning.  It now recognized the Windows partition I made; it called it a &quot;DOS&quot; partition, so I may have been OK making a &quot;DOS&quot; partition in the FreeBSD installer to begin with.  Who knows.&lt;/p&gt;

&lt;p&gt;The installer then asked me to install &quot;FreeBSD partitions&quot;.  I suppose these differ from &quot;slices&quot; in some way.   Perhaps &quot;FreeBSD partitions&quot; are some kind of pseudo-partitions?  I picked &quot;A&quot; which auto-allocated a bunch of mount points and partitions etc.  Couldn't be easier.&lt;/p&gt;

&lt;p&gt;FreeBSD offered to install a boot loader.  There were three options.  One was if I want to install a boot loader to the MBR so I could boot Windows.  A second option said I should pick it if I only plan to use FreeBSD.  A third option would install nothing.  I picked the first option, but I found it strange that there was any difference between the first and second options.  (I found out why this was so later.)&lt;/p&gt;

&lt;p&gt;There were options somewhere along here to pick a type of software I wanted to install.  Developer?  Developer with X-windows?  User?  User with X-windows?  I liked how it gave me the option of not installing X, because I don't want X.  I liked the additional groups beyond &quot;User&quot; and &quot;Developer&quot;.  It also gave me the option to install individual packages if I wanted, which was also nice.&lt;/p&gt;

&lt;p&gt;At this point files started copying from the CD.  It probably took 10 minutes or less.  Remembering how horribly long a Gentoo install is in comparison, I was quite pleased.&lt;/p&gt;

&lt;p&gt;I did hit a snag at the network configuration menu.  The installer did auto-recognize both of my network cards, which is pretty impressive, given that I sometimes have problems with that even in Linux.  The installer then asked &quot;Do you want to use IPV6&quot; to which I said no.  And then it said &quot;Do you want to use DHCP&quot; to which I said yes.  After saying yes I realized I didn't want to use DHCP after all.  I was taken to a screen where I could change the hostname/domainname etc., so I cancelled on this screen.  However instead of taking me back to the network configuration menu, it went right on to the next step, something not related to networking at all.  This was no fun.  However I was later able to come back to the network screen after all the rest of the install questions were done.  So no big deal.  It also brought my network interface online right then and there, which was also very helpful.  I could test whether the network was configured properly without even having to reboot.&lt;/p&gt;

&lt;p&gt;The installer then started asking me a bunch of (I think) quite useful questions.  &quot;Do you want this machine to be an SSH server?&quot;  (The installer also offered to START the SSH server, without interrupting the install.  Very helpful.)  &quot;Do you want to enable anonymous FTP login?&quot;  Etc. etc.  The questions were all in plain English, and quite easy to answer yes/no quickly.  &lt;/p&gt;

&lt;p&gt;The installer did fail miserably when I tried to install exim; it made me swap CDs twice and then claimed it couldn't find the installer.  However that was one of the few snags I ran into.&lt;/p&gt;

&lt;p&gt;Fast forward to the end.  I rebooted from the hard drive and I was faced with a VERY plain prompt, compared to even the barest version of GRUB.  Something like &quot;1 DOS&quot; and &quot;2 FreeBSD&quot;.  I picked DOS, and Windows booted OK.  Nice how that worked without my ever having to touch a configuration file.  I rebooted again into FreeBSD.  After the first boot prompt, I got another which was identical to what I'd seen on the CD.  So apparently FreeBSD has a pseudo boot-loader of some sort.  Very interesting.&lt;/p&gt;

&lt;p&gt;At this point it's up and running, without ever having read any directions.  The whole install took maybe an hour (not counting installing Windows).  I was VERY impressed with how nice and easy the installer was to use.  I think ncurses is the PERFECT balance between a command line and graphical install.  X is just too big and buggy to rely upon for something as important as installing an OS.  But ncurses seems like it works anywhere a console window works (for the most part).  I think the Gentoo GUI installer might've benefited from taking this route or something similar.&lt;/p&gt;

&lt;p&gt;I'm looking forward to learning ports and seeing how it differs from Portage.  I wonder if I'll need to read the directions for that.&lt;/p&gt;</description></item><item><title>Tunneling is fun</title><link>http://briancarper.net/blog/tunneling-is-fun</link><guid>http://briancarper.net/blog/tunneling-is-fun</guid><pubDate>Mon, 11 Sep 2006 13:08:19 -0700</pubDate><description>&lt;p&gt;My girlfriend is stuck behind a very restrictive firewall at college.  It hides her behind some kind of NAT.  No open ports whatsoever.  In a way I can understand it; when you have thousands of Windows machines running on a high-speed network, you need all the help you can get.  In another way, I just couldn't live with that kind of crippled access.  I know I'm not really a typical user, but I needs me my open ports for SSH and whatnot.&lt;/p&gt;

&lt;p&gt;We wanted to play ZSNES over the internet, which needs a direct connection between two computers.  It took me forever to figure out how to get a reverse SSH tunnel set up, but I finally did.  The terminology is always very confusing.  &quot;Local&quot; vs. &quot;remote&quot;; is that from the point of view of the client, or the server?  &lt;/p&gt;

&lt;p&gt;Just so I have a record of how to do this: &lt;/p&gt;

&lt;pre&gt;&lt;code&gt;ssh -R 12345:localhost:6881 SERVER_NAME
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;-R means SSH will LISTEN for connections on the REMOTE host (&quot;remote&quot; from the point of view of the PERSON RUNNING THE COMMAND, i.e. the client).  (-L is the opposite.)  It will listen for connections on port 12345 on the machine where the server resides, and forward each of those connections to port 6881 on the machine where the client resides (the one that ran the command).&lt;/p&gt;

&lt;p&gt;After getting that working, it turns out we needed UDP forwarding too, so I had to look for something else.  I ended up using &lt;a href=&quot;http://openvpn.net/&quot;&gt;OpenVPN&lt;/a&gt;.  That program is pretty amazing.  It only took a short while to install, by following the &lt;a href=&quot;http://openvpn.net/howto.html&quot;&gt;HOWTO&lt;/a&gt;.  Even on Windows (though it has Linux versions too).  I had to use TAP devices instead of TUN; I have no idea what either of those things is, but TAP seems to create imaginary network devices.  The program uses some nice encryption too.  And using this program, you can do anything you could do with someone who was physically on your LAN.&lt;/p&gt;

&lt;p&gt;Turns out OpenVPN is in portage, too.  I wish I'd have noticed it sooner.&lt;/p&gt;</description></item><item><title>SSH Tunneling VNC</title><link>http://briancarper.net/blog/ssh-tunneling-vnc</link><guid>http://briancarper.net/blog/ssh-tunneling-vnc</guid><pubDate>Tue, 14 Mar 2006 12:50:48 -0800</pubDate><description>&lt;p&gt;Just so I don't forget this: How to SSH-tunnel VNC.  It took me forever to figure out.  (This will work with any service, not just VNC.)&lt;/p&gt;

&lt;p&gt;Home: 2 computers, both behind a firewall.  Linux = 192.168.15.15, OS X = 192.168.15.16.
The Linux computer is running sshd (but you can only SSH to the Linux box via the LAN, i.e. it's behind the firewall).  The OS X computer is running sshd too; port 22 is the only port open on the firewall, and it's forwarded to the OS X machine only.
Remote: 1 computer, Windows.  Can't run any services, but can run TightVNC viewer.
Goal: Run VNC on the home Linux computer and use TightVNC at the remote site to view it.&lt;/p&gt;

&lt;p&gt;Here's how I did it.  First SSH to my home IP using PuTTY on the remote computer, which takes me to the OS X machine.  SSH from there to the Linux box.  Run VNC on the Linux computer:&lt;/p&gt;

&lt;pre&gt;x11vnc -display :0&lt;/pre&gt;

&lt;p&gt;This shares an already-running X session.  To run an independent session I could've run&lt;/p&gt;

&lt;pre&gt;vncserver :1&lt;/pre&gt;

&lt;p&gt;Leave that running.  Now, I SSH again in a separate session to my home IP.  In the Tunnels section, put Source port 5900 (or 5901, whatever port VNC is using on the Linux machine).  For Destination put 192.168.15.15:5900 (or 5901).  Open the connection and log in.&lt;/p&gt;

&lt;p&gt;Now on the remote machine, run TightVNC and connect to 127.0.0.1::5900 (or 5901).  That's it!  Now I see my Linux desktop on the remote machine.  The whole &quot;local&quot; vs. &quot;remote&quot; distinction for SSH tunnels is a bit confusing, especially when you're bouncing around to a bunch of different computers.&lt;/p&gt;</description></item></channel></rss>

