jump to navigation

Ssh with host-based authentication 2006 November 19 19:13

Posted by diamond in : Skynet , 1 comment so far

The documentation for this appears to be badly scattered, so i thought i’d collect the bits i’d found. The most useful reference by far was, unsurprisingly, on the website of an o’reilly book: SSH: The Secure Shell (The Definitive Guide). However, it’s slightly out of date, and doesn’t cover a one of the important steps.

What i wanted to do was allow any users on host A be able to ssh to host B using ssh v2 and be automatically logged in. So, these are the steps i took:

  1. On A, i added the following to /etc/ssh/ssh_config:
    Host *
      EnableSSHKeysign yes
    Host B.example.com
      HostbasedAuthentication yes
  2. Also on A, I made sure that ssh-keysign was installed and suid root
    -rwsr-xr-x 1 root root 131640 2006-10-31 23:03 /usr/lib/ssh-keysign
  3. On B, i set the following config options in /etc/ssh/sshd_config:
    IgnoreRhosts yes
    HostbasedAuthentication yes
    Remember to reload the sshd config after editing
  4. On B, i added the fqdn of A to /etc/ssh/shosts.equiv:
    A.exmaple.com
  5. On B, i used the following to add the public RSA key of A to ssh_known_hosts:
    ssh-keyscan -vt dsa A.example.com >> /etc/ssh/ssh_known_hosts

Note: the fqdn of A used above has to be the same as the result of a reverse dns lookup on it’s IP.

And that’s all folks.

Google, food, food, more food, stuff 2006 June 27 22:17

Posted by diamond in : Cycling,Random,Skynet , 1 comment so far

I have a phone interview google on friday @ 10:30. I am filled with fear and wonder.

Went out on friday night with folks to celebrate sith’s birthday. We ate in Moll Darby’s (wow what an annoying website). The food, oh the food. Let me illustrate: molc ordered a fillet steak with pepper sauce. After a few bites, he decided that this was the best steak he’d ever had, and he’s quite a steak fan. Me, i ordered some roast lamb. I offered to swap molc some of my lamb for my steak. He refused saying he was too busy enjoying his. Later however he changed his mind. When he took a bite of the lamb, he turned back to me and announced that he had ordered the wrong dish.

And while the lamb was good, it wasn’t the best part of the dish. It came with what the menu described as ‘a wild Mushroom Croute’, whatever that means. In reality, it was a pastry item containing mushrooms and sauce. Best thing i’ve ever eaten. It was so good i was close to tears. Ask anyone else who was there. Just.. wow. Conal ordered a penne dish with mixed seafood in sauce. Next time i’ll be ordering that. It was also just that good. *drool*. It’s a pricey enough place, ~€38 for a starter and main course, but i’ll definetely be returning a few times before i flee this city -)

On saturday, my last day in the Wild Onion, noirin came down and joined me for lunch in the WO (followed by her joining donal and sonia for lunch 2.0 in the WO -). When i was leaving work ruth gave me my usual wages, and said “That’s not all you’re getting, but you won’t find that out till later”. I had no idea what that meant, decided that i was unlikely to figure out whatever scheme ruth had planned anyway. That evening myself and noirin went out for food in San Lorenzo, which though not as good as Moll Darby’s, was very tasty. I did manage to spill a glass of water over an unfortunate fellow customer, but they were very gracious about it (anyone else reminded of this?). At the end of the meal noirin revealed that ruth was in fact paying for the dinner. How very cunning and sweet of her -)

On sunday i went up to dublin to visit diane who was over on buisness. We ended up sitting in st stephen’s green (yes, the actual green. no, not the shopping centre.) chatting for about 4-5 hours. I’m very surprised i escaped un-sunburnt. It was really good to see her. There was some kind of crossword/treasure hunt event going on, we had multiple groups of young people running up to our bench asking if we’d mind moving so they could search the inscription for certain words. I was tempted to try insert some disinformation into the game, but i ran out of motivation. Maybe next time -)

Afterwards we met up with niall and maeve whom i went with for sushi in aya. I made a rather big miscalculation however. Niall and maeve had to leave in 45 mins, as she was catching a train back to galway. I therefore decided there was no point in going for sushi 55 (all-you-can-eat sushi for 55 minutes). The alternative was to pay-per-plate. That was fine, i wasn’t planning on eating that much anyway. Mistake. Sushi 55 costs €27.50. On the other hand, this much sushi at these prices adds up to €44. Doh.

Other photos uploaded today are:

On the subject of photos, my post about spiders got some truly terrifying stories in response.

It turns out i was wrong about having broken my record on thursday. I spent some time on friday noting down all the information from here on my cycles and graphed the result. Yes, i know it’s not very pretty, haven’t been able to figure out a useful way of displaying the data yet. In the process i found this which shows the max i’ve managed is actually 27.9kmph. Annoyingly, i went out tonight to try and beat that, and with about 1km to go i was averaging about 28.06, and then i got a major cramp in my left calf and had to pull back to walking speed -/ Even so i managed 25km @ 27.69kmph, which is pretty good, just not high enough for my goals. Next time.

Over the last 3-4 weeks, the irc daemon for skynet has been having many ‘issues’. There’s been a long-running file descriptor leak, which meant we had to restart it every few months. It’s a pain in the ass, but not the end of the world. However, recently the ircd started crashing, randomly. Strace and gdb turned up nothing useful. Eventually i spotted debian bug #300638. The description didn’t quite match up with our situation (the bug only talks about ppc and amd64), but it was the same area of the code that our ircd was crashing in, so i decided to apply the patch and see.

Patch applied, updated package rolled, .deb installed. The crashing stopped, so it looks fairly clear that the patch fixed that (though we still have no idea why it worked without crashing for 6-8 months before starting to crash every few hours). However, the file descriptor leak became much much worse. Before the patch, it could take a few months for the process to run out of fds. After the patch, it would lose one fd per connection. At that rate it could fall over in days, if not hours.

I spent a fair chunk of thursday night trying to debug the fd leak. Looked through the relevant parts of openssl, the pam auth patch we’ve applied to the ircd, some of the pam libraries that were handling the auth etc. Disabling pam auth stopped the fd leak completely, so it was clear that the issue was being caused by that patch. Having gone over the patch with a fine-tooth comb multiple times, i came to the conclusion that it was actually a pam bug we were triggering due to the way the auth patch worked. So, i re-wrote the pam invocation code so that it would only call pam_start()/pam_end() once, and have the original handle persist, and voila, fd leak is no longer triggered. It’s such a relief to have a reliable service again after so many weeks of random outages.

How not to do goods delivery 2006 April 24 14:17

Posted by diamond in : Skynet , add a comment

A case study:

http://diamond.nonado.net/misc/pics/skynet%20racked/

So, we’re awaiting the replacement of the ~€1k of rack that was somewhat ‘adjusted’ in transit.

*sigh*

Answers to the pop-quiz 2006 April 5 23:26

Posted by diamond in : Cycling,Skynet,Work , 2 comments

So, here are the answers that you’ve all been no doubt waiting for -) (for those who’ve just tuned in, see here). These are the exact answers used for judging the round in the table-quiz, complete with notes.

  1. What does PERL stand for?
    Practical Extraction and Report Language [1]
  2. What year was linux 1.0 released in?
    1994 (13th of march to be precise -)
  3. What does CIDR stand for?
    Classless Inter-Domain Routing
  4. Which company does Linus Torvalds work for?
    Open Source Development Lab (OSDL) (as of june ’03)
  5. Which language does Alan Cox write his diary in?
    Welsh
  6. What does the 206 status code mean in http 1.1?
    Partial Content
  7. What is the reverse dns zone for ul’s class-b ip allocation?
    201.136.in-addr.arpa. (exactness required)
  8. What is the prefix of link-local in ipv6?
    fe80::
  9. What does MIME stand for?
    Multipurpose Internet Mail Extensions
  10. Name the most common metasyntactic variable.
    foo
  11. Assuming no ls, how would you list the contents of the current directory in unix? Bonus points for any answer in a compiled language.
    echo * (diamond judges this one)
  12. Bonus question: Best Text Editor: Vim or Emacs?
    Vim. We want a text editor, not an os.

[1] PERL did not initially stand for anything, the above is a bacronym, but taken from the PERL man page and i count it as official.

So.. seeing as some people did make attempts at answering the quiz, i’ll score their attempts here:

So, there you have it. No-one resorted to calling me names either, so no points for that. Ah well.

In completely unrelated news, my dual-core intel mac mini arrived yesterday. So far it’s been wiped twice, but is generally behaving itself. And, still unrelated, some random cycling over the last few weeks:

*Update*
My bad. Reilly did indeed include profanity directed at me. As such i am retroactively upping her score to 2.5.

Pop-quiz 2006 March 23 23:36

Posted by diamond in : Skynet , 4 comments

Last year skynet ran a table quiz. I was given the task of writing the questions for a technical round (the rest being more general-knowledge-type rounds, to not scare everyone off). Dan told me to be a bastard. So i was. I just discovered a text file with the questions in my skynet account. So, for your amusement, here they are:

  1. What does PERL stand for?
  2. What year was linux 1.0 released in?
  3. What does CIDR stand for?
  4. Which company does Linus Torvalds work for?
  5. Which language does Alan Cox write his diary in?
  6. What does the 206 status code mean in http 1.1?
  7. What is the reverse dns zone for ul’s class-b ip allocation?
  8. What is the prefix of link-local in ipv6?
  9. What does MIME stand for?
  10. Name the most common metasyntactic variable
  11. Assuming no ls, how would you list the contents of the current directory in unix? Bonus points for any answer in a compiled language
  12. Bonus question: Best Text Editor: Vim or Emacs?

You should bear in mind that most of the people who attended the table quiz hadn’t heard of linux. In the end we awarded bonus points to those teams which cursed me particularly fluently on their answer sheet. Good times, good times. -)

Feel free to answer in comments. I’ll post my answers (from the same file) in a few days.

*Update*
Fixed typo – thanks niall -)