Saturday, March 21, 2009

Disabling ssh password access

I am going away for a few days and have decided that I want to be able to access my main machine from my laptop. I normally use ssh for logging in from one machine to another and normally use private keys for all my ssh connections, but do have password access available as well. However, this time I plan to leave TCP port 22 (the ssh port) open through my home router to my iMac, and I want it to be as secure as possible. This means that I do not want password access at all, only private keys.

So, I have edited the /etc/sshd_config (or /etc/ssh/sshd_config) file to include the lines:

PasswordAuthentication no
UsePAM no

These lines turn password access off and force ssh to require the use of a private key. If you don't have a key that allows login then login is immediately rejected. I feel pretty secure as far as ssh is concerned now.

I just have to remember to copy the public key from my laptop to my iMac before I leave!
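
A way to check that the two lines above are really the ones sshd uses, as an added example that is not part of the original post. sshd takes the first value it finds for each keyword, so a "no" added lower down does nothing if the file already says "yes" higher up; the function names and sample files here are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# effective_value FILE KEYWORD
# Prints the value sshd takes from the global section of FILE: keywords are
# case-insensitive, the first occurrence wins, and reading stops at the
# first Match block (conditional overrides are out of scope here).
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)     # "Keyword=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# password_login_closed FILE
# Returns 0 only when both settings from the post are in effect.
# Assumption: an unset keyword counts as a failure, since
# PasswordAuthentication defaults to yes and vendor builds differ on UsePAM.
password_login_closed() {
    rc=0
    for kw in PasswordAuthentication UsePAM; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" != "no" ]; then
            echo "FAIL: $kw is '${val:-unset}', expected 'no'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not the author's configuration).
tmp=$(mktemp -d)
cat > "$tmp/hardened" <<'EOF'
# constructed sample
Port 22
passwordauthentication no
UsePAM=no
EOF
cat > "$tmp/shadowed" <<'EOF'
# constructed sample: the earlier "yes" shadows the appended "no"
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
EOF

for f in hardened shadowed; do
    if password_login_closed "$tmp/$f"; then
        echo "$f: password login closed"
    else
        echo "$f: password login still possible"
    fi
done
```

On a real machine, sshd -T (run as root) prints the effective configuration in the same keyword/value form, so its saved output can be checked the same way.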

Tuesday, March 10, 2009

Opening Tabs in Safari 4

I've downloaded and have been using the new Safari 4 beta. It's great, I love the new tabs and the fact that I can drag them in and out of windows (using the little triangular icon in the top right of the tab) makes them very manageable. I've even given up using Camino, I'm very happy with the new version.

I'm still getting used to the tabs being at the top rather than under the address bar. I could change it, however it does make sense because the address bar belongs to the tab, so it should be included inside the tab. Another example of Apple doing things properly.

Ok, I have one slight problem: when I click on a link in GMail or Reddit I get a new window opened rather than a new tab in the same window. The preferences don't help, they only have "open a new tab in the same window if a link is clicked on by an application like Mail or iTunes etc." The fix? Open a terminal window and enter the following at the prompt (this is one single line, it may have been broken into two by your browser):

defaults write com.apple.Safari TargetedClicksCreateTabs -bool true

Thereafter, Safari will preferentially open a new tab in the current window instead of a new window. This will not affect the normal links that replace the current page, they will still work in the same way. Give it a try, if you don't like it you can undo the action with:

defaults write com.apple.Safari TargetedClicksCreateTabs -bool false

As an extra, if you really don't like the tabs being above the address bar and want them in the old place then you can again use a terminal window and enter:

defaults write com.apple.Safari DebugSafari4TabBarIsOnTop -bool false


Friday, August 22, 2008

Using Bazaar with other people on Unix

I have been playing with setting up a repository and branches. I have had a few problems with permissions so I have come up with the following scheme:

Make sure all potential users belong to a common group e.g. mygroup, now do:
mkdir myrepository
chgrp mygroup myrepository
chmod g+ws myrepository
For each branch you or others want to create, do:
cd myrepository
bzr init abranch
chmod -R g+w abranch
There, now everyone should be able to branch/checkout and push/commit with no permissions problems.

In case you are interested, the g+ws above changes the repository directory to allow members of the group to change it and also makes sure that any files created within that directory are owned by the same group: mygroup. Directories created within this directory will also have the 's' bit set.

Wednesday, August 20, 2008

Adding Bazaar and Mercurial to Mac OS X and Eclipse

This is simply a post on the steps for installing Bazaar and Mercurial on the Mac with the Eclipse plugins without having to search the web for the right pages and downloads.

Well, it's time to join the modern world and progress from Subversion to a Distributed Version Control System. I mainly use a Mac (Leopard) with Eclipse as my development environment but I also use Linux and Windows from time to time.

After looking around I decided to try Bazaar and Mercurial. I am not going to go into the pros and cons here of one over the other because I just want to cover some quick installation notes. If you want more information about them then check out this great comparison and read the reasons why someone chose Mercurial over Git and Bazaar.

I haven't quite made up my mind about which system to use yet so have installed both systems. I will do some things in one and some in the other to see how I like them.

Installing Bazaar on the Mac.
  1. Grab the latest disk image from Launchpad download area via this page http://bazaar-vcs.org/MacOSXBundle.
  2. Open the disk image and install by double clicking on the installer.
  3. Take a well earned rest.

Installing the Bazaar Eclipse Plugin

For the Eclipse plugin to work, you need to add a Bazaar plugin to your distribution
  1. Grab the bzr-xmloutput plugin
  2. Untar it, you will get a directory called bzr-xmloutput-0.x.x
  3. Rename the directory to xmloutput
  4. Move the directory to /Library/Python/2.5/site-packages/bzrlib/plugins (This is correct for Leopard, I am not sure about Tiger)
Ok, now for the Eclipse plugin itself
  1. Simply follow the instructions at the installation site and install the plugin using the normal installation process.
Here is a very nice tutorial for getting started with Bazaar.

Installing Mercurial on the Mac.
  1. Grab the latest Mac OS X package from http://mercurial.berkwood.com/.
  2. Open the package by double-clicking on it.
  3. Inside you will find a mac install, double-click and run it.
  4. Ok, Mercurial is now installed
Installing the Mercurial Eclipse Plugin
  1. You can give the Eclipse update manager this site http://www.vectrace.com/eclipse-update. If you don't know how to do this then follow the plugin instructions.
  2. Done.
You can now read the Quick Start guide or read the fuller tutorial.

Tuesday, April 22, 2008

Gumstix - Missing Bluetooth Serial Port

I've been rebooting my Gumstix quite a lot and sometimes removing the Bluetooth pairing from my Mac.  When I try to pair the Mac and Gumstix again, quite often the serial port does not show up.  The only way I have found to get around this is to reboot and try pairing as soon as it is booted, if I leave it for a while I don't see the serial port.  Simply restarting the bluetooth software using:

/etc/init.d/bluetooth restart

does not work.  I am investigating ...

Monday, April 21, 2008

Gumstix - Forgotten the root password?

If you need to reset the root password on your Gumstix and don't want to reflash it you have to run Linux in single user mode. You do this by replacing the normal initialisation program with the shell.

Change the standard bootargs (your line may differ from mine) from:
bootargs=console=ttyS0,115200n8 root=1f01 rootfstype=jffs2 reboot=cold,hard
to:
bootargs=console=ttyS0,115200n8 root=1f01 rootfstype=jffs2 reboot=cold,hard init=/bin/sh
NB: The above bootargs lines are single lines, they have been wrapped by the browser.

You can change the line and reboot with the commands:

GUM> setenv bootargs $bootargs init=/bin/sh
GUM> boot

When the kernel boots you will be presented with a shell prompt, you can change the password using the passwd command.  Here is the output when changing the password to gumstix.  The word gumstix will not actually be echoed back to you but I have shown it here to show where it is entered.

$ passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: gumstix
Bad password: too simple.

Warning: weak password (continuing).
Re-enter new password: gumstix
Password changed.
$ reboot

Gumstix - The Bluetooth passkey

I installed a new OS into my Gumstix and then tried to pair the Bluetooth device with my Mac.  It failed because it would not accept the passkey.  I had to log into the Gumstix using the serial port from a PC and hunt around the system.

In /etc/bluetooth/hcid.conf you will find the passkey that you have to tell the Mac about.  Here is the relevant part of my file:

# HCId options
options {
        # Automatically initialize new devices
        autoinit yes;

        # Security Manager mode
        #   none - Security manager disabled
        #   auto - Use local PIN for incoming connections
        #   user - Always ask user for a PIN
        #
        security auto;

        # Pairing mode
        #   none  - Pairing disabled
        #   multi - Allow pairing with already paired devices
        #   once  - Pair once and deny successive attempts
        pairing multi;

        # Default PIN code for incoming connections
        passkey "BlueZ";    
}                           

There's the default password, this image is using BlueZ. You can either use this value as it is or edit it and use your new value.  After editing the file (if you choose to do this), you must restart the Bluetooth subsystem either by rebooting the Gumstix or by using the command:

/etc/init.d/bluetooth restart
  
Now you can use your new passkey for pairing from your host computer.

Gumstix - Getting started with Bluetooth

I've just been given a Gumstix so that I can put some of my software onto it and use it for demos.  It has taken a little time to feel comfortable with it so I thought I'd share some of my experiences and give a few pointers into the bewildering pages of documentation out there.

These notes are just my experiences with my particular Gumstix and my MacBook Pro.  I have a connex 400mt-bt.  It is a 400MHz ARM processor with 64 Mbytes of memory, 16 Mbytes flash and Bluetooth on board. I received it with a Compact Flash card adaptor, a wifi board and a USB adaptor which will supply power to the motherboard.  It also came with a serial card and a cable to plug into a PC DB9 serial port.  The Gumstix runs Linux which takes up around 9 Mbytes for the whole system!  Since my Gumstix had been used by someone else, it had an operating system on it already, more in a later post about replacing it.

I first tried the Gumstix with my MacBook Pro.   I put the BT antenna onto the motherboard and added the USB board. I then plugged it into my Mac's USB port.  A little light came on. Great.

I tried to connect to it using Bluetooth. The BT models have a BT serial port for talking to the Linux system on board.  This is covered in an excellent page, with pictures entitled Bluetooth on OSX.  Here are my distilled instructions for doing this (note the passkey may be 1234 or it may be BlueZ)
  1. Run the Bluetooth Setup Assistant
  2. Select Any device
  3. Select the device called Gumstix (0)
  4. Click on Passkey options and select Use a specific passkey. This is because unlike a keyboard you have no way of entering the random number that you are normally given for pairing.  The Gumstix has a passkey built in so you have to tell your Mac what it is so it knows what to expect.
  5. On the next screen you are asked to give the passkey that the Gumstix will send.  When I first got the Gumstix the passkey was 1234, when I put another system into it the passkey became BlueZ, so if one fails try the other.
  6. The Mac will then add the Gumstix to its list of devices.
If all went well that is all you have to do because the Mac sets up a special serial port for you to communicate with the Gumstix.  

To talk to the Gumstix, you simply have to start a terminal and then run one of my favourite programs - screen (before we had windowing systems I used to use screen to give myself multiple logins to the same machine and it also allowed me to login at work, start jobs, go home, dial in and pick up my session. Those were the days!)

Ok, back to business, at the terminal prompt enter:
  • screen /dev/tty.Gumstix-1 921600
Press return a couple of times and you will get a login prompt and will be able to log in. To leave screen enter: ^Aky  - that is three characters: control-A, k and y.

I have done this procedure several times now and a couple of times no serial port was set up.  In this case you have to add it yourself, here is the relevant window under Leopard:


If no ports are shown, click on the + and add a port.

Wednesday, January 02, 2008

Wordpress and Gallery2

Over the Christmas break I found myself setting up a blog and associated picture album for my wife and me to use to share our travel experiences and pictures. I came across the excellent v-slider theme from Rui Pereira. It is a great theme that integrates smoothly with the equally excellent Gallery2. One of the big plusses is that Rui has created many option pages for the theme. One of them is the colour editor, you can change all the colours simply by clicking on a colour and using the colour wheel to change it; no messy fiddling with set-up scripts.

Changing the v-Slider theme colours

One or two things I came across when I was installing it that might be useful for others include:

Photo and WPG link appearing on the links line.
The Gallery2 embedding is done with the help of a Wordpress plugin called WPG2. This automatically creates a link to the gallery called WPG at the top of the page. The v-slider theme also creates a link to the gallery called Photos. The v-Slider link cannot be removed easily but the WPG one can be removed by going to manage pages in Wordpress and changing the status of the page to private or unpublished. It disappears from the link line. Don't delete the page otherwise the gallery linking no longer works.

More columns in Gallery
After setting everything up I found that gallery only had two columns for the thumbnails but I wanted three or four. First, I changed the column width in the v-slider2 theme in Gallery. I set it to 200 pixels (from 250, I think), saved it and found that I now had three columns.

Unfortunately, due to the fact that Gallery2 is embedded within wordpress, I found that larger pictures were getting chopped when I looked at them. I had also set v-Slider to be fluid width rather than fixed and the gallery was certainly too narrow now. I increased the size of the embedded Gallery to 900 and now have a wider Gallery and four columns of thumbnails. Very nice! To switch the Gallery width, go to WordPress admin and click on WPG2. Choose the "WPG2 Output" tab and change the width in the header, this is my finished one:
.g2_column {width: 900px;margin: 0px 1px 0px 12px;}
Save it and go back to the Gallery.

Friday, October 26, 2007

Subclipse - old client?

After updating my Mac with Subversion 1.4.4 and running a status on one of my Java folders I got the following error in Eclipse:

Unsupported working copy format svn: This client is too old to work with working copy '/Users/fred/workspace/Project/lib'; please get a newer Subversion client

Well, I immediately made sure that I was up-to-date, I am running Subclipse 1.2.4. To find your version, go to Help|Software Updates|Manage Configuration. You will see your version number there.


Obviously Subclipse 1.2.4 is running the old Subversion client. I searched in several places to try to find a newer version but to no avail. I then explored SVNKit and found instructions for switching it on in Subclipse. SVNKit uses the newer Subversion 1.4 protocol and comes with Subclipse but it is not enabled by default.

To turn SVNKit on, go to Eclipse preferences and select SVNKit under the SVN option:



Click OK and you are ready to go with the latest version of SVN under Eclipse.

You will be asked to enter your password again or to choose your private key to use with the remote site if you are using ssh.

Sunday, February 25, 2007

OpenID

OpenID is a new way of authenticating yourself on the net. "[It's] an open, decentralized, free framework for user-centric digital identity." (http://openid.net) It's very simple and seems to me to be very versatile although the descriptions of it leave a little to be desired. I've had a close look at it and I like it, so here's my interpretation of OpenID.

One Username for all

The idea is that you create a unique id that you register somewhere with a password. Then you use your unique id and password at all the sites you visit. One id, one password, very simple. Sounds very much like the derided Microsoft Passport, right? Well, the basics are there but OpenID is so very much more versatile and not in the control of one single corporation.

One way of creating a unique id is to use a URL that you can prove you are the owner of. You register a name and password at any OpenID server, you can have your own on your own server if you want. You get back a URL that you can use to sign in to OpenID enabled sites. Mine is http://specialk.myopenid.com. When I give that name to a site, it contacts the OpenID server at the URL given and the OpenID server asks me for my password.

Ok, so far, neat but not earth shattering, it's still very much like MS Passport.

Persona

The OpenID server tells me which site wants me to login (well, that's obvious) and also about the fields of information that the site is asking for. It allows me to create a new persona showing optional and required fields that the site is asking for or to use an existing persona. I can then opt to allow the login and give the credentials once, or always.



One Password Site

From a security point of view, my password goes to the server site, not the site I am logging in to. One nice thing about this is that the server does not always require my password because once I have signed into the OpenID server site, the server knows who I am, it just asks which persona I want to use.

Myopenid.com also keeps track of sites that have asked for my credentials but there are anonymous servers around too, one where you can just make up an OpenID URL and start using it.

Ok, pretty neat now, but what if I want to change my OpenID server or it goes belly up, do I have to re-register with all the sites I want to use? Well, no, because I don't have to use the server's URL for my identity I can use one that I will always have e.g. one from my own domain and redirect that page to the OpenID server of my choosing.

I have set up a page on my site to use as my OpenID URL, it is at http://www.somewhere.com/openid/myname. This page contains:
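<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<!-- the OpenID server that performs the authentication -->
<link rel="openid.server"
href="https://www.myopenid.com/server" />
<!-- the identity registered at that server -->
<link rel="openid.delegate"
href="http://specialk.myopenid.com" />
</head>

<body/>
</html>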
What it does is redirect the request from the site you want to log into, to the real OpenID server. This allows me to have a permanent OpenID URL entirely under my control and I can change the server whenever I like. The sites I log in to will know me by my somewhere.com URL.

Neato or what?

Links

There are only a handful of sites using OpenID so far but Digg are planning to use it, Microsoft and AOL are involved, this could be big.

There are already many software libraries to make it easy to use OpenID for your sites.

Public OpenID servers offer different service extras, you can shop around.

Sunday, December 24, 2006

The Rudest Place On Earth?

This location in Austria has to be the rudest place on Earth. Not only that, where else can you get nine F***ing swear words on one single Google map? Literally! There is no trickery to this, just zoom out and see for yourself.

If you want to go there, the town's GPS co-ordinates are 48' 03"N 13' 51"E. Apparently the Brits have been heading over in droves and nicking the signs. I looked for the town on Google Maps after someone sent me this clipping, which I think has been making the rounds for quite a few years now. Click on the image for the full text:


Friday, September 01, 2006

Cygwin and Eclipse over X11

Problem
My MacBook HD has died. While I am awaiting its repair I've switched to my Windows XP machine. I needed to run Eclipse on a remote site where I will be running some demos next week. Shouldn't be difficult, simply run ssh into the remote Unix system, allow X11 to use the open connection and "Bob's your Uncle."

So, I installed Cygwin with X11 on XP and Eclipse on a remote Linux system. I opened the ssh connection, tested X11 with an xterm then started Eclipse but received several of the following errors
winMultiWindowXMsgProcErrorHandler -
ERROR: BadWindow (invalid Window parameter)
A few seconds later Eclipse/Java gave a fatal error and died. I tried running Firefox remotely, it had the same BadWindow errors but carried on running and worked perfectly.

Solution
After a long search on the Internet I came across CISC474, Unix Knowledge. It suggested using -Y instead of -X to start the ssh session i.e.
ssh -Y user@host.example.com
I tried Eclipse again, same errors but this time Eclipse carried on running.

The difference between -X and -Y?
From NC State University

Trusted vs. Untrusted X11 Forwarding

Due to security concerns (highlighted by a vulnerability in using SSH with Trusted X11 Forwarding), OpenSSH (as of version 3.8) now supports both untrusted (-X) and trusted (-Y) X11 Forwarding. The difference is what level of permissions the client application has on the X-server running on the client machine. Untrusted (-X) X11 Forwarding is more secure, but unfortunately most applications do not support running with less privileges as of yet. So when attempting to remotely access applications, using Trusted (-Y) X11 Forwarding will have fewer application problems for the near future.