SSH Trusted CA Key

It is now possible in OpenSSH to authenticate using trusted certificate authority (CA) keys. You sign a user's public key with the CA key; the CA's public key resides on the server, and any key signed by that CA is accepted for authentication. This is different from a user generating their own public and private keys (the typical key-based scheme for SSH authentication). The mechanics of making it work can be found here.

From the previous link:

Client:
1) ssh-keygen -f ca_rsa # generate an ssh keypair for use as a certificate

Server(s):
2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like

3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub to it

Client:
4) for a user generate a certificate of its public key
ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
This will generate an id_rsa-cert.pub certificate file

Client:
5) ssh user@server # connect to the server using the certificate
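The same flow end to end, as an added example that is not from the original post or the linked guide: it builds a CA, signs a user key restricted to a single principal with a validity window (the `-n` and `-V` options the guide's step 4 only hints at), and checks the resulting certificate against the CA before anyone relies on it. The key names, the `alice` principal and the temp directory are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post or the linked guide): build a user
# CA, sign a user key restricted to one principal and a validity window, and
# verify the certificate before relying on it. Everything lives under a temp
# dir; in real use ca_ed25519.pub is what goes into the TrustedUserCAKeys file.
set -eu
WORK=$(mktemp -d)

make_ca() {
    # CA keypair. Only the .pub half belongs on servers; the private half
    # should never sit on a host it vouches for.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/ca_ed25519"
}

sign_user_key() {
    # $1 = key id (sshd logs it on every login), $2 = principal (login name
    # the cert is valid for), $3 = validity interval such as +52w.
    # Writes $WORK/id_ed25519-cert.pub next to the user key.
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$WORK/id_ed25519"
    ssh-keygen -q -s "$WORK/ca_ed25519" -I "$1" -n "$2" -V "$3" -z 1 \
        "$WORK/id_ed25519.pub"
}

cert_has_principal() {
    # $1 = certificate file, $2 = principal. ssh-keygen -L prints each
    # principal on its own indented line under "Principals:".
    ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

cert_signed_by() {
    # $1 = certificate file, $2 = CA public key. Matches the CA fingerprint
    # against the cert's "Signing CA:" line; a cert from another CA fails.
    fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$fp"
}

make_ca
sign_user_key alice-laptop alice +52w
CERT="$WORK/id_ed25519-cert.pub"
cert_has_principal "$CERT" alice
cert_signed_by "$CERT" "$WORK/ca_ed25519.pub"
ssh-keygen -L -f "$CERT"      # shows key id, serial, validity, principals
```

Without `-n` the certificate is valid for any account on the server, and without `-V` it never expires, so both are worth setting on every cert you issue.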

FTDI USB to Serial Linux Driver

If you are like me you work with the FTDI brand of USB to serial converter chips frequently. These chips are incredibly useful and thus are utilized in many different products. I recently had the situation where I had a slightly outdated ftdi-sio driver but a new(ish) FTDI chip. I found a workaround here.

There are two parameters, vendor and product, that you can pass to the driver to allow it to communicate with a chip that has customized product and vendor codes. You can find the product and vendor codes using `lsusb` and you can pass the parameters using modprobe (`modprobe ftdi-sio vendor=0x1b3d product=0x0157`). You could put “ftdi-sio vendor=0x1b3d product=0x0157” inside ‘/etc/modules’ if you wanted to automate the process a bit. Don’t forget to prefix your product and vendor codes with 0x!


ssh-copy-id

I recently learned about `ssh-copy-id`. It’s a script that, at least on Debian systems, comes in the openssh-client package. It does what you might expect: it installs your public key in a remote machine’s authorized_keys. It wasn’t all that hard to do this yourself, but this makes it a single-step process.


Using Qemu to Create a PowerPC Emulator

The title of this entry is wrong but I couldn’t think of a better or more accurate one. This is really a simple post about setting up qemu to launch the Debian (ppc) installer. It turns out to be really simple. It’s just that qemu is so powerful that it is difficult to wade through all of the options.

First create a disk image. You use `qemu-img` to do that. I chose to use the qcow2 image format but there are a few other options. If you leave out the format it will choose one for you (according to the man page). I don’t need much space so I’ll create a 512MB image. The size of the image on disk is 256K after creation.

$ qemu-img create -f qcow2 debian-ppc.qemu 512M

Next download a PPC cdrom image from debian.org.

$ wget http://cdimage.debian.org/debian-cd/5.0.6/powerpc/iso-cd/debian-506-powerpc-netinst.iso

Now launch qemu using the installer image as the cdrom image and tell qemu to boot from the CD drive.

$ qemu-system-ppc -hda debian-ppc.qemu -cdrom debian-506-powerpc-netinst.iso -boot order=d

After you install your Debian system to the emulator you can skip the “-boot order=d”.

And now you have a Debian based PPC emulator.


Posix ACL Example

I ran into a situation where I wanted one user account to have access to a number of other accounts. The situation is for web hosting. On the server I administer we have domain accounts and user accounts. Every email account gets an actual account on the system. This makes it easy to use tools like spamassassin and have per-user preferences. The email accounts do not have shell access. The domain accounts can be thought of as mini root accounts. They should have access to all of the data for their account (obviously) as well as access to all of the data in the email user accounts. This allows a user to back up their domain. On my system the email user account home directories are located inside the domain account home directory:

/home/therowes.net                 # therowes.net domain account home directory
/home/therowes.net/users/greg # greg's home directory
/home/therowes.net/users/joe   # joe's home directory

Posix ACLs, which are supported by most filesystems in Linux such as ext2, ext3, and XFS, allow such a setup. I will not go into massive amounts of detail about Posix ACLs because I don’t feel that I know enough to make an informed post. Instead I’ll show an example that gives a master account access to slave accounts.

If you already have the files in place you have two steps. If you are just starting out you have just one step.

Step 1 is to set the default ACLs. These ACLs are automatically applied when new files and directories are created.

# setfacl --recursive --default --modify user:MASTER_ACCOUNT_NAME:rwx TARGET_DIRECTORY

Step 2 is to set the ACLs for the existing files. This step is optional if you don’t have existing files. I feel like there’s a better way to deal with the execute bit on directories than the way I do it below. If you know of a more elegant way please post a comment.

# find TARGET_DIRECTORY -type f -exec setfacl -m u:MASTER_ACCOUNT:rw {} ';'
# find TARGET_DIRECTORY -type d -exec setfacl -m u:MASTER_ACCOUNT:rwx {} ';'

Android Universal Remote Control

I was part of a conversation a while ago about how nice it would be to have an Android app that made it work as a universal remote control. The major stumbling block, and the reason why there aren’t boundless remote control apps already, is that most (all?) Android devices lack an IR transmitter. I thought of two ways to work around this limitation:

  1. Attach an IR transmitter to a device on your local LAN and then send the remote control codes via TCP. The downside here is that there are actually some people (and I know this can be hard to believe) that do not have a LAN in their home, much less a PC near their entertainment center.
  2. Attach an IR transmitter to the 3.5mm audio output jack. I wasn’t sure how difficult it would be to get the transmitter to work correctly by responding to an analog audio signal, but it seemed possible.

The Global Cache iTach family of products would work for option #1. In particular the WF2IR looks attractive. The prices I’ve seen are over $100 and so I probably won’t be buying one any time soon. To create a popular remote control app the hardware required for it must be cheap and easy to come by.

Thinkflood took the approach in option #2 with their RedEye products. The RedEye mini plugs into the 3.5mm jack and is just a little IR transmitter. At $50 I’m much more inclined to use a RedEye mini. I hope they create an Android application.


Motorola Droid Bluetooth Profiles

The following profiles are supported by the Motorola Droid (Milestone). I generated this list with links because I haven’t found a good location with everything written down in a clear manner.

Sources:
Motorola
Wikipedia
