Tiger warned me that IP forwarding was enabled this morning.  Its behaviour is definitely odd in terms of when it reports that something is afoot.

NEW: --WARN-- [lin015w] The system has IP forwarding enabled

I digress.  Good article here on how to disable/enable IP forwarding, but more importantly for my memory it also has the sysctl syntax, which I forget on a regular basis.

Check if IP Forwarding is enabled

We have to query the sysctl kernel value net.ipv4.ip_forward to see if forwarding is enabled or not:
Using sysctl:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just checking the value in /proc:

cat /proc/sys/net/ipv4/ip_forward
0

As we can see in both of the above examples, forwarding was disabled (shown by the value 0).  If it comes back 1 on a box that is not meant to route packets, find out what turned it on before turning it off: container runtimes such as Docker, libvirt's virtual networks and VPN daemons commonly enable it, and on an ordinary server a 1 is worth treating as a finding, which is exactly why Tiger flags it.
Enable IP Forwarding on the fly
As with any sysctl kernel parameters we can change the value of net.ipv4.ip_forward on the fly (without rebooting the system):

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

The setting is changed instantly, but it will not survive a reboot.
Permanent setting using /etc/sysctl.conf
If we want to make this configuration permanent the best way to do it is using the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

If you already have an entry for net.ipv4.ip_forward with the value 0, change it to 1.
To apply the changes made in sysctl.conf you need to run:

sysctl -p /etc/sysctl.conf

On current distributions also look in /etc/sysctl.d/*.conf: sysctl --system loads those files and then /etc/sysctl.conf, and the last assignment wins, so a snippet dropped in by a package can silently override your setting, or vice versa.  IPv6 forwarding is a separate key, net.ipv6.conf.all.forwarding, and the same check applies to it.
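
The check a practitioner actually wants is not just the live value but whether it matches what the persistent configuration will set on the next boot, since a stray sysctl -w (or a container runtime) leaves the two out of step.  The following script is an added example, not part of the original post or the MDLog article; it assumes GNU sed and the standard load order in which /etc/sysctl.conf is read after /etc/sysctl.d/*.conf, and the file paths are parameters so it can be run against copies of the files.

```sh
#!/bin/sh
# Audit IP forwarding: compare the running kernel value with what the
# persistent sysctl configuration would apply on the next boot.

# Live value from a /proc/sys file. The path is a parameter so the function
# can be pointed at a copy of the file when testing.
live_forwarding() {
  tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# What sysctl -p / sysctl --system would end up setting for a key:
# files are read in the order given, the last assignment wins, and
# comments and blank lines are ignored. Prints "unset" if no file sets it.
# $1 = key (e.g. net.ipv4.ip_forward), $2.. = config files in load order.
# (The dots in the key are matched as regex wildcards, which is harmless here
# because the key must be followed directly by optional spaces and "=".)
persistent_forwarding() {
  local key val v f
  key=$1; shift
  val=""
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(sed -n -E "s#^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([0-9]+).*#\1#p" "$f" | tail -n 1)
    if [ -n "$v" ]; then val=$v; fi
  done
  printf '%s\n' "${val:-unset}"
}

# Report one key. Exit status 0 when live and persistent agree, 1 when they
# drift, which is the case worth investigating (something changed it at
# runtime, or a reboot will undo a change you meant to keep). "unset" is
# compared as 0, the kernel default for the forwarding keys.
# $1 = key, $2 = /proc/sys file, $3.. = config files in load order.
report_drift() {
  local key proc live want want_eff
  key=$1 proc=$2; shift 2
  live=$(live_forwarding "$proc")
  want=$(persistent_forwarding "$key" "$@")
  case $want in unset) want_eff=0 ;; *) want_eff=$want ;; esac
  printf '%s: live=%s persistent=%s\n' "$key" "$live" "$want"
  [ "$live" = "$want_eff" ]
}

# Audit both address families on the local host, in the real load order.
audit_host() {
  local rc
  rc=0
  report_drift net.ipv4.ip_forward /proc/sys/net/ipv4/ip_forward \
    /etc/sysctl.d/*.conf /etc/sysctl.conf || rc=1
  report_drift net.ipv6.conf.all.forwarding /proc/sys/net/ipv6/conf/all/forwarding \
    /etc/sysctl.d/*.conf /etc/sysctl.conf || rc=1
  return $rc
}

# Run the live audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
  audit_host
fi
```

Run it as `sh audit-forwarding.sh --live`; a non-zero exit means at least one key differs between the running kernel and what the next boot will load.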

There is some good stuff down in the comments too.
Thanks MDLog.


Apparently Dell’s TPM / VT Trusted Execution setting (Intel TXT) is incompatible with 64-bit virtual guests.  You must go into the BIOS and disable VT Trusted Execution under the virtualization settings to get them to work.  The alternative is to disable the TPM entirely, since it is highly unlikely you are using it anyway.  (Caveat: be sure your corporate whole-disk encryption does not rely on it; WDE that seals its key in the TPM will stop unlocking, or demand its recovery key, once the TPM is off.)  If you go this route, you must actually power off, not just reboot, for the change to take effect.


In my efforts to build a new router (more to come on that topic), I needed to make an ISO image bootable from a USB drive.  My Googling led me to this simple, straightforward article.

Thanks Lnx2.

I have made some slight modifications and formatting to the original steps based on what I found to work.

There are two methods.  Method 1 writes the filesystem directly to the device without a partition table.  Method 2 is the more traditional partitioned layout.

1. Method (/dev/sdX is your USB flash drive):

A) Create a filesystem on the whole device without a partition table (saves some space, and you don’t have to worry about the MBR):

sudo mkdosfs -I -v -n Ubuntu -F 32 /dev/sdX

B) Create the “volume boot record” and the file ldlinux.sys using this command:

sudo syslinux /dev/sdX

C) Mount the ISO image and the USB drive on two separate mount points (the original steps used one path for both, which cannot work; /mnt/iso and /mnt/usb are used from here on):

sudo mkdir -p /mnt/iso /mnt/usb
sudo mount -o loop /path/to/file.iso /mnt/iso
sudo mount /dev/sdX /mnt/usb

D) Copy all of the files in the ISO to the USB drive.  Copying the mount point’s “.” entry picks up dotfiles too, without the “.*” glob pulling in “..” and recursing into the parent directory:

sudo cp -a /mnt/iso/. /mnt/usb/

E) On the USB drive, rename the isolinux directory to syslinux and isolinux/isolinux.cfg to syslinux/syslinux.cfg:

cd /mnt/usb
sudo mv isolinux syslinux
sudo mv syslinux/isolinux.cfg syslinux/syslinux.cfg

F) Unmount both so everything is flushed to the stick, then reboot:

cd /
sudo umount /mnt/usb /mnt/iso

2. Method (/dev/sdX is your USB flash drive):

A) Create a partition table and a single partition spanning the drive, and mark it active; syslinux’s mbr.bin boots whichever partition carries the boot flag:

sudo parted /dev/sdX

In parted:

mklabel msdos
mkpart primary fat32 0% 100%
set 1 boot on
quit

B) Create a filesystem on the first partition:

sudo mkdosfs -v -n Ubuntu -F 32 /dev/sdX1

C) Overwrite the MBR (on newer distributions the file lives at /usr/lib/syslinux/mbr/mbr.bin):

sudo dd if=/usr/lib/syslinux/mbr.bin of=/dev/sdX bs=440 count=1 conv=notrunc

D) Create the “volume boot record” and the file ldlinux.sys on the partition:

sudo syslinux /dev/sdX1

E) Mount the ISO image and the first partition of the USB drive:

sudo mkdir -p /mnt/iso /mnt/usb
sudo mount -o loop /path/to/file.iso /mnt/iso
sudo mount /dev/sdX1 /mnt/usb

F) Copy all of the files in the ISO to the USB drive:

sudo cp -a /mnt/iso/. /mnt/usb/

G) Rename the isolinux directory to syslinux and isolinux/isolinux.cfg to syslinux/syslinux.cfg:

cd /mnt/usb
sudo mv isolinux syslinux
sudo mv syslinux/isolinux.cfg syslinux/syslinux.cfg

H) Unmount and reboot:

cd /
sudo umount /mnt/usb /mnt/iso
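
Once the steps are in a script you can add the guards that matter when dd and mkdosfs are pointed at a raw device.  What follows is an added example and not the Lnx2 article’s own script; it implements method 2 with three checks: the target must be a whole disk named like /dev/sdX and not a partition, nothing on it may be mounted, and the ISO’s SHA-256 must match the hash you copied from the download page before anything is written.  The mount points /mnt/iso and /mnt/usb and the mbr.bin path are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```sh
#!/bin/sh
# Method 2 above as a script with safety checks. DRY_RUN=1 prints instead
# of executing. Mount points and the mbr.bin path are assumptions.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Accept only a whole disk (/dev/sdb), never a partition (/dev/sdb1).
is_whole_disk() {
  case "$1" in
    /dev/sd[a-z]|/dev/sd[a-z][a-z]) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse if the disk or any of its partitions is currently mounted: the
# usual way to wipe the wrong drive is to pick the one you booted from.
is_mounted() {
  grep -qE "^$1[0-9]* " /proc/mounts
}

validate_target() {
  if ! is_whole_disk "$1"; then
    echo "refusing: $1 is not a whole disk of the form /dev/sdX" >&2; return 1
  fi
  if is_mounted "$1"; then
    echo "refusing: $1 or one of its partitions is mounted" >&2; return 1
  fi
  if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "$1" ]; then
    echo "refusing: $1 is not a block device" >&2; return 1
  fi
  return 0
}

# make_usb /dev/sdX /path/to/file.iso [expected-sha256]
# The hash is checked before anything touches the device, so a corrupt or
# tampered download never gets as far as the stick.
make_usb() {
  local dev iso sha actual
  dev=$1 iso=$2 sha=${3:-}
  validate_target "$dev" || return 1
  [ -f "$iso" ] || { echo "no such ISO: $iso" >&2; return 1; }
  if [ -n "$sha" ]; then
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$sha" ] || { echo "checksum mismatch for $iso" >&2; return 1; }
  fi
  # A) partition table, one partition, boot flag (what mbr.bin looks for)
  run sudo parted -s "$dev" mklabel msdos mkpart primary fat32 0% 100% set 1 boot on
  # B) filesystem on the first partition
  run sudo mkdosfs -v -n Ubuntu -F 32 "${dev}1"
  # C) syslinux MBR; bs=440 keeps the write inside the boot code area
  run sudo dd if=/usr/lib/syslinux/mbr.bin of="$dev" bs=440 count=1 conv=notrunc
  # D) volume boot record + ldlinux.sys
  run sudo syslinux "${dev}1"
  # E) mount ISO and partition on separate mount points
  run sudo mkdir -p /mnt/iso /mnt/usb
  run sudo mount -o loop "$iso" /mnt/iso
  run sudo mount "${dev}1" /mnt/usb
  # F) copy everything, dotfiles included, without matching ".."
  run sudo cp -a /mnt/iso/. /mnt/usb/
  # G) isolinux -> syslinux rename
  run sudo mv /mnt/usb/isolinux /mnt/usb/syslinux
  run sudo mv /mnt/usb/syslinux/isolinux.cfg /mnt/usb/syslinux/syslinux.cfg
  # H) flush and detach
  run sudo umount /mnt/usb /mnt/iso
  run sync
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ $# -ge 2 ]; then
  make_usb "$@"
fi
```

Usage: `DRY_RUN=1 sh make-usb.sh /dev/sdb ubuntu.iso <sha256>` to review the plan, then the same without DRY_RUN.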


The following steps outline the process of using public key authentication for SSH with PuTTY as your client.  If you follow the entire guide and get it right, you will not have to type in your username/password for the servers you have set up; the passphrase on your private key, entered once into Pageant, stands in for it.

Install files
Copy putty.exe, puttygen.exe, pscp.exe, psftp.exe and pageant.exe to c:\windows\system32 (or anywhere else on your PATH).

Generate your key pair.

Start -> Run -> puttygen
Change the “Number of bits in a generated key” from 1024 to 2048 or higher; 1024-bit RSA is no longer considered adequate.
Click Generate.
You will need to move the mouse around in the area with the progress bar until the bar completes.  This process gathers random data to create your key from.
Once complete, it will display the key contents.
In the key comment box, change the value to something you will recognise, such as the machine the key lives on.
Enter a passphrase and repeat it.
Click the “Save private key” button and save your private key.  I saved mine to My Documents with the same name I placed in the comment.
Click the “Save public key” button and do the same.  I changed the extension to .pub for identification.  Note that this file is in PuTTY’s own (RFC 4716) format and will not work if pasted into authorized_keys as-is; the text box at the top holds the OpenSSH one-line form, which is what you want.
Next, copy the public key from the top box.  Be sure to get the entire thing.  It is a single line that starts with ssh-rsa and ends with what you typed in the comment box.
Log onto each server and paste the following lines, with your key in place of the line that says “<Paste authorized key data here, overwriting this line>”.  None of the placeholder text should remain.  This creates the .ssh folder and the authorized_keys file with the permissions sshd insists on, and appends to authorized_keys rather than overwriting it, so any keys already there survive:

cd
mkdir -p .ssh
chmod 0700 .ssh
cat << 'EOF' >> .ssh/authorized_keys
<Paste authorized key data here, overwriting this line>
EOF
chmod 0600 .ssh/authorized_keys

Close puttygen.

Setup your saved sessions in Putty.

Start -> Run -> putty

Adjust Default Session.
These steps set the default settings of your instance of PuTTY to use the private key you just generated.

In the Saved Sessions box, select Default Settings and click Load.
Browse the tree on the left to Connection -> SSH -> Data.
Enter your username in the Auto-login username box.
Browse the tree on the left to Connection -> SSH -> Auth.
Click the Browse button and select the private key you saved earlier.  It will have a .ppk extension.
Browse back to the Session section on the left.
Click Save.

Existing Sessions.
Repeat this process for each server you created the authorized_keys file on, either by changing an existing saved session or creating a new one.

Testing Public Key authentication
Using a session you have set up as above, connect to the server.
You should be prompted for your key passphrase.  If you are prompted for your password instead, the server did not accept the key and you need to troubleshoot.  The usual culprits are permissions on ~/.ssh or authorized_keys (sshd silently ignores the file if either is group- or world-writable), a key line that got wrapped onto several lines when pasted, and the wrong .ppk selected in the session; the server’s auth log says which.

Once you get it working, move onto the Putty Agent section.

Putty Agent
The following steps create a shortcut in the Startup folder so that each time you log on, Pageant starts automatically and loads the private key.

Start -> All Programs -> Right-click on Startup, click Open.
Right-click in the window, select New -> Shortcut.
In the field enter: pageant "c:\path\to\private_key.ppk"
Mind the quotes around the path.
Click Next.
Give it a name such as “Putty Agent”.
Click Finish.

Test Public Key authentication with Putty Agent.

Start -> All Programs -> Startup -> Putty Agent (or whatever you named the shortcut).
You will be prompted to enter the passphrase for your private key.
Enter the passphrase.
You will now see a little computer screen with a hat on it in the system tray.
Open PuTTY and use one of the sessions set up previously for Public Key authentication.
This should log you in automatically without prompting for a password or passphrase.  Keep in mind what that means: while Pageant is running, anything that can talk to it in your desktop session can authenticate as you, so lock the screen when you walk away.
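
The server-side step above is the one that goes wrong most often: a key pasted as several lines, the wrong file format, or a redirect that wipes out keys other people had already installed.  The script below is an added example, not part of the original post; it assumes nothing about your server beyond a POSIX shell and coreutils, the key types and base64 prefixes it knows are listed in it, and it checks that what you pasted is a single OpenSSH public-key line whose blob matches its declared type before appending it exactly once with the permissions sshd requires.

```sh
#!/bin/sh
# Validating, idempotent replacement for the "cat << EOF >> authorized_keys"
# step. Usage: install_authorized_key "ssh-rsa AAAA... comment" [~/.ssh]

# The base64 blob of an OpenSSH public key starts with the length-prefixed
# key type string, so the first characters are fixed per type:
# "ssh-rsa" always begins AAAAB3NzaC1yc2E, "ssh-ed25519" AAAAC3NzaC1lZDI1NTE5.
blob_prefix_for() {
  case "$1" in
    ssh-rsa)             echo AAAAB3NzaC1yc2E ;;
    ssh-ed25519)         echo AAAAC3NzaC1lZDI1NTE5 ;;
    ecdsa-sha2-nistp256) echo AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
    *) return 1 ;;
  esac
}

# Check one authorized_keys line: "type base64-blob [comment]".
# Rejects multi-line pastes, RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----"
# blocks (what puttygen's "Save public key" writes), unknown key types,
# blobs that do not match the declared type, and non-base64 junk.
valid_pubkey_line() {
  local line type blob prefix
  line=$1
  if [ "$(printf '%s' "$line" | wc -l)" -ne 0 ]; then
    echo "key must be a single line" >&2; return 1
  fi
  set -f; set -- $line; set +f      # split on whitespace, no globbing
  type=$1 blob=${2:-}
  prefix=$(blob_prefix_for "$type") || { echo "unknown key type: $type" >&2; return 1; }
  case "$blob" in
    "$prefix"*) ;;
    *) echo "blob does not match key type $type" >&2; return 1 ;;
  esac
  printf '%s' "$blob" | grep -qE '^[A-Za-z0-9+/]+=*$' \
    || { echo "blob is not base64" >&2; return 1; }
  return 0
}

# Append the key to authorized_keys under $2 (default ~/.ssh) unless it is
# already there, creating the directory and file with sshd's required modes.
install_authorized_key() {
  local key dir
  key=$1 dir=${2:-$HOME/.ssh}
  valid_pubkey_line "$key" || return 1
  ( umask 077
    mkdir -p "$dir" && chmod 0700 "$dir" \
      && touch "$dir/authorized_keys" && chmod 0600 "$dir/authorized_keys" ) || return 1
  if grep -qxF -- "$key" "$dir/authorized_keys"; then
    echo "already installed in $dir/authorized_keys" >&2
  else
    printf '%s\n' "$key" >> "$dir/authorized_keys"
    echo "installed in $dir/authorized_keys"
  fi
}

# Constructed sample for demonstration: the blob carries the correct ssh-rsa
# prefix but is otherwise made up and is not a usable key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDConstructedSampleBlobNotARealKey laptop-putty'
```

Paste the real line from puttygen’s top box as the first argument; running it a second time is harmless, which is what you want from anything executed on every server in a loop.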


As you use Ubuntu, you are bound to come across a time when you want to build a custom file association.  Inevitably, you will make a mistake in that association and end up with a second, wrong entry in your list of available applications.

I managed to do this while installing uTorrent via CrossOver.  The entry in the available applications list also had a funky ^C2^B5 (CrossOver’s escaping of the UTF-8 bytes for the “µ” in µTorrent) that got turned into the entry name automagically.

When I managed to get it all sorted out, I ended up with two entries in there: one that worked but had a crap-tastic name, and one that did not work but had the right name.  That is when I started digging into how to manually create/remove those entries.

It turns out that it is very easy.

The available associations are located in ~/.local/share/applications

It should be fairly obvious which one you need to edit/delete when you list the contents of that directory.

This is the resulting file I had after correcting and assigning the icon.

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Icon=/home/jon/.cxoffice/utorrent/windata/Desktop.C^5E3A^5Fwindows^5Fprofiles^5Fcrossover^5FDesktop/^C2^B5Torrent.xpm
Exec="/home/jon/.cxoffice/utorrent/desktopdata/cxmenu/StartMenu.C^5E3A^5Fwindows^5Fprofiles^5Fcrossover^5FStart^2BMenu/^C2^B5Torrent" %f
Name=uTorrent
Comment=Custom definition for crossover uTorrent
NoDisplay=true

If you use this, a couple of things to note.  My username is jon and the bottle I created in CrossOver is called utorrent; adjust those two and you should be able to copy/paste and have a file association ready to go for uTorrent, including a spiffy icon.  NoDisplay=true keeps the entry out of the applications menu while still making it available for file associations (the Open With list), and %f in the Exec line is what passes the chosen file to the program.


Anyone who runs GNU/Linux is bound to need a console at some point.  Sometimes it is just easier to switch over to a virtual console and do what you need to do.  The default state of most consoles is an 80×25 character text display, which is basically useless if you want to see any kind of information.

The simple solution to this minimalist display is to set the vga kernel flag.  This allows you to set the resolution of your console framebuffer to something more useful.

The default settings example shows vga=791.  This puts your console in a 1024×768 resolution at 16-bit colour, which, while not great, is a significant boost over the standard text console.  If you simply enable this resolution, you will notice the Ubuntu usplash logo is off centre.  Very annoying.  The following steps are needed to make your console framebuffer something to look at.

1. Figure out what resolution your primary monitor supports.  This is typically what you have your desktop resolution set to.

2. Determine what your vga kernel flag needs to be set to.

The Wikipedia article on VESA BIOS Extensions will probably answer your questions.  Specifically, the section on Linux Video Modes.

For us widescreen users, the standard VESA list is less helpful.  Through experimentation I found that vga=840 gives me 1400×1050@16bit on my Dell Inspiron 1505 with the NVidia 7300 Go.  The kernel’s mode menu lists this mode as 348; that number is hexadecimal, and 0x348 is 840 in decimal, so it does follow the rule in the Wiki article once you notice that the menu’s numbers are printed in hex and already include the 512 (0x200) offset.  The mode itself is vendor-defined rather than a standard VESA number, which is why it is not in the Wiki table.

Note: Don’t worry too much about getting it wrong.  One of two things will happen.  1. You will get no display or 2. you will get a grub screen telling you your video mode is unsupported.  I will cover how to correct this in a moment.

3. Edit your menu.lst file and add the vga= option in two places.  First, add it to the default options line.  You are looking for this line.
# defoptions=quiet splash

Change it to:
# defoptions=quiet splash vga=840

Be sure to set the 840 to the mode that represents your preferences.

Next change the default Boot menu kernel entry at the bottom. In a standard Ubuntu build, the default entry will be the first entry following this line.

## ## End Default Options ##

It will look something like this:
title Ubuntu 8.10, kernel 2.6.27-9-generic
uuid 636dc411-e53a-4776-a9e9-4fc9e277f445
kernel /boot/vmlinuz-2.6.27-9-generic root=UUID=636dc411-e53a-4776-a9e9-4fc9e277f445 ro quiet splash
initrd /boot/initrd.img-2.6.27-9-generic
quiet

You need to add the vga=### to the end of the kernel line so it looks like this.

kernel /boot/vmlinuz-2.6.27-9-generic root=UUID=636dc411-e53a-4776-a9e9-4fc9e277f445 ro quiet splash vga=840

4. Next you need to update the usplash config to match the resolution.  This is how you keep the logo centered.

sudo vi /etc/usplash.conf

Change the x and y resolution lines to match your chosen resolution.

# Usplash configuration file
xres=1400
yres=1050

5.  Update your initramfs to take advantage of the usplash settings change.

sudo update-initramfs -u

6. Reboot.

You should see a smaller, higher resolution Ubuntu logo and then Gnome startup.

Upon reboot, if you get a blank screen, you chose a resolution larger than what your display can support.  The quick fix is to press e at the grub menu, edit the kernel line to remove vga=840 for that one boot, and press b to boot it.  Otherwise, boot your Ubuntu CD and choose rescue mode.  From there, choose a command prompt for the rescue CD, cd to /target/boot/grub and edit menu.lst with nano, removing vga=840 from the kernel entry at the bottom.

If instead you get a message saying you have set an invalid mode, press the space bar to see a list of valid modes; type scan and press Enter for the complete list.  This table is what I used to help determine the 840 setting for my display.  Select the letter representing your choice and your machine will continue to boot.

The entries listed in the table are the only modes your video card supports.  Find the entry that best matches your display preferences without exceeding the maximum resolution of your monitor.  The number shown for it is hexadecimal and is already the value vga= expects, offset included: put it in menu.lst as vga=0x348, or convert it to decimal (0x348 = 840).  Adding another 512 to it, as the Wiki’s rule for raw VESA mode numbers would suggest, lands on a different mode, which is the invalid mode error all over again.

Note:  The number following the resolution is the colour depth, the number of bits used to describe colour.  Unless you have a specific limitation, it is safe and preferable to choose the highest number following your chosen resolution.  You will typically see 8, 16 and 32.

My monitor supports 1650×1050 max resolution.  The max resolution my video card supports is 1600×1200.  Since 1200 is greater than 1050, if I chose this resolution my monitor would not display and/or would give me an error indicating that it is out of range.  In my case, my next best choice was 1400×1050@16bit.  The menu displayed this resolution as VESA 348.  My next step was to convert the VESA mode to a Linux VGA mode.  Per the VESA BIOS Wiki I linked earlier, the standard is to add 512 to the VESA mode, which would give me 860.  I set vga=860 and rebooted.  Same problem, but it gave me an error stating 361 was not a valid mode.  Since my goal was 348, I tried decreasing it by 12.  I set vga=853 and rebooted.  I got the grub error again, but it said that 355 was not a valid mode.  Some simple math showed that I moved from 361 to 355 by subtracting 12 from the VGA mode; this time I needed to move 7.  I subtracted 13 this time, which gave me 840 and no grub errors on boot.  In hindsight, the errors were telling me the hex spelling of what I had typed: 853 is 0x355, and 840 is 0x348, the very mode I was after.
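
Two helpers for step 3, added here as an example and not taken from the original post: the mode conversions that the trial-and-error above was groping for, and an idempotent edit of menu.lst that sets or replaces vga= on the defoptions line and every kernel line (update-grub regenerates the latter from the former, so both are kept in step).  It assumes GNU sed for the in-place edit and keeps a .bak copy of the file.

```sh
#!/bin/sh
# Mode-number conversions and a menu.lst editor for the vga= kernel flag.

# The kernel's mode menu (and its "invalid mode" message) prints numbers in
# hex and already includes the 0x200 offset: 348 there means vga=0x348 = 840.
menu_mode_to_vga() {
  printf '%d\n' "$((0x${1#0x}))"
}

# A raw VESA mode number (the Wikipedia table, e.g. 0x117 for 1024x768x16)
# needs the 0x200 (512) offset added to become the vga= value: 0x117 -> 791.
vesa_to_vga() {
  printf '%d\n' "$((0x${1#0x} + 0x200))"
}

# Set "vga=$2" on every "# defoptions=" and "kernel" line of menu.lst $1,
# replacing any vga= already there, and keep a backup of the original.
# Running it twice with the same mode leaves exactly one vga= per line.
set_vga_mode() {
  local f mode
  f=$1 mode=$2
  cp -p "$f" "$f.bak" || return 1
  sed -E -i \
    -e "/^(# defoptions=|kernel[[:space:]])/{ s/[[:space:]]+vga=[0-9a-fA-Fx]+//g; s/\$/ vga=$mode/; }" \
    "$f"
}
```

Typical use after reading 348 off the kernel’s menu: `set_vga_mode /boot/grub/menu.lst "$(menu_mode_to_vga 348)"`, then the usplash and update-initramfs steps as above.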


I have an Ubuntu 8.10 AMD64 server.  In the syslog, I was getting the following error every few minutes.

console-kit-daemon[5013]: CRITICAL: cannot initialize libpolkit

The error is triggered by the update-motd cron job, which runs every 10 minutes.

This is a bug in Intrepid.  console-kit-daemon requires PolicyKit as a dependency, but Intrepid (Server AMD64) does not install it when it installs console-kit-daemon.

The simple fix is to install policykit.

sudo apt-get install policykit

On the next run of the update-motd job the error is gone.


A year or so ago a friend of mine told me about this little app called Synergy.  It is an open source utility which allows you to use a single keyboard/mouse to manage multiple PCs.  It is a very slick little tool that works on Linux, Windows and OS X.

It is a client-server setup.  The server is the PC which has the keyboard and mouse attached to it.  The client is a very small agent running on each other PC.  Configuration for the client is simply providing the DNS name or IP of the server.  The server config is just a hair more involved: you have to tell it which clients are connecting to it and how they relate to each other for mouse movement.

The behaviour acts like you have multiple monitors.  Simply move the mouse to the edge of the screen you have defined in the layout and it starts moving on the other PC.  I don’t see any limit on the number of PCs you can have connected, though I am sure there is a point where it would become cumbersome to move between all of the screens.  One thing to keep in mind: keystrokes and clipboard contents, passwords included, cross the network, and Synergy of this era sends them over plain TCP with no encryption, so keep it to a trusted LAN or tunnel the connection over SSH.

Of course Ubuntu Communities has nice documentation on how to configure it, including for autostart at various points.


During Defcon a new tool was demonstrated that automates hijacking GMail accounts.  This only applies to those of you using GMail, not Google Hosted Apps.

The problem is in how GMail uses encryption.  By default it only uses SSL for the login, after which the session runs over plain HTTP.  As described here and here, that leaves your actual email unencrypted on the wire, and worse, the cookie that proves you are logged in goes out in the clear with every request; anyone on the same network who captures it can replay it and read your mail without ever knowing your password, which leaves a door into your account that the login step never sees.

The simple fix is to go into your account Settings, scroll to the bottom, select “Always use HTTPS” and click Save Changes.  This keeps your entire session with GMail encrypted and mitigates the risk of your account being hijacked that way.  Combine this with Perspectives and you have a pretty solid security setup.


A nice guide that covers the most common commands and functions in vi.


A nice set of Linux How-tos and guides over at linuxscrew.com covering Bash, utils, the file system, iptables, advanced routing topics and hardening.


I guess I missed it.. RC2 was released on the 19th.  As I write this, I am downloading the latest and greatest from VMWare.  The first thing I notice is HOLY BATBYTES.  The thing is 532MB.  Last I looked, ESX wasn’t 532MB and it is a LOT more server.  It is a freaking OS AND server.  What the hell are they including in this thing?  Now, I agree that a lot of that size could be symbols and other debugging stuff since this is an RC.  But jebus, 532MB!!!

Anyway.. the download is complete.  Let’s proceed with the update!

Download Update- check
unpack update- check
stop vms- check
get cold sweat from the thought of dealing with the WebUI- check

The install is just like all of the others.  Very straight forward and nothing new.  One nice perk though, it didn’t have to compile any modules for my Ubuntu Server.

First complaint.. it did not keep my certificate settings.  It renamed them, but did not retain what I had already.  So this acted more like a reinstall than an upgrade.  :/

Odd.. it did keep some of my other configuration changes though.

A new ‘feature’ that is a gotcha.. every time they update the plugin for the remote console, you will have to restart your browser.  Nothing like being forced to restart your browser because you upgraded VMWare on a different box.  At least the console worked after the upgrade.

You lose another point VMWare.

Here is a CRAZY idea.. you already created a browser plugin.. give me the ability to power-on/off, restart, and upgrade vmware tools from it.  Maybe that would be an acceptable compromise to forcing us to use Apache, Tomcat, and a crappy web interface/browser plugin.  GRRR

On the tools upgrade.. I didn’t have to compile the modules.  I know.. that will last probably 2-3 more weeks till the next kernel patch for Ubuntu comes out.

A new feature – VMWare Sync.  A backup solution of some sort.. it states go look at the KB for more info..  LOOKING…..  Nothing found.. That also brings up another interesting point..

Per the release announcement, this is the final RC and it will contain

The RC2 build primarily incorporates fixes that we have incorporated since RC1 was released on July 1. So, no new features…….

It clearly states during the tools install.. this is a new beta feature.  I think someone is confused.

The damn prompting for a client certificate is still there. WTF, over?

All in all.. a smooth update.  They didn’t fix anything that was apparently broken, aside from the Remote Console plugin now working with Fx 3.0.1.  How long till it has to be fixed again?

The number one take away is.. Don’t forget to update your console plugin before you get too far into the upgrade.


Getting the Citrix ICAClient to work in Linux, or Ubuntu specifically, is a fairly simple task.  There is one catch that causes most of the hangups.

The hangup comes from the design of the ICAClient and a common issue with Linux distros.

The ICAClient requires a certificate chain it trusts from your Citrix server (XenApp server, as it is now called) back to a root CA.  Unfortunately, the client only ships with a handful of root CA certs in its own keystore, so unless your server’s certificate chains to one of those you must add the root yourself.

If you are running Ubuntu (I am sure there are others that can benefit from this), you can take advantage of the very complete store you likely already have on your install.

First step.  Check whether you have the ca-certificates package installed and, if not, install it:
sudo apt-get install ca-certificates
This places all of the root CA certificates under /usr/share/ca-certificates as PEM .crt files, which is the format the ICAClient keystore reads.  The ones we are interested in are those from Mozilla.

Next, replace the Citrix cacerts directory with a link to the Mozilla collection (newer client versions install under /opt/Citrix/ICAClient instead of /usr/lib/ICAClient):
cd /usr/lib/ICAClient/keystore
sudo mv cacerts cacerts.orig
sudo ln -s /usr/share/ca-certificates/mozilla cacerts

And that is it.  Fire up Firefox or your browser of choice and connect to your Citrix apps.

Two things worth knowing about this shortcut.  The client now trusts exactly the set of roots your browser does, and it picks up ca-certificates updates automatically, which is fine for a server with a certificate from a public CA.  If your XenApp server uses an internal corporate CA, that root is not in the Mozilla set, so copy its PEM file into the cacerts directory as well (with the symlink above that means into the Mozilla directory; if that bothers you, make cacerts a real directory again and copy in just the roots you need).


For those of you who use public/private keys for whatever reason, chances are you have a few that are encrypted.  You can tell they are encrypted if you are prompted for a passphrase when you try to sign/encrypt/use the private key.  It is good practice to change the passphrase on occasion.  I would personally recommend doing so every time you change your primary password, which is of course every 30-45 days, isn’t it? ;)

To change the passphrase on an encrypted private key using OpenSSL, issue the following command.  It prompts for the current passphrase and then for the new one:

openssl rsa -in encrypted.key -aes256 -out encrypted.key.new
encrypted.key = the filename of your private key.
encrypted.key.new = the key now encrypted with your new passphrase.
Note: These can be the same file, but it is a good idea to test your new passphrase before you delete/overwrite the old key.

The -aes256 option can be replaced by -des, -des3, -aes128 or -aes192.  Stick with the AES options: single DES has a 56-bit key and is brute-forceable, and 3DES is deprecated.  One more caveat: with OpenSSL 1.x this command writes the legacy PEM format, whose passphrase-to-key derivation is a single MD5 pass, so the strength of the passphrase is all that protects the file; OpenSSL 3 writes PKCS#8 with PBKDF2 by default, and you can ask for that explicitly on any version with openssl pkcs8 -topk8 -v2 aes-256-cbc.
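
The commands below are an added example and not part of the original post.  They rotate the passphrase the way you would want to on a key you care about: the new file is written in PKCS#8 with PBKDF2 (HMAC-SHA-256, 600,000 iterations) and AES-256-CBC rather than the legacy format, the passphrases come from environment variables so they never appear in ps output or shell history, and the new file is proven to open with the new passphrase only and to contain the same key before you are told it is safe to replace the old one.  OpenSSL 1.1.0 or newer is assumed for the -iter and -v2prf options.

```sh
#!/bin/sh
# Rotate the passphrase on an encrypted private key, safely.
# Usage: OLD_PASS=... NEW_PASS=... rotate_key_passphrase in.key out.key

# Return 0 if the key in $1 decrypts with the passphrase in env var $2.
key_unlocks() {
  openssl pkey -in "$1" -passin "env:$2" -noout 2>/dev/null
}

# Public key of $1 (unlocked with env var $2); used to prove the rotated
# file still holds the same private key.
public_of() {
  openssl pkey -in "$1" -passin "env:$2" -pubout 2>/dev/null
}

rotate_key_passphrase() {
  local in out
  in=$1 out=$2
  if [ -z "${OLD_PASS:-}" ] || [ -z "${NEW_PASS:-}" ]; then
    echo "set OLD_PASS and NEW_PASS in the environment" >&2; return 1
  fi
  if [ "$OLD_PASS" = "$NEW_PASS" ]; then
    echo "new passphrase must differ from the old one" >&2; return 1
  fi
  key_unlocks "$in" OLD_PASS || { echo "OLD_PASS does not unlock $in" >&2; return 1; }
  # Write PKCS#8 / PBKDF2-HMAC-SHA256 / AES-256-CBC, file mode 0600 via umask.
  ( umask 077
    openssl pkcs8 -topk8 -in "$in" -passin env:OLD_PASS \
      -v2 aes-256-cbc -v2prf hmacWithSHA256 -iter 600000 \
      -out "$out" -passout env:NEW_PASS ) || return 1
  # Verify before anyone deletes the old key: the new file must open with the
  # new passphrase, must not open with the old one, and must hold the same key.
  if ! key_unlocks "$out" NEW_PASS || key_unlocks "$out" OLD_PASS \
     || [ "$(public_of "$in" OLD_PASS)" != "$(public_of "$out" NEW_PASS)" ]; then
    rm -f "$out"
    echo "verification failed, $out discarded" >&2
    return 1
  fi
  echo "rotated: $out verified; test it in place, then replace $in"
}
```

Read the passphrases in with `read -rs` or from a password manager rather than typing them into an `export` line, for the same shell-history reason.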


It is no secret that ATI drivers in Linux suck.  After dealing with them for a while, specifically not having any flexibility in how my external/internal displays function, I decided to switch my video card over to the NVidia GeForce 7300 Go, which was an option at purchase time.

I found a card on eBay for a reasonable price from a retailer by the name of TXcess Surpluss.  Installed the card and started tweaking the settings.  Sure enough, the NVidia drivers are a LOT better in terms of the control and functionality the control panel provides, as well as the stability in modifying the xorg.conf file.  In short, I am very happy with the NVidia drivers in comparison to the ATI drivers.  I can even (GASP!) turn off my internal display when the lid is closed!!!  With ATI, I had to turn the brightness all the way down and just deal with the additional heat it put off.

Plug:  TXCess Surpluss did me right when I wanted to return the card due to some artifacting.  Go check it out.  It is always good to support a quality business.

Anyway.. I had never changed the video card in a laptop before, so I was off to Google, with great results.  Thanks to huskermania and his two videos, I was able to quickly and confidently replace the video card.
