There are many resources on the Internet for correctly securing apache web sites with X.509 client certificate authentication. This isn’t one of them. What follows is a three step guide to the fastest, easiest method for setting up self-signed server and client certificates. You are advised not to run any of the commands below in a production environment, they are presented only as an aid for those who learn kinesthetically.
A good solution applied with vigor now is better than a perfect solution applied ten minutes later.
- General George Smith Patton III (source)
Read more…
One thing to note about the United States Court of Appeals for the District of Columbia Circuit decision in Comcast vs. F.C.C.– it doesn’t restrict the F.C.C.’s ability to regulate Internet services; rather, the court ruled that the broad regulatory powers enjoyed by the F.C.C. were overstepped when they told Comcast to stop discriminating against BitTorrent traffic . Many individuals dismiss this as a “bad decision” of the court, but to do so ignores important issues relevant to this ruling.
I generally favor ‘net neutrality, and I certainly don’t take a kindly view of the arbitrary packet discrimination employed by unscrupulous companies; left unchecked, such practices easily (perhaps inevitably) lead to “the pseudo service scenario of bribery … extortion“, but the same slippery slope analogy could slide the other way. Had the appellate court ruled in favor of the F.C.C. it would have set a precedent for allowing a regulatory authority to essentially invent new powers not specifically delegated to it by any act of Congress. If you would prefer that Congress pass such a law, you may wish to ask your representatives to support H.R. 3458.
In most cases, Ubuntu desktop systems will automatically detect and mount removable media, and this is largely done with software that is part of the X Windows system; for server systems without X Windows however, this sort of thing requires a bit of work.
Now some may ask, “Why automount removable media at all?” It is unwise to remove an active device, such as unplugging a USB drive without first unmounting it, and automounting may encourage this sort of recklessness. I don’t contend this, but if one runs a server using an external USB drive, there are two words which should spark an immediate interest in automatic mounts: power failure.
Read more…
Sound problems fall in to three basic categories, and the first thing you want to do is determine which one you’re dealing with. The easiest thing you can do is test your speakers with something else, using the same cable. If your speakers and cable are confirmed to be in good working order, then the problem must be either: Read more…
prerequisite concepts: prelude, basic config., port fwd, proxy conn.
I don’t often have the opportunity to experiment on computers running Windows, but every 
once in a long while it simply cannot be avoided. I recently found myself wanting to look up a password in Revelation, a password manager for the Gnome Desktop on Linux; I have previously written about using OpenSSH’s ProxyCommand directive to tunnel through a firewall and forward X11 (GUI) applications remotely from a an isolated workstation on a private LAN, the difference here was that I needed to forward that application to a Windows workstation.
Read more…
prerequisite concepts: prelude, basic configuration
This post is as much about customizing the root shell as it is about SSH environment variables, but I’m adding this to my OpenSSH collection because it’s applicable to any user.
I occasionally work on servers where, for a variety of reasons, I share an account with one or more other users; this is almost always suboptimal, but it does happen nonetheless. Over time I’ve grown somewhat partial to zShell, so one method I’ve used is to log in to a default shell, usually bash, then run zsh. Read more…
prerequisite concepts: prelude, basic configuration, port forwarding
Network address translation (NAT) is a very common method of providing secure access to hosts on a private network. Given the limited amount of IPv4 addresses, computer networks with relatively few, very few, and even a single public IP address are common. A typical small business customer of my consulting practice has one or more Linux servers on an office network protected by a firewall. The following is a close look at Example Industries, the theoretical owners of example.com; this customer receives support for two Linux servers, a mail server and a PBX, but only one public IP address between them. Through NAT, public services (namely mail and VoIP) on both servers are accessible via example.com. This works well for inbound mail and phone calls, which only need to access one or the other host, but SSH access is the lifeblood of remote system administration, and there’s the rub– when I enter ssh example.com I land at the mail server. SSH access to the PBX would seemingly threaten to litter my command line with unsightly extra characters, if not subsequent commands outright.
My carpals are tunneled enough, I don’t want to type more than ssh mail and ssh pbx to access these servers, and while I’m at it I want to have scripted log-ins as well– securely, not those namby-pamby no-password keys. In fact, I don’t even want to have private keys on either server.
Fear not! With the power of OpenSSH, I can fix this.
Read more…
prerequisite concepts: prelude, basic configuration
Port forwarding is a versatile feature which informs several popular concepts, including X Forwarding and tunneling which are briefly explained below; more advanced port magic will be addressed elsewhere.
X Forwarding
At the end of the previous installment of this series is an example SSH client configuration file, usually located at ~/.ssh/conf; a more complete description of the global declarations shown was deferred until this section, where they are more relevant. Read more…
Having discovered the advantages of á la carte VoIP pricing, I pondered how to extrapolate my experience for general discussion while avoiding the pitfalls of interpolation and abridgement.
The Reference Book of Rates, Price Indices, and Household Expenditures for Telephone Service published by the FCC’s Wireline Competition Bureau provides a rough estimate of wireline telephone expenses averaging $45 per month in 2007, based on market research by TNS Telecoms. This isn’t too far from my own experience with residential VoIP plans which have tended to average about $35 monthly, including additional fees and charges, which can be significant: on BroadVoice’s “Unlimited World” plan, for example, “Taxes & Surcharges” account for about 35% of the monthly total. Based on these data, I use an estimated $35-$45 for generic comparison of monthly residential phone bills, or an average average of $40. As I designed our current, á la carte plan, I surmised that after discounting business use, the residential remainder was unlikely to ever exceed $30 in a single month. As the plan took shape, however, I realized that intelligent planning could lower that even further; somewhere in the neighborhood of a $20 monthly average would certainly exemplify what custom VoIP plans can offer, and half the average isn’t a bad talking point. 
Read more…
prerequisite concepts: prelude
If you’re not already using a config file (~/.ssh/config) you should peruse the documentation to see what it offers; an ongoing benefit I enjoy is that it allows me to accomplish more while typing less. Suppose, for example, you need to access two mail servers which are both behind a firewall and sharing a single public IP address. One server uses NAT (port forwarding) to provide user access via IMAP-SSL, POP3-SSL, and perhaps even webmail, all on default ports; similarly SSH can be accessed on port 22. The other server happens to be a mail relay, which handles all of the spam and virus scanning for inbound and outbound mail; while the SMTP, SMTPS, and submission services all enjoy a NAT configuration using default ports, SSH access is on port 23 because port 22 already forwards to the IMAP server and the sysadmin hasn’t read this series of articles.
Read more…
