sftp on an ubuntu server with “chroot jail”

November 9th, 2008

SSH is a wonderful thing.

If you want to securely log into a remote machine there is nothing better, but ssh has a few other useful tricks up its well-encrypted sleeves. You can tunnel TCP traffic, forward an X11 session and transfer files with sftp.

In Ubuntu by default any user who can log in via ssh can also use sftp and transfer files to and from the machine according to their permissions on that machine. Most graphical ftp clients support sftp these days and it can be very useful.

However, what if you want someone to be able to securely transfer files to and/or from your machine but you don’t want them to be able to log in or see any part of the file system other than their own personal directory? By default any user who can log in can see other parts of the file system (anything their permissions allow them to read, which on a default install includes most of the system and other users’ home directories); in order to stop this we need a chroot jail.

The current implementation of ssh in use on Ubuntu (and just about everywhere else) is OpenSSH, which is part of the OpenBSD project. The latest version as of writing is 5.1 and this ships in the repos for Intrepid Ibex.

In OpenSSH 5.1 setting up a chroot jail is much easier: sshd has had a built-in ChrootDirectory option since 4.8, so there is no need to copy binaries and libraries into the jail.

Hardy, on the other hand, ships with version 4.7, which predates that option, and there it is not nearly as easy.

There is a good tutorial here that explains how to do this by compiling everything from source, but this is not necessary on Intrepid. All that is needed is a few small edits to a config file and some playing with directories.

Here’s how it works:

First, if it’s not installed already install openssh-server.

sudo apt-get install openssh-server

Next edit /etc/ssh/sshd_config (with sudo and your favourite editor).

Change the line

Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp

Next add the following to the end of the file. It must go at the end: everything after a Match line belongs to that Match block until the next one, so any directive placed below it would silently apply only to sftponly users.

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

What does this do?

In simple terms it causes the three options (ChrootDirectory, ForceCommand and AllowTcpForwarding) to be set to the values given for any user who belongs to the group sftponly. Other users are not affected. ChrootDirectory %h confines the user to their home directory; ForceCommand internal-sftp runs the sftp server inside sshd itself, so nothing (not even a shell) needs to exist inside the jail, and it overrides whatever command the client asks for; AllowTcpForwarding no stops the account being used as a tunnel into or out of your network. X11Forwarding no is worth adding to the same block for the same reason.

There are a few more things that will need to be done.

First, the group needs to be created and users created and added to it:

sudo groupadd sftponly

sudo useradd -m joe

sudo usermod -s /bin/false joe

sudo usermod -d /home/joe joe

sudo usermod -g sftponly joe

Here we have added the group; added a user, joe, together with his home directory (-m, since useradd on Ubuntu does not create one by default); stopped him from logging in normally by setting his shell to /bin/false with -s; set his home directory with -d; and made sftponly his primary group with -g (-G would add it as a supplementary group instead; Match Group matches either). Note that usermod needs the username as its last argument. A shell of /bin/false would break the old external sftp-server, which sshd starts through the user’s shell; internal-sftp does not go through the shell, which is one reason for changing the Subsystem line above.

Next set a password:

sudo passwd joe

One final thing we need to do to allow chroot sftp access for joe is to set his home directory as owned by root. sshd requires that the chroot directory and every directory in the path to it are owned by root and not writable by group or others; if any component fails that check the login is refused and “bad ownership or modes for chroot directory” appears in /var/log/auth.log. The /home directory should already be owned by root with mode 755, but now set the user’s home directory as owned by root (keeping it at mode 755, not 775 or 777) and create another directory inside it, owned by the user, to allow uploading. Because the jail itself is not writable by joe, this upload directory is the only place he can put files.

sudo chown root:root /home/joe

sudo mkdir -p /home/joe/upload

sudo chown joe:sftponly /home/joe/upload

Now joe will not be able to log in via ssh, but if he connects via sftp all he will see is the upload directory and he will not be able to navigate up through the filesystem. sshd only reads its config at start-up, so run sudo sshd -t to check the file for mistakes and then restart it (sudo /etc/init.d/ssh restart) before testing; if a login is refused, /var/log/auth.log says why.

Summary:

  • Make a few changes to /etc/ssh/sshd_config
  • Create a group for sftp only users
  • Create user and set group, home directory, shell &  password
  • Make root the owner of the user’s home directory (mode 755) and restart sshd.
  • Create an upload directory owned by the user.
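The whole procedure as one script, added here as an example and not taken from the original post or from OpenSSH. It appends the Match block, creates the user with the ownership layout the jail needs and, importantly, walks every component of the chroot path applying the same ownership-and-mode test sshd applies, so a bad directory is caught before the first failed login. The group and user names, the home layout and the GNU stat invocation are assumptions; run the setup and match steps as root.

```shell
#!/bin/sh
# Added example: sftp-only chroot setup and pre-flight check.
# Assumes GNU coreutils (stat -c) and Debian/Ubuntu useradd/groupadd.
set -e

SFTP_GROUP=sftponly

# A chroot path component is acceptable only if it is owned by root and
# not writable by group or others. Arguments: numeric uid and octal mode
# as printed by `stat -c '%u %a'` (e.g. "0 755" or "0 1777").
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    last3=${mode#"${mode%???}"}      # drop a leading setuid/setgid/sticky digit
    rest=${last3#?}                   # group and other digits
    group=${rest%?}
    other=${rest#?}
    for digit in "$group" "$other"; do
        case $digit in
            2|3|6|7) return 1 ;;      # write bit set
        esac
    done
    return 0
}

# Walk /home/joe, /home and / in turn; sshd refuses the chroot if any fails.
check_chroot_path() {
    path=$1
    while :; do
        set -- $(stat -c '%u %a' "$path")
        if ! chroot_component_ok "${1-}" "${2-}"; then
            printf 'bad ownership or modes for chroot component %s\n' "$path" >&2
            return 1
        fi
        [ "$path" != / ] || return 0
        path=$(dirname "$path")
    done
}

# Append the Match block to an sshd_config. It must be the last thing in
# the file: every directive after "Match" belongs to that block.
write_sshd_match() {
    cat >> "$1" <<EOF

Match Group $SFTP_GROUP
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Create an sftp-only user with the ownership layout the chroot needs (root).
create_sftp_user() {
    user=$1
    home=/home/$user
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    useradd -m -d "$home" -s /bin/false -g "$SFTP_GROUP" "$user"
    chown root:root "$home"          # jail root must belong to root
    chmod 755 "$home"                # and must not be group/world writable
    mkdir -p "$home/upload"
    chown "$user:$SFTP_GROUP" "$home/upload"
    check_chroot_path "$home"        # fail loudly now rather than at login
    echo "now run: passwd $user"
}

case ${1-} in
    match) write_sshd_match "${2:-/etc/ssh/sshd_config}" && sshd -t ;;
    setup) create_sftp_user "$2" ;;
    check) check_chroot_path "$2" ;;
esac
```

Usage: sudo sh sftp-jail.sh match, then restart sshd; sudo sh sftp-jail.sh setup joe; sudo passwd joe. The check subcommand can be pointed at any existing home directory to explain a “bad ownership or modes for chroot directory” refusal.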

Open Source Chilli

October 19th, 2008

franki in #ubuntu-uk on irc.freenode.net suggested that this is “open sauce” chilli.

The other day I was wondering what to eat. I thought of making some chilli and while sitting contemplating this I was reading the ubuntu-uk irc channel on freenode. By amazing coincidence brobostigon was doing the same and popey explained how to make some chilli. I decided to give it a go and made a few modifications. Now in the spirit of open source I’m going to contribute my changes back to the community.

For this recipe you will need:

  • One Onion
  • Olive oil
  • Beef Mince (as good as you can afford) 500g
  • Tomatoes (I used fresh and tinned)
  • One tin kidney beans
  • One red Pepper (Bell pepper)
  • Two fresh chillies
  • 2 or 3 cloves of garlic
  • Crushed dried Chillies
  • Paprika powder
  • Dried Oregano
  • Salt and black pepper
  • Rice

First dice the onion. Then put some olive oil in a pan and fry the onion on a medium heat.

While the onion is frying place the fresh tomatoes in a bowl and cover with boiling water.

Finely chop the chillies and garlic and add the chillies.

Add some oregano and crushed dried chillies to the frying onions.

Allow it to fry for a minute or two to let the flavours start to develop.

Next add the garlic and fry briefly, ensuring it does not start to burn, then add the mince, breaking it up as finely as possible as you add it. Fry the mince until it starts to brown.

Move the mince around and, as popey says, “give it a good kicking, people who don’t do this suck!” Basically, try to break up the mince as much as possible.

Next chop the red pepper.

Add the pepper and the kidney beans.

Now for the tomatoes. The fresh tomatoes in the hot water should now have split; if they haven’t, nick them with a sharp knife, lift them out of the hot water (with a spoon, or with your fingers if you enjoy pain) and place into a bowl of cold water.

After a few minutes in cold water the skins should be loose and fall off in your hands. After de-skinning, roughly chop the tomatoes and add them to the pan with the tin of chopped tomatoes.

Add the fresh chillies, some salt and black pepper and a generous shake of paprika powder.

Allow the finished chilli to simmer on a low heat for at least half an hour (while you boil some rice).

Serve the chilli with rice and/or bread (pita bread is good).

I grated some pecorino cheese on top. Sour cream might also work well.

Thanks to popey for the inspiration.

Pulseaudio Across a Network (Part 2)

October 8th, 2008

Before I start I should just note that this may not be the most secure or “best” way to run pulseaudio but it is quite convenient.

Once I had my pulse server working I needed to find a way to make the settings permanent. What I mean by that is I wanted to have the server on the MPC (connected to the stereo) restart every time the machine started. I didn’t want to have to login to the MPC and start the server every time and I didn’t want to have to export the address of the server each time before starting my audio player.

What I wanted was to switch on any laptop, click on the audio player and have sound come out of the stereo.

To cut out all the experimentation, these are the changes I made:

change file /etc/default/pulseaudio
from:

PULSEAUDIO_SYSTEM_START=0
DISALLOW_MODULE_LOADING=1

to:

PULSEAUDIO_SYSTEM_START=1
DISALLOW_MODULE_LOADING=0

in /etc/pulse/default.pa

change:
#load-module module-native-protocol-tcp

to:
load-module module-native-protocol-tcp auth-anonymous=1

Once the changes are made the server needs to be restarted with:

sudo /etc/init.d/pulseaudio restart

This allows anonymous access to anyone with a network connection to the server: anyone who can reach TCP port 4713 can play sound through the stereo and, with DISALLOW_MODULE_LOADING=0, can load modules into the system-wide daemon. That is acceptable on a trusted home LAN behind a firewall but nowhere else; the same load-module line accepts auth-ip-acl=127.0.0.1;192.168.1.0/24 in place of auth-anonymous=1 to limit which addresses are let in. Even so, it is still necessary to start the app (rhythmbox) from the command line after exporting the PULSE_SERVER= environment variable.

The best way I found to avoid this is to write a very simple little script (I called it rhythm_pulse.sh).

#!/bin/bash
export PULSE_SERVER=192.168.1.10
rhythmbox

This plain text file needs to be made executable

chmod +x rhythm_pulse.sh

It turns out that Ubuntu (and probably other distros) adds the directory ~/bin to the default path, via ~/.profile, if it exists at login. So if you create a directory called bin in your home directory, any executable file in there can be run without specifying a path (after logging in again). I created a bin directory and put the script in there.

Anyway, back to the point. I then created a menu item in the applications menu (right click, edit menus). Add a new item to the same menu as rhythmbox. The name could be “Rhythmbox (Pulse Server)” and in the command box put rhythm_pulse.sh to run the script from before.

Now clicking the menu item runs the script, Exports the environment variable and starts rhythmbox. All I have to do is click play and music is piped to my stereo.

Pulseaudio Across a Network (Part 1)

October 2nd, 2008

After getting myself a Viglen MPC-L thanks to a special deal announced on the UbuntuUK podcast. I set about putting it to some geeky uses.

One of the first things I intended to try with it was to set it up as an audio device connected to a stereo.

My plan was to allow playback from various laptops to the stereo. Pulse audio (which comes as standard with Ubuntu Hardy) seemed to fit the bill nicely.

I had a minimal server install and apt-get install pulseaudio installs it if it’s not there already.

Right then, there are two steps to get audio to play back from a client computer on the network to the pulse server:

  • Make sure pulseaudio is running on the server and the correct modules are loaded.
  • Start an audio player on the local machine with the environment variable PULSE_SERVER set.

First log into the server

$ ssh 192.168.1.10

Then run

$ pulseaudio -D

This starts pulseaudio as a daemon.

Next we need to load the module that will allow us playback across the network. The pactl tool can configure the pulseaudio daemon and load modules while it’s running.

$ pactl load-module module-native-protocol-tcp auth-anonymous=1

If all goes well this command should print a number (the index of the new module) to indicate that the module loaded successfully. Note that auth-anonymous=1 accepts connections from any address that can reach the server; see part 2 for the caveats.

The Pulseaudio server should be ready to use.

Back on the client machine (laptop in my case) open a terminal and set the address of the server as an environment variable (the variable is PULSE_SERVER, as in the step list above):

$ export PULSE_SERVER=192.168.1.10

then from the same terminal try

$ rhythmbox &

(Or substitute the name of your favourite player.)

And as if by magic anything played through this program is played back remotely on the server. In my set up the output from the MPC is fed into a stereo.

Next… How to make this all permanent so that these steps aren’t needed every time.
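The server and client sides of both parts, as an added example that is not part of the original posts or of PulseAudio itself. It shows the hardened form of the load-module line next to the anonymous one the posts use, produces the line for default.pa or a one-off pactl load, and writes the client wrapper from part 2. The server address, subnet and player name are placeholders taken from the posts; PulseAudio’s auth-ip-acl parameter is real, the helper names are mine.

```shell
#!/bin/sh
# Added example: PulseAudio over the LAN without auth-anonymous=1.
set -e

PULSE_SERVER_ADDR=192.168.1.10     # the MPC connected to the stereo
ALLOWED_NET=192.168.1.0/24         # clients allowed to play sound

# Argument string for module-native-protocol-tcp.
#   weak (from the posts):  auth-anonymous=1          -> anyone who can reach 4713
#   this function:          auth-ip-acl=127.0.0.1;NET -> only listed sources
pulse_tcp_module_args() {
    net=$1
    [ -n "$net" ] || { echo "allowed network required" >&2; return 1; }
    printf 'auth-ip-acl=127.0.0.1;%s' "$net"
}

# The line to put in /etc/pulse/default.pa (or system.pa for a system-wide
# daemon) in place of "load-module module-native-protocol-tcp auth-anonymous=1".
pulse_default_pa_line() {
    printf 'load-module module-native-protocol-tcp %s\n' "$(pulse_tcp_module_args "$1")"
}

# One-off load into a running daemon, as part 1 does with pactl; prints the
# module index on success.
load_restricted_tcp_module() {
    pactl load-module module-native-protocol-tcp "$(pulse_tcp_module_args "$ALLOWED_NET")"
}

# Client side: the wrapper part 2 calls rhythm_pulse.sh. Any player can be
# passed as its first argument; it defaults to rhythmbox.
write_client_wrapper() {
    out=$1
    cat > "$out" <<EOF
#!/bin/sh
# Route this player's audio to the PulseAudio server on the LAN.
export PULSE_SERVER=$PULSE_SERVER_ADDR
exec \${1:-rhythmbox}
EOF
    chmod +x "$out"
}

case ${1-} in
    pa-line) pulse_default_pa_line "$ALLOWED_NET" ;;
    load)    load_restricted_tcp_module ;;
    client)  mkdir -p "$HOME/bin" && write_client_wrapper "$HOME/bin/rhythm_pulse.sh" ;;
esac
```

The access list stops a stranger on a guest VLAN or an open wireless network from playing through the stereo, but it is still no substitute for leaving DISALLOW_MODULE_LOADING=1 unless the listed hosts are fully trusted; anyone the ACL admits can otherwise load modules into the daemon.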

MPC-L from Viglen

October 1st, 2008

Being a sucker for Linux devices and working on the general principle that you can never own too many computers I recently got myself a Viglen MPC-L.

I got it for the staggering price of £79 including VAT and delivery thanks to a special deal on the Ubuntu UK Podcast.

Other people have blogged about this machine so I won’t bother saying too much, I’ll just post some pretty pictures.

It comes in a hugely over-sized box.

With a small box inside…

Unpacking…

What you get…

Plug it in!

The BIOS is quite limited.

It ships with Xubuntu.

And yes! It even comes with a Microsoft mouse!

The low power CPU means default OS is fine for web browsing and email but it is a little sluggish for doing any real work. Where I think this machine really shines (and the reason why I bought one) is as a tiny low power server on the home network. I’ve installed a minimal Ubuntu server and am playing with ideas about connecting storage and using it as a backup machine, using it hooked up to a stereo and playing music from other computers on the network, an ssh box in the DMZ on the network so that I can transfer/use stuff when I’m not at home…. the possibilities are endless.

I don’t know if the deal is still going but for details listen to episode 11 of the Ubuntu UK podcast.

Linux on the highstreet.

September 24th, 2008

The 20th of Sept. was Software Freedom Day! I met some guys from the local LUG who had set up a stall in the market square. They did a great job educating people and handing out free CDs, and they had also been sent some Elonex webbooks which, it turns out, are available from Carphone Warehouse (a large mobile phone retailer).

These webbooks are actually very cool: they run a standard Ubuntu desktop (with compiz), have a 10 inch screen, an 80GB hard disk and a VIA C7-M 1.6GHz CPU, and they will sell you one for about £230 (or you can get one free with a phone contract).

The same day I was wandering around John Lewis (which is a big department store in the UK) and I found that they were selling the Acer Aspire One with a choice of Windows XP or Linux based OS.

I say “Linux based OS” because what they ship with is Linpus Lite, which I’m afraid to say is arse gravy, but looking at the spec I’m sure these machines could run any distro.

I was so shocked I snapped a few pics, and with a bit of prodding around I managed to bring up a terminal.

These machines retail for £229 (or £299 for the XP version) and I’m sure it wouldn’t take very much effort to install a decent Linux distro.

So, in one day I found two mainstream British high street retailers selling Linux powered netbooks. This is all on the back of the huge mainstream appeal of the eeePC; this type of computer is really bringing Linux into the consumer market.

Hardy slow wireless :(

July 23rd, 2008

Yet more problems with Hardy. When I unplugged the laptop from the ethernet cable and tried the wireless (which had worked perfectly on gutsy) it became very very slow.

A quick iwconfig confirmed that the rate had dropped to the slowest possible:

Rate=1 Mb/s

Pages took several minutes to load.

A quick search confirmed my worst fears, it’s a bug in the rt2500 driver.

One quick workaround is to force the card to work at maximum speed with the command (as root; it is not persistent, so it has to be repeated after a reboot or reconnect):

sudo iwconfig wlan0 rate 54M

This works for now. The only other solution I’ve found involves compiling the serialmonkey driver from CVS source. Normally I wouldn’t mind doing this but chances are it’ll break network-manager and it will probably need recompiling for every kernel update. :(

This is quite disappointing.

There is a thread about the issue here.

Sound Issue on Hardy.

July 22nd, 2008

I’ve found since upgrading this laptop to Hardy that sound sometimes stops working in all applications.

I have a feeling this is an issue related to pulseaudio.

If you try to play a sound file from the command line with something like ogg123 then there is an error message:

ALSA lib pcm_dmix.c:874:(snd_pcm_dmix_open) unable to open slave

Anyway, the solution:

It is probably caused by bugs in flashplayer; installing the package libflashsupport seems to have cured it.

We’ll see…

Upgrade to Hardy

July 22nd, 2008

I decided (against my better judgment) to try and upgrade my laptop to Hardy from Gutsy via the update manager.

I have had bad experiences in my Fedora days trying to upgrade from one distro version to another. That was several years ago, using CDs to upgrade. Surely by now this sort of upgrade should be possible without too many headaches!

Wrong.

Long story short after clicking the upgrade button every thing seemed fine until the installer stopped dead and the CPU usage jumped to 100%.

I waited half an hour or so and nothing happened.

Dropping down the “details” window I found that the install process seemed to have stalled at:

Generating locales…
en_AU.UTF-8…

I tracked it down to this bug.

The fix that worked for me was to:

  • reboot
  • At the grub menu choose kernel 2.6.22-14 (not -15)
  • When at the login screen press ctrl-alt-F1 to bring up a terminal
  • log in
  • run “sudo dpkg --configure -a” (this takes ages)
  • type “sudo shutdown -r now”

This seems to have worked and I am now running Hardy on this machine.

Ubuntu Gutsy on the eee PC (alternate install from USB key)

April 3rd, 2008

I decided to install ubuntu to the hard drive (solid state drive) on my eee for several reasons

  1. I like ubuntu
  2. I like the massive community support
  3. I like the extensive repos full of debs.

…and I decided to use the alternate install CD image because the installer fits nicely on the eeePC screen.

There are many ways to install Ubuntu on the eeePC and some are detailed on the eeePC user wiki.

I did it using a USB stick (2GB, but 1GB would be enough) which I prepared on another Linux computer, but it should be possible to do this on the eee itself. (Note: to do it on the eee you’d need to install the syslinux and mtools packages.)

An easy way to create the USB installation key is to use the hd-media kernel (downloadable from ubuntu archive)

Instructions:

Make fat16 partition on USB stick (at least 750MB, 1GB recommended)
Make partition bootable.
Download http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/vmlinuz
Download http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/initrd.gz
(both to root dir)

Something like this from the terminal:
$ cd /media/usb_disk
$ wget http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/vmlinuz
$ wget http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/initrd.gz

(Important note: the hd-media kernel image must match the kernel version on the install CD image so that it can use the same compiled modules from the .iso. The above kernel and initrd match the Gutsy iso images. If you wish to install a different version of Ubuntu, for instance when Hardy Heron is released, then use the hd-media kernel in the archive for that release.)

Download the iso image you wish to install to the root directory of the partition, next to the kernel and initrd which have just been downloaded.

Something like this from the terminal:
$ cd /media/usb_disk
$ wget http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/vmlinuz
$ wget http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/hd-media/initrd.gz
$ wget http://releases.ubuntu.com/gutsy/ubuntu-7.10-alternate-i386.iso

Issue the following command in the root directory of the USB stick to create a minimal config file for the syslinux boot loader (printf rather than echo -e, which behaves differently from shell to shell):
$ printf 'DEFAULT vmlinuz\nAPPEND initrd=initrd.gz\n' > syslinux.cfg

Next find out the device name of your USB stick. From the root directory of the partition (where the four files should be) give the command:

mount | grep `pwd`|cut -d" " -f1 -

The command should print the device name of your USB stick. It is a substring match, so if anything else is mounted under a path containing the same name (/media/usb_disk2, say) more than one line comes out; make sure the one you use really is the stick.

To make the device bootable you need to install a master boot record and the syslinux boot loader on the USB device. To do this you should have the device plugged in but not mounted. Once you have finished copying files to the device and found its device file (/dev/sdXx), unmount it (right click the icon and click safely remove) but leave the stick plugged in.

Now to make the device bootable.

Install syslinux if required.

$ sudo apt-get install syslinux

Install the master boot record which comes with syslinux, replacing the X below with the letter identifying your USB device. Double-check the letter against the output of the mount command above: this overwrites the boot code of whatever device you name, and naming the system disk by mistake will leave it unbootable.

$ sudo dd if=/usr/lib/syslinux/mbr.bin of=/dev/sdX bs=440 count=1 conv=notrunc

(Note there should be no partition number here. mbr.bin is 440 bytes, so only the boot code is written and the partition table is left alone. This step might not be necessary if the stick already contains a valid MBR, but it won’t hurt.)

Make the partition bootable with syslinux (again as root, and this time with the partition number):

$ sudo syslinux -sf /dev/sdX1

You should now have a working USB install key. Plug it into any USB port on the eee and reboot. When the boot screen shows, hold down the escape key and select it from the list. The installer should now boot.

Summary

  1. Prepare an empty USB stick
  2. Download 3 files to it (vmlinuz, initrd.gz, iso install CD image)
  3. Create minimal config file (command above)
  4. Find /dev/ file (command above)
  5. Fix master boot record (command above)
  6. Make the partition bootable with syslinux.
  7. Reboot hold esc and install.
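The summary above as one script, added here as an example that is not from the original post. Beyond the posted steps it derives the whole-disk device for the MBR from the partition that was just populated, rather than from a letter typed by hand, so the boot code cannot land on the wrong disk by typo, and it looks the device up with df instead of a substring grep on mount output. Assumptions: the stick is mounted with a single FAT16 partition named /dev/sdXN, syslinux and wget are installed, and the Gutsy URLs from the post are wanted (change RELEASE and ISO_URL together, since the hd-media kernel must match the iso).

```shell
#!/bin/sh
# Added example: prepare a USB key for the Ubuntu alternate installer.
set -eu

RELEASE=gutsy
ISO_URL=http://releases.ubuntu.com/gutsy/ubuntu-7.10-alternate-i386.iso
HDMEDIA=http://archive.ubuntu.com/ubuntu/dists/$RELEASE/main/installer-i386/current/images/hd-media

# Minimal syslinux config: boot the hd-media kernel with its initrd.
write_syslinux_cfg() {
    printf 'DEFAULT vmlinuz\nAPPEND initrd=initrd.gz\n' > "$1/syslinux.cfg"
}

# Block device backing a mounted path (POSIX df, so /media/usb_disk2 is
# not mistaken for /media/usb_disk as a grep on `mount` output would).
device_for_path() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# /dev/sdb1 -> /dev/sdb. Refuses names without a trailing partition number,
# so the MBR target is always derived from the partition we populated.
disk_of() {
    part=$1
    disk=$part
    while [ "${disk%[0-9]}" != "$disk" ]; do disk=${disk%[0-9]}; done
    [ "$disk" != "$part" ] || { echo "not a partition: $part" >&2; return 1; }
    printf '%s\n' "$disk"
}

# Download kernel, initrd and iso into the root of the mounted stick.
fetch_files() {
    ( cd "$1" && wget -c "$HDMEDIA/vmlinuz" "$HDMEDIA/initrd.gz" "$ISO_URL" )
}

# Unmount, write syslinux's 440-byte MBR to the disk (partition table left
# alone) and install syslinux on the partition. Run as root.
make_bootable() {
    mnt=$1
    part=$(device_for_path "$mnt")
    disk=$(disk_of "$part")
    umount "$mnt"
    dd if=/usr/lib/syslinux/mbr.bin of="$disk" bs=440 count=1 conv=notrunc
    syslinux -sf "$part"
    echo "wrote MBR to $disk and syslinux to $part"
}

case ${1-} in
    prepare)  fetch_files "$2"; write_syslinux_cfg "$2" ;;
    bootable) make_bootable "$2" ;;
esac
```

Usage: sh usbkey.sh prepare /media/usb_disk as yourself, then sudo sh usbkey.sh bootable /media/usb_disk. Devices such as /dev/mmcblk0p1 do not follow the sdXN pattern and are deliberately rejected by disk_of rather than guessed at.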