Voodoo Programming » Terminal

Smooth SSH Passwordless Authentication

Constantinos — Tue, 05 Feb 2008 14:36:17 +0000

This post first appeared on the Voodoo Finance blog which is maintained by my friend Constantinos Michael, and I’m recreating it here with some extensions so I can find the code more easily when I need it.

Using computers remotely is a big part of what I do. Whether I’m at home and need to connect to a computer in the lab, or in the lab or the road and need to connect to my home computer. The way I (and pretty much most other linux users) is through SSH. If you’ve ever had to open more than one ssh connection however, it gets old pretty quickly. First you need to remember the host (and potentially the port, if it’s not standard) of the machine you’re connecting to, and also your username on that machine. After those are typed in, you need to enter your password every time you initiate a new connection. Well, all of the above can be automated with a few quick keystrokes in the terminal.

The first step is to generate an SSH key pair. This private / public key pair will be used to authenticate you on the target machine. As it’s using an RSA key pair, you can probably leave the passphrase empty as the attacker would first need access to your private key. If you’re really paranoid, you can type in an easy password (but you’ll need to type this password in every time you use the key). To generate this key, type the following in a terminal window:

ssh-keygen -t rsa

After this is done, you’re ready to install this key on any remote machine you wish to access. Before you do that however, I suggest setting up some aliases to the target machine so you don’t have to type the host and username every time you wish to log in. To do that, you need to edit (or create) a file called ~/.ssh/config. In this file, you can enter a block of text for each host you wish to create an alias for. You can add as many hosts you want, just make sure there’s an empty line between each configuration. This is an example of what needs to go in this file:

host lab
user admin
HostName www.example.com
port 12345

There are many more options that can go in there, and it mostly depends on your setup. But for anything that you don’t need to specify in the ssh command line, you don’t need to add an option for in this file. For example with the text I provided above, when you type ssh lab in the command line, it will try to connect to www.example.com using the username admin on port 12345. This would be equivalent to typing ssh admin@www.example.com -oPort=12345. Much easier, isn’t it?

Now on to the juicy stuff. Create a script that will install your key on the remote machine. To do that, paste these instructions in the terminal:

sudo touch /usr/bin/ssh-install-key ;
sudo chmod a+w /usr/bin/ssh-install-key
echo "cat ~/.ssh/id_rsa.pub | ssh \${1} \"cat - >> ~/.ssh/authorized_keys\"" \
     > /usr/bin/ssh-install-key
sudo chmod a-w+x /usr/bin/ssh-install-key

At this stage, you’re done with the setup. All you need to do is type

ssh-install-key lab

in the terminal window (assuming you’ve set up the above config file with a host called lab), enter your password as many times as you’re prompted, and you’re done! Every subsequent time you wish to connect to this machine, all you need to do is type ssh lab, and you’re immediately connected, no questions asked! (Unless of course you provided a passphrase for your key pair, in which case you will be prompted for that password).

Spoofing Leopard’s MAC address

Constantinos — Sat, 19 Jan 2008 19:34:50 +0000

There are many legitimate reasons why someone would want to spoof a system’s MAC address. In my case, my University binds our network ports to a specific computer’s MAC address, and only allows you to reset that address once a week. My problems start when I want to switch my two computers for whatever reason, and connect my smaller iBook to the wall (let’s say I want to keep a web server online, but wish to take my MacBook Pro on the road).

In Tiger, it was very easy to spoof a MAC address:

sudo ifconfig en0 ether 00:00:00:00:00:00

where en0 is the network interface you wish to change the MAC address of, and 00:00:00:00:00:00 is the target MAC address. With Leopard, that line no longer works. No matter how much I searched, I couldn’t find a solid alternative. Turns out, it’s extremely simple:

sudo ifconfig en0 lladdr 00:00:00:00:00:00

That’s it!
Note: This has been tested under 10.5.1 with both en0 and en1, and at least for the wired interface it works as advertised.

Bandwidth throttling in OS X

Constantinos — Sat, 19 Jan 2008 14:27:52 +0000

It’s been a while since my last post, and that’s because I’ve been busy with coursework, so I haven’t had time to mess around with OS X. However there was one feature I needed to figure out out of necessity if anything else. I have certain files I wish to freely share with some friends of mine, and the easiest way for me to do that was put them on my local web server and serve them over http. The only problem with this approach, is that the university has a weekly data transfer limit of 5Gb per week during peak hours, those being between 6pm and midnight. Additionally, local traffic doesn’t count towards that limit, and if that limit is exceeded then my Internet would be blocked and limited to only the local network for the remainder of that week.

Therefore, the solution I was looking for would not require me to turn off my web server (as I’d like to still access it locally), and would ideally simply limit the outgoing traffic automatically between those two times.

One aspect that made this particular solution usable, was the fact that port 80 is firewalled from the external world. This means that if I want to run a web server on my local machine accessible from the outside, I have to do it on a different port. Therefore I use port 80 to access the web server locally, and port 8080 to access it from the outside. This gives me a dedicated point of entry for the traffic that I wish to limit the bandwidth.

The solution is fairly simple, and involves only two tools: cron, for enabling and disabling the filter at specific times, and ipfw for actually setting up the filters. The idea is this: create a pipe using ipfw that limits outgoing traffic on port 8080 to a specified rate (let’s say 15KByte/s), and using a cron job add the pipe to my network interface at 6pm, and delete it at midnight. That’s it! Theoretically you only have to create the pipe once, but in order to have this survive across restarts, I added another cron job at 5:59pm that re-creates the pipe. The full contents of the crontab file (located at /etc/crontab) are as follows:

# Set the bandwidth limit at 5:59pm
59 17	* * *	root	/sbin/ipfw pipe 1 config bw 15KByte/s
# Add the bandwidth limit to the specified port at 6:00pm
0 18	* * *	root	/sbin/ipfw add 1 pipe 1 src-port 8080
# Lift the bandwidth limit at 12:00am
0 0	* * *	root	/sbin/ipfw delete 1

The problem with this is if the computer boots up or reboots after 6pm and before midnight, the filters will not be set. The solution is to use anacron for executing the ipfw commands, But as I rarely shut down or reboot my computer, it wasn’t worth it for me to make that happen. If I do make those modifications, I will post an update here. Also note that the ipfw commands need to be executed as root.

WP-Cron-Mail plugin

Constantinos — Tue, 14 Mar 2006 18:20:30 +0000

Another tool I decided to use was WordPress’ post-by-email feature. However this was very limiting, as after posting via email usually action was required within WordPress – visit the wp-mail.php page, and then modify the post to place it in the necessary categories etc.

The first problem is overcome by using the wp-cron-mail plugin which comes with the wp-cron plugin. However I still wanted some more functionality from this.

My modification to wp-cron-mail.php accomplishes the following things:

Adds the option of specifying which categories the post should be placed in. This is accomplished by (optionally) having the first non-empty line of your email message be in the form of:

{* Category Name, Another category name, catID *}

where “Category Name” can be any text. If the specified category exists it will be correctly identified, if not it will be created. catID needs to be the ID number of an existing category. You can use either method to define categories, or both of them together.
Limits posting to registered users only. When an email is received the plugin will try to match the Reply-To: address (or if that does not exist, the From: address) with all the emails of the registered users. If such an address is found, then the owner of that email address will be assigned as author (as with the default version of this plugin). Even though posting this way is strictly limiting, the option to override this is provided through the Options page, where you have the ability to either allow all email addresses, or provide a list of additional allowed email addresses (which can be empty – the default). With either of the last two options, if a message is posted from a non-registered email address, it will be marked as authored by the admin of the blog.
Added the ability to replace wp-mail.php with a single function call to take advantage of the wp-cron-mail improvements, with the option of sending a notification email if posts are retrieved through this file, instead of just outputing the results to the browser.
Added an Options page in the admin section to manage a lot of the configurable options of this plugin.

You can download a copy of this file in a zip archive or a tarball, which include a README file with instructions for replacing wp-mail.php. Before you use these files however, you should make sure of two things: that your wp-mail.php file is indeed working (to ensure that you do not suffer from the known bug that WordPress is still suffering from), and also that you have a working installation of wp-cron-mail. Then you can go ahead and replace that file with the one found here.

As always, no guarantees, and there is always room for improvement. I haven’t changed the code from the original wp-cron-mail, merely added to it. And it seems to be working, both this and the previous post were posted using this plugin . Feel free to comment.

UPDATE: Apparently something went wrong with this plugin… If you visited this site in the first 3 hours after this post was posted, you would notice something very strange… all spaces were encoded as “=20″!!! I need to track this down…