Ubuntu Keyring Gotcha

» 08 June 2013

One nice feature you get for free with OSX is an automatic handy ssh keyring thingie that loads in all your private keys and optionally saves their passphrases to the native keychain app. This native keychain application has highly customizable security options that, when configured properly, make it difficult (impossible?) for someone without your account credentials to use your private key without providing the passphrase, while still allowing for a “single sign on” experience of happiness.

I’m sure that I’m less secure by using this as I have it configured, which is slightly more relaxed than the voices in my head recommend, but a security plan in implementation is always a balance of convenience and security, and so I’m okay with the risks as long as I don’t think about them very long.

I’ve been experimenting with Ubuntu’s latest desktop release on my Zenbook Prime (it works nearly perfectly out of the box, by the way) and at first I was surprised there wasn’t something to do this automagically like on my Mac. As I’m sure you can guess, there is, but there is an associated gotcha.

On a Mac, all you need do is copy your private key to your .ssh folder with one of the default names, such as id_dsa. (it is possible it is even more flexible with names, but I didn’t test this) The next time you use the key, OSX will prompt you for the passphrase and offer to save it for you. I think it does this using an ssh-agent alike or plugin or something, but I don’t really know the details. It just works, like proper magic.

But when I tried this on the Ubuntu install, it didn’t prompt me on the gui level as I expected, but in the terminal like the ssh client normally does when you don’t have this magic happening. I puzzled around a bit, and after going down a few wrong paths, I figured it out.

Ubuntu expects to see a key-pair. That is, your private key (id_rsa or whatever) and the public key (id_rsa.pub or whatever). If it does not find both, the magic does not occur, and further, if you attempt to import your private key manually via sasquash or whatever the bizarrely named keychain management tool is on Ubuntu that I can never remember, you get an unhelpful error that doesn’t suggest it needs the public key file there too.

So the fix is to copy in your public key (properly named) and let the magic work. No fiddling is needed. Easy peasy!
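Since the gotcha is simply “both halves of the key pair must be in ~/.ssh”, here is a small shell helper that checks for that and, when only the private key was copied over, derives the missing .pub from it with ssh-keygen. This is an added example, not something from the original post or from Ubuntu; it takes the private key path as a parameter, and the permission check it does is my own addition (ssh itself also refuses a private key that group or others can read).

```shell
#!/bin/sh
# Added example (not from the original post): make sure an ssh private key has
# its matching public key next to it, which is what the Ubuntu keyring needs
# before it will offer to remember the passphrase.
#
# ensure_pubkey PRIVKEY
#   - fails if PRIVKEY is missing or readable by group/others
#   - creates PRIVKEY.pub from the private key if it does not exist
#   - fails if PRIVKEY.pub does not belong to PRIVKEY
ensure_pubkey() {
    priv=$1
    pub="$priv.pub"

    [ -f "$priv" ] || { echo "no private key at $priv" >&2; return 1; }

    # ssh rejects keys that others can read; catch that early.
    # (characters 5-10 of "ls -l" are the group/other bits)
    perms=$(ls -ld "$priv" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$priv is readable by group/others; run chmod 600 on it" >&2
        return 1
    fi

    # Export the public half. For a passphrase-protected key ssh-keygen
    # prompts for the passphrase on the terminal, so this is interactive.
    derived=$(ssh-keygen -y -f "$priv") || return 1

    if [ ! -f "$pub" ]; then
        printf '%s\n' "$derived" > "$pub"
        chmod 644 "$pub"
        echo "created $pub" >&2
    fi

    # Both files must describe the same key: compare the base64 key blobs
    # (second field of the "type blob comment" line).
    blob_priv=$(printf '%s\n' "$derived" | awk '{print $2}')
    blob_pub=$(awk '{print $2; exit}' "$pub")
    if [ -z "$blob_priv" ] || [ "$blob_priv" != "$blob_pub" ]; then
        echo "$pub does not match $priv" >&2
        return 1
    fi
}

# Usage: ensure_pubkey ~/.ssh/id_rsa
if [ $# -gt 0 ]; then
    ensure_pubkey "$1"
fi
```

The mismatch check matters more than it looks: if a stale id_rsa.pub from another key is lying around, the keyring will happily load the pair and you will spend a while wondering why the server rejects you.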

One of my goals with the new server was to learn as much as possible. In that light, I decided I would use as many new (to me) bits of server software as I could. I will do a write up soon on the whole setup, but for now I want to talk briefly about Dovecot’s virtual plugin. (Dovecot is the IMAP server I selected for my setup.)

As a gmail convert, I’ve been trying to find ways to replicate the bits of the “gmail experience” that I liked. One of my first priorities was filter based, server-side labels. I used labels at gmail in a way that is probably similar to most people where the labels can be broken down into two types: labels as folders, fed via a filter rule (for mail lists and such) and labels as “flags” that I applied manually.

Replicating the filter/folder analogy server-side with IMAP would traditionally involve sieve and a folder, but having to set up an extra folder for each “label” bugged me. What if I wanted something to show up two places? My first attempt at a better way was to use Postbox’s smart folders. These allow you to set up a virtual folder that runs a search (either server side or on your local indexes) and populates the folder based on that search. This met half of my pair of requirements, but was not server-side, so I couldn’t use the folders on my phone without replicating them there, which is not DRY.

It turns out that the Dovecot developers thought of this, and have an elegant solution via the “virtual” mailbox plugin. At first glance, you might think this is meant to facilitate mailboxes for users without unix accounts on the machine, as that is often what this terminology means in the context of mail servers, but in this case it isn’t. What it is instead is easily configured, server-side smart folders!

Setting them up takes only a few minutes (the documentation is well written) and I only ran into one gotcha.

But before the gotcha got me, I needed to find where to add the configuration on my Ubuntu 12.04 server. The dovecot configuration is broken into multiple files in the /etc/dovecot/conf.d/ folder which looks like this on my machine:

root@tonks:/etc/dovecot# ls conf.d/
10-auth.conf      10-master.conf  20-lmtp.conf    auth-deny.conf.ext        auth-system.conf.ext
10-director.conf  10-ssl.conf     90-acl.conf     auth-master.conf.ext      auth-vpopmail.conf.ext
10-logging.conf   15-lda.conf     90-plugin.conf  auth-passwdfile.conf.ext
10-mail.conf      20-imap.conf    90-quota.conf   auth-static.conf.ext

This makes it a little hard to guess where a configuration item ought to go, but grep helped out, and I found the mail_plugins and namespace options in 10-mail.conf. So, following the documentation, I added the virtual plugin to the mail_plugins line, and a namespace stanza for the virtual boxes, like this:

namespace {
  prefix = virtual/
  separator = /
  location = virtual:~/mail/virtual
}

A quick reload of dovecot, and things went kaboom. The error was a bit mysterious:

Jun  5 08:51:22 tonks dovecot: imap(greg): Error: user greg: Initialization failed: namespace configuration error: inbox=yes namespace missing

I added a namespace. Why did that make one go missing? A quick Google search gave me the answer, which also happened to be spelled out clearly in the comments (I didn’t read) inside the config file:

# REMEMBER: If you add any namespaces, the default namespace must be added
# explicitly, ie. mail_location does nothing unless you have a namespace
# without a location setting. Default namespace is simply done by having a
# namespace with empty prefix.

Ahah! So I added an explicit “root” namespace, following the sample:

namespace {
  prefix =
  type = private
  inbox = yes
  separator = /
  subscriptions = yes
}

After reloading again, all was well. It worked!

Adding virtual mailboxes is extremely easy, and is clearly spelled out in the documentation on dovecot’s wiki, but it boils down to creating a folder under the mapped location specified in your virtual namespace that contains a single file named “dovecot-virtual”. I won’t repeat the docs here, as they are clear enough and have several examples. I set up a folder for one of my mailing lists, and found it populates extremely quickly even on my large mailstore, and is available across all my clients. Hooray!
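To tie the two halves of this together (the “inbox=yes namespace missing” gotcha and the dovecot-virtual file), here is an added shell example, not from the post and not from the Dovecot project. check_namespaces is a small awk pass over a Dovecot config file that fails unless some namespace stanza sets inbox = yes, i.e. the condition behind the error above; write_virtual_mailbox creates the folder-plus-file layout described in the previous paragraph under the directory named in the namespace’s location line (~/mail/virtual in my setup). The search in the generated file is written in IMAP SEARCH syntax, which is what dovecot-virtual files take, and the List-Id value is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not from the post or from Dovecot):
#   check_namespaces CONF          - exit 0 only if CONF has an inbox=yes namespace
#   write_virtual_mailbox ROOT NAME LIST_ID
#                                  - create ROOT/NAME/dovecot-virtual collecting
#                                    one mailing list by its List-Id header
# ROOT is assumed to be the directory from "location = virtual:ROOT".

check_namespaces() {
    awk '
        # a "namespace {" or "namespace name {" line opens a stanza
        /^[[:space:]]*namespace[^{]*[{]/ { in_ns = 1; has_inbox = 0; next }
        # only uncommented "inbox = yes" inside a stanza counts
        in_ns && /^[[:space:]]*inbox[[:space:]]*=[[:space:]]*yes([[:space:]]|$)/ { has_inbox = 1 }
        # closing brace: remember whether this stanza was the inbox one
        in_ns && /^[[:space:]]*[}]/ { if (has_inbox) found = 1; in_ns = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

write_virtual_mailbox() {
    root=$1; name=$2; list_id=$3
    [ -n "$list_id" ] || { echo "List-Id value required" >&2; return 1; }
    mkdir -p "$root/$name"
    # File format: mailbox patterns first ("*" = every mailbox, "-X" excludes X),
    # then the search query, indented, in IMAP SEARCH syntax.
    cat > "$root/$name/dovecot-virtual" <<EOF
*
-Trash
-Trash/*
  header List-Id "$list_id"
EOF
}

# Usage (after editing 10-mail.conf):
#   check_namespaces /etc/dovecot/conf.d/10-mail.conf || echo "add the inbox namespace"
#   write_virtual_mailbox ~/mail/virtual mylist "<mylist.example.org>"
#   then reload dovecot and subscribe to virtual/mylist in your client
```

Run check_namespaces before the reload rather than after: the failure shows up only when a user logs in, so a broken config looks fine right up until IMAP clients start failing.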

Next I need to find a way to do the other kind of label, that I manage myself. I’ll write something up once I figure that out. Have fun!

Jekyll Or Hyde

» 02 June 2013

So this blog is now based on Jekyll. The migration was…okay, I guess. I had to roll my own ruby script to do some massaging of the output of the wordpress converter, and I’m still missing a ton of features that I’d like to have back. But we’ll see if I get around to that, or not. Heh.

Loopback success

» 24 November 2011

I had one of those geekpride moments last night when trying to deal with a problem I was having with a Minecraft server running ModLoader. Modding Minecraft is not as easy as it could be, but since it is written in Java, it is not as hard as it could be either. A number of clever folks have built compatibility layers and wrappers to improve mod maintainability and compatibility. ModLoader is one of these wrapper widgets.

Its developer recently (well, somewhat recently anyway) added a feature that merges zipped, jar-like class collections from a mods subdirectory into the classpath, removing the need to edit minecraft_server.jar for each and every mod as you had to do in the past. It loads these in “random” order, which turns out to be alphabetical on some platforms, and in less easily manipulated order on others. Linux falls into the latter category, naturally.

When I looked to fix this, my first thought was to change ModLoader’s behavior so that it always loaded in alphabetical order. This would be trivial to do if I had the source for ModLoader, but less so without it. I don’t have much experience with Java decompilers and just didn’t feel like messing with that.

Instead, I implemented a fun easy hack that anyone running Linux can do. I created a small vfat loopback filesystem for the mods subfolder. This produced the expected alphabetical loading order and took a minute or two to set up. Here’s how you do it:

First, create a zeroed out virtual “disk” file to mount, using dd.

dd if=/dev/zero of=diskimage.100mb bs=1048576 count=100

dd stands for data description, but you don’t really need to know that. It looks more complicated than it is. The if and of parameters are “in file” and “out file.” Since we want a file filled with zeroes, we use /dev/zero (a convenience “device” that returns zeroes) as the “in file.” Next, we have bs, for which the snarky among you will instantly have a definition in mind. However! It is actually “block size,” and determines the size of each copy block, or step, in bytes. As I wanted a file that was roughly 100MB, I used the size of a megabyte here. Lastly, we have count, which simply determines the number of “bs” blocks to write. (Yes, yes, BS blocks)

Now! We have a nice empty file to use. Let’s format it. This is super easy.

mkfs.vfat diskimage.100mb

We use vfat because it is fast, simple, and Windowsy. Also, it worked.

Last step! We need to mount it. In Linux, there are no pesky drive letters. One can mount a filesystem anywhere. Everything lives as a child of root, which is simply /. So let us assume our Minecraft server lives in /home/minecraft. The mods folder needs to be /home/minecraft/mods. So create the empty folder first. (Move your existing mods folder out of the way if needed.)

mv mods mods-old   # if needed
mkdir mods

And the mount: (You need to be able to run things as sudo/root to do this. Discussions about sudo are outside of the scope of this article.)

sudo mount diskimage.100mb /home/minecraft/mods -t vfat -o loop,owner,group,umask=000

The gist of this is probably obvious. The flags tell mount the type of the filesystem and to map all the files as 777 (readable, writable and executable by all) since vfat does not support these things natively. It’s fine for our needs, though not secure enough for some other situations, such as a folder accessible via the web, so make sure you understand the implications of this before you use it elsewhere.

Now, you are set! You can copy your mod zip files and rename them so that they are in the order you’d like and it will Just Work(TM). Hooray!

One last thing. If you want this to mount automatically, you will need to edit /etc/fstab, adding this: (all on one line)

/home/minecraft/diskimage.100mb /home/minecraft/mods vfat loop,owner,group,umask=000 0 0

I’ll leave the details of this to you to read about. Have fun!
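For anyone who wants to reuse this trick somewhere less forgiving than a game server, here is the whole procedure as a set of shell functions. This is an added example, not from the original post: make_image is the dd step, mode_from_umask shows what permission bits vfat will report for a given umask, and vfat_opts keeps the post’s wide-open “shared” options beside a “private” profile (umask=077 plus the vfat uid= option, both standard mount options) that I added for the web-accessible kind of folder mentioned above. The image path, size and mount point are all parameters; mkfs.vfat and the actual mount still need to be run by hand (and as root).

```shell
#!/bin/sh
# Added example (not from the post): the loopback-image steps as functions,
# with the mount options split out so umask=000 is a deliberate choice
# rather than the only option.

# make_image FILE MB: zero-filled image of MB megabytes (the dd step).
make_image() {
    dd if=/dev/zero of="$1" bs=1048576 count="$2" 2>/dev/null
}

# mode_from_umask UMASK: the mode vfat gives every file and directory,
# i.e. 0777 with the umask bits cleared (umask=000 -> 777, 022 -> 755).
mode_from_umask() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# vfat_opts PROFILE [UID]
#   shared  - the post's options: every local user may read and write (777)
#   private - only UID may read or write (700); use this where other local
#             accounts or a web server could reach the mount point
vfat_opts() {
    case $1 in
        shared)
            echo "loop,owner,group,umask=000" ;;
        private)
            [ -n "$2" ] || { echo "private profile needs a uid" >&2; return 1; }
            echo "loop,owner,group,umask=077,uid=$2" ;;
        *)
            echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# fstab_line IMAGE MOUNTPOINT PROFILE [UID]: the /etc/fstab entry, on one line.
fstab_line() {
    opts=$(vfat_opts "$3" "$4") || return 1
    printf '%s %s vfat %s 0 0\n' "$1" "$2" "$opts"
}

# Manual setup matching the post (mount needs root):
#   make_image /home/minecraft/diskimage.100mb 100
#   mkfs.vfat /home/minecraft/diskimage.100mb
#   mkdir -p /home/minecraft/mods
#   sudo mount /home/minecraft/diskimage.100mb /home/minecraft/mods \
#        -t vfat -o "$(vfat_opts shared)"
#   fstab_line /home/minecraft/diskimage.100mb /home/minecraft/mods shared
```

The point of mode_from_umask is that vfat has no per-file permissions at all: whatever umask you mount with is the mode of every file on the image, so “umask=000” means anyone with a shell on the box can drop a file into that folder.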

Android’s security situation is pretty dire. Considering how well Google architected Chrome, I know they understand how to create a secure system. Perhaps Google don’t care about security on Android? If a user needs to worry about downloading malware on Android Market, which has apps that leak or maliciously steal personal data, and others that send spam SMS messages, among other nasty things, something has gone terribly wrong. Asking users to review a complex and obtuse permissions list is not even close to the answer. Time and time again, we’ve seen that this sort of thing can’t be left to the users by default. They will always click yes. Google has not learned this lesson, obviously, and as such, I expect the Android platform will turn into the Windows of old, where nearly every smartphone is jam-packed with Spy/Malware. Hopefully I’m wrong and Google will wake up.

phpBB3 and add user mod

» 15 July 2011

If you use the add user mod with phpBB3 with new user registration disabled you may find it is not sending passwords in the user welcome email. To fix this, you’ll need to edit the language template for the user welcome email to include the password token.

You can find the template in language/en/emails. With user registration disabled, the one you want is user_welcome.txt. Use _inactive.txt or admin_welcome_inactive.txt as appropriate if you use those registration modes.

All you need to do is add “Password: {PASSWORD}” somewhere (the token is the important bit) and you’ll be set. You might need to clear your board’s cache by clicking the “clear cache” button on the main admin window.

I hope this helps you if you find yourself in the same puzzling predicament.


» 04 April 2010

So far, this thing has not left my side. I can almost touch type with this keyboard. What I hadn’t expected was for it to replace my iPhone in my mind such that I am puzzled by the tiny screen when I use my iPhone. I think this means iPhones need a higher res screen.

My box can has shinies!

» 23 November 2009

Found on a forum:

I think of my inner world like a child holding a box of their most precious treasures and when they show it to someone the person laughs and teases that they aren’t treasures, they are worthless knickknacks and stones. What hurts isn’t being told that they are worthless, what hurts is that something so wonderful could not be shared. What doesn’t do any good is locking the box up and showing no one ever again. You have to learn to show someone else and keep doing it until you find someone who appreciates it just as you do.

Really. Dr. Horrible’s Sing-Along Blog

Awesome. Watch now. Thanks.

Reverse a dictionary

» 23 June 2008

Have you ever wished your dictionary of <K,V> was in fact of <V,K>? I might be the last person to figure this out, but with LINQ (and a couple lambdas) you can do this with one magical line of code:

var newDict = oldDict.ToDictionary(l => l.Value, l => l.Key);

Neat, eh?