Archive for the ‘Linux’ Category.
27 February 2011, 03:18
I’ve played around with SSH to some extent, and thought I’d write down a few nifty features that I like. This is a small follow-up to my posts on key-based authentication and accessing ArcHTTP. Keep in mind that you have to change things like host and user to fit your needs.
scp foo user@host:~/bar
# To copy a folder, use the -r (recursive) flag, like this
scp -r foo/ user@host:~/
ssh -l user host -D 8080
ssh -l user host -L 8080:localhost:80
Host foo
    User root
    HostName host
    IdentityFile ~/.ssh/otherkey
    Compression yes
    CompressionLevel 9
    KeepAlive Yes
Host bar
    User foo
    HostName host
7 February 2011, 15:22
As OS X does not ship with ssh-copy-id, a utility that copies your public SSH key to a remote server, you have to “install” it manually. Follow the simple steps below, or get the script yourself from a server running OpenSSH. It’s located in /usr/bin/ssh-copy-id.
First, create the file
sudo nano /usr/bin/ssh-copy-id
Insert the script below. Optionally, you can get the script from another OpenSSH installation, such as Debian or Ubuntu. See “cat /usr/bin/ssh-copy-id”.
#!/bin/sh

# Shell script to install your public key on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/id_rsa.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*\.pub" > /dev/null ; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift # and this should leave $1 as the target name
  fi
else
  if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi

if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
  GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
fi

{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

cat <<EOF
Now try logging into the machine, with "ssh '${1%:}'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
Then make it executable. The file was created as root, so chmod needs sudo as well.
sudo chmod +x /usr/bin/ssh-copy-id
8 December 2010, 05:06
ArcHTTP only listens on localhost, for security purposes. But say you are in a situation where you need to configure an Areca controller without rebooting and you have no browser installed, or even worse, you cannot install a local browser. Normally you’d only find yourself in that situation when running a Linux server, and you are probably using OpenSSH to manage it. Like I did.
To access the ArcHTTP web interface you can tunnel your own connection in via SOCKS 5 and configure whatever you need (… to not mess with!) as localhost. When you are done, terminate the connection and congratulate yourself on a job well done.
ssh -l root host -D local_port
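The open-then-terminate procedure described above, written as shell functions. This is an added example, not part of the original post; the function names, the control-socket path in TUNNEL_SOCK and port 1080 are assumptions.

```shell
#!/bin/sh
# Added example: loopback-only SOCKS tunnel with an explicit teardown.
# TUNNEL_SOCK, the function names and port 1080 are illustrative assumptions.
TUNNEL_SOCK="${HOME}/.ssh/archttp-tunnel.sock"

# open_tunnel USER@HOST LOCAL_PORT
open_tunnel() {
    # Refuse anything that is not a port number before it reaches ssh.
    case "$2" in
        ''|*[!0-9]*) echo "bad port: $2" >&2; return 2 ;;
    esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "bad port: $2" >&2; return 2; }

    # -f -N   go to the background after authentication, run no remote command
    # -M -S   master connection with a control socket, used for teardown
    # -D      SOCKS listener bound to 127.0.0.1 only
    # ExitOnForwardFailure: abort instead of staying connected with no listener
    ssh -f -N -M -S "$TUNNEL_SOCK" \
        -o ExitOnForwardFailure=yes \
        -D "127.0.0.1:$2" "$1"
}

# tunnel_alive USER@HOST: status 0 while the master connection is up
tunnel_alive() {
    ssh -S "$TUNNEL_SOCK" -O check "$1" 2>/dev/null
}

# close_tunnel USER@HOST: tell the master to exit, which closes the listener
close_tunnel() {
    ssh -S "$TUNNEL_SOCK" -O exit "$1" 2>/dev/null
}
```

Typical use is `open_tunnel root@host 1080`, then pointing the client at the SOCKS listener with remote name resolution (for example `curl --socks5-hostname 127.0.0.1:1080`), and finally `close_tunnel root@host`. Many browsers bypass the proxy for "localhost" by default, so check that setting if the page does not load.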
14 March 2010, 06:20
In this article I will focus on how to squeeze (no, not the SID/testing release of Debian) the last drop of juice from your Apache2 installation with small measures, focusing on PHP performance. And if you’re really serious you might want to look into my articles about Varnish as well! Welcome to the world of caching dynamic data! Not really, just some parts of it… Continue reading ‘Benchmarking opcode php-cachers with Apache2 on Debian Lenny’ »
Tags: apache2, apc, Cache, eaccelerator, memcache, php5, php5-memcache, scale, xcache
Category: Cache, Debian, Lenny, Linux, how-to
12 March 2010, 00:49
In this article I will focus on how to install, configure and set up Nginx. Nginx is a popular web server, load balancer and reverse caching proxy for many high-traffic sites. Personally I prefer to use Apache2 with proper configuration and Varnish as frontend. In some cases you might want to use Nginx as a frontend for compressing data after it has been received from the backend server, either to ease the load on the backend servers or because the backends do not support this feature, as is the case with Varnish. Continue reading ‘Setting up nginx on Debian Lenny’ »
Tags: build, Debian, how-to, Lenny, Nginx, scale, source, static
Category: Debian, Lenny, Linux, Nginx, how-to
1 March 2010, 22:49
Update 12.2001: Varnish-software.com now offers an official Debian repo; you should use that instead of installing from source. Check www.varnish-software.com for more information!
Due to the strict rules of Debian, many of the packages in stable releases are very old. In some cases, though, we want to run the latest version of a program, mainly for new features and increased speed. The latest version of Varnish in Debian Lenny’s repositories is 1.1.2 (apt-cache show varnish), but in most cases we’d want to run the latest, especially with rapidly developed programs like Varnish. Varnish 2.0.6 is also available in the Debian repository for SID/Squeeze or via backports.
Continue reading ‘Setting up Varnish 2.0.6 on Debian Lenny’ »
Tags: build, Cache, Debian, how-to, Lenny, scale, source, Varnish
Category: Debian, Lenny, Linux, Varnish, how-to
10 December 2009, 00:48
If you administer a large number of computers and servers, it can be quite tricky to keep track of all the passwords and, not least, to keep track of them in a secure way. Storing them in a document does not count as secure. People who use Windows will probably have to make some slight changes to what is described below, but it should be understandable if you have used SSH and SCP once or twice before.
Personally I administer a number of servers, which means I have a heap of passwords to keep track of. To make the whole job a little easier I have set up key-based authentication. That means that as long as I have the key, I only need one password. At the same time I maintain roughly the same security (if not better; that is somewhat debated) while improving my own workflow considerably.
If you are going to create keys on Windows, I recommend downloading PuTTY’s own RSA generator, and WinSCP to transfer the key securely once you have created it. When it comes to moving id_rsa.pub (the public key), security is fairly irrelevant; if someone else were to get hold of it, it does not really do any harm. There is not much they can do with that file alone. But if you should, against expectation, have to move id_rsa (the private key) around, it is smart to do it over secure channels, such as SCP. I prefer SCP for most things myself, as I do not need an extra client to use it.
On Linux, BSD and OS X it is relatively simple. You fire up a terminal and type “ssh-keygen -t rsa”. You will first be asked where you want to store the key and whether you want to attach a password to it. I strongly recommend that you attach a password to the key.
ssh-keygen -t rsa
Once the key has been generated, you send it to the remote machine via SCP. You can put the key on as many machines as you like, and you will be able to log in with the same password (if you chose a password at all!). Note that the command below overwrites any other entries you might have in .ssh/authorized_keys.
scp .ssh/id_rsa.pub user@host:.ssh/authorized_keys
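A non-destructive alternative to the overwrite noted above, to be run on the account that should accept the key. This is an added example, not part of the original post: add_authorized_key is a hypothetical helper, and it also skips keys that are already listed, which the ssh-copy-id script shown earlier on this page does not do.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without clobbering
# existing entries. add_authorized_key is a hypothetical helper name.

# add_authorized_key PUBKEY_FILE SSH_DIR
# Returns 0 if the key is listed afterwards, 1 on bad input or I/O failure.
add_authorized_key() {
    pub=$1 dir=$2 auth=$2/authorized_keys

    [ -r "$pub" ] || return 1
    key=$(head -n 1 "$pub")
    # Accept only a line that starts like a public key. A private key
    # ("-----BEGIN ...") handed over by mistake is refused here.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac

    # Create the directory and file with owner-only permissions;
    # sshd with StrictModes ignores keys in group/world-writable locations.
    (
        umask 077
        mkdir -p "$dir" && touch "$auth"
    ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1

    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the last entry.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"

    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```

On the remote machine this would be called as `add_authorized_key id_rsa.pub "$HOME/.ssh"` after copying the public key file over under its own name.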
Useful links:
1) PuTTy: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2) WinSCP: http://winscp.net/eng/index.php
3) ssh-keygen: http://www.manpagez.com/man/1/ssh-keygen/