An even more secure SSH

First post of 2012, so let's start off with a "Happy New Year!" to everyone.
On an even happier note, I just got word that I passed all my exams. :-)

Now the real topic of this post is SSH, more specifically how to make your SSH connections even more secure than they already are. OpenSSH by default prefers slightly weaker cryptographic algorithms (for example AES128 over AES256), and for its MAC it still prefers MD5-based HMACs, which, while still kinda secure, are clearly weaker than the SHA2-512 based ones, for which OpenSSH added support in the 5.9 release.
Assuming you're running OpenSSH >=5.9 everywhere, as in my setup, configure your sshd instances as follows, so that they only offer the most secure known algorithms, strongest variants first. This also restricts the server to SSH protocol 2, sets some miscellaneous login-related settings, and makes the server check periodically that clients are alive, terminating the connection if they are not.

Protocol 2
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5
ClientAliveCountMax 3
ClientAliveInterval 5
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256

Configure your SSH client as follows so that it only connects to servers using secure algorithms, again trying the strongest first. This also enables SSH protocol 2 only and periodically checks that the server is alive (especially useful with sshfs and its '-o reconnect' flag when working over unstable links like wireless). It further lowers the amount of data transferred before a rekey; the default is usually between 1G and 4G. Each option must stay on a single line, as shown here.

Host *
  Protocol 2
  ServerAliveCountMax 2
  ServerAliveInterval 4
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,aes256-cbc
  KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-sha1
  HostKeyAlgorithms ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
  RekeyLimit 512M

Given both the server and client running OpenSSH >=5.9 and configured as above, you get an SSH connection using AES256-CTR as cipher, exchanging keys with ECDH-SHA2-NISTP521, and using HMAC-SHA2-512 for integrity checking. Basically AES-256 and SHA2-512 everywhere, which, as far as I know, are state-of-the-art in their respective application domains and still considered very secure.
Hope this helps increase security as well as reliability (the Alive options, especially with sshfs).
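As an added illustration (not part of the original post), the following Python applies the SSH negotiation rule of RFC 4253, section 7.1 (for cipher, kex and MAC alike, the first entry in the client's list that the server also offers wins) to the two configurations above. It goes one step further than the post by also running the client config against a constructed stand-in for an unconfigured server with the MD5 MAC listed first: because the client's order decides, the result is still AES256-CTR, nistp521 and HMAC-SHA2-512.

```python
# Added example (not from the post): the SSH negotiation rule from RFC 4253,
# section 7.1, applied to the sshd_config and ssh_config snippets above.
SSHD_CONFIG = """
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256
"""
SSH_CONFIG = """
Host *
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,aes256-cbc
  KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-sha1
"""
# Constructed stand-in for a server left at its defaults, with the MD5 MAC
# listed first as the post describes (not a verbatim OpenSSH default list).
SSHD_UNCONFIGURED = """
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
MACs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""
KEYWORDS = ("Ciphers", "KexAlgorithms", "MACs")

def parse_algorithm_lists(config_text):
    """Return {keyword: [algorithms in preference order]} for the three
    negotiated keywords; every other config line is ignored."""
    lists = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in KEYWORDS:
            lists[parts[0]] = [a for a in parts[1].split(",") if a]
    return lists

def negotiate(client_cfg, server_cfg):
    """For each keyword pick the first entry of the *client's* list that the
    server also offers (the client's order decides, the server's does not).
    Raise ValueError when nothing overlaps, i.e. OpenSSH would abort the
    connection with a 'no matching ...' error."""
    client = parse_algorithm_lists(client_cfg)
    server = parse_algorithm_lists(server_cfg)
    chosen = {}
    for kw in KEYWORDS:
        offered = set(server.get(kw, []))
        match = next((a for a in client.get(kw, []) if a in offered), None)
        if match is None:
            raise ValueError("no matching %s between %s and %s"
                             % (kw, client.get(kw), server.get(kw)))
        chosen[kw] = match
    return chosen

if __name__ == "__main__":
    print(negotiate(SSH_CONFIG, SSHD_CONFIG))        # aes256-ctr, nistp521, hmac-sha2-512
    print(negotiate(SSH_CONFIG, SSHD_UNCONFIGURED))  # the same three, thanks to the client order
```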

Posted by Luca Longinotti on 16 Feb 2012 at 15:00
Categories: Longi, Gentoo, Software



New blog based on Blogofile

As some of you may have noticed already, my blog suddenly looks very different.
I've abandoned Serendipity in favor of Blogofile, a Python-based static-site generator. This means I write posts as text files, they get processed and merged with templates, HTML gets generated, and a fully static site is the result. In fact the only dynamic thing remaining is the comments, which are now powered by Disqus via JavaScript. This allowed me to ditch PHP and MySQL and reduce the load on the server quite a bit. Search is powered by Google. I've also overhauled the template to look nicer and be fully XHTML 1.0 Strict compliant. Thanks to Free CSS Templates for the design!
I've also added a few more parts to the site, so it's no longer a pure blog: there's a welcome page, one about UZH and one about me, as well as a better media gallery. Everything is available via HTTPS, as usual. At the bottom I link to my projects, as well as interesting blogs I follow.
If you find anything not working, be it a link or post, please tell me right away, so I can fix it, thanks!

UPDATE: I've written an ebuild for Blogofile, you can get it from my overlay. It pulls in all required dependencies to run. For my own blog, I also needed dev-python/imaging for the gallery controller.

Posted by Luca Longinotti on 09 Nov 2011 at 20:00
Categories: Website, Gentoo



KVM, slow IO and strange options

In my quest for portability, I wanted to test a few things on several operating systems, mostly BSDs and Sun Oracle Solaris.
Seeing as virtualization is the current hype, I decided to give Linux KVM a try, as it promised to be the more open solution while requiring less effort to set up. In my case, for a few dev-VMs to try stuff on, that is kinda important: I don't want to spend hours maintaining this setup, but I also don't expect stellar performance or plan to run heavy workloads on it.
Gentoo makes the installation quite easy, all you need is to enable KVM in your kernel and emerge app-emulation/qemu-kvm.

  • Clearly the kernel needs KVM support enabled for your CPU. I have all the VirtIO stuff disabled, as I don't need it; I tried VirtIO-blk to speed up IO performance but didn't notice any difference. It probably doesn't do much when you only have 1-2, max. 3 VMs running at any time for development, with not that much going on in them.
  • qemu-kvm: careful with the USE flags and the QEMU_*_TARGETS!

package.use entries:

media-libs/libsdl X audio video opengl xv
app-emulation/qemu-kvm aio sdl
# remember "alsa" if you use it, for both packages!

make.conf entries:

QEMU_SOFTMMU_TARGETS="arm i386 ppc ppc64 sparc sparc64 x86_64"
QEMU_USER_TARGETS="${QEMU_SOFTMMU_TARGETS}"

'aio' is important for native AsyncIO support and 'sdl' to get a window with your VM in it (unless you always want to use VNC to connect). Most people can also probably reduce QEMU_SOFTMMU_TARGETS to "i386 x86_64", but I wanted to keep the option to emulate some alternative architectures.
Once that was all done, KVM worked perfectly, and I started installing a Xubuntu image just to test it, but noticed that IO was incredibly slow, so I set out to find out how to improve its performance. I ended up with the following two Bash functions to install VMs from ISOs and start them, which give a somewhat usable performance. The options are explained below.

# KVM support
# $1: path to the raw disk image; $2 (kvm-install only): path to the install ISO.
# 'random' is a placeholder: substitute a valid, random MAC address there.
kvm-start() {
    /usr/bin/kvm -net nic,macaddr=random -net user -cpu host -smp 4 -m 768 -usb \
        -usbdevice tablet -vga cirrus -drive "file=$1,cache=writeback,aio=native"
}
kvm-install() {
    /usr/bin/qemu-img create -f raw "$1" 6G
    /usr/bin/kvm -net nic,macaddr=random -net user -cpu host -smp 4 -m 768 -usb \
        -usbdevice tablet -vga cirrus -drive "file=$1,cache=writeback,aio=native" \
        -cdrom "$2" -boot d
}
  • -drive's cache=writeback,aio=native are crucial for storage performance, while aio helped just a little, changing the cache mode to writeback massively improved IO performance! Also, raw disk images do perform better than qcow2!
  • -cpu host -smp 4 -m 768 passes along all available CPU features, and raising memory from the default 128 helps too.
  • -usb -usbdevice tablet was needed to fix the broken mouse (it just didn't react at all in my case!), it also makes it possible to drag the mouse off the screen of the VM and back without having to always CTRL+ALT, but this also kinda depends on the OS you're emulating.
  • -vga cirrus enables support for resolutions up to 1024x768 and has very good compatibility all around. You could use -vga vmware for Linux guests to get very high resolutions, but it doesn't work that well with other (especially older) operating systems.
  • -net nic,macaddr=random -net user is for the standard, software routed networking, documented as "slow", but more than fast enough for development work (of course not for some kind of high-traffic thousands-of-connections server). Remember to set a valid, random MAC address!
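The one thing the functions above leave to the reader is the "valid, random MAC address". As an added example (not from the post), this Python produces one that is unicast and locally administered, checks a candidate the same way, and assembles the exact argument list the kvm-start and kvm-install functions pass to /usr/bin/kvm; the 52:54:00 prefix is the one QEMU uses for its own default NIC.

```python
import os

# Added example (not from the post): a valid random MAC for -net nic,macaddr=
# plus the argument list of the post's kvm-start / kvm-install functions.

def random_unicast_mac(prefix=(0x52, 0x54, 0x00)):
    """Return a MAC usable as macaddr=...: the first octet has the
    multicast bit (0x01) clear and the locally-administered bit (0x02) set.
    The default prefix is the one QEMU uses for its own default NIC."""
    octets = list(prefix) + list(os.urandom(6 - len(prefix)))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join("%02x" % o for o in octets)

def is_valid_unicast_mac(mac):
    """Six colon-separated hex octets, and not a multicast address
    (a multicast first octet is a group address, not one a NIC can own)."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        return False
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return False
    return (octets[0] & 0x01) == 0

def kvm_argv(image, iso=None, mac=None):
    """Argument list mirroring the post's kvm-start (iso=None) and
    kvm-install (iso given) functions, with a real MAC substituted."""
    mac = mac or random_unicast_mac()
    if not is_valid_unicast_mac(mac):
        raise ValueError("not a valid unicast MAC: %r" % mac)
    argv = ["/usr/bin/kvm", "-net", "nic,macaddr=" + mac, "-net", "user",
            "-cpu", "host", "-smp", "4", "-m", "768", "-usb",
            "-usbdevice", "tablet", "-vga", "cirrus",
            "-drive", "file=%s,cache=writeback,aio=native" % image]
    if iso is not None:
        argv += ["-cdrom", iso, "-boot", "d"]
    return argv

if __name__ == "__main__":
    print(" ".join(kvm_argv("/vm/test.img")))              # kvm-start equivalent
    print(" ".join(kvm_argv("/vm/test.img", "/iso/x.iso")))  # kvm-install equivalent
```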

Posted by Luca Longinotti on 08 Feb 2011 at 17:40
Categories: Gentoo, Software



Nouveau ++ and HAL --

I finally did it: I tried out Nouveau, the open-source driver for Nvidia graphics cards, and everything went well, my dual head setup works as before, thanks also to XMonad, which is one of the few window-managers that implements virtual desktop management and multi-head setups the right way.
I've waited this long to be sure it all worked and got tested by lots of other people before me, as I simply can't have the main workstation not displaying anything and spend days getting stuff from Git repositories to try out fixes.
Needed a moment to get how XRandr wants the position of monitors specified in xorg.conf, but in the end everything worked out well, and I managed to also massively slim down my Xorg configuration.
So now I have a kernel with no proprietary drivers, and that also means I can finally build a monolithic hardened kernel, without any modules. Works great!
2.6.37 will also bring Temperature Sensors support to Nouveau from what I'm told, I'm waiting on that!
This also brings a fully hardened desktop a little bit closer, as every binary piece of software gone is a problem less there.

I also got fully rid of HAL, since it's being deprecated, and thanks to uam and pmount I can still mount/unmount USB drives with only udev running. I also don't need any of the Policy/Console/Udisk-Kit stuff, which I hope never to have to install.
And I'm taking Midori for a test-drive, looking for a good alternative browser to Firefox, maybe it will be, maybe it won't.

Posted by Luca Longinotti on 04 Jan 2011 at 17:29
Categories: Gentoo, Software



Beware of quotes passed to init-scripts!

Just a quick note in case I or others run into this again...
I use Trac to manage a few projects, more specifically Gentoo's www-apps/trac package to ease its deployment. One feature of the package I take advantage of is the init-script to manage the tracd standalone server.
I now wanted to enable authentication for my Trac installs, and all guides out there tell you to add:

--auth="*,/path/to/digest/auth/file,domain"

to your commandline when starting Trac (notice the quotes!). I tried this on the shell, and it worked as expected. I thus changed the TRACD_OPTS variable in /etc/conf.d/tracd to the following:

TRACD_OPTS="--auth=\"*,/path/to/digest/auth/file,domain\"
--env-parent-dir /var/lib/trac/"

It started fine but authentication didn't work at all... Somewhat baffling, but after some investigation, I noticed that the quotes around the --auth argument were passed as-is to tracd, which then failed to find the environment *, since when splitting the --auth argument apart, "* would be used as environment name.
The solution is simply to not set any type of quotes when starting tracd through the provided init-script, so that TRACD_OPTS looks as follows:

TRACD_OPTS="--auth=*,/path/to/digest/auth/file,domain
--env-parent-dir /var/lib/trac/"

In hindsight logical, as the TRACD_OPTS variable gets evaluated only once and then passed to start-stop-daemon, which passes the arguments verbatim to tracd.
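To make the two parsing paths visible, here is an added Python illustration (not from the post): shlex.split mimics how the interactive shell removes the quotes from a command you type, while str.split mimics the plain field splitting an unquoted ${TRACD_OPTS} expansion gets inside the init-script (the unquoted expansion is an assumption, implied by the post's explanation). The --auth handling is a hypothetical re-implementation of the single tracd step the post describes, not tracd's code.

```python
import shlex

# /etc/conf.d/tracd value as the post first had it: quotes kept inside the value.
TRACD_OPTS_QUOTED = ('--auth="*,/path/to/digest/auth/file,domain" '
                     '--env-parent-dir /var/lib/trac/')
# Corrected value from the post: no inner quotes.
TRACD_OPTS_PLAIN = ('--auth=*,/path/to/digest/auth/file,domain '
                    '--env-parent-dir /var/lib/trac/')

def split_as_typed(cmdline):
    """What the interactive shell does with a line you type: quotes group
    the words and are then removed (POSIX quote removal)."""
    return shlex.split(cmdline)

def split_as_expanded(var_value):
    """What an unquoted ${TRACD_OPTS} expansion gets inside the init-script
    (assumption): field splitting on whitespace only, no quote processing,
    so quote characters inside the value stay in the arguments verbatim."""
    return var_value.split()

def auth_environment(argv):
    """Hypothetical re-implementation of the one tracd step the post
    describes: take --auth=<env>,<file>,<realm>, split it on commas and
    use the first field as the environment name."""
    for arg in argv:
        if arg.startswith("--auth="):
            return arg[len("--auth="):].split(",")[0]
    return None

if __name__ == "__main__":
    print(auth_environment(split_as_typed(TRACD_OPTS_QUOTED)))     # *   (typed on the shell: works)
    print(auth_environment(split_as_expanded(TRACD_OPTS_QUOTED)))  # "*  (via init-script: broken)
    print(auth_environment(split_as_expanded(TRACD_OPTS_PLAIN)))   # *   (via init-script: fixed)
```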

Posted by Luca Longinotti on 27 Aug 2010 at 04:55
Categories: Gentoo, Software



Retiring from Gentoo

I'm officially retiring as a Gentoo developer, simply because I've not really done anything in the last year and will not be getting back into the swing of things anytime in the future, so I feel it's time to retire.
It's been a fun 4.5 years, even if I wasn't present much as developer in the last 1.5 years, and I will definitely continue using Gentoo as my distribution of choice, nothing will change that. I've had the honor of getting to know some amazing people during those years, and improve a lot of my skills and competences, and for that I'm grateful. See you all around!

Posted by Luca Longinotti on 02 Apr 2010 at 18:23
Categories: Longi, Gentoo



tmux

I'm finally back on the net, after not having any internet access at my new apartment in Zürich after I moved there. I now started my bachelor studies at the ETH Zürich, of course in Computer Science, though there's a little bit too much maths right now for me to be really excited about it; future semesters will be better I hope. So I'll try to get back to a few Gentoo things in the near future, now that I also finally fixed up my main dev system (which had its disk die just before I moved)... Still, this blog entry's main focus is to tell you the name of a package I discovered today:

app-misc/tmux

After reinstalling this system I, as always before, emerged screen to take care of my detached-terminal needs. I always had the problem of backspace not working correctly from the desktop, which I was never able to fix properly, but it was bearable. This time it seems something else went wrong too, and inside my screen sessions it didn't source .bashrc or .bash_profile (which sources .bashrc), even though the shell was correctly set to a bash login shell...
So, while perusing Gentoo Wiki's Screen TIPs to see if anyone had seen something like this, at the end of that page I came across the mention of tmux, a "simple, modern, BSD-licensed alternative to GNU Screen".
Seeing that it only depends on ncurses (which is usually installed everywhere) and was only about 100kb of source, I installed it and tried it out. I have to say I'm impressed: this little tool does everything I did with screen (mainly having multiple detached terminals and resuming them, which is probably no "advanced screen usage", but what most people will likely need), backspace works without any fiddling, the Bash stuff is correctly sourced, and the few commands are easy to adapt to. Here a little overview:

  • tmux - Starts a new tmux session
  • CTRL-b d - Press CTRL-b, then d, to detach the terminal
  • tmux a - Reattach to the detached terminal

Still, read man tmux to get the full overview, and then happily emerge -C screen, as I just did.

Posted by Luca Longinotti on 05 Oct 2008 at 14:48
Categories: Longi, Gentoo, Software



net-www/apache-1* masked

This I just wrote to gentoo-dev and gentoo-server, finally ending Apache-1* support in Gentoo.

Hi all!
As announced in the 30 April 2007 edition of GWN, net-www/apache-1* as well as all packages depending/using it were masked, pending removal on 12 June 2007.
I fixed all packages, dependencies, etc. I could find to work correctly after the masking (generally removing Apache 1.X support from them).
If you find any issue still, please open a bug about it, assign it to apache-bugs@gentoo.org and make it block bug 178189.
If you use or plan on using the apache-module or depend.apache eclasses, be aware that the need_apache function no longer exports the apache2 USE flag to IUSE, since now it directly depends on Apache 2.X, so be sure to declare it in your ebuild's IUSE (I fixed the few cases where this wasn't already done).
Thanks and happy upgrading to Apache 2.X!

Posted by Luca Longinotti on 12 May 2007 at 15:44
Categories: Apache, Gentoo



FOSDEM 07, here we come!

Tomorrow to FOSDEM 07 /me goes, along with hansmi, KillerFox and blubb from the swiss crowd!
Later on both flo and EleRas will join us too, so for me not only will it be "the great Gentoo dev gathering", but also "the great SysCP dev gathering", with all three of us present. As flo correctly guessed, I'll be sporting the black Gentoo t-shirt, which is amazingly comfortable, but flo's SysCP t-shirt intrigues me... Is it possible to have more of those @ flo? In black? /me loves black! We'll be able to discuss that at FOSDEM I suppose...
Now off to bed, as I have to get up early (~4AM) to catch the first train to get to Basel, where the others await, and from there off to Bruxelles. Lugano-Basel-Frankfurt am Main-Köln-Bruxelles is the exact route, almost 1000 km, for a total en-route time of about 11 hours, yay!

On the PHP front, I've finally put PHP 5.2.1 and PHP 4.4.5, with all the needed patches and, of course, Suhosin support, into the PHP Overlay. I'll test it all during the next days and hopefully commit to the tree on Monday at the latest. Many bugs are fixed with the latest releases, concurrentmodphp support was greatly improved and fixed (especially wrt 64bit arches), and the new MySQL extension patches are included to have the connection charset configurable per-SAPI, for each PHP version, using php.ini, instead of my.cnf.

Work on VCD is also going steady, we should be near feature-completion soon, so expect some form of pre-release in the next two weeks... Poke Hollow on #gentoo-vserver for more info.

Posted by Luca Longinotti on 22 Feb 2007 at 22:12
Categories: Longi, SysCP, PHP, Gentoo



Greetings from 23C3

Yo! Greetings from the 23C3, the Chaos Computer Congress in Berlin.

Great talks and great people here, at the moment I'm attending a talk about JSON RPC (who knows, maybe that can/will be used someday to improve SysCP), and before that I attended a really great talk about backbone hacking. As you can see from this blog post, the wireless network works well (as does the wired one). :)

With regards to Gentoo devs, I've already seen and got to know hansmi, KillerFox and Pylon. I've also been told that mabi is around and hanno should be too (at least based on the fact he gave a Lightning Talk about XGL yesterday, which I sadly missed); we should really define a place to meet and get to know each other... That goes for Gentoo and SysCP users too.
I myself can usually be found attending some talk or down in the Hackcenter (central position, at a round table). Have fun!

Posted by Luca Longinotti on 28 Dec 2006 at 12:42
Categories: Longi, Gentoo, CCC



