Older blog entries for hands (starting at number 12)

Securing passphrase-less ssh, using ssh-agent, command=, sudo and rrsync

I just came across yet another example of someone assuming that it's OK to create a passphrase-less ssh key and grant it root access on a remote machine.

Prompted by that, I've written how to do passphraseless-ssh properly.

One trick that I mention is having a script like this:

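    #!/usr/bin/ssh-agent /bin/sh
    # ssh-agent runs /bin/sh on this script and exits when the script ends
    # -A forwards that agent to the remote side for the life of this connection
    ssh -A remote-server ~/bin/kick-off-job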

allowing the remote machine to access us, but only when we're talking to them.
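An added check for the problem described at the top of this entry (not code from the original post): it lists which keys in an authorized_keys file are pinned to a forced command with command= and which are not. The sample file, key blobs, rrsync path and job names are constructed.

```python
# Constructed sample; key blobs are placeholders, the rrsync path is hypothetical.
SAMPLE = '''\
ssh-rsa AAAAB3PLACEHOLDER1 root@backup-client
command="/usr/local/bin/rrsync -ro /srv/backup",no-pty ssh-rsa AAAAB3PLACEHOLDER2 backup-job
command="echo a, b",no-pty ssh-ed25519 AAAAC3PLACEHOLDER3 cron@web1
# deploy key
no-pty ssh-rsa AAAAB3PLACEHOLDER4 deploy@ci
'''

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # first field of a line without options


def split_unquoted(text, seps):
    """Split text on characters in seps that sit outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return [p for p in parts if p]


def forced_commands(authorized_keys_text):
    """Return (line_number, key_comment, forced_command_or_None) for each key."""
    result = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_unquoted(line, " \t")
        opts = [] if fields[0].startswith(KEY_PREFIXES) else split_unquoted(fields.pop(0), ",")
        command = None
        for opt in opts:
            name, _, value = opt.partition("=")
            if name.lower() == "command":
                command = value[1:-1] if value.startswith('"') else value
        result.append((n, fields[2] if len(fields) > 2 else "", command))
    return result


def unrestricted(authorized_keys_text):
    """Keys with no command= option, i.e. not pinned to a single command."""
    return [(n, c) for n, c, cmd in forced_commands(authorized_keys_text) if cmd is None]
```

Run `unrestricted()` over root's authorized_keys first: any passphrase-less key it reports there is the situation this entry warns about.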

Syndicated 2009-06-26 09:13:44 from chezfil

going to DebConf9

I've known I was going for ages, but yesterday I finally got train tickets despite renfe's efforts to stop me. I'm flying London Gatwick to Lisbon on TAP, then getting the TRENHOTEL train to Cáceres, arriving at 05:05 on the 15th, afterwards reversing the journey, leaving Cáceres at 01:53 on Aug 1st.

If you're in the UK (or if you are losing the will to live fighting with renfe's hopeless website) you should probably get in touch with http://spanish-rail.co.uk/, which turns out to consist of one person (Mercelo Saito) who is a nice chap, but is currently rather busy, so if you fail to get him on the phone (+44 (0)20 7725 7063) your best bet is to mail info@spanish-rail.co.uk telling him what tickets you are after, and a phone number where he can call you back.

It seems that the renfe system's meltdown is due to the combined effects of going from 30-day to 90-day advance booking, and a festival that's occurring on the east coast somewhere. Mercelo thought that it's possible that the discount tickets could well still be available, but that the system that lets you get these was totally unavailable over several days of trying, so I ended up deciding to pay the extra so that I could get the tickets in my hand.

spanish-rail.co.uk are the official agent of renfe in the UK, and as such have a renfe ticket printing machine, so they can print tickets on the spot. If you do turn up in person, they're in a managed office building (Regent House) with no sign on the outside of the building, so don't assume (like I did) that you'll be able to walk down the street and see a shop-front with "Spanish Rail" emblazoned across it.

Syndicated 2009-06-23 12:56:28 from chezfil

Booting USB sticks via grub4dos lets you boot (some) CD images

Having spent about 3 days getting my new USB stick to boot in exactly the same way regardless of whether the machine supports USB-HDD or only USB-ZIP, as well as letting you choose between a few fun things to boot (including debian-installer, which on a stick big enough to carry a DVD image makes it rather useful), I thought I'd better describe how to build my attempt at the ultimate-usb-stick.

The next trick is going to be getting debian-live and debian-installer ISOs to be clever enough to look around for an ISO image, and if found, loop mount it, rather than just getting in a strop when they realise that they don't know where they came from.

Syndicated 2009-06-15 00:20:30 from chezfil

HTTPS VirtualHosts

Until a couple of weeks ago, I was under the impression that one could only have a single HTTPS site per IP address, but it seems I was wrong.

The procedure is described here on the CACert wiki.

In short, you need multiple SubjectAltName fields on your server's certificate, such that all the VirtualHost names that you want to work are either directly mentioned, or will match via wildcards.

The page above includes a link to a nice script that generates a key and CSR (Certificate Signing Request) ready to be pasted into CAcert's Server Certificate page.

Note: the CN is pretty much ignored by some browsers, so you'll want to put the machine's main name as one of the SubjectAltNames as well.
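A way to check name coverage before deploying the certificate, as an added example that is not from the original post or the CAcert script: it takes the SubjectAltName line of a certificate and reports which VirtualHost names, and whether the machine's main name, are left uncovered. The host names and SAN line are constructed, and the wildcard rule used (a `*` stands for exactly one left-most label) is the usual browser behaviour.

```python
# Constructed sample: the subjectAltName line as `openssl x509 -noout -text` prints it.
SAMPLE_SAN_LINE = "DNS:*.example.org, DNS:example.org, DNS:mail.example.net, IP Address:192.0.2.10"


def dns_sans(san_line):
    """Return the lower-cased dNSName entries of a comma-separated SAN line."""
    entries = [e.strip() for e in san_line.split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]


def san_covers(pattern, host):
    """True if one SAN entry covers host; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.example.org covers neither example.org nor a.b.example.org
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(main_name, san_line, vhosts):
    """Names that no SAN entry covers; the machine's main name is checked first."""
    sans = dns_sans(san_line)
    names = [main_name] + [v for v in vhosts if v != main_name]
    return [n for n in names if not any(san_covers(s, n) for s in sans)]


if __name__ == "__main__":
    vhosts = ["www.example.org", "example.org", "a.b.example.org", "www.example.net"]
    for name in uncovered("server1.example.org", SAMPLE_SAN_LINE, vhosts):
        print("not covered by the certificate:", name)
```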

BTW if you get a warning like:

    [warn] _default_ VirtualHost overlap on port 443, the first has precedence

you probably need to add

    NameVirtualHost *:443

to your /etc/apache2/sites-enabled/ssl before the <VirtualHost *:443> line.

Of course, this glosses over the details of doing things like setting your name and address in the certificate, but since CAcert will strip all that out anyway, it only matters if you wanted to get it signed by someone else. Even so, this should get you started -- you can always edit those details into the csr script.

Syndicated 2008-12-08 19:26:23 from chezfil

There's probably no god. Now stop worrying and enjoy your life

Alain Williams just sent me a link to the Atheist Bus Campaign which was started to raise £5,500.00 GBP in order to buy adverts on the sides of busses in London.

As I write they have raised £111,832.43, so over 20 times what they needed for the London busses. I'm so impressed with this that I gave them £100.00

Update: I note the campaign's page, where among other things they link to a clip from the BBC's Have I got news for you which is rather amusing about this, particularly the last joke. Also, Justgiving's blog seems in awe about how this has taken off. As they mention, there's even a wikipedia page about this.

Syndicated 2008-10-28 00:00:00 from chezfil

Virgin Media (ex. NTL) support Linux just fine, despite their claims not to.

Today I helped a friend sign up with Virgin Media's broadband service. He was having trouble, as their front-page at http://activation.virginmedia.com/ does a brain-damaged test, and tells you that they only support Windows and MacOS X and that if you have anything else you'll need to phone them at a pound a minute so you can talk to some idiot until you lose the will to live (or some such).

After a brief rummage, I noticed that if instead of doing what they tell you to do, you go to https://autoreg.autoregister.net/ you get prompted for whether you're signing up for Broadband or Dialup, and on clicking Broadband, you're led through the sign-up procedure with no complaints about compatibility, and within 5 minutes he was online with his GNU/Linux (Ubuntu) system and Firefox browser.

This makes me wonder why Virgin Media bother putting extra effort into turning users away when in fact the sign-up procedure would work perfectly if they hadn't bothered with the stupid browser test.

Syndicated 2007-12-21 00:00:00 from chezfil

Linus' new T-Shirt

Nice to see the British Computer Society finally run Linus to ground after 7 years, so that they could pin the Ada Lovelace Medal on him, but I reckon he looked even more pleased when he got a new T-Shirt:

Linus Torvalds seems pleased with his new Debian T-Shirt

Syndicated 2007-09-04 23:00:00 from chezfil

In case you're wondering...

The answer is: No

Syndicated 2007-06-09 23:00:01 from chezfil

DebConf7 Office Phone

DebConf7's phone number is now live: +44 (0)131 516 8575

At present, that number goes through to a phone in the hacklab, so don't be surprised if it gets answered by someone that has little clue about what's going on organisation-wise. We'll get it set up in the office ... when we have an office :-)

Syndicated 2007-06-09 23:00:00 from chezfil

Debian Tartan Kilts expected to be ready on Friday

... which is a nice surprise, since when I phoned the weavers up last week, they said something like "You want the kilts by WHEN?!?" (and that despite me specifying the target date as the first thing I said to them in January -- good job I lied, and told them I wanted them by 1st June, eh?)

Seems that was all due to an internal communications failure, and they've pulled all the stops out to get the order done by the end of the week, so no harm done.

In related news, it seems that there's a few yards more cloth than was expected (due to it shrinking somewhat less between weaving and finishing than expected). That being the case, it's possible that we'll be able to get one more kilt made, so if you're reading this thinking "Damn, I wish I'd signed up for one of them" feel free to get in touch.

Alternatively, if the ties we've had made prove popular, I'll use the spare cloth for making more of them.

So, if you do fancy a kilt, if you can get your measurements to me pretty much immediately, it's just possible that the tailors will be able to make a kilt for you before the end of DebConf.

Finally, if people are interested, but not desperate about the timing, there is a table on the wiki to which you could add yourself so that a critical mass for a second order can be accumulated.

Syndicated 2007-06-04 23:00:00 from chezfil
