Wednesday, April 28, 2010

Modes matter for password-less login

I typically set up keys to allow myself password-less access to remote development servers that I use all the time. Today the typical ssh-keygen/deploy public-key routine didn't work as expected. After deploying my public key to the remote's authorized_keys, I was still being prompted for a password.

Found this in /var/log/secure.


Apr 28 12:51:35 theserver sshd[16285]: Authentication refused: bad ownership or modes for directory /home/theuser


It turns out the failure was due to group write permission on two important directories on the remote machine. Both the home directory and the .ssh directory had the following permissions:


drwxrwx--- 36 theuser thegroup 4096 Apr 28 11:56 ..


chmod 700 for both /home/theuser and /home/theuser/.ssh fixed the problem.
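The refusal above is sshd's StrictModes check: before it trusts ~/.ssh/authorized_keys it requires the home directory, .ssh and the key file to be owned by the user (or root) and not writable by group or others. The following script is an added example, not code from the original post; it reproduces that check against a throwaway directory created with the same drwxrwx--- modes, then applies the chmod 700 fix. The function names and the constructed demo directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ownership/mode
# check that sshd's StrictModes option applies before it trusts
# ~/.ssh/authorized_keys.  Home, ~/.ssh and the key file must be owned by the
# user (or root) and must not be writable by group or others.

# Return 0 if TARGET is owned by OWNER (or root) and has no group/other write bit.
path_mode_ok() {
    target=$1
    owner=$2
    # ls -ld output: "drwxrwx--- 36 theuser thegroup ..." -> $1 = mode, $3 = owner
    set -- $(ls -ld "$target")
    mode=$1
    actual=$3
    if [ "$actual" != "$owner" ] && [ "$actual" != root ]; then
        echo "bad ownership: $target is owned by $actual, expected $owner" >&2
        return 1
    fi
    case "$mode" in
        ?????w*|????????w*)   # char 6 = group write bit, char 9 = other write bit
            echo "bad modes: $target is $mode (group/other writable)" >&2
            return 1 ;;
    esac
    return 0
}

# Check every path sshd cares about under HOME for user OWNER.
# Returns 0 if all pass, 1 otherwise (a missing authorized_keys is just skipped).
check_ssh_modes() {
    home=$1
    owner=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        path_mode_ok "$p" "$owner" || rc=1
    done
    return $rc
}

# --- constructed demo: a throwaway home directory with the post's bad modes ---
me=$(id -un)
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 770 "$demo" "$demo/.ssh"            # drwxrwx---, as seen in the post
chmod 600 "$demo/.ssh/authorized_keys"
if check_ssh_modes "$demo" "$me"; then
    echo "unexpected: bad modes passed"
else
    echo "refused, as sshd would"
fi
chmod 700 "$demo" "$demo/.ssh"            # the fix from the post
if check_ssh_modes "$demo" "$me"; then
    echo "fixed: modes now acceptable"
fi
rm -rf "$demo"
```

Run it as the user whose keys are failing, or point check_ssh_modes at another user's home while root; the complaints it prints on stderr name the offending path, which is more than the one-line sshd log message gives you.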

Monday, April 26, 2010

Tulsa Developers tied to vendor technology

From time to time I take a look around to see what kind of programming talent is available in the Tulsa area. Most of what I find is tied to Oracle/Sun (Java) or Microsoft.

It's no secret that Tulsa has been heavy into Microsoft technology for years now. The community colleges and trade schools teach it, the recruiters can get their heads around it, and many conservative businesses would rather go with a name they know.

I remember a Williams employee steering me away from my Borland c++ compiler many moons ago, assuring me that Visual c++ was the future.

Well it was and it wasn't. I embraced Visual c++ and talked my first (serious) employer into letting me use it to write an application for a Phillips petroleum project. That work experience propelled me to my next development job, one I kept for almost a decade.

I wrote a heck of a lot of code using Visual c++ and the MFC framework, until it became my job to port the code to Unix flavors. For days, weeks, months I chased the not-quite-regular constants, the libraries that were similar but rarely identical to the standards. It was then that I started going cold on Microsoft.

I moved away from Microsoft development tools for a lot of reasons including a strong preference for open-source. There's so much free and truly open support on the web. When combined with Linux, open-source makes it possible to examine every nook and cranny of source code down to the kernel level.

Why would new developers gravitate to vendor tools when

  • they can't examine what is going on under the covers,
  • they can't control how long the technology will be supported before the vendor deprecates (or abandons) it in favor of new vendor tools,
  • they can't really have any substantial influence over the evolution of the technology?

I was thinking about these questions as I reviewed search results for "tulsa developers". It turns up these sites and not much more.

www.tulsadnug.org

tulsajava.com

Tulsa seems to have a flourishing Microsoft and Java community. Who is representing everything else that's happening in computer science?

According to Tiobe.com, the most popular programming language is Java. Microsoft-based technology doesn't rank until the fifth position, and then it falls off except for position eight. In Tulsa, I'm sure Visual Basic and C# would contend for two of the first three slots.

1. Java - 19.1%
2. C - 15.2%
3. C++ - 10.1%
4. PHP - 8.7%
5. Visual Basic - 8.4%
6. Perl - 6.2%
7. Python - 3.8%
8. C# - 3.7%
9. JavaScript - 3.1%
10. Ruby - 2.6%
11. Delphi - 2.1%

We all know that Tulsa, Oklahoma is a conservative city and not well known for risk taking. And perhaps there is more to the story than a simple web query immediately reveals. Ping.fm is Tulsa-based. Python-friendly Vidoop was founded here, though they relocated and then folded. Perhaps they should have stuck around.

Wednesday, April 21, 2010

Switch Primary Monitor in Ubuntu 10.4

The default Monitor Preferences dialog, while sweet, does not allow you to make your secondary monitor your primary. This is a problem if you want the top and bottom Ubuntu Panels displayed on the secondary monitor. Thankfully I found this sweet little script.


#!/bin/sh
#
# Change Primary Monitor for Gnome
# ver 1.0
#
# Copyright (c) 2010 michal@post.pl
#
# This file is free software. You can redistribute it
# and/or modify it under the terms of the GNU
# General Public License (GPL) as published by
# the Free Software Foundation, in version 3.
# It works for me. I hope it works for you as well.
# NO WARRANTY of any kind.
#

# get list of top-level gnome panels
getTopPanels() {
    gconftool-2 --all-dirs /apps/panel/toplevels
}

# get monitor number for this panel (empty if the key has never been set)
getMonitor() {
    local PANEL=$1
    gconftool-2 --get "$PANEL/monitor"
}

# set monitor to display on for given top-level panel
setMonitor() {
    local PANEL=$1
    local NEW=$2
    gconftool-2 --set --type int "$PANEL/monitor" "$NEW"
}

# return number of connected monitors (xrandr lines of the form "<output> connected ...")
getConnectedMonitors() {
    xrandr --query | grep -c '^.* connected'
}

# compute next monitor, wrapping around to 0 after the last one
nextMonitor() {
    local CURRENT=$1
    local MONITORS=$2
    echo $(( (CURRENT + 1) % MONITORS ))
}

# logging function (writes to stderr so stdout stays clean)
log() {
    echo "$@" 1>&2
}

# main logic below #############

MONITORS=$(getConnectedMonitors)
log "Detected $MONITORS connected monitors"

getTopPanels | while read -r PANEL
do
    MONITOR=$(getMonitor "$PANEL")
    MONITOR=${MONITOR:-0}            # an unset key means the panel is on monitor 0
    NEW=$(nextMonitor "$MONITOR" "$MONITORS")
    log "Panel $PANEL is displayed on $MONITOR. Switching to monitor $NEW."
    setMonitor "$PANEL" "$NEW"
done

Thursday, April 15, 2010

mod_security setup on Centos 5.4

Enable the EPEL repository.


rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm


Install via yum.


yum install mod_security


This will load your basic mod_security configuration including the core rules.

Next I had to set SecDataDir in the config. It was not set initially, and errors of the following form appeared in the log file.


ModSecurity: Unable to retrieve collection (name "", key ""). Use SecDataDir to define data directory first.


Fixed this by setting SecDataDir and creating the directory it points to, making sure to give apache permission to use it.


vim /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
( Added SecDataDir /usr/local/apache/modsec_data )
mkdir /usr/local/apache
mkdir /usr/local/apache/modsec_data
chown apache:apache /usr/local/apache/modsec_data
chown apache:apache /usr/local/apache


After a restart, mod_security successfully began applying rules, but rather than blocking problem requests (my intention) it merely logged warnings. I changed the SecDefaultAction in /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf from


SecDefaultAction "phase:2,pass"


to


SecDefaultAction "phase:2,deny,log,status:403"
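The two settings above are easy to get wrong silently: a missing SecDataDir only shows up as a log error, and a "pass" default action leaves the rules in logging-only mode. The script below is an added example, not part of the original post or of the ModSecurity project; it reads a config file, reports the last SecDataDir and SecDefaultAction directives, and verifies that the data directory exists and is owned by the httpd user. The function names are this example's own, and the sample config it writes is constructed here rather than taken from the post. Note the simplification that it reads the last directive in the file; ModSecurity 2.x allows several SecDefaultAction directives, each governing the rules that follow it.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a ModSecurity 2.x
# config for the two settings the post had to fix.  Reports the last
# SecDataDir and SecDefaultAction directives found and whether the default
# action actually blocks.

# Print the value of the last SecDataDir directive in CONF (empty if unset).
modsec_data_dir() {
    grep -E '^[[:space:]]*SecDataDir[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}'
}

# Print the action list of the last SecDefaultAction directive in CONF with
# the quotes stripped, e.g. phase:2,deny,log,status:403 (empty if unset).
modsec_default_action() {
    grep -E '^[[:space:]]*SecDefaultAction[[:space:]]+' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*SecDefaultAction[[:space:]]+//; s/"//g'
}

# Return 0 if the default action is disruptive (deny, drop or redirect),
# 1 if it only passes/logs or is unset.
modsec_default_action_blocks() {
    case ",$(modsec_default_action "$1")," in
        *,deny,*|*,drop,*|*,redirect:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if DIR exists and is owned by OWNER (the httpd user, "apache" on CentOS).
modsec_data_dir_ok() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")      # $3 is the owner column
    [ "$3" = "$owner" ]
}

# Human-readable report for CONF, expecting the data dir to be owned by OWNER.
modsec_config_report() {
    conf=$1
    owner=$2
    datadir=$(modsec_data_dir "$conf")
    if [ -z "$datadir" ]; then
        echo "SecDataDir: NOT SET (collections such as persistent IP/session data will fail)"
    elif modsec_data_dir_ok "$datadir" "$owner"; then
        echo "SecDataDir: $datadir (exists, owned by $owner)"
    else
        echo "SecDataDir: $datadir (missing or not owned by $owner)"
    fi
    if modsec_default_action_blocks "$conf"; then
        echo "SecDefaultAction: $(modsec_default_action "$conf") (blocking)"
    else
        echo "SecDefaultAction: ${SECDEF:-$(modsec_default_action "$conf")} (NOT blocking: rules only log)"
    fi
}

# --- constructed sample config, standing in for modsecurity_crs_10_config.conf ---
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not a real file from the post
SecDefaultAction "phase:2,pass"
SecDataDir /usr/local/apache/modsec_data
EOF
echo "== before the fix =="
modsec_config_report "$conf" apache
printf 'SecDefaultAction "phase:2,deny,log,status:403"\n' >> "$conf"
echo "== after the fix =="
modsec_config_report "$conf" apache
rm -f "$conf"
```

On the server itself you would call modsec_config_report /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf apache; the data directory line will read "missing or not owned" until the mkdir/chown steps from the post have been done.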
