Tuesday, May 15, 2012

SSH....(Part 2)

I regretted mentioning in my previous SSH post that I would get back with key authentication, since it did not look like I was getting to it. But thanks to the whim that I carry around, here it is: I spent half a day today playing around with SSH key authentication. You may want to go over Part 1, in case you haven't, before proceeding.

In Part 1, I tried my hand at setting up an SSH connection based on basic fingerprint and then password authentication. Today I spent half a day playing with SSH to try the public-key cryptography feature, which is basically meant to remove the need to enter a password that has a good chance of being snooped.

Machines involved: 
1. HP Pavilion dv6000 laptop (L1) (with Windows Vista :-( running and PuTTY installed)
2. HP Pavilion desktop (D1) (Pentium 4!! really old..but good for playing such stuff): Installed the latest Ubuntu 12.04 LTS (codenamed Precise Pangolin) on it last week
3. An assembled Pentium dual core desktop (D2) ( running Ubuntu 11.10)
In my case, I have taken D1 to be my server, while L1 and D2 are client machines.

Brief:
In brief, the client machine that wants to access the server runs a key pair generator (like PuTTYgen on Windows or the ssh-keygen command on Ubuntu Linux). This generates a pair of keys: a public key, which the client shares with the server machine and which is stored in a specific location on the server, and a private key, which is stored on the client itself. Whatever communication takes place between the two is encoded in terms of these keys and can be decoded only if one has the other key. The types of keys supported include DSA and RSA.

Generating keys:
Windows: 
On Windows (L1), I used PuTTYgen to generate the key pair. I selected the SSH-2 RSA (default) option and a 2048-bit length (the more, the harder to crack). Click on "Generate" to start the process. To bring randomness into the number generation, it is good to give some random cursor movement, as the app asks for. Once generated, save both the public key (no specific extension) and the private key (.ppk).

Linux: 
In Ubuntu, the SSH client comes pre-installed. The "ssh-keygen" command is used:

amit@Hp-desktop-ubuntu-11:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/amit/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amit/.ssh/id_rsa.
Your public key has been saved in /home/amit/.ssh/id_rsa.pub.
The key fingerprint is:
22:7b:9d:0e:62:a9:ec:3c:29:2c:1d:15:e0:d0:1e:b6 amit@Hp-desktop-ubuntu-11
The key's randomart image is:
+--[ RSA 2048]----+
|....             |
| o+ .            |
| o.o .           |
|  E .            |
|   .. . S        |
|  .  + o .       |
|.. o= o o        |
|o++o o o         |
|.o=.    .        |
+-----------------+

Sending the public key to the server:
The public key needs to be stored in the file "authorized_keys" at the location 

/home/[username]/.ssh/authorized_keys

Linux: 
One has to run the command ssh-copy-id on the client (D2) as shown below:


amit@Hp-desktop-ubuntu-11:~$ ssh-copy-id amit@192.168.2.5


where 192.168.2.5 is the IP address of the server and "amit" is the user account that I would log into when connected. You will be prompted for the password of the user account on the server. Once that is provided, the file gets saved at the appropriate location on the server.


Windows: 
In Windows, you can run the PSFTP application to transfer the file. Once it is transferred to the right location, ensure that the file is named "authorized_keys", as is the requirement. Ideally this should have sufficed. But there is a complication here that took me some time and googling to realise: the text formatting that PuTTY uses for the public key is not directly compatible with the OpenSSH format. An example:

PuTTY output:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20120514"
AAAAB3NzaC1yc2EAAAABJQAAAQEAx0O0uS31JUq4syTjV1Sufl3SNVfrV1dmPh8N
ZA6WSaAufBldoOwDTMutDZ1xcWwKkvK6xfbv6t9SX+BZOSRCpxrd6NPbPUZZxNra
94hKaO7depgn2OwCAsiMkYtbbta+k1q7rDu1Ri4mrfeFyl4dbnpphTnjF3quWMOF
zs7biu7YrBjgkYzGqbRdiFS4yH3Y03rFi4ZXPeioxfwaoka2enliKYmdeHDc0K8z
A0XBbnFrNYKKqPS7GIhGvwHJfEKt7IlxXhyL4/3prWfPd25Nd2uBmcGI3BCClTl2
ME+8UIsNtNEv7GshCj5o/VnlaOWxRyBeotp03H0i6gd/LIeXJw==
---- END SSH2 PUBLIC KEY ----

Key format expected by OpenSSH:
ssh-rsa(single space)AAAAB3NzaC1yc2EAAAABJQAAAQEAx0O0uS31JUq4syTjV1Sufl3SNVfrV1dmPh8NZA6WSaAufBldoOwDTMutDZ1xcWwKkvK6xfbv6t9SX+BZOSRCpxrd6NPbPUZZxNra94hKaO7depgn2OwCAsiMkYtbbta+k1q7rDu1Ri4mrfeFyl4dbnpphTnjF3quWMOFzs7biu7YrBjgkYzGqbRdiFS4yH3Y03rFi4ZXPeioxfwaoka2enliKYmdeHDc0K8zA0XBbnFrNYKKqPS7GIhGvwHJfEKt7IlxXhyL4/3prWfPd25Nd2uBmcGI3BCClTl2ME+8UIsNtNEv7GshCj5o/VnlaOWxRyBeotp03H0i6gd/LIeXJw==(single space)amit@HP-LAPTOP

The expected key should start with the string "ssh-rsa", followed by a single space, then the actual key with no spaces after any character, then a single space again at the end followed by an optional mention of the name of the user account that will be logged in as the client.

I spent quite some time debugging this. I kept getting the error "Server refused our key", followed by a prompt for a password, which is what we do not want. One has to be very sure there are no extra characters like spaces, new lines etc. within the key due to the formatting that Windows adds to the files. That was the issue in my case as also faced by another user:

Thanks to him, it was easy to debug...
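
The manual reformatting described above can be scripted. The following is an added example, not part of the original post: it parses the PuTTYgen export and emits the single-line form OpenSSH expects, taking the key type from the key data itself. The function names and the sample key (constructed with a dummy modulus) are assumptions made for illustration.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def _lp(data: bytes) -> bytes:
    """Encode one SSH length-prefixed string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

def key_type_of(blob: bytes) -> str:
    """Read the algorithm name stored as the first string inside the key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix in key blob")
    return blob[4:4 + n].decode("ascii")

def ssh2_to_openssh(text: str, comment: str = "") -> str:
    """Turn a PuTTYgen 'SSH2 PUBLIC KEY' export into one authorized_keys line."""
    # Treat CR and LF alike so Windows line endings cannot leak into the key.
    lines = [ln.strip() for ln in text.replace("\r", "\n").split("\n") if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 BEGIN/END markers")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:         # header such as Comment: "..."
            in_header = ln.endswith("\\")  # trailing backslash continues a header
            continue
        body.append(ln)
    blob = base64.b64decode("".join(body), validate=True)
    line = f"{key_type_of(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line

# Constructed sample (dummy modulus, not a usable key), wrapped at 64 columns
# with CRLF line endings the way a file saved on Windows would be.
SAMPLE_BLOB = _lp(b"ssh-rsa") + _lp(b"\x25") + _lp(b"\x00\xc7" + bytes(range(255)))
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_EXPORT = "\r\n".join(
    [BEGIN, 'Comment: "rsa-key-constructed"']
    + [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
    + [END, ""]
)

if __name__ == "__main__":
    print(ssh2_to_openssh(SAMPLE_EXPORT, "amit@HP-LAPTOP"))
```

OpenSSH's own `ssh-keygen -i -f <file>` performs the same conversion when run on the exported public key file.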

Finally, firing an SSH session from client:
Windows: 
This is the last step, where you get to know if everything is correct or not. In Windows, open the PuTTY application. You can configure a session and save it with the right IP address and user account on the server, e.g. amit@192.168.2.5. Under the Category menu, go to Connection > SSH > Auth. Give the path of the private key file (.ppk) that was stored earlier. Once the connection is opened, if everything goes well, you should be greeted by the command prompt of the server machine. Otherwise, you will be prompted for the account password, since the key-based authentication did not work out.

Linux:
Run the command "ssh [IP address] -l [username]" and you should get the same result as mentioned above. For user "pradeep", the output would look as follows:




If you did set a passphrase when generating the key pair, you will be prompted for it at this point before you are logged in. Otherwise the login will be unobstructed.

Now if you have more users logging in to the same account on the server, the public keys get appended to the authorized_keys file. I think a Linux client is much, much easier to use, since you avoid the incompatibility and manual editing of the key file, and every client that does an "ssh-copy-id" automatically appends its key to the file. No extra effort or editing needed...


That's all folks!! (reminds me of Looney Tunes..  :-)  )

By the way, I learnt one more thing in this process. People using Ubuntu might know that the first user they create automatically gets into the sudoers list, but every other user account is just a general user account with no sudo privileges. So if one wants to add a user to a sudoers group, first "su" to the sudo-capable account and run the command

sudo usermod -a -G sudo [username]

Then log out and log in to the specific user account which needs the rights. The "-a" flag is important, since it tells usermod that this group is to be appended to the existing groups to which the user already belongs.

Also do check out the Wikipedia page for more theory on this topic...

Wednesday, May 9, 2012

Grate expectations!!


Is it possible not to expect? Is it humanly possible for anyone to do that perpetually? The inertia of this stupid mind does not let me go off many thoughts that have been bugging my mind since some time now. Disappointments at college, at work, at home and everywhere else when looked closely seem to have a different reason each time, but when looked through the reverse telescopic view ( a figment of my imagination..dont bother..in case you do..there's a post about it too...though I know you won't..but just in case..), everything seems to have their roots at "expectations". The property to visualise getting something in return the moment an idea strikes your mind. It is not the fault of the idea. The idea is a harmless, dimensionless (forgive me, physicists..not talking science here) seed that is planted either by external factors or your own subconsciousness. But you do not want to nurture the idea just like that. You start with, "What's in it for me?" and when you get a valid answer like fame, money, love, attention blah blah and you agree to water the seed. This very "me" makes that idea important to you and it grows and grows and you can't leave it. In fact, it is so ingrained that it gives you a high of "feel good" when good things happen. But what happens when things don't work out the way they should have been? The same clay that makes a pot of "feel good" turns into a quagmire. Considering your oneness with the idea, you cannot believe how it could fail. You start fighting aggressively and no wonder the more you struggle, the more you go deeper into it.

At work, I remember, I had decided from not day one, but somewhere midway that I would not care about grades. I would work as hard as I can without expecting anything in return. I would not care about what people talked about me. I was gonna learn without keeping any expectations. So when I was the last person to leave office or coming on a weekend, people joking as they made their way out, I would just smile. It never affected me, as if there was a separate personality handling these comments and just dumping them. Then also as I heard that, " You were worthy of a very good grade. But.." I could not get good grades twice because I made my intentions clear much ahead of time, I did not feel bad. Instead I replied, " I can understand. There are other people who are gonna stay back and need more encouragement than me." ( Believe me..I was made the laughing stock cum epitome of idiocy as I relayed the story to my parents). It did not pain me at all. Repeated telecasts of the story at home, however, thanks to my parents, were enough to plant the seeds of expectations and now suddenly, I feel so bad about it. Add to that hearing about other colleagues who made a good plan about when to inform and whom to inform about their plan to quit and managing to get the best grade. Cheers to being over-frank!!

Coming across a rich guy or a well settled guy or a learned guy or a healthy guy and feeling the inferiority eat you in as you know you are light years away from getting there. One may say the reason for disappointment is competition, but deep down it comes to expectations; expecting that you be like him.

I could go on and on..proving examples..unsure though if I am right..

I feel expectation begets sorrow, disappointment and the ideal way is not to....expect. I am gonna try and do it, thinking about the smallest thought and nurturing it without expectations. Even partial success is good enough for me..and it starts from not checking Facebook periodically for comments, likes..:).....I am at war.....with myself.....har har mahadeo....

Thursday, May 3, 2012

Broadband plans

I keep changing my broadband (triband from MTNL) plans every few months..keep checking the MTNL website or come across some hoarding somewhere about new data plans.

I started with the 399 plan (1GB limit 1Mbps) a few years back. Never bothered to change until two years back. Once the overseas Skype calling started and also when the internet usage widened from just email to chat, music, videos etc..the data plan had to change when the bills started to shoot. I found out from my usage summary that my downloads were close to 2-3 GB. So changed it to a Rs. 750 plan (5GB download limit). It worked well for 2-3 months. Then one of the months we had some long Skype talks. I think it was triggered when I bought a Belkin Wifi Router and now we could keep moving the laptop wherever we wanted and still keep Skyping. So as we say in Marathi.."thode laadat aalo..." The next month the bill showed the usage going to 9GB and we had to pay the extra usage charges...whoa..burned the pocket..Immediately changed to an unlimited plan and after that I changed the unlimited plan twice trying out different speeds. The first one had low speed during the day and it changed to close to 1 Mbps at night when I was back home. But 384 kbps during the day was very slow..my dad cribbing about him not able to open even Gmail (had to select basic html mode for that too). So tried to get a uniform speed one..one that gave 700 kbps during the day and some 800 kbps during the night for Rs. 749. That was cool..but then there was greed..the more speed the better..heard about the "xpress unlimited plans" from MTNL. So got it changed yesterday. So for Rs. 750, I get 2 Mbps speed till 15GB download and then 752 kbps for further downloads. Sounds good. Checked the speed using speedtest.net and found a peak of 1.8 Mbps now. I think 2 Mbps is gonna be the limit considering the bottleneck of ADSL technology. The next step can only be a continuous unlimited 2 Mbps connection whenever MTNL offers it for close to Rs. 600-800. After that, either MTNL changes the cabling to Fiber and changes the modems too or we have to switch to Wifi for higher speeds......