On this thin client I've set up, I wanted pulseaudio to run before logging in, and not have any specific users on the machine. System mode was called for.
On Wheezy, pulseaudio is by default configured for per-user sessions. To remedy this, edit /etc/default/pulseaudio, putting PULSEAUDIO_SYSTEM_START=1
Then, edit /etc/pulse/system.pa - this is the file that configures the server when system mode is used, as opposed to /etc/pulse/default.pa. At the end of said file, I added two lines and some comments:
### Enable TCP and CLI load-module module-native-protocol-tcp port=1500 auth-anonymous=1 load-module module-cli-protocol-unix
Please keep in mind that the above tcp line allows access from any host. This is a potential security problem. I restrict access using shorewall and iptables, but an alternative would be the auth-ip-acl option with a list of approved IP's. More here. Restart pulseaudio:
/etc/init.d/pulseaudio start /etc/init.d/pulseaudio restart
The above restart includes "start", because pulseaudio's default script does not start it on "restart" unless it's not already running. Stupid.
Because pulseaudio now runs as the "pulse" user, commands like pacmd are a pain to use. However, as we made sure to load module-cli-protocol-unix above, they are actually usable, you just have to run them as the "pulse" user, and point it at the correct directory.
sudo PULSE_RUNTIME_PATH=/var/run/pulse -u pulse pacmd
To get access to playing sound, you now need to run anything as "pulse"... or you can simply use the TCP socket you made. Edit /etc/pulse/client.conf and set "default-server" to "localhost:1500" or similar:
default-server = localhost:1500
Now set up SSH port forwarding for port 1500, or whichever port you used above, with something like autossh and public key logins, and you've got remote sound playing over an encrypted tunnel. Neat.
Remember to set the default-server for client computers as well.
On my Debian KVM hosts, and on the firewalls that guard them, I noticed that every two minutes, plus a couple seconds or so each time, I'd see blocked IGMP packages from 0.0.0.0 to 126.96.36.199. Googling around, I found this post, explaining that it's the multicast_snooping option for bridge-utils that's causing it. Being KVM hosts, they are indeed configured with bridges.
I added the following line to my Bash startup scripts in /etc/rc.local, and the issue is now gone:
( shopt -s nullglob; for ms in /sys/devices/virtual/net/br*/bridge/multicast_snooping; do echo -n 0 >"$ms"; done )
In short, it runs a subshell, sets the nullglob option to prevent running on a file with an asterisk in the name if no bridges were found, then puts a 0 into all found multicast_snooping configuration files. Problem solved!
Note: If you use virtual interfaces, those are in /sys/devices/virtual/net/virbr and require the same treatment.
Programs like virt-manager and gedit commonly use dbus. Dbus running will prevent a clean exit of ssh -X, making it hang on exit until you press ctrl+c or kill dbus manually.
To avoid having to kill dbus manually, let's kill it automatically
Now, normally if I want to run virt-manager (or anything else graphical) on a remote machine with X forwarding, I'd use a command like
ssh -X root@remote-server virt-manager
Instead, I want to use dbus' ability to output sh-compatible commands to set invironment variables and kill the PID I get from that before exiting, like so:
ssh -X root@remote-server 'eval $(dbus-launch --close-stderr --sh-syntax); virt-manager --no-fork; kill -TERM $DBUS_SESSION_BUS_PID'
Problem solved! The remote shell (bash) now starts dbus manually instead of letting virt-manager do it, waits for virt-manager to exit (--no-fork), then kills dbus and exits.
While public and private keys with decent pass-phrases are an excellent way of logging in securely to a remote system, it's sometimes simply not feasible. Your Android device which normally does the job for you is out of battery, you are in a remote country with only a wired connection in a shady Internet café, or - <diety> forbid - your laptop was stolen while logged in and you desperately need to get on that system right now.
Anyway, one-time passwords, implemented as "opie" in earlier Debian versions, are now available as "otpw". These allow you to generate securely stored single-use passwords that are safe to use "in the field", and even have counter-measures to attacks like a keylogger opening several SSH connections to your host, trying to guess the last character of the one-time password before you type it.
The following guide will disable the use of ordinary passwords, keeping public/private key login enabled, followed by otpw if no key is provided. Thus, you can log in with your key if you have one, without being asked for a one-time password, but if you don't provide one you get the password prompt.
To install this beauty, we need the pam module and the client program:
apt-get install libpam-otpw otpw-bin
Next, we need to configure /etc/pam.d/sshd to use the newly installed module. For my setup, I want to disable normal passwords, so I comment out the common-auth line, then add otpw.
# Standard Un*x authentication. #@include common-auth #OTPW auth required pam_otpw.so session optional pam_otpw.so
/etc/ssh/sshd_config needs some changes too. These are the relevant lines:
ChallengeResponseAuthentication yes PasswordAuthentication no PubkeyAuthentication yes UsePrivilegeSeparation yes
The only really important line is the ChallengeResponseAuthentication one, which is what we'll be using for otpw. Public keys and privilege separation are normally enabled by default, and as I mentioned I wanted to disable PasswordAuthentication, which covers the use of normal account passwords.
Because we changed the config, we need to restart sshd:
# /etc/init.d/ssh restart
Time to generate some one-time passwords:
$ otpw-gen --help One-Time Password Generator v 1.2 -- Markus Kuhn otpw-gen [options] | lpr Options: -h <int> number of output lines (default 60) -w <int> max width of output lines (default 79) -s <int> number of output pages (default 1) -e <int> minimum entropy of each one-time password [bits] (low security: <30, default: 48, high security: >60) -p0 passwords from modified base64 encoding (default) -p1 passwords from English 4-letter words -f <filename> destination file for hashes (default: ~/.otpw) -d output debugging information $ otpw-gen -h 20 -e 48 -p1 Generating random seed ... If your paper password list is stolen, the thief should not gain access to your account with this information alone. Therefore, you need to memorize and enter below a prefix password. You will have to enter that each time directly before entering the one-time password (on the same line). When you log in, a 3-digit password number will be displayed. It identifies the one-time password on your list that you have to append to the prefix password. If another login to your account is in progress at the same time, several password numbers may be shown and all corresponding passwords have to be appended after the prefix password. Best generate a new password list when you have used up half of the old one. Enter new prefix password: Reenter prefix password: Creating '~/.otpw'. Generating new one-time passwords ... OTPW list generated 2013-01-24 23:17 on slave 000 csce stub neat rope down 016 keep ness mine mock bile 001 pubs ever judo pert kemp 017 blip stan nana file shaw 002 ecsc bone hare hiss make 018 serb ills swam torn rump 003 page type owen dark lent 019 avid bran avid amps lair 004 unto hype fits bets loco 020 putt rout disc gogh bile 005 kits hard sums lime sore 021 hand rash rigs eels vain 006 foci path call spat tins 022 ship what loos chin pine 007 vote sold book gait name 023 yolk mont pubs main kilt 008 band cone draw mats fact 024 para must mala curd tire 009 oboe mill hair chad mont 025 pope slid olds ores dive 010 maps head frog eden teal 026 bony leas bcci jerk need 011 chas memo ives duck revd 027 womb pahl bird ruby naff 012 graf gosh rays roar pour 028 obey bear iona area gain 013 slab sons damn dell pass 029 sort jazz sega rigs onus 014 erik rags tact roar rags 030 lost lump cubs seat film 015 bees aces thee pump kant 031 aura road funk laid hibs !!! REMEMBER: Enter the PREFIX PASSWORD first !!!
Now you should be good to go. The next time you connect, you'll be asked for one, or three, one-time passwords. Three passwords are requested when multiple logins happen simultaneously and other potentially suspicious situations. See /usr/share/doc/otpw-bin/otpw.html for details.
REMEMBER: The password you typed as your "prefix password" has to be entered before the password otpw asks for. If my prefix password was "hello", and the application asked for password 031, I'd enter "helloauraroadfunklaidhibs". Spaces can be typed if you want, but they are ignored.
This is what a typical login looks like for me.
$ ssh home.sweet.home -l bolt Password 026: <This would be hellobonyleasbccijerkneed if my prefix password was still "hello"> Linux home.sweet.home 3.2.0-4-686-pae ..........
That's about it. Remember there is no reason your prefix password needs to match your actual password on that system. They have no relation. It is a good idea to choose a different prefix password, especially if you happen to have "sudo" installed and set up for your user, so you're not typing a password that can potentially make you root to log in from a shady web café. Someone just might take over your machine.
There is, at the time of writing, a bug in Debian Wheezy preventing the "session optional pam_otpw.so" line from displaying a count of your remaining one-time passwords upon a successful login. Until that is resolved, you might want to add the small snippet Wolfgang Kroener posted on the bug to your login scripts.
CheckInstall keeps track of all files installed by a "make install" or equivalent, creates a Slackware, RPM, or Debian package with those files, and adds it to the installed packages database, allowing for easy package removal or distribution.
Use CheckInstall instead of just running "sudo make install", as that will likely put files all over the filesystem, with no easy way of removing them if things go wrong. If in the future you try to install a package that contains the same file as the software you are compiling, you will receive errors and the software you compiled may stop working.
(In fact, checkinstall can keep track of files modified by any command line, not just a "make install", so you can use it for any type of installation task outside of apt, and it will keep track of the installation in the package manager.)
aptitude install checkinstall
When called with no arguments, checkinstall will call "make install". If you need other arguments, they can be supplied:
checkinstall make install_package
The installed package can then also easily be removed:
dpkg -r <package>
Use CheckInstall with auto-apt
You can use auto-apt when you want to build a simple package from source with checkinstall. You need to have auto-apt installed!
auto-apt run ./configure
If the dependencies are available, a dialog box opens and ask you to install them
The rest remains the same:
My weekend project: A top-down space shooter in Bash
Note: Bash is SLOW. This requires an Intel Core Solo or better to run well.
geirha in #bash on irc.freenode.net had this solution, which I rather liked and wanted to keep for later use:
If you want to pause a process while you do something else, like for instance stop a heavy file operation while you're just moving some stuff around quickly, there are two signals to pay attention to: STOP and CONT.
STOP will pause a process (not actually stop it - it doesn't die)
CONT continues a stopped process, and does nothing if the process isn't stopped.
An easy way to experiment with this is to start xeyes:
$ xeyes &  26114
In this case, xeyes got the Process ID (PID) 26114. You can use "ps" to find Process ID's of running processes.
To pause this process I use, in my case "kill -STOP 26114". Notice the eyes stop moving to follow the mouse pointer. "kill -CONT 26114" resumes the application.
The Mac Mini doesn't save this information in its BIOS (or equivalent), so you need to set it on each boot. I use my distribution's /etc/rc.local file for this.
Either way, these are the commands to run (copy, and uncomment the correct line for your Mini):
## PPC Mac Mini #echo server_mode=1 > /proc/pmu/options ## Intel Mac Mini #setpci -s 0:1f.0 0xa4.b=0 ## nVidia Mac Mini #setpci -s 00:03.0 0x7b.b=0x19 ## Unibody Mac Mini #setpci -s 0:3.0 -0x7b=20
Many people seem to get the following error message when trying to manipulate a remote git/-olite repository:
fatal: 'foo' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
The problem here, which is absolutely not explained by the above error message, is likely to be that the remote command gitolite specifies in "~/.ssh/authorized_keys" is not used.
This can in turn be caused by two things, as far as I know:
- You are using an ssh key which appears in the authorized_keys file without gitolite's "command=..." configuration, in which case the solution is to use a separate public/private key pair for git
- Your SSH server has a ForceCommand directive in sshd_config (/etc/ssh/sshd_config on debian) which overrides the "command=..." setting in authorized_keys. To solve this, that directive has to go, or an exception needs to be added for your git user with a Match clause in sshd_config.
In the latter case, there does not seem to be any sane way to retrieve the contents of the "command=..." statement. While the user supplied command is available in the environment variable $SSH_ORIGINAL_COMMAND while using ForceCommand, the command supplied by authorized_keys seems nowhere to be found. Thus you need an exception for the ForceCommand directive. If you find another way to avoid this, please leave a comment below?