Privileged SSH Port Forwarding with Sudo

There are many articles about privileged SSH port forwarding but not much about making the invoking user's SSH keys, agent, and config file keep working once ssh runs under sudo.

The problem is that upon typing:

ssh dakara -L 80:localhost:80

the response is:

Privileged ports can only be forwarded by root.

The obvious solution is to just use sudo:

sudo ssh dakara -L 80:localhost:80

but this produces:

ssh: Could not resolve hostname dakara: Name or service not known

Unfortunately, “dakara” is a host configured in ~/.ssh/config, and ssh running as root reads /root/.ssh/config instead. This can be fixed by naming my configuration file explicitly (the shell expands ~ before sudo runs, so it still refers to my home directory):

sudo ssh -F ~/.ssh/config dakara -L 80:localhost:80

but this tries to connect as root and prompts for a password. Adding “-l $USER” sets the login name to my user name (this could also be set with a User line in the SSH config file), and adding “-E” to sudo preserves the environment, which carries SSH_AUTH_SOCK across to the root ssh process so that my SSH agent can be used for authentication.

sudo -E ssh -F ~/.ssh/config -l $USER dakara -L 80:localhost:80

Now everything connects, and I am not prompted for a password. Two caveats are worth knowing. First, “-E” hands the root process my entire environment, not just the agent socket; where sudo supports it, “--preserve-env=SSH_AUTH_SOCK” (or “env_keep += SSH_AUTH_SOCK” in sudoers) keeps the hole to the one variable that is needed. Second, ssh expands “~” inside the config file (IdentityFile lines) and in the default known_hosts path relative to the user it runs as, which is now root, so the first connection asks to confirm the host key again and any relative IdentityFile paths stop matching; absolute paths, or passing “-o UserKnownHostsFile=…” explicitly, avoid both.
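The following wrapper script is an added example, not a command from the post, that packages the invocation above with the narrower sudo option and the explicit known_hosts path. It assumes a sudo new enough to accept --preserve-env=VAR (1.8.21 or later), a running ssh-agent holding the key, and a Host entry for the target in $HOME/.ssh/config; the script name privfwd.sh is also an assumption.

```shell
#!/bin/sh
# Added example (not the post's command): a wrapper for privileged local port
# forwarding that gives root only what it needs from my environment. Assumes
# sudo 1.8.21 or later (for --preserve-env=VAR), an ssh-agent holding the key,
# and a Host entry for the target in $HOME/.ssh/config; all are assumptions.
# Usage: privfwd.sh HOST LOCALPORT REMOTEHOST REMOTEPORT
#   e.g. privfwd.sh dakara 80 localhost 80

# Success if PORT is a privileged port (1-1023); only root may bind those.
# Returns 2 for something that is not a port number at all.
privileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ]
}

# Print the command that would run, for inspection. $HOME and $USER expand
# here, as the invoking user, so the paths name my files even under sudo.
# known_hosts is passed explicitly because ssh expands ~ relative to root.
forward_cmd() {
    user=${USER:-$(id -un)}
    cmd="ssh -F $HOME/.ssh/config -o UserKnownHostsFile=$HOME/.ssh/known_hosts -l $user -L $2:$3:$4 $1"
    if privileged_port "$2"; then
        # Hand root the agent socket only, not the whole environment (-E)
        cmd="sudo --preserve-env=SSH_AUTH_SOCK $cmd"
    fi
    printf '%s\n' "$cmd"
}

main() {
    [ "$#" -eq 4 ] || { echo "usage: $0 HOST LOCALPORT REMOTEHOST REMOTEPORT" >&2; return 2; }
    rc=0
    privileged_port "$2" || rc=$?
    [ "$rc" -ne 2 ] || { echo "bad port: $2" >&2; return 2; }
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        # Without an agent root would fall back to /root/.ssh keys or a prompt
        echo "SSH_AUTH_SOCK is not set; start ssh-agent and add the key first" >&2
        return 1
    fi
    echo "+ $(forward_cmd "$@")" >&2
    user=${USER:-$(id -un)}
    if [ "$rc" -eq 0 ]; then
        exec sudo --preserve-env=SSH_AUTH_SOCK ssh -F "$HOME/.ssh/config" \
            -o "UserKnownHostsFile=$HOME/.ssh/known_hosts" \
            -l "$user" -L "$2:$3:$4" "$1"
    fi
    # Unprivileged local port: no sudo needed at all
    exec ssh -F "$HOME/.ssh/config" -l "$user" -L "$2:$3:$4" "$1"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The script decides whether sudo is needed from the local port, so the same wrapper serves unprivileged forwards without touching root at all, and it refuses to run when no agent socket is present rather than letting root fall through to a password prompt.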

FreeNX on Ubuntu

I have been using FreeNX on Ubuntu Linux as a terminal server for remote graphical access. (It’s similar to Remote Desktop on Windows.) It’s fast and works quite well on slow Internet connections. NoMachine provides clients for Mac OS X, Windows, and Linux, which means I can connect to my machine from anywhere.

Most of the instructions are available in Ubuntu’s documentation for FreeNX. First, add the repository, update the package listings, and install the FreeNX package:

add-apt-repository ppa:freenx-team
aptitude update
aptitude install --quiet --assume-yes freenx

Finally, set up FreeNX. I opt to use the default SSH key pair (“--setup-nomachine-key”) because it doesn’t require additional configuration for the client to connect: every NoMachine client already ships with the matching private key. That also means the key pair is public knowledge and provides no protection by itself; anyone with a NoMachine client can reach the nx user's SSH stage, and access then rests entirely on the second-stage user login and password. Running nxsetup without that option generates a site-specific key pair instead, at the cost of copying the client half to each client by hand. I added “--clean --purge” to fix authentication errors that I began having after I upgraded to Ubuntu 9.10.

/usr/lib/nx/nxsetup --install --setup-nomachine-key --clean --purge

After I install a client, I can connect to my computer from anywhere and use it as though I were sitting in front of it.

Simple Scan on Ubuntu

I have an HP ScanJet 5300C scanner and have had no luck getting it to run on Mac OS X after 10.3 Panther, Windows Server 2003, or Ubuntu Hardy Heron. After I upgraded to Ubuntu Karmic Koala, the XSane Image Scanner application would scan a preview but would not actually save the image. (That’s more progress than I have had for a few years.) Next, I installed Simple Scan, which scanned and saved the image nicely. The program is a little simpler than I would like, but it beats the complexity of XSane. More importantly, it worked.

Review of Lake Erie Systems

I recently purchased an HP Color LaserJet 2550 Fuser from Lake Erie Systems. It was a little pricey, but it arrived quickly and functioned as promised. Apparently I was not particularly observant when I purchased a new fuser because I did not see that they also had an exchange program for refurbished fusers. I inquired via email as to options to return my old (empty) fuser and possibly receive some sort of credit. The representative that I worked with explained that credit is only available for refurbished fusers but that he would refund me $10 regardless. I informed him that I had not received a shipping label to return the current fuser. He apologized and sent out a shipping label, which arrived promptly. I mailed the fuser back and received my $10 credit.

Bottom line: Lake Erie Systems delivers their products promptly and as advertised. Their customer service is attentive and accommodating.

Ubuntu 9.10 Karmic Koala

I finally upgraded my brother’s desktop computer and my desktop computer to Ubuntu 9.10 Karmic Koala. Prior, both had been running Ubuntu 8.04 Hardy Heron, which was stable but was starting to show its age. I’ve always found that bleeding edge works well for desktops and tried and true works better for servers.

Ubuntu 9.10 works well, but I have discovered a few unresolved bugs that have proven to be annoyances. I’ve resigned myself to not being able to burn optical discs under Karmic because of a bug. This extends beyond Brasero to include the Wodim command line burning tool. After I upgraded, I switched from Rhythmbox to Banshee because it has better iPod syncing capabilities. However, those capabilities are a bit flaky, and I had to use this hack to make things work.

Regardless, it was a helpful and necessary upgrade. I look forward to the Ubuntu 10.04 Lucid Lynx update in April.

Decommissioning of LFS2 Mac OS X Server after 4.5 years

After four and a half years, I am turning LFS2 off for good.

According to the “/var/log/OSInstall.custom” log, “Native install completed 2005-08-14 18:55:58 -0700,” which is just under four and a half years ago. I have finally migrated all of the data and functionality (print, file, and LDAP) from Lund File Server 2 (LFS2) to Athos. LFS2 held up surprisingly well considering it was only a 533 MHz G4 with 768 MB RAM. When I set it up, I installed three used 120 GB Western Digital hard drives. After four and a half years of running continuously, all three drives still appear operational.

ISP Technical Support Sucks

Ars Technica has a nice writeup about “Dropped DSL and missing e-mail: two tales of moving woes.” I think one of the authors sums up technical support for any company perfectly:

If there were any doubts that Verizon has helpful dedicated people, this experience put them to rest. Unfortunately, I know that I’ll never encounter any of them the next time that I have a problem that requires me to dial in to the standard tech support line.

I rarely encounter competent technical support, whether it is at Embarq/CenturyLink, AT&T, Comcast, Time Warner, or Apple. What should take five minutes regularly takes multiple calls and even more tech support agents. On occasion, I do get someone helpful, but it is unfortunately not the norm.

Delaying Email Delivery Using Procmail and Cron

Because I use Mutt, any mailbox that has new mail tends to get my attention when I check my email. This became particularly annoying because I kept opening my spam mailbox to check a single spam message. Therefore, I decided to come up with a way to delay the delivery of my spam to once per day.

I started by changing my “.procmailrc” to deliver spam messages to a different mailbox that Mutt does not check. The trailing colon on the recipe makes procmail take a local lock (delay_spam.lock) while it appends to the mailbox; the delivery script below takes the same lock, so the two never write the mailbox at the same time.

MAIL=$HOME/Mail
[...]
:0:
* ^X-Spam-Status: Yes
$MAIL/delay_spam
[...]

Then I created a new procmailrc file called “spam.procmailrc” that would deliver mail to my checked spam mailbox.

MAIL=$HOME/Mail

:0:
$MAIL/spam

Next, I wrote a short Bash script to use Formail and Procmail to deliver all of the messages in the delayed delivery spam mailbox to the normal spam mailbox.

#! /bin/bash

FORMAIL=/usr/bin/formail
PROCMAIL=/usr/bin/procmail
PROCMAILRC=$HOME/.procmail/spam.procmailrc

MAIL=$HOME/Mail
DELAY=$MAIL/delay_spam
TEMP=$MAIL/.spam
# Same lock procmail takes for the ":0:" recipe that delivers to $DELAY,
# so no message can arrive between the copy and the truncate below
LOCK=$DELAY.lock

# Make sure there is delayed mail and we can get the lock (retry once)
if test -s "$DELAY" && lockfile -r 1 "$LOCK" 2>/dev/null; then
    # Release the lock even if a later step fails
    trap 'rm -f "$LOCK"' EXIT

    # Add the delayed mail to the temp mailbox and empty the delayed mailbox
    cat "$DELAY" >> "$TEMP" && : > "$DELAY"
    # Split the temp mailbox into messages and run each through spam.procmailrc
    "$FORMAIL" -s "$PROCMAIL" "$PROCMAILRC" < "$TEMP" && rm -f "$TEMP"
fi

Finally, I set the script to run daily using Cron. Now I am only interrupted by spam when I choose to be instead of every time a new message arrives. I have used the same technique to delay the delivery of emails to unimportant mailing lists so I only read them hourly instead of every time a message arrives.
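The script below is an added example, not the post's script, that generalises the procedure to any mailbox name so one file serves both the daily spam flush and the hourly mailing-list flush. It takes procmail's lock using the shell's noclobber mode (the same O_EXCL file creation lockfile uses), and appends directly to the destination mailbox instead of running formail and procmail, which is equivalent only because spam.procmailrc above does nothing but deliver to a single mbox. The delay_ prefix, the MAILDIR default of $HOME/Mail and the script name are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the post's script): move delayed mail into the mailbox
# Mutt watches, for any mailbox name, coordinating with procmail's ":0:"
# local lock.  Usage: flush_delayed.sh NAME...   e.g. flush_delayed.sh spam
# Suggested crontab lines (assumed paths):
#   0 7 * * * $HOME/bin/flush_delayed.sh spam
#   0 * * * * $HOME/bin/flush_delayed.sh lists
# Assumption: $MAILDIR/delay_NAME is the held mailbox, $MAILDIR/NAME the target.

MAILDIR=${MAILDIR:-$HOME/Mail}

# Count messages in an mbox by its "From " separator lines (0 if missing).
mbox_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^From ' "$1" || true
}

# Take procmail's lock for mbox $1: create $1.lock with O_EXCL via noclobber.
# Fails if procmail (or another flush) is mid-delivery and holds it.
take_lock() {
    ( set -C; : > "$1.lock" ) 2>/dev/null
}

release_lock() {
    rm -f "$1.lock"
}

# Move every message waiting in $MAILDIR/delay_$1 to $MAILDIR/$1.
# Copy-and-truncate happens under the delayed mailbox's lock, so a delivery
# that starts meanwhile waits for us rather than being lost in the truncate.
flush_delayed() {
    name=$1
    delayed=$MAILDIR/delay_$name
    dest=$MAILDIR/$name
    staging=$delayed.flushing

    if [ -s "$delayed" ]; then
        take_lock "$delayed" || return 1          # procmail is writing; retry next run
        cat "$delayed" >> "$staging" && : > "$delayed"
        release_lock "$delayed"
    fi
    [ -s "$staging" ] || return 0                # nothing waiting

    # Append under the destination's lock so Mutt and procmail see a whole mbox;
    # on failure the staging file is kept and picked up by the next run.
    take_lock "$dest" || return 1
    cat "$staging" >> "$dest" && rm -f "$staging"
    release_lock "$dest"
}

if [ "$#" -gt 0 ]; then
    for n in "$@"; do
        flush_delayed "$n"
    done
fi
```

If the second lock cannot be taken, the messages already moved to the staging file are not lost: the next run finds the staging file non-empty and appends it before touching the delayed mailbox again.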

Allowing RSS Access on a Private MediaWiki

I run two private MediaWiki installations that do not allow unauthenticated users to create accounts, edit pages, or read pages. I have whitelisted a few special pages, including the login page. An example configuration is displayed below.

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgWhitelistRead = array (
    "Special:Userlogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js",
    "MediaWiki:Monobook.css",
    "MediaWiki:Monobook.js",
    "-"
    );

The problem with this is that I want to be able to monitor these private wikis in my RSS client. Therefore, I added another two lines to the configuration to allow my desktop unauthenticated access to the recent changes RSS feed on my wikis. The same test could be extended to a list of addresses to punch a hole for multiple clients. The additions are shown below.

if ($_SERVER['REMOTE_ADDR'] == "192.168.1.42")
    $wgWhitelistRead[] = "Special:RecentChanges";

Now I can monitor both of my private wikis from my RSS client on my desktop computer. However, all other machines will still require authentication to get to the wiki. Two things to keep in mind: REMOTE_ADDR is the address of the TCP peer, so this trusts the network to stop other hosts from using 192.168.1.42, and if a reverse proxy sits in front of the wiki, REMOTE_ADDR is the proxy's own address and the whitelist would apply to every client (the X-Forwarded-For header is no substitute, since any client can set it). Also, Special:RecentChanges is whitelisted as a whole for that address, the HTML listing as well as the feed, so page titles and edit summaries are readable from it without logging in.
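An added example, not part of the post's LocalSettings.php, of the same hole extended to a list of client ranges and made safe to deploy behind a reverse proxy: when the peer address is a known proxy, the whitelist is not opened at all, because the real client cannot be told apart. The address ranges, the variable names $rcFeedClients and $reverseProxies and the helper ipInCidr are this example's own; it handles IPv4 only and assumes PHP 7 or later on a 64-bit build.

```php
<?php
// Added example (not the post's configuration). Place in LocalSettings.php
// after $wgWhitelistRead has been defined. Ranges below are placeholders.

// Clients that may read Special:RecentChanges without logging in (assumed).
$rcFeedClients = [ '192.168.1.42/32', '10.0.0.0/24' ];

// Reverse proxies that may be the TCP peer; empty when PHP faces clients directly.
// If REMOTE_ADDR is one of these, every request shares that address, so the
// whitelist must stay closed. Do not fall back to X-Forwarded-For: it is
// client-supplied and trivially forged.
$reverseProxies = [ ];   // e.g. [ '127.0.0.1/32' ] when nginx fronts PHP

// Return true if $ip (IPv4 dotted quad) lies inside the CIDR range $cidr.
// Anything that is not a well-formed IPv4 address never matches.
function ipInCidr( $ip, $cidr ) {
    $parts = explode( '/', $cidr, 2 );
    $net = $parts[0];
    $bits = isset( $parts[1] ) ? (int)$parts[1] : 32;
    $ipLong = ip2long( $ip );
    $netLong = ip2long( $net );
    if ( $ipLong === false || $netLong === false || $bits < 0 || $bits > 32 ) {
        return false;
    }
    // Host mask for the prefix length; a /0 yields 0 and matches everything.
    $mask = ( 0xffffffff << ( 32 - $bits ) ) & 0xffffffff;
    return ( $ipLong & $mask ) === ( $netLong & $mask );
}

// Return true if $client matches any range in $ranges.
function ipInAnyRange( $client, array $ranges ) {
    foreach ( $ranges as $range ) {
        if ( ipInCidr( $client, $range ) ) {
            return true;
        }
    }
    return false;
}

$client = $_SERVER['REMOTE_ADDR'] ?? '';

if ( $client !== ''
    && !ipInAnyRange( $client, $reverseProxies )
    && ipInAnyRange( $client, $rcFeedClients )
) {
    // Same hole as the post's two lines, for every trusted range.
    $wgWhitelistRead[] = 'Special:RecentChanges';
}
```

Strict comparison (===) is used throughout; it is not a problem for dotted-quad strings, but it rules out the surprises PHP's loose == comparison has with numeric-looking strings if the list ever carries something other than an address.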