Jan 12

So, I’ve been spending a fair amount of time mucking about on my DD-WRT based router and I have a few topics to cover. They’ll all sort of build on each other and I’ll ping-back when appropriate. I initially attempted to do them all in one colossal post and then realized that it just wouldn’t work. So first things first, SSH.

When I set up a personal Internet facing SSH daemon, I only allow logins via public/private key files. This greatly improves security by eliminating the potential for brute force password cracking. If you aren’t familiar with public key authentication, the short version goes something like this: you have a key pair that consists of a public and a private key. The public key lives on the server you want to log into, and the private key lives on your computer (the client). You can share the public key with anyone, and you should physically protect the private key with your life. You can choose to encrypt the private key with a password (you will need to enter the password each time you attempt to authenticate with the key) or leave the password blank (which allows you to log in without a password). Note: It’s strongly suggested that you password protect your private key.

So what’s the point of it? Your public key can only be used with its partner private key. As long as your private key is safe (only you have access to it), nobody can crack your account and log in (even if they have the public key, you can’t generate a private key based on the data in the public key). This is why I suggest encrypting the private key with a password: if you have it on a thumb drive and lose the drive, the dweeb who picks it up and wants to see what you have access to will still need to get past the password on the private key. This gives you time to create a new keypair and update the machines you connect to.

I hope I made that clear, it makes more sense once you start using it. If you’re confused at all after going through all of this, please let me know in the comments of this post, I’ll clear up what I can.

Creating a keypair on your Linux box

If you haven’t previously used SSH to connect to a host, you won’t have a ~/.ssh/ directory on your machine. If you aren’t sure whether or not you’ve used SSH before, open a terminal and enter ls -lad ~/.ssh. If the folder doesn’t exist, you’ll want to create it and set the proper permissions now. The command below will create the directory with a mode of 700, so only you, as the owner, will be able to list the contents of ~/.ssh.

mkdir -m 700 ~/.ssh

This next command will create a keypair in ~/.ssh/ as long as you have the OpenSSH Client package installed (chances are, you do). Basically we’re creating a (standard) 2048-bit RSA keypair with a custom comment (-C [comment]; if you decide not to customize the comment, ssh-keygen will insert your [username]@[host] as the comment). If you don’t enter a password for your key when prompted, you won’t need to enter one when attempting logins with this keypair. As convenient as this sounds, I would (again) suggest using a strong password to keep this keypair safe.

ssh-keygen -C [comment] -f ~/.ssh/id_rsa

Now that we have a keypair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub), we need to log into the DD-WRT control panel, enable SSH and paste in our authorized key.

Configure SSHd

Open ~/.ssh/id_rsa.pub with your editor of choice, select all of the text and copy it.

Next, open your browser and enter the address of the router, Click on the Administration tab, and then on Services. Scroll down to the Secure Shell section and set it up as follows:

  • SSHd: Enable
  • Password Login: Disable
  • Port: 22
  • Authorized Keys: Paste in the contents of your id_rsa.pub file. The actual key (the ugly part of the file) must NOT wrap; it needs to be on one line.

Note: I ALWAYS change the port from 22 to some high number that’s easy for me to remember. It cuts down on attempted break-ins, do whatever works for you.
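Two things in the steps above are easy to get wrong silently: the key pasted into the Authorized Keys box ends up wrapped across lines, or the client’s ~/.ssh directory and private key end up with loose permissions. As an added example (my own code, not the post’s and not part of DD-WRT), here is a small Python checker for both. It parses the public key’s wire-format blob, so it also reports the RSA modulus size (the post generates 2048-bit keys) and goes slightly beyond the post by accepting ssh-ed25519 lines too. The allowed key types, the file names and the toy 64-bit sample key are assumptions constructed for the demo.

```python
import base64
import os
import stat
import struct

# Constructed checker, not the post's code and not part of DD-WRT. It checks
# the two things worth verifying before pasting a key into the router's
# Authorized Keys box: the key text is one unbroken line with a well-formed
# blob, and the client's ~/.ssh is locked down (directory 700, key 600).
ALLOWED_TYPES = ("ssh-rsa", "ssh-ed25519")  # assumption: types you allow


def _read_string(buf, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def build_rsa_blob(e, n):
    """Encode (e, n) as an ssh-rsa public key blob. Used only to build the
    constructed sample below; a real key comes from ssh-keygen."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:
            raw = b"\x00" + raw  # leading zero keeps the mpint positive
        return struct.pack(">I", len(raw)) + raw
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)


def validate_pubkey(text):
    """Validate pasted public-key text; return details or raise ValueError."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("key must be exactly one line (wrapped or empty)")
    parts = lines[0].split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("key type %r not allowed" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("blob type does not match the declared key type")
    info = {"type": key_type, "comment": comment}
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        if pos != len(blob):
            raise ValueError("trailing bytes after the RSA key")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def pubkey_problem(text):
    """The error message for a bad key line, or None if it is fine."""
    try:
        validate_pubkey(text)
    except ValueError as exc:
        return str(exc)
    return None


def permission_problems(dir_mode, key_mode):
    """Compare ~/.ssh and private-key modes against the 700/600 the post sets."""
    problems = []
    if dir_mode != 0o700:
        problems.append("~/.ssh is mode %o, expected 700" % dir_mode)
    if key_mode & 0o077:
        problems.append("private key is mode %o, expected 600" % key_mode)
    return problems


def check_client_dir(ssh_dir, private_key="id_rsa"):
    """Read the real modes from disk and report problems."""
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    key_mode = stat.S_IMODE(os.stat(os.path.join(ssh_dir, private_key)).st_mode)
    return permission_problems(dir_mode, key_mode)


def sample_key_line():
    """Constructed sample with a toy 64-bit modulus (far too small for real use)."""
    blob = build_rsa_blob(65537, (1 << 63) + 12345)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " m@laptop"


if __name__ == "__main__":
    print(validate_pubkey(sample_key_line()))
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir) and os.path.exists(os.path.join(ssh_dir, "id_rsa")):
        print(check_client_dir(ssh_dir) or "client permissions OK")
```

To check a real key, read ~/.ssh/id_rsa.pub and pass its text to validate_pubkey; a wrapped paste fails on the line count before anything is decoded, and a declared type that does not match the blob (a common symptom of a mangled copy) is rejected as well.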

Now that SSHd is configured, click Save Settings and then Reboot Router. At this point, you can only use SSH to log into the router from your LAN (in other words, we haven’t opened SSH up to the world yet).

Once the DD-WRT control panel is visible again, open a terminal and enter the command below:

ssh root@192.168.1.1 -i ~/.ssh/id_rsa

If all goes well, you should see a login banner like the one below and a prompt for the password on your private key. After entering it you should be at a shell prompt. If so, congrats! You’re communicating with your router via SSH.

DD-WRT v23 SP2 std (c) 2006 NewMedia-NET GmbH
Release: 09/15/06 (SVN revision: 3932)
Enter passphrase for key '/home/[username]/.ssh/id_rsa'

Now that it’s all tested, we can open SSH up to the Internet. This is optional of course, if you don’t want SSH access to your router from remote locations, then skip it.

Log into the DD-WRT control panel and select the Administration tab and then the Management tab. In the Remote Access section configure as follows.

  • Web GUI Management: Disable
  • SSH Management: Enable
  • SSH Remote Port: [same port you selected in the Secure Shell configuration]

Again, click Save Settings and Reboot Router. After the reboot, your SSHd is available to you from anywhere.

Extra bit to make life easier

Finally, if you think that’s an annoying amount of text to enter whenever you want to SSH into your router, create an SSH Config file. Use whatever editor you like, enter the text below and save the file to ~/.ssh/config

host ddwrt
hostname 192.168.1.1
port 22
user root
identityfile ~/.ssh/id_rsa

Now all you need to do is enter ssh ddwrt to connect to your router.

Finally, I should mention that allowing remote “root” logins is a really bad idea. I’ve made an exception in this case as DD-WRT is unique in that it only has one user account. There are ways of renaming the account; if I explore them, I’ll (of course) tell you about it.

written by M@

Jan 07

Installing DD-WRT on the Linksys WRT54GL went pretty much as the installation instructions said it would. I made it a point to follow them EXACTLY. Before getting started, I reviewed a lot of the info on the wiki pertaining to my particular router model as well as others.

Firstly, I powered up the router and performed a hard reset (hold the reset button down for 30 seconds). This just ensures that the router is using its factory default configuration. I then unplugged my Ubuntu Edgy machine from the old router and connected it to the WRT54GL. I reconfigured my network interface from a static address to DHCP and renewed my IP. I did this from the command line so it looked like sudo ifdown eth0 ; sudo ifup eth0.

The firmware installation is done from the router’s web based administration panel, so using Firefox 2.0.0.1 I logged in and navigated to the firmware upload administration tab. I used the browse button to locate dd-wrt.v23_generic.bin (which I had downloaded and extracted when I ordered the router) and clicked upgrade. After a few moments, I received a page telling me that the upload was successful and I walked away from the whole project for 5 minutes (as the wiki instructed me to. I wanted a beer anyway).

Time passes…

Back at the keyboard now, I click the Continue button and I’m presented with a white page and some fields asking for my username and password. I close Firefox, perform another hard reset of the router, open Firefox again and enter the address of the router. Just like magic, I’m presented with the DD-WRT configuration pages of the router. Success!

Since it’s late and I just want to get things working, I’m only doing the basics, setting up static DHCP and a new wireless SSID.

Step one, change the default password from “admin” to something much, much better. Next, I collect all of the MAC addresses from the machines on my network and make my way to the Administration/Services tab. There, I assigned the MAC addresses to host names/IP addresses and configured my LAN domain name (just something I like to play with). I started testing DHCP by connecting to each of the Linux machines, changing them from a static to a DHCP configuration and renewing the IP address (same commands as above). Flawless! With the Linux machines done I configure the rest of the machines on the network the same way.

Next, I create a new wireless SSID and configure my two wireless machines to associate with it. This is where I had a little trouble. Everything but the Ubuntu install on the laptop connected without issue. For whatever reason I just can’t get the bcm4306 based wireless card to associate with the router using manually configured NDISwrapper. I’ll revisit this when I’m not so tired :)

Update: I think I have this fixed, I’ll tell you how in another post

I know I said I was only doing the basics, but I had to try SSH. So back to the Services tab, I enable SSH management (and disable Telnet as I’ll never use it) and click the Reboot Router button. Next, I open a terminal session and enter ssh dd-wrt. I log in with my user/pass and I’m at an ASH shell prompt. The output from a uname -r reads like Linux DDWRT 2.4.34-pre2 #170 Fri Sep 15 20:10:21 CEST 2006 mips unknown. Pretty sexy :)

All in all it was a satisfying experience. I’m running Linux on my router and there’s a LOT of cool things I can do. I haven’t scratched the surface yet, I’ll be exploring options for a while and when I come across something sweet I’ll post about it here. If you’re at all interested in exploring DD-WRT, start by checking out the compatibility list and reading up on the features. The wiki is a great place to start. I had no trouble ordering a 100% compatible router for around $55.00 US (there was a rebate).

If you’re new to Linux and don’t want to have to manage your router from a command shell, no worries. The web configuration pages are extremely useful and cover the full configuration of the router in a point and click fashion. You just can’t go wrong :)

written by M@

Jan 04

Well, it’s here! What you ask? My shiny new WRT54GL router of course! For Christmas I was given some gift cards and wisely decided to replace the evil Netgear WGT624 router I’ve been hating on for about a year and a half. I will soon be free of ANYTHING Netgear in my home, and that will be a joyous day.

If you haven’t read between the lines, I have a really bad Netgear taste in my mouth. Don’t get me wrong, they’re great unless you want a quality product or some type of service when you eventually give up and call for support. I digress.

I chose this model because you can replace the stock firmware with third-party stuff. I’ve been reading for months about the DD-WRT project and wishing I had a compatible router. If you haven’t checked this project out, and you want to be able to do some really neat and powerful things with your router, what are you waiting for?

I mention this here because DD-WRT firmware is Linux based and open source. I’ll be posting about installing and configuring the router here as soon as I get it configured/tested and my notes are cleaned up. If all goes well, I can use the machine I’ve had acting as an SSH server (among other things) as a test bed for some play I want to do.

I can’t wait to get started :D

written by M@

Nov 09

I’m having two problems with my FC6 install at work (I’m running a Dell OptiPlex GX270, ya know, a basic office machine). One of the issues is more of an annoyance, the other limits my capabilities and I’m bothered that it’s still a problem on this machine.

The lesser of the issues causes slow boot times. While the kernel is loading and before the GUI boot screen, Linux is probing my SATA ports and not finding any drives. That makes sense since there aren’t any SATA drives in this box. I found 2 posts about this issue on Red Hat’s bugzilla, ID 212581 & ID 212737, I see no confirmation of the problem, so who knows when there will be a fix. It’s not really a show stopper as the scan times out, gives up, and eventually boots normally.

This issue is the bugger! CIFS mounts with roughly 100 or more files cannot be read. If you’re unfamiliar with CIFS, it’s the filesystem type used when mounting Samba/Windows shares. As I’m using this machine at work, this one makes me growl. I have up to 15 shares I need to mount from time to time in order to get my work done. Most of them have well over 100 files just in the root of the share. When attempting to navigate offending mounts with Nautilus, I receive an error that reads “The folder contents could not be displayed”. The error I receive when trying to list the contents of the folder via the command line reads “ls: reading directory .: Invalid argument”. This is a real problem for me as I’m responsible for a lot of documentation, I sort them by directory, I have thousands of folders/files (I’m anal about it and document everything) and I can’t access them through file system mounts.

There is a workaround, I can mount using Gnome VFS (Places > Connect to Server), and I can browse using Nautilus (smb://server/share). This isn’t ideal, I would prefer to have a genuine mount. Not all programs are Gnome VFS aware and I don’t see a way to direct Gnome to mount to an actual file system location. That means that if I create a file with an app that can’t utilize Gnome VFS, I need to save the file to my home dir and then copy it off to the VFS mount. If you know of a way to force VFS mounts to use a genuine mount point, PLEASE let me know.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212123 says that this problem has been fixed in CVS and an update will be released shortly. That was posted on October 28th and I still haven’t seen an update addressing the issue.

When looking at this from a Linux newbie point of view (and I do know that Fedora isn’t a newbie focused distro) this is a real problem. There is no fix for the CIFS problem, well, not unless you want to compile your own kernel from CVS (and that’s nothing more than a drug store chain to many people new to Linux) and the potential fix listed for the SATA problem (mentioned in bug 212581) isn’t something a newb would/should be comfortable doing. If I was just giving Linux a shot and started out with Fedora I might be tempted to just say that Linux is broken and go back to Windows.

written by M@

Oct 20

Well this has been a tough day. I’m on vacation and decided that it’d be fun to install Edgy to another partition on my machine. The Ubuntu team announced the release candidate yesterday and I REALLY want to see how the changes to startup impact boot times and to play with some AIGLX eye candy.

Sadly I can’t get it to install on my Intel D945GTP mATX board. I found that the installer would hang in different places or report corrupt files during install. I doubt that there are corrupt files, I always test the MD5 sums when I download an ISO (because whenever I skip that step I regret it). After the MD5 passed, I started the system with the CD and ran the CD test from the menu. No problems there either. I figured I’d do some updating, I grabbed the latest BIOS for the board and applied the image, I updated the firmware on the DVD ROM (LiteOn SHW-160P6S). That was a chore as LiteOn hasn’t realized that there are other operating systems besides Windows (oh and LiteOn, you should ZIP your files, not RAR them!). So far nothing has worked, I still get random hangs during install with the only visible activity on the system being a rapidly flashing CDROM access light.

I tend to use the alternate installs as I have a single partition I use for booting and don’t install GRUB to the Master Boot Record. I’ve burned that CD twice and have inconsistent problems with both.

I hope this is a problem with the installer and not my hardware.

Oh and be careful when buying the latest and greatest hardware, I’m setting up a machine for a pal of mine, Core 2 Duo on an Intel DG965WH motherboard. On that system I can’t get Ubuntu (I tried both Dapper and Edgy) or Fedora to install. For some reason once the system boots from the CDROM, it can’t locate drivers for the CDROM to continue the install (huh??? I just stare and shake my head). It just asks for a driver floppy. No gots, none of my new machines even have a floppy drive (the same is true for this build).

Boo. This HAS NOT been a fun day. I may try the desktop install later and maybe play with some of the boot parameters on the alternate install. I may try and install Edgy on my notebook later on. I may actually just wait until the final release and HOPE that I can install it. Hope you’re having better luck.

written by M@