host anapnea
hostname anapnea.net
user fakeusername
identityfile ~/.ssh/id

When I want to log in, I open my terminal program of choice and enter ssh ana<tab> and press enter. Pressing tab expands to anapnea and I make my connection saving 4 keystrokes.

Note: For those interested, SSH tab-complete will expand to the value of host or hostname. That’s handy if you can remember the actual hostname of the machine and you’ve forgotten what you entered as the value of host (yeah, I’ve done it). If that makes no sense to you, you can get more information on SSH config files with man 5 ssh_config.

Tab complete also works with lftp and some other programs when using Ubuntu. I’ve found the lack of it in Fedora a little frustrating (I keep pressing tab and get nothing). I did a little Googling to find out just what program sets up this functionality and checked the Fedora repos for it. Thankfully it can be found in all it’s glory and awaiting installation in Fedora extras.

su -c 'yum install bash-completion'

A few seconds later, you’re ready to bank your keystrokes and tab complete to your heart’s content.

Note: Any terminal sessions that were open when you installed the package won’t utilize it until you either restart the session or enter bash at the prompt. It seems that your shell needs to source the newly created /etc/profile.d/bash_completion.sh script. This is done when you invoke BASH by opening a terminal prompt or executing bash at the command line.

I figure sharing a system with others can teach me a few things, I looked at it from a newb’s point of view and here are some of the reasons I came up with for checking out Anapnea.

Community: The IRC channel is full of people buzzing about the service, asking questions, and giving each other help. It seems to be a combination of newish to seasoned Linux/Unix users that are excited about the service. If you’re just getting started with Linux, this is a great way to get some help. Everyone using that service is using the exact same software as you. If you have a question, ask, you’re almost sure to get an answer.

Introduction to Console Applications: You’ll have access to several well known communication applications. IRSSI, CenterICQ and others. These are common Linux tools for communicating on IRC and IM networks. You can read about some of them on the Anapnea home page. The apps are already installed for you, all you have to do is try them out. See what you like or don’t like. I would suggest reading up on IRSSI, if you’re totally green, it’s not the easiest application to configure. That said, it’s the IRC client I’ve been using since I first gave Linux a shot. It’s terrific!.

Resource Sharing: By sharing a system with others, you get a feel for the right and wrong things to do when on a multi-user system. Poking around in other people’s home dirs would fall into the “wrong” category. That is a sure way to get your account revoked. I watched somebody lose his account today because he was doing just that. You are permitted to protect your directory from peekers, and I would do so (chmod 700 $HOME).

Introduction to SSH: SSH (Secure Shell) is the most common way to remotely log into a Linux server. If you haven’t yet made the jump to Linux, you might not even be aware of how useful SSH is (trust me, it’s amazing). Why not try it out, you can use an app like PuTTy on your Windows box to log into your account and muck about with Linux applications.

Customizing a BASH Environment: OK, this may not be for the super newbie, BASH is the shell you’ll be using to interact with the computer. There are [insert some insanely high, random number] of things you can do with BASH. Again, this comes in really handy if you haven’t got your own Linux box to play with but want to poke around. Not to worry if you really are 100% new to Linux, BASH doesn’t require customization to use it.

An account on Anapnea isn’t a replacement for your own Linux machine, you will only have 5 MB of storage and access to a limited number of applications. It is however, a great way to get your feet wet AND have some free web space out there on the Internet.

Another cool note, when asked if you’re a Gentoo user, you can proudly say Yes!

About Anapnea.net:

This morning, I spent a few minutes talking to cyraq, I wanted to know just why the hell he was offering this service, and maybe find out a little bit about him. It turns out his reason for starting Anapnea, was to help people who needed a shell account but didn’t necessarily have the means to buy one. If you’re not sure why anyone would need/want a remote shell account, I can offer an example. I have a friend who’s university won’t permit the use of IRC on their network. Being a student, he doesn’t have extra money for a shell account. This is a perfect solution for him, he can use IRC resources without violating the University’s rules.

The first two weeks of Anapnea’s life went well. News spread of its existence through word of mouth, people would sign up (who wouldn’t?) and a small community began to develop. Eventually, it was Dugg and In a period of 12 hours, cyraq went from being the sole administrator of 48 accounts, to the leader of a 3 person administration team that now had to manage 370 accounts (one of which I own). I can’t tell the story better than he, so…

(16:26) (mattds) and this was pretty much overnight?
(16:26) (cyraq) yeah, woke up at 3AM to get some water, and on the way checked my email
(16:26) (cyraq) You have 126 new emails.
(16:27) (cyraq) stayed up till 3PM
(16:27) (cyraq) went back to sleep at 6PM
(16:27) (cyraq) at one point, the emails were coming faster than i could answer them

I don’t have any info on the newest members of the team (lightdifference and Mike42), but I do know that cyraq is a young admin and by his own admission, very passionate about Linux. I think it’s great that he’s giving back to the community by offering this service. Another reason to embrace Linux and the people involved with it.

Disclaimer: I’m not a reporter, my apologies if that’s the lamest summary of an interview you’ve ever read

Now, ubuntu is only accessible from the LAN, so to make my life a little easier, I want to allow password-less logins, this is how it’s done.

This builds off of DD-WRT: SSH Remote Management with Public Key Authentication and DD-WRT: Samba Startup Script / Reconfigure Dropbear SSHd. Just to keep things fresh, the router only allows logins via public-key authentication, the machine ubuntu hosts the script that the router launches at startup on a Samba share (smb://ubuntu/ddwrt). The local path to that share on ubuntu is ~/ddwrt. The router will map that share to /tmp/smbshare during startup and will execute the dd-wrt-startup.sh script located there.

Configure public-key authenication on the Linux machine:

Since I used this machine to create a keypair earlier, I’m just going to recycle. Up until now, I’ve only configured this machine to make connections to other hosts using public-key authentication. Now I need to accept public-key auth connections from other hosts.

To do this, I need to create an authorized_keys file in ~/.ssh/. The command below will write my ~/.ssh/id_rsa.pub file to the bottom of a pre-existing authorized_keys file or create a new one if it doesn’t exist. This file allows me to authenticate with my private key on the computer ubuntu.

cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys

Copy private key to router and convert it:

Next, I need to get my private key someplace accessible to the router, I’m just copying it to the Samba share that auto-mounts when the router starts up.

cp -v ~/.ssh/id_rsa ~/ddwrt/

Now, I remove the password from the copy of the private key, this is mandatory. DD-WRT’s Dropbear client has its own format for private keys and cannot convert encrypted (password protected) OpenSSH keys. Not to mention that I actually WANT password-less logins . Just follow the prompts provided after executing the next command.

ssh-keygen -p -f ~/ddwrt/id_rsa

Note: This key will NEVER leave my personal network so I’m not worried about it getting into the hands of anyone I don’t trust.

Next I SSH into the router.

ssh root@192.168.1.1 -i ~/.ssh/id_rsa

Using dropbearkonvert I convert the OpenSSH key to a Dropbear key.

dropbearkonvert openssh dropbear /tmp/smbshare/id_rsa /tmp/smbshare/id_dropbear

Install private key to home dir at router startup:

The last step is to have the key installed to the /tmp/root/.ssh/ directory on the router whenever the router starts up. I could opt to leave the key on the Samba mount, but I decided to put it on the router because I actually have more than one machine I want to get to. If for some reason the machine running the Samba server is off-line, I wouldn’t have access to the private key.

To automagically install the key, I need to add the lines below to the router’s startup script, this can be done from the router, vi /tmp/smbshare/dd-wrt-startup.sh or from my desktop using my editor of choice nano ~/ddwrt/dd-wrt-startup.sh.

## install dropbear private key for passwordless login to other machines
cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/
chmod 600 /tmp/root/.ssh/id_dropbear

You can reboot the router to test the script or you can manually enter cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/ on the router and test it by entering ssh [username]@[hostname] -i ~/.ssh/id_dropbear. This should bring up a prompt similar to the one below:

Host ‘ubuntu’ is not in the trusted hosts file.
(fingerprint md5 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx)
Do you want to continue connecting? (y/n)

Answering “y” will add the host to ~/.ssh/known_hosts and I won’t be prompted about it again until I reboot the router. If I want to permanently add all of my machines to known_hosts, I can connect to each one of them and answer “y” at the Do you want to continue connecting? Prompt. After all of my hosts are known, I copy the file from the router to my Samba share (cp ~/.ssh/known_hosts /tmp/smbshare). Lastly, I go back to my startup script and add the line below.

cp /tmp/smbshare/known_hosts /tmp/root/.ssh/

that’s all folks, the router will install the files I need whenever it reboots and I have access to all of my machines through ONE tightly locked door.

The script I’m creating is only useful if you have your router configured for remote SSH management (see DD-WRT: SSH Remote Management with Public Key Authentication for my how-to). The configuration process applies to setting up any startup script on a Samba share.

The script I want to execute on startup is going to change the configuration of the Dropbear SSHd. By default, when you connect to the router via SSH, you’re presented with a pre-login prompt advertising the firmware’s version. I prefer not sharing that info with anyone (not in such a blatant fashion at any rate), so I need to kill off the dropbear process and restart it without the banner flag. You might be wondering why I don’t just edit dropbear’s config file on the router… The simple answer is that there isn’t one.

I’m going to be using a Samba share I’ve created just for DD-WRT on the machine named ubuntu (also my desktop). The local path is ~/ddwrt and the network path is smb://ubuntu/ddwrt

Create the script:

Create a script on your Samba share named dd-wrt-startup.sh. One way to create the file is to enter the commands below in a terminal.

cd ~/ddwrt
touch dd-wrt-startup.sh

Open ~/ddwrt/dd-wrt-startup.sh with your editor of choice and add the text below (each command should be on its own line):

#!/bin/sh
## kill/restart dropbear; remove pre-logon message
killall dropbear
dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22 -s

Be sure that when you specify the port (-p 22), you use the same port that you have configured in the DD-WRT control panel.

The difference between the command to launch dropbear that I wrote, and the command the router defaults to, is that I’ve removed the banner file flag (-b [path to loginprompt]). If you want to see what the exact command line is on your router before you make the change, SSH in and enter a ps, someplace in the process list you’ll see the dropbear command line.

Configure Samba FS Automount:

Before going on, be sure that the Samba server has a static IP or (better yet) a static DHCP address. If you don’t use static DHCP, you may want to use the machine’s IP address instead of its name when configuring the share below. Check out the DD-WRT DNSMasq wiki page for more info.

Log into the DD-WRT Control Panel, Click Administration then select the Management tab. Scroll down to the Samba FS Automount section and configure as follows:

• SMB Filesystem: Enable
• Share: //ubuntu/ddwrt
• User Name: [valid smb user]
• Password: [smb user's password]
• Startscript: dd-wrt-startup.sh

Now all you need to do is click Save Settings and Reboot Router. The next time you SSH in, you’ll notice that no information about the router is given until you’ve provided your credentials and successfully authenticated. You will also notice that entering the mount command will show you that your Samba share is mounted to /tmp/smbshare.

When I set up a personal Internet facing SSH daemon, I only allow logins via public/private key files. This greatly improves security by eliminating the potential for brute force password cracking. If you aren’t familiar with public key authentication, the quick of it goes something like this; you have a key pair that consists of a public and a private key. The public key lives on the server you want to log into, and the private key lives on your computer (the client). You can share the public key with anyone, and you should physically protect the private key with your life. You can choose to encrypt the private key with a password (you will need to enter the password each time you attempt to authenticate with the key) or leave the password blank (which allows you to log in without a password). Note: It’s strongly suggested that you password protect your private key.

So what’s the point of it? Your public key can only be used with its partner private key. As long as your private key is safe (only you have access to it), nobody can crack your account and log in (even if they have the public key, you can’t generate a private key based on the data in the public key). This is why I suggest encrypting the private key with a password, if you have it on a thumb drive and lose the drive, the dweeb who picks it up and wants to see what you have access too will still need to get past the password on the private key. This gives you time to create a new keypair and update the machines you connect to.

I hope I made that clear, it makes more sense once you start using it. If you’re confused at all after going through all of this, please let me know in the comments of this post, I’ll clear up what I can.

Creating a keypair on your Linux box

If you haven’t previously used SSH to connect to a host, you won’t have a ~/.ssh/ directory on your machine. If you aren’t sure whether or not you’ve used SSH before, open a terminal and enter ls -lad ~/.ssh. If the folder doesn’t exist, you’ll want to create it and set the proper permissions now. The command below will create the directory with a mode of 700, only you as the owner will be able to list the contents of ~/.ssh

mkdir ~/.ssh -m=u+rwx,g-rwx,o-rwx

This next command will create a keypair in ~/.ssh/ as long as you have the OpenSSH Client package installed (chances are, you do). Basically we’re creating a (standard) 2048-bit RSA keypair with a custom comment (-C [comment]. If you decide not to customize the comment, ssh-keygen will insert your [username]@[host] as the comment). If you don’t enter a password for your key when prompted, you won’t need to enter one when attempting logins with this keypair. As convenient as this sounds, I would (again) suggest using a strong password to keep this keypair safe.

ssh-keygen -C [comment] -f ~/.ssh/id_rsa

Now that we have a keypair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub), we need to log into the DD-WRT control panel, enable SSH and paste in our authorized key.

Configure SSHd

Open ~/.ssh/id_rsa.pub with your editor of choice, select all of the text and copy it.

Next, open your browser and enter the address of the router, Click on the Administration tab, and then on Services. Scroll down to the Secure Shell section and set it up as follows:

• SSHd: Enable
• Password Login: Disable
• Port: 22
• Authorized Keys: Paste in the contents of your id_rsa.pub file. The actual key (the ugly part of the file) must NOT wrap, it needs to be on one line.

Note: I ALWAYS change the port from 22 to some high number that’s easy for me to remember. It cuts down on attempted break-ins, do whatever works for you.

Now that SSHd is configured, click Save Settings and then Reboot Router. At this point, you can only use SSH to log into the router from your LAN (in other words, we haven’t opened SSH up to the world yet).

Once the DD-WRT control panel is visible again, open a terminal and enter the command below:

ssh root@192.168.1.1 -i ~/.ssh/id_rsa

If all goes well, should see a login prompt like the one below. You’ll need to enter the password for your private key. After that you should be at a shell prompt. If yes, Congrats! You’re communicating with your router via SSH.

DD-WRT v23 SP2 std (c) 2006 NewMedia-NET GmbH
Release: 09/15/06 (SVN revision: 3932)
Enter passphrase for key ‘/home/[username]/.ssh/id_rsa’

Now that it’s all tested, we can open SSH up to the Internet. This is optional of course, if you don’t want SSH access to your router from remote locations, then skip it.

Log into the DD-WRT control panel and select the Administration tab and then the Management tab. In the Remote Access section configure as follows.

• Web GUI Management: Disable
• SSH Management: Enable
• SSH Remote Port: [same port you selected in the Secure Shell configuration]

Again, click Save Settings and Reboot Router. After the reboot, you’re SSHd is available to you from anywhere

Extra bit to make life easier

Finally, if you think that’s an annoying amount of text to enter whenever you want to SSH into your router, create an SSH Config file. Use whatever editor you like, enter the text below and save the file to ~/.ssh/config

host ddwrt
hostname 192.168.1.1
port 22
user root
identityfile ~/.ssh/id_rsa

Now all you need to do is enter ssh ddwrt to connect to your router.

Finally, I should mention that allowing remote “root” logins is a really bad idea. I’ve made an exception in this case as DD-WRT is unique in that it only has one user account. There are ways of renaming the account, if I explore them, I’ll (of course) tell you about it.

Firstly, I powered up the router and performed a hard reset (hold the reset button down for 30 seconds). This just ensures that the router is using its factory default configuration. I then unplugged my Ubuntu Edgy machine from the old router and connected it to the WRT54GL. I reconfigured my network interface from a static address to DHCP and renewed my IP. I did this from the command line so it looked like sudo ifdown eth0 ; sudo ifup eth0.

The firmware installation is done from the router’s web based administration panel, so using Firefox 2.0.0.1 I logged in and navigated to the firmware upload administration tab. I used the browse button to locate dd-wrt.v23_generic.bin (which I had downloaded and extracted when I ordered the router) and clicked upgrade. After a few moments, I received a page telling me that the upload was successful and I walked away from the whole project for 5 minutes (as the wiki instructed me to. I wanted a beer anyway).

Time passes…

Back at the keyboard now, I click the Continue button and I’m presented with a white page and some fields asking for my username and password. I close Firefox, perform another hard reset of the router, open Firefox again and enter the address of router. Just like magic, I’m presented with the DD-WRT configuration pages of the router. Success!

Since it’s late and I just want to get things working, I’m only doing the basics, setting up static DHCP and a new wireless SSID.

Step one, change the default password from “admin” to something much, much better. Next, I collect all of the MAC addresses from the machines on my network and make my way to the Administration/Services tab. There, I assigned the MAC addresses to host names/IP addresses and configured my LAN domain name (just something I like to play with). I started testing DCHP by connecting to each of the Linux machines, changing them from a static to a DHCP configuration and renewing the IP address (same commands as above). Flawless! With the Linux machines done I configure the rest of the machines on the network the same way.

Next, I create a new wireless SSID and configure my two wireless machines to associate with it. This is where I had a little trouble. Everything but the Ubuntu install on the laptop connected without issue. For whatever reason I just can’t get the bcm4306 based wireless card to associate with the router using manually configured NDISwrapper. I’ll revisit this when I’m not so tired

Update: I think I have this fixed, I’ll tell you how in another post

I know I said I was only doing the basics, but I had to try SSH. So back to the Services tab, I enable SSH management (and disable Telnet as I’ll never use it) and click the Reboot Router button. Next, I open a terminal session and enter ssh dd-wrt. I log in with my user/pass and I’m at an ASH shell prompt. The output from a uname -r reads like Linux DDWRT 2.4.34-pre2 #170 Fri Sep 15 20:10:21 CEST 2006 mips unknown. Pretty sexy

All in all it was a satisfying experience. I’m running Linux on my router and there’s a LOT of cool things I can do. I haven’t scratched the surface yet, I’ll be exploring options for a while and when I come across something sweet I’ll post about it here. If you’re at all interested in exploring DD-WRT, start by checking out the compatibility list and reading up on the features. The wiki is a great place to start. I had no trouble ordering a 100% compatible router for around $55.00 US (there was a rebate).

If you’re new to Linux and don’t want to have to manage your router from a command shell, no worries. The web configuration pages are extremely useful and cover the full configuration of the router in a point and click fashion. You just can’t go wrong

Beryl:

I gotta say, the Beryl project is extremely cool. I had a great time picking out a skydome wallpaper and just tweaking out the desktop effects. I had to kill off the trailfocus plugin in beryl, I was getting annoyed with the fading out of apps. Other than that, I couldn’t be happier with the software. It’s just amazing. I have a nice fresh looking desktop with fun effects that just may help convince a few others to give Linux a shot (you KNOW anyone coming into this abode will be visiting my machine). Yeah, yeah, eye candy isn’t the reason to switch operating systems. That doesn’t mean that it won’t have an impact on some of those who are more reluctant to make the change. Who knows?

On the topic of Beryl, it seems that the folks over at Fedora are creating packages for it. That’s excellent news! I’ve noticed that Beryl core and Beryl devel have made it into the repos. I’m hoping that they’re planning to create packages for the plugins and extra toys as well.

*Note: if you followed the instructions for installing Beryl 0.1.1 in this post, and you update to the latest version in the Fedora repos, you WILL break Beryl. The good news is that it’s easy to fix. The RPMs referenced in the post have been updated to v 0.1.2. You can just download and install all of the packages except for core and devel (the post explains how if you don’t know what I’m talking about). After that, Beryl will be back, and up-to-date. Be sure to play with the “burn” animation. It looks NICE, but IMO it gets too annoying to use regularly. I wouldn’t mind seeing a “smoke” animation. Something that turns into wisps of smoke when you close an app could be pretty sexy

VMware:

I took some time today to set up some test VMware appliances for LinuxWorldNet. I’ll be using these “machines” to explore software and record my steps so I can post some how-to’s here. I’ve mostly completed the Fedora install, I’ll be working on Edgy shortly and I’ve created a Debian stable server for testing.

Upcoming Things:

I’ll be using the Debian VM to test out some FTP servers for Linux. I currently use Gene6 for Windows and would like to make the move to one of my Linux machines. I have no idea how well this will work out, I’ll post about my ups and downs here. Its going to be tough for any FTP server to beat G6, that’s just an amazing app. As I get into it, I’ll tell you what my requirements are and we’ll see how far I can get

I also plan on covering the configuration of OpenSSH server for both Fedora and Ubuntu. I’ll explain how to set them up in the most paranoid way I know how. I’m hoping that any newbies stumbling upon this blog will be able to open his/her SSH server to the evils of the Internet and still feel confident that they will be as safe as can possibly be.

That’s pretty much it for now. The only other thing I’d like to put out there is this; I’d like to hear from anyone that checks this blog out and has a few minutes to fire off a comment or email (matt at linuxworldnet dot com). Let me know what you think or if there’s a topic you’d like covered (I’ll do what I can, I’m still new to this Linux thing myself).

I need to get back to my beer and play, laydah!