tricks

Trac, MySQL and authentication

2008-09-27T19:06:10+05:30

work :

A wiki
VPN
A bug/issue tracker

Trac gave us the first and the last, and OpenVPN gave us the middle. The newer versions of Trac can use MySQL as a database instead of SQLite and have a nice AccountManager plugin.

And it all comes together with pam_mysql. The only problem was that Trac likes to store passwords hashed as HTTP-Digest style hashes (not the most secure, I know) with an empty realm, and pam_mysql doesn't work for that. The solution was a simple patch to pam_mysql which adds support for such hashes. I'll publish that soon - I'm making it more general by adding support for realms rather than assuming that realm would be empty.

OpenVPN (and apache - via mod_auth_pam) etc. can authenticate via PAM and adding authentication to anything is a simple matter of placing the right .htaccess file. And this is a *common* password across all services, which users can change on the wiki, in their browsers, with a nice polished interface. No unix shells for people who can't deal with them.

This is no Kerberos, but is infinitely simpler - which means a lot for a small startup.

There are a few gotchas though :

Apache doesn't like empty realms. This can be worked around by switching to Basic authentication where passwords are passed on to PAM and we ignore realm. Yes, Basic is worse, but there's always SSL. Thus, one can supply _any_ value of realm (the AuthName in .htaccess). The situation might improve if my pam_sql patch accepts realms and we manage to modify the Trac AuthManager plugin to use the same realm.
SSH doesn't like to authenticate users which don't have an account on the machine. It does a getpwent() call, and if it fails, it sets the password to '^H ^M INCORRECT' (the ^H and ^M represent the control chars here, but this is what you see in your logs if you debug PAM). One (ugly, in my opinion) way out is to LD_PRELOAD your own getpwent() method for sshd. The other is to grant ssh access to people on a machine by machine basis. This doesn't scale beyond a point but is good enough for small setups and the most secure. We use this. The cleaner solution of course, is to use something like nss_mysql. This might be our next step, but not in the immediate future.

Patch to come Real Soon Now.]]>

SPG - Simple Password Generator

2008-07-22T21:40:42+05:30

comment on a blog post. You just need to remember one secret passphrase. Every time you need a unique password, append that secret to a unique string identifying the use (the website URL, or the domain name), hash the result and use the first n characters of it as the password. Unique, and there's only one thing to remember.

The script is useful enough, and I'm finally getting around to releasing it. There are other password generators (like Crypt::RandPasswd, Data::SimplePassword, String::MkPasswd, Text::Password::Pronounceable, Crypt::PassGen etc.), but they focus on creating random passwords - leaving it upon the user to manage and remember them.

This might be useful as a firefox extension as well. I eventually plan to convert it to one, but if someone else wants to do it, or has already done so - even better. It's a very simple idea, and I'm sure it can be implemented purely in chrome/javascript.

I need a place to announce it and I will let this be that place.]]>

Gutsy to Hardy - upgrade hiccups

2008-07-12T12:52:53+05:30

So I decided to upgrade to Hardy after doing a Wubi install on a couple of machines. With some gotchas of course.

I couldn't login. Not even as root. It wouldn't even ask for a password, but straightaway said "login failed" (on the console) and "authentication failed" (gdm).

That seemed like a PAM problem and it was. My encrypted HOME setup uses pam_encfs which had a problem loading into PAM.

The fix : a recompile, but after the patch mentioned in this bug.

Also, my network profiles stopped working - which turned out to be because of sudo. Adding a 'env_keep=NETSCHEME' to the Defaults in sudoers fix that too.]]>

Location aware GTD trick

2008-07-05T12:20:17+05:30

gtdo to manage the TODOs, and it shows me the list every time I open a terminal (via a 't ls' in my .bashrc). But what to do when my '@work' TODO list grows long and is shown to me on every terminal spawn, even at home?

what I also have is my network profiles setup. Till today, my office profile was called "office" - which I changed to "work". This makes my profile name the same as my context name ('work' and '@work' - we can manage the @ in the context). Do I need to say more? :)

Every time I do a 'NETSCHEME="work" sudo ifup ath0' and the network comes up, the '/var/run/network/ifstate' contains a line like 'ath0=ath0-home'. Which means, I can get the profile I'm using. Which means, if I name my profiles carefully, I can get the location I'm at. Which then means, if I name my contexts carefully, I can get the relevant context.

Adding this:

LOCATION=`grep -m 1 '-' /var/run/network/ifstate | awk -F '-' '{ print $2 }'`
t ls @$LOCATION

to my .bashrc works like magic.

By the way, I *could* scan for known SSIDs and select a network (and hence a location and a context) automagically, but I don't do that yet - one of the reasons being that I *think* there might be an information leak hidden somewhere. But I haven't thought it through. But I might, and then I might get around to doing it.]]>

Being too smart is annoying

2008-06-25T19:19:20+05:30

I was on my machine and wanted to run a remote instance on Firefox, with the display forwarded back to my machine. I had X forwarding over SSH and my DISPLAY enviroment variable all set up. But when I started 'firefox' on the remote commandline, it opened up an instance of firefox *locally*. WTF!!?

The fix to this is a 'MOZ_NO_REMOTE' env variable. Duh.]]>

Widescreen monitors and modelines

2008-03-19T20:28:26+05:30

This one does. The catch is the 60Hz - which is more like 59.91, which goes in as 59.73 in the textbox on that page. It does tell you the different values ("actually 59.91"), but you have to keep an eye. Another important thing is the monitor's 'Dot Clock' frequency. If you're exceeding that (and the tool will warn you if you are), it's most probably a mistake. Go re-read the specs of the monitor again.

FWIW, here's the modeline for the Acer AL1516W that I generated for the Eee :

"1280x800@59" 83.44 1280 1312 1624 1656 800 816 824 841

]]>

Git-Bugzilla integration

2008-03-08T19:47:35+05:30

There's always SCMBug, but you can cook your own Git-Bugzilla integration very easily. SCMBug's fine, but it's a lot of code if all you want is simple cross-linking between Git, Bugzilla and Trac (btw - GitPlugin for Trac would throw up an error unless you have at least *two* commits in your repository - talk about undocumented easter bugs!).

Anyhoo - here's what I want :
1. Git should disallow any commit where the commit message does not have a bug number.
2. Git should add a comment to the corresponding bug on a commit, mentioning the author, the Trac changeset link, the commit message and the list of files which changed.

And here's the code to do it. First, the post-receive hook :

#!/usr/bin/perl -w
use strict;

# A hook script which integrates with bugzilla. It looks for bug IDs in
# commit messages and adds the commit message as well as a link to the
# changeset as a comment on the bug.

# This program is released under the terms of the GNU General Public License
# version 2. A copy of the license may be obtained by emailing the author,
# or at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
#
# The absolute lack of warranty and other disclaimers as per the license
# apply.
#
# Copyright 2008, Devendra Gera. All rights reserved.
#
# Author : Devendra Gera 

### user configurable section

# The bugzilla has contains the server, username and password for the targeted
# bugzilla installation. There's NO 'http://' in the server line.
my $bugzilla = {
        server          => "10.147.251.90/bugzilla",
        user            => "demonuser",
        password        => "daemonuserspassword",
};

# __PATH__ and __REVISION__ are replaced in $browser->{changeset} and
# $browser->{revision} to get the changeset and revision URLs respectively. 
my $browser = {
        changeset       =>
        "http://10.147.251.90/projname/changeset/__REVISION__",
        revision        =>
        "http://10.147.251.90/projname/browser/__PATH__?rev=__REVISION__",
};

# The bug_regex should extract the bug id from the commit message and place
# it in $1
my $bug_regex = 'bug #(\d+)';


##### End user configurable section

use WWW::Bugzilla;

my $input = <>;
chomp $input;

my ($oldrev, $newrev, $refname) = split /\s+/, $input;
my $commit_msg = `git-whatchanged $oldrev..$newrev`;

# prepare the changeset URL
my $changeset_url = $browser->{ changeset };
$changeset_url =~ s/__REVISION__/$newrev/g;

# author
my ($author) = ( $commit_msg =~ /^Author:\s+(.*)$/m );

# files
my @filelist = grep ( /^:/, split( /\n/, $commit_msg ) );

# prepare comment
$commit_msg =~ s/^.*?Date://s;  # eat everything till the Date: heder
$commit_msg =~ s/^.*?\n//m;     # eat the date line completely
$commit_msg =~ s/^:.*?$//mg;    # eat the file list from the msg.
chomp $commit_msg;
my ($bug_number) = ( $commit_msg =~ /$bug_regex/ );

my $comment = <new(
        server          => $bugzilla->{ server },
        email           => $bugzilla->{ user },
        password        => $bugzilla->{ password },
        bug_number      => $bug_number
);

die "cannot connect to bugzilla" unless defined $bz;

$bz->additional_comments( $comment );

$bz->commit;

And here's the update hook :

#!/usr/bin/perl -w
use strict;

my $refname = shift;
my $oldrev = shift;
my $newrev = shift;

my $commit_msg = `git-whatchanged $oldrev..$newrev`;

# check if the commit message contains a bug number
if($commit_msg !~ /bug #\d+/) {
        exit -1;
}

exit 0;

The TODO :
1. Push every configurable thing to git's config file and access it via git-config.
2. Code cleanups. One definition of the bug regex (which is hardcoded in the update for now).

edit : the here doc in the code was causing a problem with formatting, eating up some of the code. Fixed now.

]]>

Network profiles in Ubuntu

2008-03-04T22:03:31+05:30

There are various ways of managing multiple network profiles in Ubuntu, but I've never been a fan of NetworkManager. Commandlines work for me very well, and even there - multiple solutions exist with the help of packages like resolvconf etc. Here's my setup which is very Debian-ish and depends on this nice package called ifupdown.

First, there's the /etc/network/interfaces file :

# we always want the loopback
auto lo
iface lo inet loopback

# mappings
mapping eth0
  script /etc/network/map-scheme
  map dhcp eth0-dhcp
  map emergency eth0-emergency

mapping ath0
  script /etc/network/map-scheme
  map office ath0-office
  map home ath0-home

iface eth0-dhcp inet dhcp
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface ath0-office inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/office.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface eth0-emergency inet static
  address 10.9.5.201
  gateway 10.9.4.1
  netmask 255.255.254.0
  up iptables -F
  up lokkit -q --high
  up echo nameserver 172.31.6.5 > /etc/resolv.conf
  up echo nameserver 203.197.12.30 >> /etc/resolv.conf

iface ath0-home inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/home.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

Notice the mappings section (and see 'man interfaces') - that allows me to say :

NETSCHEME="home" sudo ifup ath0

NETSCHEME="office" sudo ifup ath0

because the specified script (/etc/network/map-scheme) just looks up the NETSCHEME environment variable and spit out the correct mapping to go to. This thing, by the way, could be rigged to do arbitrarily complex tasks (look in /usr/share/doc/ifupdown/examples/ for sample scripts, including one which tries to ping some known IPs, and decides its location/profile based on successful pings - you could write one which looks for all known wireless SSIDs and then decide which profile to switch to). Here's my trivial script :

#!/usr/bin/perl -w
use strict;

my $scheme = $ENV{NETSCHEME} || "home";

while(<>) {
        if ( s/$scheme\s+// ) {
                print;
        }
}

The conf files in /etc/wpa_supplicant/* are of course wpa_supplicant configuration files. See 'man wpa_supplicant.conf' for details.

]]>

Eee PC!

2008-02-06T23:29:09+05:30

encrypted $HOME howto worked, but I kept /real_home on a SD card and added "noatime" to every FS mount.

One fallout is that I can't suspend - the SD card is a USB device and gets reset on suspend/resume. Also, the /var/log, /var/run, /var/tmp and /tmp are tmpfs filesystems. /var/cache/apt/ is a bind mount from the SD card to save the SSD from excessive writes.

Processing RAW images from my camera was a problem till I swapped the RAM with one of the modules from my Vostro 1400. GIMP works pretty smoothly now.]]>

Date::Manip, remind and remindme

2008-01-29T17:00:44+05:30

I use remind(short howto) to keep my calendar of events and reminders. Its a wonderful utility - and all commandline. I split up the birthdays, anniversaries, personally important days, and the usual stuff into different files, and include them in my ~/.reminders file. Here's what my .reminders looks like :

gera@gera-laptop:~$ cat .reminders 
include /home/gera/reminders/birthdays
include /home/gera/reminders/anniversaries
include /home/gera/reminders/impdates
include /home/gera/reminders/stuff

All this works well, except for a small issue. It takes too much time for me to add reminders for my day-to-day tasks. Firing up an editor and typing all that remind syntax is something that can be avoided. Also, it really hurts to look at the calendar to figure out fuzzy dates like "tomorrow", or "sat". I was planning to write this big Perl script which would do the heavy lifting for me. Instead, I found Date::Manip which already does the heavy lifting. It understands stuff like "tomorrow" and "sun". I just needed a small 'remindme' script then :

#!/usr/bin/perl -w
use strict;

use Date::Manip;
use Fcntl qw(:flock);

my $reminders = "$ENV{HOME}/reminders/stuff";

my $argstring = join (" ", @ARGV);
my ($when, $what);

(undef, $when, $what) = ($argstring =~ /^(on |)(.*?) to (.*)$/);
quit("what?") unless $what;
quit("when?") unless $when;

# form the line to be appended
my $date = ParseDate($when);
quit("cannot parse date") unless $date;

my $line = UnixDate($date, "REM %b %e %Y +1 MSG");
$line .= " $what %b.%\n";

# write in file

# open lock file
open LOCK, ">$reminders.lock" or quit("cannot open $reminders.lock : $!");
flock LOCK, LOCK_EX or quit("cannot obtain lock : $!");

# open data file, write and close data file
open REMINDERS, ">>$reminders" or quit("cannot open $reminders : $!");
print REMINDERS $line;
close REMINDERS;

# release locks
flock LOCK, LOCK_UN;
close LOCK;

exit (0);

sub quit
{
        my $msg = shift;
        print STDERR $msg, "\n";
        exit (-1);
}

Now, I can use it like this :

$ remindme on sat to eat everything I can
$ remindme tomorrow to pay the phone bill
$ remindme next week to think up of something useful to say
$ remindme next thursday to find something better to do

nifty, eh?

update: bugfixed the script. An extra space creeped up between the '+' and the '1'. Thanks to AmitU for pointing that out.
update 2: added the capability to get reminded n days in advance - a feature suggested by AmitU in the comments, but with a different syntax ("remindme next week to do this for 2 days"). Also, remindme's git repository and home page. The repository contains the bash-completion script as well.

]]>