PND4

/dev/notes

OpenSSH: Public Key Auth

I finally set up OpenSSH public key authentication on my NAS to incrementally back up my data daily. Despite there being lots of resources, I had to reference a few to get this working. It's kind of confusing figuring out where the public and private keys go in most guides: they don't really say which keys need to be on which box and which don't. A lot are pretty confusing about their naming conventions for remote/local and server/client. Also, most completely leave out the user's .ssh/config, in which you can specify the identity file ssh should try. Naturally, I compiled a few snippets from the ssh manual page and an example I cooked up from tonight's mucking around.. enjoi.

Public-Key Authentication:

  • The server knows the public key; only the user (on the client) holds the private key.

  • The file ~/.ssh/authorized_keys in the target account on the server lists the public keys that are permitted to log in to that account.

  • When the user logs in, the ssh client tells the server which key pair it would like to use for authentication.

  • The client proves that it has access to the private key (by signing a challenge from the server) and the server checks that the corresponding public key is authorized for the account.

Example: This sets up password-less ssh from foo@desktop (their account on their machine at home) to root@server (the root account on the machine at work). The desktop is the client and keeps the private key; the server only ever gets the public key.

On the desktop: Generate a key pair. (The notes use -t rsa; on a current OpenSSH, -t ed25519 is the better default.) ssh-keygen writes both halves into the current directory, so after the mv the private key lives at ~/.ssh/private-keys/foo and the public key stays at ~/.ssh/foo.pub.

foo@desktop:~/.ssh$ ssh-keygen -t rsa -f foo
foo@desktop:~/.ssh$ mkdir ~/.ssh/private-keys
foo@desktop:~/.ssh$ mv ~/.ssh/foo ~/.ssh/private-keys
foo@desktop:~/.ssh$ chmod -R go-rw ~/.ssh/private-keys

On the desktop: Create or modify the user's .ssh/config file to use the new private key. The IdentityFile path has to point at where the key was moved to; a config that still says ~/.ssh/foo makes ssh silently fall back to its default keys and then to a password prompt.

foo@desktop:~/.ssh$ vi config

Host *
    IdentityFile ~/.ssh/private-keys/foo

Caveat: with Host *, ssh offers this key to every server it talks to. Narrow the pattern (Host server) or set IdentitiesOnly yes if you don't want that.

On the desktop: Append the public key to the server's authorized_keys file. The umask 077 keeps ~/.ssh and authorized_keys readable by root only (sshd refuses group/world-writable ones), and mkdir -p covers an account that has no ~/.ssh yet.

foo@desktop:~/.ssh$ cat ~/.ssh/foo.pub | ssh root@server 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'

On the server: Modify sshd_config to allow public key authentication. The sed just uncomments the PubkeyAuthentication line; it is "yes" by default in OpenSSH, so this only matters if it was explicitly turned off. Because the target account is root, also check PermitRootLogin: "prohibit-password" (the modern default) still allows key logins, "no" does not. Once the key login works, set PasswordAuthentication no so the root account can no longer be guessed at over the network.

root@server:/etc/ssh# mv sshd_config sshd_config.orig ; sed < sshd_config.orig 's/^#Pubkey/Pubkey/' > sshd_config

On the server: Restart the ssh daemon

root@server:~# systemctl restart sshd

On the desktop: Test it out.

foo@desktop:~$ ssh root@server
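Two things a backup key like this one deserves that the steps above don't cover: a check that the private key really is unreadable by other users (ssh refuses such a key, and then falls back to a password prompt, which hides the problem), and an authorized_keys entry that restricts the key to the backup job instead of handing out a full root shell. The script below is an added example, not part of the original notes. The client address 192.0.2.10, the rrsync path (rsync ships rrsync in its support directory; where a distribution installs it varies) and the backup directory are assumptions, and the key material in SAMPLE_PUB is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original notes): harden the backup key set up above.
#  1. perm_ok: confirm the private key (and its directory) are owner-only.
#  2. restricted_entry: build an authorized_keys line that pins the key to one
#     client address and one forced command, with no pty or forwarding.
# Assumptions: client 192.0.2.10, rrsync at /usr/bin/rrsync, backups under /srv/backup.

# Return 0 if $1 has mode -rw------- (a key file) or drwx------ (its directory).
# Uses ls -ld rather than stat, whose flags differ between GNU and BSD.
perm_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    -rw-------|drwx------) return 0 ;;
    *) return 1 ;;
  esac
}

# Print an authorized_keys line for the .pub contents in $1, restricted to the
# client in $2 and the forced command in $3. The .pub comment field is dropped.
# from= and command= (plus the no-* options) are standard sshd authorized_keys options.
restricted_entry() {
  keytype=$(printf '%s\n' "$1" | cut -d' ' -f1)
  keydata=$(printf '%s\n' "$1" | cut -d' ' -f2)
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s\n' \
    "$2" "$3" "$keytype" "$keydata"
}

# Constructed sample key (placeholder material, not a usable key).
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample foo@desktop'

demo() {
  dir=$(mktemp -d)                 # stands in for ~/.ssh/private-keys
  : > "$dir/foo"                   # stands in for the private key
  chmod 700 "$dir"; chmod 600 "$dir/foo"
  if perm_ok "$dir/foo" && perm_ok "$dir"; then
    echo "private key permissions OK"
  else
    echo "private key is readable by others; ssh will ignore it" >&2
  fi
  # This line is what goes into root@server:~/.ssh/authorized_keys for the backup job.
  restricted_entry "$SAMPLE_PUB" "192.0.2.10" "/usr/bin/rrsync /srv/backup/desktop"
  rm -rf "$dir"
}
demo
```

With the forced command in place, `rsync -e ssh` from the desktop still works (rrsync rewrites the server-side rsync invocation to stay under the given directory), but `ssh root@server` with that key no longer gives a shell, and a stolen key is useless from any other address.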

Arch Install: Encrypted (LUKS on LVM)

"I remember new years eve 2010/11, crystal clear night, awesome fireworks in Zurich Switzerland, drinking with my bro and then he said "you have no soul do you?" – nohitall

Alright, so it's been a while since I made an entry, 'boo-hoo'.. But I bring treats: notes I took while replacing Gentoo with Arch on my desktop. Yeah, since I finally got my monitors in, I figured it would be a lot of wasted time compiling in Gentoo when I could be doing hood-rat stuff instead on Arch.. Well anyway, I figured I'd kick things up a notch, having watched Inception recently. Using this install you get 3 things: block-device encryption (LUKS) on top of logical volume management (LVM2), and finally your OS (Arch) all warmed up inside all of that.. Now you may ask yourself: "why did he use LVM when he seems to be using a pretty simple partition scheme?", and the answer is: "Because pnd4 can." .. Yeah-see, I took that one out of nohitall's evil book of nerd things to do when you're lacking sleep and bored. Come say 'Hi' on #crunchbang (via Freenode); I'm serving up 'Das Boot' to anyone who wants to complain about how pointless this block of text is.. enjoi!

Start by booting the installation media

Use fdisk to create 2 partitions

  • the boot partition can be pretty small at around 100 MiB or so. It stays unencrypted, because the bootloader has to read the kernel and initramfs from it, so nothing else should live there. It is /dev/sda1 in the commands below.

  • the second partition holds the LVM physical volume. It is written as /dev/<device> below (e.g. /dev/sda2); every command that writes to /dev/<device> means this partition, not the whole disk. Since each logical volume is encrypted separately (LUKS on LVM), the LVM metadata, i.e. volume names and sizes, remains visible to anyone with the disk; the contents do not.

Write random-looking data over the LVM partition, so that used and unused encrypted space cannot be told apart later. The plain dm-crypt mapping gets a throw-away random key (-d /dev/random), so writing zeros through it produces output indistinguishable from random and is far faster than pulling the whole disk's worth of bytes out of /dev/urandom. aes-xts-plain64 is used in place of the original's aes-xts-plain: the 32-bit IV of "plain" wraps on devices larger than 2 TiB, and plain64 is what cryptsetup recommends.

# cryptsetup -d /dev/random -c aes-xts-plain64 -s 512 create lvmname /dev/<device>
# dd if=/dev/zero of=/dev/mapper/lvmname bs=1M

Optional: In another terminal, make dd report its progress every 10 seconds (dd prints its byte count to stderr on SIGUSR1)

# watch -n 10 killall -USR1 dd

Remove the throw-away mapping (cryptsetup close does the same on newer versions).

# cryptsetup remove lvmname

Set up LVM: one physical volume on the LVM partition, a volume group, and logical volumes for root, swap, var, tmp and home (the sizes are just the ones used here)

# lvm pvcreate /dev/<device>
# lvm vgcreate lvmname /dev/<device>
# lvm lvcreate -L 12G -n rootname lvmname
# lvm lvcreate -L 4G -n swapname lvmname
# lvm lvcreate -L 8G -n varname lvmname
# lvm lvcreate -L 1G -n tmpname lvmname
# lvm lvcreate -l 100%FREE -n homename lvmname

Encrypt root. This is the one container unlocked with a passphrase at boot; everything else is unlocked with key files that live on it.

# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvmname/rootname
# cryptsetup luksOpen /dev/lvmname/rootname root

Set up root with the chosen filesystem [for example, ext4]

# mkfs.ext4 /dev/mapper/root -L root
# mount /dev/mapper/root /mnt

Set up boot with the chosen filesystem [for example, ext2]

# dd if=/dev/zero of=/dev/sda1 bs=1M
# mkfs.ext2 /dev/sda1 -L boot
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Create key files for home and var and store them in /etc/luks-keys on the (already encrypted) root filesystem, so they are only readable once root has been unlocked with the passphrase. Keep them root-only.

# mkdir -p -m 700 /mnt/etc/luks-keys
# dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256
# dd if=/dev/random of=/mnt/etc/luks-keys/var bs=1 count=256
# chmod 400 /mnt/etc/luks-keys/home /mnt/etc/luks-keys/var

Encrypt, format, and mount var. luksFormat takes the key file as its second argument; luksOpen needs it via -d, otherwise it prompts for a passphrase that this container does not have.

# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvmname/varname /mnt/etc/luks-keys/var
# cryptsetup luksOpen -d /mnt/etc/luks-keys/var /dev/lvmname/varname var
# mkfs.ext4 /dev/mapper/var -L var
# mkdir /mnt/var
# mount /dev/mapper/var /mnt/var

Encrypt, format, and mount home (the original's luksFormat line named varname here, which would have re-formatted var with the home key; it must be homename)

# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvmname/homename /mnt/etc/luks-keys/home
# cryptsetup luksOpen -d /mnt/etc/luks-keys/home /dev/lvmname/homename home
# mkfs.ext4 /dev/mapper/home -L home
# mkdir /mnt/home
# mount /dev/mapper/home /mnt/home

Connect to the internet

Install Arch via 'pacstrap'

  • Syslinux or GRUB, whatever floats your boat.

  • Wicd is optional but great if you plan to use Wi-Fi

# pacstrap /mnt base base-devel syslinux wicd

Generate a new fstab (it picks up boot, root, var and home from what is mounted under /mnt)

# genfstab -p /mnt >> /mnt/etc/fstab

Chroot into the new install

# arch-chroot /mnt

Set the hostname

# echo "h0stname" > /etc/hostname

Set the timezone

# ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Edit /etc/locale.gen (uncomment the locales you want, e.g. en_US.UTF-8 UTF-8) and generate them

# locale-gen

Configure /etc/locale.conf

LANG="en_US.UTF-8"
LC_COLLATE="C"
LC_TIME="en_US.UTF-8"

Edit /etc/mkinitcpio.conf and generate the initramfs

  • Put lvm2 and encrypt, in this order, before filesystems in HOOKS. The order matters: the LUKS container for root sits on a logical volume, so LVM has to activate the volume group before encrypt can unlock it.

# mkinitcpio -p linux

Change the APPEND line in /boot/syslinux/syslinux.cfg. The logical volume /dev/lvmname/rootname shows up as /dev/mapper/lvmname-rootname; the name after the colon is what the encrypt hook calls the unlocked container, and root= has to refer to that.

APPEND cryptdevice=/dev/mapper/lvmname-rootname:root root=/dev/mapper/root ro

Commit changes to /boot

  • -i = install the bootloader files

  • -a = set the boot flag on the boot partition

  • -m = install the MBR boot code

# syslinux-install_update -i -a -m

Add to /etc/fstab. /dev/mapper/tmp is the dm-crypt device that crypttab's tmp option re-creates and formats with mke2fs at every boot (newer systemd lets you pick the type with tmp=ext4), so it is mounted as ext2 on that device; the original's tmpfs entry would have ignored the device and mounted a plain RAM filesystem instead.

/dev/mapper/tmp  /tmp      ext2    defaults            0 0
/dev/mapper/swap none      swap    sw                  0 0
tmpfs            /dev/shm  tmpfs   nodev,nosuid,noexec 0 0

Edit /etc/crypttab. The device column has to use the logical volume names created above (swapname, tmpname); options are comma-separated key=value pairs in the systemd crypttab format. swap and tmp get a fresh random key from /dev/urandom on every boot, which also means this swap cannot be used for hibernation.

var   /dev/lvmname/varname   /etc/luks-keys/var
home  /dev/lvmname/homename  /etc/luks-keys/home
swap  /dev/lvmname/swapname  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
tmp   /dev/lvmname/tmpname   /dev/urandom  tmp,cipher=aes-cbc-essiv:sha256,size=256
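The boot chain above only works if three files agree on names: the <name> in each crypttab line is the /dev/mapper/<name> that fstab mounts, and the name after the colon in the syslinux cryptdevice= parameter is the /dev/mapper/<name> that root= points at. A mismatch (the kind that is easy to make when the LVs are called rootname, tmpname and the mappings root, tmp) only shows up as an emergency shell after the reboot. The script below is an added example, not part of the original notes: it checks those relationships on constructed copies of the crypttab, fstab and APPEND line from this install. The sample configs are built inline; the script does not read the real files.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the names that tie
# crypttab, fstab and the syslinux APPEND line together before the first reboot.
# The sample configurations below are constructed to mirror the install above.

# Print every /dev/mapper/<name> referenced in fstab ($2) that has no crypttab
# ($1) line creating a mapping called <name>. Comments and blank lines are skipped.
missing_crypttab_entries() {
  mapped=$(printf '%s\n' "$1" | awk 'NF && $1 !~ /^#/ { print $1 }')
  printf '%s\n' "$2" |
    awk 'NF && $1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' |
    while read -r name; do
      printf '%s\n' "$mapped" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Return 0 when the APPEND line ($1) opens the root container under the same
# name that root= refers to: cryptdevice=<device>:<name>[:options] must pair
# with root=/dev/mapper/<name>.
append_consistent() {
  crypt=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p')
  name=${crypt#*:}          # drop the device, keep "<name>[:options]"
  name=${name%%:*}          # drop trailing options such as :allow-discards
  root=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^root=//p')
  [ -n "$crypt" ] && [ -n "$name" ] && [ "$root" = "/dev/mapper/$name" ]
}

# Constructed samples matching the install in these notes.
SAMPLE_CRYPTTAB='var   /dev/lvmname/varname   /etc/luks-keys/var
home  /dev/lvmname/homename  /etc/luks-keys/home
swap  /dev/lvmname/swapname  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
tmp   /dev/lvmname/tmpname   /dev/urandom  tmp,cipher=aes-cbc-essiv:sha256,size=256'

SAMPLE_FSTAB='/dev/mapper/root  /         ext4   defaults            0 1
/dev/mapper/var   /var      ext4   defaults            0 2
/dev/mapper/home  /home     ext4   defaults            0 2
/dev/mapper/tmp   /tmp      ext2   defaults            0 0
/dev/mapper/swap  none      swap   sw                  0 0
tmpfs             /dev/shm  tmpfs  nodev,nosuid,noexec 0 0'

SAMPLE_APPEND='APPEND cryptdevice=/dev/mapper/lvmname-rootname:root root=/dev/mapper/root ro'

# Run both checks; "root" is opened by the initramfs encrypt hook rather than by
# crypttab, so it is the one mapper name fstab may use without a crypttab line.
run_checks() {
  status=0
  missing=$(missing_crypttab_entries "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" | grep -vx root)
  if [ -n "$missing" ]; then
    echo "fstab mounts /dev/mapper/<name> with no crypttab entry: $missing" >&2
    status=1
  fi
  if ! append_consistent "$SAMPLE_APPEND"; then
    echo "cryptdevice=...:<name> and root=/dev/mapper/<name> disagree" >&2
    status=1
  fi
  return $status
}

run_checks && echo "crypttab, fstab and APPEND agree"
```

To check a real system, feed `"$(cat /etc/crypttab)"`, `"$(cat /etc/fstab)"` and the APPEND line from /boot/syslinux/syslinux.cfg to the two functions from inside the chroot, before the reboot step below.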

Set the root password

# passwd

Reboot

# reboot

[Fin]

RTMP Streaming


Human beings must have action; they will make it if they cannot find it.

– Albert Einstein

Requirements

  • a video player that can read a stream from stdin [ex: vlc, mplayer]

  • rtmpdump

Syntax

rtmpdump -v -r rtmp://<stream> -W <swfUrl> -p <pageUrl> | <localMediaPlayer> -

-v treats the source as a live stream, -r is the RTMP URL, -W is the URL of the site's Flash player (rtmpdump fetches it to compute the SWF hash and size that some servers check), and -p is the page the stream is embedded in. The output goes to stdout and is piped into the player.

Example 1

rtmpdump -v -r rtmp://188.122.86.236:1935/live/_definst_/kdjfkdfksjkfs1 -W http://cdn.yycast.com/player/player.swf -p http://www.limev.com/ | mplayer -