Mountain Lion

Posted on July 26th, 2012 by Luke Sheldrick.
Categories: IT / Tech.
Tags: , , , , , , , , , , .

26 07 2012

So, Mountain Lion came out yesterday. I bought Apple’s new Macbook Pro with Retina, so am entitled to a free upgrade.

Applied for the redemption code, had to give a load of info, like purchase date, serial number..etc (not quite sure why, surely Apple can check this against my AppleID). Anyhow, they send you out a password and a password protected PDF in separate mails. Received mine within the hour, go to use it, and it informs me the code has already been used. Took a look on twitter, and seems everyone was in the same boat. According to numerous reports, Apple Support are saying to wait 72 hours, when a new code will automatically be issued.

I’m sorry, but that just sucks. I buy their top of the range laptop (well as well as most other things), and now I have to wait for the new shiny! Boo. I have a MacMini I use in my home office, which I’ve read mixed reports if the upgrade code would work for, so decided to just pay for the upgrade, as I’ll probably have to anyway for the MacMini, and I can use that on multiple machines.

Upgrade was pretty painless, a few things are broken, whilst developers update their code (and more importantly, make it work within the App Sandbox). I was reading up on PowerNap, as this is one feature that I think is really cool. My MBP will update, backup..etc when in standby. The default is to have this disabled when on battery power – however I wanted to ensure that was the case. According to the Apple KB, it’s in Power settings, and then in the Battery tab. I don’t have that. OK, so I need a SMC update before I can enable PowerNap. Great – for their latest, flagship MacBook, it’s ‘coming soon’.


Noticed a few things are broken so far:
TruePreview – Stops mails being marked as read in Mail. Manual Fix Here.
GPGMail – PGP/GPG for Mail. Broken at current – devs say to follow their twitter.
Hal9000 Screensaver – As it says on the tin.


Using Google-Authenticator for free two-factor ssh authentication

Posted on February 12th, 2012 by Luke Sheldrick.
Categories: IT / Tech.
Tags: , , , , , , , , , .

12 02 2012

I’d consider myself a pretty security conscious person, so most of my stuff is either firewalled off, can only be access via a VPN, or requires a key of some sort (ssh keys), except for one box. That one box, is the weak kink in the chain, but is there out of convenience. I have a box out there I can jump to, connect in with a password, and then get to everything else. However I hate having the weak kink. The only reason I have it, is if I am not somewhere where I have access to say my laptop, I can still jump on a shared machine say, and connect back to my kit.

Last week I was on a course, and couldn’t use my laptop, so was using one of the training centre’s computers. Throughout the course, I’d check my emails, irc, etc etc. Just using their standard installed putty, connecting back to my server via ssh. However how do I know what they have installed on their hotdesk computer? for all I know, they could have a keylogger sitting there happily recording my password. (Noted: a bit paranoid). On the way home from the course, I really wasn’t happy with that risk, so when I got home, I naturally changed the password, checked logs, no access seen, so happy for now. However needed to find a way to fix this.

Googled about for a bit, then stumbled on Google-Authenticator, now I had read about this being released for google accounts, so two-factor auth to check your GMail..etc however what I hadn’t realised is they had released a PAM (Pluggable Authentication Module) to work with their authenticator. Neat! I span up a VM in my lab, and had a play, and was very very easy to get the module installed, and working with SSH.

After compiling the PAM module, installing, updating the PAM config, and SSHd’s, you’re pretty much ready to go. Users on the server have to enroll using the google-authenticator binary, which asks them a series of question, then presents URL,which displays a QR code. Crank up the authenticator app on your favourite smart phone, and it should add the OTP config, and start generating OTPs. Depending on if you chose time based or generated OTPs, you’ll see a countdown clock (until the next code) or a button to request a new code.

There are some really good guides on setting this up so I won’t duplicate. I’ve got it running on my Ubuntu jump box, and a few CentOS servers in my lab. Seems perfectly stable so far. What I do like about this OTP solution vs some others such as RSA, is it doesn’t need to ‘call home’, so if for some reason the server is isolated from the internet, I can still authenticate using the OTP, as it’s based on RFC 4226 so is time based.

I have read a few places that GA and SSH keys cannot be used together, and you should disable KeyAuthentication. Both can work alongside each other, however OpenSSH sees them as separate things. So if I try to authenticate using my private key, it will accept that, and ask for no further authentication. However what I think what people are saying here, is that if you want to still be challenged for your OTP when using your key, this wont fit your requirements. For me, if I have my key, that is enough for me.

One thing I did put in place, which stops a bit of a chicken and egg situation, is that if you have’t enrolled with google-authenticator on the jump box yet, you can still authenticate just using your password. I’ve given some people access to the jump box for various reasons, and not all use keys, so once I had implemented the dual-auth, some of them couldn’t connect, to be able to setup google-auth, ops. To get this to work you need to add nullok to your PAM config line. I also added a string to print the code as you’re typing.

Your PAM config (eg /etc/pam.d/common-auth) should have a line like for this to work.
auth    required               nullok echo_verification_code

You can get the modules over at google code. All in all, a pretty neat solution to my issue, whatever machine I log in now, sure you can steal my password, but unless you also have my unlocked phone, to generate you a new OTP, you won’t be able to get in. The weak link is now a bit stronger  :mrgreen:



Posted on December 10th, 2011 by Luke Sheldrick.
Categories: Rant.
Tags: , , .

10 12 2011

I started a new job a few weeks back, which means, I am now home based. Which is working out pretty well so far. When I worked in an office all day, I’d always get things delivered to the office, and never really had any issues with the post. I’d occasionally get a ‘we tried to call’ redslip at home, but just assumed these were all genuine.

However, now I work at home, I’m in during the day. However now I get my post delivered home, I’ve noticed something, which well, really isn’t on – I’m still getting those slips. Not once, but every delivery this week, has failed, with “We tried to call, but no one was in” “The item was too big for the letterbox” type excuse.

This has happened with RoyalFail, DPD, HDNL, all of them pretty much. Most of the things I’ve ordered from Amazon, with Amazon Prime (which gives next day delivery). However when I’ve picked this up with them, they say the next day isn’t guaranteed if there are any issues with their courier.

I really don’t get that, I have a contract with Amazon, for them to deliver the next day. They then outsource the delivery to a courier company, yet if there is an issue with that contract, then it’s me, that paid for the Prime service – yet don’t get the item.

My theory here, is that most delivery drivers/postmen who deliver to home addresses, know that 99% of the people won’t be in during day, so rather than carrying around a big postbag, just pre-fill out the redslips.



GlobalSAN Fail

Posted on November 14th, 2011 by Luke Sheldrick.
Categories: Fail, IT / Tech.
Tags: , , , , .

14 11 2011

I bought a MacMini the other day to replace my old nettop at home. Until I get the new storage for it, I figured I’d quickly setup a LUN on my NAS for it. It seems OS X, even Lion, still doesn’t include an iSCSI initiator (wtf, really?). Anyway the typical freebie that you’d use on Leopard/Snow Leopard was GlobalSAN’s free initiator. However seems that as of version 5, it’s not a freebie.

I gave it a try, and went through their process (read giving them my details twice – once to download, then again to get a trial key)… tried it out, and didn’t rate it. So using their provided uninstall script I see the below:

WTF is that all about? Their uninstaller is trying to delet / . .. /sbin ..etc, someone really hasn’t QA’ed their code.

Have emailed them to see what they say about it. Poor show.


KVM + KSM = Big Bag of Win

Posted on September 26th, 2011 by Luke Sheldrick.
Categories: IT / Tech.
Tags: , , , , .

26 09 2011

I bought a HP Microserver a few months ago, to expand my media storage at home. HP had a promotion where you’d buy the server, and they’d give you £100 cash back. Not bad considering you can pick them up online for around £220. £29 for 8GB of DDR3 for it, and it’s quite an ample home server. I bought four 3TB disks, and have them in Raid-5 for the main storage, and I also have an E-Sata disk shelf with four more 2TB disks, also in Raid-5. The main storage array gives me around 8TB of usable storage, and the other around 5.5TB, so I have quite a bit at home to be getting on with.

A colleague at work today pointed out that HP had extended the offer until the end of September, so I thought I would pick up another one. My reasoning is they’re bloody cheap for what they are, and it’ll make HA testing in my lab a lot easier, with two identical machines.

However I decided to see actually how loaded the server was with what I run on it. The tasks that usually run on it backups of my various colos, streaming to the AppleTVs at home, transcoding up to 8 channels via the DVB cards, and downloading various media online. Well, basically, it isn’t breaking a sweat.

It’s currently running Ubuntu Server 11.04, which has pretty good support for KVM, so decided to spin up a few VMs to see how it handled it. I wasn’t overly optimistic, as AMD Turion™ II processor, which is basically designed for netbooks. However after spinning up a another Ubuntu Server instance, the server seemed to have no issue with this at all.

At that point I decided to clone the VM a couple of times, and then spin them all up to load test. 4 clones later, they all booted fine, and the box carried on with no real issues. I showed another colleague at work, and he’d asked how it would cope with Windows guests. The reason he was interested is he has just completed his MSITP qualification, and had quite a bit of difficulty running all the required server instances using his laptop and VMWare Workstation.

This evening I installed a base install of XP, and cloned that 4 times. Again, no real issues, so I decided to give every host 1G of memory (the server only has 8GB total), and see how KSM got on with the VMs. At the moment, it’s still scanning through memory pages, however it’s been running for around 20 minutes, and it’s already reclaimed 2.5GB of memory. No doubt given it some more time, it’s going to reclaim even more.

To say I am impressed by the Microserver, and KVM + KSM would be an understatement.Think I’ll setup a HA cluster when I get the other server, and see how that compares the likes of ESX.

Below just the quick setup I was playing with this evening.


2 of 1712345...10...»»