Change primary monitor in Gnome 3

January 9th, 2012

If you use Gnome 3 with more than one monitor attached to your computer, Gnome 3 will make one of your displays the so-called primary display. It will display the Top Bar containing the Activities Button, Clock and Status Menu there. Also, the overview with the Dash and the Workspace list will be displayed on this screen only. Sometimes, Gnome 3 might choose the wrong monitor as the primary display and you need to change it manually. Unfortunately, Gnome 3 does not provide a GUI for this as of yet, so you’ll have to edit the configuration files yourself.

Permanently changing the primary display

If you want to permanently change your primary display, you need to edit the file ~/.config/monitors.xml in your home directory. It’s an XML file that contains a list of all the displays attached to your computer. Each monitor will have a tag called primary, which can be either yes or no. Here is an example containing configuration for two monitors, one connected via VGA and one connected via DVI, the latter one being the primary display:

  vi ~/.config/monitors.xml
  <monitors version="1">
    <configuration>
      <clone>no</clone>
      <output name="VGA-0">
        <vendor>IVM</vendor>
        <product>0x46d6</product>
        <serial>0x000051ac</serial>
        <width>1280</width>
        <height>1024</height>
        <rate>75</rate>
        <x>1280</x>
        <y>39</y>
        <rotation>normal</rotation>
        <reflect_x>no</reflect_x>
        <reflect_y>no</reflect_y>
        <primary>no</primary>
      </output>
      <output name="DVI-0">
        <vendor>IVM</vendor>
        <product>0x483c</product>
        <serial>0x000003b6</serial>
        <width>1280</width>
        <height>1024</height>
        <rate>75</rate>
        <x>0</x>
        <y>0</y>
        <rotation>normal</rotation>
        <reflect_x>no</reflect_x>
        <reflect_y>no</reflect_y>
        <primary>yes</primary>
      </output>
    </configuration>
  </monitors>

Find the monitor on which you want the Top Bar and the Overview to be displayed and set the content of its primary tag to yes. The primary tags of all other monitors should be set to no. That’s it. On your next login into Gnome 3, the settings from this file will be applied and you are set.
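As an added example (not part of the original post), here is a small Python script that makes the same change programmatically: it parses a monitors.xml in the shape shown above, sets primary to yes for the named output and to no for every other output, and refuses an unknown name so the file is never left without a primary display. The sample XML is constructed for the example.

```python
"""Switch the <primary> flag in a GNOME 3 monitors.xml document.

Added example, not code from the original post. It only touches the
<primary> tag of each <output>; every other setting is left as it was.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the monitors.xml shown above
# (only the fields needed for this example are included).
SAMPLE_XML = """<monitors version="1">
  <configuration>
    <clone>no</clone>
    <output name="VGA-0">
      <width>1280</width><height>1024</height>
      <primary>yes</primary>
    </output>
    <output name="DVI-0">
      <width>1280</width><height>1024</height>
      <primary>no</primary>
    </output>
  </configuration>
</monitors>
"""


def set_primary(xml_text, output_name):
    """Return the XML with <primary> yes for output_name and no for all others.

    Real monitors.xml files may hold several <configuration> blocks; the
    outputs of all of them are handled. A ValueError is raised if the name
    is unknown, so a typo cannot leave the file with no primary display.
    """
    root = ET.fromstring(xml_text)
    outputs = root.findall("./configuration/output")
    names = [o.get("name") for o in outputs]
    if output_name not in names:
        raise ValueError(f"no output named {output_name!r}; have {names}")
    for out in outputs:
        prim = out.find("primary")
        if prim is None:  # tolerate an <output> without a <primary> tag
            prim = ET.SubElement(out, "primary")
        prim.text = "yes" if out.get("name") == output_name else "no"
    return ET.tostring(root, encoding="unicode")


def primary_outputs(xml_text):
    """Names of the outputs flagged as primary; exactly one after a change."""
    root = ET.fromstring(xml_text)
    return [o.get("name") for o in root.findall("./configuration/output")
            if (o.findtext("primary") or "").strip() == "yes"]


if __name__ == "__main__":
    updated = set_primary(SAMPLE_XML, "DVI-0")
    print(primary_outputs(SAMPLE_XML), "->", primary_outputs(updated))
```

To apply it to the real file, read ~/.config/monitors.xml, pass its text to set_primary and write the result back; GNOME picks the change up at the next login.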

Temporarily changing your primary display

If you just want to change your primary display until the end of your session, you could use xrandr to change the display temporarily.

First, run xrandr without any parameters to display a list of available monitors and their display ids.

  xrandr
  Screen 0: minimum 320 x 200, current 2560 x 1063, maximum 8192 x 8192
  VGA-0 connected 1280x1024+1280+39 (normal left inverted right x axis y axis) 340mm x 270mm
  DVI-0 connected 1280x1024+0+0 (normal left inverted right x axis y axis) 376mm x 301mm

In the example above, I’ve omitted some of the output and only listed the lines that contain the display ids of the monitors. Again, we have two monitors attached to the computer, one via VGA and one via DVI. Suppose your current primary display is the VGA monitor and you want to make the DVI screen the new primary monitor. Then you would call xrandr like so:

  xrandr --output DVI-0 --primary

To reset, call xrandr again and change the output parameter to VGA-0.

Shameless plug: If this post was useful to you, please consider buying yourself something from one of my Amazon stores: US store, UK store, FR store, DE store, CA store. If you're not into Amazon, why not donate something to GNOME, Mozilla or Wikipedia? Thank you!

Get IP address from Samba share/NetBIOS name

January 5th, 2012

Suppose you’ve got a NetBIOS address of a Samba share like //SERVER/MyShare and you’d like to know the IP address of the server with the NetBIOS name SERVER. On Linux, you can use Samba’s nmblookup like so:

  nmblookup -I SERVER
  querying SERVER on 192.168.0.255
  192.168.0.213 SERVER<00>

In our example above, the IP address of the machine with the NetBIOS name SERVER turns out to be 192.168.0.213.

Monitoring PowerDNS via the internal web server

February 16th, 2010

If you want to stay informed about the current status of your PowerDNS server, there is no need to scan the logs or use third party tools like logcheckd. Actually, you might want to do this anyway, but PowerDNS provides an internal web server, which summarizes all the status information (including log messages) in a very nice and compact way for you to view.

By default, the web server listens on port 8081 on localhost, which means that you can’t view the status information from the outside network. To view the page locally, you could use a command line browser like lynx. You could bind the web server to a public IP address, but this is very insecure and not recommended: the PowerDNS web server exposes sensitive information about your DNS server, and it is probably not as thoroughly tested and hardened as e.g. Apache or nginx. Another problem is that you can only specify a single password and are limited to basic authentication, which is not very secure.

There is a secure way to retrieve the information provided by PowerDNS from outside your DNS server host. You could use Apache, nginx or any other web server you like as a proxy server. That way you can use more advanced authentication methods built into that web server to secure your status page. I will now show you how to do this using Apache 2 on Debian. We’ll need mod_proxy, mod_proxy_http and mod_headers enabled on the Apache 2 server. If you do not want to run an instance of Apache 2 on your DNS server, you could use an SSL tunnel or a secure back channel link to a remote Apache server to retrieve the status page. But this is beyond the scope of this post.

First, enable the internal PowerDNS web server by editing the configuration file.

  webserver=yes
  webserver-address=127.0.0.1
  webserver-port=8081
  webserver-password=PowerDNS

This tells PowerDNS to run the internal web server on port 8081 of the localhost interface. The user name will be admin and the password will be PowerDNS. Of course, you should change the password to something more secure; it’s just an example. After a restart of PowerDNS you can connect to the web server from your DNS server host. The password is optional, but it’s safer to set one, especially in an environment where other users have accounts on your DNS server box.

Now install and enable the required modules of Apache 2 by executing the following commands.

  apt-get install libapache2-mod-proxy-html
  a2enmod proxy
  a2enmod proxy_http
  a2enmod headers

The last module is only needed if you set a password for your internal web server as recommended above. I assume that you’ve got some kind of virtual host configuration for your Apache server. You’ll want to add a new virtual host for the DNS status information; if you use a subdirectory instead, navigation might be a bit odd. Let’s add a new site to the available sites.

  vi /etc/apache2/sites-available/status.dns.example.net
  <VirtualHost 192.168.0.1:80>
    ServerName status.dns.example.net
    DocumentRoot /var/www/
    ProxyRequests Off
    <Proxy *>
      Order deny,allow
      Allow from all
      ForceType 'text/html; charset=UTF-8'
    </Proxy>
    ProxyPass / http://localhost:8081
    ProxyPassReverse / http://localhost:8081
  </VirtualHost>

Alright, so what are we doing here? Basically, we’re adding a new virtual host status.dns.example.net on the main interface of dns.example.net. We’re using a reverse proxy to send all requests coming from the outside to our internal PowerDNS web server on port 8081. Also, we’re forcing a text/html content type in the proxy request filter, because otherwise we would just get text/plain and would simply see the source code, which is probably not what you want. Let’s enable the site for a test:

  a2ensite status.dns.example.net
  /etc/init.d/apache2 reload

If you point your web browser to status.dns.example.net you should now see the internal status page of PowerDNS. If you set a password above, you will see a password dialogue. This is the password dialogue sent by the PowerDNS web server. The user name is admin and the password is your password. Try it out now, because we’ll get rid of this in a minute.

For security reasons, you probably want to use Apache 2 for authentication. E.g. you might want to use an SSL connection and authenticate your co-workers against the internal LDAP server of your company intranet. You might even stay with the insecure basic authentication method, but use other user names. This is entirely up to you and beyond the scope of this post; consult the Apache 2 documentation on how to do this. What you probably don’t want, however, is to authenticate twice (first with your secure authentication method and then with PowerDNS basic authentication). Luckily, we can configure the Apache 2 proxy to do the PowerDNS authentication for us. This is a bit tricky, though. To authenticate at the PowerDNS server, Apache 2 needs to send an additional Authorization header line to the PowerDNS server with every request it handles. We use the RequestHeader directive to override any existing Authorization header with our own authentication data. Add the following lines just before the end of the virtual host container.

  <Location />
    RequestHeader set Authorization "Basic YWRtaW46UG93ZXJETlM="
  </Location>

The above example works only for our example password, which is PowerDNS; try it for a test. The reason is that part of the header value is the base64 encoding of the credentials (base64 is an encoding, not encryption: anyone who can read the configuration file can recover the password). You need to change the encoded part YWRtaW46UG93ZXJETlM=. Decoded, the string reads admin:PowerDNS, where admin is the user name and PowerDNS is the password. To use your own password, encode the string admin:yourownpassword with base64 and replace our example string. Be sure to keep the Basic and the space. It is crucial that you’ve got the right encoded string. There are a number of online tools to encode and decode these strings. To ensure that you’re using the correct encoding, encode the example string and compare it to the string above for reference. If you’ve got the wrong string, it will not work.
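An added example (not from the original post) that builds the header value for the RequestHeader and proxy_set_header lines locally, so the credential never has to be pasted into a web tool, and decodes a value back to check what a configuration actually contains. It reproduces the page’s example string for admin:PowerDNS.

```python
"""Build and check the 'Basic ...' Authorization value used in the proxy
configuration above. Added example, not code from the original post.
"""
import base64
import binascii


def basic_auth_header(user, password):
    """Return 'Basic <base64(user:password)>' exactly as Apache/nginx send it.

    base64 is an encoding, not encryption: whoever can read the web server
    configuration can recover the password, so keep that file root-only.
    """
    if ":" in user:
        raise ValueError("the user name must not contain ':'")
    creds = f"{user}:{password}".encode("utf-8")
    # Encode the bare credentials. A shell pipeline such as
    # echo 'admin:PowerDNS' | base64 would include echo's trailing newline
    # and yield a different token that PowerDNS rejects.
    return "Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic_header(value):
    """Return (user, password) from a header value, or raise ValueError.

    Useful for checking a string copied into a configuration file: if it
    does not decode to admin:<your password>, PowerDNS will keep asking.
    """
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credentials header")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed base64 token: {exc}") from exc
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    header = basic_auth_header("admin", "PowerDNS")
    print(header)                       # Basic YWRtaW46UG93ZXJETlM=
    print(decode_basic_header(header))  # ('admin', 'PowerDNS')
```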

Restart the Apache 2 server. To clear your browser’s password cache, restart your browser. Now surf to the site again. You will see that the password dialogue is gone. Now, don’t forget to secure the page again using Apache 2. Under no circumstances should you use Directory containers in the configuration: these will not apply to the proxy, because the proxy is not a physical directory on your server. Use Location containers like we did above for setting the RequestHeader directive. Also, you could still use insecure basic authentication to secure the page, if you wanted. It would work regardless of the RequestHeader magic.

A light-weight alternative

For those of you who think that Apache is too heavy, here is an example for the nginx web server:

  vi /etc/nginx/sites-available/status.dns.example.net
  server {
    listen 192.168.0.1:80;
    server_name status.dns.example.net;
    root /var/www/nginx-default;
    location / {
      index index.html;
      proxy_pass http://localhost:8081;
      proxy_redirect off;
      proxy_set_header Authorization "Basic YWRtaW46UG93ZXJETlM=";
    }
  }

Display MySQL query output on the command line

January 19th, 2010

If you are using the MySQL command line client regularly, the following scenario might be familiar to you: You run a select on a table, which contains a lot of fields. The output will not fit on one line, which means that it will be unreadable. Consider the following example:

  mysql> SELECT * FROM posts LIMIT 1;
  +----+-------------+---------------------+---------------------+--------------------------------+--------------+-----------
  ----+--------------+----------+----------+-------------+----------------+-------------+---------------+-------------+----
  -----+--------+---------------------+---------------------+-----------------------+-------------+-------+------------+----
  -------+----------------+---------------+
  | ID | post_author | post_date | post_date_gmt | post_content | post_title |
  post_category | post_excerpt | post_lat | post_lon | post_status | comment_status | ping_status |
  post_password | post_name | to_ping | pinged | post_modified | post_modified_gmt |
  post_content_filtered | post_parent | guid | menu_order | post_type | post_mime_type |
  comment_count |
  +----+-------------+---------------------+---------------------+--------------------------------+--------------+-----------
  ----+--------------+----------+----------+-------------+----------------+-------------+---------------+-------------+----
  -----+--------+---------------------+---------------------+-----------------------+-------------+-------+------------+----
  -------+----------------+---------------+
  | 1 | 1 | 2004-01-17 18:17:37 | 2004-01-17 16:17:37 | We'll see what time brings ... | Hello world! | 1
  | | NULL | NULL | publish | closed | closed | | hello-world
  | | | 2004-01-17 18:17:37 | 2004-01-17 16:17:37 | | 0 | /?p=1
  | 0 | post | | 0 |
  +----+-------------+---------------------+---------------------+--------------------------------+--------------+-----------
  ----+--------------+----------+----------+-------------+----------------+-------------+---------------+-------------+----
  -----+--------+---------------------+---------------------+-----------------------+-------------+-------+------------+----
  -------+----------------+---------------+
  1 row in set (0.00 sec)

There is actually a nice solution for this. By default, the command line client uses horizontal mode to display the results of MySQL queries. If you use \G instead of ; or \g at the end of the line, your query result will be displayed in vertical mode, which will look a lot better:

  mysql> SELECT * FROM posts LIMIT 1\G
  *************************** 1. row ***************************
                     ID: 1
            post_author: 1
              post_date: 2004-01-17 18:17:37
          post_date_gmt: 2004-01-17 16:17:37
           post_content: We'll see what time brings ...
             post_title: Hello world!
          post_category: 1
           post_excerpt:
               post_lat: NULL
               post_lon: NULL
            post_status: publish
         comment_status: closed
            ping_status: closed
          post_password:
              post_name: hello-world
                to_ping:
                 pinged:
          post_modified: 2004-01-17 18:17:37
      post_modified_gmt: 2004-01-17 16:17:37
  post_content_filtered:
            post_parent: 0
                   guid: /?p=1
             menu_order: 0
              post_type: post
         post_mime_type:
          comment_count: 0
  1 row in set (0.00 sec)

While vertical output uses a lot more vertical space than horizontal output, it is a lot more readable. You can probably see what I used as the example query: it is actually the first post from this blog. Yes, this blog just turned 6 years old ;).

If you want your command line client to use vertical mode by default, you can add vertical to the client section ([client]) of your .my.cnf file. This would look something like this:

  [client]
  vertical

Introducing TwoZero

December 10th, 2009

Some of you might have already seen TwoZero running on my laptop last year at the 25th Chaos Communication Congress. It’s a very basic web application written with the Django web development framework. Its task is to provide you with a personal conference schedule. It imports a schedule XML file from Pentabarf, which is used to manage the conferences organized by the Chaos Computer Club. You can then select the talks you’d like to attend, and these talks will be presented to you in a separate personal schedule.

As the 26th Chaos Communication Congress is just around the corner, I’ve set up a public instance of TwoZero. Try it out and tell me what you think. You can also download the source code (see the About section) and hopefully send in your excellent patches.

Type Hinting in PHP

September 5th, 2009

PHP 5 introduces Type Hinting. But it does so in the usual PHP way: It’s neither fish nor fowl. You’ll be excited at first when you discover the new feature. And then you’ll be disappointed, because things do not work like you’d expect. Suppose you do something like this:

  <?php

  function foo(string $bar) {
      echo $bar;
  }
  foo('Hello World!');

  ?>

What happens, when you execute the above code? You will get a rather cryptic error message:

  Catchable fatal error: Argument 1 passed to foo() must be an instance of string, string given.

So the function expected a string as the first parameter and you passed a string to it, but PHP chose to throw up regardless. Great, isn’t it? Of course, the reason for this is right at the very bottom of the PHP documentation on Type Hinting, all the way down the page below a number of examples:

Type Hints can only be of the object and array (since PHP 5.1) type. Traditional type hinting with int and string isn’t supported.

Doh!

Amazing Australian broadcasters

September 1st, 2009

Totally unrelated to anything, but it just came to my mind: Australian radio service is great. They’ve got great radio shows all through the night on a weekday presented by hosts with very strange Australian accents. I can get the whole Australian radio experience on a any European evening. In my bathroom. Or anywhere else. Australian radio: Amazing! The internet: Amazing! Australian radio and the internet combined: You guess what!

PS: I know that it’s early morning in Sydney right now. Never mind.

Printer-less printing

September 1st, 2009

Sometime in February I got rid of my ink-jet printer. Ever since I’ve spent a total of 3,15 EUR on printing the occasional file, form or letter at a nearby copy-shop. Way cheaper than the ink cartridges I had to buy regularly (while I didn’t print that much, the printer used a lot of ink during self-cleaning operations). And a lot friendlier to the environment. Yay!

Checking mail quota during SMTP transaction in Exim

August 31st, 2009

Introduction

The Exim mail server comes with out-of-the-box quota support. All you need to do is to set the quota, quota_warn_threshold and quota_warn_message options on your transport and you will be fine (see Chapter 26 of the Exim Specification). Combine this with a few custom database lookups and you’ve got a great way to handle your users’ mailbox quota. By utilizing some additional options and the power of regular expressions you could even define different quotas for each folder of your users’ IMAP mailboxes.

The problem

Using Exim’s quota management has a major drawback, though: Quota checking takes place after the message has been accepted for delivery. What does that mean in practice?

If the quota limit of a mailbox is exceeded, messages for this mailbox are still accepted for delivery, but deferred temporarily. At each queue run, Exim checks if the quota limit is still exceeded. If the user has deleted mails from her mailbox since the last queue run, the mail will be delivered. If not, the mail will be deferred again. At some point, Exim will give up and finally bounce the mail back to the sender. How long Exim will try to deliver the message depends on your retry rules. While this is good for your user, because she has some more time to clear up her mailbox before she effectively loses mail, it is bad in a number of ways:

  • The deferred mails pile up in the queue and clutter it.
  • If the user does not delete messages from her mailbox (e.g. she is no longer using it actively), messages will sit in your queue for a long time, before they are finally bounced back to the sender. During this time, the sender does not know about the status of the mail. You need to provide disk space for these mails. If you set up quota limits to better manage the disk space at your disposal, this may hit you hard.
  • If your user gets a lot of spam from faked sender addresses, you may generate a lot of collateral spam by bouncing her messages back to the faked sender addresses.

A possible solution

Exim wouldn’t be Exim if there weren’t some way to get around this limitation and check quota right at RCPT time during the SMTP transaction. Actually, there are a number of ways to implement this, and all have pros and cons. I’d like to show you a way that is relatively easy to implement, but does have some minor issues.

Basically, the idea is to set up a database of those users that are over quota. You’d use an external script to periodically check, if a user exceeded her quota limit, and manage the database accordingly. You could use a flat file to store mailbox names of these users or – if you’re already using a relational database (e.g. MySQL, PostgreSQL) or an LDAP directory for mailbox management – add an additional property (e.g. isOverQuota) to your mailbox object.
Additionally, you need to configure Exim to check your file or database during the SMTP transaction and reject an incoming message if it is for a mailbox that is over quota. How to do this depends a bit on your current configuration. Chances are, you’re already verifying the recipient of a message before you accept it (look for require verify = recipient in your ACLs). In this case, the fastest way to implement this in Exim is to add an additional router somewhere before (probably immediately before) the router that handles routing of messages to your users’ mailboxes (the router with the quota option). If you used a MySQL database it might look something like this:

  virtual_mailbox_overquota:
    driver = redirect
    domains = +local_domains
    # quote_mysql escapes the local part and domain, so a crafted recipient
    # address cannot break out of the quoted SQL string literals.
    condition = ${if eqi{$local_part} {${lookup mysql {SELECT username FROM exim.mailbox WHERE username='${quote_mysql:$local_part}' AND domainname='${quote_mysql:$domain}' AND enabled='1' AND overquota='1' LIMIT 1}}}{yes}{no}}
    data = :fail: Mailbox is full, quota limit exceeded
    allow_fail

Note: You’ll probably want to change the domains and condition options before you use this router in your configuration. But you get the idea, don’t you?

By default, Exim calculates quota by adding the size of the new message to the size of the mailbox and comparing this to the quota limit of the mailbox (inclusive checking). This means that a user can’t go over quota: the mailbox will always remain below the quota limit. This is great, but it doesn’t work for us. Our script depends on users going over quota, because otherwise it would not detect the mailboxes that are over quota. Again, there are a number of possible solutions to this problem. You could increase the quota limit of every mailbox by 1% and check for mailboxes at 99%. Alternatively, you could disable inclusive quota checking. To do so, add the following option to the router which handles routing of messages to your users’ mailboxes (the router with the quota option):

  quota_is_inclusive = false

Testing the new configuration

To test if the new configuration works, you might use Exim’s basic address deliverability checking.

  $ exim -C exim.new.conf -f sender@example.org -bt not.over.quota@example.org
  not.over.quota@example.org
    router = virtual_mailbox, transport = appendfile
  $ exim -C exim.new.conf -f sender@example.org -bt exceeded.quota@example.org
  exceeded.quota@example.org is undeliverable: Mailbox is full, mailbox quota exceeded

If you get anything close to the above, you’re probably okay. Of course you need to have a mailbox that exceeded its quota limit for this test to work.

Some issues

There are two minor problems with this solution. Depending on your situation, these might be acceptable or not.

First, there is the checking interval. If a user exceeded her quota limit, mail to her mailbox wouldn’t be blocked at SMTP time until the checking script’s next run. This is not such a big problem, because the message won’t be delivered anyway; instead it would be deferred and bounced back later (see above). Unfortunately, it’s the same the other way around. If a user deleted messages from her mailbox, this would not be recognized by Exim before the checking script’s next run. Mail would be rejected at SMTP time, although there might actually be enough space in the mailbox. This is a much bigger problem. Generally speaking, the interval between the runs of your checking script should be as short as at all possible. But don’t burn your mail server on the way ;).

Second, there is the exclusive quota checking. Because we depend on the mailbox actually going over quota, we need to disable inclusive checking or – alternatively – increase quota limits and flag mailboxes as over quota at 99% or less.

If we do the latter, there is always the possibility that the size of a mailbox isn’t above the checking threshold while new messages come in which are too large for the mailbox. These messages would be queued. Consider an example: A user gets 30 messages of 1 GB, but his mailbox is only 500 MB. He gets no small messages in between, so our checking script will not flag the mailbox in subsequent runs and the size of the queue will rise a lot. This is especially a problem because it mostly affects messages that are quite large. Also, if you can’t check fast enough and get a lot of small messages, there might be a lot of mailboxes that go way above the checking threshold before you can flag them. If you have a very large user base, this might be a problem. A run of the script probably takes longer if you have a lot of mailboxes, so this adds to the problem.

If we disable inclusive checking, the last message that brings a mailbox over quota will always be delivered. Depending on the message this might be okay (in case of small messages) or really bad (in case of very large messages). But: The mailbox will be flagged at the next run of our checking script, so the queue will remain relatively clear compared to our scenario above.

If you do not have a lot of users and your resources are limited, you might not like this option. If you’ve got a large user base, exclusive checking is probably better.
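An added example (not from the original post) of the periodic checking script that the post leaves to the reader: it computes Maildir sizes and decides which mailboxes to flag under either strategy discussed above, the 99% threshold with inclusive checking or the plain over-quota test with quota_is_inclusive = false. The mailbox names and sizes are constructed, and writing the flag into the exim.mailbox table is left out.

```python
"""Decide which mailboxes get overquota=1 for the router shown above.

Added example, not code from the original post. The sizes below are
constructed; in production they would come from maildir_size() on each
user's Maildir and the result would be written to exim.mailbox.overquota.
"""
import os

MB = 1024 * 1024

# Constructed sample: username -> (current size, quota limit) in bytes.
SAMPLE_MAILBOXES = {
    "alice": (495 * MB, 500 * MB),  # at 99%: inclusive checking keeps her here
    "bob":   (520 * MB, 500 * MB),  # already over, possible with exclusive checking
    "carol": (100 * MB, 500 * MB),
    "dave":  (900 * MB, 0),         # 0 = no quota configured for this mailbox
}


def maildir_size(path):
    """Total bytes of all files below a Maildir, including IMAP subfolders."""
    total = 0
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except FileNotFoundError:
                continue  # message delivered or expunged while we were walking
    return total


def overquota_flags(mailboxes, inclusive, threshold_percent=99):
    """Map each username to the overquota value (0 or 1) the router looks up.

    inclusive=True  models quota_is_inclusive = true: Exim never lets a mailbox
                    exceed its limit, so flag at threshold_percent of the limit
                    (and raise the limits in Exim accordingly, as the post says).
    inclusive=False models quota_is_inclusive = false: the last message may push
                    the mailbox over, so flag only a mailbox that is really over.
    Integer arithmetic avoids a float rounding surprise at exactly 99%.
    """
    flags = {}
    for user, (size, quota) in mailboxes.items():
        if quota <= 0:
            flags[user] = 0  # an unlimited mailbox is never flagged
        elif inclusive:
            flags[user] = int(size * 100 >= threshold_percent * quota)
        else:
            flags[user] = int(size > quota)
    return flags


def changed_flags(previous, current):
    """Only the users whose flag changed, so each run issues minimal UPDATEs."""
    return {u: v for u, v in current.items() if previous.get(u, 0) != v}


if __name__ == "__main__":
    print("inclusive:", overquota_flags(SAMPLE_MAILBOXES, inclusive=True))
    print("exclusive:", overquota_flags(SAMPLE_MAILBOXES, inclusive=False))
```

Run it from cron as often as the server can afford; the shorter the interval, the smaller the window in which a mailbox that was just cleaned up is still rejected at SMTP time.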

Of course, there are other solutions, that do not have these issues. But they are a lot harder to implement and to maintain.

New Mozilla.org

August 26th, 2009

Yesterday the new Mozilla.org site went live. I contributed to the redesign project by helping with the feed parser, that aggregates the Latest news from Mozilla and Community Ticker sections on the front page.

Greetings from Sylt

August 23rd, 2009

Sylt Ellenbogen (Denmark in the back)

A Thunderstorm…

August 21st, 2009

… at 7 a.m. in the morning. Something different for a change. Good morning everyone!

Getting rid of Apache pass-phrase dialogs

August 20th, 2009

Throughout the internet, HTTPS is used to encrypt traffic between a web server and its clients and thus provide a secure way of communicating with a server. Unfortunately, the best encryption is (somewhat) worthless if you can’t be 100 percent sure that you are communicating with the right server. If Alice wants to send her credit card number to Bob, all encryption is worthless if Mallory can trick her into thinking that he is Bob. SSL certificates to the rescue. If Alice trusts Carol and Carol has issued an SSL certificate to Bob, Alice can be sure that Bob is actually Bob and not someone else. An SSL certificate goes together with a private key; you need the private key to use the certificate. These private keys are usually encrypted with a pass-phrase. If Mallory manages to compromise Bob’s server and steal the private key file, he cannot (mis-)use it, because it is encrypted. That’s the theory.

However, Bob’s web server needs to read the private key file to utilize the SSL certificate. If it is encrypted, Bob has to either store the pass-phrase somewhere or enter it by hand every time he starts the web server. If Bob uses Apache, he will get a so-called pass-phrase dialog. By default it looks like this (on the command line):

  https-www:/etc/apache2-itk/# /etc/init.d/apache2-itk start
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.
  Server secure.example.org:443 (RSA)
  Enter pass phrase:
  OK: Pass Phrase Dialog successful.
  .

While entering the pass-phrase of an SSL certificate by hand is a very secure approach, it has its share of problems:

  • Upon reboot of Bob’s server, the web server will not start automatically. It will hang, because it waits for the pass-phrase to be entered. Likewise, if the web server is restarted automatically for some reason (e.g. by monitoring software), it will hang on start-up, because it waits for the pass-phrase to be entered.
  • For security reasons, it is unwise to use the same pass-phrase for all private keys. Also, Bob shouldn’t use overly simple pass-phrases that are easy to remember. If Bob needs tens (or even hundreds) of private keys he can’t possibly remember every single pass-phrase.
  • It takes some time until Bob has looked up the corresponding pass-phrase in his mind or in his secure pass-phrase store. Even if he manages to immediately know every pass-phrase in use at his web server, it takes some time until he has entered the pass-phrase.

At the cost of some security, you can mitigate these issues. If you really don’t care much about security, you can either not use a pass-phrase in the first place or – if you somehow entered a pass-phrase by accident – remove the pass-phrase from the key file. To remove the pass-phrase from an RSA private key, use:

  openssl rsa -in secure.example.org-2009.key -out secure.example.org-2009.key.unprotected

If you want a somewhat more secure approach (depending on the implementation), you can check out the SSLPassPhraseDialog directive of the Apache mod_ssl module. Using this directive, you can tell Apache to ask an external script for the pass-phrase of your certificates:

  SSLPassPhraseDialog exec:/path/to/script

Apache supplies two arguments to the script. The first argument is of the form servername:portnumber, e.g. secure.example.org:443, and the second argument is either RSA or DSA. The script is expected to print the corresponding pass-phrase to stdout. Of course, you still need to store the pass-phrases somewhere. How much security you sacrifice using this construct depends on the implementation of your external script, but it might be a slight bit more secure than using no pass-phrase for the private key files at all.
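One way to write such a script, as an added example that is not part of the original post: the pass-phrases live in a root-owned file (the path and the servername:port|type|pass-phrase line format are assumptions), the script validates the two arguments Apache passes, refuses to answer if the store is readable by group or others, and prints only the matching entry.

```shell
#!/bin/sh
# Added example, not from the original post: a helper for
#   SSLPassPhraseDialog exec:/path/to/script
# Apache calls it as "script servername:port RSA|DSA" and reads stdout.
# The store path and its "servername:port|type|pass-phrase" line format
# are assumptions; keep the store root-owned and mode 0600.
STORE="${PASSPHRASE_STORE:-/etc/apache2/ssl-passphrases}"

# lookup_passphrase <servername:port> <RSA|DSA>
# Prints the matching pass-phrase; returns 1 if there is none or if the
# arguments or the store look wrong.
lookup_passphrase() {
    # Only hostname letters, digits, dot, colon and hyphen are accepted.
    case "$1" in ""|*[!A-Za-z0-9.:-]*) return 1 ;; esac
    case "$2" in RSA|DSA) ;; *) return 1 ;; esac
    # Refuse to serve from a store that group or others can read.
    [ -f "$STORE" ] || return 1
    [ -z "$(find "$STORE" -perm -g+r -o -perm -o+r 2>/dev/null)" ] || return 1
    awk -F'|' -v id="$1" -v type="$2" \
        '$1 == id && $2 == type { print $3; found = 1; exit }
         END { exit !found }' "$STORE"
}

# Builds a constructed store in a temp file so the script runs stand-alone.
setup_demo_store() {
    STORE=$(mktemp)
    printf '%s\n' \
        'secure.example.org:443|RSA|correct horse battery staple' \
        'mail.example.org:443|RSA|a different long pass-phrase' > "$STORE"
    chmod 0600 "$STORE"
}

# Entry point when Apache runs the script; no arguments means demo mode.
if [ -n "${1:-}" ]; then
    lookup_passphrase "$1" "${2:-}"
else
    setup_demo_store
    lookup_passphrase secure.example.org:443 RSA
    rm -f "$STORE"
fi
```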

Shameless plug: If this post was useful to you, please consider buying yourself something from one of my Amazon stores: US store, UK store, FR store, DE store, CA store. If you're not into Amazon, why not donate something to GNOME, Mozilla or Wikipedia? Thank you!

Choppy Flash video in full-screen mode on Ubuntu

August 19th, 2009

When I originally upgraded to Ubuntu 9.04 (Jaunty), I noticed that Flash video in full-screen mode was kind of choppy. I never took the time to debug this and instead worked around it by either not watching Flash videos in full-screen mode, not watching Flash videos at all, or using the excellent YouTube integration of Totem. However, today I did some research into the problem and found a bug in Launchpad which solved the problem for me. It turns out that there is a bug affecting the Intel stack (in this case "Intel stack" does not necessarily mean an Intel graphics card, but an Intel processor). The bug is a miscommunication between X.org and the Kernel, which results in a misconfiguration of the Memory Type Range Registers (MTRR) in the Kernel. The result is poor performance in video playback and everything that involves graphics in general. This bug has been fixed upstream and in Karmic. A fix for Jaunty has been developed, but is yet to be released.

You can test whether you are affected by running cat /proc/mtrr on the command line. If you can’t see a line which ends in write-combining, you are most certainly affected by this. You can further check with lspci -vv and look at the Region 0 memory range of your VGA adaptor. If you can’t find that memory range in your mtrr file, you are probably affected.

Until the fix is released, one solution is to run this shell script as root after every restart of your X.org server. Warning: Audit any external file before you run it as root on your computer! The script should update the MTRR configuration of the Kernel with the correct settings. If you are affected by the bug, you will notice a slight improvement in overall graphics performance and the full-screen Flash videos should now play as originally intended.
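The check described above wrapped in a shell function, as an added example that is not part of the original post: it takes saved lspci -vv and /proc/mtrr output as text, finds the VGA adapter’s Region 0 base address and reports whether a write-combining MTRR covers it. The sample output embedded below is constructed, and the line formats are assumed from typical Linux output.

```shell
#!/bin/sh
# Added example, not from the original post: report whether the VGA adapter's
# Region 0 (from `lspci -vv`) lies inside a write-combining MTRR (from
# /proc/mtrr). Line formats are assumed from typical Linux output.

# mtrr_covers_vga <mtrr-text> <lspci-text>
# Returns 0 if a write-combining MTRR covers the VGA Region 0 base, else 1.
mtrr_covers_vga() {
    # Pick "Region 0: Memory at <hex>" from the VGA controller's block only.
    vga_base=$(printf '%s\n' "$2" | awk '
        /VGA compatible controller/ { invga = 1; next }
        /^[0-9a-f]/ { invga = 0 }
        invga && /Region 0: Memory at/ { print "0x" $5; exit }')
    [ -n "$vga_base" ] || return 1
    vga_base=$((vga_base))
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in *write-combining*) ;; *) continue ;; esac
            base=${line#*base=}; base=${base%% *}
            size=${line#*size=}; size=${size%%MB*}
            size=$(printf '%s' "$size" | tr -d ' ')
            lo=$((base)); hi=$((lo + size * 1048576))
            [ "$vga_base" -ge "$lo" ] && [ "$vga_base" -lt "$hi" ] && exit 0
        done
        exit 1
    }
}

# Constructed sample output for a stand-alone run.
SAMPLE_LSPCI='00:02.0 VGA compatible controller: Intel Corporation Integrated Graphics Controller
        Region 0: Memory at d0000000 (32-bit, prefetchable) [size=256M]
00:1b.0 Audio device: Intel Corporation HD Audio Controller
        Region 0: Memory at f0400000 (64-bit, non-prefetchable) [size=16K]'
SAMPLE_MTRR_OK='reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x0d0000000 ( 3328MB), size=  256MB, count=1: write-combining'
SAMPLE_MTRR_BAD='reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back'

if mtrr_covers_vga "$SAMPLE_MTRR_OK" "$SAMPLE_LSPCI"; then
    echo "a write-combining MTRR covers VGA Region 0"
else
    echo "no write-combining MTRR covers VGA Region 0: probably affected"
fi
```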

Where have all the records gone?

August 16th, 2009

I’m currently working on a web application and I set up a development version of this application on my local box. For my convenience I set up a number of unit tests to ensure that I do not accidentally break stuff when implementing new features. A number of unit tests that involved DNS failed repeatedly with a time-out. For various different reasons I’m using a router provided by my telco. During my investigation of the matter, I found out that the internal DNS server of the router only answered requests for A records. Requests for any other record types timed out. I wonder why they do this. The only reason I can think of is that it’s part of my ISP’s fight against malware installed on their customers’ Windows boxes, so this is not exactly evil. On the other hand, it is not very nice of them, because I’m sure that it cost me a few hours to debug problems that resulted from this. I think that I’ll call them and at least tell them that there are customers out there who really need the real, full, unfiltered DNS service to get their work done.

Commenting out multiple lines in Vim

August 8th, 2009

Sometimes you want to comment out multiple lines in Vim. There’s an easy way to do this out of the box without any rc magic or plugin.

  1. Navigate with the cursor to either the first or last line you want to comment out.
  2. Press Control and v to select a new visual block.
  3. Move your cursor down (or up respectively) to the last (or first) line you want to comment out. You just formed a visual block of your comment.
  4. Press I to insert text before all selected lines.
  5. Type your comment code (for example // or # or ;).
  6. Press Escape. Your comment code will be inserted before every line of the visual block.

To uncomment, do exactly the same, but instead of executing step 5 apply a regular expression. The regular expression should look something like this: :s/^#/. This will replace every # at the beginning of the line with nothing. If your comment code has only one character, you can also press d to delete the first character of every line.

Easy. Now tell me how to do this in Emacs. Christine graciously commented on how to do this in Emacs. Looks similar, except that Emacs seems to be a bit smarter about what comment code to use.

Self-signed encryption. Do you care?

August 8th, 2009

I’m impressed. Really. And I tell you why in a second: Due to a misconfiguration, a secure connection (HTTPS) has been enforced for all visitors coming to this blog for a few months now. I didn’t notice this at first, because I use a special WordPress plugin to enforce HTTPS for the admin user (myself) only. Actually, administering this blog in a secure way is the only reason I started to offer HTTPS access to this blog at all. To save myself a few bucks, I used my own certificate authority to issue myself a certificate. I guess that a maximum of 5 visitors/day trust this certificate authority by default. And this is a very optimistic guess. This means that for most visitors, it was very difficult to actually access this blog, because modern browsers nag the user very much if they detect any certificate issues with a site. Still – and that’s what I am so impressed with – I lost only about one third of the visitors by enforcing a secure connection. And I get a lot of visitors – especially through search engines. It seems that most visitors that come in via Google, for example, do not really care if they need to dismiss a number of security warnings to access this site. Or most visitors of this blog have disabled these checks. I don’t know. What this probably means is that

  1. most of you are technically savvy
  2. and you care enough to take the additional work required to access the content on this site.

Still, I disabled HTTPS enforcement again because

  1. it kept most feed readers out (I can only guess how many people were affected by this, because I don’t really track the number of subscribers to my RSS feed)
  2. and one third of the visitors of this blog are still a lot of visitors, if you just look at the bare numbers.

Anyway, I thought that I would lose a lot more visitors by enforcing HTTPS with a self-signed certificate. You proved me wrong ;).

Tomatoes, mozzarella and radish

July 28th, 2009

Once again a life sign to prove that neither this blog nor its author are dead as of yet ;). When I arrived at my flat yesterday evening, my fridge was of course totally empty. So the first thing I did today was to head out for shopping. Only to be greeted by a closed store. The local press calls this Netto-Umstellung. The store will open up again in August. With a new product line and a new branding. So I walked all the way up to the Aldi store, which is located right at the border to West Berlin ;). I walked out again with lots of tomatoes, mozzarella and radish. As usual, I made some mistakes: Back at home I had two packs of coffee left. But no filters for the coffee machine. Which is bad, because without coffee filters, no coffee. So I wrote Kaffeefilter on my list. But what did I buy? I’m sure you guessed it already. Another pack of coffee. Now I’ve got three packs of coffee and no filters for the machine. Sounds like (Greek|Turkish) coffee is the way to go.
I’ve got lots and lots and lots of things to do for this week. I hope that I can get some things done, finally. At the end of the week I’ll head to Hamburg for a short visit. I’ll be there from Friday night till Wednesday morning, so drop me a line, if you want to meet for a cup of tea. I’ll start tackling my overfull inbox from bottom to top, so chances are I’ll see your mail in time.

Add missing GPG public key to Debian’s apt

June 8th, 2009

Just a quick post, because I always have to look it up: If you get a message like this while installing a new package through apt

  W: GPG error: http://ppa.launchpad.net intrepid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C514AF8E4BA401C3

… you can do the following to get rid of it:

  gpg --keyserver pgpkeys.mit.edu --recv-key C514AF8E4BA401C3
  gpg -a --export C514AF8E4BA401C3 | apt-key add -

Works on Ubuntu and other derivatives of Debian all the same, of course. Hope this post will save me some time the next time I run into this.

EU Parliament elections 2009

June 3rd, 2009

(Image: EU Parliament elections postal vote ballot and envelope)

The ballot doesn’t really fit into the envelope. It’s totally crumpled right now. Epic FAIL! Anyway, if you’re living in Europe, vote. Tomorrow, on Friday, on Saturday or on Sunday, depending on where you live. The parliament doesn’t have as much say on EU policy as it should have, but it’s gaining influence. Some people say that European policy affects up to 80% of your local legislation right now. While I do not necessarily agree with such statements, it’s probably a good idea to vote anyway. So much for a public service announcement.