SW Designs

Xubuntu Intrepid Ibex has done away with the traditional hacking of X11 config files for monitor, mouse, keyboard and other I/O devices. In this latest release uses X uses HAL to automatically configure itself with ‘reasonable defaults’. For me however, these defaults don’t play nicely with my IBM Thinkpad and Apple keyboard combination.

To emulate the standard wheel functionality,

$ cat /etc/hal/fdi/policy/mouse-wheel.fdi
<match key="info.product" string="TPPS/2 IBM TrackPoint">
<merge key="input.x11_options.EmulateWheel" type="string">true</merge>
<merge key="input.x11_options.EmulateWheelButton" type="string">2</merge>
<merge key="input.x11_options.XAxisMapping" type="string">6 7</merge>
<merge key="input.x11_options.YAxisMapping" type="string">4 5</merge>
<merge key="input.x11_options.ZAxsisMapping" type="string">4 5</merge>
<merge key="input.x11_options.Emulate3Buttons" type="string">true</merge>
</match>

And turn off the brightness, volume, eject, etc button by defaults add this to /etc/modprobe.d/options

options hid pb_fnmode=2

My hosting companies recent upgrade from Virtuozzo Power Panel to HyperVM resulted in a change to how RAM usage is calculated (and therefore restricted).  Despite top telling I was only using ~80% of my RAM, after the upgrade I started receiving frequent emails from cron informing me that processes were running out of memory and I even had problems opening SSH connections to the server.

The only options I was offered by Tektonic support were to upgrade to a more expensive product or reduce my RAM consumption.  Neither were feasible, particularly as I had not changed anything.  Anyway a month later Tektonic corrected the problem by announcing a free 15% RAM and 30% disk space upgrade for all customers.  This is shown by the jump in unused RAM in the graph below.

Thankfully I’ve not any further problems since then, however I think I’ll keep the company I was going to migrate to, Linode, bookmarked.  They use Xen for virtualization which is the only such software that supports swap files meaning this problem almost guaranteed not to happen.

Since the Debian security advisory was published there has been plenty of discussion about who is to blame and how such a bug has gone unnoticed since September 2006. While they are important discussions that need to be had, I’ll focus on how to protect your Debian based PCs, laptops, servers, etc. First thing’s first, upgrade OpenSSH and the relevant packages.

$ sudo apt-get update
$ sudo apt-get upgrade

Where you have OpenSSH installed, the host keys must be regenerated.

$ sudo rm /etc/ssh/ssh_host_*
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

SSHing onto the server will display a warning because the client’s host key in the known_hosts file does match what the server presents. Just delete the referenced line from known_hosts.

$ ssh server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

If you use public key authentication you’ll need to regenerate those keys, remembering to remove the old entry from authorized_keys on the server. The same goes for SSL certs used by web servers.

After installing Xubuntu Hardy Heron on my laptop I found that ctrl+alt+del was not activating the screensaver. To understand why this happens we look at /usr/bin/xflock4 - the script that Xfce uses to enable a screensaver,

$ cat /usr/bin/xflock4
if ps aux  grep x[s]creensaver &gt /dev/null 2&gt&amp1 then
xscreensaver-command -lock
elif ps aux  grep gnome-[s]creensaver &gt /dev/null 2&gt&amp1 then
gnome-screensaver-command --lock
else
xlock $*
fi
exit 0

And manually running the script gives us,

$ xflock4
/usr/bin/xflock4: 28: xlock: not found

This means neither xscreensaver, gnome-screensaver or xlock are installed and running. Of the three, I prefer gnome-screensaver. This is already installed so we just need to make it run during login. Goto Xfce menu > Settings > Settings Manager > Autostarted apps > Add. Enter an appropriate name and set the command to gnome-screensaver.

It’s common practice to use self signed certs in development environments. Here’s how to do it for Lighttpd.

$ openssl req -new -x509 -keyout ~/cert.pem -out ~/cert.pem -days 365 -nodes
Generating a 1024 bit RSA private key
....++++++
...................................................................................................++++++
writing new private key to '/root/cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SW Designs
Organizational Unit Name (eg, section) []:SW Designs
Common Name (eg, YOUR name) []:*.sw-designs.co.uk
Email Address []:</code>
 
Move the cert to its new location,
 
<code>sudo mkdir /etc/lighttpd/private
sudo mv ~/cert.pem /etc/lighttpd/private
sudo chown -r root:root /etc/lighttpd/private/
sudo chmod -r 0600 /etc/lighttpd/private/

Finally load the cert in the Lighttpd config,

ssl.engine  = "enable"
ssl.pemfile = "/etc/lighttpd/private/cert.pem"
ssl.use-sslv2 = "disable"