Interesting gadget hickups

Time machine and crontab

noreply@blogger.com (jolt) — Sat, 11 Jun 2011 16:53:00 +0000

Time machine backups of OS X is nice, especially since you can restore your full system from them. What is not so nice is that they run all the time, and they transfer a huge amount of files, so you don't want it to run very often.

Recognize the problem? Add it to crontab instead! Just edit your crontab (crontab -e) and add something like this:

25 3-7 * * * /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper &

This means that backupd-helper will run between 25 minutes past 03 to 07 (3-7 AM) everyday. backupd-helper is the same thing that is run if you would press "backup now" in the Time Machine preferences.

Oh, in time machine prefs, set it to NOT run (since the point is to run it by crontab). And no, backups will not be taken if you computer is asleep (since cron would be asleep as well..)

Use a specific proxy connection with Chrome Web Browser in OSX

noreply@blogger.com (jolt) — Thu, 28 Apr 2011 19:18:00 +0000

I travel a little bit now and then so I use a few different wireless or fixed networks that I'm a guest at. I tend to use Firefox a lot, and in FF i have set FF to always browse via my proxy server at home (tinyproxy). The handy thing with FF is that the proxy setting is only for FF, and that is a feature I've been missing in Chrome which I tend to use more often these days.

In OSX, there is a setting to use a proxy in System Preferences, but then that setting will be applied to all programs (except FF in my case), which is not what I want. So today I googled if there were any new addons for Chrome that could do that, and lo and behold, here is the solution (but not from a addon...)

Type the following in a Terminal.app (or iTerm2, which is awesome)

open -a /Applications/Google\ Chrome.app --args --proxy-server=proxy.home.over.vpn:8888

I saved that string as an alias in .bashrc for reuse.

Taken from http://hints.macworld.com/article.php?story=20100213001826236

Exim4, dovecot with sqlite authentication

noreply@blogger.com (jolt) — Wed, 16 Mar 2011 11:01:00 +0000

As I am moving away from courier to dovecot I also wanted to move away from the old courierauth DB and use something newer and slicker: sqlite3. Having all my SMTP and IMAP users in sqlite3 is nice, since you don't need them to have a actual system user.

Creating the sqlite3 db is easy, just "sqlite3 /etc/dovecot/authdb.sqlite". I used the SQL query from the dovecot page:


CREATE TABLE users (
    userid VARCHAR(128) NOT NULL,
    domain VARCHAR(128) NOT NULL,
    password VARCHAR(64) NOT NULL,
    home VARCHAR(255) NOT NULL,
    uid INTEGER NOT NULL,
    gid INTEGER NOT NULL
);

The next step was to edit the /etc/dovecot/dovecot.conf and /etc/dovecot/dovecot-sql.conf. I just created the entries in the sqlite db manually (my courierdb is small)

insert into users values ('jolt', 'mekk.com','oldcryptedpw', '/home/courier/jolt','104','105');

where all of the values are directly from the /etc/courier/userdb.

Now the fun part: get exim4 to play well with sqlite. ( I leave out the Exim dovecot config, since I used the exact same one from courier (i.e. it's the same path. Read the Dovecot-courier migration document for config details).

In exim I commented out my existing login: and plain: sections and replaced it with this:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :

server_condition = "${if and { \
{!eq{$2}{}} \
{!eq{$3}{}} \
{crypteq{$3}{${lookup sqlite{/etc/dovecot/authdb.sqlite SELECT password FROM users WHERE ( domain = \
'${domain:$2}' \
AND userid = '${local_part:$2}') OR userid='$2' }{$value}fail}} }} {yes}{no}}"
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if and { \
{!eq{$1}{}} \
{!eq{$2}{}} \
{crypteq{$3}{${lookup sqlite{/etc/dovecot/authdb.sqlite SELECT password FROM users WHERE ( domain = \
'${domain:$2}' \
AND userid = '${local_part:$2}') OR userid='$2' }{$value}fail}} }} {yes}{no}}"
server_set_id = $1

The above lines are just a modified version of the MySQL authentication example at the Exim wiki.

Now I tried exim4 and and after changing the select clause a bit it actually worked!

Now back to dovecot. Dovecot needs to be configured (in /etc/dovecot/dovecot.conf) to use both passdb sql and fetch userdb info at the same time (enable userdb prefetch). I missed that myself, of course, so be warned:


# SQL database 
passdb sql {
  # Path for SQL configuration file
  args = /etc/dovecot/dovecot-sql.conf
}

userdb prefetch {
}

And dont forget to disable PAM (just comment it out, don't forget the }).

Then I needed to change the default crypt method to CRYPT (thats what my courierdb used, remember?). Here is the /etc/dovecot/dovecot-sql.conf config file for your reading pleasure:


# Database driver: mysql, pgsql, sqlite
driver = sqlite
connect = /etc/dovecot/authdb.sqlite


# Default password scheme.
#
# List of supported schemes is in
# http://wiki.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = PLAIN-MD5
default_pass_scheme = CRYPT

# and enable the last line for user and pw prefetch:
password_query = SELECT userid as user, password, home as userdb_home, uid as userdb_uid, gid as userdb_gid FROM users WHERE userid = '%u'

I think that's pretty much it, so good luck!

Printing with Konica Minolta PP1300W in OSX Snow Leopard (over Time Capsule)

noreply@blogger.com (jolt) — Sat, 23 Oct 2010 12:09:00 +0000

I was supposed to do this years ago, and I actually tried to, but I never got the gutenprinting stuff to work with the built in CUPS of OSX. However, today was the day I thought I might just do it!

Turns out it was quite easy (after I tried all the different combinations that is...)

Go to Linuxprinting and download the min12xxw dmg (min12xxw-0.0.92-ub.dmg).
Download the Ghostscript stuff from the same page (gplgs-8.71.dmg)
Run the installer for min12xxw
Run the Ghostscript installer
Add your printer (it will auto select the Foomatic/min12xx driver
Save and print!

Automatically upgrade Debian with security updates

noreply@blogger.com (jolt) — Mon, 04 Oct 2010 19:32:00 +0000

So, one of the boring tasks of being a sysadmin is to do updates. Well, it's not really boring, just a boring task of doing it if you have more than 10 systems or so.

Since I'm lazy and not really a sysadmin full-time, I'm cheating by using the unattended-upgrades package. Here is how you do it:

Install unattended-upgrades
Add the following to /etc/apt/apt.conf
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
See if you need to modify
/etc/apt/apt.conf.d/50unattended-upgrades
(I didn't)
Watch your logs for any errors during updates (I use logcheck for this)
Read the additional info at https://wiki.ubuntu.com/AutomaticUpdate s for more details about this feature if you want to.

iPhone 3G iOS4 improved speed

noreply@blogger.com (jolt) — Sat, 10 Jul 2010 11:24:00 +0000

After installing ios4 the phone became extremely sluggish, so I thought "why not google around when I'm at home with this shitty cold".

So, first you need to jailbreak your phone (i.e. redsnow or equivalent).
Then install OpenSSH, adv-cmds erica utilities, vim, bash from Cydia or Rock (i prefer Rock to cydia any day).

Now: start with changing your password on root and mobile user to something not guessable,

First tip:

The first one I found was to enable some swap memory by uploading a plist that enable the dynamic pager:

Download com.apple.dynamic_pager.plist, scp it to the iphone and place it in /System/Library/LaunchDaemons/ and reboot.

If you are lazy the iMemory Enhancer is available from Cydia (but I like to know which file they are actually touching).

The second one is to disable some of the daemons that take care of background tasks.

Login via SSH and perform this:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

and continue with these (if they exist)

com.apple.CrashHousekeeping.plist
com.apple.DumpBasebandCrash.plist
com.apple.DumpPanic.plist
com.apple.ReportCrash.DirectoryService.plist
com.apple.ReportCrash.Jetsam.plist
com.apple.ReportCrash.SafetyNet.plist
com.apple.ReportCrash.SimulateCrash.plist
com.apple.ReportCrash.plist
com.apple.powerlog.plist
com.apple.racoon.plist (this is used by VPN subsystem, so don't remove if you use that)
com.apple.scrod.plist (used for voice, which the 3G doesn't support)
com.apple.tcpdump.server.plist
com.apple.apsd.tcpdump.en0.plist (thought to be used by push notification logging)
com.apple.apsd.tcpdump.pdp_ip0.plist ( -"- )
com.apple.wifiFirmwareLoader.plist (thought to be used for the new OTA (over-the-air) updates)

Oh, and you can do the same with sshd if you want to:
launchctl unload -w /Library/LaunchDaemons/com.openssh.sshd.plist

You can then start SSH when you want by using SBSettings

Now lets, deactivate locationd from startup but let it startpup on request

cd /System/Library/LaunchDaemons

plutil -convert xml1 com.apple.locationd.plist
vim com.apple.locationd.plist
------------------

search for RunAtLoad

change true ----> false

----------------
plutil -convert binary1 com.apple.locationd.plist
reboot

Do this under your own risk.

Found the info at modmyui

--

iPhone 3G has shadows enabled default for icons and the dock, which sucks some power, removing some of the png's are supposedly helping the graph libs giving you more memory and power. So, remove/move these files from /System/Library/CoreServices/SpringBoard.app:

WallpaperIconShadow*.png

WallpaperIconDockShadow?.png

Also, on another note, people have seen some improvements by removing additional language from applications. Not sure if it really matters or not, your milage will vary:

http://a-common-hades.blogspot.com/2010/02/final-script-for-deleting-iphone.html

Startssl certificate (free) + exim + courier (Debian/Lenny)

noreply@blogger.com (jolt) — Wed, 23 Jun 2010 20:54:00 +0000

So, my godaddy SSL cert finally expired. I wanted a new cert, but I weren't up to paying $29/year/domain for something I only have a few users on, but I still wanted a verified CA (no more adding exceptions). Looking around I found the great startssl.com, a CA that exists in most of todays browsers and email clients, and the best of all, their certs are free for non-business users!

The host I run is a Debian Lenny machine with exim4 and courier as MTA/IMAP server. So, here we go:

1) Sign up for a cert at StartSSL, follow the instructions (you will eventually end up with a client cert you need to install in your browser
2) Login, verify your email / domain, go into the certificate wizard and create a "Web Server SSL/TLS Certificate"
3) Create a new private key (2048 keylength is default, stick with it). Remember the password, you will need it later.
4) Save the cert as server.crypted.key. Create a keyless version with

openssl rsa -in server.crypted.key -out server.key

, or just use the toolbox and paste the cert and your key.
5) Select one of the validated domains to create a server cert, enter a subdomain such as mail.domain.com, or whatever. My cert was for the domain.com level, and that name wll also be included in the mail.domain.com cert.
6) The cert is eventuall created, so save it as server.crt
7) Go to the toolbox and download the Server Certificate Bundle with CRLs (PEM encoded) as ca-bundle.pem.
8) Copy ca-bundle.pem to /etc/ssl/certs

I have saved my files to /etc/ssl/startssl/. With this as the base, the real work begins:
Create a dhparam file
1) openssl dhparam -out dhparam.pem 1024
2) openssl gendh >> dhparam.pem

For Exim4:
1) Edit /etc/exim4/exim4.conf. Add/edit this fields:


tls_advertise_hosts = *
tls_certificate = /etc/ssl/startssl/server.crt
tls_verify_certificates = /etc/ssl/certs/ca-bundle.pem
tls_privatekey = /etc/ssl/startssl/0x2a.key
tls_dhparam = /etc/ssl/startssl/dhparam.pem
tls_on_connect_ports = 465
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 465 : 587 : 10025

2) Your done! Restart exim4 and be a happy camper

For Courier
1) cat server.key server.crt > server.pem
2) cat server.pem dhparam.pem > /etc/courier/imapd.pem
2) Edit /etc/courier/imapd-ssl, Add/edit the following:


TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs

3) Restart courier-ssl

That's how I got it to work. Good luck!

iOS4 pictures missing

noreply@blogger.com (jolt) — Wed, 23 Jun 2010 20:40:00 +0000

After my gf upgraded to iOS4, her camera pictures disappeared. Seems like the discussion forums are swamped with people with the same problem. Here is the solution: (oh, she's running linux, so she are forced to run iTunes in vmware, and these instructions are thus for windows)

Fix iPhone iOS4 "empty camera roll"

Tools:
iphone explorer (http://www.macroplant.com/iphoneexplorer/)

1) Connect your iPhone
2) Launch iPhone explorer and select the "/var/mobile/Media" as the path
3) Backup and then delete the following files:
/DCIM/.MISC/Info.plist
/PhotoData/Photos.sqlite
/PhotoData/PhotosAux.sqlite
4) Unplug your iPhone, launch Camera Roll and wait as it rebuild the database.

Credits: discussion thread at Apple discussion forum

Mount remote filesystem with sshfs in crontab

noreply@blogger.com (jolt) — Sat, 08 May 2010 09:30:00 +0000

So, I use my remote fileserver for XBMC by mounting it via sshfs (live-stream 1080 video FTW!).

Sometimes the server has to be rebooted though, and I want the mount to be automatically re-mounted when the system is back up again, and I use crontab for that. One problem still exist, and that is that the key I use is passphrase protected, something that is good, and since I use ssh-agent it's not really a problem:

*/5 * * * * test -d /mounts/remote.sys/video || . /home/myuser/.ssh/environment ; /usr/bin/sshfs remote.sys:/data /mounts/remote.sys/ -o Cipher=blowfish -o transform_symlinks -o follow_symlinks -o allow_other

So, what does it do? test -d will test if "/mounts/remote.sys/video" is a directory (the -d). If not, "||" means "not equal", so if it isn't a directory, then do the command following "||". Here I first source the environment variables from ssh-agent, then I just run sshfs to mount the remote system.

Very nice indeed!

Install a new SSL CA cert to your iPhone

noreply@blogger.com (jolt) — Wed, 24 Feb 2010 23:08:00 +0000

My company uses SSL certificates from IPSCA. They are cheap (especially for wildcard certs), but they also kind of suck (since they had a short validity and their level 1 intermediate cert expired 31 of Dec 2009).

To login to our Zimbra email over HTTPS I need to accept the new level 1 intermedia CA every time I want to read my email! Not funny and hence this:

Download the new SSL cert bundle from your CA. Send it as an email to any email account you have configured in your iPhone, press the attachement and you will enter a config program, select Install on your certificate, (it will complain about it not being signed, but nevermind).

Presto! Now I can visit the email server again without the pesky SSL error.

Tip-of-the-hat goes to this forum that provided the clues for the answer.

---

Ok, so I was stupid, which goes hand in hand with reading blogs instead of thinking for oneself: I could have just visited the website and clicked on the .crt link in the browser. When that happens, the "Install Profile" pops up. Just click install, enter your pin and you are done. KTHXBYE.

Track your laptop?

noreply@blogger.com (jolt) — Wed, 24 Feb 2010 23:01:00 +0000

I used to use Adeona (http://adeona.cs.washington.edu/) for laptop tracking, but since OpenDHT closed down Adeona kind of lost all usability. Today, after the whole story about the school that remotely enabled the webcam in the schools laptop to track their students, I got reminded of Adeona again :)

Oh, the irony in this! A-ny-way: I wanted something to replace Adeona, and I found http://preyproject.com/download instead. Just download and install! It is written in Bash/Perl so it is highly customizable. Since I rather prefer to keep my information myself I created a SSH cert and set it to upload files to one of my public systems instead of using their information center.

Wanna know more? Check them out! It's free, and it's even available for android!

BTW:

To enable scp of the data, set "post_method" to "scp" in /usr/share/prey/config, and set username/hostname at the bottom of that file. Also, since you probably want to run it as root, "sudo su -" and do "ssh-keygen" to generate a new cert. Upload this to a prey-user at your server and there you go!