Sunday, October 28, 2007

Getting SSH working on the DNS-323

Ok, now that I've fun_plugged my DNS-323, the next step is to get some core services up and running. Telnet is already enabled by default when you do the fun_plug. The next item in the list is SSH.

There are two options here really; OpenSSH or DropBear. I'm going with DropBear since Fonz has kindly got it all packaged up as an addon for his fun_plug as compared to having to use chroot in the case of OpenSSH (no native binaries unfortunately).

So the first step is to grab the package from his site and unpack it into the / directory. Once done, go into /mnt/HD_a2/fun_plug.d/start/ as root, give it executable permissions (i.e. "chmod u+x dropbear.sh") and run the start script.

The very first time the script is run, it creates the necessary host keys in the fun_plug's etc directory and starts the daemon; subsequent runs just start the daemon. You can verify that the daemon has started by checking for its process (i.e. issue the command "ps -ef | grep dropbear" and you should see something similar to 26654 root /mnt/HD_a2/fun_plug.d/bin/dropbear -d ...).

To check that your server is running properly, try to connect to it using an SSH client like Putty. Remember to change the connection type to SSH and verify that the port is 22. You should be able to log in using your username and password and get to a BusyBox prompt, just like a typical Telnet session would.

Note that Putty may throw a security alert about an unknown host key when the connection is attempted (before you see the login prompt). This message can be safely ignored (click "Yes" to add the key to Putty's registry cache) if and only if this is your first time connecting to the host. Otherwise it could mean that the host is no longer the one you originally connected to, and you ought to get that checked out.

Once you get this far, you are pretty much set with a safer and more secure alternative to Telnet... unless you want public-key authentication for even stronger security or for running automated jobs over SSH (such as remote backups).

Public-key authentication in SSH works like this: If you are on a client system accessing a host system, you will need a PRIVATE key on your client system and have the corresponding PUBLIC key registered as an authorized key in the host system.

First, set up the appropriate home directory with the right permissions for the user on the DNS-323. To do so, use Fonz's script with the syntax "change-homedir.sh " followed by "store-passwd.sh" to make the change permanent (i.e. survive resets).

Next, create the key-pair using Putty on the client and upload it to the host using this excellent guide (it comes with step-by-step screenshots!). For the lazy, and those already familiar with PKI, the steps are:

  1. Create the key-pair using PuttyGen (with or without passphrase)
  2. Login to host system using the desired account id
  3. Cd to home directory (i.e. "cd ~")
  4. Create the sub-directory .ssh if it does not already exist (i.e. "mkdir .ssh")
  5. Cd into this directory (i.e. "cd ./.ssh")
  6. Create the file "authorized_keys" if it does not already exist (i.e. "touch ./authorized_keys")
  7. Make sure the file has the right permissions (i.e. "chmod 600 ./authorized_keys")
  8. Open the file in your favorite editor (i.e. "vi ./authorized_keys")
  9. Add the public key to the end of the file on ONE line (the public key should look something like this: ssh-rsa AAAAB3NzaC1yc2EAaaaBJQAaAIEAjL2xAU2kNrdMViUpMbYL+H5/h2KlLo7hG1RHu/mh/3qLPxSnTrprVXYMgb+T9iJ8PkkiSWtU83Av7WSHVlsGeRAMXlNtkjpEsF/SIXsplrLqDdk1Fmy8uin++rTsjcdAYlnsa5TuQbRJ4bVXBkGTOPbkHNz0bPqzy/rMBZDbsdE= user@host. Make sure there is no line break in between!)
  10. Save it and you are done! (Repeat the steps above for other users as necessary)
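The ten steps above, collected into one shell function as an added example; this is not code from the original post or from Fonz's package. It assumes a BusyBox-style POSIX /bin/sh and a key already exported from PuttyGen in the one-line OpenSSH format shown in step 9. It adds two checks the list does not spell out: the key must really be a single line (the wrapped paste is the usual reason key auth silently fails), and ~/.ssh itself is locked to mode 700 alongside the 600 on authorized_keys, since Dropbear also refuses keys from a directory others can write to.

```shell
#!/bin/sh
# Added example, not from the original post or from Fonz's fun_plug package.
# Installs one public key, already exported from PuttyGen in OpenSSH's
# single-line "type base64 [comment]" format, into HOMEDIR/.ssh/authorized_keys
# the way Dropbear expects it. Assumes a BusyBox-style POSIX /bin/sh.

# install_authorized_key HOMEDIR KEYLINE
# Returns 0 on success (or if the key was already present), 1 if KEYLINE is
# not a well-formed single-line public key.
install_authorized_key() {
    home="$1"
    key="$2"
    nl='
'
    # The usual reason key auth "just doesn't work": the key was pasted with
    # the line breaks PuttyGen's window shows, so refuse anything multi-line.
    case "$key" in
        *"$nl"*) echo "error: key must be on a single line" >&2; return 1 ;;
    esac

    # Split "type data [comment]" with parameter expansion (no globbing, no eval).
    type=${key%% *}
    rest=${key#* }
    [ "$rest" != "$key" ] || { echo "error: missing key data" >&2; return 1; }
    data=${rest%% *}
    case "$type" in
        ssh-rsa|ssh-dss) ;;   # key types assumed supported by Dropbear of that era
        *) echo "error: unsupported key type '$type'" >&2; return 1 ;;
    esac
    case "$data" in
        AAAA*) ;;             # every OpenSSH-format key blob starts with this prefix
        *) echo "error: key data does not look base64-encoded" >&2; return 1 ;;
    esac

    # Dropbear refuses keys from a directory or file that others can write to,
    # so lock down the directory as well, not just the file as in step 7.
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys" || return 1

    # Idempotent: append only if this exact line is not already present.
    grep -qxF "$key" "$home/.ssh/authorized_keys" && return 0
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# authorized_key_count HOMEDIR: number of key lines installed (for checking).
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c . "$1/.ssh/authorized_keys"
}
```

Run it on the DNS-323 as the target user, e.g. `install_authorized_key "$HOME" "ssh-rsa AAAA... user@host"`; a second run with the same key is a no-op, so it is safe to put in a setup script that is re-run after a reset.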

Saturday, October 27, 2007

Who's this little kitten?

So it's the end of the school year for Joel's childcare and it's time for their graduation ceremony cum concert. All students from N2 upwards will be participating in various performances and Joel, being in N2, will participate in an item featuring little kittens. Oh and what cute little kittens they are!

This little song and dance number lasted less than ten minutes but they practiced hard for it throughout the year. It's the first time Joel performed in front of a live audience but he was so brave and put in an excellent performance. We are so proud of you Joel!

Saturday, October 20, 2007

A better DNS-323... with fun_plug!

Ok, so the DNS-323 is a cheap, entry-level file, print and UPnP media server. However, with fun_plug you can easily turn it into something more! You can use it to run Subversion, BitTorrent, a web server with PHP support (think dynamic websites!), a backup server and more!

An excellent way to get started is to download and use the fun_plug package developed by Fonz. Just copy the archive file into the root folder of the first volume (called Volume_1 in the default network share), reboot, and you are done!

The base package includes telnet and an updated (busybox) shell. After the reboot, wait a couple of seconds and telnet into the box using the hostname and the default port 23. The default settings in Fonz's package skip the login process and automatically grant you root access. You will probably want to change that, especially if you are in an unsecured environment. Even for home users, I strongly recommend that you set up authentication just in case.

To do this, edit the telnetd.sh start script, comment out the LOPT variable referring to "sh", and uncomment the LOPT variable using "login". Finally, reboot (or manually restart telnet).

IMPORTANT: You cannot login as root unless you have set a password! So before you do the above, use the "passwd" command to set a password for root. After that, use the script "store-passwd.sh" to write this information to flash memory so that it survives the next reboot.
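The two-part change just described (set a root password, then flip LOPT in telnetd.sh), as an added shell example that is not code from the original post or from Fonz's fun_plug. The telnetd.sh contents it operates on are a constructed stand-in with assumed /ffp paths, since the real script's layout is not reproduced here. What it adds is the lock-out check from the IMPORTANT note: the edit is refused while root's password field is still empty or locked.

```shell
#!/bin/sh
# Added example; not from the original post or from Fonz's fun_plug package.
# Switches a telnetd start script from "drop straight into sh" to "run login",
# but only after confirming root actually has a password, since enabling the
# login prompt without one locks you out.
# The telnetd.sh layout assumed here (LOPT lines ending in /sh" or /login")
# is a constructed stand-in; the /ffp paths are assumptions, not the real file.

# root_has_password FILE
# FILE is passwd- or shadow-format. Returns 0 if root's password field holds
# a hash, 1 if it is empty or the account is locked ("!" or "*").
root_has_password() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        ""|"!"*|"*"*) return 1 ;;
        *) return 0 ;;
    esac
}

# enable_telnet_login SCRIPT PASSWDFILE
# Comments out the LOPT= line that runs a bare shell and uncomments the one
# that runs login, editing SCRIPT in place. Refuses (returns 1) while root
# has no password in PASSWDFILE. Safe to run more than once.
enable_telnet_login() {
    script="$1"
    passwd_file="$2"
    root_has_password "$passwd_file" || {
        echo "refusing: root has no password; run passwd, then store-passwd.sh" >&2
        return 1
    }
    # Write to a temp file and rename, so a failed sed never truncates the script.
    sed -e 's|^\(LOPT=.*/sh"\)|#\1|' \
        -e 's|^#\(LOPT=.*/login"\)|\1|' "$script" > "$script.tmp" || {
        rm -f "$script.tmp"
        return 1
    }
    mv "$script.tmp" "$script"
}

# active_lopt SCRIPT: the value of the first uncommented LOPT= line,
# i.e. what telnetd will actually be started with.
active_lopt() {
    sed -n 's/^LOPT="\(.*\)"/\1/p' "$1" | head -n 1
}
```

On the box itself the call would be `enable_telnet_login /mnt/HD_a2/fun_plug.d/start/telnetd.sh /etc/passwd` (the passwd path is an assumption; BusyBox may keep the hash in /etc/shadow instead), followed by the reboot or telnet restart the post describes.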

If you hit any problems with Fonz's fun_plug, the first place to check is the log file fun_plug.log in the directory /mnt/HD_a2/fun_plug.d/log.

Now that you have somewhat secured telnet access, consider the following mods:

The many faces of Jarrett

Introducing Jarrett, my number 3 man in the house. Here he is showing us one of his many talents: the "making faces at daddy while he tries to take a picture of me" trick. Thank goodness for digital cameras!

HomePlug, HomePNA or WiFi?

You know you have a problem when you find out that your new house does not come equipped with Ethernet cabling. And you know you have a bigger problem when your house spans a few levels. *sigh*

So what are my options? Well, I can take the opportunity to wire up the house before I move in but this is a very costly option due to the amount of hacking and cable laying involved. Alternatively, I can go with something less destructive such as wireless or "no new wires" technologies.

WiFi is a wireless technology that seems attractive at first, as it gives me the most flexibility in terms of equipment placement. In real life, however, I will have to watch out for weak spots and dead zones created by thick walls and other obstructions. In addition, I will have to invest in additional APs/range extenders to cover all 4 floors. To make matters worse, WiFi is prone to signal pollution from other 2.4GHz devices around the house (like your cordless phone, baby monitor, Bluetooth devices, microwave oven, and most likely your neighbour's AP), resulting in degraded performance and dropped connections. Obviously not practical when one of the primary uses of my home network is video and audio streaming from my central media library (located in my level 3 study) to the various networked media players spread all around the house (the furthest being in the basement).

A HomePlug network falls into the "no new wires" category, as it works over existing power lines. This is especially useful since multiple power sockets can be found in every room of the house. Considering that most of my networked equipment has to be plugged into a power socket anyway, this approach is indeed convenient. Now comes the bad news. Firstly, the adapter has to be plugged directly into a wall socket, as extension cords and surge protectors interfere with the high-frequency signals HomePlug uses. Secondly, they don't come cheap at almost $120 per adapter. Lastly, and most importantly, although the latest spec, HomePlug AV, allows speeds up to 200 Mbps, reviews (here and here) showed that real-world performance is way below that, presumably because of the cabling as well as the signal quality, which is seldom clean (i.e. spikes (sudden rises in energy), surges (prolonged overvoltages), and brownouts (prolonged undervoltages)) due to heavy-duty home appliances such as air conditioners, fridges, vacuum cleaners, etc.

A HomePNA network is in the same class as the HomePlug network, except that it works over existing phone lines rather than power lines. Luckily for me, my new place has not one but two phone jacks (independent lines) in every room, including the living room and basement. Although the technology itself can co-exist with voice and data (i.e. fax and even DSL) traffic, I get to set up a completely isolated network just for the LAN. With the latest standard, HPNA 3.1, introducing a theoretical speed limit of 320 Mbps, this would indeed be my top choice (barring gigabit Ethernet of course). The bad news? Well, apparently there aren't many backers of this technology, and the few vendors who are (like 2Wire, Motorola, Conexant) only offer them via service providers (such as AT&T) and not in the retail market. I was hoping to find a few resale units on eBay but I was out of luck there too. Damn.

So until I find a supplier for some HomePNA adapters, I guess I will have to live with the patchy wifi. :(

Monday, October 1, 2007

Cheap DR strategy for your home data? Yes, it's possible!

Disaster Recovery. You have probably heard of (and dread) this term if you are an IT manager in a sizable company. With the proliferation of mission-critical enterprise IT systems and the implications of losing such systems as a result of natural or human-induced (think 9/11) disasters, DR is fast becoming, if not already, a key concern for most companies.

On the home front, as we acquire more and more digital assets (e.g. music purchased from iTunes, family pictures and videos, electronic documents and books), it certainly makes sense to think about DR to protect your data, especially the irreplaceable items with high sentimental value.

If you live in Singapore, you will probably think that DR is excessive since we are relatively safe from natural disasters and no one is likely to drop a bomb (or plane) on your house. But what about other threats like household fire and theft? Living in a densely populated city, with shrinking apartments packed tightly together in high rise blocks, coupled with increasing number of electrical appliances and electronics found in homes, fire accidents are common and can cause widespread damage.

So we have established that DR is something both business and home owners should be concerned with. However, unlike businesses, home owners typically do not have the capital (nor is it feasible) to invest in elaborate DR setups (think redundant data centers and distributed setups) or even offsite backup services like Cisco's Recall.

The good news is that with the widespread availability of cheap unlimited broadband and online backup services, home users (and small offices that cannot afford the big bucks) can have their cake and eat it too.

One of my favorites is MozyHome. This is a cheap solution, under five US dollars a month, that offers unlimited storage and a 30-day backup window, and is really easy to set up and use. They even offer a free version, limited to 2GB of data!

Alternatively, for the technically savvy and those who are simply paranoid about storing personal data on unknown servers they have no control over, you can roll your own offsite backups with rsync and a little help from your family and friends. Details on how to do this can be found here. For obvious reasons, choose a friend or family member who stays as far away from you as possible!

Some closing words. Offsite backups take a significant amount of time to recover from, so they should be considered one part of a total backup strategy rather than the whole of it.