Fedora 8 works quite well on the D620 right out of the box, and with a few tweaks can be just about fully supported. This guide summarizes what I’ve done to get things working to my satisfaction. It is not a step by step howto, but does attempt to link to more detailed resources when they are available. The table below shows at a glance what is and isn’t working well on my system. Green items worked immediately after install without manual intervention, yellow items were made fully functional after some manual configuration, red items have significant unsolved issues associated with them.

Output of lspci

It’s not always possible to ssh to a host directly. Many networks require high-value systems to be accessed via an intermediate bastion/proxy host that receives extra attention in terms of security controls and log monitoring. The added security provided by this connection bouncing comes with a cost in convenience, though. It requires multiple logins to access the protected systems and substantially complicates scp/stfp file transfers.

Fortunately, there are a number of ways to automate connection bouncing and make it as convenient as direct connection. There are already a number of web-sites detailing the approaches to this issue, and I won’t repeat their contents, to get a broad overview of the topic read the following:

• SSH Bouncing Part 1 from Hacking Linux Exposed
• SSH Bouncing Part 2 from Hacking Linux Exposed
• Using rsync through a firewall, the concepts in this document apply to all SSH setups, not just those integrating rsync

Terminology

SSH Connection “Chaining”

Connection “chaining” refers to any approach that involves sshing to an intermediate host, and then sshing from the intermediate host to the next host (for example: ssh 1 ’ssh 2 “ssh 3″‘). This solution is attractive for setups with many hops because it’s easy to extend, for example sshto makes this very easy. The primary disadvantage is that end-to-end encryption is lost. The connection is decrypted by every host in the chain, and an attacker with sufficient privilege on an intermediate system can sniff the connection without compromising either of the endpoints. I consider this to be a significant failing, and have a strong preference for “stacked” connections wherever they are logistically feasible.

SSH Connection “Stacking”

Connection “stacking” refers to any solution that involves tunneling ssh connections inside each other. “Nesting” strikes me as a better term, but stacking seems to be more widely agreed upon. It is typically implemented with proxy-commands or with ssh port-forwarding. It can be more difficult to manage for connections with many hops, and it forces one of the endpoints to bear the encryption load of all the connections (in chained setups, the load is spread evenly among all the hosts in the chain). It does maintain end-to-end encryption, preventing connection/credential sniffing by intermediate hosts.

My Setup

The key properties for my setup are:

• End-to-end encryption is maintained using stacked connections
• Only a single intermediate host is involved, the proxy features I utilize do not trivially scale to longer connection paths
• Putty is used for shell connections, and WinSCP is used for scp/sftp connections
• No special software is required beyond a default Putty installation, WinSCP, and an SSH server with port forwarding enabled. Specifically, netcat is not required on the intermediate host as is common with ProxyCommand setups.

WinSCP Config

The WinSCP Config is quite simple and utilizes its “tunnel” feature. Open WinSCP and configure a saved session for the final destination host as follows:

1. On the Session page, fill in the hostname and user name for the final destination host. Leave the password blank.
2. Check the “Advanced options” box in the login dialog.
3. Select the Connection –> Tunnel page.
4. Check the “Connect through SSH tunnel” box.
5. Fill in the Host name and user name of the intermediate host. Leave the password blank.
6. Save the session using the button in the lower right-hand corner of the window.

When you log in using the new profile, you will be prompted for two passwords. The first is for your account on the intermediate host, and the second is for your account on the final-destination host. After login, the bounce is entirely transparent and WinSCP works as if you had connected directly to the final-destination host. The connection process can be made even more transparent and secure by using public key authentication with Pageant instead of passwords.

Putty Config

The Putty setup is slightly more complicated and requires that public key authentication be used on the intermediate host. It utilizes Putty’s “local proxy” feature, which allows you to specify an arbitrary command on the local machine to act as a proxy. Instead of creating a TCP connection, PuTTY will communicate using the proxy program’s standard input and output streams. Our local proxy will be plink, which is a command-line ssh connection program included in the Putty default installation. Plink’s -nc option provides functionality similar to the ProxyCommand/netcat approach, but does so using the ssh server’s native port-forwarding interface and does not require that netcat be installed on the intermediate system. To set things up, configure a saved session for the final destination host:

1. Configure public key authentication for the intermediate host and make sure it works.
2. Start putty and on the “Session” page of the “Putty Configuration Dialog” that appears, fill in the host name and user name for the final destination host.
3. Switch to the Connection –> Proxy page, select “Local” as the proxy type enter the following as the local proxy command: plink.exe intermediate.proxy.host -l username -agent -nc %host:%port\n
4. Save the session.

If all is working properly, when you log in using the new profile plink will handle the login to the intermediate system silently. Putty isn’t smart enough to prompt if the proxy command requires user input, so you’ll get a connection error if public key authentication on the intermediate host isn’t working. If you use password authentication on the final destination host you’ll be prompted for your password, or if you use pubkey authentication there as well you’ll land at a prompt with no fuss at all.

If you have trouble, make sure plink is executing properly. You may need to enter the full pathname, usually c:\program files\putty\plink.exe. You can also try executing the plink command from a prompt, remembering to substitute the %host and %port values of your final destination host. If it’s working properly, you’ll be logged into the intermediate system with your pagean-cached private key, and instead of a prompt you’ll be presented with the SSH banner for your final destination system.

First off, if you’re not already quite familiar public key authentication, go read the three part IBM developerWorks series on the topic (1, 2, 3), which is the best primer I’ve found. I’m using public key authentication with encrypted keys, am caching my credentials with ssh-agent, and am using keychain as my interface to ssh-agent. My primary goal was to automatically run keychain –clear to clear my credentials any time I left my system unattended. I also outline how to run keychain ~/.ssh/id_rsa when you return to your system (or whenever you open a shell) in order to reload your ssh key.

Login

When I log in to my system, keychain runs and does some housekeeping. It starts an ssh-agent process if one isn’t already running and prompts for the passwords to my ssh keys if they aren’t already loaded, or if all that has already been done it just reports its status and exits. The following lines can be placed in ~/.bash_profile which is executed when you log into your system (via remote ssh session, text console, and oddly enough gnome executes bash_profile on login as well).

if [ "$PS1" ]; then
   /usr/bin/keychain ~/.ssh/id_rsa
   source ~/.keychain/yourhostname-sh
fi

The “if” statement ensures that keychain is only run for interactive shells. Because keychain generates output on execution it can confuse some programs that run non-interactively, notably sftp breaks if you don’t do this.

New Shell

I actually like keychain to run every time I start a new shell, not just when I first log in. This means that I can clear my credentials manually if I won’t be using ssh for a while and when I open a fresh terminal window (or “window” in a screen session, or whatever) keychain automatically prompts me for my password. This can be done by placing the same lines from above in ~/.bashrc instead of bash_profile (bashrc is executed from bash_profile, so you only need one or the other).

Screensaver

When my screensaver turns on, it’s an indication that I’m away from my desk and that my credentials should be cleared. To my knowledge, gnome-screensaver does not provide per-user screensaver-on and screensaver-off scripts where you can easily add these sorts of things (it should, if you ask me). It does, however, emit a DBUS signal that you can listen for and act on. I found some folks using python scripts to handle similar needs and adapted them for my purpose, others have done similar things with bash script. Once you’ve customized your DBUS signal listener script, add it to your default gnome session using System –> Preferences –> Personal –> Sessions so that it’s automatically started when you log in.

#!/usr/bin/python
import dbus
from dbus.mainloop.glib import DBusGMainLoop
import gobject
import os

def clear_keychain(state):
     """Called when screensaver on/off events occur"""

     # clear ssh keys when screensaver turns on
     if state == True:
          os.system('/usr/bin/keychain --clear')

     # Load ssh keys when screensaver turns off
     #     if state == False:
     #          os.system('/usr/bin/keychain id_rsa')

# Connect to the gnome session bus:
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()

# Listen for SessionIdleChanged signals
bus.add_signal_receiver(clear_keychain,'SessionIdleChanged','org.gnome.ScreenSaver')
loop = gobject.MainLoop()
loop.run()

Logout

Logging out of the system (whether from a remote ssh session, a local text console, or a graphical gnome session) is an indication that my workstation is going to be idle for a while and that my credentials should be cleared. This can be (mostly) accomplished by making an addition to ~/.bash_logout. This file is run any time a non-gnome login shell exits, like a remote ssh session or a local text console session (but not terminal windows in gnome, screen windows, or other non-login shells):

/usr/bin/keychain --clear

For some utterly insane reason, gnome doesn’t execute bash_logout even though it does execute bash_profile on login, and it doesn’t provide a sane alternative. The only method I’m aware of for running a script on gnome-logout involves xsession hackery, but I’ve punted on this issue since I rarely exit my gnome session. If you find an elegant solution, leave a comment.

Other SSH Tips

• SSH Aliases: This is somewhat off-topic for this article, but is such a great timesaver that it bears a quick mention in any article about ssh. You can define short names for hosts you ssh to often in ~/.ssh/config.
• Clearing Credentials At Login: An alternative to all of this, and one of the strategies suggested in the developerWorks series is to start keychain with the –clear option in .bash_profile or wherever you call it from. The assumption is that by clearing your credentials on login instead of logout, you can stay authenticated all the time (and gain the benefit of being able to run cron scripts) but an attacker will lose access to your credentials the moment they try to access your account. It’s an interesting strategy, but not one I’m entirely comfortable with. I prefer to clear my credentials when they’re not being used, and designate special-purpose keys with appropriate constraints for cron jobs.

Conclusion

With the tips in the developerWorks series, and the information in this article, you can have an incredibly convenient ssh key management setup while you’re using your computer and know that your credentials will be automatically cleared when you’re away from your system.

I’m incredibly excited about the move. Since my partner lives in New York, I’ve been job hunting there for almost a year and half and I’ve found that it’s a very competitive market. I needed to do a lot of professional development in order to be considered seriously for the positions I wanted, and this was the most interesting position I saw or applied for in my entire search. To have been hired into it just fantastic.

So anyhoo… I’ll be selling or giving away most of my stuff this month so Laura, Kip, and I can fit into an apartment the size of a shoebox. Have a gander if you need anything.

Determining Battery Health

There are several methods of determining your battery’s capacity relative to it’s initial specification (aka “health”).

• Press and hold the status button located on the bottom of your battery. The five LED lights will initially display your battery’s current charge (five lights is charged, zero lights is discharged), and if you continue pressing the status button for three seconds the lights will blink off and back on again, now displaying the health of your battery. If zero lights appear your battery is operating at greater than 80% of its specified capacity, if five lights appear your battery is operating at less than 60% of its specified capacity. This information was pulled from the D620 User Guide.
• If you enter the system BIOS by pressing “F2″ during the Dell logo while booting, there is a “Battery Health” option under the “Sytem” menu which gives a qualitative assessment of battery health.
• The power manager under FC6 tracks the maximum capacity of your battery at its last full charge and generates a health percentage based on the factory spec charge for your battery. To view this information, right-click the battery meter in your gnome panel, select “Information”, and expand the “More” area of the “Device Information” panel.
• If you kept your initial Windows XP install, there is a battery health meter under the Dell Quickset applet in the lower right hand corner of the screen that gives the same information that is available through the system BIOS.

Obtaining a Replacement Battery

Of course, you always have the option of purchasing a replacement battery from Dell (9-cell or 6-cell), or simply living with degraded battery life. There are some circumstances where you may be able to obtain a replacement under warranty, though. If the BIOS/Quickset health gauges are showing the battery as failed even though it’s less than a year old, Dell will replace it under warranty. According to the phone rep that I spoke to, a battery is considered to have failed when operating at less than 50% of its rated capacity. When I called, my battery was five months old and operating at 50%-60% of it’s capacity (5 death lights, BIOS noted lowered battery life but did not pronounce failure, FC6 power manager rated health at 56%, observed battery life was 50%-60% of expected). I was able to successfully make the case that the battery was clearly borderline and would certainly be replaced within a month or two, and that doing so now was an opportunity to provide excellent customer service whereas forcing me to wait would serve no purpose other than irritating me. To his credit, the phone rep immediately acknowledged that my line of thinking was reasonable, spoke to a supervisor, and was able to authorize the early replacement.

Conclusion

I love my laptop, and in general I’m very happy with it. It does look like there’s a trend toward premature battery failure, though, and if your situation is severe enough you may be eligible for a warranty replacement. Once you’re replacement arrives, go read about how to monitor and optimize battery performance.

Dawid Lorenz already has a very comprehensive set of notes on running Fedora Core 6 on the Dell Latitude D620, but I’m going to drop in my two cents as well for variety’s sake.

FC6 works quite well on the D620 right out of the box, and with a few tweaks can be just about fully supported. This guide summarizes what I’ve done to get things working to my satisfaction. It is not a step by step howto, but does attempt to link to more detailed resources when they are available. The table below shows at a glance what is and isn’t working well on my system. Green items worked immediately after install without manual intervention, yellow items were made fully functional after some manual configuration, red items have significant unsolved issues associated with them.

Output of lspci

Useful Links

• Fedora Core 6 on the D620
• My previous guide to Fedora Core 5 on the D620
• Linux on Laptops page for Dells (search the page for 620)
• Debian on the D620
• Fedora Core 5 on the D620
• Another guide to Fedora Core 5 on the D620

Although my study schedule was 4 months, my intensity level for the second and third month varied a lot. I also spent a lot of time doing cover-to-cover reading, which in retrospect isn’t a terribly efficient way to approach an exam with this much breadth. I kind of wish I had done more practice tests early in my study process so I could have spent more time on weak areas and less time agonizing over the subtleties of topics that I already fundamentally understood.

Most folks use a number of study resources, and I was no exception:

• I started with Shon Harris’ CISSP All in One Exam Guide. Like most Osbourne books, it’s a little bit chatty, has some laughably bad diagrams, and more than it’s share of ambiguities, errors, and bad practice questions. Even still it’s a pretty good book, especially if you need to bootstrap yourself a bit before you feel prepared for the more no-nonsense books.
• Once I felt comfortable with Harris, I started working through the Hansche/Berti/Hare Official (ISC)² Guide to the CISSP Exam, published by Auerbach. Although dry, I think it’s important to work with this book. Because of the strict confidentiality requirements surrounding the test it’s hard to get reliable information about which topics are emphasized, what the editorial style of the questions is like, and how to disambiguate words that may have a number of meanings depending on what part of the industry you work in but which are used in a specific and consistent way by (ISC)². I found that I simply absorbed a lot of useful information about the (ISC)² writing style when reading this book that gave me a tangible edge in the exam room. Plus it’s generally well done and has the best practice questions I was able to find. The worst thing I can say about it is that the CBK sections at the end of each chapter are fantastically vague, needlessly scary, and completely useless. They’re easy to ignore, though, and that’s what I recommend doing with them.
• Cccure.org is an excellent resource for free practice questions. Quality does vary, but at the high end is very good and on average is pretty ok.
• I also bought a set of Boson practice questions and was extremely disappointed, to the point of not even using most of them. Some of the highlights of my Boson experience were:
  1. A fill in the blank question with a nine word answer that needed to be typed exactly to be graded correctly. The answer was obviously not a standard phrase worth memorizing, and the CISSP exam is entirely multiple choice.
  2. A “multiple-choice question” that offered only one answer option… er… I mean… I “single-choice question”… or… um… would that just be a statement?
  3. An email conversation with a Boson support rep that took three rounds of explanation before understanding why a multiple-choice question with no alternate options is defective, and who offered to take no corrective action other than passing the complaint up the chain.
• I did a lot of Googling to fill in gaps on topics I wasn’t familiar with.

If you’re thinking of becoming a CISSP, have a look at the professional experience requirements to make sure you qualify and look through the FAQ. Cccure.org also provides an introduction to the process as a flash video tutorial which brings a lot of public information into one place where it’s easy to digest.

FC5 can be made to work fairly well on the D620, but many things require tweaking to work properly. This guide summarizes what can be made to work and how. It is not a step by step howto, but does attempt to link to more detailed resources when they are available. The table below shows at a glance what is and isn’t working well on my system. Green items worked immediately after install without manual intervention, yellow items were made fully functional after some manual configuration, red items have significant unsolved issues associated with them (it’s worth noting that essentially all of my issues with the laptop stem from the use of a Broadcom wireless card, it’s a very well supported system when paired with the Intel wireless option).

Output of lspci

Useful Links

• Linux on Laptops page for Dells (search the page for 620)
• Debian on the D620
• Fedora Core 5 on the D620
• Another guide to Fedora Core 5 on the D620
• My guide to Fedora Core 6 on the D620
• Another guide to Fedora Core 6 on the D620

The project was displayed in a group exhibit at the 2006 Venice Biennale, and is also featured in this month’s edition of

• Dwell Magazine, which published an article in June of 2007
• Allegedly NBC planned some coverage, but I’m not sure if it was ever released
• The New York Times, who published an article in November of 2006
• AIA, who awarded the project an AIA New York State Design Award in September of 2006

• Parsons site for the Design Workshop
• Announcement of 2006 exhibition
• Announcement of exhibit at the Biennale
• 2005 Retrospective announcement
• Writeup of the 2005 project
• Writeup of the 2004 project
• Writeup of the 2003 project

• Comments now render properly in IE6. This is a moderately severe bug.
• Posts with complex HTML tags now display properly in the category archives.
• All theme variants are now validating again (thanks for the patch Brian).
• The comments link now correctly links to the comment form when a post has no existing comments.

By now, you know the drill: Download the one-column layout, the two-column layout, the new three-column layout, or the image sources (which haven’t changed since 0.10.0) in Gimp XCF format. Read the project page for the latest downloads and more information.