There are a number of excellent guides to setting up public key
authentication for ssh, but they tend to stop short of describing how
to integrate presence events like a screensaver turning on. It’s a
topic that isn’t possible to cover in a generic way, since it depends
heavily on your operating system, distribution, desktop environment,
and preferred shell. I present here the information I’ve pulled
together to get things running under Linux, specifically Fedora 8 with
Gnome and Bash.
First off, if you’re not already quite familiar with public key
authentication, go read the three part IBM developerWorks series on
the topic (parts 1, 2 and 3), which is the best primer I’ve found. I’m
using public key authentication with encrypted keys, am caching my
credentials with ssh-agent, and am using keychain as my interface to
ssh-agent. My primary goal was to automatically run keychain --clear
to clear my credentials any time I left my system unattended. I also
outline how to run keychain ~/.ssh/id_rsa when you return to your
system (or whenever you open a shell) in order to reload your ssh key.
Login
When I log in to my system, keychain runs and does some housekeeping.
It starts an ssh-agent process if one isn’t already running and
prompts for the passwords to my ssh keys if they aren’t already
loaded, or if all that has already been done it just reports its
status and exits. The following lines can be placed in ~/.bash_profile
which is executed when you log into your system (via remote ssh
session, text console, and oddly enough gnome executes bash_profile on
login as well).
if [ "$PS1" ]; then
    # Start ssh-agent if none is running and load the key, prompting
    # for its passphrase if it isn't already cached
    /usr/bin/keychain ~/.ssh/id_rsa
    # Import SSH_AUTH_SOCK/SSH_AGENT_PID into this shell; keychain
    # writes them to ~/.keychain/<hostname>-sh
    source ~/.keychain/"$HOSTNAME"-sh
fi
The “if” statement ensures that keychain is only run for interactive
shells. Because keychain generates output on execution it can confuse
some programs that run non-interactively, notably sftp breaks if you
don’t do this.
New Shell
I actually like keychain to run every time I start a new shell, not
just when I first log in. This means that I can clear my credentials
manually if I won’t be using ssh for a while and when I open a fresh
terminal window (or “window” in a screen session, or whatever)
keychain automatically prompts me for my password. This can be done
by placing the same lines from above in ~/.bashrc instead of
bash_profile (bashrc is executed from bash_profile, so you only need
one or the other).
Screensaver
When my screensaver turns on, it’s an indication that I’m away from my
desk and that my credentials should be cleared. To my knowledge,
gnome-screensaver does not provide per-user screensaver-on and
screensaver-off scripts where you can easily add these sorts of things
(it should, if you ask me). It does, however, emit a DBUS signal that
you can listen for and act on. I found some folks using python scripts
to handle similar needs and adapted them for my purpose, others have
done similar things with bash script. Once you’ve customized your D-Bus
signal listener script, add it to your default gnome session using
System -> Preferences -> Personal -> Sessions so that it’s
automatically started when you log in.
#!/usr/bin/python
import os

import dbus
from dbus.mainloop.glib import DBusGMainLoop
import gobject


def clear_keychain(state):
    """Called when gnome-screensaver emits SessionIdleChanged.

    state is True when the session has gone idle (screensaver on)
    and False when it becomes active again (screensaver off).
    """
    # Clear ssh keys from ssh-agent when the screensaver turns on
    if state:
        os.system('/usr/bin/keychain --clear')
    # Uncomment to reload ssh keys when the screensaver turns off;
    # keychain will prompt for the passphrase
    # else:
    #     os.system('/usr/bin/keychain ~/.ssh/id_rsa')


# Connect to the gnome session bus, using the GLib main loop so that
# signals are actually delivered to our handler
DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()

# Listen for SessionIdleChanged signals from gnome-screensaver
bus.add_signal_receiver(clear_keychain,
                        signal_name='SessionIdleChanged',
                        dbus_interface='org.gnome.ScreenSaver')

loop = gobject.MainLoop()
loop.run()
Logout
Logging out of the system (whether from a remote ssh session, a local
text console, or a graphical gnome session) is an indication that my
workstation is going to be idle for a while and that my credentials
should be cleared. This can be (mostly) accomplished by making an
addition to ~/.bash_logout. This file is run any time a non-gnome
login shell exits, like a remote ssh session or a local text console
session (but not terminal windows in gnome, screen windows, or other
non-login shells):
/usr/bin/keychain --clear
For some utterly insane reason, gnome doesn’t execute bash_logout even
though it does execute bash_profile on login, and it doesn’t
provide a sane alternative. The only method I’m aware of for running
a script on gnome-logout involves xsession hackery, but I’ve punted on
this issue since I rarely exit my gnome session. If you find an
elegant solution, leave a comment.
Other SSH Tips
- SSH Aliases: This is somewhat off-topic for this article, but
is such a great timesaver that it bears a quick mention in any
article about ssh. You can define short names for hosts you ssh to
often in ~/.ssh/config.
- Clearing Credentials At Login: An alternative to all of this,
and one of the strategies suggested in the developerWorks series,
is to start keychain with the --clear option in .bash_profile or
wherever you call it from. The assumption is that by clearing
your credentials on login instead of logout, you can stay
authenticated all the time (and gain the benefit of being able to
run cron scripts) but an attacker will lose access to your
credentials the moment they log in to your account, since their
login clears the agent. It’s an interesting strategy, but not one
I’m entirely comfortable with. I prefer to clear my credentials
when they’re not being used, and designate special-purpose keys
with appropriate constraints for cron jobs.
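As an added example (not part of the original post), the shell functions below build the kind of constrained authorized_keys entry a cron-only key should get, audit an authorized_keys file for keys that lack such constraints, and emit a ~/.ssh/config alias stanza for the SSH Aliases tip. The public key, command path, address range and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a single-purpose cron key
# should be locked down in the remote account's authorized_keys so that,
# if it leaks, it can only do the one job it was created for. Generate it
# without a passphrase, since cron has nobody to type one:
#   ssh-keygen -t ed25519 -N '' -C cron-backup -f ~/.ssh/id_cron_backup
# The public key below is a constructed placeholder, not a real key.
CRON_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholder cron-backup'

# restricted_authorized_key PUBKEY COMMAND FROM_PATTERN
# Prints one authorized_keys line:
#   from=     the key is only accepted from these source addresses
#   command=  the server runs this command regardless of what the client asks for
#   no-*      no port/agent/X11 forwarding and no PTY, so the key cannot be
#             turned into an interactive shell or a tunnel
restricted_authorized_key() {
    pubkey=$1
    cmd=$2
    from=$3
    # Keep only the "type base64" fields, dropping any trailing comment
    set -- $pubkey
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s\n' \
        "$from" "$cmd" "$1" "$2"
}

# count_unrestricted FILE
# Audits an authorized_keys file: reports (on stderr) every key that is not
# pinned to a command, i.e. would grant a full login to whoever holds it,
# and prints the number of such keys on stdout.
count_unrestricted() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)    continue ;;   # blank line or comment
            *command=*) continue ;;   # pinned to a command: fine
        esac
        printf 'unrestricted: %s\n' "$line" >&2
        n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# ssh_config_alias ALIAS HOSTNAME USER KEYFILE
# Prints a ~/.ssh/config stanza. IdentitiesOnly makes ssh offer only the
# listed key to this host instead of every key the agent holds, which also
# avoids "Too many authentication failures" when several keys are loaded.
ssh_config_alias() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Usage (hostnames and addresses are made up):
#   restricted_authorized_key "$CRON_PUBKEY" /usr/local/bin/backup-pull 10.0.0.0/8 >> ~/.ssh/authorized_keys
#   count_unrestricted ~/.ssh/authorized_keys
#   ssh_config_alias backup backup01.example.org cron ~/.ssh/id_cron_backup >> ~/.ssh/config
```

The audit treats any entry without a command= option as unrestricted; a key that is only meant to run one job should never appear in that list.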
Conclusion
With the tips in the developerWorks series, and the information in
this article, you can have an incredibly convenient ssh key management
setup while you’re using your computer and know that your credentials
will be automatically cleared when you’re away from your system.
Following on the heels of my CISSP certification, I’m going to be
joining the Security Services group at NYU in May as a Senior Network
Security Analyst. Security Services is charged with protecting the
entire NYU network, which provides connectivity to around 40,000
nodes.
I’m incredibly excited about the move. Since my partner lives in New
York, I’ve been job hunting there for almost a year and half and I’ve
found that it’s a very competitive market. I needed to do a lot of
professional development in order to be considered seriously for the
positions I wanted, and this was the most interesting position I saw
or applied for in my entire search. To have been hired into it is just
fantastic.
So anyhoo… I’ll be selling or giving away most of my stuff this
month so Laura, Kip, and I can fit into an apartment the size of a
shoebox. Have a gander if you need anything.
Dawid Lorenz, myself, and a number of other folks (read the comments
on Dawid’s page, and also on the product pages for the D620 batteries)
have all experienced poor battery life on Dell Latitude D620s that are
typically less than six months old. There may or may not be a high
failure rate for this battery model, and this page details my
experiences in diagnosing the health of my battery and obtaining a
replacement under warranty.
Determining Battery Health
There are several methods of determining your battery’s capacity
relative to its initial specification (aka “health”).
- Press and hold the status button located on the bottom of your
battery. The five LED lights will initially display your
battery’s current charge (five lights is charged, zero lights is
discharged), and if you continue pressing the status button for
three seconds the lights will blink off and back on again, now
displaying the health of your battery. If zero lights appear your
battery is operating at greater than 80% of its specified
capacity, if five lights appear your battery is operating at less
than 60% of its specified capacity. This information was pulled
from the D620 User Guide.
- If you enter the system BIOS by pressing “F2” during the Dell logo
while booting, there is a “Battery Health” option under the
“System” menu which gives a qualitative assessment of battery
health.
- The power manager under FC6 tracks the maximum capacity of your
battery at its last full charge and generates a health percentage
based on the factory spec charge for your battery. To view this
information, right-click the battery meter in your gnome panel,
select “Information”, and expand the “More” area of the “Device
Information” panel.
- If you kept your initial Windows XP install, there is a battery
health meter under the Dell Quickset applet in the lower right
hand corner of the screen that gives the same information that is
available through the system BIOS.
Obtaining a Replacement Battery
Of course, you always have the option of purchasing a replacement
battery from Dell
(9-cell or
6-cell),
or simply living with degraded battery life. There are some
circumstances where you may be able to obtain a replacement under
warranty, though. If the BIOS/Quickset health gauges are showing the
battery as failed even though it’s less than a year old, Dell will
replace it under warranty. According to the phone rep that I spoke
to, a battery is considered to have failed when operating at less than
50% of its rated capacity. When I called, my battery was five months
old and operating at 50%-60% of its capacity (5 death lights, BIOS
noted lowered battery life but did not pronounce failure, FC6 power
manager rated health at 56%, observed battery life was 50%-60% of
expected). I was able to successfully make the case that the battery
was clearly borderline and would certainly be replaced within a month
or two, and that doing so now was an opportunity to provide excellent
customer service whereas forcing me to wait would serve no purpose
other than irritating me. To his credit, the phone rep immediately
acknowledged that my line of thinking was reasonable, spoke to a
supervisor, and was able to authorize the early replacement.
Conclusion
I love my laptop, and in general I’m very happy with it. It does look
like there’s a trend toward premature battery failure, though, and if
your situation is severe enough you may be eligible for a warranty
replacement. Once your replacement arrives, go read about how to
monitor and optimize battery performance.
Dawid Lorenz already has a very comprehensive set of notes on running
Fedora Core 6 on the Dell Latitude D620, but I’m going to drop in my
two cents as well for variety’s sake.
FC6 works quite well on the D620 right out of the box, and with a few
tweaks can be just about fully supported. This guide summarizes what
I’ve done to get things working to my satisfaction. It is not a step
by step howto, but does attempt to link to more detailed resources
when they are available. The list below shows at a glance what is and
isn’t working well on my system. Most items worked immediately after
install without manual intervention, italic items were made fully
functional after some manual configuration, and bold items have
significant unsolved issues associated with them.
- Dual-core Processor: Both cores are detected on the 2.17GHz Intel
Core Duo processor, the 32bit i686 smp kernel is installed and
just works. Dynamic CPU frequency scaling works well and if you
wish to monitor/change the scaling behavior there’s a gnome panel
applet to do so.
- USB: Works, no config needed.
- PCMCIA Slot: Works, no config needed.
- Touchpad/Track Stick: Works, no config needed.
Install gsynaptics from
Extras if you want to customize the trackpad behavior, or
copy/modify Dawid’s xorg.config settings (search for “touchpad”).
- Suspend to Ram: Works with kernel 2.6.18-1.2869, wireless
networking needs to be restarted on wakeup and you need to nudge
the volume control to wake up the soundcard.
- Hibernate to Disk: Doesn’t work, system hangs during
hibernation and needs a hard reset. This worked in Fedora Core 5,
so I imagine it will get fixed again relatively soon.
- Ethernet: Works, no config needed.
- Wireless Networking: Install dkms-ipw3945, ipw3945d and
ipw3945-firmware from freshrpms, install the kernel-devel package
for your kernel, and reboot. Once you’re configured, don’t forget
to enable the network manager applet so you don’t have to iwconfig
from the terminal all the time. The Intel 3945 has much better linux
support than the awful Broadcom 4310 in the Dell Truemobile 1390 that
was previously installed in this laptop.
- Bluetooth: Works, no config needed.
- 2D Video: Works, no config needed.
- 3D Acceleration: The NVidia Quadro 110M works well after
installing nvidia-x11-drv from freshrpms. Don’t forget to install
kernel-devel for your kernel version and reboot. Battery life drops
by about 40% while running the NVidia driver, even if you’re not
doing 3D work. (Update: I had a bad battery.)
- External Monitor: If all you want is to switch to the external
output instead of the internal LCD, you can do so easily right out
of the box. Use the screen resolution control panel to set your
resolution, and Fn-F8 to toggle between the displays. If you
choose to install the NVidia driver, it includes a simple dialog
for setting up multimonitor support using TwinView. TwinView
isn’t perfect, windows maximize dumbly (across both displays) and
if the resolutions of the two monitors are mismatched there’s an
area where it’s possible to move the mouse and place windows that
doesn’t show up in any monitor. All in all, it’s a bit lame but
does get the job done in a pinch.
- CD/DVD Burning: Works out of the box, but this tweak substantially
improves burn speed and system responsiveness while burning.
- Sound Playback: Works, no config needed.
- Sound Recording: Works, no config needed. If you’re not getting
recorded sound, check the Volume Control app to make sure that
capture is enabled and the recording level isn’t way down.
- Volume Keys: Go into System -> Preferences -> Keyboard
shortcuts and assign the multimedia keys to vol down/up/mute (or
whatever you want them to do).
- Radio On/Off Switch: Works fine, and has a noticeable effect on
battery life. You may need to “up” the interface with the
connection manager of your choice if you enable the radio while
the system is running.
- ACPI Power Management: All the power management features work (fan
speed autoadjusts, cpu frequency scaling works, there’s a gnome
applet to easily control it), but battery life is inexplicably poor.
Under FC5, my battery life was over 4 hours with a 9-cell battery,
wifi/bt off, backlight dimmed, and cpu locked to 1GHz. After
migrating to FC6, battery life is less than 3 hours and the laptop
runs noticeably warmer when performing routine tasks. (Update: I had
a bad battery.)
- Fingerprint Reader: Untested.
- Modem: Untested.
Output of lspci
00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express PCI Express Root Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controller IDE (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 110M / GeForce Go 7300 (rev a1)
03:01.0 CardBus bridge: O2 Micro, Inc. OZ601/6912/711E0 CardBus/SmartCardBus Controller (rev 40)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)
Useful Links
As of Thursday I’ve fulfilled all the requirements
for CISSP certification, my papers
should be in the mail by Monday. I haven’t wanted to talk about it
online until I had some firm results, but folks who know me in
meatspace know I’ve been studying on and off since August. I’m a
little more amped about this credential because they’re not handed
out like party-favors and people who have them seem to be doing
interesting things.
Although my study schedule was 4 months, my intensity level for the
second and third month varied a lot. I also spent a lot of time doing
cover-to-cover reading, which in retrospect isn’t a terribly efficient
way to approach an exam with this much breadth. I kind of wish I had
done more practice tests early in my study process so I could have
spent more time on weak areas and less time agonizing over the
subtleties of topics that I already fundamentally understood.
Most folks use a number of study resources, and I was no exception:
- I started with Shon Harris’ CISSP All in One Exam Guide. Like most
Osborne books, it’s a little bit chatty, has some laughably bad
diagrams, and more than its share of ambiguities, errors, and bad
practice questions. Even still it’s a pretty good book, especially if
you need to bootstrap yourself a bit before you feel prepared for the
more no-nonsense books.
- Once I felt comfortable with Harris, I started working through the
Hansche/Berti/Hare Official (ISC)2 Guide to the CISSP Exam, published
by Auerbach. Although dry, I think it’s important to
work with this book. Because of the strict confidentiality
requirements surrounding the test it’s hard to get reliable
information about which topics are emphasized, what the editorial
style of the questions is like, and how to disambiguate words that
may have a number of meanings depending on what part of the
industry you work in but which are used in a specific and
consistent way by (ISC)2. I found that I simply absorbed a lot of
useful information about the (ISC)2 writing style when reading
this book that gave me a tangible edge in the exam room. Plus
it’s generally well done and has the best practice questions I was
able to find. The worst thing I can say about it is that the CBK
sections at the end of each chapter are fantastically vague,
needlessly scary, and completely useless. They’re easy to ignore,
though, and that’s what I recommend doing with them.
- Cccure.org is an excellent resource for free
practice questions. Quality does vary, but at the high end is
very good and on average is pretty ok.
- I also bought a set of Boson practice questions and was extremely
disappointed, to the point of not even using most of them. Some of
the highlights of my Boson experience were:
- A fill in the blank question with a nine word answer that
needed to be typed exactly to be graded correctly. The answer
was obviously not a standard phrase worth memorizing, and the
CISSP exam is entirely multiple choice.
- A multiple-choice question that offered only one answer
option… er… I mean… a single-choice
question… or… um… would that just be a statement?
- An email conversation with a Boson support rep that took three
rounds of explanation before understanding why a
multiple-choice question with no alternate options is
defective, and who offered to take no corrective action other
than passing the complaint up the chain.
- I did a lot of Googling to fill in gaps on topics I wasn’t familiar with.
If you’re thinking of becoming a CISSP, have a look at the flash video
introduction on cccure.org.
Instructions for getting Fedora Core 5 humming on the Dell Latitude
D620 probably fall into the category of better late than never at this
point. Since FC6 was recently released, this post will primarily serve
as a comparison against a future (and more timely) guide for FC6 on
the D620.
FC5 can be made to work fairly well on the D620, but many things
require tweaking to work properly. This guide summarizes what can be
made to work and how. It is not a step by step howto, but does attempt
to link to more detailed resources when they are available. Most items
worked without any manual configuration, those that required some
tweaking to be fully functional are in italics, and issues that
couldn’t be resolved are in bold. It’s worth noting that essentially
all of my issues with the laptop stem from the use of a Broadcom
wireless card, it’s a very well supported system when paired with the
Intel wireless option.
- Dual-core Processor: Both cores are detected on the 2.17GHz Intel
Core Duo processor, the 32bit i686 smp kernel is installed and
just works.
- USB: Works, no config needed.
- PCMCIA Slot: Works, no config needed.
- Touchpad/Track Stick: Works, no config
needed. Install gsynaptics
from Extras if you want to customize the trackpad behavior.
- Suspend to Ram: Works after updating kernel to 2.6.18-1.2200.fc5smp.
- Suspend to Disk: Works after updating kernel to 2.6.18-1.2200.fc5smp.
- Ethernet: Works, no config needed.
- Wireless Networking: Works with ndiswrapper, but conflicts
with 3D acceleration (see the 3D section for details). I
accidentally purchased the Dell Truemobile 1390 wireless card
option, which is based on the awful Broadcom BCM4310. You should
order the Intel wireless option instead, but if you already have
an icky Broadcom it can be made to work using ndiswrapper. Follow
the standard installation instructions using the r115321.exe driver
available from Dell. Once you’re configured, don’t forget to enable
the network manager applet so you don’t have to iwconfig from the
terminal all the time.
- 2D Video: The native display resolution is incorrectly detected,
add the correct modeline to xorg.conf to fix (ignore the
915resolution stuff if you have an NVidia card like me). (Update
2010-10-18: The link with the modeline instructions is now dead)
- 3D Acceleration: The NVidia Quadro 110M works well after
installing NVidia drivers from livna, but causes the Broadcom
wireless card to stop working reliably. I’m not aware of a
workaround other than to use the open source nv driver which
doesn’t offer 3D acceleration (or to purchase the Intel wireless
option, which doesn’t suffer from the issue). Track progress on the
issue here.
- External Monitor: If you don’t use the NVidia driver, hooking up
to the VGA out is painful. Changing to a standard (non-wide)
resolution and back again requires editing xorg.conf (some update,
not sure which, added the correct resolution to the screen-res
dialog so changing resolutions isn’t that painful anymore),
there’s no proper resolution scaling, and no graphical interface
for configuring dual-head.
- CD/DVD Burning: Works out of the box, but this tweak substantially
improves burn speed and system responsiveness while burning.
- Sound Playback: The audio drivers for the Intel High Definition
Audio devices used in this system had problems in the initial
release of FC5, but it should work fine after a yum update.
- Sound Recording: Works after updating. If you’re not getting
recorded sound, look in the preferences for the Volume Control
app, make sure that “capture” is enabled and the recording level
isn’t way down.
- Volume Keys: Go into System -> Preferences -> Keyboard
shortcuts and assign the multimedia keys to vol down/up/mute (or
whatever you want them to do).
- Radio On/Off Switch: Works fine, and has a noticeable effect on
battery life. You may need to “up” the interface with the
connection manager of your choice if you enable the radio while
the system is running.
- Fingerprint Reader: Untested.
- Bluetooth: Untested.
- Modem: Untested.
- ACPI Power Management: Auto fan speed and cpu frequency scaling
work without configuration. Right-click the top gnome panel (the
bar with the applications menu and the clock) and add the cpu
frequency scaling monitor if you want some feedback and control
over frequency scaling (which definitely affects battery life and
laptop temperature during use).
Output of lspci
00:00.0 Host bridge: Intel Corporation Mobile Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile PCI Express Graphics Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controllers cc=IDE (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
01:00.0 VGA compatible controller: nVidia Corporation Unknown device 01d7 (rev a1)
03:01.0 CardBus bridge: O2 Micro, Inc. OZ601/6912/711E0 CardBus/SmartCardBus Controller (rev 40)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Broadcom Corporation BCM4310 UART (rev 01)
Useful Links