News aggregator

Debian Bits: Debian 7 Wheezy LTS now supporting armel and armhf

Planet HantsLUG - Thu, 02/06/2016 - 07:00

Debian Long Term Support (LTS) is a project created to extend the life of all Debian stable releases to (at least) 5 years.

Thanks to the LTS sponsors, Debian's buildd maintainers and the Debian FTP Team are excited to announce that two new architectures, armel and armhf, are going to be supported in Debian 7 Wheezy LTS. These architectures along with i386 and amd64 will receive two additional years of extended security support.

Security updates for Debian LTS are not handled by the native Debian Security Team, but instead by a separate group of volunteers and companies interested in making it a success.

Wheezy's LTS period started a few weeks ago and more than thirty updates have been announced so far. If you use Debian 7 Wheezy, you do not need to change anything in your system to start receiving those updates.

More information about how to use Debian Long Term Support and other important changes regarding Wheezy LTS is available at https://wiki.debian.org/LTS/Using

Categories: LUG Community Blogs

Facebook app now self-defeating

Planet SurreyLUG - Wed, 01/06/2016 - 14:57

Since Facebook introduced the data-harvesting ‘Continuously Upload Contacts’ feature in settings, a change has occurred in the background (the Facebook API, for those inclined..) which prevents you downloading your friend list via a trusted 3rd party app.

In addition, the Facebook app itself no longer supports the older style ‘contact sync’ properly (or at all) on both Android and iOS.

In addition (and YMMV), the calendar sync no longer seems to work either. There is a workaround you can follow (link beneath), to create a Google calendar which syncs your Facebook contacts’ birthdays – and this is the primary reason for my post.

I used to rely on the app syncing calendar events to my phone, so that I could see at a glance whose birthday it is and send them my best wishes, but I’ve missed a few recently and now I know why.

I’m starting to wonder what benefit the native Android/iOS app is these days, versus good old mobile website access. I’m going to ditch the FB app on Android and start using ‘Tinfoil for Facebook’ instead, which looks and feels very similar but does away with the bloated spyware that the official app has become.

How to Create a Contact Birthday Calendar:
http://www.stechguide.com/how-to-sync-facebook-birthdays-with-google-calendar/

Tinfoil for Facebook:
https://play.google.com/store/apps/details?id=com.danvelazco.fbwrapper&hl=en_GB

iOS users can always ‘Save to Homescreen’ from mobile Safari when visiting facebook.com.

The post Facebook app now self-defeating appeared first on life at warp.

Categories: LUG Community Blogs

Chris Lamb: Free software activities in May 2016

Planet ALUG - Tue, 31/05/2016 - 21:49

Here is my monthly update covering a large part of what I have been doing in the free software world (previously):

  • Modified LetsEncrypt's "certbot" tool (previously the Let's Encrypt Client) to ensure that the documentation is built reproducibly. The issue was that a Python default keyword argument was non-deterministic and was appearing in documentation with the function's definition. (#3005)
  • Sent a pull request to Mailvelope, a browser extension for GPG/OpenPGP encryption with webmail services, to ensure that the passphrase field is cleared when entered incorrectly. (#385)
  • Proposed an optional addition to django-enumfield, a custom Django web development field for type-safe named constants, that automatically adds enumerations to the template context to save DRY violations in views, etc. (#33)
  • Fixed an issue in the cdist configuration management's build system to ensure that the documentation builds reproducibly. It was previously including various documentation sections non-deterministically depending on the filesystem ordering. (#437)
  • Various improvements to django-slack, my library to easily post messages to the Slack group-messaging utility from projects using the Django web development framework:
    • Raise more specific exception types (instead of the more generic ValueError) wherever possible so that clients can detect specific error conditions. (#45)
    • Pass through arbitrary Python keyword arguments to the backend, allowing custom behaviour for special cases. (#46)
    • Ensure that the backend result is returned by the Celery distributed task queue wrapper. (#47)
  • Updated my Strava Enhancement Suite, a Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker, to hide more internal advertisements. (#49)
  • Sent a pull request to the build system for gtk-gnutella (a server/client for the Gnutella peer-to-peer network) to ensure the build is reproducible if the SOURCE_DATE_EPOCH environment variable is available. (#17)
  • Updated the SSL certificate for try.diffoscope.org, a hosted version of the diffoscope in-depth and content-aware diff utility. Thanks to Bytemark for sponsoring the hardware.

Debian

My work in the Reproducible Builds project was covered in our weekly reports. (#53, #54, #55, #56 & #57)

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

  • A week of "frontdesk" duties, triaging CVEs, assigning tasks, etc.
  • Issued DLA 464-1 for libav, a multimedia player, server, encoder and transcoder library that fixed a use-after-free vulnerability.
  • Issued DLA 469-1 for libgwenhywfar (an OS abstraction layer that allows porting of software to different operating systems like Linux, *BSD, Windows, etc.) correcting the use of an outdated CA certificate bundle.
  • Issued DLA 470-1 for libksba, an X.509 and CMS certificate support library, patching a buffer vulnerability.
  • Issued DLA 474-1 for dosfstools, a collection of utilities for making and checking MS-DOS FAT filesystems, fixing an invalid memory and heap overflow vulnerability.
  • Issued DLA 482-1 for the libgd2 graphics library, rectifying a stack consumption vulnerability.

Uploads
  • python-django (1.9.6-1) — New upstream bugfix release.
  • redis (3.2.0-1, etc.) — New upstream release, correct build on more exotic architectures and minor packaging fixups.
  • gunicorn (19.5.0-1 & 19.6.0-1) — New upstream releases and minor packaging fixups.
Bugs filed Patches contributed RC bugs

I also filed 74 FTBFS bugs against abtransfers, asedriveiiie, assword, astroquery, audit, bibtool, cargo, ccdproc, clearsilver, discover, emoslib, etsf-io, gfs2-utils, globus-io, gnunet, graxxia, groovycsv, gtkspell3, hg-git, hgsubversion, ices2, jekyll, jhighlight, libdist-zilla-plugin-ourpkgversion-perl, libetonyek, libgd-perl, libgnomekbd, libimager-perl, libint2, libnet-dns-zonefile-fast-perl, libnl3, libspring-java, libtkx-perl, ltt-control, lua-discount, lua-lgi, metview, montage-wrapper, networkmanager-qt, nevow, ngrok, obex-data-server, octave-interval, omnievents, pcl, php-arc, php-codecoverage, proguard, pyexcelerator, python-autobahn, python-babel, python-biopython, python-mne, python-pgmagick, python-shotgun, python-snuggs, python-urllib3, python-xdo, qemu, radicale, raptor2, rjava, ruby-albino, scamper, simpleparse, spectral-cube, specutils, sugar-browse-activity, sugar-memorize-activity, swift, telepathy-haze, telepathy-ring, unicap & vorbis-tools.

Categories: LUG Community Blogs

Wayne Stallwood (DrJeep): UPS for Octopi or Octoprint

Planet ALUG - Mon, 30/05/2016 - 21:13
So it only took one mid print power cut to realise I need a UPS for my 3D printer.

It's even worse for a machine like mine with an E3D all-metal head, as it requires active cooling to stop damage to the head mount or prevent a right mess of molten filament inside the heatbreak.

See below for instructions on setting up an APC UPS so that it can send a command to octopi to abort the print and start cooling the head before the batteries in the UPS are exhausted.

I used an APC BackUPS Pro 550, which seems to be about the minimum spec I can get away with. On my printer this gives me approximately 5 minutes of print time without power, or 40 minutes of the printer powered but idle. Other UPSes would work, but APC is the only type tested with these instructions.

Test this thoroughly and make sure you have enough runtime to cool the head before the batteries are exhausted. The only way to do this properly is to set up a test print and pull the power.

Once you have installed the power leads to and from the UPS and got the printer powered through it (not forgetting the RPi or whatever you have running OctoPrint also needs power; mine is powered via the printer PSU), you need to install apcupsd. It's in the default repo for Raspbian, so just install it with apt.

sudo apt-get install apcupsd

Now we need to tweak apcupsd's configuration a bit

Edit the apcupsd configuration as follows, you can find it at /etc/apcupsd/apcupsd.conf, just use your favourite editor.

Find and change the following lines

UPSCABLE smart

UPSTYPE usb

DEVICE (this should be blank)

BATTERYLEVEL 50

MINUTES 5

You might need to tweak BATTERYLEVEL and MINUTES for your printer and UPS. This is the percentage of power left before the shutdown will trigger or the minutes of runtime, whichever one happens first.

Remember this is minutes as calculated whilst the printer is still running. Once the print is stopped the runtime will be longer as the heaters will be off, so setting 5 minutes here would in my case give me 20 minutes of runtime once the print has aborted for the hot-end to cool.

Plug the USB cable from the UPS into a spare port on the Rpi

Now activate the service by editing /etc/default/apcupsd and changing the following line

ISCONFIGURED=yes

Now start the service, it will start by itself on the next boot

sudo service apcupsd start

If all is well, typing apcaccess at the prompt should get you some stats from the UPS, battery level etc.

If that's all good then apcupsd is configured, now for the script that aborts your print

First go into the octoprint settings from the web interface, make sure API access is turned on and record the API key carefully

Back on the rpi go to the home directory

cd ~

Now download my custom shutdown script with wget

wget http://www.digimatic.co.uk/media/doshutdown
sudo cp doshutdown /etc/apcupsd
cd /etc/apcupsd

Set the permissions so the script can run

sudo chmod 755 doshutdown

Don't be tempted to rename the file, leave it as this name

Now edit the script and change the variable at the top API_KEY to the API key you got from your copy of octoprint earlier

That should be it, the script does 3 things when the power fails and the battery goes below one of the trigger points

  • Prints a warning on the printer's LCD screen
  • Records the current printer status and print file position to a file in /home/pi, so that maybe you can work out how to slice the remainder of the model and save the print
  • Aborts the print

This hasn't had a massive amount of testing and there are a few bugs, if you have a really big layer going on when the power goes you might not have enough power to make it to the end, octoprint only aborts at specific points in the print, same if you are at the first stages and are heating the bed, octoprint will wait until the bed is up to temp before running the next command (abort).

The sleep at the end of the script stops the rpi from shutting down, we need to wait here and make sure the printer has taken the abort command before killing the pi so that's an unknown amount of time so I leave it running by sleeping indefinitely here

If I get time I will make a proper octoprint plugin for all this

Categories: LUG Community Blogs

Steve Kemp: A mixed weekend

Planet HantsLUG - Mon, 30/05/2016 - 04:26

This past seven days have been a little mixed:

  • I updated documentation on my simple object store.
  • I created a simplified alerting system.
    • Heavily inspired by something we use at work.
    • My version is much much simpler, but still useful enough to alert me of outages (via heartbeats) and unread email. (Both of which are sent via pushover notifications.)
  • I bought a pair of cheap USB "game controllers"
    • And have spent several hours playing SNES games such as Bomberman 2, and Super Mario Brothers 3.
    • I'm using mednafen, as it supports cheats, fullscreen, sound, and is pretty easy to drive.

Finally I spent the tail end of the weekend being a little red, sore, and itchy. I figured this was a surprising outbreak of Dyshidrosis on my hands, and eczema on my body. Instead I received a diagnosis of Scarlet Fever. So now I feel somewhat Dickensian!

Apparently this infection is on the rise!

Categories: LUG Community Blogs

Star Wars for hold music? Sweet!

Planet SurreyLUG - Sun, 29/05/2016 - 11:22

On phone to car insurer.  While on hold, incidental theme music for Star Wars plays.  Please keep me on hold!  #starwars #customerservice

The post Star Wars for hold music? Sweet! appeared first on life at warp.

Categories: LUG Community Blogs

Monthly Meeting 30th May

West Yorkshire LUG News - Fri, 27/05/2016 - 17:48

This coming Monday 30th May, the wylug monthly meeting will be in The Lord Darcy at 7:30pm, roughly, as usual. Join us for computer related chit chat. I (Darren) will be bringing a Sony Vaio with Slackware half-installed on it. Find out how lvm is supposed to work and how it works in practice. Or bring your own conundrum!

Busy weekend lined up! #beer #bankholiday

Planet SurreyLUG - Fri, 27/05/2016 - 17:23
from Instagram: http://ift.tt/1XCvSc9

The post Busy weekend lined up! #beer #bankholiday appeared first on life at warp.

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Eurodivision

Planet ALUG - Sat, 21/05/2016 - 15:14

I'm going to a Eurovision party tonight because I'm not the only person of impeccable taste who was away last week :)

I really don't know what it is about Eurovision that makes for such a fun evening but I've had a fantastic Eurovision party every year since I was at uni.

For the next 5 weeks, I'm at home alone as my wife and child are staying with family in Turkey. In order to make sure I won't be bored, I appear to have overfilled my calendar and now I find myself worrying I won't have a moment to myself. Ah well, busy is better than leaving myself open to the temptation of sitting in front of the telly for evenings on end.

I've ordered a Raspberry Pi 3 with the intention of setting it up as a retro gaming machine. I want something that can live permanently attached to my telly so that I can just pick up a controller and have a 10 minute blast on Sonic or Mario at the drop of a hat. I tried doing this before with my original Pi but it was just too slow.

In other news, I posted this on Facebook a while ago and decided it might as well live here too:

I'll be voting that we stay in thanks very much. I know the EU is far from perfect but I hate the idea of slumping backward into a world of tribes. Hating the other guy because he’s on the other side of a fence or believes in a particular magical sky man is ridiculous and childish and exactly the kind of thing we in the west deride and see as the cause of conflicts in the east.

I’m proud of my country. And like any prized possession, I want to show it off to everyone. I want free movement so that I can visit (and maybe one day live and work in) some of the wonderful places that other people are proud of.

I'm married to a foreigner; I frequently meet, work with, and have many friends who are foreign; I love travelling and being the foreigner. I’d love to be in a world where this post doesn’t make any sense because “foreign” and “country” don’t mean anything any more. It’s one planet, guys.

Try this one weird trick to help you realise why I think your ideas about borders are daft: You want tighter border control in the UK... Why the UK? Why not Great Britain? Make the Irish need visas to get in. Why not individual countries? Who wouldn’t enjoy a nice driving break while you queue for passport control at the Welsh border? In fact, why stop there; we could do this regionally! The great wall of East Anglia? County? District? City? Neighbourhood? Street? Why do you draw the line where you draw it?

If you must have a border, draw it around the planet for now. I wouldn’t mind working as a passport officer aboard the ISS.

Be excellent to each other and party on dudes.

Categories: LUG Community Blogs

Steve Kemp: Accidental data-store .. is go!

Planet HantsLUG - Thu, 19/05/2016 - 19:38

A couple of days ago I wrote:

The code is perl-based, because Perl is good, and available here on github:

..

TODO: Rewrite the thing in #golang to be cool.

I might not be cool, but I did indeed rewrite it in golang. It was quite simple, and a simple benchmark of uploading two million files, balanced across 4 nodes worked perfectly.

https://github.com/skx/sos/

Categories: LUG Community Blogs

Jonathan McDowell: First steps with the ATtiny45

Planet ALUG - Wed, 18/05/2016 - 22:25

These days the phrase “embedded” usually means no console (except, if you’re lucky, console on a UART for debugging) and probably busybox for as much of userspace as you can get away with. You possibly have package management from OpenEmbedded or similar, though it might just be a horrible kludged together rootfs if someone hates you. Either way it’s rare for it not to involve some sort of hardware and OS much more advanced than the 8 bit machines I started out programming on.

That is, unless you’re playing with Arduinos or other similar hardware. I’m currently waiting on some ESP8266 dev boards to arrive, but even they’re quite advanced, with wifi and a basic OS framework provided. A long time ago I meant to get around to playing with PICs but never managed to do so. What I realised recently was that I have a ready made USB relay board that is powered by an ATtiny45. First step was to figure out if there were suitable programming pins available, which turned out to be all brought out conveniently to the edge of the board. Next I got out my trusty Bus Pirate, installed avrdude and lo and behold:

$ avrdude -p attiny45 -c buspirate -P /dev/ttyUSB0
Attempting to initiate BusPirate binary mode...
avrdude: Paged flash write enabled.
avrdude: AVR device initialized and ready to accept instructions
Reading | ################################################## | 100% 0.01s
avrdude: Device signature = 0x1e9206 (probably t45)
avrdude: safemode: Fuses OK (E:FF, H:DD, L:E1)
avrdude done. Thank you.

Perfect. I then read the existing flash image off the device, disassembled it, worked out it was based on V-USB and then proceeded to work out that the only interesting extra bit was that the relay was hanging off pin 3 on IO port B. Which led to me knocking up what I thought should be a functionally equivalent version of the firmware, available locally or on GitHub. It’s worked with my basic testing so far and has confirmed to me I understand how the board is set up, meaning I can start to think about what else I could do with it…

Categories: LUG Community Blogs

Steve Kemp: Accidental data-store ..

Planet HantsLUG - Wed, 18/05/2016 - 19:49

A few months back I was looking over a lot of different object-storage systems, giving them mini-reviews, and trying them out in turn.

While many were overly complex, some were simple. Simplicity is always appealing, providing it works.

My review of camlistore was generally positive, because I like the design. Unfortunately it also highlighted a lack of documentation about how to use it to scale, replicate, and rebalance.

How hard could it be to write something similar, but also paying attention to keep it as simple as possible? Well perhaps it was too easy.

Blob-Storage

First of all we write a blob-storage system. We allow three operations to be carried out:

  • Retrieve a chunk of data, given an ID.
  • Store the given chunk of data, with the specified ID.
  • Return a list of all known IDs.

 

API Server

We write a second server that consumers actually use, though it is implemented in terms of the blob-storage server listed previously.

The public API is trivial:

  • Upload a new file, returning the ID which it was stored under.
  • Retrieve a previous upload, by ID.

 

Replication Support

The previous two services are sufficient to write an object storage system, but they don't necessarily provide replication. You could add immediate replication; an upload of a file could involve writing that data to N blob-servers, but in a perfect world servers don't crash, so why not replicate in the background? You save time if you only save uploaded-content to one blob-server.

Replication can be implemented purely in terms of the blob-servers:

  • For each blob server, get the list of objects stored on it.
  • Look for that object on each of the other servers. If it is found on N of them we're good.
  • If there are fewer copies than we like, then download the data, and upload to another server.
  • Repeat until each object is stored on a sufficient number of blob-servers.

 

My code is reliable, the implementation is almost painfully simple, and the only difference in my design is that rather than having an API-server which allows both "uploads" and "downloads" I split it into two - that means you can leave your "download" server open to the world, so that it can be useful, and your upload-server can be firewalled to only allow a few hosts to access it.

The code is perl-based, because Perl is good, and available here on github:

TODO: Rewrite the thing in #golang to be cool.

Categories: LUG Community Blogs
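
The background replication loop described in the post above, as an added Python example (not the author's Perl or Go code). The in-memory BlobServer class, the helper names and the choice of a SHA-256 digest as the blob ID are assumptions made for illustration; the digest lets the loop ignore a copy that no longer matches its ID.

```python
import hashlib


class BlobServer:
    """In-memory stand-in for one blob server: retrieve, store, list IDs."""

    def __init__(self, name):
        self.name = name
        self.blobs = {}

    def put(self, blob_id, data):
        self.blobs[blob_id] = data

    def get(self, blob_id):
        return self.blobs.get(blob_id)

    def list_ids(self):
        return sorted(self.blobs)


def blob_id_for(data):
    # Assumption: IDs are content digests, so any copy can be checked.
    return hashlib.sha256(data).hexdigest()


def upload(server, data):
    """API-server side of an upload: write to ONE blob server only."""
    blob_id = blob_id_for(data)
    server.put(blob_id, data)
    return blob_id


def has_good_copy(server, blob_id):
    data = server.get(blob_id)
    return data is not None and blob_id_for(data) == blob_id


def replicate(servers, copies=2):
    """One replication pass; returns (blob_id, source, target) per copy made.

    Copies that fail the digest check are neither counted nor propagated.
    """
    copied = []
    for source in servers:
        for blob_id in source.list_ids():
            if not has_good_copy(source, blob_id):
                continue
            data = source.get(blob_id)
            holders = [s for s in servers if has_good_copy(s, blob_id)]
            # Prefer the emptiest servers as targets; name breaks ties.
            spare = sorted(
                (s for s in servers if s not in holders),
                key=lambda s: (len(s.blobs), s.name),
            )
            for target in spare[: max(0, copies - len(holders))]:
                target.put(blob_id, data)
                copied.append((blob_id, source.name, target.name))
    return copied


if __name__ == "__main__":
    nodes = [BlobServer("a"), BlobServer("b"), BlobServer("c")]
    upload(nodes[0], b"first object")
    upload(nodes[1], b"second object")
    for blob_id, src, dst in replicate(nodes, copies=2):
        print(f"{blob_id[:12]}  {src} -> {dst}")
```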

Debian Bits: Imagination accelerates Debian development for 64-bit MIPS CPUs

Planet HantsLUG - Wed, 18/05/2016 - 08:30

Imagination Technologies recently donated several high-performance SDNA-7130 appliances to the Debian Project for the development and maintenance of the MIPS ports.

The SDNA-7130 (Software Defined Network Appliance) platforms are developed by Rhino Labs, a leading provider of high-performance data security, networking, and data infrastructure solutions.

With these new devices, the Debian project will have access to a wide range of 32- and 64-bit MIPS-based platforms.

Debian MIPS ports are also possible thanks to donations from the aql hosting service provider, the Eaton remote controlled ePDU, and many other individual members of the Debian community.

The Debian project would like to thank Imagination, Rhino Labs and aql for this coordinated donation.

More details about GNU/Linux for MIPS CPUs can be found in the related press release at Imagination and their community site about MIPS.

Categories: LUG Community Blogs

Debian Bits: New Debian Developers and Maintainers (March and April 2016)

Planet HantsLUG - Mon, 16/05/2016 - 23:10

The following contributors got their Debian Developer accounts in the last two months:

  • Sven Bartscher (kritzefitz)
  • Harlan Lieberman-Berg (hlieberman)

Congratulations!

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Today's discoveries

Planet ALUG - Sun, 15/05/2016 - 23:47
  1. Dorock have opened a new bar in Kadıköy and it's good :)

  2. A home win for Beṣiktaṣ means a crazy street party with fireworks, marching, and a lot of shouting.

    Uber thankfully provided us a taxi so we didn't have to walk through it all with our sleeping 4 year old.

  3. When all of your podcasts are on a server somewhere and you want to copy them to your mp3 player but all you have to hand is a Chromebook, you're in for some fun.

    Really. There's not enough internal storage to download it all and then copy over. There's no scp client. No command line from which to cd to the mp3 player and wget everything.

  4. rclone is badical!

    Really! rclone config holds your hand through setting it up and then it was a simple rclone sync ./podcasts google:/podcasts to get my podcasts folder copied into Google Drive. Once that was done, I could use the file manager to copy from Drive over to the mp3 player. Simples. Ish.

  5. Autocorrect helpfully invented my new catchphrase: Weird up!

Categories: LUG Community Blogs

Debian Bits: What does it mean that ZFS is included in Debian?

Planet HantsLUG - Sun, 15/05/2016 - 21:55

Petter Reinholdtsen recently blogged about ZFS availability in Debian. Many people have worked hard on getting ZFS support available in Debian and we would like to thank everyone involved in getting to this point and explain what ZFS in Debian means.

The landing of ZFS in the Debian archive was blocked for years due to licensing problems. Finally, the inclusion of ZFS was announced slightly more than a year ago, in April 2015, by the DPL at the time, Lucas Nussbaum, who wrote "We received legal advice from Software Freedom Law Center about the inclusion of libdvdcss and ZFS in Debian, which should unblock the situation in both cases and enable us to ship them in Debian soon.". In January this year, the following DPL, Neil McGovern, blogged with a lot more details about the legal situation behind this and summarized it as "TLDR: It’s going in contrib, as a source only dkms module."

ZFS is not available exactly in Debian, since Debian is only what's included in the "main" section archive. What people really meant here is that ZFS code is now included in "contrib" and it's available for users using DKMS.

Many people also mixed this with Ubuntu now including ZFS. However, Debian and Ubuntu are not doing the same; Ubuntu is shipping directly pre-built kernel modules, something that is considered to be a GPL violation. As the Software Freedom Conservancy wrote "while licensed under an acceptable license for Debian's Free Software Guidelines, also has a default use that can cause licensing problems for downstream Debian users".

Categories: LUG Community Blogs

Steve Engledow (stilvoid): s3cmd ls

Planet ALUG - Fri, 13/05/2016 - 22:22

I'm currently having a very enjoyable holiday with my family in Bodrum. We're staying in an all-inclusive hotel by the beach. This is the first time either of us have ever had such a holiday; we usually like to go rushing around seeing as many sights as we can cram in to a few days before moving on to another place. It's the final night of our time here and I feel like I'm just settling in to it. Next time, we'll do two weeks. (By way of compromise, we had decided to do a week in Bodrum followed by a week in Istanbul/Adapazarı.)

The good

In what feels like a very short week of doing very little, here are some of my highlights:

Bodrum Castle

The castle doesn't look much from the outside and it advertises itself as "Museum of Underwater Archaeology" but once you get through the doors you realise it's a magnificent ruined castle with beautiful gardens and a smattering of museum about the place. We barely stopped to look at the museum pieces (mostly shipwrecks and amphora dredged up from the Aegean) and it took us a good couple of hours to walk around the castle. Do not make the mistake we made in a parallel universe by deciding we didn't fancy a museum that day!

Boat tour

There are a lot of places offering boat tours and I can only vouch for the one we took: Gencel Water Sports. The boat tour takes a full day (ours was 10:30 to 16:30) and stops off at a number of interesting locations around Bodrum. The highlights for me were Aquarium Bay: snorkeling with thousands of fish around; and the place that I can't recall the name of where I ticked off an ambition (I don't know why): to swim to shore. OK it was only 50 metres or so but it was in proper sea and I'm hardly an olympic swimmer ;)

In all, I did a lot of swimming that day.

Tent bar, Gümbet

This bar is hardly a tourist hot spot but it was a short walk from the hotel and we had a really good evening sitting and chatting with the barman (whose name is either Ricardo or Bora depending on which language you ask him in).

Spending a day doing not very much

This really was a revelation! One such day went like this: wake, breakfast, steam room, swim, turkish bath, beer by the pool, lunch, swimming, lazing around by the pool with a beer, swimming, lazing, beer, swimming, lazing, beer, beer and lazing, dinner, rakı, sleep.

As I said, neither of us had ever had a holiday that didn't involve loads of walking and sightseeing. I'm amazed at how much I enjoyed just relaxing.

The bad

On the somewhat less positive side I lost a filling and the hole is really annoying.

The unrealised

Next week: Istanbul, second only to Bruges in my favourite places list :)

Categories: LUG Community Blogs

A Probably Inaccurate History Of LibVirt, KVM and QEMU

Planet SurreyLUG - Mon, 09/05/2016 - 18:38

A while ago I was explaining the difference between QEMU, KVM and LibVirt, and I ended up by emailing this nonsense. I don’t claim it’s accurate, it certainly isn’t. It’s probably not even funny. Enjoy :).

In the beginning there was QEMU, but it was slow and the people grieved.

Then KVM was forked from QEMU with a kernel module to use the CPU’s virtualisation features to work much faster and there was much rejoicing. Linus also rejoiced and welcomed KVM’s kernel module into the mainline kernel.

But the people did not rejoice, as they were mostly using Sun’s VirtualBox (also forked from QEMU).

QEMU awoke from its slumber and joined with KVM and their union caused almost no rejoicing, in fact I am not convinced anyone really noticed.

But the System Administrators were still dissatisfied and complained that there should be standardisation of commands across different hypervisors. And thus LibVirt was born and the System Administrators rejoiced.

Yet still the people used VirtualBox. But lo! The evil Oracle slew the Sun and VirtualBox moved into darkness, and there was much gnashing of teeth and wearing of sackcloth; although this was generally considered a step forwards from the t-shirts that they usually wore.

But still the people could not use QEMU-KVM, without issuing complex incantations, and so Virt-Manager was born and finally the people rejoiced, with much clicking of mice.

The End.

Categories: LUG Community Blogs

Andy Smith: Using a TOTP app for multi-factor SSH auth

Planet HantsLUG - Fri, 06/05/2016 - 17:34

I’ve been playing around with enabling multi-factor authentication (MFA) on web services and went with TOTP. It’s pretty simple to implement in Perl, and there are plenty of apps for it including Google Authenticator, 1Password and others.

I also wanted to use the same multi-factor auth for SSH logins. Happily, from Debian jessie onwards libpam-google-authenticator is packaged. To enable it for SSH you would just add the following:

auth required pam_google_authenticator.so

to /etc/pam.d/sshd (put it just after @include common-auth).

and ensure that:

ChallengeResponseAuthentication yes

is in /etc/ssh/sshd_config.

Not all my users will have MFA enabled though, so to skip prompting for these I use:

auth required pam_google_authenticator.so nullok

Finally, I only wanted users in a particular Unix group to be prompted for an MFA token so (assuming that group was totp) that would be:

auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup totp
auth required pam_google_authenticator.so nullok

If the pam_succeed_if conditions are met then the next line is skipped, so that causes pam_google_authenticator to be skipped for users not in the group totp.

Each user will require a TOTP secret key generating and storing. If you’re only setting this up for SSH then you can use the google-authenticator binary from the libpam-google-authenticator package. This asks you some simple questions and then populates the file $HOME/.google_authenticator with the key and some configuration options. That looks like:

T6Z2KSDCG7CEWPD6EPA6BICBFD4KYKCSGO2JEQVII7ZJNCXECRZPJ4GJHD3CWC43FZIKQUSV5LR2LFFP
" RATE_LIMIT 3 30 1462548404
" DISALLOW_REUSE 48751610
" TOTP_AUTH
11494760
25488108
33980423
43620625
84061586

The first line is the secret key; the five numbers are emergency codes that will always work (once each) if locked out.

If generating keys elsewhere then you can just populate this file yourself. If the file isn’t present then that’s when “nullok” applies; without “nullok” authentication would fail.

Note that despite the repeated mentions of “google” here, this is not a Google-specific service and no data is sent to Google. Google are the authors of the open source Google Authenticator mobile app and the libpam-google-authenticator PAM module, but (as evidenced by the Perl example) this is an open standard and client and server sides can be implemented in any language.

So that is how you can make a web service and an SSH service use the same TOTP multi-factor authentication.

Categories: LUG Community Blogs
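
How a server can read the $HOME/.google_authenticator layout shown in the post above and check a submitted code, as an added Python example (not the author's Perl code and not the PAM module's implementation). The sample file is constructed: its secret is the RFC 6238 test key and its emergency codes are made up; the function names, the one-step window and the in-memory used_counters set are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout of $HOME/.google_authenticator.
# Secret: RFC 6238 test key ("12345678901234567890" in base32).
SAMPLE_STATE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
10000001
20000002
"""


def parse_state(text):
    """Split the file into secret, quoted option lines and emergency codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty state file")
    state = {"secret": lines[0], "options": {}, "scratch": []}
    for ln in lines[1:]:
        if ln.startswith('"'):
            name, _, value = ln[1:].strip().partition(" ")
            state["options"][name] = value
        else:
            state["scratch"].append(ln)
    return state


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now`."""
    secret = secret_b32.replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # restore base32 padding
    key = base64.b32decode(secret)
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(state, code, now, used_counters, window=1, step=30):
    """Return "scratch", "totp" or None for a submitted code."""
    code = code.strip()
    if not (code.isascii() and code.isdigit()):
        return None
    # Emergency codes work once each, so consume on success.
    for scratch in state["scratch"]:
        if hmac.compare_digest(scratch.encode(), code.encode()):
            state["scratch"].remove(scratch)
            return "scratch"
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        expected = totp(state["secret"], counter * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            # With DISALLOW_REUSE a time step is accepted only once.
            if "DISALLOW_REUSE" in state["options"] and counter in used_counters:
                return None
            used_counters.add(counter)
            return "totp"
    return None


if __name__ == "__main__":
    st = parse_state(SAMPLE_STATE)
    seen = set()
    print(totp(st["secret"], 59))
    print(verify(st, "287082", 59, seen))   # first use of this time step
    print(verify(st, "287082", 59, seen))   # replay of the same code
```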