Jason Magee

Login via SSH Key

Mar 29 2015

This is a follow on to my previous post ‘ Simple Security on a Linux VPS ’ in which I said I would post about how to setup SSH key access on a server. SSH key access works by adding your local machines identify to a file on the server called authorized_keys. Once your key is in the file, you can login as that server user using your local key. Previously, I would SSH onto the server and paste my local SSH key into authorized_keys using nano but I’ve since found a much quicker way to do it by running this command.

s s h - c o p y - i d < u s e r n a m e > @ < h o s t >

Simples!

SSH Tunnelling with pgAdmin

Mar 23 2015

When working with remote PostgreSQL databases it’s nice to be able to use a graphical user interface to manage the data. Fortunately, it is very straight forward to setup by creating an SSH tunnel to the remote server and then connecting pgAdmin to the server as if it’s on localhost.

The first step is to create an SSH tunnel. Replace username and host respectively.

s s h - N - L 3 3 3 3 : l o c a l h o s t : 5 4 3 2 < u s e r n a m e > @ < h o s t >

Arguments

  • N: Do not execute a remote command. We just want port forwarding.
  • L: This is the bind target on the local client. In our case we’re asking that port 3333 on localhost be bound to localhost:5432 from the remote server. 5432 is the default PostgreSQL port.

If you want the command to go into the background so you can continue to use the terminal, add an -f argument.

Using pgAdmin, connect as you would to a local database except use the port we’ve bound to (3333):

Image

If you ran the command as suggested, CTRL+C in the terminal will kill the SSH tunnel. If you sent it into the background using -f then you will need to kill the command by finding the background process using ps aux and grep.

$ p s a u x | g r e p 3 3 3 3

This runs the command ps aux and returns any lines containing 3333 (the port we bound to locally). The number we’re interested in is the PID, which is the second number below.

j a s o n 6 6 7 4 0 . 0 0 . 0 4 8 2 8 0 9 1 2 ? S s 2 1 : 1 5 0 : 0 0 s s h - N f - L < u s e r n a m e > @ < h o s t >

With the PID we can kill the background process by doing.

k i l l 6 6 7 4

Running the ps aux command again will reveal that the background process is no longer running.

Tired of seeing the Rails asset pipeline logging?

Mar 4 2015

Tired of seeing the Rails asset pipeline logging in the console? Disable it by adding this code…

# c o H n i f d i e g . a a s s s s e e t t s p . i l p o e g l g i e n r e = l o f g a g l i s n e g

into…

c o n f i g / e n v i r o n m e n t s / d e v e l o p m e n t . r b

Boom! No more asset pipeline logging during development. Remember to turn it back on if you have asset problems, though.

Simple Security on a Linux VPS

Feb 17 2015

I maintain a number of Linux VPS (5 at the time of writing) and wanted to cover some basic security measures. When you sign up for a Linux VPS you tend to be given a root login to set it up. You should never leave it with root access as it’s a security risk. The minimum you want to do is create a new login and prevent root from logging on via SSH. Another good precaution is to change the default SSH port. For maximum security you want to use SSH keys for access which I’ll cover in another post.

For this example I’m going to create a new login called ‘admin’ which does not have root privileges and prevent people from using SSH to connect as root. The admin user will be able to switch users to root or run commands as root using sudo but will be prompted for the password.

The first step should always be to create the new user and make sure they can login and gain root privileges. Disabling root access and then finding out the new account can’t SSH onto the VPS is a less than ideal situation…

To add a new user we’re going to use the ‘adduser’ command. This will add the user, prompt you twice for the users password and ask you to provide Full Name, Room Number, Work Phone, Home Phone and Other. I’ve only filled in the Full Name.

r A A A C C E R p C E I o d d d r o n e a h n s o d d d e p t t s a t F R W H O t i i i a y e y s n e u o o o t t @ n n n t i r p w g r l o r m h h d g g g i n e d i l m k e e e i n g n : n t r s u n n g e n g h N N P P i c s e e f w e p e a u h h [ n u e w w h i w a t m m o o ] f s r o l U s h n e b n n : o s g u m e N U s e e e e e r : ` r s e s I N w w [ r m ~ a o e X I o u ] [ [ a # d u r d f X r s v : [ ] ] t m p i r p d e a ] : : i a i ` r o a p r l A : o d n ` a e m s a u u d n d ' a d c s s p i e m u d m t ` w s d n , i c s m i o / o w a f n o e i n r e r o t o o r r n ' y t d r e r r r ' c : d d m e a ( ` : a p c d ( 1 s s t r t m 1 0 h k u i e ? i 0 0 o e c o s n 0 0 m l c n s [ 0 ) e ' e Y ) s f E / w a s o N n i d f r T ] t m u E h i l a R y n l d g ' y m f r i o o n r u p t h ` e a d d m e i f n a ' u l t

If for some reason you do not have the ‘adduser’ command, you’ll need to use the less friendly version, ‘useradd’.

At this point you need to log out of the VPS and log back in as admin. Do not proceed until you can do so!

Next, we want disable root access which involves editing a file called ‘sshd_config’. You should backup this file to admin’s home directory first by doing the following…

a d m i n @ d i s c u s s : ~ $ c p / e t c / s s h / s s h d _ c o n f i g ~ / s s h d _ c o n f i g _ b a c k u p

Use nano to edit the file. You need to sudo this as it is a protected file. Input admin’s password.

a d m i n @ d i s c u s s : ~ $ s u d o n a n o / e t c / s s h / s s h d _ c o n f i g

In the file you want to find the variable ‘PermitRootLogin’ and set it to no. This is what is will look like…

P e r m i t R o o t L o g i n y e s

Set it to no.

P e r m i t R o o t L o g i n n o

If it has a # in front of it then you need to remove that, it’s a comment.

Lastly, you need to restart SSH for your changes to take effect.

a s s d s s m h h i n s s @ t t d o a i p r s / t c w / u a r s i u s t n : i n ~ n i $ g n g s , u d p o r o s c e e r s v s i c 2 e 7 9 s 5 s 1 h r e s t a r t

Once you’ve done that, whenever you try to login as root you will get the error message.

P e r m i s s i o n d e n i e d , p l e a s e t r y a g a i n .

Gamely Digest Follow Up

Feb 15 2015

This is a follow up post to this post in which I promised to post my solution to handling thumbnails when different reviewers submit different aspect ratio images, e.g…

Image

Well, here it is..

f o r f i n . j p g ; d o c o n v e r t " $ f " - r e s i z e " 5 7 6 x 3 2 4 ^ " - g r a v i t y c e n t e r - c r o p 5 7 6 x 3 2 4 + 0 + 0 + r e p a g e " $ { f % % . j p g } t . j p g " ; d o n e

This command does the following things:

  1. Resizes the image as close to 576×324 as possible based on the smallest fitting dimension (indicated by the ^).
  2. Sets the ‘gravity’ to the centre for the next command.
  3. Takes a central crop of the image (central due to previous command) to the size 576×324. The x and y offsets give the location of the top left corner of the cropped image with respect to the original. 0 and 0 in this case.
  4. Repage which removes image data to do with virtual image location. I’ve added this simply because the documentation recommends doing so as a pre-caution when using the crop command.