Friday, February 24, 2012

Configuring Procmail: Adding Growl Notifications

I use a Mac and like to have Growl notify me when procmail processes a new message.
  • Open your procmail config for editing. (i.e. vim ~/.procmailrc)
  • Add the following procmail recipe at the end:
# Carbon-copy recipe: pipe the Subject header to Growl, then let normal delivery continue
:0 c
| /usr/bin/formail -X Subject  | /usr/local/bin/growlnotify -n mutt -a >/dev/null 2>&1


Configuring GNU Screen: adding the caption

A GNU screen session with the caption enabled shows a bottom line containing a clock, the date and all the shells in your screen session.  To add the same caption to your screen session:

  1. Open your screen configuration file for editing. (i.e. vim ~/.screenrc)
  2. Add the appropriate caption line.

# Caption
caption always "%?%F%{= kw}[%{= g}%c%{+b g}%D%{= kw}] %{= c}%Y%{+b c}%M%{= c}%d%{= w} -*-%?%F%? %L=%-Lw%45>%{+r} %n%f* %t %{-}%+Lw%-0<"


Saturday, February 18, 2012

Configuring SSH: Always Forwarding Your Agent

Configure your ssh client to always forward your agent and, while you're at it, reuse existing connections to the same server.
  1. Open up your ssh config for editing. (i.e. vim ~/.ssh/config)
  2. Add the following entries:
# Forward the local ssh-agent to every host you connect to
ForwardAgent yes
# Share one connection per local host/user/remote host/port through a control socket
ControlPath /tmp/m-%l-%r@%h:%p
ControlMaster yes
ControlPersist yes


Thursday, February 16, 2012

Configuring GNU Screen or tmux: Retain ssh-agent access when a session is reattached

For those that use terminal multiplexers like screen or tmux a common problem is to "lose" your ssh-agent after ending an ssh session.

The Problem

1. ssh to a remote server and start the terminal multiplexer for the first time.

The terminal multiplexer starts and all your shells capture the value of SSH_AUTH_SOCK at that time.  You can access your agent because the value of the environment variable in each shell is current.

2. Detach from the terminal multiplexer and exit from your ssh session.

The multiplexer is still running on the remote server (along with all your shells).

3. ssh to the remote server and reattach.

So now you've reattached, but the environment variable SSH_AUTH_SOCK in each of your running shells is out of date. As a result you can't access your ssh-agent from your shells unless you update SSH_AUTH_SOCK.

The Solution
  1. Open up the shell config file you store your aliases in. i.e. vim ~/.bashrc
  2. Add an alias for screen or tmux that will transparently update the auth-sock location to the same location every time.
alias screen='ln -sf $SSH_AUTH_SOCK $HOME/.ssh-auth-sock; env SSH_AUTH_SOCK=$HOME/.ssh-auth-sock screen'
alias tmux='ln -sf $SSH_AUTH_SOCK $HOME/.ssh-auth-sock; env SSH_AUTH_SOCK=$HOME/.ssh-auth-sock tmux'
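The same symlink trick as the aliases above, written out as shell functions with the checks the one-liners skip. This is an added example, not the post's own aliases; it assumes the stable path $HOME/.ssh-auth-sock from the post (passed in as a parameter so the functions can be exercised on a temp directory). The plain `ln -sf` in the aliases runs even when no agent was forwarded, which replaces a still-working link with a dangling one, and it loops the link onto itself when run from a shell whose SSH_AUTH_SOCK already is the stable path.

```shell
#!/bin/sh
# Added example; not the post's own aliases. Assumption: LINK is the stable
# path ($HOME/.ssh-auth-sock in the post) that every shell inside the
# multiplexer uses as SSH_AUTH_SOCK.

# refresh_agent_link LINK SOCK
# Re-points LINK at SOCK. Returns 1 and leaves an existing LINK alone when
# SOCK is empty or not a unix socket, so a login without a forwarded agent
# does not break a link that still works. SOCK equal to LINK (a shell that
# already runs with the stable path) is a no-op instead of a self-loop.
refresh_agent_link() {
  link=$1
  sock=$2
  [ -n "$sock" ] || return 1
  [ "$sock" != "$link" ] || return 0
  [ -S "$sock" ] || return 1
  # Remove first: "ln -sf" onto an existing link that points at a directory
  # would otherwise create the new link inside that directory.
  rm -f "$link" && ln -s "$sock" "$link"
}

# with_stable_agent LINK CMD [ARG...]
# Runs CMD with SSH_AUTH_SOCK fixed to LINK, as the post's aliases do; the
# shells inside the multiplexer then reach the agent after every reattach.
with_stable_agent() {
  link=$1
  shift
  refresh_agent_link "$link" "${SSH_AUTH_SOCK:-}" || true
  env SSH_AUTH_SOCK="$link" "$@"
}

# Drop-in replacement for the post's aliases:
#   alias screen='with_stable_agent "$HOME/.ssh-auth-sock" screen'
#   alias tmux='with_stable_agent "$HOME/.ssh-auth-sock" tmux'
```

The link lives in your home directory, but access to the agent is still governed by the permissions of the socket it points at (sshd creates that socket in a private directory), so the link itself does not widen who can use the agent.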


Configuring Emacs: Remote Editing

TRAMP provides Emacs the ability to remotely edit files over a number of protocols including ssh.

To get a directory listing of the home directory on the remote server:

C-x C-d

You can add the following snippet to also support sudo'ing on the remote box.

;; Load TRAMP and tell it that editing as root on any host (".*") should first
;; ssh to that host (%h) as your own user; TRAMP then uses sudo there to become root.
(require 'tramp)
(set-default 'tramp-default-proxies-alist (quote ((".*" "\\`root\\'" "/ssh:%h:"))))
Now you can remotely edit the /etc/motd file as root without needing to log in as root.  Instead you will log in as your user and then sudo to root.

C-x C-f


Wednesday, February 15, 2012

Configuring SSH: Suppressing the Banner

Tired of receiving cronmail because the ssh banner is sent to STDERR?  Tired of not being able to see real errors because the banner pollutes your log?

For interactive sessions:
  • ssh -q
This sets ssh's LogLevel to Quiet.  This means *only* Fatal logging events are logged.  This suppresses Error logging events that you may be interested in.

  • ssh -o LogLevel=error
This sets ssh's LogLevel to Error.  This may not work in older ssh clients.  This allows you to see Error logging events that may be important.  You can also set this in your client config.

Or modify your config:
  1. Open your ssh config for editing. i.e. vim ~/.ssh/config
  2. Add the following line, either globally or under a Host entry for the servers whose banner you want to suppress:
LogLevel error


Configuring SSH: Transparent Multihop Connections

OpenSSH, the client that comes with most Unix/Linux systems, provides the capability for proxying through one ssh server to another. This is a completely client-side configuration.

  1. Set up your Secure Passwordless Login for ssh.
  2. Open your ssh config for editing. i.e. vim ~/.ssh/config
  3. Add a host entry for the servers you want to access through the ssh proxy.
# Forward your agent so the hop through the gateway can authenticate you
ForwardAgent yes
# The gateways themselves are reached directly ("?" matches a single character)
Host gateway0?
        HostName %h.domain
# Every other host in the domain is reached through gateway01
Host *.domain !gateway0?
        ProxyCommand ssh gateway01.domain exec nc %h %p

Now you should be able to login to internal servers transparently from your workstation. This will hold true for interactive ssh, sftp, and scp.
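A way to check what the multihop config above, and the always-forward config from the February 18 post, actually hand to each host before you rely on them. This is an added example, not the post's own configuration: it writes a constructed client config to a file and asks OpenSSH with `ssh -G` (available since OpenSSH 6.8) for the settings it would apply to a given host. The config is a variant of the post's in which agent forwarding is scoped to the gateway and the hosts behind it instead of a global ForwardAgent yes, and the control socket lives under ~/.ssh instead of /tmp; the host names, the "domain" suffix and the gateway names mirror the post and are assumptions.

```shell
#!/bin/sh
# Added example; not the post's own configuration. Assumptions: the gateway
# names gateway0?, the "domain" suffix and the host names used below.

# write_config FILE: a scoped variant of the post's config. Any host that
# receives your forwarded agent can use it for as long as you stay connected,
# so forwarding is limited to the gateway and the internal hosts behind it.
write_config() {
  cat >"$1" <<'EOF'
Host gateway0?
        HostName %h.domain
        ForwardAgent yes

Host *.domain !gateway0?
        ProxyCommand ssh gateway01.domain exec nc %h %p
        ForwardAgent yes

# Defaults for everything else: no agent, but connection sharing with the
# control socket kept under ~/.ssh rather than in the shared /tmp.
Host *
        ForwardAgent no
        ControlPath ~/.ssh/cm-%r@%h:%p
        ControlMaster auto
        ControlPersist yes
EOF
}

# effective_option FILE HOST OPTION: prints the value ssh would apply for HOST.
# ssh -G prints option names in lowercase, e.g. "forwardagent yes".
effective_option() {
  ssh -G -F "$1" "$2" 2>/dev/null |
    awk -v key="$3" '$1 == key { sub(/^[^ ]+[ ]*/, ""); print; exit }'
}

# forwards_agent FILE HOST: succeeds only if the agent would be forwarded.
forwards_agent() {
  [ "$(effective_option "$1" "$2" forwardagent)" = yes ]
}

# Usage:
#   write_config /tmp/ssh_config.test
#   forwards_agent /tmp/ssh_config.test example.org && echo "agent exposed to example.org"
```

ControlMaster auto (rather than the post's yes) makes each new ssh reuse an existing master connection and only become the master when there is none; with yes, every invocation tries to become the master. Running the check against the host you are about to connect to is the quickest way to see whether a pattern in your config matches more hosts than you intended.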


Configuring SSH: Secure Passwordless Login

  • Create a passphrase-protected ssh key.
> ssh-keygen -b 2048 -t rsa
  • Add an ssh-agent to your session startup. (i.e. SSHKeychain on Mac OS)
  • Whenever you start a session add your ssh key to your agent. (i.e. ssh-add)
  • Make sure your agent follows you.
ForwardAgent yes
  • ssh to a server and put your public key in the authorized_keys file. (i.e. ssh-add -L > ~/.ssh/authorized_keys)
  • Fix the permissions, just in case. (i.e. chmod 600 ~/.ssh/authorized_keys)
  • Log out, and try to log back in without a password.
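The authorized_keys and permissions steps above, as an added example that is not part of the original post. `ssh-add -L > ~/.ssh/authorized_keys` replaces every key already in the file; the function below appends only keys that are not yet present, then applies the permissions sshd's default StrictModes setting needs before it will trust the file (sshd rejects a home, .ssh or authorized_keys that is group- or world-writable; the check here is stricter and demands no group or other access at all). The file path is a parameter so the functions can be exercised on a temp directory.

```shell
#!/bin/sh
# Added example; not the post's own commands. Assumption: FILE is the
# authorized_keys path (~/.ssh/authorized_keys in the post).

# add_authorized_keys FILE   (public keys on stdin, one per line)
# Appends keys not already in FILE, fixes permissions, prints the number added.
# Written as a subshell function so umask and variables do not leak to the caller.
add_authorized_keys() (
  file=$1
  added=0
  umask 077                              # anything created here starts private
  mkdir -p "$(dirname "$file")"
  [ -e "$file" ] || : >"$file"
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    if ! grep -qxF -e "$key" "$file"; then   # exact whole-line match only
      printf '%s\n' "$key" >>"$file"
      added=$((added + 1))
    fi
  done
  chmod 600 "$file"
  chmod 700 "$(dirname "$file")"
  echo "$added"
)

# no_group_other_access PATH: succeeds when the group and other permission
# bits (columns 5-10 of "ls -ld") are all clear.
no_group_other_access() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# perms_ok FILE: the key file and the directory holding it are both private.
perms_ok() {
  no_group_other_access "$1" && no_group_other_access "$(dirname "$1")"
}

# Usage, on the server, with the agent forwarded from your workstation:
#   ssh-add -L | add_authorized_keys ~/.ssh/authorized_keys
#   perms_ok ~/.ssh/authorized_keys || echo "fix permissions before relying on key login"
```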