Minority Opinions

Not everyone can be mainstream, after all.

Archive for the ‘Linux’ Category

DNS Service Discovery

Recently, I’ve been annoyed by trying to jam too many websites into a single IP address.  An obscure detail of Apache configuration caused half an hour of downtime for one of our sites, and is threatening to cause more.  Somewhere in the middle, I remembered something about DNSCurve, a project to encrypt and authenticate all traffic on the internet, starting at the DNS level.

Basically, DNSCurve starts from the premise that public keys can be published via the DNS protocol itself.  Once a nameserver’s public key has been published, that key can be used to encrypt and authenticate the DNS traffic itself.  For other services, the server can decrypt traffic using the corresponding private key either as part of the service’s protocol, or as part of the network stack itself.  For extra protection, a symmetric key can be negotiated as part of setting up a streaming transport.  The keys don’t even have to be signed by a trusted authority, as long as you can trust your DNS cache and each of the servers it contacts.  (If you don’t, then you have bigger problems anyway.)

The weakest link in the chain is adoption.  DNS-based attacks haven’t yet been severe enough for everyone to be clamoring for encrypted traffic, nor has it been entirely clear that this is the best solution.  Worse, name servers are largely run by registry companies, and name caches are largely run by internet service providers, neither of which is the party truly affected by an attack.  They need some pressure to switch, either from the (uninformed and unorganized) consumer base, or from (inertial and slightly less uninformed) companies.  To provide that pressure, the companies need to know that they’re going to get something out of it.

As long as we’re meddling with DNS, it might be nice to get rid of the idea of well-known ports, and throw load-balancing in for free.  It turns out that this isn’t a new idea, either; in fact, it’s the sole purpose of the SRV record type.  A few major protocols and plenty of minor ones seem to be using it, but not the most important ones.  Am I missing something important?  If I were to publish _https._tcp.example.com records, would anything use it?  In particular, would getaddrinfo() look for it?

If that’s the case, then a little DNS trickery is all we would really need to make Apache serve the right SSL certificate for each domain name, without having to put the port number into every URL.  (Yes, I know that modern browsers and SSL implementations support Server Name Indication (SNI), but we’re forced to deal with IE 7.  And still get complaints from IE 6 users.)  Sadly, there might still be some firewall issues to work around; some of our clients might be restricted to ports 80 and 443.  Then again, certain firewalls are already configured with our domain names, so maybe the firewall could dynamically open the right ports if it knew that it would need to.

For an ideal connection, the two ideas could be combined.  Take a hostname and service, and open an encrypted connection to any of several load-balanced servers listening on arbitrary ports.  It would still take quite a bit to overcome the inertia of well-known port numbers, but even that can be promoted in the name of security.  I’m already dealing with SSH servers with goofy port numbers, for example; the default ones were collecting too much brute-force traffic, even with passwords completely disabled.
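The client side of the SRV idea above, as an added example that is not part of the original post: given the answer set for a service name, pick targets in RFC 2782 order (lowest priority first, weighted random within a priority) and fall through to the next candidate when a connection fails.  The records here are constructed for a hypothetical _https._tcp.example.com, not a real lookup; in practice getaddrinfo() does not consult SRV records, so the client has to fetch them itself (for example with dnspython’s dns.resolver.resolve(name, "SRV")) and feed them to this logic.  The resulting host and port are exactly as trustworthy as the DNS answer they came from, which is the point of the DNSCurve discussion.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: _service._proto.name IN SRV priority weight port target."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set for a hypothetical _https._tcp.example.com (not a real
# lookup): two equal-priority front ends on non-standard ports, weighted 60/40,
# plus a lower-preference fallback on 443.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=60, port=8443, target="web1.example.com."),
    SrvRecord(priority=10, weight=40, port=9443, target="web2.example.com."),
    SrvRecord(priority=20, weight=0, port=443, target="backup.example.com."),
]


def order_targets(records, rng=None):
    """Return (host, port) pairs in the order a client should try them, per
    RFC 2782: lowest priority first; within one priority, a weighted random
    order so that load is spread in proportion to the weights."""
    rng = rng or random.Random()
    if any(r.target == "." for r in records):
        return []  # a lone "." target means the service is explicitly not offered
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records sit at the front, so they are chosen only when
        # the random draw is exactly 0 (or when every record has weight 0).
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight)
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))  # inclusive bounds
            running = 0
            for chosen in bucket:
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append((chosen.target.rstrip("."), chosen.port))
            bucket.remove(chosen)
    return ordered


def first_pick_shares(records, trials=2000, seed=0):
    """Simulate many lookups and return the fraction of times each host is
    tried first; with SAMPLE_SRV web1 should land near 0.6 and backup never."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        host, _port = order_targets(records, rng)[0]
        counts[host] = counts.get(host, 0) + 1
    return {host: n / trials for host, n in counts.items()}


def connect_first(records, connector, rng=None):
    """Try candidates in SRV order until one connects.  `connector` takes an
    (host, port) tuple and raises OSError on failure; in real code pass
    socket.create_connection.  Returns (host, port, connection)."""
    last_error = None
    for host, port in order_targets(records, rng):
        try:
            return host, port, connector((host, port))
        except OSError as exc:
            last_error = exc
    raise OSError(f"no SRV target reachable: {last_error}")


if __name__ == "__main__":
    print("try order:", order_targets(SAMPLE_SRV))
    print("first-pick shares:", first_pick_shares(SAMPLE_SRV))
```

Run it a few times and the two front ends swap places while backup stays last; the fallback is only contacted once every priority-10 target has refused.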

I imagine we’d get some pushback from certificate authorities, though.  How much of their business model is based on making people pay for a bit of assurance against man-in-the-middle attacks?  There might also be complaints from people worried about every last bit of performance, particularly in embedded systems, and from Iran, where all encrypted connections are blocked in the name of national security.

It’s also possible that IPv6 has some of this baked in.  One of these days, I may get around to trying it out.

Written by eswald

5 Feb 2013 at 6:53 pm

Posted in Linux, Technology

The Right Extraction

At one point, I got annoyed with the sheer number of compression methods used to distribute source code and other packages, so I wrote a simple bash function to collapse the various incantations into a single word:

extract () {
  # Dispatch on the archive's extension.  "$1" is quoted throughout so that
  # file names containing spaces or glob characters are passed through intact.
  if [ -f "$1" ] ; then
    # Order matters: the two-part extensions must be matched before *.bz2 and *.gz.
    case "$1" in
      *.tar.bz2) tar xvjf "$1" ;;
      *.tar.gz) tar xvzf "$1" ;;
      *.bz2) bunzip2 "$1" ;;
      *.rar) rar x "$1" ;;
      *.gz) gunzip "$1" ;;
      *.tar) tar xvf "$1" ;;
      *.tbz2) tar xvjf "$1" ;;
      *.tgz) tar xvzf "$1" ;;
      *.zip) unzip "$1" ;;
      *.Z) uncompress "$1" ;;
      *.7z) 7z x "$1" ;;
      *) echo "Don't know how to extract '$1'" >&2 ; return 1 ;;
    esac
  else
    echo "'$1' is not a valid file!" >&2
    return 1
  fi
}

For nearly three years, this simple recipe sufficed.  I added lines for .jar and .tar.xz files, and wrapped the logic in a loop over each parameter, but that was it.  I intended to write bash completion for it, and perhaps honor a -q flag to decrease the verbosity, but it worked well enough.

Recently, however, I discovered dtrx, and it’s even better.  It handles even more compression types, it ensures that everything extracts to a single directory, it has a parameter to list the archive contents instead of extracting them, and it’s easier to type.  Most surprisingly, it handles the kind of .zip files that 7-zip creates, with a compression method that the standard unzip command can’t extract.  It requires Python, but that was barely an inconvenience even in a new Linux From Scratch environment.
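dtrx’s guarantee that everything lands in a single directory is also the safety property an extractor needs: a member named ../something, or a symlink pointing at an absolute path, must not be allowed to write outside that directory.  The Python below is an added example (neither dtrx’s code nor the bash function above); it builds three small constructed archives in memory and extracts each one with a per-member check that the resolved path stays inside the destination.  Member names, link targets and the scratch directory are all assumptions made up for the demonstration.

```python
import io
import os
import tarfile
import tempfile


class UnsafeMember(Exception):
    """Raised for an archive member that must not be written to disk."""


def _inside(dest_real, path):
    """True if the resolved path lies within dest_real (or is dest_real itself)."""
    return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real


def check_member(member, dest_real):
    """Reject members that would escape dest_real, symlinks that point outside
    it, and anything that is not a plain file, directory or symlink."""
    target = os.path.join(dest_real, member.name)
    if os.path.isabs(member.name) or not _inside(dest_real, target):
        raise UnsafeMember(f"{member.name!r} resolves outside the destination")
    if member.issym():
        if os.path.isabs(member.linkname):
            raise UnsafeMember(f"{member.name!r} is an absolute symlink")
        link = os.path.join(os.path.dirname(target), member.linkname)
        if not _inside(dest_real, link):
            raise UnsafeMember(f"{member.name!r} symlinks outside the destination")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeMember(f"{member.name!r}: refusing hard link, device or FIFO")


def extract_archive(data, dest):
    """Extract tar bytes into dest.  Each member is validated immediately
    before it is written, so symlinks created by earlier members are already
    visible to realpath().  Returns the extracted member names."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    # Belt and braces: also apply the stdlib "data" filter where this Python has it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            check_member(member, dest_real)
            tar.extract(member, dest_real, **kwargs)
            extracted.append(member.name)
    return extracted


def build_tar(entries):
    """Build a gzipped tar in memory from (name, kind, payload) tuples, where
    kind is "dir", "file" (payload = text) or "symlink" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample archives (not real packages): one well-formed, one with a
# path-traversal member, one with a symlink pointing at an absolute path.
SAMPLES = {
    "good": build_tar([("pkg", "dir", None), ("pkg/README", "file", "hello\n")]),
    "traversal": build_tar([("pkg", "dir", None), ("../evil.txt", "file", "x\n")]),
    "abs_symlink": build_tar([("pkg", "dir", None), ("pkg/etc", "symlink", "/etc")]),
}


def run_demo():
    """Extract each sample into its own directory under a scratch area and
    report the extracted names or the rejection message for each."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        for label, data in SAMPLES.items():
            try:
                results[label] = extract_archive(data, os.path.join(scratch, label))
            except UnsafeMember as exc:
                results[label] = f"rejected: {exc}"
        # If anything had escaped, it would show up here beside the three dirs.
        results["scratch_entries"] = sorted(os.listdir(scratch))
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The check runs per member rather than once up front because realpath() can only see a symlink after it has been created; validating the whole member list first and extracting afterwards would let a later member route through a symlink that an earlier member planted.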

It could still use a better bash completion method, though.  Maybe I’ll get around to that sometime.

Written by eswald

22 Jan 2013 at 7:00 pm

Posted in Linux, Python, Technology

Magic Git Commit

I’ve finally implemented a magic `git ci` command to resolve my most serious complaint with the version control system I use most.  Now I just have to train myself to use the new `git df` command instead of diff.

Written by eswald

18 Dec 2012 at 5:48 pm

Posted in Linux, Technology

Initial Linux Kernel Configuration

It has been over a week since I started configuring the Linux kernel.  It has over six thousand options, and many of them are decidedly non-obvious.  Half of the acronyms have been unfamiliar to me, and the rest I only know from a long history of poking around in computer internals.  Common words like “gadget” can have specific, sometimes unintuitive meanings.  The help text often gives me just enough information for a web search to teach me most of what I need.  I’ve made at least two major mistakes that I had to go back and fix in order to enable essential pieces.

Written by eswald

30 Oct 2012 at 5:25 pm

Posted in Linux, Technology

Re-Installing Linux

At the moment, my best video card is stuck in a machine with an operating system that I can no longer upgrade.  If I can get Pyglet to work on it, I just might be able to run Dandelion, the recent PyWeek winner.  I had considered wiping the whole machine, but it has some backups that I would rather not disturb, particularly given that some of them are from a laptop that no longer turns on.

That machine has three partitions: the operating system, swap space, and my home directory.  Unfortunately, that leaves no decent space to install a new operating system.  (Note to self: in the future, use five partitions.  Small /boot, two 10-20 GB roots, swap, and large /home.)  Fortunately, I had installed gcc before losing access to the package repositories, so I made the crazy decision to compile Linux From Scratch.  Again.

Written by eswald

23 Oct 2012 at 6:35 pm

Posted in Linux, Technology

git cat perfectionism

At one point, I found a situation where I wanted something like svn cat, but for a git repository.  I managed to find something mostly right, with some links to discussion of various commands involved.  I’m not the first with this problem, which makes me think that a decently perfect script might be helpful.

Written by eswald

24 Jul 2012 at 10:21 pm

Posted in Linux, Technology

Impressions of PCLOS

I’ve been fortunate to collect a few cheap or free computers from organizations that no longer needed them.  At the end of 2010, I obtained one with a freshly-wiped hard drive, and decided to try a new Linux distribution.  After some quick research, I settled on PCLinuxOS.  I had already tried Red Hat, Knoppix, Linux From Scratch, Ubuntu, Mint, and openSuSE to various degrees, with Ubuntu having squeaked out LFS for the majority of my time.

Written by eswald

22 May 2012 at 10:37 pm

Posted in Linux, Technology