OpenSSH: Environmental Override

prerequisite concepts: prelude, basic configuration

This post is as much about customizing the root shell as it is about SSH environment variables, but I'm adding this to my OpenSSH collection because it's applicable to any user.

I occasionally work on servers where, for a variety of reasons, I share an account with one or more other users; this is almost always suboptimal, but it does happen nonetheless. Over time I've grown somewhat partial to zShell, so one method I've used is to log in to a default shell, usually bash, then run zsh.

OpenSSH: Proxy Connections

prerequisite concepts: prelude, basic configuration, port forwarding

Network address translation (NAT) is a very common method of providing secure access to hosts on a private network. Given the limited amount of IPv4 addresses, computer networks with relatively few, very few, and even a single public IP address are common. A typical small business customer of my consulting practice has one or more Linux servers on an office network protected by a firewall. The following is a close look at Example Industries, the theoretical owners of example.com; this customer receives support for two Linux servers, a mail server and a PBX, but only one public IP address between them. Through NAT, public services (namely mail and VoIP) on both servers are accessible via example.com. This works well for inbound mail and phone calls, which only need to access one or the other host, but SSH access is the lifeblood of remote system administration, and there's the rub-- when I enter ssh example.com I land at the mail server. SSH access to the PBX would seemingly threaten to litter my command line with unsightly extra characters, if not subsequent commands outright.

My carpals are tunneled enough, I don't want to type more than ssh mail and ssh pbx to access these servers, and while I'm at it I want to have scripted log-ins as well-- securely, not those namby-pamby no-password keys. In fact, I don't even want to have private keys on either server.

Fear not! With the power of OpenSSH, I can fix this.

Open SSH: Port Forwarding

prerequisite concepts: prelude, basic configuration

Port forwarding is a versatile feature which informs several popular concepts, including X Forwarding and tunneling which are briefly explained below; more advanced port magic will be addressed elsewhere.

X Forwarding
At the end of the previous installment of this series is an example SSH client configuration file, usually located at ~/.ssh/conf; a more complete description of the global declarations shown was deferred until this section, where they are more relevant.

I have seen the light.

Having discovered the advantages of á la carte VoIP pricing, I pondered how to extrapolate my experience for general discussion while avoiding the pitfalls of interpolation and abridgement. The Reference Book of Rates, Price Indices, and Household Expenditures for Telephone Service published by the FCC's Wireline Competition Bureau provides a rough estimate of wireline telephone expenses averaging $45 per month in 2007, based on market research by TNS Telecoms. This isn't too far from my own experience with residential VoIP plans which have tended to average about $35 monthly, including additional fees and charges, which can be significant: on BroadVoice's "Unlimited World" plan, for example, "Taxes & Surcharges" account for about 35% of the monthly total. Based on these data, I use an estimated $35-$45 for generic comparison of monthly residential phone bills, or an average average of $40. As I designed our current, á la carte plan, I surmised that after discounting business use, the residential remainder was unlikely to ever exceed $30 in a single month. As the plan took shape, however, I realized that intelligent planning could lower that even further; somewhere in the neighborhood of a $20 monthly average would certainly exemplify what custom VoIP plans can offer, and half the average isn't a bad talking point. ;-)

OpenSSH: Basic Configuration

prerequisite concepts: prelude

If you're not already using a config file (~/.ssh/config) you should peruse the documentation to see what it offers; an ongoing benefit I enjoy is that it allows me to accomplish more while typing less. Suppose, for example, you need to access two mail servers which are both behind a firewall and sharing a single public IP address. One server uses NAT (port forwarding) to provide user access via IMAP-SSL, POP3-SSL, and perhaps even webmail, all on default ports; similarly SSH can be accessed on port 22. The other server happens to be a mail relay, which handles all of the spam and virus scanning for inbound and outbound mail; while the SMTP, SMTPS, and submission services all enjoy a NAT configuration using default ports, SSH access is on port 23 because port 22 already forwards to the IMAP server and the sysadmin hasn't read this series of articles.

OpenSSH Prelude: Requisite Knowledge

This is a prelude to a series of articles focused on how the sophisticated power of OpenSSH may be harnessed to great advantage with less effort than one might think. Readers already familiar with OpenSSH and passwordless authentication may wish to skip ahead:



OpenSSH: Basic Configuration
OpenSSH: Port Forwarding
OpenSSH: Proxy Connections
OpenSSH: Environmental Override
SSH Coolness ... Even On Windows

Doctor, I've got audit complaints about my kernel log.

AppArmor, introduced to Ubuntu with Gutsy, is yet another security tool unleashed upon the infosphere. In part, AppArmor is intended as an alternative to SELinux, which can easily be seen as daunting to configure; unfortunately, many such projects are daunting for those admins forced to walk the plank of unfamiliarity above a sea of expectations. Despite a troubled history, the project seems to be here to stay so it is likely only a matter of time before audit messages crop up in one's kernel log. For those who find AppArmor unnecessary, unpalatable, or just untimely, herein lies a quick-and-dirty guide for telling AppArmor where to stick its audit complaints.

Arrrgh!

Avast ye corned jiggers; it be Talk Like a Pirate Day.

Three Things to Avoid in a VoIP Provider

Like many others, when I set up my first Linux PBX I knew little about VoIP providers and with few sources of reliable, current information, I made a decision based on name recognition, perceived value, and minimal research. Like many others, I looked for companies who advertised a BYOD plan under the false assumption that said companies would have a clue regarding said devices, despite the cautionary warnings which politely explained that BYO, as used here, means “unsupported”. Like many others, I signed up with BroadVoice believing I had a pretty good deal; in fact, among similar plans offered by cable companies and Vonage, BroadVoice compares rather well.

By the time I started to suspect BroadVoice of stockpiling probiscus laden mammals and bleach, I had already paid setup fees and number transfer fees, and chagrined the thought of early termination fees, more number transfer fees, and a potential three to seven week transfer period. Rather than add to the copious corpus of BroadVoice complaints, I thought I'd focus on what to avoid when choosing a VoIP provider.

But I already have a router!

Verizon is a great company, doing great things, but that doesn't mean they're not evil. I've found that this is an effective maxim which allows me to extol the virtues of Verizon without sounding like I'm drinking the kool-aid. Today I'm hoping it works inversely as well.

When in doubt, test.

Shortly after I last upgraded my mail server, one user reported that his mail client was failing to connect with the message:

"Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server..."

He was the only one known to be having this issue, so after a cursory check of the server with no obvious problems, I suggested that this might be an error on his end, such as connecting to the secure IMAP port without using SSL/TLS. Occam’s Razor suggests that a server error is more likely than a client error which just happens to coincide with a server upgrade, so I eventually decided to dig up some infrequently used commands and perform a thorough analysis.