I discovered that I have quite a few ssh articles on my website, but none of them include how to simply setup SSH-keys. It's so simple and so convenient, lets have a closer look.

First, on your workstation, create ssh-keys using ssh-keygen. I use OpenBSD for this example, the output might slightly differ when using another operating system.

(The username, hostname and fingerprint have been obfuscated in this example.)

For the record:

• /home/username/.ssh/id_rsa is your private key. Keep it secure
• /home/username/.ssh/id_rsa.pub is your public key. Distribute is to all machines your want to connect to.

Be sure to use a good passphrase, together with the private key it is the key to your locked world of machines you will connect to. Also; safe the keys to a secure location, like your USB-stick, or a CD-rom. Loosing the private key or its passphrase means you'd have to do this all over again.

Now you need to put the contents of your ~/.ssh/id_rsa.pub file into ~/.ssh/authorized_keys on every machine you will want to connect to. Specifically; append your public key to the authorized_keys file, as there might be other public keys in there already. Use this ssh distribute script for it or do it manually.

From now on you can start using your ssh-key, but ssh will constantly prompt you for a passphrase. Annoying, so read on.

You can use an ssh-agent to manage your keys and enter your passphrase just once, as you add your private key to the agent. An article exists that describes these ssh-agent tricks.

That's it, good luck using your ssh-keys.

Here is a very simple trick to use serial connection on your apple, a usb port, a usb-serial converter and a serial cable.

1. Install all drivers for that usb-serial converter.
2. Open a terminal. (Find it with spotlight or in the finder.)
3. Type: screen $device $speed. Where device is some /dev/tty.... device and speed something like 9600, 19200, etc.

See how great screen is?!

Do you ever have the situation (say at work using windows) where you would like to connect to a machine over ssh (say at home using Linux/UNIX) but it's not possible because of firewall rules? There might be an http-proxy server available that you could use. Be aware that applying this trick might be technically possible but not permitted. Probably best to discuss it with someone in your organization first. Here are the ingredients:

1. A windows machine to be used as a client.
2. A Linux/UNIX machine to be used as an ssh server.
3. Get Putty or Portable Putty to your client.
4. Find out what http proxy your organization is using on your client.
5. Configure Putty to use that proxy on your client.

Finding out what proxy your organization uses.

There are a few options, going from easy to difficult, you don't have to do each, just one. See what works for you.

1. Open Internet Explorer, click Tools Internet Options.... Go to the tab Connections and click LAN Settings.... In the Proxy server. area, you will find the proxy server and the port. If not; continue and try the next trick.
2. On your windows machine, open a good website and click Start or whatever, then Run... and enter cmd. You will be presented with a crippled terminal. Type netstat -an and search for ESTABLISHED and 8080 or 3128 on one line, the IP can be found in the third column. Mine looks like this: TCP 192.168.1.2:2210 192.168.1.1:3128 ESTABLISHED. The 192.168.1.1 is my proxy server, 3128 the port.

Configuring Putty to use a proxy.

Now that you have the proxy server and the port, lets configure Putty.

1. Open Putty and enter the Host Name where you would like to connect to.
2. Open the plus before Connections and select Proxy. Enter the Proxy hostname and Port.
3. Now select Open. You should be presented with a password challenge.

Congratulations, you are connected!

Here is a first attempt to explain the basis of shell scripting in a screencast. This video is almost 25Mb, 16 minutes and includes explanation of:

1. What is a shell script
2. Why would you want to use a shell script
3. What scripts could you use
4. One sample script that warns a user when a disk is amost full

This screencast covers only simple things like: #!/bin/sh, chmod, df, echo, while-loop, if test, etc.

The format is .mp4, encoded in h.264, a tool like VLC will be able to play it.

In my endless battle for automation, I have written a script that automatically upgrades OpenBSD one release further. This script is usable but requires more attention to be fully utilized. It was able to upgrade my Soekris 4801 from OpenBSD 4.1 to OpenBSD 4.2 without troubles!

The script runs through a few "stages":

1. Check for new OpenBSD release, download kernels and extract firmware.
2. Download other sets and extract them.
3. Upgrade packages.

I recently found a scripts to update /etc from somebody else to cheat a bit.

Some uglinesses:

• Solved - thanks Clint Pachl. It uses wget. Wget is not installed on every box.
• Solved - using bc now. It does some nasty sed&awk tricks to determine the next release.
• It does not apply specific changes per release as described in the OpenBSD upgrade guide
• Solved - using binpatch now. Patches are not applied, only major releases.
• It needs the user to configure what sets need to be upgraded. Would be nice if the script could figure this out autonomously.

The intention of this script is that you run it, reboot if the script requires you to and run it again. The script will guide you though this process.

Please let me know if it works for you, or you had to modify something!

An article describing how to install openbsd fully automatically might also help you.

You might be working in an environment where you always ssh from your machine to the middle machine and then connect to the destination machine. What a waste of time, lets see how you could automate it. The middle machine is frequently referred to as stepstone host.

Requirements

• A workstation. In this example, the hostname is workstation.
• A stepstone machine, the machine in the middel. The hostname is stepstone in this example.
• The command nc (netcat) installed on the stepstone.
• A destination machine, likely a server or your other workstation. (at work for example.) The hostname is destination in this example.

Implementing it

On your workstation, add this sniplet to ~/.ssh/config

Replace destination with the machine your will eventually will connect to. Replace stepstone with the machine that is in the middle. Normally, you always login to that box first, then continue. the -w 180 and ServerAliveInterval 60 are hints that Peter S. has given, see comments below.

After you have altered your ~./ssh/config go ahead and try to connect directly to your destination machine.

Wow your automated it! The only thing is these stupid passwords. Check out how to implement ssh-keys into your session and how to distribute keys. This is not required, but after a few days of password typing, you will want to setup ssh-keys properly.

Extras

Here is a sniplet of a more complicated configuration:

Setting values without specifying a host, makes that value count for every host. The ServerAliveInterval is set for every host. If I connect to stepstone, I will use the username myotherusername. In the bottom declaration a * is used. This implies that all machines in the 192.168.1.0/24 network will be using this part of the configuration. When logging in to a machine in the 192.168.1.0/24 network, then you will use the username yourusername.
You can do many tricks with openssh, check out the manpage of ssh for more information.

What a good month for geeks like us that like to upgrade!

• OpenBSD 4.2 is coming on 1st of November 2007 - party
• Ubuntu Gutsy Gibbon 7.10 is already released since the 18th of October 2007 -party
• Apple Mac OS X 10.5 Leopard is coming the 26th of October 2007 - party

November and December are scheduled to be the upgrade months!

You know it can be cumbersome to copy over your public ssh-key to every server you have ever been to, so you push the action "automate ssh login" further and further into your personal planning.

Now it's time to distribute keys for once and for all. Let's use a script to speed things up a bit.

Update, check out ssh-copy-id(1). It does the same thing but is packaged with a openssh, far better than custom scripts! Thanks Davee

What this script does it copy over your public ssh key to a server and set the permissions of the directories correct. This can be difficult from time to time.

The script will ask you once for your password on the remote server and do everything in that one session.

Here is how you could use the script:

Or if you have a list of server (extract them from ~/.ssh/known_hosts) you could use this list like this:

Here is a recipe to boot OpenBSD (4.1) from an OpenBSD (4.1) box. This can be used to boot any machine that has no disks and supports pxeboot. The advantage is you save a little money on not buying hard-disks, but on the other hand, the "server" that serves everything must be always on.

This could be a good solution in a clustered environment.

Well, if you decide you would like to play, follow these instructions.

Install an OpenBSD system. This will be your boot-server. Just select generic settings that you prefer.

Here is the IP-scheme I have used:

When the install is done, modify these files on the boot server to look like this.

First, configure an IP-address.

Then make sure some daemons are started at boot time on the boot server.

For rarp, add an entry like this to represent the client "diskless". The first column, the mac-address will need to be changed to the mac-address of the client you would like to boot. You can find out a MAC-address of your client by typing ifconfig on it, but you then need some sort of an os. Try a livecd from whatever distribution you like.

Also add this machine to the hosts file. I gave my client the 192.168.1.253 IP-address, change it to anything you like. This IP-address is the address the kernel will boot with.

Tell the clients kernel where to get the root directory and swap from.

Configure DHCP. This is used by PXEBOOT, and by the running Operating System, but not by the kernels IP address. It is logical and wise to use the same IP address here and in /etc/ethers, /etc/hosts, but it's not required.

Make sure tftp is started in inetd.conf. (I enables only the default, not the ipv6 version.)

The /tftpboot directory must contain the pxeboot code and an openbsd kernel called bsd. (By the way, replacing that bsd by bsd.rd makes this an install-server!) You can get these file form any openbsd mirror in the pub/OpenBSD/4.1/i386/ directory.

Now export a few filesystems in /etc/exports.

And create the 128 megabytes swap space like this:

Now you will have to unpack some sets (the minimal base41.tgz and etc41.tgz) into the diskless root and create a few devices. The sets can be downloaded from one of the openbsd mirrors. The devices, like /dev/console also need to be created.

Be aware about the -p option in the tar extract, it preservers permissions and that is required.

Also edit the /export/diskless/root/etc/fstab.

At the end of this all, reboot the server to start everything.

When the server is booted, boot up the client and see the magic! Here is an overview of what happens:

1. The machine boots and runs the built in PXEBOOT.
2. PXEBOOT will do a DHCP request.
3. The DHCP server will tell the client it IP-address and what to boot (pxeboot).
4. The /ftpboot/pxeboot is downloaded using tftp.
5. The downloaded pxeboot is executed. This downloads the kernel (bsd) and start that kernel.
6. The bsd kernel does a rarp (/etc/ethers, /etc/hosts, /etc/bootparams) request to find out who he is, and where to get the swap and root filesystem.
7. The kernel mounts swap and root and starts /sbin/init.
8. From here on init takes over and normal OpenBSD boot will proceed.

Now check if it boots, there is still a few things to do. Lets set a hostname in /export/diskless/root/myname and set the password.

Now you are done! have fun with it!

I have installed this setup in a virtual host on my intel mac, you can download a packed-up version of the images and the configuration to peek around. The root password installed on these images is "OpenBSD"
The Vmware Fusion boot-server. (229 Mb packed)
The Vmware Fusion client. (27 Kb packed)

Yesterday I heard a lecture about marketing from Karen Romme.

One thing I remembered was this simple trick:

Whenever you go to a lecture/congress/information-event/etc. Stand up once to ask a question but introduce yourself like this: (Modified to my situation)
"Hi, I am Robert de Bock, a UNIX/Linux consultant. (insert question here)"

Chances are that somebody will approach you afterward. The person that comes to you could be interesting for your network...