David North

I bought myself an Advent 4211 last week (you might know it as the MSI Wind; they’re essentially the same thing). So far, it’s lived up to expectations; there are just a couple of things to say…

• Mine seems to have the decent Synaptics touchpad - read The Register’s review for the warning about the other one.
• You really need to use headphones with it if apps you’re listening to don’t have a very good sound level - inevitably in a device this size, the speakers aren’t great, especially at full volume.

How the Linux install on it goes is something I shall let y’all know shortly…

I’ve been aware for some time that my DNS isn’t quite as securely configured as I’d like. http://crashrecovery.org/named/ looks pretty good, but the two main issues bugging me were:

1. Anyone could do a ‘dig @ns.dnorth.net dnorth.net AXFR’ to retrieve a listing of all my DNS records - not great from a security point of view. This is a capability that should only be turned on for secondary DNS servers which need to fetch from the master.
2. The server would perform arbitrary lookups [for any domain] on request. This means it’s operating in ‘recursive mode’, which is a Bad Thing for various reasons.

The solutions were:

1. Add “allow-transfer { “slaves”; };” (without the double quotes) to the section of the configuration beginning “zone ‘dnorth.net’”. Then add a section defining the “slaves” access control list to be the local server, plus the secondaries: “acl slaves { 127.0.0.1; 123.45.67.89; }” replacing 123.45.67.89 by the IP address(es) of your secondary nameserver(s).
2. Add “recursion: no;” to the “options” section of the configuration.

Then restart the BIND9 service - on Debian, this is “/etc/init.d/bind9 restart”.

Health warning: Don’t do (2) above if you rely on your server to do its own DNS resolution - follow the crashrecovery tutorial above instead.

I did a lightning talk to CompSoc last night on whether 64bit is ready for use on the desktop - if you’re bored, you can download the slides and the second of my famous sketch and scanned graphs.

gq has been a necessary evil in my life for some time now. I need a graphical LDAP client for use on the CompSoc systems, but gq (to be fair, the versions of gq packaged for Ubuntu) seems to be very buggy, segfaulting all over the place if you try to do anything other than browse with it.

Last week, after upgrading to a 64bit version of Ubuntu for the first time, I finally ditched gq, after running into identical symptoms to this Debian bug.

The good news is that there’s an alternative that actually works: it’s called Luma.

Have fun.

The epic tale of how my new mail setup was born

My personal email has been on a rough ride over the years: from a reasonably nice (Microsoft based!) school email setup in 1999, which sadly got removed when Windows 98 was introduced, I went through three Hotmail accounts. I had a brief flirtation with GMail, but not being all that keen on the means of delivering advertising, I ended up back on Hotmail.

Registering dnorth.net last year at least ensured my email address would no longer change, but the technical capabilities of the two mail servers holding the mail still left much to be desired: flaky, unreliable spam scoring, no facilities for server-side filtering/sorting, sheer lack of customisability…

Last week, I finally did something about it. At my disposal was my VPS, running Debian Linux 4 (’etch’). On the wishlist were:

• Accurate server-side spam scoring with SMTP-time rejection of the most obvious spam
• Sender verification
• Sieve filters for server-side sorting into folders
• All mail stored on the server and accessible over secure IMAP

Thankfully, none of the above is too difficult: some pretty good instructions are Out There for most of it. The ones I used were:

• Exim4 on Debian with SpamAssassin, ClamAV, Virtual Domain Alias Files and Message Size Limits per Domain
• Exim + Sieve + Avelsieve Howto
• Handling mail for multiple virtual domains with exim4

Please remember, I am not responsible for the content of external sites (e.g., the links above), nor can I accept any responsibility for the consequences of acting on the points below…

I ran into a couple of issues:

• Permissions on the .sievesource files generated by AvelSieve - I needed to chmod g+w on /var/lib/squirrelmail/data and chown it to www-data:www-data in order to reach a state where Exim could read the file, and Avelsieve could write it.
• Exim4’s native sieve implementation only has the core features in it, not the extensions defined in RFC 3431. I dodged the issue by matching the number of *s in the X-Spam-Score header using string matching, rather than numeric checks on the X-Spam-Score.

All in all, though, it’s working a treat. Email perfection at last!

Twelve months ago, I installed Linux (Kubuntu) on my laptop.

Twelve minutes ago, I got the wireless card working with my WPA-PSK home network.

A combination of the progress made on drivers over the last year, and finding which of the squillions of instruction sets out there Actually Worked has finally got things going - rather than recount it all here, I’ll point owners of the HP Pavilion dv5157eu to this page, and advise everyone else as to how I found it: do a Google search for some combination of ‘ubuntu’, ‘wireless’ and your laptop’s exact model number.

Edit: My wireless happiness sadly didn’t survive a hibernate or a reboot. Turns out the line of the page which says do ’sudo echo ndiswrapper > /etc/module’ actually means, as far as I can tell, that you should do:

sudo -s
echo ndiswrapper >> /etc/modules

As ever, follow my advice at your own risk.

A problem which has been bugging me for a while is my Konsole and Yakuake terminal sessions ceasing to respond to input for no apparent reason. The symptoms are always the same: the session seemingly stops responding to key presses, yet if I was running screen inside the session, reattaching it elsewhere reveals the characters from the missing key presses.

The answer turns out to be that hitting scroll lock locks the terminal so that the arrow keys scroll it rather than cycling through previous commands, and this also prevents key presses updating the display. My Yakuake hotkey is F12, which is next to scroll lock on my laptop.

So now you know.

See the relevant RFC for the background.

Here’s how I implemented this for my Debian server, with Bind9 handling my DNS:

1. Generate the DNS records by typing this at a shell prompt on the system whose fingerprints you want to publish (make sure you include the trailing dot after the hostname):

   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_dsa_key.pub
   
   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_rsa_key.pub

2. The above will print two records, each a line beginning “thehost.thedomain.wherever IN SSHFP”. Paste them into the Bind9 zone file on the primary DNS server for the relevant domain/subdomain, each on a new line.
3. Reload Bind9 service on the DNS server by typing

   sudo /etc/init.d/bind9 reload

Before:

$ ssh jasper.dnorth.net
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Are you sure you want to continue connecting (yes/no)?

After:

$ ssh jasper.dnorth.net -o VerifyHostKeyDNS=yes
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Note that you have to force the OpenSSH client to check for the key in DNS with the -o VerifyHostKeyDNS=yes option, which you can of course put in your ~/.ssh/config file too - see “man 5 ssh_config” for more.

Note also that PuTTY has yet to implement the RFC, as per this page, and I agree with their doubts over whether it’s worth any immediate attention. Still, it’s quite nice to have around as an extra layer of reassurance.

Last week, I gave a Lightning talk to CompSoc on the subject “Linux vs. Windows- which is better?”. It seemed to go down fairly well (I wasn’t lynched outside afterwards…), and following a request from Will for the, er, “interesting” graph that was on one of my slides, here they are. There’s also a JPEG of the graph as I scanned it, and my speaker’s notes.

So, as those not reading via one of the planets will be aware, I’ve rolled out the fourth (or is it fifth?) new theme for this site since May 2007. I’m definitely more pleased with this one than any of its predecessors, and intend to stick with it for a good while.

In other news, I blew £160 on new technology for my desk this week: specifically, a new 4GB USB pendrive to replace my ailing 256mb one, a 250GB external hard disk for my backups, and best of all, a 19 inch TFT monitor to act as a second screen for my laptop.

All of the above were very reasonably priced over at Dabs, and the £100 inc delivery cost of the monitor in particular came as a very pleasant surprise.

This is the first time I’ve given multiple monitors a serious go under Linux (specifically Kubuntu), and KDE certainly puts Windows (at least up to and including XP) into the shade here: a taskbar on each monitor? Yes, it can do that. Separate background images per monitor (without silly hacks involving stitching image files together)? Yes. Only show the buttons for the windows on this monitor on this monitor’s taskbar? Certainly, sir.

It’s only been two days, but I’m already wondering how I ever managed without a secondary screen. It certainly made finishing the new theme for this site a lot easier.