Category Archives: Debian

Making the Yubikey 4 talk to GPG on Debian Jessie

I’ve just bought myself a Yubikey 4 to experiment with.

The U2F and OTP features are of some interest, but the main thing I bought it for was PGP via GnuPG. I was disappointed to discover that it works (at least as far as gpg –card-status showing the device) on current Ubuntu (15.10) and even on Windows (!), but not Debian stable (Jessie). Still, this is quite a new device…

In every case on Debian/Ubuntu, you need to apt-get install pcscd

For the non-internet-connected machine on which I generate my master PGP key and do key signing, I can just use the Ubuntu live CD, but since my day-to-day laptop and desktop are Debian, this does need to work on Debian stable for it to be of much use to me. A bit of digging revealed this handy matrix of devices, and the knowledge that support for the Yubikey 4 was added to libccid in 1.20. Meanwhile, jessie contains 1.4.18-1. Happily, a bit more digging revealed that retrieving and using the testing package’s version of /etc/libccid_Info.plist was enough to make it all start working:

[[email protected]:~]$ gpg --card-status                            (28/11 20:20)
gpg: detected reader `Yubico Yubikey 4 OTP+U2F+CCID 00 00'
Application ID ...: XXX
Version ..........: 2.1
Manufacturer .....: unknown
Serial number ....: XXX
Name of cardholder: David North
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: david
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

I’ve raised a bug asking if the new config can be backported wholesale to stable, but meanwhile, you can copy the file around to make it work.

For U2F to work in Google Chrome, I needed to fiddle with udev as per the suggestions you can find if you Google about a bit. The OTP support works straight away, of course, as it’s done by making the device appear as a USB keyboard.

APT and HTTP redirects

Recently, I was issued with a rather nice Thinkpad X230 for my new work laptop. Not being a huge fan of Windows 8, I decided to go for Debian as my operating system. And this presented me with a problem: my company has a local mirror of the Debian archive which I’d like to use in my /etc/apt/sources.list, as when I’m at the office, I have a fast network connection to it. But if I configure things that way, I’m out of luck outside the office if I want to install or update packages, as the private mirror isn’t visible to other networks.

Inspired by the Raspberry Pi’s mirror director (which takes advantage of the way APT follows HTTP redirects), I put together a solution to redirect me to the right mirror depending on where I am (based on a fairly naive reverse DNS lookup). Note that when you don’t have a private mirror around, you can use to apply the same redirection trick to point you at a nearby mirror based on geolocation of your IP address, etc.

It’s been running for a couple of weeks for my laptop’s use and seems to work. The only disappointment is that apt-get doesn’t print out the redirect chain, so you have to take it on faith that you really have been directed to the right place (of course, you can get a good idea of that by hitting up the redirector URL in a browser).

See Bitbucket for the code and deployment instructions. Let me know if you’re using it!

EDIS’ Raspberry Pi colocation

A few weeks ago, the story broke that hitherto unheard of (by me, at least) Austrian hosting firm EDIS was offering free co-location of Raspberry Pis in their data centre. Since I hadn’t really found a use for mine (like almost every geek I know who bought one ‘just because’), I decided to give it a go. The plan is to use it to run Nagios to keep an eye on various machines I run back here in the UK.

This guy describes how you can make a start, and I pretty much followed his lead – install the basic Debian image from the official RPi site, then rip out everything graphical, set up an SSH server, firewall it and expand the root partition to fill the SD card. In my case, I didn’t bother shipping a USB stick in it – the 16GB SD card should be all the storage a basic monitoring installation will ever need.

The last thing to do before posting it (along with a USB cable to power it) is configure the IP addresses they gave you (you were cool enough to ask for IPv6 too, right?). I wrote /etc/network/interfaces like this:

auto eth0
allow-hotplug eth0
iface eth0 inet static
  address w
  gateway x
iface eth0 inet6 static
  address  y
  # we're assigned a /112, but the routing is /48 based
  netmask 48
  gateway z

Obviously, replace the ws, xs, ys and zs with the settings they e-mailed you.

It’s worth noting (I had to ask EDIS to clarify this) that they don’t provide IPv4 DNS servers for you to use – go for Google public DNS or similar, with /etc/resolv.conf like this:


There’s not much you can do to test you’ve got the networking right, but I did boot it and check eth0 came up when a cable was plugged in, with the right IPs on it. You can also check the output of ‘sudo route -a’ to make sure the default route goes via the gateway it should.

I posted my Pi (Royal Mail’s standard air mail – cost about £2) this morning. I’ll write a follow-up when it’s arrived and running.

British Gas find a new way to annoy me…

As if they weren’t an inefficient enough organisation to deal with in other respects, today a division of British Gas asked me to send them a remittance advice to:

CardiffC&[email protected]

Yes, that really is an ampersand in the local part. Sufficiently unusual that trying to send to it upset my default-configured installation of Exim:

rejected RCPT <CardiffC&[email protected]>: restricted characters in address

You can tone down the (perfectly reasonable) check for these iffy characters by exempting from it: edit /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt and edit the domains line of the second ‘restricted characters in address’ ACL to read:

domains = !+local_domains : !

Slow outbound e-mail?

I’d noticed for years that sending outbound e-mail from Thunderbird to my server on port 587 took far longer than it should have – about six seconds of staring at the progress bar.

Today, I was finally bored enough to work out the cause: Exim is configured to perform ident checks, which take 5 seconds to time out. Since port 587 only accepts mail from authenticated users, we can disable the ident checks for it:

rfc1413_hosts = ${if eq{$interface_port}{25}{*}{! $sender_host_address}}

If you’re running Debian, change the above in /etc/exim4/conf.d/main/02_exim4-config_options.

update-grub not working on your Debian Squeeze domU?

We‘ve been having a spot of bother with update-grub not working on our Debian Xen guests since upgrading them to squeeze.

The symptom: update-grub (as run after the installation of a new kernel package) fails because it’s ‘unable to find [a] GRUB drive for /dev/sda2 – check your’. This happens using both grub-legacy and the new grub-pc package.

You’ll probably have run into this if your guests were created using xen-tools.

Skipping over the related bugs, the long and short of it seems to be:

  • The way Xen pokes /dev/sda1 and /dev/sda2 (which are probably LVMs on your dom0) into your guests without a corresponding block device confuses grub
  • grub used to be dumb enough to ignore the mysterious presence of ‘partitions’ with no block device and carry on anyway
  • The versions in Debian Squeeze are just clever enough to be dangerous and fall over in this situation

Happily, we’ve worked out the fix. Grub is hard-coded to do the right thing in this situation if your disk devices are called ‘/dev/xvd[a-z]’, so you need to:

  1. Fix all references to ‘/dev/sda2’ to read ‘/dev/xvda’ (and /dev/sda1 to /dev/xvdb). In practice this means grub’s menu.lst and possibly your /etc/fstab if that isn’t by UUID
  2. Edit the /etc/xen/guest-name file on the dom0 to rename the partitions (change the ‘root’ specifier and the lines in the ‘disk’ list)
  3. Destroy (sudo xm destroy) your guest. Note that you must destroy and recreate it; rebooting won’t give Xen a chance to rename the devices.
  4. Bring it up again with xm create -c config-file
  5. Profit.

2011 geek wishlist

In no particular order…

  • That Debian Squeeze will release in Q1 2011
  • That I’ll discover a J2EE Servlet Container which isn’t totally horrible
  • That some kind of reconciliation between the JCP and Apache will occur
  • That Java 7 won’t be delayed forever
  • That Python 3 will get adopted faster than PHP 5 or Java 1.5 did
  • That we’ll finally see some major UK ISPs offering IPv6

Leave a comment if you can see anything I’ve missed, and we’ll check on them all at the end of the year…

Converting Word documents to PDF with OpenOffice and Python

The problem

A word document (plain old .doc, not 2007) should be received by e-mail, fed to a script, turned into a PDF and published on a website.

At my disposal

My server running Debian ‘Lenny’, which does not have a display of any kind.

How hard can it be?

Harder than it should have been, as ever. Here are my steps:

# aptitude install python-uno xvfb unoconv

You’ll note the inclusion of Xvfb there, because it turns out that “headless” mode in OpenOffice isn’t really headless at all. Sigh. Also sigh some more at the broken dependencies of the unoconv Debian package.

Now we can write our script to do the actual conversion. Shame it took twice as long as it should have…

mod_wsgi delivers on the promise

It’s been over a year since I deployed Django in production, and I wasn’t looking forward to it. Last time, I had a lot of trouble with mod_python, sessions and decimal objects refuising to pickle.

Thankfully, all this really seems to have grown up in the last year – mod_wsgi is now the recommended way of deploying Django in production, and following the mod_wsgi django instructions, I was in business in 20 minutes. No fuss, no mess, no drama, and best of all, using daemon mode, no noticeable performance hit when serving static files and PHP off the same Apache installation. The ability to run the django project as its own unprivileged user when using daemon mode is also real handy.

On leaving Slicehost

Just over 18 months ago, I signed up for a 256slice from Slicehost to host this website, my email, etc. Later this week, I shall be shutting the machine down and cancelling my account with them.

For the record, this has nothing to do with the level of service I’ve received from them – I’ve always found their support team quick to respond and helpful, and their articles site and wiki are both very handy.

However, a combination of fluctuations of the pound against the dollar, a surge in demand for RAM by my applications and sites, and my getting increasingly fed up with transatlantic ping times of 130ms meant the machine was becoming unfit for purpose and overloaded.

Thus, I have now found a reasonably cheap way to bring “my stuff” home to hosting in the UK. About which, I will be writing more shortly!

So goodbye, Slicehost, and keep up the good work. I’d certainly recommend you to anyone who lives in America and needs a VM.