Using screen in multi-user mode


GNU Screen is a wonderful tool. It can be a little tricky to master, but once you know its power, you wonder why it isn’t installed by default in every distro.

I recently had the need to connect to an existing screen owned by another user, and after a bit of struggling, I did find the solution. This is what I did.

  • Check if the setuid is set to root on the screen binary.
    In Arch Linux it is set by default, which is what we want. If it were set for group or others it would be a security issue. To know which bit is set, execute:
$ LC_ALL=C getfacl /usr/bin/screen
getfacl: Removing leading '/' from absolute path names
# file: usr/bin/screen
# owner: root
# group: root
# flags: s--
user::rwx
group::r-x
other::r-x

As you can see in the “flags” line, the bit is set for the owner (root), which is fine. If you want to change the setuid to the owner, do:

$ sudo chmod u+s /usr/bin/screen
$ sudo chmod g-s /usr/bin/screen
$ sudo chmod -t /usr/bin/screen

Or just in one line with

$ sudo chmod 4755 /usr/bin/screen

Where the first digit (4) corresponds to the “owner” bit set to one and the group and sticky bits set to zero, according to the following table:

owner  group  sticky    number
  0      0      0         0
  0      0      1         1
  0      1      0         2
  0      1      1         3
  1      0      0         4
  1      0      1         5
  1      1      0         6
  1      1      1         7
  • User “A” starts the screen command
    To identify the session easily, you can name it by doing
userA@localhost$ screen -S sharedSession

Where sharedSession will be the name of the session we want to set.

  • User “B” connects via ssh to the computer where user “A” started screen.
  • User “A” has to allow user “B” to connect to the screen session by doing
Ctrl + a :multiuser on
Ctrl + a :acladd userb

Where userb is the username of the user “B”.

  • User “B” now can connect to the shared screen from user “A” by doing:
$ screen -x usera/sharedSession

Where usera is the username of user “A” and sharedSession the shared session name.

If the user who shares the session is root and a non-root account tries to connect, you may need to give everyone write permission on /var/run/screen/; the system will let you know if that is the case.

# chmod 777 /var/run/screen
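
The permission check from the first step can be scripted. This added example (not part of the original post) decodes the leading octal digit according to the table above and accepts the binary only when it is owned by root, has setuid alone set, and is not writable by group or others. It assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# decode_special MODE: name the special bits in the leading octal digit.
decode_special() {
    case ${#1} in
        4) digit=${1%???} ;;   # e.g. 4755 -> 4
        *) digit=0 ;;          # e.g. 755 has no leading digit
    esac
    out=""
    if [ $((digit & 4)) -ne 0 ]; then out="$out setuid"; fi
    if [ $((digit & 2)) -ne 0 ]; then out="$out setgid"; fi
    if [ $((digit & 1)) -ne 0 ]; then out="$out sticky"; fi
    out=${out# }
    echo "${out:-none}"
}

# check_screen_mode MODE OWNER: succeed only for a root-owned binary with
# setuid alone set and no write permission for group or others.
check_screen_mode() {
    special=$(decode_special "$1")
    perms=${1#"${1%???}"}              # last three digits
    group=${perms#?}; group=${group%?}
    other=${perms#??}
    if [ "$2" != root ]; then
        echo "FAIL: owner is $2, expected root"; return 1
    fi
    if [ "$special" != setuid ]; then
        echo "FAIL: special bits are '$special', expected setuid only"; return 1
    fi
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "FAIL: mode $1 lets group or others modify the binary"; return 1
    fi
    echo "OK: mode $1, owner $2"
}

# audit_binary PATH: read mode and owner with GNU stat, then apply the check.
audit_binary() {
    info=$(stat -c '%a %U' "$1") || return 1
    set -- $info
    check_screen_mode "$1" "$2"
}

# Path from the post; skipped when screen is not installed.
if [ -e /usr/bin/screen ]; then audit_binary /usr/bin/screen || true; fi
```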

How to create an access point using your wifi adapter


Imagine you have only an Ethernet cable and more than a laptop to connect to the Internet (i.e.: your mobile phone, the laptop of a friend and his mobile phone, etc). Imagine you’re in an underground Data Center, or in a hotel room where you don’t have wifi (for example, in Japan). If you had an Access Point, you could simply connect that cable to it and every device would go through it…

Well, if you have GNU/Linux, you can accomplish it very easily. We’ll see how.

  • [OPTIONAL] Blacklist the manufacturer module

I faced some troubles when I tried to create the ad-hoc connection, and I solved it by blacklisting the manufacturer wmi module, so to see if you have any loaded you can do:

lsmod | grep wmi
acer_wmi 20480 0
sparse_keymap 16384 1 acer_wmi
wmi_bmof 16384 0
rfkill 20480 7 bluetooth,acer_wmi,cfg80211
wmi 20480 2 wmi_bmof,acer_wmi
video 36864 2 acer_wmi,i915
i8042 24576 1 acer_wmi
led_class 16384 4 sdhci,input_leds,acer_wmi,ath9k

As my laptop is an Acer, the module obviously is acer_wmi. Select the one you think is yours and blacklist it with something like

echo "blacklist acer_wmi" > /etc/modprobe.d/acer.conf

And reboot to apply.

  • Creating it with NetworkManager

With NetworkManager, creating an Access Point connection is pretty straightforward. You need to:

  1. Create a Wi-Fi Connection (Shared)
  2. Put a name for the connection (like Access Point Connection)
  3. Put a name for the SSID (like LinuxAP)
  4. On “Wi-Fi Security” tab, select “WPA/WPA2 PSK” and set the password for your network
  5. Save
  6. On the same computer you just created the Access Point network, connect to that “LinuxAP” network with the provided credentials.

Ready. Now take your mobile phone and browse the Wi-Fi networks: you’ll see a new one named “LinuxAP” and you will be able to connect to it with the password you provided.

To bring down the Access Point, simply use NetworkManager to disconnect from “LinuxAP”. Immediately, all connected devices will be disconnected as well.

  • Creating an Access Point within the command line

The easiest way to create an access point without NetworkManager is using the script create_ap.

sudo pacman -S create_ap

Once installed, let’s create our Access Point with

# create_ap ap0 WIRELESS_INTERFACE LinuxAP WPA2_PASSWORD

And let it run in a terminal. It will create an adapter called “ap0” that exists as long as the create_ap script runs.

ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether b8:ee:65:1e:13:95 brd ff:ff:ff:ff:ff:ff
 inet 192.168.12.1/24 brd 192.168.12.255 scope global ap0
 valid_lft forever preferred_lft forever
 inet6 fe80::2257:61cf:b9ce:5873/64 scope link 
 valid_lft forever preferred_lft forever

You can grab your mobile phone and connect to “LinuxAP” using the WPA2_PASSWORD. When you want to bring down the Access Point, just go to the terminal where create_ap is running and press Ctrl+C to shut it down.

Note: If you use the create_ap approach, it will blacklist your wireless device in NetworkManager. If you plan to manage that device with NetworkManager, keep in mind that you will need to modify /etc/NetworkManager/NetworkManager.conf, comment out or delete the unmanaged-devices line, and restart NetworkManager.service.

 

Evolution keeps asking for passwords on Plasma (KDE)


I don’t like Evolution so much because I’m very used to Thunderbird, but in some places, for a weird and strange reason, the security guys block the SMTP/POP/IMAP ports and let only the MAPI protocol work. Those offices are usually Windows-only places, and when I go as an external consultant I face many troubles.

In my job, we use Exchange (and SOGo), and Evolution has a nice integration with Exchange. We only need the EWS/OAB URLs and domain credentials to set up our PIM and mail client. As those use the HTTP protocol, there is virtually no place where I can connect to my Exchange mail server.

On a recent installation I faced an annoying issue with Evolution. It kept asking for a password when I launched the application, each time I wanted to write/answer an email and each time I wanted to send that email.

At first, I didn’t mind that it asked for a password sometimes, but today I’ve configured a second Exchange account, and Evolution asked TWICE for all those passwords. So entering six passwords in order to send an email is just ridiculous.

The solution for this is quite simple. Evolution doesn’t use KWallet password management but GNOME’s seahorse. So, to get Evolution to stop asking for passwords, we only need to do:

sudo pacman -S seahorse

It will install only the gnome-keyring and seahorse packages, 10MB in total. Those will also be useful for other GNOME-based applications which don’t consider any password manager other than gnome-keyring.

 

Lock and unlock the KDE desktop with a bluetooth device


Today my mouse’s right button stopped working, so I searched my desk drawer and found a bluetooth mouse… I don’t usually like bluetooth devices, but if there is no other option… so, after installing some basic bluetooth packages like bluez and bluez-utils and starting some daemons like bluetooth, like this

sudo pacman -S bluez bluez-utils
sudo systemctl enable bluetooth
sudo systemctl start bluetooth

I finally could open System Settings and pair my new old mouse and continue working 🙂

But some years ago I played with a piece of software called BlueProximity, which can lock and unlock your computer based on the proximity of a bluetooth device you previously paired with the application.

I have taken a look into AUR and someone has prepared a package which works flawlessly. So first we can install it with

yaourt -S blueproximity --noconfirm

And then we can start it right from the menu

Once started, we must first pair a bluetooth device. It’s supposed to work with any bluetooth device. When this application was developed, back in the ’00s, PDAs and phones were the only bluetooth-powered devices; nowadays we might prefer to pair with a smartwatch or another bluetooth-enabled IoT device 😉

Using it is pretty straightforward

  • Make your desired device visible in its settings
  • Click on “Scan for devices”: your device should be shown on the list.
  • Select your device and click on “Use selected device”: its MAC is now copied to a text field below the former buttons.
  • Click on “Scan channels on device” to let the application scan for usable communication channels.

Now the device is paired with BlueProximity. BlueProximity is a GNOME application, and if, like me, you are using KDE, the lock and unlock commands will not work for you, so let’s configure the right commands.

On the “Locking” tab, we put this

The fields are

Locking:

dbus-send --type=method_call --dest=org.freedesktop.ScreenSaver /ScreenSaver org.freedesktop.ScreenSaver.Lock; xset dpms force off

Unlocking:

qdbus | perl -ne 'qx/kquitapp $1/ if /(kscreenlocker_greet-\d+)/'; xset dpms force on

Proximity:
If you want to unlock the computer as you come near:

qdbus | perl -ne 'qx/kquitapp $1/ if /(kscreenlocker_greet-\d+)/'; xset dpms force on

If you want only to wake up the screen

qdbus org.freedesktop.ScreenSaver /ScreenSaver SimulateUserActivity

If your version of KDE is below 4.13, you may need to use these other commands.

Locking:

qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock

Unlocking:

killall -9 kscreenlocker

‘authentication key already exists’ error when adding a proxmox node to a cluster


Today I shall not write about Arch Linux but about Proxmox VE, since I faced a problem after rebooting one of the cluster’s nodes and seeing it had lost all network configuration due to the horrible and broken Debian apt autoremove feature… one is used to pacman, and apt needs a major rewrite to avoid the dependency hell it cannot leave.

Returning to the topic, if you need to add or re-add a node to an existing cluster you should do it with this command from the node you want to add:

# pvecm add clustered_node_IP_or_name

Then, the usual behavior when you add the node for the first time is to copy the keys from the cluster node to the new node, modify cluster.conf to add an entry for the new node, and then start all related daemons, like cman or rgmanager.

But if you are adding this node again, you will probably end up with this error:

# pvecm add clustered_node_IP_or_name
authentication key already exists

I searched the Internet for this message and many people ended up reinstalling the conflicting node, which is not a good solution at all, so I tried to find a better one.

Obviously, somewhere in the current cluster configuration is the key for that node, and after some time searching for it everywhere on the system, I decided to try a trick, taking advantage of the fact that the key is already in the configuration.

So, the first thing we need to do is to modify cluster.conf manually and add this node. In Proxmox, we need to copy /etc/pve/cluster.conf into a file called /etc/pve/cluster.conf.new and edit that copied file:

# cp /etc/pve/cluster.conf /etc/pve/cluster.conf.new
# nano /etc/pve/cluster.conf.new

<?xml version="1.0"?>
<cluster name="pvecluster" config_version="5">

<cman keyfile="/var/lib/pve-cluster/corosync.authkey">
</cman>

<clusternodes>
<clusternode name="pve01" votes="1" nodeid="1"/>
<clusternode name="pve02" votes="1" nodeid="2"/>
<clusternode name="quormox" votes="1" nodeid="3"/>
</clusternodes>

</cluster>

We need to increase the config_version value by one, and then add the line <clusternode name="quormox" votes="1" nodeid="3"/>, giving the desired name and ID.
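
The same edit can be scripted so that the version bump and the new entry are never forgotten or duplicated. This is an added example, not part of the original post: add_cluster_node is a hypothetical helper and the sample file is constructed; on a real node the source and destination would be /etc/pve/cluster.conf and /etc/pve/cluster.conf.new.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and values are constructed.

# add_cluster_node SRC DST NAME NODEID (hypothetical helper)
# Writes DST as a copy of SRC with config_version + 1 and one more clusternode.
add_cluster_node() {
    src=$1 dst=$2 name=$3 nodeid=$4
    # Refuse duplicates so the new file never has two nodes with one identity.
    if grep -Fq "<clusternode name=\"$name\"" "$src"; then
        echo "node name $name already present" >&2; return 1
    fi
    if grep -Fq "nodeid=\"$nodeid\"" "$src"; then
        echo "nodeid $nodeid already in use" >&2; return 1
    fi
    awk -v name="$name" -v id="$nodeid" '
        /<cluster / && match($0, /config_version="[0-9]+"/) {
            ver  = substr($0, RSTART + 16, RLENGTH - 17) + 1
            head = substr($0, 1, RSTART - 1)
            tail = substr($0, RSTART + RLENGTH)
            $0 = head "config_version=\"" ver "\"" tail
            bumped = 1
        }
        /<\/clusternodes>/ {
            printf "<clusternode name=\"%s\" votes=\"1\" nodeid=\"%s\"/>\n", name, id
            added = 1
        }
        { print }
        END { exit !(bumped && added) }
    ' "$src" > "$dst" || { rm -f "$dst"; return 1; }
}

# Constructed sample: a two-node cluster.conf at config_version 4.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/cluster.conf" <<'EOF'
<?xml version="1.0"?>
<cluster name="pvecluster" config_version="4">
<cman keyfile="/var/lib/pve-cluster/corosync.authkey">
</cman>
<clusternodes>
<clusternode name="pve01" votes="1" nodeid="1"/>
<clusternode name="pve02" votes="1" nodeid="2"/>
</clusternodes>
</cluster>
EOF
    add_cluster_node "$dir/cluster.conf" "$dir/cluster.conf.new" quormox 3 &&
        cat "$dir/cluster.conf.new"
    rm -rf "$dir"
}
demo
```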

Then, in the Proxmox GUI, under the HA tab, we’ll press “Activate”.

And we will see the changes with the new node.

Now, we need to copy all the needed files to the node we want to add. So first we will delete (do a backup first just in case) the folders on that node, and we need to do it in this order, following the commands entered at the root@quormox prompts below. In my example, the node I want to add is called quormox and the node with the working configuration is pve01. I also removed all references to quormox from .ssh/known_hosts on all nodes in the cluster.

root@quormox:~# /etc/init.d/pve-cluster stop
Stopping pve cluster filesystem: pve-cluster.
root@quormox:~# umount /etc/pve
umount: /etc/pve: not mounted
root@quormox:~# /etc/init.d/cman stop
Stopping cluster:
Stopping dlm_controld... [  OK  ]
Stopping fenced... [  OK  ]
Stopping cman... [  OK  ]
Unloading kernel modules... [  OK  ]
Unmounting configfs... [  OK  ]
root@quormox:~# rm /etc/cluster/cluster.conf
root@quormox:~# rm -rf /var/lib/pve-cluster/*
root@quormox:~# scp pve01:/etc/cluster/cluster.conf /etc/cluster/
The authenticity of host 'pve01 (192.168.96.11)' can't be established.
ECDSA key fingerprint is 89:02:2e:79:f3:2a:54:30:2d:78:a8:9c:2c:55:03:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pve01,192.168.96.11' (ECDSA) to the list of known hosts.
root@pve01's password:
cluster.conf                                                100%  340     0.3KB/s   00:00
root@quormox:~# mkdir -p /var/lib/pve-cluster
root@quormox:~# scp pve01:/var/lib/pve-cluster/* /var/lib/pve-cluster/
root@pve01's password:
config.db                                                   100%   64KB  64.0KB/s   00:00
config.db-shm                                               100%   32KB  32.0KB/s   00:00
config.db-wal                                               100% 1028KB   1.0MB/s   00:00
corosync.authkey                                            100%  128     0.1KB/s   00:00
root@quormox:~# /etc/init.d/pve-cluster start
Starting pve cluster filesystem : pve-cluster

After that, a reboot is needed to start all the daemons in the right order. Once rebooted, the node is correctly added to the cluster! 😀