GRAFFITI -- April 09, 2007 thru April 15, 2007

Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable.

About email - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.


Monday, April 9, 2007

No Post.



Tuesday, April 10, 2007

1319 - Good afternoon. I suppose staying busy and out of trouble is better than the alternative ... but that doesn't leave time for very much else. As usual, Mondays bring their special set of chores into my life - they all got done, but I forgot to put anything at all up here. But now, instead, I'll inflict some random thoughts on y'all.

Today is Patch Tuesday. Of course, so was last Tuesday, at least for the ANI vulnerability. For the vast majority of users, Automatic Updates just took care of that issue. Of course, if you had already been affected, and infected by an unknown variant of evilness ... you're out of luck. And even if you're safe, you can get confusing messages because of your hardware. Those users with Realtek sound chips have issues - the ANI vulnerability patch breaks the Realtek DLL. There are updated drivers, which in practice worked for a remote family member, and a page from Microsoft that addresses that issue as well. There are a lot of stories I've heard about this, but the reality of the situation is that the vulnerability should have been fixed back in 2005 by the OS vendor, but wasn't. One processing path was patched, and they called it done. There were other ways to get the borked data past the validators. Lovely, just lovely.

There's more, but I should be busy again. Lunch is done. Ciao!



Wednesday, April 11, 2007

0701 - Good morning. Last night, I got an email from Willie...

Subject: keychain KDM

Hi Brian

You are #4 on google with the above search term. I too can't get nice KDM-keychain integration and end up booting into console mode, letting .bashrc run keychain for me, and then I "startx" manually.

And it bugs the hell out of me....

I'm bookmarking your blog and will check back every few days to see if you have found a better solution. Did you get much/any feedback on this topic? A quick search shows no further mentions.

I've occasionally approached that problem over the last few years. Some vendors seem to deal with it well in their default installs, others ... not so much. And I don't know why. If the Xsession (whatever manager/environment is starting up) can detect that you have a ~/.ssh/id_dsa file, then why doesn't it just do the right thing: start ssh-agent and prompt for the passphrase during the X login/startup process?

Well, I went digging again. One of the problems is that there are so many different ways to ask the right question (and so many wrong questions) that it's hard to separate the wheat from the chaff. But this time I broke lucky. Here's what I wrote back to Willie:

This is all on the latest Kubuntu Beta, YMMV:

I have a file I found just now:

/etc/X11/Xsession.d/90x11-common_ssh-agent

The contents seem to indicate that ssh-agent is started at X startup.

root@vimes:/etc/X11/Xsession.d# ps ax | grep ssh-agent
5847 ? Ss 0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager

So I installed ssh-askpass and ssh-askpass-gnome (you never know).

So good, so far. So, on a clean boot and login, I fire up konsole, and type ssh-add, I type the passphrase and get the CLI prompt back.

SSH to someplace with my public key, and Bingo! Cool.

So I navigate (with Konqueror as file manager) to ~/.kde/Autostart

Right click there, select Create New ... -> Link to Application.

On the General tab, I named it ssh-add, and on the Application tab, I put /usr/bin/ssh-add in the Command: field.

On next KDE startup, I was prompted for my SSH passphrase, and the credentials are available and useful both in the command line and fish:// kio_slave tools. Yay!

I failed to note that this does NOT work like keychain, the SSH key management tool written by Daniel Robbins (of Gentoo fame). That is, when I log out of the X session, the ssh-agent isn't accessible from the virtual consoles, or from inbound ssh-sessions. I suppose that's a good thing, but it's awfully handy to do keychain-like things (being able to source a file that uses the credentials in cron jobs, for example). I may keep poking at this until I solve it to my content, or until it hurts too much to keep after it ... yet again. Hmmm.

I would also point out that it never bothered me much to login from VC1, then explicitly start the X Window system. That way, when I was mucking about with X configurations, I could break something and reboot without system thrashage to follow. And when things were running well, I could go weeks or months without either leaving my login session or X.


Okay. I solved that problem, I think to my satisfaction. First, I installed keychain. (running sudo apt-get install keychain from a terminal window). Then I created a file in the bin directory in my home: keychain.sh ... it contains these lines:

#!/bin/bash

# Start ssh-agent (or reuse the one keychain already knows about), drop any
# keys it holds so the passphrase is asked for again, then add id_dsa.
/usr/bin/keychain --clear id_dsa
# Pull the agent's SSH_AUTH_SOCK and SSH_AGENT_PID into this shell.
[ -f "$HOME/.keychain/$HOSTNAME-sh" ] && \
        . "$HOME/.keychain/$HOSTNAME-sh"

Then I made sure that the script was executable:

bilbrey@vimes:~$ chmod 700 bin/keychain.sh 
bilbrey@vimes:~$ ls -al bin/keychain.sh 
-rwx------ 1 bilbrey bilbrey 120 2007-04-10 22:00 bin/keychain.sh

I also pasted the keychain call and the two lines that source the agent file into my ~/.bashrc file, so that I would be able to make use of the ssh-agent when logged in remotely (and with --clear, forced to re-enter my passphrase when logging in).

I blew away the ssh-add item in my ~/.kde/Autostart directory and created a new one, called keychain, with the application command field: /home/bilbrey/bin/keychain.sh

I hope this helps, Willie!
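An added check, not part of the reply above and not keychain's own code: the one-liner in keychain.sh sources whatever is sitting in ~/.keychain without inspecting it, and says nothing about whether the agent the file names is still running. The POSIX sh below reads a file in the format ssh-agent -s prints (which is what keychain is assumed here to write: one SSH_AUTH_SOCK line and one SSH_AGENT_PID line), refuses one that is not owned by the current user or is group/world-writable, and reports missing, unsafe, stale or live. The file it builds for the demo is constructed, with vimes-sh standing in for $HOSTNAME-sh.

```shell
#!/bin/sh
# Added example: not from the original post and not keychain's own code.
# Vets a keychain-style agent environment file before it is sourced.
# Assumed file format, i.e. what "ssh-agent -s" prints minus the echo line:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;

# agent_file_safe FILE: succeeds only if FILE is a regular file, owned by
# the current user, and not writable by group or others. Sourcing a file
# that fails this lets whoever can write it run commands in your login shell.
agent_file_safe() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")          # now $1 = mode string, $3 = owner
    [ "$3" = "$(id -un)" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;;   # column 6 = group w, column 9 = other w
    esac
    return 0
}

# agent_env_status FILE: prints missing, unsafe, stale or live.
# Exit status is 0 only for live.
agent_env_status() {
    [ -e "$1" ] || { echo missing; return 1; }
    agent_file_safe "$1" || { echo unsafe; return 1; }
    # Source inside a subshell so nothing leaks into the caller, then check
    # that the agent PID is alive and SSH_AUTH_SOCK is an actual socket.
    if ( SSH_AUTH_SOCK= SSH_AGENT_PID=
         . "$1"
         [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" && [ -S "$SSH_AUTH_SOCK" ]
       ) 2>/dev/null
    then
        echo live
        return 0
    fi
    echo stale
    return 1
}

# load_agent_env FILE: drop-in for the post's "[ -f ... ] && . ..." line.
# Sources FILE into the current shell only when the agent is live.
load_agent_env() {
    [ "$(agent_env_status "$1")" = live ] || return 1
    . "$1"
}

# Demo on a constructed file: the PID is this shell (alive) but the socket
# path does not exist, so the verdict is "stale" and nothing gets sourced.
demo_agent_env() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        "SSH_AUTH_SOCK=$d/agent.sock; export SSH_AUTH_SOCK;" \
        "SSH_AGENT_PID=$$; export SSH_AGENT_PID;" > "$d/vimes-sh"
    chmod 600 "$d/vimes-sh"
    agent_env_status "$d/vimes-sh"
    load_agent_env "$d/vimes-sh" || echo "not sourced"
    rm -rf "$d"
}

demo_agent_env
```

A file that vets as live only proves the agent answers; with --clear the keys are wiped on each login anyway, so ssh-add -l remains the test for whether a key is actually loaded (exit 0 with keys, 1 for an empty agent, 2 when the agent cannot be reached).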


Enough fun! Time to go jump into traffic.



Thursday, April 12, 2007

0647 - Good morning. So, I didn't do enough testing on yesterday's KDE/SSH/keychain integration. When I rebooted after updating the kernel yesterday evening, I got prompted for the SSH passphrase in each terminal session. Urk! Okay, one problem at a time. First, in each terminal application... okay, I can suss this out: .bashrc is sourced by every interactive shell, so by every terminal window, to set up the environment. .bash_profile is sourced only by a login shell. So I moved the keychain chunk of code (slightly rewritten):

# Start or reuse the agent and clear its keys, forcing the passphrase prompt.
keychain --clear id_dsa
# Make sure HOSTNAME is set before it is used in the file name below.
[ -z "$HOSTNAME" ] && HOSTNAME=$(uname -n)
# Import SSH_AUTH_SOCK/SSH_AGENT_PID from the file keychain wrote.
[ -f "$HOME/.keychain/$HOSTNAME-sh" ] && \
   . "$HOME/.keychain/$HOSTNAME-sh"

I took it out of .bashrc, and plunked it in a freshly created .bash_profile. The rewrite ensured that $HOSTNAME is properly set before using it. So, the move fixed one problem, but now when I logged in to KDE, I got prompted twice for the passphrase. So, something in the X login sequence is running .bash_profile. Okay, I can hang with that. So I removed the recently created Autostart application that called my keychain init script, ~/bin/keychain.sh. Now everything is working the way I expect. Keychain initialized with X, with VC logins, with remote SSH logins. Agent stays active when logged out, and clears on any login, forcing a reentry of the passphrase (a nice security feature). So, just having at least the following in my ~/.bash_profile seems to have solved the problem that Willie posed on Tuesday:

. ~/.bashrc

# Start or reuse the agent, clear loaded keys, re-add id_dsa (prompts once).
/usr/bin/keychain --clear id_dsa
# Import the agent's environment into this login shell.
[ -f "$HOME/.keychain/$HOSTNAME-sh" ] && \
        . "$HOME/.keychain/$HOSTNAME-sh"

If there's one constant in life, change fits the bill. There's likely to be change coming in the near future. But I can't be sure what form it'll take yet. You'll know shortly after I do. Happy Thursday.



Friday, April 13, 2007

No Post.....



Saturday, April 14, 2007

0913 - Good morning. I left off a couple of days ago talking about change. Sometimes change comes in odd forms. One of the changes is that we've decided to stop talking about moving.

For the last several months, Marcia and I have been mulling over the possibilities in getting out of this market, taking our equity cash out, and getting into someplace cheaper, with 50 to 75% initial downpayment. In part, we have the freedom to consider such a move because Marcia can be pretty much anywhere on the right side of the continent and still do her job. There are real estate markets with much less expensive properties, and enough of an economy that I could find work easily. But we like this house, and the friends we've made in the area. Also, there's a lot to do and see around here, and we just won't make the time to see and do, unless we're here for an extended stay. So we think we'll stay. The change here is ... no change.

The next change is vehicular. Marcia's wanted a car that can go top-down for the longest time. We can afford that without denting anything financial, so we're going to go look at the VW Eos this afternoon. If money were truly no object, I'd probably put her in an Audi A4 Cabriolet Quattro. But those are selling for between 45 and 50K, and at her current pace, that would never pay off for Marcia - she's currently driving about 4000 miles a year. The Eos is a bit smaller, but solid, and about 15K less expensive than the Audi. It's got a fold-in hardtop, and pop-up rollover bars. If that was offered in the Toyota Solara, we might have leaned that way. It's interesting that the mid-size ragtops don't offer that sort of protection.


I want to get out into the garden for a while ... But another shot of winter is coming - or at least a strong storm. And if it spins enough cold air down our way, then we may be due for more snow on Sunday night and Monday. Yeah, mid-April. Boggle. Maybe I'll just mow the front, or simply prep the mower for bagging - I have a blade to sharpen and install. Next weekend, I'm hopeful enough that I've taken Monday and Tuesday (23rd and 24th) off to make a four day stint of get-the-whole-yard-ready possible. Now if only the weather will cooperate.

Enough for now. Happy Saturday.



Sunday, April 15, 2007

1226 - Good afternoon. While Marcia was very appreciative of my concern for her well-being in my selection of automobiles with active rollover protection (popup rollbars), all of them were too small for her taste... she could only have legless friends riding in back, and there's not much in the way of trunk space either. So she went with her first choice - a shiny red Solara convertible. No pictures yet, because it hasn't stopped raining since she bought it. If there are 40 days and 40 nights of rain, now y'all know who to blame.


Our troops surely watch the news and wonder WTF the ongoing political struggle is going to mean to their mission, and to their safety. Our fine men and women serve, and fight, and sometimes die. Honor them, remember them, do them proud! Here are two weeks of sad news, 60 souls to remember with pride...





Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.

All Content Copyright © 1999-2011 Brian P. Bilbrey.

Except where otherwise noted, this site is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.