Steve's Blog

Catchup Post

Well, it’s been quite a while since my last post. Quite a lot has happened - but I’ll break it down in a nutshell.

1) I finally got my Commercial Pilots License. The down side is that I had to do it through another training organisation. My flight school (National Aerospace Training) closed their doors and didn’t provide me with the training they should have. This means I had to pay out of pocket (again) for 10 hours in a C172RG and then pay for my CPL test/flight. This also means that I’ll never get my multi-engine endorsement or my instrument rating - which had already been paid for. End result, I’m down ~$35,000AUD in total - and will have to pay out of pocket again for any further training. Urgh.

2) I’ve still been working on my Xen packages for EL6. I’m currently building a new Xen version to fix a few security issues that have just been made public 11 hours ago.

3) I’ve stepped back down to Vice President of Pegasus Endurance now. We are still running an FEI event in a few weeks’ time, and trying to convince the state body (VERA) to endorse a national level competition as well. Endurance Riding really does seem to be a dying sport - but it’s not for lack of trying or enthusiasm - just a lack of events. I’ve also been busy helping out with 3 x fundraising BBQs to help finance some of the events planned throughout the year.

4) Out of a pure chance encounter, I’ve started doing some work on a 737-800 based flight sim in Niddre. Jet Flight Simulator Melbourne has opened their doors as of January. This sim is great fun - and good for practising instrument flying. I think it’s probably as close as you can get without jumping in a real aircraft. Pic for goodness:

A quick photo of the cockpit of the 737-800 based simulator

So all in all, a lot has been going on - and sadly, it’s meant I haven’t posted here that often. Let’s see if I can try to update my blog more often, eh? :)

It’s official. MSN Messenger is closing.

The BBC is reporting that Microsoft is killing off Live Messenger (formerly MSN Messenger) in favour of pushing the Skype client. This is slated to happen before March 2013.

As such, I’m trying to port across my contacts to Google Talk - or at least those who already have a Google Talk account.

For those who hate Skype (like me!), this might be your chance to convince your contacts to move to Google Talk. The client is much more lightweight and free of bloat than I believe Skype will ever be. Go Google.

kernel-xen-3.6.6-1 coming soon

This fixes the ext4 journal corruption bug as well as a few other issues.

Changelog:
* Sun Nov 11 2012 Steven Haigh <netwiz>
- Update to kernel 3.6.6
- Notable fixes in this kernel version:
  ext4: fix unjournaled inode bitmap modification
  blkcg: Fix use-after-free of q->root_blkg and q->root_rl.blkg
  md/raid1: Fix assembling of arrays containing Replacements.

Full 3.6.6 changelog: http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.6.6

They’re building now. It should hit the mirrors after some quick testing.

In future, release notifications will be only posted to the mailing list.

Google and the Australia Tax

Google have released a new wave of the Google Nexus devices. These devices all run Android and are not locked or limited in any way - paving a new path against carrier lockdown and interference. Their motto, “Openness at all costs” (Slashdot discussion)

Interestingly, these articles show:

  • Nexus 4 - $349 (16Gb)
  • Nexus 7 - $199 (16Gb)
  • Nexus 10 - $399 (16Gb)

Now, these prices are all in the US, so they’re in $USD.

Imagine my surprise when I check the Google Play Store where they sell the devices only to find:

  • Nexus 4 - $349 (8Gb)
  • Nexus 4 - $399 (16Gb)
  • Nexus 7 - $249 (16Gb)
  • Nexus 7 - $299 (32Gb)
  • Nexus 10 - $469 (16Gb)
  • Nexus 10 - $569 (32Gb)

This means the ‘Australia Tax’ on the 16Gb Nexus 4 is $50AUD, the Nexus 7 is $50AUD, and the Nexus 10 is $70AUD.

So, what I would love to see is that if the motto really is ‘Openness at any cost’, why are Australians being stung so much more per unit than in the US? It certainly can’t be shipping costs!

SSH two factor auth with Yubikey + SSH key

I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and an OTP generated by the YubiKey.

I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so:

#%PAM-1.0
auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example:

root:abcdabcdabcd
myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

 RequiredAuthentications[12]
         Specifies required methods of authentications that has to succeed before authorizing the connec-
         tion.  (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

             RequiredAuthentications1 method[,method...]
             RequiredAuthentications2 method[,method...]

         Example 1:

             RequiredAuthentications2 password,hostbased

         Example 2:

             RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go :)

Oh, and just because it isn’t 100% obvious, the login details will now be: Username: <yourusername> Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key….

EDIT: There is a bug in the Match parsing for RequiredAuthentications2. See my report.
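
A pre-restart check for the setup above, as an added example that is not part of the original post: it confirms that the global (pre-Match) section of sshd_config requires publickey,password, that pam_yubico is a required rather than sufficient auth module, and that the mappings file holds well-formed token IDs. It assumes UsePAM yes (not checked) and that a token ID is the first 12 characters of an OTP in modhex, so the IDs shown in the post are placeholders; the function names and sample data are constructed for illustration.

```shell
#!/bin/bash
# Global (pre-Match) RequiredAuthentications2 must list publickey and password.
check_sshd() {
    local v
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "requiredauthentications2" { print $2; exit }' "$1")
    case ",$v," in *,publickey,*) ;; *) return 1 ;; esac
    case ",$v," in *,password,*) ;; *) return 1 ;; esac
}

# pam_yubico must be a required/requisite auth module; as "sufficient" a valid
# OTP alone would satisfy the auth stack. Prints the authfile= path it uses.
check_pam() {
    awk '$1 == "auth" && $3 == "pam_yubico.so" {
             if ($2 != "required" && $2 != "requisite") exit 1
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^authfile=/) { print substr($i, 10); found = 1 }
             exit
         }
         END { if (!found) exit 1 }' "$1"
}

# Each mapping line must be user:id[:id...] with 12-character modhex token IDs.
check_mappings() {
    awk -F: '/^[ \t]*$/ || /^[ \t]*#/ { next }
             NF < 2 || $1 == "" { bad = 1 }
             { for (i = 2; i <= NF; i++)
                   if (length($i) != 12 || $i !~ /^[cbdefghijklnrtuv]+$/) bad = 1 }
             END { exit bad }' "$1"
}

# audit SSHD_CONFIG PAM_FILE [MAPPINGS]; MAPPINGS defaults to the authfile= path.
audit() {
    local authfile
    check_sshd "$1" || { echo "FAIL: publickey,password not both required"; return 1; }
    authfile=$(check_pam "$2") || { echo "FAIL: pam_yubico is not required"; return 1; }
    check_mappings "${3:-$authfile}" || { echo "FAIL: bad mappings entry"; return 1; }
    echo "OK: publickey + password required, pam_yubico required"
}

# Constructed sample (not real config): pam_yubico demoted to "sufficient".
demo() {
    local d rc; d=$(mktemp -d)
    echo 'RequiredAuthentications2 publickey,password' > "$d/sshd_config"
    echo "auth sufficient pam_yubico.so id=16 authfile=$d/map" > "$d/pam"
    echo 'root:ccccccdefghi' > "$d/map"
    audit "$d/sshd_config" "$d/pam"; rc=$?; rm -rf "$d"; return "$rc"
}
if [ "$#" -ge 2 ]; then audit "$@"; else demo || true; fi
```

Run with the paths to sshd_config and the PAM file as arguments to audit real files instead of the built-in sample, and keep an existing root session open while restarting sshd.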