Category: Linux

Laptop Power Saving with powertop on Fedora 22

Post author By chris
Post date 2015-06-19
No Comments on Laptop Power Saving with powertop on Fedora 22

The most important thing you want from a laptop is long battery life. Ever ounce of power you can get to work, read or simply just entertain on a long jaunt. Therefore, it’s always good to know what is consuming your power.

Intel’s powertop utility shows what’s drawing power when your system’s not plugged in. Use dnf to install powertop:

sudo dnf install powertop

powertop requires direct access to the hardware to measure power usage so you have to run it with root privileges:

sudo powertop

The powertop ouput will look similiar to the screenshot below. The measured power usage as well as system wakeups per second will most likely be different:

Screenshot of Powertop — Powertop 2.7 on Fedora 22

To switch between the multiple tabs use either the Tab or Shift+Tab keys. To quit the application, simply hit the Esc key.

The utility not only shows the power usage for various hardware and drivers but also displays the CPU stepping modes as well as systems wakeups per second. Processors are often so fast that they idle for the majority of the time.

The best way to maximize battery power is to minimize the number of wakeups per second. The best way to achieve that is to use powertops’ Tunable tab to optimise your laptop’s power savings. “Bad” usually indicates a setting that’s not saving power. In contrast, it might actually enhance the performance. “Good” indicates a setting is tuned to save power. Use the Enter key to turn any tunable on/off.

If you like to automatically turn all tunables on, the powertop package also includes a service that automatically sets all tunables to “Good” for optimal power saving. To start the service enter the following command:

sudo systemctl start powertop.service

To automatically start the service on boot time enter the following command

sudo systemctl enable powertop.service

Probably the only caveat about this service and the tunables in general: Certain tunables may risk your data or result in some odd hardware behavior. For example, the “VM writeback timeout” settings affects how long the system waits before writing any changes of data to the actual disk. So you actually trade off data security for power savings. If the system loses all power for some reason, you might lose all the changes you made in the last 15 seconds, rather than the default 5. Nevertheless, for most laptop users this isn’t an issue since the system should warn you about low running battery.

Tags fedora, intel, linux, powertop

Linux

Limiting ssh user to SFTP using restricted shell

Post author By chris
Post date 2014-11-16
No Comments on Limiting ssh user to SFTP using restricted shell

This is a follow up to the recent article about restricting ssh login to sftp. Back then I showed you how to restrict an ssh user who can login into a system by configuring openssh to prevent user logins of users associated with a specific group.

To do things differently I will show you an alternative and in my personal opinion easier way of restricting a ssh user to sftp. rSSH is a restricted shell that can be used with OpenSSH to only allow sftp and scp. It also includes support for rsync, rdist and cvs. This enables the creation of shell users without providing them full login access to the server except for transferring files.

First, make sure that the rssh package is installed (can be found in the usual repository). Since Debian is still my favourite distro I use aptitude. Use the equivalent on yours (yum, zypper etc.)

[bash]
# aptitude install rssh
The following NEW packages will be installed: rssh
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives. After unpacking 185 kB will be used.
Get: 1 http://mirror.switch.ch/ftp/mirror/debian/ wheezy/main rssh amd64 2.3.3-6 [65.8 kB]
Fetched 65.8 kB in 0s (752 kB/s)
Preconfiguring packages …
Selecting previously unselected package rssh.
(Reading database … 137643 files and directories currently installed.)
Unpacking rssh (from …/rssh_2.3.3-6_amd64.deb) …
Processing triggers for man-db …
Setting up rssh (2.3.3-6) …
[/bash]

In order to restrict a user to SFTP the rssh shell needs to be configured as the login shell for the user. The following example adds a new user bubu to the system with the shell set to /usr/bin/rssh

[bash]
# useradd -m -d /home/bubu -s /usr/bin/rssh bubu
# passwd bubu
[/bash]

To change the shell of an existing shell use either usermod or the chsh command. Whichever you prefer.
[bash]
# usermod -s /usr/bin/rssh <old-user-name>
# usermod -s /usr/bin/rssh chris2

# chsh -s /usr/bin/rssh chris2
[/bash]

Afterwards, if you try logging in via ssh or sftp you will receive a similar response to this since by default rssh locks down the system completely leaving the user without any sort of access.

[bash]
$ sftp bubu@server.pretendco.com

$ ssh bubub@server.pretendco.com
[/bash]

Response:

[bash]
bubu@server.pretendco.com’s password: TYPE-THE-PASSWORD
Linux bubu@server.pretendco.com 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.10-1~bpo70+1 (2014-04-23) x86_64 GNU/Linux
Last login: Sun Nov 16 07:03:04 2014 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to server.pretendco.com closed.
[/bash]

The default action for rssh is to lock down any access. To adjust the default setting edit the rssh.conf file. Append or uncomment the following two lines: allowscp, allowsftp:

[bash]
# vi /etc/rssh.conf

…

# Leave these all commented out to make the default action for rssh to lock
# users out completely…

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve

…
[/bash]

The user should be able to login into the system now:

[bash]
$ sftp bubu@server.pretendco.com
Connecting to server.pretendco.com…
ubu@server.pretendco.com’s password:
sftp> pwd
Remote working directory: /home/bubu
sftp>
[/bash]

Tags Administration, Debian

Linux

Permitting SFTP file access while denying shell login

Post author By chris
Post date 2014-04-24
No Comments on Permitting SFTP file access while denying shell login

When you google on how to configure remote file access on linux most tutorials and how-tos will guide you towards ftp (file transer protocol) which has existed for ages and is well supported across all devices from mobile to desktop. However using FTP in these day and age without securing it using SSL is kind a naive. User credentials are sent over in clear-text and I don’t have to tell you that sooner or later the credentials will be compromised and your data might be at risk.

FTP similar to Telnet was never a protocol designed with security in mind. There are several solutions to FTP’s shortcomings. As mentioned, you can use FTP in combination with SSL or you can use SSH’s File Transfer Protocol SFTP for securily transferring data using the SSH network protocol.

In general, SSH is used for securely logging into a system remotely. By default, every user with SSH access automatically also has SFTP file access. The issue with simply adding a user to the system for SFTP access is that they also automatically receive shell-access. This grants them the right to run processes and potentially administer your system you may not wish them to run on your server. This tutorial will show you how to add a user to your system without granting them shell permissions but still allowing them file-access.

First, if you haven’t yet installed the openssh server yet, do so now (prepend every command with “sudo” if not logged-in as root):

[bash]
# apt-get install openssh-server
[/bash]

Once the ssh-server is installed we need to add a user we wish to only allow SFTP access. Add a new usegroup to consolidate multiple users that should only receive SFTP access:

[bash]
# addgroup sftponly
[/bash]

Next, edit the ssh-daemon configuration file: /etc/ssh/sshd_config (you can use vim or whaever editor you prefer)
Look for the following line:

[bash]
Subsystem sftp /usr/lib/openssh/sftp-server
[/bash]

and replace the line with this instruction (you can also simply comment out the above line using # and insert the following line below):

[bash]
Subsystem sftp internal-sftp
[/bash]

At the end of the same file add the following lines to restrict the access of the users bleonging to the sftponly user-group:

[bash]
# Rules for sftponly group
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
[/bash]

Save the file and restart the ssh-daemon via:

[bash]
# /etc/init.d/ssh restart
[/bash]

Next, create the directory which the users will be jailed too:

[bash]
# mkdir /srv/sftponly/
[/bash]

Optionally you can use a mount-bind to map a specific filesystem into that folder. My share is located at /mnt/fs and I use mount-bind to map the shared-folder to sftponly:

[bash]
# mount –bind /mnt/fs /srv/sftponly/
[/bash]

Add a new user to the system and specify the previously created group as the user’s primary group. Disable shell-login and don’t create a home directory. See man-pages about adduser for more information about the available command-line switches:

[bash]
# adduser –home /srv/nfs4/fs/ –no-create-home –ingroup sftponly –disabled-login <username>
[/bash]

Set a password for the new user:

[bash]
# passwd <username>
[/bash]

In order for the user to be chrooted (jailed) to the specified directory the user’s home directory must be owned by root as well as only be writable by root:

[bash]
# chown root:root /srv/sftponly/
[/bash]

In case you are not able to log-in using the newly added user or even worse if the user is not getting jailed it’s best to check the auth.log in /var/log/auth.log

[bash]
Apr 20 12:34:04 fs sshd[12015]: Server listening on 0.0.0.0 port 22.
Apr 20 12:34:04 fs sshd[12015]: Server listening on :: port 22.
Apr 20 12:34:09 fs sshd[12018]: Accepted password for <username> from 10.1.1.185 port 54493 ssh2
Apr 20 12:34:09 fs sshd[12018]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
Apr 20 12:34:09 fs sshd[12023]: fatal: bad ownership or modes for chroot directory "/srv/sftponly"
Apr 20 12:34:09 fs sshd[12018]: pam_unix(sshd:session): session closed for user<username>
Apr 20 12:34:25 fs sshd[12029]: Accepted password for <username> from 10.1.1.185 port 54494 ssh2
Apr 20 12:34:25 fs sshd[12029]: pam_unix(sshd:session): session opened for user username by (uid=0)
Apr 20 12:34:25 fs sshd[12037]: fatal: bad ownership or modes for chroot directory "/srv/sftponly"
Apr 20 12:34:25 fs sshd[12029]: pam_unix(sshd:session): session closed for user <username>
Apr 20 12:37:02 fs sshd[12076]: Accepted password for <username> from 10.1.1.185 port 54516 ssh2
Apr 20 12:37:02 fs sshd[12076]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
Apr 20 12:37:02 fs sshd[12081]: fatal: bad ownership or modes for chroot directory "/srv/sftponly"
Apr 20 12:37:02 fs sshd[12076]: pam_unix(sshd:session): session closed for user <username>

[/bash]

In my case the specific user wasn’t getting jailed because the permissions on the root-folder were not correctly set. Make sure the home directory is owned by root and not the user itself.

Remove write permissions from others:

[bash]
# chmod go-w /srv/sftponly/
[/bash]

Tags Administration, Debian, SSH

Linux

NFSv4 performance woes on Debian

Post author By chris
Post date 2014-04-15
No Comments on NFSv4 performance woes on Debian

Over the weekend I took the opportunity to reinstall the OS on my workstation at home. Instead of choosing Debian unstable I decided to go with Debian stable + backports this time. The reason is simply to not deal with package upgrades braking the current system again. Manually fixing my local gitlab installation after a ruby upgrade annoyed the hell out of me and I simply can’t be bothered with manually going through package management and pinning down a working version of ruby and ruby-gems just to keep my current setup working.

When I started to configure system services such as ssh, nfsv4, ftpd etc. I noticed that mounting NFSv4 shares on Debian 7 (Wheezy) was quite slow (around 11 to 15 seconds). Oddly enough, once the NFS share was mounted into my local filesystem I was able to copy files as quickly as usual.

I checked dmesg and /var/log/messages after mounting the NFS share and noticed the following entries:

[bash]
[17603.799651] Key type dns_resolver registered
[17603.804909] NFS: Registering the id_resolver key type
[17603.804918] Key type id_resolver registered
[17603.804918] Key type id_legacy registered
[17618.828292] RPC: AUTH_GSS upcall timed out.
[17618.828292] Please check user daemon is running.
[/bash]

According to the following thread, rpc-svcgssd is responsible for the nfs Kerberos authentication at the server side. I have no intention of using Kerberos at home as the time required for the set-up outweigh the benefits of single-sign-on for just a single user. I can simply set-up the same account with the same credentials on my computers. Therefore kerberos authentication should also be optional at the client side. Well it actually is, but the implementation at the moment is rather tedious. It waits for a timeout that occurs after roughly 15 seconds which introduces the delay when mounting a share.

On Redhat’s bugtracker the following entry was posted: Bug 1001934 – 15 sec timeout when mounting with nfs4:
Marcindulak provided the following workaround to fix the issue until the client is updated

blacklist the rpcsec_gss_krb5 module on the client and reboot or simply unload the kernel module

[bash]
echo "blacklist rpcsec_gss_krb5" > /etc/modprobe.d/blacklist-nfs-gss-krb5.conf
reboot
[/bash]

or instead of rebooting you can simply use rmmod to unload the currently loaded module:
[bash]
rmmod rpcsec_gss_krb5
[/bash]

This should eliminate the delay when mounting NFSv4 shares on Debian.

Tags Debian, NFS, OSX