ssh tunnelling again

this damn small tool is surprising and delightening again!
i had to move some virtual machines at work, and wanted to do it from home. however, i was not sure whether i would experience problems using the citrix server at work as i was also moving vms that provide the user home directory etc. i chose to let my notebook at work and open an ssh connection with a reverse port forwarding, like so:
ssh -R 2222:127.0.0.1:22 user@my.server.at.home (of course, as i am the sysadmin i could as well just open the port on the firewall, but i dont like to create security holes that i might forget about…)

when i arrived at home, i connected from my desktop to my server, “taking” the ssh port (which ‘leads’ to the notebook) onto my desktop;
ssh -L 2222:127.0.0.1:2222 user@my.server.at.home
now i could use ssh -p 2222 user@127.0.0.1 to connect to my notebook “directly”.

ok, everything nice so far, but for connecting to the windows server using rdp, and the esxi using ssh, i would have to create many portforwardings… luckily, remmina (my rdp client / connection manager) supports tunnelling through ssh natively. this is really really nice! you just enter the internal ip of the server you want to connect to, and in the last tab, you specify the ssh tunnel server (in this case 127.0.0.1:2222) and it creates port-forwardings on the fly. great tool!

so i had a nice way to connect to the rdp servers… but what about the ssh connections? i could have used putty on a windows server at work, but i prefer ssh’ing with a local terminal instead.
luckily, i found this blog post: tunneling ssh over a socks proxy, and as we know from a previous post, ssh -D 1234 user@host basically ‘creates’ a socks proxy (on port 1234 in this example) which forwards traffic to the ssh server.
as i did not want to set options for connecting to 127.0.0.1 in ssh_config, i just opened another connection to my notebook, like this:
ssh -D 2223 -p 2222 user@127.0.0.1
and i created an entry in my ssh_config:
Host 10.100.*
ProxyCommand /usr/bin/nc -x 127.0.0.1:2223 %h %p
(10.100.0.0/16 is our internal subnet at work)
after that, i can ssh root@10.100.1.1 without any other options and ssh uses the already running portforwardings to connect to the esxi at work….
nice

if you dont want to give a certain user create database permissions, he can run this script

#!/bin/bash
MUSER="$1"
MPASS="$2"
MDB="$3"

# Detect paths
MYSQL=$(which mysql)
AWK=$(which awk)
GREP=$(which grep)

if [ $# -ne 3 ]
then
echo "Usage: $0 {MySQL-User-Name} {MySQL-User-Password} {MySQL-Database-Name}"
echo "Drops all tables from a MySQL"
exit 1
fi

mysql --user=$MUSER --password=$MPASS -BNe "show tables" $MDB | tr '\n' ',' | sed -e 's/,$//' | awk '{print "SET FOREIGN_KEY_CHECKS = 0;DROP TABLE IF EXISTS " $1 ";SET FOREIGN_KEY_CHECKS = 1;"}' | mysql --user=$MUSER --password=$MPASS $MDB

new citrix client for linux

maybe it’s not too new anymore, but it’s nice nevertheless: citrix releases version 12 of the citrix receiver for linux. they have seperate versions for x86 and x64 and i could install the deb without having problems with dependencies on my ubuntu 11.10

one problem they have has still not been fixed though: the client brings its own CA-Certificates… well… look at the list:

iso@iso-i7:~$ ls /opt/Citrix/ICAClient/keystore/cacerts/
BTCTRoot.crt  Class3PCA_G2_v2.crt  Class4PCA_G2_v2.crt    GTECTGlobalRoot.crt  Pcs3ss_v4.crt

this is just a bad joke – to fix it, just create a link to a reasonably filled list of CA-Certificates, e.g. from mozilla:
iso@iso-i7:/opt/Citrix/ICAClient$ cd /opt/Citrix/ICAClient/keystore/
iso@iso-i7:/opt/Citrix/ICAClient/keystore$ sudo mv cacerts cacerts_citrix
iso@iso-i7:/opt/Citrix/ICAClient/keystore$ sudo ln -s /usr/share/ca-certificates/mozilla cacerts

done, you may now connect to citrix servers which use secure gateway to encapsulate the ICA-traffic in HTTPS

holiday gran canaria

take a look at the photos here:

http://pascal-schwarz.ch/gallery2/main.php?g2_itemId=7631

i tried to better understand how float values are stored on a computer so i decided to write a little class that should help me with this.

IMPORTANT NOTE: i can’t be held responsible for anything that this class does or does not, you’ve been warned :p

list of know issues:

  • the methods floatUnderstandingFromLongValue() and floatUnderstandingFromDoubleValue() return WRONG FLOATS!
  • maybe the method getMantissaBitsSignificanceString() is also not working correctly, especially with really small numbers (E=-126)
  • code has gotten a little confusing
  • things could probably be coded more efficiently

you can download the source from here:
http://pascal-schwarz.ch/stuff/FloatUnderstanding/FloatUnderstanding.java
http://pascal-schwarz.ch/stuff/FloatUnderstanding/TestRecalcMultiThread.java

if you have any feedback, please use the comment-functionality under this post.

Update (20.03.2011):

  • better handling of denormalized values (getMantissaValue(), getMantissaSignificanceString(), getExponentValue(), …..)
  • included a multithreaded recalcFloatValue-Tester
  • the fabric-methods floatUnderstandingFromLongValue() and floatUnderstandingFromDoubleValue() ARE NOT FIXED yet

remember this?

just love it :)

nice ssh option for tunneling

didn’t know about this so i always used a little http proxy (tinyproxy) on my server, but this is not needed as i just learned;

see here: http://dltj.org/article/ssh-as-socks-proxy/

strange n900 pricing

i’ll probably buy a nokia n900 to (finally!) replace my nice htc touch hd which is broken because of windows mobile (how could htc do this, after all?!).
i was quite surprised about the price differences between digitec.ch and mobilezone and swisscom-shop;

  • price with extending my contract another year at swisscom shop: about chf 750.-
  • price with extending my contract another 2 years at mobilezone: about chf 730.-
  • price WITHOUT CONTRACT at digitec: chf 690.-

strange eh?

what sucks about sbb

following situation

  • i’m living near olten (egerkingen)
  • normally i work in aarau, so i have a subscription for egerkingen – aarau
  • sometimes i have to visit clients around zurich

now you think: “easy, you’ll just have to buy a ticket from aarau to zurich”… but that isnt the case:
if the train stops in aarau (and its enough if it just stops, no need to change the train or something), you may buy a ticket aarau – zurich and won’t have any problem. but if the train goes directly from olten to zurich, without stop in aarau, you have to buy a ticket olten – zurich, or you’ll have to pay a monetary fine (CHF 80.-)…as if you would not have any ticket at all!

but…. what is the difference for sbb?

updating windows 7 rc to final

just wanted to create a little post about the possibility and my experiences with the upgrade;

  1. to allow the update, steps as described on this howtogeek post are needed.
  2. the upgrade must be run from your running windows 7 rc installation, not from the cd or usb-stick
  3. it will take around 30 minutes to complete

there were only a few problems after the upgrade;

  • nvidia driver was still working, but no games had antialiasing nor anisotropic filtering – after upgrading the driver, this works fine again
  • according to the upgrade compatibility check hamachi would have to be reinstalled, i just removed it
  • tricky: daemon tools (sptd) has problems after the upgrade, however, this can be fixed like described on this blog

this was strange;

usually, when xrandr outputs the following:

  1. Screen 0: minimum 320 x 200, current 1680 x 1050, maximum 1680 x 1680
  2. VGA-0 connected 1680×1050+0+0 (normal left inverted right x axis y axis) 465mm x 291mm
  3.    1680×1050      60.0*+
  4.    1600×1000      60.0  
  5.    1280×1024      75.0     60.0  
  6.    1440×900       59.9  
  7.    1280×960       60.0  
  8.    1152×864       75.0  
  9.    1152×720       60.0  
  10.    1024×768       75.0     60.0  
  11.    832×624        74.6  
  12.    800×600        75.0     60.3  
  13.    640×480        75.0     59.9  
  14.    720×400        70.1  
  15. DVI-0 connected (normal left inverted right x axis y axis)
  16.    1360×768       59.8  
  17.    1152×864       60.0  
  18.    1024×768       60.0  
  19.    800×600        60.3  
  20.    640×480        59.9  
  21. LVDS connected 1680×1050+0+0 (normal left inverted right x axis y axis) 331mm x 207mm
  22.    1680×1050      60.1*+   50.1  
  23.    1400×1050      60.0  
  24.    1280×1024      59.9  
  25.    1440×900       59.9  
  26.    1280×960       59.9  
  27.    1280×854       59.9  
  28.    1280×800       59.8  
  29.    1280×720       59.9  
  30.    1152×768       59.8  
  31.    1024×768       59.9  
  32.    800×600        59.9  
  33.    640×480        59.4  
  34. S-video disconnected (normal left inverted right x axis y axis)

(don’t ask me where dvi-0 comes from…)
one would think a simple xrandr --output VGA-0 --auto would activate the second monitor. however, this doesn’t change anything. instead, i have to use the following:

xrandr --output VGA-0 --auto --same-as LVDS
after closing the notebook lid, i get a picture on my monitor… but i may not turn off lvds or dvi-0, or the monitor (on vga) will turn off…

just installed the new ubuntu beta ond my notebook which i use for work. i need vmware on it for the xp vm that i have to use at work.
as always with new kernels and x-servers, vmware doesn’t just work even when using the newest version (6.5.3). in order to get it to work more or less, i needed to do the following things:

  1. start the installer with a special option and killing all tries to compile the modules, as described in here: blog post by Sebastian Mogilowski
  2. add the line export VMWARE_USE_SHIPPED_GTK=force to the file /etc/vmware/bootstrap, as described in this vmware thread (go to page 3)

i think it’s really time to change to virtualbox which is completely open, has better integration and works more reliable…

compression using fifo’s

little problem, smart solution;

i’m backing up my citrix xenserver vm’s using the command

  1. xe template-export

i write the backup directly to a cifs-mounted share on the network. however, i need to compress those images, ideally before i send them over the network. the problem is that the template-export command doesn’t support writing to stdout, which would allow me to pipe it through gzip.

fortunately, there’s a way which allows me to pipe it through gzip nevertheless. i’m using a fifo;
1st step: create a fifo

  1. mkfifo gzipfifo

2nd: start gzip and let it wait for data from the fifo and write to another file (in my case on the cifs-share)

  1. gzip -c > /mnt/backup/PMIRZ_Firewall_Demo.xva.gz < gzipfifo &

3rd: write your backup to the fifo, instead of the mounted volume

NHAAAA, just noticed that the template-export command doesn’t want to write to files that already exist… but the above works for other things as well

just had a little problem to fix;

when i opened an encrypted or signed message in thunderbird, the error “the enigmime service is not available” was shown. however, enigmail and thunderbird were installed and even setting the path to the gpg binary manually doesn’t fix the problem.

however, it’s not too difficult to fix;

  1. apt-get remove –purge enigmail

this uninstalls enigmail, including global settings. it’s not enough however, you’ll have to open thunderbird and remove it using the extras – add-on’s dialogue. afterwards, you may reinstall enigmail and it works as always.

System Administrators Day

well, not much to say, just read it.
SysAdminDay

Next »