Author Archives: Kenji Yoshino

About Kenji Yoshino

Twitter: @tidgubi

Securing Administration of Shared Hosting

If you didn’t already know, ssh can be used to tunnel a single TCP port from the client to the server. I wanted to use this ability to prevent my site credentials and cookies from being sent in plaintext over the internet (since I’ve been trying to avoid paying for SSL/TLS). This works on Dreamhost, but should work on pretty much any shared hosting provider that allows you to ssh into the server.

In short, it takes a few hacks to get everything to play together, and it requires superuser privileges on the machine you are connecting from, but it does not require any special privileges on the remote server.

First establish a specific subdomain (or alternative domain) to ssh into (for example ssh.tidgubi.com). This will prevent DNS conflicts with the main domains (www.tidgubi.com and tidgubi.com).

Next edit your local hosts file. Create entries so your computer resolves your webserver to your local machine (127.0.0.1 www.tidgubi.com).

Log in with an administrator account or console session (for a long time I didn’t realize you could just open a console and type login <admin_account>).

Create an ssh tunnel between your computer and your webserver by running the command sudo ssh kenji@ssh.tidgubi.com -L 80:www.tidgubi.com:80
This command breaks down as follows:

  • sudo – requires root permissions to listen on local port 80
  • ssh – run the ssh client program
  • kenji@ssh.tidgubi.com – username and ssh server
  • -L – specifies local port forwarding
  • 80 – local port to listen for data on
  • www.tidgubi.com – remote webserver. This is resolved by the ssh server, so it does not conflict with the hosts file change
  • 80 – remote port to forward traffic to. Assuming you’re forwarding traffic to a standard webserver, this should be port 80

Notes

  • This does not work well if you try to use a different local port, because different servers and web-apps redirect traffic differently and may override explicitly set ports in the URL
  • This command only forwards traffic coming from the local client. You can add the -g option to the ssh command if you want to allow other computers to send data to the webserver
  • Ideally you can ssh directly into your webserver, so the forwarded traffic does not get sent out on any network once it is plaintext again.

Next use .htaccess to restrict access to administrative pages.
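A pre-flight check for the hosts-file and tunnel steps above, as an added example that is not part of the original post: it confirms that www.tidgubi.com is pinned to 127.0.0.1 and that ssh.tidgubi.com is still left to DNS before the tunnel is started. The function names hosts_ip and tunnel_preflight are hypothetical, and the sample hosts file is constructed.

```sh
#!/bin/sh
# Added example: pre-flight check before starting the tunnel.
# hosts_ip and tunnel_preflight are hypothetical helper names.

# hosts_ip FILE NAME: print the first address FILE maps NAME to (empty if none)
hosts_ip() {
    awk -v name="$2" '
        { sub(/#.*/, "") }      # strip comments; awk re-splits the fields
        NF < 2 { next }         # blank line or address without a name
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "$1"
}

# tunnel_preflight FILE WEB_HOST SSH_HOST
#   0: WEB_HOST is pinned to 127.0.0.1 and SSH_HOST is left to DNS
#   1: WEB_HOST is not pinned to loopback (the browser would bypass the tunnel)
#   2: SSH_HOST is overridden (ssh would not reach the real server)
tunnel_preflight() {
    web_ip=$(hosts_ip "$1" "$2")
    ssh_ip=$(hosts_ip "$1" "$3")
    if [ "$web_ip" != "127.0.0.1" ]; then
        echo "$2 is not pinned to 127.0.0.1 in $1 (found: ${web_ip:-no entry})" >&2
        return 1
    fi
    if [ -n "$ssh_ip" ]; then
        echo "$3 is overridden to $ssh_ip in $1" >&2
        return 2
    fi
    return 0
}

# Constructed sample hosts file (stands in for /etc/hosts)
sample=$(mktemp)
printf '127.0.0.1 localhost\n127.0.0.1 www.tidgubi.com # tunnel\n' > "$sample"
if tunnel_preflight "$sample" www.tidgubi.com ssh.tidgubi.com; then
    echo "ready: sudo ssh kenji@ssh.tidgubi.com -L 80:www.tidgubi.com:80"
fi
rm -f "$sample"
```

Point the first argument at /etc/hosts to check the real file.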

Stopping a Logitech Unifying Receiver from being detected as a keyboard

On MacOS, plugging in a Logitech Unifying Receiver brings up the detect keyboard dialog. Unfortunately this happens every time a user logs in if the user is not an Administrator. Following the onscreen instructions doesn’t work. MacOS just gives you an error, saying you’re using the wrong keyboard. Even opening the System Preferences, authenticating as an Administrator, and trying to configure the new “keyboard” doesn’t seem to work.

The solution I found doesn’t make complete sense from an OS design point of view. You need to log in with an Administrator account. When the Keyboard Setup Assistant launches, click Continue. Press any key on your keyboard. Click Skip when told your keyboard can’t be identified. Select “ANSI” and click Done.

Note: If the Keyboard Setup Assistant did not automatically launch, open System Preferences, click Keyboard, and click “Change Keyboard Type…”.

gpg for Mac

Lately I’ve been building a bunch of “Linux” command line tools for my Mac. As I focus on security, I decided GPG would be the next tool. You can download my GPG public key at KenjiYoshino.pub.

Download

  1. gpg-1.4.13.tar.gz
    • SHA-1 of gpg-1.4.13.tar.gz: 45901f228377c65b445104d7037ad26dde70fe7a
    • Signature: gpg-1.4.13tar.gz.sig
    • SHA-1 of the gpg executable: 361b9beec3667abdc01d30b0b5ac0b215b3d4d48
    • SHA-1 of the gpgv executable: 006c7ac41d63f1a1a7aa695428f42acd9f7a54e3
  2. Open the Terminal and navigate to the downloaded archive
  3. Extract the files by running tar xzf gpg-1.4.13.tar.gz
  4. Log in with an account with Administrator privileges
  5. Copy /bin/gpg and /bin/gpgv to /usr/local/bin
  6. Copy /man/gpg.1 and /man/gpgv.1 to /usr/local/share/man/man1
  7. Make sure all users have execute/read access to these files

Compile

Note: You must have Xcode installed.

  1. Download the GPG 1.4.13 source from http://www.gnupg.org/download/
  2. Open a terminal window and browse to the downloaded archive
  3. Extract the archive using tar xzf gnupg-1.4.13.tar.gz
  4. Open the gnupg-1.4.13 directory
  5. Run ./configure
  6. Run make
  7. You will have the gpg and gpgv binaries in the /g10 directory and the man page in the /doc directory
  8. Copy /g10/gpg and /g10/gpgv to /usr/local/bin
  9. Copy /doc/gpg.1 and /doc/gpgv.1 to /usr/local/share/man/man1
  10. Make sure all users have execute/read access to these files

Showing VIM Location

When working with Linux, every VIM editor automatically shows the little status bar at the bottom of the page. It displays useful tidbits of information like line number, column number, and location (as a percent). For some reason, Apple didn’t think to enable this in MacOS’s VIM editor. Fortunately that’s easy to fix by following these steps:

  1. Open a Terminal window
  2. If you’re not at the root of your home directory run cd ~
  3. Run the command vi .vimrc. This will create or open the .vimrc file, which holds your personal VIM “preferences”
  4. Enter set ruler on an empty line
  5. Save and quit

wget for Mac

I’m working on a Google Chrome extension to allow users to check the URL they are being forwarded to when they click on shortened URLs. I wanted to make sure I’m parsing responses and forwards properly, so wget came to mind. I’ve used wget a few times on Linux, but I’m doing my development on my Mac, so I compiled wget for my Mac.

Download

  1. wget-1.14.tar.gz
    • SHA-1 of wget-1.14.tar.gz: fedb008d414b87e44962e5e17671230aebe88189
    • Signature: wget-1.14.tar.gz.sig
    • SHA-1 of the wget executable: 062e17849d46cecc3d1e6d4a42b88e7eba16d96a
  2. Open the Terminal and navigate to the downloaded archive
  3. Extract the files by running tar xzf wget-1.14.tar.gz
  4. Log in with an account with Administrator privileges
  5. Copy /bin/wget to /usr/local/bin
  6. Copy /man/wget.1 to /usr/local/share/man/man1
  7. Make sure all users have execute/read access to these files

Compile

Note: You must have Xcode installed.

  1. Download the wget source (wget-1.14.tar.gz) from http://ftp.gnu.org/gnu/wget/
  2. Open a terminal window and browse to the downloaded archive
  3. Extract the archive using tar xzf wget-1.14.tar.gz
  4. Open the wget-1.14 directory
  5. Run ./configure --with-ssl=openssl
    If you have GNUTLS installed, you can omit “--with-ssl=openssl”
  6. Run make
  7. You will have the wget binary in the /src directory and the man page in the /doc directory
  8. Copy /src/wget to /usr/local/bin
  9. Copy /doc/wget.1 to /usr/local/share/man/man1
  10. Make sure all users have execute/read access to these files