George MacKerron: code blog » System admin

MySQL gem for Ruby 1.9.1/1.9.2 on Snow Leopard (Mac OS X 10.6)

George — Thu, 04 Aug 2011 14:47:11 +0000

The secret to getting the MySQL gem to install and function with Ruby 1.9.1/1.9.2 on Snow Leopard is:

Install MySQL using the 64-bit .DMG package installer from dev.mysql.com
Install Ruby using RVM (that’s Ruby 1.9.2 or 1.9.1-p378 — at the time of writing the latest 1.9.1, p429, is buggy)
Add these to lines to ~/.bash_login or ~/.bashrc:

export PATH="/usr/local/mysql/bin:$PATH"
export DYLD_LIBRARY_PATH="/usr/local/mysql/lib:$DYLD_LIBRARY_PATH"

In a new shell (Terminal window), type gem install mysql as normal.

I’m posting this mainly as a record for myself, having wasted a lot of time in the past trying strange incantations from comments on various other blogs posts.

Blocking the weakest passwords

George — Tue, 14 Dec 2010 12:24:04 +0000

The recent Gawker passwords leak once again highlights the widespread use of passwords that offer essentially no security.

Some years ago, when working on a secure web app for a large organisation — let’s call them Secret Testing Ltd — I was keen that people shouldn’t choose hopelessly weak passwords. I was particularly concerned by my sysadmin colleague’s fondness for passwords of the form ‘p/\55w0rd’ or ‘S3cr3t-T35t|ng’.

I therefore wrote some simple Ruby code to try to catch very weak passwords:

class PasswordUtils
 
  def self.look_and_sound_alikes(original)
    look_or_sound_alikes = { \
      '0' => ['o'] ,
      '1' => ['i', 'l'],
      '2' => ['to', 'too'],
      '3' => ['e'],
      '4' => ['a', 'for'],
      '5' => ['s'],
      '6' => ['g'],
      '8' => ['b', 'ate'],
      '9' => ['g'],
      'i' => ['i'],
      '$' => ['s'],
      '|' => ['i', 'l', ''],
      '!' => ['i', 'l', ''],
      '@' => ['g', 'a'],
      '(' => ['c'],
      '[' => ['c', 'e'],
      '{' => ['e'],
      '&' => ['and'],
      '*' => ['star'],
      ')' => ['d'],
      '^' => ['a'],
      '/' => ['a', 'v'],
      '\\' => [''],
      '<' => ['k']
    } 
    # the penultimate two substitutions catch /\ (A) and \/ (V), albeit without
    # distinguishing them, and the last (in conjunction with the empty options 
    # for ! and |) catches !< and |< (K)
    versions = ['']
    original.downcase.each_char do |c|
      versions.collect! do |v|
        alikes = look_or_sound_alikes[c] || [c]
        alikes.collect { |c1| v + c1 }
      end
      versions.flatten!
    end
    versions
  end
 
  def self.obvious?(password, custom_banned_list = '')
    standard_banned_list = File.read("#{RAILS_ROOT}/config/banned_password_words.txt")
    banned_words = standard_banned_list.downcase.split(/\W+/) + 
      custom_banned_list.downcase.split(/\W+/).delete_if { |w| w.length < 4 }
    alike_words = [password.downcase] + PasswordUtils.look_and_sound_alikes(password)
    banned_words.any? do |banned_word|
      alike_words.any? { |alike_word| alike_word.include? banned_word }
    end
  end
 
end

The first method of the class undoes some common substitutions:

> PasswordUtils.look_and_sound_alikes('p/\55w0rd')
=> ["password", "pvssword"]
>  PasswordUtils.look_and_sound_alikes('S3cr3t-T35t|ng')
=> ["secret-testing", "secret-testlng", "secret-testng"]

And the second method uses this in conjunction with a list of banned words to check that an entered password isn’t hopelessly weak.

> PasswordUtils.obvious?('p/\55w0rd')
=> true
>  PasswordUtils.obvious?('S3cr3t-T35t|ng')
=> true
> PasswordUtils.obvious?('gkAsd76!o')
=> false

Obviously, you need a good banned words list — perhaps starting with some top N passwords lists, and including the name of your company, the web app, and words related to the area of business, local pubs, and so on.

It’s also a good idea to include custom banned words for individual users. For example:

custom_banned_list = "#{first_names} #{surname} #{department} #{organisation} #{email}"
PasswordUtils.password_obvious?(password, custom_banned_list)

Passing these tests isn’t a sufficient condition for ruling out a weak password, but it’s arguably a necessary one, and a good start.

Growling Mac backups with rsync

George — Sat, 01 Aug 2009 11:40:01 +0000

Between Time Machine and services like Dropbox, paranoid levels of backup are surprisingly painless to achieve on the Mac these days.

Still, just one more copy of your data, in just one more continent, surely can’t do any harm, right? One that won’t burn down with your house, but also isn’t just wafting vaguely in the Cloud at someone else’s whim. One that elevates your backup system from sensibly paranoid to borderline OCD. One, in this case, brought to you by rsync, find and Growl.

What it does

This script does the following:

recursive, incremental, remote backup of the contents of folders you choose
safely archiving anything that changed since last time
and excluding things by name or folder (all this is just rsync so far)
and also excluding anything unfeasibly big (this is down to find)
all the while using Growl to keep you apprised of the situation, as exemplified below (thanks to growlnotify).

On the remote server, you end up with a file structure as below, with your current files under Current and any files that have moved, changed, or been deleted in a dated folder under Archive:

What you’ll need

You’ll need:

a remote backup server you have rsync access to, with (passwordless) public key authentication set up.
Growl installed, obviously, and also growlnotify (by running ./install.sh in the Extras folder on the Growl installation .dmg).
a way to schedule the script to run — iCal, cron, or launchd (for the management of which last I recommend Lingon).

The script

There’s some rather superstitious quoting. Even then, it’ll probably still bite you in case of spaces.

#!/bin/bash
 
# --- Set backup parameters ---
 
# What local files/folders are we backing up?
SRC="/Users/gjm06/Development /Users/gjm06/Documents /Users/gjm06/Sites"
 
# What server are we backing up to?
DESTSERVER="george.example.com"
 
# What's our user name on the server?
SSHUSER="george"
 
# What's the remote shell command for this server 
# (slight obscurity/security by avoiding port 22)
RSH="ssh -p 2244"
 
# What location on the server shall we back up to?
DESTPATH="/home/george/backups"
 
# Any non-valuable stuff to exclude by name/location?
EXCLUDE=".DS_Store,.svn/,.Trash/,tmp/,log/,vendor/"
 
# Exclude things that are *how* big? 
# e.g. I don't want GBs of virtual machines going over the wire
# (NB. this is in bytes)
MAXFILESIZE=100000
 
 
# --- Set Growl parameters ---
 
# What will this script be called in the Growl prefpane?
GROWLNAME="Remote backup script"
 
# And what app's icon will appear in Growl notifications?
APPICON="Time Machine"
 
 
# --- Do it! ---
 
echo Checking not already running 
 
PROCS=`ps -A -o "pid=,command="`
MYNAME="$0"
MYBASENAME=`basename $MYNAME`
MYPID=$$
 
# The next line works like so:
# * take the process list (for all users),
# * filter *in* processes named like this script (making sure we're on word boundaries),
# * filter *out* (-v) the one that *is* this script (by PID), and finally
# * filter *out* the grep commands themselves.
 
MERUNNING=`echo "$PROCS" | grep -E -e "\b$MYBASENAME\b" \
  | grep -E -v "\b$MYPID\b" | grep -v grep`
 
# Then, if anything's left (i.e. MERUNNING isn't a zero-length string...)
 
if [ ! -z "$MERUNNING" ]; then
  /usr/local/bin/growlnotify --name "$GROWLNAME" --appIcon "$APPICON" \
    --message "Another backup seems to be in progress" \
    "Ignoring scheduled backup"
  exit 1
fi
 
 
echo Finding large files to exclude...
 
OVERSIZELIST="/tmp/files_over_backup_limit"
find $SRC -size +$MAXFILESIZE > $OVERSIZELIST
 
# If you ever want to know what's excluded -- and you should! -- just do
# a 'cat /tmp/files_over_backup_limit' in the Terminal
 
# Next, 'wc -l' counts the *lines* in our oversize list, and we extract 
# just the number from the output
 
NUMOVERSIZE=`wc -l "$OVERSIZELIST" | grep -o -E [0123456789]+`
 
 
echo Rsyncing...
 
# date makes up the name for our archive folders, while
# eval is used to invoke shell expansion on the list of file names to exclude,
# turning them into a list of --exclude= statements
 
BDATE=`date "+%y_%m_%d-%H.%M.%S"`
EXPEXCLUDES=`eval "echo --exclude={$EXCLUDE} "`
ERRORS="/tmp/rsync_backup_errors"
 
# The && and || operators give us a simple way to respond to zero and 
# non-zero (= error) rsync exit codes, thanks to lazy evaluation by the shell
 
rsync --rsh="$RSH" \
  --recursive --partial --delete --delete-excluded \
  --links --times --relative --compress \
  --backup --backup-dir="$DESTPATH/Archive/$BDATE/" \
  --exclude-from="$OVERSIZELIST" \
  $EXPEXCLUDES \
  $SRC \
  $SSHUSER@$DESTSERVER:"$DESTPATH/Current/" \
  2>"$ERRORS" \
&& 
/usr/local/bin/growlnotify --name "$GROWLNAME" --appIcon "$APPICON" \
  --message "Backed up to $DESTSERVER, $NUMOVERSIZE oversized files excluded" \
  "Completed backup" \
|| \
/usr/local/bin/growlnotify --name "$GROWLNAME" --appIcon "$APPICON" -s \
  --message "`cat "$ERRORS"`" \
  "Failed backup"

Hope it’s useful in your own paranoid backup endeavours. And, by the way, if you ever hear me say “surely a simple Bash script couldn’t take that long”, please don’t stop reminding me just how much I hate Bash until I change my mind.

iPhone + public key SSH authentication: lovely

George — Thu, 28 May 2009 13:03:20 +0000

I’ve been unhappy for a while having the SSH daemon on my web server VPSs with password authentication enabled. Of course, it’s on a non-standard port, blocks root logins, and takes a strong-ish password… but the risk of a successful dictionary attack has still felt too non-zero for comfort.

Equally, though, I’ve not wanted to give up the ability to log in to the servers from anywhere to fix things in an emergency, so I didn’t want to turn password authentication off and rely on public keys alone.

Until now, that is. I realised yesterday that, since I have iSSH on the iPhone, which does public key authentication, I can log into my servers from anywhere, even with password authentication turned off. Granted, doing anything serious on a tiny screen and slow connection is difficult. But all I actually need to be able to do from there is temporarily turn password authentication back on.

And to make this easy, I’ve put two ultra-simple scripts in ~/bin:

pwd_login_on.sh

#!/bin/bash
sudo sed -r -e 's/^PasswordAuthentication no$/PasswordAuthentication yes/' \
  -i.previous /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

pwd_login_off.sh

#!/bin/bash
sudo sed -r -e 's/^PasswordAuthentication yes$/PasswordAuthentication no/' \
  -i.previous /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

(These paths are suitable for Ubuntu 8.04).

Lovely.