Monday, October 27, 2008

Some more fun with SSH port forwarding and socks proxy

A few days ago I wrote "Fun with SSH Remote Port Forwarding" (see the post of Tuesday, October 14, 2008 below), describing how a reverse tunnel (ssh -R 4321:localhost:22) from an Institute workstation to our hostel server lets us reach the Institute's machines from anywhere on the internet.


This time I will talk a bit more about the same stuff.
Several websites are hosted on the Institute's network and are reachable only from the Institute's LAN. Most of them are faculty pages carrying class notes and assignments, so getting at them from the hostel is awkward. One way is to log in to an Institute workstation through the tunnel described above and fetch the page or file with wget and scp, but I didn't like the idea of logging in by hand every time I needed a file. Possessed by an unusual craving for automation, I set out to fix this itch.

Initially I set up an SSH SOCKS proxy on Oak (the hostel PIII) with ssh -l username -D *:9090 localhost -p 4321 . The -D option makes the ssh client on Oak listen as a SOCKS4/SOCKS5 proxy on port 9090 and carry every proxied connection through the forwarded port to the workstation, so the traffic leaves the tunnel inside the Institute's LAN. Two caveats. First, the bind address * makes the proxy listen on all of Oak's interfaces, including the ADSL side, which turns it into an open proxy into the Institute's LAN for anyone on the internet; binding it to Oak's hostel-LAN address only (ssh -l username -D LANaddress:9090 localhost -p 4321) or firewalling the port is the safer choice. Second, LAN-only hostnames resolve only inside the Institute, so Firefox must be told to resolve names through the proxy (set network.proxy.socks_remote_dns to true in about:config); otherwise the lookups are done on the hostel side and fail.

Firefox can be pointed at a SOCKS proxy directly, and with that I could browse the websites on the Institute's LAN. However, this involved the "trouble" of reconfiguring Firefox's proxy settings every now and then. For some time I used the Firefox extension FoxyProxy to manage the proxy settings automatically: it matches URL patterns and can be configured to use different proxy settings for different sites. Still, I was not completely happy with this solution. I craved something more.


I had an old PIV named Mars lying around, used as a torrent downloader, and decided to put it to better use. My aim was a CGI-based proxy server on Mars: I would open it in a web browser, enter a URL, and be able to surf any website on the Institute's LAN through it. For this I set up Privoxy on Mars and made it forward connections to the SOCKS proxy listening on port 9090 on Oak (a forward-socks5 / LANaddress:9090 . line in Privoxy's config file, LANaddress being Oak's hostel-LAN address; forward-socks4a works the same way). Apache was already running on Mars, so I installed the CGIProxy 2.1beta18 CGI script from James Marshall's home page. It gives a nice web interface: just enter the URL, and it loads the page by relaying the request through whatever proxy it has been configured to use, in my case Privoxy. Note that anyone who can reach Mars's Apache can then browse the Institute's LAN through the CGI script, so it should be restricted (Apache access control limited to the hostel LAN, or HTTP authentication) rather than left open to all.
So, in effect, this is what was happening:

The CGIProxy 2.1beta18 CGI script relayed requests through Privoxy, which relayed them through the ssh SOCKS proxy on Oak, which in turn sent them through the encrypted tunnel established right at the beginning by the ssh session initiated from the workstation at the Institute. So far so good.

But life is never smooth sailing; there were a few more hurdles to overcome. Oak doesn't have 24x7 internet connectivity: it is online for only 12 hours a day, from 1530 UTC to 0330 UTC, i.e. 2100 IST to 0900 IST. On top of that the connection is an unreliable ADSL link which breaks quite often. The script on the Institute's workstation tries to connect to Oak whenever Oak is online. When the ADSL link suddenly drops, the ssh client at the Institute notices (its ServerAliveInterval probes go unanswered) and disconnects, but the sshd session for that connection on Oak never sees the connection close and lingers as a ghost, still holding the listening socket on port 4321. When the link comes back and the client reconnects, Oak's sshd refuses the new -R request because the port is still taken; the client prints "Warning: remote port forwarding failed for listen port 4321" and, unless ExitOnForwardFailure=yes is set, stays connected without the tunnel. So it was necessary to detect and exorcise these ghosts.

The following script, which runs on Oak, ensures that any ghosts are killed and that exactly one live connection from the Institute's workstation exists; only then does it start the ssh SOCKS proxy. (The ghosts can also be made to die on their own: ClientAliveInterval and ClientAliveCountMax in Oak's sshd_config make sshd probe idle sessions and drop dead ones within minutes, freeing port 4321, and ExitOnForwardFailure=yes on the workstation's ssh client makes it exit and retry instead of sitting on a connection without the forward. The script handles the problem at the application level regardless.)

#!/bin/bash
# talkback: runs on the hostel server (Oak). Wait for the workstation's reverse
# tunnel on port 4321, then open a SOCKS proxy through it. If more than one
# session from the workstation is present, a ghost left by a broken ADSL link
# is holding the port: kill that user's sessions and wait for a fresh one.
PEER_IP="IPaddress"      # address the Institute's workstation connects from
                         # (use the name instead if Oak resolves it in `w`)
PEER_USER="username"     # account the workstation logs in to on Oak
TUNNEL_USER="students"   # account on the Institute's workstation
SOCKS_BIND="LANaddress"  # Oak's hostel-LAN address only; never '*', which would
                         # expose an open SOCKS proxy into the Institute LAN
SOCKS_PORT=9878

while true; do
    echo "talkback started."
    # `w` lists only logins that have a terminal, so the tunnel script on the
    # workstation must not use ssh -N for this check to work.
    sessions=$(/usr/bin/w -h | /usr/bin/awk -v ip="$PEER_IP" '$3 == ip' | /usr/bin/wc -l)
    if [ "$sessions" -eq 0 ]; then
        echo "talkback: sleeping..."
        sleep 120
    elif [ "$sessions" -eq 1 ]; then
        if ! /usr/bin/pgrep -f "ssh -N .*-D $SOCKS_BIND:$SOCKS_PORT" >/dev/null; then
            echo "talkback: logging in..."
            /usr/bin/ssh -N -o ExitOnForwardFailure=yes \
                -l "$TUNNEL_USER" -D "$SOCKS_BIND:$SOCKS_PORT" localhost -p 4321 \
                -i "$HOME/id_rsa" &
        else
            echo "talkback: already logged in."
            sleep 60
        fi
    else
        echo "talkback: ghost session found, killing all sessions of $PEER_USER :D"
        /usr/bin/skill -KILL -u "$PEER_USER"
    fi
    echo "talkback: sleeping..."
    sleep 60
done
exit 0

IPaddress is the address the Institute's workstation connects from, and username the account it logs in to on Oak. The check relies on w, which lists only logins that have a terminal, so the tunnel script on the workstation must not run ssh with -N (or the check has to look at the listening port instead). If no connection exists, which is generally the case between 0900 IST and 2100 IST, the script sleeps for two minutes and checks again. If there is exactly one connection, it checks whether Oak has already logged in to the Institute's workstation; if not, it logs in and starts the ssh SOCKS proxy listening on port 9878. If more than one connection from the workstation is present, i.e. an earlier session never timed out, the script kills all of username's sessions on Oak (which also drops the live one) and then waits for the workstation's loop to make a fresh connection.
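As an added example (not the talkback script above, nor anything from the original post), the shell functions below do the two checks this post cares about on Oak using ss (iproute2) output instead of grepping w: which ports are bound on every interface (the open-SOCKS-proxy problem of -D *:port), and whether the sshd holding the forwarded port 4321 still has a live TCP connection from the workstation or is a ghost, so that only the ghost's pid gets killed instead of every session of username. Port 4321, the documentation addresses (203.0.113.7 for the workstation, 192.0.2.10 for Oak) and the ss lines at the bottom are constructed for an offline run; on Oak you would feed in the real ss output as shown in the comment.

```shell
#!/bin/bash
# Added example: classify the sshd holding a forwarded port as live or ghost,
# and list wildcard-bound listeners, from `ss` output. Not the original
# talkback script. Real use on Oak (PEER_IP = the workstation's address):
#   classify_tunnel 4321 "$PEER_IP" "$(ss -Hltnp)" "$(ss -Htnp state established)"
#   ss -Hltn | wildcard_listeners

# Print every pid=NNNN found in the users:(...) column of `ss -p` lines (stdin).
ss_pids() {
    awk '{
        while (match($0, /pid=[0-9]+/)) {
            print substr($0, RSTART + 4, RLENGTH - 4)
            $0 = substr($0, RSTART + RLENGTH)
        }
    }'
}

# pid holding the listening socket 127.0.0.1:$1, from `ss -Hltnp` output (stdin).
# Column 4 is the local address; a remote forward without GatewayPorts binds loopback.
listener_pid() {
    awk -v a="127.0.0.1:$1" '$4 == a' | ss_pids | head -n 1
}

# pids of sshd processes with an established connection from peer $1 to local
# port 22, from `ss -Htnp state established` output (stdin). With a state
# filter ss omits the State column, so local address is $3 and peer is $4.
peer_sshd_pids() {
    awk -v p="$1:" '$3 ~ /:22$/ && index($4, p) == 1 && index($0, "sshd") > 0' | ss_pids
}

# Ports in `ss -Hltn` output bound on every interface (0.0.0.0, [::] or *),
# i.e. reachable from the ADSL side as well as the hostel LAN.
wildcard_listeners() {
    awk '$4 ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/ { sub(/.*:/, "", $4); print $4 }'
}

# classify_tunnel PORT PEER_IP LISTEN_OUTPUT ESTAB_OUTPUT
# Prints "none" (port free), "live PID" or "ghost PID".
classify_tunnel() {
    local port="$1" peer="$2" listen_out="$3" estab_out="$4" lpid
    lpid=$(printf '%s\n' "$listen_out" | listener_pid "$port")
    if [ -z "$lpid" ]; then
        echo none
    elif printf '%s\n' "$estab_out" | peer_sshd_pids "$peer" | grep -qx "$lpid"; then
        echo "live $lpid"
    else
        echo "ghost $lpid"
    fi
}

# Kill only the ghost session's sshd (the listener's pid); other logins survive.
reap_ghost() {
    local verdict
    verdict=$(classify_tunnel "$@")
    case "$verdict" in
        "ghost "*) kill -TERM "${verdict#ghost }" ;;
    esac
    echo "$verdict"
}

# Constructed sample output (documentation addresses), not captured from Oak.
SAMPLE_LISTEN='LISTEN 0 128 127.0.0.1:4321 0.0.0.0:* users:(("sshd",pid=2314,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:9878 0.0.0.0:* users:(("ssh",pid=2401,fd=4))'
SAMPLE_ESTAB_LIVE='0 0 192.0.2.10:22 203.0.113.7:51234 users:(("sshd",pid=2314,fd=3),("sshd",pid=2313,fd=3))'
SAMPLE_ESTAB_GHOST='0 0 192.0.2.10:22 198.51.100.9:40122 users:(("sshd",pid=2580,fd=3),("sshd",pid=2579,fd=3))'

if [ "${1:-}" = "--demo" ]; then
    classify_tunnel 4321 203.0.113.7 "$SAMPLE_LISTEN" "$SAMPLE_ESTAB_LIVE"   # live 2314
    classify_tunnel 4321 203.0.113.7 "$SAMPLE_LISTEN" "$SAMPLE_ESTAB_GHOST"  # ghost 2314
    printf '%s\n' "$SAMPLE_LISTEN" | wildcard_listeners                      # 22 and 9878
fi
```

Run it with --demo to see both verdicts on the sample data. The ghost test is the absence of any established connection from the workstation that is owned by the same sshd pid that holds the listener; reap_ghost is the only function that touches a process, and it signals just that pid.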
P.S. This post is slightly technical and my way of explaining things is somewhat ugly. Leave a comment if something is not clear.

XHTML 1.0 Standards - who cares?

It has been quite a few days since I started blogging. The source of my blog proudly proclaimed <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
I rushed off to the W3C Markup Validator. The first run showed up 437 errors! Quite a high number. Most of them were petty errors like unencoded ampersands in URLs, improper comments and the like. It is true that the extremely demanding XHTML 1.0 Strict standard sometimes becomes too much for web designers, but no one forces a designer to declare that DOCTYPE either. If Google Blogger is so keen to show off its "XHTML 1.0 Strict" compliance, then it should take the responsibility of remaining true to its word. Simply asserting compliance and then relying on the browser to do the hard work is not something one expects from Google.

Sunday, October 26, 2008

Snapshots of my room in IISERK Hostel

... Neat and tidy .. isn't it ?
At the bottom of the rack (in the first pic) you can see Oak, our unofficial web server, file server and network router for the hostel. On the table lies Mars, my torrent downloader and music player; it doubles as a local mirror for some websites on our Institute's LAN. Also on the table is Pluto, my almost-always-on Compaq Presario V3018TU. All of them run some flavour or other of Ubuntu GNU/Linux: Oak and Mars run Hardy Heron 8.04.1 LTS, while Pluto runs Intrepid Ibex 8.10.

Tuesday, October 14, 2008

Fun with SSH Remote Port Forwarding

Prologue: Our Institute has several nice dual-core machines deployed for the students. Unfortunately the machines are behind a NAT with no port forwarded for external SSH access, and the students' hostel is a fair distance from the computational centre, so anyone wanting to use the machines outside office hours found it a wee bit difficult. The sysadmin would not have agreed to forward any ports. Something had to be done....

SSH has a very useful feature: remote and local port forwarding. We have an old, rickety PIII running Ubuntu 8.04.1 in the hostel; it is connected to the net and reachable via SSH from the internet. With a tiny shell script running on one of the machines at the Institute, I made the old PIII an intermediate gateway for SSH access to the Institute's machines from anywhere on the internet. The script is only a few lines long, but powerful enough to serve our purpose.

#!/bin/bash
# Keep a reverse tunnel from this workstation to the hostel PIII alive.
while true; do
    ssh -C -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
        -R 4321:localhost:22 serverhostname
    echo "Retrying in 10 seconds..."
    sleep 10
done

Let us analyse what this script does.
serverhostname is the hostname of the PIII server. For example, if www.example.com resolves to the public IP of the PIII, then www.example.com would be used in place of serverhostname.
The -C option requests compression of all data, to improve transfer speed over slow links.
-o ServerAliveInterval=30 makes the ssh client send an application-layer keepalive every 30 s, so an idle connection is not timed out by the NAT and a dead one is noticed: after three unanswered probes (the default ServerAliveCountMax) the client gives up, and the loop reconnects.
-o ExitOnForwardFailure=yes makes the client exit, rather than stay connected uselessly, if the server cannot open port 4321 (for instance because a stale session still holds it); the loop then simply retries.
-R 4321:localhost:22 is the most important part. An SSH server runs on the Institute's workstation, listening on port 22. "-R 4321:localhost:22" asks the PIII's sshd to listen on port 4321 and forward every connection made to it back over the secure channel to port 22 of the workstation, i.e. to the workstation's own sshd. By default (GatewayPorts no in sshd_config) that listener is bound to the PIII's loopback address only, so it can be reached only by someone already logged in to the PIII, which is exactly what we want.
The while loop re-establishes the connection whenever it breaks; the short sleep keeps it from hammering the server while the PIII is down. You need a passphraseless RSA or DSA key for authentication instead of a password, otherwise the client will sit waiting for a password. Since that key lives on a shared student workstation, restrict what it can do in the PIII's authorized_keys: a from="InstituteIP" option limits it to connections from the Institute's public address, and no-agent-forwarding,no-X11-forwarding take away capabilities the tunnel doesn't need. Without -N, ssh also opens a login shell on the PIII, so run the script inside screen; keeping the shell does no harm, and a session with a terminal is visible in w on the PIII, which is handy for checking that the tunnel is up.
Now suppose in the middle of the night I feel an urge to log in to the machine at my college, but I am (say even a few hundred or thousand miles :D) away from the computational centre. All I need to do is log in to the PIII in the hostel with ssh from anywhere on the internet. Once there, I issue the command: "ssh -l username localhost -p 4321". Though I am ssh-ing into port 4321 of localhost, the connection effectively goes to port 22 of the Institute's workstation, thanks to the port forwarding set up earlier. No need to persuade the sysadmin to change the NAT or the Institute's firewall.

Monday, October 13, 2008

Changing the favicon for your blog

People who are not happy with the orange and white Blogger favicon can use their own instead. First create a 48 x 48 px image using GIMP or whatever software you prefer. Save the image as a .ico file, say myicon.ico. Upload the image to some web host like Google Pages or Geocities (Picasa Web Albums doesn't accept .ico files).
Next go to your Blogger DashBoard --> Layout --> Edit HTML.
Locate the line <head>
After the line insert the code-
<link href="http://imagelocation/myicon.ico" rel="icon">.
Replace http://imagelocation with your webhost's address. Save the template. The job is done. Refresh your Blog page, your own icon will appear instead of Blogger's.

Saturday, October 11, 2008

Adding Social Bookmarking links like Digg, Delicious etc. in Blogger

With a little tinkering of the HTML code of the Blogger template, it is very easy to insert social bookmarking links like Digg, Delicious, Technorati etc. so that readers can directly bookmark the Blog post.
To add these links:
Go to your Blogger Dashboard, click Layout --> Edit HTML, then tick Expand Widget Templates.
Search for the line: post-footer-line
Just after the line, add the following code (the template is XML, so every & inside the URLs has to be written as &amp;):
<p/>Add to:
<a expr:href='"http://digg.com/submit?phase=2&amp;url=" + data:post.url + "&amp;title=" + data:post.title' target='_blank'><img height='20' width='50' src='http://lh4.ggpht.com/sambitbikaspal/SPAyI0pMJYI/AAAAAAAAAm0/THLvsaJKvJo/s144/digg-logo.gif'/></a>
<a expr:href='"http://del.icio.us/post?url=" + data:post.url + "&amp;title=" + data:post.title' target='_blank'><img height='20' width='75' src='http://lh6.ggpht.com/sambitbikaspal/SPAyIYm0_YI/AAAAAAAAAms/WCVRbA5dBto/s144/delicious_logo.jpg'/></a>
<a expr:href='"http://technorati.com/faves?add=" + data:post.url + "&amp;title=" + data:post.title' target='_blank'><img height='20' width='75' src='http://lh3.ggpht.com/sambitbikaspal/SPAyI6EDxdI/AAAAAAAAAm8/foKy9hP8qe4/s144/technorati_logo.jpg'/></a>
<p/>

The links (http://lh6.ggpht.com/sambitbikaspal/SPAyIYm0_YI/AAAAAAAAAms/WCVRbA5dBto/s144/delicious_logo.jpg and the like) are the logos for the respective sites, stored in my Picasa Web Album. Alternatively, you can upload the logos to some other free image host and change the links accordingly. Note that data:post.title is pasted into the URL without URL-encoding, so a title containing a character like & or # will give a malformed bookmark link. The net effect is that the social bookmarking links get added below each of your posts.
Kindly Digg the story if you liked it!

Thursday, October 9, 2008

Rendering LaTeX in Blogger.

Rendering LaTeX in Blogger is pretty easy thanks to the JavaScript LaTeX equation render engine from http://www.yourequations.com.
To enable LaTeX rendering go to the Blogger Dashboard --> Layout --> Edit HTML. Then add the line
<script type="text/javascript" src="http://tex.yourequations.com/"></script>
just before </body>. Half the job is now done. Keep in mind that this loads a script from a third-party server into every page of the blog, with full access to the page, so you are trusting yourequations.com as much as your own template.
Then, for example to render:
\int_{0}^{1}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx =\frac{22}{7}-\pi
Use the code:
<pre lang="eq.latex">
\int_{0}^{1}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx
=\frac{22}{7}-\pi
</pre>

The LaTeX code will now be displayed as:
\int_{0}^{1}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx=\frac{22}{7}-\pi

Of course JavaScript needs to be enabled in the browser for the renderer to work.

Durga Puja 2008



Photographs taken with Sony DSC W130 DigiCam, during the Durga Puja 2008 at Kharagpur.
Durga Puja is an autumn festival celebrated widely, mainly in the states of West Bengal and Tripura in India, in honour of the Hindu goddess Maa Durga.


Some snippets about Verisign's Personal Identity Portal

Recently I stumbled upon VeriSign's Personal Identity Portal, pip.verisignlabs.com. Though still in beta, I found it immensely impressive as an all-in-one personal identity management service.
It has a cool feature named One-Click Sign In, which allows signing in to a host of websites including Google, Yahoo, Flickr and YouTube, among many others. The login credentials for the respective sites have to be submitted, and are stored encrypted under the user's passkey. The only caveat of this excellent service is that one has to take VeriSign's word for it when it comes to the security and privacy of those credentials. Having trusted VeriSign fully with one's secrets, all that is required is to bookmark the One-Click Sign In link provided after submitting the credentials. Clicking the bookmark leads to a list of the added sites, and clicking any of them signs the user in directly; of course one has to be signed in to pip.verisignlabs.com first.
Another feature is the ability to create a personal identity page with a unique PIP URL, where one can publish personal details like name, address, email, date of birth etc. that one wants to share publicly.
The PIP URL also acts as an OpenID for quick sign-in to any website supporting OpenID.
Since pip.verisignlabs.com becomes a one-stop shop for personal identity, it is important to protect the PIP account: a compromise of the PIP account leads to compromise of every account listed under One-Click Sign In, as well as of the OpenID. As an extra security measure, VeriSign provides an optional browser authentication certificate. Even if the username and password are compromised, an attacker cannot get into the account without the certificate's private key, which in turn means protecting the browser profile it is stored in and not exporting it carelessly.
If this is still not enough for some paranoids, VeriSign provides a further layer of security with an optional hardware security token for a nominal fee. It generates a new one-time code every 30 seconds, which is required at every login. This should be more than enough to give considerable peace of mind to the most paranoid person on this planet.

Why the name - Bot Cyborg ?

The name of the blog followed the name of the domain I had registered. I was interested in the domain hack cyb.org. Unfortunately it was already registered by someone else. Looking for an alternative, I registered botcyb.org. As one of my friends correctly said, the domain name sounds as if it belongs to some spam bot :D. The blog was named after the domain.

Why blog?

A few days ago I was caught up in a discussion on this topic with one of my friends. Personally I was (and still am) somewhat against the idea of writing blogs. Naturally, having set out to write my first blog, I have to justify, at least to myself, why I am doing so.
Prologue:
I had been maintaining a tiny personal website on Google Pages. On learning of Google's decision to phase out the Google Pages service and replace it with Google Sites, I started looking for some other reliable but free host. I didn't find Google Sites very appealing: it doesn't allow hosting custom HTML pages. Being a student, shelling out money for paid hosting would have hurt my pocket a lot, and most free web hosts litter the page with crappy and tasteless ads. Yahoo! Geocities' free hosting was a good compromise.
Temporarily I moved my site to http://www.geocities.com/sammy_pal123 but was not very happy (somewhat happy, to tell the truth) with it either, as it didn't allow me to use my own domain.

It was at this time that the idea of using Blogger as a replacement for a personal website occurred to me. It was not too bad an idea; at least experimenting with it wouldn't hurt much. With this thought in mind I gave myself a big GO AHEAD!