ssh-add tricks


From spike (https://stuff-things.net/2016/02/11/stupid-ssh-add-tricks/)

Listing

You can list the currently loaded keys with -l and -L. The former displays the keys’ fingerprints while the latter displays the entire public key. Both list the path of the file the key came from, which is the only way I recognize them.

Deleting

ssh-add -d file removes the key in that file from the agent. ssh-add -D clears out all keys, taking you back to square one.

Locking

You can simply run ssh-add -D to remove all of your keys from the Agent, but then you have to go through the trouble of adding them back. However, if you just want to step away and make sure your keys are protected, you can use ssh-add -x:

% ssh-add -x
Enter lock password:
Again:
Agent locked.

The Agent still has your keys, but won’t allow them to be used until unlocked with ssh-add -X:

% ssh-add -X
Enter lock password:
Agent unlocked.

Expiring

Instead of locking your keys, you can set an auto-expiry with -t after which the key will automatically be deleted from the agent:

% ssh-add -t 60 ~/.ssh/random_rsa
Enter passphrase for /Users/spike/.ssh/random_rsa:
Identity added: /Users/spike/.ssh/random_rsa (/Users/spike/.ssh/random_rsa)
Lifetime set to 60 seconds
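The listing, lifetime and deletion commands above, exercised end to end against a throwaway agent and a throwaway key so nothing touches your real agent or ~/.ssh. This is an added example, not code from spike's post; the function names, the scratch key path under mktemp and the 60-second lifetime are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): exercise ssh-add -l/-L, -t and -d
# against a private agent and an unencrypted demo key, then tear both down.
set -eu

# Number of identities currently loaded in the agent. When it is empty,
# ssh-add -l prints "The agent has no identities." to stderr and exits 1,
# so stdout carries no fingerprint lines and the count is 0.
count_loaded_keys() {
    ssh-add -l 2>/dev/null | grep -c ':' || true
}

# Show what is loaded: fingerprints with -l, full public keys with -L.
show_loaded_keys() {
    echo "== fingerprints (ssh-add -l) ==" >&2
    ssh-add -l >&2 || true
    echo "== public keys (ssh-add -L) ==" >&2
    ssh-add -L >&2 || true
}

# Start a private agent, generate a demo key, add it with a 60-second
# lifetime, delete it again, and report the key count after each step.
agent_key_lifecycle_demo() {
    workdir=$(mktemp -d)
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK and SSH_AGENT_PID

    # Demo key only: -N '' gives it no passphrase so the run is non-interactive.
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$workdir/demo_ed25519"

    ssh-add -t 60 "$workdir/demo_ed25519"   # prints "Lifetime set to 60 seconds"
    after_add=$(count_loaded_keys)
    show_loaded_keys

    ssh-add -d "$workdir/demo_ed25519"      # -d reads demo_ed25519.pub next to it
    after_delete=$(count_loaded_keys)

    ssh-agent -k >/dev/null                 # stop the private agent
    rm -rf "$workdir"
    echo "$after_add $after_delete"         # -> "1 0"
}

# Run the demo only when the OpenSSH client tools are installed.
if command -v ssh-agent >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    agent_key_lifecycle_demo
fi
```

The lock and unlock commands (-x and -X) are deliberately left out: they read the lock password from the terminal, so they cannot be driven from a script without an askpass helper.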

OS X Specific

On OS X ssh-add is integrated with the system keychain. If you give the -K option, as in ssh-add -K, when you add a key, that key’s password will be added to the keychain. As long as your keychain is unlocked, a key that has been stored in this way doesn’t require a password to be loaded into the agent.

All keys with their password stored in the keychain will automatically be loaded when you run ssh-add -A. This happens automatically on login.

I have mixed feelings about this feature: preloading your keys makes life easier, but it does remove a layer of security. If someone accesses your Mac, they get your keys. On the other hand, they probably get a lot of other things too. Typically, I take the lazy approach for everyday keys and keep the high-security ones out of the keychain.

When a password has been stored in the keychain, ssh-add -K -d key-file both removes the key from the agent and removes its password from the keychain. Without -K, -d does not change the keychain and the key can be reloaded without a password. -D silently ignores -K.

There you have it: a pretty small but surprisingly helpful set of features you now have in your bag of tricks.

Setup public key ssh login and troubleshooting

Short note on how to set up ssh to log in without a password

Generate and copy key

ssh-keygen -t rsa

Copy key

ssh username@remotehost mkdir -p .ssh
cat .ssh/id_rsa.pub | ssh username@remotehost 'cat >> .ssh/authorized_keys'

Try logging in!

If that doesn’t work

Some hosts need proper permissions and a second file, authorized_keys2

At the remote host

chmod 700 .ssh
cd .ssh
cp authorized_keys authorized_keys2
chmod 600 authorized_keys
chmod 600 authorized_keys2

sshd settings may need to be modified

At the remote host

cd /etc/ssh
sudo vi sshd_config

Find the AuthorizedKeysFile line and uncomment it (or add it if it doesn’t exist)

AuthorizedKeysFile %h/.ssh/authorized_keys

Save the file and restart sshd with

sudo service sshd restart

Further troubleshooting

Start a second instance of sshd on the remote machine with debug output on the console so you can diagnose:

/usr/sbin/sshd -d -p 2222

On your machine, do

ssh -p 2222 username@remotehost

Look for Authentication refused: in the output; it should contain the reason your connection fails.
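The "Copy key", "If that doesn’t work" and troubleshooting steps above, as one added script (not part of the original note): it installs a public key into authorized_keys the way the cat/ssh pipeline does but idempotently, enforces the 700/600 modes sshd expects under StrictModes, and checks for the group- or world-writable state that produces the "Authentication refused: bad ownership or modes" line in sshd -d output. The function names, the scratch directory under mktemp, the sample key material and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original note: idempotent authorized_keys
# install plus the mode check behind sshd's "Authentication refused" message.
set -eu

# True when group or others can write the path; sshd (StrictModes yes)
# refuses key auth when ~/.ssh or authorized_keys is in that state.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Report every loosely writable path among the .ssh directory and its
# authorized_keys files; returns 1 if anything needs fixing.
check_ssh_dir_modes() {
    dir=$1
    status=0
    for p in "$dir" "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -e "$p" ] || continue
        if is_loosely_writable "$p"; then
            echo "bad modes: $p is group- or world-writable" >&2
            status=1
        fi
    done
    return $status
}

# Append the key in $1 (a .pub file) to $2/authorized_keys unless the same
# key material is already present, and enforce 700 on the directory and 600
# on the file. Prints the resulting line count of authorized_keys.
install_authorized_key() {
    pub=$1
    dir=$2
    keys=$dir/authorized_keys
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keys"
    chmod 600 "$keys"
    material=$(awk '{print $2}' "$pub")   # field 2 is the base64 key material
    if ! awk -v m="$material" '$2 == m {found=1} END {exit !found}' "$keys"; then
        cat "$pub" >> "$keys"
    fi
    awk 'END {print NR}' "$keys"
}

# Pull the reason out of the line sshd -d prints when it rejects a key.
sshd_refusal_reason() {
    sed -n 's/^Authentication refused: //p' | head -n 1
}

# Constructed sample of sshd -d output for a .ssh directory with bad modes.
SAMPLE_SSHD_LOG='debug1: trying public key file /home/alice/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/alice/.ssh'

# Walk through the whole procedure in a scratch directory.
authorized_keys_demo() {
    tmp=$(mktemp -d)
    # Constructed sample public key; the key material is not a real key.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyMaterial000000 demo@example\n' \
        > "$tmp/demo.pub"
    mkdir -p "$tmp/.ssh"
    chmod 775 "$tmp/.ssh"                        # group-writable: the classic mistake
    before=0
    check_ssh_dir_modes "$tmp/.ssh" || before=1  # expect 1: flagged

    install_authorized_key "$tmp/demo.pub" "$tmp/.ssh" >/dev/null
    lines=$(install_authorized_key "$tmp/demo.pub" "$tmp/.ssh")   # second run adds nothing
    after=0
    check_ssh_dir_modes "$tmp/.ssh" || after=1   # expect 0: fixed

    rm -rf "$tmp"
    echo "$before $lines $after"                 # -> "1 1 0"
}

authorized_keys_demo
printf '%s\n' "$SAMPLE_SSHD_LOG" | sshd_refusal_reason
```

On the real remote host you would run check_ssh_dir_modes against ~/.ssh before touching sshd_config at all; a bad mode on the home directory itself is rejected by sshd for the same reason, so extend the path list if the home directory is shared or unusually permissive.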

Installing subversion support for Eclipse on Linux

You have two choices: subversive (belongs to the Eclipse project) or subclipse (hosted on tigris.org).

Even though Subversive is the more ‘official’ option, I find it prohibitively confusing to install. You have to go to an external site (Polarion) and download a bunch of stuff without being told what. It took me 2 hours fiddling back and forth between the Eclipse site and the Polarion site only to install the wrong stuff. Highly not recommended! Agrh!

I had a better start with subclipse. The single URL from their site worked perfectly with Eclipse’s ‘Install New Software’ dialog. Better still, you don’t really need to install JavaHL (which is also ridiculously hard to install); you can use the SVNKit package in the same repository and everything will work.

To install subclipse, go here


For those of you who prefer JavaHL, here is how to install JavaHL on Fedora 16. JavaHL is another middle layer required between any Eclipse plugin and SVN (I don’t know why things are so complicated when it comes to development on Linux). Most of the sites on the internet recommend installing it with

sudo apt-get install libsvn-java

But there is no such package on Fedora, so I tried to use Add/Remove Software and searched for various parts of the name. I finally found it when searching for ‘JavaHL’; the correct package name is

subversion-javahl

Documentation and tutorials are another thing the Linux community didn’t do well!

Building WS4D-gSOAP on Linux

WS4D-gSOAP is a framework that assists development of web services on multiple platforms. These include mobile phones, servers, computers and embedded systems.

WS4D Features

WS4D can run as a standalone application or on top of a server and has been used in many commercial products. Despite being the most prominent framework for embedded-system SOAP services, WS4D seems to be lagging behind in version support and documentation. Namely, you cannot build the latest version of WS4D-gSOAP with the latest version of gSOAP, even though both frameworks’ last versions were released one or two years ago. Development doesn’t seem to be active, and neither is the community. Finding help is a big hassle!

So, this post outlines some problems I encountered while working with the framework and how to solve them, hoping that the next follower won’t have as much trouble starting in a new environment.

Terminology

It seems that the WS4D documentation assumes that you have a certain level of understanding of Unix-based build systems and cross-platform work. You cannot find definitions for several of the new terms used in the documentation, so the docs may be quite confusing and intimidating for new users. I find these words particularly weird:

  • In-source build: The binaries will be generated inside the same directory as the source. This has the advantage of simplifying the make files as you don’t have to link and copy libraries over, but the directory may look extremely messy.
  • Out-of-source build: Separate source and binary directories. This is the configuration used by the WS4D tutorial and code. The sample make file in the tutorial already does the hard work and creates the most common directories used in almost all WS4D projects.
  • Cross-compile (and cross-compilation): This means that instead of compiling only one binary to use on your development platform, it will compile another binary for another platform. What you do with this second binary is up to you: you can push it to the device or run it in a simulator, but cmake’s job in this case is only generating the binary file for you.
  • Tool-chain: A compiler and linker set for a specific device or platform. Cross-compiling uses two or more tool-chains to generate two or more executables.

Proper version

The documentation for WS4D is a bit disorganized, so it may not be apparent to first-time readers that you must compile WS4D with specific versions of gSOAP; doing otherwise will lead to make errors and build headaches. It is mentioned on the Features page (which is not visible from the first page of the documentation). I was reading only the installation instructions and tutorial when I started to build the system, so I missed this important fact! How should I know that Getting Started is not a good place to get started?

gSOAP version   ws4d-gsoap 0.7.x    ws4d-gsoap 0.8.x       ws4d-gsoap trunk
gSOAP 2.8.0     Not yet supported   Not yet supported      Not yet supported
gSOAP 2.7.17    Not yet supported   supported with patch   supported with patch
gSOAP 2.7.16    Not yet supported   supported with patch   supported with patch
gSOAP 2.7.15    Not yet supported   Not yet supported      Not yet supported
gSOAP 2.7.14    Not yet supported   Not yet supported      Not yet supported
gSOAP 2.7.13    supported           supported              supported
gSOAP 2.7.12    supported           supported              supported
gSOAP 2.7.11    supported           supported              supported
gSOAP 2.7.10    supported           supported              supported

So the latest version of the stack you can use is gSOAP 2.7.17 with WS4D-gSOAP 0.8. I don’t know why it is so complicated; maybe it is due to the fact that gSOAP 2.8 also implemented WS-Discovery (a feature overlap with WS4D), and the author didn’t have enough time to adjust WS4D-gSOAP to the new changes.

Build steps and permissions

Assuming you have decent Linux knowledge, you can use these steps inside the directory where WS4D-gSOAP was extracted to:

  1. ./configure
  2. ccmake .
  3. Edit path to gSOAP directory (the source you downloaded, do not ‘make install’ this)
  4. Press g to generate; there may be some warnings, ignore them
  5. Press c to configure
  6. make (I don’t know why this step is needed, but if you miss this step, the next step will result in various errors. This step will itself result in errors.)
  7. su -c 'make' - (You can’t use sudo; you have to use su with a trailing dash to load the root user’s environment. Root permission is required to install binaries to their proper locations.)

Web service for device (WS4D) and using make, cmake with Integrated Development Environments (IDEs) on Linux

WS4D-gSOAP is a framework to deploy web services on multiple environments (computers, embedded devices, phones…) without having to rewrite code. More introductory information can be found in this post. The downside of WS4D is that the build system is based on cmake, and it’s a bit complicated to use. I have since managed to successfully build the stack from source (there’s no binary distribution), but I ran into numerous problems while getting familiar with the stack, the main one being following the tutorial.

Even for such a simple task as copying and pasting code from the tutorial (the Air Conditioner tutorial), I did not succeed. The client and device don’t seem to be able to communicate with each other. Even though the tutorial has been kind enough to include logging code (send, receive and memory allocations), I’m still unable to figure out where the problem lies. That’s when I realized I was forced to debug the project. That leads to a big problem: what am I supposed to use to debug this?

So I tried to install Code Blocks, but it doesn’t support cmake projects; it couldn’t import the CMakeLists.txt. Then reading through several articles revealed Eclipse to be a pretty good gdb front-end. I installed it and successfully imported the project, but I was hit with several problems:

  • I couldn’t build the project: Eclipse’s project structure was make-based, not cmake-based, so trying to ‘make all’ or ‘make clean’ from Eclipse obviously generated errors.
  • Editing the code is an eyesore because Eclipse doesn’t seem to be able to recognize include and library directories even after I added them manually in the project properties.

After several more hours of analyzing the WS4D-gSOAP documentation (not really helpful; it only covers building and running from the command line), cmake (wiki page after wiki page with no structure between pages or within articles), and Eclipse’s and Code Blocks’ documentation on make projects, I finally realized the right way to do this: cmake supports generating make-based projects for both Code Blocks and Eclipse, and it’s as simple as this:
  1. Go to the directory where you would normally run cmake to build your project from the command line
  2. Perform

    cmake -G"Eclipse CDT4 - Unix Makefiles" -D CMAKE_BUILD_TYPE=Debug ../certi_src
    cmake . -G "CodeBlocks - Unix Makefiles"
  3. Import the generated project into the IDE:

    Eclipse: import the project directory
    Code Blocks: open the ProjectName.cbp file

You can now work with the project normally within your preferred IDE.