Skip to content

SSHd chroot and PAM

Gentoo

SSH with chroot patch has been working fine for a number of years. Since PAM v0.99 things have broken though, if users are chrooted with the "/home/username/./" syntax as their homedir.

SSH sessions will just terminate immediately after successful logon. Doh.

Two solutions exist:

  1. Put UsePAM no into /etc/ssh/sshd_config and use the chroot patch and /./ in users homedirs
  2. Keep UsePAM yes. Emerge sys-auth/pam_chroot and add session required pam_chroot.so to /etc/pamd.d/sshd setup /etc/security/chroot.conf or add a chroot_dir=/home/username/ to the pam_chroot.so line.
    This will currently not work for amd64 though as the Gentoo bug regarding pam_chroot has not cought any attention from the arch testers. Since July...

Bugging the arch testers in #Gentoo-amd64 didn't help either:

Continue reading "SSHd chroot and PAM"

Wikimedia Fundraiser Webpage now cuts off at the last 10.000 donations

Other

The Wikimedia Foundation has changed their donation web pages again. Now they cut off the "Recent contributions" at 400 pages of (max.) 25 donors each. Thus the commands I gave in the Wikimedia Fundraiser analysis article can't be repeated to give the full picture anymore. You can now only get a view of the last 9-10 days.

The implementation has obviously been done quite hastily. If you select the "Filter" to show only one page of results, you'll still get the (now hard-coded) 0 .. 400 pages selector at the bottom.

I've been pointed at two other resources on the recent fund raiser for information:

Updates

09.11.07: Casey Abell has added http://donate.wikimedia.org/en/node/22 to the comments which lists a daily report of the funds collected. Thanks Casey! The numbers match very well with my analysis. Wikimedia currently reports $27,97 average donation. I measured $27,85 six days ago. That seems stable. Interim conclusion:There are still major individual donations required to get anywhere above $2m.

10.11.07: Casey generates a nice graph of the daily funds collected here.


Wikimedia Fundraiser Analysis

Other

The Wikimedia Foundation, the organisation behind Wikipedia, is running their annual fund raiser since October 22nd. There have been numerous complaints that the Wikimedia Foundation did not name a target sum to be achieved or is in other way acting intransparent. There may be good reasons for that:

  • The last fund raiser was "tough" to get through already and raised about one million dollars with $20 average contribution as to what Bruno Giussani reported from Lift '07.
  • The foundation grew from $56,666 turn-over in it's fiscal year 2003/2004 to $283,487 (2004/2005) and $1,066,785 (2005/2006). The 2006/2007 figures are still not reported, but it's safe to estimate that the 4x increase of the previous year has slowed down a bit.(see Updates section below) See http://wikimediafoundation.org/wiki/Finance_report for the scarce details.
  • The budget planning for fiscal year 2007/2008 totals $4.611m. The break-down is very rough and little effort is spent to explain the figures to the general public.
  • The suggested donations have been set high at $200 to $40 with marketdroid speak to sell that:
    "If you and 99 other people donate .. $200 – We can ...".
  • It's not very likely a target in the range of the planned budget can be achieved from Joe, Dick and Harry's contributions. Wikimedia may need Larry, Sergey or Mark here. (I'll leave that without links for you to think about :-))

So - to make the best of this - and continue being unnecessarily intransparent, Wikimedia (cough Jimmy Wales, cough) has decided to only list the number of donors as the "progress report".

Their "meter" currently looks like this:

Wikimedia fund raising meter as displayed 03.11.07 around 22:00

You can easily analyse the scale to find that Wikimedia hopes 100.000 people will contribute.

Continue reading "Wikimedia Fundraiser Analysis"

Multiple Apache VHosts on the same IP and port

Apache

I just learned yesterday again, what I knew a few years ago, but since had forgotten:

You cannot put multiple SSL-enabled virtual Apache hosts onto the same IP and port.

Apache cannot identify which VirtualHost to serve a request from because the payload is encrypted in its entirety. So a

Host: servertwo.tld

header cannot be parsed until the encryption has been removed. Which requires the key, which is listed in the VHost section that could not be identified in the first place... So a name-based VirtualHost-configuration like this won't work:

  1. Listen 443
  2. NameVirtualHost *:443
  3. <virtualhost>
  4.    SSLEngine On
  5.    ServerName serverone.tld:443
  6.    SSLCertificateFile /etc/apache2/ssl/serverone.crt
  7.    SSLCertificateKeyFile /etc/apache2/ssl/serverone.key
  8.    [...]
  9. </virtualhost>
  10. <virtualhost>
  11.    SSLEngine On
  12.    ServerName servertwo.tld:443
  13.    SSLCertificateFile /etc/apache2/ssl/servertwo.crt
  14.    SSLCertificateKeyFile /etc/apache2/ssl/servertwo.key
  15.    [...]
  16. </virtualhost>

It will just serve any request out of the first VirtualHost (serverone.tld) regardless of the hostname in the request headers.

There is some light at the end of this tunnel though: RFC4366 describes an optional field to the TLS (Transport Layer Security) client request called "Server Name Indication" (SNI). With this the client just includes a list of ServerNames (usually one) that it's trying to contact. Apache can easily match the supplied name from the client against a ServerName (or ServerAlias) directive from it's configuration files.

SNI will be supported with OpenSSL v0.9.9 in mod_ssl. Sometime in the future. There is a backport to v0.9.8 available from Steven Henson linked here. Or you can use mod_gnutls as described by George Notaras in a recent blog entry.

In either cases the above configuration snippet will "just work" once SNI is understood by Apache.

Currently Internet Explorer 7 (on Vista only, wanna upgrade :-)), Mozilla Firefox 2+, Opera 7.6+, KDE Konqueror 3.5+ support sending the SNI. You can test your browser at Kaspar Brand's SNI testpage. He also has a patch available to make Apache 2.2 mod_ssl SNI capable when compiled against a CVS-version of OpenSSL.

I'm rather sure that spreading SNI capable hosts will also provide new hacking opportunities: Let's assume a system serves both Intranet and Internet traffic. A client contacts the Internet IP with SSL but specifies the Intranet Hostname in it's TLS SNI entry. Guess what will happen? Yup.

Update

02.09.2009: Gee, after two years people still read this blog entry. So I'll point you to a few updates. 2009 is not 2007 :-) SNI has made some slow progress since the original article. But major steps forward only came this summer: Apache has official support for SNI since 2.2.12 (tracking bug). Gentoo has been early to support SNI and Tobias Scheerbaum has written a blog entry on Apache, SSL und SNI in Gentoo (in German) summarizing how it works out of the box. Support for SNI has also been added to Debian (tracking bug) but for now the default config files don't reflect SNI capability yet. Ubuntu will see SNI in Karmic Koala, the release scheduled for next month i.e. "9.10" (tracking bug). Fedora has a SNI enabled Apache from httpd-2.2.13-1.fc11 onwards (tracking bug). Tobias also states that SP3 for Windows XP enables IE6 to send the SNI (SP2 is not sufficient).