SSH tunnels and remote port forwarding

If you want you can skip the beginning blurb and go right to the recipe.

Every so often you face a tough problem then someone sayz to yuh, “Cliff, have you tried ssh tunnels?” (well that’s what they would say to you if you were me, and if you were me you would have a habit of making easy problems way tougher than they need to be while you make tough problems easy.) That’s what happened to me a loooong time ago… like around last month. Then I was chattin’ with the VP of technology about all things Maven and mobile related explaining how clever we were with our solution to on device testing when he suggested we try ssh tunneling. I read an article that day and got excited because it looked soo easy. Then I made a promise to our mobile dev team that I would prototype it over the weekend. Then I quietly forgot about it. Today the question came up again and I was like, “Oh crap! I never did try prototyping a solution to that problem!” I gave it a good hour of effort before getting stuck. It’s really not that difficult, and after leaving for the day, coming home and attacking it fresh I found that I only had one minor problem… I didn’t read the docs completely. (That’s how it goes when I see something cool. I jump in head first and complain because I always miss something simple and fundamental.) Silly babbling aside I present you the how to on what to do to get to your CPU thru EC2…
(or any other public remote web host)

1 Remote server running a flavor of ssh. (In my example I assume openSSH as it’s prevalent across many Linux distros.)
1 local computer that you desire to access also running a flavor of ssh (I’m using OS X in my example.)
2 Eggs slightly beaten whites removed.

1. Combine one additional parameter with the default sshd_config file under our server’s /etc/ssh folder. Use vi, nano, kate, gedit or a fancy command like the following.
echo "GatewayPorts yes" | sudo tee -a /etc/ssh/sshd_config
[For best results supply password when using the above crazy command.] The parameter name is GatewayPorts and the value should be yes to allow clients other than the server itself to tunnel into your local machine.

2. Execute one sshd restart command to allow the new parameter to be considered on the server. Eg.
sudo /etc/init.d/sshd restart   # the init script is named "ssh" on Debian and Ubuntu

3. Add -R [remote port]:localhost:[local port] to 1 1/2 cup of ssh command typing slow to avoid error. The remote port is the port number you wish to tunnel through on the remote machine while the local port is the port you want all traffic to be directed to on the local machine. Eg.
ssh me@myremotehost -R 80:localhost:9002
This can be used to forward all web server requests to a server app running on the crappy Compaq that you used to execute the ssh command.

That’s it! The net result would be a service running on your desktop/laptop/MacBook in your garage appearing as if it was running on the public remote web host. So then you point your browser to http://myremotehost and your home equipment gets all the traffic. The secret is the “GatewayPorts yes” property that must be set in the remote host’s /etc/ssh/sshd_config file. That secret value bypasses all common sense security allowing anybody on the internet to peek into your home located machine and access the pictures of you and the kids looking burnt up at Daytona Beach, FL.
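The recipe appends GatewayPorts yes to the end of sshd_config, but sshd uses the first value it reads for a keyword and treats every line after a Match line as part of that block, so the appended line is not always the one in effect. The check below is an added example, not code from the original post; the function names and the sample config are made up for illustration, and it assumes the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# effective_gatewayports [FILE]
# Print the GatewayPorts value sshd applies globally: the first uncommented
# occurrence before any Match block, or the default "no" when there is none.
effective_gatewayports() {
    awk '
        $1 ~ /^#/ { next }                      # comment line
        { kw = tolower($1) }                    # keywords are case-insensitive
        kw == "match" { exit }                  # the rest is conditional
        kw == "gatewayports" { val = $2; exit } # first value wins
        END { print (val == "" ? "no" : val) }
    ' "$@"
}

# remote_bind_scope MODE SPEC
# Given the effective GatewayPorts MODE and an "ssh -R" SPEC, print where the
# listening socket on the remote host ends up: loopback, all-interfaces, or
# the address the client asked for. IPv6 bind addresses are not handled.
remote_bind_scope() {
    mode=$1 spec=$2
    case $mode in
        no)  echo loopback; return ;;          # forced to the server itself
        yes) echo all-interfaces; return ;;    # forced to the wildcard address
        clientspecified) ;;                    # the client chooses, see below
        *)   echo unknown; return 1 ;;
    esac
    case $spec in
        *:*:*:*) bind=${spec%%:*} ;;           # bind_address:port:host:hostport
        *)       echo loopback; return ;;      # no bind address was given
    esac
    case $bind in
        ''|'*')              echo all-interfaces ;;
        localhost|127.0.0.1) echo loopback ;;
        *)                   echo "$bind" ;;
    esac
}

# Constructed sample: a config that already sets the keyword and ends in a
# Match block, with the line from step 1 appended at the very end.
sample_config() {
cat <<'EOF'
Port 22
GatewayPorts no
Match User deploy
    AllowTcpForwarding no
GatewayPorts yes
EOF
}

gp=$(sample_config | effective_gatewayports)
echo "effective GatewayPorts: $gp"
echo "-R 80:localhost:9002 listens on: $(remote_bind_scope "$gp" 80:localhost:9002)"
```

Run effective_gatewayports against the real /etc/ssh/sshd_config after editing it and before restarting sshd. Port 80 in the post's example is a privileged port, so sshd only grants that forward to a root login on the remote host; a port above 1023 avoids that.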

Now why would you want to do that? There are all sorts of possibilities that arise when you start playing with tunnels. First off, they run through the security of secure shell, a robust tool that I’ve only begun to understand the capabilities of. (It seems like ssh can do everything from being a secure channel, to enabling sFTP, to being a mountable file system allowing Windows explorer like file browsing, to recording those 10:30am episodes of Judge Judy while you’re at work. Yes, ssh can do that too.) Tunnels work both ways, remote forwarding and local forwarding. If you were behind a firewall that allowed connections to remote ssh hosts but blocked some other port/protocol you could sidestep by doing something similar to the above but substituting the ‘-R’ with a ‘-L’ for a local forward. Then all the traffic sent to the machine you run the ssh command from would be forwarded to the remote host. It’s so simple! Setting up a tunnel is a matter of specifying the port you want to forward from and the port you want to forward to! Use your imagination, and happy port forwarding!

Use ALSA for OSX Sounds

A follow up to a much earlier post: using the same idea, I’ve modified my old command line shell script to handle .m4a and partially .aif files. The catalyst was my neighbor on the other side of my cube wall. He got tired of hearing my Kopete blips and I’ll admit they do sound annoying. So now I opted for the much softer TokyoTrainStationAdiumSoundset from Apple’s adium IM client. Pulling these sounds over was the fun part. Using Konqueror, I drill into my Mac with the “fish://” protocol and navigate to /Applications/Internet/ where all of my Adium sound sets await, eager to invade my hungry little ear drums. I copy them to a folder locally. (Alternatively I could have opened the Adium application bundle in Finder by command tapping or right clicking or two-finger tapping and choosing “Show Bundle Contents”. I could then use MacFuse/MacFusion which is always broken after a run of Mac Janitor and mount my Linux box to push the files over.) I then dump my earlier shell script somewhere in my path (I named it alsa-play this time) and use it to configure Pidgin. (The same will work with Kopete though I’m using Pidgin now because Kopete has been acting very funny. The big problem is that Kopete refuses to communicate with my buddy’s WinXP install of Pidgin… so many variables, so little time to chase them all!) I apt-get install faad which is a command line tool for decoding Apple audio files. Here’s the painful part, figuring out which command line parameters to pass to both faad and aplay. (aplay is the command line tool for jamming audio 1s and 0s into your sound card which, in turn, shoves these 1s and 0s down the thin black cable connected to your speakers which eventually convert the numbers into sound by rattling those pricey paper cones located inside their towers. It’s amazing how much I’ve learned about audio… can you tell how much I love the study of sound?)
After various iterations of producing garbled nonsense from failed commands I learned that I was missing an “-f cd” flag on aplay. Who would have known? I’m not even sure I remember what the flag means. Here’s the finished script. (Remember it assumes you have faad, oggdec, and mpg123 installed for conversion purposes.)

#!/bin/sh
# Play a sound file through ALSA, picking the decoder by file extension.
case "$1" in

   *.m4a|*.aac|*.aif) faad -w -q "$1" | aplay -q -t wav -f cd ;;

   *.ogg) oggdec -Q -o - "$1" | aplay -q & ;;

   *.wav|*.voc|*.au|*.raw) aplay -q "$1" & ;;

   *.mp3) mpg321 -o alsa "$1" & ;;

   *) echo "unsupported file type $1" ;;
esac

Broken screen resolutions in Mepis 7

It’s been a while since I’ve been entrenched in Linux. I used to know this stuff like I know karate. (I took all of two months of Taekwondo which were Tuesday and Thursday evening courses back in the 6th grade.) There was a time I could dcop from KMenu through Amarok and generate Growl-like messages when new apps were installed. Now it feels like a struggle. Today I figured out how to fix my screen resolution in my recent Mepis 7 install. There’s a page on the wiki I used as a guide. For whatever the reason my resolution was too low in Twin View mode after installing the NVidia driver (2048×768 combined resolution) leading to some huge fonts that I couldn’t understand and other oddities. The fix was as simple as adjusting the MetaModes in my xorg.conf file. The meta modes is what seems to control the available resolutions in the twin view display settings. Also, if you’re gamma-configuring inclined you may wish to apt-get install the nvidia-settings program to fine tune things like Open-GL and other egg head parameters that I’ll only learn about two years from now when I’m stuck on the toilet looking for reading material and decide to pull out the mobile and do some web browsing finally noticing only few sites look good on the 8830 Wikipedia being one and JoelOnSoftware the other.

KDE Katapult Tip

I’ve done this before, all of it. Everything I’ve done to my new Mepis box is a repeat of two years ago but a lot of it I can’t remember… too hazy. That’s why the blog posts.

Today’s tip involves Katapult. I fell in love with it because of the way it lists my album art as I incrementally search my music selection. I used to rate it above anything on the Mac until I actually tried a Mac. (Silly me, right!) After having been exposed to QuickSilver for a while (and to that extent even Launchy has a thing or two on Katapult!) I miss the ability to re-index my catalog. What that means is being able to see the things right after you install them. Quicksilver (and I think even Launchy) does this automatically on an interval and gives you the option of manually starting a re indexing. Katapult, sadly, only indexes on startup. So I have this one line bash command that you can stick in your KDE menu (so Katapult can see it) that will force a rebuild of the index.

dcop katapult MainApplication-Interface quit; katapult

It restarts Katapult and if you put it in your KDE menu (and stick the Katapult icon on it all nice and cute like) just as I did then you can invoke katapult, right after you do something like install Pidgin, or Groovy, then restart and the next time you bring up Katapult your new install will be there.

Creative Sound Blaster X Fi on Ubuntu Hardy

I got a lot to say but no time to say it. For now just know that I’m back on Linux and fighting with audio incompatibility. It sux because most everything else works on my fresh new Mint Linux (that’s right I’m on Mint now, not Mepis, not Kubuntu…) install. For what it’s worth I think my answers may be here. If you have a Creative Sound Blaster X Fi card and are considering installing the latest version of Mepis, (K)Ubuntu, or Mint, look at this guide:

There’s a blurb about SLAB vs. SLUB don’t ask me what it means just follow along. I’m going to try this myself in another day or so.

DSL installs in minutes

I was falling off. Not able to find the right wizardry to dynamically figure out the home folder of the current executing script. (FWIW use `dirname $0`) Not able to substring a string. Losing familiarity with regex. Seeing “grep” as a typo for grab. I couldn’t even figure out how to install Icewm! Now I’m starting to get over all of that. I’m also noticing my hit counter slowly increase from 20 (the neighborhood kids and that funny looking guy at the supermarket) to an average of 23! (I believe that funny looking guy told a couple of his co-workers about me.) I know why my stats have been so low. It’s because I ain’t been talking about nothing productive. All that’s going to change. I’m going to get back in the Groove with Groovy and link up with Linux. Best of all I’ll bring all of the wholesome goodness of DSL dynamicism and hidden config properties back to the forefront of these pages. That coupled with my eventual foray into Objective C for iPhones and Applescripting will hopefully make the above address worth bookmarking.

Starting today I wanna talk about DSL. There are a few ways to interpret DSL. Digital Subscriber Line, Domain Specific Language are common expansions. Using them in the below text would lead to loss of context. It would spur an overconfident feeling of familiarity. It would inspire the usual geek eggheadedness that results in comments that address questions that were never asked and oppose arguments that were never originated. Simply put, it would confuse the batcrap out of you. The DSL I’m referring to is Demi-Sized Linux or better known by its street name Damn Small Linux. It’s called Damn Small because it’s damn small! Weighing in at under 50MB small enough to fit on a USB stick from four years ago, and powerful enough to launch Firefox and browse the far corners of YouTube it’s a quite interesting collection of ones and zeros. I’m using it to power these old PCs that I’m fixing up for a local community center. Let me tell you about these machines. They were all donated from various sources (banks, schools, construction plants, etc.) and most of them have between 64 and 128MB of RAM, barely PII class processors with these tiny 2GB hard drives. Some of them don’t boot and when they do they run the old Win98 scan disk which flags half of the hard drive as dead. I’ve run through about 4 or 5 different distros trying to find one that’ll work for such a task. Starting with Xubuntu because the Ubuntu project is soo off the rails hype and working my way past Mepis, I eventually weeded my selection down to Puppy and DSL. These are the two most popular mini distros and if you’re looking to revitalize a low end box or if you just want something you can sport on your key chain most people look to one of these. Puppy looks much more visually appealing with the little doggy and I managed to get it to load and partly install on one box with a bum hard drive. The others, Xubuntu, Mepis, Knoppix, etc. wouldn’t get past the splash screen.
I started using DSL because no matter how crappy the hardware was it always, always booted up. And it boots in about a minute or less.

So now I got this one box I’ve been really working hard on. I pulled the thing apart, and managed to replace the hard drive with an old Maxtor I had sitting in a desk for about a decade. I started to boot Puppy but opted for DSL. You know what? Within 10 minutes I not only had the thing booted, I had a fresh reboot with a working hard drive install of DSL. Try that with any Windows CD! Try that with any operating system!!! I’ve had similar experiences installing other Linux distros like Mepis and Mint but DSL really takes the cake… and eats the cake. I just thought I’d share my tale with anyone else out there who may be looking to rebuild an old box or something like that.

Losing the Linux touch

I thought I was picking Linux up rather quickly at my last job. Alas, since I’ve started working here, at the leading Mapping provider, I’ve been far removed from the Penguin. I find myself struggling with the simplest things, like how to extract a tar.gz from the command line. I special requested a Linux machine which sits on the corner of my desk unused since my hire date. I just haven’t had the time to get back into it. I feel sooo dirty. So shameful! Not only have I neglected GSpec (by the way, y’all check out EasyB) I’ve turned away from Linux. I’m not the same guy I used to be. The other day I spent an hour trying to figure out how to evaluate the parent folder of the current executing script in bash. I still don’t have it. This is a problem I encountered long ago. I found the solution. I just can’t remember what it was! Linux is a lot unlike learning to ride a bike. Y’know how once you learn how to balance on two wheels you never forget? Well Linux is the exact opposite of that. It’s one of those things where if you cheat and go back to Windows or some other GUI you have to re-learn everything you knew or thought you knew on Linux. At home I’ve been struggling with DSL. I could barely get Synaptic installed. And after that I installed IceWM but couldn’t figure out how to launch it. It’s getting real bad. If I had the time I’d change the header picture on this blog and remove the Linux background part. I wouldn’t even replace it with OS X because I’ve just been feeling very under-confident lately. It’s like I know where to look, I have a rough idea of how to do things but getting things done has become way more involved than it used to be. I used to have a solution in a few mouse clicks. A command or two. A quick Google search. Nowadays, I can’t query my way out of a parked car. I’m losing it y’all! Help!!!

My empire for an INSERT KEY!!!

I had almost gotten over my loss of an insert key when I switched to OS X. While Windows/Idea works magic all over with Alt+Insert Ctrl+N seemed to fit the bill on the Mac. Several months went by with my only feeling occasionally bothered by no insert key. Sometimes I needed block copy while running Idea over a remote windows session. A quick trip to the edit menu was only mildly painful during these times. Today… today I’m trying to push a Tomcat bundle to a remote Linux server with no UI. I get the bundle over there and decide to disable the Tomcat manager in conf/tomcat-users.xml. I pull up vi because it’s the only Linux text editor I’ve taken any serious time to somewhat learn. (By that I mean I know how to insert characters, quit, and quit while writing changes to disk, nothing more.) Ah… a remote vi session from iTerm on my Mac, how nice! Now let’s change the document and… hey!!! WTF???!! How do I get into insert mode???!!!

Set the $PATH for the Run (Alt+F2) Dialog

Here’s another gem for Linux Hacks that’s bugged me far too long. We start with a story. You’re new to Linux. (Maybe you aren’t but just pretend you are.) You start playing with some bash scripts eventually accumulating a collection of little knick-knacks and doo-hickeys. They’re living in a folder titled “scripts” in some odd location under your home folder. (Maybe under Documents or something.) You know those brilliant ideas you spend hours on in the beginning only to find out there was already a bash command or combination that does the same thing but you still use your homemade utility because it was sooo cool to write and you spent so much time and effort and you have to justify the time somehow so why not eat your own dog food even if it literally looks, tastes, and smells like Purina. Yeah those kind of scripts! After a while your scripts grow up and start doing big boy things like opening little dialogs or starting the beanshell gui in a certain directory with a preset classpath, or sending DCOP commands to your music player or whatever. You want to run them other places instead of from the command line. You’ve read some quick start bash tutorials and discovered that any command you add to your $PATH can be run without specifying its absolute folder location. You also learned about the magic files ~/.profile, ~/.bash_profile, and ~/.bashrc that are read by the bash interpreter when you start a session. Maybe you came from Windows XP or Win2000 and you draw a parallel between these magic files and the system environment settings under “My Computer -> properties -> Advanced Settings”. Whatever the case you have the understanding that editing one or all of these files and setting the PATH variable accordingly will result in the desired behavior allowing you to run your commands directly from your desktop’s run dialog. (In KDE, Gnome, and I believe XFCE the run dialog is typically enchanted by summoning the Alt+F2 key sequence.)
After setting your PATH and closing/re-opening your konsole, err command shell you are content to see the environment has been set to your liking. You later attempt to open your run dialog and directly enter your command which results in a round of random profanity and swearing. It doesn’t work!

Get to the point! How do we fix it???
I can’t jump right into the sauce without giving the background of what’s wrong. I’m not the brightest man in the world but I’m going to explain things to the best of my knowledge. The problem of your desktop (Gnome gdm, KDE kdm) not picking up your PATH settings in your home profile scripts stems from the fact that your desktop has not been run as a login shell. To understand a little better put the following command in your ~/.bash_profile:
If fortune is unfortunately not installed on your system run “apt-get install fortunes” (or “apt-get install fortune” I can’t remember which one.) If you don’t “get” apt-get (some of you may be running Gentoo based or Suse with Yast) just look in your package manager for the fortune program. Try not to make this another project. Worst case use the following command instead:
echo "Your fortune: People who live in glass house should not throw stones. Throwing parties is an acceptable alternative." > ~/fortune
Now login to your system from the command line using “su <your_user_account>” You should not see anything different than usual. Now exit that shell and login again but this time with the magic dash ‘-‘ after the su command: “su - <your_user_account>” You should see your fortune echoed back to you. (If you’re running the Beryl desktop then flip the command shell around to the back and read me your lucky lotto numbers!) The dash character makes your new shell a login shell. In other words your .bash_profile is sourced on startup. That’s what’s missing by default in the window managers on many Linux distributions. To correct the problem we must make the window manager a login shell. (I’m not sure of the consequences of such change. If there are side effects please let me know because I’m just as new to things as most people.) On my Mepis-6.5 system I navigate into my /etc/kde3/kdm/Xsession file and make my adjustment at the top. Originally it has the typical she-bang:
I introduce the login parameter:
#!/bin/sh -l
For those who don’t know, the she-bang is the standard prelude to a bash script. It is the 1st line of the file that the system reads which tells it which interpreter to use to process the file. It’s like a mini command line for running the source file and it can be parameterized like any typical command line. Appending the -l (or --login) parameter to the /bin/sh command tells the system to use a login shell. That’s all there is to it. Restarting X (logging out from the run menu and hitting Ctrl+Alt+Backspace from the login screen) will then load my window manager with the settings from my ~/.bash_profile or ~/.bashrc files. To double check I open the run dialog, key the following command “echo $PATH”, hit the advanced button, set it to run the command in a console, and execute.

The tricky part is knowing which file to edit for your particular system. You might get away with editing /etc/X11/Xsession or you might need to find the Xsession that is executed, for example, under a Gnome based system. An alternative approach in KDE is to put a bash script in the env folder under ~/.kde. Scripts here get sourced on KDE startup and are much safer than editing files under /etc. That’s the tip for today. Show your love in the square below…

KDE, KMenu and Katapult

Today’s entry in Linux Hacks involves a little issue I’ve been having in KDE. You see I sometimes need to add entries to my KMenu (the Linux/KDE equivalent to the Windows Start menu) but here’s the interesting thing. I never use my KMenu directly. Have you heard of Katapult? Me neither until my OSX obsessed buddy introduced me to some spotlight search thing on his Mac and we went a strolling looking for a Linux equivalent. Katapult is a cool way to interact with your system, it combines the Alt+F2 run dialog (also available in Windows via the WinKey+R sequence) with a Google Desktop Search allowing you to incrementally search your Run or K menu and launch whatever it has in it. The real cool thing is how it searches other areas too. If you have a huge collection of MP3 files on your desktop and you run Amarok along side Katapult then key Alt+Space and start typing the name of one of your favorite artists or songs. (Make sure it’s one that has album art downloaded and make sure you’re running the latest version of KDE/Katapult for the full effect!)

Anyway that’s not why I’ve summoned you here today. I wanted to explain what a pain it is to add stuff to Katapult’s catalog. Here’s the thing. Katapult scans the K Menu on start up and then lives life believing it knows everything. Have you ever dealt with a hard headed individual where no matter how hard you try to tell them, “Bro, your fly is unzipped!” they go on to ignore you? Well that’s kinda how Katapult behaves. You add entries to your KMenu and no matter what Katapult won’t listen. I recently added an entry for GroovyConsole complete with a png of the Groovy logo. I bring up Katapult (on my system it’s mapped to the Win+R key) and type g-r-o-o-v-y and it bypasses an image of a spooky looking ghost (I have an entry for GV, what the heck is that?) and then gives up looking. Long story short, Katapult will not include any entries added to the KMenu after it starts. You have to kill Katapult and restart it to refresh its catalog. The first 462 times I encountered this problem I didn’t even know how to kill katapult. I mean I didn’t know its process name and I was running a version of Kubuntu that hid its tray icon by default.

Katapult Quick Fix
The answer ladies and gentlemen (do any ladies even read my blog?) is to include an easy way to refresh Katapult. The refresh involves two commands that must be run from the command line:
killall -9 katapult
katapult

They can be glued together on one line with a semi colon, “killall -9 katapult; katapult”. You can then add, guess what? A KMenu entry to refresh Katapult using the super-glue enabled two command sequence. I associated that with the Katapult icon and a title, “Refresh Katapult”. Then when I manually restarted Katapult I was able to find the refresh option by typing Win+R-r-e and voila! Now when I add entries to the KMenu or install apps via synaptic I can easily refresh Katapult and then locate the new app as if it were always there.