KDE and Qt programs look bad when in a different window manager

If you are using KDE or Qt programs but not in a full KDE session (specifically, you did not run “startkde”), then as of KDE 4.6.1 you will need to tell Qt how to find KDE’s styles (Oxygen, QtCurve, etc.).

KDE and Qt programs: look without oxygen theme with gnome look
KDE and Qt programs: look with oxygen theme

You just need to set the environment variable QT_PLUGIN_PATH. E.g. put

export QT_PLUGIN_PATH=$HOME/.kde4/lib/kde4/plugins/:/usr/lib/kde4/plugins/

into your /etc/profile (or ~/.profile if you do not have root access). qtconfig should then be able to find your kde styles and everything should look nice again!

Helper links:

KDE and Qt programs: qtconfig tool menu

How to securely activate SSH into your Synology DiskStation with SSH Keys and no root login

I like to have access to my private network at home, wherever I am, and for me the best choice is to have an SSH server available. I use it for privacy reasons, because I don’t want anyone to know what my email could be, which websites I visit, etc., as I explained a while ago in Jump over private corporate proxy with Firefox (or git, or any SOCKS ready app) through a SSH tunnel.

As I’ve shut down my own server to avoid the noise and power waste, gain some space, and stop worrying about hardware or connection failures, and I’ve recently purchased an advanced NAS (Synology DiskStation), I would like to explain how to securely activate SSH on it.

The Synology DiskStation supports both telnet and SSH, but you should never use telnet when dealing with passwords or when you don’t want to be spied on, as it is completely insecure.
Everyone should use SSH instead, as it is very secure and almost the standard option.

Synology DiskStation DS211

How to enable SSH and users to login

It’s easy to enable SSH on your DiskStation by going to Control Panel > Terminal and checking the box next to Enable SSH Service.
You can now log in with your root username and password. If you need to log in as any other user, you need to enable that user’s home and give the user a login shell.
To enable your users’ homes, go to Control Panel -> User -> User Home and enable the user home service there.
To let your users log in with a shell, you have to edit the file /etc/passwd. Here is an example with the common contents when you have 2 users, one with an enabled shell (/bin/sh), the other without:

How to enable SSH with SSH keys

But that’s not enough. Logging in with a username and password isn’t nearly as secure as requiring SSH keys. When you use password-based authentication, anyone can try to reach the port and use brute force to gain login credentials.
With public key authentication, you have a private key on your computer and a public key on the SSH server (the Synology DiskStation in this case). When someone tries to log in via SSH, the server looks at the public key and asks the client to prove it has the corresponding private key. No private key, no login.
NOTE: I’m assuming that you have already generated SSH keys. If you haven’t, you can easily find instructions on the Web.
The SSH daemon config file needed to allow access via keys differs from the original in:
Edit /etc/ssh/sshd_config using vi; I’ve highlighted the options changed to harden SSH in a shortened example:

Save the file and restart the SSH daemon. The easiest way is to use the web GUI: click on Control Panel -> Terminal, uncheck Enable SSH Service, apply, check it again, and press apply again.

Enabling your user public key in authorized_keys

Of course you have to copy your SSH public key into a file called authorized_keys inside the .ssh directory of your home directory. I would recommend being careful with permissions.
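A sketch of that step with the permissions handled, as an added example rather than the author's own commands: sshd's StrictModes check (on by default) refuses authorized_keys when the home directory, .ssh or the file itself is writable by group or others. The function names and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are passed as arguments.

# writable_by_others PATH: true if group or others may write to PATH.
# Columns 6 and 9 of the "ls -l" mode string are the g+w and o+w bits.
writable_by_others() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the key once, then sets the modes StrictModes expects.
install_pubkey() (
    home=$1 pub=$2
    # A public key file is a single line: "<type> <base64> [comment]".
    # A private key file has many lines and is rejected here.
    [ "$(grep -c . "$pub")" -eq 1 ] || {
        echo "expected exactly one key line in $pub" >&2; exit 2; }
    umask 077                                  # new files: owner-only
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Idempotent: add the key only if that exact line is not present yet.
    grep -qxF -e "$(cat "$pub")" "$home/.ssh/authorized_keys" ||
        cat "$pub" >> "$home/.ssh/authorized_keys"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # Verify the whole chain, since one loose link makes sshd skip the key.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if writable_by_others "$p"; then
            echo "still group/world writable: $p" >&2; exit 1
        fi
    done
)
```

Run it as the user who owns the home directory, for example `install_pubkey "$HOME" /tmp/id_ed25519.pub` after copying the public key over.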

Try logging in now, with a username that is enabled to log in. You won’t be prompted for a password; instead, you’ll get a nice shell:

To test our hardening, try logging in now, but use a username that doesn’t exist on the server. You won’t be prompted for a password; instead, you’ll see:

No key, no admittance. No passwords accepted. Excellent.

Extra point. No root login, just for localhost.

An allowed ssh root login for a hacker/juanker is like honey for a bear.
So what we will do is enable SSH public key access for root just from localhost.

Edit /etc/ssh/sshd_config using vi; I’ve highlighted the options changed to harden SSH in a shortened example:

Next, include this Match rule at the end of the file, as a Match rule may affect all config options below it. Using without-password we allow root login using a public key.

One more step is needed: repeat the section “Enabling your user public key in authorized_keys” for the root user.

Save the file and restart the SSH daemon. The easiest way is to use the web GUI: click on Control Panel -> Terminal, uncheck Enable SSH Service, apply, check it again, and press apply again.
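The settings described in the two sshd_config sections above can be checked before the daemon is restarted, so a typo does not lock you out. This is an added example, not the author's configuration: the sample config is constructed from the options the text names, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of the hardened options described in the post
# (not the author's file).
sample_hardened_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# Match must come last: every option below it applies only to that block.
Match Address 127.0.0.1
    PermitRootLogin without-password
EOF
}

# audit_sshd_config FILE: print findings, return non-zero if a check fails.
# Handles the plain "Keyword value" form only, not "Keyword=value" or quoting.
audit_sshd_config() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    BEGIN { bad = 0 }
    NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
    { key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
    key == "match" {                           # start of a conditional block
        in_match = 1
        loopback = (val == "address" && ($3 == "127.0.0.1" || $3 == "::1"))
        next
    }
    in_match {
        if (key == "permitrootlogin" && val != "no") {
            if (loopback && val ~ /^(without|prohibit)-password$/) root_local = 1
            else fail("root login allowed by Match block: " $0)
        }
        if (key == "passwordauthentication" && val != "no")
            fail("Match block re-enables passwords: " $0)
        next
    }
    !(key in seen) { seen[key] = val }         # sshd keeps the first value it reads
    END {
        if (seen["passwordauthentication"] != "no") fail("PasswordAuthentication is not \"no\"")
        if (seen["pubkeyauthentication"] == "no")   fail("PubkeyAuthentication is disabled")
        if (seen["permitrootlogin"] != "no")        fail("global PermitRootLogin is not \"no\"")
        if (!root_local) print "INFO: no localhost-only root key login block"
        exit bad
    }' "$1"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing; a Match block placed above the global options is reported because those options then stop being global.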

Extra point enable root login from a shell using su. DEPRECATED

DEPRECATED
Of course we still need to have root access to the Synology; anything can happen.
If during any of the steps, or at any other time, you have seen this error message while trying to use ‘su’:
‘su: must be suid to work properly’

What is happening is that the permissions on the binary /bin/busybox are “wrong”; run this as root to fix it.

DEPRECATED

Restart ssh server from CLI

If you want to restart your SSH server from the CLI, use this script. Running it in the background guarantees that the command will complete, because when you launch it your current SSH session will be lost/closed.

 


For some reason, this command is not fully restarting the server or not loading the modified config, so, a workaround in order to restart the ssh server is to restart the whole system.

Important

This adds a nice layer of security, but it also means that you’d better keep backups of your SSH keys, or you are hosed!
If you’ve fucked up and you can’t get a root shell, or you need help because using vi is boring, try to look for a config file editor.

vsftpd: refusing to run with writable anonymous root

Today I was trying to set up a simple FTP server to recover some logs from different machines (set-top boxes at work).
I wanted to use a Python script to enter the machines and repeat some commands, because I’ve found really useful telnet libraries, but, anyway, on to the main topic….
My laptop at work uses Ubuntu 10.04, so I installed vsftpd, but it was not so easy to get it ready to use with anonymous login.

After enabling a lot of the commented-out anonymous options, I found I needed to create a directory by hand to allow anonymous upload,
/srv/ftp being the home directory of the ftp user....
sudo mkdir /srv/ftp/uploads

And at last: vsftpd: refusing to run with writable anonymous root
I found out why it wasn’t going through.
/srv/ftp CANNOT be writable.
/srv/ftp/incoming CAN be writable.
sudo chmod -w /srv/ftp/ and problem solved
So the root directory can’t be writable, but subdirectories within the root directory can.

Hope this helps for anyone using a search engine.

Debian/Ubuntu and MacOS X. Sharing files using netatalk

Intro

If you are trying to share files using a fast protocol (that’s not Samba) which fits both Debian and MacOS, you should install the netatalk package.

You will only hit the trap if you are using netatalk from the usual Debian apt source and you have changed the MacOS X default so that it does not use clear text passwords.

You have 2 solutions:

  • MacOS X won’t connect to the Debian Linux server; it just says that the access name or password wasn’t right, although it never asked for one. Just enable clear text passwords in MacOS X when you connect to an AFP server and it will work like a charm.
  • OpenSSL support is currently disabled because of licensing issues: the Free Software Foundation and Debian consider the GNU General Public License (GPL), under which Netatalk is licensed, to be incompatible with the OpenSSL license. You can build locally with OpenSSL using the following commands.

Using netatalk you can use any Debian server as a time machine backup, just read some manuals to know how.

Quick reference

To be up to date, look into /usr/share/doc/netatalk/README.Debian
usuario@LOCAL:~/$ sudo aptitude install devscripts
usuario@LOCAL:~/$ sudo aptitude build-dep netatalk
usuario@LOCAL:~/$ apt-get source netatalk
usuario@LOCAL:~/$ cd netatalk-*
usuario@LOCAL:~/$ dch -l +ssl -D local --force-distribution "Local build with OpenSSL."
usuario@LOCAL:~/$ DEB_AUTO_UPDATE_DEBIAN_CONTROL=1 DEB_BUILD_OPTIONS=openssl debuild -us -uc
(You may need additional build-dependencies not resolved automatically.)
usuario@LOCAL:~/$ dpkg -i ../netatalk*.deb

Alternatively you can subscribe to unofficial(!) precompiled packages by adding the following to your /etc/apt/sources.list:

usuario@LOCAL:~/$ cat /etc/apt/sources.list
….
#where following $DIST=stable, testing, unstable, wheezy, …
#look into http://debian.jones.dk/dists/ to know which one are available
deb http://debian.jones.dk/ $DIST netatalk

Here are my config files

usuario@LOCAL:~/$ cat /etc/netatalk/afpd.conf
# default:
# - -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
- -transall -uamlist uams_dhx.so -nosavepassword -advertise_ssh

usuario@LOCAL:~/$ cat /etc/netatalk/AppleVolumes.default
# The line below sets some DEFAULT, starting with Netatalk 2.1.
:DEFAULT: options:upriv,usedots
/PATH/TO/MY/disk MYDISKNAME allow:myselecteduser cnidscheme:dbd options:usedots,upriv
# End of File

Links and references

Debian Tip. Purge Removed Packages

Some packages are not *totally* removed when you select them for removal in Debian & Co. They usually leave some user-customized info, etc. behind. That’s why you should totally remove them, or, in the Debian world, purge them:

dpkg -l | awk '/^rc/ {print $2}' | xargs sudo dpkg --purge

Change desktop/virtualbox console/command line resolution for linux

Tired of using a small, poor 640×480 terminal window with your VirtualBox/desktop console?

First, edit /etc/default/grub and change/uncomment variable GRUB_GFXMODE with your desired value.


GRUB_GFXMODE=1680x1050

Later on, you should also edit /etc/grub.d/00_header and insert “gfxpayload=keep” as seen next:


if loadfont `make_system_path_relative_to_its_root ${GRUB_FONT_PATH}` ; then
set gfxmode=${GRUB_GFXMODE}
set gfxpayload=keep
insmod gfxterm
insmod ${GRUB_VIDEO_BACKEND}
if terminal_output gfxterm ; then true ; else
# For backward compatibility with versions of terminal.mod that don’t
# understand terminal_output
terminal gfxterm
fi
fi

If you want to know which resolutions you have available, you can use hwinfo (the hwinfo package in Debian and derivatives):

jack-sparrow:/home/enrgar# hwinfo --framebuffer
02: None 00.0: 11001 VESA Framebuffer
[Created at bios.464]
Unique ID: rdCR.h_b_dKkqAnF
Hardware Class: framebuffer
Model: “NVIDIA MCP79 Board – mcp7a-uo”
Vendor: “NVIDIA Corporation”
Device: “MCP79 Board – mcp7a-uo”
SubVendor: “NVIDIA”
SubDevice:
Revision: “Chip Rev”
Memory Size: 14 MB
Memory Range: 0xd1000000-0xd1dfffff (rw)
Mode 0x0300: 640×400 (+640), 8 bits
Mode 0x0301: 640×480 (+640), 8 bits
Mode 0x0303: 800×600 (+800), 8 bits
Mode 0x0305: 1024×768 (+1024), 8 bits
Mode 0x0307: 1280×1024 (+1280), 8 bits
Mode 0x030e: 320×200 (+640), 16 bits
Mode 0x030f: 320×200 (+1280), 24 bits
Mode 0x0311: 640×480 (+1280), 16 bits
Mode 0x0312: 640×480 (+2560), 24 bits
Mode 0x0314: 800×600 (+1600), 16 bits
Mode 0x0315: 800×600 (+3200), 24 bits
Mode 0x0317: 1024×768 (+2048), 16 bits
Mode 0x0318: 1024×768 (+4096), 24 bits
Mode 0x031a: 1280×1024 (+2560), 16 bits
Mode 0x031b: 1280×1024 (+5120), 24 bits
Mode 0x0330: 320×200 (+320), 8 bits
Mode 0x0331: 320×400 (+320), 8 bits
Mode 0x0332: 320×400 (+640), 16 bits
Mode 0x0333: 320×400 (+1280), 24 bits
Mode 0x0334: 320×240 (+320), 8 bits
Mode 0x0335: 320×240 (+640), 16 bits
Mode 0x0336: 320×240 (+1280), 24 bits
Mode 0x033d: 640×400 (+1280), 16 bits
Mode 0x033e: 640×400 (+2560), 24 bits
Mode 0x0345: 1600×1200 (+1600), 8 bits
Mode 0x0346: 1600×1200 (+3200), 16 bits
Mode 0x0347: 1400×1050 (+1400), 8 bits
Mode 0x0348: 1400×1050 (+2800), 16 bits
Mode 0x0349: 1400×1050 (+5600), 24 bits
Mode 0x034a: 1600×1200 (+6400), 24 bits
Mode 0x0352: 2048×1536 (+8192), 24 bits
Mode 0x0360: 1280×800 (+1280), 8 bits
Mode 0x0361: 1280×800 (+5120), 24 bits
Mode 0x0362: 768×480 (+768), 8 bits
Mode 0x0364: 1440×900 (+1440), 8 bits
Mode 0x0365: 1440×900 (+5760), 24 bits
Mode 0x0368: 1680×1050 (+1680), 8 bits
Mode 0x0369: 1680×1050 (+6720), 24 bits
Mode 0x037b: 1280×720 (+5120), 24 bits
Mode 0x037c: 1920×1200 (+1920), 8 bits
Mode 0x037d: 1920×1200 (+7680), 24 bits
Config Status: cfg=new, avail=yes, need=no, active=unknown

Links and references

Change trash IMAP folder in Mozilla Thunderbird (Icedove in Debian)

  1. Exit icedove (thunderbird)
  2. Insert a line like the code attached next into “prefs.js”, with the correct server# and correct name for the Trash folder:
  3. Start icedove (thunderbird)

enrgar@jack-sparrow:~$ emacs .mozilla-thunderbird/0w697id6.default/prefs.js

user_pref("mail.server.server6.trash_folder_name", "[Gmail]/Trash");

References and links

Speed up Gnome

This can do a bit of magic on your desktop.

enrgar@jack-sparrow:~$ gtk-update-icon-cache -f /usr/share/icons/THEMENAME/

Links and references