Tuesday, July 24, 2012

Linux Howto: Clone your active system to get a N-1 OS version available in case of update troubles or instability




If you are in the same situation as I am, your Linux XBMC box has become the multimedia center for the whole family. Let's say it's now in "production" and, as any client would, they won't accept any downtime due to a system or application upgrade issue :-)

There are of course several solutions you may use to back up and restore your system if required. In my opinion the easiest is to have a secondary N-1 version of the system available and ready to run in case the last update you absolutely had to apply (because you're such a geek you cannot keep running an outdated system ^^) broke your nice and stable installation!

Naturally, this will be applicable for any Linux installation.


************************ CAUTION ***************************************************************

These operations may easily break your system if you don't pay attention, 
please follow this Howto with great caution and very carefully!


*************************************************************************************************


Methods and requirements:


I recommend the following method using "partclone" to clone your system.

First and in any case, ensure you have a secondary partition with a size strictly identical to your base system. (obligatory for partclone)

This secondary partition will be used by our cloned system.

Also, I would recommend you install "/home" on a dedicated third partition.

So, let's say as an example your installation is partitioned this way (all formatted in ext4):

  • "/dev/sda1" is your main OS installation
  • "/dev/sda2" will be your N-1 OS version
  • "/dev/sda3" is your "/home" partition

Note: With partclone, your 2 system partitions must have strictly the same size. Use GParted from your Live OS to modify your partitions as required (resize, create, move and so on).
But be careful, you can easily break everything if you don't pay attention ^^


Clone your system with partclone


Limitations and constraints:

You can't clone a partition that is in use and mounted, so the easiest method is to boot from a USB Live distribution and clone your system from there.

This is very easy, just download any Linux distribution (I recommend Xubuntu) and use "Unetbootin" to create the Live USB key.

Also, ensure your live system is able to access the Internet, as you will need to install some packages.

Step 1: Boot to Live OS


Insert your Live USB key and boot the system. When the system is ready, install the requirements:
sudo apt-get install partclone
Note: Ensure you are connected to the Internet before running apt-get. There is no need to update first, but you can do it if you want.


Step 2: Clone the system


Recommended:

I recommend first backing up the partition to an external image (you may need it later) and then restoring that image to the secondary partition:

First check and correct the filesystem if required:
sudo fsck.ext4 -yf /dev/sda1

Clone sda1 to an external image:
sudo partclone.ext4 -c -d -s /dev/sda1 -o <MY DESTINATION FOLDER>/sda1_partclone_ext4_MMDDYYYY.img

Restore sda1 image to sda2 partition:
sudo partclone.ext4 -r -d -s <MY DESTINATION FOLDER>/sda1_partclone_ext4_MMDDYYYY.img -o /dev/sda2

Step 3: Update secondary partition UUID and Label



This is a very important operation: if you don't update the secondary partition's UUID, it will have the same one as your first OS and you can be sure you're heading for big trouble!

Install requirements ("e2label" is shipped in the "e2fsprogs" package):
sudo apt-get install uuid e2fsprogs

List the current UUIDs; sda1 and sda2 have the same UUID and the same label, which is a really bad thing:

sudo blkid
Note: You can also use the command "sudo tune2fs -l /dev/sda1 | grep UUID"

Output example before update:
/dev/sda1: LABEL="SYSTEM1" UUID="affe0f48-6b88-43a5-b131-20a58cd776b8" TYPE="ext4"                                                          
/dev/sda2: LABEL="SYSTEM1" UUID="affe0f48-6b88-43a5-b131-20a58cd776b8" TYPE="ext4"

Update "/dev/sda2" UUID:
sudo tune2fs -U `uuid` /dev/sda2

Update "/dev/sda2" Label:
sudo e2label /dev/sda2 SYSTEM2

Check and note the new configuration:
sudo blkid
/dev/sda1: LABEL="SYSTEM1" UUID="affe0f48-6b88-43a5-b131-20a58cd776b8" TYPE="ext4"                                                          
/dev/sda2: LABEL="SYSTEM2" UUID="8e1e225a-d51e-11e1-b5aa-00012e409020" TYPE="ext4"

Everything is fine, we have different UUID and Labels for both partitions, let's mount the secondary partition and update "/etc/fstab" with this new information:

Mount the partition:
sudo mkdir /mnt/sda2 && sudo mount -t ext4 /dev/sda2 /mnt/sda2

Edit "/mnt/sda2/etc/fstab" and replace the initial UUID with the new one; in this example we replace:
UUID=affe0f48-6b88-43a5-b131-20a58cd776b8 /               ext4    errors=remount-ro,noatime 0       1                                       

By:
UUID=8e1e225a-d51e-11e1-b5aa-00012e409020 /               ext4    errors=remount-ro,noatime 0       1                                       

Save and umount the partition:
sudo umount /dev/sda2 && sudo rm -rf /mnt/sda2


Step 4: Reboot to main system and update grub


Notes: os-prober from Grub should be able to generate a functional boot configuration by finding our cloned system in "/dev/sda2". For an unknown reason this doesn't work, so I recommend a manual operation, which will be more reliable.


Leave the Live USB system and reboot to the main system, then open "/boot/grub/grub.cfg" and copy the main system boot lines to the clipboard or a temporary text editor. In our example we find the original kernel lines:
menuentry 'Ubuntu, avec Linux 3.2.0-26-generic' --class ubuntu --class gnu-linux --class gnu --class os {                                   
        recordfail                                                                                                                          
        gfxmode $linux_gfx_mode                                                                                                             
        insmod gzio                                                                                                                         
        insmod part_msdos                                                                                                                   
        insmod ext2                                                                                                                         
        set root='(hd0,msdos1)'                                                                                                             
        search --no-floppy --fs-uuid --set=root affe0f48-6b88-43a5-b131-20a58cd776b8                                                        
        linux   /boot/vmlinuz-3.2.0-26-generic root=UUID=affe0f48-6b88-43a5-b131-20a58cd776b8 ro   quiet splash $vt_handoff                 
        initrd  /boot/initrd.img-3.2.0-26-generic                                                                                           
}                                                                                                                                           
menuentry 'Ubuntu, avec Linux 3.2.0-26-generic (mode de dépannage)' --class ubuntu --class gnu-linux --class gnu --class os {               
        recordfail                                                                                                                          
        insmod gzio                                                                                                                         
        insmod part_msdos                                                                                                                   
        insmod ext2                                                                                                                         
        set root='(hd0,msdos1)'                                                                                                             
        search --no-floppy --fs-uuid --set=root affe0f48-6b88-43a5-b131-20a58cd776b8                                                        
        echo    'Chargement de Linux 3.2.0-26-generic ...'                                                                                  
        linux   /boot/vmlinuz-3.2.0-26-generic root=UUID=affe0f48-6b88-43a5-b131-20a58cd776b8 ro recovery nomodeset                         
        echo    'Chargement du disque mémoire initial ...'                                                                                  
        initrd  /boot/initrd.img-3.2.0-26-generic                                                                                           
} 


Add "(on /dev/sda2)" after the kernel version in "menuentry", replace "msdos1" with "msdos2" and the old UUID with the new one, then put these lines into "/etc/grub.d/40_custom". In our example the new lines will be:
menuentry "Ubuntu, avec Linux 3.2.0-26-generic (on /dev/sda2)" --class gnu-linux --class gnu --class os {                                   
        recordfail                                                                                                                          
        gfxmode $linux_gfx_mode                                                                                                             
        insmod gzio                                                                                                                         
        insmod part_msdos                                                                                                                   
        insmod ext2                                                                                                                         
        set root='(hd0,msdos2)'                                                                                                             
        search --no-floppy --fs-uuid --set=root 8e1e225a-d51e-11e1-b5aa-00012e409020                                                        
        linux /boot/vmlinuz-3.2.0-26-generic root=UUID=8e1e225a-d51e-11e1-b5aa-00012e409020 ro quiet splash $vt_handoff                     
        initrd /boot/initrd.img-3.2.0-26-generic                                                                                            
}                                                                                                                                           
menuentry "Ubuntu, avec Linux 3.2.0-26-generic (mode de dépannage) (on /dev/sda2)" --class gnu-linux --class gnu --class os {               
        recordfail                                                                                                                          
        insmod gzio                                                                                                                         
        insmod part_msdos                                                                                                                   
        insmod ext2                                                                                                                         
        set root='(hd0,msdos2)'                                                                                                             
        search --no-floppy --fs-uuid --set=root 8e1e225a-d51e-11e1-b5aa-00012e409020                                                        
        linux /boot/vmlinuz-3.2.0-26-generic root=UUID=8e1e225a-d51e-11e1-b5aa-00012e409020 ro recovery nomodeset                           
        initrd /boot/initrd.img-3.2.0-26-generic                                                                                            
}  

Update grub:
sudo update-grub 


Reboot from your main system and test booting to the secondary OS. It should boot with no problem and you will get exactly the same system as the main one.

You can test whatever you need in the secondary system, such as important system and application upgrades, without the risk of breaking your main system.

However, don't forget that if you have a third partition for "/home", any issue not related to the system partition but related to the home partition (such as deleting a user's files) will of course exist in both systems!

So a best practice will always be to also back up the /home partition ^^

Now that you have 2 systems available, if you want to update the secondary system you don't have to boot a Live OS again:

  • Boot to secondary system
  • Create the partclone image from primary system to an external image
  • Boot to primary system
  • Restore the external image to secondary partition
  • Redo the UUID change and fstab correction


Step 5: Optional - Home Directory


If you want to be completely independent of your first installation, you may also copy your initial main user's home directory, for example to "/home/user_system2".

Then just change the home directory in your second system by editing "/etc/passwd" (remember to adapt the path depending on where you edit it from).





Feel free to comment :-)







Friday, July 20, 2012

Mini How-to : Installation of Avermedia Green Volar HD under Linux



****************************************************************************************************
Edit 10/11/2012:

This how-to is outdated. If you have this device, I recommend installing a kernel from version 3.5 onwards: this DVB adapter is supported automatically by newer kernels.
The only required operation will be to download the firmware as usual.

In a few words:


For Ubuntu 12.04:

Go to http://kernel.ubuntu.com/~kernel-ppa/mainline/

Then choose your kernel, eg. http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.5.5-quantal/

32-bit kernel, download:
linux-headers-3.5.5-030505_3.5.5-030505.201210021510_all.deb
linux-headers-3.5.5-030505-generic_3.5.5-030505.201210021510_i386.deb
linux-image-3.5.5-030505-generic_3.5.5-030505.201210021510_i386.deb
linux-image-extra-3.5.5-030505-generic_3.5.5-030505.201210021510_i386.deb



64-bit kernel, download:
linux-headers-3.5.5-030505_3.5.5-030505.201210021510_all.deb
linux-headers-3.5.5-030505-generic_3.5.5-030505.201210021510_amd64.deb
linux-image-3.5.5-030505-generic_3.5.5-030505.201210021510_amd64.deb
linux-image-extra-3.5.5-030505-generic_3.5.5-030505.201210021510_amd64.deb


Then install:

$ sudo dpkg -i *.deb


Reboot.

Download firmware:

cd /lib/firmware
sudo wget http://xgazza.altervista.org/Linux/DVB/dvb-usb-af9035-02.fw


And you're done: just plug in the device and check your kernel log (command "dmesg").

****************************************************************************************************



So you bought this cheap DVB tuner USB key and thought it would work under Linux with no effort... well, not quite :-)

Let's see how to deal with this key. See my post on tvheadend and XBMC for more information on getting live TV using such DVB tuners:
http://youresuchageek.blogspot.fr/2012/07/xbmc-pvr-how-to-enhance-your-xbmc-media.html

We will use v4l-DVB drivers from Linux TV:

First install some requirements:
For Ubuntu 12.04:

sudo apt-get install libdigest-sha-perl make gcc git patch patchutils libproc-processtable-perl linux-source linux-headers-`uname -r`


For Ubuntu 11.10 and previous:

sudo aptitude install libdigest-sha1-perl make gcc git patch patchutils libproc-processtable-perl linux-source linux-headers-`uname -r`


Download the modules. When the process begins to compile, abort it with "ctrl+c"; this is very unusual, but we don't need the compilation to complete:

git clone git://linuxtv.org/media_build.git
cd media_build 
./build


Now that you have aborted the compilation, we will compile and install the DVB modules (NB: if you have a dual-core processor, "make -j 2" will speed up the compilation; you may also use the standard "make" command):

make allyesconfig
make -j 2
sudo make install


NOTE for Ubuntu kernel 3.2.0-26: compilation could fail. If it does, create "media_build/linux/include/linux/v4l2-common.h" with the following content and relaunch the compilation:

#ifndef V4L2_COMMON_H
#define V4L2_COMMON_H

/* Hints for adjustments of selection rectangle */
#define V4L2_SEL_FLAG_GE        0x00000001
#define V4L2_SEL_FLAG_LE        0x00000002

/* Selection targets */

/* Current cropping area */
#define V4L2_SEL_TGT_CROP        0x0000
#define V4L2_SEL_TGT_CROP_ACTIVE        0x0000
/* Default cropping area */
#define V4L2_SEL_TGT_CROP_DEFAULT       0x0001
/* Cropping bounds */
#define V4L2_SEL_TGT_CROP_BOUNDS        0x0002
/* Current composing area */
#define V4L2_SEL_TGT_COMPOSE        0x0100
#define V4L2_SEL_TGT_COMPOSE_ACTIVE     0x0100
/* Default composing area */
#define V4L2_SEL_TGT_COMPOSE_DEFAULT    0x0101
/* Composing bounds */
#define V4L2_SEL_TGT_COMPOSE_BOUNDS     0x0102
/* Current composing area plus all padding pixels */
#define V4L2_SEL_TGT_COMPOSE_PADDED     0x0103

#endif //V4L2_COMMON_H


Download Firmware:

cd /lib/firmware
sudo wget http://xgazza.altervista.org/Linux/DVB/dvb-usb-af9035-02.fw


Plug in your DVB USB key and check the kernel messages. If everything is OK you will get this kind of message:

dvb-usb: found a 'AVerMedia AVerTV Volar HD/PRO (A835)' in cold state, will try to load a firmware
dvb-usb: downloading firmware from file 'dvb-usb-af9035-02.fw'
af9035: firmware version=11.5.9.0
dvb-usb: found a 'AVerMedia AVerTV Volar HD/PRO (A835)' in warm state.
dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
DVB: registering new adapter (AVerMedia AVerTV Volar HD/PRO (A835))
dvb-usb: MAC address: 00:00:00:00:00:00
af9033: firmware version: LINK=11.5.9.0 OFDM=5.17.9.1
DVB: registering adapter 0 frontend 0 (Afatech AF9033 (DVB-T))...
tda18218: NXP TDA18218HN successfully identified.
Registered IR keymap rc-empty
input: IR-receiver inside an USB DVB receiver as /devices/pci0000:00/0000:00:12.2/usb1/1-1/rc/rc0/input7
rc0: IR-receiver inside an USB DVB receiver as /devices/pci0000:00/0000:00:12.2/usb1/1-1/rc/rc0
dvb-usb: schedule remote query interval to 250 msecs.
dvb-usb: AVerMedia AVerTV Volar HD/PRO (A835) successfully initialized and connected.
usbcore: registered new interface driver dvb_usb_af9035

That's all, you're done :-)
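
Both firmware steps in this how-to fetch "dvb-usb-af9035-02.fw" over plain HTTP straight into "/lib/firmware" as root. The script below is an added example (not part of the original how-to): it installs a downloaded file only when its SHA-256 matches a value obtained from a source you trust, then classifies the kernel log after the key is plugged in. Function names and the script name are illustrative, and since no checksum is published on this page the expected hash is a placeholder you must supply.

```shell
#!/bin/sh
# Added example: verify a firmware file before installing it, then confirm
# from the kernel log that the driver loaded it. Names are illustrative.
# Typical use (EXPECTED_SHA256 is a placeholder, not given by this how-to):
#   wget -O /tmp/dvb-usb-af9035-02.fw <firmware URL>
#   sudo sh fwcheck.sh /tmp/dvb-usb-af9035-02.fw "$EXPECTED_SHA256" /lib/firmware
#   dmesg | dvb_firmware_status dvb-usb-af9035-02.fw

# Excerpt of the kernel log shown in this how-to, used as sample input.
DMESG_SAMPLE="dvb-usb: found a 'AVerMedia AVerTV Volar HD/PRO (A835)' in cold state, will try to load a firmware
dvb-usb: downloading firmware from file 'dvb-usb-af9035-02.fw'
dvb-usb: found a 'AVerMedia AVerTV Volar HD/PRO (A835)' in warm state.
dvb-usb: AVerMedia AVerTV Volar HD/PRO (A835) successfully initialized and connected."

# Copy <file> into <dest-dir> only if its SHA-256 equals <expected-sha256>.
# Returns 0 on install, 1 on mismatch, 2 if the file does not exist.
install_verified_firmware() {
    fw_file=$1
    fw_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    fw_dest=$3
    [ -f "$fw_file" ] || { echo "no such file: $fw_file" >&2; return 2; }
    fw_have=$(sha256sum "$fw_file" | awk '{ print $1 }')
    if [ "$fw_have" != "$fw_want" ]; then
        echo "SHA-256 mismatch for $fw_file (got $fw_have), not installing" >&2
        return 1
    fi
    # Firmware only needs to be readable; keep it writable by the owner alone.
    install -m 0644 "$fw_file" "$fw_dest/"
}

# Read kernel log text on stdin and print one word:
#   loaded - the named firmware file was requested and the device initialized
#   warm   - device initialized, but this log shows no firmware request
#   cold   - device seen in cold state and never got further
#   absent - no dvb-usb device lines at all
dvb_firmware_status() {
    awk -v fw="$1" '
        /dvb-usb: found a .* in cold state/ { cold = 1 }
        index($0, "downloading firmware from file") && index($0, fw) { asked = 1 }
        /dvb-usb: found a .* in warm state/ { warm = 1 }
        /successfully initialized and connected/ { ready = 1 }
        END {
            if (asked && warm && ready) print "loaded"
            else if (warm && ready)     print "warm"
            else if (cold)              print "cold"
            else                        print "absent"
        }'
}

# With three arguments, act as the installer described in the header comment.
if [ "$#" -eq 3 ]; then
    install_verified_firmware "$@"
else
    # Offline demo on the sample log above.
    printf '%s\n' "$DMESG_SAMPLE" | dvb_firmware_status dvb-usb-af9035-02.fw
fi
```
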

Some sources:











Wednesday, July 18, 2012

Mini Howto XBMC : Install an MCE remote control to take over your Linux XBMC Box


The Goal: 

The best and easiest way to control your XBMC box is naturally a remote control (even more so for the rest of the family ^^).

If your HTPC wasn't provided with one, or if you want to change, my advice (that's just my opinion) would be to buy an MCE remote, also called a Microsoft remote control.

They work easily in any Linux installation and work in XBMC without any painful effort!

What you need:

  • A functional XBMC Linux installation
  • An MCE remote control associated with its IR receiver. (prefer an external USB IR receiver)
For my personal installation, I bought this one (French link):


It works perfectly in Linux and XBMC and comes with a great USB IR receiver.
The remote itself is of good quality, nothing to regret.

You may also look for one on ebay, you'll easily find a lot of MCE remotes that will work with no issues in XBMC and Linux.

Step 1: Install and configure LIRC

Plug the IR and check kernel messages:

First plug in the IR receiver and check the kernel messages. You should find messages like these telling you the IR receiver has been detected and installed:


[   11.560051] input: MCE IR Keyboard/Mouse (mceusb) as /devices/virtual/input/input9                                                       
[   11.563329] IR MCE Keyboard/mouse protocol handler initialized                                                                           
[   11.572910] lirc_dev: IR Remote Control driver registered, major 249                                                                     
[   11.574374] rc rc0: lirc_dev: driver ir-lirc-codec (mceusb) registered at minor = 0                                                      
[   11.574382] IR LIRC bridge handler initialized
[   11.624101] mceusb 4-2:1.0: Registered Topseed Technology Corp. eHome Infrared Transceiver with mce emulator interface version 1         
[   11.624110] mceusb 4-2:1.0: 2 tx ports (0x0 cabled) and 2 rx sensors (0x1 active)      


Here you can see Linux recognized the IR device as an "mceusb"; the driver is loaded directly by the kernel itself.

Install and configure LIRC:

If LIRC is already installed on your system, my advice is to completely uninstall it. You could use "dpkg-reconfigure lirc", but in my case it was not completely working as expected.

Moreover, in Ubuntu 12.04 there seems to be a problem identifying a kernel directory when installing LIRC. If you have any issue starting LIRC, the workaround is:

$ sudo ln -s /lib/modules/3.2.0-26-generic/kernel/drivers/staging/media/lirc /lib/modules/3.2.0-26-generic/kernel/drivers/staging/lirc


NB: Replace with your kernel version (eg. 3.2.X-XX-....), use the command "uname -a" if you don't know it


So back up your config files if required (in directory "/etc/lirc") and:

sudo apt-get remove --purge lirc


Install LIRC:

sudo apt-get install lirc


Accept the installation and, when requested in the first configuration screen, choose "Windows Media Center Transceivers/Remotes [all]":



Then choose none in the second screen and validate.


Step 2: Test


Use the tool provided with LIRC to test your remote control:

$ irw


Press some random remote keys; if your MCE remote works, you will get key signals.
If you get nothing, you might have a problem with LIRC or with your configuration:

  • Double check that LIRC is started; if in doubt, restart it and check the messages (sudo /etc/init.d/lirc restart)
  • If LIRC is failing to start, check the workaround at the beginning of this article; a kernel directory location change seems to break LIRC!
  • Check your receiver; on various IR receivers you'll get a red light when pressing a remote key
  • Perhaps your remote control needs another driver, ask Google :-)


Step 3: XBMC Test


Restart XBMC and test your remote control; in my case (and in general with an MCE remote) you have absolutely nothing more to configure ^^

And you're done, enjoy :-)











Monday, July 16, 2012

Mini How-to : Google Drive under Linux: Synchronize your Google Drive under Linux with grive ! (waiting for the official Google client ^^)



Edit 10/18/2012:
Take a look at the new project https://www.insynchq.com/. It's very easy to install and use, and offers much more integration with the Linux desktop than grive.

Very great !!!



An official Google Drive client for Linux is still lacking... if you are, as I am, addicted to various Google services, this lack is very frustrating! (what is Google waiting for ???)

Fortunately, thanks to "grive" and its author, you can now synchronize your local documents with your Google Drive from the command line :-)

Here's how in a few command lines:

Install grive:

Install grive (under Ubuntu and derived distributions)

sudo add-apt-repository ppa:nilarimogard/webupd8

sudo apt-get update

sudo apt-get install grive

Configure first launch to authorize grive to access your Google Drive:

Go to the directory you want to synchronize with Google Drive and configure grive:

$ cd <My Local Directory to synchronize>
$ grive -a
-----------------------                                                                                                                     
Please go to this URL and get an authentication code:                                                                                       
                                                                                                                                            
https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2F
auth%2Fuserinfo.profile+https%3A%2F%2Fdocs.google.com%2Ffeeds%2F+https%3A%2F%2Fdocs.googleusercontent.com%2F+https%3A%2F%2Fspreadsheets.goog
le.com%2Ffeeds%2F&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=22314510474.apps.googleusercontent.com                
                                                                                                                                            
-----------------------                                                                                                                     
Please input the authentication code here:   


Open your Web browser, paste this URL, log in with your Google account when asked, and finally copy the code that Google provides and paste it into the terminal.

grive will execute the first synchronization:

Reading local directories
Synchronizing folders
Reading remote server file list
Detecting changes from last sync
Synchronizing files
Finished!  


You're done. Now, every time you want to synchronize your local data with your Google Drive, just open a terminal, "cd" to your directory and run "grive".

It is no longer necessary to run it with the "-a" option, as its purpose was to configure and associate your computer with your Google Drive account; just run grive with no option to start synchronization.

You may also want to look at other options such as "-V" to enable verbose mode or "--dry-run" to simulate execution; see the help:

grive --help                                                                                                         
Grive options:                                                                                                                              
  -h [ --help ]         Produce help message                                                                                                
  -v [ --version ]      Display Grive version                                                                                               
  -a [ --auth ]         Request authorization token                                                                                         
  -V [ --verbose ]      Verbose mode. Enable more messages than normal.                                                                     
  -d [ --debug ]        Enable debug level messages. Implies -v.                                                                            
  -l [ --log ] arg      Set log output filename.                                                                                            
  -f [ --force ]        Force grive to always download a file from Google Drive                                                             
                        instead of uploading it.                                                                                            
  --dry-run             Only detect which files need to be uploaded/downloaded,                                                             
                        without actually performing them.  



Really great work from the author (see man):

AUTHOR                                                                                                                                      
       The software was developed by Nestal Wan.                                                                                            
                                                                                                                                            
       This manpage was written by Jose Luis Segura Lucas (josel.segura@gmx.es)   


  
Now we (all Linux users of Google services) are still waiting for Google to finally provide us with their official client... Google, listen to us, it would be nice not to forget Linux users :-)












Sunday, July 15, 2012

SSH / Google 2-Step Authentication How-To : Enhance your SSH security with Google Two factor Authentication Service



*** Updated March 9, 2013  ***

Major changes:
03/09/2013 - Added missing pam settings upon user comment

The Goal:


Google provides, for free, a great service to enhance your Google account security called "Google 2-Step Authentication" (also called two-factor authentication), which offers a really strong authentication mechanism.

This service can also easily be used to enhance your SSH access security.
In a few words, you will be able to protect your SSH access with strong authentication using your smartphone as a software token.

Do not hesitate to read official Google page if you need more information:

You may also read my article about configuring it to protect your Google account access:

Other useful sources (thanks to various authors):

What you need:

  • A running Linux Box with SSH installed and accessible
  • A smartphone: iPhone, Android or RIM

Step 1: Install Google Authenticator


Tested under Ubuntu 12.04 LTS:
sudo apt-get install libpam-google-authenticator

Step 2: Configure SSH to use Google Authenticator


Edit "/etc/pam.d/sshd" with your favorite text editor and add:
auth required pam_google_authenticator.so

Edit "/etc/ssh/sshd_config" and set:
ChallengeResponseAuthentication yes

Edit "/etc/pam.d/common-auth" and set:


auth required pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok_secure


As the user you want to connect with, configure your Google two-factor authentication:

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@host%3Fsecret%3DZDTR6VU5FR5OIZ3G

<BAR CODE>
       
Your new secret key is: ZDTR6VU5FR5OIZ3G
Your verification code is 843231
Your emergency scratch codes are:
  31043901
  75807840
  98606066
  42902460
  31208347

Do you want me to update your "~/.google_authenticator" file (y/n)

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y


Note: 
Emergency codes are provided in case your phone is unavailable; you should keep them somewhere safe.

Open the Google Authenticator application on your phone, tap "+" then "read bar code", and scan the bar code displayed in the terminal; it will be added automatically in the application. The URL printed above embeds the secret key, so scan the code from the terminal rather than opening that URL in a browser.


Restart ssh:
sudo service ssh restart



Note:
I recommend keeping your current terminal session open in case you are unable to connect.
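
While that terminal is still open, the three settings from Step 2 can be checked mechanically. This audit script is an added example, not part of the original post; its function names are illustrative, and it reads only plain "keyword value" lines of sshd_config (Match blocks and included files are not evaluated).

```shell
#!/bin/sh
# Added example: audit the SSH two-factor settings described in Step 2.
# Typical use (script name is illustrative):
#   sudo sh audit2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config ~/.google_authenticator

# Succeed if the PAM file has an active (uncommented) line
#   auth required pam_google_authenticator.so
pam_has_google_auth() {
    awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# Print the effective value of an sshd_config keyword, lowercased.
# Keywords are case-insensitive and sshd keeps the first value it reads,
# so a later "yes" does not override an earlier "no".
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1" 2>/dev/null
}

# Succeed if the file exists and grants no permission to group or others.
# ~/.google_authenticator holds the secret key and the scratch codes.
owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print one line per problem and return the problem count.
# Usage: audit_ssh_2fa <pam-file> <sshd_config> <secret-file>
audit_ssh_2fa() {
    problems=0
    if ! pam_has_google_auth "$1"; then
        echo "PAM: no active pam_google_authenticator.so line in $1"
        problems=$((problems + 1))
    fi
    if [ "$(sshd_effective "$2" ChallengeResponseAuthentication)" != "yes" ]; then
        echo "sshd: ChallengeResponseAuthentication is not set to yes in $2"
        problems=$((problems + 1))
    fi
    if ! owner_only "$3"; then
        echo "secret: $3 is missing or accessible by group/others"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Only audit when the three paths are given on the command line.
if [ "$#" -eq 3 ]; then
    audit_ssh_2fa "$@" && echo "all checks passed"
fi
```

The same function can be pointed at "/etc/pam.d/common-auth" to check the second PAM file edited in Step 2.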


Step 3: Check authentication



Try to connect to your host using the Google code provided by your phone:

ssh user@host
Password: 
Verification code: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-26-generic x86_64)

Last login: Sun Jul 15 11:28:17 2012 from XXX.XXX.X.XX
user@host:~$ 













Sunday, July 8, 2012

XBMC PVR How-to : Enhance your XBMC Media Center Experience with Live TV


*** Updated August 2012:  ***
- Debian/Ubuntu package 3.0
************************

The Goal:


Configuring Live TV on XBMC is a great way to complete your Media Center experience. That's called "PVR" and it will allow you to watch real Live TV on your XBMC box!

For now, XBMC does not handle TV backend functionality itself; it only acts as a frontend to a backend software that manages the TV tuner.

Please take a look at my full XBMC post to help you install and configure XBMC:
xbmc-install-and-config-howto-for-linux

What you need:


  • A working XBMC installation built with PVR support (if you used my post, PVR is part of the XBMC compilation)
  • A TV tuner: USB TV tuner, PCI, HD HomeRun... I used an "Elgato Eye TV Diversity"
  • Backend software to manage the TV stream; I recommend tvheadend

Step 1: Install the TV Tuner and check configuration

First, plug the TV tuner into your Linux box and check the kernel log. If everything is right, you should get this kind of message:

[30943.681707] dvb-usb: found a 'Elgato EyeTV Diversity' in cold state, will try to load a firmware
[30943.690351] dvb-usb: downloading firmware from file 'dvb-usb-dib0700-1.20.fw'
[30943.929564] dib0700: firmware started successfully.
[30944.432325] dvb-usb: found a 'Elgato EyeTV Diversity' in warm state.
[30944.432550] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[30944.432693] DVB: registering new adapter (Elgato EyeTV Diversity)
[30944.700631] DVB: registering adapter 0 frontend 0 (DiBcom 7000PC)...
[30944.936519] DiB0070: successfully identified
[30944.936530] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[30944.936749] DVB: registering new adapter (Elgato EyeTV Diversity)
[30945.106998] DVB: registering adapter 1 frontend 0 (DiBcom 7000PC)...
[30945.348653] DiB0070: successfully identified
[30945.348689] Registered IR keymap rc-dib0700-nec
[30945.349030] input: IR-receiver inside an USB DVB receiver as /devices/pci0000:00/0000:00:12.2/usb1/1-1/rc/rc1/input8
[30945.349535] rc1: IR-receiver inside an USB DVB receiver as /devices/pci0000:00/0000:00:12.2/usb1/1-1/rc/rc1
[30945.349911] dvb-usb: schedule remote query interval to 50 msecs.
[30945.349924] dvb-usb: Elgato EyeTV Diversity successfully initialized and connected.

You can see here that the kernel successfully identified the USB TV tuner and installed the appropriate driver. I recommend double-checking Linux compatibility before buying your TV tuner.

Step 2: Install tvheadend as the Backend for Live TV


Download and install the backend; we will use "tvheadend".
In my opinion, this is a very good TV backend that comes with a nice web interface.

We will use the latest version, which is still under development, to get all tvheadend functionalities. Tvheadend is small and does not have many dependencies, so compilation will be easy.

(You can also install the version provided by your package system; on Debian-derived systems: sudo apt-get install tvheadend)

Install tvheadend:

Source:
$ wget https://github.com/downloads/tvheadend/tvheadend/tvheadend_3.0_amd64.deb
$ sudo dpkg -i tvheadend_3.0_amd64.deb

Answer the installation questions (admin username and password).

After installation, you should find the process running (ps -ef | grep tvheadend) and an init script in "/etc/init.d/tvheadend".

Configuration files will be located in "/home/hts/.hts" and "/home/hts/.xmltv".

Step 3: Configure tvheadend

Connect to the tvheadend web interface using your localhost URL (replace localhost with the appropriate backend IP or hostname if required):



Click on "Configuration" then "TVAdapters" and choose your adapter:


Scan for channels:

Select "Add DVB Networks By Location" and add your country and/or city. In my case I chose the defaults and my country to ensure I would get all channels.

Immediately after that, tvheadend will start to scan for channels.
Be patient, this will take a long time to finish.
In the "General" screen (middle right of the page), you will see the scan result and the running "services" (which means the channels found by the adapter).

Take a look at "Multiplexes"; if your antenna and your TV tuner work fine, you should see something like this:



When the scan process is over, you will see channels in "Services":



Wait for the full process to end, then in "General", click "Map DB services to channels".

Additionally, edit the other services and map them manually to channels.

Edit channels to end configuration:

Go to the "Channels" panel and edit any channel to set the channel number and so on.

If you want channel logos to appear in XBMC (and you will, because that's pretty), we will have to use an Apache instance for it: create an Apache instance, download the channel logos (use Google image search) and save them to the root folder of the Apache instance.

In a few words:

  • Edit the new Apache site (don't forget to add the port to ports.conf if it is new) and tune it to your needs:

<VirtualHost *:10000>
        ServerAdmin webmaster@localhost
        ServerName      xxxxxxxxxxxxxxx
        DocumentRoot /media/xbmc/logo
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
        LogLevel notice
        CustomLog /var/log/apache2/access.log combined
        ErrorLog /var/log/apache2/error.log
        ServerSignature On
</VirtualHost>


  • Restart Apache and add the channel logo pictures to the Apache root folder
  • Ensure it works by fetching one logo with your web browser, for example
  • In the tvheadend "Channels" panel, configure the logo; configuration example:


You're done with the tvheadend configuration. I recommend simply adding it to your session's automatic startup (if you are using a desktop session).

You may also simply write an init shell script to start and stop it as a service.

Finally configure the XML Grabber:

On Debian derived systems, install xmltv:

sudo apt-get install xmltv

Go to the XML TV panel, select your country and follow the instructions.


Step 4: Configure XBMC


Go back in XBMC and activate the PVR addon for tvheadend frontend (system>settings>add-ons>activated addons):


If you don't run tvheadend on the same host, or if you set an admin user in tvheadend, configure it.

If you haven't changed anything, default configuration is fine and will work.



Save, and Go to "Live TV", XBMC will automatically get channels configuration, final result:




Everything works ^^ Take a look at the time-shift or record functions; some of them are still being improved and may not be as stable as they should be, but they work.

As a conclusion, your XBMC Media Center is now really complete, enjoy :-)

FAQ and issues:

  • tvheadend fails to start with a segmentation fault message

I experienced this several times for unknown reasons after reboots; it was always caused by some kind of EPG file corruption.

If you experience this, just remove the file and restart:


rm ~/.hts/tvheadend/epgdb








Tuesday, July 3, 2012

Google Account Howto - Protect and secure your Google Account (gmail, google+, Google Drive...) with Strong Authentication (turn your phone into a Software Secure Token, use 2 steps authentication)

The Goal:

How precious is your Google account to you? Does Google host your mail, contacts, documents of all sorts (thanks to Google Drive), professional or confidential data? Do you think protecting it with only a password (even a strong one) is enough? You may be wrong!

Google offers you a great and free service which is almost the best way to secure your account access, and it really improves the security of your Google services and your personal data.

They call it "2 Steps Authentication"; in a professional environment you may already know it as "Strong Identification", such as RSA SecurID and other professional solutions.

Of course Google gives you all required explanations here:

My goal here is to present this great Google service and help you activate it easily in a few simple steps.
It will drastically improve your account security!

With this service, the only way to connect to your account will be to get your login name and your current password, and to steal your smartphone!


What you need:


  • First of all, a Google account ! ^^
  • A computer
  • A smartphone that will act as the security device: iOS, Android or RIM (even an iPad or could do the job, but you will have to always keep it in your pocket!)
  • Optionally a printer to be able to print your personal code for safety 

Step 1: Connect to your Google Account and activate the 2 Steps authentication


  • Connect to your Google account management interface and sign in:
 (you may also connect to any Google service such as Gmail, Google Drive... and access your account properties):

  • When connected, click on "Security" (bottom left page) :

















  • In this new page, look at the middle of the page and click on "Edit":
  • In the animation page, click on "Start Setup" (bottom right):
  • Enter your (real) phone number, select "Text message" as the way to send you the activation code, and submit:

  • You will receive a text message from Google; enter the received code:
  • Select whether or not you want to trust the computer you are connected to for 30 days:
If you are on your personal computer, you can activate this to avoid having to systematically submit your verification code using Google Authenticator.

If you are on a non-private computer, don't activate this: it is not a computer you can trust!

  

  • Confirm to activate:


  • In the new page, sign in (you do not yet need to provide a verification code because things are not over yet ^^); the following page will open:

  • Answer "Do this later"; we will take care of that a bit later
  • VERY IMPORTANT: Print your backup code in case you lose your phone !!!

Print the code provided by Google and always keep it on you (or at home if you prefer). With this code you will be able to connect to your account and deactivate 2 Steps Authentication if you lose your phone and can't get a new code quickly.

Without this code, and without your phone or access to a text message Google could send you if required, you will irremediably lose access to your account !!!

  • Configure your phone: click on your smartphone's system:


  • You will get this page:


  • Take your phone and install the Google application "Google Authenticator":
With Apple's iPhone:



  • Open Google Authenticator:
NB: 
Sorry, the screenshots will be in French :)

As I already had a Google account configured, you will see one at the bottom of the screen.
As a consequence, you now know that you can have several Google accounts configured using 2 Steps authentication!



  • Select the "plus" sign and then select the option "Read bar code":




  • Use your smartphone camera to scan the bar code; Google Authenticator will detect it and automatically add the associated service to the application!
  • Last step: enter the validation code provided by your phone into your web browser and submit. You're done and 2 steps authentication has been activated


Step 2: Sign out and access your account using 2 steps authentication

How does it work:

Google Authenticator automatically generates a new validation code associated with your account every minute.

When you sign in on any non-trusted computer, you will have to provide:

- Your login name
- Your account password

And now the Google verification code as well. It has to still be valid when you enter it in your browser and submit; if not, you have to try again using the re-generated code.

As explained before, you also have the possibility to mark the computer you are connecting from as a trusted computer.
In other words, if you allow that, no validation code is required for 30 days, and so there is no 2 steps authentication.

Of course, you should do that only with your own personal computers.
  • Sign in to your account as usual (if not done before, sign out before signing in again)
You will get this new window on any non-trusted computer:

If you want to trust this computer, tick the box.

In any case, enter the code provided by Google Authenticator and click "Verify"; if your code is valid then you'll be connected.

You have to do this every time you connect from a non-trusted computer.

Step 3: Configure "Applications codes" for additional access to your account

Any application that was connecting to your account won't work anymore after you activate 2 steps authentication.

For example, your Apple Mail application will be unable to connect to your account until you configure a specific application code to allow it: iPhone, Chrome synchronization...

It will be the case for any application that automatically connects to your Google account and for any Google service associated with your account.

  • Configure a specific application code for any access needed (you'll do it once per application that needs access)
Go back to your account management.

Select "Authorizing applications and sites":

On the new page, Choose a description for your Application and click "Generate Password":


You will get a dedicated password for your application:


Then simply configure your application (in the example, your Gmail account configuration on your iPhone) and use this password instead of your account password, and you're done!

Repeat this operation for any application that needs access to your account.


Conclusion:

You're done: your Google account access is now much more secure than with a standard password-only protection mechanism.

It happens very often that well-known Internet companies are hacked and their password databases stolen. If you have the bad idea to use the same password (or even the same syntax), it is not really difficult to associate it with your Google account and gain access to it...

With strong authentication as Google provides it, things are much more complicated: hacking your account won't be easy anyway!

As a conclusion, with the constant development of cloud services like Google Drive, such a security mechanism becomes necessary and is something you really have to consider if you are interested in protecting your data.














Monday, July 2, 2012

Ajaxterm - Howto: SSH access to your host through an SSL secured Web page



Author's official page:

The Goal:

Ajaxterm will provide you with a way to access your server with SSH through a web page secured with SSL (recommended).

In a few words, you will be able to access your SSH session without the need for an SSH client, as if it were any simple web page :)

What you need:

- An SSH running server
- Opened and / or redirected ports to allow connection from outside to your Web SSH page
- Apache Web server and Openssl
- Optionally a third party server you may use as an SSH gateway to access to your final SSH server (improves security by avoiding direct connection to your real system, see my previous post: http://youresuchageek.blogspot.fr/2012/06/apache-2-reverse-proxy-howoto-protect.html)

Step 1: Install Ajaxterm


Nothing simpler, on a Debian-based system:
sudo apt-get install ajaxterm


Step 2: Base configuration

Configuration is really easy; you will find 2 configuration files.

"/etc/default/ajaxterm":

  • Change the web server listening port if needed; by default it listens on 8022:
# Allow to change the default port used by Ajaxterm                                                                                         
#PORT="8022"                                              


  • Change the SSH server port if needed: if your SSH server isn't listening on the standard port, you have to change it:
# Allow to use a different port than 22 to connect to the ssh server                                                                        
#SERVERPORT="22"                    



"/etc/ajaxterm.conf":

Adapt your Width and Height preferences:


// Sets the terminal width (default: 80)                                                                                                    
width=140;                                                                                                                                  
                                                                                                                                            
// Sets the terminal height (default: 25)                                                                                                   
height=50;   


After installation, Ajaxterm will immediately be available on your localhost: http://localhost:8022


Step 3: Apache configuration


You may or may not have a third party server running Apache and acting as a reverse proxy.

In both cases (third party or not), configure an Apache instance secured by SSL:

If Apache is not yet installed and configured, do it now. In the example we will use 443, the standard SSL port, but you can change it to whatever you want:

Install Apache 2 on Debian and derived systems:
sudo apt-get install apache2 openssl
Activate required Apache modules:
sudo a2enmod proxy proxy_http proxy_connect ssl
Deactivate the default http and https sites (we don't need them and don't want them):
sudo a2dissite default
Configure Apache to listen to required ports:
edit "/etc/apache2/ports.conf" as follows:


NameVirtualHost *:443
Listen 443



Create your self-signed certificate to encrypt and secure web traffic with SSL (answer whatever you want when asked by openssl):

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -out /etc/apache2/server.crt -keyout /etc/apache2/server.key

Configure an "htpasswd" file for simple authentication (recommended at the least)

Generate an .htpasswd file to protect your site with authentication (adapt your username):
NB:

  • The "-c" option will create a new file
  • The "-m" option will use MD5 to secure the password; by default htpasswd uses DES, which only considers the first 8 characters 
sudo htpasswd -c -m /etc/apache2/.htpasswd username



Create your ajaxterm reverse proxy site:
create a new file "/etc/apache2/sites-available/ajaxterm":


NB: 

  • If you are using a third party server, adapt HOSTNAME to match the host name or IP of the host running SSH
  • If not, change HOSTNAME to localhost
<VirtualHost *:443>                                                                                                                         
  ServerName XXXXXXXXXXXXXX                                                                                                              
  ProxyRequests Off                                                                                                                         
  ProxyVia Off                                                                                                                              
    <Proxy *>                                                                                                                               
     Order deny,allow                                                                                                                       
     Allow from all                                                                                                                         
    </Proxy>                                                                                                                                
  ProxyPass / http://HOSTNAME:8022/                                                                                                        
  ProxyPassReverse / http://HOSTNAME:8022/                                                                                                  
  <Location />                                                                                                                              
    Order allow,deny                                                                                                                        
    Allow from all                                                                                                                          
    AuthName "Access Restricted"                                                                                                            
    AuthType Basic                                                                                                                          
    AuthUserFile "/etc/apache2/.htpasswd"                                                                                                   
    Require valid-user                                                                                                                      
  </Location>                                                                                                                               
  LogLevel info                                                                                                                             
  CustomLog /var/log/apache2/access_ajaxterm.log combined                                                                                   
  ErrorLog /var/log/apache2/error_ajaxterm.log                                                                                              
  SSLEngine on                                                                                                                              
  SSLCertificateFile /etc/apache2/server.crt                                                                                                
  SSLCertificateKeyFile /etc/apache2/server.key                                                                                             
</VirtualHost>                                        




Enable the site:
sudo a2ensite ajaxterm

Restart Apache:
sudo service apache2 restart (or "sudo apachectl restart" if you prefer)

Test your ajaxterm by accessing https://<reverse_proxy_ip>


You're done and should now have SSH access to your host through an SSL-secured web page :)
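
A quick check of the reverse proxy site above, as an added example (not part of the original post or of Ajaxterm): it parses a vhost and reports missing TLS, missing authentication on the proxied path, forward proxying, and a plain-HTTP hop to a non-local HOSTNAME, which is what the third party server layout produces between Apache and Ajaxterm. The finding names, the audit_vhost function and the 192.0.2.10 backend address are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: this page's vhost reduced to the directives that matter,
# with HOSTNAME set to a remote backend (192.0.2.10 is a documentation address).
SAMPLE_VHOST = """\
<VirtualHost *:443>
  ProxyRequests Off
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  ProxyPass / http://192.0.2.10:8022/
  ProxyPassReverse / http://192.0.2.10:8022/
  <Location />
    AuthType Basic
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
  </Location>
  SSLEngine on
</VirtualHost>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse(conf):
    """Return [(enclosing_sections, directive, args)] with lower-cased names."""
    stack, out = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").split()[0].lower())
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name.lower(), args.strip().strip('"')))
    return out


def audit_vhost(conf):
    """Return finding names for an Ajaxterm reverse-proxy vhost (assumed rule set)."""
    rows = parse(conf)
    findings = []

    def present(name, value, inside=None):
        return any(n == name and a.lower() == value
                   and (inside is None or inside in s) for s, n, a in rows)

    if not present("sslengine", "on"):
        findings.append("no-tls")              # Basic auth and keystrokes in clear
    if present("proxyrequests", "on"):
        findings.append("open-forward-proxy")  # Apache would relay arbitrary URLs
    if not present("require", "valid-user", inside="location"):
        findings.append("no-auth-on-proxied-path")
    for _, name, args in rows:
        if name == "proxypass" and len(args.split()) >= 2:
            url = urlsplit(args.split()[1])
            if url.scheme == "http" and url.hostname not in LOOPBACK:
                findings.append("plaintext-backend:" + str(url.hostname))
    return findings


if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST):
        print(finding)
```

With a remote HOSTNAME, the terminal session travels unencrypted between the proxy and port 8022 on the SSH host, so that hop belongs on a trusted network or inside a tunnel.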