Thu, 05 Aug 2010

Windows, ssh keys, forced commands and you

As part of the CIFS provisioning process at work we need to be able to set access control lists on the top-level directory of the shares we are offering to end users. After observing the horror that is Samba and beating it about for a bit, the next solution that presented itself was learning enough scripting to cause a Windows machine to do this for us.

Eventually, enough Powershell knowledge managed to knock its way into my head (the best description I have for Powershell is to paraphrase what my friend Nick said about Google Mail the first time he used it, "It's like eating normally all of your life and now suddenly you have to eat by shoving a basketball up your ass") that I could make it do what I wanted to do on that side. Now, I'd give a large batch of cookies if a remctld for Windows existed, but, as it does not, the next best thing is to fire off the command via ssh.

The end goal here is to have an ssh-key that allows the Perl Net::SSH2 module (which I'm calling from the rest of the provisioning setup) to fire off an ssh command to this Windows machine and have the script do its thing. Even better would be to restrict the command that this key is allowed to run to a "dispatch" script, that would vet what you've asked it to do before running it — this way, the key can't actually log into the machine and run whatever, it's minimizing what it can do to what we need it to do.

The forced command part would be easy, I thought (I was wrong, see the second half of this post). The first thing to write is a dispatch command. This is a trivial bit of scripting, that takes the command you've given it, does some sanity checking, and then fires off the command, returning the output. Simple, right?

The problem comes when you ssh in using an ssh-key. This authenticates you to the Windows server, but doesn't actually get you any credentials. This causes a problem, because all the shares we need to do things on are on remote filers, and Windows doesn't think you have any credentials to do anything on them.

In a unix world, this is a solved problem for me: generate a keytab, store it locally, the dispatch script creates an environment that isolates what credentials it has, fetches them from the keytab, and you get on with life. But this is either an impossible or undocumented option on Windows. The first clue came from a post here, discussing how to create a System.Diagnostics.ProcessStartInfo object, populate the various fields of it, and use it to start a process. One of the things you can specify is a username and password, which the child process will use to get credentials.

That's fine, but the password supplied has to be supplied as a "secure string" object. There are functions for reading something in as a secure string, persisting it, and then reading it back in. Good, right? The problem comes in the persisting part — the string you write out to a file is encrypted, and by default, Windows seems to encrypt it based on ... the credentials you have when you're logged in. So, not only can you not create the secure string and store it unless you are logged in with a password — that's fine, I only have to do that once, right? — but also, even after you've stored the file, when you try to read it in with no credentials in place you can't, because Windows doesn't have anything to decrypt the string with.

All of the common examples for using secure strings in Powershell suffer from this problem, but this post, down on the comment from "16 Jan 2008 10:39 PM", presents the option to supply the key you want to use to encrypt and decrypt the secure string. So, you use that key, store it in a file, persist the encrypted secure string, and when you need the secure string back, you read in the key and use it to decrypt the stored secure string. In many ways, this feels like a keytab again — the only difference is that with the encryption key and the stored secure string, you can recover the original password, where with the keytab you can't (although having the keytab is functionally equivalent to having the original password).

The end script I created can be found here.
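One way to put the pieces above together, as an added Powershell example rather than the script the post links to: the key-encrypted secure string is created once interactively, read back under a credential-less ssh-key login, and handed to ProcessStartInfo by a dispatch function that only runs allow-listed scripts. The file paths, the EXAMPLE\svc_prov account and the two allow-listed script names are assumptions.

```powershell
# Added example, not the script the post links to. Assumed names: key file
# C:\prov\cred.key, encrypted password C:\prov\cred.txt, service account
# EXAMPLE\svc_prov, and the two allow-listed scripts in $Allowed.

# One-time interactive setup. The key is random, not derived from the logon
# session, so decryption works later under a credential-less ssh-key login.
function New-StoredCredential {
    param([string]$KeyPath, [string]$SecretPath)
    $key = New-Object byte[] 32                                    # AES-256
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    $secure = Read-Host -Prompt 'Service account password' -AsSecureString
    ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $SecretPath
}

# Key plus ciphertext recovers the plaintext password (unlike a keytab), so
# both files need ACLs limiting them to the account the ssh session runs as.
function Get-StoredCredential {
    param([string]$KeyPath, [string]$SecretPath)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    Get-Content -Path $SecretPath | ConvertTo-SecureString -Key $key
}

# Dispatch: vet the request against an allow-list, then run the matching
# script as the service account through ProcessStartInfo's UserName/Password.
$Allowed = @{ 'set-acl' = 'C:\prov\Set-ShareAcl.ps1'; 'get-acl' = 'C:\prov\Get-ShareAcl.ps1' }

function Invoke-Dispatch {
    param([string]$Verb, [string[]]$Arguments)
    if (-not $Allowed.ContainsKey($Verb)) { throw "dispatch: '$Verb' is not permitted" }
    foreach ($a in $Arguments) {                     # reject shell metacharacters
        if ($a -notmatch '^[A-Za-z0-9_.\\:$-]+$') { throw "dispatch: bad argument '$a'" }
    }
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = 'powershell.exe'
    $psi.Arguments = "-NoProfile -NonInteractive -File $($Allowed[$Verb]) $($Arguments -join ' ')"
    $psi.Domain = 'EXAMPLE'
    $psi.UserName = 'svc_prov'
    $psi.Password = Get-StoredCredential 'C:\prov\cred.key' 'C:\prov\cred.txt'
    $psi.UseShellExecute = $false                    # required when supplying credentials
    $psi.RedirectStandardOutput = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    $output = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()
    $output
}

# From the forced command, with the caller's request arriving in $args:
# Invoke-Dispatch -Verb $args[0] -Arguments @($args | Select-Object -Skip 1)
```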

Now to actually set up being able to use an ssh-key. While Tectia (the ssh server we are using on the Windows side) claims to be able to read OpenSSH keys (and use nearly all the options in an OpenSSH key), I couldn't make it work. What I managed to get working is the "old-style" Tectia authorization file.

And there it is. You can now ssh in using an ssh-key, run a command with cached credentials, and have the use of the ssh-key be limited to the dispatch command you've created.

Posted at: 15:49 | category: /computers/win | Link

Sun, 09 May 2010

Quinoa with marinated artichoke hearts and roasted red peppers

Rinse well two cups of quinoa. Put that in a pan and toast it for a bit --- let all the water steam off and then let it go until you get a nice smell coming out of it. Add in one chopped onion, three cloves of garlic and four cups of vegetable broth. Bring to a boil and then simmer.

While that's going on, drain the liquid from two jars of roasted red peppers and two jars of marinated artichoke hearts, reserving the liquid. Chop both of them up roughly. Add the reserved liquid to the quinoa.

When the liquid is all absorbed, add in the chopped peppers and artichokes, stir to combine.

Posted at: 22:22 | category: /food/2010 | Link

Fri, 19 Feb 2010

2010 Coffeeshop of Record Report

Ever since May of 2005 I've had the habit of designating a local coffeeshop as my "Coffeeshop of Record" — it's the place I always hang out at, and my favorite local caffeine establishment. Or, as I sometimes put it, "my drug dealers". Because I'm also that kind of person, I keep statistics of how much I spend there.

Shortly after moving to Ypsilanti I designated the Ugly Mug Cafe as my CsoR. This previous year's statistics (16 February 2009 - 15 February 2010) are:

It adds up, doesn't it? (This is the reason I keep track of it.) But, the way I figure it, hanging out at the Ugly Mug is my primary form of entertainment, and $7 a week is relatively cheap as those things go.

Notes for those who care: supplies I purchase at the CsoR do not count, e.g. beans I purchase at the Mug for use at home or at work are not counted.

Posted at: 17:37 | category: /random | Link

Sat, 23 Jan 2010

Happiness is Organized Zines

For several years my zine collection has lived in a couple of cardboard document boxes. Initially it was just piled in; a while back I took some effort to sort everything alphabetically by title, stacked haphazardly in a couple of the boxes set on end.

This was unwieldy, and also made it hard for me to easily sort new stuff in. I finally got aggravated enough by this process to buy a few plastic file bins and a box of two inch expanding file jackets, and today I got enough gumption to sort things out.

Each file jacket holds some number of titles. Some zines, where I have several issues, have their own file jacket. Others are grouped together. The tab at the top of the jacket is an ideal place to pencil in what zines are in that jacket.

Those all neatly fit into the file boxes, which stack nicely on my bookshelves.

Now we'll see how long they stay this neat...

Posted at: 20:14 | category: /zines | Link

Tue, 15 Dec 2009

Lentil Escarole Soup

Continuing on the theme of Glorious Kale, I was in a cooking frenzy last night and made a variation on this Lentil Escarole Soup from The Postpunk Kitchen. It's the first time I've cooked with escarole, and I'm pretty happy with it. Like all green leafy vegetables, you'll want to wash it completely — there's a lot of dirt and grit in a head of escarole.

Sweat the onion, garlic and carrots in olive oil until tender. Add the lentils and tomatoes, a little salt and pepper and 9 cups of water. Note: remember in the Glorious Kale recipe when I said to keep the liquid at the bottom of the steamer from making that dish? This is why: I used that for about 1-1/2 cups of the water I added. Bring to a boil, then simmer for 45 minutes. Add the escarole and nutritional yeast, cook for an additional five minutes or so.

Freezes well, tasty with croutons.

Posted at: 12:03 | category: /food | Link

Glorious Kale

The past couple of weeks I haven't been eating well — a combination of being really busy, getting sick and work being a pain left me eating rather unhealthy. After I do this a while I can really tell it, and I get a strong urge to build up my vitamins, so to speak.

Tonight I felt this way, and when I need to stock up on nutrients, especially in the winter, I think of kale. I started with this recipe, for "Kale with Root Vegetables", but with a few additions it became what I call Glorious Kale.

Get yourself a large pot, put an inch or so of water in it and put in the steamer basket. While that's starting, prepare 2 lbs of kale — I just bought a bag of it that size, already chopped up. Peel and chop one parsnip and two turnips into bite sized pieces. Chop up six smallish red potatoes. Throw all of that into the steamer basket, drizzle a bit of kosher salt over it, and cover.

In another pan, sweat a diced yellow onion and 3 minced cloves of garlic in a little bit of oil with a pinch of salt. When all of that is good and soft, the root vegetables in the steamer should be soft but not mushy and the kale completely done. Kick up the heat on the onions and garlic, drop in all the kale and veggies, and saute a bit. Drizzle over just a little bit of sesame oil, balsamic vinegar and some Braggs liquid aminos. Grind on some pepper. If I had some toasted sesame seeds, I'd throw them in now.

Makes about 4 nice sized servings. And, if you have any love at all for all things good and pure, you'll save the liquid in the bottom of the steamer pot and put it in your next soup.

Posted at: 00:43 | category: /food | Link

Mon, 07 Dec 2009

Vulgar Bulgar Vegetarian Chili

Winner of the 2009 ITS Chili Cookoff "Luke Skywalker Award". This is less a recipe and more a general guideline for what to dump together to get this chili, because that's exactly what I did.

Take 3 cups of bulgar wheat and soak it in cold water --- it doesn't take long. Drain any remaining water off and put the bulgar in a 6 quart crock pot. Make or buy 1-1/2 cups of sofrito and dump that in. Take a small can of chipotle chilies in adobo sauce, dump the adobo sauce in, mince up the chilies and dump those in. Add a 28 ounce can of tomato puree and two 14.5 ounce cans of diced peeled tomatoes. Dump in 2 14.5 ounce cans of navy beans and 2 of kidney beans. Add a 4 ounce can of roasted and diced green chilies. Dump in 1 cup of nutritional yeast, and toast and grind up 2 tablespoons of cumin and throw in. Mix everything together and salt to taste. Cook overnight in a crock pot on low, adding water if necessary.

It's not overly spicy --- I'm a fan of flavor over fire, but it has a nice residual heat.

Posted at: 17:39 | category: /food | Link

Thu, 29 Oct 2009

In the criminal justice system, there are two separate but equally important groups...

...my bicycle, and the dude who stole my bicycle.

As I discussed back here, my bike got stolen back in August, and the guy was caught up the hill from my apartment by the Ypsilanti Police. A bit over a month ago I got a letter in the mail from the District Attorney's office, telling me that there was a final settlement conference in the case, and that I had to appear in court for it.

I'll write more about that later --- in short, court is a lot like what you see on TV, just much more boring. There really is a guy who tells you to stand when the judge comes in, and people do in fact say "your honor". But it's less drama and more like recitation of the justice incantation or something.

Anywho, the guy who stole my bike was charged with larceny. He was going to request a jury trial for that. The same guy was also there for a domestic assault case. There was a slightly harried middle-aged woman I talked to, who said the guy would plead guilty to a lesser charge, and was I okay with that. Since I have my bike and don't really care about the minor damage done to my bike rack, I really didn't care. He did that, there was the whole incantation of "you're saying you are guilty, here's what this means, do you understand each of these bits", and it was over. Then it moved into the guy asking for a jury trial in the domestic assault case, and then they moved on to the next guy.

When I left the courtroom the lady asked if I understood what had happened, and she explained a few things. She said I could appear at the sentencing part of the case, but I told her I wasn't really interested, and that the guy seemed like he had bigger issues than how long he's going to be in jail for yanking my bike. She sighed and nodded yes as I left the building.

Posted at: 17:28 | category: /bicycle/2009/10 | Link

Sat, 19 Sep 2009

Puffer Red's Facade

This evening I was meandering about Ypsilanti, and walking through downtown I noticed that the facade above Puffer Reds has been removed — looks like it's going to be repaired or something like that. I snapped a few photos of what's below, since I'd never seen it before and have no idea how long it's been since this has been exposed.

Under the facade, an old Hallmark Cards sign

My favorite photo is this one. Looks like the west half of Reds at least used to be an old Hallmark Cards store. I absolutely love the stained glass window sign. I wish more places had stuff like this. See the rest of the photos I snapped here.

Posted at: 20:45 | category: /ypsi/2009 | Link

Fri, 28 Aug 2009

On the Unknotting of Shoes, pt 1

Problem Statement: on the pair of shoes I conventionally wear for day-to-day activities, my right shoe has a tendency to become unknotted frequently, while the left shoe has not, in my memory, ever become unknotted. Both shoes are tied with the same knot.

Hypothesis: the lace on my right shoe is responsible for this unknotting.

Experiment: swap the laces between my right and left shoes.

Posted at: 21:24 | category: /science! | Link