1. Don't edit /etc/sudoers
when it already has this line:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Just add the user to the sudo group instead:
sudo usermod -a -G sudo peter
-a means append: the group is added to the user's existing supplementary groups. Without -a, -G replaces the whole supplementary group list, and the user silently drops out of every other group.
-G takes the supplementary group list, and the uppercase is required: lowercase -g sets the user's primary login group, which is a different thing and not what you want here.
The new membership only applies to sessions started after the change; an existing shell has to log out and back in (or run newgrp sudo) before sudo will work. If the file itself does have to change, use visudo, which checks the syntax before saving so a typo cannot lock everyone out of sudo.
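The procedure above, with the checks a practitioner wants around it, as an added example that is not part of the original post. The group name sudo and the sudoers rule are the post's; the function names are this example's own, and the demonstration only reads the live system unless usermod is called explicitly as root.

```sh
#!/bin/sh
# Added example, not from the original post: grant sudo by group membership
# and verify each step rather than editing /etc/sudoers.

# True if USER is a member of GROUP (primary or supplementary), read from the
# live account database, so it reflects the state right after usermod even
# though the user's current shell does not.
# Usage: in_group USER GROUP
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# True if SUDOERS_FILE (default /etc/sudoers; drop-ins under /etc/sudoers.d
# are not read) carries a rule delegating to %GROUP. Worth checking before
# relying on group membership: without the rule, membership grants nothing.
# Usage: sudoers_allows_group GROUP [SUDOERS_FILE]
sudoers_allows_group() {
    grep -qsE "^[[:space:]]*%$1[[:space:]]+ALL=" "${2:-/etc/sudoers}"
}

# Append GROUP to USER's supplementary groups; idempotent, and -a keeps the
# existing memberships (plain -G would replace them). Needs root.
# Usage: add_to_group USER GROUP
add_to_group() {
    in_group "$1" "$2" && return 0
    usermod -a -G "$2" "$1"
}

# Demonstration against the live system, read-only:
user=${1:-$(id -un)}
if sudoers_allows_group sudo; then
    echo "/etc/sudoers delegates to %sudo"
else
    echo "no %sudo rule readable in /etc/sudoers; group membership alone will not grant sudo"
fi
if in_group "$user" sudo; then
    echo "$user is already in group sudo"
else
    echo "$user is not in group sudo; as root run: usermod -a -G sudo $user"
fi
```

To apply the change for a new user, run `add_to_group peter sudo` as root, then have peter log in again and confirm with `sudo -l`.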
Monday, January 27, 2014
leading zero, base 8
value too great for base (error token is "08")
When turning strings into numbers, e.g. the seconds from date +%S, the values "08" and "09" make bash arithmetic fail with the error above, because a number with a leading zero is read as octal (base 8), and 8 and 9 are not octal digits.
For example 60 - 08 errors as above. 00 to 07 are also read as octal, but of course do not error and have the same value as decimal, and 10 is read as decimal 10. Only numbers with a leading zero are octal. This string-to-number trap has caught some excellent shell script authors I know, usually when doing maths on the output of date. Every zero-padded field has it: %S and %M hit 08 and 09 every minute and every hour, %d on the 8th and 9th of the month, and %m in August and September, which is when such scripts are usually found to have gone wrong.
Tell bash the value is decimal with the 10# prefix: 60 - 10#08
e.g. wait until the next minute tick with:
sSec=$(date +%S); sWait=$(( 60 - 10#$sSec )); echo ${sSec} ${sWait}; sleep ${sWait}; date
sSec will be 08
sWait becomes 60-10#08, a 52 second sleep.
The prefix goes in front of the expansion, as in 10#$sSec above. It is a bash (and ksh/zsh) feature, not POSIX sh, so a script run under dash needs another approach; with GNU date the padding can also be dropped at source with %-S, which prints 8 rather than 08.
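The trap and the fix, carried through so they can be checked against fixed input rather than the live clock, as an added example that is not part of the original post. The variable names sSec and sWait are the post's; the functions are this example's own and assume bash.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the octal trap on zero-padded
# date fields, the 10# fix, and the "sleep to the next minute" idea made
# testable by taking the seconds field as an argument.

# Succeeds if STRING is accepted by bare bash arithmetic; "08" and "09" fail.
# Runs in a subshell so the arithmetic error cannot abort the caller.
# Usage: arith_accepts STRING
arith_accepts() {
    ( : $(( $1 + 0 )) ) 2>/dev/null
}

# Coerce a possibly zero-padded field to a decimal integer. The 10# prefix
# tells bash the digits are base 10 regardless of leading zeros.
# Usage: dec STRING        dec 08 -> 8
dec() {
    echo $(( 10#$1 ))
}

# Seconds to sleep so the next command lands on the minute boundary.
# The seconds field is an argument (defaulting to the live clock) so the
# arithmetic can be tested; "00" yields a full 60-second wait.
# Usage: secs_to_next_minute [SS]
secs_to_next_minute() {
    local sec=${1:-$(date +%S)}
    echo $(( 60 - 10#$sec ))
}

# The same fix for every padded field at once: a comparable seconds-of-day
# value from "HH MM SS", safe at 08:09:07 and any other octal-looking time.
# Usage: hms_to_seconds HH MM SS        hms_to_seconds 08 09 07 -> 29347
hms_to_seconds() {
    echo $(( 10#$1 * 3600 + 10#$2 * 60 + 10#$3 ))
}

# Demonstration: which seconds values bare arithmetic rejects, and what the
# post's one-liner would compute right now (without actually sleeping).
for s in 07 08 09 10; do
    if arith_accepts "$s"; then
        echo "$s: accepted, value $(dec "$s")"
    else
        echo "$s: rejected by bare arithmetic; 10#$s = $(dec "$s")"
    fi
done
sSec=$(date +%S)
sWait=$(secs_to_next_minute "$sSec")
echo "now at :$sSec, would sleep $sWait seconds to the next minute"
```

To use it as the post does, follow the last line with `sleep "$sWait"; date`.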
Thursday, January 16, 2014
Reverse tunnel ssh
This example creates an inward path into a network which, at the network
level, allows only outbound connections. Four hosts are involved: an
appliance, an admin console (alanis), a general purpose machine outside the
network (smallfry) and a workstation. Alanis opens an outbound ssh session to
smallfry and asks smallfry's sshd to listen on port 2022; anything arriving
at smallfry:2022 is carried back over that session and delivered to port 22
on alanis (or on the appliance, below).
ssh -R 0:2022:localhost:22 peter@smallfry.dyndns.org
-R remote (reverse) forward: the listener is opened on the far end, smallfry.
0 is the bind address on smallfry. The documented way to ask for all
interfaces is an empty field or *; here it makes no difference, because
GatewayPorts yes on smallfry makes sshd bind the wildcard address whatever
the client asks for.
:2022 is the port sshd binds on smallfry.
:localhost is where alanis delivers each forwarded connection, its own
loopback here; it could be any address alanis can reach.
:22 is the port on that destination host.
peter@smallfry.dyndns.org is the account and public name of the second machine.
-f -N (go to background, run no remote command) are also useful parameters:
they set up the tunnel without opening a command session or holding the
terminal.
The diagram shows 192.168.2.7 as an appliance with a listener on 22. To land
on it instead of alanis, name it as the destination:
ssh -R 0:2022:192.168.2.7:22 peter@smallfry.dyndns.org
The workstation then connects to smallfry:2022
or
ssh smallfry -p 2022
and is talking to the sshd of alanis (or the appliance), not smallfry's: the
account, password prompt and host key are the destination's. The client
stores that key under [smallfry]:2022 in known_hosts, so repointing the
tunnel from alanis to the appliance later produces a host key changed
warning, which is the correct behaviour.
Green is the reverse tunnel, the secure network creates an inward path.
Black is tunnelled.
The item *:2022 in netstat -l (below) is the listener bound.
smallfry's sshd binds the port on its network side only if GatewayPorts is
yes in sshd_config; otherwise it binds localhost:2022, and the forward is
reachable only by first logging in to smallfry and connecting to its
loopback. The wildcard bind is the more exposed one: anyone who can reach
smallfry:2022 now has a path into a network that was meant to accept no
inbound connections, so firewall that port on smallfry, or leave
GatewayPorts at no and take the extra hop, unless that exposure is intended.
peter@alanis:~$ ssh -R 0:2022:localhost:22 peter@smallfry.dyndns.org
peter@smallfry.dyndns.org's password:
Linux smallfry 3.6.11+ #538 PREEMPT Fri Aug 30 20:42:08 BST 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 16 01:12:08 2014 from static-77-257-227-57.rcmdpa.myisp.net
peter@smallfry ~ $ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:3128 *:* LISTEN
tcp 0 0 localhost:4700 *:* LISTEN
tcp 0 0 *:afpovertcp *:* LISTEN
tcp 0 0 *:2022 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
udp 0 0 smallfry.home:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:36284 *:*
udp 0 0 *:38369 *:*
udp 0 0 *:mdns *:*
udp 0 0 *:icpv2 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:10855 *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2753
/var/run/dbus/system_bus_socket
unix 2 [ ACC ] SEQPACKET LISTENING 481 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 2791
/var/run/avahi-daemon/socket
peter@smallfry ~ $
peter@smallfry ~ $ grep Gate /etc/ssh/sshd_config
GatewayPorts yes
peter@smallfry ~ $
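The tunnel as it would be run unattended from alanis, plus a check of what smallfry's sshd actually bound, as an added example that is not part of the original post. The host names, user and ports are the post's; the OpenSSH options used are standard ones, and the function names and the sample netstat lines are this example's own (the sample is taken from the post's output with one loopback-only line added to show the GatewayPorts no case).

```bash
#!/usr/bin/env bash
# Added example, not from the original post: open the reverse tunnel so that
# failure is visible, keep it alive, and classify the resulting listener
# from "netstat -l" output on smallfry.

# ExitOnForwardFailure makes ssh exit non-zero instead of quietly logging in
# without the forward when smallfry cannot bind 2022 (a stale tunnel still
# holding it is the usual cause). The keep-alives tear down a dead session
# so the loop below can reopen it.
TUNNEL_OPTS='-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3'

# Open the tunnel once, in the background. DEST_HOST is where the forwarded
# connections are delivered: alanis itself (localhost) or the appliance.
# "*" is the documented spelling for "all interfaces"; with GatewayPorts yes
# on smallfry the bind is wildcard either way.
# Usage: open_tunnel [DEST_HOST]
open_tunnel() {
    ssh -f -N $TUNNEL_OPTS -R "*:2022:${1:-localhost}:22" peter@smallfry.dyndns.org
}

# Keep the tunnel up: reopen whenever ssh exits, pausing so a refused
# connection does not become a tight loop. Run on alanis under a service
# manager or in a screen session.
# Usage: keep_tunnel [DEST_HOST]
keep_tunnel() {
    while :; do
        ssh -N $TUNNEL_OPTS -R "*:2022:${1:-localhost}:22" peter@smallfry.dyndns.org
        sleep 10
    done
}

# Classify the listener for PORT in "netstat -l" output read from stdin:
# "any"   wildcard bind, reachable from the network (GatewayPorts yes)
# "local" loopback-only bind (GatewayPorts no)
# "none"  nothing listening on that port
# Usage: netstat -l | listener_scope 2022
listener_scope() {
    port=$1
    scope=none
    while read -r proto recvq sendq laddr rest; do
        case $proto in tcp|tcp6) ;; *) continue ;; esac
        case $laddr in *:"$port") ;; *) continue ;; esac
        case $laddr in
            \*:*|0.0.0.0:*|:::*|'[::]:'*) scope=any ;;
            localhost:*|127.0.0.1:*|ip6-localhost:*|'[::1]:'*)
                [ "$scope" = any ] || scope=local ;;
        esac
    done
    echo "$scope"
}

# Constructed sample: the tcp lines from the post's netstat -l output, plus
# a loopback-only listener on 2023 as it would look with GatewayPorts no.
SAMPLE_NETSTAT='tcp        0      0 *:3128                  *:*                     LISTEN
tcp        0      0 localhost:4700          *:*                     LISTEN
tcp        0      0 *:2022                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:2023          *:*                     LISTEN'

# Demonstration on the sample, no network needed:
for p in 2022 2023 2024; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope "$p")"
done
```

On smallfry, `netstat -l | listener_scope 2022` printing `any` is the condition under which the port is reachable from the workstation directly; `local` means a second hop through smallfry is needed, and also that nobody else on the network can use the path.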