Here's a quick HOWTO for setting up your own secure pseudo-dynamic DNS (DDNS) server.
It's not a "real" DDNS service, i.e. you won't be able to use standard DNS tools or protocols to talk to the server, but it covers 98% of all functionality I expect from a service such as DynDNS or similar ones: It tells me the IP address of a certain box which doesn't have a static IP address (e.g. my home-server).
On the homeserver:
5,15,25,35,45,55 * * * * user ssh -x user@publicserver ls
On the publicserver:
command="echo $SSH_CLIENT | cut -d \" \" -f 1 > /home/user/homeserverip.txt && chmod 644 /home/user/homeserverip.txt",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAAAAAAA...AAAAAAA user@homeserver
So to summarize: the homeserver's user simply executes the above commands on the remote publicserver, which in turn abuses the $SSH_CLIENT environment variable which contains the public IP the ssh connection was coming from (which is exactly what we're looking for). We store that IP in the homeserverip.txt file, which will always contain the latest-known IP address of the homeserver (because of the cronjob).
You can now retrieve the current IP address of your homeserver easily from anywhere (e.g. from your laptop when you're in another, possibly hostile network) in order to connect to your homeserver:
$ ssh -x otheruser@publicserver cat /home/user/homeserverip.txt
To make this a bit more convenient you can add a shell alias (e.g. into ~/.bashrc):
alias homeserverip='ssh -x otheruser@publicserver cat /home/user/homeserverip.txt'
Or, to conveniently login to your homeserver as johndoe:
alias homeserverlogin='ssh -x johndoe@`ssh -x otheruser@publicserver cat /home/user/homeserverip.txt`'
This may not be the most elegant solution, and it has a number of drawbacks when compared to services such as DynDNS, but it's sufficient for me and it also has some advantages:
Personally I'm currently using this mechanism for two things, more might follow:
So far it works pretty nicely.
Update 2008-06-24: Various fixes and simplifications. SSH key must be password-less. Don't run cronjob once per minute, that's overkill.
Update 2008-07-02: Simplify setup by removing the need for extra scripts. Limit the commands the user can perform via ssh in the authorized_keys file. Make the RSA keys 4096 bits strong.
Remix of the first version of this song, specially crafted to protest against the GEZ/GVL mafia (German RIAA/MPAA) and their methods.
Die 2004 von der GVL angepeilte völlig unverhältnismässige Gebührenerhöhung veranlasste uns, unseren Beitrag zum Protest gegen diese Willkür zu leisten. Herausgekommen ist ein Remake des Tracks "Was Ist Hart".
OK, so I've been hacking on and testing my shiny new One A110 mini-laptop during the last few days and I must say I'm very happy with it. I'll write up some more details later (check the wiki if you're impatient), but today I want to highlight a very nice feature of this laptop (compared to, for instance, the Eee PC): The VIA C7-M ULV CPU in the laptop has VIA Padlock support.
VIA Padlock is a hardware feature in recent VIA CPUs which provides hardware-accelerated AES and SHA-1/SHA-256 support, among other things. This can be used in Linux (with the proper drivers and patches) to improve performance of dm-crypt, OpenSSL (and all programs using it), scp, sha1sum, OpenVPN, etc. etc.
I have written a quite extensive VIA Padlock HOWTO and benchmarks in the A110 wiki (but all of this will work on other systems which have VIA Padlock, too). To summarize, here are the most important benchmarks:
Without VIA Padlock support:
$ hdparm -tT /dev/mapper/hdc2_crypt /dev/mapper/hdc2_crypt: Timing cached reads: 448 MB in 2.00 seconds = 223.47 MB/sec Timing buffered disk reads: 22 MB in 3.07 seconds = 7.17 MB/sec
With VIA Padlock support:
$ hdparm -tT /dev/mapper/hdc2_crypt /dev/mapper/hdc2_crypt: Timing cached reads: 502 MB in 2.00 seconds = 250.41 MB/sec Timing buffered disk reads: 90 MB in 3.07 seconds = 29.36 MB/sec
The native speed of the SSD in the laptop is 31.01 MB/sec, so there is almost no performance penalty when using VIA Padlock.
OpenSSL speed benchmark, first line without Padlock, second line with Padlock enabled:
$ openssl speed -evp aes-256-cbc [-engine padlock] type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 9187.18k 10572.28k 11054.32k 11179.36k 11218.02k aes-256-cbc 47955.92k 150619.73k 325730.73k 458320.11k 520520.79k
Without VIA Padlock support:
$ scp -c aes256-cbc bigfile.dat localhost:/dev/null bigfile.dat 100% 159MB 5.9MB/s 00:27
With VIA Padlock support:
$ scp -c aes256-cbc bigfile.dat localhost:/dev/null bigfile.dat 100% 159MB 14.5MB/s 00:11
A real speed benchmark is pending (not measurable easily on 100MBit LAN, will try on a slower link), but as OpenVPN uses OpenSSL it should have roughly the same speedup iff you tell OpenVPN to use AES (it uses Blowfish per default).
Also, there's a measurable difference in CPU load while tranferring large files over OpenVPN: 8% CPU load with VIA Padlock (vs. 20% CPU load without VIA Padlock).
phe_sum is a small C program which can be used as drop-in replacement for sha1sum (which doesn't support VIA Padlock yet). Quick benchmark:
sha1sum, without VIA Padlock:
$ time sha1sum bigfile.dat real 0m6.511s user 0m5.864s sys 0m0.412s
phe_sum (with VIA Padlock support):
$ time ./phe_sum bigfile.dat real 0m1.149s user 0m0.704s sys 0m0.424s
All in all VIA Padlock gives you a pretty impressive speedup for many crypto-using applications on Linux, which is especially useful on the A110 mini-laptop (think OpenVPN or scp for mobile usage, and dm-crypt for an encrypted SSD, of course).
Great pience from Jan Morgenstern's soundtrack/score for the fantastic Big Buck Bunny animated movie (which is freely downloadable and CC licensed).
Just in case you haven't yet watched it: Big Buck Bunny.
Great animated video created mainly using Blender, released under the Creative Commons Attribution 3.0 license.
The soundtrack/score is now also available under a CC license (as is lots of other "raw" material for the movie).