SSH Mastery Round-Up

I went to bed last night, satisfied that I had gotten SSH Mastery uploaded to the various ebook sites. I figured that I’d contact some people about doing reviews this weekend, maybe generate one or two sales. Awoke to discover ten copies sold while I slept. And I received a whole bunch of messages via Twitter, Facebook, and email. Rather than try to answer them all individually, I decided to answer here.

If you’ve bought the book: thank you! Please consider leaving a review on your ebook site and/or Amazon, it would seriously help me out.

SSH Mastery is currently available via Smashwords and Kindle, and Nook. The Nook version seems to be missing it’s cover, I’ll take that up with B&N once I post this.

Want it in your preferred format? Permit me to direct you to Smashwords. Buy the book once, get it in any or all of ten different formats, from epub to PDF to old formats like PalmDoc and LRF. It doesn’t sync to your device, but you can read it anywhere, and it’s stored “In The Cloud (ooooh!)”. There is no DRM, on any version where I control DRM. SSH Mastery is only $9.99. If someone goes to the trouble to illicitly download a tightly-focused, task-specific tech book that’s less expensive than lunch, well, they suck. Please tell them that.

Once Smashwords finishes digesting the book, they will feed it to iBooks, Kobo, and all the other online retailers. I have no insight into how long this will take. If you sight SSH Mastery on iBooks or Kobo, please let me know! Actually, I’m shocked that Smashwords was able to process the highly-formatted original document. Their Meatgrinder only takes Microsoft Word files, and my file was full of headers and in-document hyperlinks and text styles and images. It’s obviously much improved over the early days. Following their instructions works. Amazing, that.

There will be a print version. The print layout person works from the same files I feed to the ebookstores. The print will take time. She will lay out a chapter for me, so that I can approve a rough design. She will then lay out the entire book. That will give us a page count and let me do the index. We’ll proof that a few times, to catch any errors, and then kick it out to the printer. But I didn’t want to delay the ebook until the print was ready.

The page count is critical. Page count dictates the price. I’m 90% confident of the price, but I can’t announce it until I know. Once I have the price, we can start taking pre-orders. Now, I don’t have the infrastructure to take pre-orders. Any number of third-party companies would hold your money in escrow until I delivered the books to them. That would take a whole bunch of legal agreements, and frankly, I’m too dang lazy to be bothered.

Especially when the OpenSSH/OpenBSD folks already have that infrastructure, and they have an existing trust relationship with the community. I plan to let them have the books at my cost plus expenses (shipping and CreateSpace fulfillment costs, not sunk costs), to funnel some money into OpenSSH. CreateSpace is doing the printing, so I don’t think I can offer an exclusivity window — once I order a crate of books, Amazon will list and ship to their direct customers. But I will ship those books at the earliest opportunity.

I’m also looking for a solution to let me sell print/ebook combinations. That’s how I like my books, after all. I can work out a cost-effective solution that doesn’t involve me hand-mailing books, I’ll do it.

But you want the book now. You really do. Mind you, I know all of my readers are good people. You don’t use passwords with SSH. You tightly secured all of your SSH servers. You know when and how to forward ports, and X11, and when to use a SSH VPN. But you know people who need this book. You know people who think that SSH-ing in as root with a password is a good idea. Make them buy the book. For their own good.

SSH Mastery available at Smashwords

To my surprise, SSH Mastery is available at Smashwords.

I don’t know if this version will make it through to Kobo and iBooks, but you can buy it now. If I have to update it to get the book through the Smashwords Meatgrinder and into third-party stores, you’d get access to those later versions as well.

SSH Mastery ebook uploaded to Amazon and B&N

I just finished uploading the ebook versions of SSH Mastery to Amazon and Barnes & Noble. The manuscript is en route to the print layout person.

Amazon should have the book available in 24 hours or so, Barnes & Noble in 24-72 hours. Once they’re available, I’ll be able to inspect the ebooks to check for really egregious errors. The files were clean when I uploaded them, but both companies perform their own manipulation on what I feed them. There’s no way to be sure the books come out okay until I can see the final product.

What about, say, iBooks? Kobo? The short answer is: they’re coming. The long answer is: those sites are fed via Smashwords. Smashwords only accepts Microsoft Word files, and they have very strict controls on how books can be formatted. Their ebook processor, Meatgrinder, isn’t exactly friendly to highly-formatted books. I must spend some quality quantity time getting the book into Smashwords.

I’ll post again when the books are available on each site. In the meantime, I’m going to go put my feet up.

Consistency in Writing

For the last couple of weeks, the SSH Mastery copyeditor has said “There’s something wrong with Chapter 13, but I can’t figure out what it is.” I told her that I had confidence in her ability to figure it out and to just do her best. (I wasn’t actually confident, but telling her that would have guaranteed that she would not have found it.) The copyedits came back this weekend, along with the following table. Continue reading “Consistency in Writing”

New fiction collection: “Vicious Redemption”

My first collection of short fiction, Vicious Redemption: Five Horror Stories, has started to appear in online bookstores. So far it’s available at Amazon, Barnes & Noble, and Smashwords.

Today it’s ebook only. I have a few marketing things to finalize before it goes to print.

Within a couple weeks, it should appear in other online bookstores. Ebook distribution is faster than physical distribution, but still slower than you’d think. I expect it to be in Kobo & Apple by the end of the month.

Would you enjoy these stories? The first story from the collection, Wednesday’s Seagulls, is posted on my personal web site. Go read it and find out.

I’m giving out review copies to my regular readers. If you normally read this sort of thing, and if you’re willing to read it and post a review on Amazon (as well as anywhere else you’d like), drop me an email.

enable DNSSec resolution on BIND 9.8.1

With BIND 9.8, enabling DNSSec resolution and verification is now so simple and low-impact there’s absolutely no reason to not do it. Ignore the complicated tutorials filling the Internet. DNSSec is very easy on recursive servers.

DNS is the weak link in Internet security. Someone who can forge DNS entries in your server can use that to leverage his way further into your systems. DNSSec (mostly) solves this problem. Deploying DNSSec on your own domains is still fairly complicated, but telling a BIND DNS server to check for the presence of DNSSec is now simple.

In BIND 9.8.1 and newer (included with FreeBSD 9 and available for dang near everything else), add the following entries to your named.conf file.

options {
...
dnssec-enable yes;
dnssec-validation auto;
...
};

This configuration uses the predefined trust anchor for the root zone, which is what most of us should use.

Restart named. You’re done. If a domain is protected with DNSSec, your DNS server will reject forged entries.

To test everything at once, configure your desktop to use your newly DNSSec-aware resolver and browse to http://test.dnssec-or-not.org/. This gives you a simple yes or no answer. Verified DNSSec is indicated in dig(1) output by the presence of the ad (authenticated data) flag.

For the new year, add two lines to your named.conf today. Get all the DNSSec protection you can. Later, I’ll discuss adding DNSSec to authoritative domains.

SSH Mastery Cover Photo

Last summer, preparing for the OpenSSH book, I attended a course on being your own publisher. If you’re interested in publishing, I highly recommend the Think like a Publisher course. The hotel was decorated with a variety of nautical clutter.

This critter hung directly over the breakfast table.

A Real Blowfish
The Hand of Karma

This was obviously the Hand of Fate. I borrowed a couple of really good cameras from fellow workshop attendees and snapped a bunch of photos. I’m a lousy photographer, but with good equipment and enough tries, eventually one came out.

The cover artist has assured me he can strip out the background and arrange this real-life Puffy suitably.

Dec 2011 Updates

The OpenSSH book is in copyedit. I hope to get the copyedits back this year. I’ve seen the first round of copyedits, and they don’t look too bad. Once I make the corrections, the book goes to the print-on-demand layout person and I start on the ebook conversion. The ebook should be out next month.

The best title I’ve had suggested was “SSH: You’re Doing It Wrong.” I love that title, but it’s not really appropriate. Instead, it’ll be “SSH Mastery: OpenSSH, PuTTY, Tunnels, and Keys.” That’s what the book is about, after all.

Progressing on Absolute OpenBSD 2 slowly, thanks to the holidays.

sudo auth via ssh-agent

One of the nicest things about writing a book is that your tech reviewers tell you completely new but cool stuff about your topic. While I was writing the OpenSSH book, one of the more advanced reviewers mentioned that you could use your SSH agent as an authentication source for sudo via pam_ssh_agent_auth.

I have dozens of servers. They all have a central password provider (LDAP). They’re all secured, but I can’t guarantee that a script kiddie cannot crack them. This means I can’t truly trust my trusted servers. I really want to reduce how often I send my password onto a server. But I also need to require additional authentication for superuser activities, so using NOPASSWD in sudoers isn’t a real solution. By passing the sudo authentication back to my SSH agent, I reduce the number of times I must give my password to my hopefully-but-not-100%-certain-secure servers. I can also disable password access to sudo, so that even if someone steals my password, they can’t use it. (Yes, someone could possibly hijack my SSH agent socket, but that requires a level of skill beyond most script kiddies and raises the skill required for APT.)

My sample platform is FreeBSD-9/i386, but this should work on any OS that supports PAM. OpenBSD doesn’t, but other BSDs and most Linuxes do.

pam_ssh_agent_auth is in security/pam_ssh_agent_auth in ports and pkgsrc. There are no build-time configuration knobs and no dependencies, so I used the package.

While that installs, look at your sudoers file. sudo defaults to purging your environment variables, but if you’re going to use your SSH agent with sudo, you must retain $SSH_AUTH_SOCK. I find it’s useful to retain a few other SSH environment variables, for sftp if nothing else.

Newer versions of sudo cache the fact that you’ve recently entered your password, and let you run multiple sudo commands in quick succession without entering your password. This behavior is fine in most environments if you’re actually typing your password, but as sudo will now query a piece of software for your authentication credentials, this behavior is unnecessary. (Also, this caching will drive you totally bonkers when you’re trying to verify and debug your configuration.) Disable this with the timestamp_timeout option.

To permit the SSH environment and set the timestamp timeout, add the following line to sudoers:

Defaults env_keep += "SSH_AUTH_SOCK",timestamp_timeout=0

You can add other environment variables, of course, so this won’t conflict with my earlier post on sftp versus sudo.

Now tell sudo to use the new module, via PAM. Find sudo’s PAM configuration: on FreeBSD, it’s /usr/local/etc/pam.d/sudo. Here’s my sudo PAM configuration:

auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth required pam_deny.so
account include system
session required pam_permit.so

By default, sudo uses the system authentication. I removed that. I also removed the password management entry. Instead, I first try to authenticate via pam_ssh_agent_auth.so. If that succeeds, sudo works. If not, the auth attempt fails.

Now try it. Fire up your SSH agent and load your key. SSH to the server with agent forwarding (-A), then ask sudo what you may run.

$ sudo -l
Matching Defaults entries for mwlucas on this host:
env_keep+="SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK",
timestamp_timeout=0

Runas and Command-specific defaults for mwlucas:

User mwlucas may run the following commands on this host:
(ALL) ALL
(ALL) ALL

Now get rid of your SSH agent and try again.

$ unsetenv SSH_AUTH_SOCK
$ sudo -l
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

The interesting thing here is that while you’re asked for a password, you never get a chance to enter one. Sudo immediately rejects you three times. Your average script kiddie will have a screaming seizure of frustration.

The downside to this setup is that you cannot use passwords for sudo on the console. You must become root if you’re sitting in front of the machine. I’m sure there’s a way around this, but I’m insufficiently clever to come up with it.

Using the SSH agent for sudo authentication changes your security profile. All of the arguments against using SSH agents are still valid. But if you’ve made the choice to use an SSH agent, why not use it to the fullest? And as this is built on PAM, any program built with PAM can use the SSH agent for authentication.