Cisco radius auth for users and enable

All authentication on my network (with carefully selected exceptions) should be centralized. This includes router administrative logins via telnet or SSH. My authentication information is in an OpenLDAP 2.4 server. Attaching Cisco gear to an OpenLDAP database is hard. But my FreeRADIUS server uses LDAP as its back end, and attaching Cisco gear to RADIUS is pretty easy.

To have RADIUS serve your enable password, you’ll need an LDAP user called $enab15$. Take careful note of how that is spelled: dollar sign, ENAB, the number 15, and another dollar sign. There is no L, and no second E. Add this user to any LDAP groups needed for RADIUS access. This user’s password is your enable secret.

Create a loopback address for the router.

interface Loopback0
description management
ip address 192.0.2.13 255.255.255.255

Use this address for all router management functions. If you use the IP address of a physical interface for management or monitoring, you can have trouble when that interface goes down.

Then tell the router about your RADIUS servers. Always list multiple RADIUS servers. If you have only one RADIUS server, get a second, preferably on a completely different part of your network.

ip radius source-interface Loopback0
radius-server host 192.0.2.253 auth-port 1812 acct-port 1813 key RadiusSecret
radius-server host 192.0.2.252 auth-port 1812 acct-port 1813 key RadiusSecret

Create a local enable password and a local user with administrative privileges. These will come into play when your RADIUS servers fail. (Hopefully, they never will. But assuming things will go well sets yourself up for a really bad day.)

enable secret 5 $1$lnds$LNrkh4d8aoeuY/Q2Akm1k7
username admin privilege 15 password 7 1D1C1B050B8290E1

Now attach the RADIUS servers to the authentication system.

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable

With this setup, your Cisco will try radius first, and then fall back to the local authentication file if your RADIUS server does not answer.

You might also need to attach your virtual terminals to your authentication settings.

line vty 0 4
login authentication default
line vty 5 15
login authentication default

You should now have Cisco user names and the enable password synchronized with LDAP, through RADIUS.
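A small audit script, added here as an example and not part of the original post or of any Cisco tool: it takes the snippets above assembled into one configuration (plus a constructed weakened counterpart) and reports which of the recommendations in this post a configuration misses: two RADIUS servers, a loopback source interface, a local fallback in both method lists, an enable secret, a privilege-15 local user, and an explicit login list on every vty range. The finding codes and the keyword list used to find the end of a "line vty" stanza are my own assumptions.

```python
"""Audit a Cisco IOS AAA/RADIUS configuration for the pitfalls named above.

Added example, not from the original post: it parses the IOS lines the post
uses and reports which of the post's recommendations a config misses.
Keyword lists and finding codes are my own (assumed) conventions.
"""
import re

# Constructed: the configuration assembled from the snippets in the post.
GOOD_CONFIG = """\
interface Loopback0
 description management
 ip address 192.0.2.13 255.255.255.255
ip radius source-interface Loopback0
radius-server host 192.0.2.253 auth-port 1812 acct-port 1813 key RadiusSecret
radius-server host 192.0.2.252 auth-port 1812 acct-port 1813 key RadiusSecret
enable secret 5 $1$lnds$LNrkh4d8aoeuY/Q2Akm1k7
username admin privilege 15 password 7 1D1C1B050B8290E1
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
line vty 0 4
 login authentication default
line vty 5 15
 login authentication default
"""

# Constructed counter-example: one RADIUS server, no source interface, no
# local fallback in either method list, "enable password" instead of
# "enable secret", and a second vty range with no login list.
WEAK_CONFIG = """\
radius-server host 192.0.2.253 auth-port 1812 acct-port 1813 key RadiusSecret
enable password cisco
username admin privilege 15 password 7 1D1C1B050B8290E1
aaa new-model
aaa authentication login default group radius
aaa authentication enable default group radius
line vty 0 4
 login authentication default
line vty 5 15
 transport input ssh
"""

# Assumed: keywords that always start a new top-level stanza, used to find
# the end of a "line vty" block when the text is pasted without indentation.
TOP_LEVEL = ("line ", "interface ", "aaa ", "ip ", "radius-server ",
             "username ", "enable ", "hostname ", "router ", "!", "end")


def vty_blocks(lines):
    """Yield (header, subcommands) for every 'line vty' stanza."""
    i = 0
    while i < len(lines):
        raw = lines[i]
        if raw.lstrip().startswith("line vty"):
            body = []
            i += 1
            while i < len(lines):
                nxt = lines[i]
                if nxt.startswith(" "):            # IOS indents subcommands
                    body.append(nxt.strip())
                elif nxt.startswith(TOP_LEVEL):   # next stanza begins
                    break
                else:                              # unindented paste, as in the post
                    body.append(nxt.strip())
                i += 1
            yield raw.strip(), body
        else:
            i += 1


def audit(config_text):
    """Return a list of finding codes; an empty list means every check passed."""
    lines = config_text.splitlines()
    flat = [l.strip() for l in lines]
    findings = []

    if "aaa new-model" not in flat:
        findings.append("no-aaa-new-model")

    login = [l for l in flat if l.startswith("aaa authentication login default")]
    if not login:
        findings.append("no-login-method-list")
    elif not re.search(r"\bgroup radius\b.*\blocal\b", login[0]):
        findings.append("login-no-local-fallback")        # RADIUS down = locked out

    enable = [l for l in flat if l.startswith("aaa authentication enable default")]
    if not enable:
        findings.append("no-enable-method-list")
    elif not re.search(r"\bgroup radius\b.*\benable\b", enable[0]):
        findings.append("enable-no-local-secret-fallback")

    if len([l for l in flat if l.startswith("radius-server host ")]) < 2:
        findings.append("fewer-than-two-radius-servers")

    src = [l for l in flat if l.startswith("ip radius source-interface ")]
    if not src:
        findings.append("no-radius-source-interface")
    else:
        ifname = src[0].split()[-1]
        if f"interface {ifname}" not in flat:
            findings.append("radius-source-interface-undefined")
        elif not ifname.lower().startswith("loopback"):
            findings.append("radius-source-not-loopback")

    if not any(l.startswith("enable secret ") for l in flat):
        findings.append("no-enable-secret")

    if not any(re.match(r"username \S+ privilege 15\b", l) for l in flat):
        findings.append("no-local-privilege-15-user")

    blocks = list(vty_blocks(lines))
    if not blocks:
        findings.append("no-vty-lines")
    for header, body in blocks:
        # Advisory: under "aaa new-model" the default list already applies to
        # every line, but the post binds it explicitly, so report the gap.
        if not any(b.startswith("login authentication ") for b in body):
            findings.append(f"vty-unbound:{header}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The good configuration produces no findings; the constructed weak one reports the single server, the missing source interface, both missing fallbacks, the plaintext enable password, and the unbound second vty range. The vty finding is advisory only: with aaa new-model the "default" list applies to every line that has no named list of its own.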

I’m in BSD Magazine

The July 2012 issue of BSD Magazine has an article by yours truly: freebsd-update as an Intrusion Detection System.

It also has a code to get you 30% off of Absolute FreeBSD at No Starch Press. If you don’t have your copy of this book, here’s your chance.

It has other good articles too. None as awe-inspiring as mine, of course, but definitely worth a read.

Keeping Friends

I’m heading out to Oregon for Kris Rusch’s short story workshop in a little while. Additionally, I just got my story collection Vicious Redemption out in print. So, what the heck, here’s a story. It’s short enough that I’m not comfortable putting it out as a 99-cent short, but sufficiently solid that it deserves an audience.

Warning: not for children.

Keeping Friends

“I’m trying to decide if I should kill myself now, or wait five minutes.”

My precognition hadn’t warned me about Tom’s call, but I hadn’t asked it. I pressed the cellphone into my ear hard enough to hurt, trying to compensate for the crackling connection and the passing traffic. “You don’t really want to do that, dude. You still have options. There’s other meds out there.”

“They won’t work. Nothing works. There’s no hope.”

I sat on a bench and forced my hands to stay still. My friends are important to me – I have to keep them. If I failed, Tom might kill himself while talking to me. The thought heated my blood until the air felt cool. “Can I come down there?”

“Don’t bother. I tried a knife, but it wasn’t sharp enough to cut through my neck.”

Tom had fought clinical depression for two years. Medication had taken the edge off, but not enough that he could return to work. The electroconvulsive therapy his doctor had prescribed required Tom stop taking all his medications. The edge had returned, and he was using it on himself.

“Are you holding the knife now?” I said.

“Yes.”

“Do me a favor. Put it down.”

“I need to sharpen it. That’ll take both hands.”

The phone clicked and I heard only silence, then the dial tone.

I forced myself to take a deep breath, then another, and willed my heart to slow. “I’ll do nothing,” I said. “He’s not really going to do it. He’s just trying to get attention.” With that decision, I twisted the deformation in my brain.

The world around me skipped, displaying shattered fragments amidst frozen moments. Tom’s cat lapping at pooled blood. Sheryl finding Tom. Accusations and counter-accusations over a closed coffin. Tears, and years of recriminations.

My gut burned, and I shuddered back to the moment. I couldn’t do nothing.

“I’ll call the police,” I said aloud, cementing the decision in my brain. “Give them his address. Tell them what he told me. I’m going to do that next.”

The decision changed my future, but weakened my precognition. The new future wasn’t strong yet and hadn’t yet solidified. Colors streaked the new images, and sounds skewed from lips like a badly dubbed film. Blood on Tom’s neck. A police officer tumbling down the apartment stairs, Tom’s knife buried in his arm. The stench of urine and blood. Parallel metal bars and scored, battered Plexiglas between Tom and I, new gaps in Tom’s bared teeth as he spit at me.

Prison would be better than a coffin, maybe. But Tom wouldn’t be my friend any more. Precognition had already stolen my family, my children, and too many friends. I couldn’t stand losing another.

“I’ll go down there myself,” I said. “See him in person. It’s only thirty minutes to his apartment. Talk to him where he can’t hang up on me.”

Yet another change to my future distorted the new visions to the jagged edge of uselessness. I saw shards of Tom bleeding and my fingers fumbling at a phone. Tom’s voice was unintelligible, but the anger was unmistakable. A glimpse of him at a party, the years turning his hair white; he laughed, then he saw me, and he turned away. The sudden set of his jaw reminded me of my wife when we left the divorce hearing.

The bench wobbled beneath me, the stench of bus exhaust more bitter. Tom would never forgive anyone for finding him like that. I’d save his life, but I’d lose him.

“I’ll call him back,” I said. “I’ll talk him out of this.” I’d never viewed four futures in quick succession. My precognition showed only an unintelligible jumble that hurt my ears and eyes and left the taste of hot copper in the back of my mouth. I didn’t think that calling Tom would delay him more than a few minutes, though.

I licked my lips and made a call.

“Jimmy? Listen, I just heard from Tom. He’s really really upset. I’m worried about him. You live right by him, don’t you? Could you go and check on him?”

Jimmy would find Tom, and call for help. Tom would be there for me. Tom would never forgive Jimmy for finding him, but I’d be there to console Jimmy. My friends are important. I have to keep them.

If you enjoy this, you might look at my other free story, my available short stories or my fiction collection. If you don’t enjoy this, that’s OK. If you now feel like crossing the street when I approach, that’s fine too.

Splitting blog?

I usually post two different sorts of items here: tech articles, and publishing articles. Would you lot prefer I did two separate blogs? I would probably still feed both to third parties such as Twitter and Facebook, but it appears that most of my readers use RSS.

If nobody cares, I’ll leave things as they are.

Floating business ideas past my readers

As I beaver away on the new Absolute OpenBSD book, I’m pondering options for what to do afterwards. Part of that pondering concerns the business aspect of publishing. And I want your opinion.

This blog post is about tech books — or, more generally, “highly researched non-entertainment nonfiction,” a category which includes but is not limited to technology books. I’m explicitly excluding fiction and entertainment nonfiction. I’m discussing books meant to help the reader make more money, or at least keep their job.

I’ve wanted to write about certain technologies for years, but there aren’t enough buyers to support a traditional publishing run. They’re topics that would appeal to a majority of my blog readers, but a few hundred readers just can’t support a traditionally-published book. If I self-publish on such topics, I would get more money per reader. This could make special-interest books sufficiently profitable for me to invest a year writing them.

My goal is to make “enough” money so that I feel it’s worth spending my evenings and weekends writing a book. The exact value of “enough” varies with the topic, how hard the book is to write and research, how much I have to spend to write the book, who I have to work with to write the book, and what exactly I gave up in favor of writing the book. (Yes, I’d like to make great big steaming HEAPS of money. But that’s not realistic.) To achieve this, I must set the price of a book such that the reader feels he’s getting fair value, but still puts “enough” money in my pocket.

The problem comes in the payments I receive on the book.

You’ve probably heard that Amazon pays 70% royalties on self-published ebooks. That’s not quite accurate. It pays 70% royalties on self-published ebooks with a retail price of $9.99 or less. Barnes & Noble has a similar policy (look under Pricing and Payment Terms). Smashwords has a more complex royalty system, because they feed multiple ebook vendors. Royalties on books bought directly from Smashwords are about 85%, but royalties through various platforms that they feed pay varying percentages up to certain ceilings. For example, Kobo pays 60% up to $12.99, and 38% above that.

Physical book pricing is simpler. I get a certain amount for sales through Amazon, and a lower amount for sales through third parties such as Barnes & Noble or indie bookstores. Those royalties don’t have artificial ceilings.

I have no problem giving an ebook retailer their fair cut for delivery. I don’t wish to waste my time building and maintaining an ebook store when I could be writing. But the royalty scheme used by the large ebook retailers is clearly aimed at novels.

Companies like Amazon and B&N want self-published novels to be priced under $10. But there’s a definite difference between a 100,000-word novel with a potential audience of millions and a 300,000-word technology book with a potential audience of hundreds.

I cannot afford to spend a year writing a book with 500 expected buyers and sell it for $9.99. The income is not “enough.” Once I raise the price over $9.99, however, my royalty is halved. To raise my income a penny, I must increase the ebook price to over $20.

Unfair? Probably. Unnecessary? I’d say so. But that’s the retailer’s business decision, and I cannot change it, waste my time griping about it, or go on a long rant about how companies X, Y, and Z are destroying all that is good and wholesome in the world. (They aren’t, by the way. But that’s a separate blog post.)

So, for the sake of a purely hypothetical business decision, let me make up some numbers and facts. The pedantic will note that I’m rounding everything to the nearest dollar, but I’m already making up my own numbers, so who cares?

Assume I want to write a hefty book about a hypothetical project, MaguffinBSD. This project will take a year, expenses are minimal, and I have friends, allies, and supporters in the community. I decide that $14,000 gross is “enough”. My research indicates that maybe 500 people will buy the book. (How do I get that number? The community is about 1/10th the size of FreeBSD’s, and Absolute FreeBSD sold about 5000 copies in the first three years, with a dwindling long tail thereafter.) Let’s also assume that the book is up to my usual standards; it’s readable, mostly free of really blatant errors, and so on.

500 customers to raise $14,000 means that I must extract $28 from each buyer.

Option 1: I set the ebook price at $80, and sell it at that price across all platforms. Per various terms of service, the ebook must be priced at least 20% cheaper than the physical book retail price, so the print book is $100. My profit on the physical book is much higher, but sales are much lower.

Option 2: I write four smaller books: “MaguffinBSD, vol 1: Base Configuration,” “vol. 2, services,” “vol. 3, ongoing support,” and “vol 4: stupid MaguffinBSD Tricks.” Each of these books is available at all ebook retailers. I price each at $9.99.

A “MaguffinBSD, vols 1-4” is available as a print book, with a consolidated index and Table of Contents.

The version that appears in print is available as an ebook via Smashwords, and only Smashwords. It would not go to the other ebook retailers fed by Smashwords. Where you would pay $39.96 to buy each individual volume, I could sell the compendium for $32.

People who want individual volumes have the option to get them. People who want the compendium can get it in any desired format.

Option 3: Kickstarter. I include this because someone’s going to suggest it. I don’t like kickstarting books. Yes, some people do it, but publishing is a business. If I ever hope to make a living at writing, I need to treat it as a business. You can apply this same reasoning to asking for donations.

Model 2 increases my expenses and production time. I must prepare one book five times, in three different formats. But I might pick up some extra readers who are only interested in one or two volumes of the set, so I’ll consider that a wash.

But my gut reaction to model 1 is: oh dear God, NO.

So, my question to you lot is: which model would you accept more? Which would be more offensive? Or should I give up on writing specialty tech books and start writing about Windows, Apple, and Linux?

New review of “SSH Mastery”

Samiuela LV Taufa was kind enough to write a review of SSH Mastery. Thank you, sir!

For those who are wondering why I haven’t posted much lately: I’m beavering away at the new Absolute OpenBSD, getting ready for a summer writing workshop with Kris Rusch, trying to get an article together for BSD Magazine, and when my brain is too tired to put words together, assembling a print version of Vicious Redemption.

So yes, I’m working. You just can’t see any results yet.

Truth versus Art

There’s been a slow-burning furor over dishonesty in “creative nonfiction,” most recently in this Fact vs. Artistic License in Creative Nonfiction post. Now and then someone accuses me of making stuff up in my books. For the record, here’s the truth.

I lie. I make stuff up all the time. But not technical stuff.

One technique I use in each tech book is to create a narrator. The narrator is not me. I don’t actually blackmail coworkers, as the narrator of Network Flow Analysis recommends. The narrator’s role is to bring life to the material, point out possibilities that are difficult to expose in pure technical text, and try to jolt the reader into paying attention.

I don’t create the narrators beforehand. They evolve from the material. The narrator of AO2e is worryingly like forensic blood spatter analyst Dexter Morgan. I’m trying to change that, but he’s fighting back.

Of course, some things are true. The afterword for Absolute OpenBSD 2nd ed. is the true story of a really bad night. But I don’t have enough of those stories to color a book.

This technique works. It helps the reader pay attention. Some people even find reading my books enjoyable (for example, there’s this review that made me giggle madly). There are readers who hate my books for exactly this reason. But I’m not going to change my writing style to chase a readership.

If I’m giving instructions on how to fdisk and disklabel a hard drive, the information is as correct as I can make it. Facts are inviolate.

If it’s more personal, it might be true. It might be fictional. I am a writer, and am not to be trusted.

So don’t try to call me out on this. I know. I don’t care.

Death of a Web Server

My first day at BSDCan, my Web sites died. Hard drive failure. The latest backups are defective. I think I’ve recovered the blog, but some links have changed, dang it. I’ll have to learn more about mod_rewrite to fix them. Web site is next. RSS readers will see some repeats, sorry.

Other than that, BSDCan was awesome. As usual. In fact, it was just awesome as expected. So it was kind of routine. But still awesome.

50% off sale on my No Starch ebooks through O’Reilly, 4th May only

Yep, Cisco Routers for the Desperate and Absolute FreeBSD are 50% off when you buy through No Starch Press’s O’Reilly distributor.

And other books. By other authors. Most of whom are more awesome than I am, so I’m not going to mention any names. Like Peter Hansteen. Or Joe Kong. Or Tom Limoncelli. Or Chris Sanders. Because they sure don’t need the press.

This is part of the EFF’s Day Against DRM. Use the code DRMFREE to get 50% off ebooks via O’Reilly.

Go to the O’Reilly site for all the details.

For the record, my tech books are all DRM-free. (I have one short story with DRM on Amazon. It was the first story I put up. Amazon doesn’t allow you to change your DRM choice without removing and republishing the title. And I have two good reviews on that story, which I would lose if I did so. So I’m stuck. But you can get that story DRM-free on other sites.)

And how do I feel about doing this as part of a “GNU promotion”? Despite what a lot of people think, I have no objections to the GPL. I think it’s morally inferior to the BSD license. Sharing with the condition that people share back is generous. A pure gift is even better, however.

Debugging RANCID

I’m a big fan of RANCID for managing configurations for embedded devices, such as most routers and switches. While you can go buy CiscoWorks, OpenView, or any number of proprietary products, RANCID is good enough for the overwhelming majority of us. (Those products do have other advantages, but simple configuration revision control isn’t one of them.)

For those who haven’t used RANCID: it logs into your devices every hour, gets the device configuration, and compares it to the stored configuration. If the configuration has changed, RANCID checks the new version into CVS. Combined with CVSWeb, RANCID really simplifies embedded device management.

Every now and then it breaks, however. Last week, I started getting an email every hour, whining that RANCID couldn’t get the configuration of one of my Mikrotik border routers. I hadn’t changed the router configuration in several days. My cow-orkers claimed they hadn’t touched the router.

So, let’s see what RANCID is having trouble with.

Log into the RANCID server, and su - to your RANCID account. Use clogin(1) to log into the device.

%clogin edge-1
edge-1
spawn ssh -c 3des -x -l admin+ct edge-1
admin+ct@edge-1.lodden.com's password:
...

[admin@edge-1] >

So, I can log in.

The main command to get a Mikrotik configuration is export. I run the command. It completes, but takes a few minutes. Not really a shock — this device has several full BGP feeds on IPv4 and IPv6, packet filtering, traffic shaping, and folds my socks in its spare time.

So, it’s not the obvious problem; the router can export its config, and RANCID can log into the router.

So, run RANCID for the group that includes the trouble router.

%rancid-run mikrotik

%

No error messages, but let’s check the log. It’s full of messages like this:

...
Trying to get all of the configs.
edge-1: End of run not found
Error: TIMEOUT reached
=====================================
...

Well, that’s not good. Let’s try running a single command on the router, setting the timeout to the usual 90 seconds.

%clogin -t 90 -c "export;quit" edge-1
edge-1
spawn ssh -c 3des -x -l admin+ct edge-1
admin+ct@edge-1.lodden.com's password:
...
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d

Error: TIMEOUT reached
%

So, the export takes longer to run than RANCID’s default timeout. How long does it need? Run RANCID under time(1) to find out. Add -t 1000 to set the timeout to 1000 seconds.

% time clogin -t 1000 -c "export;quit" edge-1

Walk away. Eventually, come back to look at it.

...
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no
[admin@edge-1] > quit
interrupted
Connection to edge-1.lodden.com closed.

Error: EOF received
0.102u 0.094s 2:57.84 0.1% 87+948k 0+0io 0pf+0w

This export took almost three minutes, or 180 seconds. Twice the default timeout. Ick.

Now we have to tell RANCID to use a different timeout. I didn’t find anything in the manual pages, so I asked on the rancid-discuss mailing list. John Heasley quickly answered. It seems that the timeout option in .cloginrc should cover this, but that the feature is missing from the Mikrotik login script. He included a patch. I applied the patch and added:

add password edge-1 blahblah
add user edge-1 admin+ct
add method edge-1 ssh
add noenable edge-1 {1}
add timeout edge-1 500

I then re-ran RANCID. It completed silently. I can’t be sure that the change actually works until I see RANCID check in a change. I logged into the router, corrected a typo in the login message, and tried again. This time, changes appeared in CVS and I received my email. So I can conclude the patch works.
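The diagnosis above boils down to reading two outputs: the per-device failure lines in the rancid-run log, and the elapsed-time field of the csh time(1) summary from the timed clogin run. The script below, added here as an example and not part of the original post or of RANCID, parses both and emits the .cloginrc timeout line in the form used above. The sample log (the post's excerpt plus a constructed second device), the 2.5x safety factor and the rounding up to the next hundred seconds are my assumptions, not RANCID's rules.

```python
"""Turn a RANCID log and a timed clogin run into a .cloginrc timeout line.

Added example, not part of the original post or of RANCID itself. It parses
the two outputs shown in the post: the per-device lines in the rancid-run log
and the elapsed-time field of the csh time(1) summary. The 2.5x safety factor
and the rounding to the next hundred seconds are assumptions of this example.
"""
import math
import re

# Constructed sample: the log excerpt from the post plus a second device.
SAMPLE_LOG = """\
Trying to get all of the configs.
edge-1: End of run not found
Error: TIMEOUT reached
=====================================
edge-2: End of run not found
Error: EOF received
=====================================
"""

# Constructed: the time(1) summary line the post shows for the 1000s run.
SAMPLE_TIME = "0.102u 0.094s 2:57.84 0.1% 87+948k 0+0io 0pf+0w"

DEFAULT_TIMEOUT = 90   # the usual clogin timeout, as stated in the post

FAILURE_RE = re.compile(r"^(?P<device>[\w.-]+): End of run not found$")
ERROR_RE = re.compile(r"^Error: (?P<reason>.+)$")


def failed_devices(log_text):
    """Map each device that did not finish to the error RANCID logged for it."""
    failures = {}
    current = None
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            current = m.group("device")
            failures[current] = "unknown"
            continue
        m = ERROR_RE.match(line)
        if m and current is not None:
            failures[current] = m.group("reason")
            current = None
    return failures


def elapsed_seconds(time_line):
    """Parse the wall-clock field (m:ss.ss or h:mm:ss) of csh's time output."""
    field = time_line.split()[2]
    parts = [float(p) for p in field.split(":")]
    if len(parts) == 2:
        minutes, seconds = parts
        return minutes * 60 + seconds
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def suggested_timeout(seconds, factor=2.5, step=100):
    """Assumed rule: scale the measured run and round up to the next `step`."""
    return int(math.ceil(seconds * factor / step) * step)


def needs_override(seconds, default=DEFAULT_TIMEOUT):
    """True when the measured export would not fit in the default timeout."""
    return seconds > default


def cloginrc_line(device, seconds):
    """The .cloginrc directive, in the form shown in the post."""
    return f"add timeout {device} {suggested_timeout(seconds)}"


if __name__ == "__main__":
    measured = elapsed_seconds(SAMPLE_TIME)
    for device, reason in failed_devices(SAMPLE_LOG).items():
        print(f"{device}: {reason}")
        if reason == "TIMEOUT reached" and needs_override(measured):
            print("  ", cloginrc_line(device, measured))
```

For the post's measurement (2:57.84, or about 178 seconds, twice the 90-second default) the rule yields "add timeout edge-1 500", the value used above. A device that fails with "EOF received" rather than "TIMEOUT reached" is not a timeout problem and gets no override.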

The most important thing to do in all of this, though? Close the loop with John Heasley. Verify the patch works, so others can benefit from my annoyance.

On a related note, RANCID is one of those tools that gets less attention than it deserves. I’m pondering writing a short book about it, rather like SSH Mastery. Would anyone actually be interested, however?