Showing posts with label linux. Show all posts

Jun 19, 2016

chrooted sftp with pubkey authentication

Method adopted from OpenSSH Cookbook.
I've automated user creation and added the ability to use public key authentication.

Create a group for users that will be using chrooted sftp:
groupadd sftpusers

Append at the bottom of /etc/ssh/sshd_config:
Match Group sftpusers
         ChrootDirectory /sftp/%u
         ForceCommand internal-sftp
         AuthorizedKeysFile     /home/%u/.ssh/authorized_keys

Save the following script and run as root/sudo, for example:
./addsftpusers.sh bob "ssh-rsa AAAA...."

Code:

#!/bin/sh
# Usage: ./addsftpusers.sh <username> "<public key line>"
# Creates a chroot-only sftp user: chroot at /sftp/<user>, uploads go to
# /sftp/<user>/incoming, public key lives in /home/<user>/.ssh/authorized_keys
# (matching the AuthorizedKeysFile line in sshd_config above).

set -e

G="sftpusers"
U="$1"
P="$2"

if [ -z "$U" ]; then
    echo "no username given"
    exit 1
fi

if [ -z "$P" ]; then
    echo "no pubkey given"
    exit 1
fi

echo "Adding $U to $G"
# Home is /incoming *inside* the chroot; nologin blocks interactive shells,
# internal-sftp still works because ForceCommand never spawns the shell.
useradd -g "$G" -d /incoming -s /sbin/nologin "$U"

echo "Creating sftp dir"
mkdir -p "/sftp/$U/incoming"
# sshd refuses to chroot unless the directory (and every ancestor) is owned by
# root and not group/world writable; set it explicitly instead of relying on umask.
chown root:root "/sftp/$U"
chmod 755 "/sftp/$U"
# The user may only write inside incoming.
chown "$U:$G" "/sftp/$U/incoming"

echo "setting pubkey access"
mkdir -p "/home/$U/.ssh"
echo "$P" > "/home/$U/.ssh/authorized_keys"
chmod 600 "/home/$U/.ssh/authorized_keys"
chmod 700 "/home/$U/.ssh/"
chown -R "$U:$G" "/home/$U"
echo "Done"
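An added check, not part of the original post or the OpenSSH Cookbook, that walks the chroot path the way sshd does and reports any component that is not a root-owned, non-group/world-writable directory (the cause of the usual "bad ownership or modes for chroot directory" failure); it assumes the /sftp/<user>/incoming layout from the script above and takes the user name on the command line.

```python
import os
import pwd
import stat
import sys
from typing import List, Optional


def check_component(path: str, uid: int, mode: int) -> List[str]:
    """sshd's ChrootDirectory rule for one path component: a directory owned by
    root and not group- or world-writable, otherwise the login is refused."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append(f"{path}: not a directory")
    if uid != 0:
        problems.append(f"{path}: owned by uid {uid}, must be root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group- or world-writable (mode {stat.S_IMODE(mode):04o})")
    return problems


def path_components(chroot: str) -> List[str]:
    """'/sftp/bob' -> ['/', '/sftp', '/sftp/bob']; sshd checks every ancestor."""
    parts = [os.path.abspath(chroot)]
    while os.path.dirname(parts[-1]) != parts[-1]:
        parts.append(os.path.dirname(parts[-1]))
    return parts[::-1]


def chroot_problems(chroot: str, upload_subdir: str = "incoming",
                    expected_uid: Optional[int] = None) -> List[str]:
    """Walk the real filesystem: what sshd would reject, plus whether the
    upload directory (the only place the user should write) belongs to them."""
    problems = []
    for comp in path_components(chroot):
        st = os.stat(comp)
        problems += check_component(comp, st.st_uid, st.st_mode)
    if expected_uid is not None:
        upload = os.path.join(chroot, upload_subdir)
        try:
            st = os.stat(upload)
            if st.st_uid != expected_uid or not (st.st_mode & stat.S_IWUSR):
                problems.append(f"{upload}: not owned and writable by uid {expected_uid}")
        except FileNotFoundError:
            problems.append(f"{upload}: missing")
    return problems


if __name__ == "__main__":
    user = sys.argv[1]  # e.g. ./checksftpchroot.py bob
    issues = chroot_problems(f"/sftp/{user}", expected_uid=pwd.getpwnam(user).pw_uid)
    print("\n".join(issues) or f"/sftp/{user}: OK")
```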

Jun 14, 2013

Raspberry Pi with RT5370 Wireless Adapter

My Pi worked flawlessly for some time hooked up to ethernet, but I wanted to move it away from the router, and for this I bought some no-name wifi dongle. After hooking it up, I ran lsusb and it showed up as:
ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
Google told me that it should work out of the box. I used the vanilla configuration:

/etc/network/interfaces
auto lo
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet manual
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface default inet dhcp

/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
network={
        ssid="MYSSID"
        scan_ssid=1
        mode=0
        proto=WPA2
        auth_alg=OPEN
        pairwise=CCMP
        group=CCMP
        key_mgmt=WPA-PSK
        psk="MYPASSWORD"
}
The system behaved weirdly: it worked for some time with a very sluggish connection speed, but most of the time ssh connections were just timing out. People complaining about unstable performance were told to hook it up through a powered USB hub, since it is possible that the power supply on the Raspberry cannot produce enough power.

Mar 24, 2013

Raspberry Pi emulator on OSX

I've ordered a Raspberry Pi computer, but it hasn't arrived yet, so I decided to try out the OS image provided on their site: http://www.raspberrypi.org/downloads.

I've found multiple articles on the net on how to do it on OSX; they all boil down to:

Get yourself the qemu ARM software (in my case: sudo port install qemu +target_arm)
Get the qemu ARM kernel from here.
Get the wheezy image from the raspberry site.
Launch:
qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -serial stdio -append "root=/dev/sda2 rootfstype=ext4 elevator=deadline rootwait panic=1" -hda 2013-02-09-wheezy-raspbian.img -redir tcp:5022::22

On my system with qemu 1.4.0 this image hangs after printing a few SCSI timeout errors.
Commenting out /etc/ld.so.preload did not help; instead of SCSI errors I got a kernel panic.
But the soft-float image, 2012-08-08-wheezy-armel.zip.torrent, works as expected.

After booting, you can access shell with ssh localhost -p 5022.

Jun 5, 2012

Slow start of java servers on linux VM


During the server boot sequence, the java process hangs with no apparent IO/CPU activity.
Running "cat /proc/sys/kernel/random/entropy_avail" prints a low number (< 100).
Usually this means that the server is trying to read random data from /dev/random and blocks.
A sample stack of such a process might look similar to this:

...
    at java/io/FileInputStream.read(FileInputStream.java:220)
    at sun/security/provider/NativePRNG$RandomIO.readFully(NativePRNG.java:185)
    at sun/security/provider/NativePRNG$RandomIO.implGenerateSeed(NativePRNG.java:202)
    ^-- Holding lock: java/lang/Object@0x9e5d2e80[biased lock]
    at sun/security/provider/NativePRNG$RandomIO.access$300(NativePRNG.java:108)
    at sun/security/provider/NativePRNG.engineGenerateSeed(NativePRNG.java:102)
    at java/security/SecureRandom.generateSeed(SecureRandom.java:495)
...

What happens?

Linux keeps track of how much random data has been read and blocks reads from /dev/random when no "entropy" is available.
Entropy regeneration depends on entropy sources: semi-random events such as network card, disk, keyboard and mouse signals. On a machine without keyboard/mouse/display (a virtual machine, for example), the kernel has fewer sources of randomness, and regeneration can be slow.

What can I do?

A blocking random source might make sense in a security-sensitive environment, on production servers, but in most cases it is pointless on a dev/test VM and just wastes your time.
Attaching a hardware random noise generator or redefining the randomness source to /dev/urandom are possible solutions, but there is a simple hack: this script (http://pastebin.com/jxEDbbXK).
It copies data from /dev/urandom to /dev/random, feeding it with "fake entropy" and thus unblocking pending reads from /dev/random.

The script should be run as root/sudo (to be able to write into /dev/random). Upon completion it prints the random bit count before and after injection. Usually a number <= 100 means that your system was "starving". It is possible to run it as a cron job, but I usually just run it manually before/during a service restart.

Disclaimer: it's probably a bad idea to run this script in a production environment! Random data used to generate cryptographic keys for ssl/ssh becomes "less random".
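An added example, not the pastebin script, showing what the injection has to do for entropy_avail to rise: a plain write to /dev/random only mixes bytes into the pool, it is the root-only RNDADDENTROPY ioctl that credits entropy, so this builds the kernel's rand_pool_info structure and issues that ioctl. It assumes a Linux kernel older than 5.6 (later kernels only block until the pool is first initialized, so entropy_avail no longer gates /dev/random) and root privileges for inject().

```python
import fcntl
import os
import struct

# Linux ioctl number RNDADDENTROPY = _IOW('R', 0x03, int[2]); same value on 32- and 64-bit Linux.
RNDADDENTROPY = 0x40085203
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def build_rand_pool_info(data: bytes, credit_bits: int) -> bytes:
    """Serialise struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is the number of bits the kernel is asked to credit, buf_size is
    len(data) in bytes.  Crediting more bits than supplied would overstate entropy.
    """
    if not data or len(data) % 4:
        raise ValueError("buf must be a non-empty whole number of 32-bit words")
    if not 0 <= credit_bits <= len(data) * 8:
        raise ValueError("credit must be between 0 and 8 bits per byte supplied")
    return struct.pack("ii", credit_bits, len(data)) + data


def unpack_rand_pool_info(blob: bytes):
    """Inverse of build_rand_pool_info: (credit_bits, buf_size, buf)."""
    credit_bits, size = struct.unpack("ii", blob[:8])
    return credit_bits, size, blob[8:8 + size]


def read_entropy_avail(path: str = ENTROPY_AVAIL) -> int:
    with open(path) as f:
        return int(f.read().strip())


def inject(nbytes: int = 512, credit_bits: int = None) -> tuple:
    """Credit nbytes of /dev/urandom output to /dev/random; returns (before, after).

    Needs CAP_SYS_ADMIN (root).  nbytes stays below 1024 because fcntl.ioctl
    copies an immutable bytes argument into a 1024-byte buffer.
    """
    data = os.urandom(nbytes)
    credit = len(data) * 8 if credit_bits is None else credit_bits
    before = read_entropy_avail()
    with open("/dev/random", "wb") as rnd:
        fcntl.ioctl(rnd.fileno(), RNDADDENTROPY, build_rand_pool_info(data, credit))
    return before, read_entropy_avail()


if __name__ == "__main__":
    before, after = inject()
    print(f"entropy_avail before={before} after={after}")
```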