Brandon Checketts

Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia

Minimal AWS Permissions needed by the FluentSMTP WordPress Plugin

FluentSMTP is a WordPress plugin that allows sending email via many different email providers. Amazon Simple Email Service (SES) is one of many that it supports.

The instructions for setting up an IAM user grant access to everything in SES and SNS by using the predefined AmazonSESFullAccess policy, and for some reason the AmazonSNSFullAccess policy. I’m not sure why they ask for SNS permissions at all!

I’m a proponent of the principle of least privilege, so after some trial and error I found that this policy grants access only to what is needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": [
                "arn:aws:ses:us-east-1:127069677361:configuration-set/enter-your-configuration-set-name-here",
                "arn:aws:ses:us-east-1:127069677361:identity/enter-your-domain-name-here"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ses:ListIdentities",
            "Resource": "*"
        }
    ]
}

Make sure to replace the placeholders enter-your-configuration-set-name-here and enter-your-domain-name-here with your actual values. The separate ses:ListIdentities statement has to use Resource "*" because that action does not support resource-level permissions; FluentSMTP only uses it to confirm that the IAM credentials are valid, so you can apparently remove that statement after the email provider has been saved.
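As an added example that is not part of the post or of the plugin, here is a small Python helper that renders the policy above with real values and lints a policy document for the mistakes that are easy to make with it: placeholders left in place, send permissions granted on Resource "*", or the SES/SNS wildcards that the plugin's own instructions suggest. The account ID, region, configuration-set name and domain in the usage call are made up.

```python
"""Render the least-privilege FluentSMTP policy for a real account and lint a
policy document for the mistakes that are easy to make with it."""
import json

# Placeholder strings from the policy above; they must be replaced before use.
PLACEHOLDERS = ("enter-your-configuration-set-name-here",
                "enter-your-domain-name-here")
SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}


def build_policy(region, account_id, config_set, domain):
    """Return the post's policy as a JSON string with concrete ARNs filled in."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FluentSmtpSend",
                "Effect": "Allow",
                "Action": sorted(SEND_ACTIONS),
                "Resource": [
                    f"arn:aws:ses:{region}:{account_id}:configuration-set/{config_set}",
                    f"arn:aws:ses:{region}:{account_id}:identity/{domain}",
                ],
            },
            {
                # ListIdentities does not support resource-level permissions,
                # so "*" is the only valid Resource for it.
                "Sid": "FluentSmtpValidateCredentials",
                "Effect": "Allow",
                "Action": "ses:ListIdentities",
                "Resource": "*",
            },
        ],
    }
    return json.dumps(policy, indent=4)


def _as_list(value):
    """IAM allows either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy_json):
    """Return a list of findings; an empty list means the policy is as tight
    as the one in the post."""
    findings = []
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        granted.update(actions)
        for action in actions:
            if action in ("*", "ses:*") or action.startswith("sns:"):
                findings.append(f"action {action} is broader than FluentSMTP needs")
        if SEND_ACTIONS & set(actions) and "*" in resources:
            findings.append("send actions are allowed on Resource '*'; "
                            "scope them to your identity and configuration set")
        for resource in resources:
            if any(p in resource for p in PLACEHOLDERS):
                findings.append(f"placeholder still present in {resource}")
    missing = SEND_ACTIONS - granted
    if missing:
        findings.append(f"missing actions FluentSMTP needs to send: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    # Made-up account, region and names; substitute your own.
    policy = build_policy("us-east-1", "123456789012", "wp-mail", "example.com")
    print(policy)
    print(check_policy(policy) or "no findings")
```

Run check_policy() against the JSON you are about to paste into IAM; the full-access managed policies from the plugin's instructions trip the wildcard check, and a copy of the policy above with the placeholders left in trips the placeholder check.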

I’m sure they are trying to keep the configuration steps to a minimum, and creating a separate policy would make a not-exactly-simple setup process even more complicated. But I wish that they would add these minimal permissions to their instructions as an option at least. And remove the mention of AmazonSNSFullAccess because it is not needed at all.

Twenty One Innovations From the Star Wars Galactic Star Cruiser

After we heard that the Star Wars Galactic Star Cruiser was shutting down, my wife and I decided to make a second trip to enjoy it while we still could. Our first visit was shortly after it opened with our six teenage kids. This time it was just adults, so we got to “play” ourselves a little more than when kids were there.

The Star Cruiser is a very unique experience that has been tough for others to describe – which is probably why they haven’t been able to stay busy enough to keep it going. It’s a mix of hotel, restaurant, cruise ship, theater, improv, theme park, escape room and video game, all in the setting of a Galaxy Far, Far Away.

For the ~86,000 people that were able to experience it, there was an impressive amount of innovation on display. Below are the things that I thought of, but please comment below if you can think of any that I missed or would like to clarify.

These are not in any particular order, except I tried to put some that I was most impressed with toward the end.

#1 – Custom music, songs for Gaya

The galactic superstar, Gaya, has a pretty important role throughout the voyage, often simply to distract the First Order from the smuggling going on under their noses.  Gaya has had custom songs written for her that I didn’t think were particularly great, but she belts them out with confidence as part of the story.

#2 – Custom Lighting and scents

By no means is this the first instance of Disney using custom lighting or smells, but these elements are present from the moment you board the Halcyon, and throughout most of the “storytelling” parts of the experience.

#3 – Real emergency versus “in show” emergency

While “boarding” the ship, shortly after going through Security and before traveling “up” to the ship, there is a short orientation video that differentiates between a “Show” alarm and an actual emergency.  The In-Show alarm has strobing red lights and a droid voice stating to meet in the lobby. The actual emergency includes bright white lights and a human voice clearly stating that “this is a real emergency” and “this is not part of the show”.

#4 – Emergency exits from windowless rooms

The most under-utilized innovation which likely required a significant amount of design, construction, and testing is the emergency evacuation procedures from the windowless cabins.  Each stateroom has a small emergency exit window that is visible on the building exterior.  Within the cabin, this opens a narrow passage that presumably further opens to the exterior.  A phone and labels in the space are meant to connect guests to emergency staff that can assist in an evacuation.  

The Reedy Creek Fire Department was trained on how to assist guests in evacuating from these rooms and could do so quickly in an emergency.

#5 – Entire Bridge Experience

The bridge training experience, and the subsequent story element where you commandeer the bridge, is a pretty fun experience and one of the highlights for me. There are four stations (Systems, Weapons, Cargo, and Shields). You get a chance at each of the four stations, where each one is taught in one to two minutes. Then you get a 1-2 minute practice round, and a 2-3 minute “real” round to count your score.

The controls are pretty simplistic and kind of “1990s” in design complexity.  But they are pretty effective for the short time frame in which you can learn and then use them.

#6 – Puzzles in the engineering room, access to doors, etc.

Similar to the Bridge Experience, the Engineering room has probably 8 different “puzzles” that you can solve with physical props like levers, buttons, and switches.  These can be fun to solve on their own, but they are also involved in several parts of the story. Depending on which storyline you are following, the First Order commander may meet you in the Engineering Room to “Take Over” the ship by everyone in the group solving the various puzzles simultaneously.  Or the Captain may take you to the Engineering room to also do the same puzzles and “take back” the ship.

#7 – Room droid’s voice recognition

Each cabin has a console where you can check in with the guest experience droid, who has an ongoing story of her own that ties in with the overall story on the ship. Guests can speak to the droid, which uses some now-commonplace speech recognition to understand what you are saying and respond mostly appropriately.

#8 – Custom schedule for each group

This is another not super-impressive innovation, because it is just scheduling, but I can’t think of another place in Disney Parks/Resorts or other places that schedules guests for smaller group events.  Sometime after checking in, you get events in your schedule (inside the Data Pad app) that assign you a custom time for Lightsaber Training, Bridge Training, and a departure time for the Batuu shuttle. The first two of these are specifically for you, and if you miss them, it may not be possible to make them up. The shuttle to Batuu is more flexible as it runs every ~5 minutes and you can come and go as you please after the majority of guests have exited.

#9 – All exterior Screens when ship goes to hyperspace

A nice integration that takes place on a wide scale is that every “exterior” window of the ship that looks out into space is synchronized so that they all work together and display the status of the ship in the story.  When one of the bridge training crews jumps to Hyperspace, every window in every cabin, and throughout the ship, also goes into Hyperspace.  When you arrive in an asteroid field, all of the “windows” show asteroids appropriately.

#10 – Audio that follows characters on the upper stage area

One of the “stages” on which the actors play out their story is in the balcony above the atrium. From their elevated position, they argue with each other and eventually fight.  The characters often wander back and forth along the balcony and their amplified voices follow them impressively well by using disguised speakers on the railings. The speakers also have a few special effects in the closing battle.

#11 – Secret merchandise compartments

This low-tech innovation is kind of a fun part of the story.  If you talk with the merchandise cast members when the store is empty and subtly mention that you are part of the Resistance and tell them a certain phrase, they will use a magnet to unlock one of several secret compartments in the store that contains merchandise for those willing to help the resistance cause.

#12 – Constantly Progressing, Real-Time Story

After two visits, I still don’t know that I’ve completely followed the story, even with the character that I was following pretty closely. In every other theme park or interactive experience I can think of, the guest fully experiences the entire experience as it was intended. During the Galactic Starcruiser experience, it is literally impossible to catch every aspect of what is happening. Since the story progresses in real-time, things are happening which you have to learn about by other guests telling you about, or by context afterwards.  

On my first visit, I was a little put-off by this and having “missed out” on important things, but I was fascinated by it this time knowing that you aren’t supposed to see everything yourself.  It is much more “real” feeling as in the way we’d experience things outside of the fabricated “rides” and “lands” that we’re used to.

#13 – Lightsaber Training

The lightsaber training has been called elementary by some, and is an important part of the experience to others. I only got to experience it on one of my two trips because they were very strict about the start time and not letting anybody enter once it had begun.

#14 – Rey’s lightsaber 

Much has been written about Rey’s “real” lightsaber, which is seen for a few seconds while it extends before she (often clumsily) swaps it out for one that can be used in the fight.  They even went so far as to file a patent for this innovation.

#15 – Custom Sabacc gameplay/rules

A custom version of the game Sabacc was created called “Coruscant Shift”. This version is easy to learn, and, probably more importantly, has rules that didn’t require anything too fancy for the custom Sabacc Holoboard to implement.

#16 – Sabacc holoboard

In the center of the Sublight Lounge is a large, custom Sabacc table game that displays the cards to each player using holograms.  There’s nothing like it and the Imagineers had to create it with custom electronics and screens that showed the holograms.  Again, the gameplay is pretty primitive and simple, but this was probably a fairly significant project to bring together.

#17 – ‘Nearness’ to the characters gains you ‘familiarity’

In the Data Pad app, under your profile, it displays a “nearness” and “trust”  of the main characters.  As far as I can tell, the “nearness” to a character has to do with time that you have actually spent in physical proximity to the character.  I’m unsure exactly how they accomplish this. Most likely it is some kind of NFC tracking built into the Magic Band, or Bluetooth scanner in the App. There are also times, I found, where the character asks for and repeats your name, so perhaps there is an audio prompt as well (or perhaps it is just the actor genuinely trying to remember your name).   

Being “near” to a character seems to unlock certain story arcs and messages you have with them in the app.  Note that according to this interesting video, being near to a character in public places may gain you familiarity with the character, but you have to take actions in favor of the character to gain reputation.

#18 – Transport to Batuu

The box truck that is decked out as a space transport ship does a great job of keeping you “in-world” for the ~5 minute ride between the Galactic Starcruiser building and the in-park entrance to Batuu.  If you think about it, you can tell that you’re riding in the cargo section of a box truck, but if you don’t think about it too much, the interior of the vehicle and the music do a good job of continuing the story.

#19 – Integration between app, characters, terminals, experiences on Batuu, Droid in the room

As a systems engineer and business owner, I have some glimpses at all of the various systems, both technical and people-related that have gone into putting this entire experience together.   One of the most impressive aspects to me is that it all “works” and relatively transparently to the guest. This involves multiple departments and mostly unrelated backend systems talking together.

The simplest of examples is that your excursion into Batuu includes meals, which integrates with Disney Dining Plans to make them included.

As a more complex example, consider that boarding the shuttle to Batuu unlocks messages in the Data Pad app upon your arrival in the park.  They also scan you into the park (similar to going through the front entrance), and they enable Lightning Lanes in yet another Disney system so that you can experience the two attractions without waiting in the full line.  These are many separate backend systems that are integrated together fairly seamlessly to the guest.

#20 – Storytelling with improv

Improv certainly isn’t new.  And acting certainly isn’t new.  But it seems to be a pretty new skill to move a story forward while interacting with guests in the context of a different universe. I was surprised by the depth of the actors’ knowledge about obscure characters and designs. For example, my brother-in-law was wearing a logo of some kind, and a couple of characters commented on the “antique” design, since it was from the timeline of the original movies while the Starcruiser is set during the last trilogy.

The actors also did a fantastic job of being accessible and including everybody that wanted to participate in their story.  On each of my trips, there were a couple of guests who stood out as being “on their side”, and the actors would include them in the story and narrative.

#21 – Letter from Croy after he’s arrested

And finally, after the story concludes, the actors stay around for a bit and the guests tend to tell them “thank you” and kind of wind up that relationship.  The actors, of course, do a great job of staying in character while being gracious.  However, Lt Croy is arrested as part of the final event, so he’s not around to talk with.  That was a bit of a disappointment, as we spent most of our time with him and the First Order on our second trip.

In one of my favorite little details, when we arrived back at the cabin at the end of the night, there was a letter from Lt Croy explaining that he’s devising a way to get back to his station, and thanking us for our efforts in assisting the First Order!

Letter from Lt Croy

What else did you notice that I missed?  I’m sure there is plenty more. Let me know in the comments below!

Adding ed25519 SSH Host Keys via cloud-init

SSH host keys are the public/private key pairs that identify a server when you connect to it via SSH.
Most people don’t understand very well how these work, and just quickly click, or type ‘yes’, to approve the key fingerprint
when they connect to a server via SSH.

The first time you connect to a server, you will see something like this:

The authenticity of host '[myremoteserver.com]:22 ([12.34.56.78]:22)' can't be established.
ED25519 key fingerprint is SHA256:Vqfv339yJU/zRADJ4SlgF8DcZ0d7Cy1zWX69C33d3e4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

This means that it is the first time your computer has connected to that SSH server. It is asking you to confirm that the key fingerprint is the one you expected. Since we rarely communicate key fingerprints in advance, most of us trust that it is correct and just type ‘yes’. If you can get the fingerprint by another route (for example from the instance’s console output, where cloud-init prints the host key fingerprints at first boot, or by running ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server itself), compare it before answering.

But this is an important part of the Authentication process. There are a number of possible ways that the remote server may NOT be the server you intend. You could have simply typed the hostname wrong. More nefarious examples might include DNS hijacking or rerouting of your traffic.

When you answer ‘yes’ to that question, the host’s public key is saved in ~/.ssh/known_hosts on your machine. When you connect to the same host again, the key it presents is compared against that entry, so you won’t be asked again as long as it matches.

Note that SSH Host Keys (sometimes called SSH Instance Keys) are in the same format, but have a different purpose than SSH User Keys with which most people are familiar. The Host Keys are intended to identify the MACHINE, while your user key is meant to identify YOU.

The SSH host keys are usually created the first time an instance boots. When the SSH server starts and doesn’t find existing host keys, it generates them using the system’s random number generator. It just happens, without anyone having to think about it.

I happen to connect to a lot of servers that are turned on by AWS Auto Scaling Groups. Whenever a new server is launched, that instance creates new SSH Host Keys. If a server has been recreated since I last connected to it, I get this nasty error message:

user@my-machine ~ % ssh ubuntu@myremotemachine
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:Vqfv339yJU/zRADJ4SlgF8DcZ0d7Cy1zWX69C33d3e4.
Please contact your system administrator.
Add correct host key in /Users/myusername/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/myusername/.ssh/known_hosts:16
Host key for [myremotemachine]:22 has changed and you have requested strict checking.
Host key verification failed.

This error message explains that the SSH Host Key of the machine to which I’ve attempted to connect doesn’t match what it used to be. This could be due to a man-in-the-middle attack, or it could be that the host key legitimately changed, as is what happens when my Auto-Scaling group creates a new instance.

You can “fix” this error by editing your ~/.ssh/known_hosts file and removing the offending line that is mentioned (line 16 in this example), or more conveniently with ssh-keygen -R myremotemachine, which removes every entry for that hostname. Only do this when you know why the key changed; if you didn’t replace the server, treat the warning as the man-in-the-middle alarm it is.

I’ve recently gotten tired of fixing my known_hosts file and have started changing my Auto-Scaling groups so that they use the same Host Key each time that the instance starts. That means I don’t get the error message, and it saves me ~10 seconds (and doesn’t break my train-of-thought) when connecting to an instance that has been replaced.

This is an example of what I enter into the UserData section of my CloudFormation template inside the LaunchTemplate section. It specifies two pre-generated SSH Keys so that each time the instances launches, it will have the same host key.

In order to generate these, I usually just launch an instance the first time without it, then grab the four files mentioned below. The private key files are readable only by root, so copy them with sudo and treat the copies as secrets. The files are:

  • /etc/ssh/ssh_host_ecdsa_key
  • /etc/ssh/ssh_host_ecdsa_key.pub
  • /etc/ssh/ssh_host_ed25519_key
  • /etc/ssh/ssh_host_ed25519_key.pub

You could also create these files in advance using ssh-keygen (for example ssh-keygen -t ed25519 -N '' -f ssh_host_ed25519_key).
My example below uses the newer ecdsa and ed25519 keys, and avoids the older rsa and dsa keys. This should work fine for most modern distributions and SSH clients; a client that only supports RSA host keys would fail to negotiate, so keep an RSA pair if you have such clients.

UserData: !Base64 |
  #cloud-config
  write_files:
    - path: /etc/motd
      owner: root:root
      permissions: '0644'
      content: |
        You are connected to my-hostname

  ssh_keys:
    ecdsa_private: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      put-your-private
      key-contents
      here
      -----END OPENSSH PRIVATE KEY-----
    ecdsa_public: ecdsa-sha2-nistp256 AAAAyour-public-key-contents-here ecdsa-my-hostname

    ed25519_private: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      put-your-private
      key-contents
      here
      -----END OPENSSH PRIVATE KEY-----
    ed25519_public: ssh-ed25519 AAAAyour-public-key-contents-here ed25519-my-hostname

There is one downside: the host keys are now stored in my CloudFormation template, so I need to keep that template secure. Anybody who has the private keys can impersonate every server that uses them, and because the keys are shared across the Auto Scaling group, compromising one instance exposes the host identity of all of them. Keep in mind that user data is not a secret store: any process on the instance can read it from the instance metadata service (http://169.254.169.254/latest/user-data), and so can anyone allowed to describe the instance’s user data or the launch template. Pinning a shared host key this way is a reasonable trade when you accept those limits; the alternative is to keep per-instance keys and have them signed by an SSH host certificate authority that clients trust via a @cert-authority line in known_hosts.

Query to view the InnoDB History List Length

The InnoDB History List Length is an important metric that I continuously need to check and monitor, especially on database servers with a write-heavy workload. I’ve been bitten several times when the MySQL server seems to be operating fine, but it gets a huge backlog of writes.

You can issue the show engine innodb status; command to see the whole InnoDB status, which includes the History List Length, like this:

------------
TRANSACTIONS
------------
Trx id counter 725255284309
Purge done for trx's n:o < 725255284309 undo n:o < 0 state: running but idle
History list length 12

But that can be easily lost in the huge wall of text.

The information_schema.innodb_metrics table (added in MySQL 5.6) exposes the same counter, so you can obtain this important metric from a straightforward query:

select count from information_schema.innodb_metrics where name = 'trx_rseg_history_len';

mysql> select count from information_schema.innodb_metrics where name = 'trx_rseg_history_len';
+-------+
| count |
+-------+
|    16 |
+-------+
1 row in set (0.01 sec)
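The number is easy to script once you have it in hand. As an added example that is not part of the post, the Python below extracts the history list length from SHOW ENGINE INNODB STATUS text, classifies it against warning and critical thresholds, and reports whether purge is catching up across successive samples. The status excerpt is constructed from the output shown above, and the thresholds are hypothetical defaults; the value returned by the innodb_metrics query can be fed to the same classification.

```python
"""Extract InnoDB's history list length from SHOW ENGINE INNODB STATUS output
and turn successive readings into a monitoring verdict."""
import re

# Constructed excerpt of SHOW ENGINE INNODB STATUS output; only the
# TRANSACTIONS section matters here, the rest of the wall of text is omitted.
SAMPLE_STATUS = """\
------------
TRANSACTIONS
------------
Trx id counter 725255284309
Purge done for trx's n:o < 725255284309 undo n:o < 0 state: running but idle
History list length 12
LIST OF TRANSACTIONS FOR EACH SESSION:
"""

_HLL_RE = re.compile(r"^History list length (\d+)\s*$", re.MULTILINE)


def history_list_length(status_text):
    """Return the history list length from the TRANSACTIONS section.

    Raises ValueError if the line is absent, so a monitoring job fails loudly
    instead of reporting zero when it was handed the wrong text."""
    match = _HLL_RE.search(status_text)
    if match is None:
        raise ValueError("'History list length' not found in status output")
    return int(match.group(1))


def purge_lag_level(length, warn=10_000, crit=1_000_000):
    """Classify a single reading. The thresholds are hypothetical defaults; a
    history list that keeps growing matters more than any absolute value."""
    if length >= crit:
        return "critical"
    if length >= warn:
        return "warning"
    return "ok"


def purge_trend(readings):
    """Summarise readings taken over time: is purge keeping up with writes?"""
    if len(readings) < 2:
        return "unknown"
    first, last = readings[0], readings[-1]
    if last > first:
        return "growing"
    if last < first:
        return "shrinking"
    return "flat"


def assess(status_text, **thresholds):
    """Parse one status capture and return (length, level)."""
    length = history_list_length(status_text)
    return length, purge_lag_level(length, **thresholds)


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
    print(purge_trend([12, 4_000, 250_000]))
```

A cron job that captures the status every minute and keeps the last few readings gets both a level and a trend; a "warning" that is "shrinking" after a big batch job is normal, while "warning" and "growing" on a quiet server usually means a long-running transaction is holding purge back.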

If you’re an AWS / RDS customer, I’d love to have the History List Length as a native graph available for all MySQL instances. I wrote a request for this on AWS re:Post if you feel like voting it up.

Unexpected Behavior with PHP DateTime::createFromFormat(‘U.u’)

I recently came across what felt like a Bug in PHP and was about to file a bug report. I found a couple of people talking about workarounds, but no explanation about why this “bug” exists and is allowed to persist. Hopefully this post helps to explain this unintuitive behavior.

The problem has to do with the PHP DateTime::createFromFormat() function. The desire here is usually to create a DateTime object that represents a precise point in time, down to the microsecond (the 'u' format character). This code would normally work as expected:


<?php
// microtime(true) returns a float such as 1696832681.000119
$time = microtime(true);
// 'U.u' expects "<unix seconds>.<microseconds>" as a string; the float is converted implicitly
$dateTimeObj = DateTime::createFromFormat('U.u', $time);
echo $dateTimeObj->format('Y-m-d H:i:s.u')."\n";

However, I was observing a problem that occurred infrequently that said

PHP Fatal error: Uncaught Error: Call to a member function format() on bool

So somehow, despite working the vast majority of the time, the $dateTimeObj would sometimes return a boolean (false) instead of a DateTime object.

After looking into the failed cases, I found that the time 1696832681.000019 returns false, while 1696832681.000119 works as expected. The two differ by only 100 microseconds. Clearly 0.000019 is close enough to zero that it is being rounded away somewhere, and that unexpectedly causes the problem. DateTime::getLastErrors() reports the error as “Data missing”:


calling createFromFormat('U.u') with
float(1696832681.000049)
Array
(
    [warning_count] => 0
    [warnings] => Array
        (
        )

    [error_count] => 1
    [errors] => Array
        (
            [10] => Data missing
        )

)

In order to understand what is occurring, you need to notice that the second argument of DateTime::createFromFormat() is expected to be a string. When you pass a float, PHP converts it to a string first, and that conversion honours the precision ini setting, which defaults to 14 significant digits. 1696832681.000049 has ten digits before the decimal point, so only four decimal places survive; those are all zeros, PHP drops them, and the result is the string “1696832681”. With no period and no microseconds in the string, createFromFormat('U.u') complains about “Data missing” and returns false. 1696832681.000119 becomes “1696832681.0001”, which still matches the format (u accepts up to six digits), so it works, although the microseconds have already been truncated.

The fix is fortunately very simple: pass number_format($time, 6, '.', '') instead of the raw float, which returns a string with all six decimal places intact. It’s not elegant looking, but it doesn’t suffer from the occasional false return and the fatal error that follows. Whatever you pass, check the return value for false before calling methods on it.

It’s 2023. You Should Be Using an Ed25519 SSH Key (And Other Current Best Practices)

I often have to ask other IT professionals for the Public SSH key for access to a server or for other tasks. I really cringe when they ask me what that is or how to create one. I kindof cringe when they give me one from PuttyGen in its native format. I feel a little better when they provide a 4096-bit RSA key without needing an explanation. When somebody provides an Ed25519 key, I feel like I’m working with somebody who knows what they are doing.

A 4096-bit RSA key looks like this:

ssh-rsa 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 someuser@brandonsLaptop

And for comparison, an Ed25519 Key looks like this:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLEURucCueNvq4hPRklEMHdt5tj/bSbirlC0BkXrPDI someuser@ip-172-31-74-201

The Ed25519 key is much shorter, so initially you might think it is less secure. But these keys use a totally different algorithm, so although the key has fewer characters, it is, for all practical purposes, as secure as the RSA key above. You can ask your favorite search engine or AI for more details about the differences.
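As an added example (not the post’s own code), the following Python script decodes public-key lines like the two above: it reports the algorithm and key size, computes the SHA256 fingerprint in the same form ssh prints in its host-key prompt, builds the known_hosts entry you would pin for a pre-generated host key like the ones in the cloud-init post above, and vets a key someone sends you against a simple acceptance policy (Ed25519 or ECDSA accepted, RSA only at 4096 bits or more, DSA and unparseable PuTTY-format keys rejected, empty comments flagged). The Ed25519 key is the one shown above; the RSA key is constructed in code purely so the size check has something to reject, and the policy thresholds are my assumptions rather than anything the post specifies.

```python
"""Decode OpenSSH public-key lines: identify the algorithm and key size,
compute the SHA256 fingerprint that ssh shows in its host-key prompt, build a
known_hosts entry for a pinned host key, and vet a key someone sends you."""
import base64
import binascii
import hashlib
import struct

# Key line from this post. MIN_RSA_BITS is my own policy assumption.
ED25519_EXAMPLE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLEURucCueNvq4hPRklEMHdt5tj/bSbirlC0BkXrPDI someuser@ip-172-31-74-201"
MIN_RSA_BITS = 4096


def _wire_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_public_key(line):
    """Return (key_type, fields, comment); fields are the blob's strings after the type."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    try:
        fields = _wire_strings(base64.b64decode(encoded, validate=True))
    except (binascii.Error, struct.error) as exc:
        raise ValueError(f"not an OpenSSH public key: {exc}") from exc
    if not fields or fields[0] != key_type.encode():
        raise ValueError("type prefix does not match the key blob")
    return key_type, fields[1:], comment


def fingerprint_sha256(line):
    """SHA256 fingerprint in OpenSSH's notation: base64 of the digest, no padding."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(host, line, port=22):
    """known_hosts line for a host key; non-default ports use the [host]:port form."""
    key_type, _, _ = parse_public_key(line)
    name = host if port == 22 else f"[{host}]:{port}"
    return f"{name} {key_type} {line.split()[1]}"


def check_key(line):
    """Vet a public key someone sent you. Returns a list of problems; empty means accept."""
    try:
        key_type, fields, comment = parse_public_key(line)
    except ValueError as exc:
        return [str(exc)]   # also catches PuTTY's "---- BEGIN SSH2 PUBLIC KEY ----" format
    problems = []
    if key_type == "ssh-ed25519":
        if len(fields) != 1 or len(fields[0]) != 32:
            problems.append("malformed ed25519 key")
    elif key_type == "ssh-rsa":
        if len(fields) != 2:
            problems.append("malformed RSA key")
        else:
            bits = int.from_bytes(fields[1], "big").bit_length()   # fields = [e, n]
            if bits < MIN_RSA_BITS:
                problems.append(f"RSA key is only {bits} bits; need {MIN_RSA_BITS} or an ed25519 key")
    elif key_type == "ssh-dss":
        problems.append("DSA keys are not accepted")
    elif not key_type.startswith("ecdsa-sha2-nistp"):
        problems.append(f"unexpected key type {key_type}")
    if not comment:
        problems.append("key has no comment; it should identify its owner")
    return problems


def constructed_rsa_line(bits, comment="constructed@example"):
    """Build a syntactically valid ssh-rsa line of the given size. The modulus is
    fake (all ones), so this is only useful for exercising check_key."""
    exponent = b"\x01\x00\x01"
    modulus = b"\x00" + b"\xff" * (bits // 8)   # mpint needs a leading zero when the top bit is set
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-rsa", exponent, modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(fingerprint_sha256(ED25519_EXAMPLE))
    print(known_hosts_entry("myremoteserver.com", ED25519_EXAMPLE))
    print(check_key(ED25519_EXAMPLE), check_key(constructed_rsa_line(2048)))
```

For the host-key case, run fingerprint_sha256() on the ed25519_public line from your cloud-init template and compare it with the fingerprint in the “authenticity of host ... can’t be established” prompt; or append the known_hosts_entry() output to ~/.ssh/known_hosts so the prompt never appears for that group of instances.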

The Ed25519 algorithm has been around for ~10 years now. It is widely supported by any modern software, and as such is the current standard for most professional users. Creating a key is simple with the ssh-keygen command. But before jumping to the actual command, I wanted to also explain a couple other tips that I use, and think others should pick up as well.

Keys should be issued to individuals, not groups

You should never, ever share your private key with anybody. Ever. If a key is ever shared, you have to assume that the other party can impersonate you on any system in which it is used.

I’ve seen some organizations who create a new machine and use a new SSH Key on it. Then share the key with all of the individuals who need to access the machine. Perhaps this practice comes from AWS or other hosting providers who create an SSH key for you, along with a new machine, and the user not knowing any better.

Although it kindof works, that’s the backwards way of doing it. Individuals should own their own keys. They should be private. And you can add multiple public keys to resources where multiple people need access. You then revoke access by removing the public key, instead of having to re-issue a new key whenever the group changes. (Or worse, not changing the key at all!)

Rotating your keys

You should rotate your SSH keys on some kind of schedule. The main risk you are trying to avoid here is that if you have used the same key for 20 years, and then your laptop with your private key gets lost, or your key compromised, every machine that you’ve been granted access to over that time is potentially at risk, because administrators are notoriously bad about revoking access. By changing out your key regularly, you limit the potential access in the case of a compromised key. Generating a new SSH key also ensures that you are using more modern algorithms and key sizes.

I like to start a new key about every year. To remind my self to do this, I embed the year I created the key within its name. So I last created a key in March 2023, which I have named brandon+2022-03@roundsphere. When it gets to be 2024, I’ll be subtly reminded each time I use it that it’s time to create a new key. I keep all of my older keys if I need them. But they aren’t in memory or in my SSH-Agent. If I do need to use one, it is enough of a process to find the old one, that the first thing I’ll do is update my key as soon as I get in a system where an old key was needed.

Don’t use the default comment

Make the comment meaningful. If you don’t provide one, it defaults to your_username@your_machine_name, which may be silly or meaningless. In a professional setting it should clearly identify you. For example, BrandonChecketts is a better comment than me00101@billys2017_macbook_air. It should be meaningful both to you and to whomever you share it with.

I mentioned including the creation month above, which I like because when sharing it, it subtly demonstrates that I am at least somewhat security conscious and I know what I’m doing. The comment at the end of the key isn’t necessary for the key to work correctly, so you can change it when sharing it. I often change the comment to be more meaningful if someone provides me with a key that doesn’t clearly indicate its owner.

Always use a passphrase

Your SSH key is just a tiny file on disk. If your machine is ever lost, stolen, or compromised in any way by an attacker, the file is pretty easy for them to copy. Without it being encrypted with a pass phrase, it is directly usable. And if someone has access to your SSH private key, they probably have access to your history and would know where to use it.

As such, it is important to protect your SSH private key with a decent passphrase. Note that you can use ssh-agent so you don’t need to type the passphrase every time you use the key.

The Command

This is the command you should use to create your ED25519 Key:

ssh-keygen -t ed25519 -f ~/.ssh/your-key-filename -C "your-key-comment"

That will ask you for a passphrase and then show you a cool randomart image that represents your public key once it is created:

 $ ssh-keygen -t ed25519 -f ./deleteme -C "brandon+2023-09@roundsphere"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./deleteme
Your public key has been saved in ./deleteme.pub
The key fingerprint is:
SHA256:HiCF8gbV6DpBTC2rq2IMudwAc5+QuB9NqeGtc3pmqEY brandon+2023-09@roundsphere
The key's randomart image is:
+--[ED25519 256]--+
| o.o.+.          |
|  * +..          |
| o O...          |
|+ B *. .         |
|.B % .  S        |
|=E* =  . .       |
|=+o=    .        |
|+==.=            |
|B..B             |
+----[SHA256]-----+

Obsessive/Compulsive Tip

I may have spent 10 minutes creating a key over and over until I found one that ended in a few characters that I like. One of my keys ends in 7srus, so I think of it as my “7’s ‘R’ Us” key. You can do that repeatedly until you find a key that you like with this one-liner:

rm -f newkey newkey.pub; ssh-keygen -t ed25519 -f ./newkey -C "brandon+2023-09@roundsphere.com" -N '' && cat newkey.pub

That creates a key without a passphrase, so you can do it over and over quickly until you find a public key that you “like”. Then protect it with a passphrase with the command

ssh-keygen -p -f newkey

And obviously, then you rename it from newkey to something more meaningful.

What else? Any other tips for creating an SSH key and looking like a professional in 2023?

MySQL 8.0.34 Upgrade and tons of MY-013360 ‘mysql_native_password’ is deprecated warnings

After upgrading a busy server to MySQL 8.0.34, I noticed that my error log was filling up with tons of these warnings. Hundreds of them per second cause a noticeable cost when they are shipped to CloudWatch Logs. The deprecation notice appears to have started in MySQL 8.0.34.

2023-08-18T22:01:12.183036Z 19100582 [Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'

I could see that all of my active users were using the mysql_native_password plugin with this query:

mysql> select user, host, plugin from mysql.user;
+------------------+-------------+-----------------------+
| user             | host        | plugin                |
+------------------+-------------+-----------------------+
| user1            | %           | mysql_native_password |
| user2            | %           | mysql_native_password |
| user3            | %           | mysql_native_password |
| mysql.infoschema | localhost   | caching_sha2_password |
| mysql.session    | localhost   | caching_sha2_password |
| mysql.sys        | localhost   | caching_sha2_password |
| rdsadmin         | localhost   | mysql_native_password |
+------------------+-------------+-----------------------+
7 rows in set (0.01 sec)

Some googling pointed me to a somewhat related Stack Overflow article, from which I figured out how to change the authentication plugin for each user with the command:

ALTER USER user2@'%' IDENTIFIED WITH caching_sha2_password BY 'the_password';

After updating each account, they look correct in the mysql.user table:

mysql> select user, host, plugin from mysql.user;
+------------------+-------------+-----------------------+
| user             | host        | plugin                |
+------------------+-------------+-----------------------+
| user1            | %           | caching_sha2_password |
| user2            | %           | caching_sha2_password |
| user3            | %           | caching_sha2_password |
| mysql.infoschema | localhost   | caching_sha2_password |
| mysql.session    | localhost   | caching_sha2_password |
| mysql.sys        | localhost   | caching_sha2_password |
| rdsadmin         | localhost   | mysql_native_password |
+------------------+-------------+-----------------------+
7 rows in set (0.00 sec)

But the warnings continued at the same volume, so even though the database user accounts seem to be configured correctly, the MySQL client library that I’m using must still be falling back to mysql_native_password. This application is using PHP 7.4.3, so it’s not too old, and some references indicate that support for caching_sha2_password was released in PHP 7.2, so that shouldn’t be the problem.

I see that the default_authentication_plugin variable is set to mysql_native_password, but this database instance is hosted on RDS, and that configuration value is not modifiable.

I see that the MySQL log_error_suppression_list is also available and could be configured to suppress only the MY-013360 error. Unfortunately, this value is not configurable using MySQL8 Parameter groups.

In the meantime, I’m spending several dollars per day in CloudWatch Logs for this, so to turn it off, I was able to stop deprecation notices from being logged by setting the global log_error_verbosity value to 1 (instead of the default of 2).

This prevented the error from filling up the logs for now. Next I can try upgrading the application to PHP 8 and checking into specific connection parameters that may force it to use caching_sha2_password.
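Before dropping log_error_verbosity to 1, it is worth knowing what else is in the log, since verbosity 1 keeps only error messages and silences warnings of every code, not just MY-013360 (log_error_suppression_list would have targeted the one code, but as noted above it is not available in the RDS parameter group). The following is an added example, not from the post, that summarises a MySQL 8 error log by level and code and finds the busiest second for the deprecation warning; the sample lines are constructed, and the codes other than MY-013360 are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: summarise a MySQL 8 error log before
# dropping log_error_verbosity to 1. Verbosity 1 keeps only error messages,
# so every warning, not just MY-013360, disappears; this shows what else you
# would lose and how fast the deprecation warning is actually arriving.
# Assumes POSIX awk/sort and the default log format shown in the post:
#   <timestamp> <thread-id> [Level] [MY-nnnnnn] [Subsystem] message

# Read log text on stdin; print "count [Level] [MY-code]", most frequent first.
summarize_error_log() {
    awk '{ n[$3 " " $4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Read log text on stdin; print the busiest second for MY-013360 as
# "count <timestamp-to-the-second>" (the post saw hundreds per second).
peak_native_password_rate() {
    awk '$4 == "[MY-013360]" { split($1, t, "."); n[t[1]]++ }
         END { for (s in n) print n[s], s }' | sort -rn | head -n 1
}

# Constructed sample (not a real capture). Only MY-013360 is a real code from
# the post; the other codes are placeholders standing in for unrelated
# warnings and notices you may also be logging.
sample_log() {
cat <<'EOF'
2023-08-18T22:01:12.183036Z 19100582 [Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'
2023-08-18T22:01:12.201001Z 19100583 [Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'
2023-08-18T22:01:12.400500Z 19100584 [Warning] [MY-000001] [Server] placeholder for some other warning you still want to see
2023-08-18T22:01:13.000100Z 19100585 [Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'
2023-08-18T22:01:13.500000Z 0 [System] [MY-000002] [Server] placeholder for a notice
EOF
}

# Stand-alone run; on a real server replace "sample_log" with
# "cat /var/log/mysql/error.log" (or however you pull the RDS log).
sample_log | summarize_error_log
sample_log | peak_native_password_rate
```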

Do you have more or updated information? Or just questions? Please let everybody know in the comments below. FWIW, I’ve created an AWS Re:Post topic requesting the addition of log_error_suppression_list in a parameter group. Feel free to vote that up if you run into this issue.

Star Wars Galactic Starcruiser – By the Numbers

With the Galactic Starcruiser at Walt Disney World closing at the end of September 2023, I was able to visit a second time and made a lot of notes on this amazing experience. This is part of a series of posts as I contemplate what made it so unique, why it was cancelled, and what may happen with the building after September.

Number of Voyages

First Sailing: March 1st-3rd, 2022

Final Sailing: Sept 28th-30th, 2023

There are 576 days between those dates, so 288 voyages were possible.

Sailings Canceled:

Sept 27th and Sept 29th due to Hurricane Ian

Nine voyages were said to be canceled due to low attendance, but were probably filled once the termination was announced: July 4, 12, 17; August 1, 7, 15, 27; September 4 and 12.

Total Voyages:  286 voyages


How many guests are on each voyage?

I’m looking to arrive at two different numbers: the absolute maximum capacity, and the expected capacity, since not every room is filled to the full capacity all of the time.


Available Cabins:

I found this graphic from wdwnt.com:

Star Wars Galactic Cruiser Floor Plan


Based on the above floor plan from wdwnt.com, I calculated 102 total cabins, with a maximum occupancy of 504:

  • 72 regular cabins (up to 5 guests)
  • 24 suites (up to 4 guests)
  • 6 captain suites (up to 8 guests)

But that is assuming the same layout on each of the three floors. Another of their articles cites 100 cabins, consisting of 94 Standard cabins, 4 Suites, and only two Grand Captain Suites. That equates to 506 possible guests, so basically the same number.

It’s important to note that both of these calculations are with every bed of every room filled to capacity. However, cabins frequently only have two guests. So how can I estimate the expected capacity? I did this by counting the number of seats in the dining room.


Dining Room Seats

Version One – My observation

  • Higher Level, outside bench seats
    • 13x 4 seaters (52 total)
  • Floor level, outside
    • 11x 4-seat one side (44 total)
    • 6x 4-seat other side (24 total)
  • Floor Level, inside
    • 2x 8 seats (16 total) 
    • 1x long 12 seats (12 total)
    • 2x round 5 seats (10 total)
    • Captains table with 12 seats (12 total)
    • 2x round 5 seats (10 total)
    • 1x long 12 seats (12 total)
  • 2x corner 4 seats (8 total)

Total by my count: 200


Dining Room Seats, based on Floor Plan:

  • Higher Level, outside bench seats
    • 13x 4 seaters (52 total)
  • Floor level, outside
    • 42 on bottom (42 Total)
    • 28 on top (ramp takes up some space) (28 Total)
  • Floor Level, inside
    • 0x 8 seats 0
    • 2x long 12 seat 24
    • 4x round 5 seats 20
    • Captains table with 12 seats 12
    • 2x corner ~6 seats 12

Total Seating Capacity, based on image: 190

Since there are two dinner seatings, around 380-400 seems to be the max planned capacity, which equates to an average of 4 guests per room.

Total Guests experiencing Galactic Starcruiser:

Some early voyages were filled to capacity, and we know that some of the latest voyages had few enough guests that the voyages were cancelled and there was only one dinner seating, so those must have had fewer than 200 guests. Both times that I visited (once when it was pretty new, and once after the cancellation was announced), the dining rooms were mostly full. So I’m comfortable guessing an average of about 320 guests on an average voyage.

With 285 voyages, that means around 91,200 guests will have been able to experience the Galactic Starcruiser.

Repeat Visitors

Some guests have been able to visit the Galactic Starcruiser more than once. On our first visit, just a couple of months after it opened, the security guard mentioned that “some crazy Club 33 member” had been eleven times already. Anecdotally, from the couple of Facebook groups I’ve been a part of, and from talking with others while there, I’d estimate that 5% of guests on any voyage have visited before, so I’ll estimate that around 86,000 unique guests will have been able to experience it before it closes at the end of September, and around 4,000 guests have been able to visit it more than once.

Cast Members:

How much staff does it take to operate the Galactic Starcruiser?  Below are my estimates, based on observation and some reasoning.

  • Entertainment Staff:
    • Actors (17 roles x 2 cast members per role = 34, plus a couple shadowing/training)
      • Raithe Kole
      • Gaya
      • Ouannii (musician)
      • Sandro
      • Captain Keevan
      • Cruise Director Lenka Mok
      • Sammie
      • Lt Croy
      • Chewbacca
      • Stormtrooper
      • Stormtrooper
      • Rey
      • Kylo Ren
      • 4x Saja
    • Back Stage (estimates)
      • Tech Crew:  6
      • Makeup 6
      • Costuming 4


  • Food & Beverage
    • Servers 15
    • Bartenders (Chemists) 8
    • Cooks/Kitchen 15


  • Valet: 2
    • (Educated guess. Perhaps they valet on arrival day and drive the shuttle to and from Batuu on the other day)
  • Housekeeping 8
    • (100 rooms, 12 rooms each = 8, again every other day)
  • Merchandise: 8
    • Estimate, based on observations
  • Front Desk / Guest Service 8
    • Estimate, based on observations
  • Management
    • Food & Beverage 3
    • Hotel Operations 3
    • Entertainment 3


What do you think? Did I miscalculate anything or are my estimates way off? Do you have any additional knowledge that you’d like to share? Anything I missed that you’d like to see? Please let me know in the comments.

Temporarily Repair Your Home Internet After a Cable is Cut

I’ve been having some landscaping work done in my yard, and despite having all of the utility lines marked, the crews have managed to cut my cable internet line on several occasions. Since I work from home, and we have hardly any cellular reception at the house, it was pretty devastating. I couldn’t even call the cable company to repair it without driving somewhere with better reception.

So when they said it would be a few days to get a technician to come and repair the cut cable, I decided to try out some repairs on my own. I happen to have some coax crimpers, spare cable, and ends at home, so I first attempted to terminate the cut ends, but the direct-burial cable that is used outdoors is quite a bit thicker than indoor cable, so my ends and crimpers wouldn’t work.

Without any of the correct tools, I was left with just the most primitive of methods: simply twist the center wires together with some needle-nose pliers, and tie them together with wire ties.

Here’s one of my first attempts when they cut the coax. I tied it into my own coax, which ran back to the house. On this first attempt, I tried to leave some extra shielding and twist that together from each end.
Black Coax Wire Tied in Grass

A subsequent cut, with newer cable, had enough slack that I could just tie the two ends together directly. After it was repaired, this is what the technician left, so you can see how I first twisted the ends together as much as I could with some pliers before adding a wire tie. I just cut the shielding clean off and didn’t attempt to mess with it, and it still worked fine.

Orange Outdoor Coax Twisted

Orange Outdoor Coax Wire-Tied

It didn’t result in the full 200 Mbps+ speed that I should be getting, but 50+ Mbps was absolutely better than nothing for the few days until the technician could come and re-terminate the ends properly:

Speed Test - 66 Mbps down, 10 Mbps up

Installing snmpd on Ubiquiti Dream Machine Pro

I was surprised that the Ubiquiti Dream Machine Pro doesn’t have SNMP available. I recall that there was an option to enable it in older versions of their software, but the current 3.0.20 version doesn’t even have an option to enable it (and I don’t think that it worked correctly in previous versions).

Fortunately, it’s basically just a Debian machine, so you can enable it yourself! These are the steps that I took to enable snmpd so that I could add it to my network monitoring system:

First, update the repositories and install the snmp and snmpd packages:

apt update
apt install -y snmp snmpd

Then, you have to edit the snmpd.conf file in /etc/snmp/snmpd.conf and change these two lines from the View section. This change makes it so that instead of providing information only about the host system, it provides information about all of the attached interfaces as well.

view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1

To these two lines (note that the first line now ends at .1.3.6.1.2.1 instead of .1.3.6.1.2.1.1, which is what opens up the whole mib-2 subtree, interface tables included):

view systemonly included .1.3.6.1.2.1
view systemonly included .1.3.6.1.2.1.25.1.1

Also, you’ll probably want to configure the snmpd daemon so that it is reachable on a local network interface, so change the agentaddress line to this (obviously, with your box’s IP address if it isn’t 192.168.0.1):

agentaddress  127.0.0.1,[::1],192.168.0.1

Then restart the snmpd daemon:

service snmpd restart

You can test that it is working by running snmpwalk with a command like this:

snmpwalk -Os -c public -v 2c 192.168.0.1

Which should output hundreds of lines of stuff that start out similar to this:

brandon@auvik:~$ snmpwalk -Os -c public -v 2c 192.168.0.1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux dream-machine-pro 4.19.152-ui-alpine #4.19.152 SMP Thu Apr 6 21:41:48 CST 2023 aarch64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (377603) 1:02:56.03
iso.3.6.1.2.1.1.4.0 = STRING: "Me "
iso.3.6.1.2.1.1.5.0 = STRING: "dream-machine-pro"
iso.3.6.1.2.1.1.6.0 = STRING: "mycommunity"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."

If that works, congratulations! You’ve got snmpd installed on your Ubiquiti Dream Machine Pro. Your network monitoring system may take a little time to notice that SNMP statistics are now available on the device.

Note that upgrading the device will probably lose these configs and they’d have to be re-done.
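Since an upgrade can wipe these edits, the config steps above are worth keeping as a script. The following is an added example and not part of the post: it applies the two view changes and the agentaddress change to a Debian-style snmpd.conf, and additionally pins the read-only community to the monitoring host rather than Debian's "default" source (which answers any address). AGENT_IP, MONITOR_IP and COMMUNITY are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: the snmpd.conf edits above as a
# re-runnable script (handy because a UDM Pro upgrade wipes them), with one
# extra tightening the post does not do: the read-only community is pinned
# to the monitoring host instead of Debian's "default" (answer anyone).
# Assumes a Debian-style snmpd.conf and POSIX sed. AGENT_IP, MONITOR_IP and
# COMMUNITY are placeholders; set them for your network.
AGENT_IP="${AGENT_IP:-192.168.0.1}"        # the UDM's LAN address, as in the post
MONITOR_IP="${MONITOR_IP:-192.168.0.50}"   # placeholder: host running snmpwalk
COMMUNITY="${COMMUNITY:-public}"           # placeholder: pick something private

# Read an snmpd.conf on stdin and write the adjusted config to stdout.
harden_snmpd_conf() {
    sed \
        -e 's|^\(view[[:space:]]*systemonly[[:space:]]*included[[:space:]]*\)\.1\.3\.6\.1\.2\.1\.1$|\1.1.3.6.1.2.1|' \
        -e 's|^\(view[[:space:]]*systemonly[[:space:]]*included[[:space:]]*\)\.1\.3\.6\.1\.2\.1\.25\.1$|\1.1.3.6.1.2.1.25.1.1|' \
        -e 's|^agentaddress.*|agentaddress  127.0.0.1,[::1],'"$AGENT_IP"'|' \
        -e 's|^rocommunity[[:space:]].*|rocommunity '"$COMMUNITY"' '"$MONITOR_IP"' -V systemonly|'
}

# Apply in place with a backup, then restart, as the post does.
apply_snmpd_conf() {
    _f=${1:-/etc/snmp/snmpd.conf}
    cp "$_f" "$_f.bak" || return 1
    harden_snmpd_conf <"$_f.bak" >"$_f" || return 1
    service snmpd restart
}

# Quick check from the monitoring host: sysDescr (.1.3.6.1.2.1.1.1.0) should
# come back, and ifDescr (.1.3.6.1.2.1.2.2.1.2) proves the wider view works.
verify_snmpd() {
    snmpget -Os -c "$COMMUNITY" -v 2c "$AGENT_IP" .1.3.6.1.2.1.1.1.0 &&
    snmpwalk -Os -c "$COMMUNITY" -v 2c "$AGENT_IP" .1.3.6.1.2.1.2.2.1.2
}
```

Run `apply_snmpd_conf` on the UDM Pro after each upgrade, then `verify_snmpd` from the monitoring host; a request from any other address should get no answer.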


© 2024 Brandon Checketts
