Showing posts from August, 2014

OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users

Server setup (don't run init-pki twice!):

./easyrsa init-pki
./easyrsa build-ca

User key and cert signing request, on a completely separate machine (again, don't run init-pki twice!):

./easyrsa init-pki
./easyrsa gen-req myuser

Server signs the user cert request:

./easyrsa import-req myuser.req myuser
./easyrsa sign-req client myuser

Generate your server key and cert in a similar manner to a user.

Any client with a signed cert may connect to the server. There is no record of the client cert on the server itself; since the server signed the user cert, that is authority enough to validate the user cert.

Only if a user cert needs to be revoked is a "revocation file" created on the server; this revocation file disallows that user from connecting. If no users need to be revoked, nothing needs to be done, and nothing about users needs to exist on the server side.

Very fast editing over sshfs

Update: this can cause some of your ssh sessions to hang, so be aware of that.

Add this to your ~/.ssh/config:

  ControlMaster auto
  ControlPath /tmp/%r@%h:%p

Then, say you have root access via your ssh pub key (replace <remote-host> with your server; the host name was not given in the original):

mkdir tmp001
sshfs -o uid=1000 root@<remote-host>:/var/www tmp001

Now the files in tmp001 map to your remote /var/www directory, and access to them goes through an ssh session whose control socket is kept in your /tmp directory, i.e. all interactions are performed over the same ssh session.

To see the control socket file, if you opened the sshfs session in the last 10 minutes:

find /tmp -mmin -10 -ls

AWS cli: rework EBS volume on AMI launch: switch to SSD, "delete on termination" to true

aws ec2 run-instances --image-id ami-aaaaaa --instance-type hi1.4xlarge --security-group-ids sg-eeeeeeee --subnet-id subnet-cccccccc --block-device-mappings '[ { "DeviceName":"/dev/sdb", "VirtualName":"ephemeral0" }, { "DeviceName":"/dev/sdc", "VirtualName":"ephemeral1" }, { "DeviceName":"/dev/sdd", "Ebs": { "SnapshotId":"snap-6", "VolumeType":"gp2", …
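The rework the command above does by hand, as an added Python example (not from the original post): it takes an AMI's block-device mapping, forces every EBS entry to gp2 with DeleteOnTermination set, flags any EBS volume that would outlive the instance, and renders the run-instances argument. The sample mapping (including its "standard" volume) is constructed; the resource IDs are the page's own placeholders.

```python
import json
import shlex

# Constructed sample of an AMI's mapping: the two instance-store entries and the
# /dev/sdd EBS entry from the page, with a (constructed) magnetic volume type
# and no DeleteOnTermination flag, i.e. the state the rewrite is meant to fix.
AMI_MAPPINGS = [
    {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral1"},
    {"DeviceName": "/dev/sdd", "Ebs": {"SnapshotId": "snap-6", "VolumeType": "standard"}},
]


def rework_mappings(mappings, volume_type="gp2"):
    """Return a copy where every EBS entry is SSD-backed and deleted on termination.
    Instance-store entries (VirtualName) carry no EBS settings and pass through as-is."""
    reworked = []
    for mapping in mappings:
        mapping = json.loads(json.dumps(mapping))  # deep copy; leave the caller's data alone
        ebs = mapping.get("Ebs")
        if ebs is not None:
            ebs["VolumeType"] = volume_type
            ebs["DeleteOnTermination"] = True
        reworked.append(mapping)
    return reworked


def lingering_volumes(mappings):
    """Device names of EBS entries that do not explicitly set DeleteOnTermination.
    Anything not set explicitly is flagged rather than trusting AWS defaults, since a
    volume that survives termination keeps its data (and its bill) around."""
    return [m["DeviceName"] for m in mappings
            if "Ebs" in m and m["Ebs"].get("DeleteOnTermination") is not True]


def run_instances_cmd(image_id, instance_type, sg_id, subnet_id, mappings):
    """Render the aws ec2 run-instances command line with the mapping as shell-quoted JSON."""
    return " ".join([
        "aws ec2 run-instances",
        "--image-id", shlex.quote(image_id),
        "--instance-type", shlex.quote(instance_type),
        "--security-group-ids", shlex.quote(sg_id),
        "--subnet-id", shlex.quote(subnet_id),
        "--block-device-mappings", shlex.quote(json.dumps(mappings)),
    ])


if __name__ == "__main__":
    print("would linger:", lingering_volumes(AMI_MAPPINGS))
    print(run_instances_cmd("ami-aaaaaa", "hi1.4xlarge", "sg-eeeeeeee",
                            "subnet-cccccccc", rework_mappings(AMI_MAPPINGS)))
```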