An additional div is implemented to be double sure to hide unwanted overlapping and to make sure the area is correctly collapsed.

Put this code into your iFrame body:
 
window.onload = function() {

my_parent.getElementsByTagName('iframe')[0].style.height =
my_scrollHeight + "px";
my_parent.style.height = my_scrollHeight + "px";
}
 
// collapse div container and iframe if content is bigger than 60 pixel
else if ( my_scrollHeight < 60 ) {
my_parent.getElementsByTagName('iframe')[0].style.height = "0px";
my_parent.style.height = "0px";
}
}

In case you found this to be useful please consider upvoting it or follow me on Twitter at @nottinhill.

We all heard the useless tipp: ‘Go and add your ssh-keys in the GitHub FrontEnd.’

Let me suggest a different solution entirely. It might very well be that you mistyped your project name when adding it to your local git.
 

Remove and Add Origins

Let’s remove the old name:

git remote rm origin

 
Add it again, and don’t mistype this time:

git remote add origin git@github.com:Username/Projectname
Voilà I hope that helps.

Prerequisites

You will need to download JSpider for this tutorial. After extraction change directory into the bin folder. I highly recommend you to read the documentation of JSpider, on how to use a Proxy Server, how to limit the crawling depth and so forth. Even if it is just to get a feeling of this powerfool free software tool.

If GEO location is an issue, you should think about changing to a different proxy server by editing this configuration file: jspider.properties in the conf/checkErrors folder.

In the first step we will start crawling the page in the default settings and redirect the raw output to a textfile.

 
./jspider.sh http://www.allthingsbeautiful.org > atb.txt 
Now, this is going to take a while. Depending on the size of the Web site and in particular the depth of your configuration, this might take a while.

When you are done, now let’s get to the interesting part, parsing. jspider-tool.sh is another nice tool shipped with the Jspider package.

JSpider-tool

With the Jspider-tool you can grab HTTP headers, mime-types, download the resource or fetch and display it. We will focus on fetching the entire Web site or to be more specific the pages your JSpider config finds being worthy of getting parsed.

Before putting jspider-tool to use let’s filter that textfile we produced earlier for the keyword “parsed“.
 
cat abt.txt | grep parsed
Hopefully above command did output a line similar to the following:

[Plugin] http://www.abt.org/about parsed (handled)

In the final step we will send above URL to jpider-tool and fetch its source by utilising xargs’ handy replace string switch.

Finally we count the number of occurrences of the keyword ‘ads’ with grep -c.

This is what I’m using to parse a Web site and count the occurrences of any keyword.
 
cat abt.txt | grep parsed | awk -F " " '{print $2}' | xargs -I replaceStr ./jspider-tool.sh fetch replaceStr | grep ads 
Please note that the phrase replaceStr is just a variable name and you could use any name, like foobar. awk -F ” “ sets the delimiter to a whitespace. A whitepsace is the default, but I use it anyway. The output of above line should be some number like 1337.

If jspider-tool doesn’t work for you, you can use curl replaceStr?AnyParameters | grep keyword.

Summary

We used a license-free, extensible free software solution in above tutorial to spider virtually any huge Tier 1 digital property and count the number of occurrences of any keyword. Take a step back and think of the possibilities here.

Now go and try that on patent-restricted software. Exactly.

Hint: It’s never too late to ask your manager for approving you a Free Software box. Step over to our world..

Let’s go. First you need a running ATI Graphics Card under Linux. For this task you WILL need the proprietery driver by ATI/AMD, because it has to work seamlessly together with the AMD SDK which we will install, too.

Add RPM Fusion NoArch Repos.
 
rpm -Uv http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
We need some libraries (libGLU) from here:
 
yum install openssl-devel mesa-libGLU-devel
Get the AMD APP SDK version 2.1 and if you have to version 2.4, e.g. http://developer.amd.com/Downloads/ati-stream-sdk-v2.1-lnx64.tgz

Untar the SDK anywhere convenient, e.g. /opt
 
cd /opt
sudo mv Downloadlocation/ati-stream-sdk-v2.1-lnx64.tgz /opt
sudo tar xfzv ati-stream-sdk-v2.1-lnx64.tgz
Download http://developer.amd.com/Downloads/icd-registration.tgz and unpack it into root directory.
 
cd /
sudo mv Downloadlocation/icd-registration.tgz /
tar zxfv icd-registration.tgz
Add these lines to your .bash_rc in your user’s home directory and NOT in your /etc/profile or .bash_rc, since that won’t work.
 
LD_LIBRARY_PATH=/opt/ati-stream-sdk-v2.1-lnx64/lib/x86_64/:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Do an additional manual export for the current session with
 
export LD_LIBRARY_PATH=/opt/ati-stream-sdk-v2.1-lnx64/lib/x86_64/:$LD_LIBRARY_PATH
Now -and no other Tutorial got these steps right- rewrite Xorg.conf with
 
sudo aticonfig --initial -f --adapter=all
Reboot X or your whole computer system.

Then test:
 
./CLInfo |grep CL_DEVICE_TYPE_GPU
You have to see 3 GPUs here – don’t continue this tutorial until it outputs three dstinct lines saying Device Type: CL_DEVICE_TYPE_GPU

Troubleshooting above step:
 
export DISPLAY=:0
aticonfig --list-adapters
aticonfig --crossfire=off --adapter=all

Finally, the Miners:

Do a numpy package install through the KDE or Gnome panel, which works for many.

Download PyOpenCL
 
cd /home/YourUser/Downloads/ && wget http://pypi.python.org/packages/source/p/pyopencl/pyopencl-0.92.tar.gz && tar zxfv pyopencl-0.92.tar.gz && yum install scipy libboost* gcc-c++ subversion git-core -y &&./configure.py --cl-inc-dir=/opt/ati-stream-sdk-v2.1-lnx64/include/ --cl-lib-dir=/opt/ati-stream-sdk-v2.1-lnx64/lib/x86_64 && make && sudo make install
Wheww.. hang in there, we are almost finished, now get and install pyopencl:
 
cd pyopencl-0.92 &&./configure.py --cl-inc-dir=/opt/ati-stream-sdk-v2.1-lnx64/include/ --cl-lib-dir=/opt/ati-stream-sdk-v2.1-lnx64/lib/x86_64 && make && sudo make install
Download, configure and install python-jsonrpc
 
svn checkout http://svn.json-rpc.org/trunk/python-jsonrpc && cd python-jsonrpc && sudo python setup.py install && git clone git://github.com/m0mchil/poclbm poclbm && cd poclbm && chmod +x poclbm.py
Get Phoenix:

http://forum.bitcoin.org/?topic=6458.0

That’s it! Congratulations.

Now keep in mind that you have to control fan, clock and memory speeds and monitor temperature closely in order to mine efficiently and not overheat your precious hardware. In Linux one would use ATI’s command-line tool aticonfig, which is excellent. However, it gets tiresome to start-up all cards and set-up all parameters after a reboot. So I wrote a graphical app for that. You can grab it here. Of course it’s totally free, as in freedom.

To give everything a nice finish, why not install Compiz? I like to mine with style. This step is completely optional!
 
yum install ccsm emerald-themes compizconfig-backend-kconfig fusion-icon-qt emerald compiz-fusion libcompizconfig compiz-bcop compiz compizconfig-python compiz-fusion-extras compiz-kde compiz-manager
Don’t forget: it’s not about the money – it’s about modding and fun! Money comes and goes, especially if its easy money – it won’t stay for long with its owner.
 

Asia style.

If you found this tutorial helpful why not donate a tiny amount of Bitcoins to my address: 15DNbzruPy6b6MDutAqRE6BnruhpktGbiH and let me know in the comments below.

Preparation of the Kernel

Become root for the ease of use of this tutorial.

yum update
Reboot.

yum install kernel-headers kernel-devel gcc
Check if lib/modules/`uname -r`/source is correctly linked to build and if the kernel headers with the correct kernel version (uname -r) are in the build directory. Maybe you have to reboot into the correct kernel version first after doing update.
 

Installation of the ATI drivers

Download the drivers from the ATI homepage and finally install them.

bash ati-driver-installer-11-5-x86.x86_64.run
Check in Ati install log if the drivers compiled a kernel module against the kernel headers with cat /usr/shr/ati/fglrx-install.log

Reboot and test your install.

fglrxinfo

This is what you want to see in the end:

display: :0 screen: 0
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: AMD Radeon HD 6450
OpenGL version string: 4.1.10750 Compatibility Profile Context

Test your framerate:

fgl_glxgears

You should see at least 200/300 FPS (depending on your GPU) in Gnome3

Using GLX_SGIX_pbuffer
1539 frames in 5.0 seconds = 307.800 FPS
1838 frames in 5.0 seconds = 367.600 FPS
1828 frames in 5.0 seconds = 365.600 FPS
1835 frames in 5.0 seconds = 367.000 FPS


This is what I got in KDE with Compiz-Fusion

Using GLX_SGIX_pbuffer8002 frames in 5.0 seconds = 1600.277 FPS
7999 frames in 5.0 seconds = 1597.831 FPS
8106 frames in 5.0 seconds = 1621.128 FPS
6598 frames in 5.0 seconds = 1319.523 FPS


Above great framerates I achieved with the propietary drivers. However, I get a nasty right corner sticky-mouse bug with Compiz. Users of other distributions are also repporting this with the 11.5 ATI drivers. That's why I switched to the akmod drivers, they lack 3D support (glxgears at 60fps I call hardly 3D support), but 2D is fine with Compiz - and no bugs.

Troubleshooting

If you screw up during install and cannot get back into the system you have to check with your BIOS and boot from USB or LiveCD and try to fix your drive or re-install. With nowadays Processor power and a SSD a OS reinstall should take below 60 seconds. Try to beat that while charging no money for your OS, Microshaft and Crapple!

For instance I did reboot without checking if ATI did compile a kernel module (you will need that one!). So my OS (FC15) hanged during the boot sequence when entering init.rd, maybe when switching to runlevel 5. I therefore booted to the live usb stick and mounted my system disk, which can be a bit confusing if you are new to Logical Volume Groups.

pvs
lvdisplay /dev/VolumeGroupName
vgchange -a y VolumeGroupName
mkdir /mnt/system
mount /dev/VolumeGroupName/lv_root /mnt/system/

You now can edit either edit Xorg mnt/system/etc/X11/xorg.conf or switch of automatic boot to the XServer with /etc/inittab. However, in Fedora Core 15 the Init Dameon is legacy (there goes the usefullness of your LPIC or RHCL certification). So we have to link to the text-mode, which was referred to as initlevel 3.

rm /mnt/system/etc/systemd/system/default.target
ln -s /mnt/system/lib/systemd/system/runlevel3.target /mnt/system/etc/systemd/system/default.target

In case you need to chroot to your mounted system, do it like this. It will load the proper environment variables and add a reminder that you are chrooted to your shell:

chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile
export PS1="(chroot) $PS1"

Switch to OpenSource Drivers

It might be necessary to uninstall the ATI drivers. Remember to keep your important files somewhere hidden on a USB HDD or NAS during re-install and cutting edge experiments like this.

Remove ATI propietary drivers

sudo yum remove xorg-x11-drv-ati

Force them to vanish (could lead to errors)

sudo /usr/share/ati/amd-uninstall.sh --force

Repair Mesa

yum reinstall mesa-libGL

Install the F15 Drivers from the RPM-Fusion repository

rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
yum install akmod-catalyst xorg-x11-drv-catalyst xorg-x11-drv-catalyst-libs.i686

 

Conclusion

Overall it can be quite the hassle to getting OpenGL work in Linux, especially if you are a newbie. However it's absolutely worth the effort. I ditched Gnome3 because it's absolutely bollocks. I use KDE with Compiz-Fusion now and it's absolutely goregous (http://www.youtube.com/watch?v=Y4wB3GUemVw).

Suddenly MacOSX or Windows 7 feels like going by foot, while KDE 4.6.3. with a 2.8 Linux Kernel empowered by yum package management feels like riding a Full Suspension Bike. So good bye WindoZe and WackOS, I am home.

Line 3
- legacy Charset Windows-1252, from 1998. 8 bit (e.g. UTF-8 has 4 Byte thus 11.000 times more characters than the Microsoft format the FDP uses (2^21/191).

Line 8 (et seq.)
- multiple external, self-hosted Javascript files. Thus useless HTTP requests occur, resulting in very bad usability.
- a torrent of global variables, for instance referenced to with x, y (!sic), far from being compatible to ECMA Script 5.
- bug-prone coding style, e.g. multiple boolean operators without parentheses, a && b || c != d.
- vulnerable to type cohersion by not using triple equality operators like in wmtt != null.
- Semicolon insertion possible by not using 1TBS (One True Brace Style).
- The DOM is accessed before it has even started to load. Ouch!
- Tables. Ow!

The list even goes on, like they’ve not already made every single error there is to make. But for the sake of the health of your eyes, I will stop here.

All in all, I give the page a F for fail. And I would suggest you don’t vote for the FDP if you want Germany to play at least a minor role in the future of the World Wide Web. Let me kindly suggest participating at http://piratenpartei.de as an alternative. Voting is overrated.

• Competitive testing
• Parallel design
• Iterative design

You have to try (and test) multiple design ideas. Competitive, parallel, and iterative testing are simply 3 different ways to consider design alternatives. By combining them, you get wide diversity at a lower cost than simply sticking to a single approach.

Iterative: Keep going for as many iterations as your budget allows. Test iterations via Heuristic Evaluation.

The goal of heuristic evaluation is to find the usability problems in the design so that they can be attended to as part of an iterative design process. Heuristic evaluation involves having a small set of evaluators examine the interface and judge its compliance with recognized usability principles (the “heuristics”).

3-5 evaluators check the proposed Design/Wireframe against the Heuristic list each iteration.
 

‘Heuristic (pronounced /hjʉˈrɪstɨk/) or heuristics (from the Greek “Εὑρίσκω” for “find” or “discover”) refers to experience-based techniques for problem solving, learning, and discovery.’ – Wikipedia.

Parallel Design

In a parallel design process, you create multiple alternative designs at the same time. You can do this either by encouraging a single designer to really push their creativity or by assigning different design directions to different designers, each of whom makes one draft design.

Use cheap methods if parallel designing, e.g. Wireframing

 
After wireframing you could go to interactive wireframing and then the actual visual design. Let the the user test up to 2-3 designs. The first one will be the one where the testers are the freshest, so variate the order. When finished take the best elements out of all different designs and merge the designs. Then refine this new design with iterative testing.

• Out of 4 parallel versions,  pick the best one and iterate on it. This approach resulted in measured usability 56% higher than the average of the 4 designs.
• Follow the recommended process and use a merged design, instead of picking a winner. Here, measured usability was 70% higher.
• After one iteration, measured usability was 152% higher.

Stanford University took this approach to the domain of Internet advertising. Ads created through a parallel design process performed 67% better.

In a competitive usability study, you test your own design and 3–4 other companies’ designs. Competitive testing is advantageous in that you don’t spend resources creating early design alternatives. But as always, quantitative measurements provide weaker insights than qualitative research.

Combining these 3 methods prevents you from being stuck with your best idea and maximizes your chances of hitting on something better.

At each step, you should be sure to judge the designs based on empirical observations of real user behavior instead of your own preferences.

Ten Usability Heuristics

These are ten general principles for user interface design. They are called “heuristics” because they are more in the nature of rules of thumb than specific usability guidelines.

Visibility of system status

The system should always keep users informed about what is going on, through appropriate feedback within reasonable time.

 

BaseCamp by 37Signals
 

Match between system and the real world

The system should speak the users’ language, with words, phrases and concepts familiar to the user, rather than system-oriented terms. Follow real-world conventions, making information appear in a natural and logical order.

 

iTunes

 

User control and freedom

Users often choose system functions by mistake and will need a clearly marked “emergency exit” to leave the unwanted state without having to go through an extended dialogue. Support undo and redo.

 

 
CollabFinder

 

Consistency and standards

Users should not have to wonder weather different words, situations, or actions mean the same thing. Follow platform conventions

Gmail

 

Error prevention

Even better than good error messages is a careful design which prevents a problem from occurring in the first place. Either eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action.

 

Web Form Design by Luke W.

 

Recognition rather than recall

Minimize the user’s memory load by making objects, actions, and options visible. The user should not have to remember information from one part of the dialogue to another. Instructions for use of the system should be visible or easily retrievable whenever appropriate.

 

Keynote

 

Flexibility and efficiency of use

Accelerators — unseen by the novice user — may often speed up the interaction for the expert user such that the system can cater to both inexperienced and experienced users. Allow users to tailor frequent actions.

 

Numbers

 

Aesthetic and minimalist design

Dialogues should not contain information which is irrelevant or rarely needed. Every extra unit of information in a dialogue competes with the relevant units of information and diminishes their relative visibility.

 

Kontain

 

Help users recognize, diagnose, and recover from errors

Error messages should be expressed in plain language (no codes), precisely indicate the problem, and constructively suggest a solution.

 

 
Digg

 

Help and documentation

Even though it is better if the system can be used without documentation, it may be necessary to provide help and documentation. Any such information should be easy to search, focused on the user’s task, list concrete steps to be carried out, and not be too large.

 

Flickr

 
Heuristic evaluation is performed by having each individual evaluator inspect the interface alone. This procedure is important in order to ensure independent and unbiased evaluations from each evaluator. The results of the evaluation can be recorded either as written reports from each evaluator or by having the evaluators verbalize their comments to an observer as they go through the interface.

During the evaluation session, the evaluator goes through the interface several times and inspects the various dialogue elements and compares them with a list of recognized usability principles (the heuristics).

Software specific Heuristics

One way of building a supplementary list of category-specific heuristics is to perform competitive analysis and user testing of existing products in the given category and try to abstract principles to explain the usability problems that are found (Dykstra 1993).

One approach that has been applied successfully is to supply the evaluators with a typical usage scenario, listing the various steps a user would take to perform a sample set of realistic tasks.

The output from using the heuristic evaluation method is a list of usability problems in the interface with references to those usability principles that were violated by the design in each case in the opinion of the evaluator. Detailed answers are needed.

Debriefing Meeting: A debriefing is also a good opportunity for discussing the positive aspects of the design, since heuristic evaluation does not otherwise address this important issue.

Example Interface

DeviantArt (Creative Commons)

Accessibility

A good site, service or application also takes into account if it needs to be used by the hearing impaired and a screen reader, or weather your users use mobile devices, such as smartphones, tablet PCs or others. Evaluate if your users prefer or are bound to a keyboard and provide shortcuts.
 
I hope you enjoyed this tutorial on Usability. Why don’t you subscribe to my RSS feed? I also appreciate any comments in the section below. Thanks for reading.

sudo chmod 775 -R /var/www/html/dekiwiki/bin/cache/luceneindex/

If that doesn’t help you might want to tweak the mod_rewrite settings in your apache configuration. Just add deki to the mod rewrites, this could solve issues you might experience when using Mindtouch with SSL, for instance if the WYSIWYG ckEditor 3.0 doesn’t load.
 

RewriteCond %{REQUEST_URI} !^/(@api|editor|skins|config|deki)/

You can also empty the cache in the backend of Mindtouch to work around issues. Also give the Wiki’s error log file a visit to pinpoint the root cause.
 

tail -n 20 /var/log/dekiwiki/deki-api.log

That’s it for now, but I might extend this troubleshooting document at a later date.

In case you enjoyed this tutorial, please leave a comment below – every comment enlightens my day.

I leave it up to you to decide who is breaking the law in this case.
 

Disclosures

If you are still not sure if more transparency in our governments is a good thing, then maybe the following selection of the 2010 Wikileak cables will change your mind.

Foreign contractors hired Afghan ‘dancing boys’
http://j.mp/hXNvtV

US manipulated climate accord in Copenhagen
http://j.mp/hGvkw0

US wrote Spain’s proposed copyright law
http://bit.ly/epFDf5

Supporters

An US Senator from Texas says:

 
You can follow Ron Paul on Twitter.

Youtube: Ron Paul – Don’t Blame Wikileaks!

I also want to quote John F. Kennedy, the assassinated US President, who once said:
 

‘The very word secrecy is repugnant in a free and open society. Inherently and historically, we as a people are opposed to secret proceedings and concealment.’

– John F. Kennedy, New York City, April 27, 1961

How can you help?

In case you also think, that a free and open society should not penalize individuals who reveal findings of greater public interest, even if it is classified, you can support WikiLeaks by sending them money or join your state’s Pirate Party at the next election.

I myself decided to quit PayPal and just received my last shipment ever from Amazon as both companies pulled their support of wikileaks with no legal obligation in my opinion, but I am no law expert, so I leave it up to you. I for my part look forward to conduct my christmas shopping at alternative online-stores.

If you want to, you can also help by using this iconset to spice up your Social Media Avatar. (wikileaks-avatar.zip)

If you are not confident with Graphics you can just grab one of these:
 
         
 

Links

I put together a link list mostly containing links to the free press and media, which I found to be interesting.

CNN: Times and NYT editors discuss Wikileaks

Washington Times: Wave goodbye to Internet freedom

Gawker: US gov starts censoring Foxnews.com, CNN.com, MSNBC.com

Ron Paul calls Wikileaks Heros in speech

Slate.com: Why I Love WikiLeas by Jack Shafer

Reporters Without Borders condemns the blocking, cyber-attacks and political pressure being directed at wikileaks.org.

MSNBC: Assange ‘rape’ accuser has CIA ties.

Rixstep Blog: Julian Assange & Anna Ardin: The person behind the police complaint identified.

Google Android: Host a WikiLeaks mirror from your phone.

The Sunday Mail (Qld): Sweden’s justice system may become a laughing stock over the rape charges against Wikileaks figurehead Julian Assange by James D Catlin

USA, UK, Canada, Australia join China in blocking the Internet.

Youtube: Transparency will be the touchstones of this presidency. By B Obama

 
After some thorough evaluation weather to put direct links to Wikileaks on this site I came to the conclusion that it was the right thing to do to support those who are censored and hunted. Let me say it with the words of Beatrice Hall:
 

‘I detest what you write, but I would give my life to make it possible for you to continue to write’

— Evelyn Beatrice Hall in The Friends of Voltaire (1906)

 
Hence since the cyber attacks from the ‘dark’ continue — if you are a responsible journalist — you can reach Wikileaks on any of these mirrors or directly here. I also recommend to read about developments on the Guardian, Time Magazine, El Pais, Der Spiegel, other independent media and the blogosphere.

Please follow the independent media like blogs, twitter, facebook, tumblr, identi.ca since the USA and other governments have started to censor their heart out. This censorship agenda of the States and the EU is the biggest threat to freedom of speech, thought and press, that the world has ever faced.

It comes to no surprise that the US is planning to roll out programs like SHIELD and ACTA* that will effectively silence the media. ACTA* was signed by the EU member states last week. Senator Liebermann said they will charge the New York Times with espionage and censor US media for ever. You also know from the cables who created the European censorship law and with what unlawful methods.

Our Corporate world made it very clear from the beginning on which side they are on. Google already stopped indexing new Wikileaks mirrors and Mastercard, Visa, Amazon and Paypal have withdrawn without legal obligation their business relationship to Wikileaks. Only the Web 2.0 with Reddit, Twitter and Facebook seems -so far- not willing to join in into this beginning era of censorship. However keep in mind Twitters OAuth is anything but secure as every OAuth allowance you have nodded to can manipulate your account anytime.

I would be interested in your thoughts on weather wikileaks is right or wrong and any other useful links in the comments section below.

sftp user@hostname.tld

The connection itself is tunneled over SSH now. However the user will have access to your entire file system and even worse if anyone gained these credentials, he could login via ssh to your server.

Since we don’t want that, we will have to chroot (jail root) the sftp user and forbid him to use ssh itself. For this you will need openSSH 5 or greater. At the time of this blog post, CentOS 5.5 still ships with the year old openSSH 4.6. Therefore we will have to make a rpm package with the latest openSSH 5.6 sources and install it on our CentOS.
 

rpm -qa | grep ssh
yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build
wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz
wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz.asc
wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import
gpg openssh-5.6p1.tar.gz.asc
tar zxvf openssh-5.6p1.tar.gz
cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/
cd /usr/src/redhat/SPECS/
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
rpmbuild -bb openssh.spec
cd /usr/src/redhat/RPMS/`uname -i`
uname -i
ls -l
rpm -Uvh openssh*rpm
/etc/init.d/sshd restart

Alright what does all this command lines do? First yum installs the gnu compiler with important tools like make, then yum installs openssl development packages and rpm-build. Then I choose a repository from Aachen, Germany, which is nearest from my server’s location. We also get the gpg signature and import it to our local gpg databse then we check it. The rest is building the rpm package; without GUI support like X11 or gnome, because it’s not really usable on a server. I must credit some of these steps to someone else on the interwebs: http://binblog.info/2009/02/27/packaging-openssh-on-centos/
I found perl -i.bak -pe ‘s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ openssh.spec to be very elegant and I liked also cd /usr/src/redhat/RPMS/`uname -i` very cool. The latter changes directory to the correct build version of your kernel.

Did I mention you should be root to do this?

I do it in one go, absolute hardcore.
 

rpm -qa | grep ssh && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-5.6p1.tar.gz.asc && wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import && gpg openssh-5.6p1.tar.gz.asc  && tar zxvf openssh-5.6p1.tar.gz && cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ && cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/ && cd /usr/src/redhat/SPECS/ && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec  && rpmbuild -bb openssh.spec && cd /usr/src/redhat/RPMS/`uname -i` && uname -i && ls -l && rpm -Uvh openssh*rpm

Better check if it worked.
 

rpm -qa | grep ssh
openssh-clients-5.6p1-1
openssh-5.6p1-1
openssh-server-5.6p1-1

This were the pre-requisites for using chroot with SFTP. I will show how to setup SFTP and prepare your directory structure.

First, setup two new groups. One group fullssh is going to have full access to the Linux filesystem. Just add your main user to the fullssh supplementary group. The other group is called sftponly for our SFTP users that will be jailed to a particular directory.
 

groupadd sftponly
useradd pete
usermod -aG sftponly pete

In above snippet one could also use useradd -G sftponly pete, but in case the user pete exists already the -a switch ensures he is added to the supplemental group sftponly instead of deleting existing supplemental groups.

Now go into /etc/ssh/sshd_config and comment out the default entry for the sftp service.
 

#Subsystem      sftp    /usr/lib64/misc/sftp-server
Subsystem       sftp    internal-sftp
AllowGroups fullssh sftponly

Match Group sftponly
        ChrootDirectory /var/www/html
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

Now let’s set permissions on the directory structure. This has to be done with great care.
 

chown root:sftponly /var/www/html
chmod 755 /var/www/html
mkdir -p /var/www/html/yourDomain
chown pete:sftponly /var/www/html/yourDomain

Some tutorials on the web suggest setting permissions to 750, but as it turns out this will lock out apache and produces a HTTP 403 Forbidden when accessing your website. We don’t want that.
With chown you change the owners of the directory to root user-wise and to sftponly group-wise. The user pete should be a member of that group by now. You can check that with groups pete.

Creating the directory with the -p shouldn’t be necessary in above example, but I included it nonetheless. The switch would take care of creating all necessary parent folders.

This is how the permissions must look like in order to make the ssh / sftp login chain to work.
 

ls -lishad /var/www/html
inode 4.0K drwxr-xr-x 3 root sftponly 4.0K Nov  9 10:27 /var/www/html

ls -lishad /var/www/html/yourDomain
inode 4.0K drwxr-xr-x 8 joe sftponly 4.0K Nov  9 11:33 /var/www/html/yourDomain

Now if you login, ssh has root permissions and handles the login process until the user pete is authenticated. The user is then jail chrooted to the yourDomain directory, at least in my understanding. With SFTP we don’t need a proper chroot environment with access to /dev or any hardlinks – therefore it should be rather difficult for an attacker to escape the jail. There exists an exploit [1] since 1999. That is why Solaris and Linux stopped to consider chroot a secure solution. However it is possible to harden [2] a shell chroot environment.

I hope you enjoyed this article. I would appreciate any thoughts on the topic of server security in the comments below.

 
References