Generating your own SSH keys for AWS

The Amazon AWS Management Console allows you to generate an SSH key for your account. However, since Amazon's AWS ecosystem is broken into geographic regions, you cannot generate a single key to be used in all regions. In addition, the security-minded amongst you may not be comfortable having AWS generate the private key that you will be using in your SSH key pair.

To address both of these issues, you can generate your own SSH key pair offline and then upload only the public key to AWS. You still have to upload the same public key to each region in which you wish to launch instances, but once you have done this you will be able to use the same key in all regions. From a security perspective, if you generate your own keys, AWS never sees your private key, as you only ever upload your public key.

AWS SSH specification

Amazon allow you to upload your public key in a number of different formats; however, your SSH key must meet each of the following criteria to be accepted:

  • It is an RSA SSH-2 key (DSA keys and SSH-1 keys are not supported)
  • Amazon only support 1024-, 2048- and 4096-bit key lengths
  • The key must be in OpenSSL format, Base64-encoded DER format, or the SSH public key file format defined in RFC 4716
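
As an added example (not part of the original post), the following Python snippet checks a public key in OpenSSH format against the three criteria above before you try to import it, and rewraps the same key in the RFC 4716 file format that AWS also accepts. The make_openssh_line helper exists only to construct sample inputs with made-up moduli; real keys come from ssh-keygen or PuTTYgen.

```python
import base64
import struct

def _mpint(n: int) -> bytes:
    # SSH mpint: 4-byte length, big-endian magnitude, extra 0x00 if the high bit is set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def make_openssh_line(key_type: bytes, e: int, n: int, comment: str) -> str:
    # Builds a 'type base64 comment' line; used here only to construct sample inputs
    blob = struct.pack(">I", len(key_type)) + key_type + _mpint(e) + _mpint(n)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"

def _read_field(blob: bytes, pos: int):
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def parse_openssh_pubkey(line: str) -> dict:
    """Split an OpenSSH public-key line into its type, modulus size, blob and comment."""
    key_type, b64, *comment = line.strip().split(None, 2)
    blob = base64.b64decode(b64)
    wire_type, pos = _read_field(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type prefix does not match the encoded blob")
    _, pos = _read_field(blob, pos)          # public exponent (not needed for the checks)
    n_bytes, _ = _read_field(blob, pos)      # modulus: its bit length is the key size
    return {"type": key_type, "bits": int.from_bytes(n_bytes, "big").bit_length(),
            "b64": b64, "comment": comment[0] if comment else ""}

def aws_import_problems(line: str) -> list:
    """Reasons the AWS key-pair import would reject this key; an empty list means it fits."""
    try:
        key = parse_openssh_pubkey(line)
    except Exception as exc:
        return [f"not a valid OpenSSH public-key line: {exc}"]
    problems = []
    if key["type"] != "ssh-rsa":
        problems.append(f"{key['type']} is not RSA (DSA and SSH-1 keys are not supported)")
    if key["bits"] not in (1024, 2048, 4096):
        problems.append(f"modulus is {key['bits']} bits; AWS accepts only 1024, 2048 or 4096")
    return problems

def to_rfc4716(line: str) -> str:
    """Re-wrap the same key in the RFC 4716 file format, which AWS also accepts."""
    key = parse_openssh_pubkey(line)
    body = "\n".join(key["b64"][i:i + 70] for i in range(0, len(key["b64"]), 70))
    header = f'Comment: "{key["comment"]}"\n' if key["comment"] else ""
    return f"---- BEGIN SSH2 PUBLIC KEY ----\n{header}{body}\n---- END SSH2 PUBLIC KEY ----\n"
```

Run aws_import_problems over the contents of your .pub file; an empty list means the key matches all three criteria.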

Generating your own SSH key

Generating your own SSH key is very straightforward, especially if you are using an Apple OSX machine or a Linux machine, as the tools to do so are already on the operating system. On Windows it is slightly more complicated, as it requires you to download and install a tool capable of generating an SSH key; fortunately there is no cost to doing so.

Using Linux or OSX

On Linux or OSX, you simply open a terminal and follow these steps (I always make 4096-bit SSH keys as they are the strongest ones you can get, and modern computers have no problem generating private keys this long, or authenticating with long keys):

$ ssh-keygen -t rsa -b 4096 
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/coltoncat/.ssh/id_rsa): aws_ssh-key
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in aws_ssh-key.
Your public key has been saved in aws_ssh-key.pub.
The key fingerprint is:
89:b6:55:6a:f4:52:bf:a0:8a:92:21:d0:27:53:9a:67 coltoncat@MacBookPro.local
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|    .            |
| . +    . o      |
|. * E  o * .     |
|.  *  o S o .    |
|. .  . + o . .   |
| . o  . .   .    |
|  o  . .         |
|   .. .          |
+-----------------+
$ 

In this example, you are prompted for a name for your new private key. I named mine aws_ssh-key, and you will see from the output above that the ssh-keygen program automatically names your public key, which you will upload to AWS, aws_ssh-key.pub.

During this process you are prompted for an optional passphrase for your private key. It is a very good idea to include one: the private key will then be encrypted, and you will need to provide the passphrase each time you use it to SSH to an AWS instance. This protects you in the event that someone else gains access to your computer and finds your private key, which they could otherwise use to get access to your EC2 instances.

Using Windows

If you are using Windows, you will need to obtain a piece of software to generate your private and public SSH keys. By far the most commonly used, almost to the point of ubiquity, is PuTTY. Grab PuTTY from the PuTTY download page; to generate an SSH key you only need to download puttygen.exe, however you may as well download putty.exe as well, as it is a great SSH client.

Once you have downloaded puttygen, run it, and you will be presented with the following screen:

Puttygen Welcome Screen

On this screen, under the “Parameters” section at the bottom, make sure that you have selected “SSH-2 RSA” and that you set the “Number of bits in generated key” option to 4096. Once you have done this, click “Generate”, and you will be prompted to move your mouse around the blank part of the screen for a minute or so to create some entropy. Eventually, you will see that the key is being generated and PuTTYgen will present you with the following screen:

PuttyGen ssh-key generation complete

Give the key a meaningful name in the “Key Comment” field (for example, I called mine aws_ssh-key), and then be sure to specify a passphrase for your private key. You can save the private key by clicking the “Save Private Key” button. This will save a file with a .ppk extension, which is the format that PuTTY will use later on when you wish to connect to an instance using SSH.

As for the public key, it is displayed in the “Key” section; you can copy it from there and paste it somewhere safe to import into AWS, or you can use the “Save Public Key” function to save it to a file.

Importing the key

Log in to the AWS Management Console and navigate to EC2, then “Keypairs” under “Networking & Security” in the left menu panel. Click the “Import Key Pair” button; you can either load the public key from the file you saved it in, or give it a name and paste it into the “Public Key Contents” area in the popup screen.

You need to do this for each region in which you would like your key to be used. I just did it for each of the AWS regions; it only takes a few minutes, and then I know it will be ready for when I need to use it in the future.

Now you only need to make sure that you guard your private key file: make a copy onto USB media and keep it safe, as this is the only way that you will be able to log in to your instances. If you lose this key, regaining access to your instance on AWS will result in downtime and some possibly dangerous file-system manipulation, so you have been warned.

WordPress Maintenance Mode

I wanted to know how to force my WordPress installs to display a message that the site was in maintenance mode (as WordPress does when you are upgrading plugins and so on). Googling around for the answer only yielded various plugins to achieve this, and I really did not want to go and install yet another plugin for something this simple and which is obviously built into WordPress.

Outlook 2003 Unable to Connect to Exchange 2010

Microsoft have been making no secret of the fact that they do not want to continue having public folders in their flagship messaging server. With Exchange 2010, public folders are actively discouraged, and much of the Microsoft documentation suggests SharePoint as the preferred alternative to public folders. That aside, if you still have legacy Outlook 2003 MAPI clients that need to connect to Exchange 2010 (or Exchange 2007, for that matter), you have no option but to create and activate a public folder database on an Exchange 2010 server.

Having created a public folder database on Exchange 2010, you may still, rather unexpectedly, notice that Outlook 2003 clients cannot connect to the new Exchange 2010 mailbox server, with Outlook producing an error indicating that it is unable to connect to the Exchange 2010 server due to a suspected network issue.

Exchange Server is unavailable

I have seen more than one version of this error, but unfortunately neglected to get some screen grabs at the time; if I find a machine exhibiting the error, I will update this post.

In Exchange 2010, MAPI connections are no longer handled directly by the Exchange server as they were in Exchange 2007; instead, all MAPI connections to a Mailbox Server are handled by the CAS (Client Access Service) server, and specifically by the new Exchange RPC Client Access Service. The sudden inability to connect to your new server via MAPI is caused by the fact that Exchange 2010 by default expects MAPI connections to be encrypted, while Outlook 2003 does not encrypt them by default.

You therefore have two potential solutions to this problem.

  • Reconfigure Outlook 2003 to use encrypted MAPI connections when communicating with the server
  • Configure Exchange 2010 to globally stop requiring encrypted MAPI connections

I would suggest the first method, as no longer requiring encrypted MAPI connections just seems like a Bad Thing; however, read on if you want to know how to do either.

Configuring Outlook 2003 to use Encrypted MAPI Connections

First make sure that Outlook 2003 is not running. Then open the Control Panel and find the Mail applet, and double-click that:

Outlook 2003 Mail Control Panel Applet

On this page, click the “E-Mail Accounts” button:

Exchange Mail Settings

Check the radio button beside “View or change existing e-mail accounts” and click Next:

Exchange e-mail accounts

Highlight your Exchange account and click the “Change” button to re-configure that account:

Exchange Server Settings

Click the “More Settings” button, and then select the “Security” tab:

Exchange Connection Settings Tab

Make sure that the check-box in the Encryption section is ticked, then hit OK, Next, Finish and Close. Fire up Outlook and it should connect as before.

Configuring Exchange 2010 to use Unencrypted MAPI Connections

Much of what happens in Exchange 2010 is configured through the Exchange Management Shell (EMS). To obtain information about the RPC CAS service, open an EMS PowerShell session and execute the following command:

Get-RpcClientAccess | fl

Get-RpcClientAccess | fl in the EMS

Notice that the line reading “EncryptionRequired” is set to “True”. This is the default for the MAPI RPC CAS service on the Exchange 2010 CAS server. To globally set this to false, execute the following in the EMS, substituting the name of your CAS server:

Set-RpcClientAccess -Server CAS-Server -EncryptionRequired $false

Again, in my opinion, this is a bad idea. I haven’t checked this, but I would be pretty sure you would be able to use Group Policy to update the connection settings on your legacy Outlook 2003 clients to use an encrypted MAPI connection by default. This would be a much better plan.

Advertising Traffic During Superbowl 44

According to the news, Superbowl 44 (2010) has surpassed the final episode of “M*A*S*H” which set the record 27 years ago by attracting a mere 105.97 million viewers, to become the most watched television show in history, with an estimated 106.5 million pairs of eyeballs on the game.

So yes, Superbowl 44 was big. It is debatable, however, whether it was as big as the “M*A*S*H” finale that held the previous record, when one considers that 27 years ago there were far fewer televisions in households than there are today, and consequently the television-watching population was a lot smaller. That, however, is not the point of Mr Cat's post. It occurred to him that advertising has become totally invasive in our lives since the early 80s, and that the primary way revenue is generated from a televised event such as Superbowl 44 is through paid advertising. These days, Mr Cat would imagine that the bulk of that advertising somehow results in a trip to the web by a party interested in it, so Mr Cat headed over to try to get some graphs (because he likes graphs) of the Internet traffic during Superbowl 44.

Akamai, one of the largest Content Delivery Networks (CDNs), it turns out, keeps figures of exactly this.

Notice the spike in the graph at the end of the 4th quarter, with advertising consumption, according to Akamai, reaching around 1.17 million visitors per minute, well up from the average of about 300 thousand visitors per minute.

These are pretty astronomical figures, and Mr Cat can understand why so many people are now making so much money from online advertising on their blogs and affiliate websites; there are just so many clicks to go around that even if you started an affiliate site today, you would need only a small fraction of that modest average of 300 thousand visitors per minute to make yourself very comfortable.

Mr Apple and the iPad

Mr Cat noticed this morning that Mr Apple was showing off their brand new iPad, which looks like it is really just an iPhone with a bigger screen, although you sure as hell will look ridiculous with that thing stuck to your ear making a call.

There were millions of opinions out there today; however, I stumbled on this hilarious little video on YouTube about the new device:

Unfortunately Mad-TV has disabled embedding on this clip, so you have no choice but to watch it on YouTube. It is still worthwhile.

Using Post Thumbnails with WordPress 2.9

Probably like many others who dabble with WordPress, I was excited to read about the new post thumbnail support in WordPress 2.9. Of course, after upgrading, I could not figure out how to use them, only to discover that the feature is disabled by default. I finally discovered how to turn the feature on, and here is how you can do it too.

Edit the functions.php file that came with your favourite theme, and add the following:

// Enable post thumbnails only if this WordPress version (2.9 or later) provides the function
if (function_exists('add_theme_support')) {
    add_theme_support('post-thumbnails');
}

The if statement checks whether the add_theme_support() function actually exists, so we do not break our theme's compatibility with versions of WordPress prior to 2.9. Save the file, and you can then simply set the post thumbnail in the back-end.

Update: Mark Jaquith, a lead developer on the WordPress Personal Publishing System, has written a very comprehensive post on his blog on the recommended way to use this feature in a theme. It is clear and explains the official WordPress Way to do this. Definitely a must read.

The Cygnet – Aston Martin’s Concept Ultra-Compact

It was interesting to read that Aston Martin have announced an ultra-compact concept car, based on the Toyota IQ, that will be known as the Cygnet. Quite a little stablemate for the insane V12-engined Vantage. By contrast, this machine will be powered by a small 1 liter mill with only 3 cylinders, developing 50kW (67HP) in the base model, which is not actually too shabby for such a small motor when you think about it, or by an optional 1.3 liter four-cylinder that will develop about 76kW (102HP).

Westjet Waive Excess Baggage Fees to the USA

This afternoon I happened to be checking flight pricing for a possible January trip to the USA on both Air Canada's and Westjet's websites. I noticed the following travel advisory on both sites, stating that carry-on luggage would now be limited to one small item, i.e., no more roller cases etc.

Call to undefined function ctype_digit() in /wordpress/wp-admin/includes/file.php on line 238

After upgrading to WordPress 2.9, self-hosted WordPress installations may receive this error:

Call to undefined function ctype_digit() in /wordpress/wp-admin/includes/file.php on line 238

This appears when trying to use either the Flash uploader or the browser uploader to upload new media to WordPress, or when trying to save a new post as a draft, publish it, and so on. It happens because PHP on your host has not been compiled with ctype support. It is simple to fix: if you have control of the host, make sure that you pass the --enable-ctype flag to the configure script when you compile PHP. For more information, see http://us2.php.net/manual/en/ctype.installation.php.

If you happen to be using FreeBSD and PHP5, simply install the textproc/php5-ctype port and reload Apache.

Trust this helps out some folks.