Present Perfect


Picture Gallery
Present Perfect

Filed under: General — Thomas @ 2:32 pm

2:32 pm


Spun a new tarball yesterday because a translation got added. This also allowed me to try and put in a patch I had received for the thumbnailer but for which I didn’t have time or inclination to push it in before going on holidays. Having to respin the tarball anyway made me submit the patch to the release team together with some good arguments on why this patch makes sense. Nice to see that good arguments help make good decisions.

Then I made an RPM to test and got extremely puzzled by the fact that nautilus crashed as soon as I checked a property page on an audio file. After reading a bunch of bonobo, then ORBit code, which scared me senseless, I figured out the right way to run nautilus from gdb (remove nautilus from the session), and then the problem became readily apparent. It was not finding glade files, and it was not doing so because I forgot a “make” command in the spec file. So the actual build was done from %makeinstall, which overrides datadir and friends, causing the wrong – install-time – location for the UI files to be put in the binary.

So now I firsthand experienced the difference between running or not running make before make install.


With the recent break-in on GNOME servers I wanted to do my part in making sure I’m doing things correctly. I got told that using passphraseless ssh keys is worse than doing password-based ssh access, so I started looking into how it ought to be done instead. Some people asked me to let them know if I figured out the right set of things to do, so here it is.

Basically, I did the following:

  • mv .ssh ssh in my homedir
  • generate a completely new ssh-dsa key, with passphrase
  • replace the old public key in authorized_keys on all the servers I use this key on (for this step, ssh -i ssh/id_dsa is useful, since you want to get on the servers using your old key to install your new pubkey)

It is possible to add a passphrase to your current key, but since that doesn’t really change the public key it doesn’t help at all if someone might have gotten your old private key. So, don’t :)

After this, you want to set up your session so that you only get asked for your passphrase once, and ssh-agent takes care of authenticating when you move around. If you run Red Hat/Fedora, you can do the following:

  • run switchdesk, and choose the same type of session you are running. This will generate .Xclients and .Xclients-default
  • edit .Xclients and replace each “exec” instance with “exec ssh-agent”. This step makes sure that your session is run under ssh-agent.
  • edit .Xclients-default and add “ssh-add < /dev/null” BEFORE the exec gnome-session line. This step makes sure that before your gnome-session is loaded, a GUI window will pop up to ask you for your passphrase.

Now log out and back in, fill in your passphrase, and try logging into a server where you copied your new public key to. It should just let you in.

If I made an important security boo-boo, let me know please.


There’s this incredibly nut roasting store in Barcelona. If you’re ever around, go over and buy some almonds or hazel nuts. They taste so much better than the ones you buy anywhere else. I feel an addiction coming up.

No Comments

No comments yet.

RSS feed for comments on this post. TrackBack URL

Sorry, the comment form is closed at this time.