
April 18, 2013

Install ssh on ubuntu

Install ssh with
sudo apt-get install ssh

Say yes to everything it asks you to install.
Note, you will now have an /etc/ssh/ directory containing ssh_config (client settings) and sshd_config (server settings); you may have to uncomment a few lines in them later.
You then want to generate a key pair:
ssh-keygen -t rsa

On the safer side, it is a good idea to throw a passphrase in there: it encrypts the private key on disk, so a copied id_rsa file is useless on its own. Make sure it is difficult to guess and NOT the same as your login password.
Note, ssh-keygen defaults to a 2048-bit RSA key (pass -b 4096 for a larger one), which is always better than the old 1024-bit size. You will get a private and a public key file, i.e.
id_rsa and id_rsa.pub
The private key, id_rsa, stays in your ~/.ssh directory. The public key, id_rsa.pub, is the one you put on the server you are remotely connecting to: append its single line to ~/.ssh/authorized_keys in your account there (ssh-copy-id username@yourhost.com does exactly this). You can cut and paste it in; make sure you do not introduce any line breaks or other unwanted white space in it. DO NOT put the private key on the server you are connecting to.

Troubleshooting:
You may need to restart the service/daemon with
sudo service ssh restart

This is necessary if you changed anything in sshd_config (ssh_config is re-read by the client on every run). Make sure your permissions are right on the ~/.ssh directory and the files in there; with the default StrictModes setting, sshd refuses to use an authorized_keys file if it, the .ssh directory, or your home directory is writable by group or others, and the client refuses a private key that is readable by anyone else.
drwx------ # ~/.ssh directory
-rw------- # id_rsa, the private key (and authorized_keys on the server)
-rw-r--r-- # id_rsa.pub can stay world-readable


Now type from your Ubuntu prompt:
ssh username@yourhost.com
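Because the permission mistakes above fail silently from the client's point of view (you just get asked for a password), here is a small checker and fixer for the ~/.ssh layout described in this post. It is an added example, not part of the original post; the function names check_ssh_perms and fix_ssh_perms are my own, and it uses find -perm with exact octal modes so it runs under plain POSIX sh on Ubuntu.

```shell
#!/bin/sh
# Report whether DIR (normally ~/.ssh) has the modes sshd's StrictModes and
# the ssh client insist on: directory 0700, private keys and
# authorized_keys 0600. Public keys (*.pub) may be world-readable.
# Returns 0 when everything is right, 1 otherwise, naming each bad path.
check_ssh_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # "find PATH -prune -perm MODE" prints PATH only if its mode is exactly MODE
    if [ -z "$(find "$dir" -prune -perm 0700 2>/dev/null)" ]; then
        echo "bad mode on $dir (want 0700)"
        return 1
    fi
    rc=0
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue          # glob did not match anything
        case "$f" in *.pub) continue ;; esac
        if [ -z "$(find "$f" -prune -perm 0600 2>/dev/null)" ]; then
            echo "bad mode on $f (want 0600)"
            rc=1
        fi
    done
    return $rc
}

# Apply the modes above to DIR and everything the checker looks at.
fix_ssh_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    chmod 0700 "$dir"
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) chmod 0644 "$f" ;;
            *)     chmod 0600 "$f" ;;
        esac
    done
    check_ssh_perms "$dir"
}

# Usage: check_ssh_perms "$HOME/.ssh" || fix_ssh_perms "$HOME/.ssh"
```

Run the check on both ends: on your laptop it covers id_rsa, on the server it covers authorized_keys. Ownership matters too (the files must belong to the user logging in), which chmod alone does not fix.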

April 15, 2013

Pymongo - TypeError: index 'password' cannot be applied to Cursor instances

In the 10Gen course I am taking on MongoDB, we are using Python to access Mongo via pymongo.

I received this "TypeError: index … cannot be applied to Cursor instances" error while attempting to do the following:

user = self.users.find({'_id' : username})   # find() returns a Cursor, not a document
...
salt = user['password'].split(',')[1]        # indexing the cursor raises the TypeError



where "self" held a connection to the Mongo database, "users" was a collection on that database, and "username" was a string passed into the function containing this code. Initially I didn’t realize that the find() method always returns a cursor rather than a single document, even when the query specifies the primary key field, _id. I’m currently working with iplbeats, which when retrieving a "cursor" (users) will always return a single "document" (sObect) if the primary key is supplied in the where clause.

The solution was clear: replace the find() method with the find_one() method, which returns a single document rather than a cursor. One caveat: find_one() returns None when nothing matches, so check for that before indexing into the result, otherwise the TypeError just turns into a "'NoneType' object is not subscriptable" error for unknown usernames.
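The following is an added example that is not from the course or the original post. It reproduces the cursor mistake and the find_one() fix against a tiny in-memory stand-in for a pymongo collection (constructed here so it runs without a MongoDB server; real pymongo behaves the same way for find()/find_one()), and it shows the "hash,salt" password format this code was parsing being checked with a constant-time comparison. The hashing scheme, the sample user and the function names are assumptions for the example, not the course's code.

```python
import hashlib
import hmac
import os


class FakeCollection:
    """Constructed stand-in for a pymongo collection with the two calls used here."""

    def __init__(self, docs):
        self._docs = list(docs)

    def find(self, query):
        # Like pymongo, find() returns an iterable cursor, never a document.
        return (d for d in self._docs
                if all(d.get(k) == v for k, v in query.items()))

    def find_one(self, query):
        # Like pymongo, find_one() returns the first match or None.
        return next(self.find(query), None)


def hash_password(password, salt=None):
    """Return the 'hash,salt' string stored in the user document (assumed format)."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), 100_000)
    return digest.hex() + ',' + salt


def cursor_bug(users, username):
    """The original mistake: index into the cursor returned by find()."""
    try:
        users.find({'_id': username})['password']
        return None
    except TypeError as exc:
        return str(exc)


def verify_password(users, username, candidate):
    """The fix: find_one() gives a document (or None), then compare in constant time."""
    user = users.find_one({'_id': username})
    if user is None:
        return False  # unknown user; never index into None
    stored_hash, salt = user['password'].split(',', 1)
    candidate_hash = hash_password(candidate, salt).split(',', 1)[0]
    return hmac.compare_digest(stored_hash, candidate_hash)


# Constructed sample collection (one user, password "s3cret").
users = FakeCollection([{'_id': 'alice', 'password': hash_password('s3cret', 'abc123')}])

if __name__ == '__main__':
    print(cursor_bug(users, 'alice'))
    print(verify_password(users, 'alice', 's3cret'))
```

The pymongo cursor's message names the index ("index 'password' cannot be applied to Cursor instances") where the generator above says "not subscriptable"; the cause is identical.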

 

April 9, 2013

How to avoid SQL Injection in Rails

SQL injection is any situation in which a user can manipulate a database query in an unintended manner. Consequences of SQL injection vulnerabilities range from data leaks, to authentication bypass, to root access on a database server.

Most Rails applications interact with a database through ActiveRecord, the default and convenient Object Relational Mapping (ORM) layer which comes with Rails. Generally, using an ORM is safer: it provides abstraction, lets developers avoid building SQL queries by hand, and bakes in best practices so user input is not handled loosely. Compare hand-built SQL like this, where a name of ' OR '1'='1 rewrites the query:

sqlquery = "SELECT * FROM users WHERE name = '#{name}' AND password = '#{password}' LIMIT 1"
results = DB.execute(sqlquery)

with safer, simpler code like
User.where(:name => name, :password => password).first

(Comparing a plaintext password in the query is its own problem; the line only illustrates the query shape.)

ActiveRecord will protect you as long as you avoid the "obviously dangerous" methods, like find_by_sql.
ActiveRecord parameterizes queries for most methods. For the methods where it does not, the argument is treated as a SQL fragment, and those methods are not intended to be used with raw user input.
Here is an example using exists?
User.exists? params[:user_id]
However, there is no guarantee that params[:user_id] is a string.
An attacker can send a request with ?user_id[]=some_hack_string, which Rails will turn into the array ['some_hack_string']. Now the argument is an array, and exists? treats the first element of an array as a raw SQL fragment, which is not escaped.

To avoid this problem, convert the user input to the expected type before it reaches the query:
User.exists? :id => params[:user_id]
OR
User.exists? params[:user_id].to_i
The hash form binds the value as a parameter whatever its type; the .to_i form only works because an Integer can never be a SQL fragment (note that it silently turns "42 OR 1=1" into 42, and raises NoMethodError on an array). This should be the approach for all uses of user input.
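As an added example (not from the original post and not ActiveRecord's implementation), here is a small model of the two code paths described above: a scalar or hash argument is bound as a parameter, while an array argument has its first element spliced into the SQL text. Alongside it is a strict coercion helper that rejects anything but a decimal id, which is tighter than the .to_i shown above. The function names exists_sql and coerce_id are mine.

```ruby
# Model of how a Rails-style exists?/where-conditions argument is turned into
# SQL. A scalar or hash becomes a parameterized query; an array's first element
# is used verbatim as a SQL fragment (the dangerous path the post describes).
def exists_sql(arg)
  case arg
  when Integer, String
    ["SELECT 1 FROM users WHERE id = ? LIMIT 1", [arg]]
  when Hash
    conds = arg.keys.map { |col| "#{col} = ?" }.join(" AND ")
    ["SELECT 1 FROM users WHERE #{conds} LIMIT 1", arg.values]
  when Array
    # First element is raw SQL, the rest are binds for any '?' it contains.
    ["SELECT 1 FROM users WHERE #{arg.first} LIMIT 1", arg.drop(1)]
  else
    raise ArgumentError, "unsupported argument: #{arg.inspect}"
  end
end

# Strict coercion of a request parameter to an integer id.
# Returns nil for arrays, hashes, blanks and anything that is not all digits,
# so "42 OR 1=1" is rejected instead of being truncated to 42 by to_i.
def coerce_id(param)
  return nil unless param.is_a?(String) || param.is_a?(Integer)
  s = param.to_s
  return nil unless s.match?(/\A\d+\z/)
  s.to_i
end

if __FILE__ == $PROGRAM_NAME
  # Constructed parameters, as Rails would parse ?user_id[]=1 OR 1=1 and ?user_id=42
  hostile = ["1 OR 1=1"]
  benign  = "42"
  p exists_sql(hostile)                 # fragment spliced in: WHERE 1 OR 1=1
  p coerce_id(hostile)                  # nil: arrays are refused
  p exists_sql(:id => coerce_id(benign)) # parameterized: WHERE id = ? with [42]
end
```

In a controller the pattern is: id = coerce_id(params[:user_id]) and then render a 404 when id is nil, so the raw parameter never reaches ActiveRecord.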

April 2, 2013

How to Install PostgreSQL on a Mac

This is a quick guide for installing PostgreSQL (Postgres) on a Mac with Homebrew. If you are planning to use Postgres in your Ruby on Rails app, this tutorial will get you up and running in no time.
I am assuming that you already have Homebrew, Ruby on Rails, Xcode, git, rvm etc. installed on your Mac.

Step 1: Update Homebrew
Before you install anything with Homebrew, you should always make sure it's up to date and healthy by executing the following commands:
brew update
brew doctor

Step 2: Install Postgres

brew install postgresql

When you install Postgres, you will see a bunch of output in your Terminal. It includes instructions for creating your first database, migrating an existing database, starting and stopping PostgreSQL, etc. Keep these instructions aside for future reference if you want.

Step 3: Create/Upgrade a database
If this is a fresh installation of Postgres with Homebrew, you’ll need to create a database cluster with:

initdb /usr/local/var/postgres -E utf8

I copied this from Terminal output.

Step 4: Create a user
If you want a new user for your new Rails app, you can create one with the createuser command. It will ask a few questions (on PostgreSQL 9.2 and later you must pass --interactive to get the questions; earlier versions ask them by default). Add -P if you want the role to have a password, which you will want as soon as anything other than your local account connects.

createuser --interactive username

Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n

Step 5: Create a database for new user
Create the two databases you will need, development and test. With the -O option we specify the owner of the database.
createdb -O username -E utf8 newapp_development
createdb -O username -E utf8 newapp_test

Done.....
To verify the installation and the database user, use the psql shell, which works much like the MySQL one:
psql -U username newapp_development

You will get following prompt

newapp_development=>

Type "help" for help.

April 1, 2013

How to turn off ri and rdoc installation

Most often we never refer to the ri and rdoc documentation for the gems installed on our system.
Sometimes duplicate ri and rdoc copies are installed when we use the Ruby version manager (rvm). This documentation takes up a few MB of your hard disk, and even if space is not a BIG issue, generating it takes considerable time during installation. We can speed up gem installation several times over by turning off ri and rdoc generation.
You can do this on the command line, like so:

sudo gem install haml --no-ri --no-rdoc

If, like me and most developers, you would rather read the documentation online and have your gems install quickly, then you can disable the documentation generation by creating a file called ".gemrc" in your user's home directory.

Better, though, is to set this up as the default in your ~/.gemrc file. One thing to change from the older examples floating around: fetch gems from https://rubygems.org/ only. The gems.rubyforge.org and gems.github.com sources have been retired, and plain http:// sources let anyone on the path swap the gem you install for their own.

---
:verbose: true
:sources:
- https://rubygems.org/
:update_sources: true
:backtrace: false
:bulk_threshold: 1000
:benchmark: false
gem: --no-ri --no-rdoc