2007-10-17

gdt: Kangaroo road sign (Default)

Microsoft Vista comes with some new fonts. Download the Microsoft PowerPoint Viewer 2007. Use cabextract to unpack it. It has these fonts in regular, bold, italic and bold italic: Calibri, Cambria, Candara, Consolas, Constantia and Corbel.

Drop the fonts somewhere useful:

cd /usr/local/share/fonts
mkdir vista
chcon system_u:object_r:fonts_t:s0 vista
cp ~/*.ttf vista
chown -R root:root vista
chmod -R ug=rw,o=r vista
chmod ug=rwx,o=rx vista

And tell /etc/fonts/local.conf where to find them:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<!-- local.conf Settings for this machine. -->
<fontconfig>
<dir>/usr/local/share/fonts</dir>
</fontconfig>

# fc-cache -s -f

gdt: Kangaroo road sign (Default)

Fedora ships with TCP Wrappers and every application that supports TCP Wrappers is shipped with libwrap enabled.

Less thrillingly, the default configuration disables TCP Wrappers. Let's fix that. Edit /etc/hosts.deny to deny access by default:

ALL: ALL

Obviously the local machine should be able to access itself using IPv4 and IPv6, so edit /etc/hosts.allow to read:

ALL: 127.
ALL: [::1]/128

Now for every application that needs access, add a line to /etc/hosts.allow. For example, Fedora runs sshd:

sshd: ALL

Another example, an e-mail server might have:

sendmail: ALL
imapd: ALL

The scanner used on the local NATed network might be:

saned: 192.168.1.0/255.255.255.0

One trick is the XINetD meta-daemon. The name used in hosts.allow is the program basename on the "server =" line, not the name in the "service" line.

For example, a TFTP daemon with a /etc/xinetd.d/tftp of:

service tftp
{
  socket_type = dgram
  protocol    = udp
  wait        = yes
  user        = root
  server      = /usr/sbin/in.tftpd
  server_args = -U 117 -c -s /tftpboot -vvv
  disable     = no
  per_source  = 11
  cps         = 100 2
  flags       = IPv4
}

would have a hosts.allow of:

in.tftpd: 192.168.1.0/255.255.255.0
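
The xinetd naming rule above, as an added example that is not part of the original post: the script derives the TCP Wrappers daemon name from each enabled xinetd service and reports any that have no explicit hosts.allow entry. The function names and the sample data are constructed for illustration; with ALL: ALL in hosts.deny, a mistyped daemon name matches nothing and the service stays denied.

```sh
# Added example. Reads xinetd service definitions on stdin and prints
# "<service> <daemon>" for each enabled one. <daemon> is the basename of
# "server =", which is the name libwrap looks up in hosts.allow/hosts.deny.
xinetd_daemon_names() {
    awk '
        $1 == "service" { svc = $2; server = ""; disabled = 0 }
        $1 == "server"  && $2 == "=" { server = $3 }
        $1 == "disable" && $2 == "=" { disabled = ($3 == "yes") }
        $1 == "}" && svc != "" {
            n = split(server, part, "/")
            if (server != "" && !disabled) print svc, part[n]
            svc = ""
        }
    '
}

# Exit 0 if the hosts.allow-style file $2 has a rule naming daemon $1.
# Rules keyed on ALL are not counted: the check wants a per-daemon entry.
has_allow_rule() {
    awk -F: -v d="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            n = split($1, name, /[ ,\t]+/)
            for (i = 1; i <= n; i++) if (name[i] == d) found = 1
        }
        END { exit !found }
    ' "$2"
}

# Print every enabled xinetd daemon (definitions on stdin) with no rule in $1.
daemons_without_rule() {
    xinetd_daemon_names | while read -r svc daemon; do
        has_allow_rule "$daemon" "$1" ||
            echo "$svc: no hosts.allow rule for $daemon"
    done
}

# Constructed sample: a tftp service and a hosts.allow with the name mistyped.
demo() {
    allow=$(mktemp)
    printf '%s\n' 'ALL: 127.' 'sshd: ALL' \
        'in.tfptd: 192.168.1.0/255.255.255.0' > "$allow"
    printf '%s\n' 'service tftp' '{' '  server = /usr/sbin/in.tftpd' \
        '  server_args = -U 117 -c -s /tftpboot -vvv' '  disable = no' '}' |
        daemons_without_rule "$allow"
    rm -f "$allow"
}

demo
```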

gdt: Kangaroo road sign (Default)

Fedora is installed with sshd running, permitted through the firewall, and with root login permitted. That's a gift for SSH door knockers. The consequences of choosing a poor root password are poorly spelt out during installation.

The first thing to do is to disable remote access for root. Anyone who needs root access can use sudo. Edit /etc/ssh/sshd_config:

PermitRootLogin no

Not every user needs remote access via SSH. So let's limit access to members of the sshers group (such as the user "fab").

# groupadd -r sshers
# usermod fab -a -G sshers

AllowGroups sshers

Cost those door knockers some bandwidth.

Banner /etc/issue.net

Now let's get rid of password access altogether and replace it with public keys. On the client box run:

[fab@client]$ ssh-keygen -t dsa

This generates two files, ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The id_dsa.pub file contains the public key and is placed on the remote machines you want to access. That is done by:

[fab@server]$ ( umask 077; touch ~/.ssh/authorized_keys )
[fab@server]$ vi ~/.ssh/authorized_keys

Place the one-line content of id_dsa.pub into ~/.ssh/authorized_keys.

Once all that is done for all users, remove password and other access.

RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
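
A check for the settings above, as an added example that is not part of the original post: it reports where an sshd_config differs from the values used here. The function names and the sample config are constructed for illustration; RSAAuthentication is left out because it applied only to SSH protocol 1, and directives inside Match blocks are not evaluated.

```sh
# Added example. Keywords are case-insensitive and sshd keeps the first value
# it reads for each one, so the check does the same. Everything from the
# first Match line onwards is skipped.
audit_sshd_config() {
    awk '
        BEGIN {
            list = "PermitRootLogin=no PasswordAuthentication=no"
            list = list " ChallengeResponseAuthentication=no"
            list = list " HostbasedAuthentication=no KerberosAuthentication=no"
            list = list " GSSAPIAuthentication=no"
            list = list " PubkeyAuthentication=yes IgnoreRhosts=yes"
            n = split(list, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                key[i] = kv[1]; want[i] = kv[2]
            }
        }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        { k = tolower($1); if (!(k in got)) got[k] = tolower($2) }
        END {
            for (i = 1; i <= n; i++) {
                k = tolower(key[i])
                if (!(k in got)) {
                    print key[i] ": not set, compiled-in default applies"
                } else if (got[k] != want[i]) {
                    print key[i] ": " got[k] " (post uses " want[i] ")"
                }
            }
            if (!("allowgroups" in got)) {
                print "AllowGroups: not set, logins are not limited by group"
            }
        }
    ' "$1"
}

# Constructed sample config: the early "yes" wins over the later "no".
demo_audit() {
    cfg=$(mktemp)
    printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
        'passwordauthentication yes' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'AllowGroups sshers' > "$cfg"
    audit_sshd_config "$cfg"
    rm -f "$cfg"
}

demo_audit
```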

gdt: Kangaroo road sign (Default)

Graphics card in the kid's Windows box used for The Sims has failed. AGP8x, low profile, DVI output -- all good so far. 210W power supply -- that hurts since the worst card I can find says on the box it needs a 250W power supply. The card is the same design as the current one but the heat sink is worryingly 25% longer.

Being used to routers I hunt through all the Windows control panel stuff looking for the reported current drawn from the power supply. Nope, not instrumented. Being used to networking gear I look for the actual current draw in the card documentation rather than the recommended power supply size. Nope. No wonder the average person finds computing hard.

Looking at Dell OptiPlex GX270 on the web I find some with Nvidia Geforce 6200 cards, although these seem to be upgrades and my box has a full set of RAM and thus no headroom on the power supply. The original ship seems to have had the Nvidia FX5200 with 128MB.

Oh, and it looks like there's a known fault with some motherboard capacitors. Great :-(

gdt: Kangaroo road sign (Default)

Over it already.

Joe Hockey has spent $121m on the WorkChoices ads. WTF? This for ads he said were "simple and without spin". Simple would have been a letter in the post, $0.60 x 8m households = $5m. We've got the third world happening in the Pittlands: sending $115m to TV owners rather than to aboriginal education, housing and health is criminal.

The suggested reduction in tax is stupid economic policy. That money will go directly into consumption and push up consumer goods demand. Since that's the demand that is currently driving interest rates, they will go up. So all we get is a transfer from income earners to bank shareholders.

However, government revenues do need to be reduced. The question is how to do this. The Hawke-Keating government once gave a non-inflationary wage increase by diverting it into superannuation. Given that most people still do not have enough retirement savings, that's probably the approach to take to a non-inflationary disbursement of the government's windfall revenue. And I think it would be good politics too, people are more scared of their welfare in retirement than is apparent.

Good old Nick Xenophon is running for the Senate. He needs about 15% of the vote, in the state election he got about 10%. In theory his election should depend on preference deals. Needless to say, Labor, Libs and Family First aren't interested in helping Nick. Which might be stupid of them, since I reckon Nick might actually get voted #1 by 15% of South Australians, which means that the party which does the preference deal would pick up the "odds and ends" seat.

As I said, I'm over this election on Day Two. It's not about the good of the people. It's about political dynasties fighting for the prize of government largesse.

Oh, bring me Pitt the Younger, we need his type in these times. His first and dying concern the guidance of his country through its worst hours. His eye on the money (he had to pay to defeat Napoleon and to lose the American Colonies), but his heart with the poorest people. But even more, bring me his friends. Bring me Wilberforce, that hedonistic dandy with the head of a politician but the heart of a lion. Bring me the solid Grenville, the brilliant Nelson, the precocious Wellesley (so much cleverer than the older Wellington).

Even Homer thought the people of the Iliad better men than his contemporaries. What I would give for just one Worthy! But we have Paris rather than Hector: Daimoni' ou men kala cholon tond' entheo thumôi, laoi men phthinuthousi peri ptolin aipu te teichos marnamenoi: seo d' heinek' aütê te ptolemos te astu tod' amphidedêe: su d' an machesaio kai allôi, hon tina pou methienta idois stugerou polemoio. all' ana mê tacha astu puros dêïoio therêtai.

Profile

gdt: Kangaroo road sign (Default)
Glen Turner
