How to Make a Custom Service on Windows

The next step is to make a custom start-up service for Windows, so that if we reboot the machine remotely, the tunnel connection is re-established automatically.

First, for a startup service, the reference page is: Set up an SSH tunnel as a Windows service using putty (plink).

1. Download the Windows Resource Kit and install it.

2. Use instsrv from the kit to register a new service that runs srvany:

cmd > instsrv {service name} {location of srvany program}

3. Register the service's details in the registry. Copy the following entries to a .reg file, modify the corresponding values, and then double-click it to install. Note: each backslash ('\') must be written twice as an escape.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters]
"Application"="{location of plink}\\plink.exe"
"AppDirectory"="{location of directory of plink}"
"AppParameters"="{ssh arguments}"

4. After installing it, you can use this command for testing:

cmd > net [start/stop] {service name}

5. When the service is started, check on the server side with netstat that the tunnel port is bound.

Second, for the case where plink cannot find the SSH host key, the reference is: Add host keys for putty (plink) for the system user.

By default the connection is established by the logged-in user, but a service runs as the SYSTEM account, which cannot read the host key we cached under our own user profile. To overcome this problem, the steps are:

1. Connect to the server by hand so that the host key is cached on the local PC (this also serves as a double check).

2. Open regedit and find out the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.

3. Export these entries from the menu and change the key header in the exported file to:

[HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys]

4. Save it and install it by double-clicking. Then check that the service works correctly.
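As an added example (not code from the original post, nor from the PuTTY or Resource Kit projects), the following Python 3 script generates both .reg files used in the steps above: the Parameters subkey that srvany reads, with every backslash doubled, and the exported SshHostKeys file rewritten from HKEY_CURRENT_USER to HKEY_USERS\.DEFAULT. The service name SshTunnel, the C:\putty paths, the host name server.example and the host-key value are placeholders I chose, not values from the post.

```python
# Added example, not code from the original post: build the two .reg files the
# procedure above needs. The service name, paths and host entry are placeholders.

HKCU_HOSTKEYS = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys"
DEFAULT_HOSTKEYS = r"HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys"


def reg_string(value: str) -> str:
    """Quote a REG_SZ value for a .reg file: backslashes and quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def service_parameters_reg(service: str, plink_exe: str, app_dir: str, ssh_args: str) -> str:
    """Build the Parameters subkey srvany reads, with every backslash doubled."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s\Parameters" % service
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % key,
        '"Application"=%s' % reg_string(plink_exe),
        '"AppDirectory"=%s' % reg_string(app_dir),
        '"AppParameters"=%s' % reg_string(ssh_args),
        "",
    ]
    return "\r\n".join(lines)


def rehome_hostkeys(exported: bytes) -> bytes:
    """Rewrite a regedit export of the current user's SshHostKeys so that it
    installs under HKEY_USERS\\.DEFAULT, the hive a service running as SYSTEM
    reads. regedit writes UTF-16LE with a BOM; an ANSI export is also accepted."""
    if exported.startswith(b"\xff\xfe"):
        text, bom, enc = exported[2:].decode("utf-16-le"), b"\xff\xfe", "utf-16-le"
    else:
        text, bom, enc = exported.decode("latin-1"), b"", "latin-1"
    old, new = "[%s]" % HKCU_HOSTKEYS, "[%s]" % DEFAULT_HOSTKEYS
    if old not in text:
        raise ValueError("not an export of %s" % HKCU_HOSTKEYS)
    return bom + text.replace(old, new).encode(enc)


# Constructed sample of what regedit exports (the key value is a placeholder,
# not a real host key).
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[%s]\r\n" % HKCU_HOSTKEYS
    + '"rsa2@22:server.example"="0x10001,0xPLACEHOLDER"\r\n'
).encode("utf-16-le")


if __name__ == "__main__":
    print(service_parameters_reg(
        "SshTunnel", r"C:\putty\plink.exe", r"C:\putty",
        r"-ssh -2 -R 5900:127.0.0.1:5900 -l user -i C:\putty\tunnel.ppk server.example"))
    print(rehome_hostkeys(SAMPLE_EXPORT).decode("utf-16"))
```

regedit exports .reg files as UTF-16LE with a byte-order mark, which is why the rewrite works on bytes instead of assuming ASCII text. Because srvany starts plink without a console, the key given with -i must be usable without a passphrase prompt: Pageant runs in the logged-in user's session, which the SYSTEM account does not see.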

At this point the auto-login SSH tunnel service on Windows is constructed. The next step is to check its connection and keep it alive.

SSH Tunnel and Auto-login with Plink and Puttygen

The first part of building my own remote desktop environment is to establish a reverse tunnel connection, and along the way to use auto-login without a plain-text password shown on the command line.

First, to establish an SSH tunnel, the command and corresponding arguments are:

plink -ssh -2 -R {dest pc ip}:{dest pc port}:{local pc ip}:{local pc port} -l {username} -i {ppk file} {remote pc tunnel ip}

This command constructs a reverse tunnel over SSH protocol version 2, binds the two ip:port pairs together, and uses key-based auto-login with the private key file (-i) generated by PuTTYgen.

The references for common SSH usage and the specific server settings are at Reverse Tunneling. The GatewayPorts and ClientAliveInterval settings are the important ones; the details will be shown in later articles.

Second, for the automatic login strategy, the trick is to use PuTTYgen, which is provided by the same vendor as PuTTY. The reference is Use PuTTYgen to generate a private/public key pair. The brief steps are:

1. Open PuTTYgen and generate your own DSA or RSA key pair.

2. You can enter a passphrase to protect the saved private key file.

3. Copy the text in the public key section and paste it into the ~/.ssh/authorized_keys file on your server (one key per line).

4. Use plink/putty to check that auto-login works.

Now the reverse tunnel connection is established. The next step is to make it a start-up service.

Remote desktop behind NAT on Windows

My network access in the rental hosting is behind NAT; all the IPs we have are private (192.168.x.x). Although we can use SSH to build a tunnel (even a reverse tunnel) that binds a port for remote access and bypasses the effects of NAT, there are many issues to solve.

The whole view of my chosen configuration is:

HOME (192.168.x.x) <-- NAT <--> NETWORK <--> DEST_TUNNELED (LINUX)

Here I list the problems I encountered. The solutions may be written up as separate topics and linked from here.

First, Remote Desktop (RDP) on Windows XP SP3 (apparently since SP2) does not support loopback (127.0.x.x) connections. The reason may be to stop a user from connecting to the same PC locally. In this situation the connection is dropped and the only way to recover is a forced reboot.

But we still need loopback, because when we use an SSH tunnel the bound port is on localhost (127.0.0.1), and the default Windows policy denies this kind of connection.

So I turned to UltraVNC, a well-known remote control application on Windows. Another reason for choosing VNC is that almost 90% of my work (and home) PC environments are Linux-based. Apart from VNC and RDP, I don't want to install other clients that are not provided by the distribution.

P.S. Although UltraVNC provides plug-ins such as NAT-to-NAT, single-click and so on, they are not feasible for my environment. One reason is that my destination computers are all Linux (and the Windows PC is behind another firewall too). So the solutions based on listen mode and the NAT-to-NAT plug-in were all rejected by me.

Second, to simplify software installation on Windows, the SSH application I use is plink. Plink is a command-line interface to PuTTY's back end, PuTTY being another well-known SSH client on Windows. Because it can be driven from the command line, it is the best choice to run as a Windows service that connects automatically at system start-up.

The main reasons I chose plink for the connection are: 1) it is small but complete; 2) it needs no installation (portable); and 3) it is well known and still maintained.

Details of SSH Tunnel and Auto-login with Plink and Puttygen.

Third, to add a new service on Windows, I use the Windows Resource Kit provided by Microsoft. Because it comes from the same vendor, I think its compatibility and stability should be the best.

Details of How to Make a Custom Service for Windows.

Fourth, to check periodically that the connection is established, I wrote a simple batch script. The script checks the connection from the local side and restarts the tunnel service when it is disconnected. With the Windows scheduler, it runs periodically.

Details of Script to check tunnel status periodically on Windows.
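The check described in the fourth point can be written in a few lines. The following Python 3 script is an added example, not the author's batch script; the service name SshTunnel, the server address 203.0.113.5 and the netstat excerpts are constructed placeholders. It scans the output of netstat -an for an ESTABLISHED connection to the server's SSH port and, when none is found, restarts the service with net stop and net start; the Task Scheduler then runs the script periodically, as the post describes.

```python
# Added example, not the author's batch script: decide from netstat output
# whether the plink session to the SSH server is still established and, if
# not, restart the Windows service that runs plink. The service name, server
# address and netstat excerpts are placeholders.
import subprocess


def netstat_output() -> str:
    """Run netstat -an (same flags on Windows and Linux) and return its text."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


def tunnel_established(netstat_text: str, server_ip: str, ssh_port: int = 22) -> bool:
    """True if some TCP line reports an ESTABLISHED connection to server_ip:ssh_port.
    Handles both the Windows ('TCP local remote state') and Linux netstat layouts."""
    target = "%s:%d" % (server_ip, ssh_port)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if fields[-1].upper() == "ESTABLISHED" and target in fields[1:-1]:
            return True
    return False


def restart_service(service: str, run=subprocess.call) -> int:
    """net stop / net start the tunnel service; `run` is injectable for testing.
    Returns the exit code of 'net start' (0 on success)."""
    run(["net", "stop", service])
    return run(["net", "start", service])


def check_tunnel(netstat_text: str, server_ip: str, service: str,
                 ssh_port: int = 22, run=subprocess.call) -> str:
    """Return 'up' when the session is established, otherwise restart the
    service and return 'restarted' or 'restart-failed'."""
    if tunnel_established(netstat_text, server_ip, ssh_port):
        return "up"
    return "restarted" if restart_service(service, run) == 0 else "restart-failed"


# Constructed netstat excerpts (Windows layout) for a live and a dropped tunnel.
NETSTAT_UP = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49321     203.0.113.5:22         ESTABLISHED
"""
NETSTAT_DOWN = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49321     203.0.113.5:22         TIME_WAIT
"""


if __name__ == "__main__":
    # Real run: read the live netstat table and act on it.
    print(check_tunnel(netstat_output(), "203.0.113.5", "SshTunnel"))
```

An ESTABLISHED entry only proves that the local TCP stack has not torn the session down; a NAT device between the two ends can silently drop its mapping while both sides still consider the connection alive, which is the case the server-side keep-alive setting in the fifth point addresses.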

Fifth, to maintain the connection, we change a setting on the SSH server. The parameter makes the server ask the client periodically whether it is still alive, which prevents the connection from being dropped by the network devices between the two ends.

Details of how to avoid SSH connection closed. (TBD)

Finally, my own remote desktop environment was built successfully and it works fine. Although uploading from my home is still slow, I can control its status remotely.

ClientAliveInterval

Upgrade to Python 2.7 on gentoo

Gentoo unmasked the python:2.7.1 x86 package a few days ago. Although I compiled and installed it successfully, there are still some tricky points to note. After installing python:2.7 successfully, what we should do is:

1. Switch the current Python version with eselect

# eselect python set python2.7

2. Run python-updater to rebuild broken libraries

# python-updater

After these procedures, most packages that depended on python:2.6 are re-emerged and linked against python:2.7. But if you run it several times, you will notice that one package, sys-libs/tdb:0, always remains. The problem may be due to the dependency in its ebuild:

PYTHON_DEPEND="python? 2:2.6"

But it's easy to solve: just remove python:2.6 and rebuild it.

3. Run the clean-up and check for broken dependencies to rebuild

# emerge --depclean
# revdep-rebuild

(But I think it does not work for the dependencies, so I re-ran python-updater.)

4. Re-run python-updater

# python-updater

5. Finally, all the dependencies are clean and my box works fine. If you encounter this problem, enjoy it.

Note for IPV6 support for DNS and SMTP

For the IPv6 test, I had missed some checks. To support all services over IPv6, here I list some notes on the configuration.

1. Postfix:

Add inet_protocols = all to main.cf. For security, add your IPv6 networks to mynetworks only if needed.

2. BIND

Change the IPv6 listen setting in named.conf to: listen-on-v6 { ::1; }; and add an IPv6 reverse zone configuration for your domains.

3. This note will be updated if I get other services working.

Add SSL support for ssmtp, imaps, pop3s, https, ftp

OS: Gentoo Linux

Services: WEB(lighttpd), SMTP(postfix), IMAP/POP3(courier-imap), ftp (Proftpd)

1. To generate your own certificate file, see the reference Apache2/SSL Certificates; the steps are similar.

I am using certificates signed by CAcert.org (because it is free, although browser acceptance of it is limited). For example, use the following command to generate a CSR file:

$ openssl req -nodes -new -keyout private.key -out server.csr

and then submit it to the CA to get the crt file for your request.

Note: after certification, there will be several files, such as root.crt from CAcert and a crt file for your server from CAcert. Then merge the key file and the crt file into a pem file with:

$ cat {server crt file} {server key file} > {server pem file}

With that, the preparation is finished.
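Since the merged pem file now holds the private key next to the certificate, it is worth checking before the daemons read it. The following Python 3 script is an added example, not part of the original post; the PEM contents it embeds are constructed placeholders, not real certificates or keys. It verifies that the bundle contains the issued certificate rather than the CSR, exactly one private key that is not passphrase-protected (the -nodes option above produces such a key, and a daemon cannot answer a prompt), and that the file is not readable by group or other.

```python
# Added example, not from the original post: sanity-check the merged pem file
# before pointing lighttpd or courier at it. All PEM samples here are constructed.
import base64
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text: str):
    """Yield (label, headers, der_bytes) for each PEM block; corrupt base64 raises."""
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = [l for l in lines if ":" in l]            # e.g. Proc-Type: 4,ENCRYPTED
        data = "".join(l.strip() for l in lines if ":" not in l)
        try:
            der = base64.b64decode(data, validate=True)
        except ValueError as e:
            raise ValueError("corrupt base64 in %s block" % label) from e
        yield label, headers, der


def check_bundle(text: str) -> list:
    """Return the problems that would stop the services above from using the pem."""
    problems = []
    blocks = list(pem_blocks(text))
    labels = [b[0] for b in blocks]
    if "CERTIFICATE REQUEST" in labels:
        problems.append("the CSR (server.csr) was merged; use the crt issued by the CA instead")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    key_blocks = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if len(key_blocks) != 1:
        problems.append("expected exactly one private key block, found %d" % len(key_blocks))
    for label, headers, _ in key_blocks:
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
        if encrypted:
            problems.append("private key is passphrase-protected; a daemon cannot answer the prompt")
    return problems


def mode_problems(mode: int) -> list:
    """The pem contains the private key, so nobody but the owner should read it."""
    if mode & stat.S_IRWXG or mode & stat.S_IRWXO:
        return ["pem readable by group/other (mode %o); use chmod 600" % (mode & 0o777)]
    return []


def check_pem_file(path: str) -> list:
    """Combine the content and permission checks for a pem file on disk."""
    with open(path) as f:
        content = f.read()
    return check_bundle(content) + mode_problems(os.stat(path).st_mode)


def _block(label: str, payload: bytes, *headers: str) -> str:
    """Build a constructed PEM block; the payload is arbitrary bytes, not real DER."""
    head = "".join(h + "\n" for h in headers)
    if headers:
        head += "\n"                                   # blank line ends the header section
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (
        label, head, base64.b64encode(payload).decode(), label)


# Constructed samples: a correct bundle, the CSR merged by mistake, and an encrypted key.
GOOD_PEM = _block("CERTIFICATE", b"constructed certificate bytes") + \
    _block("RSA PRIVATE KEY", b"constructed key bytes")
CSR_MIXUP_PEM = _block("CERTIFICATE REQUEST", b"constructed csr bytes") + \
    _block("RSA PRIVATE KEY", b"constructed key bytes")
ENCRYPTED_PEM = _block("CERTIFICATE", b"constructed certificate bytes") + \
    _block("RSA PRIVATE KEY", b"constructed key bytes",
           "Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-128-CBC,00")

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("csr", CSR_MIXUP_PEM), ("encrypted", ENCRYPTED_PEM)):
        print(name, check_bundle(pem))
```

Run check_pem_file on the real {server pem file} after the cat step; an empty list means the bundle is usable by the services configured in the following steps.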

2. For lighttpd (https): reference Howto: Linux Lighttpd SSL (Secure Server Layer) Https Configuration And Installation, Step #4.

All we need is to add a section for the SSL port (443) and set up the cert files. For example:

$SERVER["socket"] == "[::]:443" {
 ssl.engine    = "enable"
 ssl.pemfile   = "{location for server pem file}"
 ssl.ca-file   = "{location for cacert crt file}"
}

3. For Postfix (smtps): reference Virtual Mailhosting System with Postfix Guide, Code Listing 6-1. What we need to set up is, for example:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = {location for server key file}
smtpd_tls_cert_file = {location for server crt file}
smtpd_tls_CAfile = {location for cacert crt file}

4. For courier-imap (imaps, pop3s): reference Courier IMAP SSL Server Certificate Installation and Configuration.

In the imapd-ssl and pop3d-ssl configuration files, we need to modify these two settings:

TLS_CERTFILE={location for server pem file}
TLS_TRUSTCERTS={location for cacert crt file}

5. Proftpd (secure FTP): reference FTP and SSL/TLS. Add the settings to the configuration file:

TLSEngine on
...
TLSRSACertificateFile {location for server crt file}
TLSRSACertificateKeyFile {location for server key file}

6. Finally, almost all services support SSL. You can verify the settings with openssl's client tool:

$ openssl s_client -connect {server ip}:{server port}

For example: 465 (ssmtp), 993 (imaps), 995 (pop3s). Enjoy it.

Some tricky points when using Google App Engine with Eclipse and pydev

Last semester my term project was to build a site using Google App Engine. As my work environments are all Linux, my choice of IDE was Eclipse. For fast development and deployment, I list some tricky points I encountered when setting up the environment. May this help newbies like me.

This article skips most installation details, which are easy enough for readers to look up themselves.

1. Download Eclipse and Google App Engine SDK.

2. Install the PyDev plugin: reference Configuring Eclipse on Windows to Use With Google App Engine.

Note: the main PyDev plugin site has moved to http://pydev.org/updates .

3. Install the Google plugin: referenced by Using the Google Plugin for Eclipse.

4. Create a new project: File > New > Pydev > Pydev Google App Engine Project

In the next step, the grammar version must be set to 2.5 to match the GAE setting.

In the next step, point to the GAE SDK you downloaded and select all packages (the default).

(In the next step, set up your app id and template.)

Finish the setup.

5. Build your application. Next we must set it up to run locally.

6. Run Configurations > Pydev Google App Run

First, create a new configuration. In the settings window, on the Main tab:

a) Browse for the project you want to run

b) IMPORTANT: the Main Module must be set to the GAE SDK's dev_appserver.py.

Second, on the Arguments tab:

a) The program arguments must be set to '.' (a dot, meaning the current directory).

b) The Working directory must be set to Other; use the Workspace button to choose this project (its src directory).

For example: ${workspace_loc:[project_name]/src}.

7. Now you can run your project locally on port 8080.

Enjoy it.