This is something that has kept coming back to bite me recently.

When you are setting up public-key authentication on OpenSSH, you must be very careful of file ownerships and permissions. In many stock unix setups, this isn’t a problem. But in any environment where you are relying on a lot of group access to files, it is easy to slip up and earn yourself a system that will silently fail to authenticate (unless you turn on debug level verbosity).

1. The private key must be readable only by the user initiating the connection.
2. The authorized_hosts file must be writable only by the account accepting the connection.

Sounds simple enough, ne?

The real trick is that group write permission anywhere up the directory tree can render these precautions meaningless. Who cares if I can’t see into .ssh in your home directory if I can manipulate your home dir itself?

3. $HOME and $HOME/.ssh must be locked down on the destination host.

A general good rule of thumb for permissions might be something like this:

ammon@farnsworth:~$ chmod 755 .
ammon@farnsworth:~$ chmod 700 .ssh
ammon@farnsworth:~$ chmod 600 .ssh/authorized_keys

Obviously, this gets kind of tricksy if you want to do something like allow SCP file transfers to the Apache user on a system… and their home dir is /var/www… and your web developers have group write access to this dir.

In situations like that, you have two options. First, you could disable the permissions checks (by turning off StrictModes in the sshd_config), but that’s not advisable. Second, you could make a separate home dir for the apache user with the restrictions in a place where they won’t interfere with anyone’s work.

Posted by Ammon as howto, play, security, ssh, sysadmin, work at 3:40 PM EDT

No Comments »

The other day, I heard a few people talking about needing an easy way to browse images on a remote Apache server that has Indexes disabled.

They had a ~20 line php script that they were dropping into each directory in order to generate indices. The problem came when they started organizing the images into subdirectories. Eventually, it became necessary to copy the new script into a mind-bogglingly large number of directories. Inevitably, dirs were missed, etc...

I interjected that I could probably fix their problem in 30 minutes.

So I did.

It's not elegant. It's not pretty. It has plenty of room for improvement - it'll generate links to Windows explorer thumbnail db's, etc... But it is fast and should be moderately secure. Just drop it in the root directory of your image structure and you're good.

Posted by Ammon as howto, php, programming, sleep, work at 10:26 AM EDT

No Comments »

For the longest time, I have been suffering with problems of changes whitespace rendering SVN diffs useless.

Sometimes it's the spaces vs tabs issue. Sometimes it's file line endings (silly Windows-only editors and their CRLF). And sometimes it's just people adjusting whitespace arbitrarily on lines (like adding spaces around parens or leaving spaces at the end of lines, etc...).

Regardless of the individual manifestation, it's a silly problem, but one that causes more than its share of tears among developers everywhere.

Perhaps the easiest and smartest solution is to browbeat your co-developers into compliance. Force people to use editors that preserve line endings, force them to strip trailing whitespace and conform to a universal standard of indentation, etc... but it's not always the nicest or most reliable solution. People will make mistakes, even if it's only once a month... going over that diff might cost you an hour to figure out what had actually changed.

There are a few other solutions out there. They're not new, and they're not for everyone... but they can be phenomenally helpful at times. I'll go over the two simplest ones.

dos2unix

Ever gotten a diff that reads like this?

ammon@binky:~/test$ svn diff one
Index: one
===================================================================
--- one (revision 2)
+++ one (working copy)
@@ -1,11 +1,11 @@
-One is the loneliest number that you'll ever do
-Two can be as bad as one
-It's the loneliest number since the number one
-
-No is the saddest experience you'll ever know
-Yes, it's the saddest experience you'll ever know
-`Cause one is the loneliest number that you'll ever do
-One is the loneliest number, worse than two
-
-It's just no good anymore since she went away
-Now I spend my time just making rhymes of yesterday
+One is the loneliest number that you'll ever do
+Two can be as bad as one
+It's the loneliest number since the number one
+
+No is the saddest experience you'll ever know
+Yes, it's the saddest experience you'll ever know
+'cause one is the loneliest number that you'll ever do
+One is the loneliest number, worse than two
+
+It's just no good anymore since she went away
+Now I spend my time just making rhymes of yesterday

This is what happens when something changes the line endings of a file. In this case, the original file was created with LF endings and was then edited slightly by an application that converted them to CRLF.

Now... if this were a 1000 line perl script in stead of an 11 line lyrics snippet... it would be soulcrushingly difficult to find the one actual change in the file.

Most unix distros have at their disposal the dos2unix / unix2dos utilities. On Red Hat, you can yum install dos2unix to get them. On Debian/Ubuntu, you can apt-get install tofrodos. I don't have any other unices lying around at present to check on, but you can always just get the source at http://www.thefreecountry.com/tofrodos.

ammon@binky:~/test$ dos2unix one
ammon@binky:~/test$ svn diff one
Index: one
===================================================================
--- one (revision 2)
+++ one (working copy)
@@ -4,7 +4,7 @@

 No is the saddest experience you'll ever know
 Yes, it's the saddest experience you'll ever know
-`Cause one is the loneliest number that you'll ever do
+`cause one is the loneliest number that you'll ever do
 One is the loneliest number, worse than two

 It's just no good anymore since she went away

Much easier to figure out what has changed this way.

For extra credit, look into the svn:eol-style property. Set this on files as you commit them - or just use autoprops to do the dirty work for you...

diff-cmd

Of course, some times it's not line endings. Sometimes the problem is random meaningless whitespace changes. Maybe somebody used an editor that auto-indents with spaces when the file was already indented with tabs, etc...

Subversion allows you to specify an alternate command to use to generate your diffs (in stead of relying on svn's internal diff generation).

ammon@binky:~/test$ svn diff ----diff-cmd /usr/bin/diff -x -w one
Index: one
===================================================================
7c7
< `Cause one is the loneliest number that you'll ever do
---
> `cause one is the loneliest number that you'll ever do

But what if (for some bizarre reason) you don't care about the case of letters?

ammon@binky:~/test$ svn diff ----diff-cmd /usr/bin/diff -x -iw one
Index: one
===================================================================

If you always want to use your custom diff utility you can set it in your runtime config to save yourself the hassle of having to type it manually each time.

For those using TortoiseSVN, you can always just specify graphical diff/merge utils to use in stead of Tortoise's builtin ones. Personally, I'm a big fan of WinMerge, but there are several other good ones out there.

Posted by Ammon as howto, svn, sysadmin, work at 11:57 PM EDT

No Comments »

Wow. Well, I guess it had to happen sooner or later. My backlog of roughly 2 years of uncompleted blog posts was getting ridiculous. I have decided to throw away 15 or 16 stale posts that were never going to see the light of day anyway.

What got deleted:

• How I'd build an internet radio station if I had to do it again. (Distributed network of listening sources, magical listening preferences dj algorithms).
• What I'd like to see in an internet television station. (I built a prototype, but VP6 encoding is hard to automate - h.264 support in Flash makes that concern moot now).
• A rant in response to all of the uninspired flames I received for my LOTRO stress test review. (I wasn't impressed with either the game or the apparent education level of the trolls).
• A gory description of the innards of an AS1 project I had inherited and wrestled into usability. (Don't let script kiddies write your website for you).
• Several WoW rants, ui mod reviews, and spec discussions. (The stock quest interface needs help in a very big way, Dark Pact warlocks are awesome - so is saccing your felpuppy, Combat Experience and Careful Aim aren't worth it, Every class needs a panic button or three, Protadins need to choose carefully between Sanctuary and Kings).
• Part 6 of my 2007 spring anime lineup review series. (Lucky Star absolutely terrifies me).
• A rant on the differences between Adobe AIR and MS Silverlight. (They're entirely not the same thing, btw).
• A lossless way to get video out of .mov and into .avi wrappers for editing in utilities that can't read Quicktime but can use arbitrary DirectShow codecs. (Huffyuv + ffmpeg).
• A few benchmarking experiments with AS3/Flash 9 performance. (Setting a DisplayObject's alpha to zero is almost, but not quite as good as setting its visible to false; For some strange reason, switch statements appear to be slower than if-else blocks).
• A review of Rogue Galaxy. (One of the best console RPG's I've played in a while).
• Walraven needs quest journals badly. (EQ2's is the closest to what I want; Need the ability to set one quest as a pre-requisite for another).
• The four part epic story of how I sweat blood in order to build an SVN/Trac account management system that ran on a windows server... and then wound up getting to port it to Linux after a week when the windows box blew an hdd controller. (It took something like 4 weeks to build the original, it took 8.5 hours to port it).
• A 2-year-old idea for a little web comic about chibi pirates. (Still probably going to revisit this one).

The queued articles I didn't delete and still pretend I might write one day are:

• Why it's futile for me to pretend that I have any privacy online, and why I'm not splitting this blog up into three separate sites any time soon.
• How to set up apache to write its logs to a remote host over an encrypted tunnel.
• Two more character classes for my TSRPG idea.

But I'm probably just kidding myself. Part of the reason these ideas wind up getting shelved is that the spark of the idea is lost after an interruption. I'll start recording some fascinating insight I had about humanity after watching Kurosawa's Rashomon... only to be interrupted by feeding time for the baby. By the time she's taken care of and happy again, I've lost half of the idea and can't bring myself to post a 75% written entry.

This is also why I keep having long breaks between posts. The goals need to be less lofty and more frequent. We'll see if I can't manage better over the next few weeks.

Posted by Ammon as confession, eat, play, sleep, work at 1:43 AM EDT

No Comments »

Well, it took me twelve years, but I finally did it. As of about noon-thirty yesterday, I have a max level healing character in an MMORPG. Kikichikki's fourth major incarnation is now a level 70 draenei priest in Warcraft.

I did it right this time. Kiki spent the vast majority of her post-newbie levels as a holy/discipline hybrid build and eventually ended up at 28/33/0. Smite and mana efficiency FTW.

I also planned ahead. Not only did I have 5 pieces of lvl 70 eq waiting for me (including the Primal Mooncloth set). Not only did I have enough money saved up to buy my flying mount, but I actually "camped the chicken spawn". I hit level 70 less than 30 yards from the riding trainer in Wildhammer, bought my chicken, and flew away.

Kiki currently has 6741 hp, 9266 mana, just shy of 1250 bonus healing and 154 mp5 while casting (354 while not casting). She has over 400 int and spirit. Her /played is just over 10 days.

boring history

(Seriously, I'm about to ramble for a few hours... Hey, I said this took 12 years...)

I've always enjoyed healing in RPG's, and I like to think that I've gotten fairly good at it over the years. I play clerics and druids in pen and paper RPG's. I cried like a baby when Aeris died - and not just because I was emotionally involved in the story (which I was), but also because she was my healer. My first MUD character became a priest on September 10th, 1996.

I'm not sure what exactly it is about healing in games that I enjoy so much, but I like it more than summoning (a close second - playing healers who can summon makes me giddy). I'm pretty sure my original obsession with clerics was strictly the result of numberchasing munchkinitis. In AD&D, clerics felt like the most flexible class to me. They could heal, they could smite, they could summon at very low levels, they had good hp and could wear heavy armour and hit things with big hammers. My online handle "Allaryin" comes from my first successful D&D character, a chaotic good dwarven cleric of Tempus - the Forgotten Realms god of war.

However, in subsequent games, I recanted this position. Somewhere along the line, the idea of being able to do anything and everything at any time started losing its appeal. I became less interested in whacking things with hammers and calling down fire to consume my enemies whole... and more interested in passively altering events. Why wield the hammer yourself when the fighter can do a better job at it - especially with my help keeping him alive?

Future incarnations of Allaryin stopped following warrior gods like Tempus and started following Lathander the god of light and creation... and eventually evolved into followers of Ilmater the martyr's god. I became obsessed with keeping my party members standing, even if it meant they had to find another priest to raise me when I fell.

When '96 rolled around and I was introduced to muds, it was a happy coincidence that the guys who kickstarted the addiction were a knight and a priest. I quickly gravitated toward the priest's guild and when the time came, chose to play as a priest of Morike, the game world's goddess of healing. Though I eventually played almost every other class in the game, I always came back to Morike. If I logged into the mud right now, Allaryin would still be there, a very dusty and unplayed but still very fervent follower of the light.

Fast forward to March of 2004, FFXI hit my PS2 and I was all ready to reinvent Allaryin again as a Tarutaru white mage, but the game's user interface had other plans. I was unable to figure out how to choose a name of my own, and after several attempts finally gave up and decided to use the random generator. Kikichikki was born.

Kiki was also doomed to failure by a game that made solo play absolutely impossible, especially for the entirely defensive white mage class. I don't think I ever hit level 21, but I hit level 20 about 50 times... having not quite mastered the fine art of controlling aggro in order to avoid getting killed in groups.

Kiki saw a brief reincarnation as an Agatean Pishite on the Discworld mud that lasted a few months before real life conspired to prevent me from playing. When I returned, the character had been wiped for inactivity

In early 2006, Kiki's next stop was City of Heroes. I rolled the character four or five times but never really got into it - however, when City of Villains came out, I rolled Columns, a Necromancy/Poison mastermind who spent most of his time keeping people alive (or reanimating them as the case may be).

When World of Warcraft launched, I was unimpressed with my options for healers. During the open beta, I determined that paladins, druids, and shamans were too confusing and priests were too squishy. Summoning was where it was at, and a few months later when I was finally bullied into opening an account, I rolled Allaryin as a dwarven hunter.

In the intervening years, I have tried leveling healers several times, but the closest I ever got was a 40 paladin (who isn't even healer spec any more). Priests were always squishy, I hit level 15-20 with several attempts but always gave up at my inability to solo with the class - but I had always tried to level as a shadow priest since that's what common convention states is the best build for soloing.

shadow is overrated

I repeat. Shadow is overrated.

I originally (like 2 months ago when the topic was fresher on my mind) meant for this to be a separate rant, but as I never wrote it I may as well go into the subject briefly here.

Again, this time with feeling. Shadow is overrated.

Maybe I'm just complete noobsauce, but I just couldn't make a shadow priest work. I've got a level 50 warlock, which you'd think would be comparable. But it isn't. In World of Warcraft, playing a low level shadow priest is more like playing a melee hunter. Just because the game lets you spec for stupid doesn't mean it actually works.

I'm not saying that the shadow talent tree is worthless. I'm not saying that high level shadow priests aren't amazing and viable in groups. Nor am I saying that shadow priests can't be obnoxiously effective in PvP, and I am certainly not suggesting anyone try to solo to 70 w/o picking up any offensive talents.

I am saying that shadow priests are pointless in low level (<50 or so) PvE solo content. I am saying that the holy and discipline talent trees have much better options for solo players at lower levels.

When Kiki was in her early 40's, I figured I'd give shadow another chance. I had been a holy smite build until this point and had intentionally waited to respec shadow until I could buy enough talents to make it worthwhile. I advanced two levels as a shadow priest before giving up in disgust.

What is wrong with shadow priests? Let me count the ways.

At level 10, a priest is highly squishy. They're going to be healing themselves a lot - their fights take longer since they do less damage and they've got less defense (not getting the first rank of their personal armour spell until level 12).

Going immediately into either of the available shadow talents means delaying or neglecting Healing Focus (2 points for 70% resistance to interruption while healing). Time wasted trying to heal through interruptions means a corpse run.

Waiting until level 12 to take your first shadow talent point means you can't get Mind Flay (the first really useful shadow talent) until 22.

Everyone talks up Spirit Tap (increased mana regen for 15s after a kill) but water really is very cheap and low level priests really shouldn't be using mana to kill things anyway. Wand DPS is much more reliable and even outperforms smite at low levels. Lowbie priests should never run out of mana since they've offloaded their spells to before the mob closed into melee and are spending the rest of their time in combat wanding and regenning for the next fight.

Blackout is even more useless at low level. 10% chance to stun the target for 3 seconds with your shadow spells? There is only one direct damage shadow spell before Mind Flay, and it's on an 8 second cooldown.

For the same five talent points that would have been wasted in regen you don't need or stuns that you can't depend on... you could have 70% resistance to interruption while healing AND one of:

• +15% wand dps (up to 25% after 2 more points).
• +15% healing over time from your renew spell (which should be your most commonly cast spell at this level).
• +3% crit from your holy spells (up to +5% after 2 more points, this includes heals and nukes).

Shadow damage can be mitigated. There is no such thing as holy resistance. Smite always works. And it's not on a cooldown, so you can actually spam it.

Shadow priests' damage output is highly equipment-dependent. To truly be worth the pain of playing a shadow priest, you need gobs of +shadow damage equipment. The soonest a character can be effectively loaded up with +shadow gear is level 40.

Shadowform requires level 40 at the absolute minimum. That's if you completely ignore the other two talent trees...

Can't cast holy spells while in shadowform. Since you still have access to discipline spells, this isn't a huge nerf (unlike a druid's specialized caster forms which pretty much limit you to nuking or healing)... but it is still inconvenient. If for whatever reason you do need to cast a holy spell while soloing in shadowform, switching back costs a huge amount of mana.

DoT's don't crit.

Shadow priests blow through mana like nothing I've ever seen before. With one's primary sources of damage being a DoT and a channeled DoT, you waste a lot of mana. Shadow Word: Pain suffers from the same problem that all DoT's have - it rarely has a chance to tick to conclusion. Likewise, with Mind Flay, any hit you take while channeling will reduce the damage/mana ratio of the spell dramatically.

When hunting trolls as a shadow priest in Arathi, Kiki had to stop and drink after every other kill, even with Spirit Tap. As a smite priest, both her dps and her mana efficiency were higher. She could take 3 or 4 mobs before resting.

After the failed adventures in shadowform, Kiki gave a heavy discipline build a whirl. It too was disappointingly less effective than the heavy holy build had been - but, while she did less damage and her heals were weaker... at least she was sturdier and had more mana to cast the weaker spells with.

So, I guess what I'm trying to say is that from a purely munchkin standpoint, shadow spec is not a good idea for solo PvE before level 50, and is just... well, unplayable before 40.

If you want to play a shadow priest, do yourself a favor and either always party or level a hybrid build of some sort or another and respec to shadow when you get to Outland.

Let the flames commence.

Oh wait, that's right. You can't do that in shadowform

(Yes, I know the pun was horrendous. I'm sorry. Kind of.)

Posted by Ammon as final fantasy, games, mmorpg, mud, numberchasing, play, warcraft at 7:15 AM EDT

3 Comments »