New Ideas on your Palm

The two reasons I bought my Palm Tungsten T3 were the bright display, and the ability to listen to Podcasts and other audio content.

The built-in RealOne Player is not really useable. It misses bookmarks, and when operated without the stylus, the volume adjustment is too coarse for headphones. So I switched to Pocket Tunes. Another program you'll need is Card Export, which makes the SD card available as a USB drive under Linux. Hopefully, the next version of pilot-link or gnome-pilot will allow files to be installed on the SD card.

Finally, some MP3 files have to be converted to a different sampling rate, as the Palm does not support the 24 kHz used by Adam Curry. So I extended the mp32ogg script and added the switch --only-resample which will only convert the file if resampling is necessary. Usage example: mp32ogg --delete --only-resample *.mp3 will give you a directory with playable MP3 and OGG files, which can then be installed on the Palm. The modified script can be downloaded here.

23:14, 21 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

Palm Net Access via Bluetooth [groups.google.com]

The next thing I had to try was connecting my Palm to the Internet via Bluetooth, using Fedora Core 3. Thanks to this Usenet posting, it wasn't too hard.

The only Bluetooth adapter I have is in my IBM ThinkPad. It has to be switched on with a hardware button, so I first had to configure the Bluetooth services to be started whenever the device becomes available. After installing the bluez RPM packages, create the script /etc/hotplug/usb/hci_usb:

#!/bin/sh

# Start the Bluetooth services when the adapter appears.
if [ "${ACTION}" = "add" ] && [ -f "${DEVICE}" ]
then
    [ -e /var/lock/subsys/bluetooth ] || service bluetooth start
    [ -e /var/lock/subsys/dund ] || service dund start

    # hotplug runs $REMOVER when the device is removed again.
    if [ "X$REMOVER" != "X" ]
    then
        cat >"$REMOVER" <<EOF
#!/bin/sh

[ -e /var/lock/subsys/dund ] && service dund stop
[ -e /var/lock/subsys/bluetooth ] && service bluetooth stop
EOF
        chmod +x "$REMOVER"
    fi
fi

Because the script is invoked for multiple devices, it has to check if the bluetooth and dund services are running or not. This only works if the bluetooth service is not started when the system boots, so we have to disable it:

service dund stop
service bluetooth stop
chkconfig dund off
chkconfig bluetooth off

As described in Blumf's posting, create /etc/ppp/peers/dun:

noauth
local
debug
115200
noipdefault
noipx
idle 0
ms-dns <DNS-SERVER-IP>
netmask 255.255.255.0

If you don't have a local DNS server, copy an IP address from /etc/resolv.conf after establishing your usual Internet connection.

In /etc/ppp/options.rfcomm1, the IP addresses of the PC and the Palm are given:

<PC_IP_ADDRESS>:<PALM_IP_ADDRESS>

In my network, I set the Palm IP address to 192.168.2.1.

Modify /etc/sysconfig/dund:

DUNDARGS='--listen --channel 1 call dun'

You also need to enable IP forwarding and masquerading. In /etc/sysctl.conf, set net.ipv4.ip_forward to "1". Run echo 1 >/proc/sys/net/ipv4/ip_forward to activate forwarding without a reboot.

In /etc/sysconfig/iptables, add these lines:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

For this to take effect, you have to run service iptables start.

On the Palm side, just follow Blumf's instructions:

  1. In prefs/Bluetooth add your PC to the trusted device list. Pass key is found in /etc/bluetooth/pin, default is "BlueZ".
  2. In prefs/Connection create a new entry. (Connect to: PC, Via: Bluetooth, Device $YOUR_PC)
  3. In prefs/Network create a new service. (Username/password same as your normal linux login, Connection to whatever you created in the previous step, no need to change details)
  4. Tap 'Connect', if all's well you should see the palm connecting. Check the end of /var/log/messages to see the ppp log.
  5. Tap 'Disconnect'.

16:16, 14 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

USB Palm and Fedora Core 3 [docs.fedoraproject.org]

If you want to synchronize a USB Palm under Fedora Core 3, and don't want to spend hours reading about udev and hotplug, here's how to do it.

The problem with USB syncing a Palm under Fedora Core 3 is that the device file will not be created until you press the Hotsync button. And when it is created, it is only accessible by root.

This can be fixed by creating /etc/udev/rules.d/10-visor.rules with this content:

BUS=="usb", SYSFS{product}=="Palm Handheld*", KERNEL=="ttyUSB[13579]", SYMLINK+="pilot"

For detailed information on writing udev rules, see Daniel Drake's excellent document. To create the above rule, I pressed the Hotsync button, looked for the newest symlink in /sys/bus/usb/devices, and then examined the product file in the directory to which the symlink pointed. Because the product string had a trailing space on my computer, I added the "*" at the end. The check for the kernel device name "ttyUSB[13579]" is necessary because I use Card Export II, which lets me access the Palm's memory card as a USB drive. Card Export II also identifies itself as a "Palm Handheld" product, but with a different kernel device name. Tim Harper suggested using "[13579]" in the device name. This is important because udev creates two subsequent, but more or less random ttyUSB devices, and only the one with the odd number works.

A simpler rule would match the kernel device name with KERNEL=="ttyUSB1", but that would break if ttyUSB1 is occupied by some other toy when the Palm is connected.

As pointed out in the comments, it is not necessary to create a file in /etc/udev/permissions.d, because the configuration in /etc/security/console.perms takes care of setting the right permissions, once we have created the symlink /dev/pilot.

The rules.d file must have the given name so it is loaded before the default 50-udev.rules. Restarting udevd is not necessary for these changes to take effect.

If you use pilot-xfer to access your Palm, the following script allows you to start it before pressing the Hotsync button.

#!/bin/sh

until [ -e /dev/pilot ]; do sleep 1; done
exec /usr/bin/pilot-xfer "$@"

13:10, 14 Nov 2004 by Carsten Clasohm Permalink | Comments (48)

During the last three weeks, I have set up Red Hat Enterprise Linux 4 on this server, watched Revolution OS and examined the kernel timeline to find out I must have started with Linux 0.99 in 1993, passed the Red Hat Certified Engineer exam, installed Fedora Core 3 on four machines, and I attend the RH423 course about Directory Services and Authentication this week.

In this course, I came across pam_ssh. When you work on multiple machines and use SSH to connect to them, using a public/private key pair for authentication is a great convenience. You no longer need to remember passwords for the different servers, but only the one for the private SSH key. And there is ssh-agent, which caches the private key, so you do not have to enter the password for every SSH login. Still, you do have to enter the password after login to your local machine.

Now, wouldn't it be cool if you could log in to your desktop machine, and never enter another password until you log out? That's where pam_ssh comes in. It hooks into the login process, asks you for the SSH password instead of your Unix account password, authenticates you and starts ssh-agent.

Configuring it is trivial if you know PAM. The instructions below assume that you use gdm for graphical login, but the process for kdm or xdm should be almost the same.

  1. Save a copy of /etc/pam.d/gdm and make sure that you can log in on a text console before proceeding. Otherwise, you could easily lock yourself out.
  2. Download and install pam_ssh, with the usual ./configure && make install

  3. In /etc/pam.d/gdm, add this line before the line "auth required pam_stack.so service=system-auth":

    auth sufficient pam_ssh.so

    This will make gdm prompt for your SSH private key password, and if it is correct, authenticate you. Otherwise, it will proceed with the usual authentication, i.e. ask for your Unix password.

  4. At the end of /etc/pam.d/gdm, add this line:

    session optional pam_ssh.so

    This will set up ssh-agent after you have been authenticated.

  5. On Fedora Core 3, the resulting /etc/pam.d/gdm should look like this:
    auth       required     pam_env.so
    auth       sufficient   pam_ssh.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    session    optional     pam_ssh.so
    

Update 11 Aug 2005: This also works with Fedora Core 4 x86_64, but only after manually installing the pam_ssh module. It is compiled for 64 bit, but installed in the 32 bit lib directory. To fix this, run the following command after make install:

mv /lib/security/pam_ssh.* /lib64/security

Update 14 Apr 2006: Fedora Core 5 comes with pam_ssh as one of the Extras RPMs. You still have to edit /etc/pam.d/gdm, though:

auth       required     pam_env.so
auth       sufficient   pam_ssh.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    optional     pam_ssh.so

Update 26 Nov 2006: When using pam_mount to mount your encrypted home directory during login, put a copy of your SSH key into the unencrypted mount point (usually /home/USERNAME/.ssh). pam_ssh needs to access it before pam_mount does its work. With both pam_mount and pam_ssh, my FC6 /etc/pam.d/gdm looks like this:

auth       required    pam_env.so
auth       required    pam_mount.so
auth       sufficient  pam_ssh.so use_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so
session    optional    pam_ssh.so
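
A quick check of the edited file, as an added example that is not part of the original post or of pam_ssh: the function name pam_ssh_audit is made up here, and the embedded sample is the Fedora Core 3 layout from step 5. It also reports a consequence of "sufficient": auth modules listed after pam_ssh.so, such as pam_nologin.so in that layout, are not consulted when the SSH passphrase is accepted.

```shell
#!/bin/sh
# Added example: audit a PAM service file for the pam_ssh layout described above.
# pam_ssh_audit is a name made up for this example.
# Exit status 0 = layout as described, 1 = something is missing or misordered.
pam_ssh_audit() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        type = $1; control = $2; module = $3
        if (type == "auth" && module == "pam_ssh.so") {
            ssh_auth = NR
            if (control != "sufficient") {
                print "FAIL: auth pam_ssh.so is \"" control "\", expected sufficient"; bad = 1
            }
            if (sysauth) {
                print "FAIL: pam_ssh.so (line " NR ") comes after system-auth (line " sysauth ")"; bad = 1
            }
        } else if (type == "auth" && $0 ~ /system-auth/) {
            if (!sysauth) sysauth = NR
        } else if (type == "auth" && control == "required" && ssh_auth) {
            # "sufficient" ends the auth stack on success, so this module is skipped.
            print "NOTE: auth " module " (line " NR ") is not consulted when the SSH passphrase is accepted"
        }
        if (type == "session" && module == "pam_ssh.so") ssh_session = NR
    }
    END {
        if (!ssh_auth)    { print "FAIL: no auth line for pam_ssh.so"; bad = 1 }
        if (!ssh_session) { print "FAIL: no session line for pam_ssh.so, ssh-agent will not be started"; bad = 1 }
        if (!bad) print "OK: pam_ssh.so precedes system-auth and has a session line"
        exit bad + 0
    }' "$1"
}

# Sample input: the Fedora Core 3 layout from step 5 above.
sample=$(mktemp)
cat >"$sample" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_ssh.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    optional     pam_ssh.so
EOF
pam_ssh_audit "$sample"
rm -f "$sample"
```

Run it against a copy of /etc/pam.d/gdm after editing and before logging out, while the text console from step 1 is still available.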

22:06, 10 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

Isar Süd [www.clasohm.com]

[Image: Parking Lot, Trees]

Before stocking up on food supplies and preparing my car for the winter this morning, I walked around the empty parking lot of the Siemens Com headquarters. I was hunting for some photos for a Web site a friend is working on. Building 1756 is where we both started to work on ShareNet in March 2000, and building 1758 is where I currently have my desk.

16:00, 06 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

Sonnjoch Photos [www.clasohm.com]

[Image: Autumn Trees, Achensee]

Just finished uploading the pictures from the Sonnjoch hike I did on October 23. Not all are as pretty as this one, but they can mostly stand up against the pictures I took in 2001.

22:09, 04 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

Server Move 2

Since last weekend, the Web and mail servers for clasohm.com have been running on the new machine without too many problems. So let's look at the mail setup.

SpamAssassin 2.6 -> 3.0

After upgrading to the latest version of SpamAssassin, I got more spam than before! As I couldn't find any postings from disappointed users on the mailing list, and training the Bayesian filter did not help, I finally ran spamassassin -D <spam. Because SpamAssassin uses all installed tools and packages it can, but silently ignores those it cannot find, analysing the output is a bit tedious, but worth it. Looking for messages about skipped tests, I quickly found out what was missing. While I installed Mail::SpamAssassin, CPAN did not upgrade the DNS package. So SpamAssassin complained about an old DNS package in the debug output, and skipped all blackhole tests and other DNS-related checks. This was easily fixed by running cpan Net::DNS.

To further improve SpamAssassin's performance, install tools like Vipul's Razor or the Distributed Checksum Clearinghouses (DCC).

MailScanner and ClamAV

MailScanner sits on top of MTAs like Sendmail or Postfix, and scans for viruses and dangerous HTML before delivering mails. It supports a long list of virus scanners, including ClamAV. The way it works is pretty cool - you have one sendmail daemon listening for incoming mail and putting mails into the incoming queue, one sendmail daemon processing the outgoing mail queue, and MailScanner shovelling mails from the incoming to the outgoing queue. If a mail contains a virus, it is discarded or put into a quarantine directory. The great thing is that you don't have to modify your MTA configuration at all. The init script of MailScanner takes care of starting the two sendmail daemons in the right way. And the MailScanner configuration is very flexible, so you can have different settings for different domains hosted on the same machine.

Greylisting with DCC

With more than 1,000 spam mails a day, I decided to give greylisting a try. DCC offers both a Milter interface and a greylisting mode. To configure it, modify /var/dcc/dcc_conf like this:

GREY_ENABLE=on
GREY_SRVR_ID=32702
DCCM_ARGS=-G
DCCIFD_ENABLE=on

The last parameter is not for greylisting, but allows SpamAssassin to use the dccifd daemon instead of spawning a new process for every mail. The server ID is copied from the "auto local greylist server-ID" in /var/dcc/ids.

To activate the greylisting check in sendmail, one translates /etc/mail/sendmail.mc with DCC's hackmc script instead of the usual m4 invocation. With RHEL, these lines in /etc/mail/Makefile do the trick:

%.cf: %.mc
	umask 022; \
	mv -f $@ $@.bak; \
	/var/dcc/libexec/hackmc -T $< > $@

The "-T" parameter tells hackmc to not greylist mail when SMTP AUTH is used, which would obviously be a bad idea.

To prevent loss of mail, it is important to extend the default whitelist. Currently, Evan Harris provides a good whitelist. DCC uses a different format, so here is the file I currently use. To activate it, add this line to /var/dcc/whiteclnt:

include white-puremagic

The rest is standard DCC setup - /etc/init.d/dcc and the daily execution of /var/dcc/libexec/cron-dccd.

22:27, 03 Nov 2004 by Carsten Clasohm Permalink | Comments (0)

Captcha [en.wikipedia.org]

[Image: Captcha of smwm]

To prevent spam bots from automatically creating accounts and posting content, people have come up with these distorted images of numbers and letters, which only a human can decipher and type into a text field. Since our corporate blog became the target of spammers recently, I read a bit about captcha images, and found out that spammers have devised a clever way to decode them. Optical character recognition would be too easy to block. What you need is a human to decode the image for you. So the spam bot takes the image from the site it wants to access, puts it onto the entry page of a free porn site run by the spammer, and waits for a human to decode it for him, without knowing that the captcha is recycled from somewhere else.

21:55, 01 Nov 2004 by Carsten Clasohm Permalink | Comments (1)

New Ideas Through Your Headphones [www.itconversations.com]

With the server move done, I had some time to check out what could be the next big thing on the Web, or the Pointcast of 2005: Podcasting. The first thing I listened to was an interview with Adam Curry, a good introduction to podcasting itself and the rationale behind it. Not to mention Adam's stories about mtv.com and his former business partners, who either turned out to be on Scotland Yard's wanted list, or who ran off to Columbia.

Even more entertaining was Steve Wozniak's Gnomedex presentation, where he talks about his high school pranks, Captain Crunch and the founding of Apple.

Paul Graham's OSCON presentation was not much more than a reading of his (excellent) essays, but the interview is worth the download. One thing he says is that programming languages which people wrote to use themselves, like C, are superior to Frankenstein languages designed in a lab, like Java. I'm not sure if this is true for languages, but it certainly is for application frameworks. David Hansson mentions it in his two-hour video about Ruby on Rails, when he compares the current J2EE frameworks with Rails. And I learned it the hard way when we ported Siemens ShareNet to OpenACS in 2001. Since then, OpenACS has matured, but people still stick to four-year-old lab-designed stuff which we gladly threw overboard while making ShareNet work.

16:32, 01 Nov 2004 by Carsten Clasohm Permalink | Comments (0)
