Archive for March, 2009

Dealing with SSH’s key spam problem

Recently I created a new virtual machine locally, and I tried to ssh into it.

[diablo@infinity ~]$ ssh tachikoma
Received disconnect from tachikoma: 2: Too many authentication
failures for diablo
[diablo@infinity ~]$

I didn’t put a key on tachikoma yet, and ssh didn’t ask me for my password. It didn’t make any sense.

So, I ran the same command with -vvv and realized… it’s sending all my identity keys to tachikoma, and the sshd on that machine is kicking the connection due to all of them failing.

What bizarre behavior.

So I dug around in the man page for ~/.ssh/config, ssh_config and noticed I can just add…

host *
IdentitiesOnly yes

… to force ssh to only use specifically named identities which (what I’ve been doing for years, anyways) are written like this…

host some.remote.host.com
IdentityFile ~/.ssh/id_rsa_some.remote.host.com

… or something similar. With the IdentitiesOnly directive in there, it only sends specifically the identity keys I specify with IdentityFile instead of spamming all the keys I have.

I’m not sure if this is a Debian-only problem (both infinity and tachikoma are Debian machines), but even though it’s a security feature, it’s kind of annoying.
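As an added example (not code from the original post), this Python sketch resolves which IdentitiesOnly and IdentityFile values ssh would apply to a given host, so a config can be checked for hosts that would still be offered every agent key. The function names and sample config are constructed for illustration; it assumes whitespace-separated keywords and does not handle Match or Include.

```python
import fnmatch
import shlex

# Constructed sample config in the layout the post describes (hostnames are placeholders).
SAMPLE_CONFIG = """\
Host some.remote.host.com
    IdentityFile ~/.ssh/id_rsa_some.remote.host.com

Host legacy.example.com
    IdentitiesOnly no

Host *
    IdentitiesOnly yes
"""

def host_matches(patterns, hostname):
    """A Host line applies if some pattern matches and no negated ('!') pattern does."""
    hit = lambda p: fnmatch.fnmatchcase(hostname, p)
    if any(hit(p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(hit(p) for p in patterns if not p.startswith("!"))

def effective_identity_settings(config_text, hostname):
    """Resolve the settings as ssh reads a config: the first value obtained for a
    keyword wins, while IdentityFile entries accumulate across matching blocks."""
    active = True  # lines before the first Host line apply to every host
    identities_only = None
    identity_files = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_matches(args, hostname)
        elif keyword == "match":
            active = False  # Match blocks are outside this sketch; skip them
        elif active and keyword == "identitiesonly" and identities_only is None:
            identities_only = args[0].lower() == "yes"
        elif active and keyword == "identityfile":
            identity_files.extend(args[:1])
    # OpenSSH defaults to IdentitiesOnly no when nothing sets it.
    return {"identities_only": bool(identities_only), "identity_files": identity_files}

def offers_agent_keys(config_text, hostname):
    """True when ssh may still offer every key held by ssh-agent to this host."""
    return not effective_identity_settings(config_text, hostname)["identities_only"]
```

In the sample, the earlier `IdentitiesOnly no` block overrides the later `Host *` default for legacy.example.com, which is why the catch-all block belongs at the end of the file.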

Evil solution to the XSLT empty xmlns problem

I’m currently using XSLT, and I’ve come across the dreaded empty xmlns problem. My XML contains elements that do not have rules in my XSL stylesheet and most XSLT engines append the attribute xmlns="" when they get confused about what namespace the element belongs to… I get bitten by this because I do not have an input DTD as the document is not meant to be used as anything but fodder to create XHTML.

Many people even have this problem when using XSLT to transform XHTML into XHTML… the input and output namespaces are the same, and they’re using properly formatted and validated XHTML documents (complete with the doctype statement and the xmlns attribute on the html element).

Many people just want to force the transforming engine to blindly copy the elements as is over to the new document, and ignore the namespace issue. The XSL below should do this; use wisely.

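<!-- Re-create each element under its local name only, ignoring its source namespace -->
<xsl:template match="*">
    <xsl:element name="{ local-name( . ) }">
        <xsl:apply-templates select="@*|node()"/>
    </xsl:element>
</xsl:template>
<!-- Copy attributes through as attributes (matching them above would turn them into empty elements) -->
<xsl:template match="@*">
    <xsl:copy/>
</xsl:template>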

So, now I can go use XHTML in my input and have it spit back out unmolested.