<p><strong>Security for the savvy leftist, Part Ⅰ: OpSec</strong> (Wxcafé, published 2020-05-14; wxcafe.net/posts/security_for_the_savvy_leftist_part_Ⅰ_opsec/)</p>
<h1>Introduction</h1>
<p>This is the first in a series of posts trying to give a few pointers and share a
bit of knowledge on securing your online presence and activism, targeted at
leftists.</p>
<p>The motivation behind this series is my own observation of the lack of technical
security education and/or interest in leftist circles in the US, and the
anxious feeling that it’s direly needed.</p>
<p>These posts are to be considered in the current political context, and also
taken with a grain of salt, as I’m not a security professional and while I do
have some security knowledge, it is not my primary field of expertise.</p>
<p>Anyway, here goes</p>
<hr>
<h1>OPSec</h1>
<p>So, OpSec (operations security) is a very generic concept referring to
identifying what information is important or even critical to the security of
your operation, how it is potentially exposed to your adversary, how to
protect it from that adversary, and finally putting all of that into practice by
changing the organization of your operation to reduce the exposure to your
adversary.</p>
<p>That’s all pretty abstract so far, but basically you can think about it like this:</p>
<ul>
<li>Who’s my enemy</li>
<li>What must they absolutely not know</li>
<li>How can they currently learn that</li>
<li>How can I prevent them from doing that</li>
<li>Fix the issue, rinse and repeat</li>
</ul>
<h2>Who’s my enemy</h2>
<p>The purpose of this question isn’t to point at specific people, but rather to
understand what the scope of the potential attacks you’re facing is. If you’re
organizing a tenant union, your enemy is the landlord, and there’s not much they
can do to attack your organization. If you’re planning revolutionary action on
the US government, your enemy is the entire US government and all of its defense
branches, which can definitely come after you, in depth, and they <em>will</em>, and
you’d better be ready — if it’s even possible to be ready for that situation,
lots of revolutions have failed even without having the full attention of the
American empire…</p>
<p>But the point is that the degree to which you’re exposed, and the type of
response you’ll need to take, depends a lot on who your adversary is and what
kind of resources they have access to (and are willing to use against you).</p>
<h2>What must they absolutely not know</h2>
<p>This one should be obvious. If your adversary knows this, your operation is a
bust, all your efforts were for nothing, and you might be facing repercussions.
To keep going with the examples from the previous point, if the landlord knows
you’re the one who’s organizing the tenant union, they’ll find a pretext to
evict you, and then you’ve been organizing for nothing and you’re out of a place
to sleep. Of course the other example has worse outcomes (i.e. torture or death)
but the concept is the same.</p>
<p>Sometimes though, your adversary knows your identity and your organizing against
them is public, yet they can’t do anything from just that information. There
are still things that they can learn that would compromise your efforts. Find
out what they are.</p>
<hr>
<p><strong>The answers to these two questions (“who’s my enemy” / “what must they absolutely
not know”) are known as your <em>threat model</em>, and it’s what you’re going to use to
tighten your security by identifying what your current problems are and what
measures are necessary to fix them.</strong></p>
<hr>
<h2>How can they currently learn that</h2>
<p>How are you exposed? That’s a trick question, of course, because if you knew
you’d have fixed it already, but there are a few avenues of exposure that are easy
to explore and hopefully solve.</p>
<p>First of all, you could have an involuntary leak. Someone wasn’t careful enough
about where they were talking about something, or published something they
shouldn’t have, and now it’s been exposed (and by that I don’t mean your
adversary knows it for sure, I mean it has been exposed in a place where your
adversary <em>could</em> have seen it. That’s enough to be considered a leak). That’s
human error, and while it will always exist, there are ways to reduce the
probability of it happening. This is the most common type of leak.</p>
<p>Second, you could have a member of your organization voluntarily leaking
information. It could be because they’re being blackmailed, corrupted, or
they’ve just been flipped, or it could be someone who’s infiltrating your org…
either way, these are harder to work around, because… well, because they’re
actively hostile. This is way less common, and mostly happens if you have
powerful adversaries (like always, your threat model should tell you what to
worry about).</p>
<p>Finally, you could have a leak that’s not within your organization. The company
you’re using to chat got hacked and all your messages are suddenly public. Your
storage space got broken into and documents are missing. Your Internet service
provider is just giving all of your data to the government. These things happen,
and you can fight them by running your own tech services and securing your data
properly, but this is honestly the least common avenue for an adversary. Once
again, trust your threat model.</p>
<h2>How can I prevent them from doing that</h2>
<p>The first and most effective line of defense against potential information leaks
in your organization is to <strong>not give the information in the first place</strong>.
Always think of OPSec in two layers: there’s your opsec as an individual, and
then there’s your organizational opsec. If you found that your name is
compromising, then use a nickname or a fake name in your organization. If your
address is compromising, don’t tell people where you live, and don’t take them
back there! Of course, this means not giving anyone access to any online profile
where your real name or address is, never letting anything slip, not letting
anyone see your ID, etc.</p>
<p>This is basically creating a new, separate identity, which you will use
exclusively in the context of the organization. This isn’t always easy, but it
can be necessary in some cases, and it’s always very effective.</p>
<p>Not giving information isn’t only a tool to protect yourself, though. It can
also be a tool inside your organization. The group that works on action A
doesn’t necessarily need to know about action B. Segment information, it keeps
everyone safer. Keep groups small: if you need to, coordinate multiple small
groups rather than making a large one, with a single person in each group in
charge of coordination. That way, no-one knows everyone. Take whatever
precautions are warranted by your threat model.</p>
<p>Of course, some information you need to share as a matter of running your org.
In these cases, the next step in defending against potential information leaks
in your organization is its cohesion. If everyone is close to everyone else, not
only will everyone be more careful (which is important for accidental data
leaks), but it’ll also be very hard to corrupt/blackmail/flip one of your
members, and even harder to infiltrate your organization. Remember, OPSec is not
a tech concern, it’s a social concern. Find out who in your movement is
vulnerable, and take care of them. Think about your onboarding process, how much
you evaluate potential members, and how you start sharing information with them.
Without falling into paranoia, not telling every detail of your actions at
meetings with people you don’t know might be a good idea, depending on your
threat model (like everything else).</p>
<p>Your next line of defense should be making it hard to fail. Your processes
need to make it clear when sharing information is OK, and who with. You need to
establish clear communication lines inside your organization that are safe and
dedicated to a subgroup/action. Once again, this isn’t about tech, the best
encryption won’t help you if someone who works for your adversary is added to
the group chat about your action plan. At any point, it should be clear for
anyone in your organization how they can communicate with other members, and
what they can say on which channel. Separate messaging groups for different
projects are a good start, but there needs to be enforcement of the separation
(meaning reminding people when they start talking about sensitive stuff on the
misc channel), and deliberation before including someone in the group.</p>
<p>Finally, there’s damage control. Once something <em>has</em> been leaked, you need to
have provisions in place to keep your operation going as well as possible. If
the leak is the date and place you were planning to have your action, you have
to be able to change that, and quickly, while making sure everyone involved
knows (i.e. not only have the technical possibility of sending a message to
people, but having a mechanism to make sure it’s read in a defined amount of
time and getting acknowledgment that it has been. Picture having to reschedule
two hours before and work from there). If it’s someone who’s been added to the
wrong chat group, or someone who talked in the wrong place, make sure it’s clear
it shouldn’t have happened, do your best to scrub the information from there
(disappearing messages with a short-ish lifetime are great for this), and change
details if necessary. Sometimes you can’t do much: going back to our tenant
union example, if your identity leaks before you’re ready, you’re pretty much
done; all you can do is hope, and share your knowledge/resources with other
members of your org.</p>
<p>All of these might be way too much for your threat model! If you’re only
fighting to have a new bike lane installed in your neighborhood, nobody’s going
to try and coerce the members of your organization into giving up your name.
They might try and find when your next action is, though, by walking into one of
your meetings. If you’re organizing a tenant union, you probably don’t need to
organize segmented groups who only communicate through one member: your landlord
isn’t going to torture anyone to know the names of the co-conspirators… But
you might want to be careful about where you organize your meetings, keep the
“security” cameras in the building in mind when you’re putting up rent strike
posters, and maybe don’t give your name and unit number to other members even if
it’s not that risky (they don’t really need it anyway!). Your threat model
really is what determines the measures you should take.</p>
<h2>Fix the issue, rinse and repeat</h2>
<p>Well, this part really depends on what you found out in the previous steps.
Fixing the issue, however, means not only fixing this particular instance but
rather changing the system within your org as best you can to make sure that
problem doesn’t show up again. Some of these you can’t fix definitively, as
they’re inherent to the system outside your organization, but you can orient
your group so that they’re less likely to happen. Some are entirely your
responsibility, and you can fix them with a bit of effort, structuring your
organization correctly, and never letting your guard down.</p>
<h1>Conclusion</h1>
<p>That’s it for this post! Always keep in mind: OPSec is something you need to
have <em>before</em> you actually need it. Like everything else in security, it’s a
process, not a state: it’s basically impossible to tell if you’re secure, all
you can reliably know is if you’re insecure, and most of the time it’s because
you suddenly have handcuffs, or are being evicted from your apartment. It
can require constant vigilance, discipline, and every error can be extremely
costly… But it gives you a semblance of security and a fighting chance against
your adversaries.</p>
<p>I hope this post has at least provided a few pointers, and has made you
reflect on your organizational and personal OPSec. Don’t think it’s too late:
it’s always better to have at least a little bit of OPSec than none at all. And
if you don’t implement it for yourself, you should at least do it for other and
future members.</p>
<p>Finally, there are more posts like this one coming on other topics, including
how to communicate securely, which tools to use, what is effective, what isn’t,
and how to escape tech-based surveillance, and I hope you’ll come back to take a
look at these.</p>
<p>Good luck out there</p>
<hr>
<p><strong>36c3 talks</strong> (Wxcafé, published 2020-02-02; wxcafe.net/posts/36c3_talks/)</p>
<p>So a bit over a month ago, like every year, hackers gathered in Leipzig, Germany
for the Chaos Communication Congress. This year, like the year before,
I couldn’t go to congress (last year because I was moving over an ocean, this
year because I didn’t plan early enough and the trip from NYC to Leipzig needs
to be planned…), so I was stuck with watching the recordings of the talks (and
just missing spending time with friends, unfortunately…).</p>
<p>The problem with watching congress recordings is that they’re all uploaded at
the same time, and you don’t have the sort of curation effect of being
physically constrained on what you can watch: when you’re <em>at</em> congress, there’s
(at least) 4 talks at the same time, plus assemblies, and friends to see, and more
things that mean you have to curate on-the-fly what you’re gonna see and what
you aren’t. On the other hand, when you get all the talks dumped on you at the
same time, you don’t have that effect, and you have to choose between like 60
talks and don’t know which are going to be interesting, and which aren’t.</p>
<p>Last year, I simply watched the infrastructure talk, and gave up because
I didn’t have time to spend on watching all of the talks. This year, for 36c3,
I decided to spend that time and watch everything that sounded vaguely
interesting. To spare you the work of going through everything, I’m collecting
them all here and giving them a short summary and a 1-5 ⭐ rating reflecting how
interesting it was to me. So here goes:</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-11235-36c3_infrastructure_review">36c3 Infrastructure Review</a> ⭐⭐⭐⭐</p>
<p>Like each year, the infrastructure review talks about how congress works and the
people who make it work. I love watching these, I loved being an Angel when
I was there, and I really like learning about the parts of organizing I didn’t
know about. This time it’s a bit rushed unfortunately but it’s still a nice talk</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-oio-160-a-dozen-more-things-you-didn-t-know-nextcloud-could-do">A dozen more things you didn’t know Nextcloud could do</a> ⭐⭐</p>
<p>Good talk on nextcloud. Starts talking about the cloud in general and data
privacy and stuff like that, then presents upcoming and existing features of
nextcloud, many of which I didn’t know were there</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-oio-201-a-home-among-the-stars-galina-balashova-architect-of-the-soviet-space-programme">a home among the stars: Galina Balashova, architect of the soviet space programme</a> ⭐⭐⭐⭐</p>
<p>Great presentation of the Soviet space program interior design and of the
history of the person who designed all of it, Galina Balashova. I was riveted</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10531-all_wireless_communication_stacks_are_equally_broken">All wireless communication stacks are equally broken</a> ⭐⭐</p>
<p>Review of vulnerabilities in various wireless communications stacks. A bit light
imo, and a bit hard to follow, but a good reminder that you shouldn’t trust
these</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations">A systematic evaluation of OpenBSD’s mitigations</a> ⭐⭐⭐⭐</p>
<p>Ah, the infamous OpenBSD talk! Very interesting, honestly, most of the points
are very true and need to be fixed. I found he nitpicked a little bit though,
and he was kinda aggressive and not very sociable (“I haven’t interacted with
the OpenBSD community once”), and then he seems kinda surprised not to have
received a warm welcome. That being said, the talk is very informative and does
contain a lot of very worrying information and valid criticism</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10706-boot2root">Boot2root</a> ⭐⭐⭐⭐</p>
<p>Your bootloader, it’s been a while since you thought about it too much, huh?
Well, it’s a critical component of the security chain of trust, and they’re…
really bad. This talk explores exactly how bad they are.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-134-dc-dc-converters-everything-you-wanted-to-know-about-them">DC/DC Converters: Everything You Wanted To Know About Them</a> ⭐⭐⭐⭐</p>
<p>I approached this thinking “Everything I want to know about DC/DC converters?
uh… I can’t think of a thing…” and left with a better understanding of power
supplies and a now-satisfied curiosity for electronics. Good talk!</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10816-don_t_ruck_us_too_hard_-_owning_ruckus_ap_devices">Don’t Ruck Us Too Hard - Owning Ruckus AP Devices</a> ⭐⭐⭐</p>
<p>Classic junk hacking, still pretty fun to watch and examine</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10564-hacking_with_a_tpm">Hacking (with) a TPM</a> ⭐⭐⭐⭐⭐</p>
<p>Great talk about how TPMs work, how we can actually use them from linux, what we
can do with them… Wanted to learn about TPMs for years, this gave me exactly
what I wanted.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10567-hacking_sony_playstation_blu-ray_drives">Hacking Sony PlayStation Blu-ray Drives</a> ⭐⭐⭐</p>
<p>Interesting subject and great research, pretty old stuff by now though and the
talk itself isn’t that good (mostly reading his slides, stuff like that).</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10832-how_to_break_pdfs">How to Break PDFs</a> ⭐⭐⭐⭐</p>
<p>Fun talk about design problems in the PDF standard that allow for forged
signatures and stuff like that.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-73-infrastructure-of-wikipedia">Infrastructure of Wikipedia</a> ⭐⭐⭐⭐</p>
<p>Had no idea how wikipedia was run infrastructure-wise, this is a comprehensive
explanation of just that. Very surprised by how small their operation is given
the scale of wikipedia.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10694-intel_management_engine_deep_dive">Intel Management Engine deep dive</a> ⭐⭐⭐⭐</p>
<p>Missed all the previous Intel ME talks at congress, so this was a good
refresher. It’s an impressive talk from a technical point of view, and very
informative too</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10796-it_s_not_safe_on_the_streets_especially_for_your_3ds">It’s not safe on the streets… especially for your 3DS!</a> ⭐⭐⭐⭐</p>
<p>Very cool talk on the Streetpass protocol, how it works, and how it’s
exploitable. Definitely makes me wanna experiment with my 3ds again! (oops,
I forgot to play the games 😩)</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone">KTRW: The journey to build a debuggable iPhone</a> ⭐⭐⭐⭐⭐</p>
<p>iOS exploitation is always really cool. iOS kernel exploitation is even cooler.
Using that to make a step-by-step debuggable iPhone, with a demo on-stage?
Amazing. Admitting your exploit has been redundant/outdated since right before
you released it and all that work could have been avoided, with a smile?
Priceless</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-149-look-at-me-intel-me-investigation">Look at ME! - Intel ME Investigation</a> ⭐⭐⭐⭐</p>
<p>Good overview of what you missed in the previous ME talk (and also really helps
in understanding that other talk, you should watch this one first!). No reverse
engineering has been performed in the making of this presentation, of course</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10497-messenger_hacking_remotely_compromising_an_iphone_through_imessage">Messenger Hacking: Remotely Compromising an iPhone through iMessage</a> ⭐⭐⭐⭐</p>
<p>Another iOS exploitation talk, this time 0 interaction, with memory corruption
through what’s essentially text messages? Really cool</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10693-no_body_s_business_but_mine_a_dive_into_menstruation_apps">No Body’s Business But Mine, a dive into Menstruation Apps</a> ⭐⭐⭐⭐</p>
<p>Important research on menstruation apps data sharing (mal)practices. Pretty good
talk too, a bit light on the research but it’s cool that they contacted and got
an answer from the companies in question.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10883-plundervolt_flipping_bits_from_software_without_rowhammer">Plundervolt: Flipping Bits from Software without Rowhammer</a> ⭐⭐⭐⭐⭐</p>
<p>I love hardware attacks and fault injection attacks, this is a hardware attack
using fault injection all from software. It’s great. It’s not very practical,
and the target is pretty small, but it’s really amazing to learn about, and the
presentation is great too</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10884-practical_cache_attacks_from_the_network_and_bad_cat_puns">Practical Cache Attacks from the Network and Bad Cat Puns</a> ⭐⭐⭐⭐</p>
<p>Yay, yet another CPU cache attack! And this one is over the network too, which
is way broader in application than the previous examples! Very good technical
talk.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-oio-143-refactoring-qaul-net-in-rust-internet-independent-mesh-communication-app-">Refactoring qaul.net in Rust (Internet independent mesh communication App)</a> ⭐⭐⭐⭐⭐</p>
<p>I love hearing about alternative communication platforms, and I love the ones
that don’t depend on a centralized or even federated infrastructure (we’re gonna
need them after the end of capitalism when we’re reducing our collective energy
consumption). This is about just that, and it’s fun, and my friend is speaking
too so.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10701-select_code_execution_from_using_sqlite">SELECT code_execution FROM * USING SQLite;</a> ⭐⭐⭐⭐</p>
<p>Is SQLite secure? It’s software so obviously not, but how insecure is it? This
talk goes into how to corrupt memory in SQLite, and that’s pretty good given the
number of things that use it.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10737-sim_card_technology_from_a-z">SIM card technology from A-Z</a> ⭐⭐⭐⭐</p>
<p>Smartcards are cool. SIM Cards are cool! I love learning about stuff like that
where there’s not a lot of (publicly-available) documentation and it’s hard to
experiment by yourself, and this goes into great detail</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-11008-server_infrastructure_for_global_rebellion">Server Infrastructure for Global Rebellion</a> ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐</p>
<p>Probably the most important talk of 36c3 in my opinion. Too many
activist/political groups don’t think nearly enough about infrastructure and
security, and act as if talking openly was fine and no one was spying on them.
Guess what.</p>
<p>There’s also a shortage of politically-invested systems and network admins, and
we need more, we need way more. The distributed architecture of the system
that’s presented here, with the implicit transfer of knowledge that goes with
it, is incredibly good and very effective against getting compromised.</p>
<p>I’ll leave the rest for you to discover in the talk, but definitely watch
it.</p>
<p>Be warned though, the first… maybe 20 minutes? are not about infrastructure,
they’re about global warming. And while this is a very important topic it can
also be very overwhelming (and it definitely is here), so you might want to skip
that if it makes you anxious. Otherwise, be prepared.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-157-storing-energy-in-the-21st-centruy">Storing energy in the 21st century</a> ⭐⭐⭐</p>
<p>Everything you’ve ever wanted to know about batteries. Unfortunately cut a bit
short at the end because of poor time management, but still.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-139-system-transparency">System Transparency</a> ⭐⭐⭐</p>
<p>More TPM stuff, but also an interesting view of what secure systems could be on
the cloud (probably <em>won’t</em> be, but <em>could</em> be).</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-11034-tales_of_old_untethering_ios_11">Tales of old: untethering iOS 11</a> ⭐⭐⭐⭐</p>
<p>iOS talk again, the coolest humble brag talk I’ve ever seen (“yeah so we chained
this exploit with this exploit, then chained this exploit to it, then exploited
this and then this… and now we have code execution! So that was easy, next
up…”), and some comically bad patching by Apple.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10597-tamago_-_bare_metal_go_framework_for_arm_socs">TamaGo - bare metal Go framework for ARM SoCs.</a> ⭐⭐⭐⭐</p>
<p>That’s a very cool project, honestly. I’m all for better firmwares, and this
seems like orders of magnitude better than what’s out there to build these.
Hilarious watching the speaker clarify at every step he doesn’t think Go is
better than rust etc too.</p>
<p>Go /might not/ be the best language for the job, though. A rust equivalent would
be better (do not email me about this thanks)</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-11031-the_kgb_hack_30_years_later">The KGB Hack: 30 Years Later</a> ⭐⭐</p>
<p>Interesting topic, relating to the origins of the CCC and the cold war, but the
talk itself isn’t that well told unfortunately</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10760-the_large_hadron_collider_infrastructure_talk">The Large Hadron Collider Infrastructure Talk</a> ⭐⭐⭐⭐</p>
<p>Lots of infrastructure talks this year, huh? Very cool, I love hearing about
physics stuff when I don’t have to learn anything, and this is exactly that.
They have very, very tight and specific constraints, and it’s amazing how they
managed to build the hardware they needed to meet these constraints</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-11238-the_one_weird_trick_securerom_hates">The One Weird Trick SecureROM Hates</a> ⭐⭐⭐⭐⭐</p>
<p>ANOTHER iOS talk? Lots of iOS talks this year, huh? This one talks about an
unpatchable exploit in the boot ROM of iPhones up to the last model. Boom.
Obviously a great talk</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10703-the_ultimate_acorn_archimedes_talk">The Ultimate Acorn Archimedes talk</a> ⭐⭐⭐⭐</p>
<p>A very British talk about an old RISC computer? I’m here for it.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-107-the-challenges-of-protected-virtualization">The challenges of Protected Virtualization</a> ⭐⭐</p>
<p>This one presents the concept of an Ultravisor, some sort of more privileged
hypervisor that would enable VMs that are protected from the host. I’m not
really convinced honestly but go give it a listen to make up your own mind</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10924-the_sustainability_of_safety_security_and_privacy">The sustainability of safety, security and privacy</a> ⭐⭐⭐</p>
<p>It’s hard to patch things for a long time, and yet we’re going to have to start
because we need to start being <strike>more</strike> sustainable.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-150-the-technical-is-political-tech-s-role-in-oppression-and-what-technicians-can-do-against-it"> The technical is political – tech’s role in oppression and what technicians can do against it</a> ⭐⭐⭐⭐</p>
<p>This one may be a bit obvious, honestly, but it’s still good and important to
see these things said at a hacker forum like congress is, and they aren’t told
too badly, so… yeah?</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10859-trustzone-m_eh_breaking_armv8-m_s_security">TrustZone-M(eh): Breaking ARMv8-M’s security</a> ⭐⭐⭐⭐</p>
<p>Fault injection is fun! Fault injection is cool, and that’s what he’s doing
here with very precisely timed undervoltage (he’s got a cute little device to
help too). Also gives all the context you need, good talk</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10942-uncover_understand_own_-_regaining_control_over_your_amd_cpu">Uncover, Understand, Own - Regaining Control Over Your AMD CPU</a> ⭐⭐⭐⭐</p>
<p>The Intel ME talk, but about the AMD PSP. They reverse-engineered it pretty
well, and explain not only how it works but also how they reimplemented part of
the firmware and a userland proxy too.</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10976-understanding_millions_of_gates">Understanding millions of gates</a> ⭐⭐⭐⭐⭐</p>
<p>Very interesting talk, about reverse engineering integrated circuits from
pictures of the chip surface. Hardware reverse-engineering and amazing-looking
graphs get a thumbs-up from me</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10933-what_the_world_can_learn_from_hongkong">What the World can learn from Hongkong</a> ⭐⭐⭐⭐⭐</p>
<p>I was a bit wary of this one because western liberals love to use revolts in
foreign countries as examples that liberalism is so good. But this talk is
politically well thought-out, and it has a lot of very good protest tactics
suggestions. Good stuff here too</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10565-what_s_left_for_private_messaging">What’s left for private messaging?</a> ⭐</p>
<p>Secure messaging rehash of old debates, the threat modelling is always the same
(the state or a state-like actor is spying on you), not much usability concern,
and no accessible suggestions. Meh</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10630-wifibroadcast">Wifibroadcast</a> ⭐⭐⭐⭐⭐</p>
<p>This guy is maybe the most nonchalant I’ve seen so far, and he gives a talk
that’s so mind-blowing that the tone difference made me feel weird. How the fuck
can wifi do that? What’s the catch? There has to be a catch, right?</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-87-x11-and-wayland-a-tale-of-two-implementations">X11 and Wayland: A tale of two implementations</a> ⭐⭐⭐</p>
<p>A guy implements his window manager on two different backends and lives to tell
the tale</p>
<hr>
<p><a href="https://media.ccc.de/v/36c3-10754-zombieload_attack">ZombieLoad Attack</a> ⭐⭐⭐⭐⭐</p>
<p>Yet Another Cache Leak in Intel CPUs, but this one is very well told! One of
these guys also worked on Plundervolt which is really impressive, stop breaking
Intel CPUs that much!</p>
<hr>
<p>So… Yeah that’s it. Not all talks are covered here, because I didn’t watch all
of them, because they didn’t all look interesting and I don’t have unlimited
time to do that! But you should have enough to keep busy for a few days.</p>
<p>That’s obviously far from the same experience as being at CCC, but I hope it
helps reconnect a little, and I definitely hope I can be there next year!</p>
<hr>
<p><strong>Using traceroute/mtr, or: Diagnosing network problems 101</strong> (Wxcafé, published 2019-12-13; wxcafe.net/posts/using_traceroute-mtr,_or:_diagnosing_network_problems_101/)</p>
<p>I was in a twitter discussion recently about <strong>Traceroute</strong>, and how it was not
necessarily as simple as it seemed, and that it caused a lot of confusion on the
user side and a lot of frustration on the network admin side. So I decided to
write this little guide on how <code>traceroute</code> and <code>mtr</code> work, how to use it, and
how to <s>read the tea leaves</s> interpret the output.</p>
<h3>How it works</h3>
<p><code>traceroute</code> and <code>mtr</code> (and similar tools) all work the same way: they send
packets with a low TTL (Time to Live, the number of hops a packet may be
forwarded before <s>dying</s> being dropped), and rely on the router at
each step of the way to send back an ICMP Time Exceeded message (ICMP type 11,
often called “TTL Expired”) when it drops the packet. <code>traceroute</code>
sends UDP by default, whereas <code>mtr</code> sends ICMP Echo, but the idea is the same: first
you send a packet with a TTL of 1; it expires on the first hop, which tells you
so. Then you send a packet with a TTL of 2, and the second router along the
way tells you it expired. And you do that again and again until you get to the
target, which answers differently from the routers: ICMP Port Unreachable for
a UDP probe (the destination port is picked to be one nothing listens on), an
Echo Reply for an ICMP probe, or a SYN/ACK or RST for a TCP SYN probe. That
different answer is how the tool knows it has arrived and can stop.</p>
<p>The layer 4 protocol you use doesn’t matter much for the intermediate hops,
because the TTL is a field of the IP header, not of the transport protocol, so
a router expires a UDP, ICMP or TCP probe the same way. It matters a lot for
what gets through: firewalls and ACLs filter by protocol and port, so you can
switch protocols to debug different problems, whether it is reachability in
general or on a specific TCP port, or something else. A trace that completes
with ICMP but dies with TCP SYN to port 443 tells you the host is reachable and
something on the way is dropping that port.</p>
<p><code>traceroute</code> only has a ‘report mode’: it prints to the terminal as it goes,
sends three probes per hop, and that’s it. <code>mtr</code>, on the other hand, uses
a curses interface by default and keeps probing until you tell it to stop,
gathering statistics along the way. It can also produce a one-shot report like
<code>traceroute</code>, and even in report mode it sends several probes per hop.</p>
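<p>To make the probe/reply matching concrete, here is an added example (not code from
the original post) that models the receive side of a UDP traceroute: each probe
carries a unique destination port, a router’s ICMP Time Exceeded quotes the
original IP and UDP headers, and the parser uses that quoted port to work out which
probe (and therefore which TTL) the reply belongs to, while a Port Unreachable from
the target ends the trace. It assumes Linux traceroute’s default first port, 33434;
the addresses are made up, and all packets are built in memory so nothing is sent
and no raw socket is needed.</p>

```python
"""Added example: the receive side of a UDP traceroute, modelled in memory.

Every probe gets a unique destination port (BASE_PORT + probe number), so the
ICMP Time Exceeded a router sends back, which quotes the original IP header plus
the first 8 bytes of the datagram (the UDP header), identifies the probe and
hence the TTL that expired. The destination replies with Port Unreachable instead,
which is how the tool knows the trace is complete. Addresses are made up.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
BASE_PORT = 33434          # Linux traceroute's default first UDP port
PROTO_ICMP, PROTO_UDP = 1, 17


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header. Checksum stays 0: nothing is put on the wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_probe(src, dst, ttl, probe_index):
    """The datagram traceroute sends as probe number `probe_index`:
    unique destination port, small payload, and the TTL under test."""
    payload = b"\x00" * 32
    udp = struct.pack("!HHHH", 40000, BASE_PORT + probe_index, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, ttl, len(udp)) + udp


def icmp_error(sender, src, icmp_type, code, original):
    """What a router (or the target) sends back: an ICMP error quoting the
    original IP header plus 8 bytes of payload (RFC 792), i.e. our UDP header."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return ipv4_header(sender, src, PROTO_ICMP, 64, len(icmp)) + icmp


def parse_reply(packet):
    """Decode a received packet the way traceroute does. Returns
    (kind, replying_address, probe_index): 'hop' for Time Exceeded, 'target'
    for Port Unreachable, None for anything that is not a reply to our probes."""
    ihl = (packet[0] & 0x0F) * 4
    replier = str(ipaddress.IPv4Address(packet[12:16]))
    if packet[9] != PROTO_ICMP:
        return None, replier, None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    inner = packet[ihl + 8:]                       # the quoted original packet
    if len(inner) < 28 or inner[9] != PROTO_UDP:   # need IP + UDP header, and UDP
        return None, replier, None
    inner_ihl = (inner[0] & 0x0F) * 4
    (dport,) = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])
    probe_index = dport - BASE_PORT
    if probe_index < 0:
        return None, replier, None                 # someone else's traffic
    if icmp_type == ICMP_TIME_EXCEEDED and code == 0:
        return "hop", replier, probe_index
    if icmp_type == ICMP_DEST_UNREACH and code == 3:
        return "target", replier, probe_index
    return None, replier, None


def trace(path, dst="62.210.115.205", src="10.0.42.2", dst_answers=True, max_hops=30):
    """Simulate one probe per TTL. `path` lists the routers in order; a None
    entry is a router that silently drops the expired probe (shown as '*').
    With dst_answers=False the target, or a firewall in front of it, eats the
    probe, so the trace runs all the way to max_hops as in the post's example."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe_index = ttl - 1
        probe = udp_probe(src, dst, ttl, probe_index)
        if ttl <= len(path):
            router = path[ttl - 1]
            reply = None if router is None else icmp_error(router, src, ICMP_TIME_EXCEEDED, 0, probe)
        else:
            reply = icmp_error(dst, src, ICMP_DEST_UNREACH, 3, probe) if dst_answers else None
        if reply is None:
            hops.append((ttl, "*"))
            continue
        kind, who, idx = parse_reply(reply)
        assert idx == probe_index                  # matched by port, not by arrival order
        hops.append((ttl, who))
        if kind == "target":
            break
    return hops


if __name__ == "__main__":
    for ttl, who in trace(["10.0.42.1", None, "100.41.130.50"]):
        print(ttl, who)
```

<p>The port-per-probe trick is also why traceroute’s default probes can take different
paths through a load-balanced network (each probe is a new flow), which is what the
<code>-U</code> flag below is for.</p>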
<h3>How to use it</h3>
<p><code>traceroute</code> and <code>mtr</code> are pretty simple to use, you point them to your
destination and shoot. Here are a few common and useful flags:</p>
<h4><code>traceroute</code>:</h4>
<ul>
<li><code>-4</code>/<code>-6</code>: use IPv4/IPv6 (if the name resolves to both, it will use <strong>v4</strong>)</li>
<li><code>-I</code>: use ICMP Echo instead of UDP packets</li>
<li><code>-T</code>: use TCP SYN instead of UDP packets</li>
<li><code>-U</code>: use UDP but keep the destination port constant (default 53). By default
the port is incremented with each probe, starting at 33434, so that each reply
can be matched to its probe</li>
<li><code>-n</code>: do not use reverse DNS to get hostnames in the results. Useful if your
DNS is broken or slow.</li>
<li><code>-p <port></code>: destination port for TCP or UDP with <code>-U</code>; for plain
UDP it is the port the increment starts from</li>
<li><code>-A</code>: look up and show the AS number of each hop</li>
<li><code>-N</code>: number of probes in flight simultaneously (default is 16. Too
few is slow, too many may get rate-limited or dropped)</li>
</ul>
<h4><code>mtr</code></h4>
<ul>
<li><code>-4</code>/<code>-6</code>: use IPv4/IPv6 (when the target has both, it will use <strong>v6</strong> by default, as the first report below shows)</li>
<li><code>-r</code>/<code>-w</code>: generate a report instead of going into the interactive interface
(<code>-w</code> is for the “wide” mode, which doesn’t cut hostnames)</li>
<li><code>-j</code>/<code>-x</code>/<code>-C</code>: output json/xml/csv, respectively</li>
<li><code>-n</code>: do not use reverse DNS to get hostnames in the results.</li>
<li><code>-z</code>: lookup and show AS number of each hop</li>
<li><code>-c</code>: number of cycles to run for</li>
<li><code>-s <size></code>: specify packet size</li>
<li><code>-u</code>: use UDP instead of ICMP packets</li>
<li><code>-T</code>: use TCP instead of ICMP packets</li>
<li><code>-P <port></code>: destination port for UDP and TCP</li>
</ul>
<p><code>mtr</code> also has an interactive mode (in fact, it’s the default). A few useful
shortcuts for that mode:</p>
<ul>
<li><code>p</code> will pause display updates, <code><SPACE></code> will unpause</li>
<li><code>d</code> will switch display mode between statistics and two per-packet displays</li>
<li><code>n</code> will toggle reverse DNS resolution on/off</li>
<li><code>r</code> will reset the display, dropping all history and starting from scratch</li>
<li><code>y</code> will toggle IP info and cycle between AS number lookup, IP address
display, country, RIR, and date of registration of the network.</li>
<li><code>q</code> will quit (useful to know 😁)</li>
</ul>
<h3>How to interpret the output (the most important part)</h3>
<p>So, now that we know all of that… how do we read the output?</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>> traceroute wxcafe.net
traceroute to wxcafe.net <span style="color: #f92672">(</span><span style="color: #ae81ff">62</span>.210.115.205<span style="color: #f92672">)</span>, <span style="color: #ae81ff">30</span> hops max, <span style="color: #ae81ff">60</span> byte packets
<span style="color: #ae81ff">1</span> bowser.wx <span style="color: #f92672">(</span><span style="color: #ae81ff">10</span>.0.42.1<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.224 ms <span style="color: #ae81ff">0</span>.272 ms <span style="color: #ae81ff">0</span>.324 ms
<span style="color: #ae81ff">2</span> * * *
<span style="color: #ae81ff">3</span> B3447.NYCMNY-LCR-22.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.50<span style="color: #f92672">)</span> <span style="color: #ae81ff">5</span>.967 ms B3447.NYCMNY-LCR-21.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.48<span style="color: #f92672">)</span> <span style="color: #ae81ff">2</span>.234 ms B3447.NYCMNY-LCR-22.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.50<span style="color: #f92672">)</span> <span style="color: #ae81ff">5</span>.959 ms
<span style="color: #ae81ff">4</span> * * *
<span style="color: #ae81ff">5</span> <span style="color: #ae81ff">0</span>.ae3.BR2.NYC4.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.1.59<span style="color: #f92672">)</span> <span style="color: #ae81ff">4</span>.696 ms <span style="color: #ae81ff">4</span>.692 ms <span style="color: #ae81ff">0</span>.ae2.BR2.NYC4.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.229.93<span style="color: #f92672">)</span> <span style="color: #ae81ff">4</span>.618 ms
<span style="color: #ae81ff">6</span> verizon.com.customer.alter.net <span style="color: #f92672">(</span><span style="color: #ae81ff">152</span>.179.78.154<span style="color: #f92672">)</span> <span style="color: #ae81ff">4</span>.245 ms <span style="color: #ae81ff">3</span>.719 ms <span style="color: #ae81ff">3</span>.251 ms
<span style="color: #ae81ff">7</span> ae-2-3211.edge7.Paris1.Level3.net <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span>.69.133.238<span style="color: #f92672">)</span> <span style="color: #ae81ff">112</span>.460 ms <span style="color: #ae81ff">111</span>.249 ms <span style="color: #ae81ff">109</span>.206 ms
<span style="color: #ae81ff">8</span> <span style="color: #ae81ff">212</span>.3.235.202 <span style="color: #f92672">(</span><span style="color: #ae81ff">212</span>.3.235.202<span style="color: #f92672">)</span> <span style="color: #ae81ff">87</span>.401 ms <span style="color: #ae81ff">87</span>.113 ms <span style="color: #ae81ff">86</span>.841 ms
<span style="color: #ae81ff">9</span> 49e-s202b-1-dc2-a9k1.dc2.poneytelecom.eu <span style="color: #f92672">(</span><span style="color: #ae81ff">195</span>.154.1.29<span style="color: #f92672">)</span> <span style="color: #ae81ff">86</span>.806 ms <span style="color: #ae81ff">86</span>.919 ms <span style="color: #ae81ff">87</span>.126 ms
<span style="color: #ae81ff">10</span> <span style="color: #ae81ff">51</span>.158.8.83 <span style="color: #f92672">(</span><span style="color: #ae81ff">51</span>.158.8.83<span style="color: #f92672">)</span> <span style="color: #ae81ff">87</span>.125 ms <span style="color: #ae81ff">86</span>.566 ms <span style="color: #ae81ff">88</span>.011 ms
<span style="color: #ae81ff">11</span> wxcafe.net <span style="color: #f92672">(</span><span style="color: #ae81ff">62</span>.210.115.205<span style="color: #f92672">)</span> <span style="color: #ae81ff">87</span>.847 ms <span style="color: #ae81ff">87</span>.766 ms <span style="color: #ae81ff">87</span>.778 ms
</pre></div>
<p>Here’s an example of a traceroute from my laptop to <code>wxcafe.net</code>. Just at a
glance, we can see a few things: I’m on Verizon’s network. The first hop is my
own router (it has a private, RFC 1918 IPv4 address). The next hop does not send
us ICMP Time Exceeded messages, for whatever reason. After that, we got three
answers but from two different routers: Verizon does load balancing, and since
traceroute changes the UDP destination port for every probe, each probe is a
different flow and the routers’ ECMP hashing can send it down a different
path (<code>-U</code> keeps the port fixed if you want a single path). Then once
again a hop that doesn’t answer, then two answers from Verizon’s core (this
NSFNET-era block is now Verizon’s…), then Verizon’s core again, and suddenly we
went over the Atlantic and we’re on Level3’s Paris1 router! Then another Level3
IP that doesn’t have a reverse DNS entry, and we enter Online.net’s network
(poneytelecom is their network’s name). Finally we see the server’s gateway, and
the server itself.</p>
<p>The numbers after the host part are round-trip times (there are three
because traceroute sends three probes per hop by default), so we can spot
very clearly the moment we went from the US over to France even without looking
at the router names: when it goes from about 4 ms to 112 ms, it’s because the
packet took a trip through a submarine cable. We can also see that some later
hops have lower RTTs than some earlier ones (hop 5 has a lower RTT than hop 3,
and hops 8, 9, 10 and 11 all have lower RTTs than hop 7). This is because
traceroute measures each hop independently: the replies from hop 8 have nothing
to do with the replies from hop 7. Forwarding a packet happens in hardware on
the router’s data plane, while generating an ICMP Time Exceeded message is done
by the router’s CPU, which is slower and usually rate-limited. So the replies
from hop 7 didn’t necessarily take longer to travel back to us, they just took
longer to be generated (though they <strong>can</strong> take longer to travel back:
the path from our machine to the target is not necessarily the same path the
replies take from some hop along the way back to our machine). The practical
rule: the RTT of an intermediate hop tells you about that router’s willingness
to answer; the RTT of the final hop tells you about the path.</p>
<p>Now, let’s see another one:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>> sudo traceroute -T -p <span style="color: #ae81ff">22</span> imaginair.es
traceroute to imaginair.es <span style="color: #f92672">(</span><span style="color: #ae81ff">188</span>.40.106.245<span style="color: #f92672">)</span>, <span style="color: #ae81ff">30</span> hops max, <span style="color: #ae81ff">60</span> byte packets
<span style="color: #ae81ff">1</span> bowser.wx <span style="color: #f92672">(</span><span style="color: #ae81ff">10</span>.0.42.1<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.169 ms <span style="color: #ae81ff">0</span>.165 ms <span style="color: #ae81ff">0</span>.206 ms
<span style="color: #ae81ff">2</span> * * *
<span style="color: #ae81ff">3</span> B3447.NYCMNY-LCR-21.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.48<span style="color: #f92672">)</span> <span style="color: #ae81ff">5</span>.816 ms <span style="color: #ae81ff">5</span>.821 ms <span style="color: #ae81ff">5</span>.868 ms
<span style="color: #ae81ff">4</span> * * *
<span style="color: #ae81ff">5</span> <span style="color: #ae81ff">0</span>.ae6.BR1.NYC1.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.228.131<span style="color: #f92672">)</span> <span style="color: #ae81ff">3</span>.578 ms <span style="color: #ae81ff">0</span>.ae5.BR1.NYC1.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.228.107<span style="color: #f92672">)</span> <span style="color: #ae81ff">3</span>.513 ms <span style="color: #ae81ff">0</span>.ae6.BR1.NYC1.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.228.131<span style="color: #f92672">)</span> <span style="color: #ae81ff">3</span>.572 ms
<span style="color: #ae81ff">6</span> ae13.cr0-nyc2.ip4.gtt.net <span style="color: #f92672">(</span><span style="color: #ae81ff">173</span>.205.47.145<span style="color: #f92672">)</span> <span style="color: #ae81ff">2</span>.903 ms <span style="color: #ae81ff">3</span>.714 ms <span style="color: #ae81ff">3</span>.695 ms
<span style="color: #ae81ff">7</span> et-0-0-49.cr11-fra2.ip4.gtt.net <span style="color: #f92672">(</span><span style="color: #ae81ff">89</span>.149.180.226<span style="color: #f92672">)</span> <span style="color: #ae81ff">85</span>.106 ms <span style="color: #ae81ff">84</span>.522 ms <span style="color: #ae81ff">83</span>.907 ms
<span style="color: #ae81ff">8</span> <span style="color: #ae81ff">46</span>.33.77.6 <span style="color: #f92672">(</span><span style="color: #ae81ff">46</span>.33.77.6<span style="color: #f92672">)</span> <span style="color: #ae81ff">88</span>.457 ms <span style="color: #ae81ff">88</span>.430 ms <span style="color: #ae81ff">89</span>.192 ms
<span style="color: #ae81ff">9</span> core21.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.217<span style="color: #f92672">)</span> <span style="color: #ae81ff">98</span>.676 ms <span style="color: #ae81ff">99</span>.107 ms <span style="color: #ae81ff">99</span>.088 ms
<span style="color: #ae81ff">10</span> ex9k1.dc13.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.238<span style="color: #f92672">)</span> <span style="color: #ae81ff">99</span>.047 ms <span style="color: #ae81ff">97</span>.777 ms ex9k1.dc13.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.242<span style="color: #f92672">)</span> <span style="color: #ae81ff">97</span>.651 ms
<span style="color: #ae81ff">11</span> * * *
<span style="color: #ae81ff">12</span> * * *
<span style="color: #ae81ff">13</span> * * *
<span style="color: #ae81ff">14</span> * * *
<span style="color: #ae81ff">15</span> * * *
<span style="color: #ae81ff">16</span> * * *
<span style="color: #ae81ff">17</span> * * *
<span style="color: #ae81ff">18</span> * * *
<span style="color: #ae81ff">19</span> * * *
<span style="color: #ae81ff">20</span> * * *
<span style="color: #ae81ff">21</span> * * *
<span style="color: #ae81ff">22</span> * * *
<span style="color: #ae81ff">23</span> * * *
<span style="color: #ae81ff">24</span> * * *
<span style="color: #ae81ff">25</span> * * *
<span style="color: #ae81ff">26</span> * * *
<span style="color: #ae81ff">27</span> * * *
<span style="color: #ae81ff">28</span> * * *
<span style="color: #ae81ff">29</span> * * *
<span style="color: #ae81ff">30</span> * * *
</pre></div>
<p>Here, we can see that it starts the same way as before, except it goes through
Frankfurt, Germany instead of Paris, but then it stops inside Hetzner’s
network… why? Most likely because a firewall, on the target (imaginair.es) or
in front of it, filters TCP port 22: the SYN is dropped silently, so no host
answers it and there is no ICMP Time Exceeded, no SYN/ACK and no RST for
traceroute to receive. Since it has no way of knowing the packet is gone, it
keeps going up to its maximum TTL (30 by default) and then gives up. Note that
the trace alone can’t tell you whether the drop happens at Hetzner’s edge or on
the host itself; comparing with a trace to the same host on a port that works,
or with the default UDP probes, is how you narrow that down.</p>
<p>Alright, let’s move to <code>mtr</code>…</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>> mtr -w -T -P <span style="color: #ae81ff">5050</span> wxcafe.net
Start: <span style="color: #ae81ff">2019</span>-12-13T18:54:21-0500
HOST: cwh Loss% Snt Last Avg Best Wrst StDev
<span style="color: #ae81ff">1</span>.<span style="color: #f8f8f2">|</span>-- bowser.wx <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.5 <span style="color: #ae81ff">0</span>.4 <span style="color: #ae81ff">0</span>.3 <span style="color: #ae81ff">0</span>.6 <span style="color: #ae81ff">0</span>.1
<span style="color: #ae81ff">2</span>.<span style="color: #f8f8f2">|</span>-- tunnel536764.tunnel.tserv4.nyc4.ipv6.he.net <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">5</span>.0 <span style="color: #ae81ff">5</span>.3 <span style="color: #ae81ff">4</span>.3 <span style="color: #ae81ff">6</span>.1 <span style="color: #ae81ff">0</span>.6
<span style="color: #ae81ff">3</span>.<span style="color: #f8f8f2">|</span>-- ve422.core1.nyc4.he.net <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">2</span>.8 <span style="color: #ae81ff">3</span>.2 <span style="color: #ae81ff">2</span>.6 <span style="color: #ae81ff">4</span>.1 <span style="color: #ae81ff">0</span>.5
<span style="color: #ae81ff">4</span>.<span style="color: #f8f8f2">|</span>-- 100ge4-1.core1.par2.he.net <span style="color: #ae81ff">50</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">89</span>.8 <span style="color: #ae81ff">88</span>.0 <span style="color: #ae81ff">73</span>.8 <span style="color: #ae81ff">97</span>.3 <span style="color: #ae81ff">9</span>.0
<span style="color: #ae81ff">5</span>.<span style="color: #f8f8f2">|</span>-- ??? <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0
<span style="color: #ae81ff">6</span>.<span style="color: #f8f8f2">|</span>-- <span style="color: #ae81ff">2001</span>:bc8:400:1::8e <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">75</span>.1 <span style="color: #ae81ff">75</span>.0 <span style="color: #ae81ff">74</span>.4 <span style="color: #ae81ff">75</span>.8 <span style="color: #ae81ff">0</span>.4
<span style="color: #ae81ff">7</span>.<span style="color: #f8f8f2">|</span>-- <span style="color: #ae81ff">2001</span>:bc8:400:100::7f <span style="color: #ae81ff">20</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">74</span>.6 <span style="color: #ae81ff">126</span>.5 <span style="color: #ae81ff">74</span>.4 <span style="color: #ae81ff">591</span>.5 <span style="color: #ae81ff">163</span>.4
<span style="color: #ae81ff">8</span>.<span style="color: #f8f8f2">|</span>-- wxcafe.net <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">74</span>.3 <span style="color: #ae81ff">78</span>.3 <span style="color: #ae81ff">73</span>.8 <span style="color: #ae81ff">113</span>.9 <span style="color: #ae81ff">12</span>.5
</pre></div>
<p>Here I try to <code>mtr</code> from my machine to <code>wxcafe.net</code>, over TCP port 5050. At
first glance we can see that I use Hurricane Electric’s tunnel service to get
IPv6 (because Verizon won’t provide v6 yet… Come on, it’s 2019…), and that
this time most of the way goes through HE’s network (up to Paris). This is
probably because they peer directly with Online.net/Iliad in Paris, and don’t
want to pay for the traffic by sending it to one of their transits when they can
carry it to the peering point themselves.</p>
<p>We can also see that there’s a lot more info visible, and that the layout looks
a lot better! Here the fields are, in order: hostname, loss percentage, number
of probes sent, RTT of the last probe, average RTT, best RTT, worst RTT, and
standard deviation of the RTTs.</p>
<p>The Snt column shows 10 probes per hop, which is the report mode default
(<code>-c</code> changes it), so the Last/Average/Best/Worst/Standard Deviation
fields are a lot more useful than the three raw RTTs we got from
<code>traceroute</code>: Best is the least noisy answer to “how far away is this
hop”, and a large gap between Best and Worst, or a big standard deviation, is
what jitter looks like.</p>
<p>We also notice that in the Loss% column, besides the host that didn’t answer our
probes at all, there are two hops that show 50% and 20% loss respectively. Now, we
could jump to the conclusion that these hops are dropping our packets, and that
something’s wrong with them! But on closer inspection, later hops don’t
show that loss, and the destination itself shows 0%… That’s weird.</p>
<p>The reason is simple: routers have better things to do with their time than
answer any rando’s packet that has an expired TTL. Generating ICMP Time Exceeded
messages is a low-priority job for the router’s CPU, and it is usually
rate-limited on top, so under load some probes simply get no reply. Forwarding
is unaffected: the probes for the later hops went through that same router
without a problem. So the rule is: loss at an intermediate hop is only real if it
persists on every hop after it, all the way to the destination. Loss that
appears at one hop and disappears at the next is that hop declining to answer,
not a path problem. Misreading it as one is a very common error, and a very
common source of pointless tickets.</p>
<p>Let’s look at a last one:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>> mtr -4 -wbz -T -P <span style="color: #ae81ff">22</span> imaginair.es
Start: <span style="color: #ae81ff">2019</span>-12-13T19:44:34-0500
HOST: cwh Loss% Snt Last Avg Best Wrst StDev
<span style="color: #ae81ff">1</span>. AS??? bowser.wx <span style="color: #f92672">(</span><span style="color: #ae81ff">10</span>.0.42.1<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.6 <span style="color: #ae81ff">0</span>.5 <span style="color: #ae81ff">0</span>.3 <span style="color: #ae81ff">0</span>.7 <span style="color: #ae81ff">0</span>.1
<span style="color: #ae81ff">2</span>. AS??? ??? <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0
<span style="color: #ae81ff">3</span>. AS701 B3447.NYCMNY-LCR-22.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.50<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">5</span>.6 <span style="color: #ae81ff">6</span>.6 <span style="color: #ae81ff">4</span>.4 <span style="color: #ae81ff">8</span>.9 <span style="color: #ae81ff">1</span>.4
AS701 B3447.NYCMNY-LCR-21.verizon-gni.net <span style="color: #f92672">(</span><span style="color: #ae81ff">100</span>.41.130.48<span style="color: #f92672">)</span>
<span style="color: #ae81ff">4</span>. AS??? ??? <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0
<span style="color: #ae81ff">5</span>. AS??? <span style="color: #ae81ff">0</span>.ae5.BR1.NYC1.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.228.107<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">63</span>.9 <span style="color: #ae81ff">9</span>.7 <span style="color: #ae81ff">3</span>.1 <span style="color: #ae81ff">63</span>.9 <span style="color: #ae81ff">19</span>.1
AS??? <span style="color: #ae81ff">0</span>.ae6.BR1.NYC1.ALTER.NET <span style="color: #f92672">(</span><span style="color: #ae81ff">140</span>.222.228.131<span style="color: #f92672">)</span>
<span style="color: #ae81ff">6</span>. AS3257 4436ae13.cr0-nyc2.ip4.gtt.net <span style="color: #f92672">(</span><span style="color: #ae81ff">173</span>.205.47.145<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">3</span>.8 <span style="color: #ae81ff">4</span>.2 <span style="color: #ae81ff">2</span>.5 <span style="color: #ae81ff">6</span>.9 <span style="color: #ae81ff">1</span>.3
<span style="color: #ae81ff">7</span>. AS3257 4436et-0-0-49.cr11-fra2.ip4.gtt.net <span style="color: #f92672">(</span><span style="color: #ae81ff">89</span>.149.180.226<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">84</span>.0 <span style="color: #ae81ff">85</span>.8 <span style="color: #ae81ff">83</span>.7 <span style="color: #ae81ff">94</span>.8 <span style="color: #ae81ff">3</span>.4
<span style="color: #ae81ff">8</span>. AS3257 <span style="color: #ae81ff">443646</span>.33.77.6 <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">89</span>.0 <span style="color: #ae81ff">100</span>.1 <span style="color: #ae81ff">89</span>.0 <span style="color: #ae81ff">162</span>.4 <span style="color: #ae81ff">22</span>.6
<span style="color: #ae81ff">9</span>. AS24940 core21.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.217<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">98</span>.8 <span style="color: #ae81ff">100</span>.4 <span style="color: #ae81ff">98</span>.1 <span style="color: #ae81ff">115</span>.4 <span style="color: #ae81ff">5</span>.3
AS24940 core22.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.178<span style="color: #f92672">)</span>
<span style="color: #ae81ff">10</span>. AS24940 ex9k1.dc13.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.242<span style="color: #f92672">)</span> <span style="color: #ae81ff">0</span>.0% <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">98</span>.8 <span style="color: #ae81ff">97</span>.7 <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">0</span>.7
AS24940 ex9k1.dc13.fsn1.hetzner.com <span style="color: #f92672">(</span><span style="color: #ae81ff">213</span>.239.245.238<span style="color: #f92672">)</span>
<span style="color: #ae81ff">11</span>. AS??? ??? <span style="color: #ae81ff">100</span>.0 <span style="color: #ae81ff">10</span> <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0 <span style="color: #ae81ff">0</span>.0
</pre></div>
<p>Here again we chose a target that won’t answer, <code>imaginair.es</code> on TCP port 22.
In this case, though, there is no long trail of <code>* * *</code>: mtr stops listing
hops one past the last one that answered, and simply shows <code>AS??? ??? 100.0</code>,
100% loss. A final hop that is unknown with 100% loss, after a run of hops that
answer fine, means the probes are being dropped beyond hop 10 and the target
itself never replies. That is different from a <code>???</code> in the middle of the
path (hops 2 and 4 here), which is just a router that doesn’t send ICMP and is
harmless as long as the hops after it answer.</p>
<p>We can also see multiple addresses for some hops; once again these are due to
load-balancing. Some of the ASN lookups failed (<code>AS???</code>), and that happens
sometimes: a private address like hop 1 has no ASN at all, and other lookups
simply time out.</p>
<p>There was also a display glitch on hops 6, 7 and 8, where <code>4436</code> got glued to
the hostname. Most likely the AS lookup returned two results for those prefixes
and mtr printed both, breaking the layout; the right address for hop 8 is
<code>46.33.77.6</code>.</p>
<hr>
<p>Anyway, if you want to report a network problem to an engineer… generally,
you’re better off running <code>mtr -wbz <target></code> (wide report, hostnames
and IPs, AS numbers) and letting the person on the other end figure it out.
If you can, also run it from the other end back to you, since the return path
can differ. And don’t open a report if you’re not sure it’s a network error:
a hop that doesn’t answer, or loss that vanishes at the next hop, isn’t one.</p>
<hr>
<h2>My Keyboard.io</h2>
<p><em>Wxcafe, 2019-07-19</em></p>
<p>Over a year ago now I bought <a href="https://shop.keyboard.io">a keyboard</a>, and
I wanted to write about it then, but I figured I’d wait until I could type on it
correctly and actually tell if it was a good keyboard.</p>
<p>Turns out, it took me about three weeks to learn how to type correctly, and it’s
a really, really good keyboard… but I forgot about writing this 🤦 So here we
go.</p>
<p>So. The keyboardio is a split, ergonomic, very expensive keyboard. It’s shipped
with two “tent stands” that are basically tilted octopi that you can put the
keyboard halves on to give them a tilt, two “center bars”, one flat and one
tilted, that allow you to attach the two keyboard halves together, a USB-A to
USB-C cable, and two RJ45 cables, one very short and one longer, that are used
to connect both halves of the keyboard… and of course both halves of the
keyboard itself.</p>
<p>Personally I use both tented stands and the tilted center bar now, and basically
use the keyboard like a normal single-body keyboard, except each half is tilted,
but you can use it in any way you want. Each half has a camera screw mount on
the bottom so you can even use it on tripods or camera arms I guess.</p>
<p>The layout is pretty different from what “standard” keyboards present. There are
basically three groups of keys: the <code>fn</code> keys, that you use with your palms, the
‘modifier’ keys (<code>[ctrl]</code>, <code>[backspace]</code>, <code>[command/super]</code>, <code>[shift]</code>; and
<code>[shift]</code>, <code>[alt]</code>, <code>[space]</code>, <code>[ctrl]</code>), that you use with your thumbs, and
finally the “character” keys that you use with the other four fingers (these also
include <code>[AltGR]</code>, <code>[Enter]</code>, <code>[PgUp]</code> and <code>[PgDn]</code>, a <code>[num]</code> key that switches
to numpad mode, a <code>[Prog]</code> key that starts playing prog rock (uh, allows you to
flash the firmware, more on that later), <code>[esc]</code>, <code>[tab]</code>, a <code>[led]</code> key that
switches the LED lighting mode, and finally the <code>[any]</code> key, which… outputs
a random alphanumeric character). As I said previously though, it’s not too
hard to get used to, and it’s actively more efficient once you’re used to it
(also it reduced my wrist pains from “hurts a bit after a day of work” to
“nonexistent even after 14 hours straight of typing”). The keys are shaped
differently too, in that they follow the shape of fingers resting naturally on the
keyboard.</p>
<p>So, yeah, this is a nice, comfortable, and
weirdly-but-actually-pretty-well-laid-out keyboard. But there’s a few more
things that make it worth the (admittedly very high) price:</p>
<ul>
<li>First, the body is entirely made of wood, the keys are high-quality, and the
whole thing is hand-assembled. It’s generally very well put together, and it
looks really good and will last for a while.</li>
<li>Second, and most important: the firmware is open-source and entirely
rewritable. The keyboard is basically an Arduino, and you can do anything you
want with it.</li>
</ul>
<p>Let’s talk about the build quality. Actually, let me show you a few pictures of
the build, outside and (more interestingly) inside!</p>
<table>
<thead>
<tr>
<th align="center"><img alt="The rainbow colors are good..." src="https://pub.wxcafe.net/img/keyboardio_dual_face_dark.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>The rainbow colors are good…</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="Look at that small rj45 cable! It's so cute!" src="https://pub.wxcafe.net/img/keyboardio_dual_back.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>Look at that small rj45 cable! It’s so cute!</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="Without the wooden enclosure..." src="https://pub.wxcafe.net/img/keyboardio_dual_open_front.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>Without the wooden enclosure…</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="The back of the PCBs have cute little messages! Thanks!" src="https://pub.wxcafe.net/img/keyboardio_dual_pcb_back.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>The back of the PCBs have cute little messages! Thanks!</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="The "octopi" that allow one to adjust the keyboard tilt" src="https://pub.wxcafe.net/img/keyboardio_dual_octopi.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>The “octopi” that allow one to adjust the keyboard tilt</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="The wooden enclosures" src="https://pub.wxcafe.net/img/keyboardio_dual_wood.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>The wooden enclosures</em></td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th align="center"><img alt="Finally, the right half just opened up" src="https://pub.wxcafe.net/img/keyboardio_right_open_dual.jpg"></th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>Finally, the right half just opened up</em></td>
</tr>
</tbody>
</table>
<p>Now, I said the firmware was open-source. And it is: it’s named
<a href="https://github.com/keyboardio/Kaleidoscope">Kaleidoscope</a>. The repo you
probably want is actually <a href="https://github.com/keyboardio/Model01-Firmware">this
one</a>, though: the Model 01 sketch built on top of it. It’s really easy
to configure through the <code>Model01-Firmware.ino</code> file. This lets you remap
all the “useless” keys in the default layout, define new functions for those
keys, create “layers” (basically alternate layouts that you switch to and from
through a shortcut), import plugins (libraries, basically), change the LED
patterns, use the expansion pins if you want… You can do anything; it’s just
an Arduino with a lot of inputs, basically!! It’s great. My configuration is
available <a href="https://git.wxcafe.net/snippets/21">here</a> and is generally pretty
simple to read. The only thing that might be surprising is the third keymap,
<code>[2] = KEYMAP_STACKED ()</code>. This is a keymap for steno, provided by
<a href="https://github.com/keyboardio/Kaleidoscope/blob/master/src/Kaleidoscope-Steno.h">GeminiPR</a>,
a Kaleidoscope plugin implementing the Gemini PR stenotype protocol, which is enabled by
<code>KALEIDOSCOPE_INIT_PLUGINS(GeminiPR, [...]);</code></p>
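<p>As an added illustration of what such a sketch looks like (this is example code, not the author’s configuration and not the stock Model01-Firmware sketch), here is a minimal two-layer Kaleidoscope sketch: a QWERTY layer whose palm keys lock a steno layer, and the steno layer itself wired to the GeminiPR plugin. The author’s config uses layer <code>[2]</code> for steno; here it is layer 1 because there is no function layer in between. The key and macro names (<code>Key_*</code>, <code>S(...)</code>, <code>LockLayer</code>, <code>XXX</code>, <code>___</code>) are taken from the Kaleidoscope and Kaleidoscope-Steno documentation and should be treated as assumptions to check against the version you actually build with.</p>

```arduino
// Added example sketch for the Keyboardio Model 01 (not the author's
// configuration, not the stock Model01-Firmware sketch). Assumes the
// Kaleidoscope core and the Kaleidoscope-Steno (GeminiPR) plugin are
// installed; key and macro names follow their documentation and should
// be checked against the version you actually build with.
#include "Kaleidoscope.h"
#include "Kaleidoscope-Steno.h"

// Layer numbers. Layer 0 is always active; higher layers stack on top.
enum { PRIMARY, STENO };

// KEYMAP_STACKED lists the left half (4 rows, 4 thumb keys, palm key),
// then the right half in the same order. ___ means "transparent" (fall
// through to the layer below); XXX means "no key".
KEYMAPS(
  [PRIMARY] = KEYMAP_STACKED
  (XXX,          Key_1, Key_2, Key_3, Key_4, Key_5, Key_LEDEffectNext,
   Key_Backtick, Key_Q, Key_W, Key_E, Key_R, Key_T, Key_Tab,
   Key_PageUp,   Key_A, Key_S, Key_D, Key_F, Key_G,
   Key_PageDown, Key_Z, Key_X, Key_C, Key_V, Key_B, Key_Escape,
   Key_LeftControl, Key_Backspace, Key_LeftGui, Key_LeftShift,
   LockLayer(STENO),            // left palm key: toggle the steno layer

   XXX,           Key_6, Key_7, Key_8,     Key_9,      Key_0,         XXX,
   Key_Enter,     Key_Y, Key_U, Key_I,     Key_O,      Key_P,         Key_Equals,
                  Key_H, Key_J, Key_K,     Key_L,      Key_Semicolon, Key_Quote,
   Key_RightAlt,  Key_N, Key_M, Key_Comma, Key_Period, Key_Slash,     Key_Minus,
   Key_RightShift, Key_LeftAlt, Key_Spacebar, Key_RightControl,
   LockLayer(STENO)),           // right palm key: same toggle

  // Steno layer: S(x) keys are never typed as characters; the GeminiPR
  // plugin collects the chord and sends it over USB serial for Plover to
  // translate. Everything else is XXX so a stray press on a non-steno key
  // does nothing while the layer is locked in.
  [STENO] = KEYMAP_STACKED
  (XXX, XXX,    XXX,   XXX,   XXX,   XXX,    XXX,
   XXX, S(N1),  S(N2), S(N3), S(N4), S(N5),  XXX,
   XXX, S(S1),  S(TL), S(PL), S(HL), S(ST1),
   XXX, S(S2),  S(KL), S(WL), S(RL), S(ST2), XXX,
   XXX, S(FN),  S(A),  S(O),
   LockLayer(STENO),            // LockLayer toggles, so this unlocks again

   XXX,   XXX,    XXX,   XXX,   XXX,   XXX,   XXX,
   XXX,   S(N6),  S(N7), S(N8), S(N9), S(NA), S(NB),
          S(ST3), S(FR), S(PR), S(LR), S(TR), S(DR),
   XXX,   S(ST4), S(RR), S(BR), S(GR), S(SR), S(ZR),
   S(E),  S(U),   XXX,   XXX,
   LockLayer(STENO))
)

// Plugins are registered here, in the order their hooks run.
KALEIDOSCOPE_INIT_PLUGINS(GeminiPR);

void setup() {
  Kaleidoscope.setup();
}

void loop() {
  Kaleidoscope.loop();
}
```

<p>Build and flash it the same way the Model01-Firmware README describes (its Makefile drives the Arduino toolchain); the palm keys then toggle between typing normally and chording for Plover. Note that the same USB flashing path is what makes the firmware “entirely rewritable”: anyone with the keyboard in hand can load their own sketch, which is the thing to keep in mind before putting anything secret in it.</p>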
<p>Steno… Should I talk about steno? Alright, let me talk about steno quickly:
steno is an input method that allows one to type much, much faster than normal
by pressing multiple keys at the same time (a chord, like one would play on a piano).
The keys of a chord are then interpreted in the fixed order of the system
(“steno order”) to reconstruct words, or parts of words. It’s pretty involved to
learn, but it’s amazing: a good touch typist reaches about 70 words per minute,
while certified stenographers write at 225 words per minute. The system is entirely
customizable, so you can program on a steno keyboard (in fact the person who
introduced me to the concept, <a href="https://twitter.com/stenoknight">@Stenoknight</a>,
writes Python on their steno system). Historically, steno was used for taking notes
in meetings and courtrooms, and the stenotype machine printed each chord on a paper
tape, which was then read back and transcribed into a readable document. Nowadays,
since we have computers, a program can do this translation automatically and in
real time: the free and open-source software that does that is called
<a href="https://www.openstenoproject.org/plover/">Plover</a>. When it comes to the
Keyboardio, the GeminiPR plugin makes it send each chord over its USB serial port
using the Gemini PR protocol, which Plover understands. I’m still (very early…) in the
process of learning steno, the position of the keys, the combinations and the
vocabulary, but I’m very excited. It might not be very useful in everyday life
(even though typing at even 150wpm would be so cool…) but it’s fun and
interesting, so. There.</p>
<p>But yeah, the firmware lets you switch to the serial steno mode and then back to
presenting a regular HID keyboard, seamlessly. It lets you execute arbitrary code on
the keyboard; in fact I’m pretty sure you could reasonably implement a U2F
device in it (though you’re lacking a real secure element: the key material would
sit in the microcontroller’s ordinary flash or EEPROM, on a device whose firmware
anyone with physical access can rewrite, so it would be a toy rather than a real token).
And it’s editable by someone like me, who doesn’t know shit about C or
programming or anything like that. It’s great.</p>
<p>So… I’m not saying you should buy this keyboard, obviously. It’s really great,
and it suits me really well, but it’s still very expensive, and it does take
a little time getting used to. Was this post just an excuse to clean my
keyboard? … maybe… But I also wanted to finally write this, since it’s a tool
I use a lot and I had been meaning to write about it for a while…</p>
‼️con (Wxcafé, 2019-05-13T10:00:00+02:00, tag:wxcafe.net,2019-05-13:/posts/!!con/)
<p>So, this past weekend I was at <a href="http://bangbangcon.com/">‼️con</a> (pronounced
bang bang con), a conference in NYC about “The joy, excitement, and surprise of
computing”. This was a great experience! I loved it! I met a lot of very cool
people, many who I knew from The Internet (mostly Twitter, let’s be honest), and
some I didn’t know at all and am very glad to have met there (moving to another
country can be a bit lonely, meeting people is a great remedy)! I watched a lot
of really good talks about computers and all the fun things people can do with
them! For a very short selection, there was <a href="http://bangbangcon.com/speakers.html#melody-starling">one about making Lo-Fi Hip Hop from
npm install logs</a>, an
<a href="http://bangbangcon.com/speakers.html#ayla-myers">exploration of what game feel
is</a>, a <a href="http://bangbangcon.com/speakers.html#em-lazer-walker">bike trainer game about
the food delivery
industry</a>, some
<a href="http://bangbangcon.com/speakers.html#allison-parrish">machine-learning assisted dadaist
poetry</a>, a primer on
<a href="http://bangbangcon.com/speakers.html#ellen-k%C3%B6rbes">designing 3d-printable dilators in
go</a>, some <a href="http://bangbangcon.com/speakers.html#tessa-alexanian">NOR gate
synthesis from bacteria</a>,
a <a href="http://bangbangcon.com/speakers.html#anjana-vakil">musical about tail-call
optimization</a>, and
a <a href="http://bangbangcon.com/speakers.html#peter-sobot">CD-quality music on a gameboy
demo</a>. I even discovered
(kinda late I guess) <a href="http://www.openstenoproject.org/">opensteno</a> by… talking
to <a href="https://twitter.com/stenoknight">Mirabai Knight</a>, the stenographer who was
transcribing the talks! From that list it might seem like I don’t know how to
choose (which is, admittedly, partly true), but also there were just so many
good talks there. It’s also a very actively inclusive conference, and it was
a generally queer experience, which is really cool and is a very nice change of
pace when it comes to tech conferences.</p>
<p>Now that I’ve talked about the basic stuff, let’s go into what I <em>really</em> want
to talk about. That will be split into three parts, because I don’t want to have
my points clash with each other. Let’s start off with the first point, which is
probably the one the conference organizers would most agree with:</p>
<h2>Having a con about the joy in computing is truly revolutionary</h2>
<p>And how. Tech is <strong>depressing</strong>. I mean, to be completely honest the world is
depressing, and the state of the US is even worse, <em>but</em> tech is <strong>depressing</strong>
in so many ways. <a href="https://pub.wxcafe.net/static/broken.mp3">Everything is
broken</a>. <a href="https://www.stilldrinking.org/programming-sucks">No, really, everything is
broken</a>. This isn’t (or, if it
is, shouldn’t be) news. </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>Broken hardware platforms,
broken operating systems,
broken network protocols,
people programming, in broken languages.
Broken ethics,
broken diversity,
broken idols,
broken tools.
Seems like every time you stop and turn around
Something else just hit the ground
</pre></div>
<p>I am talking technical here, obviously, because as exposed in that blog post
everything technical is broken, but I am also talking political, because we have
monopolies living on selling user data, companies funded by a guy who likes to
drink young people’s blood, so much sexism and racism that the about:blank page
isn’t the whitest thing in the domain, and collaboration with fascists (I’m
talking about the US government here to be clear).</p>
<p>Yes, everything is broken. And, from that perspective, it’s really easy to feel
discouraged and give up, believing that you can’t do anything and that tech is
unredeemable.</p>
<p>Tech might well be unredeemable, but computing has brought many of us joy in
various ways. To speak of my own experience, I’ve loved exploring,
understanding, and often breaking operating systems (and <em>systems</em> in general)
so much when I was a teenager (that isn’t very far, to be fair) that I made it
my job (and I love it sometimes!!). For many of the people at ‼️con, it’s <em>making
things</em>, feeling the power of getting the computer do what you want it to do; or
using the power of the dumb machine to help your community or your family; or
building the cool games you loved playing; or making art with that tool; or
a thousand other reasons that computing is exciting, fun, and sometimes
surprising.</p>
<p>And when our day-to-day outlook at tech is so gloomy and depressing, actually
remembering that tech can also be a <em>fun</em> thing is powerful, and even
revolutionary, in the sense that it turns the perspective that the field is
trying to push onto us around and tells the Thiels and the ESRs of the world
that we will have fun with this, and it doesn’t matter what you do.</p>
<p>In a way, ‼️con feels kind of like the CCC does, in that there’s acceptance and
a form of inclusivity, but also in the way it’s not centered on a specific topic
and welcomes all sorts of discussions. (Of course, the CCC isn’t focused on the
joy of computing, even though I’d argue it is very much on the excitement, and
all these things aren’t explicitly stated. It’s also a much bigger event.)</p>
<h2>That being said, taking joy in computing shouldn’t make us forget about our social struggles</h2>
<p>Having fun with computers is powerful. It can motivate us to fight and improve
things when we’re demotivated because of all the negativity. It’s also a way to
improve the diversity of the field, removing the seriousness enables people who
wouldn’t have dared to get started with programming, or to take on projects that
they wouldn’t have otherwise. Feeling that asking for help and that you’re in
a friendly circle is incredibly enabling too, especially for traditionally
disenfranchised people (women, PoC, queer people,… ).</p>
<p>But while it’s good to forget about the negativity, we should not forget that
liberating ourselves isn’t the end of the fight, and it’s actually only the
beginning. It’s a tool to help us fight, not a way to escape from the fight.</p>
<p>Let me be clear: I’m not accusing anyone at ‼️con of doing that. The
organizers are doing a huge amount of work on exactly this simply by making such
an inclusive and positive event, and many of the participants I’ve met were
involved in multiple political struggles themselves! And, as I said, I think
that ‼️con is a powerful tool in that fight.</p>
<p>What I’m saying here is that personally, when presented with this kind of
environment, I feel an impulse to settle into it. I feel comfortable,
and I don’t want to leave that comfort, and I have to consciously take the
time to get back into the right mindset. Of course, a large part of that is that
I don’t <em>face</em> these oppressions much, and it’s clear that people who <em>do</em> don’t
feel that kind of thing. But I also know there are people like me in the ‼️con
audience, and I feel like thinking about the effects the “think positive!!”
message can have on attendees can be a good thing.</p>
<p>I also feel that the “act positive” attitude of ‼️con, while really good (it
allows people to talk about what they like freely, without dreading someone
telling them OH YOU USE SUCH AND SUCH?? DID YOU KNOW THAT OTHER TECH STACK IS
WAY BETTER LOL), also shuns some criticism, and criticism is sometimes valid!
That’s not a big deal! It’s a two-day con, there are other times for discussion
of these topics… but that “everything goes” attitude leaves me wondering.</p>
<h2>There is a difference between building and making, and I’m on the other side</h2>
<p>Finally, and kind of unrelatedly, I’d like to talk about a thing that I felt and
realized during the con, while watching the talks, while listening to other
attendees talk, and while trying to talk about stuff I’m doing; and how I felt
kind of out of place (but this is not a critique!).</p>
<p>So ‼️con is special in that it’s a con that’s about <strong>makers</strong>. Not the “I have
a 3d printer and I love shop class” kind of makers, but the “I can just whip 300
lines of code to make this thing go” kind of makers.</p>
<p>As an Ops person, this makes me feel awed and humbled. I see people talk about
“simply” taking a few dozen libraries and suddenly a text file is transformed
into music. I see people talk about elm parsers, or Rust VMM bindings, and while
I <em>understand</em> the theory, and when I see the code I can follow it, I am awed by
their capacity of taking these disparate pieces and making a cohesive thing out
of them, and especially I am humbled by the way they talk about these things as
if they were so <strong>easy</strong>.</p>
<p>I don’t know why I’m so utterly unable to connect the dots when I really <em>get</em>
the theory and the syntax and everything that’s necessary, maybe I’m just
missing the creative spark that makes these people able to make things appear
out of thin air, but that’s possibly the subject for another post, not this one.</p>
<p>What I know how to do is building infrastructure. I know systems, I know
networks (mostly). I know how to build redundancy and (surprisingly, knowing my
living habits) I know how to be rigorous in setting up and managing complex pieces of
software interacting together. This is a thing I have, and similarly I don’t
know why. It’s clearly important and necessary, and I appreciate it accordingly.</p>
<p><strong>But</strong>. It is definitely not the same thing. It’s <strong>building</strong>, it’s not
<strong>making</strong>. And so, I felt kind of out of place at ‼️con sometimes, because I am
outside of the paradigm assumed by the con and the attendees. I don’t have any
“recent stuff I’ve made” to talk about! I don’t have anything to contribute to
their <em>making</em> apart from my awe. And the only additions I <em>can</em> provide are
actually restrictions: here’s how you could host this. You could make this part
more redundant. And even then, a lot of the “ops” tools used by devs now (FaaS,
docker and orchestration, stuff like that) are outside of my domain too.</p>
<p>I’m not saying ‼️con should change, because it really shouldn’t. It’s really cool
to have a place to see all those projects and small miracles shown off! But I’m
thinking of two things that were said in the second day of the con:</p>
<p>First, in the keynote talk, <a href="http://bangbangcon.com/speakers.html#jenn-schiffer">Jenn
Schiffer</a> was talking about
<a href="https://glitch.com">glitch</a>, a “programming social network” (a social space
that allows you to build programs with Javascript directly on the website and
share them with people, mostly on twitter, without hosting or deploying anything
yourself), and she said:</p>
<blockquote>
<p>by taking the DevOps part away from the app building experience, the Glitch
platform allowed Justin to focus on the impactful part of the app</p>
</blockquote>
<p>(link <a href="https://youtu.be/Bz3eZinhyoE?t=3133">here</a>)</p>
<p>And… she’s right. Yes, Ops (and in general, the “building” part) is
a limitation on the creativity and impact that the makers can express. And, this
being a maker-oriented con, her comment is totally on point! This is the first
thing that made me reflect on this maker/builder divide.</p>
<p>Secondly, in the outro, <a href="https://twitter.com/ertyseidohl">Erty Seidohl</a> said:</p>
<blockquote>
<p>there were three kinds of talk idioms this weekend:</p>
<ul>
<li>here’s a thing I did,</li>
<li>here’s a thing I found and want to share,</li>
<li>and […] here’s a thing I am doing”</li>
</ul>
</blockquote>
<p>(link <a href="https://youtu.be/Bz3eZinhyoE?t=25932">here</a>)</p>
<p>That made me reflect on the divide, too. These are very maker-oriented talk
idioms (the second one could be builder, too, but it’s still more maker). And
I think that talk formats from builders, talking to makers, could be something
like</p>
<ul>
<li>here’s a thing I know that I would love you to <em>make</em> things about</li>
<li>here’s how this infrastructure you use works underneath</li>
<li>here’s how you can build your own infrastructure</li>
</ul>
<p>These are the ones I found off the top of my head, I’m sure there are more.</p>
<p>But my point is that there could be positive exchanges between the two groups,
instead of the vaguely antagonistic relation that exists now. I’m thinking of
proposing a talk for next year’s ‼️con, among other things because the conference
seems very accessible (talks are short, the crowd is very positive, and subjects
are very broad), and I hope I can bring something new to the makers the same way
they give me that awe.</p>
<hr>
<h3>In conclusion</h3>
<p>I hope this post wasn’t too unclear to read (it should probably have been three
or four posts, honestly), and that it conveyed what I wanted to express
correctly. Thank you for reading it, and please do contact me either by email,
twitter or mastodon if you have comments! I would really love to hear what other
people on both sides of the “divide” think about this, and if you think the
whole concept of the divide is complete and utter bullshit I’d love to hear
about that too!</p>
<p>I also hope it was clear that I’m really glad I went to ‼️con, that it was
amazing in a different way than CCC can be, and that the slight out-of-place
feeling I had was a) not the fault of the con and b) not at all enough to spoil
the fun!</p>
When a toy isn't a toy anymore (Wxcafé, 2019-04-28T09:58:00-05:00, tag:wxcafe.net,2019-04-28:/posts/when_a_toy_isnt_a_toy_anymore/)
<p>Let’s say, for the sake of argument, that there’s this guy named Nick.</p>
<p>Nick is a nice person. He’s friends with a lot of queer people. Maybe he doesn’t
always get everything about Socialism or Communism but he agrees that the world
is unfair, and that a better distribution of resources would be way better.
He’s European, so he sees that the US “right wing” is a bunch of fascists, and
he doesn’t hesitate to say it. All in all, a pretty good guy.</p>
<p>Nick is also a developer. He believes that Free Software in and of itself is a
Good Thing for the world, and that you should use it if you can, but he also
sees that of course usability is important and that users can’t be blamed for
going with a proprietary solution if the FOSS one is too ugly or unusable.</p>
<p>Nick is getting weary, because the company that edits one piece of proprietary
software he uses (because he <em>has</em> to use it) doesn’t seem to want to do
anything except make its own product worse, and more hostile to its own users.
“No problem!”, thinks Nick, “I’ll make my own!”. And he’s a dev! So he can.</p>
<p>And so he does! For months, he gives up his own free time to work on this
competing product. And it gets better and better! He fixes all the problems he
sees in the product, and he shows it to his friends. And his friends get excited
about it too! So he decides to release what he has, which is already pretty
good, making sure everyone knows it’s only a beta release.</p>
<p>A few weeks go by. A lot of Nick’s friends have started using his software,
which is great! They’re reporting bugs and stuff, which help him make it better!
But they’ve also told all their friends, which is a little less great,
because these people don’t necessarily know it’s a beta release.
But Nick keeps at it, and improves his software, again and again. More and more
people are hearing about it, by word of mouth, and it’s getting better and
better.</p>
<p>And Nick is happy! Cause let’s be honest, we all like it when people use our
things. It’s only natural, we like when things we make are successful, and
especially when it helps others get out of a bad situation. But at the same
time, Nick is a bit frustrated, cause he’d like everyone who uses the company’s
product to switch to his. Cause his is so much better! If only they knew! And
that, too, is only natural. We don’t like seeing people struggle when they
shouldn’t have to, and it’s especially frustrating when you’re the one trying to
provide a solution.</p>
<p>But Nick overcomes this frustration for now, and decides to keep building his
product for the people who are using it. And he’s got some work to do! His
users, most of whom are queer people (remember, he has a lot of queer friends…
So when they told <em>their</em> friends, well…), have plenty of suggestions. Turns
out the company’s product has actually never satisfied them, and they actually
really hated it but used it nonetheless cause, well… there was no alternative.
But now that there <em>is</em>, there’s no reason to only make it as good (or as bad)
as the original was! Let’s improve it! And so they suggest lots of stuff. And
some of them are developers too, so they submit PRs and patches. Pretty soon,
entire features aren’t developed by Nick anymore.</p>
<p>Nick is very happy about this at first (obviously), because… well, it cuts his
development time, new features get added (most of which he wanted to add in the
first place), and some very good ideas that he wouldn’t have thought of are
suggested. But more importantly, he’s really happy that others <strong>care</strong> about
his personal project. And of course he does. That’s only natural, when we build
things and others care about them enough to build them with us it makes us feel
loved and recognized!</p>
<p>But then, he starts to be less and less enthusiastic about these other
contributors. Yes, they’re great people and all, but… some of the stuff they
suggest is really not how he envisioned his project. They make good points
about it, too, which is really problematic for him because they’ve been really
helpful, and he doesn’t want to hurt them… And there’s also the fact that
they’re arguing that some of the features they’re suggesting are specifically
about them being queer, and he doesn’t want to seem like he doesn’t care about
queer people. But he starts to kinda feel like <strong>his</strong> project is being taken
out of his hands.</p>
<p>Time passes, and features are added to the software. Some are Nick’s ideas, some
are other people’s ideas that Nick likes… and some he doesn’t feel great about
but hey, it’s helping other people, right? So he adds them anyway. But today,
a PR was opened by a contributor, someone who’s been very active in developing
the software, and Nick really, <em>really</em> doesn’t like it. He hates it so much,
he’s at the brink of answering that he won’t merge it. He doesn’t have any
<strong>rational</strong> reason for it, he just… doesn’t like it.</p>
<p>But then he has an idea. What if, instead of telling the contributor he won’t
merge the feature, he just ignores the PR. The contributors have write access to
the repository, but they always wait for an ok from Nick before merging stuff.
If he acts like he hasn’t seen the PR, and ignores it, it will slowly start to
develop merge conflicts until the contributor has to rewrite it entirely… And
then he can still ignore it, eternally. The upshot being that he doesn’t have to
start conflict with the contributor, something he really, <em>really</em> doesn’t want
to do.</p>
<p>So he ignores the feature. And he was right! It does develop merge conflict. The
contributor nags him once or twice about it, but then kinda forgets about it, so
everything is good. But after a few weeks, another PR he doesn’t like is opened
by someone else.
Well, he can just ignore it too, right? Yes, he can… Until at some point, the
first contributor remembers about their PR… And they ask him, if he doesn’t
have the time to review the PR, if the other contributor could do it. Ah, now
that’s problematic… He can’t say yes, because the two contributors would
probably agree and merge that feature he really doesn’t like. But he can’t say
no either, because that would be weird and imply he doesn’t trust other
contributors.</p>
<p>So he tells them he’ll review the PR, and a few minutes later finally comments
that he doesn’t want to merge the feature. It’s great and all, but he doesn’t
like it. “But it helps me use the software, it’s a pain to use otherwise…”,
says the contributor. “Yes, but I don’t like it”, replies Nick. “Well, it’s an
accessibility issue”, says the contributor, “and queer people like me need this
kind of features to use the software”. Nick still doesn’t have any rational
argument, so all he finds is “well, it’s <em>my</em> project, isn’t it? And <em>I</em> don’t
want the feature, so <em>I</em> am not going to merge it”. And with that, he closes the
PR. Of course he feels bad, and he feels even worse when the contributor comes
to see him to talk about it in private and ask him what they can change about it
to make him like it better. “Nothing”, he says, “I really just don’t like the
idea”. And after a while, the contributor, who seems a bit upset, says that
they’re not really happy about that but it’s okay, whatever.</p>
<p>A few months go by, with a few other closed PRs, pretty much in the same way.
Then the company does another change to their software, and a lot of their users
really don’t like it. And instead of just acting upset a few days but sticking
with the company’s software like they’ve always done, this time a few of them
(the most technical of them) decide to move to Nick’s software, since it seems
better now.</p>
<p>Nick’s really glad about that, he’s wanted to attract power users of the
company’s product since he started building his own! The queer people are great,
but they only represent a fraction of the company’s software users, and they
have their own usage habits (as he’s seen from the PRs…). And, once again,
that’s understandable, because we all like things we build to be used and liked
by lots of people! And so the new users pour in, soon outnumbering the existing
userbase. And they’re a bit surprised about the specific features that have been
added to the software they’re used to, but they soon get used to it and start to
really like them. They also like the fact that the community is smaller, and
tighter-knit, than the one of the company’s software. So most of them are happy,
and keep using his software, and Nick’s feeling pretty popular.</p>
<p>And that keeps on for a few months, with irregular influxes of new users, and
still a few PRs he doesn’t like, but now the new power users have started to
suggest new features too, features that Nick didn’t bother implementing when
building his software but that they liked on the company’s product. And Nick
doesn’t feel either way about these features, but he thinks that if he
implements them other, less adventurous users of the company’s software might
migrate over. So he starts working on those, until one of the people from the
first cohort of contributors comes and tells him that that feature he’s starting
to implement actually really impairs their ability to use the software. And Nick
doesn’t really understand that, he doesn’t get how adding that feature could
cause them problems. So he keeps working on it and merges it into the codebase,
which (understandably) upsets the first contributor quite a lot. Nick feels
kinda bad about it, but after a bit a lot more new users start arriving, and he
moves on because he’s so excited about all these new users.</p>
<p>After a few more weeks, one of the first cohort’s contributors opens a PR, but
merges it in with another contributor’s approval instead of asking Nick. Of
course, Nick is upset about this! It’s <em>his</em> project, it’s really nice of them
to contribute to it but they should still ask him before merging stuff. So he
makes an angry comment, and leaves it at that.</p>
<p>A few days later, this happens again. They tell him that he’s been working a lot
on the newer cohort’s features, and while that’s okay and he can do what he
wants with his project, there’s still a lot of open issues and work to do, and
since he has left PRs to die in the past they wanted to merge these before they
develop conflicts. He restricts merge access to himself alone, and tells them that
they’re right. It <em>is</em> still his project, and he’ll be the one deciding what
to merge. Then he goes back to work on those features ported from the company’s
software.</p>
<p>Contributors from the earlier cohort are slowly leaving the project, one after
the other. Some of them, who contributed a lot of important features, band
together and make a fork. Nick doesn’t like how they present it as a better,
community-driven version of his project. His is community-driven too, isn’t it?
Lots of people suggest features and open issues, and he accepts a lot of PRs!
The fork ultimately isn’t really successful anyway, few people use it and they
keep rebasing on his code every few weeks because they don’t want to miss out on
his software’s features. Nick ignores them.</p>
<p>Hey, some journalist contacted Nick to do an interview with him, about his
project! He’s been getting invitations to open-source software conferences, too,
to give talks about taking on the company. That makes him really excited, and
nervous too, but he’s really satisfied to finally get recognition for all the
hard work he’s done. He talks with the journalist, and tells them how hard it’s
been, and how he’s very happy to have implemented all those accessibility
features that the company wouldn’t add to their software; and how he’s happy
that company power users are liking his project. He goes on and on about how the
company is hurting its power users, the only users that matter. He goes away
from that interview pretty happy with himself, and sure that this will bring
more users to try his software.</p>
<p>After the article is published, the old cohort of contributors isn’t really
happy. They’re not happy about how he called the power users “the only users
that matter”, and they’re <em>especially</em> not happy about how he said he was proud
to have implemented the accessibility features when <strong>they</strong> did most of the work,
<strong>they</strong> submitted the ideas for the things they didn’t code themselves, and
<em>he still won’t merge some of the accessibility features they made</em>. He tries to
explain how the interviewer asked about the features and didn’t understand the
concept of collaborative work on software, and how they thought he made the
whole thing, but the contributors call him a lying hypocrite and leave it at
that, and they don’t wanna hear from him again. He’s kinda hurt by that, but he
still feels he didn’t do anything wrong, so…</p>
<p>Life continues like this. He keeps ignoring the (rarer and rarer) PRs that he
doesn’t like, because he doesn’t like confrontation. He keeps implementing
features that he thinks the company software’s users will like, to draw more and
more of their users towards his project. He’s getting paid through donations for
his work, so he quits his job and works on the project full time. After a while,
he hires a Project Manager, to try and manage everyone’s expectations and keep
everyone happy. But <em>they</em> start telling <em>him</em> what he should and shouldn’t
merge (the nerve! He hired them to manage <em>the contributors</em>, not <em>him</em>!), so he
doesn’t renew their contract. The project becomes larger and larger, the
userbase grows steadily. Sometimes old contributors come back to fight on
a particular issue or two, but they never stay long. He doesn’t get why, after
all he’s not confrontational at all!</p>
<p>Anyway. The project will continue, and the users will keep using it. But it
doesn’t feel as fun as it did for Nick… Nor does it for the contributors.</p>
<hr>
<p>Of course, this whole story is fictional, and any resemblance between it and
events or persons in real life is pure coincidence. In this blog post I wanted
to talk about Open-Source development, and how maintainers too often don’t see
that they have the responsibility of the community that uses their software.</p>
<p>I know the argument over “devs should be free to do whatever they want with
their own work!” vs “devs have a social responsibility to (at least) fix bugs in
the software they open-source and that people use” is a pretty old one, and both
sides have obvious points that are worth taking into account. My argument here
is that when either your project becomes too large, or your community is
composed of marginalized people, you <strong>do</strong> have a responsibility towards them,
and if you don’t want to assume it yourself responsibly you should either give
the governance of the project to someone else (and fork, if you’re not happy
with the direction the project takes without you) or direct contributors to
a fork that is community-driven.</p>
<p>Death of the author and all that, you know? People will do with your creation
whatever they want to, and if you’re not ready for them to do that, you
shouldn’t release it to the world.</p>
<p>When your toy becomes used by so many people… well, maybe it isn’t your toy
anymore.</p>
<p>That’s my opinion, anyway. But I’m not a dev, so what is my opinion even worth?</p>
<hr>
<h1>Moving to th̶e̶ ̶U̶S̶ ̶New York</h1>
<p>Wxcafé, 2019-02-04T20:08:00-05:00 (tag:wxcafe.net,2019-02-04:/posts/moving_to_new_york/)</p>
<p>So, uh, yeah. Even though it might not have been evident if you extrapolated my
sleep cycle from my twitter activity, I’ve always lived in France, I was born
there and I grew up there. About a month and a half ago I took the plane to get
to my next place of living: NYC.</p>
<h3>Why the <em>fuck</em> move to the US?</h3>
<p>So that’s the obvious question. Why, <em>why</em>, would anyone move from a civilized
country, with healthcare and free university and all the amenities that society
has given us and that allows us to leave less people dying in the streets
and more people living happily (don’t worry though, the liberal government in
France is well on the way of tearing apart those social protections like most of
the rest of Europe). Why leave friends, family, and familiarity to go live in
a quasi-fascist country, where the two political parties are slightly different
brands of the same right-wing soup and where history starts 250 years ago
(because the colonizers massacred most of those that actually had a history
there)?</p>
<p>Well, uh, that’s a good fucking question. It’s one I’m not actually sure I’ve
got a satisfactory answer to, actually. There are, however, <em>a few</em> points that
made me want to move to the US:</p>
<ul>
<li><strong>New York</strong>. That city is… Different. I wouldn’t know how to put it, but in the
few months that I’ve spent there over the years, I always wanted to live here.
The atmosphere there is special, and it feels magical to me. I feel at home
there.</li>
<li><strong>Opportunity</strong>. I <em>know</em> this is a cliché. I know. Still, it seems like the
US is where things happen, and where tech in particular <em>is</em>.</li>
<li><strong>Being where things are</strong>. I don’t know if I can express this clearly, but
living in France and yet having so many friends in the US, it seemed to me
like I was excluded from the world. I’m not saying the world outside of the US
doesn’t exist or doesn’t matter. I’m saying, at least to me, it feels like
there’s always where you live <em>and</em> the US. Most people don’t keep tabs on
Spanish or Finnish politics, at least not closely. But most everyone (at least
in Europe) keeps a close eye on US politics, because obviously it influences
and impacts every other country. I think living like that would be fine, and
I wouldn’t pay it any mind, if I didn’t know people in the US closely. But
I do, and it felt awful to me.</li>
<li><strong>I’m fucking dumb</strong>. Or rather, I <em>was</em> fucking dumb (I might still be, but
that’s not proven definitively. That I <em>was</em> is proven, on the other hand)
when I made that decision. In my defense, though, I was 15 and completely
oblivious to everything that made the US awful. I only saw the few points
I listed before, and I thought that this sounded great! Why not move to this
place!</li>
</ul>
<p>… I’ve matured a little bit since then.</p>
<ul>
<li><strong>Privilege</strong>. This is obvious. I’m a cis white guy who works in tech. Yes,
I’m queer, but it’s not apparent. Yes, I have convictions, but once again it’s
not apparent. I don’t face any kind of discrimination, never did, and most
likely never will. All the “no healthcare, free university, …” points are
moot in my case. I’ve already graduated, and even if I wanted to
get a postgraduate degree I just could, because I work in tech, and in that
industry salaries are incredibly high compared to the actual work done (and
even more so compared to the benefit to society provided…). Point here
being, I don’t actually have to worry too much for my safety. Of course,
I have convictions, so I will be (and am) fighting the authoritative regime
that’s in place, but still: I have the <em>possibility</em> to ignore it.</li>
</ul>
<h3>Okay, that wasn’t very convincing, but alright. But <em>how</em> the fuck did you move there?</h3>
<p>So, yeah. That’s <em>why</em>. Now, what about <em>how</em>?
Becoming a US citizen is a painful and complicated process, that is also usually
pretty expensive. It generally involves getting a work visa to the US, then
a green card (or “permanent resident card”), which allows one to become a legal
permanent resident of the US. Then, after five years, one can ask to begin the
naturalization process, which after a test of English and of general knowledge
of US politics and history, allows you to get in a room, declare your allegiance
to the flag, and sing The Star Spangled Banner, after which you’re a US citizen.</p>
<p>I’m currently at the “has a green card” step, and I got there by… having
a father who’s a US citizen. I already talked about how I’m privileged in the
previous part, but uh. Yeah. Obviously, immigration for me isn’t the same as
immigration for a lot of people, and all the immigration workers have been
generally well-meaning and helpful, which is far from the norm in US immigration
services.</p>
<p>So, yeah, that’s how I moved. Took a place mid-December, stayed with family for
a few weeks until I found a place, then moved, and now I live in my apartment in
central Brooklyn.</p>
<h3>Alright, and what are you gonna do now?</h3>
<p>Well… pretty much the same as before. I’m still working at
<a href="https://gandi.net">Gandi</a>, only I’m working remote now. A few of the orgs I was
volunteering with in France, I can still help from here, or when I go back there
from time to time, but there is also plenty to do here, so I’m starting to
organize with local orgs (like DSA, for example), and I’m trying to help where
I can. And of course I’m still going to write stuff on here, maybe a bit more
regularly now that moving from a continent to another is mostly done. Mastodon
is still up, twitter is mostly still up, and I’m still fiddling with computers!
Only, now I’m doing it in the US, and we can get a drink sometime if you live
there too.</p>
<hr>
<h1>Yubikey for EVERYTHING</h1>
<p>Wxcafé, 2018-07-07T23:06:00+02:00 (tag:wxcafe.net,2018-07-07:/posts/yubikey_for_everything/)</p>
<h6>EDIT: Update 07/07/2018, added <code>SSH_AUTH_SOCK</code> information, a few pointers about key generation and backup, and info about gpg-agent’s bad behavior.</h6>
<p>When I first started at the job I’m currently at, at <a href="https://gandi.net">Gandi</a>,
I was given a Yubikey NEO, looked into it for a few minutes and quickly decided
not to give it more thought. I put it away and didn’t look back, partly
because the <code>yubikey-personalization-gui</code> is maybe the most unusable and
unintelligible interface I’ve ever seen, and partly because I had a 4096 bit key
and didn’t think to make smaller subkeys to put on the smartcard (the NEO’s
OpenPGP applet only supports RSA keys up to 2048 bits).</p>
<p>A few weeks ago I decided to buy a Yubikey 4 on a drunken evening and got it in
the mail a few days later, having completely forgotten I had ordered it.
I decided to finally take a look at how this thing worked and what I could
actually do with it.</p>
<p>So, first things first. The Yubikey 4 is basically an OpenPGP smartcard, with an
added PIV (X.509) smartcard, WITH added U2F support. It can also be used to do
TOTP/HOTP (OATH) with the Yubico Authenticator app on Android smartphones or
computers. It can probably also be programmed to solve quadratic equations, but
I haven’t tried.</p>
<p>To clarify: functionally, a smartcard is a device with a small integrated CPU
and storage space for keys, to which you can only write keys, never read them
back. The integrated CPU can then be asked to sign/encrypt/decrypt arbitrary
data, but the private keys are designed never to leave the card. What a
compromised host can still do is ask the card to sign or decrypt on its behalf
while the card is plugged in and unlocked, which is why the PIN, the PIN retry
limit and how long the agent caches the PIN all matter.</p>
<p>Anyway, my use case is as such: beforehand, I stored my GPG and SSH keys on my
everyday computers, but I couldn’t use either of them on my work computers (I
didn’t want to leave personal stuff like that on work equipment). I wanted to be
able to connect to my servers and ideally decrypt files on any computer
I encounter (okay, decrypting files on anyone’s computer is not a great idea,
but there are a few computers I trust enough to decrypt files on them but not to
give them my private keys). I also use <a href="https://www.passwordstore.org/">pass</a> to
store my passwords, decrypting them with the yubikey everywhere is nice. Since
the key allows me to access my passwords, I feel like putting the second factor
of authentication on it just wouldn’t be reasonable, so I’m still using my phone
as a 2fa TOTP source. Finally, I stored an X.509 cert for OpenVPN to try and see
how it would work with the yubikey. I’m not using it for now but it’s there.</p>
<hr>
<h3>GPG key storage</h3>
<p>Anyways, here’s how to use this thing:</p>
<ul>
<li>
<p>First, always keep a backup of your private keys. The primary (certify) key
stays off the card, and you’ll need it to sign other people’s keys at
keysigning parties and to add or revoke subkeys; and if you lose the yubikey
you’ll need the backup of the encryption subkey to read anything encrypted to
it, and the primary key to issue replacements… so, well, to recover
everything. Anyway, keeping a good offline backup or two is important.</p>
</li>
<li>
<p>We’re gonna start by adding our <a href="https://alexcabal.com/creating-the-perfect-gpg-keypair/">GPG
subkeys</a> to the
yubikey. That article covers pretty much everything, <em>except</em> generating an
Authentication subkey, which is done with <code>gpg --expert --edit-key
<KeyID></code>, then <code>addkey</code>. Select “(8) RSA (set your own
capabilities)” as the type of key, then type <code>S</code> to toggle signing off, <code>E</code> to
toggle encryption off, and finally <code>A</code> to toggle authentication on. Type <code>Q</code>
to confirm, then proceed as usual for the key size, expiration date, etc., and
<code>save</code> when leaving the editor. With the three subkeys generated, we can set
up the yubikey. This is really easy, since gpg detects the yubikey as an
OpenPGP smartcard:</p>
</li>
</ul>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #960050; background-color: #1e0010">$</span> <span style="color: #f8f8f2">gpg</span> <span style="color: #f92672">--</span><span style="color: #f8f8f2">edit</span><span style="color: #f92672">-</span><span style="color: #f8f8f2">card</span>
<span style="color: #f8f8f2">gpg</span> <span style="color: #f92672">--</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">-</span><span style="color: #f8f8f2">status</span>
<span style="color: #f8f8f2">Reader</span> <span style="color: #f8f8f2">...........</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">Yubico</span> <span style="color: #f8f8f2">Yubikey</span> <span style="color: #ae81ff">4</span> <span style="color: #f8f8f2">OTP</span> <span style="color: #f8f8f2">U2F</span> <span style="color: #f8f8f2">CCID</span> <span style="color: #ae81ff">00</span> <span style="color: #ae81ff">00</span>
<span style="color: #f8f8f2">Application</span> <span style="color: #f8f8f2">ID</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">D2760001240102010006076003030000</span>
<span style="color: #f8f8f2">Version</span> <span style="color: #f8f8f2">..........</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">2.1</span>
<span style="color: #f8f8f2">Manufacturer</span> <span style="color: #f8f8f2">.....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">Yubico</span>
<span style="color: #f8f8f2">Serial</span> <span style="color: #f8f8f2">number</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">07600303</span>
<span style="color: #f8f8f2">Name</span> <span style="color: #f8f8f2">of</span> <span style="color: #f8f8f2">cardholder:</span> <span style="color: #f8f8f2">[not</span> <span style="color: #f8f8f2">set]</span>
<span style="color: #f8f8f2">Language</span> <span style="color: #f8f8f2">prefs</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[not</span> <span style="color: #f8f8f2">set]</span>
<span style="color: #f8f8f2">Sex</span> <span style="color: #f8f8f2">..............</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">unspecified</span>
<span style="color: #f8f8f2">URL</span> <span style="color: #f8f8f2">of</span> <span style="color: #f8f8f2">public</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">:</span> <span style="color: #f8f8f2">[not</span> <span style="color: #f8f8f2">set]</span>
<span style="color: #f8f8f2">Login</span> <span style="color: #f8f8f2">data</span> <span style="color: #f8f8f2">.......</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[not</span> <span style="color: #f8f8f2">set]</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">not</span> <span style="color: #f8f8f2">forced</span>
<span style="color: #f8f8f2">Key</span> <span style="color: #f8f8f2">attributes</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">rsa2048</span> <span style="color: #f8f8f2">rsa2048</span> <span style="color: #f8f8f2">rsa2048</span>
<span style="color: #f8f8f2">Max.</span> <span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">lengths</span> <span style="color: #f8f8f2">.</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">127</span> <span style="color: #ae81ff">127</span> <span style="color: #ae81ff">127</span>
<span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">retry</span> <span style="color: #f8f8f2">counter</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">3</span> <span style="color: #ae81ff">0</span> <span style="color: #ae81ff">3</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">counter</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">0</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">Encryption</span> <span style="color: #f8f8f2">key....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">Authentication</span> <span style="color: #f8f8f2">key:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">General</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">info..</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">admin</span>
<span style="color: #f8f8f2">Admin</span> <span style="color: #f8f8f2">commands</span> <span style="color: #f8f8f2">are</span> <span style="color: #f8f8f2">allowed</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">passwd</span>
<span style="color: #f8f8f2">gpg:</span> <span style="color: #f8f8f2">OpenPGP</span> <span style="color: #f8f8f2">card</span> <span style="color: #f8f8f2">no.</span> <span style="color: #f8f8f2">D2760001240102010006076003030000</span> <span style="color: #f8f8f2">detected</span>
<span style="color: #ae81ff">1</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">2</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">unblock</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">3</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">Admin</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">4</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">set</span> <span style="color: #f8f8f2">the</span> <span style="color: #f8f8f2">Reset</span> <span style="color: #f8f8f2">Code</span>
<span style="color: #f8f8f2">Q</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">quit</span>
<span style="color: #f8f8f2">Your</span> <span style="color: #f8f8f2">selection</span><span style="color: #f92672">?</span> <span style="color: #ae81ff">3</span>
<span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">changed.</span>
<span style="color: #ae81ff">1</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">2</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">unblock</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">3</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">Admin</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">4</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">set</span> <span style="color: #f8f8f2">the</span> <span style="color: #f8f8f2">Reset</span> <span style="color: #f8f8f2">Code</span>
<span style="color: #f8f8f2">Q</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">quit</span>
<span style="color: #f8f8f2">Your</span> <span style="color: #f8f8f2">selection</span><span style="color: #f92672">?</span> <span style="color: #ae81ff">1</span>
<span style="color: #f8f8f2">Pin</span> <span style="color: #f8f8f2">changed.</span>
<span style="color: #ae81ff">1</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">2</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">unblock</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">3</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">change</span> <span style="color: #f8f8f2">Admin</span> <span style="color: #f8f8f2">PIN</span>
<span style="color: #ae81ff">4</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">set</span> <span style="color: #f8f8f2">the</span> <span style="color: #f8f8f2">Reset</span> <span style="color: #f8f8f2">Code</span>
<span style="color: #f8f8f2">Q</span> <span style="color: #f92672">-</span> <span style="color: #f8f8f2">quit</span>
<span style="color: #f8f8f2">Your</span> <span style="color: #f8f8f2">selection</span><span style="color: #f92672">?</span> <span style="color: #f8f8f2">q</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">url</span>
<span style="color: #f8f8f2">URL</span> <span style="color: #f8f8f2">to</span> <span style="color: #f8f8f2">retrieve</span> <span style="color: #f8f8f2">public</span> <span style="color: #f8f8f2">key:</span> <span style="color: #f8f8f2">https:</span><span style="color: #75715e">//pub.wxcafe.net/wxcafe.asc</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">name</span>
<span style="color: #f8f8f2">Cardholder</span><span style="color: #960050; background-color: #1e0010">'</span><span style="color: #f8f8f2">s</span> <span style="color: #f8f8f2">surname:</span> <span style="color: #f8f8f2">Hertling</span>
<span style="color: #f8f8f2">Cardholder</span><span style="color: #960050; background-color: #1e0010">'</span><span style="color: #f8f8f2">s</span> <span style="color: #f8f8f2">given</span> <span style="color: #f8f8f2">name:</span> <span style="color: #f8f8f2">Clément</span>
<span style="color: #f8f8f2">Error:</span> <span style="color: #f8f8f2">Only</span> <span style="color: #f8f8f2">plain</span> <span style="color: #f8f8f2">ASCII</span> <span style="color: #f8f8f2">is</span> <span style="color: #f8f8f2">currently</span> <span style="color: #f8f8f2">allowed.</span>
<span style="color: #f8f8f2">Cardholder</span><span style="color: #960050; background-color: #1e0010">'</span><span style="color: #f8f8f2">s</span> <span style="color: #f8f8f2">given</span> <span style="color: #f8f8f2">name:</span> <span style="color: #f8f8f2">Clement</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">login</span>
<span style="color: #f8f8f2">Login</span> <span style="color: #f8f8f2">data</span> <span style="color: #f8f8f2">(account</span> <span style="color: #f8f8f2">name)</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">wxcafe</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">sex</span>
<span style="color: #f8f8f2">Sex</span> <span style="color: #f8f8f2">((M)ale,</span> <span style="color: #f8f8f2">(F)emale</span> <span style="color: #f8f8f2">or</span> <span style="color: #f8f8f2">space)</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">M</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">lang</span>
<span style="color: #f8f8f2">Language</span> <span style="color: #f8f8f2">preferences:</span> <span style="color: #f8f8f2">en</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f8f8f2">list</span>
<span style="color: #f8f8f2">Reader</span> <span style="color: #f8f8f2">...........</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">Yubico</span> <span style="color: #f8f8f2">Yubikey</span> <span style="color: #ae81ff">4</span> <span style="color: #f8f8f2">OTP</span> <span style="color: #f8f8f2">U2F</span> <span style="color: #f8f8f2">CCID</span> <span style="color: #ae81ff">00</span> <span style="color: #ae81ff">00</span>
<span style="color: #f8f8f2">Application</span> <span style="color: #f8f8f2">ID</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">D2760001240102010006076003030000</span>
<span style="color: #f8f8f2">Version</span> <span style="color: #f8f8f2">..........</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">2.1</span>
<span style="color: #f8f8f2">Manufacturer</span> <span style="color: #f8f8f2">.....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">Yubico</span>
<span style="color: #f8f8f2">Serial</span> <span style="color: #f8f8f2">number</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">07600303</span>
<span style="color: #f8f8f2">Name</span> <span style="color: #f8f8f2">of</span> <span style="color: #f8f8f2">cardholder:</span> <span style="color: #f8f8f2">Clement</span> <span style="color: #f8f8f2">Hertling</span>
<span style="color: #f8f8f2">Language</span> <span style="color: #f8f8f2">prefs</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">en</span>
<span style="color: #f8f8f2">Sex</span> <span style="color: #f8f8f2">..............</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">male</span>
<span style="color: #f8f8f2">URL</span> <span style="color: #f8f8f2">of</span> <span style="color: #f8f8f2">public</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">:</span> <span style="color: #f8f8f2">https:</span><span style="color: #75715e">//pub.wxcafe.net/wxcafe.asc</span>
<span style="color: #f8f8f2">Login</span> <span style="color: #f8f8f2">data</span> <span style="color: #f8f8f2">.......</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">wxcafe</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">not</span> <span style="color: #f8f8f2">forced</span>
<span style="color: #f8f8f2">Key</span> <span style="color: #f8f8f2">attributes</span> <span style="color: #f8f8f2">...</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">rsa2048</span> <span style="color: #f8f8f2">rsa2048</span> <span style="color: #f8f8f2">rsa2048</span>
<span style="color: #f8f8f2">Max.</span> <span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">lengths</span> <span style="color: #f8f8f2">.</span><span style="color: #f92672">:</span> <span style="color: #ae81ff">127</span> <span style="color: #ae81ff">127</span> <span style="color: #ae81ff">127</span>
<span style="color: #f8f8f2">PIN</span> <span style="color: #f8f8f2">retry</span> <span style="color: #f8f8f2">counter</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">3</span> <span style="color: #ae81ff">0</span> <span style="color: #ae81ff">3</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">counter</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">0</span>
<span style="color: #f8f8f2">Signature</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">Encryption</span> <span style="color: #f8f8f2">key....</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">Authentication</span> <span style="color: #f8f8f2">key:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">General</span> <span style="color: #f8f8f2">key</span> <span style="color: #f8f8f2">info..</span><span style="color: #f92672">:</span> <span style="color: #f8f8f2">[none]</span>
<span style="color: #f8f8f2">gpg</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">card</span><span style="color: #f92672">></span> <span style="color: #f92672">%</span>
</pre></div>
<p>The default PINs are <code>123456</code> for the user PIN and <code>12345678</code> for the
admin PIN. Change both, as above (admin PIN first, since it’s what gets you out
of trouble). The <code>PIN retry counter : 3 0 3</code> line shows the retry counters for
the user PIN, the reset code (0 because none is set) and the admin PIN: three
wrong user PINs block the card until you unblock it with the admin PIN, and
three wrong admin PINs lock the OpenPGP applet for good, leaving a factory reset
(which wipes the keys) as the only way out.</p>
<p>Do take caution to export the private keys for safekeeping <em>BEFORE</em> moving them
to the yubikey: the gpg <code>keytocard</code> command <em>MOVES</em> the keys, and once you
<code>save</code> the edit-key session <em>the private keys on disk are replaced by stubs
pointing at the card and are no longer available to back up</em>. (Backups are
easily done with <code>gpg --armor --export-secret-keys <KeyID> > out.asc</code> and <code>gpg
--armor --export-secret-subkeys <KeyID> > subkeys_out.asc</code>. You obviously need
to save these to a secure, offline location, and you need to run them before
<code>keytocard</code>, otherwise the export only contains stubs.) The same behavior is
what lets you put the same subkeys on a second yubikey: run <code>keytocard</code>,
<code>quit</code> <em>without</em> saving, repeat with the other card, and only <code>save</code> at
the very end.</p>
<p>Now that we’ve prepped the card, we’re gonna move the keys over to it. We’re
gonna move only the subkeys over, and since we’re gonna need to use the yubikey
for everything we’ll have an Encryption subkey, a Signing subkey and an
Authentication subkey. The card status above reports <code>rsa2048</code> key attributes
for the three slots, but the Yubikey 4 accepts 4096-bit RSA keys, and gpg 2.1
and later updates the slot attribute itself when a bigger key is moved over.</p>
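<p>To check the result of the move (primary key not on this machine, one signing,
one encryption and one authentication subkey each living on the card), here is
an added example, my own code and not the post’s, that parses gpg’s
machine-readable listing. It assumes the record layout documented in GnuPG’s
<code>doc/DETAILS</code> for <code>sec</code>/<code>ssb</code> records (field 12 = the key’s own
capabilities, field 15 = the token serial, empty for a key on disk, <code>#</code> for a
stub). The two sample listings are constructed for the example, reusing the key
IDs shown in the post; the timestamps, the fingerprint lines and the exact form
of the card serial are assumptions.</p>

```python
"""Audit where gpg keeps each secret (sub)key: on disk, as a bare stub, or on a card.

Added example (not the post's own code). It parses the machine-readable output of
    gpg --with-colons --list-secret-keys <KeyID>
Assumed layout, per GnuPG doc/DETAILS: on "sec"/"ssb" records field 12 holds the
key's own capabilities in lowercase (s/e/a/c) and field 15 holds the token serial:
empty when the secret key is on disk, "#" for a stub with no secret key, or the
card's serial string when the key lives on a smartcard.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass
class SecretKey:
    kind: str       # "sec" = primary key, "ssb" = subkey
    keyid: str      # long key ID (field 5)
    bits: int       # key length (field 3)
    caps: str       # this key's own capabilities, e.g. "s", "e", "a", "sc"
    location: str   # "disk", "stub", or "card:<serial>"


def parse_secret_listing(text: str) -> list[SecretKey]:
    """Extract sec/ssb records; fpr, grp and uid records are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        token = f[14]
        if token == "":
            location = "disk"
        elif token == "#":
            location = "stub"
        else:
            location = f"card:{token}"
        caps = "".join(c for c in f[11] if c.islower())
        keys.append(SecretKey(f[0], f[4], int(f[2]), caps, location))
    return keys


def audit_card_setup(keys: list[SecretKey]) -> list[str]:
    """Return the problems with a 'subkeys on the card, primary offline' setup.

    An empty list means: the primary secret key is not on this machine, and a
    signing, an encryption and an authentication subkey each live on a card.
    """
    problems = []
    for k in keys:
        if k.kind == "sec" and k.location != "stub":
            problems.append(
                f"primary key {k.keyid} secret is still on this machine "
                f"({k.location}); keep it in the offline backup only")
    on_card = set()
    for k in keys:
        if k.kind == "ssb" and k.location.startswith("card:"):
            on_card.update(k.caps)
    for cap, name in (("s", "signing"), ("e", "encryption"), ("a", "authentication")):
        if cap not in on_card:
            problems.append(f"no {name} subkey is on the card")
    return problems


def live_listing(keyid: str) -> str:
    """Fetch the listing from the local gpg (needs gpg and the key in the keyring)."""
    return subprocess.run(
        ["gpg", "--with-colons", "--list-secret-keys", keyid],
        capture_output=True, text=True, check=True).stdout


# Constructed sample listings (key IDs are the ones shown in the post; timestamps,
# fingerprints and the card serial form are made up for the example).
# Before keytocard: every secret key is on disk (field 15 empty).
SAMPLE_BEFORE = """\
sec:u:4096:1:58DD226B3EA71DC7:1483031297:1560873600::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000058DD226B3EA71DC7:
uid:u::::1530316800::0000000000000000000000000000000000000000::Wxcafe::::::::::0:
ssb:u:4096:1:11E99643DEE9E336:1530316800:1561852800:::::s::::::23:
ssb:u:4096:1:E00F13324D0D1703:1530316800:1561852800:::::e::::::23:
ssb:u:4096:1:FD92FB8BD73D1D70:1530316800:1561852800:::::a::::::23:
"""

# After keytocard + save on the everyday machine, with the primary key removed
# locally: the primary is a stub ("#"), the subkeys point at the card's serial
# (assumed here to be the OpenPGP application ID shown in the card status).
CARD = "D2760001240102010006076003030000"
SAMPLE_AFTER = f"""\
sec:u:4096:1:58DD226B3EA71DC7:1483031297:1560873600::u:::scESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000058DD226B3EA71DC7:
uid:u::::1530316800::0000000000000000000000000000000000000000::Wxcafe::::::::::0:
ssb:u:4096:1:11E99643DEE9E336:1530316800:1561852800:::::s:::{CARD}:::23:
ssb:u:4096:1:E00F13324D0D1703:1530316800:1561852800:::::e:::{CARD}:::23:
ssb:u:4096:1:FD92FB8BD73D1D70:1530316800:1561852800:::::a:::{CARD}:::23:
"""


if __name__ == "__main__":
    import sys
    # With a key ID argument, audit the real keyring; otherwise audit the sample.
    text = live_listing(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AFTER
    for problem in audit_card_setup(parse_secret_listing(text)) or ["setup looks right"]:
        print(problem)
```

<p>Run it as <code>python3 check_card.py 58DD226B3EA71DC7</code> (your own key ID) on the
everyday machine after <code>keytocard</code> and <code>save</code>: any line of output means
a secret is still sitting on disk or a capability is missing from the card. Run
it before the move too, when the expected output is the opposite (everything on
disk), to confirm your backup export happened while the real key material was
still there.</p>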
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ gpg --edit-key wxcafe@wxcafe.net
gpg <span style="color: #f92672">(</span>GnuPG<span style="color: #f92672">)</span> <span style="color: #ae81ff">2</span>.2.7<span style="color: #f8f8f2">;</span> Copyright <span style="color: #f92672">(</span>C<span style="color: #f92672">)</span> <span style="color: #ae81ff">2018</span> Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">1</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> keytocard
Please <span style="color: #66d9ef">select</span> where to store the key:
<span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span> Signature key
<span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Authentication key
Your selection? <span style="color: #ae81ff">1</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">1</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">2</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb* rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> keytocard
Please <span style="color: #66d9ef">select</span> where to store the key:
<span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Encryption key
Your selection? <span style="color: #ae81ff">2</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb* rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">2</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">3</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb* rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> keytocard
Please <span style="color: #66d9ef">select</span> where to store the key:
<span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Authentication key
Your selection? <span style="color: #ae81ff">3</span>
sec rsa4096/58DD226B3EA71DC7
created: <span style="color: #ae81ff">2016</span>-12-29 expires: <span style="color: #ae81ff">2019</span>-06-18 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/11E99643DEE9E336
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: S
ssb rsa4096/E00F13324D0D1703
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: E
ssb* rsa4096/FD92FB8BD73D1D70
created: <span style="color: #ae81ff">2018</span>-06-29 expires: <span style="color: #ae81ff">2019</span>-06-29 usage: A
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">1</span><span style="color: #f92672">)</span>. Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">2</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">3</span><span style="color: #f92672">)</span> Wxcafé <wxcafe@wxcafe.net>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">4</span><span style="color: #f92672">)</span> Wxcafé <🖕@fu.cking.network>
<span style="color: #f92672">[</span>ultimate<span style="color: #f92672">]</span> <span style="color: #f92672">(</span><span style="color: #ae81ff">5</span><span style="color: #f92672">)</span> <span style="color: #f92672">[</span>jpeg image of size <span style="color: #ae81ff">22243</span><span style="color: #f92672">]</span>
gpg> key <span style="color: #ae81ff">3</span>
gpg> save
</pre></div>
<p>Now that this is done, <code>gpg --card-status</code> should show us this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006076003030000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 07600303
Name of cardholder: Clement Hertling
Language prefs ...: en
Sex ..............: male
URL of public key : https://pub.wxcafe.net/wxcafe.asc
Login data .......: wxcafe
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 752F 1ED2 D038 BCB6 F09C A942 11E9 9643 DEE9 E336
created ....: 2018-06-29 22:27:20
Encryption key....: 37B4 4050 8744 344C 0975 2656 E00F 1332 4D0D 1703
created ....: 2018-06-29 22:28:22
Authentication key: 775D 1613 1B3F FEE7 843F D3BC FD92 FB8B D73D 1D70
created ....: 2018-06-29 22:29:29
General key info..: sub rsa4096/11E99643DEE9E336 2018-06-29 Wxcafé <wxcafe@wxcafe.net>
sec# rsa4096/58DD226B3EA71DC7 created: 2016-12-29 expires: 2019-06-18
ssb> rsa4096/11E99643DEE9E336 created: 2018-06-29 expires: 2019-06-29
card-no: 0006 07600303
ssb> rsa4096/E00F13324D0D1703 created: 2018-06-29 expires: 2019-06-29
card-no: 0006 07600303
ssb> rsa4096/FD92FB8BD73D1D70 created: 2018-06-29 expires: 2019-06-29
card-no: 0006 07600303
</pre></div>
<p>To actually use the keys we just copied over, we need to install a smartcard
daemon (<code>apt install scdaemon</code>) and authorize our user to access the device. For that we
write a udev rule in <code>/etc/udev/rules.d/70-yubikey.rules</code> (the name has to end in
<code>.rules</code>, udev ignores anything else in that directory) with the contents of
https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules, then reload the
rules (<code>udevadm control --reload-rules</code>) and replug the key.</p>
<p>Now we should be able to use the yubikey to sign and encrypt whatever we want!
We can test this by doing <code>touch test; gpg -a --sign test</code>, which should prompt us
for the yubikey PIN and then create the <code>test.asc</code> file; <code>gpg --verify test.asc</code>
should then report a good signature made with the signing subkey.</p>
<p>We can still run <code>gpg --export-secret-keys <key-id></code>, and while it looks like it
works (because GPG’s output is undecipherable and its UX is the worst thing
I’ve ever seen), what it actually outputs now are “stubs”: placeholders that tell a system
that the real keys live on the card. There is no point backing those up; for a while now,
running <code>gpg --card-status</code> with the card plugged in recreates them automatically on
any machine that has the public key imported.</p>
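<p>A check worth running at this point, before trusting the laptop again: parse
<code>gpg --list-secret-keys --with-colons</code> and <code>gpg --card-status</code> and assert that the
primary key is absent, that every subkey is a stub pointing at a card serial number, and that
the card’s three slots hold exactly the subkey fingerprints the keyring expects. This is an
added example, not code from the original post; the function names are mine, and it runs its
assertions on constructed copies of the two outputs (key IDs, card serial and subkey
fingerprints taken from the card-status above, the primary key fingerprint and the timestamps
made up). Passing <code>--live <KeyID></code> runs it against the real keyring and card.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: after `keytocard` + `save`,
# confirm that no private key material is left in ~/.gnupg and that the card
# holds exactly the subkeys the keyring points at.
#
# Relies on two GnuPG output formats:
#  - `gpg --list-secret-keys --with-colons`: field 15 of a sec/ssb record is
#    "#" for a secret key that is absent from this machine (our offline primary),
#    the card's serial number for a stub pointing at that card, and "+" when the
#    private key is still stored in private-keys-v1.d;
#  - `gpg --card-status`: one "<Slot> key ...: <fingerprint>" line per slot.
#
# The sample inputs are constructed for the test. Key IDs, card serial and
# subkey fingerprints are the ones from the card-status above; the primary
# key fingerprint, the uid hash and the timestamps are made up.

SAMPLE_SECRETS='sec:u:4096:1:58DD226B3EA71DC7:1483000000:1560800000::u:::scESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456758DD226B3EA71DC7:
uid:u::::1483000000::0123456789ABCDEF0123456789ABCDEF01234567::Wxcafé::::::::::0:
ssb:u:4096:1:11E99643DEE9E336:1530311240:1561847240:::::s:::D2760001240102010006076003030000:::23:
fpr:::::::::752F1ED2D038BCB6F09CA94211E99643DEE9E336:
ssb:u:4096:1:E00F13324D0D1703:1530311302:1561847302:::::e:::D2760001240102010006076003030000:::23:
fpr:::::::::37B440508744344C09752656E00F13324D0D1703:
ssb:u:4096:1:FD92FB8BD73D1D70:1530311369:1561847369:::::a:::D2760001240102010006076003030000:::23:
fpr:::::::::775D16131B3FFEE7843FD3BCFD92FB8BD73D1D70:'

# Same keyring, but the encryption subkey was never moved: "+" in field 15.
SAMPLE_LEAKY=$(printf '%s\n' "$SAMPLE_SECRETS" | sed 's/:e:::D2760001240102010006076003030000:/:e:::+:/')

SAMPLE_CARD='Signature key ....: 752F 1ED2 D038 BCB6 F09C A942 11E9 9643 DEE9 E336
      created ....: 2018-06-29 22:27:20
Encryption key....: 37B4 4050 8744 344C 0975 2656 E00F 1332 4D0D 1703
      created ....: 2018-06-29 22:28:22
Authentication key: 775D 1613 1B3F FEE7 843F D3BC FD92 FB8B D73D 1D70
      created ....: 2018-06-29 22:29:29'

# "<sec|ssb> <keyid> <where>" per secret key; <where> is "#", "+" or a card serial.
secret_key_locations() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print $1, $5, ($15 == "" ? "-" : $15) }'
}

# Succeed only if the primary is offline and every subkey is a stub for a card.
check_offloaded() {
    secret_key_locations | awk '
        $1 == "sec" && $3 != "#"                              { bad++; print "primary key still on disk: " $2 }
        $1 == "ssb" && ($3 == "#" || $3 == "+" || $3 == "-")  { bad++; print "subkey not on a card: " $2 }
        END { exit (bad ? 1 : 0) }'
}

# Fingerprints of the subkeys in the keyring (the fpr record following each ssb).
keyring_subkey_fprs() {
    awk -F: '$1 == "ssb" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }' | sort
}

# Fingerprints the card reports in its three key slots, spaces removed.
card_slot_fprs() {
    awk -F': ' '/^(Signature|Encryption|Authentication) key/ { gsub(/ /, "", $2); print $2 }' | sort
}

# Succeed only if the card holds exactly the subkeys the keyring points at.
card_matches_keyring() {   # $1 = colon listing, $2 = card-status output
    [ "$(printf '%s\n' "$1" | keyring_subkey_fprs)" = "$(printf '%s\n' "$2" | card_slot_fprs)" ]
}

# Live use: ./check-card.sh --live <KeyID>  (needs gpg and the inserted card).
if [ "${1:-}" = "--live" ]; then
    keyid=${2:?usage: $0 --live <KeyID>}
    listing=$(gpg --list-secret-keys --with-colons "$keyid")
    printf '%s\n' "$listing" | check_offloaded \
        && card_matches_keyring "$listing" "$(gpg --card-status)" \
        && echo "OK: primary offline, all subkeys on the card"
fi
```

<p>Both checks fail loudly on the most common mistake, quitting <code>--edit-key</code> without
<code>save</code>, which leaves the subkey on the card <em>and</em> on disk (a <code>+</code> in the
listing); the fingerprint comparison also catches the case where an old or wrong card is
plugged in.</p>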
<p>Now we want to use our gpg authentication key with SSH, to log in to our
servers. To do that, we need to tell gpg-agent to act as an ssh-agent, by adding
a single line to its configuration: <code>echo 'enable-ssh-support' >>
~/.gnupg/gpg-agent.conf</code>. Then we restart gpg-agent (<code>gpgconf --kill gpg-agent</code>; it is
started again on demand). Then, we need to tell ssh to use gpg-agent’s socket as its agent. We do this by
adding a small snippet to our <code>$shrc</code> (for me, <code>~/.zshrc</code>):</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">## use gpg agent as ssh agent</span>
<span style="color: #66d9ef">if</span> which gpgconf <span style="color: #ae81ff">2</span>><span style="color: #f8f8f2">&</span><span style="color: #ae81ff">1</span> >>/dev/null <span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">then</span>
<span style="color: #f8f8f2">unset</span> SSH_AGENT_PID
<span style="color: #66d9ef">if</span> <span style="color: #f92672">[</span> <span style="color: #e6db74">"${</span><span style="color: #f8f8f2">gnupg_SSH_AUTH_SOCK_by</span><span style="color: #66d9ef">:-</span><span style="color: #f8f8f2">0</span><span style="color: #e6db74">}"</span> -ne <span style="color: #f8f8f2">$$</span> <span style="color: #f92672">]</span><span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">then</span>
<span style="color: #f8f8f2">export</span> <span style="color: #f8f8f2">SSH_AUTH_SOCK</span><span style="color: #f92672">=</span><span style="color: #e6db74">"</span><span style="color: #66d9ef">$(</span>gpgconf --list-dirs agent-ssh-socket<span style="color: #66d9ef">)</span><span style="color: #e6db74">"</span>
<span style="color: #66d9ef">fi</span>
<span style="color: #66d9ef">fi</span>
</pre></div>
<p>Unplug the key, plug it back in, run <code>gpg --card-status</code>,
then <code>ssh-add -L</code> should show you a public key that ends with
<code>cardno:xxxxxxxxxxxx</code>. That means it’s done, you can now add this public key to
<code>.ssh/authorized_keys</code> on your remote systems and you should be able to log in
with that key.</p>
<p>Oh, and, side note. <code>gpg-agent</code> won’t actually forget your keys when you
<code>ssh-add -D</code>, which is fucking bullshit, but in the meantime the solution is to run
<code>gpg-connect-agent</code>, then <code>KEYINFO --ssh-list --ssh-fpr</code> to list the keys it
offers over SSH, and then <code>DELETE_KEY <KEYGRIP></code> for the one you want gone. The
40-hex-character value right after <code>KEYINFO</code> on each line is the keygrip, and that is what
<code>DELETE_KEY</code> takes; the SSH fingerprint further along the line is only there to match
against <code>ssh-add -l</code>. Quit by saying <code>/bye</code>. For a key that lives on the card this
only removes the local stub, which the next <code>gpg --card-status</code> recreates; for a key that is
not on a card, the gentler option is to delete its keygrip line from
<code>~/.gnupg/sshcontrol</code>, which stops gpg-agent offering it to SSH without deleting the key.</p>
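<p>Because the keygrip and the fingerprint are easy to mix up, here is the lookup done
mechanically: parse the <code>KEYINFO --ssh-list --ssh-fpr</code> answer, find the line whose
fingerprint matches the one <code>ssh-add -l</code> printed, and build the <code>DELETE_KEY</code>
command from its keygrip, refusing anything that is not a card stub. This is an added example,
not code from the original post; the function names are mine and the sample answer is
constructed (keygrips, serial and fingerprints are made up; the fingerprint format follows
whatever algorithm <code>--ssh-fpr</code> uses, so compare with <code>ssh-add -l -E md5</code> or
<code>-E sha256</code> accordingly).</p>

```shell
#!/bin/sh
# Added example, not part of the original post: turn the fingerprint that
# `ssh-add -l` shows into the keygrip that gpg-agent's DELETE_KEY expects, and
# refuse to delete anything that is not a card stub.
#
# `gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye` answers one line per
# key it offers over the SSH agent protocol, laid out as
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# <type> is T for a shadow key whose private part lives on a card, D for a key
# stored in ~/.gnupg/private-keys-v1.d. DELETE_KEY takes the keygrip (field 3),
# not the fingerprint; the fingerprint only serves to match ssh-add's output.
#
# The sample below is constructed: keygrips, serial and fingerprints are made up.
SAMPLE_KEYINFO='S KEYINFO 6F4A0D8E3C2B1A0F9E8D7C6B5A4F3E2D1C0B9A88 T D2760001240102010006076003030000 OPENPGP.3 - - SHA256:CARDKEYFPR - -
S KEYINFO 0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D D - - 1 P SHA256:DISKKEYFPR - -
OK'

# "<keygrip> <type> <fpr>" for every key gpg-agent offers to ssh; KEYINFO output on stdin.
ssh_keys_from_keyinfo() {
    awk '$1 == "S" && $2 == "KEYINFO" { print $3, $4, $9 }'
}

# Keygrip for one SSH fingerprint; prints nothing and fails if it is not offered.
keygrip_for_ssh_fpr() {   # $1 = fingerprint
    grip=$(ssh_keys_from_keyinfo | awk -v fpr="$1" '$3 == fpr { print $1; exit }')
    [ -n "$grip" ] && printf '%s\n' "$grip"
}

# The assuan command that makes gpg-agent forget the key behind a fingerprint.
# Only card stubs (type T) are touched: --stub-only makes the agent itself refuse
# real keys, and a deleted stub comes back with the next `gpg --card-status`, so
# the key on the card is never at risk. Exit 1 if unknown, 2 if it is an on-disk key.
forget_command() {   # $1 = fingerprint
    ssh_keys_from_keyinfo | awk -v fpr="$1" '
        $3 == fpr && $2 == "T" { print "DELETE_KEY --stub-only " $1; found = 1; exit 0 }
        $3 == fpr              { print "refusing: " $1 " is not a card stub" > "/dev/stderr"; found = 1; exit 2 }
        END { if (!found) exit 1 }'
}

# Live use: ./forget-ssh-key.sh --live SHA256:...   (needs a running gpg-agent).
if [ "${1:-}" = "--live" ]; then
    cmd=$(gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr' /bye | forget_command "${2:?fingerprint}") \
        && gpg-connect-agent "$cmd" /bye
fi
```

<p>The refusal path matters more than the happy path: <code>DELETE_KEY</code> without
<code>--stub-only</code> on a type <code>D</code> entry deletes the only copy of a secret key that
is not on any card, and gpg-agent only asks for confirmation if a pinentry is available.</p>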
<hr>
<h3>X.509 key and certificate storage</h3>
<p>Now for the X.509 storage, this is a bit easier. You will need to make a PKCS#12
bundle out of your certificate and associated key (<code>openssl pkcs12 -export -out out.p12
-inkey key.pem -in cert.crt -certfile ca.crt -nodes</code>), and then we can import
it into the yubikey (this will not destroy the .p12 file, nor the key or cert,
because this has a sensible UX, as opposed to gnupg): <code>yubico-piv-tool -s 9c -i
out.p12 -K PKCS12 -a import-key -a import-cert -k</code>. Two caveats: <code>-k</code> prompts for
the PIV management key, and slot 9c is the Digital Signature slot, which asks for the PIN on
every single private-key operation; for a VPN or TLS client certificate the PIV Authentication
slot (<code>-s 9a</code>), which asks once per session, is the conventional choice.
<code>yubico-piv-tool -a status</code> shows what ended up in each slot.</p>
<p>In my case, I was using this with OpenVPN, so I needed to install opensc-pkcs11
(which is a library that allows applications to see certificates from
a smartcard), then to look up under which ID OpenVPN saw my certificate with
<code>openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</code>. After
that, I updated my OpenVPN configuration by replacing the cert and key lines
with</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>pkcs11-id 'piv_II/PKCS\x2315\x20emulated/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
</pre></div>
<p>And then it worked like a charm! What actually stopped me is that I use
networkmanager on my machines since <code>wicd</code> is dead, and it doesn’t support that
kind of config. Of course, wicd would since it can launch arbitrary scripts…
but I’m stuck with NM and so I can’t use this easily, sadly.</p>
<hr>
<h3>Pass</h3>
<p>So, technically <a href="https://www.passwordstore.org/">pass</a> is not related to the
yubikey at all, and doesn’t directly interact with it. If you haven’t heard
about it, it’s a simple password manager for unix written in bash by
<a href="https://www.zx2c4.com/">zx2c4</a>. <em>But</em> it uses GPG as an encryption mechanism,
and since I was moving towards using GPG to authenticate SSH connections,
I thought I might as well start using pass with the yubikey. So, here goes.</p>
<p>Pass is a very simple password manager, so simple that all it does is keep your
passwords for you and output them when you ask nicely. It’s installed on
basically all systems with the package manager (in my case, <code>apt install pass</code>),
and then it’s a matter of <code>pass init <keyid></code> to initialize the folder with the
specified gpg key id, <code>pass git init</code> and <code>pass git remote add origin <remote></code>
to use git to store the passwords (that’s optional, but it’s so much better it’d
be dumb not to do it…). Then you can add a password with <code>pass insert <path></code>,
or generate one with <code>pass generate <path> <length></code>. Don’t forget to <code>pass git
push</code> (it’ll commit automatically if it’s in git).</p>
<p>To see all the passwords you have in pass, use <code>pass ls</code>, and to read a specific
password use <code>pass <path></code>. The problem with that is that the password is
written to stdout, and we don’t really want to a) have people able to snoop the
password, nor b) open a terminal and copy-paste every time we want to get
a password. That’s where passmenu comes in! It’s a simple script included with
pass (at least it is in debian) in
<code>/usr/share/doc/pass/examples/dmenu/passmenu</code>, and it relies on dmenu to show
you all of your passwords. From there, you can type a few letters and select
which password you want, and once you confirm your selection it will copy it
into your clipboard, ready for you to paste into any password field. There are
extensions to have it support TOTP and other stuff too, but as previously I’m
not too comfortable with putting all my eggs in the same basket.</p>
<p>So yeah, move all your passwords to pass and make them as complex as possible!
When you get to a new machine you can simply <code>git clone <repo> ~/.password-store</code>
and <code>apt install pass</code> and you’re all set! Don’t lose your GPG key though, or
you’re <strong><em>SCREWED</em></strong>.</p>
<p>Don’t lose it. Ever. Print it out and put it in the bank. Whatever. But don’t
lose it.</p>
<p>Anyway, that was it! I’m seriously happy with how this solution works for me,
and how secure it is without sacrificing much towards usability, even improving
it in most cases.</p>
<p>(P.S.: I don’t get anything by saying this, but my employer (gandi) has
a partnership thing in place with yubico, such that if you login on <a href="https://www.yubico.com/solutions/gandi/">this
page</a> with a gandi account, you get 20%
off your yubikey. You don’t even need to buy anything with gandi afaik, only to
have an account)</p>
<hr>
<h1>(Neo)mutt fuckery with multipart messages</h1>
<p><em>2018-07-03</em></p>
<p>I’ve been using Mutt, and then Neomutt, as an email client on my laptops for
a while (I generally use Evolution on my desktop, because it runs on GNOME,
while the laptops run on i3wm). Today while talking with colleagues who also use
a TUI, text-only email client, we realized we had one shared pain about this,
which was receiving multipart emails where the text/plain part was either the
HTML source of the text/html part or a single line saying “This email has no
plain text version, refer to the HTML version” (If you don’t know how multipart
emails and MIME work, <a href="https://en.wikipedia.org/wiki/MIME#Multipart_messages">wikipedia has a good
primer</a>).</p>
<p>We thought it might be fun as retaliation to send multipart emails, with the
text/html part saying “This email has no HTML version, please refer to the plain
text”. An hour and a few curses at mutt’s documentation later, I’d come up with
this solution:</p>
<p>First, create the HTML document:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"><!DOCTYPE html></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">html</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">head</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">meta</span> <span style="color: #a6e22e">charset</span><span style="color: #f92672">=</span><span style="color: #e6db74">"utf-8"</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">meta</span> <span style="color: #a6e22e">name</span><span style="color: #f92672">=</span><span style="color: #e6db74">"viewport"</span> <span style="color: #a6e22e">content</span><span style="color: #f92672">=</span><span style="color: #e6db74">"width=device-width, initial-scale=1"</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">style</span> <span style="color: #a6e22e">type</span><span style="color: #f92672">=</span><span style="color: #e6db74">"text/css"</span><span style="color: #f8f8f2">></span> <span style="color: #f92672">body</span> <span style="color: #f8f8f2">{</span> <span style="color: #66d9ef">margin</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">40</span><span style="color: #66d9ef">px</span> <span style="color: #66d9ef">auto</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">max-width</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">650</span><span style="color: #66d9ef">px</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">line-height</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">1.6</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">font-size</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">18</span><span style="color: #66d9ef">px</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">color</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">#444</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">padding</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">0</span> <span style="color: #ae81ff">10</span><span style="color: #66d9ef">px</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f92672">h1,h2,h3</span> <span style="color: #f8f8f2">{</span> <span style="color: #66d9ef">line-height</span> <span style="color: #f8f8f2">:</span> <span style="color: #ae81ff">1.2</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2"></</span><span style="color: #f92672">style</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"></</span><span style="color: #f92672">head</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">body</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"><</span><span style="color: #f92672">h1</span><span style="color: #f8f8f2">></span>
Sorry, this email is not available in HTML<span style="color: #f8f8f2"><</span><span style="color: #f92672">br</span><span style="color: #f8f8f2">/></span>
Please refer to the plain text version!
<span style="color: #f8f8f2"></</span><span style="color: #f92672">h1</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"></</span><span style="color: #f92672">body</span><span style="color: #f8f8f2">></span>
<span style="color: #f8f8f2"></</span><span style="color: #f92672">html</span><span style="color: #f8f8f2">></span>
</pre></div>
<p>and put it in <code>~/.mutt/multipart.html</code></p>
<p>Then we simply need to add to our .muttrc this line:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>send-hook ~A "push 'a~/.mutt/multipart.html<enter>'\CDkTT&"
</pre></div>
<p>This is a send-hook that will match any outgoing email, add the HTML file as an
attachment, then tag it as inline, tag both parts of the message and merge them
into a multipart/alternative message (the <code>&</code> command only exists in fairly recent (May
2, 2018) versions of neomutt).</p>
<p>You can now do anything you’d normally do with the email: add further
attachments, PGP sign it (or not), add CCs, whatever. When you send the email,
it will be sent as a multipart/alternative message with the HTML document we set
up earlier as the text/html part and your message as the text/plain part, and
basically every graphical client will only display the HTML version.</p>
<hr>
<h3>Sample fuckery:</h3>
<p><img alt="example of the same email message opened in mutt and
Evolution" src="https://pub.wxcafe.net/img/mutt-fuckery.png"></p>
<hr>
<p>P.S.: I know I shouldn’t have to say this but please don’t actually use this to
annoy people who use graphical email clients. We’re the weird ones, basically
everyone uses a graphical email client, and they’re clearly the standard now,
plus it’s clearly a dick move to do this. Please refrain. Thank you for your
understanding ❤️</p>
<h1>PoC||GTFO 0x18</h1>
<p>2018-06-25T19:24:00+02:00, by Wxcafé (tag:wxcafe.net,2018-06-25:/posts/poc||gtfo_0x18/)</p>
<p>So PoC||GTFO 0x18 was released in PDF today. Contrary to issue 0x17, and like
all previous issues, I wasn’t able to get it in paper form, but I still got the
PDF (and haven’t had time to read it yet!!). In a flagrant example of
bikeshedding, I’ve used the opportunity to update my
<a href="https://wxcafe.net/pub/PoC||GTFO/">mirror</a> to look nicer than an nginx file
index.</p>
<p>This page is made by running the command on top:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">echo</span> <span style="color: #e6db74">"SHA256 \</span>
<span style="color: #e6db74">MD5 File"</span><span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">for</span> f in *.pdf<span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">do</span>
<span style="color: #f8f8f2">echo</span> <span style="color: #66d9ef">$(</span>sha256sum <span style="color: #f8f8f2">$f</span> <span style="color: #f8f8f2">|</span> cut -d <span style="color: #e6db74">' '</span> -f <span style="color: #ae81ff">1</span><span style="color: #66d9ef">)</span> <span style="color: #66d9ef">$(</span>md5sum <span style="color: #f8f8f2">$f</span> <span style="color: #f8f8f2">|</span> cut -d <span style="color: #e6db74">' '</span> -f <span style="color: #ae81ff">1</span><span style="color: #66d9ef">)</span> <span style="color: #f8f8f2">$f</span>
<span style="color: #66d9ef">done</span>
</pre></div>
<p>which uses a very ugly hack to get titles on top of the columns (but who cares
really? I do, please tell me if you have something better), then pasting the
whole thing in <code>vim</code> and using its <code>:TOhtml</code> tool to make an HTML page out of
it. I then run a simple <code>:%s/</code> command to turn the PDF names into links:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>:%s@\(pocorgtfo.*\)@<span style="color: #f92672"><a</span> <span style="color: #a6e22e">href=</span><span style="color: #e6db74">"https://wxcafe.net/pub/PoC||GTFO/\1"</span><span style="color: #f92672">></span>\1<span style="color: #f92672"></a></span>@g
</pre></div>
<p>and add <code>font-size: 16px</code> to the style block because I’m starting to have
trouble reading small text… and voilà! A perfect index.html file for my
PoC||GTFO mirror.</p>
<p>Anyways, I have a 64-page zine to run and it looks really good… Seeya!</p>
<h3>Update 2018-06-25T22:19+02:00:</h3>
<p>I have now automated this whole task. Here’s the script:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">#!/bin/bash</span>
<span style="color: #75715e"># Banner showing the command that builds the index. Inside the single-quoted string,</span>
<span style="color: #75715e"># '\'' closes the quote, emits a literal ' and reopens it, so the inner ' ' survives</span>
<span style="color: #75715e"># (a bare ' ' would end the string and echo would drop the quotes).</span>
<span style="color: #f8f8f2">echo</span> <span style="color: #e6db74">'[wxcafe@yoshi] /srv/pub/mirror/PoC||GTFO $ echo "SHA256 MD5 File"; for f in *.pdf; do</span>
<span style="color: #e6db74">echo $(sha256sum $f | cut -d '\'' '\'' -f 1) $(md5sum $f | cut -d '\'' '\'' -f 1) $f</span>
<span style="color: #e6db74">done'</span> > index
<span style="color: #f8f8f2">echo</span> <span style="color: #e6db74">"SHA256 MD5 File"</span> >> index
<span style="color: #66d9ef">for</span> f in *.pdf<span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">do</span>
<span style="color: #f8f8f2">echo</span> <span style="color: #66d9ef">$(</span>sha256sum <span style="color: #f8f8f2">$f</span> <span style="color: #f8f8f2">|</span> cut -d <span style="color: #e6db74">' '</span> -f <span style="color: #ae81ff">1</span><span style="color: #66d9ef">)</span> <span style="color: #66d9ef">$(</span>md5sum <span style="color: #f8f8f2">$f</span> <span style="color: #f8f8f2">|</span> cut -d <span style="color: #e6db74">' '</span> -f <span style="color: #ae81ff">1</span><span style="color: #66d9ef">)</span> <span style="color: #f8f8f2">$f</span> >> index
<span style="color: #66d9ef">done</span>
vim -c <span style="color: #e6db74">'set ft=sh'</span> -c TOhtml -c <span style="color: #e6db74">"w index.html | qall!"</span> index <span style="color: #f8f8f2">&</span>> /dev/null
sed -i <span style="color: #e6db74">'s/\(pocorgtfo.*\)/<a href="https:\/\/wxcafe.net\/pub\/PoC||GTFO\/\1">\1<\/a>/g'</span> index.html
sed -i <span style="color: #e6db74">'s/\(body {\)\(.*\)/\1font-size: 16px; \2/'</span> index.html
</pre></div>
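<p>The consumer side of that index, as an added example (not the post’s own script): a POSIX sh check that recomputes the digests of a downloaded copy of the mirror and reports, per entry, whether the file matches what the index claims. It assumes GNU coreutils and the “SHA256 MD5 File” layout above; the sample mirror it builds is constructed test data, not real issues.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: check a local copy of the mirror
# against an index in the "SHA256 MD5 File" format the script above writes.
# Assumes GNU coreutils (sha256sum, md5sum); entry lines are "<sha256> <md5> <file>",
# and the banner, header and prompt lines are skipped.

# verify_index INDEX [DIR]
# Prints "OK|FAIL|MISSING <file>" per entry; returns 1 if any entry is not OK.
verify_index() {
    index="$1"; dir="${2:-.}"; rc=0
    while read -r sha md5 file; do
        # Only lines whose first field is a 64-char lowercase hex digest are entries
        case "$sha" in *[!0-9a-f]*) continue ;; esac
        [ "${#sha}" -eq 64 ] && [ -n "$file" ] || continue
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING $file"; rc=1; continue
        fi
        got_sha=$(sha256sum "$dir/$file" | cut -d ' ' -f 1)
        got_md5=$(md5sum "$dir/$file" | cut -d ' ' -f 1)
        # Both digests must match; SHA256 is the real test, MD5 is only a cross-check
        if [ "$got_sha" = "$sha" ] && [ "$got_md5" = "$md5" ]; then
            echo "OK $file"
        else
            echo "FAIL $file"; rc=1
        fi
    done < "$index"
    return "$rc"
}

# make_sample_mirror DIR: constructed test data, two fake PDFs plus an index whose
# second entry carries a wrong SHA256 (tampered or truncated download) and whose
# third entry names a file that was never downloaded.
make_sample_mirror() {
    dir="$1"
    mkdir -p "$dir"
    printf '%%PDF-1.4 constructed sample A\n' > "$dir/pocorgtfo17.pdf"
    printf '%%PDF-1.4 constructed sample B\n' > "$dir/pocorgtfo18.pdf"
    {
        echo '[user@host] /srv/pub/mirror $ for f in *.pdf; do sha256sum $f; done'
        echo "SHA256 MD5 File"
        echo "$(sha256sum "$dir/pocorgtfo17.pdf" | cut -d ' ' -f 1) $(md5sum "$dir/pocorgtfo17.pdf" | cut -d ' ' -f 1) pocorgtfo17.pdf"
        echo "$(printf '%064d' 0) $(md5sum "$dir/pocorgtfo18.pdf" | cut -d ' ' -f 1) pocorgtfo18.pdf"
        echo "$(printf '%064d' 1) d41d8cd98f00b204e9800998ecf8427e pocorgtfo19.pdf"
    } > "$dir/index"
}

# Demo on the constructed mirror (nothing here touches a real download directory)
demo=$(mktemp -d)
make_sample_mirror "$demo"
if verify_index "$demo/index" "$demo"; then
    echo "all entries verified"
else
    echo "index does not match the files on disk"
fi
rm -rf "$demo"
```

<p>Against a real copy, run <code>verify_index index</code> from the directory holding the downloaded PDFs; the exit status is what a cron job or CI step should act on.</p>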
<h3>Update 2018-06-26T00:42+02:00:</h3>
<p>I went too far…</p>
<p><a href="https://git.wxcafe.net/snippets/17">(Link for those poor souls without js)</a></p>
<h1>Backups... and restores</h1>
<p>2018-05-07T14:17:00+02:00, by Wxcafé (tag:wxcafe.net,2018-05-07:/posts/backups-and-restore/)</p>
<p>So, as you might have noticed if you’re following me on twitter/mastodon, or if
you check your rss reader logs, or if you just happened to check this website in
the last week, my server has been down for about four days last week following
a hardware failure. Here’s what happened.</p>
<p>So, on Monday morning (30th of April), I started seeing hardware errors in dmesg
and broadcast on consoles. I figured that a kernel message about a hardware
failure that was broadcast on all consoles was probably important enough to at
least investigate, and I found out that it was related to the motherboard dying.</p>
<p>I immediately opened a ticket with my hosting provider (Online.net) to ask them
to replace the motherboard. It took them 5 hours to react, and in the meantime
the server had gone down. I pressed them on, the support agent tried to reboot
the machine in rescue mode which obviously didn’t work since the mobo was toast,
and then decided that the machine was lost and <em>gave me a new one</em>. Which meant
that I didn’t have access to my data anymore.</p>
<p>I tried to have them plug the disk of the old machine in the new one, but they
“couldn’t do that on this hardware” (I’ve since checked, and that hardware uses
2.5” SATA drives, which means they’d only have had to unplug the disk from the
old machine and put it in the new one. At the most, four screws might be
involved. But anyway.), so they told me that they were sorry but I’d have to
restore from my backups.</p>
<p>Which, thankfully, I had! Complete backups from that same day, 4:15am. Obviously
the situation would have been much worse otherwise, and I was thankful I had
decided to set up a sensible backup strategy. So I set to work on restoring
these.</p>
<p>My backups are managed via duplicity; I have a setup where the first puppet run
on a server installs some basic backup definitions, and some more targeted
configuration once they’re configured, depending on what they’re used for. This
setup is described at the end of the post, if you’re interested.</p>
<p>Anyway, these are broken up into what duplicity calls “targets”, which are
sets of folders that are backed up with the same rules (frequency, time
before expiration, etc.). The main ones in my setup are <code>homedir</code>, which
includes… my home directory, yes; <code>conf_file</code>, which includes <code>/etc</code>, <code>/var</code>,
<code>/opt</code> and <code>/usr/local</code>; <code>srv_data</code>, which includes <em>most</em> of <code>/srv</code>; and
finally <code>mysql</code> and <code>pgsql</code>, which have a pre-run hook to dump the respective
databases and then back them up.</p>
<p>So, on the evening of the 30th, I started restoring these. After fiddling for
a bit to figure out how duplicity restores work, I started restoring the
<code>homedir</code> target. And that’s when I found out that restoring data from an sftp
server running behind an ADSL connection takes <em>ages</em>, a fact that’s only made
worse by duplicity’s insistence on copying to the remote the signature files
and indexes for <em>all</em> the full backups, not just the latest applicable ones.
In this case, it took about three days.</p>
<p>I managed to restore email first, as that was the most urgent, to avoid having
bounces (most MTAs retry for 3-5 days before giving up on delivery), and then
slowly walked my way back to restoring all of /var (including the cache, which
I had forgotten to exclude from my backups…), and /srv/pub, which holds
https://pub.wxcafe.net and https://wxcafe.net/pub, and which included (among
other things) a few HD movies, some taking over 4GB.</p>
<p>Needless to say, this restore took a long time. I’ve learned a few lessons from
that whole thing, though:</p>
<ul>
<li>never assume the hosting provider is gonna do the right thing,</li>
<li>decide how much downtime you are willing to live with</li>
<li>check your backups regularly and see how fast they restore</li>
<li>define prioritized restoration targets (i.e. website and mail server. That
xmpp server can probably wait.)</li>
<li>don’t stress out too much about this. it’s gonna be okay, and rebuilding can
always work. you’ll find a solution.</li>
</ul>
<p>Anyways, in the end all I lost was a few months of my RSS subscriptions, which,
while annoying, is definitely something I can live with. It worked out alright
in the end.</p>
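<p>The “check your backups regularly and see how fast they restore” and “prioritized restoration targets” lessons as an added restore drill (example code, not the post’s own or the puppet-duplicity module’s): it restores the profiles the Puppet class below defines into a scratch directory in priority order, times each one, and flags restores that fail, come back empty, or exceed the downtime budget you decided on. It assumes those profiles exist as duply profiles (the module manages duply), so <code>duply &lt;profile&gt; restore &lt;dir&gt;</code> is the restore command; <code>fake_duply</code> is a constructed stub used for the dry run.</p>

```shell
#!/bin/sh
# Added example, not from the original post or the puppet-duplicity module:
# a restore drill for the lessons above. Each profile is restored into a scratch
# directory in priority order, timed, and flagged if it fails, comes back empty,
# or exceeds the downtime budget. Assumes the profiles of the Puppet class below
# exist as duply profiles, so "duply <profile> restore <dir>" performs the restore;
# DUPLY can point at a stub command for dry runs.

DUPLY="${DUPLY:-duply}"

# restored_file_count DIR: number of regular files that came back
restored_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# restore_drill DEST BUDGET_SECONDS PROFILE...
# Restores each profile (most urgent first) into DEST/<profile>, logging to
# DEST/<profile>.log, and prints "<profile> <seconds> <files> <status>" where
# status is OK, FAILED, EMPTY or SLOW. Returns 1 unless every profile is OK.
restore_drill() {
    dest="$1"; budget="$2"; shift 2
    rc=0
    for profile in "$@"; do
        target="$dest/$profile"
        rm -rf "$target"; mkdir -p "$target"
        start=$(date +%s)
        if "$DUPLY" "$profile" restore "$target" > "$dest/$profile.log" 2>&1; then
            status=OK
        else
            status=FAILED
        fi
        elapsed=$(( $(date +%s) - start ))
        files=$(restored_file_count "$target")
        if [ "$status" = OK ] && [ "$files" -eq 0 ]; then
            status=EMPTY      # "successful" restore that brought nothing back
        elif [ "$status" = OK ] && [ "$elapsed" -gt "$budget" ]; then
            status=SLOW       # works, but would blow the downtime budget
        fi
        [ "$status" = OK ] || rc=1
        echo "$profile $elapsed $files $status"
    done
    return "$rc"
}

# Constructed stub standing in for duply so the drill runs anywhere: it "restores"
# one file for srv_data and mysql, nothing for homedir, and fails for pgsql.
fake_duply() {
    case "$1" in
        pgsql)   echo "stub: simulated restore failure" >&2; return 1 ;;
        homedir) return 0 ;;
        *)       echo "constructed restored data" > "$3/sample.txt" ;;
    esac
}

# Dry run with the stub: mail and web data (srv_data) and the databases first,
# home directories last, with a one-hour budget per profile
drill=$(mktemp -d)
real_duply="$DUPLY"; DUPLY=fake_duply
restore_drill "$drill" 3600 srv_data mysql pgsql homedir \
    || echo "drill found problems"
DUPLY="$real_duply"
rm -rf "$drill"
```

<p>For a real drill, drop the stub lines and call <code>restore_drill</code> with a scratch path and the budget in seconds; keep the per-profile logs, since a FAILED line is only useful together with duplicity’s own error output.</p>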
<p>Now for that puppet/duplicity config…</p>
<p>I use the very good
<a href="https://github.com/tohuwabohu/puppet-duplicity">puppet-duplicity</a> module,
which already defines most of what you need. Then, it so happens that there’s
a bug in the paramiko version most of my servers have, so I have taken to
replacing the file containing that bug with a fixed version, which you can find
<a href="https://git.wxcafe.net/snippets/13">here</a>.
I then define a <code>backups</code> class that can be used wherever it’s needed in
host definitions:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">## Puppet backups with duplicity</span>
<span style="color: #75715e"># definitions</span>
<span style="color: #66d9ef">class</span> <span style="color: #f8f8f2">backups</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'/var/backups/mysql/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">directory,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'/var/backups/pgsql/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">directory,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #66d9ef">class</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'duplicity'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">backup_target_url</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"sftp://censored//srv/backups/$hostname"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">backup_target_username</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'duplicity'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">backup_target_password</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'censored'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #75715e">## dirty hotfix</span>
<span style="color: #66d9ef">if</span> <span style="color: #f8f8f2">$facts</span><span style="color: #f92672">[</span><span style="color: #e6db74">'os'</span><span style="color: #f92672">][</span><span style="color: #e6db74">'name'</span><span style="color: #f92672">]</span> <span style="color: #f92672">==</span> <span style="color: #e6db74">'freebsd'</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'/usr/local/lib/python2.7/site-packages/duplicity/backends/_ssh_paramiko.py'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">content</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">file(</span><span style="color: #e6db74">'base/backups/_ssh_paramiko.py'</span><span style="color: #f8f8f2">),</span>
<span style="color: #f8f8f2">require</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">Package</span><span style="color: #f92672">[</span><span style="color: #e6db74">'duply'</span><span style="color: #f92672">]</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span> <span style="color: #66d9ef">else</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'/usr/lib/python2.7/dist-packages/duplicity/backends/_ssh_paramiko.py'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">content</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">file(</span><span style="color: #e6db74">'base/backups/_ssh_paramiko.py'</span><span style="color: #f8f8f2">),</span>
<span style="color: #f8f8f2">require</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">Package</span><span style="color: #f92672">[</span><span style="color: #e6db74">'duply'</span><span style="color: #f92672">]</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #66d9ef">if</span> <span style="color: #f8f8f2">$facts</span><span style="color: #f92672">[</span><span style="color: #e6db74">'os'</span><span style="color: #f92672">][</span><span style="color: #e6db74">'name'</span><span style="color: #f92672">]</span> <span style="color: #f92672">==</span> <span style="color: #e6db74">'freebsd'</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">package</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'py27-pip'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">package</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'py27-cryptography'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span> <span style="color: #66d9ef">else</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">package</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'python-pip'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">package</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'python-cryptography'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">profile</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'conf_file'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">full_if_older_than</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"2W"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">max_full_backups</span> <span style="color: #f92672">=></span> <span style="color: #ae81ff">3</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_hour</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'05'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_minute</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'20'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_enabled</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">true</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">gpg_encryption</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">false</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">profile</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'homedir'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">full_if_older_than</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"1M"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">max_full_backups</span> <span style="color: #f92672">=></span> <span style="color: #ae81ff">3</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_hour</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'04'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_minute</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'40'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_enabled</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">true</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">gpg_encryption</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">false</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">profile</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">full_if_older_than</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"1M"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">max_full_backups</span> <span style="color: #f92672">=></span> <span style="color: #ae81ff">3</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_hour</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'05'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_minute</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'35'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_enabled</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">true</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">gpg_encryption</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">false</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">profile</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'pgsql'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">full_if_older_than</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"1W"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">max_full_backups</span> <span style="color: #f92672">=></span> <span style="color: #ae81ff">2</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_hour</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'04'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_minute</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'20'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_enabled</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">true</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">gpg_encryption</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">false</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">exec_before_content</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'sudo pg_dumpall -h 127.0.0.1 -U postgres -f /var/backups/pgsql/db.sql'</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">profile</span> <span style="color: #f8f8f2">{</span> <span style="color: #e6db74">'mysql'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">full_if_older_than</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">"1W"</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">max_full_backups</span> <span style="color: #f92672">=></span> <span style="color: #ae81ff">2</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_hour</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'04'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_minute</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'20'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">cron_enabled</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">true</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">gpg_encryption</span> <span style="color: #f92672">=></span> <span style="color: #66d9ef">false</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">exec_before_content</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'sudo mysqldump -pcensored --all-databases --result-file=/var/backups/mysql/db.sql'</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span>
</pre></div>
<p>And then here’s a sample from a node definition:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">node</span> <span style="color: #e6db74">'yoshi.wxcafe.net'</span> <span style="color: #f8f8f2">{</span>
<span style="color: #f8f8f2">$physical_location</span> <span style="color: #f92672">=</span> <span style="color: #e6db74">"Illiad - DC2, Vitry-sur-Seine"</span>
<span style="color: #66d9ef">include</span> <span style="color: #f8f8f2">base</span>
<span style="color: #66d9ef">include</span> <span style="color: #f8f8f2">backups</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/var/backups/mysql/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'mysql'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'present'</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/var/backups/pgsql'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'pgsql'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'present'</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/etc/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'conf_file'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'present'</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/var/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'conf_file'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/usr/local/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'conf_file'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/opt/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'conf_file'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/lists/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/mail/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/pub/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/rpg/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/wallabag/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/srv/www'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'srv_data'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">duplicity</span><span style="color: #f92672">::</span><span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/home/'</span><span style="color: #f8f8f2">:</span>
<span style="color: #f8f8f2">profile</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'homedir'</span><span style="color: #f8f8f2">,</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">}</span>
</pre></div>
<h1>[N]olife</h1>
<p>2018-04-23T11:00:00+02:00, Wxcafé, tag:wxcafe.net,2018-04-23:/posts/nolife/</p>
<p>Exceptionally, this post will be in French, because it’s about a very
French-specific cultural phenomenon. <code>Nolife</code> was a French TV station that started
out in 2007, was centered on “geek, nerd and otaku” culture (but was done by
real enthusiasts), was run with almost no money or means, and always stayed
true to the people who were running it. It died for lack of funds after
11 years of broadcasts, on the 8th of April, 2018. In this column I’m going to
talk about my personal relationship with it.</p>
<p>Well, that’s it, <code>Nolife</code> is dead. It had been a long time coming, since the
channel’s very beginnings in fact, but… after a while, after watching it go
through all those certain, announced deaths and come out without a scratch,
sometimes even bigger than before, you could end up telling yourself that in the
end it would never happen, that the people who keep the channel running would
always manage to find solutions to keep it going.</p>
<p>Turns out, no.</p>
<p>I’m well aware that for a lot of people, <code>Nolife</code> sits somewhere between “just a
TV channel” and “it was nice, but that’s about it”, and that’s a perfectly normal
point of view to have. But for me, <code>Nolife</code> was something a bit
different.</p>
<p>I discovered Nolife when I was in high school, in seconde (tenth grade) actually.
I already knew a bit about the cultures the channel covered, because I read a
fair amount of fantasy and SF, and because I was very interested in how
computers work, and in video games; and I already had some contact with related
communities, notably the <a href="https://www.netophonix.com/">Netophonix</a> (a
community dedicated to mp3 sagas). So I quickly got hooked on <code>Nolife</code> and
the shows that aired on the channel, and it was a door (among others, my group
of friends at the time also helped quite a bit) towards Japanese culture. That
was around 2010, so not long after the creation of <code>Nolife</code> Online (the VOD
service the channel created at the time), and since I didn’t have many
opportunities to watch TV at the times when the shows (other than music videos,
that is, which took up 50% of the airtime) were on, I quickly decided to
subscribe, and from then on almost all of my consumption of <code>Nolife</code>’s
programs went through <code>Nolife</code> Online.</p>
<p>As I said, I had contact with the Netophonix, notably through the IRC channel
on FreeNode. Logically, when I wanted to get to know the community that hung
around <code>Nolife</code> a bit, I went straight to the associated IRC channel. And on
that channel I met quite a few people, who in turn and in their own way made me
discover many things, technical or not, the most telling example of which today
is Twitter, which despite being a… rather imperfect social network, still had
the merit of making me meet an enormous number of people who were essential to
the way I evolved while growing up. Without these people, I would probably not
be awake to many causes that are particularly important to me today (and that
helped make me the person I am), notably feminism, LGBT struggles, and class
struggle. I would not have discovered whole fields, of literature, of cinema, of
video games, technical fields, …</p>
<p>Now, of course, <code>Nolife</code> in itself did not bring me all of that. Its community,
and the people I discovered through the friends I made in that community,
allowed me to build myself this way, and the channel only played a minor part in
that. However, it did have intrinsic merits. By producing an enormous number of
shows that could <strong>never</strong> have been broadcast on other channels of the French
audiovisual landscape (a show about the hardware of old consoles in partnership
with <a href="http://mo5.com">Mo5.com</a>? A show explaining in detail how the bugs
used by superplayers and speedrunners in games work? … A J-Music top 5? And even
something that seems obvious today, but… let’s plays on TV in 2007? A show
about e-sports, in 2010? And there are plenty of other examples…), this channel
showed that by fighting, you could do things everyone thought impossible. By
showing passionate people, not necessarily perfectly at ease in front of a
camera but ready to step into the spotlight to present things they love, it
allowed many people to accept and own their passions. It democratized many
subjects that until then had been reserved to tiny communities (I’m thinking in
particular of speedruns, demos, even e-sports, Japanese music…). By airing
Japanese shows or shows about Japanese culture, not by sending Westerners to
visit Japan and bring back whatever they were willing to show a Western
audience, but by airing fully translated Japanese programs (subtitled, not
dubbed!), like Japan in Motion, or by employing Japanese people ready to show
what they knew of Japan (Tokyo Café), or even by interviewing people on site so
they could present their vision of their neighbourhood or city and the culture
that came with it (Toco Toco).</p>
<p>In short, by giving access, to me and to an enormous number of other people,
not only to these cultures and these closed subjects, but also to the obvious
passion of the people who took part in the channel for the subjects they
covered, this channel did a lot for the formation of many people in my
situation, and opened a window in the French audiovisual landscape.</p>
<p>That window closed two weeks ago. I now have no regret at all about seeing
television die.</p>
<p>With this post I would like to thank the people who made <code>Nolife</code>, in front of
or behind (or next to) the camera. I can name those I know, some of whom I had
a drink with at the Kawaii café or the Dernier Bar once or twice (I wasn’t of
age yet, I can tell you that now): Mathilde, Seb and Alex obviously, Medoc and
Moguri, Thierry, Sylvain, Clément, Caroline, Benoît, Anne, Julien Pirou, Pili,
Slimane, Radigo, Mickey, Macha, DamDam, Obliv, Josaudio…</p>
<p>Thank you for these 11 years, thank you for your relentlessness in making this
channel. Nothing will ever be quite the same… But fortunately, there’s more to
life than real life.</p>
<h1>doing "real networking" on dn42</h1>
<p>2018-01-29T11:21:00+01:00, Wxcafé, tag:wxcafe.net,2018-01-29:/posts/doing_real_networking_on_dn42/</p>
<p>So if you’re interested in learning about internet-scale networking and
experimenting with BGP and stuff on “real” networks, you have two basic options.</p>
<p>The first one, of course, is to register with a LIR to get an AS number, an IPv4
prefix, and an IPv6 prefix, then rent 1U in a DC nearby and put a server there,
and then get a cross-connect to your local IXP to start peering with people.</p>
<p>The problem with this, obviously, is that it’s gonna cost you:</p>
<ul>
<li>for the ASN and the IPv4/IPv6 prefixes</li>
<li>for the DC space</li>
<li>for the cross-connect</li>
<li>for the IXP port</li>
</ul>
<p>so potentially, quite a lot of money, and quite a lot of time to get started
too. The upside is that you’ll be a real organization on the real internet, and
that you’ll contribute to the IPv4 shortage, which is pretty good (it’s also
probably quite a good investment? I guess. Don’t register an AS just for that
tho. Please).</p>
<p>The other one is to get multiple routers (or servers) and have them on a switch,
and then build multiple networks with them using private addresses and ASNs. This
works fine as long as you’re just experimenting, but it’s a little limited,
a lot more work (since you have to set up multiple ASNs and routers etc), and not
as fun at all.</p>
<p>So both of these aren’t great to use. There must be a better solution, some way
to run production networks with other network operators without spending a lot
of money, some way to use real IP addresses and AS numbers without disrupting
the existing net.</p>
<p>Well, rejoice, neighbor, because there is! And it’s really simple too, honestly.
It’s… an overlay network! The concept is simple: instead of using real
connections between the different networks, you use a VPN that acts functionally
the same way, over the public internet. Then, you use IP addresses from an
<a href="https://tools.ietf.org/html/rfc1918">RFC1918</a> range, private ASNs, and
unique local IPv6 addresses (RFC 4193), and start doing BGP with other users of
the overlay network. It has the advantage of costing next to nothing (you only
need a VM to run it on) and actually working with other network operators. The
only downside is that you’re not on the actual internet, which isn’t that much
of a downside for experimenting with this kind of tech.</p>
<p>There are a few overlay networks, some of them connected with one another, some
private, and you can even start one with your friends (it’s not that useful, but
you can at least use it as an encrypted, hidden communications channel,
I guess). But the one I use (and, consequently, the one I’m suggesting you
should be using) is <a href="https://dn42.org">dn42</a>.</p>
<p>My setup is very simple: I got a VPS from <a href="https://vultr.com">vultr</a>, installed
OpenBSD on it (you can upload ISOs to vultr to do your install manually), and
from there installed all required tools to work on the system (vim, git, zsh,
…) and a few VPN tools (OpenVPN, tinc, …). I went on the dn42 irc channel
and said I was looking for peers, and started talking to the first person who
answered, who was also looking for their first peer. I’m running OpenBGPD and
they’re using Bird on Linux, so the process of getting our sessions (v4 and v6)
up and running took a bit of time, and once it started working they leaked all
their prefixes to me (which was swiftly corrected with import filters and a
max-prefix limit 😁)</p>
<p>Anyway, I encourage you to try it if you’re interested in networks, come talk to
me on mastodon or twitter (or IRC) if you want some more details, some info to
get started, or to peer with me! My ASN is <code>4242421441</code>, and you can find more
info at https://registry.dn42.us/registry/aut-num/AS4242421441 (click the 🗺️ map
icon).</p>
<p>Hoping to peer with you soon!</p>
<h1>GPG key update and validity extension</h1>
<p>2017-12-24T19:34:00+01:00, Wxcafe, tag:wxcafe.net,2017-12-24:/posts/gpg-key-update-and-validity-extension/</p>
<p>Here’s a signed message about my GPG key update</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
</pre></div>
<p>So last year, during 33c3, I <a href="https://wxcafe.net/posts/key-migration/">wrote
about</a> how I was making a new GPG key
and hoped to use it more. I’m not going to look at how well it worked, because
that wouldn’t be such a good look for GPG usage (it’s mainly been used in git
commits. I’ve received a grand total of… 2 emails during the year that were GPG
encrypted).</p>
<p>Anyway, back then I set it to expire after a year. I followed <a href="https://alexcabal.com/creating-the-perfect-gpg-keypair/">this
post</a> on how to make it
back then, and I followed that same post on how to make it this time, only <code>gpg
--edit-key</code>ing the key to change the expiration date and posting the public key
on keyservers afterwards.</p>
<p>I’ll be at 34c3 this year, so if you’d like to do a bit of keysigning with me
hmu using twitter or mastodon (or via email, or directly there, or any other way
I guess). I’ve also made a tweet
<a href="https://twitter.com/Wxcafe/status/945003553558581248">here</a> and a toot
<a href="https://social.wxcafe.net/@wxcafe/99230770820850055">here</a> to prove my
authenticity too. </p>
<p>Either way, hope to see y’all at 34c3 and that you have a good time over the
holidays! 😄🎄🚀</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>-----BEGIN PGP SIGNATURE-----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=NvZ6
-----END PGP SIGNATURE-----
</pre></div>
<p>I’ll also make this message available on
<a href="https://pub.wxcafe.net/key_update_2017.asc">here</a> so that if copy-and-paste gpg
verification doesn’t work at least you can do it with a plaintext equivalent.</p>
<h1>2fa SSH on Linux, and deploying it via Puppet</h1>
<p>2017-11-24T13:11:00+01:00, Wxcafé, tag:wxcafe.net,2017-11-24:/posts/2fa_ssh_on_linux,and_deploying_it_via_puppet/</p>
<p>So, I recently (on Monday, 11/20/17) started at a new job! Aside from all the new
stuff that implies, and that is much more important overall, I received
a Yubikey Neo key to be used for two-factor authentication on various internal
services. I found this pretty cool, started using it, and thought no more of it.</p>
<p>Then the next day, I tried to SSH to my server for some reason and found out
that I could obviously not log in since I didn’t have my key. So I thought for
a minute, didn’t find any way to enter my infrastructure when I don’t have my
key, and took note to do whatever I was planning that evening.</p>
<p>After a bit of time I put two and two together and thought I could probably try
to add 2fa (TOTP, Time-based One Time Password + username) as an alternative
authentication method to RSA public key. So I looked a bit and ended up setting
that up. Here’s how it works.</p>
<p>So as you might know, authentication on Linux is handled by PAM (Pluggable
Authentication Modules). As the name implies, it’s made of modules that you can
simply plug onto the existing authentication mechanism. And thankfully, someone
developed a TOTP module for PAM, which is named <code>libpam_google_authenticator</code>
(which is not a very good name, but I’m not gonna complain if I can get it
working). So the plan is to install that module (pretty easy, since it’s
packaged by most linux distros), then configure ssh to use it to auth users.
<em>That’s</em> done by editing the <code>/etc/pam.d/sshd</code> file, and setting it up like so:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># PAM configuration for the Secure Shell service</span>
<span style="color: #75715e">### This is the important part. It adds the module and marks it as a required</span>
<span style="color: #75715e">### authentication method.</span>
<span style="color: #75715e">##</span>
<span style="color: #a6e22e">auth required pam_google_authenticator.so</span>
<span style="color: #75715e">##</span>
<span style="color: #a6e22e">@include common-auth</span>
<span style="color: #75715e"># Disallow non-root logins when /etc/nologin exists.</span>
<span style="color: #a6e22e">account required pam_nologin.so</span>
<span style="color: #75715e"># Uncomment and edit /etc/security/access.conf if you need to set complex</span>
<span style="color: #75715e"># access limits that are hard to express in sshd_config.</span>
<span style="color: #75715e"># account required pam_access.so</span>
<span style="color: #75715e"># Standard Un*x authorization.</span>
<span style="color: #a6e22e">@include common-account</span>
<span style="color: #75715e"># SELinux needs to be the first session rule. This ensures that any</span>
<span style="color: #75715e"># lingering context has been cleared. Without this it is possible that a</span>
<span style="color: #75715e"># module could execute code in the wrong domain.</span>
<span style="color: #a6e22e">session [success</span><span style="color: #f92672">=</span><span style="color: #e6db74">ok ignore=ignore module_unknown=ignore default=bad]</span>
<span style="color: #a6e22e">pam_selinux.so close</span>
<span style="color: #75715e"># ... nothing else interesting until end of file</span>
</pre></div>
<p>Now that this is done, we need to change sshd’s config so that it hands
authentication over to PAM, presents the prompt for the TOTP code, and accepts
keyboard-interactive as an alternative when publickey auth doesn’t work. To do
that, we add these lines to <code>/etc/ssh/sshd_config</code>:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam
</pre></div>
<p>In <code>AuthenticationMethods</code>, space-separated entries are alternatives (a
comma-separated entry such as <code>publickey,keyboard-interactive:pam</code> would
require both, in sequence), so this accepts <em>either</em> a public key alone
<em>or</em> the TOTP-plus-password dialogue.</p>
<p><strong>Be careful, this will allow users to login with TOTP+pass even if </strong>
<code>PasswordAuthentication</code> <strong>is set to</strong> <code>no</code>: the password is collected
by PAM’s <code>common-auth</code> inside the keyboard-interactive exchange, not by sshd’s
own password method. With the <code>required</code> line above, any user who has a
<code>~/.google_authenticator</code> file gets this path, and a user without one cannot
use it.</p>
<p>Once this is done, we need to generate a secret for the TOTP generator.
<code>libpam_google_authenticator</code> has a tool for this named …
<code>google-authenticator</code>. Once you run it, it’ll ask a few questions, display
a QR-code on the screen, give you a private key and a few recovery codes, and
write all this into a file named <code>~/.google_authenticator</code>. Scan the QR code or
add the private key into your TOTP client (an app on your phone, a linux CLI
client, whatever. I use OTP Auth on iOS.)</p>
<p>Once that’s done, you can try to use that authentication by running <code>ssh -o
PubkeyAuthentication=no whatever.space</code>. It should ask you for your
“Verification Code”, which is the TOTP, and then your password, and then let you
log in. Done, you have 2fa on SSH now 😄</p>
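To show what the “Verification Code” prompt is actually checking against the secret in <code>~/.google_authenticator</code>, here is an added example (my code, not the PAM module’s) that implements RFC 4226 HOTP and RFC 6238 TOTP, parses a constructed authenticator file (layout assumed from what <code>google-authenticator</code> writes: secret on the first line, <code>" </code>-prefixed option lines, then one-time recovery codes), and verifies a code the way the module does: a TOTP within a clock-skew window, or a recovery code that is burned on use. The constructed secret is the RFC test-vector key, so the codes it produces match the values published in those RFCs. The password half of the login is still PAM’s <code>common-auth</code>, not this code.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """The secret line google-authenticator writes is unpadded base32."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time // step."""
    return hotp(decode_secret(secret_b32), max(0, at) // step, digits)


def parse_authenticator_file(text: str) -> Tuple[str, List[str]]:
    """Split a ~/.google_authenticator file into (secret, recovery codes).
    Layout assumed here: first line is the secret, lines starting with '" '
    are module options, every other non-empty line is a one-time recovery code."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    scratch = [ln for ln in lines[1:] if not ln.startswith('" ')]
    return secret, scratch


def verify_code(secret_b32: str, scratch: List[str], code: str, at: int,
                window: int = 1, step: int = 30) -> Tuple[bool, List[str]]:
    """Accept a TOTP from any step within +/- window of `at` (clock skew),
    or else a recovery code. Returns (ok, remaining recovery codes): a used
    recovery code is dropped so it cannot be replayed. All comparisons are
    constant-time."""
    code = code.strip()
    if not code.isdigit():
        return False, scratch
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + k * step, step), code):
            return True, scratch
    if any(hmac.compare_digest(s, code) for s in scratch):
        return True, [s for s in scratch if s != code]
    return False, scratch


# Constructed ~/.google_authenticator contents, not a real one. The secret is
# the RFC 4226 / RFC 6238 test-vector key "12345678901234567890" in base32, so
# the codes this produces can be checked against the values published there.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" TOTP_AUTH
11111111
22222222
"""

if __name__ == "__main__":
    secret, scratch = parse_authenticator_file(SAMPLE_FILE)
    print("TOTP at t=59:", totp(secret, 59))
    ok, scratch = verify_code(secret, scratch, totp(secret, 59), at=70)
    print("accepted within skew window:", ok)
    ok, scratch = verify_code(secret, scratch, "22222222", at=70)
    print("recovery code accepted:", ok, "remaining:", scratch)
```

Two things this makes concrete: the whole second factor is the single base32 line, which is why that file has to be mode 0600 and why copying it to several machines is exactly as strong (or weak) as the one secret; and a recovery code is only one-time if whatever verifies it rewrites the file without it, so the file must stay writable by the module (the PAM module does this itself; a config-management tool that keeps re-deploying the original file would silently restore spent codes).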
<p>Now for the puppet setup:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span> <span style="color: #f8f8f2">package</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'libpam-google-authenticator'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/etc/pam.d/sshd'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">content</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">file(</span><span style="color: #e6db74">'base/pam/sshd'</span><span style="color: #f8f8f2">),</span>
<span style="color: #f8f8f2">owner</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'root'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">group</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'root'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/home/wxcafe/.google_authenticator'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">content</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">file(modules</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">base</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">google_authenticator,</span>
<span style="color: #f8f8f2">owner</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'wxcafe'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">group</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'wxcafe'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">mode</span> <span style="color: #f92672">=></span> <span style="color: #e6db74">'0600'</span><span style="color: #f8f8f2">,</span>
<span style="color: #f8f8f2">}</span>
<span style="color: #f8f8f2">file</span> <span style="color: #f8f8f2">{</span><span style="color: #e6db74">'/etc/ssh/sshd_config'</span><span style="color: #f8f8f2">:</span>
<span style="color: #66d9ef">ensure</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">present,</span>
<span style="color: #f8f8f2">content</span> <span style="color: #f92672">=></span> <span style="color: #f8f8f2">file(</span><span style="color: #e6db74">'base/ssh/sshd_config'</span><span style="color: #f8f8f2">),</span>
<span style="color: #f8f8f2">}</span>
</pre></div>
<p>Yeah, I know, this is pretty generic. It was a bit harder for me because I use
a git repo for my dotfiles, and as such I have a <code>git</code> block and an <code>exec</code> block
to chmod 600 the .google_authenticator file, and I had a bit of trouble trying
to use a <code>file</code> block inside another <code>file</code> block (setting the mode of the file
inside dotfiles git repo) (if you’re wondering, puppet simply ignores the
least-specific block here… I spent a while wondering why my files wouldn’t
copy…)</p>
<p>Either way it should work alright. You might also notice that I just deploy the
.google_authenticator file on every machine, and think that’s not a very good
security practice. I think it’s alright, a TOTP is basically identical
security-wise to 10 TOTPs, as long as the key doesn’t leak, and the increased
usability of not having to keep tens of TOTP codes on my phone is clearly worth
it.</p>
<h1>The poor fella's KVM over IP</h1>
<p>2017-10-13T19:06:00+02:00, Wxcafé, tag:wxcafe.net,2017-10-13:/posts/the_poor_fellas_kvm_over_ip/</p>
<h1>Or, how I learned to stop worrying about which hosting providers supported my OS and love QEMU/KVM</h1>
<hr>
<h3>Story part</h3>
<p>So uh recently I was thinking about migrating my main server (the one that
hosts, among other things, this website) to a new, improved, cleaner server. The
one that runs this is on debian, lived through wheezy, jessie and stretch, and since
I’ve experimented on it a fair bit in the ~4 years it’s been running, is
littered with weird projects and packages that shouldn’t be installed and stuff.
Yeah, that’s practically the definition of “bad admin practices”, but I was
young(er) when this server started running.</p>
<p>Anyway, I was thinking of upgrading to a new server with FreeBSD, and using
Jails to isolate the services (it’s, uh, still a WIP). Since I like Online.net
a lot when it comes to hosting servers (they’re relatively cheap and they
provide good service, which is all I ask generally), and that they support
FreeBSD, I decided to order a server from them and work on the migration over
the next few weeks.</p>
<p>Alas! After ordering the server, it appears they only support FreeBSD on UFS!
Since I was born after 1983, I didn’t want to use UFS as root on a FreeBSD
server, that would be a waste! So, obviously, I decided to use the KVM-over-IP
access they provide to load up an ISO and install things my way.</p>
<p>Well, I was a fool, because the class of server I ordered (the cheapest) doesn’t
have KVM-over-IP! That’s a feature reserved for the slightly more expensive
ones. But I didn’t want to upgrade and pay more per month, so I thought and
thought, and I ended up coming up with the following solution.</p>
<h3>Technical part</h3>
<p>So the idea is pretty simple: from a rescue/recovery system (so that nothing on
the server’s physical disk is mounted, since the VM is going to write to it
directly), spawn a Qemu VM with its first disk being that physical disk, and
the ISO of the OS you want to install as its CD-ROM. Then perform a simple
installation, fix things up a bit (network interface name/IP, stuff like
that), reboot, and profit.</p>
<p>What I did for FreeBSD 11 specifically was</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo apt install qemu-kvm
wget http://ftp.fr.freebsd.org/mirrors/ftp.freebsd.org/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-disc1.iso
qemu-system-x86_64 -hda /dev/sda -cdrom FreeBSD-11.1-RELEASE-amd64-disc1.iso -net nic,model<span style="color: #f92672">=</span>e1000 -curses -boot d
</pre></div>
<p>Then, do the install in the, uh, even-uglier-than-usual environment of the
curses Qemu interface. Nothing special about this, it’s a standard FreeBSD
install. Afterwards, spawn a shell, edit /etc/rc.conf</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>ifconfig_igb0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.xxx"
</pre></div>
<p>Reboot, and your server should come up. If it doesn’t, well, you can always boot
the recovery FreeBSD system to see what’s wrong, or reinstall and retry.</p>
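Two checks worth running before handing <code>/dev/sda</code> to qemu, as an added example (my code, not the post’s): refuse to start while anything on the target disk is mounted, and verify the ISO against a BSD-style <code>SHA256 (name) = hex</code> checksum file, which is the format FreeBSD publishes next to its release images. The mount tables and the “ISO” here are constructed stand-ins; the function names are mine. Since the post’s <code>wget</code> fetches over plain http, a checksum fetched the same way only catches a corrupt download, not a hostile mirror; for that, verify the PGP signature FreeBSD publishes on its checksum files.

```python
import hashlib
import hmac
from typing import List


def disk_in_use(mounts: str, disk: str) -> List[str]:
    """Mount points backed by `disk` or one of its partitions, parsed from
    /proc/mounts-style text. Non-empty means the disk is live: a VM writing
    to it raw would corrupt the running system underneath."""
    busy = []
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        dev = fields[0]
        if dev == disk or (dev.startswith(disk) and dev[len(disk):].isdigit()):
            busy.append(fields[1])
    return busy


def iso_matches_checksum(iso_bytes: bytes, checksum_file: str, iso_name: str) -> bool:
    """Compare the downloaded image against a BSD-style checksum file
    ('SHA256 (name) = hex', the format FreeBSD publishes next to its ISOs)."""
    expected = None
    for line in checksum_file.splitlines():
        line = line.strip()
        if line.startswith(f"SHA256 ({iso_name}) = "):
            expected = line.split("= ", 1)[1].strip().lower()
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(iso_bytes).hexdigest(), expected)


def build_qemu_cmd(disk: str, iso: str, mounts: str) -> List[str]:
    """The installer command from the post as an argv list, refusing to run
    while the target disk is mounted anywhere."""
    busy = disk_in_use(mounts, disk)
    if busy:
        raise RuntimeError(f"{disk} is mounted at {', '.join(busy)}; "
                           "boot the rescue system first")
    return ["qemu-system-x86_64", "-hda", disk, "-cdrom", iso,
            "-net", "nic,model=e1000", "-curses", "-boot", "d"]


# Constructed /proc/mounts samples: a RAM-booted rescue system, and the
# server's own OS running from /dev/sda.
RESCUE_MOUNTS = """tmpfs / tmpfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/scratch ext4 rw,relatime 0 0
"""
LIVE_MOUNTS = """/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed stand-in for the image and the checksum file that would sit
# next to it; the real ones are what the wget above fetches.
ISO_NAME = "FreeBSD-11.1-RELEASE-amd64-disc1.iso"
SAMPLE_ISO = b"constructed stand-in for the installer image"
SAMPLE_CHECKSUM_FILE = f"SHA256 ({ISO_NAME}) = {hashlib.sha256(SAMPLE_ISO).hexdigest()}\n"

if __name__ == "__main__":
    print("image ok:", iso_matches_checksum(SAMPLE_ISO, SAMPLE_CHECKSUM_FILE, ISO_NAME))
    print("rescue system:", " ".join(build_qemu_cmd("/dev/sda", ISO_NAME, RESCUE_MOUNTS)))
    try:
        build_qemu_cmd("/dev/sda", ISO_NAME, LIVE_MOUNTS)
    except RuntimeError as err:
        print("live system:", err)
```

On a real host, feed <code>open("/proc/mounts").read()</code> to <code>build_qemu_cmd</code> and the checksum file’s contents to <code>iso_matches_checksum</code>; the partition match is deliberately strict (<code>/dev/sda</code> matches <code>/dev/sda1</code> but not <code>/dev/sdab</code>).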
<p>Of course, I’m speaking about FreeBSD here but this works with any target OS,
linux, FreeBSD, Windows, Haiku, Plan9… whatever.</p>
<p>It’s kinda hacky, but </p>
<h2>WOЯKƧ ꟻOR MƎ</h2>
<h1>EuroBSDCon 2017</h1>
<p>2017-09-29T14:03:00+02:00, Wxcafé, tag:wxcafe.net,2017-09-29:/posts/eurobsdcon_2017/</p>
<p>So, as you might know if you follow me on twitter/mastodon (and if you don’t,
what are you doing here) and/or if you read the title, EuroBSDCon 2017 took
place in Paris last weekend (September 23rd-24th). I was there, but not as an
attendee! I actually am part of a student organization called GConfs (a pun on
attendee! I actually am part of a student organization called GConfs (a pun on
Gconf, the gnome configuration tool, and conferences) that’s composed of
students of Epita (a french CS engineering school) and organizes conferences.
Since we also have some competence in recording/streaming talks, we were
selected to do the A/V work for all talks.</p>
<p><img alt="opening_talk" src="https://pub.wxcafe.net/img/eurobsdcon_opening_talk.jpg"></p>
<p>As a member of that org (and a BSD enthusiast), I volunteered to help with that
and got the chance to go and watch a few talks from the A/V table :) This was
an amazing experience! I didn’t know much about recording video and audio and
streaming when the weekend started, and now I can work out something from
a mixing table in a hurry with little trouble.</p>
<p><img alt="mixing_table" src="https://pub.wxcafe.net/img/eurobsdcon_table_mixage.jpg"></p>
<p>I’m glad I got the chance to be there, meet a few people I’ve wanted to have
a chat with for a long time, and lend my laptop to Theo de Raadt for his talk
(he ended up using another one, but hey :p). I didn’t think doing A/V work was
this intensive, and as a result I couldn’t follow the talks as much as I wanted,
so now I have a motivation for doing the post-production work and publish the
recordings so I can actually <em>watch</em> the talks!</p>
<p><img alt="Michael W. Lucas" src="https://pub.wxcafe.net/img/eurobsdcon_mwl_talk.jpg"></p>
<p>Anyway, it’s been a pretty good time. I’d like to thank the organization of the
conference again here, and other people in GConfs who made it possible for us to
work on this and were there with me to fiddle with the recording and microphones
and to make everything work. See you next year in Romania (uh I’m not actually
sure we can make it there… sorry)</p>
<p><img alt="Theo De Raadt" src="https://pub.wxcafe.net/img/eurobsdcon_theo_talk.jpg"></p>
<p>PS: catch me at 34c3 if you want one of these stickers :p</p>
<p><img alt="Stickers" src="https://pub.wxcafe.net/img/eurobsdcon_stickers.jpg"></p>From Bind9 to NSD, a (relatively short) DNS journey2017-09-24T11:44:00+02:002017-09-24T11:44:00+02:00Wxcafétag:wxcafe.net,2017-09-24:/posts/from_bind9_to_nsd_a_relatively_short_dns_journey/<p>Hey! It’s been a while…</p>
<p>I’m sorry, I’ve had a lot on my plate in august and at the beginning of
september.</p>
<p>Anyway. Recently (meaning, last week) I started having a bit of time on my hands
again, and as I had been planning for a few …</p><p>Hey! It’s been a while…</p>
<p>I’m sorry, I’ve had a lot on my plate in august and at the beginning of
september.</p>
<p>Anyway. Recently (meaning, last week) I started having a bit of time on my hands
again, and as I had been planning for a few months I set out to migrate my DNS
servers from Bind9 to NSD. There are a few reasons for that, mainly related to
how Bind has found itself in the subject line of several CVEs in the last few
months and that I wasn’t using any of the thousands of features that Bind offers.
Okay, I’ll admit that the “hype” around NSD/Unbound, if you can call it that,
played a bit of a role in the decision.</p>
<p>Anyways, my setup is pretty simple: I have two servers. Both are primary for
some zones and replicas for other zones, and one of them is behind a v4 NAT
(it’s on my home network) and has to do recursive resolution in addition to
being an authoritative server. Both are IPv6-accessible.</p>
<p>So, the previous setup was a bind9 server on both, with a port-forwarding rule
for IPv4 for the server behind the NAT, and IP-based <code>allow-transfer {}</code>
ACLs instead of TSIG keys to authorize zone transfers from the primary to the
replica. It was pretty ugly, but it worked fine and didn’t have any glaring
security problems (at least, not that I could think of).</p>
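Moving from IP-based <code>allow-transfer</code> ACLs to TSIG keys means both servers need the same secret in two different syntaxes, one side still being BIND during a migration like this one. As an added example (my code, not the post’s or either daemon’s tooling), this generates a secret of the right length for the HMAC in use, checks a secret someone hands you, and emits the <code>key:</code> stanza for <code>nsd.conf</code> and the matching <code>key</code> statement for <code>named.conf</code>. The key name <code>push-key</code> is the one used in the post’s config; the too-short secret is constructed to show the check rejecting it.

```python
import base64
import secrets

# A TSIG secret should be at least as long as the HMAC output; shorter keys
# reduce the MAC's strength to the key length.
TSIG_KEY_BYTES = {"hmac-sha256": 32, "hmac-sha512": 64}


def new_tsig_secret(algorithm: str = "hmac-sha256") -> str:
    """Fresh random key material, base64-encoded as both daemons expect it."""
    return base64.b64encode(secrets.token_bytes(TSIG_KEY_BYTES[algorithm])).decode()


def check_tsig_secret(secret_b64: str, algorithm: str = "hmac-sha256") -> bool:
    """True if the secret is valid base64 and long enough for the algorithm."""
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass
        return False
    return len(raw) >= TSIG_KEY_BYTES[algorithm]


def nsd_key_stanza(name: str, secret_b64: str, algorithm: str = "hmac-sha256") -> str:
    """The key: block for nsd.conf, referenced by notify:/provide-xfr: lines."""
    return (f"key:\n"
            f"    name: \"{name}\"\n"
            f"    algorithm: {algorithm}\n"
            f"    secret: \"{secret_b64}\"\n")


def bind_key_stanza(name: str, secret_b64: str, algorithm: str = "hmac-sha256") -> str:
    """The matching key statement for named.conf on the BIND side."""
    return (f"key \"{name}\" {{\n"
            f"    algorithm {algorithm};\n"
            f"    secret \"{secret_b64}\";\n"
            f"}};\n")


# Constructed, too-short secret (16 zero bytes) to show the check rejecting it.
SHORT_SECRET = "AAAAAAAAAAAAAAAAAAAAAA=="

if __name__ == "__main__":
    s = new_tsig_secret()
    print("secret acceptable:", check_tsig_secret(s))
    print("short secret acceptable:", check_tsig_secret(SHORT_SECRET))
    print(nsd_key_stanza("push-key", s))
    print(bind_key_stanza("push-key", s))
```

Once both stanzas are in place, the BIND side still needs <code>allow-transfer { key "push-key"; };</code> (and the NSD side the corresponding <code>provide-xfr</code>/<code>notify</code> lines naming the key) before the IP-based rules can go.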
<p>I set on moving the first part of the setup, which is the distant server (the
one that’s not behind a NAT). The setup went like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ sudo apt install nsd
$ sudo mkdir -p /etc/nsd/zones/<span style="color: #f92672">{</span>primary,replica<span style="color: #f92672">}</span>
$ sudo cp /etc/bind9/zones/primary/* /etc/nsd/zones/primary/
$ sudo vim /etc/nsd/nsd.conf
</pre></div>
<p>And here is the <code>nsd.conf</code> file:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"># NSD configuration file
server:
    do-ip4: yes
    ip4-only: no
    # "yes" stops NSD from answering version.bind CHAOS queries with its version
    hide-version: no
    zonesdir: "/etc/nsd/zones/"
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"

# TSIG key shared by both servers: the same name, algorithm and secret must be
# configured on the other side, or NOTIFY and AXFR will be rejected
key:
    name: "push-key"
    algorithm: hmac-sha256
    secret: "redacted"

# Zones we are primary for: notify the other server and let it transfer,
# only from that address and only when signed with push-key
pattern:
    name: "copy-to"
    notify: <other server's IP> push-key
    provide-xfr: <other server's IP> push-key

# Zones we are replica for: accept NOTIFY from, and request AXFR from, the other server
pattern:
    name: "copy-from"
    allow-notify: <other server's IP> push-key
    request-xfr: AXFR <other server's IP> push-key

# Primary Zones
zone:
    name: wxcafe.net
    zonefile: primary/wxcafe.net
    include-pattern: "copy-to"
# [other zones ...]

# Replica zones
zone:
    name: home.wxcafe.net
    zonefile: replica/home.wxcafe.net
    include-pattern: "copy-from"
# [other zones ...]
</pre></div>
<p>That should be pretty straightforward: the first block defines basic server
options, the second one defines the TSIG key used to authenticate transfers, the
third and fourth define “patterns” (reusable configuration that zones include),
and the rest are zone definitions. Note that NSD checks both halves of each
<code>notify</code>/<code>provide-xfr</code>/<code>allow-notify</code> entry: the
message has to come from that address <em>and</em> carry a valid signature with
that key, so the secret has to be identical on both servers.</p>
<p>Aaaaaand, that’s it! Nothing more to do, everything works. Just</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ sudo systemctl stop bind9 <span style="color: #f92672">&&</span> sudo systemctl disable bind9
$ sudo systemctl start nsd <span style="color: #f92672">&&</span> sudo systemctl <span style="color: #f8f8f2">enable</span> nsd
</pre></div>
<p>and you’re done. Now, of course, since the other server isn’t configured, the
replication doesn’t actually happen yet. So let’s configure the other server
then!</p>
<p>Well, we want it to do recursive resolving, so, since NSD doesn’t do that, we’re
gonna need to run Unbound too. So, to start off of course we need to install
Unbound so we’re doing an <code>apt install unbound</code>. Then we start with the unbound
configuration:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"># Unbound configuration file for Debian.
include: "/etc/unbound/unbound.conf.d/*.conf"
server:
    logfile: ""
    # IPv4 only, on every address; nothing is bound on v6 (see below)
    interface: 0.0.0.0
    # Only the home network may recurse; anything else is refused by default,
    # so this never turns into an open resolver
    access-control: 10.0.0.0/8 allow
</pre></div>
<p>That’s it. That’s all we have to do to configure Unbound. Now we start it and
enable it: <code>sudo systemctl start unbound && sudo systemctl enable unbound</code>, and
we’re done with unbound</p>
<p>You’ll notice that Unbound doesn’t listen on v6. That’s because it’d be
useless: the resolver address is handed to hosts on my network via DHCP, there
are no v6-only hosts on my network, and we’re going to play with the v6 port
later in ways that would render the server inaccessible either way.</p>
<p>Anyways, it’s now time to install and configure NSD on that server. Installation
is the same as earlier, and even the config file differs only a little bit:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"># NSD configuration file for Debian.
server:
    do-ip4: yes
    ip4-only: no
    hide-version: no
    zonesdir: "/etc/nsd/zones/"
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    # 1053 because Unbound owns port 53 on this host; the NAT and ip6tables
    # rules described below send external port-53 traffic here
    port: 1053

# Local control socket for nsd-control; the key and certificate files are the
# ones nsd-control-setup generates
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

# Same TSIG key as on the other server
key:
    name: "push-key"
    algorithm: hmac-sha256
    secret: "redacted"

pattern:
    name: "copy-to"
    notify: <other server's ip> push-key
    provide-xfr: <other server's ip> push-key

pattern:
    name: "copy-from"
    allow-notify: <other server's ip> push-key
    request-xfr: AXFR <other server's ip> push-key

# Primary Zones
zone:
    name: home.wxcafe.net
    zonefile: primary/home.wxcafe.net
    include-pattern: "copy-to"

# Replica zones
zone:
    name: wxcafe.net
    zonefile: replica/wxcafe.net
    include-pattern: "copy-from"
</pre></div>
<p>As you can see, it’s pretty similar, the only differences being that the other
server’s primary zones are replicas on this one and vice-versa, that NSD can be
driven locally through <code>nsd-control</code>, and that the port is 1053. This
is the interesting part.</p>
<p>So, of course, since we now have two DNS servers running on the same host, one
is going to bind to port 53 and the other one won’t be able to. That’s a
problem, obviously, since hosts send their DNS queries to port 53 and I can’t
really change that on the client side. But since the authoritative part of this
server is behind a NAT, I can simply forward packets arriving on the external
IP’s port 53 to any internal port, which is the obvious solution given that I
have no way to change which port internal hosts (which get their resolver from
DHCP) send queries to.</p>
<p>Once I added the NAT port forwarding, there was still a small problem, tho…
external IPv6 hosts don’t benefit from that port forward, they still get a reply
from Unbound (telling them they’re not in the allowed range) instead of from
NSD.</p>
<p>To fix that, I had to do something pretty ugly… a port forward in IPv6. I used
this <code>ip6tables</code> rule (in the <code>nat</code> table):</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 1053
</pre></div>
<p>YES, I KNOW, port forwarding in v6 is dirty, but right now it works! One caveat:
that rule only redirects UDP, and zone transfers (AXFR) as well as any answer too
big for UDP are carried over TCP, so a matching <code>-p tcp</code> rule is needed
for those to reach NSD instead of whatever holds port 53. The next step is moving
each service (the authoritative name server and the recursive one) to its own VM.
For now, it works fine and was really easy to set up!</p>
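<p>Before calling the migration done, it’s worth checking from the outside that both
servers agree on each zone and that nobody but the keyed peer can pull a zone. The
script below is an added example (not code from this post, nor from NSD): it builds
raw DNS queries with nothing but the standard library, compares the SOA serial each
server returns over UDP, and sends an unsigned AXFR over TCP to confirm it comes back
REFUSED. The 203.0.113.x addresses are placeholders, and
<code>constructed_soa_response()</code> fabricates a wxcafe.net SOA answer so the
parser can be exercised offline.</p>

```python
"""Post-migration checks for a primary/replica pair (added example, not code from
the post): compare the SOA serial each server answers for a zone, and confirm that
an AXFR without the TSIG key is refused. Standard library only. Host addresses and
the sample response bytes below are placeholders / constructed, not captures."""
import socket
import struct

TYPE_SOA, TYPE_AXFR, CLASS_IN = 6, 252, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ended by a zero byte."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at `off`; a compression pointer (top two bits
    set) is two bytes long and always terminates the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def parse_soa(msg: bytes):
    """Return (rcode, serial) for a response; serial is None without a SOA RR."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    for _ in range(an):                       # answer RRs
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            p = skip_name(msg, off)           # MNAME
            p = skip_name(msg, p)             # RNAME
            return rcode, struct.unpack(">I", msg[p:p + 4])[0]
        off += rdlen
    return rcode, None


def soa_serial_udp(host: str, zone: str, port: int = 53, timeout: float = 3.0):
    """Ask one server for the zone's SOA over UDP; returns (rcode, serial)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, TYPE_SOA), (host, port))
        data, _ = s.recvfrom(4096)
    return parse_soa(data)


def _recv_exact(s: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = s.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        data += chunk
    return data


def axfr_rcode_tcp(host: str, zone: str, port: int = 53, timeout: float = 3.0) -> int:
    """Send an unsigned AXFR over TCP (two-byte length prefix) and return the rcode
    of the first message; a correctly keyed server answers REFUSED (5) or NOTAUTH (9)."""
    query = build_query(zone, TYPE_AXFR)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", _recv_exact(s, 2))[0]
        return parse_soa(_recv_exact(s, length))[0]


def constructed_soa_response(serial: int = 2017092401, rcode: int = 0,
                             with_answer: bool = True) -> bytes:
    """Constructed sample answer for wxcafe.net (not a capture): the question, then
    one SOA RR whose owner, MNAME and RNAME use compression pointers to offset 12."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if with_answer else 0, 0, 0)
    question = encode_name("wxcafe.net") + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    if not with_answer:
        return header + question
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
             + struct.pack(">IIIII", serial, 7200, 3600, 1209600, 3600))
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    # Placeholder addresses: replace with the two servers' real names or IPs.
    primary, replica, zone = "203.0.113.10", "203.0.113.20", "wxcafe.net"
    p, r = soa_serial_udp(primary, zone), soa_serial_udp(replica, zone)
    print(f"{zone}: primary serial {p[1]}, replica serial {r[1]} ->",
          "in sync" if p[1] == r[1] else "OUT OF SYNC")
    rc = axfr_rcode_tcp(replica, zone)
    print("unsigned AXFR ->", RCODE_NAMES.get(rc, rc),
          "(good)" if rc in (5, 9) else "(the zone is readable by anyone!)")
```

<p>Run it from a third host so the check goes through the same NAT and
<code>ip6tables</code> path real clients use; pass an IPv6 address as the host to
exercise the REDIRECT rule, and if the AXFR line does not print REFUSED, the
<code>provide-xfr</code> entry is not doing its job.</p>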
<p>Hope that might be useful, or at least interesting, to you 😊! I’ll be posting
a write-up of EuroBSDCon soon…-ish!</p>
<p>See ya!</p>
<h1>PocketBook Disassembly and root</h1>
<p>2017-08-01T21:39:00+02:00, tag:wxcafe.net,2017-08-01:/posts/pocketbook_dissassembly_and_root/</p>
<p>So uh a few years (! time flies) back I wanted to get an ereader to…
<em>(e-read?)</em> read books for cheap and not carry a suitcase of paperbacks whenever
I traveled (plus a lot of other advantages. I like ebooks, they’re tiny,
convenient and disposable. There are lots of books I prefer reading on paper,
but I can’t deny ebooks are neat sometimes. Anyway).</p>
<p>I already had a Kindle Touch (I think that’s the 3rd version of the kindle? idk
tho) but I wanted something both more recent and with a bigger screen, because
I kinda enjoy being able to read PDFs and doing that on a Kindle is torture.</p>
<p>So I went looking for a reasonably sized ebook reader, of which there were (at
the time) none. After much digging I finally found the <a href="http://www.pocketbook-int.com/fr/products/pocketbook-inkpad">PocketBook
InkPad</a> which is an
8” e-reader with backlight and physical buttons, which sounded exactly like what
I wanted! So I ordered one and got it delivered a few days later.</p>
<p>Now this device works pretty well on its own. It’s a bit small to read full-size
PDFs but it’s still better than 6” readers are, and even tho it doesn’t have
access to a bundled ebook shop you can always load your own books (which is what
I intended to do anyway, hello <a href="http://gen.lib.rus.ec/">Library Genesis</a>). But
after a bit I wanted to try and do more with it, so I installed
<a href="https://github.com/koreader/koreader">koreader</a>, which is an aftermarket ebook
reader app for kindle, kobo, etc, and supports this thing. The installation is
really easy, it’s a matter of dropping the code into an <code>applications</code> folder
(there are a few system libraries to install too and that’s done the same way:
drop the code into the root of the usb mount).</p>
<p>So then I spent a few months reading books on this (I recommend The Unix Haters
Handbook, which, while I largely don’t agree with much that’s in it and it’s
pretty outdated, is really entertaining), and before I knew it I found myself
disassembling it and owning the embedded OS running on it. Here’s how that
went (with recent pictures, since I opened it up again to write this!)</p>
<p>So first of all, here’s how it looks, before I get my hands on it. Pretty plain,
no screws, no visible point of entry. </p>
<p><img alt="untouched" src="https://pub.wxcafe.net/img/01_glamour_shot.JPG"></p>
<p>The right way (there is never only <em>one</em> way to open a device. In fact, there is
always a very large number of ways to open a device, but most often there are only
a few ways to open it up while still being able to get it working again afterwards) to
open this thing is to unclip the front (display plus button area) from the back.
No glue! Yay! It’s just a bunch of clips, pretty stiff too, so keep going at
them and after a while they’ll unclip.</p>
<p><img alt="pick_one" src="https://pub.wxcafe.net/img/02_pick_1.JPG">
<img alt="pick_two" src="https://pub.wxcafe.net/img/03_pick_2.JPG"></p>
<p>After that, just pull the front and the back apart and it’s open. Easy! I’m not
going to elaborate further into the disassembly because from then on there’s
glue everywhere and since I <em>do</em> use that ereader I don’t want it to be FUBAR.</p>
<p>Anyway, here are a few shots of the open device:</p>
<p><img alt="open_double" src="https://pub.wxcafe.net/img/04_open_double.JPG">
<img alt="open_single" src="https://pub.wxcafe.net/img/05_open_single.JPG"></p>
<p>and a few closeups. My favorite thing about this device is that it’s advertised
as 4 Gigs of flash storage and… well, it does contain 4 Gigs of flash, but not
really the way other manufacturers do it (it’s a plain microSD card):</p>
<p><img alt="closeup_flash" src="https://pub.wxcafe.net/img/06_closeup_microSD.JPG"></p>
<p>Here are a few closeups of the mobo. It looks pretty good, considering. It could
probably be 50% smaller but since the device itself is so large and the battery
consumption of eInk screens is so low, why bother?</p>
<p><img alt="closeup_top" src="https://pub.wxcafe.net/img/07_closeup_top.JPG"></p>
<p><img alt="closeup_SN" src="https://pub.wxcafe.net/img/08_closeup_SN.JPG"></p>
<p>Also, my device got a note at manufacture time (I’m guessing QC but who knows?)
and I have <em>no idea</em> what it says/means. If you have any idea, please tell me</p>
<p><img alt="closeup_note" src="https://pub.wxcafe.net/img/09_closeup_note.JPG"></p>
<p>Anyway. Of course, once I was done admiring the board, I wanted to dig into the
OS. Since I had the “flash”, I could just dump the OS from there, take a look,
and be done with it, but knowing my motivation if I just dumped it I would never
have gotten around to take a look at it, so I decided to get a shell on the damn
thing. Since there are serial headers on there, I popped out my USB<->serial
cable and plugged it right in.</p>
<p><img alt="closeup_serial" src="https://pub.wxcafe.net/img/10_closeup_serial.JPG"></p>
<p>This thing talks at 115200 baud, the usual rate for embedded Linux consoles
(older serial gear tends to default to 9600). So just start
<code>screen /dev/ttyUSB0 115200</code> and it’s all good. Then boot the thing.
You’ll see a nice bootlog scroll by, and then you’ll be stuck without any response
to input.</p>
<p>Here’s such a bootlog from my device (it also contains a suspend event and
a shutdown event): <a href="https://pub.wxcafe.net/pocketbook_log_boot.html">html</a> and
<a href="https://pub.wxcafe.net/pocketbook_log_boot.txt">text</a></p>
<p>Of course, that’s nice, but at some point we said we wanted to get a shell on
it. Well, worry not, because a manufacturer who misspells <strong>attached</strong> as
<strong>Atached</strong> can’t be that good on security. And, of course, pressing <code>^C</code>
while the device is booting interrupts the boot process and drops you into a nice,
cozy, unauthenticated root shell on the serial console, which you can then use to
do anything to the device… which you pretty much could already do anyway, since
a good part of the system folders are exposed through the USB mass-storage mode.
But let me enjoy my victory and take a look at the way to enable an SSH server at
boot, so that hacking on this thing becomes a little more comfortable:
<a href="https://pub.wxcafe.net/pocketbook_log_root.html">html</a> and
<a href="https://pub.wxcafe.net/pocketbook_log_root.txt">text</a></p>
<p>Once that’s done, don’t forget to either drop your key into root’s
<code>authorized_keys</code> file or to set root’s password, and you can now, uh,
ssh to your e-reader. Why would you want to do that? WELL I DON’T KNOW, YOU GO
FIGURE IT OUT!</p>
<p>Anyway, that’s all I had for today. Oh and don’t worry, the e-reader still
works, perfectly! I did say at the beginning that I was gonna use the <em>right</em>
way to open it!</p>
<h1>IPv6 at Online.net, with libvirt</h1>
<p>2017-07-14T00:21:00+02:00, tag:wxcafe.net,2017-07-14:/posts/ipv6_at_online.net,with_libvirt/</p>
<p>So, I have this server at <a href="https://online.net">Online</a>, a French hosting
company, part of Iliad. They do an all-around amazing job hosting servers,
their interface is great, their datacenters are top-notch, etc.</p>
<p>But like every other hosting company out there, IPv6 isn’t yet a first-class
citizen. Oh, it’s supported all right. The official way to make it work involves
not one, not two, but <em>three</em> configuration methods:</p>
<ul>
<li>The address must be configured statically, manually</li>
<li>They use Prefix Delegation (PD), so you have to run a DHCPv6 client to get the
prefix delegated to you</li>
<li>And then you need a default route, and since they don’t implement the
DHCPv6 extension for this (yet?), you have to accept SLAAC (stateless
address autoconfiguration) Router Advertisements (RAs).</li>
</ul>
<p>So, generally, on Linux, this is a bit of a hassle. You come and configure your
static address, the kernel accepts RAs by default so that’s taken care of, and
then you configure a DHCPv6 client (they have a nice tutorial for that) and
you’re good to go.</p>
<p>Of course, there’s a catch: the title of that post says “with libvirt” and
I wouldn’t have written a blog post to tell you “they have a good tutorial, just
follow it!”.</p>
<p>So libvirt is a common interface for a bunch of virtualization technologies
(Xen, Qemu/KVM, bhyve, virtualbox, etc…). It also does a bunch of nice stuff
for you, like set up a SPICE or a VNC server for each VM, handle the resource
management in a standardized way, all that stuff. But it also handles the
network stuff for you. Which is really nice in a way, since it sets up a bridge
for the VMs to communicate, firewall rules for forwarding and stuff, a DHCP
server for the VMs, etc. And you can configure it however you want! I can just
bridge out to the NIC, or set up a v4 NAT, or whatever. It’s really nice. But
then you turn on IPv6 in your libvirt network config. And just like that, poof,
your host’s v6 connectivity goes down.</p>
<p>That’s weird. Reboot, the v6 connectivity doesn’t even go up! Even tho you have
an address and … wait, the default route is gone?</p>
<p>Yeah, so <em>here’s</em> the catch. libvirt, when it starts up and one of the
configured networks has v6 enabled, launches a Router Advertisement daemon
(radvd) and starts sending RAs to <em>all host interfaces</em>. <strong>TO ALL OF THE HOST’S
INTERFACES!!</strong> But it doesn’t know any default route to advertise on the egress
interface, so it just sends an RA without a default route. And, of course, Linux
sees that and overwrites the old default route it received from the earlier RA,
because <em>of course</em> a newer RA would have better information, <em>even</em> if it says it
has no route. There’s a second trap in the same area worth checking for: once
IPv6 forwarding is turned on for the host (which a routed or NATed v6 libvirt
network needs), the kernel stops accepting RAs on every interface unless that
interface’s <code>accept_ra</code> sysctl is 2 rather than the default 1, so a
default route that got lost never comes back on its own.</p>
<p>Anyway, so now there isn’t an easy answer to this, so I went the cheap and
dirty route: I disabled the libvirtd service, and wrote the following into my
<code>/etc/network/interfaces</code>:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">iface eth0 inet6 static
    address 2001:bc8:30b9:<whatever>/64
    # 2 = keep accepting RAs even when IPv6 forwarding is on
    accept_ra 2
    post-up ip6tables-restore < /etc/ip6tables.conf
    # wait for the RA-learned default route, save it, start libvirtd (which
    # will clobber the route), then put the saved route back
    post-up sleep 30; \
        echo $(ip -6 r | grep default | cut -d ' ' -f 3) > /tmp/v6_route ; \
        systemctl start libvirtd; \
        sleep 10; \
        ip -6 r a default via $(cat /tmp/v6_route)
    pre-down ip6tables-save > /etc/ip6tables.conf
</pre></div>
<p>(yeah, I know the code block is )</p>
<p>So, okay. Please, consider this. Yes, this is absolutely disgusting. But it
<em>works</em>. </p>
<p>Please don’t hit me</p>
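<p>If you’d rather not rely on fixed sleeps, here is an added example (not the
post’s own script) of a small watchdog that does the same job from a loop: it
parses <code>ip -6 route show default</code>, remembers the last gateway seen on the
uplink, re-adds it the moment it disappears, and warns when the interface is
forwarding with <code>accept_ra</code> set to anything but 2, which is the
combination under which the kernel ignores RAs. The interface name
<code>eth0</code> is an assumption, the sample <code>ip</code> output is constructed,
and the script needs root to actually re-add a route.</p>

```python
"""Watchdog for the disappearing IPv6 default route (added example, not the
post's own code). Parses `ip -6 route show default`, remembers the last good
gateway on the uplink, re-adds it when it vanishes, and warns when the
interface's accept_ra/forwarding combination means RAs are being ignored.
SAMPLE_IP_OUTPUT is constructed for the offline check, not captured."""
import re
import subprocess
import time

ROUTE_RE = re.compile(
    r"^default via (?P<via>\S+) dev (?P<dev>\S+)(?:.*\bmetric (?P<metric>\d+))?")

# Constructed sample of `ip -6 route show default` output (not a real capture).
SAMPLE_IP_OUTPUT = (
    "default via fe80::1 dev eth0 proto ra metric 1024 expires 1766sec hoplimit 64 pref medium\n"
    "default via 2001:db8::1 dev virbr0 metric 2048 pref medium\n"
)


def parse_default_routes(ip_output: str):
    """Turn `ip -6 route show default` output into a list of {via, dev, metric}."""
    routes = []
    for line in ip_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"via": m["via"], "dev": m["dev"],
                           "metric": int(m["metric"]) if m["metric"] else None})
    return routes


def ra_routes_honoured(accept_ra: int, forwarding: int) -> bool:
    """Kernel rule for net.ipv6.conf.<if>.accept_ra: 0 = never accept RAs,
    1 = accept only while the interface is not forwarding, 2 = accept regardless.
    Turning on forwarding with accept_ra=1 therefore silently stops RA-learned
    default routes from ever being refreshed."""
    if accept_ra == 2:
        return True
    return accept_ra == 1 and forwarding == 0


def restore_argv(saved, current):
    """argv that re-adds the saved default route, or None if one is present."""
    if current or saved is None:
        return None
    return ["ip", "-6", "route", "add", "default", "via", saved["via"], "dev", saved["dev"]]


def read_sysctl(dev: str, name: str) -> int:
    with open(f"/proc/sys/net/ipv6/conf/{dev}/{name}") as f:
        return int(f.read().strip())


def watch(dev: str = "eth0", interval: int = 30):
    """Poll forever; re-install the uplink default route whenever it is gone."""
    saved = None
    while True:
        out = subprocess.run(["ip", "-6", "route", "show", "default"],
                             capture_output=True, text=True, check=False).stdout
        current = [r for r in parse_default_routes(out) if r["dev"] == dev]
        if current:
            saved = current[0]               # remember the last good gateway
        else:
            argv = restore_argv(saved, current)
            if argv:
                print("default route on", dev, "gone, restoring via", saved["via"])
                subprocess.run(argv, check=False)
        if not ra_routes_honoured(read_sysctl(dev, "accept_ra"), read_sysctl(dev, "forwarding")):
            print(f"warning: {dev} is forwarding with accept_ra != 2; RAs are being ignored")
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

<p>The watchdog only ever re-adds a gateway it has previously seen on the uplink,
so a bogus RA on the libvirt bridge cannot trick it into installing a route through
a VM; a route added this way is static, though, so it will not expire when the
provider’s router really does go away.</p>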
<p>Anyways, if you were looking for a way to make this work, here it is.</p>
<h1>RPGs, teardowns, ...</h1>
<p>2017-06-16T21:52:00+02:00, tag:wxcafe.net,2017-06-16:/posts/RPGs,_teardowns,_.../</p>
<p>It’s starting to look more and more like a real blog here, I make fewer posts
about a specific thing and more about what I’ve done recently. I mean sure it’s
only been two months but still.</p>
<p>Anyway. What’d I do this past month? Well, not much. I didn’t get much time,
cause of school work. Thankfully tho I’m done with that for a while.</p>
<p>Anyways, here’s what I <em>did</em> do:</p>
<ul>
<li>First, I made a bunch of posts (in French) about pen and paper RPGs on
<a href="https://imaginair.es/tags/unjourunjdr">that hashtag</a>. These talk only about
indie RPGs that I like, and there’s like 6 of them. I stopped doing them when
I started working on the school stuff, but I might start again (not once a day
tho, but still) in a while.</li>
<li>I also moved social.wxcafe.net from a VPS on Vultr to a VM on the same server
that hosts imaginair.es</li>
<li>Since then, I also moved that server to another one, still at Online.net,
taking advantage of the summer sales. I’ve been having some issues with IPv6
recently for some reason, but I’m still debugging that for now. It’s not that
much of a blocking bug, as I can just reboot and that fixes it, but it’s still
2-5 minutes downtime every time the IPv6 disconnects, and it’s a bother.
I didn’t have that problem on the older server for some reason, with the exact
same configuration. But yeah IPv6 with Online.net has always been finicky, so
I guess it’s to be expected. I’ll try to spend some time fixing this in the
next month or so… But it might just end up working fine on its own after
a while. IDK.</li>
<li>uh I guess that’s pretty much it? I’ve painted some miniatures at
https://imaginair.es/@wxcafe, too, and I’m pretty excited for HOU prerelease,
but that’s beyond our concern here I think.</li>
</ul>
<p>Hmm. That doesn’t feel a lot like a real blog post. I might just do another one
in the coming days, but that’s all I got for you for now.</p>
<p>See ya…</p>
<p>P.S.:
Oh wait I said I’d talk about teardowns! I’ll do that in that next post then.
Not only does that clearly separate concerns, it also makes this post have
a great misleading title, which is perfect.</p>
<h1>mastodon</h1>
<p>2017-05-20T18:18:00+02:00, tag:wxcafe.net,2017-05-20:/posts/mastodon/</p>
<p>…</p>
<p>So. What have I been up to these last weeks, you ask (or maybe you don’t care,
in which case I’m gonna tell you anyway, cause it might still be interesting to
you).</p>
<p>Also, why am I writing this blog post? Why, you see, I made a promise of some
kind (I’m also kinda cheating here, but whatever). I have a patreon now
(<a href="https://patreon.com/wxcafe">here</a>). I ask for money to fund the Mastodon
server I’m running, <a href="https://social.wxcafe.net">here</a>, that has almost 900 users
at the time of writing. I say <em>server</em>, but it’s actually <strong>servers</strong>, since I’m
also hosting <a href="https://imaginair.es">this one</a>, less general-purpose and more geared
towards creators and people who enjoy what we call “les cultures de
l’imaginaire” in french, which loosely include SF/Fantasy type settings, role
playing games, TCGs, etc. More on that one soon, but for now let’s stay on
subject : why am I writing this blog post? Well, enough people were nice (or
foolish, depending on your opinion of me) enough to give me money that now
I have to keep my engagement to write a blog post a month (which means you’ll
see way more posts since the last one is from… february (and I had to check)).</p>
<p>Anyway, yeah. That’s mostly what I’ve been up to these last few weeks. I’ve
started hosting a mastodon server on social.wxcafe.net about a month back, I’ve
spent a while working on the mastodon codebase and issue tracker (I haven’t had
time to do that as much as I’d like lately, I’ve been working on other projects
with more urgent deadlines…), and the imaginair.es project started developing
with the help of <a href="https://imaginair.es/@Ekzael">Ekzael</a> and
<a href="https://imaginair.es/@Eutrapelie">Eutrapélie</a> about two and a half weeks ago.
I then worked a bit on automation and stuff (more on that soon) and the
imaginair.es mastodon instance was launched about a week and a half ago.</p>
<p>So, about imaginair.es. The idea with this is not to make it a single mastodon
instance, but rather to have it be a nebula of mastodon instances. Basically,
the main domain is to be an open discussion board, with creators and people
interested, as I said before, in SFF, etc. But then, seeing how mastodon could
be amazing for role playing, subdomains are available for, well, roleplaying
groups. Meaning you can get your own mastodon instance for your RP/RPG group,
and play online through that. I don’t know about you, but I think that mastodon
would be a pretty nice medium for that. Anyway, I’m going to talk about the
technical details now so if you don’t care skip the next two paragraphs.</p>
<p>So, how do I plan on running that many mastodon instances (ah, the rhetorical
question, best friend of bloggers)? Well, that question requires a bit of
insight into how Mastodon works. First, Mastodon is comprised of three services:
web workers, a sidekiq process, and a streaming (websocket) server. Combined,
without much activity, these use up about 1 gig of RAM. I rent a <a href="https://www.online.net/en/dedicated-server/dedibox-classic">Dedibox Classic
2016</a> at Online.net,
a French provider. That server has 1 Xeon (6C/12T) at 2.2Ghz and 32 Gigs of RAM.
That means that I should have enough memory to run 32 low-activity servers,
which typically RP servers should be. That would be if I did traditional
virtualization (Xen, etc), but not with KVM/Qemu, because Linux now has
a feature called KSM (Kernel Samepage Merging), that allows it to merge memory
pages that are the exact same. Meaning if I run 10 mastodon instances on that
same server, that are all copies of one another, it <strong>should</strong> use only 1 gig of
RAM. Of course, since users are present and different from instance to instance,
since the content they post isn’t the same either, and since the system (like
all systems) isn’t perfect, it’s not 100% efficient. But I can envision hosting
at least 100 instances on that server, for about 30€/month.</p>
<p>“But isn’t that a security problem?” I hear you ask. Well, yes and no. Yes, it
could be a security problem, it <em>sounds</em> less secure than strictly separating
each VM and never letting them interact through the hypervisor. <strong>But</strong> given
the number of high-profile providers who use KVM/Qemu with KSM, I feel pretty
secure using it too, and we’ve seen more bugs in Xen than in KVM/Qemu (I’m talking
about KVM/Qemu specifically here, not about the kernel itself…) in recent
years. Anyway, if someone manages to get a shell on one of these and then gets
root and then uses KSM to jump between VMs and/or escape the VM entirely <strong>AND
THEN</strong> gets root on the host, well, I can only pray they’re not pissed at me
enough to fuck with my other machines.</p>
<p>Anyway, so here are the projects I’ve been working on these last weeks. I’m
gonna continue working on these, of course, even tho I have some more pressing
projects right now, and I hope they can be useful to some people. If you’d like
to join either, feel free, of course, and if you’d like to get a private RP
instance, HMU at <a href="https://social.wxcafe.net/@wxcafe">@wxcafe@social.wxcafe.net</a></p>
<h1>So I got an iPhone</h1>
<p>2017-02-11T17:38:00+01:00, tag:wxcafe.net,2017-02-11:/posts/so-i-got-an-iphone/</p>
<p>So I’ve been using an Android phone since I got an HTC Desire HD, I think in
late 2010, so for a little over 7 years. I went from 2.2 Froyo to 6.0.1
Marshmallow, and used basically all of the versions in between except
Honeycomb (3.x).</p>
<p>Before that, I had an iPhone 3GS, which I had a great deal of fun jailbreaking
on iPhone OS 3.1.2/3.1.3, and gave up at the end of iOS 4.</p>
<p>Of course, I had a lot of fun playing with the android phones too, flashing the
bootloaders, installing “custom ROMs”, and even different OSes on some of them.
That was all fine when I was looking to <em>play</em> with my phones, I had <em>time</em> to
do so, and it didn’t really matter to me if things were broken half the time.</p>
<p>I’m not in that situation anymore. As sad as it makes me to admit it, android,
or at least the experience I’ve had with it, doesn’t work consistently. There
are always small things that are broken that you have to constantly fix. There’s
always that <em>thing</em> that should work fine but doesn’t. And then there’s the
security aspect, which, I’m not even going to <em>try</em> going in there. Go look at
the list of CVEs on Android, look at those that are over severity 9, and have
a good laugh (or a good scare I guess).</p>
<p>Anyway, my phone (a Moto X Play, so supposedly a pretty flagship, not-too-modified
Android phone) was starting to require a reboot a day to keep on
receiving texts, which was <em>a slight problem</em> to me. I couldn’t fix it by
installing a clean “ROM”, because with all the ones I’ve tested on this phone
either the radio (so 2G/3G/4G) OR the wifi stops working, which is, as they say,
not optimal. I tried to fix it, nobody had the same problem, I couldn’t figure
out where it was coming from, whatever.</p>
<p>So I got an iPhone. Of course, another part in this is that I now have a regular
income, so buying an iPhone doesn’t mean eating pasta for two or three months
anymore.</p>
<p>Anyway. I bought an iPhone SE, because I want a headphones jack, and it was
cheaper. I can’t just churn out 770€ for a phone, even when I have regular
income. My first impression of that phone was that it was very lightweight, the
screen was pretty small, and it looked and felt very good. Everything looks like
it makes sense, on that phone.</p>
<p>The “first time on” experience is very good, with everything working fine, no
popups interrupting you from typing, the importation of data from your old phone
(be it an Android phone or an iPhone) is very easy and works perfectly. The
settings are all in one place, the third-party software works generally better
than on Android (okay, my bank’s app doesn’t work that well, but what do you
expect from a bank…). I have working push notifications in all my messaging
apps. My emails are not in an app called “Gmail”, but in an app called “emails”.
I don’t need a google account to use my phone. I <em>need</em> an apple account only to
get apps, but since that’s all I do with apple they have far less information on
me than google has in the same situation.</p>
<p>For some reason, even though the screen is smaller, the soft keyboard seems to
work better for me, I hit the keys that I want more often, which is a pretty
important thing because autocorrect doesn’t always work for me, since I type in
two languages using the same keyboard. AUTOCORRECT WORKS FOR MULTIPLE LANGUAGES
OUT OF THE BOX! You don’t need to download a recent update to Google Keyboard to
be able to enable it in a submenu of the settings, you just get the dictionary
and it starts correcting in multiple languages.</p>
<p>Okay, let’s talk about things I miss:</p>
<p>Firstly, I miss having <a href="https://github.com/mariotaku/twidere">Twidere</a> with an
official twitter API key. Being able to have all the features of the official
twitter client in an app that doesn’t suck (and Twidere is actually amazing).
I use <a href="https://tapbots.com/tweetbot/">Tweetbot</a> instead, and it’s great, but
since it doesn’t use the leaked official Twitter API keys, it can’t do what
Twidere does. I guess that’s on twitter being assholes.</p>
<p>Secondly, I miss being able to copy files from my computers to my phone. Android
phones use MTP, which is a shitty protocol but works with Linux and Windows (and
very badly with OSX). iPhones use the iTunes sync thingy, which works for OSX
and Windows as long as you have iTunes installed, aaaaaand doesn’t on Linux.
Well, there’s <a href="http://www.libimobiledevice.org/">libimobiledevice</a>, which at the
time I was using an iPhone 3GS was described as “teaching penguins to talk to
fruits”. It works, but the version packaged on Debian is not the latest one, so
it can’t talk to iOS 10. I tried installing the latest one manually, which
worked, but for some reason the desktop still can’t detect the iPhone, so I can
mount it with <code>ifuse</code> but I can’t do anything with it since none of the software
that could use that mount actually detects it. Anyway.</p>
<p>Third, I miss… wait, no, actually, I think that’s it. Everything else works
just the way I want.</p>
<p>Anyway, that was the story of how I got an iPhone. I won’t be jailbreaking it,
but I’ll be posting stuff here if I find out how to make that thing work with my
Linux computers.</p>
<h1>Key Migration</h1>
<p>2016-12-29T03:49:00+01:00, Wxcafé, tag:wxcafe.net,2016-12-29:/posts/key-migration/</p>
<p>Here’s a signed message about my key migration</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
</pre></div>
<p><br/>
Hey</p>
<p>I’m at 33c3 at the moment, and I was inspired to make a new GPG key, since my
old one is from 2012 (and was revoked by me almost 6 months ago), and back
then I didn’t do it the way I’d like to now</p>
<p>Anyways, so I made a new key, <strong>0x58dd226b3ea71dc7</strong>, which is both on
<a href="http://pgp.mit.edu/pks/lookup?op=vindex&search=0x58DD226B3EA71DC7">pgp.mit.edu</a>
and <a href="https://pub.wxcafe.net/wxcafe.asc">here</a>. Of course, in this
kind of situation you’re supposed to publish a message signed with both keys.
However, since I revoked the old one without thinking about this a few months
ago, it would be basically meaningless. Moreover, basically all the signatures
on that old key were from keys that have expired since then, so it’s not like that
old key was very trustworthy either.</p>
<p>Anyways, I’m signing this with the new key, and I’m also including <a href="https://twitter.com/Wxcafe/status/814300732849553408">this
link</a> to a tweet I made,
which contains the key ID.</p>
<p>This should suffice to link this key to my identity, and I hope to gather some
signatures at 33c3 too 😃💯🚀</p>
<p>Thanks for your understanding</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
</pre></div>
<p>I’m also linking this message <a href="https://pub.wxcafe.net/key_migration.asc">over
here</a> so that even if you can’t verify
this by copy/pasting from the webpage you can still get the message unmodified
and verify it.</p>
<p>Thank you</p>
<h1>Email Security</h1>
<p>2016-12-24T00:24:00+01:00, Wxcafé, tag:wxcafe.net,2016-12-24:/posts/email-security/</p>
<p>So, nowadays, everyone knows emails are <strong>not</strong> secure. If you didn’t know that,
you should. Emails are to be treated like postcards: everyone between you and
the person you’re talking to can read them. Don’t write military secrets in
them. Back in the good old days, when the protocols they rely on were devised,
the people creating them didn’t really need to secure them (and they didn’t have
computers powerful enough to do encryption. Emails are <strong>old</strong>. Like, really
old. Like older than I am. By decades.)</p>
<p>There are, of course, a few methods to “secure” email. I’m ready to bet at this
point over 75% of the people reading this are at least thinking very hard “PGP”.
Some might be thinking “S/MIME”. Maybe a few of you who didn’t think I was
talking about encryption by the user are thinking about STARTTLS in SMTP, or
SPF/DKIM/DMARC.</p>
<p>If the previous paragraph confused you, even a bit, there’s a very good
summary of these things in the latest issue of <em>the IP Journal</em>,
<a href="http://ipj.dreamhosters.com/wp-content/uploads/issues/2016/ipj19-3.pdf">here</a>
(pdf). I’m also going to start mirroring the issues of that journal at
<a href="https://wxcafe.net/pub/IPJ/">https://wxcafe.net/pub/IPJ/</a>. I encourage you to
subscribe to the paper version of the IP Journal; it’s <strong>free</strong> and the content
is generally very good and informative.</p>
<p>That was all, see ya</p>
<h1>OpenVPN on OpenBSD</h1>
<p>2016-11-30T23:59:00+01:00, Wxcafé, tag:wxcafe.net,2016-11-30:/posts/openvpn-openbsd/</p>
<p>So this is a small article, because I wanted to see if I could write more if
I just wrote small things like that about a single, simple thing I did, without
too much detail and fluff.</p>
<p>Also, I’m writing this in English, while I usually write in French. I’m
switching language because I believe English is a lot easier to express
technical concepts in, or at least I’m more fluent in it when it comes to
expressing technical concepts, and I believe now that my audience (at least, the
people I know/talk to on twitter/IRC/etc…) speak or read English much more
than French, and so it makes more sense for me to write in English here.
Therefore, I’ll be writing in English only on this blog from now on.</p>
<p>(French version:)
Also, I’m writing this in English, whereas I usually wrote here in French. I’m
switching languages because it seems to me that it is easier to express
technical concepts in English than in French, or at least that it is easier for
me personally, but also because I think my audience (or at least, the people I
know/talk to on twitter/IRC/etc…) speak or read English much more than French,
and so it makes more sense for me to write in English here.
I will therefore only be writing in English on this blog from now on.</p>
<p>So, now that that’s done, I can go on and write that “small article” I promised
at the top.</p>
<p>So, the idea is that I had a FreeBSD OpenVPN box that I used to have
a semi-decent Internet connection while at school (my school blocks all ports
that are not tcp/80, tcp/443 or udp/53, basically. And apparently udp/443
too…). I wanted to try running that VM on OpenBSD, because of three things:</p>
<ol>
<li>I really like OpenBSD, and wanted to have a VM that I could do some
experiments on without breaking all of my stuff,</li>
<li>I found a way to run OpenBSD on the provider I used for that box,
<a href="https://vultr.com">vultr</a>, and</li>
<li>why not?</li>
</ol>
<p>Anyway, so once you’ve installed the OS, the first thing to do is</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas pkg_add openvpn
</pre></div>
<p>…</p>
<p>well okay the first thing to do is to</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span># vi /etc/doas.conf
</pre></div>
<p>and put this in it:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>permit keepenv :wheel as root
permit nopass root as root
</pre></div>
<p>Once this is done, you can go and install the packages, and then create the
CA:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas pkg_add vim openvpn easy-rsa
$ <span style="color: #f8f8f2">cd</span> /usr/local/share/easy-rsa
$ doas ./easyrsa init-pki
$ doas ./easyrsa gen-dh
$ doas ./easyrsa build-ca <span style="color: #f92672">[</span>nopass<span style="color: #f92672">]</span>
$ doas ./easyrsa build-server-full <span style="color: #f92672">[</span>CN of the server<span style="color: #f92672">]</span> <span style="color: #f92672">[</span>nopass<span style="color: #f92672">]</span>
$ doas ./easyrsa build-client-full <span style="color: #f92672">[</span>CN of a client<span style="color: #f92672">]</span> <span style="color: #f92672">[</span>nopass<span style="color: #f92672">]</span>
</pre></div>
<p>please note that you can use passwords on all of those, but then you’ll have to
type them every time you use one of them. I see no problem with having
a password on the CA and the client, but the server should be able to restart by
itself in my opinion.</p>
<p>Anyway, now we can write the config for OpenVPN:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas mkdir /etc/openvpn/
$ doas vim /etc/openvpn/openvpn.conf
</pre></div>
<p>We’ll run with these settings:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>dev tap
tls-server
cert /usr/local/share/easy-rsa/pki/issued/[CN of the server].crt
key /usr/local/share/easy-rsa/pki/private/[CN of the server].key
ca /usr/local/share/easy-rsa/pki/ca.crt
dh /usr/local/share/easy-rsa/pki/dh.pem
proto udp
port 53
verb 3
status /var/log/openvpn-status.log
ifconfig 172.16.0.10 255.255.0.0
route-gateway 172.16.0.10
persist-key
persist-tun
keepalive 10 120
server 172.16.0.0 255.255.0.0
client-to-client
# tls-cipher takes a single colon-separated list, not space-separated names
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
push "route 172.16.0.0 255.255.0.0"
</pre></div>
<p>Of course, feel free to edit that to match whatever you need.</p>
<p>Anyway, the next thing we need to do is to configure pf.</p>
<p>What, you thought that was it? Of course we’re gonna filter this, it’s an
internet-facing server!</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas vim /etc/pf.conf
</pre></div>
<p>So, here is the pf configuration file:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span># $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set block-policy drop
set skip on lo0
block return in on ! lo0 proto tcp to port 6000:6010
match in all scrub (no-df random-id max-mss 1440)
block log all
match out on egress from (tap0:network) to any nat-to (egress:0)
pass out quick
# ssh
pass in on egress proto tcp from any to (egress) port 22
# mosh
pass in on egress proto udp from any to any port 60000:61000
# snmp
pass in on egress proto udp from [IP of my SNMP server] to any port 161
pass in on egress proto udp from [IPv6 block of my SNMP server]/48 to any port 161
# openvpn
pass in on egress proto udp from any to (egress) port 53
pass in on egress proto udp from any to (egress) port 443 rdr-to (egress:0) port 53
pass in on tap0
</pre></div>
<p>So, this should be easy enough to read, but just in case: we skip lo, we block
X11 (tcp ports 6000:6010), we scrub weird packets, and we block and log
everything by default.</p>
<p>Then, we NAT everything that comes out of the VPN towards the ’net. We let what
comes from the server itself out too, tho that could be improved…</p>
<p>The next three blocks are easy, and then in the OpenVPN block we let in
udp/53, we redirect udp/443 to udp/53, and we let everything in from the
VPN.</p>
<p>We have to reload pf and add a sysctl knob if we want to actually route packets
coming from the VPN:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas pfctl -f /etc/pf.conf
$ echo 'net.inet.ip.forwarding=1' | doas tee -a /etc/sysctl.conf
$ doas sysctl net.inet.ip.forwarding=1   # sysctl.conf is only read at boot, so apply it now too
</pre></div>
<p>And now, we simply enable the OpenVPN service, and we’re done:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>$ doas rcctl <span style="color: #f8f8f2">enable</span> openvpn
$ doas rcctl <span style="color: #f8f8f2">enable</span> pflogd
$ doas rcctl start openvpn
$ doas rcctl start pflogd
$ doas rcctl ls on <span style="color: #75715e"># to check</span>
</pre></div>
<p>That’s it! It was actually pretty easy, I guess.</p>
<p>Also, if you don’t know what’s wrong and want a detailed log, run
<code>/usr/local/sbin/openvpn --verb 11 --config /etc/openvpn/openvpn.conf</code></p>
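<p>An added example, not from the post: a POSIX sh check for an openvpn.conf like the one above, to run before <code>rcctl start openvpn</code>. It verifies that the cert/key/ca/dh files the config references exist, that the private key is not readable by group or others, that tls-cipher is a single colon-separated list (OpenVPN takes one argument there), and prints the proto/port pair so it can be matched against the pf rules. OpenVPN’s defaults of udp and 1194 are assumed when proto or port are absent.</p>

```shell
#!/bin/sh
# Sanity-check an OpenVPN server config before starting the service: referenced
# PKI files exist, the private key is not group/world readable, and tls-cipher
# is one colon-separated list (a space-separated list is a config error).

# conf_value CONF DIRECTIVE: value of the first matching directive, like OpenVPN
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_openvpn_conf CONF: 0 if all checks pass, 1 otherwise, 2 if unreadable
check_openvpn_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    for directive in cert key ca dh; do
        path=$(conf_value "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "$directive: directive missing"; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"; rc=1; continue
        fi
        if [ "$directive" = key ]; then
            # columns 5-10 of the ls mode string are the group and other bits
            mode=$(ls -ld "$path" | cut -c1-10)
            if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
                echo "key: $path is readable by group or others ($mode)"; rc=1
            fi
        fi
    done
    if ! awk '$1 == "tls-cipher" && NF != 2 { bad = 1 } END { exit bad }' "$conf"; then
        echo "tls-cipher: must be a single colon-separated list"; rc=1
    fi
    return $rc
}

# openvpn_listen CONF: "proto/port" the server will bind, with OpenVPN's
# defaults (udp, 1194) when the directives are absent; compare with the pf rules
openvpn_listen() {
    proto=$(conf_value "$1" proto)
    port=$(conf_value "$1" port)
    echo "${proto:-udp}/${port:-1194}"
}
```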
<p>Seeya!</p>
<h1>PoC||GTFO; now on a NEW MIRROR near you thanks to A NETWORKING STUDENT and world-famous NGINX REDIRECTION</h1>
<p>2016-10-12T16:31:00+02:00, Wxcafe, tag:wxcafe.net,2016-10-12:/posts/PoC||GTFO/</p>
<p>The title says pretty much everything: I recently started reading PoC||GTFO
(Proof of Concept OR Get The Fuck Out), which I had heard about for a few years
but had never managed to find the time to read until now. That is now done (I
printed them, it’s more comfortable; you can see quite a few excerpts on
<a href="https://twitter.com/wxcafe">twitter</a>).</p>
<p>For those who wouldn’t be aware, I’ll summarize quickly: PoC||GTFO is a
journal published since 2013 by a small group made up of quite a few people
doing computer security (Manul Laphroaig, the Grugq, Ange Albertini, among
others…) and composed of articles submitted by many people on technical
subjects generally centered on security and/or exploitation. A very specific
tone, and many easter eggs hidden in each issue, combined with the exceptional
quality of the articles, very quickly made this journal known. Since one of the
clauses of the license allowing you to read it is that you share it, I’m
making a mirror.</p>
<p>The mirror is located here: <a href="https://wxcafe.net/pub/PoC||GTFO">https://wxcafe.net/pub/PoC||GTFO</a>.
Note that https://wxcafe.net/pub must be distinguished from
https://pub.wxcafe.net, and that other interesting publications might one day
end up in that folder (I’ll make a post to announce it when that happens, or
not.)</p>
<p>Informationally,</p>
<h1>Router redundancy, with OpenBSD and FreeBSD</h1>
<p>2016-07-29T17:53:00+02:00, Wxcafé, tag:wxcafe.net,2016-07-29:/posts/redondance-routeurs-openbsd-freebsd/</p>
<p>Since the start of my DUT (two years ago), I’ve discovered the world of
networking, whereas I was more of a systems person before. In the course of
that process, I’ve been able to observe a few strange customs of that field.
Thus, in that strange domain, it sometimes happens that one wants a network
that stays stable for a relatively long period. Obviously, this turns out to be
a Complex® problem, notably because of the different network hardware
manufacturers, and the different operating systems of the machines that push
the kittens through the pipes.</p>
<p>Anyway, in general this problem is solved in a relatively simple way: by
using a stable system, <em>for example</em> OpenBSD. However, that’s not always
enough: you can also run into hardware failures. And even OpenBSD can run into
software problems too, from time to time. So I hear. I read something about it
somewhere.</p>
<p>Anyway, after this completely objective intro, we’re going to talk about
router redundancy (that is, setting up two hardware routers at the same time,
with one taking over from the other in case of a problem). We’ll also make them
use two different external networks (from separate operators, for example),
for good measure.
Since this was originally a project for my DUT, and we only did Linux there, I
decided to do it with an OpenBSD and a FreeBSD, on a laptop and a Cubieboard 2
(an ARM board I had lying around), using VLANs (since they each have only one
NIC). That’s also why there’s a FreeBSD: the Cubieboard supports OpenBSD rather
poorly (at least in my experience).</p>
<p>First of all, I’ll put <a href="https://pub.wxcafe.net/static/redondance.pdf">here</a>
the report produced for my DUT, as the TL;DR tradition demands (can you smell
my LaTeX?). If you don’t want to read this explanation, you can read the other
one, which is a PDF aimed at DUT teachers. If you are a DUT teacher I imagine
it could be interesting.</p>
<p>OK, so the first thing to do is to define a few things. Redundancy, as we
said, is having several pieces of equipment performing a similar task, so that
if one fails the other takes its place without interruption. A few acronyms:</p>
<ul>
<li>
<p>CARP, <em>Common Address Redundancy
Protocol</em>, is a protocol (developed by OpenBSD to replace VRRP) that
provides redundancy between IP devices, by letting them share an IP address
and switching quickly if there is a problem with one of the devices.</p>
</li>
<li>
<p>PF, <em>Packet Filter</em>, is the firewall of OpenBSD and FreeBSD.
Well, different versions of it. But the idea is there. (In practice, the
FreeBSD version is older but supports multiple CPUs, unlike OpenBSD’s (but
then, we all know about OpenBSD’s multi-CPU support…).)</p>
</li>
<li>
<p>PfSync, <em>Packet Filter Synchronisation</em>, is a service that
synchronises the state table of two PF instances. That way, when one of the
two crashes, the second can take over the connections in progress and avoids
cutting off too many transmissions.</p>
</li>
<li>
<p>IfStated is a small program that regularly checks the state of a network
interface and runs commands depending on that state.</p>
</li>
</ul>
<p>OK, now that these definitions are clear, let’s move on to the
implementation. The OpenBSD system will be the primary server, and the FreeBSD
one the replica, because OpenBSD is capable of multipath routing (splitting
traffic equally between two routes), which FreeBSD cannot do. So, if R1 (the
OpenBSD machine) is primary, it can forward part of the traffic to R2 (the
FreeBSD machine). If it stops working, R2 doesn’t need to do multipath, since
at that point only one valid route is still available.</p>
<p>The first thing to do is to configure the network on our two machines.
Since they both have a single network interface, we use VLANs (together with a
proper switch; I’ll let you find the configuration for it. The two machines
must be connected to trunk ports). VLAN 300 will be used for the internal
network, 400 for external network A and 500 for external network B. So we will
have a network that looks like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>╭──╮     ╭─────────────╮     ╭──╮
│  │     │   Switch    │     │  │
│R1│     │             │     │R2│
│  │     │             │     │  │
╰──╯     ╰─────────────╯     ╰──╯
 ╚════════╝          ╚═════════╝
</pre></div>
<p>physically, and this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>          ╔══════╗  ╔══════╗
╭──╮   ╭────╮   ╭─────╮   ╭────╮   ╭──╮
│OP│   │    │   │     │   │    │   │OP│
│  │   │ R1 │   │ LAN │   │ R2 │   │  │
│A │   │    │   │     │   │    │   │B │
╰──╯   ╰────╯   ╰─────╯   ╰────╯   ╰──╯
 ╚════════╝                 ╚════════╝
</pre></div>
<p>at the network level.
We will also use the network 30.30.30.0/24 on the internal network for this
example.</p>
<p>To do that, we configure the routers like this:</p>
<h4>R1 (OpenBSD):</h4>
<p><strong>/etc/hostname.em0:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>up
</pre></div>
<p><strong>/etc/hostname.vlan0:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>inet 30.30.30.1 255.255.255.0 30.30.30.255 vlan 300 vlandev em0
</pre></div>
<p><strong>/etc/hostname.vlan1:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>dhcp vlan 400 vlandev em0
</pre></div>
<h4>R2 (FreeBSD):</h4>
<p><strong>/etc/rc.conf</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>[...]
vlans_dwc0="300 500"
ifconfig_dwc0_300="inet 30.30.30.2 netmask 255.255.255.0"
ifconfig_dwc0_500="DHCP"
</pre></div>
<p>Once this is done, our machines are configured on their respective external
networks (via DHCP; adapt if your external network uses another method) and on
the internal network. You must of course replace the interface names
(<code>em0</code>, <code>dwc0</code>) with the names of the interfaces present on your
machines.</p>
<p>We will now configure the redundancy itself with CARP. The network we will
end up with looks like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>               ╭───────╮
         ╔═════│  VIP  │═════╗
         ║     ╰───────╯     ║
         ║         ║         ║
╭──╮   ╭────╮   ╭─────╮   ╭────╮   ╭──╮
│OP│   │    │   │     │   │    │   │OP│
│  │   │ R1 │   │ LAN │   │ R2 │   │  │
│A │   │    │   │     │   │    │   │B │
╰──╯   ╰────╯   ╰─────╯   ╰────╯   ╰──╯
 ╚════════╝                 ╚════════╝
</pre></div>
<p>CARP configuration is actually done just like for a regular network
interface:</p>
<h4>R1:</h4>
<p><strong>/etc/hostname.carp0:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>vhid 125 pass pwd12345 carpdev vlan0 advbase 3 advskew 1 state master
30.30.30.254 netmask 255.255.255.0
</pre></div>
<h4>R2:</h4>
<p><strong>/etc/rc.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #66d9ef">[...]</span>
<span style="color: #a6e22e">ifconfig_dwc0_300_alias0</span><span style="color: #f92672">=</span><span style="color: #e6db74">"vhid 125 advbase 3 advskew 200 \</span>
<span style="color: #e6db74"> state backup pass pwd12345 alias 30.30.30.254/24"</span>
</pre></div>
<p>Once CARP is set up, we configure PF, to filter the flows we let through on
our network. The following configurations, different for R1 and R2 (since
FreeBSD and OpenBSD don’t use the same versions of PF), obviously need to be
adapted to your installation: they are very minimal (not even letting http
through…)</p>
<h4>For R1:</h4>
<p><strong>/etc/pf.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>set skip on lo
# variable definitions
int="30.30.30.0/24"
ext="0.0.0.0/0"
int_addr="30.30.30.1"
int_if="vlan0"
ext_if="vlan1"
# default: block
block all
# packet checks, anti-spoofing
antispoof for $int_if
antispoof for $ext_if
# we let icmp through
pass proto icmp
# we set up NAT from the inside to the Internet, translating to the
# external interface's own address
pass in on $int_if from $int to any keep state
pass out on $ext_if from $int to $ext nat-to ($ext_if) keep state
# carp, pfsync and dhcp failover sync
pass out on $int_if proto carp keep state
pass quick on $int_if proto pfsync keep state
pass in on $int_if proto udp to any port 8067 keep state
pass out on $int_if proto udp to any port 8067 keep state
# we let SSH connections to the router through
pass in on $int_if proto tcp from $int to $int_addr port ssh keep state
pass out on $int_if proto tcp from $int_addr port ssh to $int keep state
</pre></div>
<h4>And for R2:</h4>
<p><strong>/etc/pf.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>set skip on lo
# variable definitions
int="30.30.30.0/24"
ext="0.0.0.0/0"
int_addr="30.30.30.2"
int_if="dwc0.300"
ext_if="dwc0.500"
# default: block
block all
# packet checks, anti-spoofing
antispoof for $int_if
antispoof for $ext_if
# we let icmp through
pass proto icmp
# we set up NAT from the inside to the Internet
nat on $ext_if from $int to any -> ($ext_if)
pass in on $int_if from $int to any keep state
pass out on $ext_if from any to $ext
# carp, pfsync and dhcp failover sync
pass out on $int_if inet proto carp keep state
pass quick on $int_if inet proto pfsync keep state
pass in on $int_if inet proto udp to port 8067 keep state
pass out on $int_if inet proto udp to port 8067 keep state
# we let SSH connections to the router through
pass in on $int_if inet proto tcp from $int to $int_addr \
    port ssh keep state
pass out on $int_if inet proto tcp from $int_addr port ssh \
    to $int keep state
</pre></div>
<p>Once PF is configured, we move on to pfsync, which synchronises the state of
two PF instances, even of different versions (I find this thing awesome):</p>
<h4>For R1:</h4>
<p><strong>/etc/hostname.pfsync0:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>syncdev vlan0 syncpeer 30.30.30.2
</pre></div>
<h4>And for R2:</h4>
<p><strong>/etc/rc.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>pfsync_enable="YES"
pfsync_syncdev="dwc0.300"
pfsync_syncpeer="30.30.30.1"
</pre></div>
<p>Let’s move on to ifstated. Since R1 supports multihoming but R2 doesn’t, we’ll
make it so that R1 has a multipath route to R2. That way, R1 (which is the
main machine for CARP, and therefore receives all the connections coming from
the internal network) forwards half of those connections to R2, which handles
them as needed. If R1 stops working, R2 takes over all the connections (thanks
to CARP), which are not interrupted (thanks to pfsync). If R2 stops working,
ifstated kicks in and removes the multipath route from R1 to R2, which avoids
forwarding half of the connections to a router that no longer works (that is
generally something to avoid).</p>
<p>Consequently, the ifstated configuration only has to be done on R1:</p>
<p><strong>/etc/ifstated.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>peer = '( "ping -q -c 1 -w 3 30.30.30.2>/dev/null" every 5 )'
state auto {
    if $peer
        set-state multihome
    if ! $peer
        set-state singlehome
}
state multihome {
    init {
        run "route add -mpath default 30.30.30.2"
    }
    if ! $peer
        set-state singlehome
}
state singlehome {
    init {
        run "route delete default 30.30.30.2"
    }
    if $peer
        set-state multihome
}
init-state auto
</pre></div>
<p>Finally, the last thing to configure is DHCP synchronization. It lets the
machines keep the same IP addresses even if one of the two routers stays down
for an extended period. So we configure <code>isc-dhcpd</code> on both routers,
as follows:</p>
<h4>R1:</h4>
<p><strong>/etc/dhcpd.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>authoritative;
ddns-update-style none;
failover peer "dhcp-failover" {
primary;
address 30.30.30.1;
port 8067;
peer address 30.30.30.2;
peer port 8067;
}
subnet 30.30.30.0 netmask 255.255.255.0 {
option routers 30.30.30.254;
option domain-name-servers 30.30.30.254;
pool {
failover peer "dhcp-failover";
max-lease-time 86400;
range 30.30.30.10 30.30.30.250;
}
}
</pre></div>
<h4>And for R2:</h4>
<p><strong>/usr/local/etc/dhcpd.conf:</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>authoritative;
ddns-update-style none;
failover peer "dhcp-failover" {
secondary;
address 30.30.30.2;
port 8067;
peer address 30.30.30.1;
peer port 8067;
}
subnet 30.30.30.0 netmask 255.255.255.0 {
option routers 30.30.30.254;
option domain-name-servers 30.30.30.254;
pool {
failover peer "dhcp-failover";
max-lease-time 86400;
range 30.30.30.10 30.30.30.250;
}
}
</pre></div>
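<p>The two dhcpd.conf files above must be exact mirrors of each other (role
flipped, address and peer address swapped, identical pool), and a mismatch
fails silently. As an added example, not from the original post, here is a
small cross-check that parses just the subset of dhcpd.conf used in this post
and reports every disagreement between the two files; the configs embedded in
it are the ones from the post plus a deliberately broken R2.</p>

```python
"""Cross-check a primary/secondary isc-dhcpd failover pair.

Added example, not from the original post: parses only the subset of
dhcpd.conf used above (failover peer block, pool failover reference,
range, max-lease-time) and reports every way the two files disagree.
"""
import re
from typing import Dict, List


def parse_dhcpd(config: str) -> Dict[str, str]:
    """Extract the failover-relevant settings from one dhcpd.conf text."""
    block = re.search(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', config, re.S)
    if not block:
        raise ValueError("no 'failover peer' block found")
    body = block.group(2)
    info: Dict[str, str] = {"name": block.group(1)}
    if re.search(r"^\s*primary\s*;", body, re.M):
        info["role"] = "primary"
    elif re.search(r"^\s*secondary\s*;", body, re.M):
        info["role"] = "secondary"
    else:
        raise ValueError("failover block declares neither primary nor secondary")
    # Anchoring at line start keeps "address" from matching "peer address".
    for key, pattern in (
        ("address", r"^\s*address\s+(\S+)\s*;"),
        ("port", r"^\s*port\s+(\S+)\s*;"),
        ("peer_address", r"^\s*peer\s+address\s+(\S+)\s*;"),
        ("peer_port", r"^\s*peer\s+port\s+(\S+)\s*;"),
    ):
        found = re.search(pattern, body, re.M)
        info[key] = found.group(1) if found else ""
    pool = re.search(r"pool\s*\{(.*?)\}", config, re.S)
    pool_body = pool.group(1) if pool else ""
    ref = re.search(r'failover\s+peer\s+"([^"]+)"\s*;', pool_body)
    info["pool_peer"] = ref.group(1) if ref else ""
    rng = re.search(r"range\s+(\S+)\s+(\S+)\s*;", pool_body)
    info["range"] = f"{rng.group(1)}-{rng.group(2)}" if rng else ""
    lease = re.search(r"max-lease-time\s+(\d+)\s*;", pool_body)
    info["max_lease"] = lease.group(1) if lease else ""
    return info


def check_failover_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the list of mismatches; an empty list means the pair is consistent."""
    a, b = parse_dhcpd(cfg_a), parse_dhcpd(cfg_b)
    problems: List[str] = []
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        problems.append(f"roles are {a['role']}/{b['role']}, need one primary and one secondary")
    if a["name"] != b["name"] or a["pool_peer"] != a["name"] or b["pool_peer"] != b["name"]:
        problems.append("failover peer names differ or a pool references another peer")
    if a["address"] != b["peer_address"] or b["address"] != a["peer_address"]:
        problems.append("address / peer address are not mirrored between the two routers")
    if a["port"] != b["peer_port"] or b["port"] != a["peer_port"]:
        problems.append("port / peer port are not mirrored between the two routers")
    if a["range"] != b["range"]:
        problems.append(f"pool ranges differ: {a['range']} vs {b['range']}")
    if a["max_lease"] != b["max_lease"]:
        problems.append(f"max-lease-time differs: {a['max_lease']} vs {b['max_lease']}")
    return problems


# Constructed input: R1's dhcpd.conf as shown in the post.
R1_CONF = """\
authoritative;
ddns-update-style none;
failover peer "dhcp-failover" {
  primary;
  address 30.30.30.1;
  port 8067;
  peer address 30.30.30.2;
  peer port 8067;
}
subnet 30.30.30.0 netmask 255.255.255.0 {
  option routers 30.30.30.254;
  option domain-name-servers 30.30.30.254;
  pool {
    failover peer "dhcp-failover";
    max-lease-time 86400;
    range 30.30.30.10 30.30.30.250;
  }
}
"""
# R2 is R1 with the role flipped and the two addresses swapped (the swap goes
# through a placeholder so that "peer address" is swapped as well).
R2_CONF = (R1_CONF.replace("primary;", "secondary;")
           .replace("address 30.30.30.1;", "address TMP;")
           .replace("address 30.30.30.2;", "address 30.30.30.1;")
           .replace("address TMP;", "address 30.30.30.2;"))
# Constructed broken R2: wrong peer address and a shorter pool range.
R2_BROKEN = (R2_CONF.replace("peer address 30.30.30.1;", "peer address 30.30.30.3;")
             .replace("range 30.30.30.10 30.30.30.250;", "range 30.30.30.10 30.30.30.200;"))

if __name__ == "__main__":
    print("R1/R2:", check_failover_pair(R1_CONF, R2_CONF) or "consistent")
    print("R1/broken R2:", check_failover_pair(R1_CONF, R2_BROKEN))
```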
<p>And there we go! Our network now looks like this (I reused the diagram from
my report, I don’t have the energy to redo it in text form yet):</p>
<p><img alt="diagram" src="https://pub.wxcafe.net/img/schema_redondance_routeurs.png"></p>
<p>with PC1 representing the local network.</p>
<p>If you read the DHCP server configuration carefully, there is still a DNS
server to set up, listening on the virtual IP, and therefore presumably
synchronized between the two routers. Since it’s simple to set up and fairly
well documented elsewhere, I leave that task as an exercise for the reader.</p>
<hr>
<h1>Desire everywhere, time nowhere (Wxcafé, 2016-06-13)</h1>
<p>It’s been quite a while since I posted here, I’m well aware of it, so I’m
writing this little post to say that this is the case, why it is the case, and
that it won’t last.</p>
<p>I have a lot of things taking up a fair amount of my time right now,
notably:</p>
<ul>
<li>a job, I’m an intern</li>
<li>writing a report, since… I’m an intern</li>
<li>looking for a work-study placement for next year</li>
<li>a good number of assorted administrative procedures</li>
<li>insert other reason here.</li>
</ul>
<p>On the other hand, I have /a lot/ of things I’d like to talk about, notably:</p>
<ul>
<li>router redundancy, with CARP, PfSync, dhcpsync and ifstated</li>
<li>backing up network configs with Oxidized</li>
<li>misadventures with debian and nvidia</li>
<li>junk hacking on a Ukrainian e-reader</li>
<li>automated backups via puppet</li>
<li>other stuff that I’ve forgotten off the top of my head, but it’ll come back</li>
</ul>
<p>So don’t worry, I haven’t forgotten this blog, and I’ll be back soon.</p>
<hr>
<h1>Let’s Encrypt, at last (Wxcafé, 2015-12-13)</h1>
<h3>Update 2016-09:</h3>
<p>It’s been a while now (since May 2016, in fact) since the letsencrypt script
was renamed <code>certbot</code>. The repository is therefore now
<a href="https://github.com/certbot/certbot">https://github.com/certbot/certbot</a>, but
<code>letsencrypt-auto</code> is still a symlink to the right script, so there is no
need to change the commands.</p>
<hr>
<p>You may have noticed that this blog, among other sites I administer, has for
a few days been available only over HTTPS, with a valid certificate. Well, if
you’re here you’ve already heard of Let’s Encrypt, but for the two or three at
the back, let’s summarize:</p>
<p>LE is a new certificate authority (the people who validate SSL
certificates), backed by a non-profit organization, whose goal is to provide
valid certificates, automatically and for free. Their root certificate is
signed by IdenTrust, and is therefore considered valid by all modern
browsers.</p>
<p>OK, now that we’re all on the same page, let’s see how it works. For ten
days LE has been in public beta, so it is no longer necessary to list the
domains you want a certificate for on a form, as was the case during the closed
beta. The system relies on the ACME (Automatic Certificate Management
Environment) protocol, which completely automates certificate signing. As a
consequence, the certificates LE issues are only valid for 90 days, which would
be a huge pain with a classic certificate authority, but here simply means you
have to set up a cron job.</p>
<p>So, how do you set up your certificates? We’ll do it without modifying your
sites too much, and automating as much as possible. In its default mode, LE
uses a file on the website, whose existence the certification server checks
when handling the request (if the file is present with the right content, the
client really is running on that domain, and so the person who requested the
certificate really does control the domain). This file lives in a directory at
the web root, <code>.well-known</code>. Rather than bothering to manage that
directory for every one of our nginx vhosts, we’ll simply create an alias to a
common directory on the filesystem that all vhosts share, which also lets us
validate all the domains we want a certificate for in one go (with an AltName)
(on a single server, though. Well, if you really want to you can do
cross-server mounts (with sshfs or that kind of thing), but it’s a bit dirty
anyway. And you would still have to distribute the certificate afterwards,
so…).</p>
<p>So, we add this to our <code>server</code> blocks:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>location /.well-known <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">alias</span> /srv/letsencrypt/.well-known<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span>
</pre></div>
<p>(of course you have to create the directory.)<br>
Then, <code>git clone https://github.com/letsencrypt/letsencrypt</code>, into <code>/opt/</code> or
<code>/usr/local/</code>, it doesn’t matter, clone it somewhere, and cd into that
directory. Once there, request a certificate:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo ./letsencrypt-auto certonly <span style="color: #ae81ff">\</span>
-a webroot <span style="color: #ae81ff">\</span>
--webroot-path /srv/letsencrypt/ <span style="color: #ae81ff">\</span>
-d <domaine> <span style="color: #ae81ff">\</span>
-d <altName1> <span style="color: #ae81ff">\</span>
-d <altName2> <span style="color: #ae81ff">\</span>
--server https://acme-v01.api.letsencrypt.org/directory
</pre></div>
<p>Now we should have a valid certificate in
<code>/etc/letsencrypt/live/<domaine>/</code>. What remains is configuring nginx so
that it serves our sites over https using our new certificate. Personally, I
use a template that looks like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>server <span style="color: #f92672">{</span>
listen <span style="color: #ae81ff">80</span><span style="color: #f8f8f2">;</span>
listen <span style="color: #f92672">[</span>::<span style="color: #f92672">]</span>:80<span style="color: #f8f8f2">;</span>
server_name SERVERNAME<span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">return</span> <span style="color: #ae81ff">302</span> https://<span style="color: #f8f8f2">$server_name$request_uri;</span>
<span style="color: #f92672">}</span>
server <span style="color: #f92672">{</span>
listen <span style="color: #ae81ff">443</span> ssl<span style="color: #f8f8f2">;</span>
listen <span style="color: #f92672">[</span>::<span style="color: #f92672">]</span>:443 ssl<span style="color: #f8f8f2">;</span>
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem<span style="color: #f8f8f2">;</span>
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem<span style="color: #f8f8f2">;</span>
ssl_dhparam /etc/nginx/dhparams.4096<span style="color: #f8f8f2">;</span>
ssl_protocols TLSv1 TLSv1.1 TLSv1.2<span style="color: #f8f8f2">;</span>
ssl_ciphers <span style="color: #e6db74">"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"</span><span style="color: #f8f8f2">;</span>
ssl_prefer_server_ciphers on<span style="color: #f8f8f2">;</span>
add_header Strict-Transport-Security <span style="color: #e6db74">"max-age=15552000; includeSubDomains; preload"</span><span style="color: #f8f8f2">;</span>
root SERVERROOT<span style="color: #f8f8f2">;</span>
index index.html index.htm<span style="color: #f8f8f2">;</span>
server_name SERVERNAME<span style="color: #f8f8f2">;</span>
server_tokens off<span style="color: #f8f8f2">;</span>
client_max_body_size 5m<span style="color: #f8f8f2">;</span>
access_log /var/log/nginx/access.log<span style="color: #f8f8f2">;</span>
error_log /var/log/nginx/error.log<span style="color: #f8f8f2">;</span>
location /.well-known <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">alias</span> /srv/letsencrypt/.well-known<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span>
location / <span style="color: #f92672">{</span>
try_files <span style="color: #f8f8f2">$uri</span> <span style="color: #f8f8f2">$uri</span>/ <span style="color: #f92672">=</span><span style="color: #ae81ff">404</span><span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span>
<span style="color: #f92672">}</span>
</pre></div>
<p>Now, it’s not /quite right/ from a TLS paranoid’s point of view (for
instance I should disable TLS 1.0 and EECDH+aRSA+RC4, in particular) but it
works reasonably well and it’s more compatible this way (my phone runs Android
4.4, so I’m glad to still have TLS 1.0, for example).</p>
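<p>As an added example, not from the original post, here is a small audit of
exactly the directives the paragraph above worries about: it reads the
<code>ssl_protocols</code>, <code>ssl_ciphers</code> and HSTS lines from an nginx config
such as the template, and lists what a stricter setup would change. The HSTS
minimum it uses is the current hstspreload.org requirement (one year); the
config text embedded in it is constructed from the template.</p>

```python
"""Audit the TLS directives of an nginx server block.

Added example, not from the original post: reads ssl_protocols, ssl_ciphers
and Strict-Transport-Security from a config text and reports what a stricter
setup would change.
"""
import re
from typing import List, Optional

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "aNULL", "eNULL", "EXP", "LOW"}
# hstspreload.org currently requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def directive(config: str, name: str) -> Optional[str]:
    """Argument string of the first `name ...;` directive, or None.

    A double-quoted argument may itself contain ';' (the HSTS header does), so
    quoted values are matched as a whole.
    """
    pattern = r"^\s*" + re.escape(name) + r"\s+(\"[^\"]*\"|[^;]*);"
    m = re.search(pattern, config, re.M)
    return m.group(1).strip() if m else None


def audit_tls_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to change."""
    findings: List[str] = []
    protos = directive(config, "ssl_protocols")
    if protos:
        for proto in protos.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"ssl_protocols enables deprecated {proto}")
    ciphers = directive(config, "ssl_ciphers")
    if ciphers:
        # OpenSSL accepts ':' or spaces between cipher groups.
        groups = re.split(r"[:\s]+", ciphers.strip("\"'"))
        # A "!KEYWORD" group deletes that keyword from the whole list, wherever
        # it appears, so a positive group selecting it never takes effect.
        banned = {g[1:] for g in groups if g.startswith("!")}
        for group in groups:
            if group.startswith("!"):
                continue
            for kw in sorted(set(group.split("+")) & WEAK_KEYWORDS):
                if kw in banned:
                    findings.append(f"cipher group {group} is dead weight: !{kw} already removes it")
                else:
                    findings.append(f"cipher group {group} selects weak {kw}")
    hsts = directive(config, "add_header Strict-Transport-Security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if "preload" in hsts and age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age={age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
    else:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed input: the TLS lines of the template shown above.
POST_TEMPLATE = """\
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
"""
# Constructed stricter variant, for comparison.
HARDENED = """\
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""

if __name__ == "__main__":
    for finding in audit_tls_config(POST_TEMPLATE):
        print("-", finding)
```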
<p>You can add your domain to the preload list used by Chrome/ium, Firefox, IE,
Edge, Safari, the Tor Browser Bundle, etc…
<a href="https://hstspreload.appspot.com/">here</a> (yes it clearly looks like a
phishing site, but apparently it’s legit…)</p>
<p>Finally, we need automatic renewal, since our certificate will only be valid
for 90 days. We’ll use a dead simple cron job, with a script:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #ae81ff">00</span> <span style="color: #ae81ff">01</span> */14 * * /usr/local/bin/cert-renew <span style="color: #ae81ff">2</span>><span style="color: #f8f8f2">&</span><span style="color: #ae81ff">1</span> <span style="color: #f8f8f2">|</span> mail -s <span style="color: #e6db74">"certificates renewal report"</span> <votre email>
</pre></div>
<p>(don’t forget this has to go into root’s crontab)
And the matching script:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">#!/bin/bash</span>
<span style="color: #66d9ef">if</span> <span style="color: #f92672">[[</span> <span style="color: #f8f8f2">$UID</span> !<span style="color: #f92672">=</span> <span style="color: #ae81ff">0</span> <span style="color: #f92672">]]</span><span style="color: #f8f8f2">;</span> <span style="color: #66d9ef">then</span>
<span style="color: #f8f8f2">echo</span> <span style="color: #e6db74">"please run as root"</span>
<span style="color: #f8f8f2">exit</span> <span style="color: #ae81ff">1</span>
<span style="color: #66d9ef">fi</span>
<span style="color: #f8f8f2">cd</span> /opt/letsencrypt/
git pull <span style="color: #ae81ff">2</span>><span style="color: #f8f8f2">&</span><span style="color: #ae81ff">1</span> >> /dev/null
<span style="color: #75715e"># Renewing the cert</span>
./letsencrypt-auto certonly <span style="color: #ae81ff">\</span>
-a webroot --webroot-path /srv/letsencrypt <span style="color: #ae81ff">\</span>
-d <domaine> <span style="color: #ae81ff">\</span>
-d <altName1> <span style="color: #ae81ff">\</span>
-d <altName2> <span style="color: #ae81ff">\</span>
--server https://acme-v01.api.letsencrypt.org/directory <span style="color: #ae81ff">\</span>
--renew <span style="color: #ae81ff">\</span>
<span style="color: #ae81ff">2</span>><span style="color: #f8f8f2">&</span><span style="color: #ae81ff">1</span>
systemctl restart nginx
<span style="color: #f8f8f2">exit</span> <span style="color: #ae81ff">0</span>
</pre></div>
<p>Note the <code>--renew</code>, which specifies that we are renewing the certificate, the <code>git pull</code>
that updates the client, and the <code>systemctl restart nginx</code> that picks up the
new certificate automatically.</p>
<p>And that’s it; with this you should normally be able to grab valid
certificates. It’s pretty cool, in practice.</p>
<p>Thanks Let’s Encrypt</p>
<hr>
<h1>OpenWRT, USBNet, and the story of the 4MB (Wxcafe, 2015-10-16)</h1>
<p>So, I recently got a <a href="http://www.dx.com/p/tp-link-tl-mr12u-portable-5200mah-mobile-battery-3g-router-white-231188">TP-Link
TL-MR12U</a>,
which is sold as a “portable 3G router”, but is really a big battery with a
wifi antenna, a USB port and an Ethernet port. Personally, that’s fine by me,
since I wasn’t planning on getting a second 3G subscription just for this thing
anyway (especially given the 3G coverage we put up with in France…)</p>
<p>Anyway, all that to say: when I received this thing, I immediately started
by installing OpenWRT on it (because 1, I don’t speak Chinese, and 2, I like
having decent firmware on my routers). It’s super simple, you just grab this
[binary] file
<a href="http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/openwrt-15.05-ar71xx-generic-tl-mr12u-v1-squashfs-factory.bin">here</a>,
and find the update page (not necessarily super easy in Chinese, but with a bit
of time it can be done. It’s the one with an upload button). Then you upload
the image to the thing, and off you go. No signatures, no checks, it doesn’t
care at all, but for once that suits me.</p>
<p>Once that was done, I found myself rather helpless at not being able to use
USB tethering from my Android smartphone, because the default OpenWRT image
does not include USBNet, and therefore cannot create a network over USB. No
matter, I said to myself! I’ll install it!
So I rushed off to install the package with <code>opkg</code>. Alas! The system had
no space left.</p>
<p>… Wait. The system had no space left? I haven’t put anything on it yet!</p>
<p>Well, yeah. It turns out that TP-Link, in 2015, thinks 4MB of flash on a
router is plenty, and that nobody will ever need more anyway.</p>
<p>Seriously, was putting in 8MB that much more expensive? u_u</p>
<p>OK, anyway, I won’t dwell on it. I decided to roll up my sleeves and push
really hard to convince OpenWRT that it was entirely possible to fit both the
base system with LuCI, uhttpd, a DHCP server, etc., and USBNet into 4MB. It
wasn’t really easy, and I had to remove quite a lot of stuff, but… it works!</p>
<p>So, since I’m a nice guy, I’ll give you both the config file and the final
image. If you don’t want to use an image that comes from some guy you don’t
know, you can always rebuild it yourself. But before that, I’ll quickly explain
what is in the image and what isn’t.</p>
<p>To fit all of that in, as you might guess, I had to make a few concessions.
So I removed everything related to <em>PPP</em>, <em>PPPoE</em>, the <em>DHCPv6</em>
client, all the <em>debug tools</em>, a few <em>busybox features</em>, and of
course <em>opkg</em>. What was added is simply what <em>USBNet</em> needs to
work.</p>
<p>One small modification is needed for all of this to work: the file
<code>package/feeds/luci/luci/Makefile</code> must be changed so that the
dependency on <code>luci-proto-ppp</code> is no longer present. So we go from</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">LUCI_DEPENDS</span><span style="color: #f92672">:=</span> <span style="color: #ae81ff">\</span>
+uhttpd +uhttpd-mod-ubus +luci-mod-admin-full +luci-theme-bootstrap <span style="color: #ae81ff">\</span>
+luci-app-firewall +luci-proto-ppp +libiwinfo-lua +IPV6:luci-proto-ipv6
</pre></div>
<p>to</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">LUCI_DEPENDS</span><span style="color: #f92672">:=</span> <span style="color: #ae81ff">\</span>
+uhttpd +uhttpd-mod-ubus +luci-mod-admin-full +luci-theme-bootstrap <span style="color: #ae81ff">\</span>
+luci-app-firewall +libiwinfo-lua +IPV6:luci-proto-ipv6
</pre></div>
<p>Once that’s done, it should work better (and it saves a bit of space…)</p>
<p>OK. The config file is
<a href="http://pub.wxcafe.net/static/openwrt/tl-mr12u/config">here</a>, the final image is
<a href="http://pub.wxcafe.net/static/openwrt/tl-mr12u/openwrt-15.05-wx-ar71xx-generic-tl-mr12u-v1-squashfs-factory.bin">here</a>,
and I have a little surprise.</p>
<p>Of course, the switch on the side of the TL-MR12U doesn’t work under stock
OpenWRT, because it’s a hardware-specific thing and is therefore quite
complicated to handle across a hardware base as large as OpenWRT’s. Well, I
more or less figured out how to make it work.
Here’s the code:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">#!/bin/sh</span>
# Hotplug handler for the TL-MR12U slider switch. Variables are quoted and
# compared with the POSIX "=" so the script behaves the same under busybox sh
# when a variable is empty. For now it only logs which position was selected.
if [ "$ACTION" = "released" ]; then
    if [ "$BUTTON" = "BTN_0" ]; then
        # Position is 3G
        logger "slider 3G"
    elif [ "$BUTTON" = "BTN_1" ]; then
        # Position is Router
        logger "slider Router"
    fi
elif [ "$BUTTON" = "BTN_1" ] || [ "$BUTTON" = "BTN_0" ]; then
    # Any other action on either button: read the raw GPIO state
    if grep -qe "sw1.*in hi" /sys/kernel/debug/gpio \
        && grep -qe "sw2.*in hi" /sys/kernel/debug/gpio; then
        # Position is AP
        logger "slider AP"
    fi
fi
</pre></div>
<p>And that goes into <code>/etc/hotplug.d/button/00-buttons</code> (create the
path, it won’t exist by default). As it stands it does nothing, it just logs
the events. But since you’re not stupid you may have guessed that you could
very well enable USBNet only when the switch is in the 3G position, wifi and
ethernet when it’s in the AP position, and just the battery when it’s in the
Router position. For example.</p>
<p>Oh, by the way. To enable tethering, adding USBNet support isn’t enough. You
also have to configure the system so that it requests a DHCP lease, and so on.
You can (maybe, I haven’t tested) do it through LuCI, but otherwise you can do
it from the CLI:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>uci del network.wan
uci <span style="color: #f8f8f2">set</span> network.wan<span style="color: #f92672">=</span>interface
uci <span style="color: #f8f8f2">set</span> network.wan.ifname<span style="color: #f92672">=</span>usb0
uci <span style="color: #f8f8f2">set</span> network.wan.proto<span style="color: #f92672">=</span>dhcp
uci commit network
ifup wan
</pre></div>
<p>And poof, it works.</p>
<p>There you go. Have fun with your big portable battery, which now acts as a
wifi access point/3G tethering box/whatever.</p>
<hr>
<h1>NUCs and HDMI-CEC (Wxcafe, 2015-08-22)</h1>
<p>I recently got hold of a TV. Since this post isn’t about that TV, let’s move
quickly over what relates to it: not wishing to “enjoy” the French audiovisual
landscape (or PAF), and having a number of films and TV series acquired
entirely legally (ahem) stored on my local server, I wanted to plug into my TV
a system that would let me watch those films and series, and possibly a few
online video sources (Youtube, Netflix, etc…), simply.</p>
<p>Having a <a href="https://www.raspberrypi.org/">Raspberry Pi 1</a> lying
around, I decided to install <a href="http://openelec.tv/">OpenELEC</a> on it and
see how it went. The result not being satisfactory (because of the RPi’s
difficulties running all that), I decided to upgrade the system.</p>
<p>So I bought a <a href="http://www.amazon.fr/gp/product/B00GPJ83EU">NUC D34010WYK</a>
(careful, the newer models don’t work for what follows), an
<a href="http://www.amazon.fr/dp/B00WU5F8MS/">HDMI-CEC adapter</a> for it, and an
<a href="http://www.amazon.fr/gp/product/B00INTR4ZE">mSATA SSD</a>, figuring I could
run <a href="http://kodi.tv/">Kodi</a> on a debian without too much trouble, plus
Steam for streaming from my desktop. The other advantage of running on Intel is
being able to watch Netflix (since the appropriate kodi plugin uses chrome, and
(as far as I know) only works on x86).</p>
<p>So after a while I received the hardware mentioned above, which I eagerly
assembled, before realizing that the manual for the Pulse-Eight adapter was
[PDF]<a href="https://www.pulse-eight.com/Download/Get/30">rather mediocre</a>. I
then searched for several hours before finding [DE]<a href="http://www.technikaffe.de/anleitung-293-pulse_eight_intel_nuc_hdmi_cec_adapter_im_test">this
post</a>
explaining how to connect the adapter. So I’ll summarize the process here,
which should make the task easier both for other people looking for the
information, and for me if I ever have to reassemble this system.</p>
<p>To keep it simple, the NUC has three separate headers: a dual-USB one, one
called “Front Panel”, and one called “Custom Solution Header”. All three are
used here. The first thing to do is to plug the grey and red leads into the
Custom Solution Header; the wiring must be done as follows:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>Custom Solution
┌─┬─┬─┬─┬─┐
│g│ │·│r│·│
├─┼─┼─┼─┼─┤
│·│·│·│·│·│
└─┴─┴─┴─┴─┘
g ➔ grey lead
r ➔ red lead
· ➔ unused pin
  ➔ empty space (no pin)
</pre></div>
<p>Once that’s done, the Front Panel needs to be connected. Fortunately, that’s
easier, since there is only one lead to connect here: the orange one.</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span> Front Panel
┌─┬─┬─┬─┬─┐
│·│·│·│·│·│
├─┼─┼─┼─┼─┤
│ │·│o│·│·│
└─┴─┴─┴─┴─┘
o ➔ orange lead
· ➔ unused pin
  ➔ empty space (no pin)
</pre></div>
<p>Finally, the remaining leads still have to be connected to the dual-USB
header. Since this header carries the pins needed for a USB connection twice
over, the cables can be connected in several ways.</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span> Dual-USB
┌─┬─┬─┬─┬─┐
│b│B│v│n│·│
├─┼─┼─┼─┼─┤
│·│·│·│·│ │
└─┴─┴─┴─┴─┘
b ➔ blue lead
B ➔ white lead
v ➔ green lead
n ➔ black lead
· ➔ unused pin
  ➔ empty space (no pin)
</pre></div>
<p>With all the connections made, it’s now time to reassemble the beast (be
careful not to disturb the connections with the Wifi antennas, for example),
plug it in, and check that everything boots properly. One setting in the Intel
BIOS also needs changing: under Power➔Secondary Power Settings, “Deep S4/S5”
must be <em>dis</em>abled. This is what allows the HDMI-CEC connection to power
on the NUC.</p>
<p>All that’s left is to install a system worthy of the name on it!</p>
<hr>
<h1>SSL - STARTTLS (Wxcafe, 2015-05-16)</h1>
<p>SSL encryption for online services is a relatively recent concern, compared
to the history of the Internet. Deploying it is a problem: existing protocols
cope rather poorly with suddenly receiving a stream of encrypted data, but
developing new protocols is complex and brings nothing interesting. To work
around this problem, two solutions appeared.</p>
<p>The first consists of having services listen on another port, inside an SSL
tunnel. That way, the existing service listens normally, but it does not
answer requests directly. Instead, an SSL tunnel is set up, and requests and
responses go through the tunnel (where they therefore appear encrypted to the
outside). This makes it possible to offer an encrypted service with minimal
changes to the program, at the cost of also having to change all the clients
and point them at a different port.</p>
<p>The other approach that has been used is an <em>upgrade</em> approach.
Communication starts in unencrypted mode, then the client asks to upgrade the
connection to encrypted mode if it supports it, the two machines perform an
SSL <em>handshake</em>, and communication continues through the SSL tunnel. The
service can keep listening on its usual port, and only the clients capable of
switching to SSL will do so, which allows a smooth “upgrade”.</p>
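<p>The upgrade exchange described above, as an added example that is not part
of the original post: a raw-socket SMTP client (SMTP is used as the concrete
STARTTLS protocol; the host name is a placeholder) that reads the server’s
EHLO capabilities, insists on the upgrade, verifies the server certificate
during the handshake, and fetches the capabilities again once the connection
is encrypted. The sample replies embedded in it are constructed.</p>

```python
"""Client side of an SMTP STARTTLS upgrade.

Added example, not from the original post. SMTP is the concrete protocol and
the host name is a placeholder. The client proceeds only if the server offers
STARTTLS, and the TLS handshake validates the chain and host name, so a
server that cannot be upgraded is refused rather than used in the clear.
"""
import io
import socket
import ssl
from typing import Dict, Tuple


class PlaintextRefused(Exception):
    """The connection could not be upgraded; we will not continue unencrypted."""


def read_reply(rfile) -> Tuple[int, bytes]:
    """Read one SMTP reply, multi-line or not, and return (code, raw bytes).

    RFC 5321 continuation lines look like "250-..."; the last line is "250 ...".
    """
    raw = b""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        raw += line
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3]), raw


def reply_from_bytes(data: bytes) -> Tuple[int, bytes]:
    """read_reply over an in-memory buffer (used for offline checks)."""
    return read_reply(io.BytesIO(data))


def parse_ehlo(raw: bytes) -> Dict[str, str]:
    """Map the extensions listed in an EHLO reply to their parameters."""
    caps: Dict[str, str] = {}
    lines = raw.decode("ascii", errors="replace").splitlines()
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index > 0:  # the first line carries the server name, not an extension
            name, _, params = line[4:].partition(" ")
            caps[name.upper()] = params
    return caps


def offers_starttls(caps: Dict[str, str]) -> bool:
    return "STARTTLS" in caps


def starttls_session(host: str, port: int = 587) -> Tuple[ssl.SSLSocket, Dict[str, str]]:
    """Connect, insist on STARTTLS, verify the certificate, and re-EHLO."""
    context = ssl.create_default_context()  # CA validation and host name check
    sock = socket.create_connection((host, port), timeout=10)
    rfile = sock.makefile("rb")
    code, _ = read_reply(rfile)
    if code != 220:
        raise PlaintextRefused(f"unexpected greeting code {code}")
    sock.sendall(b"EHLO client.example\r\n")
    code, raw = read_reply(rfile)
    if code != 250 or not offers_starttls(parse_ehlo(raw)):
        sock.close()
        raise PlaintextRefused("server does not offer STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    code, _ = read_reply(rfile)
    if code != 220:
        sock.close()
        raise PlaintextRefused(f"STARTTLS refused with code {code}")
    rfile.close()
    # The handshake happens here; a bad chain or wrong host name raises SSLError.
    tls = context.wrap_socket(sock, server_hostname=host)
    # Everything learnt before the upgrade travelled in the clear, so the
    # capability list is fetched again over the encrypted connection.
    tls.sendall(b"EHLO client.example\r\n")
    code, raw = read_reply(tls.makefile("rb"))
    if code != 250:
        tls.close()
        raise PlaintextRefused(f"EHLO after STARTTLS failed with {code}")
    return tls, parse_ehlo(raw)


# Constructed sample replies, as a server would send them.
EHLO_WITH_STARTTLS = (b"250-mail.example.test Hello\r\n250-SIZE 35882577\r\n"
                      b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
EHLO_WITHOUT_STARTTLS = b"250-legacy.example.test Hello\r\n250 SIZE 10240000\r\n"

if __name__ == "__main__":
    print("upgrade possible:", offers_starttls(parse_ehlo(EHLO_WITH_STARTTLS)))
    print("legacy server:", offers_starttls(parse_ehlo(EHLO_WITHOUT_STARTTLS)))
```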
<p>People often ask which is the better way to set up a service: leaving one
port for SSL and one for unencrypted traffic, or a single port with
<code>STARTTLS</code>, which <em>upgrades</em> connections when needed.<br>
The answer is that <code>STARTTLS</code> is more interesting, for several reasons.
First of all, it only uses a single port, which simplifies the firewall
configuration. On top of that, it lets “old” clients (those that don’t support
SSL, so those that should be replaced) still connect, even if that means their
information will be transmitted in the clear. Above all, it saves users from
having to configure their clients. If the client supports encryption, it will
enable it on its own when it sees that it is available.<br>
In short, set up <code>STARTTLS</code>, not SSL. It’s better for everyone’s
security.</p>
<hr>
<h1>Controllers: Hori vs. PDP (Wxcafe, 2015-04-19)</h1>
<p>If, like me, you have a Wii U and Smash 4, you’ve probably noticed a few
small things: first of all, Smash is a lot more fun with several people. Then,
the Wii U can be controlled with a huge number of “things”; without thinking
too hard, there’s the Wii U Gamepad, the Wiimotes, the Pro Controllers for Wii
and Wii U, and others. You’ll also have noticed that the Gamepad is not an
acceptable way to play Smash at all, nor are the wiimotes. The pro controllers
work, but aren’t worth the good old Gamecube controllers.</p>
<p>That said, if like me you have, er, “opened up” your Wii U's vWii mode, you
probably have a hard drive/USB stick plugged into the back of your Wii U, and
therefore not enough free ports to connect <a href="http://www.amazon.com/Super-Smash-GameCube-Adapter-Wii-U/dp/B00L3LQ1FI">the GC adapter for Wii U</a>
to your console.</p>
<p>Luckily for you, Nintendo thought of a solution (and, as usual with Nintendo,
it is a half-satisfying one…): classic controllers, but shaped like Gamecube
controllers.</p>
<p>Nintendo therefore handed its licences and designs to two companies, which
rushed to make controllers and rake in wheelbarrows of money by producing
Gamecube controllers that plug into Wiimotes.</p>
<p>We will look here at two models, one from each of the companies in question:
<a href="http://www.pdp.com/">PDP</a> and <a href="http://stores.horiusa.com/">Hori</a>.</p>
<p><strong><em>All the photos in this article are available in a larger size by
clicking on them</em></strong></p>
<p>Let's start with the Hori model:</p>
<p><a href="//pub.wxcafe.net/img/Hori_face_fd.jpg"><img alt="Hori_face" src="//pub.wxcafe.net/img/Hori_face_ld.jpg"></a></p>
<p>As you can see, the controller looks a lot like a real Gamecube controller:
apart from the Turbo button and the Home button, the rest is exactly identical
to a real Gamecube controller. Note that the central buttons (Home, Start,
Select and Turbo) are made of soft rubber rather than hard plastic.</p>
<p><a href="//pub.wxcafe.net/img/Hori_dos_fd.jpg"><img alt="Hori_dos" src="//pub.wxcafe.net/img/Hori_dos_ld.jpg"></a></p>
<p>We can already see this controller's first big problem: the triggers are
really just buttons. That makes sense, since that is how classic controllers are
built, but it is disappointing all the same.</p>
<p><a href="//pub.wxcafe.net/img/Hori_CM_fd.jpg"><img alt="Hori_CM" src="//pub.wxcafe.net/img/Hori_CM_ld.jpg"></a></p>
<p>Here we can see that the build quality is nothing special, and there is a
badly done solder joint where the left stick sits.</p>
<p><a href="//pub.wxcafe.net/img/Hori_Cstick_fd.jpg"><img alt="Hori_Cstick" src="//pub.wxcafe.net/img/Hori_Cstick_ld.jpg"></a></p>
<p>The C stick is not attached to the rest of the controller.
I tried to take the various parts of the controller further apart, but the
cables did not look like they were of very good quality, and I preferred to give
up rather than break the controller.</p>
<p><a href="//pub.wxcafe.net/img/Hori_coque_fd.jpg"><img alt="Hori_coque" src="//pub.wxcafe.net/img/Hori_coque_ld.jpg"></a></p>
<p>We can see that the shell is completely empty, and that the triggers really
are just plain buttons. There would almost be room to fit an entire Wiimote's
motherboard in there…</p>
<hr>
<p>Now let's move on to the PDP controller.</p>
<p><a href="//pub.wxcafe.net/img/PDP_face_fd.jpg"><img alt="PDP_face" src="//pub.wxcafe.net/img/PDP_face_ld.jpg"></a></p>
<p>At first glance, the PDP controller looks a lot less like a Gamecube
controller. However, it feels exactly the same in the hand. One will still
regret the sticks, which are not as pleasant as the Gamecube's, and the
transparent buttons (but that is a matter of taste).</p>
<p><a href="//pub.wxcafe.net/img/PDP_dos_fd.jpg"><img alt="PDP_dos" src="//pub.wxcafe.net/img/PDP_dos_ld.jpg"></a></p>
<p>The triggers are real triggers! Normally that is impossible, but PDP was very
clever here, as we will see right after.</p>
<p><a href="//pub.wxcafe.net/img/PDP_CM_fd.jpg"><img alt="PDP_CM" src="//pub.wxcafe.net/img/PDP_CM_ld.jpg"></a></p>
<p>As you can see, the overall quality is much better, with far less glue and no
botched soldering. All the daughterboards are properly attached to the
motherboard, and the plastic frame is reinforced. Above all, we can see two
daughterboards sticking out of the motherboard in a strange way,
<strike>peremptorily</strike> perpendicularly…</p>
<p><a href="//pub.wxcafe.net/img/PDP_CF_fd.jpg"><img alt="PDP_CF" src="//pub.wxcafe.net/img/PDP_CF_ld.jpg"></a></p>
<p>You guessed it: these two “daughterboards” actually serve as connectors for
the buttons located in the triggers, which are “real” triggers in that they are
built the same way as real ones (with a spring, etc.) but are actually buttons
(obviously, since this controller is really a classic controller), as opposed to
true analog triggers.</p>
<p>A few photos of the triggers in question:</p>
<p><a href="//pub.wxcafe.net/img/PDP_G1_fd.jpg"><img alt="PDP_G_1" src="//pub.wxcafe.net/img/PDP_G1_ld.jpg"></a></p>
<p><a href="//pub.wxcafe.net/img/PDP_G2_fd.jpg"><img alt="PDP_G_2" src="//pub.wxcafe.net/img/PDP_G2_ld.jpg"></a></p>
<p><a href="//pub.wxcafe.net/img/PDP_G3_fd.jpg"><img alt="PDP_G_3" src="//pub.wxcafe.net/img/PDP_G3_ld.jpg"></a></p>
<p><a href="//pub.wxcafe.net/img/PDP_G4_fd.jpg"><img alt="PDP_G_4" src="//pub.wxcafe.net/img/PDP_G4_ld.jpg"></a></p>
<hr>
<p>As you will have gathered, I prefer the PDP version of these “Fight Pads”:
the finish seems sturdier, the triggers are perfect, the central buttons are not
made of cheap rubber, and although the sticks are less comfortable, the rest is
perfect. If, however, you prefer a controller whose feel in the hand is
<strong>totally</strong> identical to that of Gamecube controllers, the Hori
version will probably suit you better, except for the triggers, unfortunately.</p>
<h1>Docker and ebooks on Twitter</h1>
<p><em>Wxcafe, 2015-02-28T14:11:00+01:00, tag:wxcafe.net,2015-02-28:/posts/docker-et-les-ebooks-sur-twitter/</em></p>
<p>You may already have heard of <a href="https://www.docker.com/">Docker</a>. If
not, here are the basics: Docker is a container system. Containers are a
particular form of virtualization where the kernel is not virtualized, but where
the host system's processes are separated from those of the guest systems. This
has long been possible on FreeBSD with <a href="https://www.freebsd.org/doc/en/books/handbook/jails.html">Jails</a>,
but only recently became possible on Linux thanks to <a href="https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups</a>,
which are precisely what allows groups of processes to be separated. The
principle of Docker is therefore to have a host machine running several Docker
containers, each separated from the others and from the host, but all using the
same kernel. This raises some security questions, since the separation is much
thinner than with classic virtualization. Indeed, here, by finding a kernel
exploit, an attacker would potentially be able to climb back up to the host,
since it is not really separated from the guests.</p>
<p>Be that as it may, Docker thus makes it possible to virtualize GNU/Linux
systems at lower cost. “But why use Docker, then,” you may ask, “since Xen can
do the same thing, and more (in particular, Xen can virtualize things other than
GNU/Linux)?” Well, it is very simple: Docker brings simplicity of application
deployment. Docker containers can be described in a single file, called a
Dockerfile, which makes it possible to replicate a container on another host in
a few minutes, with one command. The <a href="https://hub.docker.com">Docker Hub</a>
also makes it possible to quickly and easily fetch a large number of
pre-configured images.</p>
<p>Now that we have briefly explained what Docker is, let's see what it has to
do with ebooks and Twitter.</p>
<p>So-called “ebooks” accounts (the name originally comes from <a href="https://twitter.com/horse_ebooks">horse_ebooks</a>;
see <a href="https://en.wikipedia.org/wiki/Horse_ebooks">here</a> for why) are
Twitter bots that use <a href="https://en.wikipedia.org/wiki/Markov_chain">Markov chains</a>,
with the tweets of a “source” user as corpus, to produce tweets resembling those
of the source user. We will now see how to set one up.</p>
<p>It is, as some people say, “fun”.</p>
<p>Many libraries have been written to create this kind of bot; in this case,
however, we will focus on
<a href="https://github.com/mispy/twitter_ebooks">this one</a>, a Ruby lib
created by <a href="https://twitter.com/m1sp">@m1sp</a>, which handles both the
Twitter API and message generation for us.</p>
<p>However, that still does not explain the link with Docker. The link is very
simple: we use a container to run the bots. Since version 3, the twitter_ebooks
gem can run several bots in a single instance. It is nevertheless always safer
to isolate the bots, and Docker containers make it possible to deploy them on
any machine (those who have already tried to set up a Ruby-based application
will know the trouble that usually causes). To do this, I created <a href="https://github.com/wxcafe/ebooks_example">a
GitHub repo</a> containing all the pieces needed to set this up: the bot itself,
the two Dockerfiles, etc.</p>
<p>The way the bot works is simple: after installing the twitter_ebooks gem, you
archive the source user's corpus with <code>ebooks archive &lt;username&gt; &lt;filename&gt;</code>
(it is JSON), then you convert the JSON into a file the bot can use:
<code>ebooks consume &lt;filename&gt;</code>. Once that is done, starting the bot
comes down to launching the container: <code>docker run -d &lt;container name&gt;</code>.
For more information, see <a href="https://docs.docker.com/articles/basics/">the
Docker documentation</a>.</p>
<p>Of course, ideally each user's corpus should be updated regularly. That is
very easy to set up with a simple cron script:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">00 00 * * * /usr/local/bin/ebooks archive username /usr/local/ebooks/main/corpus/username.json >> /var/log/ebooks/update.log 2>&1
00 05 * * * cd /usr/local/ebooks/main/ && /usr/local/bin/ebooks consume corpus/username.json >> /var/log/ebooks/update.log 2>&1
00 10 * * * docker rm -f bots >/dev/null 2>&1
00 15 * * * docker rmi bots > /dev/null 2>&1
00 20 * * * cd /usr/local/ebooks/main/ && docker build --rm -t bots . >> /var/log/ebooks/build.log 2>&1
00 25 * * * docker run -d --name bots bots >> /var/log/ebooks/run.log 2>&1
</pre></div>
<p>The 5 minutes left between each command are there to prevent two commands
from running at the same time.</p>
<p>And there you go: you have a Docker container running a grubby Ruby
application, and your host system stays clean. Of course, this is just one
example of what Docker can do: for instance, you can also run <a href="https://blog.jessfraz.com/posts/docker-containers-on-the-desktop.html">“ordinary”
applications inside it</a>, since Docker's overhead is minimal, and many other
applications exist.</p>
<h1>OpenSMTPd as a mail server on Debian</h1>
<p><em>Wxcafé, 2014-11-07T13:04:00+01:00, tag:wxcafe.net,2014-11-07:/posts/opensmtpd-debian/</em></p>
<p>I said a while ago that I was going to write a tutorial explaining how to
manage your own mail. It so happens that I recently decided to change the server
hosting (among other things) this blog, and that this server also hosts my
email. I have therefore completely changed my infrastructure as far as my mail
system is concerned.</p>
<p>So I decided to move from Postfix to OpenSMTPd, a change I had been wanting
to make for some time. <a href="https://opensmtpd.org">OpenSMTPd</a> is a
project originating from <a href="http://openbsd.org">OpenBSD</a> whose goal is
to provide a reliable, simple, fast and, above all, secure SMTP server (the same
goals as the OpenBSD project overall).</p>
<p>As a reminder, the email system works in a very simple way: your MUA (Mail
User Agent, or email client) contacts the MTA (Mail Transport Agent, or SMTP
server) of your email provider, which contacts the MTA of the recipient's
provider, which in turn contacts the MDA (Mail Delivery Agent) that delivers the
mail to the recipient.</p>
<p>If you followed closely, you will have noticed that I said nothing about
retrieving or reading mail. That is for a simple reason: those tasks are handled
by yet other services (IMAP/POP for retrieval from the server, eyes for
reading).</p>
<p>Now, what interests us here is not just sending and receiving email but also
being able to retrieve and read it, which is why this tutorial will cover not
only OpenSMTPd but also <a href="http://dovecot.org/">Dovecot</a>, which acts as
the IMAP server, and <a href="http://www.ijs.si/software/amavisd/">amavis</a>/<a href="http://spamassassin.apache.org/">spamassassin</a>
to filter incoming and outgoing mail.
The following diagram shows how mail is handled on the system:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">             ╭────────────────╮                     ╭──────────╮
             │╭──────────────>│────> to filter ────>│─╮        │
 mail in     ││               │                     │ │ amavis │
 ───────────>│╯ OpenSMTPd  ╭──│<─── from filter <───│<╯        │
             │             │  │                     ╰──────────╯
 mail out    │             │  │                     ╭──────────╮
 <───────────│<────────────┴─>│────> to MDA ───────>│─────────>│──> to user's
             │                │                     │ dovecot  │    mailbox
             ╰────────────────╯                     ╰──────────╯
</pre></div>
<p>This should be more or less clear.
To explain it quickly: incoming email (from our users but also from other
correspondents) is handed to OpenSMTPd, which sends everything to
<code>amavis</code>, which checks for both spam and malware in mail coming from
outside, and signs with DKIM the mail coming from our users, then hands the
filtered/signed mail back to OpenSMTPd, which at that point sorts it by
destination: mail handled by the domain goes via dovecot into the local
recipients' mailboxes, and mail for outside goes directly to the remote
server's MTA.</p>
<p>Let's see how to set this up. First, we need to decide how the various
services will talk to each other.</p>
<p>To begin with, since amavis is configured by default to listen (in SMTP) on
port 10024 and reply on port 10025 for filtering, and to listen on port 10026
and reply on port 10027 for signing, we will take advantage of that
configuration and therefore talk SMTP to it on those ports.</p>
<p>As for Dovecot, we will hand it email over LMTP (Local Mail Transfer
Protocol), not on a port but through a socket (in this case,
<code>/var/run/dovecot/lmtp</code>).</p>
<p>So, going back to the diagram shown above:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">             ╭───────────────╮                    ╭───────────╮
             │╭─────────────>│──> SMTP (10026) ──>│─╮         │
 SMTP in     ││              │                    │ │ amavis  │
 ────────> 25│╯ OpenSMTPd ╭──│<── SMTP (10027) <──│<╯ (sign)  │
             │            │  │                    ╰───────────╯
 SMTP out    │            │  │
 25 <────────│<───────────╯  │
             ╰───────────────╯
</pre></div>
<p>for outgoing mail, and</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">             ╭───────────────╮                    ╭────────────╮
             │╭─────────────>│──> SMTP (10024) ──>│─╮          │
 SMTP in     ││              │                    │ │ amavis   │
 ────────> 25│╯ OpenSMTPd ╭──│<── SMTP (10025) <──│<╯ (filter) │
             │            │  │                    ╰────────────╯
             │            │  │                    ╭────────────╮
             │            ╰─>│──> LMTP (socket) ─>│───────────>│──> to user's
             │               │                    │ dovecot    │    mailbox
             ╰───────────────╯                    ╰────────────╯
</pre></div>
<p>for incoming mail.</p>
<p>Now that the theory is clear, let's set it all up. I will assume here that
you are using a Debian or OpenBSD platform. For other platforms, the
configuration should be roughly the same.</p>
<p>(You will need SSL certificates for this guide, even self-signed ones.
If you do not know how to create them, you can go and read <a href="http://wxcafe.net/posts/05/30/14/SSL-ou-la-securite-sur-internet/">this
post</a>.)</p>
<p>First, let's start by installing the necessary programs:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"># Debian
sudo apt-get install opensmtpd dovecot dovecot-pigeonhole amavisd-new dovecot-managesieved
# OpenBSD (OpenSMTPd is part of the base system)
sudo pkg_add dovecot dovecot-pigeonhole amavisd-new
</pre></div>
<p>Let's continue by configuring OpenSMTPd as we saw above:</p>
<p><code>/etc/smtpd.conf</code></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"># This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

## Certs
pki exem.pl certificate "/etc/certs/exem.pl.crt"
pki exem.pl key "/etc/certs/exem.pl.key"

## Ports to listen on, and how to listen on them
listen on eth0 port 25 tls pki exem.pl hostname exem.pl auth-optional
listen on eth0 port 465 tls-require pki exem.pl hostname exem.pl auth mask-source
listen on eth0 port 587 tls-require pki exem.pl hostname exem.pl auth mask-source

## Aliases
table aliases file:/etc/aliases

# coming from amavisd, checked for spam/malware
listen on lo port 10025 tag Filtered
# coming from amavisd, signed with DKIM
listen on lo port 10027 tag Signed

## Receiving
# if the (incoming) mail has been through amavisd, then we can deliver it
accept tagged Filtered for any alias &lt;aliases&gt; deliver to lmtp "/var/run/dovecot/lmtp"
# we directly transfer incoming mail to amavisd to be checked
accept from any for domain "exem.pl" relay via "smtp://localhost:10024"
# we have to put these lines in this order to avoid infinite loops

## Sending
# if the (outgoing) mail has been through amavisd, then we can deliver it
accept tagged Signed for any relay
# we transfer the outgoing mail to amavisd to be signed
accept for any relay via "smtp://localhost:10026"
# same, we have to put these lines in this order or infinite loops...
</pre></div>
<p>Let's explain this configuration file a little:</p>
<ul>
<li>First, the paragraph named “Certs” contains the declarations of where the
SSL certificates live.</li>
<li>Next, the paragraph containing the external ports we listen on: port 25 with
optional TLS, and ports 465 and 587 with mandatory TLS.</li>
<li>Aliases are defined right after.</li>
<li>The next paragraph contains the local ports we listen on: 10025 (the output
port of amavis's filter), whose mail we tag as “Filtered”, and 10027 (the
output port for mail signed by amavis), whose mail we tag as “Signed”.</li>
<li>Then comes the paragraph handling incoming mail. If the mail being processed
is tagged Filtered, it has been checked by amavis and we can deliver it to
the recipient. Otherwise, it has not yet been checked by amavis, so we pass
it on for analysis (on port 10024, then). It is important to write the
declarations in this order, because the first rule matching the mail's state
is the one applied. Here, the second line matches all incoming mail while the
first only matches filtered mail; swapping them would mean mail is always
sent back to amavis.</li>
<li>Finally, the last paragraph handles outgoing mail. In the same way as in the
previous paragraph, if the outgoing mail is already tagged Signed we hand it
to the recipient's MTA; otherwise it has not yet been DKIM-signed by amavis,
so we hand it to amavis to sign. The line-ordering issue arises again, for
the same reason as above.</li>
</ul>
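<p>To make the ordering argument from the two last points concrete, here is an added model (not OpenSMTPd code) of the first-match evaluation of the four <code>accept</code> rules above, with amavis modelled as handing the mail back over loopback carrying the tag set by the <code>listen on lo</code> lines. The mail shapes (recipient domain, local or not) are constructed; with the file's order every mail terminates, with each pair swapped the mail keeps going back to amavis.</p>

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

LOCAL_DOMAIN = "exem.pl"   # the domain from the smtpd.conf above


class LoopError(Exception):
    """Raised when a mail keeps being sent back to amavis instead of being delivered."""


@dataclass
class Mail:
    rcpt_domain: str                 # domain part of the recipient address
    is_local: bool                   # submitted by a local user, or arriving over loopback
    tag: Optional[str] = None        # "Filtered" or "Signed" once amavis handed it back
    path: List[str] = field(default_factory=list)   # hops taken, for inspection


@dataclass
class Rule:
    text: str                        # the smtpd.conf line being modelled
    matches: Callable[[Mail], bool]
    action: str                      # "lmtp", "relay" or "amavis:<port>"


def smtpd_rules(tagged_first: bool = True) -> List[Rule]:
    """The four accept rules of the configuration, in file order or with each pair swapped."""
    # "accept tagged ..." without "from" means "from local", which loopback traffic satisfies.
    filtered = Rule('accept tagged Filtered for any alias <aliases> deliver to lmtp "..."',
                    lambda m: m.is_local and m.tag == "Filtered", "lmtp")
    to_filter = Rule('accept from any for domain "exem.pl" relay via "smtp://localhost:10024"',
                     lambda m: m.rcpt_domain == LOCAL_DOMAIN, "amavis:10024")
    signed = Rule("accept tagged Signed for any relay",
                  lambda m: m.is_local and m.tag == "Signed", "relay")
    to_sign = Rule('accept for any relay via "smtp://localhost:10026"',
                   lambda m: m.is_local, "amavis:10026")
    receiving = [filtered, to_filter] if tagged_first else [to_filter, filtered]
    sending = [signed, to_sign] if tagged_first else [to_sign, signed]
    return receiving + sending


def first_match(mail: Mail, rules: List[Rule]) -> Optional[Rule]:
    """OpenSMTPd applies the first rule whose conditions match; later ones are ignored."""
    for rule in rules:
        if rule.matches(mail):
            return rule
    return None


def deliver(mail: Mail, rules: List[Rule], max_hops: int = 5) -> str:
    """Push one mail through the rules until it is delivered, relayed, rejected, or loops.

    A hop through amavis is modelled by the mail coming back over loopback with the
    tag set by the "listen on lo port 10025/10027 tag ..." lines.
    """
    for _ in range(max_hops):
        rule = first_match(mail, rules)
        if rule is None:                       # no rule accepts it: not an open relay
            mail.path.append("rejected")
            return "rejected"
        if rule.action.startswith("amavis:"):
            port = rule.action.split(":")[1]
            mail.path.append(rule.action)
            mail.tag = "Filtered" if port == "10024" else "Signed"
            mail.is_local = True               # it comes back from amavis on lo
            continue
        mail.path.append(rule.action)
        return rule.action
    raise LoopError(f"mail still bouncing between smtpd and amavis after {max_hops} hops: {mail.path}")
```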
<p>We will now configure dovecot. As we saw, dovecot must listen for LMTP on the
socket <code>/var/run/dovecot/lmtp</code> and deliver email to the user's
mailbox. It would also be useful for it to let us retrieve mail. For this
configuration, we will only set up IMAPS. However, if you want to set up
POP3[S], various guides are easy to find online.</p>
<p><code>/etc/dovecot/dovecot.conf</code></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">## Dovecot configuration file

# basic config
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:%h/mail

# authentication
passdb {
  driver = pam
}
userdb {
  driver = passwd
}

# the protocols we use
protocols = imap lmtp sieve

# ssl config (same certificate and key as in smtpd.conf)
ssl_cert = &lt;/etc/certs/exem.pl.crt
ssl_key = &lt;/etc/certs/exem.pl.key
ssl_cipher_list = HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL
ssl = yes

## configuring services
# disables imap login without SSL (yes dovecot is dumb that way)
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener lmtp {
    # 0666 lets any local user write to the socket; smtpd only needs it
    # to be writable by the user it runs as
    mode = 0666
  }
}

## configuring protocols
# the dovecot lda, we set it to use sieve
protocol lda {
  mail_plugins = $mail_plugins sieve
}
protocol lmtp {
  postmaster_address = whoever@exem.pl
  mail_plugins = $mail_plugins sieve
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
</pre></div>
<p><strong>WARNING: On OpenBSD, replace</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">passdb {
  driver = pam
}
</pre></div>
<p><strong>with</strong></p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">passdb {
  driver = bsdauth
}
</pre></div>
<p><strong>to authenticate system users</strong></p>
<p>Here too, let's see how this file is structured:</p>
<ul>
<li>First, the basic settings: where the logs go, how to format their
timestamps, and where users' mail is stored.</li>
<li>We then configure user authentication. Here we identify users with the
/etc/passwd file and check their passwords with PAM (or BSDAuth).</li>
<li>We then configure the protocols we serve. Here we want IMAPS, local LMTP and
Sieve (used to sort messages).</li>
<li>We configure SSL.</li>
<li>The next section contains the service configuration. First comes the IMAP
service, whose configuration serves only to disable IMAP. Indeed, dovecot
only lets you enable IMAPS by enabling IMAP along with it. Since we do not
want IMAP without SSL, we disable it. The lmtp configuration serves to give
more suitable permissions to the socket it uses.</li>
<li>We now configure the protocols, to make Sieve work.</li>
<li>Finally, we configure the sieve plugin by telling it which file and which
directory to use for its configuration.</li>
</ul>
<p>Finally, we still have to configure amavis. As explained, amavis will serve
two purposes: signing outgoing email and filtering incoming email. It must
therefore listen on port 10026 for signing and 10024 for filtering, and reply on
ports 10027 and 10025 respectively (all over SMTP). Since all these
transactions happen on the loopback interface, there is no risk in using
unencrypted protocols.
On OpenBSD, remember to copy the default configuration from
<code>/usr/local/share/examples/amavisd-new/amavisd.conf</code> and add the
necessary changes at the end of the file.</p>
<p><code>/etc/amavis/conf.d/99-local.conf</code> (Debian)<br>
<code>/etc/amavis.conf</code> (OpenBSD)</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">use strict;

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key("exem.pl", "main", "/etc/certs/dkim.key");
@dkim_signature_options_bysender_maps = (
  { '.' =>
    { ttl => 21*24*3600, c => 'relaxed/simple' }
  }
);

$inet_socket_port = [10024, 10026];

$policy_bank{'MYNETS'} = {
  originating => 1,
  os_fingerprint_method => undef,
};

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  allow_disclaimers => 1,
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps => ["root\@$mydomain"],
  warnbadhsender => 1,
  forward_method => 'smtp:localhost:10027',
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],
  terminate_dsn_on_notify_success => 0,
};

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
</pre></div>
<p>Once again, let us walk through this file:</p>
<ul>
<li>the first block states that we want amavis to sign outgoing emails, verify
the DKIM signature of incoming emails, and where the private key used to sign
emails is located.</li>
<li>the second defines the DKIM options we want to use as defaults. I invite you
to consult <a href="https://tools.ietf.org/html/rfc4871">RFC 4871</a>.</li>
<li>we then define the ports we will listen on, then the parameters we will use
for emails coming from our users: they will be treated as “originating” and we
will not check which OS they come from.</li>
<li>we know that emails arriving on port 10026 are outgoing, so we treat them as
such.</li>
<li>the next block describes the processing outgoing emails go through: first,
we reaffirm that they do come from our server. We allow disclaimers (see once
again <a href="https://tools.ietf.org/html/rfc4871">RFC 4871</a>). We declare
the address to notify in case of spam/viruses coming from our system, and that
we want to be warned. We declare where to send the emails once signed and
filtered, then that emails must be converted to 7-bit format before being
handed to the MTA, that we allow all file types and names, and that success
notifications are kept. And there you go!</li>
</ul>
<p>You may have noticed that at no point did we configure either the signing of
outgoing emails or the filtering of incoming ones. These settings are in fact
enabled by default in amavis.</p>
<p>We still have a few operations left, though.
First, we need to generate our DKIM key. There are several ways to do this; I
personally used opendkim (<a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy">a
tutorial</a>), but many other methods exist.
We still have to configure spamassassin:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e">#rewrite_header Subject *****SPAM*****</span>
<span style="color: #75715e"># report_safe 1</span>
<span style="color: #f8f8f2">required_score</span> <span style="color: #ae81ff">2.0</span>
<span style="color: #75715e"># use_bayes 1</span>
<span style="color: #75715e"># bayes_auto_learn 1</span>
<span style="color: #75715e"># bayes_ignore_header X-Bogosity</span>
<span style="color: #75715e"># bayes_ignore_header X-Spam-Flag</span>
<span style="color: #75715e"># bayes_ignore_header X-Spam-Status</span>
<span style="color: #f8f8f2">ifplugin</span> <span style="color: #f8f8f2">Mail::SpamAssassin::Plugin::Shortcircuit</span>
<span style="color: #75715e"># shortcircuit USER_IN_WHITELIST on</span>
<span style="color: #75715e"># shortcircuit USER_IN_DEF_WHITELIST on</span>
<span style="color: #75715e"># shortcircuit USER_IN_ALL_SPAM_TO on</span>
<span style="color: #75715e"># shortcircuit SUBJECT_IN_WHITELIST on</span>
<span style="color: #75715e"># shortcircuit USER_IN_BLACKLIST on</span>
<span style="color: #75715e"># shortcircuit USER_IN_BLACKLIST_TO on</span>
<span style="color: #75715e"># shortcircuit SUBJECT_IN_BLACKLIST on</span>
<span style="color: #f8f8f2">shortcircuit</span> <span style="color: #f8f8f2">ALL_TRUSTED</span> <span style="color: #f8f8f2">off</span>
<span style="color: #75715e"># shortcircuit BAYES_99 spam</span>
<span style="color: #75715e"># shortcircuit BAYES_00 ham</span>
<span style="color: #f8f8f2">endif</span> <span style="color: #75715e"># Mail::SpamAssassin::Plugin::Shortcircuit</span>
</pre></div>
<p>As you can see, the changes mostly boil down to lowering required_score, in
my case.</p>
<p>Finally, enable the required services: opensmtpd, dovecot, amavisd and
spamassassin, and everything should work perfectly.</p>
<p>Good luck with your mail hosting afterwards…</p>
<h1>Installing FreeBSD on an Online server with MfsBSD</h1>
<p><em>Wxcafe, 2014-08-28</em></p>
<p>I recently had the opportunity to rent a server at Online.net (a subsidiary of Illiad).
Having wanted for quite a while to run a FreeBSD server (and to test <a href="http://bhyve.org/">bhyve</a>),
and not having had, for various reasons, the opportunity to do so on my
<a href="http://home.wxcafe.net">self-hosted server</a> nor on <a href="http://wxcafe.net">this server</a>,
I started looking into how to do it on this one.</p>
<p>Since Online does not directly offer a FreeBSD image on its servers, I had to
look a bit further. It turns out that <a href="http://forum.online.net/index.php?/topic/3557-installation-de-freebsd-91-amd64-sur-une-dedibox-lt15k-2013/">this post</a> on the Online forums
explains a procedure, but it did not work for my particular server.</p>
<p>So I searched the internet a bit, then asked on IRC (#freebsd-fr@freenode),
where I was pointed to <a href="http://mfsbsd.vx.sk/">mfsbsd</a>, an alternative,
minimalist and simplified installer project for FreeBSD.</p>
<p>To install FreeBSD on your server, then, you will need access to a KVM
console (in my case, iLO). This should be doable from the Online panel. Once
that is done, start a console, then download the mfsbsd image. In the iLO
console, choose to boot from a CD/DVD image, then select the mfsbsd image. Then
reboot the server. Choose to boot from the CD/DVD image (F11 then 1). Once this
is done, a seemingly perfectly ordinary FreeBSD will start. At this point the
important part comes: mfsbsd contains a root-on-zfs installation script,
logically named zfsinstall, which will take care of all the work for us.</p>
<p>Use this script as follows:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># first, wipe the MBR (one 512-byte block):</span>
dd if=/dev/zero of=/dev/da0 bs=512 count=1
<span style="color: #75715e"># now, install the system</span>
zfsinstall -g da0 -u ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/10.0-RELEASE/ -s 2G -p root -c
</pre></div>
<p>Here <code>-g da0</code> is your main hard drive, <code>-s 2G</code> the desired amount of swap,
<code>-p root</code> the name of the zpool, and <code>-c</code> enables compression. Other options
are available; I invite you to run <code>zfsinstall -h</code> if my setup does not suit
you.</p>
<p>Once this is done, chroot into /mnt (where the new system should be) and edit
/etc/rc.conf:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">zfs_enable</span><span style="color: #f92672">=</span><span style="color: #e6db74">"YES"</span>
<span style="color: #f8f8f2">sshd_enable</span><span style="color: #f92672">=</span><span style="color: #e6db74">"YES"</span>
<span style="color: #f8f8f2">hostname</span><span style="color: #f92672">=</span><span style="color: #e6db74">"whatever"</span>
<span style="color: #f8f8f2">ifconfig_igb0</span><span style="color: #f92672">=</span><span style="color: #e6db74">"DHCP"</span>
</pre></div>
<p>Replace whatever with your hostname, and igb0 with the name of your physical
interface connected to the internet. Exit the chroot, reboot, and there you go:
you now have a clean FreeBSD system installed on zfs to discover and use!</p>
<p>That's the end of this tutorial.
(That said, good luck testing bhyve, given that IPv6 at Online is… not very
credible, let's say.)</p>
<p>On other topics, I have set up some twitter bots:
<a href="https://twitter.com/wxcafe_ebooks">wxcafe_ebooks</a>,
<a href="https://twitter.com/petitefanfare">petitefanfare</a>,
<a href="https://twitter.com/capet_ebooks">capet_ebooks</a>,
<a href="https://twitter.com/zengisse">zengisse</a>,
and <a href="https://wxcafe.net/kim_ebooks">kim_ebooks</a>. They are all based on <a href="https://github.com/wxcafe/ebooks_example">this
code</a>, which comes from
<a href="https://twitter.com/m1sp">@m1sp</a>
(<a href="https://github.com/twitter_ebooks">github.com/twitter_ebooks</a>). So there.</p>
<p>See you</p>
<h1>SSL, or security on the internet</h1>
<p><em>Wxcafe, 2014-05-30</em></p>
<p><em>Disclaimer: this post was written after watching the following talk by Moxie
Marlinspike: <a href="https://www.youtube.com/watch?v=ibF36Yyeehw">More Tricks for Defeating SSL</a>,
given at DefCon 17 (in 2011), and reading the following post:
<a href="http://www.thoughtcrime.org/blog/lavabit-critique/">A Critique of Lavabit</a>,
which can have the effect of making one slightly paranoid. If you consider that
to be the case here, please disregard this post (and you may as well say hi
right now to the various people listening in on your connection).</em></p>
<p>If you come here often (you should), and you use SSL to connect to this site
(you really should, in that case), you may have noticed something recently: the
certificate used to serve this site has changed.</p>
<p>This follows the events mentioned in the <em>Disclaimer</em>, but also the
admin/author of this “blog” pulling his fingers out of a particular part of his
body and <strong>finally</strong> taking the 5 minutes needed for a superficial
understanding of how SSL works, and the 10 needed to set up a working system
using this newly acquired understanding.</p>
<p>In short, the certificate has changed. But in what way, you may be wondering
(or not, but I will explain anyway). Well, it is very simple: there used to be
one certificate for <code>wxcafe.net</code>, one for
<code>paste.wxcafe.net</code>, one for <code>mail.wxcafe.net</code>, etc… In short, a different
certificate for each subdomain.</p>
<p>It turns out this is both very impractical to use (users have to add each
certificate to their browser separately, every change of subdomain leads to an
error message, etc.) and no more secure than having a single wildcard
certificate. So yesterday I generated a certificate for <code>*.wxcafe.net</code>,
which will from now on be used for all subdomains of <code>wxcafe.net</code>, and a
certificate for <code>wxcafe.net</code>, which does not match <code>*.wxcafe.net</code>
and will therefore be used… well, for <code>wxcafe.net</code>.</p>
<p>It would be preferable to set up automatic redirects from http addresses to
https ones; however, since the certificate is self-signed, it seems better to me
that arriving on the site does not start with a Firefox page saying “Something's
Wrong!”, so these redirects will not be set up.</p>
<p>Furthermore, after reading the blog article about Lavabit linked above, it
seems interesting (and fairly important) to make the server use, preferably (and
if possible, exclusively), ciphers supporting PFS, i.e. EDH and EECDH (Ephemeral
Diffie-Hellman and the Elliptic Curve version of the same algorithm). This
ensures that all communications with this server are future-proof, that is,
even if someone recovered the private key, it would not be useful for
decrypting past communications.</p>
<p>Now that the basic explanations are done, let's look at the
implementation: <br>
To generate the key, first, use the following commands:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo openssl genrsa -out example.key 4096
<span style="color: #75715e"># we use a 4096-bit key here; the size is left to your judgement</span>
sudo openssl req -new -key example.key -out example.csr
<span style="color: #75715e"># OpenSSL will ask you for a lot of information here; "Common Name" must contain the FQDN</span>
sudo openssl x509 -req -days 1095 -in example.csr -signkey example.key -out example.crt
<span style="color: #75715e"># finally, we generate the self-signed certificate, valid for 3 years</span>
</pre></div>
<p>Of course, if you want a wildcard certificate, you must give
<code>*.example.com</code> as the common name.
Once the key is generated, the various services have to be told to use it, and
to use only PFS ciphers. The method therefore depends on the service.
I will list here the methods for a few services I use:</p>
<h3>apache :</h3>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># /etc/apache2/mods-enabled/ssl.conf</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #f8f8f2">SSLProtocol</span> <span style="color: #66d9ef">all</span> -SSLv2 -SSLv3
<span style="color: #f8f8f2">SSLHonorCipherOrder</span> <span style="color: #66d9ef">on</span>
<span style="color: #f8f8f2">SSLCipherSuite</span> <span style="color: #960050; background-color: #1e0010">"</span>EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS<span style="color: #960050; background-color: #1e0010">"</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #75715e"># /etc/apache2/sites-enabled/default-ssl</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #f8f8f2">SSLEngine</span> <span style="color: #66d9ef">on</span>
<span style="color: #f8f8f2">SSLCertificateFile</span> <span style="color: #e6db74">/etc/certs/example.com.crt</span>
<span style="color: #f8f8f2">SSLCertificateKeyFile</span> <span style="color: #e6db74">/etc/certs/example.com.key</span>
<span style="color: #75715e"># [...]</span>
</pre></div>
<h3>nginx :</h3>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># /etc/nginx/nginx.conf </span>
<span style="color: #75715e"># [...]</span>
<span style="color: #66d9ef">ssl_protocols</span> <span style="color: #e6db74">TLSv1</span> <span style="color: #e6db74">TLSv1.1</span> <span style="color: #e6db74">TLSv1.2</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">ssl_prefer_server_ciphers</span> <span style="color: #66d9ef">on</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">ssl_ciphers</span> <span style="color: #e6db74">"EECDH+ECDSA+AESGCM</span> <span style="color: #e6db74">EECDH+aRSA+AESGCM</span> <span style="color: #e6db74">EECDH+ECDSA+SHA384</span> <span style="color: #e6db74">\</span>
<span style="color: #e6db74">EECDH+ECDSA+SHA256</span> <span style="color: #e6db74">EECDH+aRSA+SHA384</span> <span style="color: #e6db74">EECDH+aRSA+SHA256</span> <span style="color: #e6db74">EECDH+aRSA+RC4</span> <span style="color: #e6db74">\</span>
<span style="color: #e6db74">EECDH</span> <span style="color: #e6db74">EDH+aRSA</span> <span style="color: #e6db74">RC4</span> <span style="color: #e6db74">!aNULL</span> <span style="color: #e6db74">!eNULL</span> <span style="color: #e6db74">!LOW</span> <span style="color: #e6db74">!3DES</span> <span style="color: #e6db74">!MD5</span> <span style="color: #e6db74">!EXP</span> <span style="color: #e6db74">!PSK</span> <span style="color: #e6db74">!SRP</span> <span style="color: #e6db74">!DSS"</span><span style="color: #f8f8f2">;</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #75715e"># /etc/nginx/sites-enabled/default-ssl</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #66d9ef">ssl</span> <span style="color: #66d9ef">on</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">ssl_certificate</span> <span style="color: #e6db74">/etc/certs/example.com.crt</span><span style="color: #f8f8f2">;</span>
<span style="color: #66d9ef">ssl_certificate_key</span> <span style="color: #e6db74">/etc/certs/example.com.key</span><span style="color: #f8f8f2">;</span>
<span style="color: #75715e"># [...]</span>
</pre></div>
<h3>prosody (jabber) :</h3>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># first, run the following command:</span>
sudo openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048
<span style="color: #75715e"># then, for each VirtualHost in /etc/prosody/prosody.conf:</span>
ssl = {
    dhparam = "/etc/prosody/certs/dh-2048.pem";
    key = "/etc/certs/example.com.key";
    certificate = "/etc/certs/example.com.crt";
}
<span style="color: #75715e"># prosody's default cipher suite uses EDH and EECDH</span>
</pre></div>
<h3>postfix (email) :</h3>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># /etc/postfix/main.cf</span>
<span style="color: #75715e"># [...]</span>
<span style="color: #f8f8f2">smtpd_tls_cert_file</span> <span style="color: #f92672">=</span> /etc/certs/example.com.crt
<span style="color: #f8f8f2">smtpd_tls_key_file</span> <span style="color: #f92672">=</span> /etc/certs/example.com.key
<span style="color: #f8f8f2">tls_preempt_cipherlist</span> <span style="color: #f92672">=</span> yes
<span style="color: #f8f8f2">smtpd_tls_eecdh_grade</span> <span style="color: #f92672">=</span> strong
<span style="color: #f8f8f2">smtpd_tls_mandatory_ciphers</span> <span style="color: #f92672">=</span> high
<span style="color: #f8f8f2">smtpd_tls_mandatory_exclude_ciphers</span> <span style="color: #f92672">=</span> aNULL, eNULL, MD5, LOW, 3DES, EXP, PSK, SRP, DSS
<span style="color: #f8f8f2">smtpd_tls_security_level</span> <span style="color: #f92672">=</span> encrypt
<span style="color: #f8f8f2">smtpd_tls_mandatory_protocols</span> <span style="color: #f92672">=</span> !SSLv2, !SSLv3
<span style="color: #f8f8f2">smtpd_use_tls</span> <span style="color: #f92672">=</span> yes
<span style="color: #75715e"># [...]</span>
</pre></div>
<h3>dovecot (imap) :</h3>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #75715e"># /etc/dovecot/dovecot.conf </span>
<span style="color: #75715e"># [...]</span>
<span style="color: #f8f8f2">ssl_cert</span> <span style="color: #f92672">=</span> </etc/certs/example.com.crt
<span style="color: #f8f8f2">ssl_key</span> <span style="color: #f92672">=</span> </etc/certs/example.com.key
<span style="color: #f8f8f2">ssl_cipher_list</span> <span style="color: #f92672">=</span> HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL
</pre></div>
<p>There. For other protocols/services, I invite you to RTFM^W refer to the
appropriate manual.</p>
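<p>As an added example (not code from the original post), the following Python script hands a cipher string such as the <code>SSLCipherSuite</code> / <code>ssl_ciphers</code> values above to the OpenSSL build Python is linked against and lists which suites would be offered without an ephemeral (EDH/EECDH) key exchange, so the “PFS only” intent can be checked rather than assumed; <code>STRICT_CIPHERS</code> is my own suggested alternative, not the post's.</p>

```python
"""Audit an OpenSSL cipher string for forward secrecy.

Added example, not code from the original post: it hands a cipher string such
as the SSLCipherSuite / ssl_ciphers values above to the OpenSSL build Python
is linked against and reports every suite that would be offered without an
ephemeral (EDH/EECDH) key exchange, or with a primitive the post's own configs
exclude.  Which suites exist depends on that OpenSSL build.
"""
import ssl

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) suites.
# TLS 1.3 suites report 'kx-any'; TLS 1.3 only has (EC)DHE, so they count.
PFS_KEY_EXCHANGE = {"kx-ecdhe", "kx-dhe", "kx-any"}
# Substrings of suite names that the post's '!...' exclusions are meant to drop.
WEAK_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL actually enables for cipher_string (the list
    of dicts produced by SSLContext.get_ciphers())."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Sort the enabled suites into forward-secret, non-forward-secret and
    'weak' (uses a primitive the post blacklists)."""
    report = {"pfs": [], "no_pfs": [], "weak": []}
    for suite in expand_cipher_string(cipher_string):
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            report["weak"].append(name)
        bucket = "pfs" if suite["kea"] in PFS_KEY_EXCHANGE else "no_pfs"
        report[bucket].append(name)
    return report


def is_forward_secret_only(cipher_string):
    """True when every enabled suite uses ephemeral key exchange and none of
    them uses a blacklisted primitive."""
    report = audit(cipher_string)
    return bool(report["pfs"]) and not report["no_pfs"] and not report["weak"]


# The Apache/nginx cipher string from the post.  OpenSSL accepts spaces as
# separators, so it can be passed through unchanged.  Note the bare 'RC4'
# entry: on a build that still ships RC4 it also enables RC4 suites with a
# static RSA key exchange, which have no forward secrecy.
POST_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# A stricter alternative (my suggestion, not the post's): ephemeral key
# exchange and AEAD ciphers only, which rules out RC4 and 3DES by itself.
STRICT_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!MD5"

if __name__ == "__main__":
    for label, spec in (("post", POST_CIPHERS), ("strict", STRICT_CIPHERS)):
        rep = audit(spec)
        print(f"{label}: {len(rep['pfs'])} PFS suites, "
              f"{len(rep['no_pfs'])} without PFS, weak: {rep['weak']}")
```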
<p>That said, I advise everyone to go watch the talk in the disclaimer, and
while you are at it, the talk by the same hacker <a href="https://www.youtube.com/watch?v=8N4sb-SEpcg">SSL and the future
of Authenticity</a>, which covers his
implementation of a technology “replacing” the CA system that exists
today.</p>
<h1>Setting up a DNS server</h1>
<p><em>Wxcafe, 2014-02-24</em></p>
<p>DNS (Domain Name System) is the service that resolves domain names into
various pieces of information: IPv4 addresses, IPv6 addresses, DNSSEC or IPsec
certificates, geographic location, or even text. In general, DNS is used to
resolve domain names into IP addresses, and thus to make life easier for all
users (I doubt everyone would remember to connect to <a href="http://173.194.45.66">http://173.194.45.66</a>, or to
<a href="http://199.16.156.70">http://199.16.156.70</a>. Or even to
<a href="http://5.39.76.46">http://5.39.76.46</a>).</p>
<p>However, DNS is a system dating from 1984, and the user-experience
expectations of the time were not necessarily as high as today's. Configuring
DNS servers can therefore be fairly counter-intuitive.
That said, understanding how DNS works and controlling your own records is
important.</p>
<p>First, a little theory. DNS works the same way as a filesystem: as a tree.
However, where the root of the FS is <code>/</code>, that of DNS is <code>.</code>, and where for
the FS one writes, for example, <code>/usr/</code> and the path progresses from left to
right, for DNS the <code>.</code> is not mandatory and progression goes from right to
left. For example, take the TLD (top-level domain) <code>com</code>: the domain
<code>google.com</code> belongs to <code>com</code>, and one commonly writes <code>google.com</code>
without the trailing dot.</p>
<p>Reverse DNS is a variant of “classic” DNS that resolves IP addresses into
domain names. Thus, 5.39.46.76 has the domain wxcafe.net.
However, reverse DNS, by definition, has no TLD to head towards when it is given
a query. The “addresses” queried in reverse DNS are therefore made up of the IP
address, <strong><em>in the reverse of the usual order</em></strong>, and the
pseudo-domain .in-addr.arpa.
For example, to find the reverse of 5.39.46.76, run <code>dig PTR
76.46.39.5.in-addr.arpa</code>. The answer will, obviously, be <code>wxcafe.net</code>.</p>
<p>Now let's see how to set up your own DNS server. First, some information.
DNS runs on port 53 over UDP, and the command used to run DNS tests is
<code>dig</code>. DNS works with “records”. For example, an A record gives an IP
address, an NS record gives a name server, etc. <code>dig</code> relies on these
records: by default, it will look up the A record(s) matching the domain name
you give as argument, but by specifying another record type you can obtain any
information: for example, <code>dig NS wxcafe.net</code> should return</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> NS wxcafe.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13846
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;wxcafe.net.			IN	NS
;; ANSWER SECTION:
wxcafe.net.		3600	IN	NS	ns.wxcafe.net.
wxcafe.net.		3600	IN	NS	ns.home.wxcafe.net.
;; Query time: 60 msec
;; SERVER: 10.0.42.1#53(10.0.42.1)
;; WHEN: Tue Dec 10 13:31:18 2013
;; MSG SIZE  rcvd: 67
</pre></div>
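<p>The exchange above on the wire, as an added example that is not part of the original post: a minimal Python implementation of the DNS message format that builds the query <code>dig NS wxcafe.net</code> sends over UDP port 53, parses a response constructed by hand to mirror the dig output (two NS records, TTL 3600, 67 bytes), and derives the in-addr.arpa name used for the PTR lookup described earlier. The ip6.arpa branch goes beyond the post, which shows IPv4 only; nothing here touches the network.</p>

```python
"""Minimal DNS wire-format helpers (RFC 1035).

Added example, not code from the original post: build_query() produces the
UDP payload `dig NS wxcafe.net` sends to port 53, parse_response() decodes an
answer (including the name-compression pointers real servers use), and
reverse_name() builds the in-addr.arpa / ip6.arpa owner name queried for PTR
records.  SAMPLE_RESPONSE is constructed by hand to mirror the dig output.
"""
import ipaddress
import struct

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}
TYPE_CODES = {name: code for code, name in RR_TYPES.items()}


def encode_name(name):
    """'wxcafe.net' -> b'\\x06wxcafe\\x03net\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_CODES[rtype], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name at offset.  Returns (name, offset
    just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2  # a name ends right after its first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset if end is None else end


def parse_response(msg):
    """Return id, rcode, the aa flag and the answer section as
    (owner, type, ttl, rdata) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if RR_TYPES.get(rtype) in ("NS", "CNAME", "PTR"):
            rdata, _ = decode_name(msg, offset)  # rdata may use pointers too
        elif rtype == 1:
            rdata = str(ipaddress.IPv4Address(msg[offset:offset + 4]))
        elif rtype == 28:
            rdata = str(ipaddress.IPv6Address(msg[offset:offset + 16]))
        else:
            rdata = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, RR_TYPES.get(rtype, str(rtype)), ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF,
            "authoritative": bool(flags & 0x0400), "answers": answers}


def reverse_name(address):
    """Owner name for a PTR lookup: reversed octets + in-addr.arpa for IPv4;
    reversed nibbles + ip6.arpa for IPv6 (the post only shows IPv4)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    return ".".join(reversed(ip.exploded.replace(":", ""))) + ".ip6.arpa."


# Constructed response mirroring the dig output above: id 13846, flags qr rd
# ra, two NS answers with TTL 3600.  Owner names and the 'wxcafe.net' suffix
# of each rdata are compression pointers to the question name at offset 12
# (0xC00C), as a real server encodes them; the result is 67 bytes, matching
# the 'MSG SIZE rcvd' line.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 13846, 0x8180, 1, 2, 0, 0)
    + encode_name("wxcafe.net") + struct.pack("!HH", TYPE_CODES["NS"], 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 5) + b"\x02ns\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 10) + b"\x02ns\x04home\xc0\x0c"
)

if __name__ == "__main__":
    for owner, rtype, ttl, rdata in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(f"{owner}\t{ttl}\tIN\t{rtype}\t{rdata}")
    print(reverse_name("5.39.46.76"))  # 76.46.39.5.in-addr.arpa.
```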
<p>As you can see, the main DNS servers for
<a href="http://wxcafe.net">wxcafe.net</a> are <code>ns.wxcafe.net</code> and <code>ns.home.wxcafe.net</code>,
which are respectively aliases for <code>wxcafe.net</code> and <code>home.wxcafe.net</code>. Thus,
each is authoritative for itself, and the obvious problem is that the resolver
cannot resolve the query if it keeps being sent back to the same server. The
addresses of these two servers must therefore be defined in the same
configuration file. That way, the resolver, at the end of its second loop, will
realise it is stuck in an infinite loop and will ask the server it is connected
to for the address. The first pointer in the right direction comes from the TLD
server.</p>
<p>Configuring bind is fairly simple in principle; the most complex part is
actually writing the zone files.
On Debian, bind is configured in the <code>/etc/bind/</code> directory. There are 4 main
configuration files: <code>named.conf</code>, <code>named.conf.default-zones</code>,
<code>named.conf.local</code> and <code>named.conf.options</code>.
<code>named.conf</code> contains bind’s default options, <code>named.conf.default-zones</code>
the declarations of the default zones (which are best left alone),
<code>named.conf.local</code> contains the declarations of your zones, and
<code>named.conf.options</code> contains the options you add to change bind’s
behaviour.</p>
<p>To begin with, it should be said that we will be discussing the situation
wxcafe.net is in: two domains we want to be authoritative for, two DNS servers,
and a recursive resolution service restricted to a few IPs (notably my home
connection).</p>
<p>Let’s first look at named’s configuration files.
<code>named.conf.local</code> contains the forward and reverse zone definitions.
On wxcafe.net, the zones <code>wxcafe.net</code> and <code>46.76.39.5.in-addr.arpa</code> are managed
as master, and the zones <code>home.wxcafe.net</code> and <code>103.177.67.80.in-addr.arpa</code>
are managed as slave. We will only look at the zone declarations on this server,
not on home., since they are essentially the same; the main difference is that
each one hosts as slave the zones the other is master for.
The <code>named.conf.local</code> file on wxcafe.net therefore contains:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>zone <span style="color: #e6db74">"wxcafe.net"</span> <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">type</span> master<span style="color: #f8f8f2">;</span>
file <span style="color: #e6db74">"/etc/bind/master/wxcafe.net"</span><span style="color: #f8f8f2">;</span>
allow-transfer <span style="color: #f92672">{</span>
<span style="color: #ae81ff">80</span>.67.177.103<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
zone <span style="color: #e6db74">"home.wxcafe.net"</span> <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">type</span> slave<span style="color: #f8f8f2">;</span>
file <span style="color: #e6db74">"/etc/bind/slave/home.wxcafe.net"</span><span style="color: #f8f8f2">;</span>
masters <span style="color: #f92672">{</span>
<span style="color: #ae81ff">80</span>.67.177.103<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
zone <span style="color: #e6db74">"46.76.39.5.in-addr.arpa"</span> <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">type</span> master<span style="color: #f8f8f2">;</span>
file <span style="color: #e6db74">"/etc/bind/master/46.76.39.5.in-addr.arpa"</span><span style="color: #f8f8f2">;</span>
allow-transfer <span style="color: #f92672">{</span>
<span style="color: #ae81ff">80</span>.67.177.103<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
zone <span style="color: #e6db74">"103.177.67.80.in-addr.arpa"</span> <span style="color: #f92672">{</span>
<span style="color: #f8f8f2">type</span> slave<span style="color: #f8f8f2">;</span>
file <span style="color: #e6db74">"/etc/bind/slave/103.177.67.80.in-addr.arpa"</span><span style="color: #f8f8f2">;</span>
masters <span style="color: #f92672">{</span>
<span style="color: #ae81ff">80</span>.67.177.103<span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
<span style="color: #f92672">}</span><span style="color: #f8f8f2">;</span>
</pre></div>
<p>This should be fairly clear. Overall, master zones have a file in
<code>/etc/bind/master/</code> and slaves a file in <code>/etc/bind/slave/</code>; the masters
allow transfers to home.wxcafe.net while the slaves declare home.wxcafe.net as
master, and the rest speaks for itself.</p>
<p>Now let’s look at the zone file for wxcafe.net, that is
<code>/etc/bind/master/wxcafe.net</code>:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">$TTL</span> <span style="color: #ae81ff">3600</span> <span style="color: #f8f8f2">;</span> <span style="color: #ae81ff">1</span> <span style="color: #f8f8f2">hour</span>
<span style="color: #f8f8f2">@</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">SOA</span> <span style="color: #f8f8f2">ns</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span> <span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span> <span style="color: #f8f8f2">(</span>
<span style="color: #ae81ff">2014011001</span> <span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">serial</span>
<span style="color: #ae81ff">3</span><span style="color: #f8f8f2">h</span> <span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">refresh</span>
<span style="color: #ae81ff">1</span><span style="color: #f8f8f2">h</span> <span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">retry</span>
<span style="color: #ae81ff">168</span><span style="color: #f8f8f2">h</span> <span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">expire</span>
<span style="color: #ae81ff">300</span> <span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">negative</span> <span style="color: #f8f8f2">response</span> <span style="color: #f8f8f2">ttl</span>
<span style="color: #f8f8f2">)</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">Name</span> <span style="color: #f8f8f2">servers</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">NS</span> <span style="color: #f8f8f2">ns</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">NS</span> <span style="color: #f8f8f2">ns</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">home</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">Mail</span> <span style="color: #f8f8f2">exchangers</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">MX</span> <span style="color: #ae81ff">10</span> <span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">SPF</span> <span style="color: #e6db74">"v=spf1 ip4:5.39.76.46 a -all"</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">Main</span> <span style="color: #f8f8f2">A</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">AAAA</span> <span style="color: #f8f8f2">records</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">A</span> <span style="color: #ae81ff">5.39.76.46</span>
<span style="color: #f8f8f2">ns</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">A</span> <span style="color: #ae81ff">5.39.76.46</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">Aliases</span>
<span style="color: #f8f8f2">data</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">CNAME</span> <span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">[</span><span style="color: #f92672">...</span><span style="color: #f8f8f2">]</span>
<span style="color: #f8f8f2">www</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">CNAME</span> <span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">;</span> <span style="color: #f8f8f2">home</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span> <span style="color: #f8f8f2">definition</span>
<span style="color: #f8f8f2">$ORIGIN</span> <span style="color: #f8f8f2">home</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">@</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">NS</span> <span style="color: #f8f8f2">ns</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">home</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">NS</span> <span style="color: #f8f8f2">ns</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">wxcafe</span><span style="color: #f92672">.</span><span style="color: #f8f8f2">net</span><span style="color: #f92672">.</span>
<span style="color: #f8f8f2">ns</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">A</span> <span style="color: #ae81ff">80.67.177.103</span>
<span style="color: #f8f8f2">@</span> <span style="color: #f8f8f2">IN</span> <span style="color: #f8f8f2">A</span> <span style="color: #ae81ff">80.67.177.103</span>
</pre></div>
<p>Right. Let’s go through it line by line.<br>
First, the TTL (time to live) is a parameter defining how long the recursive
servers (which cache data) must cache this zone file.<br>
The @ is a shorthand for the current domain name, so here, wxcafe.net.<br>
Now we get to an important record: SOA (Start of Authority). This record takes
a number of arguments, in order:</p>
<ul>
<li>the authoritative nameserver for the domain name in question,</li>
<li>the email address of the person responsible for this zone, with the first
dot replaced by an @,</li>
</ul>
<p>then, between parentheses:</p>
<ul>
<li>the serial number (the “version” of the zone file, here in YYYYMMDDNN
format),</li>
<li>the refresh period, the interval between each update of the secondary
authoritative nameserver,</li>
<li>the retry period, the time between each update attempt if the primary
authoritative nameserver is unavailable,</li>
<li>the expire period, how long the secondary authoritative server waits before
dropping the information from its cache if the primary stays unavailable, and
finally</li>
<li>the negative TTL period, how long the secondary server waits before no
longer serving this zone’s information if the primary is unreachable.</li>
</ul>
<p>Okay, all of this may be a bit confusing, but it isn’t the most important
record to read (for humans, at any rate). Let’s continue:</p>
<p>NS (nameserver) designates the various nameservers that are authoritative
for this domain.</p>
<p>MX indicates where email for this domain should be sent.
SPF is an authentication record for email.
A records map a domain name to an IPv4 address. AAAA records do the same for
IPv6, but unfortunately this site isn’t on IPv6 yet.</p>
<p>CNAMEs (canonical name) are aliases of sorts: they let you set up domains that
are exactly the same as others (which, for the web, then lets you filter with
Apache’s Virtual Hosts, for example).</p>
<p>Finally, the part that follows begins with a $ORIGIN declaration, which
changes the value of @ and of incomplete domain names (those that don’t end with
a dot). So the following part defines the nameservers and the main IP address of
home.wxcafe.net and ns.home.wxcafe.net. As we have seen, since this domain name
is managed by another DNS server, this lets us redirect the requests that reach
us asking for a domain under home.wxcafe.net.</p>
<p>The other zone files are broadly similar, the few differences ultimately being
just differences in values (because, well, they aren’t the same domains…).</p>
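As an added example (not code from the original post), the following shell/awk helper applies the naming rules just described: it prints every record of a zone file with its fully qualified owner (@, blank owners, names without a trailing dot, $ORIGIN), and, going a step beyond the post, lists in-zone NS targets that have no address record. The sample zone is constructed (documentation addresses under example.net, laid out like the file above), and it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not the post's own code: expand a zone file into fully
# qualified records, then check that every in-zone NS target has glue.

# expand_zone <origin> : reads a zone file on stdin, prints "owner class type rdata"
expand_zone() {
  awk -v origin="$1" '
    function fq(n) {                      # fully qualify a name
      if (n == "@") return origin
      if (n ~ /\.$/) return n
      return n "." origin
    }
    /^[ \t]*;/ || /^[ \t]*$/ { next }     # comment or blank line
    inparen { if (index($0, ")")) inparen = 0; next }   # rest of a multi-line SOA
    $1 == "$ORIGIN" { origin = $2; next } # switch the origin
    $1 == "$TTL"    { next }
    {
      sub(/[ \t]*;.*$/, "")               # strip a trailing comment
      if ($0 ~ /^[ \t]/) owner = last     # blank owner: inherit the previous one
      else { owner = fq($1); last = owner; sub(/^[^ \t]+/, "") }
      if (index($0, "(") && !index($0, ")")) { inparen = 1; sub(/[ \t]*\(.*$/, "") }
      $1 = $1                             # normalise whitespace
      print owner, $0
    }'
}

# glue_check <origin> : reads a zone file on stdin, prints in-zone NS targets
# that have no A/AAAA record in the same file
glue_check() {
  expand_zone "$1" | awk -v origin="$1" '
    function inzone(n) { return n == origin || substr(n, length(n) - length(origin)) == "." origin }
    $3 == "NS" && inzone($4)  { ns[$4] = 1 }
    $3 == "A" || $3 == "AAAA" { has[$1] = 1 }
    END { for (n in ns) if (!(n in has)) print "NS " n " has no A/AAAA record in this zone (missing glue)" }' | sort
}

# Constructed sample zone (documentation addresses, not real ones): a parent
# zone plus a delegated home. subzone, laid out like the file discussed above.
SAMPLE_ZONE='$TTL 3600 ; 1 hour
@   IN SOA ns.example.net. hostmaster.example.net. (
        2014011001 ; serial
        3h         ; refresh
        1h         ; retry
        168h       ; expire
        300 )      ; negative response ttl
; Name servers
    IN NS    ns.example.net.
    IN NS    ns.home.example.net.
    IN A     192.0.2.10
ns  IN A     192.0.2.10
www IN CNAME example.net.
; home.example.net. delegation
$ORIGIN home.example.net.
@   IN NS    ns.home.example.net.
    IN NS    ns.example.net.
ns  IN A     198.51.100.5
    IN A     198.51.100.5
'

printf '%s' "$SAMPLE_ZONE" | expand_zone example.net.
# The last expanded line shows the pitfall: a blank owner after "ns" means
# ns.home.example.net. again, not home.example.net., so the subzone apex gets no A.
printf '%s' "$SAMPLE_ZONE" | glue_check example.net.
```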
<p>So that’s a short explanation of what DNS is. Of course, not everything is
covered here; I only went over what is in place at wxcafe.net, and quickly at
that. If you want to know more, you can go straight to the source:
<a href="https://www.ietf.org/rfc/rfc1034.txt">RFC 1034</a> and
<a href="https://www.ietf.org/rfc/rfc1035.txt">RFC 1035</a>. In a different (much more
advanced) style, <a href="http://bortzmeyer.org">Stéphane Bortzmeyer</a>’s blog is
interesting too.</p>
<h1>NAT</h1>
<p>2014-02-17T05:02:00+01:00, wxcafé, tag:wxcafe.net,2014-02-17:/posts/nat/</p>
<p>NAT (Network Address Translation) in a word?<br>
It’s complicated. Very. Don’t do it, you’d damage your brain.</p>
<p>Well, anyway, next serious article soon, kisses.</p>
<h1>Plan9 from whichever space</h1>
<p>2013-09-09T11:17:00+02:00, Wxcafe, tag:wxcafe.net,2013-09-09:/posts/plan-9-from-whichever-space/</p>
<p><a href="http://en.wikipedia.org/wiki/Plan_9_from_Outer_Space"><strong>Plan 9 from Outer Space</strong></a> is a Z-movie, produced in 1959 by Edward D.
Wood. It is fairly well known as one of the worst films ever released. Full of
editing mistakes and cut-rate special effects, and having even seen the death of
an actor, it thereby reached cult-film status thanks to its mediocrity.</p>
<p><a href="http://plan9.bell-labs.com/plan9/"><strong>Plan 9 from Bell Labs</strong></a> is an OS from Bell Labs (as its name suggests),
designed as the successor to Unix. It is conceived as pushing the Unix concepts
through to their natural conclusion. So it was Plan9 that introduced the concept
of UnionFS, the 9P protocol that gives access to resources belonging to other,
remote computers, Unicode support by default across the whole system (unlike
Unix, which is fundamentally ASCII-based), improved ProcFS support, a graphical
interface by default, and other improvements on the basic themes Unix offers.</p>
<p>However, Plan9 was never really used for anything other than systems
research, which is a shame, because Plan9 has something very interesting to
offer. Indeed, in these days of growing interest in the “klaoude” and in
offloading both processing and data, and even though Plan9 was created well
before the term “cloud computing” first appeared, this system seems to have been
designed to deliver exactly that much-dreamed-of offloading.</p>
<p>Indeed, even if you consider that the novelties it brings over Unix are not
extraordinary in themselves (though they are already substantial), taken
together they make Plan9 the ultimate operating system for sharing resources and
data. Thus, since 9P lets you treat all of a remote system’s resources as nothing
more than a handful of files, you can mount it like any other file system. The
fact that each user can transparently access several namespaces (and so start,
stop and manage processes in each of those namespaces), and that each namespace
can interact with the others even when they are heterogeneous (that is, coming
from different machines), lets you use a remote machine’s resources as if it
were present locally. The UnionFS mechanism makes all of this usable, by
mounting several file systems on the same mount point at the same time, so that
you can access the files of several machines at once (which allows a far deeper
offloading of data than Dropbox or Google Drive, and in kernelspace at that).</p>
<p>The network is therefore an integral part of Plan9, and it becomes harder to
talk about a “computer” when the very idea of the system is to be made of
clusters that are themselves made of heterogeneous machines. The virtual /net
file system provided by the Plan9 kernel makes it very easy to implement various
networking concepts: by mounting the /net of a computer on the local network
onto the one acting as gateway to the internet, you create a NAT towards that
local computer. By mounting the /net of a remote computer onto a local computer
over the secured 9P protocol, you create a VPN: local connections go out through
the remote computer’s access, and the connections between the two are
encrypted.</p>
<p>In short, long before Raspberry Pi clusters that use a python API to share
their computing “power” in userspace, supercomputers for which the Linux kernel
gained support for up to 4096 CPUs, OSes such as JoliOS that promise klaoude
integration when they are in fact little more than slightly improved web
browsers, and online storage services that promise universal access to all our
data when all they offer is to keep it available over the web, Plan9 promised a
technology for sharing system resources and data, a particularly deep
integration of the network into the system, a graphical environment supported
by the base system rather than bolted on top as X11 was, and many other
improvements on Unix.</p>
<p>Unfortunately, it was never adopted in any really significant way, and for a
very Unix-like reason: “worse is better”. The installed base of Unix machines was
already performant and functional enough that solutions were developed on top of
the system to fulfil the same functions Plan9 fulfils <em>via</em> its kernel, such as
Linux’s new ProcFS, FUSE, etc…</p>
<h1>Sed Basics</h1>
<p>2013-08-18T22:57:00+02:00, Wxcafe, tag:wxcafe.net,2013-08-18:/posts/sed-basics/</p>
<p><code>sed</code> is a very widely used and very handy Unix tool for manipulating
text (which turns out to be fairly indispensable in a Unix environment, since
that system is quite text-oriented). However, it is little known in detail, and
most of the time only one function is used: text replacement.<br>
Yet <code>sed</code> has far more possibilities than that, as we are going to see.</p>
<p>First, let’s recall the basics: <code>sed</code> is a basic Unix program, but also a
text manipulation language derived from <code>ed</code>, the original editor.
<code>ed</code> is a line editor, designed back when computers weren’t personal and
were used through <a href="http://fr.wikipedia.org/wiki/telescripteur">teletypes</a>, that is,
machines with no screen, which therefore could not run so-called “visual”
editors such as vim, emacs, and generally every editor that has a cursor and
displays several lines. <code>sed</code> is thus an evolution of <code>ed</code>, the s
standing for stream: <code>sed</code> is a stream editor, taking advantage of the Unix
concept of data streams (see <a href="http://fr.wikipedia.org/wiki/Flux_standard">standard streams</a>) to edit more than one line at a time.
In practice, <code>sed</code> is mostly used on files.</p>
<p><code>sed</code> has a few handy options, notably <code>-s</code>, which suppresses the
systematic printing of processed lines, or <code>-i</code> (in GNU sed), which
redirects the output into the input file. That said, the program’s unique value
is its text manipulation language.</p>
<p><code>ed</code>, and therefore <code>sed</code>, uses a language based on separators
(generally /). So the basic command in <code>sed</code> is</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>/[regex]/
</pre></div>
<p>which selects only the lines matching [regex] (and thus runs the commands
that follow only on those lines).</p>
<p><br/>
The most used <code>sed</code> command is of course <strong>s</strong>, which is used as
follows:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">s</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">[old</span> <span style="color: #f8f8f2">text]</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">[new</span> <span style="color: #f8f8f2">text]</span><span style="color: #f92672">/</span><span style="color: #f8f8f2">[options]</span>
</pre></div>
<p>which substitutes [old text] (which can be a regex) with [new text] (which
must be fixed text, with a few exceptions), applying [options], the best known
option being <code>g</code>, which applies the command to every occurrence of the
matched text on the line(s) concerned.<br>
The exceptions to the “fixedness” of [new text] are particularly interesting.
Indeed, <code>sed</code> uses a fairly standard regex language, except that it allows
up to 9 “holding spaces”, delimited by \( and \), and represented in the
replacement text by \1 through \9.</p>
<p>For example, the command</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sed 's/\(hello world\) world/\1/'
</pre></div>
<p>on the text “hello world world” would return</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>hello world
</pre></div>
<p>Likewise, the <code>&</code> symbol in the replacement text stands for the original
(matched) text. So the command</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sed 's/hello world/& world/'
</pre></div>
<p>on the text “hello world” would return</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>hello world world
</pre></div>
<p><br/></p>
<p>Another useful command is <strong>p</strong>, which prints the text present in the
current space:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>/[regex]/p
</pre></div>
<p><code>sed</code> does in fact store the line it is working on in a dedicated memory
area, which I call the current space (the pattern space). The <code>p</code> command
prints what is in that space. The /[regex]/ narrows the pattern space so that it
only contains the matching lines, and the <strong>p</strong> then prints it.</p>
<p>Other example commands are <strong>c</strong>, <strong>i</strong> and <strong>a</strong>, which are used like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>c \
[text]
</pre></div>
<p>Likewise, for i:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>i \
[text]
</pre></div>
<p>And the same for a.</p>
<p>These three commands are used the same way for the good reason that they are
very close. <strong>i</strong> inserts text <em>before</em> the pattern space, <strong>a</strong>
inserts text <em>after</em> the pattern space, and finally <strong>c</strong> replaces
<em>all of</em> the pattern space. All three use [text] as the replacement or
insert.
Beware: the insertions land on the line preceding or following the pattern
space, not on the line in question.</p>
<p>Finally, the last command that works line by line, <strong>d</strong>:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>/[regex]/d
</pre></div>
<p><strong>d</strong> (delete) removes the contents of the pattern space.</p>
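Here is an added example, not from the original post, that runs each of the commands described above (s with \( \) and &, p, i/a/c and d) over constructed input in small shell functions; it assumes a POSIX sed (GNU or BSD) and writes nothing back to a file.

```shell
#!/bin/sh
# Added example, not the post's code: the sed commands explained above, each
# wrapped in a function over constructed input so its effect is visible.

# Constructed sample text: two log-like lines among ordinary ones.
SAMPLE='hello world world
error: disk full
all good
error: no route'

# s with \( \): the captured group is re-inserted as \1
sed_group() { printf '%s\n' 'hello world world' | sed 's/\(hello world\) world/\1/'; }

# s with &: the whole matched text is re-used inside the replacement
sed_amp() { printf '%s\n' 'hello world' | sed 's/hello world/& world/'; }

# /regex/p prints the pattern space; without -n sed also auto-prints every
# line, so matching lines come out twice. -n is the option that suppresses
# the automatic printing, so "-n ... p" prints only the matching lines.
sed_print_twice() { printf '%s\n' "$SAMPLE" | sed '/^error:/p'; }
sed_print_only()  { printf '%s\n' "$SAMPLE" | sed -n '/^error:/p'; }

# /regex/d drops the pattern space: matching lines never reach the output
sed_delete() { printf '%s\n' "$SAMPLE" | sed '/^error:/d'; }

# i\ and a\ emit their text before/after the matching line (the line itself is
# untouched); the backslash-newline form works on both GNU and BSD sed
sed_insert_append() {
  printf '%s\n' "$SAMPLE" | sed -e '/^all good$/i\
--- before ---' -e '/^all good$/a\
--- after ---'
}

# c\ replaces every matching pattern space with the given text
sed_change() {
  printf '%s\n' "$SAMPLE" | sed '/^error:/c\
[redacted]'
}

for f in sed_group sed_amp sed_print_twice sed_print_only sed_delete sed_insert_append sed_change; do
  printf '== %s\n' "$f"
  "$f"
done
```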
<p><code>sed</code> is a powerful but complex tool. In a future article, I will talk
about multi-line commands and labels.</p>
<h1>Partition encryption with dm-crypt and device-mapper</h1>
<p>2013-07-10T03:18:00+02:00, Wxcafe, tag:wxcafe.net,2013-07-10:/posts/le-chiffrement-de-partition-avec-dm-crypt-et-device-mapper/</p>
<p>Encryption as a computing concept is traditionally associated with file
encryption, that is, going from a <em>plaintext</em> file to an encrypted file called
<em>ciphertext</em>. However, it isn’t limited to that, and can also serve to
guarantee the integrity of an operating system, or the confidentiality of a
storage medium, for example. Here we will see how to set up such a system on
GNU/Linux. This article does not aim to teach you how to set up a system based
on a secure boot procedure, but rather to explain the concepts involved in using
the Linux kernel subsystem <a href="http://en.wikipedia.org/wiki/dm-crypt"><strong>dm_crypt</strong></a> and to
present a quick tutorial on creating an encrypted volume on which to keep your
confidential information (for example, your <a href="http://wxcafe.net/posts/11/19/12/la-cryptographie-avec-pgp-et-principalement-gnupg">GPG key</a>)</p>
<p>dm-crypt is a subsystem of device-mapper, itself a subsystem of the Linux
kernel, and relies on <a href="http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup">LUKS</a>, a disk encryption
standard. As its name suggests, device-mapper is a system whose purpose is to
<strong>map</strong> <strong>block devices</strong>. To be clearer, the kernel considers a
“block device” to be any special file (roughly, the disk files in
<code>/dev/</code>, LVM-type file systems, software RAID, and, in the case that
interests us, encrypted file systems). It works simply: from one “device file”
(Wikipedia’s term), it “creates” a new, virtual one with different properties.
For example, a disk partitioned with LVM will appear as a single disk in /dev,
and device-mapper is required to see its partitions (which will therefore appear
in /dev/mapper)</p>
<p>So in the case that interests us here, device-mapper takes an encrypted file
system, creates an unencrypted virtual device in /dev/mapper, and decrypts on
the fly every disk access to that unencrypted device by translating it onto the
encrypted file system, all of it completely transparently for the applications
using the disk in question. This of course causes a fairly significant drop in
performance when the root file system is encrypted, but an almost negligible one
when data partitions are encrypted.</p>
<p>Incidentally, some of you may be wondering how the system can boot if the
root file system is encrypted. In that particular case, the boot procedure
<strong><em>must</em></strong> rely on an initrd image (the initrd is a minimal file
system used only to initialise the system; the stock kernels of most GNU/Linux
distributions use one in all cases, for compatibility reasons) and on a boot
partition that is not encrypted. So the stage 2 bootloader (grub, syslinux, …)
loads the kernel into memory from the boot partition, then the kernel
decompresses and loads the initrd into RAM, which in turn runs a script that
loads the modules needed for the rest of the boot (whether for a boot without a
local root disk, or, as here, with an encrypted system), then the “target” file
system is mounted over the root, the initrd is unmounted and the RAM it occupied
is freed, and the normal boot procedure resumes from the file system now mounted
on the root.</p>
<p>The most obvious way to bypass disk encryption is then to replace the
compressed initrd file in /boot, which is not encrypted, with a modified one
that, for example, copies the passphrase used to decrypt the target partition.
Several methods protect against this kind of attack: one of the simplest is to
take a checksum of the initrd file in use and known to be safe, and to check
during the <em>real</em> boot that the initrd still has the same checksum. That said,
this method has the drawback of acting after the fact, and of requiring access
to at least one initrd file known to be safe.<br>
Another approach would be to place the /boot file system on a dedicated device
that is write-protected in hardware (for example, an SD card) or, even more
effectively, on an encrypted device that is write-protected in hardware. That
way an attacker cannot modify this file system, and the initrd can then always
be trusted. However, this makes updating the initrd and the kernel <em>much</em>
harder than it would otherwise be.</p>
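The checksum approach just described, as an added example that is not the post’s own code: a manifest of SHA-256 sums for everything under a boot directory, recorded from a trusted state and re-checked later, which generalises the single-initrd check to the kernel and everything else in /boot. It assumes GNU coreutils (sha256sum, mktemp) and exercises a constructed scratch directory rather than the real /boot.

```shell
#!/bin/sh
# Added example, not the post's code: record a SHA-256 manifest of a boot
# directory and verify it later, reporting changed, missing or added files.
# The manifest must live somewhere the unencrypted /boot cannot overwrite
# (the encrypted root, or removable media), and the check has to run from an
# environment you trust, since a tampered initrd could otherwise skip it.

# record_boot_manifest <dir> <manifest> : "sum  ./path" for every regular file in <dir>
record_boot_manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_boot_manifest <dir> <manifest> : exit 0 if identical, 1 plus a report otherwise
verify_boot_manifest() {
  tmp=$(mktemp) || return 2
  record_boot_manifest "$1" "$tmp"
  if diff "$2" "$tmp" > /dev/null; then
    rm -f "$tmp"
    echo "boot files match the manifest"
    return 0
  fi
  # "<" lines exist in the manifest but not on disk now, ">" lines exist on
  # disk but not in the manifest; a modified file shows up as one of each
  diff "$2" "$tmp" | sed -n 's/^< [^ ]*  \(.*\)$/missing or changed: \1/p; s/^> [^ ]*  \(.*\)$/new or changed: \1/p'
  rm -f "$tmp"
  return 1
}

# Demonstration on a constructed scratch "boot" directory: record, verify,
# simulate a swapped initrd, verify again.
demo_boot_check() {
  dir=$(mktemp -d) && manifest=$(mktemp) || return 2
  printf 'pretend kernel\n' > "$dir/vmlinuz-5.10"
  printf 'pretend initrd\n' > "$dir/initrd.img-5.10"
  record_boot_manifest "$dir" "$manifest"
  verify_boot_manifest "$dir" "$manifest"
  printf 'modified\n' >> "$dir/initrd.img-5.10"      # simulate tampering
  verify_boot_manifest "$dir" "$manifest" || echo "tampering detected (exit $?)"
  rm -rf "$dir" "$manifest"
}

demo_boot_check
```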
<p>To get back to encrypted file systems, they are managed by a dedicated
program, <code>cryptsetup</code>. It used to be in charge of cryptoloop, the Linux
kernel’s former encryption subsystem (since deprecated), and is now responsible
for the <em>userspace</em> side of dm-crypt, which for its part is entirely
<em>kernel-space</em>. Cryptsetup thus handles encryption, manipulation
(mounting/unmounting/…) and key management of LUKS file systems. Cryptsetup is
however designed to be used as root, and users who want to mount encrypted file
systems will therefore necessarily have to be able to do so as root.</p>
<p>Let us see how to go about creating a 1 GB encrypted disk image:<br>
First of all, we need to create the file that will hold the image. In a real
situation where you want to encrypt a disk, you should use /dev/urandom as the
source, to prevent the encrypted filesystem from being detected on the disk.
Here, for example, we will do: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>dd bs=1000 count=1000000 if=/dev/urandom of=image.img
</pre></div>
<p>Now that our image is created, we can encrypt it: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo cryptsetup luksFormat image.img
</pre></div>
<p><code>cryptsetup</code> will then ask whether we are absolutely sure we want to
format this disk (we confirm by typing YES), then for a passphrase. Choose a
particularly strong passphrase here, since anyone with access to the passphrase
also has access to the disk and therefore to your secrets.<br>
Once that is done, we map this image: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo cryptsetup luksOpen image.img crypto
</pre></div>
<p><code>cryptsetup</code> asks for the passphrase again, works for a few seconds,
then gives us the prompt back. What happened? Looking around a bit, we see that
there is no new disk in /dev. That is perfectly normal: cryptsetup (and through
it, device-mapper and dm-crypt) does not mount encrypted filesystems, it maps
them, which is a different thing altogether. We notice that a file named crypto
has appeared in /dev/mapper. This file is the virtual disk corresponding to our
image. It behaves like any partition, and can therefore be mounted, formatted,
etc. (it cannot however be partitioned: it behaves like a partition, not like an
actual disk.)
Now, once this is done, our virtual disk is not formatted. It is up to us to do
so, in order to use it. </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo mkfs.ext4 /dev/mapper/crypto
</pre></div>
<p>Now that our disk is formatted, it can be mounted: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo mount /dev/mapper/crypto /mnt
</pre></div>
<p>And there we go, we have a working, encrypted filesystem! If you want to
check, a <code>mount | grep crypto</code> should give you the following
result: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>/dev/mapper/crypto on /mnt type ext4 (rw,relatime,data=ordered)
</pre></div>
<p>You can now start storing all your secrets in this file; they are (depending
on your passphrase) safe. </p>
<p>To sum up:</p>
<ul>
<li>
<p>To mount your partitions: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo cryptsetup luksOpen <fichier chiffré> <nom de disque virtuel>
sudo mount /dev/mapper/<nom de disque virtuel> <emplacement>
</pre></div>
</li>
<li>
<p>To unmount your partitions: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo umount <emplacement>
sudo cryptsetup luksClose <nom de disque virtuel>
</pre></div>
</li>
</ul>
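<p>The create / open / mount sequence and the mount / unmount summary above, wrapped in one POSIX sh function as an added example (not code from the original post, and not the author's cryptoscripts). It assumes cryptsetup, mkfs.ext4, mount and umount are installed and that it runs as root; with DRY_RUN=1 the privileged commands are only recorded, so the planned sequence can be reviewed without touching any device.</p>

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes cryptsetup, mkfs.ext4,
# mount and umount are available and that it runs as root. With DRY_RUN=1 the
# commands are recorded in PLANNED instead of being executed.

PLANNED=""          # commands recorded in dry-run mode, one per line

# run CMD... : execute CMD, or just record it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        PLANNED="${PLANNED}$*
"
    else
        "$@"
    fi
}

# mkcryptimg IMAGE NAME MOUNTPOINT SIZE_MB
# Creates IMAGE (SIZE_MB megabytes of random data), formats it as LUKS, maps it
# as /dev/mapper/NAME, puts an ext4 filesystem on it and mounts it at MOUNTPOINT.
# Returns 0 on success, 1 on a refused precondition, 2 if a step failed.
mkcryptimg() {
    image=$1; name=$2; mnt=$3; size_mb=$4
    # Never clobber an existing image: luksFormat would destroy its contents.
    [ -e "$image" ] && { echo "refusing to overwrite $image" >&2; return 1; }
    # A mapping with that name would make luksOpen fail half-way through.
    [ -e "/dev/mapper/$name" ] && { echo "mapping $name already exists" >&2; return 1; }
    case $size_mb in ''|*[!0-9]*) echo "size must be an integer (MB)" >&2; return 1;; esac

    # Random fill, so the encrypted area is indistinguishable from the rest.
    run dd bs=1M count="$size_mb" if=/dev/urandom of="$image" || return 2
    run cryptsetup luksFormat "$image" || return 2
    run cryptsetup luksOpen "$image" "$name" || return 2
    # From here on, undo the mapping if a later step fails.
    if ! run mkfs.ext4 "/dev/mapper/$name"; then
        run cryptsetup luksClose "$name"; return 2
    fi
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup luksClose "$name"; return 2
    fi
}

# closecryptimg NAME MOUNTPOINT : the reverse sequence from the summary above.
closecryptimg() {
    run umount "$2" || return 2
    run cryptsetup luksClose "$1" || return 2
}
```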
<p>To make everyone's life easier, I wrote two small scripts that let you create
and mount/unmount your encrypted images/disks in a single command. They are on
<a href="https://github.com/wxcafe/cryptoscripts">github</a>. </p>
<p>Also, if you intend to transfer your disk image to an actual disk (or USB
stick, or other), it is preferable to create a partition of the appropriate
size and do a <code>dd if=votre_image of=/dev/votre_partition</code> to do so.</p>
<h1>Blog redesign, etc.</h1>
<p>wxcafe, 2013-06-12, /posts/redesign-du-blog/</p>
<p>As you may have noticed, this blog has changed “a bit” recently.</p>
<p>So, let me explain. I recently set up <a href="http://serverporn.fr">serverporn</a>, and in doing so
discovered <a href="http://getpelican.com">pelican</a>. I immediately took to this static site generator
written in python, because of its efficiency, its ease of use and how
customizable it is. Basically, pelican is a piece of software that takes
markdown or reStructuredText files, runs them through a “theme” made of
templates for the html files and the project layout, plus a “static” part
containing the css and the other files the project needs, and turns them into
html pages. </p>
<p>Overall, a theme is laid out like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span><span style="color: #f8f8f2">thème</span>
<span style="color: #960050; background-color: #1e0010">├──</span> <span style="color: #66d9ef">static</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">css</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">└─</span> <span style="color: #f8f8f2">[css</span> <span style="color: #f8f8f2">files]</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">img</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">└─</span> <span style="color: #f8f8f2">[image</span> <span style="color: #f8f8f2">files]</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">└─</span> <span style="color: #f8f8f2">js</span>
<span style="color: #960050; background-color: #1e0010">│</span> <span style="color: #960050; background-color: #1e0010">└─</span> <span style="color: #f8f8f2">[javascript</span> <span style="color: #f8f8f2">files]</span>
<span style="color: #960050; background-color: #1e0010">└──</span> <span style="color: #f8f8f2">template</span>
<span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">base.html</span>
<span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">index.html</span>
<span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">page.html</span>
<span style="color: #960050; background-color: #1e0010">├─</span> <span style="color: #f8f8f2">[...]</span>
<span style="color: #960050; background-color: #1e0010">└─</span> <span style="color: #f8f8f2">article.html</span>
</pre></div>
<p>Note that the .html files actually follow the django syntax, and use specific
variables such as <code>{{ article.content }}</code>, for example. The complete
syntax is very well documented in the pelican <a href="http://docs.getpelican.com/en/3.2/themes.html#templates-and-variables">docs</a>.</p>
<p>One of the big advantages of pelican is also how easy it makes updating the
blog.<br>
It provides a Makefile system which, through numerous build targets, can
regenerate the whole site, generate only the files changed since the last
build, generate only the files that did not exist last time, etc…
Managing the project thus becomes very simple, since after writing an article,
a <code>make html</code> is all it takes to update the blog.</p>
<p>Besides, the wordpress setup was starting not to suit me anymore, because of
the lack of customization, because it is PHP (yuck), etc. Here, with pelican, I
have much more control over what goes onto the server (since I am the one who
modified the templates and the css), it is readable (since it is python, as
opposed to PHP…), and it is more “efficient”. Markdown is very convenient, I
can use my favorite text editor to write articles, I do not need a continuous
internet connection; in short, it is more efficient.</p>
<p>As for the downsides: </p>
<ul>
<li>
<p>Loss of comments:
For my opinion on this subject, I refer you to Gordontesos's article <a href="http://gordon.re/hacktivisme/la-necessite-des-commentaires.html">here</a>.</p>
</li>
<li>
<p>Loss of the flattr button:
It will be put back soon; it is just a lack of time on my part, but since all
pages go through the same templates, it is fairly easy to do.</p>
</li>
<li>
<p>Loss of spam:
Why is this in the downsides, anyway?</p>
</li>
<li>
<p>Time to adapt to and get a grip on the system:
Yes, for a while yet there will be more or less regular glitches on the blog;
that is because I am learning to use this system and learning css and html.
It happens, it will pass, but in any case it lets me learn plenty of things,
so I would rather put it in the positive category.</p>
</li>
</ul>
<p>So, that is my feedback on pelican. See you. </p>
<h1>How Saurik rooted Google Glass</h1>
<p>Wxcafe, 2013-05-06, /posts/comment-saurik-a-roote-les-google-glass/</p>
<p>As you may have read in the media, Saurik (Jay Freeman, known for having
developed Cydia, an alternative “app store” for iThings), after receiving a
pair of Google glass from Google (fairly obviously…), found it interesting to
get root access on them, which he achieved very quickly. Denials from Google
and a few other sites quickly followed, saying that the glasses had an unlocked
bootloader and that root was therefore easy to obtain: all you had to do was
unlock the bootloader, extract the OS, root it offline, then reinstall it,
rooted, on the glasses.</p>
<p>The fact is that unlocking the bootloader leaves a permanent trace on the
glasses, and that Saurik did not use this technique to root his pair. Let us
see how he did it:</p>
<p><em>I should first point out that all the information that follows is taken
from <a href="http://www.saurik.com/id/16">this article</a>, and more precisely from the “How does this exploit
work” section. I am trying to add my meager contribution to that
explanation.</em></p>
<p>So, according to the accounts of the few Glass users in the world, it seems
that they run an Android operating system, with a new interface, but with the
same internal tools: a Linux kernel, GNU userland tools and a Dalvik Java
virtual machine for the applications.</p>
<p>Saurik therefore looked for a known exploit for this version of android, and
applied it to his problem. The exploit in question is relatively simple. Since
android version 4.0, the system allows backing up the data of the various
applications, one by one, via ADB (Android Debug Bridge, a USB protocol giving
access to many advanced functions of machines running android, including,
among other things, a shell, access to debugging logs, etc… This feature can
of course be disabled.) This backup is very simple: it creates a .tgz file
containing the application's configuration folder. On restore, the system
deletes the existing configuration, then replaces it with the one in the gzip
archive.</p>
<p>The security problem comes from the fact that android applications have
their data stored in /data/data/identifier/, and that /data/ has permissions
drwxrwx–x 27 system system, which means that only system and members of the
system group can read from it. Now, the file /data/local.prop defines many
parameters at boot time, and notably one that lets the system determine
whether it is running in a VM or on a real device. If it is running on a
virtual machine, it gives root rights to any user connecting via ADB, which is
what we are after for now. The fact that /data/ belongs to system means that
the restore program has to be setuid to access the data inside it that belongs
to root (that is, all of android's system applications, including the settings
application and, in this particular case, the system log application present
on the test google glass). So we have a process running as root that is going
to write data we own onto a partition we are interested in.</p>
<p>However, one problem remains: Android's restore system checks the data before
restoring, and does not restore symlinks, which prevents us from getting direct
access to /data/local.prop, the file we want to modify. That said, one
possibility is left to us. Let us put a world-writable folder in the backup
file, and we will be able to write into it for a few seconds, the time it takes
for the restore to finish and the system to put the permissions back in place.
This way, we can create the file /data/local/com.google.glass.logging/whatev/x
as a link to /data/local.prop, while we still have a process running as root
that is writing into this folder.</p>
<p>So, we are going to launch two processes at the same time: </p>
<ul>
<li>
<p>The first will try in a loop to create the symlink. It will consist of the
following command, from a shell on the glasses:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>while ! ln -s /data/local.prop /data/data/com.google.glass.logging/whatev/x 2>/dev/null
do :
done
</pre></div>
</li>
<li>
<p>The second will be the restore process of our exploit. For a better chance of
success, it must be heavy enough: at least ~50 MB. It must contain
whatev/bigfile and whatev/x, so that it creates whatev, takes time copying
bigfile, then writes into x after the symlink is in place. The command will
be, from the host computer:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb restore exploit.ab
</pre></div>
<p>These commands work together to give us root access:<br>
- The restore process creates the whatev folder, which is world-readable. It
starts copying the bigfile file.<br>
- The symlink process creates the link
/data/data/com.google.glass.logging/whatev/x, pointing to /data/local.prop,
then cleanly gives up the ghost.<br>
- The restore process, having finally finished copying whatev/bigfile, copies
the contents we want into whatev/x, which is linked to /data/local.prop. Since
the process is setuid root, it does not notice anything, and writes everything
into /data/local.prop.</p>
</li>
</ul>
<p>And voilà! We have written what we want into /data/local.prop, which lets us
make android believe it is running in a virtual machine (what we want is in
fact “ro.kernel.qemu=1”, which tells the kernel it is running in qemu, a VM
system).</p>
<p>All that is left is to reboot, from the host computer:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb reboot
</pre></div>
<p>Then we remount the system partition read/write (r/w), from the host:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb shell "mount -o remount,rw /system"
</pre></div>
<p>We copy the <a href="https://data.wxcafe.net/uploads/android/glass/su">su</a> binary to the device:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb push su /system/xbin
</pre></div>
<p>We give this binary the right permissions, so that we can run it later:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb shell "chmod 6755 /system/xbin/su"
</pre></div>
<p>Then we delete the /data/local.prop file, so that we can reboot normally:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb shell "rm /data/local.prop"
</pre></div>
<p>Finally, we reboot once more:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>adb reboot
</pre></div>
<p>And there you go, a rooted pair of google glass!</p>
<p>It is worth pointing out that this manipulation is only possible because the
glasses run an old version of android, and that this bug has since been
fixed.</p>
<p>It would also be interesting to cover the privacy issues that Google Glass
raises, and that will be done in another post.</p>
<p>See you soon!</p>
<h1>Setting up your own server, part 1: the server and apache.</h1>
<p>Wxcafe, 2013-03-18, /posts/monter-son-propre-serveur-partie-1/</p>
<p>Some time ago, I talked about the concept of self-hosting. It means owning
your own server, and therefore, by extension, your data. </p>
<p>Of course, this does not require physically owning your own server (although
that is possible, but it is not the subject here.)<br>
We will explain here the steps needed to get a usable server, from the moment
you land on the freshly installed system to the moment you have a server with
all the packages needed for the use we want to make of it installed.
This part will consist of setting up the system (here a debian squeeze. It is
of course possible to do the same thing with roughly every Linux distribution
available, as well as with the BSDs and all other UNIX systems, but here I will
limit myself to debian 6.0.x squeeze, because it is a distribution that is
simple to use as a server, stable, and easy to configure (since a good part of
the configuration is already done and included in the package), and therefore
suited to the goal of this article, namely making the installation simple and
understandable).</p>
<p>The first thing to do is of course to get the server itself. That part will
not be covered in this article. There are indeed an infinite number of ways to
get a server, whether by renting one from OVH/1&amp;1/any other commercial host,
by taking part in a collaborative hosting scheme (I will let you look those
up), by buying a server and running it from home, by using an old PC… In
short, there are many options. As long as you have access to a debian server
system, it does not matter what hardware it runs on, and a priori it does not
matter either how you access it: the result is the same (and so is the
procedure…). In this article, we will talk about the basic configuration, from
the moment you have the blank server in your hands to the moment you install
the http server.</p>
<p>In this article, when the type of IP to use is specified, you must use exactly
that type. When the type is not specified, you are free to choose ipv4 or
ipv6.</p>
<p>Anyway. Let us start at the point where you have root access to your server,
with either no password or one chosen by the host, and where nothing is
configured. Connect to it (ssh root@). Start by running <code>passwd</code>, to
put a strong password on the root account as soon as possible. Let us continue
by quickly setting up the domain name. For that, your registrar must provide
you with an interface letting you edit the DNS entry for your domain
name. </p>
<p>For now, this entry should look like this:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span> <votre nom de domaine> NS 1
IN MX 1
IN A <IPv4 de votre serveur>
IN AAAA <IPv6 de votre serveur>
</pre></div>
<p>This lets you redirect all traffic referring to your domain name to your ip
(exactly how DNS works is quite complicated to explain, so let us say it is
magic for now; it may be the subject of another article), and state that mail
to @your-domain-na.me must also be redirected to your server, which is a good
start. Let us have a quick word about security here: to access your server,
all it currently takes is typing the root password.</p>
<p>root is a <strong>fairly</strong> common user, and it is fairly easy to
bruteforce its password. (<em>Relatively</em> easy: depending on the number of
characters it takes more or less time, and if you have enough characters it
can take quite a while. Still, better safe than sorry…) So we are going to
stop using root and start using public/private key pairs to connect to the
server.<br>
This is done in two steps: first, create a new user, through which we will
administer the server from now on; then configure OpenSSH so that it only
accepts key-based connections and no longer root ones.</p>
<p>Let us start by adding a user. If you are on debian, this is done with
adduser, which is interactive (you should not have any trouble with it, since
it creates all the necessary folders and files, and asks you all the useful
questions to help you.) Otherwise, you will have to use useradd, which is
(besides being very annoying to tell apart from the other) much more annoying
to use. (adduser is in fact a simple script that makes useradd easier to
use.)</p>
<p>With adduser, you can either use the interactive mode by just typing
<code>adduser <username></code>, or use the non-interactive mode with
<code>adduser --group <username></code></p>
<p>With useradd, you will have to use the following command: <code>useradd -m
-N -g <username></code>. This command adds a user, creates their home folder
in /home/, and adds them to the group of the same name (which is generally
necessary for privacy reasons).</p>
<p>Now add this user to the groups they will be administering: <code>usermod <username> -a -G www-data postfix
users staff sudo wheel</code>, then change their password with
<code>passwd</code>. Finally, add them to the users allowed to use sudo:
<code>echo "%sudo ALL=(ALL) ALL" >> /etc/sudoers</code><br>
Finally, switch user: <code>su</code>. At this point you have a fully
functional user that can be used for all administration tasks. If you still
need to use root, something is wrong.</p>
<p>So you are logged into the system as a normal user. We are now moving on to
phase 2 of the plan: disabling ssh root login and ssh password login.<br>
First of all, what is an ssh key login? It is actually a system quite similar
to the one that lets you encrypt your mail: you have a public key and a private
key on the client, and the public key is also on the server. When you connect,
openssh checks that you hold the private key matching the public key stored on
the server (for your user, of course). It is also possible to use several
public keys for each user.</p>
<p>Anyway, now that we have the theory, on to practice: first, we need to
generate a public/private key pair on the client. Openssh does that with the
<code>ssh-keygen -t rsa</code> command (the -t rsa tells ssh we want rsa
encryption, which is strong enough for this use.) Enter the information
ssh-keygen asks for. Three files should now be in your .ssh/ folder: id_rsa,
id_rsa.pub, and known_hosts.<br>
known_hosts lists the servers you have already connected to once (to prevent
MITM attacks, but anyway). No, what interests us here is id_rsa and
id_rsa.pub. id_rsa contains your private key; back it up on a USB stick or
write it on a piece of paper, because if you lose it you will no longer be able
to connect to the server. (hide the USB stick/piece of paper…) id_rsa.pub,
for its part, contains your public key. Copy it to the server with a
<code>scp ~/.ssh/id_rsa.pub <username>@<votre nom de domaine>:~/</code>, or
by copying it by hand, if that amuses you. </p>
<p>You now have an id_rsa.pub file in your home folder on the server; it needs
to be put somewhere openssh will recognize it. So you need to create the .ssh
folder (<code>mkdir .ssh</code>), then move this file to the right place
(<code>mv ~/id_rsa.pub ~/.ssh/authorized_keys</code>).
Test whether it works: open another terminal, and<br>
connect to your server (<code>ssh <username>@<votre nom de
domaine></code>), and it should not ask you for a password. <strong>If it
asks you for one, DO NOT GO ON TO THE NEXT STEP. Something went wrong, so
check that you followed the instructions above correctly.</strong></p>
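<p>A check for the two sshd_config settings that phase 2 above calls for, disabling root login and password login, as an added example (not code from the original post). It assumes the OpenSSH directive names PermitRootLogin and PasswordAuthentication, and simplifies sshd's parsing to “first occurrence wins, stop at the first Match block”; run it before restarting sshd, while the second terminal from the test above is still open.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH's PermitRootLogin
# and PasswordAuthentication directives, and that sshd uses the first
# occurrence of a directive (later duplicates are ignored). Match blocks can
# still override these for specific users or hosts; this check stops at the
# first Match line and does not evaluate them.

# effective_value FILE DIRECTIVE
# Prints the value sshd would use for DIRECTIVE: the first non-comment
# occurrence, matched case-insensitively on the keyword. Prints nothing if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*Match[[:space:]]/ { exit }  # conditional blocks: not handled
        tolower($1) == key { print $2; exit }     # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE
# Returns 0 if FILE disables root login and password authentication, 1 if
# either is still enabled or unset (PasswordAuthentication defaults to yes).
check_sshd_config() {
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    ok=0
    case $root in
        no) ;;
        *) echo "PermitRootLogin is '${root:-unset}', expected 'no'" >&2; ok=1 ;;
    esac
    case $pass in
        no) ;;
        *) echo "PasswordAuthentication is '${pass:-unset}', expected 'no'" >&2; ok=1 ;;
    esac
    return $ok
}

# Typical use on the server (path assumed): check_sshd_config /etc/ssh/sshd_config
```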
<p>Let us continue. All that is left is to install the web server and configure
it: </p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%"><span></span>sudo apt-get install \
apache2 apache2.2-common apache2-doc apache2-mpm-prefork \
apache2-utils libexpat1 ssl-cert libapache2-mod-php5 \
php5 php5-common php5-gd php5-cgi libapache2-mod-fcgid \
apache2-suexec php-pear php-auth php5-mcrypt mcrypt \
php5-imagick imagemagick libapache2-mod-suphp libruby \
libapache2-mod-ruby
</pre></div>
<p>(let us be generous, we will need the extra later…), then enable the<br>
apache mods with <code>a2enmod suexec rewrite ssl actions include
dav_fs dav auth_digest</code>, and make apache take these activations into
account with a <code>sudo service apache2
restart</code> </p>
<p>The server is running; now we need to tell it how to work on our domain name
and where to find the files to serve. </p>
<p>For that, we will simply do a <code>ln -s /etc/apache2/sites-{available,enabled}/default</code>, since apache is kind
enough to give us a default configuration file. We still need to edit it,
changing the email address at the top of the document to yours and changing
<code>AllowOverride none</code> to <code>AllowOverride All</code>, and finally
restart apache so that it takes the changes into account, with a
<code>sudo service apache2 restart</code> </p>
<p>And now, all that is left is for you to learn html, because that is it, your
server is up! There you go. In the next part, we will look at installing the
mail server (it is complex enough to deserve an article of its own…)</p>
<h1>Why I am going to leave linux for FreeBSD.</h1>
<p>Wxcafe, 2013-02-04, /posts/pourquoi-je-vais-quitter-linux-pour-passer-a-freebsd/</p>
<p><em>This is subject to debate, and as most of the actors in this field are
not French-speakers, there is an English version of this text <a href="http://data.wxcafe.net/archives/126">here</a></em></p>
<p>Well, there it is. I have taken the plunge. I have been on GNU/Linux for a
while now, and for a while I have been noticing unwelcome changes. Of course,
at first I did not have the knowledge needed to even understand that these
changes existed. And some of them arrived before I even had any idea that
something in my operating system served that purpose. For example, udev, or
policykit/consolekit/. At the time, I had no idea how disks were mounted on my
system. The first non-Windows system I used was Ubuntu 9.10 Karmic Koala, and
it was still too early for me to try taking the system apart to understand how
it worked in depth. However, over time, as knowledge accumulated and my level
of understanding of the system improved, I started to notice that certain
pieces of the OS did not fit exactly with the others. Of course, I could not
say whether this realization came from the growing number of those pieces of
OS, or just from my deeper understanding. Be that as it may, these little
pieces of OS that did not fit with the rest of the system were becoming more
and more visible. And then, one day, I got fed up with seeing unity on my
machine, and I chose to switch to Archlinux. That was before the switch to
systemd. This system suited me well. If I did not install Gnome, which I did
not intend to, it did not force me to install any *kit, nor dbus. Yes, udev
was still there, but it was the least intrusive of the lot.</p>
<p>But Archlinux switched to systemd. Mind you, I am not criticizing here
systemd, nor udev, nor even the *kits, and certainly not Archlinux. The former
are probably very effective in their field, and the latter did not
<strong>really</strong> have a choice, given the distribution's philosophy of
having the latest versions of everything as soon as possible. However, systemd,
just like udev and the *kits (though they are not the only ones doing this…)
have a very specific problem, which does not matter to everyone, but which is
very annoying to those to whom it matters, and that problem is that these
systems do not respect the UNIX philosophy at all. The UNIX philosophy, as a
reminder, boils down to these 9 principles:</p>
<ol>
<li>Small is beautiful</li>
<li>Make each program do one thing well.</li>
<li>Build a prototype as soon as possible</li>
<li>Choose portability over efficiency</li>
<li>Store data in flat text files.</li>
<li>Use software leverage to your advantage. [1]</li>
<li>Use shell scripts to increase leverage and portability.</li>
<li>Avoid captive user interfaces.</li>
<li>Make every program a filter.</li>
</ol>
<p>Now of course, an operating system is meant to evolve, and one could think
UNIX has had its day. But that isn’t quite how computing works. Yes,
standards, operating systems, software, everything has to evolve - or die -
and UNIX is no exception to the rule. But it isn’t UNIX we are talking about
here. It’s the UNIX <em>philosophy</em>. And that one hasn’t had its day,
<strong>it has proven itself.</strong> The UNIX philosophy, besides being
effective on paper, also has 44 years of testing behind it, and works as well
as it did on day one.<br>
The UNIX philosophy is also, and above all, a guarantee of usability and
simplicity for system administrators, for developers, in short for everyone
who does computing <em>seriously</em> (I’m not saying the other computing
jobs aren’t serious, I’m just taking these as examples because they are the
ones closest to the system).</p>
<p>Every OS needs a standardised way of making programs talk to each other.
UNIX has pipes, a kind of special file used to exchange information. It’s
efficient, it respects “everything is a file”, it’s standard, it’s easy to
understand; in short, it works perfectly. Dbus comes along to replace that,
with an interface explicitly not designed to be used from the command line but
through APIs, and a monolithic program that does its job in a way that is
completely opaque to the user. Of course, it does that job efficiently. Yes,
it’s faster than before. Yes, it’s “tidier”, less “messy”. But it is less
effective. It’s <em>much</em> less usable for the end user. It’s horribly
annoying for sysadmins, because they can no longer easily read the exchanges
between programs. It’s impractical, in the end. And it doesn’t respect the
UNIX philosophy at all.<br>
Systemd takes the same approach of creating a unified interface, reachable
only through API calls, completely opaque, extremely abstract, monolithic of
course, and not very open to modification by the end user. Yes, it apparently
speeds up boot. Well, at the risk of shocking a few people, I’d rather have a
system that boots <em>slightly</em> slower and that I can modify easily, and
that is open, understandable and distributed. It’s almost as if the
freedesktop.org projects were aiming to replace the UNIX base of Linux by
building a competing, bastardised system, built on the Linux kernel but no
longer using the basic UNIX mechanisms.</p>
<p>The problem is that it’s plain to see that the direction taken by the
Linux community is neither a return to UNIX systems nor the development of
solutions that respect the UNIX philosophy while bringing it up to date (?),
but rather accepting and pushing the changes brought by the freedesktop.org
projects straight into the core of the system itself. Thus Fedora (very close
to Red Hat, which employs many of the developers of these projects) has
already adopted all of these changes (Archlinux too, but for other reasons…),
and we can count on the other distributions adopting them sooner or
later.</p>
<p>Now that we have, if not demonstrated that these systems are harmful, at
least laid out the reasons I dislike them, one might think it would be enough
to switch to a distribution that doesn’t include systemd, or even one that
includes no freedesktop.org content at all, and live with not being on
Archlinux. With a little thought, though, one sees that if distributions like
Archlinux and Fedora have adopted systemd (and OpenSUSE is in the process of
integrating it), it will probably become a standard over the years, and the
only survivors will be systemd and upstart, Ubuntu’s init system, which will
probably not change (I can’t see them going back on that one). Either way,
the System V-style init looks doomed to die on Linux. It might be sensible to
move to Debian squeeze, which will probably never get that update, or to
wheezy, which will probably only get it in 2 or 3 years. But that window is
still too short, and it puts an expiry date on my operating system, which I’m
only moderately fond of. No, the solution is to move to a different system,
one that has its own init system (or that is in no danger of moving to
systemd). In that case two main options open up to me: OpenSolaris and *BSD.
Minix isn’t really a choice, given how few programs it can run and the fact
that it is only available on i386, which isn’t much use with my x86_64
system. Haiku isn’t a choice either, since the goal is to stay within a UNIX
mindset.</p>
<p>OpenSolaris is a perfectly valid operating system. In theory I have no
problem with this OS, except that some design choices don’t match my idea of
an OS at all. OpenSolaris is in fact rather like Debian in its view of how its
tools should work, with packages modified to make them easier to use (default
configuration files shipped, for instance, and other “release-only” patches),
and a tendency to ship scripts and tools installed by default for anything
and everything. Anyway, that’s beside the point. It’s also worth noting that
with Oracle’s recent acquisition of Sun, the OpenSolaris project may not have
a bright future ahead of it (the project’s <a href="http://hub.opensolaris.org/bin/view/Main/">home page</a>
sports a HUGE Oracle logo, in the best of taste.)</p>
<p>That leaves *BSD. Why choose FreeBSD over OpenBSD, NetBSD or DragonFlyBSD
(to name only the best known)? Simple: for no particular reason. OpenBSD and
NetBSD have a reputation for being security-oriented, and from what I’ve seen
DFBSD also resembles the hold-the-user’s-hand-at-all-costs approach described
above. But the truth is I haven’t done enough research, and FreeBSD is only
getting me by chance, because of all the BSDs it seems the friendliest and
the most pleasant to use, plus the ports system suits me well (I like being
able to configure my software fairly deeply.)</p>
<p>So that’s my take on this current “problem” of the Linux world. Of course
I will keep using Linux, and I can only hope that systems like systemd or
dbus disappear, or at least never appear in some distributions, thereby
giving users a choice.<br>
[1]: I couldn’t find a satisfying translation for “software leveraging”, but
the idea is there…</p>
<hr>
<h1>Update and thoughts on the Raspberry Pi</h1>
<p>Wxcafé, 2013-01-27 (wxcafe.net/posts/update-et-pensees-a-propos-du-raspberry-pi/)</p>
<p>Right.<br>
About 20 days ago I announced that I was planning to build a Piratebox based
on a Raspberry Pi, <del>cleverly</del> named PiRatBox. It turns out that after
many attempts, a recurring problem appears: by default the Raspberry Pi cannot
supply enough current to run both a hard drive and a WiFi adapter at the same
time.<br>
Now, while it seems obvious to me that with power coming from a 2A (max) USB
port I had little chance of getting 2A on each of the Pi’s host ports, getting
less than 250 mA on each of those ports seems a little excessive to me in
terms of value for money.</p>
<p>Likewise, not being able to disable the Ethernet port (useless to me)
(you know, the one that hangs off USB…), which draws a lot of power, is
rather suspicious. It should always be possible, it seems to me, to disable a
USB device in software. Here, although it is surely possible to disable it at
the kernel level, there is no <strong>simple</strong> way to “unplug” it.
Which is a real pain, given the obvious need for power we find ourselves
in.</p>
<p>I must admit I haven’t tried running the various services that make up
the piratebox system under Arch, for the simple <del>and good</del> reason
that Arch uses systemd, there are no systemd units for the piratebox daemons,
and I can’t be bothered to write them, because systemd is a nightmare to use
with init scripts. So no, I’ll use Debian. The problem with using Debian in
this specific case is that apt/dpkg handles dependencies in one direction but
not in the other: install a “high” package, one that depends on several
others, and apt/dpkg dutifully installs every dependency it needs; but try to
remove a “low” package, one that many others depend on, and dpkg refuses
while apt will only do it by dragging every dependent package out with it.
That is a real problem on a Raspberry Pi, since there is no “easy” way to
choose what goes on the system before the actual installation (the
“universal” installation method on a Raspberry Pi being to dd an image onto
the SD card that serves as the system disk.)</p>
<p>There are <strong>many</strong> other criticisms one could make of the
Raspberry Pi. Its hair-pulling boot process, for example. Instead of doing
what every normally built PC does, where the compute part starts, launches
the bootloader, finds the OS kernel which then starts, initialises the
hardware, and so on, it has a bastardised scheme owing to the fact that the
chip at the heart of the board is originally a graphics chip onto which a
compute core has been grafted (probably at the back of a courtyard in the
poor districts of Bratislava, judging by how clean the graft is…), and the
most efficient way the people who implemented this atrocity found to handle
booting is therefore to start the graphics core first; it runs proprietary
code to start the compute core, which in turn launches the bootloader that
looks for the kernel, and so on…</p>
<p>Which not only complicates boot enormously, and not only adds proprietary
code to a project that calls itself free, but is <strong>visibly</strong> not
meant to be used this way. Hacks, yes, but only when they’re done well;
otherwise I say no.</p>
<p>Finally, the project I had is still in progress. I’ll finish it as soon as
I’ve got hold of the tools I need to build my custom power supply for the
Raspberry Pi. And once that’s done, this Pi will stay a Piratebox for the
rest of its life. The problems it gave me, which it should not have given me,
annoyed me too much for me to feel like taking it out to play with once its
mission is complete.</p>
<p>Too bad.</p>
<hr>
<h1>Update</h1>
<p>Wxcafé, 2013-01-05 (wxcafe.net/posts/update/)</p>
<p>Just a short note to announce the next article, about building a
PirateBox based on a Raspberry Pi. See you soon on the blog!</p>
<hr>
<h1>Mutt, or the best least-bad email client</h1>
<p>Wxcafé, 2013-01-02 (wxcafe.net/posts/mutt-ou-le-client-email-le-meilleur-moins-mauvais/)</p>
<p>Mail clients all have one thing in common: they are all <del>very</del>
bad. For many reasons, but the main one is that their interfaces/keyboard
shortcuts are not efficient for a UNIX-<strong>style</strong> workflow.<br>
One of them stands out, however, by its less-bad-ness: the relatively
well-known <del>Outlook Express 2003</del> Mutt!<br>
Mutt is a command-line mail client which, as its home page says,
<a href="http://www.mutt.org">“just sucks less”</a>. In practice, mutt is
rather annoying to configure but particularly handy to use afterwards.</p>
<p>Mutt is configured in <code>.muttrc</code> or in <code>/etc/Muttrc</code>,
and it is common to use offlineimap alongside it, so as to be able to read
mail even without internet access (mutt has built-in IMAP/POP and SMTP
support, but keeps no local copy of the mailbox, which prevents reading email
without a connection.) offlineimap is configured in
<code>~/.offlineimaprc</code> and nowhere else, actually; it’s a per-user
config. Offlineimap is a small Python program that synchronises a Maildir
folder with an IMAP server, which works out well since mutt accepts folders
in Maildir format. (Moreover, this goes entirely in the direction of data
liberation, in that you hold your mail locally.)<br>
Anyway, on to the serious stuff: the code. First, install offlineimap and
<a href="http://data.wxcafe.net/scripts/mutt-sidebar.sh">this script</a> of
mine (read it before you run it, as with any script fetched from the web),
which builds and installs mutt with the sidebar patch, which adds a folder
listing on the left-hand side.<br>
Next, the configuration:<br>
My offlineimap configuration:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">## Config file for offlineimap
## Originally located in ~/.offlineimaprc
## This should not be edited without creating a copy before
## Created by Wxcafe (Clément Hertling)
## Published under CC-BY-SA
## Note: offlineimap's config parser does not support a comment on the same
## line as a value (everything after "#" would become part of the value), so
## every comment below sits on its own line.

[general]
# List of accounts to be synced, separated by a comma.
accounts = main

[Account main]
# Identifier for the local repository; e.g. the maildir to be synced via IMAP.
localrepository = main-local
# Identifier for the remote repository; i.e. the actual IMAP, usually non-local.
remoterepository = main-remote
# Status cache. Default is plain, which eventually becomes huge and slow.
# The cache type: plain or sqlite.
status_backend = sqlite

[Repository main-local]
# Currently, offlineimap only supports maildir and IMAP for local repositories.
# Storage type (Maildir or IMAP)
type = Maildir
# Where should the mail be placed? Must be the same directory as "folder"
# in .muttrc.
localfolders = ~/Emails/

[Repository main-remote]
# Remote repos can be IMAP or Gmail, the latter being a preconfigured IMAP.
type = IMAP
# Your mail server
remotehost = //placeholderhost//
# Your user name
remoteuser = //placeholderusername//
# Your password. A cleartext password here is readable by anything running
# as your user: keep this file mode 0600 at the very least, or put the
# password alone in a file and point remotepassfile at it instead of
# using remotepass.
remotepass = //placeholderpassword//
# Fingerprint of the server's certificate (IMAPS only, i.e. with ssl
# enabled). offlineimap accepts the connection only if the presented
# certificate hashes to this value, which is what stops a man-in-the-middle
# from substituting a certificate of their own. Record it from a connection
# you trust, not from the one you are trying to secure; the digest and
# spelling expected are documented in your version's offlineimap.conf.
cert_fingerprint = //placeholdercert//
</pre></div>
<p>That should be easy enough to read, I’ve commented everything :3<br>
Then my mutt config:</p>
<div class="codehilite" style="background: #272822"><pre style="line-height: 125%">## Mutt MUA configuration file
## This file should not be edited without creating a copy
## File Created and edited by Wxcafe (Clément Hertling)
## Published under CC-BY-SA

# General config for reading (fetched via offlineimap)
set mbox_type = Maildir
# mailbox type (see the offlineimap config; Maildir here)
set folder = ~/Emails/
# root mailbox/imap folder; must be the same directory as offlineimap's localfolders
set spoolfile = +INBOX
# inbox folder
set mbox = +'All Mail'
# folder where emails are archived
set copy = yes
# yes to keep a copy of outgoing messages in $record, no to... well, not.
set header_cache = ~/.hcache/
# directory where the header cache is stored (a bare "/.hcache/" would point at
# the filesystem root)
set record = +Sent
# folder where sent messages are stored
set postponed = +Drafts
# folder where drafts are stored
mailboxes +INBOX +Drafts +Sent +Trash "+All Mail"
# list of folders that appear in the left-hand column ("mailboxes" takes no "=")

# General config for sending (using Mutt's native support)
set smtp_pass = 'password_placeholder'
# your password. Anyone who can read this file can read it: keep .muttrc mode
# 0600, or keep this line in a separate gpg-encrypted file and load it with
#   source "gpg -d ~/.mutt/passwords.gpg |"
set smtp_url = "smtps://username@whatev.org:465/"
# URL to send email through. Port 465 speaks TLS from the first byte, hence
# smtps://; for a STARTTLS submission port use smtp://username@whatev.org:587/
set send_charset = "utf-8"
# UTF-8, DO NOT CHANGE
set signature = "~/.sign"
# you can put your signature in ~/.sign
set sig_on_top = yes
# convention says no here. I find it more readable this way, though.
set ssl_verify_host = no
# WARNING: with "no", mutt accepts a certificate issued for any other name, so
# anyone who can intercept the connection can present their own valid
# certificate and read your password and your mail. Set this to yes if your
# server's certificate is configured correctly; if it isn't, fix the
# certificate rather than the check.
set hostname = "wxcafe.net"
# put your own server's address here

# Misc settings
auto_view text/html
# render text/html parts automatically through the converter named for that
# type in your mailcap (e.g. "text/html; lynx -dump %s; copiousoutput");
# without such a mailcap entry this line does nothing.
set date_format = "%y-%m-%d %T"
# date format for sent/received times.
set index_format = "%2C | %Z [%D] %-30.30F (%-4.4c) %s"
# index format (the layout of the message list)
# see http://www.mutt.org/doc/manual/manual-6.html#index_format
set sort_alias = alias
set reverse_alias = yes
set alias_file = "$HOME/.mutt/aliases"
# list of name/email aliases. create and fill it yourself.
# format: "alias short_name long_email_address"
source $alias_file
set beep = no
# don't beep. THAT SOUND IS KILLING ME T.T
set tilde = yes
# show a tilde on lines past the end of a message, vi style
set sleep_time = 0
# no pause after informational messages (the default is 1 second)
set sidebar_visible = yes
set sidebar_width = 15
# left-hand sidebar settings
set realname = "Clément Hertling (Wxcafé)"
set from = "wxcafe@wxcafe.net"
set use_from = yes
set certificate_file = "$HOME/.mutt/cacert"
# sending settings. put your own details in place of mine...
# certificate_file is where mutt saves the server certificates you accept
set edit_headers = yes
# lets you see (and edit) the mail headers in the editor. I like it, so I keep it.

# Macros
# the title says it all. "index" means the binding is active in the message
# list, "pager" that it is active in the viewer, both that it is active in both
# \C stands for the Control key
bind index,pager \Cp sidebar-prev
# Control+p -> move up one folder in the sidebar
bind index,pager \Cn sidebar-next
# Control+n -> move down one folder in the sidebar
bind index,pager \Co sidebar-open
# Control+o -> open the folder selected in the sidebar
macro index,pager d "&lt;save-message&gt;=Trash&lt;enter&gt;" "Trash"
# d moves the current message to Trash
bind pager &lt;up&gt; previous-line
# move up one line with the up key, instead of moving to the previous message.
bind pager &lt;down&gt; next-line
# move down one line with the down key, instead of moving to the next
# message
bind pager j next-line
bind pager k previous-line
# vim shortcuts

# PGP signing commands
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x******** -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x******** -- -r %r -- %f"
# --always-trust makes gpg encrypt to whatever key matches the recipient's
# address even if you never verified it, so a key uploaded under someone
# else's name is accepted silently. Drop it once your correspondents' keys
# carry a trust level you assigned yourself.
# --encrypt-to 0x******** adds your own key as a recipient so you can read
# what you sent.
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=0x********
# replace 0x******** with your own PGP key ID!!!!!
set pgp_replyencrypt=no
# no means a reply to an encrypted message is not encrypted automatically;
# yes is the safer choice if your correspondents expect it.
set pgp_timeout=7200
# seconds the passphrase stays cached (two hours here; lower it on a shared
# or untrusted machine)
set pgp_good_sign="^gpg: Good signature from"
# if you don't plan to use PGP, comment out this whole section, from
# "PGP signing commands" down to here

# Palette for use with the Linux console. Black background.
# Red and black colour scheme. Comment it out if you want the
# default black and white.
# other schemes can be found on google and elsewhere.
color hdrdefault red black
color quoted brightblack black
color signature brightblack black
color attachment red black
color message brightwhite black
color error brightred black
color indicator black red
color status white black
color tree white black
color normal white black
color markers red black
color search white black
color tilde brightmagenta black
color index red black ~F
color index red black "~N|~O"
</pre></div>
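<p>Both configurations above hang on TLS: the offlineimap file pins the IMAP
server’s certificate with <code>cert_fingerprint</code>, and the muttrc turns
off hostname verification with <code>ssl_verify_host = no</code>. The block
below is an added example, not the author’s code: it computes the value a pin
is compared against (the hash of the certificate in DER form, the same value
<code>openssl x509 -noout -fingerprint -sha256</code> prints) and checks a
presented certificate against a pin, accepting the colon-separated uppercase
form from openssl as well as the bare lowercase form. The certificate bytes
are constructed for the example and are not a real certificate; the hashing
and comparison work unchanged on a PEM string returned by
<code>ssl.get_server_certificate()</code>. Which digest and spelling your
offlineimap version expects in <code>cert_fingerprint</code> is stated in its
offlineimap.conf and is not assumed here.</p>

```python
"""Certificate fingerprint pinning check.

Added example, not the author's code. The "certificate" used below is
constructed placeholder bytes wrapped in PEM markers, not a real certificate.
"""
import base64
import hashlib
import hmac
import ssl


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM markers (used here only to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def fingerprint(pem_cert: str, algo: str = "sha256") -> str:
    """Hash of the DER certificate as openssl prints it: colon-separated uppercase hex.

    Hashing the DER bytes (not the PEM text) is what makes the value stable
    across line wrapping and what matches `openssl x509 -fingerprint`.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: lowercase hex, no colons or spaces."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def pin_matches(pem_cert: str, pinned: str, algo: str = "sha256") -> bool:
    """True if the presented certificate hashes to the pinned fingerprint.

    A pin that fails here means the server is presenting a different
    certificate than the one you recorded: a renewal, or a man-in-the-middle.
    Either way the right reaction is to stop and re-check out of band, not to
    relax the check. compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(normalize(fingerprint(pem_cert, algo)), normalize(pinned))


# Constructed sample input: 32 bytes that are not a certificate, only enough
# for the PEM decoder to produce DER-shaped bytes to hash. Never pin this.
SAMPLE_PEM = pem_from_der(bytes(range(32)))


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print("sha256 fingerprint:", fp)
    print("matches openssl form:", pin_matches(SAMPLE_PEM, fp))
    print("matches bare form:   ", pin_matches(SAMPLE_PEM, normalize(fp)))
    print("matches wrong pin:   ", pin_matches(SAMPLE_PEM, "00" * 32))
```

<p>To record a pin for a real server, fetch the certificate once over a
connection you trust (for example with
<code>ssl.get_server_certificate(("imap.example.org", 993))</code>, where the
host name is a placeholder), pass it to <code>fingerprint()</code>, and keep
that value in the config. Pinning is the replacement for
<code>ssl_verify_host = no</code>, not a reason to leave it off: a pin
verifies the certificate, while a disabled hostname check verifies nothing.</p>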
<p>There you go; for more information you can go read the mutt manual @
<a href="http://www.mutt.org/doc/manual/">http://www.mutt.org/doc/manual/</a><br>
I hope this “ready-made” configuration helps you get started with mutt. It is
nonetheless important to remember that using a ready-made configuration does
not help you understand a program or a system, and that this way of doing
things should be reserved for an introduction, or for situations where a
working configuration is absolutely needed right away (which, for a mail
client, is, er… never?). So I invite you to re-read the annotations scattered
through the configuration files in question, and above all to read the
manual, to search on <del>Bing</del> <del>Google</del> <del>Yahoo</del>
Seeks, and generally to try to understand these configurations and improve
them!</p>