I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys so that they cannot be stolen or copied. (well, they can be physically stolen, of course).
Read the rest of this entry »
A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain.
It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?
Read the rest of this entry »
If you split up code into different libraries you can get a diamond dependency problem.
That is you have two parts of your code that depend on different incompatible versions of the same library.
Normally you shouldn't get in this situation. Only someone who hates their users makes a non backwards compatible change to a library ABI. You don't hate your users, do you?
Read the rest of this entry »
The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived connections such as web page requests. If I have 10Mbps connection and the server has 10Mbps to spare, why doesn't a 17kB web page transfer at 10Mbps from first to last byte? (that is, when excluding TCP handshake, HTTP request and server side page rendering)
This is pretty Linux-focused, but I'll add pointers for other OSs if I see them.
Read the rest of this entry »
Yubico and their products are awesome.
That pretty much sums up this blog post but I'm going to go on anyway. If you're thinking of introducing two-factor authentication to your company, or you're using something that's fundamentally broken (like RSA SecureID) you simply must at least take Yubikeys into consideration.
Read the rest of this entry »The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) are, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them.
In other words if your .pub file doesn't end in -cert.pub and you haven't used ssh-keygen -s, then you aren't using certificates.
Read the rest of this entry »
I've started writing a replacement for SSH.
Why? Because SSH has some drawbacks that sometimes annoy me. I also wanted an authentication scheme that's more similar to SSL/TLS than what SSH does.
With tlssh you don't specify username or password, you simply connect to the server using a client-side certificate to log in as the user specified in the certificate. No interaction until you reach the shell prompt on the server.
Read the rest of this entry »
Yes clipboard, not keyboard. I've made a clipboard sniffer for X called ClipSniff.
It periodically saves whatever is in the clipboard (both the "PRIMARY" and the "CLIPBOARD") into a sqlite database.
git clone http://github.com/ThomasHabets/clipsniff.gitRead the rest of this entry »
I was recently asked why autotools was so good. I thought I might as well post what I answered.
Read the rest of this entry »
I've always wanted to be able to move a process from one terminal to another. For example if I've started a long-running foreground process (such as irssi or scp) outside of a screen and I have to log out my local terminal. I looked around and there doesn't seem to be any way to do this.
Read the rest of this entry »