Threads for qbit

  1. 5

    I tried this out today and have to say it’s pretty cool. I never really had a good model for transporting ssh keys around when changing devices.

    1. 7

      A nice alternative for recent versions of OpenSSH is to use FIDO/U2F hardware keys. Then your ssh keys live in your pocket!

      1. 5

        If you use 1Password, the new v8 CLI will do it all for you (it runs an SSH agent backed by 1Password storage).

        1. 2

          I’ve also tried this recently, but my only gripe was the frequency at which it asks for authentication. It’s kind of a pain when you use VS Code and use features like terminal split. It would ask me to authenticate every time a new shell was open, which I understand, but it’s not quite what I need for my use cases at work at least.

          1. 2

            That’s odd, I have the same setup and I don’t think I have that problem, it just asks on connection/reconnection. FWIW you can unlock 1P with Windows Hello or macOS Touch ID and then you can use those on ssh key prompts.

            1. 1

              I just double checked and I do NOT get auth prompts for new terminals.

              1. 1

                Interesting, I commented here and they replied that it was expected behavior https://1password.community/discussion/128261/1password-asking-for-permission-each-time

                1. 2

                  I would guess that my VS Code is configured to not spawn a new process for every terminal and yours is. There could probably be a lot of settings that would affect this, but that’s where I would look. It being intended 1Password behavior that all new processes need to re-auth with the agent totally makes sense to me.

                  1. 2

                    Perhaps check this setting? https://stackoverflow.com/a/65440523/6211058

                    1. 1

                      Awesome! I’ll try it today and report back

                      1. 1

                        So that seems to work a bit better, I’m starting to realize though that there is likely some sort of timeout that requires re-authentication after a while.

          2. 2

            Yes! This has been absolute magic. My ssh private key is securely in my vault instead of on lots of hard drives, waiting to be slurped up by some malicious npm package or whatever.

            1. 1

              Oh really? I need to dig into that.

              1. 2

                docs: https://developer.1password.com/docs/ssh/agent/

                in 1Password developer preferences turn on the agent

                put the IdentityAgent line in ~/.ssh/config

                new item: an SSH key

                if you generated the key, copy the public key into your ~/.authorized_keys file (or similar) on tootiehost

                ssh tootiehost

          1. 5

            Tailscale has impressively convenient UX for a VPN, but assuming you’re not running a lot of high-value unauthenticated/never-updated services on your tailnet, the risks are medium-low. Enabling SSH and other service access with the same authentication moves the risk needle to “insane.”

            For practical purposes, Tailscale operates a Kerberos KDC (or X.509 client-certificate CA if you prefer) that you don’t control, run by people you don’t know, who are now going to be targeted by all the hackers and LEOs in the world. The same effectively applies for the public SSO provider you have probably connected.

            It’s 11pm. Do you know where your krbtgt is?

            1. 2

              Enabling SSH and other service access with the same authentication moves the risk needle to “insane.”

              How? The ssh server is only accessible within the tailnet. Nothing new is exposed to the world.

              1. 2

                As far as I can tell, the Tailscale “KDC” effectively issues the equivalent of Kerberos tickets (probably more or less the thing they call a “node key” in the blog). Up to now, a ticket was only valid for the Tailscale equivalent of IKE viz. you could establish the equivalent of an IPsec Security Association which would allow you to connect to port 22 on a protected host, but go no further.

                So any compromise would have limited effect, as your host is still protected by separate service-level authentication, such as a password or a separate SSH public key.

                With deployment of Tailscale SSH, the ticket will also let you log in to the protected host. So a TS SSO or ticket compromise is now equivalent to a traditional Kerberos password or TGT compromise: the attacker has access to the TS “IKE” service to establish tunnels, and through the tunnel to the special SSH service which accepts TS tickets. Should Tailscale itself fall, the entire realm falls just as a Kerberos realm would.

                1. 1

                  This feature provides SSH access to users such as root, seemingly bypassing the ssh server itself. Sure an attacker would still need access to your tailnet, and the correct ACLs, but I agree that this feature will continue to raise the focus on tailscale as an attack vector.

                  Personally, I moved away from tailscale after I became uncomfortable with how much access a successful attack would gain.

              1. 4

                I appreciate the leg work that went into making all the various bits work with emacs.. and the effort it took to get them into a comprehensive blog post.

                At the same time, this is exactly why I opt for things like IDEA or vscode. You can spend the rest of your life getting your $EDITOR to work like IDEA or vscode.. or you can just use IDEA or vscode :P

                1. 2

                  Personally, I think having both would be handy. I am not sure what format things currently are in, or what the overhead of doing both would be - but something like org-mode would make it much easier to have a single doc that defines both the slides and a single-page .. thing.

                  1. 2

                    Having both will be hard to maintain, but I will give it a try. Thank you very much!

                    1. 2

                      Don’t stretch yourself thin on my account :D

                  1. 3

                    Cargo/npm: I dread doing updates.

                    In cargo I have had breakage (requiring refactoring of my code) with updates to rust AND with updates to dependencies (direct or indirect).

                    In npm I have had breakage with updates to dependencies. Again requiring me to refactor code.

                    With Go: no breakage.

                    1. 6

                      But what if you want to use the passwords outside of the browser?

                      1. 2

                        Fully agreed. It came up a couple of times in the thread that people use their password manager for more than simply websites. Nowadays people probably also want to use their password manager on their phone and everything should stay in sync without too much additional effort.

                      1. 6

                        If there was better support on public clouds, I’d be using NixOS all the time, this totally kills Ansible and other configuration management solutions.

                        1. 6

                          There’s actually a terraform module that you can use to load configuration into NixOS machines. It’s been on my list to write about it, but I want to use it in production a bit more before I commit to writing about it.

                          1. 4

                            Which platforms does it work (well) on? I’m using this script to bootstrap Hetzner servers, and I wouldn’t mind something a bit less manually involved.

                            1. 5

                              I can’t find the comment. A nice lobster user pointed me at nix-infect and I use it with Terraform like this:

                              resource "hcloud_server" "mon2" {
                                image       = "debian-10"
                                keep_disk   = true
                                name        = "mon2"
                                server_type = "cx21"
                                ssh_keys    = local.hcloud_keys
                                backups     = false
                              
                                # "<<-" strips the common leading indentation, so cloud-init
                                # receives "#cloud-config" in column one of the rendered user data.
                                user_data = <<-EOF
                                  #cloud-config
                                  runcmd:
                                    # nixos-infect replaces the running Debian with NixOS in place.
                                    # The script is pinned to a commit hash rather than a branch so
                                    # the code that runs here as root cannot change underneath you.
                                    - curl https://raw.githubusercontent.com/zimbatm/nixos-infect/3e9d452fa6060552a458879b66d8eea1334d93d2/nixos-infect | NIX_CHANNEL=nixos-20.09 bash 2>&1 | tee /tmp/infect.log
                                EOF
                              }
                              
                              1. 2

                                I’ve only tested it with AWS, but as far as I understand it should work fine with Google Cloud and just about anything else as long as you have a NixOS system on it.

                            2. 5

                              Vultr lets you upload an ISO and install from that.

                              Edit: They even have an existing nixos ISO you can use!

                              1. 5

                                I usually make my own NixOS ISO that will automatically install NixOS on the machine with something like this that I really need to write a blogpost on.

                                1. 4

                                  I wonder how hard it would be to extend this solution to create a ZFS-based installation.

                                  I’d love to have a way of automatically installing NixOS onto one of OVH’s US-based servers. I’m thinking the best way to do this would be either PXE or a variation on this kexec-based solution.

                                  1. 3

                                    Not very! You’d just mess with the part that configures disks and mounting. I don’t use ZFS in my VMs, however it should be easy to do. I would also suggest messing with how it defines the disk in question. I’m going to set something up with ZFS zraid1 groups for when I do installation on my homelab once I get the rack ordered in July (depending on how the research for my homelab goes; I currently have a spreadsheet of hardware I’d want (a bunch of used 2U servers) but I really need to wait until I move to be sure that the new place has space for it).

                                  2. 3

                                    Nice! Though as a NixOS beginner it might be easier to start out with an existing ISO. :D

                                    1. 4

                                      Granted, but being able to assimilate a new system in about 3 minutes is a fun party trick :D

                                      1. 3

                                        Heck yes! I look forward to your post about it!

                                        1. 1

                                          And just like that, I had to build an ISO! Thanks for pointing me at your repo, it was very helpful! :D

                                  3. 2

                                    NixOS + packer gives you a decent story, and then you can set userdata to finish off your images on first boot. I wrote about it here: http://jackkelly.name/blog/archives/2020/08/30/building_and_importing_nixos_amis_on_ec2/

                                  1. 2

                                    Super cool! I have wanted to get into ST recently. At the moment the thing that most prevents me is not having a recent vm on OpenBSD.

                                    I did pick up an M1 Mac recently though, maybe working under Rosetta will be fast enough.

                                    1. 2

                                      Looks like Cog can be built for OpenBSD: https://github.com/OpenSmalltalk/opensmalltalk-vm/issues/413

                                      I haven’t tried it myself! But there’s a screenshot in that thread that shows Squeak running, so it could be a promising line of investigation.

                                      Also, the aarch64 build of Cog works pretty well. (Not sure about M1 specifically.) The aarch64 build of Cog is what’s driving squeak-on-a-phone.

                                      1. 1

                                        Oh awesome! ty for digging this up! Last I knew it took a bunch of patches :D

                                    1. 7

                                      Author here! For people that are not on OpenBSD, you can still use this via the Portable OpenBSD KSH version!

                                      There will be some incompatibilities if you go this route as some of the commands currently used have OpenBSD specific flags (or are openbsd specific).

                                      Feel free to send in patches!

                                      1. 1

                                        Does it work with mksh?

                                        1. 2

                                          I don’t believe it will. Completions are done in OpenBSD’s ksh by setting an env variable. Fairly sure that is unique among the ksh implementations.

                                          1. 1

                                            Alright, thanks!

                                      1. 7

                                        I did this for a while.. It mostly worked well but never worked great. The pcscd / gpg-agent dance was flaky.. and most days would have to start one or the other.

                                        Since OpenSSH added FIDO2 and it’s in OpenBSD by default, I have completely switched to using it.. and I have to say it’s painless!

                                        I even did a writeup showing how to use two different keys (resident and non-resident) on the same device: https://deftly.net/posts/2020-06-04-openssh-fido2-resident-keys.html

                                        1. 2

                                          Since OpenSSH added FIDO2 and it’s in OpenBSD by default, I have completely switched to using it.. and I have to say it’s painless!

                                          I want to use it. But as far as I understand, GitHub and others do not support it yet, right?

                                          1. 2

                                            Ya, last I tried it didn’t work on GitHub. They always lag behind pretty bad with regard to OpenSSH features.

                                            1. 1

                                              I’m confused, isn’t this a client-side OpenSSH feature? Shouldn’t GitHub be agnostic to whether the key lives on a FIDO2 device?

                                              Is it a matter of GitHub not supporting the ed25519 key type?

                                              1. 2

                                                The FIDO stuff is a new key type: ed25519-sk
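An added example, not code from the thread, the deftly.net writeup or OpenSSH itself: a small POSIX shell inventory that tells FIDO2-backed keys apart from ordinary ones by the type name stored in the key file, which is the check to run before offering a key to a host that has not added the security-key types yet (the GitHub situation described above), plus the ssh-keygen invocations for the resident and non-resident flavours mentioned earlier in the thread. The key lines are constructed placeholders, and the function names and file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory OpenSSH public keys and flag the FIDO2-backed ones.
# Key material below is a constructed placeholder, not a real key.

# Key type is the first field of an authorized_keys / id_*.pub line.
ssh_key_type() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# OpenSSH 8.2+ writes FIDO keys under these wire names; on the ssh-keygen
# command line they are "ed25519-sk" and "ecdsa-sk". A server that has not
# added these types rejects the key before any signature is checked.
is_sk_key() {
    case "$(ssh_key_type "$1")" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read key lines on stdin, skip blanks and '#' comments, and print the
# comment field of every security-key entry, one per line.
list_sk_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if is_sk_key "$line"; then
            printf '%s\n' "$line" | awk '{ print $3 }'
        fi
    done
}

# Same input, returns the number of security-key entries.
count_sk_keys() {
    list_sk_keys | wc -l | tr -d ' '
}

# Generate the two flavours discussed in the thread (real ssh-keygen flags
# from OpenSSH 8.2+). Not run by default: it needs a FIDO2 token plugged in.
#   non-resident: the key handle lives in the file, the token only signs
#   resident:     the key lives on the token; recover it later with ssh-keygen -K
make_sk_keys() {
    ssh-keygen -t ed25519-sk -f "$HOME/.ssh/id_ed25519_sk" -C "$(hostname)-nonresident"
    ssh-keygen -t ed25519-sk -O resident -O application=ssh:resident \
        -f "$HOME/.ssh/id_ed25519_sk_resident" -C "$(hostname)-resident"
}

# Constructed sample: one FIDO key, one ordinary ed25519 key, one ECDSA key.
SAMPLE_KEYS='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPLACEHOLDER user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@desktop
# old key kept for reference
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER user@old'

if [ "${1:-}" = "--generate" ]; then
    make_sk_keys
fi

# Typical use: cat ~/.ssh/*.pub | sh this_script.sh
printf '%s\n' "$SAMPLE_KEYS" | list_sk_keys
```

Run it with `--generate` and a token plugged in to create both keys; otherwise it only reports which of the sample keys would be refused by a server lacking the `sk-` types.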

                                        1. 11

                                          Another thing to note is that 1.16 brings support for OpenBSD/mips64! jsing@ has been going to town!

                                          1. 4

                                            Solene’s percent - Solene is an OpenBSD developer who dabbles in NixOS and often writes about her experiences in both!

                                            1. 13

                                              It’s the default on macOS:

                                              qbit@plq[0]:~% openssl version
                                              LibreSSL 2.8.3
                                              qbit@plq[0]:~% 
                                              
                                              1. 8

                                                I’ve been a happy customer of Feedbin since 2013. I use their web UI on desktop and the Reeder app (iOS) on my phone. Highly recommend both. Feedbin in particular has a lot of nice touches like being able to subscribe to Twitter accounts and email newsletters as well as RSS feeds, an API, custom sharing targets, Feedbin notifier app, and it’s open-source.

                                                1. 3
                                                  • Postgres 10
                                                  • Redis > 2.8
                                                  • Memcached
                                                  • Elasticsearch 2.4

                                                  That’s a crazy set of deps. Especially given PostgreSQL can do key-value store, PubSub and full text search with insanely fast trigram search. Even if you wanted to keep a dedicated key-value store, Redis and memcached have huge overlap.

                                                  1. 3

                                                    It’s a pretty standard Rails stack for sites that get a decent amount of traffic/poll a lot of feeds, which I imagine Feedbin does.

                                                  2. 2

                                                    Likewise. Not sure when I first signed up, but it’s a bill I’m more than happy to pay each month.

                                                  1. 1
                                                    1. 8

                                                      I had the same knee-jerk reaction :D - at the time I was on a “porting” roll, having just converted the git-prompt stuff to OpenBSD’s ksh.

                                                      After further reflection, it became obvious that converting the build system (wrapper?) would potentially introduce more issues than it solves. Sorta an “if it ain’t broke” situation..

                                                      If you are looking specifically for Go things to help with this label has a lot of stuff that one can take a crack at!

                                                      If you are looking for OpenBSD+Go things - There is a grip of that too! I have documented a few things here. IMO enabling PIE mode on OpenBSD would be a decent start - it gets ya into various bits in the Go runtime - and eventually into some OpenBSD areas (that I haven’t been able to track down the breakage on :D).

                                                      I also know that jsing@ is looking for some help switching things from using syscalls to using libc. That change would let OpenBSD remove the Go specific loosening in the kernel!

                                                      1. 2

                                                        I had the same knee-jerk reaction :D

                                                        Well, the “knee-jerk” reaction is to the person who started that thread for not coming up with further details. I found the reaction of ianlancetaylor to my particular comment very helpful, at least it gives me the idea that if someone wants to step up and make this happen, there is a fair chance it will be included, with the caveat on how to prevent backsliding to bashisms, hence the discussion I started here on Lobste.rs.

                                                        After further reflection, it became obvious that converting the build system (wrapper?) would potentially introduce more issues than it solves. Sorta an “if it ain’t broke” situation..

                                                        Thanks for sharing that :) I’m a bit afraid / hesitant for that as well, as most people are I guess.

                                                        Thanks for the other pointers as well! The whole reason I was building the runtime myself is because while pledging an SPF filter I found that only LookupHost and LookupAddr can be handled by libc (and call get{addr,name}info), but other lookups, i.e. LookupTXT, always go through native Go, hence I had to pledge “inet” instead of only “dns”. So another thing I’m thinking of is making sure that more of the name resolution is handled via libc using res_init(3) so that code that only needs DNS from the network only needs a “dns” pledge instead of the full “inet”.

                                                      1. 2

                                                        As an OpenBSD observer but not-yet convert, the thing that I find most off-putting about the setup on a laptop is editing byzantine config files to connect to wifi like I’m on early 2000s Linux. Is there a “pull-down menu, discover visible networks, choose, enter key” GUI to make that more convenient?

                                                        1. 8
                                                          join WiFiHome wpakey secretSupersecret
                                                          join WiFiWork wpakey lesssecret
                                                          dhcp
                                                          

                                                          Seems pretty simple to me :P

                                                          It’s also all done via ifconfig. One single command to manage network interfaces.

                                                          On linux there is (was?): ip, iw, iwconfig, ifconfig, iwctl, iwd.. probably others I can’t remember..

                                                          That complexity didn’t vanish, it’s just been hidden by NetworkManager.

                                                          1. 4

                                                            Having done this on macOS, Linux, and OpenBSD, I like OpenBSD’s setup the best for anything network related. It is well documented, and consistently works the way it should.

                                                            I would greatly prefer to use OpenBSD’s wifi setup to the mess that is NetworkManager/netplan/etc. Since I switched to Ubuntu 20.04, I’ve had no end of trouble with getting networking to work reliably, where it all just worked on OpenBSD on the same hardware. Sadly I need Ubuntu to run certain proprietary packages, so I’m stuck with it for the time being.

                                                            I think this is a really enjoyable aspect of OpenBSD – there is no “secret sauce”. Usually the config files you are editing fully define the behavior of whatever they configure, there isn’t some magical daemon snarfing things up and changing the system state behind the scenes (looking at you, NetworkManager, netplan, systemd-resolved, etc.).

                                                            That said, because OpenBSD’s tools tend to be well documented, simple, and consistent, they tend to be easy to wrap. I did this for mixerctl.

                                                          1. 3

                                                            It would be interesting to see a similar test but with pg_trgm included in the postgres test.

                                                            1. 1

                                                              What does that do?

                                                              1. 2

                                                                Creates trigram index, which helps with search for fixed strings and some regular expressions.

                                                            1. 3

                                                              There is The-Open-Book project that might result in a decent alternative!

                                                              1. 1

                                                                This series is super neat! Thanks for sharing!