Home / user-2706

Chas. Owens's questions

Martin Hope
Chas. Owens
Asked: 2018-02-21 08:26:02 +0800 CST
  • 3

I have a set of domain names that are used internally and I do not wish them to leak to the outside world (as that would give an attacker advanced knowledge of the layout of the internal network). Given Certificate Transparency seems like it is gaining momentum, what is the general consensus on the best way to have private domain names? Self signed certs? Wild card certs? Something else?

ssl-certificate
Martin Hope
Chas. Owens
Asked: 2014-01-24 06:25:15 +0800 CST
  • 2

When I try to ssh using an encrypted key held in ssh-agent, I get the following (using ssh -vvv):

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/cowens/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: BLAH
debug3: sign_and_send_pubkey: RSA BLAH
debug3: input_userauth_banner
Access denied
Access denied
Connection closed by BLAH

I can log in if I force it to use a password (ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no) and then, after I disconnect (so it isn't a ControlMaster thing), I can ssh using keys without a problem:

debug1: Offering RSA public key: /home/cowens/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: BLAH
debug3: sign_and_send_pubkey: BLAH
debug1: Authentication succeeded (publickey).
Authenticated to BLAH ([BLAH]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request [email protected] confirm 0
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.

The server is using Active Directory to store the user information, so I assume it has something to do with that, but I have worked in environments where AD was used with Linux in the past and not had this problem.

active-directory
Martin Hope
Chas. Owens
Asked: 2010-06-17 04:52:05 +0800 CST
  • 2

Just to get this out in front so I am not told not to do this:

  1. The machines in question are all on a local network with little to no internet access (they aren't even well connected to the corporate network)
  2. Everyone who has the ability to setup a man-in-the-middle attack already has root on the machine
  3. The machines are reinstalled as part of QA procedures, so having new host keys is important (we need to see how the other machines react); I am only trying to make my machine nicer to use.

I do a lot of reinstalls on machines which changes their host keys. This necessitates going into ~/.ssh/known_hosts on my machine and blowing away to old key and adding the new key. This is a massive pain in the tuckus, so I have started considering ways to automate this.

I don't want to just blindly accept any host key, so patching OpenSSH to ignore host keys is out. I have considered creating a wrapper around the ssh command the will detect the error coming back from ssh and present me with a prompt to delete the old key or quit. I have also considered creating a daemon that would fetch the latest host key from a machine on a whitelist (there are about twenty machines that are being constantly reinstalled) and replace the old host key in known_hosts.

How would you automate this process?

ssh known-hosts
Martin Hope
Chas. Owens
Asked: 2010-01-15 16:31:52 +0800 CST
  • 2

In Linux I have no problem dumping tons of data into a domain socket, but the same code on OS X 10.6.2 blows up after about 65 records. The socket reader code looks like

#!/usr/bin/perl

use strict;
use warnings;

use IO::Socket;

unlink "foo";
my $sock = IO::Socket::UNIX->new (
        Local    => 'foo',
        Type     => SOCK_DGRAM,
        Timeout  => 600,
) or die "Could not create socket: $!\n";

while (<$sock>) {
        chomp;
        print "[$_]\n";
}

And the client code looks like

#!/usr/bin/perl

use strict;
use warnings;

use IO::Socket;

my $sock = IO::Socket::UNIX->new (
    Peer     => 'foo',
    Type     => SOCK_DGRAM,
    Timeout  => 600,
) or die "Could not create socket: $!\n";

for my $i (1 .. 1_000_000) {
    print $sock "$i\n" or die $!;
}

close $sock;

The error message I get is No buffer space available at write.pl line 15.. It seems fairly obvious that there is a difference in the buffer size between Linux and OS X, but I don't know how to set it OS X (or what the possible negative side effects might be).

mac-osx perl socket
Martin Hope
Chas. Owens
Asked: 2009-05-23 07:26:27 +0800 CST
  • 5

I have four networks on my machine:

  1. 192.168.20.0/24 wired (connected only at work)
  2. 192.168.20.0/24 wireless (connected only at home)
  3. 192.168.132.0/24 VMWare's NAT
  4. 192.168.238.0/24 VMWare's host-only

My OS X (10.5) seems to prefer to use VMWare's NAT over my Wireless network for machinename.local. Is there any way to change the preference baring shutting down the VMWare interfaces?

routing mac-osx bonjour mdns
Martin Hope
Chas. Owens
Asked: 2009-05-21 15:24:43 +0800 CST
  • 2

I have an Ubuntu 9.04 box and a OS X 10.5 box. They are both on the same subnet (192.168.10.0/24). I can see ubuntu.local and osx.local from the OS X machine, but I can only see ubuntu.local from the Ubuntu machine. When I ping them ubuntu.local is 192.168.10.50, but osx.local is 192.168.132.1. The OS X machine's IP is obviously wrong and I am not certain how it got it. I connect to three networks with it (192.168.20.0/24 ethernet, 192.168.2.0/24 wireless, and the aforementioned 192.168.10.0/24 wireless), so 192.168.132.1 seems very odd.

I would tag this this mdns, but I don't have enough points yet.

Here are the results ifconfig, it does appear as if bonjour is grabbing the VMWare network instead of the the wired or wireless. How can I tell it to use the wireless (or wired)?

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:17:f2:d6:39:8a 
    media: autoselect status: inactive
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:19:e3:ff:fe:77:30:9c 
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.10.102 netmask 0xffffff00 broadcast 192.168.10.255
    ether 00:19:e3:d8:b3:5e 
    media: autoselect status: active
    supported media: autoselect
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.132.1 netmask 0xffffff00 broadcast 192.168.132.255
    ether 00:50:56:c0:00:08 
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.238.1 netmask 0xffffff00 broadcast 192.168.238.255
    ether 00:50:56:c0:00:01
domain-name-system mac-osx tcpip bonjour mdns