Willi Ballenthin's questions

I have a PCAP file containing SSL-encrypted HTTP traffic and the private key from the relevant web server. I'd like a PCAP file that contains the decrypted HTTP traffic to feed into a different tool. I've been able to get tshark to decrypt and display the HTTP protocol; however, when I output its results to a packet dump file, the file still contains the SSL-encrypted traffic. Can I use tshark to reconstruct and write a PCAP with the decrypted traffic?

I'm currently using the following command:

./tshark                                                                   \
  -o ssl.desegment_ssl_records:TRUE                                        \
  -o ssl.desegment_ssl_application_data:TRUE                               \
  -o ssl.keys_list:"127.0.0.1","443","http","../snakeoil/rsasnakeoil2.key" \
  -V -2 -R http                                                            \
  -r ../snakeoil/rsasnakeoil2.cap                                          \
  -w out.pca

I'd like to be able to run a script, have it prompt me for my password, and then mount an ecryptfs directory. I do not want the password to sit around on the file system, or show up in logs, ps, etc. I thought I could use a temporary file descriptor for this; however, ecryptfs returns an error with the following statements.

willi@hostname:~$ exec 3<<<"passphrase_passwd="$(zenity --password)
willi@hostname:~$ sudo mount -t ecryptfs -o ecryptfs_cipher=aes,\
  ecryptfs_key_bytes=16,ecryptfs_passthrough=no,\
  ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=1234678765432345678,\
  key=passphrase:passphrase_passwd_fd=3 /mountpoint/ /mountpoint/
Error attempting to evaluate mount options: [-1] Operation not permitted
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://bugs.launchpad.net/ecryptfs

After the error is returned, I can verify that ecryptfs did not read the file descriptor, because the password is still sitting in it:

willi@hostname:~$ cat <&3
passphrase_passwd=test

I reviewed the approach in encryptfs auto-mounting script; though I'd like to avoid having the password in a file on the file system.

I'm using version 103 of ecryptfs-utils:

willi@hostname:~$ ecryptfsd --version
ecryptfsd (ecryptfs-utils) 103

This is free software.  You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.

How can I use the temporary file descriptor with ecryptfs?

I've been using od to display the contents of binary files in various formats. Often times I find myself bouncing between -x (hex output) and -c (ASCII output) at the same offsets, when I'd really like to see them side-by-side, like in a common hex editor. Are there any tools that print this style output, with similar options (skip, count, etc.) as od, to standard out?

How can I set login throttling and lockout policies on a Linux (specifically Debian) system?

Things like, setting retry count, delays between login attempts, and idle session timeouts.

The box in question is a headless server, so SSH settings are acceptable. Thanks!

Are there any Linux/Unix tools which find all the files in one directory not present in another? Basically I'm looking for diff which works on the output of ls.

Short and sweet scripts are also appreciated.

I'd like to get the timezone of a system. Now some caveats...

• Im using Linux, and the target systems will be UNIX.
• I'll be using only system images, ie. not the live system, but the partitions will be mounted.
• I'll eventually be scripting it.

I was thinking about using /etc/localtime, but sometimes this is a real file, and sometimes a symlink. In either case, I can't seem to get a description of the file format from which to parse.

Anyone have any ideas?

Thanks