Roger Lipscombe's questions

I'm looking to use CloudHSM for an intermediate CA. To that end, I need to generate a keypair and sign it with the root (offline HSM) CA. We're using ECDSA.

However, when I generate a CSR from an ECC keypair, it fails verification. Here's what I'm doing:

genECCKeyPair -i 2 -l intermediate-ca -nex
getCaviumPrivKey -k 42 -out intermediate-ca.key

openssl req -engine cloudhsm -new -key intermediate-ca.key -out intermediate-ca.csr -subj "/CN=Intermediate CA"

openssl req -in intermediate-ca.csr -verify -noout

This reports:

verify failure
139822323439520:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:

If I attempt to sign the CSR, openssl reports Signature did not match the certificate request

If I do the same steps with an RSA key, everything's fine.

What am I doing wrong?

I'm using docker compose to create a bunch of containers, and the internal hostname is the container ID; when each container registers its hostname in ... whatever (but consul in this instance) it's hard to tell the hosts apart.

In particular, when combined with --scale, I end up with something like the following:

09f62d66a050.docker_default
56f1dc03a54c.docker_default
772799d94048.docker_default
983c5cda71c7.docker_default
a7c77bb2dd98.docker_default

I can't just set hostname in docker-compose.yml (because I'm using --scale).

How do I add a prefix to the generated hostname?

I'm cool with my hosts being called web-56f1dc03a54c, web-a7c77bb2dd98, redis-09f62d66a050, etc.

If I use sudo, and type my password in, I can continue to use sudo without my password for 15 minutes.

I know (per man sudoers) that I can edit the timeout by setting the timestamp_timeout value in /etc/sudoers. That's not my question.

My question is this: is that timeout counted from the first time I use sudo, or is it refreshed every time I use sudo?

sudo foo    # at T; prompts for a password
sudo bar    # at T+10m; no password required
sudo baz    # at T+20m; does this prompt?

If I run git clone [email protected]:some-org/some-repo.git, I'm prompted with the following:

The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.

Obviously, I verify the fingerprint against the list at https://help.github.com/articles/github-s-ssh-key-fingerprints/, and respond yes:

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
...etc.

That results in two entries being added to my ~/.ssh/known_hosts file, both with the same key, both hashed.

If I confirm the key with ssh-keyscan github.com, the key matches.

But why do I have two entries in known_hosts, rather than one?

How can I add a host key to the SSH known_hosts file securely?

I'm setting up a development machine, and I want to (e.g.) prevent git from prompting when I clone a repository from github.com using SSH.

I know that I can use StrictHostKeyChecking=no (e.g. this answer), but that's not secure.

So far, I've found...

1. GitHub publishes their SSH key fingerprints at GitHub's SSH key fingerprints

2. I can use ssh-keyscan to get the host key for github.com.

How do I combine these facts? Given a prepopulated list of fingerprints, how do I verify that the output of ssh-keyscan can be added to the known_hosts file?

I guess I'm asking the following:

How do I get the fingerprint for a key returned by ssh-keyscan?

Let's assume that I've already been MITM-ed for SSH, but that I can trust the GitHub HTTPS page (because it has a valid certificate chain).

That means that I've got some (suspect) SSH host keys (from ssh-keyscan) and some (trusted) key fingerprints. How do I verify one against the other?

Related: how do I hash the host portion of the output from ssh-keyscan? Or can I mix hashed/unhashed hosts in known_hosts?

We were poking in our web server access logs this morning and found a request with ?winzoom=1 on the end.

Given that this web server only serves firmware upgrade files to IoT devices (that we also control), we were wondering where it came from.

In particular, we don't deal with query strings, so we were wondering whether to strip them, or whether to reject the request.

I've tried searching for "winzoom", but all I get is the screen magnification software. If I exclude that, it's a mixture of random Russian and Chinese sites.

I also found some cached pages in Google with ?winzoom=1 on the end.

What is it? Some kind of web caching software I've never heard of? A proxy? Something else?

If it's a proxy (i.e. our IoT devices might connect through it), then we need to ignore it. If it's a desktop app, we can simply reject the request.

Update: we got hold of the User-Agent: "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27 MicroMessenger/6.5.5 NetType/WIFI Language/en"

On our Ubuntu servers, core dumps are currently disabled. If we enable them, and a daemon process crashes, will that impact the time taken for upstart to restart the process?

That is: if my daemon's using, say, 32GB of RAM, does that all have to be written to disk (which might take a while) before upstart can restart the daemon?

I've got a Windows 2012 Domain Controller running DNS and DHCP servers. The default setting appears to be Dynamically update DNS A and PTR records only if requested by the DHCP clients.

(This is under Scope Properties -> DNS)

Is there a downside to selecting Always dynamically update DNS A and PTR records?

What's the difference between that and Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)?

When you use openssl req -x509 -new -nodes -key my.key -days 366 -out my.pem to generate a self-signed certificate, it prompts you for a bunch of information, such as "Country Name (2 letter code)", etc.

Is there any way to automate the responses to these prompts, making the process non-interactive?

I'm attempting to get a vagrant instance up and running, but when I do vagrant up --provision, it fails with the error:

ERROR: Cookbook postgres not found.

I'm using vagrant-berkshelf, which appears to be copying the cookbooks across. That is: when I vagrant ssh to the VM, I can see a cookbook /tmp/vagrant-chef-3/chef-solo-1/cookbooks/postgres.

So why isn't chef (inside the vagrant box) finding the cookbook? I thought that the vagrant-berkshelf plugin was supposed to deal with this?

I've got an nginx installation that serves a couple of virtual hosts; these are working fine. However, I seem to recall that this server is responsible for hosting a couple of other websites. I can't recall which ones.

I don't want these requests to resolve to the default (arbitrary) vhost.

At the moment, for example, going to http://10.0.0.10/ (the internal address) resolves to the default vhost. This vhost is running drupal, and -- because drupal doesn't recognise the vhost -- it brings up the drupal installation instructions. I'm concerned that this is happening to other, external names that resolve to this server.

Is there a way to set up nginx so that it logs and drops requests that don't exactly match a configured vhost?

Alternatively, I guess, the question could be phrased: "How do I set up a default vhost that matches all unknown names? And how do I configure that vhost to log and drop accesses?"

I have a file README.TXT. If I issue the following command:

PS> Get-Item ReadMe.txt

...then it returns "ReadMe.txt". I want to find out the actual name of the file on disk, including case. How do I get it to return "README.TXT"?

I ask because I'm trying to track down a problem with case-insensitive filenames on Windows versus case-sensitive files on a Unix box, and I want to get the actual case used on the Windows box.

More detail: I have a list of files (stored in a .CSPROJ file) which are in a different case from those stored on disk. I want to be sure that they match. For example: if the .CSPROJ file says "ReadMe.txt", but the file on disk is "README.TXT", sometimes editing the file in Visual Studio rewrites the file as "ReadMe.txt", which then confuses Perforce, because it's case-sensitive, and the filename no longer has the case it was expecting. I want to write a script that spots the mismatched filenames, so that I can do something about them before it causes a problem.

When I import a certificate, I'm offered the option to "automatically select the certificate store based on the type of certificate".

What basis does Windows use? Which types of certificate end up in which stores?

I'm using the Hyper-V module for PowerShell, and I've successfully mounted an ISO file onto a virtual machine. Question is: how do I eject (or unmount) it?

I'd prefer to use the PSHyperV stuff, if there's a solution. Failing that, dipping into WMI from PowerShell would be acceptable.

(Using Windows 2008 R2, if it makes a difference)

I've got an MSDN subscription; I'd like to play with Windows Azure; I don't particularly want to pay (more) for it. I'm not looking for 5-nines uptime.

Is there any way to avoid being Slashdotted when using Azure? Can I set limits for usage, so that my site is unavailable rather than getting charged?

We're currently running a couple of continuous build/test agents in VMWare Player. They regularly fail due to timing/speed problems. That is: because there are two VMs on the same box, they contend for (e.g.) disk access and are massively slowed down.

Would upgrading to VMWare Workstation (or Server or ESXi) improve things, or should I request a physical box for one of the agents instead?

I've got a Hyper-V Server 2008 (i.e. Core) box running the following:

1. A Windows 2008 domain controller and fileserver.
2. A backup domain controller (also Windows 2008).
3. An Ubuntu server web server.

I'd like to ensure that this is backed up to an external (USB) hard disk, but I'm running into some problems.

1. I can't mount the USB hard disk in any of the guests (or can I?). This means that the backup has to be done from the host.
2. The file server guest has several physical disks mounted (i.e. they're not VHD files). This means that I can't back them up from the host.

How should I go about backing this up?

Update

I'm going to try the following:

1. Plug the external disk into the host, mount it and share it.
2. On the Windows PCs, use WBADMIN to do a complete backup to the network share (e.g. \\HOST\USBDISK).
3. I'm still wondering about how to back up the Ubuntu box to the external disk. I'll raise another question about this.
4. I'm also still wondering about how to go about scripting/scheduling this -- I can't use the built-in Windows Backup schedule, because the external disk might not be available.

I've managed to (temporarily) get hold of another Hyper-V-capable PC, so I'll try a disaster recovery scenario at the weekend.

I've searched, but I can't find anything that explains why Microsoft started labelling new versions of Windows Server (and now SQL Server) as R2 releases.

If they're new releases, why not simply give them new names?

Or is there something going on with upgrade pricing or licensing?

Windows has the concept of network location awareness (NLA), which means that you can configure a network as "public" (i.e. home/work), "private", etc..

What information does it use to "fingerprint" a network for this purpose?

I've got a Windows 2008 machine with two network adapters in it. One's connected to the corporate network, and the other's connected to a private (lab) network. They're both configured by DHCP. They don't overlap: the corporate network is a 192.168.x.y network, and the lab network is a 10.a.b.c network. Both networks are always up.

That said, the lab itself is partitioned into two subnets: 10.5.26.x and 10.5.24.x. There's an R/RAS box connecting those subnets. This machine is connected to 10.5.26.x. I don't particularly need this box to get directly to the 10.5.24.x network (it's simulating a low-bandwidth link), so I've not set up static routing.

The lab is only connected to this computer. I have squid (and WSUS) configured on the machine to allow the lab to access the outside world.

I'd like this machine to ignore the lab network's 003 Router option (the default gateway) and the 006 DNS Servers option. If it uses these, its connection to the Internet becomes unreliable (because of the conflicting gateway options).

I also don't particularly want to use static IP on the private adapter, because then network location awareness doesn't work, and I can't then easily configure the private/public setting.

I guess that I can configure the DHCP server on the private network to issue the "external" router and DNS server entries for that particular reservation, but that seems like a hack.

Anyone got any better ideas?