Fri, 12 Mar 2010
I was looking over the release notes for OpenSSH 5.4. Among the list of nice things (key revocation, better passphrase protection, and certificates - though not X.509) in there I noticed support for a new -W option. The manual has this to say about it:
-W host:port
    Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with Protocol version 2 only.
The release notes specifically state:
* Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618
That sounds nice and like it will save me from having to do things in a two-step process. Normally I have to do ssh -L 7272:gmail-smtp-in.l.google.com:25 syn and use nc localhost -p 7272 or something else in another terminal to get data out through the tunnel. Now with -W it's combined into one simple step.
wxs@ack wxs % ssh -W gmail-smtp-in.l.google.com:25 syn
220 mx.google.com ESMTP 14si5094846qyk.3
EHLO PANTS!
250-mx.google.com at your service, [129.21.50.215]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING
I like things that make my life easier.
posted at: 09:19 | tags: geek | path: /entries/geek | permanent link to this entry
Wed, 24 Feb 2010
Shmoocon 2010: Now With Photos AND VIDEO!
I put up Drew's and Jordan's photos from Shmoocon 2010. They are up here.
posted at: 13:02 | tags: shmoocon | path: /entries/generic | permanent link to this entry
Tue, 09 Feb 2010
Shmoocon 2010 Aftermath
Shmoocon happened this past weekend. I'd give a full review/write-up of it, but I've been insanely pressed for time lately. If you were there and we got a chance to meet for the first time, or if you are someone I've known from before and I got to see you again, I'd like to say thank you for making it a great conference for me. I'll be posting Jordan's and Drew's pictures to flickr when I have them, as I forgot my camera (again). Expect a link to them here when I have them online.
posted at: 09:21 | tags: shmoocon | path: /entries/generic | permanent link to this entry
Wed, 13 Jan 2010
Airport Extreme Shenanigans
I recently got my hands on an Airport Extreme from Apple. It's a nice little device to replace my old Linksys. I was using my Soekris board to do that, but something which speaks AFP natively is nice to have, especially now that I have 2 Apple machines in the house. Have no fear, my Soekris box will still be my border device, and will run a couple of key services too.
While configuring the Airport to replace my Linksys I was unable to find a way to set the internal IP address of the device. I can tell it to use NAT or just bridge at layer 2. If it is in NAT mode I can't tell it what to use for an internal IP address, at all. It defaults to 10.0.1.1, 192.168.1.1 or 172.something.1.1. This totally screws up my network, and AFAICT there is no way to change it, at least after spending 10 minutes looking through their administration stuff and online.
Back when I learned networking basics your default gateway lived at the top of the network address space, and I've always configured my networks to be like that. I understand that it doesn't have to be that way, but it's just the way I've rolled for as long as I can remember. At some point it apparently became fashionable to put your default route at the bottom. Seems kind of silly to me but whatever, as long as I can change it I don't care what the default is.
I had a machine at 192.168.1.1/24 already, which obviously was conflicting with my Airport Extreme. So now I have to re-configure that machine (I have a handful of static machines because they serve various things out to the public and changing firewall rules to match DHCP changes is annoying). To make matters worse every machine on my network that was static was using 192.168.1.254 as a DNS server, so every time I SSH'ed into a machine to re-configure it I had to wait for reverse DNS to timeout.
If Apple made it so you cannot change the IP address of the Airport Extreme I would not be surprised. Apple products are great if you fit into their very narrow use-case. But the minute you try to do even basic things that are normal EVERYWHERE else in the world you end up fighting with Apple stuff. I can point to multiple instances of where Apple products are total failures. This Airport Extreme business is just one example.
posted at: 21:23 | tags: apple, rant | path: /entries/rant | permanent link to this entry
Thu, 24 Dec 2009
CFT: Sudo Update
If you use Sudo on FreeBSD and want to test out an update for it please apply the patch from here and rebuild/reinstall the port. I'm especially interested in environments using ldap, kerberos and newer releases of FreeBSD (specifically 8.0). I'll take reports of success or failure for anything though. Since this is such a heavily used port I want to make sure I get it correct and cause as little headache for myself and others as possible.
posted at: 14:02 | tags: sudo, freebsd, ports | path: /entries/freebsd | permanent link to this entry
Mon, 16 Nov 2009
This Can't Be Right.
if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b &&
    eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {
    // if the sequence $50 $4b $05 $06 appears anywhere after
    // the real one, minzip will find the later (wrong) one,
    // which could be exploitable. Fail verification if
    // this sequence occurs anywhere after the real one.
A friend who is poking around at Android code came across that and pointed it out to me. I took a look at the git repository and it's still there (git://android.git.kernel.org/platform/bootable/recovery). I don't know any reality where that will ever be true.
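To show what the typo costs, here is an added example (mine, not code from the Android recovery tree or the blog): the comparison as quoted beside the one the comment describes, both run over a constructed EOCD record whose archive comment carries a second signature.

```python
import struct

# The 4-byte End Of Central Directory (EOCD) signature the quoted check looks for.
EOCD_SIG = bytes([0x50, 0x4b, 0x05, 0x06])

def sig_at_as_quoted(eocd, i):
    # The comparison exactly as quoted: the fourth clause re-tests eocd[i+1],
    # which the second clause already requires to be 0x4b, so this expression
    # can never be true for any input.
    return (eocd[i] == 0x50 and eocd[i+1] == 0x4b and
            eocd[i+2] == 0x05 and eocd[i+1] == 0x06)

def sig_at_intended(eocd, i):
    # What the surrounding comment says the check is meant to do: match the
    # full 4-byte sequence, with the last byte indexed at i+3.
    return (eocd[i] == 0x50 and eocd[i+1] == 0x4b and
            eocd[i+2] == 0x05 and eocd[i+3] == 0x06)

def trailing_signature_found(eocd, sig_at):
    """Return True if the EOCD signature appears again anywhere after the
    real one at offset 0. Starting at 4 skips the real signature itself."""
    for i in range(4, len(eocd) - 3):
        if sig_at(eocd, i):
            return True
    return False

def build_eocd(comment):
    # Minimal 22-byte EOCD record (all counts and offsets zero) followed by
    # an archive comment. Constructed sample data, not a real archive.
    return struct.pack('<4sHHHHIIH', EOCD_SIG, 0, 0, 0, 0, 0, 0,
                       len(comment)) + comment

# Sample inputs (constructed): a harmless comment, and one that smuggles a
# second EOCD signature after the real record.
CLEAN = build_eocd(b'plain comment')
SMUGGLED = build_eocd(b'xx' + EOCD_SIG + b'yy')

def demo():
    # The quoted check misses the duplicate; the intended one catches it
    # and stays quiet on the clean record.
    return {
        'quoted_catches_duplicate': trailing_signature_found(SMUGGLED, sig_at_as_quoted),
        'intended_catches_duplicate': trailing_signature_found(SMUGGLED, sig_at_intended),
        'intended_on_clean': trailing_signature_found(CLEAN, sig_at_intended),
    }

if __name__ == '__main__':
    print(demo())
```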
posted at: 15:42 | tags: android, typo | path: /entries/geek | permanent link to this entry
Fri, 18 Sep 2009
Adventures in Soekris Land - Part I
As I've mentioned before, I was recently given a net4501 by Jordan. Now that I'm moved into my new house I'm in the process of getting FreeBSD up and running on it. Since Jordan said he was seeing performance issues with it I figured it couldn't hurt to update the BIOS on the device first before I boot FreeBSD on it. It's actually a pretty simple process. All you need is lrzsz (ports/comms/lrzsz) and a serial cable.
Connect your serial cable and power on the board. You'll see the initial POST and then you have 5 seconds to hit Ctrl-P to break out of the boot sequence and into the "Monitor", which is basically a firmware prompt. Once you've got there issue the "download" command. Once you do that you have 30 seconds to start a file transfer of the image you want to flash. Using cu(1) to connect to the board you can use the ~C sequence to fork a child process where file descriptor 0 is the remote tty input, file descriptor 1 is the remote tty output and file descriptor 2 is the local tty stderr. The command you want to run is lsz -X <img.bin>. This will send the image over the serial port to the board, which is waiting for it (and stores it at a special location in memory). Once the download is finished you can flash the freshly downloaded image onto the board using the "flashupdate" command.
Soekris has a good manual and a wiki, both of which are useful sources of information.
Now that my board has the newest BIOS I'll be working on getting a FreeBSD image running on it. I think I'll start off with a simple PXE booting environment and eventually move to using the compact flash card as a boot environment. You can expect more updates as my Adventures in Soekris Land continues but for now I need to go to bed - my lawn needs to be cut in the morning (oh, the joys of being a home owner =b).
posted at: 22:27 | tags: soekris | path: /entries/geek | permanent link to this entry
Wed, 09 Sep 2009
Way to respect TTL, VMware.
Here's something fun. Here's a DNS query that looks right:
wxs@ack wxs % dig @4.2.2.1 +nocmd +nocomments +noquestion +nostats syn.atarininja.org
syn.atarininja.org.	1771	IN	A	129.21.60.158
wxs@ack wxs %
Here's the same query but from a NAT'ed VM (VMware Workstation) using the NAT device as a DNS server:
wxs@rst wxs % dig @192.168.2.2 +nocmd +nocomments +noquestion +nostats syn.atarininja.org
syn.atarininja.org.	5	IN	A	129.21.60.158
wxs@rst wxs %
The TTL is always 5. It's not like it starts at 5 and counts down. It's always 5. The NAT device acts as a DNS proxy, forwarding requests to whatever DNS server the host machine uses. I checked these requests and the response coming back has the real TTL. Why does VMware feel the need to manipulate TTL values on DNS responses?
posted at: 12:33 | tags: DNS | path: /entries/geek | permanent link to this entry
Fri, 14 Aug 2009
Soekris net4501 Acquisition
Thanks Jordan!
I've been quiet because I bought a house. Things have been hectic, to say the least, with that and are only going to get more hectic as we prepare to move in and finally move in. I'm hoping that by the end of September I'll be settled in and can get back to doing more than just updating ports.
The picture above will be one of my first projects. It's a net4501 donated to me by Jordan. He said he was having network performance issues with it and I said I would take it off his hands to replace my dying Linksys. Along with that piece of hardware to work on I've had another donation (which is currently in Northern Virginia pending my arrival to pick it up and bring it home) which will make a fine addition to my house. I'll give details once I have them in picture form. It supposedly doesn't work with -CURRENT so my first task with that will be to figure out why and fix it.
Things will likely continue to be quiet around here until my life settles back to normal.
posted at: 20:35 | tags: FreeBSD | path: /entries/freebsd | permanent link to this entry
Fri, 17 Jul 2009
My, How They Grow...
I just made the commit to note that my mentee, Steven Kreuzer, is flying solo. He's been a pleasure to work with and I know will go forth and do great things. Keep up the good work Steven!
posted at: 09:30 | tags: freebsd | path: /entries/freebsd | permanent link to this entry