Contrary to what I thought¹, it is possible to use an elliptic curve-based public SSH key on an EdgeMax router running a (recent?) EdgeOS.
Connect to the router over SSH and issue the following, to add your key to EdgeOS’s (/Vyatta’s) configuration:
configure
set system login user $your_router_user authentication public-keys user@host key "KEY-BODY-HERE"
set system login user $your_router_user authentication public-keys user@host type ssh-ed25519
commit
save
A few things to note:
user@host is whatever you want; it’s just the name that describes the key (technically, the config tree entry).
You’ll probably want to use YourUser@YourHost, YourHost being the host you are connecting from. That’s what OpenSSH normally generates as a comment at the end of public keys but…
…EdgeOS doesn’t understand any comment at the end of public SSH key files, even though they are a standard feature of OpenSSH keys.
In fact, it doesn’t recognise anything before the key itself either, so the usual ssh-rsa or ssh-ed25519 at the beginning of a key file makes it choke.
So you must put nothing but the key body, in between quotes, when setting the key config value (system login user $your_router_user authentication public-keys user@host key).
Finally, as you have probably guessed from the previous bullet points, setting the type config value (system login user $your_router_user authentication public-keys user@host type) to ssh-ed25519 is how you tell EdgeOS what kind of key this is. Yes, this is the part that sits at the beginning of a normal SSH key file.
This also explains why one hits the following error when pasting the whole key file into the set system login … command:
Invalid public key character not base-64
Unfortunately, I was hoping that would also explain why the loadkey command doesn’t accept the key from the key file, but… no. Even if you strip your public key file of the opening key type declaration (such as ssh-ed25519) and the ending comment (such as axel@master-switch), loadkey still complains and I get a:
Not a valid key file format (see man sshd) at /opt/vyatta/sbin/vyatta-load-user-key.pl line 96, <$in> line 1
It’s not like EdgeOS’s public SSH key management is super user friendly.
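As an added example (not code from the original post), here is a small POSIX shell function that does the stripping described above: it takes the line ssh-keygen writes to a .pub file, keeps only the key type and the base64 body, rejects a body that would trigger the "not base-64" error, and prints the EdgeOS configure/set/commit/save commands. The router user name ubnt and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Usage: edgeos_key_commands ROUTER_USER "OPENSSH_PUBKEY_LINE" [KEY_NAME]
# Prints the EdgeOS commands that register the key for ROUTER_USER.
# KEY_NAME defaults to the key's comment (user@host), or "user@host" if none.
edgeos_key_commands() {
    router_user=$1
    keyline=$2
    keyname=${3:-}
    # An OpenSSH public key line is "<type> <base64 body> [comment]".
    # Re-split the line on whitespace into the function's positional params.
    set -- $keyline
    keytype=$1
    keybody=$2
    [ -n "$keyname" ] || keyname=${3:-user@host}

    # Only the two key types the post mentions are handled here (assumption:
    # other types are passed through EdgeOS the same way, but are untested).
    case $keytype in
        ssh-ed25519|ssh-rsa) ;;
        *) echo "unsupported or missing key type: '$keytype'" >&2; return 1 ;;
    esac

    # EdgeOS wants nothing but base64 in the key value; anything else yields
    # "Invalid public key character not base-64", so fail early instead.
    case $keybody in
        ""|*[!A-Za-z0-9+/=]*) echo "key body is empty or not base64" >&2; return 1 ;;
    esac

    printf 'configure\n'
    printf 'set system login user %s authentication public-keys %s key "%s"\n' \
        "$router_user" "$keyname" "$keybody"
    printf 'set system login user %s authentication public-keys %s type %s\n' \
        "$router_user" "$keyname" "$keytype"
    printf 'commit\nsave\n'
}

# Constructed sample (not a real key), shaped like the output of ssh-keygen.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBodyNotARealKey0000 axel@laptop'
edgeos_key_commands ubnt "$SAMPLE_KEY"
```

Paste the printed lines into the router's SSH session; the function only prints them, it does not talk to the router.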
The next President of the French Republic, whoever she or he is, will take office with the support of – at best – 18.19% or 16.14% of registered voters¹. We are therefore in an (electoral) system that lets someone who wins the support of one person in 5, or even in 6, reach an office in which they represent the country and, by extension, the entire population. It is abstruse, and that is the genius of the two-round single-member ballot, aka first past the post, whose flaws are very well explained by CGP Grey in this video:
There is something that regularly strikes me in the communications of various companies (and beyond): the way they represent technology.
I am not talking about everyday technology, the smartphone, Google and Facebook, the computer built into cars… no, that technology is expected to be discreet, above all to be forgotten, so that we don’t think too much about it and especially about what it implies.
Here I mean rather technology as a concept, or more precisely as a fantasy. The one we don’t understand (or even that we are not supposed to understand).
Very often, the representation of this technological fantasy takes the form of depictions of clumsy, outright buggy or dated versions of it.
Hackers and robots
This is often the case for logos meant to represent “hackers”, a source of fantasies if ever there was one.
A good example is the logo of the Watch Dogs game series, which is stylised with an underscore (that, fine) but above all with letters showing some serious rendering artefacts.
Here is a(n unfinished) recipe for a modern chat server using XMPP (which you may recall I like). It needs polishing but I’m publishing it right now to make sure it can start being useful to anyone who needs it. I hope there are no glaring security mistakes, please let me know if you see any.
We will be able to get our messages on all connected devices at the same time, share pictures, audio clips and files simply and instantly, retrieve more chat history from the server and, once we go down in the metro and lose connectivity, get our messages when we regain access to the Internet.
It’s 2016 and I realised I hadn’t updated this site in a long time.
So it’s back up and running, with a fresh coat of paint and an updated backend. I finally moved away from lighttpd and to nginx (after all the cool kids did, 4 years ago) and the site is now secured thanks to a Letsencrypt certificate.
It might not seem like much, but it’s nice to feel like things are moving forward.
I like Jabber¹. It’s simple. It works.
I can use it to chat from my home computer, from my office computer, from my phone. Or all three at once.
I can use it to chat privately by adding some end-to-end encryption (such as OTR).
I’ve used it to call a friend when he was in Africa.
I use it to chat with my mum. Privately too.
I use it to chat with my friends.
Correction, I used to be able to use it to chat with my friends.
Lately, I don’t see some of them online anymore. Including some long distance friends with whom it has become an important way of staying in contact.
See, it may come as a surprise to you, but most of my friends aren’t übergeeks. In fact, most of them aren’t geeks at all.
They just use what everyone uses. And what everyone uses these days is Google, and thus Gmail.
So they have a Jabber account, which they call a Gtalk account.
I’ve tried telling them their Gtalk account is really a Jabber account, in the same way their Gmail account is really an email account. Most of the time it didn’t stick but hey, what the hell, at least we could chat.
Now Google has decided to move all their users away from Jabber and towards Hangouts, their new instant messaging platform.
Now before we go any further, of course I understand the need for Google to clean up their multiple instant messaging apps. Of course I understand that most Gtalk users only have Gtalk users in their contact lists. And from what I understand, you can still log in to your Gtalk account, as the Gtalk service is being maintained for the foreseeable future, whatever that means.
But while Google is selling this as an upgrade, they are passing over the fact that Hangouts is really only compatible with Hangouts, and nothing else.
As if users’ Gmail accounts could only send email to other Gmail accounts.
So now, more and more of my friends aren’t showing up online anymore because they’ve been switched to Hangouts, usually without realising so. And most of them will probably wonder why I am never online anymore, not realising they have moved to a different network.
After all, everything looks the same right? Just a little shinier and more “modern”.
Of course, a perfect solution would be to explain the situation to them.
Create an account for them on my Jabber server (or on another server, or even help them set up their own, it’s really not that hard), even enable them to point their own domain name at my server, and let them have a cool email@example.com address.
It’s simple, all they’d have to do on their end is download Xabber on Android or ChatSecure if – heavens forbid – they’re on iOS², enter their login and password and be on their merry way.
But the truth of the matter is: that would already be too much of an inconvenience.
Most people agree on an intellectual level that independence is important. But once you hit the practicalities, a surprising (and disappointing) number of people will throw their arms in the air and explain how all they want is to chat, not go into all this complex stuff.
Most people would also agree, especially in these post-PRISM-revelations days, that protecting your privacy is important.
But how many are willing to actually take a look at their online habits and change them?
I may sound bitter, and that’s because I am in part, but I am really more disappointed than anything else I guess.
At the end of the day, I wish I could just create an account for all my friends, have them realise the danger of putting all your eggs in the same basket and all your online life with the same provider and keep chatting as we do now, but to get the same usefulness out of that Jabber account they’d still have to convince all their friends to do the same, who’d have to convince all their friends to do the same, etc.
All of this compared to “but it already just works”.
Sure, it’s possible, but it’s an uphill battle.
And the best part (or the worst) is that it has already happened.
Remember 10-15 years ago. IM was ruled by ICQ, AIM, Yahoo! messenger, MSN messenger.
None of which could talk to any of the others.
Users were siloed.
But users were not (and are not) stupid, so they created accounts on each service. Then they started using clients that could run all services at once.
Ahh, those were the good old days of Trillian and then Miranda and gAIM.
In the end, a better service, or in fact a better protocol emerged: Jabber.
Legacy services even ended up trying to run on Jabber at one point or another and finally huge players based their entire instant messaging offering on Jabber: Google with Gtalk, Facebook with Facebook chat.
This made these services technically compatible with any other server running Jabber (in the same way firstname.lastname@example.org can send and receive mail to and from email@example.com). And most of the time it made the services actually interoperable (if the service did it right and didn’t close off connections to the rest of the Jabber network in order to be an island of their own… looking at you, Facebook chat).
In plain words: I can run my server and chat with anyone connected to a Jabber server as long as I’m on their contact list.
Fast forward to now, and having been through a period of interoperability, we are back to silos: Skype, Facebook Chat, iMessage, WhatsApp and… Hangouts.
None of which can talk to each other.
And this is what really annoys me. We were pretty much done with this silly issue and now we’re back to the same problem.
That and the fact I simply won’t be able to chat with my friends, unless they decide to switch back to Jabber (hard), to run a Jabber account on the side just for me (some might be nice enough to indulge me, but for how long?) or I agree to open a Hangouts account.
Why are we still blindly (for most of us, to say the least) trusting a messaging protocol that lacks so many basic security protections?
The fact is that if someone owns our email account, they own us. To make things worse, so many of us hand the keys to our lives over to the custody of third parties such as Google, Microsoft, and Yahoo!
The lack of updates on this website is a clear testament to the fact, though.
It feels as if it has been a lot longer, and some of my friends have also told me so. As one can imagine, it has been an intense ride, with many dossiers unfolding at the same time: the Net Neutrality debate, the French HADOPI law and similarly-named administration clinging on for dear life, the revision of the European IPRED directive, the dangerous and infamous ACTA agreement, and the many and ongoing attempts to control and censor the Internet.
But many positive things have also happened: positive proposals for the future of creation funding were synthesised, wonderful projects such as RespectMyNet, a citizen Net Neutrality monitoring and reporting platform, the Political Memory, or the Pi Phone came to fruition. Furthermore, many, many citizens learned of what is looming over the Internet as we know it and our freedoms in this space, and decided not only to keep track of these issues but also to act on them.
To imagine over 2.5 million people have watched a two-minute video trying to synthesise the dangers about ACTA is quite incredible, and to see how in a post-SOPA setting this translated into literally thousands of phone calls to European elected representatives makes one realise that citizen involvement, beyond being heart-warming, is also vastly efficient.
I can hardly sum up everything I’ve learned, the insight I’ve gained into politics and policy-making at the European level, the understanding of organisations and volunteer communities, the wonderful people I’ve met and the knowledge and expertise they’ve shared with me.
But I will attempt to do so in a few posts in the near future.