Category Archives: tech

So you’re confused about the gandi.cli API keys?

Yeah, me too.

The Gandi cli looks great on paper, however, it’s a bit unfriendly to get running,

Here is the situation, as of September 2019:

  • you actually need two different API keys
  • the old V4 interface uses a XMLRPC API.
  • the new V5 interface uses a REST API

So you need to go to v4.gandi.net, log in with your handle, and in your account management go to the API management and (re)generate your (XMPRPC) API key.

Then you also need to go to gandi.net, log in with your username, and in your security settings (re)generate a (REST) API key.

Finally, when running `gandi setup` you will put the v4 key first and the v5 key last.

This will give you a config file $HOME/.config/gandi/config.yaml that will look something like this:

api:
host: https://rpc.gandi.net/xmlrpc/
key: ikaitooquu4ahfun5Gidaen
apirest:
key: ien5quun1Eezaer3iesh7ph

I get a “IOError: unsupported XML-RPC protocol” error when trying to use the gandi record command.

But using the gandi dns command works fine.

record is the command to manage old (v4) domains .

dns is the command to manage “LiveDNS” (v5) domains.

Enabling a U2F security key on Github with Firefox (even if Github tries to stop you)

So, there’s this cool thing called U2F, for Universal 2nd Factor, a dead simple second authentication method in the form of a physical token (I’m using a Yubikey Neo, but that’s not specially relevant to we’ll be talking about here as it should apply to any security key).

By Tony Webster from Minneapolis, Minnesota, United States – Hardware Authentication Security Keys (Yubico Yubikey 4 and Feitian MultiPass FIDO), CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=71716914

To put in simpler term: with U2F to log in to a website you need the password and a physical doodad plugged in the computer. No doodad, no access. Sorry evildoers.

The idea being that while it’s possible to steal credentials (login and password), if you need also a physical thing, then just the credentials on their own are not useful.

With “trust-us-because-we-run-a-super-advanced-global-scale-Internet-infrastructure” companies like Facebook storing hundreds of millions of credentials in the clear (good job Facebook, no, really), it makes sense to use something that can’t just be stolen over the Internet.

I mean, you wouldn’t download a car, right?

So enabling U2F wherever you can is a good idea (as is having multiple physical security keys, as you will lose one or have it stolen).

Just show me how and stop blabbering

Fair enough. Let’s look at how to enable U2F security keys on Github in April 2019.

First of all, you’ll need to go to your Github account’s security settings and enable Two Factor Authentication (or 2FA as we cool kids call it, yo.). Github currently forces you to enable another 2FA method first, either SMS (erk) or TOTP (yes), so you’ll have to do that first. (Hint: you can use decent, FOSS apps to do TOTP on your phone).

Unfortunately for us, U2F is not enabled by default in current versions of Firefox (66.0.1 as i write this).

Luckily, it’s very simple to enable however, visiting `about:config`, searching for “U2F” and setting the following to true:

Security.webauth.U2F = true

More disheartening is the fact that even with this setting enabled, Github won’t let you add a key to your account, insisting instead that you “update to the latest version of Google Chrome”.

Not going to do that.

Instead, you can simply use Firefox’s developer tools to unhide the button that lets you add a security key.

To do so, open the Developer Tools (hitting F12 will do nicely) and in the Inspector, search HTML for:

new-u2f-registration

You should find a div element with a CSS display set to “none”, as shown in the CSS viewer (located to the bottom or to the right of the main inspector pane, depending on if your dev tools ar docked to the right or to the right, respectively).

Then, just untick the box next to “display: none;” and the “Register new device” button will appear.

The following screenshot might help:

Unhiding the Register new device button using Firefox’s Dev Tools

After that, everything works as you’d expect: you click the button, plug your key in, touch its button if it has one, give it a name to recognise with on Github, and you’re done.

Good, one less website to authenticate to without 2FA.

Adding a ED25519 SSH key to an ubiquiti edgemax router

Contrary to what I thought¹, it is possible to use an elliptic curve-based public SSH key on a Edgemax router, runnning a (recent?) EdgeOS.

Connect to the router over SSH and issue the following, to add your key to EdgeOS’s (/Vyatta’s) configuration:

configure
set system login user $your_router_user authentication public-keys user@host key "KEY-BODY-HERE"
set system login user $your_router_user authentication public-keys user@host type ssh-ed25519
commit
save

A few things to note:

  • user@host is whatever you want, it’s just the way one describes the key (technically, the config tree entry)
  • you’ll probably want to use YourUser@YourHost, YourHost as in: the host you are connecting from. That’s what is normally generated by OpenSSH as a comment at the end of public keys but…
  • …EdgeOS doesn’t understand any comment at the end of public SSH keyfiles. Even if they are a standard feature of OpenSSH keys.
  • In fact, it doesn’t recognise anything before the key itself either, so the usual ssh-rsa or ssh-ed25519 at the beginning of a keyfile make it choke.
  • So you must put nothing but the key body, in between quotes, when setting the config value system login user $your_router_user key
  • Finally, as you have probably guessed from the previous bullet points, setting the system login user $your_router_user type to ed_25519 is you tell EdgeOS what kind of key this is. Yes, this is the part that is at the beginning of a normal SSH keyfile.

This also explains why one hits the following error, when trying to paste when pasting the whole keyfile in the set system login etc. command.

Invalid public key character not base-64

Unfortunately, I was hoping that would explain why the loadkey command doesn’t accept the key from the keyfile, but… no. Even if you strip your public key file of the opening key type declaration (such as ssh-ed25519) and the ending comment (such as axel@master-switch), loadkey still complains and I get a:

Not a valid key file format (see man sshd) at /opt/vyatta/sbin/vyatta-load-user-key.pl line 96, <$in> line 1

Oh well.

  1. It’s not like EdgeOS’s public SSH key management is super user friendly.

La technologie, c’est ce qui ne marche pas.

Il y a quelque chose qui m’interpelle régulièrement dans la communication de diverses entreprises (et au-delà), c’est leur façon de représenter la technologie.
Je ne parle pas de la technologie de tous les jours, le smartphone, Google et Facebook, l’ordinateur embarqué dans les voitures… non cette technologie là est priée d’être discrète, de se faire oublier surtout, qu’on ne pense pas trop à elle et surtout à ce qu’elle implique.
Ici je veux parler plutôt de la technologie en tant que concept, ou plus exactement comme fantasme. Celle qu’on ne comprend pas (voire qu’on ne doit pas comprendre).

Très souvent, la représentation de ce fantasme technologique passe par la dépiction de versions bancales voire franchement buguées ou datées.

Des hackers et des robots

C’est souvent le cas pour les logos sensés représenter les « hackers », source de fantasmes s’il en est.
Bon exemple, le logo de la série de jeux Watch Dogs, qui est stylisé avec un underscore (ça, admettons) mais surtout, par des lettres affichant de sacrés artefacts de rendu.

Watch_Dogs logo
Image promotionnelle du jeu Watch Dogs, avec logo stylisé

Continue reading La technologie, c’est ce qui ne marche pas.

Exporting text messages on Sailfish OS

I had to export text messages (SMS) from a Jolla phone running Sailfish (not sure the version is relevant, SailfishOS 1.1.6.27 (Aaslakkajärvi) (armv7hl)).

2019-04-17 update: these instructions have been corrected and updated for Sailfish OS 3.0.2.8 (Oulanka).

Here is the best solution I found, using a bash script (the groovy script used in the previous version of this post is the one having issues now, so i switched to a bash script).

All scripts tested came from this question on together.jolla.com.

Continue reading Exporting text messages on Sailfish OS

A modern & private chat system (XMPP with Prosody and Conversations)

Here is a(n unfinished) recipe for a modern chat server using XMPP (which you may recall I like). It needs polishing but I’m publishing it right now to make sure it can start being useful to anyone who needs it.  I hope there are no glaring security mistakes, please let me know if you see any.

What do we get?

The users will use Conversations while on the server-side we use prosody.

We will be able to get our messages on all connected devices at the same time, share pictures, audio clips and files simply and instantly, retrieve more chat history from the server and, once we go down in the metro and lose connectivity, get our messages when we regain access to the Internet.

Continue reading A modern & private chat system (XMPP with Prosody and Conversations)

Google Hangouts and the all but likely death of Jabber

I like Jabber¹. It’s simple. It works.
I can use to chat from my home computer, from my office computer, from my phone. Or all three at once.
I can use to chat privately by adding some end-to-end encryption (such as OTR).
I’ve used to call a friend when he was in Africa.
I use it to chat with my mum. Privately too.
I use it to chat with my friends.

Correction, I used to be able to use it to chat with my friends.
Lately, I don’t see some of them online anymore. Including some long distance friends with whom it has become an important way of staying in contact.

See, it may come as a surprise to you, but most of my friends aren’t übergeeks. In fact, most of them aren’t geeks at all.
They just use what everyone uses. And what everyone uses these days is Google, and thus Gmail.
So they have a Jabber account, which they call a Gtalk account.
I’ve tried telling them their Gtalk account is really a Jabber account, in the same way their their Gmail account is really an email account. Most of the time it didn’t stick but hey, what the hell, at least we could chat.

Now Google has decided to move all their users away from Jabber and towards Hangouts, their new instant messaging platform.

Now before we go any further, of course I understand the need for Google to clean up their multiple instant messaging apps. Of course I understand that most Gtalk users only have Gtalk users in their contact lists. And from what I understand, you can still log in to your Gtalk account, as the Gtalk service is being maintained for the foreseeable future, whatever that means.

But while, Google is selling this a an upgrade they are passing over the fact that Hangouts is really only compatible with Hangouts, and nothing else.
As if users’ Gmail accounts could only send email to other Gmail accounts.

Continue reading Google Hangouts and the all but likely death of Jabber

How email is still failing, a good read on security

Why are we still blindly (for most of us, to say the least) trusting a messaging protocol that lacks so many basic security protections?

The fact is that if someone owns our email account, they own us. To make things worse, so many of us hand the keys to our lives over to the custody of third parties such as Google, Microsoft, and Yahoo!

I think Mark Burnett is spot on.

http://xato.net/cryptography/email-security-industrys-biggest-failure/