Category Archives: code
dns64 blocklist

I wrote a small piece of code today, addressing the problem that DNS Blocklists are not working for Mailservers in a NAT64 enviromnent.


$ host -t A 9.0.a.d.a.e.b.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.6.4.0.0.dnsbl.fnordpol.de 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

9.0.a.d.a.e.b.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.6.4.0.0.dnsbl.fnordpol.de has address 127.0.0.2

this is currently working on my development laptop. It is a small python script which thinks that all it gets is a NAT64 prefixed IPv4 so it builds an ipv4 query out of the V6 address and forwards that thing to the real blocklist provider.

It surely needs some refinement, to make it operative.

Posted on June 1, 2016, 6:43 pm By
Comments Categories: code, misc, software
howto access subuids for lxc for backup and tar

Sometimes it takes a while to come to the obvious solutions, however I did learn a lot about namespaces ans stuff, but conclusions first, if you want to have somethink like fakeroot but for lxc to create backups without knowing about mapped userids or if you want to untar a priviledged installation, you may want to use lxc-usernsexec

cd ~/.local/lxc/yourvm/rootfs ; lxc-usernsexec -- tar xvfz somearchive.tar

You can easily map to different maps or map as root by using -m (u|g|b):0:startid:range for example -m b:0:1738400:65535. lxc-usernsexec does not do a changeroot. so you can use all the tools and data from the base system. However, keep in mind that all the files which are not in your mapped range including the data of the own user, are owned by user nobody and nogroup, that means that ssh private keys and gpg data is not accessable, except if you set the permissions accordingly.

Now a bit Theory:
The namespace change is done by cloning a process with the clone() C system call this one is the basic system call from which fork() exec() and all the others are derived from. but with clone() you can decide that the cloned system process has his own namespace. The Manpage user_namespaces provides you with some piece of C code doing exactly that. If you look at the code you might find a few confusing parts.

  • The uid and gid Mappings can only be made by the root user
  • The uid and gid mappings can not be made by the cloned process, even if it is a root process.
  • The uid and gid mappings can not be preset during clone()

This means clone() creates a new process with a new user namespace, which then has to wait for the parent or a setuid root process to set the mappings, and once this is done, it can continue with its work by, for example executing the process that really does the work. In the example from the user_namespaces manpace this waiting is done by waiting for a pipe to be closed by the parent.


close(args->pipe_fd[1]); /* Close our descriptor for the write
end of the pipe so that we see EOF
when parent closes its descriptor */
if (read(args->pipe_fd[0], &ch, 1) != 0) {
fprintf(stderr,
"Failure in child: read from pipe returned != 0\n");
exit(EXIT_FAILURE);
}

Because the experimental tool in the user_namespaces manpage only does a write to /proc//_map, it will only work as root, and there is no check if the given map makes sense. This check is done by other tools like newuidmap and newgidmap these are also running setuid root, so they have to check if the user is allowed to do the mapping before they actually set it. You may have to keep that in mind before actually implement your own code, that it may be better to call these tools.

you may also need to know that there is nsenter which is a tool that just enters the exact same namespace of a process if the calling process is allowed to do that.

You can find additional information in secondary literature and other blog posts. regards

Posted on May 19, 2016, 5:39 pm By
Comments Categories: code, software
keyctl wtf?

2 more wtfs, this time in keyctl pse have a look:


$ keyctl list @u
1 key in keyring:
175445478: –alswrv 0 0 user: d395309aaad4de06
$ keyctl list 175445478
185 keys in keyring:
4: key inaccessible (Required key not available)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
0: key inaccessible (Invalid argument)
10: key inaccessible (Required key not available)
0: key inaccessible (Invalid argument)
64: key inaccessible (Required key not available)
2: key inaccessible (Required key not available)
90575192: key inaccessible (Required key not available)
-1289718489: key inaccessible (Invalid argument)
1226118138: key inaccessible (Required key not available)
1367941247: key inaccessible (Required key not available)
185619277: key inaccessible (Required key not available)
-395441912: key inaccessible (Invalid argument)
745876651: key inaccessible (Required key not available)
2130504598: key inaccessible (Required key not available)
-837867635: key inaccessible (Invalid argument)
-1322709961: key inaccessible (Invalid argument)
-405937745: key inaccessible (Invalid argument)
-1943943650: key inaccessible (Invalid argument)
1965794927: key inaccessible (Required key not available)
1320268544: key inaccessible (Required key not available)
-172599692: key inaccessible (Invalid argument)
-2138721474: key inaccessible (Invalid argument)
892941156: key inaccessible (Required key not available)
1631137843: key inaccessible (Required key not available)
878993761: key inaccessible (Required key not available)
909141348: key inaccessible (Required key not available)
571539456: key inaccessible (Required key not available)
1716864051: key inaccessible (Required key not available)
119: key inaccessible (Required key not available)
$

The kernel documentation makes it clear:

$$code
Each key is issued a serial number of type key_serial_t that is unique for
the lifetime of that key. All serial numbers are positive non-zero 32-bit
integers.

 Userspace programs can use a key's serial numbers as a way to gain access
 to it, subject to permission checking.

$$/code

So first, if I am not wrong I would have guessed that it should show the key
with the ID 175445478 not all the others. And secondly it looks like the output
accidently uses int instead of unsigned int.

But Wait, there is more:

$$code(lang=shell)
$ keyctl show
Session Keyring
70665221 –alswrv 0 0 keyring: _ses
184578637 –alswrv 0 65534 _ keyring: _uid.0
175445478 –alswrv 0 0 _ user: d395309aaad4de06
tanja:~# man keyctl
tanja:~# keyctl add user foobar barfoo @u
545549103
$ keyctl show
Session Keyring
70665221 –alswrv 0 0 keyring: _ses
184578637 –alswrv 0 65534 _ keyring: _uid.0
175445478 –alswrv 0 0 _ user: d395309aaad4de06
545549103 –alswrv 0 0 _ user: foobar
$$/code

Every other tool I know tries to prevent key data from being shown in the process list by not passing cleartext passwords as commandline arguments, maybe for keyctl rules are different.

So far for this interesting experience. I still hope that I am wrong and everything is fine as soon as I dig deeper.

Posted on May 10, 2016, 11:14 pm By
Comments Categories: code, software
ecryptfs-add-passphrase returns sig [d395309aaad4de06] for test

Right now I am a bit annoyed, because I have read the installation manuals for ecryptfs.
Most of them point to something like:

$$code(lang=shell)
$ echo -n test | ecryptfs-add-passphrase
Passphrase:
Inserted auth tok with sig [d395309aaad4de06] into the user session keyring
$ echo d395309aaad4de06 >> ~/.ecryptfs/secret.sig
$$/code

basicly you later tell mount which passphrase to use via ecryptfs_fnek_sig=d395309aaad4de06,ecryptfs_sig=d395309aaad4de06

Maybe I am totally stupid, but for me, for the moment it looks as if signature actually means CHECKSUM. And it looks like this one is even worse than the one in your /etc/shadow. It may get better if your password is actually long compared with that checksum, but I would guess: most user passwords are not.

However I would be happy to learn that I was concerned for nothing.

brought nat64 to live

I just brought my first ever NAT64 up and running!

64 bytes from 64:ff9b::808:808: icmp_seq=501 ttl=57 time=1.42 ms
64 bytes from 64:ff9b::808:808: icmp_seq=502 ttl=57 time=1.48 ms
64 bytes from 64:ff9b::808:808: icmp_seq=503 ttl=57 time=1.50 ms
64 bytes from 64:ff9b::808:808: icmp_seq=504 ttl=57 time=1.43 ms
64 bytes from 64:ff9b::808:808: icmp_seq=505 ttl=57 time=1.36 ms
64 bytes from 64:ff9b::808:808: icmp_seq=506 ttl=57 time=1.51 ms
64 bytes from 64:ff9b::808:808: icmp_seq=507 ttl=57 time=1.55 ms
64 bytes from 64:ff9b::808:808: icmp_seq=508 ttl=57 time=1.45 ms
64 bytes from 64:ff9b::808:808: icmp_seq=509 ttl=57 time=1.53 ms
64 bytes from 64:ff9b::808:808: icmp_seq=510 ttl=57 time=1.35 ms
64 bytes from 64:ff9b::808:808: icmp_seq=511 ttl=57 time=1.35 ms
64 bytes from 64:ff9b::808:808: icmp_seq=512 ttl=57 time=1.37 ms
64 bytes from 64:ff9b::808:808: icmp_seq=513 ttl=57 time=1.56 ms

it can ping googles nameserver now.
V6 only infrastructure is coming.

using gnupg as a privacy guard

Two days ago I cleaned up my key management.
I created new gnupg keys and I figured out that gnupg is able to
deal with many more things than I thought of today.

You can use the Keys in you GPG storage to authenticate your ssh logins.
You can use the Keys for signing and ancrypting with both PGP and S/MIME
standards.

The GPG Agent keeps your keys painlessly locked away when you are not
using them for a while, but I do not have to enter my passphrase every
minute just to check my mail.

There is only one Option that I really miss: I want to authenticate
against Facebook, Google and others via using GnuPG, it is the
obvious next step. That means a Webbrowser who is aware of Gnupg and
a multipart signed mime post request. There are rumors that browsers
already have such a thing, but I was not able to find anything on the
net.

So my private keys are now saver than before.
But lets start from scratch:

  • everyone uses electronic signatures, on webpages and for your eBanking
  • most people do know nothing about electronic signatures
  • not knowing is is dangerous

If you don’t know anything about Public Key and Signatures you definately
watch this:

An electronic signature is the other way round, you
encrypt private and decrypt public.

How easy is that? The only big issue is, that you have to keep your keys save.

So far, cu next time. Oh by the way, my new GnuPG Key is:

  • ID: 5F94E76B Keygrip: 977A0623F543190A41D7DE2A0D297B023E9868DD
Hack Attack

Security is a Bastard! Only two weeks ago, I did some major upgrades to my
internet server system. I improved especially my root passwords to a 6 digit
random generated one, hoping that it would take a few years to get all the
combinations done with that 3 seconds delay. WRONG WRONG WRONG, but my old
setup was even worse.

It took them 14 Days, on a system with only ssh open! how? Because I was a
naive. The MaxSessions parameter did misslead me a bit to belive that it means
connections but a session is not a connection, so hey, lets open a thousand
connections, and every connection trys 3 passwords, much faster!

So what did I do to prevent this from happening again:

  • Setting the PermitRootLogin back to without password
  • creating a special user who provides me access to su so I can get root in case of key loss
  • the special user has no obvious name, you can guess it.
  • 8 character random generated passwords
  • adding the following iptables rule:

$$code(lang=shell)
iptables -A INPUT -p tcp -m tcp –dport 22
–tcp-flags FIN,SYN,RST,ACK SYN
-m connlimit –connlimit-above 10
–connlimit-mask 32 –connlimit-saddr
-j REJECT –reject-with icmp-port-unreachable
$$/code

And that as a default on all systems. This will work until the next one comes along.

se ya.

so far for the bike

image{IMG_20150716_003105.jpg}
Note the Fatique crack.
I am heading off with a car now.

Very odd perl experiences

Sometimes really odd things happen:

I am still testing if this perl expression:

$$code(lang=perl)
my $obj=eval “Some::Object->new()”;
$$/code

may be responsible for serious segmentation faults within perl for AIX.
pls stay tuned.

A Telegram Network for Ham Radio

A few weeks ago I launched the QTC-Net Project.
Which is a Telegram Network between Ham Radio operators.

http://www.qtc-net.org/

The Idea was simply this:

  • 4 operators A, B, C and D. A has a message for D.
  • A is talking to B, telling him the message B then puts the message in the network
  • C is talking to D, C will fing the message to D in the network and tells it D

Coding such a thing is more difficult than it looks like. especially if it should
be decentralized, unencrypted (ham radio requirement), and easy to use.

so we will se what the future brings… 🙂

Next Page