1. Using YubiKey and SmartCards through ssh tunnel remotely with p11-kit

    Sat 18 April 2020
    By mute

    I don't run my DNS server on my laptop and I don't plug in my smartcard at the datacenter (yet). So to keep the KSK offline, I have my YubiKey plugged into my home router, I ssh into that, and then ssh to the DNS server with the key shared over an ssh channel.

    p11-kit-server creates a unix socket which then serializes the communication to the smartcard. p11-kit-remote is more like the xinetd way of doing things. It isn't what I want for this, but can be used in the reverse -- such that the dns server starts the communication to …

  2. Offline KSK on YubiKey to DNSSEC sign BIND zones

    Sat 18 April 2020
    By mute

    BIND9 has native pkcs11 support which is usually available in separate packages. But that does not work for smartcards. Your HSM would need to support every crypto function. We want to use the OpenSSL engine to do everything except the few things that the smartcard holds secret inside (signing things with a key that can't come out). So don't bother with the bind pkcs11 packages.

    This took too long to figure out because of a bug in libp11. I guess other software doesn't check whether the key has the private flag set. I would keep getting something like:

    dnssec-signzone: fatal: cannot …
  3. GNU Screen zombie / defzombie for tmux

    Sun 11 February 2018
    By mute

    If you set remain-on-exit in tmux, and are too lazy to press Prefix x y <CR>, or just prefer the way GNU Screen's zombie command would ask "Kill/Respawn", then you have found the right place.

    I know this doesn't work in 2.3, which is in Debian stretch, so unfortunately you'll need a later version. I'm not sure of the earliest, but I just compiled tmux 2.8 and found what I needed in its documentation.

    set-hook -g pane-died 'command-prompt -1 -p "(k)ill/(r)espawn: " "if -Ft = \"#{==:%1,k}\" kill-pane; if -Ft = \"#{==:%1,r}\" respawn-pane"'
    

    So they're putting more …

  4. pfSense UniFi controller stuck adopting

    Tue 23 February 2016
    By mute

    Java is supposed to be cross-platform, but in the case of the UniFi controller that is not true. There is a snappy-java-1.0.5.jar which doesn't include FreeBSD/amd64 native libraries and thus doesn't work under pfSense. You'll notice this when you upgrade a UAP from 3.2.12.2920 to 3.3.17.3991. The inform URL now requires the snappy compression I guess, and if you sniff the traffic or look at logs you'll see a 500 failure and a trace about snappy. Just grab the one from the pkg system or, as I did:

    wget http …
  5. New site

    Mon 24 August 2015
    By mute

    I've moved from using lighttpd+php+mysql+wordpress to nginx+pelican. My site is now static and on an even smaller VPS. Costs went from $40/yr to just $15/yr. So far RamNode has been good. I meant to transition everything over but ... Oops. If you're looking for my old projects, then I am sad. Perhaps one day I'll get an itch to do things with the web again and put useful things here. Until then ... I'm sorry. :'(

  6. Codegolfing su in assembly

    Sat 06 December 2014
    By mute
    ; su in x86-64 for abusing shbot on irc.freenode.org/#bash.
    ; we overwrite .text section of a donor binary with our code to save writing a big ELF header.
    ; mute (m@san.aq) 07jul2015. public domain.
    
    ; 1. get offset for target binary
    ;  (/bin/nl is 6288 and /bin/[ is 5696; good luck getting other binaries off shbot)
    ;   objdump -h ~/nl.shbot | awk '/text/{print "ibase=16;"toupper($6)}' | bc
    ; 2. build this file with nasm
    ;   nasm -f bin su su.asm
    ; 3. get base64 encoded
    ;   base64 -w 0 ./su
    ; 4. run on shbot
    ;   # cd /bin;(head -c5696;read -N33;recode …
  7. FIX: WeeChat beeps too much on private message

    Check if the current window is the window that triggered the beep using

    ${window.buffer} != ${buffer}
    

    Set trigger conditions like this so that highlights beep for current window, but private messages won't beep in current window.

    /set trigger.trigger.beep.conditions "${tg_highlight} || (${tg_msg_pv} && (${window.buffer} != ${buffer}))"
    
  8. FIX: Windows Open File Security Warning

    Fri 14 November 2014
    By mute

    We have all seen this from time to time for a file we downloaded from the Internet:

    Open File - Security Warning

    It's usually not a problem because it's an installer and we run it once and it goes away. But what if it's a portable executable? Just exactly WHERE in the heck is this data stored?

    NTFS has a feature called Alternate Data Streams (ADS) which is where this security information is stored. Grab a copy of the SysInternals utility streams to remove this offending data if you plan to keep the file around but don't want to completely disable the security feature.

    And there you …

    Tagged as: windows
  9. Native IPv6 with Time Warner Cable

    Sun 11 May 2014
    By mute

    For some reason I decided to look into IPv6 again. Initially for AT&T since I was in the router page and saw it as an option that was disabled but not changeable. Then I logged into the router I have at my kids' house. I ran tcpdump and saw this:

    root@OpenWrt:/proc/sys/net/ipv6/conf/eth1# tcpdump -vvv -i eth1 ip6
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:36:53.462003 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::7281:5ff:fe2c:bbd9 > ff02::1: [icmp6 sum ok …
