greptilian logo

IRC log for #sourcefu, 2013-01-30

http://sourcefu.com

| Channels | #sourcefu index | Today | | Search | Google Search | Plain-Text | plain, newest first | summary

All times shown according to UTC.

Time S Nick Message
00:38 codex Did you guys know you can sniff ssh interprocess and get your password in clear text?
00:38 codex i felt it was so outrageous that I had to write about it
00:38 codex http://blog.vpetkov.net/2013/01/29/sniffing-ssh-password-from-the-server-side/
01:01 pdurbin codex: yikes! worth spreading the news about that: https://plus.google.com/107770072576338242009/posts/ETqpKHLUEKr
01:09 pdurbin codex: what if i use an ssh key pair? can you grab a copy of my private ssh key if you're root on a box and doing your strace trick?
14:01 larsks pdurbin: You can't get a copy of the private key...but, if someone is using agent forwarding, you can impersonate them (by passing signing requests to their agent) as long as they're connected.
14:03 larsks But codex's article is kind of silly: if you are able to escalate privileges and use "strace", you could also simply replace the sshd binary with one modified explicitly to harvest passwords.  I've seen this particular trick in the wild.
14:03 larsks Heck, you could probably accomplish something similar via clever use of LD_PRELOAD.
14:06 pdurbin larsks: right, in the gplus post people are commenting that root could replace /usr/bin/ssh with a version with a key logger
14:06 pdurbin but i don't agree that codex's article is silly
14:12 larsks I think that in general the unix security model is predicated on trusting "root", and that if a "vulnerability" is predicated on having root access to begin with then it's largely a non-issue.
14:12 larsks ...your problem is that someone had root access.
14:14 larsks For example: I could start a process in an isolated mount namespace and then bind-mount a new version of sshd onto /usr/sbin/sshd.  This would be undetectable from outside of the mount namespace, but would still let me happily harvest passwords.
14:15 larsks The number of ways I can harvest ssh passwords given root access is large.  This is why we don't permit password authentication on our systems.
14:15 pdurbin somehow i'm more ok with a fellow sysadmin becoming root and then becoming me with `su` than i am with that sysadmin grabbing and knowing my ssh password
14:16 larsks Right, but the point is they *can*, and that ability is largely indepdent of how ssh handles passwords internally.
14:16 larsks And you shouldn't be using passwords with ssh.  Because of this.
14:17 pdurbin know i know!
14:17 larsks Of course, they can get your "sudo" password the same way...
14:17 pdurbin now
14:17 pdurbin so i should assume anyone with root knows my password. or can fairly easily get it
14:17 larsks Yes.
14:18 pdurbin i can use public/private keys for ssh but what about sudo? i need a password, right?
14:20 larsks That depends.  Our mechanism for administrative access does not involve passwords at any point in the process (although it does involve a google authenticator token).  I can talk about it in more detail if you're interested (but it might be a lot of typing).
14:50 pdurbin larsks: ok. cool. maybe a google+ hangout... which we can turn into a podcast :)
15:08 larsks I'm more typey-typey than talky-talky, unless you want to drop by our office.  Maybe I can write something up.
15:15 pdurbin if you want to typey-typey it up it's certainly on topic for #crimsonfu. consider this an open invitation to start typing whenever you want :)
15:21 ben_e does having a topic mean we have a moderator?
15:22 pdurbin ben_e: no, but here's what's on topic (patches welcome!): http://sourcefu.com/topics
15:23 pdurbin westmaas: i still haven't taken vagrant off since i love and use it so much
15:23 ben_e i read it
15:23 ben_e i'm just saying if i start talking about my mole collection, are you going to /kick me? :-)
15:24 ben_e it seems like there's some crossover between teh channels
15:24 ben_e so are there really people who would say "i'm a sysadmin! all this python talk is annoying to me. /quit"
15:25 pdurbin yeah, but i believe a split is healthy. like stackoverflow vs. serverfault
15:25 ben_e nods
15:26 pdurbin i'm just saying ssh and password stuff seems to better fit here: http://crimsonfu.github.com/topics
15:26 pdurbin codex: thanks for posting in both places
15:30 pdurbin ben_e: i've never had to kick anyone from either channel, despite the spam concerns i wrote about at http://crimsonfu.github.com/2012/02/06/crimsonfu-freenode-irc-channel-setup.html
15:31 spilth joined #sourcefu
15:57 pdurbin semiosis: you around? or anyone who knows maven sites? i've been thinking about them again: http://irclog.iq.harvard.edu/dvn/2013-01-30#i_479
15:58 pdurbin we had discussed them previously here: http://irclog.greptilian.com/sourcefu/2013-01-15#i_1810
16:02 semiosis sup?
16:02 spilth I know a little bit. What's your question?
16:03 pdurbin http://cescoffier.github.com/maven-play2-plugin/maven/snapshot/ shows one level deep under overview: intro, goals, usage, quickstart
16:03 pdurbin it comes from the "menu" https://github.com/cescoffier/maven-play2-plugin/blob/master/src/site/site.xml#L44
16:04 pdurbin it's pretty flat... i'm wondering about a deeper hierarchy
16:04 pdurbin more like sphinx/readthedocs
16:05 spilth oooh, that looks nice
16:05 semiosis i actually havent used the site plugin for much, sorry not much help there
16:06 pdurbin no worries. it's very nice in general
16:07 pdurbin check this out.. you specify you mailing list here: https://github.com/cescoffier/maven-play2-plugin/blob/master/pom.xml#L41
16:07 pdurbin and it gets rendered here: http://cescoffier.github.com/maven-play2-plugin/maven/snapshot/mail-lists.html
16:09 pdurbin that part is done by maven-project-info-reports-plugin - http://maven.apache.org/plugins/maven-project-info-reports-plugin/
16:23 spilth http://maven.apache.org/guides/mini/guide-site.html
16:29 pdurbin spilth: thanks. i need to throw what i've got over the wall and move on to other things
16:29 spilth sounds like it
16:29 pdurbin but so far i'm liking maven sites a lot
16:29 spilth customize more later
16:30 spilth you could set up a CI server to build those projects and deploy the documentation somewhere with each build
16:31 spilth I love that bug where somebody's RSS feed suddenly insist that ever article on the site has just been posted
17:30 pdurbin ok, my proof of concept maven site for dvn: http://dvn.github.com/dvn-mavensitepoc
17:30 pdurbin see especially the pom.xml stuff at http://dvn.github.com/dvn-mavensitepoc/mavensite.html
17:41 spilth nice
17:47 spilth I really loathe our internal wiki system
17:48 spilth I just want to use Markdown and a Jekyll site to create and publish documentation
18:25 pdurbin spilth: reminds me of docjekyll: http://irclog.perlgeek.de/crimsonfu/2012-08-02#i_5868537 ... may it rest in peace
18:27 spilth I prefer people checking out the project from Git and committing their changes... then it goes through some build/deploy process. No web interface.
18:27 spilth I realize that's limiting it to tech savvy people...
18:28 pdurbin then you should use ikiwiki. i has a web interface
18:28 pdurbin it
18:41 spilth I think I want Git to be the level-of-entry for participating
18:44 pdurbin +1
18:46 spilth I can't find an example, but on difficult mountain biking trails they will often have a "filter technical" - a technical feature at the beginning of the trail that you need to clear in order to access the rest of the trail. It gives you an idea of what you'll be encountering and have to deal with.
18:47 raprasad joined #sourcefu
18:47 pdurbin makes sense
18:47 raprasad been using this cs-xml spec,  better than json
18:48 raprasad (comma separated XML)
18:48 pdurbin crimsonfubot: lucky cs-xml
18:48 crimsonfubot pdurbin: http://www.quackit.com/xml/tutorial/xml_css.cfm
18:48 agperson joined #sourcefu
18:48 raprasad just joking
18:48 * pdurbin shakes fist
18:52 spilth -1
18:54 pdurbin raprasad: i showed a java dev my xml thing and he agrees it's aweseome :)
18:54 raprasad re: -1; agreed
18:56 * spilth goes off to make a pom.yml
19:03 semiosis java devs love xml
19:03 semiosis pdurbin: ^
19:03 spilth Well when you get certified in something you want to make sure you use it all the time...
19:04 * spilth ducks
19:04 pdurbin i can turn xml to yaml thanks to ironcamel's App::p
19:04 spilth What we really need is XAMLSV
19:05 spilth And then whatever version of that Microsoft comes out with
21:28 spilth Also, using something like Jekyll let's use extend it with our own tags and tools
21:35 pdurbin spilth: but... ikiwiki already has a nice plugin architecture
21:36 pdurbin http://ikiwiki.info/plugins
21:36 spilth for some reason I just cringe at wikis
21:36 pdurbin http://wiki.greptilian.com/ikiwiki
21:37 pdurbin you want a blogging platform instead?
21:37 spilth No, I want a way for people to document and organize things.
21:37 spilth But done by editing text files in whatever editor they like, not through a web interface.
21:37 spilth And committing their changes to version control.
21:38 pdurbin sounds like ikiwiki to me
21:38 pdurbin let's call it ikidocy to make you happy
21:38 spilth Can we take out the "icky" too? :-)
21:38 pdurbin docydocy
21:38 spilth +1
21:40 pdurbin this ikiwiki has decent css: http://www.dragonflybsd.org
21:41 spilth http://code.google.com/p/better-web-readability-project/
21:42 pdurbin hmm, http://www.allapis.com/Better-Web-Readability-Project-CSS-Library/The-Raven.html does look pretty nice
21:43 spilth I love that isn't actually applied to their project page :-)
21:43 pdurbin if shuff were here he'd link to http://ethanschoonover.com/solarized
21:44 spilth I tried solarized. Wasn't digging it.
21:44 spilth I like this - http://bootswatch.com/readable/
21:45 spilth You can see how I feel about font sizes - http://spilth.org/notes/rails3-date-time/
21:48 spilth Our current wiki has a small font and apparently changing the CSS is a huge pain (hosted solution)
21:50 spilth Okay, I will look at this icky thing

| Channels | #sourcefu index | Today | | Search | Google Search | Plain-Text | plain, newest first | summary

http://sourcefu.com