Time |
S |
Nick |
Message |
00:38 |
|
codex |
Did you guys know you can sniff ssh interprocess and get your password in clear text? |
00:38 |
|
codex |
i felt it was so outrageous that I had to write about it |
00:38 |
|
codex |
http://blog.vpetkov.net/2013/01/29/sniffing-ssh-password-from-the-server-side/ |
01:01 |
|
pdurbin |
codex: yikes! worth spreading the news about that: https://plus.google.com/107770072576338242009/posts/ETqpKHLUEKr |
01:09 |
|
pdurbin |
codex: what if i use an ssh key pair? can you grab a copy of my private ssh key if you're root on a box and doing your strace trick? |
14:01 |
|
larsks |
pdurbin: You can't get a copy of the private key...but, if someone is using agent forwarding, you can impersonate them (by passing signing requests to their agent) as long as they're connected. |
14:03 |
|
larsks |
But codex's article is kind of silly: if you are able to escalate privileges and use "strace", you could also simply replace the sshd binary with one modified explicitly to harvest passwords. I've seen this particular trick in the wild. |
14:03 |
|
larsks |
Heck, you could probably accomplish something similar via clever use of LD_PRELOAD. |
14:06 |
|
pdurbin |
larsks: right, in the gplus post people are commenting that root could replace /usr/bin/ssh with a version with a key logger |
14:06 |
|
pdurbin |
but i don't agree that codex's article is silly |
14:12 |
|
larsks |
I think that in general the unix security model is predicated on trusting "root", and that if a "vulnerability" is predicated on having root access to begin with then it's largely a non-issue. |
14:12 |
|
larsks |
...your problem is that someone had root access. |
14:14 |
|
larsks |
For example: I could start a process in an isolated mount namespace and then bind-mount a new version of sshd onto /usr/sbin/sshd. This would be undetectable from outside of the mount namespace, but would still let me happily harvest passwords. |
14:15 |
|
larsks |
The number of ways I can harvest ssh passwords given root access is large. This is why we don't permit password authentication on our systems. |
14:15 |
|
pdurbin |
somehow i'm more ok with a fellow sysadmin becoming root and then becoming me with `su` than i am with that sysadmin grabbing and knowing my ssh password |
14:16 |
|
larsks |
Right, but the point is they *can*, and that ability is largely independent of how ssh handles passwords internally. |
14:16 |
|
larsks |
And you shouldn't be using passwords with ssh. Because of this. |
14:17 |
|
pdurbin |
know i know! |
14:17 |
|
larsks |
Of course, they can get your "sudo" password the same way... |
14:17 |
|
pdurbin |
now |
14:17 |
|
pdurbin |
so i should assume anyone with root knows my password. or can fairly easily get it |
14:17 |
|
larsks |
Yes. |
14:18 |
|
pdurbin |
i can use public/private keys for ssh but what about sudo? i need a password, right? |
14:20 |
|
larsks |
That depends. Our mechanism for administrative access does not involve passwords at any point in the process (although it does involve a google authenticator token). I can talk about it in more detail if you're interested (but it might be a lot of typing). |
14:50 |
|
pdurbin |
larsks: ok. cool. maybe a google+ hangout... which we can turn into a podcast :) |
15:08 |
|
larsks |
I'm more typey-typey than talky-talky, unless you want to drop by our office. Maybe I can write something up. |
15:15 |
|
pdurbin |
if you want to typey-typey it up it's certainly on topic for #crimsonfu. consider this an open invitation to start typing whenever you want :) |
15:21 |
|
ben_e |
does having a topic mean we have a moderator? |
15:22 |
|
pdurbin |
ben_e: no, but here's what's on topic (patches welcome!): http://sourcefu.com/topics |
15:23 |
|
pdurbin |
westmaas: i still haven't taken vagrant off since i love and use it so much |
15:23 |
|
ben_e |
i read it |
15:23 |
|
ben_e |
i'm just saying if i start talking about my mole collection, are you going to /kick me? :-) |
15:24 |
|
ben_e |
it seems like there's some crossover between the channels |
15:24 |
|
ben_e |
so are there really people who would say "i'm a sysadmin! all this python talk is annoying to me. /quit" |
15:25 |
|
pdurbin |
yeah, but i believe a split is healthy. like stackoverflow vs. serverfault |
15:25 |
|
ben_e |
nods |
15:26 |
|
pdurbin |
i'm just saying ssh and password stuff seems to better fit here: http://crimsonfu.github.com/topics |
15:26 |
|
pdurbin |
codex: thanks for posting in both places |
15:30 |
|
pdurbin |
ben_e: i've never had to kick anyone from either channel, despite the spam concerns i wrote about at http://crimsonfu.github.com/2012/02/06/crimsonfu-freenode-irc-channel-setup.html |
15:31 |
|
|
spilth joined #sourcefu |
15:57 |
|
pdurbin |
semiosis: you around? or anyone who knows maven sites? i've been thinking about them again: http://irclog.iq.harvard.edu/dvn/2013-01-30#i_479 |
15:58 |
|
pdurbin |
we had discussed them previously here: http://irclog.greptilian.com/sourcefu/2013-01-15#i_1810 |
16:02 |
|
semiosis |
sup? |
16:02 |
|
spilth |
I know a little bit. What's your question? |
16:03 |
|
pdurbin |
http://cescoffier.github.com/maven-play2-plugin/maven/snapshot/ shows one level deep under overview: intro, goals, usage, quickstart |
16:03 |
|
pdurbin |
it comes from the "menu" https://github.com/cescoffier/maven-play2-plugin/blob/master/src/site/site.xml#L44 |
16:04 |
|
pdurbin |
it's pretty flat... i'm wondering about a deeper hierarchy |
16:04 |
|
pdurbin |
more like sphinx/readthedocs |
16:05 |
|
spilth |
oooh, that looks nice |
16:05 |
|
semiosis |
i actually haven't used the site plugin for much, sorry not much help there |
16:06 |
|
pdurbin |
no worries. it's very nice in general |
16:07 |
|
pdurbin |
check this out.. you specify your mailing list here: https://github.com/cescoffier/maven-play2-plugin/blob/master/pom.xml#L41 |
16:07 |
|
pdurbin |
and it gets rendered here: http://cescoffier.github.com/maven-play2-plugin/maven/snapshot/mail-lists.html |
16:09 |
|
pdurbin |
that part is done by maven-project-info-reports-plugin - http://maven.apache.org/plugins/maven-project-info-reports-plugin/ |
16:23 |
|
spilth |
http://maven.apache.org/guides/mini/guide-site.html |
16:29 |
|
pdurbin |
spilth: thanks. i need to throw what i've got over the wall and move on to other things |
16:29 |
|
spilth |
sounds like it |
16:29 |
|
pdurbin |
but so far i'm liking maven sites a lot |
16:29 |
|
spilth |
customize more later |
16:30 |
|
spilth |
you could set up a CI server to build those projects and deploy the documentation somewhere with each build |
16:31 |
|
spilth |
I love that bug where somebody's RSS feed suddenly insists that every article on the site has just been posted |
17:30 |
|
pdurbin |
ok, my proof of concept maven site for dvn: http://dvn.github.com/dvn-mavensitepoc |
17:30 |
|
pdurbin |
see especially the pom.xml stuff at http://dvn.github.com/dvn-mavensitepoc/mavensite.html |
17:41 |
|
spilth |
nice |
17:47 |
|
spilth |
I really loathe our internal wiki system |
17:48 |
|
spilth |
I just want to use Markdown and a Jekyll site to create and publish documentation |
18:25 |
|
pdurbin |
spilth: reminds me of docjekyll: http://irclog.perlgeek.de/crimsonfu/2012-08-02#i_5868537 ... may it rest in peace |
18:27 |
|
spilth |
I prefer people checking out the project from Git and committing their changes... then it goes through some build/deploy process. No web interface. |
18:27 |
|
spilth |
I realize that's limiting it to tech savvy people... |
18:28 |
|
pdurbin |
then you should use ikiwiki. i has a web interface |
18:28 |
|
pdurbin |
it |
18:41 |
|
spilth |
I think I want Git to be the level-of-entry for participating |
18:44 |
|
pdurbin |
+1 |
18:46 |
|
spilth |
I can't find an example, but on difficult mountain biking trails they will often have a "filter technical" - a technical feature at the beginning of the trail that you need to clear in order to access the rest of the trail. It gives you an idea of what you'll be encountering and have to deal with. |
18:47 |
|
|
raprasad joined #sourcefu |
18:47 |
|
pdurbin |
makes sense |
18:47 |
|
raprasad |
been using this cs-xml spec, better than json |
18:48 |
|
raprasad |
(comma separated XML) |
18:48 |
|
pdurbin |
crimsonfubot: lucky cs-xml |
18:48 |
|
crimsonfubot |
pdurbin: http://www.quackit.com/xml/tutorial/xml_css.cfm |
18:48 |
|
|
agperson joined #sourcefu |
18:48 |
|
raprasad |
just joking |
18:48 |
|
* pdurbin |
shakes fist |
18:52 |
|
spilth |
-1 |
18:54 |
|
pdurbin |
raprasad: i showed a java dev my xml thing and he agrees it's awesome :) |
18:54 |
|
raprasad |
re: -1; agreed |
18:56 |
|
* spilth |
goes off to make a pom.yml |
19:03 |
|
semiosis |
java devs love xml |
19:03 |
|
semiosis |
pdurbin: ^ |
19:03 |
|
spilth |
Well when you get certified in something you want to make sure you use it all the time... |
19:04 |
|
* spilth |
ducks |
19:04 |
|
pdurbin |
i can turn xml to yaml thanks to ironcamel's App::p |
19:04 |
|
spilth |
What we really need is XAMLSV |
19:05 |
|
spilth |
And then whatever version of that Microsoft comes out with |
21:28 |
|
spilth |
Also, using something like Jekyll lets us extend it with our own tags and tools |
21:35 |
|
pdurbin |
spilth: but... ikiwiki already has a nice plugin architecture |
21:36 |
|
pdurbin |
http://ikiwiki.info/plugins |
21:36 |
|
spilth |
for some reason I just cringe at wikis |
21:36 |
|
pdurbin |
http://wiki.greptilian.com/ikiwiki |
21:37 |
|
pdurbin |
you want a blogging platform instead? |
21:37 |
|
spilth |
No, I want a way for people to document and organize things. |
21:37 |
|
spilth |
But done by editing text files in whatever editor they like, not through a web interface. |
21:37 |
|
spilth |
And committing their changes to version control. |
21:38 |
|
pdurbin |
sounds like ikiwiki to me |
21:38 |
|
pdurbin |
let's call it ikidocy to make you happy |
21:38 |
|
spilth |
Can we take out the "icky" too? :-) |
21:38 |
|
pdurbin |
docydocy |
21:38 |
|
spilth |
+1 |
21:40 |
|
pdurbin |
this ikiwiki has decent css: http://www.dragonflybsd.org |
21:41 |
|
spilth |
http://code.google.com/p/better-web-readability-project/ |
21:42 |
|
pdurbin |
hmm, http://www.allapis.com/Better-Web-Readability-Project-CSS-Library/The-Raven.html does look pretty nice |
21:43 |
|
spilth |
I love that it isn't actually applied to their project page :-) |
21:43 |
|
pdurbin |
if shuff were here he'd link to http://ethanschoonover.com/solarized |
21:44 |
|
spilth |
I tried solarized. Wasn't digging it. |
21:44 |
|
spilth |
I like this - http://bootswatch.com/readable/ |
21:45 |
|
spilth |
You can see how I feel about font sizes - http://spilth.org/notes/rails3-date-time/ |
21:48 |
|
spilth |
Our current wiki has a small font and apparently changing the CSS is a huge pain (hosted solution) |
21:50 |
|
spilth |
Okay, I will look at this icky thing |