GPG Key

I’ve uploaded a public GPG key for anyone who wants to send encrypted information my way. You’ll find it at http://key.jamesconroyfinn.com/.

It was created using the OS X version of GPG, which can be installed using MacGPG (http://macgpg.sourceforge.net/). Once installed, a key can be generated in a few quick and simple steps using gpg in Terminal.

There are some useful links on the MacGPG Sourceforge page that demonstrate how to create a key and how to use your keys to encrypt email in Mail and Entourage.

Leroy Jenkins!

I haven’t seen this video in ages. Cracked me up when I first saw it. I’ve done a few raids in the past and always laughed at how seriously some people took it. Leroy Jenkins!

phpMyProxy

I’ve just set up phpMyProxy at http://phpproxy.jamesconroyfinn.com. It’ll provide all the usual functionality expected in a web proxy, like stripping page titles, removing JavaScript and images, and ignoring cookies.

OpenSSH Keys

OpenSSH is included in OS X and allows admins full access to all levels of a machine’s OS. However, you have to type in a password for every connection, which can be tiresome when you need to connect to 20 client machines!

Thankfully, we can avoid all this typing through a private/public key system. There is an article on creating the necessary keys on the OpenSSH website, which is easy to follow. I’m going to run through an OS X-centric implementation here.

First off we need to decide what we are connecting to and which account we will use to authenticate. For this example we’ll access a machine called “target” as the user “admin”.

We need to be working in your home folder on your machine to start with.

Open Terminal. You’ll probably be in your home folder already. If not, run

cd

Now we’ll make sure our ~/.ssh directory exists, cd into it and create our key pair

mkdir -p ~/.ssh && cd ~/.ssh
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

You’ll be asked for a passphrase at this point. Make sure it’s very, very secure! I’ve made a couple of scripts that will generate passwords, which you can find in my password generation post.

You can also get passwords generated for you online at https://www.grc.com/passwords.htm or use Apple’s built-in password generator accessible via the change password sheet in the Account preference pane.

There are lots of dashboard widgets and pieces of software designed to generate passwords for you. Check out Google for a look at what’s available.

Once you’ve decided on your very secure password and typed/pasted it in (very naughty!!) you’ll have an id_rsa and id_rsa.pub file in ~/.ssh. The public file (id_rsa.pub) needs to be uploaded to “target”. This can be done using scp.

scp ~/.ssh/id_rsa.pub admin@target:/Users/admin

The “admin@target:/Users/admin” portion will obviously need to be changed to match your remote machine. Put your “admin” username before the at symbol, then an IP address or hostname for your “target” machine, and after the colon the path where the file should go. You can put the file anywhere you want; I just tend to dump it in the “admin” user’s home folder.

So, if you want to dump the id_rsa.pub file in “superuser’s” home folder on a machine accessible via client1.domain.co.uk you’d enter

scp ~/.ssh/id_rsa.pub superuser@client1.domain.co.uk:/Users/superuser

You need to have SSH enabled for scp to work! You’ll be asked for your SSH password once you try to transfer the file.

Now that the file’s uploaded we’ll SSH in using the existing SSH password, not the one we used to generate our id_rsa files. Once connected we append the public key information to ~/.ssh/authorized_keys and change permissions to make everything slightly more secure.

mkdir -p ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Now we have the contents of our id_rsa.pub file appended to the ~/.ssh/authorized_keys file. We’ve also changed permissions so only our “admin” user has any sort of access to ~/.ssh.

Now we can disconnect from “target” and test our public key connection using

ssh -o PreferredAuthentications=publickey target

OS X will notice that we need to supply a password here, which is the passphrase we used to generate our id_rsa files. This can be saved into our Keychain so we never need to type it again!

If everything has worked as expected we’ll be connected to our “target” machine and any ssh connections from now on will be passwordless.

I’ve added an alias in my ~/.bash_profile so I can ssh without all of the required arguments. The alias I use is below.

alias targetssh='ssh -o PreferredAuthentications=publickey target'
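The target-side steps above can be made repeatable. The function below is an added example, not the author's script: it appends the key only if it is not already present, refuses a private key uploaded by mistake, and tightens permissions even when ~/.ssh already existed. The names install_pubkey and mode_of are assumptions.

```sh
#!/bin/sh
# Added example (not the author's script): run on "target" after the scp step.
# install_pubkey and mode_of are hypothetical helper names.

# install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    pub=$1
    dir=${2:-$HOME}/.ssh
    auth=$dir/authorized_keys

    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }
    # Catch the classic slip of uploading id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    key=$(cat "$pub")
    if [ -z "$key" ] || [ "$(printf '%s\n' "$key" | wc -l)" -ne 1 ]; then
        echo "expected exactly one key line in $pub" >&2
        return 1
    fi

    # umask 077 in a subshell: new files are never group/world readable.
    (
        umask 077
        mkdir -p "$dir" && touch "$auth" || exit 1
        # Append only if this exact line is not already authorised.
        grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    ) || return 1

    # Tighten pre-existing paths too; sshd's StrictModes check rejects
    # key files that other users could write to.
    chmod 700 "$dir" && chmod 600 "$auth"
}

# Symbolic mode of a path, e.g. "drwx------" (avoids GNU/BSD stat differences).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage on "target":  install_pubkey ~/id_rsa.pub && rm ~/id_rsa.pub
```

Running it twice with the same key leaves a single line in authorized_keys, so it is safe to re-run across a batch of client machines.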

SSH Remote Desktop Selection

Apple Remote Desktop is an invaluable tool in the Mac sysadmin world, providing functionality above and beyond the likes of VNC. There are, however, a few things that we can’t do. For a lot of really geeky work we need an interactive shell via SSH. The problem is ARD only provides a simple Send UNIX command utility that pales in comparison to a fully functional SSH connection.

I made an AppleScript for a colleague of mine who wanted to be able to SSH a selection of machines in ARD. It’s not too smart as it doesn’t pull usernames or passwords from anywhere but it does speed up opening a connection to a target machine.

tell application "Remote Desktop"
  -- Ask for the username to connect as
  set the_result to display dialog ¬
    "Username: " default answer ¬
    "systsupp" with icon 1 ¬
    buttons {"Cancel", "Connect"} ¬
    default button "Connect"

  set button_pressed to button returned of the_result
  set text_typed to text returned of the_result

  -- With no username, ssh falls back to the local account name
  if (count of text_typed) > 0 then
    set ssh_command to "ssh " & text_typed & "@"
  else
    set ssh_command to "ssh "
  end if

  -- Open one Terminal session per machine selected in ARD
  if button_pressed is "Connect" then
    set sel to selection
    repeat with i from 1 to length of sel
      set this_ip to Internet address of item i of sel
      tell application "Terminal"
        activate
        do script ssh_command & this_ip
      end tell
    end repeat
  end if
end tell

If you really want to speed things up you can set up a private/public OpenSSH key to enable password-less connections to your target machines. Of course, if you have multiple usernames this script becomes a little bit less useful!

I’ve written a quick how-to on setting up private/public OpenSSH keys to enable passwordless SSH connections in my OpenSSH Keys post.

Password Generation

There are lots of ways of generating passwords. We can use dashboard widgets, desktop applications or even websites. I’ve recommended GRC’s password generator in the past (https://www.grc.com/passwords.htm) as it’s quick and easy.

The password below is random. Try refreshing the page!

{V7J2v+p1s#q;f.Q2X/E;v;C,E1k]P|Y;j;B0P.Z

I tend to use Apple’s password generator, which can be found in the change password sheet available through the Accounts preference pane.

When I don’t have access to the GUI though I revert to a few simple scripts, which I’ve included below.

The first uses the OpenSSL library included with Ruby. It asks for a string to push through an AES encryption algorithm and will print both the encrypted string and a decrypted string.

#!/usr/bin/env ruby -wdK

require "digest/sha1"
require "openssl"
require "base64"

if ARGV.empty?
  puts "Usage: #{File.basename($PROGRAM_NAME)} input_string"
  exit
end

# No IV is set, so the output is deterministic for a given input and salt.
def encrypt(plaintext, salt = "%jha&%£Hkjhae5hH£5k£$HKJF7@EEE")
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.encrypt
  # AES-256 takes a 32-byte key; the SHA1 hex digest is 40 characters, so keep
  # the first 32 (current Ruby raises ArgumentError on a longer key).
  aes.key = Digest::SHA1.hexdigest(salt)[0, 32]

  out = aes.update(plaintext)
  out << aes.final
  Base64.encode64(out)
end

def decrypt(ciphertext, salt = "%jha&%£Hkjhae5hH£5k£$HKJF7@EEE")
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.decrypt
  aes.key = Digest::SHA1.hexdigest(salt)[0, 32]

  out = aes.update(Base64.decode64(ciphertext))
  out << aes.final
  out
end

enc = encrypt(ARGV[0].downcase)

puts "Input String: #{ARGV[0].downcase}"
puts "Encrypted: #{enc}", "Decrypted: #{decrypt(enc)}"

In theory the key generation that uses SHA1 and salt to create our key is unnecessary. We could use the same key every time or generate a key using a user-specified variable from the command line or a simple hashing algorithm based on our input string.

Accessing the script from the command line yields the following:

$ ruby keygen.rb 'OurStringToEncrypt'
Input String: ourstringtoencrypt
Encrypted: jljJEY+vLtNzIPNMg0iIVviONKURdX6/7uIxE4P2dpw=
Decrypted: ourstringtoencrypt

An alternate script is a really simple SHA1 hash that generates a fixed-length hash of hexadecimal characters. Not the most secure password but it’s quick and easy.

An example of what this yields is below.

ruby simple_hash.rb 'A Simple String'
02e48eed167d25f5f13355cbafb758eccebba439

Finally there’s a PHP script I used to generate the password printed at the top of this post. It’s really quite simple and limits users to a 500 character maximum length. The source is below.

<?php
function generatePassword($length) {
	// The query-string value arrives as a string; treat it as an integer.
	$length = (int) $length;
	if ($length > 500) {
		header("Location: http://code.theonlyjames.com/password.php?length=500");
		exit;
	}

	$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
	$special = '0123456789@#$%-_.,:;!+|[]{}()/\\';

	$password = '';
	// Alternate between the two sets, starting with a randomly chosen one.
	// random_int() (PHP 7+) draws from the system CSPRNG; rand() and time() are predictable.
	$alt = random_int(0, 1);
	for ($i = 0; $i < $length; $i++) {
		if ($alt == 1) {
			$password .= $chars[random_int(0, strlen($chars) - 1)];
			$alt = 0;
		} else {
			$password .= $special[random_int(0, strlen($special) - 1)];
			$alt = 1;
		}
	}
	return $password;
}

header("Content-type: text/plain");
echo generatePassword(isset($_GET['length']) ? $_GET['length'] : 40);
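For the no-GUI case, a shell equivalent as an added example (not one of the author's scripts): it reads from /dev/urandom and keeps the PHP script's characters, 40-character default and 500-character cap, but samples uniformly from the combined set instead of alternating between the two. The gen_password name and PW_ALPHABET variable are assumptions.

```sh
#!/bin/sh
# Added example (not the author's script): password generator backed by
# the kernel CSPRNG. gen_password and PW_ALPHABET are hypothetical names.

# Letters, digits and the specials from the PHP script, in tr(1) syntax
# ("\\" is a literal backslash, the trailing "-" a literal hyphen).
PW_ALPHABET='a-zA-Z0-9@#$%_.,:;!+|[]{}()/\\-'

# gen_password [LENGTH]   (default 40, capped at 500)
gen_password() {
    n=${1:-40}
    # Accept only a positive decimal integer without leading zeros.
    case $n in
        ''|0*|*[!0-9]*)
            echo "length must be a positive integer" >&2
            return 1 ;;
    esac
    # Cap at 500; the digit-count test avoids integer overflow in [ ].
    [ "${#n}" -le 3 ] && [ "$n" -le 500 ] || n=500

    pool=
    # tr -dc drops every byte outside the alphabet, so each surviving
    # character is uniform over the set (rejection sampling, no modulo bias).
    # Roughly a third of random bytes survive, hence the loop.
    while [ "${#pool}" -lt "$n" ]; do
        chunk=$(head -c $((n * 4)) /dev/urandom | LC_ALL=C tr -dc "$PW_ALPHABET")
        pool=$pool$chunk
    done
    printf "%.${n}s\n" "$pool"
}

# Usage:  gen_password        # 40 characters
#         gen_password 64
```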

Oscar the Grouch

Oscar the Grouch - Originally uploaded by jamesconroyfinn

Approaching the grouch when he’s sifting through his possessions can be a troubling experience. Hands off you thieving bastards!

Terminal, colour and Ruby

I use Ruby for system administration tasks all the time and find a little colour always helps to highlight certain information. The only problem is I’ll forget which colour is represented by which number. The Ruby script below prints out a nice box of all foreground and background colours. I’ve uploaded a screenshot of the output below so you can see how it looks.

Ruby colour box

#!/usr/bin/env ruby -wdK

esc = "\033["
fgs = (30..37).to_a
bgs = (40..47).to_a
box_width = 4 + 4 * bgs.length

puts "", "Ruby colour box".center(box_width), ""

# Header row: the background colour codes
print " "*4

bgs.each do |bg|
  print " #{bg} "
end

print "\n"

# One row per foreground colour, one cell per background colour
fgs.each do |fg|
  print " #{fg} "
  bgs.each do |bg|
    print "#{esc}#{fg};#{bg}m #{fg} #{esc}0m"
  end
  print "\n"
end

puts "", "http://www.jamesconroyfinn.com".center(box_width), ""

There are a couple of nice Ruby features used in this script, like defining an array using a range.

fgs = (30..37).to_a

And padding a string to center align it:

"http://www.jamesconroyfinn.com".center(box_width)