[117658 views]

[]

[toggle ads]

Odi's astoundingly incomplete notes

New Entries

What the TLS private key is for really

People think that the private key of the server certificate protects the content of TLS messages. And so if someone obtains the private key they can decrypt a TLS connection. Well, not quite.

These days the private key is primarily used for authentication. So the server can prove that it is what its certificate claims it is. If a server presents a certificate for odi.ch then it needs the matching private key to prove that claim to clients. So losing the server key always enables identity theft and thus man-in-the-middle attacks.

The content of a TLS connection is encrypted using a session key (using a symmetrical algorithm like AES).

If that session key is exchanged using an insecure key exchange protocol then it is true: we can recover it. The original key exchange protocols did that. The client creates a pre-master secret and encrypts it with the server's public key, so it can be obtained with the server's private key. That pre-master secret is the basis for the session key.

If the session key is exchanged using a secure key agreement protocol (Diffie-Hellman) then we can not recover it. A secure key agreement protocol is able to produce a shared secret in plain sight without any encryption of the agreement protocol itself. It does not in any way depend on private key of either party.

posted on 2016-10-07 11:45 CEST in Code | 0 comments | permalink

Making ntp-client (ntpdate) work in Gentoo

tl;dr:
/etc/dhcpcd.conf:
waitip 4
dhcpcd will background already after configuring an IPv6 address on the interface. Which may be seconds before you get an IPv4 lease and DNS information from the DHCP server. The ntp-client init script may therefore run before we have a valid /etc/resolv.conf and will fail due to name resolution not working.
Tell dhcpcd to background only after we haven an IPv4 address, which is like the whole point of DHCP these days. I don't consider the network "up" with IPv6 only.

It's particularly a problem when you get IPv6 router advertisements. Like in qemu VMs with user networking.

Look at the following log, where you see it backgrounding 3 seconds before the lease:
Oct  4 14:35:25 localhost dhcpcd[3356]: eth0: adding address fe80::59c1:f175:aeb3:433
Oct  4 14:35:25 localhost dhcpcd[3356]: DUID 00:01:00:01:1a:7a:85:31:52:54:00:12:34:56
Oct  4 14:35:25 localhost dhcpcd[3356]: eth0: IAID 00:12:34:56
Oct  4 14:35:25 localhost dhcpcd[3356]: eth0: rebinding lease of 10.0.2.15
Oct  4 14:35:25 localhost dhcpcd[3356]: eth0: probing address 10.0.2.15/24
Oct  4 14:35:26 localhost dhcpcd[3356]: eth0: soliciting an IPv6 router
Oct  4 14:35:26 localhost dhcpcd[3356]: eth0: Router Advertisement from fe80::2
Oct  4 14:35:26 localhost dhcpcd[3356]: eth0: adding address fec0::4f23:8633:1bba:42f5/64
Oct  4 14:35:26 localhost dhcpcd[3356]: eth0: adding route to fec0::/64
Oct  4 14:35:26 localhost dhcpcd[3356]: eth0: adding default route via fe80::2
Oct  4 14:35:28 localhost dhcpcd[3356]: forked to background, child pid 3384
Oct  4 14:35:31 localhost dhcpcd[3384]: eth0: leased 10.0.2.15 for 86400 seconds
Oct  4 14:35:31 localhost dhcpcd[3384]: eth0: adding route to 10.0.2.0/24
Oct  4 14:35:31 localhost dhcpcd[3384]: eth0: adding default route via 10.0.2.2


posted on 2016-10-04 13:15 CEST in Code | 0 comments | permalink

another broken sudo

$ sudo -l
[sudo] password for xxx: 
Matching Defaults entries for xxx on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin,
    logfile=/var/log/sudolog

User xxx may run the following commands on this host:
    (ALL) ALL, (ALL) /usr/bin/passwd [a-zA-Z0-9_-]*, !/usr/bin/passwd root, (ALL) !/sbin/su*, !/bin/su, !/bin/bash root,
    !/bin/sh root, (ALL) !/usr/sbin/visudo, (ALL) !sudoedit /etc/sudoers, (ALL) !/usr/bin/* /etc/sudoers, !/bin/*
    /etc/sudoers, /opt/* /etc/sudoers, (ALL) !/usr/bin/* /etc/shadow, !/bin/* /etc/shadow, !/opt/* /etc/shadow
$ sudo bash
# whoami
root
Look how they wanted to restrict executing bash. And look how they wanted to restrict access to sudoers. All that AFTER giving me ALL(ALL). Again, sudo is a complete failure.

It's always a really stupid idea to first hand out permission to everything and then trying to backpedal and go all like: uh oh... but not that... and this... and not that either... and... ah clever me... You are not going to find all possibilities. Ever.

posted on 2016-09-28 16:00 CEST in Code | 0 comments | permalink

Oracle hangs on login of one user

I just troubleshooted the strangest Oracle issue. Logon with a certain user simply hangs and eventually returns with ORA-03135. In v$session you can see many sessions waiting on library cache lock. Their current sql statement is a select from sysauth$.

DBA and Oracle consultants were unable to find the problem.

Until I noticed that the password in my datasource was simply wrong. The application tried to open many connections at the same time (to populate its pool). Probably it's a deadlock in Oracle's Auditing for failed logons.

posted on 2016-06-28 10:59 CEST in Code | 0 comments | permalink

findutils atime, mtime, ctime have "interesting" semantics

How not to design a user interface:
       -atime n
              File  was  last accessed n*24 hours ago.  When find figures out how many 24-hour periods ago the file was last accessed, any fractional part is ignored, so to match -atime +1, a file has to have been accessed at least two days ago.


Even tough you say -atime +1, it actually behaves like "atime + 2 days >= now". It's not intuitive. It encourages people of shooting themselves in the foot.

posted on 2016-06-13 15:17 CEST in Code | 0 comments | permalink

Time to switch your Gentoo to Plasma-5

Gentoo has already announced that you should switch from KDE-4 to Plasma-5. Now is a good time to do that. Since yesterday KDE Apps 15.12.3 are marked stable on the amd64 architecture. That means you can upgrade now without adding tons of entries to /etc/portage/package.keywords.

To avoid confusion, please note that there is no KDE-5. There is only the Plasma-5 desktop on which KDE apps can run. Plasma is not KDE. KDE-4 apps will still work on Plasma-5. But most newer versions of KDE apps already support Plasma-5, so you get a consistent look-and-feel.

It's actually very nice once you stop this dreadful thing which happens to be baloo.

posted on 2016-05-26 10:23 CEST in Code | 0 comments | permalink

Grey background in Firefox 46

Firefox 46 has enabled GTK3 support on Linux. This affects the default background color of web pages that don't specify it. To resolve it, put a custom CSS into your profile folder.

~.mozilla/firefox/*.default/chrome/userContent.css:
body {
 background-color: white;
}
GTK3 also affects scrollbar behaviour and the size of form elements.

posted on 2016-04-28 12:37 CEST in Code | 0 comments | permalink

in software: old != stable

We have now all learned that Debian ships a horribly outdated xscreensaver. We have seen similar things in SuSE, so it's not just Debian. And we have also heard that the package maintainers rather paper over that fact instead of shipping a current version.

Debian has that concept where they bless some random version of a software as "stable". Everything else is automatically declared "unstable". Stable for them means: the package maintainers backport some patches they deem "important" to that old version.

Where does that paradigm come from?

From the last century. No, really! There was a point in software history where available system memory became large. So software started becoming larger, simply because you could do more stuff. At the same time the development environments and development processes lacked badly behind that evolution. Can you remember Pair Programming, eXtreme Programming? People were either using Visual C++ 3, or vi to write code. Some even Notepad. There was no infrastructure like static code analysis, continuous integration, basically no unit tests, no coverage analysis. The most you could get was syntax highlighting and CVS.

It was also the time of dial-up Internet, static web pages, no mobile phones, POP accounts, news on paper. No forums. Just mailing lists with no easy way to search. You were basically alone with an old book on the C language.

That basically meant, ever growing code bases became a mine field. It was unmaintainable. It started bitrotting everywhere. Litte changes here and there could easily break code in interesting places.

It was the time of Never Touch a Running System. It was the time of everybody being scared of updates. Change freezes over new years'. Extensive testing before some little change could make it into production. Literally months from writing code to deploying it into production! Then if something want wrong, exceptions to that rule to bring a dearly needed fix in quickly.

Fast-forward to today

We have so much infrastructure that crunches the hundreds of thousands of lines of code without us even looking, that points out when something breaks. We have found ways to manage stunning amounts of code without getting lost. We have continuous integration with solid code coverage.

Huge projects have finally become maintainable. Also structure intrinsic to a language like the package concept of Java, or namespaces in C# help enourmously with organizing large code bases so that you can find your way around. Garbage collection eliminates the need to think too much about memory allocation, which would otherwise be real PITA and a source of many problems in a large system.

This change also leads to greatly increased development speed. The amount of changes that go into projects each day has exploded in the last decade. If you look into a project like OpenStack, the sheer amount of concentrated development power is simply mind boggling.

Current is the new stable

Today bugs are fixed quickly. Often it takes mere minutes after a bug report until the bug is fixed in the code. And mere hours or days until it goes into production.

We have finally come to the conclusion that life is a lot easier if you can get changes into prod as fast as you can, instead of waiting for months. That's the complete opposite of the old paradigm. Yes, that will release bugs into production sometimes. But this way they also get noticed very quickly, and can be fixed speedily. No big deal. Everybody is happy. How many updates of your apps on your smart phone do you get per day? Notice something? Online services like Facebook or Netflix simply don't have maintenance windows. They are permanently online every single millisecond. They release new versions of code several times a day. Nobody even notices.

By the way
, have you noticed how people seem to be so much happier about a fixed bug than about a completely new feature? New feature means they need to adapt and learn something new. Fixed bug means they can finally do what they meant to do.

Suddenly those package maintainers find themselves in a situation where they need to decide which patch of possibly hundreds each day to backport. And they face a large code base that they are very unlikely to understand as they are not developers of that software. So how can they actually do this job? Short answer: they generally can't. There are also numerous examples of when package maintainers failed. They thought they could just "fix" something in OpenSSL better than the developers. Surprise, turns out it was a security disaster.

When software dies

Also software is not maintained forever. Sometimes development simply stalls. Because everybody left the project and had children. Or one of various other reasons. That's the time when also users of that software need to find something else. They will need to stop using it. Software is not alone. It runs embedded in a soup of other software. Sooner or later it will become incompatible with the rest of that soup and actually stop working anyway. Or security issues that were found pile up and make this piece of software a dangerous item.

Obviously that concept of keeping an old version forever is not useful anymore. It needs to be replaced. Some Linux distributions like Gentoo have long adopted a rolling release model with no major releases. This fits the new paradigm perfectly. It allows following upstream releases very closely.

Of course simply adopting a rolling release model is no guarantee for uptodate packages either. Also Gentoo has stable/unstable branches (keywords), which means whether integration of the package within the soup is considered complete. Gentoo took 6 years to deem Apache 2.4 "stable".

Who doesn't move dies

All the above has interesting consequences if software is never updated. Such as in embedded systems. Such systems become dangerous items with time and must be disposed of.
Also it is insufficient to update only certain packages of a system. Systems must keep current on all packages. For instance only updating apps and keeping an outdated kernel is therefore unsafe.
This has also immediate effects on backward compatibility. It should allow the kernel to break user space from time to time by introducing an incompatible change. Of course this would trigger a cascade of updates to user space. But in a rolling release model this should be a supported scenario. Either adapt to the change or become obsolete!

posted on 2016-04-14 10:18 CEST in Code | 0 comments | permalink

KDE clear baloo db

KDE Plasma 5 has this nice launcher that lets you simply start typing and will display search results. Unfortunately they are completely useless. Because they come from Baloo.

The first thing Baloo does is read your whole freaking hard drive and create a full text index from it. Well thanks. I never asked for that. Guess how long that takes for today's disk sizes. And guess how interesting results are from tons of Java API Doc that happens to be installed somewhere deep in a forgotten corner of the file system.

Well, you think, let's just clear the index and let it only index what seems to be useful. Then to your surprise the settings dialog provides no such controls to clear the index. There is a CLI tool called balooctl that even has a clear command. But that seems to accept only individual full path names. And is basically undocumented. Well thanks again for that.

Using strace I was able to find where baloo stores its index: ~/.local/share/baloo. Simply nuke this unfortunate thing out of existance.

See also the checkbox 'Expand search to bookmarks, files and emails' in Application Laucher Settings.

posted on 2016-04-13 21:55 CEST in Code | 0 comments | permalink

Ancient Apache Version on SuSE EL 11

How can it be that such a modern Linux distribution ships such an outdated Apache version?!? Apache 2.4 is availably since 4 years. Are they crazy?
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3

# httpd2 -V | grep version
Server version: Apache/2.2.12 (Linux/SUSE)
If they have applied additional patches, then that is totally unclear from the version number.

Consequence? Customer's brave admin compiles Apache 2.4 manually. Of course he will then walk away and forget about that box that's completely exposed to the Internet. Very bright idea.

posted on 2016-04-05 10:07 CEST in Code | 0 comments | permalink