Kushal Das

FOSS and life. Kushal Das talks here.

kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion

Do not limit yourself

This post is all about my personal experience in life. The random things I am going to write in this post, I’ve talked about in many 1x1 talks or chats. But, as many people asked for my view, or suggestions on the related topics, I feel I can just write all them down in one single place. If you already get the feeling that this post will be a boring one, please feel free to skip. There is no tl;dr version of it from me.

Why the title?

To explain the title of the post, I will go back a few years in my life. I grew up in a coal mine area of West Bengal, studied in the village’s Bengali medium school. During school days, I was very much interested in learning about Science, and kept doing random experiments in real life to learn things. They were fun. And I learned life lessons from those. Most of my friends, school teachers or folks I knew, kept telling me that those experiments were impossible, or they were beyond my reach. I was never a class topper, but once upon a time I wanted to participate in a science exam, but the school teacher in charge told me that I was not good enough for it. After I kept asking for hours, he finally said he will allow me, but I will have to get the fees within the next hour. Both of my parents were working, so no chance of getting any money from them at that moment. An uncle who used to run one of the local book stores then lent me the money so that I could pay the fees. The amount was very small, but the teacher knew that I didn’t get any pocket money. So, asking for even that much money within an hour was a difficult task. I didn’t get a high score in that examination, but I really enjoyed the process of going to a school far away and taking the exam (I generally don’t like taking written exams).

College days

During college days I spent most of my time in front of my computer at the hostel, or in the college computer labs. People kept laughing at me for the same: batchmates, juniors, seniors, or sometimes even professors. But, at the same time I found a few seniors, friends and professors who kept encouraging whatever I did. The number of people laughing at me was always higher. Because of the experience during school days, I managed to ignore those.

Coming to the recent years

The trend continued throughout my working life. There were always more people who kept laughing at everything I do. They kept telling me that the things I try to do do not have any value and are beyond my limit. I don’t see myself as one of those bright developers I meet out in the world. I kept trying to do things I love, tried to help the community whichever way possible. Whatever I know, I learned because someone else took time to teach me, took time to explain it to me. Now, I keep hearing similar stories from many young contributors, my friends, from India. Many times I saw how people kept laughing at my friends in the same way they do at me. They kept telling my friends that the things they are trying to achieve are beyond their limit. I somehow managed to meet many positive forces in my life, and I keep meeting new ones. This helped me to put in my mind that we generally bind ourselves with some artificial limits. Most of the folks laughing at us never tried anything in life. It is okay if we cannot write or speak perfect English like them; English is not our primary language anyway. We can communicate as required. The community out there welcomes everyone as they are. We don’t have to invent the next best programming language, or be the super rich startup person to have good friends in life. One can always push at a personal level to learn new things, to do things which make sense to each of us. That may be totally crazy in other people’s lives. But, it is okay to try things as you like. Once upon a time, during a 1x1 with my then manager (and lifelong mentor) Sankarshan Mukhopadhyay, he told me something which has stayed with me very strongly to this day. We were talking about things I can do, or rather try to do. Taking the example of one of my good friends from Red Hat, he explained to me that I may think that my level is nowhere near this friend’s. But, if I try to learn and do things like him, I may reach 70% of his level, or 5% or 50%. Who knows unless I try doing those new things. While talking about hiring for the team, he also told me that we should always try to get people who are better than us; that way, we will always be in a position to learn from each other. I guess those words together changed many things in my life. The world is too large, and we all can do things in our life at a certain level. But, what we can do depends on where we draw those non-existing limits in our lives.

The Python community is one such example, when I went to PyCon US for the first time in 2013, the community welcomed me the way I am. Even though almost no one knew me, I never felt that while meeting and talking to my life time heroes. Funny that in the same conference, a certain senior person from India tried to explain that I should start behaving like a senior software engineer. I should stand in the corner with all the world’s ego, and do not talk to everyone the way I do. Later in life, the same person tried to convince me that I should stop doing anything related to community as that will not help me to make any money.

Sorry, but they are wrong on that point. I never saw any of my favorite human beings doing that. No matter how senior people are, age or experience wise, they always listen to others and talk nicely with everyone. Money is not everything in life. I kept jumping around in PyCon every year, kept clicking photos or talking with complete strangers about their favorite subjects. Those little conversations later became much stronger bonds; I made new friends whom I generally meet only once a year. But, the community is still welcoming. No one cared to judge me based on how much money I make. We tried to follow the same in dgplug. The IRC channel #dgplug on Freenode is always filled with folks from all across the world. Some are very experienced contributors, some are just starting. But, it is a friendly place, and we try to help each other. The motto of Learn yourself, teach others is still very strong among us. We try to break any such stupid limits others try to force on our lives. We dream, we enjoy talking about that book someone just finished. We discuss our favorite food. I will end this post saying one thing again. Do not bind yourself with non-existing limits. Always remember, What a great teacher, failure is (I hope I quoted Master Yoda properly). Not everything we try in life will be a super successful thing, but we can always try to learn from those incidents. You don’t have to bow down in front of anyone; you can do things you love in your life without asking for others’ permission.

Using split ssh in QubesOS 4.0

The idea behind Qubes OS is known as security by compartmentalization. You create different Qubes (VMs or domains) to compartmentalize your digital data, so that even if one of the VMs is compromised, the attacker will not be able to access data stored in the other VMs.

If we look into a typical GNU/Linux user’s daily routine, ssh is an everyday tool. We log in to various systems, or access files over ssh. But, if you keep the ssh keys in the same VM where you are also running the browser, there is a chance that someone will try to access the key files by attacking through the browser. Yesterday we all read many things which can be done by attacking through the browsers (Yay! SECURITY!!!).

In this tutorial, we will learn about split-ssh and how we can keep the actual ssh keys safe in QubesOS. At the time of writing this article (2018-01-05), the commit in the master branch is 1b1786f5bac9d06af704b5fb3dd2c59f988767cb.

Modify the template VM

Because we will be adding things to the /etc directory of our VMs, we will have to do this in the template VM: in the normal VMs the /etc directory is a fresh copy from the template every time we restart the VM, so changes made there do not persist. I modified fedora-26 as that is my default template.

First, add the following code in the /etc/qubes-rpc/qubes.SshAgent file in the template VM and then shut it down.

#!/bin/sh
notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
ncat -U $SSH_AUTH_SOCK

Creating the actual ssh-vault VM

The next task is to create a new VM; I named it ssh-vault. The name is important to remember as the code/configuration below will access the ssh keys based on the vault VM name. You can have as many ssh vaults as you want. Remember to open the configuration after creation and set the networking to None.

Start the vault VM and either create a new ssh key pair or copy your existing key in there. Remember to use the qvm-copy command to copy the files, as no network is available in the vault.

[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application

Then add the above content to the ~/.config/autostart/ssh-add.desktop file. You may have to create the autostart directory.

$ mkdir -p ~/.config/autostart
$ vim ~/.config/autostart/ssh-add.desktop

Configuring the client VM

The client VM is the VM in which you use the ssh key. Add the following to the /rw/config/rc.local file, and then make the file executable. Remember to use sudo for both steps.

SSH_VAULT_VM="ssh-vault"

if [ "$SSH_VAULT_VM" != "" ]; then
	export SSH_SOCK=/home/user/.SSH_AGENT_$SSH_VAULT_VM
	rm -f "$SSH_SOCK"
	sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '$SSH_SOCK' -c 'qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent' &"
fi

If you look carefully at the shell script above, you will find we are setting the vault VM name using a variable called SSH_VAULT_VM. Change this name to whatever VM you want to use as the vault.

$ sudo vim /rw/config/rc.local
$ sudo chmod +x /rw/config/rc.local

Next, we will add the following to the ~/.bashrc file, so that ssh can find the right socket file.

# Set next line to the ssh key vault you want to use
SSH_VAULT_VM="ssh-vault"

if [ "$SSH_VAULT_VM" != "" ]; then
	export SSH_AUTH_SOCK=~user/.SSH_AGENT_$SSH_VAULT_VM
fi

Then I restarted the vault and client VMs. Because my ssh key also has a passphrase, I entered that using ssh-add command in the ssh-vault VM.

Configuring the policy in dom0

In QubesOS you will have to define a policy in dom0; based on that policy the VMs can talk to each other (using Qubes OS’ internal qrexec mechanism). In my case I want only the emails VM to be able to ask for access to the ssh keys. So, I added the following in the /etc/qubes-rpc/policy/qubes.SshAgent file.

emails ssh-vault ask

The above policy rule says that when the emails VM tries to contact ssh-vault VM, it has to ask for permission to do so from the user.
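As an added example (not code from the original post or from Qubes OS), the following Python script parses a policy file in this 4.0 "source destination action" format and reports which source qubes end up with ask or allow access to a vault, applying the same top-to-bottom first-match order that dom0 uses. It handles exact qube names and the $anyvm wildcard only; the sample policy lines are constructed.

```python
"""Audit a Qubes 4.0 qrexec policy file such as qubes.SshAgent.

Added example, not code from the original post or from Qubes OS.
Format assumed (matching the post): "source destination action[,options]",
one rule per line, "#" comments, evaluated top to bottom with the first
match winning. Only exact qube names and the $anyvm wildcard are handled.
"""

ANYVM = "$anyvm"
VERBS = ("allow", "deny", "ask")

# Constructed sample policy for this example (not a real dom0 file).
SAMPLE_POLICY = """\
# /etc/qubes-rpc/policy/qubes.SshAgent (constructed)
emails     ssh-vault  ask
work       ssh-vault  allow,user=user
untrusted  ssh-vault  deny
$anyvm     $anyvm     deny
work       ssh-vault  allow
"""


def parse_policy(text):
    """Return a list of (source, destination, verb, options) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {raw!r}")
        src, dst, action = parts
        verb, _, options = action.partition(",")
        if verb not in VERBS:
            raise ValueError(f"line {lineno}: unknown action {verb!r}")
        rules.append((src, dst, verb, options))
    return rules


def decision_for(rules, source, destination):
    """The first matching rule decides; no match is treated as deny."""
    for src, dst, verb, _ in rules:
        if src in (source, ANYVM) and dst in (destination, ANYVM):
            return verb
    return "deny"


def sources_with_access(rules, destination):
    """Map each qube named as a source in the policy to its effective verb
    for `destination`, keeping only those that are not denied."""
    candidates = []
    for src, _, _, _ in rules:
        if src != ANYVM and src not in candidates:
            candidates.append(src)
    result = {}
    for src in candidates:
        verb = decision_for(rules, src, destination)
        if verb != "deny":
            result[src] = verb
    return result


def unreachable_rules(rules):
    """0-based indexes of rules shadowed by an earlier rule that already
    matches everything they match, e.g. an allow after '$anyvm $anyvm deny'."""
    shadowed = []
    for i, (src, dst, _, _) in enumerate(rules):
        for psrc, pdst, _, _ in rules[:i]:
            if psrc in (src, ANYVM) and pdst in (dst, ANYVM):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("access to ssh-vault:", sources_with_access(rules, "ssh-vault"))
    print("shadowed rule indexes:", unreachable_rules(rules))
```

Running it on the constructed policy shows that only emails (ask) and work (allow) can reach ssh-vault, and that the last "work ssh-vault allow" line is dead because the earlier rule for the same pair already decides. Pointing parse_policy at the real /etc/qubes-rpc/policy/qubes.SshAgent in dom0 gives the same report for your own setup.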

Using ssh (finally!)

At this moment you can safely start the client VM, and try to ssh into anywhere. It will open up an authentication dialog, you will have to select and click on Okay button to give access to the ssh keys. You will also see a notification in the top notification area.

There is an active IRC channel #qubes on the Freenode server. Join there and ask any doubts you have.

Using diceware to generate passwords

Choosing a new password is always an interesting topic. When I started using computers for the first time, my idea was to find some useful words which I could remember, maybe 2-3 of those words together. With time I found that websites have different requirements when it comes to choosing a new password. But, in the last few years we also saw many examples where brute forcing a password is a rather simple thing. Modern powerful computers enable anyone to find the right combination of characters in a decent time frame.

What is a diceware password?

Diceware passwords are normal passwords (a few words together) generated from a list of words by either rolling dice or by computer. You can read more on the original Diceware website.

Using diceware project to generate your passphrases

If you notice, I have written passphrase instead of password. This is because passphrases are not only easier to remember than a complex password, but they also provide better security against brute force attacks. The following comic from XKCD explains it better than any words.

Installing diceware

diceware is a very simple command line tool written in Python. It can help you to choose a diceware passphrase easily. It was already packaged for Debian; last week I packaged it for Fedora (thank you Parag for the review). Yesterday night it was pushed to stable. So, now you can install it using dnf.

$ sudo dnf install diceware

Using diceware

$ diceware
MotorBolsterFountainThrowerPorridgeBattered

By default it creates passphrases with 6 words in them, but you can increase that by using the -n command line argument. You should use at least 7 words in your passphrase. Read the story from Micah Lee to understand how this increases the strength of your passphrases manyfold.

The man page of the diceware has more details about usage.
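To show what "rolling dice against a word list" means in code, here is an added example (not code from the original post or from the diceware project). It parses the Diceware list format ("<dice roll><tab><word>"), draws rolls from Python's secrets module (a CSPRNG) instead of the random module, and computes the entropy and an expected brute-force time for 6 versus 7 words. The embedded two-dice word list of 36 entries is constructed so the example runs offline; a real list has five dice and 6**5 = 7776 words, which is what the entropy figures use. The guess rate is an assumed round figure.

```python
"""Diceware-style passphrase generation and strength estimate.

Added example, not code from the original post or from the diceware
project. It reads the Diceware list format "<dice roll><tab><word>" and
uses Python's secrets module (a CSPRNG) for the rolls.
"""
import math
import secrets

SIDES = 6

# Constructed two-dice list (36 words, rolls "11".."66") so the example is
# self-contained; a real Diceware list has five dice and 6**5 = 7776 words.
_SAMPLE_WORDS = ("able acid aged also area army away baby back ball band bank "
                 "base bath bear beat been beer bell belt best bird blow blue "
                 "boat body bomb bond bone book boom born boss both bowl bulk").split()
SAMPLE_LIST = "\n".join(
    f"{a}{b}\t{word}"
    for (a, b), word in zip(((a, b) for a in range(1, 7) for b in range(1, 7)),
                            _SAMPLE_WORDS)
)


def parse_wordlist(text):
    """Parse Diceware lines into {roll: word}; rejects non-dice digits."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split(None, 1)
        if any(ch not in "123456" for ch in roll):
            raise ValueError(f"bad dice roll {roll!r}")
        table[roll] = word.strip()
    return table


def dice_per_word(table):
    """Dice count n, after checking the list is complete (6**n distinct rolls)."""
    n = len(next(iter(table)))
    if any(len(roll) != n for roll in table) or len(table) != SIDES ** n:
        raise ValueError("word list is incomplete or has mixed roll lengths")
    return n


def roll_dice(n):
    """n dice as a string like '31415'. secrets.randbelow is uniform and
    cryptographically strong; the random module is not suitable here."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(n))


def generate_passphrase(table, words=6, sep=" "):
    """Pick `words` entries by rolling dice against a complete table."""
    if words < 1:
        raise ValueError("need at least one word")
    n = dice_per_word(table)
    return sep.join(table[roll_dice(n)] for _ in range(words))


def entropy_bits(words, list_size=SIDES ** 5):
    """Entropy of a passphrase drawn uniformly from list_size**words options."""
    return words * math.log2(list_size)


def expected_years_to_guess(bits, guesses_per_second=1e12):
    """Expected time for an attacker who knows the list and tries half the
    space at the given rate (the rate is an assumed round figure)."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    print("sample passphrase (2-dice list):", generate_passphrase(table, 7))
    for n in (6, 7):
        bits = entropy_bits(n)
        print(f"{n} words from 7776: {bits:.1f} bits, "
              f"~{expected_years_to_guess(bits):.0f} years at 1e12 guesses/s")
```

The point of the extra word is visible in the numbers: going from 6 to 7 words multiplies the search space by 7776, so the expected time to guess grows by the same factor, while the attacker is assumed to know the word list (the security comes only from the dice, never from secrecy of the list).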

Start using a password manager

Now is a good time to start using a password manager. Save all the passwords/passphrases in one place, and secure it with a super long passphrase which you can remember. This article from Martin Shelton has many examples. The members of the Fedora engineering team use a command line tool called pass, which uses gpg to encrypt the passwords.

Duplicate MAC address error in Qubes VMs

Just after I did the fresh install of Qubes 4.0rc3, I saw an error about sys-net (and sometimes the same for other VMs) having a duplicate MAC address for the NIC. I rebooted the system a few times, which solved the issue.

Start failed: invalid argument: network device with mac 00:16:3e:5e:6c:00 already exists

But, since last week I started getting the same error again and again. Even if I use the qvm-prefs command to change the MAC address, it still tries to boot using the old address; I could not find the reason behind it. I rebooted the laptop way too many times hoping the error would vanish, but to no avail.

At first I checked the file /var/lib/qubes/qubes.xml for the duplicate record of the MAC address, but I found the right value there (the new one I set using the qvm-prefs command).

So, the next step was to remove the whole sys-net. As I had forgotten that I cannot remove it until I remove all the dependencies on it, my qvm-remove sys-net command failed at first. I had to remove all dependencies using the Qubes Global Settings. Next, I removed the VM/domain and recreated it.

$ qvm-remove sys-net
$ sudo su -
# cd /srv/formulas/base/virtual-machines-formula/
# qubesctl top.enable qvm.sys-net
# qubesctl --targets sys-net state.highstate

I am yet to learn about Salt, I found a nice starting guide in the official Qubes documentation.

Share files securely using OnionShare

Sharing files securely is always an open discussion topic. Somehow security/privacy and usability stand on opposite sides. But, OnionShare managed to create a bridge between them. It is a tool written by Micah Lee which helps to share files of any size securely and anonymously using Tor.

In the rest of the post I will talk about how you can use this tool in your daily life.

How to install OnionShare?

OnionShare is a Python application and already packaged for most of the Linux distributions. If you are using Windows or Mac OS X, then visit the homepage of the application, and you can find the download links there.

On Fedora, you can just install it using dnf command.

sudo dnf install onionshare -y

For Ubuntu, use the ppa repository from Micah.

sudo add-apt-repository ppa:micahflee/ppa
sudo apt-get update
sudo apt-get install onionshare

How to use the tool?

When you start the tool, it will first try to connect to the Tor network. After a successful connection, it opens a window where you can select a number of files and then click on the Start sharing button. The tool will take some time to create a random onion URL, which you can then pass to the person who is going to download the files using the Tor Browser.

You can mark a share to stop after the first download (using the settings menu). Because the tool is using Tor, it can punch through standard NAT. This means you can share files directly from your laptop or home desktop, and the other person can still access the files using the Tor Browser.

Because of the nature of Tor, the whole connection is end-to-end encrypted. This also makes the sharer and the downloader anonymous, but you have to make sure that you share the download URL in a secure way (for example, you can share it using Signal). OnionShare also has a rate limit so that an attacker cannot make many attempts to guess the full download URL.

Qubes OS 4.0rc3 and latest UEFI systems

Last week I received a new laptop, which I am going to use as my primary workstation. The first step was to install Qubes OS 4.0rc3 on the system. It is a Thinkpad T470 with 32GB RAM and an SSD drive.

How to install Qubes on the latest UEFI systems?

A few weeks back, a patch was merged into the official Qubes documentation which explains in clear steps how to create a bootable USB drive on a Fedora system using livecd-tools. Please follow the guide and create a USB drive which will work on these latest machines. Simply using dd will not work.

First step after installing Qubes

I upgraded dom0 to the current testing packages using the first of the following commands.

$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
$ sudo qubes-dom0-update qubes-template-fedora-26

I also installed the Fedora 26 template on my system using the second command. One important point to remember is that Fedora 25 is going to be end of life today. So, better to use an updated version of the distribution :)

Another important thing happened in the last two weeks. I was in the Freedom of the Press Foundation office in San Francisco. This means I not only managed to meet my amazing team, I also met many of my personal heroes on this trip. I may write a separate blog post about that later. But for now I can say that I managed to sit near Micah Lee for 2 weeks and learn a ton about various things, including his Qubes workflow. The following two things were the first changes I made to my installation (with his guidance) to make things work properly.

How to modify the copy-paste between domains shortcuts?

Generally Ctrl+Shift+c and Ctrl+Shift+v are used to copy-paste securely between different domains. But, those are also the shortcuts to copy-paste from the terminal on all the systems. So, modifying them to a different key combination is very helpful for the muscle memory :)

Modify the following lines in the /etc/qubes/guid.conf file in dom0, I did a reboot after that to make sure that I am using this new key combination.

secure_copy_sequence = "Mod4-c";
secure_paste_sequence = "Mod4-v";

The above configuration changes the copy-paste shortcuts to Windows+c and Windows+v in my keyboard layout.

Fixing the wireless driver issue in suspend/resume

I also found that if I suspend the system, after resuming it the wireless device was missing from the sys-net domain. Adding the following two modules to the /rw/config/suspend-module-blacklist file in the sys-net domain fixed that for me.

iwlmvm
iwlwifi

The official documentation has a section on the same.

You can follow my posts on Qubes OS here.

The journey continues at Freedom of the Press Foundation

The code we write is the extension of our emotions and thinking. A few months back a twitter thread on Gnome's account made Anwesha and me think about it once again. I think the most important reply in that thread came from Miguel de Icaza.

The contribution to Free Software happens over 2 forms, for many it helps to solve or support a personal cause. Sometimes it is something we deeply care about (actually the 2 points are not that different). That is why people come back to home from their daily jobs, and then continue contributing upstream till late night. Many jobs now also allow working on upstream Free Software projects as part of the work. The word Open Source helped to create a bridge between businesses and creators. But, we still have to keep fighting for Freedom in various levels in life, even including for the basic human rights.

More than a month back, the Supreme Court of India ruled that privacy is a fundamental right of every Indian citizen. It was a huge win for every privacy advocate, but it was only one of the big battles in the whole fight for the right to privacy. Even though governments are using public money to develop software infrastructure, almost none of it is Free Software. There is an ongoing campaign for publicly financed software developed for people to be Free Software. No one knows what is going on in the closed source infrastructure, and if people point out the issues, they get punished. If you have never heard about the Aadhaar project in India, feel free to visit this site to learn about how much destruction it is bringing.

Journalists were the most common people in the movies (in our childhood days) who used to find out all bad things people in power were doing, and at the end of the movie, public used to win with help of court (and sometimes fights between the hero and villains). Things have changed a lot over the years. Now technology enables many to be in a condition to find out the wrongdoings of the state, or private companies. It is much easier to send across that information to the journalists, and we can see how those revelations are helping the world. But, technology also enables the wrong-doers to attack the whistleblowers and the journalists who publish the truth to the people.

At this point if the government can identify the whistleblower, it is too dangerous to be a whistleblower. If we want to find what the state is doing, so that, we, the people, can have control over it, we need to make whistleblowers safe. -- RMS in his talk last year.

Freedom of the Press Foundation is one such organization working to protect and defend journalism, and to support journalists and whistleblowers worldwide. One of the major developments from the foundation is the SecureDrop project. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz. The project also won The Award for Projects of Social Benefit from the Free Software Foundation in 2016. This week I joined the Freedom of the Press Foundation as a staff member to help on SecureDrop and other projects.

As I started writing the post with Why Free Software?, helping journalists and whistleblowers with Free Software is a vital cause I can personally relate to. In the last month, we saw at least 3 journalists killed in India; since 1992, we have had the second highest number of journalists killed because of their work. We also saw increased death threats to journalists in India and other parts of the world. The freedom of the press stands as a pillar of democracy, and we will continue to protect it.

Taking off Red Hat, but not Fedora

Red Hat, the name means a lot of things to me. Red Hat Linux was the first Linux distribution I ever saw and worked with. Later I moved to Fedora, and it became my de facto distribution from the Core 1 days. I started contributing to the project formally in 2006, and joined Red Hat for the first time back in 2008. People kept asking me why I wear my Red Fedora everywhere, why I feel so enthusiastic all the time? For me, it is always the people; the company itself started to provide a healthy relationship between businesses and Free Software vendors (including itself). It is still standing tall and growing because of the people in the company, who still care about Freedom. I left Red Hat for 11 months in between, and then came back to work on Fedora itself as Fedora Cloud Engineer in the Fedora Engineering team. Later Sayan also joined the team.

The last 3 years were full of fun on different levels. There were last-minute breakages, heated discussions over IRC or on emails. But, the community stayed above everything; the goal of releasing a better distribution for everyone while inventing at the same time was always in sync. I actually have to admit that I cannot express my feelings about working on Fedora as a full-time job. It was a dream coming true. Friendships became deeper, and I found many completely new points of view on things in life. It is never only about technology. The 4 foundations always remind us why the community is still growing and why we are in love with the project. I should mention that most of my technical know-how about Fedora and many related things actually came from Patrick. He taught me a lot of things over the years.

I am now back as a community contributor to the project. This was a personal decision, and I got support from Anwesha and friends to go ahead with this. I always worked on upstream projects with my personal email ID, so nothing changes in Fedora directly for me.

At the end, I want to thank Paul Frields, Matthew Miller, Denise Dumas, the rest of the Fedora Engineering team and the community for giving me this opportunity.

Network isolation using NetVMs and VPN in Qubes

In this post, I am going to talk about isolating the network for different domains using VPNs on Qubes. The following diagram shows the default network configuration in Qubes.

The network hardware is attached to a special domain called sys-net. This is the only domain which directly talks to the outside network. Then a domain named sys-firewall connects to sys-net, and all other VMs use sys-firewall to access the outside network. These kinds of special domains are also known as NetVMs, as they provide network access to other VMs.

Creating new NetVMs for VPN

The easiest way is to clone the existing sys-net domain to a new domain. In my case, I have created two different domains, mynetwork and vpn2 as new NetVMs in dom0.

$ qvm-clone sys-net mynetwork
$ qvm-clone sys-net vpn2

As the next step, I opened the settings for these VMs and marked sys-net as the NetVM for both. I also installed the openvpn package in the template VM so that both new NetVMs can find that package.

Setting up openvpn

I am not running openvpn as a proper service, as I want to be able to switch between the different VPN services I have access to. That also means a bit of manual work to set up the right /etc/resolv.conf file in the NetVMs and in any corresponding VMs which access the network through them.

$ sudo /usr/sbin/openvpn --config connection_service_name.ovpn

So, the final network right now looks like the following diagram. The domains where I am doing actual work are connected to different VPN services through the two new NetVMs, never directly to sys-firewall or sys-net.
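The value of the chain sys-net -> VPN NetVM -> work domain is that a work domain never reaches the outside network except through the VPN NetVM, so it is worth checking that no domain was accidentally left pointing at sys-firewall. The following added example (not code from the original post or from Qubes OS) models the qube -> NetVM mapping as a dictionary, follows each chain with loop detection, and reports domains that reach the network without passing through a VPN NetVM. The topology is constructed to mirror the layout described above; in dom0 the same mapping could be filled in from each qube's netvm preference (an assumption about your own setup, not something the example does).

```python
"""Audit the NetVM chain of Qubes domains.

Added example, not code from the original post or from Qubes OS. The
topology below is constructed to mirror the post's layout; in dom0 the same
mapping could be built from each qube's netvm preference.
"""

# qube name -> its NetVM, or None for a qube without network access.
TOPOLOGY = {
    "sys-net": None,            # holds the network hardware
    "sys-firewall": "sys-net",
    "mynetwork": "sys-net",     # VPN NetVM cloned from sys-net
    "vpn2": "sys-net",          # second VPN NetVM
    "work": "mynetwork",
    "banking": "vpn2",
    "personal": "sys-firewall", # constructed: no VPN in its chain
    "ssh-vault": None,          # offline vault
}
VPN_NETVMS = {"mynetwork", "vpn2"}


def netvm_chain(topology, vm):
    """NetVMs between `vm` and the outside network, nearest first.
    Raises ValueError on a loop or on a NetVM missing from the topology."""
    chain, seen = [], {vm}
    current = topology[vm]
    while current is not None:
        if current in seen:
            raise ValueError(f"NetVM loop through {current!r}")
        if current not in topology:
            raise ValueError(f"unknown NetVM {current!r}")
        seen.add(current)
        chain.append(current)
        current = topology[current]
    return chain


def vpn_leaks(topology, vpn_netvms, protected_vms):
    """VMs in protected_vms that reach the network without a VPN NetVM."""
    leaks = {}
    for vm in protected_vms:
        chain = netvm_chain(topology, vm)
        if chain and not any(hop in vpn_netvms for hop in chain):
            leaks[vm] = chain
    return leaks


def offline_vms(topology):
    """Qubes with no route to the network at all (e.g. a key vault)."""
    return sorted(vm for vm in topology if not netvm_chain(topology, vm))


if __name__ == "__main__":
    for vm in ("work", "banking", "personal"):
        print(vm, "->", " -> ".join(netvm_chain(TOPOLOGY, vm)))
    print("without VPN:", vpn_leaks(TOPOLOGY, VPN_NETVMS,
                                    ["work", "banking", "personal"]))
    print("offline:", offline_vms(TOPOLOGY))
```

With the constructed topology, work and banking are routed through mynetwork and vpn2 respectively, while personal shows up in the leak report because its only hops are sys-firewall and sys-net; sys-net itself and ssh-vault are reported as offline.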

Two days remaining for PyCon Pune 2018 CFP

The CFP for PyCon Pune 2018 will close at the end of 15th September AOE. If you are thinking about submitting a talk, this is a good time to do that. The conference will happen from 8-11th February in Pune, India. The first 2 days are the main conference, a single track event where we will have around 650 people. The last two days will be devsprints.

We have already announced all the 6 keynote speakers of the conference.

Go ahead and submit your talk today.