Kushal Das

FOSS and life. Kushal Das talks here.


Using signify tool for sign and verification

We generally use GNUPG for sign and verify files on our systems. There are other tools available to do so; some tools are particularly written only for this purpose. signify is one such tool from the OpenBSD land.

How to install signify?

pkg install signify

I used the above command to install the tool on my FreeBSD system, and you can install it in your Debian system too, the tool is called signify-openbsd as Debian already has another tool with the same name. signify is yet to be packaged for Fedora, if you are Fedora packager, you may want to package this one for all of us.

Creating a public/private key pair

signify -G -s atest.sec -p atest.pub -c "Test key for blog post"

The command will also ask for a password for the secret key. -c allows us to add a comment in our key files. The following is the content of the public keyfile.

untrusted comment: Test key for blog post public key 

As it is very small in size, you can even create a QR code for the same.

Signing a file

In our demo directory, we have a hello.txt file, and we can use the newly generated key to create a signature.

signify -S -s atest.sec -m hello.txt

This will create a hello.txt.sig file as the signature.

Verifying the signature

$ signify -V -p atest.pub -m hello.txt
Signature Verified

This assumes the signature file in the same directory. You can find the OpenBSD signature files under /usr/local/etc/signify (or in /etc/signify/ if you are on Debian).

To know more about the tool, read this paper.

Setting up WKD

We fetch any GPG public key from the keyservers using the GPG fingerprint (or parts of it). This step is still a problematic one for most of us. As the servers may not be responding, or the key is missing (not pushed) to the server. Also, if we only have the email address, there is no easy way to download the corresponding GPG key.

Web Key Directory to rescue

The Web Key Directory comes to the picture. We use WKD to enable others to get our GPG keys for email addresses very easily. In simple terms:

The Web Key Directory is the HTTPS directory from which keys can be fetched.

Let us first see this in action:

gpg --auto-key-locate clear,wkd --locate-key mail@kushaldas.in

The above will fetch you the key for the email address, and you can also assume the person who owns the key also has access to the https://kushaldas.in server.

There are many available email clients, which will do this for you. For example Thunderbird/Enigmail 2.0 or Kmail version 5.6 onwards.

Setting up WKD for your domain

I was going through the steps mentioned in the GNUPG wiki, while weasel pointed to me to a Makefile to keep things even more straightforward.

all: update install

        rm -rfv openpgpkey
        mkdir -v openpgpkey
        echo 'A85FF376759C994A8A1168D8D8219C8C43F6C5E1 mail@kushaldas.in' | /usr/lib/gnupg/gpg-wks-client -v --install-key
        chmod -v 0711 openpgpkey/kushaldas.in
        chmod -v 0711 openpgpkey/kushaldas.in/hu
        chmod -v 0644 openpgpkey/kushaldas.in/hu/*
        touch openpgpkey/kushaldas.in/policy

        ln -s kushaldas.in/hu openpgpkey/
        ln -s kushaldas.in/policy openpgpkey/

install: update
        rsync -Pravz --delete ./openpgpkey root@kushaldas.in:/usr/local/www/kushaldas.in/.well-known/

.PHONY: all update install

The above Makefile is using gpg-wks-client executable and also pushing the changes to the right directory on the server.

Email providers like protonmail already allow users to publish similar information. I hope this small Makefile will help you to set up your domain.

Highest used Python code in the Pentesting/Security world

python -c 'import pty;pty.spawn("/bin/bash")'

I think this is the highest used Python program in the land of Pentesting/Security, Almost every blog post or tutorial I read, they talk about the above-mentioned line to get a proper terminal after getting access to a minimal shell on a remote Linux server.

What does this code do?

We are calling the Python executable with -c and python statements inside of the double quote. -c executes the Python statements, and as we are running it as non-interactive mode, it parses the entire input before executing it.

The code we pass as the argument of the -c has two statements.

import pty

pty is a Python module which defines operations related to the pseudo-terminal concept, it can create another process, and from the controlling terminal, it can read/write to the new process.

The pty.spawn function spawns a new process (/bin/bash in this case) and then connects IO of the new process to the parent/controlling process.

demo of getting bash

In most cases, even though you get access to bash using the way mentioned above, TAB completion is still not working. To enable it, press Ctrl+z to move the process to sleep, and then use the following command on your terminal.

stty raw -echo

stty changes terminal line settings and part of the GNU coreutils package. To read about all the options we set by using raw -echo, read the man page of stty.

Many years ago, I watched a documentary about Security firms showcasing offensive attacks, that was the first I saw them using Python scripts to send in the payload and exploit the remote systems. Now, I am using similar scripts in the lab to learn and having fun with Python. It is a new world for me, but, it also shows the diverse world we serve via Python.

Two new federated services for dgplug

Last week we started providing two new services for the dgplug members.

Mastodon service at toots

Having our own instance was in the plan for time in my head. I had personal Mastodon account before, but, that instance went down and never tried to find a new home. This time, I think if a few of us (the sys-admins from the group) use this as a regular thing for ourselves, it will be much easier to maintain than depending on someone else.

Any regular dgplug member can get an invite link for the instance by joining the IRC channel and asking for the same.

Blogging platform

In our summer training, we spend much time talking about communication, a significant part is focused on blogging. We suggest https://wordpress.com as a starting place to the newcomers. At the same time, we found that some people had trouble as they were more focused on the themes or other options than writing regularly.

I looked at https://write.as before, but as I saw https://people.kernel.org is now running on WriteFreely, I thought of giving it a try. The UI is much more straightforward, and as it uses Markdown by default, that is a plus point for our use case. Though most of this year’s participants already have their own blogs, we don’t have many people at the beginning, which helps as not too many support requests to us.

Just like the Mastodon instance, if you need a home for your blogs, come over to our IRC channel #dgplug on Freenode server, and ask for an account.

backup of the systems

This is the biggest question in providing the services in my mind. We set up the very initial backup systems, and we will see in the coming weeks how it stands. Maybe, we will take down the services, and try to restore everything from backup, and see how it goes.

Btw, if you want to follow me over Mastodon, then I am available at https://toots.dgplug.org/@kushal

A few bits on tmux

I don’t remember when I started using tmux, but, the move from screen to tmux was quick. I have it installed on all of my systems and VMs. Though I never bothered to have a proper configuration file, it also means that I never used any plugin or other particular configuration. I don’t prefer to use plugins for command line applications much (for example in Vim), as not all systems will have those plugins installed.

tmux screenshot

While working on OSCP labs, I wished for a way to keep my tmux sessions logged, as that helps to create the report or remember the process in the future. Later, I found IPPSec has a video on their usage of tmux, which includes a plugin to log tmux sessions. I decided to give it a go and created my tmux.conf based on the same.

$ cat ~/.tmux.conf

# Remap prefix to screens
set -g prefix C-a
bind C-a send-prefix
unbind C-b

# Other values
set -g history-limit 100000
set -g allow-rename off

# Join windows
bind-key j command-prompt -p "Join pane from:"  "join-pane -s '%%'"
bind-key s command-prompt -p "Send pane to:"  "join-pane -t '%%'"

# Search mode VI
set-window-option -g mode-keys vi
bind -T copy-mode-vi y send-keys -X copy-pipe-and-cancel 'xclip -in -selection clipboard'

# git clone https://github.com/tmux-plugins/tmux-logging
run-shell /opt/tmux-logging/logging.tmux

Following IPPSec, I have also converted the prefix key to Ctrl+a. This change helps to use another tmux in a remote system, where the default Ctrl+b works as the prefix key. I have also moved the default search to vi mode. You can start selecting text by pressing the spacebar, and then press y to copy text to the primary system clipboard, and helps to copy text easily to any other GUI application. This feature requires xclip tool from the system packages.

I have also cloned the tmux-logging repository under /opt.

On Twitter, Justin Garrison pointed me to his super amazing awesome-tmux repository, which contains many many useful resources on tmux. I spent a good part of reading The Tao of tmux.

Now, my tmux is working the way I want on my Linux systems and also on the FreeBSD laptop (where I am writing this blog post). Btw, if you search tmux cheatsheet on https://duckduckgo.com it provides a lovely view of the cheat sheet in the result page.

FreeBSD on a Thinkpad 230

From the first-ever conference I attended, I started picking up many tools and habits from other participants, speakers, and friends. It is still the same with many new conferences I go to, by meeting new people and learning about new technologies, or sometimes about technologies which are not so new.

I use Linux as my primary operating system at home over 15 years now, getting a good Internet connection helped to make it happen. It was the same for my servers too. I do run different distributions, depending on the kind of work that needs to be done. When I go to many language-specific or general technical conferences, I do always find some discussions related to which distribution is good for what. However, whenever I met Trouble aka Philip Paeps, his lines are always amusing, but, also making questions about how FreeBSD differs from Linux in every possible way. I had FreeBSD running in few VMs at home, which is okay to have an understanding of the basics. To know more in details, I decided to move my primary site https://kushaldas.in over FreeBSD around a year ago. Till now it is running fine, and as a simple static website, there is not much to do anyway.

Last week during rootconf I again met trouble and a bunch of old friends (who all are regular in the FreeBSD world). They helped me to understand how to upgrade to the latest release, and showed a few more tricks. I wanted to use it more to become familiar with command line tools.

I got a X230 laptop with CoreBoot and installed FreeBSD 12 on it. The necessary installation went very smooth. Then, I decided to have KDE as a desktop environment on it. I followed the guide. However, I failed to get sddm working. Even though friends at #freebsd and #bsdin tried to help/debug, only in the evening, we figured out that I was missing some critical Xorg related packages.

# pkg install xf86-input-keyboard xf86-input-mouse xf86-input-synaptics xf86-input-libinput xauth

Also, remember to upgrade the system to the latest.

# freeebsd-update fetch
# freebsd-update install

I have installed the regular applications I use in my standard Linux boxes, including FocusWriter. Remember to install the hunspell package and corresponding dictionary for your language, if you want to have spell checking in FocusWriter.

I am writing this blog post in the same tool in the FreeBSD system. I completely forgot how good the old X series ThinkPad keyboards were feeling nice to type on this. I will keep using this system for learning purpose and hoping to write more in the coming days.

DMARC, mailing list, yahoo and gmail

Last Friday late night, I suddenly started getting a lot of bounced emails from the dgplug mailing list. Within a few minutes, I received more than a thousand emails. A quick look inside of the bounce emails showed the following error:

Unauthenticated email from yahoo.in is not accepted due to     domain's 550-5.7.1 DMARC policy.

Gmail was blocking one person’s email via our list (he sent that using Yahoo and from his iPhone client), and caused more than 1700 gmail users in our list in the nomail block unless they check for the mailman’s email and click to reenable their membership.

I panicked for a couple of minutes and then started manually clicking on the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I tried to learn JavaScript 4 times and failed happily, I thought a bit searching on Duckduckgo and search/replace within example code can help me out.

$checkboxes = document.querySelectorAll("[name$=nomail]");
for (var i=0; i<$checkboxes.length; i++)  {
      $checkboxes[i].checked = false;

The above small script helped me to uncheck 50 email addresses at a time, and I managed to unblock the email addresses without spending too many hours clicking.

I have also modified the mailing list DMARC settings as suggested. Now, have to wait and see if this happens again.

Indian news websites over Tor and HTTP vs HTTPS

Following the idea of Secure The News, I wanted to verify if the Indian news websites have proper certificates or can they be viewed over Tor network.

The major problem was to get the list of urls, and I managed to create that from the Wikipedia list of Indian news organizations. Next, I had to write a straightforward Python script to verify the sites over Tor.

I have 181 site URLs and out of those, 5 are down. Among the rest 176 sites, surprisingly all but 3 sites could not be open from Tor network. The following 3 sites are blocking the users from Tor, thus, compromising the privacy and security Tor Browser provides to their readers.

  • http://www.dnaindia.com/
  • http://www.financialexpress.com/
  • http://www.jagran.com/

On the other hand, when it comes to enabling HTTPS by default and redirecting people to that, most of these sites failed miserably.

117 sites do not provide their sites over HTTPS. If you do not know why it is important to provide the same, please read this. If you don’t know how to enable HTTPS on your website, you can read this guide.

This is the list of the URLs who are only on HTTP.

Game of guessing colors using CircuitPython

Every participant of PyCon US 2019 received a CircuitPython Playground Express (cpx) in the swag bag from Digikey and Adafuit, which is one of the best swag in a conference. Only another thing which comes in my mind was Yubikeys sponsored by Yubico in a rootconf a few years ago.

I did not play around much with my cpx during PyCon, but, decided to go through the documents and examples in the last week. I used Mu editor (thank you @ntoll) to write a small game.

The goal is to guess a color for the next NeoPixel on the board and then press Button A to see if you guessed right or not. Py and I are continuously playing this for the last weeks.

The idea of CircuitPython, where we can connect the device to a computer and start editing code and see the changes live, is super fantastic and straightforward. It takes almost no time to start working on these, the documentation is also unambiguous and with many examples. Py (our 4 years old daughter) is so excited that now she wants to learn programming so that she can build her things with this board).

My talk at PyCon US 2019

A couple of weeks back, I gave a talk at PyCon US 2019, "Building reproducible Python applications for secured environments".

The main idea behind the talk is about the different kind of threats in an application which has dependencies (with regular updates) coming from various upstream projects, and also the final deployable artifact (Debian package in this case) needs to audit-able, and reproducible.

Before my talk on Saturday, I went through the whole idea and different steps we are following, with many of the PyPA (Python Packaging Authority) and other security leads in various organizations.

You can view the talk on Youtube. Feel free to give any feedback over email or Twitter.