Everything Curl is a book about everything related to Curl. I read the book before online. But, now I am proud to have a physical copy signed by the author :)
It was a good evening, along with some amazing fish in dinner and wine and lots of chat about life in general.
This Tuesday I attended SamNet Vinterkonferensen, jointly organized by ISOC-SE, SNUS, DFRI and Dataskydd.net, focusing on technology, the internet, privacy, and decentralization. The organizers gave me caution before hand as the whole conference was in Swedish :)
The venue was Internetstiftelsen, which is already one of my favorite small conference venues in Stockholm (as we have done many open spaces there in the last 1 year).
After the morning coffee and breakfast, the day started with a talk about "blockchain", it felt more like a 2015 version of the presentation :) After that a very good detailed description of IPv6 and adoption. The third talk was on DNS from Mikael Kullberg. This presentation was a perfect mix of technical details and fun :)
After the fika break, there was another govt talk about e-identification. And it broke my brain. The level of Swedish was too much, and my brain refused to do any real-time translation/understanding of the Swedish afterward. So, I spent the time in the lobby talking to people and writing some code.
The second half starts with Tobias Pulls talking about his work on anonymity and Tor network. There are a few slides with detailed graphs, and I had difficulty to understand them. Though Pulls mentioned before that he had to work hard to get all the English terms translated into Swedish. Next, MC took the stage to talk about Tillitis.
Last part of the day I spent listening to folks discussion different DNS/packets/anonymity related topics.
My goal was to meet more people and listen to more technical discussions in Swedish. So, I count the conference a success :)
I can not keep track of Github notifications, for too many years. Yesterday, I thought of rewriting retask for Python3 only, and noticed a PR waiting for 7 years only, from Miro.
Now it is merged. Took some time, but the patch went in. Miro also noticed :)
You can use your Yubikey 4 or 5 for the rest of the tutorial.
If you mark your Yubikey presence is required to unlock your computer, then one not only needs your password, they will have to gain physical access to your Yubikey.
$ sudo dnf install ykclient* ykpers* pam_yubico*
Connect the Yubikey to your system, and see if it is not getting detected.
$ ykinfo -v
version: 5.2.7
If the system can not find the Yubikey, then it will show the following error.
Yubikey core error: no yubikey present
Then, for each of the Yubikey, we have the run the following command once:
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
Firmware version 4.2.7 Touch level 517 Program sequence 1
Configuration data to be written to key configuration 2:
fixed: m:
uid: n/a
key: h:9d97972ff90267d7cff02b49d41f85a68325805c
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64|CHAL_BTN_TRIG
extended_flags: SERIAL_API_VISIBLE
Commit? (y/n) [n]: y
Here we are configuring the slot 2, with challenge-response mode, and HMAC (even less than 64 bytes), and also saying that the human has to touch the physical key by providing CHAL_BTN_TRIG, also making the serial API visible.
$ ykpamcfg -2 -v
debug: util.c:219 (check_firmware_version): YubiKey Firmware version: 5.2.7
Sending 63 bytes HMAC challenge to slot 2
Sending 63 bytes HMAC challenge to slot 2
Stored initial challenge and expected response in '/home/kdas/.yubico/challenge-16038846'.
Remember to touch the key button twice after the command sends in 63 bytes, the LED on the key should blink that that time.
Now, we can mark that the Yubikey must be present during login, and after touching the key, one still has to type in the password, or for lesser security context, one needs either the Yubikey or password to login.
For the first scenario, add the following to the /etc/pam.d/gdm-password
file, just above the auth substack password-auth line.
auth required pam_yubico.so mode=challenge-response
If you want either password or Yubikey to work, then replace required with sufficient.
You will have to logout of Gnome, and then when you click your username while relogin, you will notice that the Yubikey is blinking. Touch it, and then enter password to complete login.
The similar configuration changes required to be made in /etc/pam.d/sudo.
But, remember to keep the sudo session open in one terminal, then try to test
the sudo command in another one. Just in case :)
To learn more about the pam configuration, read man pam.conf.