Monday, August 3, 2015

YubiKey Neo + Putty SSH + Windows

I have been using a YubiKey Neo to hold my OpenSSH key (as a CCID smart card) at work. I have made it work on Ubuntu and MacOS with relative ease, but most of my colleagues are on Windows and wondered how this could be done on the M$ platform. So I decided to give it a shot and try it out on their newly released Windows 10 (or shall we call it WinOS X).

Step 0: Get YubiKey Neo configured as CCID

Of course you have to buy this hardware before we can even begin. Before your YubiKey appears as a CCID device you will need to use the YubiKey NEO Manager to enable that mode. See the following screenshot.

You cannot have a password set on your YubiKey when you are changing the modes. If you do, you will have to delete that configuration with the YubiKey Personalization Tool. Make sure to exit the GUI applications before you start using the console later.

Step 1: Check if your YubiKey works.

You will need the gpg executable (Gpg4Win) installed to interact with your YubiKey:

C:\>gpg --card-edit
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 0'
Application ID ...: REDACTED
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: REDACTED
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

A caveat here is that a few months back there was an advisory about YubiKeys with OpenPGP applet version ≤ 1.0.9 being affected by a security issue. See Yubico's website to make sure that the key you have does not run an affected version.

Step 2: Generate Keys

Now you can follow the steps described in various blog entries. Just make sure that you use the correct PINs the first time (the console will tell you the default PINs; otherwise you may have to RESET your applet).

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN

Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 08/02/16 15:18:08
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: User Name
Email address:
Comment: Department
You selected this USER-ID:
    "User Name <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? C
Comment: Department2
You selected this USER-ID:
    "User Name (Department 2) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (25 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (26 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (34 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: C:/Users/hatsha/AppData/Roaming/gnupg\trustdb.gpg: trustdb created
gpg: key 60C2B662 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-08-02
pub   REDACTED/REDACTED 2015-08-03 [expires: 2016-08-02]
      Key fingerprint = 5ABF D138 BB53 3F9C 133D  DD9A 793B D949 60C2 B662
uid                  User Name (Department 2) <>
sub   2048R/REC2015-08-03 [expires: 2016-08-02]
sub   2048R/D0AD1A73 2015-08-03 [expires: 2016-08-02]

Step 3: Use Keys

The next step is to use the generated SSH key. The easiest way I have found on Windows is to use an agent that requires registration; the fee is nominal (1 Euro per key). After following the instructions you can start the agent, and you should see your keys in the agent if the YubiKey's PGP applet is working.

While you can export the SSH public key from gpg (so you can put it on your servers/OpsWorks stack), I just take the easy route: log in to a server with a password and run ssh-add -L to get the keys. Don't forget to enable agent forwarding in PuTTY though.
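As an added example (not code from the original post), here is a small Python parser for the `gpg --card-edit` listing shown in Step 1 that flags what is worth checking before relying on the key: empty key slots, a blocked PIN and a signature PIN that is not forced. The sample listings are constructed to match the format above; the field values are placeholders.

```python
import re

# Constructed sample modelled on the `gpg --card-edit` listing above, taken
# before any key has been generated. Values are placeholders, not a real card.
SAMPLE_BEFORE = """\
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 0'
Application ID ...: <redacted>
Version ..........: 2.0
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""
# Same card after `generate`: the three slots now show key fingerprints.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("[none]", "<fingerprint>")

# One "Label ....: value" line; the label may itself contain a dot ("Max. PIN").
FIELD = re.compile(r"^([A-Za-z][A-Za-z .]*?)[ .]*: ?(.*)$")


def parse_card_status(text):
    """Turn the card listing into {label: value}, skipping gpg's own messages."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("gpg:"):
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def pin_retries(fields):
    """Remaining tries as (PIN, Reset Code, Admin PIN), gpg's display order."""
    return tuple(int(n) for n in fields["PIN retry counter"].split())


def check_card(fields):
    """Return the problems a practitioner wants to see before using the key."""
    findings = []
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        if fields.get(slot, "[none]") == "[none]":
            findings.append(f"{slot} slot is empty; run `generate` first")
    for name, left in zip(("PIN", "Reset Code", "Admin PIN"), pin_retries(fields)):
        if left == 0:
            findings.append(f"{name} is blocked (0 retries left)")
    if fields.get("Signature PIN") != "forced":
        findings.append("Signature PIN not forced: PIN is cached between signatures")
    return findings
```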

Friday, April 3, 2015

Securing your Ansible deployment on AWS

Lately I have been involved in a team which is developing software as micro-services. It is very interesting work and has helped me to get introduced to some interesting technologies such as AWS, Ansible and Docker in depth (and in practice).

Ansible is a great deployment automation tool. It is written in Python, is declarative and agent-less (i.e. it just needs SSH access to your box). SSH itself is very secure if you use key-based authentication. But people tend to use it in a very insecure manner (e.g. they share SSH keys over email, don't delete old SSH keys once they are revoked, etc).

In my opinion the best way to stop the sharing of private keys is to generate them on a hardware token from which they cannot be (easily) copied. Fortunately I have access to a YubiKey Neo on which I managed to generate a public/private gpg key pair. The private key resides on your gpg card and the public key can be put on your Ansible target hosts. There are quite a few guides (Mac, Linux, Windows) for the YubiKey and a few more for general purpose CCID-based key stores. You can then use SSH agent forwarding with your gpg agent so that the YubiKey also works for servers which require you to first log in to a jumpbox.

Ansible has good AWS support in the form of modules such as ec2, rds etc (backed by Python boto). These modules of course require AWS API access when conjuring/terminating nodes or updating a Route 53 DNS entry. Normally this means you have to generate and use AWS API tokens. I prefer using jumpboxes with IAM roles instead (an IAM role essentially gives an Amazon instance permission to call Amazon APIs on your behalf, without requiring any extra keys or passwords).

So this entire approach is useful only if you can easily log in to a jumpbox that has an IAM role. I like using OpsWorks to create and start such jumpbox instances. The only things required for such jumpboxes are the correct IAM roles (which can do everything that your Ansible scripts need, e.g. EC2.* or S3.*) and IAM users who have permission to SSH to the jumpbox. IAM users can register their own SSH keys (of course the one generated on the YubiKey) on OpsWorks, and the keys get magically updated on all machines managed by OpsWorks.
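As an added example (not code from the original post), the following Python builds the two IAM documents the jumpbox needs, a trust policy so EC2 can assume the role and a permissions policy limited to the services the Ansible modules call, and lints a policy for grants that defeat the point of a key-less jumpbox, such as Action "*" or iam:*. The service list and Sid are assumptions chosen for the example.

```python
import json

# Services the Ansible modules on the jumpbox actually call (the post names
# ec2, rds, route53 and S3); anything else is left out of the role.
ANSIBLE_SERVICES = ("ec2", "rds", "route53", "s3")

# Services whose wildcard grant lets the holder mint new credentials or widen
# its own rights, which is exactly what the key-less jumpbox is meant to avoid.
ESCALATION_SERVICES = ("iam", "sts", "organizations")


def trust_policy():
    """Lets EC2 instances (the jumpbox) assume the role; no user keys involved."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def jumpbox_role_policy(services=ANSIBLE_SERVICES):
    """Permissions policy granting only the named services (the post's 'EC2.*')."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AnsibleFromJumpbox",
        "Effect": "Allow",
        "Action": [f"{svc}:*" for svc in services],
        "Resource": "*"}]}


def lint_policy(policy):
    """Return findings for grants that go beyond what an Ansible jumpbox needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants everything not listed")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*":
                findings.append(f"{sid}: full administrative access via Action '*'")
            elif service in ESCALATION_SERVICES and verb == "*":
                findings.append(f"{sid}: {action} allows privilege escalation from the jumpbox")
    return findings


def to_json(policy):
    """Serialise a document for pasting into the IAM console or CLI."""
    return json.dumps(policy, indent=2)
```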

By following this guide you make it impossible to leak your SSH key or Amazon credentials, since you never put them on any remote machine or in code. That should be a good baseline for a secure Ansible deployment on AWS.

Tuesday, October 28, 2014

Micro-services: Learning resources.

I am currently working with and researching the micro-services software architecture (or approach to software architecture). There are tons of resources on the web but unfortunately very few of them are academic in nature. I hope that over the coming months the software/academic community will agree on a standard definition (perhaps following a simple format similar to this one) for this topic, as the subject is starting to get hot.

I personally think the name/term "micro-services" can be a bit misleading. Quite a lot of people I have talked to focus more on the word "micro" and not on the principles. I am all for lightweight approaches to building software though. For the time being this term is trending and I don't see it fading away any time soon. See the buzz on Twitter and YouTube yourself.

I hope to make this post a learning resource for people new to micro-services. I will be curating it over a period of time (so don't expect this content to stay static ;). Please send suggestions on Twitter to @geoaxis or in the comments.

Other lists

First of all, there are a few other lists on the tubes that I would encourage you to browse (reading list at the end).

Academic Resources

Articles (these are in no particular order; Lewis/Fowler is probably the most quoted article on this subject)


Tool specific articles



The following are some videos that I have watched and think are worth watching:
A whole series of videos explaining micro-services (mostly content from Lewis/Fowler)

Wednesday, May 21, 2014

Raspberry PI and TL-WN725N from hell

In the last few days I have spent a considerable amount of time trying to configure a seemingly simple WiFi dongle with a Raspberry Pi. Being an ex-Gentoo user, I thought: how hard could it be to get some modules and load them? Or so I thought.

The first step was to install the Raspberry Pi image (I used this software to flash the image from my Mac; a bit dangerous since it asks for the system password, but I am too lazy to look up how to do this from the console :)). I chose the Raspbian distro, although Arch looks more interesting.

Then of course you need to run rpi-update and apt-get update to make sure you have the latest stuff.

The dongle that I have does not get picked up by the kernel, and I spent a lot of time downloading all kinds of module (.ko) files from the internet to get this damn WiFi thing to work. It was a terribly long list of misses. Long story short, I found this link that helped me get the WiFi dongle to work.

Then I used wicd-curses to configure the network. One thing that I had trouble with was the "configure wifi" option: the -> option is actually the right arrow key. Once you select the WiFi network you want to connect to, just press the right key. Also, I could not get the WiFi network to route properly right after it started, so I just let it reboot without any wired network. You can find more help on this here.

I know why Linux never really picked up. It is still not easy to get devices to work out of the box.

Thursday, March 20, 2014

As native as possible

This is a half-baked idea and kind of a rant. The idea is very simple and has to do with my personal position on how to choose technologies.

When building a software system, first do things as natively as possible for your context.

As a software developer I would like to construct systems that are easy to get started with, understand and maintain, and that can still be delivered on time. As you may know, it is impossibly hard to do so many things well in any domain.

In my brief career I have seen many examples of technology stacks and systems which try to achieve the previously stated goals by abstracting away the complexities of underlying layers, while also creating some of their own. If you are a Java server-side developer you have probably worked with the likes of Hibernate (which helps you create database queries). This usually produces poor results and has been discussed in the community (to quote: "the resulting cakes from cake mixes generally taste worse than proper cakes... and they don't even save you any time"). And the more you use such things, the more you start justifying these frameworks/technologies.

I have found that focusing one's energy on learning the basics and applying them pays off in the long run. But it does boil down to where one draws the boundary of abstraction. So as a general rule I would recommend that if you are writing to a database, it is a very good idea to know how to use it inside out in its native form. For SQL-based software that means learning about SQL and the various replication and sharding strategies; for NoSQL (for example MongoDB) it would mean learning about Mongo internals. When working with client-side UI on the web this means learning and using JavaScript. There are times when things like JSF and Hibernate will help you achieve your goals. I guess in essence I am repeating the mantra of KISS and YAGNI.

So from now on I will try to use SQL/JDBC instead of Hibernate/JPA; JavaScript/HTML instead of some cooked-up framework which tries to avoid JS/HTML; iOS/Android instead of Cordova (I do think Cordova is useful for some use cases though); and Embedded C instead of things like BGScript (for Bluetooth Smart prototyping) whenever possible.

Edit: Revised the post on 2016-08-14.

Monday, February 10, 2014

BLE Hello World in Cordova/Phonegap

After learning about Bluetooth Smart, I have been wanting to write some PhoneGap/Cordova apps for myself. There are a few plugins (1, 2, 3) available on GitHub, but in my opinion the most promising one is cordova-ble from EvoThings. I decided to write myself a sample app for scanning one weekend and ended up modifying one of the examples from EvoThings and mixing in Topcoat and Zepto, as per PhoneGap expert recommendations. Code is here.

The code is dead simple, so I won't bother to explain it; essentially it is just HTML5/CSS3/JS stitched together with the EvoThings plugin.

Video made with the help of Reflector, Android SCR and Apple iMovie.

Wednesday, November 6, 2013

A List of links for Bluetooth Low Energy beginners

I had the pleasure of sharing my recent learnings about Bluetooth Low Energy at an Internet of Things meetup in Stockholm. It was inspired by a similar meetup held in San Francisco back in October. I would like to share some learning resources for people who attended the meetup, and that is what this post is about.

I will try to make this list grow over time.

Edit: I am dumping more links here from Droidcon Stockholm

First the basics. I think the best place to start and get excited is YouTube videos.

There are lots of videos from the Bluetooth Tech channel, covering home automation, security etc.

If you want to go more in depth you can watch Robin Heydon from CSR give a really nice intro to BLE. This intro is similar to other webinars that are available out there. You should watch the whole series to get a basic idea.

The following video presents BLE from a Linux perspective. I think it introduces too much detail without context, but it can be worth watching for users who know their way around Linux and have understood the basics of BLE. The presentation in PDF is here.

The following video shows the difference between classic and low energy Bluetooth.

A quick and fun way to get started with BLE is to play with the TI SensorTag and an iOS device.

Another way to get started with BLE is the Estimote app and kit (also on iOS).

Of course, if you are part of the iOS developer program, I would recommend you watch the WWDC talks on CoreBluetooth and CoreLocation from 2012 and 2013. There are talks from Google I/O and Microsoft Build as well, but I think the Apple talks are far better.

This new Android BLE tutorial from Double Encore BLE guru Dave Smith is really wonderful.


  • First my hastily prepared presentation.

  • Robin Heydon's presentation (publicly accessible from


Programming Resources