osx:start [2018/06/15 14:13] robm [Middle-click via the trackpad]
osx:start [2019/05/22 15:10] robm [GPG with remote forwarding]
Line 754: | Line 754: | ||
More thorough networking (Ethernet layer, instead of link layer): http:// | More thorough networking (Ethernet layer, instead of link layer): http:// | ||
+ | |||
+ | ===== Automating via SSH configuration files ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | - **As root** on your client system, generate a new SSH keypair to use for VPN. < | ||
+ | - Install new public key into remote system, and prefix with a ForeCommand which is run whenever this key is used to authenticate:< | ||
+ | printf ' | ||
+ | cat ~/ | ||
+ | ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
+ | - Configure client via '' | ||
+ | Hostname $SERVER | ||
+ | User root | ||
+ | # Remote' | ||
+ | # tunnel=" | ||
+ | IdentityFile ~root/ | ||
+ | Tunnel yes | ||
+ | TunnelDevice 0:0 | ||
+ | PermitLocalCommand yes | ||
+ | LocalCommand ~root/ | ||
+ | # Disable connection sharing, otherwise closing VPN may not actually reset | ||
+ | # network settings because vpn.sh (cf. LocalCommand) continues to wait | ||
+ | # for the `ssh` process to exit (which it may not if another session is | ||
+ | # active) | ||
+ | ControlPath none | ||
+ | # Disable use of ssh-agent, as it seems to prevent our preferred identity | ||
+ | # (cf. IdentityFile) being applied, which in turn means we don't trigger the | ||
+ | # ForceCommand of the remote' | ||
+ | IdentityAgent none</ | ||
+ | - Create a new script on your client machine at '' | ||
+ | # .ssh/ | ||
+ | REMOTE_HOST=$1 | ||
+ | TUNNEL_DEVICE=$2 | ||
+ | |||
+ | ifconfig $TUNNEL_DEVICE inet 172.16.0.2 172.16.0.1 | ||
+ | ROUTE=$(route get $REMOTE_HOST) | ||
+ | GATEWAY=$(sed -ne 's/^ *gateway: //p' <<<" | ||
+ | INTERFACE=$(sed -ne 's/^ *interface: //p' <<<" | ||
+ | route add $REMOTE_HOST $GATEWAY | ||
+ | route add 10/8 $GATEWAY | ||
+ | route change default 172.16.0.1 | ||
+ | WAIT_PID=$PPID | ||
+ | ( | ||
+ | while kill -0 $WAIT_PID >/ | ||
+ | # The route gets deleted when the SSH tunnel closes gracefully and tun0 disappears | ||
+ | route change default $GATEWAY | ||
+ | route add default $GATEWAY | ||
+ | route delete 10/8 $GATEWAY | ||
+ | route delete $REMOTE_HOST $GATEWAY | ||
+ | ) &</ | ||
+ | - Make the new script executable: < | ||
+ | - Test it by running < | ||
+ | |||
+ | Sample session showing the output from the commands above: | ||
+ | |||
+ | < | ||
+ | # ssh-keygen -f ~/ | ||
+ | Generating public/ | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | SHA256: | ||
+ | The key's randomart image is: | ||
+ | +---[RSA 2048]----+ | ||
+ | |X+ | | ||
+ | |OB | | ||
+ | |Bo* o | ||
+ | |** B . . . | | ||
+ | |+.= . S . o | | ||
+ | |. o * * o | | ||
+ | |. = B B | | ||
+ | |+ . = = | | ||
+ | |oE +o. | | ||
+ | +----[SHA256]-----+ | ||
+ | |||
+ | # ( \ | ||
+ | # | ||
+ | # cat ~/ | ||
+ | # ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
+ | tunnel=" | ||
+ | |||
+ | # ssh vpn | ||
+ | add host www.robmeerman.co.uk: | ||
+ | add net 10: gateway 10.1.36.1 | ||
+ | change net default: gateway 172.16.0.1 | ||
+ | |||
+ | # Nothing further appears to happen. VPN is up and running! Try `traceroute | ||
+ | # google.com` in another terminal to verify that the traffic is going via your | ||
+ | # server and not its default route. | ||
+ | |||
+ | # When all done, press ^C to kill the VPN and restore default settings. Your | ||
+ | # prompt will return first, and *then* the clean-up code will execute and | ||
+ | # print: | ||
+ | ^C | ||
+ | route: writing to routing socket: not in table | ||
+ | change net default: gateway 10.1.36.1: not in table | ||
+ | add net default: gateway 10.1.36.1 | ||
+ | delete net 10: gateway 10.1.36.1 | ||
+ | delete host www.robmeerman.co.uk: | ||
+ | </ | ||
====== Global Keyboard Shortcut to toggle Skype microphone ====== | ====== Global Keyboard Shortcut to toggle Skype microphone ====== | ||
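Review bot: In the vpn.sh script, `INTERFACE=$(sed -ne 's/^ *interface: //p' ...)` is assigned but never read by any later line of the script, so it should be dropped or actually used; as written it only adds a second `route get` parse to reason about. Two smaller points in the same hunk: the step text says "prefix with a ForeCommand", while the ssh_config comment correctly says "ForceCommand" and the visible `tunnel="` fragment shows the key is installed with authorized_keys options, so the step should name the real option (`command="..."`) and, because this key lands in root's authorized_keys on the server, it is worth pairing `tunnel="0",command="..."` with `restrict` so the key cannot be used for a shell, port forwarding or agent forwarding beyond the tun device. Finally, the sample session confirms the teardown ordering the comments describe (`route change default` fails with "not in table" after a graceful close and `route add default` then succeeds), so a sentence in the step list saying that one of the two lines is expected to fail would save readers from treating the "not in table" error as a bug.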
Line 803: | Line 903: | ||
brew cask install smcfancontrol | brew cask install smcfancontrol | ||
+ | |||
+ | ====== GPG with remote forwarding ====== | ||
+ | |||
+ | Overview (notes to follow, I hope): | ||
+ | |||
+ | - Install GPG locally and create an identity | ||
+ | - Ensure that passphrase challenge (" | ||
+ | - Install GPG on remote, and import public key | ||
+ | - Configure SSH to forward agent socket | ||
+ | - Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets | ||
+ | |||
+ | https:// | ||
+ | |||
+ | - '' | ||
+ | - Append to '' | ||
+ | source ~/ | ||
+ | export GPG_AGENT_INFO | ||
+ | else | ||
+ | eval $(gpg-agent --daemon --write-env-file ~/ | ||
+ | fi</ | ||
+ | - Create/ | ||
+ | - '' | ||
+ | - '' | ||
+ | - '' | ||
+ | pinentry-program / | ||
+ | default-cache-ttl 600 | ||
+ | max-cache-ttl 7200</ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Testcase: | ||
+ | |||
+ | < | ||