This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
osx:start [2018/06/15 14:13] robm [Middle-click via the trackpad] |
osx:start [2022/05/13 13:19] robm [GPG with remote forwarding] |
||
---|---|---|---|
Line 671: | Line 671: | ||
sudo route add default $NAKED_GATEWAY_IP | sudo route add default $NAKED_GATEWAY_IP | ||
</ | </ | ||
- | |||
- | ====== VPN over SSH ====== | ||
- | |||
- | * **Server**: GNU/Linux (Ubuntu 12.04) -- '' | ||
- | * **Client**: MacOS/BSD (El Capitan, v10.11.5) -- '' | ||
- | |||
- | Create and configure a tunnelled connection between client and server, via '' | ||
- | |||
- | - Go install http:// | ||
- | - SSH into the server and edit ''/ | ||
- | PermitRootLogin yes | ||
- | PermitTunnel yes | ||
- | </ | ||
- | - Restart SSHd on the server ('' | ||
- | - Log out of server (need to reconnect to make use of config changes) | ||
- | - **As root** on the client machine, SSH into the root account on the server with tun devices enabled via '' | ||
- | - Within the resulting root shell on the **server**, configure the new '' | ||
- | ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2 | ||
- | ifconfig tun0 | ||
- | ping 172.16.0.1 | ||
- | ping 172.16.0.2 | ||
- | </ | ||
- | - In a root shell on the **client**, configure the new '' | ||
- | ifconfig tun0 inet 172.16.0.2 172.16.0.1 | ||
- | ifconfig tun0 | ||
- | ping 172.16.0.2 | ||
- | ping 172.16.0.1 | ||
- | </ | ||
- | - Back in the root shell on the **server**, repeat '' | ||
- | - The tunnel is now configured. It will remain so until the SSH session is closed. | ||
- | |||
- | Configure IPv4 (ICMP+TCP+UDP) forwarding and Network Address Translation (NAT): | ||
- | |||
- | - In the root shell on the **server** (only needs to be done one per boot): < | ||
- | # Prepare networking stack for use by forced commands in | ||
- | # / | ||
- | # between 172.16.0.1 (this host) and 172.16.0.2 (remote end). | ||
- | |||
- | # We then want to enabling forwarding of IPv4 traffic, i.e. we want to act as a | ||
- | # router. We enable this in the kernel, and then ensure traffic originating | ||
- | # from the remote side of the point-to-point link is accepted, and any | ||
- | # responses are likewise accepted | ||
- | echo 1 > / | ||
- | / | ||
- | / | ||
- | -m state --state RELATED, | ||
- | / | ||
- | |||
- | # Any traffic originating from the remote side should go through Network | ||
- | # Address Translation (NAT), so responses from (e.g.) DNS servers are sent to | ||
- | # this host, so *we* can forward it to the remote end. This is the MASQUERADE | ||
- | # rule. | ||
- | / | ||
- | / | ||
- | |||
- | # Monitor packets | ||
- | watch -n0.5 -d ifconfig tun0 | ||
- | </ | ||
- | - As root on the **client**: < | ||
- | route add 10.0.0.0/8 -interface tun0 | ||
- | </ | ||
- | - IPv4 forwarding via '' | ||
- | |||
- | Note: The changes made to the server persist after the SSH session has ended. | ||
- | |||
- | To get name resolution working, you need to configure the client to use a DNS server at the remote end, e.g. | ||
- | |||
- | - Discover the DNS nameservers used by the **server**: < | ||
- | - Add these to the **client** system: < | ||
- | |||
- | You may also want to add your remote system' | ||
- | |||
- | Most useful guides: | ||
- | |||
- | * http:// | ||
- | * http:// | ||
- | * https:// | ||
- | * https:// | ||
- | * http:// | ||
- | * NAT: http:// | ||
- | * SSH, including forced-commands via '' | ||
- | |||
- | More thorough networking (Ethernet layer, instead of link layer): http:// | ||
====== Global Keyboard Shortcut to toggle Skype microphone ====== | ====== Global Keyboard Shortcut to toggle Skype microphone ====== | ||
Line 795: | Line 712: | ||
session | session | ||
</ | </ | ||
- | |||
These appear to be tried in the order listed, and if one aborts (e.g. press ESC for TouchID) the next is tried (i.e. the usual terminal password prompt) | These appear to be tried in the order listed, and if one aborts (e.g. press ESC for TouchID) the next is tried (i.e. the usual terminal password prompt) | ||
+ | |||
+ | To make this work from within '' | ||
+ | |||
+ | Install by first running: | ||
+ | |||
+ | < | ||
+ | brew install pam-reattach | ||
+ | </ | ||
+ | |||
+ | and then modifying ''/ | ||
+ | |||
+ | < | ||
+ | # sudo: auth account password session | ||
+ | auth | ||
+ | auth | ||
+ | auth | ||
+ | auth | ||
+ | account | ||
+ | password | ||
+ | session | ||
+ | </ | ||
====== Automatic fan control when on AC power to avoid sweaty palms ====== | ====== Automatic fan control when on AC power to avoid sweaty palms ====== | ||
Line 803: | Line 740: | ||
brew cask install smcfancontrol | brew cask install smcfancontrol | ||
+ | |||
+ | ====== GPG with remote forwarding ====== | ||
+ | |||
+ | GPG Agent forwarding allows a remote system to access secrets held in your local system via an SSH tunnel. When you are not connected to the remote system, it cannot access your secrets, and if the remote system is compromised your secrets are not (since they are never stored on it). | ||
+ | |||
+ | My (initial) use-case is to allow docker on a remote host to store login my login credentials (so I can push/pull images when working), but not store secrets on that hose. THe default behaviour is to store my password in plain text, which is unacceptable. | ||
+ | |||
+ | So I opted to use [[https:// | ||
+ | |||
+ | So I want to use GPG agent forwarding to allow '' | ||
+ | |||
+ | Overview (notes to follow, I hope): | ||
+ | |||
+ | - Install GPG locally and create an identity | ||
+ | - Ensure that passphrase challenge (" | ||
+ | - Install GPG on remote, and import public key | ||
+ | - Configure SSH to forward agent socket | ||
+ | - Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets | ||
+ | |||
+ | Gotchas to document: | ||
+ | |||
+ | Invalid ioctl for device means the GPG agent was attempting to open a TTY. The agent lives on my MacBook, but the request comes from a remote system. So the remote system' | ||
+ | |||
+ | https:// | ||
+ | |||
+ | - '' | ||
+ | - Append to '' | ||
+ | source ~/ | ||
+ | export GPG_AGENT_INFO | ||
+ | else | ||
+ | eval $(gpg-agent --daemon --write-env-file ~/ | ||
+ | fi</ | ||
+ | - Create/ | ||
+ | - '' | ||
+ | - '' | ||
+ | - '' | ||
+ | pinentry-program / | ||
+ | default-cache-ttl 600 | ||
+ | max-cache-ttl 7200</ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Testcase: | ||
+ | |||
+ | < | ||
+ | |||
+ | Remote end: | ||
+ | |||
+ | Modify ''/ | ||
+ | |||
+ | < | ||
+ | # Allow socket files to be unlinked by incoming connections (intended to | ||
+ | # faciliate use of GPG Agent) | ||
+ | StreamLocalBindUnlink yes | ||
+ | </ | ||
+ | |||
+ | See https:// | ||
+ | |||
+ | Client: '' | ||
+ | |||
+ | Server: '' | ||
+ | |||
+ | .. and trust it, or tools like ' | ||
+ | |||
+ | Server: '' | ||
+ | |||
+ | Server testcase: < | ||
+ | |||
+ | **Future direction**: | ||
+ | ====== Number Pad ====== | ||
+ | |||
+ | I installed an application to make my iPhone act as a Number Pad: https:// | ||
+ | |||
+ | Satisfies [[https:// | ||
+ | |||
+ | ====== Working with Certificates ====== | ||
+ | |||
+ | Tool to help with generating / converting certificates: | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ====== Monitor Brightness Control (external monitor) ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | < | ||
+ | brew cask install monitorcontrol | ||
+ | </ | ||
+ | |||
+ | ====== Fan Control ====== | ||
+ | |||
+ | (iStat Menus doesn' | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ====== Change URL and file-type/ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | or '' | ||
+ | |||
+ | ====== Download files from interactive SSH sessions ====== | ||
+ | |||
+ | iTerm2.app snippet: | ||
+ | |||
+ | < | ||
+ | alias download=" | ||
+ | Li4uIgogIGV4aXQgMQpmaQpmb3IgZmlsZW5hbWUgaW4gIiRAIgpkbwogIGlmIFsgISAtciAiJGZp | ||
+ | bGVuYW1lIiBdIDsgdGhlbgogICAgZWNobyBGaWxlICRmaWxlbmFtZSBkb2VzIG5vdCBleGlzdCBv | ||
+ | ciBpcyBub3QgcmVhZGFibGUuCiAgICBjb250aW51ZQogIGZpCgogIGZpbGVuYW1lNjQ9JChlY2hv | ||
+ | IC1uICIkZmlsZW5hbWUiIHwgYmFzZTY0KQogIGZpbGVzaXplPSggJCh3YyAtYyAiJHtmaWxlbmFt | ||
+ | ZX0iKSApCiAgcHJpbnRmICJcMDMzXTEzMzc7RmlsZT1uYW1lPSR7ZmlsZW5hbWU2NH07c2l6ZT0k | ||
+ | e2ZpbGVzaXplWzBdfToiCiAgYmFzZTY0IDwgIiRmaWxlbmFtZSIKICBwcmludGYgJ1xhJwpkb25l | ||
+ | Cg==' | ||
+ | |||
+ | </ | ||
+ | |||
+ | Also offered as an answer [[https:// | ||