This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
osx:start [2018/06/15 14:13] robm [Middle-click via the trackpad] |
osx:start [2020/01/30 20:36] robm [GPG with remote forwarding] |
||
---|---|---|---|
Line 754: | Line 754: | ||
More thorough networking (Ethernet layer, instead of link layer): http:// | More thorough networking (Ethernet layer, instead of link layer): http:// | ||
+ | |||
+ | ===== Automating via SSH configuration files ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | - **As root** on your client system, generate a new SSH keypair to use for VPN. < | ||
+ | - Install new public key into remote system, and prefix with a ForeCommand which is run whenever this key is used to authenticate:< | ||
+ | printf ' | ||
+ | cat ~/ | ||
+ | ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
+ | - Configure client via '' | ||
+ | Hostname $SERVER | ||
+ | User root | ||
+ | # Remote' | ||
+ | # tunnel=" | ||
+ | IdentityFile ~root/ | ||
+ | Tunnel yes | ||
+ | TunnelDevice 0:0 | ||
+ | PermitLocalCommand yes | ||
+ | LocalCommand ~root/ | ||
+ | # Disable connection sharing, otherwise closing VPN may not actually reset | ||
+ | # network settings because vpn.sh (cf. LocalCommand) continues to wait | ||
+ | # for the `ssh` process to exit (which it may not if another session is | ||
+ | # active) | ||
+ | ControlPath none | ||
+ | # Disable use of ssh-agent, as it seems to prevent our preferred identity | ||
+ | # (cf. IdentityFile) being applied, which in turn means we don't trigger the | ||
+ | # ForceCommand of the remote' | ||
+ | IdentityAgent none</ | ||
+ | - Create a new script on your client machine at '' | ||
+ | # .ssh/ | ||
+ | REMOTE_HOST=$1 | ||
+ | TUNNEL_DEVICE=$2 | ||
+ | |||
+ | ifconfig $TUNNEL_DEVICE inet 172.16.0.2 172.16.0.1 | ||
+ | ROUTE=$(route get $REMOTE_HOST) | ||
+ | GATEWAY=$(sed -ne 's/^ *gateway: //p' <<<" | ||
+ | INTERFACE=$(sed -ne 's/^ *interface: //p' <<<" | ||
+ | route add $REMOTE_HOST $GATEWAY | ||
+ | route add 10/8 $GATEWAY | ||
+ | route change default 172.16.0.1 | ||
+ | WAIT_PID=$PPID | ||
+ | ( | ||
+ | while kill -0 $WAIT_PID >/ | ||
+ | # The route gets deleted when the SSH tunnel closes gracefully and tun0 disappears | ||
+ | route change default $GATEWAY | ||
+ | route add default $GATEWAY | ||
+ | route delete 10/8 $GATEWAY | ||
+ | route delete $REMOTE_HOST $GATEWAY | ||
+ | ) &</ | ||
+ | - Make the new script executable: < | ||
+ | - Test it by running < | ||
+ | |||
+ | Sample session showing the output from the commands above: | ||
+ | |||
+ | < | ||
+ | # ssh-keygen -f ~/ | ||
+ | Generating public/ | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | SHA256: | ||
+ | The key's randomart image is: | ||
+ | +---[RSA 2048]----+ | ||
+ | |X+ | | ||
+ | |OB | | ||
+ | |Bo* o | ||
+ | |** B . . . | | ||
+ | |+.= . S . o | | ||
+ | |. o * * o | | ||
+ | |. = B B | | ||
+ | |+ . = = | | ||
+ | |oE +o. | | ||
+ | +----[SHA256]-----+ | ||
+ | |||
+ | # ( \ | ||
+ | # | ||
+ | # cat ~/ | ||
+ | # ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
+ | tunnel=" | ||
+ | |||
+ | # ssh vpn | ||
+ | add host www.robmeerman.co.uk: | ||
+ | add net 10: gateway 10.1.36.1 | ||
+ | change net default: gateway 172.16.0.1 | ||
+ | |||
+ | # Nothing further appears to happen. VPN is up and running! Try `traceroute | ||
+ | # google.com` in another terminal to verify that the traffic is going via your | ||
+ | # server and not its default route. | ||
+ | |||
+ | # When all done, press ^C to kill the VPN and restore default settings. Your | ||
+ | # prompt will return first, and *then* the clean-up code will execute and | ||
+ | # print: | ||
+ | ^C | ||
+ | route: writing to routing socket: not in table | ||
+ | change net default: gateway 10.1.36.1: not in table | ||
+ | add net default: gateway 10.1.36.1 | ||
+ | delete net 10: gateway 10.1.36.1 | ||
+ | delete host www.robmeerman.co.uk: | ||
+ | </ | ||
====== Global Keyboard Shortcut to toggle Skype microphone ====== | ====== Global Keyboard Shortcut to toggle Skype microphone ====== | ||
Line 804: | Line 904: | ||
brew cask install smcfancontrol | brew cask install smcfancontrol | ||
+ | ====== GPG with remote forwarding ====== | ||
+ | |||
+ | GPG Agent forwarding allows a remote system to access secrets held in your local system via an SSH tunnel. When you are not connected to the remote system, it cannot access your secrets, and if the remote system is compromised your secrets are not (since they are never stored on it). | ||
+ | |||
+ | My (initial) use-case is to allow docker on a remote host to store login my login credentials (so I can push/pull images when working), but not store secrets on that hose. THe default behaviour is to store my password in plain text, which is unacceptable. | ||
+ | |||
+ | So I opted to use [[https:// | ||
+ | |||
+ | So I want to use GPG agent forwarding to allow '' | ||
+ | |||
+ | Overview (notes to follow, I hope): | ||
+ | |||
+ | - Install GPG locally and create an identity | ||
+ | - Ensure that passphrase challenge (" | ||
+ | - Install GPG on remote, and import public key | ||
+ | - Configure SSH to forward agent socket | ||
+ | - Disable systemd stuff which creates (unused) gpg sockets and/or configure SSHd to allow you to delete and recreate those sockets | ||
+ | |||
+ | Gotchas to document: | ||
+ | |||
+ | Invalid ioctl for device means the GPG agent was attempting to open a TTY. The agent lives on my MacBook, but the request comes from a remote system. So the remote system' | ||
+ | |||
+ | https:// | ||
+ | |||
+ | - '' | ||
+ | - Append to '' | ||
+ | source ~/ | ||
+ | export GPG_AGENT_INFO | ||
+ | else | ||
+ | eval $(gpg-agent --daemon --write-env-file ~/ | ||
+ | fi</ | ||
+ | - Create/ | ||
+ | - '' | ||
+ | - '' | ||
+ | - '' | ||
+ | pinentry-program / | ||
+ | default-cache-ttl 600 | ||
+ | max-cache-ttl 7200</ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Testcase: | ||
+ | |||
+ | < | ||
+ | |||
+ | Remote end: | ||
+ | |||
+ | Modify ''/ | ||
+ | |||
+ | < | ||
+ | # Allow socket files to be unlinked by incoming connections (intended to | ||
+ | # faciliate use of GPG Agent) | ||
+ | StreamLocalBindUnlink yes | ||
+ | </ | ||
+ | |||
+ | See https:// | ||
+ | ====== Number Pad ====== | ||
+ | |||
+ | I installed an application to make my iPhone act as a Number Pad: https:// | ||
+ | |||
+ | Satisfies [[https:// |