Firstyear's blog| fy.blackhats.net.au
On the 3rd of September, Yubico announced YSA-2024-03, a vulnerability in the Infineon cryptographic library which may allow private key extraction to be performed. As is tradition, armchair experts and thought leaders everywhere rushed to have hot takes on the situation, without adequately understanding the way that the attack works and how it fits into Webauthn on a technical level. TL;DR - Do I Need To Worry? No. This attack, while cool as heck, is not a risk to the majority of yubikey user...
Due to a certain motherboard manufacturer having no quality control of their firmware updates, my previous home lab server had 4 of its 12 DIMM slots fail. This necessitated a rapid replacement of the machine, as I use it heavily for work. While frustrating, rather than lift my existing OpenSUSE Leap install to the new machine, I decided to reinstall - this time, with ZFS as the root filesystem. I have had enough issues with BTRFS performance and reliability to finally commit to moving away f...
As the maintainer of Rust in openSUSE I am often asked to support build reproducibility in our supply chain. I've spent countless hours researching the problem, and discussing it with security experts to understand the details. Thanks to the XZ incident this topic has once again come up, since after any security incident people always use the attention to further their own agendas. As a result, I'd like to write my very unscientific thoughts about reproducible builds. Before We Begin Let's perf...
A somewhat hidden feature of MacOS is that it has excellent built-in support for PIV (smartcard) authentication. In this guide, we'll go through how to set that up. In this example we'll be using YubiKey 5s as our smartcards. This may require you to alter some commands used in this guide. Prerequisites If you are using Yubico's PIV tool you should install it from Yubico's site for the signed binaries rather than installing from homebrew. You should also have a plan for how you want to use you...
XZ Ahh, it's that beautiful spontaneous time of year. A major public security incident has occurred in open source. All of the epidemiologists of 2020 suddenly emerge from their chrysalis once more as a beautiful incarnation of a security expert. The hot takes flow more freely than cocaine at a Liberal party event. My share portfolio doubled in value due to taking a long position on popcorn futures. It's now been nearly 2 weeks since this glorious event, and the hot takes have started to settl...
SSH Key Authentication Basics SSH (Secure Shell) allows remotely accessing the command line interface (CLI) of a remote machine. This is very useful for administration of a machine that may be in a completely different country or building. Because of this, SSH is a very attractive target for attackers. Defaults The default is to log in with a username and password. ...
Webauthn Attestation and OpenSource Keys Webauthn (Passkeys) are only going to become more important in the future and as this grows, deployments with higher security risks and criticality are going to need to start to understand and embrace attestation of their keys. In their current form, almost all software products and IDMs today allow you to enroll any cryptographic authenticator. It doesn't matter what make or model it is, it will be allowed. However, not all authenticators are made eq...
Getting Started with PKCS11 PKCS11 is one of those horrible mystery technologies that just seems to have no good starting place or reference on how to make it work. But it's also a technology that you see commonly around for hardware security modules (HSM), trusted platform modules (TPM) and other high impact cryptographic environments. This makes it an annoying chasm to cross for developers and administrators alike who want to configure these important tools for key security. So I decided t...
SSH Key Storage A kind reader asked me an interesting question the other day. "What do you think of the choice of ssh sk keys between ecdsa and ed25519?". At the same time, within Kanidm we have actually been discussing the different approaches we could take with ssh key handling in the future between ssh CAs and ssh sk key attestation, especially once we consider service accounts. As with anything in security we always need to balance the technology with the risks and threats that we are try...
Storage Administration Guide This guide will help you understand, configure and maintain storage on Linux servers. The content of this guide is optimised for reliability and accessibility. This is based not only on my own experiences but observing the experiences of enterprise customers for many years. ⚠️ Warnings ⚠️ Making changes to storage entails risks. Linux and its storage tools have no safety barriers. Mistakes can result in COMPLETE LOSS OF ALL YOUR DATA. DO NOT COPY PASTE COM...
Starting with Rage on OpenSUSE Rage is a Rust implementation of Age, a modern, simple and secure file encryption tool. It is easier to use than other tools like GPG, and being written in a memory safe language it avoids many of the exploits that may occur in C based tools. Installing Rage You can install rage on Leap or Tumbleweed from zypper: zypper install rage-encryption Alternately you can install from cargo with: cargo install rage Key management The recipient must generate a key. This can...
About I'm William (Firstyear), a software engineer in Brisbane, Australia. I'm part of the 389 Directory Server team, working for SUSE Labs. I'm always happy to talk LDAP and programming, and am very happy to help out with your issues and queries. I can be contacted about entries on my blog at william at blackhats dot net dot au. If there is anything you would like to see on this blog, I'd be happy to hear from you. Happy reading!
Using a TPM for SSH keys on OpenSUSE Tumbleweed In some environments it is required to store ssh private keys in a way where they can not be extracted from the machine. Trusted Platform Modules (TPM) are an excellent way to achieve this. While other guides exist online for how to configure this for other distributions, this will focus on OpenSUSE Tumbleweed. Install Packages The following is required to be installed: zypper install tpm2-pkcs11 tpm2.0-tools tpm2-0-tss libtpm2_pkcs11-0 tpm2-pkc...
Why are PBKDF2-SHA256 and PBKDF2_SHA256 different in 389-ds? In a mailing list discussion recently it came up about what password hash format you should use in 389-ds. Confusingly we have two PBKDF2 SHA256 implementations, which has a bit of history. Too Lazy, Didn't Read Use PBKDF2-SHA256 (hyphen, not underscore). What's PBKDF2 anyway? Passwords are a shared-knowledge secret, so knowledge of the password allows you to authenticate as the person. When we store that secret, we don't want it s...
Why Decentralised ID Won't Work Thanks to a number of high profile and damaging security incidents in Australia people have once again been discussing Decentralised ID (DID). As someone who has spent most of my career working on identity management, I'm here to tell you why it will not work. What Is Decentralised ID Trying To Do? To understand what DID is trying to achieve we have to look at what a "centralised" system is doing. Let's consider an account holder like Google. You create an acco...
Where to start with linux authentication? Recently I was asked about where someone could learn how linux authentication works as a "big picture" and how all the parts communicate. There aren't too many great resources on this sadly, so I've decided to write this up. Who ... are you? The first component in linux identity is NSS or nsswitch (not to be confused with NSS the cryptography library ... ). nsswitch (name service switch) is exposed by glibc as a method to resolve uid/gid numbers and n...
Exploring Webauthn Use Cases Webauthn is viewed by many people and companies as the future of authentication on the internet and within our workplaces. It has the support of many device manufacturers, browser vendors and authentication providers. But for Webauthn's lofty goals and promises, as a standard it has many fractured parts. Many of the features it claims at best don't work, at worst, present possible security risks. The standard itself is quite confusing, uses dense and obtuse langua...
Enable caBLE on your iPhone for testing caBLE allows a nearby device (such as your iPhone) to be used as a webauthn authenticator. Given my work on WebauthnRS I naturally wanted to test this! When I initially tried to test caBLE with webauthn via my iPhone, I received an error that the operation wasn't available at this time. There was no other information available. Debugging After some digging into Console.app, I found the log message from AuthenticationServicesAgent which stated: "Syncing ...
Documentation PRs Welcome - Why Docs Are Not A Beginner Friendly Task Recently I was reporting a usability issue with a library, mainly related to its confusing or absent documentation. A friend of mine saw the exchange and commented (quite accurately) that it went along the lines of: Me: This library should improve its documentation Project: PRs welcome Me: I can't write the docs because I don't know how this works without documentation My friend also commented "[this] is probably the re...
How CTAP2.0 made UserVerification even more confusing I have previously written about how Webauthn introduces a false sense of security with how it manages UserVerification (UV) by default. To summarise, when you request "preferred" which means "perform UV if possible", it can be bypassed since relying parties (RP) do not check if UV was actually performed, and Webauthn makes no recommendations on how to store credentials in a manner that allows future checking to ensure UV is requested or ...
Nextcloud - Unable to Open Photos Library I noticed since macos 11.6.2 that Nextcloud has been unable to sync my photos library. Looking into this error in Console.app I saw: error kernel System Policy: Nextcloud(798) deny(1) file-read-data /Users/william/Pictures/Photos Library.photoslibrary It seems that Nextcloud is not sandboxed which means that macos enforces stricter permissions on what this can or can not access, which is what prevented the photos library from syncing. To resolve this ...
Transactional Operations in Rust Earlier I was chatting to Yoshua, the author of this async cancellation blog, about the section on halt-safety. The blog is a great read so I highly recommend it! The section on halt-safety is bang on correct too, but I wanted to expand on this topic further from what they have written. Memory Safety vs Application Safety Yoshua provides the following code example in their blog: // Regardless of where in the function we stop execution, destructors will be // ru...
Results from the OpenSUSE 2021 Rust Survey From September the 8th to October the 7th, OpenSUSE has helped me host a survey on how developers are using Rust in their environments. As the maintainer of the Rust packages in SUSE and OpenSUSE it was important for me to get a better understanding of how people are using Rust so that we can make decisions that match how the community is working. First, to every single one of the 1360 people who responded to this survey, thank you! This exceeded my ...
Gnome 3 compared to MacOS An assertion I have made in the past is that to me "Gnome 3 feels like MacOS with rough edges". After some discussions with others, I'm finally going to write this up with examples. It's worth pointing out that in my opinion, Gnome 3 is probably still the best desktop experience on Linux today for a variety of reasons - it's just that for me, these rough edges really take away from that being a good experience for me. High Level Structure Comparison Here's a pair of s...
StartTLS in LDAP LDAP as a protocol is a binary protocol which uses ASN.1 BER encoded structures to communicate between a client and server, to query directory information (ie users, groups, locations, etc). When this was created there was little consideration to security with regard to person-in-the-middle attacks (aka mitm: meddler in the middle, interception). As LDAP has become used not just as a directory service for accessing information, but now as an authentication and authorisation s...
Getting started with Yew NOTE This post is really outdated now, there are easier ways to start. See the yew official docs as this process has gotten much easier! Yew is a really nice framework for writing single-page-applications in Rust, that is then compiled to wasm for running in the browser. For me it has helped make web development much more accessible to me, but getting started with it isn't always straight forward. This is the bare-minimum to get a "hello world" in your browser - from...
Compiler Bootstrapping - Can We Trust Rust? Recently I have been doing a lot of work for SUSE with how we package the Rust compiler. This process has been really interesting and challenging, but like anything it's certainly provided a lot of time for thought while waiting for my packages to build. The Rust package in OpenSUSE has two methods of building the compiler internally in its spec file. Use our previously packaged version of rustc from packages Bootstrap using the signed and prebuilt...
Open Source Enshrines the Wrong Privilege Within Open Source/Free Software, we repeatedly see a set of behaviours - hostile or toxic project owners, abusive relationships, aggression towards users, and complete disregard to users of the software. Some projects have risen above this and advanced the social behaviours in their communities, but these are still the minority of projects. Many advocates for FLOSS have been trying to enhance adoption of these technologies in communities, but with th...
Time Machine on Samba with ZFS Time Machine is Apple's in-built backup system for MacOS. It's probably the best consumer backup option, which really achieves "set and forget" backups. It can back up to an external hard disk on a dock, an Apple Time Machine (wireless access point), or a custom location based on SMB shares. Since I have a fileserver at home, I use this as my Time Machine backup target. To make this work really smoothly there are a few setup steps. MacOS Time Machine Performance ...
Against Packaging Rust Crates Recently the discussion has once again come up around the notion of packaging Rust crates as libraries in distributions. For example, taking a library like serde and packaging it to an RPM. While I use RPM as the example here it applies equally to other formats. Proponents of crate packaging want all Rust applications to use the "distributions" versions of a crate. This is to prevent "vendoring" or "bundling". This is where an application (such as 389 Directory ...
Getting Started Packaging A Rust CLI Tool in SUSE OBS Distribution packaging always seems like something that is really difficult or hard to do, but the SUSE Open Build Service makes it really easy to not only build packages, but to then contribute them to Tumbleweed. Not only that, OBS can also build for Fedora, CentOS and more. Getting Started You'll need to sign up to the service - there is a sign up link on the front page of OBS. To do this you'll need a SUSE environment. Docker is an easy way...
Webauthn UserVerificationPolicy Curiosities Recently I received a pair of interesting bugs in Webauthn RS where certain types of authenticators would not work in Firefox, but did work in Chromium. This confused me, and I couldn't reproduce the behaviour. So like any obsessed person I ordered myself one of the affected devices and waited for Australia Post to lose it, find it, lose it again, and then finally deliver the device 2 months later. In the meantime I swapped browsers from Firefox to E...
Rust, SIMD and target-feature flags This year I've been working on concread and one of the ways that I have improved it is through the use of packed_simd for parallel key lookups in hashmaps. During testing I saw a ~10% speed up in Kanidm which heavily relies on concread, so great, pack it up, go home. ...? Or so I thought. Recently I was learning to use Ghidra with a friend, and as a thought exercise I wanted to see how Rust decompiled. I put the concread test suite into Ghidra and took a lo...
Deploying sccache on SUSE sccache is a ccache/icecc-like tool from Mozilla, which in addition to working with C and C++, is also able to help with Rust builds. Adding the Repo A submission to Factory (tumbleweed) has been made, so check if you can install from zypper: zypper install sccache If not, sccache is still part of devel:tools:building so you will need to add the repo to use sccache: zypper ar -f obs://devel:tools:building devel:tools:building zypper install sccache It's also importan...
How a Search Query is Processed in Kanidm Databases from postgres to sqlite, mongodb, and even LDAP all need to take a query and turn that into a meaningful result set. This process can often seem like magic, especially when you consider an LDAP server is able to process thousands of parallel queries, with a database spanning millions of entries, and still can return results in less than a millisecond. Even more impressive is that every one of these databases can be expected to return the corr...
Using SUSE Leap Enterprise with Docker It's a little bit annoying to connect up all the parts for this. If you have a SLE15 system then credentials for SCC are automatically passed into containers via secrets. But if you are on a non-SLE base, like myself with MacOS or OpenSUSE, you'll need to provide these to the container in another way. The documentation is a bit tricky to search and connect up what you need but in summary: Get /etc/SUSEConnect and /etc/zypp/credentials.d/SCC...
Windows Hello in Webauthn-rs Recently I've been working again on webauthn-rs, as a member of the community wants to start using it in production for a service. So far the development of the library has been limited to the test devices that I own, but now this pushes me toward implementing true fido compliance. A really major part of this though was that a lot of their consumers use windows, which means supporting windows hello. A background on webauthn Webauthn itself is not a specification for ...
User gesture is not detected - using iOS TouchID with webauthn-rs I was recently contacted by a future user of webauthn-rs who indicated that the library may not currently support Windows Hello as an authenticator. This is due to the nature of the device being a platform attached authenticator and that webauthn-rs at the time did not support attachment preferences. As I have an ipad, and it's not a primary computing device, I decided to upgrade to iPadOS 14 beta to try out webauthn via touch (...
docker buildx for multiarch builds I have been previously building Kanidm with plain docker build, but recently a community member wanted to be able to run kanidm on arm64. That meant that I needed to go down the rabbit hole of how to make this work ... What not to do ... There is a previous method of using manifest files to allow multiarch uploads. It's pretty messy but it works, so this is an option if you want to investigate but I didn't want to pursue it. Buildx exists and I got it workin...
Developer Perspective on Docker A good mate of mine Ron Amosa put a question up on twitter about what developers think Docker brings to the table. I'm really keen to see what he has to say (his knowledge of CI/CD and Kubernetes is amazing by the way!), but I thought I'd answer his question from my view as a software engineer. Docker provides resource isolation and management to applications Let's break that down. What is a resource? What is an application? It doesn't matter what kind of app...
virt-manager missing pci.ids usb.ids macos I got the following error: /usr/local/Cellar/libosinfo/1.8.0/share/libosinfo/pci.ids No such file or directory This appears to be an issue in libosinfo from homebrew. Looking at the libosinfo source, there are some aux download files. You can fix this with: mkdir -p /usr/local/Cellar/libosinfo/1.8.0/share/libosinfo/ cd /usr/local/Cellar/libosinfo/1.8.0/share/libosinfo/ wget -q -O pci.ids http://pciids.sourceforge.net/v2.2/pci.ids wget -q -O usb.ids h...
Resolving AirPlayXPCHelper Perr NULL kCanceledErr with Apple TV and MacOS I decided to finally get an Apple TV so that I could use my iPad and MacBook Pro to airplay to my projector. So far I've been really impressed by it and how well it works with modern amplifiers and my iPad. Sadly though, when I tried to use my MacBook Pro to airplay to the Apple TV I received an "Unable to connect" error, with no further description. Initial Research The first step was to look in console.app at the loca...
Building containers on OBS My friend showed me how to build containers in OBS, the opensuse build service. It makes it really quite nice, as the service can parse your dockerfile, and automatically trigger rebuilds when any package dependency in the chain requires a rebuild. The simplest way is to have a separate project for your containers to make the repository setup a little easier. When you edit the project metadata, if the project doesn't already exist, a new one is created. So we can st...
389ds in containers I've spent a number of years working in the background to get 389-ds working in containers. I think it's very close to production ready (one issue outstanding!) and I'm now using it at home for my production LDAP needs. So here's a run down on using 389ds in a container! Getting it Started The team provides an image for pre-release testing which you can get with docker pull: docker pull 389ds/dirsrv:latest # OR, if you want to be pinned to the 1.4 release series. docker pu...
APFS (why is df showing me funny numbers?!) Apple's APFS has been the default for MacOS since High Sierra, where SSD (flash) automatically would convert from HFS+. This is a godsend, especially with HFS+'s history of destroying any folder that has a large number of inodes within it. However, APFS behaves differently to previous filesystem technology. Let's see if we can explain why df reports multiple 932Gi disks like this: > df -h Filesystem Size Used Avail Capacity iused ifree %iused Mount...
USG fixing avahi Sadly on the USG pro 4 avahi will regularly spiral out of control taking up 100% cpu. To fix this, we set an hourly restart: sudo -s crontab -e Then add: 15 * * * * /usr/sbin/service avahi-daemon restart
Fedora 32 Wallpaper Submission - Story Fedora opens submissions for wallpapers to be submitted for the next version of the release. I used fedora for a long time, so I decided to submit this photo, and write this post to talk about it: This was takeing on 2019-11-19 in my home city of Adelaide, South Australia. I had traveled to see some friends over Christmas. We went to Mount Osmond to take some photos, and I took this as we walked up to the lookout. The next day, this area was a high risk ...| Firstyear's blog-a-log
Fixing a MacBook Pro 8,2 with dead AMD GPU I've owned a MacBook Pro 8,2 late 2011 edition, which I used from 2011 to about 2018. It was a great piece of hardware, and honestly I'm surprised it lasted so long given how many MacOS and Fedora installs it's seen. I upgraded to a MacBook Pro 15,1, and I gave the 8,2 to a friend who was in need of a new computer so she could do her work. It worked really well for her until today when she's messaged me that the machine is having a problem. The Probl...| Firstyear's blog-a-log
There are no root causes At Gold Coast LCA2020 I gave a lightning talk on swiss cheese. Well, maybe not really swiss cheese. But it was about the swiss cheese failure model which was proposed at the university of manchester. Please note this will cover some of the same topics as the talk, but in more detail, and with less jokes. An example problem So we'll discuss the current issues behind modern CPU isolation attacks IE spectre. Spectre is an attack that uses timing of a CPU's speculative ex...| Firstyear's blog-a-log
Concurrency 1: Types of Concurrency I want to explain different types of concurrent datastructures, so that we can explore their properties and when or why they might be useful. As our computer systems become increasingly parallel and asynchronous, it's important that our applications are able to work in these environments effectively. Languages like Rust help us to ensure our concurrent structures are safe. CPU Memory Model Crash Course In no way is this a thorough, complete, or 100% accurat...| Firstyear's blog-a-log
Concurrency 2: Concurrently Readable Structures In this post, I'll discuss concurrently readable datastructures that exist, and ideas for future structures. Please note, this post is an inprogress design, and may be altered in the future. Before you start, make sure you have read part 1 Concurrent Cell The simplest form of concurrently readable structure is a concurrent cell. This is equivalent to a read-write lock, but has concurrently readable properties instead. The key mechanism to enable...| Firstyear's blog-a-log
Packaging and the Security Proposition As a follow up to my post on distribution packaging, it was commented by Fraser Tweedale (@hackuador) that traditionally the "security" aspects of distribution packaging was a compelling reason to use distribution packages over "upstreams". I want to dig into this further. Why does C need "securing" C as a language is unsafe in every meaning of the word. The best C programmers on the planet are incapable of writing a secure program. This is because to co...| Firstyear's blog-a-log
Packaging, Vendoring, and How It's Changing In today's thoughts, I was considering packaging for platforms like opensuse or other distributions and how that interacts with language based packaging tools. This is a complex and ... difficult topic, so I'll start with my summary: Today, distributions should focus on supporting and distributing applications and work with native language supply chains to enable this. Distribution Packaging Let's start by clarifying what distribution packaging is. ...| Firstyear's blog-a-log
Fixing opensuse virtual machines with resume Today I hit an unexpected issue - after changing a virtual machines root disk to scsi, I was unable to boot the machine. The host is opensuse leap 15.1, and the vm is the same. What's happening! The first issue appears to be that opensuse 15.1 doesn't support scsi disks from libvirt. I'm honestly not sure what's wrong here. The second is that by default opensuse leap configures suspend and resume to disk - by it uses the pci path instead of a swap ...| Firstyear's blog-a-log
Password Quality and Badlisting in Kanidm Passwords are still a required part of any IDM system. As much as I wish for Kanidm to only support webauthn and stronger authentication types, at the end of the day devices can be lost, destroyed, some people may not be able to afford them, some clients aren't compatible with them and more. This means the current state of the art is still multi-factor auth. Something you have and something you know. Despite the presence of the multiple factors, it's ...| Firstyear's blog-a-log
Rust 2020 - helping to get rust deployed This is my contribution to Rust 2020, where community members put forward ideas on what they thing Rust should aim to achieve in 2020. In my view, Rust has had an amazing adoption by developers, and is great if you are in a position to deploy it in your own infrastructure, but we have yet to really see Rust make it to broad low-level components (IE in a linux distro or other infrastructure). As someone who works on "enterprise" software (389-ds) and my...| Firstyear's blog-a-log
Recovering LVM when a device is missing with a cache pool lv I had a heartstopping moment today: my after running a command lvm proudly annouced it had removed an 8TB volume containing all of my virtual machine backing stores. Everyone, A short view back to the past ... I have a home server, with the configured storage array of: 2x 8TB SMR (Shingled Magnetic Recording) archive disks (backup target) 2x 8TB disks (vm backing store) 2x 1TB nvme SSD (os + cache) The vm backing store also had a lv...| Firstyear's blog-a-log
Upgrading OpenSUSE 15.0 to 15.1 It's a little bit un-obvious how to do this. You have to edit the repo files to change the release version, then refresh + update. sed -ri 's/15\.0/15.1/' /etc/zypp/repos.d/*.repo zypper ref zypper dup reboot Note this works on a transactional host too: sed -ri 's/15\.0/15.1/' /etc/zypp/repos.d/*.repo transactional-update dup reboot It would be nice if these was an upgrade tool that would attempt the upgrade and revert the repo files, or use temporary repo file...| Firstyear's blog-a-log
Announcing Kanidm - A new IDM project Today I'm starting to talk about my new project - Kanidm. Kanidm is an IDM project designed to be correct, simple and scalable. As an IDM project we should be able to store the identities and groups of people, authenticate them securely to various other infrastructure components and services, and much more. You can find the source for kanidm on github. For more details about what the project is planning to achieve, and what we have already implemented ple...| Firstyear's blog-a-log
OpenSUSE leap as a virtualisation host I've been rebuilding my network to use SUSE from CentOS, and the final server was my hypervisor. Most of the reason for this is the change in my employment, so I feel it's right to dogfood for my workplace. What you will need Some computer parts (assembaly may be required) OpenSUSE LEAP 15.1 media (dd if=opensuse.iso of=/dev/a_usb_i_hope) What are we aiming for? My new machine has dual NVME and dual 8TB spinning disks. The intent is to have the OS on the...| Firstyear's blog-a-log
LDAP Filter Syntax Validation Today I want to do a deep-dive into a change that will be released in 389 Directory Server 1.4.2. It's a reasonably complicated change for our server, but it has a simple user interaction for admins and developers. I want to peel back some of the layers to explain what kind of experience, thought and team work goes into a change like this. TL;DR - just keep upgrading your 389 Directory Server instance, and our 'correct by default' policy will apply, and you'll ke...| Firstyear's blog-a-log
Using ramdisks with Cargo I have a bit of a history of killing SSDs - probably because I do a bit too much compiling and management of thousands of tiny files. Plenty of developers have this problem! So while thinking one evening, I was curious if I could setup a ramdisk on my mac for my cargo work to output to. Making the ramdisk On Linux you'll need to use tmpfs or some access to /dev/shm. On OSX you need to run a script like the following: diskutil partitionDisk $(hdiutil attach -nomount r...| Firstyear's blog-a-log
CPU atomics and orderings explained Sometimes the question comes up about how CPU memory orderings work, and what they do. I hope this post explains it in a really accessible way. Short Version - I wanna code! Summary - The memory model you commonly see is from C++ and it defines: Relaxed Acquire Release Acquire/Release (sometimes AcqRel) SeqCst These are memory orderings: every operation is "atomic" and so will work correctly, but these rules define how the memory and code around the atomic ar...| Firstyear's blog-a-log
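As an added example (not code from the post), the two cases the summary distinguishes, written against std::sync::atomic: a Release/Acquire pair that publishes a payload written by another thread, and a counter where Relaxed is already enough because each fetch_add is itself atomic. The Mailbox type and the function names are this example's own.

```rust
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// A one-shot mailbox: the producer writes a payload, then raises a flag.
/// The payload store is Relaxed; only the flag carries the synchronisation.
pub struct Mailbox {
    payload: AtomicUsize,
    ready: AtomicBool,
}

impl Default for Mailbox {
    fn default() -> Self {
        Mailbox { payload: AtomicUsize::new(0), ready: AtomicBool::new(false) }
    }
}

impl Mailbox {
    /// Producer side. The Release store on `ready` makes every write
    /// sequenced before it (the Relaxed payload store) visible to any thread
    /// whose Acquire load observes `ready == true`.
    pub fn publish(&self, value: usize) {
        self.payload.store(value, Ordering::Relaxed);
        self.ready.store(true, Ordering::Release);
    }

    /// Consumer side. Spin until an Acquire load sees the flag; after that
    /// the Relaxed payload load is guaranteed to return the producer's value.
    /// With a Relaxed load of the flag instead, reading a stale 0 would be
    /// permitted by the model.
    pub fn receive(&self) -> usize {
        while !self.ready.load(Ordering::Acquire) {
            std::hint::spin_loop();
        }
        self.payload.load(Ordering::Relaxed)
    }
}

/// Hand `value` from one thread to another through a Mailbox and return
/// what the consumer observed.
pub fn handoff(value: usize) -> usize {
    let mb = Arc::new(Mailbox::default());
    let producer = {
        let mb = Arc::clone(&mb);
        thread::spawn(move || mb.publish(value))
    };
    let consumer = {
        let mb = Arc::clone(&mb);
        thread::spawn(move || mb.receive())
    };
    producer.join().unwrap();
    consumer.join().unwrap()
}

/// A plain counter needs atomicity, not ordering: each fetch_add is one
/// atomic read-modify-write, so Relaxed loses no increments. Ordering only
/// matters when other memory must become visible alongside the atomic.
pub fn count_relaxed(threads: usize, per_thread: usize) -> usize {
    let counter = Arc::new(AtomicUsize::new(0));
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let c = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    c.fetch_add(1, Ordering::Relaxed);
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    counter.load(Ordering::SeqCst)
}

fn main() {
    println!("handoff observed {}", handoff(42));
    println!("counter reached {}", count_relaxed(4, 10_000));
}
```

On x86 both orderings compile to the same plain loads and stores, so the difference only shows up on weaker architectures (ARM, POWER) or when the compiler reorders; the ordering argument is a statement to the compiler and the hardware together, not a performance knob.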
I no longer recommend FreeIPA It's probably taken me a few years to write this, but I can no longer recommend FreeIPA for IDM installations. Why not? The FreeIPA project focused on Kerberos and SSSD, with enough other parts glued on to look like a complete IDM project. Now that's fine, but it means that concerns in other parts of the project are largely ignored. It creates design decisions that are not scalable or robust. Due to these decisions IPA has stability issues and scaling issues that...| Firstyear's blog-a-log
Using 389ds with docker I've been wanting to containerise 389 Directory Server for a long time - it's been a long road to get here, but I think that our container support is getting very close to a production ready and capable level. It took so long due to health issues and generally my obsession to do everything right. Today, container support along with our new command line tools makes 389 a complete breeze to administer. So let's go through an example of a deployment now. Please note: the c...| Firstyear's blog-a-log
Implementing Webauthn - a series of complexities ... I have recently started to work on a rust webauthn library, to allow servers to be implemented. However, in this process I have noticed a few complexities to an API that should have so much promise for improving the state of authentication. So far I can say I have not found any cryptographic issues, but the design of the standard does raise questions about the ability for people to correctly implement Webauthn servers. Odd structure decisio...| Firstyear's blog-a-log
The Case for Ethics in OpenSource For a long time there have been incidents in technology which have caused negative effects on people - from leaks of private data, to interfaces that are not accessible, to even issues like UIs doing things that may try to subvert a person's intent. I'm sure there are many more: and we could be here all day listing the various issues that exist in technology, from small to great. The theme however is that these issues continue to happen: we continue to make d...| Firstyear's blog-a-log
Using Rust Generics to Enforce DB Record State In a database, entries go through a lifecycle which represents what attributes they have, db record keys, and if they have conformed to schema checking. I'm currently working on a (private in 2019, public in July 2019) project which is a NoSQL database written in Rust. To help us manage the correctness and lifecycle of database entries, I have been using advice from the Rust Embedded Group's Book. As I have mentioned in the past, state mach...| Firstyear's blog-a-log
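An added example (not the project's code) of the typestate pattern the summary describes: an entry is parameterised by a zero-sized state marker, and the only way to obtain an Entry<Validated> is to pass an Entry<Unvalidated> through schema checking, while a record key exists only on Entry<Committed>. The state names, the toy Schema type and the attribute rules are this example's own assumptions.

```rust
use std::collections::BTreeMap;
use std::marker::PhantomData;

// Lifecycle states as zero-sized marker types; they exist only at compile
// time, so an Entry<Committed> costs nothing more than an Entry<Unvalidated>.
pub struct Unvalidated;
pub struct Validated;
pub struct Committed;

/// A database entry tagged with its lifecycle state.
pub struct Entry<S> {
    attrs: BTreeMap<String, Vec<String>>,
    id: Option<u64>,
    _state: PhantomData<S>,
}

/// A toy schema (constructed for this example): attribute name ->
/// (required, multi-valued).
pub struct Schema {
    pub rules: BTreeMap<&'static str, (bool, bool)>,
}

impl Default for Entry<Unvalidated> {
    fn default() -> Self {
        Entry { attrs: BTreeMap::new(), id: None, _state: PhantomData }
    }
}

impl Entry<Unvalidated> {
    /// Attributes may only be added before validation; there is no
    /// `add_attr` on Entry<Validated> or Entry<Committed>.
    pub fn add_attr(mut self, name: &str, value: &str) -> Self {
        self.attrs.entry(name.to_string()).or_default().push(value.to_string());
        self
    }

    /// Consume the unvalidated entry and, if it conforms to the schema,
    /// return it with the Validated type. Failure yields only an error, so
    /// no Validated value can exist that did not pass these checks.
    pub fn validate(self, schema: &Schema) -> Result<Entry<Validated>, String> {
        for (name, (required, _)) in &schema.rules {
            if *required && !self.attrs.contains_key(*name) {
                return Err(format!("missing required attribute {}", name));
            }
        }
        for (name, values) in &self.attrs {
            match schema.rules.get(name.as_str()) {
                None => return Err(format!("attribute {} not in schema", name)),
                Some((_, false)) if values.len() > 1 => {
                    return Err(format!("attribute {} is single-valued", name))
                }
                _ => {}
            }
        }
        Ok(Entry { attrs: self.attrs, id: None, _state: PhantomData })
    }
}

impl Entry<Validated> {
    /// Only a validated entry can be given a record key and committed.
    pub fn commit(self, id: u64) -> Entry<Committed> {
        Entry { attrs: self.attrs, id: Some(id), _state: PhantomData }
    }
}

impl Entry<Committed> {
    /// Committed entries always carry a key, so this cannot fail.
    pub fn id(&self) -> u64 {
        self.id.expect("committed entries always have a record key")
    }
}

impl<S> Entry<S> {
    /// Reading attributes is allowed in every state.
    pub fn get(&self, name: &str) -> Option<&[String]> {
        self.attrs.get(name).map(Vec::as_slice)
    }
}

/// Schema used below: `name` is required and single-valued, `mail` is
/// optional and may repeat.
pub fn example_schema() -> Schema {
    let mut rules = BTreeMap::new();
    rules.insert("name", (true, false));
    rules.insert("mail", (false, true));
    Schema { rules }
}

fn main() {
    let schema = example_schema();
    let entry = Entry::<Unvalidated>::default()
        .add_attr("name", "alice")
        .add_attr("mail", "alice@example.com");
    let committed = entry.validate(&schema).expect("conforms").commit(1);
    println!("committed {} with name {:?}", committed.id(), committed.get("name"));
    // `entry.validate(&schema)` again here would not compile: it was consumed.
}
```

The security value is that a function taking `Entry<Committed>` can rely on the schema having been checked without re-checking or trusting a runtime flag; the compiler refuses code paths that skip validation.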
Debugging MacOS bluetooth audio stutter I was noticing that audio to my bluetooth headphones from my iPhone was always flawless, but I started to notice stutter and drops from my MBP. After exhausting some basic ideas, I was stumped. To the duck duck go machine, and I searched for issues with bluetooth known issues. Nothing appeared. However, I then decided to debug the issue - thankfully there was plenty of advice on this matter. Press shift + option while clicking bluetooth in the menu-bar...| Firstyear's blog-a-log
GDB autoloads for 389 DS I've been writing a set of extensions to help debug 389-ds a bit easier. Thanks to the magic of python, writing GDB extensions is really easy. On OpenSUSE, when you start your DS instance under GDB, all of the extensions are automatically loaded. This will help make debugging a breeze. zypper in 389-ds gdb gdb /usr/sbin/ns-slapd GNU gdb (GDB; openSUSE Tumbleweed) 8.2 (gdb) ds- ds-access-log ds-backtrace (gdb) set args -d 0 -D /etc/dirsrv/slapd-<instance name> (gdb) ru...| Firstyear's blog-a-log
Programming Lessons and Methods Everyone has their own lessons and methods that they use when they approach programming. These are the lessons that I have learnt, which I think are the most important when it comes to design, testing and communication. Comments and Design Programming is the art of writing human readable code, that a machine will eventually run. Your program needs to be reviewed, discussed and parsed by another human. That means you need to write your program in a way they c...| Firstyear's blog-a-log
Meaningful 2fa on modern linux Recently I heard of someone asking the question: "I have an AD environment connected with <product> IDM. I want to have 2fa/mfa to my linux machines for ssh, that works when the central servers are offline. What's the best way to achieve this?" Today I'm going to break this down - but the conclusion for the lazy is: This is not realistically possible today: use ssh keys with ldap distribution, and mfa on the workstations, with full disk encryption. Background So...| Firstyear's blog-a-log
Using the latest 389-ds on OpenSUSE Thanks to some help from my friend who works on OBS, I've finally got a good package in review for submission to tumbleweed. However, if you are impatient and want to use the "latest" and greatest 389-ds version on OpenSUSE: zypper ar obs://network:ldap network:ldap zypper in 389-ds Docker docker run --rm -i -t registry.opensuse.org/home/firstyear/containers/389-ds-container:latest To make it persistent: docker run -v 389ds_data:/data <your options here ......| Firstyear's blog-a-log
Structuring Rust Transactions I've been working on a database-related project in Rust recently, which takes advantage of my concurrently readable datastructures. However I ran into a problem of how to structure Read/Write transaction structures that shared the reader code, and contain multiple inner read/write types. Some Constraints To be clear, there are some constraints. A "parent" write, will only ever contain write transaction guards, and a read will only ever contain read transaction ...| Firstyear's blog-a-log
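An added example (not the post's code) of one way to meet the stated constraint: a read transaction that owns only read guards, a write transaction that owns only write guards, and a single trait carrying the shared reader logic that both implement. std::sync::RwLock stands in here for the post's concurrently readable structures (a std reader blocks while a writer holds the lock, which the author's types avoid); the Db, Records and NameIndex names are this example's own.

```rust
use std::collections::BTreeMap;
use std::sync::{RwLock, RwLockReadGuard, RwLockWriteGuard};

// Two inner stores that a transaction must view consistently.
pub type Records = BTreeMap<u64, String>;
pub type NameIndex = BTreeMap<String, u64>;

pub struct Db {
    records: RwLock<Records>,
    index: RwLock<NameIndex>,
}

/// A read transaction holds only read guards.
pub struct ReadTxn<'a> {
    records: RwLockReadGuard<'a, Records>,
    index: RwLockReadGuard<'a, NameIndex>,
}

/// A write transaction holds only write guards.
pub struct WriteTxn<'a> {
    records: RwLockWriteGuard<'a, Records>,
    index: RwLockWriteGuard<'a, NameIndex>,
}

/// The reader API. Each transaction type supplies the two accessors; every
/// query is written once as a default method and shared by both.
pub trait ReadOps {
    fn records(&self) -> &Records;
    fn index(&self) -> &NameIndex;

    /// Resolve a name through the index, then fetch the record.
    fn lookup(&self, name: &str) -> Option<&str> {
        let id = self.index().get(name)?;
        self.records().get(id).map(String::as_str)
    }

    fn count(&self) -> usize {
        self.records().len()
    }
}

impl ReadOps for ReadTxn<'_> {
    fn records(&self) -> &Records { &self.records }
    fn index(&self) -> &NameIndex { &self.index }
}

impl ReadOps for WriteTxn<'_> {
    fn records(&self) -> &Records { &self.records }
    fn index(&self) -> &NameIndex { &self.index }
}

impl WriteTxn<'_> {
    /// Mutation lives only on the write transaction and keeps both inner
    /// stores consistent with each other.
    pub fn insert(&mut self, id: u64, name: &str) -> Result<(), String> {
        if self.index.contains_key(name) {
            return Err(format!("name {} already exists", name));
        }
        if self.records.contains_key(&id) {
            return Err(format!("id {} already exists", id));
        }
        self.records.insert(id, name.to_string());
        self.index.insert(name.to_string(), id);
        Ok(())
    }
}

impl Default for Db {
    fn default() -> Self {
        Db { records: RwLock::new(Records::new()), index: RwLock::new(NameIndex::new()) }
    }
}

impl Db {
    /// Both constructors take the guards in the same order (records, then
    /// index), so a reader and a writer cannot deadlock against each other.
    pub fn read(&self) -> ReadTxn<'_> {
        ReadTxn { records: self.records.read().unwrap(), index: self.index.read().unwrap() }
    }

    pub fn write(&self) -> WriteTxn<'_> {
        WriteTxn { records: self.records.write().unwrap(), index: self.index.write().unwrap() }
    }
}

/// Populate through a write transaction, then query through a read
/// transaction using the shared reader code.
pub fn demo() -> (Option<String>, Option<String>, usize) {
    let db = Db::default();
    {
        let mut w = db.write();
        w.insert(1, "alice").unwrap();
        w.insert(2, "bob").unwrap();
        assert!(w.insert(3, "alice").is_err());
        // The writer reads its own uncommitted state through the same trait.
        assert_eq!(w.lookup("bob"), Some("bob"));
    } // guards drop here and the write lock is released
    let r = db.read();
    (r.lookup("alice").map(String::from), r.lookup("carol").map(String::from), r.count())
}

fn main() {
    println!("{:?}", demo());
}
```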
SUSE Open Build Service cheat sheet Part of starting at SUSE has meant that I get to learn about Open Build Service. I've known that the project existed for a long time but I have never had a chance to use it. So far I'm thoroughly impressed by how it works and the features it offers. As A Consumer The best part of OBS is that it's trivial on OpenSUSE to consume content from it. Zypper can add projects with the command: zypper ar obs://<project name> <repo nickname> zypper ar obs://network:ld...| Firstyear's blog-a-log
The idea of CI and Engineering In software development I see an interesting trend and push towards continuous integration, continually testing, and testing in production. These techniques are designed to allow faster feedback on errors, use real data for application testing, and to deliver features and changes faster. But is that really how people use software on devices? When we consider an operation like google or amazon, this always-online technique may work, but what happens when we appl...| Firstyear's blog-a-log
Useful USG pro 4 commands and hints I've recently changed from a FreeBSD vm as my router to a Ubiquiti PRO USG4. It's a solid device, with many great features, and I'm really impressed at how it "just works" in many cases. So far my only disappointment is lack of documentation about the CLI, especially for debugging and auditing what is occurring in the system, and for troubleshooting steps. This post will aggregate some of my knowledge about the topic. Current config Show the current config w...| Firstyear's blog-a-log
Nextcloud and badrequest filesize incorrect My friend came to my house and was trying to share some large files with my nextcloud instance. Part way through the upload an error occurred. "Exception":"Sabre\\DAV\\Exception\\BadRequest","Message":"expected filesize 1768906752 got 1768554496" It turns out this error can be caused by many sources. It could be timeouts, bad requests, network packet loss, incorrect nextcloud configuration or more. We tried uploading larger files (by a factor of 10 ...| Firstyear's blog-a-log
Identity ideas ... I've been meaning to write this post for a long time. Taking half a year away from the 389-ds team, and exploring a lot of ideas from other projects has led me to come up with some really interesting ideas about what we do well, and what we don't. I feel like this blog could be divisive, as I really think that for our services to stay relevant we need to make changes that really change our own identity - so that we can better represent yours. So strap in, this is going to b...| Firstyear's blog-a-log
Work around docker exec bug There is currently a docker exec bug in Centos/RHEL 7 that causes errors such as: # docker exec -i -t instance /bin/sh rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:247: starting container process caused "process_linux.go:110: decoding init error from pipe caused \"read parent: connection reset by peer\"" As a work around you can use nsenter instead: PID=$(docker inspect --format '{{.State.Pid}}' <name of container>) nsenter --target $PID...| Firstyear's blog-a-log
High Available RADVD on Linux Recently I was experimenting again with high availability router configurations so that in the case of an outage or a failover the other router will take over and traffic is still served. This is usually done through protocols like VRRP to allow virtual ips to exist that can be failed between. However with ipv6 one needs to still allow clients to find the router, and in the case of a failure, the router advertisements still must continue for client renewals. To ...| Firstyear's blog-a-log
Rust RwLock and Mutex Performance Oddities Recently I have been working on Rust datastructures once again. In the process I wanted to test how my work performed compared to a standard library RwLock and Mutex. On my home laptop the RwLock was 5 times faster, the Mutex 2 times faster than my work. So checking out my code on my workplace workstation and running my benchmarks I noticed the Mutex was the same - 2 times faster. However, the RwLock was 4000 times slower. What's a RwLock and Mutex ...| Firstyear's blog-a-log
Photography - Why You Should Use JPG (not RAW) When I started my modern journey into photography, I simply shot in JPG. I was happy with the results, and the images I was able to produce. It was only later that I was introduced to a now good friend and he said: "You should always shoot RAW! You can edit so much more if you do.". It's not hard to find many 'beginner' videos all touting the value of RAW for post editing, and how it's the step from beginner to serious photographer (and editor). ...| Firstyear's blog-a-log
Extracting Formally Verified C with FStar and KreMLin As software engineering has progressed, the correctness of software has become a major issue. However the tools that exist today to help us create correct programs have been lacking. Humans continue to make mistakes that cause harm to others (even I do!). Instead, tools have now been developed that allow the verification of programs and algorithms as correct. These have not gained widespread adoption due to the complexities of their tool ...| Firstyear's blog-a-log
AD directory admins group setup Recently I have been reading many of the Microsoft Active Directory best practices for security and hardening. These are great resources, and very well written. The major theme of the articles is "least privilege", where accounts like Administrators or Domain Admins are over used and lead to further compromise. A suggestion that is put forward by the author is to have a group that has no other permissions but to manage the directory service. This should be used...| Firstyear's blog-a-log
Understanding AD Access Control Entries A few days ago I set out to work on making samba 4 my default LDAP server. In the process I was forced to learn about Active Directory Access controls. I found that while there was significant documentation around the syntax of these structures, very little existed explaining how to use them effectively. What's in an ACE? If you look at the ACL of an entry in AD you'll see something like: O:DAG:DAD:AI (A;CI;RPLCLORC;;;AN) (A;;RPWPCRCCDCLCLORCWOWDSDD...| Firstyear's blog-a-log
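An added example (not from the post) that parses the SDDL form shown above into its owner, group, DACL flags and ACEs, and splits the packed two-letter rights codes so they can be read. The first ACE in the sample input is the one quoted on the page; the second is constructed for this example (the page's second ACE is truncated), and the `describe_right` table covers only the codes that appear in it. Deny ACEs, SACLs, group membership and inheritance evaluation are deliberately out of scope.

```rust
/// One ACE decoded from `(type;flags;rights;object_guid;inherit_guid;trustee)`.
#[derive(Debug, PartialEq)]
pub struct Ace {
    pub ace_type: String,
    pub flags: Vec<String>,
    pub rights: Vec<String>,
    pub object_guids: (String, String),
    pub trustee: String,
}

/// Owner, group and DACL of a descriptor; the SACL (`S:`) is skipped.
#[derive(Debug, Default, PartialEq)]
pub struct Descriptor {
    pub owner: String,
    pub group: String,
    pub dacl_flags: Vec<String>,
    pub aces: Vec<Ace>,
}

/// SDDL packs two-letter codes back to back ("RPLCLORC"); split them.
/// A raw hex mask such as "0x1200a9" is kept whole.
fn split_pairs(s: &str) -> Vec<String> {
    if s.starts_with("0x") {
        return vec![s.to_string()];
    }
    s.as_bytes().chunks(2).map(|c| String::from_utf8_lossy(c).into_owned()).collect()
}

/// Meaning of the directory-service rights codes used in the sample.
pub fn describe_right(code: &str) -> &'static str {
    match code {
        "RP" => "read property",
        "WP" => "write property",
        "CC" => "create child",
        "DC" => "delete child",
        "LC" => "list children",
        "LO" => "list object",
        "RC" => "read control (read the security descriptor)",
        "WD" => "write DAC (change permissions)",
        "WO" => "write owner",
        "SD" => "delete",
        "DT" => "delete tree",
        "SW" => "self write",
        "CR" => "control access (extended right)",
        _ => "unknown",
    }
}

pub fn parse_ace(s: &str) -> Result<Ace, String> {
    let inner = s.strip_prefix('(').and_then(|r| r.strip_suffix(')'))
        .ok_or_else(|| format!("ACE not parenthesised: {}", s))?;
    let f: Vec<&str> = inner.split(';').collect();
    if f.len() != 6 {
        return Err(format!("expected 6 fields in {}, got {}", s, f.len()));
    }
    Ok(Ace {
        ace_type: f[0].to_string(),
        flags: split_pairs(f[1]),
        rights: split_pairs(f[2]),
        object_guids: (f[3].to_string(), f[4].to_string()),
        trustee: f[5].to_string(),
    })
}

pub fn parse_sddl(input: &str) -> Result<Descriptor, String> {
    // Real SDDL has no whitespace; text copied from a web page often gains some.
    let s: String = input.chars().filter(|c| !c.is_whitespace()).collect();
    let mut d = Descriptor::default();
    let mut rest = s.as_str();
    while rest.len() >= 2 {
        let (section, body) = rest.split_at(2);
        // A section's value runs up to the next "X:" section marker.
        let end = ["O:", "G:", "D:", "S:"].iter()
            .filter_map(|m| body.find(*m)).min().unwrap_or(body.len());
        let value = &body[..end];
        match section {
            "O:" => d.owner = value.to_string(),
            "G:" => d.group = value.to_string(),
            "D:" => {
                // DACL control flags (e.g. AI) precede the first '('.
                let first = value.find('(').unwrap_or(value.len());
                d.dacl_flags = split_pairs(&value[..first]);
                for chunk in value[first..].split_terminator(')') {
                    d.aces.push(parse_ace(&format!("{})", chunk))?);
                }
            }
            "S:" => {}
            other => return Err(format!("unknown section {}", other)),
        }
        rest = &body[end..];
    }
    Ok(d)
}

/// Does an allow ACE grant `right` directly to `trustee`?
pub fn allowed(d: &Descriptor, trustee: &str, right: &str) -> bool {
    d.aces.iter().any(|a| a.ace_type == "A" && a.trustee == trustee && a.rights.iter().any(|r| r == right))
}
```

Running `parse_sddl("O:DAG:DAD:AI(A;CI;RPLCLORC;;;AN)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")` and mapping each ACE's rights through `describe_right` shows the first entry as an allow ACE, container-inherited, granting read property, list children, list object and read control to AN (anonymous), which is exactly the kind of grant worth noticing when auditing a directory's defaults.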
Making Samba 4 the default LDAP server Earlier this year Andrew Bartlett set me the challenge: how could we make Samba 4 the default LDAP server in use for Linux and UNIX systems? I've finally decided to tackle this, and write up some simple changes we can make, and decide on some long term goals to make this a reality. What makes a unix directory anyway? Great question - this is such a broad topic, even I don't know if I can single out what it means. For the purposes of this exercise I'll tr...| Firstyear's blog-a-log
Smartcards and You - How To Make Them Work on Fedora/RHEL Smartcards are a great way to authenticate users. They have a device (something you have) and a pin (something you know). They prevent password transmission, use strong crypto and they even come in a variety of formats. From your "card" shapes to yubikeys. So why aren't they used more? It's the classic issue of usability - the setup for them is undocumented, complex, and hard to discover. Today I hope to change this. The Goal To authen...| Firstyear's blog-a-log
Using b43 firmware on Fedora Atomic Workstation My Macbook Pro has a broadcom b43 wireless chipset. This is notorious for being one of the most annoying wireless adapters on linux. When you first install Fedora you don't even see "wifi" as an option, and unless you poke around in dmesg, you won't find how to enable b43 to work on your platform. b43 The b43 driver requires proprietary firmware to be loaded else the wifi chip will not run. There are a number of steps for this process found on t...| Firstyear's blog-a-log
Creating yubikey SSH and TLS certificates Recently yubikeys were shown to have a hardware flaw in the way they generated private keys. This affects their use to provide PIV identities or SSH keys. However, you can generate the keys externally, and load them to the key to prevent this issue. SSH First, we'll create a new NSS DB on an airgapped secure machine (with disk encryption or in memory storage!) certutil -N -d . -f pwdfile.txt Now into this, we'll create a self-signed cert valid for ...| Firstyear's blog-a-log
What's the problem with NUMA anyway? What is NUMA? Non-Uniform Memory Access is a method of separating ram and memory management units to be associated with CPU sockets. The reason for this is performance - if multiple sockets shared a MMU, they will cause each other to block, delaying your CPU. To improve this, each NUMA region has its own MMU and RAM associated. If a CPU can access its local MMU and RAM, this is very fast, and does not prevent another CPU from accessing its own. Fo...| Firstyear's blog-a-log
GSoC 2017 - Mentor Report from 389 Project This year I have had the pleasure of being a mentor for the Google Summer of Code program, as part of the Fedora Project organisation. I was representing the 389 Directory Server Project and offered students the opportunity to work on our command line tools written in python. Applications From the start we had a large number of really talented students apply to the project. One of the hardest parts of the process was choosing a student, gi...| Firstyear's blog-a-log
So you want to script gdb with python ... Gdb provides a python scripting interface. However the documentation is highly technical and not at a level that is easily accessible. This post should read as a tutorial, to help you understand the interface and work toward creating your own python debugging tools to help make gdb usage somewhat "less" painful. The problem I have created a problem program called "naughty". You can find it here . You can compile this with the following command: gcc -g ...| Firstyear's blog-a-log
Time safety and Rust Recently I have had the great fortune to work on this ticket . This was an issue that stemmed from an attempt to make clock performance faster. Previously, a call to time or clock_gettime would involve a context switch and a system call (think solaris etc). On linux we have VDSO instead, so we can easily just swap to the use of raw time calls. The problem So what was the problem? And how did the engineers of the past try and solve it? DS heavily relies on time. As a result...| Firstyear's blog-a-log