Skew-T Meteorologist in Kansas City

Filed under Tech

Yubikey

In the past year I've taken steps to increase security on some of my accounts and machines. One of these measures was to protect my network with public key authentication and two-step verification with TOTP (Google Authenticator). It was easier than I had feared to set up the two-step via Linux PAM. Logging in thus does require having my phone available and then unlocking, launching an app, and entering the code.

Yubikey 5c

Yubikey is a hardware authentication device with a form factor similar to that of a small USB flash drive. It supports a number of different protocols, including U2F, which replaces one-time codes with a direct challenge-response exchange with the site. What interested me most was using it as a secure place to keep SSH keys. Keys sitting on disk can potentially be taken and need long passphrases to stay secure. With a Yubikey the private key stays locked away in the device, usable only with the device present, a PIN, and optionally a touch of the device (to prevent remote exploitation).

There are a couple of ways to create keys that can be used for SSH: PIV and OpenPGP. I've had issues with GPG in the past and it seemed likely to require replacing ssh-agent, so I thought I'd first try PIV, or Personal Identity Verification. At work I use a smart card that meets the same standard and it works with standard SSH components combined with the OpenSC software. The syntax is a little odd, requiring the full path to the smart card PKCS#11 library.

ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <host>

ssh-agent is able to cache and forward but plugging and unplugging the Yubikey can cause issues. At times a flush of ssh-agent or a restart of GNOME Keyring fixes the issue. Reading more about the higher encryption standards available through PGP, and that Chrome OS has support for smart cards in the built-in SSH app, I decided to try PGP as well. Creating keys and subkeys was fairly quick with reasonable defaults to most of the prompts.

# Create GPG key
gpg --gen-key

# Create subkey on Yubikey (addcardkey is a command inside the interactive key editor)
gpg --edit-key <key>
gpg> addcardkey
gpg> save

# Get PGP Yubikey applet information
gpg --card-status

# Get an SSH format public key
gpg --export-ssh-key <key>
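Before pointing ssh at the card it is worth checking that `gpg --card-status` actually lists an authentication subkey and that nobody has been guessing PINs. This is an added example, not part of the original post or of GnuPG: a small parser for the status output plus a check that flags a lowered PIN retry counter or a missing authentication key. The sample output below is constructed to mirror the `label ....: value` layout gpg prints; the serial number and fingerprint are placeholders.

```python
# Constructed sample modelled on the layout of `gpg --card-status` for an
# OpenPGP card. Serial number and fingerprint are placeholders, not real values.
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 00000000
Name of cardholder: [not set]
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 2 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0001
      created ....: 2018-01-01 00:00:00
"""


def parse_card_status(text):
    """Turn the `label ....: value` lines into a dict keyed by the bare label."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        # gpg pads labels with dots to align the colons; drop that padding
        fields[label.strip().rstrip(" .")] = value.strip()
    return fields


def check_card(fields, max_retries=3):
    """Return findings worth a look before trusting the card for SSH login."""
    findings = []
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) == 3:
        # order printed by gpg: user PIN, reset code, admin PIN
        user_pin, _reset_code, admin_pin = (int(c) for c in counters)
        if user_pin < max_retries:
            findings.append(f"user PIN retries left: {user_pin} (wrong PIN entered)")
        if admin_pin < max_retries:
            findings.append(f"admin PIN retries left: {admin_pin} (wrong admin PIN entered)")
    if fields.get("Authentication key", "[none]") == "[none]":
        findings.append("no authentication subkey on card; ssh will not find a key")
    return findings
```

Feed it real output with `parse_card_status(subprocess.check_output(["gpg", "--card-status"], text=True))`; an empty findings list means the card is ready for the agent setup that follows.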

There are rather vociferous arguments about the interactions between GNOME Keyring and gpg-agent. Keyring has generally worked well for me but it does not show the card-based subkeys at all. Switching the SSH agent socket to GPG agent provides a very seamless experience with card removal and insertion. Keyring does not fully support smart card authentication so I first created an alias to switch the SSH agent socket on the fly, before just permanently disabling the ssh-agent functionality of the Keyring, after which gpg automatically took over. Other keys can still be loaded on-the-fly.

# Use gpg-agent for SSH agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

# Disable GNOME Keyring ssh-agent
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop

fzf, ripgrep, git grep

Recent work has found me searching through large directory structures for files with sometimes less than obvious names. grep -r had become a go-to but it's not particularly speedy. Seeing a mention or two on Twitter led me to ripgrep which is specifically designed for such recursive file content searches. It also handily ignores files specified by gitignore and hidden files by default. Discovering ripgrep reminded me I had forgotten all about git grep which also allows for recursive searches, taking advantage of the git index, for files already in a repo.

fzf is a fuzzy finder, presenting an interactive way to search lists like filenames and git commits. Setting up aliases adds useful interactivity to common tools, enabling quick fuzzy searching at the prompt in addition to the usual tab completion. As an example, the following function searches recursively for a file, presents a list of matches, and opens the selection in vim, bypassing the list if there is just one match.

fe() {
  local files
  # rg --files lists candidate paths; fzf-tmux lets you pick one or more.
  # --select-1 skips the picker for a single match, --exit-0 exits on none.
  # mapfile splits on newlines only, so paths containing spaces stay whole
  # and multiple selections become separate arguments to the editor.
  mapfile -t files < <(rg --files | fzf-tmux \
        --query="$1" \
        --multi \
        --select-1 \
        --exit-0)
  [ "${#files[@]}" -gt 0 ] || return
  "${EDITOR:-vim}" "${files[@]}"
}

Home Theater API

Taking advantage of a Black Friday sale, I upgraded my living room home theater with a new Onkyo receiver. I purchased my previous receiver, also an Onkyo, in grad school and it has served me well. It was lacking some modern features: it was connected entirely through analog inputs and required speaker-wire pass-through to drive the subwoofer that was added to the setup a couple of years ago. The new unit features several HDMI inputs, HDMI-ARC output, and networked services like Spotify and Chromecast. Connected via wifi, there is a phone app that can control most features.

Onkyo TX-NR676

Many such consumer devices rely on purely cloud based services so it was great to discover the API allows control over the local network. I'm only just starting to explore. There is a great Python module for accessing the API including device discovery, onkyo-eiscp. An MQTT bridge, onkyo2mqtt, is promising, able to transmit messages upon device actions like volume adjustment. The former also offers a straightforward command line tool:

onkyo --host x.x.x.x audio-muting=on
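Under the hood that command is sent to the receiver as an eISCP frame over the LAN. As an added example (not code from this post or from onkyo-eiscp), here is a builder and a validating parser for that frame, following the public eISCP layout that onkyo-eiscp implements: a 16-byte header (magic, header size, data size, version, reserved) followed by `!` + unit type + command + CR. The unit type `1` and the `AMT01` code for audio-muting=on are taken from that spec; the parser also checks the declared data length before slicing, which matters when the bytes come from an untrusted network peer.

```python
import struct

ISCP_MAGIC = b"ISCP"
HEADER_SIZE = 16
ISCP_VERSION = 1
HEADER_FORMAT = ">4sIIB3x"  # magic, header size, data size, version, 3 pad bytes


def build_packet(command, unit="1"):
    """Wrap an ISCP command such as 'AMT01' (audio muting on) in an eISCP frame.

    Payload is '!' + unit type ('1' = receiver) + command + CR, preceded by the
    16-byte header whose data-size field covers the whole payload.
    """
    data = f"!{unit}{command}\r".encode("ascii")
    header = struct.pack(HEADER_FORMAT, ISCP_MAGIC, HEADER_SIZE, len(data), ISCP_VERSION)
    return header + data


def parse_packet(raw):
    """Validate a frame (request or receiver response) and return (unit, command).

    Receiver responses terminate the payload with 0x1A followed by CR LF,
    so those trailer bytes are stripped as well.
    """
    if len(raw) < HEADER_SIZE:
        raise ValueError("frame shorter than header")
    magic, header_size, data_size, version = struct.unpack(HEADER_FORMAT, raw[:HEADER_SIZE])
    if magic != ISCP_MAGIC or header_size != HEADER_SIZE or version != ISCP_VERSION:
        raise ValueError("not an eISCP v1 frame")
    data = raw[HEADER_SIZE:HEADER_SIZE + data_size]
    if len(data) != data_size:
        # declared length larger than what arrived: do not trust a partial read
        raise ValueError("truncated frame: declared %d bytes, got %d" % (data_size, len(data)))
    text = data.decode("ascii").rstrip("\x1a\r\n")
    if len(text) < 2 or text[0] != "!":
        raise ValueError("missing ISCP start character")
    return text[1], text[2:]
```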

Having discovered this ability to adjust audio remotely, I was glad to find that pychromecast allows some measure of control over the diminutive media players as well. Apparently the Chrome dev tools can help determine app-specific commands.

Late 2017 Desktop Build

Motherboard

I have increasingly taken advantage of hardware-assisted virtualization using KVM in Debian to run headless server applications. Using a desktop workstation for this task is less than ideal, taking resources away from graphical applications and incurring disruptions like occasional reboots. It hasn't quite been two years since building my last desktop machine and the experience gained made it quick to get a new box together.

Running the latest 8th gen Intel Core i5, I downsized certain areas like moving to a Micro ATX and installing just 16 GB of RAM while keeping the same NVidia graphics card. The old, larger machine has now been repurposed as a full time server residing in the basement and it should soon take responsibility for running Plex and MySQL away from the lightly specced standalone Synology NAS.

Specifications:

  • Fractal Design Define Mini C
  • Intel Core i5-8600K
  • 16 GB DDR4 3200 memory
  • 500 GB Samsung EVO 960 M.2 SSD
  • ASUS RoG Z370-G motherboard
  • SeaSonic 520W 80 Plus Bronze

Termux

Screenshot of Termux

Termux is an Android app that provides a terminal emulator and Debian-like Linux environment. Smartphone screens are relatively small compared to a laptop or full computer monitor but screens continue to improve making terminal use increasingly viable. My Google Pixel XL has a 5.5 inch screen running at 2560x1440, the same resolution as one of my desktop 27 inch monitors.

Vertically the terminal is restricted to 57 columns but is surprisingly usable with the on screen keyboard. Held horizontally and paired with the Logitech K380 Bluetooth keyboard, it is an excellent text terminal. Features abound, from an API exposing hardware remotely via ssh, to style support including Powerline fonts.