Blog


RSA - Weak Keys

Intro

Did you ever try to generate a small RSA key? Today you should go with 3072 or 4096 bits, or use ECC.

With current versions of OpenSSL, you can't generate a key smaller than 512 bits.

128 Bit Key

# uses the python-rsa package (pip install rsa); newkeys() takes the modulus size in bits
import rsa

pubkey, privkey = rsa.newkeys(128)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(32)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(16)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

Sample with 16 Bit RSA Key
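Why a key this small gives no security, as an added example that is not part of the original post: a toy 16 bit key is built from two constructed 8 bit primes, and the private exponent is then recovered from the public key alone by trial-division factoring, the step that is infeasible for a 3072 bit modulus. The helper names are mine; it needs Python 3.8+ for pow(e, -1, phi).

```python
# Added example, not the post's code: recover a tiny RSA private key from
# the public key by factoring the modulus. Primes and message are constructed.
from math import gcd, isqrt

MIN_SAFE_BITS = 3072  # the post's recommendation for new RSA keys


def make_toy_key(p, q, e=65537):
    """Textbook RSA key from two primes (no padding, demo only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)
    return (n, e), d


def factor_small_modulus(n):
    """Trial division: only feasible because n is tiny (16 bits here)."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no factor found")


def recover_private_exponent(pub):
    """Rebuild d from (n, e) alone once n is factored."""
    n, e = pub
    p, q = factor_small_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


def modulus_bits(pub):
    return pub[0].bit_length()


def key_is_weak(pub):
    """Flag any modulus below the size the post recommends."""
    return modulus_bits(pub) < MIN_SAFE_BITS


if __name__ == "__main__":
    pub, d = make_toy_key(251, 241)          # constructed 8 bit primes -> 16 bit n
    ct = pow(1234, pub[1], pub[0])           # constructed plaintext 1234
    d_recovered = recover_private_exponent(pub)
    print("bits:", modulus_bits(pub), "weak:", key_is_weak(pub))
    print("d recovered:", d_recovered == d,
          "plaintext back:", pow(ct, d_recovered, pub[0]) == 1234)
```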

Git - Mass Updater

Intro

Let's assume you have a bunch of Git repos in a folder like this:

/project1/
    /repo1/
    /repo2/
    /repoN/

and you would like to update all of them? Here is a little helper.

  • Loop over all folders
  • check if '.git' exists
  • if so, run git pull --all

Script

Copy/paste it into your terminal and you get an executable script called 'git_update_all.sh'.

cat << 'EOF' > git_update_all.sh
#!/usr/bin/env bash

# Get the current script directory
script_dir=$(dirname "$(readlink -f "$0")")

# Change into each directory in the script folder
for dir in "$script_dir"/*; do

    if [ -d "$dir" ]; then

        cd "$dir" || exit 1

        if [ -d ".git" ]; then

            echo "Updating Git repository in $dir"
            git pull --all

        else

            echo "Skipping $dir - not a Git repository"

        fi

        cd "$script_dir" || exit 1

    fi

done

echo "Git update for all repositories completed."
EOF

# make it executable
chmod u+x git_update_all.sh

Usage

and then run it, like it, use it :)

OpenBSD - gpg

gpg stuff

generate key

gpg --generate-key

change Passphrase

gpg --change-passphrase user-id

import key

gpg --import 92FFBB90C18B59AEF311F9C5D2E39FFEAC507F67.pub.gpg

list key

gpg -k

sample

root@host # gpg -k 
[keyboxd]
---------
pub   ed25519 2024-01-02 [SC] [expires: 2027-01-01]
      F7118E072D426449DD9E4DE29674836DB8FECEDA
uid           [ultimate] root <root@host>
sub   cv25519 2024-01-02 [E] [expires: 2027-01-01]

encrypt

-r sets the recipient, -e encrypts

date > date
gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date

sample

root@host # gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date
root@host # ll date*
-rw-r--r--  1 root  wheel   29 Jan  2 15:14 date
-rw-r--r--  1 root  wheel  200 Jan  2 15:15 date.gpg

root@host # file date*
date:     ASCII text
date.gpg: data

decrypt

-d decrypts

OpenBSD - USB

dmesg

show disks

dmesg |grep ^sd. 
sd0 at scsibus1 targ 0 lun 0: <ATA, KingFast, T031> t10.ATA_KingFast_04xxxxxxxxxxxx
sd0: 114473MB, 512 bytes/sector, 234441648 sectors, thin
sd1 at scsibus4 targ 1 lun 0: <JetFlash, Transcend 8GB, 1100> removable serial.85xxxxxxxxxxxxxxxxxx
sd1: 7450MB, 512 bytes/sector, 15257600 sectors

Show disk names (with DUIDs)

sysctl hw.disknames
hw.disknames=sd0:9axxxxxxxxxxxxxx,sd1:60xxxxxxxxxxxxxx

Show Disklabel sd1

disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Transcend 8GB
duid: 60xxxxxxxxxxxxxx
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 949
total sectors: 15257600
boundstart: 64
boundend: 15257600

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15257600                0  unused

Fdisk

kill everything

Hetzner - Arm64 OpenBSD

OpenBSD on ARM64 at Hetzner DC

Price/performance is unbeatable at Hetzner for arm64 virtual machines. A server (CAX21) with 4 CPU, 8 GB RAM, 80 GB disk and 20 TB traffic/month costs around 7 Euros/month.

Let's build a template for OpenBSD. Here is how to do it:

  • Get Server with CAX21 (4 CPU, 8 GB RAM, 80 GB Disk), with Debian or Ubuntu
  • Menu “ISO-Images”, mount Image “OpenBSD 7.4-current 2023-11-03 (arm64)”
  • Reboot the VM
  • Install OpenBSD as usual
  • Disk: sd0
  • Use (W)hole disk
  • (E)dit auto layout
  • Delete all partitions except partition "i" (MSDOS)
  • Build Disk Layout as you like. My Layout for 80GB at Hetzner
  • Location of sets? http
  • HTTP Server: cdn.openbsd.org
  • Server directory? pub/OpenBSD/7.4/arm64
  • finish setup
  • halt vm, remove iso images
  • boot vm and login through console or ssh

Any Comments ?


APU - Firmware Upgrade

intro

As we all know, the APUs from PC Engines are EOL, but it's worth bringing the existing ones to the latest firmware. If you have OpenBSD running on your boxes, you can upgrade it like this:

add packages

doas pkg_add -i flashrom pciutils

set hostname

based on the APU version and the MAC address of em0

type=$(dmesg |grep ^bios0: |tail -1 |sed 's/.*gines //')
mac=$(ifconfig em0 |awk '/lladdr/ {print $2}' |awk -F':' '{printf "%s-%s-%s\n",$4, $5, $6}')
echo "${type}-${mac}" |tee /etc/myname; hostname $(cat /etc/myname)

sample

macos - hdiutil

Intro

hdiutil is a command-line utility on macOS that allows users to create, manipulate, and convert disk images. Disk images are virtual disk files that can contain the entire file system structure, including files, folders, and metadata. hdiutil provides a variety of functions related to disk images, and it’s a powerful tool for managing disk-related tasks on a Mac.

Basic Usage

create

echo -n "geheim" |hdiutil create -encryption -stdinpass -size 10m -volname encdata test.dmg -fs HFS+J

mount ro

echo -n "geheim" |hdiutil mount -stdinpass -readonly test.dmg

mount rw

echo -n "geheim" |hdiutil mount -stdinpass test.dmg

create, strong, mount

echo -n "geheim" |hdiutil create -encryption AES-256 -stdinpass -attach -volname encdata -size 10m test.dmg -fs HFS+J

unmount

hdiutil unmount /Volumes/encdata

or

Hugo Canonical

A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com?dress=1234 and example.com/dresses/1234), Google chooses one as canonical. Similarly, if you have multiple pages that are nearly identical, Google can group them together (for example, pages that differ only by the sorting or filtering of the contents, such as by price or item color) and choose one as canonical. Google can only index the canonical URL from a set of duplicate pages.

Nginx - IP

Sometimes you want to restrict access to a webserver based on IP addresses. Here is a little howto.

Update the nginx config for your vhost

and redirect (temporarily or permanently) to a sorry host.

--->8- snip -8<---

    location / {
      allow 192.0.2.0/24;
      allow 2001:db8::/32;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

or move the IPs to a dedicated file and include it here …

--->8- snip -8<---

    location / {
      include incl/admin_ip.txt;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

Admin IPs

cat ../incl/admin_ip.txt
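An added example, not part of the original post: a small checker that applies the first-match-wins allow/deny semantics of the nginx access module to a client address, so the rule set above (and the contents of admin_ip.txt) can be tested before deploying it. The rule list repeats the post's addresses; the function names are mine.

```python
# Added example (not from the post): simulate nginx allow/deny evaluation.
# nginx checks access rules in order and the first matching rule decides;
# the trailing "deny all" is what turns the list into an allowlist.
import ipaddress

# Same rules, same order as the location block in the post (constructed list).
ADMIN_RULES = [
    "allow 192.0.2.0/24;",
    "allow 2001:db8::/32;",
    "deny all;",
]


def parse_rules(lines):
    """Turn allow/deny lines into (action, network-or-None) tuples."""
    rules = []
    for line in lines:
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"not an access rule: {line}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(client_ip, rules):
    """First matching rule decides; with no match nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "allow"
    return True


def check(client_ip, rules=ADMIN_RULES):
    return is_allowed(client_ip, parse_rules(rules))


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.5", "2001:db8:1::1", "2001:db9::1"):
        print(ip, "allowed" if check(ip) else "denied")
    # Ordering trap: "deny all" first blocks everything, whatever follows.
    print("deny-first:", check("192.0.2.77", ["deny all;", "allow 192.0.2.0/24;"]))
```

Because there is no trailing "allow", a request that matches nothing is denied only by the explicit "deny all" line; drop it and the block becomes open to everyone.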

K8s - DigitalOcean

Deploy a sample app on Kubernetes …

Prerequisite

  • Domain “kubbi.xyz”, ns1.digitalocean.com, ns2, ns3 …
  • Digital Ocean Login

Docs

https://docs.digitalocean.com/products/kubernetes/getting-started/operational-readiness/

Build Kubbi Cluster

Build the cluster with the web GUI or the CLI

via CLI

time doctl kubernetes cluster create prod001 --region fra1 --node-pool "size=s-2vcpu-2gb;auto-scale=true;min-nodes=3;max-nodes=5"

  • FRA1
  • 3 Nodes
  • 2 CPU
  • 2 GB RAM
  • 60 GB Disk
  • Costs: 54 USD/month!

Connecting and managing this cluster

doctl kubernetes cluster kubeconfig save 4375b470-ebe8-4ccb-925a-345df364dfbd
user@mac % doctl kubernetes cluster kubeconfig save 4375b470-ebe8-4ccb-925a-345df364dfbd

Notice: Adding cluster credentials to kubeconfig file found in "/Users/user/.kube/config"
Notice: Setting current-context to do-fra1-k8s-1-28-2-do-0-fra1-1702031438694

kubectl config get-contexts

kubectl config get-contexts
user@mac % kubectl config get-contexts

CURRENT   NAME                                         CLUSTER                                      AUTHINFO                                           NAMESPACE
*         do-fra1-prod-cluster-01                      do-fra1-prod-cluster-01                      do-fra1-prod-cluster-01-admin

kubectl cluster-info

kubectl cluster-info
user@mac % kubectl cluster-info

Kubernetes control plane is running at https://f179692f-aeac-4f9c-af3b-2422897ea578.k8s.ondigitalocean.com
CoreDNS is running at https://f179692f-aeac-4f9c-af3b-2422897ea578.k8s.ondigitalocean.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

kubectl version

kubectl version
user@mac % kubectl version

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.2

kubectl get nodes

kubectl get nodes
user@mac % kubectl get nodes

NAME                    STATUS   ROLES    AGE     VERSION
prod-cluster-01-xa856   Ready    <none>   3m59s   v1.28.2
prod-cluster-01-xa85a   Ready    <none>   4m7s    v1.28.2

Install Nginx Ingress Controller

  • via GUI / Marketplace / NGINX Ingress Controller

show load balancer status

doctl compute load-balancer list --format IP,ID,Name,Status
user@mac % doctl compute load-balancer list --format IP,ID,Name,Status

IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new

no ip yet … wait …