Gleefully Malicious Books
I asked Michael Dexter of callfortesting.org to give me a blurb for the front of the print edition of the new Absolute OpenBSD. Which he was kind enough to do, based on a preliminary PDF.
Then he posted this.
Apparently the book does not completely suck. Always nice to know.
I’ve had really good luck asking random people to do work for me, so I’m going to try it again.
RFC6698 defines the DANE protocol for attaching information to DNSSEC-secured DNS. Notably, you can validate SSL certificates via DNS. This is a game-changer. The key here is the TLSA DNS record.
Web browsers don’t support this yet, but there is the Extended DNSSEC Validator Firefox add-on at os3sec.com, with source at github.
If you have the newest version of the add-on installed, sites like https://www.dnssec.michaelwlucas.com/ show up as secure. There is no “invalid certificate” warning. That’s because I’ve published a TLSA record for this zone, telling the browser that the certificate with fingerprint such-and-such on this port on this host is trustworthy. (Install the plugin from the github source, not from the xpi on the site.)
The interesting thing about this add-on is that it uses libunbound to perform DNSSEC validation at the client. Your local DNS servers don’t need to support DNSSEC. All you need to hack on this plugin is a desktop.
But the add-on doesn’t support BSD — it’s Linux, MS, and Mac only. The add-on authors don’t have time for BSD support, but gave me a couple hints on how to implement it. The plugin can’t find libunbound on BSD.
That seems like it would be easy to do. I’m capable of building the add-on from source, but I’ve never programmed any add-ons before. The source code looks like it’s easy to hack, but my efforts all segfaulted Firefox. Obviously, I need more expertise.
So, if you know anything about Firefox add-ons, or have ever wanted to hack on them, this is your chance.
DANE and TLSA are the killer applications for DNSSEC. The ability to validate cryptographic certificates via DNS is a game changer. (Cliche, but true.) You can have separate certificates for separate ports on a host. With DANE, there’s no longer any need for a self-signed certificate to be a disadvantage.
One of the tasks on an author’s to-do list is gathering blurbs for the new book. A blurb is blatant promotion from a name a reader might recognize. Preferably a name that has some bearing on the topic of the book. You frequently see this in fiction, where the first couple of pages are other people saying “this book is fantastic! It cured my leprous bulemia!” Most often it’s multiple authors each saying nice things about the others’ books.
“Nice,” I think. “They’re doing each other favors. It’s blatant backscratching. When I’m successful, I swear I will never do that.”
For the first time, the fine folks at No Starch Press asked me to get blurbs for the new book. Apparently I have reached the point where I merit that. It’s not bad enough that going around asking people to praise me is like begging for approval. No, I’m a computer dork. Telling others about my accomplishments doesn’t come naturally, and doesn’t work well when I try. Apparently this is common.
(For the record, I don’t particularly like bacon. Pig, yes, but bacon, not so much. I’m aware this is heresy on the Internet. Deal.)
So I have my mission: get blurbs. I think about who I know, who might be interested in the book. With growing horror, I realize: most of them are writers. All of them are friends on some scale, somewhere on the spectrum from “call up when you’re in town and we’ll get gelato” to “I heard you need to borrow a kidney, my back is already shaved.”
I guess I’m going back on my younger and dumber self’s sworn word. Dammit.
At least they all wanted to see the book before they said nice things about it. That’s mild balm to my conscience.
So, I’ve gotten a couple of them back and felt like sharing them. Actually, no, I misspeak. I don’t feel like sharing them. But if something embarrassing is going to happen, it’s best to take control and get it over with. So, in that spirit:
From George Rosamond, a founding member of NYC*BSD User Group and noted detester of string beans and beets:
“The space for BSD books is small, indeed.
All the BSDs provide excellent documentation, from their handbooks and FAQs to their native manual pages. Got a question? There’s a good chance you will find the answer in the official documentation.
Michael W. Lucas manages to squeeze into that ‘other’ space. He engages the reader. He answers those specific questions and addresses those methods that a manual page or online documentation can’t approach.
He is the modest sysadmin sitting next to you in front of an OpenBSD box, narrating as you dive into an operating system that does things minimally without fuss. He’s not perched up high on a pedestal, preaching or obfuscating his words. He is a layperson’s tutor, who’s working through the same issues the average sysadmin does.
So buy this book. Buy it because for the amateur or intermediate OpenBSD end-user, you will flatten any learning curves real or perceived. You will find the elegant simplicity of OpenBSD, while sometimes discouraging for the uninitiated user, is a fruitful path for building systems that just run.”
And from Chris Sanders, author of the essential Practical Packet Analysis and better human being than I am:
“It’s rare to find a book that can cover so much technical content while still being engaging and enjoyable to read. Absolute OpenBSD, 2nd edition, is one of those books that achieves that with flare. Whether you are an experienced OpenBSD user seeking a functional desk reference, or a new OpenBSD user seeking to gain the carnal knowledge necessary to become an expert, then Absolute OpenBSD is the book you have to have.”
Somehow, I don’t think NSP will let me use those blurber descriptions, though. Pity.
[UPDATE] Oh, yes, the plug. Forgot the plug. Preorder Absolute OpenBSD, 2nd Edition. Get ebook and print together for one low price. Use coupon code ILUVMICHAEL for a 30% discount and give me a couple extra bucks. Or, if you’re in a place where shipping from the US is prohibitive, get it locally. Whatever. In either case, thank you.
Last night, I finished the first draft of DNSSEC Mastery. If you’re one of my fans who wants to see the existing work, a pre-pub version is now available on LeanPub.
Now I’m looking for people familiar with DNSSEC on BIND to read the book and tell me where I’ve screwed up.
This book is for an established DNS administrator who wants to deploy DNSSEC. I assume you know what named.conf is, why you don’t put PTR records in a forward zone, and so on. The goal is not to get 100% of the people 100% there, but to get 90% of the people 100% there and ground the other 10% so that they can identify their own rough edges. (The idea is roughly similar to my SSH Mastery or Cisco Routers for the Desperate.)
The contents are:
Many of these chapters are short. Chapter 10 is not. The writing is rough, especially near the end.
So, if you know DNSSEC, and you’re interested in spreading the DNSSEC gospel, and you have enough time to read something about half the length of a short paperback novel, contact me via email at mwlucas at my domain.
I’d need any comments by 15 March. I plan to revise that week and get the book into copyedit, so it can be out for BSDCan. Barring any really appalling revelations from the reviewers, that is. I’d rather the book be late than wrong.
From Michael Dexter:
https://twitter.com/michaeldexter/status/303218384357711872
For the record, the “Absolute” in the titles of some of my books is because it’s a good strong word. It has nothing to do with the vodka company. That doesn’t mean I can’t laugh maniacally.
The bleeding-edge OpenSSH supports using an AuthorizedKeysCommand statement in sshd_config to get the authorized_keys file for a user. This lets you store your authorized_keys files in LDAP, but avoids linking OpenSSH against OpenLDAP. (You could actually use any data store for your back end, but LDAP is both the most popular and what I have.)
Your AuthorizedKeysCommands script should take one argument, and return a series of authorized keys, one per line. CentOS has a script, which I previously mentioned, and one of my readers was kind enough to put together an OpenBSD port for it.
But there’s some problems with the CentOS approach, from a cross-platform perspective. While it’s fine on CentOS, porting and installing it on other platforms is more difficult than it needs to be. I’d really like something that has very few dependencies, is easy to install, and is easily portable across platforms.
When setting up a couple of Ubuntu boxes I came across an Ubuntu AuthorizedKeysCommand script. His approach is much simpler than the CentOS approach, but his script didn’t work for me out of the box, and it wouldn’t work on other operating systems without modification. But it inspired me to write my own script, one that works across all of my operating systems, using only the tools I already have on all of my servers. My results follow. But before I offer my script, I feel obliged to warn you.
The bad news is, I am not a programmer. I have been told by multiple independent parties that my code makes the Baby Jesus cry.
The really bad with this is that you need an ldapsearch command that returns your public keys, and this command is hard-coded with this script. The ideal script would read the system ldap config, but you’d probably have to hard-code a path to ldap.conf anyway.
The appalling news is, I wrote it in Perl. Why? Well, the evidence indicates that I am insane. But every server in my environment runs Perl, and it’s been ten years since I used enough sed/awk to make this work. A proper authentication credentials script would not use Perl.
I’m not suggesting that you take my code. I’m hoping to motivate one of my programmer readers, whose code only makes the Baby Jesus grimace a little, to do better. I mean, I’ve set a pretty low bar here.
#!/usr/bin/perl
#takes one argument, the username to get the keys for
die unless $ARGV[0];
open (LDAP, "/usr/bin/ldapsearch -L -xZb\"dc=michaelwlucas,dc=com\" '(&(objectClass=posixAccount)(uid=$ARGV[0]))' sshPublicKey |") || die "ldapsearch failed $!\n";
while (<LDAP>) {
next if /^#|^version|^dn\:|^\s*$/;
s/\n//;
s/\://g;
s/sshPublicKey/\n/;
s/^ //;
print;
}
print "\n";
One catch with this is that you’re processing the raw output of ldapsearch. An acceptable ldapsearch will return keys that look something like this:
...
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAw9zmtbk8bT+7OVpVvzuYYQqRhF8j
...blah, blah, blah...
ilXzBw== rsa-key-20110114
Initially, my LDAP searches returned some keys that looked like this:
...
sshPublicKey:: c3NoLWRzcyANCkFBQUFCM056YUMxa2MzTUFBQUNCQVBhZmNhemdmUHI1T29DdFp
...blah, blah, blah...
y5sb2NhbA==
This key doesn’t start with ssh-rsa or ssh-dss, and it doesn’t even look like a SSH key. But if you look at the key in a graphical tool like phpLDAPAdmin, it has the leading ssh-rsa. In my case, the key had an extra carriage return at the end of the key, which meant that ldapsearch had to base64 encode it. Get rid of extra whitespace. The LPK patch doesn’t notice that space, but a simple external script does.
Of course, if someone wanted to write an AuthorizedKeysCommand that was portable, handled that encoding, and didn’t suck as bad as mine, it wouldn’t hurt my feelings at all. Really.
Fast and furious progress these days:
Absolute OpenBSD: Peter has finished the tech edit on the entire manuscript. Chapters 1-18 are copyedited and returned to NSP. Chapters 1-17 are laid out and look somewhat like an actual book. (Seeing a book in laid out forces me to view it with new eyes. It makes me want to tear up the whole thing and start over. I know I can write better than that. But I think that both the publisher and you lot would lynch me if I delayed the book until 2016 for a proper rewrite.) I’m sending prepub PDFs out to various OpenBSD celebrities in the hope of getting blurbs for the front of the book. Best quote so far, from someone who will remain anonymous: ” It’s unfortunate that the strength of BSD man pages undercut his sales so much.”
DNSSec Mastery: I’ve made the second version available on LeanPub. It now contains everything you need to deploy DNSSec, provided nothing goes wrong and you don’t have to rotate keys. Plus, the introduction now gives you a reason to read the book, which is a bonus. (That last sentence originally read “The introduction no longer blows chunks.” And people say I can’t be tactful.)
To Ludovic ‘Ludy’ Simpson: You won the haiku contest. But you didn’t leave me contact info. Please get me your shipping address. Thank you.
By popular demand (mainly on Twitter) I’ve made the work-in-progress version of DNSSec Mastery available on LeanPub.
This is an experiment. If it works well, I’ll do it again. If not… I won’t.
Why would you be interested?
Why would I do this?
Do I care what you do? No.
In the long run, sales made via Amazon, B&N, Smashwords, or other ebookstores are better for my career. I’m expecting that only my most hardcore fans will buy the book early. If you’re a hardcore fan, but want to wait for the release of an actual book to buy it, I don’t blame you. I wouldn’t buy an incomplete book.
But it’s here if you want it.
I have the DNSSec book about a third done, which isn’t bad for spending a week in the hospital this month, and am looking at various publication options. Once the book is finished it’ll be available in print, on Amazon, Barnes & Noble, Kobo, and hopefully iTunes. But I have an option for before the book is complete. LeanPub allows authors to upload works in progress, and update them as the work proceeds.
I’m pondering something like this:
If you follow my blog, you’re probably a fan. I have no problem giving a discount to people interested enough in my work to follow my blog. And I might even get useful feedback.
One of my goals is to reduce the amount of non-paying non-writing work I do. (Basically, I want to reduce my monthly recurring expenses, especially time expenses.) Updating a book as I write it isn’t a huge amount of work, but if nobody’s interested, I don’t want to bother.
So: would anyone be interested? Or should I keep writing in my bubble?
One of the most tedious tasks any network admin faces is replicating changes across multiple devices. I recently stood up new RADIUS servers, and needed to tell all of my routers and switches about it. Rather than logging into each router by hand and pasting in the new configuration, I decided to try RANCID‘s ability to run arbitrary commands on your routers.
Using this method requires that the commands you run don’t generate interactive output. A reload command won’t work, because it prompts you for confirmation. But adding configurations to a Cisco router doesn’t.
I assume you have a working RANCID install.
Start by creating a text file containing your commands. RANCID expects to log on and log off of the router. All you need to provide is what happens between those two points.
conf t
radius-server host 192.0.2.2 auth-port 1812 acct-port 1813 key BuyBooksFromLucas
radius-server host 192.0.2.14 auth-port 1812 acct-port 1813 key BuyBooksFromLucas
exit
wr
Now use the device-specific login command, specify the file containing your commands with -x, and list every router you want to run the commands on.
# clogin -x newradius.conf router-1 router-2 router-3
RANCID logs into each device and add the new configuration. You can watch the process in action, and catch any problems.
I found that the Mikrotik login script had problems when the script changed the prompt. I’ve reported this to the RANCID mailing list, and expect it will be patched shortly. But fortunately, that’s pretty easy to work around in a Mikrotik, by giving the entire command in one line, as shown below.
/radius add accounting-backup=no accounting-port=1813 address=192.0.2.2 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=BuyBooksFromLucas service=login timeout=300ms
/radius add accounting-backup=no accounting-port=1813 address=192.0.2.14 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=BuyBooksFromLucas service=login timeout=300ms
Having RANCID run commands for you is much more accurate and less tedious than doing it yourself. And this way, if you make a mistake in your commands, at least it’ll be consistent across all your devices.