While browsing the information super highway I discovered some cool new tools for Linux today. The first is a pretty slick looking top replacement called btop, it displays and information dense view of the current and ongoing systems metrics. Memory usage, RAM usage, CPU usage, and network statistics. It’s easy to navigate and can be highly cusomtisable, though I’ve found it’s default configuration to be excellent as it is.
The second great find is a new terminal application, this one is called Black Box and it’s beautiful. It’s built from the ground up for GTK4 and it’s font rendering is a world above that of the default Gnome terminal, as well as having support for custom keyboard shortcuts too. It’s available as a flatpak or you can of course build it from source. It has experimental support for Sixel for rendering images within the terminal too, which is neat though no idea how to get it to work so far.
After I set up passkeys on my Google account and not getting prompted for my Yubikey as a second factor I posed the following question on mastodon the other day about passkeys:
“#Passkeys question, I have Yubikeys set as the second factor on numerous accounts. What if I want to use passkey for those accounts stored on a Yubikey, will using passkey mean I need an OTP code or have to use a different Yubikey? Or will passkeys eliminate the second factor as it has seemed to do with my Google account, I just signed in using a passkey and wasn’t asked for my second factor. I should have really done far more reading on this matter.”
I had some suggestions (some assumption about my age too, “Some of you don’t remember a time without 2FA”, my man I first used 2FA back in 1999 to get onto the corporate VPN over dial up, it was a dongle about the size of an AirPod case) about the how and why but nothing from anyone in the know or anything pointing me in the right direction, so I’ve done what I should of done before enabling Google’s passkeys implementation on my account, actually read up on them
First thing I learned, which is obvious in hindsight, passkeys are 2FA in themselves. this is explained in Googles documentation. On Android and iOS device as the key itself is one factor, something you have. The biometric identification whether that’s a fingerprint or Face ID, is the second factor, something you are. So that makes sense for 2FA replacement.
Next I wanted to know about using a passkey with a security key, how would you implement 2FA then. Unfortunately I can’t set up one of my Yubikeys with Googles passkeys or find any documentation on it. I also can’t set it to be used as the something I have within Google security settings. The guidance on using security keys with passkeys is not there yet either, the passkeys site says it’s coming soon and Google doesn’t have any. I think this is because the big roll out at present is focused on the consumer centric iteration and not the business corporate security centric version. Things like non-synchronised passkeys, security keys as second/third factor authentication are there in the WebAthen documentation just not focused on explaining in a less technical manor, or from what I can see implemented in Googles or Apples current itteration of passkeys. I haven’t looked into Micrsofts rollout yet, thought I don’t think their even as far ahead as Google and Apple are, and I am frankly not reading Microsoft documentaion on my own time.
I may dig into the full documentation about it but a lot of it is beyond my understanding as it goes into the technical details and specifications which is more information than I need or wish to understand on the matter. So I will more than likely wait for the end user guidance when it comes out.
The basics of adding a Yubikey to be used to authorise
sudocommands on a Debian Linux machine.
First install the required
sudo apt install libpam-u2f
Create the configuration folder for the U2F keys config file:
Register your Yubikey into the configuration file in the directory you created:
pamu2fcfg > ~/.config/Yubikey/u2f_keys
You will be prompted for your keys pin (if set, it should be!) and required to touch the key as normal to register it.
To register additional keys use the following command:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
Now you need to add a line to the
/etc/pam.d/sudofile to enable the key.
Add the line
auth sufficient pam_u2f.soafter the
sessionentries and before the line
@include common-auth, then save but do not close the file.
If you want to make it 2FA instead of just authorisation the line would be
auth required pam_u2f.so.
Open a new terminal window to test the configuration is working:
sudo echo SUCCESS
If that works as expected, waiting on the touch of the Yubikey you are now OK to close the
/etc/pam.d/sudofile, if not check for typos or revert before debugging.
These are instructions simplified for the one purpose I was after from the Yubico guide, which goes into more details and use cases.. https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
This is some basic instructions for setting up Peers for Wireguard when routing traffic through a central interface. In my circumstances it is mostly for accessing my home network and using my DNS servers when on mobile. I am working on a setup with Wireguard installed on my OPNSense router (I followed acombination of the OPNSense Road Warrior and Digital Ocean guides linked below).
sudo apt install
Set up the link:
sudo ip link add dev wg0 type wireguard
Generate a public/private key pare:
wg genkey | tee private.key | wg pubkey public.key
Add the information to the config file in the wireguard directory:
wg0.confwith the name of the connection if not
[interface] # Host Private Key PrivateKey = alkdfnaXdsaoDcasdkcnmaldop0o3240fd2030293j2= # Host IP address Address = 10.10.10.1/32 # Global DNS server to use DNS = 18.104.22.168 # List any peers here [Peer] # Serve/Peer public key PublicKey = er8M9cwuahdnfalkdfhaoisdnfalGhRETPqpvCjiCljis= # The IPs to route over wireguard 0.0.0.0/0 for all, or other CIDR ranges AllowedIPs = 0.0.0.0/0 # The public endpoint of the wireguard server Endpoint = 22.214.171.124:12345
Pass through qrencode to scan into the mobile app if necessary:
sudo apt install qrencode
qrencode -t ansiutf8 < wg0.conf
It is worth moving the
private.keyto the wireguard directory and removing permissions from it and the
.conffile so only
rootuser has any access to them, ensure private keys are kept secret:
sudo chmod go= /etc/wireguard/wg0.conf
sudo mv private.key /etc/wireguard/private.key && sudo chmod go= /etc/wireguard/private.key
Test the connection, enable wireguard connection:
sudo wg-quick up wg0
Disable wireguard connection:
sudo wg-quick down wg0
Some useful links
Wireguard GUI for debian based linux distributions, adds system tray icon and simple toggle:
OPNSense Wireguard Road Warrior setup, I used most steps to set up on my router:
Digital Oceans Wireguard setup guide is very useful and more featured than Wireguards’ own one:
Settings for Android App intents for conecting and disconnecting Tailscale VPN, for use in automation like Tasker.
I use it to connect to Tailscale when I leave my home WiFi network and disconnect again when join the home network.
These settings can be used to in the “Send Intent” action within Tasker. Any fields not mentioned should be left blank.
Target: Broadcast Receiver
Target: Broadcast Receiver
These should be set up as tasks within Tasker, which can then be called in the Profiles you create.
I created a connected and disconnected profile for my home network which called the appropriate intent.
I was trying to get an easy way to automate toggling my Wireguard VPN conection on and off when I left the house or for certain times of day. Unfortunately wiht the standard iOS settings or the Wireguard app there is no way to autmoate this that I have found. I did however discover some custom URLs for getting to certain VPN and DNS settings via shortcuts. So I can get all the way to the VPN setting but there is no way to make it toggle as far as I can tell. here are all the URL’s I discovered while looking into this, as most guides still refer to the VPN shortcut the old way. I found this list useful in my research, though it is out of date.
I have recently been participating in the UK Governments Upskill in Cyber initiative, which I have completed my SANS GFACT and GSEC exams. As a celebration of the end of the learning part of the course they put on a Capture the Flag event for us. It was my first time participating in such and event, though I had played First Person Shooters but this is something very different.
I just wanted access to my PiHole on my mobile when out of the house so I could get the tracking benefits when out of the house. I was surprised to find Wireguard was relatively simple to set up configure and deploy for my small use case of a desktop, Raspberry Pi, Mobile, iPad, and laptop. I did run into a small issue with a typo in my config file, which took me an hour to spot, even after I’d spotted it in the script I created to automate adding peers.
I went looking for a way to get ZSH style AutoComplete where it shows commands from youor history as you type and you can complete with a tap of the right arrow. And I came a cross PSReadline, a powerful PowerSHell model that does autocomplete exactly how I wanted it and so much more. I am using it mostly for the autocomplete functionality but if you have a read through it’s default profile, there are some great additional things it can do.
I had a really annoying problem where I couldn’t get the fingerprint reader working on my Dell XPS 13 after installing Ubuntu 22.04. Turns out there was a bug in the released drivers and Dell hadn’t picked it up when certifying the release for this device. My fingerprint reader is a Goodix Technology one, which doesn’t offer open source drivers itself either so couldn’t fall back to those.
Hot tip if you use zsh, which I do. I pretty much always want to list the contents of a directory after I
cdinto it, which you can achieve using zsh hook functions. Just add the following to your .zshrc and your good to go, this can be used to run any command you like after a directory change.
I always forget to transfer my keys and never remeber the command s to generte new ones, So here are my basic instructions for generating SSH keys and setting them up with Github and a server.
To enable the full right click context menu in Windows 11, hat tip to PC Pro a paper magazine I still get occasionally.
Go to the registy key:
Using the command line in Windows to create and individual zip archive of multiple folders.
The location where Docker stores the data for volumes created when using it in WSL2 mode:
This has moved several times over it’s lifetime so far and may move again in the future.
First things first is to install some dependencies (some others that I always need installed too):