
Wednesday, 7 June 2017

DNS 3: NSEC3


Categories: [ Computing ]

Third part of my DNS setup notes: changing the DNSSEC configuration from NSEC to NSEC3. This has been on my TODO list for over a year now, and despite the tutorial in the ISC Knowledge Base, the ride was a bit bumpy.

Generating new keys

The previous keys used the default RSASHA1 algorithm (number 5). That is an NSEC-only algorithm: a zone signed with it cannot carry an NSEC3 chain (RFC 5155), so we need new keys using RSASHA256 (number 8), which works with both NSEC and NSEC3.

Generating those keys was easy. On a machine with enough available entropy in /dev/random (such as a Raspberry Pi with its hardware random number generator) run:
dnssec-keygen -a RSASHA256 -b 2048 -3 example.com
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.com

Transfer the keys to the server where Bind is running, into the directory where Bind is looking for them.

Loading the keys

The documentation says to load the keys with
rndc loadkeys example.com
but that ended with a cryptic message in the logs:
NSEC only DNSKEYs and NSEC3 chains not allowed

The explanation is that Bind will not let a zone have an NSEC3 chain while it still holds DNSKEYs of an NSEC-only algorithm (here the old RSASHA1 keys). I knew the old algorithm ruled out NSEC3; I had not anticipated that Bind would refuse to load the new keys as long as the old ones were around. I eventually resorted to stopping Bind completely, moving the old keys away, deleting the *.signed and *.signed.jnl files in /var/cache/bind/ and restarting Bind. The new keys were then loaded automatically, and the zone was re-signed with NSEC.

NSEC3 at last

I could then resume with the tutorial.

First, generate a random salt:

openssl rand -hex 4
(let's assume the result of that operation was “d8add234”).

Then tell Bind the parameters it needs to create NSEC3 records:
rndc signing -nsec3param 1 0 10 d8add234 example.com.
The four parameters are the hash algorithm (1 = SHA-1, the only one defined), the flags (0 = no opt-out), the number of extra hash iterations (10) and the salt. Note that current guidance (RFC 9276) is to use 0 iterations and no salt (written "-" in the rndc command): extra iterations mostly add load on validating resolvers without giving meaningful protection against offline guessing of names. The 10 iterations used here are well within the limits resolvers enforce.
Then check that the zone is signed with
rndc signing -list example.com
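Once rndc signing -list reports the chain, it is worth confirming from the zone's own answers that no NSEC-only DNSKEY is still published and that the NSEC3PARAM record carries exactly the parameters handed to rndc (a stale algorithm-5 key re-appearing from a key directory that was not fully cleaned reproduces the error above). The script below is an added example, not from the original post or from ISC; the DNSKEY and NSEC3PARAM records embedded in it are constructed stand-ins in dig's presentation format with placeholder key material, and the script name is an assumption.

```shell
#!/bin/sh
# check-nsec3.sh: verify a zone's DNSKEY/NSEC3PARAM RRsets after the NSEC -> NSEC3 switch.
# Usage:  sh check-nsec3.sh example.com 1 0 10 d8add234
# (the four values are the ones given to "rndc signing -nsec3param").

# Algorithms defined for NSEC only (RFC 5155 section 2): 1 RSAMD5, 3 DSA, 5 RSASHA1.
# Their NSEC3-capable twins are 6 and 7; 8 is RSASHA256.
# $1: records in dig presentation format. Prints each offending algorithm number;
# exit status 1 if any was found, 0 otherwise.
nsec_only_algs() {
    printf '%s\n' "$1" | awk '
        $4 == "DNSKEY" { alg = $7 + 0
            if (alg == 1 || alg == 3 || alg == 5) { print alg; bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

# $1: records; $2..$5: expected hash algorithm, flags, iterations, salt.
# Exit 0 only if an NSEC3PARAM record is present and every field matches
# (salt compared case-insensitively: dig prints it upper-case, rndc was
# given it lower-case; "-" means no salt on both sides).
nsec3param_matches() {
    printf '%s\n' "$1" | awk -v h="$2" -v f="$3" -v i="$4" -v s="$5" '
        $4 == "NSEC3PARAM" { found = 1
            if ($5 != h || $6 != f || $7 != i || tolower($8) != tolower(s)) {
                print "NSEC3PARAM mismatch: " $0; bad = 1 } }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed sample records (placeholder key material, not real keys): the zone
# as it should look after the switch, and as it looked before, with the old
# algorithm-5 keys still present and no NSEC3PARAM yet.
SAMPLE_AFTER='example.com. 3600 IN DNSKEY 257 3 8 AwEAAcKSKplaceholder==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAcZSKplaceholder==
example.com. 0 IN NSEC3PARAM 1 0 10 D8ADD234'

SAMPLE_BEFORE='example.com. 3600 IN DNSKEY 257 3 5 AwEAAcOldKSKplaceholder==
example.com. 3600 IN DNSKEY 256 3 5 AwEAAcOldZSKplaceholder==
example.com. 3600 IN DNSKEY 257 3 8 AwEAAcKSKplaceholder=='

# With a zone and the four parameters on the command line, check the live zone.
if [ $# -eq 5 ]; then
    records=$(dig +noall +answer "$1" DNSKEY "$1" NSEC3PARAM)
    status=0
    nsec_only_algs "$records" || { echo "NSEC-only DNSKEY still published" >&2; status=1; }
    nsec3param_matches "$records" "$2" "$3" "$4" "$5" || status=1
    exit $status
fi
```

Run it against the authoritative server rather than a resolver (add @ns1.example.com to the dig call if needed) so that a cached pre-switch DNSKEY RRset does not hide a leftover key.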

Linking the zones

Since the keys have changed, you need to update your domain's DS record in your parent domain's DNS, using the tool provided by your registrar. This step is the same as in the “Linking the zones” section of the previous part of this tutorial. Bear in mind that, with the old keys removed as above, validating resolvers will reject the zone as bogus from the moment it is re-signed with the new keys until the new DS is published in the parent and the old DS has expired from caches; a rollover that keeps the old keys (and the old DS) published until the new DS is live avoids that outage.

[ Posted on 7 June 2017 at 23:15 | no comments | ]

Sunday, 2 April 2017

Rainbow cake

Categories: [ Cooking ]

Prepare a simple yoghurt cake batter. I added 12 g of vanilla sugar for flavour. Instead of a loaf tin, use a buttered and floured round cake tin (moule à manqué).

[Photo: gateau_arc_en_ciel-1]

Divide the batter into six portions and colour each one with food colouring (red; yellow plus red for orange; yellow; green; blue; and red plus blue for purple).

[Photo: gateau_arc_en_ciel-2]

Pour the red batter into the centre of the tin. On top of it, slowly pour the orange batter, letting it fall from as low a height as possible. If you can, give the tin a quarter turn while pouring so that the batter forms a disc rather than an ellipse.

[Photo: gateau_arc_en_ciel-3]

Pour the yellow, then the green, the blue and the purple in the same way.

[Photo: gateau_arc_en_ciel-4]

Bake for 20-25 min in a 200 °C oven. A skewer pushed into the cake should come out clean.

[Photo: gateau_arc_en_ciel-5]

Feast your eyes before you eat :)

[ Posted on 2 April 2017 at 18:35 | no comments | ]

Sunday, 19 February 2017

Chocolate chip cookies

Categories: [ Cooking ]

A recipe adapted from Cookwise with ingredients available in Finland.

Ingredients

Makes about 32 cookies.

  • 140 g + 30 g unsalted butter
  • 125 g pecans
  • 200 g fariinisokeri (Finnish soft brown sugar)
  • 1 tbsp liquid vanilla extract
  • 1 egg
  • 200 g kakkuvehnäjauho (Finnish cake flour)
  • 1.5 tsp baking powder
  • 1 pinch of salt
  • 80 g Pirkka luomu 72% dark chocolate
  • 100 g Panda milk chocolate

Preparation

  • Preheat the oven to 180 °C and spread the pecans on a baking sheet.
  • Mix (30 s in a food processor) the flour, the baking powder and the salt.
  • Beat (with an electric mixer fitted with a whisk) 140 g of butter with the sugar and the vanilla extract until smooth. Add the egg and keep beating.
  • Toast the pecans in the oven for 8 min.
  • Gradually work the flour mixture into the batter.
  • When the pecans are toasted, mix them with the 30 g of butter and let them cool a little.
  • Chop the chocolate with a knife into pieces of at most 5 mm and briefly mix them into the batter.
  • Chop the pecans with a knife into pieces of at most 5 mm and briefly mix them into the batter.
  • Rest for 2 h in the fridge.
  • Preheat the oven to 180 °C.
  • Place 8 or 9 roughly shaped balls of dough, about 35 to 40 mm in diameter, on an aluminium sheet lined with a reusable baking liner. Put the rest of the dough back in the fridge.
  • Bake for 9 min in the middle of the oven.
  • Let cool for 5 min, then move the cookies to a rack with a spatula.
  • Repeat the previous three steps with the rest of the dough.
  • Store in a metal biscuit tin.

[ Posted on 19 February 2017 at 11:45 | no comments | ]

Sunday, 5 February 2017

SSH access to a Buffalo LS210 NAS


Categories: [ Computing ]

My old NAS, which I use for backups, is now over 10 years old, and while it still works and faithfully backs up my files every night, its probability of failing keeps increasing.

I decided to replace it with a Buffalo Linkstation 210, which offers 2 TB of space for 140 EUR, cheaper than building my own device, at the risk of not being able to use it the way I want, since it is a commercial device that wasn't designed with my needs in mind.

The way I want to use the NAS is that it boots automatically at a given time, after which the backup script on the desktop starts, transfers the needed files and puts the NAS back into sleep mode. That last feature was available on my previous device, but not on the LS210. Hence the need to make it do my bidding.

Moreover, the web UI for administering the LS210 is horribly slow on my desktop due to bad JavaScript code, so the less I have to use it, the better.

The device

The way to gain SSH access seems to vary depending on the exact version of the device and the firmware. Mine is an LS210D0201-EU with firmware version 1.63-0.04, bought in January 2017.

Initial setup

I found instructions on the nas-central.com forum. They rely on a Java tool called ACP_COMMANDER, which apparently talks to a backdoor of the device meant for firmware updates and the like, but which can be used to run any shell command on the device, as root, given only the password of the device's admin user. In other words, whoever on the network knows that password has root on the NAS, which is a good reason to change it from the default once the setup below is done.

Let's assume $IP is the IP address of the device and "password" is the password of the admin user on the device (it's the default password).

You can test that ACP_COMMANDER works with the following command that runs uname -a on the device:
java -jar acp_commander.jar -t $IP -ip $IP -pw password -c "uname -a"
It will output a fair amount of information (including a weird message about changing the IP and a wrong password), but if you find the following in the middle of it, it worked:
>uname -a
Linux LS210D 3.3.4 #1 Thu Sep 17 22:55:58 JST 2015 armv7l GNU/Linux

Starting the SSH server is then a matter of

  • enabling the SSH feature (which, on this cheap model, is disabled by default),
  • starting the SSH server,
  • changing root's password to "root" so that we can log in (this is a placeholder: until it is replaced by something strong, root is reachable over the network with a trivially guessable password, so change it right after the first successful login).
This is achieved through the following commands:
java -jar acp_commander.jar -t $IP -ip $IP -pw password -c "sed -i 's/SUPPORT_SFTP=0/SUPPORT_SFTP=1/g' /etc/nas_feature"
 
java -jar acp_commander.jar -t $IP -ip $IP -pw password -c "/etc/init.d/sshd.sh start"
 
java -jar acp_commander.jar -t $IP -ip $IP -pw password -c "(echo root;echo root)|passwd"

On some older versions of the firmware, root login over SSH was disabled and had to be allowed with

java -jar acp_commander.jar -t $IP -ip $IP -pw password -c "sed -i 's/#PermitRootLogin/PermitRootLogin/g' /etc/sshd_config"
but that is not the case on my device.

Once this is done, I can run
ssh root@$IP

and log in with the password "root" set earlier.

One nasty feature of the device is that the /etc/nas_feature file gets rewritten on each boot by the initrd. The last step is therefore to edit /etc/init.d/sshd.sh and comment out, near the beginning of the file, the few lines that check for SSH/SFTP support and exit when SSH is not supported:
#if [ "${SUPPORT_SFTP}" = "0" ] ; then
#        echo "Not support sftp on this model." > /dev/console
#        exit 0
#fi

According to a comment on the nas-central forum,

“The /etc/nas_feature is restored on each reboot, so sshd does not run on boot. Even if you change the init script.”

but I found this not to be true.

I checked that this setup really survives a reboot, by logging in as root and typing reboot. SSH access was still possible after the device had restarted.

Going further

It was then possible to set up SSH access using keys; RSA and ECDSA are supported, but not Ed25519. Once key login works, it makes sense to replace the "root" password with a strong one and to turn password authentication off in /etc/sshd_config.

One missing feature is the sudo command, but I can live without it I guess.

I then set up the device to wake up at a given time (through the “Sleep timer” feature in the administration web UI). It is then possible to put the device to sleep by running, as root,
PowerSave.sh standby
The command is located in /usr/local/sbin, and that directory is not on the PATH for non-interactive logins, so I wrote the following wrapper script to shut down the device:
#!/bin/sh
# IP must hold the address of the NAS (exported in the environment or set here).
: "${IP:?set IP to the address of the NAS}"
ssh root@$IP 'bash -l -c "PowerSave.sh standby"'

Once in standby, the device starts again automatically at the set time, or when the “function” button on the back is pressed.
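The wrapper above hands the desktop an unrestricted root login on the NAS for the sake of one command. With key-based login in place, root's authorized_keys on the LS210 can bind the desktop's key to a forced command, so that this key can trigger standby and nothing else. The guard script below is an added example, not from the original post or from Buffalo; it assumes the device's sshd honours command= in authorized_keys, that PowerSave.sh lives in /usr/local/sbin as stated above, and the install path /root/nas-guard.sh and the key comment are placeholders.

```shell
#!/bin/sh
# nas-guard.sh: forced-command guard for the desktop's backup key on the LS210.
# Install it on the NAS (the path below is an assumed placeholder) and bind it to
# the desktop's key in /root/.ssh/authorized_keys, so that key can only ever
# trigger what is on the allowlist:
#
#   command="/root/nas-guard.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...== desktop-backup
#
# PowerSave.sh lives in /usr/local/sbin, which is not on the PATH for
# non-interactive logins, so it is called by absolute path (overridable for tests).
POWERSAVE="${POWERSAVE:-/usr/local/sbin/PowerSave.sh}"

# Run the requested action if, and only if, it is on the allowlist.
# The request is matched as one exact string and never handed to a shell for
# re-parsing, so "standby; reboot" or "standby && sh" is refused as a whole.
# Returns 0 on success, 1 when the request is refused.
dispatch() {
    case "$1" in
        standby)
            "$POWERSAVE" standby
            ;;
        *)
            echo "nas-guard: refused request: '$1'" >&2
            return 1
            ;;
    esac
}

# Under a forced command, sshd ignores the script's own argv and passes the
# command the client asked for in SSH_ORIGINAL_COMMAND. A plain interactive
# "ssh root@nas" with this key leaves it unset and gets nothing at all.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

The desktop-side wrapper then becomes ssh -i ~/.ssh/nas_backup root@$IP standby: sshd runs the guard instead of the requested command and hands it the request in SSH_ORIGINAL_COMMAND, so a stolen backup key yields a standby switch rather than a root shell.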

[ Posted on 5 February 2017 at 12:52 | no comments | ]