All articles

2024-07-25 - News - Ian Clark · **Summary**

---
- hosts: localhost
  tasks:
  - name: test 1password
    debug:
      msg: <{{ lookup("onepassword",
                      "Mythic Beasts",
                      field="username") }}>

eval $(op signin)

ansible-playbook op.yml

ok: [localhost] => {
    "msg": "<hostmaster@cam.ac.uk>"
}

$ op signin --session $OP_SESSION_example example

#!/bin/sh
OP_SESSION_example=SQUEAMISHOSSIFRAGE /usr/local/bin/op "$@"

---
document: one
---
document: two

--- one
--- two

--- |
one
--- |
two

---
tags: [ progress ]
authors: [ fanf2 ]
--- |
YAML and Markdown
=================

# commentary explaining the purpose of this login
---
url: https://example.com/login
username: alice
gpg_d:
  password: example-login.asc

my $login = read_login $login_file, qw(username password url);
my $auth = $login->{username}.':'.$login->{password};
my $authorization = 'Basic ' . encode_base64 $auth, '';
my $r = LWP::UserAgent->new->post($login->{url},
          Authorization => $authorization,
          Content_Type => 'form-data',
          Content => [ hello => 'world' ]
      );

Redirect /.well-known/acme-challenge/ \
        http://{{newserver}}/.well-known/acme-challenge/

<VirtualHost *:80>
 ServerName {{inventory_hostname}}

 RewriteEngine on
 # https everything except acme-challenges
 RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
 # serve files that exist
 RewriteCond /var/lib/dehydrated/acme-challenges/$1 -f
 RewriteRule ^/.well-known/acme-challenge/(.*) \
             /var/lib/dehydrated/acme-challenges/$1 [L]
 # otherwise, try alternate server
 RewriteRule ^ http://{{next_acme_host}}%{REQUEST_URI} [R=302]

</VirtualHost>

<Directory /var/lib/dehydrated/acme-challenges/>
 Options FollowSymlinks
 Options -Indexes
 AllowOverride None
 Require all granted
</Directory>

    my @cookie_attr = (
            -name     => '__Host-Session',
            -path     => '/',
            -secure   => 1,
            -httponly => 1,
            -samesite => 'strict',
        );

if (timeout_call($connect_timeout, sub {
    $dbh = DBI->connect(@connect_args);
    moan $DBI::errstr unless $dbh;
})) {
    moan "database connection timed out";
}

- name: check TLS certificate exists
  stat:
    path: /etc/apache2/keys/tls-web.crt
  register: tls_cert
- when: not tls_cert.stat.exists
  name: fake TLS certificates
  file:
    state: link
    src: /etc/ssl/{{ item.src }}
    dest: /etc/apache2/keys/{{ item.dest }}
  with_items:
    - src: certs/ssl-cert-snakeoil.pem
      dest: tls-web.crt
    - src: certs/ssl-cert-snakeoil.pem
      dest: tls-chain.crt
    - src: private/ssl-cert-snakeoil.key
      dest: tls.pem

- name: initialize dehydrated
  command: dehydrated -c
  args:
    creates: /var/lib/dehydrated/certs/{{inventory_hostname}}/cert.pem

- name: certificate links
  file:
    state: link
    src: /var/lib/dehydrated/certs/{{inventory_hostname}}/{{item.src}}
    dest: /etc/apache2/keys/{{item.dest}}
  with_items:
    - src: cert.pem
      dest: tls-web.crt
    - src: chain.pem
      dest: tls-chain.crt
    - src: privkey.pem
      dest: tls.pem
  notify:
    - restart apache

#!/bin/bash
set -eu -o pipefail
( dehydrated --cron
  dehydrated --cleanup
) | logger --tag dehydrated --priority cron.info

#!/bin/bash
set -eu -o pipefail
case "$1" in
(deploy_cert)
    apache2ctl configtest &&
    apache2ctl graceful
    ;;
esac

- copy:
    dest: /etc/dehydrated/conf.d/dns.sh
    content: |
      EMAIL="hostmaster@cam.ac.uk"
      HOOK="/etc/dehydrated/hook.sh"

- copy:
    content: "{{inventory_hostname}}\n"
    dest: /etc/dehydrated/domains.txt

{{hostname}} {% if i_am_www %} www.dns.cam.ac.uk dns.cam.ac.uk {% endif %}

131.111.8.42  recdns0.csx.cam.ac.uk -> rec0.dns.cam.ac.uk
131.111.12.20 recdns1.csx.cam.ac.uk -> rec1.dns.cam.ac.uk

# Find the domain's details page.

click '#commonActionsMenuLogin_ListDomains';

fill '#MainContent_tbDomainNames' => $domain,
    '#MainContent_ShowReverseDelegatedDomains' => 'selected';

click '#MainContent_btnFilter';

name: .
keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Fri, 18 Jan 2019 14:28:17 GMT
    trusted since: Tue, 11 Jul 2017 15:03:52 GMT
keyid: 19164
    algorithm: RSASHA256
    flags: REVOKE SEP
    next refresh: Fri, 18 Jan 2019 14:28:17 GMT
    remove at: Sun, 10 Feb 2019 14:20:18 GMT
    trust revoked

131.111.8.42  recdns0.csx.cam.ac.uk -> rec0.dns.cam.ac.uk
131.111.12.20 recdns1.csx.cam.ac.uk -> rec1.dns.cam.ac.uk

ansible-playbook dhcpd-shutdown-save-leases.yml \
    --limit $SERVER

ANSIBLE_SSH_ARGS=-4 ANSIBLE_HOST_KEY_CHECKING=False \
    ansible-playbook -e all=1 --limit $SERVER main.yml

git push
ansible-playbook --limit new main.yml

    { jsonrpc: "2.0", id: 0,
      method: "rpc.transaction",
      params: [ { jsonrpc: "2.0", id: 1, method: ... },
                { jsonrpc: "2.0", id: 2, method: ... }, ... ] }

    { jsonrpc: "2.0", id: 0,
      method: "rpc.transaction",
      params: { prepared: "#" } }

    { "jsonrpc": "2.0",
      "id": 0,
      "method": "transaction",
      "params": [ {
          "jsonrpc": "2.0",
          "id": 1,
          "method": "foo",
          "params": { ... }
        }, {
          "jsonrpc": "2.0",
          "id": 2,
          "method": "bar",
          "params": { ... }
        } ]
    }

    # signatures valid for 1 day (default is 30 days)
    # re-sign 23 hours before expiry
    # (whole zone is re-signed every hour)
    sig-validity-interval 1 23;
    # restrict the size of a batch of signing to examine
    # at most 10 names and generate at most 2 signatures
    sig-signing-nodes 10;
    sig-signing-signatures 2;

    rndc freeze test.example
    dig axfr test.example | grep -v RRSIG |
    dnssec-signzone -e now+$((86400 - 3600 - 200)) \
            -i 3600 -j 200 \
            -f signed -o test.example /dev/stdin
    rm -f test.example test.example.jnl
    mv signed test.example
    # re-load the zone
    rndc thaw test.example
    # re-start signing
    rndc sign test.example

$ fakeroot alien oracle-instantclient12.1-basiclite-12.1.0.2.0-1.x86_64.rpm
$ fakeroot alien oracle-instantclient12.1-sqlplus-12.1.0.2.0-1.x86_64.rpm

$ ora2pg --debug
$ mv output.sql tables.sql
$ ora2pg --debug --type copy
$ mv output.sql rows.sql

$ table-fixup.pl <tables.sql >fixed.sql
$ psql -1 -f functions.sql
$ psql -1 -f fixed.sql
$ psql -1 -f rows.sql

$ time simple-cdd --dist stretch \
        --debian-mirror http://ftp.uk.debian.org/debian
[...]
ERROR: missing required packages from profile default:  less
ERROR: missing required packages from profile default:  simple-cdd-profiles
WARNING: missing optional packages from profile default:  grub-pc grub-efi popularity-contest console-tools console-setup usbutils acpi acpid eject lvm2 mdadm cryptsetup reiserfsprogs jfsutils xfsprogs debootstrap busybox syslinux-common syslinux isolinux
real    1m1.528s
user    0m34.748s
sys     0m1.900s

isc.org
allow-update { !{ !localhost; any; }; key local-ddns; };

http://www.ucs.cam.ac.uk/network/infoinstitutions/techref/portblock

max-udp-size 1420;
minimal-responses yes;

cloudflare.net.  HINFO  ( "Please stop asking for ANY"
                          "See draft-jabley-dnsop-refuse-any" )

https://jackdaw.cam.ac.uk/ipreg/nsconfig/

    Connection of IoA/RGO to IP world
    ---------------------------------

This note is a statement of where I believe we have got to and an initial
review of the options now open.

What we have achieved so far
----------------------------

All the Suns are properly connected at the lower levels to the
Cambridge IP network, to the national IP network (JIPS) and to the
international IP network (the Internet). This includes all the basic
infrastructure such as routing and name service, and allows the Suns
to use all the usual native Unix communications facilities (telnet,
ftp, rlogin etc) except mail, which is discussed below. Possibly the
most valuable end-user function thus delivered is the ability to fetch
files directly from the USA.

This also provides the basic infrastructure for other machines such as
the VMS hosts when they need it.

VMS nodes
---------

Nothing has yet been done about the VMS nodes. CAMV0 needs its address
changing, and both IOA0 and CAMV0 need routing set for extra-site
communication. The immediate intention is to route through cast0. This
will be transparent to all parties and impose negligible load on
cast0, but requires the "doit" bit to be set in cast0's kernel. We
understand that PSH is going to do all this [check], but we remain
available to assist as required.

Further action on the VMS front is stalled pending the arrival of the
new release (6.6) of the CMU TCP/IP package. This is so imminent that
it seems foolish not to await it, and we believe IoA/RGO agree [check].

Access from Suns to Coloured Book world
---------------------------------------

There are basically two options for connecting the Suns to the JANET
Coloured Book world. We can either set up one or more of the Suns as
full-blown independent JANET hosts or we can set them up to use CS
gateway facilities. The former provides the full range of facilities
expected of any JANET host, but is cumbersome, takes significant local
resources, is complicated and long-winded to arrange, incurs a small
licence fee, is platform-specific, and adds significant complexity to
the system managers' maintenance and planning load. The latter in
contrast is light-weight, free, easy to install, and can be provided
for any reasonable Unix host, but limits functionality to outbound pad
and file transfer either way initiated from the local (IoA/RGO) end.
The two options are not exclusive.

We suspect that the latter option ("spad/cpf") will provide adequate
functionality and is preferable, but would welcome IoA/RGO opinion.

Direct login to the Suns from a (possibly) remote JANET/CUDN terminal
would currently require the full Coloured Book package, but the CS
will shortly be providing X.29-telnet gateway facilities as part of
the general infrastructure, and can in any case provide this
functionality indirectly through login accounts on Central Unix
facilities. For that matter, AST-STAR or WEST.AST could be used in
this fashion.

Mail
----

Mail is a complicated and difficult subject, and I believe that a
small group of experts from IoA/RGO and the CS should meet to discuss
the requirements and options. The rest of this section is merely a
fleeting summary of some of the issues.
Firstly, a political point must be clarified. At the time of writing
it is absolutely forbidden to emit smtp (ie Unix/Internet style) mail
into JIPS. This prohibition is national, and none of Cambridge's
doing. We expect that the embargo will shortly be lifted somewhat, but
there are certain to remain very strict rules about how smtp is to be
used. Within Cambridge we are making best guesses as to the likely
future rules and adopting those as current working practice. It must
be understood however that the situation is highly volatile and that
today's decisions may turn out to be wrong.

The current rulings are (inter alia)

        Mail to/from outside Cambridge may only be grey (Ie. JANET
        style).

        Mail within Cambridge may be grey or smtp BUT the reply
        address MUST be valid in BOTH the Internet AND Janet (modulo
        reversal). Thus a workstation emitting smtp mail must ensure
        that the reply address contained is that of a current JANET
        mail host. Except that -

        Consenting machines in a closed workgroup in Cambridge are
        permitted to use smtp between themselves, though there is no
        support from the CS and the practice is discouraged. They
        must remember not to contravene the previous two rulings, on
        pain of disconnection.

The good news is that a central mail hub/distributer will become
available as a network service for the whole University within a few
months, and will provide sufficient gateway function that ordinary
smtp Unix workstations, with some careful configuration, can have full
mail connectivity. In essence the workstation and the distributer will
form one of those "closed workgroups", the workstation will send all
its outbound mail to the distributer and receive all its inbound mail
from the distributer, and the distributer will handle the forwarding
to and from the rest of Cambridge, UK and the world.

There is no prospect of DECnet mail being supported generally either
nationally or within Cambridge, but I imagine Starlink/IoA/RGO will
continue to use it for the time being, and whatever gateway function
there is now will need preserving. This will have to be largely
IoA/RGO's own responsibility, but the planning exercise may have to
take account of any further constraints thus imposed. Input from
IoA/RGO as to the requirements is needed.

In the longer term there will probably be a general UK and worldwide
shift to X.400 mail, but that horizon is probably too hazy to rate more
than a nod at present. The central mail switch should in any case hide
the initial impact from most users.

The times are therefore a'changing rather rapidly, and some pragmatism
is needed in deciding what to do. If mail to/from the IP machines is
not an urgent requirement, and since they will be able to log in to
the VMS nodes it may not be, then the best thing may well be to await
the mail distributer service. If more direct mail is needed more
urgently then we probably need to set up a private mail distributer
service within IoA/RGO. This would entail setting up (probably) a Sun
as a full JANET host and using it as the one and only (mail) route in
or out of IoA/RGO. Something rather similar has been done in Molecular
Biology and is thus known to work, but setting it up is no mean task.
A further fall-back option might be to arrange to use Central Unix
facilities as a mail gateway in similar vein. The less effort spent on
interim facilities the better, however.

Broken mail
-----------

We discovered late in the day that smtp mail was in fact being used
between IoA and RA, and the name changing broke this. We regret having
thus trodden on existing facilities, and are willing to help try to
recover any required functionality, but we believe that IoA/RGO/RA in
fact have this in hand. We consider the activity to fall under the
third rule above. If help is needed, please let us know.

We should also report sideline problem we encountered and which will
probably be a continuing cause of grief. CAVAD, and indeed any similar
VMS system, emits mail with reply addresses of the form
"CAVAD::user"@....  This is quite legal, but the quotes are
syntactically significant, and must be returned in any reply.
Unfortunately the great majority of Unix systems strip such quotes
during emission of mail, so the reply address fails. Such stripping
can occur at several levels, notably the sendmail (ie system)
processing and the one of the most popular user-level mailers. The CS
is fixing its own systems, but the problem is replicated in something
like half a million independent Internet hosts, and little can be done
about it.

Other requirements
------------------

There may well be other requirements that have not been noticed or,
perish the thought, we have inadvertently broken. Please let us know
of these.

Bandwidth improvements
----------------------

At present all IP communications between IoA/RGO and the rest of the
world go down a rather slow (64Kb/sec) link. This should improve
substantially when it is replaced with a GBN link, and to most of
Cambridge the bandwidth will probably become 1-2Mb/sec. For comparison,
the basic ethernet bandwidth is 10Mb/sec. The timescale is unclear, but
sometime in 1992 is expected. The bandwidth of the national backbone
facilities is of the order of 1Mb/sec, but of course this is shared with
many institutions in a manner hard to predict or assess.

For Computing Service,
Tony Stoneley, ajms@cam.cus
29/11/91

https://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-signed.html

https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-signed.html

http://www.isc.org/software/bind/advisories/cve-2011-4313

               Old IPv6 address          New IPv6 address
authdns0.csx   2001:630:200:8080::d:a0   2001:630:212:8::d:a0
authdns1.csx   2001:630:200:8120::d:a1   2001:630:212:12::d:a1
recdns0.csx    2001:630:200:8080::d:0    2001:630:212:8::d:0
recdns1.csx    2001:630:200:8120::d:1    2001:630:212:12::d:1

https://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

http://www.isc.org/software/bind/advisories/cve-2011-2464

http://www.isc.org/software/bind/advisories/cve-2011-2465

http://www.isc.org/software/bind/advisories/cve-2011-1910

http://www.isc.org/software/bind/advisories/cve-2011-1910

http://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

https://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

http://jackdaw.cam.ac.uk/ipreg/nsconfig/consolidated-reverse-zones.html

http://www-tus.csx.cam.ac.uk/windows_support/Current/activedirectory/dns/dnssec.html

http://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

http://jackdaw.cam.ac.uk/ipreg/nsconfig/consolidated-reverse-zones.html

https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-validation.html
https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-testing.html

Mnemonic    Code    Supported by    Can be used with which
                  BIND versions[1]    negative responses

RSASHA1        5       9.4          Only zones using NSEC
NSEC3RSASHA1   7       9.6          Zones using NSEC or NSEC3[2]
RSASHA256      8    9.6.2 or 9.7    Zones using NSEC or NSEC3

http://ucsnews.csx.cam.ac.uk/articles/2010/03/30/newsgroups-and-bulletin-boards

http://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

http://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-validation.html

http://www-tus.csx.cam.ac.uk/windows_support/Current/activedirectory/dns/ad_dns_config_info.html

111.131.in-addr.arpa
0.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa

https://jackdaw.cam.ac.uk/ipreg/nsconfig/

http://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-windows.html

http://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

<4-digit-year><2-digit-month><2-digit-day><2-more-digits>

$ dig +short hinfo cam.ac.uk
"SERIAL" "2009072120"

http://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-validation.html

http://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-testing.html

131.111.8.42   or 2001:630:200:8080::d:0
131.111.12.20  or 2001:630:200:8120::d:1

http://people.pwf.cam.ac.uk/cet1/dnssec-validation.html

http://people.pwf.cam.ac.uk/cet1/signed-cam.html

http://people.pwf.cam.ac.uk/cet1/dnssec-testing.html

http://people.pwf.cam.ac.uk/cet1/prune-reverse-zones

http://jackdaw.cam.ac.uk/ipreg/nsconfig/sample.named.conf

http://jackdaw.cam.ac.uk/ipreg/nsconfig/db.cache

http://jackdaw.cam.ac.uk/ipreg/nsconfig/

ftp://ftp.internic.net/domain/named.root

http://jackdaw.cam.ac.uk/ipreg/nsconfig/db.cache

ftp://ftp.cus.cam.ac.uk/pub/IP/Cambridge

http://jackdaw.cam.ac.uk/ipreg/nsconfig

notify no;

ftp://ftp.cus.cam.ac.uk/pub/IP/Cambridge/sample.named.conf

ftp://ftp.cus.cam.ac.uk/pub/IP/Cambridge/sample.named.conf

 masters { 131.111.8.42; 131.111.12.20; };

 masters { 131.111.8.37; 131.111.12.37; };

authdns0.csx.cam.ac.uk [131.111.8.37]
authdns1.csx.cam.ac.uk [131.111.12.37]

recdns0.csx.cam.ac.uk [131.111.8.42]
recdns1.csx.cam.ac.uk [131.111.12.20]

ip-register@uis.cam.ac.uk

page	v2 lines	v3 lines	change
box	283	151	53%
vbox	327	182	55%
aname	244	115	47%
cname	173	56	32%
mx	253	115	45%
srv	272	116	42%
motd	51	22	43%
totp	66	20	30%

All articles

aims

what about regpg?

1password

secrets automation and 1password connect

1password command line tool

Ansible and op

SHAmbles

DNSSEC implications

YAML documents

YAML frontmatter

Tabs and indentation

Indents in Markdown

The login problem

Ad-hoc data formats

Secret hygiene

Implementation

Deployment

The situation

The problem

A solution

on the old server

on the new server

migrate

API cookies

Single ops

Clustering

Validation servers

Decentralized validation

Apache mod_rewrite

Code

Security checks

State objects

Next

Apache::DBI

Connection hangs

DBI(3pm) timeouts

Sys::SigAction

Undelete

Chicken / egg

Snakeoil

ACME dehydrated boulders

Boring config details

Done

Started

Next

Simple safety interlocks

Key timing in BIND

What can break?

A simple rule

Applying this rule to BIND

Caveat

Required work

My WebDriver library

Asyncrony

The WebDriver spec

Next steps

DNS flag day

Old DNSSEC root key revoked

Statefulness

Bad solutions

Better solution

Further improvements

Stats

Projects

Future of IP Register

Maintenance

IETF

Open Source

What's next?

Context

Rewrite needed

Current landscape

What I tried out

What didn't work

What next

For rename

For both

For upgrade

For rename

Ansible and `op`