Trust your SSH server

Friday, 23 October 2020
Written by
Grégory Soutadé

The article you're reading is hosted on my own server. That server runs a lot of services: web, mail, database, XMPP... and to manage it I need an SSH connection, which is the most secure way to connect to a remote server. But how can I trust this connection in a hostile environment?

Connection protocols and key exchange have greatly evolved over the last 20 years, but they are still based on a root asymmetric key pair (RSA, DSA, ECDSA...). When you connect to a server for the first time, you get a message like this:

The authenticity of host ' (' can't be established.
RSA key fingerprint is 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23.
Are you sure you want to continue connecting (yes/no)? no

This is a human-readable fingerprint of the host key used to establish the connection. Personally, I don't know my server's fingerprint by heart. There are some solutions to check it:

  • Manually, by printing it on paper or keeping it on your phone or on a USB key
  • Register it in a DNS record, but DNS servers and responses can easily be spoofed
  • Use public key based authentication (you need to keep the key on a USB key)

The best option remains having the secret (key or fingerprint) somewhere you can access it. In this article I propose another solution that you can always run in a hostile environment without any previous setup.

The idea is to create a restricted user that can only run a verification script, which checks the fingerprint once the connection is established and thus avoids Man In The Middle attacks!


First, we have to create this user, named check-user:

useradd --create-home --no-user-group --shell /bin/rbash check-user
cd /home/check-user

You can set a password or not. I don't, so no connection can be opened from outside nor from inside, as my server always asks for a password (we can still use su/sudo). I also set a restricted shell (rbash).

Then, we have to create a key pair:

su check-user
ssh-keygen -t rsa -f .ssh/id_rsa   # generate the pair; the passphrase prompt can be left empty
cp .ssh/id_rsa.pub .ssh/authorized_keys

You can set a passphrase for this key or not. Then, edit .ssh/authorized_keys and prefix the key line with a forced command:

command="rbash" ssh-rsa AAAA...

Now, download the server-side check script (below) into /home/check-user and set execution permissions.

Then, go to your web server directory where you can put downloadable files (something like /var/www) and copy the SSH private key there:

cd /var/www
cp /home/check-user/.ssh/id_rsa ssh_check
chmod a+r ssh_check

Now, you can edit the client script (below) and run it from any network!

How does it work?

The client starts by establishing an SSH connection and closes it immediately in order to retrieve the remote fingerprint. Then, it downloads the check-user SSH private key and uses it to connect to the server and send the fingerprint. The only command that can be run with this key is rbash, which gets the fingerprint and compares it with the host keys installed on the server side. A message is then displayed indicating whether the connection is secure or not.



#!/bin/bash
# Server-side check script, run as the forced command of check-user.
# The client passes the fingerprint it saw as the remote command, so it
# arrives here in SSH_ORIGINAL_COMMAND.

target_key=$(echo "$SSH_ORIGINAL_COMMAND" | tr -d "\r\n")

if [ -z "${target_key}" ] ; then
    echo "Empty key provided, abort"
    exit 0
fi

# Only the public halves are readable by check-user; the fingerprint of each
# host key is computed and compared with the one the client saw.
for keyfile in /etc/ssh/ssh_host_*.pub ; do
    a=$(ssh-keygen -l -f "${keyfile}" | grep -F "${target_key}") # captured so the match is not printed
    if [ $? -eq 0 ] ; then
        echo "Target key found, your connection is secure !"
        exit 0
    fi
done

echo "!!! WARNING !!! Key not found, the connection may not be secure"

exit 1


#!/bin/bash
# Client-side script: checks the fingerprint of <ssh server> from any machine.

KEY_TRACE="Server host key:"
REMOTE_USER="check-user"
tmp_file=$(mktemp)

if [ -z "$1" ] ; then
    echo "usage : $0 <ssh server>"
    exit 0
fi

# URL where the check-user private key was published (the /var/www step above).
# Adjust the scheme and path to your web server.
SSH_CHECK_KEY="https://$1/ssh_check"

echo "Retrieve remote key for $1"
# -v prints the host key during the handshake; with no password prompt the
# connection ends at authentication, which is all we need.
ssh -v -o "NumberOfPasswordPrompts=0" "$@" >"${tmp_file}" 2>&1
key=$(grep "${KEY_TRACE}" "${tmp_file}")
key=$(echo "${key}" | cut -d" " -f6)
rm -f "${tmp_file}"

echo "Retrieve SSH private key from ${SSH_CHECK_KEY}"
wget -O ssh_check "${SSH_CHECK_KEY}"
chmod 0400 ssh_check

echo "Check for key ${key}"
# The fingerprint is sent as the remote command; the server reads it from SSH_ORIGINAL_COMMAND.
ssh -l "${REMOTE_USER}" -i ssh_check "$@" "${key}"
echo "Cleaning"
rm -f ssh_check

gPass 1.0

Friday, 16 October 2020
Written by
Grégory Soutadé

gPass logo

Quick reminder: gPass is an online password manager. It's a free (libre) alternative to LastPass. It lets you host a password server that stores a strong, unique password for each website. Passwords are encrypted with a "master key" that only the user knows, and are substituted on the fly into the login form.

gPass version 1.0 is out! In reality, this is not a major turning point in the life of this plugin, just a "tenth" version that keeps evolving incrementally. The list of changes is not huge either. Still, a small code cleanup is worth noting.

Server side:

  • New "clear form" button
  • Automatic scrolling to the matching entry when a master key is validated, if the URL field is filled in (which is the case when you click the "Your server" link in the popup)

Addon:

  • Removed compatibility with the old cryptography code
  • Removed the Firefox addon code, keeping only the WebExtension
  • Removed the request-blocking feature
  • The password is copied to the clipboard when "@_" is used in the popup window, even if it is filled into the form
  • Fixed a small bug when copying the password to the clipboard

The addons are available here (Firefox) and (Chrome). The server part can be downloaded from the project page.

C Macro stuff

Saturday, 22 August 2020
Written by
Grégory Soutadé

Let's play with some strange and fun C stuff related to the macro implementation of the GCC compiler.

In the following code, we will work on this kind of structure, which is a basic implementation of a matrix:

typedef struct {
  int width;
  int height;
  double* data;
} matrix;

In a standard algorithm implementation, we would use malloc() at least for the .data field. But in the embedded world, it's preferable to use static allocations (if we use "static" matrices with known parameters).

Use an array as a C macro parameter

First trap of our compiler. We want to statically initialize an array like this:

#define STATIC_ARRAY(_name, _values) double _name[] = _values

STATIC_ARRAY(myArray, {0.0, 0.1, 0.2});

Compilation returns this error :

b.c:5:38: error: macro "STATIC_ARRAY" passed 4 arguments, but takes just 2
STATIC_ARRAY(myArray, {0.0, 0.1, 0.2});

The second argument is not considered as an array, but as a list of arguments: the preprocessor splits macro arguments on every comma that is not protected by parentheses, and braces do not protect anything, so {0.0, 0.1, 0.2} counts as three arguments. My question is WHY??? This seems nonsense, as the goal of macros is to copy-paste without interpretation.

The solution I found is to use a variadic macro parameter. This only works for one array value.

#define STATIC_ARRAY(_name, ...) double _name[] = __VA_ARGS__

STATIC_ARRAY(myArray, {0.0, 0.1, 0.2});

In-flight shadow array

Another problem comes if I write a more complex macro to initialize my structure. Basically, we may do something like this:

#define STATIC_MATRIX(_name, _width, _height, ...)          \
  static matrix _name = {.width = _width, .height=_height, .data=__VA_ARGS__}

STATIC_MATRIX(myMat, 2,2, {0.0, 0.1, 0.2, 0.3});

Which gives a wonderful error:

b.c:13:1: warning: braces around scalar initializer
STATIC_MATRIX(myMat, 2,2, {0.0, 0.1, 0.2, 0.3});
b.c:13:1: note: (near initialization for ‘’)
b.c:13:28: error: incompatible types when initializing type ‘double *’ using type ‘double’
STATIC_MATRIX(myMat, 2,2, {0.0, 0.1, 0.2, 0.3});

The correct way to initialize our structure is to declare an array and assign it to the .data field. We can embed this declaration in the macro definition:

#define CONCAT_DIRECT(s1, s2) s1##s2
#define CONCAT(s1, s2) CONCAT_DIRECT(s1, s2)

#define STATIC_MATRIX(_mat, _w, _h, ...)            \
static double CONCAT(sarr_,__LINE__)[]=__VA_ARGS__;static matrix _mat={.width=_w,.height=_h,.data=CONCAT(sarr_,__LINE__)}

STATIC_MATRIX(myMat, 2,2, {0.0, 0.1, 0.2, 0.3});

This is a bit long, but it works! The macro creates two static objects, one named by the user and one whose name is unique thanks to the line number concatenation. Note that we cannot split it over two lines, because of the line number in the name.

We can modify this macro (or create a new one) by removing the static attributes. In this case, be careful if you define it in a header and use it in two separate files on the same line: the generated array names would be identical and collide at link time. It could be interesting to use static objects or not depending on how the variables are used.

Another improvement would be to create a const array if the data is never updated. The compiler can then use the same memory space for multiple matrix arrays with the same values.

Last but not least: here, the created array has a length that depends on the number of values in the parameter. We can fix its size with:

static double CONCAT(sarr_,__LINE__)[_w*_h]
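As an added example (my code, not from the article), here is the macro in its final form with the fixed-size backing array, used by two plain C functions; the matrix names identity2, ramp and product and the helpers matrix_get and matrix_mul are mine.

```c
#include <stdio.h>

typedef struct {
  int width;
  int height;
  double* data;
} matrix;

/* Two-level paste so __LINE__ is expanded before ## is applied. */
#define CONCAT_DIRECT(s1, s2) s1##s2
#define CONCAT(s1, s2) CONCAT_DIRECT(s1, s2)

/* Same construction as the article, with the backing array sized from _w*_h:
 * an initializer with more values is a compile error, one with fewer values
 * is zero-padded. Both __LINE__ uses expand in the same invocation. */
#define STATIC_MATRIX(_mat, _w, _h, ...)                                  \
  static double CONCAT(sarr_, __LINE__)[(_w) * (_h)] = __VA_ARGS__;       \
  static matrix _mat = {.width = (_w), .height = (_h), .data = CONCAT(sarr_, __LINE__)}

STATIC_MATRIX(identity2, 2, 2, {1.0, 0.0, 0.0, 1.0});
STATIC_MATRIX(ramp, 3, 2, {0.0, 0.1, 0.2, 0.3, 0.4, 0.5}); /* 2 rows x 3 columns */
STATIC_MATRIX(product, 3, 2, {0});                         /* zero-filled output */

/* Row-major element access: row r, column c. */
double matrix_get(const matrix* m, int r, int c) {
  return m->data[r * m->width + c];
}

/* out = a * b. Returns 1 on success, 0 if the dimensions do not agree. */
int matrix_mul(const matrix* a, const matrix* b, matrix* out) {
  if (a->width != b->height || out->height != a->height || out->width != b->width)
    return 0;
  for (int r = 0; r < out->height; r++)
    for (int c = 0; c < out->width; c++) {
      double s = 0.0;
      for (int k = 0; k < a->width; k++)
        s += matrix_get(a, r, k) * matrix_get(b, k, c);
      out->data[r * out->width + c] = s;
    }
  return 1;
}

int main(void) {
  if (!matrix_mul(&identity2, &ramp, &product))
    return 1;
  for (int r = 0; r < product.height; r++) {
    for (int c = 0; c < product.width; c++)
      printf("%.1f ", matrix_get(&product, r, c));
    printf("\n");
  }
  return 0;
}
```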

Install Debian on SolidRun Clearfog board

Monday, 15 June 2020
Written by
Grégory Soutadé

ClearFog base board

For a project, I need to run Java on an ARMv7 core. I could have used my Cubox server, but it doesn't have enough memory to run web services and Java in parallel. Fortunately, I could find a SolidRun ClearFog Base board. This board is mainly network focused and only has an old dual-core Cortex-A9 with 1GB of memory, which is quickly exhausted by today's web applications, but it should be okay with a single one (I hope).

SolidRun provides documentation and ready-to-use OS images (Debian, FreeBSD, Yocto, OpenWRT), so getting the board started should take less than half an hour. Nevertheless, the documentation is split across multiple files, and there is no step-by-step guide. Moreover, the Debian images seem crafted (we can't read the main ext4 partition). After 2 hours of failures I started to go crazy! Here is my step-by-step tutorial.

The goal is to install Debian on an 8GB SD card.

1) Get an 8GB SD card and delete all its partitions with gparted (or fdisk).

2) Within gparted, create an ext4 partition that starts at 4MB with 8GB length.

3) Download the target Debian image from the SolidRun resources. Take the .tar.xz file, which is a compressed tar archive of the root filesystem.

4) Go to the SD card's main partition and extract the Debian image there (using sudo):

cd /media/soutade/UUID/
sudo tar -Jxvf ~/clearfog/sr-a38x-debian-buster-20200218.tar.xz

5) Update fstab with your new SD card UUID:

sudo emacs etc/fstab

6) Download U-Boot for the base-sdhc variant.

7) Burn it to the SD card at byte offset 512 (the first sector of the whole device, in the gap before the partition that starts at 4MB). We assume the SD card is /dev/sdb (check this before running the command):

sudo dd if=u-boot-clearfog-base-sdhc.kwb of=/dev/sdb seek=1 bs=512

8) Configure the ClearFog boot switches to start from the SD card (Off Off On On On).

9) Insert the SD card into the board and connect the serial line USB to your computer.

10) Power up the board and open a serial console:

sudo screen -L /dev/ttyUSB0 115200

11) Stop the U-Boot process by hitting a key.

12) Set up the kernel bootargs. Here we mount the root filesystem read/write at startup, although it should be remounted rw by fstab anyway. Only the root argument is mandatory:

setenv bootargs root=/dev/mmcblk0p1 rw
env save
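As an added example (not part of the original post nor SolidRun's tooling), the script below wraps steps 5 and 7 with the checks you want before writing to a device: it rewrites the root entry of the extracted fstab by UUID and refuses to dd U-Boot onto anything that is not an unmounted whole block device. It assumes the root filesystem is extracted under the directory given as first argument, a /dev/sdX style device name, and that blkid is available; the function names are mine.

```shell
#!/bin/sh
# Added helper for steps 5 and 7 (not from the original post or SolidRun).
# Assumptions: rootfs extracted under $1, the card is a whole device such as
# /dev/sdb (not a partition), and blkid is available to read the UUID.
set -u

# Step 5: rewrite the "/" entry of an fstab so it mounts by UUID.
# $1 = path to fstab, $2 = UUID of the card's ext4 partition.
set_fstab_root() {
    fstab=$1; uuid=$2
    tmp=$(mktemp) || return 1
    # Replace the device field of the line whose mount point is exactly "/"
    sed -E "s|^[^#[:space:]]+([[:space:]]+/[[:space:]])|UUID=$uuid\\1|" "$fstab" > "$tmp" \
        && cat "$tmp" > "$fstab"
    rc=$?; rm -f "$tmp"; return $rc
}

# Step 7: U-Boot belongs at byte offset 512 (sector 1) of the whole card, in
# the gap before the ext4 partition that starts at 4MB. The checks refuse
# anything that is not an unmounted whole block device.
write_uboot() {
    img=$1; dev=$2
    [ -f "$img" ] || { echo "missing U-Boot image: $img" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    case $dev in
        /dev/sd*[0-9]|*p[0-9]) echo "$dev is a partition, use the whole card" >&2; return 1;;
    esac
    if grep -qs "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted" >&2; return 1
    fi
    dd if="$img" of="$dev" bs=512 seek=1 conv=fsync
}

# Usage: clearfog-sd.sh <rootfs mount dir> <card device> <u-boot .kwb>
if [ $# -eq 3 ]; then
    uuid=$(blkid -s UUID -o value "${2}1") || exit 1   # first partition, /dev/sdX naming
    set_fstab_root "$1/etc/fstab" "$uuid" && write_uboot "$3" "$2"
fi
```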

The board should now boot a fresh Debian! I suggest connecting over SSH, which is more comfortable than the serial console. Login/password is debian:debian.

Have fun !

Gnome Shell Generic Monitor v2

Wednesday, 13 May 2020
Written by
Grégory Soutadé

Gnome Shell Generic Monitor screenshot

Version 2 of my Generic Monitor extension for Gnome Shell has just been approved! Releasing a second version quickly was deliberate: the idea was to follow the RERO model (Release Early, Release Often). v1 laid down the basic functionality, while v2 brings (almost) everything that was missing. The goal is also to keep the code simple and small. The main changes are:

  • Added the "onActivate", "onDesactivate", "onClick", "onRightClick", "onDblClick" and "onRightDblClick" signals
  • Added the box property (left, center, right)
  • Reworked the examples to use a base class that handles the DBus part instead of doing everything by hand each time
  • Switched from GPLv2 to GPLv3

Widget management (on the extension side) moves from the main controller to the MonitorWidget class, since it already handles the box.

So this is a version with a lot of interactivity, and a main class in the examples that makes it very easy to build mini applications!