More Zonkyness

Blog

  • Don’t Break SSH: Remove Insecure Crypto Gracefully

    I had the pleasure of upgrading a server today which involved fixing a number of little niggles; one of which was that connecting to switches suddenly stopped working :-

    ✗ msm@${server}» ssh admin@${someswitch}
Unable to negotiate with ${ip} port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

    This was relatively easily fixed :-

    ✗ msm@${server}» ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@${someswitch}
Password:

    Of course doing this command-by-command is a little tedious, so a more permanent solution is to re-enable all the supported key exchange algorithms. The relevant algorithms can be listed with ssh -Q kex, and they can be listed in the server-wide client configuration in /etc/ssh/ssh_config :-

    Host *
    KexAlgorithms ${comma-separated-list}

    But Why?

    According the OpenSSH developers, the latest version of ssh are refusing to use certain key exchange algorithms (and other cryptographic ‘functions’).

    Their intention is perfectly reasonable – by default the software refuses to use known weak crypto. I’m fully behind the idea of discouraging the use of weak crypto.

    But the effect of disabling weak crypto in the client is unfortunate – all of a sudden people are unable to connect to certain devices. The developers suggest that the best way of fixing the problem is to upgrade the server so that it supports strong cryptography.

    I fully agree, but there are problems with that :-

    1. Some of the devices may very well be unsupported with no means to upgrade the ssh dæmon. Now in an ideal world, these devices wouldn’t be on the network, but in the real world there are such devices on the network.
    2. Some devices may not be capable of being upgraded because of processor or memory limitations. Network switches are notorious for having slow processors and tiny amounts of memory, and it is entirely possible that such a device would not be capable of running more exotic and modern crypto. Similarly lights out management processors are often severely limited.
    3. Even if a device is capable of being upgraded, there are the standard problems – the vendor may be slow at releasing updates, change control gets in the way, and lastly resourcing may be an issue – upgrading several hundred switches manually with just one or two people doing it is not going to be a quick job.

    Lastly, whilst security is important, breaking things just to make a point is a little extreme. Whilst it is possible to fix the problem, it is something that isn’t immediately obvious to someone who doesn’t routinely configure ssh. And someone, somewhere has had this breakage occur just before they really need to fiddle with a switch Right Now.

    There is a far better option available – leave the weak crypto enabled, but warn noisily about its use :-

    WARNING!!!!! (2 second delay)
WARNING!!!!! (2 second delay)

The device you are connecting to only supports known weak crypto which means this connection
is subject to interception by an attacker.

You should look at upgrading the device as soon as possible.

    Telling people what is wrong noisily and continuing to work is far better than simply breaking with a rather terse message.

    Foggy Reflection

     

  • USA: Home of the Pædophile, Land of the Sex Slave

    In the USA, a considerable number of states (30 counting 16 years as “adult”) allow the marriage of underage children under certain constraints. And these marriages do happen; whilst proportionally they are a tiny minority, to those victims it is nothing less than state-sanctioned child sex abuse.

    In terms of numbers, Unchained at Last (via Wikipedia) found that between 2000-2010 there were 167,000 children in marriages; 13% were boys (I mention boys because most articles start with the girls). But weren’t they all children marrying each other? Only in 14% of cases.

    The USA government condones and supports child sex abuse.

    The overwhelming majority of not just the rest of the world, but even third-world countries are better on the marriage loophole allowing child sex abuse. Trump: For the victims of those marriages, USA is the “shit-hole”.

    The Bench

  • How Inhumane Is Hanging?

    Now don’t get me wrong – I think all forms of execution are inhumane, but I have just seen a US progressive video which made it plain that hanging is supposedly more inhumane than current US forms of execution. I would mention them by name, but I’ve heard this from other places too.

    A properly carried out (variable drop) hanging should be relatively humane – it should be fast (less than 15s from being removed from the cell to the end), and causes immediate paralysis and unconsciousness before death.

    An interesting story from Pierrepoint (Britain’s last executioner) about the execution of Nazi war-criminals was that the US executions were carried out by volunteers rather than qualified executioners, and the volunteers refused to listen to Pierrepoint’s advice. Many of the US hangings were botched causing either decapitation (which probably isn’t especially inhumane, but would be rather messy) or slow strangulation over 20 minutes.

    Perhaps it is this that has led to the belief that hanging is more inhumane than other US forms of execution.

    Misty Trees

  • Is Islam A Religion Of Peace?

    The phrase “Islam is a religion of peace” gets bandied about a great deal these days – either by those saying that it is a religion of peace and islamic terrorists are an aberration, or by those who question whether islam is a religion of peace at all.

    To be honest though, the phrase is irrelevant. You can have the most peaceable religion in existence and yet fundamentalist followers of that religion will resort to violence, and yes you can have a religion that calls for the torture to death of all non-followers, yet if the followers of that religion are peaceable nobody is at risk.

    Questioning the religion as a whole is all very well (and as someone who would prefer that all religions disappear in a puff of logic, usually to be encouraged), but it does tend to encourage the kind of idiot who normally goes in for racism into attacking all muslims (and often sikhs as well) because of the sins of a few.

    Muslims are just people; people with the disadvantage that they have been indoctrinated into a faith – not much different to christians, sikhs, hindus, jews, or zorastrians (and if I’ve left out your religion, yes I mean you too). Some are good people; some are bad.

    But in the words of Steven Weinberg: “but for good people to do evil—that takes religion”.

    But truisms like that are overly simplistic; religious terrorists are people who are convinced that they are good – probably better than their coreligionists – and who want to enforce their beliefs and standards of behaviour on others. And are prepared to do so in ways that most of us would call psychotic.

    These people – the religious terrorists – are in all likelihood only a tiny minority of all muslims (or christians, …), and in a surprising number of cases are not especially well educated in their religion. In fact many of them are petty crooks, with a burning desire to be more significant than they deserve.

    In the end, debating whether islam really is a religion of peace or not is pretty much a waste of time because it is irrelevant – even the religions with the most peaceful reputations have terrorists (major religions only).

    Old Metal 3

  • An Awesome Window Manager ECC Widget

    This is a continuation of an earlier post regarding ECC memory under Linux, and is how I added a little widget to display the current ECC memory status. Because I don’t really know lua, most of the work is carried out with a shell script that is run via cron on a frequent basis.

    The shell script simply runs edac-util to obtain the number of correctable errors and uncorrectable errors, and formats the numbers in a way suitable for setting the text of a widget :-

    #!/bin/zsh
#
# Use edac-util to report some numbers to display ...

correctables=$(edac-util --report=ce | awk '{print $NF}')
uncorrectables=$(edac-util --report=ue | awk '{print $NF}')

c="chartreuse"
if [[ "$correctables" != "0" ]]
then 
  c="orange"
fi
if [[ "$uncorrectables" != "0" ]]
then
  c="red"
fi

echo "ECC: $correctables/$uncorrectables "

    This is run with a crontab entry :-

    */7 * * * * /site/scripts/gen-ecc-wtext > /home/mike/lib/awesome/widget-texts/ecc-status

    Once the file is being generated, the Awesome configuration can take effect :-

    -- The following function does what it says and is used in a number of dumb widgets
-- to gather strings from shell scripts
function readfiletostring (filename)
  file = io.open(filename, "r")
  io.input(file)
  s = io.read()
  io.close(file)
  return s
end

eccstatus = wibox.widget.textbox()
eccstatus:set_markup(readfiletostring(homedir .. "/lib/awesome/widget-texts/ecc-status"))
eccstatustimer = timer({ timeout = 60 })
eccstatustimer:connect_signal("timeout",
  function()
      eccstatus:set_markup(readfiletostring(homedir .. "/lib/awesome/widget-texts/ecc-status"))
  end
)
eccstatustimer:start()
...
layout = wibox.layout.fixed.horizontal, ... eccstatus, ...

    There plenty of ways this could be improved – there’s nothing really that requires a separate shell script, but this works which is good enough for now.