PF’s skip on interface directive

The OpenBSD packet filter (PF) received several enhancements in OpenBSD 3.7. One of the coolest things is the ability to tell PF not to filter traffic on specific interfaces, such as the loopback interface. This behavior is defined in the pf.conf configuration file with the “set skip on” statement:

set skip on lo0

Prior to the “set skip on” option you had to explicilty allow traffic to flow with the following pass statements:

pass in quick on lo0 all
pass out quick on lo0 all

This of course assumes a default policy of “block everything not explicilty allowed,” which all firewalls _SHOULD_ be using.

Fix for Solaris SSH client hangs

One of my colleagues came to me with an ssh problem a few weeks back, and I thought I would share my findings here. The issue centered around ssh hanging when you tried to invoke a command on a remote server, similar to this:

$ ssh host “ls -la”

When I added the “-vv” (verbose output) option to ssh to root cause the problem, I got the following information:

debug1: authentications that can continue: publickey,password
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: key does not exist: //.ssh/id_rsa
debug1: try pubkey: //.ssh/id_dsa
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug3: sign_and_send_pubkey
debug1: sig size 20 20
debug2: we sent a publickey packet, wait for reply
debug1: Remote: Forced command: /usr/local/bin/yikes
debug1: ssh-userauth2 successfull: method publickey
debug1: fd 6 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: fd 8 IS O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug2: channel 0: rcvd adjust 32768
debug1: channel 0: read< =0 rfd 6 len 0
debug1: channel 0: read failed
debug1: channel 0: input open->drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain->closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open->drain
debug1: channel 0: obuf empty
debug1: channel 0: output drain->closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel: 0 rcvd request for exit-status
debug1: cb_fn 267a4 cb_event 91
debug1: channel 0: rcvd close
debug1: channel 0: full closed2
debug1: channel_free: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)

Upon examining the output, I started to wonder why the message “The following conenctions are open” was displayed. Upon examing the OpenSSH source code, it looks like the ssh client examines the active sessions prior to exiting, and displays this message if the session doesn’t exit cleanly (this is grossly oversimplified, and I will refer you to channel.c and clientloop.c. if you are interested in the gory details).

I took my knowledge from the code and started searching the OpenSSH archives for issues related to commands hanging. I immediately found a thread describing an SSH command hang problem, and saw that Darren Tucker had posted a patch to address the issue. Since we were using the SSH client provided by Sun, I wanted to see if this patch had been integrated into the Sun SSH client. To get the current patch revision of the SSH client, I used the Solaris what(1) command:

$ what /usr/bin/ssh

/usr/bin/ssh:
        $OpenBSD: ssh.c, v 1.69 2000/10/27 07:32:19 markus Exp $
        $OpenBSD: sshconnect.c, v 1.79 2000/09/17 15:52:51 markus Exp $
        $OpenBSD: sshconnect1.c, v 1.8 2000/10/12 09:59:19 markus Exp $
        $OpenBSD: sshconnect2.c, v 1.27 2000/10/19 16:45:16 provos Exp $
        $OpenBSD: clientloop.c,v 1.39 2000/10/27 07:48:22 markus Exp $
        $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
        $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
        $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
        $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
        $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
        $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
        $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
        $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
        $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
        $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
        $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
        $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
        $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
        $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $
        $OpenBSD: mac.c,v 1.1 2001/02/11 12:59:24 markus Exp $
        $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
        $OpenBSD: util.c, v 1.6 2000/10/27 07:32:19 markus Exp $
        $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
        $OpenBSD: nchan.c, v 1.19 2000/09/07 20:27:52 deraadt Exp $
        $OpenBSD: packet.c, v 1.38 2000/10/12 14:21:12 markus Exp $
        $OpenBSD: readpass.c, v 1.12 2000/10/11 20:14:39 markus Exp $
        $OpenBSD: readconf.c, v 1.49 2000/10/11 20:27:23 markus Exp $
        $OpenBSD: rsa.c, v 1.16 2000/09/07 20:27:53 deraadt Exp $
        $OpenBSD: tildexpand.c, v 1.8 2000/09/07 20:27:55 deraadt Exp $
        $OpenBSD: ttymodes.c, v 1.8 2000/09/07 20:27:55 deraadt Exp $
        $OpenBSD: uidswap.c, v 1.9 2000/09/07 20:27:55 deraadt Exp $
        $OpenBSD: uuencode.c, v 1.7 2000/09/07 20:27:55 deraadt Exp $
        $OpenBSD: xmalloc.c, v 1.8 2000/09/07 20:27:55 deraadt Exp $
        $OpenBSD: canohost.c,v 1.26 2001/04/18 14:15:00 markus Exp $
        $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
        $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
        $OpenBSD: ssh-dss.c, v 1.2 2000/12/19 23:17:58 markus Exp $
        $OpenBSD: ssh-rsa.c, v 1.4 2001/01/16 19:20:06 markus Exp $
        SunOS 5.9 Generic 114356-01 Jan 2003

When I searched the sunsolve patch database for patch identifier 114356, I immediately saw the following information:

4763864 Non-interactive ssh can hang after remote command has exited

This matched the issue we were experiencing! I immediately applied the patch, and everything started working! I love debugging issues like this, and hope Sun incorporates this into the Recommended patch cluster in the future!!!

Using automator to convert text to audio

While reading the latest tips on Mac OS X hints, I came across a cool tip on using Tiger’s automator to convert text documents to audio. I am trying to read through RFC 2616, and thought this would be a perfect document to listen to while walking to class. Once you open automator, you need to drag the TextEdit “Get Contents of TextEdit Document to the workspace, and open the document you want to transform. Once this occurs, you can use the “Text to Audio File” option to convert the text file to an AIFF file. This gives you several voice options, and I would highly recommend against using the robot and hysterical voices. :) Once the AIFF file is created, you can use “Import Audio File” to compress (you can choose between AAC and MP3 file types) the file and import it into iTunes. I am not real thrilled with the voice selections, but the conversion process seems to work flawlessly!

Filtering attachments with procmail

I have been performing some basic statistical analysis on the spam and viruses I receive, and it seems like more and more Email comes littered with silly attachments. While I really appreciate people sending me executables, help files, compressed archives, VB script and screen savers, I should alert you now that these messages go directly to the bit bucket ( /dev/null ). This is accomplished with the following procmail filter:

:0 B
* $"filename=.*(zip|pif|exe|scr|com|vbs|bat|hlp)"
/dev/null

This checks the message body for a MIME header with the filename type, and attempts to match the value against a variety of extensions. If it finds a match, the file is written to /dev/null. This is one of my favorite procmail recipes!

Contract law

It is amazing how many processes and transactions are governed by contract law. Real estate sales contracts, credit card applications, bills of sale, apartment leases, land contracts, mortgages (or deeds to secured debt if you live in Georgia), and deeds are all governed by contract law, which is quite complicated. While reviewing a sales contract this weekend, I started to wonder what makes a contract valid. According to my real estate text book, the following items need to exist for a contract to be enforcable in a court of law:

1. An agreement needs to be made between parties.

2. Something of “consideration” needs to be at the heart of the contract.

3. Parties to the contract need to be “competent.”

4. There needs to be reality of consent.

5. There needs to be legality of purpose.

6. Necessity of writing is required in most circumstances.

All of this sounds complex, but is actually relatively straight forward. An agreement consists of an offer and acceptance. Something of consideration would be a house, a boat, a yaht, an island off the coast of Costa Rica, or a large wad of cash. Competent parties are parties not under the influence of drugs or alcohol. Reality of consent ensures that a contract is free of mistakes, misrepresentations, fraud, undue influence, and duress. The consent of all parties must also be real and intentional. Legality of purpose ensures that contracts involve legal promises, actions, and objections. A contract containing illegal acts or objects would violate this condition. For a detailed explanation of contract law (including stuff I missed), you can head over to No Law.

Generating random numbers

Randomness is a key element in cryptography (seeds and shared secrets), TCP (ISNs), and can be useful when simulating client access patterns in test scripts. If an OS supports the /dev/random pseudo-device, the dd, od, and awk utiltiies can be used to generate random values:

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk ‘NR==1 {print $2}’
007

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk ‘NR==1 {print $2$3}’
035170

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk ‘NR==1 {print $2$3$4}’
018183199

This will pipe a string of entropy to od, which will use od’s type field to generate an unsigned random integer, which will then be piped into awk to print the second value in the string. You can also use openssl to generate entropy on a system:

$ openssl rand -base64 1 | od -t u1 | awk ‘NR==1 {print $2}’
51

$ openssl rand -base64 1 | od -t u1 | awk ‘NR==1 {print $2}’
120

I am sure there are more efficient ways to do this, and would love to get feedback. :)