[gentoo-user] Coming up with a password that is very strong.

2019-02-03 Thread Dale
Howdy,

Some may recall me mentioning using LastPass to manage my passwords.
Obviously, it can generate very strong passwords that are different for
each site.  It can also remember them as well, which makes things more
secure than using just a few passwords for all sites.  One for things
like financial sites, maybe a less secure one for some site you still
want reasonably secure and an even weaker one for sites you don't care
about hacking, and hackers likely won't either.  I know some people who
do this even today.  Heck, ages ago, I was one of them.  Things change
though.  Some passwords can be hacked in seconds by a desktop computer,
including my own if I had the software and knowledge to do it.

The one thing about most all password managers, they have a master
password.  That one password unlocks the rest.  Trick is, having that
one be a good one that is easy to remember, type on a keyboard and be
secure, virtually unhackable but also unforgettable.  I've had what used
to be a strong password for a while.  Thing is, with today's computing
power, it really isn't anymore.  While no one could just guess it, it
could be cracked/hacked I'm sure.  I need to come up with a new one that
meets the requirements I just mentioned.  Strong, easy to remember, easy
to type but won't forget.  I've read that using maiden names, years of
birth or whole dates of birth, actual names, pet's name, words in a
dictionary and a whole list of other things makes it easier, especially
if you post a lot on social media, for hackers to use against you.  I'm
trying to avoid that sort of thing obviously and have a couple ideas but
am curious as to what method others use, without exposing too much detail
since this is public.

How do you, especially those who admin systems that are always being
hacked at, generate strong passwords that meet the above?  I've googled
and found some ideas but if I use the same method, well, how many others
are using that same method, if you know what I mean.  ;-)  Just looking
for ideas. 

Thanks much.

Dale

:-)  :-) 

P. S.  I haven't had time to deal with the video thing in previous
thread.  It's on my todo list still.  :-( 
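One answer to the question above, as an added example that is not Dale's method nor anyone else's from this thread: a diceware-style passphrase generator in POSIX sh. It demonstrates the point that matters for a master password: the method can be public, because the strength is simply (number of words) x log2(size of the word list) bits, and that only holds if every word is drawn uniformly at random, hence the rejection sampling instead of a bare modulo. The WORDLIST layout (one word per line), the 7776-word size of the EFF long list and the 16-word demo list are this example's own assumptions; the demo list is constructed and far too small for real use.

```shell
#!/bin/sh
# Added example, not Dale's method or anyone's from the thread: a
# diceware-style passphrase generator. Security comes from picking each
# word uniformly at random from a large list, so the method can be public
# (everyone using it costs nothing); the master password stays memorable
# because it is words, not symbol soup.
#
# Assumption: the list is a file with one word per line, e.g. the EFF long
# list (7776 words). The 16-word list built in the demo below is only so
# the script runs stand-alone; it is far too small for real use.
set -eu

# Uniform random integer in [0, n). Four bytes from /dev/urandom give a
# 32-bit value; values at or above the largest multiple of n are rejected
# and redrawn, otherwise "r % n" would favour small results (modulo bias).
rand_below() {
    n=$1
    limit=$(( (4294967296 / n) * n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Passphrase of $1 words drawn from the list in $2, space separated.
passphrase() {
    count=$1
    list=$2
    size=$(wc -l < "$list" | tr -d ' ')
    out=""
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(( $(rand_below "$size") + 1 ))   # sed line numbers are 1-based
        word=$(sed -n "${idx}p" "$list")
        out="${out}${out:+ }${word}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Entropy in bits of a passphrase of $1 words from a list of $2 words:
# count * log2(size). This is the number that governs offline cracking;
# it holds because each pick is uniform and independent of the others.
passphrase_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Demo with a constructed, deliberately tiny list (NOT for real use).
demo_list=$(mktemp)
printf '%s\n' apple brick cloud dance eagle fable giant honey \
              ivory jelly kayak lemon mango noble olive piano > "$demo_list"
echo "passphrase from the demo list: $(passphrase 6 "$demo_list")"
echo "6 words from 16 words:   $(passphrase_bits 6 16) bits (toy list, trivially crackable)"
echo "6 words from 7776 words: $(passphrase_bits 6 7776) bits (EFF long list)"
rm -f "$demo_list"
```

Six words from the 7776-word list come out at about 77.5 bits, which is out of reach of offline guessing even with a fast hash, and six words from the toy list at only 24 bits, which is why the list size, not the cleverness of the scheme, is what to care about. Note that the KDF a password manager runs over the master password slows each guess down but adds no entropy; the entropy has to come from the random picks.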



Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Michael Orlitzky

On 2/3/19 12:39 PM, Grant Taylor wrote:
> On 2/3/19 6:26 AM, Michael Orlitzky wrote:
>> You can add commands to your existing network configuration that will be
>> run when an interface comes up. For example, in /etc/conf.d/net,
>>
>>     ifup_wlan0="iwconfig \$int key s:secretkey enc open essid foobar"
>
> Ya...  I find that to be an absolute kludge.  Does it work?  Yes.  Is
> it clean?  Probably not.  Is it graceful?  Absolutely not.
>
> Think about how it's possible to configure bridging / bonding / VLANs
> via various parameters and having netifrc construct the commands that
> are run in the background.

Ultimately netifrc is just a shell script that parses another shell
script to construct a third shell script. I don't think doing it with
only two shell scripts is that much less elegant =)

You could go all the way and write your own OpenRC service as
/etc/init.d/whatever. You can make it depend on the network being up,
and then just write everything that you want it to do into the start
function with the corresponding "undo" steps in the stop function.

If the series of commands is long and complicated and if you sometimes
want to do/undo this subset of the configuration independently, then
that's how I'd do it.
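Michael's suggestion carried through, as an added example that is neither netifrc nor code from anyone in the thread: an OpenRC service whose start() runs the series of ip commands that builds a set of "router" network namespaces, each with a veth uplink back into the main namespace (the shape Grant describes elsewhere in the thread, minus the OvS backbone), and whose stop() undoes them in reverse order. The namespace and interface names, the 10.9.N.0/24 address plan and the NSR_* knobs are this example's own assumptions; override them from /etc/conf.d/nsrouters.

```shell
# /etc/init.d/nsrouters -- an OpenRC service; its first line on disk must be
# the usual "#!/sbin/openrc-run" shebang. Added example, not netifrc and not
# code from anyone in the thread. start() builds NSR_COUNT "router" network
# namespaces, each with a veth uplink whose host end stays in the main
# namespace; stop() undoes it in reverse. Names, the 10.9.N.0/24 address
# plan and the NSR_* knobs (override them in /etc/conf.d/nsrouters) are this
# example's own assumptions.

description="Network-namespace routers with veth uplinks into the main namespace"

: "${NSR_COUNT:=9}"      # number of routers
: "${NSR_PREFIX:=rtr}"   # namespaces rtr1 .. rtrN, host-side interfaces uplink1 .. uplinkN
: "${NSR_NET:=10.9}"     # router N: 10.9.N.1/24 inside, 10.9.N.254/24 on the host end
: "${NSR_DRY_RUN:=}"     # non-empty: print the ip commands instead of running them

depend() {
    need net
}

# Every change goes through nsr_run, so a dry run shows the exact command
# list and a real run stops at the first failure instead of leaving a
# half-configured router behind.
nsr_run() {
    if [ -n "$NSR_DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bring up router $1: namespace, loopback, veth pair, addresses, default
# route back to the host, IPv4 forwarding enabled inside the namespace.
nsr_up() {
    n=$1
    ns="${NSR_PREFIX}${n}"
    nsr_run ip netns add "$ns" &&
    nsr_run ip -n "$ns" link set lo up &&
    nsr_run ip link add "uplink${n}" type veth peer name "${ns}.eth0" &&
    nsr_run ip link set "${ns}.eth0" netns "$ns" &&
    nsr_run ip -n "$ns" link set "${ns}.eth0" name eth0 &&
    nsr_run ip -n "$ns" addr add "${NSR_NET}.${n}.1/24" dev eth0 &&
    nsr_run ip -n "$ns" link set eth0 up &&
    nsr_run ip -n "$ns" route add default via "${NSR_NET}.${n}.254" &&
    nsr_run ip netns exec "$ns" sysctl -q -w net.ipv4.ip_forward=1 &&
    nsr_run ip addr add "${NSR_NET}.${n}.254/24" dev "uplink${n}" &&
    nsr_run ip link set "uplink${n}" up
}

# Tear down router $1. Deleting the namespace removes its veth end, which
# takes the host end with it, but delete the host end explicitly too so a
# router that failed half-way through nsr_up is still cleaned up.
nsr_down() {
    n=$1
    ns="${NSR_PREFIX}${n}"
    nsr_run ip link del "uplink${n}" 2>/dev/null || true
    nsr_run ip netns del "$ns" 2>/dev/null || true
}

start() {
    i=1
    while [ "$i" -le "$NSR_COUNT" ]; do
        if ! nsr_up "$i"; then
            echo "nsrouters: router $i failed, rolling back" >&2
            stop
            return 1
        fi
        i=$(( i + 1 ))
    done
}

stop() {
    r=$NSR_COUNT
    while [ "$r" -ge 1 ]; do
        nsr_down "$r"
        r=$(( r - 1 ))
    done
}
```

Put NSR_DRY_RUN=1 in /etc/conf.d/nsrouters and run `rc-service nsrouters start` to see the full command list before letting it touch the kernel; then `rc-update add nsrouters default`. A daemon per router (BIRD, sshd, whatever) would go in the same start()/stop() pair, launched with `ip netns exec "$ns" ...`, and the OvS backbone would be one more `ovs-vsctl add-port ... -- set interface ... type=internal` plus `ip link set ... netns "$ns"` per router in nsr_up, with the matching `ovs-vsctl del-port` in nsr_down.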




Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Grant Taylor

On 2/3/19 6:26 AM, Michael Orlitzky wrote:
> You can add commands to your existing network configuration that will be
> run when an interface comes up. For example, in /etc/conf.d/net,
>
>     ifup_wlan0="iwconfig \$int key s:secretkey enc open essid foobar"

Ya...  I find that to be an absolute kludge.  Does it work?  Yes.  Is
it clean?  Probably not.  Is it graceful?  Absolutely not.

Think about how it's possible to configure bridging / bonding / VLANs
via various parameters and having netifrc construct the commands that
are run in the background.

I'd love to see something that assumes the commands run in the main /
default / unnamed network namespace / VRF unless otherwise specified.

I'd love to be able to add a parameter to a configuration file that
tells sshd to run in a specific VRF like Alarig was wanting to do.
Heck, I'd like to see init scripts gracefully deal with the fact that
there should be multiple instances of a daemon running, even if they are
simply on different ports, much less different VRFs or namespaces.




Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Grant Taylor

On 2/3/19 1:50 AM, Alarig Le Lay wrote:
> For the VRF part, Gentoo supports it; it’s in the upstream kernel
> sources.

Yep.  I've been doing Network Namespaces, and VRF to a lesser degree,
for quite a while now.  It's just all been manual or ad hoc scripts.

> I only tried it once, but failed because my sshd should have been launched
> in my VRF and I didn’t quickly find a way to do it.

Yep.

That's the type of integration that I've found lacking.

I'm only currently asking about how to configure the various network
components, not even how to run processes inside of the various systems.

> But otherwise, it worked.

It absolutely manually works.  I'm looking for the thing(s) to allow the
Gentoo OS init scripts to take over some of the management.  That's what
I'm finding lacking.  I asked my question because I was hoping that
someone would know about something I didn't.  ;-)




Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Grant Taylor

On 2/2/19 11:09 PM, Bill Kenworthy wrote:
> I am unclear on what you are trying to do.

See my reply to Rich's message for a description.

> I find the gentoo scripts good for the simple case but a complex case
> almost always needs extra help.

Yep.

I was hoping that there was something that I was unaware of or could
extend to do what I want to do.

> If it's networking, could something like shorewall help?

No, I don't think that Shorewall or a similar firewall config management
system will help.

I also find those systems annoying.  Sure, they have their benefits.
But why do I need them when I should be able to do the same thing on a
stock Gentoo (or other) Linux system?  After all they are using the same
kernel.  (Maybe a different version or config thereof.)

I will occasionally look at those solutions and treat them like themed
Lego sets.  I build them, look at them, analyze them, and pull out the
distinct Lego bricks that I want to use in my own system.  }:-)




Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Grant Taylor

On 2/3/19 5:37 AM, Rich Freeman wrote:
> Nothing wrong with that approach.  I use systemd-nspawn to run a bunch
> of containers, hosted in Gentoo, and many of which run Gentoo.  However,
> these all run systemd and I don't believe you can run nspawn without a
> systemd host (the guest/container can be anything).  These are containers
> running full distros with systemd in my case, not just single-process
> containers, in my case.  However, nspawn does support single-process
> containers, and that includes with veth, but nspawn WON'T initialize
> networking in those containers (ie DHCP/etc), leaving this up to the guest
> (it does provide a config file for systemd-networkd inside the guest if
> it is in use to autoconfigure DHCP).

ACK

That makes me think that systemd-nspawn is less of a fit for what I'm
wanting to do.

> I'm not exactly certain what you're trying to accomplish, but namespaces
> are just a kernel system call when it comes down to it (two of them I
> think offhand).  Two util-linux programs provide direct access to them
> for shell scripts: unshare and nsenter.  If you're just trying to run a
> process in a separate namespace so that it can use veth/etc then you could
> probably initialize that in a script run from unshare.  If you don't need
> more isolation you could run it right from the host filesystem without
> a separate mount or process namespace.  Or you could create a new mount
> namespace but only modify specific parts of it like /var/lib or whatever.

That's quite close to what I'm doing.  I'm actually using unshare to
create a mount / network / UTS namespace (set) and then running some
commands in them.

The namespaces are functioning as routers.  I have an OvS switch
connected to the main / default (unnamed) namespace and nine (internal)
OvS ports, each one in a different namespace.  Thus forming a backbone
between the ten network namespaces.

Each of the nine network namespaces then has a veth pair that connects
back to the main network namespace as an L2 interface that VirtualBox
(et al) can glom onto as necessary.

This way I can easily have nine completely different networks that VMs
can use.  My main home network has a route to these networks via my
workstation.  (I'm actually using routing protocols to distribute this.)

So the main use of the network namespaces is as a basic IP router.
There doesn't /need/ to be any processes running in them.  I do run BIRD
in the network namespaces for simplicity reasons.  But that's more
ancillary.

I don't strictly need the mount namespaces for what I'm currently doing.
That's left over from when I was running Quagga and /needed/ to alter
some mounts to run multiple instances of Quagga on the same machine.

I do like the UTS namespace so that each "router" has a different host
name when I enter it.

Maybe this helps explain /what/ I'm doing.  As for /why/ I'm doing it,
well because reasons.  Maybe not even good reasons.  But I'm still doing
it.  ¯\_(ツ)_/¯  I'm happy to discuss this in a private thread if anyone
is really curious.

> People generally equate containers with docker but as you seem to get
> you can do a lot with namespaces without basically running completely
> independent distros.

Yep.  I feel like independent distros, plus heavier weight management
daemons on top are a LOT more than I want.

As stated, I don't really /need/ to run processes in the containers.  I
do because it's easy.  The only thing I /need/ is the separate IP stack
/ configuration.

> Now, I will point out that there are good reasons for keeping things
> separate - they may or may not apply to your application.  If you just
> want to run a single daemon on 14 different IPs and have each of those
> daemons see the same filesystem minus /var/lib and /etc that is something
> you could certainly do with namespaces and the only resource cost would
> be the storage of the extra /var/lib and /etc directories (they could
> even use the same shared libraries in RAM, and indeed the same process
> image itself I think).

Yep.

> The only gotcha is that I'm not sure how much of it is already done, so
> you may have to roll your own.  If you find generic solutions for running
> services in partially-isolated namespaces with network initialization
> taken care of for you I'd be very interested in hearing about it.

I think there are a LOT of solutions for creating and managing
containers.  (I'm using the term "container" loosely here.)  The thing
is that many of them are each their own heavy weight entity.  I have yet
to find any that integrate well with OS init scripts.

I feel like what I want to do can /almost/ be done with netifrc.  Or
that netifrc could be extended to do what (I think is) /little/
additional work to do it.

I don't know that network namespaces are strictly required.  I've been
using them for years.  That being said, the current incarnation of
Virtual Routing and Forwarding (VRF) provided by l3mdev seems to be very
promising.  I

Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Michael Orlitzky

On 2/2/19 10:56 PM, Grant Taylor wrote:
> On 2/2/19 7:36 PM, Bill Kenworthy wrote:
>> LXC containers ??
>
> Maybe.
>
> I just feel like that's more heavy weight than I want.
>
> I'm functionally running a series of ip commands to configure networking
> in a special way.

You can add commands to your existing network configuration that will be
run when an interface comes up. For example, in /etc/conf.d/net,

    ifup_wlan0="iwconfig \$int key s:secretkey enc open essid foobar"

(taken from the example file that ships with OpenRC).



Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Rich Freeman
On Sat, Feb 2, 2019 at 11:52 PM Grant Taylor
 wrote:
>
> On 2/2/19 9:39 PM, Michael Jones wrote:
> > systemd-nspawn is also an option, but I don't think that'll work with
> > OpenRC.
>
> Ya...  I moved (back to) Gentoo to get away from systemd.  I'm not
> going to voluntarily opt to use it, or any of its children.  That's
> /my/ opinion.  I know others' opinions differ.
>

Nothing wrong with that approach.  I use systemd-nspawn to run a bunch
of containers, hosted in Gentoo, and many of which run Gentoo.
However, these all run systemd and I don't believe you can run nspawn
without a systemd host (the guest/container can be anything).  These
are containers running full distros with systemd in my case, not just
single-process containers, in my case.  However, nspawn does support
single-process containers, and that includes with veth, but nspawn
WON'T initialize networking in those containers (ie DHCP/etc), leaving
this up to the guest (it does provide a config file for
systemd-networkd inside the guest if it is in use to autoconfigure
DHCP).

I'm not exactly certain what you're trying to accomplish, but
namespaces are just a kernel system call when it comes down to it (two
of them I think offhand).  Two util-linux programs provide direct
access to them for shell scripts: unshare and nsenter.  If you're just
trying to run a process in a separate namespace so that it can use
veth/etc then you could probably initialize that in a script run from
unshare.  If you don't need more isolation you could run it right from
the host filesystem without a separate mount or process namespace.  Or
you could create a new mount namespace but only modify specific parts
of it like /var/lib or whatever.

People generally equate containers with docker but as you seem to get
you can do a lot with namespaces without basically running completely
independent distros.  Now, I will point out that there are good
reasons for keeping things separate - they may or may not apply to
your application.  If you just want to run a single daemon on 14
different IPs and have each of those daemons see the same filesystem
minus /var/lib and /etc that is something you could certainly do with
namespaces and the only resource cost would be the storage of the
extra /var/lib and /etc directories (they could even use the same
shared libraries in RAM, and indeed the same process image itself I
think).

The only gotcha is that I'm not sure how much of it is already done,
so you may have to roll your own.  If you find generic solutions for
running services in partially-isolated namespaces with network
initialization taken care of for you I'd be very interested in hearing
about it.

-- 
Rich
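Rich's "initialize that in a script run from unshare" and "create a new mount namespace but only modify /var/lib", carried through as an added example that is not Rich's, Grant's or anyone else's code from the thread. It is also the namespace flavour of what Alarig wanted for sshd: one daemon started in its own network, UTS and mount namespaces, handed a veth uplink from the main namespace, seeing the host's filesystem except for a private /var/lib. The script name, the /var/lib/nsrun/NAME layout, the pid file path and the interface names are this example's own assumptions. The part worth seeing is the hand-off race: the host side must not move the veth peer into the child until the child has actually called unshare(2), or the peer lands in the main namespace.

```shell
#!/bin/sh
# nsrun -- added example, not from anyone in the thread: run ONE daemon in
# fresh network + UTS + mount namespaces created by unshare(1), hand it a
# veth uplink from the main namespace, and give it a private /var/lib while
# the rest of the filesystem stays the host's. The names, the
# /var/lib/nsrun/NAME layout and the pid file path are this example's own
# assumptions. Install executable, e.g. as /usr/local/sbin/nsrun.
#
# usage (as root):  nsrun NAME CIDR COMMAND [ARGS...]
#           e.g.:   nsrun rtr1 10.9.1.1/24 /usr/sbin/sshd -D
set -eu

# NAME becomes the hostname and part of an interface name, so restrict it to
# [a-z0-9-] and keep "up-NAME" within the 15-character IFNAMSIZ limit.
valid_name() {
    case $1 in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 12 ]
}

# Stage 2: already inside the new namespaces (unshare exec'd us here).
inner() {
    name=$1 cidr=$2 peer=$3
    shift 3
    hostname "$name"
    ip link set lo up
    # The host side can only move the veth peer in after we exist: wait for it.
    tries=0
    until ip link show "$peer" >/dev/null 2>&1; do
        tries=$(( tries + 1 ))
        [ "$tries" -lt 50 ] || { echo "nsrun: $peer never arrived" >&2; exit 1; }
        sleep 0.1
    done
    ip link set "$peer" name eth0
    ip addr add "$cidr" dev eth0
    ip link set eth0 up
    # Private state only: a bind mount over /var/lib inside OUR mount
    # namespace (unshare --mount makes propagation private by default), so
    # the host and every other instance keep their own /var/lib.
    mount --bind "/var/lib/nsrun/$name" /var/lib
    exec "$@"
}

# Stage 1: in the main namespace.
outer() {
    name=$1 cidr=$2
    shift 2
    valid_name "$name" || { echo "nsrun: bad name '$name'" >&2; return 1; }
    mkdir -p "/var/lib/nsrun/$name"
    peer="p-$name"
    # unshare execs stage 2 in place (no --fork), so $! is the pid whose
    # namespaces we want. It may not have called unshare(2) yet when we
    # look, so wait until its net namespace differs from ours; moving the
    # veth in before that would leave the peer in the main namespace.
    unshare --net --uts --mount -- "$0" --inner "$name" "$cidr" "$peer" "$@" &
    child=$!
    while [ "$(readlink "/proc/$child/ns/net")" = "$(readlink /proc/self/ns/net)" ]; do
        sleep 0.05
    done
    kill -0 "$child" 2>/dev/null || { echo "nsrun: child exited early" >&2; return 1; }
    ip link add "up-$name" type veth peer name "$peer"
    ip link set "$peer" netns "$child"
    ip link set "up-$name" up
    echo "$child" > "/run/nsrun-$name.pid"   # to stop: kill the pid, then ip link del up-NAME
    wait "$child"                            # block so a supervisor sees the daemon exit
}

case "${1:-}" in
    --inner) shift; inner "$@" ;;
    '')      echo "usage: nsrun NAME CIDR COMMAND [ARGS...]" >&2 ;;
    *)       outer "$@" ;;
esac
```

Because it blocks on the daemon, it slots straight into an OpenRC start() via supervise-daemon or start-stop-daemon, and `nsenter -t "$(cat /run/nsrun-rtr1.pid)" -n -u -m` gets you a shell inside the running instance, which is the nsenter half of Rich's pair. One caveat for Alarig's case: this is the network-namespace answer. An l3mdev VRF is not a namespace, and the equivalent there is `ip vrf exec NAME COMMAND`, which binds the process's sockets to the VRF device without any unshare at all.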



Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Alarig Le Lay
For the VRF part, Gentoo supports it; it’s in the upstream kernel
sources.

I only tried it once, but failed because my sshd should have been launched
in my VRF and I didn’t quickly find a way to do it.

But otherwise, it worked.

-- 
Alarig