04 Apr 2021

Using yubikey for SSH

Using yubikeys everywhere is my jam…here’s how.


I did it by installing yubikey-agent with a:

brew install yubikey-agent
brew services start yubikey-agent

Then shell configuration in ~/.zshrc:

export SSH_AUTH_SOCK="/usr/local/var/run/yubikey-agent.sock"

For each yubikey

  • Create an 8 char password in password manager
  • Run yubikey-agent -setup
    • Enter PIN/PUK
  • Get the public key and verify it works with ssh-add -L
  • Record public key in password manager and use the Yubico id to disambiguate which yubikey
  • Add the public key to anywhere relevant, ie https://github.com/settings/keys

16 Dec 2012

Easy SSH Tunnel on OSX

I recently found myself working from a restaurant with open WIFI. After having someone on open WIFI snatch my Facebook credentials back in 2009, I’ve become understandably paranoid about security on unsafe connections. I spent a few minutes setting up a Squid Proxy on my VPS, when I came upon a better solution: set a SOCKS Proxy in OSX and create an SSH tunnel.

How it works

The SSH tunnel connects to the VPS using an encrypted channel. This is open for use on a localport such as 8080 (or a randomly assigned one w/ script). The SOCKS Proxy passes network requests to the localport instead of sending them to the web/email-server/etc.

How to do it

On OSX it consists of the two following steps: sudo networksetup -setsocksfirewallproxy Wi-Fi $localport off ssh -f -p $remoteport -D $localport $remoteuser@$remoteproxy sleep 1d This is all well and good, but someone went to the trouble of wrapping this in a script: OSX-PROXY. I took a little bit of time this weekend and refactored the code to extract functions, utilize a case statement, and add extra commandline arguments.   My revised script also toggles the state of the proxy if no arguments are given.


The aforementioned code works very well but I’m not sure if it re-routes all DNS requests which could divulge personal information. So I switched to this python library that re-routes all activity and is more established: SShuttle. Add an alias to the shell for quick starting with default settings: [code]alias sshuttle_start=’sshuttle --dns -vvr user@vps 0/0' [/code](Replace user and vps placeholders with the appropriate info). PS - Never ever trust public or semi-public Wifi.  Using a proxy like this is the minimum security that you should consider.

19 Jul 2012

X11 Forwarding: Or How to use my favorite Calculator in OSX

I switched to a Macbook Air a few months ago and I’ve been generally quite happy with the setup.

One thing I’m unhappy with is the availability of my two favorite calculator programs. On Linux distos I’m accustomed to installing ‘qalculate’ and on Windows it’s been GraphCalc. I tried to find equivalent programs under OSX, giving it all of 15 min of effort, but couldn’t find a robust solution with good history, nice data entry, etc.

So, I decided to stick with my favorite (‘Qalculate’). I then tried installing it from source under OSX which didn’t succeed. I then tried to do the same with graphcalc’s Linux source, with the same result.

At this point I remembered toying around with X-forwarding over SSH. Since I had already installed the X11 environment for running GIMP (GNU Image Manipulation Program), it was trivial to que up a virtual instance of Debian Linux under Parallels. I installed Qalculate in that virtual instance and used the ssh command for X-forwarding: ssh -X username@server\_name 'qalculate-gtk &'

The result is that I have a virtual instance of Debian running in the background, my normal OSX interface, and my favorite calculate ready to go (as if it were a native OSX application).

Thanks SSH!

05 Jul 2012

Linux Command of the Day

No fancy commands today, just good ol’ functional admin action. I was setting up a couple of new Virtual Private Servers (ala EC2 or DamnVPS) and came across the following helpful command ssh-copy-id -i ~/.ssh/id\_rsa.pub username@remote\_server\_ip\_or\_domain What it does is copies (appends) your ssh key to the list of permissible keys on the remote server.

Need to make an SSH key for this purpose? ssh-keygen -t rsa -b 4096

Need to install ssh-copy-id on OSX? brew install ssh-copy-id