I am not a front-end developer, not a UI designer, nor a UX guru, but I am an
engineer, so when I face a puzzle worth solving my brain switches on and I
cannot let it go until I find a satisfactory solution to the puzzle.
My blog heavily relies on me sharing session dumps and file excerpts using the
code blocks. I am using PrismJS to highlight syntax in these blocks. However,
after a while I found that there is one thing that really irritates me: these
code blocks are not designed to be truly responsive, for instance – when
time 18 min.
I had my blog site for more than a decade now, but until now I was not putting
any effort or thoughts into maintaining my audience or promoting the site. It
was dormant for nearly a decade and I decided to rejuvenate it and start using
it as a platform I could leverage to share some ideas I think which are worth
Before I embarked on the journey of renovating the blog site I needed to set
some goals and requirements up, so I would be able to assess my progress and
estimate how much effort is required. The
time 6 min.
Recently, I wrote about the dynamic resolution of upstream servers in
nginx which was achieved by quite an intrusive patch to the core nginx module.
The patch was invented a while ago and was working very well up until recent
nginx versions were released.
With the release of nginx 1.10 it was noticed that the patch crashes some
workers under heavy load and this was unacceptable for the production load,
hence a new approach was implemented.
The beauty of the new solution is that it is non-intrusive and works with any
services that communicate via sockets.
A while ago in the Transparent SSH host-jumping (Advanced) post I
described a technique on how one could jump quite effortlessly through a chain
of intermediate hosts. However, there was a catch: the user names and ports
across the whole chain should be the same and there was no easy way to change
Given that I recently paid quite a lot of attention to the ProxyCommand
directive I decided to look into the implementation of the helper script that
will allow one to tweak parameters for the hosts in the chain.
I was involved in the creation of the sshephalopod project, which was an
attempt to build an enterprise level authentication framework for SSH
authentication using the SSH CA feature.
The project is based on a wrapper script that signs a user via a SAML identity
provider and gets user’s public key signed for the further usage.
In one of the discussions I pointed out that such a wrapper script is not good
for the end user experience and I proposed to provide the users with an excerpt
for their ssh config file, so the functionality of sshephalopod would be
time 5 min.
I heard a lot about Raspberry Pi boards but until now I had no need nor time to
work with one.
However, recently I purchased a Dodge Journey R/T and found that although I
love the car I am so disappointed with its software and hard-wired logic that I
decided to experiment a bit and fix the most annoying things.
Since almost everything inside the car is talking over the CAN bus I needed
some kind of a enclave inside the car where I could run my code and
inject/intercept CAN messages.
I strive for simplicity since I am a strong believer that achieving a goal with
the most simplest solution looks elegant, proves that you have deep knowledge
on the subject, and overall is beautiful by itself. Additionally to this, a
simple solution is easier to comprehend and to audit, hence it is much easier
to ensure the security of such a solution.
Over the last decade I stumbled upon numerous complicated firewalls erected on
the NAT boxes with tens (sometimes, hundreds!) of rules describing the traffic
flows and punched holes for some edge cases. Every time I wondered what kind
time 7 min.
In this brief article I am going to describe how I resolved a nagging issue I
had with setting up access to hosts which are not directly reachable, but where
you need to forward your connection through an intermediate host.
Previously, I was using the local SSH port-forwarding technique (although I
was configuring hosts I connect to in the ~/.ssh/config file instead of
using the command-line options). However, this approach turned out to be quite
inconvenient since every time I wanted to connect to a new host (and, possibly,
through a new intermediate host) I had to edit my
time 6 min.
None of the systems I administer or supervise have sudo installed with the
SUID bit set.
Every time I answer a question on how to do privileged work on these systems
(i.e. do tasks that require administrator privileges) with a proposal to SSH
under the privileged account directly to do such a work, whoever asked
time 15 min.
In my previous blog entry I described some basic functionality of SSH in terms
of port-forwarding. Now it’s time for a little bit more complex stuff.
In this article I will highlight:
(forward) piercing of a firewall (getting access to resources behind it);
dynamic port-forwarding (AKA proxy);
(reverse) piercing of a firewall (exposing your local services on the remote side).
Forward firewall piercing
Let’s start with the forward firewall piercing, since it is the easiest and was
somewhat already described in my previous blog entry on this topic. Now,
imagine that you already have SSH access to some
time 4 min.
I think all of you are using SSH in your daily routines. However, do you use
its full potential? Today’s topic is the SSH port-forwarding feature and how
it can be use to achieve some interesting configurations.
I’m sure most of you are aware of the feature, but how many of you are using
it? Personally, I’m a bit obsessed with it and have found numerous cases where
this feature of SSH is a real life saver.
Let’s start with simple things and imagine that you have a server where you
are running MySQL (as a
time 2 min.