9 August 2023

Antoine Beaupr : OpenPGP key transition

This is a short announcement to say that I have changed my main OpenPGP key. A signed statement is available with the cryptographic details but, in short, the reason is that I stopped using my old YubiKey NEO that I have worn on my keyring since 2015. I now have a YubiKey 5 which supports ED25519 which features much shorter keys and faster decryption. It allowed me to move all my secret subkeys on the key (including encryption keys) while retaining reasonable performance. I have written extensive documentation on how to do that OpenPGP key rotation and also YubiKey OpenPGP operations.

Warning on storing encryption keys on a YubiKey People wishing to move their private encryption keys to such a security token should be very careful as there are special precautions to take for disaster recovery. I am toying with the idea of writing an article specifically about disaster recovery for secrets and backups, dealing specifically with cases of death or disabilities.

Autocrypt changes One nice change is the impact on Autocrypt headers, which are considerably shorter. Before, the header didn't even fit on a single line in an email, it overflowed to five lines:

Autocrypt: addr=anarcat@torproject.org; prefer-encrypt=nopreference;
 keydata=xsFNBEogKJ4BEADHRk8dXcT3VmnEZQQdiAaNw8pmnoRG2QkoAvv42q9Ua+DRVe/yAEUd03EOXbMJl++YKWpVuzSFr7IlZ+/lJHOCqDeSsBD6LKBSx/7uH2EOIDizGwfZNF3u7X+gVBMy2V7rTClDJM1eT9QuLMfMakpZkIe2PpGE4g5zbGZixn9er+wEmzk2mt20RImMeLK3jyd6vPb1/Ph9+bTEuEXi6/WDxJ6+b5peWydKOdY1tSbkWZgdi+Bup72DLUGZATE3+Ju5+rFXtb/1/po5dZirhaSRZjZA6sQhyFM/ZhIj92mUM8JJrhkeAC0iJejn4SW8ps2NoPm0kAfVu6apgVACaNmFb4nBAb2k1KWru+UMQnV+VxDVdxhpV628Tn9+8oDg6c+dO3RCCmw+nUUPjeGU0k19S6fNIbNPRlElS31QGL4H0IazZqnE+kw6ojn4Q44h8u7iOfpeanVumtp0lJs6dE2nRw0EdAlt535iQbxHIOy2x5m9IdJ6q1wWFFQDskG+ybN2Qy7SZMQtjjOqM+CmdeAnQGVwxowSDPbHfFpYeCEb+Wzya337Jy9yJwkfa+V7e7Lkv9/OysEsV4hJrOh8YXu9a4qBWZvZHnIO7zRbz7cqVBKmdrL2iGqpEUv/x5onjNQwpjSVX5S+ZRBZTzah0w186IpXVxsU8dSk0yeQskblrwARAQABzSlBbnRvaW5lIEJlYXVwcsOpIDxhbmFyY2F0QHRvcnByb2plY3Qub3JnPsLBlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBI3JAc5kFGwEitUPu3khUlJ7dZIeBQJihnFIBQkacFLiAAoJEHkhUlJ7dZIeXNAP/RsX+27l9K5uGspEaMH6jabAFTQVWD8Ch1om9YvrBgfYtq2k/m4WlkMh9IpT89Ahmlf0eq+V1Vph4wwXBS5McK0dzoFuHXJa1WHThNMaexgHhqJOs
 S60bWyLH4QnGxNaOoQvuAXiCYV4amKl7hSuDVZEn/9etDgm/UhGn2KS3yg0XFsqI7V/3RopHiDT+k7+zpAKd3st2V74w6ht+EFp2Gj0sNTBoCdbmIkRhiLyH9S4B+0Z5dUCUEopGIKKOSbQwyD5jILXEi7VTZhN0CrwIcCuqNo7OXI6e8gJd8McymqK4JrVoCipJbLzyOLxZMxGz8Ki0b9O844/DTzwcYcg9I1qogCsGmZfgVze2XtGxY+9zwSpeCLeef6QOPQ0uxsEYSfVgS+onCesSRCgwAPmppPiva+UlGuIMun87gPpQpV2fqFg/V8zBxRvs6YTGcfcQjfMoBHmZTGb+jk1//QAgnXMO7fGG38YH7iQSSzkmodrH2s27ZKgUTHVxpBL85ptftuRqbR7MzIKXZsKdA88kjIKKXwMmez9L1VbJkM4k+1Kzc5KdVydwi+ujpNegF6ZU8KDNFiN9TbDOlRxK5R+AjwdS8ZOIa4nci77KbNF9OZuO3l/FZwiKp8IFJ1nK7uiKUjmCukL0od/6X2rJtAzJmO5Co93ZVrd5r48oqUvjklzzsBNBFmeC3oBCADEV28RKzbv3dEbOocOsJQWr1R0EHUcbS270CrQZfb9VCZWkFlQ/1ypqFFQSjmmUGbNX2CG5mivVsW6Vgm7gg8HEnVCqzL02BPY4OmylskYMFI5Bra2wRNNQBgjg39L9XU4866q3BQzJp3r0fLRVH8gHM54Jf0FVmTyHotR/Xiw5YavNy2qaQXesqqUv8HBIha0rFblbuYI/cFwOtJ47gu0QmgrU0ytDjlnmDNx4rfsNylwTIHS0Oc7Pezp7MzLmZxnTM9b5VMprAXnQr4rewXCOUKBSto+j4rD5/77DzXw96bbueNruaupb2Iy2OHXNGkB0vKFD3xHsXE2x75NBovtABEBAAHCwqwEGAEIACAWIQSNyQHOZBRsBIrVD7t5IVJSe3WSHgUCWZ4LegIbAgFACRB5IV
 JSe3WSHsB0IAQZAQgAHRYhBHsWQgTQlnI7AZY1qz6h3d2yYdl7BQJZngt6AAoJED6h3d2yYdl7CowH/Rp7GHEoPZTSUK8Ss7crwRmuAIDGBbSPkZbGmm4bOTaNs/gealc2tsVYpoMx7aYgqUW+t+84XciKHT+bjRv8uBnHescKZgDaomDuDKc2JVyx6samGFYuYPcGFReRcdmH0FOoPCn7bMW5mTPztV/wIA80LZD9kPKIXanfUyI3HLP0BPwZG4WTpKzJaalR1BNwu2oF6kEK0ymH3LfDiJ5Sr6emI2jrm4gH+/19ux/x+ST4tvm2PmH3BSQOPzgiqDiFd7RZoAIhmwr3FW4epsK9LtSxsi9gZ2vATBKO1oKtb6olW/keQT6uQCjqPSGojwzGRT2thEANH+5t6Vh0oDPZhrKUXRAAxHMBNHEaoo/M0sjZo+5OF3Ig1rMnI6XbKskLv6hu13cCymW0w/5E4XuYnyQ1cNC3pLvqDQbDx5mAPfBVHuqxJdRLQ3yDM/D2QIsxnkzQwi0FsJuni4vuJzWK/NHHDCvxMCh0YmSgbptUtgW8/niatd2Y6MbfRGxUHoctKtzqzivC8hKMTFrj4AbZhg/e9QVCsh5zSXtpWP0qFDJsxRMx0/432n9d4XUiy4U672r9Q09SsynB3QN6nTaCTWCIxGxjIb+8kJrRqTGwy/PElHX6kF0vQUWZNf2ITV1sd6LK/s/7sH+x4rzgUEHrsKr/qPvY3rUY/dQLd+owXesY83ANOu6oMWhSJnPMksbNa4tIKKbjmw3CFIOfoYHOWf3FtnydHNXoXfj4nBX8oSnkfhLILTJgf6JDFXfw6mTsv/jMzIfDs7PO1LK2oMK0+prSvSoM8bP9dmVEGIurzsTGjhTOBcb0zgyCmYVD3S48vZlTgHszAes1zwaCyt3/tOwrzU5JsRJVns+B/TUYaR/u3oIDMDygvE5ObWxXaFVnCC59r+zl0FazZ0ouyk2AYIR
 zHf+n1n98HCngRO4FRel2yzGDYO2rLPkXRm+NHCRvUA/i4zGkJs2AV0hsKK9/x8uMkBjHAdAheXhY+CsizGzsKjjfwvgqf84LwAzSDdZqLVE2yGTOwU0ESiArJwEQAJhtnC6pScWjzvvQ6rCTGAai6hrRiN6VLVVFLIMaMnlUp92EtgVSNpw6kANtRTpKXUB5fIPZVUrVdfEN06t96/6LE42tgifDAFyFTZY5FdHHri1GG/Cr39MpW2VqCDCtTTPVWHTUlU1ZG631BJ+9NB+ce58TmLr6wBTQrT+W367eRFBC54EsLNb7zQAspCn9pw1xf1XNHOGnrAQ4r9BXhOW5B8CzRd4nLRQwVgtw/c5M/bjemAOoq2WkwN+0mfJe4TSfHwFUozXuN274X+0Gr10fhp8xEDYuQM0qu6W3aDXMBBwIu0jTNudEELsTzhKUbqpsBc9WjwNMCZoCuSw/RTpFBV35mXbqQoQgbcU7uWZslLl9Wvv/C6rjXgd+GeX8SGBjTqq1ZkTv5UXLHTNQzPnbkNEExzqToi/QdSjFMIACnakeOSxc0ckfnsd9pfGv1PUyPyiwrHiqWFzBijzGIZEHxhNGFxAkXwTJR7Pd40a7RDxwbO6p/TSIIum41JtteehLHwTRDdQNMoyfLxuNLEtNYS0uR2jYI1EPQfCNWXCdT2ZK/l6GVP6jyB/olHBIOr+oVXqJh+48ki8cATPczhq3fUr7UivmguGwD67/4omZ4PCKtz1hNndnyYFS9QldEGo+AsB3AoUpVIA0XfQVkxD9IZr+Zu6aJ6nWq4M2bsoxABEBAAHCwXYEGAEIACACGwwWIQSNyQHOZBRsBIrVD7t5IVJSe3WSHgUCWPerZAAKCRB5IVJSe3WSHkIgEACTpxdn/FKrwH0/LDpZDTKWEWm4416l13RjhSt9CUhZ/Gm2GNfXcVTfoF/jKXXgjHcV1DHjfLUPmPVwMdqlf5ACOiFqIUM2ag/OEARh356w
 YG7YEobMjX0CThKe6AV2118XNzRBw/S2IO1LWnL5qaGYPZONUa9Pj0OaErdKIk/V1wge8Zoav2fQPautBcRLW5VA33PH1ggoqKQ4ES1hc9HC6SYKzTCGixu97mu/vjOa8DYgM+33TosLyNy+bCzw62zJkMf89X0tTSdaJSj5Op0SrRvfgjbC2YpJOnXxHr9qaXFbBZQhLjemZi6zRzUNeJ6A3Nzs+gIc4H7s/bYBtcd4ugPEhDeCGffdS3TppH9PnvRXfoa5zj5bsKFgjqjWolCyAmEvd15tXz5yNXtvrpgDhjF5ozPiNp/1EeWX4DxbH2i17drVu4fXwauFZ6lcsAcJxnvCA28RlQlmEQu/gFOx1axVXf6GIuXnQSjQN6qJbByUYrdc/cFCxPO2/lGuUxnufN9Tvb51Qh54laPgGLrlD2huQeSD9Sxa0MNUjNY0qLqaReT99Ygb2LPYGSLoFVx9iZz6sZNt07LqCx9qNgsJwsdmwYsNpMuFbc7nkWjtlEqzsXZHTvYN654p43S+hcAhmmOzQZcew6h71fAJLciiqsPBnCEdgCGFAWhZZdPkMA==

After the change, the entire key fits on a single line, neat!

Autocrypt: addr=anarcat@torproject.org; prefer-encrypt=nopreference;
 keydata=xjMEZHZPzhYJKwYBBAHaRw8BAQdAWdVzOFRW6FYVpeVaDo3sC4aJ2kUW4ukdEZ36UJLAHd7NKUFudG9pbmUgQmVhdXByw6kgPGFuYXJjYXRAdG9ycHJvamVjdC5vcmc+wpUEExYIAD4WIQS7ts1MmNdOE1inUqYCKTpvpOU0cwUCZHZgvwIbAwUJAeEzgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRACKTpvpOU0c47SAPdEqfeHtFDx9UPhElZf7nSM69KyvPWXMocu9Kcu/sw1AQD5QkPzK5oxierims6/KUkIKDHdt8UcNp234V+UdD/ZB844BGR2UM4SCisGAQQBl1UBBQEBB0CYZha2IMY54WFXMG4S9/Smef54Pgon99LJ/hJ885p0ZAMBCAfCdwQYFggAIBYhBLu2zUyY104TWKdSpgIpOm+k5TRzBQJkdlDOAhsMAAoJEAIpOm+k5TRzBg0A+IbcsZhLx6FRIqBJCdfYMo7qovEo+vX0HZsUPRlq4HkBAIctCzmH3WyfOD/aUTeOF3tY+tIGUxxjQLGsNQZeGrQI

Note that I have implemented my own kind of ridiculous Autocrypt support for the Notmuch Emacs email client I use, see this elisp code. To import keys, I pipe the message into this script which is basically just:

sq autocrypt decode   gpg --import

... thanks to Sequoia best-of-class Autocrypt support.

Note on OpenPGP usage While some have claimed OpenPGP's death, I believe those are overstated. Maybe it's just me, but I still use OpenPGP for my password management, to authenticate users and messages, and it's the interface to my YubiKey for authenticating with SSH servers. I understand people feel that OpenPGP is possibly insecure, counter-intuitive and full of problems, but I think most of those problems should instead be attributed to its current flagship implementation, GnuPG. I have tried to work with GnuPG for years, and it keeps surprising me with evilness and oddities. I have high hopes that the Sequoia project can bring some sanity into this space, and I also hope that RFC4880bis can eventually get somewhere so we have a more solid specification with more robust crypto. It's kind of a shame that this has dragged on for so long, but Update: there's a separate draft called openpgp-crypto-refresh that might actually be adopted as the "OpenPGP RFC" soon! And it doesn't keep real work from happening in Sequoia and other implementations. Thunderbird rewrote their OpenPGP implementation with RNP (which was, granted, a bumpy road because it lost compatibility with GnuPG) and Sequoia now has a certificate store with trust management (but still no secret storage), preliminary OpenPGP card support and even a basic GnuPG compatibility layer. I'm also curious to try out the OpenPGP CA capabilities. So maybe it's just because I'm becoming an old fart that doesn't want to change tools, but so far I haven't seen a good incentive in switching away from OpenPGP, and haven't found a good set of tools that completely replace it. Maybe OpenSSH's keys and CA can eventually replace it, but I suspect they will end up rebuilding most of OpenPGP anyway, just more slowly. If they do, let's hope they avoid the mistakes our community has done in the past at least...

22 September 2013

Paul Tagliamonte: Musings about Debian and Python

On a regular basis, I find myself the odd-man-out when it comes to talking about how to work with Python on Debian systems. I'm going to write this and post it so that I might be able to point people at my thoughts without having to write the same email in response to each thread that pops up. Turns out I don't fit in with the Debian hardliners (which is to say, the mindset that pip sucks and shouldn't exist), nor do I fit in with the Python hardliners (which is to say apt and dpkg are out of date, and neither have a place on a Development machine). I think our discourse on this topic has become petty and stupid in general. Let's all try to step back and drop a bit of the attitude. pip doesn't suck, and neither does apt. The truth is, both sides are wrong. As with any subject, the real answer here is much more nuanced than either side presents it. I'm going to try and present my opinion on this, in the way that both my Pythonista self and my Debianite self see the issue. Hopefully I can keep this short, to the point, and caked with logic. The case for dpkg (the Debianite in me) In defense of dpkg and apt, imagine having to install python-gnome2 on all your systems when you install. It'd be hell on earth. Imagine having a user try to do this. It's insane to assume that end-users will be using pip for this purpose. pip is fun and all, but it's also installing 100% untrusted code to your system (perhaps as root, if you're using pip with sudo for some reason), and hasn't been reviewed for software freeness, which is something Debian (and Debian users) take seriously. This isn't even to mention the hell that pip wreaks on dpkg controlled files / packages. Try to remember how much of your system running (yes, right now) is running because of Python or Python modules. Try to imagine how much of a pain in the ass it'd be if you couldn't boot into GNOME to use nm-applet to connect to wifi to pip install something. I'm sure even the most extreme pip'er understands the need for Operating System level package management. Debian also has a bigger problem scope - we're not maintaining a library in Debian for kicks, we're maintaining it so that end user applications may use the library. When we update something like Django, we have to make sure that we don't break anything using it (although, to be honest, the fact that we package webapps is an entire rant for later) before we get to update it to the newest release. Hell, with a few coffees, I could automate the process of releasing a .deb with a new upstream release, 100% unattended. I won't, however, since this is an insane idea. Let's go over a brief list of things I do before uploading a new package:

Review the entire codebase for simple mistakes.
Review the entire codebase for license issues.
Review the entire codebase for files without source, and track down (and include source for) any sourceless files (such as pickle files, etc).
Get to know the upstream, get to know open bugs, write something using the lib, in case I need to debug later.
Install the package.
Test the package.
Work out any Debian package issues (this is easy).

Now, a brief list of things I do before I update a package:

Review the changes between the last uploaded version (in diff format, if it's sane, otherwise get the VCS and review), ensure all the above are still OK.
Review for Debian-local issues (such as how it will upgrade, using piuparts, and adequate, etc).
Check to make sure it won't break any reverse dependencies.
Review for bugfixes that I might need to bring back to the stable release.
Figure out if I should (or even can) backport the package, if API is stable.
Review for bugs (upstream or in Debian) that I need to mention in the debian/changelog.

Clearly, this isn't a quick-and-dirty task. It's not a matter of getting a package updated (technically), it's a much more detailed process than that. This is also why Debian is so highly regarded for its technical virtuosity, and why the ISS decided to deploy Debian in space, despite other commercial distros such as Red Hat, or Ubuntu, and community distros, such as Fedora or Arch. It's also not Debian's job to package the world in the archive. This is an insane task, and it's not Debian's place to do it. We introduce libraries as things need them, not because we wrote some new library that someone may find slightly useful at some point in the future. maybe. Upstream developers and language communities (not only Python here) tend to lose sight of why we're doing this in the first place, which is our users. This isn't some sort of technical pissing contest to see who can distribute the software in the best way. Debian-folk always keep end users as our highest priority. I quote the Debian Social Contract, when I say that Our priorities are our users and free software. No one's trying to get developers to use dpkg to create software. In fact, as you'll see below, I actively discourage using system modules for development. The case for pip (the Pythonista in me) In defense of pip, the idea that Debian will keep the latest versions of packages is insane. The idea that we can keep pace with upstream releases is nuts, and the idea that every upstream release on pypi is ready to ship is bananas. b-a-n-a-n-a-annas. As a developer, I don't want to support every release, and I surely don't want other people depending on some random snapshot. Often times, I'll put stuff up on pypi as a preview, or to release often, and solicit feedback without having to give out instructions on using a git checkout (it's also easier to have them try a version from pypi so I can cross-ref the git tag to reproduce issues when they file them)

Even Debian tools I write, like python-schroot are released to pypi first, and I treat that as the upstream location when packaging it in Debian.

pypi is easy, ubiquitous and works regardless of the platform, which means less of my development time is spent packaging stuff up for platforms I don't really care about (Arch, Fedora, OSX, Windows), even though I value feedback from users on those systems. The effort it takes to release something is limited to python setup.py sdist upload, and it's in a place (and in a shape) that anyone can use it without having 10 sets of platform-local instructions. Even ignoring all the above, when I'm writing a new app or bit of code, I want to be sure I'm targeting the latest version of the code I depend on, so that future changes to API won't hit me as hard. By following along with my dependencies' development, I can be sure that my code breaks early, and breaks in development, not production. Upstreams also tend to not like bug reports against old branches, so ensuring I have the latest code from pypi means I can properly file bugs. Lastly, I prefer virtualenv based setups for development, since I'm usually working on many things at once. This often means version mismatches in libraries, which brings in API changes (another whole rant here as well). I don't want to keep installing and uninstalling packages to switch between the two projects, and using a chroot(8) means a lot of overhead and that it's disconnected from my development environment / filesystem, so I resort to virtualenv to isolate my Development environment. Final notes I don't want to keep arguing about this. Just accept that the world's a big place and that there exist use-cases that both apt and pip need to exist and work in the way they're working now. At the very least, try and understand there exist smart people on both sides, and no one is trying to screw anyone over or keep their own little private club to themselves. Hopefully, going forward, we can make sure that the integration between these two tools gets better, not worse. Help make this dream a reality. Contribute to a productive tone, not a destructive one. In short:

Use pip without sudo always. Don't tell people to use sudo.
Use apt or dpkg when deploying system-wide.
Understand people are going to package, and they will be more concerned about software using your library then keeping your library up to date.
Understand Debian Developers and package maintainers have to do a lot of work when updating or sponsoring an upload.
Understand upstream developers can't be bothered to fix every issue with every release (release early, release often) with some snapshot you introduced into unstable.
Use pip and virtualenv in development setups, so we can upgrade your app when we upgrade the lib.

22 September 2010

Gunnar Wolf: Damage control: Cleaning up compromised SSH keys

This morning, my laptop was stolen from my parked car while I was jogging. I do not want to make a big deal out of it. Still, even though I am sure it was not targetted at my data (three other people at least were reporting similar facts in the same area), and the laptop's disk will probably just be reformatted, I am trying to limit the possible impact of my cryptographic identification being in somebody else's hands. GPG makes it easy: I had on that machine just my old 1024D key, so it is just matter of generating a revocation certificate. I have done that, and uploaded it to the SKS keyservers - Anyway, here is my revocation certificate:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: A revocation certificate should follow
iHIEIBEIADIFAkyaOZwrHQJBIGNvbXB1dGVyIGNvbnRhaW5pbmcgdGhpcyBrZXkg
d2FzIHN0b2xlbgAKCRDYDvNai7UnrzWAAKC34eF76JQjxrZqSjNwcC0dU/5VbACg
gMIMmYg91Sl3y8KsZXdGj/rV7UE=
=rdlT
-----END PGP PUBLIC KEY BLOCK-----

But What worries me more is access to the computers my ssh key works for. Yes, the ssh key uses a nontrivial passphrase, but still SSH keys cannot be revoked (and this makes sense, as SSH should not add the delay, or potential impossibility, to check with a remote infrastructure whenever you want to start a session). So, I generated a new key (and stored it at ~/.ssh/id_rsa.new / ~/.ssh/id_rsa.new.pub) and came up with this snippet:

$ OLDKEY=xyHywJuHD3nsfLh03G1TqUEBKSj6NlzMfB1T759haoAQ
$ for host in $(cat .ssh/known_hosts   cut -f 1 -d \  cut -f 1 -d ,  
                sort   uniq); do 
    echo == $host
    ssh-copy-id -i .ssh/id_rsa.new.pub $host && 
    ssh $host "perl -n -i -e 'next if /$OLDKEY/;print' .ssh/authorized_keys"
done

Points about it you might scratch your head about:

.ssh/known_hosts' lines start with the server's name (or names, if more than one, comma-separated), followed by the key algorithm and the key fingerprint (space-separated). That's the reason for the double cut It could probably be better using a regex-enabled thingy understanding /[, ]/, but... I didn't think of that. Besides, the savings would be just for academic purposes ;-)
I thought about not having the ssh line conditionally depend on ssh-copy-id. But OTOH, this makes sure I only try to remove the old key from the servers it is present on, and that I don't start sending my new key everywhere just for the sake of it.
my $OLDKEY (declared in Shell, and only literally interpolated in the Perl one-liner below) contains the final bits of my old key. It is long enough for me not to think I'm risking collision with any other key. Why did I choose that particular length? Oh, it was a mouse motion.
perl -n -i -e is one of my favorite ways to invoke perl. -i means in-line editing, it allows me to modify a file on the fly. This line just skips (removes) any keys containing $OLDKEY; -n tells it to loop all the lines over the provided program (and very similarly, -p would add a print at the end Which in this particular ocassion, I prefer not to have). It is a sed lookalike, if you wish, but with a full Perl behind.

Caveats:

This assumes you have set HashKnownHosts: no in your .ssh/config. It is a tradeoff, after all I use a lot tab-expansion (via bash_completion) for hostnames, so I do have the fully parseable list of hosts I have used on each of my computers.
I have always requested my account names to be gwolf. If you use more than one username... well, you will have to probably do more than one run of it connecting to foo@$host instead.
Although most multiuser servers stick to the usual port 22, many people change the ports (me included) either because they perceive concealing them gives extra security, or (as in my case) because they are fed up with random connection attempts. Those hosts are stored as [hostname]:port (i.e. [foo.gwolf.org]:22000). Of course, a little refinement takes care of it all.,/li>
Oh, I am not storing results... I should, so for successive runs I won't try to connect to a system I already did, or that already denied me access. Why would I want to? Because some computers are not currently turned on. So I'll run this script at least a couple of times.

Oh, by the way: If you noticed me knocking on your SSH ports... please disregard. Possibly at some point I connected to that machine to do something, or it landed in my .ssh/known_hosts for some reason. I currently have 144 hosts registered. I am sure I triggered at least one raised eyebrow. And I will do it from a couple of different computers, to make it less probable that I miss some I have never connected from while at the particular computer I am sitting at right now. So... Any ideas on how to make this better?

19 March 2006

Clint Adams: This report is flawed, but it sure is fun

91	D63469DF	dnusinow	1243
63	DEB0EC31	eloy
55	A965818F	vela	1243
46	58510B5A	myon	2143
39	9B7C328D	luk	31-2
39	1880283C	anibal	2134
37	0FE53DD9	opal	4213
32	2B0920C0	lool	1342
29	788A3F4C	joeyh
27	0F932C9C	doko
25	8768B1D2	sjoerd
23	F1BCDB73	aurel32	13-2
19	E02FEF11	jordens	1243
18	AB963370	schizo	1243
18	6E74A7D1	jdassen(Ks)	1243
18	68FD549F	tbm	3142
18	6783ED5E	fpeters	1--2
17	91B0D3B7	edd	-213
16	E07F1CF9	rousseau	321-
16	248AEB73	rene	1243
15	8E635A5E	rafl
14	C0143D2D	bubulle	4123
13	D87C6781	krooger(P)	4213
13	A436AD25	jfs(P)
13	3D08B612	msp
13	1E880A84	fjp	4213
13	0F7A8D01	nobse
12	F1968D1B	decklin	1234
12	E7075A54	mhatta
12	D75F8533	joss	1342
12	BF24424C	srivasta	1342
12	B8C1FA69	sto
12	7F961564	kobold
12	2A30D729	pere	4213
12	16D970C6	eric	12--
11	5E0577F2	mpitt
11	307D56ED	noel	3241
11	2BE16D01	moray	1342
10	BC7D020A	formorer	-1--
10	A7D91602	apollock	4213
10	A51A4FDD	gcs
10	917A225E	jordi
10	4B729625	pvaneynd	3123
10	497A176D	loic
9	62F1A57F	pa3aba
9	54FD2A58	glandium	1342
9	4A5D72FE	rafael
9	13FEFC40	fenio	-1--
9	0AFC7476	rra	1243
8	90267086	duck	31-2
8	86A118E6	ch	321-
8	801EA932	joey	1243
8	7F4E0E11	waldi	-123
8	514B3E7C	florian	21--
8	41954920	fs	12--
8	2A385C57	mckinstry	21-3
8	25BFB848	rleigh	1243
7	BC70A6FF	pape	1---
7	B70E403B	ari	1243
7	8E2D213A	jochen(Ks)
7	85FEC17F	kilian
7	84FB46D6	lwall	1342
7	800969EF	smimram	-1--
7	79CC6586	haas
7	5BFA90EC	kohda
7	52B7487E	sesse	2341
7	29499F61	sho	1342
7	1E161AFB	barbier	12--
6	FC05DA69	wildfire(P)
6	EEB6B4C2	avdyk	-12-
6	EDF008C5	blade	1243
6	E25F2102	mejo	1342
6	D1C41882	adeodato(Ks)	3142
6	D0B433DF	ross	12-3
6	B0EBC777	piman	1233
6	9D309C3B	robert	4213
6	882A6C4B	kov
6	6BBA3C84	zugschlus	4213
6	5662C734	mvo
6	554FB4C6	petere	-1-2
6	37155778	stratus
6	2D9ACC8E	lars	1243
6	2809E61A	josem
6	2252FA1A	frank	2143
6	1CF2D62A	micah
6	10FA4CD1	cjwatson	2143
5	EE6DC66A	jaldhar	2143
5	EA59038E	sgran	4123
5	E1EE3FB1	md	4312
5	E0B8B2DE	jaybonci
5	C9A5B54E	sesse(Ps	,Gs) 2341
5	C4CF8EC3	twerner
5	C2FEE5CD	acid	213-
5	C09FD35A	tille
5	C03C56DF	rfrancoise	---1
5	B7CDA2DC	xam	213-
5	A20EBC50	cavok	4214
5	808D0FD0	don	1342
5	797EBFAB	enrico	1243
5	5230514A	sjackman
5	49A5F855	otavio	-123
5	3DC29B41	pdm
5	29982E5A	vorlon	1243
5	2763483B	mkoch	213-
5	21DB31C5	smr	2143
5	1BF8DE0F	stigge	312-
5	12CADFA5	csmall	3214
5	0A0AC927	lamont
4	F2CF01A8	bdale
4	F095E5E4	mnencia
4	E9F2C747	frankie
4	E9ABFCD2	devin	2143
4	E81E55C1	dancer	2143
4	E38E7ACF	hmh(Gs)	1243
4	E298966D	jrv(P)
4	DF5CE2B4	huggie	12-3
4	DD982A75	speedblue
4	C671257D	damog	-1-2
4	C4A3823E	kmr	4213
4	C0B10A5B	dexter
4	C02440B8	js	1342
4	BE9F70EA	tb	1342
4	B7D2F063	varenet	-213
4	A3F9E30E	schultmc	1243
4	A3D7B9BC	lawrencc	2143
4	A1EE761C	madcoder	21--
4	9DE1EEB1	he	3142
4	9D928C9B	guillem	1---
4	9B726B71	racke
4	90788E11	jsogo	2143
4	864826C3	gotom	4321
4	7244970B	kroeckx	2143
4	5B48FFAE	marga	2143
4	54E672DE	isaac	1243
4	4B3A135C	erich	1243
4	4597A593	agmartin	4213
4	3FCC2A90	amaya	1243
4	3F3E6426	agx	-1-2
4	3EF23CD6	sanvila	1342
4	32C9C8BD	werner(K)
4	204DDF1B	aquette
4	00D8CD16	tolimar	12--
3	FEC23FB2	bap	34-1
3	F972BE03	tmancill	4213
3	F801A743	nduboc	1---
3	EBEDB32B	chrsmrtn	4123
3	EA291785	taggart	2314
3	E4D47EC1	tv(P)
3	E19F188E	troyh	1244
3	DF6807BE	srk	4213
3	D2A913A1	psg(P)
3	D097A261	chrisb
3	C6CEA0C9	adconrad	1243
3	C20DF273	ondrej
3	B5444815	ballombe	1342
3	B1DF9A57	cate	2143
3	AFA44BDD	weasel(Ps	,Gs) 1342
3	AA6541EE	brlink	1442
3	A824B93F	asac	3144
3	A71C1E00	turbo
3	A2D7D292	seb128
3	9ED101BF	mbanck	3132
3	969457F0	joostvb	2143
3	89BF7E2B	kobras	1--2
3	86946D69	mooch	12-3
3	74886B63	nathans
3	6F222F1F	edelhard
3	6D67F790	foka
3	60B6B958	geiger
3	607559E6	mako
3	5C33C1B8	dirson
3	5921B5D8	ajmitch
3	4C1A5BE5	sjq
3	431B38BA	pxt	312-
3	3E7B4B73	lmamane	2143
3	27572C47	ucko	1342
3	20021490	schepler	1342
3	1DEB8EAE	goedson
3	1BF2305A	krala(Gs)	3142
3	19A42D19	dannf	21-4
3	174FEE35	wookey	3124
3	124B26F3	mfurr	21-3
3	0A327652	tschmidt	312-
3	090DD8D5	ingo	3123
3	0813569F	jeroen	1141
3	0644FAB7	bas	1332
3	0123F2F2	gareuselesinge	1243
3	00530C24	bam	1234
2	FD6645AB	rmurray	-1-2
2	F95C2F6D	chrism(P)
2	F9138496	graham(Gs)	3142
2	F5D65169	jblache	1332
2	F28CD102	absurd
2	F2597E04	samu
2	F0B27113	patrick
2	EFA6B9D5	hamish(P)	3142
2	EE0A35C7	risko	4213
2	E91CD250	daigo
2	D688E0A7	qjb	-21-
2	D4BE1450	prudhomm
2	D2A6B810	joussen
2	CFD42F26	dilinger
2	CEE44978	dburrows	1243
2	CD4C0D9D	skx	4213
2	BFB880A3	zeevon
2	BD8B050D	roland	3214
2	B74952A9	alee
2	B4D6DE13	paul
2	B345BDD3	neilm	1243
2	B28C5995	bod	4213
2	B0FA4F49	schoepf
2	B0DDAF42	awoodland
2	A8061F32	osamu	4213
2	A21AD4F9	tviehmann	1342
2	99E81DA0	kaplan
2	964199E2	fabbe	3142
2	8DBFEC2F	pelle
2	8B8D7663	ametzler	1342
2	8B143975	martignlo
2	88C7C1F7	93sam	2134
2	83E5110F	ovek
2	817A996A	tfheen
2	807CAC25	abi	4123
2	798DD95C	piefel
2	78D621B4	uwe	-1--
2	6FF0ABF2	rcw	2143
2	6E8169D2	hertzog	3124
2	6C0084FC	chrisvdb
2	6B79D401	filippo	-1--
2	67756F5D	frn	2341
2	5E2EB5B4	nveber	123-
2	5C6153AD	broonie	1243
2	5B713DF0	djpig	1243
2	50ECFB98	ccontavalli(Gs)
2	50064181	paulvt
2	4F71955A	dajobe	21-3
2	4E2ECA5A	jmm	4213
2	496A1827	srittau
2	3E8DCCC0	maxx	1342
2	3D97C149	mstone(P)	2143
2	2DB65596	dz	321-
2	29F19BD1	meskes
2	1F41B907	marillat	1---
2	1EB2DE66	boll
2	1557BC10	kraai	1342
2	144843F5	lolando	1243
2	10656584	voc
2	0D7CA701	steinm
2	05410E97	horms
1	FC992520	tpo	-14-
1	FB0DFE9B	gildor
1	FAEEB4A9	neil	1342
1	F7E8BC63	cedric	21--
1	F2C423BC	zack	1332
1	F0199162	kreckel	4214
1	ECA94FA8	ishikawa	2143
1	EAAC62DF	cyb	---1
1	EA2D2C41	malattia	-312
1	E77AC835	bcwhite(P)
1	E66C9BB0	tach
1	E145F334	mquinson	2143
1	E0BA04C1	treinen	321-
1	DFE80FB2	tali
1	DE054F69	azekulic(P)
1	DC814B09	jfs
1	CB467E27	kalfa
1	C9132DDB	yoush	-21-
1	C87FFC2F	stevenk	-1--
1	C2CE8099	knok	321-
1	BED37FD2	henning(Ks)	1342
1	BA0A7EB5	treacy(P)
1	B7D86E0F	cmb	4213
1	B62849B3	smarenka	2143
1	B3C281F4	alain	2143
1	B25A5CF1	omote
1	ABA0E8B2	sasa
1	AB474598	baruch	2143
1	AB2A91F5	troup	1--2
1	A827CEDE	afayolle(Gs)
1	A6C805B9	zorglub	2134
1	A674A359	maehara
1	A57D8BF7	drew	2143
1	A269D927	sharky
1	A1696D2B	lfousse	1232
1	9BF42B07	zinoviev	--12
1	9057B5D3	vanicat	2143
1	8E950E00	mechanix
1	8BB527AF	gwolf	1132
1	8A1D9A1F	jgoerzen
1	8807529B	ultrotter	2134
1	872EB4E5	rcardenes
1	85EE3E0E	angdraug	12-3
1	835EB2FF	bossekr
1	80C83E8E	igloo	1243
1	7B8357E5	andreas	212-
1	7B80220D	sjr(Gs)	1342
1	7796A60B	sfllaw	1342
1	75CB1AD2	toni	1---
1	746C51F4	klindsay
1	72D03CB1	kmuto	4231
1	71473F66	ttroxell	13-4
1	6E76D81D	seanius	1243
1	6C63746D	hector
1	6C5F196B	malex	4213
1	6A9F3C38	rkrishnan
1	68021CE4	ron	---1
1	66F24521	pyro	-123
1	631B4819	anfra
1	62EEAD8B	falk	1342
1	61326D40	jamessan	13-4
1	609CD2C0	berin	--1-
1	5D8CDA7B	guus	1243
1	5D8C12EA	rganesan
1	5D64F870	zobel
1	59EF5DBC	bs
1	57F045DC	camm
1	564EE4B6	hazelsct
1	5623FC45	moronito	4213
1	551BE447	torsten
1	54AD21B5	warmenhoven
1	53BBA490	sjg
1	532005DA	seamus
1	50973B91	pjb	2143
1	4F83C751	kmccarty	12-3
1	4DB97694	khkim
1	4CD6E3D2	wjl	4213
1	4A8854E6	weinholt	1243
1	4950EAA6	ajkessel
1	4298C761	robertc(Ks)
1	42955682	kamop
1	3FD29468	bengen	-213
1	3FD25C84	roktas	3142
1	3B047084	madhack
1	39CCF0C7	tagoh	3142
1	39A8CCE2	eugen	31-2
1	38015E7E	thb	1234
1	36B861C1	bab	2143
1	33FC40A4	mennucc1	3214
1	2C0FCD1A	wdg	4312
1	2B05B73A	rjs
1	258D8781	grisu	31-2
1	206C5AFD	chewie	-1-1
1	200D1596	joy	2143
1	1C74E0B7	alfs
1	19D03486	francois	4123
1	18EA3457	rvr
1	176015ED	evo
1	16BD77C6	alfie
1	12AA1DB8	jh
1	128287E8	daf
1	09FC015C	godisch
1	06468DEB	fog	--12
1	05792F34	rla	-21-
1	028AF63C	forcer	3142
1	004DA6B4	bg66
0	.	zufus	-1--
0	.	zoso	-123
0	.	ykomatsu	-123
0	.	xtifr	1243
0	.	xavier	-312
0	.	wouter	2143
0	.	will	-132
0	.	warp	1342
0	.	voss	1342
0	.	vlm	2314
0	.	vleeuwen	4312
0	.	vince	2134
0	.	ukai	4123
0	.	tytso	-12-
0	.	tjrc1	4213
0	.	tats	-1-2
0	.	tao	1--2
0	.	stone	2134
0	.	stevegr	1243
0	.	smig	-1-2
0	.	siggi	1-44
0	.	shaul	4213
0	.	sharpone	1243
0	.	sfrost	1342
0	.	seb	-21-
0	.	salve	4213
0	.	ruoso	1243
0	.	rover	--12
0	.	rmayr	-213
0	.	riku	4123
0	.	rdonald	12-3
0	.	radu	-1--
0	.	pzn	112-
0	.	pronovic	1243
0	.	profeta	321-
0	.	portnoy	12-3
0	.	porridge	1342
0	.	pmhahn	4123
0	.	pmachard	1--2
0	.	pkern	3124
0	.	pik	1--2
0	.	phil	4213
0	.	pfrauenf	4213
0	.	pfaffben	2143
0	.	p2	1243
0	.	ossk	1243
0	.	oohara	1234
0	.	ohura	-213
0	.	nwp	1342
0	.	noshiro	4312
0	.	noodles	2134
0	.	nomeata	2143
0	.	noahm	3124
0	.	nils	3132
0	.	nico	-213
0	.	ms	3124
0	.	mpalmer	2143
0	.	moth	3241
0	.	mlang	2134
0	.	mjr	1342
0	.	mjg59	1342
0	.	merker	2--1
0	.	mbuck	2143
0	.	mbrubeck	1243
0	.	madduck	4123
0	.	mace	-1-2
0	.	luther	1243
0	.	luigi	4213
0	.	lss	-112
0	.	lightsey	1--2
0	.	ley	-1-2
0	.	ldrolez	--1-
0	.	lange	4124
0	.	kirk	1342
0	.	killer	1243
0	.	kelbert	-214
0	.	juanma	2134
0	.	jtarrio	1342
0	.	jonas	4312
0	.	joerg	1342
0	.	jmintha	-21-
0	.	jimmy	1243
0	.	jerome	21--
0	.	jaqque	1342
0	.	jaq	4123
0	.	jamuraa	4123
0	.	iwj	1243
0	.	ivan	2341
0	.	hsteoh	3142
0	.	hilliard	4123
0	.	helen	1243
0	.	hecker	3142
0	.	hartmans	1342
0	.	guterm	312-
0	.	gniibe	4213
0	.	glaweh	4213
0	.	gemorin	4213
0	.	gaudenz	3142
0	.	fw	2134
0	.	fmw	12-3
0	.	evan	1--2
0	.	ender	4213
0	.	elonen	4123
0	.	eevans	13-4
0	.	ean	-1--
0	.	dwhedon	4213
0	.	duncf	2133
0	.	ds	1342
0	.	dparsons	1342
0	.	dlehn	1243
0	.	dfrey	-123
0	.	deek	1--2
0	.	davidw	4132
0	.	davidc	1342
0	.	dave	4113
0	.	daenzer	1243
0	.	cupis	1---
0	.	cts	-213
0	.	cph	4312
0	.	cmc	2143
0	.	clebars	2143
0	.	chaton	-21-
0	.	cgb	-12-
0	.	calvin	-1-2
0	.	branden	1342
0	.	brad	4213
0	.	bnelson	1342
0	.	blarson	1342
0	.	benj	3132
0	.	bayle	-213
0	.	baran	1342
0	.	az	2134
0	.	awm	3124
0	.	atterer	4132
0	.	andressh	1---
0	.	amu	1--2
0	.	akumria	-312
0	.	ajt	1144
0	.	ajk	1342
0	.	agi	2143
0	.	adric	2143
0	.	adejong	1243
0	.	adamm	12--
0	.	aba	1143