SSH authentication with OpenPGP & a Yubikey 4

I got my brand new Yubikey 4 the other day and decided to transfer my PGP subkeys over to it for safer keeping. After about 10 minutes I bricked the damn thing. Well, more specifically, the OpenPGP applet. Yubico has reset instructions, but all their docs refer to the Yubikey Neo. After contacting support, they told me to follow the instructions for the Neo to reset the applet. I was then able to import my keys fairly easily.

Now that my keys were on the Yubikey I thought it would be fun to set up SSH on my Raspberry Pi to use my PGP keys for auth. The process seemed simple enough, except that it took me all night to figure out. I googled the shit out of it and came up with everything but the answer. Hopefully this will help someone else when they run into the same problems I had.

Note: This assumes you’ve got a working Yubikey with a valid authentication subkey already on the key.

Set up your client (Windows 10 and PuTTY in my case)

Follow these instructions on Yubico’s site. They are pretty much correct. The only difference I’m seeing now is that I didn’t have to manually start gpg-agent with a startup shortcut like they said. But I may just be doing something different.

What they leave out is exactly how to configure PuTTY. Once you have gpg-agent running with “enable-putty-support”, you need to configure PuTTY to allow agent forwarding.

Open up PuTTY, go to Connection > SSH > Auth and check the box that says “Allow agent forwarding.”

That’s all you have to do on the client. The rest needs to be done on the server.

Set up your server (Raspberry Pi running Raspbian Jessie Lite in my case)

This is where Yubico’s documentation and Google were a bit hazy. I was able to get it working from various links, but I had to piece it all together. This post was probably the most helpful, though he goes into a lot of other stuff that isn’t applicable.

The first thing I had to do was install gnupg2. This installs a gpg-agent that supports SSH authentication.

$ sudo apt-get install gnupg2

Next we need to enable gpg-agent’s SSH agent support (the config file lives in your home directory, so give the full path rather than relying on your current directory):

$ echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

Now log out of your SSH session and back in so gpg-agent can enable its SSH agent.
We can check that PuTTY is forwarding the gpg-agent on your PC into your SSH session by listing the fingerprints of the public keys the agent currently holds:

$ ssh-add -l
4096 4b:92:1e:c9:3f:b2:72:74:13:78:94:43:48:d6:66:2b cardno:000500001BDE (RSA)

Lastly, we need to add your public key to the authorized_keys file so you can log in. We will use the same command as above but with the -L switch instead, which prints the full public key in the format authorized_keys expects:

$ ssh-add -L >> ~/.ssh/authorized_keys

That’s it. Just log out and log back in using the PuTTY settings mentioned above.
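The server-side steps above, as an added shell example (not the post’s own commands): it writes enable-ssh-support only once, and it appends an agent key to authorized_keys only when that key blob is not already there, which matters because `ssh-add -L >> ~/.ssh/authorized_keys` re-appends every key the forwarded agent holds each time you run it. It also filters on the "cardno:" comment that gpg-agent attaches to card-backed keys (visible in the ssh-add -l output above), so keys the agent happens to hold for other reasons are not authorized by accident. It assumes a POSIX sh with awk; the key lines passed into the functions are constructed test values, not real keys.

```shell
#!/bin/sh
# Added example: idempotent gpg-agent SSH setup and authorized_keys handling.
# Not from the original post. Assumes POSIX sh + awk and that card-backed keys
# carry a "cardno:" comment in "ssh-add -L" output (as in the post's ssh-add -l).

ensure_agent_conf() {
  # $1: path to gpg-agent.conf. Adds enable-ssh-support only if it is not there yet
  # and keeps ~/.gnupg private, which gpg-agent complains about otherwise.
  conf=$1
  mkdir -p "$(dirname "$conf")"
  chmod 700 "$(dirname "$conf")"
  touch "$conf"
  grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

key_blob() {
  # $1: OpenSSH public key line "type base64 [comment]". Returns the base64 blob,
  # so two lines for the same key with different comments compare as equal.
  printf '%s\n' "$1" | awk '{print $2}'
}

authorize_key() {
  # $1: authorized_keys path, $2: public key line.
  # Returns 0 when the line was added, 1 when the same key blob already existed,
  # 2 when the line is malformed. Tightens permissions on every call.
  ak=$1; line=$2
  blob=$(key_blob "$line")
  [ -n "$blob" ] || { echo "refusing to add malformed key line" >&2; return 2; }
  mkdir -p "$(dirname "$ak")"
  chmod 700 "$(dirname "$ak")"
  touch "$ak"
  chmod 600 "$ak"
  if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$ak"; then
    return 1
  fi
  printf '%s\n' "$line" >> "$ak"
  return 0
}

main() {
  ensure_agent_conf "$HOME/.gnupg/gpg-agent.conf"
  # Only the card-backed key(s): the forwarded agent may hold other keys as well.
  ssh-add -L | grep 'cardno:' | while IFS= read -r line; do
    if authorize_key "$HOME/.ssh/authorized_keys" "$line"; then
      echo "added key $(key_blob "$line" | cut -c1-24)..."
    else
      echo "key $(key_blob "$line" | cut -c1-24)... already authorized"
    fi
  done
}

# Run with "apply" to change the live files; sourcing the script only defines the functions.
case "${1:-}" in apply) main ;; esac
```

Run it once over the forwarded session as `sh setup-card-ssh.sh apply`, then log out and back in as the post says. Keep in mind that while a PuTTY session with agent forwarding is open, anyone with root on that Raspberry Pi can use the forwarded agent to authenticate as you elsewhere, so turn forwarding on only toward hosts you administer.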

CloudFlare Dynamic DNS Updates from a Router

So you got screwed over by the No-IP debacle and now you want to host your own DDNS service using CloudFlare. Easy, right? Well, apparently not. Here is how I did it with my Asus RT-N66U router running AsusWRT-Merlin firmware. The information below might also apply to DD-WRT, OpenWRT, or Tomato, but I can’t confirm this as I don’t have a router that supports those firmwares.

1) Your router needs to have a version of wget that supports SSL.

This was the biggest hurdle I ran into. Out of the box, AsusWRT-Merlin only comes with a stripped-down version of wget that doesn’t support HTTPS links. To work around this, I had to install Optware so that I could install wget-ssl. After Optware is installed, just type in “ipkg install wget-ssl”. This will install a full version of wget into the /opt/bin folder.

You might also be able to use curl (which is installed by default with Optware), but I had trouble getting it to work with CloudFlare. Apparently the version of curl that Optware installs by default uses an outdated version of OpenSSL (0.9.7m) that doesn’t support SHA256, so every time I tried to hit CloudFlare’s API it returned an error. So I just stuck with wget-ssl.

2) Write a script that will update CloudFlare with your new IP.

To do this, I referenced this blog post to come up with a script that would work on AsusWRT-Merlin. The most important thing you need is the record ID of the A record you want to update. See the linked blog post on how to obtain that ID. Once you have it, you can simply plug that info into my script. Here is the final script I came up with:

3) Save the above script in the /jffs/scripts folder and call it “dhcpc-event”.

Before you can do this you will need to enable the JFFS section of the flash memory. Once that has been enabled, just save the above script into that location as a file called “dhcpc-event”. (I recommend using vi and doing it from the command line to avoid formatting issues.)

As described in this wiki article, the dhcpc-event script is called whenever a DHCP event occurs on the WAN interface. This means that any time your IP changes, this script will run, which is exactly what we want: when DHCP gives you a new IP, this script updates CloudFlare.

After you’ve created the script, be sure to make it executable (chmod a+rx dhcpc-event). Then test it by running it (./dhcpc-event). Remember that the script has a 30-second pause at the beginning to ensure the WAN interface is fully up and operational before it does anything, so don’t worry when it just sits there for a while after you execute it. After 30 seconds you should see a valid JSON response with the newly updated IP listed in the “content” field. I recommend setting your A record to a bogus IP before testing the script; that way you can verify that your script updated the record correctly.

And now you’re done. Any time your IP changes, your router will call the script and update your IP. Again, this might work with DD-WRT or other firmwares, though I’m not sure of the specifics. If your firmware doesn’t have the dhcpc-event hook like AsusWRT does, another option is to simply create a script and schedule it to run via cron every hour or two. I’d definitely build in some checks to ensure you’re not constantly updating CloudFlare, though. See this post for that info.
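The post’s own script is not reproduced on this page, so here is an added example of the dhcpc-event script described in steps 2 and 3, written from scratch for this page and not the author’s script. It also builds in the “don’t update when nothing changed” check recommended for the cron variant: the last pushed address is cached in /jffs and the API is only called when the WAN address differs. Assumptions, all labelled in the code: the current CloudFlare API v4 (the post predates it and used the API of its day), an API token with DNS edit permission, a GNU wget built with SSL that understands --method and --body-data (the Optware wget-ssl package), busybox-style ifconfig output for the WAN interface, and that the firmware passes the DHCP event name (“bound”, “renew”) as the first argument. Zone ID, record ID, token and hostname are placeholders; the IP addresses and JSON in the tests are constructed.

```shell
#!/bin/sh
# /jffs/scripts/dhcpc-event  (added example, not the original post's script)
# Updates one CloudFlare A record with the router's WAN address, but only when
# the address actually changed since the last successful push.
#
# Assumed (placeholders, replace before use): API v4 endpoint, a scoped API token,
# GNU wget with SSL support and --method/--body-data, busybox ifconfig output.

CF_ZONE_ID="${CF_ZONE_ID:-PLACEHOLDER_ZONE_ID}"
CF_RECORD_ID="${CF_RECORD_ID:-PLACEHOLDER_RECORD_ID}"
CF_RECORD_NAME="${CF_RECORD_NAME:-home.example.com}"
CF_API_TOKEN="${CF_API_TOKEN:-PLACEHOLDER_API_TOKEN}"
STATE_FILE="${STATE_FILE:-/jffs/ddns.last_ip}"
WAN_IF="${WAN_IF:-eth0}"

parse_wan_ip() {
  # $1: ifconfig output (busybox style "inet addr:203.0.113.7"). Prints the first IPv4.
  printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

is_valid_ipv4() {
  # Reject empty or malformed values before they reach the API (four octets, each 0-255).
  ip=$1
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

needs_update() {
  # $1: new ip, $2: state file. True when there is no cached ip or it differs.
  [ -f "$2" ] || return 0
  [ "$(cat "$2")" != "$1" ]
}

build_payload() {
  # $1: record name, $2: ip. JSON body for the DNS record update.
  printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":false}' "$1" "$2"
}

response_content() {
  # Pull the "content" field out of the JSON response; no jq on the router, so sed.
  printf '%s\n' "$1" | sed -n 's/.*"content":"\([^"]*\)".*/\1/p' | head -n 1
}

push_update() {
  # One HTTPS call; prints the raw JSON response. Requires wget-ssl (see step 1).
  wget -qO- \
    --method=PUT \
    --header="Authorization: Bearer $CF_API_TOKEN" \
    --header="Content-Type: application/json" \
    --body-data="$(build_payload "$CF_RECORD_NAME" "$1")" \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID"
}

main() {
  sleep 30   # let the WAN interface settle, as the post describes
  ip=$(parse_wan_ip "$(ifconfig "$WAN_IF" 2>/dev/null)")
  is_valid_ipv4 "$ip" || { echo "no usable WAN address on $WAN_IF" >&2; exit 1; }
  if ! needs_update "$ip" "$STATE_FILE"; then
    echo "IP $ip unchanged, skipping API call"
    exit 0
  fi
  resp=$(push_update "$ip")
  if [ "$(response_content "$resp")" = "$ip" ]; then
    echo "$ip" > "$STATE_FILE"
    echo "updated $CF_RECORD_NAME to $ip"
  else
    echo "update failed: $resp" >&2
    exit 1
  fi
}

# Act on the DHCP events the firmware passes in (assumed: "bound"/"renew"), or on a
# manual "run"; with no argument the file only defines functions, so it can be sourced.
case "${1:-}" in run|bound|renew) main ;; esac
```

Test it by hand with `./dhcpc-event run` after pointing the record at a bogus address, as step 3 suggests; the second run should report the address as unchanged without touching the API. Keep the token in the script readable only by root (`chmod 700`), since it is a credential that can rewrite DNS for the zone.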


I just finished this book and it was amazing. I highly recommend it if you are into video games, geek culture, technology, or 80s nostalgia (or all of the above). Here is the synopsis:

In the year 2044, reality is an ugly place. The only time teenage Wade Watts really feels alive is when he’s jacked into the virtual utopia known as the OASIS. Wade’s devoted his life to studying the puzzles hidden within this world’s digital confines—puzzles that are based on their creator’s obsession with the pop culture of decades past and that promise massive power and fortune to whoever can unlock them. 

But when Wade stumbles upon the first clue, he finds himself beset by players willing to kill to take this ultimate prize. The race is on, and if Wade’s going to survive, he’ll have to win—and confront the real world he’s always been so desperate to escape.

Also, Wil Wheaton narrates the audiobook. I was a bit uncertain at first but quickly fell in love with his performance. Great book and a great reader. Much wow so amaze.

Windows 7 OEM SLIC/SLP Activation via WDS/MDT

I ran into a situation recently where I wanted to deploy Windows 7 to a Dell workstation that came with an OEM copy of Windows 8 Pro. (Microsoft OEM downgrade rights allow this.) I wanted to automate this with WDS & MDT so I would never again have to worry about it. The only problem was that I didn’t have a nice little CD key sticker with an OEM Windows key. This means I needed a way to install Windows 7 and activate it the same way the OEMs do. Until now I had no idea how OEM activations work. All I knew was that when I used an original Dell OEM CD to install Windows, it didn’t require a CD key and was auto-magically activated.
I’m writing this post because I was never able to find any sort of blog post or forum post describing my particular situation. I had three goals in mind:
  1. I needed to create an image that I could deploy via WDS (Windows Deployment Services) and MDT (Microsoft Deployment Toolkit).
  2. I wanted the image to be as up to date as possible with Windows Updates. I didn’t want to wait 6 hours on Windows updates every time I deployed a new machine.
  3. I wanted the image to be activated auto-magically just like the Dell OEM DVD does. (Note: Licensing and legality are beyond the scope of this post. Please deploy responsibly.)
Here is the solution I came up with.
Short Answer:
Those familiar with MDT and WDS will have no trouble with items 1 and 2 above. The part that stumped me was doing items 1 and 2 in conjunction with item 3. Doing so with a volume license and a KMS server is easy. With an OEM license it’s a different story.
As it turns out, all you need for the auto-magical OEM offline activation is the following:
  1. Use an OEM SLP key found online or on the OEM DVD. (E.g. Dell’s SLP key can be found in the $OEM$\$$\setup\scripts\slp.cmd file.) You don’t need to use DISM for this (though you probably can); just use MDT.

  2. You need to have the OEM’s certificate (the OEM.xrm-ms file located in the $OEM$\$$\System32\OEM folder on the OEM DVD) injected into the C:\Windows\System32\OEM folder of the WIM.
Most posts on the internet just assume you know you need to do that. I DIDN’T, and ended up spending my entire afternoon figuring that out. Once I figured that out, all I had to do was inject the cert into the folder above, use the OEM SLP key, deploy a reference image using a task sequence set to perform Windows updates, capture said image, and then redeploy. The cert even persists through sysprep, so you don’t need to re-inject it after the capture.
Long Answer: 
  1. The first step is to download & extract a copy of Windows 7 to a folder. I recommend using the vanilla versions from the VLSC/MSDN. The OEM DVD from a manufacturer would work as well. One thing I found out (that I already sort of knew) is that all Windows 7 ISOs are the same. They all include every version of Windows 7 and are pretty much identical. The difference is the $OEM$ folder on the disk.

  2. Once you have the ISO extracted, we need to find the master install.wim file and determine which version of Windows you intend to create an image for (in my case, Windows 7 Pro). This file is found under the sources folder of the ISO/DVD. Once you’ve located the file, open an elevated command prompt (or PowerShell) and run the following command. (Keep in mind I’ve extracted the contents of my DVD to c:\win7dvd.)

    dism /get-imageinfo /imagefile:c:\win7dvd\sources\install.wim

    This will output each version of Windows 7 that is contained within the install.wim file. Note down the Index number of the version you need (3 in the case of Windows 7 Pro).

  3. Now let’s extract just that version of Windows 7 from the install.wim file.

    dism /export-image /sourceimagefile:c:\win7dvd\sources\install.wim /sourceindex:3 /destinationimagefile:c:\winpe\win7pro.wim

Extract the OEM cert & CD key:

  1. First let’s get the OEM’s SLP key. The way I did this for Dell was to use the Dell OEM DVD. Open the DVD and browse to D:\sources\$OEM$\$$\setup\scripts. Then open/edit (DO NOT RUN) the slp.cmd file. Inside you will find the key. Note that down for use later when we build the task sequence in MDT. You can also find a list of ALL OEM SLP keys on the internet. They aren’t secret or anything.

  2. Next we need to get the OEM’s certificate. To do this browse to D:\sources\$OEM$\system32\OEM. Once there you should see a file called OEM.xrm-ms. Copy this file to a safe place. You will need it later. Just like above, you can also find the certs online. One site I found offered a .7z file with over 200 OEM certs.
Inject & Deploy:
There are two ways to do this last part. The first way is the way I did it originally. It works well and did the job. After I did this, I discovered a much easier way that works just as well. I’ll document both ways in case there is a use case for the first method that is not apparent to me right now. I should also mention that this assumes you already know how to use WDS/MDT. Explaining that in detail is way beyond the scope of this post.
Method 1: 
  1. We need to mount the WIM you extracted above so we can inject the cert into it. Open an elevated command prompt (or PowerShell) and run the following command:

    dism /mount-image /imagefile:c:\winpe\win7pro.wim /index:1 /mountdir:c:\winpe\win7pro
    (NOTE: Make sure the mount directory exists but is empty.)

  2. Now browse to c:\winpe\win7pro\windows\system32 and create a new folder called OEM. (Or if one exists, open it and move to the next step.)

  3. Find the cert you copied earlier and paste it into this folder.

  4. Now that the cert has been injected, we need to unmount the image and commit the changes. Using the same elevated command prompt as before, run this command:

    dism /unmount-image /mountdir:c:\winpe\win7pro /commit

  5. Now that our win7pro.wim file contains the cert, import it into MDT and create your task sequence. During the task sequence creation, use the SLP key you captured earlier. Be sure to use the last option that says “Specify the product key for this operating system,” not the MAK or KMS options. Once the task sequence is created, be sure to enable the Windows Update steps (Pre & Post).

  6. Now deploy the image to your reference computer. (I recommend a VM.) During the deployment wizard, be sure to tell LiteTouch to capture an image when it’s finished. Walk away for 4 hours and let Windows apply 300 updates and restart half a dozen times.

  7. Once the fully updated Windows 7 Pro image has been captured, simply import that WIM into MDT and use it to deploy your workstations. The new image will be fully updated and will automatically activate as long as you use that same SLP key.
Method 2:
This method uses MDT to inject the cert during LiteTouch deployment. If you aren’t familiar with the $OEM$ folder structure, you should read up on it here. Basically, anything in the $OEM$\$$ folder gets copied to the C:\Windows folder during installation. MDT had this capability until Microsoft removed it in MDT 2012 Update 1. Luckily someone wrote a script that adds this functionality back.
  1. First, download the CopyOEM.wsf script from this blog post and read up on how to add the script to your task sequence.

  2. Open your MDT DeploymentShare and open the $OEM$ folder. Inside, create a new folder called System32. Open that folder and create another folder called OEM.

  3. Copy and paste the cert you obtained earlier into this folder. When all is said and done your cert should be under the \\server\DeploymentShare$\$OEM$\system32\oem folder.

  4. Now import the win7pro.wim file extracted above into MDT and create your task sequence. During the task sequence creation, use the SLP key you captured earlier. Be sure to use the last option that says “Specify the product key for this operating system,” not the MAK or KMS options.

  5. Once the task sequence is created, enable the Windows Update steps (Pre & Post). Also be sure to add the step that copies the $OEM$ folder to the destination, as described in the blog post linked in step 1.

  6. Now deploy the image to your reference computer. (I recommend a VM.) During the deployment wizard, be sure to tell LiteTouch to capture an image when it’s finished. Walk away for 4 hours and let Windows apply 300 updates and restart half a dozen times.

  7. Once the fully updated Windows 7 Pro image has been captured, simply import that WIM into MDT and use it to deploy your workstations. The new image will be fully updated and will automatically activate as long as you use that same SLP key.
You’ll be happy to know (or you might already know) that Windows 8 eliminates this whole mess. Everything is now stored in the UEFI/BIOS, and Windows 8 by default will activate automatically if this data is detected.
I also want to mention that in the future, when you want to re-update your Windows 7 image to pull in new updates, be sure to do it using the original win7pro.wim file and not the captured WIM file. If you don’t, you may run into the Windows 7 sysprep limit.
New Computer!

So I finally built a new computer. My last one was almost 8 years old. (Jesus, that’s a long time.) I built it in 2007 and it was finally starting to show its age. When I built it the machine was a beast. It played most of the games I liked to play very well. It treated me well, but it was finally time for an update.

The Ancient One:

My old machine consisted of an Intel Core 2 Duo E6600 dual-core 2.4 GHz CPU, 4 GB of RAM, and an Nvidia 8800 GTX with 768 MB of VRAM. Over the years I’ve upgraded the internal hard drives. About a year ago I had to replace the motherboard (free, thanks to the EVGA lifetime warranty) and power supply. When I replaced the power supply I did so with the intention of using it in the new PC. I also bumped up the RAM to 8 GB at some point. Other than that, the machine has remained the same.

The New One:

When I finally convinced myself to buy a new computer I decided to wait for good deals rather than purchasing on a whim. It just so happened that all of these deals came over the Black Friday & Cyber Monday weekend. I ended up buying everything but the SSD from NewEgg. I think I ended up with a great system and saved a lot of money. While it may not be the fastest gaming PC out there, it suits my needs and will give me a lot of room to grow.


CPU: Intel Core i5-4670K 3.4GHz Quad-Core Processor
     ($239.99 @ Newegg) (I paid $209.99)
Motherboard: Gigabyte GA-Z87X-UD5H ATX LGA1150 Motherboard
     ($219.99 @ Newegg) (I paid $159.99)
Memory: G.Skill Trident X Series 8GB (2 x 4GB) DDR3-2400 Memory
     ($94.99 @ Newegg) (I paid $64.99)
Storage: Samsung 840 EVO 250GB 2.5" SSD
     ($175.95 @ Newegg) (I paid $119.99)
Video Card: Sapphire Radeon HD 7870 GHz Edition 2GB Video Card
     ($192.55 @ Newegg) (I paid $129.99)
Case: Corsair 400R ATX Mid Tower Case 
     ($99.99 @ Newegg) (I paid $59.99)
Power Supply: Corsair Enthusiast 650W ATX Power Supply
     ($83.98 @ Newegg) (I paid $0)
NewEgg Total: $1107.44
My Total: $744.94 (Savings of $362.50) 

The above spec also assumes that I already have monitors, an operating system, keyboard, mouse, and speakers/headphones. In addition, I also moved over a 2TB 5400rpm SATA drive with all my files. If I had bought those items the build price would have been much higher.

The main reason the video card was so cheap was that NewEgg was trying to clear out stock of the older AMD 7870 models to make room for the newer R9 270 (almost identical card and performance).

The motherboard was also kind of a weird buy. I had no intention of going with the high-end UD5H when I was speccing out the system. I had initially decided on the UD3H. When I went to purchase the UD3H I noticed that the UD5H was actually a few dollars cheaper due to a significant price cut and Black Friday rebate. While I love this motherboard, if it were not on sale I would NOT have purchased it. I just don’t feel you get much for that extra $55.

Room to Grow:

One item I regret not buying is an aftermarket CPU cooler. I decided to stick with the stock cooler. While the stock cooler works great, it does not allow for any overclocking. Within the next month or so I do plan on buying an aftermarket cooler as well as several more case fans. Then I can start cranking up the CPU.

The other area where I cut cost is the video card. While the 7870 GHz I bought won’t be able to run all games on ultra at 60 FPS, it will run all of the games I play right now on high settings without stuttering. I just don’t game enough to warrant spending 3 times as much on a higher-end graphics card. For the price I paid for the 7870 GHz, when I do upgrade to a better card I won’t feel as though I threw away money.

Moral of the story?

There isn’t really a moral of the story, I guess. There are always great deals to be had. And, as with all technology, as soon as you buy something it is going to be outdated. However, I would say that if you can afford to wait and search for good deals, do it. You can save a lot of money this way. Just be sure not to wait too long, or you’ll end up with an 8-year-old PC like I did.