SOLVED: use AWS-VAULT with gopass as backend
A very good tool to manage multiple AWS account, especially with SSO enabled is AWS VAULT. Idea is that a session gets securely stored in a backend and (re-)used until it expires.
One downside with he default macos keystore as backend is a manual password entry every time the session renews. This is not only annoying, reduces security but even aligns with my security setup. Luckily pass is supported as backend too. But for the but mature version gopass, the following setup has to be applied:
Given we have a gopass setup with two stores:
~/.password-store (default)
~/.password-store-awsvault (vault)
Then config would look like this
export AWS_VAULT_BACKEND=pass
export AWS_VAULT_PASS_CMD=gopass
export AWS_VAULT_PASS_PASSWORD_STORE_DIR=~/.password-store-awsvault
export AWS_VAULT_PASS_PREFIX=vault
This worked writing, but never reading. I didn’t even see aws-vault list calling gopass at all. Looks like the missing vault folder is a problem and aws-vault does a direct directory inspection of AWS_VAULT_PASS_PASSWORD_STORE_DIR. Fix was to hardcode the AWS_VAULT_PASS_PREFIX into a customised script (see below) and to not set the variable. Strictly spoken vault is not a prefix but the name of the store, so it maked sense:
The dedicated aws-vault-pass script:
#!/usr/bin/env bash
ARGS=( "$@" )
## ensure password store has 'git config commit.gpgsign false'
if [ "${ARGS[0]}" == "insert" ]
then
# echo "- INSERT ------ ${ARGS[@]} --------" 1>&2
gopass ${ARGS[@]/sessions/aws-vault\/sessions}
elif [ "${ARGS[0]}" == "show" ]
then
# echo "- SHOW --------------" 1>&2
gopass show --password aws-vault/"${ARGS[1]}"
elif [ "${ARGS[0]}" == "rm" ]
then
# echo "- RM --------------" 1>&2
gopass ${ARGS[@]/sessions/aws-vault\/sessions}
fi
and ensure aws-vault pics it up:
export AWS_VAULT_PASS_CMD=aws-vault-pass
Voila!
Related isssue: https://github.com/99designs/aws-vault/issues/667
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/17
SOLVED: gpg: public key decryption failed: No pinentry
I recently updated to latest gnupg and pinentry version via homebrew, which unfortunately broke my setup. I suddenly got this error when decrypting with gpg:
...
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry
...
Looking into ~/.gnupg/gpg-agent.conf this first line showed:
pinentry-program /usr/local/bin/pinentry-mac
This is right and the same what which pinentry-mac returns. So why the error? I turns out ` /usr/local/bin/pinentry-mac` is a symbol link which (apparently?) the gpg-agent doesn’t follow. So trick was to set the final path, for me that’s:
pinentry-program /usr/local/Cellar/pinentry-mac/1.1.1.1/bin/pinentry-mac
And, BOOM! It works again.
Further sources:
- https://superuser.com/questions/1628782/gpg-signing-failed-no-pinentry
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/16
Yeah! Ruby 3 released
OMG, the long wait has an end, ruby 3 finally released. Can’t wait to checkout Typing, IMHO one if the biggest areas where ruby <3 was lacking!
https://www.ruby-lang.org/en/news/2020/12/25/ruby-3-0-0-released/
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/12
Linux Performance Observability Tools
Great cheat sheet to observe linux performance:
Source: http://www.brendangregg.com/linuxperf.html
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/11
Launch of Samsung Pay with BankIdent
What a year! What kept me busy at work was the realization of Samsung Pay - contactless, mobile payment with a Samsung Phone. One special feature is the way how users onboard. With using BankIdent the KYC is truly seamless and doesn’t require any call agent anymore. With that it’s as quick and user friendly as never before. See the full story here:
https://m.youtube.com/watch?v=6A9sfu0IiRM
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/9
Github Issue to Blogpost
This is a blogpost created via a github issue. With that the comfort of a WYSIWYG editing is combined with jekyll & github pages. <3
For more check out: https://github.com/yoshum/issue-to-jekyll-post
Original issue and comments
https://github.com/rngtng/rngtng.github.io/issues/7
Oreilly Software Architecture Berlin
Cu there!
https://conferences.oreilly.com/software-architecture/sa-eu/public/schedule/speakers
REST Security Cheat Sheet
Wintergarden - building Marble Machine X
Must Follow for any music, hacking, DYI, builders:
https://www.youtube.com/watch?v=dNv8AeZfuUc
Follow the full channel: https://www.youtube.com/channel/UCcXhhVwCT6_WqjkEniejRJQ
Lego + Pinball <3
How to be an Architect in a Microservice World
Great Talk and deck by Felix (@fmueller_bln)
https://speakerdeck.com/fmueller_bln/how-to-be-an-architect-in-a-microservice-world
Mirobot
Wow, Me wantz!
https://www.kickstarter.com/projects/mirobot/mirobot-6-axis-mini-industrial-robot-arm
And for my Kid: https://root.irobot.com
Hack my Car - ODB and GPS
I got myself a ‘ODB-diagnosegerät’ from China. Of course it didn’t work right away and I had to readz the internets for fixing. First I had to find a suitable driver. USB identifier was: Product ID: 0x7523 Vendor ID: 0x1a86. This looks like a CH340 / CH341 Serial / USB Chip. Luckily I found the drivers here:
http://0xcf.com/2015/03/13/chinese-arduinos-with-ch340-ch341-serial-usb-chip-on-os-x-yosemite/
VAG-COM 409.1 + Wine: https://appdb.winehq.org/objectManager.php?sClass=version&iId=33443
VAG-COM 409.1 + Win7: http://www.passatworld.com/forums/volkswagen-passat-b5-discussion/303177-vag-com-409-1-3rd-party-windows-7-64-bit.html
Kabel Fix:
- http://www.sprinter-forum.net/archive/index.php/t-16816.html?s=431faad6d4d5c53154b970ef0d7a5d65
- http://legacygt.com/forums/showthread.php/vag-com-cables-chipsets-ft232rl-ch340-214994p4.html
- https://github.com/nodemcu/nodemcu-devkit-v1.0/issues/2
- https://www.sgaf.de/content/vagcom-kabel-erkannt-412207
GuzziDag: http://www.von-der-salierburg.de/download/GuzziDiag/
Other Software:
https://www.blafusel.de/obd/obd2_soft.html
Next: get GPS Tracker.
Hope is to find my car, once it got stolen, but so far, it was more of a hack project :). I figured, the best opensource solution you currently get is traccar.org. Here’s how to set it up and dockerize: https://www.traccar.org/docker/
Alternatives:
Hacking mir:ror
Finally! All of a sudden I got an evening with ccb23 to hack of lives away. This time: NFC like it’s 2009. Aka violet mir:ror.
Out of the blue we were brainstroming how to DYI hörbert, a smart mp3 player for our youngest. Here, a mp3 is selected via NFC sensor. O.T: “NFC sensor!? Wait, I remember having touch this years ago, lemme get the Nabaztag”. And indeed, along with the infamous Nabaztag IOT rabbit, violet released a side product called ‘mir:ror’ in 2009(?). It’s a NFC to USB device meant to showcase & utilize its capabilities. To bad official drivers were only released for WIN and discontinued with the bankrupt of violet. But opensource to rescue. We quick figure the device adheres to HID standard, so let’s get it working (on a mac/linux).
After confirming the device is recognised in MacOS X we got hooked. Next, with a quick google search we first discovered http://reflektor.sourceforge.net - an OOO implementation based on hidraw. too bad kernel extension is Linux specific, so next the HIDapi, an OS agnostic lib for general purpose use, felt promising. Indeed, we got the mir:ror up and running the first time on Mac, although reading was non blocking and we couldn’t really make sense out of it. After various back and forth, we jumped back to start: let’s check on linux first. So with virtualbox and ubuntu we were able to install reflektor and use it via hidraw. Worked like a charm! So next is porting this to MacOSX and getting deeper understand of mirware. What commands are supported? Modifying (or just turning off) the choreo would be a huge plus towards using mir:ror for our custom mp3 project. In anycase, this 10 years old device was way ahead of its time and still works like wooow!
Sources worth to check:
http://reflektor.sourceforge.net/links.php
http://arduino-projects4u.com/violet-mirror/
https://github.com/suan/mirlite
https://github.com/leh/ruby-mirror