<p>leo homestuck: bad ideas 2k21 (Atom feed generated by Zola, <a href="https://vriska.dev/atom.xml">https://vriska.dev/atom.xml</a>, updated 2021-02-06)</p>
<h1 id="trusting-ssh-keys-using-a-centralized-hardware-secret">Trusting ssh keys using a centralized hardware secret</h1>
<p>Published 2021-02-06. <a href="https://vriska.dev/trusting-ssh-keys-using-a-centralized-hardware-secret/">https://vriska.dev/trusting-ssh-keys-using-a-centralized-hardware-secret/</a></p>
<p>In the past, I've used a single passwordless ssh key shared between all of my devices. This is obviously very insecure, but it means I don't have to deal with an easily lost hardware token or with synchronizing many public keys between devices. However, some little-known functionality makes it possible for me to approve keys with a hardware secret on my workstation and have them automatically accepted for logging in to all of my machines.</p>
<h2 id="amd-ftpm">AMD fTPM</h2>
<p>This feature sits in a prominent place in the firmware setup of most Ryzen/Threadripper motherboards, but what it actually does is never clearly explained. The functionality it provides is quite useful, though: the much-maligned AMD PSP gains a helpful role as a TPM, a hardware device that offers a number of cryptographic features. The relevant one here is that tpm2-pkcs11, part of the tpm2-software project (originally developed by Intel), allows any TPM to be used as a PKCS#11 token.</p>
<p>Getting this working, however, is somewhat of a challenge. Once the fTPM is enabled in the BIOS, the first step is to make sure the kernel can see it. In my case the kernel reported a <code>can't request region for resource</code> error, despite this apparently having been fixed for the fTPM back in 2019.</p>
<p>I thought this issue may have been Threadripper-specific, and I found a patchset that specifically claimed to fix this issue on Threadripper. Due to various issues, it was rejected in favor of the current patch, but none of those issues appeared to be relevant to my case. I <a href="https://raw.githubusercontent.com/leo60228/dotfiles/7ca19c07bbed61fc458b04602f476b4c5345470c/files/tpm-threadripper.patch">"ported"</a> the patch to newer kernel versions just by reverting the upstreamed patch and then applying the rejected patchset.</p>
<p>Once the TPM is visible, NixOS makes it pretty easy to set up tpm2-pkcs11. All that needs to be done is to add a small snippet to the NixOS configuration that enables tpm2-software as a whole, tpm2-pkcs11 for PKCS#11 emulation, and tabrmd (tpm2-abrmd, the access broker and resource manager that mediates TPM access from userspace):</p>
<pre style="background-color:#2b303b;">
<code class="language-nix" data-lang="nix"><span style="color:#c0c5ce;">{
</span><span style="color:#d08770;">security</span><span style="color:#c0c5ce;">.</span><span style="color:#d08770;">tpm2 </span><span style="color:#c0c5ce;">= {
</span><span style="color:#d08770;">enable </span><span style="color:#c0c5ce;">= </span><span style="color:#d08770;">true</span><span style="color:#c0c5ce;">;
</span><span style="color:#d08770;">pkcs11</span><span style="color:#c0c5ce;">.</span><span style="color:#d08770;">enable </span><span style="color:#c0c5ce;">= </span><span style="color:#d08770;">true</span><span style="color:#c0c5ce;">;
</span><span style="color:#d08770;">abrmd</span><span style="color:#c0c5ce;">.</span><span style="color:#d08770;">enable </span><span style="color:#c0c5ce;">= </span><span style="color:#d08770;">true</span><span style="color:#c0c5ce;">;
};
}
</span></code></pre>
<p>Now that tpm2-pkcs11 is installed, all that needs to be done is to create an emulated PKCS#11 token and generate a key.</p>
<pre style="background-color:#2b303b;">
<code class="language-bash" data-lang="bash"><span style="color:#65737e;"># gives a PID, change the other commands if it isn't 1
</span><span style="color:#bf616a;">tpm2_ptool</span><span style="color:#c0c5ce;"> init
</span><span style="color:#65737e;"># label, sopin, and userpin can be anything but need to match in future commands
</span><span style="color:#c0c5ce;">tpm2_ptool addtoken</span><span style="color:#bf616a;"> --pid</span><span style="color:#c0c5ce;">=1</span><span style="color:#bf616a;"> --label</span><span style="color:#c0c5ce;">=ftpmtoken1</span><span style="color:#bf616a;"> --sopin</span><span style="color:#c0c5ce;">=mysopin</span><span style="color:#bf616a;"> --userpin</span><span style="color:#c0c5ce;">=myuserpin
</span><span style="color:#65737e;"># several algorithms are available, see `tpm2_ptool --help`
</span><span style="color:#c0c5ce;">tpm2_ptool addkey</span><span style="color:#bf616a;"> --algorithm</span><span style="color:#c0c5ce;">=ecc256</span><span style="color:#bf616a;"> --label</span><span style="color:#c0c5ce;">=ftpmtoken1</span><span style="color:#bf616a;"> --sopin</span><span style="color:#c0c5ce;">=mysopin</span><span style="color:#bf616a;"> --userpin</span><span style="color:#c0c5ce;">=myuserpin
</span></code></pre><h2 id="ssh-certificates">ssh certificates</h2>
<p>ssh has a little-known feature: instead of manually distributing ssh public keys to specific users, you can have a single CA key that's trusted on each machine. Then, in addition to the private and public keys, you provide a certificate created by signing the public key with the CA private key. This signing step is where you specify the users (principals) the key is allowed to log in as.</p>
<p>In addition, ssh can directly utilize a PKCS#11 key. This is little known (possibly due to strange interactions with <code>ssh-agent</code>?) but works perfectly here. The first step is to extract the CA public key:</p>
<pre style="background-color:#2b303b;">
<code class="language-bash" data-lang="bash"><span style="color:#bf616a;">ssh-keygen -D</span><span style="color:#c0c5ce;"> /run/current-system/sw/lib/libtpm2_pkcs11.so | </span><span style="color:#bf616a;">tee</span><span style="color:#c0c5ce;"> ssh-ca.pub
</span></code></pre>
<p>Next, <code>ssh-ca.pub</code> needs to be trusted on all the systems you'd like to log in to. For systems where you can't do this, such as hosted Git providers, you can of course just use <code>authorized_keys</code> like normal. NixOS doesn't have an option for this, but it can easily be added to <code>sshd_config</code>:</p>
<pre style="background-color:#2b303b;">
<code class="language-nix" data-lang="nix"><span style="color:#c0c5ce;">{
</span><span style="color:#d08770;">services</span><span style="color:#c0c5ce;">.</span><span style="color:#d08770;">openssh</span><span style="color:#c0c5ce;">.</span><span style="color:#d08770;">extraConfig </span><span style="color:#c0c5ce;">= ''
</span><span style="color:#a3be8c;"> TrustedUserCAKeys </span><span style="font-style:italic;color:#ab7967;">${</span><span style="font-style:italic;color:#a3be8c;">../files/ssh-ca.pub</span><span style="font-style:italic;color:#ab7967;">}
</span><span style="color:#c0c5ce;">'';
}
</span></code></pre>
<p>Now, you need to create the signatures. Copy the public keys you'd like to sign over to the system you set up the fTPM on. There are quite a few options available here; the full list is in ssh-keygen's manual page. For a simple example of a certificate with key identity <code>desktop</code> and serial number 1, authorized to log in as <code>leo60228</code>:</p>
<pre style="background-color:#2b303b;">
<code class="language-bash" data-lang="bash"><span style="color:#bf616a;">ssh-keygen -s</span><span style="color:#c0c5ce;"> ssh-ca.pub</span><span style="color:#bf616a;"> -I</span><span style="color:#c0c5ce;"> desktop</span><span style="color:#bf616a;"> -D</span><span style="color:#c0c5ce;"> /run/current-system/sw/lib/libtpm2_pkcs11.so</span><span style="color:#bf616a;"> -n</span><span style="color:#c0c5ce;"> leo60228</span><span style="color:#bf616a;"> -z</span><span style="color:#c0c5ce;"> 1 id_ecdsa.pub
</span></code></pre>
<p>This produces an <code>id_ecdsa-cert.pub</code> next to <code>id_ecdsa.pub</code>. Copy it back over next to <code>id_ecdsa</code> on the machine you're logging in with.</p>
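<p>The certificate written by the <code>ssh-keygen -s</code> step above is a binary blob whose fields (serial, key identity, principals, validity window) are exactly what sshd checks when a CA is listed in <code>TrustedUserCAKeys</code>. The following is an added example, not code from the original post or from OpenSSH: a Python decoder for the <code>ecdsa-sha2-nistp256-cert-v01@openssh.com</code> format, together with a mirror of sshd's principal and validity checks. It does not verify the CA signature, and the sample certificate it decodes is constructed inline with placeholder key and signature bytes so that it runs offline; feed <code>parse_ecdsa_cert</code> a real <code>id_ecdsa-cert.pub</code> line to audit what you actually issued.</p>

```python
"""Decode an OpenSSH user certificate line (the id_ecdsa-cert.pub that
ssh-keygen -s writes) and report the fields sshd checks under TrustedUserCAKeys.
Added example, not code from the original post; it parses but does not verify
the CA signature. The sample certificate below is constructed with placeholder
nonce, key and signature bytes so that the script runs offline."""
import base64
import struct
import time

CERT_TYPE = b"ecdsa-sha2-nistp256-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
FOREVER = 0xFFFFFFFFFFFFFFFF  # ssh-keygen's default valid_before


def _string(b):
    """Encode an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_uint(buf, off, fmt):
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)


def parse_ecdsa_cert(line):
    """Parse the certificate fields in the order given by OpenSSH's
    PROTOCOL.certkeys for ecdsa-sha2-nistp256-cert-v01@openssh.com."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE.decode():
        raise ValueError("not an ecdsa-sha2-nistp256 certificate line")
    buf = base64.b64decode(parts[1])
    off = 0
    cert_type, off = _read_string(buf, off)
    if cert_type != CERT_TYPE:
        raise ValueError("type prefix does not match encoded type")
    _nonce, off = _read_string(buf, off)
    curve, off = _read_string(buf, off)        # certified public key: curve name ...
    _point, off = _read_string(buf, off)       # ... and EC point
    serial, off = _read_uint(buf, off, ">Q")
    ctype, off = _read_uint(buf, off, ">I")
    key_id, off = _read_string(buf, off)
    principals_blob, off = _read_string(buf, off)
    valid_after, off = _read_uint(buf, off, ">Q")
    valid_before, off = _read_uint(buf, off, ">Q")
    _critical, off = _read_string(buf, off)
    _extensions, off = _read_string(buf, off)
    _reserved, off = _read_string(buf, off)
    sig_key, off = _read_string(buf, off)      # the CA public key blob
    signature, off = _read_string(buf, off)
    principals, p = [], 0
    while p < len(principals_blob):           # principals is a packed list of strings
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {"serial": serial, "is_user_cert": ctype == SSH_CERT_TYPE_USER,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "curve": curve.decode(), "ca_key": sig_key, "signature": signature}


def cert_permits_login(cert, user, now=None):
    """The checks sshd makes (signature aside) before a cert signed by a key in
    TrustedUserCAKeys may log in as `user`: it must be a user cert with an
    explicit principal list naming the user, and `now` must fall inside the
    validity window. A cert without principals is refused, as sshd does."""
    now = int(time.time()) if now is None else now
    if not cert["is_user_cert"] or not cert["principals"]:
        return False
    if user not in cert["principals"]:
        return False
    return cert["valid_after"] <= now < cert["valid_before"]


def build_sample_cert(serial, key_id, principals, valid_after=0, valid_before=FOREVER):
    """Constructed sample with the layout of a real certificate but placeholder
    nonce, public point, CA key and signature. Real ones come from ssh-keygen -s."""
    body = b"".join([
        _string(CERT_TYPE),
        _string(b"\x00" * 32),                                  # nonce (placeholder)
        _string(b"nistp256"), _string(b"\x04" + b"\x11" * 64),  # certified key (placeholder)
        struct.pack(">Q", serial), struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after), struct.pack(">Q", valid_before),
        _string(b""), _string(b""), _string(b""),               # critical opts, extensions, reserved
        _string(_string(b"ecdsa-sha2-nistp256") + _string(b"nistp256")
                + _string(b"\x04" + b"\x22" * 64)),             # CA key (placeholder)
        _string(b"\x00" * 8),                                   # signature (placeholder)
    ])
    return "%s %s %s" % (CERT_TYPE.decode(), base64.b64encode(body).decode(), key_id)


if __name__ == "__main__":
    # the shape of what the post's invocation produces: -I desktop -n leo60228 -z 1
    line = build_sample_cert(1, "desktop", ["leo60228"])
    cert = parse_ecdsa_cert(line)
    print(cert["key_id"], cert["serial"], cert["principals"])
    print("leo60228 may log in:", cert_permits_login(cert, "leo60228"))
    print("root may log in:", cert_permits_login(cert, "root"))
```

<p>Running it shows that the constructed certificate permits <code>leo60228</code> and refuses <code>root</code>; passing <code>valid_after</code>/<code>valid_before</code> to <code>build_sample_cert</code> models the short-lived certificates that <code>ssh-keygen -V</code> produces, which is the pattern the post mentions for easier revocation.</p>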
<p>At this point, you're done! There's quite a bit more functionality available with both the fTPM and ssh certificates, but this was good enough for what I needed. One common tweak that makes revocation much easier but adds quite a bit of complexity is to set up an automated way to issue certificates with short validity periods, so that revoking a certificate is just a matter of refusing to sign a new one. I didn't find this necessary, however.</p>
<h3 id="credits">Credits</h3>
<p><a href="https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md">The tpm2-pkcs11 docs on SSH</a>, <a href="https://incenp.org/notes/2020/tpm-based-ssh-key.html">this blog post on using tpm2-pkcs11 with SSH</a>, and <a href="https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/">this blog post from Facebook on ssh certificates</a> were all very helpful in figuring this out.</p>
<h1 id="automatic-syndication-and-cross-platform-interactions-with-blogs">Automatic syndication and cross-platform interactions with blogs</h1>
<p>Published 2021-02-05. <a href="https://vriska.dev/automatic-syndication-and-cross-platform-interactions-with-blogs/">https://vriska.dev/automatic-syndication-and-cross-platform-interactions-with-blogs/</a></p>
<p>I've set up the following functionality:</p>
<ul>
<li><a href="https://leo60228.space">https://leo60228.space</a> and <a href="https://leo60228.tumblr.com">https://leo60228.tumblr.com</a> will notify linked sites (outgoing Webmentions)</li>
<li>Posts from <a href="https://leo60228.space">https://leo60228.space</a> will automatically be posted on Mastodon (syndication)</li>
<li>External interactions with posts on <a href="https://leo60228.space">https://leo60228.space</a> and <a href="https://leo60228.tumblr.com">https://leo60228.tumblr.com</a> will be displayed on the posts (incoming Webmentions, Webmention bridging)
<ul>
<li>Links to posts on Twitter</li>
<li>Replies to automatic cross-posts on Mastodon</li>
<li>Links from Webmention-compatible sites</li>
</ul>
</li>
</ul>
<h2 id="outgoing-webmentions-for-leo60228-space">Outgoing Webmentions for leo60228.space</h2>
<p>There are quite a few ways to go about implementing support for outgoing Webmentions. My method relies on external services, but required very few changes to my site to set up.</p>
<p>First, I had to implement support for microformats2 on my site. This was easy enough to do: I just had to add some classes to elements that described different (meta)data about my site and posts, as well as add a <code><link rel="author"></code> to my homepage on posts. This required some minor restructuring of my markup.</p>
<p>Next, I had to actually send out Webmentions. With <a href="https://webmention.app">webmention.app</a>, this was very easy. All I had to do was sign up for an account and add a webhook whenever my site was deployed that included a link to a pre-existing Atom feed. <a href="https://webmention.app/docs#how-to-integrate-with-netlify">This is documented pretty well.</a></p>
<h2 id="syndication-and-webmention-bridging">Syndication and Webmention bridging</h2>
<p>Syndication was made very easy by <a href="https://www.brid.gy">Bridgy</a>. With Bridgy, all I had to do was sign in with Mastodon, after which I can automatically syndicate a post from my blog to Mastodon just by including a Webmention to a special link.</p>
<p>Webmention bridging was just as easy. All I had to do was sign in with the services that I'd like to integrate with. There are a few caveats here, however, which are listed in the Bridgy documentation. The most important one is that due to Twitter API limitations some mentions may be lost.</p>
<h2 id="incoming-webmentions-for-leo60228-space">Incoming Webmentions for leo60228.space</h2>
<p>There are also quite a few approaches here, but I went with the popular <a href="https://webmention.io">Webmention.io</a>, which provides a hosted service and API for receiving Webmentions (the IndieWeb people seem to be very good at naming things). Webmention.io's support for displaying interactions on sites is limited to a simple counter, but I found <a href="https://github.com/PlaidWeb/webmention.js">webmention.js</a>, which provides a simple display of Webmentions.</p>
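<p>A receiver like Webmention.io has to do more than count notifications: the Webmention spec requires it to verify a mention before trusting it, since otherwise anyone could attach arbitrary "interactions" to a post just by sending a request. As an added example (not the post's code, and not Webmention.io's), here is that verification in Python: source and target must be http(s) URLs, must differ, the target must be on a host this receiver is responsible for, and the fetched source document must actually link to the target. Fetching is left to the caller so the check runs offline; the sample pages and the target path are constructed, and <code>ACCEPTED_HOSTS</code> is simply the two sites named in this post.</p>

```python
"""Verify an incoming Webmention before displaying it, as the Webmention spec
("Request Verification") requires of a receiver such as Webmention.io: source and
target must be http(s) URLs, must differ, target must be a page this receiver is
responsible for, and the source document must actually link to the target.
Added example, not the post's or Webmention.io's code; fetching the source is
left to the caller so the check runs offline on the constructed HTML below."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# hosts this receiver accepts mentions for (the two sites named in the post)
ACCEPTED_HOSTS = {"leo60228.space", "leo60228.tumblr.com"}


class LinkCollector(HTMLParser):
    """Collect every <a href> in the fetched source document."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def is_http_url(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def verify_webmention(source, target, source_html):
    """Return (accepted, reason). `source_html` is the body already fetched
    from `source`; a real receiver fetches it itself (with redirect and size
    limits) rather than trusting anything carried in the notification."""
    if not (is_http_url(source) and is_http_url(target)):
        return False, "source and target must be http(s) URLs"
    if source == target:
        return False, "source must not equal target"
    if urlsplit(target).hostname not in ACCEPTED_HOSTS:
        return False, "target is not a page this receiver is responsible for"
    links = LinkCollector()
    links.feed(source_html)
    if target not in links.hrefs:
        return False, "source does not link to target"
    return True, "ok"


# constructed sample pages; the target path is made up
TARGET = "https://leo60228.space/example-post/"
SOURCE = "https://example.com/notes/reply-1"
SOURCE_HTML_OK = ('<html><body><div class="h-entry"><p class="e-content">'
                  'Good post, see <a class="u-in-reply-to" href="%s">here</a>.'
                  '</p></div></body></html>' % TARGET)
SOURCE_HTML_NO_LINK = '<html><body><p>No mention of the target here.</p></body></html>'

if __name__ == "__main__":
    print(verify_webmention(SOURCE, TARGET, SOURCE_HTML_OK))
    print(verify_webmention(SOURCE, TARGET, SOURCE_HTML_NO_LINK))
    print(verify_webmention("mailto:someone@example.com", TARGET, SOURCE_HTML_OK))
    print(verify_webmention(SOURCE, "https://example.org/", SOURCE_HTML_OK))
```

<p>Only the first call is accepted; the others fail on the missing backlink, the non-http source and the foreign target respectively. The microformats classes in the sample (<code>h-entry</code>, <code>u-in-reply-to</code>) are the same kind of markup the post describes adding for outgoing mentions.</p>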
<h2 id="webmentions-for-leo60228-tumblr-com">Webmentions for leo60228.tumblr.com</h2>
<p>Bridgy makes <em>outgoing</em> Webmentions simple enough, just by signing in with Tumblr on the Bridgy site. Incoming Webmentions are also possible, but a bit trickier. Webmentions <em>would</em> map to comments, but Tumblr only has reblogs, which function a bit differently. Bridgy handles this by using Disqus, external commenting software that has bidirectional integration with Tumblr.</p>
<p>This works well enough, but adding an entire comments feature seems a bit heavy to me. It'd be interesting if there was a way to <em>just</em> display Webmentions within a Tumblr theme. I'm not sure of the feasibility or difficulty of something like this, though.</p>
<h1 id="indieweb">IndieWeb</h1>
<p>Published 2021-02-05. <a href="https://vriska.dev/indieweb/">https://vriska.dev/indieweb/</a></p>
<p>This site now supports outgoing WebMentions and implements microformats2.</p>
<h1 id="hsmusicifier-0-3-0">hsmusicifier 0.3.0: Split up bundled albums with additional flexibility for art</h1>
<p>Published 2021-01-24. <a href="https://vriska.dev/hsmusicifier-0-3-0-split-up-bundled-albums-with-additional-flexibility-for-art/">https://vriska.dev/hsmusicifier-0-3-0-split-up-bundled-albums-with-additional-flexibility-for-art/</a></p>
<p>(If you missed it, check out the <a href="https://vriska.dev/hsmusicifier-0-2-0-add-track-art-and-artist-info-to-your-homestuck-music-collection-in-any-format/">0.2.0 announcement</a>.)</p>
<p>hsmusicifier is a tool to add metadata from <a href="https://hsmusic.wiki">hsmusic.wiki</a> to your Homestuck music collection. 0.3.0 adds some extra flexibility for art, and enables splitting up bundled albums.</p>
<h1 id="split-bundled-albums">Split bundled albums</h1>
<p>If you have the post-2019 Bandcamp albums, you've lost quite a bit of metadata. hsmusicifier previously let you get back track art, but didn't help with the fact that as many as 4 albums could all show up as one. Now, hsmusicifier can re-add the original album and track numbers.</p>
<p><img src="/img/uploads/splitalbums.png" alt="Split up!" title="Split up!" /></p>
<h1 id="extra-flexibility">Extra flexibility</h1>
<p>With all of these features, you might only want to make some of these changes to your precious tracks. In addition, you might also want to use the album art for the first track, just like the original releases did. Now, hsmusicifier gives you many more options to control its functionality.</p>
<p><img src="/img/uploads/options.png" alt="Input, output, artists, albums, art, first song art and other song art" title="Amazing flexibility!" /></p>
<h1 id="download">Download</h1>
<p><del>As always, you can download data files and prebuilt binaries for Linux and Windows from <a href="https://github.com/leo60228/hsmusicifier/releases/tag/0.3.0">GitHub</a>.</del></p>
<p>0.3.1 is now available with some minor improvements. You can get it from <a href="https://github.com/leo60228/hsmusicifier/releases/tag/0.3.1">GitHub</a>.</p>
<h1 id="hsmusicifier-0-2-0">hsmusicifier 0.2.0: Add track art and artist info to your Homestuck music collection in any format</h1>
<p>Published 2021-01-23. <a href="https://vriska.dev/hsmusicifier-0-2-0-add-track-art-and-artist-info-to-your-homestuck-music-collection-in-any-format/">https://vriska.dev/hsmusicifier-0-2-0-add-track-art-and-artist-info-to-your-homestuck-music-collection-in-any-format/</a></p>
<p>hsmusicifier is a tool to add metadata from <a href="https://hsmusic.wiki">hsmusic.wiki</a> to a Homestuck music collection. See <a href="https://vriska.dev/hsmusicifier-automatically-add-track-art-to-id3-tags-including-fan-anthologies-and-post-2019-bandcamp/">the announcement post</a> for more details on the core functionality.</p>
<p>hsmusicifier 0.2.0 adds two major new features.</p>
<h1 id="artist-info">Artist info</h1>
<p>Ever been annoyed by how the artist of all of your Homestuck tracks just shows up as "Homestuck" despite the enormous multitude of artists? Now, hsmusicifier will add full artist info to all of your tracks, while preserving the Album Artist field used by music players.</p>
<p><img src="/img/uploads/before.png" alt="Oops, All Homestuck!" title="Before" /></p>
<p><img src="/img/uploads/after.png" alt="Full of Artists!" title="After" /></p>
<h1 id="ffmpeg">FFmpeg</h1>
<p>hsmusicifier now uses the well-known FFmpeg library for reading and writing audio files. This means that it now has support for almost every audio format you could think of! FLAC specifically may be especially useful, due to its combination of losslessness, support for metadata from Bandcamp, and support for track art.</p>
<h1 id="download">Download</h1>
<p><del>You can download assets and a prebuilt Windows version from <a href="https://github.com/leo60228/hsmusicifier/releases/tag/0.2.0">GitHub</a>.</del></p>
<p>UPDATE (2020-01-24): 0.2.1 has been released, adding a prebuilt Linux version and a few bugfixes. You can (still) get it from <a href="https://github.com/leo60228/hsmusicifier/releases/tag/0.2.1">GitHub</a>.</p>
<h1 id="hsmusicifier-automatically-add-track-art-to-id3-tags">hsmusicifier: Automatically add track art to ID3 tags (including fan anthologies and post-2019 Bandcamp)</h1>
<p>Published 2021-01-21. <a href="https://vriska.dev/hsmusicifier-automatically-add-track-art-to-id3-tags-including-fan-anthologies-and-post-2019-bandcamp/">https://vriska.dev/hsmusicifier-automatically-add-track-art-to-id3-tags-including-fan-anthologies-and-post-2019-bandcamp/</a></p>
<p>(NOTE: this post was originally on <a href="https://old.reddit.com/r/homestuck/comments/l2ekhj/hsmusicifier_automatically_add_track_art_to_id3/">Reddit</a> before this blog was created)</p>
<p>hsmusicifier is a tool to add track art from the wonderful <a href="https://hsmusic.wiki">hsmusic.wiki</a> to ID3 tags. ID3 is a way to add metadata to songs generally used (by both Bandcamp and the vast majority of music players) for mp3 files. This doesn't sound that helpful at first, but it doesn't <em>just</em> work for albums that originally had track art. <a href="https://hsmusic.wiki">hsmusic.wiki</a> also contains multiple fan anthologies of track art and has the SoundCloud exclusive track art for the Friendsim OST!</p>
<p>Also, if you've recently purchased the Homestuck albums, you won't have track art (well, except for coloUrs and mayhem: Universe A). hsmusicifier can help you too! All albums on the current Bandcamp are supported by hsmusicifier. For albums that never had track art of any kind, hsmusicifier will still add the art for each individual album instead of the global art used for the entire collection.</p>
<p>In theory, hsmusicifier will work for all albums with track art on <a href="https://hsmusic.wiki">hsmusic.wiki</a>, along with the 2019 collection albums. However, I haven't been able to test every one of them. These are the ones I've tested:</p>
<ul>
<li>Alterniabound (with Alternia)</li>
<li>Beyond Canon</li>
<li>coloUrs and mayhem: Universe A & B</li>
<li>HIVESWAP Act 1 OST (with THE GRUBBLES)</li>
<li>Hiveswap Friendsim</li>
<li>Homestuck Vol. 1-4 (with Midnight Crew: Drawing Dead)</li>
<li>Homestuck Vol. 5-6 (with The Felt)</li>
<li>Homestuck Vol. 7-8 (with Cherubim)</li>
<li>Homestuck Vol. 9-10 (with [S] Collide. and Act 7)</li>
<li>Symphony Impossible to Play (with Medium)</li>
</ul>
<p>In addition, these albums have always been released with their original track art (where any existed), so the tool is much less useful for them, but I've still confirmed that it's compatible:</p>
<ul>
<li>HIVESWAP Act 2 Original Soundtrack</li>
<li>Diverging Delicacies</li>
<li>Land of Fans and Music 2</li>
<li>Land of Fans and Music 3</li>
<li>Land of Fans and Music 4</li>
<li>Weird Puzzle Tunes</li>
</ul>
<p>I suppose this could be useful for the LOFAM albums if your download somehow got corrupted.</p>
<p>Anyway, you can download the tool on <a href="https://github.com/leo60228/hsmusicifier/releases/latest">GitHub</a>. The release includes the required data files as well as a Windows version. I've tested Linux built from source (that's how I did development, in fact). macOS should work too, but I haven't tested it.</p>