Esa Jokinen

14 Followers
21 Following
39 Posts
Please consider direct messages on Mastodon as public; use email & PGP for important stuff.
Web: https://esajokinen.net
GitHub: https://github.com/oh2fih

Once upon a time there was an HTML attribute called Id. She had graduated from the W3 University, specialized in specifying a unique identifier for an HTML element. For her sister, Class, it was much easier to make friends, as she was able to hang out with multiple elements at the same time. Eventually, Id was almost entirely forgotten, and everyone started to invite only Class to every web site party.

One day the testers were thinking it would be nice if there was someone who could give unique identifiers to HTML elements. They hired Mr. Data-Testid from Nonstandardistan for the job even though he was not formally qualified. Unemployed and sad, Id lived unhappily ever after.

(The moral of the story: there is no need to reinvent the wheel.)

#webdevelopment

Track changes in the CVE database (CVEProject / cvelistV5) `tail -f` style, also printing changes in the CVSS 3.1 scores. Written using only the Python Standard Library, the only external requirement being the Git binary.

#cve #cvelist #vulnerabilities #cvss #opensource

https://github.com/oh2fih/Misc-Scripts/blob/main/bin/follow-cvelist.py

CVE-Search v5.1.0 fixes bugs, improves interoperability with the CveXplore library and makes it easier to retry incomplete updates from the NVD API. Read the changelog carefully.

https://github.com/cve-search/cve-search/releases/tag/v5.1.0

Let's Encrypt has made implementing DANE even more difficult. The root CA is no longer included in the chain, and the intermediates may change without notice. To address these issues, I wrote a script that automates TLSA record creation from the published intermediates.

#letsencrypt #dane #tlsa #certificatepinning

https://github.com/oh2fih/Misc-Scripts/blob/main/bin/letsencrypt-tlsa.sh
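As an added illustration of what such TLSA generation involves (this is not the letsencrypt-tlsa.sh code from the post), the Python below uses only the standard library: a minimal ASN.1 walker pulls the SubjectPublicKeyInfo out of a DER certificate and the result is hashed into a DANE-TA record (usage 2, selector 1, SHA-256). The sample certificate and the `_443._tcp.example.com.` owner name are constructed for the example, not real Let's Encrypt data.

```python
import base64, hashlib, re

def _tlv(der, pos):  # (header_len, content_len) of the DER TLV at pos
    first = der[pos + 1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def spki_bytes(cert_der):
    """Extract SubjectPublicKeyInfo (selector 1 input) from a Certificate DER."""
    hdr, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    pos = hdr
    hdr, _ = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    pos += hdr
    if cert_der[pos] == 0xA0:             # optional [0] EXPLICIT version
        hdr, ln = _tlv(cert_der, pos)
        pos += hdr + ln
    for _ in range(5):                    # serial, signature, issuer, validity, subject
        hdr, ln = _tlv(cert_der, pos)
        pos += hdr + ln
    hdr, ln = _tlv(cert_der, pos)         # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:pos + hdr + ln]

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string (e.g. a published intermediate)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def digest_hex(data, mtype=1):
    """Matching type 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def tlsa_record(owner, cert_der, usage=2, selector=1, mtype=1):
    """Selector 0 hashes the whole certificate, selector 1 only its SPKI."""
    data = spki_bytes(cert_der) if selector == 1 else cert_der
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest_hex(data, mtype)}"

# Constructed sample certificate (not a real CA cert); short-form DER only.
def _der(tag, content):
    return bytes([tag, len(content)]) + content
SAMPLE_SPKI = _der(0x30, _der(0x06, b"\x2a\x03\x04") + _der(0x03, b"\x00\x01\x02\x03"))
_ALG = _der(0x30, _der(0x06, b"\x2a\x03\x04"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG
            + _der(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00\xff"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("_443._tcp.example.com.", pem_to_der(SAMPLE_PEM)))
```

With selector 1 the record survives a re-issue of the intermediate under the same key, but an intermediate with a new key still needs its own record, which is why one record per currently published intermediate is needed.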

The fact that OpenSSH's sshd_config keyword ClientAliveInterval is for detecting unresponsive connections does not change no matter how many times it is repeated that it would monitor the session activity.

Debunking this misinformation in
https://serverfault.com/a/1162840/274176
How to ensure that SSH drops the connection after 8 hours of inactivity?

@gunstick @adulau Conference spam is easy enough to handle with user+conference suffix, but then someone *called* me to ask about my experience of their booth at the expo. I was brutally honest by answering that I don't recall their company at all, because I was there just for the 🍺 and the swag.

After some work on bug fixes & improvements for CVE-Search & CveXplore, both finally have new releases. 🎉

https://github.com/cve-search/cve-search/releases/tag/v5.0.2

@varbin I see. Implementing punycode support in OpenSSH might be way out-of-scope already. Keeping backwards compatibility is hard when implementing new security controls: even disabling uncommon characters by default and enabling them by configuration could break something somewhere. Maybe it is still best to avoid using these variables altogether on hardened configurations.

@varbin Good point. That justifies the blacklist based solution for the username, but hostnames are still strictly defined and could use a whitelist of characters. That would be a more secure approach for anyone having `%h` but not `%u` in their `ProxyCommand`.

I am also wondering whether Windows could have similar special characters that would require sanitizing on the Windows version of the OpenSSH client.

@varbin The additional characters from that use case are limited and could be whitelisted, too. Also, "this strictness is applied only to names coming from the commandline", so it does not affect usernames or hostnames specified in the configuration. (It could be wider with an explicit configuration parameter that disables the limitation.)