Re: [PLUG] 3rd party vpn Defense evasion
For employees it depends if they are exempt or not. Any supervisory employee who can fire people is automatically considered exempt and many other employee classifications (such as programming) are considered exempt as well. (exemption is once more IRS and state taxing authority determination that the company has no say over)

If the employee is exempt from overtime then it's illegal for the company to require that they work a certain number of hours, or at certain times. If the company DOES tell the employee this (that they have to track their time) then the employee can hit them for mandatory overtime (if they exceed 40 hours)

Exempt/non exempt classifications are more commonly referred to as salaried/hourly employees.

Long and short of it is you cannot use an online form to consider "work to be valid" for a salaried AKA exempt employee. Salaried employees are paid BY THE JOB not by being logged into something for a certain time.

Companies quite often forget that putting someone like a programmer on salary is a two way street. The benefit from the company's point of view is they don't have to pay overtime for one of those work-round-the-clock-push times. But in exchange for that, the employee also doesn't have to work 40 hours every week either. A decent salaried employee keeps an eye on time since it's an important metric for how much work is reasonable to expect a salaried employee to do but it is NOT the absolute metric.

Companies who have tried to do it differently - that is, not pay OT and make you work late during crunch time - and still make you work 40 hours - regularly end up paying very large fines and back salary to people when they get sued. It's healthy for that to happen for owners of those companies to get slapped silly for trying to exploit workers from time to time.

Once more as I keep saying this needs to be handled from an employee management standpoint via managers and HR not from the IT department trying to play God and the managers being wussies and afraid to talk to employees.

Is it simply that a large number of IT people are on the autism spectrum and have social anxiety disorder that they will literally waste weeks of company time on elaborate technical solutions that can be handled in 5 minutes by a manager walking up to an employee and saying "hey dude you know that thing you are doing with the VPN, well knock it off"

Or is it that their anxiety disorder and desire to Play God just drives them to believe that every other employee in the company is trying to screw IT???

Sheesh!!!

Ted

-Original Message-
From: PLUG On Behalf Of Daniel Ortiz
Sent: Wednesday, April 19, 2023 1:39 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance.

When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process.

Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil wrote:

> We're chasing this from data science side as well. As far as charting the pattern of activity and flag anomalies.
> This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
>
> I do agree, there are many VPN commercial services and they will never advertise servers properties, besides there's lots of other open-VPN options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
>
> > -Original Message-
> > From: PLUG On Behalf Of John Jason Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls.
> > And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
> >
> > This stuff is getting very advanced nowadays since many firewalls are doing deep packet

Re: [PLUG] Transferring public key shows error
I find it is pretty helpful to read the messages. If the messages are too terse, add verbose or debug flags. Then read what it says.

Is there anything listening on caddis's port n?

On Wed, Apr 19, 2023 at 2:56 PM Rich Shepard wrote:

> On Wed, 19 Apr 2023, Russell Senior wrote:
>
> > So, you can use an editor to remove the offending line 2, and you'll be asked to accept the new hostkey the next time to connect.
>
> Russell,
>
> The authorized_keys on both hosts each contains the public key of the other.
>
> The known_hosts on the laptop (caddis) contains only a key for salmo created at 14:42, when I tried to ssh from caddis to salmo. I could not:
>
> $ ssh salmo
> The authenticity of host '[salmo]:n ([192.168.55.1]:n)' can't be established.
> ED25519 key fingerprint is SHA256:/RInRdtcIMbpPu3LZmpg5wfAWi9ozQwgKLPnTQEDcxg.
> This key is not known by any other names
> Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> Warning: Permanently added '[salmo]:n' (ED25519) to the list of known hosts.
> rshepard@salmo: Permission denied (publickey)
>
> Going the other way, from salmo to caddis (where salmo's known_hosts has only caddis as an entry) also fails:
>
> $ ssh caddis
> ssh: connect to host caddis port n: Connection refused
>
> With only two hosts on the network it shouldn't be this difficult to get them to communicate.
>
> What am I still missing?
>
> Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Russell Senior wrote:

> So, you can use an editor to remove the offending line 2, and you'll be asked to accept the new hostkey the next time to connect.

Russell,

The authorized_keys on both hosts each contains the public key of the other.

The known_hosts on the laptop (caddis) contains only a key for salmo created at 14:42, when I tried to ssh from caddis to salmo. I could not:

$ ssh salmo
The authenticity of host '[salmo]:n ([192.168.55.1]:n)' can't be established.
ED25519 key fingerprint is SHA256:/RInRdtcIMbpPu3LZmpg5wfAWi9ozQwgKLPnTQEDcxg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[salmo]:n' (ED25519) to the list of known hosts.
rshepard@salmo: Permission denied (publickey)

Going the other way, from salmo to caddis (where salmo's known_hosts has only caddis as an entry) also fails:

$ ssh caddis
ssh: connect to host caddis port n: Connection refused

With only two hosts on the network it shouldn't be this difficult to get them to communicate.

What am I still missing?

Rich

Re: [PLUG] Transferring public key shows error
IMO it is best to use ssh-copy-id to transfer your public key.

I have begun using:

ssh-keygen -f "/home//.ssh/known_hosts" -R ""

to remove ID's from my local .ssh/known_hosts file.

The advantage of the first is that you don't accidentally copy your private key. The advantage of the second is that you don't accidentally remove a key that you didn't want gone.

On Wed, Apr 19, 2023 at 2:39 PM Rich Shepard wrote:

> On Wed, 19 Apr 2023, Russell Senior wrote:
>
> > Your client is complaining about the new host key. You need to remove the old hostkey from your *CLIENT'S* known_hosts file. The message is telling you what it doesn't like "Offending ED25519 key in /home/rshepard/.ssh/known_hosts:2".
>
> Russell,
>
> That's what I learned reading more about openssh.
>
> > So, you can use an editor to remove the offending line 2, and you'll be asked to accept the new hostkey the next time to connect.
>
> This answers the question I was about to ask: how to add a new host to caddis' known_hosts file. I didn't know it was done automatically when I connected to salmo.
>
> Thanks very much,
>
> Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Russell Senior wrote:

> Your client is complaining about the new host key. You need to remove the old hostkey from your *CLIENT'S* known_hosts file. The message is telling you what it doesn't like "Offending ED25519 key in /home/rshepard/.ssh/known_hosts:2".

Russell,

That's what I learned reading more about openssh.

> So, you can use an editor to remove the offending line 2, and you'll be asked to accept the new hostkey the next time to connect.

This answers the question I was about to ask: how to add a new host to caddis' known_hosts file. I didn't know it was done automatically when I connected to salmo.

Thanks very much,

Rich

Re: [PLUG] Transferring public key shows error
Your client is complaining about the new host key. You need to remove the old hostkey from your *CLIENT'S* known_hosts file. The message is telling you what it doesn't like "Offending ED25519 key in /home/rshepard/.ssh/known_hosts:2".

So, you can use an editor to remove the offending line 2, and you'll be asked to accept the new hostkey the next time to connect.

--
Russell

On Wed, Apr 19, 2023 at 2:23 PM Rich Shepard wrote:

> On Wed, 19 Apr 2023, Rich Shepard wrote:
>
> > Should salmo's id_ed25519.pub be in caddis' .ssh/authorized_keys?
>
> I think that I found the problem: salmo's id_ed25519.pub has only one line and it's for a host no longer on the LAN.
>
> So, I'll generate a new keypair for salmo, using the same passphrase, then copy that public key to caddis.
>
> Well, when I somehow, unintentionally, FUBAR a host I don't do it halfway. Sigh.
>
> More when I make these changes.
>
> Rich

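
The check behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning quoted in this thread, as an added Python example (not part of any post and not OpenSSH's own code). It handles only plain-text known_hosts entries; `salmo` and port 14982 come from the thread, while the key bytes and the `example.org` entry are constructed.

```python
import base64
import hashlib
import struct


def ed25519_blob(raw32: bytes) -> str:
    """Encode 32 raw bytes as the base64 field of an ssh-ed25519 public key line."""
    name = b"ssh-ed25519"
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(wire).decode()


def fingerprint(b64_key: str) -> str:
    """Fingerprint as ssh prints it: base64(SHA-256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_label(host: str, port: int = 22) -> str:
    """known_hosts writes a non-default port as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def check_host_key(known_hosts_text, host, port, key_type, b64_key):
    """Return (status, line_no): 'match', 'changed' (with the offending line) or 'unknown'."""
    label = host_label(host, port)
    changed_at = None
    for line_no, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        # Skip blanks, comments, @markers and hashed names (out of scope here).
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        if label not in fields[0].split(",") or fields[1] != key_type:
            continue
        if fields[2] == b64_key:
            return ("match", line_no)
        if changed_at is None:
            changed_at = line_no  # same host and key type, different key
    if changed_at is not None:
        return ("changed", changed_at)
    return ("unknown", None)


def remove_host(known_hosts_text, host, port=22):
    """Drop every line naming the host; all other entries are kept untouched."""
    label = host_label(host, port)
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and label in fields[0].split(","):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample data: not real keys.
OLD = ed25519_blob(bytes(range(32)))      # key recorded for salmo earlier
NEW = ed25519_blob(bytes(range(32, 64)))  # key salmo presents now
KNOWN_HOSTS = (
    f"example.org ssh-ed25519 {ed25519_blob(bytes(32))}\n"
    f"[salmo]:14982 ssh-ed25519 {OLD}\n"
)

if __name__ == "__main__":
    status, line_no = check_host_key(KNOWN_HOSTS, "salmo", 14982, "ssh-ed25519", NEW)
    print(status, "offending line:", line_no)
    print("presented key:", fingerprint(NEW))
    cleaned = remove_host(KNOWN_HOSTS, "salmo", 14982)
    print(check_host_key(cleaned, "salmo", 14982, "ssh-ed25519", NEW)[0])
```

Comparing the printed fingerprint with one read on the server itself is what makes answering "yes" at the unknown-host prompt safe.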
Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Rich Shepard wrote:

> Should salmo's id_ed25519.pub be in caddis' .ssh/authorized_keys?

I think that I found the problem: salmo's id_ed25519.pub has only one line and it's for a host no longer on the LAN.

So, I'll generate a new keypair for salmo, using the same passphrase, then copy that public key to caddis.

Well, when I somehow, unintentionally, FUBAR a host I don't do it halfway. Sigh.

More when I make these changes.

Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Russell Senior wrote:

> There is also a config for the server: sshd_config

Oy! I forgot about that. The sshd_config files in both salmo and caddis are the same and do require passphrase authentication.

On caddis my ssh attempt still fails and I am not certain about which file on salmo needs correcting:

rshepard@caddis ~]$ ssh salmo
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:/RInRdtcIMbpPu3LZmpg5wfAWi9ozQwgKLPnTQEDcxg.
Please contact your system administrator.
Add correct host key in /home/rshepard/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/rshepard/.ssh/known_hosts:2
Host key for [salmo]:14982 has changed and you have requested strict checking.
Host key verification failed.

Should salmo's id_ed25519.pub be in caddis' .ssh/authorized_keys?

Thanks,

Rich

Re: [PLUG] 3rd party vpn Defense evasion
Disclaimer: some of the following if not all could be wrong.

Wouldn't it be easier to deal with the credentials side to avoid this problem in the first place? To illustrate what I mean, here's a theoretical idea that while it might be flawed (like potential security failures), could be useful in terms of guidance.

When an employee logs in, it sends an email to their company Gmail account to complete the login procedure. They click the link to a Google form which requires them to be logged in to their company Google account for the submitted form to either work or be considered valid. Once it's submitted, a program will allow them to finish the login process.

Also, doing something with a company Google account could be helpful since Google records the devices you logged in with, which if a company can check that, they can see if there are any suspicious devices.

On Wed, Apr 19, 2023 at 10:29 AM Ishak Micheil wrote:

> We're chasing this from data science side as well. As far as charting the pattern of activity and flag anomalies.
> This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.
>
> I do agree, there are many VPN commercial services and they will never advertise servers properties, besides there's lots of other open-VPN options.
>
> We shall conquer!
>
> On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:
>
> > -Original Message-
> > From: PLUG On Behalf Of John Jason Jordan
> > Sent: Tuesday, April 18, 2023 2:00 PM
> >
> > >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
> >
> > They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls.
> > And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
> >
> > This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
> >
> > Never forget that for you, me, and probably all the readers of this list, that creating using blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
> >
> > Ted

Re: [PLUG] Transferring public key shows error
There is also a config for the server: sshd_config

On Wed, Apr 19, 2023, 13:14 Rich Shepard wrote:

> On Wed, 19 Apr 2023, Paul Heinlein wrote:
>
> > It looks to me like sshd on salmo is configured to accept only public key authentication. It won't take your password.
>
> Paul,
>
> I was wrong. When I ssh into github or my website host I need to use my passphrase.
>
> But, in both salmo's and caddis' /etc/ssh/ssh_config only
> PasswordAuthentication yes
> is set. I'm still getting that error.
>
> Regards,
>
> Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Paul Heinlein wrote:

> It looks to me like sshd on salmo is configured to accept only public key authentication. It won't take your password.

Paul,

I was wrong. When I ssh into github or my website host I need to use my passphrase.

But, in both salmo's and caddis' /etc/ssh/ssh_config only
PasswordAuthentication yes
is set. I'm still getting that error.

Regards,

Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Paul Heinlein wrote:

> It looks to me like sshd on salmo is configured to accept only public key authentication. It won't take your password.

Paul,

I know that, but I'm not offered a prompt for the passphrase and entering it instead of my password won't work.

> If you don't have local access to an SSH key already in your .ssh/authorized_keys file on salmo, well, you've locked yourself out.

This is the first time I've tried to put another host's public key in salmo's .ssh/authorized_keys using scp. I'll go back to moving a copy across in a thumb drive.

Thanks,

Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Rich Shepard wrote:

> Generated a key pair and, following the Slackware OpenSSH instructions tried to use scp to put the laptop's public key on the desktop:
>
> $ scp id_ed25519.pub rshep...@salmo.appl-ecosys.com:/home/rshepard/.ssh/authorized_keys
> The authenticity of host '[salmo.appl-ecosys.com]: ([192.168.55.1]:ED25519 key fingerprint is SHA256:/RInRdtcIMbpPu3LZmpg5wfAWi9ozQwgKLPnTQEDcxg.
> This key is not known by any other names
> Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> Warning: Permanently added '[salmo.appl-ecosys.com]:14982' (ED25519) to the list of known hosts.
> rshep...@salmo.appl-ecosys.com: Permission denied (publickey).
> lost connection
>
> What have I done incorrectly here?

It looks to me like sshd on salmo is configured to accept only public key authentication. It won't take your password.

If you don't have local access to an SSH key already in your .ssh/authorized_keys file on salmo, well, you've locked yourself out.

If you do have access to an SSH recognized by salmo, you'll need to load it locally before attempting the scp operation.

--
Paul Heinlein
heinl...@madboa.com
45°22'48" N, 122°35'36" W

Re: [PLUG] Transferring public key shows error
In that case you have a few options.

1. Enable password authentication on the desktop.
2. Move the key another way (email pubkey, pastebin, etc)
3. On your desktop, copy the key from your laptop. Using either password auth, or by adding an existing key to your laptop's authorised keys file.

If you use GitHub you can see any public keys you've added to your account like so: https://github.com/borcean.keys
Replacing 'borcean' with your username.

On Wed, Apr 19, 2023 at 12:08 PM Rich Shepard wrote:

> On Wed, 19 Apr 2023, Jeffrey Borcean wrote:
>
> > Are you able to ssh into your desktop from the laptop?
>
> Jeffrey,
>
> Nope. That's what I'm trying to do.
>
> > It looks like the desktop is configured to use keys for authentication, but you don't have any trusted keys on the laptop. So you can't connect.
>
> I just used ssh-keygen to produce a new pair of ED25519 keys and a passphrase.
>
> > If you have another key that is already authorised you can specify the key with: -i identity_file
>
> This is a new installation on the laptop.
>
> Thanks,
>
> Rich

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Jeffrey Borcean wrote:

> Are you able to ssh into your desktop from the laptop?

Jeffrey,

Nope. That's what I'm trying to do.

> It looks like the desktop is configured to use keys for authentication, but you don't have any trusted keys on the laptop. So you can't connect.

I just used ssh-keygen to produce a new pair of ED25519 keys and a passphrase.

> If you have another key that is already authorised you can specify the key with: -i identity_file

This is a new installation on the laptop.

Thanks,

Rich

Re: [PLUG] Transferring public key shows error
> rshep...@salmo.appl-ecosys.com: Permission denied (publickey).

Are you able to ssh into your desktop from the laptop?

It looks like the desktop is configured to use keys for authentication, but you don't have any trusted keys on the laptop. So you can't connect.

If you have another key that is already authorised you can specify the key with: -i identity_file

Re: [PLUG] Transferring public key shows error
On Wed, 19 Apr 2023, Russell Senior wrote:

> What was your goal in copying the public key?

Russell,

Adding it to the desktop's authorized_keys file.

Rich

Re: [PLUG] Transferring public key shows error
What was your goal in copying the public key?

--
Russell Senior
russ...@personaltelco.net

On Wed, Apr 19, 2023, 11:05 Rich Shepard wrote:

> Generated a key pair and, following the Slackware OpenSSH instructions tried to use scp to put the laptop's public key on the desktop:
>
> $ scp id_ed25519.pub rshep...@salmo.appl-ecosys.com:/home/rshepard/.ssh/authorized_keys
> The authenticity of host '[salmo.appl-ecosys.com]: ([192.168.55.1]: ED25519 key fingerprint is SHA256:/RInRdtcIMbpPu3LZmpg5wfAWi9ozQwgKLPnTQEDcxg.
> This key is not known by any other names
> Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> Warning: Permanently added '[salmo.appl-ecosys.com]:14982' (ED25519) to the list of known hosts.
> rshep...@salmo.appl-ecosys.com: Permission denied (publickey).
> lost connection
>
> What have I done incorrectly here?
>
> TIA,
>
> Rich

[PLUG] Transferring public key shows error
Generated a key pair and, following the Slackware OpenSSH instructions tried to use scp to put the laptop's public key on the desktop:

$ scp id_ed25519.pub rshep...@salmo.appl-ecosys.com:/home/rshepard/.ssh/authorized_keys
The authenticity of host '[salmo.appl-ecosys.com]: ([192.168.55.1]:

Re: [PLUG] Generating id_ed25519 key pair
On Wed, 19 Apr 2023, Johnathan Mantey wrote:

> Not -G, -t

Thanks, Johnathan.

Regards,

Rich

Re: [PLUG] Generating id_ed25519 key pair
Not -G, -t

On Wed, Apr 19, 2023 at 10:22 AM Rich Shepard wrote:

> It's been years since I last set up ssh on a host. Reading man ssh-keygen I'm not sure which option to use to generate an ed25519 key pair rather than a RSA key pair.
>
> Is it 'ssh-keygen -G ed25519 -T -P '?
>
> Rich

[PLUG] Generating id_ed25519 key pair
It's been years since I last set up ssh on a host. Reading man ssh-keygen I'm not sure which option to use to generate an ed25519 key pair rather than a RSA key pair. Is it 'ssh-keygen -G ed25519 -T -P '? Rich
Re: [PLUG] Loading ~/.keymap on laptop fails
On Wed, 19 Apr 2023, MC_Sequoia wrote:

> You may need to execute sudo dpkg-reconfigure keyboard-configuration"
>
> Reference - https://askubuntu.com/questions/800871/failed-console-keymap

Mike,

This looks specific to Ubuntu. I run Slackware.

Thanks,

Rich

Re: [PLUG] Loading ~/.keymap on laptop fails
A quick web search turned up this. I ran both commands w/o any problems.

"You should run systemctl status console-setup.service as per suggestion to have a look at the problem."

You may need to execute sudo dpkg-reconfigure keyboard-configuration"

Reference - https://askubuntu.com/questions/800871/failed-console-keymap

Re: [PLUG] 3rd party vpn Defense evasion
-Original Message-
From: PLUG On Behalf Of Ishak Micheil
Sent: Wednesday, April 19, 2023 7:29 AM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] 3rd party vpn Defense evasion

>We shall conquer!

Ah, no you won't. But go ahead and think that if it makes you sleep easier. And if you get seriously annoying to the subs they will start suing you for breach of contract.

Ted

Re: [PLUG] 3rd party vpn Defense evasion
We're chasing this from data science side as well. As far as charting the pattern of activity and flag anomalies.
This should trap the subs since he/she won't be checking email, responding to chat messages etc, or hopefully time of activity could give us clues.

I do agree, there are many VPN commercial services and they will never advertise servers properties, besides there's lots of other open-VPN options.

We shall conquer!

On Tue, Apr 18, 2023, 3:21 PM Ted Mittelstaedt wrote:

> -Original Message-
> From: PLUG On Behalf Of John Jason Jordan
> Sent: Tuesday, April 18, 2023 2:00 PM
>
> >It would be nice if VPN services advertised how effectively they stop others from finding out who and where you really are.
>
> They are never going to do this because they are constantly tweaking their proprietary protocols to get around firewalls, and they don't want the firewall vendors knowing when they made a change to get past firewalls.
> And given who some of the firewall vendors are, and what they do to people they don't like, this is very understandable.
>
> This stuff is getting very advanced nowadays since many firewalls are doing deep packet inspection, and looking specifically for patterns in packet traffic that indicate it is VPN traffic encapsulated in regular http or https traffic. So the proprietary vpn clients will modify the encrypted traffic to make it look like regular https traffic.
>
> Never forget that for you, me, and probably all the readers of this list, that creating using blocking and messing around with VPNs is really mainly an intellectual exercise, but that there are many people in the world in places like Russia and China where a secure VPN means not having people breaking their doors down in the middle of the night and hauling them off to prison - or worse.
>
> Ted

[PLUG] Loading ~/.keymap on laptop fails
I'm setting up my Lenovo T430 with Slackware64-15.0. In ~/.bash_profile is the command to load ~/.keymap. This fails to work and I've had the same issue with other laptops, but never on desktops.

Because I never use the CAPS LOCK key, but consistently use the CTRL key I've always swapped the two on the left side of the keyboard.

I'd like some ideas on how to determine why it doesn't load and how to get it working in both consoles and virtual terminals when X is running.

TIA,

Rich

Re: [PLUG] 3rd party vpn Defense evasion
I'm pretty sure I saw J Jason Jordan on the TV the other day railing that Spider Man is public enemy number 1. :)

On Wed, Apr 19, 2023 at 1:50 AM Michael Rasmussen wrote:

> On 2023-04-18 12:01, Ishak Micheil wrote:
>
> > John is a contractor, hires someone else to do the work. Vdi setup, he shares his creds with the subcontractor who possibly actually in a different country. Using VPN services prior to logging in to mask their locations .
>
> Ahh, you've discovered the root of your problem: J Jason Jordan is a terrorist as he wrote in his post earlier in this thread.
>
> --
> Michael Rasmussen
> Be Appropriate && Follow Your Curiosity

Re: [PLUG] 3rd party vpn Defense evasion
On 2023-04-18 12:01, Ishak Micheil wrote:

> John is a contractor, hires someone else to do the work. Vdi setup, he shares his creds with the subcontractor who possibly actually in a different country. Using VPN services prior to logging in to mask their locations .

Ahh, you've discovered the root of your problem: J Jason Jordan is a terrorist as he wrote in his post earlier in this thread.

--
Michael Rasmussen
Be Appropriate && Follow Your Curiosity