Saturday, December 11, 2021

Installing wget on MacOS from source

I recently had the time-consuming pleasure of trying to get wget onto my Mac ... without using homebrew.  Don't get me wrong, I think homebrew is a really helpful project, but it also kind of feels like curling a script and piping it into a root shell.  Here's what I did (on MacOS Monterey) to build and install from source.

Step 1: You're going to need either OpenSSL or gnutls libraries (not just the binary) in order to build it.  I chose OpenSSL.  Honestly, I picked it simply because it was the only one I could get to compile.

git clone git://
cd openssl
make -n install   # Dry run, for a sanity check.
sudo make install # Actually do the install.

Step 2:  Now you can compile wget -- we just need an extra flag in the configure step, to tell it we're using OpenSSL.  The last command here updates your wget config to tell it where to find the trusted TLS certificates on a Mac.

curl -o wget.tar.gz
tar -xzf wget.tar.gz
cd wget-*
./configure --with-ssl=openssl
make -n install   # Sanity check.
sudo make install # VĂ¡monos.

echo 'ca-certificate=/etc/ssl/cert.pem' >> ~/.wgetrc

There you go!  Three hours of your life back.

Sunday, September 26, 2021

Opening the Garage with a Wave of My Hand

So here's the story.  To get into my building's garage, I need to wave an rf-enabled key at a reader.  Problem is that I ride, so I have gloves on.  I have to stop just before the gate, take a glove off, fish the key out of my pocket, stuff it into my other glove, put the first glove back on, then ride up to the gate, scan, and ride in with it still in my glove, fully expecting it to fall out on the way.

A blue cloner, a blue keyfob, and an empty tequila glass.
I don't know how many commas I used enumerating that long sequence of events.  Clearly too many.  Something must be done.  Think of the children.

(Attention span ruined by TikTok?  TL;DR: get a cheap blue writer and copy your fob to a ring with a read-write T5577 chip in it.)

So, I know that people are getting teenty-tiny rfid chips crammed into their hands.  What if I could glue/sew one of those onto my gloves?  (Spoiler: I ended up going a different way.)  Then I could just ride up, wave my glove, and ride on in!

Step one was to try to duplicate the key at all.  So I popped over to eBay and looked for a duplicator.  The popular match (a blue thing from China) says it's for 125 KHz and a quick search on the interwebs indicated that my keyfob likely is one.  They all come with a few blanks included, even.  I found a US shipper and committed twelve dollars to the experiment.

It arrived, I tried it out (beep boop!) and the duplicate fob it made worked just fine on the garage.  (And the building front door and the elevator.)  I enlisted friends and made copies of their keys for them -- those also worked!

Alright, now to duplicate my key onto a teeny-tiny chip.  That did not go so well.  I mean, I completely got the wrong type of chip, had no idea what I needed, and utterly failed.  (Though now I know exactly which one I needed.)

A simple black ring

There's something really magical about showing people how easy it is to clone these things.  Particularly because there's something really magical about how your apartment building wants to charge you a hundred bucks if you ask them for a spare copy.  These things cost fifty cents, dudes!  (There's a reason why land owners are the first against the wall when the revolution comes.)

Back to the project though.  During my research I discovered that you can actually get a ring with a chip in it!  Add to cart! Ship it!

And ... success!  Now when I ride, I put on my ring, and opening the garage is just a wave of my hand.  Total cost of the parts (that worked) is under fifty bucks.  And my friends love me because I can make them spares, too.  This was a good project!

Sunday, August 30, 2020

Running Kali 2020.3 on an original GPD Pocket

I recently needed to dust off my wifi skills, and to keep a low profile, I use my GPD Pocket laptop.  My install of Kali was old, so I decided to see if I could load Kali 2020.3 on it.  After much searching and futzing about, it turns out almost everything works right out of the box.  You need a couple files, some settings, and a trick with the installer.  I also found the archlinux wiki page on GPD really useful, oddly enough.
  • Run the text-mode installer.
  • When you're asked to load the brcm files from a USB drive, say "no."
  • It will successfully find all the APs around you, so select yours.
  • But, it *won't* be able to negotiate WPA2 without the missing files.
  • Tell it you're using an open wifi network.
  • Let this fail.  (If you'd told it WPA2 it it would be in a loop of failing and re-asking you the PSK.)
  • Now, select the option to continue without a network connection.
  • Install and reboot.
  • Log in to your new system.
  • (If your screen is rotated, click to the Kali logo, pick Settings, then Display, and set Rotation to "Right.")
  • Put a copy of this brcmfmac4356-pcie.gpd-win-pocket.txt file on a USB drive.  (Kali can read FAT.)
  • Write a copy into /lib/firmware/brcm/brcmfmac4356-pcie.gpd-win-pocket.txt on Kali.
  • Reboot.  (I know, I know, I could use modprobe.)
  • Log in to your system.
  • Click the Kali icon, choose Settings, then Advanced Network Configuration.
  • Double-click your SSID.
  • Go to the Wi-Fi Security tab.
  • Update your settings to reflect that you use WPA, and provide a password.
  • Save

You'll also need to tweak the touchscreen configuration, which doesn't know it is rotated, yet.

  • Edit /usr/share/X11/ xorg.conf.d/40-libinput.conf
  • Inside the "InputClass" stanza for "libinput touchscreen" add this:
  • Option "CalibrationMatrix" "0 1 0 -1 0 1 0 0 1"
  • Restart

Tuesday, September 19, 2017

Build a Puppet 5 Master on CentOS 7 -- Hella Quickstyle

Want get going with Puppet 5, but you're in some sort of an insane hurry?  Let me walk you through a "hella quickstyle" install of a Puppet 5 master on CentOS 7.  Starting with a completely new, base CentOS 7 system, here's what to do, as root.

Install the Master

I'll be using Puppet Labs' own yum repositories for the install.  The repository definition can be installed by grabbing an RPM.

  rpm -Uvh

Now it's a piece of cake to install the puppetserver package and its dependencies.

  yum -y install puppetserver

The default configuration has the master's JVM start with a 2 gb heap size.  That's way more than I need.  (Your mileage will vary.)  Let's bring that size down.

  sed -i -e 's/-Xms2g -Xmx2g/-Xms128m -Xmx512m/' /etc/sysconfig/puppetserver

Now I can start up the Puppet server.

  systemctl start puppetserver

If you like, make a symlink to the puppet binary in /usr/local/bin.

  ln -s /opt/puppetlabs/puppet/bin/puppet /usr/local/bin/puppet

The package adds configuration for the master, but not the agent, so I'll add a stanza telling the agent to fetch catalogs from itself.

  cat >> /etc/puppetlabs/puppet/puppet.conf <<EOF
    server = `hostname -f`

Now the agent should be able to run.

  puppet agent --test

Finally, I'm going to tell firewalld to allow TCP connections to port 8140, so that other nodes can request catalogs from my master.

  cat > /etc/firewalld/services/puppetmaster.xml <<EOF
  <?xml version="1.0" encoding="utf-8"?>
      <description>Puppet Master</description>
      <port protocol="tcp" port="8140"/>

  firewall-cmd --permanent --add-service=puppetmaster   # may take two tries
  firewall-cmd --reload

Add PuppetDB

Next, I'll use Puppet to install and configure PuppetDB.  First, I need to install a module.  I'm not going to use r10k to manage the modules I need, but in the real world, you probably would.  I'm just going to use the Puppet Module Tool to throw it directly into the production code environment.

  puppet module install puppetlabs-puppetdb

Now I classify my master with puppetdb classes.  I'm going to add a node definition for my master to the site.pp manifest.  (And I'll add a default node, for the future.)  When I declare the puppetdb class, I'll tune my memory requirements down, and tell it not to manage my firewall.

  cat >> /etc/puppetlabs/code/environments/production/manifests/site.pp <<EOF
  node '`hostname -f`' {
    # Install and configure PuppetDB
    class { 'puppetdb':
      java_args => { '-Xms' => '128m', '-Xmx' => '256m' },
      manage_firewall => false,
    # And configure the master to use PuppetDB
    include puppetdb::master::config

  node default {
    notify { 'Default node definition ... no classification found!':}

Let's make sure it's working.  First, do an agent run, which should make the master submit a report to the PuppetDB.

  puppet agent --test

And now try a (convoluted) curl request straight into the local PuppetDB, to list nodes that are classified with the "Puppetdb" class.  Note: if you adapt and re-use this later, make sure to run it from the master.

  curl -X GET \
    --tlsv1 \
    --stderr /dev/null \
    --data-urlencode "query=[\"and\",[\"=\",\"type\",\"Class\"],[\"=\",\"title\",\"Puppetdb\"]]" \
    --cert   $(puppet config print hostcert) \
    --key    $(puppet config print hostprivkey) \
    --cacert $(puppet config print localcacert) \
    https://`hostname f`:8081/pdb/query/v4/resources | python -m json.tool

Add Agent Nodes

For quick reference, here are the steps to add just the Puppet agent to a node.  All you need to do is add a yum repo, install the puppet-agent package, aim it at your new master, and run.  Make sure  to replace FQDN_OF_YOUR_MASTER in the example below.

  rpm -Uvh
  yum -y install puppet-agent
  cat >> /etc/puppetlabs/puppet/puppet.conf <<EOF
    server = FQDN_OF_YOUR_MASTER
  puppet agent --test --waitforcert 10

Future Direction

These instructions use the Puppet module tool to install the puppetdb module.  That throws it directly into /etc/puppetlabs/code/environments/production/modules.  Most production-grade Puppet masters use 'r10k' to manage the modules that they need, automatically pulling them from version control or the forge, rather than adding them by hand.  The documentation for r10k is here.