Hacker News | mmh0000's comments

Until recently, Podman used slirp4netns[1] for its container networking. About two years ago, they switched over to Pasta[2][3], which works quite a bit differently.

[1] https://github.com/rootless-containers/slirp4netns

[2] https://blog.podman.io/2024/03/podman-5-0-breaking-changes-i...

[3] https://passt.top/passt/about/#pasta-pack-a-subtle-tap-abstr...


`-c none` hasn't worked in SSH for at least a decade.

The `none` option was for SSHv1, which was already quite old when it was fully removed in OpenSSH 7.6 in 2017[1].

https://www.openssh.com/releasenotes.html


Now that you mention it, I think that probably was around the last time I used it. Time flies.


This has been a "need" for a long time for home users with FDE. The go-to software solution for Linux has been:

https://github.com/gsauthof/dracut-sshd


Sure, if you're using dracut, which is not true for "Linux" in general.


Most Linux distros are not Arch either. It would be nice to have more support for this use case in general - like something one can configure easily during the initial OS setup.

I use OpenSuse so I had to use the guide for Fedora, but there were some differences as far as I remember.


Dracut is used by default on:

Fedora, RHEL, CentOS, Rocky, Alma, Arch, and Gentoo

Dracut is available on:

Debian and Ubuntu

That covers most common Linux distros.

-

Personally, I'm using this on Fedora.


"Fedora, RHEL, CentOS, Rocky, Alma" are all the same distro group: Enterprise Linux (EL). That it's "available" on other distros is irrelevant; almost anything is "available" as a non-standard choice for any distro.


I have a setup based on this, but I modified it to encrypt the SSH host key using the TPM. That way, I can detect a MiTM from an attacker who has stolen the drive or modified the boot policy because host key verification will fail.

/usr/lib/dracut/modules.d/46cryptssh:

    #!/bin/bash

    # Dracut module: ship an SSH host key into the initramfs whose passphrase
    # is sealed to the TPM (PCR 0 and 7), so the pre-boot sshd presents a
    # host key that cannot be lifted off a stolen drive.

    check() {
        require_binaries sshd || return 1
        return 0
    }

    depends() {
        return 0
    }

    install() {
        # First run only: generate a passphrase-protected ed25519 host key and
        # seal the passphrase under the owner hierarchy with a PCR 0,7 policy.
        # Every step is chained with && so that a failure anywhere removes the
        # half-built state and aborts the image build rather than shipping a
        # key whose passphrase was never sealed.
        if [ ! -e /etc/ssh/dracut ]; then
            tmp=$(mktemp -d) &&
            mkdir /etc/ssh/dracut &&
            head -c128 /dev/random > "$tmp/passphrase" &&
            ssh-keygen -t ed25519 -f /etc/ssh/dracut/ssh_host_ed25519_key -N "$(base64 < "$tmp/passphrase")" &&
            tpm2_createprimary -C o -c "$tmp/primary.ctx" &&
            tpm2_pcrread -o "$tmp/pcr.bin" sha256:0,7 &&
            tpm2_createpolicy --policy-pcr -l sha256:0,7 -f "$tmp/pcr.bin" -L "$tmp/pcr.policy" &&
            tpm2_create -C "$tmp/primary.ctx" -L "$tmp/pcr.policy" -i "$tmp/passphrase" -c "$tmp/seal.ctx" &&
            tpm2_evictcontrol -C o -c "$tmp/seal.ctx" -o /etc/ssh/dracut/seal || {
                rm -rf "$tmp" /etc/ssh/dracut
                exit 1
            }
            rm -rf "$tmp"
        fi

        # Host key pair and the serialized persistent handle become /etc/ssh/* in the image
        for file in /etc/ssh/dracut/*; do
            inst_simple "$file" "/etc/ssh/${file#/etc/ssh/dracut/}"
        done

        mkdir -p -m 0700 "$initdir"/root/.ssh
        /usr/bin/install -m 600 /etc/ssh/dracut_authorized_keys "$initdir"/root/.ssh/authorized_keys

        # sshd plus what the unit needs to unseal and strip the passphrase at boot
        inst_binary /usr/sbin/sshd
        inst_binary /usr/sbin/ssh-keygen
        inst_binary /usr/bin/tpm2_unseal
        inst_binary /usr/bin/base64
        inst_simple /usr/lib/libtss2-tcti-device.so

        inst_simple "$moddir"/cryptsshd.service "$systemdsystemunitdir"/cryptsshd.service
        inst_simple "$moddir"/sshd_config /etc/ssh/sshd_config

        inst_binary /usr/lib/ssh/sshd-session
        inst_binary /usr/lib/ssh/sshd-auth

        # Privilege-separation directories and lastlog that sshd expects to exist
        mkdir -p -m 0755 "$initdir"/var/empty/sshd
        mkdir -p -m 0755 "$initdir"/usr/share/empty.sshd
        mkdir -p -m 0755 "$initdir"/var/log
        touch "$initdir"/var/log/lastlog

        systemctl -q --root "$initdir" enable cryptsshd
    }
cryptsshd.service:

    [Unit]
    Description=OpenSSH Daemon for Disk Encryption Passphrase
    DefaultDependencies=no
    Before=cryptsetup.target
    After=network-online.target
    
    [Service]
    Type=notify-reload
    ExecStartPre=/bin/sh -c '/usr/bin/ssh-keygen -p -f /etc/ssh/ssh_host_ed25519_key \
        -N "" -P "$(/usr/bin/tpm2_unseal -c /etc/ssh/seal -p pcr:sha256:0,7 | base64)"'
    ExecStart=/usr/bin/sshd -D
    KillMode=process
    Restart=always
    
    [Install]
    WantedBy=sysinit.target
That encrypts the SSH host key using a password sealed with PCR7, which is invalidated if an attacker disables Secure Boot or tampers with the enrolled keys. Thus, an attacker can't extract the key from the drive or by modifying the kernel command line to boot to a shell (since that's not allowed without disabling secure boot).

It's still probably vulnerable to a cold boot attack, since the key is decrypted CPU-side. It would be interesting to perform the actual key operations on the TPM itself to prevent this.
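The setup above stands or falls on the sealed passphrase becoming unrecoverable once PCR 7 changes. The script below is an added example, not the commenter's code, and reproduces what `tpm2_createpolicy --policy-pcr -l sha256:0,7 -f pcr.bin` computes: the TPM2_PolicyPCR digest from TPM 2.0 Part 3, extended from an all-zero trial-session digest over the command code, the marshalled TPML_PCR_SELECTION and a hash of the selected PCR values. It then models the TPM's unseal decision against a PCR 7 that reflects Secure Boot being disabled. It assumes the SHA-256 bank with a 3-byte select bitmap (what tpm2-tools emits for a 24-PCR bank); the PCR values are constructed sample data, not values read from a TPM.

```python
"""Recompute a TPM 2.0 PCR policy digest (TPM2_PolicyPCR):

    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))

`pcrs` is the marshalled TPML_PCR_SELECTION; a trial session starts from all zeros.
Added example for illustration; PCR values below are constructed, not read from hardware.
"""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code from TPM 2.0 Part 2
TPM_ALG_SHA256 = 0x000B          # TPMI_ALG_HASH for SHA-256
PCR_SELECT_BYTES = 3             # sizeofSelect for a 24-PCR bank (assumed; matches tpm2-tools)


def pcr_selection(pcr_indices, alg=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION with one bank: count, hashAlg, sizeofSelect, bitmap."""
    bitmap = bytearray(PCR_SELECT_BYTES)
    for idx in pcr_indices:
        if not 0 <= idx < PCR_SELECT_BYTES * 8:
            raise ValueError(f"PCR index out of range: {idx}")
        bitmap[idx // 8] |= 1 << (idx % 8)
    return struct.pack(">IHB", 1, alg, PCR_SELECT_BYTES) + bytes(bitmap)


def pcr_policy_digest(pcr_values, pcr_indices=(0, 7), old_digest=None):
    """Extend a policy digest with TPM2_PolicyPCR over the given PCR values.

    pcr_values: {pcr_index: 32-byte SHA-256 PCR value}. Selected values are
    hashed in ascending PCR order to form digestTPM.
    """
    if old_digest is None:
        old_digest = bytes(32)  # fresh trial session: policyDigest is all zeros
    for i in pcr_indices:
        if len(pcr_values[i]) != 32:
            raise ValueError(f"PCR {i}: expected a 32-byte SHA-256 value")
    ordered = b"".join(pcr_values[i] for i in sorted(pcr_indices))
    digest_tpm = hashlib.sha256(ordered).digest()
    h = hashlib.sha256()
    h.update(old_digest)
    h.update(struct.pack(">I", TPM_CC_POLICY_PCR))
    h.update(pcr_selection(pcr_indices))
    h.update(digest_tpm)
    return h.digest()


# Constructed sample bank: PCR 0 stands for platform firmware, PCR 7 for Secure Boot state.
SAMPLE_PCRS = {
    0: hashlib.sha256(b"sample PCR0: platform firmware").digest(),
    7: hashlib.sha256(b"sample PCR7: secure boot enabled, vendor db").digest(),
}
# Same machine after Secure Boot is disabled or a foreign key is enrolled: only PCR 7 differs.
TAMPERED_PCRS = {**SAMPLE_PCRS, 7: hashlib.sha256(b"sample PCR7: secure boot disabled").digest()}


def unseal_allowed(auth_policy, current_pcrs, pcr_indices=(0, 7)):
    """Model the TPM's check: unsealing succeeds only when the session digest rebuilt
    from the *current* PCR values equals the sealed object's authPolicy."""
    return pcr_policy_digest(current_pcrs, pcr_indices) == auth_policy


if __name__ == "__main__":
    policy = pcr_policy_digest(SAMPLE_PCRS)
    print("authPolicy:", policy.hex())
    print("unseal with original PCRs:", unseal_allowed(policy, SAMPLE_PCRS))
    print("unseal after PCR 7 change:", unseal_allowed(policy, TAMPERED_PCRS))
```

Feeding it the two 32-byte values from a real `pcr.bin` should reproduce the bytes in `pcr.policy`, which is a useful sanity check that the sealed object is bound to the PCRs you think it is. The model also makes the limit of the scheme visible: PCR 0 and 7 bind the passphrase to firmware and Secure Boot state, not to the hash of the kernel or initramfs, so the protection rests entirely on Secure Boot refusing to run unsigned or modified boot components.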


If true. And I put a big if on that.

I WILL be buying their flagship model.

My go to for Graphene has been used Pixels from eBay. Because I can’t give money to Google in good conscience.


Doesn't buying a used pixel encourage the sale of new pixels by demonstrating a healthy resale value?


I don't think the market of people buying used phones for the purpose of graphene is going to make a dent in profits for Google. It raises resale value maybe by say, $0, considering the price is set by the average consumer


Well then buying them directly from Google would have no effect either.


Except that Google would then get the profits

It's not about Google, it's about OP's personal values


But if you think buying on the secondhand market doesn't impact the market, why do you think buying from the OEM does?

It's one phone's worth of demand either way.


Nobody is buying Pixels specifically to resell them. If anything, their fast reduction in value makes them less attractive.

First hand = money goes directly to Google including margin

Second hand = money only goes to a private person, $0 for Google. At best it prevents usable phones being thrown into landfill.


> If anything there fast reduction in value makes them less attractive.

Right. And if you buy a secondhand one you are increasing their value on the secondhand market. Reducing the depreciation increases the value of the brand new phone.


That was addressed further up: https://news.ycombinator.com/item?id=47243976


No it wasn't. That's the exact point I'm refuting.

If you don't think voting with your wallet works, then that is a position you can take. But you can't think it works when buying from the OEM but doesn't work when buying on the secondary market.


Sure you can, because you're talking about different inputs in your supply and demand scenario. You're also talking about different opportunity costs for the OEM, different incentives, and different outcomes. You're also assuming the person selling their Pixel is buying another Pixel, and not switching to a device made by a different OEM.

And ultimately, if buying it on the secondary market in such small numbers that it doesn't move the market, then it adequately addresses the concern.

Edit: I'm not saying there's zero effect of it, but it's likely statistically insignificant.


I never considered resale value when buying a phone. Is that really something people look for?


I often hear resale talk from iPhone buyers.


How much of that is self-justification for convincing themselves to buy something expensive?


That depends on what you consider a healthy resale value. I bought my Pixel 6a with no issues for 100EUR :-) (and not because I care about Google's business, I don't have gapps in my phone, I just like good deals/VFM)


Yes, because everyone is a perfectly rational agent in the economy.


Didn't know more people are doing this. I am also using a used Pixel 4a which I got from eBay. Still has good battery. I don't see any reason to upgrade any time soon.


Speaking of battery, veeeeery soon phones will have mandated replaceable batteries in the EU. I'm just hoping my current moto (a $99 job perfectly adequate for absolutely everything I do) survives until then.

Aside: I've noticed over the years that phones die in one of the following ways:

- too fast charging (battery dies, charge controller dies)
- USB port dies
- screen broken
- all sorts of falls

A leather folio case, gorilla glass, and a Qi charging adapter solve all of those problems (the charging adapter also limits the current by virtue of being inefficient). It has a magnetic connector (it's a simple two-pin job and it doesn't have any issues). On the rare occasion I want to charge up real quick, I can still hook up directly via USB-C, and meanwhile the port is stuffed with the converter's plug, which prevents it from accumulating dirt and fluff.

I'm glad to say that even despite many falls, some directly onto the screen, the phone itself still works very well, even if the case and glass protector are obviously ragged.

I hope once unlockable Motos come around I'll be able to keep that one for a long while as well.


When you say replaceable, do you mean repairable or swappable? Like, does it need to be done without tools (probably takes <1 minute) or would it take me 2 hours with a load of tools (no change from today) just that there's a legal requirement for them to be commercially available?

Fwiw, besides people that crack the screen I have not seen any of the failures you've mentioned. The only phone I saw someone replace, for reasons other than software support, was myself because the gnss chip was cooked after 3 years (would track me perfectly, like if I step to the right it would notice, but with an offset of hundreds of metres so I'm in another town). All other phones I've owned are still perfectly functioning (the oldest Android phone I have, 2012, has a more reliable battery than my daily driver!), I don't use any case or screen protector. They're just software-wise obsolete because no updates and developers require the newer android apis


well, it isn't receiving security updates https://grapheneos.org/faq#device-support


imo the RAM bloat/overly aggressive OS. on a similar aged device without zswap I couldn't run more than one maybe two things without the OS killing everything in the background. I think it was better before I got stuck updating to 15


Security patches.


and support for hw memory tagging :p


Imagine downvoting “security patches” on Hacker News.


I too have been buying used Pixels, mostly for environmental reasons. But from a local shop phonebot. Got 3 phones from there, no issues at all.


Buying used introduces such a big supply chain risk. I stay safe by buying direct and asking the NSA not to open the shipment in the order notes.

(y’all know this one https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa... )


What is the supposed threat model here?

Mr. Rich Guy sells me his personal device he used in the previous year because he wants a new shiny phone, but he may have the very slightest chance of being a super evil genius? The government selling tampered phones on eBay, when they could just... go directly to vendors and put their backdoors directly into new phones/software?

Sorry for the light snark, but this attack vector seems way too complicated for not much benefit. Unless you are some very VIP person being personally targeted.


Futility I suppose, joking around about how we can’t win :)

b/c as seen in the link buying new isn’t perfect


I put GrapheneOS on the phone myself.

I wouldn't trust the OS shipped with a used phone.

NSA could technically do this with a new phone also and probably has.


Def gotta wipe used stuff.

I have read comments from people who buy the new iPhone on day one but do a factory reset before touching it!


You should really try to buy any phone used if you can, whether Pixel or Google or not.


Why?


For the environment? To reduce e-waste? And you'll almost certainly save substantial money too.


How good is it for the environment / e-waste? If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.

If I said "I buy new phones regularly, but I sell them in second hand, for the environment". Would you consider I actually make an effort for the environment?


> If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.

Because when someone says "buy used" they're obviously telling you to buy the antiques your grandma used to love back in the day on an annual basis. Anything newer than that especially from the last year or two would be new and insane to consider, especially if you keep it more than a year. You really owned me with the flawless argument there.


I don't understand what you say, but you sound like you did not like my question.

I was merely pointing out that "buying used" is not necessarily better than "buying new but keeping for 8 years". Many people "buy used" but often.


"Surveillance Camera Man"[1] makes a good practical example of it.

[1] https://www.youtube.com/watch?v=X9sVqKFkjiY


Wow. It’s scary to think this person votes.

A dude makes a series of terrible decisions. Decides to not learn from any them. Then blames society. Okay.

But my early story is eerily similar to his. Except instead of just my dad dropping out to do drugs, so did my mom. I grew up constantly moving between women's shelters, random people's couches and storage units.

And while he was in rural Oregon, I was in rural Idaho.

I ditched my parents as soon as I could. I worked basic non-silicon valley tech jobs. Moved from help desk ticket closer to actual IT career. No college, no money or time for it. Did alright.

Yeah life would have been a fuckton easier if I had supportive parents. But I’m in a good place and what I did wasn’t magic or luck. It was simply get basic job. Get shit apartment. Get slightly better job. Repeat.

This dude is deep in incel territory, which you can tell from the incel words he drops throughout his rant.

This dude says he never expected or needed any hand outs but several paragraphs earlier was complaining that the food bank didn’t provide vegan food. Ooohhh Kay. I have a lot of thoughts about both those statements. But dang dude. Maybe if you’re starving you should take any food you can get and deal with the rich people virtue signaling once you can afford to eat.

(To clarify on the above, being vegan is fucking great. It’s good to not kill animals… but you gotta take care of yourself before you take care of a cow.)

Yeah, parts of the system are screwed up. Yeah, some people get a really unfair hand. But this guy was in generally good health, should have had health insurance through these crap jobs he was complaining about for his skateboard thing. (Which is another wtf that shows total lack of risk analysis. Who chooses skateboarding as a hobby when you can't afford a doctor? Jeez. Take up running.)


You, especially as someone who has "been there", nailed it.

And congrats on taking personal responsibility rather than blaming others and society for your bad decisions (and I'm betting that you, like most of us, have made some bad decisions from time to time - but try to learn from them rather than wallow in them).


You were absolutely lucky. And nobody had health insurance at a $10/hr job in 2004


My first job was Call Center tech support for eMachines (through a random 3rd-party contractor called "Alorica") at a whopping $7.25/hr in 2003.

It had health insurance. Not great insurance, mind you, but insurance. It would cover ER-type emergencies and had something like a $100 co-pay for standard visits. It was basically "don't go to the doctor unless you're actually dying insurance," and if you're in generally good health, like I was, or the author of this article. It's "good enough".

My next job after that was sales-drone at CompUSA for a whole 7.65/hr. But they had slightly better insurance. Then they went out of business. And my job after that was as a phone agent at Delta Airlines, starting at $8.50/hr and rising to $11.77/hr when I left.

It wasn't until 2007 that I got my first real tech-job. And it was still customer service. But it paid $15/hr and had "normal" insurance.

I fully realize the insurance situation is f'ed. And those in less good health get quite screwed. But, this guy... This guy caused himself a lot of his own problems.


lol calling Python lightweight:

  ⟩ dnf install --downloadonly --installroot /tmp/yourmom python3
  …SNIP…
  Transaction Summary:
  Installing:        59 packages

  Total size of inbound packages is 33 MiB. Need to download 33 MiB.
  After this operation, 118 MiB extra will be used (install 118 MiB, remove 0 B).
  The operation will only download packages for the transaction.

Don't get me wrong, Python is a great many things. Easy to use, surprisingly fast for a scripting language, and well documented. But not lightweight.

(( The Windows version is 110MiB after decompression. ))



Yes. For one simple reason: as vi is part of the POSIX standard[1], it is guaranteed to be installed on all unix(-like) machines you may touch now or in the future.

[1] https://pubs.opengroup.org/onlinepubs/9699919799/


I generally use iSH[1] for my iPhone to Linux needs. Specifically, I like it because it's a standard Linux distribution with OpenSSH. Meaning all the things work like sftp, ssh, tunnels, and local clients like `mysql` tunneled through ssh

[1] https://apps.apple.com/us/app/ish-shell/id1436902243


I use iSH too and love that I have all my standard CLI tools available, or can just install ones I want.

But using the ssh client in iSH to interact with TUI interfaces is a less than optimal experience. Many nice UI affordances that something like Terminus provides are lacking. Like using swipes as input, key management tools, or using location monitoring as a trick to keep it running in the background. Definitely excited to check out this new Echo client.


I also love iSH. However, I haven't been able to run agents directly from my phone on it like I would hope.

I spent a few hours trying to get GitHub Copilot CLI or Claude Code installed only to discover that the version of Node is pegged to 14, which prohibits installation of several of these tools via NPM.

Has anyone had success with this? I'd love to see the packages updated to support later versions

