ihc童鞋@提不起劲 ihciah

🔐 macOS OpenSSH Patcher for Hardware Security Keys

Supports ED25519-SK with Yubikey and other FIDO2 hardware security keys!

🤔 Discussion

Despite being compiled to support hardware security keys that take advantage of the FIDO2 protocol, the built-in OpenSSH client on macOS Sonoma and above lacks the middleware/library to support these devices. To keep using the built-in client - which is often the most stable and secure method for SSH connections - we need to compile the Security Key Provider from OpenSSH source and tell the macOS client about it ourselves.

This script does all of that for you on both Apple Silicon and Intel Mac computers!

The script installs openssl and libfido2 along with the required build tools from Homebrew. It then clones the latest main branch of OpenSSH Portable and builds from it the Security Key Provider library: sk-libfido2.dylib. It finally moves the built library to /usr/local/lib/, modifies ~/.zshenv to expor

Common

export OPT=/opt
export BUILDS=/some/where/mini_linux
mkdir -p $BUILDS

Linux kernel

Achieving warp speed with Rust

朴素VPN：一个纯内核级静态隧道

由于路由管控系统的建立，实时动态黑洞路由已成为最有效的封锁手段，TCP连接重置和DNS污染成为次要手段，利用漏洞的穿墙方法已不再具有普遍意义。对此应对方法是多样化协议的VPN来抵抗识别。这里介绍一种太简单、有时很朴素的“穷人VPN”。

朴素VPN只需要一次内核配置（Linux内核），即可永久稳定运行，不需要任何用户态守护进程。所有流量转换和加密全部由内核完成，原生性能，开销几乎没有。静态配置，避免动态握手和参数协商产生指纹特征导致被识别。并且支持NAT，移动的内网用户可以使用此方法。支持广泛，基于L2TPv3标准，Linux内核3.2+都有支持，其他操作系统原则上也能支持。但有两个局限：需要root权限；一个隧道只支持一个用户。

朴素VPN利用UDP封装的静态L2TP隧道实现VPN，内核XFRM实现静态IPsec。实际上IP-in-IP隧道即可实现VPN，但是这种协议无法穿越NAT，因此必须利用UDP封装。内核3.18将支持Foo-over-UDP，在UDP里面直接封装IP，与静态的L2TP-over-UDP很类似。

	// This is a technique to emulate lifetime GATs (generic associated types) on stable rust starting
	// with rustc 1.33.
	//
	// I haven't seen this exact technique before, but I would be surprised if no one else came up with
	// it. I think this avoids most downsides of other lifetime GAT workarounds I've seen.
	//
	// In particular, neither implementing nor using traits with emulated lifetime GATs requires adding
	// any helper items. Only defining the trait requires a single helper trait (+ a single helper impl
	// for the 2nd variant) per GAT. This also makes the technique viable without any boilerplate
	// reducing macros.

	extern crate ring;

	use ring::aead::*;
	use ring::pbkdf2::*;
	use ring::rand::SystemRandom;

	fn main() {
	// The password will be used to generate a key
	let password = b"nice password";

	interface=wlan0

	# --------------------------------------
	bss=wlan1
	ssid=EAP
	# IEEE 802.11 specifies two authentication algorithms. hostapd can be
	# configured to allow both of these or only one. Open system authentication
	# should be used with IEEE 802.1X.
	# Bit fields of allowed authentication algorithms:
	# bit 0 = Open System Authentication



	Movement:

	j, k down, up
	h, l left, right (in some contexts)
	space page down
	pg up/down page up/down
	arrows up, down, left, right

	# -- coding: utf-8 --
	#!/usr/bin/env python
	#
	#__author__= '[email protected]'

	import urllib,urllib2

	def login(username, password):
	url="http://10.108.255.249/include/auth_action.php"
	data={"username": username,