LINUX Unplugged - 570: RegreSSHion Strikes
Episode Date: July 8, 2024

We dig into the RegreSSHion bug, debate its real threat, and explore clever tools to build a tasty fried onion around your system.

Sponsored By:
Core Contributor Membership: Take $1 a month of your membership for a lifetime!
Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged

Links:
💥 Gets Sats Quick and Easy with Strike
📻 LINUX Unplugged on Fountain.FM
Spokane Meetup - No-Li Brewhouse · JB Events on Gathio
Plasma/KRunner Docs — Brent's tip: 'https://search.nixos.org/options?query=\{@}' (the '\{@}' is the magic sauce)
autossh — Automatically restart SSH sessions and tunnels
autossh on GitHub
Spokane Meetup — No-Li Brewhouse, Sat, Jul 13, 2024, 4:00 PM
RegreSSHion — Remote Code Execution Vulnerability In OpenSSH Server
regreSSHion — Remote Unauthenticated Code Execution Vulnerability in OpenSSH server.
NixOS Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP
Nasty regreSSHion bug affects around 700K Linux systems
Qualys CVE-2024-6387 Write-up
Letmein: Authenticating port knocker - Written in Rust — Letmein is a simple port knocker with a simple and secure authentication mechanism. It can be used to harden against pre-authentication attacks on services like SSH, VPN, IMAP and many more.
fwknop: Single Packet Authorization > Port Knocking — fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter
Membership Summer Discount — Take $1 a month of your membership for a lifetime!
Jeff links: How to run non-nix executables?
pick: stu — TUI (Terminal/Text UI) application for AWS S3
Transcript
Perhaps we'll never know, boys, but I have this gut instinct that if you could measure all of the SSH traffic that takes place on corporate lands, analyze and tag and ID it, I think what you would determine is that the bulk of the traffic is computers logging into computers.
What do you think?
I bet you we have way more like automation scripts.
I have buttons here on my stream deck, and there's like a dozen of them.
When I push a button, it's executing a separate SSH connection each time.
So there's just got to be in the total grand scheme of SSH usage, more computers logging
into computers than humans logging into computers.
Oh yeah.
I mean, especially with stuff like Ansible out there in the wild.
And I mean, we all know sysadmins just leave one SSH connection running forever.
Well, we did that.
Back in the day, this is a while ago,
like pre-Tailscale days,
when I had just this industrial-grade
carrier NAT stuff going on.
I wanted a way to remotely connect
into my home systems reliably,
and we came up with a little script
that did a reverse connection back to Linode.
Yeah, right.
We had a VPS, which you could access from anywhere,
and then forwarded the port all the way
from the double NAT machine at home
onto the VPS so you could get into it.
Now, that took care of, you know, doing the tunneling,
getting you into your network.
But we had the secondary problem of,
well, you want this to always be on, and sometimes I'd change carriers, or I could be moving through an
area that just didn't have signal, so I'd have no internet. It needed to restart. Yeah, so at the
time we, you know, just rolled a bash script with some loops and whatnot. But maybe, do we have a systemd
timer that checked? Like, how did we actually get it? Oh, yeah, probably. Yeah, yeah.
But it seems like autossh would have done the job for us.
Yeah, you found something better today, huh?
Yeah, and this is nice because not only will it automatically restart SSH sessions and tunnels,
but it does a few other clever things that just make it nicer.
Plus it adds some monitoring.
It can work with using port forwarding software.
It can do a little bit of alerting.
So this would have probably been a lot cleaner way to do it. Oh, this is nice. You know, of course,
there's tons of ways if you have a mesh overlay network, maybe you don't need this. But I like that you can kind of bring it with you. And it's, you know, you need SSH, you need this,
and then you can get yourself like reliable remote access, maybe just on a temporary basis
to a system for a while, and then quickly tear it all down if you don't need it anymore.
Hello, friends, and welcome back to your weekly Linux talk show. My name is Chris.
My name is Wes.
And my name is Brent.
Well, hello, gentlemen. Coming up on the show today, we're going to dig into that regression bug and then also cover some clever tools to help you protect your SSH server a little bit better.
And then we'll round out the show with some great boosts, an awesome pick, and a lot more.
So before we get any further, let's say time-appropriate greetings to that virtual lug.
Hello, Mumble Room.
Hello, Chris.
Hi, Wes.
And hello, Brent.
Hello.
Aloha.
Thank you for joining us on an early LUP.
In some ways, it's nice that we're recording early because it's a lot cooler out.
We needed to today.
It's going to be a hot one.
Speaking of a hot one, go say hello to our friends over at Tailscale.
Tailscale.com slash unplugged. It is the easiest way to connect devices and services directly to each other, wherever they are, regardless of the network or carrier grade NAT, and it is powered by...
WireGuard.
That's right.
Go build a simple network across complex infrastructure and replace your legacy VPN infrastructure in just minutes and do it for free on 100 devices while you support the show.
It's tailscale.com slash unplugged.
Go check it out.
And thank you to everybody who supports us by going to tailscale.com slash unplugged.
Well, just a quickie, one last mention.
The next Saturday as this episode comes out, July 13th, is our Spokane meetup at the No-Li Brewhouse.
And it looks like it should be really warm.
So make sure, like I always tell my kids, bring your short sleeve pants and short sleeve shirts because you don't want to wear your long sleeve pants.
It's going to be too hot.
Limited sleeve engagement, got it.
Recommendation, at least from us over here.
Yeah.
And rumor has it that these two boys are going to attempt to make it.
We still don't
really know exactly how we're going to do that. I don't even really know when I'm leaving. So,
but Brent, you're going to make it, right? You're going to be there. You confirmed last week.
The week before too, it turns out. Oh yeah. So I will be there. We'll find out how later,
I suppose, but I'm pretty excited for this one. It looks like we've got something like 20 registrations
at meetup.com, so that's always a really good sign.
We usually get more than that who show up.
So, yeah, I think it's going to be a party.
Good.
Critical mass acquired.
That's nice.
I appreciate everybody going over there
because a couple of days ahead of time,
I just want to call No-Li and be like,
hey, we have X amount of people we expect to show up.
So it helps if everybody goes and signs up at meetup.com slash Jupiter Broadcasting.
And then we'll have more in the future as well.
And then before we get into the show, I just wanted to frame a question.
We're going to talk about SSH, and I'm curious how you, the listener, do remote access.
How do you remotely access your systems?
What stack are you using to do it?
And does it work for you? Boost in and let us know
as we get into regreSSHion, which is a remote code execution vulnerability in the OpenSSH server.
Yeah, on July 1st, Qualys went public with a remote code execution vulnerability in OpenSSH
server. But it doesn't affect too many servers, just glibc-based Linux systems that are vulnerable
to the new bug.
Uh-oh.
I have a few of those.
I got a couple.
That means, well, they estimate that, of the something like 14 million possible vulnerable SSH instances that show up on the researchers' scans, Qualys believes that roughly 700,000
of these internet-facing instances could feasibly be hit by regreSSHion.
Wow.
I always think of, too, like the systems that people don't realize maybe have SSH listening,
just appliances that you plug in that the developers use that, and so it's still there.
Somehow it got exposed by mistake, accident.
Mm-hmm.
Now, there's a little bit of good news here so far.
The exploit has really only been seen on 32-bit systems,
but the developers are pretty sure that there's nothing stopping anyone from technically exploiting it on 64-bit systems too.
Just at the time of the write-up,
there hadn't been like a demonstrated proof of concept for those.
Boy.
Might buy you time, but not forever.
That's nice.
Kicking 32-bit while it's down, though.
Yeah, it is down, isn't it?
Okay, Brent, you mentioned it there.
The name is regreSSHion.
That's because it's actually a regression of a previously patched vulnerability, CVE-2006-5051.
2006.
Yeah, it was reported and patched back in 2006.
Oh.
So that's where the name regreSSHion comes from.
And as a result of this, you should check out the links,
if you haven't already, to go look at exactly what versions are impacted
because there's basically like really old versions that were impacted
if they weren't patched for the original version of this
and then a period where SSH was fine, and then the regression appeared.
And then so you've got a batch of newer releases that are all impacted.
So it can get a little technical as to, you know, like which systems.
If you're on a real old LTS, maybe you're not vulnerable.
But if you're too old, you are again.
So are you saying if you've last patched your system in 2007, you're good to go?
Seems like.
Oh, boy, Brent, maybe that'll be your trick with that openSUSE Tumbleweed system.
Don't get me started.
That's your strategy, maybe.
This is fascinating.
I mean, it's a spread, right?
It means a decent little spread of systems.
And, of course, ultimately it means the flaw would allow an attacker to take control of the affected system.
They don't need a password, and that's why this is a really big problem.
Right, that's why we're talking about it. This is OpenSSH.
This is the thing that might be your only guard post to get into your remote access.
It's how you get in, and it's how someone else could get in, too.
That sound you hear in the background, I'm sorry, I have to apologize.
That is the OpenBSD users laughing at us, because they are not affected by this.
So they can ignore all of this, thanks to tweaks that were made back in 2001.
Way ahead of the game.
Yeah.
Qualys noted in their research, quote,
this vulnerability, if exploited, could lead to full system compromise
where an attacker can execute arbitrary code with the highest privileges,
resulting in complete system takeover, installation of malware,
data manipulation, and the creation of backdoors for persistent access.
It could facilitate network propagation,
allowing attackers to use compromised systems as a foothold
to traverse and exploit other vulnerable systems within the organization.
So pretty much everything.
The old classic island hop.
Okay, so this doesn't sound great,
but what are the chances that we really see it sort of
abused at scale? Well, so far, folks are hopeful because, I mean, to start, right, we know that,
at least so far, it's mostly 32-bit systems that are impacted, and there's fewer and fewer of those
online and on the net these days. Also, the attack can take as long as eight hours to complete
and might require something like 10,000 authentication steps.
Oh, man.
That's according to some folks over at Kaspersky.
Yeah, the delay results from a defense that's already in place in SSH known as address-based layout randomization,
which changes the memory addresses where executable code is stored.
So that's why they got to keep kind of redoing it until they get things just right for the vulnerability
to work. Ah, perhaps
part of the reason why it's easier to exploit
on 32-bit systems. Yeah, it seems like
things just line up a little better in that case.
Okay. And
if you need to make all these authentication steps,
if you're trying to attack a public server that might
already be getting hammered
in SSH attempts,
there's a global rate limit and your
authentication attempts kind of have to, like, fit into those.
Right.
So, so far, it's not especially easy to just sort of mass apply.
You can do it, but it might be more used at perhaps more targeted places to start with.
And we're going to talk about some tooling too that would help in these particular situations
in a bit.
We should note too, if you can't patch right away, there is a mitigation you can do.
It does leave you open to a denial of service attack
if folks keep hammering at you,
but that's better than having root on your box.
Yeah, yeah, this is one of those where we want to talk about it
not to freak everybody out because, like Wes just said,
it's not a super high likelihood.
A lot of limitations and specifics to make this work,
and like we've mentioned so far, it seems pretty tough.
But as time goes on, entrepreneurs out there will figure out ways to make this more and more exploitable and easier to get to.
So it is something we want to be aware of and patch against.
And, you know, that's kind of the thing with some of the servers that are hanging around.
Maybe you just installed a server recently, and it's a Minecraft server for your kid, and it's sitting on the net, and you're not going to touch
it again for years, and maybe it's just vulnerable to this. You know, in the pre-show I mentioned all
these computers logging into computers, and what was in the back of my mind there was really
where this type of stuff gets exploited, probably most likely in the wild, I would guess, is on the LAN.
Not across the internet, where people take more precautions with their SSH servers, but
on the LAN, where maybe you don't patch as often, or maybe you have really old automation
systems or monitoring systems that are not really part of the workflow, but still on
the network and have access to a lot of things.
Yeah, right.
You've already gotten access to some privileged network, and now you're using this to jump to different hosts.
Yeah, that seems like where this type of flaw
gets used more realistically and more practically in the wild.
And there maybe you're not on this system,
this is sitting on your LAN,
maybe you're not doing some sort of rate limit either
or anything like that.
You're making me think I better have my firewall up here at the studio.
Yeah, you got that old laptop there, right?
I mean, still, you're talking about a pretty big job to actually pull it off.
But it's big enough that, I mean, since we go back to a regression introduced in 2006,
it's one that people need to act on.
It's worth, too, if you haven't and you're curious about these kinds of details,
the write-up is just really well done.
You can tell that a lot of like craft and care
went into explaining how all of this works.
So do check that out if you're interested.
Yep.
If you're in the States,
welcome back from America Day.
Now go patch your box.
1password.com slash unplugged.
In a perfect world,
end users would only use things exactly as IT set up for them.
With managed devices, carefully curated and selected software,
and of course, login credentials that always had the absolute best passwords
and maybe even two-factor systems.
And of course, it would never be a system that you hadn't seen before,
or at least check to make sure it was secure.
That would be really great,
but that's not how it works, right? Everybody's now got their own devices. Everything's scanning Wi-Fi and Bluetooth all the time. And you can't put MDMs on any of that. You can't put security
tools on any of that. You can't pre-check any of that. This is a huge problem. And it's what
1Password calls the access trust gap. And they've also created the first ever solution to fill it: 1Password
Extended Access Management. It secures every sign-on for every app on every device. It includes
the password manager you know and you love, and the device trust solution you've heard me talk
about before, which of course is Kolide. 1Password Extended Access Management cares about
the user experience and privacy, which means it can go places other tools can't, like personal devices and contractor devices.
It ensures that every device is known and healthy.
Every login is protected.
So stop trying to ban BYOD or fight the shadow IT.
Start protecting everybody with 1Password extended access management.
It makes your life easier too.
And you can manage it all with a beautiful pane of glass.
So go check it out and support the show.
Go to 1password.com slash unplugged.
You go over there, you scroll down a little bit.
They got a video demo that explains it in even more detail.
It's a great way to kind of see what's going on while you also support the show.
So try it.
It's 1password.com slash unplugged.
Well, that certainly gets me thinking,
how in the world am I supposed to avoid this in the future? I would imagine, you know,
some of these boxes need to have remote listening ports open. So surely there's some better precautions I can take for this in the future. Any ideas? Now, we're going to talk about a few
tools here. But of course,
I think we've probably said on the show a thousand times, really, if you're going to
have a system on the internet, it's a defense in depth type of approach. Or as you like to call it,
the layered onion. Layered, delicious fried onion. Delicious, delicious fried onion. But
really multiple layers. You always like to say I'm like a layered onion. You are, Brent.
You're like a deep personal layered onion.
You think you know a guy and then you find out that he goes paragliding.
And then you think you know a guy.
A few years later, it turns out he's like this like- International man of mystery.
He's like the swan on the ice.
He can ice skate like the best of them.
You're like, what?
How come you never mentioned that you're an ice skater?
And then it just goes on and on with Brent.
And that's how you want your security.
If you get through one layer, you want the next layer to kind of protect you.
So what we're going to talk about today is kind of within that context.
And that also includes strong passwords, perhaps only using keys to log into your SSH server, things like that that we've talked about in the past.
Also, tools like fail2ban could be really useful.
Like I would imagine in this case would probably ban this thing before it got very far.
Yeah, don't give folks a chance to do a ton of authentication attempts.
And then our move, only run SSH on a private network like a tailnet or a Nebula network or NetBird or whatever.
Yeah, or behind a VPN.
Like, that's a common approach here, right, is
like you just, you remove SSH from being the thing that's listening and that's the ultimate gateway
to whatever your host or network is, and you assign that to something else. It could be a WireGuard
VPN, OpenVPN, or, yeah, something fancy like Tailscale or Nebula or another overlay VPN product. Yeah,
it works. And I think it's something of, of course, also frequent updates, all that kind of stuff.
But I know.
I know what you're going to do.
You're still going to go spin yourself up a VPS
or something like that,
and you're going to want to just put SSH on the public Internet.
I know.
I understand.
So we wanted to talk about a couple of tools
that you might consider
that, you know,
will at least hide your SSH port, make it a little more difficult.
They're kind of fun.
It's not the complete solution,
but there's some in here that we hadn't seen before.
And the first tool that I found this week
that I wanted to share with you boys is called Letmein.
It's a port knocker written in Rust.
It's a simple port knocker
with a simple and secure authentication mechanism.
And it can be used to harden against pre-authentication attacks on services like SSH or IMAP or any other.
It requires nftables, so you do need to run nftables.
It will not work with iptables.
Are you not running nftables yet?
Come on.
And, I don't know, it's a port knocker.
So, you know what the idea is, right, is you send a certain amount of packets in a certain order to a port and then it will activate the other port.
Yeah, right. So you can have your firewall set up to block everything except your port knocker.
And then it kind of pays attention to the system, notices the right pattern, and then it says, oh, OK, for your IP only, I'm going to open up a hole in the firewall so you can connect to SSH.
And I think that's the key part.
It has to be the IP of the client that did the successful knock.
So you are opening a port, but you're only opening a port to somebody that knew the handshake.
Again, it's just one of the things you could do.
And Letmein is one of the newer ones that looks pretty simple and straightforward that, you know,
you could probably get up and running in just minutes.
In some ways, there are parallels to the hole punching techniques that some of these
Mesh VPNs use, right, where they're using the cleverness of the hole punching algorithm
to get NAT tables and firewalls to let traffic through.
And here, if you're on a Linux box using nftables, you can kind of just do that more
explicitly yourself.
Now, let's talk about one that you found with,
this is a little bit more complicated,
but you were,
Oh,
Oh,
you were looking for something that would work on NixOS.
There it is.
There it is.
There it is.
All right,
boys.
The first Nix mention of the show.
Brentley, do you have a drink?
Because Wes and I came prepared.
Yeah, what do you got?
Wes was really clever.
And, you know, he realized it's going to be a hot day here in the PacWest.
And he got us some Mike's.
Some Mike's.
He got us a Mike's hard cider.
Oh, boy.
This is before I've had a sip.
Yeah, this is Mike's Harder.
I have a cranberry here.
Okay, I got a black cherry.
And it has a big warning sign on here because it's got an electric bolt on there as well.
So you want to watch out.
And then, of course, it's got a lemon that has three electric bolts hitting it.
I'm a little scared because this can is, you know,
perspiring. That doesn't seem safe around electricity.
Yep. All right. Cheers.
Cheers, Wes. Thank you.
Hmm. That's not bad.
No. That's sort of refreshing.
Sort of like a sody pop. Yeah.
Boy, that could be dangerous.
So you were looking for something
that we could potentially package
up, but also maybe configure in NixOS and maybe have part of a standard package or something.
We're kind of like brewing in the back of our minds like this ideal VPS Nix setup.
And it might be interesting to put something like this in there.
So I think it's probably called fwknop.
fwknop?
Yeah, it's hard to smoothly say.
fwknop.
Yeah, it stands for Firewall Knock Operator.
And this uses something a little bit different.
Yeah, it's kind of claim to fame or differentiation here
is it uses what's called single packet authorization,
which has basically the same benefits of port knocking.
You have a service hiding behind a default drop packet filter, but it also has some advantages.
You can use asymmetric ciphers for encryption. It's authenticated with an HMAC in the encrypt
then authenticate model. The packets are non-replayable. It can't be broken by trivial
sequence busting attacks. It only sends a single packet over the network.
And it's a lot faster, at least than some port knocking implementations.
Okay.
All right.
So this sounds interesting.
Sounds a little more complicated than just like send packets in a certain order, though.
But perhaps not that much more complicated.
Yeah, that's where you'll see some of these. I think Letmein has some functionality for this too
of like you can add a layer of authentication
or like shared secret or pre-shared key kind of thing
where make it, you know, make it a little harder
for some rando to be able to just walk up
and knock the right port.
So they have to like knock the right ports
and send the right payload.
I think, so they're trying to, if I'm grokking this,
they're trying to work around the like fundamental problem that port knocking has, which is if you're really under observation and somebody's monitoring your internet traffic of your node, they're just going to see the port knocking and then they'll know the sequence.
They'll just knock the, yeah, exactly.
Yeah.
So this is trying to work that around by adding a little bit layer, a layer of authentication essentially.
Yeah.
And so in the case of fwknop,
it has a setup where you can kind of craft
this special packet that you've signed
and the cryptography works out that when it's
received by the server, it can just be like, oh,
I don't need any further dialogue or discussion.
Looks good to me. Port's open, buddy.
Would you do this? I mean, I'm thinking like for
a VPS
that we might want to have, I don't know,
there are sometimes a system you want to have public
SSH access to.
Yeah, I mean, SSH is so widely deployed that it's like a little bit, you know, it's less of a burden.
I think it depends on the technology because just SSH, right?
Like there's tons of clients, there's mobile clients, like people can have it.
And obviously lots of mesh networks have those too.
But like everyone has SSH.
You don't need to require special stuff.
Using something like this kind of doesn't have that benefit.
But if you needed to maintain compatibility or you really had some tooling that just didn't support any other way of working, it's a nice layer.
So then you also came across, and this is a little bit different approach at this, but
potentially very, very useful, a tool from the folks over at Tarsnap, spiped, I think
is how you say it, which is a utility for creating symmetrically encrypted and authenticated
pipes between socket addresses so that one may connect to one address and transparently
have a connection established to another address.
Yeah, it's kind of like forwarding a port with SSH, but this thing doesn't use SSH.
Right.
And you basically have like a pre-shared symmetric key that encrypts this tunnel.
And yeah, it's just like a nice little tiny utility, super portable.
It's like 6,000 lines of C made by Colin Percival, the genius behind TarSnap and a bunch of other great tooling.
I've used this in the past when I was on a LAN I didn't quite trust
and I was using Synergy.
It was Synergy at the time, whatever Barrier or Input Leap it's called now.
And you were basically just grabbing the port for that?
Yeah, and that way I can be sure because I think at the time
at least Synergy didn't encrypt the traffic.
So in theory someone could watch as my mouse and remote keyboard are transmitted over the network.
And so this just lets you run like, you know, it looks still like just another regular pipe, but with security encryption on top.
So you've come in here and you've completely tossed the table over and you said, forget SSH.
Well, or what you can do is, again, layer stuff.
And instead of having SSH listening regularly, you hide SSH behind this
thing. And then you've just got your
pre-shared key, you connect up, you start the
spiped daemon, you make that shared pipe
up, and then you can talk to SSH.
On the
author's 2.5 GHz Intel
Core 2 laptop,
spiped operates at approximately 300
megabits. Yeah, so even back then the performance
was great. It's been around for a long time.
There's probably better options these days,
but some of this stuff just reminded me of, you know,
you've got a lot of options if you do want to assemble your own sort of toolkit of security in depth.
LinuxUnplugged.com slash boost.
You can now boost from the web.
Get your message on the show, support the pod,
and use a completely independent open source peer-to-peer network. If you would have told
past Chris when he was starting all of this that there would be a system, there was no middleman,
that nobody owned, that was using free software, using free software money to transfer value,
oh my God, and then integrate it into the podcast apps. I don't know. I just don't think
I could have seen it all come together. It's really impressive what's been built in the last
few years. It might be time to try it yourself. And one of the great things is when you boost
the episodes, you're also supporting the podcast app developer. The spec calls for a percentage of
like a 1% or 2%, whatever they decide, the market kind of works it out for the developer,
a little percentage fee. It doesn't take away from the total that we
see when you send in your boost, so you still get credit for the full amount, but the app
developer can get like a 2% fee.
And that gives them a sustainable way to continue development of the application that doesn't
require like baking in ads or you've seen how Pocket Cast has had to sell themselves
a dozen times.
It doesn't really end well for a podcast app that can't find a path to monetization because surprisingly, and I've learned this now having a little bit of an inside track, podcast apps are more complicated and harder to make with way more edge cases than you'd ever imagine.
And I say that as somebody who's been doing podcasts for like 18 years, then seeing behind the scenes a little bit, I was still surprised.
It takes a ton of work, dedicated time, full-time work, especially when you build a
little bit of a user base. So to build in a way for these developers to monetize just by the users
supporting the content that they listen to, it's genius. It's part of what I love about podcasting
2.0. So when you boost the show, not only is it going to each one of us, like Drew and Brent and Wes and myself and the network,
and we send a little off to some other developers,
but you're also supporting the podcast index
and the application developer at the same time.
It makes the whole thing sustainable.
And it's all using a peer-to-peer open source network
to make it happen.
And now with Strike available in 100 countries,
including the UK and in more places
as they continue to grow, it's even easier to link Strike to Fountain and just get a boost in.
Or if you use the web at linuxunplugged.com slash boost, you just need any app that can scan a QR code and send a lightning payment.
You can send your message and say hi to us and we'll read on the show while you support that individual production.
While the sound effects are fun, it's about more than that.
It's about supporting independent content directly from the audience to the creator with no middleman. Try it out,
support the show, and get your message on here, linuxunplugged.com slash boost.
And now, as the French say, it is time for Le Boost.
Ah yes, the boost section.
Now if you want to send us a boost, we've got a nice, quick, easy way to do it these days.
Brand new.
linuxunplugged.com slash boost.
You can send us a message right in your browser.
Make things a little easy for you.
Now we do have some baller boosts here.
BHH32 sent us in 98,383 sats.
Hey, Rich Lobster!
Oh! Oh!
Very nice. Thank you, BHH.
Just to answer your question about Linux desktop coverage.
Uh, yes, please.
All right.
Uh, yes, yes.
Maybe less NixOS and more Fedora.
Hey, I just spent a week on Fedora.
And Gentoo?
Oh, is that really desktop? I still... Brent needs to do the Gentoo challenge, right? Yeah, as a host on the show. Yeah, to make up
for Slack. But, like, technically isn't NixOS like a source distribution? Technically, so it's like
the modern Gentoo. You might, only if you show us you disabled all your subs.
And by what definition? Because aren't all distributions a source distribution
at some level?
I don't think I'm going to accept that.
Now,
BHH continues, I run Fedora 40
on all my family's computers and
Mint Cinnamon Edition in my in-laws' computers.
Ah, nice base across
all of them. Do you upgrade all of them every nine months or so, BHH?
The in-law edition.
I like that.
Right.
The in-laws get Cinnamon.
Everybody else gets Gnome.
They need that.
He says, I'm also excited for Cosmic, and I'm super excited for the Fedora Cosmic spin specifically.
I've also been experimenting with Gentoo, and I actually love it.
It's so fast.
I just wish easier install methods were available for it.
And by the way, this is a zip code boost.
Uh-oh, Wes.
Well, this one should be easy because it's right in our backyard.
98383 is a postal code in Kitsap County, Washington.
You know, near Silverdale.
Hello, Kitsap and Silverdale area.
Where are those?
I don't recognize them, even though we've spent quite a bit of time in Washington.
Yeah, we should, you know, we should take old Brantley to the Bangor base.
That would be fun.
What?
You know, maybe another excuse for a ferry ride.
Should I like bring protection or what?
Yeah.
Yeah.
Bring a helmet.
Definitely bring a helmet.
Thank you.
BHH.
Appreciate that boost.
HybridSarcasm comes in with 50,000 sats.
I hoard that which all kind covet.
I just switched from Gnome to Plasma 6.
Ah.
So far, so good.
I'm enjoying the connectivity to my iPhone using KDE Connect.
And I'm looking forward to the peritor workspaces planned for Plasma.
Tried several themes, but just came back to Breeze Dark.
Oh, and plus one for KRunner.
Agreed.
I'm surprised KRunner doesn't get more attention, because everybody that ends up trying a launcher loves a good launcher.
And KRunner's built right in.
I forget about it, because I'm so used to it.
I mean, it is great.
Yeah.
If I had one wish, it would be that the sole focus now of the project would just be its speed.
Launch that KRunner window as fast as possible.
Because for me, sometimes that first execution, it's like a 1-1000, 2-1000.
There it is.
I'd love it to just be instantaneous.
You know, Hybrid, I was in the same boat when we were doing our Plasma 6.1 talk the other week.
I was like, oh, yeah, let's try some of those themes.
You know, you were talking up your – I tried another like a Windows Vista-y era theme.
And then some regular themes.
But Breeze Dark is just so sleek these days.
So, yeah, I just like – yeah, why switch?
Breeze is getting really good, and they always refine all that stuff.
I just like to play around and try out those retro themes.
There's just something about it that's really special.
A simple time.
Yeah.
I have a pro tip for you with KRunner.
I've been recently, like, diving even deeper into KRunner,
and my suggestion for all you boys is you can add a web search shortcut to KRunner.
So, like, then you might just write Nix space and then what you're looking for and go straight to the Nix search for options and packages.
That is good.
It's a beautiful thing.
Thank you.
Now, Bobbypin came in with 20,000 sats.
Yes, sir.
Sir, sir, sir, sir.
I do daily drive desktop Linux. I found
Linux a decade ago when the
Linux Action Show episode of
Chris and Matt reviewing the System76
Kudu Pro popped up on
my feed. Do you remember that one, Chris?
Yeah, I do. Kudu was
a killer. I installed Ubuntu
14.04 on my laptop, and a decade
later, I'm running Arch with
BSPWM.
Thanks for all the content throughout the years.
Wow, thank you for listening, Bobby.
It's a lovely Linux journey.
Thank you for that boost. That's a great boost. I really appreciate that.
Not the one comes in with 20,000 sats.
Put some macaroni and cheese on there, too.
Loving the scheduled podcasts in Fountain, but I always forget the allocated time.
I've suggested that they also add a notification or alarm when scheduled podcasts go live.
Yeah, that would be killer.
Podverse, definitely you can do that.
And I want to say if it's not in Fountain, it is in the beta builds where there's like a way once you go in there, you can get notifications when we go live.
I think it's just general notification.
So when an episode gets posted or when we're live, I think it might be in there.
If they're not, they're in development, I hope so. Because I think I've experienced where I get
notifications for new episodes, like proper releases, but not when a live goes live. Okay.
Which would be nice. I'm still, it's not as often because of the summer, but we're still meeting
pretty frequently, almost every week, to just discuss all that kind of stuff. So I'll bring
that up when I meet with Nick at Fountain. And if you don't know what we're talking about here, what are they
talking about? This is one of the features of Podcasting 2.0 that I'm the most
excited about is live streams in the RSS feed. So you just
subscribe to the show like you would. And then in your podcast list
when we're pending, you'll have a little pending icon. When we're live, you'll have a little live icon. And then when
the episode gets released, boom, it's there for playback.
It's a really slick system.
And you just tune right in there on your podcast app.
In fact, this was a live boost from NotTheOne, so thank you.
Yes.
Boosted during this episode live.
They already know what we're talking about.
Thank you, NotTheOne.
Appreciate it.
Listener Jeff boosted in with 14,567 sats.
This old duck still got it.
Oh, you know, that's actually a combination of a row of ducks and a Spaceballs boost.
Oh, okay.
All right.
Good, good.
The hell was that?
Spaceball One.
They've gone to plaid.
And we got that Spaceballs boost last show live from Jeff.
Only took me the whole show to get sats in my wallet.
Ha ha.
Great show as always, fellas.
And then after that, we got a row of ducks.
Never thought I'd be boosting in with a NixOS tip.
Here we go.
NixOS can't run non-Nix packages like static game binaries sitting on your file system.
So use Steam in the CLI.
Run steam-run space your app, and boom, the app will launch. Steam doesn't have to be running
either. I've tested this with a few old games that are native Linux binaries. I would bet you
don't even need a Steam account. You tell me. And then he links us to a guide over at nix.dev.
He's absolutely correct.
So steam-run is really just like a runtime environment that kind of creates like a traditional runtime
similar to the Steam environment,
and then you can run the application in that environment.
And Wes, maybe we'll share some hot tips with us next episode.
Remember you were talking in our group chat
about ways you were running binaries that didn't require steam-run?
Oh, that is true.
Maybe we'll cover that next episode.
Thank you, Jeff.
Appreciate that boost.
Torp sent us a little bit of advice with 5,150 sats.
Everything's under control.
So if you want to make your own time standard, it requires a few items you should have in your pantry.
First, grab your atomic clock.
It's essentially the machine that goes ping from Monty Python. Got it. Then you hook it up to an
oscilloscope. And now you have your reference second for your master NTS device. Put it on
tailscale, of course. Have two other slave NTS computers that you can point your normal devices
to. The atomic clock can be bought online for a couple hundred or less, and the NTS protocol does the heavy lift.
Oh, okay.
See, this is getting doable.
There you go.
Plus, what if we had our own atomic clock?
That seems really neat.
Like we should probably have our own JB standard time.
Right.
A proper time zone.
I agree.
Thank you, Torp.
Something for us to think about.
It's on Amazon, right?
Chao Wing Wang comes in with
a row of ducks.
I've been using desktop Linux since about 1999
with a few breaks in between.
But Linux is my daily on the desktop.
I actually try to stay in the
command line more and more as time goes on
also. Cheers. Funny how that works
out, isn't it? Just works.
Thanks, Chow. Appreciate that
check-in. Remaking Eden
boosted in 5,000 sats.
You're so boost! Just to say,
boost! Hey!
Thank you. And
slash home slash JLA came
in with 5,000 sats as well. You're so boost!
That's a clever nickname. Please
keep reviewing desktop environments.
It's an important part of a Linux OS, and it's nice to get your impressions before trying them out.
I installed KDE again after I had to switch to Gnome,
as switching between users did not work stellar at the time about one or two years ago.
But I've not had any issues so far this go-round.
Getting some pretty strong signal here, boys.
Yeah.
Huh. Okay, good to know.
Our dear Gene Bean sent us a row of ducks.
I daily drive both desktop Linux and macOS.
That's a personal slash work difference.
macOS?
Wonder how that is for you, Gene.
And Faraday Fedora sent us in what is an expert double boost here for a total of a row of ducks. Can't say I'm a daily
desktop Linux user, Windows at work, and my gaming desktop is Windows due to anti-cheat,
but every time I'm doing some personal computing outside of gaming, it's on my ThinkPad running
Linux. And so many things I use day to day outside of the desktop is on self-hosted Linux.
And one day I hope to use my gaming PC headless via Steam Link.
Ooh.
Like that.
My man.
My man.
The second boost here.
When I first came to Linux, I was drawn to KDE because it looked like Windows 10.
But within a few hours of using KDE and Dolphin in particular, I realized that Linux
was the superior OS. On the topic how to use MS Office on Linux, what I did at the start of the
pandemic was Office 365 and set up a separate browser to be the host of that. And all things
worked. Church and state, if you will. That's probably the best way to do that, Faraday, if you're going to
run that kind of thing in your web browser. Just this morning, though, you know, one of the web apps
that we love and have used for years, it logged all of us out as we're trying to prep the show.
It's early in the morning, it's a double, we're kind of under the gun, and the web app logs us all out.
and it just strikes me as like man if this was just a binary that I was running on my computer, this would just not be a problem.
And every web app, I mean, not only do you have the overhead of the damn web browser, but then you also have like the latency of loading remote elements.
It's just they'll never be as good as a native application running off of my SSD that can do crazy amounts of megabits a second.
And I mean, we're in 2024, and this tool I'm using,
it's got to be one of the best web apps because it's simple, it's focused,
and it still has these problems.
And I just don't know, man.
I just, Office 365 in the web browser feels like a step backwards in user experience compared
to Word.
And if you think about it, you're just trying to sit down.
You just want to write.
You just want to, if you get the flow, you just want to get that on the page.
And you don't want to have to crap about your web browser asking for location permission
or, hey, this browser is out of date or, hey, this new extension updated so I just popped up a new tab on you.
And that's not even to mention the fact that maybe you've got to log in.
In order to log in, you've got to two-factor.
So then you've got to go get your device because, God forbid, you left your phone somewhere else in the house.
So that way you can then get into your text editor.
It's not a great future. And I would love to see pushback on or maybe WebAssembly come on and swoop in and save the day like I've been told for a decade now that it would and make these applications responsive, local, and not have all of these cloud-connected issues.
So I just don't feel like Office 365 is quite it.
But I do appreciate that it is an option, I suppose.
Maybe it's worth pointing out that I could see a version of the,
you know, where Linux just doesn't get the native app. So at least with web apps, we have that,
right? Like I'm imagining some services that start as like a mobile app only, they don't even have
like a usable website. And then, okay, they have like a Windows and a Mac app. And what's just
like desktop, at least with the web apps, they're crappy on all platforms, but that platform includes ours.
That's true.
That is a nice thing for Linux users.
You know, this reminds me of my brother complaining to me just this week.
He's running an X230 ThinkPad, which is like an aged machine,
but otherwise it does everything he needs.
And his accounting software, that good old QuickBooks, is web-based for him.
And he said it uses something like 50% of his CPU just consistently.
And that's just what he's got to live with because that's all his accountant will use.
So, yeah, repercussions for those older computers for sure.
Electron's a scam from the hardware vendors.
I get it now.
It's all a big plan to make us buy more hardware.
Oh, Faraday Fedora, thank you for that boost.
Appreciate it.
Now, if you didn't hear your boost read on the show,
don't worry.
We're doing two episodes this week,
and so we're just going to carry some of those over
to the next episode,
and we'll do the total and the shout-out
in next week's episode.
So don't worry.
We got it.
We're just banking for the summer,
and thank you,
everybody who sends a boost into the show. It really does mean a lot to us because not only
is it a great way to support the show directly, but we get these messages sent to our inboxes
throughout the week and it keeps us motivated. It keeps us focused on the show, kind of keeps
the signal. You know what I mean? So there's also just that kind of aspect for the team,
but then it's also a way to directly support the show using an entire free
software self-hosted stack that we then get the optionality around.
And we really appreciate it.
And you can now boost from the web,
like Brent said at linuxunplugged.com slash boost and stay tuned to next
week's episode for the rest and our totals.
Thank you everybody who helps the show out.
We really genuinely appreciate it.
And of course you can become a member.
You get the ad free version of the show or the bootleg,
get the full live stream.
Sometimes double the content.
You can do that at linuxunplugged.com slash membership.
We got to pick before we get out of here.
And it's called STU.
I think you found this, Wes?
I did, yes.
I installed this immediately.
I haven't used it yet.
But I'm like, I'm going to use this.
It's like, you know, when you're seeing an application like,
oh, I need this for when I'm going to need it.
It's a terminal graphical environment, you know, for AWS S3 compatible storage.
Yeah, it's an S3 terminal TUI.
Yeah.
Graphical seems like a weird thing to say,
but it is sort of like in the style of ncurses,
and it is written in Rust.
And it lets you just browse around an S3 bucket like it's a local file system on your disk.
Yeah, you know, I'm seeing more and more Rust apps using this Ratatui underlying library
that's like how you implement the terminal user interface. So Stu is another one. And yeah,
it makes for a nice experience. What I appreciate about it, and this is why I installed it immediately, is it also has like a really basic but useful built-in text editor.
And we store like a few RSS files and XML files up on object storage.
And I could see using this to just quickly connect in, make those edits, save it immediately right there in object storage, just avoid the whole like download and re-upload of the file and just use Stu to just make the changes directly.
I like to do it live, Wes.
Yeah, I think it helps to make, you know, S3 storage,
which is ubiquitous these days.
And maybe you even have self-hosted or something
that make you feel a little more accessible,
a little closer to the ease of navigating around
in a terminal experience.
Yeah.
Hey, considering this is Rust and using Ratatui and S3, you know, giving you S to S3, can
we call it Stewie from now on?
Yeah, I think Stewie is appropriate.
You just got to imagine the silent I.
Yeah.
You should probably open a pull request.
Okay.
You know, do a mass rename and then.
No big deal.
Yeah.
You can make like the pull, name it like saying the silent I out loud, you know, and then
maybe the audience could get behind you on this.
We can make a real impact.
Boosting your support.
Yeah.
So we asked you at the top of the show, how do you do remote access?
What have you settled on?
What works for you?
And are you still using SSH?
Would you use a port knocker?
I'm going to ask, yeah.
Would you use one of these tools, or do you already use one of these tools to hide your SSH server?
As part, I'm sure, of a security in-depth strategy.
Also curious to know if you like the little bit tighter, leaner, shorter run episodes since we're doing a summer prerecord.
Kind of curious to know what you think.
Something that runs a little bit shorter and tighter.
Let us know.
You can boost in with that, too.
Because we will not be live next week, unfortunately.
I miss you guys already. But when I get back, I should be refreshed, recharged. These guys have gotten a Sunday off, so
I'm sure you'll be working on some sort of amazing project, right? Recovering from the meetup, really, I
think is what's, yeah. Naps are a project, right? Yeah. I fantasize about a Sunday where we
take it off and I'm not traveling. That feels like, what would I do with that? That just feels like luxurious time.
I think you wouldn't know what to do.
Hammock time, they say.
Yeah.
And of course, if you're subscribed to the RSS feed,
you don't know about nothing.
You don't got to worry about it
because the show just comes out as regular.
And you could find that RSS feed over at linuxunplugged.com
along with a bunch of our show notes and things like that
because linuxunplugged.com slash 570
is the place to get the links for the things we talked
about today. You'll find our contact
page over there, Matrix information
and Mumble information, because when I'm back
and fresh, I'd love to have you in that Mumble
room. We've got the details over there. It's a whole
summer of live. Yeah.
The summer of LARP. Come on and join
us. Spend your Sundays with
us. At least the ones we're live.
Thanks so much for joining us on this week's episode of the Unplugged program.
I'll see you right back here next Tuesday.
As in Sunday. Thank you.