From the Canyon Edge -- :-Dustin

Wednesday, February 20, 2013

Slides from Austin Cloud Users Group -- Encrypt. Everything. Everywhere.

Here are the slides, as promised, from my Cloud Security presentation to the Austin Cloud Users Group. Enjoy!


Friday, February 15, 2013

ssh-import-id now supports -r|--remove keys

As a brief followup to my recent post about ssh-import-id now supporting Github in addition to Launchpad, I should also mention that I've also added a new feature for removing keys that were previously imported.

Here's an example, importing kirkland's public keys from Launchpad.

kirkland@x220:~$ ssh-import-id lp:kirkland
2013-02-15 14:53:46,092 INFO Authorized key ['4096', 'd3:dd:e4:72:25:18:f3:ea:93:10:1a:5b:9f:bc:ef:5e', 'kirkland@x220', '(RSA)']
2013-02-15 14:53:46,101 INFO Authorized key ['2048', '69:57:f9:b6:11:73:48:ae:11:10:b5:18:26:7c:15:9d', 'kirkland@mac', '(RSA)']
2013-02-15 14:53:46,102 INFO Authorized [2] SSH keys

And now let's remove those keys...

kirkland@x220:~$ ssh-import-id -r lp:kirkland
2013-02-15 14:53:49,528 INFO Removed labeled key ['4096', 'd3:dd:e4:72:25:18:f3:ea:93:10:1a:5b:9f:bc:ef:5e', 'kirkland@x220', '(RSA)']
2013-02-15 14:53:49,532 INFO Removed labeled key ['2048', '69:57:f9:b6:11:73:48:ae:11:10:b5:18:26:7c:15:9d', 'kirkland@mac', '(RSA)']
2013-02-15 14:53:49,532 INFO Removed [2] SSH keys


So the way this works is that ssh-import-id now adds a comment to the end of each line it adds to your ~/.authorized_keys file, "tagging" the keys that it adds.  When removing keys, it simply looks for keys tagged accordingly.



Monday, February 11, 2013

Introducing Hockeypuck -- a new HKP server

[Prerequisite: You should first read Casey's introduction
to HKP and Hockeypuck on his blog here.]

Anyone who has ever used Ubuntu, Debian, Launchpad, or apt-get has implicitly trusted a sophisticated public key distribution protocol called "HKP" or, HTTP Keyserver Protocol.  Originally designed for encrypting and signing email, asymmetric key pairs are used to sign, encrypt, decrypt and check signatures of thousands of packages on almost any Linux system.

Many (most?) public key servers today, such as, use an open source package called SKS (synchronizing key server) to distribute public keys.

Within Gazzang's zTrustee product, we rely on HKP to exchange public keys between client's and server.  In our first implementation, we simply used SKS as installed from the Ubuntu repositories.  SKS worked well in some environments, but it didn't scale well to larger environments, where hundreds of thousands of clients running on cloud servers were exchanging public keys in an automated fashion.

Moreover, we envisioned a system where user and host public SSH keys and server public SSL certificates might be exchanged in the same fashion, using the same protocol.  We considered trying to extend SKS to improve the scalability and feature set.

In the end, we decided a new HKP implementation, leveraging a modern, high performance NoSQL key-value store -- MongoDB -- and written in modern language -- The Go Programming Language -- would enable us to build a more efficient, type-safe, memory-safe, concurrent, garbage-collected, fast implementation of HKP.  We could also extend the feature set with a nice user interface and natively support other public keys.

With the general ideas fleshed out, my esteemed colleague, Casey Marshall, got to work on Hockeypuck -- his implementation of HKP in Golang and MongoDB -- freely available under the AGPL.  All credit for the development of Hockeypuck up to this point goes entirely to Casey :-)  That said, he's really quite interested in outside contributions and help at this point, so if you're proficient in Golang and looking to contribute to an awesome security project, here's your bogey!

We at Gazzang are hosting a reference Hockeypuck server at:

But you don't have to use our Hockeypuck server ... we're absolutely delighted that Hockeypuck has been accepted into Ubuntu's 13.04 (raring) distribution in Universe.  It's as easy as:

$ sudo apt-get install hockeypuck

in Ubuntu 13.04 to get your Hockeypuck server up and running.  For other Ubuntu releases, Casey is publishing backports to a stable and an unstable PPA.

This server has successfully imported the world's current public key ring -- that's 4GB of OpenPGP public key information!  Casey's still working on the synchronization, which is based on SKS's "recon protocol".  Again, if you're into hard core polynomial math, can read and understand OCaml, and are interested in re-working that algorithm in Golang, get in touch with us :-)

We're really, really interested in your feedback at this point!  You can file bugs against the project and packages here.  We're also looking for your feature requests...  How would you like to use a public key server?  Would you find it useful to import your SSH server or host public keys from a key server?  Would you find it useful to see "badges" by keys, indicating that key's level or trust?  Or perhaps that a key has been "verified"?  What about linking public keys to OpenID or OAuth logins?  Or what about [insert your idea here!]...

Comments?  Bring 'em on!


Thursday, February 7, 2013

Linux: Won't you be our Valentine?

It will be a lovely week next week!

Valentines Day is next Thursday, February 14th, of course.  Make sure you have chocolate and beautiful flowers for your sweetheart.  And remember, that nothing says, "Was just thinking of you" like finding something cute on Pinterest and pinning it on their wall.  (I need to go figure out how to do that, actually).  And, for extra bonus points, call Mom too!  She'll just love that you thought of her, too, on V-day ;-)

Near and dear to my heart, I'm personally excited that Gazzang will be introduced as one of the newest card-carrying members of the Linux Foundation!  I've been an individual member of the Foundation for years, and have attended nearly a dozen LF events.  We're extremely, extremely proud to add Gazzang to its very impressive list of active corporate members.  What excellent company!  I feel that we at Gazzang are differentiating ourselves from our competitors with comprehensive offerings around big data security, enterprise class encryption, and innovative key management -- all built exclusively in and on top of Linux.

And in celebration of all this love, Gazzang's fabulous marketing department has created a special Valentine's Day card for Linux, speaking on behalf of enterprises and big businesses far and wide that are just head over heels in love with the Penguin :-)  Enjoy!


Tuesday, February 5, 2013

ssh-import-id now supports Github!


As of ssh-import-id 3.0, you can now import SSH public keys from both Launchpad and Github using lp:$USER and gh:$USER like this:

$ ssh-import-id lp:kirkland gh:cmars
2013-02-05 17:54:15,638 INFO Authorized key ['4096', 'd3:dd:e4:72:25:18:f3:ea:93:10:1a:5b:9f:bc:ef:5e', 'kirkland@x220', '(RSA)']
2013-02-05 17:54:15,647 INFO Authorized key ['2048', '69:57:f9:b6:11:73:48:ae:11:10:b5:18:26:7c:15:9d', 'kirkland@mac', '(RSA)']
2013-02-05 17:54:22,125 INFO Authorized key ['2048', '84:df:01:9f:da:d3:ef:7d:a0:44:17:ff:ab:30:15:22', 'cmars@github/2114943', '(RSA)']
2013-02-05 17:54:22,134 INFO Authorized key ['2048', 'ab:6a:0c:99:09:49:0b:8f:2a:12:e2:f3:3d:c7:a9:79', 'cmars@github/3263683', '(RSA)']
2013-02-05 17:54:22,135 INFO Authorized [4] new SSH keys
This is now available in Ubuntu Raring 13.04, backported to all other supported Ubuntu releases in this PPA, in the upstream source tarballs, and now installable through pip from pypi!


It's been almost 3 years now since I introduced ssh-import-id here on this blog.  I have a Google Alert setup to watch ssh-import-id and I'm delighted to see that it seems to be quite popular and heavily used!

As a brief reintroduction, ssh-import-id is similar to the ssh-copy-id command.  Whereas ssh-copy-id pushes your public key into a remote ~/.ssh/authorized_keys file, ssh-import-id pulls a public key into the local ~/.ssh/authorized_keys.  Especially in cloud instances, it's a great way to securely, easily, and conveniently retrieve and install your own SSH public key, or perhaps that of a friend or colleague.

When I initially wrote it, it was really just a simple shell script wrapper around wget, with some error checking, that would pull public keys over an SSL connection from  All of my network friends and colleagues had active, authenticated accounts at, and everyone had to upload their public GPG keys and public SSH keys to Launchpad in order to get any work done.  This was really easy, since all keys are available as flat text at a very predictable URL pattern:

I have always wanted ssh-import-id to be able to pull keys from servers other than Launchpad.  The tool has long supported defining a $URL in your environment or in /etc/ssh/ssh_import_id at the system level.  There just aren't really any other good, authenticated SSH public key servers.


A few days ago, my friend and Gazzang colleague Casey Marshall noticed that Github had actually recently added support to their API which exposes public SSH keys!  This was just awesome :-)  It would take a bit of effort to support, though, as the output format differs between Launchpad (raw text) and Github (JSON).

So this past Saturday on a beautiful evening in Austin, TX (when neither of us should really have been hacking), we both independently initiated our own implementation adding support for Github keys in ssh-import-id :-)  A bit of duplicated effort?  Yeah, oh well...  But we both took a similar approach: let's port this puppy from shell to Python so that we can take advantage of JSON parsing (our alternative was awk!).


My approach was pretty elementary...  I basically implemented a line-by-line, function-by-function port from Shell to Python, since I knew, from a regression standpoint, this would be stable, solid code.  But Casey is undoubtedly the better programmer between the two of us :-)  He took a much more Pythonic approach, implementing each of the protocol handlers as sub commands.

Once we caught up with one another online around midnight Saturday night, we realized that we really duplicating efforts.  So we decided to team up on the problem!  Casey had a much more elegant design, complete with a and uploadable to  Meanwhile, I have maintained the source code and the package in Ubuntu for nearly 3 years and I understood the complex set of legacy compatibility I needed to preserve, as well as several years worth of gotchas and bugs-fixed.  So I took Casey's implementation, whole hog, and went to work on a bunch of little things to get it whipped into shape for upload to Ubuntu.


Given that Github is now supported in addition to Launchpad, there may actually be some interest in the tool beyond Ubuntu.  Non-Ubuntu users can now install ssh-import-id directly from!

$ sudo pip install ssh-import-id
Downloading/unpacking ssh-import-id
  Running egg_info for package ssh-import-id
Requirement already satisfied (use --upgrade to upgrade): argparse in /usr/lib/python2.7 (from ssh-import-id)
Downloading/unpacking Requests >=1.1.0 (from ssh-import-id)
  Running egg_info for package Requests
Installing collected packages: ssh-import-id, Requests
  Running install for ssh-import-id
    changing mode of /usr/local/bin/ssh-import-id-lp to 775
    changing mode of /usr/local/bin/ssh-import-id to 775
    changing mode of /usr/local/bin/ssh-import-id-gh to 775
  Running install for Requests
Successfully installed ssh-import-id Requests
Cleaning up...

Other New Features

We've added a few other new features in the 3.x series...
  1. We now detect duplicate keys by their size/fingerprint/type, and avoid adding duplicates
  2. We also now support a -r|--remove option, which you can use to prune keys from ~/.ssh/authorized_keys file that were added by ssh-import-id
Please report bugs as you find them here!  And please use StackExchange for questions!  Enjoy ;-)