Today I Learned

macOS asks for a PIN instead of a password

Whenever you try to authenticate, macOS asks for a PIN instead of a password. This happens if at some point you paired your key (its smart-card/PIV identity) with your macOS account: once it is paired, the system's password prompts ask for the card's PIN instead.

Just open Terminal.app and unpair it:

sudo /usr/sbin/sc_auth unpair -u YourUserName

or simply

sudo /usr/sbin/sc_auth unpair

Take out your key if you have it plugged in and reboot.

Your key should now be unpaired from your username (sc_auth identities lists the identities macOS knows about and whether they are still paired). Remember that you don't have to pair your key to use it for anything else; you only have to pair it if you want to use it for macOS login.

Automate the creation and deletion of EC2 snapshots via AWS CLI 2

We're heavily using AWS and we're scripting everything we can. As AWS CLI 2 came out recently, we needed to update our scripts.

This script creates a new snapshot and then deletes all snapshots of a specific volume that are older than 2 weeks. It relies on GNU date (the --date option), so run it on Linux or with coreutils date on macOS. Keep in mind that create-snapshot returns as soon as the snapshot is started, not when it completes, and that a snapshot still backing a registered AMI cannot be deleted (delete-snapshot fails for it).

#!/usr/bin/env bash
# Needs AWS CLI 2 and GNU date (--date is a GNU extension).
set -euo pipefail

VOLUME="vol-xxxxxxxxxxxxxxxxx"   # placeholder: the EBS volume to snapshot
DESCRIPTION="my-volume"          # placeholder: prefix for the snapshot description

SNAPSHOT_AGE=$(date +%Y-%m-%d --date '2 weeks ago')
TODAY=$(date +%d-%m-%Y)

echo "Creating new snapshot of volume $VOLUME."
aws ec2 create-snapshot --output text --description "$DESCRIPTION - AutoSnapshot $TODAY" --volume-id "$VOLUME" > /dev/null

echo "Deleting snapshots older than: $SNAPSHOT_AGE"

# StartTime is an ISO-8601 timestamp, so a string comparison against YYYY-MM-DD works.
snapshots=$(aws ec2 describe-snapshots --output text --filters "Name=volume-id,Values=$VOLUME" --query "Snapshots[?StartTime<'$SNAPSHOT_AGE'].SnapshotId")

echo "Snapshots scheduled for deletion: $snapshots"

for snapshot in $snapshots; do
  echo "Deleting $snapshot ..."
  # A snapshot still backing an AMI cannot be deleted; report it and carry on.
  aws ec2 delete-snapshot --snapshot-id "$snapshot" || echo "Could not delete $snapshot"
done

Automatically add and remove SSH keys from remote hosts

Managing SSH keys across multiple hosts is a pain when using key authentication. There are a lot of solutions out there for managing SSH keys: Ansible, Puppet, or paid products.

There's also another option, to use a script to do the job for you.

Here's how

1. Create a targets file with one "host user" pair per line (blank lines and anything after a # are ignored)

# Host                 user
hostname.example.com   username

2. Create an add-keys.sh file

#!/usr/bin/env bash
set -euo pipefail

keys=$(ls *.pub)   # not shown in the original post: deploy every .pub file in this folder
echo "update ssh-keys: ${keys}"

# Skip blank lines and comments in targets, then read "host user" pairs.
grep -vE '^(\s*$|#)' targets | sed 's/#.*$//g' | while read -r host user; do
  echo "# Adding public ssh-keys for $user@$host"
  for k in ${keys}; do
    echo "# Adding public key $k"
    touch "${k%.pub}"   # author's workaround: ssh-copy-id may look for the private-key name next to the .pub
    ssh-copy-id -f -i "$k" "$user@$host"   # -f skips the "already present?" check, so re-runs add duplicate lines
  done
done

3. Create a remove-keys.sh file

#!/usr/bin/env bash
set -euo pipefail

keys=$(ls *.pub)   # not shown in the original post: every .pub file in this folder
echo "update ssh-keys: ${keys}"

grep -vE '^(\s*$|#)' targets | sed 's/#.*$//g' | while read -r host user; do
  echo "# Remove public ssh-keys for $user@$host"
  for k in ${keys}; do
    echo "# Remove public key $k"
    # Match the base64 key blob (2nd field), not the file name, which never appears in
    # authorized_keys. '#' is the sed delimiter because base64 may contain '/' (GNU sed -i on the host).
    blob=$(awk '{print $2; exit}' "$k")
    ssh "$user@$host" 'bash -s' <<EOT
sed -i "\#${blob}#d" ~/.ssh/authorized_keys
EOT
    echo "# Key removed"
  done
done

4. Put the public keys you want to deploy in the same folder as .pub files (the scripts pick up every *.pub file there)

5. Run one of the scripts. Done. When rotating a key, run add-keys.sh with the new key and check that you can log in with it before running remove-keys.sh for the old one, so you don't lock yourself out.
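Both scripts above edit authorized_keys from the outside. The following is an added example (my code, not part of the original post) showing the same two operations done idempotently on a local authorized_keys file, matched on the key blob rather than the file name, so that re-running an add does not duplicate entries and a remove hits every line carrying that key. The function names, the temp-dir layout and the key lines in demo() are my own constructions; the blobs are placeholders, not real key material.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: idempotent authorized_keys edits.
set -eu

# key_blob <pubfile>: print the base64 blob (2nd field) of an OpenSSH public key line.
key_blob() { awk 'NF >= 2 { print $2; exit }' "$1"; }

# has_key <authorized_keys> <pubfile>: exit 0 if the key's blob is already present.
has_key() {
  blob=$(key_blob "$2")
  [ -n "$blob" ] && grep -qF -- "$blob" "$1"
}

# add_key <authorized_keys> <pubfile>: append the key only if it is not there yet.
add_key() {
  if has_key "$1" "$2"; then
    echo "already present: $2"
    return 0
  fi
  cat "$2" >> "$1"
  echo "added: $2"
}

# remove_key <authorized_keys> <pubfile>: drop every line carrying the key's blob.
remove_key() {
  blob=$(key_blob "$2")
  tmp=$(mktemp)
  # grep -v exits 1 when no line is left, which is fine here.
  grep -vF -- "$blob" "$1" > "$tmp" || true
  cat "$tmp" > "$1"   # rewrite in place to keep the file's mode and owner
  rm -f "$tmp"
  echo "removed: $2"
}

# count_keys <authorized_keys>: number of key lines (blank lines and comments excluded).
count_keys() { grep -cvE '^([[:space:]]*$|#)' "$1" || true; }

# demo: constructed files in a temp dir; the key blobs are placeholders, not real keys.
demo() {
  dir=$(mktemp -d)
  ak="$dir/authorized_keys"
  : > "$ak"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobAliceNotARealKey00000000000 alice@example\n' > "$dir/alice.pub"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobBobNotARealKey0000000000000 bob@example\n' > "$dir/bob.pub"
  add_key "$ak" "$dir/alice.pub"
  add_key "$ak" "$dir/bob.pub"
  add_key "$ak" "$dir/alice.pub"     # no-op: still 2 keys
  remove_key "$ak" "$dir/alice.pub"  # leaves only bob
  count_keys "$ak"                   # 1
  rm -rf "$dir"
}
demo
```

On a remote host the same functions can be shipped through ssh 'bash -s' exactly as remove-keys.sh does; matching on the blob also catches keys that were installed under a different comment.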

Upgrade your SSH Keys to the new Ed25519 standard

Why should you upgrade?

Your SSH key is most probably half a decade or more old. As with all technologies, cryptographic algorithms age: weaknesses get discovered and computing power increases, so what was adequate when you generated the key may not be today. Good SysOps and DevOps rotate their keys regularly and you should too!

See all the benefits of Ed25519 here: https://ed25519.cr.yp.to

You need to upgrade right now if:

  • your key was generated using DSA
  • your key was generated using RSA with a length below 3072 bits
  • your key was generated using ECDSA

Ed25519 is the public-key algorithm you should use today.
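To find out which of your existing keys fall under the rules above, here is an added example (my code, not part of the original post) that classifies each key from the output of ssh-keygen -l. The verdict strings, the function names and the directory argument are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit .pub files against the rules above.
set -eu

# classify_key_line <line>: take one line of `ssh-keygen -l -f key.pub` output,
# "<bits> SHA256:<fingerprint> <comment> (<TYPE>)", and print a verdict.
classify_key_line() {
  line=$1
  bits=${line%% *}                                                            # first field
  type=$(printf '%s\n' "$line" | sed -E 's/.*\(([^)]*)\)[[:space:]]*$/\1/')  # text in the last (...)
  case "$type" in
    ED25519) echo "ok: ED25519" ;;
    DSA)     echo "upgrade: DSA is obsolete" ;;
    ECDSA)   echo "upgrade: ECDSA" ;;
    RSA)
      if [ "$bits" -lt 3072 ]; then
        echo "upgrade: RSA $bits bits is below 3072"
      else
        echo "ok: RSA $bits bits"
      fi ;;
    *)       echo "unknown: $type" ;;
  esac
}

# audit_keys <dir>: run the check on every .pub file in a directory (needs ssh-keygen).
audit_keys() {
  for pub in "$1"/*.pub; do
    [ -e "$pub" ] || { echo "no .pub files in $1"; return 0; }
    printf '%s: %s\n' "$pub" "$(classify_key_line "$(ssh-keygen -l -f "$pub")")"
  done
}

# Usage: ./audit-ssh-keys.sh ~/.ssh
if [ $# -gt 0 ]; then
  audit_keys "$1"
fi
```

The type is read from the parenthesised token at the end of the line rather than from the comment, so a comment that itself contains parentheses does not confuse the check.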

How to generate your key:

I like to give my keys custom names, and I also put relevant information in the key comment (role, name and e-mail). The -a 100 option raises the number of KDF rounds used to protect the private key with your passphrase (the default is 16), which makes brute-forcing the passphrase slower; -o writes the key in the newer OpenSSH private-key format, which Ed25519 keys use anyway and which has been the default since OpenSSH 7.8.

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/zeno.popovici.ed25519 -C "Graffino Member :: Zeno Popovici (zeno@graffino.com)"

Don't forget to protect your key with a strong passphrase.

Deploy (macOS)

You can now deploy your key. First, add it to your agent and store the passphrase in the keychain:

ssh-add -K ~/.ssh/zeno.popovici.ed25519

On macOS Monterey and later the Apple-specific flag is spelled ssh-add --apple-use-keychain; in current OpenSSH, -K means something else (loading resident keys from a FIDO authenticator).

On macOS, to copy your public key to the clipboard and paste it into GitHub or other services you're using, just issue:

pbcopy < ~/.ssh/zeno.popovici.ed25519.pub

That's it!