Linux - Reddit – Telegram
Stay up-to-date with everything Linux!
Content directly fetched from the subreddit just for you.

Error proofing for shell scripts: shellproof

shellcheck is a util that checks shell programs for common mistakes.

So I got this simple idea: what if we combined the debugging of shellcheck with that of running the code itself, so everything is checked quickly together?

I called it shellproof. It does a quite simple thing: it runs a shell program only if it is mistake free, otherwise it lists those mistakes.

So debugging a program just takes:

    shellproof [programPath]

https://redd.it/liq5nq
@r_linux
Best lightweight Linux distro for a newb.

I've just about had enough of Windows 10's constant forced updates, and this has driven me to consider Linux for the first time. I have two low-spec laptops that currently run Win10 that I'd like to switch to Linux if I can. I'm aware there are many different varieties of Linux out there to pick from, but I'd prefer to run a lightweight version that can run on a potato system.

Any advice and tips appreciated.

https://redd.it/lis174
@r_linux
Can anyone help me with resizing my root partition with unallocated space?
https://redd.it/litzns
@r_linux
Distro recommendations for an all time Windows user?

Been using Windows forever and now I want to see how the Linux side of things is, plus to avoid all that MS-Telemetry thing that's going on with Win10. Recently tried Elementary OS Hera and got my laptop's touchpad working after a bit of tinkering in the BIOS but found out there aren't many gestures. Any distro where I can get a similar feel of the touchpad gestures? Heard that Elementary OS 6 is gonna come out with better 1:1 gesture support but until that arrives, what are my options?

https://redd.it/liu59b
@r_linux
Windows is behaving like over-possessive partner in Dual boot

I am using Linux and Windows both in dual boot. I don’t know why, my windows gets a problem with its BCD every once in a month and I need to reinstall this irritating operating system again only because I need to use Adobe Softwares occasionally. Anyone else facing the same issue? I badly need to get rid of this BCD corruption frequently. My machine is an Asus X570 ZD with Windows pre-installed.

https://redd.it/liv3w1
@r_linux
Alternatives to dialog with more control on colors and more modern looking?

Working on a project where we need to improve ux of an installer. We are using dialog right now but would love to better match company colors and make it look a bit more modern.

Can anyone suggest an alternative?

Tia

https://redd.it/liti2t
@r_linux
Linux step by step

Hi,
As I am learning Linux (self-learning) and have gone through the basics, could you guide me what are the subjects I have to complete step by step.
I did first basics and command line now learning bash scripting and then what.

https://redd.it/liwnte
@r_linux
How to properly use databases in my application from a superuser account?

What is the best method to incorporate databases in my application? I am using a superuser account to run the application. While I can run the application from this, I don't want to give it superuser privileges to all the databases in the system. What's the standard? Am I supposed to create a new standard user while setting it up and assign a database to it?

https://redd.it/lixt3d
@r_linux
Media center

I'm trying to redo my media center. It once was a Windows 7 machine, for almost 10 years. However it is my last machine to be transferred to Linux. For one reason my sound card it has a brand new one. A sound blaster, any idea what distro will accept it without drama, I have had very little luck.

https://redd.it/liyq02
@r_linux
Is it normal to have a bin folder in your home directory?

Here comes a weird question. I've been using Linux for more than 8 years and I always create a bin dir in home. That's where I keep all my executable files, DRM free software etc. I don't remember why am I doing this, is this normal?

https://redd.it/lizvgx
@r_linux
Linux on a Samsung Galaxy Book 10.6

Hi all!
I have a Samsung Galaxy Book 10.6 ... tried Ubuntu 20.04 on the machine and didn't have wifi, the touch wasn't working and the keyboard was buggy (when I detached and attached again stopped working).

Should I try another distro? Or what should I do?



PS: I'm a noob on Linux. I was trying to use WSL2 for windows .... but I prefer to have a real Linux machine.

https://redd.it/lj1ymk
@r_linux
Some nifty stuff ffmpeg can do

    # play a video
    ffplay output.mp4

    # play audio only
    ffplay -nodisp output.mp4

    # audio streaming of a youtube video
    youtube-dl 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' -f bestaudio -o - | ffplay - -nodisp

WAYLAND USERS, LOOK AWAY!

    # record screen and save as video
    ffmpeg -f x11grab -i :0.0 -f pulse -i 0 output.mp4

    # record part of the screen as gif for 5 seconds
    # with 800x600 resolution, 0 as the x-offset and 30 as the y-offset
    ffmpeg -f x11grab -framerate 10 -video_size 800x600 -i :0.0+0,30 -t 5 output.gif

    # take a screenshot and save as png
    # (grab a single frame; the .png extension selects the PNG encoder)
    ffmpeg -f x11grab -i :0 -frames:v 1 output.png

Note: the last three commands obviously require X11, and ffplay may require installing ffmpeg-full on some distros (which is only 2 MiB if ffmpeg is already installed, at least on NixOS)

To be honest, I'm still reading ffmpeg's man page and I don't understand these commands much myself, I just shamelessly copied them from various websites. It all started this morning when I wanted to record the screen using peek (gif screen recorder) which didn't work due to some missing GTK dependency, did some Google-fu and now I'm uninstalling peek in addition to mpv, scrot and kazam (which IMO only serve as wrappers for ffmpeg) ... I can say that things escalated quickly.

https://redd.it/lj4v0w
@r_linux
Does anyone like snap package manager?

ubuntu comes with snap, but I don't understand the benefit.

I feel it's redundant and takes up a lot of disk space to have installed. I have read it comes with all the dependencies for each deb, however sometimes I want to install my own dependency versions.

I like using ubuntu on things like raspberry pi, but the first thing I have to do is remove snap.

https://redd.it/lj4mbx
@r_linux
Flatpak security

I've started using Fedora Silverblue and I have a few questions about Flathub packages security.
1. Is every single app in a separate container, or is there one container for all Flatpak apps?
2. Most of the popular apps like Visual Studio Code, are not official versions, I mean Microsoft didn't publish it. As far as I know there's no code review on Flathub. How can I be sure that apps from Flathub repository are safe?
3. Can I be sure that no app in Flathub repository is malicious?

https://redd.it/ljbpr9
@r_linux
Just, a command runner written in Rust

Just lets you save and run commands from files with a terse, readable syntax similar to Make:

    build:
        cc *.c -o main

    # test everything
    test-all: build
        ./test --all

    # run a specific test
    test TEST: build
        ./test --test {{TEST}}

It is cross-platform, written in Rust, and actively maintained on GitHub:

https://github.com/casey/just/

Just has a bunch of nice features:

- Can be invoked from any subdirectory
- Arguments can be passed from the command line
- Static error checking that catches syntax errors and typos
- Excellent error messages with source context
- The ability to list recipes from the command line
- Recipes can be written in any language
- Works on Linux, macOS, and Windows
- And much more!

Just doesn't replace Make, or any other build system, but it does replace reverse-searching your command history, telling colleagues the weird flags they need to pass to do the thing, and forgetting how to run old projects.

https://redd.it/ljdcki
@r_linux
Best and Easiest way(s) to Secure OpenSSH authentication on your personal systems.

There are two ways that I like nowadays and both of them involve 2FA and hardware keys. Specifically Yubikey in my case, but other ones will probably work as well.

The traditional approach to securing OpenSSH authorization involves several approaches:

- Traditional SSH Keys - A very good and robust approach for managing access on personal systems. In large organizations the problem of key management is hairier than it seems at first glance.
- SSH Keys signed with OpenSSH built-in CA support - An intermediate approach that most people are unaware of that is a good match for many businesses and other organizations. With this approach you are using SSH keys that are signed by a CA. This way you can do things like revoke system access quickly in case of a compromise.
- Kerberos - A great approach if you are using AD or FreeIPA already. But the overhead of managing it is pretty high and relatively minor issues with network configurations can cause massive headaches, which makes it detrimental for personal use.

So for personal use just old fashioned SSH keys are the way to go. However, we can make OpenSSH auth even more secure with hardware tokens.

Now the older way to do it is to enable 2FA using OTP (one time password) approach. This generally involves adding additional login requirements in the form of PAM modules. This is going to be the most common search result as it's been in use for years now. It can take advantage of your own TOTP infrastructure or tie into Google's or other providers. This is fine, but I really despise working with PAM. If I can use something OpenSSH supports natively then that is the way to go, IMO. Especially when you can avoid additional infrastructure dependencies.

The two "new" ways I have discovered as of late are:

1. Take advantage of OpenPGP/Smartcard support available on some hardware cards. Most notably Yubikey 5 series, but there are others. With this approach you use GPG and gpg-agent to manage your private keys. Access is protected by a card PIN (can be up to 127 ascii characters).
2. Take advantage of FIDO2. Since version 8.2 OpenSSH has supported FIDO2 authentication natively. Which is freaking fantastic. You should use a password encrypted private key for additional security. Make it more 2FA-ish.

Pros of OpenPGP/Smart card approach:

- Can work with older versions of OpenSSH
- gpg-agent support is built into proper Linux desktops
- All the private keys are managed via hardware token.
- Can use hardware token with a wide variety of other software.
- More single-sign-on-like. You don't have to keep fingering your key for things like ansible.

Cons:

- A lot of hardware tokens don't have OpenPGP/Smartcard support.
- Can be a pain to migrate secured (password disabled) systems from old key to GPG key. You end up doing things like running one shell with SSH_AUTH_SOCK ssh-agent and another with gpg-agent, or setting up aliases to help copy over new keys and remove old ones.
- A lot of work is required to set up your card. Need to set up subkeys and such things.
- You really need to have a second hardware key as backup in case your main key gets lost or damaged.
- By default gpg deletes private keys from your ~/.gnupg keyring after copying to the card, so you have to back up your keyring prior to that if you want to have backups.
- Need to configure ssh client to look to gpg-agent instead of ssh-agent.
- Can't use cool ed25519 keys.

Pros of FIDO2 approach:

- Minimal additional configuration. Pretty much all you need to do is use ssh-keygen. It's exceptionally easy to set up.
- ssh-agent is integrated by default in decent Linux desktops.
- Uses separate encrypted private key (recommended) for additional password protection.
- Easy migration to new keys.
- Fido2 works well with many websites.

Cons:

- Can't back up your hardware token. You need a second token if you want backup.
- If you want backup token you have two sets of keys to manage.
- Need to finger the device for each SSH usage (can mitigate with OpenSSH [ControlMaster](https://ldpreload.com/blog/ssh-control) feature). May not be true for all hardware tokens.
- Needs very new (>8.2) version of OpenSSH to work. So no-go on LTS installs like vanilla CentOS 8.

As you can see the Fido2 approach is the slicker and newer of the two approaches. Probably slightly more secure as well.

With the FIDO2 all you have to do is:

1. Purchase a hardware token that has U2F/FIDO2 support.
2. Set up the FIDO2 PIN (recommended) (for yubikey use yubikey-manager command "ykman set-pin")
3. And then run ssh-keygen:

    ssh-keygen -C "nice name for key here" -t ed25519-sk -O resident -f ~/.ssh/mynewkey

And it should prompt you for your fido2 pin and that's it. You can begin copying around the key with ssh-copy-id.

If you do get a hardware token and it does have OpenPGP support then you really are going to want to use it for other stuff. It can tie into Pass password store, secure communication with email and other protocols and a whole bunch of other stuff. If you are already doing that stuff adding OpenSSH support is fairly trivial.

The approach to properly setting up OpenPGP support using GNUPG is significantly more involved. The best guide I know of is this one:

Dr. duh's YubiKey-Guide

He has you go full-paranoid with offline encrypted creation and backup of the keys among other things. Highly recommended. If you are doing it you might as well do it right.

After that you just need to make sure that you have "enable-ssh-support" set in your ~/.gnupg/gpg-agent.conf. (maybe restart your gpg-agent or log out and log back in, whatever works best for you).

And then tell OpenSSH to use the gpg-agent socket. Set the equivalent of

    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

In your .bashrc or whatever is appropriate for your setup.

After that you can run:

    ssh-add -L

to list your public key. Which then you can copy around manually. Or just use ssh-copy-id, it'll do the right thing even though there is no pub file in ~/.ssh for it.

After that then pick a standard OpenSSH hardening guide. All the same things apply. Just don't go nuts. No need to make it easy to trivially trigger a denial of service on yourself using silly things like fail2ban. Remember with passwords disabled brute force attacks are worthless. Failed logins are just OpenSSH doing its job and are about as interesting as logging pings. Successful logins are what you should be monitoring for and be paranoid about!

In /etc/ssh/sshd_config do things like:

    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no

https://redd.it/ljd9rl
@r_linux
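
An added example for the sshd_config settings in the OpenSSH post above (not part of the original post): a shell function that checks the global section of a config file for those three values. It assumes a single-file config without Include directives or quoted arguments; the function name `audit_sshd_config` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Check the global part of an sshd_config-style file for the three settings.
# sshd keeps the first value it reads for a keyword, so later repeats are ignored.
audit_sshd_config() {   # $1 = config path; returns 1 if any setting fails
    awk '
    BEGIN {
        n = split("permitrootlogin passwordauthentication kbdinteractiveauthentication", keys, " ")
        # Built-in sshd defaults, used when a keyword never appears.
        dflt["permitrootlogin"] = "prohibit-password"
        dflt["passwordauthentication"] = "yes"
        dflt["kbdinteractiveauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
        gsub(/=/, " ")                         # "Keyword=value" is also accepted
        key = tolower($1); val = tolower($2)   # keywords are case-insensitive
        if (key == "match") exit               # Match blocks are conditional: stop here
        # Newer OpenSSH treats ChallengeResponseAuthentication as a deprecated alias.
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        if ((key in dflt) && !(key in seen)) seen[key] = val   # first value wins
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]
            v = (k in seen) ? seen[k] : dflt[k] " (default)"
            if (v == "no") print "OK   " k "=" v
            else { print "FAIL " k "=" v; bad = 1 }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved, which is the authoritative source to compare against.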
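
The OpenSSH post above says successful logins are what to monitor. As an added example (not from the original post), this filter reads syslog-style sshd lines and grades each accepted login by how it authenticated; the function name `report_logins` and the log lines are constructed, and it assumes the usual "Accepted <method> for <user> from <address> ..." message layout.

```shell
#!/bin/sh
# List successful sshd logins and grade how each one authenticated.
report_logins() {   # reads syslog-style sshd lines on stdin
    awk '
    / sshd(-session)?\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        method = $(i + 1); user = $(i + 3); src = $(i + 5)
        # publickey lines end with "ssh2: <KEYTYPE> <fingerprint>"
        keytype = (method == "publickey" && $(i + 8) == "ssh2:") ? $(i + 9) : "-"
        if (method != "publickey")  grade = "ALERT"    # passwords are meant to be off
        else if (keytype ~ /-SK$/)  grade = "OK"       # FIDO2-backed key type
        else                        grade = "REVIEW"   # file key or OpenPGP card key
        print grade, user, src, method, keytype
    }'
}

# Constructed log lines (documentation addresses, placeholder fingerprints).
report_logins <<'EOF'
Feb 13 10:00:00 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Feb 13 10:01:00 host sshd[101]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2: ED25519-SK SHA256:CONSTRUCTED1
Feb 13 10:01:30 host sshd[103]: Accepted publickey for carol from 192.0.2.44 port 5100 ssh2: RSA SHA256:CONSTRUCTED2
Feb 13 10:02:00 host sshd[102]: Accepted password for bob from 198.51.100.7 port 6000 ssh2
EOF
```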