Richard Bucker

Pulling My Hair Out

Posted at — Oct 6, 2020

The shit hit the fan yesterday… I was trying to connect to my client’s VPN networks, however, ChromeOS does not really support OpenVPN and so with my head spinning and not wanting to take too much of my manager’s time I tried to install OpenVPN in the ChromeOS-linux container and while it worked it was not going to bridge the networks between the container and the ChromeOS desktop.

I supposed I could install my browser or other GUI apps in the linux container but that’s just more stuff… and not the direction that this story goes…

Once I proved that the ovpn file(s) were ok I started up an Intel NUC that was running POPOS. That took a few hours to configure. The POPOS package manager did not have a bundle for OpenVPN and while there is a basic VPN toolchain it refused to open my ovpn. At some point I made it past that… but sharing files from my ChromeOS desktop to this other machine required a USB sneaker-net. (my NAS would not mount; missing ssh keys)

The NUC is ok… but switching between keyboards, mouse, monitor means that I need to clear my desktop. I have tons of mail, hardware, tools, power banks, coffee cups, and I happen to do all my normal work on my ChromeOS machine. So next I tried to launch a POPOS on my VMware ESXi server, however, I was not able to log in. ESXi does not support password managers and in a default installation there is a max limit to the number of password retries before the account is locked. After several hours I remembered I had some orchestration code. Even that code failed but at least I verified the password. That’s when I realized I needed to reboot… That worked and frankly I was lucky it survived.

It’s easy to say that sysadmins should never forget passwords but the challenge is that we do not always spend time in every system. Different OSes have different requirements. Configuration as code is a strong idea, however, it does not always survive vendor upgrades.

My reporting system had 1700 code-generated reports. There were plenty of original (v1) reports that could not be re-generated. I’m also looking at building tcl and all those tools… so much else that is vulnerable.

I call this FALSE SENSE OF SECURITY