Encrypted credentials for Amazon AWS command line client

In this quick post I will show how to use the password manager 'password-store' (pass) to securely store the credentials used by the Amazon Web Services command line client.

The installation on Mac and Linux systems is fairly easy:
$ pip install awscli

The credentials are stored as key-value pairs inside a PGP-encrypted file.
Every time you call the AWS CLI tool, your keys are decrypted and passed directly to the aws executable as environment variables for that single invocation.

Use pass to add your keys in the store:
$ pass edit providers/aws

An editor opens. Use the following format (the wrapper below reads the lines starting with "Access-Key:" and "Secret-Key:"):
User: stv0g
Secret-Key: vAAABn/PMAksd235gAs/FSshhr42dg2D4EY3

Add the following snippet to your .bashrc:

function aws {
	local PASS=$(pass providers/aws)
	local AWS=$(which aws)
	# Start the original aws executable with the keys in its environment
	# for this one invocation only; the pass entry must contain an
	# "Access-Key:" and a "Secret-Key:" line
	AWS_ACCESS_KEY_ID=$(sed -En 's/^Access-Key: (.*)/\1/p' <<< "$PASS") \
	AWS_SECRET_ACCESS_KEY=$(sed -En 's/^Secret-Key: (.*)/\1/p' <<< "$PASS") \
	"$AWS" "$@"
}

Then use the aws CLI tool as usual:
$ aws iam list-access-keys
{ "AccessKeyMetadata": [ { "UserName": "stv0g", ...
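As an added example (not part of the original post and not the author's wrapper above), the same idea can be done without shadowing the aws command: the AWS CLI's credential_process setting runs a program of your choice and reads the credentials from the JSON it prints. The script below assumes the entry is named providers/aws and contains "Access-Key:" and "Secret-Key:" lines; an optional "Session-Token:" line is passed through as well. The file name aws-pass-credentials.py used in the usage note is an assumption.

```python
"""Feed credentials from password-store to the AWS CLI via credential_process.

Added example, not code from the original post.  Assumes a pass entry
``providers/aws`` with ``Access-Key:`` and ``Secret-Key:`` lines (and an
optional ``Session-Token:`` line for temporary credentials).
"""
import json
import subprocess
import sys

# Line prefixes in the pass entry -> keys the AWS CLI expects in the JSON
# document printed by a credential_process program.
FIELDS = {
    "Access-Key": "AccessKeyId",
    "Secret-Key": "SecretAccessKey",
    "Session-Token": "SessionToken",  # optional
}


def parse_entry(text: str) -> dict:
    """Turn the decrypted entry text into the credential_process JSON object.

    Unknown lines (e.g. "User: ...") are ignored.  A missing mandatory key
    raises ValueError so the CLI fails loudly instead of running with empty
    credentials.
    """
    creds = {"Version": 1}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if sep and key in FIELDS and value:
            creds[FIELDS[key]] = value
    for required in ("AccessKeyId", "SecretAccessKey"):
        if required not in creds:
            raise ValueError(f"providers/aws: missing {required} line")
    return creds


def read_from_pass(entry: str = "providers/aws") -> str:
    """Decrypt the entry with pass (GnuPG or the token prompts for the PIN)."""
    return subprocess.run(
        ["pass", entry], check=True, capture_output=True, text=True
    ).stdout


def main() -> int:
    try:
        print(json.dumps(parse_entry(read_from_pass())))
        return 0
    except (subprocess.CalledProcessError, ValueError) as exc:
        print(str(exc), file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main())
```

Save it as, say, ~/bin/aws-pass-credentials.py, make it executable, and add a profile to ~/.aws/config with the two lines "[profile pass]" and "credential_process = /home/you/bin/aws-pass-credentials.py"; then "aws --profile pass iam list-access-keys" works without any secret ever landing in ~/.aws/credentials.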

Use Yubikey and Password-store for Ansible credentials

I spent some time over the last months to improve the security of servers and passwords. In doing so, I started to orchestrate my servers using a configuration management tool called Ansible. This allows me to spin up fresh servers in a few seconds and to get rid of year-old, polluted and insecure system images.


My 'single password for everything' has been replaced by a new password policy which enforces individual passwords for every single service. This was easier than I previously expected:

To unlock the 'paranoid' level, I additionally purchased a Yubikey Neo token to handle the decryption of my login credentials in tamper-proof hardware.
'pass' is just a small shell script to glue several existing Unix tools together: Bash, pwgen, Git, xclip & GnuPG (obeying the Unix philosophy). The passwords are stored in simple text files which are encrypted by PGP and stored in a directory structure which is managed in a Git repository.

Yubikey Neo and Neo-n

There are already tons of tutorials which present the tools I described above. I do not want to repeat all that. So, this post is dedicated to solving some smaller issues I encountered:

Use One-Time passwords across multiple servers

The Yubikey Neo can do much more than decrypting static passwords via GnuPG:

  • Generate passwords:
    • fixed string (insecure!)
    • with Yubico OTP algorithm
    • with OATH-HOTP algorithm
  • Do challenge response authentication
    • via FIDO’s U2F standard
    • with HMAC-SHA1 algorithm
    • with Yubico OTP algorithm

Some third-party services already support the FIDO U2F standard or traditional OATH-{H,T}OTP two-factor authentication (TFA), as used by the Google Authenticator app. I suggest having a look at: https://twofactorauth.org/.

For private servers there are several PAM modules available to integrate OTPs or challenge-response (CR) methods. Unfortunately, support for CR is not widespread across SSH and mail clients.

So you want to use OTPs, which leads to another problem: OTPs rely on a counter that is kept in sync between the hardware token and the server. Once you use multiple servers, those must be synchronized as well. I'm using a central RADIUS server to facilitate this.
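The counter problem just described, carried through as an added example that is not part of the original post: an RFC 4226 HOTP verifier with a look-ahead window, run once with two servers that each keep their own counter and once with a single shared counter of the kind a central RADIUS server would hold for both. The secret is the RFC 4226 test-vector key, used here only as a constructed demonstration value; the window size of 10 is an assumption.

```python
# Added example, not code from the original post: RFC 4226 HOTP with a
# look-ahead window, showing why counter-based OTPs need one shared counter
# when several servers accept the same token.
import hashlib
import hmac
import struct

# RFC 4226 test-vector key; a constructed demonstration value, not a real secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter value (HMAC-SHA1 plus dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side counter state for one token.

    `window` is the look-ahead: how many counter values beyond the stored one
    the server searches, so that presses it never saw (used against another
    server, or wasted) do not lock the user out.  Any code at or below the
    stored counter is rejected, which is what makes an accepted code single-use.
    """

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value this server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this value and every earlier one
                return True
        return False


def simulate(presses_on_a: int, window: int = 10) -> dict:
    """Log in `presses_on_a` times on server A, then once on server B.

    Servers A and B keep independent counters; `shared` models the single
    counter a central RADIUS server would hold for both.  Returns whether B
    and the shared state accept the final code.
    """
    token_counter = 0  # the counter inside the hardware token
    server_a = HotpVerifier(DEMO_SECRET, window)
    server_b = HotpVerifier(DEMO_SECRET, window)
    shared = HotpVerifier(DEMO_SECRET, window)

    for _ in range(presses_on_a):
        code = hotp(DEMO_SECRET, token_counter)
        token_counter += 1
        server_a.verify(code)
        shared.verify(code)

    code = hotp(DEMO_SECRET, token_counter)
    return {
        "presses_on_a": presses_on_a,
        "independent_b_accepts": server_b.verify(code),
        "shared_accepts": shared.verify(code),
    }


if __name__ == "__main__":
    for n in (3, 10):
        print(simulate(n))
```

With three logins on A, server B's window still absorbs the drift; after ten, B's counter lags the token by more than the window and rejects a perfectly valid press, while the shared counter keeps accepting. Widening the window only postpones the lock-out and enlarges the set of codes an attacker could try, which is why one shared counter state is the sound fix.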

Integrate 'pass' into your Ansible workflow

Ansible uses SSH and Python scripts to manage several remote machines in parallel. You must use key-based SSH authentication, because you do not want to type every password manually! Additionally, you need super user privileges for most of your administrative tasks on the remote machine.

The SSH authentication is handled by gpg-agent's --enable-ssh-support option and a PGP key on your token.

To get super user privileges, I use the following variable declaration in my Ansible group_vars/all file:
ansible_sudo_pass: "{{ lookup('pipe', 'pass servers/' + inventory_hostname) }}"

There is a separate root password for every server (e.g. "pass servers/lian.0l.de"). I wrote some Ansible roles to easily and periodically roll those passwords.

Integrate 'pass' into OS X

There are already several plugins and extensions to integrate the 'pass' password store into other programs like Firefox and Android.

A prompt for the password you want

I added support for OS X by writing a small AppleScript which can be found here: https://github.com/zx2c4/password-store/blob/master/contrib/pass.applescript

A notification with countdown

Workshop: Security Token

The Open Source Arbeitskreis (OSAK) of the Fachschaft FSMPI is organizing a Crypto Party for the second time, where anyone interested can learn about encryption and related topics.

I would like to use this opportunity to promote the event a little. You will find the exact details in the flyer below.

This time there will also be a small workshop given by me:

Hardware Crypto Tokens

"I know none of my passwords"

In about 20 minutes, I will give a short overview of security tokens such as the Yubikey or the OpenPGP smartcard. The focus will be on various application scenarios such as one-time passwords, logins, e-mail encryption, etc.

Update: Here are the slides and the handout:

Presentation (pdf)
Handout (pdf)


Casting between Qt and OpenCV primitives

As a follow-up to the previous post, I'd like to present some code which I think might be helpful for other Qt / OpenCV projects as well.

This code was written for Pastie. Pastie is a piece of software I wrote as part of my image processing seminar. It makes use of the well-known libraries:

  • Qt for the graphical user interface
  • OpenCV for image processing and computer vision

I wrote a C++ header file to facilitate the co-operation of those two libraries. This file enables the conversion / casting of OpenCV and Qt types e.g.:

#include <QImage>
#include <opencv2/core.hpp>
// plus the conversion header from the Pastie project, which declares toCv()

QImage qimg("filename.png");
cv::Mat cvimg = toCv(qimg);   // QImage -> cv::Mat

The source code is available at GitHub.

The following conversions are supported:

  Qt type       OpenCV type
  QImage        cv::Mat
  QTransform    cv::Mat
  QPoint        cv::Point2i
  QPointF       cv::Point2f
  QRect         cv::Rect2i
  QRectF        cv::Rect2f
  QSize         cv::Size

You can find some examples in the real code here and here.

Seminar: Camera-based PCB Analysis for Solder Paste Dispensing


The lectures during my last semester were largely focused on digital image processing. Combining this with the inspiration for 3D printing I gathered through my trip through South Korea resulted in the following seminar paper. Seminars are a compulsory part of our curriculum, which I like due to the self-contained work and the ability to pick an individual topic.

Over the past year, I've built my own Kossel 3D printer. The Mini Kossel is based on a novel parallel delta kinematics which was developed by Johann C. Rocholl, a Google engineer from Germany.

This paper targets the automation of solder paste dispensing onto printed circuit boards by using computer vision and RepRap robots.

Full Slides as PDF
Full Paper as PDF
Source Code at GitHub

Seminar: Image Processing and Content Analysis

Camera-based PCB Analysis for Solder Paste Dispensing

Steffen Vogel (steffen.vogel@rwth-aachen.de)
Academic Advisor: Wei Li (wei.li@lfb.rwth-aachen.de)
Institute of Imaging & Computer Vision (LfB)
Rheinisch-Westfälische Technische Hochschule (RWTH), 52056 Aachen

1 Abstract

Two of the main challenges for PCB prototyping are the time-consuming setup of involved machines and their economic feasibility for small laboratories and hobbyists. This paper tries to offer solutions for both of these issues:

  1. The complex setup process of industrial machines can be accelerated by computer vision. It is preferable to automate this process as far as possible to enable operation by untrained personnel and hobbyists. The workflow can be further simplified by not relying on external CAD data. This includes: detection of components, pads and footprints; mapping between available components and footprints; and planning of shortest tool paths.
  2. The adaptation of proven 3D printers makes it possible to lower the costs of such machines. The lightweight and fast kinematics of parallel 3D delta robots like the RepRap Mini Kossel are perfectly suited for the assembly of PCBs. Only the print head has to be exchanged between the individual steps of the process.

This work presents a workflow to control DIY 3D printers for the purpose of PCB assembly. By using cheap and easily obtainable parts like proven RepRap 3D printers, this technique is viable for small laboratories, FabLabs and hobbyists. During the seminar, an analysis and control software for RepRap printers was written. Hence, we focus on the overall workflow and tools and less on algorithms and theory.
Here, the task of solder paste dispensing was chosen to be explored in detail. This work establishes the groundwork for more complex tasks like the picking and placing of electronic components.

2 Motivation

The ongoing miniaturization of electronic products like smartphones and Ultra Books has led to a new form factor for electronic components. Surface-mounted devices (SMD) are already widespread in electronic design and production. As a result, previously used through-hole components are gradually being phased out. This miniaturization of SMD components is an ongoing trend and raises the barrier for hobbyists to produce PCBs themselves. Soldering and placement of 0401-sized resistors or BGA packages is no longer possible by hand.

This work is motivated by the vision to build an all-in-one machine for the complete process of prototype PCB assembly (PCBA). To accelerate the development process and to reduce costs, all of these tasks could be handled by a single workbench 3D printer / CNC mill. The PCB production process can roughly consist of the following steps:

  1. Isolation milling or pen plotting of PCB traces
  2. Drilling of holes and contours
  3. Solder paste dispensing for SMD pads with a syringe
  4. Pick-and-place of SMT components with vacuum
  5. Soldering with hot air, a hot plate or by a laser

For the scope of this paper, the process of solder paste dispensing was chosen. This task offers the biggest margin to profit from computer vision. Industrial mass production uses stencils to apply solder paste onto the PCB. For small prototype assemblies the fabrication of stencils is not worthwhile. Therefore, solder paste is applied manually with a pressurized syringe, which is held by hand.
The dispensing of solder paste requires knowledge of the exact solder pad positions and dimensions. Traditionally, this information is exported by CAD design tools and is required to produce the stencils.
But sometimes the CAD data is not available or is stored in an inaccessible proprietary format. This paper presents techniques to gather the pad locations and dimensions by means of computer vision.

Fig. 1: Solder paste dispensing techniques
Fig. 2: 0805-sized resistor