Hello,

My name is Jesse Morgan. I am a Software Engineer at Amazon.com. I also backpack, sail, ski, and play with radios in the woods.

PGP Key: C663 9070 0831 1F3C

I've been building an OAuth2 (and IndieAuth)-based single sign-on system, with the intention of using it as the auth layer for a few things I plan to build for my own use. Along the way, I've been contemplating how I could use the same system for... well... everything. This morning I wondered if I could use it for my own git repositories.

Currently, my git repositories are in GitHub (I oscillate back and forth between self-hosting various things or using other services). I use an SSH key hidden away in a hardware key (Yubikey) for authentication. One downside of my current setup is that I need a somewhat finicky setup (GPG SSH Agent) on any machine where I want to use the key. Another is that only the most expensive Yubikeys have the ability to run the GPG Applet, I only have the one, and it's not always next to me when I want it. I have a handful of u2f-only security keys, so there's always one nearby.

GitHub's solution appears to be something like Gmail's app passwords. Basically a special password that you use for git operations, presumably each password is only used on a single machine. However, it's still a long-lived credential (floating around a disk in plain text even). Can I do better?

I did a bit of reading on how Git works over HTTP and came across a config option to pass extra HTTP headers. That would allow me to send an OAuth2 bearer token. So I could put Git behind a reverse proxy, which could be responsible for checking the access token. Now I just need to make getting and refreshing the access token somewhat convenient.

I recently built a command line tool for getting access tokens from the SSO service. It has two sub-commands: login, which will request or refresh an access token using the OAuth2 device flow, and curl, which passes the rest of the arguments to curl and adds an authorization header with the current token. I'm thinking of adding a new git-setup command, which would modify my git config with a new block for the git server, with the authorization header in the extraHeader option. This would be a short-lived credential that would last for a day. Future login commands would update the access token in the config. In a pinch, if I was in an environment where I couldn't use the CLI tool, I could get an access token from the website and pass the token into git.

So the initial setup would look something like this:

  $ sso git-setup https://git.jesterpm.net
  Go to https://... and enter code ABCD-EFGH to authorize access.

  $ cat ~/.gitconfig
  [http "https://git.jesterpm.net"]
      extraHeader = Authorization: Bearer xxxxxx

Then the day-to-day flow would look like:

  $ sso login    # Assuming it hasn't already been done for some other reason
  Go to https://... and enter code JKMNP-QRST to authenticate yourself.

  $ git push

I think I could arrive at a solution that was even more portable (that didn't need the sso tool to be installed). For example, I could have a hosted shell script so that I run curl https://git.jesterpm.net/login.sh | sh to set everything up, but I really don't find myself trying to access code on random machines much anymore.


Last weekend's progress on raised beds.

This is the private signal flag that I fly from my boat (or anywhere, really). A private signal (or a house flag) was traditionally a flag that represented the owner of the boat. They aren't very common anymore—the closest I usually see is someone flying Blackbeard's flags—but given my interest in archaic communication systems, here we are...

Jesse Morgan's Private Signal Flag

As best as I can describe it, it's a blue swallowtail flag, charged with two green right triangles, each surmounted by a white chevron, the peak of the first at the first third and the peak of the second at the crutch, with the second overlapping the first.

I designed it near the end of the summer of 2021. This was the favorite of a half-dozen or so iterations. All of them were blue, green, and white and vaguely represented both mountains and the letter M. All of those are fairly common elements, but I wanted the flag to be somewhat unique. After searching through Flags of the World, Wikipedia, and reverse image search, the most similar flags I could find were Ed Mitchell's reimagined flag for Montana and the flag for the city of Seward, Alaska. The swallowtail shape helps set it apart from most flags. It fits with the theme, since private signals were traditionally swallowtailed (perhaps for the same reason...). Along the way I also found the FlagWaver web app, which was really helpful to visualize how the flag would look with and without wind.

If, somehow, you found this page after seeing the flag, do let me know.

I finally decommissioned Californium, my 12-year-old Linode instance first launched 2009-12-19. It was a Gentoo installation that was so out of date that portage couldn't update anymore. I started this migration so long ago that its replacement has already been replaced once.

Circuit diagram

What's it going to be???

This still dark at 07:00 time of year is always so depressing. But just three more days until it starts to get better again.

NF 21

The best of my photos from this year's friends camping trip (of the photos without people).

Butcher block counter top with waterlox drying

First coat of waterlox on the countertop.

Network cable install

A year and a half into WFH and one house later, I have a wired network connection at my desk.

When I got the old boat motor back, the lower was still detached. It was also seized up. I was trying to reattach it to store everything away, but I needed to spin the shaft to line up the teeth. Out of curiosity, I started to disassemble the lower. As I worked at the shaft, this junk started pouring out the gear oil drain... It had the consistency of dirt with some salt crystals mixed in. I didn't have a magnet to check if it was ferrous, but I assume this is what was left of my gears.

Kitchen drawers (pre-paint)

And now I have drawers. I'll finish painting them tomorrow and then see how they fit.
