Recent Updates Toggle Comment Threads | Keyboard Shortcuts

  • MD1032 12:10 pm on August 17, 2015 Permalink | Reply  

    FreeRADIUS two factor authentication (OTP and Password) 

    MultiOTP is a tool to verify one-time passwords from hardware or software HOTP or TOTP devices. In the README they describe how to set up FreeRADIUS for OTP verification. By default, MultiOTP requires entering a 4 digit personal PIN plus the token (usually 6 digits). For better security in multi-factor authentication (MFA), it’s a good idea to use a stronger password than a 4 digit PIN and concatenate it with the OTP. Combining the password and token in one field allows two factor authentication for a lot of older devices that don’t support multiple authentication challenges natively.

    In order to do that, we create a user in FreeRADIUS with an encrypted password. We configure FreeRADIUS for multiOTP according to the instructions. We set “request_prefix_pin=0” in the multiOTP user config file and in multiotp.ini to disable the PIN check.

    Then we change the “authorize” section in FreeRADIUS config “sites-available/default” to:

    authorize {
        if (User-Password =~ /^(.*)([0-9]{6})$/) {
                update request {
                        User-Password := "%{2}"
                }
                multiotp.authenticate
                if (ok) {
                        update request {
                                User-Password := "%{1}"
                        }
                }
        } else {
                reject
        }
        files 
        expiration
        pap
}

    The password of an incoming request is now split into password and 6 digit token via regex. The second match (OTP) is authenticated against the multiotp backend. If successful, the token is stripped from the password for further processing. If the token or the password format is incorrect, the request is rejected.

    After the OTP has been validated, we read the user accounts, password and expiration times from the “users” file using the “files” module. After the expiration check, the password is validated via PAP.

     

    • multiOTP 3:26 am on August 29, 2015 Permalink

      Hello,

      Nice configuration, we hope that multiOTP satisfies your needs. Please note that even if multiOTP is talking about PIN code, we are supporting long passwords as the PIN.

      It’s also possible to synchronize the users of multiOTP with an AD/LDAP, and i nthis case, the prefix password is the AD/LDAP password.

      Best regards,

      Andre

    • multiOTP 3:31 am on August 29, 2015 Permalink

      multiOTP open source is now also available as a ready to use virtual appliance!
      Best regards, and don’t hesitate to send us suggestions!
      Andre

  • MD1032 9:40 pm on April 11, 2015 Permalink | Reply  

    Nomachine reports “ERROR: Unsupported operating system ‘linux'” 

    I’m trying to install Nomachine NX Enterprise Server on Ubuntu, and the installation of the .deb package fails with:

    NX> 704 ERROR: Unsupported operating system 'linux'

    After looking at the install script, I found a simple solution:

    sudo touch /etc/debian_version

     

  • MD1032 7:12 pm on October 29, 2014 Permalink | Reply  

    Two-factor authentication for mySQL users 

    I want to authenticate mySQL users with a password and a token on Ubuntu, so I figured out a way to do this using MariaDB, PAM and Google Authenticator.

    First we need a plugin for mySQL that can authenticate users against PAM. The non-free enterprise version of mySQL has authentication_pam.so. I’m not an Enterprise customer, so I decided against this one.

    A free implementation is available from Percona . To make it work with Oracle mySQL, the plugin auth_pam_compat.so must be used. The problem with this plugin is that cleartext passwords must be enabled in the mySQL client. I didn’t like that idea so I replaced Oracle mySQL with MariaDB.

    sudo apt-get install mariadb-server mariadb-client

    Verify that MariaDB runs fine. Then follow the installation guide for the Percona auth_pam.so plugin. Install some dependencies first:

    sudo apt-get install libpam-dev libmysqlclient-dev automake autoconf libtool build-essential bzr

    then checkout the plugin source from launchpad via bazaar, ./bootstrap, ./configure, make, sudo make install. Load the plugin via /etc/mysql/my.cnf:

    [mysqld]
    plugin-load=auth_pam.so

    and restart the mySQL server. Create a mySQL user according to the Percona installation instructions. It has to be a local system user and it must use the auth_pam plugin. Now install Google Authenticator on Ubuntu and on your smartphone.

    sudo apt-get install libpam-google-authenticator pamtester
    google-authenticator

    Say yes to all questions and take a picture of the QR code using the phone. Then create a directory for the token files:

    sudo mkdir -p /var/lib/mysql-2fa/USERNAME
    sudo mv /home/USERNAME/.google_authenticator /var/lib/mysql-2fa/USERNAME
    sudo chown mysql. -R /var/lib/mysql-2fa

    This is necessary as the Google Authenticator PAM plugin will run as the “mysql” user, which has no access to the token files in user’s home directories. Edit /etc/pam.d/mysqld :

    auth required pam_google_authenticator.so forward_pass secret=/var/lib/mysql-2fa/${USER}/.google_authenticator user=mysql
    auth required pam_unix.so use_first_pass
    account required pam_unix.so

    (the file has a total of three lines, what looks like the first two lines above needs to be in one line)

    Now mySQL needs to access some files related to PAM. Edit /etc/apparmor.d/usr.sbin.mysqld and add:

    /etc/pam.d/mysqld r,
    /lib/x86_64-linux-gnu/security/pam_*.so m,
    /lib/security/pam_google_authenticator.so m,
    /etc/pam.d/* rm,
    /etc/login.defs r,
    /etc/shadow r,
    /var/lib/mysql-2fa/** rwk,

    The mysql user also needs to be part of the ‘shadow’ group:


    adduser mysql shadow

    Try to authenticate using pamtester:

    # sudo -u mysql pamtester -v mysqld my_username authenticate
    pamtester: invoking pam_start(mysqld, my_username, ...)
    pamtester: performing operation - authenticate
    Password & verification code:
    pamtester: successfully authenticated

    Check /var/log/auth.log for any errors. Everything works? Connect to the database with two factor authentication (concatenate password and token):

    # mysql -u my_username -p
    Enter password:
    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 1603
    Server version: 5.5.39-MariaDB-0ubuntu0.14.04.1 (Ubuntu)

    Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]>

    Wohoo!

     

  • MD1032 3:49 pm on August 16, 2014 Permalink | Reply  

    Disable annoying pop-up messages in VirtualBox 

    Run from command line:

    VBoxManage setextradata global GUI/SuppressMessages "all"

     

    • BillV 3:18 am on July 1, 2016 Permalink

      This doesn’t seem to work in VirtualBox 5.0.20 and 5.0.22 and looking at the change log for 5.0.24 it isn’t addressed. The xml file shows that running the above command indeed set the parameter to “all” but VirtualBox ignores it somehow.

  • MD1032 6:20 pm on November 7, 2013 Permalink | Reply  

    3G USB stick Huawei E169/E620/E800 HSDPA in Linux 

    Simply install the “wvdial” package and edit /etc/wvdial.conf:


    [Dialer Defaults]
    Phone = *99***1#
    Username = username
    Password = password
    Stupid Mode = 1
    Dial Command = ATDT

    [Dialer hsdpa]
    Modem = /dev/ttyUSB0
    Baud = 460800
    Init2 = ATZ
    Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
    ISDN = 0
    Modem Type = Analog Modem

    Then run “wvdial hsdpa” and you should be connected. I didn’t have to specify the Optus APN anywhere.

     

  • MD1032 2:35 pm on July 24, 2013 Permalink | Reply  

    CurlFTPfs: 95 Operation not supported 

    I’ve been using curlFTPfs with rdiff-backup and ran across this problem when creating the remote backup log file:

    ftpfs: operation ftpfs_open failed because Operation not supported
    unique: 889, error: -95 (Operation not supported), outsize: 16

    The curlFTPfs author says:

    “Be aware that some applications might not
    be able to “save” files on curlftpfs from 0.9.2 on, because
    we don’t support open(read+write) or open(write) and seek
    anymore.”

    Looking at /usr/lib/python2.7/dist-packages/rdiff_backup/log.py around line 76:

    try: self.logfp = rpath.open("a")
except (OSError, IOError), e:
   raise LoggerError("Unable to open logfile %s: %s"
         % (rpath.path, e))

    The file is opened with the append flag (“a”), which is write and seek. Replacing it with “w” fixes the problem, but truncates the log file, which is fine with me.

     

  • MD1032 8:30 pm on December 12, 2012 Permalink | Reply  

    OpenStack “backing file” cleanup script 

    Sometimes OpenStack leaves the “backing file” of the sparse root filesystem behind after a VM is destroyed. Those files are located in /var/lib/nova/instances/_base/ and can use up hundreds of GB. To find out which of those backing files are orphans and delete them, someone has posted a script, which I slightly improved:

    #!/bin/sh
cd /var/lib/nova/instances
find -name "disk*" | xargs -n1 qemu-img info | grep backing | sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
while read i; do
ARGS="$ARGS \( \! -path $i \) "
done < /tmp/ignore
eval "find /var/lib/nova/instances/_base/ -type f $ARGS -delete"

    Someone in the original post claimed that adding remove_unused_base_images = True to nova.conf would do this automatically, however I could not reproduce that on Folsom.

     

  • MD1032 1:33 pm on November 10, 2012 Permalink | Reply  

    How to create a bootable volume in Openstack Folsom 

    Wouldn’t it be nice to have the root filesystem of your Openstack VM inside a volume? This way you could install a lot of packages on the root partition without spreading the files over several volumes. You could take a snapshot of the entire system (OS & data) and boot right off it.

    Openstack Folsom supports this feature. Here’s how you can create your own bootable volume:

    • On your desktop machine, download the cloud image of the OS that you want to boot from a volume. I chose Ubuntu 12.10:
    • wget http://cloud-images.ubuntu.com/releases/quantal/release/ubuntu-12.10-server-cloudimg-amd64-disk1.img
    • Now convert it to RAW format using qemu-img
    • qemu-img convert -O raw ubuntu-12.10-server-cloudimg-amd64-disk1.img ubuntu-12.10-server-cloudimg-amd64-disk1.raw
    • Start up a regular VM from the Ubuntu cloud image (or any other image you have)
    • Create a volume (that you later want to boot from) and attach it to the VM
    • SSH into the VM and become root
    • check if your volume is attached with fdisk -l. The volume device name is /dev/vdb in my case
    • ssh into your desktop machine (or wherever you have the RAW image)  from the VM and write the image data directly into the volume device
    • ssh user@desktop cat ubuntu-12.10-server-cloudimg-amd64-disk1.raw > /dev/vdb

    If you want your root partition to be larger than 2GB, you can now resize it to the volume size. To do that, start parted, get the partition information, delete (!) the partition, create a new one with the same “start” value, but with (total size-1) as the end value. Partition type is “primary”, filesystem “ext4”.


    root@3:/home/ubuntu# parted /dev/vdb
    GNU Parted 2.3
    Using /dev/vdb
    Welcome to GNU Parted! Type 'help' to view a list of commands.
    (parted) unit B
    (parted) p
    Model: Virtio Block Device (virtblk)
    Disk /dev/vdb: 21474836480B
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 8225280B 2146798079B 2138572800B primary ext4 boot

    (parted) rm 1
    (parted) mkpart
    Partition type? primary/extended? p
    File system type? [ext2]? ext4
    Start? 8225280
    End? 21474836479
    Warning: The resulting partition is not properly aligned for best performance.
    Ignore/Cancel? i

    (parted) set 1 boot on
    (parted) p
    Model: Virtio Block Device (virtblk)
    Disk /dev/vdb: 21474836480B
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 8225280B 21474836479B 21466611200B primary ext4 boot

    (parted) q
    Information: You may need to update /etc/fstab.

    Now you can detach the volume in Horizon and create a new instance. Choose “Boot from Volume” in “Volume Options” and choose your volume. You may also take a snapshot of the volume first, if you want to preserve it in a fresh state for later. You still need to choose an image in the “Details” section, which makes no sense in this case, since the VM is entirely booted off the volume.

     

  • MD1032 5:03 pm on August 31, 2012 Permalink | Reply  

    collectd libvirt plugin build dependencies 

    When configuring collectd using ./configure –prefix=/usr/local –enable-libvirt , the modules section that’s displayed after configuring on my machine shows:

    libvirt . . . . . . . no (dependency error)

    The solution here is to install the libxml2-dev package in addition to libvirt-dev, since that is needed by collectd to parse the XML VM configuration stanzas that libvirt provides.

     

  • MD1032 3:43 pm on June 11, 2012 Permalink | Reply  

    Airport Extreme: update dynamic hostname through BIND 

    If you are the owner of an Apple Airport Extreme base station, you may have wondered if it is possible to assign a static hostname to your dynamically changing ADSL IP address. Many other routers offer this feature through one of the popular dynamic DNS services such as DynDNS. Apple however decided not to support the proprietary interfaces of those commercial services, but instead use a generic approach as described in RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE).

    Here’s how you can use this feature.

    Requirements:

    • Apple Airport Extreme Base Station
    • Airport Utility version 5.6 (the DNS update feature is not accessible in 6.0+)
    • a domain name where you can choose your own nameserver (most domain sellers allow this)
    • a (Linux) server running BIND9 on a static IP address

    Setup

    • for this setup I assume that your Linux box has the static hostname mybox.com on IP address 46.19.92.98. The domain name you want to use for your airport extreme is airport.mydomain.com. This means mydomain.com is owned by you and has its nameserver set to mybox.com.
    • Install BIND version 9 on your Linux server (e.g. “sudo apt-get install bind9”) and create a zone file for your domain. You can put it in /etc/bind/zones/mydomain.com.db and make it look like this:
    $ORIGIN .
$TTL 86400	; 1 day
mydomain.com		IN SOA	mybox.com. mailaddress.gmail.com. (
				2012060524 ; serial
				28800      ; refresh (8 hours)
				7200       ; retry (2 hours)
				864000     ; expire (1 week 3 days)
				86400      ; minimum (1 day)
				)
			NS	mybox.com.
			A	46.19.92.98
			MX	10 mydomain.com.
$ORIGIN mydomain.com.
*			A	46.19.92.98
$ORIGIN _dns-sd._udp.mydomain.com.
b			PTR	mydomain.com.
db			PTR	mydomain.com.
dr			PTR	mydomain.com.
lb			PTR	mydomain.com.
r			PTR	mydomain.com.
$ORIGIN _udp.mydomain.com.
_dns-update		SRV	0 0 53 mybox.com.
    • google for some BIND tutorials if you need more information on the zone file configuration
    • make sure port 53 UDP is open in your Linux box’s firewall
    • create a RNDC key. This is the “password” used to update your DNS zone. Run “rndc-confgen -a -c /etc/bind/rndc.key”
    • add the following to your /etc/bind/named.conf.local:
    include "/etc/bind/rndc.key";
zone "mydomain.com" {
      type master;
      file "/etc/bind/zones/mydomain.com.db";
      update-policy {
        grant rndc-key name airport.mydomain.com A;
      };
};
    • ensure that your zone file and the named.conf.local have permissions -rw-r–r– and are owned by root, group bind.
    • on Ubuntu 12.04 I had to edit the file /etc/apparmor.d/usr.sbin.named and change the line “/etc/bind/zones/** r,” to “/etc/bind/zones/** rw,”
    • restart apparmor and bind
    • check the syslog for any bind errors
    • if you’ve just changed the nameserver of domain.com to mybox.com, it may take 24h or more for this update to reach your provider’s DNS cache
    • check your nameserver configuration with “dig”. “dig a domain.com” should give you an answer section with your Linux box’s IP address. “dig ns domain.com” should return mybox.com. “dig PTR b._dns-sd._udp.domain.com” should return domain.com.
    • when everything works as expected, we can now configure Airport Extreme. Open “Airport Utility 5.6”, choose the “base station” tab and click “Edit…”. Configure it as in the screenshot below. The password is the “secret” as mentioned inside your rndc.key file. Enter it without the quotes.
    • click “Done” and “Update”. Your Airport Extreme should update the DNS A record for airport.domain.com every 15 minutes. In your syslog it looks like this:

    Jun 11 07:15:07 alderaan named[31953]: client 40.224.233.149#5353: updating zone 'domain.com/IN': deleting rrset at 'airport.domain.com' A
    Jun 11 07:15:07 alderaan named[31953]: client 40.224.233.149#5353: updating zone 'domain.com/IN': adding an RR at 'airport.domain.com' A

    • you can now reach your home network from anywhere through the hostname “airport.domain.com”. Success!!
     

    • belkone 8:21 am on September 14, 2014 Permalink

      Hi, I know, that article is from 2012, but should it works right now? When I try to setup dns using your solution I have in logs: named[5798]: client xx.xx.xx.xx#61698: update ‘zzz.zzz.zzz/IN’ denied. Can you tell me what am I doing wrong?

    • Liviu P. 5:14 am on September 29, 2015 Permalink

      Very interesting article. I can confirm it works but i think BIND is not giving back the right answer to apple airport router since the router sends DNS update very very often (5 times a minute). I think the answer should contain ttl value (lease time) but i didn’t figure out how to do that with BIND and i wrote my own dns server.

    • Sanigo 2:25 am on May 19, 2016 Permalink

      It is a good article, and it did work! But i have the same problem as Liviu, the router sends update too frequently. I have no idea about this.

← Older posts

c
Compose new post
j
Next post/Next comment
k
Previous post/Previous comment
r
Reply
e
Edit
o
Show/Hide comments
t
Go to top
l
Go to login
h
Show/Hide help
shift + esc
Cancel