Updates from August, 2015

  • MD1032 12:10 pm on August 17, 2015

    FreeRADIUS two-factor authentication (OTP and password)

    MultiOTP is a tool that verifies one-time passwords from hardware or software HOTP or TOTP devices. Its README describes how to set up FreeRADIUS for OTP verification. By default, MultiOTP requires the user to enter a 4-digit personal PIN followed by the token (usually 6 digits). For stronger multi-factor authentication (MFA), it is a good idea to use a real password instead of a 4-digit PIN and concatenate it with the OTP. Combining password and token in one field makes two-factor authentication possible for many older devices that don’t natively support multiple authentication challenges.

    To do that, we create a user in FreeRADIUS with an encrypted password and configure FreeRADIUS for multiOTP according to the instructions. We set “request_prefix_pin=0” both in the multiOTP user config file and in multiotp.ini to disable the PIN check.

    Then we change the “authorize” section in the FreeRADIUS site config “sites-available/default” to:

    authorize {
            if (User-Password =~ /^(.*)([0-9]{6})$/) {
                    update request {
                            User-Password := "%{2}"
                    }
                    multiotp.authenticate
                    if (ok) {
                            update request {
                                    User-Password := "%{1}"
                            }
                    }
            } else {
                    reject
            }
            files 
            expiration
            pap
    }

    The password field of an incoming request is now split by the regex into the password and the 6-digit token. The second match (the OTP) is authenticated against the multiotp backend. If that succeeds, the token is stripped from the password field for further processing. If the token is wrong or the field does not have the expected format, the request is rejected.

    After the OTP has been validated, the “files” module reads the user account, password and expiration time from the “users” file. After the expiration check, the password is validated via PAP.

    • multiOTP 3:26 am on August 29, 2015

      Hello,

      Nice configuration, we hope that multiOTP satisfies your needs. Please note that even though multiOTP talks about a PIN code, we support long passwords as the PIN.

      It’s also possible to synchronize the users of multiOTP with an AD/LDAP, and in this case the prefix password is the AD/LDAP password.

      Best regards,

      Andre

    • multiOTP 3:31 am on August 29, 2015

      multiOTP open source is now also available as a ready to use virtual appliance!
      Best regards, and don’t hesitate to send us suggestions!
      Andre

  • MD1032 7:12 pm on October 29, 2014

    Two-factor authentication for mySQL users 

    I want to authenticate mySQL users with a password and a token on Ubuntu, so I figured out a way to do this using MariaDB, PAM and Google Authenticator.

    First we need a plugin for mySQL that can authenticate users against PAM. The non-free enterprise version of mySQL has authentication_pam.so. I’m not an Enterprise customer, so I decided against this one.

    A free implementation is available from Percona. To make it work with Oracle mySQL, the plugin auth_pam_compat.so must be used. The problem with this plugin is that cleartext passwords must be enabled in the mySQL client. I didn’t like that idea, so I replaced Oracle mySQL with MariaDB.

    sudo apt-get install mariadb-server mariadb-client

    Verify that MariaDB runs fine. Then follow the installation guide for the Percona auth_pam.so plugin. Install some dependencies first:

    sudo apt-get install libpam-dev libmysqlclient-dev automake autoconf libtool build-essential bzr

    then check out the plugin source from Launchpad via Bazaar and run ./bootstrap, ./configure, make and sudo make install. Load the plugin via /etc/mysql/my.cnf:

    [mysqld]
    plugin-load=auth_pam.so

    and restart the mySQL server. Create a mySQL user according to the Percona installation instructions. It has to be a local system user and it must use the auth_pam plugin. Now install Google Authenticator on Ubuntu and on your smartphone.

    sudo apt-get install libpam-google-authenticator pamtester
    google-authenticator

    Say yes to all questions and take a picture of the QR code using the phone. Then create a directory for the token files:

    sudo mkdir -p /var/lib/mysql-2fa/USERNAME
    sudo mv /home/USERNAME/.google_authenticator /var/lib/mysql-2fa/USERNAME
    sudo chown mysql. -R /var/lib/mysql-2fa

    This is necessary because the Google Authenticator PAM plugin will run as the “mysql” user, which has no access to the token files in users’ home directories. Edit /etc/pam.d/mysqld:

    auth required pam_google_authenticator.so forward_pass secret=/var/lib/mysql-2fa/${USER}/.google_authenticator user=mysql
    auth required pam_unix.so use_first_pass
    account required pam_unix.so

    (The file has three lines in total; what may be rendered as the first two lines above is a single line.)

    Now mySQL needs to access some files related to PAM. Edit /etc/apparmor.d/usr.sbin.mysqld and add:

    /etc/pam.d/mysqld r,
    /lib/x86_64-linux-gnu/security/pam_*.so m,
    /lib/security/pam_google_authenticator.so m,
    /etc/pam.d/* rm,
    /etc/login.defs r,
    /etc/shadow r,
    /var/lib/mysql-2fa/** rwk,

    The mysql user also needs to be part of the ‘shadow’ group:

    adduser mysql shadow

    Try to authenticate using pamtester:

    # sudo -u mysql pamtester -v mysqld my_username authenticate
    pamtester: invoking pam_start(mysqld, my_username, ...)
    pamtester: performing operation - authenticate
    Password & verification code:
    pamtester: successfully authenticated

    Check /var/log/auth.log for any errors. Does everything work? Then connect to the database with two-factor authentication (enter the password and the token concatenated):

    # mysql -u my_username -p
    Enter password:
    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 1603
    Server version: 5.5.39-MariaDB-0ubuntu0.14.04.1 (Ubuntu)

    Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]>

    Wohoo!
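The credential-splitting scheme both posts rely on (the FreeRADIUS unlang regex `^(.*)([0-9]{6})$` above and pam_google_authenticator’s forward_pass here) written out in plain Python, as an added example that is neither multiOTP’s nor the PAM module’s code: the trailing six digits are verified as an RFC 6238 TOTP with a one-step clock-drift window, and the remainder is checked against a salted PBKDF2 hash that stands in for the “users” file or pam_unix. The TOTP secret is the RFC 6238 reference secret; the salt, the password “hunter2” and the record layout are constructed for the example.

```python
import hashlib
import hmac
import re
import struct

# Split rule shared by the FreeRADIUS unlang regex and pam_google_authenticator's
# forward_pass: everything before the trailing six digits is the password.
CRED_RE = re.compile(r"^(.*)([0-9]{6})$", re.DOTALL)

def split_credential(field):
    """Return (password, otp), or None when no 6-digit token trails the field."""
    m = CRED_RE.match(field)
    return (m.group(1), m.group(2)) if m else None

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the time-step counter (30 s, as Google Authenticator uses)."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, otp, unix_time, window=1):
    """Accept the current step and `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(hotp(secret, unix_time // 30 + d), otp)
               for d in range(-window, window + 1))

def hash_password(password, salt):
    """Stand-in for the password store (users file / pam_unix): salted PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def authenticate(field, record, unix_time):
    """Same order as the authorize section: reject bad format, check OTP, then password."""
    parts = split_credential(field)
    if parts is None:
        return "reject"
    password, otp = parts
    if not verify_totp(record["totp_secret"], otp, unix_time):
        return "reject"
    if hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        return "ok"
    return "reject"

# Constructed record: RFC 6238 reference secret, made-up salt, password "hunter2".
USER = {"totp_secret": b"12345678901234567890", "salt": b"constructed-salt"}
USER["pw_hash"] = hash_password("hunter2", USER["salt"])
```

Note that a field consisting of exactly six digits splits into an empty password plus a token, so only the password check that follows the OTP check rejects it; the unlang regex behaves the same way.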

     
    • Simon 7:22 pm on March 10, 2020

      Hello. I know this was written a while back. But my query is how does this affect applications using the database?

  • MD1032 2:34 pm on March 20, 2012

    RAID5 array of 6 SSDs Performance Evaluation 

    I’ve got six Crucial m4 SSDs with 256GB each in a RAID5 array, resulting in 1.2TB of usable disk space. The SSDs are connected via SATA3 to a Gigabyte 990FX UD7 board. I’m running 64-bit Ubuntu 11.10 server.

    The following two articles offer some good ideas on performance tuning the SSD RAID:
    http://h3x.no/2011/07/09/tuning-ubuntu-mdadm-raid56
    https://wiki.archlinux.org/index.php/Solid_State_Drives

    The chunk size on /dev/md127 is 512k, which is the default in Ubuntu and matches the 512k erase block size of the Crucial m4 disks. I’ve decided to partition the disks with “gdisk”, using a GPT. The partition starts at sector 2048 to align with the chunk size. The filesystem is ext4 with a 4k block size and a stride of 128 blocks, which again matches the 512k erase block size. There was no need to pass any special options to mkfs.ext4; it was all autodetected.

    I’m using the following optimizations in /etc/rc.local:

    # Resolve the md UUID symlink to the kernel device name (e.g. /dev/md127 -> md127)
    md=$(basename "$(readlink -f /dev/disk/by-id/md-uuid-f70a5a71:577d6424:8ca4b9cf:265a61a3)")

    echo 32768 > /sys/block/$md/md/stripe_cache_size   # larger RAID5 stripe cache
    blockdev --setra 4096 /dev/$md                      # read-ahead, in 512-byte sectors

    # Put every Crucial m4 member disk on the noop scheduler. The -partN symlinks
    # point at partitions, which have no queue/scheduler of their own, so skip them.
    for s in /dev/disk/by-id/ata-M4*; do
      case $s in *-part*) continue ;; esac
      NODE=$(basename "$(readlink -f "$s")")
      echo noop > /sys/block/$NODE/queue/scheduler
    done

    Make sure /etc/rc.local is run by bash, not sh. The block device scheduler for the SSDs is set to “noop”, since there is no seek time on the SSD.

    Here are some benchmarks:

    root@localhost:/mnt/ssd# dd of=file.bin if=/dev/zero bs=1G count=10
    10+0 records in
    10+0 records out
    10737418240 bytes (11 GB) copied, 20.4972 s, 524 MB/s
    root@localhost:/mnt/ssd# dd if=file.bin of=/dev/null
    20971520+0 records in
    20971520+0 records out
    10737418240 bytes (11 GB) copied, 16.53 s, 650 MB/s

    650MB/s read speed is not too bad!

    You may also want to add GRUB_CMDLINE_LINUX_DEFAULT="bootdegraded=true" to /etc/default/grub so that the system can still boot when the array is degraded.

    Note that there is no TRIM support for software RAID5 yet (only levels 0, 1 and 10 as of Linux 3.3), but support for levels 4, 5 and 6 is in the works. Until then, a regular wipe of all SSDs may keep performance steady.

  • MD1032 6:43 pm on August 25, 2011

    Display all installed Ubuntu packages sorted by size 

    dpkg-query -W -f'${Package}\t${Installed-Size}\t${Status}\n' |\
    awk '/installed$/ { print $2 "\t" $1 }' |sort -n

  • MD1032 12:09 am on March 1, 2011

    WordPress 3.0.5 & Debian & blank screen when inserting objects 

    When I try to insert an image into a blog post, all I get is a blank white page. The source code of that page reveals some JavaScript, and the Firefox error console reports “win.send_to_editor is not a function”. I’ve found countless postings on the web from other users who had this problem; none of their solutions helped me.

    In the end it came down to the fact that I was using the WordPress 3.0.5 Debian sid package. According to the Debian guidelines, Debian packages should not bundle software that is already packaged separately for Debian. This is why the wordpress package depends on some PHP libraries and on tinyMCE and symlinks to them from inside the /usr/share/wordpress directory. Apparently there were incompatibilities between some of those external libraries and WordPress 3.0.5 which prevented me from inserting objects into the editor.

    Long story short, I’ve removed the Debian package and am now running wordpress from source, which works like a charm.

  • MD1032 4:14 pm on October 14, 2010
    Tags: ubuntu apt

    Reinstall all installed Ubuntu packages 


    for pkg in `dpkg --get-selections | egrep -v deinstall | awk '{print $1}'` ; do apt-get -y install --reinstall $pkg ; done

  • MD1032 1:46 am on October 10, 2010
    Tags: ati, fglrx, radeon

    fglrx in Ubuntu 10.10: disable underscan 

    Do you see black borders on your TV when you connect your Linux HTPC with an ATI Radeon chipset/card? Usually you would be able to change overscan/underscan settings in the graphical ATI tool – but my plasma is detected as a projector, some underscan is applied, and the slider to correct it is missing.

    The solution lies in the command-line tool aticonfig. It allows you to set the relative screen position and the absolute screen size. Create a new file containing this script:

    aticonfig --set-dispattrib=dfp1,positionX:0
    aticonfig --set-dispattrib=dfp1,positionY:0
    aticonfig --set-dispattrib=dfp1,sizeX:1920
    aticonfig --set-dispattrib=dfp1,sizeY:1080

    and make it executable. Now configure it as a “startup application” in the Ubuntu preferences. There’s a catch though: you need to find out the name of your display device first. Mine is called “dfp1”. Have a look at your /var/log/Xorg.0.log and find the line similar to

    [    25.483] (II) fglrx(0): Connected Display0: DFP1

    and insert the correct name into the script. Also make sure you set the correct display resolution. Run the script or log off and back on, and the black borders should be gone.

    • frans 3:21 pm on January 10, 2012

      Thanks for this fix, works great.

    • kevin 2:28 am on December 22, 2012

      this fixed my projector as well… why isn’t the default to not over/underscan the damn screen? the edid info has proper hz and res in the rest of the tools. wtf ati?

  • MD1032 7:47 pm on October 8, 2010
    Tags: hack, udev

    Disable automatic udev rules for network interfaces in Ubuntu 

    If you want to deploy an Ubuntu image across different hosts, each time you boot it on a new machine a new udev rule for its network card will be created, and you end up with eth1, eth2, and so on. There are different ways to work around this problem. Here is a simple approach that completely disables the automatic rule file generation:

    1. rm /etc/udev/rules.d/70-persistent-net.rules
    2. mkdir /etc/udev/rules.d/70-persistent-net.rules

    It’s a hack, it’s not pretty, but it works: with a directory occupying that name, udev can no longer write a rules file there.

  • MD1032 11:54 pm on March 22, 2006

    Thunderbird IMAP TLS Bug 

    Thunderbird seems to be a bit buggy when connecting via IMAP/TLS to a Courier server. When Courier is set up to disallow non-TLS connections, it advertises STARTTLS and LOGINDISABLED. The mail client is then expected to send the STARTTLS command before logging in. Thunderbird doesn’t do that: as soon as it sees LOGINDISABLED, it aborts the connection with an error message. This happens even if the account settings in Thunderbird are set to require TLS.

  • MD1032 7:51 pm on March 15, 2006

    Debian, make and kernel rebuild troubles 

    Building the Linux kernel on my Debian/unstable machine recently caused some trouble: every time I ran make, all files were recompiled, not just those belonging to the modules I had just added. The problem is related to the latest make version, 3.81rc-1. Downgrading to 3.81beta4 solved it for me. It’s actually a bug in kbuild, but it can take months until the kernel includes a fix.

     