Tuesday, September 3, 2013

One-time passwords with phone-token

Going on vacation? Maybe you don't want to enter your password on a shared computer in a rough hostel? Enter OATH!

Server side, as root:

Prerequisites:
Open a root shell and keep it open (if you break PAM by accident it is very hard to log in again).
Make sure that your clock is correct! (install ntp; time-based codes are computed from the current time, so a skewed clock means rejected codes)

Time to edit PAM:
vi /etc/pam.d/sshd

Comment out the:
# Standard Un*x authentication.
#@include common-auth

Instead, put this in there:
auth    sufficient     pam_unix.so nullok_secure
# OATH OTP
auth    required     pam_oath.so usersfile=/etc/users.oath

We comment out @include common-auth because it would prompt for the regular password before the OTP, which we don't want here. Leave it in if you want two-factor authentication (password and OTP).

Edit OpenSSH config file:
vi /etc/ssh/sshd_config

Change ChallengeResponseAuthentication from no to yes:
ChallengeResponseAuthentication yes

restart sshd:
/etc/init.d/sshd restart

Now, lets add users to the /etc/users.oath:
echo "HOTP/T30/6 user - $(head -c 1024 /dev/urandom | openssl sha1 |awk '{print $2}')" >>/etc/users.oath

Change user above to the username that should be allowed to use OATH; the output should look like this:
HOTP/T30/6 jolt - XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Change the permission on the file, to root only:
chmod 0600 /etc/users.oath

Now the server side is complete.

Token:
Time to install OATH Token on your phone (or some other compatible OATH token software). Enter the hash from the config file under "Token Secret Key", and set OATH Token to be time-based.


As soon as you open OATH Token it will generate a new number that is valid for 30 seconds. Login and enjoy!

"Lock down token" makes sure that the token is never displayed again, which is a really nice touch.
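To see what the phone and pam_oath are agreeing on, here is an added example (my own code, not from the page or from oath-toolkit) that generates a users.oath line in the page's format, parses it back, and computes and verifies the same time-based codes (RFC 4226 HOTP under RFC 6238 TOTP, HMAC-SHA1, 30-second step, 6 digits) from the hex secret. The username and the generated secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def new_users_oath_line(user, secret_hex=None):
    """Build one /etc/users.oath line in the page's format:
    HOTP/T30/6 <user> - <hex secret>  (T30 = 30-second time step, 6 digits,
    '-' = no PIN).  Without a secret, a random 20-byte one is generated,
    the same size as the SHA-1 digest the page's echo command produces."""
    if secret_hex is None:
        secret_hex = secrets.token_hex(20)
    return f"HOTP/T30/6 {user} - {secret_hex}"


def parse_users_oath_line(line):
    """Split 'HOTP/T30/6 user - hexsecret' into user, step, digits and raw secret."""
    method, user, _pin, secret_hex = line.split()
    parts = method.split("/")               # e.g. ["HOTP", "T30", "6"]
    step = int(parts[1][1:]) if len(parts) > 1 and parts[1].startswith("T") else 0
    digits = int(parts[2]) if len(parts) > 2 else 6
    return {"user": user, "step": step, "digits": digits,
            "secret": bytes.fromhex(secret_hex)}


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the code for the current step and `window` steps either side,
    comparing in constant time.  A wider window tolerates more clock skew
    but also extends how long an observed code stays valid."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    line = new_users_oath_line("jolt")       # constructed entry, not a real user
    entry = parse_users_oath_line(line)
    print(line)
    print("current code:", totp(entry["secret"], time.time(), entry["step"], entry["digits"]))
```

Paste the hex secret from the generated line into the phone app's "Token Secret Key" and the code printed by the script should match what the phone shows (given a correct clock on both sides).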



Thursday, July 12, 2012

Su for groups only?

Got a question from #debian on Freenode:

Q: How can I restrict "su" access for users?

A: Edit /etc/pam.d/su and uncomment this line:
# auth       required   pam_wheel.so
If needed, adjust the other parameters in that file, such as time restrictions and whether a password is required.

Homebrew and Xcode 4.3.

Installed brew and some stuff never got compiled, even though I used --use-llvm (no standard gcc is shipped with later versions of Xcode). I downloaded the command-line tools from Apple, but still no go.

Turns out you should install those via Xcode instead (Preferences -> Downloads -> Command Line Tools). Install them and brew away!


http://mxcl.github.com/homebrew/

Xcode Preferences.

Sunday, July 8, 2012

Recover data from failing drive.

I have used dd in the past, but dd is not intelligent when copying data from a failing disk. What you want is software that intelligently copies bytes from different parts of the drive instead of getting stuck in a failing area.

ddrescue to the rescue! (pun intended). ddrescue covers all of the above and is available via
apt-get install gddrescue
(There is another program called dd_rescue, but it has largely been superseded by GNU ddrescue.)

Just fire up ddrescue with an infile and an outfile. I'll use a logfile as well, since I don't want it to re-read sectors from the failing drive that it has already read (the logfile records which areas are done, so an interrupted run can be resumed).


ddrescue /dev/sdX failingdrive.img failingdrive.log

And that's it!
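Before deciding whether the image is good enough to work on, it helps to know how much of the drive actually came across. The following is an added example (my own code, not part of the page or of GNU ddrescue) that parses the ddrescue logfile (mapfile) format written by the command above and totals the bytes per status. The sample mapfile is constructed for the demonstration; the status characters are the ones ddrescue documents.

```python
# Status characters used for data blocks in a GNU ddrescue mapfile (logfile).
STATUS_NAMES = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "rescued",
}

# Constructed sample in ddrescue's mapfile layout (not from a real drive), as
# if written by the command on the page after an interrupted run.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue
# Command line: ddrescue /dev/sdX failingdrive.img failingdrive.log
# current_pos  current_status  current_pass
0x00028000     +               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00001000  -
0x00011000  0x0000F000  +
0x00020000  0x00004000  ?
0x00024000  0x00004000  /
"""


def parse_mapfile(text):
    """Return a list of (pos, size, status) tuples from mapfile text.

    The first non-comment line is the status line (current position, current
    status, optional pass number) and is skipped; every later line must be a
    three-field block line."""
    blocks = []
    status_line_seen = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if not status_line_seen:
            status_line_seen = True
            continue
        fields = line.split()
        if len(fields) != 3 or fields[2] not in STATUS_NAMES:
            raise ValueError(f"malformed block line: {raw!r}")
        blocks.append((int(fields[0], 0), int(fields[1], 0), fields[2]))
    return blocks


def is_contiguous(blocks):
    """True when the blocks tile the device from offset 0 without gaps or overlaps."""
    expected = 0
    for pos, size, _ in blocks:
        if pos != expected or size <= 0:
            return False
        expected = pos + size
    return True


def summarize(blocks):
    """Byte totals per status plus the percentage of the device rescued."""
    totals = {name: 0 for name in STATUS_NAMES.values()}
    for _, size, status in blocks:
        totals[STATUS_NAMES[status]] += size
    totals["total"] = sum(size for _, size, _ in blocks)
    totals["rescued_pct"] = (round(100.0 * totals["rescued"] / totals["total"], 2)
                             if totals["total"] else 0.0)
    return totals


def bad_ranges(blocks):
    """Inclusive byte ranges ddrescue gave up on; files overlapping these are
    the ones to double-check after recovery."""
    return [(pos, pos + size - 1) for pos, size, status in blocks if status == "-"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPFILE
    blocks = parse_mapfile(text)
    if not is_contiguous(blocks):
        print("warning: mapfile blocks are not contiguous")
    for name, value in summarize(blocks).items():
        print(f"{name:>12}: {value}")
    print("bad ranges:", [(hex(a), hex(b)) for a, b in bad_ranges(blocks)])
```

Run it as python3 mapfile_summary.py failingdrive.log (hypothetical filename) against a real logfile; the non-tried and non-scraped totals tell you whether another ddrescue pass is worth the wear on the drive.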

When people have a failing drive they usually prioritize images for recovery, and for that we can use the splendid tool PhotoRec. PhotoRec can work directly on a drive or on an image file, but since I'm trying to be as gentle as possible with the failing drive I would rather use it on the drive image. I'll use a logfile here too, for resuming recovery, and specify a directory for the recovered images:

photorec /log failing-photos.log /d ~/recovered_images failingdrive.img

After that you will have to select which partition to search for images, or just specify the whole drive and search. Use apt-get install photorec to install (on Debian the photorec binary is shipped in the testdisk package, so install that if no photorec package is found).


Saturday, June 11, 2011

Time machine and crontab

Time Machine backups on OS X are nice, especially since you can restore your full system from them. What is not so nice is that they run all the time and transfer a huge number of files, so you don't want them to run very often.

Recognize the problem? Add it to crontab instead! Just edit your crontab (crontab -e) and add something like this:

25 3-7 * * * /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper &

This means that backupd-helper will run at 25 minutes past each hour from 03 to 07 (3:25 to 7:25 AM) every day. backupd-helper is the same thing that runs if you press "backup now" in the Time Machine preferences.

Oh, in the Time Machine prefs, set it to NOT run automatically (since the point is to run it from crontab). And no, backups will not be taken if your computer is asleep (since cron would be asleep as well..)


Thursday, April 28, 2011

Use a specific proxy connection with Chrome Web Browser in OSX

I travel a little bit now and then, so I use a few different wireless or fixed networks where I'm a guest. I tend to use Firefox a lot, and in Firefox I have set it to always browse via my proxy server at home (tinyproxy). The handy thing with Firefox is that the proxy setting applies only to Firefox, and that is a feature I've been missing in Chrome, which I tend to use more often these days.

In OSX there is a setting to use a proxy in System Preferences, but that setting applies to all programs (except Firefox in my case), which is not what I want. So today I googled whether there were any new add-ons for Chrome that could do that, and lo and behold, here is the solution (though not from an add-on...)

Type the following in a Terminal.app (or iTerm2, which is awesome)

open -a /Applications/Google\ Chrome.app --args --proxy-server=proxy.home.over.vpn:8888
I saved that string as an alias in .bashrc for reuse.

Taken from http://hints.macworld.com/article.php?story=20100213001826236

Wednesday, March 16, 2011

Exim4, dovecot with sqlite authentication

As I am moving away from courier to dovecot I also wanted to move away from the old courierauth DB and use something newer and slicker: sqlite3. Having all my SMTP and IMAP users in sqlite3 is nice, since they don't need an actual system user.

Creating the sqlite3 db is easy, just "sqlite3 /etc/dovecot/authdb.sqlite". I used the SQL query from the dovecot page:


CREATE TABLE users (
userid VARCHAR(128) NOT NULL,
domain VARCHAR(128) NOT NULL,
password VARCHAR(64) NOT NULL,
home VARCHAR(255) NOT NULL,
uid INTEGER NOT NULL,
gid INTEGER NOT NULL
);

The next step was to edit the /etc/dovecot/dovecot.conf and /etc/dovecot/dovecot-sql.conf. I just created the entries in the sqlite db manually (my courierdb is small)

insert into users values ('jolt', 'mekk.com','oldcryptedpw', '/home/courier/jolt','104','105');

where all of the values are directly from the /etc/courier/userdb.

Now the fun part: get exim4 to play well with sqlite. (I leave out the Exim dovecot config, since I used the exact same one as for courier, i.e. it's the same path. Read the Dovecot-courier migration document for config details.)

In exim I commented out my existing login: and plain: sections and replaced it with this:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
# PLAIN: $1 = authorization id (usually empty), $2 = username, $3 = password.
# ${quote_sqlite:...} doubles any single quote in the client-supplied values
# before they are spliced into the SQL text.
server_condition = "${if and { \
{!eq{$2}{}} \
{!eq{$3}{}} \
{crypteq{$3}{${lookup sqlite{/etc/dovecot/authdb.sqlite SELECT password FROM users WHERE ( domain = \
'${quote_sqlite:${domain:$2}}' \
AND userid = '${quote_sqlite:${local_part:$2}}') OR userid='${quote_sqlite:$2}' }{$value}fail}} }} {yes}{no}}"
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# LOGIN: the two prompts set $1 = username and $2 = password ($3 is empty here),
# so the lookup and crypteq use $1 and $2, unlike the PLAIN block above.
server_condition = "${if and { \
{!eq{$1}{}} \
{!eq{$2}{}} \
{crypteq{$2}{${lookup sqlite{/etc/dovecot/authdb.sqlite SELECT password FROM users WHERE ( domain = \
'${quote_sqlite:${domain:$1}}' \
AND userid = '${quote_sqlite:${local_part:$1}}') OR userid='${quote_sqlite:$1}' }{$value}fail}} }} {yes}{no}}"
server_set_id = $1

The above lines are just a modified version of the MySQL authentication example at the Exim wiki.

Now I tried exim4 and after changing the select clause a bit it actually worked!

Now back to dovecot. Dovecot needs to be configured (in /etc/dovecot/dovecot.conf) to use both passdb sql and fetch userdb info at the same time (enable userdb prefetch). I missed that myself, of course, so be warned:


# SQL database
passdb sql {
# Path for SQL configuration file
args = /etc/dovecot/dovecot-sql.conf
}

userdb prefetch {
}


And don't forget to disable PAM (just comment it out, and don't forget the closing }).


Then I needed to change the default crypt method to CRYPT (that's what my courierdb used, remember?). Here is the /etc/dovecot/dovecot-sql.conf config file for your reading pleasure:


# Database driver: mysql, pgsql, sqlite
driver = sqlite
connect = /etc/dovecot/authdb.sqlite


# Default password scheme.
#
# List of supported schemes is in
# http://wiki.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = PLAIN-MD5
default_pass_scheme = CRYPT

# and enable the last line for user and pw prefetch:
password_query = SELECT userid as user, password, home as userdb_home, uid as userdb_uid, gid as userdb_gid FROM users WHERE userid = '%u'




I think that's pretty much it, so good luck!
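To check the table and the two queries without touching a live mail server, here is an added example (my own Python, not code from the page, Exim or Dovecot) that creates the users table from the page's schema in sqlite3, inserts the page's sample row, and runs the Exim server_condition lookup and the Dovecot password_query with bound parameters in place of the client-supplied '$2' / '%u' spliced into the SQL text. Comparing the stored crypt(3) hash against a submitted password is left to Exim's crypteq and Dovecot's CRYPT scheme and is not reimplemented here; the row values are the ones the page shows.

```python
import sqlite3

# Schema from the page's dovecot example.
SCHEMA = """
CREATE TABLE users (
    userid   VARCHAR(128) NOT NULL,
    domain   VARCHAR(128) NOT NULL,
    password VARCHAR(64)  NOT NULL,
    home     VARCHAR(255) NOT NULL,
    uid      INTEGER      NOT NULL,
    gid      INTEGER      NOT NULL
);
"""


def open_authdb(path=":memory:"):
    """Open the auth database and create the users table if it is missing."""
    conn = sqlite3.connect(path)
    exists = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'").fetchone()
    if not exists:
        conn.execute(SCHEMA)
    return conn


def add_user(conn, userid, domain, crypted_password, home, uid, gid):
    """Insert one row; uid/gid are stored as integers rather than quoted strings."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
                 (userid, domain, crypted_password, home, int(uid), int(gid)))
    conn.commit()


def split_login(login):
    """Mirror Exim's ${local_part:...} and ${domain:...}:
    'jolt@mekk.com' -> ('jolt', 'mekk.com'); a bare 'jolt' -> ('jolt', '')."""
    local, at, domain = login.rpartition("@")
    return (local, domain) if at else (login, "")


def exim_lookup_password(conn, login):
    """The page's Exim server_condition query with bound parameters.  Returns the
    stored crypt(3) hash or None; the crypteq comparison is Exim's job."""
    local, domain = split_login(login)
    row = conn.execute(
        "SELECT password FROM users WHERE (domain = ? AND userid = ?) OR userid = ?",
        (domain, local, login)).fetchone()
    return row[0] if row else None


DOVECOT_FIELDS = ("user", "password", "userdb_home", "userdb_uid", "userdb_gid")


def dovecot_passdb_row(conn, user):
    """The page's dovecot-sql.conf password_query with %u bound as a parameter.
    The userdb_* columns are what 'userdb prefetch' consumes, so Dovecot needs
    no second userdb lookup."""
    row = conn.execute(
        "SELECT userid AS user, password, home AS userdb_home, "
        "uid AS userdb_uid, gid AS userdb_gid FROM users WHERE userid = ?",
        (user,)).fetchone()
    return dict(zip(DOVECOT_FIELDS, row)) if row else None


if __name__ == "__main__":
    db = open_authdb()
    # Row from the page (the password is the courier crypt hash, shown as a placeholder there).
    add_user(db, "jolt", "mekk.com", "oldcryptedpw", "/home/courier/jolt", 104, 105)
    print(exim_lookup_password(db, "jolt@mekk.com"))
    print(exim_lookup_password(db, "jolt"))
    print(dovecot_passdb_row(db, "jolt"))
```

Pointing open_authdb at /etc/dovecot/authdb.sqlite (as the user that owns the file) lets you confirm that a login in either form, jolt or jolt@mekk.com, resolves to the same row before you restart Exim and Dovecot.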

Saturday, October 23, 2010

Printing with Konica Minolta PP1300W in OSX Snow Leopard (over Time Capsule)

I was supposed to do this years ago, and I actually tried to, but I never got the Gutenprint stuff to work with the built-in CUPS of OSX. However, today was the day I thought I might just do it!

Turns out it was quite easy (after I tried all the different combinations that is...)

  1. Go to Linuxprinting and download the min12xxw dmg (min12xxw-0.0.92-ub.dmg).
  2. Download the Ghostscript stuff from the same page (gplgs-8.71.dmg)
  3. Run the installer for min12xxw
  4. Run the Ghostscript installer
  5. Add your printer (it will auto-select the Foomatic/min12xx driver)
  6. Save and print!

Monday, October 4, 2010

Automatically upgrade Debian with security updates

So, one of the boring tasks of being a sysadmin is to do updates. Well, it's not really boring, just a boring task of doing it if you have more than 10 systems or so.

Since I'm lazy and not really a sysadmin full-time, I'm cheating by using the unattended-upgrades package. Here is how you do it:

  1. Install unattended-upgrades
  2. Add the following to /etc/apt/apt.conf
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
  3. See if you need to modify
    /etc/apt/apt.conf.d/50unattended-upgrades
    (I didn't)
  4. Watch your logs for any errors during updates (I use logcheck for this)
  5. Read the additional info at https://wiki.ubuntu.com/AutomaticUpdates for more details about this feature if you want to.

Saturday, July 10, 2010

iPhone 3G iOS4 improved speed

After installing ios4 the phone became extremely sluggish, so I thought "why not google around when I'm at home with this shitty cold".

So, first you need to jailbreak your phone (i.e. redsnow or equivalent).
Then install OpenSSH, adv-cmds, Erica Utilities, vim and bash from Cydia or Rock (I prefer Rock to Cydia any day).

Now: start by changing the passwords of the root and mobile users to something not guessable.

--

First tip:

The first one I found was to enable some swap memory by uploading a plist that enables the dynamic pager:

Download com.apple.dynamic_pager.plist, scp it to the iphone and place it in /System/Library/LaunchDaemons/ and reboot.

If you are lazy the iMemory Enhancer is available from Cydia (but I like to know which file they are actually touching).

--

The second one is to disable some of the daemons that take care of background tasks.

Login via SSH and perform this:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

and continue with these (if they exist)

com.apple.CrashHousekeeping.plist
com.apple.DumpBasebandCrash.plist
com.apple.DumpPanic.plist
com.apple.ReportCrash.DirectoryService.plist
com.apple.ReportCrash.Jetsam.plist
com.apple.ReportCrash.SafetyNet.plist
com.apple.ReportCrash.SimulateCrash.plist
com.apple.ReportCrash.plist
com.apple.powerlog.plist
com.apple.racoon.plist (this is used by VPN subsystem, so don't remove if you use that)
com.apple.scrod.plist (used for voice, which the 3G doesn't support)
com.apple.tcpdump.server.plist
com.apple.apsd.tcpdump.en0.plist (thought to be used by push notification logging)
com.apple.apsd.tcpdump.pdp_ip0.plist ( -"- )
com.apple.wifiFirmwareLoader.plist (thought to be used for the new OTA (over-the-air) updates)

Oh, and you can do the same with sshd if you want to:
launchctl unload -w /Library/LaunchDaemons/com.openssh.sshd.plist
You can then start SSH when you want by using SBSettings

Now let's deactivate locationd at startup but let it start on request:

cd /System/Library/LaunchDaemons

plutil -convert xml1 com.apple.locationd.plist
vim com.apple.locationd.plist
------------------

search for RunAtLoad

change true ----> false

----------------
plutil -convert binary1 com.apple.locationd.plist
reboot

Do this under your own risk.

Found the info at modmyui

--

The iPhone 3G has shadows enabled by default for icons and the dock, which uses some power; removing some of the PNGs supposedly helps the graphics libraries, giving you more memory and power. So, remove/move these files from /System/Library/CoreServices/SpringBoard.app:

WallpaperIconShadow*.png
WallpaperIconDockShadow?.png

--

Also, on another note, people have seen some improvements by removing additional languages from applications. Not sure if it really matters or not, your mileage will vary:

http://a-common-hades.blogspot.com/2010/02/final-script-for-deleting-iphone.html