Simple Two-Factor SSH Authentication

23 09 2011

In a two-part post I’m going to show you some tricks you can do with SSH logins. This post covers setting up two-factor SSH authentication with the Google Authenticator app.

I was recently getting some servers in shape so I can pass the Payment Card Industry standards questionnaire and one requirement was two-factor authentication access to the server. I queried whether SSH key + passphrase was acceptable but didn’t get a clear answer so I figured I’d explore setting up another authentication factor myself, plus it piqued my interest.

After a bit of research I found it was possible using a PAM module, but that doesn’t work alongside SSH key authentication (only password authentication), and I only use SSH key logins for my servers.

The magic

I wanted to find the simplest method of implementing this so I started looking at what we can do with SSH itself. There is an option in the authorized_keys file that lets you run a command when a user authenticates with a particular key, e.g.

command="/usr/bin/my_script" ssh-dsa AAA...zzz me@example.com

The command="..." part invokes a different command upon key authentication and runs the /usr/bin/my_script instead. Now we’ve got a starting point to work on the Google Authenticator logic.

Simple implementation

I’ve chosen ruby to implement this simple example but in theory you could use anything you want. This is a naive implementation but it will prove the concept. You’re going to need the rotp library as well for this to work: gem install rotp.

We put the following in /usr/bin/two_factor_ssh

#!/usr/bin/env ruby
require 'rubygems'
require 'rotp'
# we'll pass in a secret to this script from the authorized_keys file
abort unless secret = ARGV[0]
# prompt on STDERR so the prompt never ends up in the output of scp/rsync etc.
STDERR.write "Enter the validation code: "
# read until we get a non-empty line; STDIN.gets returns nil at EOF
# (no tty, closed stdin), so bail out instead of calling .strip on nil
validation_code = nil
loop do
  line = STDIN.gets
  abort "Invalid" if line.nil?
  validation_code = line.strip
  break unless validation_code.empty?
end
# check the validation code against the current TOTP value for this secret
abort "Invalid" unless validation_code == ROTP::TOTP.new(secret).now.to_s
# user has validated so we'll give them their shell (or the command they asked for)
Kernel.exec ENV['SSH_ORIGINAL_COMMAND'] || ENV['SHELL']

The secret is in Kernel.exec which, upon successful validation, replaces the two_factor_ssh script process with the original command the user was attempting or their default shell, so it is a completely seamless experience from that point on.

Generating the secret

We need to generate a secret token that is shared between the Google Authenticator app and the server.

Here’s a little script that will spit out a new token and a link to a QR code that can be scanned into the Google Authenticator application.

#!/usr/bin/env ruby
require 'rubygems'
require 'rotp'
require 'cgi'
# a fresh base32 secret; this is what gets shared with the authenticator app
secret = ROTP::Base32.random_base32
# otpauth:// URI that Google Authenticator understands, labelled with this host's short name
data = "otpauth://totp/#{`hostname -s`.strip}?secret=#{secret}"
# QR code of that URI, rendered by the Google Chart image API (this endpoint has since been
# retired; any QR encoder fed the same otpauth URI produces a scannable code)
url = "https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=#{CGI.escape(data)}"
puts "Your secret key is: #{secret}"
puts url

Running this produces:

We can scan the QR code directly into Google Authenticator and then update our authorized_keys file as follows:

command="/usr/bin/two_factor_ssh 4rr7kc47sc5a2fgt" ssh-dsa AAA...zzz me@example.com

That should do it!

Testing it out

[richard@mbp ~]$ ssh moocode@myserver
Enter the validation code: wrong
Invalid
Connection to myserver closed.
[richard@mbp ~]$
[richard@mbp ~]$ ssh moocode@myserver
Enter the validation code: 410353
moocode@myserver:~$

Great, that seems to work as expected.

Wrapping up

I’ve got a slightly more involved example that adds in support for ‘remember me’ by IP address for a fixed period of time so you don’t have to reach for the phone on every single login from the same IP.

The extended example also does some primitive logging but I’d like to add in a better auditing system (another PCI compliance requirement) as this would allow us to know which key is used to log into the server and whether they validated.

We should also probably have a fallback mechanism (a master key or 5 one-time codes like Google does) so we don’t inadvertently lock ourselves out of the server.
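The validation script above leans on the rotp gem for the TOTP check. As an added example, not part of the original post, here is a stand-alone Ruby version that implements RFC 6238 TOTP directly on top of OpenSSL's HMAC (so the whole check can be read end to end) together with the extensions sketched in this section: a one-step drift window for clock skew, one-time backup codes that are consumed on use, ‘remember me’ by client IP with an expiry, and an audit line per attempt recording which key label was used and whether it validated. The state directory ~/.ssh/two_factor, the file names inside it, and the key label passed as a second argument from authorized_keys are assumptions of this example, not something the post specifies. One caveat worth pairing with any forced-command setup: sshd only runs the command when the client asks for a shell or command, so the authorized_keys line should also carry no-port-forwarding,no-X11-forwarding,no-agent-forwarding, otherwise the key could be used for forwarding alone without ever reaching the prompt.

```ruby
# Added example, not the original post's script: stand-alone TOTP (RFC 6238,
# HMAC-SHA1, 30 s steps, 6 digits) plus a drift window, one-time backup codes,
# "remember me" per client IP, and an audit log. The ~/.ssh/two_factor state
# directory and the key label as second argument are assumptions.
require 'openssl'
require 'fileutils'

BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
STEP   = 30

# RFC 4648 base32 decode; this is the secret format Google Authenticator scans.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    (BASE32.index(c) or raise ArgumentError, "bad base32 #{c.inspect}").to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# TOTP for the step containing unix_time: HMAC-SHA1 over the big-endian
# counter, dynamic truncation to 31 bits, then the low six decimal digits.
def totp(key, unix_time)
  hmac   = OpenSSL::HMAC.digest('sha1', key, [unix_time / STEP].pack('Q>'))
  offset = hmac.bytes.last & 0x0f
  code   = hmac[offset, 4].unpack('N').first & 0x7fffffff
  (code % 1_000_000).to_s.rjust(6, '0')
end

# Compare without leaking where the strings first differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current code or the one either side of it, to tolerate clock skew.
def totp_valid?(secret_b32, code, now = Time.now.to_i, window = 1)
  key = base32_decode(secret_b32)
  (-window..window).any? { |i| secure_compare(totp(key, now + i * STEP), code) }
end

# Backup codes: one per line; a matching line is removed so it cannot be reused.
def consume_backup_code(path, code)
  codes = File.exist?(path) ? File.readlines(path, chomp: true) : []
  idx = codes.index { |c| secure_compare(c, code) }
  return false unless idx
  codes.delete_at(idx)
  File.write(path, codes.map { |c| c + "\n" }.join)
  true
end

# "Remember me" file: lines of "client_ip expiry_epoch".
def remembered?(path, ip, now = Time.now.to_i)
  return false unless File.exist?(path)
  File.readlines(path, chomp: true).any? do |line|
    addr, expiry = line.split
    addr == ip && expiry.to_i > now
  end
end
def remember(path, ip, now = Time.now.to_i, ttl = 8 * 3600)
  live = File.exist?(path) ? File.readlines(path, chomp: true) : []
  live.reject! { |l| addr, expiry = l.split; addr == ip || expiry.to_i <= now }
  File.write(path, (live + ["#{ip} #{now + ttl}"]).map { |l| l + "\n" }.join)
end

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
def client_ip(env = ENV)
  (env['SSH_CONNECTION'] || '').split.first || 'unknown'
end

# One audit line per attempt: which key label, from where, and the outcome.
def audit(log_path, label, ip, outcome)
  stamp = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
  File.open(log_path, 'a') { |f| f.puts "#{stamp} key=#{label} ip=#{ip} result=#{outcome}" }
end

# Returns :remembered, :totp, :backup or :denied. The block prompts for a code
# and is only called when the client IP is not already remembered.
def decide(secret_b32, ip, state_dir, now = Time.now.to_i)
  remember_file = File.join(state_dir, 'remembered')
  return :remembered if remembered?(remember_file, ip, now)
  code = yield
  if totp_valid?(secret_b32, code, now)
    remember(remember_file, ip, now)
    return :totp
  end
  consume_backup_code(File.join(state_dir, 'backup_codes'), code) ? :backup : :denied
end

# Entry point for: command="/usr/bin/two_factor_ssh <secret> <label>" ssh-rsa AAA... me@example.com
if __FILE__ == $0 && !ARGV.empty?
  secret, label = ARGV[0], ARGV[1] || 'unlabelled'
  state_dir = File.join(ENV['HOME'], '.ssh', 'two_factor')
  FileUtils.mkdir_p(state_dir)
  ip = client_ip
  outcome = decide(secret, ip, state_dir) do
    STDERR.write 'Enter the validation code: '
    (STDIN.gets || '').strip
  end
  audit(File.join(state_dir, 'audit.log'), label, ip, outcome)
  abort 'Invalid' if outcome == :denied
  Kernel.exec ENV['SSH_ORIGINAL_COMMAND'] || ENV['SHELL']
end
```

Backup codes are whatever lines you put in ~/.ssh/two_factor/backup_codes (generate them randomly and keep them off the server as you would a master key); each one is deleted the moment it is accepted. The remembered file keeps one line per client IP and drops expired entries whenever a new one is written, and the audit log is a plain append-only text file so it can be shipped to whatever log collection you already run.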

Article: moocode.com

OpenSUSE Linux: Creating Self-Signed SSL Certificates

18 06 2009
Overview

At some point or another, you’ll likely end up needing an SSL certificate for a Web site somewhere along the line. For a commercial site, your hosting provider can or will help you get this all squared away. This article is not for people in that situation.

What we’re doing here will be to create our own Certificate Authority. Then, we’ll create our own server key and a signing request. Then, we’ll sign our own certificate using the key and certificate from our own Certificate Authority. In other words, we’re not just going to create an SSL certificate, but we’re going to sign that bad boy, too.

This is useful for personal websites that need a little security, or when you’re waiting for your real cert from a real Certificate Authority. Perhaps you need it for transmitting data from an external server to your Intranet. Or perhaps you need it in any of the three hundred thousand seven hundred forty-two other situations that may arise.






OpenSuSE 11.0 is out!!!

19 06 2008

Another one of those days that I look forward to …. yes, openSUSE 11.0 has been officially released.

“Looking at the list of Top500 supercomputers, we find that 20 of the top 50 run SUSE Linux. This ratio extends to the entire Top500 – around 40% run SUSE.”

If you have never heard of this distro, which is now known as the Mercedes-Benz of Linux, openSUSE originated in 2005, with Novell’s decision to begin developing the existing Suse Linux Professional product in collaboration with external developers, including bringing the community into the beta-testing process. Previously all development had been done in-house.

A lot has changed since openSUSE 10.3, and a lot of work has gone into improving openSUSE. In this release you’ll find updated versions of almost every program, a vastly improved installer, faster and easier package management, and much more. Features added to OpenSuse 11.0 since version 10.3, the latest stable version, include Linux kernel 2.6.25, Xen 3.2 virtualisation, windowing engine X.Org 7.3.

openSUSE 11.0 includes two branches of KDE — the KDE 3.5.x series, which is the stable and older KDE series that many openSUSE users are already familiar with, and the cutting edge KDE4. GNOME users will find a lot to like in openSUSE 11.0. openSUSE’s GNOME is very close to upstream GNOME, because Novell and openSUSE want to do as much work as possible in the upstream release. OpenOffice.org 2.4 provides openSUSE users with a top-notch office suite with a word processor (Writer), spreadsheet (Calc), presentation tool (Impress), and drawing software (Draw). Here’s some of the improvements you’ll see in openSUSE 11.0:

  • Rewritten installer that makes installation even easier
  • Faster and easier package management
  • Easier system updates with PackageKit
  • Easier 3-D effects with Compiz-Fusion and CCSM
  • KDE 4 – The next generation KDE Desktop
  • GNOME 2.22 – Latest and greatest GNOME release
  • Firefox 3.0 – openSUSE ships with Firefox 3.0 beta 5, will update to 3.0 final
  • OpenOffice.org 2.4 – Latest OpenOffice.org, with dozens of improvements and new features, including better VBA support, 3-D transitions in Impress, and import support for Microsoft Office 2007 document formats.
  • Banshee 1.0 – Major update to Novell-sponsored multimedia application.
  • Tasque – Simple and elegant to-do application.
  • NetworkManager 0.7 – Cutting edge release of NetworkManager, which includes support for EV-DO/UMTS cards.
  • PulseAudio – Better sound management in GNOME.
  • Linux kernel 2.6.25 – Most recent major release of the Linux kernel
  • Nearly every application has been updated since 10.3
  • More than 200 new features specific to openSUSE

It’s now easy to enable and configure Compiz in KDE and GNOME, using Simple CCSM, which is labeled Desktop Effects in the main menu. Using the Simple CCSM dialog you can enable/disable Compiz, and change some of the more prominent Compiz features without getting deep into all of the functionality of Compiz. From here you can choose effects profiles which vary from lightweight profiles with a few effects to more comprehensive sets of effects which may have a more marked effect on performance. More advanced users may want to delve deep into Compiz functionality with the CompizConfig Settings Manager (ccsm), which is also part of openSUSE 11.0’s default package set.

Check out the list of more than 200 new features specific to openSUSE.

Users have two options for installation — the live CDs, which feature a simplified installer that doesn’t require the user to make any decisions about package selection, and the openSUSE DVDs, which allow users to choose their desktop (including KDE 3.5 and Xfce, or no desktop at all) and other packages not included on the live CDs.

Screenshots: LiveCD installer, DVD installer, KDE 4.0.x desktop, KDE 3.5.x desktop, Gnome 2.22 desktop, Wine with its monumental 1.0 release.

Download openSUSE 10.3:

To install from the DVD, see openSUSE 11.0 DVD Installation. For live CDs, see openSUSE 11.0 Live-CD Installation. As I usually recommend, use torrents so as not to overload the FTP servers.

Download: Software.opensuse.org
Buy it: http://en.opensuse.org/Buy_openSUSE

Instructions are available as follows:

Installation from DVD/CD:
Official openSUSE 11.0 Start-Up guide
Step-by-step installation guide
Network Installation:
Internet Installation

Don’t forget to check out the openSUSE-Community.org website … a great place for information.

To get help, provide any feedback, ask questions, or get involved and help contribute to the openSUSE distribution, please communicate. There are several ways to get in touch with the openSUSE community, including:

If you find a bug, report it at http://bugzilla.novell.com; it will help openSUSE mature.

Expect posts on openSUSE from me. If you have some questions, or topics that you would like me to cover, regarding 11.0, let me know and I’ll see if I can.

A huge thanks to all those involved in the release, particularly all the community contributors, for making this an excellent openSUSE release!

Read the following to get yourself introduced to 11.0:

Article By: E@zyVG





web2py – Python Web Framework

11 06 2008

Free and open source full-stack enterprise framework for agile development of secure database-driven web-based applications, written and programmable in Python.

  • No installation, no configuration, no dependencies. All in one package. You can run it off a USB drive
  • Runs on Windows, OSX, Unix/Linux, and Windows CE phones.
  • Allows development, debugging, testing, deployment, maintenance and administration, including database administration, via the provided web interface.
  • Enforces good Software Engineering practices, like the Model-View-Controller design, validation and self-submission of forms.
  • Strong on security. Prevents the most common types of vulnerabilities: Cross Site Scripting, Injection Flaws, and Malicious File Execution.
  • Talks HTML, XML, RSS, ATOM, AJAX, JSON, RTF, CSV, WIKI, XML-RPC, REST, Flash, etc.
  • Dynamically and transparently generates SQL queries for you for SQLite, MySQL, PostgreSQL and Oracle. Even creates and alters tables for you when required. Performs automatic transactions.
  • Allows you to create apps easily, byte-code compile them, and distribute them in open or closed source under any license you like.
  • Faster than the competition, designed for small as well as large projects, includes the ability to upload/download/stream large files, internationalization support, distributed transactions, …

Get it here





Spicebird – Open Source Outlook Alternative

26 03 2008

Spicebird was created by a group called Synovel Technologies, “an opensource technology startup based in Hyderabad, India. They develop and contribute to Free and Open Source applications, especially in the enterprise communication and collaboration space.”

Spicebird is a collection of contact and collaboration tools, including Chat, Email, Calendar, Tasks and Contacts. What’s nice about the integrative approach to these tools is that, for example, you can check on a contact, and not only do you get basic contact information, you also see your contact’s online status, so you can IM this user via the built-in Chat window, or contact him via Jabber, if you choose. The application is built on top of mozilla Thunderbird, Sunbird, Xmpp4moz and adds more features and integration. The extensibility of the mozilla platform makes adding new tools and customization of the suite easy. Spicebird has a long road ahead to become a comprehensive communications suite.

Check out the Video Demo of the product.

Article By: E@zyVG





Open Source Living

31 12 2007

Hello,

I came across this site of all kinds of the greatest open-source software while browsing Linux & Open Source Blog. Please check it out. I’ll be adding it to my links page. This is my last post for the year 2007 and I wish all of you Happy Holidays and a Happy New Year!





Configuring Ruby Rails for Apache on SUSE Linux Enterprise Server

20 12 2007

I was browsing the net for a decent way to configure Apache and Rails and came across this article. I hope all you Ruby developers enjoy this…

Read Article