Using Google-Authenticator for free two-factor ssh authentication

Posted on February 12th, 2012 by Luke Sheldrick.
Categories: IT / Tech.


I’d consider myself a pretty security conscious person, so most of my stuff is either firewalled off, can only be accessed via a VPN, or requires a key of some sort (ssh keys), except for one box. That one box is the weak link in the chain, but it is there out of convenience. I have a box out there I can jump to, connect in with a password, and then get to everything else. However I hate having the weak link. The only reason I have it is that if I am somewhere without access to, say, my laptop, I can still jump on a shared machine and connect back to my kit.

Last week I was on a course and couldn’t use my laptop, so I was using one of the training centre’s computers. Throughout the course I’d check my emails, irc, etc., just using their standard installed PuTTY, connecting back to my server via ssh. However, how do I know what they have installed on their hotdesk computer? For all I know, they could have a keylogger sitting there happily recording my password. (Noted: a bit paranoid.) On the way home from the course I really wasn’t happy with that risk, so when I got home I naturally changed the password and checked the logs; no access seen, so happy for now. However I needed to find a way to fix this.

Googled about for a bit, then stumbled on Google-Authenticator. Now, I had read about this being released for Google accounts, so two-factor auth to check your GMail etc., however what I hadn’t realised is that they had released a PAM (Pluggable Authentication Module) to work with their authenticator. Neat! I spun up a VM in my lab and had a play, and it was very, very easy to get the module installed and working with SSH.

After compiling the PAM module, installing it, and updating the PAM config and SSHd’s, you’re pretty much ready to go. Users on the server have to enroll using the google-authenticator binary, which asks them a series of questions, then presents a URL which displays a QR code. Crank up the authenticator app on your favourite smartphone, and it should add the OTP config and start generating OTPs. Depending on whether you chose time-based or on-demand (counter-based) OTPs, you’ll see a countdown clock (until the next code) or a button to request a new code.

There are some really good guides on setting this up, so I won’t duplicate them. I’ve got it running on my Ubuntu jump box and a few CentOS servers in my lab. Seems perfectly stable so far. What I do like about this OTP solution vs some others such as RSA is that it doesn’t need to ‘call home’, so if for some reason the server is isolated from the internet, I can still authenticate using the OTP, as it’s based on RFC 4226 so is time based.
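To make the ‘doesn’t need to call home’ point concrete, here is an added example (not code from the original post or from the google-authenticator project) implementing HOTP (RFC 4226, the counter-based scheme the post cites) and TOTP (RFC 6238, the time-based scheme built on top of it). Server and phone hold the same shared secret; each side derives the code from that secret plus a counter or the current 30-second time step, so no network round trip is needed to check a code. The secret, account and issuer values below are constructed for the demo (the secret is the RFC test-vector key), and the verification window of one step either side is an assumption of this example, not a setting from the post.

```python
# Added example, not from the original post: minimal HOTP (RFC 4226) and
# TOTP (RFC 6238), the algorithms a Google Authenticator style OTP uses.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret, candidate, now, window=1, step=30, digits=6):
    """Accept the code for the current step and up to `window` steps either side,
    tolerating phone/server clock drift. compare_digest keeps the check constant-time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            ok = True            # no early return: timing does not reveal which step matched
    return ok


def base32_secret(secret):
    """The secret as the authenticator app expects it (the value behind the QR code)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def otpauth_uri(secret, account, issuer):
    """Key URI that the enrolment QR code encodes; the app scans this to add the account."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={base32_secret(secret)}&issuer={quote(issuer)}"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test-vector key), not a real one.
    demo = b"12345678901234567890"
    print(otpauth_uri(demo, "alice", "jumpbox"))
    print("current code:", totp(demo))
```

The `verify_totp` window is the reason a phone whose clock is half a minute off still works, and also why a server that accepts a wide window weakens the scheme: every extra step accepted is another valid code at any instant.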

I have read in a few places that GA and SSH keys cannot be used together, and that you should disable KeyAuthentication. Both can work alongside each other; however OpenSSH sees them as separate things. So if I try to authenticate using my private key, it will accept that and ask for no further authentication. What I think people are saying here is that if you want to still be challenged for your OTP when using your key, this won’t fit your requirements. For me, if I have my key, that is enough.

One thing I did put in place, which stops a bit of a chicken and egg situation, is that if you haven’t enrolled with google-authenticator on the jump box yet, you can still authenticate just using your password. I’ve given some people access to the jump box for various reasons, and not all of them use keys, so once I had implemented the dual-auth some of them couldn’t connect to be able to set up google-auth. Oops. To get this to work you need to add nullok to your PAM config line. I also added an option to echo the code as you’re typing it.

Your PAM config (eg /etc/pam.d/common-auth) should have a line like this for this to work (the module is pam_google_authenticator.so; the module name was missing from the original line):
auth    required    pam_google_authenticator.so    nullok echo_verification_code
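The two files the post says to change are easy to get subtly wrong: sshd_config uses the first occurrence of a keyword and ignores later ones, so a `ChallengeResponseAuthentication no` near the top silently wins over a `yes` appended at the bottom, and the OTP prompt simply never appears. The following is an added example, not code from the original post or from the google-authenticator project, that parses both files and reports whether the OTP prompt is actually reachable and whether the `nullok` escape hatch for unenrolled users is set. The sshd_config semantics assumed are those documented in sshd_config(5) (case-insensitive keywords, first value wins); the sample config texts are constructed for the demo.

```python
# Added example, not from the original post: sanity-check the sshd and PAM
# configuration that a google-authenticator SSH login depends on.
import re


def sshd_effective(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    sshd takes the FIRST occurrence of each keyword, so setdefault() models that.
    Parsing stops at the first 'Match' block: values there are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def sshd_allows_otp(text):
    """True when sshd will hand the login to PAM's keyboard-interactive prompt,
    which is what the google-authenticator module hooks into.
    Defaults assumed: UsePAM no, ChallengeResponseAuthentication yes (sshd_config(5))."""
    conf = sshd_effective(text)
    return (conf.get("usepam", "no").lower() == "yes"
            and conf.get("challengeresponseauthentication", "yes").lower() == "yes")


def pam_google_auth(text):
    """Locate the pam_google_authenticator line in a PAM config.
    Returns {'type', 'control', 'options'} or None when the module is absent."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "pam_google_authenticator.so" not in fields:
            continue
        idx = fields.index("pam_google_authenticator.so")
        # control may be a bracketed value containing spaces, so rejoin fields[1:idx]
        return {"type": fields[0], "control": " ".join(fields[1:idx]), "options": fields[idx + 1:]}
    return None


def allows_unenrolled(text):
    """The post's chicken-and-egg fix: nullok lets a user with no OTP file yet
    log in with password only, until they run google-authenticator."""
    entry = pam_google_auth(text)
    return entry is not None and "nullok" in entry["options"]


# Constructed sample: the common pitfall where a 'yes' added at the bottom never wins.
SSHD_CONFIG_BROKEN = """\
Port 22
ChallengeResponseAuthentication no
UsePAM yes
# added later by hand, but sshd keeps the first value above
ChallengeResponseAuthentication yes
"""

# Constructed sample: what the post's setup needs.
SSHD_CONFIG_OK = """\
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed /etc/pam.d/common-auth fragment matching the post's line.
PAM_COMMON_AUTH = """\
auth    required    pam_google_authenticator.so    nullok echo_verification_code
auth    [success=1 default=ignore]    pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""

if __name__ == "__main__":
    print("broken sshd_config reaches OTP prompt:", sshd_allows_otp(SSHD_CONFIG_BROKEN))
    print("fixed sshd_config reaches OTP prompt: ", sshd_allows_otp(SSHD_CONFIG_OK))
    print("unenrolled users may still log in:    ", allows_unenrolled(PAM_COMMON_AUTH))
```

Two caveats worth keeping in mind with this layout. `nullok` is a deliberate gap: anyone who has not yet created a `~/.google_authenticator` file is still password-only, so it is worth checking periodically which accounts remain unenrolled. And, as the post says, a public-key login never reaches the PAM prompt at all; OpenSSH 6.2 and later can require both factors with `AuthenticationMethods publickey,keyboard-interactive` in sshd_config, for setups where a key alone is not considered enough.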

You can get the modules over at Google Code. All in all, a pretty neat solution to my issue: whatever machine I log in from now, sure, you can steal my password, but unless you also have my unlocked phone to generate you a new OTP, you won’t be able to get in. The weak link is now a bit stronger.


Unsecured Call?

Posted on June 7th, 2011 by Luke Sheldrick.
Categories: IT / Tech.


“The Cellular network you are using is not encrypted. This call can be intercepted by unauthorized listeners”

Running the first iOS 5 beta on my iPhone 4. This came up when I received a call this afternoon.

Apple looking to put in end-to-end encryption of calls?


My ‘cloud’ IM setup

Posted on August 18th, 2010 by Luke Sheldrick.
Categories: IT / Tech.


For a long time now, I’ve had a number of different applications I use to connect to various different IM (instant messaging) mediums, such as Irssi for IRC, Pidgin for Jabber/MSN/etc on my desktops/laptops and usually BeeJive on my iPhone when I’m out and about.

This has all ‘kinda’ worked; it hasn’t been the most elegant of solutions, but it did do what I needed it to. Until you add something like the iPad to the mix.

The problem I had was that I’d be signed on to, say, MSN on my MacBook, and then decide I’ve worked enough for the day, so sign off. Then whilst watching TV in the evening, I’d want to send a message to someone who only uses MSN, so grab my iPad and sign on via BeeJive. Well, that kind of works, except that if I forget to sign off BeeJive, it keeps me online on their ‘cloud’, so I can connect back at any time via the iPad, but only the iPad.

If someone was to send me a message when the client is closed on the iPad, sure, it sends a push message to it, but to no other device. If I go out and I know someone has sent me a message, I can’t get to it via BeeJive on the iPhone, as it doesn’t keep them in sync. Same if I wanted to log in with the MacBook: I can’t see what that message was.

So I decided this doesn’t work how I want and need it to, and set about designing my own solution. The aim was to set something up running on my infrastructure, at little or no cost (not always easy when you add any iOS devices to the mix), and reliable.

What I came up with, works really well for me, so thought I’d document what I put together.

The server components run on a machine that is always on; this is the core of the solution. The underlying OS I used is a Fedora 14 box (so Fedora rawhide, the development branch). The packages I’ve used are widely available on pretty much every Linux distribution and in ports (OS X, *BSD), so the OS here really doesn’t make much of a difference.

Server side:
Irssi – a cross platform IRC client.
ZNC – a cross platform IRC bouncer.
BitlBee – a cross platform IM gateway for IRC.

Client side:
Colloquy Mobile – iOS IRC client – use this on the iPad and iPhone.
Adium (Beta) – OS X IM client – use the beta version as it supports IRC.
Pidgin – a cross platform IM client – use this on any Windows or Linux machines I happen to be on.

Again, the client side really doesn’t matter; as long as you have something you can connect to an IRC server with, it should be all good.

The setup uses BitlBee to connect to MSN, G-Talk, Jabber, Facebook chat, and pretty much any other IM network you’d want to connect into. BitlBee presents itself as an IRC server, and your contact list is all shown as a room. When you chat to someone you do so as you would traditionally. That part worked a treat.

At first I just had Irssi running with the proxy module enabled; this allows you to reconnect into your Irssi session with a local client and ‘pose’ as the remote session. This worked well, so I just left Irssi running in a remote screen session, then when I wanted to connect in and chat, I would just open, say, Pidgin locally, and it would connect to all the rooms the Irssi session had.

This was fine; however, Irssi on its own doesn’t support playback. What I mean here is, if someone had sent me a DM, Irssi would have it, but when I logged in with Pidgin, Irssi wouldn’t send me a copy of that message; it only forwards new messages. For these kinds of features I’d need to employ a bouncer, not the thuggish type that stands outside nightclubs, but an IRC bouncer.

I tried a few, but settled on ZNC. I should point out here that when using ZNC there isn’t really any need to keep Irssi in the equation any more; I just kept it as I have a few custom scripts and all my historic logs are there, so decided to keep it.

ZNC will connect to all your favourite IRC networks, keep you online, and when you connect to it with your client, it will replay all the conversations and DMs you missed since you last connected in. This was exactly the functionality I was looking for.

There are also a host of other cool things you can do with ZNC, so I have mine configured to set me away everywhere 5 minutes after my client disconnects. Also, if you team Colloquy Mobile up with ZNC, you can have it push message your iPhone or iPad if you’re mentioned in a chat, or if someone sends you a DM. I have mine set to only do this if there are no other clients connected, else when I’m at the computer having a conversation, both my iPhone and iPad have a bit of a push message spasm. This push message function was exactly what I was looking for to replace BeeJive, except this pushes it to all my devices, not just the one that has my account signed in. Neat, I thought.

This is by no means the simplest way to set up your MSN, but if you want all the prerequisites I did, it really works.

The server topology may be a bit complex, so I have (for my sins) put together a diagram of how it’s set out, along with a few screenshots.

Any questions, please feel free to ask.


New year & a new toy

Posted on January 9th, 2009 by Luke Sheldrick.
Categories: Photography.


Tuesday, 6th Jan, saw me breaking my third new year’s resolution, to watch what I spend my money on. For a while I’ve been thinking about getting into the world of DSLRs, so after much thinking about it, I ventured to the sales and got myself a Nikon D60.

I’d read lots of reviews and actually thought about buying it, rather than going on a whim, which is usually the route I would take. Managed to get a reasonably good deal, and so far I’ve been having quite a lot of fun reading up on the world of photography. I went for the D60 as it has many of the features seen on the more expensive DSLRs, but is aimed at the entry level photographer: me.

I’ve taken a few pics and will eventually upload them to flickr; it just takes even longer now, as they’re much higher res, and my home upload speed is terrible at best. I also need to master some photo editing wares, not sure which one I prefer yet.

I was, however, interested to see how my new shiny camera would compare to my compact. Whilst I was out strolling around the other day, I took the same picture of the coast with the two cameras.

Nikon D60:
Nikon D60

Olympus FE330:
Olympus FE330

The thumbnails can be quite deceiving, but the bigger photos on flickr reveal all. Both pictures were taken at the same point, facing roughly the same direction, and using the fully auto function on both.

I also had my iPhone and TyTN on me, so thought I’d take a photo with those too.

Apple iPhone:
iPhone (First Gen)

HTC Hermes (TyTN / Vario II)

Surprisingly, the iPhone, with its lower megapixel camera, actually took a better photo. The colours on the TyTN were terrible. Out of all four, the D60 showed the closest match; the other three make the day look quite dark, where it was actually quite a light day.

I need to see if I can get my iPhone to properly GPS log. I have been using InstaMapper, but can’t seem to get HoudahGeo to geotag the photos using the files; once that’s all working I will be able to geotag the photos too, which will be rather useful 🙂 Then a few more lenses, filters… oh dear, this could all be expensive, very expensive.

No doubt I’ll snap some more in the coming months. Below are a few snaps from the “Playing with my D60” album, from when I’d just got the camera out of the box:


Where am I?

Posted on December 14th, 2008 by Luke Sheldrick.
Categories: IT / Tech.


Have been playing with my iPhone this evening, looking at what’s new, and I must say I am really quite impressed with some of the software coming out. VLC Remote is especially welcome: simple but effective.

I was thinking of getting a GPS plotter / tracker, as carrying a PDA + Bluetooth receiver is slightly annoying. Cue the iPhone, which does more for me every day.

There is a cool app called InstaMapper which will plot / track where you are, and even though I have a first gen iPhone, which doesn’t have GPS, it does very well considering. Then, using their APIs, I can add it to Facebook / here should I wish. Example below…

Also found (via jailbreak / Cydia) an app called Backgrounder, so you can run processes in standby, which the nice folk at Apple don’t like. Very impressed.

