Using Google-Authenticator for free two-factor ssh authentication

Posted on February 12th, 2012 by Luke Sheldrick.
Categories: IT / Tech.


I’d consider myself a pretty security conscious person, so most of my stuff is either firewalled off, can only be accessed via a VPN, or requires a key of some sort (ssh keys), except for one box. That one box is the weak link in the chain, but it is there out of convenience. I have a box out there I can jump to, connect in with a password, and then get to everything else. However, I hate having the weak link. The only reason I have it is that if I am somewhere where I don’t have access to, say, my laptop, I can still jump on a shared machine and connect back to my kit.

Last week I was on a course and couldn’t use my laptop, so I was using one of the training centre’s computers. Throughout the course I’d check my emails, irc, etc. Just using their standard installed putty, connecting back to my server via ssh. However, how do I know what they have installed on their hotdesk computer? For all I know, they could have a keylogger sitting there happily recording my password. (Noted: a bit paranoid.) On the way home from the course I really wasn’t happy with that risk, so when I got home I naturally changed the password and checked the logs: no access seen, so happy for now. However, I needed to find a way to fix this.

I googled about for a bit, then stumbled on Google-Authenticator. I had read about this being released for Google accounts, so two-factor auth to check your GMail etc., however what I hadn’t realised is that they had released a PAM (Pluggable Authentication Module) to work with their authenticator. Neat! I span up a VM in my lab and had a play, and it was very, very easy to get the module installed and working with SSH.

After compiling the PAM module, installing it, and updating the PAM config and SSHd’s, you’re pretty much ready to go. Users on the server have to enrol using the google-authenticator binary, which asks them a series of questions, then presents a URL which displays a QR code. Crank up the authenticator app on your favourite smartphone and it should add the OTP config and start generating OTPs. Depending on whether you chose time-based or generated OTPs, you’ll see a countdown clock (until the next code) or a button to request a new code.

There are some really good guides on setting this up, so I won’t duplicate them. I’ve got it running on my Ubuntu jump box and a few CentOS servers in my lab. It seems perfectly stable so far. What I do like about this OTP solution vs some others such as RSA is that it doesn’t need to ‘call home’, so if for some reason the server is isolated from the internet, I can still authenticate using the OTP, as it’s based on RFC 4226 so is time based.

I have read in a few places that GA and SSH keys cannot be used together, and that you should disable KeyAuthentication. Both can work alongside each other, however OpenSSH sees them as separate things. So if I try to authenticate using my private key, it will accept that and ask for no further authentication. What I think people are saying here is that if you want to still be challenged for your OTP when using your key, this won’t fit your requirements. For me, if I have my key, that is enough.

One thing I did put in place, which stops a bit of a chicken and egg situation, is that if you haven’t enrolled with google-authenticator on the jump box yet, you can still authenticate just using your password. I’ve given some people access to the jump box for various reasons, and not all of them use keys, so once I had implemented the dual-auth some of them couldn’t connect to be able to set up google-auth. Oops. To get this to work you need to add nullok to your PAM config line. I also added a string to print the code as you’re typing.

Your PAM config (eg /etc/pam.d/common-auth) should have a line like the following for this to work.
auth    required               nullok echo_verification_code

You can get the module over at Google Code. All in all, a pretty neat solution to my issue: from whatever machine I log in now, sure you can steal my password, but unless you also have my unlocked phone to generate you a new OTP, you won’t be able to get in. The weak link is now a bit stronger  :mrgreen:


KVM + KSM = Big Bag of Win

Posted on September 26th, 2011 by Luke Sheldrick.
Categories: IT / Tech.


I bought a HP Microserver a few months ago, to expand my media storage at home. HP had a promotion where you’d buy the server, and they’d give you £100 cash back. Not bad considering you can pick them up online for around £220. £29 for 8GB of DDR3 for it, and it’s quite an ample home server. I bought four 3TB disks, and have them in Raid-5 for the main storage, and I also have an E-Sata disk shelf with four more 2TB disks, also in Raid-5. The main storage array gives me around 8TB of usable storage, and the other around 5.5TB, so I have quite a bit at home to be getting on with.

A colleague at work today pointed out that HP had extended the offer until the end of September, so I thought I would pick up another one. My reasoning is they’re bloody cheap for what they are, and it’ll make HA testing in my lab a lot easier, with two identical machines.

However, I decided to see how loaded the server actually was with what I run on it. The tasks that usually run on it are backups of my various colos, streaming to the AppleTVs at home, transcoding up to 8 channels via the DVB cards, and downloading various media online. Well, basically, it isn’t breaking a sweat.

It’s currently running Ubuntu Server 11.04, which has pretty good support for KVM, so I decided to spin up a few VMs to see how it handled it. I wasn’t overly optimistic, as it has an AMD Turion™ II processor, which is basically designed for netbooks. However, after spinning up another Ubuntu Server instance, the server seemed to have no issue with this at all.

At that point I decided to clone the VM a couple of times, and then spin them all up to load test. 4 clones later, they all booted fine, and the box carried on with no real issues. I showed another colleague at work, and he asked how it would cope with Windows guests. The reason he was interested is he has just completed his MSITP qualification, and had quite a bit of difficulty running all the required server instances using his laptop and VMWare Workstation.

This evening I installed a base install of XP, and cloned that 4 times. Again, no real issues, so I decided to give every host 1G of memory (the server only has 8GB total), and see how KSM got on with the VMs. At the moment, it’s still scanning through memory pages, however it’s been running for around 20 minutes, and it’s already reclaimed 2.5GB of memory. No doubt given it some more time, it’s going to reclaim even more.

To say I am impressed by the Microserver and KVM + KSM would be an understatement. I think I’ll set up a HA cluster when I get the other server, and see how that compares to the likes of ESX.

Below is just the quick setup I was playing with this evening.


MythTV – Stuck Queue

Posted on February 3rd, 2011 by Luke Sheldrick.
Categories: IT / Tech.


I use DHCP at home, as most do, for convenience. Last week I changed the router at home to one compatible with DD-WRT as I was setting IPv6 up at home (something I should blog about later). When I set it up, until I migrated the old DHCP config over, everything on the LAN that had static DHCP allocations went a bit crazy. Once that was resolved everything went back to normal… or so I thought.

However, I’d noticed that MythTV wasn’t recording anything. When looking through, it had listed all of its encoders as remote and “currently not connected”. Interesting, I thought. It looked like somewhere along the line that box had got instead of . So it didn’t think it was, well, itself. Changing the DHCP assignments quickly resolved this.

A week later I noticed that whilst programs had been recording, they were all sitting queued in the Job Queue. Restarting the backend process didn’t help, nor did restarting the box. So I had a quick look in its DB and noticed the recordings were showing as remote, not local as they should be. Delving a bit further, I noticed that it was listing the recordings as being recorded on “” instead of “sidekick”. I’d set the domain on the router, and it was happily distributing it via DHCP.

So to resolve my issue, I changed the hostname manually, back to sidekick.

To do this on Ubuntu is pretty simple: edit
with the desired hostname and then
/etc/init.d/ restart
However, I was now stuck with all the recordings showing as being recorded on the ‘remote’ host. The only way to fix this would be to edit the database manually. This is where the less adventurous may want to stop.

So log on to your MySQL instance; it’ll prompt for MySQL’s root password.
sidekick:~# mysql -p -u root
Use MythTV’s database, named mythconverg in my setup.
use mythconverg;
Then print the structure and contents of the jobqueue table.
select * from jobqueue;
This is what I was presented with.
mysql> select * from jobqueue;
| id | chanid | starttime | inserttime | type | cmds | flags | status | statustime | hostname | args | comment | schedruntime |
| 284 | 1001 | 2011-02-03 17:11:00 | 2011-02-03 17:15:01 | 256 | 0 | 0 | 272 | 2011-02-03 17:15:53 | sidekick | | Successfully Completed. | 2011-02-03 17:15:01 |
| 283 | 1004 | 2011-02-02 22:00:00 | 2011-02-02 23:05:00 | 256 | 0 | 0 | 1 | 2011-02-03 17:25:24 | | | | 2011-02-02 23:05:00 |
| 282 | 1001 | 2011-02-02 21:00:00 | 2011-02-02 22:00:01 | 256 | 0 | 0 | 1 | 2011-02-03 17:25:24 | | | | 2011-02-02 22:00:01 |
| 279 | 1007 | 2011-02-01 21:00:00 | 2011-02-01 22:00:01 | 256 | 0 | 0 | 1 | 2011-02-03 17:25:24 | | | | 2011-02-01 22:00:01 |

So I can see that the job that came in after I changed the hostname ran fine. So what I decided to try is to update the hostname, and also the schedruntime, as it was in the past.
mysql> update jobqueue set
-> status=1,hostname="sidekick",comment="",schedruntime="2011-02-03 17:30:01" where status=1;

So this will update the hostname and schedruntime for anything with status 1 (which means queued). I ran that and restarted mythtv-backend, and the whole queue was then worked through.

Job done. Hopefully this may help someone else in a sticky position.


My ‘cloud’ IM setup

Posted on August 18th, 2010 by Luke Sheldrick.
Categories: IT / Tech.


For a long time now, I’ve had a number of different applications I use to connect to various different IM (instant messaging) mediums, such as Irssi for IRC, Pidgin for Jabber/MSN/etc on my desktops/laptops and usually BeeJive on my iPhone when I’m out and about.

This has all ‘kinda’ worked; it hasn’t been the most elegant of solutions, but it did do what I needed it to. Until you add something like the iPad to the mix.

The problem I had was that I’d be signed on to, say, MSN on my MacBook, and then decide I’ve worked enough for the day, so sign off. Then whilst watching TV in the evening, I want to send a message to someone who only uses MSN, so I grab my iPad and sign on via BeeJive. Well, that kind of works, except if I forget to sign off BeeJive, it keeps me online on their ‘cloud’, so I can connect back at any time via the iPad, but only the iPad.

If someone was to send me a message when the client is closed on the iPad, sure, it sends a push message to it, but to no other device. If I go out, and I know someone has sent me a message, I can’t connect to it via BeeJive on the iPhone, as it doesn’t keep them in sync. Same if I wanted to log in with the MacBook: I can’t see what that message was.

So I decided this doesn’t work how I want and need it to, and set about designing my own solution. The aim was to set something up running on my infrastructure, at little or no cost (not always easy when you add any iOS devices into the mix), and reliable.

What I came up with, works really well for me, so thought I’d document what I put together.

The server components run on a machine that is always on; this is the core of the solution. The underlying OS I used is a Fedora 14 box (so Fedora rawhide, the development branch). The packages I’ve used are widely available on pretty much every Linux distribution and in ports (OS X, *BSD), so the OS here really doesn’t make much of a difference.

Server side:
Irssi – a cross platform IRC client.
ZNC – a cross platform IRC bouncer.
BitlBee – a cross platform IM gateway for IRC.

Client side:
Colloquy Mobile – iOS IRC client – use this on the iPad and iPhone.
Adium (Beta) – OS X IM client – use the beta version as it supports IRC.
Pidgin – a cross platform IM client – use this on any Windows or Linux machines I happen to be on.

Again, the client side really doesn’t matter; as long as you have something you can connect to an IRC server with, it should be all good.

The setup uses BitlBee to connect to MSN, G-Talk, Jabber, Facebook chat, and pretty much any other IM network you’d want to connect into. BitlBee presents itself as an IRC server, and your contact list is all shown as a room. When you chat to someone you do so as you would traditionally. That part worked a treat.

At first I just had Irssi running with the proxy module enabled; this allows you to reconnect into your Irssi session with a local client and ‘pose’ as the remote session. This worked well, so I just left Irssi running in a remote screen session, then when I wanted to connect in and chat, I would just open, say, Pidgin locally, and it would connect to all the rooms the Irssi session had.

This was fine, however Irssi on its own doesn’t support playback. What I mean here is, if someone had sent me a DM, Irssi would have it, but when I logged in with Pidgin, Irssi wouldn’t send me a copy of that message; it only forwards new messages. For these kinds of features, I’d need to employ a bouncer, not the thuggish type that stand outside nightclubs, but an IRC bouncer.

I tried a few, but settled on ZNC. I should point out here that when using ZNC there isn’t really any need to have Irssi in the equation any more; I just kept it as I have a few custom scripts and all my historic logs are there, so I decided to keep it.

ZNC will connect to all your favourite IRC networks, keep you online, and when you connect to it with your client, it will replay all the conversations and DMs you missed since you last connected. This was exactly the functionality I was looking for.

There are also a host of other cool things you can do with ZNC, so I have mine configured to set me away everywhere 5 minutes after my client disconnects. Also, if you team Colloquy Mobile up with ZNC, you can have it push a message to your iPhone or iPad if you’re mentioned in a chat, or if someone sends you a DM. I have mine set to only do this if there are no other clients connected, else when I’m at a computer having a conversation, both my iPhone and iPad have a bit of a push message spasm. This push message function was exactly what I was looking for to replace BeeJive, except this pushes it to all my devices, not just the one that has my account signed in. Neat, I thought.

This by no means is the simplest way to set up your MSN, but if you want all the prerequisites I did, it really works.

The server topology may be a bit complex, so I have (for my sins) put together a diagram of how it’s set out, along with a few screenshots.

Any questions, please feel free to ask.


Goodbye windows, hello linux

Posted on January 26th, 2008 by Luke Sheldrick.
Categories: IT / Tech.


Well, tonight I decided that both XP and Vista (dual boot) installed on my main desktop at home were too annoying and memory hogging.

I decided to give a Linux distro a go, as I have become quite accustomed recently to the unix way of doing things (well, I have a few cent servers running, and have a macbook).

I went for Ubuntu Gutsy (7.10), and after fighting with it to play nicely with my nVidia graphics card and dual HP monitors, it seems pretty cool.

Still gotta get it to play with my web cam (shouldn’t be too difficult) and my Asus TV Tuner card, which so far doesn’t look too promising on the t’internet.

Oh and… can’t sleep again. Grr!

