Category Archives: Ubuntu

Requiring both an SSH key and a YubiKey

As of OpenSSH 6.2 there is the configuration option AuthenticationMethods, allowing for the requirement of more than one authentication method. For me the obvious combination here is requiring both regular SSH key auth and a physical YubiKey, both of which need to succeed.

This post is a short description of my personal setup, focusing more on the how than on the whys.

In addition to the obvious requirement of having a YubiKey my setup depends on the following:

  • Running at least OpenSSH 6.2, which is provided by default as of Ubuntu 13.10. Debian-wise it might be helpful to know that the Wheezy backports currently contain OpenSSH 6.5.
  • The Yubico PAM module. Assuming recent enough Debian/Ubuntu that module can be found in the libpam-yubico package.
  • An API key from https://upgrade.yubico.com/getapikey/.

Here we have the relevant part of sshd_config, only enforcing the additional requirement for selected users.

### /etc/ssh/sshd_config
...
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
...
Match Group yubiusers
      PasswordAuthentication yes
      AuthenticationMethods publickey,password

Then there is the part about having PAM treat SSH passwords as YubiKey OTPs. Given Debian style /etc/pam.d/ I am modifying /etc/pam.d/sshd to replace the include of /etc/pam.d/common-auth with an include of my own custom /etc/pam.d/yubi-auth.

### /etc/pam.d/sshd
...
# @include common-auth
@include yubi-auth
...
### /etc/pam.d/yubi-auth
auth    required        pam_yubico.so mode=client id=NNN key=sEcREt authfile=/etc/yubimap

(No, the /etc/pam.d/yubi-auth file isn’t globally readable.)

More generally, the PAM config change is about replacing the auth … pam_unix.so line with an auth … pam_yubico.so line.

The specified /etc/yubimap holds the mapping between usernames and YubiKeys.

### /etc/yubimap
andreas:ccccccbhkljr
root:ccccccbhkljr
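As an added illustration (not code from the original post or from pam_yubico), here is a minimal model of what the authfile mapping above buys you: the OTP is only accepted for a user if its public ID prefix is one of the keys registered for that user, so a valid OTP from someone else's YubiKey cannot be used to log in as andreas. The OTP validation against the Yubico service is left out; the authfile format (user:id1:id2…), the modhex alphabet and the sample OTP are assumptions constructed for this example.

```python
"""Added example: the local username-to-YubiKey check implied by /etc/yubimap.
Only the mapping half is modelled; OTP validation itself is not shown."""
import re

MODHEX = "cbdefghijklnrtuv"                 # YubiKey OTPs use this alphabet
OTP_RE = re.compile(rf"^[{MODHEX}]{{32,64}}$")
TOKEN_LEN = 32                              # trailing encrypted part of an OTP

# Constructed sample with the same layout as /etc/yubimap in the post.
SAMPLE_AUTHFILE = """# user:yubikey_public_id[:another_id...]
andreas:ccccccbhkljr
root:ccccccbhkljr
"""
# Constructed OTP: the public ID from the map plus 32 made-up modhex chars.
SAMPLE_OTP = "ccccccbhkljr" + "tlerefhcvijlngibueiiuhkeibdrcttk"


def parse_authfile(text):
    """Parse `user:id1:id2...` lines into {user: set(ids)}.
    Blank lines and # comments are skipped; malformed lines raise."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        if not user or not ids or any(not i for i in ids):
            raise ValueError(f"authfile line {lineno}: malformed entry {raw!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def public_id(otp):
    """Return the public ID prefix of a modhex OTP, or None if it is not one
    (e.g. an ordinary password typed at the prompt)."""
    if not OTP_RE.match(otp):
        return None
    return otp[:-TOKEN_LEN]


def key_allowed_for_user(mapping, user, otp):
    """True only if the OTP's public ID is registered for exactly this user."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(user, set())


if __name__ == "__main__":
    m = parse_authfile(SAMPLE_AUTHFILE)
    print(key_allowed_for_user(m, "andreas", SAMPLE_OTP))   # True
    print(key_allowed_for_user(m, "bob", SAMPLE_OTP))       # False
```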

Finally, the result.

andreas@corrino:~$ ssh halleck.arrakis.se
Authenticated with partial success.
andreas@halleck.arrakis.se's password:
...
andreas@halleck:~$

YubiKey NEO and Ubuntu

My Christmas gift to myself this year turned out to be a YubiKey NEO.

The new feature I myself find most interesting is that the NEO can act as an OpenPGP smartcard. While there is a pretty good introduction in the Yubico blog post YubiKey NEO and OpenPGP I ran into some obstacles getting things running under Ubuntu.

First of all it doesn’t seem like the version of yubikey-personalization (1.7.0) included in Ubuntu 12.10 recognizes the YubiKey NEO. Without spending too much time on debugging, that issue was solved by upgrading to the current yubikey-personalization version, using the Yubico PPA.

Then there was the matter of getting the device permissions right, allowing my non-root user to use/modify the NEO more actively than just having it act as a keyboard (HID), spitting out one time passwords. Turns out that the /lib/udev/rules.d/70-yubikey.rules provided by the current yubikey-personalization (1.11.1) only matches the ATTRS{idProduct} “0010”, which doesn’t apply to the NEO. I solved that by copying the 70-yubikey.rules to /etc/udev/rules.d/, modifying it to instead match ATTRS{idProduct} against “0010|0111”. According to the add udev rules for YubiKey NEO bug report it probably doesn’t hurt to also throw the 0110 id into the mix.

Finally I had the fun experience of running into a limitation in the gnome-keyring’s capacity to act as gnupg-agent (Launchpad bug #884856). Any attempt to have GnuPG interact with the NEO smartcard, while using the gnome-keyring gnupg-agent, resulted in a “selecting openpgp failed: unknown command” error. Not finding any cleaner configuration option I resorted to simply removing /etc/xdg/autostart/gnome-keyring-gpg.desktop, resulting in gnome-keyring no longer hijacking the GPG_AGENT_INFO environment variable, instead letting the real gnupg-agent do its thing.

Now I only need to decide to what extent to actually use the OpenPGP smartcard feature. Yet, that’s a whole different blog post.

Linköping Launchpad workshop

Tomorrow evening, Monday that is, I will be hosting a Launchpad workshop in Linköping. It will be held together with “Dataföreningen” and their Ubuntu network. Primarily we will focus on using Launchpad for any (FOSS) project, while at the same time covering a few Ubuntu specific cases.

See Driva projekt på launchpad (Swedish) for more information.

Ubuntu 10.04, Alpha 3

Just installed the third alpha release of Ubuntu 10.04 (aka Lucid Lynx) on my netbook, an Inspiron Mini 10v. So far nothing seems terribly broken. Of course, at this point “so far” merely consists of booting the system, connecting to the wireless, firing up the web browser, etc.

When trying out the new alpha release, please consider reporting the bugs you discover. The earlier bugs are found, the greater the chance that they actually get fixed in time for the final release.

Announcing help.ubuntu-se.org

One of the projects the Swedish Ubuntu LoCo has been working on this summer is a Swedish equivalent of the web site help.ubuntu.com. Being able to give someone a direct url to the (translated) documentation can sometimes help a lot. Hence I’m now very glad to be able to announce our very own…

At this point there are a few people I would like to thank. Obviously the most important contributors are our translation team, under the lead of Daniel Nylander. Without them there wouldn’t really be much to put on the site in the first place. Secondly I would also like to mention our server administrator Lars Ljung, who gave us a framework to work on by providing the initial modifications to the original XSLT templates.

If any other LoCo would like to embark on a similar project, feel free to contact us to get some pointers. While all our work is available in the Launchpad project ubuntu-se-help, I’m not sure how much good it will do others in its current stage. Creating a cleaner, and better documented, structure is definitely on the todo list. Of course it would also be very interesting to hear from others who already do similar things, and from whom we perhaps could get some pointers ourselves.

On a completely different note, don’t forget the Ubuntu Bug Jam in Linköping now on Saturday.

Ubuntu Bug Jam in Linköping

The 3rd of October the Swedish Ubuntu LoCo will arrange a Bug Jam at Linköping University. This in correspondence with the Ubuntu Global Jam happening that weekend.

See http://ubuntu-se.org/wiki/Global_Jam for more information.

Also, happy Software Freedom Day everyone!

Hello Planet Ubuntu

Being the newly elected Team Contact for the Swedish Ubuntu LoCo I figured this would be a good time to add my blog to Planet Ubuntu and, by doing that, introduce myself to the greater Ubuntu community.

I’ve been a part of the Swedish LoCo since January 2008. Besides helping out with support, and a short tour as a forum moderator, my primary LoCo work has been done in the role of one of the server administrators. Now I look forward to a whole lot of new challenges in the role of Team Contact.

Outside the LoCo I’m part of Ubuntu Bug Control, primarily doing triage on bugs related to the server team. One of my current ambitions is to get my LoCo more involved in the triage process.

At this point I would also like to introduce my running mate, and our new Team Leader, Mathias Friman. While I’ll be the one dealing with external communications and such, he will be the one responsible for our LoCo’s internal organization.

Finally I would like to thank Urban and Vulfgar, the former Team Leaders of the Swedish LoCo, for all their hard work. Thank you!

Anyway, if you want to get in touch with the Swedish Ubuntu LoCo, feel free to drop me a line!

My rdiff-backup PPA

For my personal backups I usually prefer to use rdiff-backup.

Since current Ubuntu versions don’t provide any packages from the recent stable branch of rdiff-backup, I nowadays like to create my own debs. Also, rdiff-backup tends to work best if you have the same version on both ends of the backup.

At first I maintained my own repository, had a whole set of different pbuilder chroots, etc. While it was a good learning experience I’m not really sure it’s worth the effort for just one package. Hence I now maintain my packages in a Launchpad PPA.

In case you’d like to use my rdiff-backup packages you are very welcome to do so. They can be found in the PPA for Andreas Olsson.

EDIT: Use PPA for rdiff-backup packages (also mine) instead.

Actually, you really shouldn’t use my PPA unless: 1) You have a somewhat good reason to trust me and/or 2) You have the means to get even with me if my packages break your system.

APT::Install-Recommends

Apparently Ubuntu now has APT::Install-Recommends set to True by default. This happened in version 8.10 (Intrepid) and it means that packages marked as Recommends are now automatically installed, kinda like dependencies.

I guess that change can make sense on a desktop system, where it might be nice to by default provide the user with a few more useful features. Dealing with servers on the other hand I very much like to be in control of what is and isn’t installed.

My way of disabling the automatic installation of Recommends is to put this into /etc/apt/apt.conf.d/01ubuntu:

APT
{
    Install-Recommends "false";
};

Disclaimer: I don’t know the APT layout of Ubuntu well enough to know if that is the best place to put those settings. All I can say is that for now it seems to get the job done.

Yes, I have made a mention about it in Launchpad (#316472).

Ubuntu and OpenBSD

Ubuntu and OpenBSD, two of my favorite operating systems, both released new versions a couple of weeks ago. Happening at basically the same time it made me think about how different they are, and that being part of the reason I like them so.

On an Ubuntu system I can easily do pretty much anything I want to do on it, and Ubuntu will handle it reasonably well. It’s not always perfect, but usually it will work well enough. A lot of times good enough is really good enough.

Running OpenBSD I feel a bit more limited in the aspect of what can easily be done. On the other hand, those things which can be done easily are done really, really well. The OpenBSD servers I maintain really don’t need much maintenance once they are set up.

Different operating systems have different priorities and make different compromises. In my world that is a good thing. As long as my operating systems interoperate well, they really don’t have to be the same.