Tag Archives: Debian

Requiring both an SSH key and a YubiKey

As of OpenSSH 6.2 there is the configuration option AuthenticationMethods, which lets you require more than one authentication method to succeed. For me the obvious combination here is requiring both regular ssh key auth and a physical YubiKey, both of which need to succeed.

This post is a short description of my personal setup, focusing more on the how than on the whys.

In addition to the obvious requirement of having a YubiKey my setup depends on the following:

  • Running at least OpenSSH 6.2, which is provided by default as of Ubuntu 13.10. Debian-wise it might be helpful to know that the Wheezy backports currently contain OpenSSH 6.5.
  • The Yubico PAM module. Assuming recent enough Debian/Ubuntu that module can be found in the libpam-yubico package.
  • An API key from https://upgrade.yubico.com/getapikey/.

Here we have the relevant part of sshd_config, only enforcing the additional requirement for selected users.

### /etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
Match Group yubiusers
      PasswordAuthentication yes
      AuthenticationMethods publickey,password

Then there is the part about having PAM treat ssh passwords as YubiKey OTPs. Given a Debian style /etc/pam.d/ I am modifying /etc/pam.d/sshd to replace the include of /etc/pam.d/common-auth with an include of my own custom /etc/pam.d/yubi-auth. Note that this replaces the auth stack for sshd as a whole, so Unix passwords are no longer accepted over ssh for anyone; that is fine here, since PasswordAuthentication is off outside the Match block and the users inside it only ever type an OTP at the password prompt.

### /etc/pam.d/sshd
# @include common-auth
@include yubi-auth
### /etc/pam.d/yubi-auth
auth    required        pam_yubico.so mode=client id=NNN key=sEcREt authfile=/etc/yubimap

(No, the /etc/pam.d/yubi-auth file isn’t globally readable; it contains the API key. Also note that mode=client validates each OTP online against Yubico’s validation service, so the host needs to be able to reach it at login time.)

More generally, the PAM change amounts to replacing the auth … pam_unix.so line with an auth … pam_yubico.so line.

The specified /etc/yubimap holds the mapping between usernames and YubiKeys.

### /etc/yubimap

Finally, the result.

andreas@corrino:~$ ssh halleck.arrakis.se
Authenticated with partial success.
andreas@halleck.arrakis.se's password:
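Before adding yourself to yubiusers it is worth checking that the key you are about to depend on is actually mapped to your user, since a typo in the mapping file locks you out. The following is an added example, not pam_yubico’s own code: it replicates only the authfile lookup step (the OTP itself is still validated by the validation service), using the authfile format pam_yubico documents (user:id:id…) and its default 12-character public ID, so a full OTP is 44 modhex characters. The sample mapping and OTPs below are constructed, not the real /etc/yubimap.

```python
"""Mirror pam_yubico's authfile lookup: is this OTP's YubiKey mapped to this user?

Added example, not pam_yubico code. Assumes the default token_id_len of 12
and the documented authfile format "user:yubikey-id[:yubikey-id...]".
"""

MODHEX = "cbdefghijklnrtuv"   # the 16-letter alphabet YubiKey OTPs are written in
PUBLIC_ID_LEN = 12            # pam_yubico's default token_id_len
OTP_BODY_LEN = 32             # the encrypted part: 16 bytes as modhex


def public_id(otp: str) -> str:
    """Return the public-ID prefix of a YubiKey OTP; raise ValueError if malformed."""
    otp = otp.strip()
    if len(otp) != PUBLIC_ID_LEN + OTP_BODY_LEN:
        raise ValueError("unexpected OTP length %d" % len(otp))
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("OTP contains non-modhex characters")
    return otp[:PUBLIC_ID_LEN]


def parse_authfile(text: str) -> dict:
    """Map user -> set of allowed public IDs; blank lines and # comments are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        mapping.setdefault(user, set()).update(ids)
    return mapping


def user_allowed(user: str, otp: str, authfile_text: str) -> bool:
    """True iff the OTP's public ID is listed for `user` in the authfile."""
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in parse_authfile(authfile_text).get(user, set())


# Constructed sample authfile (not the post's real /etc/yubimap).
SAMPLE_AUTHFILE = """\
# user:yubikey-id[:yubikey-id...]
andreas:cccccccbtnhn:ccccccdvffll
backup:ccccccefghij
"""

# Constructed OTPs: only the first 12 characters matter for the mapping check.
OTP_ANDREAS = "cccccccbtnhn" + "c" * 32
OTP_UNKNOWN = "cccccccccccc" + "d" * 32

if __name__ == "__main__":
    print(user_allowed("andreas", OTP_ANDREAS, SAMPLE_AUTHFILE))  # True
    print(user_allowed("backup", OTP_ANDREAS, SAMPLE_AUTHFILE))   # False
```

To check a real key, paste the OTP it emits when touched in place of the constructed one and feed the script the contents of /etc/yubimap; the public ID is the part of the OTP that stays the same from press to press.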

Fully using apt-get download

Occasionally I need to download a Debian package or two. While I could find a download link using packages.debian.org / packages.ubuntu.com, I really do prefer using apt-get download. Besides the general pleasantness of using a command line tool, the main benefit is that apt will automatically verify the package checksum against the signed index it came from, which a plain wget of a .deb does not.

For me the most typical scenario is wanting to download a Debian package from a different release than the one I happen to run on my workstation. Instead of putting additional entries in /etc/apt/sources.list, and hence having to deal with apt pinning as well as slower regular apt-get update runs, I find it much more convenient to set up a separate apt environment.

First there is the basic directory structure.

$ mkdir -p ~/.cache/apt/{cache,lists}
$ mkdir -p ~/.config/apt/{apt.conf.d,preferences.d,trusted.gpg.d}
$ touch ~/.cache/apt/status
$ ln -s /usr/share/keyrings/debian-archive-keyring.gpg ~/.config/apt/trusted.gpg.d/
$ ln -s /usr/share/keyrings/ubuntu-archive-keyring.gpg ~/.config/apt/trusted.gpg.d/

(On an Ubuntu system the /usr/share/keyrings/debian-archive-keyring.gpg keyring is provided by the debian-archive-keyring package; on Debian, the Ubuntu one comes from the ubuntu-keyring package. Without the matching keyring apt cannot verify the signature of that distribution’s Release files, so do make sure the links point at existing files.)

Then there is the creation of the files ~/.config/apt/downloader.conf and ~/.config/apt/sources.list. They should contain something like the following.

## ~/.config/apt/downloader.conf
Dir::Cache "/home/USERNAME/.cache/apt/cache";
Dir::Etc "/home/USERNAME/.config/apt";
Dir::State::Lists "/home/USERNAME/.cache/apt/lists";
Dir::State::status "/home/USERNAME/.cache/apt/status";
## ~/.config/apt/sources.list
# Debian 6.0 (Squeeze)
deb http://ftp.us.debian.org/debian/ squeeze main contrib non-free
deb http://ftp.us.debian.org/debian/ squeeze-updates main non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free

# Debian 6.0 (Squeeze) Backports
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free

# Debian 7.0 (Wheezy)
deb http://ftp.us.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main

# Debian Unstable (Sid)
deb http://ftp.us.debian.org/debian/ sid main

# Ubuntu 12.04 (Precise)
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu precise-security main restricted universe multiverse

# Ubuntu 12.10 (Quantal)
deb http://us.archive.ubuntu.com/ubuntu/ quantal main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ quantal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu quantal-security main restricted universe multiverse

With the setup described above, apt-get download can now fetch packages from any release/codename defined in ~/.config/apt/sources.list.

$ APT_CONFIG=~/.config/apt/downloader.conf apt-get update
$ APT_CONFIG=~/.config/apt/downloader.conf apt-get download git/squeeze-backports
Get:1 Downloading git 1: [6557 kB]
Fetched 6557 kB in 2s (2512 kB/s)
$ APT_CONFIG=~/.config/apt/downloader.conf apt-get download git/precise
Get:1 Downloading git 1: [6087 kB]
Fetched 6087 kB in 3s (1525 kB/s)

Do note that apt-get download was introduced in apt 0.8.11. For Debian that translates into Wheezy (7.0) and for Ubuntu that would be as of Natty (11.04). The main difference between apt-get download and apt-get --download-only install is that the latter also does dependency resolution, and thus fetches the dependencies as well, whereas apt-get download fetches exactly the named .deb.
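The configuration above hardcodes /home/USERNAME, and a missing keyring link only shows up as a signature warning at update time. As an added example (not code from the post), the following script builds the same directory layout and downloader.conf relative to any base directory, links whichever of the two archive keyrings are actually installed, and refuses to run apt-get at all when none is, so that the signature verification which is the whole point of the exercise cannot silently degrade. The sources.list content is supplied by the caller; the short one embedded here is constructed, and the full list is the one shown above.

```python
"""Build the private apt environment from the post under an arbitrary base dir.

Added example, not the post's own code. Paths follow the post's layout:
~/.cache/apt/{cache,lists,status} and ~/.config/apt/{downloader.conf,
sources.list,apt.conf.d,preferences.d,trusted.gpg.d}.
"""
import os
import subprocess
import tempfile

KEYRINGS = (
    "/usr/share/keyrings/debian-archive-keyring.gpg",
    "/usr/share/keyrings/ubuntu-archive-keyring.gpg",
)


def setup_env(base: str, sources_list: str) -> dict:
    """Create the directories and config files; return the paths that matter."""
    cache = os.path.join(base, ".cache", "apt")
    config = os.path.join(base, ".config", "apt")
    for sub in ("cache", "lists"):
        os.makedirs(os.path.join(cache, sub), exist_ok=True)
    for sub in ("apt.conf.d", "preferences.d", "trusted.gpg.d"):
        os.makedirs(os.path.join(config, sub), exist_ok=True)

    status = os.path.join(cache, "status")
    open(status, "a").close()          # empty dpkg status: nothing is "installed"

    # Same four directives as the post, with the real base directory filled in.
    conf_text = (
        'Dir::Cache "%s";\n' % os.path.join(cache, "cache")
        + 'Dir::Etc "%s";\n' % config
        + 'Dir::State::Lists "%s";\n' % os.path.join(cache, "lists")
        + 'Dir::State::status "%s";\n' % status
    )
    conf = os.path.join(config, "downloader.conf")
    with open(conf, "w") as f:
        f.write(conf_text)
    with open(os.path.join(config, "sources.list"), "w") as f:
        f.write(sources_list)

    # Dir::Etc moves trusted.gpg.d too, so link the keyrings that exist.
    keyrings = []
    for src in KEYRINGS:
        dst = os.path.join(config, "trusted.gpg.d", os.path.basename(src))
        if os.path.exists(src) and not os.path.lexists(dst):
            os.symlink(src, dst)
        if os.path.exists(dst):
            keyrings.append(dst)

    return {"conf": conf, "conf_text": conf_text, "config_dir": config,
            "status": status, "keyrings": keyrings}


def apt_argv(conf: str, *args: str):
    """The post's `APT_CONFIG=... apt-get ...` invocation as (argv, env)."""
    env = dict(os.environ, APT_CONFIG=conf)
    return ["apt-get", *args], env


def run_apt(info: dict, *args: str) -> int:
    """Run e.g. run_apt(info, "update") or run_apt(info, "download", "git/precise")."""
    if not info["keyrings"]:
        raise RuntimeError("no archive keyring linked; apt could not verify signatures")
    argv, env = apt_argv(info["conf"], *args)
    return subprocess.call(argv, env=env)


# Constructed two-line sources.list for the example; use the full one from the post.
SAMPLE_SOURCES = """\
deb http://ftp.us.debian.org/debian/ wheezy main
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
"""


def demo(base: str = None) -> dict:
    """Create the environment under `base` (a fresh temporary directory by default)."""
    return setup_env(base or tempfile.mkdtemp(prefix="aptdl-"), SAMPLE_SOURCES)


if __name__ == "__main__":
    info = demo(os.path.expanduser("~"))
    print(info["conf_text"])
    print("keyrings linked:", info["keyrings"])
```

Once the environment exists, run_apt(info, "update") followed by run_apt(info, "download", "git/precise") is exactly the pair of commands shown above, with the .deb landing in the current directory.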

rdiff-backup bash-completion

I use rdiff-backup for most of my private backups. It’s a great piece of software. I just wish it had its own bash-completions.

(Problem solved.)

Update October 6th: Now included in Debian (sid).

My ~/private Eee folder

Inspired by the Ubuntu project Encrypted Private Directory I decided to set something similar up on my Eee PC. Being a regular FUSE user I based my solution on EncFS and pam-encfs.

First of all we create our folders. These commands should be run as your normal user. The password you give EncFS has to be the same as the one you use to log in, since pam_encfs hands your login password to encfs. This also means the volume is only as strong as your login password, and that if you ever change that password you have to change the EncFS one too (encfsctl passwd), or the automatic mount will stop working.

$ mkdir /home/U/.private /home/U/private
$ chmod 700 /home/U/.private /home/U/private
$ encfs /home/U/.private /home/U/private

$ fusermount -u /home/U/private

(By the way, I’m assuming that the user is part of the fuse group, or has proper permissions to /dev/fuse by some other means.)

With your folders in order it’s time to instruct PAM on how to automatically mount your private folder at login time. My /etc/pam.d/common-auth and /etc/security/pam_encfs.conf look like this.

auth    sufficient    pam_encfs.so
auth    required    pam_unix.so nullok_secure use_first_pass

U  /home/U/.private  /home/U/private  --public  nonempty

Using --public ensures proper file ownership, no matter whether encfs is mounted by root (gdm/X) or by your normal user. Note that with pam_encfs listed as sufficient, a successful mount is what authenticates you; pam_unix is only consulted (with the same password, via use_first_pass) when the mount fails. You might have to restart gdm, sshd, etc. before your new PAM settings take effect.

By now the folder /home/U/private/ will be mounted at login time. Everything you put in there will be encrypted into /home/U/.private/.

I guess I should mention that my Eee is a DebianEee. I have no idea how well this will work on the default Xandros Eee installation.

Debian – Ubuntu, S/Key and OPIE

I had been looking for a simple way to enable S/Key support in Linux. Once I found out that the magic keywords are OPIE and PAM, it became almost trivial to allow ssh logins using One Time Passwords (OTP).

The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (comment) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required  pam_deny.so

If you only want to allow OTP logins, this single line will do instead (the Unix password is then no longer accepted over ssh at all):

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP logins. To initialize a user, run opiepasswd (the equivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.
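To see what opiepasswd stores and what opiekey computes, here is the RFC 2289 (S/Key, OPIE) scheme with MD5 carried through on both sides. This is an added example and not OPIE’s own code; it produces the hexadecimal form only (opiekey’s six-word form is a lookup in the RFC 2289 dictionary, omitted here), lower-cases the seed before hashing as RFC 2289 specifies, and uses the RFC’s own MD5 test vector (pass phrase "This is a test.", seed TeSt, sequence 0) as its check. The OtpServer class stands in for what opiepasswd/pam_opie keep per user; its name and interface are this example’s, not OPIE’s.

```python
"""RFC 2289 one-time passwords (otp-md5), client and server side.

Added example, not OPIE code. The chain is
    otp(0) = fold(md5(seed + passphrase)),  otp(n+1) = fold(md5(otp(n)))
where fold XORs the two 8-byte halves of the digest. The server stores
otp(N) and challenges for otp(N-1): hashing the response once must give
the stored value, and the stored value then moves down the chain.
"""
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(value: bytes) -> bytes:
    """One link of the hash chain: fold(md5(value))."""
    return _fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """The one-time password for sequence number `count`."""
    value = step((seed.lower() + passphrase).encode())   # seed is case-insensitive
    for _ in range(count):
        value = step(value)
    return value


def to_hex(value: bytes) -> str:
    """opiekey's hex output form, e.g. 9E876134D90499DD."""
    return value.hex().upper()


def respond(passphrase: str, challenge: str) -> bytes:
    """What opiekey does: parse 'otp-md5 <seq> <seed>' and compute that OTP."""
    algo, seq, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError("only otp-md5 is handled here")
    return otp(passphrase, seed, int(seq))


class OtpServer:
    """Per-user state as kept by opiepasswd: seed, next sequence number, last OTP."""

    def __init__(self, passphrase: str, seed: str, initial_seq: int = 499):
        self.seed = seed
        self.seq = initial_seq
        # Only otp(initial_seq) is stored; the passphrase never is.
        self.stored = otp(passphrase, seed, initial_seq)

    def challenge(self) -> str:
        """The prompt pam_opie shows, asking for the next lower OTP."""
        return "otp-md5 %d %s" % (self.seq - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        """Accept iff one more hash of the response equals the stored value."""
        if self.seq <= 0 or step(response) != self.stored:
            return False
        self.stored, self.seq = response, self.seq - 1   # advance down the chain
        return True


if __name__ == "__main__":
    print(to_hex(otp("This is a test.", "TeSt", 0)))     # 9E876134D90499DD
    server = OtpServer("This is a test.", "TeSt", 99)
    chal = server.challenge()                             # otp-md5 98 TeSt
    print(chal, server.verify(respond("This is a test.", chal)))
```

Each accepted response becomes the new stored value, so the same OTP is rejected if replayed and an eavesdropper who captures otp(98) cannot derive otp(97) without inverting MD5; when the sequence number reaches zero the user has to re-run opiepasswd.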

Ubuntu (8.04) and OpenVZ

A new version of Ubuntu (Hardy Heron / 8.04) is now available. To my great surprise I noticed that there’s an OpenVZ kernel included in the universe repository. OpenVZ being my favourite approach to server virtualization, this is really good news.

It seems as if Ubuntu’s OpenVZ support is still somewhat experimental though. One thing is the lack of polish: /etc/sysctl.conf not being updated automatically, the absence of a downloadable template, etc. Then there’s the slightly bigger issue of my test computer not even booting off the provided OpenVZ kernel. (Bug #210672)

The alternative, for those of us who live in the world of apt and deb, is to run Debian together with the external debian.systs.org repository. While I generally prefer not to rely on third party repositories, this one has been around for a while now and seems quite reliable.

Anyhow, I’m really looking forward to seeing Ubuntu’s OpenVZ support improve. Perhaps I won’t use OpenVZ with the current version of Ubuntu, but it’s most definitely something I’ll enjoy in future versions.

Virtualized Firefox

At those times when I get paranoid about security I get especially nervous about my web browser. How can I not be, considering all the content of unknown origin it’s exposed to? Also, as the web becomes more interactive, the attack surface keeps growing.

While it’s some comfort to have Firefox run as a non-administrative user it would still feel a lot better if that user didn’t happen to be my regular user, with access to all my files, settings, keys, etc. That is why I now run my Firefox completely virtualized.

The setup I’ve initially chosen is based on having VirtualBox run a virtual Debian stable. Inside that virtual machine Firefox (Iceweasel) is launched from an unprivileged X environment. Openbox seemed like a suitable window manager.

Of course, there is still the risk of one web session being used to attack another, the issue of keeping my certificates safe, the potential of VirtualBox itself being exploitable, etc. Still, keeping your computer safe is something of a journey, and this virtualized solution is hopefully a step in the right direction.