Setting up Google Auth 2FA on Debian


In a previous post, I went through setting up a Google Authenticator TOTP on a Yubikey. Let’s expand that to installing Google’s TOTP PAM Module, so we can use the Yubikey or Google Authenticator App as a TOTP based 2 factor authentication method to access our server. In this post, we’ll be setting this up on a Debian Jessie AWS server.

There are a number of ways that you can configure your  Google TOTP setup –  one is to generate a seed for your users that they themselves cannot change, and the other is to let your users generate their own seed which they can change at any time. I will cover both in this tutorial as “admin generated” and “user generated” seeds. These steps are also the same for any Debian derived distros, like Ubuntu.

Since the server was just provisioned, we’ll need to make sure it is running the latest of all installed packages. Do this as root with

root@calculon:~# apt-get update && apt-get upgrade -y

Next, we’ll install the PAM module.

root@calculon:~# sudo apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libqrencode3
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 65.8 kB of archives.
After this operation, 216 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://httpredir.debian.org/debian/ jessie/main libqrencode3 amd64 3.4.3-1 [33.8 kB]
Get:2 http://httpredir.debian.org/debian/ jessie/main libpam-google-authenticator amd64 20130529-2 [32.1 kB]
Fetched 65.8 kB in 0s (133 kB/s)
Selecting previously unselected package libqrencode3:amd64.
(Reading database ... 37159 files and directories currently installed.)
Preparing to unpack .../libqrencode3_3.4.3-1_amd64.deb ...
Unpacking libqrencode3:amd64 (3.4.3-1) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20130529-2_amd64.deb ...
Unpacking libpam-google-authenticator (20130529-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libqrencode3:amd64 (3.4.3-1) ...
Setting up libpam-google-authenticator (20130529-2) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...

Admin generated seed

First we’ll need to create a folder that will store all our Google Authenticator seed files, one per user, and set the folder’s permissions accordingly.

root@calculon:~# mkdir /var/lib/google-auth
root@calculon:~# chmod 755 /var/lib/google-auth

Using the helper app, as root, you run

root@calculon:~$ google-authenticator

You’ll then be presented with a few options:

Do you want authentication tokens to be time-based (y/n) y

Select yes. You’ll then be given a link to a QR code, and some other pieces of information. The QR code is also drawn as ASCII art in your terminal so you can scan it straight from the screen with the app. The ASCII art doesn’t copy and paste well.

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/nick@calculon%3Fsecret%3DU6K7VEMFHUP3RESD


Your new secret key is: U6K7VEMFHUP3RESD
Your verification code is 769054
Your emergency scratch codes are:
  23933334
  20976218
  18022466
  48236448
  56343656

The next part is where the seed is stored, by default it’s .google_authenticator in your $HOME, and we’ll change this later – so we’ll save it for now.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Disallowing multiple uses of the same token is up to you – I recommend disallowing the use of the same token as it helps stop replay attacks.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Answer no at this part – time skew is a pain in the ass, but the default window already accepts one token before and one after the current one, which covers the usual clock drift, so leave it at the default.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

Select yes for rate limiting. You should already have fail2ban installed as a matter of standard security, so this is making doubly sure your machine is hardened.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

The Google TOTP seed and emergency codes are stored in the seed file. The 5 numbers at the bottom of this file are your emergency codes. They are one time only codes, and the Google TOTP module will remove them on each use.

root@calculon:~$ cat .google_authenticator
U6K7VEMFHUP3RESD
" RATE_LIMIT 3 30 1470747565
" DISALLOW_REUSE
" TOTP_AUTH
  23933334
  20976218
  18022466
  48236448
  56343656

Now we need to move this file to the correct place and set the appropriate permissions. This seed will be used for the user nick, so

root@calculon:~# mv .google_authenticator /var/lib/google-auth/nick
root@calculon:~# chown root:root /var/lib/google-auth/nick
root@calculon:~# chmod 400 /var/lib/google-auth/nick
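
To make the seed file and the verification behaviour above concrete, here is an added Python sketch (my code, not the post’s and not the PAM module’s) that parses the .google_authenticator layout shown above, generates TOTP codes from the base32 seed, accepts a code within the ±1 token window the helper describes, and consumes an emergency scratch code on use. The sample file is constructed: its seed is the RFC 4226 test key rather than one from the post, so the codes it produces can be checked against the RFC’s table; the real module additionally enforces RATE_LIMIT and DISALLOW_REUSE, which this sketch only parses.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout the google-authenticator helper writes.
# The seed is the RFC 4226 test key ("12345678901234567890" in base32) so the
# codes can be checked against the RFC; the scratch codes are sample data.
SAMPLE_SEED_FILE = (
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"
    '" RATE_LIMIT 3 30 1470747565\n'
    '" DISALLOW_REUSE\n'
    '" TOTP_AUTH\n'
    "  23933334\n"
    "  20976218\n"
)


def parse_seed_file(text):
    """Split a .google_authenticator file into (seed, options, scratch_codes).

    Line 1 is the base32 seed, lines starting with '"' are module options
    (keyword followed by its arguments), and every remaining line is an
    unused emergency scratch code."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    seed = lines[0]
    options = {}
    scratch = []
    for ln in lines[1:]:
        if ln.startswith('"'):
            parts = ln[1:].split()
            if parts:
                options[parts[0]] = parts[1:]
        else:
            scratch.append(ln)
    return seed, options, scratch


def render_seed_file(seed, options, scratch):
    """Inverse of parse_seed_file, producing the same layout the module uses."""
    lines = [seed]
    for keyword, args in options.items():
        lines.append('" ' + " ".join([keyword, *args]))
    lines.extend("  " + code for code in scratch)
    return "\n".join(lines) + "\n"


def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(seed_b32, unix_time, step=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot."""
    return hotp(seed_b32, int(unix_time) // step)


def verify(seed_b32, submitted, unix_time, window=1, step=30):
    """Accept the token for the current slot and `window` slots either side.

    window=1 is the module's default of one extra token before and after;
    a larger window tolerates more clock skew at the cost of more codes
    being valid at once."""
    if not str(submitted).isdigit():
        return False
    current = int(unix_time) // step
    for slot in range(current - window, current + window + 1):
        if slot < 0:  # HOTP counters are unsigned
            continue
        if hotp(seed_b32, slot) == int(submitted):
            return True
    return False


def check_code(seed_file_text, submitted, unix_time, window=1):
    """Accept a TOTP within the window, or one unused scratch code.

    Returns (accepted, updated_file_text). A matching scratch code is
    removed from the returned text, which is what makes it one-time only;
    the caller is expected to write the new text back over the seed file."""
    seed, options, scratch = parse_seed_file(seed_file_text)
    submitted = str(submitted).strip()
    if verify(seed, submitted, unix_time, window):
        return True, seed_file_text
    if submitted in scratch:
        remaining = [c for c in scratch if c != submitted]
        return True, render_seed_file(seed, options, remaining)
    return False, seed_file_text
```

Changing the seed, as the next section does by hand, is just `render_seed_file(new_seed, options, scratch)` written back with the same 400 permissions; any code computed from the old seed then stops verifying.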

Changing Seed

Let’s say we want to edit the seed of U6K7VEMFHUP3RESD to be JBSWY3DPEHPK3PXP, which is the seed we previously set up when we configured the Yubikey. You might need to change the seed if, for example, someone’s phone is stolen that contains the seed in the Google Authenticator app or even as a matter of security policy / compliance. You can also remove the emergency codes by deleting them – they are the last 5 numbers of the seed file.

Replace the seed in the TOTP seed file and save – e.g.

root@calculon:~$ cat /var/lib/google-auth/nick
JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30 1470747565
" DISALLOW_REUSE
" TOTP_AUTH
  23933334
  20976218
  18022466
  48236448
  56343656

Now try to SSH to the machine again – you should notice that your old TOTP seed no longer works, and the new one does.

[nick@Hedonismbot ~]$ ssh nick@calculon.example.com -i Fuck_You.pem
Authenticated with partial success.
Verification code:
Verification code:
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  9 12:59:34 2016 from 89.101.22.185
nick@calculon:~$

User generated seed

Using the helper app, the user logs in and runs

nick@calculon:~$ google-authenticator

You’ll then be presented with a few options:

Do you want authentication tokens to be time-based (y/n) y

Select yes. You’ll then be given a link to a QR code, and some other pieces of information. The QR code is also drawn as ASCII art in your terminal so you can scan it straight from the screen with the app. The ASCII art doesn’t copy and paste well.

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/nick@calculon%3Fsecret%3DU6K7VEMFHUP3RESD


Your new secret key is: U6K7VEMFHUP3RESD
Your verification code is 769054
Your emergency scratch codes are:
  23933334
  20976218
  18022466
  48236448
  56343656

The next part is where the seed is stored, by default it’s .google_authenticator in your $HOME

Do you want me to update your "/home/nick/.google_authenticator" file (y/n) y

Disallowing multiple uses of the same token is up to you – I recommend disallowing the use of the same token as it helps stop replay attacks.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Answer no at this part – time skew is a pain in the ass, but the default window already accepts one token before and one after the current one, which covers the usual clock drift, so leave it at the default.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

Select yes for rate limiting. You should already have fail2ban installed as a matter of standard security, so this is making doubly sure your machine is hardened.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

The Google TOTP seed and emergency codes are stored in .google_authenticator. The 5 numbers at the bottom of this file are your emergency codes. They are one time only codes, and the Google TOTP module will remove them on each use.

nick@calculon:~$ cat .google_authenticator
U6K7VEMFHUP3RESD
" RATE_LIMIT 3 30 1470747565
" DISALLOW_REUSE
" TOTP_AUTH
  23933334
  20976218
  18022466
  48236448
  56343656

Changing Seed

Let’s say we want to edit the seed of U6K7VEMFHUP3RESD to be JBSWY3DPEHPK3PXP, which is the seed we previously set up when we configured the Yubikey. You might need to change the seed if, for example, someone’s phone is stolen that contains the seed in the Google Authenticator app or even as a matter of security policy / compliance.

Replace the seed in the .google_authenticator file and save – e.g.

nick@calculon:~$ cat .google_authenticator
JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30 1470747565
" DISALLOW_REUSE
" TOTP_AUTH
  23933334
  20976218
  18022466
  48236448
  56343656

Now try to SSH to the machine again – you should notice that your old TOTP seed no longer works, and the new one does.

[nick@Hedonismbot ~]$ ssh nick@calculon.example.com -i Fuck_You.pem
Authenticated with partial success.
Verification code:
Verification code:
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  9 12:59:34 2016 from 89.101.22.185
nick@calculon:~$

Setting up OpenSSH

We need to configure OpenSSH and PAM to allow the use of the Google Auth PAM module. Here we have two options – either we make the use of Google’s Auth module mandatory or optional.

As root, add the following to /etc/pam.d/sshd, depending on whether you want TOTP optional or mandatory, and comment out the @include common-auth line so that PAM no longer offers password authentication.

Admin Generates

TOTP Optional

# Use Google Auth -- Optional
auth required pam_google_authenticator.so nullok secret=/var/lib/google-auth/${USER} user=root
# Standard Un*x authentication.
#@include common-auth

The full file will, therefore, look like the following:

# PAM configuration for the Secure Shell service
 
# Use Google Auth -- Optional
auth required pam_google_authenticator.so nullok secret=/var/lib/google-auth/${USER} user=root
 
# Standard Un*x authentication.
#@include common-auth
 
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
 
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
 
# Standard Un*x authorization.
@include common-account
 
# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 
# Set the loginuid process attribute.
session    required     pam_loginuid.so
 
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
 
# Standard Un*x session setup and teardown.
@include common-session
 
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
 
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
 
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
 
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 
# Standard Un*x password updating.
@include common-password

TOTP Mandatory

Edit the /etc/pam.d/sshd file to include

# Use Google Auth -- Mandatory
auth required pam_google_authenticator.so secret=/var/lib/google-auth/${USER} user=root
 
# Standard Un*x authentication.
#@include common-auth

The full file will, therefore, be:

# PAM configuration for the Secure Shell service
 
# Use Google Auth -- Mandatory
auth required pam_google_authenticator.so secret=/var/lib/google-auth/${USER} user=root
 
# Standard Un*x authentication.
#@include common-auth
 
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
 
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
 
# Standard Un*x authorization.
@include common-account
 
# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 
# Set the loginuid process attribute.
session    required     pam_loginuid.so
 
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
 
# Standard Un*x session setup and teardown.
@include common-session
 
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
 
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
 
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
 
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 
# Standard Un*x password updating.
@include common-password

 

User Generates

TOTP Optional

# Use Google Auth -- Optional
auth required pam_google_authenticator.so nullok
# Standard Un*x authentication.
#@include common-auth

The full file will, therefore, look like the following:

# PAM configuration for the Secure Shell service
 
# Use Google Auth -- Optional
auth required pam_google_authenticator.so nullok
 
# Standard Un*x authentication.
#@include common-auth
 
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
 
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
 
# Standard Un*x authorization.
@include common-account
 
# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 
# Set the loginuid process attribute.
session    required     pam_loginuid.so
 
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
 
# Standard Un*x session setup and teardown.
@include common-session
 
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
 
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
 
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
 
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 
# Standard Un*x password updating.
@include common-password

TOTP Mandatory

Edit the /etc/pam.d/sshd file to include

# Use Google Auth -- Mandatory
auth required pam_google_authenticator.so
 
# Standard Un*x authentication.
#@include common-auth

The full file will, therefore, be:

# PAM configuration for the Secure Shell service
 
# Use Google Auth -- Mandatory
auth required pam_google_authenticator.so
 
# Standard Un*x authentication.
#@include common-auth
 
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
 
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
 
# Standard Un*x authorization.
@include common-account
 
# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 
# Set the loginuid process attribute.
session    required     pam_loginuid.so
 
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
 
# Standard Un*x session setup and teardown.
@include common-session
 
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
 
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
 
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
 
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 
# Standard Un*x password updating.
@include common-password

Configure OpenSSH

Next, we need to configure OpenSSH to support the Google Auth module as a form of authentication. Open up /etc/ssh/sshd_config in your favourite text editor. We’ll need to set the following:

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

and

# Allow keyboard-interactive for TOTP 
AuthenticationMethods publickey,keyboard-interactive

Our full sshd_config then reads:

# Package generated configuration file
# See the sshd_config(5) manpage for details
 
# Allow keyboard-interactive for TOTP 
AuthenticationMethods publickey,keyboard-interactive
 
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
 
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
 
# Logging
SyslogFacility AUTH
LogLevel INFO
 
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
 
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys
 
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
 
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
 
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
 
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
 
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
 
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
 
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
 
#MaxStartups 10:30:60
#Banner /etc/issue.net
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
 
Subsystem sftp /usr/lib/openssh/sftp-server
 
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no
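
Because a mistake in either file only shows up after the restart, when it can lock you out, here is an added Python check (my code, not the post’s) to run before restarting sshd. It reads sshd_config the way sshd does (first uncommented occurrence of a keyword wins) and confirms the directives set above, then confirms that /etc/pam.d/sshd has an active pam_google_authenticator.so auth rule, that @include common-auth is commented out, and, for the mandatory variant, that nullok is absent, since nullok lets a user with no seed file in without a code. The two sample excerpts and the `audit` helper name are constructed for this example; pass real paths as arguments to check the live files.

```python
import re

# Constructed excerpt of /etc/ssh/sshd_config with the directives the post sets
# (not a real file; the other stock directives are left out).
SAMPLE_SSHD_CONFIG = """# Package generated configuration file
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin without-password
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed excerpt of /etc/pam.d/sshd in the "admin generates, mandatory" form.
SAMPLE_PAM_SSHD = """# PAM configuration for the Secure Shell service
# Use Google Auth -- Mandatory
auth required pam_google_authenticator.so secret=/var/lib/google-auth/${USER} user=root
# Standard Un*x authentication.
#@include common-auth
account    required     pam_nologin.so
@include common-account
"""

# keyword -> value that must be in effect for key + TOTP login to work as described
REQUIRED_SSHD = {
    "ChallengeResponseAuthentication": "yes",
    "UsePAM": "yes",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "AuthenticationMethods": "publickey,keyboard-interactive",
}


def sshd_directives(text):
    """Map each keyword (lower-cased, as sshd matches them) to its first
    uncommented value: sshd uses the first occurrence and ignores later ones."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found


def check_sshd_config(text):
    """Return a list of mismatches; an empty list means the config is as expected."""
    got = sshd_directives(text)
    problems = []
    for keyword, want in REQUIRED_SSHD.items():
        have = got.get(keyword.lower())
        if have != want:
            problems.append(f"{keyword}: expected {want!r}, found {have!r}")
    return problems


GA_AUTH_RULE = re.compile(r"^\s*auth\s+\S+\s+pam_google_authenticator\.so\b")
COMMON_AUTH_INCLUDE = re.compile(r"^\s*@include\s+common-auth\b")


def check_pam_sshd(text, mandatory=True):
    """Return a list of problems with /etc/pam.d/sshd for the TOTP setup."""
    lines = text.splitlines()
    problems = []
    ga_rules = [ln for ln in lines if GA_AUTH_RULE.match(ln)]
    if not ga_rules:
        problems.append("no active pam_google_authenticator.so auth rule")
    elif mandatory and any(" nullok" in ln for ln in ga_rules):
        problems.append("nullok present: users without a seed file would skip TOTP")
    if any(COMMON_AUTH_INCLUDE.match(ln) for ln in lines):
        problems.append("@include common-auth still active: PAM password auth remains enabled")
    return problems


def audit(sshd_config_text, pam_sshd_text, mandatory=True):
    """Combined result: (True, []) when both files pass, else (False, problems)."""
    problems = check_sshd_config(sshd_config_text) + check_pam_sshd(pam_sshd_text, mandatory)
    return not problems, problems


if __name__ == "__main__":
    import sys
    # With two paths (e.g. /etc/ssh/sshd_config /etc/pam.d/sshd, as root) check
    # the live files; with no arguments, check the constructed samples above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            sshd_text, pam_text = f1.read(), f2.read()
    else:
        sshd_text, pam_text = SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD
    ok, problems = audit(sshd_text, pam_text)
    print("OK" if ok else "\n".join(problems))
```

Keep an existing SSH session open while you restart sshd regardless; the check catches the settings above, not a typo elsewhere in the file.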

Now all you have to do is restart openssh:

root@calculon:~# service sshd restart

Now when you SSH to the machine, you should see the following:

[nick@Hedonismbot ~]$ ssh nick@calculon.example.com -i Fuck_You.pem
Authenticated with partial success.
Verification code:
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  9 12:50:18 2016 from 89.101.22.185
nick@calculon:~$

We’ve now been forced to send our TOTP or one of our emergency tokens for access to the machine, along with our SSH key. If you don’t use SSH keys and ban passwords, you’re a fucking moron – AWS forces you to use SSH keys for a reason.

Getting Service or Asset Tags on Linux


At one point in time, you will need to find out your service or asset tag. Maybe you need to find out when your machine is out of vendor warranty, or are trying to find out what is actually in the machine. Popping the service tag into the Dell support site will tell you this… But what if you don’t have them written down?

The Dell “tools”, it should be pointed out, require you to restart the machine with a CD in the drive or to use a COM file. There is no way in hell that I’m digging out a DOS disk to try and run a COM file to get the service tag. The CD, as it turns out, is just a rebadged Ubuntu CD… Success!

So I mounted the Dell ISO, which was rather fiddly, and took a look around. A program called serviceTag was the first thing I noticed. Was this a specific Dell tool? What would happen if I ran it?

Being paranoid, I decided to see what was linked to this binary.

$ ldd serviceTag
     linux-gate.so.1 =>  (0xf773f000)
     libsmbios.so.2 => not found
     libstdc++.so.6 => /usr/lib32/libstdc++.so.6 (0xf7635000)
     libm.so.6 => /lib32/libm.so.6 (0xf760b000)
     libgcc_s.so.1 => /usr/lib32/libgcc_s.so.1 (0xf75ed000)
     libc.so.6 => /lib32/libc.so.6 (0xf7473000)
     /lib/ld-linux.so.2 (0xf7740000)

Hmmmm. Never heard of libsmbios before. A quick Google vision quest led me here.

The SMBIOS Specification addresses how motherboard and system vendors present management information about their products in a standard format by extending the BIOS interface on x86 architecture systems.

Success!

Debian (and RHEL) have these tools in their standard repos! For Debian, it’s just a matter of

apt-get install libsmbios-bin

You can then simply run

[root@calculon /home/nick]$ /usr/sbin/getSystemId
Libsmbios version:      2.2.28
Product Name:           Gazelle Professional
Vendor:                 System76, Inc.
BIOS Version:           4.6.5
System ID:              XXXXXXXXXXXXXX
Service Tag:            XXXXXXXXXXXXXX
Express Service Code:   0
Asset Tag:              XXXXXXXXXXXXXX
Property Ownership Tag:

Enabling Server Name Indication on Debian Squeeze


I don’t like waste, particularly when the resource is finite and fast diminishing… I also dislike paying for IP addresses. So here is how I enabled SNI in Apache running on Debian Squeeze. SNI allows multiple sites to host SSL content from the same IP address. Before SNI, Apache would listen for HTTPS (port 443) connections based on destination IP addresses. With SNI, Apache listens on any and all IP addresses and serves the correct content just like standard HTTP (port 80).

First off, you need to check what version of Apache and OpenSSL you are running. If the Apache version is > 2.2.12 and your OpenSSL version is > 0.9.8j – you’re grand.

Find Apache and OpenSSL version

[root@server ~]$ apachectl -v
Server version: Apache/2.2.16 (Debian)
Server built:   Nov 30 2012 08:58:36
[root@server ~]$ openssl version
OpenSSL 0.9.8o 01 Jun 2010

Edit the ports

This is where the magic happens.

[root@server ~]$ vim /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
 
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    # Here's where the magic happens
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Two things to watch here: Apache does not accept a comment after a directive on the same line (NameVirtualHost would reject the extra words), so the note sits on its own line; and the <IfModule> wrappers from the stock Debian file are what stop the two Listen 443 lines from clashing, since only one of mod_ssl and mod_gnutls is loaded.

Alter vhosts

Assuming that you are using vhosts in /etc/apache2/sites-enabled, you can alter the virtual hosts to be
<VirtualHost *:443>

Restart apache and you’re good to go.

 

Mounting Samsung Note II on Linux


I recently got a Samsung Galaxy Note II – my first brand new phone in ten years. Whilst it’s a damn big phone, and Android is new to me (although I’ve been an Android developer for a while now!), I really like it.

One thing that was bugging me is that I couldn’t mount the SD card on Ubuntu when I connected the phone to the laptop for charging.

To mount the SD card, we have to tell the USB subsystem what to do when it detects the phone.

 echo "SUBSYSTEM==\"usb\", SYSFS{idVendor}==\"04e8\", MODE=\"0666\"" >> /etc/udev/rules.d/47-Note2.rules
 chmod 755 /etc/udev/rules.d/47-Note2.rules

After you restart udev, you should be able to mount the phone as if it was any other USB device like a pendrive.

But I don’t have a Note II

Fear not, using lsusb, you can find out the idVendor string: it is the first half of the ID column (04e8 for the Samsung device in the example below), the second half being the product ID.

[nick@calculon ~]$ lsusb
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 002: ID 0424:2512 Standard Microsystems Corp. USB 2.0 Hub
Bus 003 Device 003: ID 8087:07da Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 014: ID 04e8:6860 Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II], GT-P7500 [Galaxy Tab 10.1]
Bus 002 Device 003: ID 04f2:b34c Chicony Electronics Co., Ltd
Bus 003 Device 004: ID 045e:00db Microsoft Corp. Natural Ergonomic Keyboard 4000 V1.0
Bus 003 Device 005: ID 046d:c52b Logitech, Inc. Unifying Receiver

Alternatively you can also look here

SSH and Linux Mint


I’ve recently come across an interesting bug in Linux Mint. When trying to ssh to a Mint machine from OSX, I’d get errors saying “no hostkey alg”. After going on a long Google Vision Quest, I was still none the wiser. All the tricks I’d found didn’t work at all. The solution – at least for me – seems to be to purge the running openssh that comes as part of the install, followed by reinstalling it.

Reinstalling ssh remotely, over ssh, is a foolish thing to do. If there is no other option, then run the following command in a screen.

sudo apt-get purge openssh-server && sudo apt-get install openssh-server

After the ssh server has remade its ssh keys and the daemon restarts, you should be able to ssh without any issue.

NVIDIA 304.60 and OpenSUSE 11.4


NVIDIA recently released their 304.60 drivers to the main OpenSUSE repo. Sadly, these drivers didn’t have a proper dependency for the kernel-desktop-devel in them, which broke the install and caused the machine to fail on bootup – failsafe mode worked however.

I submitted a bug report to NVIDIA and, to be fair, Daniel Dadap got back to me very quickly, but I had already solved the issue. The steps are:

  1. Reinstall kernel-devel and reboot
  2. Reinstall the nvidia kernel module ( nvidia-gfxG02-kmp-desktop ) and nvidia-computeG02
  3. Reinstall x11-video-nvidiaG02
  4. Reboot*

The system should now boot back up normally.
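Before reinstalling the kernel module, it is worth confirming that the dependency the 304.60 RPM left undeclared is actually satisfied. The check below is an added example, not from the post or from NVIDIA: it compares the running kernel’s release with the installed kernel-desktop-devel package. The version formats ("X.Y.Z-N-desktop" from uname -r and "kernel-desktop-devel-X.Y.Z-N.M.arch" from rpm -qa) are assumptions about OpenSUSE 11.4 naming, and the package listing inside the script is constructed.

```shell
#!/bin/sh
# Added example, not from the post or from NVIDIA: confirm that a
# kernel-desktop-devel package matching the running kernel is installed
# before reinstalling the nvidia kmp. Version formats are assumptions about
# OpenSUSE 11.4 naming; SAMPLE_RPM_QA is a constructed rpm -qa excerpt.

SAMPLE_RPM_QA='kernel-desktop-2.6.37.6-24.1.x86_64
kernel-desktop-devel-2.6.37.6-24.1.x86_64
x11-video-nvidiaG02-304.60-1.1.x86_64'

# Strip the flavour suffix: 2.6.37.6-24-desktop -> 2.6.37.6-24
kernel_release_prefix() {
  printf '%s\n' "$1" | sed 's/-desktop$//'
}

# Read an rpm -qa listing on stdin; succeed only if it contains a
# kernel-desktop-devel package whose version starts with the release
# prefix of the kernel version given as $1.
devel_matches_kernel() {
  prefix=$(kernel_release_prefix "$1")
  grep -qF "kernel-desktop-devel-${prefix}."
}

# Demo on the constructed listing; on a real box replace the printf with
# "rpm -qa" and the literal with "$(uname -r)".
demo() {
  printf '%s\n' "$SAMPLE_RPM_QA" | devel_matches_kernel "2.6.37.6-24-desktop"
}

# Real use (as root), followed by the reinstall of the three packages from
# the post (zypper's -f forces a reinstall of an already-installed package):
#   rpm -qa | devel_matches_kernel "$(uname -r)" \
#     || zypper install kernel-desktop-devel
#   zypper install -f nvidia-gfxG02-kmp-desktop nvidia-computeG02 x11-video-nvidiaG02
```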

The email from NVIDIA was:

Hi Nick,

The 304.60 RPMs for the NVIDIA kernel driver are prepared differently
from previous NVIDIA kernel driver RPMs. It seems that, for the
nvidia-gfxG02-kmp-desktop package, the kernel-desktop-devel package was
not declared as a dependency, which could lead to a failure to install
the kernel driver.

With a failed 304.60 kernel driver installation, and a successful
installation of the 304.60 userspace components, it's expected to see
messages like the one you reported. If this is indeed the cause of your
problem, you should be able to install the driver by first installing
the kernel-desktop-devel package manually, then attempting to reinstall
the 304.60 RPM.

Sorry for any inconvenience this may have caused.

* You can get away with the following if you don’t want to reboot so often: one reboot after the kernel update, then install the nvidia module, init 3, rmmod nvidia, modprobe nvidia, init 5.

Single command shell accounts

Filed in Linux 1 Comment

A Master padlock with “r00t” as password. (Photo credit: Wikipedia)

There are times when you will want a single purpose user account: an account that cannot get a shell, nor do anything but run a single command. This can come in useful for a few reasons. I use it to force an svn update on machines that can’t use user generated crontabs. Others have used this setup to allow multiple users to run some arbitrary command without giving them shell access.

Add the user

Add the user as you’d add any user. You’ll need a home directory, as I want to use ssh keys so I don’t need a password and it can be scripted from the master server.

 root@slave1# adduser restricteduser

Set the users password

Select a nice strong password. I like using $ pwgen 32

 root@slave1# passwd restricteduser

Copy your ssh-key to the server

Some Linux distros don’t have the following command, in this case, contact your distro mailing list or Google.

 root@master# ssh-copy-id restricteduser@slave1

Lock out the user

Lock the user’s password. This contradicts the step above, but it ensures that restricteduser can’t change their password.

 root@slave1# passwd -l restricteduser

Edit the sshd config

Depending on your system, this can be in a number of places. On Debian, it’s /etc/ssh/sshd_config. Put it at the bottom: a Match block applies from its line to the next Match line or the end of the file, so any global setting placed after it would only apply to restricteduser.

 Match User restricteduser
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /bin/foobar_command

Restart ssh

 root@slave1# service ssh restart

Add more ssh keys

Add any additional ssh keys to /home/restricteduser/.ssh/authorized_keys

Done

You can now ssh to the server as restricteduser, and foobar_command will run. After it has run, you are logged out, with any output from foobar_command sent to the terminal.
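The whole procedure above, scripted so it can be repeated on each slave, as an added example that is not the post’s own code. It assumes a Debian-style adduser, an OpenSSH that understands Match, and that the forced command already exists on the slave; "restricteduser", "/bin/foobar_command" and the key path are placeholders. The scriptable adduser --disabled-password stands in for the interactive adduser followed by passwd, and the master’s public key is copied in directly rather than with ssh-copy-id. The two helper functions are idempotent and check that the Match block really is the last one in the file, which is the reason the post puts it at the bottom.

```shell
#!/bin/sh
# Added example, not from the post: scripts the single-command account setup.
# Assumes Debian-style adduser, OpenSSH with Match support, and that the
# forced command exists on the slave. User, command and key path below are
# placeholders.
set -eu

# Emit the sshd_config Match block for USER ($1) that forces CMD ($2).
render_match_block() {
  printf 'Match User %s\n    AllowTcpForwarding no\n    X11Forwarding no\n    ForceCommand %s\n' "$1" "$2"
}

# Append the block to CONF unless a Match for USER is already present.
# Returns 1 (and changes nothing) when it is, so reruns are safe.
add_match_block() {
  conf="$1"; user="$2"; cmd="$3"
  if grep -qiE "^[[:space:]]*Match[[:space:]]+User[[:space:]]+$user([[:space:]]|\$)" "$conf"; then
    return 1
  fi
  { printf '\n'; render_match_block "$user" "$cmd"; } >> "$conf"
}

# Match applies from its line to the next Match or the end of the file, so
# the block must be the last Match in CONF; succeed only when it is.
match_is_last() {
  last=$(grep -iE '^[[:space:]]*Match[[:space:]]' "$1" | tail -n 1)
  printf '%s\n' "$last" | grep -qiE "User[[:space:]]+$2([[:space:]]|\$)"
}

# Full provisioning; run as root on the slave. PUBKEY ($3) is the master's
# public key file, copied over beforehand.
provision_restricted_user() {
  user="$1"; cmd="$2"; pubkey="$3"; conf="${4:-/etc/ssh/sshd_config}"
  adduser --disabled-password --gecos "" "$user"   # scriptable stand-in for adduser + passwd
  install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
  install -m 600 -o "$user" -g "$user" "$pubkey" "/home/$user/.ssh/authorized_keys"
  passwd -l "$user"
  add_match_block "$conf" "$user" "$cmd" || true
  match_is_last "$conf" "$user"
  sshd -t -f "$conf"      # refuse to restart on a broken config
  service ssh restart
}

# Usage (as root on the slave):
#   provision_restricted_user restricteduser /bin/foobar_command /root/master_id.pub
```

If match_is_last fails, a later Match block has taken over the end of the file; move the restricteduser block below it rather than appending a second copy.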

Ergonomic Management Keyboard

Filed in Linux Leave a comment

Recently, in work, I got a Microsoft Natural Ergonomic Keyboard 4000, aka the Ergonomic Management Keyboard. Microsoft have always made fantastically good hardware, as far as I’m concerned, and this keyboard is a delight to use. The keyboard works fantastically under Windows, as it should, being a Microsoft keyboard and all. Under Linux, however, it can be slightly more complicated.

The main issue I’ve had with the keyboard so far (apart from having to relearn how to type, of course) has been the little scrolly thing in the middle between the centre keys. Ideally, I’d like to be able to use that as a proper scroll wheel, like on a mouse.

I’ve seen various ways of enabling this, the major one being a kernel patch, as the keyboard manager is maxed out at 255 keys and the scroll wheel is bound to 418 and 419. Since I can’t patch the kernel on this machine, as it would horribly break the NVIDIA drivers (I’ve tried… Don’t), I found a very simple little hack to get the scroller working under OpenSUSE 11.4 Gnome.

Open up /lib/udev/rules.d/95-keymap.rules in your text editor of choice, and find the segment called

#
# The following are external USB keyboards
#

...

GOTO="keyboard_end"

All you need to do is put the following line between the start and end of this segment, and reboot your machine.

ENV{ID_VENDOR}=="Microsoft", ENV{ID_MODEL_ID}=="00db", RUN+="keymap $name 0xc022d up 0xc022e down"

You can replace up and down with pageup and pagedown if you’d like faster scrolling with the scroll wheel.
The top row of buttons, the grey ones, can easily be modified using the Gnome keyboard shortcuts utility. The top row of 5 buttons starts at XF86Launch5 and finishes at XF86Launch9.

Bash Russian Roulette

Filed in Linux Leave a comment

If you happen to have an annoying user, the following simple bash one-liner will help sort them out.

 echo '[ $[ $RANDOM % 6 ] == 0 ] && rm -rf ~ || echo "You live"' >> ~$VICTIM/.bashrc

Linux Nyan Cat MoTD

Filed in Linux 3 Comments

I’ve always had interesting or funny MoTD on my servers. Since my naming convention is based on Futurama characters, I’ve plenty of fun MoTDs.

There’s a project I’m working on, the acronym of which is N.Y.A.N – so of course I’ve to create a Nyan cat MOTD!

Here’s what the MoTD looks like.

On an Ubuntu machine, you can add this file to /etc/update-motd.d/ and call it something like 20-nyan. chmod 755 the file and away you go!

#!/bin/bash
LINES=24
COLUMNS=80
 
NYAN=('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbmmbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'mmbbmmbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbmmbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbb'
'bbbbbbccccccccccccccccbbbbbbbbbbbbbbbbccccccccccccccaakkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkaabbbbbbbbbbbbbbbbbb'
'ccccccccccccccccccccccccccccccccccccccccccccccccccaakkkkkkllllllllllllllllllllllllllkkkkkkaabbbbbbbbbbbbbbbb'
'ccccccccccccccccccccccccccccccccccccccccccccccccccaakkkkllllllllllllhhllllhhllllllllllkkkkaabbbbbbbbbbbbbbbb'
'cccccceeeeeeeeeeeeeeeecccccccccccccccceeeeeeeeeeeeaakkllllhhllllllllllllllllllllllllllllkkaabbbbbbbbbbbbbbbb'
'eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaakkllllllllllllllllllllaaaallllhhllllkkaabbaaaabbbbbbbbbb'
'eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaakkllllllllllllllllllaajjjjaallllllllkkaaaajjjjaabbbbbbbb'
'eeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaffffaakkllllllllllllhhllllaajjjjjjaallllllkkaajjjjjjaabbbbbbbb'
'ffffffffffffffffffffffffffffffffffffffaajjjjaaaaffaakkllllllllllllllllllaajjjjjjjjaaaaaaaajjjjjjjjaabbbbbbbb'
'ffffffffffffffffffffffffffffffffffffffaaaajjjjaaaaaakkllllllhhllllllllllaajjjjjjjjjjjjjjjjjjjjjjjjaabbbbbbbb'
'ffffffddddddddddddddddffffffffffffffffddaaaajjjjaaaakkllllllllllllllhhaajjjjjjjjjjjjjjjjjjjjjjjjjjjjaabbbbbb'
'ddddddddddddddddddddddddddddddddddddddddddaaaajjjjaakkllhhllllllllllllaajjjjjjmmaajjjjjjjjjjmmaajjjjaabbbbbb'
'ddddddddddddddddddddddddddddddddddddddddddddaaaaaaaakkllllllllllllllllaajjjjjjaaaajjjjjjaajjaaaajjjjaabbbbbb'
'ddddddiiiiiiiiiiiiiiiiddddddddddddddddiiiiiiiiiiaaaakkllllllllllhhllllaajjnnnnjjjjjjjjjjjjjjjjjjnnnnaabbbbbb'
'iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiaakkkkllhhllllllllllaajjnnnnjjaajjjjaajjjjaajjnnnnaabbbbbb'
'iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiaakkkkkkllllllllllllllaajjjjjjaaaaaaaaaaaaaajjjjaabbbbbbbb'
'iiiiiiggggggggggggggggmmiiiiiiiiiiiiiiggggggggggaaaaaakkkkkkkkkkkkkkkkkkkkaajjjjjjjjjjjjjjjjjjjjaabbbbbbbbbb'
'ggggggggggggggggggggggggggggggggggggggggggggggaajjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbb'
'ggggggggggggggggggggggggggggggggggggggggggggggaajjjjaaaabbaajjjjaabbbbbbbbbbaajjjjaabbaajjjjaabbbbbbbbbbbbbb'
'ggggggbbbbbbbbbbmmbbbbggggggmmggggggggbbbbbbbbaaaaaaaabbbbaaaaaabbbbbbbbbbbbbbaaaaaabbbbaaaabbbbbbbbbbbbbbbb'
'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
'bbbbbbbbbbbbbbbbbbbbbbmmbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')
 
declare -A COL
COL=([a]=16 [b]=24 [c]=196 [d]=82 [e]=208 [f]=226 [g]=63 [h]=200 [i]=33 [j]=246 [k]=222 [l]=213 [m]=231 [n]=210 [o]=-1)
 
declare -A PALETTE
PALETTE=([16]="0000/0000/0000"
         [24]="0000/3333/6666"
        [196]="FFFF/0000/0000"
         [82]="3333/FFFF/0000"
        [208]="FFFF/9999/0000"
        [226]="FFFF/FFFF/0000"
         [63]="6666/3333/FFFF"
        [200]="FFFF/3333/9999"
         [33]="0000/9999/FFFF"
        [246]="9999/9999/9999"
        [222]="FFFF/CCCC/9999"
        [213]="FFFF/9999/FFFF"
        [231]="FFFF/FFFF/FFFF"
        [210]="FFFF/9999/9999")
 
for color in ${COL[@]}; do
 echo -en "\033]4;$color;rgb:${PALETTE[$color]}\033\\"
done
 
PIXEL=" "
SAVECURSOR=$'\0337'
HIDECURSOR=$'\033[?25l'
RESTORECURSOR=$'\0338\033[?12;25h'
QUERYCURSOR=$'\033[6n'
 
YOFFSET=$(((28-LINES)/2))
YOFFSET=$[ $YOFFSET > 0 ? $YOFFSET+1 : 0 ]
XOFFSET=$((108-COLUMNS))
XOFFSET=$[ $XOFFSET > 0 ? $XOFFSET : 0 ]
CHAR+=${PIXEL}

CACHE=$(mktemp -d --suffix __NYANCAT)

trap 'exit 1' INT TERM
trap 'rm -rf "${CACHE}"; echo -n $RESTORECURSOR' EXIT

#echo -n $HIDECURSOR

# Drawing loop: each character of a row selects a background colour from COL
# and is drawn as one PIXEL; rows above YOFFSET and columns left of XOFFSET
# are dropped so the 108x28 picture fits the terminal. (The body of this loop
# was lost when the page was extracted and has been reconstructed.)
for ((y=YOFFSET; y<${#NYAN[@]}; y++)); do
  row=${NYAN[y]}
  for ((x=XOFFSET; x<${#row}; x++)); do
    echo -en "\033[48;5;${COL[${row:x:1}]}m${PIXEL}"
  done
  echo -e "\033[0m"
done

# Ask the terminal where the cursor ended up (the reply is ESC[row;colR).
stty -echo -icanon
echo -n $QUERYCURSOR >&2
read -s -dR POS
stty echo icanon

CURSORHOME=$((${POS:2:${#POS}-4} - y))
echo -n $SAVECURSOR
echo -n $RESTORECURSOR

Edit: A few people have said they cannot get the file to work. 11-nyan can be used instead.
