Tag Archives: google

Google Authenticator (and implementing it on Linux)

A few weeks ago Google brought their two-factor auth product, Google Authenticator, to iPhone and Android devices.  (There may be other implementations they released, but those are the only ones I’ve actually touched.)  Their immediate use for it was with your Google accounts; Google Mail specifically seemed to be their target. The day after it was released, I was lucky enough to have it turned on for my accounts and I’ve been using it since then.

Not that I’m an internet security expert, but it seems a pretty straightforward software token implementation. On Google’s side, to seed the software on your smartphone, it uses a QR code. (I point this out as it’s one of the few uses of QR codes in the wild that I’ve seen that doesn’t make me want to vomit everywhere. For the record, the only other use of QR codes that I have condoned is @tcar using them to rickroll people.) They also give you a handful of one-time backup codes for you to print out and keep in your wallet in case you are without your smartphone.

In practice with Google’s accounts, when you log in, you’re additionally asked for the current code.  At that time, you can choose to have Google treat the machine you’re on as trusted for 30 days.  For a home or work machine that isn’t going anywhere, that’s probably safe, but I find myself not checking that box a lot.

The only downside is that for any application you have that interacts with a Google service but can’t do a secondary form of authentication, such as a mail/IMAP client, you’ll need to set up “application-specific passwords.” These are passwords that only that one application uses to get to your account, and that you can revoke at any time. It’s not difficult, it’s just tedious, as I ended up needing to create 10 different passwords due to the variety of applications I use that interact with Google.  However, now that they are set up, I don’t have to touch them again unless one of the passwords gets compromised.

In any case, if you depend on some Google services, and you have a smartphone, I highly recommend looking into this for your account.

After using Google Authenticator for a few days with Google, I became aware of their project on Google Code. Besides having the code for the Android and Blackberry applications, it contains code for a PAM module. That really piqued my interest as I’ve always toyed with the idea of implementing two-factor auth at home and on the server I share with my friends, but there hasn’t really been a conveniently deployable way to do it.

Here’s where the Linux part starts

There’s no code release for the PAM module yet, so you’ll need to check out a copy using Mercurial.  Once that’s downloaded, you want to make sure you have your PAM development libraries installed.  I also suggest (as the Google wiki page says) having libqrencode installed so the google-authenticator command-line setup tool can spit a QR code out at you to more easily activate it on your smartphone.  Once those are there, it’s a pretty easy compile since the Google folks seem to be developing it on Linux. If you’re on another platform, your mileage may vary.  I also see via a comment on the wiki page that someone made an Ubuntu PPA of it, so that might simplify matters as well.

By default, the PAM module is all or nothing, so either all your users need to be set up for two-factor auth or no one can be.  There is a patch that changes this behavior to skip two-factor auth for any user who hasn’t set it up yet, which would work well for a transition period. I haven’t implemented this yet, as it’s from a recent comment on the wiki page, but when I go to implement this on my shared server I’ll be making use of it.

On my Ubuntu server, once the PAM module was installed, I just added the following line to /etc/pam.d/sshd after the existing “@include common-auth”:

auth required pam_google_authenticator.so

Once that was added, I ran the google-authenticator command line tool to create the shared secret and control file for the two-factor authentication.  Once you run it you should see something like this:

Once you say yes to that question and capture the QR code with Google Authenticator on your smartphone, you’re bleepin’ golden.  (Yes, I dummied up an account to generate that, took the screenshot, and then erased that account.  I’m not completely dumb.)
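To show what the phone app and the PAM module are actually agreeing on once they share that secret, here is an added example (my own illustration, not code from Google’s project) of the standard TOTP computation Google Authenticator uses: HMAC-SHA1 over a 30-second time counter, truncated to six digits, plus the server-side check with a one-step drift window and rejection of already-used codes. The secret is the RFC 4226/6238 test-vector key, not a real one, and the persisted "last used counter" is a simplification of what a real module would have to store.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226/6238 test-vector secret ("12345678901234567890")
# in base32, the same form in which google-authenticator prints a fresh secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # b32decode wants padding
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP as the phone app computes it: counter = floor(unix_time / 30 s)."""
    return hotp(secret_b32, int(unix_time) // step)


class TotpVerifier:
    """Server-side check: accept the current 30-second step or one step either side
    (clock drift), and never accept a step at or before the last one consumed, so a
    code seen in transit cannot be reused while it is still 'current'."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret_b32, step, window
        self.last_used_counter = -1  # a real module must persist this across logins

    def verify(self, code: str, unix_time: float) -> bool:
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # already consumed, or older than a consumed step: reject
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code for the current 30-second window:", totp(RFC_TEST_SECRET_B32, time.time()))
```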

One thing you might need to do is edit your sshd configuration to make sure that ChallengeResponseAuthentication is turned on.  This allows ssh to interactively do extra challenges as required by PAM.  By default this is off in Fedora and Ubuntu.

RSS feed now less Delicious

I recently moved my blog’s RSS/ATOM feed from old FeedBurner to the new Google-flavored FeedBurner. While I was doing the switch, I looked at what FeedBurner services I am using. One of the services is called Link Splicer, which allows you to inject your links from social bookmarking sites into your feed.

Looking at how little I blog at times, those bookmarks were often the only thing making my feed grow. I also can’t get much feedback on how those links are working. So, in thinking about how I want to present myself and my site online, I’ve decided to separate the tags back out.

For all zero of you who want to follow my bookmarks just follow the feed from my delicious feed.

Google being evil? NOT

Edward Kasner, with the help of his nephew, Milton Sirotta, coined the term googol. We all know it now to be 10^100. Kasner’s relatives are supposedly upset that everyone’s favorite search engine Google is making money off the word he coined. Peri Fleisher, Kasner’s great-niece, is apparently talking to NPR and anyone who will listen about this injustice.

First note, in that second article, I love this quote: “I had heard of Google in 1988 before most people were aware of it. I didn’t know if the company was going to take off or not.” (Emphasis mine.) I’m sure this is a typing mistake, but it’s still funny to me.

Second note, this seems really silly to me. I guess the controversy comes down to these two points: 1) In Google’s favor, Google spelled it differently. 2) In the family’s favor, Google acknowledges that they based their name on this term, but as a play on the word. The family might have some merit, but once a word is released into the lexicon for general use, it’s too late. Especially a seemingly general term like googol. Unless you’ve trademarked it and defend that trademark, or something like that.

Being a geek, I knew the word googol long before Google came along. How many “normal” people did? Scrabble and Upwords players maybe. And that’s why the family is all ticked off.

Seems like a lot of sour grapes to me.