Tag Archives: Linux

Google Authenticator (and implementing it on Linux)

A few weeks ago Google brought their two-factor auth product, Google Authenticator, to iPhone and Android devices. (There may be other implementations they released, but those are all I've actually touched.) Their immediate use for it was with your Google accounts, and Gmail specifically seemed to be their target. The day after it was released, I was lucky enough to have it turned on for my accounts and I've been using it since then.

Not that I'm an internet security expert, but it seems a pretty straightforward software token implementation: the phone holds a shared secret and generates short-lived codes from it. On Google's side, to seed the software on your smartphone with that secret, it uses a QR code. (I point this out as it's one of the few uses of QR codes in the wild that I've seen that doesn't make me want to vomit everywhere. For the record, the only other use of QR codes that I have condoned is @tcar using them to rickroll people.) They also give you a handful of one-time password codes for you to print out and keep in your wallet in case you are without your smartphone.

In practice with Google's accounts, when you log in, you're additionally asked for the current code from the app. At that time, you can choose to have Google treat the machine you're on as trusted for 30 days. For a home or work machine that isn't going anywhere, that's probably safe, but I find myself not checking that box a lot.

The only downside is that for any application that interacts with a Google service but can't do a second form of authentication, such as a mail/IMAP client, you'll need to set up "application-specific passwords." These are passwords that a single application uses to get to your account, and you can revoke each one at any time. (Each one gets in without a code, so it's worth revoking any you stop using.) It's not difficult, it's just tedious: I ended up needing to create 10 different passwords due to the variety of applications I use that interact with Google. However, now that they are set up, I don't have to touch them again unless one of the passwords gets compromised.

In any case, if you depend on some Google services, and you have a smartphone, I highly recommend looking into this for your account.

After using Google Authenticator for a few days with Google, I became aware of their project on Google Code. Besides having the code for the Android and BlackBerry applications, it contains code for a PAM module. That really piqued my interest as I've always toyed with the idea of implementing two-factor auth at home and on the server I share with my friends, but there hasn't really been a conveniently deployable way to do it.

Here's where the Linux part starts

There's no code release for the PAM module yet, so you'll need to check out a copy using Mercurial. Once that's downloaded, make sure you have your PAM development libraries installed. I also suggest (as the Google wiki page says) having libqrencode installed so the google-authenticator command line setup tool can spit a QR code out at you to more easily activate it on your smartphone. Once those are there, it's a pretty easy compile since the Google folks seem to be developing it on Linux. If you're on another platform, your mileage may vary. I also see via a comment on the wiki page that someone made an Ubuntu PPA of it, so that might simplify matters as well.

By default, the PAM module is all or nothing: with it marked required, a user who hasn't yet run google-authenticator to create a secret can't log in at all, so either every user is set up for two-factor auth or you can't turn it on for anyone. There is a patch that changes this to skip two-factor auth for users who haven't set it up yet, which would work for a transition period. I haven't implemented this yet, as it's from a recent comment on the wiki page, but when I go to implement this on my shared server I'll be making use of it.

On my Ubuntu server, once the PAM module was installed, I just added the following line to /etc/pam.d/sshd after the existing "@include common-auth", so the password is checked first and the code second:

auth required pam_google_authenticator.so

Once that was added, I ran the google-authenticator command line tool, as the user who will be logging in, to create the shared secret and the control file for two-factor authentication. When you run it you should see something like this:

Once you say yes to that question and capture the QR code with Google Authenticator on your smartphone, you’re bleepin’ golden.  (Yes, I dummied up an account to generate that, took the screenshot, and then erased that account.  I’m not completely dumb.)
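To show what the phone and the server side are each computing from that shared secret (the one created by google-authenticator and delivered by the QR code), here is an added example of the TOTP algorithm the token uses: HMAC-SHA1 over a 30-second counter, truncated to six digits, with a verifier of the kind the server side needs (one step of clock-skew tolerance, refusal of replayed codes), a one-shot check for printed emergency scratch codes, and the otpauth:// string a provisioning QR code carries. This is my own illustration, not the Google Authenticator project's code or anything from this post; the secret is the published RFC 6238 test key, and the scratch codes and label are made-up test values.

```python
"""TOTP as used by Google Authenticator (RFC 6238 on top of RFC 4226 HOTP).
Added example code; not the Google Authenticator project's own implementation."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

TIME_STEP = 30  # seconds each code is valid for
DIGITS = 6      # Google Authenticator shows six-digit codes

# Constructed test secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32_secret: str) -> bytes:
    """The QR code and the control file carry the secret in base32, usually unpadded."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding so b32decode accepts it
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(key, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(b32_secret: str, at: Optional[int] = None) -> str:
    """What the phone displays: HOTP with counter = unix_time // 30."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(b32_secret), now // TIME_STEP)


def verify(b32_secret: str, candidate: str, at: Optional[int] = None,
           window: int = 1, last_accepted_step: int = -1) -> Optional[int]:
    """Server-side check. Returns the time step the code matched (may be 0, so
    test the result with `is not None`), or None if nothing matched.

    Accepts the current step and +/- `window` neighbours to absorb clock skew,
    and rejects any step at or before `last_accepted_step`, so a code sniffed
    in transit cannot be replayed inside its 30-second lifetime. The caller is
    expected to persist the returned step as the new `last_accepted_step`."""
    now = int(time.time()) if at is None else at
    key = decode_secret(b32_secret)
    current = now // TIME_STEP
    for step in range(current - window, current + window + 1):
        if step <= last_accepted_step:
            continue
        # constant-time compare so timing doesn't leak which digits matched
        if hmac.compare_digest(hotp(key, step).encode(), candidate.encode()):
            return step
    return None


def redeem_scratch_code(scratch_codes: Set[str], candidate: str) -> bool:
    """Emergency codes are one-time: a successful match consumes the code."""
    if candidate in scratch_codes:
        scratch_codes.remove(candidate)
        return True
    return False


def otpauth_uri(label: str, b32_secret: str) -> str:
    """The string encoded in the provisioning QR code (otpauth:// key URI format)."""
    return f"otpauth://totp/{label}?secret={b32_secret}"


if __name__ == "__main__":
    print("code right now:", totp(TEST_SECRET_B32))
    print("RFC 6238 vector, t=59:", totp(TEST_SECRET_B32, at=59))  # 287082
    print(otpauth_uri("alice@example.invalid", TEST_SECRET_B32))
```

The replay check is the part people forget: a code is valid for 30 seconds plus the skew window, so a server that accepts the same code twice lets anyone who watched one login reuse it. Recording the last accepted step per user closes that gap.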

One thing you might need to do is edit your sshd configuration to make sure ChallengeResponseAuthentication is set to yes (and that UsePAM stays yes). This lets ssh run the interactive extra challenges that PAM asks for. By default ChallengeResponseAuthentication is off in Fedora and Ubuntu. Note that sshd only runs PAM's auth stack for password/keyboard-interactive logins, so a login that authenticates with a public key will not be prompted for the code.

Linux nostalgia

There is a question/thread over at Slashdot titled What did you first do with Linux? Rather than copy my reply here, I'll just link to my reply on that subject. I did have (and I mentioned it in the post) a get-off-my-lawn moment when writing it. A fun walk down memory lane, and reading the rest of the comments on Slashdot shows how relatively early I was to the game.

It also makes me want to link to Anne's idea of the best way to learn Linux.

Truth in comics

I love xkcd and its geeky geeky ways. It often captures things I've lived and/or seen. Today's is one I have lived and seen lived.

This reminds me of a post on Usenet my friend Anne made in 1998. To quote:

So I am left not bitter, just tired of this whole meeting people, emotional ties, finding a compatible person and then having them yank away.

It is just an emptiness right now.

From what I have observed from my male friends, though, this is exactly the climate required to learn Linux. Without a full and happy lovelife or distraction of soft lips and a reason to kiss them, there is enough room to grasp the intricacies and nuances of such a fine operating system.

It has already begun to happen. As I walk down the street I am not thinking of emptiness, kissing, Nathan or any other previous SOs, I am thinking of penguins, rm -rf / and lilo.

I am already convinced that Linux will dull the pain better than heroin.

I still loves me some linux hardcore, though.

Sunday fun

  1. Shutdown
  2. <install new/replacement disk>
  3. fdisk
  4. mkswap
  5. umount /boot
  6. dd
  7. e2fsck && resize2fs
  8. mount -o remount,ro /
  9. dd
  10. e2fsck && resize2fs
  11. mount -o remount,rw /
  12. pvcreate
  13. vgextend
  14. pvmove (wait a long long long time for 174 GB, especially with disk read errors, to move)
  15. vgreduce
  16. shutdown
  17. remove old and busted, put new hotness in as primary disk
  18. boot into rescue disk
  19. mount / /usr
  20. grub-install /dev/hda1
  21. ms-sys -m /dev/hda
  22. vi /etc/fstab
  23. shutdown -r now
  24. Party like it's 1999 or, if you like assembler better:   GGB