More Zonkyness

Blog

  • Tinkering With The Yubikey

    This is a series of working notes on the Yubikey which is an interesting device used to supplement passwords to make two-factor authentication easier. It is essentially a hardware security token device that pretends to your computer to be a keyboard and enters a one-time only password that can be used to verify your identity – much like a password, but much more secure.

    Well perhaps "easier" only if someone does all the configuration for you, although I am inclined to look a bit deeper into such things for my own amusement. My own key is a Yubikey NEO, but much of what follows also applies to the other Yubikey models.

    Observations

    This is the spot for observations on using the Yubikey over time.

    1. For some reason the Yubikey doesn't always "light up" on my workstation at work. It works fine at home – the green light always turns on ready for a key press – but at work it often seems to flicker and stay out. Not sure what causes this, but it always seems to be persistent when you really need to use it! 

    Configuration

    … is to some extent unnecessary, but under Linux there are three bits of software that can be installed to configure additional features of the Yubikey :-

    1. The library: https://developers.yubico.com/libykneomgr/
    2. The command-line tool: https://developers.yubico.com/yubikey-personalization/
    3. The GUI: https://developers.yubico.com/yubikey-personalization-gui/

    All three build easily from the instructions given. Just make sure to remember to copy the udev rules from yubikey-personalization to /etc/udev/rules.d/ and run udevadm trigger to enable them. This will make sure you can access your yubikey as a console user, so you don't have to become root.

    Enabling Linux Authentication

    This was all done with a Linux container (LXC), so it could be relatively easily thrown away and restarted. The first step was to install the relevant PAM module :- 

    # apt-get install libpam-yubico

    This pulls in a ton of other required packages.

    The next is to grab the unchanging part of your Yubikey token. This is the first 12 characters of what you get when you activate it. Whilst you have it to hand, now would be a good time to create the mapping file – /etc/yubikey-mappings :- 

    # Yubikey ID mappings
# Format:
#       user-id:yubikey-id:yubikey-id:...
# (But usually only one)
user-id:ccccccsomeid

    Next step is to add a little something to one of the pam files. For testing (assuming you have console) access, the relevant file might be /etc/pam.d/sshd but once you have things working, /etc/pam.d/common-auth might be a better choice. Right at the top of the file add :- 

    auth       sufficient   pam_yubico.so debug id=16 authfile=/etc/yubikey-mappings
#       Added for Yubikey authentication.

    Because these things always have problems when you first try them, it makes sense to set up the debugging log :- 

    touch /var/run/pam-debug.log
chmod a+w /var/run/pam-debug.log

    At this point, assuming everything works as expected :-

    1. You will be able to authenticate using ssh using either your Yubikey, or your password.
    2. This assumes your server is able to communicate with the Yubi Cloud.

    There are further improvements to be made … and we'll get to those shortly.

    But That's Not Two-Factor Authentication!

    Indeed not, so we'll fix that right now.

    Firstly remove the line we previously added to /etc/pam.d/sshd; because of the way that Debian configures pam, it is less disruptive (i.e. fewer changes) to make the change to /etc/pam.d/common-auth :- 

    auth       requisite     pam_yubico.so id=16 debug authfile=/etc/yubikey-mappings
#       Yubikey configuration added.
auth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass

    But before restarting sshd (you have been doing that haven't you?), you will need to add a Yubikey ID to /etc/yubikey-mappings for the root user.

    At this point, you will only be able to authenticate if you enter your username, followed by both your Unix password and activate your Yubikey at the password prompt. Entering both at the same prompt is a little weird especially when you consider that there is no indications anywhere that Yubikey authentication is required.

    But we can fix that. First of all, one small change to common-auth – remove the use_first_pass phrase.

    Next edit the file /etc/ssh/sshd_config and find the ChallengeResponseAuthentication phrase and set to "Yes" :- 

    ChallengeResponseAuthentication yes

    And after a quick reboot, the log in process works in a sensible way :- 

    » ssh chagers
Yubikey for `mike': (Press YubiKey)
Password: (Enter Unix password)
Linux chagers 3.14-0.bpo.1-amd64 #1 SMP Debian 3.14.12-1~bpo70+1 (2014-07-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 15:37:05 2014
...
</pre>

  • Special Treatment for Former Members of the Armed Services?

    Yes.

    But why? Apparently there is something special about serving in the armed forces – special enough for the mythical (it has no legal basis and so is in fact not a covenant at all) Military Covenant to be a popular phrase. And even a factor in determining government policy.

    But why does someone who has served 20 years in the Army catering corp deserve more and/or better services than an NHS nurse who has “fought in the trenches” (including volunteering for work in the Ebola-stricken countries in West Africa)? And who is most likely to suffer from PTSD? A nurse up to his arms in blood and gore? Or an Army cook who is up to her arms in spuds?

    And when you come down to it, anyone who suffers PTSD – even a banker who has smashed up his Ferrari – needs special treatment.

    Perhaps those who have been in the armed services should be first in the queue for specialist treatments but those programmes should be open to all who need them.

    And perhaps the “Military Covenant” should be extended into a “Public Services Covenant” to include those other public servants whose jobs put them in harm’s way – the police, fireman, ambulance drivers, nurses, etc.

  • Muting Smartphones

    Today I happened to come across a story about a priest who uses a signal blocker to stop phones from shrieking, bleeping, or blurting during church services. Very possibly illegal, although it’s quite understandable.

    After all a church service is just like a theatrical performance and the distraction of phones is likely to put people off. We need more quiet at times – such as in the theatre, church, the quiet carriage in a train, or even a meeting room.

    But a signal blocker is going too far – if there is an emergency, we need to be able to use our phones. And asking people does not work – there are always a few people who won’t bother to silence their phones. Not necessarily because they don’t care, but sometimes simply because they don’t think of it.

    Rather than blocking phones, we need to tell phones to silent themselves automatically.

    And it could be quite easy to do. In quiet zones, simply broadcast a well accepted SSID (“QUIETPLACE” perhaps?) and configure phones to automatically mute themselves when they see such an SSID. It would require support from phone manufacturers as most of us wouldn’t bother if we have to set something up – or even just install an App to do it, but it’s certainly possible.

  • Robin Knox Johnston: He’s Old. So What?

    Recently, Robin Knox Johnston took part in a sailing race, and the BBC spent some time interviewing him and highlighting his progress throughout the race.

    Fair enough, but why was it necessary to keep banging on about how old he is? Yes he’s old enough – after all he completed his around the world voyage in the year I was born – but it’s probably the least interesting thing about him and what he was doing.

    (Image obtained from http://www.robinknox-johnston.co.uk/)

    In practically every interview with him the BBC did, his age came up … and many times it came up more than once. Anyone would think the BBC is under the impression that old people should be sitting in a rocking chair with a blanket on their knees drooling gently.

     

  • NATS Software Failure: Old Code or Buggy Code?

    Anyone watching mainstream media for news about the software failure at NATS can be forgiven for thinking that old software is responsible for the problem that occurred recently causing many flight delays. The mainstream media seems to have clung onto the idea that the code is old and decided to blame that for the problems. You do have to wonder where they got these ideas from given that most journalists have the technology qualifications of a gnat. Perhaps from industry insiders who have a vested interest in selling new products perhaps?

    Anyone who has written code can tell you that it is not old code that is responsible for software failures, but buggy code. Old code can be buggy, but so can new code. In fact as there has been less time to spend debugging it, new code is likely to have many more problems than old code.

    That sounds like a recipe for leaving old code well alone. But it isn’t really. Old code needs to be updated and refreshed on a continual basis but not replaced in a “big bang” approach just because it is old.

    Small changes and not big changes. Small changes are easier to do, quicker to do, and it’s feasible during testing to say that the small change is rubbish and to throw it away.

    The more important a system is, the more important it is to evolve it towards the future rather than simply replace it with something newer and shinier.

    And letting mainstream journalists dictate your IT strategy is always a mistake.