How I rolled two factor authentication for ssh access to the server that powers this site.

Update: some details in this post are out of date. I’m not running the same hardware I was when I wrote this now, and converted to systemd.

SSh and two factors (or more) of authentication.

Best practices in IT security dictate that to harden a computer against attacks, one should require a user to enable two-factor authentication. In a two factor authentication scheme, the user who is submitting credentials to a service must submit two different forms of proof they are who they claim to be. (Note that by service, it is most often thought of as a website, but in this case the credentials are to the ssh demon). In my first blog post, we are going to explore possible setups for deploying two factors (or more) of authentication to the ssh demon, such that a user must either provide ssh key, or password. Then they must provide two-factor auth from google authenticator. My current setup is running on a Digital Ocean droplet, and is the cheapest option available (512 mb ram and 1 cpu core and 20 gb ssd storage). I am running Ubuntu 14.04 lts, and have an nginx server setup behind what I am protecting with two-factor auth. It is being used to serve the website you are reading.

Background:

In IT security, two-factor authentication is commonly known as a scheme where you harden a system by ensuring two forms of authentication. Usually you want something you know (password, SSH Key Password) and something you have (SSH key in encrypted form, google authentication codes, biometric thing, Yubikey or smart card). This is what I call the “something you know and something you have” rule. If possible, you need to (either by policy or by technical measures) force the something you have rule. It is hard to do by policy because let’s face it, people are lazy and don’t want to get their phone out to prove the something you have part.

Pre recs

You will need a Linux distribution (any UNIX should work, but I have only tested this on Ubuntu Linux). To keep consistent with what I have, disable root login over ssh, and ensure you have a firewall enabled but allow port 22 (or if you changed the port ssh is served on use that port). I also am using public key auth with an ssh key and a strong ssh key password. I also have sudo privileges on my regular account so that I can upgrade myself to root for any commands or use super user. If you disable root login without enabling sudo privileges for your account you will not be able to use the root account again and you probably don’t want to do that.

Warning:

Keep an extra ssh session open right now before you start. Do not log out of this ssh session or if you break things you may end up trapping yourself out of the server and there will be no idiot switch to enable ssh again. (Have fun using the machines real console). I had two ssh shells running, and logged out of one when I was done, and didn’t log out of that one until I knew things were working properly. Also backup the files I ask you to edit, just in case.

Let’s get started

First things first, (obviously) ssh into your server.

Required packages:

Now, get the packages for google authenticator. I assume you are not running as root and thus use sudo.

$ sudo apt-get install libpam-google-authenticator

Setting it up:

Now, run the google-authenticator command in the context of every user you want to have access to the server. I didn’t use match in the ssh demon file, and therefore, two factor is enabled for all users. There are ways to selectively use two factor for only certain users that I didn’t show. If you need to run google-authenticator as bob and you are logged in as root I think you can use the su command. Up to you to figure out that one. Alternatively, before continuing, make all users of the system run google-authenticator and follow the prompts. Do not continue until all accounts are secured with two factor.

$ google-authenticator

It asks if you want time based codes. I recommend you answer yes.

It asks if you want the config written to your ~ directory. You must answer yes.

Now it will display a qr code (maybe) a secret key, and some rescue codes.

Copy all the rescue codes down somewhere safe. Copy the secret key somewhere safe as well. Note that the rescue codes are your get out of jail free cards. If you lose them and lose your phone with google authenticator on it, you are locked out for good. (In other words, if you lose them change your secret key by running this step again).

Enter the secret key into google authenticator.

IMPORTANT: In order to make the something you have part of two-factor auth work, I really don’t recommend using a two-factor authentication app on the pc you are SSH’ing into. This basically removes the point of two-factor authentication because the something you have is gone. Use a phone or separate PC. Phones are nice because they really are something you have.

Now enter what you wish for these prompts.

When all is done, you should have a  .google_authenticator file in your user directory.

$ ls -a ~ | grep google

If it prints .google_authenticator you should be good to go.

Edit the config files

Use your favorite text editor for this.

$nano /etc/pam.d/sshd

Add this line to the file: For future reference, anything in triple quotes should be added or edited.

“””

auth required pam_google_authenticator.so

“””

One tutorial I saw said to add this to the top, but I added it to the bottom after it failed to work properly. This is just including the shared object (library) for google auth.

Now edit

/etc/ssh/sshd_config

$ nano /etc/ssh/sshd_config

If the ChallengeResponseAuthentication exists, set it to yes. Otherwise, add the appropriate line. Note it may be commented.

“””

ChallengeResponseAuthentication yes

“””

I now added this line to that same file.

“””

Authentication Methods publickey,keyboard-interactive

“””

This sets up a chain of events. If you don’t want to use a public key (I recommend public key crypto over passwords always), then don’t do this, and be aware that if someone logs into the machine with a public key, two factor auth won’t work because it is going to assume that if the user has a public key, they don’t need to enter a password and two factor token.  Log out and try logging back in and see if it worked. If not, you should not log out of the other ssh shell.

Typical chain of events:

  • User Malinda gives her username.
  • SSH shell asks her for public key challenge. Her client provides the appropriate key.
  • Since she is a good and security conscious user of her computer, she is required to type in her ssh key password before the challenge is complete.
  • Now she is asked for her account password. She provides it.
  • The system now asks her for a two factor auth token. She complies.
  • If the two above pieces of information are correct, then she is in. Otherwise, access denied, it asks for password and two factor auth again with no indication of password or auth was wrong.

Other Notes:

If you have a Yubikey, there is a Yubikey module At the Yubikey page. I haven’t played with it because I don’t have a Yubikey.

It is possible to disable password auth altogether so it just requires username>ssh_key>auth_code but I didn’t do that. To do so, see

https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

Also, if you are a company with needs for high security or have multiple (pesky) humans to enforce two factor auth with, you can better enforce the two factors of authentication if you use the Yubikey. This is because it is much harder to install an application to do the second factor of auth. A Yubikey is a physical device and thus is truly something you have.

Enjoy!

Two math problems on money and sequences.

Math problem for the mentally curious

For those who enjoy a math problem to finish off a great day on this planet, here is a problem for you. I randomly came up with it while watching the democratic debate last night (must have been bored).  It is two problems, the second one follows from the first.

Problem statement!

Suppose you owe me money from a recent lone. Your unfortunate situation lets me demand money from you in either one of two ways. You get the choice to choose one of them .

Option 1:

You pay me 1 dollar a day for $$n$$ days.

Option 2.

You pay me 0 cents today (day 1), 1 cent tomorrow (day 2), $$0+1+2$$ cents on day 3, $$0 + 1 + \dots + i + \dots +(n-1)$$ cents on day n.

The dilemma:

[1]: At what day does it become not profitable for you to pay me with option two.

[2]: Additionally, create an expression to tell me how much money I will profit if you pick option 2. Hint: Negative profits for days 1 and so on, are possible until the day when statement 1 above is true.

Problem statement!  For problem 2

Suppose you owe me money from a recent lone. Your unfortunate situation lets me demand money from you in either one of two ways. You get the choice to choose one of them .

Option 1:

You pay me $$x$$ dollar a day for $$n$$ days.

Option 2.

You pay me 0 cents today (day 1), 1 cent tomorrow (day 2), $$0+1+2$$ cents on day 3, $$0+1+ \dots +i+ \dots +(m-1)$$ cents on day m.

The dilemma:

Find an equation for x and n that calculates what day it becomes not profitable for you to pay me with option two (in other words, figure out which day $$nx = m$$. Additionally, create an expression to tell me how much money I will profit if you pick option 2. Hint: Negative profits for days 1 and so on, are possible until the day where $$mx = n$$.

Crash Hero!

NVDA Developers and bug smashers! ATTENTION! This is an important announcement from the department of release stability management. Recently, a new member joined the NVDA community. Her name will remain anonymous, but you may refer to her as the crash hero. In fact, she is the first NVDA superhero. She exhibits her superpower in the form of an NVDA Add-on that can save all your crash dumps in a folder of your choosing on your computer and she does this automatically when NVDA reboots after a crash. She even asks you what you were doing before the crash, and logs it in a messages file. With her completely accurate perception of time and date, you will always know when crashes happened, because she names each crash as a timestamped folder inside your crashes directory. Let the crash hero save you from having to remember where to find the crash dump and keep track of what exactly you were doing before a crash occurred.

Now that I’ve introduced the crash hero, on behalf of the crash hero, I would like to invite you to experience the thrill of never having to open your temp directory and frantically save the crash somewhere when a crash happens in the middle of a homework assignment or business meeting. The crash hero will save crashes in your user folder by default, but by selecting the crash settings item in your NVDA preferences menu, you can pick a custom folder to log all of your crashes in! The crash hero is here, and the crash hero is ready to help you if you are someone who regularly runs snapshots of NVDA so that you or other developers can catch bugs before they sting the general masses.

Download:

https://files.derekriemer.com/crashHero-dev.nvda-addon

Source code (The crash hero is only made stronger by others contributing):

https://github.com/derekriemer/nvda-crashHero

Changes to Googles Youtube for IOS, and how to use it with voiceover.

Youtube was recently updated, and several voiceover changes were put in. At first, you may do what I did. “oh, damn, it, google, stop, breaking, things!!!”

It turns out that google actually fixed a lot of things in this version, making the user experience more streamlined and much more efficient. They did seem to break one thing though.

The story about the video player

In this update, you will find the traditional video player, and below it the video title. It used to be there was a more actions button near there, and there was also a button for expand description. All of that is gone. instead, you’ll notice voiceover says “actions available” just like home screen or mail or a lot of other IOS apps. The available actions are as follows, as tested on a video by sciShow space.

  • Activate item <default> (Likes the current video, there is no way the user would know this without trying it out for themselves)
  • More actions: Expands the options for share, and add to list.
  • Subscribe
  • [If subscribed to current channel]: send me /stop sending me, every notification for this channel.

Now, flicking left/right will bypass everything that used to be there, allowing yourself the ability to more efficiently move by flicking through the app. This is great. They’ve also now changed the like/unlike. To like a video, press the default action, this seems to like the video. Or flick down to more actions, and you may see numbers like 8k and 2k. The first is like and the second is dislike (I think). They aren’t currently labelled with like or dislike. There’s also a handy share button. The only thing missing is a way to view the video description. There may be features I don’t know about missing though.

The videos view

The videos view used to suck. You flicked right and it said “more actions” and other things. Now, simply flicking right sends you to the next available video. Again, you can flick down or up here to do the following:

  • “Activate item” <plays the video>
  • More actions, <Bring up a flyout allowing you to  do these things:
    • Express you aren’t interested in seeing this video ever again.
    • add to watch later.
    • add to playlist.
    • share …
    • cancel <can be activated by scrubbing as well>

This enhancement is really a nice move by google, I’m glad to see this. It was confusing at first, because I didn’t realize this had changed, but now that I figured it out, it’s quite welcoming.

Indentone has been deprecated

Say bye bye to the Indentone addon for NVDA! 🙂

A few months ago, I wrote about indentone. The addon is now in NVDA 2016.4, and thus the addon is not necessary. To turn on line indent reporting with tones, select document formatting from preferences, and then select report line indentation using tones (Alt+i). The combobox has 4 options:

  •  Off: No indent is reported.
  • Speech: the old behavior. If you use indentone, you don’t want this.
  • Tones: Just report indents with tones.
  • both speech and tones: Reports with both of them.

A tab is 4 spaces, this isn’t configurable. If your indent gets beyond 72 spaces, or 18 tabs, you will hear speech not a tone. This is so that we don’t hurt your ears. For the technically curious, the work happened on ticket #5906, and #6057 was the pull request.

Musically curious people will love that each space is represented with a quarter tone, giving a tab a whole tone. The first note, (0 indents) is an A3, at 220 HZ. There are 3 octaves of indents reported, and after that, the system resorts to speech. Mixed tab/spaces will report indents, which is something to be aware of. Also, stereo has been removed, as it is unnecessary and counterproductive on users who aren’t using headphones.

With Indentone in NVDA, I wish my fellow coders a much more productive life coding. Please enjoy this feature. Thanks goes to Jamie from NV Access for helping me design the NVDA implementation, Mick from NV Access for helping me track down a bug in the NVDA implementation after I looked at it stumped on how to fix it, Chris Toth of Accessible apps for convincing me to get this thing out to as many coders as possible, and Camlorn for some help getting the correct equation for figuring out what tone to play and the volume hack in the addon but not in NVDA (Yes, I did look at how you did volume in unspoken originally). With Indentone, blind people now have a very natural way to visualize indentation in code, and the excuses about indentation being useless for blind people should be minimized since technology to avoid this has now  been mainstreamed.

Indentone, making NVDA read indents as musical spacial tones.

Attention: This addon has been deprecated. See The indentone deprecation post for details.

I have decided to make an addon that lets NVDA report indents as tones. This for now is not an official NVDA Add-on which has gone through community review (see future work for more reasons). Here is how it works. When you are reading some code or text with indents, if NVDA sees 4 spaces, or 1 tab, it plays a note. Each indent level we increase, the add-on plays the next whole tone up. Example: c3 all the way on your left (one octave below middle c), 0 tabs. D3, slightly farther right, 1 tab. for each level of indent NVDA sees, it plays a note farther to the right, and up that many levels on a whole tone scale. Then, when indent level decreases again, the notes pitch decreases, and the tone moves back to the left a bit. NVDA previously played no tone for no indent (technical reason) (fixed in indentone0.3.0).

The readme is pasted here. for those who don’t care and just want a download link, go to the download heading level 2.

How to use:

Installation

Install this addon by pressing enter or double clicking it from the file manager. Then tell NVDA to install it by following the prompts.

Using

When NVDA  would normally speak indents, this addon should activate. If it doesn’t, please contact me.
This addon will detect changes in indent level and beep to inform you that an indent occurred. When the text you are reading is more indented than the last text you were reading, it beeps farther to your right than it did before.
Also, the tone will play one whole tone higher  than the previous indent level would. For example, no tabs will be all the way to your left at one octave below a middle c. The first tab will cause NVDA to play a D3 (one step up), 2 tabs an E3 (two steps up), 3 tabs an fSharp3 (technically 3 steps), and so on.
The 3 tabs will be slightly farther right of the C, and a middle c would be much closer to the center of your body than the c below that.
When the text is less indented than it was before (assuming it was already indented), NVDA will do the opposite. For example, lowering the tone and moving it to the left. The farthest right tab level is 3 octaves higher than the no indent level.

Future work

I may play around with panning the audio dynamically. This would allow me to start the beep at your left, and move it 1 indent unit over a time of about 200 milliseconds. The advantage of this is you could judge the difference in indentation that just occurred, while in parallell hearing the code you are currently editing, even if you don’t musically easily judge whole tone steps.
I am also probably going to experiment with integrating this into NVDA core (I’m going to open up a ticket about this after finals). I spoke about Indentone at NVDACon 2016 in a session about my add-ons. I received much great feedback, and I am excited to continue work on this.

Download and links.

https://files.derekriemer.com/indentone-0.3.0.nvda-addon

Source Code:

https://github.com/derekriemer/nvda-indentone