Ubuntu: Ten Minute Apache mod_authn_yubikey Install
The YubiKey, from Yubico, is a small USB device about the size of a small flash drive which emits OTP strings when its button is pressed. The device can also be reprogrammed to offer static passwords, and the new 2.0 version has a very handy management application available. The device is compatible with most recent *nix and Solaris installations, as well as MacOS and Windows.
Since receiving mine, I have tested it via several available PHP implementations, and other interfaces, e.g. the Wordpress plugin and the LastPass integration. Last night, I found a site which offers an Apache HTTP Server module for use with the usual Basic authentication. Since I wanted to use it on a production server without build tools installed, I first compiled it on a test server, and then copied the necessary files to the production box. The following are the steps I used to build and enable it.
Install the prerequisites (assuming build-essential is already installed)
- $ sudo apt-get install apache2-threaded-dev libcurl3 libcurl4-openssl-dev
Download, unpack and build:
- $ wget http://mod_authn_yubikey.coffeecrew.org/authn_yubikey.tar.bz2
- $ tar jxf authn_yubikey.tar.bz2
- $ cd authn_yubikey/
- $ apxs2 \
- -DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
- -DYK_PACKAGE_VERSION=\\\"0.1\\\" \
- -I. -Wc -c -lcurl mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo
If all has gone according to plan, the module object now exists in the .lib (dot lib) directory. If necessary, scp it to your server and continue.
Note: The following layouts are based on an Ubuntu installation, you may need to put the library where your system expects to find it.
Copy module to required directory:
- sudo cp .lib/mod_authn_yubikey.so /usr/lib/apache2/modules/
Create the basic files to allow the module to be enabled/disabled using the normal Ubuntu functionality:
Module load file (/etc/apache2/mods-available/authn_yubikey.load)
- # /etc/apache2/mods-available/authn_yubikey.load
- LoadFile /usr/lib/libcurl.so.4
- LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so
Basic module config file:
- # /etc/apache2/mods-available/authn_yubikey.conf
- <IfModule mod_authn_yubikey.c>
- AuthYubiKeyRequireSecure Off
- </IfModule>
Since this module works in a similar manner to the standard Apache Auth packages, create a htpasswd file, adding a user with key id ‘abcdeffedcba’ (first 12 characters emitted by the YubiKey), username ‘jsmith’ and password ‘mypass’. The ‘-s’ uses SHA instead of crypt():
- $ cd /etc/apache2
- $ sudo mkdir conf
- $ sudo htpasswd -csb conf/ykUserDb abcdeffedcba jsmith:mypass
- $ sudo touch conf/ykTmpDb && sudo chown www-data conf/ykTmpDb
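What the user file created above actually holds, as an added illustration (not code from the original post or from the module): the first 12 characters of a 44-character YubiKey OTP are its public id in modhex, and htpasswd -s stores the secret as {SHA} followed by base64(sha1(secret)). The placeholder id ‘abcdeffedcba’ contains an ‘a’, which is not a modhex character, so the sample uses a constructed modhex id; pairing the OTP with the Basic username and password as ‘user:pass’ is an assumption made for this example, not the module's documented behaviour.

```python
import base64
import hashlib
import hmac

# The 16 characters a YubiKey emits (modhex). An OTP is 44 of them:
# a 12-character public id followed by a 32-character encrypted token.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12
OTP_LEN = 44

def yubikey_public_id(otp):
    """Return the public id of a well-formed OTP, or None if it is malformed."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        return None
    return otp[:PUBLIC_ID_LEN]

def sha_entry(secret):
    """Hash a secret the way 'htpasswd -s' does: '{SHA}' + base64(sha1(secret))."""
    digest = hashlib.sha1(secret.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def load_user_db(text):
    """Parse 'keyid:{SHA}...' lines (as written by htpasswd) into a dict."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key_id, stored = line.split(":", 1)
            db[key_id] = stored
    return db

def check_login(db, otp, username, password):
    """Look up the OTP's public id, then compare 'user:pass' with the stored hash."""
    key_id = yubikey_public_id(otp)
    if key_id is None or key_id not in db:
        return False
    stored = db[key_id]
    if not stored.startswith("{SHA}"):
        return False
    # Constant-time comparison of the two '{SHA}base64' strings.
    return hmac.compare_digest(stored, sha_entry(f"{username}:{password}"))

# Constructed sample: a modhex public id whose stored secret is 'jsmith:mypass'.
SAMPLE_ID = "cccccbdefghi"
SAMPLE_DB = load_user_db(f"{SAMPLE_ID}:{sha_entry('jsmith:mypass')}\n")
SAMPLE_OTP = SAMPLE_ID + "c" * 32  # constructed; the token half is not verified here
```

The OTP's 32-character token half is what the module sends to the validation service; this example only shows the public-id lookup and the htpasswd hash check, which is the part the user file controls.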
Now just pick a directory or location to protect, and add a basic config section to the appropriate Apache config file:
- <Location /supersekret>
- AuthType Basic
- AuthBasicProvider yubikey
- AuthName "Please log in using your YubiKey"
- AuthYubiKeyTimeout 30
- AuthYubiKeyTmpFile conf/ykTmpDb
- AuthYubiKeyUserFile conf/ykUserDb
- AuthYubiKeyRequireSecure On
- AuthYubiKeyExternalErrorPage Off
- Require valid-user
- </Location>
Note: ‘AuthYubiKeyRequireSecure On’ ensures that only SSL (https) connections are allowed. Turn it off to use standard http.
That’s it, now just enable the module and restart Apache:
- $ sudo a2enmod authn_yubikey
- $ sudo /etc/init.d/apache2 restart
For additional information regarding the use and configuration of the module, please check the mod_authn_yubikey website – http://mod_authn_yubikey.coffeecrew.org/.
Many thanks to Jens Frey, the author of the plugin for his quick response to my request for clarification on a few points.
Twitter + ttytter + perl + Prowl = iPhone Push Goodness
Version 3.0 of the Apple iPhone OS now allows push notifications. However, for security reasons (presumably), Apple requires that push notifications must flow through their server, and are only allowed to be delivered to native applications.
Prowl is a new application which allows notifications to be pushed to the iPhone from applications like Growl for Windows or Macs. Fortunately, the developer has also implemented an API so that one can easily submit push notifications from virtually any programming language which is able to talk to it via the web.
So what? Well, as I am a big fan of Twitter, I follow enough people that I am often unable to keep up with the flow of tweets. I had resorted to following the most important posters via RSS, but now I am able to follow their accounts and have any posts they submit pushed to my iPhone as a notification.
IPv6 Difficulties
Until my VMware server machine crashed, I had a pair of IPv6 tunnels running for many months out of a pair of virtual machines. One was Ubuntu Hardy with a tunnel to Sixxs.net, the other an OpenBSD machine with a tunnel to Hurricane Electric’s Tunnelbroker service.
Wanting to get back into the IPv6 address space, I installed the aiccu client on another server and configured it for my Sixxs tunnel. This worked out of the box, but within about 36 hours it stopped working. Most frustrating was the lack of any errors in any logs and restarting the service had no effect. The tunnel interface was created with the correct IP, route showed all the correct routes, and I could ping the IPv4 address of my assigned PoP (uschi02). Then, strangely, about two hours later things started working again. Until this morning…
I awoke to find that the tunnel had again dropped overnight, and as before, nothing I do seems to be able to get the tunnel working again. The Sixxs website indicates that the PoP is up and talking to other PoPs.
So, since I also have a tunnel from Hurricane, I gave another machine a static IP and added the necessary information to /etc/network/interfaces:
# Hurricane Electric IPv6 Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    endpoint <your_assigned_IPv4_server_endpoint>
    address <local_IPv6_tunnel_endpoint>
    netmask 64
    mtu 1480
    up ip -6 route add 2000::/3 dev he-ipv6
From this point, I restarted the network service:
sudo /etc/init.d/networking restart
et voila! The tunnel was up and pingable. So I guess I will stick with the HE service for now, though if anyone has any ideas as to what the issue with Sixxs might be (when using Ubuntu Intrepid and aiccu / AYIYA), please let me know.
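An added check, not part of the original post, that parses an /etc/network/interfaces v4tunnel stanza like the one above and flags fields that cannot be right (an endpoint that is not IPv4, an address that is not IPv6, an MTU too large for 6in4). The sample stanza uses the documentation addresses 192.0.2.1 and 2001:db8::2 in place of the real tunnel endpoints.

```python
import ipaddress

# Constructed sample: the he-ipv6 stanza from the post, with documentation
# addresses (192.0.2.1, 2001:db8::2) in place of the real tunnel endpoints.
SAMPLE_STANZA = """\
# Hurricane Electric IPv6 Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    endpoint 192.0.2.1
    address 2001:db8::2
    netmask 64
    mtu 1480
    up ip -6 route add 2000::/3 dev he-ipv6
"""

def parse_iface_stanzas(text):
    """Map interface name -> {family, method, options}; options keep repeats (e.g. 'up')."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        if words[0] == "iface":
            name, family, method = words[1].split()
            current = stanzas[name] = {"family": family, "method": method, "options": {}}
        elif words[0] == "auto":
            current = None  # 'auto' lines belong to no stanza
        elif current is not None and len(words) == 2:
            current["options"].setdefault(words[0], []).append(words[1])
    return stanzas

def v4tunnel_problems(stanza):
    """List what is wrong with a 6in4 stanza; an empty list means it looks sane."""
    problems, opts = [], stanza["options"]
    if (stanza["family"], stanza["method"]) != ("inet6", "v4tunnel"):
        problems.append("not an inet6 v4tunnel stanza")
    for key, cls in (("endpoint", ipaddress.IPv4Address), ("address", ipaddress.IPv6Address)):
        if key not in opts:
            problems.append(f"missing {key}")
            continue
        try:
            cls(opts[key][0])  # endpoint must be IPv4, address must be IPv6
        except ValueError:
            problems.append(f"{key} is not an {cls.__name__[:4]} address")
    mtu = int(opts.get("mtu", ["1480"])[0])
    if mtu > 1480:  # 1500-byte link minus the 20-byte outer IPv4 header
        problems.append("mtu larger than 1480 for a 6in4 tunnel")
    return problems
```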
SpaceX experiences anomaly during launch
SpaceX have experienced what they are calling “an anomaly” during tonight’s liftoff of their Falcon I system. Early tweets on the topic indicate that there was an issue during tank separation which caused the rocket to explode. This has not been confirmed, but given the sudden loss of video from the launch vehicle, and the even more sudden termination of their webcast, it is not out of the realm of possibility.
Hopefully they have good data to help prevent this in future launches.
Embarq Customer Service: FAIL
This is why customer service personnel should 1) be located in the country whose population they are serving, or at least 2) be human, awake, and able to respond to requests from potential customers.
I am online tonight shopping for a local land-based telephone service. After spending twenty minutes looking around the Embarq website at their various plans, I still have not found out how they define “local” as in “Local phone service” which is included in their basic package. I know, it should be in the FAQ section, or somewhere else linked directly from the page describing that as included in that package, but it is not.
So I find their Customer Service page and, conveniently, they have a Sales Chat link. I fill in my question, and submit it. This is what follows:
Scott Schulz
Initial Question/Comment: Looking at your service, but unable to find out what constitutes Local service. How is that defined?
6:19:08 PM System: Jill @ EMBARQ has joined this session!
6:19:08 PM System: Connected with Jill @ EMBARQ
6:19:08 PM System: Phone Number: 919xxxxxxx
6:19:08 PM System: Hello, thank you for contacting Embarq Customer Service. Please give me one moment to pull up your account information.
6:19:21 PM Customer Scott Schulz: I do not yet have an account
6:22:33 PM Agent Jill @ EMBARQ: Can I please verify you on the account with the last four digits of your social security number or the password on your account?
6:22:46 PM Customer Scott Schulz: I do not yet have an account
6:27:08 PM Agent Jill @ EMBARQ: It seems that you have been idle for more than two minutes. I apologize for any inconvenience, but if there is no response in the next 2 minutes, this session will end. Thank you for your cooperation.
6:27:34 PM Customer Scott Schulz: I do not yet have an account, I am shopping for one
Jill @ EMBARQ: Thank you for connecting with Embarq! If you require further assistance, feel free to contact us again. You may chat live with an Embarq agent 8am to 8pm Eastern time Monday through Friday and 11am to 8pm Eastern time on Saturday. In a moment, you will be asked to take a short survey to rate your satisfaction with Embarq. Your feedback is important to us and we would appreciate you taking the time to respond. Have a great day Scott!
6:29:58 PM System: Jill @ EMBARQ has left this session!
6:29:58 PM System: The session has ended!
So much for pre-sales support… and so much for using Embarq as a carrier.
Ubuntu Hardy: The 10 Minute git Install
Since updating my laptop to Hardy Heron I had not yet installed an updated git, so I thought it would be a good time for that:
Install the usual prerequisites:
sudo apt-get install curl libcurl4-openssl-dev libexpat1-dev
Fetch, unpack, and build:
wget http://kernel.org/pub/software/scm/git/git-1.5.5.3.tar.bz2
tar jxf git-1.5.5.3.tar.bz2
cd git-1.5.5.3
make prefix=/usr all
Unfortunately, at this point I got an error I had not seen on prior installs:
* tclsh failed; using unoptimized loading
MSGFMT po/de.msg make[1]: *** [po/de.msg] Error 127
make: *** [all] Error 2
A little snooping brought me to this site. While I’m sure that his method works, it seems a bit extreme to hand-build all of the listed packages. Fortunately the answer to my problem was there:
sudo apt-get install gettext
After installing gettext, re-running ‘make prefix=/usr’ completed as expected. After it is built, it is a simple matter to install all of the new goodness:
sudo make prefix=/usr install
Running ‘git version’ should return the newly installed version. If you want to track the development version, you can now use this installed version of git to check out the devel repository and build it using the same steps.
Twhirl’ing on Linux
I’m not a huge fan of some of the things Adobe has released over the last couple years, e.g. the uber-bloated Acrobat Reader, but I do like their Air product. Sadly, until a couple weeks ago it was unavailable for linux… but that has now changed!
Adobe Labs have released an alpha of Adobe Air for linux, and tonight I finally remembered about it and downloaded it. It is closed source, but I find it useful, so I installed it. Installation is as easy as 1) download the bin file, 2) give it execute perms, and 3) run it as root so it can install systemwide.
I then proceeded to the Twhirl website, and while that site’s easy download button did not yet realize that Air was available for linux, there is a direct download link, which Firefox opened properly with Air and installed (it asked for my password again to install as root).
From there, simply click on the icon, enter your Twitter username and password, and away you go!
Upgraded and Still Running
I finally got around to fixing the molecule applets on here tonight, and while I was messing around with this and that, it was time to move this blog to Wordpress 2.5 also. At this point, it looks like everything is working as expected, but let me know if any unexpected behaviour is found.
Critical VMware Security Issue on Windows Hosts
SANS are reporting today that Core Security have uncovered a critical security issue with some VMware products when the base OS is Windows. When running the VMware product versions listed below with host shared folders enabled (and at least one configured), it is possible for malware in the virtual machines to access the full filesystem of the host OS. This leaves open the possibility of infection or data destruction on the host machine. And while most production VMware servers are running other versions, e.g. VMware Server, ESX, etc., many of us do run Player or Workstation on test machines.
The affected versions:
- VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
- VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
- VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier
Source: http://isc.sans.org/diary.html?storyid=4018
Total Lunar Eclipse
According to NASA there will be a lunar eclipse of the full moon tomorrow night. Hopefully I’ll remember to wander outside and watch it, assuming it is not raining.
From this news item on their website:
On Wednesday evening, February 20th, the full Moon over the Americas will turn a delightful shade of red and possibly turquoise, too. It’s a total lunar eclipse—the last one until Dec. 2010.
The Sun goes down. The Moon comes up. You go out and look at the sky. Observing the eclipse is that easy. Maximum eclipse, and maximum beauty, occurs at 10:26 pm EST (7:26 pm PST).