Using only a username and password for authentication is no longer secure. With user-database dumps reaching millions of exposed, albeit hashed and salted, passwords. Secure authentication should include not only something you know, but also something you have (in your pocket… always).
There have been several OTP and general 2FA solutions for Linux. From SMS (Text-me-a-password) to Yubikeys. There exists a Free (so far) TOTP (Time-Based One Time Password) solution from Google, called Google Authenticator.
It uses an App called Authenticator for iOS (and Android i presume) to “show” you the tokens, who live for 30 seconds each. There exists an even more awesome package for Debian and Ubuntu called google-authenticator, which allows you to easily set it up! The package also includes the necessary PAM module.
I have made the following steps on a Raspberry Pi, running Raspian.
- Install Google Authenticator
pi@awesomebox ~ $ sudo apt-get install libpam-google-authenticator
- Run Google Authenticator
pi@awesomebox ~ $ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: ZZZZZZZZZZZZZZZZ
Your verification code is 123456
Your emergency scratch codes are:
- Scan the QR-CODE on screen with the Authenticator App
- Answer yes (y)
Do you want me to update your "/home/pi/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. Do you want to do so (y/n) y
Do you want to enable rate-limiting (y/n) y
- Add PAM module
pi@awesomebox ~ $ sudo echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
- Enable “Challenge-Response Authentication” in SSH
pi@awesomebox ~ $ sudo vi /etc/ssh/sshd_config
Change entry ChallengeResponseAuthentication from no to yes.
- Restard SSH
pi@awesomebox ~ $ service ssh restart
- Test it out
Open up a new terminal window and ssh to your box as you normally would
user@lazybox ~ $ ssh pi@awesomebox
Password: [Enter password]
Verification code: [Enter TOTP-token from App]
Happy TOTP-ing :)
I personally check RSS-feeds every day and ever since Google Reader got discontinued a while back, I’ve found a viable alternative, The Old Reader. The service easily allowed me to import my old feeds through an OPML-file, and even gave me instructions how to export my Google Reader feeds.
The service does not (yet) offer any iPhone app, or Andriod equivalent that I know of. However, since it seems to be already optimized for mobile browsers, it is not an issue of mine. Simply create a iOS homescreen shortcut from Safari, and you’re done. Fancy web 2.0 HTML5 site-build adds a nice feel and the controls are what you would expect from an RSS reader.
Apart from the occasional slowdowns, site-downs (I hope you like cats) and internal conflicts within the site crew. I highly recommend it.
It’s nothing new, It’s not coming, it’s here and been here for a while now. Twitter, Facebook, Google+ and so on. Found their way in to our pockets, and has become -some more common than others- an integrated part of the users smartphone operating system.
Their almost instant transition from the desktop to the handheld, has switched priorities around. A simple photo with a name and author, is no longer enough. The services already giant library of hash tags has shown its worth and still grows bigger. Written with the thumbs of thousands of smartphone users.
Every mobile upload comes with GPS coordinates, upload date and the optional description and hash tags. The familiar Status Update is more than just text. More often than not, users tend to allow Location Data and perhaps add People you are with to the update.
I’m not opposed this development, quite the contrary. I just find it amazing that with such common hardware, wide software library‘s and clever use of the radio spectrum. These devices can accomplish so much, with only a set battery milliampere barely limiting the user experience.
Knitting contacts OnTheGo, Spewing infinite radio transmissions. The user seamlessly accomplish, with her handheld device.
From the predetermined consequence of an electronic slot machine, to all the advanced algorithms that recommend what entertainment to consume. Mankind’s vision of a predetermined destiny changes significantly. Rather than being of a supposed divine essence -divinity created by humans to begin with- it misfires and is rationally interpreted as man-made phenomena. This in turn can perhaps have a negative effect when culture, human activity, is involved. No futile, insensitive, code-strip should decide what I want to see and hear. Continue reading You Cannot Win – Its All In The Numbers
I have already posted a WordPress plugin recommendation on the plugin “Google Analytics for WordPress” and it works great. But there is a few things that I personally find annoying. First of all, it not only adds the Analytics code to the header, but also “Powered by blah blah blah” and I find that egotistic of the developer. Secondly it’s the general placement of the code, in the header, which means that the visitors web-browser will load that as one of the first elements of the page. Which will slow down the download of the main content, which is very important to me. Next I will show you how you can add the code manually to your WordPress footer. Continue reading How To: Add Google Analytics Code to WordPress Manually