How To: TOTP 2FA Linux SSH Using Google-Authenticator

Using only a username and password for authentication is no longer secure, with user-database dumps reaching millions of exposed, albeit hashed and salted, passwords. Secure authentication should include not only something you know, but also something you have (in your pocket… always).

There have been several OTP and general 2FA solutions for Linux, from SMS (text-me-a-password) to YubiKeys. There is also a free (so far) TOTP (Time-Based One-Time Password) solution from Google, called Google Authenticator.

It uses an app called Authenticator for iOS (and Android, I presume) to “show” you the tokens, which live for 30 seconds each. There is an even more awesome package for Debian and Ubuntu called google-authenticator, which allows you to easily set it up! The package also includes the necessary PAM module.

I performed the following steps on a Raspberry Pi running Raspbian.

  1. Install Google Authenticator
    pi@awesomebox ~ $ sudo apt-get install libpam-google-authenticator
  2. Run Google Authenticator
    pi@awesomebox ~ $ google-authenticator
    Do you want authentication tokens to be time-based (y/n) y
    ...BIG
    ......FANCY
    .........QR-CODE
    Your new secret key is: ZZZZZZZZZZZZZZZZ
    Your verification code is 123456
    Your emergency scratch codes are:
    11111111
    22222222
    33333333
    44444444
    55555555
  3. Scan the QR-CODE on screen with the Authenticator App
    Scanning...
  4. Answer yes (y)
    Do you want me to update your "/home/pi/.google_authenticator" file (y/n) y
    Do you want to disallow multiple uses of the same authentication token? (y/n) y
    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. Do you want to do so (y/n) y
    Do you want to enable rate-limiting (y/n) y
  5. Add PAM module
    pi@awesomebox ~ $ echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
  6. Enable “Challenge-Response Authentication” in SSH
    pi@awesomebox ~ $ sudo vi /etc/ssh/sshd_config
    Change entry ChallengeResponseAuthentication from no to yes.
  7. Restart SSH
    pi@awesomebox ~ $ sudo service ssh restart
  8. Test it out
    Open up a new terminal window and ssh to your box as you normally would
    user@lazybox ~ $ ssh pi@awesomebox
    Password: [Enter password]
    Verification code: [Enter TOTP-token from App]
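
What the answers in step 4 mean on the server side, as an added example (not code from the original post, nor the PAM module's own implementation): a TOTP check with 30-second steps, one extra token accepted before and after the current time, and rejection of reused tokens. The names `TotpVerifier` and `decode_secret` are assumptions made for illustration, and the key used with it is the published RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each token lives
WINDOW = 1   # extra tokens accepted before and after the current one

# Constructed sample input: the SHA-1 test key published in RFC 6238.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(b32: str) -> bytes:
    """Decode a base32 'secret key' string as printed during enrolment."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Hypothetical server-side check: skew window plus one-time use."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_used = -1  # highest time-step counter already accepted

    def verify(self, token: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_used:
                continue  # this step (or an older one) is already spent
            if hmac.compare_digest(hotp(self.key, counter), token):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC6238_TEST_KEY)
    print(v.verify("287082", now=59))  # first use of the token
    print(v.verify("287082", now=59))  # same token replayed
```

Tracking only the highest accepted time step also rejects an older token that arrives after a newer one has been used, which is stricter than remembering individual tokens.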

Happy TOTP-ing :)

The Old Reader (RSS Reader) – Best Online RSS Alternative, after Google Reader Discontinuation

I personally check RSS feeds every day, and ever since Google Reader got discontinued a while back, I’ve found a viable alternative, The Old Reader. The service easily allowed me to import my old feeds through an OPML file, and even gave me instructions on how to export my Google Reader feeds.

The service does not (yet) offer any iPhone app, or Android equivalent, that I know of. However, since it seems to be already optimized for mobile browsers, that is not an issue for me. Simply create an iOS homescreen shortcut from Safari, and you’re done. The fancy web 2.0 HTML5 site build adds a nice feel, and the controls are what you would expect from an RSS reader.

Apart from the occasional slowdowns, site-downs (I hope you like cats) and internal conflicts within the site crew, I highly recommend it.

Knitting Contacts, Infinite Radio Transmissions – Social Media OnTheGo

It’s nothing new. It’s not coming; it’s here and has been here for a while now. Twitter, Facebook, Google+ and so on have found their way into our pockets and have become, some more commonly than others, an integrated part of the user’s smartphone operating system.

Their almost instant transition from the desktop to the handheld has switched priorities around. A simple photo with a name and author is no longer enough. The services’ already giant library of hash tags has shown its worth and still grows bigger, written with the thumbs of thousands of smartphone users.

Every mobile upload comes with GPS coordinates, upload date and the optional description and hash tags. The familiar Status Update is more than just text. More often than not, users tend to allow Location Data and perhaps add People you are with to the update.

I’m not opposed to this development, quite the contrary. I just find it amazing that with such common hardware, wide software libraries and clever use of the radio spectrum, these devices can accomplish so much, with only a set battery milliampere barely limiting the user experience.

Knitting contacts OnTheGo, spewing infinite radio transmissions: the user seamlessly accomplishes this with her handheld device.

You Cannot Win – It’s All In The Numbers

From the predetermined consequence of an electronic slot machine, to all the advanced algorithms that recommend what entertainment to consume. Mankind’s vision of a predetermined destiny changes significantly. Rather than being of a supposed divine essence -divinity created by humans to begin with- it misfires and is rationally interpreted as man-made phenomena. This in turn can perhaps have a negative effect when culture, human activity, is involved. No futile, insensitive, code-strip should decide what I want to see and hear.

How To: Add Google Analytics Code to WordPress Manually

I have already posted a WordPress plugin recommendation on the plugin “Google Analytics for WordPress” and it works great. But there are a few things that I personally find annoying. First of all, it not only adds the Analytics code to the header, but also “Powered by blah blah blah”, and I find that egotistic of the developer. Secondly, there is the general placement of the code in the header, which means that the visitor’s web browser will load it as one of the first elements of the page. That will slow down the download of the main content, which is very important to me. Next I will show you how you can add the code manually to your WordPress footer.