Bernard's Babble

Mon, 09 Oct 2006

For those final years in need of motivation

Thesis Countdown Timer

written at 00:09 under /geek

Sun, 27 Aug 2006

OTP and SSH

After travelling around Mexico and logging into my mail server from random machines, my paranoia has turned me to looking at one-time passwords. Here's a brief rundown of what I went through to set it up on Ubuntu.

On a local secure machine (laptop/PDA):

  1. apt-get install opie-client
  2. Think up a secret passphrase between 10 and 127 characters long.

On the server:

  1. apt-get install libpam-opie opie-server
  2. As per /usr/share/doc/libpam-opie/README.Debian, I edited /etc/pam.d/ssh and replaced the line
       @include common-auth
     with
       auth    sufficient  pam_unix.so
       auth    sufficient  pam_opie.so
       auth    required    pam_deny.so
  3. Enable ChallengeResponseAuthentication yes in /etc/ssh/sshd_config.
  4. As the user on the server, run opiepasswd. This will give you a challenge that you need to answer by running opiekey or otp-md5 on a local (secure) machine.
    server% opiepasswd
    Adding bernard:
    You need the response from an OTP generator.
    New secret pass phrase:
            otp-md5 499 so9449
            Response: 
    
    client% otp-md5 499 so9449
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: ***************
    LIEU FOLK GULL WALL TASK AN
    
    And now pass LIEU FOLK GULL WALL TASK AN back to the opiepasswd command.
Now when you log into the server with ssh, you should be greeted with something like:

    insecure% ssh server
    otp-md5 498 so9449 ext, Response:

where you respond by running otp-md5 498 so9449 on your local secure machine, entering your secret passphrase, and typing the response back in at the server's prompt. If the server rejects it, double-check you didn't mess up your secret passphrase. There are no other warnings or errors if you do!

The sequence number decrements towards 0 each time a challenge is used. So if you're going travelling without your PDA, you could pre-generate your one-time passwords, print them out and stick them in your wallet (assuming you trust your wallet).
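To make the challenge/response and the countdown above concrete, here is the RFC 2289 hash chain that otp-md5, opiekey and opie-server implement, written out in Python. This is an added example, not code from this post or from the OPIE project: the function names (otp_md5, verify, pregenerate and so on), the OtpRecord structure and the passphrases are my own choices, and the user name and seed are just the constructed values from the session above. Only the MD5 variant is shown, and only in the RFC's hexadecimal output form; the six-word form (LIEU FOLK GULL ...) needs the RFC's 2048-word dictionary, so it is left out. One caveat worth keeping in mind about the PAM stanza above: with pam_unix.so listed as sufficient ahead of pam_opie.so, the account's ordinary password still logs you in on its own; the OTP is an additional accepted credential, not a replacement, until pam_unix.so is taken out of that stack.

```python
"""RFC 2289 one-time passwords (MD5 variant, as used by otp-md5/opiekey and checked by
opie-server): client-side response generation, the server-side chain check, and the
"pre-generate a list for your wallet" trick.  Added example, not code from the post
or from OPIE.  Seeds, passphrases and the user name are constructed sample values."""
import hashlib
import hmac
from dataclasses import dataclass


def otp_step(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: MD5 the input, then fold the 16-byte digest down to
    8 bytes by XOR-ing the two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(digest[i] ^ digest[i + 8] for i in range(8))


def otp_md5(sequence: int, seed: str, passphrase: str) -> bytes:
    """What `otp-md5 <sequence> <seed>` computes on the client.

    Initial step: hash(lowercased seed || passphrase); RFC 2289 makes the seed
    case-insensitive.  Then `sequence` further hash-and-fold rounds.  Hashing the
    value for sequence N once gives the value for N+1, but nothing recovers N from
    N+1, which is why each password in the chain can be used exactly once."""
    if sequence < 0:
        raise ValueError("sequence number must not be negative")
    if not 10 <= len(passphrase) <= 127:  # OPIE's passphrase limits, as in the post
        raise ValueError("passphrase must be 10 to 127 characters")
    value = otp_step(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        value = otp_step(value)
    return value


def to_hex(otp: bytes) -> str:
    """RFC 2289 hexadecimal output form: four groups of four upper-case hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


@dataclass
class OtpRecord:
    """Server-side state per user, as opiepasswd leaves it: the seed, the sequence
    number of the stored password, and that password.  The passphrase is never stored."""
    user: str
    seed: str
    sequence: int
    stored: bytes


def enroll(user: str, seed: str, sequence: int, response: bytes) -> OtpRecord:
    """opiepasswd: the user answers `otp-md5 <sequence> <seed>` once on the secure
    machine and the server keeps only that response."""
    return OtpRecord(user, seed, sequence, response)


def challenge(record: OtpRecord) -> str:
    """The prompt the next SSH login shows: one below the stored sequence number."""
    return f"otp-md5 {record.sequence - 1} {record.seed}"


def verify(record: OtpRecord, response: bytes) -> bool:
    """Accept a response to challenge(record) if one more hash step turns it into the
    stored value; on success roll the record forward so the same response is rejected
    if replayed.  A mistyped passphrase simply fails to match, with no distinct error,
    exactly as the post observes."""
    if record.sequence < 1:
        return False  # chain exhausted: run opiepasswd again to re-seed
    if not hmac.compare_digest(otp_step(response), record.stored):
        return False
    record.stored = response
    record.sequence -= 1
    return True


def pregenerate(seed: str, passphrase: str, start: int, count: int) -> list[tuple[int, str]]:
    """The printed list for the wallet: the next `count` responses starting at
    sequence `start`, in the order the server will ask for them."""
    return [(n, to_hex(otp_md5(n, seed, passphrase)))
            for n in range(start, start - count, -1)]


if __name__ == "__main__":
    passphrase = "constructed sample passphrase"  # constructed; 10..127 characters
    record = enroll("bernard", "so9449", 499, otp_md5(499, "so9449", passphrase))
    print(challenge(record))                      # otp-md5 498 so9449
    resp = otp_md5(498, "so9449", passphrase)
    print("login ok:", verify(record, resp))      # True
    print("replay ok:", verify(record, resp))     # False: record already moved to 498
    for seq, hx in pregenerate("so9449", passphrase, 497, 3):
        print(seq, hx)
```

The hex output can be cross-checked against a real otp-md5 or against the MD5 test vectors in RFC 2289 Appendix C; the six-word output of the real tool is the same 64 bits rendered through the RFC dictionary. The server code deliberately uses a constant-time comparison and stores nothing that could be hashed forward into a future response.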

Et voila.

written at 12:39 under /geek

Sat, 17 Jun 2006

Ubuntu, Suspend2

My laptop HDD died last week and so I took the opportunity to give Ubuntu a spin - I figured given I've been recommending it to Linux newcomers for a while, I'd better try it myself. Whilst I've been coming to grips with this newfangled GUI thing, and doing things the Ubuntu way, I've also decided to make some generic Suspend2-enabled kernels. Being generic, I've made them apt-gettable and publicly accessible, but please don't sue me if they give your cat indigestion, or worse.

written at 17:23 under /geek

Thu, 31 Mar 2005

Good ol' reliable ext2

When stress testing Martello's Promise SX8 RAID card, who would've thought that ext2 would be easily corruptible? Seems a regression between 2.6.9 and 2.6.10 can bite you in the bum with ext2. And the only kernel that fixes all the bugs we're running into is 2.6.12-rc1-mm4 (which hasn't actually been released yet...). Go the power of Linux.

written at 11:15 under /geek

Suspend2 tidbits

Been hacking on userui some more - syncing the fbsplash code with splashutils 1.1.9.3, released yesterday. Should be releasing it soon - the fbanim code is a little lacking, sadly. I need to decide on a video decoder library and format to standardise on. Also, now that Nigel's releasing the filewriter, the hibernate script needs to be ready to handle that with ease! Still waiting for my machine to back up before I can test it...

written at 01:32 under /geek