Never Ending Security


Set up Yubikey with PAM for OpenVPN, SSH and Squirrelmail


Yubikey and PAM for SSH:
If you're using armhf or armel you might run into a bug with the default libpam-yubikey packages:
See: https://bugs.launchpad.net/raspbian/+bug/1039577

If you have successfully built the new package/fix and installed it, it's time to continue the setup for SSH:
1) You can create a global config or use a user's own yubikey file; I chose the latter: mkdir /home/*username*/.yubico/ and create a file named authorized_yubikeys in it.
The contents of this file should be:
username:*yubikey first 12 characters*:*next yubikey first 12 characters*
2) Get an API key for the Yubico cloud validation service to authenticate against: https://upgrade.yubico.com/getapikey/
3) Note the API id and key and add the following line to /etc/pam.d/sshd:
auth required pam_yubico.so id=*your API id number* key=*your API key* url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
4) In /etc/ssh/sshd_config, comment out the line ChallengeResponseAuthentication no (the default is yes, so commenting it out enables it!)
5) Restart sshd: /etc/init.d/ssh restart or service sshd restart
6) Test!
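As an added illustration (my own example code, not part of the original post and not pam_yubico's source), this Python checker mirrors the local half of what pam_yubico does: it parses the authorized_yubikeys format from step 1, takes the 12-character public ID off the front of a 44-character OTP, checks that the key is registered to the user who is logging in, and flags a group/world-writable authfile. The key IDs in the sample file are constructed.

```python
import os
import stat

MODHEX = set("cbdefghijklnrtuv")  # modhex alphabet used by YubiKey OTPs

# Constructed sample ~/.yubico/authorized_yubikeys (the key IDs are made up)
SAMPLE_AUTHFILE = """\
# username:public_id[:public_id...]
alice:ccccccbcgujh:cccccccbjihv
bob:ccccccdlnkhv
"""

def parse_authorized_yubikeys(text):
    """Return {username: set(public_ids)} from authfile text.
    Blank lines and '#' comments are skipped; every public ID must be
    exactly 12 modhex characters, otherwise the file is rejected."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        if not user or not ids:
            raise ValueError(f"line {lineno}: expected user:id[:id...]")
        for pub in ids:
            if len(pub) != 12 or set(pub) - MODHEX:
                raise ValueError(f"line {lineno}: bad public id {pub!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping

def public_id(otp):
    """First 12 chars of a 44-char modhex OTP identify the key; the other
    32 are the AES-encrypted, single-use part the Yubico API verifies."""
    if len(otp) != 44 or set(otp) - MODHEX:
        return None
    return otp[:12]

def key_allowed_for_user(mapping, user, otp):
    """The local check: does this OTP come from a key registered to user?
    Even a valid OTP must fail here if the key belongs to someone else."""
    pub = public_id(otp)
    return pub is not None and pub in mapping.get(user, set())

def authfile_mode_ok(path):
    """Reject a group/world-writable authfile: anyone who can write it
    could register their own key for another account."""
    return not (os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```

The Yubico API still has to verify the remaining 32 characters; this local check only prevents one user's key from being accepted for another user's account.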

For OpenVPN with Yubikey and PAM:

1) Follow the steps above to get the correct yubikey PAM module installed.
2) Install OpenVPN with a default server.conf, ca.crt, server.crt etc., following any of the 100 manuals on the net.
3) Check that the OpenVPN PAM auth plugin was installed along with OpenVPN, i.e. /usr/lib/openvpn/openvpn-auth-pam.so; if you don't have this file, install the openvpn-pam package.
4) Add the following to /etc/openvpn/server.conf:
#
### yubikey auth
#
# make sure the plugin path is correct; the last argument is the PAM service name
# (openvpn - we'll create /etc/pam.d/openvpn manually later on)
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
5) Create a file /etc/pam.d/openvpn with the following contents:
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth required pam_unix.so use_first_pass
# first check the yubikey OTP, then require a successful unix PAM auth
6) Add the following line to the client OpenVPN config: auth-user-pass
7) Test!

Yubikey and Squirrelmail:
Read the howto here:

http://wiki.yubico.com/wiki/index.php/Applications:Squirrelmail_Plugin

Don't forget to install php-curl or a similar package, as PHP needs to do a curl
POST against the Yubico API.

Set up a secure IRC with SSL, PAM auth and crypted salted passwords


ngircd with PAM and SSL (strong ciphers)

– ngircd source – v21 minimal
– install libpam-pwdfile, libpam-dev and apache2-utils (for htpasswd)

./configure --with-pam --with-openssl; make; make install
– create /etc/pam.d/ngircd:

auth required pam_pwdfile.so pwdfile=/usr/local/etc/ngircd.passwd
– create the password file with the crypt() function and a salt (!) as discussed here: http://viki.brainsware.org/?en/Virtual_Users_simple – NOTICE!! crypt() alone is insecure; you need to use the Perl function from that page to create crypt() passwords with a salt. I have not found a stronger hash function that works with ngircd.
– fix ngircd.conf with

PAM = yes
PAMIsOptional = no
– enable SSL and allow the default strong ciphers (CipherList = HIGH:!aNULL:@STRENGTH)
– start ngircd and check /var/log/syslog and /var/log/auth.log
Sample config:

[Global]
Name = hodor.pragmasec.nl
AdminInfo1 = Description
AdminInfo2 = Location
AdminEMail = admin@irc.server
;HelpFile = /usr/local/share/doc/ngircd/Commands.txt
Info = PragmaSEC IRC
Listen = 0.0.0.0
MotdPhrase = "Welcome to the PragmaSEC IRC server"
# Global password for all users needed to connect to the server.
# (Default: not set)
;Password = abc
PidFile = /var/run/ngircd/ngircd.pid
ServerGID = irc
ServerUID = irc
[Limits]
ConnectRetry = 60
IdleTimeout = 60
MaxConnections = 500
MaxConnectionsIP = 10
MaxJoins = 10
MaxNickLength = 9
MaxListSize = 10
PingTimeout = 120
PongTimeout = 20
[Options]
AllowedChannelTypes = #&+
AllowRemoteOper = no
;ChrootDir = /var/empty
;CloakHost = cloaked.host
;CloakHostModeX = cloaked.user
;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
;CloakUserToNick = yes
;ConnectIPv6 = yes
;ConnectIPv4 = yes
;DefaultUserModes = i
DNS = no
Ident = no
;IncludeDir = /usr/local/etc/conf.d
MorePrivacy = yes
;NoticeAuth = no
OperCanUseMode = no
;OperChanPAutoOp = yes
OperServerMode = no
PAM = yes
PAMIsOptional = no
RequireAuthPing = yes
;ScrubCTCP = no
;SyslogFacility = local1
;WebircPassword = xyz
[SSL]
CertFile = /etc/ssl/certs/hodor-bundle.crt
CipherList = HIGH:!aNULL:@STRENGTH
;CipherList = SECURE128
;DHFile = /usr/local/etc/ssl/dhparams.pem
KeyFile = /etc/ssl/private/hodor.key
;KeyFilePassword = secret
Ports = 6667
[Operator]
;Name = TheOper
;Password = ThePwd
;Mask = *!ident@somewhere.example.com

[Channel]
Name = #pragmasec
Topic = pragmasec
Modes = tnk
;Key = Secret
;KeyFile = /usr/local/etc/#chan.key
MaxUsers = 20
# -eof-