
2-Factor Authentication for OpenBSD Using Google Authenticator and totp-util

22 April 2016

This post is adapted from my OpenBSD guide in the totp-util wiki.

I recently set up a semi-public OpenBSD box, and thought I could stand to lock down password logins, especially for the root user. A popular system for two-factor authentication is TOTP:

In a typical two-factor authentication application, user authentication proceeds as follows: a user enters username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. For this to work, the clocks of the user’s device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 time interval from the client’s timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user’s device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.

I wrote totp-util to simplify the process of setting up Google Authenticator on UNIX systems.

Install utilities

npm install -g https://github.com/WIZARDISHUNGRY/totp-util 
pkg_add login_oath

User setup

  • Run totp-util to set up ~/.totp-key
  • Scan the generated code with Google Authenticator

Setup authentication and SSH

  • We’re assuming everyone on the server is using SSH key auth. Change the default authentication styles in /etc/login.conf:
# Default allowed authentication styles
auth-defaults:auth=-totp-and-pwd,skey:

Edit /etc/ssh/sshd_config to force SSH logins by root to use both an ssh key and a totp/password.

Match User root
AuthenticationMethods publickey,password

Then run:

/etc/rc.d/sshd restart 
cap_mkdb /etc/login.conf

Now regular users should be able to authenticate with just an SSH key (or a password plus TOTP token), but root will need an SSH key, a password and a TOTP token.

Logging in

$ ssh root@machine   
Authenticated with partial success.
user@machine's password: 123456/password
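To make the ±1 interval check from the TOTP description above concrete, here is an added Python example (my own illustration, not code from totp-util or login_oath). It derives a Google-Authenticator-style code from a base32 secret, verifies it with a one-step window on the server side, and splits the single token/password response shown in the login transcript; that split format is assumed from the transcript, not taken from login_oath's documentation.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed example secret in the base32 form Google Authenticator scans
# from a QR code. It is the RFC 6238 test seed ("12345678901234567890" in
# base32), not a real key.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if now is None else now
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, token: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server side: accept the token if it matches the current step or one
    within +/- `window` steps (the clock-skew tolerance described above).
    The comparison is constant-time so a wrong guess leaks nothing."""
    now = int(time.time()) if now is None else now
    counter = now // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d).encode(),
                                   token.encode())
               for d in range(-window, window + 1))


def split_totp_and_pwd(response: str) -> Tuple[str, str]:
    """Split the 'token/password' response typed at the password prompt
    (assumed format from the transcript; first slash only, so the password
    itself may contain slashes)."""
    token, sep, password = response.partition("/")
    if not sep or not token.isdigit():
        raise ValueError("expected <totp>/<password>")
    return token, password
```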

Block Tweet Sponsors

29 September 2014

April, 2016: this is broken right now!

I find the promoted tweets on Twitter super annoying, so I cobbled together a PHP (sorry!) script to block tweet sponsors. If anyone has an idea on how to get the mobile timeline so I never see ads for mobile games with in-app purchases, hit me up.

Accessing OS X Location Services from the command line

21 June 2013

I wanted to access location services data from a bash script so I cobbled together osx-location.

$ make
$ ./location --help
--count <number>         Wait for this many responses (default: 1).
--debug                  Output helpful debugging info.
--format <format>        Set the output format (default: key-value).
--help                   Show this help.
Formats available:
              k = key-value
              j = Geo JSON
              s = SBS-1 ADS-B

$ ./location --debug 
location service enabled
<+40.696969,-73.420420> +/- 65.00m (speed -1.00 mps / course -1.00) @ 6/18/13 8:43:43 PM Eastern Daylight Time
timestamp: 2013-06-19 00:43:43 +0000
latitude,longitude: 40.696969,-73.420420
altitude: 26.000000
horizontalAccuracy: 65.000000
verticalAccuracy: 10.000000
speed: -1.000000
course: -1.000000

Turn on Transmission Bandwidth Limits When Connecting via Ssh

20 May 2013

I spend a lot of time logged into my home machine via ssh and find it irritating that my ssh performance degrades when Transmission is making speedy progress on a torrent. I’ve cobbled together some bash-fu to click the turtle icon when you connect via ssh and uncheck it when the last ssh connection leaves.

Making Sure All Your Test Classes Are Loaded by Your Test Suite

20 May 2013

We were having an issue with developers omitting or removing tests from our test harness. So I kludged together a PHP/Bash monstrosity that prints a list of files not loaded during the execution of the test harness, as determined by strace’s log of file access. Although this is a little coarse, it does provide a list of outdated fixtures, new unadded tests and defunct tests to be removed/fixed. You probably want to tee this into a logfile.

<?php
// Compare every file under the test tree against the files the test
// harness actually opened (as recorded by strace) and print the leftovers.
define('TEST_BASE_PATH', realpath(realpath(dirname(__FILE__)) . '/../library/Mmf/Test/'));
define('SCRIPT_PATH', realpath(dirname(__FILE__)) . '/CommitTest.php');

echo SCRIPT_PATH, "\n";
echo "This is SLOW!\n";
$tmp = tempnam(sys_get_temp_dir(), "TestSuiteCoverage-");
$path = TEST_BASE_PATH;
// Every file in the test tree (fixtures included), one path per line;
// array_filter drops the empty element left by find's trailing newline.
$files = array_filter(explode("\n", `find $path -type f`));
echo "Logging strace to $tmp\n";
// Run the harness under strace, following forks (-f) and logging open()/openat()
// calls (modern libc uses openat). Extra arguments are passed through to the harness.
passthru("strace -o " . escapeshellarg($tmp) . " -e trace=open,openat -f php "
    . escapeshellarg(SCRIPT_PATH) . " " . escapeshellcmd(implode(' ', array_slice($argv, 1))));

// Field 2 of each strace line (between the double quotes) is the opened path;
// keep only paths inside the test tree, deduplicated.
$lines = array_filter(explode("\n", `cut -d \" -f 2 $tmp | grep $path | sort | uniq`));
$diff = array_diff($files, $lines);
echo count($lines), " files encountered of ", count($files), "; ", count($diff), " missing\n\n";
foreach ($diff as $file) {
    echo "$file\n";
}
unlink($tmp);

Example output:

php util_scripts/TestSuiteCoverage.php
/home/jon/build/Spam/util_scripts/CommitTest.php
This is SLOW!
Logging strace to /tmp/TestSuiteCoverage-z0EBOL

phpunit   /home/jon/build/Spam/util_scripts/../library/SpacelySprockets/Test/Suite/Integration/Frontend.php 

PHPUnit 3.6.3 by Sebastian Bergmann.

...............................................................  63 / 528 ( 11%)
............................................................... 126 / 528 ( 23%)
............................................................... 189 / 528 ( 35%)
............................................................... 252 / 528 ( 47%)
............................................................... 315 / 528 ( 59%)
............................................................... 378 / 528 ( 71%)
............................................................... 441 / 528 ( 83%)
............................................................... 504 / 528 ( 95%)
........................

Time: 19:56, Memory: 558.25Mb

OK (528 tests, 5557 assertions)
301 files encountered of 362; 361 missing

/home/jon/build/Spam/library/SpacelySprockets/Test/Suite/Integration/CodeLibrary.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Suite/Integration/Fizbuzz.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Suite/Integration/Service.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Suite/Integration/Model.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Suite/Unit/All.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Library/Constant/DefaultProfile.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Library/Autoloader.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Mock/Acl/Frontend.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Mock/View/Helper/TabbedPane.php
/home/jon/build/Spam/library/SpacelySprockets/Test/Fixtures/video-fizbuzz.sql
/home/jon/build/Spam/library/SpacelySprockets/Test/Fixtures/content_comment.sql
/home/jon/build/Spam/library/SpacelySprockets/Test/Fixtures/member-usage.sql
/home/jon/build/Spam/library/SpacelySprockets/Test/Fixtures/stats-test.sql

MTA Real-time Subway Status iCalendar Feed

19 September 2012

THIS IS BROKEN RIGHT NOW

I’ve created an iCalendar (ics) feed of up-to-the-minute MTA train status that you can subscribe to on your phone or calendar application. Right now you can only subscribe to Subway. I find having this always updated in my iPhone’s notification center better than using a heavyweight dedicated app.

  • iPhone / iOS / Mac OS X: I recommend using iCloud to sync calendar subscriptions across devices.
  • Google Calendar: I don’t think Google polls often enough for this to be useful. YMMV.
  • A short url for this page is: mta.jonwillia.ms

[Screenshots: iCal displaying MTA status in OS X and in iOS]

Source: Ruby source is available on GitHub: github.com/WIZARDISHUNGRY/mta-status-ical