Cloudweavers » openssh

Swekey – An authentication gizmo for Windows, Mac OSX, GNU/Linux

pascal.charest — Mon, 21 Sep 2009 18:20:05 +0000

Through my connection with PraizedMedia (a client of Les Laboratoires Phoenix- managed data infrastructure), I received a ‘Swekey‘ device. It look like an normal USB key, but their website seem to push toward something much more useful (and potentially dangerous). Hence, I decided to try it. It is advertised as :

The swekey is a small USB key that secures access to any swekey enabled web sites.
Swekey secured web sites won’t let you login without your swekey plugged to your computer.
The swekey can also be used to secure corporate’s intranet, unix servers access, and database administration.
[...]

Swekey device, Photo by Pascal Charest

The website mention integration with WordPress, SSH, putty, MediaWiki, Zabbix, Magento, SugarCRM… and much more… In fact they even speak about integration with any OpenID enabled websites – Might be very cool and interesting. Lets see how it work.

I’m an hacker at heart, so I don’t normally read much of a device documentation, but in this case – I was lost. How is the device working? Is it a key with auto-run partition + dedicated browser, is it the equivalent of an RSA key, is there any software to install ? To answer my questions, what would be better that some tests in a protected GNU/Linux workstation (which is what normal people do : plug it in and see what happen):

The device auto-detection work and recognize the device as an USB CDROM drive (from dmesg):

usb 2-8: new full speed USB device using ohci_hcd and address 3
usb 2-8: configuration #1 chosen from 1 choice
Initializing USB Mass Storage driver…
scsi10 : SCSI emulation for USB Mass Storage devices
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
usb-storage: device scan complete
scsi 10:0:0:0: CD-ROM Musbe Swekey 1.03 PQ: 0 ANSI: 0
sr1: scsi-1 drive
sr 10:0:0:0: Attached scsi CD-ROM sr1
sr 10:0:0:0: Attached scsi generic sg3 type 5
cdrom: This disc doesn’t have any tracks I recognize!
usb 2-8: reset full speed USB device using ohci_hcd and address 3

Then : Nothing. No auto-mount, no dialog box… Kinda of left there. The partition cannot be mounted…

Going to their website, I learn the official working steps: “BUY” (pseudo-done), “PLUG” (done), “REGISTER” (ugh?) and I’m “READY”. The REGISTER (the step I’m at, right ?) section give me an error of ‘missing plug-in’ from Mozilla Firefox 3.0.14. Ok, browsing “Support”/”Download” inform me of missing dependencies (a software must be installed) to access the device. I download the x64 GNU/Linux version and … hum ?

pcharest@hydra:~/Desktop/swekey$ cat README
Swekey client
This package install:
- the swekey-client command line tool
- the swekey HAL module
- the swekey Mozilla plugin

The swekey-client command line tool gives you the list of plugged swekeys
and let you calculate OTPs with them.

type:
swekey-client –help
to get the available options

To install swekey-client just type:
sudo ./install
or
./install
if you are root

To uninstall swekey-client just type:
sudo ./uninstall
or
./uninstall
if you are root

I have no idea what is an OTP but let say I try installing the client:

sudo ./install

and validate the device is detected:

./swekey-client –list

It work and give me a device ID. Good, at least the device is known by the system. I still don’t know how it should work. I guess I should be installing the Mozilla plug-in the readme mentionned, but… I never found it. I guess the client install worked (and it was included) because after a Mozilla reload, the Manage section of their web page give (or might also be one of the random file I clicked on) :

Registration is not mandatory but it will allow you to disable a lost or stolen Swekey.

So… I don’t really need to register the key… lets try it then (which I’ve been trying to do for quite a long time at this point).

I own quite a few Zabbix servers, so, from the list of supported service :

ZABBIX is an enterprise-class open source distributed monitoring solution.
A swekey integration exists, it is still a patch but you can ask for it if you need to test it.

Ok, still want to test the device – So i try with MediaWiki:

And it started to work well : creation of an account (user+password), then I get asked if I want to bind this account to my Swekey. This won’t allow me to auto-login but will require the key to be present in any computer (with the installed software) to access the account.

Summary: As a summary, I’d say that while it give a boosted security (require the Swekey to log) – it does seem to go a bit over the limit of the permanent fight between conviviality and security. Installing the software is complicated and might be very problematic on system without administrator access… Personally, having tried both, I would prefer Paypal key ID to be integrated to more website. There is no need to ‘install’ the software on any computer and it give you the same added security the Swekey does.

top sysadmin stuff

pascal.charest — Sat, 07 Mar 2009 13:45:37 +0000

Being challenged everyday to augment my productivity, here is a few quick tricks/software helping system administrator.

1. BlackBerry

Yeah, I know. It was an easy one – and easy to expect since I’ve bought a Storm. Employees get to hate them (since they are always hooked to the business) but as owner of a small business, I NEED to be informed of everything going on. The ability of answering my email / instant messanging while in route between Montreal & Ottawa is of prime importance. My clients doesn’t need to know where I am or what I am doing, they know I’m ready to help them.

The BlackBerry by itself is not as feature-complete as the iPhone seem to be. Using the pre-loaded email client with gmail just doesn’t cut it. It’s using IMAP and discarding all your filter/labels for incoming messages. There is an alternative : gmail mobile application. Available from the central mobile application repository of Google. Using a customized alert setting, you can be informed when you have new mail (in your inbox), while preserving your filter/label configuration. While you are there, you should also install the maps application, can always be handy.

Another “must-have” app. for sysadmin is MidpSSH. Which, as its name make it pretty clear, is a SSH/Telnet client. There have been a few reports of incompatibility between Storm and midpssh – yet, with an up-to-date OS/taking into account that your device often capitalize the first letter (of a username)/openssh is case-sensitive, you should not have any problems to connect to GNU/Linux systems.

2. Monitoring software

A good monitoring system watching over your network is a life saver and all the difference between you informing your client of a system failure or the other way around. Nagios is pretty well known and getting help is very easy since the community is so dynamic. Another software doing the same job is Zabbix. I do have some predisposition toward it, being a certified expert. Both are free softwares and are easy to install/configure. Zabbix does have a cuter interface though – can become handy if your client require access.

Both software allows sysadmins to run remote command. Personally, I find those systems to be way too complicated to setup when Monit is easily available. Its configuration allow a syntax very similar to : if load > 5 for 10 minutes, then stop postfix-delivery. Another life saver when you don’t expect your remote monitoring agent to be able to launch a command. I use it for limits like (if load>80 for 2 minutes, then stop {httpd,mysqld}). If your system is badly losing interactivity, your normal remote monitoring software will never be able to save your system (ssh will timeout).

3. Log/Security software

While Zabbix/nagios can do some checksum on important files (such as /etc/passwd, /etc/shadow, …), they are not ready as IDS (Intrusion Detection System) yet. For such system, I recommend OSSEC. Following the online documentation, you will have a log-analysis system created in no time – using thousand of rules given with the software. Customization can also be done pretty quickly. The ‘action’ following a trigger can be email-alert or a command. The system come with a pre-built interface to iptables… port-scanning and brute force password testing are no more.

Add to all these tools a svn repository for your code, an Puppet system for global configuration and some wiki for documentation and you should have a pretty strong backbone to deal with anything your clients throws at you.

hashing the know_hosts file

pascal.charest — Fri, 15 Aug 2008 16:29:58 +0000

OpenSSH client keep a fingerprint of servers to which connections (ssh-client) have been made. Such fingerprints are stored in .ssh/know_hosts and are automatically compared with the current server fingerprint on connection acknowledgment.

Hence, the .ssh/known_hosts file is crucial to system security against man-in-the-middle attack in a networked environment. This file is also a very very good vector of attack on system administrator computer and hashing the content of the file is a good practices. Especially with the current wave of big bugs hitting GNU/Linux systems.

The first step is to enable hashing of the new fingerprints:

# cat /etc/ssh/ssh_config
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
TCPKeepAlive yes
ServerAliveInterval 60

The “HashKnownHosts yes” configuration option is the way to go – it is a general setting affecting all users on your system (Host *). If you don’t have access to the central ssh_config option, don’t forget you have personalized user setting in .ssh/config.

This enable the hashing of future fingerprints. To modify your actual file, use the following ssh-keygen command. Your unmodified know_hosts will be save as know_hosts.old .

# ssh-keygen -H -f .ssh/know_hosts

Have fun, stay safe.

High performance SSH/SCP

pascal.charest — Mon, 18 Feb 2008 21:15:21 +0000

The article here, about high performance optimization to the SSH process, has been doing quite a few waves. I still post it on my blog since some people might have missed it (shame on you!).

In a very short summary : lets say that it’s a patch to allow for dynamic resizing of the internal flow control buffer in OpenSSH. It also multi-thread the crypto part. In other words, you get speed, you don’t lose much, on link where you own both end-point.

You still need to be a bit careful, there is a lot of talk of why it WON’T be integrated in the official OpenSSH release. But hey, if Leif Nixon and Robert G. Brown like it, jeez…. I guess it must not be that bad.

Note : For those who don’t know those names, they are kind of "local" heros in the Beowulf clustering field.