ssh

ssh with 2FA

2FA has its critics: "It's so unreliable!" "Phones are so easily hijacked." "It's not a lot of added security." etc. Some of these make assumptions not necessarily in evidence.

In this post: FreeBSD 12.1, pam_google_authenticator-1.08

Most of the 2FA I use is time-based one-time passwords (TOTP), as opposed to text messages. These are often 6-digit numbers which change every 30 seconds. These are hard to guess and cannot be intercepted as they reside […]

Connecting to old devices via ssh

I have several old devices. Upgrading them is either impossible, they are unsupported, or I can't be bothered upgrading them. Access is only via a dedicated VLAN within my home network. When stuck, I posted to Twitter and that led me to OpenSSH Legacy Options. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms. Here's what I just tried:

$ ssh pdu1
Unable

subversion via ssh passphrase-less key

In general, passphrase-less ssh keys are a security nightmare. It is similar to leaving the key to your front door in the lock: anyone stumbling across it has access to your house. Similarly, if someone gets your ssh key, and there is no passphrase on it, they can use that key for anything to which that key grants access. Side note: How can you tell if a given ssh key has a passphrase?

ansible: Timeout waiting for privilege escalation prompt

I was doing some work in a remote location with a laggy connection to home. I was running ansible and kept encountering these errors:

fatal: [pg01]: FAILED! => {"failed": true, "msg": "Timeout (12s) waiting for privilege escalation prompt: "}

Rerunning the script would encounter the same error in a different part of the script. After an error-free run I concluded it was my dodgy connection; ansible was waiting for a reply from my

OSX was caching my ssh passphrases – easy fix

I have used ssh-agent for a long time. I enter my passphrase once, then let ssh-agent handle my ssh sessions. Last night, I noticed I ssh'd to a box and did not enter my passphrase. I got logged in. I had just rebooted my laptop so I was very concerned about this. It took a while, but eventually, I discovered the cause. OSX was caching the passphrase. More interestingly, it was not using

When ssh and ansible play poorly together

Last night, this worked fine. This morning, it fails:

# ansible-playbook jail-mailjail.yml

PLAY [mailjails] **************************************************************

GATHERING FACTS ***************************************************************
failed: [mailjail.example.org] => {"failed": true, "parsed": false}
invalid output was: Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

TASK: [pkg | install pkg] *****************************************************
FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/root/jail-mailjail.retry

mailjail.example.org       : ok=0    changed=0    unreachable=0

Authentication tried for dan with correct key but not from a permitted host

I kept seeing these messages:

Jun 12 04:09:18 nyi sshd[94523]: Authentication tried for dan with correct key but not from a permitted host (host=dbclone.example.org, ip=10.6.0.9).
Jun 12 04:09:18 nyi sshd[94523]: Authentication tried for dan with correct key but not from a permitted host (host=dbclone.example.org, ip=10.6.0.9).

I've been seeing them for a long time. How long? Three years. I didn't think it was that long. But back in July 2010 I mentioned it. After

sshd: error: key_read: uudecode failed

I started seeing this error:

Jun 10 19:12:38 nyi sshd[92208]: error: key_read: uudecode AAAAB3NzaC1yc2EAAAABJQAAAIBdX/USEtxnO91Vpujney8gwkq2sRrcU9R6nKAoGv1eNMWrMD9a93kZMjR4fFMAH87g+zyHBftxCsyE0wJX2A0UFgIQsiuOOINkTJMyk\n failed

I couldn't figure it out. Then I searched ~/.ssh/authorized_keys for that string. I found it in there. But the line was incomplete. It looked like I'd deleted the last part of the line. It should end with something like this:

… onsnJNGeljjf9i8U3aorbSZj3jiEuTYMoTi9XK2dvGh5bbEQggw47jQg= dan@bigtimes.example.org

Solution: I deleted that line. Then I copy/pasted the public key back into the file

The Bacula Tutorial jail server

One of the challenges of providing hands-on demonstrations is giving everyone their own sandbox to play in. I don’t want people to spend time on installing software. I want people to learn about the software in question, specifically Bacula. With this in mind, I’ve been building up a solution based on FreeBSD 9.1, ZFS, and jails. My solution is pretty nifty, but I don’t think it’s anything special. The key is simplicity. The
