# uname -a


Sunday 25 August 2013

Configure Munin graphs with Nginx, FastCGI, and Debian 7

Setting up Munin behind Nginx can be a little rough. Here is a ready-to-go solution for Debian Wheezy.


Tuesday 6 August 2013

Configure 2-factor YubiKey authentication for Debian: the easiest way

One of the trends of the last five years has been the rise of token-based authentication, which provides a safer way to authenticate than the classic login/password pair.

Today I will show you how to configure 2-factor authentication (login/password + YubiKey OTP) for your local Unix users as well as for SSH logins, through PAM.

In this tutorial I will use the Yubico API, because it is the simplest option. In that mode the OTP validity check is performed by Yubico's servers, so your machine must be able to reach them to accept a login. Alternatively, you can set up your own validation server if you don't want to depend on Yubico's.

  • First things first, you need a YubiKey from http://www.yubico.com/

  • Get your YubiKey ID. It is the first 12 characters of every OTP the key generates, and you can also compute it with http://demo.yubico.com/php-yubico/Modhex_Calculator.php
    For lazy people, type this in a bash shell and touch your YubiKey: read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}

  • Create a .yubico directory in your home directory, and a file named authorized_yubikeys inside it. Put your Unix username and YubiKey ID in it, in the form username:yubikeyid (several keys for one user are separated by further colons: username:id1:id2).

  • Next, create an id/secret pair for each server or service you want to authenticate: https://upgrade.yubico.com/getapikey/
    The ID returned after submitting the form is the client ID, and the secret is the associated API key. Each ID/secret pair is unique.
    You could reuse the same id/secret pair on every server you configure, but that is not what it is intended for: use a different pair for each server, so that one compromised server does not give away the key the others use.

  • Log in to your server as root and install libpam-yubico: apt-get install libpam-yubico

  • Configure it: dpkg-reconfigure libpam-yubico (prefix it with sudo if you are not root). When prompted, put the client ID in place of the N in id=N and the API key in place of the K in key=K.

  • Then apply the configuration with the command pam-auth-update.

That's all! Every PAM-based authentication will now ask for a YubiKey OTP in addition to the login and password. When logging in over SSH, just touch your YubiKey after typing your password and before pressing Enter. Note that this covers password (keyboard-interactive) logins only: SSH public-key authentication does not go through the PAM auth stack, so it is not protected by this setup.

Warning: if you mess up the YubiKey configuration and use sudo before every command, you will lock yourself out of your server! After dpkg-reconfigure, if you ticked "Yubico authentication", a YubiKey OTP will be required every time sudo asks for authentication, so keep a root terminal open to revert your changes.
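The moving parts of this setup are easier to reason about in code. The block below is an added example written for this page, not the blog's or pam_yubico's code: it extracts the public ID the way the one-liner above does (after checking the OTP's shape), builds the authorized_yubikeys line, and shows what the id/secret pair from getapikey is for in the Yubico validation protocol (version 2.0): the secret is a shared HMAC-SHA1 key that signs the request and lets the client check that the server's answer is genuine and belongs to its own request. The OTP, client ID, API key, nonce and the stand-in server are all constructed for the example; nothing here talks to Yubico.

```python
"""Pieces of the YubiKey/pam_yubico setup modelled in Python (added example, not the blog's code).

- public_id(): the first 12 modhex characters of a 44-character OTP, i.e. what goes into
  ~/.yubico/authorized_yubikeys (the blog's ${s:0:12}, but validated first).
- sign()/verify_response(): what the id/key pair from getapikey is used for: the key is a
  shared HMAC-SHA1 secret over the request and the response of the validation protocol (v2.0).
The OTP, API key, nonce and server below are all constructed for the example."""
import base64
import hashlib
import hmac
import secrets

MODHEX = "cbdefghijklnrtuv"   # the 16-letter alphabet YubiKey OTPs are written in
OTP_LEN = 44                  # 12-char public ID + 32-char encrypted token
PUBLIC_ID_LEN = 12

# Constructed sample values (not real credentials).
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"
SAMPLE_CLIENT_ID = "12345"                                    # the N in id=N
SAMPLE_API_KEY = base64.b64encode(bytes(range(20))).decode()  # the K in key=K (base64 of 20 bytes)


def public_id(otp):
    """Return the YubiKey public ID (first 12 modhex chars) after checking the OTP's shape."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a YubiKey OTP: expected 44 modhex characters")
    return otp[:PUBLIC_ID_LEN]


def authorized_yubikeys_line(username, otps):
    """Build one line of ~/.yubico/authorized_yubikeys; several keys are separated by ':'."""
    return username + ":" + ":".join(public_id(o) for o in otps)


def sign(params, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', excluding 'h' itself."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(client_id, otp, api_key_b64, nonce=None):
    """Query parameters a client sends to the validation server, with the signature attached."""
    params = {"id": str(client_id), "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    return params


def parse_response(text):
    """The server answers with 'key=value' lines; split on the first '=' only (base64 has '=')."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields


def verify_response(fields, api_key_b64, request):
    """Accept only a signed, untampered answer that echoes our OTP and nonce and says status=OK."""
    h = fields.get("h")
    if h is None or not hmac.compare_digest(h, sign(fields, api_key_b64)):
        return False                      # wrong key, forged or altered response
    if fields.get("otp") != request["otp"] or fields.get("nonce") != request["nonce"]:
        return False                      # answer to some other (possibly replayed) request
    return fields.get("status") == "OK"


def fake_server(request, api_key_b64, status="OK"):
    """Stand-in for the validation server: echo otp/nonce, add timestamp and status, sign it all."""
    fields = {"t": "2013-08-06T12:00:00Z0123", "otp": request["otp"],
              "nonce": request["nonce"], "sl": "100", "status": status}
    fields["h"] = sign(fields, api_key_b64)
    return "\n".join("%s=%s" % (k, v) for k, v in fields.items()) + "\n"


def simulate(status="OK", tamper=False):
    """One request/response round trip; with tamper=True the status is edited after signing."""
    req = build_request(SAMPLE_CLIENT_ID, SAMPLE_OTP, SAMPLE_API_KEY,
                        nonce="a1b2c3d4e5f60718293a4b5c6d7e8f90")
    body = fake_server(req, SAMPLE_API_KEY, status)
    if tamper:
        body = body.replace("status=" + status, "status=OK")
    return verify_response(parse_response(body), SAMPLE_API_KEY, req)


if __name__ == "__main__":
    print(authorized_yubikeys_line("alice", [SAMPLE_OTP]))
    print("genuine OK:", simulate())                              # True
    print("replayed OTP:", simulate("REPLAYED_OTP"))              # False
    print("forged OK:", simulate("REPLAYED_OTP", tamper=True))    # False
```

The last case is the reason the per-server secret matters: a response whose status was changed from REPLAYED_OTP to OK fails the signature check, but only as long as the key is known to just you and Yubico. A server that shares its id/secret pair with others can have its requests and answers forged by whoever holds that key.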

Saturday 16 March 2013

Apache: globally configure HTTPS for all VirtualHosts

You want to configure HTTPS once and for all for every domain and sub-domain served by your web server, without redeclaring the certificate in each VirtualHost. Here is the trick.

I run Debian. In a default Apache installation, the directory /etc/apache2/sites-enabled contains a file named 000-default, which declares the default VirtualHost for HTTP.

Keep in mind that when Apache loads a whole directory of configuration files, it reads them in alphabetical order. So if you want one declaration to be read before another, give it a name that sorts first. That is exactly what 000-default does.

In /etc/apache2/sites-available there is a file named default-ssl. Edit it to fit your needs (path to the certificate and key, etc.). Make sure mod_ssl is enabled too (a2enmod ssl): default-ssl is wrapped in <IfModule mod_ssl.c> and is silently ignored otherwise. Note that this certificate will be the same for every domain hosted on the server; that is what we want, a single configuration. If you host several domains on the same server, the certificate will be invalid for at least one of them (unless it is a wildcard or lists them all as Subject Alternative Names), and you should use mod_macro instead of a global HTTPS configuration.

Now enable the site the usual way: a2ensite default-ssl. Don't restart Apache yet.

Rename the symlink default-ssl that a2ensite created in /etc/apache2/sites-enabled/ to 000-default-ssl.

Configure your other VirtualHosts with a *:80 section and a *:443 section as usual, but without any certificate or other SSL directives in the *:443 ones.

If you restart Apache now, you will notice a warning like this:

_default_ virtualhost overlap on port 443

To get rid of these warnings, declare port 443 as name-based in your ports.conf, in the mod_ssl section where Listen 443 already sits (NameVirtualHost is an Apache 2.2 directive; it is obsolete in 2.4):

    <IfModule mod_ssl.c>
        NameVirtualHost *:443
        Listen 443
    </IfModule>

When you finally restart Apache, every VirtualHost declared on *:443 will use the certificate defined in 000-default-ssl without mentioning it: mod_ssl performs the TLS handshake with the first VirtualHost defined on that address and port, which is why the file has to sort first. You can check that it does with apache2ctl -S, which lists the VirtualHosts per port along with the default server for each.
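Put together, the three files end up like this. This is an added illustration of the layout described above, not configuration copied from the post: the domain name, document roots and certificate paths are placeholders, and the two SSLProtocol/SSLHonorCipherOrder lines are hardening I would add on a Debian 7 box, not something the post asks for.

```apache
# /etc/apache2/ports.conf (Apache 2.2 on Debian 7, relevant part)
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # Name-based on 443 too, otherwise every *:443 VirtualHost "overlaps" the default one
    NameVirtualHost *:443
    Listen 443
</IfModule>

# /etc/apache2/sites-enabled/000-default-ssl  (symlink to sites-available/default-ssl)
# Sorts first, so this is the VirtualHost mod_ssl uses for the handshake on *:443.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    SSLEngine on
    # Placeholder paths: replace the Debian snakeoil certificate with your own
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Added hardening, not in the post: the Debian 7 defaults still allow SSLv2/SSLv3
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
</VirtualHost>
</IfModule>

# /etc/apache2/sites-enabled/blog.example.org  (placeholder domain)
<VirtualHost *:80>
    ServerName blog.example.org
    DocumentRoot /var/www/blog
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.org
    DocumentRoot /var/www/blog
    # No SSLCertificate* or other SSL directives here: the handshake already
    # happened with the certificate declared in 000-default-ssl.
</VirtualHost>
```

After `service apache2 restart`, `apache2ctl -S` should show `*:443` as a NameVirtualHost whose default server comes from 000-default-ssl, followed by blog.example.org; if the default server on 443 is another file, the rename did not take.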
