# uname -a


jeudi 18 février 2016

Debian 8 : Limit SSH users to SFTP

Let’s say you want to configure a secure remote file access for you users, but you can’t use FTPS for some reasons (problems with passive mode and commercial firewalls ? Yes !). Your only secure solution is either a VPN, or a SFTP access.

SFTP is great, but it may implies giving full command line access to your end users.  In order to prevent that, you could set-up a jailed SSH access with Jailkit and some bind mount, but it’s not that trivial to configure and to maintain ; and it may not work with software virtualization (Docker, LXCs…). There is a simpler solution.

The solution is : use the native chroot and limitations abilities of OpenSSH. Here is how.

Lire la suite...

mardi 6 août 2013

Configure 2-factor Yubikey authentication for Debian : the easiest way

One of last five years trending topics is the rise of Token authentication, to provide a safer way to authenticate than the classic login/password couple.

Today I will show you how to configure a 2-factor authentication (login/password + yubikey), in order to use it with your local Unix users as well as with SSH login (PAM powered).

In this tutorial, I will use the Yubico API, because it’s simpler. When using the API, the validity check will be computed by Yubico servers. By the way, you can set up your own authentication server if you don’t want to depend on Yubico servers.

  • First things first, you have to afford a Yubikey at http://www.yubico.com/

  • Get your Yubikey ID. You can use the 12 first digit of every Yubikey generated password, but you can also generate it from http://demo.yubico.com/php-yubico/Modhex_Calculator.php
    For lazy people, type this in a shell and activate your Yubikey : read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}

  • Create a .yubico directory in your home, and create a file named authorized_yubikeys inside it. Fill this file with your unix username and Yubikey ID like that : username:yubikeyid

  • Next, create a id/secret couple for each server ou service you want to authenticate : https://upgrade.yubico.com/getapikey/
    The ID returned after submitting the URL is the service ID, and the secret is the associated secret. Every pair ID/secret is unique.
    You could use the same id/secret for every server you configure, but it is not intended for : you should use a different id/secret couple for every different server.

  • Log in to your server as root, and install libpam-yubico (from apt : apt-get install libpam-yubico).

  • And configure it : sudo dpkg-reconfigure libpam-yubico. When prompted, set the service ID in place of the N in id=N and the secret in place of the K in key=K.

  • Then apply the configuration with the command pam-auth-update.

That’s all ! Every PAM-compliant authentication will now ask for the Yubikey code to authenticate (as well as login and password). When login from SSH, juste activate your Yubikey after typing your password, before typing “enter”.

Warning : if you messed up the Yubikey configuration and are using “sudo” before every command, you will be locked outside your server ! After dpkg-reconfigure, if you checked “Yubico authentication”, it will ask for a Yubikey code every time a “sudo” authentication is required, so keep a root terminal opened to revert your changes.