Oct 12 2014

Pretty long title for a pretty long piece of work, which took me longer than I initially thought. And because I had to blend information from multiple sites, here is a unified post.

Let’s start with the goal.

I wanted root access to my home machine via SSH/SFTP with a strong authentication system; but I also wanted to offer a friend of mine access to an externally connected hard drive with a simple password.

And to keep everything more secure, I wanted this guy chrooted into the only directory he can log in to.

I will not cover the strong authentication setup, since there are very good instructions on the Duo site.

To enable strong authentication only for root, I had to modify my /etc/ssh/sshd_config file a little, as shown below.

  • disable PAM integration by putting a hash at the beginning of the line:
    # UsePAM yes

    This is needed since we’re going to use the Match Group directive.

  • insert the following lines below the Subsystem sftp /usr/lib/openssh/sftp-server line:
    Match Group root
      ForceCommand /usr/sbin/login_duo

Save and exit, restart the ssh service and test it: when you ssh to the system and type in the root username and password, something similar to what is reported below should appear:

$ ssh root@192.168.1.50
root@192.168.1.50's password: 
Duo two-factor login for root
Enter a passcode or select one of the following options:
 1. Duo Push to +XX XXX XXX 1791
 2. Phone call to +XX XXX XXX 1791
 3. SMS passcodes to +XX XXX XXX 1791
Passcode or option (1-3):

Once you choose (for example) 1 and confirm on your authentication device, login will complete.

To enable chrooted access for my friend without forcing him to enroll in strong auth, I created an sftp group with the command:

groupadd sftp

Then I added him to this group with the command:

usermod -G sftp <login name>

I also disabled his shell with the command:

usermod -s /usr/sbin/nologin <login name>

and set his home directory to my external disk with the command:

usermod -d /media/external/friend <login name>

Finally, I created the following entries for sftp in the /etc/ssh/sshd_config file, under the Subsystem sftp /usr/lib/openssh/sftp-server line, as shown below.

Match Group sftp
  ChrootDirectory /media/external/friend
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp

Nota bene: the directory friend must be owned by root with mode 700. Because my friend is part of the sftp group, to allow him to upload content I needed to create a directory upload below the directory friend and chown it to his login name, as shown below:

[screenshot: directory listing]

If you want some more background info about why you need to change the ownership and set the rights as mentioned, check here.

Once you complete all the editing, remember to restart the ssh service with the command

service ssh restart
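A pre-flight check for the chroot setup above, added here as an example and not part of the original post: it walks every path component from / down to the ChrootDirectory and reports anything that violates sshd's documented requirement (root-owned directories, not writable by group or others), which is the usual cause of a "bad ownership or modes for chroot directory" refusal. The StatLike type and fake_stat helper are constructed so the check can be exercised offline.

```python
import os
import stat
import sys
from collections import namedtuple

# Minimal stand-in for an os.stat result; used by the test and for dry runs.
StatLike = namedtuple("StatLike", "st_uid st_mode")


def chroot_chain_problems(chroot_dir, stat_fn=os.stat):
    """Reasons sshd would refuse this ChrootDirectory (empty list = OK).

    sshd requires every component from / down to the chroot directory to be
    a root-owned directory not writable by group or others; otherwise the
    login fails with "bad ownership or modes for chroot directory".
    """
    problems = []
    path = os.sep
    prefixes = [path]
    for part in os.path.normpath(chroot_dir).split(os.sep):
        if part:
            path = os.path.join(path, part)
            prefixes.append(path)
    for p in prefixes:
        try:
            st = stat_fn(p)
        except OSError as exc:
            problems.append("%s: cannot stat (%s)" % (p, exc))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append("%s: not a directory" % p)
        if st.st_uid != 0:
            problems.append("%s: owned by uid %d, must be root" % (p, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: writable by group/others (mode %o)"
                            % (p, stat.S_IMODE(st.st_mode)))
    return problems


def fake_stat(table):
    """Build a stat function from a {path: StatLike} table (for testing)."""
    def _stat(p):
        if p not in table:
            raise FileNotFoundError(p)
        return table[p]
    return _stat


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/media/external/friend"
    for line in chroot_chain_problems(target) or ["%s: OK" % target]:
        print(line)
```

Run it as root on the box before restarting sshd; the upload directory below the chroot is the only place that should be owned by the friend's account.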

Enjoy!

 

Oct 29 2013

This post is a corollary to the previous one on building iOS client based IPSec VPN with the Stonesoft NGFW.

Testing the same configuration with the OS X native VPN client, which you can configure in System Preferences – Network, I found that things have changed a little in Mountain Lion (and Mavericks). Due to Gatekeeper’s enhanced protection, you need to open your Keychain on the Mac to modify some privileges.

Click on System and identify the certificate you are using to authenticate your machine.

Once found, you just need to expand it to show the private key portion, as shown below (yeah, the screenshot is in Italian but I think you get the point):

[screenshot: PrivateKey]

 

Then you “open” access to that component to every application, as shown below (again, screenshot in Italian):

[screenshot: OpenAccess]

Once you do this and confirm, the VPN will start working again as it did previously (for example, in Snow Leopard).

Enjoy,

RoarinPenguin

Mar 21 2013

Seafile is a cool project about building a private “Dropbox-like” system.

Although young, it looks VERY promising and it is well documented.

The only dark spot is that if you follow the manual step by step you end up with an HTTP web server frontend, which is definitely not ideal if you’re looking for security.

Info about how to decently configure Apache2 is a bit dispersed across multiple sites, hence I’ve decided to detail in this post the few simple steps you need to achieve a Seafile-based private cloud where even the web frontend works over HTTPS.

Let’s pick up from where you end up if you follow the instructions published by Seafile Team.


Sep 30 2010

Found a very nice shortcut thanks to a friend of mine who has known Macs for longer than me (at least the modern ones).
Press Shift+Command+4 to select a region of the screen and save it to the desktop in PNG format, instead of the Screen Capture utility saving in TIFF.
Add the space bar to select the whole window the mouse is over and save it as PNG on the desktop.
Very handy, hence a note to self.

Jan 11 2009

Ever wondered how to connect your Linux box via Bluetooth, for instance to allow file transfers with your phone?

I found some cool and working hints on the Net; reporting here below what worked for me.

  1. Connect your USB dongle.
  2. Install what you need:
    apt-get install obexftp bluetooth
  3. Then you need to set the system to use a predefined PIN, since the box has no console and very probably you would like to type the PIN only on the phone side when connecting to the box.
    To do this, edit the file /etc/bluetooth/hcid.conf and change the following defaults:
    # Security Manager mode
    #   none – Security manager disabled
    #   auto – Use local PIN for incoming connections
    #   user – Always ask user for a PIN
    #
    security auto;        <== set by default to user

    and
    # Default PIN code for incoming connections
    passkey "58336342";   <== set by default to 1234, not secure enough IMHO…

Now, back to the phone connection:

  1. Scan for the phone’s address:
    hcitool scan
    This will return the address of your device, like:
    magicbox:~# hcitool scan
    Scanning …
            00:17:E4:82:F4:64       RoarinPenguin
  2. Now we need to find the channel for file transfers:
    magicbox:~# sdptool browse 00:17:E4:82:F4:64
    This will return all the details about the services provided by the phone:
    magicbox:~# sdptool browse 00:17:E4:82:F4:64
    Browsing 00:17:E4:82:F4:64 …
    Service Name: AVRCP Target
    Service Description: Audio Video Remote Control
    Service Provider: Symbian Software Ltd.
    Service RecHandle: 0x10000
    Service Class ID List:
      "AV Remote Target" (0x110c)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
        PSM: 23
      "AVCTP" (0x0017)
        uint16: 0x100
    Profile Descriptor List:
      "AV Remote" (0x110e)
        Version: 0x0100

    Service RecHandle: 0x10001
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 1

    Service Name: Dial-Up Networking
    Service RecHandle: 0x10002
    Service Class ID List:
      "Dialup Networking" (0x1103)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 2
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "Dialup Networking" (0x1103)
        Version: 0x0100

    Service Name: OBEX Object Push
    Service RecHandle: 0x10003
    Service Class ID List:
      "OBEX Object Push" (0x1105)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 9
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX Object Push" (0x1105)
        Version: 0x0100

    Service Name: Hands-Free Audio Gateway
    Service RecHandle: 0x10004
    Service Class ID List:
      "Handfree Audio Gateway" (0x111f)
      "Generic Audio" (0x1203)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 28
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "Handfree Audio Gateway" (0x111f)
        Version: 0x0101

    Service Name: Headset Audio Gateway
    Service RecHandle: 0x10005
    Service Class ID List:
      "Headset Audio Gateway" (0x1112)
      "Generic Audio" (0x1203)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 29
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "Headset" (0x1108)
        Version: 0x0100

    Service Name: Imaging
    Service RecHandle: 0x10006
    Service Class ID List:
      "Imaging Responder" (0x111b)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 15
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "Imaging" (0x111a)
        Version: 0x0100

    Service Name: SyncMLClient
    Service RecHandle: 0x10007
    Service Class ID List:
      UUID 128: 00000002-0000-1000-8000-0002ee000002
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 10
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "" (0x00000002-0000-1000-8000-0002ee000002)
        Version: 0x0100

    Service Name: OBEX File Transfer
    Service RecHandle: 0x10008
    Service Class ID List:
      "OBEX File Transfer" (0x1106)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 11
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX File Transfer" (0x1106)
        Version: 0x0100

    Service Name: Nokia OBEX PC Suite Services
    Service RecHandle: 0x10009
    Service Class ID List:
      UUID 128: 00005005-0000-1000-8000-0002ee000001
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 12
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "" (0x00005005-0000-1000-8000-0002ee000001)
        Version: 0x0100

    Service Name: SyncML DM Client
    Service RecHandle: 0x1000a
    Service Class ID List:
      UUID 128: 00000004-0000-1000-8000-0002ee000002
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 13
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "" (0x00000004-0000-1000-8000-0002ee000002)
        Version: 0x0100

    Service Name: Nokia SyncML Server
    Service RecHandle: 0x1000b
    Service Class ID List:
      UUID 128: 00005601-0000-1000-8000-0002ee000001
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 14
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x454e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "" (0x00005601-0000-1000-8000-0002ee000001)
        Version: 0x0100

  3. The interesting channel for us is OBEX File Transfer, thus 11. Let’s browse what the phone has to offer:

    obexftp -b 00:17:E4:82:F4:64 -c / -l

    This command connects to the phone with the given address, changes to the "/" (root) directory and lists its contents.

Now, one could ask how to send files to the box. Well, so far I have discovered how to “pull” them from the phone onto the box using the obexftp command as follows:

obexftp -b 00:17:E4:82:F4:64 -c /<path_on_the_phone> -g picture1.jpg

There should be another way to put the box in listening mode through the rfcomm command, but that’s food for another article 😉 since I first have to read and “digest” articles like this one.
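Reading the channel off the sdptool dump by hand works for one phone; the parser below, added as an example and not part of the original post, does the same lookup programmatically over a constructed sample abridged from the output above (same record layout, same channels), and skips records that carry no Service Name, like the 0x10001 one in the dump.

```python
# Constructed sample: two service records abridged from the sdptool browse
# output shown in this post (same layout and channels as the real dump).
SAMPLE = """\
Browsing 00:17:E4:82:F4:64 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10003
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service Name: OBEX File Transfer
Service RecHandle: 0x10008
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 11
  "OBEX" (0x0008)
"""


def parse_sdp_channels(text):
    """Map each named service record to its RFCOMM channel (None if it has none).

    Records are separated by blank lines; the channel is the "Channel:" line
    that directly follows the "RFCOMM" protocol entry. Unnamed records are skipped.
    """
    records, name, channel, after_rfcomm = {}, None, None, False
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if name is not None:
                records[name] = channel
            name, channel, after_rfcomm = None, None, False
        elif line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith('"RFCOMM"'):
            after_rfcomm = True
        elif after_rfcomm and line.startswith("Channel:"):
            channel = int(line.split(":", 1)[1])
            after_rfcomm = False
    return records


def obex_ftp_channel(text):
    """RFCOMM channel of the OBEX File Transfer service, or None if absent."""
    return parse_sdp_channels(text).get("OBEX File Transfer")


if __name__ == "__main__":
    print(obex_ftp_channel(SAMPLE))   # 11 for the phone in this post
```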

Sep 03 2008

I just learnt something cool to fine-tune a WiFi net and, before I forget, it’s better to take note as usual.

It has to do with channels and frequencies; the issue at home was that my WiFi was not performing as I was expecting.

It was configured to run on channel 8, since I had noticed that many of the others in range were running on channel 11.

The problem is that of the 11 (sometimes 13) channels available for WiFi, only three are orthogonal, that is, only three do not overlap at all: 1, 6 and 11.

All the others overlap at least partially, so a performance drop can happen.

I reconfigured the channel to be 1 and b-b-b-b-booom!

WiFi is going perfectly at full speed even from low power devices like iPod or Nokia WiFi phone.

Cool!

And I used a cool and easy piece of software to view the details of the different WiFi networks: it is called WirelessNetView and is freely downloadable from www.nirsoft.net.

Mar 29 2008

One of the things I like about Linux is that, despite having worked with it since 1994, I never stop learning parts of it.

Today my need was the following: I dd’ed a 20 Gb backup onto a 40 Gb HDD and it worked smoothly, but the problem was that the filesystem on the first partition was 20 Gb while the partition was 40 Gb (more or less).

Therefore I needed to extend my filesystem to match the partition size, to benefit from the additional disk space offered by the new HDD. Googling a bit, I discovered a command that did the magic very smoothly: resize2fs.
All I needed to do was launch the command followed by the device holding the filesystem to be resized, no matter whether the filesystem is mounted or not, as follows: resize2fs /dev/hda1

The output was, pleasantly, the following:

resize2fs 1.40-WIP (14-Nov-2006)
Filesystem at /dev/hda1 is mounted on /; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 3
Performing an on-line resize of /dev/hda1 to 8835742 (4k) blocks.
The filesystem on /dev/hda1 is now 8835742 blocks long.

Needless to say, AFAIK on Windows this is a dream without costly software, and even then…