Author: iyield

Senior Sys. Admin. / GDO JS-Vantage dev. @ Compuware Corporation.

Yubico. The entreprise implementation.

Ok.

So, I did play with the Yubi key for a while now and I think this is the time to bring it on to the next level.

I will try to implement the solution to SSH login on 25% of our Linux boxes. I will try to finish that ASAP and will let you know the user’s feed back. Now, let’s place order at http://yubico.com for a bunch of keys… And the nano one for me… 😉

Will keep you posted.

P.S : I’m also thinking to use the Yubico radius server for our VPN connectivity. May be… Will see if I have time for that.

Bike.

1H20 for 25 Km with my bike this morning to go to work.

Front wind, big bridge and dangerous city street…

Not a bad time for the first year run…

BOINC: SETI@HOME. My stats

Yubico, YubiKey + SSHD and PAM.

So, here we go, a month after.

I did play with the Yubikey like explained in the previous post. I did not try back with the Google Apps but did make it work with the SSHD/PAM. I have to say it work’s really well. The only thing is that I would like it to work along with RSA key.

I did try it with the Yubico and SSH RSA keys and the RSA keys always take over… I am not sure if this how it should be or if I just need to change a PAM config ? I will need to check back on that.

I did stated in my previous post that I did not find any good Debian documentation. That is not true… Sorry… I did find one, however, I was to much in a hurry that I missed some stuff… And that one step was not really clear…

So here is the link for the documentation. : http://code.google.com/p/yubico-pam/wiki/YubikeyAndSSHViaPAM

This doc is from Yubico them self.. However, as step #1, Administrative level, you should know that the yubico token id is spliced in 2 parts and that the first part is the first 12 characters on one OTP password and the 2nd are the last 12 of that same password in order to work. I had to figure it out… :

<user name>:<yubikey tokan ID>:<yubikey tokan ID>:

Note that this it the same as per user basis.

Update : This is a better post to use yubikey with ssh keys, just note that I did not tested yet, but as by reading it, it look like a good alternative.

http://berrange.com/?s=yubico

P.S : Again, sorry for my dirty english…

Yubico and the YubiKey. The start of a trial.

*Very quick post…

Hi there,

As stated earlier, I did received a yubiko key a couple of week’s ago. Fortunately or unfortunately, as I was on a 6 week vacation in Mexico, I couldn’t play much with it. I guess I was too much occupied by drinking and ”sport’s”.

On that, I’m now starting to play with the key. I have so far done 4 thing with it.

– Configure the slot 2 to use static password to use with TrueCrypt and other thing’s that only support static password. So far, that part work’s fine.

– I configured my GoogleApps account to use the SSO(single sing on) using the Yubico OTP server. This however lead me to have all my domain account use the SSO OTP server… Wich is a problem for the other user of my domain that do not have a key… So I had to roll back… But if I can activate this feature for only specific account’s… I WILL use it for SURE ! It did work well ! I guess I will need to ask google if that is possible since I did not find any way to enable that per user basis… Or may be I’m blind… That is very possible as well.

– I try to configure a local Linux box running Debian to use the yubiKey for SSH login. This use a PAM library from Yubico called libpam-yubico. I however not been able to make it work successfully… Please note that I did all that in the last 3-4 days between other stuff… So I did quick and may have skip some steps… I will come back on that.

– Created a LastPass account. I did not linked my Yubico key to it yet. I will try to play a little much with LastPass before to see if I like that too… I use to use KeyPass before with my data base saved in DropBox… Will let you know if I switch to the ”premium” version of LastPass that let use the YubiKey with the Yubico OTP server with it…

So ! What can I say so far ?

Well, it seem to be a verry cool way to enhanced my logon security on all the different web services and local password I use. I can’t say so far if I will adopt it for good or if it will stay a project/toy… I will post back on the subject soon and will also try to post great tutorial, specially with Debian Linux with I didn’t find much on the internet, or at least not exactly what I was looking for…

Stay tune !

P.S : I know ! My english writing is very very bad ! ;-(

Lucky me.

I received a email this morning from Yubico marketing.

It seem like I was good enough embassador and I will receive a free Yubico key as long with a T-Shirt.

Yeah !

I am very excited to play with it for my personal use and see how can I apply that in my company.

Cool !

Yubico – A little promotion for a great product.

Hi There,

This is a short post to promot a great security product by a company named Yubico. Yubiko is a 2nd level of authentication for cloud services and other with a key that ”generate” strong password. You can view all the details here : yubico.com/yubicloud and consider supporting YubiKey login

Also, this product has been discussed on a good show that I listen.: HAK5 see: hak5.org

Thanks !

XKCD. Funny one…

MediaWiki search index with 3 letters acronyms.

Hi there,

Today I had to fix a ”feature” of MediaWiki using a MySQL DB.

The ”feature” in question is that we where not able to do search with only 3 letters word or acronyms. It indeed return result, but not all of them… It turn’s out that for performance reasons, MySQL an MediaWiki are set to index ”words” starting only with 4 caracters..

So, if you where searching for SSH, you would get result but not all of them. The fix is pretty easy when you know where to search… And I did search for a long time… lol

So, here is a step by step example to change that ”behaviour”

1- Go to /etc/mysql or /etc and edit the my.cnf with vi or preferred editor…

2- Go to the [mysqld] section and add : ft_min_word_len=3

3- go to mysql command prompt by typing : mysql -p or whatever will bring you MySQL server command line and choose the correct DB. You can type use db_bame;

4- At the mysql command prompt, also type this : REPAIR TABLE searchindex QUICK;

5- restart or reload the MySQL DB(just to be sure)

6- go to the wiki folder (/var/www/wiki) or where it is on your server and edit LocalSettings.php config file and add : $wgDBminWordLen = 3;

7- Reload APACHE. /etc/init.d/apache2 reload

8- Rebuild mediawiki index like explained here : http://www.mediawiki.org/wiki/Manual:Rebuildtextindex.php

9- Have fun testing…

10- Leave a comment or question 🙂

Apple and ”my 2 cents”

Hi Everyone,

Today’s post is my 2 cents of the day. Why? Well… I’m a little tired that peoples think that I am a Apple fan with it’s logo tattoed on my chest…

I know, the apereance are against me since I own a MBP 15”, a iPad 1^st gen, and a iPhone 4.

However, the only reason I do love Apple product at this time is that they are; in my opinion; the ”best” on the market at this right given time.

You would have ask back 5 or 10 years or even 4 years ago; what laptop would you purcharss; I would have answred with a complet different thing…

So, what is my point here? Well, read back the line that start with the word ”however”…. That’s it!

Oh! And I do not give Apple all the credit, there are other great product out there as well and I know it… Since I use them too…;-)

Hope this answer the ”critics” answer’s?

My 2 cents.

iYield's Blog

Why bothering when you can script it !