Two Factor SSH Authentication - Pubkey Yubikey

OpenSSH >= 6.2 supports “multi factor authentication” which is to say you can require multiple forms of identification to complete authentication for the SSH connection.

A real world comparrison would be I suppose providing more than one form of identification to open a bank account.

OpenSSH 6.2 introduces the AuthenticationMethods setting; this combined with pam_yubico can be used to require that the connections provides both the SSH public key and the yubikey O.T.P (One time password).

OpenSSH 6.2 is included Fedora 19 and for a while now OpenSSH has supported the Match Group (I covered the use of such for chrooting users easily).

So we’re going to combined this combination such that we attain the following:

  1. SSH Connections will require pubkey authentication
  2. SSH Connections will also require yubikey authentication
  3. The above will be applied to specified users via the Match Group clause

To be clear if the connection does not provide a valid public key for the user; it will never reach the yubikey prompt stage; also if the provided yubikey OTP is invalid authentication will also fail.

Install the pam_yubico package: sudo yum -y install pam_yubico

At the end of your /etc/ssh/sshd_config add the following:

Match Group mfagroup
    AuthenticationMethods pubkey,keyboard-interactive

You will also need to set ChallengeResponseAuthentication yes in your sshd_config file.

The above is the bare minimum you can add any additions you wish; and restart sshd.

Create the file /etc/pam.d/yubi-auth with the content

auth sufficient id=your_yubicloud_id key=your_yubicloud_api_key authfile=/etc/ssh/yubikey_mappings url= debug

Note: I am specifying the URL as the default will use http and not https despite what the documentation might say.

Create the file: /etc/ssh/yubikey_mappings with the content:


You can get your yubikey identity from

Edit /etc/pam.d/sshd so that the first lines read:

auth       include     yubi-auth

And finally create a user in your group, in this case we’re using the mfagroup.

useradd -g mfagroup -s /bin/bash username and install their public ssh key in /home/username/.ssh/authorized_keys, ensuring proper permissions.

All being well when you try to login with the user you should see the following:

Authenticated with partial success.
Yubikey for `username': 

And you have sucessfully setup two factor ssh authentication with public keys.


SELinux on Amazon AMI Linux

This took a little digging into; in order to get SELinux to function on Amazon AMI Linux you must carry out the following steps.

yum -y install policycoreutils selinux-policy-targeted

Now edit /etc/grub.conf and ensure your kernel line looks something like the following:

title Amazon Linux 2013.XX (3.XX.XX-XX.XX.amzn1.x86_64)
root (hd0)
kernel /boot/vmlinuz-3.XX.XX-XX.XX.amzn1.x86_64 root=LABEL=/ console=hvc0 selinux=1 security=selinux enforcing=1 LANG=en_US.UTF-8 KEYTABLE=us
initrd /boot/initramfs-3.XX.XX-XX.XX.amzn1.x86_64.img

Note the addition of “selinux=1 security=selinux enforcing=1”

Now: touch /.autorelabel

And: /sbin/new-kernel-pkg --package kernel --mkinitrd --make-default --dracut --depmod --install 3.XX.XX-XX.XX.amzn1.x86_64 || exit $?

Replacing the XX portions with your running kernel or you can use substitute in the uname -r output; this one liner script was obtained from: rpm -q --scripts kernel and is required to rebuild the initrd image such that the selinux settings can take effect.

Alternatively if there are updates outstanding a yum -y update will acheive the same thing (selinux settings should persist); after all of this you can now reboot and wait.

This will take a while to start back up as an selinux relabel is running (this is what the touch /.autorelabel achieves.

All being well selinux should now be running enforcing in targeted mode; if not check your /etc/selinux/config file.


Percona Live UK 2013

Percona Live London 2013 drew to a close yesterday, following some truely great talks.

I myself presented a talk on security which it appears was very well received, and I am hopeful this talk will make it into the line up for percona live 2014.

My talk was well received and there was a lot of great Q&A both during and after the session … though I did run 15 minutes over sorry Tim I’ll have to buy you a beer by way of appology at the next confernece.

Ryan H also gave a great talk on backups, I’ll update this blog post with a link to the slides once tey become available.

I’ve posted some photos of the event aswell.

More to come.


Tor Gains 1.2M Users in Wake of NSA Scandal Ironically Making It Easier for the NSA

So … TOR is supposed to have gains 1.2 Million users following all the fanfare around the NSA.

If I were to facepalm at this point I fear my face would pushed out the back of my skull, so let me relay a small bit of insight.

TOR is an anonymizing proxy so long as every node along the chain is “behaving”, let’s say fo sake for argument somene sets up a malicious exit node, Jackin’ TOR shows just such a setup used to inject content into http requests.

  • inject javascript
  • javascript executed by browser, makes request to malicious host
  • identifying the browser if exploit exits this can now be used
  • malicious payload send back in request
  • malicious program now running makes direct request to C&C server (this does not go out via TOR, rquest is no longer anonymous)
  • we can pretty much do anything we want now with the system

And if the above does not work?

  • inject javascript
  • steal cookies
  • steal users accounts with banking, email, other services.

I Am Alive, the Last 8 Months in Review

Well, where to begin.

2013 has been a year of change for myself, after a long consideration period spanning several months in 2012 I felt that it was time to move on from Psycle Interactive as their Systems Administrator; the new roles “on the table” were as follows:

  • Percona - Systems Admin role which later became a Remote DBA role
  • Rackspace - Systems Admin
  • Google - Systems engineer
  • Facebook - Systems engineer

I accepted the offer from Percona becoming part of the Remote DBA team; the growth over the last 8 months has in my opinion been very rapid; the team and client list has more than doubled in size.

So some highlights on what I have been up to this year (well what I can talk about at least).

There’s so much more which I can not talk about with it being IP / NDA related.

Expect more security focused posts soon as I work on their content.