Steve's Blog

Java update broke the Dell DRAC 5 remote management cards!

So the OpenJDK package in most Linux distros has now been upgraded to v1.8. This includes a fix for the SSLv3 POODLE vulnerability: SSLv3 is now disabled by default.

This has one problem. The Dell DRAC 5 remote management cards installed in a lot of Dell servers rely on SSLv3 to operate. Without it you can still get into the web interface, but the Java component then fails with an error stating "Error when reading from SSL socket connection" and you get no further.

Thankfully, it is simple to re-enable SSLv3 to allow the connection to succeed.

Open up /usr/lib/jvm/*/jre/lib/security/java.security in your favourite editor as root, and change the following line:

jdk.tls.disabledAlgorithms=SSLv3

to

jdk.tls.disabledAlgorithms=

This enables SSLv3 for all Java applications on the system; however, it exposes you to the man-in-the-middle attack described in CVE-2014-3566. I suggest having a read of the CVE to decide whether you want to leave this setting in place on your system or disable SSLv3 again afterwards.
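Because the edit above weakens every JVM on the box, it is worth being able to see at a glance whether a given java.security file still disables SSLv3. The following is an added check written for this post, not part of the original post or of any JDK tooling; it reads jdk.tls.disabledAlgorithms from a java.security file (including the backslash continuation lines newer Java releases use) and the two sample files it runs against are constructed stand-ins for the real /usr/lib/jvm/*/jre/lib/security/java.security.

```shell
#!/bin/sh
# Added check (not from the original post): report whether a java.security
# file still lists SSLv3 in jdk.tls.disabledAlgorithms. It copes with '#'
# comment lines and with backslash line continuations, which later Java
# releases use to spread the value over several lines.

# Print the effective value of jdk.tls.disabledAlgorithms in file $1
# (empty output if the property is unset or set to nothing).
disabled_algorithms() {
    awk '
        /^[ \t]*#/ { next }                  # skip comments
        { line = line $0 }                   # accumulate the logical line
        /\\$/ { sub(/\\$/, "", line); next } # join continuation lines
        {
            if (line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)
                value = line                 # last assignment wins, as in Java
            }
            line = ""
        }
        END { print value }
    ' "$1"
}

# Exit 0 if SSLv3 is disabled in file $1, 1 if it has been re-enabled.
sslv3_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'SSLv3'
}

# Constructed sample files standing in for the real
# /usr/lib/jvm/*/jre/lib/security/java.security.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/default.security" <<'EOF'
# comment line mentioning SSLv3 must not count
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224
EOF
cat > "$WORK/weakened.security" <<'EOF'
jdk.tls.disabledAlgorithms=
EOF

for f in "$WORK"/*.security; do
    if sslv3_disabled "$f"; then
        echo "$f: SSLv3 disabled (safe)"
    else
        echo "$f: SSLv3 ENABLED, exposed to CVE-2014-3566"
    fi
done
```

If you only need SSLv3 for the DRAC viewer, a less risky alternative to editing the system-wide file is to put the `jdk.tls.disabledAlgorithms=` line in a separate properties file and pass it to just that JVM with `-Djava.security.properties=/path/to/file`; Java honours that override because `security.overridePropertiesFile=true` is the default in java.security.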

Two factor SSH auth with Yubikeys

A while ago I wrote about how to do this exact thing but with an older version of openssh.

If you’re running a newer version of OpenSSH, the configuration syntax has changed somewhat.

Firstly, once you’ve got your yubikey, you’ll need to enable EPEL for EL6/7 and install the pam_yubico package.

You’ll then need to modify the sshd pam file /etc/pam.d/sshd. There are two options here.

1) You require just the OTP; or

2) You want the OTP and a password.

If you want just the OTP, you add this just after the #%PAM-1.0 header:

auth       sufficient   pam_yubico.so id=16 authfile=/etc/yubikey_mappings

If you want both password AND OTP, you add this:

auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings

Now create the /etc/yubikey_mappings user-to-key mapping file. The pam_yubico README says:

Create a /etc/yubikey_mappings, the file must contain a user name and the
Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey.

The mappings should look like this, one per line:

------
   first user name:yubikey token ID1:yubikey token ID2:….
   second user name:yubikey token ID3:yubikey token ID4:….
------

Now, if you want to go further and require both a ssh key AND an OTP, you can add the following to /etc/ssh/sshd_config:

AuthenticationMethods publickey,password

Now after you supply a valid ssh key you will be asked for your password. If you’ve set this up correctly, this will either be your password + OTP or just OTP.
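A malformed line in /etc/yubikey_mappings silently locks a user out (or, worse, maps one token to two accounts), so it pays to validate the file before restarting sshd. The check below is an added example written for this post, not code from the pam_yubico project; it relies on the fact that a YubiKey token ID is the 12-character modhex prefix of every OTP the key emits, and the sample mapping files (and their token IDs) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pam_yubico
# mapping file before relying on it. Each line is user:tokenid[:tokenid...];
# a token ID is the 12-character modhex public ID that prefixes every OTP.

# Print one "file:line: problem" per issue and exit 0 only if none is found.
check_yubikey_mappings() {
    awk -F: '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errors++ }
        /^[ \t]*(#|$)/ { next }                      # blanks and comments
        NF < 2 { bad("expected user:tokenid"); next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { bad("invalid user name \"" $1 "\"") }
        {
            for (i = 2; i <= NF; i++) {
                if (length($i) != 12 || $i !~ /^[cbdefghijklnrtuv]+$/)
                    bad("token " (i - 1) " for " $1 " is not a 12-character modhex ID")
                else if (($i in owner) && owner[$i] != $1)
                    bad("token " $i " is already mapped to user " owner[$i])
                else
                    owner[$i] = $1
            }
        }
        END { exit errors ? 1 : 0 }
    ' "$1"
}

# Constructed sample mappings (the token IDs are made up, not real keys).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/good.map" <<'EOF'
# constructed /etc/yubikey_mappings
alice:cccccccccccb:cccccccccccd
bob:ccccccccccce
EOF
cat > "$WORK/bad.map" <<'EOF'
carol:notmodhex123
dave:cccccccccccb
erin:cccccccccccb
EOF

for f in "$WORK"/*.map; do
    if check_yubikey_mappings "$f"; then
        echo "$f: OK"
    else
        echo "$f: FAILED"
    fi
done
```

Run it as `check_yubikey_mappings /etc/yubikey_mappings` after every edit; a non-zero exit means at least one line would not do what you expect.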

Enjoy!

Update 21/Jun/2015

One common question I get is how to allow access without a yubikey from inside the office while forcing its use from outside. This has a couple of parts; mainly, you’ll probably want to accept just a public key from inside, but require a public key plus a yubikey OTP from outside.

We do this by using a Match block in /etc/ssh/sshd_config as follows:

AuthenticationMethods publickey,keyboard-interactive

Match Address 10.1.1.0/24
        AuthenticationMethods publickey

In this method, we require that EVERYONE authenticate with a public key plus the keyboard-interactive method, then allow exceptions for the small address ranges we trust. I also recommend making the following changes:

PasswordAuthentication no
ChallengeResponseAuthentication yes

This prevents skipping the yubikey auth by just using a password. However, since we’re now using PAM as the auth source, a password can still be accepted via PAM, so we need to disable that in /etc/pam.d/sshd by commenting out these lines:

#auth       substack     password-auth
#password   include      password-auth
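The Match block above is easy to get subtly wrong (a typo in the CIDR, or a second Match block that shadows the first), and the only feedback sshd gives is whether or not a yubikey prompt appears. The script below is an added example written for this post, not part of the original post or of OpenSSH; given an sshd_config and a client IPv4 address it prints the AuthenticationMethods sshd would demand, following sshd's rule that the first value obtained wins and that a matching Match block overrides the global section. It evaluates only Match Address criteria; a Match block with any other criterion (User, Group, and so on) is assumed not to match, and the sample config it runs against is the one from this post.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which AuthenticationMethods
# sshd will demand from a given client address under a config that uses
# "Match Address" exceptions, so you can confirm the office range really is
# exempt and everyone else still gets the yubikey prompt. Only "Match Address"
# criteria are evaluated; a block with any other criterion (User, Group, ...)
# is treated as not matching, which is an assumption of this example.

# usage: auth_methods_for sshd_config client_ipv4   (prints the methods list)
auth_methods_for() {
    awk -v client="$2" '
        function ip2int(a,   p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # 1 if ip lies inside cidr; a bare address is treated as /32
        function within_cidr(ip, cidr,   q, n, bits, block) {
            n = split(cidr, q, "/")
            bits = (n == 2) ? q[2] : 32
            block = 2 ^ (32 - bits)
            return int(ip2int(ip) / block) == int(ip2int(q[1]) / block)
        }
        function addr_matches(list,   a, i, n) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (within_cidr(client, a[i])) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" {
            in_match = 1; matching = (NF >= 3)
            for (i = 2; i < NF; i += 2) {        # criteria come in keyword/value pairs
                if (tolower($i) == "address") { if (!addr_matches($(i + 1))) matching = 0 } else matching = 0
            }
            next
        }
        tolower($1) == "authenticationmethods" {
            if (!in_match) { if (global == "") global = $2 }
            else if (matching && matched == "") matched = $2   # first matching block wins
        }
        END { print (matched != "") ? matched : global }
    ' "$1"
}

# Constructed copy of the config from this post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config" <<'EOF'
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
ChallengeResponseAuthentication yes

Match Address 10.1.1.0/24
        AuthenticationMethods publickey
EOF

for ip in 10.1.1.37 10.1.2.1 203.0.113.9; do
    echo "$ip -> $(auth_methods_for "$WORK/sshd_config" "$ip")"
done
```

Point it at the real file with `auth_methods_for /etc/ssh/sshd_config <address>`; an address from outside the trusted range must come back with keyboard-interactive in the list, or the yubikey is not actually being enforced for it.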

Hope this helps.

Hardening SSH in EL6

So I’ve been a bit paranoid of late when reading about the actions of the NSA. Looking at the default sshd configs that ship with distros like EL6, there is a lot that can be done; however, it requires updating to a newer OpenSSH version than the one that ships with EL6.

I now build openssh (currently v6.7p1) in my testing repo: http://au1.mirror.crc.id.au/repo/el6-testing/x86_64/

After installing this, I use the following to change options as required for ‘best practices’. A lot of these come from here. There is a bit more discussion on this by Aaron Toponce.

Firstly, remove existing SSH server keys and only create the following two. Also set AUTOCREATE_SERVER_KEYS=NO in /etc/sysconfig/sshd to stop missing keys being automatically recreated on start.

cd /etc/ssh/
rm -f ssh_host_*key*
echo AUTOCREATE_SERVER_KEYS=NO > /etc/sysconfig/sshd
# stdin from /dev/null answers the passphrase prompts with an empty passphrase
ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 16384 -f ssh_host_rsa_key < /dev/null

Then add the following to /etc/ssh/sshd_config. If you have any Match blocks, this must come before them, as everything after a Match line belongs to that block:

## Change key exchange preferences to pick secure methods.
KexAlgorithms   curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers         chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs            hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
HostKey         /etc/ssh/ssh_host_ed25519_key
HostKey         /etc/ssh/ssh_host_rsa_key

Then restart the sshd service: service sshd restart

Remember to always keep an SSH session open to the server as you do this; if you get it wrong, a failed start of sshd may lock you out of that system!
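Two things in the procedure above are easy to get wrong without noticing: leaving a HostKey line for one of the deleted key types, and pasting the new directives below an existing Match block, where they only apply to that block. The audit below is an added example written for this post, not code from the original post or from OpenSSH; it checks an sshd_config for exactly those mistakes plus a few cipher names that are known weak (arcfour, CBC modes, 3des), and the two sample configs it runs against are constructed, the first mirroring the directives from this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening directives above and for the ordering rule that they must sit in
# the global section, before any Match block.

# Print one problem per line; exit 0 only if the config passes every check.
check_sshd_hardening() {
    awk '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errors++ }
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        key == "match" { in_match = 1; next }
        key == "kexalgorithms" || key == "ciphers" || key == "macs" || key == "hostkey" {
            if (in_match) { bad($1 " sits inside a Match block; move it above the first Match line"); next }
            seen[key] = 1
        }
        key == "hostkey" && $2 !~ /ssh_host_(ed25519|rsa)_key$/ {
            bad("HostKey " $2 " is not one of the two keys generated above; remove it")
        }
        key == "ciphers" && $2 ~ /(arcfour|-cbc|3des)/ {
            bad("Ciphers still lists a weak cipher: " $2)
        }
        END {
            n = split("KexAlgorithms Ciphers MACs HostKey", want, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(want[i]) in seen)) {
                    printf "%s: %s is not set in the global section\n", FILENAME, want[i]
                    errors++
                }
            exit errors ? 1 : 0
        }
    ' "$1"
}

# Constructed sample configs: one done right, one with the classic mistakes.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/hardened.conf" <<'EOF'
KexAlgorithms   curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers         chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs            hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKey         /etc/ssh/ssh_host_ed25519_key
HostKey         /etc/ssh/ssh_host_rsa_key
AuthenticationMethods publickey,keyboard-interactive

Match Address 10.1.1.0/24
        AuthenticationMethods publickey
EOF
cat > "$WORK/misplaced.conf" <<'EOF'
KexAlgorithms   curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKey         /etc/ssh/ssh_host_ed25519_key
HostKey         /etc/ssh/ssh_host_dsa_key

Match Address 10.1.1.0/24
        Ciphers aes256-ctr
EOF

for f in "$WORK"/*.conf; do
    if check_sshd_hardening "$f"; then
        echo "$f: OK"
    else
        echo "$f: FAILED"
    fi
done
```

Run `check_sshd_hardening /etc/ssh/sshd_config` and then `sshd -t` (OpenSSH's config test mode, which reports syntax errors without starting the daemon) before `service sshd restart`, so a mistake is caught while your existing session is still open.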

The NBN under the Liberal Party of Australia

I’d like to just quote this post from Whirlpool, as it sums up the current state of the NBN perfectly.

fttnvdsl2 writes... to date I doubt very much that anyone has any appreciation of the amount of work that has gone into getting the network up and running from zero. with all due respect, only someone heckling from the sidelines with no knowledge of the project would think so.

Let’s see now after 15 months!

TurnBULL and Co still haven’t delivered

a) A Corporate Plan for the next 3 years

b) A 3 year rollout Plan

c) Even a coherent 12 month rollout Plan is still being formulated

d) No idea of how much remediation of Telstra’s copper will be required

e) No idea of how much repair and replacement of HFC networks will be required

f) No idea of how much they are going to have to charge for the USO and the billions that will have to be pissed down the gurgler maintaining obsolete copper

g) A revenue model which the financial industry won’t piss themselves laughing at (which I might ADD is now in complete disarray)

h) TPG openly ripping into the LNP’s FRAUDBAND network with its unguaranteed UPTO 25Mbps by deploying their own FTTB network

i) No 1Gbps retail plans on the market

j) No migration of the existing 12/1 base tier to 25/5Mbps (Noting that Labor’s NBN was to start the migration to a 10Gbps network in 2016)

k) A plethora of product designs not delivered

l) A legislative program that is questionable to say the least not to mention the reality that much of it may be blocked in the Senate due to being what can only be described as piss poor value for Australian citizens

As for the work that Labor did do prior to the vandals demolishing the NBN well that’s simple for those of us who actually do understand what has been done! e.g.

Built from scratch a company of close to 3000 people with all of the processes and systems with the ability to:-

a) Work through, develop and construct the legislative programs that would be required to deliver the statement of expectations of the Government together with the necessary recommendations to assist in that process.

b) Delivered the Interim Satellite service on “time” and on “budget” – to replace the dial up Satellite service that the LNP were previously responsible for which I might add that the LNP were happy to see continue being delivered by the private sector!

c) Built the Long Term Satellite solution that is on ““schedule”” and on ““budget”” for services beginning in mid 2015 in the face of the LNP’s opposition who called it the Rolls Royce of all Satellite services and that we didn’t need it because and wait for this – because there was enough capacity in the private Satellite market to service all of Australian’s needs!

d) Contracted for, trialled and were rolling out a Fixed Wireless network on budget!

e) Delivering the National Transit Network to support all access technologies, which was on budget and on schedule for completion by 2015 under him.

f) Designed and delivered the OSS/BSS systems through to the production environment and commissioned these to function at scale.

g) Designed and delivered the National Test Facility and a Network Operations Centre which is an important component in the management of National network

h) Responsible for the successful development and launch of a suite of Products covered by WBAs.

i) The successful negotiation of the Telstra agreement for access to their pit and pipe infrastructure that would avoid the requirement to duplicate existing infrastructure nationally together with gaining access to their dark fibre network which would over the lifecycle of the project reduce capex expenditure together with progressively allowing the project to meet its prescribed targets and timelines.

j) Completed the very technical finalisation of the SAU and were awaiting the sign off from the ACCC.

k) Reworked the Fixed Wireless network to allow for the additional delivery of a 25Mbps speed tier component to that network

l) Included additional technology into both the Satellite and Fixed Wireless platforms to allow for the delivery of a “minimum” 25Mbps to all users of those networks.

m) Provided for the introduction of a 250Mbps 500Mbps and 1Gbps service to be delivered from December 2013 into the project’s deliverables

n) Included into the scope of the project the responsibility for the Building of a Greenfields fibre capability which wasn’t part of the original project that can complete more than 30 new developments a week, anywhere in the country.

o) Were building a Customer Connect capability that had connected more than 100k end users and which was rapidly growing the ability to deal with the exceptionally high take-up rates that were being experienced.

p) And finally, responsible for implementing and growing the capability to build the LN/DN component of the Brownfields network at a cost that preserves the integrity of NBN Co’s financial plan.

q) etc etc etc

ALL THIS WAS DONE ON BUDGET!

And as Mike Quigley stated the initial slippage in the initial volume rollout into the brownfields environment see p) was being addressed with the private contractors having publicly stated their intention to deliver what it was they were contracted to deliver not to mention Telstra accepting their own complicity in initially holding the project up by not allocating the appropriate resources!

And as we see now Mike had catered for the adoption of new deployment processes that have been successfully trialled which provide for

The evaluation, contained in an internal presentation document dated August 2014 and seen by Fairfax Media, shows a team combining telecommunications firms Cemetrix, CommsConnect and Linktech Telecom was on track to complete the Melton rollout in just 104 days, compared with an average of 344 days in other areas. Ninety per cent of buildings were serviceable by fibre by the end of August – 61 per cent faster and 50 per cent more cheaply than in areas using previous rollout models, the document said.

And to think that all this was in place 15 months ago when turnBULL and Co took the reins of control on NBN Co and ground the rollout to a halt in some areas and cancelled existing contracts holus-bolus!

And yet given their fully costed ready to go faster and cheaper alternative they LIED to the public about!

Not 1 customer connected to FRAUDBAND!

Fttnnnnnn unbelievable huh!

Where’s the financial imperative for ICT to develop Web 3 applications to run on unguaranteed UPTO 25Mbps obsolete copper networks when we already see sunset clauses being effected to shut down PSTN networks as provided in America and Europe?