Steve's Blog

SSH two factor auth with Yubikey + SSH key

I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by the way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and a OTP generated by the YubiKey.

I spent a lot of time hacking around with SSH and ForceCommand, but that breaks scp, which I use quite a lot. Today I found the answer. This only works on EL6.3 (CentOS, Scientific Linux and RHEL 6.3), because it relies on an sshd_config option Red Hat added in that release (upstream OpenSSH later grew the equivalent AuthenticationMethods directive), and it is a much bigger improvement in authentication.

To configure:

Now, we add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like the following. pam_yubico goes first in the auth stack so it can strip the OTP off the end of what the user typed and hand the remaining password on to password-auth. id=16 is the Yubico validation API client ID and authfile points at the user-to-key mapping file created below. One caveat: without a matching key= parameter the validation server's responses are not signature-checked, so you are trusting the network path to that server.

#%PAM-1.0
auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Now we create /etc/yubikey_mappings, listing each user with the public ID of their YubiKey (the first 12 characters of any OTP it emits; a user with more than one key lists them separated by colons). Keep the file owned by root and not writable by anyone else, since whoever can edit it can map their own key to root. For example:

root:abcdabcdabcd
myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

 RequiredAuthentications[12]
         Specifies required methods of authentications that has to succeed before authorizing the connection.
         (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

             RequiredAuthentications1 method[,method...]
             RequiredAuthentications2 method[,method...]

         Example 1:

             RequiredAuthentications2 password,hostbased

         Example 2:

             RequiredAuthentications2 publickey,password

As we want both a public key AND a password (which, with pam_yubico first in the PAM stack, means the Unix password followed by the OTP), we add the following to /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password. UsePAM yes must also be in effect (it is the EL6 default) so that the password method actually runs through /etc/pam.d/sshd.

Restart sshd using service sshd restart and you should be good to go :) Before you close the session you are working in, open a second one and confirm that a login is refused when either the key or the OTP is missing; a typo in the PAM stack or sshd_config can lock you out of the box.

Oh, and just because it isn't 100% obvious, the login details will now be: Username: <yourusername> Password: <yourpassword><press the YubiKey button>, i.e. the Unix password immediately followed by the 44-character OTP at the same prompt.

It goes without saying that you will also need a working SSH key….
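To make the password-plus-OTP login and the mapping file concrete, here is an added example (mine, not code from this post or from pam_yubico) that models what pam_yubico does with the string typed at the password prompt: it peels the trailing 44-character OTP off, checks that the OTP's 12-character public ID belongs to the user in the mapping file, and only then consults the validation server, passing the remaining password on to pam_unix. The mapping text, the user names and the OTP are constructed sample data; the OTP layout, the modhex alphabet and the user:id[:id...] file format are pam_yubico's real conventions, while the validation-server round trip is replaced by a stub that rejects replays.

```python
"""Added example (not code from Steve's post or from pam_yubico): a model of
how pam_yubico handles the "<password><OTP>" string the post tells you to
type, and how it checks the OTP's public ID against /etc/yubikey_mappings.
The mapping text and the OTP below are constructed sample data. The
44-character OTP length (12-char public ID + 32-char ciphertext), the modhex
alphabet and the "user:id[:id...]" mapping format are pam_yubico's real
conventions; the round trip to the validation server is replaced by a stub.
"""

MODHEX = set("cbdefghijklnrtuv")   # YubiKey OTPs use this 16-letter alphabet
PUBLIC_ID_LEN = 12                 # public identity at the start of every OTP
OTP_LEN = PUBLIC_ID_LEN + 32       # pam_yubico: token_id_len + TOKEN_OTP_LEN

# Constructed sample data in the same format as the post's /etc/yubikey_mappings.
SAMPLE_MAPPINGS = """\
# user:public_id[:public_id...]
root:ccccccbchvrt
steve:ccccccdtjbeg
"""
SAMPLE_OTP = "ccccccdtjbeg" + "jdtrlbuijrfvfhilnblvdbghlfilvrjk"   # steve's key


def parse_mappings(text):
    """Return {user: set(public_ids)} from yubikey_mappings-style text.
    A user may list several keys separated by colons; blank and '#' lines
    are ignored. Only the ID length is checked (the post's placeholder IDs
    are not modhex, and pam_yubico itself just string-compares them)."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        ids = [i for i in ids if i]
        for key_id in ids:
            if len(key_id) != PUBLIC_ID_LEN:
                raise ValueError(f"line {lineno}: public id {key_id!r} is not {PUBLIC_ID_LEN} chars")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def split_credential(combined):
    """Split '<password><otp>' the way pam_yubico does: the OTP is the last
    44 characters and whatever precedes it becomes the PAM_AUTHTOK that the
    next module (pam_unix via password-auth) checks as the Unix password."""
    if len(combined) < OTP_LEN:
        raise ValueError("input shorter than one OTP; did you press the key?")
    password, otp = combined[:-OTP_LEN], combined[-OTP_LEN:]
    if set(otp) - MODHEX:
        raise ValueError("trailing 44 characters are not a modhex OTP")
    return password, otp


def stub_validator():
    """Stand-in for the YubiCloud / yubiserve query that pam_yubico makes
    with its id=/key= parameters. It does no cryptography: it accepts each
    well-formed OTP once and treats a repeat as a replay, which is the
    observable behaviour of the real server's counter check."""
    seen = set()

    def validate(otp):
        if otp in seen:
            return False
        seen.add(otp)
        return True

    return validate


def authorize(user, combined, mapping, validate_otp):
    """Return (password_for_next_module, reason); password is None on reject.
    Order matters: the mapping check is local and happens before any
    network call, so an unmapped key never reaches the validation server."""
    try:
        password, otp = split_credential(combined)
    except ValueError as e:
        return None, f"reject: {e}"
    public_id = otp[:PUBLIC_ID_LEN]
    if public_id not in mapping.get(user, ()):
        return None, f"reject: key {public_id} is not mapped to {user}"
    if not validate_otp(otp):
        return None, "reject: validation server says OTP invalid or replayed"
    return password, "ok"


if __name__ == "__main__":
    mapping = parse_mappings(SAMPLE_MAPPINGS)
    validate = stub_validator()
    for who, typed in [("steve", "hunter2" + SAMPLE_OTP),   # password + OTP
                       ("steve", "hunter2" + SAMPLE_OTP),   # same OTP again: replay
                       ("root", "toor" + SAMPLE_OTP),       # steve's key used for root
                       ("steve", "hunter2")]:               # forgot to press the key
        print(who, authorize(who, typed, mapping, validate))
```

The four calls at the bottom show the cases you should try from a second session before trusting the setup: a good login, the same OTP replayed, one user's key presented for another account, and a password with no OTP appended. Only the first one hands a password on to pam_unix; the real module additionally needs the server round trip, which is where the id= and key= parameters in the PAM line come in.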

EDIT: There is a bug in the Match parsing for RequiredAuthentications2. See my report.

Jemena electricity wholesale and the smart meter

Just about everyone in Australia is aware of the new requirements for replacing the old spinning dial meters with a smart meter. They look pretty much like this and hide in with the circuit breakers etc.

While there has been a big drama over the changeover (with some people going berserk), there have been a lot of promises about them making our lives better. Jemena however have started tackling this head on. Once you register your meter, you can then access your electricity usage details right up to the current day (in fact, it is even updated four times a day!). As the following screenshots from the Jemena Electricity Outlook show, you get really good data (although I didn't show my usage for today, it does break it down into hourly usage blocks!).

What is also nice is that if you can find the rate that your electricity retailer charges you (good luck on that!), then you can input both the charge per kWh AND the daily supply charge to get an estimated dollar figure - which can even include off peak and on peak splits. From what I hear, if you have a solar power setup and are feeding the grid, you will even get a separate colour bar that shows you how much power you fed to the grid.

While this is all fun, I managed to get my hands on a preview device that is still unconfirmed. Picture first, then words.

This display (after being authorised via the Jemena Electricity Outlook) connects to your smart meter wirelessly. It is powered by a single AA battery and shows up to the minute as well as trend data for your electricity usage. From my experiments, it looks as though this is updated every 30 seconds.

Interestingly, there is a lot of functionality in this display that is not yet implemented (fingers crossed it does!) such as $/hr for your electricity usage, targets for usage as well as trend monitoring.

As you can see, it doesn’t look as though the outlook portal currently communicates your target levels etc to the display, nor does it transfer the tariff you set within the portal to the meter - so at this stage it won’t show anything in the $/hr section.

Where does this lead us? Who knows. These devices are only just starting to be developed for use in Australia now - and as more companies get on this bandwagon, and as more people want to reduce their carbon footprint, I can see this area expanding fairly rapidly over the next few years. Until then, keep your eyes open for other wholesalers releasing the access to your usage information and use it as a basis to shop around and save yourself a considerable sum.

EDIT: Oh, and the best thing about the portal? Look for the “Download your data” link. You’ll get a CSV file broken down hourly of your usage since the smart meter was first installed! Go Jemena!

IBM chooses my Xen packages for guides on IBM SmartCloud Provisioning

When you do open source stuff, sometimes it's amazing where the project turns up. Today I got a big surprise.

If you’re setting up an IBM Compute Node using a Xen hypervisor, some of the documentation seems rather familiar. Especially this part:

yum install http://au1.mirror.crc.id.au/repo/kernel-xen-release-6-3.noarch.rpm

Although the documentation is in a bit of a mess regarding this topic on the IBM site, it might have been much easier to link to my howto or even to the kernel-xen mailing list for support if required.

Does that make me an IBM Business Partner now? ;)

Youtube discoveries.

Ok, it's been quite a while since I've posted a general post to my site here. So in order for it to not be taken over by my Xen announcements, here is what is on my YouTube playlist at the moment.

1) PSY - Gangnam Style. This is the ONLY Korean pop singer to EVER make #1 on the British charts.

2) Lonely Island feat Michael Bolton - Jack Sparrow. This one makes me chuckle probably harder than I should.

I won’t bore you with others, these are good enough ;)