2017
07.04

Sup all,

as the title states, this article will go over how to automatically enable / disable xscreensaver on the insertion / removal of your yubikey. only caveat is that it will not lock the screen. this article assumes that your xscreensaver session will lock the screen after x amount of minutes (preferably < 5 minutes).


Udev

i added these lines to file /etc/udev/rules.d/90-yubico-u2f.rules:

SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="XXXX", ENV{ID_MODEL_ID}=="XXXX", RUN+="/usr/local/bin/yubikey_ss.sh enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="XXXX", ENV{ID_MODEL_ID}=="XXXX", RUN+="/usr/local/bin/yubikey_ss.sh disable"

for those lines to work we need to insert the yubikey and run
udevadm monitor --udev --property
and grep both “ID_VENDOR_ID” and “ID_MODEL_ID” and replace the XXXX with the corresponding greps.

then restart udev once the script is in place
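
The lookup-and-replace step above as a script. This is an added example, not part of the original post: it reads one captured udevadm event and prints the two rules with the IDs filled in. The sample event and its ID values are constructed for illustration, and the helper names (udev_prop, make_rules, rules_from_event) are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: turn one captured udev event into the two rules shown above.

# Constructed sample of `udevadm monitor --udev --property` output for one
# "add" event; the ID values are illustrative, use the ones your key reports.
sample_event() {
cat <<'EOF'
UDEV  [1234.567890] add      /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=add
DEVTYPE=usb_device
ID_MODEL_ID=0407
ID_VENDOR=Yubico
ID_VENDOR_ID=1050
SUBSYSTEM=usb
EOF
}

# udev_prop KEY: print the value of the first KEY=value line on stdin.
udev_prop() {
    awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# make_rules VID PID: print the remove/add rule pair, or fail on odd IDs.
make_rules() {
    for id in "$1" "$2"; do
        case "$id" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;   # exactly 4 hex digits
            *) echo "not a usb id: $id" >&2; return 1 ;;
        esac
    done
    for action in remove add; do
        if [ "$action" = remove ]; then arg=enable; else arg=disable; fi
        printf 'SUBSYSTEM=="usb", ACTION=="%s", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", RUN+="/usr/local/bin/yubikey_ss.sh %s"\n' \
            "$action" "$1" "$2" "$arg"
    done
}

# rules_from_event: read one event on stdin, print its rules.
rules_from_event() {
    event=$(cat)
    vid=$(printf '%s\n' "$event" | udev_prop ID_VENDOR_ID)
    pid=$(printf '%s\n' "$event" | udev_prop ID_MODEL_ID)
    make_rules "$vid" "$pid"
}

sample_event | rules_from_event
```

Refusing anything that is not four hex digits keeps a bad capture (or the literal XXXX) out of the rules file, where it would silently never match.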


yubikey_ss.sh

next we will add /usr/local/bin/yubikey_ss.sh with these contents:

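#!/usr/bin/env bash
# run by udev as root: "enable" on key removal, "disable" on key insertion

# first non-root user that owns a process with "session" in its ps line
_USER=$(ps aux \
    | awk '$0 !~ /root/ && /session/ {print $1}' \
    | sed -n '1p')

# with an empty user, su would run the command as root, so stop here
[ -n "${_USER}" ] || exit 1

case "$1" in
    enable)
        /bin/su "${_USER}" \
            -c "DISPLAY=:0 /usr/bin/xscreensaver-command -activate"
        ;;
    disable)
        /bin/su "${_USER}" \
            -c "DISPLAY=:0 /usr/bin/xscreensaver-command -deactivate"
        ;;
esac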

and make it executable.

test to ensure that it works.


Notes

at this point, you should realize that you are just activating the screensaver and not locking it so the password will not be on unless you have the “Lock screen after” option enabled in
xscreensaver-command -demo
set it to around 5 or less minutes. one if you are paranoid.

YMMV

2017
07.03

Sup all,

I have written separate articles about this before but decided to put this all together into one article cause why not.

The purpose of this article is to have google 2fa & yubikey u2f at the login prompt (assuming you do not have a login manager (i don’t)).

This article is gentoo heavy. The equivalent for other distros should not be too different or difficult to figure out.


Needed files

First lets emerge the proper packages (some of these are just in case emerges for future usage):
app-crypt/libu2f-host
app-crypt/libu2f-server
sys-auth/pam_u2f
app-crypt/yubikey-manager
app-crypt/yubikey-neo-manager
dev-python/yubiotp
sys-auth/libyubikey
sys-auth/pam_yubico
sys-auth/yubikey-personalization-gui
sys-auth/google-authenticator


For the Yubikey u2f

  • I tested this with the yubikey {4, 4 nano, and 4C} and the yubikey neo.

    Using the yubikey-personalization-gui, make sure that in slot one of the keys you have it configured to OTP. slot 2 can be whatever.
    once this is done we have to generate the ${HOME}/.config/Yubico/u2f_keys by running this :
    sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys

    if you are using multiple yubikeys, then every time you run the above command, you need to edit file like so:
    when you run sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys
    it will add the data like so :
    <username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
    <username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...

    but if you see something like this:
    <username1>:<KeyHandle1>,<UserKey1>
    <username1>:<KeyHandle2>,<UserKey2>
    <username1>:<KeyHandle3>,<UserKey3>
    <username4>:<KeyHandle4>,<UserKey4>

    then edit so that it looks like the first example or else your u2f will not work and give really weird errors

    Now, lets add and edit the pam files:
    create file /etc/pam.d/yubico
    and add this:
    auth required pam_u2f.so cue interactive
    these items can be decoded here

    and now edit /etc/pam.d/login
    and add this line to the top:
    auth include yubico

    Now let's test that the yubikey u2f is working before fully logging out.
    press alt+ctrl+f2 to bring you to a tty and you should see the u2f options here.

    if this is working, lets move on to the google 2fa portion.
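
The u2f_keys cleanup described above (one line per user, every key appended with ":"), as an added example that is not part of the original post. The usernames, key handles and user keys in the sample are constructed placeholders, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: fold repeated per-user lines of a u2f_keys file into one line.

# Constructed sample in the broken layout (placeholder handles and keys).
sample_u2f_keys() {
cat <<'EOF'
alice:KH1,UK1
alice:KH2,UK2
bob:KH3,UK3
alice:KH4,UK4
EOF
}

# merge_u2f_keys: read u2f_keys lines on stdin and print one
# "<user>:<kh>,<uk>:<kh>,<uk>..." line per user, in first-seen order.
merge_u2f_keys() {
    awk '
        /^[[:space:]]*$/ { next }                  # skip blank lines
        {
            sep = index($0, ":")
            if (sep < 2) { print "bad line " NR > "/dev/stderr"; bad = 1; next }
            user  = substr($0, 1, sep - 1)
            creds = substr($0, sep + 1)
            if (!(user in keys)) { order[++n] = user; keys[user] = creds }
            else keys[user] = keys[user] ":" creds
        }
        END {
            for (i = 1; i <= n; i++) print order[i] ":" keys[order[i]]
            exit bad
        }'
}

# fix_u2f_keys_file FILE: rewrite FILE via a temp file, readable by owner only.
fix_u2f_keys_file() {
    f="$1"
    tmp=$(mktemp "${f}.XXXXXX") || return 1
    if merge_u2f_keys < "$f" > "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$f"
    else
        rm -f "$tmp"; return 1
    fi
}

sample_u2f_keys | merge_u2f_keys
```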


    For the Google 2fa

  • I tested this with authy on android as the app.

    Lets run: google-authenticator
    which will look like this:


    and just follow the on screen steps which includes using the link provided to add the 2fa portion to your authenticator app.

    now lets create file /etc/pam.d/google-authenticator
    and add this:
    auth required pam_google_authenticator.so nullok
    which can be decoded here

    and now edit /etc/pam.d/login
    and add this line to the top:
    auth include google-authenticator

    Now let's test that the google 2fa is working before fully logging out.
    press alt+ctrl+f2 to bring you to a tty and you should see the 2fa options here.

    if this is working then you should now have 2fa & u2f login setup.
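
The nullok option in the pam_google_authenticator line above means an account with no ~/.google_authenticator file is not asked for a code at all. The check below is an added example, not part of the original post: it lists the accounts that currently fall into that gap. The demo PAM file, passwd file and users are constructed in a temp dir, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: list accounts that "nullok" lets through without a code.

# pam_uses_nullok FILE: succeed if an active auth line for
# pam_google_authenticator.so carries the nullok option.
pam_uses_nullok() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so([[:space:]].*)?[[:space:]]nullok([[:space:]]|$)' "$1"
}

# users_without_totp PASSWD: print users with a login shell whose home has
# no .google_authenticator (the module's default secret file).
users_without_totp() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        [ -f "$home/.google_authenticator" ] || printf '%s\n' "$user"
    done
}

# audit_totp PAM_FILE PASSWD: with nullok set, print the accounts that
# skip the TOTP check; print nothing when nullok is absent.
audit_totp() {
    if pam_uses_nullok "$1"; then
        users_without_totp "$2"
    fi
}

# Constructed demo data: alice ran google-authenticator, bob did not.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home/alice" "$demo_dir/home/bob"
: > "$demo_dir/home/alice/.google_authenticator"
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo_dir/pam"
printf '%s\n' \
    "root:x:0:0:root:/root:/sbin/nologin" \
    "alice:x:1000:1000::$demo_dir/home/alice:/bin/bash" \
    "bob:x:1001:1001::$demo_dir/home/bob:/bin/bash" > "$demo_dir/passwd"

audit_totp "$demo_dir/pam" "$demo_dir/passwd"    # prints: bob
```

On a real box the arguments would be /etc/pam.d/google-authenticator and /etc/passwd; once every listed account has enrolled, nullok can be dropped from the PAM line.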


    Notes

    I will eventually write articles on:

  • using your yubikey for screensaver auth (will most likely be xscreensaver heavy)
  • locking / unlocking screen when the yubikey is inserted / removed
  • using 2fa & u2f for ssh / sudo auth

    Again, like with any article, YMMV.

    Here is a pic of the yubikeys i tested with:


    2017
    06.16

    So i was just monitoring a deep update and figured i should just post what it looks like.


    Top left : sudo emerge -uDNvt @world --with-bdeps=y --changed-deps --keep-going --verbose-conflicts
    Bottom left : ttyload
    Top center : htop
    Top right : atop
    Middle {center, right} && Bottom {center, right} : ttysys

    2017
    05.26

    So before we begin this article assumes a wiped drive. So not using parallels or virtualization but a full install with no dual booting.

    This article is not going to go through installation. There are plenty of posts across the internet explaining that.


    -= Kernel .config =-
    At time of writing i was using gentoo-sources-4.11.3 but the config file was originally from 4.9.X.
    Here is the .config for gentoo-sources-4.11.3 that i created.


    -= Booting =-
    So i decided to go with grub2. First thing i did was using efibootmgr, remove all other entries that were not gentoo so that it looked like this when done :
    sudo efibootmgr
    BootCurrent: 0000
    Timeout: 5 seconds
    BootOrder: 0000
    Boot0000* gentoo

    I also had a weird issue where after grub called the kernel that my disk location (/dev/sdX) would randomly change location between /dev/sd{a,b}. Easiest fix was adding the below to /etc/default/grub:
    GRUB_DEVICE="PARTUUID=a852b30c-4543-49d6-969c-4e49ee029b14"
    GRUB_DEVICE_UUID="8f2de9ac-7e52-44ec-af63-488be87e8908"

    which can be grabbed by running “sudo blkid”.
    Mine shows this:
    /dev/sdb1: UUID="B572-A82B" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="90780068-fc39-4371-9cc9-deaf333d4d99"
    /dev/sdb2: UUID="e795a3d1-590d-4c72-86be-fffe93fcb9e8" TYPE="swap" PARTLABEL="swap" PARTUUID="9dc0699e-6830-4279-93fa-70686f94de10"
    /dev/sdb3: UUID="8f2de9ac-7e52-44ec-af63-488be87e8908" TYPE="ext4" PARTLABEL="root" PARTUUID="a852b30c-4543-49d6-969c-4e49ee029b14"

    Once the UUID & PARTUUID were set, no more issues since old style locations did not matter any longer.


    -= keyboard lights =-
    I followed this link from wiki.gentoo.org to set keyboard lighting except in the script provided i changed the step to “2” instead of “25” so that there is a more fine tuned stepping.


    -= screen back lighting =-
    Again, i followed this link from wiki.gentoo.org to set screen back light levels but again, in the script i changed the steps from “25” to “5” so that the screen would change gradually.


    -= keyboard iso layout =-
    I had an issue where the tilde key was showing left and right carets. To correct this i put these lines in “/etc/local.d/02-kbd–iso.start”:
    #!/bin/bash
    echo 0 > /sys/module/hid_apple/parameters/iso_layout

    since its a local.d script it will start up on boot.


    -= lid closing and backlight =-
    So the link posted above caused weird issues so i installed “sys-power/pm-utils” and changed the acpi scripts a bit like so :

    /etc/acpi/events/lm_lid :
    event=button/lid.*
    action=/etc/acpi/actions/lid.sh

    /etc/acpi/actions/lid.sh :
    #!/usr/bin/env bash
    # lock the screen and suspend when the lid reports "closed"
    _DBL="/proc/acpi/button/lid/LID0/state"
    if [ "$(awk '{print $2}' "${_DBL}")" = "closed" ]
    then
        xscreensaver-command -lock
        pm-suspend
    fi

    2017
    05.25

    Sup all,

    Sorry for the delay in posting any new articles but life caught up with me.

    This article involves the Inverse Path USB armory and how to not only ssh into it, but be able to reach the outside world from it while connected to my gentoo machine.

    As of the time of writing:
    – the image used on the armory was debian base 20170518
    – Gentoo Base System release 2.3
    – Gentoo sources 4.11.2-r1

    There were some kernel changes that had to be made due to the usb CDC networking:

    Device Drivers --->
        [*] Network Device Support --->
            <*> USB Network Adapters --->
                <*>   Multi-purpose USB Networking Framework
                    -*-     CDC Ethernet support (smart devices such as cable modems)
                    <*>     CDC EEM support
                    -*-     CDC NCM support
                    <*>     CDC MBIM support
                    <*>     Host for RNDIS and ActiveSync devices
                <*>   Simple USB Network Links (CDC Ethernet subset)
                    [*]     Embedded ARM Linux links (iPaq, ...)

    These settings will create an eth interface called enp0s20u1 when the usb armory is plugged in.

    Once the image is loaded onto the microsd card and the usb armory plugged in, dmesg should give you something similar to this (ignore the first column since it's dmesg timing):

    [ 1199.466184] usb 1-1: new high-speed USB device number 4 using xhci_hcd
    [ 1199.637025] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a2
    [ 1199.637032] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [ 1199.637035] usb 1-1: Product: RNDIS/Ethernet Gadget
    [ 1199.637037] usb 1-1: Manufacturer: Linux 4.9.28 with 53f80000.usb
    [ 1199.645848] cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 1a:55:89:a2:69:42
    [ 1199.651675] cdc_ether 1-1:1.0 enp0s20u1: renamed from usb0
    [ 1199.659833] IPv6: ADDRCONF(NETDEV_UP): enp0s20u1: link is not ready

    Once plugged in, you are going to want to ssh into your usb armory and grant it internet access. The best thing to do is something along the lines of the next couple of commands. i placed them all in a script for ease but i will just paste the raw commands below (YMMV):

    sudo ifconfig enp0s20u1 10.0.0.2 netmask 255.255.255.0
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    sudo iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
    sudo /etc/init.d/iptables save
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/iptables start

    Now to test it but just remember that both user and password are “usbarmory”:

    ssh usbarmory@10.0.0.1
    usbarmory@10.0.0.1's password: 
    Warning: untrusted X11 forwarding setup failed: xauth key data not generated
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Thu May 25 23:53:59 2017 from 10.0.0.2
    -bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    usbarmory@usbarmory:~$ 

    and Voila!!!

    now you are in the usb armory and you can update it.

    2017
    01.18

    irc bashbot

    sup all,

    happy holidays and all that good stuff.

    so lately i have been working on an irc bot written only in bash.

    i know, sounds like a fucking nightmare and it would have been easier in python but this is fun and it works.

    you can grab it here

    i will write an article in the up and coming days/weeks explaining all the moving parts and all that fun stuff.

    stay tuned

    2016
    09.29

    sup

    i decided to write this command line bar graph (with portions taken from here) that shows graphs based on the amount of files and extensions in a dir (recursive or non-recursive).

    need came about due to not wanting to grep, sort and uniq certain folders at the time for what i was doing.

    here is a link to the script.

    here is the usage animation:

    here is the usage:

    NAME
        bargraph.sh - show bar graphs of dir file types
    
    SYNOPSIS
        bargraph.sh [OPTION]...
    
    DESCRIPTION
        This script shows a bar graph with the total count
        of files in a dir according to extension.
    
        -b [character]
                This is to specify what character you want to use to
                draw your bar graphs. If this option is used, place
                the character in quotes (ex: "#").
                Default is "#"
    
        -d [path]
                This is to specify the path to be used. Need to input
                this for the script to work.
    
        -e [ext{,ext,ext}]
                This option is to select a single or list of extensions
                to show in the bargraph.
                Usage is either { -e "foo" } for single extension or
                { -e "foo,bar,baz" } for multiple. Always comma separated.
    
        -h      Show this file (usage).
    
        -r      Recursive.
    
        -s      This sorts output according to most files.
                Default is sorted by name.
    
        -v      Show version.
    2016
    09.28

    Sup all

    so i finally decided to have a command run every time my terminal goes idle. after some searching, here is what i have come up with:
    lock-after-time && lock-command

    from the man pages:

    lock-after-time number
            Lock the session (like the lock-session command) after number seconds of inactivity.  The default is not to lock (set to 0).
    lock-command shell-command
            Command to run when locking each client.  The default is to run lock(1) with -np.

    so in my .tmux.rc :

    set -g lock-after-time 360
    set -g lock-command "/usr/bin/asciiquarium"

    asciiquarium is set to start after 6 minutes.

    2016
    09.08

    now that i am back in i have decided to post an updated screenshot of the status page for no real reason.


    2016
    09.08

    sup all

    so i’ve been working with a fortiswitch 224d-poe at home for a while when the thing went bat shit on me. When i tried to access the admin console i realized that i had forgotten the password. Below are the steps i used for wiping the switch back to factory default with the latest (as of time of writing) firmware.

    first things first, make sure that you have a properly pinned console cable :

    then set up a tftp server. i used tftp-hpa in a non-daemonized mode since i only needed it for one time usage.

    next restart the switch with console. i did this below:
    sorry for the awful pics but it was 0400 in the morning when i did this

    since the default and data2 partitions were formatted and saved as default, this caused the factory default settings to be enabled.

    once this was done:

    and voila. back to defaults and regained access to the switch.