Sup all,

I have written separate articles about this before but decided to put it all together into one article, cause why not.

The purpose of this article is to have Google 2FA (TOTP) and YubiKey U2F at the console login prompt (this assumes you do not use a display/login manager; I don't).

This article is gentoo heavy. The equivalent for other distros should not be too different or difficult to figure out.

Needed files

First, let's emerge the needed packages (some of these are just-in-case installs for future use):

For the Yubikey u2f

  • I tested this with the YubiKey 4, 4 Nano and 4C, and the YubiKey NEO.

    Using yubikey-personalization-gui, make sure slot 1 of each key is configured for OTP; slot 2 can be whatever.
    Once that is done, generate ${HOME}/.config/Yubico/u2f_keys (create the directory first if it does not exist) by running:
    sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys
    sudo is only there so pamu2fcfg can talk to the key over USB; the redirection happens in your own shell, so the file stays owned by you.

    If you register more than one YubiKey, check the file after every run. pam_u2f expects all of a user's keys on one line (the username, then each key handle/public key pair, separated by colons), so when you run
    sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys
    again it should add the data like so:

    but if you see something like this:

    then edit it so that it looks like the first example, or your U2F will not work and will give really weird errors. (pamu2fcfg -n prints an entry without the leading username, meant for appending to an existing line.)
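Because the fix-up above is easy to get wrong by hand, here is a small helper that does it: it rewrites a u2f_keys file so every user has exactly one line, in the `user:kh1,pk1:kh2,pk2` form pam_u2f reads. This is an added example, not a script from the original post or from the pam_u2f project; the usernames and key strings in the usage comments are made up.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post.
# pam_u2f reads ~/.config/Yubico/u2f_keys as ONE line per user:
#   <user>:<keyhandle1>,<pubkey1>:<keyhandle2>,<pubkey2>
# Appending "pamu2fcfg -u $USER" output once per key instead leaves one
# "<user>:..." line per key, and only the first one is ever consulted.
# merge_u2f_keys joins such lines (and bare "pamu2fcfg -n" lines, which
# start with ':') back into the single-line form.
set -euo pipefail

# merge_u2f_keys FILE  -> merged contents on stdout (input is left untouched)
merge_u2f_keys() {
    awk -F: '
        /^[[:space:]]*#/ { next }                 # drop comments
        /^[[:space:]]*$/ { next }                 # drop blank lines
        /^:/ { if (n) keys[order[n]] = keys[order[n]] $0; next }  # -n output on its own line
        {
            user = $1
            rest = substr($0, length(user) + 2)   # text after "user:"
            if (!(user in keys)) {
                order[++n] = user; keys[user] = rest
            } else {
                keys[user] = keys[user] ":" rest  # append this key handle/pubkey
            }
        }
        END { for (i = 1; i <= n; i++) print order[i] ":" keys[order[i]] }
    ' "$1"
}

# key_count FILE USER -> number of keys registered for USER after merging
key_count() {
    merge_u2f_keys "$1" | awk -F: -v u="$2" '$1 == u { print NF - 1; found = 1 }
                                           END { if (!found) print 0 }'
}

# Usage against the real file (assumed path from the post); write to a temp
# file first so a failure cannot truncate the original:
#   merge_u2f_keys ~/.config/Yubico/u2f_keys > /tmp/u2f_keys.new \
#     && install -m 600 /tmp/u2f_keys.new ~/.config/Yubico/u2f_keys
#   key_count ~/.config/Yubico/u2f_keys "$USER"
```

Run key_count before and after to make sure the number of keys matches the number of YubiKeys you enrolled; if it prints 1 when you registered two, the second key was on its own line and would never have been accepted.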

    Now, let's add and edit the PAM files.
    Create /etc/pam.d/yubico with this content:
    auth required pam_u2f.so cue interactive
    (cue prints a "touch the device" reminder and interactive makes the module wait for you before it talks to the key; both are described in the pam_u2f(8) man page.)

    Now edit /etc/pam.d/login and add this line at the top:
    auth include yubico

    Now let's test that U2F works before fully logging out. Keep this session open, press Ctrl+Alt+F2 to get a fresh tty and log in there; you should be prompted to touch the key. If you get locked out, the session you kept open is how you undo the change.

    Once this works, let's move on to the Google 2FA portion.

    For the Google 2FA

  • I tested this with Authy on Android as the app.

    Run: google-authenticator

    and just follow the on-screen steps, which include adding the token to your authenticator app via the QR code / link it provides. Say yes to time-based tokens, and keep the emergency scratch codes it prints somewhere safe; they are your way back in if the phone is lost. The secret ends up in ${HOME}/.google_authenticator, readable only by you.

    Now let's create /etc/pam.d/google-authenticator with this content:
    auth required pam_google_authenticator.so nullok
    nullok means a user who has no ${HOME}/.google_authenticator yet is let through on the password alone. That is handy while you enrol, but drop it once every account that can log in has run google-authenticator, otherwise an un-enrolled account silently skips the second factor.

    Now edit /etc/pam.d/login again and add this line at the top (above or below the yubico include; whichever comes first is prompted first):
    auth include google-authenticator

    Now let's test that the Google 2FA step works before fully logging out: press Ctrl+Alt+F2 again, log in on that tty, and you should be asked for the verification code.

    If this works, you now have 2FA and U2F at login.
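Before you actually log out, it is worth checking the whole chain from the shell you still have. The script below is an added example (not from the post, and not part of pam_u2f or pam_google_authenticator): it verifies that the two include files exist and load the right modules, that /etc/pam.d/login includes both, that the per-user secrets exist and are not writable by anyone else, that u2f_keys has one line per user, and it warns if nullok is still set. The ROOT argument only exists so the same checks can be run against a scratch directory tree.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check the PAM wiring
# from the steps above BEFORE you log out, since a typo in /etc/pam.d/login
# locks every tty.  Run it from the shell you still have open.
#   pam_preflight [ROOT] [HOME]
# ROOT (default: the real filesystem) lets the same checks run against a
# scratch tree; HOME defaults to $HOME.  Exit status = number of failed checks.
set -uo pipefail

pam_preflight() {
    local root="${1:-}" home="${2:-$HOME}" fails=0
    local pamd="$root/etc/pam.d"
    ok()   { printf 'ok:   %s\n' "$*"; }
    fail() { printf 'FAIL: %s\n' "$*"; fails=$((fails + 1)); }
    warn() { printf 'warn: %s\n' "$*"; }

    # 1. the include files exist and load the modules we expect
    if grep -qs 'pam_u2f\.so' "$pamd/yubico"; then
        ok "$pamd/yubico loads pam_u2f.so"
    else
        fail "$pamd/yubico missing or does not load pam_u2f.so"
    fi
    if grep -qs 'pam_google_authenticator\.so' "$pamd/google-authenticator"; then
        ok "$pamd/google-authenticator loads pam_google_authenticator.so"
    else
        fail "$pamd/google-authenticator missing or does not load the module"
    fi

    # 2. /etc/pam.d/login really includes both
    local inc
    for inc in yubico google-authenticator; do
        if grep -Eqs "^[[:space:]]*auth[[:space:]]+include[[:space:]]+$inc([[:space:]]|$)" "$pamd/login"; then
            ok "login includes $inc"
        else
            fail "login does not include $inc"
        fi
    done

    # 3. nullok: accounts with no ~/.google_authenticator skip the TOTP step
    grep -qs 'nullok' "$pamd/google-authenticator" \
        && warn "nullok is set: users without ~/.google_authenticator bypass TOTP"

    # 4. per-user secrets exist and nobody else can write them
    local f mode
    for f in "$home/.config/Yubico/u2f_keys" "$home/.google_authenticator"; do
        if [ ! -f "$f" ]; then fail "$f not found"; continue; fi
        mode=$(stat -c '%a' "$f")                  # GNU stat, octal mode
        if (( (8#$mode & 8#22) != 0 )); then      # group or other write bit
            fail "$f is group/world writable (mode $mode)"
        else
            ok "$f present (mode $mode)"
        fi
    done

    # 5. u2f_keys must have exactly one line per user
    if [ -f "$home/.config/Yubico/u2f_keys" ]; then
        local dups
        dups=$(cut -d: -f1 "$home/.config/Yubico/u2f_keys" | sort | uniq -d | tr '\n' ' ')
        if [ -z "${dups// /}" ]; then ok "u2f_keys has one line per user"
        else fail "u2f_keys has several lines for: $dups"; fi
    fi
    return "$fails"
}

# Usage on the live system:  pam_preflight; echo "failed checks: $?"
```

A non-zero exit means fix first, log out later. The nullok warning is informational on purpose: it is correct while you are still enrolling other users on the box and wrong once you are done.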


    I will eventually write articles on:

  • using your yubikey for screensaver auth (will most likely be xscreensaver heavy)
  • locking / unlocking screen when the yubikey is inserted / removed
  • using 2fa & u2f for ssh / sudo auth

    Again, like with any article, YMMV.

    Here is a pic of the yubikeys i tested with:


  • 2017

    So i was just monitoring a deep update and figured i should just post what it looks like.


    Top left : sudo emerge -uDNvt @world --with-bdeps=y --changed-deps --keep-going --verbose-conflicts
    Bottom left : ttyload
    Top center : htop
    Top right : atop
    Middle {center, right} && Bottom {center, right} : ttysys


    Before we begin: this article assumes a wiped drive, i.e. a full install with no dual booting, not Parallels or any other virtualization.

    This article is not going to go through the installation itself. There are plenty of posts across the internet explaining that.

    -= Kernel .config =-
    At the time of writing I was using gentoo-sources-4.11.3, but the config file was originally from 4.9.x.
    Here is the .config for gentoo-sources-4.11.3 that I created.

    -= Booting =-
    So I decided to go with GRUB2. The first thing I did was remove, with efibootmgr, every boot entry that was not Gentoo, so that when done it looked like this:
    sudo efibootmgr
    BootCurrent: 0000
    Timeout: 5 seconds
    BootOrder: 0000
    Boot0000* gentoo

    I also had a weird issue where, after GRUB handed off to the kernel, my disk would randomly come up as /dev/sda or /dev/sdb. The easiest fix was to stop referring to /dev/sdX at all and use the UUID/PARTUUID instead, by adding the below to /etc/default/grub:

    The values come from running sudo blkid.
    Mine shows this:
    /dev/sdb1: UUID="B572-A82B" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="90780068-fc39-4371-9cc9-deaf333d4d99"
    /dev/sdb2: UUID="e795a3d1-590d-4c72-86be-fffe93fcb9e8" TYPE="swap" PARTLABEL="swap" PARTUUID="9dc0699e-6830-4279-93fa-70686f94de10"
    /dev/sdb3: UUID="8f2de9ac-7e52-44ec-af63-488be87e8908" TYPE="ext4" PARTLABEL="root" PARTUUID="a852b30c-4543-49d6-969c-4e49ee029b14"

    Once the UUID and PARTUUID were in place there were no more issues, since the old-style device names no longer mattered.

    -= keyboard lights =-
    I followed this link from wiki.gentoo.org to set up keyboard backlight control, except that in the script provided I changed the step from "25" to "2" for finer stepping.

    -= screen back lighting =-
    Again, I followed this link from wiki.gentoo.org to set screen backlight levels, but changed the step in the script from "25" to "5" so the brightness changes gradually.

    -= keyboard iso layout =-
    I had an issue where the tilde key produced < and > instead. To correct this I put this line in /etc/local.d/02-kbd-iso.start:
    echo 0 > /sys/module/hid_apple/parameters/iso_layout

    Since it is a local.d script it runs at boot (the file has to be executable).

    -= lid closing and backlight =-
    The link posted above caused weird issues with lid events, so I installed sys-power/pm-utils and changed the acpid scripts a bit, like so:

    /etc/acpi/events/lm_lid :

    /etc/acpi/actions/lid.sh :
    #!/usr/bin/env bash
    _DBL=/proc/acpi/button/lid/LID0/state  # assumed path; the post did not show this line
    if [ "$(awk '{print $2}' "${_DBL}")" = "closed" ]; then
        xscreensaver-command -lock
    fi

    acpid runs this as root with no X session environment, so for xscreensaver-command to reach your display, DISPLAY and XAUTHORITY for the logged-in user have to be set in the script or passed in by acpid.


    Sup all,

    Sorry for the delay in posting any new articles, but life caught up with me.

    This article is about the Inverse Path USB armory: how to ssh into it, and how to let it reach the outside world through the Gentoo machine it is plugged into.

    As of the time of writing:
    – the image used on the armory was debian base 20170518
    – Gentoo Base System release 2.3
    – Gentoo sources 4.11.2-r1

    Some kernel changes were needed, since the armory shows up as a USB CDC network gadget:

    Device Drivers --->
        [*] Network Device Support --->
            <*> USB Network Adapters --->
                <*>   Multi-purpose USB Networking Framework
                    -*-     CDC Ethernet support (smart devices such as cable modems)
                    <*>     CDC EEM support
                    -*-     CDC NCM support
                    <*>     CDC MBIM support
                    <*>     Host for RNDIS and ActiveSync devices
                <*>   Simple USB Network Links (CDC Ethernet subset)
                    [*]     Embedded ARM Linux links (iPaq, ...)

    With these options, plugging in the armory creates an Ethernet interface; on my machine it is named enp0s20u1 (the name encodes the USB bus/port, so yours may differ).

    Once the image is written to the microSD card and the armory is plugged in, dmesg should show something like this (ignore the first column, it is just dmesg timing):

    [ 1199.466184] usb 1-1: new high-speed USB device number 4 using xhci_hcd
    [ 1199.637025] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a2
    [ 1199.637032] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [ 1199.637035] usb 1-1: Product: RNDIS/Ethernet Gadget
    [ 1199.637037] usb 1-1: Manufacturer: Linux 4.9.28 with 53f80000.usb
    [ 1199.645848] cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 1a:55:89:a2:69:42
    [ 1199.651675] cdc_ether 1-1:1.0 enp0s20u1: renamed from usb0
    [ 1199.659833] IPv6: ADDRCONF(NETDEV_UP): enp0s20u1: link is not ready

    Once it is up, you will want to ssh into the armory and give it internet access. The host side is roughly the next few commands; I have them in a script for convenience but will just paste the raw commands here (YMMV):

    sudo ifconfig enp0s20u1 gateway netmask
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    sudo iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
    sudo /etc/init.d/iptables save
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/iptables start

    wlp3s0 is my wifi uplink; substitute whichever interface holds your default route. If your FORWARD chain policy is DROP you also need ACCEPT rules for traffic between enp0s20u1 and the uplink, or the masquerade alone does nothing.
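The same host-side setup as a script, added here as an example (it is not the script from the post): it uses ip(8) instead of ifconfig, only appends each iptables rule if it is not already there so it can be re-run every time the armory is plugged in, and adds the two FORWARD rules a DROP policy would need. Interface names and the host address are arguments rather than assumptions about your network; DRY_RUN=1 prints the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: the host-side NAT setup from
# the list above, made idempotent.  Needs root unless DRY_RUN=1.
set -euo pipefail

run() {                       # run CMD...: execute, or echo when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

ensure_rule() {               # ensure_rule TABLE CHAIN RULE...: append only if absent
    local table="$1" chain="$2"; shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ iptables -t %s -A %s %s\n' "$table" "$chain" "$*"; return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# armory_nat ARMORY_IF UPLINK_IF HOST_CIDR
#   ARMORY_IF: the cdc_ether interface (enp0s20u1 in the dmesg above)
#   UPLINK_IF: the interface with the default route (wlp3s0 in the post)
#   HOST_CIDR: address for the host end of the USB link, e.g. a.b.c.d/24
armory_nat() {
    [ $# -eq 3 ] || { echo "usage: armory_nat ARMORY_IF UPLINK_IF HOST_CIDR" >&2; return 2; }
    local armory_if="$1" uplink_if="$2" host_cidr="$3"
    run ip addr replace "$host_cidr" dev "$armory_if"     # replace: no error if already set
    run ip link set "$armory_if" up
    run sysctl -q -w net.ipv4.ip_forward=1
    ensure_rule nat    POSTROUTING -o "$uplink_if" -j MASQUERADE
    ensure_rule filter FORWARD -i "$armory_if" -o "$uplink_if" -j ACCEPT
    ensure_rule filter FORWARD -i "$uplink_if" -o "$armory_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # On Gentoo/OpenRC, persist the rules afterwards with: /etc/init.d/iptables save
}

# Example invocation (interface names from the post, address is a placeholder):
#   DRY_RUN=1 armory_nat enp0s20u1 wlp3s0 <host address>/24
```

Note that the MASQUERADE rule, like the one in the post, matches on the outgoing interface only, so it also masquerades anything else the host forwards out of the uplink; add `-s <armory subnet>` to it if you want it scoped to the armory link.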

    Now to test it. Remember that both the user and the password default to "usbarmory":

    ssh usbarmory@
    usbarmory@'s password: 
    Warning: untrusted X11 forwarding setup failed: xauth key data not generated
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Thu May 25 23:53:59 2017 from
    -bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

    And voila!

    You are now in the USB armory. First thing: change the default password with passwd, since it is the same on every stock image; then update it.


    irc bashbot

    sup all,

    happy holidays and all that good stuff.

    so lately i have been working on an irc bot written only in bash.

    i know, sounds like a fucking nightmare and it would have been easier in python but this is fun and it works.

    you can grab it here

    i will write an article in the coming days/weeks explaining all the moving parts and all that fun stuff.

    stay tuned



    I decided to write this command line bar graph (with portions taken from here) that shows the number of files per extension in a dir (recursive or non-recursive).

    The need came about from not wanting to grep, sort and uniq certain folders by hand for what I was doing at the time.

    Here is a link to the script.

    here is the usage animation:

    here is the usage:

        bargraph.sh - show bar graphs of dir file types
        bargraph.sh [OPTION]...
        This script shows a bar graph with the total count
        of files in a dir according to extension.
        -b [character]
                This is to specify what character you want to use to
                draw your bar graphs. If this option is used, place
                the character in quotes (ex: "#").
                Default is "#"
        -d [path]
                This is to specify the path to be used. Need to input
                this for the script to work.
        -e [ext{,ext,ext}]
                This option is to select a single or list of extensions
                to show in the bargraph.
                Usage is either { -e "foo" } for single extension or
                { -e "foo,bar,baz" } for multiple. Always comma separated.
        -h      Show this file (usage).
        -r      Recursive.
        -s      This sorts output according to most files.
                Default is sorted by name.
        -v      Show version.
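For anyone who wants the counting core without the full script, here is an added example (my own, not the linked bargraph.sh) of the two pieces the usage above describes: grouping files by extension, optionally recursing, and rendering the counts as bars with a chosen character. Files with no extension are reported under "(none)", and a leading dot on a hidden file is not treated as an extension; that convention is mine, not necessarily the original script's.

```bash
#!/usr/bin/env bash
# Added example, not the original bargraph.sh.
#   ext_counts DIR [-r]            -> "<ext> <count>" lines, sorted by extension
#   ext_counts DIR [-r] | bars # 40 -> the same data as a bar graph
#   ... | sort -k2,2nr              -> most files first (the -s behaviour)
set -euo pipefail

ext_of() {                    # ext_of NAME: extension without the dot, or "(none)"
    local name="${1##*/}"
    case "$name" in
        .*) name="${name#.}" ;;          # .bashrc: leading dot is not an extension
    esac
    if [[ "$name" == *.* && "${name##*.}" != "" ]]; then
        printf '%s\n' "${name##*.}"
    else
        printf '(none)\n'
    fi
}

ext_counts() {                # ext_counts DIR [-r]
    local -a findargs=("$1")
    [ "${2:-}" = "-r" ] || findargs+=(-maxdepth 1)
    findargs+=(-type f -print0)
    local f
    find "${findargs[@]}" | while IFS= read -r -d '' f; do ext_of "$f"; done \
        | LC_ALL=C sort | uniq -c | sed -E 's/^ *([0-9]+) (.*)$/\2 \1/'
}

bars() {                      # bars [CHAR] [WIDTH]: render "ext count" lines from stdin
    awk -v ch="${1:-#}" -v width="${2:-40}" '
        { cnt[NR] = $NF; sub(/ [0-9]+$/, ""); ext[NR] = $0
          if (cnt[NR] > max) max = cnt[NR] }
        END {
            for (i = 1; i <= NR; i++) {
                len = max ? int(cnt[i] * width / max) : 0   # scale longest bar to width
                bar = ""; for (j = 0; j < len; j++) bar = bar ch
                printf "%-10s %5d %s\n", ext[i], cnt[i], bar
            }
        }'
}

# Usage:  ext_counts "$HOME/src" -r | sort -k2,2nr | bars '#' 40
```

Filtering to a comma-separated list of extensions, as the -e option does, is a `grep -E "^(foo|bar|baz) "` between ext_counts and bars.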

    Sup all

    So I finally decided to have a command run every time my terminal goes idle. After some searching, here is what I came up with: tmux's lock-after-time and lock-command options.

    from the man pages:

    lock-after-time number
            Lock the session (like the lock-session command) after number seconds of inactivity.  The default is not to lock (set to 0).
    lock-command shell-command
            Command to run when locking each client.  The default is to run lock(1) with -np.

    So in my .tmux.rc:

    set -g lock-after-time 360
    set -g lock-command "/usr/bin/asciiquarium"

    asciiquarium starts after 6 minutes of inactivity. Note that lock-command replaces the default lock(1) run, so with asciiquarium in its place nothing is actually locked: the session is back the moment asciiquarium exits. This is eye candy, not a screen lock.


    now that i am back in i have decided to post an updated screenshot of the status page for no real reason.



    sup all

    So I've been working with a FortiSwitch 224D-POE at home for a while, when the thing went batshit on me. When I tried to get into the admin console I realized I had forgotten the password. Below are the steps I used to wipe the switch back to factory defaults with the latest (as of time of writing) firmware.

    First things first, make sure you have a properly pinned console cable.

    Then set up a TFTP server. I used tftp-hpa in non-daemonized mode since I only needed it once.

    Next, restart the switch with the console attached and load the firmware over TFTP (sorry for the awful pics, it was 0400 in the morning when I did this).

    Since the default and data2 partitions were formatted and saved as default, the factory default settings came back.

    Once this was done: voila, back to defaults, and I regained access to the switch.


    hello all

    Just returned from hacker summer camp, having acquired a couple of new YubiKeys, specifically the 4 and the 4 Nano, and I have been configuring them on my Gentoo install just for login.

    Below are the steps to set this up in Gentoo and PAM as a required authentication factor. This article assumes you have already configured your YubiKeys, so I will not go through that.

    the first bunch of packages that we have to install :

    [I] sys-auth/pam_u2f
         Available versions:  (~)1.0.4 {debug}
         Installed versions:  1.0.4(03:25:01 PM 08/10/2016)(-debug)
         Homepage:            https://github.com/Yubico/pam-u2f
         Description:         Library for authenticating against PAM with a Yubikey
    [I] sys-auth/pam_yubico
         Available versions:  (~)2.17-r1 (~)2.19-r1 {ldap test}
         Installed versions:  2.19-r1(02:36:23 PM 08/10/2016)(-ldap -test)
         Homepage:            https://github.com/Yubico/yubico-pam
         Description:         Library for authenticating against PAM with a Yubikey

    so the emerge line would be sudo emerge -av pam_u2f pam_yubico

    Once that is installed we are going to create /etc/pam.d/yubico with the contents of:
    auth required pam_u2f.so cue interactive

    Now we need to create the u2f_keys file under ${HOME}/.config/Yubico using the pamu2fcfg utility:
    sudo pamu2fcfg -u $(logname) >> ${HOME}/.config/Yubico/u2f_keys

    If you are registering more than one key, double-check this file afterwards: pam_u2f wants all of a user's keys on a single line, not one line per key.

    Once this is done, edit both /etc/pam.d/login and /etc/pam.d/passwd and add to both the line:
    auth include yubico

    Once everything is saved, let's test it by pressing Ctrl+Alt+F2; this opens a new login on another tty without logging you out of the current one, so you can back the change out if it fails.

    and bam. fully set up.