Stuff I'm Up To

Technical Ramblings

SSH, OATH OTP and LDAP — May 17, 2020

I got myself into a bit of a knot with this one. We wanted multi-factor authentication set up on the main SSH gateway, and that meant private key, password AND OTP. Yes, a real belt and braces security approach.

What I found was that if I added OATH to PAM, then as soon as I entered the OTP I was logged in. Running ssh with -vv to get some verbosity, I could see it was using my private key – so technically I had achieved MFA, or more precisely 2FA.

What I needed was to dig a bit deeper into the workings of PAM. Usually it’s just a case of adding the required PAM entries for LDAP and the job is done; now I had to figure out required, requisite, sufficient and options like [success=1...].

SSH Authorized_Keys and LDAP — May 16, 2020
Resetting the Root Password — May 15, 2020
Nextcloud, LDAP and Password Changes — May 14, 2020

Using Nextcloud with LDAP is straightforward enough: you just add the “LDAP user and group backend”. We wanted to use Nextcloud to let our LDAP users change their own password, and this is where things get sticky.

Our Nextcloud was configured just how we like our other LDAP auth systems – with a read-only user that’s able to bind and query only. Try as I might, I could not get Nextcloud to change a user’s password, even though the user was granted write access to their own password in the LDAP ACL on the server.

There were a number of wider things to change before users could change their password; it wasn’t just this use of a read-only binding.

One Time Password and SSHD — May 1, 2020

I made a bit of a fool of myself suggesting that we add a free means of securing our external SSH gateway by using Google Authenticator. My boss simply turned around and said

“Why would we recommend that all our users get Google accounts just to logon to our services?”

My Boss

It’s because I haven’t fully moved my mindset away from large, commercial, free but closed-source services to free and open-source ones.

After five minutes I’d got FreeOTP installed on my phone and set up libpam-oath on my SSH server.
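The PAM ordering problem from the SSH, OATH OTP and LDAP post above (an OTP module marked sufficient short-circuits the stack) and the libpam-oath setup in this post, shown together as an added example. This is not the author's configuration: the file paths, the /etc/users.oath secrets file, the Debian-style pam_unix/pam_ldap chain and the sshd_config lines are all assumptions; pam_oath's usersfile, window and digits options are real oath-toolkit options.

```text
# /etc/pam.d/sshd  (added example, not the author's file; assumes libpam-oath
# and pam_ldap are installed and /etc/users.oath holds the per-user secrets)

# Short-circuit: "sufficient" hands success straight back to sshd the moment
# the OTP verifies, so the LDAP password stage below is never reached.
#auth sufficient pam_oath.so usersfile=/etc/users.oath window=20 digits=6

# Chained: "required" records an OTP failure but keeps going, so a bad OTP
# still gets asked for a password and the caller cannot tell which factor
# failed. Nothing below can turn that recorded failure into a success.
auth required pam_oath.so usersfile=/etc/users.oath window=20 digits=6

# Password stage (Debian common-auth pattern): local account first; on
# success skip the two lines after it. Otherwise try LDAP with the same
# password; on success skip one line. If both are ignored, pam_deny fails.
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so

# /etc/ssh/sshd_config (relevant lines only, assumed)
UsePAM yes
PasswordAuthentication no                  # no plain password method at all
KbdInteractiveAuthentication yes           # ChallengeResponseAuthentication on older OpenSSH
AuthenticationMethods publickey,keyboard-interactive:pam
```

The AuthenticationMethods line is what makes the private key mandatory in addition to the PAM conversation: sshd must see a successful publickey exchange and then a successful keyboard-interactive round (OTP prompt followed by password prompt) before the session opens. Disabling PasswordAuthentication closes the route where the PAM stack is driven by the plain password method instead.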

Asterisk + WebRTC — April 16, 2020

Enable WebRTC so you can use a plain old HTML5 browser to make calls.

I had already configured Asterisk’s HTTP server to use my Let’s Encrypt certificates. This was pretty much redundant for HTTP usage, as I always put systems behind an Nginx reverse proxy where I can.

http.conf

[general]
servername=pbx.domain.tld
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes            ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
tlscertfile=/etc/asterisk/keys/fullchain1.pem ; path to the certificate file (*.pem) only.
tlsprivatekey=/etc/asterisk/keys/privkey1.pem ; path to private key file (*.pem) only.

/etc/nginx/conf.d/asterisk.conf

Snippets added to the Nginx configuration to proxy to the Asterisk /ws path.

Note the use of the non-HTTPS port (8088) for the upstream Asterisk: Nginx terminates TLS, so the hop to Asterisk on localhost stays plain HTTP.

upstream asterisk {
  server 127.0.0.1:8088;   # Asterisk's plain HTTP port; TLS is terminated by Nginx
}
server {
  ...
  location /ws {
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;
    proxy_pass http://asterisk/ws;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection headers passed through
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # keep the long-lived SIP-over-WebSocket connection from being closed as idle
    proxy_read_timeout 999999999;
  }
}

pjsip.conf

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

ps_aors (realtime table)

Set max_contacts to 5.

ps_endpoints (realtime table)

Set dtls_auto_generate_cert to yes and webrtc to yes.
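The post applies the aor and endpoint settings through the ps_aors and ps_endpoints realtime tables; as an added example (not the author's file), here is the static pjsip.conf equivalent alongside the transport above, so the full set of options for one browser endpoint is visible in one place. The endpoint name, context, codecs and the placeholder password are assumptions.

```text
; pjsip.conf (added example, not the author's file): static equivalent of the
; ps_aors / ps_endpoints rows described above.

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

[browser1]
type=aor
max_contacts=5              ; the same user may register from several tabs/devices
remove_existing=yes         ; the oldest registration is dropped when the limit is hit

[browser1]
type=auth
auth_type=userpass
username=browser1
password=CHANGE-ME-PLACEHOLDER   ; placeholder: set a unique per-endpoint secret

[browser1]
type=endpoint
aors=browser1
auth=browser1
context=internal            ; assumed dialplan context
disallow=all
allow=opus
allow=ulaw
webrtc=yes                  ; enables DTLS-SRTP, ICE, AVPF and rtcp-mux in one option
dtls_auto_generate_cert=yes ; Asterisk generates the DTLS certificate for this endpoint
```

With webrtc=yes the media between the browser and Asterisk is DTLS-SRTP, and the signalling rides the TLS connection Nginx terminates; the auth section is still the only thing stopping anyone who can reach /ws from registering as browser1, which is why the password must not stay at its placeholder value.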

References

https://wiki.asterisk.org/wiki/display/AST/Configuring+Asterisk+for+WebRTC+Clients

https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5

https://www.bidon.ca/fr/notes/asterisk-webrtc

Jitsi + Asterisk = Jigasi — April 15, 2020
Asterisk – IAX — April 14, 2020
Asterisk – SIP + TLS — April 13, 2020
Asterisk and PostgreSQL — April 12, 2020

I started out wanting a real-time database connection to our existing LDAP server. This went well, but involved importing a schema into the LDAP cn=config and mapping the data into Asterisk.

It then became apparent that the effort involved in linking Asterisk to LDAP didn’t really produce the key result that I was after. My whole reason for linking Asterisk to LDAP was to share our users’ authentication credentials with their SIP devices. After I’d deployed it, I discovered that Asterisk would store its credentials in different fields and, what’s worse, the password could only be plain text or an MD5 hash.

If our users must use a separate credential for logging into a SIP device, then using LDAP is no longer of interest to me. We may as well use a database – enter PostgreSQL.

Wireguard Config Builder — April 10, 2020

Back in the day when OpenVPN ruled the seas, installing it, securing it and authenticating clients with certificates was a process involving plenty of effort. Now with WireGuard the setup is a breeze.

Pretty much install wireguard, generate a key pair and start it up!

It sounds too easy, but it is. But let’s cover a few essentials, so you understand what you need to provide to get it working.

Wireguard on a Raspberry Pi — April 9, 2020