Stuff I'm Up To

Technical Ramblings

Nginx Configuration Synchronisation — May 25, 2020

Back when I built the Nginx failover pair using Nginx and Keepalived, I also required that, should the config change on the master, it would automatically be copied to the backup.

There are some important things you need to do for this to work correctly and not put your failover at risk of failing. The last thing you want to do is bork your master server's config and then automatically copy that broken config to the backup server and screw that one up too.

PAM_LDAP and uniqueMember — May 24, 2020

After upgrading the LDAP server so we could make use of some new features like olc and, in particular, memberOf, I ran into a major issue.

Where many programs requiring memberOf work just great, the Linux id command fails to show anything but the primary group membership taken from the gid attribute.

SSH Multiplexing — May 21, 2020

Typically SSH creates a new TCP session every time you connect to a remote host. But there is a feature of ssh that allows new connections to reuse an existing connection through a local socket, which is called multiplexing.

Obviously this is only really useful if you are connecting via the same host, although through that host you can reach different locations.

Why is this useful?

If I already have a SOCKS connection open to my office gateway I don’t need to open a new TCP connection to pass traffic inside the office network. Ok, you’re still not sold on the idea? Well, we’re using pretty robust authentication on the gateway: multi-factor authentication with private keys, passwords and a one-time code. Without multiplexing, every connection would have to go through that whole authentication again. Add to that fail2ban: get it wrong and your IP is blocked for 90 minutes.

With a multiplexed connection I authenticate ONCE and my subsequent connections go through that already authenticated session.
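As an added example that is not part of the original post, the same multiplexing can be switched on declaratively in ~/.ssh/config instead of by hand with -M and -S; the host alias, user name, hostname and socket path are assumptions:

```ssh_config
# Added example (not the post's own script): the host alias, HostName, User
# and socket path below are assumptions.
Host gateway
    HostName gateway.domain.tld
    User myuser
    Port 22
    # The first connection becomes the master and goes through the full
    # authentication (key, password, OTP); later connections to the same
    # user@host:port reuse its socket instead of opening a new TCP session.
    ControlMaster auto
    # One socket per user/host/port; %C is a hash of those values, so the
    # path stays short and the filename does not reveal the target.
    ControlPath ~/.ssh/cm-%C
    # Keep the master alive for 10 minutes after the last client exits, so a
    # short gap between sessions does not force a fresh authentication.
    ControlPersist 10m
    # Expose the SOCKS proxy from the master session (8123 avoids Docker's
    # use of 1080).
    DynamicForward 8123
```

Check the master with `ssh -O check gateway` and tear it down with `ssh -O exit gateway`. Because anyone who can open the socket inherits the already-authenticated session, the socket's directory must stay private to you (~/.ssh at mode 0700).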

Remotely Mounting a Fileshare — May 19, 2020
SSH and SOCKS — May 18, 2020


Here’s my handy script for bringing a socks proxy up and down. Saves the hassle of finding the PID of the ssh proxy process to kill it when you’re done.


#!/bin/bash
# Control socket and local SOCKS port (both were missing from the extracted script; values are assumptions)
SOCKET="${HOME}/.ssh/socks.sock"
PORT=8123
HOST="myuser@gateway.domain.tld -p 22"

case "$1" in
  up)
    if [ -e ${SOCKET} ]; then
      # Socket file exists: is the master session behind it still alive?
      ssh -S ${SOCKET} -O check ${HOST} > /dev/null 2>&1
      if [ $? -ne 0 ]; then
        # Stale socket: remove it and start a fresh master (-M) with the SOCKS proxy (-D)
        rm -f ${SOCKET}
        ssh -M -S ${SOCKET} -D ${PORT} -f -C -q -N ${HOST}
      fi
    else
      ssh -M -S ${SOCKET} -D ${PORT} -f -C -q -N ${HOST}
    fi
    ssh -S ${SOCKET} -O check ${HOST}
    ;;
  down)
    if [ -e ${SOCKET} ]; then
      ssh -S ${SOCKET} -O check ${HOST} > /dev/null 2>&1
      if [ $? -eq 0 ]; then
        # Ask the master to exit; this closes the SOCKS proxy and removes the socket
        ssh -S ${SOCKET} -O exit ${HOST}
      else
        echo "Already down"
      fi
    fi
    # Clean up a stale socket left behind by a dead master
    if [ -e ${SOCKET} ]; then
      rm -f ${SOCKET}
    fi
    ;;
  *)
    echo "USAGE:"
    echo "Bring the socks proxy up using:"
    echo "  $0 up"
    echo "Take the socks proxy down using:"
    echo "  $0 down"
    ;;
esac

You may want to use a port other than 1080. Whilst 1080 is the conventional SOCKS port, it conflicts with Docker, so I tend to use an otherwise unused port such as 8123.

SSH, OATH OTP and LDAP — May 17, 2020


I got myself into a bit of a knot with this one. We wanted multi-factor authentication set up on the main SSH gateway, and that meant private key, password AND OTP. Yes, a real belt and braces security approach.

What I found was that once I added OATH to PAM, I was logged in as soon as I entered the OTP. Running ssh with -vv for some verbosity, I could see it was still using my private key, so technically I had achieved MFA, or more precisely 2FA.

What I needed was to dig a bit deeper into the workings of PAM. Usually it’s just a case of adding the required PAM entries for LDAP and the job is done; now I had to figure out required, requisite, sufficient and options like [success=1...].

SSH Authorized_Keys and LDAP — May 16, 2020
One Time Password and SSHD — May 1, 2020

I made a bit of a fool of myself suggesting that we add a free means of securing our external SSH gateway by using Google Authenticator. My boss simply turned around and said

“Why would we recommend that all our users get Google accounts just to logon to our services?”

My Boss

It’s because I haven’t fully moved my mindset away from large commercial, free but closed-source services to free and open source ones.

After five minutes I’d got FreeOTP installed on my phone and set up libpam-oath on my ssh server.

Tunnelling RDP over SSH — February 4, 2020
SSH Tunnelling – autossh — January 31, 2020
Lsyncd and Docker — January 29, 2020
Filesystem Synchronisation — January 28, 2020