Showing posts with label ubuntu. Show all posts

2023-05-26

YubiKey U2F on Ubuntu

Basic walk through of setting up U2F with YubiKey on Ubuntu 23.04 (should work on recent versions, as well). This follows the official documentation closely, removing anything not necessary for my particular setup.

N.B. this is different from challenge response, a different multifactor method. YubiKeys support multiple protocols, U2F and challenge response being two of them.

Preliminaries:

  • Ubuntu 23.04
  • YubiKey
    • I used the YubiKey 5 series: 5 NFC, 5 C, and 5 Ci. Where necessary, I used an adapter to plug the USB-C key into a standard USB-A port.
Steps:
  • Associate YubiKey U2F with your account
    • Creates a line of text in a file containing your username and the 2nd factor string
    • Move the U2F file to a secure location readable only by root
  • Create PAM configs to require U2F for certain authentication operations, e.g. login, sudo

Create two PAM configs. Creating these configs will allow us to include them rather than copying and pasting the same config lines in multiple other PAM configs in /etc/pam.d.

In these configs, we add the “cue” and “interactive” options which will prompt the user to insert the YubiKey and to touch it.

/etc/pam.d/u2f-required will be the configuration to require the YubiKey:

auth required pam_u2f.so authfile=/etc/yubico/u2f_keys cue interactive

/etc/pam.d/u2f-sufficient will be the configuration which allows using only the YubiKey without a password:

auth sufficient pam_u2f.so authfile=/etc/yubico/u2f_keys cue interactive

For the initial setup, also add the following to the "auth" lines in the above config files:

debug debug_file=/var/log/pam_u2f.log

Then, create an empty debug log file to start: 

sudo touch /var/log/pam_u2f.log

CAUTION: Keep a root shell open in case something goes awry and you can no longer sudo:

normaluser$ sudo bash
#

DO NOT exit this terminal until you are sure at least sudo works. 

Basic idea: in each authentication scenario (i.e. PAM config file) where you want U2F, add the line

@include u2f-required

after the line 

@include common-auth

E.g. to require U2F for sudo, modify the files:
  • /etc/pam.d/sudo
  • /etc/pam.d/sudo-i
These are the PAM configs I updated in /etc/pam.d:
  • gdm-password -- prompts for YubiKey at GUI login screen
  • login -- prompts for YubiKey at console login
  • polkit-1 -- prompts for YubiKey when running GUI apps requiring sudo, e.g. synaptic
  • su -- prompts for YubiKey for su
  • sudo -- prompts for YubiKey for sudo
  • sudo-i -- prompts for YubiKey for sudo -i
The first one to try should be sudo since it is easy to test. Make the modification, then open a new terminal tab/window, and run a simple sudo command, e.g. "sudo ls -l /tmp". It should prompt you to insert the device, and then to touch it:

normaluser$ sudo ls -l /tmp
[sudo] password for normaluser: 
Insert your U2F device, then press ENTER.
Please touch the device. (The YubiKey should start flashing.)
total xx
[listing of files here]

If that did not work, examine the debug log /var/log/pam_u2f.log. Make any adjustments, close out that sudo terminal tab/window, and launch a new one.

Once you are satisfied that everything works, you can remove the “debug debug_file=/var/log/pam_u2f.log” from /etc/pam.d/u2f-required and /etc/pam.d/u2f-sufficient.

Minor annoyance: the GUI popup dialog for sudo authentication won’t accept just ENTER when it says “Insert your U2F device, then press ENTER”: you have to type in at least a SPACE for it to register that you have acknowledged the prompt, and are ready to touch the YubiKey.
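
One way to check the result of the steps above, as an added example that is not part of the original post: it reports, for each PAM service file the post lists, whether "@include u2f-required" follows "@include common-auth", and flags a pam_u2f line that still carries the "debug" option. The function names and the temporary sample directory are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the PAM files edited in this walkthrough.

# Print the status of one PAM service file:
#   ok       "@include u2f-required" comes after "@include common-auth"
#   misorder the u2f include comes before common-auth
#   missing  common-auth is included but u2f-required is not
#   unknown  file unreadable, or it never includes common-auth
u2f_include_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '
        /^[[:space:]]*#/ { next }    # ignore commented-out lines
        $1 == "@include" && $2 == "common-auth"  && !auth { auth = NR }
        $1 == "@include" && $2 == "u2f-required" && !u2f  { u2f = NR }
        END {
            if (!auth)           print "unknown"
            else if (!u2f)       print "missing"
            else if (u2f < auth) print "misorder"
            else                 print "ok"
        }' "$1"
}

# Exit 0 if a pam_u2f auth line in the file still has the bare "debug" option
# (the debug_file=... option alone does not count).
u2f_debug_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_u2f\.so.*[[:space:]]debug([[:space:]]|$)' "$1"
}

# Audit the service files the post lists under a PAM directory (default /etc/pam.d).
audit_pam_dir() {
    local dir="${1:-/etc/pam.d}" svc
    for svc in gdm-password login polkit-1 su sudo sudo-i; do
        printf '%-13s %s\n' "$svc" "$(u2f_include_status "$dir/$svc")"
    done
    for svc in u2f-required u2f-sufficient; do
        if [ -r "$dir/$svc" ] && u2f_debug_enabled "$dir/$svc"; then
            printf '%-13s %s\n' "$svc" "debug-still-on"
        fi
    done
}

# Constructed sample tree, so the demo never touches the real /etc/pam.d.
demo_dir=$(mktemp -d)
printf '@include common-auth\n@include u2f-required\n' > "$demo_dir/sudo"
printf '@include u2f-required\n@include common-auth\n' > "$demo_dir/su"
printf '@include common-auth\n' > "$demo_dir/login"
printf 'auth required pam_u2f.so authfile=/etc/yubico/u2f_keys cue interactive debug debug_file=/var/log/pam_u2f.log\n' > "$demo_dir/u2f-required"
audit_pam_dir "$demo_dir"
```

Run audit_pam_dir with no argument to check the real /etc/pam.d once the changes are in place.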

2015-05-20

Ubuntu swap partitions across upgrades

I recently upgraded from 14.10 Utopic to 15.04 Vivid, and only just realized that the swap partition was not mounted. Had to reformat it, and update /etc/fstab since the UUID had changed, too.

2014-02-19

Missing Adobe fonts

If you try to start up a remote X11 application to display on your Ubuntu machine, and get errors complaining about missing fonts like:
-adobe-helvetica-medium-r-*-*-10-*-*-*-*-*-iso8859-1
here's how to fix it.

You have to install not just fonts, but also the font server. First, the font server:
sudo apt-get install xfs xfstt 
and the fonts:
sudo apt-get install t1-xfree86-nonfree ttf-xfree86-nonfree ttf-xfree86-nonfree-syriac xfonts-75dpi xfonts-100dpi
And then, restart X11 on your Ubuntu machine, or just reboot.

How to get "normal" scrollbars in Ubuntu Unity

I hate the little scrollbar in Ubuntu because on a laptop, it's harder to get precise control of the cursor to hit the few-pixel-width area (the orange bit in the first image below).

To get "normal" scrollbars, type this command:
gsettings set com.canonical.desktop.interface scrollbar-mode normal



Should you want to get the Ubuntu-style scrollbar back, reset the parameter:
gsettings reset com.canonical.desktop.interface scrollbar-mode 

2013-08-23

Exchange email support for Evolution on Ubuntu 13.04 Raring Ringtail

First, a little personal update: I have just left Wake Forest University, and joined Drexel University as a senior systems administrator in charge of the high performance computing University Research Computing Facility.

There are some dependencies which have not been properly encoded into the Exchange MAPI plugin for Evolution in Ubuntu 13.04. To get MAPI support, you must install: evolution-mapi and python-samba.

I was not able to get Exchange MAPI to work with Drexel's Exchange server: the issue was during the authentication step. However, using Exchange Web Services works. This uses Exchange's web service, which presents all the data in XML. To use this, the evolution-ews package has to be installed. Then, for the Host URL, use the usual web access address, appended with /EWS/Exchange.asmx. So, if the webmail address is https://exchangeweb.myorganization.com/ the Host URL for Evolution will be https://exchangeweb.myorganization.com/EWS/Exchange.asmx

UPDATE: There is a bug in the exchange-ews package: there is an issue with sending mail. To fix, edit the file in ~/.config/evolution/mail/sources/ that contains a line that starts "Email=", and change it to Email=myemail@myorganization.com

2013-01-22

Cinnamon desktop for Ubuntu 12.10 Quantal

I wish I had discovered this sooner. I've been using Unity for months and never did get used to it very well. I installed the Cinnamon desktop over the weekend, and it works like an old-fashioned desktop.
sudo add-apt-repository ppa:gwendal-lebihan-dev/cinnamon-stable
sudo apt-get update
sudo apt-get install cinnamon
When logging in, click on the small Ubuntu logo, and select the desktop environment you want.

2012-11-28

Full-disk encryption on Linux Mint 14

UPDATE 2014-06-29: Unfortunately, when I updated the comment system to use Google+, it cleared out the old comments, which happened to be somewhat helpful.

I have just tried, and failed, to get full-disk encryption on Linux Mint 14 (see also this Ars Technica review). I'm writing this post in the hopes that someone can figure out how to get it to work.

As part of my university's ongoing efforts to improve data security, we have just been required to encrypt the drives on our work-issued laptops.

Ubuntu 12.10 Quantal Quetzal introduced the full-disk encryption option into their default installer. Previously, it was only available via the text-mode installer available on a separate "alternate" image. However, despite using Quantal for several months, I find the Unity GUI really annoying, and decided to try Linux Mint 14 with the Cinnamon desktop GUI. The Cinnamon GUI is a GNOME 3 fork, so it uses 3D compositing, but presents a GNOME 2-like interface (or Windows-like), which I prefer.

Unfortunately, Linux Mint 14 did not adopt Quantal's Ubiquity installer, so the full-disk encryption option was not available. Andreas Haerter has written a good guide to full-disk encryption on Ubuntu prior to 12.10, and included a shell script which automates a lot of the process. I made some small modifications to the script for Mint: renaming LVM volume names, using optimal alignment in parted. However, Ubiquity now crashes after I specify the mount points and it starts doing the install proper.

Maybe someone out there has an idea of what might be broken?

My modified script is here:


2012-05-22

Laptop hibernate in Ubuntu 12.04 LTS Precise Pangolin

Having switched back to Ubuntu Unity/GNOME from KDE on my laptop, I discovered that the option to hibernate (i.e. suspend to disk) was disabled.
This is due to a bug in policykit-desktop-privileges. To reënable, here are instructions. You have to create (use sudo) a local policykit authority file /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla and add the following stanza:
[Re-enable hibernate by default]
Identity=unix.user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
You will probably have to log off and then back on again for it to take effect.

UPDATE: In addition, for "suspend" (i.e. suspend to RAM), you will need the apmd package. The upower and pm-utils packages are also required, but those should have been installed by default.

2012-03-01

How to disable Unity global menus in Ubuntu

Wow. I am really hating this new Blogger interface. I just managed to completely delete the post again. "Revert to Draft" doesn't mean revert to original content when you edit an existing post, it just completely erases the existing content. Then, when you hit the "Close" button, the now blank post is saved, thereby losing your content.

In any case, the original post griped about Unity's auto-hiding global menubar, and gave a tip to remove it, which is to remove the package that provides that feature:

    sudo apt-get purge indicator-appmenu

If you want to completely revert Ubuntu to a stock GNOME 3 UI, there are extensive instructions here. In particular, the crazy disappearing scrollbar handles which are as easy to grab onto as eels.

2011-05-12

Mounting .dmg files in Ubuntu

Every now and then, it may be useful to mount a Mac OS X .dmg (disk image) file in Linux. I just had to do this to get some Canon printer drivers (PPD files) which were distributed in a .dmg file.

There are two steps (not including installing the applicable packages which make reading Apple's HFS+ disk format possible):

  1. convert the .dmg file into a .img file
  2. mount the resulting .img disk image
Before that, install the hfsplus package which allows accessing HFS+ volumes. This will probably install libhfsp0 as a co-requisite. You will also need the dmg2img package to convert the compressed .dmg image format to an uncompressed .img format.

Once you have the appropriate packages installed, do the following (assume the .dmg file is mydisk.dmg):

    $ dmg2img mydisk.dmg
    $ sudo modprobe hfsplus
    $ sudo mkdir /mnt/mydisk
    $ sudo mount -t hfsplus -o loop mydisk.img /mnt/mydisk
    $ cd /mnt/mydisk

2011-05-10

Compiling 64-bit code in Ubuntu

Compiling, and in particular linking, 64-bit code in Linux is always a bit of a pain due to the coëxistence of 32-bit libraries. In Ubuntu 11.04 Natty Narwhal (and possibly previous versions), the 64-bit libraries are in two directories:
  • /lib/x86_64-linux-gnu
  • /usr/lib/x86_64-linux-gnu 
UPDATE: There are symbolic links in the places Fedora/RedHat expects them: /lib64 and /usr/lib64