Category: bsd

Posted on

Configuring OpenBSD to use RADIUS auth

I have a love-hate relationship with RADIUS. RADIUS is the cheap white glue of authentication. Just about everything speaks it, so you can use it as cheap glue to unify passwords across your gear. But it’s a finicky protocol, with lots of edge cases, and those edges can be SHARP.

Okay, perhaps it’s more of a tolerate-hate relationship. But still.

OpenBSD supports using RADIUS to authenticate user accounts. Why would you possibly want to do this? For one thing, if you’re using authpf, it gives you a way to easily synchronize firewall passwords with your Windows domain through the Microsoft Internet Authentication Service. It’s not ideal — ideal would be making all of your users use public key auth — but it’s better than nothing, reduces your support workload, and helps convince management that your firewall is a real solution.

I’m assuming you already have a RADIUS server. Mine is freeRADIUS-2.1.12, but any basic RADIUS server will work.

OpenBSD uses BSD authentication, a competitor to PAM. The RADIUS auth process is documented in login_radius(8), but I’ll walk through the basics.

Configure your RADIUS server to allow access from your OpenBSD box, and assign it a shared secret. My RADIUS server is 192.0.2.2, and my secret is the string Insubordinate. (It’s a lousy secret, but it’s just an example, and I’m tired.)

Create a directory for the server list, and set the permissions as per the man page.

# mkdir /etc/raddb
# chgrp _radius /etc/raddb/
# chmod 755 /etc/raddb/

Create the file /etc/raddb/servers. List each server, and its secret, on its own line.

192.0.2.2 Insubordinate

Now switch your default authentication scheme in login.conf.

#auth-defaults:auth=passwd,skey:
auth-defaults:\
        :auth=radius:\
        :radius-port=1812:\
        :radius-server=192.0.2.2:

The change should take effect immediately. Be sure you have a window logged in as root beforehand, so you can switch back if necessary. If you have trouble, check your RADIUS server’s debugging log, or use a packet sniffer to examine the actual RADIUS dialog.

Your host will now check every password against the RADIUS server. That includes root. You probably want to set up an auth-su class, or only have the authpf class use RADIUS, or some combination thereof. I really recommend requiring anyone who can get an actual shell to log in with public key authentication.

And for those who care, you now know exactly what part of Absolute OpenBSD I’m writing.

Posted on

The Purpose of Tech Books

I just got asked one too many times, “What’s in this book that’s not in the man pages?” And I’ve snapped.

I’m blogging my answer, so I can point here and save myself from typing the answer again.

I’m best known for writing about BSD technologies, a field where the developers are notoriously detailed in their documentation. If you look at the man pages for any open-source BSD, you’ll see that everything is included. If something is missing, it’s a bug. In addition there are extensive, lovingly-maintained FAQs and community-supported handbooks. How could I possibly add anything to than knowledge?

The short answer is: integration and context.

The man pages almost certainly contain everything you want to know. But man pages are not examples. Man pages do not provide context for the use of that knowledge. The ability to read disparate manuals and assemble that knowledge into a working, cohesive whole is a very specific skill. Programmers, in particular programmers who learn new technologies, have that skill. Many systems administrators develop that skill, after years of practice.

Some people can take a whole pile of man pages, assimilate their contents, integrate that knowledge together, and create a holistic understanding of the field they cover. They can extrapolate from documents into use cases, and reverse-extrapolate from actual uses into configuration. If you are one of these people, I have two things to say to you:

1) You do not need my books.
2) You are smarter than me.
3) By attempting to convince me of things I already know, you are wasting your own time.

I also concede that many technology books are nothing more than recitals of man pages. Others are nothing more than collections of screenshots, saying “click the Next box” four hundred times. These books are a waste of electrons and wood pulp. I blame them for dragging down the reputation of technology writing. (I also writhe in envy because these books sell far, far better than mine. But that’s a separate issue)

Good technology writing provides context for the information, and guides the reader to create a holistic understanding. Yes, some people can do that purely by reading man pages. Others need help.

Why should I write a book that competes directly with, say, the FreeBSD Handbook or the OpenBSD FAQ? Not everybody learns in the same way. Discussing the same facts in different language, with a different organization, makes the knowledge take a different path through the reader’s mind. The reader’s job is to use new information to make new connections in their brain, and seeing the same information presented very differently can help.

On a personal level, I do my best to make the job of getting that information easy, and present the reader with a whole bunch of ready-made connections.

If you want me to listen to your proclamation of superiority, I have to say: put your money where your mouth is. Donate the list price of one of my books to an open-source project that I write about. If you feel the uncontrollable need to advertise your superiority, write “That Moron Lucas Is Wasting His Time” in the note field. Copy me on the emailed receipt. At that time I will pay attention to you, in direct proportion to the size of the donation. I won’t change what I do, mind you — I probably won’t even answer the email — but I’ll pay attention to you. And I promise you, the recipient project won’t mind.

Update 5/2/2013: With the OpenBSD book coming out, I’m getting more of these. What really amuses me is that people think it’s important that I know the book is not useful.

Posted on

SSH course at BSDCan 2012

I will be at BSDCan 2012. In addition to poking my nose where it doesn’t belong, spouting insouciance and irrelevance, and derailing important technical discussions with tediously pointless anecdotes about my pet rats, I am teaching a course on SSH.

If you don’t have time to work your way through the SSH book, take a couple hours and and get dragged through it. The course will include material not included in the book, unless it goes too long, in which case I’ll spout off about extra material upon request.

The new FreeBSD Device Drivers book should be out by then, and the author will be there. (Pity poor Joe Kong. He came to BSDCan in 2007, just after his Designing BSD Rootkits came out. I spent the rest of the conference badgering him into writing the FreeBSD Device Drivers book. He spent five years on this project, and is done at long last. I’m sure he’s ready to shout “Ha! Lucas, I’m rid of your stupid project! I’m a free man!” Sadly for Joe, I have another three books he needs to write. Preferably immediately. If he resists my persuasive powers, I’m prepared to use brainwashing techniques.)

If you’re a reader of my blog, you need to go to BSDCan. We received so many excellent paper proposals this year that cutting the list down was physically painful. If you don’t yet have IPv6 up and running, attend the IPv6 tutorial. Or learn about PF. Not to mention two days of really interesting papers. And beer.

Posted on

Small server IPv4/IPv6 pf.conf

I’m deploying IPv6 for my employer. While getting corporate servers up on IPv6 is nice and all, of course I put priority on my own personal Web server.

Just because IPv6 is still populated mostly by early adopters, doesn’t mean we can neglect basic system security. That means that the server needs a packet filter for both IPv4 and IPv6. PF supports filtering both protocols in one ruleset.

The following is a unified IPv4/IPv6 PF ruleset for a small server. It:

  • Allows all traffic from management addresses
  • Allows all ICMP and ICMPv6 traffic
  • Allows traffic to specific ports where we choose to provide service — in this case, SMTP, DNS, and HTTP.
  • Blocks everything else.

    Fill in the IPv4 and IPv6 external addresses, define your interface, adjust the permitted services to match your environment, and you’re ready to go.

    ext_if="em0"
    ext_addr="{192.0.2.40, 192.0.2.41}"
    ext_v6="2001:db8:0:12::2"

    table <mgmt_hosts> const {172.16.0.0/24, 172.16.5.0/24}
    table <v6_mgmt_hosts> const {2001:db8:1:4::2}

    set block-policy return
    set loginterface $ext_if
    set skip on lo0

    scrub in all no-df

    block in all

    pass in on $ext_if proto icmp all
    pass in on $ext_if proto icmp6 all

    pass in on $ext_if inet from <mgmt_hosts>
    pass in on $ext_if inet6 from <v6_mgmt_hosts>

    pass out on $ext_if inet from $ext_addr to any
    pass out on $ext_if inet6 from $ext_v6 to any

    #services we permit
    pass in on $ext_if proto tcp from any to $ext_addr port {25,53,80}
    pass in on $ext_if proto udp from any to $ext_addr port 53
    pass in on $ext_if inet6 proto tcp from any to $ext_v6 port {53,80}
    pass in on $ext_if inet6 proto udp from any to $ext_v6 port 53

    • Posted on

    Print pre-order for “SSH Mastery” now available

    The OpenBSD folks have made pre-orders available for SSH Mastery.

    I’m giving the books to the OpenBSD Project at cost, and they’re selling them at list as a fund-raiser. I make nothing on books ordered through OpenBSD, but the money will go to further OpenBSD, OpenSSH, PF, and who knows what else. I’m going to imagine that the money will support the annual developer barbeque, as buying beer is more fun than buying hardware.

    I will make a decent profit on books sold through Amazon, Barnes & Noble, and brick-and-mortar stores. (Yes, I can get books into brick-and-mortar stores, with a bit of luck, a smidgeon of effort, and just a few ounces of blackmail.) I figure it’ll even out; the general public will order from Amazon.

    When will the books arrive? Once the proofs are approved, I’ll order the OpenBSD books before I approve sale through Amazon. I don’t know when that is yet, but believe me, I want this book out there.

    So, if I make nothing on this, why do it? It’s a good way to support a widely-used project that has written software that makes my job easier. So order yours now!

    Plus, I write about open-source software projects, preferably BSD-based ones. This means that I have to maintain good relationships with those projects. Not only am I a geek, I work at home. My usual social interactions consist of ignoring the threatening emails from the boss, the pet rats asking for treats, and the nagging phone calls from the social worker asking if I’ve taken my meds today. As you might guess, maintaining good relationships is not my strong point. If you have trouble keeping friends, try bribery. I hear it works a treat.

    Posted on

    Installing WHMCS on FreeBSD 9.0-RELEASE

    Or, if you prefer: “WHMCS versus PHP.” Blogged for the next sysadmin searching Google.

    $DAYJOB recently acquired WHMCS to help automate virtual server provisioning, billing, and so on. According to everything I’ve read, WHMCS runs just fine on FreeBSD, so I installed the prerequisites on a 9.0-i386 machine. As with any server for PHP-based Web sites, I verified that the server processed PHP with a simple phpinfo() page. I then grabbed the WHMCS tarball (no link, you must be a customer, sorry), extracted it into the directory, ran the setup program, fed in the database information and license key…

    ..and it wouldn’t run. Calling up the app resulted in a blank page. WHMCS provides troubleshooting instructions for this exact circumstance. I enabled the requested debugging, but couldn’t get WHMCS to produce an error. Adding a bogus argument to my phpinfo() test page made an error appear, so I was confident the failure to display an error message wasn’t a server configuration problem.

    This comes down to FreeBSD’s PHP packaging.

    When you install PHP on the popular varieties of Linux, you generally get a whole slew of PHP extensions with it. BSD-based systems only install exactly what you ask for: if you want PHP but don’t request any extensions, you won’t get any extensions.

    I agree with this approach. Every piece of installed software needs patching and updating. Every piece of installed software is a potential attack vector. If I don’t need a piece of software, I don’t want it on my server.

    WHMCS doesn’t list all of the required extensions. They assume you have a kitchen-sink PHP install. After some reading and research, I found that WHMCS runs fine with the following PHP modules and extensions installed. I’ve included the version numbers for reference, but you should be able to just pkg_add -r all of these by name.

    php5-5.3.8
    php5-bz2-5.3.8
    php5-ctype-5.3.8
    php5-curl-5.3.8
    php5-dom-5.3.8
    php5-extensions-1.6
    php5-filter-5.3.8
    php5-gd-5.3.8
    php5-hash-5.3.8
    php5-iconv-5.3.8
    php5-json-5.3.8
    php5-ldap-5.3.8
    php5-mysql-5.3.8
    php5-openssl-5.3.8
    php5-pdo-5.3.8
    php5-pdo_sqlite-5.3.8
    php5-phar-5.3.8
    php5-posix-5.3.8
    php5-session-5.3.8
    php5-simplexml-5.3.8
    php5-tokenizer-5.3.8
    php5-xml-5.3.8
    php5-xmlreader-5.3.8
    php5-xmlwriter-5.3.8
    php5-zip-5.3.8
    php5-zlib-5.3.8

    I’d really like to trim this down to only what is strictly necessary to run WHMCS, but that information doesn’t seem to be available. I could methodically remove and reinstall extensions to see when WHMCS breaks, but I have better things to do than debug missing docs for a commercial PHP app.

    On the plus side: now that WHMCS is installed, it’s really slick. I’m looking forward to using it. Actually, I’m looking forward to having other people use it for me, so I can do more interesting things than provision servers, accounts, and billing.

    Posted on

    New review of SSH Mastery, and print pre-order status

    There’s a new review of SSH Mastery over at DragonFlyBSD Digest. I’m delighted that Justin liked the book. (Mind you, I’m appalled that he’s actually reading and paying attention to the minutia I occasionally post here. But I’m delighted he liked the book.)

    On the pre-order front: Austin Hook just ordered 200 copies of SSH Mastery for the OpenBSD Project. He will be listing the book for pre-order “soon.” I’ve given them the greatest discount possible, and they’ll be selling the book for list price. Proceeds will go to support OpenBSD/OpenSSH development. I will fill Austin’s order at the first opportunity.

    When is that? When the book exists in finished form. I reviewed the print layout today, made some corrections, and sent them back to the layout person. If she doesn’t kill me outright, I’ll be able to order proofs in a few days. If the proofs show an error, I do another cycle. (Print pages look nothing like on-screen pages.) Once I approve the proofs, I can order books.

    A normal publisher (whatever that means) would have a scheduled print time. They’d push out the release date, and delay the book if necessary to fit that window. That gives them a known release date. Me, I’m not going to set a sufficiently-padded arbitrary date when I can get them sooner.

    And for those of you who wonder when I’m going to quit pushing my wares and post techie stuff again, I’ll have a post on DNSSEC deployment next week.

    Posted on

    SSH Mastery available at Smashwords

    To my surprise, SSH Mastery is available at Smashwords.

    I don’t know if this version will make it through to Kobo and iBooks, but you can buy it now. If I have to update it to get the book through the Smashwords Meatgrinder and into third-party stores, you’d get access to those later versions as well.

    Posted on

    enable DNSSec resolution on BIND 9.8.1

    With BIND 9.8, enabling DNSSec resolution and verification is now so simple and low-impact there’s absolutely no reason to not do it. Ignore the complicated tutorials filling the Internet. DNSSec is very easy on recursive servers.

    DNS is the weak link in Internet security. Someone who can forge DNS entries in your server can use that to leverage his way further into your systems. DNSSec (mostly) solves this problem. Deploying DNSSec on your own domains is still fairly complicated, but telling a BIND DNS server to check for the presence of DNSSec is now simple.

    In BIND 9.8.1 and newer (included with FreeBSD 9 and available for dang near everything else), add the following entries to your named.conf file.

    options {
    ...
    dnssec-enable yes;
    dnssec-validation auto;
    ...
    };

    This configuration uses the predefined trust anchor for the root zone, which is what most of us should use.

    Restart named. You’re done. If a domain is protected with DNSSec, your DNS server will reject forged entries.

    To test everything at once, configure your desktop to use your newly DNSSec-aware resolver and browse to http://test.dnssec-or-not.org/. This gives you a simple yes or no answer. Verified DNSSec is indicated in dig(1) output by the presence of the ad (authenticated data) flag.

    For the new year, add two lines to your named.conf today. Get all the DNSSec protection you can. Later, I’ll discuss adding DNSSec to authoritative domains.