Configuring OpenBSD to use RADIUS auth

I have a love-hate relationship with RADIUS. RADIUS is the cheap white glue of authentication. Just about everything speaks it, so you can use it as cheap glue to unify passwords across your gear. But it’s a finicky protocol, with lots of edge cases, and those edges can be SHARP.

Okay, perhaps it’s more of a tolerate-hate relationship. But still.

OpenBSD supports using RADIUS to authenticate user accounts. Why would you possibly want to do this? For one thing, if you’re using authpf, it gives you a way to easily synchronize firewall passwords with your Windows domain through the Microsoft Internet Authentication Service. It’s not ideal — ideal would be making all of your users use public key auth — but it’s better than nothing, reduces your support workload, and helps convince management that your firewall is a real solution.

I’m assuming you already have a RADIUS server. Mine is freeRADIUS-2.1.12, but any basic RADIUS server will work.

OpenBSD uses BSD authentication, a competitor to PAM. The RADIUS auth process is documented in login_radius(8), but I’ll walk through the basics.

Configure your RADIUS server to allow access from your OpenBSD box, and assign it a shared secret. My RADIUS server is 192.0.2.2, and my secret is the string Insubordinate. (It’s a lousy secret, but it’s just an example, and I’m tired.)

Create a directory for the server list, and set the permissions as per the man page.

# mkdir /etc/raddb
# chgrp _radius /etc/raddb/
# chmod 755 /etc/raddb/

Create the file /etc/raddb/servers. List each server, and its secret, on its own line.

192.0.2.2 Insubordinate

Now switch your default authentication scheme in login.conf.

#auth-defaults:auth=passwd,skey:
auth-defaults:\
        :auth=radius:\
        :radius-port=1812:\
        :radius-server=192.0.2.2:

The change should take effect immediately. Be sure you have a window logged in as root beforehand, so you can switch back if necessary. If you have trouble, check your RADIUS server’s debugging log, or use a packet sniffer to examine the actual RADIUS dialog between the OpenBSD box and the server.
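To make that sniffed dialog readable, here is an added example (mine, not code from the post or from OpenBSD’s login_radius) of the RFC 2865 packet format in Python: it builds a minimal Access-Request with the User-Password hidden under the shared secret the way the RFC prescribes (a real client such as login_radius adds NAS attributes), then checks the Response Authenticator on the server’s Access-Accept. The user name and password are constructed; the secret is the one from above, and a False from verify_response on a captured reply is the classic symptom of a secret mismatch between /etc/raddb/servers and the server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeding with the Request
    Authenticator. This is secret-keyed obfuscation, not encryption, so the
    shared secret must be strong and the RADIUS path kept off hostile networks."""
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16          # RFC minimum is one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does with its copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """One attribute TLV: Type(1) Length(1, includes the header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(body: bytes) -> list:
    """Return [(type, value), ...]; raise ValueError on a malformed TLV."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs

def access_request(username: str, password: str, secret: bytes,
                   ident: int = 1, request_auth=None):
    """Client (NAS) side. Returns (packet, request_authenticator); the
    authenticator must be fresh random bytes for every real request."""
    ra = request_auth or os.urandom(16)
    body = attribute(USER_NAME, username.encode()) + \
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs=()) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator. False on a captured
    Access-Accept/Reject means the two ends disagree on the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```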

Your host will now check every password against the RADIUS server. That includes root. You probably want to set up an auth-su class, or only have the authpf class use RADIUS, or some combination thereof. I really recommend requiring anyone who can get an actual shell to log in with public key authentication.

And for those who care, you now know exactly what part of Absolute OpenBSD I’m writing.

The Purpose of Tech Books

I just got asked one too many times, “What’s in this book that’s not in the man pages?” And I’ve snapped.

I’m blogging my answer, so I can point here and save myself from typing the answer again.

I’m best known for writing about BSD technologies, a field where the developers are notoriously detailed in their documentation. If you look at the man pages for any open-source BSD, you’ll see that everything is included. If something is missing, it’s a bug. In addition there are extensive, lovingly-maintained FAQs and community-supported handbooks. How could I possibly add anything to that knowledge?

The short answer is: integration and context.

The man pages almost certainly contain everything you want to know. But man pages are not examples. Man pages do not provide context for the use of that knowledge. The ability to read disparate manuals and assemble that knowledge into a working, cohesive whole is a very specific skill. Programmers, in particular programmers who learn new technologies, have that skill. Many systems administrators develop that skill, after years of practice.

Some people can take a whole pile of man pages, assimilate their contents, integrate that knowledge together, and create a holistic understanding of the field they cover. They can extrapolate from documents into use cases, and reverse-extrapolate from actual uses into configuration. If you are one of these people, I have two things to say to you:

1) You do not need my books.
2) You are smarter than me.
3) By attempting to convince me of things I already know, you are wasting your own time.

I also concede that many technology books are nothing more than recitals of man pages. Others are nothing more than collections of screenshots, saying “click the Next box” four hundred times. These books are a waste of electrons and wood pulp. I blame them for dragging down the reputation of technology writing. (I also writhe in envy because these books sell far, far better than mine. But that’s a separate issue.)

Good technology writing provides context for the information, and guides the reader to create a holistic understanding. Yes, some people can do that purely by reading man pages. Others need help.

Why should I write a book that competes directly with, say, the FreeBSD Handbook or the OpenBSD FAQ? Not everybody learns in the same way. Discussing the same facts in different language, with a different organization, makes the knowledge take a different path through the reader’s mind. The reader’s job is to use new information to make new connections in their brain, and seeing the same information presented very differently can help.

On a personal level, I do my best to make the job of getting that information easy, and present the reader with a whole bunch of ready-made connections.

If you want me to listen to your proclamation of superiority, I have to say: put your money where your mouth is. Donate the list price of one of my books to an open-source project that I write about. If you feel the uncontrollable need to advertise your superiority, write “That Moron Lucas Is Wasting His Time” in the note field. Copy me on the emailed receipt. At that time I will pay attention to you, in direct proportion to the size of the donation. I won’t change what I do, mind you — I probably won’t even answer the email — but I’ll pay attention to you. And I promise you, the recipient project won’t mind.

Update 5/2/2013: With the OpenBSD book coming out, I’m getting more of these. What really amuses me is that people think it’s important that I know the book is not useful.

February “SSH Mastery” sales numbers and expenses

I promised several authors results of my private label publishing experiment. I now have sales numbers from February from Amazon, B&N, Smashwords, and CreateSpace. Just like the January post, this comes with some caveats:

  • This includes only SSH Mastery. I have removed my fiction from the totals. Again, fiction sales are considerably lower, but growing.
  • This excludes the 200 copies bought at cost by the OpenBSD/OpenSSH team for fundraising, and the 40 review copies I ordered.
  • I’m not going to regularly report sales numbers to the general public. I will say when I break even.

    Without further ado, here are the numbers:

  • Amazon Kindle: 163 ebooks sold (135 US, 14 UK, 10 DE, 2 FR, 1 IT, 1 ES), for a total of ~$1100.83. (Amazon reports European royalties in euros or pounds, so the exact total will vary with the day they compute the check).
  • Barnes & Noble: 8 ebooks sold, for $51.92
  • Smashwords: 109 ebooks sold, for $869.80
  • CreateSpace: 4 physical books sold, for $41.27
  • Total: 280 ebooks, 4 physical books, for a total of ~$2063.

    I said last month that February sales were lower than January’s. On a per-day basis, they were much lower. But the book only went live on Amazon on 20 January. The excellent January numbers were due to my hard-core fans buying it. (And I thank you all, sincerely.)

    Similarly, the print version was available on 27 February, if you bought it directly from my CreateSpace store. It went live on Amazon on 29 February. One copy sold on the 27th, and three on the 29th. The March average per-day sales per venue will be lower, but the greater number of days will create higher totals.

    A couple sales per day per channel adds up. The B&N sales don’t look impressive, but hey, it’s $52 that I wouldn’t otherwise get, and eight readers I wouldn’t otherwise have.

    I expect sales to go down from this point on. Reviews drive sales. Reviews this far have all been from people who follow my work. There’s nothing wrong with that — indeed, I appreciate every review. But I think I’ve basically worked through all the reviewers in my hard-core fan base. In the future, I must attract disinterested reviews. I have saved the contact information for everyone who has ever reviewed my work, and am working my way through the list offering review copies. I’m going slowly; I’d rather have 3 reviews a month for 6 months than 18 reviews in one month.

    So, what about the expenses? Publishing this cost:

  • $2,581 for the publishing workshop I attended. Mind you, I took two workshops in a row, I flew to Oregon, I rented a car, I ate at a couple really good restaurants.
  • $227 for artwork. My graphic skills are appalling, so I hired a graphic artist. This includes getting all the line drawings for the book done professionally, some touch-up on screenshots, and the Tilted Windmill Press corporate logo in high-res in six different sizes.
  • $226.50 for page layout. I don’t feel like learning to use InDesign right now.
  • $150.00 for copyediting the manuscript.
  • $214.57 for CreateSpace print fees. This includes several rounds of proofs and 40 review copies, as well as the fees to get the book into the Ingram’s catalog for bookstores.

    So, how much more do I need to sell to break even?

    Total expenditures: $3,399.86.
    Total Jan-Feb royalties: $3506.88

    I have made $107.02 in about forty days of sales (assuming my time is free). So, I’d like to give a sincere “thank you!” to the 482 people who bought SSH Mastery in January and February, as well as those who bought it since then.

    Again, this assumes that my time to write, design, lay out, test, corral reviews, and so on, is free. Also, I don’t have that cash in hand yet. Ebook retailers delay payment for 30-60 days after the close of the month or quarter. I’ll get my first check at the beginning of April.

    Clearly, the self-publishing route is viable, if you have good content. (I’ll babble about tech book content, and the distressing quality thereof, some other time.)

    If you want to do this yourself, I strongly recommend that you get into Dean Wesley Smith’s Think like a Publisher workshop. No, I don’t encourage you to go. I command you to go. DWS is a fiction writer, and his other workshops are for fiction writers, but TlAP is suitable for all sorts of writers. I spent weeks pounding my head against the desk trying to figure out how all the different ebookstores work, and this workshop not only solved all those problems, it let me get this book into print as well.

    I’m also going to cut off the Big Question that I get asked any time self-publishing comes up: “What about Absolute OpenBSD, 2nd Edition?”

    Even if self-publishing SSH Mastery turns into an absolute freaking gold mine and self-publishing showers me with riches, I will finish AO2e. I will send it to NSP. I’ve promised that I would do this book, and I know many people are eagerly waiting for it. Breaking my agreement with my publisher and, more importantly, my readers, would be blatant asshole behavior. And I’m just not going to behave that way. AO2e will be the next big book I publish.

    SSH course at BSDCan 2012

    I will be at BSDCan 2012. In addition to poking my nose where it doesn’t belong, spouting insouciance and irrelevance, and derailing important technical discussions with tediously pointless anecdotes about my pet rats, I am teaching a course on SSH.

    If you don’t have time to work your way through the SSH book, take a couple hours and get dragged through it. The course will include material not included in the book, unless it goes too long, in which case I’ll spout off about extra material upon request.

    The new FreeBSD Device Drivers book should be out by then, and the author will be there. (Pity poor Joe Kong. He came to BSDCan in 2007, just after his Designing BSD Rootkits came out. I spent the rest of the conference badgering him into writing the FreeBSD Device Drivers book. He spent five years on this project, and is done at long last. I’m sure he’s ready to shout “Ha! Lucas, I’m rid of your stupid project! I’m a free man!” Sadly for Joe, I have another three books he needs to write. Preferably immediately. If he resists my persuasive powers, I’m prepared to use brainwashing techniques.)

    If you’re a reader of my blog, you need to go to BSDCan. We received so many excellent paper proposals this year that cutting the list down was physically painful. If you don’t yet have IPv6 up and running, attend the IPv6 tutorial. Or learn about PF. Not to mention two days of really interesting papers. And beer.

    Small server IPv4/IPv6 pf.conf

    I’m deploying IPv6 for my employer. While getting corporate servers up on IPv6 is nice and all, of course I put priority on my own personal Web server.

    Just because IPv6 is still populated mostly by early adopters, doesn’t mean we can neglect basic system security. That means that the server needs a packet filter for both IPv4 and IPv6. PF supports filtering both protocols in one ruleset.

    The following is a unified IPv4/IPv6 PF ruleset for a small server. It:

  • Allows all traffic from management addresses
  • Allows all ICMP and ICMPv6 traffic
  • Allows traffic to specific ports where we choose to provide service — in this case, SMTP, DNS, and HTTP.
  • Blocks everything else.

    Fill in the IPv4 and IPv6 external addresses, define your interface, adjust the permitted services to match your environment, and you’re ready to go.

    ext_if="em0"
    ext_addr="{192.0.2.40, 192.0.2.41}"
    ext_v6="2001:db8:0:12::2"

    table <mgmt_hosts> const {172.16.0.0/24, 172.16.5.0/24}
    table <v6_mgmt_hosts> const {2001:db8:1:4::2}

    set block-policy return
    set loginterface $ext_if
    set skip on lo0

    scrub in all no-df

    block in all

    pass in on $ext_if proto icmp all
    pass in on $ext_if proto icmp6 all

    pass in on $ext_if inet from <mgmt_hosts>
    pass in on $ext_if inet6 from <v6_mgmt_hosts>

    pass out on $ext_if inet from $ext_addr to any
    pass out on $ext_if inet6 from $ext_v6 to any

    #services we permit
    pass in on $ext_if proto tcp from any to $ext_addr port {25,53,80}
    pass in on $ext_if proto udp from any to $ext_addr port 53
    pass in on $ext_if inet6 proto tcp from any to $ext_v6 port {53,80}
    pass in on $ext_if inet6 proto udp from any to $ext_v6 port 53

    Book Promotion Methods and Effectiveness

    Lots of people claim to have “the secret” to promoting books. After all, your book is awesome, isn’t it? The problem must be that you aren’t promoting it. You can attend workshops, courses, and buy books that all proclaim The Secret.

    For SSH Mastery, I’m responsible for all of the promotion. I’ve followed the usual advice: I have a blog, I have Twitter, I have a fan page on Facebook, and so on. You can stalk me through any method you choose. I also have real-time access to sales data from Amazon, Smashwords, and Barnes & Noble.

    For this example I’m going to use Amazon data, because Amazon provides very nice graphs through Author Central. If you’re an author and you are not on Author Central, get on it NOW. (Then check it only once a month or so.)

    Here’s the graph for Kindle sales of SSH Mastery, since its release.

    [Graph: Kindle sales of SSH Mastery since release, from Author Central]

    Note that Amazon’s sales ranking algorithms are rather mushy. More than once, according to Author Central, this book has cracked the #10,000 limit. Most of the time, Amazon retroactively changes that. The peaks shown are generally within a day or two of when the sale took place, however. While this is undesirable, it’s better detail than the quarterly or biannual resolution you get from a publisher.

    So, what have I done to promote SSH Mastery? I’ve blogged it. I blog every time it gets a mention in the press. The blog goes into Twitter and Facebook. I also comment on the book via Twitter.

    I also thank people when they say they buy the book or when they review. Even when they don’t like the book. (This book has received all five-star reviews, but more on that later.) Being known as a nice guy, or at least a polite one, or at least “not a screaming jackass,” has publicity value all its own.

    So, how does all this impact book sales?

    There have been four reviews or “general public statements about the book that might not be exactly a review” that I know of:

    Peter Hansteen, 22 Jan 2012
    Justin Sherrill, 2 Feb 2012
    Alexander Leidinger, 3 Feb 2012
    Richard Bejtlich, 6 Mar 2012

    (Wow. I forgot to blog Bejtlich’s review. He is my biggest fan and a staunch advocate of my work, and I completely failed to blog his review. I done him wrong. I’m a doofus.)

    There have also been good reviews posted on all of the ebook sites. I don’t appreciate them any less, but those reviews only help when people go to the retailer’s site. That means that they already know the book exists.

    Compare those dates to the spikes on the graph. Keep in mind the mushiness of the Amazon ranking algorithm. You’ll see that the spikes roughly match up with the reviews. (If I had taken snapshots of this graph on the actual day and the day after the review, the spikes would be much more apparent, but I didn’t think of that until today. Yep, I’m a doofus.)

    There’s another small spike around 20 February that I have no explanation for. I don’t know why it’s there, but I’m glad to see it.

    The initial high sales came from the folks who follow me via my blog, Facebook, Twitter, or some other promotional medium. I was thrilled to see fans buying my work, and of course I appreciate every sale. But that surge didn’t last long, and it’s not enough to sustain a career.

    But reviews expose the book to entirely new audiences. Reviewers are force multipliers. Nurture them.

    In my case, the reviews are all positive. If I really wanted to do an experiment to test the “reviews are the only effective publicity” hypothesis, I’d write a lousy book and see how those reviews impacted sales. But my authorial pride outweighs my scientific curiosity.

    So, the most effective promotion tool? Reviews.

    Other than that: Shut up and write. No, quit jabbering and babbling. Shut up and write. Those words you’re going to use on a comment on this blog post? Put that energy into making your book awesome.

    Shut up and write.

    SolusVM KVM offline migration with shared storage

    I’m building a new virtualization cloud with SolusVM, KVM, and a bit of Xen (to make use of older hardware). Each machine has its own hard disk, but it only holds the local operating system. All virtual machines reside on cheap iSCSI storage, so I can easily migrate VMs from one compute node to another. The goal being, of course, to separate service failures from hardware failures. (I still have to deal with possible storage failures, of course, but hot-swap hard drive arrays reduce my risk somewhat.)

    SolusVM provides a nice front end to the whole Linux virtualization tangle. It does exactly what it claims, and at a reasonable price. I’m happy to pay someone a couple bucks a year per physical server to give me a non-sucky cloud front end that Just Works. One feature that it lacks is live migration for KVM and Xen hosts. Live VM failover is nice, but not essential for my purposes. As part of our Redundant Array of Inexpensive Crap strategy, I cluster VMs as well as physical servers: multiple mail servers, multiple DNS servers, and so on.

    While there’s documentation on how to cold-migrate Xen VMs, there’s no documentation on how to migrate a KVM VM from one node to another, let alone how to do this with shared storage. But the forum says that the Xen method should work with KVM. Let’s try it and see what happens!

    The Xen page talks about replicating the LVM container on the new node. With shared storage, you can skip this step; I defined my SolusVM groups based on the iSCSI device they’re attached to. I imagine the same migration process would work with unshared storage, if you duplicated the disk data first.

    Go into the SolusVM GUI and note the VM number and the node number. For my test, I want to move VM 2 onto node 4. Log onto the master server, become root, and run:

    # cd /scripts
    # ./vm-migrate 2 4
    Virtual server information updated!
    #

    I then tried to start the VM via the GUI, and it wouldn’t boot. Log onto the compute node to find out why. Any time I have a virtualization problem involving multiple pieces of hardware, I check /var/log/libvirt/libvirtd.log. Starting the virtual machine generated this log message:

    14:36:13.417: 1443: error : qemuMonitorOpenUnix:290 : failed to connect to monitor socket: No such process
    14:36:13.417: 1443: error : qemuProcessWaitForMonitor:1289 : internal error process exited while connecting to monitor: inet_listen_opts: bind(ipv4,0.0.0.0,5901): Address already in use
    inet_listen_opts: FAILED

    The KVM instance could not use port 5901, because something else was using it. KVM uses VNC to offer console access, and attaches to a port above 5900. Machine number one’s console is on VNC on port 5901, machine number two on port 5902, and so on.

    The vm-migrate script didn’t change the console port. I went into the VM entry, changed the port by hand, and brought up the machine without trouble. Annoying, but not insurmountable.
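A pre-flight check for exactly this failure, as an added example that is not part of the post or of SolusVM: given the libvirt definitions of every domain on the target node (the XML that virsh dumpxml prints), it reports VNC console ports claimed by more than one domain and proposes the next free one, and it also recognizes the bind failure line from libvirtd.log above. The domain XML below is constructed; only the `<graphics type='vnc' port=…>` element matters.

```python
import re
import xml.etree.ElementTree as ET

# Shape of the qemu bind failure quoted from libvirtd.log in the post.
BIND_FAILURE = re.compile(
    r"bind\((?P<family>ipv[46]),(?P<addr>[^,]+),(?P<port>\d+)\): Address already in use")

def parse_bind_failure(line: str):
    """Return (family, address, port) for a 'bind ... Address already in use'
    log line, or None for any other line."""
    m = BIND_FAILURE.search(line)
    return (m["family"], m["addr"], int(m["port"])) if m else None

def vnc_port(domain_xml: str):
    """VNC console port from a libvirt domain definition, or None when there is
    no VNC graphics device or libvirt autoselects the port (port='-1')."""
    graphics = ET.fromstring(domain_xml).find("./devices/graphics[@type='vnc']")
    if graphics is None:
        return None
    port = int(graphics.get("port", "-1"))
    return port if port >= 0 else None

def vnc_port_conflicts(domains: dict) -> dict:
    """domains maps domain name -> XML for every VM defined on one node.
    Returns {port: [names...]} for each port claimed by more than one domain;
    an empty dict means the migrated VM can be started safely."""
    claimed = {}
    for name, xml in domains.items():
        port = vnc_port(xml)
        if port is not None:
            claimed.setdefault(port, []).append(name)
    return {p: names for p, names in claimed.items() if len(names) > 1}

def next_free_vnc_port(domains: dict, start: int = 5901) -> int:
    """Lowest port >= start not claimed by any domain on the node."""
    used = {vnc_port(xml) for xml in domains.values()} - {None}
    port = start
    while port in used:
        port += 1
    return port

# Constructed sample definitions: kvm2 was just migrated onto this node and
# still carries the console port it had on its old node, colliding with kvm1.
SAMPLE_DOMAINS = {
    "kvm1": "<domain type='kvm'><name>kvm1</name><devices>"
            "<graphics type='vnc' port='5901' listen='0.0.0.0'/></devices></domain>",
    "kvm2": "<domain type='kvm'><name>kvm2</name><devices>"
            "<graphics type='vnc' port='5901' listen='0.0.0.0'/></devices></domain>",
    "kvm3": "<domain type='kvm'><name>kvm3</name><devices>"
            "<graphics type='vnc' port='5903' listen='0.0.0.0'/></devices></domain>",
    "xen7": "<domain type='xen'><name>xen7</name><devices>"
            "<graphics type='vnc' port='-1' autoport='yes'/></devices></domain>",
}

if __name__ == "__main__":
    for port, names in vnc_port_conflicts(SAMPLE_DOMAINS).items():
        print("VNC port %d claimed by %s; next free port is %d"
              % (port, ", ".join(names), next_free_vnc_port(SAMPLE_DOMAINS)))
```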

    Hopefully this helps the next sysadmin searching for this topic.

    SSH Mastery print now on Amazon

    You can now buy the print SSH Mastery from Amazon. The print version isn’t yet linked to the ebook version, but that will happen within 1-3 days.

    To my surprise, Amazon has not discounted the book. I don’t know why. I spoke with their author support desk, and was told that some books get discounted and some do not, according to some internal algorithm that only Amazon knows. All of my other books get discounted before publication. I assume that SSH Mastery will be discounted as well, but I have no idea when. (Yes, Amazon has an author support desk. From clicking “Call me” to resolution and hanging up the phone, total time 2 minutes 29 seconds. I am impressed.)

    For those who are interested in the numbers behind the print version:

  • If you buy from OpenBSD, I make zero. The proceeds go to support OpenBSD/OpenSSH development. I am perfectly content with this.
  • If you buy from Amazon, I make about the same as I would if you bought the ebook.
  • If you buy from my CreateSpace store, I make about twice as much money as an Amazon purchase. But there’s no Amazon Prime, no free shipping when combined with other purchases, and no discount, ever.

    Some thoughts on the CreateSpace store, while I’m at it:

    CreateSpace gives me the store automatically, for free, so I link to it; otherwise, I wouldn’t bother setting it up. Purchases from here are “giving the author extra money because you want to.” And to my surprise, someone actually bought one there, so: thank you, anonymous buyer. (Note that Amazon/CreateSpace also makes more money when you buy from the CS estore.)

    In the event that people actually start buying from the CreateSpace estore, I’d probably set up a PayPal tip jar, so that those folks who want to give me extra money can do so and still get free shipping and/or discounts. It’s a step that I’ve avoided, but if people actually want to overpay me for work I honestly own, who am I to argue?

    SSH Mastery Print Here

    Today, I received a good proof of SSH Mastery. All of the errors I know of are fixed.

    I’ve ordered 200 books for the OpenBSD Project. Those books should be manufactured this weekend and delivered next week. (For the record, the OpenBSD guys have been a pleasure to deal with.)

    Amazon should have the books available in ten days or so, Barnes & Noble and other Ingram-connected bookstores a while afterwards.

    If you absolutely must have the print book now, you can order it through my CreateSpace store. Of all the ways the book is available, I make the greatest profit on books sold through the CS store. (It also charges list price, so I’m not going to push it on people. Only order from there if you want to give me extra money.)

    If you want to pay full price, you can order it from OpenBSD. I give them the books at cost, and the rest benefits OpenBSD and OpenSSH.

    Remote Web Browsing via OpenSSH and PuTTY

    I’m installing SolusVM as a virtualization management system. It lets you manage your private cloud via a Web browser, set up resellers, and so on. When you first log in, the administrative interface locks itself down so that you can only log in from one IP address, in a sort of implicit whitelist. You must explicitly add other addresses. That’s fine, even reasonable. I had three address ranges to add: my office, the headquarters, and Fearless Leader’s office. So I went into the management interface and explicitly added the headquarters’ addresses.

    And I was locked out of the management interface. Apparently the explicit whitelist permitting HQ overwrote the implicit whitelist permitting my workstation.

    I could have opened a ticket with SolusVM and admitted that I’d ignorantly locked myself out. But I don’t like interacting with vendors. I could have driven into the office, but that would involve changing out of my bathrobe. That left logging into the management workstation via a web browser from headquarters. I’m not going to talk one of my coworkers through it if I can avoid it.

    Instead, I used SSH dynamic forwarding to connect to the SolusVM head node from an IP address at headquarters.

    You can do this with an OpenSSH server and either a PuTTY or OpenSSH client. I chose to use PuTTY because that was the computer on the couch with me. I have several OpenSSH servers at headquarters.

    Open a new PuTTY session. Enter the host, username, and server port as normal. Before opening the session, go to the left-hand side of the screen and select SSH -> Tunnels. Enter a “Source port” of 9999. Near the bottom, select “Dynamic.” Now open your SSH connection.

    You now have a SOCKS proxy running on your computer. All traffic sent to port 9999 is sent over your SSH session. Your SSH server connects you to the Internet.

    Go to your Web browser’s connection settings. In Firefox, it’s Tools->Options->Advanced. Select the Network tab, then Settings. Select Manual proxy settings, then enter a SOCKS host of 127.0.0.1 port 9999. Select the SOCKS5 button. Exit the menus, hitting OK all the way back.

    Now your Web browser connects to the Internet via the SOCKS proxy running on your computer. You’re browsing the Web from the IP address of your SSH server.
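What the browser actually says to that port 9999 listener is a short SOCKS5 exchange (RFC 1928). The following is an added example, mine rather than code from the post or from OpenSSH or PuTTY, that encodes and decodes that exchange with Python’s standard library; socks5_connect runs it against a live proxy such as the one ssh -D 9999 opens, while the encoders and parsers work offline. The proxy and target names are constructed; the reply status names are the RFC’s.

```python
import ipaddress
import socket
import struct

SOCKS5 = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def greeting() -> bytes:
    """Client hello offering only 'no authentication'. The SSH dynamic forward
    accepts that because the SSH session itself already authenticated you,
    which is also why the listener must stay bound to 127.0.0.1."""
    return bytes([SOCKS5, 1, NO_AUTH])

def parse_method_selection(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy rejected every offered auth method")
    return data[1]

def connect_request(target: str, port: int) -> bytes:
    """CONNECT request. A hostname is sent as ATYP 0x03 so the SSH server
    resolves it (Firefox: 'Proxy DNS when using SOCKS v5'); an IP literal is
    sent packed. Resolving locally instead would leak every lookup to your own
    resolver even though the TCP connection exits at the SSH server."""
    try:
        ip = ipaddress.ip_address(target)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = target.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_reply(data: bytes):
    """Return (status, bound_address, bound_port); raise ValueError if malformed."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("reply length does not match its address type")
    return status, addr, struct.unpack("!H", rest)[0]

def socks5_connect(proxy_host: str, proxy_port: int, target: str, port: int):
    """Full handshake against a live proxy (e.g. 127.0.0.1:9999 from ssh -D
    9999 or the PuTTY dynamic tunnel above); returns the tunnelled socket."""
    s = socket.create_connection((proxy_host, proxy_port))
    try:
        s.sendall(greeting())
        parse_method_selection(s.recv(2))
        s.sendall(connect_request(target, port))
        status, _, _ = parse_connect_reply(s.recv(262))  # largest possible reply
        if status != 0:
            raise OSError(REPLY_TEXT.get(status, "unknown SOCKS error %d" % status))
        return s
    except Exception:
        s.close()
        raise
```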

    This is much faster than remote browsing options such as Remote Desktop or forwarding X11 over SSH. And it let me log into my SolusVM console without having to communicate with another human being, so everybody wins.

    Of course, you could learn about this sort of trick and more in my new SSH book.