Using MFA for Sudo Only

Passwords are weak, and we know it, so methods such as key-based authentication are often used for connections like SSH. However, once you have SSH'd in to the system, using a password to elevate to root seems like a weak point just where you want to be more secure.

# sudo apt-get install libpam-google-authenticator
# sudo google-authenticator

This will then prompt you with a number of choices. Answer yes to the first one to enable TOTP.

To enable MFA codes to be used for authentication for sudo, add the following lines to /etc/pam.d/sudo just before the @include lines.

# nano /etc/pam.d/sudo
Comment out these lines:
#@include common-auth
#@include common-account
#@include common-session-noninteractive

And add these:
auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so

Once set up and tested, you can disable the password on your account using:

# passwd -l

Make sure you think through the possible scenarios for using this technology, and securely take a copy of your backup keys in case you lose your MFA device.

You can remove the nullok once all users have been set up with a secret key via google-authenticator.
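A check worth running before removing nullok, added here as an example and not part of the original post: while nullok is set, a user with no ~/.google_authenticator file skips the TOTP step and pam_permit.so then grants sudo with no authentication at all. The function names, the passwd-format input file and the sample users alice and bob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the PAM stack shown above.

# Print active (uncommented) pam_google_authenticator.so auth lines.
ga_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' "$1"
}

# Succeed if an active line still carries nullok.
has_nullok() {
    ga_lines "$1" | grep -qw nullok
}

# Print each named user whose home directory (looked up in a passwd-format
# file) has no .google_authenticator secret file.
users_without_secret() {
    passwd_file=$1; shift
    for user in "$@"; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")
        { [ -n "$home" ] && [ -f "$home/.google_authenticator" ]; } || echo "$user"
    done
}

# With nullok set, unenrolled users skip the TOTP check and pam_permit.so then
# succeeds, so they get sudo with no authentication. Report them.
audit_sudo_mfa() {
    pam_file=$1; passwd_file=$2; shift 2
    if ! ga_lines "$pam_file" >/dev/null; then
        echo "FAIL: no active pam_google_authenticator.so line"; return 2
    fi
    if has_nullok "$pam_file"; then
        missing=$(users_without_secret "$passwd_file" "$@" | tr '\n' ' ' | sed 's/ $//')
        [ -z "$missing" ] || { echo "UNPROTECTED: $missing"; return 1; }
    fi
    echo "OK"
}

# Constructed sample data: alice has enrolled, bob has not.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/home/bob"
: > "$demo/home/alice/.google_authenticator"
printf '%s:x:1000:1000::%s/home/%s:/bin/sh\n' alice "$demo" alice > "$demo/passwd"
printf '%s:x:1001:1001::%s/home/%s:/bin/sh\n' bob "$demo" bob >> "$demo/passwd"
printf 'auth required pam_google_authenticator.so nullok\nauth required pam_permit.so\n' > "$demo/sudo"
audit_sudo_mfa "$demo/sudo" "$demo/passwd" alice bob || true   # UNPROTECTED: bob
rm -rf "$demo"
```

On a real host, pass /etc/pam.d/sudo, /etc/passwd and the members of the sudo group as the arguments.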

Finally Solved – Nextcloud SMB Not Working on Ubuntu 20.04

After banging my head against this problem from a different server, as WSL is not there yet for running personal production services, I finally managed to hit the right keywords to google-fu the answer. php-smbclient has been dropped from the official repositories and so can only be installed via a PPA.

Installing using the following commands finally sorted it for me, credit to Markus for this solution (linked below):

echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt-key adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 4F4EA0AAE5267A6C        
apt-get update && apt-get install php-smbclient
phpenmod smbclient
service apache2 restart 


https://markus-blog.de/index.php/2020/06/10/how-to-install-nextcloud-19-on-ubuntu-20-04-with-postgresql-12-php7-4-fpm-apache2-and-http-2/

Fixed: Obelisk not working in Ableton Live

So when using the Frozen Plains Obelisk plugin in Ableton Live 10 (I'm running 10.1.15), following Frozen Plains' instructions doesn't work.
If you change the 2nd drop down on the synth/instrument track to Obelisk64 instead of Pre FX then it will work.

Additionally, if you don't want to record a whole extra MIDI track for the Obelisk track, then instead of arming both tracks, just set the Obelisk track to In on the monitoring and then arm the instrument you want to record. This has the added benefit of being able to easily have multiple instruments using Obelisk and switch to record on whichever one you want to play.

Ideal Obelisk and instrument settings.
Obelisk MIDI track set to monitor In.
Two different MIDI instrument tracks set to Obelisk64 instrument In and Obelisk64 instead of Pre FX or Post FX. One instrument track armed.

Checking a Certificate Chain

Use the following one-liner to check a certificate chain in detail:

openssl crl2pkcs7 -nocrl -certfile chained.crt | openssl pkcs7 -print_certs -text -noout | less

Use this command to produce a simple list of the chain in order:

echo "" | openssl s_client -connect www.google.com:443 2>&1 | grep -A 6 "Certificate chain"

# If you're testing a local server which is listening on the same port for different headers, use this:
echo "" | openssl s_client -connect 172.217.169.4:443 -servername www.google.com 2>&1 | grep -A 6 "Certificate chain"

Solved: RKHunter Useful information in emails

I was trying to get this working by configuring the MAIL_CMD like so:

echo -e "Subject: [rkhunter] Warnings found for ${HOST_NAME}\n\n" $(egrep -x "^\[.*\] Warning:.*" /var/log/rkhunter.log) | sendmail

It works but included a little extra part of the egrep command for some reason.

I couldn't get around this but then I remembered we were going to be calling this using cronic ( https://habilis.net/cronic/ )
So I just changed my crontab to:

cronic rkhunter --check --rwo --no-mail-on-warning

Now I get the warnings in beautiful emails like so:

============================================

Cronic detected failure or error output for the command:
rkhunter --check --rwo --no-mail-on-warning

RESULT CODE: 1

ERROR OUTPUT:

STANDARD OUTPUT:
Warning: The file properties have changed:
         File: /usr/bin/mail
         Current inode: 18331    Stored inode: 18308
         Current file modification time: 1574699160 (25-Nov-2019 16:26:00)
         Stored file modification time : 1574686593 (25-Nov-2019 12:56:33)
Warning: The file properties have changed:
         File: /usr/bin/mail.mailutils
         Current inode: 18320    Stored inode: 18297

START TIME: Mon Nov 25 16:28:01 UTC 2019
END TIME:   Mon Nov 25 16:28:34 UTC 2019

=========================================

Running Byobu by Default on Zsh

To make Byobu default on your local machine

byobu-enable currently only modifies your .bashrc and .bash_profile. To get Byobu launching by default with Zsh you need to follow these instructions.

Add the following line to the bottom of your ~/.zshrc:
_byobu_sourced=1 . /usr/bin/byobu-launch 2>/dev/null || true

To make Byobu default when SSH’ing into a machine

Add the same line to the bottom of ~/.zprofile.

Update: I've not been able to get this working on AWS. I'm using Ubuntu… anyone got any additional tips?