bcrypt in Debian

Posted on 2012-03-11 by nanaya

WARNING: using method below will lock yourself out when using emergency console since whatever crypt it’s using surely doesn’t understand bcrypt (as I experienced myself). Additionally, this solution won’t add bcrypt support to other applications using crypt interface like proftpd unless it’s started by preloading libxcrypt.so first (also from my own experience).

As much as Drepper want to pretend bcrypt is wrong solution, it actually gives one benefit: ease of switch to Linux. Some systems use bcrypt by default or configurable to use it. On other case, there might be time where you need system’s (or applications using system’s) crypt to handle bcrypt passwords from external system (usually web applications).

It’s quite difficult to enable bcrypt support in RHEL based distro as there is no libxcrypt and pam_unix2 packages available. Thankfully it’s available in Debian (and derivatives) in package libpam-unix2.

The README.Debian says to modify files in /etc/pam.d but if I remember it correctly, it confused apt PAM handling system or whatever. Fast forward few weeks, I discovered a better way to use it by creating PAM configuration in /usr/share/pam-configs. Since it’s mostly equivalent to normal pam_unix, I just copy and modify the file using this (long-ass) oneliner sed:

sed -e 's/pam_unix.so/pam_unix2.so/g;s/^Name: Unix authentication$/Name: Unix2 authentication/;s/pam_unix2.so obscure sha512/pam_unix2.so obscure blowfish rounds=8/;s/ nullok_secure//' /usr/share/pam-configs/unix > /usr/share/pam-configs/unix2

Then execute pam-auth-update, select Unix2 authentication and deselect Unix authentication. Don’t forget to update passwords for all other users as well or they won’t be able to login since pam_unix2 doesn’t recognize sha based hashes.

Actually, change all other users password to use md5 first before replacing the PAM with pam_unix2.

Update 2012-04-01: Removed nullok_secure since it isn’t supported.

Update 2012-06-09: Added warning.

nginx/php single config for SSL and non-SSL connection

Posted on 2012-01-23 by nanaya

This morning I noticed I haven’t upgraded WordPress MU Domain Mapping plugin to the latest version. It supposedly brings better SSL support. And after upgrading I couldn’t log in to my mapped domain blogs (e.g. this blog). Wasn’t it a great way to start my morning?

After some digging, I found out the problem was because I don’t have one PHP(?) parameter – HTTPS – passed properly. It should set to True whenever one is using SSL connection otherwise there’s no way the PHP process can know if the connection is secure or not. Previous version of WPMUDM have a bug in which skips SSL check but in turn enables using HTTPS even without such parameter. Decided it’s my fault (I believe it would completely breaks phpMyAdmin), adding the parameter then I did.

But it’s not that simple: I’m using unified config for both my SSL and non-SSL connection’s PHP include. Splitting the config would make the duplication worse (it’s already relatively bad as it is) so that’s not an option. Using the evil if is also not a solution since it doesn’t support setting fastcgi_param inside it.

Then the solution hit me. The map module – a module specifically made for things like this and to avoid usage of if. I tested it and indeed worked as expected.

Here be the config:

...
http {
  ...
  map $scheme $fastcgi_https {
    https 1;
    default 0;
  }
  ...
  server {
    ...
    location ~ .php$ {
      ...
      fastcgi_param HTTPS $fastcgi_https;
    }
...

And WordPress MU Domain Mapping is now happy.

Update 2012-02-20: nginx version 1.1.11 and up now have $https variable. No need to have that map anymore.

User Management in Solaris 10

Posted on 2011-11-08 by nanaya

We’re back with Solaris 10 administration series. This time, it’s the user management part.

Securing the Password

For God knows why reason (probably legacy), the default password hashing algorithm in Solaris 10 is the classic UNIX DES hashing. To change it, edit /etc/security/policy.conf and find line starting with CRYPT_DEFAULT and change it to this:

CRYPT_DEFAULT=2a

(you can also set to other value but 2a should be good enough)

And to change the root password, first edit /etc/shadow and append $2a$ to the 2nd (password) field like this:

root:$2a$afgfdg....:...

or else chaning the root password using passwd won’t be set using the newly configured algorithm.

Creating User

First of all remember that there’s character limit of 8 for username in Solaris. Linux doesn’t have this but it’ll break ps (displaying UID instead of username). Also creating directory in /home is not possible because of several reasons. The proper way is to create home directory somewhere and create relevant entry in /etc/auto_home.

useradd -s /bin/bash newuser
mkdir -p /export/home/newuser
chown newuser:staff /export/home/newuser
printf "%st%sn" "newuser" "localhost:/export/home/newuser" >> /etc/auto_home
passwd newuser

This will let Solaris to automount (loopback filesystem/lofs) the actual directory (in this case /export/home/newuser) to /home.

Of course you can set the directory somewhere else, though having home not in /home feels weird.

Secure password, version 2

Posted on 2008-08-30 by nanaya

There’s this link for tutorial how to create secure and easy to remember passwords.

More or less it’s the same as the one I posted months ago, just now with character-to-symbol replacement method. Reducing the need to create unnecessary long sentence to get symbols etc.

[ [Read](http://kylehasegawa.com/content/the-perfect-password-plan) | [My old post](https://blog.myconan.net/posts/222) ]

_Last update 2011-07-11 10:31: markdown-fied, fixed link, added tags and categories_

Easy way to create rather secure and easy to remember password

Posted on 2008-05-03 by nanaya

Long title is looooooooooooong. LOL.

The steps:

* Create (long) sentences (usually two) that’s easy to remember and contains numbers and symbols (ex: I have smartly bought & waste money on manga that the anime has just aired this season, Zettai Karen Children, for $10. It’s a good read though!)
* Take first letter of each words, except for numbers and symbols (from above: Ihsb&wmomttahjats,ZKC,f$10.Iagrt!)
* That’s it, LOL. (and the example above is too long. 2 sentences with 5 word each should be sufficient 😛 )

Last update 2011-07-11 10:32: ~~markdown-fied~~, tagged and categorized

myconan/blog

Herp a derp

Tag Archives: security