LJ Archive

Letters

More Secure SSH Sessions

I read Federico Kereki's January 2014 article “More secure SSH connections”, and the article provides some really good pointers. I would also like to add that small changes to the sshd_config file to ensure that potentially weak ciphers and message digests are excluded can harden the server even more. Additionally, the time out to keep connections alive can be decreased so inactive sessions are closed faster. An example config would be:

Ciphers aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
MACs hmac-sha2-512-96,hmac-sha2-256-96,
↪hmac-sha2-512,hmac-sha2-256

The above may not be suitable for older machines. To check the ciphers that are supported by your sshd implementation, you can check the man page for sshd_config and look for the “ciphers” and “MACs” sections:

Ciphers

Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”. The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour.

These sections list the available ciphers as well as the default order in which they will be used. This is important, as by default your sshd might negotiate a weaker cipher because of the default order. Explicitly specifying the order will eliminate that.

Finally, the above config example I have tested with Debian 7 Stable for SSH server and Windows PuTTY as a client. I have also set up a 4096-bit RSA private key, and the connection works like a charm. The PuTTY bit is important as it seems that many Windows SSH/SFTP programs rely on it for their connections.

Apologies if the above has already been covered in previous articles, and I am just repeating it.

Finally, in future articles, I would like to see if it is possible to secure SSH with one-time passwords (OTP), use dual-factor authentication or even google-authenticator.


Martin

Federico Kereki replies: Martin's comments are appropriate, and can add even more security, as he suggests, by disallowing methods considered less safe. The only point that must be carefully considered is whether all used clients will be able to connect after some methods are restricted. Although for up-to-date clients, the answer should be positive. As to including other ways of authentication, the idea is a good one, and I'll certainly look into it.

Finally, for even more complex rules, which allow for finer-grained controls, I'd suggest looking into the “Match” conditional block rules, which allow specifying different setups depending on the user who's connecting, his or her group, address and more.

Choice of Ads Served

So here I was, trying to learn how to do floating-point arithmetic in bash. Google seemed to think I wanted to visit www.linuxjournal.com/content/floating-point-math-bash. Imagine my surprise when I discovered that an integral part of Linux education are ads that are GIFs of scantily-clad female video-game characters writhing about. While that isn't something that particularly interests me in my free time, it's certainly not something I need to deal with while I'm in my office, surrounded by co-workers and trying to get work done. Thank you so much for not only derailing me from getting coding done but also contributing to the culture that keeps the number of women entering software engineering steadily declining since it peaked in the 1980s.

Guess I'll be following the second and third search-engine hits instead.


K. McNeelyshaw

From time to time, we run Google ad network ads to generate extra much-needed revenue from LinuxJournal.com, and since these are network ads, we do not contract with the individual advertisers. We don't know whose ads will display until they display. Further complicating matters is that different ads will display for different people because of their browsing history. Many advertisers use retargeting to increase the effectiveness of their ads. For example, ever shopped for say, cute dog beds on Amazon and then gotten ads for those same dog beds elsewhere while browsing? Since we have limited control over Google ads, we can't prevent certain ads from displaying, but we can try to eliminate them after the fact. So, if you are ever bothered by a specific ad campaign that is displayed via Google ads on LinuxJournal.com, please feel free to drop us an e-mail to let us know the name of the advertiser. A screenshot of the offending ad would be helpful as well.—Katherine Druckman, LJ Webmistress

A Bundle of Tor

I was especially interested in Kyle Rankin's article “A Bundle of Tor” in the January 2014 issue. In the end, I was able to get the Tor browser up and running in a Linux environment (Lubuntu 13.10), but I must say that the images and explanation in the article were many times “out of date” and not according to the latest state of the Tor setup and browser views.

The text sometimes did not correspond to what I really saw, and the browser and app images in the article were also not really as they currently are in the latest version of the browser.

I would assume that, since it's a brand-new LJ issue, the content of the article would be closer to the “reality”. In my humble opinion, it wasn't. And that's a pity, because for someone new to the Tor browser setup (like me), it can give some confusing impressions and might lead to a non-working (or not-working-as-it-should-work) Tor browser setup.


Geert Vancompernolle

Kyle Rankin replies: I'm sorry to hear that the images and commands weren't up to date enough when you tried everything out. Unfortunately, magazine articles require a bit of lead time compared to Web publishing, and the screenshots and commands were all based on the latest Tor Browser Bundle you could download at the time I wrote the piece in November 2013. That said, apart from filenames being somewhat different (so you may have to adapt the exact command I typed if you downloaded a slightly newer version), the general steps should still be the same. I am surprised that the browser itself looked that different, although perhaps that's just a desktop-theming issue (it could be worse, I normally have a green-on-black theme that I change to something more normal for screenshots). In any case, I do hope you were able to get Tor up and running.

More Secure SSH Sessions, II

I loved Federico Kereki's article on SSH security in the January 2014 issue. I have to admit I was surprised not to see the OAUTH 2 Factor Verification PAM Module mentioned. I use this paired with Google Authenticator to access my machine via SSH. It asks for the verification code on my phone before it even offers a chance for my password. Since it changes every 30 seconds, it makes it even stronger than a password:

#Pam Module dependency
$ sudo apt-get install libpam-devel

#Authenticator PAM Module
$ sudo apt-get install libpam-google-authenticator

# Run as a user to create your hash key, DON'T LOSE IT!
$ google-authenticator

Now add the hash to your Google Authenticator app. Very important: you have to edit your sshd config in /etc/ssh/sshd_config and enable “ChallengeResponseAuthentication” and “UsePAM” by setting them to “yes”. And voilà. Now restart your sshd server and give it a try.


Brian

Federico Kereki replies: This is a valid suggestion (thanks, Brian, for the tip!), and indeed more could be written on one-time password (OTP) systems or two-factor authentication (TFA) systems, such as Google Authenticator and similar ones. I'll keep it in mind for the future. I should point out that NTP configuration is important. Your server and your smartphone should be (reasonably) in sync as to time. Also, you probably should think about configuring sshd to enable other authentication methods, or else be certain never to forget or lose your smartphone if you need to connect to a server! Outside from that, Google Authenticator also can be used for extra security in Web sites to better protect your accounts.

Dave Taylor's Spitfire Photo

Love the Spitfire picture in Dave Taylor's “Framing Images with ImageMagick” article in the February 2014 issue, but I am sure I won't be alone in pointing out they were made by Supermarine, not Submarine. Per ardua ad astra, as they say in the RAF.


Roger Greenwood

Dave Taylor replies: Bah, I blame autocorrect! Thanks for the clarification, mate!

Susan Sons' EOF, I

If I were a better writer, this could have been written by me—well put, Susan. [See Susan Sons' Guest EOF “Girls and Software” in the February 2014 issue.] I'm probably of the same generation as Susan and have had similar experiences, and I'm sick and tired of the “female quota” thing. I'm hoping that initiatives like the Raspberry Pi will allow young girls to discover that there are far more exciting things to do than painting their faces. But it probably requires a major shift in the mindset of ordinary people (parents, grandparents, teachers) to encourage girls to experiment with non-girly pastimes. I keep hoping.


Uschi

Susan Sons replies: Thanks for reading (and for writing).

There's so much we should be doing to expose all kids to more things so they can pick a “just right fit” set of interests for themselves. People spend too much energy on “girls must need this...” or “high IQ kids must need that...” and so on—less demographics, more experimentation.

<Waits for the world to take a deep breath and let kids be kids.>

Susan Sons' EOF, II

Susan's editorial was so honest, so powerful and so transcendent, that she managed to ruthlessly expose one of the most disturbing trends in our modern world—an ever-increasing self-polarization of “wronged groups” that change their lives' narratives into ever more strident “calling out” of their presumed guilty offenders and histrionic elucidation of gross offenses against their group. Paraphrasing Susan, in reality, some people are jerks, some are not, and if the human race is to survive, hopefully the majority will strive to avoid earning the first categorization.

It has always been this way, it always will be, and ultimately the responsibility for which category one falls into lies with the individual, not the group into which they've been categorized by others. Thank you for publishing Susan's take on one instance of this polarizing movement, that of gender inequality in technology fields, and the movement's apparent need to demonize all non-victims as intentional or witless perpetrators of the injustice.

What an amazing person Susan comes across as in her article. I, as one member of the infinitely guilty “white male club” that I had the misfortune of being born into, regret not having had the pleasure of working and interacting directly with such a clear thinker and merit-focused technologist. I'm not in her league by any stretch of the imagination but applaud the mindset that urges humanity to re-focus on accomplishment rather than self-categorization into aggrieved groups and counterattacks against all perceived tormentors.

There are, have been, and will continue to be grievous injustices in the world. At times, it seems we've made no progress at all in addressing the ultimate source of such injustice, our weaknesses as individual human beings. By creating new polarizations in the 21st century that strive to rise to the same level of histrionics as those that wreaked such horrors in the 20th century (Fascism, Communism, etc.), we are only setting the stage for new manifestations of counter-productive revenge rather than focusing on improving ourselves and becoming better human beings, one individual at a time.

Kudos again for publishing one of the most forthright, heartfelt, and powerful articles I've read in any publication in quite a while.


Chris Munger

Susan Sons replies: Thanks, Chris, for your kind words.

I can't fix it all, but I've found through the letters of readers like yourself that there are far more who just want to get things done rather than argue about demographics. That's heartening, because if we can just get more willing to say so in public, things should start getting back to sanity.

Susan Son's EOF, III

I am impressed with Susan Sons' EOF article “Girls and Software”, and the plainness with which she applies common sense to issues that have been taken to absurd levels of complexity due to political correctness. It's very good and refreshing to see these opinions in writing, and now I have this article as a reference to respond with when having discussions on the matter. Unfortunately, in these types of arguments, it looks like only women are entitled to have certain opinions, which leads me to an important point Susan makes in her article: when certain people see that a woman expresses a different opinion, then they say she doesn't represent the female point of view for whatever reason they make up at the moment. To me, this only means that they do not understand how intellectual exchange of opinion works, basically, by listening to all opinions and counter-arguing with facts and reasoning, and not paying attention to the person.

Of course, I don't agree with everything in the article but I mostly concur. In any case, I find it an interesting topic to be brought up in our beloved journal. Thank you, Susan.


Juan Olmedilla

Susan Sons replies: Thanks for the kudos, Juan...hopefully we'll see a return to sanity over time.

Susan Sons' EOF, IV

Susan Sons' EOF piece (February 2014) “Girls and Software” is one of the most refreshing articles I've read anywhere in I don't know how long; you need to keep this “girl” on board—not to disparage the “boys”.

About six years ago, I relocated from Detroit to northeastern Michigan and have gotten to know quite a few folks, including a number of teen and post-teen girls. Something I've noticed is that young girls, 'round here anyway, just aren't like young girls when I was a young boy (which would be 60-some years ago). Lot of farm kids, lot of tough-times kids, willing and hard workers, smart, able, jump right in and make something happen, know how to drive a pickup, know how to drive a snowplow, know how to plow a field, cripes, know how to fix a busted pickup! Perfect candidates for technology, not a few actually doing technology. Overheard a recent conversation comparing the benefits of smartphone operating systems (Android versus Windows versus iPhone) in detail with references, between a 16-year-old, an 18-year-old and a 22-year-old. Serious talk with demonstrations to make a point. A little bit of kid, a lot of savvy (a lot more savvy than I'll ever be about smart or dumb phones).

Seems like just the kind of folks Ms Sons is talking about.

I'd like to hear a lot more from her.


Thomas Ronayne

Susan Sons replies: Thanks for the compliment, Thomas.

I've always thought it funny how much—despite the stereotype of the sheltered upper-middle-class suburban gamer becoming a techie—country life or growing up poor in any environment dovetails with hackerdom.

No one talks about the “maker movement” or hacking there, because it's a way of life. If you need something, you build it. If something breaks, you fix it. When resources are scarce, you improvise. For those who have the interest in computers, applying the same principles there is second nature.

I've thought, for a while now, that kids from these sorts of places are the ones that will save us...save us from the costs of sheltering kids, of keeping them away from work, of not letting them experiment or think for themselves. It matters little whether they become hackers, or apply those skills in some other area.

Susan Sons' EOF, V

I just got my February 2014 issue, and the first article I read was the EOF by Susan Sons. I agree with her that people should be judged on their merit, rather than their sex. This goes for anything, not just our little world of tech.

I grew up in a small town in Washington, and was part of a tech club in high school. There were no girls, not because they weren't welcome, but because of the very dichotomy that Susan discusses in her article. It's sad, because I knew a few girls who wanted to join in, but assumed that they were not welcome because of their sex.

We need more people with the hacker mindset, women included, because we have issues that need solutions, and hackers provide us with the mental resources we need to solve them. We should encourage intelligence and creativity in all of our children, regardless of their sex.


Reed Brousseau

BirdCam

The first time I visited your site I saw a mourning dove in the snow. I absolutely couldn't believe it. I grew up in South Dakota and they are definitely "gone South" for the winter there. [See Shawn Powers' BirdCam articles in the October 2013 and February 2014 issues.]

Anyway, I love visiting the BirdCam page a couple times a day just to see what's going on in your backyard. Great ideas and good implementation.


Bill

Thanks Bill! My family teases me about BirdTopia, but then just moments ago, my wife IM'd me from work saying that she couldn't see the bird bath due to snow, but a mourning dove kept popping its head up over the snowbank, and it made her laugh. The amount of joy I've gotten from the entire project, tech and building, has been incredible. Thanks again—Shawn Powers

Loved Kyle's DNS Article

Two questions: 1) Can we get more like this? I am interested in better security for my personal machine as well as my server on the Net. [See “Own Your DNS Data” by Kyle Rankin in the February 2014 issue.] 2) Regarding DNS specifically, is there a way to test and verify where my queries are going to?

Thanks for the great magazine!


Shawn Freeman

Kyle Rankin replies: I'm glad you liked the column. To answer your first question, I'm devoting at least the first part of this year to security and privacy issues in my column, so you can expect more security content in the coming months.

With respect to where your DNS queries are going, the most definitive way to see where DNS traffic is going is to use a low-level tool like tcpdump or wireshark that can capture packets leaving your system. Since DNS communicates over port 53, you should be able to filter out the rest of your traffic and just view DNS packets. If you don't need a definitive answer, or aren't interested in something that low-level, you always can look at /etc/resolv.conf for a list of nameservers, and if it only lists 127.0.0.1 and you haven't set it to that yourself yet because you are running your own DNS server on the same machine, you may be using a tool like resolvconf on your system and may have to dig through the resolvconf configuration to track down what actual name servers you are using.

LJ Archive