Language Selection

English French German Italian Portuguese Spanish


Syndicate content
Planet Debian -
Updated: 3 hours 17 min ago

Jonathan McDowell: Setting up SSH 2FA using TOTP

Tuesday 30th of April 2019 08:27:23 PM

I spend a lot of time connected to remote hosts. My email and IRC client live on a dedicated server with Bytemark, which makes it easy to access wherever I am in the world. I have a well connected VM for running Debian package builds on using sbuild. At home my Home Assistant setup lives in its own container. And of course that lives on a server which is in the comms room and doesn’t even have a video card installed. At work my test machines are all in the server room rather than noisily on my desk. I connect to all of these with SSH (and screen, though I keep meaning to investigate tmux more thoroughly) - I’ve been doing so since the days of dialup, I’m very happy with the command line and I generally don’t need the overhead of a remote GUI. I don’t think I’m unusual in this respect (especially among people likely to be reading this post).

One of the things I love about SSH is the ability to use SSH keys. That means I don’t have to remember passwords for hosts - they go in my password manager for emergencies, I login with them once to drop my .ssh/authorised_keys file in place, and I forget them. For my own machines, where possible, I disable password logins entirely. However there are some hosts I want to be able to get to even without having an SSH key available, but equally would like a bit more security on. A while back I had a conversation with some local folk about the various options and decided that some sort of two-factor authentication (2FA) was an appropriate compromise; I was happy to trust an SSH key on its own, but for a password based login I wanted an extra piece of verification. I ended up putting the Google Authenticator on my phone, which despite the name is actually a generic implementation of the TOTP and HTOP one-time password algorithms. It’s turned out useful for various websites as well (in particular at work I have no phone coverage and 2FA on O365. Having Authenticator installed makes that easier than having to wave my phone near the window to get an SMS login token).

For the server side I installed the Google Authenticator PAM module, conveniently available in Debian with a simple apt install libpam-google-authenticator. I added:

auth required nullok

to /etc/pam.d/sshd below the @include common-auth line, and changed

ChallengeResponseAuthentication no

in /etc/ssh/sshd_config to be yes instead. servicectl restart sshd restarts SSH and brings the new config into play. At this point password only logins are still ok (thanks to the nullok above). To enable 2FA you then run google-authenticator as your normal user. This asks a bunch of questions - I went for TOTP (i.e. time based), disabled multiple uses and turned on the rate-limiting. The tool will display an ASCII art QR code (make sure your terminal window is big enough) that can be scanned by the phone app. From this point on the account will require an authentication code after a successful password entry, but also allow SSH key only logins.

For the avoidance of doubt, this does not involve sending any information off to Google or any other network provider. TOTP/HOTP are self contained protocols, and it’s the scanning of the QR code/entering the secret key at setup time that binds the app to the server details. There are other app implementations which will work just fine.

(This post mostly serves to document the setup steps for my own reference; I set it up originally over a year ago and have just had to do so again for a new machine.)

Chris Lamb: Free software activities in April 2019

Tuesday 30th of April 2019 05:59:59 PM

Here is my monthly update covering what I have been doing in the free software world during April 2019 (previous month):

  • It was my last month in my tenure as Debian Project Leader after two years in the post. Thank you so much for all the support and kind words that I received in the past few weeks and congratulations to Sam Hartman for being elected to the post for the upcoming year.

  • Attended the conference in Gothenburg, Sweden where I gave a talk entitled "What can free software learn from classical music?". As part of this, I also organised a Debian Bug Squashing Party as part of the conference's Community Day — thanks to Kuro Studio for their hospitality.

  • For the Tails privacy-oriented operating system, I attended an in-person sprint in France where I worked on countless issues, features and adjacent concerns regarding the move to Debian "buster".

  • As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthy board meeting, participated in various licensing discussions occurring on the internet, etc.

  • Opened a pull request against the django-q task queue for projects using the Django web framework project in order to inline a Python import. This prevents circular imports under some toolchain combinations. [...]

  • Opened a pull request for the ADMS code generator for the Verilog-AMS hardware description language to make the build reproducible. [...]

  • More hacking on the Lintian static analysis tool for Debian packages, including:

    • Correct false-positives in the missing-systemd-timer-for-cron-script tag due to an incorrect regular expression. (#927970)
    • Don't check for the x86-specific "SafeSEH" hardening feature for code that is JIT-compiled by the Mono runtime. (#926334)
    • Triaged and accepted a huge number of patches and merge requests that had accumulated, adding a large number of new tags, updating systemd hardening flags [...], etc.
  • Created a quick-and-dirty script to obtain Max Temkin's highlights of Star Trek: The Next Generation. [...]

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month:

I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:

  • Add support for semantic comparison of GnuPG "keybox" (.kbx) files. (#871244)
  • Treat missing tools as failures if a "magic" environment variable is detected in order to faciliate interpreting required tools on the Debian autopkgtests as actual test failures, rather than skipping them. The behaviour of the existing testsuite remains unchanged. (#905885)
  • Filed a "request for packaging" for the annocheck tool which can be used to "analyse an application's compilation". This is as part of an outstanding wishlist issue. (#926470)
  • Consolidated on a single alias as the exception value across the entire codebase. [...]

I spent a considerable amount of time our website this month too, including:

  • Using an explicit "draft" boolean flag for posts. Jekyll in Debian stable silently (!) does not support the where_exp filter. [...]
  • Moving more pages away from the old design with HTML to Markdown formatting and the new design template. [...]
  • Addding a simple Makefile to implicitly document how to build the site [...] and add a simple .gitlab-ci.yml to test branches/builds [...].
  • Adding as simple "lint" command so we can see how many pages are using the old style. [...]
  • Adding an explicit link to our "Who is involved?" page in the footer of the newer design [...] and add a link to donation page [...].
  • Moved various bits of infrastructure to support a monthly report structure. [...]

Finally, I made the following changes to strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build:

  • Workaround Archive::Zip's incorrect handling of the localExtraField class member field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership metadata within .zip and .epub files. (#858431)
  • Actually check the return status from Archive::Zip when writing file to disk. [...]
  • Catch an edge-case where we can't parse the length of a particular field within .zip files. [...]

Debian Debian LTS

This month I have worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.


Finally, I also made the following non-maintainer uploads (NMUs) to fix release-critical bugs for "buster".

FTP Team

As a Debian FTP assistant I ACCEPTed 30 packages: easygen, faudio, golang-github-anmitsu-go-shlex, golang-github-apparentlymart-go-cidr, golang-github-apparentlymart-go-rundeck-api, golang-github-corpix-uarand, golang-github-cyberdelia-heroku-go, golang-github-emirpasic-gods, golang-github-facebookgo-inject, golang-github-fzambia-sentinel, golang-github-gliderlabs-ssh, golang-github-hashicorp-go-safetemp, golang-github-hmrc-vmware-govcd, golang-github-icrowley-fake, golang-github-jesseduffield-gocui, golang-github-jesseduffield-pty, golang-github-jesseduffield-termbox-go, golang-github-kevinburke-ssh-config, golang-github-michaeltjones-walk, golang-github-nozzle-throttler, golang-github-stvp-roll, golang-github-willf-bloom, golang-gopkg-src-d-go-billy.v4, libdmtx, openjdk-13, pmdk-convert, python-deprecated, python-django-debreach, qgis & redfishtool.

I additionally filed 3 RC bugs against packages that had potentially-incomplete debian/copyright files against faudio, libdmtx & python-deprecated.

Sergio Durigan Junior: Debian Bug Squashing Party, Toronto version

Tuesday 30th of April 2019 04:00:00 AM


This past Saturday, April 27th, 2019, Samuel Vale, Alex Volkov and I organized the Toronto Bug Squashing Party here in the city. I was very happy with the outcome, especially the fact that we had more than 10 people attending, including a bunch of folks that came from Montréal!

The start

It was a cold day in Toronto, and we met at the Mozilla Toronto office at 9 in the morning. Right there at the door I met anarcat, who had just arrived from Montréal. Together with Alex, we waited for Will to arrive and open the door for us. Then, some more folks started showing up, and we waited until 10:30h to start the first presentation of the day.

Packaging 101

Anarcat kindly gave us his famous "Packaging 101" presentation, in which he explains the basics of Debian packaging. Here's a picture of the presentation:

And another one:

The presentation was great, and Alex recorded it! You can watch it here (sorry, youtube link...).

During the day, we've also taught a few tricks about the BTS, in order to help people file bugs, add/remove tags, comment on bugs, etc.

Then, we moved on to the actual hacking.

Bug fixing

This part took most of the day, as was expected. We started by looking at the RC bugs currently filed against Buster, and deciding which ones would be interesting for us. I won't go into details here, but I think we made great progress, considering this was the first BSP for many of us there (myself included).

You can look at the bugs we worked on, and you will see that we have actually fixed 6 of them! I even fixed a JavaScript bug, which is something totally out of my area of expertise ;-).

I also noticed something interesting. The way we look at bugs can vary wildly between one DD and another. I mean, this is something I always knew, especially when I was more involved with the debian-mentors effort, but it's really amazing to feel this in person. I tend to be more picky when it comes to defining what to do when I start to work on a bug; I try really hard to reproduce it (and spend a lot of time doing so), and will really dive deep into the code trying to understand why some test is failing. Other developer may be less "pedantic", and choose to (e.g.) disable certain test that is failing. In the end, I think everything is a balance and I tried to learn from this experience.

Anyway, given that we looked at 12 bugs and solved 6, I think we did great! And this also helped me to get my head "back in the Debian game"; I was too involved with GDB these past months (there's a post about one of the things I did which is coming soon, stay tunned).

Look at us hacking:

Wrap up

At 19h (or 7p.m.), we had to wrap up and prepare to go. Because we had a sizeable number of Brazilians in the group (5!), the logical thing to do was to go to a pub and resume the conversation there :-). If I say it was one of the first times I went to a pub to drink with newly made friends in Toronto, you probably wouldn't believe, so I won't say anything...

I know one thing for sure: we want to make this again, and soon! In fact, my idea is to do another one after Buster is released (and after the summer is gone, of course), so maybe October. We'll see.


I would like to thank Mozilla Toronto for hosting us; it was awesome to finally visit their office and enjoy their hospitality, personified by Will Hawkins. It is impossible not to thank anarcat, who came all the way from Montréal to give us his Debian Packaging 101 talk. Speaking of the French-Canadian (and Brazilian), it was super awesome meeting Tiago Vaz and Tássia Camões, and it was great seeing Valessio Brito again.

Let me also thank the "locals" who attended the party; it was great seeing everybody there! Hope I can see everybody again when we make the second edition of our BSP :-).

More in Tux Machines

Audiocasts/Shows: Jupiter (Linux Academy) and TLLTS

Android Leftovers

KMyMoney 5.0.6 released

The KMyMoney development team today announces the immediate availability of version 5.0.6 of its open source Personal Finance Manager. Another maintenance release is ready: KMyMoney 5.0.6 comes with some important bugfixes. As usual, problems have been reported by our users and the development team fixed some of them in the meantime. The result of this effort is the brand new KMyMoney 5.0.6 release. Despite even more testing we understand that some bugs may have slipped past our best efforts. If you find one of them, please forgive us, and be sure to report it, either to the mailing list or on Read more

Games: Don't Starve Together, Cthulhu Saves the World, EVERSPACE 2 and Stadia

  • Don't Starve Together has a big free update adding in boats and a strange island

    Klei Entertainment have given the gift of new features to their co-op survival game Don't Starve Together, with the Turn of Tides update now available. Taking a little inspiration from the Shipwrecked DLC available for the single-player version Don't Starve, this new free update enables you to build a boat to carry you and other survivors across the sea. Turn of Tides is the first part of a larger update chain they're calling Return of Them, so I'm excited to see what else is going to come to DST.

  • Cthulhu Saves the World has an unofficial Linux port available

    In response to an announcement to a sequel to Cthulhu Saves the World, Ethan Lee AKA flibitijibibo has made a unofficial port for the original and a few other previously Windows-only games. As a quick reminder FNA is a reimplementation of the proprietary XNA API created by Micrsosoft and quite a few games were made with that technology. We’ve gotten several ports thanks to FNA over the years though Ethan himself has mostly moved on to other projects like working on FAudio and Steam Play.

  • EVERSPACE 2 announced, with more of a focus on exploration and it will release for Linux

    EVERSPACE is probably one of my absolute favourite space shooters from the last few years, so I'm extremely excited to see EVERSPACE 2 be announced and confirmed for Linux. For the Linux confirmation, I reached out on Twitter where the developer replied with "#Linux support scheduled for full release in 2021!".

  • Google reveal more games with the latest Stadia Connect, including Cyberpunk 2077

    Today, Google went back to YouTube to show off an impressive list of games coming to their Stadia game streaming service, which we already know is powered by Debian Linux and Vulkan. As a reminder, Google said not to see Stadia as if it was the "Netflix of games", as it's clearly not. Stadia Base requires you to buy all your games as normal, with Stadia Pro ($9.99 monthly) giving you a trickle of free games to access on top of 4K and surround sound support.