37 PubkeyAuthentication yes ... 56 PasswordAuthentication no ... 61 ChallengeResponseAuthentication yes ... 84 UsePAM yes ... 123 Match User USERNAME 124 AuthenticationMethods publickey,keyboard-interactive

restart sshd service

sudo systemctl restart sshd.service

2019
01.10

creating ed25519 SSH keys

Category: Linux, ssh / Tag: linux, ssh / Add Comment

SSH key creation

$ ssh-keygen -t ed25519

Generating public/private ed25519 key pair. Enter file in which to save the key (/home/USERNAME/.ssh/id_ed25519):

enter a passphrase

Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/USERNAME/.ssh/id_ed25519_test. Your public key has been saved in /home/USERNAME/.ssh/id_ed25519_test.pub. The key fingerprint is: SHA256:SHA256-HASH USERNAME@HOSTNAME The key's randomart image is: +--[ED25519 256]--+ |.................| |.................| |.................| |.................| |.................| |.................| |.................| |.................| |.................| +----[SHA256]-----+

copy SSH key to remotehost

ssh-copy-id username@remotehost

or manually copy .ssh/id.ed25519.pub into .ssh/authorized_key on your remotehost

2019
01.08

1/3 2FA with Google Authenticator

Category: 2FA, Linux / Tag: 2FA, linux, ubuntu / Add Comment

Install libpam-google-authenticator

sudo apt-get install libpam-google-authenticator

Configure google-authenticator for your User

USERNAME@HOSTNAME:~$ google-authenticator Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/USERNAME@HOSTNAME%3Fsecret%GENERATED-SECRET%26issuer%3HOSTNAME Your new secret key is: YOUR-SECRET-KEY Your verification code is VERIFICATION-CODE Your emergency scratch codes are: EMERGENCY-SCRATCH-CODE-1 EMERGENCY-SCRATCH-CODE-2 EMERGENCY-SCRATCH-CODE-3 EMERGENCY-SCRATCH-CODE-4 EMERGENCY-SCRATCH-CODE-5 Do you want me to update your "/home/USERNAME/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y

Scan the QR-Tag with your preferred Authenticator-App

2019
01.03

VM disk resizing without downtime

Category: ESX, Linux, VirtualBox / Tag: esx, linux, virtualbox / Add Comment

!! Create a snapshot or a full-backup before you start !!

!! any mistake will destroy your system !!

1. Resize the virtual HD to new size

2. Start fdisk

# fdisk /dev/sda Welcome to fdisk (util-linux 2.27.1). Changes will remain in memory only, until you decide to write them. Be careful before using the write command.

3. Show Partitions

Command (m for help): p Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xa8cb592 Device Boot Start End Sectors Size Id Type /dev/sda1 * 2048 999423 997376 487M 83 Linux /dev/sda2 999424 41940991 40941568 19.5G 8e Linux LVM

Remember the partition start: 999424

4. Delete the old partition

Command (m for help): d Partition number (1,2, default 2): 2 Partition 2 has been deleted.

5. Recreate partition

The new partition must start at the same sector where the old started. In this case at 999424

Command (m for help): n Partition type p primary (1 primary, 0 extended, 3 free) e extended (container for logical partitions) Select (default p): p Partition number (2-4, default 2): 2 First sector (999424-83886079, default 999424): Last sector, +sectors or +size{K,M,G,T,P} (999424-83886079, default 83886079): Created a new partition 2 of type 'Linux' and of size 39.5 GiB.

6. Set Partition type

Command (m for help): t Partition number (1,2, default 2): Partition type (type L to list all types): 8e Changed type of partition 'Linux' to 'Linux LVM'.

7. Check created Partition

Command (m for help): p Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xa8cb592e Device Boot Start End Sectors Size Id Type /dev/sda1 * 2048 999423 997376 487M 83 Linux /dev/sda2 999424 83886079 82886656 39.5G 8e Linux LVM

8. Write new partition to disk

Command (m for help): w The partition table has been altered. Calling ioctl() to re-read partition table. Re-reading the partition table failed.: Device or resource busy The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

9. Inform the OS of partition table changes

# partprobe

10. Resize the physical volume

# pvresize /dev/sda2 Physical volume "/dev/sda2" changed 1 physical volume(s) resized / 0 physical volume(s) not resized

11. Check LVM Volume group

# vgdisplay --- Volume group --- VG Name sysvg System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 10 VG Access read/write VG Status resizable MAX LV 0 Cur LV 5 Open LV 5 Max PV 0 Cur PV 1 Act PV 1 VG Size 39.52 GiB PE Size 4.00 MiB Total PE 10117 Alloc PE / Size 4755 / 18.57 GiB Free PE / Size 5362 / 20.95 GiB VG UUID 6LlZ7P-M6by-7ISL-C9CP-iNFH-fo16-gBsclg

www.skux.ch/blog

3/3 Desktop Login with 2FA

2/3 2FA for ssh with Google Authenticator and Public Key

add your SSH keys to the host

configure sshd