
Using google authenticator with OpenBSD SSH logins

For an introduction on two factor authentication please see: http://en.wikipedia.org/wiki/Two-step_verification


NOTE: Make sure you leave a terminal with root access if you are using a remote system until you have tested that you can indeed authenticate to it!

Steps tested on OpenBSD 5.4; the QR code was generated with tools on an EL6 client. I'm mainly documenting this here so I can remember how to do this again.

1. Install the login_oath-*.tgz package, e.g.

# pkg_add -v http://mirror.planetunix.net/pub/OpenBSD/5.4/packages/i386/login_oath-0.8p1.tgz

Make sure to look over the readme: /usr/local/share/doc/pkg-readmes/login_oath-version

2. Add a new login class by editing /etc/login.conf, then change the user(s) to use it.

# The TOTPPW login class requires both TOTP and passwd; the user must
# supply the password in the format OTP/password, e.g. 816721/axlotl.

totppw:\
        :auth=-totp-and-pwd:\
        :tc=default:

Change the login class of the user(s), e.g.

# usermod -L totppw username

3. Generate a random key in the user's home directory

$ openssl rand -hex 20 > ~/.totp-key

Note: Make sure your home directory and this file are not world readable! Otherwise you will be prevented from logging in.

4. Convert hex string key to base32

The documentation shows Perl; I have supplied equivalent code in Python.

import binascii
import base64
import sys

# Convert the hex key written by "openssl rand -hex 20" into the base32
# form that login_oath and Google Authenticator expect.
if __name__ == '__main__':
    if len(sys.argv) != 2:
        print('Syntax: %s HEXKEY' % sys.argv[0])
        sys.exit(1)

    print(base64.b32encode(binascii.unhexlify(sys.argv[1])).decode('ascii'))

5. Generate a QR code so you don't have to type a long random sequence into your smart phone. Free web based generators exist, but only use one you trust.

$ qrencode -o ~/.totp-key.png "otpauth://totp/?secret=BASE32SECRET&issuer=Your name, etc."

More info: http://code.google.com/p/google-authenticator/wiki/KeyUriFormat

6. Using Google Authenticator, create a new software key from the QR code you created. If you don't want to create a QR code, create a new entry, set it to time based and enter the 64 characters. I'm guessing it may take a few tries to get it correct.

7. Test that Google Authenticator and oathtool --totp `cat ~/.totp-key` match. If they don't, make sure the date and time on both the phone and the computer match.

8. Using a separate terminal, ssh to the remote system with just the password; this should fail. Then try OTP/password as your password and you should be authenticated.
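The pieces of the procedure above in one place, as an added example that is not from the original post or from login_oath: the hex-to-base32 conversion (step 4), the otpauth URI fed to qrencode (step 5), the RFC 6238 TOTP value that Google Authenticator and oathtool compute (step 7), and a simplified model of how the totppw class splits the OTP/password field (steps 2 and 8). The sample key is the RFC 6238 reference secret written as the hex string openssl would leave in ~/.totp-key; the label and issuer strings are assumed.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample key: the RFC 6238 reference secret "12345678901234567890"
# as the hex string that 'openssl rand -hex 20' would leave in ~/.totp-key.
SAMPLE_HEX_KEY = "3132333435363738393031323334353637383930"

def hex_to_base32(hex_key):
    """Step 4: hex key -> base32 (20 bytes give 32 characters, no '=' padding)."""
    return base64.b32encode(binascii.unhexlify(hex_key.strip())).decode("ascii")

def otpauth_uri(base32_secret, label, issuer):
    """Step 5: the otpauth:// URI qrencode turns into the QR code; label and issuer are free text."""
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (quote(label), base32_secret, quote(issuer))

def totp(hex_key, unix_time, step=30, digits=6):
    """Step 7: RFC 6238 TOTP (HMAC-SHA1, 30 s steps), what Google Authenticator and 'oathtool --totp' show."""
    key = binascii.unhexlify(hex_key.strip())
    counter = struct.pack(">Q", unix_time // step)          # time step as 8-byte big-endian counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def check_otp_password(supplied, hex_key, unix_time, expected_password):
    """Steps 2 and 8, modelled here in Python (not login_oath's own code): the totppw
    class takes 'OTP/password' in the password field and both halves must match."""
    otp, sep, password = supplied.partition("/")
    if not sep:
        return False
    otp_ok = hmac.compare_digest(otp, totp(hex_key, unix_time))
    pwd_ok = hmac.compare_digest(password, expected_password)
    return otp_ok and pwd_ok

if __name__ == "__main__":
    b32 = hex_to_base32(SAMPLE_HEX_KEY)
    print(otpauth_uri(b32, "user@openbsd", "Home"))       # assumed label and issuer
    print("current code:", totp(SAMPLE_HEX_KEY, int(time.time())))
```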

Buffer bloat mitigation with OpenBSD pf

For an introduction to buffer bloat read more here: http://en.wikipedia.org/wiki/Bufferbloat

My home network utilizes OpenBSD and the built in packet filter (pf). I use cable for broadband internet and found that if I tried to upload a large file my internet connection became very unstable with high amounts of latency. After utilizing tools such as http://netalyzr.icsi.berkeley.edu/blog/ it became obvious that I was suffering from buffer bloat.

After some searching I came across the altq support in pf and tried some configuration changes to reduce the buffer bloat in my setup.

I added a queue for my external network card with the following:

altq on $ext_if bandwidth 1Mb hfsc queue { bb }
queue bb bandwidth 100% qlimit 9 hfsc ( default )

and the corresponding rule to tag outgoing traffic on that interface into this queue:

pass out on $ext_if keep state queue( bb )

My home connection is advertised as 5Mb down, 1Mb up. In testing I get about 1.1Mb up, so I set up my outgoing queue to limit outgoing traffic to 1Mb. A typical setting would be 97% of the maximum. One of the most important values in the queue setup is the number of buffers (qlimit). Mine is currently set at 9. This is how I determined what the value should be.

Maximum upstream bandwidth in packets per second is the upstream bandwidth in bytes per second divided by the size of a packet. In my case 1000000/8 = 125000 bytes per second, divided by 1460 bytes (size of a packet), yields about 85 packets a second. So if I set my queue limit to 85 packets, a packet at the back of a full queue waits about 1 second, which is the latency I would see. I like my latency low, so I divided by 10 to aim for about 100ms of latency under full upstream use, which gives 8.5, rounded up to 9.
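The sizing rule above as a small calculator, an added example that is not part of the original post: it turns an altq-style bandwidth into packets per second, derives the qlimit for a target latency (rounding up, never below 1), reports the worst-case latency a given qlimit implies, and emits the three pf.conf lines from the post. The interface name em0 and the 1460-byte packet size are assumptions; the 97% throttle is the typical setting the post mentions.

```python
import math
import re

# Multipliers for the bandwidth units pf's altq syntax accepts (b, Kb, Mb, Gb).
_UNITS = {"b": 1, "Kb": 10 ** 3, "Mb": 10 ** 6, "Gb": 10 ** 9}

def parse_bandwidth(spec):
    """Turn an altq-style bandwidth such as '1Mb' into bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(b|Kb|Mb|Gb)", spec.strip())
    if not m:
        raise ValueError("bad bandwidth spec: %r" % spec)
    return float(m.group(1)) * _UNITS[m.group(2)]

def packets_per_second(bits_per_second, packet_bytes=1460):
    """Upstream capacity in packets: bytes per second divided by bytes per packet."""
    return bits_per_second / 8 / packet_bytes

def qlimit_for_latency(bits_per_second, target_latency_s, packet_bytes=1460):
    """Queue depth (packets) that drains in target_latency_s at full rate; round up, never below 1."""
    return max(1, math.ceil(packets_per_second(bits_per_second, packet_bytes) * target_latency_s))

def worst_case_latency(qlimit, bits_per_second, packet_bytes=1460):
    """Seconds a packet at the tail of a full queue waits: the whole queue drains ahead of it."""
    return qlimit * packet_bytes * 8 / bits_per_second

def pf_queue_lines(ext_if, upstream_spec, target_latency_s, fraction=1.0, packet_bytes=1460):
    """Emit the altq/queue/pass lines from the post, throttled to `fraction` of the line rate."""
    bps = parse_bandwidth(upstream_spec) * fraction
    ql = qlimit_for_latency(bps, target_latency_s, packet_bytes)
    return "\n".join([
        "altq on %s bandwidth %dKb hfsc queue { bb }" % (ext_if, bps / 1000),
        "queue bb bandwidth 100%% qlimit %d hfsc ( default )" % ql,
        "pass out on %s keep state queue( bb )" % ext_if,
    ])

if __name__ == "__main__":
    # The post's own numbers: 1Mb up, 100 ms target, 1460-byte packets -> qlimit 9.
    print(pf_queue_lines("em0", "1Mb", 0.1))                 # em0 is an assumed interface name
    print("worst case latency at qlimit 9: %.3f s" % worst_case_latency(9, 1e6))
    print(pf_queue_lines("em0", "1.1Mb", 0.1, fraction=0.97))  # the 97%-of-measured variant
```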

So how does it work?

Average pings to slashdot.org in milliseconds

Idle connection:                 23.8   ( 0% packet loss)
Maxed upstream use:              95.1   ( 0% packet loss)
Maxed upstream without altq:   2083.4   (10% packet loss)

Quite the improvement!

Thanks to the information on https://calomel.org/pf_hfsc.html for helpful tips.

Fool me once, shame on you, fool me twice …

American Water Heater Company, the maker of the water heater I installed, issued me a return authorization number for the water heater that would not run when installed per the instructions. I installed the new one (1/5) and this one works better (it will start), but still not great. It makes noise when starting and the flame is quite yellow and badly shaped. I have posted videos of the start and flame for technical support to look at.

This is the replacement unit starting : http://youtu.be/_Bb3IgamFdo

I contacted technical support again via email and sent them video footage of the poor flame. After a few days technical support contacted me again and FedEx'd me a smaller orifice to try, a #30. The heater comes standard with a #29. I installed this smaller orifice and the unit ran very poorly: http://youtu.be/ml-uqXvCrp8

At this point I gave up; I contacted a local contractor and scheduled an install of a new furnace and water heater. I was done trying to make this water heater work.

The replacement water heater was returned to Lowe’s for a refund. Lowe’s was very helpful throughout this very frustrating experience.

You shall not heat!

As I was unable to correct the negative pressure causing my atmospherically vented natural gas water heater to back draft at start, I decided to replace it. The 15 year old AO Smith 40 gallon, 40K BTU water heater had absolutely no issues, except that it left our household yearning for more hot water.

Obviously a new atmospheric vented water heater was out as it would exhibit the same problem as the old one. What other options are there?

  • Atmospheric (what we had)

This is the old type that has existed since the beginning of water heating: burner on the bottom with a flue up the center, which has a draft hood and vents out a chimney. The exhaust is very hot because of the low efficiency, so it naturally rises and vents out the chimney.

  • Direct vent

Sealed combustion, uses outside air for combustion. Non-powered (no electricity), horizontal and vertical venting with a special pipe-within-a-pipe with very stringent requirements. Not used very often, as the water heater basically needs to be right against the wall. This is basically an atmospheric water heater with sealed venting and is typically not very energy efficient.

  • Powered direct vent

Sealed combustion, requires electricity, horizontal and vertical venting using plastic pipe. These have a wide range of efficiency ratings.

  • Power vent

Open combustion which uses inside air, requires electricity, horizontal and vertical venting using plastic pipe. These have a wide range of efficiency ratings.

Since 2003 water heaters have had Flammable Vapor Ignition Resistant (FVIR) technology. This prevents home owners from blowing up their houses due to heavier than air explosive vapors. It has caused water heaters to rise dramatically in complexity and price. It has also been the cause of class action lawsuits.

As I was trying to mitigate a negative air pressure issue, I went with a powered direct vent. I purchased and installed a 50 gal, 60K BTU Powerflex Direct (PDVG62-50T60-NV) from Lowe's. My dad and son helped with the install and after about 6 hours it was ready to go. I filled it up, went over the check list and then plugged it in. The gas was lit by the hot surface igniter, then it sounded like a rapid sequence of explosions and the unit turned off. This was repeated twice more and the unit got stuck in lock out. I called technical support and after talking for a while we decided to have a plumber come out and take a look, but that would be the next day!

We need some air in here!

In a previous posting I mentioned running into an issue with our water heater failing to draft when all the exhaust fans and the clothes dryer were running. I did some research and through testing I thought the entire issue could be resolved by adding more "make-up air". Thus I added a 6″ duct into our mechanical room, in addition to our existing 5″.

You would think that having ~48″ sq. of open hole to the outside would mitigate any possible negative pressure, but you would be wrong. The water heater still failed to draft in worst case CAZ testing.

I called a local HVAC contractor to evaluate. They spent 3 hours trying different things, including adding 3′ to our chimney, but no joy!