Posts Tagged: Authentication

To restrict an Active Directory Group to a single VPN Tunnel Group

Scenario: Let’s say you have Cisco ACS up and running and it is already talking successfully to your Active Directory installation. You also have an existing VPN client remote-access configuration where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”. Now you have an Active Directory group called “RG_VPN_ITNET” and want to ensure that the only VPN remote-access profile that group can use is that existing configuration.


Setting up SSH Alerts to iPhone

This is sort of a follow-up to my SSH screencast series on remote access to your Mac. Maybe you are paranoid like me and want to know when a connection has been made to your Mac, when a wrong username has been tried, or even when a login fails on a good username. You also want to know this no matter where you are. I was inspired by the script written by Whitson Gordon over at Macworld on automatically turning off your wireless AirPort interface. Note that what I have below has only been tested on my Snow Leopard setup; I leave it up to you if you are on Leopard or even Tiger. BTW, update your system if you are as far back as Tiger. C’mon, join the modern world. You will need Growl installed, then growlnotify, and last a Growl push notification service like Prowl. Then have the Prowl app on your iPhone or iPad. Read on for the scripts and how to get it all working.


Cisco – AAA Exclude Console Port for Local Backup access

Man. Today I was putting a core 4507R switch onto our TACACS+ AAA controls. The main IT admin for that site got all fussy: what if my TACACS account is locked out and it’s an emergency? He did not like the answer “call the corporate helpdesk to have it unlocked.” So I had to figure out how to make only the console port ignore TACACS AAA and use the local login database instead. Here is what I had to add to the AAA commands.

Create a local user account under global config mode:

    username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE

Next, still under global config mode, define a method list named “console” that uses only the local database:

    aaa authentication login console local
    aaa authorization exec console local
    aaa authorization commands 0 console local
    aaa authorization commands 1 console local
    aaa authorization commands 15 console local
    aaa authorization console

Then, under the console line interface, bind the console line to that method list:

    authorization commands 0 console
    authorization commands 1 console
    authorization commands 15 console
    authorization exec console
    login authentication console


When does 2 = 1 ?

Talk about the wrong way to make a piece of software. I was helping a friend get iGet working with his Mac. We did not want to leave SSH running on port 22; it was getting hit with all sorts of brute-force username-guessing attacks. Here are some examples:

    Sep 4 09:29:27 sshd[13637]: Invalid user admin
    Sep 4 09:29:37 sshd[13641]: Invalid user stud
    Sep 4 09:29:45 sshd[13643]: Invalid user trash
    Sep 4 09:29:51 sshd[13645]: Invalid user aaron
    Sep 4 09:29:56 sshd[13647]: Invalid user gt05
    Sep 4 09:30:00 sshd[13649]: Invalid user william
    Sep 4 09:30:03 sshd[13651]: Invalid user stephanie
    Sep 4 09:30:40 sshd[13664]: Invalid user gary from
    Sep 3 16:51:06 sshd[10423]: Invalid user nagios
    Sep 3 16:51:07 sshd[10425]: Invalid user backuppc
    Sep 3 16:51:09 sshd[10427]: Invalid user wolfgang
    Sep 3 16:51:10 sshd[10430]: Invalid user vmware
    Sep 3 16:51:13 sshd[10432]: Invalid user stats
    Sep 3 16:51:14 sshd[10434]: Invalid user kor
    Sep 3 16:51:15 sshd[10436]: Invalid user wei
    Sep 3 16:51:16 sshd[10438]: Invalid user cvsuser

We also wanted to set up public key authentication instead of passwords. So we used his Apple AirPort Extreme to map an external port, say 3622, to port 22 on his Mac in his home network. Then we whipped up a public/private key pair; “ssh-keygen -t rsa” was good enough to do that. We of course put a good strong passphrase on it. Now things like iTerm and Cyberduck on the Mac worked great with his new setup, both the port and the private key. But he has this thing called iGet. It claims key support, but it would not work with key authentication if the private key had a passphrase. So we had to whip up a second key pair just for that program and append the new public key to the authorized_keys file in his .ssh folder. The worst part is the vendor tried to say that using keys is not inherently more secure than a password because iGet just uses SSH to start the connection and then takes over with its own protocol. How stupid. And such a bad attitude.
Cyberduck is free and it works way better with keys. Sure, iGet has some neat features like access to the remote machine’s Spotlight, etc. But kiss that advantage goodbye once Leopard comes out. Personally I would not give iGet my money for their product with that attitude and that poor support for passphrase-protected private keys. By default keys get dumped right into your .ssh folder on a Mac. If there is no passphrase and someone somehow runs code that lets them grab the entire folder contents, they would have your SSH access into every machine that key is authorized on. At least if it has a passphrase they still have to brute-force the key’s passphrase just to use it. After all, it is not two-factor authentication if it is just a key without a passphrase. It’s one factor: something you have. Adding something you know (the passphrase) greatly improves the security, so in the world of iGet 2 = 1.
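The alert scripts from the “SSH Alerts to iPhone” post are not reproduced on this page, and the brute-force log excerpt above is only a sample, so here is an added example (my own, not the post author’s scripts) of the detection side: it parses sshd syslog lines of the three kinds the alerts post cares about (a completed login, an invalid username, a failed password on a valid username), counts failures per source address, and builds the one-line message a push notifier such as growlnotify or Prowl would carry. The sample log lines, the source addresses (documentation ranges) and the threshold of three failures are all constructed for this example; sshd’s real lines include a “from <address>” part that the excerpt above has stripped, so the parser treats it as optional.

```python
"""Summarize sshd authentication events from syslog lines (added example).

Parses the three sshd events worth a push alert:
  * "Accepted <method> for <user> from <src>"   - a connection was made
  * "Invalid user <user> [from <src>]"           - wrong username tried
  * "Failed password for [invalid user ]<user> from <src>" - bad password
and tallies failures per source address so a guessing burst stands out.
The sample lines and addresses below are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The "from <src>" part is optional for Invalid user lines because the
# excerpt in the post shows them with the source address stripped.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+)(?: from (?P<src>\S+))?"
)
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 4 09:29:27 sshd[13637]: Invalid user admin from 203.0.113.7
Sep 4 09:29:37 sshd[13641]: Invalid user stud from 203.0.113.7
Sep 4 09:29:45 sshd[13643]: Invalid user trash from 203.0.113.7
Sep 4 09:29:51 sshd[13645]: Invalid user aaron
Sep 4 09:30:03 sshd[13651]: Failed password for invalid user stephanie from 203.0.113.7 port 51022 ssh2
Sep 4 09:31:10 sshd[13670]: Failed password for bob from 198.51.100.4 port 40122 ssh2
Sep 4 09:31:12 sshd[13670]: Failed password for bob from 198.51.100.4 port 40122 ssh2
Sep 4 09:31:20 sshd[13672]: Accepted publickey for bob from 198.51.100.4 port 40130 ssh2
"""

Event = Tuple[str, str, str]  # (kind, user, src)


def parse_line(line: str) -> Optional[Event]:
    """Classify one syslog line; returns None for lines we do not alert on."""
    m = ACCEPTED.search(line)
    if m:
        return "accepted", m.group("user"), m.group("src")
    m = INVALID_USER.search(line)
    if m:
        return "invalid_user", m.group("user"), m.group("src") or "unknown"
    m = FAILED_PW.search(line)
    if m:
        return "failed_password", m.group("user"), m.group("src")
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Tally event kinds, failures per user and per source, and logins."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    failures = [ev for ev in events if ev[0] != "accepted"]
    return {
        "kinds": Counter(kind for kind, _, _ in events),
        "failed_by_user": Counter(user for _, user, _ in failures),
        "failed_by_src": Counter(src for _, _, src in failures),
        "logins": [(user, src) for kind, user, src in events if kind == "accepted"],
    }


def noisy_sources(summary: Dict[str, object], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` failures: candidates for an alert."""
    counts: Counter = summary["failed_by_src"]  # type: ignore[assignment]
    return sorted(src for src, n in counts.items() if n >= threshold)


def alert_message(summary: Dict[str, object], threshold: int = 3) -> str:
    """One short line suitable for a push notification (growlnotify/Prowl)."""
    parts = [f"login: {user} from {src}" for user, src in summary["logins"]]  # type: ignore[union-attr]
    counts: Counter = summary["failed_by_src"]  # type: ignore[assignment]
    parts += [f"{counts[src]} failed attempts from {src}"
              for src in noisy_sources(summary, threshold)]
    return "; ".join(parts)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(alert_message(s))
```

On a real Mac the script would tail the system log rather than a string, and the message would be handed to growlnotify or the Prowl API; the parsing and thresholding above are what decide whether that push is worth sending.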


Paypal + Verisign PiP Token

I came back from Birmingham today to find my PayPal security token had arrived yesterday. It came with a nice instruction card on how to add it to your PayPal account. Only problem: it’s wrong. I tried going to the token link and logging in. It did not take me straight to adding the key. I had to go into my account page and then click the link to the security key. From there it is straightforward to add it.

As an added bonus, if you use Verisign PiP for OpenID you can add the same token to logon authorization there as well. Go to your account details and click Add Credential. It wants two fields filled in. The top one is the code on the back of your PayPal security token: the long number over the barcode, the token’s serial number. The second field is a keycode from the token, so flip it back over and press the button. Enter the displayed six-digit number into the second field and submit.

Now when you log into PayPal or Verisign PiP you have to know your logon name, your password AND the six-digit number on your token at the time you sign in. There is a slight difference in how you enter it, though. On PayPal, append the six digits to your password when you type in your password. On Verisign, log on as normal and it will prompt you for the six-digit code after you submit your name and password. That is it. Now you have two-factor authentication: your password (something you know) and the code the security token provides (something you have). Without the token your accounts cannot be used.
