
Cost effective One-Time Password solution: How to install yubico’s plugin on Freeradius

If you want One-Time Password authentication for your website or your VPN, Yubico offers some cost-effective solutions with its YubiKeys and the related free open source software. In this article we will focus on the Yubikey OTP and its use with Yubico’s RLM plugin for FreeRADIUS.

In this case, we will assume you will use the Yubico OTP keys originally provided with your yubico token and hence, the Yubicloud OTP validation service. In a future article, we’ll explain how to configure your own validation server and your own Key Storage Module.

As the point is to be cost effective, there is no need to spend all your money on this solution. The token will cost you about 30 or 40 Euro depending on the features you need, and you can install FreeRADIUS on Raspbian on a 40€ Raspberry Pi (or on any Debian server).

As Yubico’s website is not really the most user-friendly companion for making this happen, here is a step-by-step walkthrough.

I assume you have a Debian Wheezy installed and ready and that you are logged in. As I don’t know whether you use sudo or just su, I will write the command lines as if they were issued by the root user:

First, we need to install FreeRADIUS and a few Perl libraries:

apt-get install freeradius
apt-get install perl
apt-get install perl-modules
apt-get install libanyevent-perl liburi-perl libanyevent-http-perl libuuid-tiny-perl libdigest-hmac-perl libcrypt-cbc-perl libcrypt-blowfish-perl
apt-get install unzip make   # needed by the unzip and make steps below

Then we need to download and install the Yubico Perl client:

wget https://github.com/Yubico/yubico-perl-client/archive/master.zip
unzip master.zip 
cd yubico-perl-client-master/
perl Makefile.PL
make
make install

After that we can download and install Yubico’s RLM:

wget -O rlm-yubico-master.zip https://github.com/Yubico/rlm-yubico/archive/master.zip
unzip rlm-yubico-master.zip
cd rlm-yubico-master/
make install

When the software is installed, we need to configure FreeRADIUS to use the plugin. Pay attention: there is a typo in Yubico’s instructions (an underscore must be replaced by a dash in the dictionary path, see below).

First, edit the Perl module configuration:

vi /etc/freeradius/modules/perl

and add the following line:

module = /usr/share/rlm-yubico/rlm_yubico.pl

At the same time you can remove the sample module = … line.

Then you must edit the default site configuration of FreeRADIUS:

vi /etc/freeradius/sites-available/default

and add “perl” (without the quotes) on a line by itself in the “authorize” section. It needs to occur early, at least before “files”. Then add “perl” on a line by itself in the “post-auth” section as well.

Then, finally, you must include Yubico’s dictionary:

vi /etc/freeradius/dictionary

by adding the following line:

$INCLUDE /usr/share/rlm-yubico/dictionary

Notice the difference between rlm-yubico (here) and rlm_yubico (as mentioned in Yubico’s instructions).

Now you just need to restart the FreeRADIUS server:

service freeradius restart

OK, the first part is done. Now we need to configure it.

Before we start editing configuration files, we need to generate a shared symmetric key for use with the Yubico Web Services. To do that, go to the Yubico website that lets you generate that key: https://upgrade.yubico.com/getapikey/

There, we will need to authenticate ourselves using our YubiKey One-Time Password and provide our e-mail address as a reference. Type your e-mail address, then click on the OTP field and press the button of your YubiKey. You will automatically receive a screen with a message similar to this one:

Congratulations! Please find below your client identity and client API key.

Client ID: 12345
Secret key: +azAZx123AZaABCDEFGHaAbcdeZ=

Be sure to protect the secret. If you need to generate more client id/keys for your different applications, please come back.

Note that it may take up until 5 minutes until all validation servers know about your newly generated client.

Pretty easy, isn’t it?

First we will edit the RLM configuration file:

vi /etc/yubico/rlm/ykrlm-config.cfg

The file will look like this once you have edited the relevant settings:

#
# Settings for FreeRADIUS authentication of users using YubiKeys.
#

# Length in characters of the public ID part of Yubikeys
#$id_len = 12;

# List of URLs to use for YubiKey OTP validation
# By default rlm_yubico will target the YubiCloud sync pool:
#$verify_urls = [
# "https://api.yubico.com/wsapi/2.0/verify",
# "https://api2.yubico.com/wsapi/2.0/verify",
# "https://api3.yubico.com/wsapi/2.0/verify",
# "https://api4.yubico.com/wsapi/2.0/verify",
# "https://api5.yubico.com/wsapi/2.0/verify",
#];
#
# It can easily be configured to use a different pool, like a server
# running on localhost:
#$verify_urls = [ "http://127.0.0.1/wsapi/2.0/verify" ];

# Client ID and API key for use with the YubiKey validation service.
# For use with the YubiCloud, you can get an API key here:
# https://upgrade.yubico.com/getapikey/
$client_id = 12345;
$api_key = "+azAZx123AZaABCDEFGHaAbcdeZ=";

# If set to 1, a user with no YubiKey assigned can authenticate using
# any valid YubiKey OTP, which will then cause that key to be assigned
# to the user.
#$allow_auto_provisioning = 1;

# If set to 1, allows a user to omit the username when logging in with
# an already provisioned YubiKey.
#$allow_userless_login = 0;

# Defines who is required to provide a YubiKey OTP when logging in.
# The available levels are:
# 0 = Permissive. OTPs are not required to authenticate, by anyone.
#
# 1 = Require when provisioned. OTPs are required by all users that
# have a YubiKey assigned to them.
#
# 2 = Always require. OTPs are required by all users. If no YubiKey
# has been assigned, that user cannot log in, unless auto-provisioning
# is enabled.
#
$security_level = 2;

# Sets the location of a file containing username to YubiKey mappings.
# Each line of this file should start with a username, followed by : and
# then a comma separated list of public IDs. Lines starting with # or blank
# lines are ignored.
$mapping_file = "/etc/yubico/rlm/ykmapping";

Notice: this file also shows how to configure the RLM to use a local validation server instead of the YubiCloud servers.

Now we just have to edit the list of users and map each user to one or more YubiKeys. This is done by editing /etc/yubico/rlm/ykmapping (as defined in the config file).

vi /etc/yubico/rlm/ykmapping

We provide the user ID and the public identity of the user’s YubiKey(s). If a user, like janedoe below, can use more than one YubiKey, the public identities must be separated by a comma. Pay attention NOT to leave a blank between the : and the public ID in the file.

If you don’t know where to find the public identity of your yubikey, you can find it using:

  • the YubiKey Personalization Tool: the Yubikey OTP tab displays a Public Identity field with the value in modhex (you just need to remove the whitespace between the letters)
  • Yubico’s OTP demo website (https://demo.yubico.com/). When trying the Single-Factor authentication, you will get to a “Congratulation” page with a “Technical details” button. If you click on it you will find your identity under the Parameters section, at the line starting with identity=.

Once edited, the file should look like that:

# Maps usernames to YubiKeys.
# Each line should contain a username followed by a :, then followed by a
# comma separated list of YubiKey public IDs.
#
# For example:
#user1:cccccccccccd,ccccccccccce
johndoe:vvefgfhjjrgf
janedoe:vvefgfhjjrgh,vvefgfhjjrgr

Then you may have to edit the FreeRADIUS server’s configuration to allow your client to connect to it and to define a shared secret. This is done by editing the clients.conf file in the /etc/freeradius directory. Just add your client configuration to the file (there are plenty of examples in the file itself). As an example it could be:

client 192.168.0.0/24 {
 secret = RadiusPassword
 shortname = private-network
}

In order to allow us to test the server, we allow the entire subnet to send requests to the Radius server.

By default the FreeRADIUS server listens on UDP port 1812. If you want to change that, you will need to edit the radiusd.conf file.

Then you need to configure your users in the FreeRADIUS users file (/etc/freeradius/users) and add, for example, a cleartext password for each user:

johndoe            Cleartext-Password := "HisPassword"
janedoe            Cleartext-Password := "HerPassword"

Consequently, johndoe and janedoe will have to type their password and then press the button on the YubiKey to append their OTP in the same password field.

Also, depending on the system you will use for authentication, you might need to specify the RADIUS Service-Type. VPN solutions mostly use the Login Service-Type, so in the users file you will need to specify the type for the users that will use the OTP:

johndoe            Cleartext-Password := "HisPassword"
                   Service-Type = Login-User

Notice: the start of the next line for the user’s definition must be a tabulation.

For johndoe, the password field will then look like HisPasswordvvefgfhjjrgf********************************, where HisPassword is the password typed by johndoe, vvefgfhjjrgf is the Public ID sent as the first part of the OTP when you press the YubiKey’s button, and the asterisks stand for the encrypted, unique 32-character string generated at that moment by the YubiKey. For more details on what a YubiKey OTP is composed of, you can refer to “OTPs Explained” on Yubico’s developer site.
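As an added example (not code from the post or from rlm_yubico), here is the whole flow configured above in Python: it parses the ykmapping format, splits the password field johndoe submits into static password and OTP, and applies the $security_level rules from ykrlm-config.cfg. The check_static and verify_otp callbacks are assumed stubs standing in for FreeRADIUS’s password check and the YubiCloud verify call, and rejecting an OTP from a user with no assigned key when auto-provisioning is off is an assumption.

```python
MODHEX = "cbdefghijklnrtuv"  # the 16 characters a YubiKey OTP is made of
OTP_LEN = 44                 # 12 modhex chars of public ID + 32 of ciphertext
ID_LEN = 12                  # matches $id_len in ykrlm-config.cfg

# Constructed sample of /etc/yubico/rlm/ykmapping, same syntax as in the post
SAMPLE_MAPPING = """# Maps usernames to YubiKeys.
johndoe:vvefgfhjjrgf
janedoe:vvefgfhjjrgh,vvefgfhjjrgr
"""

def parse_mapping(text):
    """{username: [public_id, ...]}; '#' and blank lines skipped. A blank after ':'
    would become part of the first ID (the post's warning), so it is rejected."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, sep, ids = line.partition(":")
        if not sep or ids != ids.strip():
            raise ValueError("ykmapping line %d: expected 'user:id,id'" % lineno)
        mapping[user.strip()] = ids.split(",")
    return mapping

def split_password(field):
    """Split off a trailing 44-char modhex OTP; otp is None if there is none."""
    if len(field) >= OTP_LEN and all(c in MODHEX for c in field[-OTP_LEN:]):
        return field[:-OTP_LEN], field[-OTP_LEN:]
    return field, None

def check_login(user, field, mapping, security_level=2, auto_provision=False,
                check_static=lambda u, p: False, verify_otp=lambda o: False):
    """Apply the $security_level rules (0/1/2) and the public-ID mapping. The stub
    callbacks stand in for FreeRADIUS's password check and the YubiCloud verify."""
    static, otp = split_password(field)
    keys = mapping.get(user, [])
    if otp is None:
        if security_level == 2 or (security_level == 1 and keys):
            return "otp-required"
        return "ok" if check_static(user, field) else "bad-password"
    if not check_static(user, static):
        return "bad-password"
    if keys and otp[:ID_LEN] not in keys:
        return "wrong-key"           # OTP comes from a key not assigned to this user
    if not keys and not auto_provision:
        return "no-key-assigned"     # assumed behaviour when auto-provisioning is off
    if not verify_otp(otp):
        return "otp-rejected"        # validation service said no (bad or replayed OTP)
    if not keys:
        mapping[user] = [otp[:ID_LEN]]  # auto-provisioning assigns this key to the user
    return "ok"
```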

When it’s done, you need to restart the freeradius server:

service freeradius restart

You can check the server’s response by configuring your authentication system or by using a RADIUS testing tool (like NTRadPing from Mastersoft, which is free).

That’s it.

The Belgian Ministry of Defence recruits 24 cyber security specialists.

Selor, the official recruitment agency for the Belgian federal government, has just started a new recruitment campaign for 24 cyber security specialists, 20 of whom with a master’s degree and relevant experience. It’s an ambitious objective and we can applaud the will to increase our capability to fight the cyber war within the Ministry of Defence. However, it is a difficult goal to achieve, as there are not so many skilled specialists, they don’t necessarily have a master’s degree, and they may not be satisfied with a yearly salary of around 42 K€ (gross). However, we should not underestimate patriotism or the desire to step into the military/spy world. Additionally, it is certainly an interesting choice for some people wanting to make a new step forward in their career.

So, if you have the right skills and the desire to work in a very stimulating environment fighting the war against cyber-soldiers and cyber-criminals, you have until the 19th of June 2015 to apply here (in French): http://www.selor.be/fr/cyberdefense or here (in Flemish): http://www.selor.be/nl/cyberdefense.

Our illustration: Lt. Col. Tim Sands (from left), Capt. Jon Smith and Lt. Col. John Arnold monitor a simulated test April 16 in the Central Control Facility at Eglin Air Force Base, Fla. They use the Central Control Facility to oversee electronic warfare mission data flight testing. Portions of their missions may expand under the new Air Force Cyber Command. Colonel Sands is the 53rd Electronic Warfare Group AFCYBER Transition Team Chief, Captain Smith is the 36th Electronic Warfare Squadron Suppression of Enemy Air Defenses test director, and Colonel Arnold is the 36th Electronic Warfare Squadron commander. (U.S. Air Force photo/Capt. Carrie Kessler)

Crime-as-a-Service, the new emerging model of a 300+ billion$ business?

In its 2014 report on Internet Organized Crime Threat Assessment, Europol highlighted the rise of a new business model in the cybercrime community: CaaS, Crime-as-a-Service. More and more hackers provide “services”, available through the darknet (like Tor), which let you rent thousands of infected computers, undetected payloads for viruses, lists of passwords, and so on. For a few years now, you have even been able to pay anonymously using virtual currencies (like bitcoin). They often provide very good customer service and sometimes even a cash-back warranty.

We often underestimate the size and importance of the cyber crime market. In its 2013 report on the economic impact of cybercrime, McAfee estimates the global revenue of cyber crime activities worldwide at between 300 billion $ and 1 trillion $.

1.000.000.000.000 $/Year

With numbers this huge, it is difficult to grasp the magnitude of this market. In comparison, the yearly worldwide drug market generates between 300 and 600 billion $ of revenue, which is bigger than the GDP of some European countries.

CaaS is increasingly offered and used by more traditional crime organizations to support their activities. The Europol report mentions a quite interesting figure: a Russian underground forum dedicated to hacking has 13,000 members and 4,000 daily visitors. It is hard to find a security professional nowadays, but on the dark side there are legions of hackers (when you see the profit they can make, you may understand why there are so many).

Additionally, the “dark side” also offers other services mirroring the “legit” community, such as IaaS (Infrastructure-as-a-Service), Data-as-a-Service, Hacking, or Money-Laundering. The hacker world has developed its own ecosystem. As it interacts more and more with the other “worlds”, it may soon be possible (if it is not already) for everybody to use and pay anonymously for illegal services.

After online drug dealers like Silk Road (see Wikipedia), we might soon see services to remove your speeding ticket or to get a preview of exam questions. Needless to say, in a more and more digital world, with eGovernment and the Internet of Objects growing in size, we might soon be able to ask for a new identity, a real diploma we never studied for, or even worse, the death of our worst enemy in a car crash (assuming he drives one of the new connected cars).

Some forms of cyber criminality are already well established and already cost a lot of money as well as a huge human cost (even more so if we talk about child pornography, one of the big beneficiaries of the darknet). We could think about hunting down the tools and protocols used to create the darknet, but they are also used by thousands of honest people wanting to protect their anonymity and their privacy, or to “speak freely” under oppressive regimes. Moreover, should you try to suppress it, new technologies would quickly be invented or developed to create even deeper, even darker networks. With such a large amount of money at stake, the means to create a dark zone on the Internet would be nearly unlimited. They could even create a parallel network hiding in plain sight if they ever achieve a higher level of organization at a global level.

As always, eventually, our only weapons are the skills and means of the people fighting them, who are able to differentiate right from wrong, bad from good. Unfortunately, we don’t have enough skilled professionals yet. We already do have a lot of very talented security professionals (coders, hackers, network specialists, governance people, auditors), but the fight remains unequal: they only have to find one failure to succeed, and we need to close them all to win. So, we definitely need better training, better information exchange, better research, higher standards for IT professionals and better preparation of our future professionals.

Clearly, we also need to make security more understandable and more user friendly. As Bruce Schneier was advocating a few years ago, security must become a convenience like any household appliance: easy to use, easy to sell, easy and efficient. That is maybe where the dark side is winning the competition at this stage.