ben lemasurier's questions

I have got this slick little yubikey and I want to add an additional layer of security when authenticating ssh sessions. On the server side I've already disabled password authentication and only permit the use of ssh keys when logging in.

The problem is, after configuring sshd and PAM for yubikey auth, sshd still only requires an ssh key, I'm never asked to provide a response from the yubikey.

How do I require both and ssh key and a yubikey?

(ubuntu 14.04 - trusty)

/etc/pam.d/common-auth:

auth    required    pam_yubico.so mode=client try_first_pass id=<id> key=<secret>
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so
# end of pam-auth-update config

/etc/ssh/sshd_config:

...

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

I'm in the process of building out a new PostgreSQL (9.3) environment in which traffic hovers around 99% read. We'll have 2 very powerful machines, connected via 1Gb ethernet. With the multitude of replication and failover options available in the 9.x release, what's the best option for a high-read scenario? A solution in which the standby server also acts as a read-only slave would be ideal.

So we just picked up a new PS6100x and I'm wondering if I need to setup the ethernet channels myself or is it automatic?

It's configured in an HA setup; dual controllers connected to redundant cisco switches with a 10GE interconnect. On the controller, I've enabled eth0-3, each with it's own IP 172.16.0.50-53, and a group IP address of 172.16.0.10. Do I need to bond the interfaces on the switch or will the controller take care of this for me?

I'm using an ASA 5510 for a large network containing multiple subnets, some of which (wireless) have limited network access. I'd like to allow the wireless users to be able to VPN in for full network access, however none of the hosts on the inside network are able to connect to the VPN, or even ping the ASA external interface.

I'm assuming this has something to do with my NAT rules getting in the way. Can anyone point me in the right direction?

Here's the running-config (sanitized): http://pastebin.com/snN4AVSA

packet-tracer ping from inside to outside: http://pastebin.com/hX8X8kTr

We've got a central log server (syslog-ng) and I'd like to provide a slick web interface for viewing the logs. Most of what I've seen are either horribly broken, outdated, or just fugly. I'm not very concerned about analysis, though it would be a bonus. Any recommendations?

I'm looking for help deciding on a new router for our data center equipment. Currently, we've got about 10 machines, each with their own firewall. I'd like to get them all behind a single router and also create a vpn tunnel to our main office.

Requirements:

• Gigabit Ethernet
• Firewall
• Cisco compatible point-to-point VPN

Traffic primarily consists of external HTTP requests, averaging ~10Mb/s, surging up to ~150Mb/s.

The router at the main office is a Cisco 2821.

I'm switching from Apache to Nginx/fcgi and I'm having a small issue while attempting to setup the applications rewrite rules.

The code handles routes via the use of PATH_INFO, e.g., example.com/foo/bar/ will be routed to example.com/index.php/foo/bar/

I've modified the server configuration to pass PATH_INFO:

location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass   127.0.0.1:9000;
      fastcgi_index  index.php;

      fastcgi_split_path_info ^(.+\.php)(.*)$;
      fastcgi_param SCRIPT_FILENAME  /var/www/public$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
}

And the rewrite handler:

location / {
      root   /var/www/public;
      index  index.html index.htm index.php;

      if (!-f $request_filename) {
        rewrite ^(.*)/(.*)$ /index.php/$2 break;
      }
    }

With 'rewrite_log on', the url's appear to be routing properly:

[error]: *2 open() "/var/www/public/index.php/test" failed (20: Not a directory), client: 192.168.0.254, server: example.com, request: "GET /test HTTP/1.1", host: "example.com", referrer: "http://example.com/index.php"

However, it appears to be looking for the directory "test". How can I force it to request index.php, passing '/test' to the script?

I've upgraded one of our servers (debian lenny) from backports. It upgraded the kernel to 2.6.32-trunk-amd64, and switched the disk access to UUID. Everything works fine, however, /dev/ram0 no longer gets created and I'm unable to see it in /dev/disk/by-uuid:

# ls -l /dev/disk/by-uuid/
  total 0
  lrwxrwxrwx 1 root root 10 2010-11-02 10:20 0670c658-a28d-4e93-991c-7e270a1dfbf3 -> ../../sda3
  lrwxrwxrwx 1 root root 10 2010-11-02 10:20 07DA-0A15 -> ../../sda1
  lrwxrwxrwx 1 root root 10 2010-11-02 10:20 ba59116d-c127-431b-bc00-c2c676ea0cb6 -> ../../sda5

The ramdisk is defined in /boot/grub/menu.list as:

 kernel          /boot/vmlinuz-2.6.32-trunk-amd64 root=UUID=0670c658-a28d-4e93-991c-7e270a1dfbf3 ro quiet ramdisk_size=2000000

Am I doing something wrong?

Thanks!