13 December 2015

Mac OS X Two Factor Authentication Demo with Yubikey

With today's security threats, passwords alone may not be a strong enough defense against security incidents and many of you might want a little extra to secure your Apple Macintosh computer against such threats.  Yubico has an affordable solution you might like to try.  Yubico already provides excellent documentation on how to do this, but I have a few tweaks of my own which you can see in the video below or continue reading.

First, the video opens with demo number one.  This demo shows logins with the Yubikey inserted and removed.  Additionally, you can see the substitute user command (su) and the superuser do command (sudo) in the demo.  The demo doesn't show the standard GUI based Mac OS X authentication challenge, but it too will require the Yubikey to be used in addition to the password.

Demo number two is pretty much the same, but Yubico suggests you uncheck the "Require user input (button press)" box when you set up the challenge-response feature.  I prefer to leave it checked.  The only pain from doing so comes from the ykpamcfg command, which seems to have a short wait when it queries the key during setup.  You have to be Johnny on the spot and hit the button pretty quickly, which I don't show in the video.  But once you get past that, the Yubikey with button press is very easy to use.

Next up, the video shows the installation, which requires the easy to install Homebrew application.  As mentioned above, Yubico writes really good documents, perhaps so you'll buy lots of Yubikeys.  I think the confusing part of their guide is the PAM config section, which is a bit too wordy and repetitive, listing the same steps over and over again for the same files. Yubico's guide could be condensed to: edit the files su, sudo, authorization, and screensaver in /etc/pam.d and add the line "auth required /path/to/pam_yubico.so mode=challenge-response" (using the path where Homebrew installed the module) above the first line beginning with "account".  The guide assumes you might not know vi very well and spells out the extra steps.
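One way to script that edit, as an added example that is not from this post or from Yubico's guide: the function below inserts the pam_yubico line above the first "account" entry of a PAM service file, keeps a backup, and refuses to add the line twice.  The module path is an assumption (use wherever Homebrew put pam_yubico.so on your Mac), and the sample su file is a constructed approximation of /etc/pam.d/su, not a copy of any system file.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed module path: adjust to where Homebrew installed pam_yubico.so.
PAM_YUBICO_LINE = ("auth       required     "
                   "/usr/local/lib/security/pam_yubico.so mode=challenge-response")


def add_yubico_line(path: str, line: str = PAM_YUBICO_LINE) -> bool:
    """Insert `line` above the first 'account' entry of the PAM file at `path`.
    Returns True if the file was changed, False if pam_yubico is already there.
    Raises ValueError if no 'account' line exists (probably the wrong file)."""
    p = Path(path)
    lines = p.read_text().splitlines()
    if any("pam_yubico.so" in ln for ln in lines):
        return False                      # idempotent: never stack the module twice
    idx = next((i for i, ln in enumerate(lines) if ln.startswith("account")), None)
    if idx is None:
        raise ValueError(f"{path}: no 'account' line found, not modifying")
    shutil.copy2(p, p.with_name(p.name + ".bak"))   # backup before touching auth config
    lines.insert(idx, line)
    p.write_text("\n".join(lines) + "\n")
    return True


# Constructed sample resembling the stock /etc/pam.d/su (not a real system file).
SAMPLE_SU = """\
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so
"""


def demo():
    """Run the edit twice on a temporary copy of SAMPLE_SU; return the results."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "su"
        f.write_text(SAMPLE_SU)
        first = add_yubico_line(str(f))      # True: line inserted
        second = add_yubico_line(str(f))     # False: already present
        return first, second, f.read_text().splitlines()


if __name__ == "__main__":
    # Real use (as root): for s in ("su", "sudo", "authorization", "screensaver"):
    #     add_yubico_line(f"/etc/pam.d/{s}")
    changed, again, result = demo()
    print(changed, again)
    print("\n".join(result))
```

Keep a second root shell open and verify a new login works before closing it, since a mistake in these files locks you out.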

The last note about their guide is that there is little discussion of the other /etc/pam.d files you could use a Yubikey with. Savvy Yubikey experts will notice I added the /etc/pam.d/su file to my list. Also, you might want to do something with /etc/pam.d/sshd, either by adding Yubikey protection or by using SSH keys, if you wish to enable remote logins on your Mac.  If you are remotely logging in with Secure Shell, you can't insert your key, so certificate based authentication is, IMHO, a nice substitute.

You might want to use Apple's FileVault along with your Yubikey so your computer is encrypted and its data is protected at rest.

17 October 2015

Mac OS X El Capitan Non User Encrypted FileVault Boot

You can choose a disk encryption FileVault password as an alternative encryption option for your Mac OS instead of unlocking FileVault with your user account.  For years on many platforms, full disk encryption was unlocked using one password typically not associated with the user's login.  You can achieve this today on the Macintosh platform; it is not quite as easy as enabling FileVault normally, but almost as easy as the preferred method.

To do this, you can follow the steps below and/or watch the video.

The first step is to make a Mac OS bootable USB drive which is outside the scope of this blog but easy to find with a Google Search.  

The next step is to boot the bootable drive.  Insert it into a USB port, reboot your Mac, and hold down the Option (ALT) key on start choosing the USB installer disk.

The next step erases the Mac completely, so it assumes you have everything backed up with Apple's Time Machine or a similar program.  Once the installer loads, choose the Utilities -> Disk Utility option.  From there we'll set up encryption: erase the disk and choose the encrypted journaled option.  Pick the password you want for your drive, select Erase, and remember the password chosen here.

After it is setup with the encryption key, begin the installation process.

The Mac will reboot after installation.  If all went well, you will be asked for the password you chose above.  Enter your disk password at the password entry prompt and the Mac should begin booting up. You must go through the configuration steps and may optionally recover from your Time Machine drive when prompted or start over with a blank install.

And that is all there is to it.  It is pretty much as easy as using FileVault normally.

31 May 2015

TV, Ubuntu, and AMD's TV Wonder 600 USB Installation

The ATI TV Wonder 600 USB is not supported on Windows 7 or later but is still supported on GNU/Linux.  The best thing to know is that it's really quick and easy to set up and install on Ubuntu.  All you need to do is execute three steps and you can watch TV in less than 5 minutes.  The instructions on the Linux TV website are all you need and always up to date.  To be brief, open a terminal window and perform the following commands:

  1. cd /lib/firmware
  2. sudo wget
  3. sudo apt-get install me-tv

And that's all there really is to it.  Just start Me TV and scan for stations.

The short video below shows you the steps.

02 November 2014

Cable Modem and DSL Home Networks Using VLANs Sharing Ethernet with DD-WRT in Control

This article continues the VLAN discussion from the previous post,  showing you the settings for DD-WRT to make an isolated LAN sharing Ethernet wiring between you and a roommate in the common areas of your home.  This requires installing custom firmware from DD-WRT or OpenWRT.  The included video shows a real world setup that matches the article, but simulates some components described herein.  The cable colorings match the diagram with VLAN7 in yellow and the trunk lines in orange.

I assume you have two networks in your home such as cable and DSL for you and your roommate and you want to use wired networking with access to both networks in common areas with only one Ethernet cable per room. VLANs are a great solution for this. Let's say your roommate needs  a connection in the office and one for the downstairs TV for her entertainment device (XBOX, AppleTV, etc), thus you two need to share the Ethernet cable for common rooms.  For this scenario, we will split the trunk into a Y configuration, bridging two physically separate cables together with VLAN tagging and trunking sending both LANs to two floors in the home.

Home Shares DSL and Cable in Wired Ethernet Using VLANs with DD-WRT, OpenWRT, and VLAN Trunks
Home Network Carrying  multiple VLANs

We will assign your roommate VLAN7 in the basement distribution switch (switch2), but we'll exclude the Netgear WNDR3800 basement router since it serves the cable modem.  In the prior article, you see the basement switch (switch2) as a VLAN distribution point; here it also becomes a VLAN access point for VLAN7.

Switch 2 changes from the previous build by adding a second trunk to the first floor switch (switch3). Port 3 is now tagged and includes both VLAN1 for the homeowner LAN and VLAN7, the DSL LAN.  Port 2 is assigned to VLAN7's DSL modem, which is simulated with a laptop in the video.  Switch2 doesn't include VLAN7 in the WAN port (W) column, so that port can never receive or send VLAN7 traffic and the roommate's LAN stays isolated from the cable modem side.

Image shows two VLAN trunks and one port assigned to VLAN7
DD-WRT VLAN Trunks and Ports on Linksys e3000

The first floor router (switch3) is a venerable Linksys WRT54GS running DD-WRT.  In this configuration, port 4 is assigned to VLAN7, while the remaining ports stay on VLAN1 except for the WAN port, which is the trunk line from the basement.  This router supports the roommate's living room device on port 4.  The video uses my receiver to simulate the roommate's device.

This diagram tags the VLAN trunk port and assigns the VLANs to their proper ports
Linksys WRT54GS VLAN Trunk

The 2nd floor VLAN distribution runs DD-WRT on a Linksys e3000 and uses port 4 for VLAN7 and supports the roommate's computer in the office.

This image shows VLAN7 on its own port, the WAN port as a trunkline, and the remaining ports on VLAN1

Powerline (electrical wiring) adapters or wireless technologies can also be used to connect different networks to devices around the home, and these solutions tend to be the star attraction when you inquire at places like Micro Center or Best Buy for help, but you have another very powerful technique in VLANs, which can be used with the inexpensive equipment you or others have discarded.  You can also find many managed switches under $100 U.S. if you wish to purchase hardware dedicated to VLAN networks.

19 October 2014

Home VLAN Trunking with OpenWRT and DDWRT

My edge router is a Netgear WNDR3800 running OpenWRT which creates four VLANs for my domicile.  I use Linksys e3000s running DD-WRT as managed switches distributing LANs where I want them to go.  I will show how I use the remaining Linksys e3000 units to send all four VLANs into one trunk line.  The DD-WRT and OpenWRT projects have this well documented in a TL;DR manner showing all the command line steps.  I did the whole thing using the GUI interfaces and I will show the wiring as well.  I use VLAN trunking since my office has only one Ethernet connection but I have multiple LANs and I want the ability to change the wiring without running physical wires.  Re-wiring is done with software changes!  Of course, you can buy managed switches, but many of you might have collected these consumer routers over the years or would like to save some money on the used market since managed switches can be pricey. The short video above contains a demo toward the end.

To start, let's look at the diagram below showing the Netgear WNDR3800 serving the connection to the WAN.
Netgear WNDR3800 uses each port as a distinct VLAN with Port 2 as a VLAN Trunk
Netgear WNDR3800 as VLAN Distributor

The Internet goes into the WNDR3800's WAN port.  This router supports my guest wireless LAN and the primary LAN.  Additionally, it supports a server control LAN and the DMZ LAN.  The server LAN has only one PC-BSD based ATOM server running my IPv6 blog using ports 3 and 4 on the device.  Port 1 on the WNDR3800 goes into a power line adaptor, but isn't really used.  Port 1's main purpose is to be open in case of an emergency requiring a cable connection to VLAN1, which is the administrative LAN.

On the right, you see I have a Linksys e3000 in the basement which receives the trunk output from the WNDR3800 into its own WAN port. The settings are pictured below.

Linksys e3000 VLAN Trunk Setup with DD-WRT using WAN port and Physical Port 1
DD-WRT Trunking with Linksys e3000
The WAN port is used for input from the WNDR3800 physical port 2.  Port W in the picture above is the WAN port and it is tagged with VLANs 1 through 5 selected.  VLAN2 must be included per the DD-WRT wiki.  The middle ports serve the main network VLAN1 but these can be switched to different VLANs as needed.  Port 4 pictured above is tagged and contains all the same VLANs as the intake port, or "WAN" port as it is labelled.  Port 4 is actually physical port 1 on the Linksys e3000.  The DD-WRT switch guide identifies that the numbering is reversed from the GUI so port 4 in the GUI is labelled as port 1 on the device.

Port 1 is the trunk port sending everything upstairs to my office.  I prefer building servers in the comfort of the office rather than in the cold and cramped basement, so I use VLAN tagging to put the switch ports on the upstairs Linksys e3000 on VLANs 4 and 5, but as you see I switched them to VLAN3 (GUEST) for the demo and the other port is still VLAN1.  For server building, I bring both VLAN4 and VLAN5 upstairs for DMZ and server control, allowing me to easily configure the server with the proper IPs the first time without needing to change IPs once it is placed into the server area downstairs.

Below is the configuration of the upstairs DD-WRT using VLAN5 (SERVER) into physical port 1. DHCP/WAN and other features that make the e3000s a primary router are disabled but not depicted in any of the pictures below.

One port is switched to VLAN 5 on the Linksys e3000
Linksys e3000 with VLAN Trunking and VLAN5

As you can see from the above steps, VLAN trunking is pretty easy and OpenWRT/DD-WRT make virtual wiring quite easy.  Of course, with just about everything wireless nowadays, I suspect this article will get few hits.  You can assign wireless networks to VLANs just as my guest network is bridged to VLAN3.
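As an added example (not code from these posts or from the DD-WRT/OpenWRT projects), the small 802.1Q forwarding model below checks the port tables described here and in the roommate post above: the basement e3000 (switch2) with its tagged trunks on W and port 4, the new tagged trunk on port 3, and the roommate's DSL modem untagged on VLAN7.  The port memberships come from the posts; the ingress-filtering and tag/untag-on-egress rules are the assumed standard bridge behaviour, not a dump of any router's settings.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """A switch port: PVID for untagged frames plus the VLANs it carries tagged."""
    untagged: Optional[int] = None
    tagged: Set[int] = field(default_factory=set)

    def member_of(self, vid: int) -> bool:
        return vid == self.untagged or vid in self.tagged


class Switch:
    def __init__(self, ports: Dict[str, Port]):
        self.ports = ports   # GUI port label -> Port

    def egress(self, ingress: str, vid: Optional[int] = None) -> Dict[str, str]:
        """Ports (and whether tagged) a frame entering `ingress` is forwarded to.
        vid=None means the frame arrived untagged and takes the port's PVID.
        A tagged frame is dropped unless the ingress port carries that VLAN."""
        port = self.ports[ingress]
        if vid is None:
            vid = port.untagged
            if vid is None:
                return {}              # trunk-only port: untagged frame has no VLAN
        elif vid not in port.tagged:
            return {}                  # ingress filtering: VLAN not on this port
        out = {}
        for label, other in self.ports.items():
            if label != ingress and other.member_of(vid):
                out[label] = "untagged" if other.untagged == vid else "tagged"
        return out


# switch2, the basement e3000 as described in the roommate post (GUI labels):
# W = trunk from the WNDR3800 gateway, VLANs 1-5 tagged but NOT VLAN7
# 1 = homeowner device on VLAN1; 2 = roommate's DSL modem, untagged VLAN7
# 3 = new trunk to first-floor switch3 (VLAN1 + VLAN7 tagged)
# 4 = original trunk up to the office, VLANs 1-5 tagged
SWITCH2 = Switch({
    "W": Port(tagged={1, 2, 3, 4, 5}),
    "1": Port(untagged=1),
    "2": Port(untagged=7),
    "3": Port(tagged={1, 7}),
    "4": Port(tagged={1, 2, 3, 4, 5}),
})


def roommate_can_reach_cable_side() -> bool:
    """Does a frame from the DSL modem on port 2 (VLAN7) ever leave via W?"""
    return "W" in SWITCH2.egress("2")


if __name__ == "__main__":
    print("DSL modem frame goes to:", SWITCH2.egress("2"))        # {'3': 'tagged'}
    print("VLAN1 from gateway goes to:", SWITCH2.egress("W", 1))  # ports 1, 3, 4
    print("VLAN7 injected on W:", SWITCH2.egress("W", 7))         # {} dropped
```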

You can see the devices in their real world setup below.  The basement e3000 should have two orange cables but the house is wired with blue so I put a white label with orange text around it on the right but the photo isn't very sharp around the cable nor is the label's text visible in the picture.

The far right is the trunk upstairs and is a blue cable with a white label with orange text
Linksys e3000 Basement VLAN Trunk Orange
I should use a blue VLAN1 colored cable for the gaming PC instead of the gray one in the picture.
VLAN Trunk in on orange cable into WAN port with remaining ports on VLAN1
Office e3000 with trunk in WAN port and AnyLAN port in Yellow

Netgear WNDR3800 backplane with separate VLANs
Netgear WNDR3800 running OpenWRT as Gateway Router

Netgear WNDR3800 Backplane VLAN Connections 

Intel ATOM Server with PC-BSD
Intel ATOM Server running PC-BSD

06 October 2014

Take and Bake Pizza Delicious Crust

Improving the Crust of Pre-made Pizza

I love the taste of Papa Murphy's take and bake pizza and I feel this pie is one of the best values in fast food, but I don't like the crust so much.  The crust needs something extra, which for some could be dipping sauce, but I like to spice up the crust myself with my own blend of seasonings.  You can use whatever seasonings you like, of course, and if you do, leave a note about your choices of spices and enhancers below.

Take a look at the video to see how to improve the crust of the pizza.

12 April 2014

Intel Atom D2500 Mini-ITX Unboxing and Setup

Unboxing and Setup of Mini PC

This quiet little PC arrived in the mail recently and is quick and easy to set up.  In the video, I unpack it from its carton, install a 320 GB disk drive and 2 GB of RAM, and install PC-BSD 10.  The PC is solidly built and the plastic feels good to the hands.  The back panel is cluttered with too many legacy ports which could have been removed for newer technologies. It runs quiet but it is still warm enough to use for hand warming on a cold day.

At the manufacturer's site you can see all of the different ways Mini-ITX systems can be configured.

See this video featuring unboxing to startup.