Using YubiKey with GPG

Using Yubikey with GPG encryption

Let me try to show my experience in using Yubikey as a Smartcard for storing signing and GPG encryption keys. There are a lot of information in the internet about that, but that my first try in configuring yubikey for such purposes.

Firstly we need to install necessary packages on our mac by doing the following command, I’m using brew:

$ brew install gnupg yubikey-personalization

This will allow us to program our Yubikey.

The next step is we need to create a new keys for further usage.

Generate a key

Let’s do a temporary directory:

export GNUPGHOME=$(mktemp -d)

And create a GPG configuration:

$ cat << EOF > $GNUPGHOME/gpg.conf
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
EOF

Generate a master key

During creation a new master key, we will need to choose RSA (sign only) key and I would go with 4096 bits. And you’ll be asked to enter a passphrase, try to enter something unique and strong 🙂

VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Valerii
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Valerii <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa4096/0xA2B71234247579BE 2018-01-28 [SC]
      Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99
uid                              Valerii <[email protected]>

Export a new key

export KEYID=0xA2B71234247579BE

Create subkeys

VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec  rsa4096/0xA2B71234247579BE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Valerii <[email protected]>

During a creating a new subkeys enter the passphrase you entered during making a master key. In the following example I selected to generate a key with expiration in 1 year.

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:13:38 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
[ultimate] (1). Valerii <[email protected]>

Next, let’s create n encryption key by selecting RSA (encrypt only) – number 6

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:16:29 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
ssb  rsa4096/0x181FFBA2120AA342
     created: 2018-01-28  expires: 2019-01-28  usage: E
[ultimate] (1). Valerii <[email protected]>

I selected to create 4096 bit RSA encrypt only key which is going to be valid for 365 days only.

And let’s create an authentification key now.

read more…

Continue reading “Using YubiKey with GPG”

Icinga2: LiveStatus Activation/Installation

Hey all,

Here is a quick note how to install and activate MK Livestatus (Check_MK) API for your Icinga2 installation.

More info about livestatus on the official website: https://mathias-kettner.de/checkmk_livestatus.html

So, check if it’s already activated:

# icinga2 feature list
Disabled features: compatlog debuglog gelf graphite influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker command ido-mysql mainlog notification

As we can see livestatus is currently disabled

Let’s enable it using the following command:

# icinga2 feature enable livestatus
Enabling feature livestatus. Make sure to restart Icinga 2 for these changes to take effect.

Now we need to add one more LivestatusListener object and fix the existing one to support livestatus on local unix socket and on TCP socket.

Open /etc/icinga2/features-enabled/livestatus.conf and edit it as following:

library "livestatus"

object LivestatusListener "livestatus-tcp" {
  socket_type = "tcp"
  bind_host = "0.0.0.0"
  bind_port = "6666"
}

object LivestatusListener "livestatus-unix" {
  socket_type = "unix"
  socket_path = "/var/run/icinga2/cmd/livestatus"
}

You can bind it to some specific IP and/or change port to another one if you need, also make sure that your socket_path is exists

# ls -la /var/run/icinga2/cmd/livestatus
srw-rw---- 1 icinga icingacmd 0 Oct 30 10:51 /var/run/icinga2/cmd/livestatus

Let me know if you have any questions

Thanks!

 

 

Icinga2 Director: How to import a server IP from local file

Hey all,

#shortstory

Today I had a pretty interesting task with Icinga2 and Director. The issue was with accessibility to DNS server which was installed in AWS without any public access, so basically it was used only for internal requests. To make story short, the task was to get IP address from local file, hostname from SQL database and assign it to each other.

Here is the changes that I made for ‘PropertyModifierGetHostByName.php’ file.

<?php

// - /usr/share/icingaweb2/modules/director/library/Director/PropertyModifier/PropertyModifierGetHostByName.php
namespace Icinga\Module\Director\PropertyModifier;

use Icinga\Exception\InvalidPropertyException;
use Icinga\Module\Director\Hook\PropertyModifierHook;
use Icinga\Module\Director\Web\Form\QuickForm;

class PropertyModifierGetHostByName extends PropertyModifierHook
{
    public static function addSettingsFormFields(QuickForm $form)
    {
        $form->addElement('select', 'on_failure', array(
            'label'        => 'On failure',
            'description'  => $form->translate('What should we do if the host (DNS) lookup fails?'),
            'multiOptions' => $form->optionalEnum(array(
                'null' => $form->translate('Set no value (null)'),
                'keep' => $form->translate('Keep the property (hostname) as is'),
                'fail' => $form->translate('Let the whole import run fail'),
            )),
            'required'    => true,
        ));
    }

    public function getName()
    {
        return 'Get host by name (DNS lookup)';
    }

    public function transform($value)
    {
        //$host = gethostbyname($value);
        $lines_array = file("/usr/share/icingaweb2/dns.txt"); //comma-separated txt file
        
        foreach($lines_array as $line) {
            if(strpos($line, $value) !== false) {
            list(, $new_str) = explode(",", $line);
            $host = trim($new_str); }
        }

        if (strlen(@inet_pton($host)) !== 4) {
            switch ($this->getSetting('on_failure')) {
                case 'null':
                    return null;
                case 'keep':
                    return $value;
                case 'fail':
                default:
                    throw new InvalidPropertyException(
                        'Host lookup failed for "%s"',
                        $value
                    );
            }
        }

        return $host;
    }
}

The file dns.txt contains IP and domain names, which are comma-separated. You may change the location of the file, use many of them, or even use key-value database for such queries, it’s pretty easy.

So, basically it search for IP address in dns.txt file for provided hostname in Import function. It will return null or fail (based on your settings), if returned IP is not IPv4.

Extra module will be created and pushed to the github on next Monday.

Happy monitoring!

 

Garage Sale – new or like-new books on Sale!

Learning Python, 5th Edition, by Mark Lutz

Get a comprehensive, in-depth introduction to the core Python language with this hands-on book. Based on author Mark Lutz’s popular training course, this updated fifth edition will help you quickly write efficient, high-quality code with Python. It’s an ideal way to begin, whether you’re new to programming or a professional developer versed in other languages.

Complete with quizzes, exercises, and helpful illustrations, this easy-to-follow, self-paced tutorial gets you started with both Python 2.7 and 3.3 the latest releases in the 3.X and 2.X lines plus all other releases in common use today. You’ll also learn some advanced language features that recently have become more common in Python code.

  • Explore Python’s major built-in object types such as numbers, lists, and dictionaries
  • Create and process objects with Python statements, and learn Python’s general syntax model
  • Use functions to avoid code redundancy and package code for reuse
  • Organize statements, functions, and other tools into larger components with modules
  • Dive into classes: Python’s object-oriented programming tool for structuring code
  • Write large programs with Python’s exception-handling model and development tools
  • Learn advanced Python tools, including decorators, descriptors, metaclasses, and Unicode processing

Price: $60

Amazon: https://www.amazon.com/Learning-Python-5th-Mark-Lutz/dp/1449355730/

Learning Python
Learning Python

Read more under cut…

Continue reading “Garage Sale – new or like-new books on Sale!”