cloud-init: Automatically import your public SSH keys into LXD Instances

Tags

automation, cloud-init, lxc, lxc profile, lxd, SSH, ssh-key, ubuntu, YAML

While provisioning LXD instance; we can define post deployment task using cloud-init. This will help us to import your public SSH keys, add new user, update packages and install new packages if required. To do that we use lxc profile.

First check what lxc profile you have. There should be one default profile.

# lxc profile list

Copy default profile and create new one

# lxc profile copy default production

Edit newly created profile

# lxc profile edit production

Use the following configuration. This is YAML file and for better formatting please download it from here Continue reading →

recover corrupt /etc/sudoers file over SSH

Tags

SSH, sudo su, ubuntu

Recently I have faced issue where I mistakenly edit the file under /etc/sudoers.d/. When ever I am trying to sudo; I am getting following error:

fakrul@fakrul-server01:~/.config$ sudo su
>>> /etc/sudoers.d/fakrul_sudo: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers.d/fakrul_sudo near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialise policy plugin

Unfortunately I don’t have any other sudo user. I have googled and got a solution.

Steps:

1. Open two ssh sessions to the target server.

2. In the first session, get the PID of bash by running:
fakrul@fakrul-server01:~/.config$ echo $$
5886

3. In the second session, start the authentication agent with:

pkttyagent --process (pid from step 2)

4. Back in the first session, run:

fakrul@fakrul-server01:~/.config$ pkexec rm /etc/sudoers.d/fakrul_sudo

5. In the second session, you will get the password prompt. “fakrul_sudo” file will be removed in the first session. In same way you can add new file.

 

Mikrotik ssh key authentication

Tags

mikrotik, SSH, ssh authentication

We can use SSH key to authenticate Mikrotik box.

Step 1: Check you SSH key pairs. We will copy the public key (id_rsa.pub)

bash-3.2$ ls
config id_rsa id_rsa.pub known_hosts


Step 2: Copy public key (id_rsa.pub) to the MT. In this case MT IP is 192.168.99.1 and username is admin
bash-3.2$ scp id_rsa.pub admin@192.168.99.1:/

Step 3: Login to MT and check whether the public key has been copied successfully
[admin@mt] > file print
# NAME TYPE SIZE CREATION-TIME
0 flash disk jan/01/1970 11:00:07
1 id_rsa file 1896 dec/18/2019 10:19:45
2 flash/skins directory jan/01/1970 11:00:08
3 flash/mt-20191217-0031.backup backup 18.3KiB dec/17/2019 00:31:20

Step 4: Now enable ssh-key login for user admin. Run the following command from MT
[admin@mt] > user ssh-keys import user=admin public-key-file=id_rsa.pub

Step 5: Verify it. Run the following command from MT
[admin@mt] > user ssh-keys print
Flags: R - RSA, D - DSA
# USER BITS KEY-OWNER
0 R admin 2048 fakrul@au-mohammad-macbook.local


Step 6: Try to ssh to you MT box. It will ask for passphrase
bash-3.2$ ssh admin@192.168.99.1
Enter passphrase for key '/Users/fakrul/.ssh/id_rsa'

Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator

Tags

SSH, Two Factor Authetication

We will enable two factor authentication in out ubuntu server. To implement that we are going to use multifactor authentication with Google Authenticator.

Step 1: Install Google Authenticator from following link in your Android device/iPhone/iPad/BlackBerry/Firefox devices

https://support.google.com/accounts/answer/1066447?hl=en

Step 2: Install Google Authenticator in your Ubuntu

fakrul@fakrul-ubuntu ~> sudo apt-get install libpam-google-authenticator

Step 3: Create an Authentication Key

Log in as the user you’ll be logging in with remotely and run the google-authenticator command to create a secret key for that user.

fakrul@fakrul-ubuntu ~> google-authenticator

You will be prompted for some configurations. Scan the QRcode that appears with the Google Authenticator app or you can add the secret key Google Authenticator app.

Save the backup codes listed somewhere safe. They will allow you to regain access if you lose your phone with the Authenticator app.

Next it will ask several question; unless you have a good reason to, the defaults presented are sane. Just enter “y” for them.

Step 4: Activate Google Authenticator

Enable Google Authenticator for SSH logins.

fakrul@fakrul-ubuntu ~> sudo vi /etc/pam.d/sshd
auth required pam_google_authenticator.so

Next, open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line, and change it to read as follows.

fakrul@fakrul-ubuntu ~> vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Step 5: Restart ssh to activate the feature

fakrul@fakrul-ubuntu ~> sudo service ssh restart

Please note that it wont’s work if you have public key based authentication is enabled.