Ansible with su instead of sudo   October 13th, 2017

At TBits.net, we have decided to use Ansible for setting up our servers.

The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (e.g. called deploy) that you can use to log in to the machine via SSH, and if that user has sudo permissions (e.g. membership in the wheel group on CentOS), Ansible can install software with root privileges.

The call is quite easy (this assumes the plays or tasks set become: yes; --ask-become-pass only prompts for the escalation password and does not switch become on by itself):

ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass

Now we wanted to limit privilege escalation to people who know the actual root password. With the usual sudo setup, the deploy user's own password is enough to become root; with su, the root password is required.

Finally, this worked on the command line:

ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass

Now I wanted to put these parameters into my ansible.cfg file. It took me a while to find out how to do this; the configuration reference at https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml, which lists every setting together with its ini section and key, was what finally helped.

[defaults]
remote_user=deploy
 
[privilege_escalation]
become = true
become_method = su
become_ask_pass = true

Two pitfalls this configuration avoids:

  • The become settings go in the privilege_escalation section, not in defaults.
  • The command line option --ask-become-pass is called become_ask_pass in the config file.

This works with Ansible 2.3.2 on CentOS 7.4.
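The same escalation can also be scoped to a single play instead of being switched on globally in ansible.cfg, which is useful when only some playbooks need root. This is an added example, not from the original post; it assumes an inventory group called webservers and the deploy user described above:

```yaml
# Added example, not from the original post. Per-play equivalent of the
# [privilege_escalation] settings: only this play escalates via su, so
# become does not have to be enabled globally in ansible.cfg.
# Assumes an inventory group "webservers" exists.
- name: Install packages as root via su
  hosts: webservers
  remote_user: deploy
  become: true
  become_method: su
  become_user: root
  tasks:
    - name: Install tmux
      yum:
        name: tmux
        state: present
```

Run it with `ansible-playbook site.yml --ask-become-pass`; the password prompted for is root's, because the play sets become_method to su.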

Posted in Hosting, Software Development

There has been a new release of Roundcube, 1.1.3: https://roundcube.net/news/2015/09/14/updates-1.1.3-and-1.0.7-released/

I noticed because EPEL already ships version 1.1.3 while Kolab 3.4 Updates is still at 1.1.2. That creates an installation conflict: yum wants to install the newer EPEL package, which in turn conflicts with the Kolab packages.

A temporary workaround is to exclude all roundcubemail* packages from the EPEL repository by editing its repo file (the sed adds an exclude= line after every enabled=1 line, which in the default epel.repo on CentOS 7 is only the [epel] section; note that running it twice adds the line twice):

sed -i "s#enabled=1#enabled=1\nexclude=roundcubemail*#g" /etc/yum.repos.d/epel.repo
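The sed one-liner does the job but is not idempotent and does not look at section names. As an added example, not from the original post, here is a small Python function that adds the exclude once, only under the [epel] header, and reports whether it changed anything; the demo works on a constructed copy of a repo file in a temporary directory rather than on /etc/yum.repos.d/epel.repo:

```python
import shutil
import tempfile
from pathlib import Path


def add_exclude(repo_file, section="epel", pattern="roundcubemail*"):
    """Add 'exclude=<pattern>' directly under [section] in a yum .repo file.

    Returns True if the file was changed, False if that exclude line is
    already present in the section (so it is safe to run repeatedly).
    A .bak copy is written before the file is rewritten.
    """
    path = Path(repo_file)
    lines = path.read_text().splitlines()
    header = f"[{section}]"
    wanted = f"exclude={pattern}"

    in_section = False
    seen_header = False
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == header
            seen_header = seen_header or in_section
        elif in_section and stripped == wanted:
            return False                      # already excluded: nothing to do
    if not seen_header:
        raise ValueError(f"{header} not found in {repo_file}")

    shutil.copy2(path, path.with_name(path.name + ".bak"))
    out = []
    for line in lines:
        out.append(line)
        if line.strip() == header:            # only this section gets the line
            out.append(wanted)
    path.write_text("\n".join(out) + "\n")
    return True


# Constructed sample mirroring the layout of epel.repo on CentOS 7
# (not the real file); the demo writes it to a temporary directory.
SAMPLE_REPO = """[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
"""


def demo():
    """Apply the exclude twice to a scratch copy; only the first call changes it."""
    workdir = Path(tempfile.mkdtemp())
    repo = workdir / "epel.repo"
    repo.write_text(SAMPLE_REPO)
    first = add_exclude(repo)
    second = add_exclude(repo)
    return first, second, repo.read_text()


if __name__ == "__main__":
    changed, changed_again, contents = demo()
    print(f"first run changed the file: {changed}, second run: {changed_again}")
    print(contents)
```

Point it at the real file with `add_exclude("/etc/yum.repos.d/epel.repo")` as root; `yum repolist` afterwards still lists EPEL, but `yum info roundcubemail` then resolves to the Kolab package only.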

The proper solution is to update the roundcubemail package for Kolab 3.4 Updates on OBS (the Open Build Service).

I was slightly confused about which tarball to use, and Daniel Hoffend (dhoffend) helped me out:

  1. Go to https://github.com/roundcube/roundcubemail/releases
  2. Get the commit id for release 1.1.3: 357cd5103d1c27f8416ef316c4a4c31588db45b8
  3. git clone https://github.com/roundcube/roundcubemail
    cd roundcubemail
    git checkout -b newrelease 357cd5103d1c27f8416ef316c4a4c31588db45b8
    git archive --prefix=roundcubemail-1.1.3/ HEAD | gzip -c > ../roundcubemail-1.1.3.tar.gz

To test the new package before it lands in the official repository, add this repo file:

yum install yum-utils
yum-config-manager --add-repo https://obs.kolabsys.com/repositories/home:/tpokorra:/branches:/Kolab:/3.4:/Updates/CentOS_7/home:tpokorra:branches:Kolab:3.4:Updates.repo
yum update

The new updated package will hopefully arrive in Kolab 3.4 Updates within the next days.

Posted in Software Development

Recently at TBits.net, we wanted to further harden authentication for a web application that we provide to our customers.

There are several options to extend authentication:

We decided on partial passwords: you have your username and your first password, you log in with those, and if that succeeds you are asked for specific letters of your second password: Please give us the third and fifth character of your second password!

See the paper “Give Me Letters 2, 3 and 6!”: Partial Password Implementations & Attacks (Aspinall and Just, FC 2013), a detailed study of partial password implementations and the attacks against them.

The next question is how to store the partial password. You cannot simply hash it as a whole, because you need to verify individual characters, and hashing each character on its own would let anyone who steals the database brute-force the characters one position at a time. The solution is a secret sharing scheme, as described in Partial Passwords – How, which uses Shamir's Secret Sharing.

I have now implemented this idea, verifying partial passwords with Shamir's secret sharing scheme, in PHP. The code is MIT-licensed and available at https://github.com/TBits/partialPasswordShamirsSecret; an example is included.

The Wikipedia article on Lagrange polynomials was also helpful for implementing the reconstruction step correctly in PHP.
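To make the storage idea concrete, here is an added Python example of one partial-password scheme built on Shamir's secret sharing. It is not the TBits PHP code and not necessarily the exact construction from Partial Passwords – How; the choices of a 127-bit Mersenne prime field, SHA-256 for blinding the shares, x = position + 1 for the share points and the record layout are this example's own assumptions. One share is generated per character position, each share is blinded with a hash of its character, and only a hash of the random secret is stored; at login the server asks for `threshold` characters, unblinds those shares with the typed characters, interpolates at x = 0 and compares the result against the stored hash.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# 127-bit Mersenne prime; all share arithmetic is done in GF(P). (Assumption
# of this example; any prime larger than the hash output modulus would do.)
P = (1 << 127) - 1


def _blind(salt: bytes, position: int, char: str) -> int:
    """Field element derived from one (position, character) pair.

    Only someone who knows the character at this position can recover the
    share hidden behind it; a wrong character yields a wrong share.
    """
    data = salt + position.to_bytes(2, "big") + char.encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... in GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate_at_zero(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P): recovers the secret."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = (num * (-xm)) % P
                den = (den * (xj - xm)) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


def enrol(second_password: str, threshold: int) -> dict:
    """Store a partial password as blinded Shamir shares plus a hash of the secret.

    One share per character position; `threshold` is how many characters the
    login form will ask for. The random secret itself is never stored.
    """
    n = len(second_password)
    if not 1 <= threshold <= n:
        raise ValueError("threshold must be between 1 and the password length")
    salt = secrets.token_bytes(16)
    coeffs = [secrets.randbelow(P) for _ in range(threshold)]  # coeffs[0] is the secret
    blinded = []
    for i, ch in enumerate(second_password):
        share = _eval_poly(coeffs, i + 1)          # x = 0 is reserved for the secret
        blinded.append((share - _blind(salt, i, ch)) % P)
    verifier = hashlib.sha256(coeffs[0].to_bytes(16, "big")).hexdigest()
    return {"salt": salt, "blinded": blinded, "threshold": threshold, "verifier": verifier}


def challenge(record: dict) -> list[int]:
    """Pick which character positions (0-based) to ask for at this login."""
    positions = list(range(len(record["blinded"])))
    chosen = []
    for _ in range(record["threshold"]):
        chosen.append(positions.pop(secrets.randbelow(len(positions))))
    return sorted(chosen)


def verify(record: dict, answers: dict[int, str]) -> bool:
    """Check the characters the user typed for the challenged positions."""
    if len(answers) != record["threshold"]:
        return False
    points = []
    for pos, ch in answers.items():
        if not 0 <= pos < len(record["blinded"]):
            return False
        share = (record["blinded"][pos] + _blind(record["salt"], pos, ch)) % P
        points.append((pos + 1, share))
    candidate = _interpolate_at_zero(points).to_bytes(16, "big")
    digest = hashlib.sha256(candidate).hexdigest()
    return hmac.compare_digest(digest, record["verifier"])


if __name__ == "__main__":
    rec = enrol("correct horse", threshold=2)
    asked = challenge(rec)                      # e.g. [2, 4]: third and fifth character
    print("Please give us characters", [p + 1 for p in asked])
    print(verify(rec, {p: "correct horse"[p] for p in asked}))   # correct answer
    print(verify(rec, {p: "x" for p in asked}))                   # wrong answer
```

Two things worth noting about what this example does and does not protect. A single observed login (shoulder surfing, a keylogger) reveals only the characters asked for, which is the point of the scheme. Against theft of the stored record it offers much less: with threshold 2 and a 95-character alphabet an attacker can try all 95² character pairs for any two positions against the verifier, and once the polynomial is known every remaining character falls to at most 95 guesses per position. Using a slow KDF such as PBKDF2 or Argon2 instead of a single SHA-256 in _blind raises that offline cost, and online attempts must be rate-limited regardless.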

Posted in Software Development