Category Archives: Security

sudo with Touch ID on macOS

Apple Touch ID with sudo in macOS

If you want to use Touch ID with sudo, you can set this up easily on macOS and authenticate with your fingerprint.

Integration in sudo

Just edit the /private/etc/pam.d/sudo file and add one line.

sudo -e /private/etc/pam.d/sudo

Add the following line at the top of the auth stack:

auth       sufficient     pam_tid.so

The file should then look like this:

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
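An added example (not from the post) of doing the edit above safely: a small shell script that inserts the pam_tid.so line first in the auth stack only if it is missing, and checks that it sits before pam_opendirectory.so, because a sufficient module only short-circuits the modules listed after it. The function names and the write_stock_sudo_pam helper are constructed here so the script can be tried on a copy before touching /private/etc/pam.d/sudo.

```shell
# Added example, not from the post: put the Touch ID module first in the
# sudo PAM stack without duplicating it, and verify the order. It takes any
# file path, so try it on a copy before /private/etc/pam.d/sudo.

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# Print the position (1-based) of MODULE among the 'auth' lines of FILE, or nothing.
auth_position() {
    awk -v mod="$2" '$1 == "auth" { n++; if ($3 == mod) { print n; exit } }' "$1"
}

# Return 0 when pam_tid.so is listed and runs before pam_opendirectory.so:
# 'sufficient' only skips the modules that come after it.
check_pam_tid() {
    tid=$(auth_position "$1" pam_tid.so)
    od=$(auth_position "$1" pam_opendirectory.so)
    [ -n "$tid" ] && [ -n "$od" ] && [ "$tid" -lt "$od" ]
}

# Insert the line before the first existing 'auth' line unless already present.
# Writing back through cat keeps the original file's owner and mode.
ensure_pam_tid() {
    file=$1
    grep -q 'pam_tid\.so' "$file" && return 0
    tmp="$file.tmp.$$"
    awk -v line="$PAM_TID_LINE" '!done && $1 == "auth" { print line; done = 1 } { print }' \
        "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed copy of the stock macOS file, i.e. the state before the edit.
write_stock_sudo_pam() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}
```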

Testing

To test the integration, just run echo with sudo; Touch ID should prompt instead of asking for the password.

sudo echo "test"
[screenshot: sudo with Touch ID]

Scoring A+ 100 100 100 100 on SSL Labs

If you want to get 100% and an A+ on SSL Labs with Apache or Nginx, set the following options:

Apache

SSLEngine on

SSLCertificateFile /etc/apache2/ssl/www_safematix_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_safematix_com.key

SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SSLCipherSuite 'AES256+EECDH:AES256+EDH:!aNULL'

Nginx

First create the Diffie-Hellman (dh) parameter file:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

ssl on;

ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;
ssl_trusted_certificate /etc/nginx/ssl/ca.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
add_header Strict-Transport-Security max-age=15768000; # six months

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

OpenSSL csr sha2 4096 bit – quick

To quickly create a CSR with a SHA-256 signature and a 4096-bit RSA key:

openssl req -new -newkey rsa:4096 -nodes -sha256 -out www_safematix_com_sha256.csr -keyout www_safematix_com.key -subj "/C=CH/ST=Zurich/L=Zurich/O=Safematix IT-Security & Service/CN=www.safematix.com"

To create a dhparam file with OpenSSL:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

SSH authentication refused – authorized_keys

If you cannot log in to the server over SSH with a key, check the auth.log file for details.

auth.log

Authentication refused: bad ownership or modes for directory /home/user/.ssh

When you see this message, the permissions on the .ssh directory or the .ssh/authorized_keys file are wrong. Fix them with:

chmod 600 .ssh/authorized_keys
chmod 700 .ssh/

By adding

StrictModes off

to your sshd_config file you can also make the problem go away, but that's not a good idea. Fixing the permissions is the best way.
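An added example, not part of the post, that reproduces the checks sshd makes with StrictModes on for the home directory, .ssh and authorized_keys (owner root or the user, no group or world write bit), so the offending path is found without reading auth.log, and applies the chmod fix above. It assumes GNU stat on a Linux host; path_is_strict, check_ssh_perms and fix_ssh_perms are names chosen here.

```shell
# Added example, not from the post: reproduce the ownership and mode checks
# sshd applies with StrictModes on, so the offending path is found before
# reading auth.log. Assumes GNU stat (Linux); 'root' is accepted as owner
# the same way sshd does.

# Return 0 if PATH exists, is owned by root or the current user, and is not
# group- or world-writable; otherwise print the reason and return 1.
path_is_strict() {
    p=$1
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    set -- $(stat -c '%a %U' "$p")
    mode=$1 owner=$2
    if [ "$owner" != root ] && [ "$owner" != "$(id -un)" ]; then
        echo "bad owner $owner: $p"; return 1
    fi
    # last two octal digits are group and other; the 2 bit set means writable
    other=${mode#${mode%?}}; rest=${mode%?}; group=${rest#${rest%?}}
    case "$group$other" in
        *[2367]*) echo "group/world writable ($mode): $p"; return 1 ;;
    esac
    return 0
}

# Walk the paths sshd inspects between HOME and authorized_keys for a key login.
check_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        path_is_strict "$p" || rc=1
    done
    return $rc
}

# The fix the post recommends, instead of setting StrictModes off.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}
```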

Nginx SSL Labs A+

To get a highly secure SSL installation on Nginx, use the following config. With these settings you also get an A+.

[screenshot: SSL Labs A+]

It is important to create the Diffie-Hellman ephemeral parameters used for forward secrecy.

You can create the dhparam.pem with openssl:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

ssl on;
ssl_certificate /etc/nginx/ssl/safematix/www_safematix_com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www_safematix_com.key;
ssl_trusted_certificate /etc/nginx/ssl/safematix/ca.pem;

ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
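An added example, not code from either post, that audits an nginx config for the points both Nginx posts rely on: weak protocol versions, a cipher string without EECDH/EDH suites, a missing ssl_dhparam, and Strict-Transport-Security being added more than once. The function names and the two sample configs produced by write_sample_weak and write_sample_strict are constructed here.

```shell
# Added example, not from the posts: audit an nginx TLS config for the points
# the posts care about (protocol versions, forward-secrecy ciphers, DH
# parameters, HSTS). One finding per line; returns 1 if any, 0 if it passes.

# Print the arguments of every DIRECTIVE line in FILE, comments and ';' stripped.
nginx_value() {
    sed 's/#.*//' "$2" | awk -v d="$1" '$1 == d {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/;[ \t]*$/, ""); print }'
}

audit_nginx_tls() {
    f=$1; rc=0
    protos=$(nginx_value ssl_protocols "$f")
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) echo "weak protocols enabled: $protos"; rc=1 ;;
    esac
    # Only EECDH/EDH (ECDHE/DHE) suites give forward secrecy; the string must select them.
    ciphers=$(nginx_value ssl_ciphers "$f" | tr -d "'\"")
    case "$ciphers" in
        *EECDH*|*ECDHE*|*EDH*|*DHE*) ;;
        *) echo "cipher string selects no forward-secrecy suites: $ciphers"; rc=1 ;;
    esac
    # DHE suites need explicit parameters (the posts generate 4096-bit ones).
    [ -n "$(nginx_value ssl_dhparam "$f")" ] || { echo "ssl_dhparam not set"; rc=1; }
    # RFC 6797: a browser processes only the first HSTS header it receives.
    hsts=$(nginx_value add_header "$f" | grep -c '^Strict-Transport-Security')
    if [ "$hsts" -eq 0 ]; then echo "no Strict-Transport-Security header"; rc=1
    elif [ "$hsts" -gt 1 ]; then echo "Strict-Transport-Security set $hsts times, keep one"; rc=1
    fi
    return $rc
}

# Constructed samples in the shape of the posts' configs: one with the
# problems above, one that passes.
write_sample_weak() {
    cat > "$1" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'AES256-SHA:AES128-SHA';
add_header Strict-Transport-Security max-age=63072000;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
EOF
}
write_sample_strict() {
    cat > "$1" <<'EOF'
ssl_protocols TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
EOF
}
```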