OHM = Oklahoma + (Hacker + Maker) * Space

Fourteen hundred (1400) square feet of space just waiting for mussels and brains to bring it to live.

Last night I attended a meeting OHM Space. For now it just a big room but I can invasion the day when it will have tools all types. I can see work working and medal working, electronics benches and paint booths, I can see class rooms with projectors and servers in racks. I can see people building furniture and bikes, RC planes and lots of electronics. But for now its just a space and the only making being done is the space it self and the only hacking was the dreams of the future.

Last night we talked about how people will be using the space.

Your have chance to become a cofounder. By paying for a full year of membership now, you’ll be guaranteed to have 24/7 access to an amazing community, voting rights, a neat certificate, access to a free parts wall and the honor of being an “OHM Space Founding Member”. The early adopter fee is $300 for your first 12 months in a single lump sum. That’s only $25/month! Collecting the money this way will help us get started with enough in the bank to keep the doors open and the electricity flowing for a full year.


Two-factor SSH with YubiKey on CentOS 5.6

YubikeyI believe the Passwords are the biggest security problem facing public computing and YubiKey is the answer. A password is often the only thing between your stuff and the people who want to steal your stuff.  Passwords fall victim to all sorts attacks. This little device acts like a USB keyboard. Each time you press the button it generates a thirty two charter one-time-password (OTP) password.

There are all kinds of instructions for installing a Yubikey.  Most are very confusing or miss a step. I hope this makes it simple for you.   All you really need these days are the rpms from the epel repository.  Note the release /5/ and system type /i386/.  I you have a different system you will need to get the right epel code.  For example, the file for Redhat 6 x64 is http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm.

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -i epel-release-5-4.noarch.rpm
yum install libyubikey
yum install pam_yubico
vi /etc/pam.d/sshd
auth       required   pam_yubico.so id=#### debug authfile=/etc/sysconfig/yubikey
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

For more information on pam_yubico.so settings, see the project Wiki page.

Here are the parameters we are using.

  "id":         to indicate your client identity.

  "key":        to indicate your client key in base64 format.

  "debug":      to enable debug output to stdout or
                /var/run/pam-debug.log if it exists.

  "authfile":   to indicate the location of the file that holds the
                mappings of yubikey token IDs to user names.

Create a /etc/sysconfig/yubikey This file must contain a user name and the yubikey token ID separated by colons (same format as the passwd file) for each user you want to allow onto the system using a yubikey.

The mappings should look like this, one per line:


Individual, by user

Each user creates a ~/.yubico/authorized_yubikeys file inside of their home directory and places the mapping in that file, the file must have only one line:

<user name>:<yubikey token ID>:<yubikey token ID>

To debug the process you can create a log file.  Don’t forget to remove this and the debug word from /etc/pam.d/sshd when you are done.

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log

Now you can tail the log file and try logging in.

tail -f /var/run/pam-debug.log &
ssh -l root localhost

Try logging in with a password only and the yubikey only.  Then try password+yubikey.

Please email me if you have any troubles.


ESXi USB root password recovery

Recovering ESXi root password is not like most linux system.  You can’t just put ‘single’ into lilo.

You need to boot a Linux CD into recover mode.

mount /dev/sda6 to /mnt/sysconfig

cd /tmp

tar zxf /mnt/sysconfig/local.tgz

vi /tmp/etc/shadow

remove the password fro mthe root entry.

That’s all there is to it, good luck!