From ef2c74ad8806a47efc9d39b7437ff40b87c65103 Mon Sep 17 00:00:00 2001 From: Sam Chudnick Date: Sat, 10 Jun 2023 13:04:24 -0400 Subject: Several updates --- about-me.html | 12 +++- kb.html | 28 +-------- projects/mfa.html | 150 ------------------------------------------------- projects/template.html | 107 ----------------------------------- software.html | 74 ++++++++++++++---------- style.css | 37 +++++++++--- 6 files changed, 87 insertions(+), 321 deletions(-) delete mode 100644 projects/mfa.html delete mode 100644 projects/template.html diff --git a/about-me.html b/about-me.html index afac43f..3045fdd 100644 --- a/about-me.html +++ b/about-me.html @@ -10,7 +10,17 @@

About Me

- A page for biographical information. +

I enjoy cybersecurity, networking, systems administration, and automation.

+

I am currently employed as a SOC analyst.

+

I hold the following certifications:

+ +

When I am not working on various technology projects I enjoy + golfing and tennis. I also occasionally play guitar (poorly)

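Review bot: the closing sentence of the new biography paragraph ("I also occasionally play guitar (poorly)") has no terminal period, and the new lead-in "I hold the following certifications:" should be checked against the rendered page to confirm the list it introduces is populated, since none of its entries appear in this hunk.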
diff --git a/kb.html b/kb.html index 37bf647..bbd87d2 100644 --- a/kb.html +++ b/kb.html @@ -11,69 +11,45 @@

Knowledge Base

This page contains various articles on technology topics of interest, - typically structured as how-to or tutorial documents. - Items without links indicate future topics I intend to cover. All articles + typically structured as how-to or tutorial documents. All articles are intended for Debian 11 unless otherwise stated, but should be similar if tried on other distros.

Configuration Management

- -

Desktop Programs

-

Identity Management

Miscellaneous

Monitoring

Networking

Security

Self Hosting

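Review bot: the "Configuration Management" and "Desktop Programs" headings survive this hunk while the only lines beneath each of them are deletions, so both sections may now render as a bare heading with nothing under it; either drop those headings as well or keep them only once an article exists. Removing the sentence "Items without links indicate future topics I intend to cover." is consistent with that, provided no unlinked placeholder entries remain elsewhere in the list.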
diff --git a/projects/mfa.html b/projects/mfa.html deleted file mode 100644 index 2a89856..0000000 --- a/projects/mfa.html +++ /dev/null @@ -1,150 +0,0 @@ - - - - - - - - - - -

Projects

-
-

mfa

-

Check out the source code here - - git.chudnick.com/mfa

- -

mfa is a system for out-of-band multi-factor - authentication with PAM. - My original reason for working on this was to get MFA functionality for - a Postfix/Dovecot mail server that uses PAM for authentication. - Solutions such as pam_oath are not feasible - for this purpose because a mail client has no way of exposing an - interface for the oath challenge-response. - Therefore a way to circumvent the original application to get the request - to the user is needed, which is what mfa does.

- -

The design of mfa is not novel, it works the same way as Cisco's Duo. - Duo does have open source modules for achieving this objective, but all - the authentication requests are - sent back to their proprietary "cloud" service. I'm sure that most - free software - enthusiasts see this as a major red flag, especially for small personal - use cases.

- -

Design

- -

mfa is primarily composed of three parts - the server, the client, - and the PAM module. - The server listens for connections from both clients and PAM - modules. The server receives a - request from a PAM module that includes the username of the user - attempting to authenticate, - the hostname of the computer, and the service being accessed. The - server then correlates the - combination of user, host, and service to a particular client, and - attempts to push a request. - The server will then evaluate the client's response, and either - return to the PAM module that - the user is authenticated or denied.

- -

The server itself consists of two parts that I've called - mfad and - mfac. mfad is the program responsible for doing - what I've described above. - mfac is a command line utility that the administrator uses to - configure the server. mfac is used - to enroll clients in the system and to provision applications. A - client is enrolled by using the - --add-client option and providing an alias for that user. The - server then assigns that user an - identifying key that is used to connect and a TOTP secret key. With - the client enrolled, the - administrator can then assign applications to that client. With the - --add-app command, the - administrator ties a username, hostname, and service combination to - a client alias, so that - when that combination is seen the server knows who to ask for - authentication. The administrator - also identifies which MFA methods are valid for this combination - (currently either or both of - push and/or totp). The example below shows the process of - enrolling a new client called - 'tux' and then provisioning MFA for SSH attempts to - tux@linux.example.org.

- -
# Enroll a client named tux
-mfac --add-client tux
-alias: tux
-client key: VA32LB3SF2HG2FDWJS5XIOFVWTMBQYRSQ3PK3OOPA3FBIQMSMJZCXYJQCYKYUWUU
-totp secret: TGGG3QCXA4MR2S2X6B33GSYN
-uri: otpauth://totp/tux%40mfad?secret=TGGG3QCXA4MR2S2X6B33GSYN
-
-# Provision MFA for SSH tux@linux.example.org allowing for both push
-authentication or TOTP
-mfac --add-app --user tux --host linux.example.org --service sshd --alias tux
---methods push totp
-			
- -

The PAM module of mfa also consists of two parts: the actual PAM - module - pam_mfa.so that gets called in the PAM stack and a - helper - program that interacts with mfad. The job of pam_mfa.so is to - retrieve the - necessary information (user and service) from PAM and then invoke - the helper - program with that data. It then waits for the MFA process to - complete, retrieves - the result, and returns either success or failure to the PAM stack. - The helper - program initiates a connetion to mfad when run and then passes - username, hostname, - and service information to the server. It too receives a success - or failure response - and then relays that information to the PAM module. Here is an - example of using - pam_mfa.so in the PAM stack for sshd.

- -
/etc/pam.d/sshd 
-auth requisite pam_mfa.so
- -

The client program is what the end user interacts with to - provide authentication responses. - Currently it is only a very simple terminal program but expanding - on this is high on the - TODO list. The client opens a connection to the server and - identifies itself with the client - key that was generated during enrollment. The client waits for a - prompt from the server, and - when it receives one, informs the user. The client receives the - users input and sends it back - to the server. The client performs this loop continuously until it - is closed.

- -

clibrary

- -

Check out the source code here - - git.chudnick.com/clibrary

- -

mail-tools

-

- git.chudnick.com/mail-tools -

- -

deploy-scripts

-

- - git.chudnick.com/deploy-scripts -

- -

server-scripts

-

- - git.chudnick.com/server-scripts -

-
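Review bot: the commit message "Several updates" does not say why projects/mfa.html is removed, and with it goes the only design write-up for mfa (the mfad/mfac split, the `--add-client` and `--add-app` workflow, and the `auth requisite pam_mfa.so` PAM line); state whether the project is retired or the description now lives at git.chudnick.com/mfa. Also note that the deleted example output embeds a literal `client key:` and `totp secret:` value; if those were ever produced by a real enrollment rather than made up for the page, they remain recoverable from git history, so treating them as burned and rotating them is the safe assumption.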
- - - - diff --git a/projects/template.html b/projects/template.html deleted file mode 100644 index 77b6c6a..0000000 --- a/projects/template.html +++ /dev/null @@ -1,107 +0,0 @@ - - - - - - - - - - -

Projects

-
-

mfa

-

Check out the source code here - - git.chudnick.com/mfa

- -

mfa is a system for out-of-band multi-factor authentication with PAM. - My original reason for working on this was to get MFA functionality for a Postfix/Dovecot - mail server that uses PAM for authentication. Solutions such as pam_oath are not feasible - for this purpose because a mail client has no way of exposing an interface for the oath - challenge-response. Therefore a way to circumvent the original application to get the request - to the user is needed, which is what mfa does.

- -

The design of mfa is not novel, it works the same way as Cisco's Duo. Duo does have open - source modules for achieving this objective, but all the authentication requests are - sent back to their proprietary "cloud" service. I'm sure that most free software - enthusiasts see this as a major red flag, especially for small personal use cases.

- -

Design

- -

mfa is primarily composed of three parts - the server, the client, and the PAM module. - The server listens for connections from both clients and PAM modules. The server receives a - request from a PAM module that includes the username of the user attempting to authenticate, - the hostname of the computer, and the service being accessed. The server then correlates the - combination of user, host, and service to a particular client, and attempts to push a request. - The server will then evaluate the client's response, and either return to the PAM module that - the user is authenticated or denied.

- -

The server itself consists of two parts that I've called mfad and - mfac. mfad is the program responsible for doing what I've described above. - mfac is a command line utility that the administrator uses to configure the server. mfac is used - to enroll clients in the system and to provision applications. A client is enrolled by using the - --add-client option and providing an alias for that user. The server then assigns that user an - identifying key that is used to connect and a TOTP secret key. With the client enrolled, the - administrator can then assign applications to that client. With the --add-app command, the - administrator ties a username, hostname, and service combination to a client alias, so that - when that combination is seen the server knows who to ask for authentication. The administrator - also identifies which MFA methods are valid for this combination (currently either or both of - push and/or totp). The example below shows the process of enrolling a new client called - 'tux' and then provisioning MFA for SSH attempts to tux@linux.example.org.

- -
# Enroll a client named tux
-mfac --add-client tux
-alias: tux
-client key: VA32LB3SF2HG2FDWJS5XIOFVWTMBQYRSQ3PK3OOPA3FBIQMSMJZCXYJQCYKYUWUU
-totp secret: TGGG3QCXA4MR2S2X6B33GSYN
-uri: otpauth://totp/tux%40mfad?secret=TGGG3QCXA4MR2S2X6B33GSYN
-
-# Provision MFA for SSH tux@linux.example.org allowing for both push authentication or TOTP
-mfac --add-app --user tux --host linux.example.org --service sshd --alias tux --methods push totp
-			
- -

The PAM module of mfa also consists of two parts: the actual PAM module - pam_mfa.so that gets called in the PAM stack and a helper - program that interacts with mfad. The job of pam_mfa.so is to retrieve the - necessary information (user and service) from PAM and then invoke the helper - program with that data. It then waits for the MFA process to complete, retrieves - the result, and returns either success or failure to the PAM stack. The helper - program initiates a connetion to mfad when run and then passes username, hostname, - and service information to the server. It too receives a success or failure response - and then relays that information to the PAM module. Here is an example of using - pam_mfa.so in the PAM stack for sshd.

- -
/etc/pam.d/sshd 
-auth requisite pam_mfa.so
- -

The client program is what the end user interacts with to provide authentication responses. - Currently it is only a very simple terminal program but expanding on this is high on the - TODO list. The client opens a connection to the server and identifies itself with the client - key that was generated during enrollment. The client waits for a prompt from the server, and - when it receives one, informs the user. The client receives the users input and sends it back - to the server. The client performs this loop continuously until it is closed.

- -

clibrary

- -

Check out the source code here - - git.chudnick.com/clibrary

- -

mail-tools

-

- git.chudnick.com/mail-tools -

- -

deploy-scripts

-

- git.chudnick.com/deploy-scripts -

- -

server-scripts

-

- git.chudnick.com/server-scripts -

-
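Review bot: this file carried the same content as projects/mfa.html (same mfa write-up, same example key and TOTP secret, same "connetion" typo), differing only in line wrapping, so deleting it alongside that page is consistent; a one-line mention in the commit message that the project pages were consolidated or dropped would make the history easier to follow.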
- - - - diff --git a/software.html b/software.html index 928ccfc..9e9cd8a 100644 --- a/software.html +++ b/software.html @@ -11,44 +11,58 @@

Software I Use

This is some of the software that I use and recommend. - It goes without saying, but all of this software is free as in freedom, - libre, open source.

- -

Desktop Programs

-

Window Manager - dwm - [git]

-

Shell - zsh

-

Terminal Emulator - urxvt

-

Statusbar - dwmblocks - [git]

-

Text Editor - vim

-

Music Player - cmus

-

Process Monitor - htop

-

Media Player - mpv

-

Email - neomutt, isync, msmtp - [kb]

-

RSS - newsboat

-

PDF Reader - zathura

-

Sandbox - firejail

-

Virtualization - qemu/kvm + libvirt

-

Firewall - ufw

+ All of this software is FOSS.

Server Software

-

This is some server oriented software that I use.

-

Mail Server - postfix + dovecot - [kb]

-

Media Server - jellyfin

+

Infrastructure

+

Virtualization - Proxmox VE

+

Backups - Proxmox Backup Server

+

DNS - Pi-hole

+ +

Services

+

Authentication and Identity - Authelia

+

LDAP - FreeIPA [kb]

+

RSS Aggregator - FreshRSS

+

Dashboard - Homer

+

Search Engine - SearxNG

+

Wiki - Bookstack

+

Personal Cloud - Nextcloud

+

Photo Management - Photoprism

+

Game Streaming - Sunshine + Moonlight

+

Mail Server - Postfix + Dovecot [kb]

-

Server Monitoring - icinga2 - [kb]

+

Monitoring

+

Service Monitoring - Prometheus + Grafana + Cadvisor

+

Log Management - Loki

-

Configuration Management - ansible

+

Media

+

Media Server - Jellyfin

+

Music Server - Navidrome

-

Identity Management - FreeIPA - [kb]

+

Development

+

Configuration Management - Ansible

+

Git Repository - Gitea

+

Git Mirror - cgit

+

CI/CD - Jenkins

+

Diagramming - draw.io

+

Desktop Programs

+

Window Manager - dwm [git]

+

Shell - zsh [git]

+

Terminal Emulator - st [git]

+

Text Editor - vim [git]

+

Music Player - cmus [git]

+

Process Monitor - htop [git]

+

Media Player - mpv

+

Email - neomutt, isync, msmtp + [git] + [kb]

+

PDF Reader - zathura [git]

+

Sandbox - firejail [git]

+

Firewall - ufw

+
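Review bot: relabelling FreeIPA from "Identity Management" to "LDAP" under Services undersells it (FreeIPA bundles Kerberos, a CA and DNS alongside its directory), and it sits directly below "Authentication and Identity - Authelia", so the two labels now read as overlapping; "Identity Management - FreeIPA" or "Directory / Identity - FreeIPA" would be clearer. Project names are also cased inconsistently: upstream spellings are BookStack, PhotoPrism and cAdvisor, and the Services section capitalises most entries while the Desktop Programs section capitalises none. "Media Player - mpv" and "Firewall - ufw" are the only desktop entries without a [git] link, which looks like an omission given the new pattern. Finally, publishing the exact authentication, CI and hypervisor stack of a self-hosted setup is an information-disclosure trade-off that is reasonable for a personal site but should be a deliberate choice rather than an accidental one.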
diff --git a/style.css b/style.css index db70bd3..d5f7504 100644 --- a/style.css +++ b/style.css @@ -1,7 +1,27 @@ -body { - color: snow; - background: rgb(10,10,10); - font-size: 14pt; +@charset "UTF-8"; + +:root { + /* Set sans-serif & mono fonts */ + --sans-font: Inter, Lato,Helvetica,"IBM Plex Sans","Roboto","Nimbus Sans L","Noto Sans", "Segoe UI",Arial,Helvetica,"Helvetica Neue",sans-serif; + --mono-font: "mononoki Nerd Font","IBM Plex Mono","Roboto Mono","Ubuntu Mono","Fira Code","Overpass Mono", Monaco,"Droid Sans Mono",monospace; + --bg: #242933; + --accent-bg: rgb(46, 52, 64); + --text: #eceff4; + --text-light: #d8dee9; + --border: #88c0d0; + --accent: #81a1c1; + --accent-light: #bf616a; + --code: #ebcb8b; + --alert: #a3be8c; + --alert-bg: #8fbcbb; + --code-bg: #2e3440; +} + +html, body, .container { + background: var(--bg); + color: var(--text); + font-family: var(--sans-font); + font-size: 12pt; } h1 { @@ -69,7 +89,7 @@ p.donate { } h2 { - color: firebrick; + color: var(--border); text-align: left; font-size: 20pt; border-bottom: solid 1px; @@ -85,7 +105,7 @@ h2.donate { } h3 { - color: firebrick; + color: var(--border); text-align: left; font-size: 16pt; max-width: 800px; @@ -99,7 +119,7 @@ em { } strong { - color: deepskyblue; + color: var(--accent-light); } /* Sidebar */ @@ -171,3 +191,6 @@ pre { max-width: 600px ; margin: auto ; } + +h3.software { +} -- cgit v1.2.3
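Review bot: the `h3.software {}` rule appended in the last hunk is an empty declaration block and does nothing; either give it the intended styling or drop it before merge. In the new `:root` block several custom properties are defined but not referenced by any visible hunk (`--text-light`, `--accent`, `--code`, `--code-bg`, `--alert`, `--alert-bg`, `--mono-font`), and two names no longer match their use: `--accent-light` is `#bf616a`, a red applied to `strong`, not a lighter shade of the blue `--accent`, and `--border` is now the heading colour for `h2` and `h3` rather than a border. Naming by role (for example `--heading`, `--emphasis`) would stop later edits from picking the wrong variable. `@charset "UTF-8";` is correctly the first statement in the file.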