If you are a human reading this, I appreciate you checking out my blog. Also, if you have registered for an account on the site, and it was deleted, please accept my apologies. Every few weeks I have to delete around a hundred or so spambot email accounts from various domains. I have plugins to attempt to foil these idiots, but of course it’s not foolproof. If you have attempted to create a legitimate account to comment on posts and it was deleted, please send me a message and I can watch out for your account.
It’s sad that such a thing is necessary, but it’s the world we live in.
This issue plagued me for some time… I was attempting to create a gpg key, add it to my keychain, and then gpg encrypt a netrc file to use in Emacs. It kept failing just before it would create the actual key, and was giving strange X-related errors. I should note that the “over SSH” part of this title means that I was connected via ssh on the server I was attempting to create the gpg key on.
One of the many error messages was that I did not have the “pinentry” package installed, but I verified multiple times that it was there, and even reinstalled it several times. It finally dawned on me that the reason it was looking for pinentry-gtk or pinentry-qt (both X-windows libraries) was that it thought I was locally logged into that server, and could see the desktop. This made me realize that it was trying to display the graphical interface for the passphrase, which could not be displayed because I was connecting via ssh. A quick echo $DISPLAY showed me that my ssh was attempting to forward the X connection to my local host; however, the DISPLAY was not working because my local system did not have those packages installed. Once I issued unset DISPLAY, my key was able to generate just fine, because it used the non-X version of the routine that asked me for my passphrase.
Another seemingly difficult problem solved by thinking things through!
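The fix described above, as an added shell example that is not part of the original post: it classifies the session from DISPLAY and the SSH variables, then runs gpg with DISPLAY removed for that one command only. The function names are hypothetical, and exporting GPG_TTY (recommended in the gpg-agent documentation) is an addition to what the post did.

```shell
#!/bin/sh
# Added example, not the blog author's code. Function names are hypothetical.

# Classify the login session the way the post diagnoses it. Prints one of:
#   tty-only   no DISPLAY: the terminal (non-X) passphrase prompt is used
#   ssh-x11    DISPLAY set inside an SSH login (X forwarding): the failing case
#   local-x11  DISPLAY set on a local desktop: a graphical pinentry can work
pinentry_session_kind() {
    if [ -z "${DISPLAY:-}" ]; then
        echo tty-only
    elif [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]; then
        echo ssh-x11
    else
        echo local-x11
    fi
}

# Run one command with DISPLAY removed, inside a subshell so the calling
# shell keeps its X forwarding for other programs.
run_without_x() {
    (
        unset DISPLAY
        # gpg-agent uses GPG_TTY to find the terminal for the prompt.
        # tty fails when stdin is not a terminal; skip the export then.
        if t=$(tty 2>/dev/null); then
            GPG_TTY=$t
            export GPG_TTY
        fi
        "$@"
    )
}

# Generate a key, warning first when the session matches the failing case.
gpg_keygen_over_ssh() {
    if [ "$(pinentry_session_kind)" = "ssh-x11" ]; then
        echo "DISPLAY=$DISPLAY is forwarded over SSH; prompting on the terminal" >&2
    fi
    run_without_x gpg --gen-key
}
```

Source the file in the SSH session and call gpg_keygen_over_ssh; run_without_x can wrap any other gpg command that needs the passphrase prompt.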
Some time ago I created a free Duo Security account to help protect my VPS. It was relatively simple to configure pam in Linux to use the Duo two factor authentication, so now anytime anyone successfully authenticates with a valid username and password, I get a notification on my phone (both Android and iOS versions available) asking me to confirm or reject the logon. While this seems like a hassle, after looking at the ssh denies (the thousands that I get per day) I felt much more relaxed about the security of my VPS.
Shortly after configuring it on Linux, I also realized there is a WordPress plugin, so now anytime anyone logs into my WordPress account successfully, I get one of the notifications. Since my phone is always nearby, it hasn’t proven to be cumbersome in any way yet. In fact, I know that even if my WordPress account is hacked and the offenders manage to successfully capture my username and password (don’t use the default username!) they still will not likely be able to get in. No system is foolproof, but this certainly is a grand step past just password authentication.
If you’re not familiar with two factor authentication, Wikipedia has a writeup (granted not a fantastic one) that should explain the basics.
When the famous Heartbleed and OpenSSL vulnerabilities were made public, Duo released updates almost immediately. Great customer service for a great product.