Sunday, October 8, 2017

Enable FIDO U2F on Linux

By default, only root can access the FIDO U2F device on Linux.  To change this:

  • Insert the U2F device, note its device node and run the following command to print its attributes, e.g.:
sudo udevadm info -a /dev/usb/hiddev1

  • Take note of the vendor and product attributes, e.g. for my HyperFIDO device:

......
ATTRS{idProduct}=="0880"
ATTRS{idVendor}=="096e"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="HS"
ATTRS{maxchild}=="0"
ATTRS{product}=="HyperFIDO Token"
......

  • Create a new rule file under /etc/udev/rules.d and grant permission to all users, e.g. create a file named "10-fido-key.rules" containing the following:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"

  • Re-insert the U2F device.

Sunday, October 1, 2017

Let's Encrypt with Google Cloud Platform

This assumes you already have an application deployed to Google App Engine with a custom domain and now want to add HTTPS with certificates issued by Let's Encrypt.  Here are the steps.

(1) Set up your Let's Encrypt client:
git clone https://github.com/letsencrypt/letsencrypt

(2) Generate the certificate.  For example, to get a certificate for www.acme.com:
sudo ./letsencrypt-auto certonly --manual -d www.acme.com

Answer a few questions and the script will pause.  You will then need to upload a validation file to www.acme.com to confirm that you indeed own the domain.
Create a file containing just this data:
_Pwd8uL9_Joz0O2HNlbyb5nBnrcqvmGj02gX2PfJYhw.XOAQHxnBJFCW1KHWhsYsaRmc_BaKnwNpuNYbS8o2gdY
And make it available on your web server at this URL:
http://www.acme.com/.well-known/acme-challenge/_Pwd8uL9_Joz0O2HNlbyb5nBnrcqvmGj02gX2PfJYhw
-------------------------------------------------------------------------------
Press Enter to Continue
(3) Create and upload the file to App Engine.  Create the folder .well-known/acme-challenge in your application tree.  Then create the specified file with the specified content.  In this example, the file name is
_Pwd8uL9_Joz0O2HNlbyb5nBnrcqvmGj02gX2PfJYhw

and the content is _Pwd8uL9_Joz0O2HNlbyb5nBnrcqvmGj02gX2PfJYhw.XOAQHxnBJFCW1KHWhsYsaRmc_BaKnwNpuNYbS8o2gdY

In your app.yaml file, include the /.well-known folder as static content:

handlers:
......
- url: /.well-known
  static_dir: .well-known
......

Then deploy your app:
gcloud app deploy app.yaml

(4) (Optional) Open the URL in your browser to verify that the validation file was deployed successfully.

(5) Go back to the console where the Let's Encrypt client is paused.  Press Enter to continue the execution.  If everything worked out, the certificate and private key will be generated.

(6) Deploy the certificate to GCP.  In your browser, go to the GCP console > App Engine > Settings.  Select "SSL certificates".  Click "Upload a new certificate".

Dump the content of the certificate and paste it in the text area:
sudo cat /etc/letsencrypt/live/www.acme.com/fullchain.pem

For the private key, convert it to the traditional RSA PEM format before pasting:
sudo openssl rsa -in /etc/letsencrypt/live/www.acme.com/privkey.pem

Finally, check the box to enable this certificate with your custom domain.
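
As an added example (not code from the original post), the following shell script stages the challenge file from step (3) in the application tree and checks it before you press Enter in step (5). It uses the token and key authorization printed above; the application root directory is assumed to be passed as the first argument, and check_remote needs curl and network access.

```shell
#!/bin/sh
# Added example, not code from the original post: stage and check the
# manual HTTP-01 challenge file for the App Engine deployment above.
# The token and key authorization are the values printed on this page;
# APP_ROOT is whatever directory holds your app.yaml.

KEY_AUTH='_Pwd8uL9_Joz0O2HNlbyb5nBnrcqvmGj02gX2PfJYhw.XOAQHxnBJFCW1KHWhsYsaRmc_BaKnwNpuNYbS8o2gdY'

# token_from_keyauth KEYAUTH: the part before the '.' is the token, which is
# also the file name the CA requests under /.well-known/acme-challenge/.
token_from_keyauth() {
    printf '%s' "$1" | cut -d. -f1
}

# write_challenge APP_ROOT KEYAUTH: create .well-known/acme-challenge/<token>
# containing exactly the key authorization and print the path written.
write_challenge() {
    # A key authorization is "<token>.<thumbprint>", both base64url. Anything
    # else (empty, extra dots, '/', '..') would become a bogus or unsafe
    # file name, so refuse it instead of publishing it.
    case "$2" in
        ""|*[!A-Za-z0-9._-]*|.*|*.|*.*.*)
            echo "malformed key authorization: $2" >&2; return 1 ;;
    esac
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    # printf, not echo: the file holds "just this data", no trailing newline
    printf '%s' "$2" > "$dir/$(token_from_keyauth "$2")"
    printf '%s\n' "$dir/$(token_from_keyauth "$2")"
}

# verify_challenge APP_ROOT KEYAUTH: 0 if the staged file exists and holds the
# key authorization (trailing whitespace ignored, as the CA also ignores it).
verify_challenge() {
    path="$1/.well-known/acme-challenge/$(token_from_keyauth "$2")"
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    [ "$(cat "$path")" = "$2" ] || { echo "content mismatch: $path" >&2; return 1; }
}

# check_remote DOMAIN KEYAUTH: step (4) from the command line. Fetch the
# deployed URL and compare, so you press Enter only once the CA will see the
# right answer. Needs curl and network access.
check_remote() {
    body=$(curl -fsS "http://$1/.well-known/acme-challenge/$(token_from_keyauth "$2")") || return 1
    [ "$body" = "$2" ]
}
```

Run write_challenge against your app root before deploying, and check_remote against the custom domain after gcloud app deploy finishes.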