Thursday, 4 July 2013

More about kerberized Home Directories

In my last post on kerberized NFSv4 home directories I complained that the screen saver looks for configuration files in my home directory which is unavailable. The new behaviour of NFS is to just block if the ticket has expired rather than fail. So the screen saver sits there waiting for a ticket before I can enter my password. One suggestion is to automatically renew tickets. I think this removes some of the benefits of kerberized home directories and just delays this inevitable lock out.

We use the GNOME desktop environment. gnome-screensaver can be locked down in such a way that it does not read the user's configuration:

# Mandatory settings live in /etc/gconf/gconf.xml.mandatory and override per-user values.
# Activate the screen saver when the session is idle
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
# Lock the screen when the screen saver activates
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
# Blank the screen instead of running a screen saver theme
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
# Set the idle delay
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 10

I also looked into using xscreensaver instead of gnome-screensaver. Initially, it has the same issues as gnome-screensaver: it tries to find its settings in the user's home directory. xscreensaver supports setting a different home directory via the HOME environment variable. However, we would need to use a wrapper that sets the environment for all xscreensaver commands. I then decided to patch xscreensaver to look for its settings in /var/lib/xscreensaver/$USER.

Unfortunately, in both cases, my GTK theme seems to be looking for files in my home directory that do not exist anyway...

Wrappers for xscreensaver and friends might be the way to go after all.
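
A sketch of such a wrapper, as an added example that is not the code or the patch used in this post. It assumes the real binaries live in /usr/bin, that the wrapper is installed under the same command names in a different directory earlier in PATH, and that /var/lib/xscreensaver is either sticky and world-writable or pre-populated with per-user directories.

```shell
#!/bin/sh
# Wrapper for xscreensaver and its helper commands: point HOME at a local
# per-user directory so the locker never touches the kerberized NFS home.

REAL_DIR=${REAL_DIR:-/usr/bin}                   # assumed location of the real binaries
STATE_BASE=${STATE_BASE:-/var/lib/xscreensaver}  # base path named in the post

# Take the user name from the process uid, not from $USER, which any
# caller can set to an arbitrary string.
current_user() { id -un; }

# Print the settings directory for a user name; refuse names that could
# escape STATE_BASE.
settings_home() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
    esac
    printf '%s/%s\n' "$STATE_BASE" "$1"
}

# Create the directory if missing, then require that it is a real
# directory (not a symlink) owned by the calling user.
prepare_home() {
    dir=$1
    [ -d "$dir" ] || mkdir -m 700 -- "$dir" || return 1
    [ ! -L "$dir" ] && [ -O "$dir" ]
}

main() {
    user=$(current_user) || exit 1
    home=$(settings_home "$user") || exit 1
    prepare_home "$home" || exit 1
    # REAL_DIR must differ from the wrapper's own directory, otherwise
    # the wrapper would exec itself.
    HOME=$home exec "$REAL_DIR/${0##*/}" "$@"
}

# Only act when invoked under one of the wrapped command names
# (xscreensaver, xscreensaver-command, xscreensaver-demo, ...).
case "${0##*/}" in
    xscreensaver*) main "$@" ;;
esac
```

The ownership and symlink checks matter when the base directory is shared: without them another local user could pre-create the directory and control the settings the locker reads.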

Monday, 3 June 2013

kerberized NFSv4

So, I got the kerberized NFSv4 home directory to work - until my ticket expires. The screen saver attempts to access my home directory and just sits there and waits. So I don't get to enter my password and cannot renew a ticket. There are a number of posts around:
  • Ubuntu seem to have patched the kernel: bug 1014910 and bug 794112. I am not convinced this is the correct behaviour.
  • In this post the possibility of zapping the Kerberos cache files is discussed, which might be an option.

Tuesday, 21 May 2013

new flickr design

So, flickr.com updated its site layout quite drastically. I think it's a mixed bag. The new design is really good for viewing photos. However, I think it is quite difficult to get the information that used to be easily available. In particular the new home page is very difficult to view: too contrasty, pictures are too large. I preferred the more muted overview allowing you to see everything at a glance. The high contrast design clashes with the white background which also makes it difficult to read. The new photostream is excellent for viewing the pictures. I also really like the new banner graphic - although it would have been nice to be able to access all my pictures to select a banner. I miss being able to see the stats for each picture in the stream. The set page does not work on Ubuntu 13.04 chrome browser, something wrong in the style sheets. I really don't like how the set thumbnails are rescaled. I carefully selected them to look ok. I really like the new android flickr app. It's excellent and I suspect I'll use that a lot to view photos. All in all, I hope flickr sorts out the various issues, in particular offer a different view to get at the statistics more easily. Once my pro account runs out I'll need to consider if I buy the ad free version or not.

Thursday, 21 February 2013

IPSec on our SL6 machines II - KINK

Kerberos can be used to set up an IPSec security association (SA); the protocol is called Kerberized Internet Negotiation of Keys (KINK). It would make sense to make use of our Kerberos infrastructure directly rather than generating x.509 certificates using Kerberos. KINK is supported by racoon2, which is available from EPEL. So this is probably worth exploring, although documentation is also very sparse. It would be nice if we could use opportunistic encryption, which doesn't require both ends of the IPSec tunnel to be specified. However, it does rely on extra entries in DNS. This might be possible but adds a certain amount of complication. This is also an interesting article giving an overview of IPSec. It suggests that LDAP might be used to distribute public keys. Nate Carlson's post on how to set up an IPSec tunnel between openswan and Windows XP also looks worth looking into.

Tuesday, 19 February 2013

IPSec on our SL6 machines I

I am looking into using IPSec to provide a secure tunnel over which we can transfer data between our servers and possibly as a way to secure NFS. We have a Kerberos infrastructure and can provide our own x.509 certificates. There is very little documentation on how to set up IPSec on RHEL6, CentOS6 or SL6 (they should all be the same really). Furthermore, RHEL6 is now using openswan, which appears to have moved to GitHub. On the new site there is still very little documentation, with just a few unhelpful examples. So, the plan is to have a series of posts so I don't forget what I have found out.