Did you leave the parking brake on?

Just a reminder, when you’re migrating a lot of data and configuration information to a new machine, remember to make sure you pull all the relevant information.

I just spent the better part of my afternoon/evening chasing down a problem where a user could not log on via SSH. He had the right key. He was using the right passphrase. His account existed in /etc/passwd, and he was listed in the right groups in /etc/group. We did all sorts of debugging on his client, and then a clue popped out when we ran the server in debug mode:

Access denied for user dude man by PAM account configuration

Well, I thought it was a clue. Turns out there was nothing overtly obvious about what was going on. Nothing, that is, until I finally decided to check the contents of /etc/shadow, only to discover that the user in question had no entry there.

Remember to check the simple things first. For a Unix/Linux account to be happy these days, it needs an entry in both /etc/passwd and /etc/shadow! It’s a step that is only really missed when you’re copying the contents of these files from another machine, instead of using built-in utilities (useradd, groupadd) to create user accounts.
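An added example (not from the post) of checking that simple thing before it bites: a shell check that cross-references a passwd file against its shadow file in both directions, taking the file paths as arguments so it can be run on the copies you are about to migrate rather than only on the live /etc files. The account data below is constructed.

```shell
#!/bin/sh
# Added example: cross-check a passwd file against its shadow file, the mismatch
# behind the "Access denied ... by PAM account configuration" message above.
# Paths are arguments so the check can run on the copies you are about to
# migrate, not only on the live /etc files.

# Print names that appear in file $1 but have no entry in file $2 (both ':'-separated).
# The awk command-line assignment "ref=1" marks the reference file as it is read,
# so the check still works when that file is empty.
missing_accounts() {
    awk -F: 'NF < 2 { next }
             ref { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' ref=1 "$2" ref=0 "$1"
}

# Report both directions; return 1 if anything is inconsistent, 0 if clean.
check_account_db() {
    passwd=$1; shadow=$2; rc=0
    for u in $(missing_accounts "$passwd" "$shadow"); do
        echo "NO SHADOW ENTRY: $u (passwd user that PAM will reject)"; rc=1
    done
    for u in $(missing_accounts "$shadow" "$passwd"); do
        echo "ORPHAN SHADOW ENTRY: $u (hash with no passwd entry)"; rc=1
    done
    return $rc
}

# Constructed sample data (not from the post): 'dude' was copied into passwd but
# his shadow line was left behind on the old machine.
demo_passwd=$(mktemp); demo_shadow=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
dude:x:1002:1002:Dude Man:/home/dude:/bin/bash
EOF
cat > "$demo_shadow" <<'EOF'
root:*:15000:0:99999:7:::
alice:$6$constructed$notarealhash:15000:0:99999:7:::
EOF
check_account_db "$demo_passwd" "$demo_shadow" || echo "account databases are inconsistent"
rm -f "$demo_passwd" "$demo_shadow"
```

On a live system, `pwck -r` from shadow-utils performs a similar read-only consistency check of /etc/passwd and /etc/shadow.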


LDAP, SSH and Access Control on Linux

I was recently asked for my opinion on options for adding access control, or, more specifically, host-level authorization for users connecting to Linux systems. All the systems in question are a variety of CentOS, and all of them are configured to use LDAP for authentication and authorization via the pam_ldap and nss_ldap modules.

The Problem

In a default configuration, pam_ldap and nss_ldap will make user and group accounts in LDAP act just like user and group accounts in /etc/passwd, /etc/shadow and /etc/group. If it is present, it’s a valid account for the system. In the general case, this is a good thing, and simplifies the configuration of your systems. Things get complicated, however, when you only want a subset of users to be allowed to log in to specific machines. Traditionally, the method for doing this has been to force pam_ldap to examine the LDAP entry for the user trying to authenticate, and only allow the authentication to succeed if some attribute of the user’s object matches a configured value. The host attribute of the account objectclass is a great one to use, but if your user objects are based on person or inetOrgPerson, and you’re doing the right thing and have strict schema checking, you can’t use it. You’d either have to violate your schema and disable checking, or violate your schema and add the extensibleObject objectclass, which is basically a schema-valid end-around to schema checking.

There are similar tradeoffs for other object attributes you might choose to use for access control, especially considering that you can only use attributes that exist in your users’ LDAP objects, and not outside them. While it certainly can be done, and I have done it in LDAP implementations before, there’s never a truly clean way to implement the policy, and changes to the policy introduce the risk of breaking the host’s LDAP configuration entirely.

A Good Solution

In the case I was most recently asked about, the only way to gain access to the system is via SSH. The application stack which the hosts run either doesn’t do any user authentication, or handles it itself. Taking a step back from LDAP, then, there is an easier way to do access restrictions: the OpenSSH daemon’s AllowUsers and AllowGroups configuration directives.

Utilizing the capabilities of OpenSSH takes one piece of complexity out of the already complex LDAP client configuration, and moves it into a service that is a lot easier to repair should something go wrong. This is especially true if you are utilizing a configuration management (CM) system like CFEngine, Puppet or Chef, where the ability of the CM to do anything might completely hinge upon the system user and group databases being intact. A configuration error that stops people from logging in via SSH is less serious than all of your system’s user and group records disappearing, which can completely unhinge the system.

Finally, utilizing OpenSSH’s AllowUsers and AllowGroups lets you manage access to hosts simply by modifying group memberships of users, which can be easily done in LDAP with tools such as my personal favorite, the LDAP Account Manager. This nicely avoids the possibility of having to write your own management tool for access control to add/delete/modify attributes that aren’t easily handled by existing tools, or may not even be visible to those tools. Saving time and effort is key to sanity as a systems administrator, and this will save you a lot.

The best part, though, is that this method works regardless of whether you use LDAP, NIS/NIS+, rdist /etc/passwd and friends from a master copy, or any other method of pushing user and group account data out to your hosts. On top of that, there’s nothing saying you can’t layer this on top of LDAP ACLs, too, for that extra bit of paranoia.
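The decision sshd makes from these directives, as an added example that is not part of the original post: the four lists are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user must survive every list that is set, and an AllowGroups line alone turns an LDAP group into the host's access list. The config fragment and the group name app-host-admins are constructed; the user@host pattern form and Match blocks are assumed out of scope.

```shell
# Added example: apply an sshd_config's DenyUsers/AllowUsers/DenyGroups/AllowGroups
# to one user in the order sshd_config(5) documents. Assumption: the user@host
# pattern form and Match blocks are not handled (run "sshd -T" to resolve those).
set -f   # values such as "contractor-*" are patterns and must not be glob-expanded
# Print the values of directive $2 found in config file $1 (keywords are case-insensitive).
directive_values() {
    awk -v d="$2" 'tolower($1) == tolower(d) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if $1 matches any pattern in $2.. ('*' and '?' wildcards, as sshd); an
# empty pattern list never matches.
matches_any() {
    name=$1; shift
    for pat in "$@"; do case "$name" in $pat) return 0 ;; esac; done
    return 1
}
# $1 = config file, $2 = user, $3 = the user's groups (space-separated, as printed by
# "id -nG user"). Prints the verdict and the directive that decided it; status 0 = allow.
sshd_would_allow() {
    cfg=$1; user=$2; groups=$3
    if matches_any "$user" $(directive_values "$cfg" DenyUsers); then
        echo "deny (DenyUsers)"; return 1
    fi
    allow_users=$(directive_values "$cfg" AllowUsers)
    if [ -n "$allow_users" ] && ! matches_any "$user" $allow_users; then
        echo "deny (AllowUsers)"; return 1
    fi
    for g in $groups; do
        if matches_any "$g" $(directive_values "$cfg" DenyGroups); then
            echo "deny (DenyGroups)"; return 1
        fi
    done
    allow_groups=$(directive_values "$cfg" AllowGroups)
    if [ -n "$allow_groups" ]; then
        for g in $groups; do
            matches_any "$g" $allow_groups && { echo "allow"; return 0; }
        done
        echo "deny (AllowGroups)"; return 1
    fi
    echo "allow"
}
# Constructed sample config (not from the post): only members of the LDAP group
# naming this host's admins may log in, and contractor accounts never may.
sample_cfg=$(mktemp)
printf 'AllowGroups app-host-admins wheel\nDenyUsers contractor-*\n' > "$sample_cfg"
for who in "alice:users app-host-admins" "bob:users" "contractor-1:users app-host-admins"; do
    printf '%-13s -> %s\n' "${who%%:*}" "$(sshd_would_allow "$sample_cfg" "${who%%:*}" "${who#*:}")"
done
rm -f "$sample_cfg"
```

On a real host, `sshd -T` prints the effective top-level configuration and `id -nG user` the group list to feed into the check.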

Loose Ends

There are, however, some downsides to doing access control via OpenSSH. The first is that it only applies to OpenSSH. This may seem like a statement of the obvious, but it’s important to point out. Other services you may be running, which also rely on LDAP for authentication and authorization, will not be beholden to your policies configured for OpenSSH. Again, it may seem like I’m simply re-stating the obvious, but consider:

  • Do you run an FTP server with user accounts?
  • Do you run an IMAP or POP service?
  • Do you run SMTP AUTH?

Those are just three examples, but any service you provide that performs user auth and does so via PAM, SASL (backed by PAM) or directly with LDAP would need to have its own ACLs in place if you don’t want all your LDAP users to have access.

With that in mind, however, if your needs are simple, use a simple tool, and get the job done with less stress.

Happy hacking!


I really need to meet this Systems Boy…

… Or at least add him to my daily reading.

My last source of confusion (on this matter, at least) is that people are going after Apple on this at all. Until the iPhone there was never an expectation that phones should either run Flash or be open. A phone is not a personal computer. It’s a phone. All smartphones are just phones. They play by a whole different set of rules. And that set of rules is much longer and stricter than that of a personal computer. No one ever complained that Nokia’s phones weren’t open. Or Motorola’s. Or Samsung’s. Why now is it completely offensive that Apple’s phones should be? Moreover, there are no phones in existence today that can display Flash content because of all the reasons cited by Jobs in his letter. Google’s phones don’t. Neither do Palm’s. So why is everyone going after Apple? It’s just crazy.

Quick update: About the only thing that has changed since he posted this, I think, is that Google has announced with Adobe that they’re going to get Flash on the Android platform. We’ll have to see how that turns out, but I honestly don’t have high hopes, primarily because touch is not the same as keyboard, monitor and mouse, and I’m not sure Flash content designed for web-on-PC will translate well.


Dear Adobe Reader Safari Plugin: Die.

If you’re anything like me, you have a strong dislike for all the stupidity that surrounds the Adobe Reader (formerly known as Acrobat Reader).

I won’t go into the details here (though this guy can explain it in great detail), but because I very occasionally need features of Adobe Reader, I still keep it installed on my Mac, while I use Preview for all my other PDF needs. I’ve gone so far as to install the Firefox PDF Plugin for Mac for when I use Firefox, just to avoid Adobe Reader. And, really, there’s no point in Adobe Reader for most cases where you just want to be able to view or print PDF files. Doubly so, since Mac OS X lets you print any document to a PDF file as a default feature of the OS.

There are, though, edge cases where having Adobe Reader installed and available are useful. So I have it installed, but I refuse to use their web plugin. Adobe doesn’t care, though, and will periodically, sometimes randomly, and sometimes even without my consent, re-install the plugin. Even though I’ve told it not to. Adobe Updater, I’m looking at you, here.

Sadly, my solution is heavy-handed. I created a launchd task that will forcibly remove the Adobe Reader plugin from /Library/Internet Plug-Ins whenever it’s created. It’s fast, efficient, and works.

And, as soon as I can figure out the new WordPress theme, I’ll post it here in a legible form.

UPDATE: Thanks to Lynne and Chad on Twitter for suggesting the Preserve Code Formatting plugin!

And now, the Launchd config. Save this as:

[The launchd plist did not survive in this copy of the post; the only piece that remains is the path it watches and removes: /Library/Internet Plug-Ins/AdobePDFViewer.plugin]


We are not all waifs! Nor are we all petite Asian girls!

It has long troubled me that women’s clothing designers have decided that everyone is small, waif-like, and perfectly proportioned. I know about the impact of models on our psychological development and well-being. That is a rant I could easily devote many screens to. However, that is not my purpose here.

I am baffled by the continuation of this trend over time, particularly since we as a society have become somewhat more enlightened. People are more aware of the reality that most of us live every day. We have begun to recognize that not all women are tiny. The reality TV show, “How to Look Good Naked,” is an example of movement toward realistic thinking and acceptance.  The fact that the show lasted less than a year indicates that progress is often faltering and slow.

Unfortunately, globalization and outsourcing have intensified the small clothing size problem. Now that many of our garments are being shipped to us from manufacturing plants in India, China, Indonesia, and other parts of the Eastern world, the already small sizes have gotten smaller. Now, the assumption appears to be that we are all petite Asian girls/women.  It is growing increasingly difficult to find clothes in realistic sizes.

I was very happy to find that at many music concerts there are now more fitted “girly” tees and tanks alongside the usual “Adult” (read male) tees. Women like to show off their curves and more tailored styles are flattering. However, the manufacturers must assume that we were all buying size Small and Medium before. The women’s tees are not cut to fit actual women with real curves.

Even the manufacturers who are producing their products in the United States are failing us on this point. American Apparel is an excellent example. This is a company that I would like to support. They take a strong stand on immigration and have a project called “Legalize LA.” I admire some of the things that they have tried to do. Their clothes are made in downtown LA using vertically integrated manufacturing. These are all things that I can support. However, when I start looking at their size charts, I start running into problems. For example, model #2102ORG. This is an Organic Fine Jersey Short Sleeve T and in 2008 was marked as “Sustainable Edition.” Sounds great. I would like to wear that. I look at the size chart. The largest size available is a XXL. Sounds big, right? Well, it’s not, not really. The chest measurement on that is only designed to accommodate a bust that is 44″-46″ at fullest point.

pure t is a company that specializes in maternity tees.  Given the fact that most women gain weight when they are pregnant and that much of that weight is often in their breasts, I would expect maternity and nursing tees to be amply sized.  When I click on their size chart, I discover that the bust on a Large is only expected to fit someone with a 38″-39″ bust line.  That is also the largest size listed in the chart. Some tees may be ordered in an XL, but no details are given about that size.  Another incongruity is that the Large is marked as being equivalent to sizes 10-12 instead of the industry standard of 12-14.

It is depressing to realize that clothes made for real women with curves are difficult to find. I haven’t even discussed the problem of being amply endowed in the bust but not being correspondingly tall. It is difficult to find long sleeved tops that will accommodate a large bust without expecting the woman to have incredibly long arms to match. Shopping in the petites section doesn’t help on that front because if you’re “petite” you’re not supposed to be buxom.

I live in the in-between. I find it difficult to shop in the regular sized racks because the busts are cut too small and the sleeves are cut too long. I find it difficult to shop in the plus sized racks and stores like Lane Bryant because I am not far enough into the plus category for their clothes to fit me. They also assume that the larger the bust line, the larger the waist line and hips. This is not always the case, even for those of us without breast implants. To get something to fit my bust, it ends up roomy in the waist and downright huge in the hips. What are those of us without the budget for personal tailors to do???


BPA-free 5 Gallon bottles are available in San Diego County!

I am very excited to report that I have FINALLY procured some 5 gallon water bottles that do not contain Bisphenol-A (BPA). After my October 2008 post about the evils of BPA, I discovered that the 5 gallon bottles I was using at home were made from #7 plastic. I set about replacing them immediately. Unfortunately, at the time, I could not locate any 5 gallon bottles that were not #7 plastic. I found a site that claimed to sell them, but they were out of stock and could not tell me when that problem would be remedied.

Pure Flo water company in Santee, CA has BPA free bottles for sale in their water store.  You may also purchase them from their website.  Pure Flo has a self-serve water station at their Santee location where you can fill your 5 gallon bottles.   When I bought my new, BPA-free bottles they came with a free fill-up.

So far, I like the bottles. They are lighter weight and softer than the crown top bottles I was using but they take the same dew caps. Gregory did discover, to our consternation, that the no spill top we used to use with our old bottles will fit the new bottles but is then almost impossible to remove when you want to switch bottles. The bottles are molded AROUND the handles, so there is little chance that the handles will pop off of the bottles. The handle seemed comfortable enough to use and did not seem to dig into my hand.

I do not know if Pure Flo will deliver water in BPA-free bottles or not but I’m sure they would happily entertain the question.
