Implications of OpenID - Google Tech Talk

July 10, 2007 | Leave a Comment

The embedded video comes from a Google Tech Talk given by Simon Willison.

From the abstract:

OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many larger challenges posed by online identity. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.

Tags: authentication, decentralized, google, google tech talks, identity, identity management, open id, openid, password, passwords, simon willison, standard, unix, willison

Dotster VPS Upgrade to PHP 5 and MySQL 5

May 7, 2007 | 8 Comments

I recently purchased a Dotster VPS and needed to get it upgraded to have PHP 5 and MySQL 5, rather than version 4 of both. These machines run CentOS, so the best plan was to use yum.

Unfortunately, yum is not installed initially, so the first step was to get and install all the prerequisites plus yum:

export MIRROR=http://mirror.centos.org/centos/4/os/i386/CentOS/RPMS/
wget ${MIRROR}python-sqlite-1.1.7-1.2.i386.rpm
wget ${MIRROR}sqlite-3.3.3-1.2.i386.rpm
wget ${MIRROR}python-urlgrabber-2.9.8-2.noarch.rpm
wget ${MIRROR}python-elementtree-1.2.6-4.2.1.i386.rpm
wget ${MIRROR}yum-2.4.3-1.c4.noarch.rpm

rpm -Uhv python-elementtree-1.2.6-4.2.1.i386.rpm
rpm -Uhv python-urlgrabber-2.9.8-2.noarch.rpm
rpm -Uhv sqlite-3.3.3-1.2.i386.rpm
rpm -Uhv python-sqlite-1.1.7-1.2.i386.rpm
rpm -Uvh yum-2.4.3-1.c4.noarch.rpm

Once that is in place, you need to enable CentOS Plus. Go into /etc/yum.repos.d/CentOS-Base.repo and, under [centosplus], change "enabled=0" to "enabled=1".

Now you can simply execute 'yum update' and it should install both MySQL 5 and PHP 5 with all the necessary prerequisites (plus a number of other things...)
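The manual edit above (flip enabled=0 to enabled=1 under [centosplus]) is easy to get wrong with a blind search-and-replace, because CentOS-Base.repo carries an enabled= line in every section. The following is an added example, not part of the original post: a section-aware toggle in POSIX sh and awk, run against a constructed .repo file laid out like CentOS-Base.repo (the section names and values are hypothetical, not copied from a real system).

```sh
#!/bin/sh
# Added example (not from the original post): enable one section of a yum
# .repo file while leaving every other section exactly as it was.

# enable_repo_section FILE SECTION
# Rewrites "enabled=0" to "enabled=1" only between the "[SECTION]" header
# and the next section header; all other lines are copied through unchanged.
enable_repo_section() {
    awk -v want="$2" '
        /^\[.*\]$/ { insec = ($0 == ("[" want "]")) }
        insec && /^enabled=0$/ { $0 = "enabled=1" }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# section_enabled FILE SECTION
# Prints the enabled= line of SECTION (nothing if the section has none).
section_enabled() {
    awk -v want="$2" '
        /^\[.*\]$/ { insec = ($0 == ("[" want "]")) }
        insec && /^enabled=/ { print; exit }
    ' "$1"
}

# Constructed sample in the layout of CentOS-Base.repo (hypothetical values).
write_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-4 - Base
enabled=1
gpgcheck=1

[centosplus]
name=CentOS-4 - Plus
enabled=0
gpgcheck=1

[contrib]
name=CentOS-4 - Contrib
enabled=0
gpgcheck=1
EOF
}

# Stand-alone demo on a throwaway copy
REPO=$(mktemp)
write_sample_repo "$REPO"
enable_repo_section "$REPO" centosplus
echo "centosplus: $(section_enabled "$REPO" centosplus)"   # enabled=1
echo "contrib:    $(section_enabled "$REPO" contrib)"      # still enabled=0
rm -f "$REPO"
```

The awk program keeps a flag that is set only while inside the wanted section, so [contrib], which is also disabled in the sample, stays disabled and the gpgcheck=1 lines are untouched. Since the RPMs earlier in the post are fetched over plain HTTP, the check worth running before each rpm -Uvh is rpm --checksig on the downloaded file, so that a tampered mirror cannot hand you an unsigned or differently signed package.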

Update: A few other things to do:

  • Remove /etc/php.d/ioncube-loader.ini. This file will cause weirdness with PHP and throw "Failed loading /usr/lib/php4/php_ioncube_loader_lin_4.3.so: /usr/lib/php4/php_ioncube_loader_lin_4.3.so: undefined symbol: zend_hash_add_or_update" in /var/log/httpd/error_log
  • Increase memory_limit in php.ini from the default of 8M; I recommend at least 32MB
  • Tune your MaxClients setting in /etc/httpd/conf/httpd.conf. I couldn't begin to make a recommendation here...

Do this at your own risk; it could mess up your entire system. Be sure to have a good backup before starting this process.

Tags: cent os, centos, centos plus, centosplus, dotster, dotster vps, mysql, mysql 5, php, php 5, unix, vps, yum

Password-less SSH Login

May 8, 2006 | 14 Comments

On occasion I have the need to establish trust relationships between Unix boxes so that I can script file transfers. In short, here's how you leverage SSH to do that. Using the example of connecting from server 'ender' to get a file from 'bean', follow these steps:

  1. Connect to ender
  2. type: ssh-keygen -t rsa
    • default directory for keyfiles will be ~/.ssh/
    • if you do not want to be prompted, leave passphrase blank
  3. copy the contents of .ssh/id_rsa.pub (there should only be one line)
  4. place this line on bean, in ~/.ssh/authorized_keys
  5. that’s it, you should now be able to ssh/sftp/scp from ender to bean without being prompted for a password!

For further detail and a more complete example check this site out.

Update: You must have "RSAAuthentication yes" in your /etc/ssh/sshd_config file. On many Linux installations this setting is commented out in a default install.
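Step 4 above is where scripted setups usually go wrong: sshd silently ignores authorized_keys when ~/.ssh or the file itself is group- or world-writable, repeated runs leave duplicate lines, and a key with a blank passphrase (step 2) gives anyone who copies id_rsa an unrestricted login. The following is an added example, not from the original post: a POSIX sh function that installs a key line on the "bean" side with the permissions sshd expects, skips duplicates, and optionally prefixes the standard authorized_keys options (from=, no-pty, no-port-forwarding) so the key is only good for the transfer it was made for. The key lines and the 192.0.2.10 address are constructed sample data, not real keys or hosts.

```sh
#!/bin/sh
# Added example (not from the original post): install a public key line into
# authorized_keys with the checks a passphrase-less transfer key deserves.

# Constructed sample key lines (not real keys); one line each, as step 3 notes.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSampleKeyDataOnly= user@ender'
SAMPLE_KEY2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCanotherConstructedKeyData= batch@ender'

# append_authorized_key KEYFILE KEYLINE [OPTIONS]
# Appends KEYLINE to KEYFILE unless the same key material is already there.
# Creates the directory 0700 and the file 0600, which is what sshd requires.
append_authorized_key() {
    keyfile=$1; keyline=$2; opts=$3
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    # Match on key type + base64 blob (fields 1 and 2). The trailing comment
    # is not part of the key, so the same key with a new comment is still a
    # duplicate and must not be added twice.
    blob=$(printf '%s\n' "$keyline" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$keyfile"; then
        return 0
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$keyline" >> "$keyfile"
    else
        printf '%s\n' "$keyline" >> "$keyfile"
    fi
}

# count_keys KEYFILE: number of key lines currently installed
count_keys() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone demo on a throwaway directory standing in for bean's ~/.ssh
DEMO_HOME=$(mktemp -d)
AK="$DEMO_HOME/.ssh/authorized_keys"
append_authorized_key "$AK" "$SAMPLE_KEY"
append_authorized_key "$AK" "$SAMPLE_KEY"      # second call is a no-op
append_authorized_key "$AK" "$SAMPLE_KEY2" 'from="192.0.2.10",no-pty,no-port-forwarding'
echo "keys installed: $(count_keys "$AK")"      # 2
cat "$AK"
rm -rf "$DEMO_HOME"
```

Run it on bean with KEYFILE set to ~/.ssh/authorized_keys and KEYLINE set to the single line copied from ender's id_rsa.pub. The from= option ties the key to ender's address and no-pty plus no-port-forwarding leave it usable for scp/sftp but not for an interactive shell or tunnelling, which is the sensible shape for a key that has no passphrase protecting it.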

Tags: authentication, keygen, linux, pass phrase, password, scp, sftp, solaris, ssh, system administration, unix

Definition: Code Turd

April 7, 2006 | 22 Comments

In a major enterprise system we pay a lot of money for, a recent patch threw us an error based on the following line of code in a shell script:

echo "I am what is running, this is linux" >> /home/ban7/jobsub/for_whatever_purpose.txt

This line was not conditional and was ironically being run on a Solaris system, not Linux. Our DBA Jon Graton defines these little gems of “production” code as “code turds”.

Tags: programming, code, shell script, definition, unix, linux, solaris, disk turd, jon graton, dba

Win2K3 R2 TechNet with Michael Murphy, Dig It?

March 1, 2006 | 3 Comments

Point of fact, no.

Yesterday I attended a Microsoft TechNet event with Michael Murphy. My interest in this specific TechNet was to learn what I could about Microsoft’s federated identity management plans.

The good news is that Active Directory Federation Services (ADFS) is now released. This package implements the WS-Federation standard for federated single sign on (SSO).

To Murphy's credit, he started the federated discussion with what I think is the perfect analogy: the driver's license. I'll talk more about that at a later point, but I loved his quote: "Where is my driver's license for the Internet?"

It was when audience members started asking questions about the solution that his shallow knowledge and inexperience in this field became readily apparent. A gentleman asked, "How does this relate to the Liberty Alliance?" Murphy was not at all familiar with "Liberty" and basically dismissed the question. Unfortunately, this would be like someone presenting about SQL Server and not being familiar with MySQL...

Anyway, another participant tried to get at what might allow LA and ADFS to interact. He asked: "Is this product SAML compliant?" Murphy said he'd never heard of SAML, and that to him it sounded "like a camel named Sam." Obviously this response was not useful to anyone...

At this point I piped up and asked how ADFS exchanged authorization information with the service provider; the question was something like, "How does it assert authorization and attribute information?" Murphy said it doesn't. Unfortunately, I knew this had to be untrue...

ADFS could not possibly be ONLY about authentication and completely ignore the authorization issue. I re-framed my question, saying that attributes and authorizations were key to identity. He said they were not; this system addressed the authentication issue, and attribute information was never communicated. Fear of sounding more like a dink led me to give up at this point...

I should have asked, "What good is your driver's license without attributes for your age, sight restriction, etc.?" Maybe he would have "got it" then...

Moving on, Murphy demo’d how the interaction would occur using some virtual servers he had. The interface for managing and setting up these federated connections seemed pretty easy and intuitive.

When Murphy logged into the service provider interface in the demo, I immediately noticed that the newly created account already had a bunch of attributes. Most notably, a $500 spending limit.

I had to ask: "How does the service provider know this newly created user has a $500 spending limit?" Murphy stumbled with this, but threw out a blatantly off-the-cuff and incorrect response.

At this point a guy behind me asked, "Can you scroll down?" This was it: clearly my fears of a half-implemented federated system were really just due to a poor presenter. A pile of attributes, including custom-defined ones such as title, were being listed in a textarea as the things being passed.

So anyway, ADFS has potential, but we’ll have to try it out for ourselves.

Stuff that intrigued me from other sections of the event:

Can we run Active Directory Application Mode (ADAM) centrally to manage our authorizations for all web-based applications? ‘Cause this would rock.

Windows Server Update Services (WSUS) could be useful for PSU…

Distributed File System (DFS) and the Branch Office Management seems partially implemented, not well thought out, and overall garbage.

The Cygwin replacement, or is there more to it?

Finally, did Michael Murphy learn his presentation style from Billy Mays?

Tags: michael murphy, microsoft, active directory, active directory federation services, identity management, presentation, technet, windows server 2003 r2, cygwin, billy mays, wsus, ad, adfs, adam, UNIX Interoperability Components, unix, windows, Active Directory Application Mode, Windows Server Update Services, liberty alliance, federated identity management, saml, dfs, distributed file system, ws-federation

Showing More On Your Terminal

January 13, 2006 | 4 Comments

I have a monitor hooked to a FreeBSD system in my office that used to just show a login prompt all day long. Occasionally I'd sit at this machine and use the console, so the monitor was useful, but 99 out of 100 times I'd just SSH to the machine.

I decided to put this monitor to better use by continually outputting some log data to this screen. Specifically, I'm outputting LDI synchronization events, which are XML. Initially I was pretty satisfied with this, except for one little annoyance. XML is bulky, so I could only see one event on the screen at a time. I found that using scroll lock I could scroll back and see old events, but what I really wanted was either a smaller font or more lines.

Enter vidcontrol.

vidcontrol -i mode will show all the modes your display supports, but more importantly, vidcontrol 80x60 will change your terminal from the standard 80x25. In short, you'll get more than double the number of lines.

More importantly, I won’t have to wade through the man pages next time I forget this command…

Thanks to Erich for the help on solving this one. He found some great docs on vidcontrol and vidfont, which I have since lost... However, here is the manpage on vidcontrol.

Tags: terminal, monitor, vidcontrol, freebsd, bsd, unix, linux, xml, logging, monitoring, log, ldi

Defining Unix Load Average

November 7, 2005 | 5 Comments

Went looking for a simple definition of load average in Unix, but alas, simplicity is not in the nature of load. I read UNIX® Load Average Part 1: How It Works by Dr. Neil Gunther who breaks load down into much appreciated, yet excruciating detail.

In short, it is the average, over 1, 5 and 15 minute windows, of the number of processes waiting in the run queue plus the number currently executing.

It's calculated like this (at least in Linux), with a new sample taken every 5 seconds:

load(t) = load(t - 1) * e^(-5/(60m)) + n * (1 - e^(-5/(60m)))

where n is the number of processes running or waiting to run at the sample and m is the window length in minutes (1, 5 or 15).
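The recurrence above is an exponentially weighted moving average, which is why the three figures react at different speeds to the same workload. The following is an added example, not from the post or from Gunther's paper: the formula carried through in Python on a constructed run-queue history (idle, then four runnable processes for ten minutes, then idle again), so the 1, 5 and 15 minute values can be compared side by side. The 5 second sampling interval is the one the formula's constant implies; the workload and all numbers are constructed.

```python
"""Added example (not part of the original post): the Unix load-average
recurrence load(t) = load(t-1) * e^(-5/(60m)) + n * (1 - e^(-5/(60m)))
evaluated on constructed samples."""
import math

SAMPLE_INTERVAL_S = 5.0  # the kernel re-samples the run queue every 5 seconds


def decay_factor(window_minutes):
    """e^(-5/(60 m)) for an m-minute window; about 0.92 for m = 1."""
    return math.exp(-SAMPLE_INTERVAL_S / (60.0 * window_minutes))


def update_load(prev_load, n, window_minutes):
    """One step of the recurrence: old load decays, current n is blended in."""
    f = decay_factor(window_minutes)
    return prev_load * f + n * (1.0 - f)


def simulate(samples, window_minutes, initial_load=0.0):
    """Feed a sequence of run-queue sizes through the recurrence; return every value."""
    load = initial_load
    history = []
    for n in samples:
        load = update_load(load, n, window_minutes)
        history.append(load)
    return history


def load_triplet(samples):
    """The (1, 5, 15) minute triplet after all samples, as top/uptime print it."""
    return tuple(simulate(samples, m)[-1] for m in (1, 5, 15))


# Constructed workload: 1 minute idle, 10 minutes with n = 4, 10 minutes idle.
# 12 samples make one minute at a 5 second interval.
BURST = [0] * 12 + [4] * 120 + [0] * 120


if __name__ == "__main__":
    # Print the triplet at a few points; the 1-minute value tracks the burst
    # almost immediately while the 15-minute value never gets near 4.
    for minute in (2, 6, 11, 13, 21):
        la1, la5, la15 = load_triplet(BURST[: minute * 12])
        print(f"t={minute:2d} min  load average: {la1:.2f}, {la5:.2f}, {la15:.2f}")
```

After one full minute at n = 4 the 1-minute figure is 4 * (1 - e^-1), roughly 2.53, while the 15-minute figure is still about 0.26; after a long enough steady state every window converges on n. That is the point of Gunther's remark quoted below: the 1-minute value is what admins glance at, but the 15-minute value is the one close to a steady-state average.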

From Gunther’s PDF Guide:

Most sys admins tend to refer to and use the m = 1 minute load average. For queueing models we want the steady-state average [...] that suggests the m = 15 minute load average is more useful for capacity planning.

So load is useful but complex.

Casey experienced some pretty severe load numbers recently...

Tags: definition, dr. neil gunther, gunther, LA triplets, linux top, load, load average, monitoring, performance, performance monitoring, solaris, unix