The Long Gray Line

“The Long Gray Line” is a film about a man, fresh off the boat from Ireland in 1898, who becomes an long term fixture at West Point. I had heard of the movie for years, but never watched it before. My main impetus in watching it was to see what the Academy looked like before they built Eisenhower and MacArthur Barracks, Washington Hall, and the rest of the “new” buildings that made up so much of my experience there.

Funny how many scenes were shot with active Cadets playing extras. They didn’t even need period costumes, they just showed up in their issued uniforms. The officer and NCO uniforms changed visibly over the years, but not the Cadet uniforms.

When the Lusitania sunk, and the Trumpet sounded, the question was not “are we going to lose anyone” but “who are we going to lose.”

The train doesn’t stop at West Point anymore: there is an iron fence between the Train Station building (used for Social Events) and the still active tracks that periodically send trains to chase the climbing team from their perches near “Crew” wall. 20% Of the Corps of Cadets are women. Cadets have Majors, cars, and cell phones now. Much of the plain has be converted to Sprots fields. Graduation is held in Michie Statdium, not at Battle Monument. Central Divisions are gone, with the execption on the first division, kept as a Bank and Museum. Intercollegiate athletics have taken on a huge role, displacing military training as the primary form of physical exercise.

Cadets still take Boxing and Swimming. Cadets in trouble still walk their post in a military manner at the quicktime, 120 steps per minute, for several hours each weekend, until their hours are all worked off. Chapel, no longer mandatory, still fills a huge role in the lives of Cadets and Officers alike. West Point graduates still fill the upper officer ranks at disproportionate numbers to their commissioning ratio.

I mentally compared it to the movie, “The Butler.” Both told the story of an institution from the point of view of someone fairly far down the chain. Both are historical, and driven by real people and events. Both have their share of Schmaltz, of makeup and aging, of historical costumes often becoming the real star of a scene. Both deal with pieces of American Government. Most important, both show peepholes int exclusive institutions that are otherwise reserved for people who have committed themselves far beyond the average. Both have Eisenhower.

But where as “The Butler” shows the evolution of America, it is the static aspect of West Point that strikes home hardest. Even the New Buildings don’t radically alter the image of West Point, they just sharpen it. The waiters in the Mess Hall are still culled from the most recent of immigrants. The words to songs like “The Corps” and “The Alma Mater” may have been slightly adjusted to reflect the greater mixing of genders, the songs still instill the thrill from the presence of Ghostly Assemblage of The Long Gray Line.

There is always something a little silly in watching actors play roles when you know the real people involved. I was a Cadet, and watching a trained actor play one with all of the earnestness and fresh-faced appeal that is the hallmark of the 1950s feels almost like I am being aped. Of course, that must be true of any role copied from real events, and I take no real offence from it. It just further reinforces how strange West Point must seem to those whom have never attended it. How can your really understand that place until you have had a dream where you are in the wrong place, in the wrong uniform, desperately sprinting to get to formation? West Point may be America’s Camalot, but for me it truly is my Alma Mater.

Teaching Horizon to Share

Horizon is The OpenStack Dashboard. It is a DJango (Python) Web app. During a default installation, Horizon has resources at one level under the main Hostname in the URL scheme. For example, authentication is under http://hostname/auth.

Devstack performs single system deployments. Packstack has an “all-in-one” option that does the same thing. If these deployment tools are going to deploy other services via HTTPD, Horizon needs to be taught how to share the URL space. Fortunately, this is not hard to do.
Continue reading

Public Key Document Signing for Oslo Messaging

The PKI version of the Keystone tokens use a standard format for cryptographic signing of documents. Crypto Message Syntax (CMS) is the mechanism behind S/MIME and is well supported by the major cryptographic libraries: OpenSSL and NSS both have well documented CMS support. Messaging in OpenStack requires guaranteed identification of the author.

Continue reading


There is more to the certmonger story. A lot more. After my last attempt I tried to use certmonger:

  • as a user-launched process
  • to get a user certificate
  • direct from the dogtag instance behind FreeIPA

I was not 100% successful, but the attempt did have some positive results.

Continue reading

FreeIPA web call from Python

This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.

Courtesy of Rich Megginson

Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.

import kerberos
import sys
import os
from requests.auth import AuthBase
import requests
import json

class IPAAuth(AuthBase):
    def __init__(self, hostname, keytab):
        self.hostname = hostname
        self.keytab = keytab
        self.token = None


    def __call__(self, request):
        if not self.token:

        request.headers['Authorization'] = 'negotiate ' + self.token

        return request

    def refresh_auth(self):
        if self.keytab:
            os.environ['KRB5_CLIENT_KTNAME'] = self.keytab
            LOG.warn('No IPA client kerberos keytab file given')
        service = "HTTP@" + self.hostname
        flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
            (_, vc) = kerberos.authGSSClientInit(service, flags)
        except kerberos.GSSError, e:
            LOG.error("caught kerberos exception %r" % e)
            raise e
            kerberos.authGSSClientStep(vc, "")
        except kerberos.GSSError, e:
            LOG.error("caught kerberos exception %r" % e)
            raise e
        self.token = kerberos.authGSSClientResponse(vc)

hostname, url, keytab, cacert = sys.argv[1:]

request = requests.Session()
request.auth = IPAAuth(hostname, keytab)
ipaurl = 'https://%s/ipa' % hostname
jsonurl = url % {'hostname': hostname}
request.headers.update({'Content-Type': 'application/json',
                        'Referer': ipaurl})
request.verify = cacert

myargs = {'method': 'dnsrecord_add',
          'params': [["", ""],
                     {'a_part_ip_address': ''}],
          'id': 0}
resp =, data=json.dumps(myargs))
print resp.json()

myargs = {'method': 'dnsrecord_find', 'params': [[""], {}], 'id': 0}
resp =, data=json.dumps(myargs))
print resp.json()

Run the script like this:

python ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt

Using Certmonger to Generate a selfsign Cert for CMS

We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS. Certmonger can support a selfsigned approach, as well as tie in to a real Certificate Authority. Here are the steps I took to test out selfsigning, as well as my notes for follow on work.
Continue reading