OpenStack is a big distributed system. FreeIPA is designed for security in distributed systems. In order to develop and test each of them, separately or together, I need a distributed system. Virtualization has been a key technology for making this kind of work possible. OpenStack is great at managing virtualization. Added to that are the benefits found when we "fly our own airplanes." Thus, I am using OpenStack to develop OpenStack.
Category Archives: Sysadmin
Using Ansible to add a NetworkManager connection
The Virtual Machine has two interfaces, but only one is connected to a network. How can I connect the second one?
Install FreeIPA via Ansible
No better way to learn some more details of Ansible than to automate a task I need to do on a regular basis: ipa-server-install.
Resetting a Known Host for SSH
I often create and destroy a virtual machine multiple times in development. SSH records the host and its key, and often complains about a changed value for a given key. As I am attempting to automate more and more, I need to be able to communicate with these recreated hosts without dealing with the warning messages.
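The quick fix for a stale entry is ssh-keygen -R <host> (optionally with -f <file>), which removes every line matching that host. When the file has been written with HashKnownHosts yes, each hostname is stored as |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>, so a plain grep cannot find the entry. The following added example, which is not code from the original post, shows how to match both plain and hashed entries and prune them from a known_hosts file. The sample file contents and key material are constructed for the example and are not real keys.

```python
import base64
import hashlib
import hmac
from pathlib import Path
from typing import Tuple

# Fixed salt so the constructed sample below is deterministic; OpenSSH
# normally uses 20 random bytes per entry.
FIXED_SALT = b"\x00" * 20


def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed-hostname marker OpenSSH writes under HashKnownHosts."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hashed_entry_matches(marker: str, host: str) -> bool:
    """True if a |1|salt|hmac marker was produced from this hostname."""
    parts = marker.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
        digest = base64.b64decode(parts[3])
    except ValueError:
        return False
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def line_matches_host(line: str, host: str) -> bool:
    """Decide whether one known_hosts line belongs to `host`.

    The host field may be a comma-separated list (name,ip), a hashed
    marker, or be preceded by an @cert-authority / @revoked marker.
    Non-standard ports appear as [host]:port, so pass that form to match it.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    idx = 1 if fields[0].startswith("@") else 0
    if len(fields) <= idx:
        return False
    hosts_field = fields[idx]
    if hosts_field.startswith("|1|"):
        return hashed_entry_matches(hosts_field, host)
    return host in hosts_field.split(",")


def remove_host(known_hosts_text: str, host: str) -> Tuple[str, int]:
    """Return (new file text, number of lines removed) for `host`."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        if line_matches_host(line, host):
            removed += 1
        else:
            kept.append(line)
    text = "\n".join(kept)
    if kept:
        text += "\n"
    return text, removed


def prune_file(path: Path, host: str) -> int:
    """Rewrite `path` without entries for `host`; returns lines removed."""
    text, removed = remove_host(path.read_text(), host)
    if removed:
        path.write_text(text)
    return removed


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; keys below are not real",
    "vm1.example.test,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1",
    hash_host("vm1.example.test", FIXED_SALT) + " ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2",
    "bastion.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY3",
]) + "\n"

if __name__ == "__main__":
    new_text, count = remove_host(SAMPLE_KNOWN_HOSTS, "vm1.example.test")
    print("removed %d entries" % count)
    print(new_text, end="")
```

In an Ansible play this is the same work ssh-keygen -R does from a local_action or delegate_to: localhost task before the first connection to the rebuilt host. Note that the hashed entry for vm1.example.test is removed while the plain entry for 10.0.0.5 on the same line is only removed because the name matched; pruning by IP alone leaves the hashed line in place, since the hash was computed over the name.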
Automating Kerberos Authentication
Sometimes you need unattended authentication. Sometimes you are just lazy. Whatever the reason, if a user (human or otherwise) wants to fetch a Ticket Granting Ticket (TGT) from a Kerberos Key Distribution Center (KDC) automatically, the Generic Security Service API (GSSAPI) library shipped with most recent distributions supports it.
OpenStack keeps resetting my hostname
No matter what I changed, something kept setting the hostname on my vm to federate.cloudlab.freeipa.org.novalocal. Even forcing the /etc/hostname file to be uneditable did not prevent this change. Hunting this down took far too long, and here is the result of my journey.
Ansible Hostgroups from FreeIPA
Ansible provides management for a large array of servers using SSH as the access mechanism. This is a good match for FreeIPA. However, by default Ansible uses a flat file to store groups of hosts. How can we get that info from FreeIPA?
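Ansible can take its inventory from any executable that prints JSON when called with --list (and per-host variables when called with --host <name>), which lets FreeIPA hostgroups stand in for the flat hosts file. The following is an added example, not the post's own script: it converts hostgroup records in the shape returned by FreeIPA's hostgroup_find command (the cn, member_host and member_hostgroup attributes are assumed to be the fields of interest) into Ansible's inventory structure, mapping nested hostgroups to Ansible children. The ipalib calls in fetch_hostgroups are an assumption to be checked against your FreeIPA release, and the sample records are constructed for the example.

```python
import json
import sys
from typing import Dict, List, Set

# Constructed sample in the shape of hostgroup_find result entries
# (attribute names assumed; check against your FreeIPA version).
SAMPLE_HOSTGROUPS = [
    {"cn": ["webservers"],
     "member_host": ["web2.example.test", "web1.example.test"]},
    {"cn": ["dbservers"], "member_host": ["db1.example.test"]},
    {"cn": ["production"],
     "member_hostgroup": ["webservers", "dbservers"],
     "member_host": ["bastion.example.test"]},
    {"cn": ["staging"]},  # an empty hostgroup
]


def build_inventory(hostgroups: List[Dict]) -> Dict:
    """Turn FreeIPA hostgroup records into an Ansible --list document.

    Each group gets explicit 'hosts' and 'children' keys; '_meta.hostvars'
    is populated so Ansible does not call --host once per machine.
    """
    inventory: Dict = {"_meta": {"hostvars": {}}}
    for entry in hostgroups:
        name = entry["cn"][0]
        inventory[name] = {
            "hosts": sorted(entry.get("member_host", [])),
            "children": sorted(entry.get("member_hostgroup", [])),
            "vars": {},
        }
        for host in inventory[name]["hosts"]:
            inventory["_meta"]["hostvars"].setdefault(host, {})
    return inventory


def hosts_in(inventory: Dict, group: str) -> List[str]:
    """Resolve a group's members through nested children.

    FreeIPA refuses cyclic hostgroup membership, but the visited set keeps
    a hand-edited inventory from sending this into an infinite loop.
    """
    found: Set[str] = set()
    seen: Set[str] = set()

    def walk(name: str) -> None:
        if name in seen or name not in inventory:
            return
        seen.add(name)
        found.update(inventory[name].get("hosts", []))
        for child in inventory[name].get("children", []):
            walk(child)

    walk(group)
    return sorted(found)


def fetch_hostgroups() -> List[Dict]:
    """Query FreeIPA with the caller's Kerberos ticket (assumed API usage)."""
    from ipalib import api  # imported lazily so the example runs offline
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api.Command.hostgroup_find(all=True)["result"]


def main(argv: List[str]) -> int:
    if "--list" in argv:
        print(json.dumps(build_inventory(fetch_hostgroups()), indent=2))
    elif "--host" in argv:
        print(json.dumps({}))  # hostvars already delivered under _meta
    else:
        print("usage: ipa_inventory.py --list | --host <name>", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Point Ansible at the script with -i ipa_inventory.py (it must be executable), and the hostgroup names become usable as play targets. Because the script runs as the invoking user, the FreeIPA lookup is authorised by that user's ticket, so kinit first or pair it with a client keytab.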
Phishing
Kerberos was slow when talking to my demo machine. As part of debugging it, I was making DNS changes, so I pointed my machine directly to the DNS server. It was at my hosting provider, and authoritative for my domain.
As I tend to do, I idly checked Facebook. It's a bad habit, like biting nails. Sometimes I'm not even aware that I am doing it. This time, however, a browser warning brought me up short:
The certificate reported that it was valid for a domain that ended in the same domain name as the nameserver I was pointing at.
Someone just like me had the ability to push up whatever they wanted to the DNS server. This is usually fine: only the authoritative DNS server for a site is allowed to replicate changes. It did mean, however, that anyone that was looking at this particular DNS server would be directed to something they were hosting themselves. I'm guessing it was a phishing attempt, as I did not actually go to their site to check.
Most of us run laptops set up to take their DNS servers from whatever DHCP server we connect to. Which means that if we are at a coffee shop, the local library, or the gym, we are querying an unknown DNS server. The less trusted the location, the less reason to trust the DHCP server.
This is a nasty problem to work around. There are things you can do to mitigate it, such as whitelisting DNS servers. The onus, however, should not be on the end users. DNSSEC attempts to address the issue, but it only helps if the client validates signatures itself rather than trusting whatever resolver DHCP handed it. Until we have that, use HTTPS wherever possible. And check the certificates.
Keeping DHCP from changing the Nameserver
I'm running FreeIPA in an OpenStack lab. I don't control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf:
interface "eth0" {
prepend domain-name-servers 192.168.187.12;
}
This makes sure my custom nameserver stays at the top of the list (adjust the interface name to match the one your VM actually uses). It's a small hack that is perfect for developer work.
Keystone and Kerberos
“How can I integrate Kerberos in to a Keystone server and still maintain the UserId-Password based login.”
This is a fairly simple task, and it works because the AUTH_URL used to get a token does not need to match the other URLs returned by the service catalog for identity.
