The semibug PAM talk live tweet

On November 8 I’ll be at mug.org, giving a talk on how “PAM is Un-American.”

Last night, I gave an early version of the talk to the smaller, and not recorded, semibug.org crowd.

Josh Grosse live-tweeted the event.

The actual talk will be recorded. And will have considerably less swearing. Because it’s being recorded.

And yes, I think there really will be a Complete and Unexpurgated Edition of PAM Mastery available at the BSDCan 2017 closing auction. All I’ll need to do is add all the swearing back into the book.

See Me in 2016

I have two more public appearances in 2016.

October 7-8, I’ll be at Ohio LinuxFest. They’ve asked me to speak on Introducing ZFS.

November 8, mug.org has invited me to talk about PAM. This is election day in the United States, so the talk is on how PAM is Un-American.

Sadly, family commitments prevent me from going to MeetBSD in Berkeley. Plus, there’s the whole “get on a plane” thing, which I try really really hard to avoid. I’d probably do it to see Berkeley, though. I’m pretty sure a pilgrimage to Berkeley is required once during my lifetime.

Other than that, you can catch me at a Semibug meeting.

Penguicon 2016 Lucas Track Schedule

While the folks at Penguicon reserve the right to change the schedule at any time, we’re close enough to the con that I’m comfortable releasing my talks and panel schedule. This is extracted from the official Penguicon descriptions and schedule.

Friday, 29 April:

6 PM – Social Media for Writers (panelist) – Hamlin
What social media trends does a writer building their web footprint need to understand? What are some Dos and Don’ts?

8 PM – PAM: You’re Doing It Wrong (speaker) – Windover
PAM, or Pluggable Authentication Modules, is one of the most occult parts of managing Unixish systems. The unique configuration syntax and idiosyncratic rule processing drives many sysadmins to copy working configurations from other people and random blog posts. This talk takes you through the essentials of PAM configuration. You’ll learn the components of PAM, how PAM processes rules, how to use multi-factor authentication, and get an overview of some useful PAM modules you probably haven’t used, based on my forthcoming book “PAM Mastery.”

10 PM – the ZFS File System (speaker) – Windover
ZFS, the Zettabyte File System, is one of the most full-featured filesystems available today and gives almost unlimited storage flexibility. Originally created by Sun Microsystems, the independent entity OpenZFS now develops ZFS as deployed in illumos, Linux, and FreeBSD. This talk takes you through ZFS’ features, including: data self-healing, deduplication and compression, clones and snapshots, copy-on-write, boot environments, replication, and more. Once you use ZFS, you’ll never understand how you lived without it.

Saturday, 30 April:

11 AM – Networking for Systems Administrators (speaker) – Windover
Too many organizations have a tense relationship between the network folks and the sysadmins. Sometimes it degenerates just short of war. But basic networking isn’t hard–if it were, network engineers couldn’t do it. This talk teaches the essentials, in a way that lets sysadmins troubleshoot network problems on their own. Sysadmins have amazing visibility into the network, once they know how to use it. We’ll cover cross-platform tools for viewing and troubleshooting the network, on both Windows and Unix.

4 PM – Encrypted Backups with Tarsnap (speaker) – Windover
Online backup is incredibly useful, but has many privacy and integrity risks. Tarsnap is an online backup service that only handles your data in encrypted form. It’s inexpensive and reliable. Plus you don’t need to trust the Tarsnap service–they can’t access your backups even if they want to. And Tarsnap’s built-in deduplication saves space, letting you store terabytes of backups in mere gigabytes of disk. This talk takes you through using Tarsnap, from backing up a system to customizing and rotating backups, to fully restoring them.

5 PM – Acts of Shameless Self-Promotion (panelist) – Portage Auditorium
What’s the best way to get your name forward?

7 PM – reading (speaker) – Writer’s Block (313 & 315)
My first ever fiction reading: my datacenter crime story “Wifi and Romex.” I’m sharing this hour with Ken MacGregor. Don’t know which half I’ll get.

Sunday, 1 May:

10 AM: Self-Publishing 2016 (panelist) – EMC 1
This panel discusses today’s self-publishing options and business models. Our panelists include authors who are both self- and traditionally published, in fiction and nonfiction, including people who are making an income entirely by self-publishing. We’ll discuss why we made the choice to self-publish, the pitfalls and lessons learned, and which business choices we’ve made on our respective self-publishing efforts.

12 PM: BSD Operating Systems in 2016 (speaker) – Charlevoix B
The BSD family of Unix has been kicking around for almost 40 years now, and has taken different paths than Linux. Come see the last year’s developments in BSD land! One of them just might solve your intractable problem. We’ll talk about new things from FreeBSD and OpenBSD, plus updates from NetBSD, Dragonfly, and assorted derivatives.

2 PM: Senior Sysadmins Panel – Windover
Some say systems administration is a young man’s game, and that eventually sysadmins rise into management. They’re wrong. A sysadmin who measures their experience in decades has made mistakes younger sysadmins can’t even imagine. This panel lets you learn from their suffering, take advantage of their experience, and laugh at their pain.

I’ll have print books at all of my tech talks, including the brand-new FreeBSD Mastery: Advanced ZFS. You’ll be able to find my novels up in the Writer’s Block, rooms 313 & 315.

I’ll be kicking around the con the rest of the weekend, except for probably a lunch break Saturday. (Anyone interested in pho?) I’m not making a firm schedule for the rest of the time, but you’ll have a pretty decent chance at finding me at any of these events.

Friday 4 PM: LN2 Welcome Back Ice Cream
Friday 11 PM: LN2 After Hours Ice Cream
Saturday 3 PM: LN2 Guest Flavors Ice Cream
Saturday 11 PM: LN2 After Hours Ice Cream
Sunday 11 AM: LN2 Sunday Brunch Ice Cream

FreeBSD and pam_listfile

I’ve discovered unknown terrors while researching and writing PAM Mastery. Well, terrors previously unknown to me, at least. I’m certain that the OpenPAM and Linux-PAM developers are very much aware of them. (I’m also certain that they’re part of the reason DES keeps his hair cut so short, so that he can’t yank it out of his head in bloody chunks.)

Part of the writing process was building a giant spreadsheet listing operating systems, PAM versions, and which modules appear in each OS. Strictly speaking, OpenPAM proper contains very few modules. Most “OpenPAM” modules actually originate from FreeBSD. But people are free to use them, so they generally get lumped into the “OpenPAM module” bucket.

One module that’s conspicuous by its absence is pam_listfile. Pam_listfile.so lets you accept or reject access based on the username’s presence in a file. It’s much like the traditional BSD /etc/ftpusers functionality.

It’s a reasonable enough module. And I’m told that pam_listfile.so can be compiled to work on FreeBSD, but nobody’s bothered to submit a port. How to make it work is a perennial question on the FreeBSD mailing lists.

The good news is, you can easily emulate pam_listfile.so on FreeBSD using pam_exec. Pam_exec runs a command as part of the PAM chain, exporting the username being authenticated to the command as the PAM_USER environment variable. If the command exits 0, the module says to grant access. If the command exits with a non-zero status, the module says to deny access. (Whether PAM obeys this instruction or not depends on the type of statement.)

Here I implement basic pam_listfile.so functionality in a shell script, pam_listfile.sh.

Enable pam_listfile.sh as an auth rule.

auth required pam_exec.so /usr/local/scripts/pam_listfile.sh

Now all you need is a script. This version of the script permits access if the username (taken from $PAM_USER) appears on a line of its own in /etc/validusers. The script’s exit status is what pam_exec looks at, so the script must exit, not return, with grep’s status.

#!/bin/sh
# Exit 0 (grant) only if $PAM_USER is a whole line in /etc/validusers.
# -q: no output, just the exit status. -x: match the entire line.
/usr/bin/grep -qx "$PAM_USER" /etc/validusers
exit $?

And here’s a version that rejects access if the username appears in /etc/validusers, exactly like /etc/ftpusers. It’s a huge change, adding an entire exclamation point.

#!/bin/sh
# Exit non-zero (deny) if $PAM_USER is a whole line in /etc/validusers.
# The leading ! inverts grep's exit status before we hand it to pam_exec.
! /usr/bin/grep -qx "$PAM_USER" /etc/validusers
exit $?

You could add more functions as you need. The important thing is to return either 0 or not-zero.
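Here is a fuller version of the same idea, added here as an example rather than taken from the post or from FreeBSD. One script handles both senses: the `allow`/`deny` word and the list path are arguments this script defines for itself (pam_exec.so simply passes them through as $1 and $2; they are not pam_exec options), the username is matched as a fixed string against a whole line, and the script fails closed when the list is missing, the mode is misspelled, or PAM_USER is empty. The path /usr/local/scripts/pam_listfile.sh and the file /etc/validusers are carried over from the post.

```shell
#!/bin/sh
# pam_listfile.sh: emulate pam_listfile's allow/deny-by-username via pam_exec.so.
# Example pam.conf line (allow|deny and the list path are this script's own
# arguments, handed through by pam_exec.so as $1 and $2):
#   auth required pam_exec.so /usr/local/scripts/pam_listfile.sh allow /etc/validusers
#
# pam_exec.so exports the user being authenticated as $PAM_USER and treats the
# script's exit status as the module result: 0 grants, anything else denies.

# listfile_check MODE FILE USER: exit status 0 = grant, 1 = deny.
listfile_check() {
    mode=$1
    file=$2
    user=$3

    # An empty PAM_USER would match an empty line in the list, so refuse it.
    # Odd characters are refused too; widen the set if your usernames need it.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # A missing or unreadable list fails closed (pam_listfile's onerr=fail).
    [ -r "$file" ] || return 1

    # -F: fixed string, not a regex.  -x: whole line, so "root" does not
    # match "rootbeer".  -q: we only want the exit status.
    if grep -Fxq -- "$user" "$file"; then
        found=0
    else
        found=1
    fi

    case "$mode" in
        allow) return $found ;;                 # listed -> grant, absent -> deny
        deny)  [ "$found" -ne 0 ]; return $? ;;  # listed -> deny, absent -> grant
        *)     return 1 ;;                      # misconfiguration: never fall open
    esac
}

# Only act when pam_exec.so invoked us (it always sets PAM_USER). Otherwise the
# function above can be sourced and exercised without touching PAM.
if [ -n "${PAM_USER+set}" ]; then
    listfile_check "${1:-allow}" "${2:-/etc/validusers}" "$PAM_USER"
    exit $?
fi
```

To check the script without logging in, source it from an interactive shell and call listfile_check directly against a scratch list; once it behaves, test through PAM with a second, already-authenticated session open so a typo in the list cannot lock you out.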

PAM Mastery is over half finished. I’ve completed the parts on “this is how PAM works” and have moved on to “here are some cool PAM modules that you might want to use.”

And my marketing department says I need to mention that I’m taking sponsors on the print and ebook versions of PAM Mastery.

next talk: “FreeBSD Filesystem Fun” at March semibug

I’m slated to present at the next SemiBUG meeting.

By unpopular demand, I’ll offer “FreeBSD Filesystem Fun,” also known as “odd stuff I learned as I’ve written the FreeBSD storage books.” You’ll get content on UFS, ZFS, unionfs, various memory filesystems, and some of the really odd corners I discovered while writing the book. Warning: will contain actual math and ZFS tuning know-how.

15 March. 7 PM. Altair Engineering!

To be followed by dining at Leo’s Coney Island right next door. (We’re flexible on dinner, but somehow it always turns out to be Leo’s.)

Future meetings of note include two special guests:

On 19 April, Tom Lawrence is coming to talk about pfSense.

And on 17 May, Isaac Levy is flying in from New York City to talk about FreeBSD jails. I’d really like to fill our space for this one, as Ike is both a great speaker and making a special flight exclusively for us. Knowing Ike, I suspect that the dinner afterwards will involve beer.

June will be a BSDCan trip report, and July, Josh Grosse on porting software to OpenBSD.

The Penguicon Lucas Tech Track

I submitted several tech events to Penguicon, our local tech/SF/maker/assorted random WTF convention.

They accepted six: five talks and one panel.

So if you’re in Detroit on the weekend of 29 April-1 May, come by and see me bloviate about:

  • PAM: You’re Doing It Wrong
  • the ZFS File System
  • Networking for Systems Administrators
  • Encrypted Backups with Tarsnap
  • BSD Operating Systems in 2016
  • Senior Sysadmin Panel

The last one, the Senior Sysadmin Panel, should be a lot of fun. I’m looking for 3-4 more people to sit on that panel. I was a pro sysadmin for 20 years at a variety of organizations. Ideally, while I’m moderating the panel, I’d like to be the junior sysadmin on it. Let me know if you’ll be at Penguicon and interested.

I’ve also expressed strong interest in being on the self-publishing panel, but I haven’t heard back on that yet. That’ll be on the lit track.

first semibug.org meeting next Tuesday

The first meeting for the Southeast Michigan BSD User Group, aka SEMIBUG, will be next Tuesday, 17 November 2015, at the Hazel Park Raceway restaurant.

We’ll discuss what sort of meeting we want, when the regular meeting will happen, where it will be, and suchlike. We’ll probably also draft someone to fix the website. (By fix, I mean “burn it to the ground and try again.”)

The restaurant menu is very minimal thanks to the season, but after the meeting interested parties can head out to one of the local places for actual food. Buy a soda or a beer at HPR to justify our presence.

freebsd-update: “/usr/sbin/freebsd-update: cannot open files/.gz: No such file or directory”

This morning, I finally updated my web server to FreeBSD 10.2-p6 using freebsd-update. Normally I like freebsd-update, but this morning it decided to be cranky.

As usual, it was cranky because I didn’t know what I was doing.

First, I should say that I don’t need to update my hosts that often. If there’s, say, a mountd(8) security advisory, I don’t bother. And when I ran bunches of FreeBSD boxes, I ran freebsd-update through ansible.

This means I’m not terribly familiar with the output.

So, I run:

# freebsd-update -F -r 10.2-RELEASE upgrade

There’s the usual “downloading metadata” messages, then a bunch of stuff on updating patches.

I then get presented with an /etc/mail/sendmail.cf diff, saying some of the innards of that file have changed. Fine.

Then I get:

The following file will be removed, as it no longer exists in
FreeBSD 10.2-RELEASE: /etc/ntp.conf
Does this look reasonable (y/n)?

Wait… FreeBSD dropped /etc/ntp.conf? What, did they drop ntpd? Who do they think they are, OpenBSD? I’m sure that’s in the release notes, had I bothered to read the release notes. Fine, I’ll install openntpd from packages after the upgrade. No biggie. But I want /etc/ntp.conf to stick around, as I have custom twiddles in there. I think. It’s been a while.

So I answer n. Just like I would with mergemaster.

And freebsd-update ends.

Fine. That’s all the updates, right? I saw stuff download. I then do:

# freebsd-update install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.

What fresh hell is this? I saw all sorts of stuff download!

I rerun the freebsd-update command, and this time I notice in the output:

/usr/sbin/freebsd-update: cannot open files/.gz: No such file or directory

Something’s missing.

I add -F, to say “hey, re-download everything.”

Same result.

Eventually, I let freebsd-update take /etc/ntp.conf. The upgrade kept running after that, downloading a bunch more stuff and finally telling me to reboot and run freebsd-update install.

The takeaways here are:

1) freebsd-update is not mergemaster. Answering n anywhere makes the update stop before it’s finished.
2) Read the release notes.

BTW, ntpd is still part of FreeBSD 10.2. I don’t know why the update wanted to blow away my ntp.conf rather than point out any diffs.

SSH talk, 10 November 2015

I’ll be at the Farmington Hills Public Library for the mug.org meeting on 10 November 2015, talking about SSH.

The talk will be pretty much based on SSH Mastery, as you might expect.

Meeting starts around 6:30 PM.

The library throws us out at 9PM, at which point a bunch of us troop out to Red Lobster for dinner. You’re welcome to come too.

MUG talks are normally filmed and available on YouTube. But you really do want to fly in from your distant continent to see this talk in person.