Easy Security Project: standalone ssh-ldap-helper

I’ve been waiting for quite a while for an official way to centrally manage user authentication keys in OpenSSH. If you have a dozen servers, copying authorized_keys files around is a pain. If you have more than that, it’s really really painful. The OpenSSH guys have had good reasons for not wanting to link LDAP libraries straight into OpenSSH. They also gave some general guidance of what they’d want to see in a patch that supported LDAP authentication.

Jan Chadima from Red Hat took OpenSSH up on this, wrote a patch as per spec, and submitted it to OpenSSH. And Damien Miller committed it. LDAP support for OpenSSH will be in 6.2…

…sort of.

The patch adds support for getting a user’s authorized_keys file from a helper program. Red Hat includes a helper program, ssh-ldap-helper. That program is not in the OpenSSH patch. And, truthfully, there’s no reason it should be in the main OpenSSH distribution. We’ll see helpers for LDAP, for database lookups, for FUSE and HTTP and whatever weird data storage people come up with. I don’t want the OpenSSH guys spending their time writing these helpers.

But the source code for ssh-ldap-helper is in the Red Hat source RPM. As far as I can tell, it’s under a BSD license.

If you’re looking for a way to contribute to the OpenSSH user community, however, digging into the RPM (it’s just a tarfile), extracting the included OpenSSH code, and adding the patch for ssh-ldap-helper, ssh-ldap-wrapper, and the man page is pretty easy. I got that far, after all! I imagine that someone with a little bit of knowledge could make it compile on xBSD. Or at least, it’s a place to start.

You’d make my life a lot easier. And give me more time to finish the new edition of Absolute OpenBSD. That’s what you lot want me to do with my time, isn’t it? (I’ll have a post on that status in a few days.)

I also have to give props to Red Hat on this. They had a need in OpenSSH. They were given the requirements for that need to be met in mainline OpenSSH. And they met those needs and submitted the patch. Everyone cooperated, everyone gets what they need. That is how open source should work. Given how some other open source companies and projects are behaving lately, this makes me feel pretty good about the BSD community.
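As an added illustration of the helper model this patch enables (my example, not the Red Hat ssh-ldap-helper code or anything from the post): a minimal key-lookup helper that sshd can run per login through its AuthorizedKeysCommand option. It assumes the openssh-lpk style sshPublicKey attribute, an ldapsearch binary on the path, and placeholder LDAP_URI and BASE_DN values; it validates the login name before building the search filter and emits only values that look like a single authorized_keys entry.

```python
import base64
import re
import subprocess
import sys

# Assumptions, not from the post: sshd's AuthorizedKeysCommand (OpenSSH 6.2) runs this
# script with the login name as argv[1] and reads authorized_keys lines from stdout; keys
# live in the sshPublicKey attribute of the openssh-lpk schema. URI and base are placeholders.
LDAP_URI = "ldaps://ldap.example.com"
BASE_DN = "ou=people,dc=example,dc=com"
# Login names are restricted to a conservative charset; this also keeps LDAP filter
# metacharacters ( ) * \ out of the search filter built below.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# One plain authorized_keys entry: key type, base64 blob, optional comment. Entries that
# start with options (from=, command=) are deliberately rejected by this filter.
KEY_RE = re.compile(
    r"^(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=* ?[^\n]*$"
)


def parse_ldif_attr(ldif, attr):
    """Return every value of `attr` from LDIF text, handling the two things naive
    parsing misses: long values folded onto lines starting with a space, and
    base64-encoded values written as 'attr:: ...'."""
    unfolded = re.sub(r"\n ", "", ldif)
    values = []
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def filter_keys(values):
    """Keep only values that are exactly one well-formed key line, so a stray or
    tampered directory value cannot smuggle options or extra lines into sshd."""
    return [v.strip() for v in values if "\n" not in v and KEY_RE.match(v.strip())]


def lookup_keys(username):
    """Fetch and filter sshPublicKey values for one login name via ldapsearch."""
    if not USERNAME_RE.match(username):
        return []
    try:
        out = subprocess.run(
            ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN,
             f"(&(objectClass=posixAccount)(uid={username}))", "sshPublicKey"],
            capture_output=True, text=True, check=False,
        )
    except OSError:  # ldapsearch missing or not executable: fail closed with no keys
        return []
    if out.returncode != 0:
        return []
    return filter_keys(parse_ldif_attr(out.stdout, "sshPublicKey"))


# Constructed LDIF as ldapsearch -LLL would print it: a key folded at the 76-column limit,
# a base64-encoded value (decodes to "ssh-rsa AAAAB3Nz"), and a junk value to be dropped.
SAMPLE_LDIF = (
    "dn: uid=mwlucas,ou=people,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampl\n"
    " eExampleExa mwlucas@caddis\n"
    "sshPublicKey:: c3NoLXJzYSBBQUFBQjNOeg==\n"
    "sshPublicKey: not a key at all\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("\n".join(lookup_keys(sys.argv[1])))
    else:  # no user given: show what the parser does with the constructed sample
        print("\n".join(filter_keys(parse_ldif_attr(SAMPLE_LDIF, "sshPublicKey"))))
```

sshd also requires the helper to be owned by root and not group- or world-writable, and a dedicated low-privilege AuthorizedKeysCommandUser to run it as.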

Amazon Author Rank vs Writers

Amazon recently introduced Author Rank, where they list authors in order of popularity. I’ve had a lot of discussions about this feature and what it means to writers.

Amazon provides a surprising number of features for authors. Their Author Central system lets me see how many of which book sold, and where, over a given time period. There’s a neat little app that shows where in the country my books sold, according to Bookscan data. Bookscan data might not be complete, but it’s more information than my twice yearly No Starch royalty statements. I know that in the last four weeks, five of my NSP books sold in the SF-Oakland-San Jose area, and 4 in Washington, DC. That’s interesting, and for a tech author those sales numbers are not too shabby.

I choose the word “interesting” carefully. It’s interesting. But it’s not exactly useful. If these geographic sales charts show that I was consistently selling quite well in Amarillo, Texas, I might be inclined to see what’s going on down there. But the sales basically hit exactly where I expect: Silicon Valley, Washington DC, RTP, NYC, with others trailing.

An author can spend hours trawling through his sales data this way. It’s interesting, but: this data doesn’t help you sell books. It makes sense that you’d kill a couple hours the first time you get the data, but as an ongoing thing, it just takes up time. You’d be better off writing.

Author Central also gives graphs of how your books as a whole, or all your books, sell over time.

sales graph

Looking at this, I might think “Wow. What did I do the week of March 7, 2011? Why did that book do so well that week? And how can I repeat this?” The answer is, I didn’t do anything. This sales spike had nothing to do with me. I wrote a good book. Someone ordered a bunch of copies, perhaps for a test, perhaps for their company, or perhaps because the paper the book is printed on is thin and soft. All I can do is be appreciative of “the folks who bought my book,” whoever they are.

The more insidious question would be: “why have my sales dropped since then?” I have an easy answer. My print sales have dropped, but my ebook sales have increased. Also, technology books have a lifespan. I’m pleasantly stunned that the five-year-old Absolute FreeBSD is still selling this well, but I have no right to expect this trend to continue.

It’s conceivable that I might find a use for this data. If my books consistently sell well in Amarillo, a place not known for its high tech business, I’d probably want to investigate and see what’s happening down there. Perhaps I would somehow use Amarillo in a new book, to give a nod to that readership. But the data fits my expectations, so it won’t change anything I do.

Also, this graph contains data. X number of book Y sold in Week Z. Those are real numbers. Not terribly useful, but interesting.

Now consider the Amazon Author Rank graph.

rank graph

On October 5th, I was the #11,117th most popular author on Amazon. Think about that for a moment.

What is popularity? How is it calculated? What is that supposed to mean? Is that an average based on the sales of all of my books, or my sales in aggregate? How are authors ranked? Without this kind of knowledge, this chart isn’t data. It’s an arbitrary rank, no better than Klout. I’d actually find my Scalzi Number more useful; I know how that’s calculated, and hence could derive a shallow meaning from it.

This number will cause an author some kind of emotional reaction. Maybe they’re disappointed that 11,116 authors are more popular than them. Maybe they’re thrilled that hundreds of thousands of authors are less popular than them. Either way, this reaction does not help an author with their craft.

Ranking authors by some unknown popularity algorithm? It’s like high school all over again, and just as meaningful.

When this feature just came out, I exchanged tweets with other authors about it. Chris Sanders, author of Practical Packet Analysis, shared with the world that his author rank was 9425, a few thousand higher than mine.

I agree that his Practical Packet Analysis is a good book. But what am I to draw from him having a higher Amazon rank than I do?

I write the books I write. My Network Flow Analysis is the best book I can create on netflow. PPA is the best book Chris could write about Wireshark. Comparing them isn’t really possible: they’re different topics, different audiences, and completely different books. Even though both are books about networking, they are utterly different in purpose, execution, and readership.

And what does the difference mean? Does his one book sell more copies than all of my books put together? Could be. Even if his books outsell mine twenty-five to one, does it matter to me?

One of the very worst things an author can do is start comparing himself to other authors. That way lies despair and heartbreak. If I measured my success against Dean Koontz or James Patterson, or even Richard Stevens, I’d give up writing altogether. Because my books aren’t their books, my audience isn’t their audience, and my career is not their career. I write the best books I can. And my audience finds them useful enough to buy them. That’s enough.

You want to be a more popular author? Write the best books you can. Continuously work to improve your craft. Become a better author, and readers will come. Don’t get involved in high-school popularity contests, especially ones that offer no benefit to your career, your craft, or your ego.

Personally, I’m going to ignore Author Rank. I see no use for it. The best thing you can do is shut up and write.

And lest someone gets the wrong idea, I like Chris. If I get to Charleston, I plan to look him up and see if he’s free for lunch. I’m sure he knows where to get good barbeque. Mind you, he can pay for it. He’s the big-name popular author, after all.

Hey, maybe Author Rank isn’t completely useless…

Get Your Haiku Published in the new “Absolute OpenBSD”

Something weird happened as I worked on the second edition of Absolute OpenBSD: people started sending me haiku. The first edition included a haiku at the beginning of each chapter, something apropos to the topic.

TCP/IP
Learn how it fits together
You cannot escape

I reviewed the old book before outlining the new version, and the haiku made me wince. They’re mediocre at best. I considered dropping them from the new edition, or perhaps replacing them with quotes on trust, but an informal Twitter poll came out overwhelmingly in favor of the haiku. This demonstrates that computing professionals have lousy taste in poetry, or that an author is permitted no opinion on the quality of his own work. Or both.

Frankly, the haiku my fans send are better than the ones I write. Some of mine are okay, but they can’t compete with someone else’s inspiration.

So, here’s the deal:

You’ll find the outline for the second edition in my September status blog post. Each chapter needs a haiku.

Post your English-language haiku here, along with valid contact information and your name as you’d like to be credited. If your haiku is better than what I have for that chapter, I’ll use yours instead of mine. By posting your haiku here, you give me permission to use it in the book. Winners will be selected by me, at my sole discretion, based on whatever criteria I feel like using at the time. Your best bet is to amuse me.

If you don’t want to post your haiku, you can email it to me. Use the subject of “ao2e haiku” to avoid the Horrible Black Void that awaits most email I receive.

What is a haiku? Real haiku are in Japanese. I can’t use real haiku — I can’t even read real haiku. For my purposes, a haiku has:

  • 5-syllable first line, 7-syllable second line, 5-syllable third line
  • A season word (e.g., summer, snow, etc.)
  • A comparison

You might note that my leading haiku breaks two of these three rules. It amuses me, however, which is more important than any other characteristic. But if you can follow all three rules in a haiku about packet filtering, I’ll be slightly impressed.

    Both entries and attributions must be PG-rated. As in, no obscenity. Sorry, folks, I know that obscenity is a staple in sysadmin circles, but AO2e is supposed to be a clean family book.

    I’m not limiting entries per person, but I can say that if you flood me with dozens of mediocre haiku I’ll probably miss the one awesome one you do post. (“Oh, it’s him again. Sigh.”)

    So, what’s in it for you?

    Selected haiku will appear at chapter headings in the second edition of Absolute OpenBSD, with attribution. This is your chance at eternal fame. Selected haiku-ists will get an ebook of the finished book. If I can swing a sufficient number of physical copies, I’ll give those out as well. Depends on how many winners and how many copies I get.

    Competition will remain open until I finish the first draft of the book. I’m writing frantically, hoping to get a first draft done by mid-November. If I make that deadline, the book can exist for BSDCan 2013. That would be awesome. Can I make that deadline? Dunno. I’m holding the contradictory ideas “no, that’s impossible” and “sure I can!” in my brain simultaneously.

    So, in closing:

    Lucas is lazy
    Your haiku makes him chortle?
    Get free electrons.

    Log Only sudo Failures

    The sudo(8) privilege management tool is very admin-friendly in that it logs successes and failures. I don’t really care when my users successfully use sudo. I do care when they use it unsuccessfully, however. A sudo failure indicates that either the user doesn’t know their system password, or they’re trying to use forbidden commands.

    sudo keeps logs. The interesting thing is, successful log messages are of priority notice, while unsuccessful attempts are of priority alert. This opens up an easy way to improve security and customer service.

    Before anything else, remember that a user who cleverly gets root can edit your log files. Forward your sudo logs to your logging host. Your users should not have access to your logging host.

    Next, split your sudo logs out into two logs. You can set sudo’s syslog facility, but as I’m always short on facilities, I tend to break sudo out via program name. Here’s a syslog.conf entry.

    # sudo block; failures (bad password, forbidden command) log at priority alert
    !sudo
    *.*     /var/log/sudo
    *.alert /var/log/sudofail
    # reset the program filter so later entries apply to all programs again
    !*

    Touch the files, restart syslogd, and /var/log/sudofail will contain only password failures and attempts to run forbidden commands. The two log entries are very different.

    Sep 26 10:37:27 caddis sudo: mwlucas : command not allowed ; TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=/sbin/reboot
    Sep 26 10:53:09 caddis sudo: mwlucas : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su

    Separating this log out opens some interesting customer service possibilities. If you’re on OpenBSD, you can automatically have newsyslog email you the log of failures. Otherwise, you can set up a separate script to do that, or feed it to your alerting system, or whatever. Then have a helpdesk minion call the user in question and ask what they’re trying to do. Perhaps they’ve forgotten their password. Perhaps someone else got access to their account. Perhaps they’re having trouble. Maybe they need sudo -l explained to them.

    The end user will either feel like you’re watching out for them, or realize that your sysadmin group watches the systems very closely.

    Even if you don’t take proactive action, having sudo failures logged to a separate file simplifies digging through the logs.

    On Bogus Book Reviews

    There’s been a furor recently about authors faking reviews in one manner or another: either by buying reviews, or by sock puppetry. As nobody can generate reams of morally-outraged words like offended writers, it’s created a pretty big buzz in the publishing world. Here are my thoughts on these types of reviews. For brevity, I lump all of these reviews into a category I’m going to call “fake reviews.” It’s not strictly accurate, I know, but I can’t come up with a better phrase at the moment.

    I’m not outraged. I’ve expected this. Perhaps it’s my computer security experience, but any system that permits this kind of exploitation will be exploited. Publishing is no magic kingdom exempt from the rule of self-interest. Just because I’ve expected this, doesn’t mean I approve of it.

    Reviews are important. I depend on reviews for sales, and I depend on sales to write new books. Would I like hundreds of five-star reviews? Sure.

    Would I pay for them, or sock-puppet them? No.

    Purchasing reviews betrays a lack of confidence in your work. If your work is good, if it has an audience, that audience will find it. Eventually.

    Writing is a long game. You must have patience. In traditional publishing, a paperback book has about three months to find a readership. Today, with ebooks, online ordering, and print-on-demand, books can take years to find a readership. (My nonfiction books are different, mind you; one factor that goes into deciding if I should write a book is if I expect it to have at least a three-year lifespan. My books have considerably less time to find readers. Lucky novelist bastards.)

    The fact that I’m not willing to pay for good reviews means that I have to ask my readers for them. I walk a careful line between groveling for exposure and annoying my readers. So far, I seem to have erred on the side of not annoying my readers, but I’m OK with that. It’s better to get fewer reviews than alienate your readers.

    I send books to book reviewers. They want books to review, I want book reviews. It’s a fair trade.

    I can’t say that I would never buy a review. Never is a strong word. Purchasing a review from a reviewing business would be a business decision. But if I ever do buy reviews, they will be disclosed as such.

    On the other side of this coin:

    I occasionally review books, both on Blather and on Amazon. I frequently know the authors of these books. I don’t consider these reviews fake, but I do try to disclose my bias.

    If I review a book on this blog, it’s because I honestly think it’s awesome, or because it fills some desperate need and it’s “good enough,” or because it changed how I think about things. I review some books from No Starch Press, because they always ask me if I’m interested in their new titles. I don’t review all the books they send me. In part that’s because I’m lazy. In part it’s because I’m working on my own books. But I find the time to review the truly exceptionally awesome books they send me. (Which reminds me, I owe them a review on the Manga Guide to Linear Algebra.)

    I also review fiction books I really enjoy, but not as “Michael W Lucas, Famous-in-a-real-small-world Author.” Usually those go up under my family’s Kindle account. Do I know those authors? Some of them, sure. I’m a writer. I make friends with other writers. We sit around smoky rooms late at night, sipping absinthe and bemoaning how unfair life is to us artistic sorts. But most of my blog readers don’t really care that I think that Harry Connolly’s 20 Palaces books are unquestionably the best modern fantasy of the decade, and that everyone interested in that genre should purchase them all, immediately. You’re here for other reasons. (I have no idea what those reasons are, but they’re something about technology. Or writing. Something like that.)

    For example, I didn’t know Chris Sanders before reviewing Practical Packet Analysis. But we’ve exchanged emails several times since then, and if I ever get to his part of the world I’ll ask him if he wants to get barbeque. It’s called networking, and it makes your career go. But if he ruins the (purely hypothetical) third edition of his book, that connection won’t make me give him a five-star review. I’ll just quietly not review it.

    Same sort of thing with Peter Hansteen and his Book of PF, although my chances of getting to Norway aren’t very good. And Norway isn’t noted for its barbeque. (What do they eat in Norway, anyway? From my observations at tech conferences, the answer seems to be “beer.”)

    I occasionally write reviews about books by writers I know. It’s a small world.

    If I write a review, in any genre of book, it’s because I honestly think a book is awesome. I’ll give that book 4-5 stars. I won’t give someone a 5-star review just because I’m their friend, however.

    If I read a book and I enjoy it, but it’s not awesome, I won’t review it. Just because a book doesn’t set fire to my brain doesn’t mean that book won’t speak to someone else. In computer book terms, just because a book is about Windows 7 doesn’t mean that it’s a bad book. It’s just not for me.

    Would I ever give a book a 1-star review? Sure. If a book is unprofessionally done, I’ll excoriate it. Sentences have these things called “verbs” and “nouns,” and are built with this thing called “grammar.” If a book completely fails to meet my standards for competent wordcraft, I feel free to label it a failure.

    But usually, when I get crap in my eyes I close them.

    Absolute OpenBSD status, 9 Sep 2012

    Those who have been following my Twitter feed know most of this, but here’s the status on this book.

  • Chapters 0-10 have been sent to No Starch. They’ve done initial edits on 0-5. I’ve responded to those edits, so they’re now off for Hansteen’s tech review.
  • Chapters 11, 14, and 17 have been sent to Henning for informal review.
  • Chapters 12, 13, and 20 partially exist.
  • Other chapters are outlines, notes, fragments, script(1) sessions, etc.
  • Oh, and the Afterword exists. Mainly because it’s 90% stolen from my blog. But still, I can cross it off the list.

    Why are things written out of order? Depends on what I’m doing at the time. Also, some chapters can be written without Internet access. Otherwise, I write chapters in order.

    I believe I’ve chopped down the outline to where it needs to be for a book roughly the same size as Absolute FreeBSD. Chapter titles are subject to change. Heck, everything is subject to change.

    0: Introduction
    1: Community Support
    2: Installation Prep
    3: Installation Walk-Through
    4: Post-Install Setup
    5: Booting
    6: User Management
    7: Root, and how to avoid it
    8: Disks & Filesystems
    9: More Filesystems
    10: OpenBSD Security Features
    11: IPv4 & IPv6
    12: Network Connections
    13: Software Management
    14: /etc
    15: Maintenance
    16: Daemons (sensorsd, snmp, etc)
    17: Desktop OpenBSD (cwm, tmux, etc)
    18: Kernel Configuration
    19: Building Custom Kernels
    20: Upgrading
    21: Packet Filtering
    22: managing PF
    23: edges
    Afterword

    Trimming to this length hurt, but one of my critical design goals is to write a book small enough to hold in the bathtub. I might sometimes recommend books that exceed that limit, but they have to be freaking awesome books.

    One thing that helps is Peter Hansteen’s Book of PF. It didn’t exist when the first edition of AO came out, so I needed to do pretty exhaustive coverage of PF. My coverage of primordial PF took three chapters in the first edition, and PF and family has roughly doubled its features since then. He does an excellent deep dive into PF, so I can reduce those chapters.

    I’ve talked about word count before, but I need to stop doing that. The book has flailed around enough that the number of words I write isn’t exactly useful. I wrote 7,000 anti-words on Chapter 17 before sending it to Henning, for example.

    On the plus side, the AO2e narrator now sounds a little less Dexter Morgan and a little more BOFH. That’s probably a good thing.

    OpenBSD read-only ports tree with restrictive sudo

    The OpenBSD folks strongly encourage users to use packages for software management. Most of the time, their packages just work. But sometimes, you must use a port.

    OpenBSD includes an updated Apache 1.3 server, and recommends that everyone use it if at all possible. (There’s also nginx, which is the future platform, but it’s not quite integrated yet.) I have a Web application that only runs on Apache 2.2, so the included Web server is not an option. OpenBSD provides an Apache 2.2 package for people like me, which is very kind of them. But I need an Apache 2.2 with LDAP authentication support. That means I must build Apache 2.2 from a port.

    If I have to use ports, then I want to do so as easily as possible. When I need to upgrade my ports, I want to be able to remove /usr/ports and extract the tarball that goes with whatever snapshot I’m running. I need the ports tree to do all its work, and store all its packages, outside the ports tree itself. This means a read-only ports tree.

    I’m running the August 22 i386 snapshot everywhere. I build packages from ports on one machine and share out the package repo via NFS.

    I dislike running as root for routine tasks, like building ports on the port-building machine. The ports tree supports using sudo for privileged operations. I don’t want to be continually interrupted to enter my password, though. And I don’t want to give unlimited root access via sudo without a password. This means that I need to lock down my account on this machine to only those activities needed to build packages from ports. I readily concede that building packages requires high-level privileges, but there’s a world of difference between rm -f /usr/ports/* and rm -rf /*. Could an intruder exploit this? Absolutely. You must run make(1) as root to build a port, and you can run fdisk(8) via make. But it will protect me from operator error. And my operators make errors.

    I also want my minions to be able to build packages without giving out root. Because, you know, logging into a system and typing a command because someone else needs a package is extra work for me.

    So, how to do this?

    First, create a system group for people who may build packages. This group contains two users, myself and lasnyder. From /etc/group:

    portbuild:*:10001:mwlucas,lasnyder

    My /home partition has lots of space, so I’ll build everything there. First, we need four directories:

  • one for building stuff: /home/ports/wrkobjdir
  • one for completed packages: /home/ports/pkgrepo
  • distfiles: /home/ports/distdir
  • package plist database: /home/ports/plist

    Create these directories, and set their ownership (as well as /home/ports) for group writing.

    # chgrp portbuild /home/ports /home/ports/*
    # chmod 775 /home/ports /home/ports/*

    Any user in the portbuild group can write to these directories.

    Now tell the ports system about these directories. Make the following entries in /etc/mk.conf:

    WRKOBJDIR=/home/ports/wrkobjdir
    DISTDIR=/home/ports/distdir
    PACKAGE_REPOSITORY=/home/ports/pkgrepo
    PLIST_DB=/home/ports/plist
    SUDO=/usr/bin/sudo

    (The sudo isn’t necessary for the directories, but I’m not going to send you back later to add it. That would be lame.)

    Now for sudo. Give everyone in the portbuild group permission to run any command in the PORTBUILDCMDS alias.

    %portbuild ALL= NOPASSWD: PORTBUILDCMDS

    Now create the PORTBUILDCMDS alias. I built this alias iteratively: build a port, wait for the build to fail, add the missing command with the tightest restrictions that seem sensible, clean the port, and remake it. The following alias was sufficient for everything I tried:

    Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, /bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, /usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, /usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 /home/ports/*, /bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*

    Now choose a port and build it.

    # cd /usr/ports/editors/vim
    # make clean && make

    (When testing, I always clean a port before building it.)

    You might find that the build stops and you’re asked for a password. This means that sudo is trying to run a command that’s not in your command alias. Go ahead and enter your password. The build will fail, because you don’t have privileges, but you’ll get an error message in /var/log/secure. Between the error in the terminal window and the error in the log file, you should be able to figure out exactly which command failed.

    It’s impossible to know ahead of time every command that will ever be used by any port that ever exists. This iterative process is a pain at first, but once you’ve built a few ports you’ll find most of the necessary commands. The sudoers command alias I include here was sufficient to build editors/vim, which calls in python, dbus, glib, three different autoconfs, tcl/tk, CUPS, and a whole bunch of other crap. (I don’t use vim myself, mind you, but if you want a port that hauls in whole bunches of stuff, it’s a good choice. I could have built Emacs, but I wanted the build to finish today.)
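A parser for the sudo log format quoted in the “Log Only sudo Failures” post, with the per-user failure summary that post hands to the helpdesk, plus the “which command did sudo refuse?” lookup that this iterative alias-building step does by hand in /var/log/secure. This is an added example, not code from either post; the sample log lines are constructed (the first two are the ones quoted in the sudo post, the rest are made up to look like a port build).

```python
import re
from collections import Counter, defaultdict

# sudo's syslog format, as shown in the post. Successful runs omit the reason field:
#   <date> <host> sudo: <user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]*?)\s+;\s+)?(?P<fields>TTY=.*)$"
)
BAD_PASSWORD = re.compile(r"^(\d+) incorrect password attempts?$")


def parse_sudo_line(line):
    """Return a dict for one sudo syslog line, or None if it is not a sudo entry."""
    m = SUDO_LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "reason": m["reason"]}
    # Remaining fields are " ; "-separated KEY=VALUE pairs; COMMAND is last and may contain spaces.
    for part in m["fields"].split(" ; "):
        key, _, value = part.partition("=")
        rec[key] = value
    return rec


def classify(rec):
    """Map a parsed record to: success, bad_password, forbidden_command or other_failure."""
    if rec["reason"] is None:
        return "success"
    if rec["reason"] == "command not allowed":
        return "forbidden_command"
    if BAD_PASSWORD.match(rec["reason"]):
        return "bad_password"
    return "other_failure"


def failure_report(lines):
    """Per-user summary of failures: what a helpdesk minion needs before calling the user."""
    report = defaultdict(lambda: {"bad_password_attempts": 0, "forbidden_commands": []})
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "bad_password":
            report[rec["user"]]["bad_password_attempts"] += int(BAD_PASSWORD.match(rec["reason"]).group(1))
        elif kind == "forbidden_command":
            report[rec["user"]]["forbidden_commands"].append(rec["COMMAND"])
    return dict(report)


def denied_commands(lines, user=None):
    """Count the COMMAND values sudo refused, optionally for one user.

    For the read-only ports tree setup, each key is a candidate for the PORTBUILDCMDS
    alias; review it and add it with the tightest restriction that still works."""
    counts = Counter()
    for line in lines:
        rec = parse_sudo_line(line)
        if rec and classify(rec) == "forbidden_command" and (user is None or rec["user"] == user):
            counts[rec["COMMAND"]] += 1
    return counts


# Constructed sample: the two lines quoted in the sudo post, a success, a port-build
# refusal, and an unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Sep 26 10:37:27 caddis sudo: mwlucas : command not allowed ; TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=/sbin/reboot
Sep 26 10:53:09 caddis sudo: mwlucas : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su
Sep 26 11:02:41 caddis sudo: lasnyder : TTY=ttyp1 ; PWD=/usr/ports/editors/vim ; USER=root ; COMMAND=/usr/bin/make
Sep 26 11:05:13 caddis sudo: lasnyder : command not allowed ; TTY=ttyp1 ; PWD=/usr/ports/editors/vim ; USER=root ; COMMAND=/usr/bin/perl /usr/ports/infrastructure/bin/register-plist -d /home/ports/plist
Sep 26 11:05:14 caddis syslogd: restart
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, info in failure_report(lines).items():
        print(f"{user}: {info['bad_password_attempts']} bad password attempts, "
              f"{len(info['forbidden_commands'])} forbidden command(s)")
    for cmd, n in denied_commands(lines, user="lasnyder").items():
        print(f"denied {n}x: {cmd}")
```

Feed it /var/log/sudofail (or /var/log/secure on the port-building box) instead of SAMPLE_LOG to get the same summaries for real traffic.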

    In building the first port, the ports system creates a temp directory, /tmp/portslocks. The ports system doesn’t use sudo to access this directory, and the directory is owned by the user who built the first port on this system. Change the group and assign group privileges to this directory.

    # chgrp portbuild /tmp/portslocks/
    # chmod 775 /tmp/portslocks/

    (Is this a bug, or a feature? I dunno. But I’m sure that some reader will tell me.)

    It seems that not all ports can be built without running as root. This isn’t a usual configuration, so I’m not shocked that not all code paths are tested — especially when building random software from random authors. When I tried to build devel/autoconf/2.59, I got:

    ===> Building package for autoconf-2.59p3
    Create /home/ports/pkgrepo/i386/all/autoconf-2.59p3.tgz
    Warning: @option no-default-conflict without @conflict
    mv: rename /home/ports/pkgrepo/i386/tmp/autoconf-2.59p3.tgz to /home/ports/pkgrepo/i386/all/autoconf-2.59p3.tgz: Permission denied
    *** Error code 1

    I reported the error to ports@ like a good little user. It’s a holiday weekend, so I’m also not surprised I haven’t heard back.

    I only hit this error after building fifty-odd ports, though. It appears that limited sudo permissions are doable.

    Technology versus Democracy

    Yesterday’s election was mostly a primary, but also included a few millage issues. The purpose of a primary is to keep the obvious maniacs from getting onto the final ballot, so I make the effort to vote. (Your definition of “obvious maniacs” probably differs from mine, but that’s okay.)

    I’m waiting for verification, and am glad to see that they’ve finally replaced the big printed books with a laptop. But all of the verification people are standing around the laptop, getting more and more frustrated. One of them is on the phone. “Yes, we entered the password. No, it’s not letting us into the site. He’s entering it again. Yes, I’m sure the Caps Lock key is off. He’s trying again. Yes, the password we’re using is ‘election’.”

    I’m third person in line. The line is growing quickly behind me. I peer at the laptop, lean in, and quietly say “Excuse me, but your Caps Lock light is on.”

    The guy at the keyboard turns off Caps Lock, the password is entered, and the poll workers quickly get us all through. Everybody hails me as a technical genius. Which I might well be, if you define “genius” as “someone who looks to see WHICH LIGHTS ARE ON.”

    I have three points to make on this seemingly pointless anecdote:

  • In discussions about electronic voting machines, remember: these are the people who have time and interest to work the polls. They have no awareness of good security practice. They don’t troubleshoot, because they don’t really know how to. It’s not a question of age: one of the people was a senior citizen, two were middle-aged, and one mid-twenties.
  • If you have time to volunteer as a poll worker, do so. Democracy isn’t about voting; it’s about doing things to help your community.
  • I am the savior of democracy. In Precinct Three, at least.

    PS: I didn’t include the real password here, but the actual password was just as bad.

    FreeBSD: portmaster with pkgng

    I recently tried FreeBSD’s pkgng, based on Ivan Voras’ blog post. Days after getting the new machine set up, though, I got this in my daily status mail:


    Checking for packages with security vulnerabilities:
    Database fetched: Fri Aug 3 03:02:57 EDT 2012
    apache-2.2.22_5 is vulnerable:
    Apache -- Insecure LD_LIBRARY_PATH handling

    WWW: http://portaudit.FreeBSD.org/de2bc01f-dc44-11e1-9f4d-002354ed89bc.html

    php5-5.4.4 is vulnerable:
    php -- potential overflow in _php_stream_scandir

    WWW: http://portaudit.FreeBSD.org/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html

    Where did this come from? A bit of poking around my system leads me to /usr/local/etc/periodic/security/410.pkg-audit. My first question is, where did this file come from? pkgng includes an equivalent to the old pkg_info -W:

    $ pkg which /usr/local/etc/periodic/security/410.pkg-audit
    /usr/local/etc/periodic/security/410.pkg-audit was installed by package pkg-1.0.r4

    pkgng gives you an audit of your packages in the daily mail. Excellent. It’s a DragonFly feature that I really like, and long overdue in FreeBSD.

    So, how to upgrade the insecure ports? Unfortunately, I’ve had to build apache from source. I can’t use packages. That means I need to build the new version from ports. I get the new version ports tree with:

    # portsnap fetch extract

    I like to use portmaster for managing my ports. I’m told it works with pkgng. Let’s find out. First, tell ports that we’re running under pkgng by setting a variable in /etc/make.conf:

    WITH_PKGNG=yes

    Now install portmaster:

    # cd /usr/ports/ports-mgmt/portmaster
    # make all install clean

    But portmaster doesn’t seem to work with pkgng:

    $ portmaster -L
    ===>>> Root ports (No dependencies, not depended on)
    ===>>> 0 root ports

    ===>>> Trunk ports (No dependencies, are depended on)
    ===>>> 0 trunk ports

    ===>>> Branch ports (Have dependencies, are depended on)
    ===>>> 0 branch ports

    ===>>> Leaf ports (Have dependencies, not depended on)
    ===>>> 0 leaf ports

    ===>>> 0 total installed ports
    ===>>> There are no new versions available

    A bit of research shows that portmaster needs to be patched before it works with pkgng. (Portmaster has a large install base, the portmaster maintainer is very careful about not messing up existing users, and pkgng is still very young. I’m confident that portmaster will work with pkgng by the time pkgng becomes the default.) You can get the patch on github.

    Now build portmaster with the patch.

    # cd /usr/ports/ports-mgmt/portmaster/
    # make patch
    # cd work/portmaster-3.13.13
    # patch < $HOME/patch-portmaster-pkgng
    # cd ..
    # cd ..
    # make all install

    I keep the patch in my home directory, because any time I want to rebuild portmaster I must reapply the patch. And if the patch fails, I must check for a new patch.

    Try the new portmaster:

    # portmaster -L
    ===>>> Root ports (No dependencies, not depended on)
    ===>>> pkg-1.0.r4
    ===>>> New version available: pkg-1.0.r5_1
    ===>>> portmaster-3.13.13
    ...

    Much better.

    I’ll start by upgrading pkgng itself, then my other ports. I use:

    # portmaster -d --no-confirm pkg

    Use whatever portmaster options you prefer, of course. With the pkgng patch, portmaster seems to behave exactly as you expect. But the only way we’ll know for sure is if you test pkgng in your environment and file bug reports with the appropriate maintainer.

    BSDTalk #218, featuring… Me!

    Will Beckman interviewed me at BSDCan. That interview is now available as BSDTalk #218.

    Some of the issues I mention in the podcast are now solved. SSH Mastery is easily available in print in Europe. (You want the print copy as well as the ebook. You know you do.)