The first thing that I need is a system for authentication. This means a method by which systems can verify the identity of anything that wants to access services. This is different from authorization, which determines which services that identity is granted access to. I’m saying services instead of machines since being able to log into a machine does not necessarily mean that the user would have access to every service that the machine can provide. I’ll be using a system developed at MIT called Kerberos. (Full post: “[Network Administration]: Kerberos Authentication Service”.)
The first part of this new network is a DNS (Domain Name System) server. It’s probably not strictly needed, but there are some advantages to setting one up, and it wasn’t all that difficult. Some of the reasons are:
- Ability to centralize machine names in a single location – This was a pretty big one. I have a NAS that I use, and I’m setting up some servers, so to be able to reference them by name I would have to keep a list of machines and IP addresses in every machine’s local /etc/hosts file. If a machine’s IP address changed, each of the /etc/hosts files would have to be updated to keep them all in sync. There are not a lot of files to keep up to date, but I liked the idea of a single reference point that holds all of the information.
- Ability to use aliases to refer to machines based on what services they provide – This is a pretty significant advantage also. By creating a CNAME entry for each of the services that I use, I can easily point it at a different physical machine and modify it as needed. For example, I can reference my LDAP directory by using the hostname ldap.example.com, and have a CNAME entry point this at an actual machine, say hopper.example.com, which runs the LDAP server. In the future, if I wanted to move this to a different machine, for example cerf.example.com, I would just have to update the CNAME record on the DNS server, and all of the clients would reach the proper machine without any local changes. The same can be done for the Kerberos KDC, a web server, a NAS filer containing specific data, etc.
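As an added example (not from the post), this is what the alias-per-service layout looks like as a BIND zone file for the example.com names used above. The addresses, the serial number and the ns1 and nas names are made up; the Kerberos SRV/TXT records are the standard ones that clients configured with dns_lookup_kdc and dns_lookup_realm consult:

```zone
$TTL 3600
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2015062001 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@       IN NS   ns1.example.com.
; MX targets must be real hostnames (A/AAAA), never CNAMEs (RFC 2181 s10.3)
@       IN MX   10 cerf.example.com.

; one A record per physical machine
ns1     IN A    192.0.2.2
hopper  IN A    192.0.2.10
cerf    IN A    192.0.2.11
nas     IN A    192.0.2.20

; service aliases: clients use these names, never the machine names.
; Moving LDAP to cerf later is a one-line change: "ldap IN CNAME cerf"
ldap    IN CNAME hopper
kdc     IN CNAME hopper
www     IN CNAME cerf
backups IN CNAME nas

; realm discovery and KDC location for Kerberos clients.
; SRV targets must also be A/AAAA names, not CNAMEs (RFC 2782), so they point at hopper
_kerberos           IN TXT  "EXAMPLE.COM"
_kerberos._udp      IN SRV  0 0 88  hopper
_kerberos._tcp      IN SRV  0 0 88  hopper
_kpasswd._udp       IN SRV  0 0 464 hopper
_kerberos-adm._tcp  IN SRV  0 0 749 hopper
```

One caveat when aliases are combined with Kerberos: service principals are tied to the canonical host name. With MIT’s defaults (dns_canonicalize_hostname and rdns both true) a client that connects to ldap.example.com resolves the alias and asks the KDC for ldap/hopper.example.com, so when the CNAME is repointed at cerf the keytab on cerf must contain ldap/cerf.example.com; repointing the alias alone is not enough.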
In the past couple of weeks, I’ve revamped my local network and how it’s tied together. I’ll document the steps here on the site. There are a number of pieces that were added to what I’ve described before.
One of the goals was to separate the more security-critical pieces from the machines that provide services, whether those services are available only on the local network or exposed to the internet. Security was one of the things that I didn’t like about how it was set up previously. Also, it was hacked together more than I would have liked.
Here are some of the pieces and I’ll describe each of them in later posts.
- DNS:
DNS, or Domain Name System, among other things associates domain names and other information with IP addresses. This allows translation of computer names to their addresses so that they can be located on a local network or on the internet. It also provides information for other services, such as email routing (MX records) and the location of Kerberos servers (SRV records).
- Kerberos authentication:
Kerberos is an authentication protocol that works on the principle that a trusted third party (the KDC) verifies the identity of a client and a server to each other, using tickets that are encrypted so that neither side’s long-term secret crosses the network.
- LDAP directory:
LDAP is a directory that stores the account information and the group memberships that determine authorization to different services. It is general purpose and can also store other information for dissemination to machines on our network. It will provide information about user and group accounts, among other things.
- Network Accounts: Our directory will need to be populated with the proper network account information.
- Client configuration: Our machines, both Linux and OS X, will need to be configured to talk to the proper servers. Client machines are also configured to mount networked directories based on autofs maps stored in our LDAP directory.
- Kerberized SSH: Once we have the accounts configured we can enable Kerberized SSH, which allows remote access to servers using our Kerberos tickets. This lets us connect without always entering a password or providing a public key; our tickets authenticate us instead.
- Kerberized Postfix MTA: I’m using Kerberos authentication to allow my mail clients to submit mail for delivery.
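To make the third-party model concrete, here is an added example (not code from the blog or from MIT Kerberos) that runs the three Kerberos exchanges in pure Python: the AS exchange that yields a ticket-granting ticket, the TGS exchange that yields a service ticket for host/hopper.example.com, and the AP exchange in which a kerberized service such as sshd accepts that ticket. The cipher is a constructed SHA-256 keystream with an HMAC tag so the block runs on the standard library; the realm, the user alice, her password and the host name are assumptions.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges. The 'encryption' here is a
constructed encrypt-then-MAC toy, not an RFC 3961 enctype; the message flow and
the checks each party performs are the point."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
CLOCK_SKEW = 300            # seconds; MIT krb5's default clockskew
TGT_LIFETIME = 8 * 3600     # seconds


def string_to_key(password, principal):
    """Toy string-to-key (salted hash). Real Kerberos derives AES keys with PBKDF2."""
    return hashlib.sha256((REALM + principal + password).encode()).digest()


def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag before decrypting, so a wrong key fails loudly, never silently."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def authenticator(session_key, cname):
    """Proof that the sender holds the session key, bound to a fresh timestamp."""
    return seal(session_key, {"cname": cname, "ts": time.time(), "seq": os.urandom(4).hex()})


def check_fresh(auth, ticket, now=None):
    """The checks an acceptor (KDC or service) makes on a ticket + authenticator pair."""
    now = now or time.time()
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator principal does not match ticket")
    if abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("authenticator outside allowed clock skew")
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")


class KDC:
    """Holds every principal's long-term key. Passwords never cross the wire."""
    def __init__(self, db):
        self.db = db

    def as_exchange(self, cname, padata):
        # PA-ENC-TIMESTAMP pre-authentication: without it the KDC would hand material
        # encrypted under the user's password key to anyone who asks (offline guessing).
        if abs(time.time() - unseal(self.db[cname], padata)["ts"]) > CLOCK_SKEW:
            raise PermissionError("stale pre-authentication timestamp")
        sk, exp = os.urandom(32).hex(), time.time() + TGT_LIFETIME
        tgt = seal(self.db["krbtgt/" + REALM], {"cname": cname, "key": sk, "exp": exp})
        return tgt, seal(self.db[cname], {"key": sk, "sname": "krbtgt/" + REALM, "exp": exp})

    def tgs_exchange(self, tgt, auth_blob, sname):
        t = unseal(self.db["krbtgt/" + REALM], tgt)      # only the KDC can read a TGT
        tgs_key = bytes.fromhex(t["key"])
        check_fresh(unseal(tgs_key, auth_blob), t)
        sk = os.urandom(32).hex()
        ticket = seal(self.db[sname], {"cname": t["cname"], "key": sk, "exp": t["exp"]})
        return ticket, seal(tgs_key, {"key": sk, "sname": sname, "exp": t["exp"]})


class Service:
    """A kerberized server (e.g. sshd) that only ever holds its own keytab key."""
    def __init__(self, sname, key):
        self.sname, self.key, self.replay_cache = sname, key, set()

    def accept(self, ticket_blob, auth_blob):
        t = unseal(self.key, ticket_blob)
        auth = unseal(bytes.fromhex(t["key"]), auth_blob)
        check_fresh(auth, t)
        mark = (auth["cname"], auth["ts"], auth["seq"])
        if mark in self.replay_cache:
            raise PermissionError("authenticator replayed")
        self.replay_cache.add(mark)
        return t["cname"]


def build_realm():
    """Constructed realm: one user, one kerberized host, and the krbtgt key."""
    db = {"krbtgt/" + REALM: os.urandom(32),
          "host/hopper.example.com": os.urandom(32),
          "alice": string_to_key("correct horse", "alice")}
    return KDC(db), Service("host/hopper.example.com", db["host/hopper.example.com"])


def login(kdc, service, cname, password):
    """Client side: AS-REQ -> TGS-REQ -> AP-REQ. Returns (accepted principal, AP-REQ)."""
    key = string_to_key(password, cname)
    tgt, enc = kdc.as_exchange(cname, seal(key, {"ts": time.time()}))
    tgs_key = bytes.fromhex(unseal(key, enc)["key"])      # wrong password fails here
    st, enc2 = kdc.tgs_exchange(tgt, authenticator(tgs_key, cname), service.sname)
    svc_key = bytes.fromhex(unseal(tgs_key, enc2)["key"])
    ap_req = (st, authenticator(svc_key, cname))
    return service.accept(*ap_req), ap_req


if __name__ == "__main__":
    kdc, sshd = build_realm()
    print(login(kdc, sshd, "alice", "correct horse")[0])
```

Two things the flow makes visible that the overview above only states: the service (sshd) never learns alice’s password and never talks to the KDC, it only needs its own keytab key to open the ticket; and every acceptor checks the authenticator’s principal, timestamp and a replay cache, which is why Kerberos hosts need synchronized clocks and why a captured AP-REQ cannot simply be resent.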
Some notes about the setup. I’ve moved the more critical services, as I would call them, to their own machine. For this I’m using a very lightweight machine, a Zotac ZBOX nano AD11.
For what I’m thinking of using it for, it’s perfect. It takes up almost no space, and I’m planning on having the machine on all of the time but not in use all of the time. I’m also not planning on using it for anything that would be considered a heavy load. It has a tested power consumption of 11W at idle, and that’s the main thing that I’m looking for. And it’s really quiet, despite what the reviews say. It has 64GB of disk and built-in gigabit Ethernet, which is fast and easy.
A pair of tickets to see Television at the Fillmore in the city fell into the lap of my better half this week. Typically, we’ll see bands that are younger, because usually they are doing things that are more interesting. But I have to say that this was a fantastic show. Even if they may not be considered innovative anymore, to watch musicians that have been at it for more than 40 years is really something to behold. It’s not that often that you get an opportunity to see a band where everyone has completely mastered their instruments and can bend them to their will so effortlessly.
The massacre of 9 people in the Emanuel African Methodist Episcopal church in Charleston, South Carolina has incited debate and frustration, but already it feels as if the entire episode will not resolve anything really at all. There have been calls for increased gun control laws, but I think that to see it through the lens of merely gun violence is to not even begin to approach what the tragedy is a manifestation of. Don’t get me wrong, I am in support of increased gun control laws. But you don’t need a mass murder to call for instituting increased gun control laws. There are 297 reasons every day to call for gun control laws, at least according to the Brady Campaign study between 2009 and 2013. But yet, it’s not discussed in the news or by politicians every day. Why not? Probably because it’s become too common an occurrence. Probably because the majority, 54%, of the victims of gun violence are black, a rate that far outpaces the actual percentage of the population. While it’s not broken out by class, the majority are probably in poorer neighborhoods – ones that have been forgotten by the establishment.
What happened in Charleston was more than an episode of gun violence, it was an act of racism, and beyond even that, it was an act of terrorism. It has been pointed out already by Jelani Cobb in his piece for The New Yorker, or Jon Stewart on The Daily Show, but so few people in the political establishment have said anything of the sort. And why would they? It’s easy to look at what happened as just an episode of random violence. But, it wasn’t. There was political motive behind it. Other acts of terrorism have been condemned, and anyone associated with the group that commits it is accused of being complicit if they do not immediately speak out and condemn it. Moderate Muslims are constantly associated with acts of radical Islamist groups. How many times have we heard that they need to speak out against it or they are just as responsible? That they need to take the responsibility upon themselves to stand up and fight against their most radical elements. Well, here is an act of terrorism and I have yet to hear any politician really speak out against white people, white extremists, denouncing themselves. On the PBS NewsHour on June 19th, Republican presidential nominee and South Carolina Senator Lindsey Graham simply called him a crazy person, and that “there is no way to explain what would explain a person to do this”.
(also on the PBS NewsHour site) Already, those in power are starting to immediately distance themselves from what had happened. No one would talk like this if this was an Islamist radical. And that is what you call privilege. Being the race in power affords you the ability and the power to control the narrative of any story. History is written by those in power, and this is yet another example of it. There are no calls for moderate whites to take responsibility, for any fundamental reexamination of why the social fabric is the way it is. I’m still waiting for calls to drone strike white extremists in South Carolina starting at the State Capitol. That’s been the standard procedure against Muslims.
The fact that anyone would even say that there is no way to explain this boggles the mind. The racism is so established that the Confederate flag still flies on the state capitol grounds. In fact, while the state and national flags fly at half mast to mourn those killed, the Confederate flag flies at full mast. The symbolism of that speaks volumes. I understand that people are calling for the Confederate flag to be removed. But what is that? It’s some visible token to give the impression that something is being done. The flag will be removed, politicians will call it a victory against hate, everyone will pat each other on the back and call it a day. Why would we need to address any sort of institutionalized racism – we’ve removed the flag from the grounds of the state capitol, what else is there to do? Fix one superficial thing and deflect anything that needs to be done on a more fundamental level beyond that. Again privilege, narrative, and everything else that comes with power.