Feed aggregator

Alessio Treglia: Handling identities in distributed Linux cloud instances

Planet Debian - Thu, 30/10/2014 - 13:55

I have many distributed Linux instances across several clouds, be they global ones such as Amazon or Digital Ocean, or regional clouds such as TeutoStack or Enter.

Probably many of you are facing the same issue: having a consistent UNIX identity across all these instances. While in an ideal world LDAP would be a perfect choice, exposing an LDAP server to the open Internet is not a great idea.

So, how do we solve this while staying secure? The trick is to use the new NSS module for SecurePass.

While SecurePass has traditionally been used in the operating system only as a two-factor authentication method, the new beta release can hold “extended attributes”, i.e. arbitrary information for each user profile.

We will use SecurePass to authenticate users and store Unix information with this new capability. In detail, we will:

  • Use PAM to authenticate the user via RADIUS
  • Use the new NSS module for SecurePass to have a consistent UID/GID/….

SecurePass and extended attributes

The next generation of SecurePass (currently in beta) can store arbitrary data for each profile. This is called “Extended Attributes” (or xattrs) and, as you can imagine, is organized as key/value pairs.

You will need the SecurePass tools to be able to modify users’ extended attributes. The new releases of Debian Jessie and Ubuntu Vivid Vervet have a package for it, just:

# apt-get install securepass-tools

ERRATA CORRIGE: securepass-tools hasn’t been uploaded to Debian yet, Alessio is working hard to make the package available in time for Jessie though.

For other distributions or previous releases, there is a Python package available via pip. Make sure that you have pycurl installed and then:

# pip install securepass-tools

While the SecurePass tools also accept a local configuration file, for this tutorial we strongly recommend creating a global /etc/securepass.conf, so that the NSS module can use it as well. The configuration file looks like:

[default]
app_id = xxxxx
app_secret = xxxx
endpoint = https://beta.secure-pass.net/

Where app_id and app_secret are valid API keys for the SecurePass beta. Bear in mind that this file holds a credential: an NSS module is loaded into whatever process performs the lookup (getent, id, ls -l and so on), so the file has to be readable by those processes, and anyone with a shell on the host can read the API secret. Use keys dedicated to this purpose and be deliberate about which hosts get them.

Through the command line, we will be able to set UID, GID and all the required Unix attributes for each user:

# sp-user-xattrs user@domain.net set posixuid 1000

While posixuid is the bare minimum attribute needed for a Unix login, the following attributes are recognized:

  • posixuid → UID of the user
  • posixgid → GID of the user
  • posixhomedir → Home directory
  • posixshell → Desired shell
  • posixgecos → Gecos (defaults to username)

Install and Configure NSS SecurePass

As with the tools, Debian Jessie and Ubuntu Vivid Vervet have a native package for the SecurePass NSS module:

# apt-get install libnss-securepass

Previous releases of Debian and Ubuntu can still run the NSS module, as can CentOS and RHEL. Download the sources from:



./configure
make
make install (Debian/Ubuntu only)

For CentOS/RHEL/Fedora you will need to copy the files into the right place yourself:

/usr/bin/install -c -o root -g root libnss_sp.so.2 /usr/lib64/libnss_sp.so.2
ln -sf libnss_sp.so.2 /usr/lib64/libnss_sp.so

The /etc/securepass.conf configuration file should be extended to hold defaults for NSS by creating an [nss] section as follows:

[nss]
realm = company.net
default_gid = 100
default_home = "/home"
default_shell = "/bin/bash"

These defaults apply whenever a user has no value set for the attributes other than posixuid. We now need to configure the Name Service Switch (NSS) to use SecurePass, by adding “sp” to the passwd entry of /etc/nsswitch.conf as follows:

$ grep sp /etc/nsswitch.conf
passwd:     files sp

Double check that NSS is picking up our new SecurePass configuration by querying the passwd entries as follows:

$ getent passwd user
user:x:1000:100:My User:/home/user:/bin/bash
$ id user
uid=1000(user) gid=100(users) groups=100(users)
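Because “files” is consulted before “sp”, a local account that reuses a name or a UID chosen in SecurePass silently wins on that one host, and the whole point of the setup (the same identity everywhere) is lost without any error. The checks below are an added example, not part of the tutorial or of the SecurePass tools: they take /etc/passwd and getent passwd snapshots (constructed sample data here; in practice collect them from each instance over ssh), report local accounts that shadow or share a UID with a SecurePass user, list users whose UID/GID/home differ between instances, and, for the provisioning step described earlier, pick UIDs that no instance already uses locally and print the matching sp-user-xattrs commands. The host names, user names and domain are assumptions.

```python
"""Consistency checks for SecurePass-provided Unix identities.

Added example; not part of the tutorial or of the SecurePass tools.
With "passwd: files sp" /etc/passwd is consulted first, so a local
account that reuses a name or UID assigned in SecurePass quietly wins
on that host. The passwd lines below are constructed sample data.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

# constructed: the local /etc/passwd of a stock cloud image
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""
# constructed: `getent passwd` answered through the sp module on two hosts
SP_WEB1 = """\
user:x:1000:100:My User:/home/user:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
"""
SP_WEB2 = """\
user:x:1000:100:My User:/home/user:/bin/bash
alice:x:1005:100:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into {name: PasswdEntry}; malformed lines are an error."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def local_conflicts(local_text, sp_text):
    """Names or UIDs claimed by both /etc/passwd and SecurePass.

    A shared name resolves to the local entry ("files" comes first); a
    shared UID makes file ownership and `id <uid>` depend on lookup order.
    """
    local, remote = parse_passwd(local_text), parse_passwd(sp_text)
    local_by_uid = {e.uid: e.name for e in local.values()}
    problems = []
    for name, entry in remote.items():
        if name in local:
            problems.append("name %s: local uid %d, SecurePass uid %d"
                            % (name, local[name].uid, entry.uid))
        owner = local_by_uid.get(entry.uid)
        if owner is not None and owner != name:
            problems.append("uid %d: local user %s, SecurePass user %s"
                            % (entry.uid, owner, name))
    return problems


def cross_host_drift(snapshots):
    """Given {host: getent output}, users whose uid/gid/home differ between hosts."""
    seen = {}
    for host, text in snapshots.items():
        for name, e in parse_passwd(text).items():
            seen.setdefault(name, {}).setdefault((e.uid, e.gid, e.home), []).append(host)
    return {name: variants for name, variants in seen.items() if len(variants) > 1}


def allocate_uids(new_users, local_snapshots, start=1000):
    """Choose UIDs for new SecurePass users that no host's /etc/passwd uses already."""
    taken = set()
    for text in local_snapshots.values():
        taken.update(e.uid for e in parse_passwd(text).values())
    assigned, uid = {}, start
    for name in new_users:
        while uid in taken:
            uid += 1
        assigned[name] = uid
        taken.add(uid)
    return assigned


def provision_commands(assigned, domain):
    """The sp-user-xattrs invocations (as in the tutorial) for the chosen UIDs."""
    return ["sp-user-xattrs %s@%s set posixuid %d" % (name, domain, uid)
            for name, uid in sorted(assigned.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    for problem in local_conflicts(LOCAL_PASSWD, SP_WEB1):
        print("conflict:", problem)
    for name, variants in cross_host_drift({"web1": SP_WEB1, "web2": SP_WEB2}).items():
        print("drift:", name, variants)
    chosen = allocate_uids(["carol", "dave"], {"web1": LOCAL_PASSWD})
    print("\n".join(provision_commands(chosen, "domain.net")))
```

Running it on the sample data flags that uid 1000 belongs to the image's “ubuntu” account locally but to “user” in SecurePass, that “alice” has uid 1001 on web1 and 1005 on web2, and proposes 1001 and 1002 for the two new users. Feed it real snapshots from every instance before handing out posixuid values, and rerun it whenever a new image or a local useradd enters the fleet.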

This setup by itself would not let users log in, because there is no password to check locally. We will use SecurePass’ authentication to access the remote machine.

Configure PAM for SecurePass

On Debian/Ubuntu, install the RADIUS PAM module with:

# apt-get install libpam-radius-auth

If you are using CentOS or RHEL, you need to have the EPEL repository configured. In order to activate EPEL, follow the instructions on http://fedoraproject.org/wiki/EPEL

Be aware that this has not been tested with SELinux enforcing; set it to permissive or disabled.

On CentOS/RHEL, install the RADIUS PAM module with:

# yum -y install pam_radius

Note: as of the time of writing, EPEL 7 is still in beta and does not contain the RADIUS PAM module. A request has been filed through Red Hat’s Bugzilla to include this package in EPEL 7 as well.

Configure SecurePass with your RADIUS device. We only need to set the public IP address of the server, a fully qualified domain name (FQDN), and the shared secret for RADIUS authentication. If the server is behind NAT, specify the public IP address that is translated to it. After completion we get a short recap of the device just created. For the sake of example, we use “secret” as our shared secret; in production pick a long random one, because with PAP the user’s password is hidden on the wire only by this secret, and here the request travels over the public Internet.

Configure the RADIUS PAM module accordingly, i.e. open /etc/pam_radius.conf and add the following lines (server, shared secret, timeout in seconds):

radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3

Of course “secret” is the same shared secret we set up in the SecurePass administration interface; since the file contains it, make sure it is readable by root only. Beyond this point we need to configure PAM to handle the authentication correctly.
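To make concrete what that shared secret protects, here is an added example (not code from the tutorial, SecurePass or pam_radius) that builds the Access-Request a PAM client sends, hides the User-Password attribute the way RFC 2865 section 5.2 prescribes, and shows how the server, or anyone on the path who knows or guesses the secret, recovers it. The user name, password, packet identifier and Request Authenticator are constructed values; a real client also adds attributes such as NAS-IP-Address, which are omitted here.

```python
"""What pam_radius_auth sends for the password: RFC 2865 User-Password hiding.

Added example; not code from the tutorial, SecurePass or pam_radius.
The client builds an Access-Request whose User-Password attribute is the
password XORed with an MD5 keystream derived from the shared secret and
the 16-byte Request Authenticator (RFC 2865 section 5.2). There is no
other protection on the wire, so whoever holds (or guesses) the secret
recovers every password sent. All values below are constructed.
"""
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute types
ACCESS_REQUEST = 1                # RADIUS packet code


def hide_password(password, secret, authenticator):
    """Pad to a multiple of 16, then c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                      # chaining: next keystream depends on this ciphertext
    return bytes(hidden)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server (or an eavesdropper with the secret) sees."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")   # drop the zero padding the client added


def access_request(identifier, username, password, secret, authenticator=None):
    """Encode a minimal Access-Request carrying User-Name and a hidden User-Password."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, username),
                             (USER_PASSWORD, hide_password(password, secret, auth))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_access_request(packet):
    """Split a packet into (identifier, authenticator, {attr_type: value}) with length checks."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return identifier, authenticator, attrs


def recover_password(packet, secret):
    """What a RADIUS server (or anyone holding the secret) learns from a captured request."""
    _, authenticator, attrs = parse_access_request(packet)
    return unhide_password(attrs[USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    auth = bytes(range(16))   # constructed, fixed so the run is reproducible
    pkt = access_request(7, b"user@domain.net", b"Correct-Horse-9", b"secret", auth)
    print("on the wire:          ", pkt.hex())
    print("with the right secret:", recover_password(pkt, b"secret"))
    print("with a wrong secret:  ", recover_password(pkt, b"wrong"))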

In CentOS, open /etc/pam.d/password-auth-ac; in Debian/Ubuntu open /etc/pam.d/common-auth, and make sure that pam_radius_auth.so appears in the auth stack, as in:

auth required pam_env.so
auth sufficient pam_radius_auth.so try_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

Since both pam_radius_auth.so and pam_unix.so are marked “sufficient”, a login succeeds as soon as either SecurePass or the local password database accepts it; “nullok” additionally lets local accounts with an empty password field in, so drop it unless you depend on it.

Conclusions

Handling many distributed Linux instances poses several challenges, from software updates to identity management and central logging. In a cloud scenario traditional enterprise solutions are not always applicable, but new tools can come in very handy.

To freely subscribe to securepass beta, join SecurePass on: http://www.secure-pass.net/open
And then send an e-mail to info@garl.ch requesting beta access.

What Can You Do With All That Halloween Candy?

Wired - Thu, 30/10/2014 - 13:31

Could burning the calories from your Halloween candy charge your smart phone?

The post What Can You Do With All That Halloween Candy? appeared first on WIRED.

20 Incredible Photos of a World Too Tiny to See

Wired - Thu, 30/10/2014 - 13:00

The winners of Nikon's annual Small World microscope photography contest this year include images of transgenic kidneys, a cricket's tongue, spider eyes, and a scarlet pimpernel. The first-place photograph was chosen out of more than 1,200 entries from 79 different countries. Rogelio Moreno, a computer programmer and self-taught microscopist from Panama, managed to capture an image of a tiny creature known as a rotifer with its mouth open.

Why It Took 23 Years to Link Amelia Earhart’s Disappearance to This Scrap of Metal

Wired - Thu, 30/10/2014 - 12:00

Researchers had tried for 23 years to connect this piece of metal to Amelia Earhart's disappearance. They finally think they've proven it was part of her plane.

6 Expert Tricks for Getting the Best Candy This Halloween

Wired - Thu, 30/10/2014 - 11:30

Your kids may be content with a few fun-size Snickers and tiny boxes of Nerds, but if you're looking for quality candy and lots of it, you need a PhD-level strategy. So we talked to a bunch of academics to create this greed-is-good guide to landing more loot.

We’d Sell a Kidney for One of These Vintage British Motorcycles

Wired - Thu, 30/10/2014 - 11:30

Classic British motorcycles from the collection of a Texas lawyer are going up for auction.

This Fiery Tool Finishes Your Meat With a Blast of Heat

Wired - Thu, 30/10/2014 - 11:30

The Searzall is a baffle that fits over the business end of a blowtorch to spread out the heat, turning your BernzOmatic torch into a handheld broiler.

Sliders, Knobs, and Dials That Give Your Tablet a Physical Interface

Wired - Thu, 30/10/2014 - 11:30

Touchscreen devices have a serious deficiency of tactility. These magnetic metal controls, created by Florian Born, sit on top of screens and replace virtual knobs and dials with real ones.

Movie House

Wired - Thu, 30/10/2014 - 11:30

Kaleidescape's Cinema One movie server provides seamless access to your entire Blu-ray collection. Unfortunately, one major limitation means it's more of an expensive indulgence, not a must-have device for videophiles.

Cape Watch: Marvel Takes Over the World, Lets White Guys Take a Breather

Wired - Thu, 30/10/2014 - 11:30

Thanks to Avengers: Age of Ultron's teaser trailer and a certain Tuesday morning press conference—sorry, "special event"—you could be forgiven for thinking that this week has proven it's Marvel Studios' world, and we're just living in it. That's not to say other studios haven't been doing their thing too. But really it has pretty much been Marvel's world recently. Just try not to piss off Thanos and you'll be fine. Here are the highlights of the week's superhero movie news.

These Creepy Lego Creations Are Definitely Not Kid-Friendly

Wired - Thu, 30/10/2014 - 11:30

When Mike Doyle published the anthology volume Beautiful LEGO last year, he wrote that "this book is a small collection of some of the impressive models that I have come across in my time." From all appearances, he's had a busy year since, because he's already back with a sequel that embraces the darker side of everyone's favorite brick-based artform.

How Facebook Could End Up Controlling Everything You Watch and Read Online

Wired - Thu, 30/10/2014 - 11:30

Given that links appear to be more clickable when shared on Facebook, online publishers have scrambled to become savvy gamers of Facebook’s News Feed, seeking to divine the secret rules that push some stories higher than others. But all this genuflection at the altar of Facebook’s algorithms may be but a prelude to a more fundamental shift in how content is produced, shared, and consumed online. Instead of going to all this trouble to get people to click a link on Facebook that takes them somewhere else, the future of Internet content may be a world in which no video, article, or cat GIF gallery lives outside of Facebook at all.

America’s Polling Places Desperately Need a Redesign

Wired - Thu, 30/10/2014 - 11:30

Retail designers have resources to exhaustively plan, prototype, and field test every detail before opening day. We should apply the same thinking to voting places.

Science Graphic of the Week: How Magic Mushrooms Rearrange Your Brain

Wired - Thu, 30/10/2014 - 11:30

A new way of looking at the mind's activity may give insight into how psychedelic drugs produce their consciousness-altering effects.

Keith Packard: Glamor cleanup

Planet Debian - Thu, 30/10/2014 - 08:51
Glamor Cleanup

Before I start really digging in to reworking the Render support in Glamor, I wanted to take a stab at cleaning up some cruft which has accumulated in Glamor over the years. Here's what I've done so far.

Get rid of the Intel fallback paths

I think it's my fault, and I'm sorry.

The original Intel Glamor code has Glamor implement accelerated operations using GL, and when those fail, the Intel driver would fall back to its existing code, either UXA acceleration or software. Note that it wasn't Glamor doing these fallbacks, instead the Intel driver had a complete wrapper around every rendering API, calling special Glamor entry points which would return FALSE if GL couldn't accelerate the specified operation.

The thinking was that when GL couldn't do something, it would be far faster to take advantage of the existing UXA paths than to have Glamor fall back to pulling the bits out of GL, drawing to temporary images with software, and pushing the bits back to GL.

And, that may well be true, but what we've managed to prove is that there really aren't any interesting rendering paths which GL can't do directly. For core X, the only fallbacks we have today are for operations using a weird planemask, and some CopyPlane operations. For Render, essentially everything can be accelerated with the GPU.

At this point, the old Intel Glamor implementation is a lot of ugly code in Glamor without any use. I posted patches to the Intel driver several months ago which fix the Glamor bits there, but they haven't seen any review yet and so they haven't been merged, although I've been running them since 1.16 was released...

Getting rid of this support let me eliminate all of the _nf functions exported from Glamor, along with the GLAMOR_USE_SCREEN and GLAMOR_USE_PICTURE_SCREEN parameters, along with the GLAMOR_SEPARATE_TEXTURE pixmap type.

Force all pixmaps to have exact allocations

Glamor has a cache of recently used textures that it uses to avoid allocating and de-allocating GL textures rapidly. For pixmaps small enough to fit in a single texture, Glamor would use a cache texture that was larger than the pixmap.

I disabled this when I rewrote the Glamor rendering code for core X; that code used texture repeat modes for tiles and stipples; if the texture wasn't the same size as the pixmap, then texturing would fail.

On the Render side, Glamor would actually reallocate pixmaps used as repeating texture sources. I could have fixed up the core rendering code to use this, but I decided instead to just simplify things and eliminate the ability to use larger textures for pixmaps everywhere.

Remove redundant pixmap and screen private pointers

Every Glamor pixmap private structure had a pointer back to the pixmap it was allocated for, along with a pointer to the Glamor screen private structure for the related screen. There's no particularly good reason for this, other than making it possible to pass just the Glamor pixmap private around a lot of places. So, I removed those pointers and fixed up the functions to take the necessary extra or replaced parameters.

Similarly, every Glamor fbo had a pointer back to the Glamor screen private too; I removed that and now pass the Glamor screen private parameter as needed.

Reducing pixmap private complexity

Glamor had three separate kinds of pixmap private structures, one for 'normal' pixmaps (those allocated by themselves in a single FBO), one for 'large' pixmaps, where the pixmap was tiled across many FBOs, and a third for 'atlas' pixmaps, which presumably would be a single FBO holding multiple pixmaps.

The 'atlas' form was never actually implemented, so it was pretty easy to get rid of that.

For large vs normal pixmaps, the solution was to move the extra data needed by large pixmaps into the same structure as that used by normal pixmaps and simply initialize those elements correctly in all cases. Now, most code can ignore the difference and simply walk the array of FBOs as necessary.

The other thing I did was to shrink the number of possible pixmap types from 8 down to three. Glamor now exposes just these possible pixmap types:

  • GLAMOR_MEMORY. This is a software-only pixmap, stored in regular memory and only drawn with software. This is used for 1bpp pixmaps, shared memory pixmaps and glyph pixmaps. Most of the time, these pixmaps won't even get a Glamor pixmap private structure allocated, but if you use one of these with the existing Render acceleration code, that will end up wanting a private pointer. I'm hoping to fix the code so we can just use a NULL private to indicate this kind of pixmap.

  • GLAMOR_TEXTURE. This is a full Glamor pixmap, capable of being used via either GL or software fallbacks.

  • GLAMOR_DRM_ONLY. This is a pixmap based on an FBO which was passed from the driver, and for which Glamor couldn't get the underlying DRM object. I think this is an error, but I don't quite understand what's going on here yet...

Future Work
  • Deal with X vs GL color formats
  • Finish my new CompositeGlyphs code
  • Create pure shader-based gradients
  • Rewrite Composite to use the GPU for more computation
  • Take another stab at doing GPU-accelerated trapezoids

Microsoft Band: A wearable device with support for iOS, Android, and Windows Phone

OS news - Thu, 30/10/2014 - 08:17
It's got a built-in GPS, so you can wear it around and don't have to take your phone. It's svelte and stylish. The display is small (keeping the device small) but it's high resolution and touchscreen. In addition to all the standard quantified self stuff, it supports mail, messaging, calendar, and alerts. It costs $199, and it's on sale now (for preorder). Most importantly, you can load it with Starbucks credit and use it to pay for lattes. Looks like a winner.

Flipboard Finally Ditches Its iPad Roots With a Smarter Phone App

Wired - Thu, 30/10/2014 - 05:01

Flipboard may have been the original iPad magazine, but now it's making its app smarter for its growing smartphone audience.

Microsoft Band and Microsoft Health: The $199 all-platform fitness band

Ars Technica - Thu, 30/10/2014 - 05:00

After being leaked just a few hours ago, it's now official: Microsoft's first entry into the wearable space is Microsoft Band, a fitness band.

The gadget isn't a smartwatch and isn't intended to replace your watch. It's a Bluetooth fitness band packed full of sensors: optical heart rate sensing, 3-axis accelerometers with a gyroscope to track movement, GPS to track your runs even if you leave your phone at home, skin temperature, galvanic skin response presumably to measure sweating, ambient light and UV light, and a microphone so it can be used with Cortana on Windows Phone.


The 1.4-inch touch screen with its 320×106 resolution can deliver alerts, and there's a vibration motor too. Twin 100mAh batteries give it 48 hours of what Microsoft calls "normal use" though GPS can shorten this. The charge time is 1.5 hours, using a magnetically attached USB charger. There are three different sizes, so it should fit on most wrists.

Microsoft’s $199 fitness band, the Microsoft Band, leaked by app stores

Ars Technica - Thu, 30/10/2014 - 02:33

Rumors that Microsoft was coming up with its own cross-platform fitness band appear to have been validated with the perhaps accidental disclosure of apps for OS X, Windows Phone, Android, and iOS designed to support the gadget. Windows Central was first to spot the early publication.

The OS X app

The device will be called "Microsoft Band." Thanks to the app in the Mac App Store, we have a good idea of what it will look like: a black wristband with a screen. Functionally, it looks like it's going to be a pretty standard fitness band: it'll count footsteps (and use this information to attempt to count calories burned) and appears to monitor heart rates day and night to tell you how well you're sleeping.

The Windows Phone app. The apps for iOS and Android look all but identical.

As we should expect, there will also be a cloud service for accumulating and analyzing the data the band collects.

Lenovo adds a 13-inch Windows tablet to the Yoga mix

Ars Technica - Thu, 30/10/2014 - 02:00

Not content with launching five Yoga-branded tablets earlier this month, Lenovo has added a sixth device to its range.

The new device almost rounds out the range announced before. The new lineup has 8-inch and 10-inch tablets in both Android and Windows variants, and a 13-inch Android tablet, the Yoga Tablet 2 Pro, that also includes an integrated projector that can cast a 50-inch picture.

Today, the company has announced a 13-inch Windows tablet, the Yoga Tablet 2 Windows. This is almost a counterpart to the Yoga Tablet 2 Pro, matching its 13.3 inch 2560×1440 screen, quad core Intel Atom Z3745 processor at up to 1.86GHz, 802.11a/b/g/n dual-band Wi-Fi, 15-hour battery life, and a 2.27lb weight. But it's not quite identical. The Windows tablet doesn't have the integrated projector. It does, however, double the RAM to 4GB and double the storage to 64GB.
