Probably many of you are facing the same issue: having a consistent UNIX identity across all multiple instances. While in an ideal world LDAP would be a perfect choice, letting LDAP open to the wild Internet is not a great idea.
So, how to solve this issue, while being secure? The trick is to use the new NSS module for SecurePass.
While SecurePass has been traditionally used into the operating system just as a two factor authentication, the new beta release is capable of holding “extended attributes”, i.e. arbitrary information for each user profile.
We will use SecurePass to authenticate users and store Unix information with this new capability. In detail, we will:
The next generation of SecurePass (currently in beta) is capable of storing arbitrary data for each profile. This is called “Extended Attributes” (or xattrs) and -as you can imagine- is organized as key/value pair.
You will need the SecurePass tools to be able to modify users’ extended attributes. The new releases of Debian Jessie and Ubuntu Vivid Vervet have a package for it, just:# apt-get install securepass-tools
ERRATA CORRIGE: securepass-tools hasn’t been uploaded to Debian yet, Alessio is working hard to make the package available in time for Jessie though.
For other distributions or previous releases, there’s a python package (PIP) available. Make sure that you have pycurl installed and then:# pip install securepass-tools
While SecurePass tools allow local configuration file, we highly recommend for this tutorial to create a global /etc/securepass.conf, so that it will be useful for the NSS module. The configuration file looks like:[default] app_id = xxxxx app_secret = xxxx endpoint = https://beta.secure-pass.net/
Where app_id and app_secrets are valid API keys to access SecurePass beta.
Through the command line, we will be able to set UID, GID and all the required Unix attributes for each user:# sp-user-xattrs email@example.com set posixuid 1000
While posixuid is the bare minimum attribute to have a Unix login, the following attributes are valid:
In a similar way to the tools, Debian Jessie and Ubuntu Vivid Vervet have native package for SecurePass:# apt-get install libnss-securepass
For previous releases of Debian and Ubuntu can still run the NSS module, as well as CentOS and RHEL. Download the sources from:
Then:./configure make make install (Debian/Ubuntu Only)
For CentOS/RHEL/Fedora you will need to copy files in the right place:/usr/bin/install -c -o root -g root libnss_sp.so.2 /usr/lib64/libnss_sp.so.2 ln -sf libnss_sp.so.2 /usr/lib64/libnss_sp.so
The /etc/securepass.conf configuration file should be extended to hold defaults for NSS by creating an [nss] section as follows:[nss] realm = company.net default_gid = 100 default_home = "/home" default_shell = "/bin/bash"
This will create defaults in case values other than posixuid are not being used. We need to configure the Name Service Switch (NSS) to use SecurePass. We will change the /etc/nsswitch.conf by adding “sp” to the passwd entry as follows:$ grep sp /etc/nsswitch.conf passwd: files sp
Double check that NSS is picking up our new SecurePass configuration by querying the passwd entries as follows:$ getent passwd user user:x:1000:100:My User:/home/user:/bin/bash $ id user uid=1000(user) gid=100(users) groups=100(users)
Using this setup by itself wouldn’t allow users to login to a system because the password is missing. We will use SecurePass’ authentication to access the remote machine.Configure PAM for SecurePass
On Debian/Ubuntu, install the RADIUS PAM module with:# apt-get install libpam-radius-auth
If you are using CentOS or RHEL, you need to have the EPEL repository configured. In order to activate EPEL, follow the instructions on http://fedoraproject.org/wiki/EPEL
Be aware that this has not being tested with SE-Linux enabled (check off or permissive).
On CentOS/RHEL, install the RADIUS PAM module with:# yum -y install pam_radius
Note: as per the time of writing, EPEL 7 is still in beta and does not contain the Radius PAM module. A request has been filed through RedHat’s Bugzilla to include this package also in EPEL 7
Configure SecurePass with your RADIUS device. We only need to set the public IP Address of the server, a fully qualified domain name (FQDN), and the secret password for the radius authentication. In case of the server being under NAT, specify the public IP address that will be translated into it. After completion we get a small recap of the already created device. For the sake of example, we use “secret” as our secret password.
Configure the RADIUS PAM module accordingly, i.e. open /etc/pam_radius.conf and add the following lines:radius1.secure-pass.net secret 3 radius2.secure-pass.net secret 3
Of course the “secret” is the same we have set up on the SecurePass administration interface. Beyond this point we need to configure the PAM to correct manage the authentication.
In CentOS, open the configuration file /etc/pam.d/password-auth-ac; in Debian/Ubuntu open the /etc/pam.d/common-auth configuration and make sure that pam_radius_auth.so is in the list.auth required pam_env.so auth sufficient pam_radius_auth.so try_first_pass auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so Conclusions
Handling many distributed Linux poses several challenges, from software updates to identity management and central logging. In a cloud scenario, it is not always applicable to use traditional enterprise solutions, but new tools might become very handy.
The winner's of Nikon's annual Small World microscope photography contest this year include images of transgenic kidneys, a cricket's tongue, spider eyes, and a scarlet pimpernel. The first-place photograph was chosen out of more than 1,200 entries from 79 different countries. Rogelio Moreno, a computer programmer and self-taught microscopist from Panama, managed to capture an image of a tiny creature known as a rotifer with its mouth open.
Researchers had tried for 23 years to connect this piece of metal to Amelia Earhart's disappearance. They finally think they've proven it was part of her plane.
The post Why It Took 23 Years to Link Amelia Earhart’s Disappearance to This Scrap of Metal appeared first on WIRED.
Your kids may be content with a few fun-size Snickers and tiny boxes of Nerds, but if you're looking for quality candy and lots of it, you need a PhD-level strategy. So we talked to a bunch of academics to create this greed-is-good guide to landing more loot.
The post 6 Expert Tricks for Getting the Best Candy This Halloween appeared first on WIRED.
Classic British motorcycles from the collection of a Texas lawyer are going up for auction.
The post We’d Sell a Kidney for One of These Vintage British Motorcycles appeared first on WIRED.
The Searzall is a baffle that fits over the business end of a blowtorch to spread out the heat, turning your BernzOmatic torch into a handheld broiler.
The post This Fiery Tool Finishes Your Meat With a Blast of Heat appeared first on WIRED.
Touchscreen devices have a serious deficiency of tactility. These magnetic metal controls, created by Florian Born, sit on top of screens and replace virtual knobs and dials with real ones.
The post Sliders, Knobs, and Dials That Give Your Tablet a Physical Interface appeared first on WIRED.
Thanks to Avengers: Age of Ultron's teaser trailer and a certain Tuesday morning press conference—sorry, "special event"—you could be forgiven for thinking that this week has proven it's Marvel Studios' world, and we're just living in it. That's not to say other studios haven't been doing their thing too. But really it has pretty much been Marvel's world recently. Just try not to piss off Thanos and you'll be fine. Here are the highlights of the week's superhero movie news.
The post Cape Watch: Marvel Takes Over the World, Lets White Guys Take a Breather appeared first on WIRED.
When Mike Doyle published the anthology volume Beautiful LEGO last year, he wrote that "this book is a small collection of some of the impressive models that I have come across in my time." From all appearances, he's had a busy year since, because he's already back with a sequel that embraces the darker side of everyone's favorite brick-based artform.
The post These Creepy Lego Creations Are Definitely Not Kid-Friendly appeared first on WIRED.
Given that links appear to be more clickable when shared on Facebook, online publishers have scrambled to become savvy gamers of Facebook’s News Feed, seeking to divine the secret rules that push some stories higher than others. But all this genuflection at the altar of Facebook’s algorithms may be but a prelude to a more fundamental shift in how content is produced, shared, and consumed online. Instead of going to all this trouble to get people to click a link on Facebook that takes them somewhere else, the future of Internet content may be a world in which no video, article, or cat GIF gallery lives outside of Facebook at all.
The post How Facebook Could End Up Controlling Everything You Watch and Read Online appeared first on WIRED.
Retail designers have resources to exhaustively plan, prototype, and field test every detail before opening day. We should apply the same thinking to voting places.
The post America’s Polling Places Desperately Need a Redesign appeared first on WIRED.
A new way of looking at the mind's activity may give insight into how psychedelic drugs produce their consciousness-altering effects.
The post Science Graphic of the Week: How Magic Mushrooms Rearrange Your Brain appeared first on WIRED.
Before I start really digging in to reworking the Render support in Glamor, I wanted to take a stab at cleaning up some cruft which has accumulated in Glamor over the years. Here's what I've done so far.Get rid of the Intel fallback paths
I think it's my fault, and I'm sorry.
The original Intel Glamor code has Glamor implement accelerated operations using GL, and when those fail, the Intel driver would fall back to its existing code, either UXA acceleration or software. Note that it wasn't Glamor doing these fallbacks, instead the Intel driver had a complete wrapper around every rendering API, calling special Glamor entry points which would return FALSE if GL couldn't accelerate the specified operation.
The thinking was that when GL couldn't do something, it would be far faster to take advantage of the existing UXA paths than to have Glamor fall back to pulling the bits out of GL, drawing to temporary images with software, and pushing the bits back to GL.
And, that may well be true, but what we've managed to prove is that there really aren't any interesting rendering paths which GL can't do directly. For core X, the only fallbacks we have today are for operations using a weird planemask, and some CopyPlane operations. For Render, essentially everything can be accelerated with the GPU.
At this point, the old Intel Glamor implementation is a lot of ugly code in Glamor without any use. I posted patches to the Intel driver several months ago which fix the Glamor bits there, but they haven't seen any review yet and so they haven't been merged, although I've been running them since 1.16 was released...
Getting rid of this support let me eliminate all of the _nf functions exported from Glamor, along with the GLAMOR_USE_SCREEN and GLAMOR_USE_PICTURE_SCREEN parameters, along with the GLAMOR_SEPARATE_TEXTURE pixmap type.Force all pixmaps to have exact allocations
Glamor has a cache of recently used textures that it uses to avoid allocating and de-allocating GL textures rapidly. For pixmaps small enough to fit in a single texture, Glamor would use a cache texture that was larger than the pixmap.
I disabled this when I rewrote the Glamor rendering code for core X; that code used texture repeat modes for tiles and stipples; if the texture wasn't the same size as the pixmap, then texturing would fail.
On the Render side, Glamor would actually reallocate pixmaps used as repeating texture sources. I could have fixed up the core rendering code to use this, but I decided instead to just simplify things and eliminate the ability to use larger textures for pixmaps everywhere.Remove redundant pixmap and screen private pointers
Every Glamor pixmap private structure had a pointer back to the pixmap it was allocated for, along with a pointer to the the Glamor screen private structure for the related screen. There's no particularly good reason for this, other than making it possible to pass just the Glamor pixmap private around a lot of places. So, I removed those pointers and fixed up the functions to take the necessary extra or replaced parameters.
Similarly, every Glamor fbo had a pointer back to the Glamor screen private too; I removed that and now pass the Glamor screen private parameter as needed.Reducing pixmap private complexity
Glamor had three separate kinds of pixmap private structures, one for 'normal' pixmaps (those allocated by them selves in a single FBO), one for 'large' pixmaps, where the pixmap was tiled across many FBOs, and a third for 'atlas' pixmaps, which presumably would be a single FBO holding multiple pixmaps.
The 'atlas' form was never actually implemented, so it was pretty easy to get rid of that.
For large vs normal pixmaps, the solution was to move the extra data needed by large pixmaps into the same structure as that used by normal pixmaps and simply initialize those elements correctly in all cases. Now, most code can ignore the difference and simply walk the array of FBOs as necessary.
The other thing I did was to shrink the number of possible pixmap types from 8 down to three. Glamor now exposes just these possible pixmap types:
GLAMOR_MEMORY. This is a software-only pixmap, stored in regular memory and only drawn with software. This is used for 1bpp pixmaps, shared memory pixmaps and glyph pixmaps. Most of the time, these pixmaps won't even get a Glamor pixmap private structure allocated, but if you use one of these with the existing Render acceleration code, that will end up wanting a private pointer. I'm hoping to fix the code so we can just use a NULL private to indicate this kind of pixmap.
GLAMOR_TEXTURE. This is a full Glamor pixmap, capable of being used via either GL or software fallbacks.
GLAMOR_DRM_ONLY. This is a pixmap based on an FBO which was passed from the driver, and for which Glamor couldn't get the underlying DRM object. I think this is an error, but I don't quite understand what's going on here yet...
Flipboard may have been the original iPad magazine, but now it's making its app smarter for its growing smartphone audience.
The post Flipboard Finally Ditches Its iPad Roots With a Smarter Phone App appeared first on WIRED.
The gadget isn't a smartwatch and isn't intended to replace your watch. It's a Bluetooth fitness band packed full of sensors: optical heart rate sensing, 3-axis accelerometers with a gyroscope to track movement, GPS to track your runs even if you leave your phone at home, skin temperature, galvanic skin response presumably to measure sweating, ambient light and UV light, and a microphone so it can be used with Cortana on Windows Phone.Microsoft
The 1.4-inch touch screen with its 320×106 resolution can deliver alerts, and there's a vibration motor too. Twin 100mAh batteries give it 48 hours of what Microsoft calls "normal use" though GPS can shorten this. The charge time is 1.5 hours, using a magnetically attached USB charger. There are three different sizes, so it should fit on most wrists.
Rumors that Microsoft was coming up with its own cross-platform fitness band appear to have been validated with the perhaps accidental disclosure of apps for OS X, Windows Phone, Android, and iOS designed to support the gadget. Windows Central was first to spot the early publication.
The OS X app
5 more images in gallery
The device will be called "Microsoft Band." Thanks to the app in the Mac App Store, we have a good idea of what it will look like: a black wristband with a screen. Functionally, it looks like it's going to be a pretty standard fitness band: it'll count footsteps (and use this information to attempt to count calories burned) and appears to monitor heart rates day and night to tell you how well you're sleeping.
The Windows Phone app. The apps for iOS and Android look all but identical.
5 more images in gallery
As we should expect, there will also be a cloud service for accumulating and analyzing the data the band collects.
Not content with launching five Yoga-branded tablets earlier this month, Lenovo has added a sixth device to its range.
The new device almost rounds out the range announced before. The new lineup has 8-inch and 10-inch tablets in both Android and Windows variants, and a 13-inch Android tablet, the Yoga Tablet 2 Pro, that also includes an integrated projector that can cast a 50-inch picture.
4 more images in gallery
Today, the company has announced a 13-inch Windows tablet, the Yoga Tablet 2 Windows. This is almost a counterpart to the Yoga Tablet 2 Pro, matching its 13.3 inch 2560×1440 screen, quad core Intel Atom Z3745 processor at up to 1.86GHz, 802.11a/b/g/n dual-band Wi-Fi, 15-hour battery life, and a 2.27lb weight. But it's not quite identical. The Windows tablet doesn't have the integrated projector. It does, however, double the RAM to 4GB and double the storage to 64GB.