<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/css" href="http://www.theoldmonk.net/blog/styles/feed.css"?>
<rss version="2.0" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:admin="http://webns.net/mvcb/">
<channel>
<title>The Old Monk</title>
<link>http://www.theoldmonk.net/blog/archives/technology/</link>
<description>dark matter</description>
<dc:language>en-us</dc:language>
<dc:creator>gera</dc:creator>
<dc:date>2008-09-27T19:11:44+05:30</dc:date>
<admin:generatorAgent rdf:resource="http://nanoblogger.sourceforge.net" />
<item>
<link>http://www.theoldmonk.net/blog/archives/2008/09/27/trac_mysql_and_authentication/</link>
<title>Trac, MySQL and authentication</title>
<dc:date>2008-09-27T19:06:10+05:30</dc:date>
<dc:creator>gera</dc:creator>
<dc:subject>tricks, technology, hacks</dc:subject>
<description>
<![CDATA[What we needed at <a href="http://www.chaupaati.in">work</a>:
<ul>
 <li> A wiki</li>
 <li> VPN</li>
 <li> A bug/issue tracker</li>
</ul>
<a href="http://trac.edgewall.org/">Trac</a> gave us the first and the last, and <a href="http://openvpn.net/">OpenVPN</a> gave us the middle. The newer versions of Trac can use MySQL as a database instead of SQLite and have a nice <a href="http://trac-hacks.org/wiki/AccountManagerPlugin">AccountManager</a> plugin.
<br /><br />
And it all comes together with <a href="http://pam-mysql.sourceforge.net/">pam_mysql</a>. The only problem was that Trac likes to store passwords as HTTP Digest-style hashes (not the most secure, I know) with an empty realm, and pam_mysql doesn't support that. The solution was a simple patch to pam_mysql which adds support for such hashes. I'll publish it soon - I'm making it more general by adding support for realms rather than assuming the realm is empty.
<br /><br />
OpenVPN, Apache (via mod_auth_pam) and others can authenticate via <a href="http://www.kernel.org/pub/linux/libs/pam/">PAM</a>, so adding authentication to anything is a simple matter of placing the right .htaccess file. And this is a *common* password across all services, which users can change on the wiki, in their browsers, through a nice polished interface. No Unix shells for people who can't deal with them.
<br /><br />
This is no <a href="http://en.wikipedia.org/wiki/Kerberos_(protocol)">Kerberos</a>, but is infinitely simpler - which means a lot for a small startup.
<br /><br />
There are a few gotchas though:
<ul>
<li> Apache doesn't like empty realms. This can be worked around by switching to Basic authentication, where passwords are passed on to PAM and we ignore the realm. Yes, Basic is worse, but there's always SSL. Thus one can supply _any_ value of realm (the AuthName in .htaccess). The situation might improve once my pam_mysql patch accepts realms and we manage to modify the Trac AccountManager plugin to use the same realm.</li>
<li> SSH doesn't like to authenticate users who don't have an account on the machine. It does a getpwent() call, and if that fails, it sets the password to '^H ^M INCORRECT' (the ^H and ^M represent the control chars here, but this is what you see in your logs if you debug PAM). One (ugly, in my opinion) way out is to LD_PRELOAD your own getpwent() for sshd. The other is to grant ssh access to people on a machine-by-machine basis. This doesn't scale beyond a point, but it is good enough for small setups and is the most secure. We use this. The cleaner solution, of course, is to use something like <a href="http://savannah.nongnu.org/projects/nss-mysql">nss_mysql</a>. This might be our next step, but not in the immediate future.</li>
</ul>
Patch to come Real Soon Now.]]>
</description>
</item>
<item>
<link>http://www.theoldmonk.net/blog/archives/2008/03/04/network_profiles_in_ubuntu/</link>
<title>Network profiles in Ubuntu</title>
<dc:date>2008-03-04T22:03:31+05:30</dc:date>
<dc:creator>gera</dc:creator>
<dc:subject>tricks, technology, perl, hacks</dc:subject>
<description>
<![CDATA[<p>There are various ways of managing multiple network profiles in Ubuntu, but I've never been a fan of NetworkManager. The command line works very well for me, and even there multiple solutions exist, with the help of packages like resolvconf etc. Here's my setup, which is very Debian-ish and depends on this nice package called <a href="http://packages.ubuntu.com/gutsy/ifupdown">ifupdown</a>.</p>

<p>First, there's the /etc/network/interfaces file:</p>
<pre>
# we always want the loopback
auto lo
iface lo inet loopback

# mappings
mapping eth0
  script /etc/network/map-scheme
  map dhcp eth0-dhcp
  map emergency eth0-emergency

mapping ath0
  script /etc/network/map-scheme
  map office ath0-office
  map home ath0-home

iface eth0-dhcp inet dhcp
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface ath0-office inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/office.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface eth0-emergency inet static
  address 10.9.5.201
  gateway 10.9.4.1
  netmask 255.255.254.0
  up iptables -F
  up lokkit -q --high
  up echo nameserver 172.31.6.5 > /etc/resolv.conf
  up echo nameserver 203.197.12.30 >> /etc/resolv.conf

iface ath0-home inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/home.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart
</pre>

<p>Notice the mappings section (and see 'man interfaces') - that allows me to say:</p>
<pre>
NETSCHEME="home" sudo ifup ath0
</pre>

<p>or</p>
<pre>
NETSCHEME="office" sudo ifup ath0
</pre>

<p>because ifupdown runs the specified script (/etc/network/map-scheme) with the physical interface name as its argument, feeds it the <code>map</code> lines (minus the <code>map</code> keyword) on standard input, and expects the chosen logical interface name on standard output. My script just looks up the NETSCHEME environment variable and spits out the correct mapping to go to. This thing, by the way, could be rigged to do arbitrarily complex tasks (look in /usr/share/doc/ifupdown/examples/ for sample scripts, including one which tries to ping some known IPs and decides its location/profile based on successful pings - you could write one which looks for all known wireless SSIDs and then decides which profile to switch to). Here's my trivial script:</p>
<pre>
#!/usr/bin/perl -w
use strict;

# Scheme to select; defaults to "home" when NETSCHEME is unset.
my $scheme = $ENV{NETSCHEME} || "home";

# ifupdown feeds the "map" lines on stdin as "&lt;scheme&gt; &lt;logical-iface&gt;".
# Print the logical interface name for the line whose scheme matches.
while (&lt;&gt;) {
        # Anchor at the start and quote the scheme so "home" cannot match
        # inside another name.
        if ( s/^\Q$scheme\E\s+// ) {
                print;
        }
}
</pre>

<p>The conf files in /etc/wpa_supplicant/* are of course wpa_supplicant configuration files. See 'man wpa_supplicant.conf' for details.</p>]]>
</description>
</item>
</channel>
</rss>
