Archive for June, 2009

Debconf and Debcamp

Sunday, June 7th, 2009 by hartmans

I will be attending Debconf 9 in Spain from July 23-30. I will also be attending Debcamp the previous week. I’m hoping to build contacts and increase my involvement in the Debian community, and the previous Debconf I attended was an interesting window into what was going on in Debian and Linux.

I’m still lining up things to do at Debcamp. Jelmer Vernooij will be there; he’s interested in working with me on Samba 4 support for MIT Kerberos in Debian. I’m interested in working with him on making the user experience good for people who use both Samba 4 and other Kerberos applications.

As I wrote at the bottom of this post, I believe it is critical that the open source community not just follow what Microsoft is doing in the Enterprise space. I also think it is important that we maintain avenues for our own innovation. To that end, I want to look at what we can do to use enterprise infrastructure independent of AD-look-alike projects like Samba as well. So, I’ll be looking at what I can do to help with this in Debian. Areas of interest include:

  1. Easy set up of Kerberos to use an LDAP database
  2. Easy configuration of libpam-krb5 and libpam-ldap together using Kerberos for authentication and LDAP for authorization but not authentication.
  3. Support for FAST integrated into Debian systems so we can gain better protection against weak passwords. As I promised, more about this in its own post.
  4. Better support for PKI/smart cards for network authentication.

These are all projects I think I could make headway on myself. However, the value of Debcamp is the other people there. I’ve never been to a Debcamp before and so I don’t know what it will be like. I do know that I will give higher priority to projects that will benefit from close cooperation over a week. So, if you’re there and want to try to recruit me to your project, feel free. I’m interested in enterprise infrastructure, VOIP, IPv6, network security and making complex infrastructure easy to use.

Kerberos 1.7

Thursday, June 4th, 2009 by hartmans

MIT Kerberos 1.7 is released. I think this release really takes MIT Kerberos forward both for end sites and for system integrators. There are a lot of code quality improvements and bug fixes. For sites, this release allows changes to flow from one KDC to another on an ongoing basis rather than waiting for periodic refreshes. In addition, the domain-realm referral project allows information mapping hosts to domains to be configured in one place rather than on each client.

I already wrote about Active Directory enhancements. Painless Security was also involved in a project to secure Kerberos against offline dictionary attacks. I’m very happy that this project made the 1.7 release. To be truly useful, it will require integration from OS vendors into PAM modules and the like. I’ll discuss my plans for doing that in Debian in a future post.

Despite a lot of new features, initial signs are that 1.7 is going to be a relatively stable release. It has been in Debian unstable for over a month and at this point is working quite well.