User Journal

Journal Journal: Kerberos and Apache and Postgresql and CGIs and Kill Me Now 1

So, I've been overhauling the infrastructure at the ol' hosting coop, and decided: hey, we're acquiring afs tokens using mod_waklog and a $user/daemon kerberos principal, why not use that same principal for authenticating against postgresql? Bonus features: using a user map, the user's primary principal would authenticate as the same database user, and it eliminates another indirection in the auth process (we're using identd now, probably a terrible idea).

And then reality: mod_waklog grabs tokens, but the tickets used to acquire those tokens are not available to any CGI processes. This is correct behavior afaict: being an apache equivalent to aklog, it has no business dealing with kerberos keys. So, mod_auth_kerb is probably the piece responsible for this, right? Maybe. mod_waklog has two modes for acquiring tokens: one wherein you specify the principal and a keytab for a specific location, and another where it will use any tickets previously acquired by another module. So you can grab tokens using mod_auth_kerb for real users entering passwords or forwarding tickets.

In a moment of insanity I thought modifying suexec might be a good idea. It was, luckily, just a moment of insanity.

So now I'm left wondering if there's even a solution. Since we're offering generic Internet hosting, requiring that members figure out authentication with kerberos in their cgi programs just to access postgresql (and one day mysql, if it can even use gssapi) isn't going to fly. If there is a solution: where oh where does it belong?

My current thinking is that I should add something like Krb5AcquireTickets $principle $keytab (or Krb5LocationPrinciple, or ... whatever, I'm bad at naming things) to mod_auth_kerb. This promises a slight improvement to mod_waklog: all of the code dealing with acquiring tickets could be removed since it appears to only exist since no other modules exist to acquire tickets from a keytab. But something tells me this might still be wrong.

I'm probably doomed. The life of a volunteer sysadmin!
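The user-map idea from the entry above, as an added example (not from the original journal and not PostgreSQL's own code): a simplified Python model of pg_ident.conf matching that checks a member's primary principal and their $user/daemon principal both resolve to the same database role, and that nothing else does. The realm EXAMPLE.ORG, the map name krbmap and the user names are constructed placeholders; the matching pg_hba.conf entry is assumed to use the gss method with include_realm=1 map=krbmap.

```python
import re

# Constructed pg_ident.conf content (map name, realm and users are placeholders).
# Assumed pg_hba.conf counterpart: ... gss include_realm=1 map=krbmap
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME                      PG-USERNAME
krbmap     /^([^/@]+)@EXAMPLE\.ORG$             \1
krbmap     /^([^/@]+)/daemon@EXAMPLE\.ORG$      \1
"""

def parse_ident(text):
    """Return (map, system_pattern, db_user) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mapname, system, dbuser = line.split()
            rules.append((mapname, system, dbuser))
    return rules

def may_login(rules, mapname, principal, requested_role):
    """Simplified model of ident-map matching: a leading '/' marks a regex,
    and \\1 in the database user is replaced by the first capture group."""
    for name, system, dbuser in rules:
        if name != mapname:
            continue
        if system.startswith("/"):
            # Unanchored unless the pattern itself uses ^ and $.
            m = re.search(system[1:], principal)
            if not m:
                continue
            target = dbuser.replace(r"\1", m.group(1)) if m.groups() else dbuser
        elif system == principal:
            target = dbuser
        else:
            continue
        if target == requested_role:
            return True
    return False

RULES = parse_ident(PG_IDENT)

if __name__ == "__main__":
    for princ in ("alice@EXAMPLE.ORG", "alice/daemon@EXAMPLE.ORG",
                  "bob/daemon@EXAMPLE.ORG", "alice/admin@EXAMPLE.ORG"):
        print(princ, "-> alice:", may_login(RULES, "krbmap", princ, "alice"))
```

The `[^/@]+` capture and the `^`/`$` anchors are what keep other instances (such as a constructed alice/admin) and other realms from mapping onto the member's role.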


Journal Journal: New Phone, New Desktop...

Continuing with my quest to write at an abyss...

I ended up getting the mytouch 4G Slide (HTC Doubletouch) from newegg ($130 + 24 months further enslavement to T-Mobile + if-you-cancel-within-six-months-you-owe-us-$400 standard reseller crap). And then the despair began, as the Internet informed me I had to do crap like run an untested binary to exploit the userspace and bootloader instead of a simple unlocking procedure... but then a friend who had done something similar let me know that, *phew*, you only had to do that if you wanted the "easy" way of reflashing from Android (before getting your new image installed, naturally).

I just had to use the HTC bootloader unlocker and flash Clockwork Recovery, fastboot flash the kernel, and then use the recovery image to flash the new /system. I.e. the way it had to be done on the G1... yes, much much more difficult than exploiting Linux and some vulnerability in the bootloader...

With that out of the way, I now have CM9 (Android 4.0.3). So far it's running well... my first day battery life was great, yesterday not so much (suspecting something with wakelocks, the phone refused to suspend to ram after I ran maps...). I'm also trying to use as much Free Software as possible: I installed the Google apps for now because ... I am weak, and I like the calendar and maps. But, otherwise, I'm trying only to use software from F-Droid (or things not in F-Droid that are Free of course, but in an ideal world I'd also be submitting those for inclusion). The bad: the keyboard kind of sucks. There's basically no tactile feedback, they removed the tab button for a stupid "www/com" button (hoping I can remap that, but this is Android and not X11), and it's uncomfortably wide. Dear HTC: Please, please, resurrect the Dream's hinge... I thought the hinge would be the first part to fail on my G1, but it was solid until the end. That extra bit of vertical space was nice (5 rows!), and gave a more natural horizontal spacing between keys (I could reach 3/4 of my G1 keyboard with one thumb, now it's about half for each).

Still, Android on a device with lots of processor power and RAM is actually pleasant to use, instead of an exercise in seeing how many profanities you can utter at a device.

And now for MORE FUN: at some point I did an apt-get upgrade to get a slightly newer X server and ... where did my network printer go? Oh no, cups was repackaged and I need to install these new driver packages? They rely on GNOME 3 components... no, no, no is this really happening... thus died my gnome-session + sawfish + xfce-panel desktop :(. I gave GNOME 3 a five minute shot and it confirmed my suspicions: gnome-shell sucks. I have yet to futz with getting fallback mode working with sawfish et al, and am just using KDE 4.7 now. Which is a lot nicer than 4.5, and may actually suffice for my needs. We'll see. The big thing is that it seems to handle multiple monitors reasonably well now (before hotplugging never did the right thing; I have a laptop + 24" display for when I'm at my desk, so I plug/unplug on a daily basis).


Journal Journal: Farewell, HTC Dream

I got an HTC Dream about ... three years ago? And two days ago I was merrily using the phone when suddenly the touchscreen stopped responding. I rebooted, hoping it was Android 1.6 being lame yet again and ... where did the audio hardware go? dmesg revealed scads of i2c errors and that was that, time to get a new phone against my will. Because, honestly, I think the G1 is the best phone designed, ever. I'd really like to see a new version with an optical trackpad replacing the trackball (it got a bit less responsive after ~18 months, presumably from dirt) and a slightly larger screen... but otherwise untouched. And, since it croaked after a mere three years of being treated very well, a bit better build quality (hey, HTC, sell the design to Nokia and hit them with the cluebat to make them release more maemo devices). It was good enough for me to lay down my desire for an OpenMoko and compromise on a mostly non-free device yet again...

After a bit of searching, I settled upon this mytouch 4G slide thing. The keyboard is lame and only four rows... emacsing over ssh will certainly become more exciting. But, it was the best device under $250 (+ 24 months further enslavement to T-Mobile) hardware wise and is supported by Cyanogenmod so maybe I won't hate it too much. UPDATES TO FOLLOW (not that anyone reads Slashdot journals anymore).


Journal Journal: Journal! Things! Hops and Homebrew.

Hello once upon a time people used Slashdot journals and I think that was pretty neat. I was thinking to myself: "I need to upgrade HCoop's Debian install so that I can install some modern weblogging software and do more than post asinine facebook status updates" and then I realized... Slash!

The system says I have no journal entries, but I could have sworn I wrote a few way back when they were new and I was a lame teenager. Oh well, they're probably best left to the abyss if they even existed at all.

Let's start on a sad note then: there's a shortage of Centennial hops until the fall harvest. Kind of sucks, I hope this isn't indicative of a secretly poor aroma hop harvest last fall (discovering stuff like total hop yields doesn't seem too easy).

But, hey, let's make the best of a potential sharp increase in hop prices: No time like the present to knock out a double batch of my homebrewed IPA (and I just upgraded to a converted keg kettle + 60 qt mash tun with a fancy homemade manifold = hello 10 gallon batches). Mmm... a pound of hops (tasty, until the register displays my total bill ... and then tasty again 8 weeks later).

In the off chance anyone is actually reading this... I'm not too keen on experimenting with the hop bill of this since it tastes pretty good, and is probably the hardest and most expensive thing I brew (failure is agonizing). So ... I've stuck with Citra, but I hear that other hops have similar fruity tastes, ... anyone know whether any of the non-proprietary hops varieties might be reasonable as a substitute? I was unaware of the politics of hop genetics until after I made this recipe, and I kind of want to one day grow all of the ingredients in my back yard.

