Michael W. Lucas's Blog, page 70

September 9, 2013

I’m not writing an Ansible book…

…at least not now.


This is a “post it now so I can point to it later” piece.


I met Michael DeHaan, the Ansible creator, primary author, lead, and probably Grand Poobah, at AnsibleFest in Boston. We discussed the possibility of an Ansible book. He’s certainly open to the idea.


But we agreed that Ansible is moving too dang quickly to document in a book. By the time I finished a book, progress in Ansible would make the book obsolete. Ansible development will slow down at some time, making a book mu...

Published on September 09, 2013 12:38

September 4, 2013

Cross-platform OpenSSH server management with Ansible

I’ve previously written about managing the OpenSSH server with Ansible. That example focused on my BSD servers. I also manage Ubuntu and CentOS machines as well as my FreeBSD and OpenBSD. While the BSD machines are very similar, Ubuntu and CentOS are two different operating systems. Can I manage all of them by hand? Sure. But some of these call their SSH service ssh, while others call it sshd. They store their SFTP servers in different directories.


I want to manage all of these simultane...

Published on September 04, 2013 10:28

August 27, 2013

managing sshd with Ansible

My environment has two common tasks when managing OpenSSH servers: copying users’ authorized_keys files to the server, and changing the sshd configuration file /etc/ssh/sshd_config. I use Ansible for both, using a single playbook. Running the playbook updates all the authorized_keys files on every host and verifies that sshd is properly configured. (Not that any of my minions would reconfigure sshd without going through change control, or anything like that.)


I’ll start with authorized_keys ma...

Published on August 27, 2013 09:56

August 16, 2013

Command-Line FreeBSD Configuration: sysrc

The traditional BSD standard of “edit /etc/rc.conf” isn’t sustainable across large numbers of machines. If you must change dozens of servers you want a reliable way to alter the system without either manually editing every configuration file or some sed/awk hackery. (Running a sed/awk script to edit rc.conf on every server I own makes me nervous. I don’t do nervous these days.) FreeBSD 9.2 and later includes sysrc, a program to consistently and safely alter /etc/rc.conf and friends from the c...

Published on August 16, 2013 07:39

August 13, 2013

Wanted: interesting sudoers

I’ve learned a lot about sudo while writing Sudo Mastery. One of the things I’ve learned is that many, many people have insecure sudo policies. Most tutorials, mine included, leave holes people who understand sudo can get through. I’ve also learned that many people are using sudo much more cleverly than I previously thought.


Sudo is perhaps the most widely used access control tool for Unix-like systems. I’d like this book to be accurate and useful. As such, I have a favor to ask my readers:


If...

Published on August 13, 2013 13:35

August 12, 2013

Book Review: The Practice of Network Security Monitoring

Most computer books are badly written. The information in the book is fine (usually, hopefully), but the actual craft of writing is poor. They read like computer programs. This isn’t surprising, as most computer books are written by computer professionals. By the time you’re good enough at a computing topic to write a book about it, your brain automatically arranged things in machine-friendly order. That’s human nature. The downside of this, however, is that most computing books lack the thin...

Published on August 12, 2013 09:28

August 10, 2013

“DNSSec in 55 Minutes” on YouTube

If you didn’t see the live stream of my DNSSEC talk, it’s on YouTube.


The user group administrative stuff takes up the beginning of the video. I start babbling about 21 minutes in.

Published on August 10, 2013 18:16

August 9, 2013

tomorrow’s DNSSEC talk

For those who missed it, tomorrow I’ll be presenting about DNSSEC at the Metro Detroit Linux User’s Group (MDLUG).


If you happen to be in the area, and want to see it in meatspace rather than online, feel free. The address is 1677 West Hamlin Road, Rochester Hills, MI, 48309.

Published on August 09, 2013 10:27

August 1, 2013

next tech book: Sudo Mastery

Last weekend I amused myself by tweeting:


Stupid contest: give the title of the tech book I’ve just started writing. If correct, you get to make me a sandwich.


The answer is Sudo Mastery. Obviously. Although there were some amusing and hopeful alternative suggestions.


As with DNSSEC Mastery, I’m making the in-progress draft available for purchase. I did this with DNSSEC Mastery, and people seemed pleased. So, let’s try this again.


You can buy Sudo Mastery now for $7.99. You get access to the earl...

Published on August 01, 2013 08:10

July 31, 2013

live DNSSEC talk

On August 10, at 12:30PM EDT, I’ll be doing a talk on “DNSSEC in 55 Minutes” for the Metro Detroit Linux Users Group. I do this sort of thing all the time, but this time will be a little different.


The talk will go out live via Google Hangouts on Air. You’ll be able to see it via my Google Plus account. I haven’t done this before, but I believe you’ll be able to ask questions in a chat window. And it will be archived on YouTube for public viewing.


As it’s a Linux user group meeting, I will of c...

Published on July 31, 2013 07:03