Michael W. Lucas's Blog, page 75

February 13, 2013

my OpenSSH AuthorizedKeysCommand script

The bleeding-edge OpenSSH supports using an AuthorizedKeysCommand statement in sshd_config to get the authorized_keys file for a user. This lets you store your authorized_keys files in LDAP, but avoids linking OpenSSH against OpenLDAP. (You could actually use any data store for your back end, but LDAP is both the most popular and what I have.)


Your AuthorizedKeysCommand script should take one argument, and return a series of authorized keys, one per line. CentOS has a script, which I previous...

Published on February 13, 2013 08:16

February 9, 2013

Book status, 9 Feb 2013, and the Missing Contest Winner

Fast and furious progress these days:


Absolute OpenBSD: Peter has finished the tech edit on the entire manuscript. Chapters 1-18 are copyedited and returned to NSP. Chapters 1-17 are laid out and look somewhat like an actual book. (Seeing a book laid out forces me to view it with new eyes. It makes me want to tear up the whole thing and start over. I know I can write better than that. But I think that both the publisher and you lot would lynch me if I delayed the book until 2016 for a prope...

Published on February 09, 2013 17:11

January 31, 2013

“DNSSec Mastery” in-progress version available

By popular demand (mainly on Twitter) I’ve made the work-in-progress version of DNSSec Mastery available on LeanPub.


This is an experiment. If it works well, I’ll do it again. If not… I won’t.


Why would you be interested?


It’s cheap. I intend to sell the finished ebook for $9.99. The work-in-progress version is $7.99. I will continue to update the manuscript on LeanPub until it’s finished.
Once the manuscript is complete, I’ll raise the LeanPub price to $9.99 to match other vendors.
If you want to...
Published on January 31, 2013 15:40

January 30, 2013

Any interest in early drafts?

I have the DNSSec book about a third done, which isn’t bad for spending a week in the hospital this month, and am looking at various publication options. Once the book is finished it’ll be available in print, on Amazon, Barnes & Noble, Kobo, and hopefully iTunes. But I have an option for before the book is complete. LeanPub allows authors to upload works in progress, and update them as the work proceeds.


I’m pondering something like this:


Offer the incomplete book on LeanPub at, say, a 20% disc...
Published on January 30, 2013 18:50

January 28, 2013

Configuration Automation with RANCID

One of the most tedious tasks any network admin faces is replicating changes across multiple devices. I recently stood up new RADIUS servers, and needed to tell all of my routers and switches about it. Rather than logging into each router by hand and pasting in the new configuration, I decided to try RANCID's ability to run arbitrary commands on your routers.


Using this method requires that the commands you run don’t generate interactive output. A reload command won’t work, because it prompts...

Published on January 28, 2013 07:47

January 25, 2013

Absolute OpenBSD 2/e Haiku Contest Winners & status

I offered a haiku contest for the new Absolute OpenBSD. Winners got their haiku in the book, credited to them, plus an ebook copy of the book, plus a physical copy if I get enough physical copies and few enough winners.


More people entered than I expected, a pleasant surprise. I appreciate everyone’s efforts.


The winners are:


Chapter 1:

Josh Grosse: “Mailing lists are rough / Homework is mandatory / Love it or leave it”


Chapter 3:

Josh again, with “Straightforward questions. / Will you take the def...

Published on January 25, 2013 16:16

January 7, 2013

DNSSec and DLV on current BIND

One of the problems with the Internet is that old stuff hangs around forever. Configuring DNSSec validation on BIND 9.8 and newer is a lot easier than many of the popular tutorials would lead you to suspect. It’s so simple that I wonder why it isn’t the default.


options {
    ...
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
};


This automatically loads the root zone and dlv.isc.org trust anchors distributed with the BIND source code, verifies them, and uses them to validate all si...

Published on January 07, 2013 09:26

January 4, 2013

Conference Submissions & BSDCan 2013

The BSDCan 2013 call for proposals is open. As a BSDCan committee member, it’s my responsibility to get you lot to submit interesting papers. So: submit!


More than once, I’ve been asked something like “How can I get a paper accepted at BSDCan?” or “Why was my BSDCan paper rejected?” Here’s my answer to that general question. Lots of this applies to any conference, but as I’m not on the committees for those other conferences, I can’t claim any authority there. Other conferences have their own i...

Published on January 04, 2013 07:00

January 2, 2013

2013 Projects and 2012 Errata

When you set goals for a year, you need to tell people about them. The potential embarrassment of having to admit failure helps you complete the goals. With that in mind, here are my goals for 2013:


1) I will do three short technology books through my private label (aka “self-publish”). The first, on DNSSec, is underway. Some text exists, and I’m making copious use of scratch paper and whiteboards to figure out how to explain KSKs, ZSKs, and the signature and key lifecycle in a coherent manner....

Published on January 02, 2013 08:22

December 18, 2012

OpenBSD ruleset tracing

As Henning reviews the Absolute OpenBSD manuscript, he’s pointed out items that I’ve missed. Some of these are only documented in man pages, while others don’t seem to really be documented anywhere except in the source code. Here’s an interesting tidbit he pointed out that I haven’t seen anywhere other than Henning’s email. (Having said this in public, I’ll now find all sorts of examples that I missed, such as Henning’s slides from EuroBSDcon 2010.)


You can log specific connections to separate...

Published on December 18, 2012 05:04