Generated.

[homepage.git] / blog / index.rss

<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
        <channel>
                <title>Petter Reinholdtsen</title>
                <description></description>
                <link>http://people.skolelinux.org/pere/blog/</link>
                <atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
        
        <item>
                <title>Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten</title>
                <link>http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</guid>
                <pubDate>Fri, 21 May 2010 16:00:00 +0200</pubDate>
                <description>
&lt;p&gt;For en stund tilbake kjøpte jeg en magnetkortleser for å kunne
titte på hva som er skrevet inn på magnetstripene til ulike kort.  Har
ikke hatt tid til å analysere mange kort så langt, men tenkte jeg
skulle dele innholdet på to kort med mine lesere.&lt;/p&gt;

&lt;p&gt;For noen dager siden tok jeg flyet til Harstad og Hurtigruten til
Bergen.  Flytoget fra Oslo S til flyplassen ga meg en billett med
magnetstripe.  Påtrykket finner jeg følgende informasjon:&lt;/p&gt;

&lt;pre&gt;
Flytoget Airport Express Train

Fra - Til        : Oslo Sentralstasjon
Kategori         : Voksen
Pris             : Nok 170,00
Herav mva. 8,00% : NOK 12,59
Betaling         : Kontant
Til - Fra        : Oslo Lufthavn
Utstedt:         : 08.05.10
Gyldig Fra-Til   : 08.05.10-07.11.10
Billetttype      : Enkeltbillett

102-1015-100508-48382-01-08
&lt;/pre&gt;

&lt;p&gt;På selve magnetstripen er innholdet
&lt;tt&gt;;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?&lt;/tt&gt;.
Aner ikke hva innholdet representerer, og det er lite overlapp mellom
det jeg ser trykket på billetten og det jeg ser av tegn i
magnetstripen.  Håper det betyr at de bruker kryptografiske metoder
for å gjøre det vanskelig å forfalske billetter.&lt;/p&gt;

&lt;p&gt;Den andre billetten er fra Hurtigruten, der jeg mistenker at
strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert
fall den biten vi stakk inn i dørlåsen).&lt;/p&gt;

&lt;p&gt;Påtrykket forsiden er følgende:&lt;/p&gt;

&lt;pre&gt;
Romnummer 727
Hurtigruten
Midnatsol
Reinholdtsen
Petter
Bookingno: SAX69   0742193
Harstad-Bergen
Dep: 09.05.2010 Arr: 12.05.2010
Lugar fra Risøyhamn
Kost: FRO=4
&lt;/pre&gt;

&lt;p&gt;På selve magnetstripen er innholdet
&lt;tt&gt;;1316010007421930=00000000000000000000?+E?&lt;/tt&gt;.  Heller ikke her
ser jeg mye korrespondanse mellom påtrykk og magnetstripe.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Pieces of the roaming laptop puzzle in Debian</title>
                <link>http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html</guid>
                <pubDate>Wed, 19 May 2010 19:00:00 +0200</pubDate>
                <description>
&lt;p&gt;Today, the last piece of the puzzle for roaming laptops in Debian
Edu finally entered the Debian archive.  Today, the new
&lt;a href=&quot;http://packages.qa.debian.org/libp/libpam-mklocaluser.html&quot;&gt;libpam-mklocaluser&lt;/a&gt;
package was accepted.  Two days ago, two other pieces was accepted
into unstable.  The
&lt;a href=&quot;http://packages.qa.debian.org/p/pam-python.html&quot;&gt;pam-python&lt;/a&gt;
package needed by libpam-mklocaluser, and the
&lt;a href=&quot;http://packages.qa.debian.org/s/sssd.html&quot;&gt;sssd&lt;/a&gt; package
passed NEW on Monday.  In addition, the
&lt;a href=&quot;http://packages.qa.debian.org/libp/libpam-ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
package we need is in experimental (version 10-4) since Saturday, and
hopefully will be moved to unstable soon.&lt;/p&gt;

&lt;p&gt;This collection of packages allow for two different setups for
roaming laptops.  The traditional setup would be using libpam-ccreds,
nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
which should work out of the box if the configuration changes proposed
for nscd in &lt;a href=&quot;http://bugs.debian.org/485282&quot;&gt;BTS report
#485282&lt;/a&gt; is implemented.  The alternative setup is to use sssd with
libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
care of the caching of passwords and group information.&lt;/p&gt;

&lt;p&gt;I have so far been unable to get sssd to work with the LDAP server
at the University, but suspect the issue is some SSL/GnuTLS related
problem with the server certificate.  I plan to update the Debian
package to version 1.2, which is scheduled for next week, and hope to
find time to make sure the next release will include both the
Debian/Ubuntu specific patches.  Upstream is friendly and responsive,
and I am sure we will find a good solution.&lt;/p&gt;

&lt;p&gt;The idea is to set up the roaming laptops to authenticate using
LDAP or Kerberos and create a local user with home directory in /home/
when a usre in LDAP logs in via KDM or GDM for the first time, and
cache the password for offline checking, as well as caching group
memberhips and other relevant LDAP information.  The
libpam-mklocaluser package was created to make sure the local home
directory is in /home/, instead of /site/server/directory/ which would
be the home directory if pam_mkhomedir was used.  To avoid confusion
with support requests and configuration, we do not want local laptops
to have users in a path that is used for the same users home directory
on the home directory servers.&lt;/p&gt;

&lt;p&gt;One annoying problem with gdm is that it do not show the PAM
message passed to the user from libpam-mklocaluser when the local user
is created.  Instead gdm simply reject the login with some generic
message.  The message is shown in kdm, ssh and login, so I guess it is
a bug in gdm.  Have not investigated if there is some other message
type that can be used instead to get gdm to also show the message.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Parallellized boot is now the default in Debian/unstable</title>
                <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</guid>
                <pubDate>Fri, 14 May 2010 22:40:00 +0200</pubDate>
                <description>
&lt;p&gt;Since this evening, parallel booting is the default in
Debian/unstable for machines using dependency based boot sequencing.
Apparently the testing of concurrent booting has been wider than
expected, if I am to believe the
&lt;a href=&quot;http://lists.debian.org/debian-devel/2010/05/msg00122.html&quot;&gt;input
on debian-devel@&lt;/a&gt;, and I concluded a few days ago to move forward
with the feature this weekend, to give us some time to detect any
remaining problems before Squeeze is frozen.  If serious problems are
detected, it is simple to change the default back to sequential boot.
The upload of the new sysvinit package also activate a new upstream
version.&lt;/p&gt;

More information about
&lt;a href=&quot;http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot&quot;&gt;dependency
based boot sequencing&lt;/a&gt; is available from the Debian wiki.  It is
currently possible to disable parallel booting when one run into
problems caused by it, by adding this line to /etc/default/rcS:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
CONCURRENCY=none
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;If you report any problems with dependencies in init.d scripts to
the BTS, please usertag the report to get it to show up at
&lt;a href=&quot;http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org&quot;&gt;the
list of usertagged bugs related to this&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Sitesummary tip: Listing MAC address of all clients</title>
                <link>http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</guid>
                <pubDate>Fri, 14 May 2010 21:10:00 +0200</pubDate>
                <description>
&lt;p&gt;In the recent Debian Edu versions, the
&lt;a href=&quot;http://wiki.debian.org/DebianEdu/HowTo/SiteSummary&quot;&gt;sitesummary
system&lt;/a&gt; is used to keep track of the machines in the school
network.  Each machine will automatically report its status to the
central server after boot and once per night.  The network setup is
also reported, and using this information it is possible to get the
MAC address of all network interfaces in the machines.  This is useful
to update the DHCP configuration.&lt;/p&gt;

&lt;p&gt;To give some idea how to use sitesummary, here is a one-liner to
ist all MAC addresses of all machines reporting to sitesummary.  Run
this on the collector host:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
perl -MSiteSummary -e &#39;for_all_hosts(sub { print join(&quot; &quot;, get_macaddresses(shift)), &quot;\n&quot;; });&#39;
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;This will list all MAC addresses assosiated with all machine, one
line per machine and with space between the MAC addresses.&lt;/p&gt;

&lt;p&gt;To allow system administrators easier job at adding static DHCP
addresses for hosts, it would be possible to extend this to fetch
machine information from sitesummary and update the DHCP and DNS
tables in LDAP using this information.  Such tool is unfortunately not
written yet.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>systemd, an interesting alternative to upstart</title>
                <link>http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html</guid>
                <pubDate>Thu, 13 May 2010 22:20:00 +0200</pubDate>
                <description>
&lt;p&gt;The last few days a new boot system called
&lt;a href=&quot;http://www.freedesktop.org/wiki/Software/systemd&quot;&gt;systemd&lt;/a&gt;
has been
&lt;a href=&quot;http://0pointer.de/blog/projects/systemd.html&quot;&gt;introduced&lt;/a&gt;

to the free software world.  I have not yet had time to play around
with it, but it seem to be a very interesting alternative to
&lt;a href=&quot;http://upstart.ubuntu.com/&quot;&gt;upstart&lt;/a&gt;, and might prove to be
a good alternative for Debian when we are able to switch to an event
based boot system.  Tollef is
&lt;a href=&quot;http://bugs.debian.org/580814&quot;&gt;in the process&lt;/a&gt; of getting
systemd into Debian, and I look forward to seeing how well it work.  I
like the fact that systemd handles init.d scripts with dependency
information natively, allowing them to run in parallel where upstart
at the moment do not.&lt;/p&gt;

&lt;p&gt;Unfortunately do systemd have the same problem as upstart regarding
platform support.  It only work on recent Linux kernels, and also need
some new kernel features enabled to function properly.  This means
kFreeBSD and Hurd ports of Debian will need a port or a different boot
system.  Not sure how that will be handled if systemd proves to be the
way forward.&lt;/p&gt;

&lt;p&gt;In the mean time, based on the
&lt;a href=&quot;http://lists.debian.org/debian-devel/2010/05/msg00122.html&quot;&gt;input
on debian-devel@&lt;/a&gt; regarding parallel booting in Debian, I have
decided to enable full parallel booting as the default in Debian as
soon as possible (probably this weekend or early next week), to see if
there are any remaining serious bugs in the init.d dependencies.  A
new version of the sysvinit package implementing this change is
already in experimental.  If all go well, Squeeze will be released
with parallel booting enabled by default.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Parallellizing the boot in Debian Squeeze - ready for wider testing</title>
                <link>http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</guid>
                <pubDate>Thu, 6 May 2010 23:25:00 +0200</pubDate>
                <description>
&lt;p&gt;These days, the init.d script dependencies in Squeeze are quite
complete, so complete that it is actually possible to run all the
init.d scripts in parallell based on these dependencies.  If you want
to test your Squeeze system, make sure
&lt;a href=&quot;http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot&quot;&gt;dependency
based boot sequencing&lt;/a&gt; is enabled, and add this line to
/etc/default/rcS:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
CONCURRENCY=makefile
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;That is it.  It will cause sysv-rc to use the startpar tool to run
scripts in parallel using the dependency information stored in
/etc/init.d/.depend.boot, /etc/init.d/.depend.start and
/etc/init.d/.depend.stop to order the scripts.  Startpar is configured
to try to start the kdm and gdm scripts as early as possible, and will
start the facilities required by kdm or gdm as early as possible to
make this happen.&lt;/p&gt;

&lt;p&gt;Give it a try, and see if you like the result.  If some services
fail to start properly, it is most likely because they have incomplete
init.d script dependencies in their startup script (or some of their
dependent scripts have incomplete dependencies).  Report bugs and get
the package maintainers to fix it. :)&lt;/p&gt;

&lt;p&gt;Running scripts in parallel could be the default in Debian when we
manage to get the init.d script dependencies complete and correct.  I
expect we will get there in Squeeze+1, if we get manage to test and
fix the remaining issues.&lt;/p&gt;

&lt;p&gt;If you report any problems with dependencies in init.d scripts to
the BTS, please usertag the report to get it to show up at
&lt;a href=&quot;http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org&quot;&gt;the
list of usertagged bugs related to this&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Forcing new users to change their password on first login</title>
                <link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
                <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
                <description>
&lt;p&gt;One interesting feature in Active Directory, is the ability to
create a new user with an expired password, and thus force the user to
change the password on the first login attempt.&lt;/p&gt;

&lt;p&gt;I&#39;m not quite sure how to do that with the LDAP setup in Debian
Edu, but did some initial testing with a local account.  The account
and password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.&lt;/p&gt;

&lt;p&gt;A freshly created account (using adduser test) will have these
settings in /etc/shadow:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -l test
Last password change                                    : May 02, 2010
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The only way I could come up with to create a user with an expired
account, is to change the date of the last password change to the
lowest value possible (January 1th 1970), and the maximum password age
to the difference in days between that date and today.  To make it
simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
avoid testing if 0 is a valid value).&lt;/p&gt;

&lt;p&gt;After using these commands to set it up, it seem to work as
intended:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -d 1 test; chage -M 10950 test
root@tjener:~# chage -l test
Last password change                                    : Jan 02, 1970
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10950
Number of days of warning before password expires       : 7
root@tjener:~#  
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;So far I have tested this with ssh and console, and kdm (in
Squeeze) login, and all ask for a new password before login in the
user (with ssh, I was thrown out and had to log in again).&lt;/p&gt;

&lt;p&gt;Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself have the account password?&lt;/p&gt;

&lt;p&gt;If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
shadow(8) page in Debian/testing now state that setting the date of
last password change to zero (0) will force the password to be changed
on the first login.  This was not mentioned in the manual in Lenny, so
I did not notice this in my initial testing.  I have tested it on
Squeeze, and &#39;&lt;tt&gt;chage -d 0 username&lt;/tt&gt;&#39; do work there.  I have not
tested it on Lenny yet.&lt;/p&gt;

&lt;p&gt;Update 2010-05-02-19:05: Jim Paris tells me via email that an
equivalent command to expire a password is &#39;&lt;tt&gt;passwd -e
username&lt;/tt&gt;&#39;, which insert zero into the date of the last password
change.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Thoughts on roaming laptop setup for Debian Edu</title>
                <link>http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
                <pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
                <description>
&lt;p&gt;For some years now, I have wondered how we should handle laptops in
Debian Edu.  The Debian Edu infrastructure is mostly designed to
handle stationary computers, and less suited for computers that come
and go.&lt;/p&gt;

&lt;p&gt;Now I finally believe I have an sensible idea on how to adjust
Debian Edu for laptops, by introducing a new profile for them, for
example called Roaming Workstations.  Here are my thought on this.
The setup would consist of the following:&lt;/p&gt;

&lt;ul&gt;

 &lt;li&gt;During installation, the user name of the owner / primary user of
   the laptop is requested and a local home directory is set up for
   the user, with uid and gid information fetched from the LDAP
   server.  This allow the user to work also when offline.  The
   central home directory can be available in a subdirectory on
   request, for example mounted via CIFS.  It could be mounted
   automatically when a user log in while on the Debian Edu network,
   and unmounted when the machine is taken away (network down,
   hibernate, etc), it can be set up to do automatic mounting on
   request (using autofs), or perhaps some GUI button on the desktop
   can be used to access it when needed.  Perhaps it is enough to use
   the fish protocol in KDE?&lt;/li&gt;

 &lt;li&gt;Password checking is set up to use LDAP or Kerberos
   authentication when the machine is on the Debian Edu network, and
   to cache the password for offline checking when the machine unable
   to reach the LDAP or Kerberos server.  This can be done using
   &lt;a href=&quot;http://www.padl.com/OSS/pam_ccreds.html&quot;&gt;libpam-ccreds&lt;/a&gt;
   or the Fedora developed
   &lt;a href=&quot;https://fedoraproject.org/wiki/Features/SSSD&quot;&gt;System
   Security Services Daemon&lt;/a&gt; packages.&lt;/li&gt;

 &lt;li&gt;File synchronisation with the central home directory is set up
   using a shared directory in both the local and the central home
   directory, using unison.&lt;/li&gt;

 &lt;li&gt;Printing should be set up to print to all printers broadcasting
   their existence on the local network, and should then work out of
   the box with CUPS.  For sites needing accurate printer quotas, some
   system with Kerberos authentication or printing via ssh could be
   implemented.&lt;/li&gt;

 &lt;li&gt;For users that should have local root access to their laptop,
   sudo should be used to allow this to the local user.&lt;/li&gt;

 &lt;li&gt;It would be nice if user and group information from LDAP is
   cached on the client, but given that there are entries for the
   local user and primary group in /etc/, it should not be needed.&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;I believe all the pieces to implement this are in Debian/testing at
the moment.  If we work quickly, we should be able to get this ready
in time for the Squeeze release to freeze.  Some of the pieces need
tweaking, like libpam-ccreds should get support for pam-auth-update
(&lt;a href=&quot;http://bugs.debian.org/566718&quot;&gt;#566718&lt;/a&gt;) and nslcd (or
perhaps debian-edu-config) should get some integration code to stop
its daemon when the LDAP server is unavailable to avoid long timeouts
when disconnected from the net.  If we get Kerberos enabled, we need
to make sure we avoid long timeouts there too.&lt;/p&gt;

&lt;p&gt;If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Great book: &quot;Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future&quot;</title>
                <link>http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
                <pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
                <description>
&lt;p&gt;The last few weeks i have had the pleasure of reading a
thought-provoking collection of essays by Cory Doctorow, on topics
touching copyright, virtual worlds, the future of man when the
conscience mind can be duplicated into a computer and many more. The
book titled &quot;Content: Selected Essays on Technology, Creativity,
Copyright, and the Future of the Future&quot; is available with few
restrictions on the web, for example from
&lt;a href=&quot;http://craphound.com/content/&quot;&gt;his own site&lt;/a&gt;. I read the
epub-version from
&lt;a href=&quot;http://www.feedbooks.com/book/2883&quot;&gt;feedbooks&lt;/a&gt; using
&lt;a href=&quot;http://www.fbreader.org/&quot;&gt;fbreader&lt;/a&gt; and my N810. I
strongly recommend this book.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Kerberos for Debian Edu/Squeeze?</title>
                <link>http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</guid>
                <pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
                <description>
&lt;p&gt;&lt;a href=&quot;http://www.nuug.no/aktiviteter/20100413-kerberos/&quot;&gt;Yesterdays
NUUG presentation&lt;/a&gt; about Kerberos was inspiring, and reminded me
about the need to start using Kerberos in Skolelinux.  Setting up a
Kerberos server seem to be straight forward, and if we get this in
place a long time before the Squeeze version of Debian freezes, we
have a chance to migrate Skolelinux away from NFSv3 for the home
directories, and over to an architecture where the infrastructure do
not have to trust IP addresses and machines, and instead can trust
users and cryptographic keys instead.&lt;/p&gt;

&lt;p&gt;A challenge will be integration and administration.  Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups?  With it, the
school administration will have to maintain access control using flat
files on the main server, which give a huge potential for errors.&lt;/p&gt;

&lt;p&gt;A related question I would like to know is how well Kerberos and
pam-ccreds (offline password check) work together.  Anyone know?&lt;/p&gt;

&lt;p&gt;Next step will be to use Kerberos for access control in Lwat and
Nagios.  I have no idea how much work that will be to implement.  We
would also need to document how to integrate with Windows AD, as such
shared network will require two Kerberos realms that need to cooperate
to work properly.&lt;/p&gt;

&lt;p&gt;I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way get ourselves experience with
configuration and integration.  A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrate the
rest of the machines from PAM via LDAP to PAM via Kerberos one at the
time.&lt;/p&gt;

&lt;p&gt;If you would like to contribute to get this working in Skolelinux,
I recommend you to see the video recording from yesterdays NUUG
presentation, and start using Kerberos at home.  The video show show
up in a few days.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>