Backpedaling

The Norwegian Conservative Party didn’t win the election. It doesn’t even have a relative majority—the Labor Party is still hanging on in there. But the sum of nominally conservative representatives is now greater than the sum of nominally socialist representatives, so they’re going to try to scrape together a coalition. Unfortunately, they can’t do so without the support of the brownshirts in the Progress Party, who did very badly in the election—losing a third of their parliament seats—but have petulantly threatened to sabotage any conservative coalition they’re not invited to join.

Said brownshirts are trying very hard to pretend that they’re not really brownshirts, and local and national media are mostly willing to accept that. International media, less so. Some of them have latched onto the fact that Anders Behring Breivik was once a member, which is unfair in the sense that he was never a party official or an elected representative or even a candidate and the Progress Party has never advocated violence. It is, however, spot on in the sense that several prominent members of the Progress Party have repeatedly and unrepentently expressed the same extremist philosophy, and even dabbled in victim blaming. Come election season, Progress Party candidates wring their hands and shed crocodile tears and point to their party program, which carefully wraps the issue in euphemisms about tradition and culture, and call their detractors liars and bullies.

The Conservative Party is now desperately trying to whitewash its brownshirt allies so it can realize its dream of forming the first conservative government in eight years, and the first in 23 years to be led by the Conservative Party. Frankly, it seem a bit too desperate—especially when you consider the fact that it’s in a better position now than the last time it formed a government without the Progress Party.

The Progress Party is effectively trying to blackmail its way into the coalition, and unfortunately, it’s likely to succeed. But I think it’s in for a rude awakening—and given its habitual intransigence, I think the odds are good that the coalition will crumble well before the next election. Fingers crossed.

Growing a VirtualBox disk with ZFS on it

I have a VirtualBox VM on a Windows host with a 32 GB disk. That disk is partitioned with GPT and has four partitions: a boot partition, a swap partition, a smallish UFS root partition, and a ZFS partition. I need more space in the latter, so let’s grow it.

Continue reading “Growing a VirtualBox disk with ZFS on it”

Challenges in Identity Management and Authentication

This was my presentation at the 2012 EuroBSDCon in Warsaw, Poland. I’ve been meaning to write more extensively on this subject, but never got around to it. I just watched through the video twice, and it was a lot less cringe-inducing than I expected (especially when you consider that I was sick and sleep-deprived when I gave it).

Towards the end, I got a question about Apple’s security framework. In my answer, I referred to it as CDDL. That was a slip of the tongue; I was referring to CDSA, which is actually an Open Group specification which Apple implemented and open-sourced. Furthermore, CDSA does not to everything I said it does. However, Apple built their Security Services Framework (described in their Authentication, Authorization and Permissions Guide and various other documents) on top of CDSA; so the combination of CDSA and what Apple added on top does everything from key management to authentication and authorization.

My presentation at the 2013 EuroBSDCon in St Julians, Malta will continue where I left off last year, outlining a concrete solution based on the principles set forth in the second part of last year’s presentation (starting at 32:06).

pkgng without ports: addenda

Two things I forgot to mention in my previous post:

  1. In order to use OpenPAM from svn instead of the version that comes with FreeBSD, you need to copy security/pam_mod_misc.h and pam_debug_log.c into the OpenPAM source tree and adjust the Makefiles accordingly, otherwise FreeBSD’s service modules won’t run and you won’t be able to log in. I don’t plan to include this code in OpenPAM; I’d rather overhaul FreeBSD’s modules so they no longer need it.
  2. What I actually wanted to do, but didn’t because I needed a solution there and then, was patch automake itself to add a pkgng target so gmake pkgng creates a package with no additional input required (except possibly a +DESC file).

Creating pkgng packages without ports

Lately, I’ve been working on expanding the scope of OpenPAM to more than just a PAM library. Specifically, I’ve added support (in a separate library) for the OATH HOTP and TOTP one-time password algorithms. In the long term, I also intend to implement PSKC and OCRA, the ultimate goal being full compliance with the OATH client and server certification profiles. Part of the reason I’m doing this is that my employer needs it, which is why the University of Oslo holds the copyright on most of the OATH code, but it is also something I’ve been wanting to do for a long time, and which I believe will greatly benefit FreeBSD.

This is a large undertaking, though. I’m not comfortable rolling a new OpenPAM release with the OATH code at this time—and I probably won’t be for quite a while. I’ve created a “nooath” branch and may roll a release from that branch in order to get the many other OpenPAM improvements into FreeBSD 10.0, but that’s a different story.

In the meantime, I need a way to test my code; not just on a development machine, but also on semi-production systems such as my desktop and my home router. Once it’s tested, I also need a way to deploy it on mission-critical systems. All these systems have one thing in common: they are binary installations, maintained with freebsd-update rather than built from source. So I need a way to install a newer version of OpenPAM without disturbing the base version.

Continue reading “Creating pkgng packages without ports”