Tuesday Nov 16, 2010

Solaris 11 Express Security Features - TPM Support

A while back (March 2009, to be exact), I wrote about the introduction of TPM support in OpenSolaris.  If you didn't try out OpenSolaris, you can now get the TPM support features in Solaris 11 Express.   Just to recap and update some older information from the earlier post:

  • Support for TPM 1.2 devices on x86/64 and some SPARC (sun4v) platforms.
  • Trusted Computing Group (TCG) software interfaces are supported with the inclusion of the TrouSerS package.  Solaris 11 Express includes Trousers version 0.3.4.
  • The tpmadm(1M) utility can be used to perform TPM administrative functions and view the state of some TPM registers.
  • A PKCS#11 provider for using the TPM to secure keys is also provided (and explained below).

In my original blog entry, I omitted the details about the PKCS#11 TPM provider.  Solaris 11 Express includes a provider that plugs into the Solaris Cryptographic Framework and lets PKCS#11 consumers use the TPM as a secure keystore.  Private objects stored through the TPM provider are protected by TPM-resident keys.  The benefit is that data protected with TPM keys can only ever be decrypted on that same platform using the same TPM (unless the keys are migrated, which is a topic for another day).  Because the wrapping key never leaves the TPM, an attacker who copies the keystore files cannot brute-force the PIN offline, and the copied files are useless on any other platform.

The TCSD service must be enabled and the TPM device must be available in order for the TPM support to work correctly. 

Check for TPM device:

ls -alF /dev/tpm
lrwxrwxrwx   1 root root 44 Oct  1  2009 /dev/tpm -> \\

Enable the TCSD service:

# svcadm enable tcsd 

If the TPM device is available and the tcsd service is running, individual users must initialize their own personal TPM-protected token storage area as follows:

$ pktool inittoken currlabel=TPM newlabel=tpm/joeuser

Next, the token PIN must be set for the SO (security officer), the default is 87654321:

$ pktool setpin token=tpm/joeuser so

Finally, the user's PIN can be set (the initial PIN is 12345678):

$ pktool setpin token=tpm/joeuser

The TPM token should now be ready for use.  pktool(1) can be used to generate keys and certificates on the TPM device by specifying the token name chosen when the token was initialized (tpm/joeuser in the examples above).

       $ pktool gencert token=tpm/joeuser -i
       $ pktool list token=tpm/joeuser

Also, any existing applications that already use the Solaris Cryptographic Framework interfaces (libpkcs11) can easily be made to use the TPM token for their operations by just making them select the TPM token device for the sessions.

More details about the TPM provider are available in the man pages for pkcs11_tpm(5) included in Solaris 11 Express.



Wednesday Dec 16, 2009

GnuPG for Solaris

GnuPG is available in Solaris starting with build 130.  OpenSolaris users can pull the latest packages from the /dev repository by looking for the SUNWgnupg and SUNWpth packages.  GnuPG is a complete, open source (GPL) implementation of the OpenPGP standard (RFC 4880).  I will not enumerate all of its many features here; the GnuPG website has plenty of good information.  There is even a set of HowTo documents to help you get started using GnuPG.

 Things to note:

  • SUNWgnupg delivers version 2.0.13 - the 1.4.XX versions are not included
  • you also need to install SUNWpth (GNU Portable Threads) package.

Also, with GnuPG installed, you can now install the Enigmail plugin for Thunderbird and configure it to use the GnuPG that was installed with the SUNWgnupg package (/usr/bin/gpg2).  This will allow you to send encrypted or signed emails and also to decrypt and verify emails you get from your associates (assuming you have their public keys).  Once you install Enigmail successfully (I did it using Solaris on x86 with the bundled Thunderbird mail client - version and the enigmail from the above link for x86), you should see an "OpenPGP" menu item that was not present before.  Using the items under that menu (Key Management) you can create a key for yourself that can be used for the crypto operations on your emails (sign/verify, encrypt/decrypt).

Tuesday Dec 01, 2009

Solaris Security Essentials - get it !

As my colleague Valerie has noted in her blog, the Solaris 10 Security Essentials is now officially published.

Though the title says "Solaris 10", most of the material applies to OpenSolaris or Solaris Express Developer/Community Edition as well.  The content was put together by a team of engineers in the Solaris Security group over a period of a year or so.  It really highlights many unique features of Solaris that administrators coming from "other" systems may not be familiar with.  Topics include using SMF for system protection, Role-Based Access Control (RBAC), the Solaris Cryptographic Framework, the Key Management Framework, and Trusted Extensions, just to name a few of the more unique Solaris security features that are covered.

It's nice to be listed as a "published author".  My family and friends now think I'm the next Stephen King.  I had to explain that this book is neither fictional nor suspenseful.  Perhaps they just think I'm generally a scary guy.  Hmmm...

Anyway, buy the book!  It makes a great stocking stuffer for the security geek in your family!

Thursday Sep 24, 2009

The Onion Router (Tor) in OpenSolaris

In build 116 (back in June 2009), the Onion Router (Tor) software was added to OpenSolaris as the SUNWtor and SUNWtor-root packages.  Quoting from the Tor website:

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

Tor is especially relevant today in countries that heavily censor internet usage and traffic.  It lets you browse anonymously, hiding both your location and your destination from an observer.  There are two sides to using Tor: running it as a client to obscure your own internet activity, or running a relay to add capacity to the Tor network.  If you only want to anonymize your own browsing and NOT run a relay, install the Torbutton Firefox extension and start browsing anonymously; note that Torbutton only points Firefox at the SOCKS proxy of a locally running tor daemon, so the tor client itself still has to be running (the same tor binary acts as a client when no ORPort is configured).  Pages will load much more slowly, since your data is passing through several Tor relays located all over the world.

The packages that were put into OpenSolaris allow you to set up your OpenSolaris system as a tor relay node and thus allow others from around the world to relay traffic through your system.  Installing and running a Tor relay on OpenSolaris is very easy:

  1. install the SUNWtor and SUNWtor-root packages if they are not already on your system.
  2. Edit /etc/torrc and make any desired changes.  This configuration file only needs minor modifications from its default installation profile to make it useful.  You will probably need to change the following parameters:
    • Nickname - give your node a unique name.  This does not have to be a hostname; it can be a nonsense word, a funny name, or anything you want.  It identifies your relay and is what you search for on the various Tor relay status pages to check that your system is properly registered.
    • RelayBandwidthRate, RelayBandwidthBurst - these two parameters limit how much bandwidth your relay is allowed to consume.
    • ExitPolicy - if you don't want your relay to be the final hop before the user's traffic reaches a site (making your node's IP the one the website records), set up a "no-exit" policy with ExitPolicy "reject *:*".  Rules are evaluated in order and the first match wins, so the catch-all reject must come before (or instead of) any accept lines.  There are other examples of ExitPolicy entries in the config file and on the Tor website.
    • HardwareAccel - this is particularly useful on Sun SPARC Enterprise T-series systems with the UltraSPARC T2 (Niagara 2) processor.  When it is enabled (set the value to "1"), the Tor relay uses the AES implementation in the processor's on-chip cryptographic unit for encrypting and decrypting the cells it relays between nodes, which is a large performance boost and lets your node process much more traffic.  See the "Enhanced Crypto Support" section below for more details.
  3. Start the tor relay node using SMF (as root): # svcadm enable tor
  4. That's it!

Once your relay is configured and started, you can use a Tor node status page such as https://torstat.xenobite.eu to see if your node is recognized and registered (search for your node using the Nickname you provided in step 2 above).
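As an added example (not code from the original post or from the Tor project), here is a small Python checker for the torrc settings discussed in step 2, run against two constructed torrc fragments: one configured as a non-exit relay with bandwidth limits and HardwareAccel on, and one that forgot the limits and lets web traffic exit.  The option names are real Tor options; the nickname, port and bandwidth figures are made up.

```python
# Constructed torrc fragments, not from the original post or from the Tor
# project. Option names are real Tor options; the nickname, port and
# bandwidth figures are made up.
GOOD_TORRC = """\
# Non-exit relay, limited to 512 KB/s, using the on-chip AES via PKCS#11.
Nickname            solrelay42
ORPort              9001
RelayBandwidthRate  512 KBytes
RelayBandwidthBurst 1024 KBytes
ExitPolicy          reject *:*
HardwareAccel       1
"""

# Same relay with the bandwidth limits forgotten and an exit policy that
# lets web traffic out, so this node's IP would show up in web server logs.
BAD_TORRC = """\
Nickname            solrelay42
ORPort              9001
ExitPolicy          accept *:80, reject *:*
"""


def parse_torrc(text):
    """Map option name -> list of values (a torrc may repeat options such as
    ExitPolicy); '#' starts a comment, blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def exit_policy_allows_exits(policies):
    """Tor evaluates ExitPolicy rules in order and the first match wins; if no
    rule matches a connection, the built-in default policy (which accepts most
    ports) applies.  So the relay is a non-exit only if a catch-all
    'reject *:*' comes before any 'accept' rule."""
    rules = [r.strip() for p in policies for r in p.split(",") if r.strip()]
    for rule in rules:
        if rule.startswith("accept"):
            return True
        if rule.replace(" ", "") == "reject*:*":
            return False
    return True


def lint_relay_config(text, want_exit=False):
    """Return a list of problems with a relay torrc, judged against the
    settings discussed in step 2 above."""
    opts = parse_torrc(text)
    problems = []
    if not opts.get("Nickname", [""])[-1]:
        problems.append("Nickname not set; the relay is hard to find on status pages")
    if "ORPort" not in opts:
        problems.append("ORPort not set; tor runs as a client only and relays nothing")
    for key in ("RelayBandwidthRate", "RelayBandwidthBurst"):
        if key not in opts:
            problems.append(f"{key} not set; the relay may consume all available bandwidth")
    if not want_exit and exit_policy_allows_exits(opts.get("ExitPolicy", [])):
        problems.append("ExitPolicy permits exits; use 'ExitPolicy reject *:*' for a non-exit relay")
    if opts.get("HardwareAccel", ["0"])[-1] != "1":
        problems.append("HardwareAccel not enabled; AES will not go through the crypto framework")
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_TORRC), ("bad", BAD_TORRC)):
        print(name, lint_relay_config(cfg) or "OK")
```

Run it against /etc/torrc before enabling the service; the exit-policy check is the one that matters most, since a relay that accepts even one port is an exit relay from the website's point of view.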

Enhanced Crypto Support for Tor in OpenSolaris

As mentioned above, when Tor was integrated into Solaris, a couple of enhancements were applied to the code to let it take advantage of the Solaris Cryptographic Framework.  Specifically, when the "HardwareAccel" option is enabled, the tor code checks whether the AES CTR mode mechanism is supported by the crypto framework.  If so, it uses the crypto framework APIs (PKCS#11) to perform the AES encryption and decryption operations.  Normally the AES crypto is done in software, either using OpenSSL or a native implementation of AES.  Because the OpenSSL build in Solaris at the time did not support AES CTR mode in hardware, the standard Tor encryption path sees no benefit from the HardwareAccel option on Niagara 2 systems; the additional PKCS#11 crypto support was added to the Tor code to provide access to the hardware crypto engine.  As a result, when running on a system with hardware support for AES CTR mode, such as the Sun SPARC Enterprise servers with Niagara 2 chips (T51XX, T52XX, etc.), the results are significant: an improvement of 25x or more was observed while running the relay in a live environment on an internet-facing server.

I suggest configuring a local zone and dedicating it to the tor service.  This gives the relay its own IP address and additionally gives the administrator more control over the resources the relay node is allowed to consume.  The tor configuration file lets you limit bandwidth, but by putting the relay in a container you also get the ability to control other factors such as memory use, CPU use and privileges.

I documented the work done and the results in a brief paper that can be downloaded here.

Monday Mar 30, 2009

TPM Support in Solaris

Solaris now has support for Trusted Platform Module (TPM) devices (as of build 112).  If you don't know what a TPM is or Trusted Computing is all about, I recommend visiting the Trusted Computing Group page.   The TPM device support that was just put into build 112 is only available on x86/amd64 platforms.  SPARC support is coming in a future build. 

Having TPM device support by itself is not terribly useful.  To have complete support for the Trusted Computing Group interfaces and protocols, we also had to deliver a working TSS (TCG Software Stack) and some utilities to take advantage of the TPM device.  All of these pieces together make it possible for developers and users to use the TPM to generate keys that either stay in the TPM and never leave it unless wrapped by a TPM-resident key, or are stored on disk protected (wrapped) by a TPM-resident key.  Although TPM devices implement some encryption algorithms in hardware, they are not very efficient and are not recommended for bulk encryption; TPMs are much better suited to securing keys and data (signing, verifying, wrapping) than to encrypting large quantities of data.  Software crypto is generally much faster than TPM crypto.

Software For Using the TPM

The TSS was actually delivered into the SFW consolidation in build 106.   We chose to use the Trousers package for our TSS (version 0.3.1).  You can get the TSS from the SUNWtss and SUNWtss-root packages (currently available in the OpenSolaris /dev repository).  The TSS package allows developers to write applications to take advantage of the TPM using standard interfaces as defined in the TSS Specification.

We also delivered a new command, tpmadm(1M).  tpmadm allows the administrator to take ownership of the TPM and perform some other basic operations for querying the device and managing the persistent key store (see the TCG specs for details).

usage: tpmadm command args ...
where 'command' is one of the following:
        status
        init
        clear [owner | lock]
        keyinfo [uuid]
        deletekey uuid

Once ownership is established (using tpmadm init), the user can query the state of the TPM with tpmadm status.  Here is example output from a system with an Atmel 1.2 TPM device:

TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
TPM resources
        Contexts: 16/16 available
        Sessions: 2/3 available
        Auth Sessions: 2/3 available
        Loaded Keys: 18/21 available
Platform Configuration Registers (24)
        PCR 0:  E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31 
        PCR 1:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B 
        PCR 2:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B 
        PCR 3:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B 
        PCR 4:  AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C 
        PCR 5:  E1 AA 8C DF 53 A4 23 BF DB 2F 4F 0F F2 90 A5 45 21 D8 BF 27 
        PCR 6:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B 
        PCR 7:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B 
        PCR 8:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 9:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
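The PCR listing above is the raw material for the attestation use case mentioned under "What's Next": a verifier decides which PCRs actually carry measurements, and recomputes them from an event log using the TPM 1.2 extend rule, PCR_new = SHA-1(PCR_old || measurement).  As an added example (not code from the original post or from Solaris), the Python below parses a tpmadm status listing and performs both checks.  The listing embedded in it is a constructed, abbreviated copy of the one above, and the event-log entries are made up; identical values in several PCRs (PCR 1, 2, 3, 6 and 7 above) simply mean those registers received the same sequence of extends.

```python
import hashlib
import re

# Constructed sample: an abbreviated tpmadm status listing modelled on the
# one shown above. Only the PCR lines matter to this script.
SAMPLE_STATUS = """\
TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
Platform Configuration Registers (24)
        PCR 0:  E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
        PCR 1:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
        PCR 2:  5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
        PCR 4:  AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C
        PCR 8:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

PCR_LINE = re.compile(r"^\s*PCR\s+(\d+):\s+((?:[0-9A-Fa-f]{2}\s*){20})$")
ZERO_PCR = b"\x00" * 20   # reset value of a TPM 1.2 PCR


def parse_pcrs(text):
    """Return {pcr_index: 20-byte value} from tpmadm status output."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line)
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def classify_pcrs(pcrs):
    """Split PCRs into never-extended (still zero), groups that share a value
    (same extend sequence), and registers holding a unique measurement."""
    groups = {}
    for idx, value in pcrs.items():
        groups.setdefault(value, []).append(idx)
    never = sorted(groups.get(ZERO_PCR, []))
    shared = sorted(sorted(g) for v, g in groups.items()
                    if v != ZERO_PCR and len(g) > 1)
    unique = sorted(g[0] for v, g in groups.items()
                    if v != ZERO_PCR and len(g) == 1)
    return {"never_extended": never, "shared_value": shared, "unique": unique}


def measure(blob):
    """A TPM 1.2 measurement is the SHA-1 digest of the measured object."""
    return hashlib.sha1(blob).digest()


def pcr_extend(current, measurement):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement). The old value
    is folded in, so the result depends on every extend and on their order."""
    if len(current) != 20 or len(measurement) != 20:
        raise ValueError("TPM 1.2 PCRs and measurements are 20-byte SHA-1 digests")
    return hashlib.sha1(current + measurement).digest()


def replay_event_log(events):
    """Recompute a PCR from its event log (the measured objects, in boot
    order) starting from the reset value, as an attestation verifier does."""
    pcr = ZERO_PCR
    for blob in events:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def verify_pcr(pcrs, index, events):
    """True if the reported PCR matches the value the event log implies."""
    return pcrs.get(index) == replay_event_log(events)


if __name__ == "__main__":
    reported = parse_pcrs(SAMPLE_STATUS)
    print(classify_pcrs(reported))
    # Made-up event log for PCR 4; on a real system these are the blobs the
    # firmware and boot loader measured.
    log = [b"stage1 bootloader", b"kernel image"]
    print("PCR 4 matches constructed log:", verify_pcr(reported, 4, log))
```

On a real system, feed it the output of tpmadm status.  PCRs that read all zeros have never been extended since the last reset, so nothing can be attested about whatever was supposed to be measured into them, and a PCR that fails the replay means either the log or the reported value is not what the boot sequence produced.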

Using the TPM

Before you can use the TPM,  you must first have the following packages installed (and all of this assumes that your system has a TPM device in the first place).

  • SUNWtpm
  • SUNWtss
  • SUNWtss-root

After installing the above packages (if they are not already on your system), the system usually has to be rebooted.  The reboot is necessary because the kernel has to reprocess the ACPI tables in order to find the TPM and attach the device driver.  Once the reboot completes, verify that the TPM driver is attached by running "modinfo | grep TPM" and looking for a line like "tpm (TPM 1.2 driver)".  If the driver is attached, start the TCS daemon by running "svcadm enable tcsd".  The TCS daemon manages all communication between user applications and the TPM: TSS-based applications talk to the TCS daemon, never directly to the device, so the daemon must be running for any of them to function.

Many x86 systems these days do come with TPM devices.   The Sun Ultra 40 M2 systems have Infineon 1.2 TPM devices.  Dell sells several models with TPM chips, both desktops and laptops.  I believe IBM (Lenovo) and other vendors also have TPM devices.  Future SPARC platforms will also have TPM 1.2 devices as well. 

What's Next

The delivery of the TPM device support and the software apps and APIs is just the first step.  There are many uses for TPMs and TCG protocols that can be developed to take advantage of these features.   Attestation (verifying the integrity of the platform, software and/or hardware), secure boot, and advanced key storage are just a few of the potential applications of this technology. 


To summarize, these are the steps you need to take in order to use a TPM on your Solaris (OpenSolaris) based system:

  • Get the SUNWtpm, SUNWtss, and SUNWtss-root packages either by installing SXCE (build 112 or later) or from the OpenSolaris /dev repository with build 112 (or later) packages.
  • Install the above packages if not already on your system.  Reboot if you just installed SUNWtpm for the first time.
  • Start the TCS daemon process - svcadm enable tcsd
  • Verify the status of the TPM  - tpmadm status
    • If the TPM is not yet owned, you must take ownership and assign an owner password with the "tpmadm init" command.
  • The TPM must be running at the 1.2 spec level, older 1.1 TPMs will not function correctly with this software.

Coming soon - details on using the PKCS #11 TPM provider...

Tuesday Apr 08, 2008

Tech Days and Photos

I recently had a round-the-world trip to speak at 2 Sun Tech Days events - Sydney and Johannesburg.  Both events went very well, I presented on "New Security Features in Solaris" and "OpenSolaris: A Definition" in Sydney.   In Johannesburg, I presented the same security talk, as well as the OpenSolaris talk again along with Jim Hughes and his "Nevada" talk.  It is always good to get out in front of customers and hear feedback.  I think they also appreciate talking to the engineers who help build the stuff instead of people a few steps removed, it gives them a much better chance of hearing the detailed kind of answer they are looking for, especially when they are asking deep, technical questions.

As always, I travelled with my camera and managed to use a lot of my free time to shoot.  I posted a tiny fraction of the shots on my flickr account in 2 sets.  Have a look -  Sydney and Africa.



Friday Jul 20, 2007

Nice trip

In late June I attended Trusted Computing Group meetings in Rome (yes, Italy, not New York).  Sun is an active participant in the TCG and has been for several years.  My areas of interest are in those working groups that deal with the interactions between different parts of the system and also interactions between systems (hosts).  More and more computers these days are shipping with TPMs (Trusted Platform Modules - a hardware chip soldered directly to the motherboard), so we are interested in taking advantage of the TPMs to make the overall system more secure.    In Solaris, we do not yet have the plumbing (i.e. driver and basic OS support) in place for TPMs but there is work being done in this area that anyone can contribute to if they are interested.  Look for more in the future!

Oh yeah - and Rome was amazing.  I had never been there before, and it is an incredible city.  Consider the history of that area: it's been populated for well over 2000 years and there are bits and pieces of history dating way-WAY back all over the place.  I took some pictures - have a look.


Thursday Jan 25, 2007

PKI and Key Management

Information about the Solaris Key Management Framework project - now available on OpenSolaris.org

Wednesday Aug 16, 2006

Key Management Framework Update

The Key Management Framework project is in the final stages and getting ready for putback.  Read on to learn about the new PKI interfaces we are going to be introducing soon.

A lot of updates and changes have been documented since the last project update.  We survived the architecture committee commitment review and have had significant feedback on the design from other security people inside of Sun.  We also had some outside comments via the kmf-discuss (at) opensolaris.org mailing list.  All of these things have been incorporated and documented.  We hope that this project will fill a need for developers and administrators who want to use PKI technology but find the current interfaces lacking in one way or another.

One of the features I think is most interesting is the concept of a system-wide PKI policy database.  This database contains a set of policy statements, each consisting of parameters that affect how certificates are validated by applications.  Because KMF can manage certificates in NSS databases, OpenSSL files, or PKCS#11 tokens, the policy can be applied to objects in any of those places (provided the application goes through the KMF interfaces).  We are also greatly expanding the list of commands for the Solaris pktool(1) utility to include certificate create/delete/import/export/list commands, symmetric key generation, and many other PKI object manipulation commands.  Check out our design documents on the files page for more details on these and other KMF features.

So, if you are a developer or administrator interested in upcoming Solaris PKI features, please have a look at our project and send feedback, we want to hear from you.

Friday Mar 03, 2006

Bands that "Get it" and companies that don't

These days, while most bands are being completely undermined by destructive (but utterly useless) DRM technologies (see: Sony BMG Lawsuit Settlement), it is refreshing to know that there are bands out there that "get it" and are taking advantage of new distribution channels offered by the internet rather than fighting them and treating their fans like criminals (thank you, RIAA).

Pearl Jam has long been a favorite band of mine. When their contract with Sony ended a couple of years ago, they decided to take things in a different direction. They are rolling out a new album in May and will be releasing their first single from that album next week - available as a FREE, Non-DRM-encumbered, MP3. Nice. What a novel concept - give people music in a truly portable format, don't try to force them into using a proprietary music player or platform, just give me (or sell me) the music and let me decide how/when/where I want to play it.

Since 2000, Pearl Jam have released CDs of every concert immediately following the shows. You could usually order the show from the internet the next day and you would receive a link to where you could immediately download the entire show in MP3 format (albeit in a low-quality bitrate) while waiting for your double-CD to arrive in the mail about a week later - with no DRM crap to restrict your use of it. Their ticket sales for fanclub members (of which I am a proud member, #183XXX) are handled smoothly and fairly (compared to the fiasco with the recent U2 tour and their fanclub tickets). Seniority counts, I was in the 10th row last time they came around to the DC area and hope to do at least as well this year. Again - they get it. They saw that fans were selling crap quality bootlegs for $20 or more and decided to put out high-quality CDs of all their shows for $12 a pop. It's a win for both the fans and the band. The fans win because they can purchase a copy of their show for a great price, the band wins by getting a little extra revenue from the sales and a LOT of goodwill from happy fans. Why don't other big bands do this (U2, I'm looking at you)? Heck, for the prices I paid for U2 tickets (face value, I did not scalp), they should be including an autographed CD for free!

Established bands like Pearl Jam or U2 have enough clout within the industry to make their own rules (to some extent) and give their fans what they want. Unfortunately, too many younger, less established, bands don't have the power to control how their companies distribute their music and treat their fans. So, you end up with crippled and destructive CDs being sold as "enhanced" and marketed as if they are actually doing YOU a favor by giving you inferior quality compressed tracks in a proprietary media format (WMV). Thank God they are still forced to deliver real CDs that actually play in cars and older CD players and computers.

When I buy a CD, I immediately want to rip the tracks and put it on my iPod. I am not ripping the tracks and sharing them on the internet, I just want to play them on my device and on my terms. I also want to rip them at better quality than what is offered by iTunes or some of the other online music stores. Thankfully, anyone running an OS other than Windows can do this pretty easily - Mac OSX, Linux, and Solaris all have tools for quickly and easily extracting the raw .WAV files from a CD which can then be converted to whatever format you like and stored on whatever device you like. On Solaris (at least in recent Nevada builds - see OpenSolaris.org) you can use the cdda2wav(1) command to quickly extract the .wav files and then use other tools to turn them into MP3 or WMV or whatever format you prefer. Similar tools are available on Linux and Mac OS X obviously has its own utilities (iTunes for one). On Windows you can also do this as long as the CD is not encumbered by lame DRM "protection" and/or you have your CD "autoplay" feature disabled.

It all comes down to the culture of openness and freedom versus the culture of lock-everything-down-and-try-to-control-everything. People want openness - open standards, open source - and freedom - freedom to use media on their terms, not someone else's. Success will come to companies that embrace these concepts not those that fight against them (hello again RIAA and MPAA).

Wednesday Mar 01, 2006

OpenSolaris Key Management Framework

Just today I unveiled a new (and my first) OpenSolaris project - Key Management Framework (KMF). We are trying to make it easier to develop PKI applications and manage PKI objects (X.509 certificates, keys, CRLs, etc). The project has been under development for some time now and we will start dumping our documentation and (eventually) code on the OpenSolaris site for comment in the coming weeks/months.

So, if you are interested, join our discussion list and send comments.

Tuesday Sep 20, 2005

Join the FBI - watch porn!

As if the FBI does not have its hands full with terrorism, organized crime, white-collar crime, and other threats to society, the Washington Post is reporting that the FBI has been directed - BY CONGRESS - to divert resources to investigating pornography. Not child-pornography, but regular, consenting adult stuff. Apparently, it is a running joke inside the FBI and no one really wants to be part of it because they all know it is a joke, but the geniuses that we elected into congress think it is "Real Important" and are mandating some extra attention. Seriously, does our country not have enough Real Problems to solve that are more important than investigating businesses that have already passed constitutional muster several times? Go after the spammers and phishers that are putting porn links onto computers without consent - that would be GREAT. Go after the spyware sellers and makers (some of whom are backed up by largely legitimate corporations) - again, GREAT. This move reeks of political influence from the religious right who seem to think that they have a mandate to legislate their own version of morality on everyone, regardless of constitutional protections and existing laws.

Is it 2008 yet?

Monday Sep 19, 2005

Electronic Voting

I read two articles today, both of which relate to the topic of electronic voting. The first was from the Washington Post about the Carter-Baker panel that has several recommendations for fixing the voting system (including adding MANDATORY PAPER TRAILS), the other is from Brad Friedman and it claims that Diebold is aware that their software is open to hacks and that they are suppressing any dissent on the subject internally by threatening to fire people. Yeah, that'll work. The story is already all over the internet. No one from Diebold has ever really explained exactly why they are so adamantly opposed to paper trails and an open review process. The sad thing is that the government is not squeezing them on this matter and they are allowed to continue doing business with no oversight or scrutiny.

BlackBoxVoting.org has lots of interesting reports on the sad state of electronic voting systems in America. What really gets one's blood boiling is the fact that this is 2005. A full 5 years after the 2000 election debacle and we STILL DON'T HAVE any sort of security standards for these boxes. There is no mandatory verifiable paper trail, there is no oversight of the security of the systems being used, and we have no more reason to trust the system today than we did 5 years ago. I would rather go back to paper ballots and "hanging chads" than to trust the future of our country's elections to software that has not been rigorously examined and thoroughly vetted by software security experts, not just by the software engineers at the company that builds the systems.

This is not a Democrat or a Republican issue, it is something that should concern anyone with an interest in the future of the country. Write to your congressman about this issue - support Rush Holt's HR 550.

Instructions on just how to hack the Diebold code are all over the internet, it's not as if this is a theoretical issue. Yet, here we are, 5 years later, and still no closer to a real solution. The next presidential election is 3 years away, congressional elections are coming up next year. It's infuriating that our government is so completely inept that it cannot address this issue in a timely manner.

Saturday Sep 17, 2005

More photo blog stuff

I updated my Photoblog this past weekend and migrated it to start using the PixelPost system. This is my first foray into the world of MySQL and PHP programming, but I found it to be surprisingly easy and smooth. I was already pretty familiar with CSS and scripting, so it wasn't much of a problem. The really nice thing is the way it keeps track of things in the MySQL db and the nice administrative interface so I can upload pics and keep track of comments and categories with a nice interface.

So, for anyone interested in managing their own photoblog site (as opposed to using Flickr or one of the other blog services) and learning a bit about the LAMP (Linux/Apache/MySQL/PHP) paradigm, I highly recommend PixelPost. Most major web hosting services (I use Lunarpages) offer all of the pieces you need to get started with something like this - including MySQL DBs, and PHP support.

Monday Sep 12, 2005

Kerberos and Thunderbird

A really cool security feature was just recently added to the Thunderbird email client - support for GSSAPI authentication. This extends the ability to do secure single-sign on with Kerberos to your email reading. Unless your current mail server (POP or IMAP) is SSL-protected, your username/password passes over the network in the clear. If your organization uses Kerberos for security (and convenience of single-sign on), you can now extend it to mail clients.

Solaris does not include pop3 or imap server software, but there are some open source implementations that already have the necessary server-side support for this secure authentication - The U-W IMAP Server is a popular IMAP server implementation.

Here is the announcement from the Kerberos mailing list. (Thanks to Simon Wilkinson)

The Thunderbird beta (1.5b1) that was released yesterday contains new
support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP

It would be really good to get some test coverage against different
servers, and in different environments. I originally wrote and tested
the code against the U-W IMAP server - it's also been tested against
various servers using Cyrus SASL for their GSSAPI support.

The beta can be downloaded from


Kerberos mailing list           Kerberos@mit.edu


