Simon Josefsson: Privilege separation of GSS-API credentials for Apache
September 20, 2022, 6:40 AM
To protect web resources with Kerberos you may use Apache HTTPD with mod_auth_gssapi — however, all web scripts (e.g., PHP) run under Apache will have access to the Kerberos long-term symmetric secret credential (keytab). If someone can get it, they can impersonate your server, which is bad.
The gssproxy project makes it possible to introduce privilege separation to reduce the attack surface. There is a tutorial for RPM-based distributions (Fedora, RHEL, AlmaLinux, etc), but I wanted to get...
Matthew Garrett: Handling WebAuthn over remote SSH connections
September 20, 2022, 2:17 AM
Being able to SSH into remote machines and do work there is great. Using hardware security tokens for 2FA is also great. But trying to use them both at the same time doesn't work super well, because if you hit a WebAuthn request on the remote machine it doesn't matter how much you mash your token - it's not going to work. But could it? The SSH agent protocol abstracts key management out of SSH itself and into a separate process. When you run "ssh-add .ssh/id_rsa", that key is being loaded into the...
Antoine Beaupré: Looking at Wayland terminal emulators
September 19, 2022, 4:41 PM
Back in 2018, I made a two part series about terminal emulators
that was actually pretty painful to write. So I'm not going to retry
this here, not at all. Especially since I'm not submitting this to the
excellent LWN editors so I can get away with not being very good
at writing. Phew.
Still, it seems my future self will thank me for collecting my
thoughts on the terminal emulators I have found out about since I
wrote that article. Back then, Wayland was not quite at the level
where it is now, ...
Matthew Garrett: Bring Your Own Disaster
September 19, 2022, 7:12 AM
After my last post, someone suggested that having employers be able to restrict keys to machines they control is a bad thing. So here's why I think Bring Your Own Device (BYOD) scenarios are bad not only for employers, but also for users. There's obvious mutual appeal to having developers use their own hardware rather than rely on employer-provided hardware. The user gets to use hardware they're familiar with, and which matches their ergonomic desires. The employer gets to save on the money requi...
Axel Beckert: wApua 0.06.4 released
September 19, 2022, 12:55 AM
I today released version 0.06.4
of my WAP WML browser wApua and also uploaded that release to Debian Unstable.
It’s a bugfix release and the first upstream release since 2017.
It fixes the recognition of WAP WML pages with more recent DTD
location URLs ending in .dtd instead of .xml
(and some other small difference). No idea when these URLs changed,
but I assume they have been changed to look more like the URLs of
other DTDs. The old URLs of the DTD still work, but more recent WAP
Russ Allbery: Effective altruism and the control trap
September 17, 2022, 8:49 PM
William MacAskill has been on a book tour for What We Owe to the
Future, which has put effective altruism back in the news. That plus the
decision by GiveWell to
remove GiveDirectly from their top charity list got me thinking about
charity again. I think effective altruism, by embracing long-termism, is
falling into an ethical trap, and I'm going to start heavily discounting
their recommendations for donations.
Some background first for people who have no idea what I'm talking a...
Shirish Agarwal: Books and Indian Tourism
September 17, 2022, 7:32 PM
A few days ago somebody asked me, and I think it is an often-requested question to perhaps all fiction readers, as to why we like fiction. First of all, reading in itself is told as food for the soul. Because, whenever you write or read anything you don’t just read it, you also visualize it. And that visualization is and would be far greater than any attempt in cinema as there are no budget constraints and it takes no more than a minute to visualize a scenario if the writer is any good. You ju...
James Valleroy: How I avoid sysadmin work
September 17, 2022, 2:55 PM
The server running this blog is a RockPro64 sitting in my living room. Besides WordPress (the blogging software), I run various other services on it:
Bepasty for sharing files,
Ikiwiki for taking notes,
Quassel for staying connected to IRC chat servers,
Radicale for synchronizing my calendar and tasks,
Shaarli for sharing bookmarks, and
Tiny Tiny RSS for reading other people’s blogs.
Most of these are for my personal use, and a few of them have pages for public viewing (linked at the top of t...
Jonathan Dowland: Prusa Mini
September 17, 2022, 7:56 AM
In June I caved and bought a Prusa
3D printer for home. I bought it just before an announced price hike. I went
for a Prusa because of their reputation for "just working", and the Mini mostly
as it's the cheapest, although, the print area (7"³) is large enough for most of
the things I am likely to print.
To get started, at the same time I bought some Prusament recycled
PLA to print
with, which, unfortunately, I've been a little disappointed with.
I was attracted to the idea of buyi...
Jonathan Dowland: Introducing Red Hat UBI9 OpenJDK runtime images
September 17, 2022, 6:11 AM
A few weeks ago we shipped the first RHEL UBI9-based OpenJDK container images.
Universal Base Image (UBI) is an initiative where you can obtain, share and
build upon official Red Hat container images without needing a Red Hat
subscription. They're exactly the same base images that Red Hat products are
built upon, composed entirely of Open Source software. Your precise rights are
covered in the
Nowadays we offer two flavours of images, the original style (now termed
builder images) and le...
Jonathan Dowland: things I'd like to 3D print, revisited
September 15, 2022, 1:55 PM
Back in November I wrote up a list of 25 things I would 3D print.
Let's revisit the list and see how things have developed.
Stuff I won't print
Some kind of 45° leaning prong to dry bottles and flasks on
A tea tray and coasters
Small tins to keep loose-leaf tea in
It was pointed out to me that you can't safely print things to store food in
with most materials, as their porous/layered nature facilitates the growth of
bacteria. So, I'll rule out those items.
A vinyl record.
The size of th...
Joachim Breitner: rec-def: Dominators case study
September 15, 2022, 8:27 AM
More ICFP-inspired experiments using the rec-def library: In Norman Ramsey’s very nice talk about his Functional Pearl “Beyond Relooper: Recursive Translation of Unstructured Control Flow to Structured Control Flow”, he had the following slide showing the equation for the dominators of a node in a graph:
Norman Ramsey shows a formula
He said “it’s ICFP and I wanted to say the dominance relation has a beautiful set of equations … you can read all these algorithms how to compute thi...
Matthew Garrett: git signatures with SSH certificates
September 15, 2022, 1:34 AM
Last night I complained that git's SSH signature format didn't support using SSH certificates rather than raw keys, and was swiftly corrected, once again highlighting that the best way to make something happen is to complain about it on the internet in order to trigger the universe to retcon it into existence to make you look like a fool. But anyway. Let's talk about making this work! git's SSH signing support is actually just it shelling out to ssh-keygen with a specific set of options, so let's...