From paul.suh at ps-enable.com Mon Jun 11 18:55:38 2007
From: paul.suh at ps-enable.com (Paul Suh)
Date: Mon Jun 11 18:56:04 2007
Subject: [Newsletter] WWDC Session, Automounts and VPN, WWDC Keynote Commentary, Apple Global Training
Message-ID: <1DA58F28-7DF2-4A61-8D0B-CD36FD6136DC@ps-enable.com>

Folks,

I've been pretty quiet on the newsletter for a while, for a reason. I'm presenting at a session on Friday at WWDC -- Session 542, Managing and Deploying Open Directory, 9:00 AM Pacific time. I'll be posting my slides and demos a little bit later, but my part is a case study of a client where we're doing an Open Directory integration. In most of the case studies of directory services integration, people are taking Macs and tying them into some other directory services network -- generally Active Directory. In this case, the company is using Open Directory as a central identity store, tying in other systems. Open Directory's standards-based design makes it easy to tie in other systems.

Automounts and VPN

I've discovered a royal pain in the neck resulting from VPN with automounted share points. In my network at home I have automounts for /Network/Applications, /Network/Library, and a home directory automount at /Network/Servers/crocus.goodeast.com/Volumes/raid/Users. This works fine for machines that are on the local network, but it turns into a problem for machines that connect via VPN. Here's what happens: As long as I'm on the road with my laptop, it doesn't connect to the LDAP server, so there are no automounts. However, when I connect via VPN the laptop gets an address on the local network and it loads the automounts -- and then the automounts happen. The problem comes when I disconnect from the VPN. The automounts are still connected, but the server is no longer accessible. The result is long-running beach balls and hung apps. The portable home directory mount also runs into problems, since it will also be triggered and then gets cut off when I disconnect.
To work around this, I changed the way that DNS was resolved for VPN, using BIND 9 views. (You can also do this by running a different DNS server for the VPN clients.) It helped that I configured my VPN so that it was in a neatly separable network range: 192.168.1.64-79. In CIDR notation this is 192.168.1.64/28. Since all of the automounts come from my file server, crocus.goodeast.com, whose IP address is 192.168.1.129, I set up a view that gave a different result for DNS clients in the VPN range. Instead of returning 192.168.1.129, the view returns 192.168.1.131 (an OpenBSD server that does not serve AFP). There is also a separate entry to allow for manual connections (where I want to retrieve a file by hand from the Finder, and I will do a manual disconnect).

WWDC Keynote Commentary

There is a lot of neat stuff from the keynote that we can discuss publicly. For me, the big pieces from Leopard are:

- iChat Theater
- Time Machine
- Cross-client search
- QuickLook

iChat Theater is a radical improvement to remote collaboration. Time Machine will transform the way we do backups. Cross-client search will make it easy to find stuff. But the problem will be security and privacy in a networked environment. Who can get access to certain files across the network as a result of searches will be a serious issue. QuickLook is neat, but I am seriously concerned in terms of security. Lots of Outlook worms on Windows work because of holes in the IE engine that allowed a malicious message to execute arbitrary code by just looking at it. A badly written QuickLook plugin could lead to a buffer overflow and arbitrary code execution.

iPhone application development is Web 2.0/AJAX. This is really neat from a variety of angles. For an enterprise, it means that almost all of your existing apps just work with the iPhone if they work with Safari. The downside is that if you don't have cell coverage, none of your applications work.
I'd like to see what I can find out as far as allowing Safari to access iPhone services. I wonder if I can somehow set up inbound access to the iPhone. I won't be able to say much about the rest of the week, since we're under a non-disclosure agreement here.

Apple Global Training

The WorldWide Training and Certification department was merged with the Sales Training department, all of the training rooms in the Apple Market Centers will be closed, the course development will be outsourced, and Training Units will no longer be sold (although existing ones will be honored). A lot of details are still to be decided, and there's a meeting for us trainers tomorrow morning where we'll get more information.

--Paul

Paul Suh
http://www.ps-enable.com/
paul.suh@ps-enable.com
(240) 672-4212


From paul.suh at ps-enable.com Wed Jun 27 00:04:14 2007
From: paul.suh at ps-enable.com (Paul Suh)
Date: Wed Jun 27 00:04:28 2007
Subject: [Newsletter] Leopard's QuickLook, OD/Solaris integration How-To
Message-ID:

Folks,

It's been just over a week since I spoke at WWDC and I'm pretty much still floating! It was pretty nerve-wracking, and I was a nervous wreck starting the previous Sunday, when I realized that my OD session was the *only* IT track session in that time slot on Friday.

QuickLook
---------------

This strikes me as a potentially huge security issue. Many of the Outlook e-mail worms spread because of buffer overflows in the IE engine that was used to render the content. These buffer overflows allowed the worm to execute arbitrary code in the *user* context, not the system context.
As a result, the mere act of viewing a message would trigger the worm to attempt to propagate itself to everyone in the user's address book and also act to trigger an attempt to escalate privileges to take over the machine. Granted, a lot of this was made easier by the fact that most Windows users were (at the time) running with Administrator privileges -- but that isn't all too different from the way that many Mac users run right now.

QuickLook presents the same kind of vulnerability -- multiplied by 100 or 1000! Application vendors will be asked to create rendering engines for their file formats, and if the rendering engine does not handle incorrect input properly, an attacker may cause arbitrary code to execute in the user context, just by having the user click on the file in the Finder. This needs to be sandboxed very carefully or it becomes a huge security vulnerability. Some techniques to harden the system would be a stack canary, address-space layout randomization, and systrace-style constrained file access. I can't comment on which of these (if any) are included in Leopard due to the NDAs, but even with these it is a serious concern. I'd really want a virtual-machine-style constraint on what the QuickLook plugin is allowed to do.

OD/Solaris Integration How-To
------------------------------------------

Just to give you the quick run-down on this, in case you want to try it yourself. First, steps 1-4 should be executed on Solaris, as root.

1) Make a copy of the /etc/nsswitch.ldap file to /etc/nsswitch.ldap.dist, in case you want to preserve Sun's original configuration.

2) Copy the /etc/nsswitch.conf file to /etc/nsswitch.ldap.
Edit the new /etc/nsswitch.ldap file so that the following lines are changed from the original:

    passwd: files ldap
    group:  files ldap

3) Execute the following command, with appropriate adjustments for the search base and Open Directory master IP address:

    ldapclient -v manual \
        -a credentialLevel=anonymous \
        -a defaultSearchBase=dc=od-master,dc=example,dc=com \
        -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com \
        -a attributeMap=passwd:gecos=cn \
        -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com \
        -a serviceAuthenticationMethod=pam_ldap:simple \
        10.17.1.1

The elements break down as follows:

    -v
        Verbose output
    manual
        Manual configuration (as opposed to using a config file or creating a config file)
    -a credentialLevel=anonymous
        Use an anonymous bind for basic communication
    -a defaultSearchBase=dc=od-master,dc=example,dc=com
        Default search base
    -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com
        Where to look for user info
    -a attributeMap=passwd:gecos=cn
        Map the gecos attribute in a standard passwd file to the cn attribute for users (long name on Mac OS X)
    -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com
        Where to look for group info
    -a serviceAuthenticationMethod=pam_ldap:simple
        Use simple, cleartext LDAP binding for authentication
    10.17.1.1
        IP address of the Open Directory Master

4) Edit the /etc/pam.conf file so that the block for "other auth" is changed from:

    other auth requisite pam_authtok_get.so.1
    other auth required  pam_dhkeys.so.1
    other auth required  pam_unix_cred.so.1
    other auth required  pam_unix_auth.so.1

to

    other auth requisite pam_authtok_get.so.1
    other auth required  pam_dhkeys.so.1
    other auth required  pam_unix_cred.so.1
    other auth binding   pam_unix_auth.so.1 server_policy
    other auth required  pam_ldap.so.1

Your Open Directory users can authenticate to Solaris via ssh, telnet, or what have you.

Now to do Kerberos integration. It's pretty easy.
5) Copy the /Library/Preferences/edu.mit.Kerberos file from the Open Directory Master to /etc/krb5/krb5.conf on Solaris.

6) Open Workgroup Manager, and create a computer record for the fully qualified host name of the Solaris machine; e.g. "solaris10.example.com".

7) Open Server Admin on the Open Directory Master, go to the Open Directory settings, and click on the button "Add Kerberos Record..." Fill in the necessary usernames and password, and the fully qualified host name of the Solaris system, then click on "Add".

8) From the command line on the Open Directory Master, execute

    sudo kadmin.local

Once you have the kadmin.local prompt, export the necessary principals to a keytab file by using the following command, substituting the appropriate fully qualified host name and Kerberos domain as necessary.

    ktadd -k /var/root/solaris_host_principals.keytab host/solaris.example.com@EXAMPLE.COM

Exit the kadmin.local tool by giving the command "quit". For maximum security, export the keytab to a root-readable-only directory on an encrypted disk image.

9) Copy the /var/root/solaris_host_principals.keytab file to /etc/krb5/krb5.keytab on the Solaris system. Then, secure erase the /var/root/solaris_host_principals.keytab file from the Open Directory master.

You should now be able to get a TGT from the Open Directory master and connect to the Solaris machine using ssh without typing a password.

Slides from my preso are available at:

--Paul

Paul Suh
http://www.ps-enable.com/
paul.suh@ps-enable.com
(240) 672-4212
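The split-horizon DNS workaround from the Automounts and VPN section of the first message, written out as an added BIND 9 configuration example (not Paul's actual config): clients in the VPN pool 192.168.1.64/28 get a view in which crocus resolves to 192.168.1.131, everyone else gets the real 192.168.1.129. The zone file names, the ns record and SOA values, and the crocus-afp name for manual connections are assumptions.

```conf
// named.conf fragment (added example; file names and SOA values are assumed)
acl "vpn-clients" { 192.168.1.64/28; };   // the VPN pool, 192.168.1.64-79

// BIND tries views in order and the first match-clients hit wins,
// so the narrow VPN view must come before the catch-all LAN view.
view "vpn" {
    match-clients { "vpn-clients"; };
    recursion yes;
    zone "goodeast.com" {
        type master;
        file "goodeast.com.vpn";    // crocus points away from the AFP server
    };
};

view "lan" {
    match-clients { any; };
    recursion yes;
    zone "goodeast.com" {
        type master;
        file "goodeast.com.lan";    // normal answers for the local network
    };
};

// --- goodeast.com.lan: what local-network clients see ---
// $TTL 3600
// @          IN SOA ns.goodeast.com. hostmaster.goodeast.com. ( 2007061101 3600 900 604800 300 )
// @          IN NS  ns.goodeast.com.
// ns         IN A   192.168.1.1      ; assumed address of the DNS server
// crocus     IN A   192.168.1.129    ; the real file server

// --- goodeast.com.vpn: what VPN clients see ---
// (same $TTL, SOA and NS records as above)
// crocus     IN A   192.168.1.131    ; OpenBSD host with no AFP: automounts fail instead of hanging
// crocus-afp IN A   192.168.1.129    ; assumed name for manual Finder connections, unmounted by hand
```

Because the view is chosen by the query's source address, the VPN pool must actually send its lookups to this server; a client that resolves through some other nameserver over the tunnel gets the ordinary answer. Automounts that reference the file server by IP address rather than by name are not affected by this trick at all.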