Posts for December 2010

2010-12-07: afs-monitor 2.0

Well, I was going to start going through all my AFS software and releasing new versions, but then various other things ate my brain and my life. This release has been mostly ready since the beginning of November. Oh well, better late than never.

This is the first more drastic overhaul of how I was distributing AFS software. Previously, all my AFS monitoring scripts were distributed as separate scripts from my web pages, which meant no history, no public version control repository, and various other problems. As of this release, the AFS monitoring scripts are now collected in a tarball and there's a public Git repository for the code.

Substantial changes in this release compared to the early individual scripts are:

Many thanks to Steve Rader for providing all the work he'd done to enhance our original AFS monitoring scripts.

You can get the latest version from the afs-monitor distribution page. There are also now Debian packages available (as nagios-plugins-afs) from my personal Debian repository.

2010-12-08: afs-monitor 2.1

Every .0 release has to have some sort of obvious bug, and this is no exception. check_afs_space didn't work properly when checking all partitions on a server (a one-line fix). This release has just that fix plus a new TODO file and some README documentation tweaks.

You can get the latest version from the afs-monitor distribution page.

2010-12-10: Last haul of 2010

There was a new book by Bethany McLean, so that meant another book order, and of course I can't just buy one book.

Glen Cook — Chronicles of the Black Company (sff)
Molly Gloss — Wild Life (sff)
Jane Jacobs — Systems of Survival (nonfiction)
Michael Lewis — The Blind Side (nonfiction)
Karin Lowachee — Warchild (sff)
J. Anthony Lukas — Common Ground (nonfiction)
Bethany McLean & Joe Nocera — All the Devils Are Here (nonfiction)
Susan Palwick — Shelter (sff)
Melissa Scott — The Jazz (sff)
Sudhir Venkatesh — Gang Leader for a Day (nonfiction)

2010-12-12: control-archive 1.4.0

This release adds preliminary support for chkscope parameters in checkgroups control messages and filters out out-of-scope lines. The scope is not, however, yet correctly used to determine the actual matching control.ctl entry. It also fixes Perl warnings from processing some malformed control messages and includes hierarchy updates since the previous release.

You can get the latest version from the control-archive distribution page.

2010-12-29: C TAP Harness 1.6

Working on free software is particularly rewarding when someone notices something you've done, decides that it's useful for their purposes as well, and sends feedback and suggestions that you'd never thought of. The C TAP Harness package is one of those things I wrote for a particular need (testing INN), as a hobby, and have been maintaining when I have free time since then. It already does everything I really need, but it's fun to improve periodically when I have some free time. Everything in this release is from suggestions sent by other people (particularly quite a few suggestions and patches from Carsten Hey).

The C library function is_double() now takes an epsilon and considers two doubles equal if they're within that epsilon, following best practices for comparing floating point numbers. It also correctly handles various abnormal numbers (infinity and NaN). Thanks to PICCA Frédéric-Emmanuel for this.
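The comparison rules described above, as an added C sketch that is not taken from the C TAP Harness source: `epsilon_only` and `doubles_match` are hypothetical names, and treating NaN as matching NaN is an assumption about what a test helper wants.

```c
#include <math.h>

/* Pitfall: inf - inf is NaN, and any comparison with NaN is false, so an
 * epsilon test alone reports two identical infinities as different. */
int epsilon_only(double wanted, double seen, double epsilon)
{
    return fabs(wanted - seen) <= epsilon;
}

/* Hypothetical comparison with the abnormal cases handled first. */
int doubles_match(double wanted, double seen, double epsilon)
{
    if (isnan(wanted) || isnan(seen))
        return isnan(wanted) && isnan(seen);   /* assumption: NaN matches NaN */
    if (isinf(wanted) || isinf(seen))
        return wanted == seen;                 /* same-signed infinity only */
    return fabs(wanted - seen) <= epsilon;
}
```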

There are multiple improvements to the shell libtap.sh library in this release, most notably cleaning up ok_program. It previously stripped error output after a colon to allow testing of programs whose error output has an appended system-specific message. This functionality has now been removed from ok_program, so it compares the exact output, and added to a strip_colon_error function that implements an improved version of this idea as a wrapper.

The files in this distribution meant to be copied to another package now all have licenses and URLs included in the files, rather than references to LICENSE, and compile properly with a strictly-conforming C89 compiler (in a SUSv3 environment).

There are also some other, more minor bug fixes and improvements.

You can get the latest version from the C TAP Harness distribution page.

2010-12-29: rra-c-util 3.0

The major additions in this release of my collection of C utility libraries and Autoconf probes are a new PAM utility library and a fake PAM library for testing.

The PAM utility library is something that I've been working on for much of the year. The idea originally came from seeing how annoying and repetitive the code for the options parsing in pam-afs-session and particularly pam-krb5 had become. Adding new options required changing code in multiple places, including long, tedious if trees, and duplicating default value information in several ways.

The core of the new PAM utility library is a table-driven option parser. The PAM module need only provide a table of options and default values and a struct into which those values will be written, and the option parser does the rest. The code to write the values into the struct uses some scary C type violations and some techniques that I developed when writing the "new" inn.conf parser for INN. This parser also supports reading options from krb5.conf in addition to the PAM configuration, with appropriate handling of defaults and allowing the krb5.conf support to be optional, and has some neat bits like using a binary search to find an option in the option table so that there shouldn't be much speed penalty from adding more options (apart from the unfortunately linear check for each option in krb5.conf if that's enabled).
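A table-driven parser of the kind described above, as an added sketch that is not rra-c-util's code or API: the struct, table, and function names are illustrative, and the option names are sample entries. It shows the sorted table, the binary-search lookup, and the typed store through a struct offset, and it rejects unknown or malformed arguments instead of guessing.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative config struct and option table, not the rra-c-util API. */
struct config { int debug; int minimum_uid; const char *ccache_dir; };
enum opt_type { TYPE_BOOL, TYPE_NUMBER, TYPE_STRING };
struct opt_spec { const char *name; enum opt_type type; size_t offset; };
/* Must stay sorted by name, since lookup is a binary search. */
static const struct opt_spec options[] = {
    { "ccache_dir",  TYPE_STRING, offsetof(struct config, ccache_dir)  },
    { "debug",       TYPE_BOOL,   offsetof(struct config, debug)       },
    { "minimum_uid", TYPE_NUMBER, offsetof(struct config, minimum_uid) },
};

static int option_cmp(const void *key, const void *member)
{
    return strcmp(key, ((const struct opt_spec *) member)->name);
}

/* Parse "name" or "name=value"; returns 0 on success, -1 if rejected. */
int parse_option(struct config *config, const char *arg)
{
    char name[64], *end, *slot;
    size_t length = strcspn(arg, "=");
    const char *value = (arg[length] == '=') ? arg + length + 1 : NULL;
    const struct opt_spec *opt;
    long long number;
    if (length >= sizeof(name))
        return -1;
    memcpy(name, arg, length);
    name[length] = '\0';
    opt = bsearch(name, options, sizeof(options) / sizeof(options[0]),
                  sizeof(options[0]), option_cmp);
    if (opt == NULL || (opt->type == TYPE_BOOL) != (value == NULL))
        return -1;      /* unknown name, or value presence doesn't fit type */
    slot = (char *) config + opt->offset;   /* member address from the table */
    if (opt->type == TYPE_BOOL) {
        *(int *) slot = 1;
    } else if (opt->type == TYPE_STRING) {
        *(const char **) slot = value;      /* points into arg; not copied */
    } else {
        number = strtoll(value, &end, 10);
        if (end == value || *end != '\0' || number < 0 || number > INT_MAX)
            return -1;  /* not a clean non-negative int */
        *(int *) slot = (int) number;
    }
    return 0;
}
```

Adding an option here means adding one table row and one struct member; the parsing code itself does not change.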

Also in the utility library are logging functions that handle calling pam_syslog with the right options and a vector library for handling automatically resizing arrays of strings. The latter is also used for PAM options that are actually lists of things inside the option parser.

Also in this release is a fake PAM library that implements just enough of PAM to allow a test program to call all the entry points of a PAM module. This is needed for good PAM module testing, since the system PAM library always looks at the system configuration and doesn't give the caller any control over skipping that. This library can be initialized by a test case and provides enough of the PAM library that a module will be happy, and allows the test case to inspect the internal PAM data if required.

This release also includes substantial improvements to the kafs replacement library, including Mac OS X and Solaris 11 support and support for k_haspag (even if building with a kafs library that doesn't have it). It also includes additional Kerberos portability glue and fixes some broken GCC attribute markers in the utility library.

You can get the latest version from the rra-c-util distribution page.

2010-12-29: pam-afs-session 2.0

pam-afs-session is a PAM module that creates a PAG and obtains tokens for a user at login, working with a Kerberos PAM module (such as pam-krb5) that obtains Kerberos tickets.

The main reason for the new major version is that this release finally hopefully addresses a long-standing problem with pam-afs-session on Linux: the PAM module creates a PAG and obtains tokens, pam_keyinit runs and deletes both, and then the module doesn't run again because it's already run. A lot of users have had to just remove pam_keyinit in order to make pam-afs-session work properly.

This release takes advantage of the new VIOC_GETPAG and k_haspag interface and checks, when run, whether the user is in a PAG. If they're not, because it's been destroyed by pam_keyinit for example, it creates a new PAG and obtains tokens again even if it had already run. This means that as long as pam-afs-session is after pam_keyinit in the session stack, it should work properly.

I also switched pam-afs-session over to Automake and Libtool in this release rather than hand-rolling compilation rules. This, among other things, lets me suppress all non-public symbols on all platforms, not just on Linux. I had very positive experiences with doing this on pam-krb5 (not a single user complained or had trouble building the module), so hopefully the same will hold with pam-afs-session.

This release also adds untested support for the new AFS system call methods on Mac OS X and Solaris 11 (which use an ioctl in /dev instead of a system call) and updates the configure options used to configure kafs support.

Other bug fixes in this release include avoiding returning an uninitialized value from pam_open_session when notokens is set, removing module data on pam_close_session so that opening multiple sessions with the same PAM handle should work, fixing a configure error when built with --without-krb5, and properly reporting ignore status when debugging is enabled.

Finally, and this should make a big difference for maintainability going forward, this release includes a test suite and uses the new PAM utility layer and fake PAM testing library from rra-c-util 3.0.

You can get the latest version from the pam-afs-session distribution page.

2010-12-31: pam-krb5 4.4

I had accumulated some fixes and felt like doing one more software release before the new year. It starts the year off on a good note.

The main change in this version is a bug fix (and, unfortunately, a bug reintroduction) in the PKINIT support for MIT Kerberos. In trying to fix an issue where the user's password wasn't saved in the PAM stack if PKINIT failed and the module fell back on prompting, I added a password prompt in all cases, even if try_pkinit was set. Since with PKINIT the user may not have a password, that's confusing to say the least.

This release fixes that at the cost of reintroducing the problem of not saving the user's password in the PAM stack if PKINIT fails. I know how to fix this, but it will require a substantial reworking of the control flow for doing PKINIT authentications under MIT Kerberos. It's something that I've wanted to do anyway, since it will make the code more analogous to the Heimdal code and easier to maintain, but that will have to wait for another release.

This issue only affects MIT Kerberos. Heimdal has a much nicer (at least for my purposes) interface for PKINIT authentication that doesn't present the same problem.

This release also reorganizes the pam_krb5 man page to break the configuration directives up into sections. It's still a bit hard to follow since there are so many options at this point, but this will hopefully make it a bit more readable. Finally, there are some additional portability fixes.

You can get the latest version from the pam-krb5 distribution page.

Last spun 2014-04-06 from thread modified 2013-01-04