Posts for September 2013

2013-09-12: AFS::PAG 1.00

One of the very long-standing problems with AFS is that it doesn't have a stable library interface or API. The situation with shared libraries is even worse. Despite that, there is a native XS AFS Perl module that tries to provide a native Perl interface to the various AFS libraries, despite all of their quirks. We've used that off and on for various things over the years.

Unfortunately, the historic AFS code used an LWP (lightweight threading) implementation that relied on hairy C internals, and when Perl switched over to being threaded with POSIX pthreads by default, the loadable module started having trouble. Various people managed to keep it limping along through Debian's squeeze release, but as of wheezy it just no longer worked; the thread mismatches and the mismatches between the various AFS libraries were too severe.

There's work in progress to fix this by building yet another profile of the AFS libraries, with all their warts, but in the meantime we needed access to the AFS PAG functions for various backend scripts. Everything else the Perl module did could be replaced by running the regular commands and parsing their output, but setpag has to be called in the process that should be affected to work safely. Hence this module.

AFS::PAG provides a native Perl interface to the API exposed by libkafs and libkopenafs for PAG manipulation: hasafs, haspag, setpag, and unlog. (Eventually it might provide access to pioctl, but I haven't done that work yet.) It supports any platform that has a libkafs or libkopenafs, or Linux without either (by implementing the pioctl interface itself).

You can get the latest version from the AFS::PAG distribution page.
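The reason setpag has to run in the affected process, shown as an added example (not code from the AFS::PAG distribution): a backend script forks, puts only the child in a new PAG, obtains tokens there, and discards them afterwards, so the parent never holds those credentials. It assumes the four functions named above are importable by name and that setpag and unlog throw on failure, that `aklog` is on the PATH with a valid Kerberos ticket cache available, and the `run_in_new_pag` helper and the job path are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use AFS::PAG qw(hasafs haspag setpag unlog);

# Hypothetical helper: run a command with AFS tokens confined to a fresh PAG.
# Returns the child's exit status (0 on success).
sub run_in_new_pag {
    my (@command) = @_;
    die "AFS is not available on this host\n" unless hasafs();

    my $pid = fork;
    die "cannot fork: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child. setpag applies to the calling process, so it must happen
        # here, after the fork, and not in the parent or in a helper command.
        my $status = eval {
            setpag();
            die "not in a PAG after setpag\n" unless haspag();

            # Tokens obtained from here on are attached to the new PAG only.
            system('aklog') == 0 or die "aklog failed\n";

            my $rc = system(@command);

            # Drop the tokens explicitly instead of waiting for them to expire.
            unlog();
            $rc == 0 ? 0 : 1;
        };
        warn "run_in_new_pag: $@" unless defined $status;
        exit(defined $status ? $status : 2);
    }

    # Parent: its own PAG (or lack of one) and tokens are unchanged.
    waitpid($pid, 0);
    return $? >> 8;
}

# Run only when executed directly; the job path is a constructed placeholder.
unless (caller) {
    my $status = run_in_new_pag('/usr/local/bin/example-afs-job');
    exit $status;
}
```

Calling setpag in the parent instead would move the whole script, and everything it later spawns, into the new PAG, which is the side effect the fork avoids.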

2013-09-16: pam-webauth-otp 1.0

One of the things that was added to WebAuth when we added support for multifactor authentication was the ability to talk to an external user information service. We wanted to keep the details of the multifactor authentication implementation out of WebAuth itself and encapsulate them in a service that WebAuth calls so that we could replace it with something else later and so that each site could do multifactor authentication in their own way. (It looks like we're going to be using that capability, so I'm very glad we designed it that way.)

That, however, also means that the same interface used by WebAuth could be used for other things. This PAM module is the first non-WebAuth use of that API. It provides the ability to prompt for an OTP code as part of the PAM authentication stack and then verify that code against the WebAuth user information service.

This is only the bare beginnings of a full PAM integration with the user information service, and it doesn't do lots of things that it could. (For example, do anything with the list of configured factors, show reasonable error messages if a user doesn't have the right things configured, or even support the SMS multifactor method that requires a callout to send the SMS message in advance of the authentication.) But it works, and for any multifactor method that doesn't require a user interaction beyond a code entry, it's fairly clean.

This is the first public release, with documentation and a test suite. (There was an earlier, undocumented internal 0.1 release.) It's too soon to say whether we'll keep using this in the long run, but we're using it right now in production and will continue to do so for a little bit at least. I suspect this will prove a viable long-term approach, with some possible changes to the way the user information service abstraction layer works.

You can get the latest version from the pam-webauth-otp distribution page.

2013-09-22: podlators 2.5.2

This is a bug-fix release to my POD translator package, which contains Pod::Man and Pod::Text and is used by Perl core to format POD documentation. This is not, alas, the long-awaited overhaul of UTF-8 handling; that's still coming at some point in the future.

The primary changes in this release are various performance patches from Dagfinn Ilmari Mannsåker from work on profiling all the Perl core modules. I learned from merging those packages that reversing a long string can make regex replacement operations on the tail faster, even with the time required to reverse the string twice. I'm surprised.

This release also wraps the Pod::Simple parse_lines and parse_string_document to set the default output to STDOUT, similar to what was already done with parse_file, since some of the one-liners that people were testing would have produced confusing error messages without this. It fixes handling of POD documents with error sections and no other content, thanks to a bug report by Andreas Koenig. And it fixes typos and other documentation issues, thanks to Andreas, David Steinbrunner, and Brian Gottreu.

You can get the latest release from the podlators distribution page.

Last modified and spun 2017-11-18