Posts for November 2015

2015-11-27: rra-c-util 5.9

A minor release of my C utility library, including some changes required for the previous release of pam-afs-session and the upcoming release of remctl.

The Kerberos portability layer now correctly defines the strings for dealing with anonymous principals when built with Heimdal, and adds KRB5_ANON_REALM (required for doing the authentication). The PAM testing framework has some improvements for handling pam_modutil_getpwnam and supports testing against PAM_SESSION_ERR.

You can get the latest version from the rra-c-util distribution page.

2015-11-27: remctl 3.10

remctl is a simple and secure remote command execution protocol using GSS-API. Essentially, it's the thinnest and simplest possible way to deploy remote network APIs for commands using Kerberos authentication and encryption.

Most of the work in this release is around supporting anonymous authentication for an upcoming project of mine. This included cleaning up ACL handling so that clients that authenticated with anonymous PKINIT didn't count as ANYUSER (it's not likely this would have been a security problem for existing users, since you would have had to enable anonymous service tickets in your KDC), and adding new anyuser:auth and anyuser:anonymous ACLs that are explicit about whether anonymous users are included.

With this change, it's possible, using a KDC with anonymous service tickets enabled, to use anonymous PKINIT to make entirely unauthenticated remctl calls. I plan on using this with wallet to support initial system key bootstrapping using external validation of whether a system is currently allowed to bootstrap keys. Note that you need to be very careful when enabling anonymous service tickets, since many other Kerberos applications (including remctl prior to this release) assume that any client that can get a service ticket is in some way authenticated.

Also new in this release, the server now sets the REMOTE_EXPIRES environment variable to the time when the authenticated remote session will expire. This is usually the expiration time of the user's credentials. I'm planning on using this as part of a better kx509 replacement to issue temporary X.509 certificates from Kerberos tickets, limited in lifetime to the lifetime of the Kerberos ticket.
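The two things a certificate-issuing remctl backend has to get right from the paragraphs above are recognizing an anonymous PKINIT caller (which the new anyuser:auth/anyuser:anonymous ACL split exists to make explicit) and capping what it issues at the remaining lifetime of the session reported in REMOTE_EXPIRES. The following is an added illustration, not code from remctl, wallet, or the author: it assumes REMOTE_USER holds the authenticated principal and REMOTE_EXPIRES holds seconds since the Unix epoch (the form remctld documents, but treat it as an assumption here), and it matches the anonymous principal name WELLKNOWN/ANONYMOUS from RFC 6112 by name component only, since realm-exposed anonymous tickets carry the KDC's realm rather than WELLKNOWN:ANONYMOUS. The backend name and sample environment are constructed for the example.

```python
"""Lifetime-capping helper for a hypothetical remctl backend that issues
short-lived X.509 certificates (an added example, not project code)."""
import os
import time

# Anonymous principal per RFC 6112.  Fully anonymous tickets use the realm
# WELLKNOWN:ANONYMOUS; realm-exposed anonymous PKINIT keeps the KDC's realm,
# so only the name component is compared.
ANONYMOUS_NAME = "WELLKNOWN/ANONYMOUS"
ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"


def is_anonymous(principal):
    """True if the remctl caller authenticated with anonymous PKINIT."""
    name = principal.rsplit("@", 1)[0]
    return name == ANONYMOUS_NAME


def issuance_lifetime(env, requested, now=None):
    """Seconds a certificate may be valid for this remctl session, or 0 to
    refuse issuance.

    env is the environment remctld hands to the backend (REMOTE_USER,
    REMOTE_EXPIRES, ...).  The result is the smaller of the requested
    lifetime and the time left on the caller's Kerberos session, so the
    certificate never outlives the ticket used to obtain it.  Issuance is
    refused (0) when the caller is anonymous, when REMOTE_EXPIRES is absent
    (a remctld older than 3.10), when it is not an integer, or when the
    session has already expired.
    """
    if now is None:
        now = time.time()
    user = env.get("REMOTE_USER", "")
    if not user or is_anonymous(user):
        return 0  # anonymous: no identity to bind a certificate to
    expires = env.get("REMOTE_EXPIRES")
    if expires is None:
        return 0  # fail closed rather than guess a lifetime
    try:
        remaining = int(expires) - int(now)
    except ValueError:
        return 0
    if remaining <= 0 or requested <= 0:
        return 0
    return min(requested, remaining)


def main():
    # Use the real remctld environment if present; otherwise a constructed
    # sample environment so the script can be run stand-alone.
    env = os.environ if "REMOTE_USER" in os.environ else {
        "REMOTE_USER": "host/build.example.com@EXAMPLE.COM",
        "REMOTE_EXPIRES": str(int(time.time()) + 3600),
    }
    lifetime = issuance_lifetime(env, requested=86400)
    if lifetime == 0:
        print("refusing: caller %r has no usable authenticated session"
              % env.get("REMOTE_USER", ""))
    else:
        print("caller %s: issue certificate valid for %d seconds"
              % (env["REMOTE_USER"], lifetime))


if __name__ == "__main__":
    main()
```

The refusal for anonymous callers is deliberate: with anonymous service tickets enabled on the KDC, a ticket proves nothing about who is asking, so a backend that issues credentials should require anyuser:auth (or a more specific ACL) in remctl.conf and still check REMOTE_USER itself, since an ACL typo is the one failure this code can catch.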

This release also includes some portability fixes, a bug fix for the localgroup ACL for users who are members of lots of local groups, and some (mildly backwards-incompatible) fixes for the Python RemctlError exception class.

You can get the latest release from the remctl distribution page.

2015-11-28: podlators 4.00

podlators is the distribution that includes the Pod::Man and Pod::Text modules for Perl, plus the pod2man and pod2text driver scripts (among a few other, more minor things).

I've been working on a new release of this for a couple of years and got trapped in a cycle of always wanting to finish up one more thing before making a release. (Really need to fix Unicode handling once and for all! Oh, I have a much better idea for how to do testing! I should really revise all of this code for my current coding style!) But some discussions elsewhere reminded me of the merits of release early and often, so I decided to finally put something out.

There are quite a few accumulated changes, although not as many as the major version increase would indicate. I did that so that I could standardize on the same version number in all of the modules and switch to a much simpler versioning scheme. That required increasing the major version to something higher than all the component modules.

Other than that, there are mostly a bunch of bug fixes, but also a lot of changes to Pod::Man to support Debian's reproducible build effort. The code is now more predictable and reliable about how it generates dates, and supports two new ways of forcing the date in generated documentation to a particular value so that builds are more predictable.

I also changed the build system over to Module::Build, although it also provides a Makefile.PL file so that it can be built as part of Perl core.

You can get the latest version from the podlators distribution page.

Last modified and spun 2017-07-01