Arun Perinkolam's Weblog



20050612 Sunday June 12, 2005

 Moved...

This weblog has now been moved to http://perinkolam.blogspot.com

(2005-06-12 22:41:24.0/2005-06-12 22:34:42.0) Permalink Comments [4]
Trackback: http://blogs.sun.com/arunpn/entry/moved

20050206 Sunday February 06, 2005

 Kerala through a Kaleidoscope

On my trip to India during Dec 2004, I vacationed in Kerala with my family. A place which people call 'God's own country' and which lives up to the reputation every single bit. With nature at its best, the only thing you can possibly do is relax !

And it was a perfect opportunity for me to do the two things I enjoy doing most: enjoying mother nature and making beautiful photographs. Check it out yourself.

(2005-02-06 18:02:20.0/2005-02-06 17:54:19.0) Permalink Comments [3]
Trackback: http://blogs.sun.com/arunpn/entry/kerala_through_a_kaleidoscope

20041201 Wednesday December 01, 2004

 Working from India !

I have been working for the past couple of weeks from India and let me tell you first up that it's been great so far and I am enjoying every bit of it. The first two weeks were spent at IEC (India Engineering Center), Bangalore, where I was stationed amongst the Solaris Sustaining folks on the 6th floor. The Solaris Sustaining folks (a lot of whom I already knew) are extreme fun to hang out with. They probably take Scott's motto of "Let's kick butt and have fun" a little too seriously :) ... yes, believe me. Bangalore is a nice place, excellent weather all year round and lots to do for the socially active. The only thing that probably put me off was the traffic and the absolute indiscipline that most drivers strictly seem to follow. Whilst I was in Bangalore I also got to meet fellow, highly acclaimed bloggers like Chandan.

I am currently working off of the Sun office in Bombay (Bandra), which is much smaller than Sun's presence at Langford Road, Bangalore but very well-equipped and packed with busy Sun Sales personnel.

Bottom-line is that Sun is probably one of the most telecommute-friendly companies around, and working remotely @Sun is practically painless.

(2004-12-01 02:16:30.0/2004-12-01 02:11:24.0) Permalink
Trackback: http://blogs.sun.com/arunpn/entry/working_from_india

20041004 Monday October 04, 2004

 What's New in Solaris Kerberos?

So if you haven't guessed already, I am an engineer working in the Solaris Kerberos Development team. I interned with Sun whilst I was doing my graduate studies at USC, and then came back to join Sun full-time, March 2001 and have enjoyed every working day since.

Solaris has had support for Kerberos since the 2.6/2.7 days; it was available as an unbundled product then (many of you might know it as SEAM - Sun Enterprise Authentication Mechanism). Solaris 9 had both the client and server bits bundled in and Solaris 10 now has the full feature set (we bundled in the last remaining piece, viz. the Kerberos Remote Applications, into S10). Solaris Kerberos has had a fairly decent overhaul in S10, with a slew of important projects, RFEs (requests for enhancement) and bugfixes going in. I have tried to list the important ones below:

Kerberos Remote Applications : Kerberos support for remote applications such as telnet, ftp, ssh, rlogin, rsh, rdist and their corresponding daemons was added. Previously this (except ssh) was available in s8/s9 as an unbundled product, which could be downloaded separately. Excepting ftp and ssh, which talk GSSAPI, the other apps talk to the Kerberos API directly for credential retrieval, verification etc. This was mainly so we do not break interoperability with the corresponding apps from MIT and other MIT-based Kerberos vendors. All crypto operations (AES, RC4-HMAC, 3DES, DES) are provided for by the Solaris Cryptographic Framework.

PAM Kerberos enhancements : The Kerberos PAM module has undergone some major cleanup, mainly so that it better complies with PAM standards: better error-code returns and removal of support for unnecessary options such as use_first_pass/try_first_pass and the xfn-related options. Another important and extremely useful addition was that of the PAM Kerberos Auto-migrate module, pam_krb5_migrate(5). This module, when listed on the PAM stack for a particular service (dtlogin, rlogin, ssh, telnet), will try to automatically migrate the Solaris user in question to the default Kerberos realm (the one listed in the local Kerberos configuration file), if the user does not already have a valid Kerberos account. The newly formed Kerberos account will retain the user's current unix password. This feature will prove very useful to IT organizations in industry/academia who are looking for a convenient way to migrate users to their local Kerberos realm, without admin intervention.

SPNEGO : Solaris now has support for the Simple and Protected GSSAPI negotiation scheme. This primarily enables GSSAPI client-server applications to successfully negotiate a GSSAPI mechanism supported by both the negotiating parties. Currently, KerberosV5 is the only GSSAPI mechanism available in Solaris, and SPNEGO is available as a GSSAPI plugin, mech_spnego(5). Microsoft AD uses SPNEGO for authentication to web, LDAP and other services, so this feature greatly helps improve our interop story with them in the security space. Btw, Microsoft's SSPI Negotiate protocol which uses SPNEGO is not RFC compliant (surprise !), so we have added a special option to interoperate with them.

IPROP : Solaris 10 Kerberos now has a rocking, home-grown incremental propagation scheme that keeps the Kerberos KDC master and slave databases in sync, up to an accuracy of 1/100,000th of a second. Ok, it's not that efficient but it's pretty good :). This replaces the age-old, inefficient, manual dump and transfer scheme, kprop(1M), that the MIT implementation has, and one that has obvious coherency issues. The new functionality has been bundled into existing Kerberos daemons, and can be switched on with just one extra line to the Kerberos KDC configuration file (kdc.conf) on the master and slave(s). There is also an extremely useful update log observability tool, kproplog(1M), which can be used to observe the status of the update logs on the master and slave(s). No more kprop, no more cron !

Re-syncs & others : Amongst other things, our Solaris Kerberos mechanism and the KDC have been re-sync'ed with MIT 1.2.1, mainly to pull in several bugfixes and feature enhancement contributions from the open source community. Other RFEs include addition of 3DES support, TCP & IPv6 support, lookup of KDC location, host-to-realm mapping using DNS, krb5 password change support for non-Solaris clients and improved replay cache performance. As already mentioned, Solaris Kerberos now just interfaces with the Solaris Cryptographic Framework for all its crypto operations, as opposed to making native Krb5 API calls. This helps Kerberos leverage the latest/greatest crypto algorithms now, and in the future too, without major re-work. In the same vein as pam_krb5_migrate(5), which helps in quick, easy user migration to a Kerberos realm, S10 offers kclient(1M) for client machines. This cmdline utility helps to convert an up-and-running system into a Kerberos client, without a sweat. The utility can be conveniently used in either the interactive or the profile mode, and offers various options such as setting up the machine as a Krb5 NFS server amongst others.
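Added example, not part of the original post or of Sun's code: a minimal DER walk that lists the mechanisms a SPNEGO NegTokenInit offers, run over a constructed token, which is a quick way to see what a peer is actually negotiating when an interop problem is suspected. The post does not say what its interoperability option changes; the legacy Microsoft Kerberos OID labelled below is one publicly documented deviation and is shown here as an assumption, as are all function and variable names.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",  # assumption, see lead-in
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# Constructed sample token (not a capture): SPNEGO header plus three mechTypes.
SAMPLE = bytes.fromhex("6032" "06062b0601050502" "a028" "3026" "a024" "3022"
                       "06092a864882f712010202" "06092a864886f712010202"
                       "060a2b06010401823702020a")

def read_tlv(buf, pos, want_tag):  # one DER element -> (value_bytes, next_pos)
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = length-of-length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content octets -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:                         # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)          # first octet group packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def offered_mechs(token):  # -> [(oid, label)] in the initiator's preference order
    outer, _ = read_tlv(token, 0, 0x60)            # [APPLICATION 0] wrapper
    oid, pos = read_tlv(outer, 0, 0x06)            # thisMech must be SPNEGO
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    choice, _ = read_tlv(outer, pos, 0xA0)         # NegotiationToken choice [0]
    init, _ = read_tlv(choice, 0, 0x30)            # NegTokenInit SEQUENCE
    field, _ = read_tlv(init, 0, 0xA0)             # mechTypes [0]
    seq, pos, mechs = read_tlv(field, 0, 0x30)[0], 0, []
    while pos < len(seq):
        oid, pos = read_tlv(seq, pos, 0x06)
        mechs.append(decode_oid(oid))
    return [(m, KNOWN_MECHS.get(m, "unknown")) for m in mechs]
```

An acceptor that only knows the standard Kerberos OID would skip the first entry of this constructed token and match the second.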

As pointed out several times by other Solaris bloggers @Sun, these features are already there for you to try out if you are subscribed to the Solaris Express program. If not you might have to wait just a bit longer for Solaris 10 to GA.

Enjoy,
Arun.

(2004-10-04 13:58:09.0/2004-10-04 10:52:40.0) Permalink Comments [3]
Trackback: http://blogs.sun.com/arunpn/entry/whats_new_in_solaris_kerberos

20040819 Thursday August 19, 2004

 Nepenthe & Big Sur, CA

Couple of weeks back, myself and a friend of mine from Grad School drove down Highway 1, along the Pacific Coast to Nepenthe and Big Sur.

I have been to Big Sur about 5 times already and will never cease to appreciate the splendid natural beauty that the place has to offer. The drive along PCH with your windows rolled down, with half your attention on the wheel and the other half on the setting sun, is simply put, exhilarating.

The link below has a few of the pics I liked, amongst the several I shot that day.
Hope you enjoy them !

Link - http://www.pbase.com/arunpn/nepenthe_big_sur_ca

(2004-08-19 11:18:00.0/2004-08-19 11:14:55.0) Permalink Comments [1]
Trackback: http://blogs.sun.com/arunpn/entry/nepenthe_big_sur_ca

20040728 Wednesday July 28, 2004

 Sun Labs Open House 2004

Attended the Sun Labs Open House at Mountain View today.

I have always been really impressed with all the cool stuff being worked on in Sun Labs. Since this was my first Open House attendance, it felt great to see the demos and technologies being worked on, first hand. A few that caught my attention were:

1. Next Generation Desktop (a.k.a Project Looking Glass) - The demo was great. I thought this was one project where a well-thought out, powerful demo could really sweep the customer off his/her feet. If you are itching to get it onto your GNOME desktop environment, you can download it from here. Sun employees, I believe, can download a more recent developer's release. I was told by the demo'er that MS is working on something similar which is very surprisingly named Arrow-Glass.

2. Next Generation Internet Security - I have been following the ECC work that Sheueling, Vipul Gupta and others have been working on, for some time now. Sheueling gave a quick, to-the-point overview of ECC-based public key exchanges and in her viewpoint, the big role it's going to play in futuristic public key products. She also pointed out its very glaring advantages as far as reduced key sizes, and its difficult-to-ignore performance benefits (which improve exponentially as the processor addr space gets smaller) especially on smaller processors like 8-bit, 16-bit.

3. xACML - Extensible Access Control Markup Language - An easy-to-use authorization framework that Seth Proctor and co. have worked on, and could be integrated into any application that wants to do authz. The first thing that came to mind was the crappy .k5login approach that Kerberos uses to do authz, maybe something to think about for our team in order to provide a more complete auth + authz package for Solaris, if found feasible. For more info see xACML on sourceforge.

4. Proximity Communication - I was blown away by this concept, this was the first I had ever heard of it ... so, yeah pls pardon my ignorance. David Hopkins gave us a rundown of the approach of face-to-face chips, which essentially communicate wirelessly and the advantages that it offers like almost-zero wiring, reduced chip sizes, increased throughput/performance in inter-CPU communication/cross-calls (say) etc.

Before I got back to Menlo Park I thoroughly enjoyed a Sun-subsidised $1 cappuccino :).
An afternoon well-spent.



(2004-07-28 21:08:38.0/2004-07-28 21:02:28.0) Permalink Comments [1]
Trackback: http://blogs.sun.com/arunpn/entry/sun_labs_open_house_2004

20040721 Wednesday July 21, 2004

 The Canon DRebel

I got really interested in photography roughly a year or so ago.
Was contemplating on which digital camera (P&S) to purchase for quite
some time, and that's when DD (a.k.a Debojyoti Dutta), a buddy of mine
from USC suggested that if I am interested in photography to an extent
beyond the average P&S user I should give serious thought to Canon's
new digital SLR (priced below $1000) on the block, the
Digital Rebel (EOS 300D).

I decided to take the $1000 plunge, Dec 2003 and I have been shooting away
ever since. Photography can get really infectious and addictive, and I am
enjoying every freakin bit of it. Apart from the kit lens, I now also own the
70-200mm f/4L and the 50mm f/1.4, both of which are lenses of outstanding
quality, and deliver images which are tack-sharp, especially the former (check out
the USAF thunderbirds pics in the link below, which gave my 70-200 some good workout).

If you are thinking on the lines of gifting yourself a new dSLR, definitely give
a thought to the DRebel (Nikon also has come out with the D70 as its entrant into
the sub $1000 dSLR space).

For evidence, check out a few of my photo galleries at - http://www.pbase.com/arunpn,
and please do leave comments and vote for pics that you really enjoyed.

Cheers,
  Arun.



(2004-07-21 23:07:42.0/2004-07-21 23:05:09.0) Permalink
Trackback: http://blogs.sun.com/arunpn/entry/the_canon_drebel

20040716 Friday July 16, 2004

 The Asia cup

India survived the first match against UAE yesterday, thanks to a hundred by "The Wall", a.k.a Rahul Dravid. It's just $15 on dishnetwork, so I hope all you desis have subscribed for it :)

(2004-07-16 15:10:01.0/2004-07-16 15:10:01.0) Permalink
Trackback: http://blogs.sun.com/arunpn/entry/the_asia_cup

 Entering the world of blogs ....

This would be the first post to my personal weblog (a concept which is creating ripples in all online user communities). I am just getting my feet wet here and still have to get used to publishing these status reports on a daily basis, as if my manager-enforced ones weren't enough, just kidding :) ... but I love the concept.

Anyways kudos to all who came up with the easy to use front-end interface for blogs.sun.com, great job!
More from me later....

(2004-07-16 15:10:43.0/2004-07-16 14:00:08.0) Permalink
Trackback: http://blogs.sun.com/arunpn/entry/trying_again

