All things security - Single Sign On technology, Certificates, Encryption. Security Blanket

Tuesday May 17, 2005

Big News

Everyone has probably already seen the announcement regarding Sun and Microsoft interoperability. This is a very cool announcement, and it is something that we have been working on for quite a while in lots of different ways.

The technical details in these announcements are typically glossed over and discussed at a very high level. At my level, I've been involved in various "Microsoft Interoperability" projects for several years, mostly involving Kerberos and single sign-on technologies. I have worked with Microsoft people in various IETF working groups for several years and have always found them to be very smart and easy to work with. As engineers, we are usually more interested in getting stuff to work correctly and less interested in the executive-level sparring that has occurred in the past.


Regarding the new interoperability

This document describes the protocols used to achieve the web-based single sign-on that is covered by the agreement. Note that this is NOT the same as the GSSAPI/SPNEGO web-based single sign-on technology that I described here. This new interoperability protocol is based on the Web Single Sign-On Metadata Exchange Protocol, which involves XML, SOAP, HTTP, and a bunch of "WS-*" protocols. It does not involve any Kerberos or GSSAPI token exchanges.


The other SSO protocol

HTTP Auth-Negotiate with GSSAPI/SPNEGO is useful for extending Kerberos SSO to internal web sites that only need to authenticate the user. The Web SSO MEX protocol gives the server access to a lot more information beyond just the user's authentication credentials; the "metadata exchange" part of the name (MEX) refers to all of the other information that can be conveyed in the exchange. The Kerberos SSO exchange typically involves only authentication credentials (tickets) and not a lot of extra data associated with the identity being asserted.

Kerberos by itself would never get us close to the level of interop provided by Web SSO MEX. Web SSO MEX allows for interop across environments that use Liberty and WS-Federation and makes it possible to use the Java Enterprise System OR Windows 2003 Servers, which is a big win for enterprise customers that typically have a mix of both and have been frustrated in the past by the inability to leverage both in a compatible way. This announcement should not discourage companies from moving forward with Kerberos integration and improving internal security. Kerberos SSO is more than just web authentication; it can be applied to lots of other non-Web based protocols as well. In Solaris 10 (and later) SSH, LDAP, FTP, telnet, rlogin, and rsh are all Kerberized. Other protocols like SMTP (mail), POP, and IMAP can also be Kerberos enabled with combinations of protocols like SASL/GSSAPI/Kerberos, thus extending SSO to almost all of the most commonly used protocols inside of an enterprise (big or small).

So, while I view this announcement as a very positive step forward for Sun, I think there may be some confusion over the details of the protocols being used (or not used, as the case may be for Kerberos). As I learn more, I will try to clarify the differences in the future.

Friday May 13, 2005

Remember the day when concert tickets were in the $10-$20 range? Me either. Well, that's not true either. I do recall paying around $14 for several shows at the Pittsburgh Civic Arena (since renamed "Mellon Arena"), back in my high school years. Today, great seats for a popular tour can easily go well above $100 a seat (which, I *think*, is well above the inflation rate). I read that the Rolling Stones are offering their "Gold Circle" seats for their upcoming tour for about $450. Ouch. I like the Stones (or, at least I like the music they made back in the 1967-1971 period, plus Some Girls and Tattoo You a little later), but I think I would have to settle for some of the cheaper and more distant seats if I were to go to that one.

Which brings me in a roundabout way to my real topic ... U2. I love U2. Really. I'm going to the show in Philadelphia tomorrow night. Then I gotta wait 5 months for their 2 October shows in Wash DC. For all of these shows, I decided to pay up for the expensive seats and have a good view of things. It worked out great last tour: I was right next to the stage, about 10 rows up. I suppose I could have taken my chances on the $50 GA tickets and tried to get lucky and get into the "bomb shelter" (i.e. inside of the catwalk circle that extends out into the floor). Odds are low (I've read it's about 1 in 5) and if you don't make it you are likely stuck craning your neck all night and dealing with lots of pushing and shoving for a bad view. I'd love to get into the circle, but I'd prefer to pay for a known quantity in this case.

The cool thing about this tour is that Sun is powering the "ONE" campaign, as fellow blogger MaryMary has blogged about extensively. She was actually lucky enough to meet Bono (and some other celebs). I am not hooked into that part of the business and will have no such access, but I am looking forward to the show(s).

With all the hype for the new Star Wars movie coming out next week (I think), I found this funny blog from none other than Darth Vader himself.

Some of the comments are almost as funny as the blog itself.

Thursday May 12, 2005

OpenSolaris is coming! The world will get to see, warts and all, the gory details of how and why Solaris works the way it does. I'm not actively involved in any sort of decision making on how OpenSolaris will work or how code contributions from outside of Sun will be reviewed. I do know how things work from the inside, though. In addition to the obvious requirements that new code doesn't break old code, interface stability rules must be maintained, and architectural integrity must be respected, there are other "rules" that we (inside Sun) must follow. Among these are our "cstyle" rules - rules that govern how the code must appear (braces and indentation rules, for example).

This sort of thing (enforcement of style rules) has been known to spark religious wars in some companies that I worked at prior to Sun and is always a contentious subject when 2 people with different style preferences try to merge their code.

I read an interesting article yesterday on Joel On Software about coding standards and how code styling standards can be misused (as well as how and why they are indeed useful). Mostly the article is about Windows programming and there is considerable discussion on Hungarian notation and the use of exception handlers in Java and C++. It is all sort of interesting and timely (at least for me) because I've been wondering how the external community will view our code from a readability and "stylistic" point of view. I guess we'll find out soon enough...

Wednesday May 04, 2005

I borrowed some CSS from fellow bloggers MaryMary and Martin today to give my blog the new corporate look (see Sun.Com).

I bought a book on CSS a while back called 101 Essential Tips, Tricks, and Hacks (by Rachel Andrew) from SitePoint and found it to be very helpful in designing web pages WITHOUT having to use a lot of TABLE tags. This book is especially good for someone (like me) who prefers to learn by looking at examples. This book has tons of good examples as well as descriptions. I highly recommend it for anyone who is interested in learning or writing web pages using CSS.

Tuesday May 03, 2005

I see that Sun has a new look on our website today - I like it. I then noticed that my blog is linked from the Solaris Security Page as a Security related blog. Hmmm, I sort of feel obligated to post a bit more frequently now and try to remain topical (it's hard).

Lately, I've had my head buried in ASN.1 encoding and decoding software. If you have ever needed to parse ASN.1 data, you may sympathize with me a bit - it is a pain. There are some freeware tools for helping encode and decode ASN.1 data, but upon closer investigation they always seem to fall short in some critical area, such as being able to parse and compile a complex ASN.1 syntax like PKCS#12. Anyway, if anyone can recommend a good ASN.1 package, I'd love to hear from you. (I've already looked at esnacc and asn1c.)

Friday Mar 18, 2005

If you do a lot of digital photography, you probably have certain tools that you like to use in your "digital darkroom". Photoshop is usually considered THE tool for "serious" photogeeks. Yes, I know, it doesn't run on Solaris (or Linux), but when I am working on photos I want the best tool for the job and am not going to let OS religion dictate my choice of tool. However, Photoshop CS is also seriously expensive for the full blown version.

The Gimp is a very powerful tool that is included in Solaris 10 and on most Linux distros. Personally, I don't care for the Gimp interface, but that's not to say it won't do the job. GIMP does have a nice interface for adding extensions, and there is a growing community of GIMP extension developers who are always adding nice enhancements. Most digital workflow steps can be performed in the Gimp just as in Photoshop. It's a matter of choice and convenience.

One thing that the GIMP and Photoshop do not offer is a way to manage huge libraries of photos. I have thousands of images on my hard drive, and searching through lots of subdirectories and looking at non-descriptive filenames (ex: DSCN01234.JPG) is not a very efficient system. There are a lot of packages out there for managing digital photo libraries. If anyone actually reads this, maybe I will get a bunch of suggestions for OpenSource photo managers that I can try out and report on later.

I have always liked using ACDSEE: it is very fast, it has nice browsing features, and it has great archiving, backup and restore features. It also includes an editor which can do all of the most common digital "tweaks" that one usually performs.

My new favorite tool is Picasa2 from the folks at Google. The interface is slick, though the editing tools are more limited than those from ACDSEE, Gimp, or Photoshop. However, the editing features that they do offer are really easy to use, and I have had excellent results using Picasa2 to adjust my photos for web publishing. It has nice features for archiving, backup/restore, and searching. I highly recommend using this if you keep your photo library in Windows and need a good utility for managing and doing basic "digital darkroom" operations.

Here is my photo gallery, most of the photos in this were edited with Photoshop, but I am starting to use Picasa2 more and more now.

Friday Mar 11, 2005

I recently returned from a trip to a couple of our offices in Asia to help spread the good word about Solaris 10 to our internal people and key partners. There were a lot of people involved and it was very interesting all around. As Solaris engineers, we tend to lose track of the fact that the rest of the world is only now being introduced to Solaris 10, and all the new features that we are familiar and comfortable with are sometimes confusing and exotic to others. So, getting out and presenting our technical features to the outside is very important and beneficial to Sun in general.

A nice side benefit of trips like this is that I get to visit exotic (and not so exotic) foreign places and practice my photography skills.

So, here are some albums from my recent visit.

Thursday Mar 10, 2005

Occasionally I hear or read requests from people wanting to use Kerberos authentication for Web access, especially with Firefox and Mozilla since they now have this capability. Below is a document I wrote up a while ago that explains how to do this with Solaris 10. Everything you need to set it up and use it is included in S10 - Mozilla, Apache, Kerberos, and GSSAPI are all bundled and available today. Hopefully this is helpful...

Single Sign On Web Authentication

This document describes how to configure the various pieces needed to set up a web server to participate in a Kerberos single sign-on (SSO) environment using a standard web server such as Apache or Microsoft IIS. It does not describe specialized Web-SSO systems such as that offered by the Access Manager product.

Introduction

Web based SSO using Kerberos typically means following the specification that Microsoft released which describes how they do Kerberos auth for web. A copy of this (now expired) IETF draft is here.

SPNEGO is an IETF protocol that is used by GSSAPI applications to negotiate the underlying mechanism to be used. It is known as RFC 2478. It is NOT designed specifically for HTTP use, and it was not written for the sole purpose of facilitating web-based SSO. There are other security protocols that make use of it, most notably SASL, which is often used for secure LDAP authentication.

There are 3 pieces needed in order to enable this functionality for Single-Sign On Web authentication:

  • A browser that supports the "WWW-Authenticate: Negotiate" header
  • A web server that supports the "Negotiate" authentication feature of HTTP
  • A Kerberos realm and working KDC that issues tickets to the users.

Browsers

Currently, there are 3 browsers that support the "Negotiate" authentication extension.

Mozilla and Firefox

Once you have the necessary browser, you must configure it to support the feature; it is not typically enabled by default. For Mozilla and Firefox, you may need to adjust a couple of private user preferences so that the authentication will be allowed on a non-secure connection (i.e. not SSL).

Setting the Preferences

In the URL window, enter about:config. This brings up a complete list of user preferences that can be set.

Parameters for Mozilla and Firefox

  • network.negotiate-auth.delegation-uris = https://,http://
  • network.negotiate-auth.trusted-uris = https://,http://

By default, these are usually restricted to just work on "https://" connections (secured by SSL). You may add non-SSL to the allowed list by setting the value to look like this: https://, http://.

You change the values in this window by double-clicking on the preference you wish to set. This brings up a window that allows you to enter a new value.
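As an added example (not from the original post), here is a small POSIX sh audit of the two preferences above, read from a Firefox or Mozilla prefs.js or user.js file. It assumes the user_pref() line format those files use; the two sample files it builds are constructed inputs, not real profiles. It goes a little beyond the post by distinguishing bare scheme prefixes ("https://", "http://", which match every server) from host or domain entries (".foo.com"), since that is what decides where the browser will send a Kerberos ticket (trusted-uris) or forward a delegated TGT (delegation-uris).

```shell
#!/bin/sh
# Added example (not from the original post): audit the two Mozilla/Firefox
# negotiate-auth preferences in a prefs.js or user.js file.  Each entry in the
# comma-separated value is either a bare scheme ("http://", "https://"), which
# matches every host reachable over that scheme, or a host or domain suffix
# (".foo.com"), which limits where the browser will send Kerberos credentials
# (trusted-uris) or forward a delegated TGT (delegation-uris).

# Print the value of a user_pref() line, or nothing if the pref is not set.
get_pref() {  # get_pref <prefs-file> <pref-name>
    sed -n "s/^user_pref(\"$2\", *\"\([^\"]*\)\");.*/\1/p" "$1"
}

# Classify a value: "unset" (empty), "broad" (some entry is a bare scheme,
# so any server on that scheme is trusted) or "scoped" (hosts/domains only).
classify_pref() {  # classify_pref <value>
    if [ -z "$1" ]; then
        echo unset
        return 0
    fi
    result=scoped
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in
            http://|https://) result=broad ;;
        esac
    done
    echo "$result"
}

# Audit a prefs file; exit status 0 when both prefs are scoped or unset,
# 1 when either one would hand credentials to arbitrary servers.
audit_negotiate_prefs() {  # audit_negotiate_prefs <prefs-file>
    rc=0
    for name in network.negotiate-auth.trusted-uris \
                network.negotiate-auth.delegation-uris; do
        value=$(get_pref "$1" "$name")
        verdict=$(classify_pref "$value")
        printf '%-42s %-7s %s\n' "$name" "$verdict" "${value:-<unset>}"
        if [ "$verdict" = broad ]; then rc=1; fi
    done
    return $rc
}

# Write a constructed prefs file (sample input, not a real profile).
write_sample_prefs() {  # write_sample_prefs <file> <trusted> <delegation>
    cat > "$1" <<EOF
user_pref("network.negotiate-auth.trusted-uris", "$2");
user_pref("network.negotiate-auth.delegation-uris", "$3");
EOF
}

# Usage: the setting from the post beside a tightened one (constructed files).
tmpdir=$(mktemp -d)
write_sample_prefs "$tmpdir/broad.js" "https://,http://" "https://,http://"
write_sample_prefs "$tmpdir/scoped.js" ".foo.com" "https://intranet.foo.com"
audit_negotiate_prefs "$tmpdir/broad.js" || echo "broad.js: tickets would be sent to any http(s) server"
audit_negotiate_prefs "$tmpdir/scoped.js" && echo "scoped.js: ok"
rm -rf "$tmpdir"
```

The delegation-uris list deserves the tighter scope of the two: an entry there lets the named servers obtain a forwardable copy of the user's TGT, so it should name only the intranet hosts that genuinely need to act on the user's behalf.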

Microsoft Internet Explorer

To configure IE to allow for SSO authentication:
  • click on the "Tools" menu in the toolbar at the top.
  • Select the "Internet Options" item at the bottom of the menu.
  • Select the "Advanced" tab in the options window that should appear.
  • Scroll down through the various options until you find the section for "security".
  • Click in the box next to "Enable Integrated Windows Authentication" so that it appears with a check in the box to indicate that it is enabled.
  • Log out and log back into Windows as a user in a Kerberos realm (either AD or SEAM/MIT) using your name and realm in the login window. Ex: wyllys@SUN.COM

This assumes your windows box is already participating in a Kerberos realm, either managed by Active Directory, or the box is configured to use a non-Windows KDC such as SEAM or MIT. Instructions for setting this up are here: Setting up Kerberos Interop on Windows.

Web Server Configuration

The other important part of the Web-SSO equation is having a properly configured HTTP server that supports the NegotiateAuth extension. Microsoft IIS already supports this and there are extensions for Apache that also enable this feature.

Solaris 10 Apache Configuration

Apache supports extensions to its authentication system so third parties may add new features easily, without modifying the core Apache engine. There are a couple of extensions available that support the "NegotiateAuth" exchange.

Solaris 10 GSS Authentication Module

mod_auth_gss is an Apache module that enables support for the "NegotiateAuth" exchange on Unix/Linux systems which have GSSAPI support. It uses only GSSAPI to send either SPNEGO or KRB5 authentication tokens. The user must have a valid Kerberos ticket in their personal credential cache in order for this to work correctly; no passwords are used by the protocol. The user is never prompted for a password and thus the authentication occurs without user interaction, which is how "Single Sign On" is achieved.

The benefit of this module over the next one (below) is that it is purely GSSAPI based and does not require access to raw Kerberos libraries in order to compile or run; it only needs to link with libgss.so.1. It will support GSSAPI authentication using either SPNEGO (if it's available on the system) or Kerberos V5. Currently, only Solaris 10 and Microsoft Windows XP/2000/2003 have SPNEGO support. On other systems, it is assumed that GSSAPI-KRB5 tokens will be used by the client. Other open source Kerberos distributions like Heimdal will soon be offering (if they haven't already) a SPNEGO mechanism now that the SPNEGO spec has been updated.

The module shipped in Solaris 10's Apache area supports both 1.x and 2.x versions of Apache. The use of SSL encryption is also recommended (but not required).

  • mod_auth_gss is bundled with Apache in Solaris 10. By default, it is installed in /usr/apache/libexec
  • Configuration Instructions

mod_auth_krb5

mod_auth_krb5 is an open-source module that enables support for Kerberos SSO authentication through the NegotiateAuth extension. This module supports the standard GSSAPI + SPNEGO token exchange used in the Microsoft implementation. It also has a couple of nice "extra" features such as the ability to use the password given in the authentication exchange and have the web server request a ticket for the user. This is quite different from the GSSAPI SSO model and is not secure on a non-SSL protected connection because the password passes over the wire virtually unprotected. This method is provided merely as a convenience feature and is not recommended for security.

The downside of this module is that it does not compile on Solaris using the native Solaris Kerberos code, because Solaris does not export the raw Kerberos APIs. Thus, this module requires that the user install a third party Kerberos implementation like MIT or Heimdal in order to build the module. In doing so, the implementor loses the features of the native Kerberos and GSSAPI on Solaris.

IIS Configuration

If you are testing with an IIS web server, the only thing to do is go into the IIS configuration and change the security properties for the areas that you wish to protect so they are using "Integrated Windows Authentication".

Configuring Kerberos

1. Set up Kerberos Server (if you don't already have one). Follow basic instructions given in the SEAM documentation at docs.sun.com.

The KDC should be a protected, standalone system. But for internal testing purposes it may be hosted on the same system as the Apache web server.

2. Create a Kerberos service key for the Apache server to use for authenticating the clients. Also create a user principal for testing the browser later. The "Negotiate" method used by IIS and IE looks for a principal named "HTTP/f.q.d.n@REALM" (f.q.d.n == Fully Qualified Domain Name). To create this principal for use with the Apache module, do the following as 'root' on the Apache server (www.foo.com stands in for the server's f.q.d.n):

    a. /usr/sbin/kadmin
       (this assumes the KDC setup procedure in step 1 was followed)
    b. kadmin: addprinc -randkey HTTP/www.foo.com
    c. kadmin: ktadd -k /var/apache/http.keytab HTTP/www.foo.com
    d. kadmin: addprinc tester
    e. kadmin: quit


Testing the 'Negotiate' plugin with mozilla

1. The client system (Solaris 10) must be configured to use Kerberos. Set up /etc/krb5/krb5.conf to use the KDC created earlier.

2. kinit to get a TGT as the "tester" principal created above in step 2d.
    $ kinit tester    (enter the password)

3. Use mozilla (with 'negotiateauth' extension installed) to access the Kerberos protected pages on your web server.

If it doesn't work, enable the "GssDebug" variable in the Apache configuration file (see the Configuration Instructions) and check the Apache "error_log" to see if any messages are being generated that might help indicate the problem.


Configuring mod_auth_gss

Before using GSSAPI authentication with Apache, the system must already have been configured to use Kerberos V5 authentication. All of the major Kerberos V5 implementations (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft) currently support Kerberos V5 GSSAPI mechanisms. Configuring Kerberos is beyond the scope of this document. Adding GSSAPI authentication support to the web extends single sign-on capabilities to the intranet and reduces the risks involved in having users constantly entering username/password combinations when accessing websites.

Configure a Service Principal

The default service principal that mod_auth_gss will try to use is "HTTP/f.q.d.n". The key for this principal must be stored in a keytab file that is readable by the Apache server, but it should be protected from access by anyone else, and should definitely not be stored in an area that can be browsed by clients.

Example: the Apache server is on host "www.foo.com". Create a principal called "HTTP/www.foo.com". Store the key for this principal in a protected keytab file. Using MIT Kerberos V5:

    $ kadmin
    kadmin: addprinc -randkey HTTP/www.foo.com
    kadmin: ktadd -k /var/apache/http.keytab HTTP/www.foo.com
    kadmin: quit


Once the keys are created and stored, using GSSAPI authentication is very simple. Set the authentication type for the directories being protected to "GSSAPI". If the service name or keytab chosen is not the default ("HTTP" and "/var/apache/http.keytab", respectively), then you may use the ServiceName and KeytabFile directives to override the default values. Note that the protected area is named with a <Directory> block (a filesystem path), which is also the context in which AllowOverride is valid. Example:

<Directory /var/apache/htdocs/krb5>
	AuthType    GSSAPI
	ServiceName HTTP
	KeytabFile  /var/apache/http.keytab
	GssDebug    0
	Require valid-user
	AllowOverride AuthConfig
</Directory>

GSSAPI authentication provides a more secure authentication system, but only works with supporting browsers.

It is recommended that this authentication method be combined with TLS security (mod_ssl, for example) to further secure the authentication data being exchanged.
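The checks below are an added example written for this post, not code from the original page or from mod_auth_gss. They cover the server side of the steps above: that the keytab named in the Apache configuration is readable only by its owner, lives outside the document root and holds the HTTP/f.q.d.n key, and that the protected <Directory> block uses AuthType GSSAPI, has a Require line and leaves GssDebug off. The directive parsing, the expected-owner argument and all sample inputs (config file, empty stand-in keytab, saved "klist -k" listing) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post or of mod_auth_gss): sanity
# checks for a mod_auth_gss deployment.  All paths and sample files below
# are constructed for the demo.

# Print the argument of the first matching Apache directive in a config file
# (directive names are case-insensitive, as in httpd.conf).
conf_value() {  # conf_value <conf-file> <directive>
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Does a saved "klist -k <keytab>" listing name the principal?  Exit 0/1.
# Entry lines look like "   2 HTTP/www.foo.com@FOO.COM" (kvno, principal).
keytab_has_principal() {  # keytab_has_principal <klist-output-file> <principal>
    awk -v p="$2" 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# File-level checks: keytab exists, mode forbids group/other access, it is
# owned by the expected (Apache run-as) user and not below the document root.
# Paths are compared literally; symlinks are not resolved.
check_keytab_file() {  # check_keytab_file <keytab> <docroot> <owner>
    keytab=$1; docroot=$2; want_owner=$3; rc=0
    if [ ! -f "$keytab" ]; then echo "keytab $keytab: missing"; return 1; fi
    listing=$(ls -ld "$keytab")
    perms=${listing%% *}                       # e.g. -rw-------
    owner=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    case "$perms" in
        -???------*) ;;
        *) echo "keytab $keytab: mode $perms allows group/other access"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "keytab $keytab: owned by $owner, expected $want_owner"; rc=1
    fi
    case "$keytab" in
        "$docroot"/*) echo "keytab $keytab: inside document root $docroot"; rc=1 ;;
    esac
    return $rc
}

# Directive-level checks on the protected block.
check_apache_conf() {  # check_apache_conf <conf-file>
    rc=0
    authtype=$(conf_value "$1" AuthType)
    [ "$authtype" = GSSAPI ] || { echo "AuthType is '${authtype:-unset}', expected GSSAPI"; rc=1; }
    debug=$(conf_value "$1" GssDebug)
    [ "${debug:-0}" = 0 ] || { echo "GssDebug $debug: leaves GSSAPI tracing on in error_log"; rc=1; }
    require=$(conf_value "$1" Require)
    [ -n "$require" ] || { echo "no Require directive: AuthType alone does not force authentication"; rc=1; }
    return $rc
}

# Usage with constructed inputs (the owner would be the Apache User account).
tmpdir=$(mktemp -d)
docroot=$tmpdir/htdocs
mkdir -p "$docroot/krb5" "$tmpdir/apache"
: > "$tmpdir/apache/http.keytab"; chmod 600 "$tmpdir/apache/http.keytab"
cat > "$tmpdir/klist.out" <<'EOF'
Keytab name: FILE:/var/apache/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/www.foo.com@FOO.COM
EOF
cat > "$tmpdir/httpd-gss.conf" <<EOF
<Directory $docroot/krb5>
	AuthType    GSSAPI
	ServiceName HTTP
	KeytabFile  $tmpdir/apache/http.keytab
	GssDebug    0
	Require valid-user
</Directory>
EOF
check_apache_conf "$tmpdir/httpd-gss.conf" && echo "httpd-gss.conf: ok"
check_keytab_file "$(conf_value "$tmpdir/httpd-gss.conf" KeytabFile)" "$docroot" "$(id -un)" && echo "keytab file: ok"
keytab_has_principal "$tmpdir/klist.out" HTTP/www.foo.com@FOO.COM && echo "keytab lists HTTP/www.foo.com@FOO.COM"
rm -rf "$tmpdir"
```

On a real server, feed check_keytab_file the path from the live httpd.conf and the user named by its User directive, and save "klist -k /var/apache/http.keytab" to a file for keytab_has_principal; a keytab that is missing the HTTP/f.q.d.n entry, or that sits under the document root where clients can fetch it, is the usual reason the Negotiate exchange fails or, worse, quietly succeeds for the wrong people.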

Wednesday Dec 22, 2004

I've renamed my blog. Since I am one of those people who work from home (full-time), it only seems fitting to title my blog "The Pajama Hacker". The stereotype of the work-from-home person who sits around in their pajamas (or sweat pants, as I prefer) all day is pretty accurate in my case. My daily routine usually doesn't involve getting dressed until after lunch sometime. Why bother, right? I get my best work done in the mornings just after my wife goes to work and my son is off to school. Because I am on the east coast (Wash DC area) and most of my co-workers are on the west coast, I don't get many phone calls until at least 11 or 12, which means I have several hours of uninterrupted quality work time. "Pajamas" is not accurate, though; I prefer old sweat pants or shorts (in the summer).

So, welcome to my new blog, same as the old blog. The Pajama Hacker.

Tuesday Dec 21, 2004

I changed my theme to celebrate the new blogging interface. I think there are some kinks to work out, but overall it's going to be an improved blogging experience for readers and posters.

Happy Holidays!

I have some more GMail invites to give out. First come, first served. Email me at my gmail address: wyllys _at_ gmail ... (you know the rest).

Monday Dec 20, 2004

I considered making a "top 10" list, but then I was worried I wouldn't come up with 10 good thoughts :) So, in the spirit of blogging, here are some of my favorite things about 2004 (in no particular order).

  • Solaris 10 - It's redundant in this forum to keep gushing about our latest release, but I can't help but sing the praises of our new baby. 4 years ago when I started at Sun, I was given an old laptop to use when travelling. My first thought was to try and put Solaris 8 (x86) on it. Big mistake. Video drivers didn't work right, PCMCIA support was non-existent (or very difficult to get working correctly), which meant that I couldn't use my NIC card (and definitely couldn't use my wireless card). I gave up after a few days of teeth gnashing and went with some Linux distro. Fast forward to 2004 and it's a completely different story - Solaris 10 installs smoothly, it has all of the key features I need (video support, PCMCIA support for many NIC cards, CD/DVD RW support) and it's F-A-S-T. I love opening it up at a conference or in front of customers and seeing the look of disbelief when I say "No, it's not Linux, this is Solaris 10." 2005 should be a great year as the rest of the world will see what we've been up to for the past 3 years.
  • My iPOD - I got a 10GB iPOD last year for Christmas and it's been my #1 gadget ever since. My preferred use is to plug it into my car (cassette adapter) and use it on road trips - nothing like having 1000 or more of your favorite songs right there in a tight little package. Why would anyone get one of those bulky car CD changers these days??
  • Netflix - Fantastic idea, wish I'd thought of it first (and had the money to make it happen). I can't see any reason why I would ever visit a traditional video store again.
  • The Pittsburgh Steelers 13-1 BABY! What a great season. I was at 2 games this year, the opener against the Raiders and the Halloween game against the Patriots. Whipping the Patriots and Eagles back-to-back made my year. Now they gotta take care of business and keep it going to the very end.
  • Music - Lots of great music came out this year, but I seem to be stuck in the early 1990's in my own tastes. My favorites this year were:
    • U2 - How to Dismantle an Atomic Bomb - Vertigo is sort of everywhere right now, but I still dig the opening riffs.
    • Pearl Jam - Live at Benaroya Hall - Pearl Jam is often overlooked in the ugly homogenized world of commercial radio, but they still have a really solid fan base and are still cranking out great music. This album really showcases what great musicians they are and what a great voice Eddie Vedder still has.
  • blogging - blogging was influential throughout the presidential election cycle, and it's now growing into all kinds of new areas. I am not a particularly prolific blogger (it's been months since my last post), but I enjoy reading others. I especially enjoy photoblogging, which is a cool way to exhibit your own personal favorite photos for others to comment on. My Photo Blog.

Tuesday Nov 16, 2004

There is a nice article about the success of the Firefox browser. Firefox is a great open source success story. So many Open Source projects get started with good intentions and then die due to lack of interest or follow-through. Just browse through the thousands of entries at sourceforge and see how many are actually active and usable. They claim (as of today - 11/16/2004) to have 90,830 active projects. That's a lot. The number of projects that are being actively worked on and developed is probably quite a bit smaller than that number.

Everyone has read by now that Solaris 10 is going open source, so I won't blow that horn again here. Sun has always embraced the open source movement; we have incorporated many open source projects into our distributions and have also contributed many, many thousands of lines of code back to the open source community (GNOME, OpenOffice, and Mozilla just to name a few of the more high profile projects), so this is not a new concept to us. Despite that fact, Linux zealots will likely take issue with our motivations or our licenses (still TBD), as it may seem like a threat to the continued growth of Linux (the typical Slashdot reaction is to respond first, then read the details later). Regardless, Solaris 10 will stand up to any scrutiny with its rich feature set, strong security, and reliability.

Saturday Nov 13, 2004


I haven't blogged in a while about Solaris or anything else, but I plan to be more proactive about that in the future, especially as Solaris 10 starts rolling out. There is a lot to talk about, especially in the security area.

One thing I have been working on, as a personal project and on my own time, is my own photo blog. Check it out if you enjoy random photos.

Forcing oneself to take some photos every day (or at least every couple of days) can be challenging, especially if you are not visiting new places or doing "new and interesting" things. The most challenging thing for a photographer is to take a mundane subject and find a new way to see it and give a boring subject new life. If you take the time to look at my photos, you will see that I still have a long way to go to acquire this skill, but there is some enjoyment to be had in the learning process.

My Photo Blog