Authentication archives - Enterprise Linux Log


Oct 29 2008   8:31PM GMT

Centrify streamlines administrator tasks in mixed environments



Posted by: Caroline Hunter
Security, Microsoft Windows, Linux, HP, authentication, Enterprise applications for Linux, Data center physical infrastructure, Administration, interoperability and integration

On Oct. 21, Mountain View, Calif.-based Centrify Corp. added DirectAuthorize to its suite of products for integrating Active Directory into mixed Linux and Windows environments. DirectAuthorize streamlines user access rights management so that administrators no longer have to configure rights separately on Windows servers and then on non-Windows servers. By consolidating information in a centralized location, DirectAuthorize eliminates redundant rework.

DirectAuthorize arrives as the third member of a line of products created to ease the task of managing mixed environments with Active Directory. The other two products, DirectControl and DirectAudit, perform centralized authentication and auditing.  

“Typically we serve customers who are looking to introduce Linux, Hewlett-Packard, AIX, or Unix into their environments, and also often VMware,” Centrify CEO Tom Kemp said. “In terms of access rights and password management, that ends up being a lot of sticky notes next to your screen.” DirectAuthorize replaces non-Windows systems’ authorization infrastructure with that of Active Directory, which allows admins to move all user authorization information to a central location and to manage it from that location.

Aug 27 2008   8:21PM GMT

Red Hat tight-lipped on breach, but risk appears small



Posted by: Pam Derringer
Security, Linux, DataCenter, authentication, Red Hat, Open source applications, TechTarget Blogs

Red Hat Inc. has declined to provide additional details on last week’s security breach on some Fedora servers that were illegally accessed. Although Red Hat said it did not believe that the package-signing key used to gain access to Fedora operating systems was compromised, the Raleigh, N.C.-based company issued a new Fedora signing key as a precaution. Fedora is Red Hat’s free operating system where innovations are introduced and tested before they are incorporated into production-ready Red Hat Enterprise Linux (RHEL).

Related to the Fedora intrusion, Red Hat also announced a breach into a few Open Secure Shell (OpenSSH) security encryption packages for some versions of RHEL 4 and RHEL 5 that are not under the umbrella of a Red Hat network management system. As a precaution, Red Hat issued an updated version of the affected RHEL OpenSSH security packages.

No big deal? 
Reaction to the breach is muted at best.

Joe Clabby, a principal at Falmouth, Maine-based Clabby Analytics, said that a new signing key install “could be a real hassle” for a large install base without an automated deployment system, but he didn’t think it was a huge problem. “It’s good they found it and made it public so people can fix it and life goes on,” he said.

Charles King, a principal analyst at Hayward, Calif.-based Pund-IT Inc., agreed.

A security breach is “always disquieting,” he noted, but this one is probably of lesser impact, because most data centers do not run Red Hat exclusively. In one sense, the breach could be viewed as an indicator of Red Hat’s growing success. Hackers generally target only commercially successful distros, King said.

Well-known tech blogger Jason Perlow said that the breach is “standard stuff” that will be remedied quickly because the entire open source community will become engaged in developing a remedy, whereas a proprietary vendor could take months to solve a comparable problem.

I suspect that most large Red Hat installs run RHEL rather than Fedora, thus reducing the probable risk to businesses. Nevertheless, as an admittedly impatient journalist wired to ask questions and expect answers, I find Red Hat’s failure to be more forthcoming about the extent of the breach and the potential impact disappointing. Users aren’t well served by a limited statement and a wall of silence.


Jul 28 2008   4:34PM GMT

Package managers: Downloaders beware



Posted by: Caroline Hunter
Security, Linux, DataCenter, authentication, Systems Management, Updates and upgrades, Administration, interoperability and integration

Package management—the process of determining which update packages should be installed on a host and then downloading and installing those packages—invites a dilemma: OSes need to be updated, but the process of updating them can invite security breaches.

A recent study at the University of Arizona explored nine feasible attacks on the popular package managers APT and YUM. As part of their research, the study’s conductors posed as a group of administrators from a nonexistent company and leased a server from a hosting provider. Thousands of clients, including government agencies, downloaded upgrades, which prompted their operating systems to endlessly replicate data, misidentify dependencies, and install unnecessary software. It also left these clients vulnerable to other attacks on their systems, including hackers gaining root access to OSes, system crashes and erased files. Researchers concluded that many public storage spaces for upgrade downloads are in fact maliciously established “mirrors,” or software repositories, that have become infected with sources of attack. You can prevent most of these issues by downloading only from repositories with signed metadata, the study counseled. A signature verifies that the repository was created benevolently.

Protecting against mirror threats
In response, readers suggested a number of additional ways to protect a package manager from such threats.

  • An OpenSUSE page suggested its internally developed tool, download redirector.
  • One blogger wrote that the risks posed by infected repositories are not great enough to merit changes to package manager security.
  • Another acknowledged the risk and argued that simply allowing the number of open source package manager products available to increase will maintain or improve current open source package manager security.
  • A Gentoo administrator promoted rotating mirrors to ensure security.

Package manager security, as pointed out by this report, is crucial to the success of your operating system. With the present drive for continuous upgrades for your data center, you may feel pressure to download from the most accessible source available. Don’t: the risk of downloading insecure software is greater than the time it will take to check out the above links.

For more on package managers, check out these links:

  • How to manage software on Ubuntu Server with “aptitude” and “apt-get”
  • Managing Software on Ubuntu Server Edition


Jun 19 2008   6:19PM GMT

Red Hat previews virtual management tool



Posted by: Megan Santosus
Linux, Virtualization, authentication, Red Hat, Linux kernel, KVM, Administration, interoperability and integration

At a mid-morning session during the Red Hat Summit in Boston today, a standing-room only crowd of more than 125 attendees got a preview of oVirt, a “next-generation open source virtualization management solution.”

Currently in beta, oVirt comprises two components: oVirt Managed Node, which is an embedded hypervisor based on a Linux kernel and KVM; and oVirt Server Suite, an administrative console that includes a Web interface and has functionality for tasks related to virtual machine management, such as status monitoring, performance monitoring and visualization and authentication.

With oVirt, IT administrators get a picture of “what’s going on in your server room from a virtualization perspective,” said Red Hat CTO Brian Stevens. The current generation of virtualization management tools, contends Stevens, fall short for customers because they are proprietary and do not integrate into the enterprise.

The oVirt infrastructure integrates with several open source projects, including libvirt for virtual machine management, FreeIPA for directory services, Cobbler and Koan for provisioning, and collectd for performance data collection.

Currently oVirt enables IT administrators to collect data from managed hosts; eventually, Stevens said, oVirt will include automation capabilities to allow IT administrators to establish service-level agreements around physical and virtual machines and migrate machines accordingly based on those levels.


Jan 7 2008   2:29PM GMT

Set up a Samba Domain Controller with LDAP for Ubuntu server



Posted by: Mark Gallagher
authentication, Samba

Hey Ubuntu fans – ever wanted a domain controller with an LDAP back end for a server but couldn’t bring yourself to run Windows? Well, the guys over at HowtoForge assembled a great how-to guide for setting up a Samba Domain Controller with an OpenLDAP directory that authenticates like a Windows Server 2003 Domain Controller. The Samba LDAP configuration doesn’t make for a fully comparable Windows domain controller, but it does give your Ubuntu server LDAP authentication (so you have that going for you, which is nice). And the author also points out that this setup can be expanded to spread out authentication over multiple networks to include slave servers and Microsoft XP boxes.

If that interests you, check out the sample chapter on OpenLDAP and the guide to Samba and Active Directory on SearchEnterpriseLinux.com.

(Does the Caddyshack reference make up for the shameless plug?)


Nov 9 2007   9:52AM GMT

UPDATE REMINDER: Product of the Year nominations are going on now!



Posted by: admin
disaster recovery, Database, authentication, blades, identity management, Backup & recovery, Enterprise applications for Linux, Xen, Red Hat, green computing, Systems Management, Linux basics, SUSE/Novell, Hardware issues, Clusters, grids and mainframes, Open source applications, Administration, interoperability and integration

Working with vendors is tough. You need their help, they want your money. Hopefully, whatever it is they help you install works and the price meets you both somewhere in the middle (as in your side of the middle, right?).

Sometimes this process is a headache, but sometimes a project can really surprise you—things just work and upper management is just peachy keen with how the whole thing looks on the balance sheet.

In that vein, SearchEnterpriseLinux.com wants to help its readers discover the best of the best in Linux products for the enterprise in our prestigious SearchEnterpriseLinux.com 2007 Products of the Year awards. We’ve been asking readers and vendors over at SearchEnterpriseLinux.com to nominate a favorite product they’ve used or to nominate their own new product, and now we’ve opened it up to the Intertubes here at the Enterprise Linux Log. Regardless of where you fall — vendor, user or general Linux guru – the deadline is drawing near!

Our editorial team and a select panel of industry experts and analysts are currently accepting submissions online until 5 p.m. PST on Nov. 9, 2007 in a range of categories, including: Server Linux platform product (either a distribution release or a new, integrated server Linux offering); Security applications/tools for Linux on the server; Virtualization product for Linux on the server; and Linux administration tools. You can access the 2007 POY submission page in the link above.

To qualify, new or significantly upgraded products must have been shipped after October 31, 2006, and before November 1, 2007. Submit your entry today and let us know what you think are the top data center products on the market!


Oct 31 2007   9:35AM GMT

Analysts debate Active Directory’s role in Linux authentication



Posted by: admin
Windows, authentication, identity management, Administration, interoperability and integration

I had the interesting opportunity to be a third party to a battle of analysts today, and I thought I would share some of the things I learned from that conversation.

First, a little background information:

On Monday, SearchEnterpriseLinux.com posted a story on Active Directory and Linux authentication. The story gave a general overview, attempting to lay out some of the more mainstream ways IT pros are using AD to manage identity, authentication and security on their Linux servers. These include LDAP and Kerberos protocols, Samba 3, and proprietary third-party cross-platform management applications. While there was room to expand on the points made and some areas that could have been articulated better, the article was not intended to be in-depth from a technical point of view. But, as the reporter who filed that story, I can appreciate when an expert in the field takes the time to email me and explain, politely, that there were a few things that needed clarification.