DirectAuthorize arrives as the third member of a line of products created to ease the task of managing mixed environments with Active Directory. The other two products, DirectControl and DirectAudit, perform centralized authentication and auditing.  

“Typically we serve customers who are looking to introduce Linux, Hewlett-Packard, AIX, or Unix into their environments, and also often VMware.” Centrify CEO Tom Kemp said. “In terms of access rights and password management, that ends up being a lot of sticky notes next to your screen.” DirectAuthorize replaces non-Windows systems’ authorization infrastructure with that of Active Directory, which allows admins to move all user authorization information to a central location and to manage it from that location.

Related to the Fedora intrusion, Red Hat also announced a breach into a few Open Secure Shell (SSH) security encryption packages for some versions of RHEL 4 and RHEL 5 that are not under the umbrella of a Red Hat network management system. As a precaution, Red Hat issued an updated version of the affected RHEL Open SSH security packages.

No big deal? 
Reaction to the breach is muted at best.

Joe Clabby, a principal at Falmouth, Maine-based Clabby Analytics, said that a new signing key install “could be a real hassle” for a large install base without an automated deployment system, but he didn’t think it was a huge problem. “It’s good they found it and made it public so people can fix it and life goes on,” he said.

Charles King, a principal analyst at Hayward, Calif.-based Pund-IT Inc., agreed.

A security breach is “always disquieting,” he noted, but this one is probably of lesser impact, because most data centers do not run Red Hat exclusively. In one sense, the breach could be viewed as an indicator of Red Hat’s growing success. Hackers generally target only commercially successful distros, King said.

Well-known tech blogger Jason Perlow said that the breach is “standard stuff” that will be remedied quickly because the entire open source community will become engaged in developing a remedy, versus a breach with a proprietary vendor, which could take months to solve the problem.

I suspect that most large Red Hat installs run RHEL rather than Fedora, thus reducing the probable risk to businesses. Nevertheless, as an admittedly impatient journalist wired to ask questions and expect answers, Red Hat’s failure to be more forthcoming about the extent of the breach and the potential impact is disappointing. Users aren’t well served by a limited statement and a wall of silence.

A recent study at the University of Arizona explored nine feasible attacks on the popular package managers APT and YUM. As part of their research, the study’s conductors posed as a group of administrators from a nonexistent company and leased a server from a hosting provider. Thousands of clients, including government agencies, downloaded upgrades, which prompted their operating systems to endlessly replicate data, misidentify dependencies, and install unnecessary software. It also left these clients vulnerable to other attacks on their systems, including hackers gaining root access to OSes, system crashes and erased files . Researchers concluded that many public storage spaces for upgrade downloads are in fact maliciously established “mirrors,” or software repositories , that have become infected with sources of attack. You can prevent most of these issues by downloading from only signed metadata repositories, the study counseled. A signature verifies that the repository was created benevolently.

Protecting against mirror threats
In response, readers suggested a number of additional ways to protect a package manager from such threats.

• An OpenSUSE page suggested its internally developed tool, download redirector.
• One blogger wrote that the risks posed by infected repositories are not great enough to merit changes to package manager security.
• Another acknowledged the risk and argued that simply allowing the number of open source package manager products available to increase will maintain or improve current open source package manager security.
• A Gentoo administrator promoted rotating mirrors to ensure security.

Package manager security, as pointed out by this report, is crucial to the success of your operating system. With the present drive for continuous upgrades for your data center, you may feel pressure to download from the most accessible source available. Don’t: the risk of downloading insecure software is greater than the time it will take to check out the above links.

For more on package managers, check out these links: How to manage software on Ubuntu Server with “aptitude” and “apt-get”

Managing Software on Ubuntu Server Edition

Currently in beta, oVirt comprises two components: oVirt Managed Node, which is an embedded hypervisor based on a Linux kernel and KVM; and oVirt Server Suite, an administrative console that includes a Web interface and has functionality for tasks related to virtual machine management, such as status monitoring, performance monitoring and visualization and authentication.

With oVirt, IT administrators get a picture of “what’s going on in your server room from a virtualization perspective,” said Red Hat CTO Brian Stevens. The current generation of virtualization management tools, contends Stevens, fall short for customers because they are proprietary and do not integrate into the enterprise.

The oVirt infrastructure integrates with several open source projects, including libvirt for virtual machine management, FreeIPA for directory services, Cobbler and Koan for provisioning, and collectd for performance data collection.

Currently oVirt enables IT administrations to collect data from managed hosts; eventually Stevens said that oVirt will include automation capabilities to allow IT administrators to establish service-level agreements around physical and virtual machines and migrate machines accordingly based on those levels.

If that interests you, check out the sample chapter on OpenLDAP and the guide to Samba and Active Directory on SearchEnterpriseLinux.com.

(Does the Caddyshack reference make up for the shameless plug?)

Sometimes this process is a headache, but sometimes a project can really surprise you—things just work and upper management is just peachy keen with how the whole thing looks on the balance sheet.

In that vein, SearchEnterpriseLinux.com wants to help its readers discover the best of the best in Linux products for the enterprise in our prestigious SearchEnterpriseLinux.com 2007 Products of the Year awards. We’ve been asking readers and vendors over at SearchEnterpriseLinux.com to nominate a favorite product they’ve used or to nominate their own new product, and now we’ve opened it up to the Intertubes here at the Enterprise Linux Log. Regardless of where you fall — vendor, user or general Linux guru –the deadline is drawing near!

Our editorial team and a select panel of industry experts and analysts are currently accepting submissions online until 5 p.m. PST on Nov. 9, 2007 in a range of categories, including: Server Linux platform product (either a distribution release or a new, integrated server Linux offering); Security applications/tools for Linux on the server; Virtualization product for Linux on the server; and Linux administration tools. You can access the 2007 POY submission page in the link above.

To qualify, new or significantly upgraded products must have been shipped after October 31, 2006, and before November 1, 2007. Submit your entry today and let us know what you think are the top data center products on the market!

First, a little background information:

On Monday, SearchEnterpriseLinux.com posted a story on Active Directory and Linux authentication. The story gave a general overview, attempting to lay out some of the more mainstream ways IT pros are using AD to manage identity, authentication and security on their Linux servers. These include LDAP and Kerberos protocols, Samba 3, and proprietary third party cross platform management applications. While there was room to expand on the points made and some areas that could have been articulated better, the article was not intended to be in-depth from a technical point of view. But, as the reporter who filed that story, I can appreciate when an expert in the field takes the time to email me and explain, politely, that there were a few things that needed clarification.

Yesterday morning Doug Miller, a consultant with Interop Systems Inc., emailed me to point out a few things that could have been explained better in the article. Doug recently wrote a series of tech notes on this very subject, and has worked with Unix, Windows and Linux interoperability topics for several years.

The first point of contention was on Kerberos and LDAP. In the article, our sources described the technology as an expert tool, to be used in academic arenas where the manpower was such that all the tweaking they required would not affect business as usual. It was suggested that experts with these protocols should use them and do things on their own to avoid any uncertainty when it comes time to patch servers since third parties won’t be involved.

But not so fast — Miller explained that we goofed. “Standard Linux Kerberos can be easily used with Active Directory with no changes on either end other than setting up the configuration files on Linux,” he said in an email exchange. For now, it would seem, a correction was in order.

Also in the article, we discussed that Kerberos had some schema issues with Windows, and again more tweaking was necessary. Again, Miller says some clarification is in order:

“Microsoft has supported standard UNIX schema in Active Directory for a number of years via the Services for UNIX product. From Windows Server 2003 R2 and on, UNIX schema is built into Active Directory. UNIX schema information can be accessed via NIS or LDAP from Linux clients. These methods are fully supported by Microsoft.”

Subsequent research at LinuxToday.com, where this article now swings in tatters at the hands of the passionate Linux community, seem to support this point.

Pretty straightforward. There were what appeared to be inaccuracies in the reporting, and a correction was prepared. But wait, there’s even more. CC’d on that same email, and completely missed by my careless eyes, was Gartner analyst John Enck, from whom I had gleaned much of the analysis found in the article.

Enck subsequently responded to Miller’s points about Kerberos and those Unix schemas. First, he reiterated the fact that Kerberos and LDAP protocols are by no means “easily” implemented by IT managers–that’s why consultancies like Interop Systems exist. Second, AD does support the NIX-mapping schema extensions, but some Unix and Linux distributions require extensions beyond NIS; there is no universal Linux/Unix LDAP schema.

“And as for “fully supported,” do you really think you can call up Microsoft and ask them a question regarding any arbitrary version of Linux or Unix? They aren’t equipped (literally) to support all of the distributions and releases out there,” Enck said.

Later in the day the exchange continued, as Miller — a Windows and Unix expert by trade before he became a consultant — said Windows Server 2003 R2 and Windows Server 2008 are actually now really good infrastructure servers for UNIX/Linux authentication and directory services – even without buying third party software.

“The key point here is on the Windows side, this is all Microsoft supported software in mainline products. On the Linux side, you use standard Linux packages that are included with the standard distributions – no need for downloading new projects and compiling it yourself. This stuff works with out of the box Microsoft and Linux software and it actually works really well. And there are multiple ways to do this depending on what the customer needs,” he said.

On the NIS side, Miller said AD has supported the NIS extensions for several years via Services for UNIX. With the Microsoft Server releases starting with R2, there is now support for both NIS mapping *and* RFC2307 standards-based UNIX-style schema extensions, he said.

“These are built in. I would consider the RFC2307 schema ‘universal Linux/Unix LDAP schema’ as these are the same extensions UNIX-based LDAP servers use e.g. OpenLDAP. They are 100% supported by Microsoft and you can call Microsoft and get support for various scenarios related to accessing the UNIX schema in AD. You are right that they don’t have the ability to support every LDAP scenario related to every possible Linux or UNIX OS but that is a challenge for all software vendors given the number of Linux and UNIX OSes out there,” Miller said.

This all leads me to believe that people are still confused on this issue. On two sides of the aisle we had two experts with two entirely different takes on how to best synch up AD with Linux, if that’s route you’ve decided on for authentication, etc. There was a small patch of common ground or two, but finding that ground as a user is tough, and probably keeps consultants like Miller in business. Ultimately, this means more reporting has to be done, and more calls to be made — including an upcoming Q&A interview and podcast with Miller to flesh out his thoughts a little more than we could over email.