agoraphobia

the little blog of agoracon.at. it's about sharing knowledge.

Password Management for Teams

We’ve been looking for a proper password management tool for our team for quite some time. Even if we focus on Single-Sign-On wherever possible, you still end up with a good collection of service users or privileged users.

Our requirements (besides security) were

  • usability
  • no shared passwords
  • access control
  • easy to integrate in our work flows

Based on our style of work we were searching exclusively for command line tools.

You are right - by the time I write this blog post we’ve already found our password management tool: pass

$ brew install pass  # Depends on: xz, pwgen, tree, gnu-getopt, gnupg2

Pass is based on GnuPG, so encryption, decryption and trust are all handled through your GPG keyrings. The pass documentation shows the usage for a single-user workflow. The simplest adaptation for teams is to use GPG groups.

By default GPG groups are defined in the local configuration file. So if you don’t change your team members often, this is perhaps convenient enough for you. If not, I would search for a way to use includes in the configuration file, keeping the fragment itself in the repository.

$ gpg2 --gen-key     # in case you need a new or separate keyring

If you are located behind a firewall that blocks port 11371/tcp, you should switch the GnuPG keyserver communication to port 80/tcp:

$ grep ^keyserv ~/.gnupg/gpg.conf
keyserver  hkp://p80.pool.sks-keyservers.net:80

$ gpg2 --send-keys <keyid>
$ gpg2 --search-keys <team-members>

After the typical key signing and the group setup we are ready to create the password repository.

$ pass init <gpg_group_name>
$ pass git init
$ pass git remote add origin myserver.net:pass-store

Now you can store and retrieve passwords with pass. Have a look at the man pages or the web site.
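One way to keep the group definition in the repository, as suggested above, is a small script that installs a versioned gpg.conf fragment on each team member’s machine. This is an added example, not code from the original post or from the pass project; the file names and key ids are constructed sample values.

```shell
#!/bin/sh
# Added example: keep the team's GnuPG group definition as a fragment inside
# the password repository and install it into the local gpg.conf, so
# "pass init <group>" and every re-encryption see the same member list on
# every machine. File names and key ids are constructed sample values.
#
# The fragment holds one gpg.conf line:  group <name>=<keyid> <keyid> ...

# install_group_fragment FRAGMENT GPG_CONF
# Replaces any existing definition of the same group name and appends the
# fragment's line, so re-running after a team change is safe (idempotent).
install_group_fragment() {
    fragment=$1
    conf=$2
    line=$(grep '^group ' "$fragment" | head -n 1)
    if [ -z "$line" ]; then
        echo "no 'group' line in $fragment" >&2
        return 1
    fi
    name=$(printf '%s\n' "$line" | sed 's/^group *\([^= ]*\).*/\1/')
    # keep every other setting (keyserver, default-key, ...) untouched
    if [ -f "$conf" ]; then
        grep -v "^group *$name *=" "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf '%s\n' "$line" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# group_members NAME GPG_CONF
# Prints the key ids of a group, one per line: the set pass will encrypt to.
group_members() {
    sed -n "s/^group *$1 *=//p" "$2" | tr ' ' '\n' | sed '/^$/d'
}

# Typical use on a team member's machine (not run here):
#   install_group_fragment ~/.password-store/.gpg-group ~/.gnupg/gpg.conf
#   pass init pass-team     # the group name from the fragment
```

Checking `group_members` against the fingerprints you actually signed is a quick way to notice a member who was added to the fragment but never trusted locally.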

Let me know if you like this approach or you decided to go for another one - feedback welcome.

Links

Job Postings and Technology

Sample job postings of companies without legacy systems:

Leading Music Video Platform
Key Skills Required 2 x Mid-Senior Level Developers
Rails, RSpec, Cucumber, .JS, Chef, Puppet, API’s, Redis, Cassandra, NoSQL, TDD, BDD, GIT

Top Video Hosting Platform
Key Skills Required 1 x Mid-Level Developer 1 x Senior Developer
Rails, JS, NoSQL, HTML5 Mongo, AWS (Beneficial) TDD, BDD, GIT

Streaming Content Specialist
Key Skills Required 1x Mid-Level Developer 1 x Senior/Lead Developer
Rails, Sinatra, HTML5 RSpec, Coffeescript, GIT, Redmine, RabbitMQ, Capistrano, API’s, TDD, BDD

Leading Niche Travel Specialist
Key Skills Required 2 x Mid-Level Developer 2 x Senior Level Developers
Rails, MongoDB, CouchDB, GIT, TDD, BDD

Oracle 11.2 OS X Instant Client

Better late than never: Last Thursday (Jan 31 2013), Oracle released the Mac OS X version of the database instant client version 11.2 (11gR2).

Before that, only a client for version 10.2 was available.

Oracle 10.2 was released in 2005, version 11.2 in 09/2009.

I call the Instant Client the real client for Oracle RDBMS, in terms of what a client really needs (while Oracle calls it the other way round): just the fundamental libraries, a few binaries, and optionally an SDK. No installer and no Oracle home path.

On an Oracle blog Christopher Jones asks for feedback in case you use the client. Oracle needs to justify the resources for the OS X bundle.

While their company acquisitions seem to be driven more by customer base than by technology, is their knowledge of their own customers really so limited?

I don’t think so - Oracle knows quite well what their customers are using, even without market research or surveys: the Oracle user groups, conferences, support sites, etc.

Anyway, I wrote Christopher an email telling him I’m happy with the new client…

Once the Rockets Are Up… How to Survive

I missed it.
I missed it again.
But - this time was the last time.
Next year I will be there.
For sure.

The Chaos Communication Congress, the annual congress of the Chaos Computer Club.

“Not my department” was the title this time, pushing the event in a slightly more political direction, after “Behind enemy lines”, “We come in peace”, or “Here be dragons”.

You can find the congress archives here.

Since the C3 is a hacker and security congress, chances are good that hackers will be around too. And there is a free and open WLAN…

So be prepared.

The good folks from CCC have compiled a preparation list that’s good for the conference but also good for the rest of the time.

29C3 - How to survive

It covers the main client operating systems (Linux, BSD, OS X, MS-Windows) telling you how to ensure basic security on your system.

Keep in mind: every system can be hacked. It just depends on the effort others are willing to spend…

RBAC Security Model for Organizations

For several months now we have been working on designs and implementations of identity management (IdM), a discipline that increases security and UX in the IT landscape of organizations.

IdM is quite an interesting area: you need to touch and use a big set of technologies and a bunch of already existing security standards. And you need to talk to many people in an organization.

Here are some tips and rules you should follow, independent of products you may use.

Note: We are talking here about role based access control (RBAC), which is the most prevalent authorization model. Other models can easily connect to this design.

So let’s start.

No matter where your central point of structure or truth is located, either in an application or, more commonly, in a directory service, the design of this area is the key.

A recent talk I gave in a customer project: Directory Structure

Implementing organizational hierarchies in IT systems usually gives you headaches and a lot of work, since those hierarchies tend to change frequently in large organizations. But we don’t like frequent changes to our structure and security base. So we need a clever design here: allow the data to change, not the structure.

In IT we always start with a layer model, even if we don’t need one - it sounds good in presentations :-)

Our model, or how we see this world:

  • Layer one: identities (also called persons, users)
  • Layer two: organizational units (teams, departments, etc.)
  • Layer three: organizational roles (enterprise roles)
  • Layer four: application specific roles (groups)

The first one is a flat list of identities; the second one is usually needed to implement a certain form of hierarchy and membership.

Talking in LDAP: use “member of” for memberships. It’s easy to browse up the hierarchy. Optionally you may implement a second list, “members”, for comfortably browsing down the hierarchy, in case the directory server does not offer this automatically. You should be aware that this is data redundancy, but it is often very useful.

The third layer is a flat list without inheritance, each role describing a certain general role in your organization. Keep this one more business/organizational related and don’t tie it to the applications or products in use.

The last one is a long, flat list of already existing, application-defined roles or groups. Those may be technical or business roles; it doesn’t matter, since the applications are the master of that data. They need to maintain the mapping to their low-level application permissions.

What’s an application?

Well, every kind of system we deal with is an application. It may be your CRM system, a trouble-ticket system, a physical access control, or your intranet system. And yes, your file server and mail server are applications too.

Wow, a lot of data here!

That’s true, but we won’t enter it manually. See below…

So, how to use this?

Everything we do then is to create and maintain relations between elements of those layers.

You won’t map from layer one (identities) directly to layer four (app roles); this is like shooting yourself in the foot. Abstraction in our case means linking via layer three, our organizational roles.

Please serve yourself

A self-service application may be used to create new relations or end-date existing ones. In general that’s a good idea, since even medium-sized organizations already deal with a huge set of entries and relations.

Changes on those relations can be provisioned directly or as an approval workflow. You can even use both methods, depending on who captures this change.

Request and approval permissions should be mapped again to enterprise roles or in that special case to the owner of the involved objects (in LDAP represented with the owner field).

An example

We decided to create a new organizational role for finance controllers, since their responsibilities are already too distinct from those of finance agents, the role we used up to now. Our ERP team has already implemented a new ERP role erp-controller, covering their needs in a better way.

We will create this new organizational role finance controller and then request to map this role to the ERP application role erp-controller. This request shall be approved by the responsible team, in this case the ERP security team.

We know this, because the organizational role security-erp is the owner of application role erp-controller (like for all other ERP application roles). Three persons are currently in security-erp, and we hope not all of them are currently on vacation. An email has been sent to notify them we need their approval.

I hope you get the point…
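The four layers and the approval rule from the example above, resolved in code. This is an added example, not part of the original post; the units, identities and role names are constructed sample data modelled on the finance-controller case.

```python
# Added example, not from the original post: the four-layer model resolved in
# code. Identities reach application roles only via enterprise roles, and a
# mapping to an app role is approved by that app role's owner. Sample data only.
from dataclasses import dataclass, field

@dataclass
class Directory:
    unit_parent: dict = field(default_factory=dict)     # layer 2: unit -> parent
    identity_unit: dict = field(default_factory=dict)   # layer 1 -> layer 2
    unit_roles: dict = field(default_factory=dict)      # layer 2 -> layer 3
    identity_roles: dict = field(default_factory=dict)  # layer 1 -> 3 (requested)
    role_apps: dict = field(default_factory=dict)       # layer 3 -> layer 4
    app_owner: dict = field(default_factory=dict)       # layer 4 -> owning role

    def units_of(self, identity):
        # walk up the hierarchy via "member of" (unit -> parent unit)
        unit = self.identity_unit.get(identity)
        while unit is not None:
            yield unit
            unit = self.unit_parent.get(unit)

    def enterprise_roles(self, identity):
        roles = set(self.identity_roles.get(identity, ()))
        for unit in self.units_of(identity):
            roles.update(self.unit_roles.get(unit, ()))
        return roles

    def app_roles(self, identity):
        """Layer 1 never maps to layer 4 directly: always through layer 3."""
        return {app for role in self.enterprise_roles(identity)
                for app in self.role_apps.get(role, ())}

    def approvers(self, app_role):
        """Identities holding the owner role of an application role."""
        owner = self.app_owner.get(app_role)
        return {i for i in self.identity_unit if owner in self.enterprise_roles(i)}

    def move(self, identity, new_unit):
        """HR move: drop direct relations, attach to the new team."""
        self.identity_roles.pop(identity, None)
        self.identity_unit[identity] = new_unit

def sample_directory():
    d = Directory()
    d.unit_parent = {"finance": "company", "controlling": "finance", "it-sec": "company"}
    d.identity_unit = {"alice": "controlling", "bob": "finance", "carol": "it-sec"}
    d.unit_roles = {"finance": {"finance-agent"}, "it-sec": {"security-erp"}}
    d.identity_roles = {"alice": {"finance-controller"}}  # requested, then approved
    d.role_apps = {"finance-agent": {"erp-agent"}, "finance-controller": {"erp-controller"}}
    d.app_owner = {"erp-agent": "security-erp", "erp-controller": "security-erp"}
    return d
```

`approvers("erp-controller")` yields the members of security-erp, which is exactly the list the self-service workflow needs to notify; `move` shows the HR case where direct assignments are dropped and only team-derived roles survive.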

Who is feeding this system?

Identities and organizational units

Changes on persons and organizational groups (layer one and two) and relations between those should come from the HR team. In case there is an HR system in place, an interface to this system is the way to go.

Creation of new persons (new employees) and retirements are straightforward to implement. Moving a person from one department to another means deprovisioning the person’s direct relations and assigning them to the new team. Roles defined via the team will already be available to the person; direct assignments to certain enterprise roles need to be requested.

Application roles

For large implementations an automatic exchange of app roles with the individual applications is worth the effort. Usually the direction from the app to the IdM system is the more important one.

How are those rules enforced?

Nowadays almost all applications support directory services by LDAP integration. It’s important to use this integration for authentication and authorization.

Authentication

Authentication can be done by an LDAP call (ldapbind, ldapcompare) or by offering single sign-on (SSO). There are several options you can use for SSO. A common way for access within an intranet (or via VPN) is to implement Kerberos.

If you want to support access coming from the Internet you need another technology, e.g. your own implementation with a common cookie, OpenID, or other central authentication services.

Authorization

Systems using the directory service will retrieve the application roles the user has been assigned to.

For legacy systems not offering directory integration you need to provision this data (user and assigned app role). Data exchange in both directions tells you which rules are really in place (hacked into the end system).

Huh, this post was getting longer than I thought.

Let me know your experience or opinion…

Responsive Search Forms With Redis Database

We all know them well: relational database systems (RDBMS) – like Oracle, MySQL, PostgreSQL, etc. Basically you can model and implement everything with them, they are stable, and the standardized query language SQL is powerful.

But RDBMS may not be the answer to every question and they are not designed to handle workload and data sizes brought by our beloved Internet.

A somewhat infelicitous buzzword groups the alternatives to relational databases: NoSQL. Seldom have systems of such diversity been put together in one category…

Recently I had the joy to use one of them again, one that I really like: Redis. Solid implementation, beautiful interface, and easy to use.

Check out the web site, including an interactive tutorial.

We’ve created a prototype for a customer, helping them to write a common customer search form over multiple CRM systems. Since searches on multiple legacy systems via middleware layers may not be very responsive, a caching database sounded like the way to go.

You can find this prototype on GitHub. Updates will follow, we are still working on it.

If you want to learn more about Redis, there is a nice and free 30-page book as a PDF from Karl Seguin: The Little Redis Book.

We Use Redmine

From a couple of other services and repositories we’ve now switched to Redmine.

Redmine is a web-based project management tool you host yourself.

The tool supports all of our requirements and offers integration for several version management systems, including our main one: git.

Furthermore it offers plugins for other web services you may already use.

Documentation and knowledge sharing is one of the main features we were searching for. Redmine comes with support for the textile markup language and you can cross-reference many other project objects.

We are quite satisfied with the new solution.

Many Thanks to the Redmine team!

Introduction to Data Science

Did you like Statistics in school/university? Some people (like me) did, some not. However, if you work in IT, sooner or later you need it. Why not have another look at stats?

The University of California, Berkeley published their course materials for ”Introduction to Data Science” on the Internet. Nice material, not difficult, and well-known languages and tools are covered - and it goes without saying you will only use open source stuff…

Python, R and databases are used when you tackle big data. HTML, CSS and JavaScript for web programming.

On Mac OS X, BSD and Linux you can install Python and R with your favourite package manager. If you prefer a GUI, here is one for R: RStudio.

Have fun with statistics (again)!

Vim the Editor

Searching for a new editor? Ok, try Vim.

There are a lot of editors out there, all with their pros and cons. If you spend a big amount of your time in your editor, as a developer, a writer, or whatever, you may want to find a powerful and fast editor. It should offer the features you want, and it should be easily extensible.

One of the most common editors is “vi”, created in 1976 by Bill Joy. It has been ported to all systems I know, and it is shipped with almost all operating systems now as “Vim”. If you work on Mac OS X you can use it within the terminal or you download a Cocoa version of it: MacVim.

With Vim you work in certain modes (insert mode, command mode) and use keyboard commands to trigger functions (e.g. delete the current line: dd). Since you have to learn a minimum amount of functions, the learning curve is somewhat steep in the beginning. However, the time spent learning you’ll get back later (like always) as a much improved working speed.

Furthermore there are many extensions (plugins) available, e.g. for programming languages.

Here is a collection of links:

Cisco VPN With Mac OS X Client - Problems and Extensions

Mac OS X 10.7 Lion - as other versions before - has a built-in VPN client for Cisco VPN (IPsec). This could well be an alternative to 3rd party software like the Cisco client for Mac, or the open source vpnc package. But there are some pitfalls too.

Here is how to set up or migrate your Cisco VPN connection. Thanks to Anders Brownworth for this article.

However you might have to fix some problems until you can enjoy your stable connectivity.

One common problem is that the client drops the connection after 48 to 60 minutes, at the time it should exchange a new phase one key pair. Simon Heimlicher has a well documented work-around for that problem.

Another intended behavior may become a problem when the Cisco VPN profile tells the client not to allow local network connections. This is basically done through the client’s routing table, so let’s change it. You do this after the VPN connection has been established. You have to do this after every login, so it’s better to create a script that you can execute from your home directory or, better, from ~/.scripts.

First you have to know what your local network is; in this example this is 192.168.0.0/16 (/16 means from 192.168.0.0 to 192.168.255.255, see explanation). Then you need to know the company network(s). Ok, here we have e.g. 10.0.0.0/8, 172.16.0.0/12, and a public one like 107.94.64.0/18.

Here are the necessary steps; you can create a script with them that you need to run with sudo.

Reset VPN routing
#!/bin/sh
# run this script with sudo (sudo script.sh)
# route company networks over vpn
# pick the tunnel interface the VPN client created; abort if there is none
TUNNEL=$(netstat -rn -f inet | grep -o 'utun[0-9]*' | sort -u | head -n 1)
if [ -z "$TUNNEL" ]; then
    echo "no utun interface found - is the VPN connected?" >&2
    exit 1
fi
route add 10.0.0.0/8 -interface "$TUNNEL"
route add 172.16.0.0/12 -interface "$TUNNEL"
# sample: route add 107.94.64.0/18 -interface "$TUNNEL"
# now delete the default route for vpn
route delete default -interface "$TUNNEL"
# and reactivate your own default route (your local router)
# default route needed without flag I (interface)
route add default 192.168.1.1

After that you are able to reach your home network again and all internet traffic will run over your default route.
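Before adding routes like the ones above it helps to check which prefix a host actually falls into, so that an internal server is not silently left on the default route. The following helper is an added example, not from the original post: it expands a prefix such as 192.168.0.0/16 into its first and last address (the /16 explanation above) and tests whether a host lies inside a prefix, using only POSIX sh arithmetic.

```shell
#!/bin/sh
# Added example: CIDR helpers in plain POSIX sh, used to verify which of the
# company prefixes (10.0.0.0/8, 172.16.0.0/12, 107.94.64.0/18) a host belongs
# to before routing it over the tunnel. No external tools besides sed/read.

ip_to_int() {
    # 10.1.2.3 -> 167838211 (dotted quad to 32-bit integer)
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_mask() {
    # cidr_mask 16 -> 4294901760 (0xFFFF0000)
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_range() {
    # cidr_range 192.168.0.0/16 -> "192.168.0.0 192.168.255.255"
    prefix=${1%/*}
    mask=$(cidr_mask "${1#*/}")
    net=$(( $(ip_to_int "$prefix") & mask ))
    echo "$(int_to_ip "$net") $(int_to_ip $(( net | (mask ^ 0xFFFFFFFF) )))"
}

in_cidr() {
    # in_cidr HOST CIDR -> exit status 0 if HOST is inside CIDR
    prefix=${2%/*}
    mask=$(cidr_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$prefix") & mask )) ]
}

# which_prefix HOST CIDR... -> prints the first matching prefix, or "default"
which_prefix() {
    host=$1; shift
    for cidr in "$@"; do
        if in_cidr "$host" "$cidr"; then echo "$cidr"; return 0; fi
    done
    echo "default"
    return 1
}
```

A host that `which_prefix` reports as "default" would leave the tunnel after the script above runs, which is exactly what you want for Internet traffic and exactly what you do not want for an internal server.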