
Category: General

How this site is built and updated

We've been (very) infrequently updating this blog thing since 2006. In that time it's had a number of homes: it probably started as a VM on a machine under the desk in my office, then it spent years flipping between running directly and indirectly (as a VM) on servers in our datacenter. After our old hardware started failing, we moved it to the cloud, running on an EC2 instance. Now, it's running in a container. Initially, this blog was created to test and document this newfangled SAML authentication protocol, starting with mod_shib (from Shibboleth v1). When Shibboleth v2 was released, we switched to SAML 2.0 and mod_shib2.

In late 2014, our team started deploying Drupal websites on AWS using Docker images running on CoreOS. As part of that effort we created a base LAMP image using Ubuntu. We also added SimpleSAMLphp to the image to support authentication, since it had features that were a better fit for our environment than mod_shib2 (mainly that there was no separate daemon, like shibd, and that it could store session data in the same database as Drupal, making load balancing much simpler).

In early 2015 we started merging the two efforts, resulting in this new containerized, load-balanced, and easily updated version of our blog.


Yubikey PIV for SSH on Macs

We generally use Duo for two-factor authentication, including SSH. We have some scenarios where people would like to use two-factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there is no interactive Duo prompt, so it only works with Duo Push: you have to unlock your phone, tap the Duo notification, then tap 'Approve'. You may also need to make changes to your git server; with GitLab we have to use a non-setuid copy of login_duo with a second configuration file, and manually update the git account's authorized_keys file so that every SSH key that needs two-factor is forced through login_duo before gitlab-shell runs. Note that an authorized_keys entry must be a single line (sshd has no line-continuation syntax), so the entry for key 2 looks like this, with the remaining gitlab-shell restrictions elided:

  command="/usr/sbin/login_duo_git -c /etc/security/login_duo_git.conf -f alice /home/git/gitlab-shell/bin/gitlab-shell key-2",... ssh-rsa AAAA...
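Hand-editing one of these entries per key is error-prone, so here is an added example (not from the post, and not GitLab's or Duo's own tooling) that generates the login_duo-wrapped entry from a gitlab-shell authorized_keys line. The login_duo_git, configuration and gitlab-shell paths and the Duo user "alice" are taken from the post; the restriction list is the one gitlab-shell normally writes for its keys, and the sample key line is constructed for illustration (not a real key).

```shell
#!/bin/sh
# Generate login_duo-wrapped authorized_keys entries for GitLab SSH keys.
# Added example; paths follow the post, everything else is an assumption.

LOGIN_DUO=/usr/sbin/login_duo_git
DUO_CONF=/etc/security/login_duo_git.conf
GITLAB_SHELL=/home/git/gitlab-shell/bin/gitlab-shell
# Restrictions gitlab-shell puts on every key. Keep them so that a session
# Duo has approved still cannot get a pty or forward ports/agents.
RESTRICT=no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

# duo_key_line DUO_USER KEY_ID KEY_TYPE KEY_DATA [COMMENT]
# Prints a single authorized_keys line that runs login_duo for DUO_USER and,
# on approval, hands the connection to gitlab-shell for key KEY_ID.
duo_key_line() {
    duo_user=$1
    key_id=$2
    key_type=$3
    key_data=$4
    comment=${5:-}
    # A quote or space in these fields would break out of the command="..."
    # option and change what sshd executes, so refuse anything unexpected.
    case "$duo_user$key_id$key_data" in
        *[!A-Za-z0-9+/=._@-]*)
            echo "duo_key_line: unsafe characters in user, key id or key" >&2
            return 1 ;;
    esac
    line="command=\"$LOGIN_DUO -c $DUO_CONF -f $duo_user $GITLAB_SHELL key-$key_id\",$RESTRICT $key_type $key_data"
    [ -n "$comment" ] && line="$line $comment"
    printf '%s\n' "$line"
}

# wrap_gitlab_line DUO_USER LINE
# Takes an entry as gitlab-shell wrote it (command="... key-N",restrictions
# type data [comment]) and re-emits it wrapped with login_duo.
wrap_gitlab_line() {
    duo_user=$1
    line=$2
    key_id=$(printf '%s\n' "$line" \
        | sed -n 's/^command="[^"]*gitlab-shell key-\([0-9][0-9]*\)"[^ ]* .*/\1/p')
    if [ -z "$key_id" ]; then
        echo "wrap_gitlab_line: not a gitlab-shell entry" >&2
        return 1
    fi
    # Drop the command="..." option and the restriction list; what remains
    # is "type data [comment...]".
    rest=$(printf '%s\n' "$line" | sed 's/^command="[^"]*"[^ ]* //')
    set -- $rest
    key_type=$1
    key_data=$2
    shift 2
    duo_key_line "$duo_user" "$key_id" "$key_type" "$key_data" "$*"
}

# Demo on a constructed entry (the key material is not real).
SAMPLE='command="/home/git/gitlab-shell/bin/gitlab-shell key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLE alice@laptop'
wrap_gitlab_line alice "$SAMPLE"
```

Run it over the git account's authorized_keys with a loop that maps each key id to its Duo user, and keep the original file so entries can be restored if login_duo misbehaves; the unsafe-character check is what stops a crafted key comment or user name from turning the forced command into something else.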

I've had a few Yubikeys lying around, and I finally decided to try one for SSH. I found Thomas Habets' Yubikey 4 for SSH with physical presence proof instructions for Linux, and modified them to work on Macs. I've tested with OS X 10.11 (El Capitan) and macOS 10.12 (Sierra), but if you're using an older version of OS X you should upgrade, or follow Yubikey's instructions to ensure that Yubikeys are recognized.


Service Alert Log

Got paged just before 4pm on Sunday 6-13-2010 that AMCOM HL7 was down. Called the IT Operations center, talked to Chauncy to see which shc list…


VMware Silicon Valley Users Group

First talk

Phil Starke, Senior Manager, Cloud Practice. His presentation was VMware vCloud and Project Redwood. This was an interesting session since I'd not heard of VMware's cloud offerings before.

Concepts covered: Cloud Computing according to VMware

  • "Lightweight entry/exit service acquisition model"
  • Consumption based pricing (pay per drink); requires activity based accounting
  • Accessible using standard internet protocols
  • Elastic computing resources
  • Improved economics due to shared infrastructure
  • Cloud value: Instead of having IT people to manage particular pieces of infrastructure, automation and standardization drives IT staff to increase capacity and value.
  • Compute resources (platform) as a service
  • Application as a service (e.g. Salesforce)