
Category: General

New Directions in Providing Active Directory Domain Services

AD over the IPv6 Internet with end-to-end IPsec using certificate-based authentication.

In a distributed IT environment like Stanford's, where teams are empowered to create their own servers using IaaS offerings like Amazon EC2, several patterns of practice enable greater velocity and scalability of change:

  1. Use of auto-assigned IP addresses and DNS servers, as provided by the cloud vendor
  2. Arbitrariness of the virtual network's private IP space
  3. Exclusive reliance on the publicly routed internet for service discovery and communication

While employing these patterns confers significant benefits, complications arise when applying them to a service like Active Directory, which, as a high-value attack target, is usually cordoned off on private networks with its services unexposed to the public internet. So a problem emerges: when a cloud-based server needs to join an AD domain, but the domain controllers (DCs) reside in a different virtual network, how are the DCs discovered and their services consumed over the public internet without compromising security?


How this site is built and updated

We've been (very) infrequently updating this blog thing since 2006. In that time it's had a number of homes: it probably started as a VM on a machine under the desk in my office, then it spent years flipping between running directly and indirectly (as a VM) on servers in our datacenter. After our old hardware started failing, we moved it to the cloud, running on an EC2 server. Now it's running in a container. Initially, this blog was created to test and document this newfangled SAML authentication protocol, starting with mod_shib (from Shibboleth v1). When Shibboleth v2 was released, we switched to SAML 2.0 and mod_shib2.

In late 2014, our team started deploying Drupal websites on AWS using Docker images running on CoreOS. As part of that effort we created a base LAMP image using Ubuntu. We also added SimpleSAMLphp to the image to support authentication, since it had features that were a better fit for our environment than mod_shib2 (mainly that there was no separate daemon, like shibd, and that it could store session data in the same database as Drupal, making load balancing much simpler).

In early 2015 we started merging the two efforts, resulting in this new containerized, load-balanced, and easily updated version of our blog.


Yubikey PIV for SSH on Macs

We generally use Duo for two-factor authentication, including for SSH. We have some scenarios where people would like two-factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there's no interactive Duo prompt; it only works with Duo Push, so you have to unlock your phone, tap on the Duo notification, then tap 'approve'. You may also need to make changes to your git server: with GitLab we have to use a non-suid copy of login_duo with a second configuration file, and manually update the git account's authorized_keys file so that every SSH key that needs two-factor authentication is wrapped in a forced command running login_duo. The entry (shown wrapped here; it is a single line in the file) looks like this:

command="/usr/sbin/login_duo_git -c \
  /etc/security/login_duo_git.conf -f alice \
  /home/git/gitlab-shell/bin/gitlab-shell key-2",... \
  ssh-rsa AAAA...

I've had a few Yubikeys lying around, and I finally decided to try one for SSH. I found Thomas Habets' Yubikey 4 for SSH with physical presence proof instructions for Linux, and modified them to work on Macs. I've tested with OS X 10.11 (El Capitan) and macOS 10.12 (Sierra), but if you're using an older version of OS X you should upgrade, or follow Yubikey's instructions to ensure that Yubikeys are recognized.


Service Alert Log

Got page just before 4pm on Sunday 6-13-2010 that AMCOM HL7 was down. Called IT Operations center, talked to Chauncy to see which shc list…
