FreeOTP in Your Own Language

On Monday we announced the immediate availability of FreeOTP, the open source OTP app for Android.  The response has been fantastic! We immediately had a huge surge in installs and a lot of positive reviews. If you haven’t yet had a chance to post your review, do it now.

However, unless your language is English, FreeOTP doesn’t currently speak your language. Help us solve this problem! Translating Android apps isn’t difficult, and in most cases requires little other than editing an XML file. If you would like to contribute a translation, please file a ticket or send us an email. We’re glad to help you any way we can!

Announcing FreeOTP

I’d like to announce the general availability of FreeOTP for Android. It is available for install now in the Google Play store.

FreeOTP is a multi-factor authentication client based on the HOTP and TOTP standards. FreeOTP features:

  • A FLOSS code base
  • Support for HOTP or TOTP
  • Native QR code scanning
  • Adherence to the Android UI design principles
  • Tablet support

We anticipate that FreeOTP should work with any server providing HOTP or TOTP support, including the upcoming OTP support in FreeIPA.

So, if you fancy a bit of adventure, please try FreeOTP! We welcome your feedback. Please also don’t forget to leave your positive reviews on Google Play so that it will be easier for other Android users to find out about FreeOTP.

We have also developed FreeOTP for iOS and are currently working to bring it to the Apple App Store. Please stay tuned for future news!

The FreeOTP project is hosted on Fedora Hosted. We welcome your feedback and contributions.

Lexington in exemplum

Bluegrass Airport is a microcosm of Lexington, KY. It is also a fantastic example of everything I love about living here. To be sure, it is a small airport: one terminal, two concourses and a collection of puddle-jumpers that fly only to larger airports. But everything about flying here reminds me of why I choose to live in the Bluegrass.

There is never traffic leading into the airport, nor could you get confused about where to go. Everything is clearly labelled. The landscaping is well appropriated and the buildings are clean, modern and offer free WiFi. I have only once seen a line for security, and it was when a large group was flying. Every employee, both public and private, smiles and wishes you good day or a safe flight.

Flying out of Lexington may be small on features, but it is big on charm. It has one restaurant (deSha’s) and one coffee stand. But the food is always high quality, prepared quickly and at a fair price. On my last trip, upon approaching the desk of the coffee stand, I was offered an apology that they had just raised their prices. However, they told me that since I was the first customer since the price raise they would give me my item at the old price!

This theme extends all over Lexington. While it may not have everything, it is big enough to have everything you need without the problems larger cities face. It is clean, friendly, well appointed and with an abundance of charm (especially, driving through its nearby horse farms). You couldn’t ask for a better place to raise a family!

Seth Vidal in Memoriam

I was extremely saddened today to hear of the loss of Seth Vidal. Although I can’t claim to have known him well, we had met on several occasions and I was able to work on a side project with him. Seth will always be special to me because my first foray into Python was reading and attempting to understand some code he had written. Seth also had a great sense of humor. He could turn almost anything into a joke. Seth’s impact on Fedora was in many ways immeasurable. Judging by his code and infrastructure alone couldn’t do him justice. His wit and enthusiasm were contagious.

My sincerest condolences go out to his family and friends. Our thoughts and prayers are with you.

FreeIPA Two Factor Authentication Test Day

Welcome testdayers! Today’s test day will feature FreeIPA’s new Kerberos OTP support.

FreeIPA’s OTP support is a new feature and we are not yet providing a comprehensive management UI. But with a little tweaking of LDAP via some provided helper scripts, we should be able to test upstream plumbing work that makes OTP possible on MIT krb5.

Please check out the test day page where you will find live CDs and instructions on how to test. In particular, we are actively looking for people to test OTP against your own third party 2FA services. This will help us establish a list of known good solutions and give us targets for improving our compatibility.

Whether you join us on IRC or via email, we look forward to hearing from you!

QEMU with PowerPC64 Guests

TL;DR

For a fully functioning Debian Sid PPC64 guest image, follow the README.txt here: http://npmccallum.fedorapeople.org/qemu/ppc64/debian/

QEMU 1.4.0

With QEMU 1.4.0, PPC64 guests are close to working out of the box. It took some exploration to figure out exactly how to make this work, but it is mostly simple once you figure it out. In short, PPC64 emulation has a flaky IDE controller. This causes random lockups. You can work around this on Debian Sid.

Things that Don’t Work

  • virtio disks: This appears to be a QEMU problem as I can’t get it to work without random lockups on numerous distros, most notably Fedora 18.
  • graphical console: The only way to get the system to boot is with -nographic.
  • boot-loader after install: I’m not sure why, but this crashes QEMU. The workaround is to load the kernel/initrd directly and bypass the boot-loader.
  • power management: There are no fancy features like rebooting or powering off. You’ll have to do it manually.
  • Fedora 18: The PPC64 ISO appears not to have drivers for either the ATA or SCSI controllers that QEMU supports. Since virtio support doesn’t appear to work (see above), that means Fedora 18 has no disk driver support.

Installing Debian Sid

  1. Create a temporary directory:

    mkdir ppc64; cd ppc64

  2. Download the Debian Sid kernel image:

    wget http://ftp.us.debian.org/debian/dists/sid/main/installer-powerpc/current/images/powerpc64/netboot/vmlinux

  3. Download the Debian Sid initrd image:

    wget http://ftp.us.debian.org/debian/dists/sid/main/installer-powerpc/current/images/powerpc64/netboot/initrd.gz

  4. Create a disk image:

    qemu-img create -f qcow2 debian-sid-ppc64.qcow2 10G

  5. Start QEMU:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2 -kernel vmlinux -initrd initrd.gz -append "console=ttyPZ0 libata.dma=0 debian-installer/allow_unauthenticated=true"

    1. console=ttyPZ0 – This is needed to make the console work when using -nographic.
    2. libata.dma=0 – This disables DMA on the ATA controller. It makes the controller more stable (NOTE: I didn’t say perfectly stable…).
    3. debian-installer/allow_unauthenticated=true – When I tried to install the first time through, I got to the end and got complaints about unsigned packages. This is likely a simple error in the repo. NOTE WELL: this option disables security (the installer will accept unsigned packages).
  6. Follow install instructions.
  7. When the OS tries to reboot, it won’t work. Just shut down the VM.
  8. Start QEMU again:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2

  9. Notice that QEMU crashes: Uh oh!
  10. Use qemu-nbd to mount your boot/root partition and extract the kernel and initrd images. Alternatively, just download them from here.
  11. Start QEMU again:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2 -kernel vmlinux-3.2.0-4-powerpc64 -initrd initrd.img-3.2.0-4-powerpc64 -append "console=ttyPZ0 libata.dma=0 root=/dev/sda3"

  12. Bask in all the PPC64 guest glory!
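Step 10 is left as an exercise above; as an added example (not from the original post), this Python helper does the qemu-nbd extraction and builds the step 11 command line. It assumes it runs as root on the host, that the nbd kernel module is available and /dev/nbd0 is free, and that the root filesystem is partition 3, matching the post's root=/dev/sda3; the partition number is a parameter in case yours differs.

```python
# Added example (not from the original post): helper for step 10 that extracts
# the installed kernel/initrd from the qcow2 image with qemu-nbd so step 11 can
# boot them directly. Assumptions: run as root, nbd module available, /dev/nbd0
# free, root filesystem on partition 3 (the post boots with root=/dev/sda3).
import glob
import os
import shutil
import subprocess
import tempfile

NBD_DEV = "/dev/nbd0"

def boot_cmdline(image: str, kernel: str, initrd: str, root_part: int = 3) -> list:
    """argv for the step 11 command, one list element per argument so the
    -append string needs no shell quoting."""
    append = f"console=ttyPZ0 libata.dma=0 root=/dev/sda{root_part}"
    return ["qemu-system-ppc64", "-nographic", "-hda", image,
            "-kernel", kernel, "-initrd", initrd, "-append", append]

def check_args(image: str, root_part: int) -> bool:
    """Sanity-check inputs before touching any block device."""
    return os.path.isfile(image) and isinstance(root_part, int) and root_part > 0

def extract_boot_files(image: str, root_part: int = 3, outdir: str = ".") -> list:
    """Attach the image to NBD_DEV, copy /boot/vmlinux-* and /boot/initrd.img-*
    from the root partition into outdir, and always detach afterwards."""
    if not check_args(image, root_part):
        raise ValueError(f"bad image or partition: {image!r}, {root_part!r}")
    mnt = tempfile.mkdtemp(prefix="ppc64-")
    copied = []
    subprocess.run(["modprobe", "nbd", "max_part=8"], check=True)
    subprocess.run(["qemu-nbd", "-c", NBD_DEV, image], check=True)
    try:
        subprocess.run(["udevadm", "settle"], check=False)  # wait for nbd0pN nodes
        subprocess.run(["mount", "-o", "ro", f"{NBD_DEV}p{root_part}", mnt], check=True)
        try:
            for pattern in ("vmlinux-*", "initrd.img-*"):
                for path in glob.glob(os.path.join(mnt, "boot", pattern)):
                    copied.append(shutil.copy(path, outdir))
        finally:
            subprocess.run(["umount", mnt], check=False)
    finally:
        subprocess.run(["qemu-nbd", "-d", NBD_DEV], check=False)  # always detach
        os.rmdir(mnt)
    return copied

if __name__ == "__main__":
    files = sorted(extract_boot_files("debian-sid-ppc64.qcow2"), reverse=True)  # vmlinux-* first
    print(" ".join(boot_cmdline("debian-sid-ppc64.qcow2", *files)))
```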

Migrating the Blog to OpenShift

So this weekend I migrated the blog to Red Hat’s awesome new OpenShift service. If you are reading this, it means the migration was successful! Overall it went fairly smoothly. I’ve migrated my install multiple times at this point, so I was familiar with the process. But I also found that Deon Garrett has written some great documentation.

One of the problems identified by Deon is the inability to CNAME the root of the domain. Basically he uses a common domain provider’s URL Forwarding feature to redirect example.com to www.example.com. This workaround is great for a typical WordPress install. But for a subdomain-style, multisite installation, you have a problem where his forwarding approach results in an infinite redirect loop.

The key is that in a subdomain-style multisite installation, WordPress redirects www.example.com back to example.com. In order to fix this, we need to trick WordPress into thinking that www.example.com is, in fact, example.com. You can do this simply by adding a single line to your .htaccess file:

RequestHeader edit Host "^www\.(.*)$" "$1"

This line strips ‘www.’ from the start of every Host header. This works in my installation, but you might need something a bit more specific for your installation. For additional options, see mod_headers.

If you have interest in deploying WordPress on OpenShift, you should note that I have provided pull requests for updating OpenShift’s WordPress to 3.5.1 (the latest) and for enabling multisite WordPress uploads.

Happy OpenShifting!

Announcing… webSSO

webSSO is a new cloud-centric, federated authentication system developed to solve the problems of deploying authentication across heterogeneous infrastructures. It is a thin policy layer on top of widely deployed and trusted protocols such as HTTPS and TLS client certificate authentication. It provides:

  • Single sign-on across local, Internet and cloud infrastructures
  • Globally unique identities via existing certificate authorities
  • Decentralized authentication
  • Credential delegation
  • Deployment on existing HTTPS stacks
  • Multi-protocol support (i.e. not restricted to HTTP)
  • Cryptographic trust validation of all parties

It is true, there are lots of authentication protocols available. Kerberos, for instance, is a widely deployed, mature protocol for local infrastructure. However, it has almost no Internet presence, mostly because identity providers are not willing to expose their Kerberos servers to the Internet. Kerberos also competes in the encryption space with SSL/TLS, the hands-down winner in the web-enabled world. Lastly, Kerberos has difficulty scaling in large, flat topologies.

Outside of the enterprise context, OpenID has a large presence on the Internet. As one of the first attempts at creating a federated identity system on the Internet, it has accomplished remarkable things. However, OpenID doesn’t do single sign-on. Nor does it validate all parties in the authentication transaction, leading to problems with security/phishing. When combined with OAuth, OpenID can perform credential delegation. But implementing these protocols is quite complex, leading to bugs that compromise security. OpenID is also tightly tied to the web-based world and has gained no traction outside this environment.

The true problem arises when the local infrastructure and Internet worlds meet. If you want to use your enterprise identity on the Internet or in a cloud service, you’re pretty much out of luck. The same is mostly true with using your Internet identity in the enterprise. Thus, webSSO came about as we began to envision a world where there was no division between local, Internet and cloud infrastructures.

For more information about webSSO, check out our website where you can find the Internet Draft, a full description of the protocol and my presentation for the Cloud Identity Summit. If you happen to be at the Summit, check out the New Technology Panel in the Cascade Ballroom at 12pm Mountain Time today or look me up!