The day Germany went offline

DENIC messed up their DNS servers today, rendering most of the domains in .de unreachable. In technical terms, requests to their servers either timed out or returned an NXDOMAIN answer, which states that the domain does not exist.

Kristian Köhntopp came up with the following URL to the DENIC homepage:

http://www.denic.de/typo3temp/pics/i_64bbbffdb3.jpg

I think if this is what DENIC considers to be a domain, it's really astonishing that .de did not break earlier :-) Ironically, this site may not be reachable right now.

Several SSL certificates on one IP with Apache

For years there has been the problem that SSL/HTTPS required a separate IP per X.509 certificate. Almost all webservers serving unencrypted plain HTTP/1.1 support a mechanism called name-based virtual hosts, which enables a theoretically unlimited number of different domains on one IP. This did not work for HTTPS because the TLS handshake, and thus the choice of certificate, happens before the client sends the HTTP Host header; the server had no way of knowing which site was being requested. Server Name Indication (SNI) fixes this by sending the hostname in the TLS ClientHello, so the server can pick the matching certificate before the handshake completes.

Now it was time to enable SNI on my Apache 2.2 instance. In fact I only changed the NameVirtualHost directive and enabled mod_ssl. I now have NameVirtualHost twice in the global Apache configuration:

NameVirtualHost *:80
NameVirtualHost *:443

Now I only had to add a separate certificate for each virtual host. Works like a charm.

The only documentation I had can be found here:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
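The following is an added example of what the resulting per-vhost certificate configuration looks like; it is not the configuration from this post, and the hostnames, document roots and certificate file names are assumptions. It also shows the caveat the wiki page warns about: clients that do not send SNI are served by the first *:443 vhost, so its certificate acts as the fallback.

```apache
# Added example (not the post's own config): two name-based HTTPS vhosts
# on one IP, selected by SNI. Hostnames, paths and cert file names are assumptions.
Listen 443
NameVirtualHost *:443

# mod_ssl picks the vhost whose ServerName/ServerAlias matches the
# server_name extension in the ClientHello. A client that sends no SNI
# gets the FIRST vhost for this IP:port, so order matters: put the site
# whose certificate you are willing to present as the fallback first.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.org.key
    SSLCertificateChainFile /etc/ssl/certs/example.org-chain.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.net.key
    SSLCertificateChainFile /etc/ssl/certs/example.net-chain.pem
    # Refuse SNI-unaware clients for this vhost (403) rather than letting
    # them reach it through the default vhost with the wrong certificate.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

SNI support in mod_ssl requires httpd 2.2.12 or later built against OpenSSL 0.9.8f or later with TLS extensions enabled; on Apache 2.4 the NameVirtualHost directive is ignored and name-based matching on *:443 is automatic. To check which certificate a given name gets, connect with `openssl s_client -connect host:443 -servername www.example.net` and compare the subject with the same command without `-servername`, which shows what non-SNI clients see.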

Using SSSD for single-sign-on

I need to work on some of my systems with my LDAP/Kerberos5 user while not being connected to any network. Until now I have managed to get around this by using pam-ccreds and nss-db, which locally cache user credentials and account information.

Now there's a new approach to this whole situation: SSSD, a project introduced by Fedora.

It combines the functionality of pam-ccreds and nss-db while enhancing it with several features like multi-domain support (e.g. using several different LDAP sources for user authentication). A PAM and an NSS module are provided, while the main part of the configuration is done inside one single file: /etc/sssd/sssd.conf

My current configuration can be found as a Puppet template:  sssd.conf

The appropriate NSS configuration: nsswitch.conf

And the different PAM stage configurations, tailored for a Debian/Sid installation:

I have migrated all my systems to SSSD by now and it works like a charm, no more silly KRB5 timeouts when working offline.
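As an added illustration, here is a minimal sssd.conf for one LDAP/Kerberos domain with offline credential caching. It is not the Puppet template from this post; the server names, realm, search base and CA path are assumptions.

```ini
# Added example (not the post's own Puppet template): /etc/sssd/sssd.conf
# for one LDAP+Kerberos domain with offline credential caching.
# Server names, realm, search base and CA path are assumptions.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.org

[nss]
# Never resolve root through the directory, so a bad LDAP answer
# can't redefine the local superuser.
filter_users = root
filter_groups = root

[pam]
# Cached passwords stay usable for this many days while offline; 0 = forever.
offline_credentials_expiration = 14
# Lock the cached account for 5 minutes after 5 failed offline attempts.
offline_failed_login_attempts = 5
offline_failed_login_delay = 5

[domain/example.org]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# Identity: users/groups over LDAP with a verified server certificate,
# so nobody on the network can feed the host fake UIDs or group memberships.
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_tls_reqcert = demand
# Authentication: Kerberos.
krb5_realm = EXAMPLE.ORG
krb5_server = kdc.example.org
krb5_kpasswd = kdc.example.org
# Offline operation: after a successful online login, keep a hash of the
# password in the local cache so the same user can log in without the KDC,
# and keep the password in the kernel keyring so a TGT is fetched
# automatically once the network is back.
cache_credentials = true
krb5_store_password_if_offline = true
# Resolve accounts on demand instead of mirroring the whole directory.
enumerate = false
```

sssd refuses to start unless this file is owned by root with mode 0600, because it may contain bind credentials; the cache it writes under /var/lib/sss/db/ is likewise root-only and holds the password hashes that make offline logins possible. On the NSS side the matching nsswitch.conf lines are `passwd: files sss`, `group: files sss` and `shadow: files sss`, and the PAM stacks get `pam_sss.so` in the auth, account, password and session stages after the local pam_unix.so entries.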
