Kerberos: the Three Headed Authenticator

Good Morning from my Robotics Lab! This is Shadow_8472, and today, I believe I finally have the key holding back a number of my projects. I haven’t finished this week’s research as of starting writing, so I have no idea of how it turns out. Let’s get started!

Critical Path

Right now, my immediate long-term goal is getting photo archive pictures scanning, preferably with a custom script to streamline the process. For that, I need a reliable computer for processing photos — my laptop would work, but I’d feel a lot better if I had its long-term memories inside the case instead of hanging out for the world to snag. I would clone them inside with dd, but I’ve been holding out until I can perform a backup to the NAS. And that is where I’ve been stuck for a month or two: authentication to the NAS instead of by individual IP… until recently.

Kerberos

I often work on topics in parallel, switching on the last day if I don’t complete something. Last week, someone brought up Kerberos, an authentication protocol that’s been around since the mid-80s, and if the Computerphile video, “Taming Kerberos,” is to be believed, it’s resistant to quantum attacks. And here is another video explaining Kerberos while addressing its weak points, something that most explanations overlook.

Named after the three-headed dog of Greek mythology, Cerberus, Kerberos follows a three-part model for authentication: client, host, and a mutually trusted authentication server. In simplified terms, the exchange between you and the authentication server has two steps: one that uses cryptographic keys so both client and authentication server are sure they know each other, and another that issues tickets, or temporary passes, for desired hosts. Given a ticket, the host then does some final checks before conducting its normal business with the client.
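To make that three-part model concrete, here is an added toy sketch in Python. It is not code from this post and not MIT Kerberos; it only mirrors the shape of the exchange. The authentication server shares a long-term key with the client and with the host, answers the client with a fresh session key plus a ticket sealed under the host’s key, and the host does the “final checks” (ticket meant for me, not expired, authenticator fresh, not replayed) before trusting the client. The principal names (alice, nas, mallory), the fixed clock, and the encrypt-then-MAC construction built on HMAC-SHA256 are all assumptions made for the example; real Kerberos uses standardised encryption types, pre-authentication and a ticket-granting service that this sketch leaves out.

```python
import hashlib
import hmac
import json
import os

def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared long-term secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # Toy stream cipher (HMAC-SHA256 in counter mode): a stand-in, not a real Kerberos enctype.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a dict under a shared key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key or any tampering fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

class AuthServer:
    """The mutually trusted third party: it alone knows every principal's long-term key."""
    def __init__(self, keys):
        self.keys = dict(keys)

    def issue(self, client, host, now, lifetime=300):
        # One reply only the client can open: a fresh session key plus a ticket sealed
        # under the host's key, which the client can carry to the host but not read.
        session = os.urandom(32).hex()
        ticket = seal(self.keys[host], {"client": client, "host": host,
                                        "session": session, "expires": now + lifetime})
        return seal(self.keys[client], {"host": host, "session": session, "ticket": ticket.hex()})

def client_present(client_key, client, reply_blob, now):
    """Client side: opening the reply proves it holds its key; it then builds an authenticator."""
    reply = open_sealed(client_key, reply_blob)
    authenticator = seal(bytes.fromhex(reply["session"]), {"client": client, "timestamp": now})
    return bytes.fromhex(reply["ticket"]), authenticator

class Host:
    """A service (the NAS, an SSH server) that trusts the AuthServer rather than the client."""
    def __init__(self, name, key, max_skew=60):
        self.name, self.key, self.max_skew = name, key, max_skew
        self.seen = set()  # replay cache of authenticators already accepted

    def accept(self, ticket_blob, authenticator_blob, now):
        ticket = open_sealed(self.key, ticket_blob)  # only the AS could have sealed this
        if ticket["host"] != self.name:
            raise ValueError("ticket was issued for a different host")
        if now > ticket["expires"]:
            raise ValueError("ticket expired")
        auth = open_sealed(bytes.fromhex(ticket["session"]), authenticator_blob)
        if auth["client"] != ticket["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["timestamp"]) > self.max_skew:
            raise ValueError("authenticator timestamp outside allowed clock skew")
        if authenticator_blob in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator_blob)
        return ticket["client"]

def _outcome(fn):
    try:
        return fn()
    except ValueError as err:
        return "rejected: " + str(err)

def demo():
    """One honest login, then the failure cases a host must catch; returns each outcome."""
    alice_key, nas_key, mallory_key = (os.urandom(32) for _ in range(3))  # constructed principals
    kdc, nas = AuthServer({"alice": alice_key, "nas": nas_key}), Host("nas", nas_key)
    t0 = 1_600_000_000.0  # fixed clock so the outcomes are deterministic
    reply = kdc.issue("alice", "nas", now=t0)
    ticket, auth = client_present(alice_key, "alice", reply, now=t0 + 1)
    forged = seal(mallory_key, {"client": "mallory", "host": "nas", "session": "00" * 32,
                                "expires": t0 + 9999})  # sealed under a key the NAS never shared
    late_auth = client_present(alice_key, "alice", reply, now=t0 + 400)[1]
    return {
        "login": _outcome(lambda: nas.accept(ticket, auth, now=t0 + 2)),
        "replay": _outcome(lambda: nas.accept(ticket, auth, now=t0 + 3)),
        "stolen_reply": _outcome(lambda: client_present(mallory_key, "mallory", reply, now=t0 + 1)),
        "forged_ticket": _outcome(lambda: nas.accept(forged, auth, now=t0 + 2)),
        "expired": _outcome(lambda: nas.accept(ticket, late_auth, now=t0 + 400)),
    }
```

Calling demo() returns the five outcomes: the honest login yields the client name, while the replayed authenticator, the reply opened with someone else’s key, the ticket sealed under a key the host never shared, and the ticket presented after its lifetime are each rejected with the reason. The point worth noticing is that the host never sees the client’s long-term key at all; everything it checks comes from a ticket only the authentication server could have produced.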

Kerberos has more practical applications than just NAS authentication. It would appear OpenSSH is perfectly happy authenticating with it. I already have around 7 to 9 SSH-enabled devices and I don’t care to manually generate and distribute keys amongst everyone. And then there’s conflicting host keys when not everything is tied down to its own static IP and my Pi 4 I’m now swapping MicroSD cards on. I’ve resolved to just having one machine I SSH into that holds most of the keys I need and then SSH into the appropriate machine from there. In the future, I may even apply this technology for that website I’ve been working towards for almost a year now.

Compiling Kerberos

There are plenty of explanations of how Kerberos works out there. So many to the point where they clogged up my searches for actually finding an implementation of the method to use as a server. I eventually found what I believe to be the preferred download over at MIT. It does, however, come with a warning about exporting cryptographic source code from the US without permission, and that it’s illegal for it to go to a short list of countries or their nationals, though I did see some possible leeway for Canadians.

I intend to set my Pac-Man ghost-themed Raspberry Pi 3 (Codename: BlinkyPie) up as the host for this authentication server. With a significantly more powerful Pi in the house, it’s no longer my go-to for small scale computing, but since this is a very small scale job, processing speed and Ethernet bandwidth shouldn’t matter so much. I pulled it out of storage in plain sight and set it next to the NAS, near where I’ll need it for another project I’ve been putting off for years now. Of course, I’ll be wanting to lock that thing up tight once I have it going long-term. For now, I’ve set it up with a static IP where such a future system will go — right in there with our other network services.

The source code came in a tar file. I extracted it, but then remembered that it’s good practice to verify the download when possible. MIT provides a PGP signature. I’ve only worked with SHA sums before, but it’s a similar idea: protect against corruption and tampering.

The PGP implementation I found to read about is called GPG. I had to look no farther than Blinky’s own Raspbian operating system to find it was already included. It’s usually nice when a little tool you learn about is already within arm’s reach. I struggled around with reading the manual, its internal help page, and looking up use-cases online. I found the public key I was missing, tracked down an instruction set under “documentation” on how to compile from scratch, and was finally able to manually verify the signature for the tarball. Trying to verify the signature in a separate directory failed to produce the key, as expected.

My first attempt at building Kerberos failed. I stepped back to research details in the instruction set I had previously glossed over, such as requiring ANSI C compliance.

At this point, I started to get some direct answers from members on the EngineerMan Discord server. EngineerMan himself personally explained that ANSI C is just a longer name for the C language, but mostly refers to older standards. He named c89, but said, “you won’t hear people call c18 ansi c though.”

My understanding of the situation is this: imagine I have a big program I intend to maintain for 50+ years. I can write it to the standards present here in 2020. But if a new standard comes out in the meantime, I can either go through the bother of updating EVERYTHING each time, leaving myself open to any bugs that might crop up as a result, or I can just keep using the 2020 standards. If someone needs to compile it, the newer compiler can always be manually configured to use the older standard. Now just backdate the situation: swap 2020 for 1989 or so, and the future compiler for the one I’m using in October 2020.

I tried recompiling a few times without changes, trying to sift through the overabundant console output. I think it was on my third attempt, when I stretched my terminal across two screens, that I noticed several messages referencing missing files.

One iteration, I redirected the first phase’s output to a log file using the > operator, but two warnings about missing files went to the console anyway (> only captures standard output, and the warnings go to standard error). One was for something called Tcl, and the other for OpenSSL. OpenSSL showed up when I looked for it, but Discord user jeffz popped in and talked me through getting the developer version. Additional packages had to be added, preferring development versions when available.

Eventually, I stabilized the configuration script (I think), at which point I copied the whole build directory to a backup. With help, I worked on brute forcing the actual compilation. Every time, a huge error log would plague me, sometimes with lines so long it would take four screens to show the full line in tiny text. User yemou on the Nixhub Discord server spotted a tiny typo in the command fragment make CFLAGS=-std=c89. Most, but not all, log activity went away after that. Oh, and jeffz pointed out some MIT Kerberos compilation instructions tailored for Debian-based distros.

Installing Kerberos From a Repository

I got close, real close, to successfully compiling. I learned a lot to file away, but when I explored that link jeffz gave me about MIT Kerberos installation on Debian, it went straight to the apt repository. I installed it and promptly messed up the admin-server package configuration.

Initial MIT Kerberos 5 configuration is unforgiving. I tried removing the packages and putting them back, but they found some other remnants to lock on to. I used the page linked above to track down and remove more mentions, but each time I plucked something out, it broke even worse. I saw someone in a similar situation asking for help. I quickly figured out how to purge when dealing with the repository, and was soon greeted with the configuration screen, though it still must have found something because it didn’t ask everything again. I read farther, and found where they were suggesting a clean install. Not what I wanted to hear, but it’s probably for the best.

This is where I sprouted off to work on last week’s topic, where I arranged for a personal master image of Raspberry Pi OS. On taking another look at the install script for Kerberos, I feel like I’m trying to install an engine in a horse and buggy — in theory it could work, but I’m getting asked questions about where the intake manifold or the gas tank are going to go. I’m spending more effort dodging the work of setting up static IPs than I am just doing the original work.

Kerberos needs to go wait out in the dog house for a while. Who knows? Maybe I’ll revisit it in five years or so and play ball then.

Final Question

While exploring available Kerberos downloads, I happened across a development branch. They warned multiple times against the wrong people using it with decreasingly relevant warnings. They finally skill gated it by giving a set of instructions to keep the hopeless beginners out of trouble. Have you ever run across any skill gates?

Raspberry Pi OS: Review and Clean Install Image

Good Morning from my Robotics Lab! This is Shadow_8472, and today, I am going over the new official Raspberry Pi operating system and producing a custom image I can deploy in case I ever need a clean install. Let’s get started!

Raspberry OS Review

BlinkyPie is my Raspberry Pi 3B+ with a Pac-Man ghost case I printed and finished myself (with help). It’s supposed to eventually host an OpenCV powered feline deterrent system I’m still aiming to deploy some day. Today, I’m starting by installing the new official operating system for all Raspberry Pis, Raspberry Pi OS, on a fresh MicroSD card.

Installation was fraught with several simple mistakes. My proper procedure is to:
1. Have an empty MicroSD card.
2. Download the OS image (over a WIRED connection) and verify it with its hash.
3. Quarantine the image and SD card on a computer I don’t mind rebuilding (no sdX other than the target SD in an adapter; the internal MicroSD is mmcblk0).
4. dd the image to /dev/sdX.
5. Boot the image.
6. If it doesn’t work, lower the bit rate for the dd command (yes, it saved the project this time).
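Steps 2 through 4 of that checklist are the ones a single wrong keystroke turns into a disaster, so here is an added Python helper that gates them; it is an example written for this page, not a script from the post. It streams the image through SHA-256 and compares it against a published sha256sum-style hash file, and it refuses a dd target that is the internal card (the mmcblk prefix the post mentions, plus nvme as an assumed addition), a partition rather than the whole device, not a block device, or currently mounted. The image, hash file and mount table in demo() are constructed inline; the dd options in plan_write (bs=, status=progress, conv=fsync) are ordinary GNU dd options, and the command is returned rather than executed so the reader sees what would run.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sum(text):
    """Parse 'hexdigest  filename' lines (sha256sum format; a leading '*' means binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def verify_image(image_path, sums_text):
    """True only if the image's digest matches the published one for that file name."""
    expected = parse_sha256sum(sums_text).get(os.path.basename(image_path))
    if expected is None:
        raise ValueError("no published hash for " + os.path.basename(image_path))
    return hmac.compare_digest(expected, sha256_of_file(image_path))


def target_problems(dev_path, mounts_text, protected_prefixes=("mmcblk", "nvme")):
    """Reasons not to dd onto dev_path; an empty list means the gate is open."""
    problems, name = [], os.path.basename(dev_path)
    if any(name.startswith(p) for p in protected_prefixes):
        problems.append(dev_path + " matches a protected device prefix (internal storage)")
    elif name[-1:].isdigit():
        problems.append(dev_path + " looks like a partition; write the whole device instead")
    try:
        if not stat.S_ISBLK(os.stat(dev_path).st_mode):
            problems.append(dev_path + " is not a block device")
    except FileNotFoundError:
        problems.append(dev_path + " does not exist")
    for line in mounts_text.splitlines():  # /proc/mounts format: device mountpoint fstype ...
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith(dev_path):
            problems.append(fields[0] + " is mounted at " + fields[1] + "; unmount it first")
    return problems


def plan_write(image_path, sums_text, dev_path, mounts_text=None, block_size="4M"):
    """Return the dd argv to run, or raise ValueError listing every reason to refuse."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    if not verify_image(image_path, sums_text):
        raise ValueError("image digest does not match the published hash")
    problems = target_problems(dev_path, mounts_text)
    if problems:
        raise ValueError("; ".join(problems))
    return ["dd", "if=" + image_path, "of=" + dev_path, "bs=" + block_size,
            "status=progress", "conv=fsync"]


def demo():
    """Constructed image, hash file and mount table in a temp dir; returns each gate's verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed.img")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed, not a real image")
        sums = sha256_of_file(image) + "  constructed.img\n"
        mounts = "/dev/sdb1 /media/photos ext4 rw,relatime 0 0\n"  # constructed mount table
        out = {"good_hash": verify_image(image, sums)}
        with open(image, "ab") as fh:
            fh.write(b"x")  # simulate a corrupted or tampered download
        out["tampered_hash"] = verify_image(image, sums)
        out["mounted_target"] = target_problems("/dev/sdb", mounts)
        out["internal_card"] = target_problems("/dev/mmcblk0", mounts)
        out["regular_file"] = target_problems(image, mounts)
        return out
```

In real use you would call plan_write with the downloaded image, the contents of the hash file published beside it, and the device you believe is the card in the USB adapter; it only hands back a dd command when the hash matches and none of the refusal reasons apply. The mount-table check is what catches the case where the card still has a partition auto-mounted by the desktop.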

I didn’t skimp on resources this time: I got the full desktop image with recommended software. Long-term, I’m figuring it will be easier to maintain. Since I’ll be using this image over and over several times, I took a day or two to do things like localization settings, a lefty mouse, enabling SSH, and customizing the UI.

I’m looking to move away from using default, non-root accounts. Raspberry Pi OS (I’m just going to call it rPiOS from now on, if that’s okay) and Raspbian before it come with one called ‘pi.’ To change it, I had to first enable SSH, log out any and all sessions for the pi user, and change over the account and home directory names — preferably without logging into the GUI as root and creating a bunch of normal user files.

I poked around rPiOS without an agenda for a bit. There was always the games folder I never paid much attention to before, so I checked that out. Of special interest was the collection of simple Python games. They had no fewer than three Tetris clones: a normal one, one with one-block pieces, and one with five-block pieces, like the original Soviet precursor. The five-block per piece game runs a little fast, so after some time, I realized I’d like to try and slow it down a bit. I also found a “Bookshelf” where you can read up on Pi projects. It also came preloaded with a bunch of programming tools. I know it should be obvious, but rPiOS is built for learning. It has just enough there to be plug and play for a browsing machine; I know the Pi 3 chugs a little under my church’s livestream on Sabbath mornings, but it should be more than enough computer for anyone without serious computation needs.

A Small, Custom rPiOS Image

I have to admit, this week’s topic was a node for a much larger project I’ll be covering next week. Suffice it to say, I’m in a position where I may need to reinstall rPiOS several times in rapid succession. That is why I’m making an image file.

Once I had tweaked rPiOS mostly to my liking, I shut it down and brought the card over to my Manjaro Pi 4. dd was not happy with me backing up my MicroSD to a 1 TB external hard disk for some reason. Everyone helping me seemed sure it was corruption on the MicroSD card. As much as I respect their advice, I can’t help but be skeptical this time. It’s a new card with low usage so far. It boots fine, and I was trying to copy between two devices on the same USB 3 component. I’ll file this away as mystery unsolved for the time being, but for whatever reason, it confused Bash to the point where ls wouldn’t work with relative paths until I changed directories.

I eventually used the internal rPiOS card duplicator and made a physical copy over top of my Raspup install. I tested it, and it booted normally. Moving things back over to the original card, I followed a tip I found in this video and used dd if=/dev/sdX | gzip > imageName.gz to make a compressed copy of my Pi SD directly on itself. I copied it over the network with scp, and unzipped my image.

Now, many guides on rPi backups invoke partition tools I’m still too scared to touch, especially on a timeframe. That’s why I downloaded and used PiShrink, a shell script available on GitHub that downsizes your Pi images so you’re not saving empty space in storage — or even worse: transmitting it to a friend. Apparently it’s popular for use with RetroPie, a Pi distro for emulating old games.

My MicroSD cards are 32 GB each. My final image is down to 9. If I had more time, I may try again without the default desktop background, since I’m planning on never using it, and I think my custom desktop image is a good chunk of the added size.

Final Question:

What useful finds have you made when looking for something similar?

Parts Ordered: Derpy’s Second Makeover

Good Morning from my Robotics Lab! This is Shadow_8472, and today, I am shopping for parts to re-refurbish Derpy Chips, an older tower I turned into an Ubuntu box for a while. Let’s get started!

Overview

My computer tower is old — going on nine years here. Some day, it will be going up for total replacement, but not today. Still, I find myself in need of a second tower for my personal use — something with a little more heft than my laptop maxes out around.

My father built a computer tower long before I got into Linux. It served as the family’s main computer for several years, but it had a habit of crashing with the vague error: “Power Kernal Failure.”

I eventually took over the machine to turn it into a Minecraft server. I swapped out its 2 TB HDD for a much more modest 250 GB SSD, and the crashes stopped. I still named it Derpy Chips, part in endearment, part in reference to its past. It has since fallen back into disuse for lack of RAM when I swiped it for Button Mash, our new dedicated Minecraft server, and more recently, I grabbed the replacement SSD for installing Manjaro on my production machine, long after its liquid cooling pump started making a horrendous noise (presumed worn out).

That about brings it to today. I would like to move Derpy back into use, but it needs cooling, a hard drive, and RAM. I did some preliminary investigations, and estimated a cost of about $250 with minimal thought for compatibility. All I need is a holdover to the next rig.

CPU cooling

The options are almost limitless, and almost all of them are incompatible. Derpy’s case is pretty deep, so I’m not terribly worried about height, but different CPU sockets have slightly different shapes.

While it’s entirely possible to hire someone to pour liquid nitrogen on the CPU all day, even a fancy water cooling system would be more reasonable. A properly functioning liquid cooling system would definitely be quieter, which is something I need. All I have to say to that is that I was impressed with my sister’s Noctua cooler, so we ordered one from them.

Hard Drive

As stated earlier, Derpy’s first hard drive, a spinning platter HDD, was defective and the problem wasn’t isolated within the warranty period. Lacking a cooling block that wasn’t the size of a teacup, I yoinked its second hard drive, an SSD, for another computer I have yet to finish stabilizing.

Western Digital is a respected brand, and I’m happy with their products thus far. I don’t need a full terabyte for a holdover machine, but it would be nice to have one in my production model. We therefore went ahead and bought a 1 TB with the plan of migrating the original replacement to it and reworking the smaller SSD again.

RAM

Probably the pickiest of the components I’m looking at today, RAM is the sort of thing I hear you can just try to see if it works: as long as you aren’t using so much force that things are physically cracking, you should be fine come your “smoke test.”

The most noticeable factor in RAM is what kind it is. The current standard is DDR4, but the technosystem I’m tending is all on DDR3. Other factors come into play as well, such as how fast the motherboard runs it, the voltage supplied, how much memory per stick there is, and in the case of matched sets, how much memory there is total. When shopping online, many sites will have some sort of filters so you can hopefully find the perfect match for your needs.

One important consideration I wanted to take into account was how good Derpy’s original 4 sticks of 4GB of RAM compared against Button Mash’s motherboard and CPU. Obviously, they’re compatible, but I wanted to know if the RAM was too good for the computer it was in. We ended up looking up the specific parts and found it was a perfect match for max clock speed and overall capacity, leaving me free to explore other options.

We pulled in the original box for Derpy’s motherboard and looked up the specs. Turns out it can take up to 32 GB of RAM across four slots, where it previously was fully booked with a total of 16. While shopping, I considered buying either another set of four 4 GB or a set of two 8 GB sticks. Hypothetically speaking, if I expected to rotate a future new tower in, I could put my relatively newer tower over where Derpy is now being staged, and the possibility for future upgrade could be left open.

This plan ran into a time wall and was laid down before being fully explored. I learned how CPU generation matters to RAM. Derpy has a 2nd generation i7 while I’m presently on a 3rd generation i5. Such a set of RAM would need to service both, and while such a product exists, we ended up just grabbing a set of four sticks of RAM intended for just Derpy, without making sure it shipped from the US.

Of note, we also learned about RAM latency timings. Long story short: while lower numbers are better here, they aren’t as important. “Latency for the less-complex DDR2 RAM can be lower, but it can’t process data nearly as quickly as a modern DDR4 chip.” [MakeTechEasier (author comment)]

Of course, some motherboards might have a capacity to auto detect the voltage and adapt. All I know is that I’m tired of numbers for now and I’ll be happy when I see everything working smoothly.

Final Question

Have you ever built a computer from components and had something go wrong, even if things technically worked?

A Collection of Raspberry Pi Projects: Volume 1

Good Morning from my Robotics Lab! This is Shadow_8472, and today, I am playing with some SD cards I got to try out additional systems for my Raspberry Pi 4. Let’s get started!

The Plan

I would like a computer where I can format drives without having to worry about nuking any drives I can’t easily repair should I get a single keystroke wrong again. I need a quarantine machine.

Earlier this year, I got a Raspberry Pi 4 to serve as a head/firewall for a model supercomputer (still pending). Back then, I found three microSD cards, but only one was good for booting Raspbian, and I ended up with a neat, little Wi-Fi to Ethernet router. I like my reverse wireless router. I don’t want to give up my reverse wireless router.

I started shopping for microSD cards, and came across a then-recent Tom’s Hardware article where they tested several brands for use with Raspberry Pis and compared them in different areas. Going off their recommendation, I selected the Silicon Power 3D NAND. I figured I may want more than one, so I got a 5 pack. The next size up was 10, and I’m not quite that avid a Pi user at the present time.

Besides a Quarantine Machine, additional applications include:
a general purpose operating system,
an actual firewall/supercomputer head
a media center
a home-network wide ad blocker
And it would be good to have a backup of my Quarantine card in case I really goof it.

Manjaro ARM

While I was installing Manjaro on my desktop, I noticed they have a version for ARM processors, such as the Raspberry Pi. They even maintain an image for installation on the Pi. I went with XFCE to preview for an upcoming project.

Installation was a nightmare due to user error. I must have tried three or four times to load Manjaro onto the first partition on a microSD card. Along the way, I found a thread where someone was reporting issues with installing the current version, 20.08 (named after the year.month), and people told him to try 20.06. My advice: if you’re thinking about trying to install any version of Manjaro, don’t try to downgrade. I don’t remember how I did it, but I got an older image to update later.

Once I went back to the official documentation and saw I was supposed to aim the dd command directly at the drive itself, I got it on the next try using the older image. The interface to finish installing felt unintuitive, leaving me to research keyboard standards. I would not recommend it for anyone new to Linux.

Where the installer lacked polish, the XFCE desktop environment made up for it with some nicely preconfigured settings. Perhaps I was a bit harsh on it before. I was especially happy to be rid of the ugly, black lines around the screen present on Raspbian. And of course, once I found the pacman command to update and checked the version, 20.10 had been released.

I went to hone this install in, reviewing some of my past lessons. A brief search didn’t help me set a static IP, but I moved on anyway. SSH was enabled by default, but it gave me an infuriating time confirming the host key fingerprint. I ended up caving to move on, but I did learn something about the improved security of a newer standard called Ed25519.

Raspup

Puppy Linux, in theory, is an excellent choice for an expendable Linux install on a Quarantine Machine because it’s small, it’s enough to get you by as a daily driver if you can stand its slightly offbeat control scheme, and most importantly, it’s easy enough to reinstall. It’s also made for x86.

That’s where the people over at Raspup stepped in earlier this year. Installation was much easier than Manjaro, but that was where the polish ended. It’s so new, they don’t show up on Distrowatch. Their site doesn’t have a recognized security certificate, and has some oddball domain going on.

As for the operating system itself, I found its lack of Ctrl+Alt+T bringing up a terminal to be the greatest shortcoming in terms of my user experience. It also seemed obsessed with using linked GUI windows for everything in the initial setup. It also took way too long to boot up. While it did have those black bars around the screen, it did have a utility to adjust them between reboots. I don’t have the patience for it right now.

The most impressive thing about Raspup is their claim to work on any Raspberry Pi version, though the compute module remains untested. I honestly wish this project the best of luck, but at present, I can only recommend this cute, little project if you’re bored, want to poke around with something new, and have a spare microSD card for your pi. [Link to Raspup]

Other Projects

My goal was to also include a media station, but that didn’t install correctly as my research window for this week was closing. I’d also like to see about extracting an IR sensor from a dead piece of hardware, but that project can easily fill its own month of blogs.

While doing my write-up, I considered Tiny Core again, and there appears to be one for the Pi. I may do this one on the sly without reporting on it.

Six plus microSD cards is a lot to manage for a single Raspberry Pi. The five pack cards each came with an adapter, so I borrowed a label maker and applied labels to those.

Closing thoughts

One of the quirks I noticed with Manjaro on the Pi was that my USB SD card reader was showing up as /dev/sdc. Normally, SD family cards, such as the one inserted directly into the motherboard at the time, have a different designation, so that’s something to look into. On the other hand, this discrepancy may be just what I’m after in terms of a safe computer to blast away at disk destroying operations. It only took one wrong keystroke, and if I don’t pursue Tiny/MicroCore Linux again, this may have the safety margin I need, where I can disconnect any unneeded drives without opening any cases.

Final Question

What other Pi distros would you like to see reviewed on here?