Categories
Uncategorized

There But for the Grace of God

Last time I made mention of Peter Gostelow, it was about a rather unfortunate incident in Africa, where he had been attacked with a machete, and sustained some nasty injuries. Well, over a year later, he’s still on the road in Africa, and had some more bad luck.

This time he wasn’t physically injured, but pretty much everything of value has been stolen, including his last 6 months of photos, stored on an external hard drive. He’s feeling pretty low about it, and trying to work out how to replace the laptop and camera. He doesn’t need much to pay for his day to day expenses, but a new camera and laptop is hard to manage.

Peter was one of the cyclists who inspired me, years ago. Reading his website when he was touring around Asia was one of the things that gave me impetus to make my own long haul trip. If you’ve come across his blogs, and maybe been a bit inspired, he’d probably appreciate it if you could send a few dollars his way.

I know what it’s like to lose stuff, and not just the expensive kit, but all your photos. Somehow I’m still not as disciplined as I should be with backups, but seriously, if you’re out on the road, take Pete’s advice: BACKUP BACKUP BACKUP

Social Co-ordination

Left to my own devices, I could probably be quite happy working, studying in the evening, going for a bike ride in the weekend, occasionally traveling around the world, basically keeping to myself.

Those that know my fiancée will of course realize that keeping to oneself is not Anna’s style at all. Although her social circle is not as out of control as it once was, she still works hard at maintaining contact with a wide group of people. One of the ways she does this is through regular social events, one of which is the annual “Mid-winter Christmas” dinner. My northern hemisphere readers will wonder why I feel the need to specify mid-winter along with Christmas, but trust me, they don’t go together here.

Here, we use the theme of mid winter Christmas as an excuse for a party in the depths of winter. Brutal it is too, only 10 hours of sunlight a day, and temperatures almost down to single digits. We gather for a not quite informal seated dinner, for 20. Not many people could host a dinner party for 20, but with a bit of rearranging of the house, we somehow manage.

With a limit of 20 or so, competition is fierce for places, but Anna has her favourites. I must ask her why Arden is still on the list, since he doesn’t get cheap booze any more. Wouldn’t be the same without him of course.

So the usual suspects gathered for a huge meal and light entertainment. Luckily we had outsourced the main meat cooking to two of the guests – no chance of fitting a leg of lamb and an enormous piece of pork in our oven. It was barely coping with all the vegetables.

Lots of hard work by Anna and the girls, and the party was the usual success. Every year, Anna declares that “this is the last one ever” – and yet the day after, while cleaning up, she says “well it wasn’t too bad, maybe we could have one more.”

Just next year it will be just Anna and me, living in a small house. I have no idea how we’ll manage it again…

Dave didn’t like the little plastic hat; he thought it worked better as a tie:

Squid with Dynamic SSL Cert and Kerberos Authentication

I know, this is not the usual sort of thing I cover here, but it’s something I’ve been working on the last few weeks, and I couldn’t find it documented decently anywhere, at least not for my particular setup. So I thought I’d put it here for Google to index. Maybe it will help someone else out.

Environment:

  • Squid proxy server running on RedHat EL 5.x
  • Clients using Firefox and Safari, on Macs and Linux
  • Mac OS X Server providing authentication services
  • ICAP A/V scanning

Previously we were using NTLM authentication with Squid, but it is a pretty poor experience. NTLM authentication on Mac OS X is unstable if you’re also doing Time Machine backups, and users get far too many authentication popups. I’ve been planning on moving to Kerberos authentication for a long time, but never quite got around to it. We also wanted to enable SSL Interception, using DynamicSslCert, so we can properly log and scan SSL traffic.

The default Squid package that ships with RHEL 5.x is 2.6.x. This is getting a bit long in the tooth. DynamicSslCert has recently gone into the 3.1.12.x RC series, so it’s very close to mainstream. Here are the steps I followed to get SSL interception and Kerberos authentication working:

  • Create a binary RPM from Squid 3.1.12.2. Squid-3.1.12.3 does not compile with ICAP enabled. You will probably want to get the Squid spec file used for Fedora, and use that as a base. Add “--enable-ssl-crtd” to the configure options and build the package.
  • On your Mac OS X Server, create the required Kerberos principal, and export it to a keytab file:

    sudo kadmin.local -q "add_principal -randkey HTTP/<fqdn of proxy server>"
    sudo kadmin.local -q "ktadd -k squid.keytab -norandkey HTTP/<fqdn of proxy server>"

    <fqdn of proxy server> is the fully qualified hostname of your proxy server
  • Install your new Squid RPM on the Proxy server
  • Copy your squid.keytab file to /etc/squid/squid.keytab. Ensure it is readable by the squid user
  • Edit /etc/init.d/squid, to add this chunk near the top:
    KRB5_KTNAME=/etc/squid/squid.keytab
    export KRB5_KTNAME
  • Create the SSL cert DB with “/usr/lib64/squid/ssl_crtd -c -s /var/spool/squid/ssl_crtd/”. Ensure that directory, and those below it, are owned by Squid. The path you pass with -s here must be the same one you later give to ssl_crtd in squid.conf, or certificate generation will fail at start-up.
  • Create an intermediate CA certificate on your root CA. I’ve used the Mac OS X CA, but you can use whatever CA you have. Copy the key and certificate to /etc/squid/ssl_cert/ – you’ll need to create that directory. Ensure squid can read the cert and keys.
  • Update /etc/krb5.conf. Ensure it has your realm set to your Mac Server.
  • If you want to do NTLM fallback, enable the winbind service, and use “net join -W -S -U ” to join the domain.
  • Configure authentication in squid.conf with something like this – this will use Kerberos/Negotiate first, with an NTLM fallback:
    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/<fqdn of proxy>
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=<domain> <domain>\<fqdn on mac os server>
    auth_param ntlm children 12
    acl auth proxy_auth REQUIRED

    Your http_access line must now specify “auth”
  • Enable icap with:
    icap_enable on
    icap_service service_avscan_resp respmod_precache bypass=0 icap://127.0.0.1:1344/av_scan
    adaptation_access service_avscan_resp allow all
  • Configure SSL Dynamic cert generation with config like this (the ACL, the sslcrtd_program line and always_direct are each separate directives):

    acl sslbumpbypass dstdomain "/etc/squid/whitelist.https"
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
    sslcrtd_children 5
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/ key=/etc/squid/ssl_cert/
    always_direct allow all
    ssl_bump deny sslbumpbypass
    ssl_bump allow all
    sslproxy_cert_error deny all

    cert= and key= point at the intermediate CA certificate and key you copied into /etc/squid/ssl_cert/. Any domains added to /etc/squid/whitelist.https will NOT be intercepted. You probably want to put banking sites in here.
  • Modify SELinux. You’ll need to run “semanage port -a -t http_port_t -p tcp 1344” to allow Squid to connect to ICAP. You’ll also need to configure a local SELinux policy to allow Squid to read/write the temporary files that squid_kerb_auth puts into /tmp. Use audit2allow and your audit logs to work out what you need here.
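As an added example (not part of the original post), here is a small Python checker that applies Squid’s dstdomain matching rules to a constructed /etc/squid/whitelist.https, so you can confirm which hosts the “ssl_bump deny sslbumpbypass” rule will leave un-intercepted before rolling the config out. The whitelist contents and hostnames below are made-up sample data.

```python
# Added example, not from the original post. Evaluates which CONNECT
# destinations the "ssl_bump deny sslbumpbypass" / "ssl_bump allow all"
# pair would bump, using Squid's dstdomain semantics:
#   ".dom.example"  matches dom.example and every subdomain of it
#   "dom.example"   (no leading dot) matches only that exact host
# Constructed sample whitelist; real banking domains would go here.
WHITELIST_HTTPS = """
# banking: never intercept
.mybank.example
online.otherbank.example

# blank lines and comments are ignored, as Squid does
"""


def parse_whitelist(text):
    """Return the dstdomain entries from a Squid ACL file ('#' starts a comment)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def dstdomain_matches(entry, host):
    """True if a single dstdomain entry matches the request host."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_bumped(host, entries):
    """True if the proxy would intercept (bump) TLS to this host."""
    return not any(dstdomain_matches(e, host) for e in entries)


def classify(hosts, whitelist_text=WHITELIST_HTTPS):
    """Map each host to 'bump' or 'bypass' under the whitelist."""
    entries = parse_whitelist(whitelist_text)
    return {h: ("bump" if is_bumped(h, entries) else "bypass") for h in hosts}


if __name__ == "__main__":
    sample = ["mybank.example", "www.mybank.example", "notmybank.example",
              "online.otherbank.example", "www.otherbank.example"]
    for host, action in classify(sample).items():
        print(f"{action:6} {host}")
```

Note that an entry without a leading dot silently fails to cover www. or other subdomains, which is the usual reason a “whitelisted” bank still gets intercepted.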

You will need to configure both Firefox and the System Keychain on your Macs to trust the Intermediate CA used by Squid. Unfortunately Squid doesn’t send the whole certificate chain, including the root CA, so just trusting the root CA is not enough. Hopefully the ability to pass the chain will come in later releases.

I don’t want to publish full configs, but this should be enough to get you started. Any specific questions, fire them this way, and I’ll try to help.

Note: Safari and Mail.app do not support Kerberos authentication. They fall back to NTLM happily enough.

First stage complete

That’s the easy part out of the way – I’ve passed CCIE written. I worked my way through the huge stack of books I’ve got, managed to get enough to soak in, and got the written exam out of the way.

It wasn’t too flash, but a pass is a pass, so now I can book the lab. The aim will be to sit it late this year, before my wedding. It takes an average of 2.7 attempts to pass, so I’ll be happy to pass it in 2 attempts. The nearest location for me is Sydney. Not too bad, although it would be nicer to do it at home.

I need to do some research over the next few days, comparing and pricing workbooks, study material and rack rentals from INE, IPexpert and Cisco 360. Unfortunately it’s all very expensive (thousands of $US), so I need to do a bit of analysis before spending the cash. They have a range of different learning options, payment methods and approaches. I’ll probably go with INE, but add in a few bits and pieces from the other vendors.

Guess it was never going to be cheap studying for CCIE.

Other good news: I’ve ordered an iPad, and it should arrive next week! Purely purchased for…ah…study purposes. Yes that’s it.

It’s getting a bit silly

All of the Cisco Press books I’ve ordered have arrived, and the stack is looking pretty intimidating:

Pile of Cisco Press books

I have to work my way through that stack, not just skimming them, but paying attention, making notes as I go…it’s going to be a long winter working through them all.

I ended up buying them from a mix of Amazon, Fishpond and a local Borders store. I got lucky with the Multicast and Internet Routing Architectures books – Borders was selling them for only $20 each. They think that because they’re 10 years old, they’re out of date, but they cover core protocols, so they don’t date as quickly as technical books usually do. All the other books cost quite a bit, especially when you add International shipping. Kudos to Amazon too – one of the books was water damaged. I filled in a return form, and within 10 minutes Amazon had responded to say “We’ve shipped a replacement, and don’t worry about shipping back the old one – do whatever you like with it.” Good to see that for all the work Amazon is doing with things like EC2, they haven’t lost sight of keeping their long term customers happy.

Thinking about Libya

You always have a different perspective on a place when you’ve actually been there, rather than just seen it in pictures.

I’ve been thinking about Libya quite a bit recently, after the unrest going on there. It was only a matter of time before things came to a head there, regardless of what has been going on in surrounding countries.

The thing that stood out to me when I was there 5 years ago was the enormous Gaddafi propaganda. Every place where you might see a commercial billboard in another country, Libya had a huge picture of Gaddafi. Signs, slogans, posters. Watches were the souvenir to buy – I still have a watch somewhere around the house with a picture of Gaddafi on the face, celebrating 37 years of rule. You don’t have that much propaganda if everyone truly loves you.

It was an unusual country to visit, in many ways one of the lowest hassle Middle Eastern countries. Few tourists visit, so there hasn’t been the same development of touts, scam artists, and general level of people selling you crap you don’t need. Instead, people are reserved but friendly. It is sad to think of them at war with themselves, people being shot at by their own government. Most of the people killed will just be ordinary people, trying to go about their lives.

I recall staying in a small town in the desert, walking around, when I met a young man who asked me “What are you doing here?” He couldn’t understand why I would be in Libya, when I was lucky, I had a passport and money, I didn’t have to stay there. He did. He was learning English, maybe he got lucky, and was able to escape.

As an aside, it’s not widely known, but Libya has some of the best Roman ruins anywhere. Hopefully Gaddafi will either see sense and leave, or someone will knock him off, and this can end, without further loss of life, or damage to the archaeological treasures.