Re: [OpenIndiana-discuss] PAM risk based authentication?
I have not tried this, but if this is only for SSH, did you try "Match" directives as listed under http://serverfault.com/questions/355484/change-the-ssh-authentication-method-depending-on-the-ip-address?

Hugh.

On 12/10/15 5:40 AM, Stefan Müller-Wilken wrote:
> Dear all,
>
> is there a way in OpenIndiana's PAM implementation to route through PAM modules based on environment conditions, a.k.a risk based authentication? More concretely I'd like to introduce a 2-factor PAM auth module when coming from certain IP ranges while staying with traditional Passwords for others and allow Kerberos while SSH'ing on my private network only.
>
> Is this possible today? Thanks for any ideas! :-)
>
> Cheers
> Stefan
>
> Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] PAM risk based authentication?
Well, also an approach, but restricted to SSH only. My requirement is to conditionally include PAM modules, so tuning httpd will not suffice, I'm afraid. But thanks for the idea!

Cheers
Stefan

From: Hugh McIntyre [li...@mcintyreweb.com]
Sent: Friday, 11 December 2015 09:45
To: openindiana-discuss@openindiana.org
Subject: Re: [OpenIndiana-discuss] PAM risk based authentication?

I have not tried this, but if this is only for SSH, did you try "Match" directives as listed under http://serverfault.com/questions/355484/change-the-ssh-authentication-method-depending-on-the-ip-address?

Hugh.

On 12/10/15 5:40 AM, Stefan Müller-Wilken wrote:
> Dear all,
>
> is there a way in OpenIndiana's PAM implementation to route through PAM modules based on environment conditions, a.k.a risk based authentication? More concretely I'd like to introduce a 2-factor PAM auth module when coming from certain IP ranges while staying with traditional Passwords for others and allow Kerberos while SSH'ing on my private network only.
>
> Is this possible today? Thanks for any ideas! :-)
>
> Cheers
> Stefan

-
Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | USt-IdNr.: DE208833022

Re: [OpenIndiana-discuss] PAM risk based authentication?
On 12/11/15 4:08 AM, Stefan Müller-Wilken wrote:
> Well, also an approach, but restricted to SSH only. My requirement is to conditionally include PAM modules, so tuning httpd will not suffice, I'm afraid. But thanks for the idea!

I don't think the PAM stack itself can be conditional, but the modules in the stack can do conditional processing. If you have a second-factor authentication mechanism included in the stack and listed as "requisite", then it can do the address range checking work and (if the address is OK) return success to continue the authentication process or (if the address is suspicious) perform additional authentication and deny immediately if bad.

I haven't used it, but there's a module called "pam_shield" that might be a good starting point on building such a beast.

--
James Carlson 42.703N 71.076W

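The address-range check described in the reply above, as an added example that is not part of the original thread and is not pam_shield code. It shows only the decision core for IPv4; the names `rba_decide`, `in_cidr` and `TRUSTED` and the address ranges are hypothetical, and a real module would call it from `pam_sm_authenticate()` with the `PAM_RHOST` item.

```c
/* Added example; names, ranges and sample addresses are hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum rba_action { RBA_CONTINUE, RBA_SECOND_FACTOR, RBA_DENY };

/* Constructed sample policy: ranges from which the first factor alone is accepted. */
static const char *const TRUSTED[] = { "10.0.0.0/8", "192.0.2.0/24" };

/* 1 if IPv4 addr is inside "a.b.c.d/len", 0 if outside, -1 if either is malformed. */
static int in_cidr(const char *addr, const char *cidr)
{
    char net[INET_ADDRSTRLEN], *end;
    struct in_addr a, n;
    const char *slash = strchr(cidr, '/');
    size_t len = slash ? (size_t)(slash - cidr) : strlen(cidr);
    long bits = 32;

    if (len >= sizeof net)
        return -1;
    memcpy(net, cidr, len);
    net[len] = '\0';
    if (slash) {
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return -1;
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return ((ntohl(a.s_addr) ^ ntohl(n.s_addr)) & mask) == 0;
}

/* rhost is what a module would read from PAM_RHOST. Trusted range: let the
 * stack continue. Missing or non-IPv4 rhost, or an address outside every
 * range: demand the second factor. Malformed policy entry: fail closed. */
enum rba_action rba_decide(const char *rhost, const char *const *trusted, size_t n)
{
    struct in_addr probe;
    if (rhost == NULL || inet_pton(AF_INET, rhost, &probe) != 1)
        return RBA_SECOND_FACTOR;
    for (size_t i = 0; i < n; i++) {
        int r = in_cidr(rhost, trusted[i]);
        if (r < 0)
            return RBA_DENY;
        if (r == 1)
            return RBA_CONTINUE;
    }
    return RBA_SECOND_FACTOR;
}

int main(void)
{
    const char *samples[] = { "10.1.2.3", "203.0.113.7", "host.example.org" };
    const char *names[] = { "continue", "second factor", "deny" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", samples[i], names[rba_decide(samples[i], TRUSTED, 2)]);
    return 0;
}
```

In a module, `RBA_CONTINUE` would map to returning `PAM_SUCCESS`, `RBA_DENY` to `PAM_AUTH_ERR`, and `RBA_SECOND_FACTOR` to running the extra challenge before returning either.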
[OpenIndiana-discuss] SSD as a dedicated swap device
I have only occasional need to run problems larger than main memory (16 GB at present), so I can't justify replacing all the DRAM for an infrequent need. The drop in SSD prices has me contemplating adding a 128 GB SSD as a swap device. The SSD latency and IOPS specs look as if they might be a useful compromise.

Does anyone have any experience with this? The sort of jobs I'm interested in are batch processes that take several hours, not interactive tasks.

At present rpool is a ZFS 3 way mirror. It's become a bit unclear to me if it is still possible to control the swap device independently of other parts of the system contained in rpool. Back in SunOS 4.x days I ran with a pair of swap partitions spread across two disks which got me twice the performance on large array operations.

Reg

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Reginald Beardsley via openindiana-discuss wrote:
> I have only occasional need to run problems larger than main memory (16 GB at present), so I can't justify replacing all the DRAM for an infrequent need. The drop in SSD prices has me contemplating adding a 128 GB SSD as a swap device. The SSD latency and IOPS specs look as if they might be a useful compromise.
>
> Does anyone have any experience with this? The sort of jobs I'm interested in are batch processes that take several hours, not interactive tasks.

Even an SSD will be way slower than RAM.

> At present rpool is a ZFS 3 way mirror. It's become a bit unclear to me if it is still possible to control the swap device independently of other parts of the system contained in rpool. Back in SunOS 4.x days I ran with a pair of swap partitions spread across two disks which got me twice the performance on large array operations.

I don't think you can add the drive as a drive, but you could create a pool with a single volume on it and add that volume with "swap -a /dev/zvol/dsk//.

--
Ian.

Re: [OpenIndiana-discuss] OI roadmap (for production)
Stefan Müller-Wilken wrote:
> Sorry, Nicola, but is _this_ the kind of problems that should be discussed in the OI community? I would have thought there are more serious subjects to ponder...

There is only one of you writing, but many reading. That's why decent threading and quoting is important on technical lists!

--
Ian.

Re: [OpenIndiana-discuss] OI roadmap (for production)
On Sat, 12 Dec 2015, Ian Collins wrote:
> There is only one of you writing, but many reading. That's why decent threading and quoting is important on technical lists!

This conversation reminds me of this old chestnut:

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What's the most annoying thing on Usenet and in email?

It's as true today as it has always been.

--
Rich Teer, Publisher
Vinylphile Magazine
www.vinylphilemag.com

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
On 11/12/2015 20:45, Ian Collins wrote:
> Reginald Beardsley via openindiana-discuss wrote:
>> I have only occasional need to run problems larger than main memory (16 GB at present), so I can't justify replacing all the DRAM for an infrequent need. The drop in SSD prices has me contemplating adding a 128 GB SSD as a swap device. The SSD latency and IOPS specs look as if they might be a useful compromise.
>>
>> Does anyone have any experience with this? The sort of jobs I'm interested in are batch processes that take several hours, not interactive tasks.
>
> Even an SSD will be way slower than RAM.

Yep

>> At present rpool is a ZFS 3 way mirror. It's become a bit unclear to me if it is still possible to control the swap device independently of other parts of the system contained in rpool. Back in SunOS 4.x days I ran with a pair of swap partitions spread across two disks which got me twice the performance on large array operations.
>
> I don't think you can add the drive as a drive, but you could create a pool with a single volume on it and add that volume with "swap -a /dev/zvol/dsk//.

Adding a swap partition or slice from a drive worked just fine last time I did it. You don't have to swap on ZFS (and there have been some good reasons not to in the past).

I would expect using a whole drive (the p0 device) would also work, although the danger with doing that is that many tools which don't find FDISK or GPT partitioning on the disk will assume the disk is unused.

--
Andrew

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Andrew Gabriel wrote:
> On 11/12/2015 20:45, Ian Collins wrote:
>> I don't think you can add the drive as a drive, but you could create a pool with a single volume on it and add that volume with "swap -a /dev/zvol/dsk//.
>
> Adding a swap partition or slice from a drive worked just fine last time I did it. You don't have to swap on ZFS (and there have been some good reasons not to in the past).

It's been a long time since I tried adding a swap device! The man page for swap isn't clear whether a disk partition/slice is supported with ZFS root.

--
Ian.

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
On 11 December 2015 20:45:34 CET, Reginald Beardsley via openindiana-discuss wrote:
> I have only occasional need to run problems larger than main memory (16 GB at present), so I can't justify replacing all the DRAM for an infrequent need. The drop in SSD prices has me contemplating adding a 128 GB SSD as a swap device. The SSD latency and IOPS specs look as if they might be a useful compromise.
>
> Does anyone have any experience with this? The sort of jobs I'm interested in are batch processes that take several hours, not interactive tasks.
>
> At present rpool is a ZFS 3 way mirror. It's become a bit unclear to me if it is still possible to control the swap device independently of other parts of the system contained in rpool. Back in SunOS 4.x days I ran with a pair of swap partitions spread across two disks which got me twice the performance on large array operations.
>
> Reg

I am not sure I see a problem here. You can still make a raw partition and swap there, or a separate pool on the ssd and a zvol and swap there (there are some special options to optimize for the swap/dump zvols, see e.g. my OI/illumos wiki pages on "advanced" installs).

The swap area does not have to be part of rpool, and you can have more than one, and you can enable/disable them on the fly (free VirtMem space permitting). The only downside is that unlike linux you can't prioritize among your different active swap areas.

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Gee guys,

I would have thought from my comment about interleaving swap on two disks in 4.x that it would be obvious that I understand it would be slower. And in fact, know quite a bit about virtual memory implementations.

At the time, I tested interleaving 2 & 3 drives. The improvement with 3 was negligible at best and if the drives were not identical it was slower. But I got close to twice the paging speed on my 3/60 & 1+ using 2. An SSD should be faster than a regular hard drive.

I can justify $50-60 for a 128 GB SSD. I can't justify buying that much ECC DRAM for a once in a blue moon compute job.

Having been a witness to the conflicts over adding virtual memory to Minix I find it ironic that the accepted practice now is to include virtual memory in the OS, but not use it. For a long time everyone used BSD because it had virtual memory and Sys V did not.

Reg

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Reginald Beardsley via openindiana-discuss wrote:
> Having been a witness to the conflicts over adding virtual memory to Minix I find it ironic that the accepted practice now is to include virtual memory in the OS, but not use it. For a long time everyone used BSD because it had virtual memory and Sys V did not.

Eh? every contemporary desktop/server OS has and uses virtual memory. The need for backing store for swapping is much less these days, but it is still used and supported.

--
Ian.

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
I've used swap plain partitions on zfs-rooted machines as well as multi-disk zfs swap, both to good effect. Even if secondary storage (SSD) can never be as fast as primary (RAM), it should allow the job to proceed when the batch process peaks its memory utilisation. Since it's batch processing, the swap delay accrued might not even matter that much. I think the OP's plan is a sensible design compromise and see no problems with giving it a shot.

If the swap partition ends up being on ZFS, it'll garner the additional benefit of being able to be periodically scrubbed to check for degradation of the SSD (these only accommodate a finite number of write cycles, but most modern ones have write leveling to distribute the exercise across the whole device).

--jake

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
On Fri, Dec 11, 2015 at 3:20 PM, Jacob Ritorto wrote:
> If the swap partition ends up being on ZFS, it'll garner the additional benefit of being able to be periodically scrubbed to check for degradation of the SSD (these only accommodate a finite number of write cycles, but most modern ones have write leveling to distribute the exercise across the whole device).

Yes, and since a swap device is usually never even close to full, the write leveling should work quite well.

Even though I size RAM to avoid swapping, I usually configure some swap space. In the event of a memory leak or unexpectedly large process it's usually better to have a server (or desktop) that becomes sluggish rather than one that crashes. Admittedly, with something like a busy web server the two can easily end up being almost the same, as it falls ever farther behind in processing requests.

I don't configure 2x the RAM size anymore, though. ;)

--
D. Brodbeck
System Administrator, Linguistics
University of Washington
GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Oh, and additionally, swap can serve as a useful safety valve if memory gets fragmented and the kernel has to allocate a large, contiguous page for some kind of DMA buffer or the like. I don't know if that's a common scenario on OI, but I've seen it happen on Linux.

--
D. Brodbeck
System Administrator, Linguistics
University of Washington
GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
Jake,

I had not considered creating a ZFS vdev on the SSD, but that's an excellent point. Thanks. I think I'll do some tests with an HDD and an SSD with various configurations.

Ian,

If swap equals core what's the benefit? I've never considered swapping as "virtual memory", just part of time sharing the CPU. Unix had swapping for a very long time (V 2 or 3?) before it had paging. That was the big deal about BSD and why no one installed the AT&T VAX code. Swapping is easy to implement relative to paging. Which is why Andy Tanenbaum was opposed to including paging in Minix.

Typically I look at the sizes of the caches and how the indexing affects traffic between main memory and the various cache levels. Think multiple passes over really large arrays. Back when you couldn't put a TB of DRAM in a system you suffered through coding explicitly out of core to avoid thrashing. A classic practice when you didn't want to write an explicitly out of core code was alternating going forward and backward through the arrays to minimize how much disk traffic you generated via the paging system.

Before I ever touched Unix I tuned a MicroVAX II to run both batch and interactive jobs. I tuned the memory system so that it would run at 100% CPU utilization for weeks but seem like an idle system to an interactive user. If you've got a several day job, even a few hours in turnaround time don't matter. The trick was to reserve a certain amount of core for the interactive user processes. When the users logged out, the batch queue took all 5 MB. I've always wished Unix could do the same. That way I wouldn't have to force a power cycle reboot because Firefox has paralyzed the system. But it's really a feature of a transient process space system that would be very hard to implement in a fork-exec system.

I only mention this because I assume you're the same Ian Collins that wrote columns for Unix Today. (At least I *think* that was the name of the trade rag) I've still got some I saved hiding around here somewhere. If you're not that Ian Collins, then please disregard.

Reg

Re: [OpenIndiana-discuss] SSD as a dedicated swap device
My long standing rule is swap = 8 x core. This is primarily to accommodate having a large number of PDFs and other processes open at the same time. Many MCU manuals run 1000+ pages. But sometimes I just want to run a ridiculously large problem.

Disk space is cheap, so there's no benefit to saving it. In my case 128 GB of HDD costs under $4. It's not worth the nuisance of running out of space.

NB: I am merely commenting on what I do, I am NOT recommending it to others. Make your own decisions based on your needs. I have no desire to revisit the flame wars of the 80's.

Reg