Wednesday, December 19, 2012

Interesting Kerberos and ssh troubleshoot

There was an interesting Kerberos troubleshoot today: someone had set up round-robin DNS where a host, let's call it server-x, had a bunch of A records pointing to different IP addresses.

For illustration purposes let's say it looks like this:
server-x.domain.com 15 IN A 192.168.1.1
server-x.domain.com 15 IN A 192.168.1.2
server-x.domain.com 15 IN A 192.168.1.3 
server-x.domain.com 15 IN A 192.168.1.4

server1.domain.com 300 IN A  192.168.1.1
server2.domain.com 300 IN A  192.168.1.2
server3.domain.com 300 IN A  192.168.1.3 
server4.domain.com 300 IN A  192.168.1.4

1.1.168.192 300 IN PTR server1.domain.com 
2.1.168.192 300 IN PTR server2.domain.com
3.1.168.192 300 IN PTR server3.domain.com
4.1.168.192 300 IN PTR server4.domain.com

When attempting to ssh to server-x it would sometimes work and sometimes fail with an error that it failed to initialize the GSS context.  We finally dug in and found the following:

With a completely clean cache (i.e. TGT only), when the failure occurred we could see that server1 was the host actually being contacted, but the cache contained a service ticket for server2 (host/server2.domain.com).  It turned out that ssh does its own resolution of the name, separate from the canonicalisation the GSSAPI library performs to decide which host/ principal to request, and two independent lookups of a round-robin name need not land on the same record.  The workaround we found was to wrap the call in a script that resolves the name first and passes the result to ssh.  That way both ssh and GSSAPI start from a name that maps to a single host, and neither repeats the round-robin lookup.

A bit later my colleague discovered an ssh client option called GSSAPITrustDns (it ships with the GSSAPI key-exchange patch carried by Debian and some other distributions; upstream OpenSSH does not have it).  With GSSAPITrustDns yes, ssh treats DNS as trusted to canonicalise the host name, resolves it once itself and passes that canonical name to GSSAPI, so the library does not resolve it a second time.  The flip side is that you are trusting DNS for that canonicalisation: a spoofed answer can make the client request a ticket for a different host/ principal, although Kerberos will still only authenticate to a host that holds the key for that principal.

The longer answer is that if you must put a Kerberized service behind a load balancer, do not use round-robin DNS for it: every component that resolves the name independently can land on a different host, and the service principal in the ticket then does not match the host you actually reached.  In fact round-robin DNS is a pretty bad load balancer for just about anything, Kerberized or not.
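
The wrapper script described above, written out as an added example (this is not the script from the post, and the hostname in the usage line is the one from the illustration).  It picks one A record, turns it back into a single-host name through the PTR record, and hands that to ssh, so ssh and the Kerberos library are both working from a name that maps to exactly one member of the round robin.  The lookups are injectable so the selection logic can be exercised without DNS; the real ones use the socket module.

```python
#!/usr/bin/env python3
"""kssh: pin a round-robin name to one member before ssh and GSSAPI see it.

Usage: kssh HOST [ssh options...]      (added example, not the post's script)
"""
import os
import socket
import sys


def forward_lookup(host):
    """All IPv4 addresses behind host, in the order the resolver returned them."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return []
    return [sockaddr[0] for _, _, _, _, sockaddr in infos]


def reverse_lookup(ip):
    """PTR name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def pin_target(host, forward=forward_lookup, reverse=reverse_lookup):
    """Return a name that identifies exactly one member of the round robin.

    The first A record is the same choice ssh would make for its connect().
    Returning its PTR name (server2.domain.com rather than server-x.domain.com)
    means both ssh and the Kerberos library now resolve a single-host name, so
    the host/ principal in the service ticket matches the peer ssh talks to.
    forward/reverse default to real DNS and are injectable for testing.
    """
    addrs = forward(host)
    if not addrs:
        raise LookupError("%s: no A records" % host)
    ip = addrs[0]
    name = reverse(ip)
    # No PTR: fall back to the IP literal, which still pins ssh to one host.
    return name or ip


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: kssh HOST [ssh options...]\n")
        return 2
    target = pin_target(argv[1])
    # ssh wants its options before the host name.
    os.execvp("ssh", ["ssh", *argv[2:], target])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that this trusts the PTR record in exactly the way GSSAPITrustDns yes does; if your OpenSSH build carries that option, a Host server-x entry with GSSAPITrustDns yes in ~/.ssh/config achieves the same thing without a wrapper.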

Saturday, November 10, 2012

A little on verilog

So I am trying to learn Verilog.  I have a counter,
reg counter;
and am expecting it to reach 15 at some point, but it never does: it just toggles between 1 and 0.  When I declare counter as an integer everything works.  Well, a reg with no range is just 1 bit wide, so 1+0 = 1 and 1+1 = 0 (the carry is dropped); declaring it as reg [31:0] counter fixed the problem (reg [3:0] counter would be enough to count to 15).

Friday, August 31, 2012

error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib

Started getting this error today after renewing the fake CA cert I'm using to test an app.  No, it wasn't the newlines: the problem was a missing '-' character at the end of the last line.  The footer has to read -----END CERTIFICATE----- in full; one dash short and OpenSSL does not recognise it as the end marker.

This is what happens when you just copy and paste the cert
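
A small framing check for exactly this kind of copy-and-paste damage, added here as an example (not part of the original post).  It only inspects the PEM envelope, not the DER inside: marker lines with the wrong number of dashes, an END that does not match its BEGIN, a block that never closes, and body lines that are not base64.  The certificate body it ships with is constructed filler, not a real certificate.

```python
import re
import sys

# -----BEGIN x----- / -----END x----- with the dash runs captured separately,
# so an off-by-one (four dashes) is reported instead of silently not matching.
MARKER = re.compile(r"^(-+)(BEGIN|END) ([A-Z0-9 ]+?)(-*)$")
BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # one base64 line, at most 64 chars


def check_pem_framing(text):
    """Check PEM framing only, not the DER inside.

    Returns a list of (line_number, message); empty means every block opens
    with -----BEGIN x----- and closes with a matching -----END x-----.
    Text outside blocks is ignored, as OpenSSL's PEM reader ignores it.
    """
    problems = []
    label = opened_at = None  # the block currently open, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MARKER.match(line)
        if m:
            lead, kind, name, trail = m.groups()
            if len(lead) != 5 or len(trail) != 5:
                problems.append((no, "%s marker has %d leading and %d trailing dashes, want 5 and 5"
                                 % (kind, len(lead), len(trail))))
            if kind == "BEGIN":
                if label is not None:
                    problems.append((no, "BEGIN %s while the %s block from line %d is still open"
                                     % (name, label, opened_at)))
                label, opened_at = name, no
            else:
                if label is None:
                    problems.append((no, "END %s without a matching BEGIN" % name))
                elif name != label:
                    problems.append((no, "END %s closes a BEGIN %s block" % (name, label)))
                label = opened_at = None
        elif label is not None and (len(line) > 64 or not BODY.match(line)):
            problems.append((no, "body line is not base64 or is longer than 64 characters"))
    if label is not None:
        problems.append((opened_at, "BEGIN %s block never closed" % label))
    return problems


# Constructed placeholder body (base64-looking filler), not a real certificate.
_BODY = "\n".join(["MIIB" + "QUJD" * 15] * 3)
GOOD_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _BODY
BAD_PEM = GOOD_PEM.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE----")  # one dash short
TRUNCATED_PEM = GOOD_PEM.replace("-----END CERTIFICATE-----\n", "")


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else BAD_PEM
    problems = check_pem_framing(text)
    for no, msg in problems:
        print("line %d: %s" % (no, msg))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the pasted file before blaming the application; openssl x509 -in cert.pem -noout -subject is the quicker sanity check when you only care whether OpenSSL can parse the file, but it does not tell you which line is broken.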

Sunday, August 12, 2012

Borland C++

Moving can be fun: you find all these forgotten gems.  One last look before I throw these out.

Saturday, June 2, 2012

Saturday, April 28, 2012

CRC32

Another piece fell into place: an Adler-32 checksum.  Note that the function below is named crc32 but what it computes is Adler-32 (the checksum zlib uses), not CRC-32.

import Data.Bits (shiftL, (.|.))
import Data.Char (ord)

-- Adler-32 modulus: the largest prime below 2^16
mod_adler :: Int
mod_adler = 65521

-- Running Adler-32 over a String; a is the byte sum, b the sum of the a's,
-- both reduced mod 65521 at every step.
calc_adler32 :: String -> Int -> Int -> Int
calc_adler32 [] a b = (b `shiftL` 16) .|. a
calc_adler32 (c:cs) a b =
  let ap = (a + ord c) `mod` mod_adler
      bp = (ap + b) `mod` mod_adler
  in calc_adler32 cs ap bp

-- This is Adler-32, not CRC-32; the name is kept from the original post.
crc32 :: String -> Int
crc32 str = calc_adler32 str 1 0

*Main> crc32 "abc"
38600999
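
The same computation in Python, added here as an example (not the post's code), checked against zlib's implementation so the 38600999 above is confirmed to be a correct Adler-32, and compared with the real CRC-32 of the same input to show the two are different functions.  It also goes one step beyond the post: a tiny exhaustive search that finds two different inputs with the same Adler-32, which is why a checksum like this is fine for detecting transmission errors and useless against anyone tampering with the data on purpose.  The alphabet and length of the search are my own choices.

```python
import binascii
import itertools
import zlib

MOD_ADLER = 65521  # largest prime below 2**16


def adler32(data, start=1):
    """Adler-32 of data (bytes), the same update the post's calc_adler32 does.

    a is the running byte sum and b the running sum of a's, both mod 65521;
    the result packs them as (b << 16) | a.  start is a previous result, so a
    checksum can be continued across chunks: adler32(y, adler32(x)) == adler32(x + y).
    """
    a = start & 0xFFFF
    b = (start >> 16) & 0xFFFF
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def reference_check(data):
    """(our Adler-32, zlib's Adler-32, CRC-32) of data, for comparison."""
    return adler32(data), zlib.adler32(data), binascii.crc32(data)


def find_adler32_collision(alphabet=b"abc", length=3):
    """Exhaustively checksum every `length`-byte string over `alphabet` and
    return the first two distinct inputs that share an Adler-32 (None if none).

    Adler-32 only tracks a byte sum and a position-weighted sum, so inputs
    with equal sums collide; this is a checksum, not a MAC.
    """
    seen = {}
    for tup in itertools.product(alphabet, repeat=length):
        s = bytes(tup)
        h = adler32(s)
        if h in seen:
            return seen[h], s
        seen[h] = s
    return None


if __name__ == "__main__":
    print("adler32(abc) = %d, zlib = %d, crc32 = 0x%08X" % reference_check(b"abc"))
    print("collision:", find_adler32_collision())
```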

Thursday, April 26, 2012

Making shingles

This is starting to get a little boring; it seems that all of my Haskell work consists of recombining lists and folding them.  Either way, yet another piece of the puzzle is now in place: I can now generate shingles (here, every window of 4 consecutive tokens, slid one token at a time, with the tokens concatenated).


makeShingle :: [[a]] -> [[a]]
makeShingle [] = []
makeShingle zs
  | length zs >= 4 = concat (take 4 zs) : makeShingle (tail zs)  -- 4-token window, then slide by one
  | otherwise      = []



makeShingle $ filter(/="") $ genericRev $ otherTok "this, is a string.  it is a string, like many other.  but i like it, i like it a lot!" standard_delim
["thisisastring","isastringit","astringitis","stringitisa","itisastring","isastringlike","astringlikemany","stringlikemanyother","likemanyotherbut","manyotherbuti","otherbutilike","butilikeit","ilikeiti","likeitilike","itilikeit","ilikeita","likeitalot"]