Hi, I’m Malcolm

Systems engineer writing about Linux, DevOps, automation, security, and infrastructure.

SSSD Didn't Get the Memo: Disabled Accounts and Stale Keys with Active Directory

This post covers setting up SSH public key authentication on AD-joined Linux hosts using SSSD and sss_ssh_authorizedkeys, and two security issues I found in a common SSSD configuration while testing the setup in a lab environment. The pattern stores SSH public keys in Active Directory. SSSD fetches them at login time via the ldap_user_ssh_public_key attribute mapping and hands them to sshd. The relevant snippet in /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
AuthorizedKeysCommandUser nobody

During testing two issues surfaced that are worth documenting: disabled AD accounts could authenticate via SSH key, and revoked keys remained valid for up to 90 minutes after removal from AD. ...

March 21, 2026 · 7 min · Malcolm Frazier

A Tale of Two Network Interfaces

Two NICs, one subnet. Seems fine. It isn’t. I frequently run into this on Linux servers, PTP Grandmaster clocks, telemetry acquisition and analysis servers, industrial controllers and other appliances where Linux is running under the hood whether the vendor advertises it or not. Most of them cover this limitation somewhere in their published documentation. It is worth reading before you plug in the second cable. The symptoms are always the same: traffic arrives on one interface, replies leave on another, sessions drop for no apparent reason, and nothing in the logs explains it. ...

March 15, 2026 · 14 min · Malcolm Frazier

CMMC: Compliant on Paper, Broken in Practice

SSH session timeouts looked like a straightforward CMMC Level 2 control. After digging through man pages, source code, bug trackers, and a fair amount of testing, I had a completely different solution than I started with. This is what happened.

The Controls

Two CMMC Level 2 controls are directly relevant here:

AC.L2-3.1.11 (NIST SP 800-171 3.1.11): Automatically terminate user sessions after a defined condition. This means a full termination, not a screen lock, not a network disconnect. The user’s processes must be cleaned up and re-authentication required. For SSH on Linux, the shell must actually exit. ...

March 11, 2026 · 8 min · Malcolm Frazier

DHCP Option 81 in systemd-networkd: The Undocumented Behavior

I inherited a set of Ubuntu servers that were provisioned outside of our normal provisioning and configuration methods of Foreman and Ansible, talking to Windows DHCP servers that use DHCP Option 81 for dynamic DNS registration. The problem was that some servers were getting their DNS A records registered correctly and some were not. The inconsistency was problematic, and the more I dug into it, the worse it got. This is the story of chasing that inconsistency, finding a workaround, realising the workaround was unnecessary, and ending up with a PR open against systemd upstream to fix a man page that has been inconsistent and ambiguous for years. ...

March 8, 2026 · 8 min · Malcolm Frazier

Building opscode.io

First post, the stack. This is a static site deployed to AWS via a fully automated pipeline. No servers, no databases, no CMS. Every post is a Markdown file in a git repo.

Stack Overview

Hugo - static site generator
PaperMod - theme
S3 - origin storage for built site files
CloudFront - CDN, HTTPS, caching
ACM - TLS certificate
Route 53 - DNS
GitHub Actions - CI/CD
Terraform - all infrastructure as code

Hugo and PaperMod

Hugo is a static site generator written in Go. Write Markdown, get HTML. No runtime, no application server, nothing to patch or exploit. ...

March 4, 2026 · 4 min · Malcolm Frazier