Heimdal on Raspberry Pi?

Heimdal on Raspberry Pi?

Henry B Hotz
Since Christmas I’ve been playing (and I do mean just playing) with a Beaglebone. As a matter of curiosity has anyone ever tried to put Heimdal on a machine like that, or a Raspberry Pi? Is it still fast enough to be useful for a small installation?

I have amusing daydreams of some physical hacker trying to steal the KDB and being unable to because the entire server is hidden inside a wall or a cable trough.

Personal email.  [hidden email]




Re: Heimdal on Raspberry Pi?

Jeffrey Hutzelman
On Mon, 2015-02-16 at 09:01 -0800, Henry B (Hank) Hotz, CISSP wrote:
> Since Christmas I’ve been playing (and I do mean just playing) with a
> Beaglebone. As a matter of curiosity has anyone ever tried to put
> Heimdal on a machine like that, or a Raspberry Pi? Is it still fast
> enough to be useful for a small installation?
>
> I have amusing daydreams of some physical hacker trying to steal the
> KDB and being unable to because the entire server is hidden inside a
> wall or a cable trough.


We used to run a KDC on a Sun 3/50.  I'm sure a pi has enough cycles.


Re: Heimdal on Raspberry Pi?

Fredrik Pettai
In reply to this post by Henry B Hotz
Latest heimdal-1-5-branch is in NetBSD 7(_BETA), and it’s pretty simple to install that on RPI:

https://wiki.netbsd.org/ports/evbarm/raspberry_pi/

If you want to run the newer heimdal-1-6-branch on NetBSD 7 (or later):

http://www.netbsd.org/~pettai/HEIMDAL-1-6-HOWTO   
 
(this requires rebuilding the distribution from sources)

/P

On 16 Feb 2015, at 18:01 , Henry B (Hank) Hotz, CISSP <[hidden email]> wrote:

> Since Christmas I’ve been playing (and I do mean just playing) with a Beaglebone. As a matter of curiosity has anyone ever tried to put Heimdal on a machine like that, or a Raspberry Pi? Is it still fast enough to be useful for a small installation?
>
> I have amusing daydreams of some physical hacker trying to steal the KDB and being unable to because the entire server is hidden inside a wall or a cable trough.
>
> Personal email.  [hidden email]
>
>
>
>


Re: Heimdal on Raspberry Pi?

Lars-Johan Liman
In reply to this post by Jeffrey Hutzelman
[hidden email]:
> We used to run a KDC on a Sun 3/50.

Oooh. Memories.

(As a historical sidenote: For more than 20 years I've been technically
in charge of one of internet's root name servers for the DNS -
i.root-servers.net - which, in its very first incarnation in 1991 (then
under the name nic.nordu.net) ran on a ... Sun 3/50! In those days one
could read the query log as it appeared on the console. :-)

> I'm sure a pi has enough cycles.

It should. At least it has a very competent graphics chip - able to push
full HDTV (it's said), so with some creative library hacking, a
substantial GPU is at your hand ... ;-)

                                Cheers,
                                  /Liman

PS. Using my old e-mail address, as I've obviously forgotten to change
my membership on this list. Autonomica was merged into its mother
company Netnod 4 years ago. Will fix.

#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.               !  E-mail: [hidden email]
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/
#----------------------------------------------------------------------

Re: Heimdal on Raspberry Pi?

Dameon Wagner-3
In reply to this post by Jeffrey Hutzelman
On Mon, Feb 16 2015 at 12:52:39 -0500, Jeffrey Hutzelman scribbled
 in "Re: Heimdal on Raspberry Pi?":

> On Mon, 2015-02-16 at 09:01 -0800, Henry B (Hank) Hotz, CISSP wrote:
> > Since Christmas I’ve been playing (and I do mean just playing) with a
> > Beaglebone. As a matter of curiosity has anyone ever tried to put
> > Heimdal on a machine like that, or a Raspberry Pi? Is it still fast
> > enough to be useful for a small installation?
> >
> > I have amusing daydreams of some physical hacker trying to steal the
> > KDB and being unable to because the entire server is hidden inside a
> > wall or a cable trough.
>
>
> We used to run a KDC on a Sun 3/50.  I'm sure a pi has enough cycles.

Sure does, though I guess it depends on what Henry considers "a small
installation".  I have my home KDCs (both Heimdal and a secondary realm
with MIT) running happily on Pis.

Sure, the load and throughput in my home environment is small, but I'm
sure there's enough grunt left over for a reasonable increase in load
to a few thousand principals, and Pis are so cheap that you could
easily spread the load with a few slave KDCs dotted around in other
cable troughs and hidden ducting ... if only they did PoE [0] ;)

Cheers.

Dameon.

[0]: http://www.silvertel.com/news/latest/22-latest-news/304-raspberry-pi-poe.html

--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Systems Development and Support
IT Services, University of Oxford
:Beta tester for Pegasus & Mercury/32 (www.pmail.com):
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><


Re: Heimdal on Raspberry Pi?

Paul Robert Marino
Generally Kerberos is fairly light when it comes to CPU requirements,
so as long as you have enough RAM for an efficient read cache you should
be good.
The one catch I can think of is for Apache: if you use the Kerberos
authorization module, make sure you turn on credential caching or you
will flood the KDC with requests for every image, CSS file, JavaScript
file, JSON query, etc. The reason for this problem is that in
the Apache module, if the browser is not utilizing GSSAPI, the fallback
mechanism will do a full auth for every GET and/or POST unless it was
configured with credential caching enabled, and they add up quickly,
instead of just doing a validation check of the ticket.



On Tue, Feb 17, 2015 at 7:31 AM, Dameon Wagner <[hidden email]> wrote:

> On Mon, Feb 16 2015 at 12:52:39 -0500, Jeffrey Hutzelman scribbled
>  in "Re: Heimdal on Raspberry Pi?":
>> On Mon, 2015-02-16 at 09:01 -0800, Henry B (Hank) Hotz, CISSP wrote:
>> > Since Christmas I’ve been playing (and I do mean just playing) with a
>> > Beaglebone. As a matter of curiosity has anyone ever tried to put
>> > Heimdal on a machine like that, or a Raspberry Pi? Is it still fast
>> > enough to be useful for a small installation?
>> >
>> > I have amusing daydreams of some physical hacker trying to steal the
>> > KDB and being unable to because the entire server is hidden inside a
>> > wall or a cable trough.
>>
>>
>> We used to run a KDC on a Sun 3/50.  I'm sure a pi has enough cycles.
>
> Sure does, though I guess it depends on what Henry considers "a small
> installation".  I have my home KDCs (both Heimdal and a secondary realm
> with MIT) running happily on Pis.
>
> Sure, the load and throughput in my home environment is small, but I'm
> sure there's enough grunt left over for a reasonable increase in load
> to a few thousand principals, and Pis are so cheap that you could
> easily spread the load with a few slave KDCs dotted around in other
> cable troughs and hidden ducting ... if only they did PoE [0] ;)
>
> Cheers.
>
> Dameon.
>
> [0]: http://www.silvertel.com/news/latest/22-latest-news/304-raspberry-pi-poe.html
>
> --
>><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
> Dr. Dameon Wagner, Systems Development and Support
> IT Services, University of Oxford
> :Beta tester for Pegasus & Mercury/32 (www.pmail.com):
>><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
>
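
The KDC load effect described in the message above, as an added example that is not part of any post in this thread: a web front end on the password-fallback path asks the KDC to verify the password on every request unless it caches verified credentials. `CountingKDC`, `BasicAuthFrontend` and the HMAC-tag cache with a TTL are hypothetical names and a design chosen for illustration, not how any particular Apache module implements it, and the principal data is constructed.

```python
import hashlib
import hmac
import os
import time

class CountingKDC:
    """Stand-in for the KDC (constructed); counts password verifications (AS exchanges)."""
    def __init__(self, principals):
        self._principals = principals      # constructed sample data
        self.as_requests = 0

    def verify_password(self, user, password):
        self.as_requests += 1
        expected = self._principals.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

class BasicAuthFrontend:
    """Password-fallback path of a web server with an optional verified-credential cache."""
    def __init__(self, kdc, cache_ttl=None, clock=time.monotonic):
        self._kdc = kdc
        self._ttl = cache_ttl              # None = caching disabled
        self._clock = clock
        self._key = os.urandom(32)         # per-process key; passwords are never stored
        self._cache = {}                   # user -> (HMAC tag, expiry time)

    def authenticate(self, user, password):
        now = self._clock()
        msg = user.encode() + b"\x00" + password.encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        hit = self._cache.get(user)
        if hit and hit[1] > now and hmac.compare_digest(hit[0], tag):
            return True                    # answered locally, no KDC traffic
        ok = self._kdc.verify_password(user, password)
        if ok and self._ttl is not None:
            self._cache[user] = (tag, now + self._ttl)   # only successes are cached
        return ok

def kdc_requests_for_page(cache_ttl, resources=40):
    """One page view = one request per resource, each carrying Basic credentials."""
    kdc = CountingKDC({"alice": "correct horse"})
    frontend = BasicAuthFrontend(kdc, cache_ttl=cache_ttl)
    results = [frontend.authenticate("alice", "correct horse") for _ in range(resources)]
    return all(results), kdc.as_requests

if __name__ == "__main__":
    print("no cache  :", kdc_requests_for_page(None))
    print("300s cache:", kdc_requests_for_page(300))
```

The cache trades KDC load for staleness: a changed password or disabled principal is not noticed until the entry expires, so the TTL should stay short.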

Re: Heimdal on Raspberry Pi?

Henry B Hotz
In reply to this post by Dameon Wagner-3

On Feb 17, 2015, at 4:31 AM, Dameon Wagner <[hidden email]> wrote:

> On Mon, Feb 16 2015 at 12:52:39 -0500, Jeffrey Hutzelman scribbled
> in "Re: Heimdal on Raspberry Pi?":
>> On Mon, 2015-02-16 at 09:01 -0800, Henry B (Hank) Hotz, CISSP wrote:
>>> Since Christmas I’ve been playing (and I do mean just playing) with a
>>> Beaglebone. As a matter of curiosity has anyone ever tried to put
>>> Heimdal on a machine like that, or a Raspberry Pi? Is it still fast
>>> enough to be useful for a small installation?
>>>
>>> I have amusing daydreams of some physical hacker trying to steal the
>>> KDB and being unable to because the entire server is hidden inside a
>>> wall or a cable trough.
>>
>>
>> We used to run a KDC on a Sun 3/50.  I'm sure a pi has enough cycles.
>
> Sure does, though I guess it depends on what Henry considers "a small
> installation".  I have my home KDCs (both Heimdal and a secondary realm
> with MIT) running happily on Pis.

I was thinking order of 1k principals with corresponding traffic, i.e. smaller than JPL, but still Enterprise grade. Nice to confirm a real-world case, though I note that AS requests using PKINIT are around 2 orders of magnitude slower.

<off topic>
I’m no longer at JPL, and I’m becoming less enamored with the constant hunting needed for consulting. If anyone knows of a crypto/identity-management kind of position please email me off-list?
</off topic>

> Sure, the load and throughput in my home environment is small, but I'm
> sure there's enough grunt left over for a reasonable increase in load
> to a few thousand principals, and Pis are so cheap that you could
> easily spread the load with a few slave KDCs dotted around in other
> cable troughs and hidden ducting ... if only they did PoE [0] ;)

I thought of that as soon as I wrote it. ;-)  Might be a fun hobby project. (Beaglebone, not Pi, and I’d want the power breakout on a cape that fits inside the case.) Getting back into playing with hardware was the real reason I bought the thing.

> Cheers.
>
> Dameon.
>
> [0]: http://www.silvertel.com/news/latest/22-latest-news/304-raspberry-pi-poe.html
>
> --
>> <> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
> Dr. Dameon Wagner, Systems Development and Support
> IT Services, University of Oxford
> :Beta tester for Pegasus & Mercury/32 (www.pmail.com):
>> <> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

Personal email.  [hidden email]