Sysadmin by Hal Stern

Sysadmin stew: My summer vacation

We catch up on PGP, sysadmin tools, and
rant about Network Computers

September  1996

Once a year, SunWorld's editors indulge me as I offer "softer" commentary about management, the state of the union or dissolution of the union in system management, or some other area removed from the Unix command line. This month, I present a trip report -- not of my actual summer vacation, but of the research roads traveled answering reader e-mail and exploring interesting pieces of Internet flotsam and jetsam. I'll do this in true trip report fashion, with numerous bulleted lists connected by topic. Welcome to the USA Today version of Sysadmin. (2,500 words)


Instead of the usual background, exposition, and tips sections, we'll revisit four areas covered by columns of the past year. We'll start with a brief PGP update with both good and bad news for the PGP-literate public. From there we'll do a roundup of some security issues and "seat wrench" type tools -- those utilities that lay around unnoticed until you absolutely, positively need them, and you find that the tool is a perfect fit for the job. (For the uninitiated in home plumbing experiments, a seat wrench exists to do nothing else but remove the inner workings of a leaky faucet.) We'll close out this odd lot with some kind and not-so-kind words for our readership, our collective management, and marketing people cruising in the stratosphere of Internet hype. Read to the end to see who gets what on their plates.

Pretty Good gets pretty much better: A PGP update
Back in February, we covered Phil Zimmermann's Pretty Good Privacy (PGP) package, explaining how to use it to encrypt files and mail, and to use it as the basis for a digital signature and authentication scheme. At the time, Zimmermann was facing Federal prosecution in the United States for allegedly violating an export embargo on the PGP software. Rumors were rife about an upcoming PGP 3.0 release, and one major stumbling block for widespread use of PGP was the lack of a scalable, global, trusted key management scheme. Six months later, the news is mostly good:

Key management remains an open issue for PGP and other services that depend on public keys, such as Sun's Simple Key Management for IP (SKIP) protocol used by the Solstice SunScreen SPF-100 product. Rather than relying on a well-known service or hierarchy of key servers like the Domain Name System (DNS), PGP refers to a key ring maintained somewhere within your filesystem hierarchy. In essence, you take full personal responsibility for collecting and packing the keys you'll need. Generally, you'll add keys to your own keyring if you can prove the identity of the person giving you the key, for example, she hands you the key on a floppy disk while you sip double lattes.

Alternatively, you may accept an electronic copy of a key if it was digitally signed by one or more people to whom you would extend your trust. What you're saying is "I proxy my background check on this key to Bob and Fred; if they signed the key then I will believe it's valid, even if I don't know the key holder personally." Dealing with PGP keys from users you haven't met poses a non-trivial problem.

The USENIX Association offers a key-signing service to help build a web of trust between its members. Operationally, the signing service is elegant in its simplicity. Any USENIX member presents himself or herself at the USENIX booth at an industry conference or show, provides two forms of identification, at least one with a picture, and agrees to indemnify USENIX for any misuse of the PGP keys. At the time this agreement is signed, a USENIX representative gives you a "shared secret" containing some sequence information and eight words. The key signing is done electronically, via e-mail, using the shared secret to reconfirm the identity of the human being present at the USENIX booth. You'll need the 1996 USENIX key-signing key, available on the USENIX Web site. Once your sign bits have USENIX written on them, use the Web query interface to find a particular user's key.
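To make the "I proxy my background check to Bob and Fred" rule concrete, here is an added example (not from the column or from PGP itself) that models how a keyring decides whether a key is valid: a key counts as valid if it is your own, or if it carries signatures from enough introducers whose own keys are valid and whom you trust. The one-complete-or-two-marginal threshold is the classic PGP default; the keyring contents, the key names, and the treatment of signatures as already cryptographically verified are all constructed assumptions, with a signing-service key like the 1996 USENIX key standing in as a fully trusted introducer.

```python
from dataclasses import dataclass

# Owner trust: how much weight a holder's signature carries as an introducer.
UNKNOWN, MARGINAL, COMPLETE, ULTIMATE = 0, 1, 2, 3
# PGP 2.x defaults: one fully trusted introducer, or two marginal ones,
# is enough to accept a key as valid.
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 2


@dataclass
class KeyRing:
    # signatures[key_id] -> signer key ids, assumed already verified
    # cryptographically; only the trust decision is modelled here.
    signatures: dict
    # owner_trust[key_id] -> how far you trust that holder to vouch for others
    owner_trust: dict

    def is_valid(self, key_id, _pending=frozenset()):
        # Decide whether key_id really belongs to the person it names.
        if self.owner_trust.get(key_id) == ULTIMATE:
            return True  # your own key: identity confirmed in person
        if key_id in _pending:
            return False  # cycle guard: A signs B signs A proves nothing
        completes = marginals = 0
        for signer in self.signatures.get(key_id, ()):
            # A signature counts only if the signer's own key is valid.
            if not self.is_valid(signer, _pending | {key_id}):
                continue
            trust = self.owner_trust.get(signer, UNKNOWN)
            if trust >= COMPLETE:
                completes += 1
            elif trust == MARGINAL:
                marginals += 1
        return completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED


# Constructed keyring: "me" verified the usenix-1996, bob and fred keys in person.
RING = KeyRing(
    signatures={
        "usenix-1996": {"me"}, "bob": {"me"}, "fred": {"me"},
        "alice": {"usenix-1996"},  # one complete introducer: valid
        "carol": {"bob", "fred"},  # two marginal introducers: valid
        "dave": {"bob"},           # one marginal only: not valid
        "eve": {"mallory"},        # mallory trusted but never validated
    },
    owner_trust={"me": ULTIMATE, "usenix-1996": COMPLETE,
                 "bob": MARGINAL, "fred": MARGINAL, "mallory": COMPLETE},
)


def validate_all(ring=RING):
    return {k: ring.is_valid(k) for k in ring.signatures}
```

Note that "mallory" is fully trusted as an introducer yet still cannot vouch for "eve": trust in a holder's judgement is worthless until that holder's own key has been validated.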

Two shameless plugs on behalf of USENIX: First, join if you're not already a member. In addition to the USENIX organization proper, there's the System Administrator's Guild (SAGE), the largest professional organization devoted solely to systems management. Second, the 10th Systems Administration Conference (LISA '96) will be held September 29 through October 2 in Chicago. Get signed, learn something at the same time, and meet your peers in the industry.


Dropping the security blanket
We'll use the preceding good news about PGP and key signing as an opening act for some more somber and pragmatic news on security issues:

The COAST archives at Purdue University, home of the last two items mentioned, contain a plethora of security and network analysis tools. They're worth a visit during your Web travels.

Cool tools and jewels
Here are some other cool tools and management jewels proffered by gentle readers and not-so-gentle mailing lists:

Products like the Integrity Engine show what's possible when you treat your browser like the universal front end. Constantly emphasizing easy and simple access to data, however, may sometimes cloud the real underlying issues.

Return to zero logic: Costs of system management revisited
Tim Steele, a reader from the United Kingdom, chided me for "making [this] sound too easy", where "this" ranged from including PGP support in mail services to editing sendmail configuration files. After a few exchanges of e-mail, I concluded that Tim was right, and that I have glossed over implementation details at times. When I go light on the content, it's for one or more of a few reasons: I may not have done it myself, or proven that an idea works; the details would require several dozen pages more than editorial prudence or deadlines allow; or I'm simply offering an idea for digestion, hoping that someone will return a useful pointer (such as the MKS Integrity Engine).

Tim's main point, however, was not to question the competence of himself or his peers, but to underscore the fact that management sees light treatment of a topic as an indication of trivial implementation. Setting proper time, cost, and complexity expectations for users and management has been a recurrent theme in this space. Unix system management expenses, along with mainframe operations or telecommunications costs, are not discretionary expenditures. They're a necessary component of a first-class, reliable operation.

Like mainframes, Unix sysadmins are not easily and safely modified to perform the function du jour; careful implementation of the latest ideas yields a performant and predictable system. Cost issues have sprung up with every new paradigm embraced by the technical press: PCs, client/server computing, and now even Internet access. It's important to focus on the cost of running the show, but it's even more critical to know what kind of show it is: a serious production or a casual operation. Careful design, architecture and implementation hold the costs down in the long run and generate positive value for the organization.

Why the rant? The trade press has been full of talk of Network Computers (NCs), proclaiming their costs of administration to be near zero. From an end-user perspective that may be true -- there's no need to load floppy disks or interfere with system configuration files each time you need a new application. But from the system and network management viewpoint, there's no such thing as a zero-administration device. Someone has to do the network design, performance and capacity planning, and network failure analysis, although that effort is likely to be more centralized than before.

Again, the comparison to mainframe operations is quite strong. Does Unix run the risk of becoming the next legacy environment, ridiculed for its antiquated ways? Hopefully not, since Unix has a long history of encouraging rapid innovation, rapid delivery of that functionality, and a skilled community of professionals -- our readers -- who are responsible for fueling the pace of that change. Realize what re-centralization of services means, and learn from what the mainframes do well and what they don't do so well. It's something to consider on your next vacation.

[(c) Copyright  Web Publishing Inc., and IDG Communication company]

If you have technical problems with this magazine, contact

Last modified: