Notes on software, astronomy, machine learning, and infrastructure.

The Two-Factor Authentication System at CERN

This blog post is a summary of my project at the European Organization for Nuclear Research (CERN) where I worked in their Identity and Access Management (IAM) team.

My project was to introduce Two-Factor Authentication (2FA) in the Keycloak system. CERN started migration to the Keycloak Identity Provider (IdP) as part of the MALT project which aimed to move away from Microsoft products. The project was cancelled in late 2021, however, some services were allowed to continue development. The IAM team was allowed to continue development for the CERN SSO, which was based on Keycloak.

We developed a custom 2FA implementation with Keycloak which allowed users to optionally login from the SSO login page. Internally, this setup posed a few …

Read more →

Rate limiting in HAProxy and Nginx

Rate-limiting is a common strategy for safe guarding a server from potential DDoS attacks or sudden peaks in network traffic. Rate-limiting instructs the server to block requests from certain IP addresses that are sending an unusual number of requests to the system.

We can apply rate-limiting to both Nginx and HAProxy. Nginx runs on each end node hosting the service, while HAProxy serves as the load-balancer and distributes incoming requests among available nodes. This post describes how to rate-limit requests on both Nginx and HAProxy and shows how to whitelist IPs and rate-limit a single URL. The final section shows how to apply this configuration in Puppet.

1. Rate-limiting in HAProxy

This section describes how to configure HAProxy to rate-limit …

Read more →

Creating a JSON logger for Flask

By default Flask writes logs to the console in plain-text format. This can be limiting if you intend to store your logs in a text file and periodically send them to a central monitoring service. For example, Kibana, only accepts JSON logs by default.

You might also want to enrich your logs with additional metadata, e.g. timestamps, method names, log type (Warn, Debug, etc.). In this post we will use the Python logging library to modify Flask’s logging format and write them to a text file. In the end we will see how to periodically send these logs to an external service using Flume.

In our app we would like to setup two types of loggers. One for …

Read more →

My course portfolio for Computational Photography

This semester I took Georgia Tech’s Computational Photography course. It was a very hands-on course, mostly comprising of assignments and projects. This post includes the results for all its assignments and projects.

1. Pyramid blending

The goal of this assignment was to combine two separate images into a seamlessly blended image, using a mask. The input took a left image, a right image, and a mask, which was a binary image used to overlap the two inputs.

Pyramid blending

2. Panoramas

For this assignment we wrote code to align & stitch together a series of images into a panorama. We followed the text from Computer Vision: Algorithms and Applications book. The assignment followed homography techniques to create the output picture.

panorama_1 panorama_2 panorama_3

After stitching …

Read more →

Building a Camera Obscura

A camera obscura is the predecessor of modern day cameras. It works by letting light in through a small pinhole and projects it onto a surface (e.g. a wall).

To build a room obscura we need to choose a room which gets plenty of sunlight. I chose my bedroom for this.

scene

Next we need to identify all the sources of light and completely seal them. In my case I used garbage bags to cover my two windows.

setup_2 setup_3

I used packing tape instead of duct tape as it can tear off paint from the wood. However, this led to some light bleeding in from the edges. I fixed this using aluminum foil.

failed

I experimented with three pinholes of various sizes …

Read more →

Passwordless logins with Yubikey

Yubikey is currently the de facto device for U2F authentication. It enables adding an extra layer of security on top of SSH, system login, signing GPG keys, and so on. It is also compatible with several other authentication methods, such as WebAuthn and PAM.

This post will show how to leverage your Yubikey for unlocking the system lock-screen, both with and without using a password. It will then delve into how to automatically lock the screen when the Yubikey is unplugged.

To achieve logins with Yubikeys we require a PAM configuration. PAM or Pluggable Authentication Modules define the authentication flow for common Linux utilities, such as sudo, su, and passwd. We will override the default authentication flow for the xlock …

Read more →

Plotting graphical data using RRDtool and a Python Collectd plugin

Collectd is Unix daemon used for periodically collecting system usage statistics, which can include identifying CPU or memory bottleneck issues. The collected data can then be transformed to graphs using RRDtool or a Grafana dashboard (Grafana provides real time graphs and complex search queries).

The daemon itself is modular and functions through external plugins with each plugin performing a distinct function. This post will explore a plugin which collects weather information of a given city. The first section will explain how the plugin configuration works and how to plot a graph of the output data using RRDtool. Finally, we will delve into the plugin internals and see how it is written.

Note: For an intro on how to setup Collectd …

Read more →

The Kerberos Authentication System for Single Sign-On (SSO)

When working with authentication protocols the commonly used technique in the past was known as authentication by assertion. In this scheme a user logs in to their machine which then authenticates their request to a remote server. Once the authentication is finished the user can then communicate with other services. This provides a very low level of security, which has led to numerous vulnerabilities in the early versions of the rlogin Unix login utility.

An alternative solution is for the user to repeatedly provide their password each time they wish to use a service. This however requires the user to send their plain text password over the network, which could potentially be intercepted by a third-party user and can get …

Read more →

Programmatically organising your backpacking trip using Google My Maps

This blog post has been converted from a presentation I gave during the Thematic CERN School of Computing 2019.

When planning a journey to a new country or a city it helps to mark down all the places you would like to visit and eventually create a travel plan for each day. I personally use Google Maps for finding places of interest including historical buildings, museums, and libraries. As an example, if I was to visit say Split, Croatia I could search for “places to visit split” on Google Maps. It will then list all the attractions based on features such as reviews and popularity.

Things to do in Split

Although it is possible to individually “Save” each place in Google Maps, it does not …

Read more →

Building RPM packages with rpmbuild, Koji, and GitLab-CI

The RPM system facilitates the user to query and update a software package. It also allows examining package interdependencies, and verifying package file permissions. This blog post will describe the process of building an RPM package using the rpmbuild utility and will then explain how to schedule build tasks using Koji. Finally, it will describe how to automate the build pipeline using continuous integration in GitLab.

1. RPM Package Manager

RPM Package Manager is an open-source package management system which was originally designed for Red Hat Linux, but it is now supported on most Linux distributions. RPM packages can generally be of two types:

  • Binary RPM: A binary RPM contains the compiled binary of a complete application (or a library …
Read more →