Hacker News: gnufx

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Sun, 05 Apr 2026 19:02:49 +0000

Yes, but its authN components only act locally, and PAM is optional for sshd. It can/does call out to network services like Kerberos/LDAP given a password, of course, but I was thinking of network authN connected directly with OIDC somehow, for which I don't know a mechanism in vanilla OpenSSH. (I don't know what Authentik does for this -- I could imagine it's behind the scenes somehow.) I should probably look it up sometime.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Sat, 04 Apr 2026 11:36:25 +0000

I'm happy for anyone who doesn't have MS Windows/Active Directory -- so Kerberos -- in their organization, but I'd need (Free)IPA or similar for user/access management anyway. Certificates are an extra layer of SSH-specific complexity, which concerns me for security even if it doesn't involve some third party. MFA is needed once a day, say, for SSO to all Kerberized services. [As I understand it, "managing an OIDC IdP" includes shipping the contents of Active Directory to Entra, heaven help us.]

> Setting up Kerberos in 2026 feels somewhat close to malpractice to me.

Microsoft (if that means anything, but they've done good work) and Red Hat obviously disagree, along with decades' experience. It is malpractice not to secure NFS mounts (and other network filesystems with sensitive data), and that means Kerberos.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Sat, 04 Apr 2026 11:13:03 +0000

Yes, FreeIPA is Kerberos+LDAP+X.509 CA, and GSSAPI is in OpenSSH (normally with the key exchange patch). SSSD is a local mechanism, not network authentication. I mentioned authorized keys distribution mechanisms elsewhere, but I was thinking authentication (c.f. OIDC), not authorization.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Fri, 03 Apr 2026 23:20:14 +0000

I don't want to have to get a special purpose credential when I have a TGT which can work generally, and is at least required for secure remote filesystem access.

You have to manage extra infrastructure for certificates and, as a user, have the friction of firing up a JavaScript-enabled web browser via an additional tool, assuming "real IdP" means using OIDC. Unfortunately that flow is actually needed for remote systems and something like Edugain federation, since Moonshot/IETF ABFAB failed, but at least Shibboleth can use the TGT, and it's not the Globus horror.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Fri, 03 Apr 2026 19:02:15 +0000

Public keys (for OpenSSH) can be in DNS (VerifyHostKeyDNS) or in, say, LDAP via KnownHostsCommand and AuthorizedKeysCommand.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Fri, 03 Apr 2026 18:57:12 +0000

If you mean using OIDC, in that space there's at least https://github.com/EOSC-synergy/ssh-oidc, https://dianagudu.github.io/mccli/ and OpenPubkey-ssh discussed in https://news.ycombinator.com/item?id=43470906 (which might mention more).

How does SSSD support help with SSH authN? I know you can now get Kerberos tickets from FreeIPA using OIDC(?), but I forget if SSSD is involved.

New comment by gnufx in "SSH certificates: the better SSH experience"

gnufx — Fri, 03 Apr 2026 18:45:23 +0000

Life is easier if you can use Kerberos SSO, i.e. GSSAPIAuthentication in OpenSSH. (If we're talking certificates, presumably it is OpenSSH, or does anything else implement them?)

New comment by gnufx in "The future of version control"

gnufx — Mon, 23 Mar 2026 20:44:58 +0000

As far as I remember, that's just because only the find/replace was implemented, and it could have more sophisticated (semantic?) features.

New comment by gnufx in "The future of version control"

gnufx — Mon, 23 Mar 2026 20:38:18 +0000

Its author says it implements a CRDT in its theory documentation.

New comment by gnufx in "What every computer scientist should know about floating-point arithmetic (1991) [pdf]"

gnufx — Mon, 16 Mar 2026 18:53:01 +0000

Before isnan() the Fortran test for NaN was (x .ne. x), assuming an IEEE 754 implementation.

New comment by gnufx in "GrapheneOS – Break Free from Google and Apple"

gnufx — Tue, 17 Feb 2026 13:57:07 +0000

> I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates

Mine is running /e/ and reporting Android 13, which appears to be the last one Fairphone support. /e/ said it was too difficult to support 14 with the kernel involved. It's had continual security updates apart from the Android version.

Edit: Murena make it clear which phones are officially supported and which have "community" support.

New comment by gnufx in "Ga68, a GNU Algol 68 Compiler"

gnufx — Sat, 07 Feb 2026 23:35:02 +0000

Some of those codebases might be (interesting) operating systems.

https://en.wikipedia.org/wiki/ALGOL_68#Operating_systems_wri...

New comment by gnufx in "Tiny C Compiler"

gnufx — Sat, 07 Feb 2026 23:15:26 +0000

Used in the impressive Guix bootstrap.

https://guix.gnu.org/manual/1.5.0/en/html_node/Full_002dSour...

New comment by gnufx in "Brookhaven Lab's RHIC concludes 25-year run with final collisions"

gnufx — Sat, 07 Feb 2026 23:06:42 +0000

Indeed. The first dedicated light -- for various values of "light" -- source[1] repurposed the tunnel and various bits and techniques from the particle physics accelerator it replaced, and on which parasitic "light" measurements were made previously. See also [2].

1. https://en.wikipedia.org/wiki/Synchrotron_Radiation_Source

2. https://www.ukri.org/publications/new-light-on-science-socio...

New comment by gnufx in "Brookhaven Lab's RHIC concludes 25-year run with final collisions"

gnufx — Sat, 07 Feb 2026 22:48:59 +0000

In the context of the article "collider" means intersecting particle beams, like in RHIC and LHC, which obviously involves rather low probability interactions, as opposed to accelerators which slam a beam into a dense target (like the SLAC accelerator). In a synchrotron light source you want the beam to circulate and specifically not collide with anything; they were developed from particle physics accelerators, of course.

New comment by gnufx in "Brookhaven Lab's RHIC concludes 25-year run with final collisions"

gnufx — Sat, 07 Feb 2026 22:39:20 +0000

You imply that experiment contaminated drinking, and other, water. How? Are you saying the Cs¹³⁷ leaked, and at concentration above that from fallout, say? Its γ-rays don't activate materials — I've used enough of them.

New comment by gnufx in "Brookhaven Lab's RHIC concludes 25-year run with final collisions"

gnufx — Sat, 07 Feb 2026 21:16:11 +0000

Since when were industrial products the purpose? Why do you think my colleagues can't analyse LHC data and discover the Higgs particle? The article says RHIC was a considerable scientific success.

New comment by gnufx in "Brookhaven Lab's RHIC concludes 25-year run with final collisions"

gnufx — Sat, 07 Feb 2026 21:09:42 +0000

As I recall, RHIC itself replaced some cancelled project. I remember the tunnel being at least partly there in the mid-80s, with a plan to trundle ions from the tandem lab through a crazy long beamline across the site and stop nuclear structure research there as a result.

Brookhaven Lab's RHIC concludes 25-year run with final collisions

gnufx — Sat, 07 Feb 2026 19:07:27 +0000

Article URL: https://www.hpcwire.com/off-the-wire/brookhaven-labs-rhic-concludes-25-year-run-with-final-collisions/

Comments URL: https://news.ycombinator.com/item?id=46926576

Points: 100

# Comments: 69

New comment by gnufx in "UK government launches fuel forecourt price API"

gnufx — Mon, 02 Feb 2026 21:28:06 +0000

Good to see. For what it's worth, data were previously available from the Competition and Markets authority, used by https://localfuelprices.co.uk/