Re: [CentOS] How to correct LiveKDE stick?

2016-01-11 Thread Fabian Arrotin

On 09/01/16 13:10, Timothy Murphy wrote:
> CentOS-7-x86_64-LiveKDE-1511.iso crashes on my AMD/ATI Radeon
> machine. I installed CentOS-7.2 by first installing 
> CentOS-7-x86_64-LiveKDE-1503.iso, then appending 
> GRUB_CMDLINE_LINUX_DEFAULT="initcall_blacklist=clocksource_done_booting"
> to /etc/default/grub and running update-grub.
> 
> My question is: would there be any way, short of re-compiling the
> ISO, of altering the grub.cfg seen when booting from a USB stick?
> 

That issue is very specific to some older/lighter AMD CPUs, and the
bug report is here: https://bugs.centos.org/view.php?id=9860
(probably where you found the workaround).
I don't think that it's worth a respin, nor a custom iso for that
issue, as one can just edit the Live image boot parameters (through
isolinux config), and then apply the parameter through grub (as you did).

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] nsswitch.conf question

2016-01-11 Thread Nicholas Geovanis
I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
file specify "files sss". I'm not familiar with the "sss" source, would
someone please give me an idea what that is? Many thanks
Nick


Re: [CentOS] nsswitch.conf question

2016-01-11 Thread Leon Fauster
On 11.01.2016 at 21:44, Nicholas Geovanis wrote:
> I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
> file specify "files sss". I'm not familiar with the "sss" source, would
> someone please give me an idea what that is? Many thanks
> Nick

https://fedorahosted.org/sssd/

--
LF




Re: [CentOS] nsswitch.conf question

2016-01-11 Thread Alexander Dalloz

On 11.01.2016 at 21:44, Nicholas Geovanis wrote:
> I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
> file specify "files sss". I'm not familiar with the "sss" source, would
> someone please give me an idea what that is? Many thanks
> Nick


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/SSSD-AD.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html

Alexander



Re: [CentOS] Centos 3.8 Server Questions, SeaMonkey Mozilla and Java

2016-01-11 Thread Johnny Hughes
On 01/09/2016 01:59 PM, H wrote:
> But I did not ask for a current version of Centos to support my usecase, did 
> I?

All I can tell you is that CentOS 3.(anything) is no longer secure at
all.  If this machine in any way touches the internet, expect that it
will be hacked.  You can try to minimize the issues by only opening
ports that are absolutely required, but there are issues that would be rated
critical if that branch was being maintained.

On top of that, Java is one of the least secure packages out there, and
they have critical updates all the time .. which means if that is what
you want to do on this box, then it is doubly insecure.

But that is your call, not mine.

EPEL was never released for RHEL-3 / CentOS-3 (that I can find).  There
were not even any of these extra packages for EL3:
http://centos.karan.org

If you must use a CentOS-3.x .. you should use 3.9, which is 3.8 + the
updates from here:

http://vault.centos.org/3.9/updates/

But, I want to reiterate, it will in no way be even close to secure.

Thanks,
Johnny Hughes





[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.

2016-01-11 Thread James B. Byrne
Our firm uses a dedicated virtual host to provide ssh tunnels for
remote employee access to various internal services and for http/s
access to the outside world.  For security reasons I would like to
have the remote users forward their dns lookups over the tunnel as
well.  However, we recently chrooted a number of ssh users and these
accounts cannot resolve dns queries passed over the tunnel.

I infer from previous experience that the necessary libraries/binaries
are not installed in the chroot home. I can install whatever is
missing using yum  --installroot=[path/to/chroot/home] but what I
cannot determine is exactly what package(s) is/are required.

What is the minimal package set needed to enable chrooted users to
perform dns lookups on CentOS-6?


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes

2016-01-11 Thread James B. Byrne

On Sat, January 9, 2016 19:48, Gordon Messmer wrote:
> On 01/09/2016 03:30 PM, isdtor wrote:
>> Search for policy routing.
>
> Policy routing isn't relevant.
>
> In order to communicate across a LAN, two hosts must be in the same
> broadcast domain.  Hosts in 192.168.51.0/24 cannot communicate with
> hosts in 192.168.52.0/24.
>
>

If I have all of the kvm guests on both hosts, together with the br0
bridge on both hosts, configured with addresses on the same a.b.c.0/24
network then will all communication on a.b.c.0/24 pass over br0 if the
target address is on the other host?

kvmh1g1 eth0=192.168.51.100
kvmh1   br0=192.168.51.41

kvmh2   br0=192.168.51.42
kvmh2g1 eth0=192.168.51.200

In other words, with the address configuration given above, will
traffic from 192.168.51.200 reach 192.168.51.100 via the cross-over
cable between 192.168.51.42/192.168.51.41?


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] Learned something today

2016-01-11 Thread Valeri Galtsev
On Mon, January 11, 2016 9:38 am, Gordon Messmer wrote:
> On 01/11/2016 06:50 AM, Always Learning wrote:
>> Why not, on start-up, create a 'ram disk' and do your sensitive work in
>> volatile RAM or is this what 'tmpfs' implies ?
>
> I think that's what OP expected tmpfs to be, but it should be noted that
> tmpfs *can* be swapped to disk, so it should not be used for data that you
> don't want to ever hit non-volatile storage (unless you have no swap
> space).

One thing just asks to be added: "volatile" memory is not that volatile,
so relying purely on keeping sensitive stuff in plain text in volatile
memory may not be too good an idea. Still, it is much more secure than the
case when sensitive data may hit the hard drive. What I mention is best
explained here (the whole paper is very instructive, for RAM go directly
to chapter 8):

https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247










Re: [CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.

2016-01-11 Thread John R Pierce

On 1/11/2016 9:25 AM, James B. Byrne wrote:
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world.  For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well.  However, we recently chrooted a number of ssh users and these
> accounts cannot resolve dns queries passed over the tunnel.


use a proper VPN, like OpenVPN.   ssh tunnels have way too many limitations.

--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Learned something today

2016-01-11 Thread Always Learning

On Sun, 2016-01-10 at 06:52 -0800, Alice Wonder wrote:

> For me, I only need /tmp as tmpfs on my Bitcoin box - and then only when 
> generating private keys for cold storage, SSDs are often not very good 
> at securely deleting files. So I use tmpfs for /tmp and generate the 
> private keys for cold storage to a file in /tmp and then print it from 
> there (for storage in safe deposit box) - so that the private keys can't 
> be recovered from the SSD.

Why not, on start-up, create a 'ram disk' and do your sensitive work in
volatile RAM or is this what 'tmpfs' implies ?


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] Learned something today

2016-01-11 Thread Gordon Messmer

On 01/11/2016 06:50 AM, Always Learning wrote:
> Why not, on start-up, create a 'ram disk' and do your sensitive work in
> volatile RAM or is this what 'tmpfs' implies ?


I think that's what OP expected tmpfs to be, but it should be noted that 
tmpfs *can* be swapped to disk, so it should not be used for data that 
you don't want to ever hit non-volatile storage (unless you have no swap 
space).
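
Added example, not part of the original thread or any poster's code: a shell check for the point made in this thread that tmpfs can be swapped to disk. It reads files in /proc/mounts and /proc/swaps format; the function names, verdict strings and sample data are constructed for illustration, and the ramfs case goes beyond what the posts cover.

```shell
#!/bin/sh
# Could a file written under a directory reach non-volatile storage via swap?
# Inputs use /proc/mounts and /proc/swaps format (defaults: the live files).

# Print the filesystem type of the deepest mount point containing $1.
# (Mount points with spaces, shown as \040 in /proc/mounts, are not handled.)
fs_type_for() {
    awk -v d="$1" '
        { mp = $2
          # match when mp is d itself, the root, or a parent directory of d
          if (mp == d || mp == "/" || index(d, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); fstype = $3 } }
        END { print fstype }' "${2:-/proc/mounts}"
}

# Exit 0 if any swap area is active (line 1 of /proc/swaps is a header).
swap_active() {
    awk 'NR > 1 && NF > 0 { n++ } END { exit (n > 0 ? 0 : 1) }' "${1:-/proc/swaps}"
}

# Verdicts: disk-backed | tmpfs-swappable | ram-only
# "ram-only" means never paged out to swap; it says nothing about how long
# the data lingers in RAM itself.
classify_dir() {
    case $(fs_type_for "$1" "${2:-/proc/mounts}") in
        ramfs) echo ram-only ;;          # ramfs pages are never swapped
        tmpfs) if swap_active "${3:-/proc/swaps}"
               then echo tmpfs-swappable
               else echo ram-only
               fi ;;
        *)     echo disk-backed ;;
    esac
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/mapper/centos-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
ramfs /mnt/keys ramfs rw,relatime 0 0
EOF
printf 'Filename Type Size Used Priority\n/dev/dm-1 partition 2097148 0 -1\n' \
    > "$SAMPLE_DIR/swaps"
printf 'Filename Type Size Used Priority\n' > "$SAMPLE_DIR/noswap"  # after swapoff -a

classify_dir /tmp/keygen "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/swaps"    # swap on
classify_dir /tmp/keygen "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/noswap"   # swap off
```

Called with only a directory argument, classify_dir reads the live /proc/mounts and /proc/swaps of the host it runs on.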



Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes

2016-01-11 Thread Gordon Messmer

On 01/11/2016 09:34 AM, James B. Byrne wrote:
> In other words, with the address configuration given above, will
> traffic from 192.168.51.200 reach 192.168.51.100 via the cross-over
> cable between 192.168.51.42/192.168.51.41?


Yes.


Re: [CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.

2016-01-11 Thread Warren Young
On Jan 11, 2016, at 10:25 AM, James B. Byrne wrote:
> 
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world.  For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well.

If by “ssh tunnel” you mean -L and -R, then you can’t do this.  Those only 
support TCP, but you need UDP for DNS.

DNS can also run over TCP, but it’s basically only done for bulk transfers, 
like zone updates between DNS servers.  There may be a way to force your client 
OS’s DNS resolver to TCP-only, but you’ll miss out on third-party resolvers 
like the ones in Firefox and Chrome.  (Yup!  They don’t use the OS’s DNS 
resolver!)

Another option with SSH is SOCKS5, which *does* support UDP, but requires that 
all the programs that use it speak SOCKS, which has been a dying protocol since 
NAT routers became common.

FreeBSD and Mac OS X have OS-level SOCKS support that can force *most* 
application traffic across the configured SOCKS link, but as far as I can tell, 
such an OS-level SOCKS setting does not exist on Windows and Linux.  Some 
Windows apps obey IE’s proxy settings, but it’s not universal, and on Linux, 
it’s pretty much every app for itself.

SOCKS and SSH tunnels are fine for ad hoc VPN-like behavior, but if you really 
need to force all traffic through the tunnel, John’s right: a proper VPN is the 
correct solution.


[CentOS] X and NUC5i3ryk on 7.2

2016-01-11 Thread Jerry Geis
I just received my NUC5i3 and tried to get X working using 7.2, it has
Intel HD 5500 graphics.

Not so much...

lspci | grep VGA provides
0:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated
Graphics (rev 09)

I downloaded this package
xf86-video-intel-1-2.99.917+519+g8229390-1-x86_64.pkg.tar.xz
rebooted and X is running - but not "well".

Tried to play a 1080p video and it's jerky.

Do I not have the correct setup yet?
Anyone have the NUC5i3 and have X running correctly?

Any thoughts, Thanks so much.

jerry