[gentoo-user] ipv6 config

2016-02-21 Thread jens w
On a gentoo computer with ipv6 forwarding enabled, no ipv6 address is
assigned by router announcements.
Is this a feature or a bug?

I registered a 6in4 tunnel (Hurricane Electric / www.tunnelbroker.net).
I tried to create the tunnel with ifconfig, following the HE doc /
wiki.gentoo.org / wiki / IPv6_router_guide. When I try to ping
ipv6.google.com, I get the message: Destination unreachable: Address
unreachable.
I need a hint where I should look.

bye, jens.
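The forwarding/RA interaction asked about above is documented Linux sysctl behaviour: with accept_ra=1 (the default) a host stops honouring router advertisements as soon as forwarding is turned on, and accept_ra=2 is needed to autoconfigure a forwarding box. The following is an added check script, not part of the thread; the interface name passed to check_iface is an assumption.

```shell
#!/bin/sh
# Added example (not from the mailing list post).
# Linux semantics per Documentation/networking/ip-sysctl.txt:
#   accept_ra = 0  never accept router advertisements (RAs)
#   accept_ra = 1  accept RAs only if forwarding is disabled
#   accept_ra = 2  accept RAs even if forwarding is enabled

# Pure decision function: echoes yes/no for a (forwarding, accept_ra) pair.
ra_honored() {
    fwd=$1
    ra=$2
    case "$ra" in
        0) echo no ;;
        1) if [ "$fwd" -eq 0 ]; then echo yes; else echo no; fi ;;
        2) echo yes ;;
        *) echo unknown ;;
    esac
}

# Read the live values for one interface from /proc (Linux only) and
# report whether SLAAC via RAs can work on it.  Interface name is an
# assumption; pass e.g. "eth0".
check_iface() {
    iface=$1
    d=/proc/sys/net/ipv6/conf/$iface
    if [ ! -r "$d/forwarding" ] || [ ! -r "$d/accept_ra" ]; then
        echo "no such ipv6 interface: $iface" >&2
        return 1
    fi
    fwd=$(cat "$d/forwarding")
    ra=$(cat "$d/accept_ra")
    printf '%s: forwarding=%s accept_ra=%s -> RAs honored: %s\n' \
        "$iface" "$fwd" "$ra" "$(ra_honored "$fwd" "$ra")"
    # The exact case from the post: a forwarding box with the default accept_ra.
    if [ "$fwd" -eq 1 ] && [ "$ra" -eq 1 ]; then
        echo "  hint: sysctl -w net.ipv6.conf.$iface.accept_ra=2"
    fi
}

# Example invocation (only meaningful on a Linux host with that interface):
# check_iface eth0
```

Note that a 6in4 tunnel from HE is statically addressed and does not depend on RAs at all, so this only explains the missing LAN-side address, not the tunnel reachability problem.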



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread Daniel Frey
On 02/20/2016 02:27 AM, lee wrote:
> Daniel Frey  writes:
>> I looked up x2go and rebuilt openssh on my home server as it suggested
>> to try it out. 

I should mention I undid the hpn USE-flag change (x2go suggested
building without it) and it works fine; the newer versions have patches
that don't require hpn to be disabled.

Still using x2go, still works wonderfully.

Dan





Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread Rich Freeman
On Sat, Feb 20, 2016 at 5:55 AM, lee  wrote:
> Rich Freeman  writes:
>
>> develop.  (Before somebody points out LUKS, be aware that Bitlocker
>> lets you do full-disk encryption that is secure without having to
>> actually type a decryption key at any point.  Remove the hard drive or
>> boot from a CD, and the disks are unreadable - you can only read them
>> if you boot off them on the original PC.)
>
> And how do you read the disks when this original machine is broken?
>

Well, in general you still want to have backups.  I believe many of
these sorts of solutions do let you escrow a key elsewhere.

> It doesn't seem very secure, either.  When your laptop that uses
> Bitlocker gets into the wrong hands, whoever has it can read the disks.

Kinda-sorta.  They can boot the machine, but now they're stuck at a
login prompt.  In order to extract data from the computer they need to
defeat password-throttling, the kernel, and so on.  They have to go
through the front-door.  The main protection is against offline
password cracking/etc.

I'd think the biggest vulnerability of something like Bitlocker would
be against direct memory attacks.  I assume that the session keys are
stored in RAM - I can't imagine that all drive reads/writes are
streamed through the TPM.  So, extracting the keys from RAM after
bootup would be the biggest risk.  If the user data is encrypted using
user-entered passwords you're still going to have all the security of
a LUKS-like solution but with the advantage of rate limiting of
attacks.

In ChromeOS they took a different approach.  They use UEFI secure boot
to protect the OS, and then encrypt user data using a key derived from
the user's password and the TPM, using the TPM to rate-limit attacks.
In this design only the user's private data is protected from reading,
but to crack it they still have to boot the system normally and go
through the front door.  There is no way to offline-crack the user's
weak hand-entered password.  They either need to send that password
through the TPM (I'm not sure if they can do that offline or not -
probably they can, but it is still rate-limited by the TPM itself), or
they need to directly brute-force the AES key which is of course
impractical.

The problem with LUKS is that it doesn't do anything to rate-limit
attacks since there is no hardware component to it.  Of course it is
designed to make attacks more expensive using multiple rounds/etc to
make up for the weakness of memorized passwords.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Rich Freeman  writes:

> develop.  (Before somebody points out LUKS, be aware that Bitlocker
> lets you do full-disk encryption that is secure without having to
> actually type a decryption key at any point.  Remove the hard drive or
> boot from a CD, and the disks are unreadable - you can only read them
> if you boot off them on the original PC.)

And how do you read the disks when this original machine is broken?

It doesn't seem very secure, either.  When your laptop that uses
Bitlocker gets into the wrong hands, whoever has it can read the disks.



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Rich Freeman  writes:

> On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
>> Rich Freeman  writes:
>>> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>>>> Rich Freeman  writes:
>>>>
>>>>> However, while an RDP-like solution protects you from some types of
>>>>> attacks, it still leaves you open to many client-side problems like
>>>>> keylogging.  I don't know any major corporation that lets people RDP
>>>>> into their applications in general.
>>>>
>>>> What do they use instead?

>>>
>>> As I mentioned in my previous email - they just hand all their
>>> employees laptops.  Control the hardware, control the software,
>>> control the security...
>>
>> I mean instead of rdp.  It's a simple solution which works really well
>> on a LAN with Windoze.  What's the equivalent that works with Linux?
>
> Well, I've never been in a company that runs Linux on the desktop, or
> which even provides VDIs for Windows.

I'm doing that at work, and nothing speaks against doing it on the
thin-clients other than that the users would need to get used to it and
the poor graphics performance --- you can't really call that
"performance" --- of thin clients.  Other than that, we'd be much better
off.

What we would need are cheap thin clients that can drive at least two 4k
displays each, and there are none that could even drive one.  I don't
understand why they make thin-clients that aren't usable because their
graphics "performance" is from the '90ies.

> The most common solution is to provide windows laptops to users with
> various software packages for management/security/etc.

Laptops have slightly better graphics and add a maintenance overhead
thin-clients don't have, and they cost more.  Other than that, they
could replace the thin-clients, and nothing speaks against putting
Gentoo onto them.

Desktop machines require too much electricity.  That's another thing I
don't understand:  Why can't they finally manufacture hardware which is
really power efficient /and/ provides decent performance?

> The closest thing to RDP for Linux that I'm aware of is various
> NX-based implementations, like x2go, which I've mentioned a few times.
> It can be somewhat finicky.  And of course there is VNC, which is much
> less efficient.  I don't think either really gets to the level of RDP
> in general.
>
> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

Indeed, it's really strange that there's such a big lack.



Re: [gentoo-user] Re: {OT} Allow work from home?

2016-02-21 Thread lee
Kai Krakow  writes:

> Am Wed, 20 Jan 2016 01:46:29 +0100
> schrieb lee :
>
>> The time before, it wasn't
>> a VM but a very slow machine, and that also took a week.  You can have
>> the fastest machine on the world and Windoze always manages to bring
>> it down to a slowness we wouldn't have accepted even 20 years ago.
>
> This is mainly an artifact of Windows updates destroying locality of
> data pretty fast and mainly a problem when running on spinning rust.
> DLLs and data files needed for booting or starting specific
> software become spread wide across the hard disk. Fragmentation isn't
> the issue here - NTFS is pretty good at keeping it low. Still, the
> right defragmentation tool will help you:

You can't very well defragment the disk while updates are being
performed.  Updating goes like this:


+ install from an installation media

+ tell the machine to update

+ come back next day and find out that it's still looking for updates or
  trying to download them or wants to be restarted

+ restart the machine

+ start over with the second step until all updates have been installed


That usually takes a week.  When it's finally done, disable all
automatic updates because if you don't, the machine usually becomes
unusable when it installs another update.

It doesn't matter if you have the fastest machine in the world or some
old hardware you wouldn't actually use anymore, it always takes about a
week.

> I always recommend staying away from the 1000 types of "tuning tools",
> they actually make it worse and take away your chance of properly
> optimizing the on-disk file layout.

I'm not worried about that.  One of the VMs is still on an SSD, so I
turned off defragging.  The other VMs that use files on a hard disk
defrag themselves regularly over night.

> And I always recommend using MyDefrag and using its system disk
> defrag profile to reorder the files in your hard disk. It takes ages
> the first time it runs but it brings back your system to almost out of
> the box boot and software startup time performance.

That hasn't been an issue with any of the VMs yet.

> It uses some very clever ideas to place files into groups and into
> proper order - other than using file mod and access times like other
> defrag tools do (which even make the problem worse by doing so because
> this destroys locality of data even more).

I've never heard of MyDefrag, I might try it out.  Does it make updating
any faster?

> But even SSDs can use _proper_ defragmentation from time to time for
> increased lifetime and performance (this is due to how the FTL works
> and because erase blocks are huge, I won't get into detail unless
> someone asks). This is why mydefrag also supports flash optimization.
> It works by moving as few files as possible while coalescing free space
> into big chunks which in turn relaxes pressure on the FTL and allows to
> have more free and continuous erase blocks which reduces early flash
> chip wear. A filled SSD with long usage history can certainly gain back
> some performance from this.

How does it improve performance?  It seems to me that, for practical
use, almost all of the better performance with SSDs is due to reduced
latency.  And IIUC, it doesn't matter for the latency where data is
stored on an SSD.  If its performance degrades over time when data is
written to it, the SSD sucks, and the manufacturer should have done a
better job.  Why else would I buy an SSD.  If it needs to reorganise the
data stored on it, the firmware should do that.



Re: [gentoo-user] Re: {OT} Allow work from home?

2016-02-21 Thread lee
Kai Krakow  writes:

> Am Fri, 22 Jan 2016 00:52:30 +0100
> schrieb lee :
>
>> Is WSUS of any use without domains?  If it is, I should take a look at
>> it.
>
> You can use it with and without domains. What domains give you through
> GPO is just automatic deployment of the needed registry settings in the
> client.
>
> You can simply create a proper .reg file and deploy it to the clients
> however you like. They will connect to WSUS and receive updates you
> control.
>
> No magic here.

Sounds good :)  Does it also solve the problem of having to make
settings for all users, like when setting up a MUA or Libreoffice?

That means settings on the same machine for all users, like setting up
seamonkey so that when composing an email, it's in plain text rather
than html, a particular email account every user should have and a
number of other settings that need to be the same for all users.  For
Libreoffice, it would be the deployment of a macro for all users and
making some settings.



Re: [gentoo-user] Re: {OT} Allow work from home?

2016-02-21 Thread lee
Kai Krakow  writes:

> Am Wed, 20 Jan 2016 01:46:29 +0100
> schrieb lee :
>
>> >> Overcommitting disk space sounds like a very bad idea.
>> >> Overcommitting memory is not possible with xen.  
>> >
>> > Overcommitting diskspace isn't such a bad idea, considering most
>> > installs never utilize all the available diskspace.  
>> 
>> When they do not use it anyway, there is no reason to give it to them
>> in the first place.  And when they do use it, how do the VMs handle
>> the problem that they have plenty of disk space available, from their
>> point of view, while the host which they don't know about doesn't
>> allow them to use it?
>> 
>> Besides, overcommitting disk space means to intentionally create a
>> setup which involves that the host can run out of disk space easily.
>> That is not something I would want to create for a host which is
>> required to function reliably.
>> 
>> And how much do you need to worry about the security of the VMs when
>> you build in a way for the users to bring the whole machine, or at
>> least random VMs, down by using the disk space which has been
>> assigned to them?  The users are somewhat likely to do that even
>> unintentionally, the more the more you overcommit.
>
> Overcommitting storage is for setups where it's easy to add storage
> pools when needed, like virtual SAN. You just monitor available space
> and when it falls below a threshold, just add more to the storage pool
> whose filesystem will grow.
>
> You just overcommit to whatever storage requirements you may ever need
> combined over all VMs but you initially only buy what you need to start
> with including short term expected growth.
>
> Then start with clones/snapshots from the same VM image (SANs provide
> that so you actually do not have to care about snapshot dependencies
> within your virtualization software).
>
> SANs usually also provide deduplication and compression, so at any
> point you can coalesce the images back into smaller storage
> requirements.
>
> A sane virtualization solution also provides RAM deduplication and
> compaction so that you can overcommit RAM the same way as storage. Of
> course it will at some point borrow RAM from swap space. Usually you
> will then just migrate one VM to some other hardware - even while it is
> running. If connected to a SAN this means: You don't have to move the
> VM images itself. The migration is almost instant: The old VM host acts
> as some sort of virtualized swap file holding the complete RAM, the new
> host just "swaps in" needed RAM blocks over network and migrates the
> rest during idle time in the background. This can even be automated by
> monitoring the resources and let the VM manager decide and act.
>
> The Linux kernel lately gained support for all this so you could
> probably even home-brew it.

Ok, that makes sense when you have more or less unlimited resources to
pay for all the hardware you need for this.  I wonder how much money
you'd have to put out to even get started with a setup like this ...



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Daniel Frey  writes:

> On 01/17/2016 10:10 AM, Rich Freeman wrote:
>> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
>>>
>>> I would prefer a method that is independent of OS used. And provides server 
>>> side limitations with regards to filesharing and clipboard access.
>>>
>> 
>> x2go is just X11, so it should be OS-independent as long as you have a
>> client/server for it.  It just logs in as the appropriate user on the
>> remote host, so access beyond that is whatever you'd get if you just
>> logged in on a console.
>> 
>> Now, I can't vouch for how many OSes anybody has bothered to implement it on.
>> 
>
> Thanks for that tip on x2go - I'd struggled with freenx and eventually
> gave up and freenx isn't even in the tree anymore.
>
> I looked up x2go and rebuilt openssh on my home server as it suggested
> to try it out. Other than restarting sshd, I didn't have to do any
> configuration and it just *worked*. I've, like, never ever had that
> happen before. Even when I set up my tigervnc with xinetd it was days of
> experimenting before I got it to work. tigervnc also was hanging up X
> upgrades, so now I can successfully ditch tigervnc.
>
> x2go is so much faster it's unbelievable. I have a gigabit LAN here at
> home and VNC was lagging pretty badly (to the point where I decided
> against even trying to use it remotely.)
>
> Some things to note: there's no android client, but there is one for
> Windows/linux/MacOS. I haven't tried it on my Windows laptop yet, but
> one of these days I'll dig it out and try it.

Thank you for letting us know, I'll keep x2go in mind.

> Makes me wonder if it would be possible to spin up a VM on demand with
> x2go on and preconfigured if OP requires users not to be on the same host.

It probably is; I guess you'd need something to start the VM when a
connection is attempted.