Re: erreur dernière ligne avant extinction
On 1/5/23 06:46, Olivier backup my spare wrote: Hello. On my personal computer I noticed an "ERROR" in red, but it is the last line before shutdown. As far as you know, in which file is the information logged during shutdown? I'll make honourable amends: I haven't read the log files since I stopped compiling the kernel, and that goes back to 2005... This is an English mailing list! :) Have a look in /var/log. -- John Doe
Re: Limiting ssh access: by MAC Address?
On Wed, 4 Jan 2023, Ángel wrote: There are no transparent proxies for https. They would either pass traffic without inspecting it, or they would need to break the TLS connection to MITM it, and -unless the client has installed a CA for the proxy- cause all https connections to fail due to untrusted certificate. I suggest you read up about the problem that ESNI is supposed to solve. As someone who runs a https transparent proxy that does SNI inspection and egress filtering, I can assure you they do exist and will break ovpn running on port 443. You might argue that it's not a proxy - it doesn't and cannot cache content - but so much content is dynamic now anyway that caching isn't particularly useful except for things like debian packages. Egress filtering is still possible. It's frustrating that so much effort goes into defeating government level inspection of end user traffic and so little goes into defeating the countless IoT trojan horses in our homes. Indeed, I wouldn't be surprised if the long term result of the current trajectory is authoritarian regimes using phones to spy on people in their homes with no way to block it (other than turn the phone off - but that already works today so ESNI isn't needed)
Re: Limiting ssh access: by MAC Address?
On Wed, 4 Jan 2023, Jeffrey Walton wrote: The preauth scheme does not hide the service like your TOTP scheme. However, it looks like both schemes achieve the same thing - they both avoid the costly key exchange. Avoiding the key exchange is a big win since those public key operations are so costly. My scheme doesn't remove the need for any auth. What it does do is limit the noise in the logs. Given that the DNS query won't come from the same address as the intended connection you have to open the service to everything temporarily. I was getting anything from thousands to hundreds of thousands of login attempts per day on a service that didn't accept passwords. I now have an aggressive firewall policy that blocks any IP that sends three SYNs that don't get an ACK in an hour. (with a couple of ports that will remove a ban where external connections are expected) Roughly 300 IPs got added yesterday and 30 managed to remove themselves. (incoming connections are totally blocked from China, Russia and a handful of other countries along with some netblocks that I've manually added) My quick grep of the firewall logs suggests that I'm seeing 10x as many attempts to connect to telnet than I am to ssh so I guess ssh is finally becoming secured from password guessing and people are giving up on trying (except possibly targeted attacks on servers that accept passwords) I'm also, as far as possible, moving to ipv6. That also cuts down on the noise a lot. So hiding services just isn't as valuable to me now as it was four years ago. I'm still generating 40MB of firewall logs a day that get backed up though.
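The ban policy Tim describes (three SYNs that never get an ACK within an hour, then block the source) and his telnet-versus-ssh grep, as an added Python example replayed over constructed netfilter LOG lines; this is not Tim's firewall configuration. It assumes a FW-IN: log prefix, a 2023 log year and sample addresses, and approximates "a SYN that doesn't get an ACK" as a bare SYN from a source that has not since sent a bare ACK (handshake completed).

```python
"""Added example: a 'three bare SYNs within an hour gets you banned' policy,
replayed over constructed netfilter LOG lines. Not Tim's actual firewall setup;
the FW-IN: log prefix, the 2023 log year and the sample addresses are assumed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # look-back window for counting SYNs per source
THRESHOLD = 3                 # bare SYNs within WINDOW that trigger a ban
LOG_YEAR = 2023               # syslog timestamps carry no year (assumed)

# Fields we need from a kernel netfilter LOG line; everything after DPT= is
# kept so the TCP flag tokens (SYN, ACK, ...) can be pulled out separately.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")

# Constructed sample log: 203.0.113.5 probes ssh then telnet three times in
# 20 minutes; 198.51.100.7 completes a handshake; 192.0.2.99 sends three SYNs
# but spread over more than an hour.
SAMPLE_LOG = """\
Jan  4 09:00:00 gw kernel: [100.1] FW-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 09:30:00 gw kernel: [1900.1] FW-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 10:00:01 gw kernel: [3601.1] FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 10:00:05 gw kernel: [3605.1] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 10:00:06 gw kernel: [3606.1] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=50001 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Jan  4 10:05:10 gw kernel: [3910.1] FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 10:20:30 gw kernel: [4830.1] FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 10:45:00 gw kernel: [6300.1] FW-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60003 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  4 11:30:00 gw kernel: [9000.1] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return {'ts', 'src', 'dpt', 'flags'} for a TCP LOG line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the padded day field
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dpt": int(m["dpt"]),
            "flags": set(FLAG_RE.findall(m["rest"]))}


def ban_candidates(lines, exempt=()):
    """Replay the log in order; return [(iso timestamp, src)] at the moment a
    source sent its THRESHOLD-th bare SYN inside WINDOW without completing a
    handshake (a bare ACK from the source clears its pending SYNs)."""
    pending = defaultdict(deque)
    banned, bans = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in exempt or ev["src"] in banned:
            continue
        q = pending[ev["src"]]
        if "ACK" in ev["flags"] and "SYN" not in ev["flags"]:
            q.clear()                        # handshake completed: a real client
            continue
        if "SYN" not in ev["flags"]:
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()                      # drop SYNs older than the window
        if len(q) >= THRESHOLD:
            banned.add(ev["src"])
            bans.append((ev["ts"].isoformat(sep=" "), ev["src"]))
    return bans


def attempts_by_port(lines):
    """Count bare SYNs per destination port (the telnet-vs-ssh comparison)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and "SYN" in ev["flags"] and "ACK" not in ev["flags"]:
            counts[ev["dpt"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("ban:", ban_candidates(lines))              # [('2023-01-04 10:20:30', '203.0.113.5')]
    print("SYNs per port:", attempts_by_port(lines))  # {23: 5, 22: 3}
```

The `exempt` set is where the addresses behind the ports Tim uses to lift a ban would go; a production version would feed `ban_candidates` into ipset rather than return a list.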
error on last line before shutdown
Hello. On my personal computer I noticed an "ERROR" in red, but it is the last line before shutdown. As far as you know, in which file is the information logged during shutdown? I'll make honourable amends: I haven't read the log files since I stopped compiling the kernel, and that goes back to 2005... -- AI Infrastructure manager / IT asset manager. Centre d'économie S** Monero (XMR) - The secure, private, untraceable cryptocurrency that keeps your money confidential. Grassroots. Open source. Dedicated to privacy & freedom. Monero || #xmr
Re: Limiting ssh access: by MAC Address?
On 5/1/23 12:56, Jeffrey Walton wrote: On Wed, Jan 4, 2023 at 11:34 PM Gareth Evans wrote: On 3 Jan 2023, at 22:07, Tom Browder wrote: I ... would like to access my home server from my laptop ... On 5 Jan 2023, at 04:13, Jeffrey Walton wrote: ... Avoiding the key exchange is a big win since those public key operations are so costly. Costly in what sense and circumstances? Public key operations for key exchange dominate the cpu cost of a session. Key exchange is the limiting factor in how many connections a server can handle. It has always been this way, even for SSL/TLS and IPSec. For your typical home user with no expectation of high numbers of connections, the issue is more to limit the crap that turns up in the logs from failed login attempts. Requiring a valid client certificate to be presented before, or instead of, a username/password works perfectly for this. I have some recollection that the validation of a client certificate is not a high cost exercise? -- Jeremy
Re: Limiting ssh access: by MAC Address?
On Wed, Jan 4, 2023 at 11:34 PM Gareth Evans wrote:
>
> > On 3 Jan 2023, at 22:07, Tom Browder wrote:
> > I ... would like to access my home server from my laptop ...
> >
> > On 5 Jan 2023, at 04:13, Jeffrey Walton wrote:
> > ...
> > Avoiding the key exchange is a big win
> > since those public key operations are so costly.
>
> Costly in what sense and circumstances?

Public key operations for key exchange dominate the cpu cost of a session. Key exchange is the limiting factor in how many connections a server can handle. It has always been this way, even for SSL/TLS and IPSec. In contrast, bulk encryption is cheap. Bulk encryption is the block or stream cipher, and the mac calculations. One of the reasons x25519 is so valuable is how efficient it is.

Here are some benchmarks from Crypto++ on a Core i5 10th gen Ice Lake machine:

  Scheme    | ms/op | megacycle/op
  DH-2048   | 0.565 | 1.977
  ECDH p256 | 0.456 | 1.595
  x25519    | 0.039 | 0.138

In the numbers above, lower is better. x25519 is about 15x faster than DH over integers, and about 11x faster than DH over EC. Key exchange is measured in megacycles per operation. That is, how many million-cycles is needed for an operation. Here, the operation is exponentiation in a finite field. In contrast, bulk encryption is measured in cycles per byte.

Jeff
Re: Limiting ssh access: by MAC Address?
> On 3 Jan 2023, at 22:07, Tom Browder wrote: > I ... would like to access my home server from my laptop ... > On 5 Jan 2023, at 04:13, Jeffrey Walton wrote: > ... > Avoiding the key exchange is a big win > since those public key operations are so costly. Costly in what sense and circumstances? For interactive, real-user-at-the-end ssh logins, key checking delays are negligible in my experience - certainly no longer than it would take to type a password... Kind regards, Gareth > > Jeff
Re: debian sid no boot after this morning's update
On Wed, Jan 04, 2023 at 11:03:15PM -0500, Frank wrote:
> ** (process:734): WARNING **: 22:32:38.355: Error reading existing
> Xauthority: Failed to open file ‘/var/lib/lightdm/.Xauthority’: Permission
> denied
> Error writing X authority: Failed to open X authority
> /var/lib/lightdm/.Xauthority: Permission denied

Does that file exist? If so,

ls -ld /var/lib/lightdm/.Xauthority

If not,

ls -ld /var/lib/lightdm

Hell, just do both regardless of whether the file currently exists. It's one command with two lines of output. Should be the first thing you do. See if you can figure out which user lightdm is trying to run as. Try to make it so that user can write that file, either by removing the existing file, or chowning it, or fixing the permissions on the directory. Whatever is indicated by the lightdm changelog. Hopefully there's a note in the lightdm changelog about this. Or in NEWS.
Re: Limiting ssh access: by MAC Address?
On Wed, Jan 4, 2023 at 5:45 PM Tim Woodall wrote: > > On Wed, 4 Jan 2023, Jeffrey Walton wrote: > > > On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall wrote: > >> ... > >> > >> I've also thought about TOTP dns requests as a type of port knocking : a > >> dns request to .knock.example.com would open the ssh port for a > >> minute. Small local webpage to do the TOTP port knock in javascript > >> should work anywhere. Something else that has been on my todo list for > >> years. > > > > That is kind of clever. Do you know of any papers that discuss it? > > I don't know of any papers that discuss it and I certainly didn't write > one. > > This is what I imagined: > > .knock.example.com > > bind (because that's what I use) configured to forward knock.example.com > to an internal address. > > Small program listens and responds to all queries with 127.0.0.1 (just > found my c++ program to do this written in 2018 - I'd probably use > python now). Because this program is only hit from a trusted server, > it's unlikely to suffer exploitable issues. Malformed packets, for > example, will not make it past the bind instance. > > program also checks totp and if it matches expected value (possibly with > a threshold) then update an ipset with a catchall address. > > iptables rule something like > iptables -t filter -A INPUT -m set --match-set sshok src -m state --state NEW > -j ACCEPT > (you probably don't want to open everything) > > and some sort of cron job to delete the catchall address > > You could, of course, also do the same by hitting a webserver that > checks the URL for the totp but DNS is more reliable - you can usually > get DNS packets through even where ISPs block running servers and that > can trigger constructing a tunnel to a server that can listen to > incoming connections. Also DNS better hides where you're connecting > from. 
> > Finally, dns port knocking will work with anything that connects to a > dns name as the name lookup must happen before the connection although > in that case the returned address needs to be the target address, not > 127.0.0.1 I was talking to Peter Gutmann about SSH hardening. He shared a recent RFC pro SSH preauth: https://datatracker.ietf.org/doc/draft-gutmann-ssh-preauth/ . The preauth scheme does not hide the service like your TOTP scheme. However, it looks like both schemes achieve the same thing - they both avoid the costly key exchange. Avoiding the key exchange is a big win since those public key operations are so costly. Jeff
Re: debian sid no boot after this morning's update
On 2023-01-04 7:30 p.m., Frank wrote: Just went back to my Debian Sid installation this evening to discover it won't boot. There were 88 updates this morning so I suspect my problem is related to that. Has anyone else run into this? How would I go about diagnosing what's wrong? I tried booting in emergency mode but don't know what to look for.

Adding more info. All I get is a flashing cursor on a black screen. Digging around in the emergency shell I found two logs related to lightdm. It seems it is having problems running the greeter. This is part of the lightdm log:

[+0.33s] DEBUG: Seat seat0: Display server ready, starting session authentication
[+0.33s] DEBUG: Session pid=734: Started with service 'lightdm-greeter', username 'lightdm'
[+0.35s] DEBUG: Session pid=734: Authentication complete with return value 0: Success
[+0.35s] DEBUG: Seat seat0: Session authenticated, running command
[+0.35s] DEBUG: Session pid=734: Running command /usr/sbin/lightdm-gtk-greeter
[+0.35s] DEBUG: Creating shared data directory /var/lib/lightdm/data/lightdm
[+0.35s] DEBUG: Session pid=734: Logging to /var/log/lightdm/seat0-greeter.log
[+0.37s] DEBUG: Activating VT 7
[+0.37s] DEBUG: Activating login1 session c5
[+0.37s] DEBUG: Seat seat0 changes active session to c5
[+0.37s] DEBUG: Session c5 is already active
[+0.37s] DEBUG: Greeter closed communication channel
[+0.37s] DEBUG: Session pid=734: Exited with return value 1
[+0.37s] DEBUG: Seat seat0: Session stopped
[+0.37s] DEBUG: Seat seat0: Stopping; failed to start a greeter
[+0.37s] DEBUG: Seat seat0: Stopping
[+0.37s] DEBUG: Seat seat0: Stopping display server
[+0.37s] DEBUG: Sending signal 15 to process 720
[+0.38s] DEBUG: Seat seat0 changes active session to
[+0.52s] DEBUG: Process 720 exited with return value 0
[+0.52s] DEBUG: XServer 0: X server stopped

This is the greeter log:

** (process:734): WARNING **: 22:32:38.355: Error reading existing Xauthority: Failed to open file ‘/var/lib/lightdm/.Xauthority’: Permission denied
Error writing X authority: Failed to open X authority /var/lib/lightdm/.Xauthority: Permission denied
Re: Debian release criteria.
>> From: "Andrew M.A. Cater" >> Date: Wed, 4 Jan 2023 16:32:37 + >> > All software is buggy: it is a matter of luck whether bugs hit you. >> =8~/ A hacker might be satisfied with luck. An engineer should not >> be. If I claim to be a package maintainer, I test as broadly as >> feasible. A 32 bit machine is easily found. > Sorry, I respectfully disagree. A 32 bit AMD/Intel machine has barely > been manufactured for >10 years now. If you happen to have a pure 32 > bit machine sitting around, you're probably living on borrowed time. Indeed. I'm still happily using Debian on my trusty Thinkpad X30, which is my last 32bit-only i386 machine. But regarding the larger meaning of "32bit", such machines are still manufactured (in the armhf family, for example). > If you mean running 32 bit on a 64 bit capable machine - why is that > better than running 64 bit code anyway? I upgraded my Thinkpad T60 with a Core 2 Duo (i.e. 64bit capable), but with 3GB of RAM, I prefer to stay with a 32bit userland. It's definitely older than 10 years, admittedly. > Debian is possibly the last major Linux distribution to support 32 bit > on x86 - the others have all given up now. Yes, I'm preparing psychologically for the time when my X30 will not be able to run Debian testing any more. This said, it'll turn 20 this summer, which I think is quite remarkable: I never imagined back then that the end of Dennard's scaling would keep this machine (marginally) usable for 20 years. Stefan
Re: Debian release criteria.
On Wed 04 Jan 2023 at 14:26:47 (-0800), pe...@easthope.ca wrote: > Andrew M.A. Cater wrote: > dpkg -l | grep fire > ii firefox-esr 102.6.0esr-1~deb11u1 > i386 Mozilla Firefox web browser - Extended Support Release (ESR) > > > All software is buggy: it is a matter of luck whether bugs hit you. > > =8~/ A hacker might be satisfied with luck. An engineer should not > be. If I claim to be a package maintainer, I test as broadly as > feasible. But you wrote "Firefox has become slow and crashes frequently." Well, yes, FF 102.x is quite likely to be bigger, and hence slower than 91.x, and 78.x, and so on. > A 32 bit machine is easily found. What, you expect someone to obtain an i386 machine just to replicate that it's slow? And make it crash in some unspecified manner? I ran FF on a 500MB i386 laptop to the end of buster, and it was exceedingly slow, but didn't actually crash. You just had to stick to no more than a couple of tabs, and avoid the temptation of waving the cursor around (which would mean waiting for all those movements to be processed so that you regained control of its position). You don't appear to have posted what the spec of /your/ i386 machine is: in particular, how much memory and how much swap? > > the pace of Firefox change is such that releases age very quickly > > Bulk of the software and frequent updates are evident but what changes > in functionality? The Web site of my credit union works as it did > five years ago. What's that got to do with Firefox? OK, it's good that the CU hasn't run with every fad that some web developers seem to want, so that they get what I call a high "coo-rating". (Coo, look at that.) > Wikipedia pages are still text with pictures and > occasional video. Sure, they tend to be no more complex than required for what's being displayed. I assume that's their policy, very sensible. > Flakey Web sites still have annoying animations and > distracting slide shows. What's improved? Countless other websites that aren't flaky. 
But many websites that I remember having real difficulties displaying (like many newspapers), are rendered much more smoothly by today's Firefox. And the quality of printing from web pages has improved quite a lot recently; even those like the interactive ones that the NY Times often uses. > Not long ago the release criterion was "release when ready". > What's become of that? Where's your evidence that Firefox 102.6 is not ready? You haven't posted anything specific, and your criticism seems more like a whine, with a provocative subject line that appears to suggest that Debian's quality standards have slipped. I now run my i386 laptop just for its portability. I have eight xterms open in fvwm, and use it to set things going on the four or five other machines scattered through the house (all 64-bit). I'm not sure why you run Firefox on 32-bits: any particular reason, or just for old times sake? Cheers, David.
Re: documentation on power-saving optimisation
Hello, This Debian page should be able to help you? https://debian-handbook.info/browse/fr-FR/stable/sect.power-management.html All the best, Cassis - Original message - From: Olivier backup my spare To: Debian user french Sent: Wed, 04 Jan 2023 05:46:17 +0100 (CET) Subject: documentation on power-saving optimisation Hello. I will soon receive my Tuxedo Computers laptop. I have a Debian USB stick for the installation. That part is no problem. However, apart from the "Mate" settings, I don't know how to configure advanced power saving. Would you have a link to share, please, for Debian 11? I asked DuckDuckGo but the results are about older versions. I don't want to break the fresh install when I get my personal laptop. -- AI Infrastructure manager / IT asset manager. Centre d'économie S** Monero (XMR) - The secure, private, untraceable cryptocurrency that keeps your money confidential. Grassroots. Open source. Dedicated to privacy & freedom. Monero || #xmr
debian sid no boot after this morning's update
Just went back to my Debian Sid installation this evening to discover it won't boot. There were 88 updates this morning so I suspect my problem is related to that. Has anyone else run into this? How would I go about diagnosing what's wrong? I tried booting in emergency mode but don't know what to look for. The emergency prompt suggested journalctl -xb so that's what I did but I didn't see anything obviously wrong. Right now I am at my wits end. Good thing I have a working Fedora partition. Help!
Re: Debian release criteria.
On Wed, Jan 04, 2023 at 02:26:47PM -0800, pe...@easthope.ca wrote: > From: "Andrew M.A. Cater" > Date: Wed, 4 Jan 2023 16:32:37 + > > > All software is buggy: it is a matter of luck whether bugs hit you. > > =8~/ A hacker might be satisfied with luck. An engineer should not > be. If I claim to be a package maintainer, I test as broadly as > feasible. A 32 bit machine is easily found. > Sorry, I respectfully disagree. A 32 bit AMD/Intel machine has barely been manufactured for >10 years now. If you happen to have a pure 32 bit machine sitting around, you're probably living on borrowed time. If you mean running 32 bit on a 64 bit capable machine - why is that better than running 64 bit code anyway? Debian is possibly the last major Linux distribution to support 32 bit on x86 - the others have all given up now. All best, as ever, Andy Cater > > Hope this helps, > > Thx,... P. > > > mobile: +1 778 951 5147 > VoIP: +1 604 670 0140 > https://en.wikibooks.org/wiki/User:PeterEasthope >
Re: VLC not ejecting CD/DVDs
On Tue 03 Jan 2023 at 21:22:00 (-0700), Charles Curley wrote: > VLC is not ejecting CD/DVDs when I run it as my regular user, charles. > I get the error message "qt interface error: could not eject /dev/sr0". > I have not tried it as root. eject, however, does work when run by the > same user. In the past, I used cdtool's cdplay to play background music (though more modern hardware seems to lack the necessary internal analogue cable). If I tried to eject the disc with cdeject, I'd get an I/O error and the drive's door would lock. Workaround: I just aliased cdeject to eject, as the latter always worked. I'm afraid I didn't try to track down the error. Cheers, David.
Re: request a replacement for Thunderbird + Enigmail
On 2023-01-03 at 14:12 -0700, Charles Curley wrote: > On Tue, 3 Jan 2023 09:04:12 -0500 > Jeffrey Walton wrote: > > > Claws email with the GPG plugin is popular. It may be a good fit > > for > > you, too. > > > > https://www.claws-mail.org/plugin.php?plugin=gpg > > Concur. You didn't indicate whether you use mbox or maildir format (or > something else). Claws-mail will likely be able to read your existing > emails with no issues. evolution also has good support for OpenPGP mail. Both Claws and evolution use GnuPG as backend (as did the old Enigmail), so you should see no difference wrt. keeping keys in memory without requiring the password (handled by gpg-agent), or trusting the keys of the recipients. I see that evolution filters support playing a sound as an action. I don't know what the Virtual Identity plugin does. Apparently, it's no longer on AMO.
Re: Debian release criteria.
From: "Andrew M.A. Cater" Date: Wed, 4 Jan 2023 16:32:37 +
> Is this a bug that you are experiencing?
Yes. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562765#55
> This is only the case for IPv6 - is this something that affects you?
I don't need IPv6 but need 4. This is the pertinent stanza in /etc/network/interfaces.

# bridge to connect QEMU guest.
auto br0
iface br0 inet static
address 10.0.2.1/24

Reboot.

ip addr show br0
4: br0: mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:e0:54:07:2a:e2 brd ff:ff:ff:ff:ff:ff

Assignment of 10.0.2.1 failed. Correct? It worked in 2021 or early 2022. Ideas aside from this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993716
> For Firefox, we take what upstream releases as firefox-esr ...
dpkg -l | grep fire
ii firefox-esr 102.6.0esr-1~deb11u1 i386 Mozilla Firefox web browser - Extended Support Release (ESR)
> All software is buggy: it is a matter of luck whether bugs hit you.
=8~/ A hacker might be satisfied with luck. An engineer should not be. If I claim to be a package maintainer, I test as broadly as feasible. A 32 bit machine is easily found.
> the pace of Firefox change is such that releases age very quickly
Bulk of the software and frequent updates are evident but what changes in functionality? The Web site of my credit union works as it did five years ago. Wikipedia pages are still text with pictures and occasional video. Flakey Web sites still have annoying animations and distracting slide shows. What's improved? I use Dillo whenever possible. Any other ideas to avoid wasted communications? Can Firefox imitate a mobile device app? Does any search engine prioritize inversely to volume of HTML and JavaScript?
> Hope this helps,
Thx,... P. mobile: +1 778 951 5147 VoIP: +1 604 670 0140 https://en.wikibooks.org/wiki/User:PeterEasthope
Re: Limiting ssh access: by MAC Address?
On 2023-01-04 at 19:20 +, Tim Woodall wrote: > It doesn't work through a transparent proxy unfortunately (at least the > android client doesn't) which I assume was doing SNI snooping - but I've > only encountered that once in the UK so far. > > My plan was to write something that used a dns request to tell ovpn to > expect an HTTPS wrapped ovpn stream - but it's one of those projects > that I'll probably never actually get around to. You can do this with stunnel, see https://www.stunnel.org/static/stunnel.html#EXAMPLES However, openvpn supports running directly as https://, so if you place it on port 443 it is indistinguishable from a normal https server for networks restricting the ports.* (Maybe you were using udp?) There are no transparent proxies for https. They would either pass traffic without inspecting it, or they would need to break the TLS connection to MITM it, and -unless the client has installed a CA for the proxy- cause all https connections to fail due to untrusted certificate. (*) an advanced filtering solution might be able to notice that the traffic patterns don't match with those of https but are likely a VPN.
Re: Limiting ssh access: by MAC Address?
On Wed, 4 Jan 2023, Jeffrey Walton wrote:
> On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall wrote:
> > ...
> > I've also thought about TOTP dns requests as a type of port knocking : a dns request to .knock.example.com would open the ssh port for a minute. Small local webpage to do the TOTP port knock in javascript should work anywhere. Something else that has been on my todo list for years.
>
> That is kind of clever. Do you know of any papers that discuss it?

I don't know of any papers that discuss it and I certainly didn't write one.

This is what I imagined:

.knock.example.com

bind (because that's what I use) configured to forward knock.example.com to an internal address.

Small program listens and responds to all queries with 127.0.0.1 (just found my c++ program to do this written in 2018 - I'd probably use python now). Because this program is only hit from a trusted server, it's unlikely to suffer exploitable issues. Malformed packets, for example, will not make it past the bind instance.

program also checks totp and if it matches expected value (possibly with a threshold) then update an ipset with a catchall address.

iptables rule something like
iptables -t filter -A INPUT -m set --match-set sshok src -m state --state NEW -j ACCEPT
(you probably don't want to open everything)

and some sort of cron job to delete the catchall address

You could, of course, also do the same by hitting a webserver that checks the URL for the totp but DNS is more reliable - you can usually get DNS packets through even where ISPs block running servers and that can trigger constructing a tunnel to a server that can listen to incoming connections. Also DNS better hides where you're connecting from.

Finally, dns port knocking will work with anything that connects to a dns name as the name lookup must happen before the connection although in that case the returned address needs to be the target address, not 127.0.0.1
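The DNS knock responder Tim sketches above (also quoted in Jeff's reply), as an added Python example; it is not Tim's 2018 C++ program. The zone knock.example.com is his; the test secret is constructed, and the firewall step only returns the action a deployer would wire to the ipset rather than running ipset. It implements the pieces he lists: answer every query with 127.0.0.1, check a six-digit TOTP label against the current step with a one-step threshold, and accept each code only once.

```python
"""Added example of a TOTP-gated DNS port-knock responder (not Tim Woodall's
program). Assumed: zone knock.example.com, a constructed secret, and a
firewall hook that returns the intended action instead of calling ipset."""
import hashlib
import hmac
import struct

KNOCK_ZONE = "knock.example.com"
STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept codes one step either side of 'now' (clock skew threshold)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for a step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def parse_qname(packet: bytes, pos: int = 12):
    """Decode the question name; return (name, offset after name) or None."""
    labels = []
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):
            return None             # compression pointers / truncation: reject
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower(), pos


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal A/IN query; used here only to construct test input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


class KnockResponder:
    def __init__(self, secret: bytes, set_name: str = "sshok"):
        self.secret = secret
        self.set_name = set_name
        self.last_counter = -1      # replay guard: a step's code opens the port once

    def check_code(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c > self.last_counter and hmac.compare_digest(totp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

    def handle(self, packet: bytes, now: float):
        """Return (response bytes, action). Every well-formed query is answered
        with 127.0.0.1, so a wrong code is indistinguishable from any other
        lookup; action is set only when the TOTP label verified."""
        if len(packet) < 12:
            return None, None
        parsed = parse_qname(packet)
        if parsed is None:
            return None, None
        name, end = parsed
        if end + 4 > len(packet):   # QTYPE/QCLASS missing
            return None, None
        action = None
        suffix = "." + KNOCK_ZONE
        if name.endswith(suffix):
            code = name[:-len(suffix)]
            if len(code) == DIGITS and code.isdigit() and self.check_code(code, now):
                # hook: add the catch-all entry to the ipset; a cron job removes it
                action = ("ipset-add-catchall", self.set_name)
        # response header: same ID, QR|RD|RA, 1 question, 1 answer
        header = packet[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
        # answer: pointer to the question name, A, IN, TTL 0, 4 bytes of 127.0.0.1
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 0, 4) + bytes([127, 0, 0, 1])
        return header + packet[12:end + 4] + answer, action
```

`check_code` only moves `last_counter` forward, so once a code is used, that step and earlier ones are spent even if the client retries within the skew window.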
Re: Limiting ssh access: by MAC Address?
On 2023-01-04 at 16:03 +, Joe wrote: > I actually use ssh for remote access if I can, but it only allows TCP > forwarding, so I can get to email but not to anything that requires > DNS or UDP. A VPN connection gives full access to all network > protocols. > The VPN will have a pre-defined IP address in your private network, so > access can be fine-tuned using a firewall if required. The VPN endpoint > appears in the server as another network interface. Actually, you can do the same with ssh. Have a look at -w and Tunnel configuration option of ssh. It is a little known feature, but this allows you to use ssh like a VPN. It does however require some configuration at *both* sides of the ssh connection, especially if you want to run it as non-root. Regards
Re: Debian release criteria.
From: Eric S Fraga Date: Wed, 04 Jan 2023 09:25:02 + > According to that bug report, the problem is on sid. Was on sid. The report originated in 2009 when sid = squeeze = Debian 6. sid is a floating codename. Helps to confuse us. =8~) https://www.debian.org/releases/ 'The "unstable" distribution is always called sid.' I neglected mentioning Debian 11 on an old 32 bit machine here but see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562765#55 . In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562765#45 Petter Reinholdtsen also mentioned a 32 bit machine. Seems to be a pattern involving "32". =8~) > cheese works perfectly for me and has done so for a very long time. Great. This is a Logitech M/N: V-U0006, P/N: 860-000177, PID: LZ944BN. Spherical, about 54 mm diameter. If you happen to find one, please add to the bug report. Thx,... P. mobile: +1 778 951 5147 VoIP: +1 604 670 0140 https://en.wikibooks.org/wiki/User:PeterEasthope
Re: Limiting ssh access: by MAC Address?
On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall wrote: > ... > > I've also thought about TOTP dns requests as a type of port knocking : a > dns request to .knock.example.com would open the ssh port for a > minute. Small local webpage to do the TOTP port knock in javascript > should work anywhere. Something else that has been on my todo list for > years. That is kind of clever. Do you know of any papers that discuss it? Jeff
Re: Limiting ssh access: by MAC Address?
On Wed, 4 Jan 2023, Joe wrote: On Tue, 3 Jan 2023 17:06:30 -0500 Tom Browder wrote: Is it possible to use UFW to limit ssh access to a server by an external host by its MAC address? I now have a permanent IPv4 address for my home IP router and would like to access my home server from my laptop when away from home, but allow no other external access. Is that possible? Another thought is to use a VPN. Indeed. I use openvpn and take advantage of its feature that it can listen on port 443 and then forward web traffic to a server. One thing this can do is help hide the ovpn instance (in my case I also listen on the default port so not really relevant) but also can help where public wifi restricts the ports that can connect. It doesn't work through a transparent proxy unfortunately (at least the android client doesn't) which I assume was doing SNI snooping - but I've only encountered that once in the UK so far. My plan was to write something that used a dns request to tell ovpn to expect an HTTPS wrapped ovpn stream - but it's one of those projects that I'll probably never actually get around to. I've also thought about TOTP dns requests as a type of port knocking : a dns request to .knock.example.com would open the ssh port for a minute. Small local webpage to do the TOTP port knock in javascript should work anywhere. Something else that has been on my todo list for years.
Re: Debian release criteria.
On 03/01/2023 21:36, pe...@easthope.ca wrote: Can't comment on Cheese camera software or Qemu bridge, I don't use that. Firefox has become slow and crashes frequently. Firefox works perfectly well for me, on both Debian Stable and Debian Testing systems. I don't restart Firefox for days and weeks sometimes. I am glad they have ESR version, which is much more mature than break-neck normal release cycle. I install ESR on every OS I use, and for all my friends. Not long ago the release criterion was "release when ready". What's become of that? I am absolutely glad that Debian Stable is stable as much as it can be, I don't experience any major breakdowns or issues, apart from chronic instabilities unrelated to Debian itself, for example bugs in Radeon GPU drivers and in KDE. If you experience issues with particular package, like Cheese, Qemu or Firefox, you should concentrate on those three areas, Debian maintainers package software to best of their ability, but bugs upstream from Debian will always exist. -- With kindest regards, Piotr. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄
Re: Debian release criteria.
On Tue, Jan 03, 2023 at 01:36:31PM -0800, pe...@easthope.ca wrote: > Hi, > > A few years ago a USB camera worked with Cheese, a bridge interface > worked as documented and Firefox was fairly stable. > > Now Cheese crashes immediately upon startup. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562765 > Is this a bug that you are experiencing? > QEMU documents a bridge for connecting the guest, > https://wiki.qemu.org/Documentation/Networking > but creation of a bridge interface fails in Debian 11. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993716 > This is only the case for IPv6 - is this something that affects you? > Firefox has become slow and crashes frequently. > The steady state of disks is full - the steady state of software is to increase in size and complexity. Firefox changes regularly - which version of Firefox is particularly buggy for you and are you allowing software to update? > Not long ago the release criterion was "release when ready". > What's become of that? > This is certainly the case for a major release: so, for example, Debian 12 freeze process starts on 12th January and will take as long as it takes. For Firefox, we take what upstream releases as firefox-esr by and large: the pace of Firefox change is such that releases age very quickly - there isn't a "stop everything for a few months" - upstream doesn't work like that. All software is buggy: it is a matter of luck whether bugs hit you. It's also entirely possible that system requirements increase and running newer versions on very old hardware becomes more and more infeasible. With every good wish, as ever, Andy Cater Hope this helps, > Thanks, ... P. > > > mobile: +1 778 951 5147 > VoIP: +1 604 670 0140 > https://en.wikibooks.org/wiki/User:PeterEasthope >
Re: Can you do software RAID 10?
On 4 January 2023 Olivier backup my spare wrote:
> Here, the card refuses to do RAID 10.
>
> Can I do it with Debian? I have never done software RAID under
> Linux, so I'm asking.

Yes, it works very well with mdadm.
Re: How to get Debian OS support
Pradeep Pal wrote:
> Hi Team,
>
> Need to understand how to get Debian OS pro support and also whether the
> Debian team supports Samba Active Directory features.

https://www.debian.org/consultants/

There is no official paid Debian support organization.

https://www.freexian.com/about/

I think Freexian deserves a special mention; they run the extended LTS program.

-dsr-
Re: Limiting ssh access: by MAC Address?
On Wed, Jan 4, 2023 at 01:06 john doe wrote:
> On 1/3/23 23:06, Tom Browder wrote:
...
> This is in addition to the other answers.
>
> If you have a server which is publicly available, you can only
> "restrict" by IP, rate limiting, port knocking and having your server...

Thanks, John Doe, and all the others who answered.

FYI, I have other remote servers and all use PKI for access and they do not allow password access. I do use fail2ban. I also will follow the other suggestions.

Thanks for all the help. Debian users are the best!

-Tom
RE: documentation on power-saving optimisation
Hello,

For my part, on a recent laptop, I install the "powertop" tool, which lets you see the power-consumption side of things. It can suggest system changes to enable the power-saving modes of the various devices it recognises. It is not always 100% reliable; you have to test (I had trouble with a USB mouse that stopped working once it was put into power-saving mode).

Afterwards, you can make these settings permanent by putting them in a script run at boot (something like rc-local, but I'm not sure that still exists on a freshly installed Debian 11).

If you want finer-grained settings (such as different ones depending on whether you are on battery or on mains power), you will need to install a tool that handles that; I tried the tlp package for a while...

Regards,
Fred.
Re: Debian release criteria.
On Tuesday, 3 Jan 2023 at 13:36, pe...@easthope.ca wrote:
> A few years ago a USB camera worked with Cheese, a bridge interface
> worked as documented and Firefox was fairly stable.
>
> Now Cheese crashes immediately upon startup.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562765

According to that bug report, the problem is on sid. This is not surprising? If you want stability, stick to stable releases?

cheese works perfectly for me and has done so for a very long time. I cannot comment on qemu.

--
Eric S Fraga via gnus (Emacs 30.0.50 2023-01-02) on Debian 11.5
How to get Debian OS support
Hi Team,

Need to understand how to get Debian OS pro support and also whether the Debian team supports Samba Active Directory features.

--
Thanks & Best Regards
*Pradeep Pal*
System Admin
☏ +91-22-61966383 | ☏ +91-9820142327
Re: request a replacement for Thunderbird + Enigmail
On Tuesday, 3 Jan 2023 at 21:27, Michel Verdier wrote:
> I use Gnus (on emacs). I fetch mails with pop3s from different providers,
> send mails to the corresponding smtp servers based on the sending address
> (could be different criteria). I use the nnml backend, which stores 1 mail
> per file, so no big database, best perf, easy backup and no mail losses.
> Gnus uses standard gpg for encryption. I use swish for indexing and
> searching mails.

Pretty much the same for me except for notmuch instead of swish for indexing/searching. Works very well in all respects including gpg.

--
Eric S Fraga via gnus (Emacs 30.0.50 2023-01-02) on Debian 11.5
Re: VLC not ejecting CD/DVDs
Hi,

Charles Curley wrote:
> If I read the source for VLC correctly, VLC uses a SCSI ioctl to attempt to
> eject.
> https://github.com/videolan/vlc/blob/master/modules/gui/eject.c

Yes. EjectSCSI() in line 67 does what a burn program would do for ejecting an optical medium. But the ioctl SCSI_IOCTL_SEND_COMMAND is the dull way to perform a SCSI transaction. If the drive does not like the command, then the caller of this ioctl gets no specific error indication.

(I wonder about the middle ioctl SCSI_IOCTL_SEND_COMMAND, which tells the drive to speed up. The third ioctl then tells it to slow down and to eject the tray.)

(The call of ioctl( i_fd, BLKRRPART ) will do nothing with /dev/sr. Regrettably Linux does not offer an ioctl to re-assess optical media.)

The message "could not eject" seems to come from a combined attempt in line 163 with ioctl( fd, CDROMEJECT, 0 ) and the above SCSI gesture. The ioctl CDROMEJECT will in the kernel cause similar SCSI commands as EjectSCSI() emits.

> One of those four methods is via SCSI. When I specify that method,
> eject ejects the CD/DVD.
> charles@jhegaala:~$ eject -s /dev/sr0

Does
  eject -r /dev/sr0
work too?

> Any thoughts?

One would have to modify the code to learn which errno comes back from the ioctls when one of them fails. I.e.:

Line 163: Separate the call of ioctl( fd, CDROMEJECT, 0 ) from the call of EjectSCSI( fd ) and print the errno value after each of them.

Lines 85, 96, 107: Print the failed SCSI command name ("ALLOW_MEDIA_REMOVAL", "START", or "STOP_EJECT") and the errno value before returning VLC_EGENERIC.

If one of the ioctls SCSI_IOCTL_SEND_COMMAND indicates failure, then one would have to replace it by ioctl(SG_IO) with its more elaborate struct sg_io_hdr_t, which would return the SCSI error code triple. I could make proposals on how to do that. But this will be no picnic.

Have a nice day :)

Thomas
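The errno-per-ioctl separation and the SG_IO replacement Thomas describes, as an added example: this is editor-written code, not VLC's eject.c and not something Thomas posted. It assumes Linux, a default device of /dev/sr0 (argv[1] overrides it) and a 30-second command timeout; the Linux header type is struct sg_io_hdr, typedef'd as sg_io_hdr_t. One caveat worth knowing if the SG_IO path reports EPERM: for a caller without CAP_SYS_RAWIO the kernel's SCSI command filter only passes START STOP UNIT and PREVENT ALLOW MEDIUM REMOVAL on a descriptor opened for writing (they are on its write-safe list, not its read-safe list), so the example opens the device O_RDWR|O_NONBLOCK before falling back to read-only; how eject.c opens the device is therefore worth checking too.

```c
/* Added example, not VLC's code: eject an optical drive first with the
 * CDROMEJECT ioctl, then with the same three SCSI commands VLC's
 * EjectSCSI() sends, but via SG_IO so a rejected command yields the
 * sense triple (key/ASC/ASCQ) instead of a bare failure. Linux only.
 * Assumptions: default device /dev/sr0 (argv[1] overrides), 30 s timeout. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/cdrom.h>
#include <scsi/sg.h>

/* PREVENT ALLOW MEDIUM REMOVAL (0x1E): byte 4 bit 0 = PREVENT. */
void cdb_allow_removal(unsigned char cdb[6], int prevent)
{
    memset(cdb, 0, 6);
    cdb[0] = 0x1E;
    cdb[4] = prevent ? 1 : 0;
}

/* START STOP UNIT (0x1B): byte 4 bit 1 = LOEJ (load/eject), bit 0 = START.
 * start=1,loej=0 spins the unit up; start=0,loej=1 stops it and ejects. */
void cdb_start_stop(unsigned char cdb[6], int start, int loej)
{
    memset(cdb, 0, 6);
    cdb[0] = 0x1B;
    cdb[4] = (unsigned char)((loej ? 2 : 0) | (start ? 1 : 0));
}

/* Extract sense key / ASC / ASCQ from fixed-format (0x70/0x71) or
 * descriptor-format (0x72/0x73) sense data. Returns 0, or -1 if unusable. */
int decode_sense(const unsigned char *sb, int len,
                 unsigned char *key, unsigned char *asc, unsigned char *ascq)
{
    if (len < 4) return -1;
    switch (sb[0] & 0x7F) {
    case 0x70: case 0x71:
        if (len < 14) return -1;
        *key = sb[2] & 0x0F; *asc = sb[12]; *ascq = sb[13]; return 0;
    case 0x72: case 0x73:
        *key = sb[1] & 0x0F; *asc = sb[2]; *ascq = sb[3]; return 0;
    default:
        return -1;
    }
}

/* Send one 6-byte CDB with no data phase. Returns 0 on success, -1 if the
 * ioctl itself failed (errno reported), 1 if the drive rejected the command. */
int sg_send6(int fd, const unsigned char cdb[6], const char *name)
{
    unsigned char sense[32] = {0};
    unsigned char key = 0, asc = 0, ascq = 0;
    sg_io_hdr_t io;
    memset(&io, 0, sizeof io);
    io.interface_id = 'S'; io.cmdp = (unsigned char *)cdb; io.cmd_len = 6;
    io.dxfer_direction = SG_DXFER_NONE; io.sbp = sense; io.mx_sb_len = sizeof sense;
    io.timeout = 30000;                 /* ms: tray motion is slow */
    if (ioctl(fd, SG_IO, &io) < 0) {
        fprintf(stderr, "%s: ioctl(SG_IO): %s\n", name, strerror(errno));
        return -1;
    }
    if ((io.info & SG_INFO_OK_MASK) == SG_INFO_OK)
        return 0;
    if (decode_sense(sense, io.sb_len_wr, &key, &asc, &ascq) == 0)
        fprintf(stderr, "%s: sense key 0x%X ASC 0x%02X ASCQ 0x%02X\n",
                name, (unsigned)key, (unsigned)asc, (unsigned)ascq);
    else
        fprintf(stderr, "%s: SCSI status 0x%02X, no sense data\n", name, (unsigned)io.status);
    return 1;
}

/* The sequence VLC's EjectSCSI() uses: allow removal, start, stop+eject. */
int eject_sgio(int fd)
{
    unsigned char cdb[6];
    cdb_allow_removal(cdb, 0);
    if (sg_send6(fd, cdb, "ALLOW_MEDIUM_REMOVAL") != 0) return -1;
    cdb_start_stop(cdb, 1, 0);
    if (sg_send6(fd, cdb, "START") != 0) return -1;
    cdb_start_stop(cdb, 0, 1);
    return sg_send6(fd, cdb, "STOP_EJECT") == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sr0";
    /* O_NONBLOCK: open succeeds with no medium. Try writable first: for a
     * non-root caller the kernel only lets these two write-safe commands
     * through SG_IO on a descriptor opened for writing. */
    int fd = open(dev, O_RDWR | O_NONBLOCK);
    if (fd < 0) fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) { perror(dev); return 1; }
    if (ioctl(fd, CDROMEJECT, 0) == 0) {
        printf("CDROMEJECT succeeded\n");
    } else {
        printf("CDROMEJECT: %s; trying SG_IO sequence\n", strerror(errno));
        if (eject_sgio(fd) == 0) printf("SG_IO eject succeeded\n");
    }
    close(fd);
    return 0;
}
```

Build with cc -Wall -o sgeject sgeject.c and run ./sgeject /dev/sr0 as a member of the cdrom group. A failure now names the ioctl or the SCSI command that failed; on the SG_IO path it also prints the sense triple, which is what the SCSI_IOCTL_SEND_COMMAND route throws away (key 0x2 / ASC 0x3A is NOT READY, MEDIUM NOT PRESENT; key 0x5 / ASC 0x24 is ILLEGAL REQUEST, INVALID FIELD IN CDB), and a mounted medium typically shows up as EBUSY from CDROMEJECT.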