Re: [Newbie] Can ls command format output my way?
On 12/17/2016 05:40 PM, Richard Owlett wrote:
[...]
> I don't wish anything but full path to all files in a top level directory.
>
> Followup question how should I find the answer for myself. It looks
> basic enough ...
> TIA

One way would be to use find combined with realpath.

find /media/data -exec realpath "{}" \;

That's recursive. If you want only that one directory, limit how deep it may go:

find /media/data -maxdepth 1 -exec realpath "{}" \;

If that's too long to type out each time, you can make a shell alias or function that accepts the path as an option and then passes that to find.

/Lars
Re: Symlinking or hard linking additional storage to /home directories
On 11/12/2016 08:30 PM, Nicolas George wrote:
> On duodi 22 brumaire, year CCXXV, Lars Noodén wrote:
>> What are the disadvantages of bind mounts?
>
> They require root privileges for any change.
>
> They are also more expensive than any individual symlink, but it does
> not matter much if there are only a few.
>
> But I can reverse the question: what advantages do you see to bind
> mounts in that particular circumstance?

It fits with the /etc/fstab approach, and since Robert mentioned /etc/fstab, mount comes to mind. Adding the user option there allows a non-root user to mount or unmount the pair of directories. However, as far as technical advantages proper, I don't know.

Regards,
Lars
Re: Symlinking or hard linking additional storage to /home directories
On 11/12/2016 08:15 PM, Nicolas George wrote:
[snip]
> You could use bind mounts, but I really do not recommend it.
[snip]

What are the disadvantages of bind mounts?

Regards,
Lars
Re: Symlinking or hard linking additional storage to /home directories
On 11/12/2016 08:09 PM, Robert Menes wrote:
[snip]
> My question is this: which is the better path to take? Symlinking or hard
> linking another
> drive to ~/Music and ~/Videos?
[snip]

Directories can only be symlinked. But you might be interested in mount instead, especially the --bind option.

Regards,
Lars
Re: My bash script is missing something - what?
On 10/10/2016 04:10 PM, Richard Owlett wrote:
> On 10/10/2016 8:00 AM, Robert Parker wrote:
>> you need to do:
>> ./test.sh
>> instead.
>>
>
> That just fails differently by responding:
>
> : No such file or directory

Wherever the script is, it does have to be in the $PATH or else you must run it using a relative or absolute path to its location.

About your error message "bash: test.sh: command not found", you might try putting the full paths to mount and grep in your script. Or else explicitly set the $PATH variable to something useful at the beginning of the script.

If that was not it, you can use the set -x option with bash to trace the script's actions.

#!/bin/bash -x

That prints out each line as it will be run just before it is actually run, to see what precisely is causing the failure.

Regards,
Lars
Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.
On 10/09/2016 02:28 PM, Tony Baldwin wrote:
>
>
> On 10/09/2016 07:23 AM, Richard Hector wrote:
>> On 10/10/16 00:20, Tony Baldwin wrote:
>>> What country is .me? here in the US, of course, it could be the State of
>>> Maine.
>>
>> Montenegro, apparently. According to a quick web search ;-)
>>
>> Richard
>>
>
> Thanks, I was curious, couldn't think of anything, all the Ms I could
> think of were things like Maroc, Moçambique, Macao, and the like, where
> .ma, .mc, .mo, or some such thing would make more sense.
> I kind of think Montenegro should be .Mn, really (or that for the US
> state of Minnesota).
> Tony
>

The complete list is all in ISO-3166. It has two-letter codes as well as three-letter codes. ISO 639, in contrast, covers languages. I'd seen some sites mix them up.

Regards,
Lars
Re: Issues with SSH pubkey authentication at remote server
On 09/27/2016 06:07 PM, Stephan Beck wrote:
> Lars Noodén:
>> On 09/27/2016 02:02 PM, Stephan Beck wrote:
>> Can you tell more about how your login session is started?
>
> I connect to the "local ssh account" by ssh from my other user account.

Ok. Now I see the arrangement. You are missing a way for "local ssh account" to receive information about any agent(s) it should have. If you use ps you can probably see your main account running ssh-agent, the system having launched it for you and managing the setting of the appropriate environment variables.

> Now I've tried it several times always repeating this
> eval $(ssh-agent)
> ssh-add /path/to/key
> ssh-add -L (for checking)
> procedure and I do not have to enter the passphrase for this session.

You need a way for your "local ssh account" to start and use an agent. I'm not sure of the optimal way for you. Perhaps something in .bashrc? Others here know more about the shells than I.

> From my point of view I do not need to have the same env in the "local
> ssh account" as I have in the other account.

No, but the "local ssh account" instances need to share the ssh-agent variables. If you are logging in multiple times at the same time, you'd want to share the same agent for that account until the last one logs out.

Regards,
Lars
Re: Issues with SSH pubkey authentication at remote server
On 09/27/2016 02:02 PM, Stephan Beck wrote:
> Hi Lars,
>
> Lars Noodén:
>> On 09/26/2016 05:46 PM, Stephan Beck wrote:
>>> ... it might
>>> not be necessary to fire it up with eval $(ssh-agent).
>>> Thanks for the command, makes it more easy.
>>
>> No problem. If you want to see which keys are available to ssh, you can
>> use ssh-add for that:
>>
>> ssh-add -L
>>
>> It has to be run in the same shell as you would then run ssh.
>>
>> That will list the public key matching the private key which has
>> actually been loaded into the available agent. But that availability
>> might be the issue here, as with the earlier message, I am still
>> wondering if ssh is finding the "right" agent.
>
> I've tried again and detected the following:
> No agent is started when I login to the "local ssh user account".

It is the one that should be running under your local account that is of relevance, or at least should be. How are you logging in to your "local ssh user account" there? Your processes including the terminal need to be inheriting the environment variables SSH_AGENT_PID and SSH_AUTH_SOCK. If they are not in the environment, then your processes need to be pointed to socket and process id explicitly.

> I have to do
> eval $(ssh-agent) --> for every single session
> ssh-add /path/to/key
> ssh-add -L
> (outputs the key)
> Then I connect to the remote server and it works without having to type
> a passphrase. Gee!

Ok. So the keys work and it is possible to add on an agent after logging in. Can you tell more about how your login session is started?

Regards,
Lars
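This post and the one above it leave open how the "local ssh account" should find one agent and share it between logins. Here is an added example, not code from the thread or from OpenSSH, of a profile snippet that caches one agent's SSH_AUTH_SOCK/SSH_AGENT_PID lines and re-attaches every login to it. It assumes the cache file name $AGENT_ENV chosen here and a ~/.ssh that is mode 0700.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: put this in the
# "local ssh account"'s ~/.profile (or .bashrc) so that every login of that
# account talks to ONE ssh-agent instead of each session starting its own.
# The agent's environment (the SSH_AUTH_SOCK / SSH_AGENT_PID lines that
# "ssh-agent -s" prints) is cached in $AGENT_ENV, a file name chosen here;
# ~/.ssh is assumed to be mode 0700 so nobody else can plant a cache file.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_env_sock FILE / agent_env_pid FILE: pull the two values out of a cache
# file written by "ssh-agent -s" (lines look like "SSH_AUTH_SOCK=/path; export ...;")
agent_env_sock() { sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" 2>/dev/null; }
agent_env_pid()  { sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$1" 2>/dev/null; }

# agent_env_valid FILE -> 0 only if FILE describes an agent that is still alive:
# the socket must exist and the recorded process id must still be running.
agent_env_valid() {
    [ -r "$1" ] || return 1
    sock=$(agent_env_sock "$1")
    pid=$(agent_env_pid "$1")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    [ -S "$sock" ] || return 1               # stale cache: agent socket is gone
    kill -0 "$pid" 2>/dev/null || return 1   # stale cache: process is gone
}

# agent_attach: reuse the cached agent when it is alive, otherwise start a new
# one and cache its environment readable by this account only. Sessions that
# log in later pick up the same agent, so keys added with ssh-add are shared.
agent_attach() {
    if ! agent_env_valid "$AGENT_ENV"; then
        (umask 077; mkdir -p "$(dirname "$AGENT_ENV")"; ssh-agent -s > "$AGENT_ENV") || return 1
    fi
    . "$AGENT_ENV" >/dev/null    # exports SSH_AUTH_SOCK and SSH_AGENT_PID
}

# agent_stop: the shared agent outlives logouts on purpose; call this from the
# last session (or a logout script) to kill it and drop the cache.
agent_stop() {
    agent_env_valid "$AGENT_ENV" || return 1
    . "$AGENT_ENV" >/dev/null
    ssh-agent -k >/dev/null && rm -f "$AGENT_ENV"
}

# agent_attach   # uncomment in ~/.profile; afterwards "ssh-add -L" lists the shared keys
```

Running pgrep -lf ssh-agent, as suggested further down the thread, should then show one agent for the account no matter how many sessions are open.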
Re: ssh-keygen and rsa Keys
On 09/27/2016 12:19 AM, Martin McCormick wrote:
>...
> The short story is that the Mac now uses openssh-7
> instead of open-ssh-6. Dsa encryption keys have been declared
> obsolete for some time now and openssh-7 defaults to ignoring
> any id_dsa.pub keys you might have been using.
>...

That brings up two things to my mind. First is with client authentication that one should start planning ahead for elliptic curve cryptography:

https://www.gnupg.org/faq/gnupg-faq.html#please_use_ecc

Ed25519 seems to be the way forward there, for now.

Second, the server identification keys ought to be addressed too, so that DSA is also turned off there. The servers are targets for MitM attacks if they leave up the option for host identification via DSA keys. Turning off DSA requires a bit of planning if there are many accounts using the server.

Regards,
Lars
Re: Issues with SSH pubkey authentication at remote server
On 09/26/2016 05:46 PM, Stephan Beck wrote:
> ... it might
> not be necessary to fire it up with eval $(ssh-agent).
> Thanks for the command, makes it more easy.

No problem. If you want to see which keys are available to ssh, you can use ssh-add for that:

ssh-add -L

It has to be run in the same shell as you would then run ssh.

That will list the public key matching the private key which has actually been loaded into the available agent. But that availability might be the issue here, as with the earlier message, I am still wondering if ssh is finding the "right" agent.

Regards,
Lars
Re: Issues with SSH pubkey authentication at remote server
On 09/26/2016 01:18 PM, Stephan Beck wrote:
> ...
> Before establishing connection for the first time I did
>
> eval $(ssh-agent)
> PID
> ssh-add ~/.ssh/id_rsa
>
> But it seems that the ssh-agent does not really authenticate to the
> remote server and as a fallback password auth is selected. (I anonymized
> the output below.) So, pubkey authentication is not working :-(

Are you running the SSH client in the same shell as you have run eval? Also, the desktop environment is often set up so that it is launched under an agent already. So how many agents do you have running?

pgrep -lf ssh-agent

Regards,
Lars
Re: Need a tutorial
On 09/22/2016 07:30 PM, Gene Heskett wrote:
> On Thursday 22 September 2016 11:16:45 Dominique Dumont wrote:
...
>> Others have explained how to generate keys. Then you can simplify the
>> process by setting up your ~/.ssh/config file with something like:
>>
> Interesting, I don't have that file, it's all in /etc/ssh.

ssh_config is probably the most under-appreciated part of the client. Yet it's very useful. Even a lot of 3rd party tools work with it.

The global file is /etc/ssh/ssh_config. Most users have one located in ~/.ssh/config

For both, the full documentation is in the manual page for "ssh_config". If you add a lot of options then it saves a lot of work to put them in ~/.ssh/config

If the file does not exist, you can make it with your choice of editor. It follows the basic structure of Host + a pattern or name, followed by options for that pattern or name. For example, these blocks add a set of options below for two remote hosts:

Host 5501
    Hostname 203.0.113.22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/key_22_ed25519
    AddKeysToAgent yes
    ServerAliveCountMax 2
    ServerAliveInterval 30
    Port 2223

Host 33
    User xyzzy
    HostName 203.0.113.11
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster autoask
    ControlPersist yes

The first host with its set of options is available via "ssh 5501", just as the second one is available via "ssh 33". The latter would be the equivalent of

ssh -o ControlPath=~/.ssh/controlmasters/%r@%h:%p \
    -o ControlMaster=autoask \
    -o ControlPersist=yes \
    xyzzy@203.0.113.11

Or something like that.

I recommend grabbing a refreshment, finding a comfy chair, and working through the manual page for ssh_config paragraph by paragraph at least once if you connect to a lot of servers or use a lot of options when connecting.

Regards,
Lars
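One thing the manual page stresses that trips people up is that ssh takes the first value it finds for each option, so a catch-all "Host *" block has to come after the host-specific ones. To make that concrete, here is an added example, not code from the thread or from OpenSSH: a small resolver that reads a config file the way ssh does, tried on the two Host blocks above plus a constructed "Host *" block. It assumes plain "Keyword value" lines and no Match or Include directives.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a resolver that
# reads an ssh_config-style file the way ssh does, scanning Host blocks top to
# bottom and taking the FIRST value found for each option. That rule is why
# host-specific blocks must come before a catch-all "Host *" block.
# Assumptions: only "Keyword value" lines, Host patterns with * ? and !, no
# Match or Include directives. The sample config below is constructed.

# host_matches HOST "pattern ..." -> 0 if a Host line with these patterns applies
host_matches() {
    h="$1"; matched=no; negated=no
    set -f    # keep * and ? in the pattern list from expanding to file names
    for pat in $2; do
        case "$pat" in
            '!'*) case "$h" in ${pat#!}) negated=yes ;; esac ;;
            *)    case "$h" in $pat)     matched=yes ;; esac ;;
        esac
    done
    set +f
    # a matching negated pattern vetoes the whole Host line
    [ "$negated" = no ] && [ "$matched" = yes ]
}

# ssh_config_get FILE HOST OPTION -> prints the effective value, returns 1 if unset
ssh_config_get() {
    cfg="$1"; host="$2"
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
    inblock=yes    # options before the first Host keyword apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}    # strip leading blanks
        line=${line%"${line##*[![:space:]]}"}    # strip trailing blanks
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%[[:space:]]*}
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]]*}"}
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lkey" = host ]; then
            if host_matches "$host" "$val"; then inblock=yes; else inblock=no; fi
            continue
        fi
        if [ "$inblock" = yes ] && [ "$lkey" = "$want" ]; then
            printf '%s\n' "$val"    # first value wins; later blocks are ignored
            return 0
        fi
    done < "$cfg"
    return 1
}

# The two blocks from the post above, followed by constructed catch-all defaults.
SAMPLE_HOSTS='Host 5501
    Hostname 203.0.113.22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/key_22_ed25519
    AddKeysToAgent yes
    ServerAliveCountMax 2
    ServerAliveInterval 30
    Port 2223

Host 33
    User xyzzy
    HostName 203.0.113.11
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster autoask
    ControlPersist yes'

SAMPLE_DEFAULTS='# constructed defaults meant to apply to every host
Host *
    ServerAliveInterval 15
    AddKeysToAgent no'

# write_sample_config FILE hosts-first|defaults-first
write_sample_config() {
    if [ "$2" = defaults-first ]; then
        printf '%s\n\n%s\n' "$SAMPLE_DEFAULTS" "$SAMPLE_HOSTS" > "$1"
    else
        printf '%s\n\n%s\n' "$SAMPLE_HOSTS" "$SAMPLE_DEFAULTS" > "$1"
    fi
}

# demo: with defaults first, host 5501 silently gets the catch-all value 15
demo() {
    d=$(mktemp -d)
    write_sample_config "$d/good" hosts-first
    write_sample_config "$d/bad" defaults-first
    for f in good bad; do
        printf '%s: 5501 ServerAliveInterval=%s, 33 ServerAliveInterval=%s\n' "$f" \
            "$(ssh_config_get "$d/$f" 5501 ServerAliveInterval)" \
            "$(ssh_config_get "$d/$f" 33 ServerAliveInterval)"
    done
    rm -r "$d"
}

case "${1:-}" in demo) demo ;; esac
```

On OpenSSH 6.8 or later, "ssh -G 5501" prints the configuration ssh itself resolves for an alias, which is the authoritative check.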
Re: Need a tutorial
On 09/22/2016 06:55 PM, Gene Heskett wrote:
> Can ssh-keygen make the newer ones above? I see in a key acceptance
> conversation that it apparently can do the ecdsa. So maybe I shouldn't
> worry.

The -t option sets the key type that ssh-keygen will make. These days you can choose from DSA, ECDSA, RSA, or Ed25519. Any except DSA ought to be ok. If you run into a dongle or helper application which has trouble with Ed25519, then you could file a bug report and make an RSA key (with enough bits) for that one instead.

Regards,
Lars
Re: Need a tutorial
On 09/22/2016 02:09 PM, Gene Heskett wrote:
> On Thursday 22 September 2016 03:44:28 Lars Noodén wrote:
...
>> As far as the key choices go, DSA is considered deprecated, at least
>> in the more recent versions:
>>
>> "Support for ssh-dss, ssh-dss-cert-* host and user keys
>> will be run-time disabled by default"
>> - http://www.openssh.com/txt/release-6.9
>>
>> So that leaves RSA if you have old versions of the OpenSSH server to
>> deal with. Probably 2048 bits or more is good for a while.
>> Otherwise, consider Ed25519.
>>
> This I am not familiar with. Is there an explanatory url?

Well, it was officially turned off in 7.0, just like warned above:

http://www.openssh.com/txt/release-7.0

and there was a bit of discussion around the net like this one:

http://meyering.net/nuke-your-DSA-keys/

But as far as explanations go, that's like the others I've seen to phase out any remaining DSA use due to weaknesses. The articles I've seen are either cryptographer level (and thus beyond me) or very generic, but there are multiple problems with DSA at this point.

Ed25519 claims these benefits:

https://ed25519.cr.yp.to/

OpenSSH 6.5 or later will support it. Wheezy had 6.0 (but 6.6 is in the backports), and Jessie has 6.7, and Stretch is getting 7.3. The release notes for 6.5 just mention that it is "better" for security and performance.

Regards,
Lars
Re: Need a tutorial
On 09/21/2016 11:39 PM, Gene Heskett wrote:
> On Wednesday 21 September 2016 10:23:09 Greg Wooledge wrote:
...
>> man ssh-keygen
>> http://mywiki.wooledge.org/SshKeys
>
> I knew there was something about generating keys, but not the sticky
> details.

If you have multiple servers or multiple remote accounts, you will end up with at least one key pair per account+server. So you will also need a way to keep track of them. One way is to make use of the -C and -f options to add a comment inside the key and to name the key files to something mnemonic.

As far as the key choices go, DSA is considered deprecated, at least in the more recent versions:

"Support for ssh-dss, ssh-dss-cert-* host and user keys
will be run-time disabled by default"
- http://www.openssh.com/txt/release-6.9

So that leaves RSA if you have old versions of the OpenSSH server to deal with. Probably 2048 bits or more is good for a while. Otherwise, consider Ed25519.

Regards,
/Lars
Re: Using serial console as a poor mans IP kvm?
On 09/08/2016 10:26 PM, Jarle Aase wrote:
>...
> So I'm thinking about serial consoles. My gateway router will reboot
> after an outage, and it can act as a VPN endpoint. So I can access IP
> devices. With a Raspberry Pi and some relays, I can probably trigger a
> cold reboot whenever I need to. If I could log on to the grub console on
> the servers over a serial link, that's all I need, really.
>
> Does anyone here have any experience with remote control with Debian
> boxes over serial? Will it work reliably?

Quite a while back (Etch) I had some Debian machines running via serial console. As far as I know everything should still work just as nicely over serial console. From what I recall, you'll have to set console settings several places in the system to cover all contingencies for booting and recovery.

I've used USB-to-serial adapters with the Prolific chipset. They've worked fine for me, in various models. (I haven't tried FTDI and am suspicious of them.) There are also specialized PCI and PCIe serial console servers which add 4 or 8 extra serial ports to a machine. But if you're going to run everything off of a single rpi then a USB-to-serial adapter is the way to go. There are ones that go USB to 4 or 8 serial ports, but they are hard to find affordably any more.

About the power relays, I did that before and had a lot of help to make some custom ones, nothing being on the market back then. I found someone with skill to build a custom setup that worked over GPIO. However, nowadays there are several devices that look interesting. One pre-made series that caught my eye a few weeks ago was this one:

https://unipi.technology/shop/

However, I have not evaluated any units so that is just to point to what's on the market and not any endorsement. You'll need to wire plugs and such, too, and I can't see any fuses on those units.

Regards,
Lars
Re: Problem selecting options for cp command
On 09/05/2016 05:21 PM, Richard Owlett wrote:
> "archive" had brought up mental image of dusty back rooms where things
> were being preserved for posterity. Not making a copy to actually be used.
>
> Someone had suggested rsync but that has too many options for me to
> bungle. "cp" may be slower but appears more comfortable.
>
> Thanks to all.

For rsync, the only options that you need to worry about are -a and -v. Even then the -v is optional.

rsync -av /media/richard/myrepo/ /media/richard/test/

Just remember the trailing slash on the directories and it will go fine.

Regards,
Lars
Re: Reuniting disks in a raid1 array
> On 08/30/2016 08:33 AM, Frédéric Marchal wrote:
>> How can I do this safely?

PS. It goes without saying, and thus I forgot to say it, but start this by making a fresh backup of your new system. Preferably you have multiple, older backups around, too, and not just one. Sorry if that's obvious but its importance can't be overemphasized.

Regards,
Lars
Re: Reuniting disks in a raid1 array
On 08/30/2016 08:33 AM, Frédéric Marchal wrote:
>...
> Now, it's time for the old computer to retire and sdb to join its partner in
> the new raid1 on the new computer.
>
> How can I do this safely?

Here is what I did when I restored a drive to a RAID 1 array. I'm not an expert, so you'll want to verify these steps.

First I cleared the start of the drive-to-be-added using "dd" reading from /dev/zero for 1MB (probably unnecessarily large).

Then I copied the partition table from the existing disk in the array to the disk-to-be-added. I used a different method, but looking around the correct way might have been to pipe output from "sfdisk -d" on the existing drive to "sfdisk" on the drive-to-be-added. That put the partition(s) in the right place(s).

Then I added the "new" RAID partition to the array using "mdadm". e.g.

mdadm --add /dev/md129 /dev/sdb3

Then it was just a matter of waiting and checking. e.g.

mdadm -D /dev/md129

When it was finished, it showed that it was again clean and that both devices were present and in use.

          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

YMMV

Regards,
Lars
Re: Limiting internet access by time
On 08/05/2016 03:02 AM, Mark Fletcher wrote:
> On a stretch box I have, I want to allow access to the Internet between the
> hours of 9am and 9pm and block it between 9pm and 9am. Ideally allow local
> network access throughout but block Internet access between 9pm and 9am,
> but I can accept total network blockage in the off times if necessary.
[snip]

iptables has some match extensions that will work with UTC time, specifically the extensions --timestart and --timestop

Using those you should be able to make rules that operate all the time but block traffic during the specified hours. The only issues there are the UTC itself and, maybe, problems with standard time versus daylight savings time locally.

It can also be modified to vary for certain days of the week using --weekdays

See the manual page for iptables-extensions(8) for the details on those.

Regards,
Lars
Re: ssh again
On 06/15/2016 02:54 AM, emetib wrote:
[snip]
> dan has a good point about having your own nameserver. yet with only
> three computers in your home network it's not necessarily needed.
>
> wait i did that before.
>
> they are easy to set up and
[snip]

Even easier is dnsmasq. It has both DHCP and some DNS. It is very easy to set up and very useful for small and, probably, medium networks. It will allow hosts on the LAN to get specific names if the hosts identify themselves with the same MAC address each time. Many routers have it built-in like openwrt, lede, and dd-wrt

For the remote routers, it's still a matter of either choosing a dynamic DNS service (which is also commonly supported by routers) or else taking advantage of the one static IP and having the others phone home in some way, shape, or form.

Regards,
Lars
Re: ssh again
On 06/14/2016 05:32 PM, Lisi Reisz wrote:
> peter@Nyx-II:~/Lisi$ cp Ken-Blue-10.jpg Lisi@192.168.0.2:~/Pictures/
> cp: cannot create regular file ‘Lisi@192.168.0.2:~/Pictures/’: No such file
> or
> directory
> peter@Nyx-II:~/Lisi$ cp Ken-Blue-10.jpg
> Lisi@192.168.0.2:~/Pictures/Ken-Blue-test
> cp: cannot create regular file ‘Lisi@192.168.0.2:~/Pictures/Ken-Blue-test’:
> No
> such file or directory
> peter@Nyx-II:~/Lisi$

There's a typo there. It should be scp rather than cp, to get from one machine to the other. You might consider using sftp since that tool gives more to work with.

About the dynamic ip numbers, there are several ways to solve that. One is to get them an account with a dynamic DNS service. There are some free, with conditions, there are some that cost, and there are some regular registrars that even offer it as part of their regular service.

Regards,
Lars
Re: granular acl in tmux
On 06/12/2016 01:53 PM, Bob wrote:
> Hello Lars,
>
> Thanks for your attention. I can see tmux presently doesn't have the
> read-only solution as screen. And I like to make it simple without
> touching sshd. I appreciate your solution regarding rwx by socket.
> Though in screen we can change the acl through command mode. Say many
> users including you are attached with my session with rwx and I can
> specifically change your acl to r-- . I haven't found it in tmux, hope I
> haven't missed it in config

I'm quite sure it's not there in tmux.

A way I used sudo to share one of root's tmux sessions read-only was to lock the user into specific options in specific order for a specific session:

%lars ALL=(ALL) NOPASSWD: /usr/bin/tmux attach-session -rt rclocal, \
    /usr/bin/tmux kill-window -t rclocal

Something similar could be done for non-root targets as well. But either way, that is counting heavily on tmux to keep the read-only session in its place.

Regards,
Lars
Re: granular acl in tmux
On 06/10/2016 02:11 PM, Bob wrote:
> How can I start a screen session as read-only at server end (now it is a
> voluntary option during attach).

Setting a session+user read-only from the server end is a feature I wish tmux had.

Joining a tmux session read-only seems possible by restricting the account. One way is to do it via the SSH server, either by modifying the key with a command= or by modifying sshd_config with a ForcedCommand. Another way, which I have been using, can be using sudo where access to another user's session can only be accessed when the read-only option is set and the specific session is named. Whether you want a third account for that or not, I don't know, but to share a session even read-only needs write permissions to the socket.

> how to control rwx ? Are those possible in tmux ?

Controlling rwx is done by setting the privileges for the tmux session's socket. If it helps, you can specify which socket to use when tmux is started and that can easily be worked into a short script or shell function. -S is socket name with full path, but any directories in the path must pre-exist.

> How can I detach a user from the session,

In which situation? Attaching to a session while detaching any other clients already attached is "tmux a -d". But there are more options if you look at the "detach" command in the manual page for tmux.

Regards,
Lars
Re: bash help please
On 06/10/2016 05:41 AM, Gene Heskett wrote:
> gene@coyote:~$ echo `test [${InMail} = "gene"]`
>
> All I get is the linefeed. Obviously I'm losing it, so how do I
> translate and get useful output for troubleshooting?

One option is to use 'set -x' there in the script. It can go anywhere above your problem and will show each line as it is executed. The contents of ${InMail} that are actually getting passed to test will be visible.

Regards,
Lars
Re: enable telnetd?
On 06/03/2016 05:20 AM, Felix Miata wrote:
[snip]
> When I wrote, I hadn't yet learned that the problem that made me want to
> use Telnet was known, and a patch already submitted, but not yet
> included in an update available on the mirrors:
> https://github.com/systemd/systemd/issues/3339
[snip]
> Dan Purgert composed on 2016-06-02 19:57 (UTC):
>> Would a serial console (i.e. /dev/ttyS0) suit your needs?
>
> Probably not well, something yet else to configure that I haven't needed
> to do in more than two decades, another cable to locate and connect, and
> likely for a one time only use. Or can serial connection be shared over
> existing ethernet?

If the machines have two serial ports, they can be grouped in pairs such that the serial console of one is connected to the second port of the other. Then you can do just about everything except turn the power on again (unless you have Wake-on-LAN set up too) from the other machine using cu, tip, or minicom or screen. But anything you can do from the console itself you can then do from the other machine in the pair.

If it was just a matter of having a different daemon available to the outside world (or other machines on the LAN) then maybe you could have had the dropbear SSH daemon running on another port. If some of the system is not working maybe the shell could be busybox, but I don't know if that would work for you in this situation.

Regards,
Lars
Re: RECOMMEND: Wireless Home Router with VPN Built-In
On 04/26/2016 03:46 AM, Patrick Bartek wrote:
> On Mon, 25 Apr 2016, Lars Noodén wrote:
>> On 04/25/2016 05:01 AM, Patrick Bartek wrote:
>> Keep in mind that SSH can do a SOCKS proxy itself and thus you might
>> not even want to go to the trouble of setting up OpenVPN on top of
>> whatever you have.
>
> I just want something simple for security when I use public wifi on my
> phone or laptop for personal web and email. It doesn't have to be
> NSA-proof. ;-) But I'll look into that.

It's easy and simple, just use the SSH client with the -D option and choose a port and log into your router. If you keep your SSH key in an agent, which many desktop environments have available for you, then you can just re-connect automatically.

One addendum, whether you use VPN or SOCKS proxy, is that if you have a dynamic IP address you'll probably want to set up an account at a dynamic DNS service. That way if (when) your IP address changes while you are away you won't have to cause suspicion by scanning your ISP's whole network for your proxy. ddclient, for example, is in the repository.

Regards,
Lars
Re: RECOMMEND: Wireless Home Router with VPN Built-In
On 04/25/2016 05:01 AM, Patrick Bartek wrote:
> Hi! all,
>
> Toying with the idea of setting up a personal, that is, non-business,
> VPN for a device or two for those rare times I use public wifi. For
> improved security, mind you. Want to keep it simple, but it must
> work outside the U.S. (I foresee a change coming.) So, figured a new
> home router with the server built-in would be better than a
> for-charge (or free) VPN service. (After 8 years of continuous use,
> I'm getting nervous about my old router anyway, and want to replace
> it.)
>
> What routers would you all recommend? And why?
>
> Thanks.
>
> B
>

I'd look at the list of routers that support OpenWRT or DD-WRT and choose from that subset, if you want an off-the-shelf product. However, you can build a router with more normal hardware with full Debian (or Devuan) and add what you like. I have an old Soekris myself, though others might be more in fashion these days.

Keep in mind that SSH can do a SOCKS proxy itself and thus you might not even want to go to the trouble of setting up OpenVPN on top of whatever you have.

Regards,
Lars
Re: ssh Problem using it for SFTP
On 01/14/2016 12:32 PM, Steve Matzura wrote:
> debug1: sshd version OpenSSH_6.7, OpenSSL 1.0.1k 8 Jan 2015
>...
> debug1: Client protocol version 2.0; client software version
> FTP-Voyager-15.2.0.15
> debug1: no match: FTP-Voyager-15.2.0.15
> debug1: Enabling compatibility mode for protocol 2.0
> ...
> debug1: SSH2_MSG_KEXINIT received [preauth]
> no matching cipher found: client
> aes192-cbc,3des-cbc,blowfish-cbc,aes128-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-...@lysator.liu.se,des-cbc,des-...@ssh.com
> server
> aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
> [preauth]
> ...

Can you update the client to one that uses the safer ciphers and avoids the deprecated ones?

[since 6.6]
"Potentially-incompatible changes
* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default..."

from http://www.openssh.com/txt/release-6.7

regards,
Lars
Re: Whitelist security.debian.org
On 10/21/2015 09:47 PM, Mario Castelán Castro wrote:
>...
> There seems to be a geographical dependent load balancing DNS server for
> security.debian.org; maybe that is the source of the OP's problem. From
> Mexico I get this:
> ...

I, too, get different answers depending on the country I check from with dig. It seems to be described here briefly:

"For each service it produces a set of zonefiles, one for each out of a set of different geographic regions. These individual zonefiles are then transferred using rsync to our GEO-IP enabled nameservers. This enables us to give users a list of security mirrors closer to them and thus hopefully faster for them."

https://dsa.debian.org/dsablog/

But that doesn't answer why APT is getting a different IP than a regular nslookup.

Regards,
Lars
Re: how to sum a column in openoffice calc
On 09/16/2015 04:02 PM, Li Wei wrote:
> I want sum of a column of values
> I enter "SUM(N1:N8)" in cell N9
> but can't get cell N9 to display sum
>
> Thanks in advance!!!
>
> PS: I'm in China and can't use google to find answer
>
>

Wouldn't that be "=SUM(N1:N8)" instead, with an equal sign?

Regards,
Lars
Re: Have I been hacked?
On 10.01.2015 13:39, Joel Rees wrote:
> On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
> [snip]
> I would much rather use a key with a passphrase.
> What you do when you use an SSH key is introduce two stages of
> authentication.
> [snip]

In wheezy (7) you have to choose one or the other, keys or password unless you are using openssh-server 6.6 from backports. Since 6.3, the server will allow both a key and a password to be required¹. See the option AuthenticationMethods in the manual page for sshd_config. In testing, (upcoming jessie aka debian 8) you have a newer version of the server, 6.7. Further down the line, in 6.8, it looks like the option even for requiring multiple keys will be allowed².

Regards,
/Lars

¹ http://www.openssh.com/txt/release-6.3
² https://bugzilla.mindrot.org/show_bug.cgi?id=2323

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54b1333a.9070...@gmail.com
Re: How is typical home computer used today?
On 12/08/2014 08:14 PM, Richard Owlett wrote:
> Exactly what is meant by Multi-seat PC?
>
> I'm working on defining a heavily customized personal installation of
> Debian. One of the *STRONG* underlying assumptions is the machine would
> only ever be used by a specific individual. One of the underlying
> motivations is personally understanding the guts of Linux.

Multi-seat is where one machine is physically used by multiple users concurrently. One display, keyboard and mouse per user are plugged in to a single box and configured (with various amounts of fiddling) in X. It is used to good effect in classrooms and libraries, especially as thin clients. IIRC Brazil has some very large deployments.

Regards,
/Lars
Re: hosts based open ssh authentication
On 11/2/14, Gary Dale garyd...@torfree.net wrote:
> On 01/11/14 05:50 PM, Bhasker C V wrote:
>> Hi all
>> I have a system in a cluster (experimental) and there are a lot of debian
>> machines which depend on this system and must be able to ssh into this
>> system
>> I wanted password-less authentication and looked on the internet. Almost
>> all the examples and help shown involves setting up ssh_known_hosts which
>> I am trying to avoid (cumbersome in a large network where we dont know
>> who will need access).
>> Anyone got this working just plain without adding known hosts ? I do not
>> want to add each and every host to ssh_known_host. Essentially I want to
>> have an open access to one of the servers via ssh.
>> I tried running sshd as root and adding auth sufficient pam_rootok.so to
>> pam ssh and login but that did not help.
>> Thanks
>> Bhasker C V
>
> Trying hard to understand what you want but failing. It almost sounds like
> you want anyone to be able to connect (don't know who will need access want
> to have open to one of the servers) from anywhere (I do want to add each
> and every host to ssh_known_host). Which begs the question why use any kind
> of security? However, if you want to protect the network traffic, have you
> tried to use ssl/tls and close down the unencrypted access?

There is host-based authentication in sshd where users on one host are vouched for on another. It is a little fiddly to set up

http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication

but once in place it allows users to move seamlessly around in the pool of servers, assuming all the users / uids are the same throughout the pool.

Regardless of whether you do that method or another, there will need to be some data synchronization. Are you using puppet, ansible or something similar?

Regards,
/Lars
Re: XFCE4 Power Manager Brightness Panel Plugin
On 10/06/2014 09:41 PM, Jape Person wrote:
> On 10/06/2014 10:49 AM, Lars Noodén wrote:
>> ...
>> What needs to be added or configured to get a brightness slider or other brightness control for the backlight?
>> ...
>
> I think at this version they switched from using a notification area applet for the power manager and eliminated the old display brightness applet from the items available for the panel. Try adding xfce4-power-manager-plugins to the panel. You should see a display brightness setting in the menu you get when you left-click on this item in the panel.

I've also got xfce4-power-manager-plugins 1.4.1-1 installed. Adding it to the panel gives me only battery status.

> There should also be a checkbox on the Xfce Power Manager dialog's Display tab that might re-enable your display brightness buttons.
> ...

I've rummaged around there again. There are four tabs in the power manager dialog (general, system, display, devices) and though some can turn off the screen or put the machine into hibernate or suspend, none seem to offer the option of changing the display brightness. Maybe it's in another package.

Regards,
/Lars

Archive: https://lists.debian.org/54366dd4.5070...@gmail.com
XFCE4 Power Manager Brightness Panel Plugin
I've got xfce4-power-manager 1.4.1-1 in xfce4 on jessie and would like to find a way to dim the LCD backlight. I'm not seeing a brightness panel anywhere like this one:

http://docs.xfce.org/xfce/xfce4-power-manager/brightness

nor does the backlight respond to the usual shortcut keys for dimming. What needs to be added or configured to get a brightness slider or other brightness control for the backlight?

Regards,
/Lars

Archive: https://lists.debian.org/5432abfd.7060...@gmail.com
Re: XFCE4 screen resolution stuck too low
Thanks.

On 09/26/2014 01:19 AM, Chris Bannister wrote:
> Maybe X isn't getting the correct resolution from the monitor. Check the xorg log file and see if that helps.

The Xorg log file ( /var/log/Xorg.0.log ) shows no relevant errors and only a few items that seem to relate to the resolution. e.g.

[ 101.814] Mode: 143 (1400x1050)
...
[ 101.814] Mode: 145 (1400x1050)
...
[ 101.815] *Mode: 146 (1400x1050)
...

I do see one hopeful piece?

$ grep -i modeline /var/log/Xorg.0.log
[23.821] (II) VESA(0): Printing DDC gathered Modelines:
[23.821] (II) VESA(0): Modeline 1680x1050x0.0 119.00 1680 1728 1760 1840 1050 1053 1059 1080 -hsync -vsync (64.7 kHz eP)

> You may need to set a modeline config in an xorg.conf file.

The wiki ( https://wiki.debian.org/Xorg ) mentions to run

cd /etc/X11/
Xorg -configure

I've tried that with X turned off as well as from single-user mode and gotten only a core dump and a skeletal xorg.conf then appears in /root. I suppose I add the modeline info to that. Where would I find the official instructions about creating a proper modeline for the hardware I have?

# lspci | grep VGA
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Seymour [Radeon HD 6400M/7400M Series]

> Have you googled this issue? i.e using monitor model linux resolution

Extensively over the last two days.

Regards,
/Lars

Archive: https://lists.debian.org/5425a446.6040...@gmail.com
XFCE4 screen resolution stuck too low
In XFCE4, on Jessie, I am getting a display resolution of 1400x1050 instead of 1680x1050. If I go to the XFCE Menu - Settings - Display, it gives me only a single choice, that of 1400x1050, not higher or lower. xrandr seems to be able to see the maximum resolution:

$ xrandr
xrandr: Failed to get size of gamma for output default
Screen 0: minimum 1400 x 1050, current 1400 x 1050, maximum 1400 x 1050
default connected 1400x1050+0+0 0mm x 0mm
   1400x1050     60.00*
  1680x1050 (0x186)  146.250MHz
        h: width  1680 start 1784 end 1960 total 2240 skew    0 clock  65.29KHz
        v: height 1050 start 1053 end 1059 total 1089           clock  59.95Hz

What should I be looking at to get this set in XFCE?

Regards,
/Lars

Archive: https://lists.debian.org/54244c26.2040...@gmail.com
Re: XFCE4 screen resolution stuck too low
On 09/25/2014 08:28 PM, Steve Litt wrote:
> First, how confident are you that this is *only* in Xfce, and not in LXDE and Openbox and who knows what other window managers? Perhaps it's an X thing, plain and simple.

There are still some configuration options I have missed that are needed to try LXDE or Openbox. However, I'm in FVWM just now and the resolution is only 1400x1050 here, too.

Regards,
/Lars

Archive: https://lists.debian.org/5424558b.3030...@gmail.com
Re: Booting Debian GNU/kFreeBSD on MacBookPro 8.2
On Sun, 21 Sep 2014 19:02:39 +0300 Lars Noodén lars.noo...@gmail.com wrote:
> On 09/21/2014 06:54 PM, Chris Bannister wrote:
>> On Sun, Sep 21, 2014 at 03:43:40PM +0300, Lars Noodén wrote:
>>> I've installed Debian GNU/kFreeBSD 7.6 (wheezy) from a mini.iso CD image on a MacBookPro 8.2. The installation seemed to go smoothly, including
>>
>> What was the url from where you got the mini.iso CD?
>
> From the link on the Debian wiki:
>
> http.debian.net/debian/dists/wheezy/main/installer-kfreebsd-amd64/current/images/netboot/mini.iso
>
> Regards,
> /Lars

I tried again with a more recent installation image.

http://d-i.debian.org/daily-images/kfreebsd-amd64/

The one from 2014-09-20 figured out Grub properly. It takes a while to find Grub but other than that it boots fine.

Regards,
/Lars

Archive: https://lists.debian.org/20140922164832.13f640e7dd07e268bbf70...@gmail.com
Booting Debian GNU/kFreeBSD on MacBookPro 8.2
I've installed Debian GNU/kFreeBSD 7.6 (wheezy) from a mini.iso CD image on a MacBookPro 8.2. The installation seemed to go smoothly, including installing Grub, but when it is time to boot, the machine only ever shows a blinking folder with a question mark, indicating no system.

The system can be booted from the installation CD via the choice to boot from first hard disk, so that part of the installation worked.

What additional step is needed so that the system boots on its own from the internal drive without intervention from the installation CD?

Regards,
/Lars

Archive: https://lists.debian.org/541ec7fc.9090...@gmail.com
Re: Booting Debian GNU/kFreeBSD on MacBookPro 8.2
On 09/21/2014 06:54 PM, Chris Bannister wrote:
> On Sun, Sep 21, 2014 at 03:43:40PM +0300, Lars Noodén wrote:
>> I've installed Debian GNU/kFreeBSD 7.6 (wheezy) from a mini.iso CD image on a MacBookPro 8.2. The installation seemed to go smoothly, including
>
> What was the url from where you got the mini.iso CD?

From the link on the Debian wiki:

http.debian.net/debian/dists/wheezy/main/installer-kfreebsd-amd64/current/images/netboot/mini.iso

Regards,
/Lars

Archive: https://lists.debian.org/541ef69f.7020...@gmail.com
Re: Booting Debian GNU/kFreeBSD on MacBookPro 8.2
On 09/21/2014 09:05 PM, Andrew Winnenberg wrote:
> On Sunday, September 21, 2014 05:43:40 AM Lars Noodén wrote:
>> I've installed Debian GNU/kFreeBSD 7.6 (wheezy) from a mini.iso CD image on a MacBookPro 8.2. The installation seemed to go smoothly, including installing Grub, but when it is time to boot, the machine only ever shows a blinking folder with a question mark, indicating no system.
>>
>> The system can be booted from the installation CD via the choice to boot from first hard disk, so that part of the installation worked.
>>
>> What additional step is needed so that the system boots on its own from the internal drive without intervention from the installation CD?
>>
>> Regards,
>> /Lars
>
> It sounds like the install went okay, but the mac is unsure what device to boot from. Try holding down the left 'option' key during boot and see if you can select your hard disk from the list that appears.
>
> Andrew

That was one of the first things I did try. There might be some problem related to EFI or UEFI and it needing a special /boot partition. But that is a new area for me.

Regards,
/Lars

Archive: https://lists.debian.org/541f2384.9060...@gmail.com
Re: Backup's to DVD
On 03/17/2014 05:06 PM, Steve Litt of Troubleshooters.Com wrote:
> ...
> So far, I haven't had readability problems on old CDs and DVDs. Blu-Rays seem a little squirrelly over time, but CDs and DVDs seem readable for many years.
> ...
> 3) Magnetic disks can be (accidentally) erased. Not so with write-once optical media.
> ...

CDs and DVDs are physically different media than CD-R and DVD-R, which are in turn different from CD-RW and DVD-RW.

CDs will last a long time, as they have a layer of physically dented metal between slabs of plastic. But you can't press one yourself. For anecdotes, I have some pushing 30 years that play but I don't have MD5 checksums or anything to verify them.

I've had some CD-R last only a few years, starting from the date of manufacture not date of burn. The claim is 5 to 10 years, from date of manufacture, but I have yet to see a date on the packages. CD-R uses a layer of dye which is then burned opaque. Those with higher quality dyes should last longer before data loss begins but the dyes oxidize over time and the rate depends on storage conditions and atmosphere. About the only advantage is that they cannot be re-written so, while they last, can serve as proof or evidence if a proper chain of custody is also maintained.

CD-RW is more complex having a phase-changing layer but max out at a theoretical 25 years under ideal storage and handling conditions, starting from quality manufacturing. See:

http://www.clir.org/pubs/reports/pub121/sec4.html

The longevity of flash is still a big unknown.

Regards,
/Lars

Archive: https://lists.debian.org/532719f3.3020...@gmail.com
Re: ssh host ip/id management for dynamic dns servers
On 02/12/2014 02:59 PM, Brian wrote:
> On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
>> ssh-keygen -r checks the SSHFP record in DNS. Use grep or something to check known_hosts.
>>
>> For me, ssh-keygen -R does not remove all the dynamically generated host keys, however. I've not yet identified what confounds ssh-keygen.
>
> The -F option should tell you what is in known_hosts; the hostname can be a name or an IP address. If "ssh name" is used two lines are entered into known_hosts and two invocations with 'ssh-keygen -R' are needed to clear the file. With "ssh IP address" only one line is produced.

Running 'ssh-keygen -R' multiple times was one of the things I tried early on. 'ssh-keygen -F' finds nothing, but grep for the hostname finds one entry, and then the same key is found many times with different ip addresses.

> With the dynamic hostnames is that known_host appears to accumulate only one entry with the hostname and then uses the ip address alone for subsequent encounters of the same key. Could this explain your observation?

On this question, it appears that port plays a role. If the default port is used, then -F and -R find the hostname. If a non-standard port is used, then that has to be included in the search query.

ssh-keygen -F foobar.example.com
ssh-keygen -F [foobar.example.com]:1234

So -F and -R get only specific host+port combinations, not all keys.

Regards,
/Lars

Archive: http://lists.debian.org/52fb7725.5050...@gmail.com
Re: ssh host ip/id management for dynamic dns servers
On 02/12/2014 07:34 PM, Paul E Condon wrote:
> ...
> Question: Suppose I encounter this situation of the 'known host' having moved to a different IP address (or a different URL?), is there a way to discover whether the change is due to a proper functioning DynDNS, or to a somewhat unstealthy man-in-the-middle operation?
> ...

The key rather than the address is the authoritative identifier of a host. So a changing IP should be ok as long as the host key remains the same. It is the host key which is used as identification and proof against a man in the middle attack. So if the host key is the same, it is not a MITM. Or if it is a MITM, it's more serious in that you've lost your key.

A changing IP leads to filling known_hosts with lots of entries, which is what Zenaan's original question was about. After the first entry for a named host gets the name along with the IP, the subsequent known_host entries for that key do not contain the hostname.

sed works for clearing them out but upon thinking about it, awk might be better since it would allow keeping one copy of the key; sed would remove them all. However, awk must work via a temporary file and cannot work directly on the known_hosts file. With either, the pattern to search for would be a key or a key fragment.

awk "/$key/ && c++ { next } { print }" \
    ~/.ssh/known_hosts > ~/.ssh/known_hosts.new;

It's going to be a short script, including extracting the key to use in sed or awk.

Regards,
/Lars

Archive: http://lists.debian.org/52fbb768.3020...@gmail.com
Re: ssh host ip/id management for dynamic dns servers
On 02/11/2014 02:56 PM, Zenaan Harkness wrote:
> On 2/11/14, Brian a...@cityscape.co.uk wrote:
>> On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:
>>> I'm wondering:
>>> 1) how to easily clean known_hosts
>>
>> ssh-keygen with the -R option.
>
> Sounds great! (also, the CheckHostIP = no option looks very useful in this regard, thanks Karl)
>
> However - it seems to not work for me? :
>
> $ HOST=raptor
> $ ssh-keygen -r $HOST
> raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
> $ ssh-keygen -R $HOST
> /home/justa/.ssh/known_hosts updated.
> Original contents retained as /home/justa/.ssh/known_hosts.old
> $ ssh-keygen -r $HOST
> raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
>
> So it looks like the host raptor is not removed from known_hosts.. ??

ssh-keygen -r checks the SSHFP record in DNS. Use grep or something to check known_hosts.

For me, ssh-keygen -R does not remove all the dynamically generated host keys, however. I've not yet identified what confounds ssh-keygen.

Regards,
/Lars

Archive: http://lists.debian.org/52fa2412.3020...@gmail.com
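The ssh-keygen -r output above is what an SSHFP record is built from, and the reply that follows (the host key, not the address, identifies the host) is the reason such records are worth checking. This is an added example, not code from any message in the thread: it regenerates the SHA-1 and SHA-256 SSHFP records for a public key and checks a key against a record the way a resolver-side check would. The sample key is constructed (an ssh-ed25519 blob whose key bytes are 0..31, not a real key pair); the hostname host.example is a placeholder. The fingerprint is the digest of the raw key blob, so the hash is computed over the base64-decoded bytes.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample public key: the wire layout of an ssh-ed25519 key whose
# 32 key bytes are 0..31. Not a real key pair; a real ssh_host_ed25519_key.pub
# line has exactly this structure.
_SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed@example"
)


def parse_pubkey_line(line):
    """Return (keytype, raw_blob) from a 'type base64 [comment]' public key line."""
    keytype, encoded = line.split()[:2]
    return keytype, base64.b64decode(encoded)


def sshfp_records(hostname, pubkey_line):
    """Produce the SHA-1 and SHA-256 SSHFP records for one key, as ssh-keygen -r does."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algorithm = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {algorithm} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in sorted(SSHFP_DIGEST.items())
    ]


def parse_sshfp_record(record):
    """Split 'host IN SSHFP alg fptype hex' into (host, alg, fptype, lowercase hex)."""
    host, _cls, rrtype, algorithm, fptype, fingerprint = record.split()
    if rrtype != "SSHFP":
        raise ValueError("not an SSHFP record")
    return host, int(algorithm), int(fptype), fingerprint.lower()


def key_matches_sshfp(pubkey_line, record):
    """True only if the key's algorithm and its digest both agree with the record.

    A mismatch against a record you trust is the signal to stop and look at
    the host, rather than accept the key that was presented.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    _host, algorithm, fptype, fingerprint = parse_sshfp_record(record)
    if SSHFP_ALGORITHM.get(keytype) != algorithm or fptype not in SSHFP_DIGEST:
        return False
    expected = SSHFP_DIGEST[fptype](blob).hexdigest()
    return hmac.compare_digest(expected, fingerprint)


if __name__ == "__main__":
    for rec in sshfp_records("host.example", SAMPLE_PUBKEY_LINE):
        print(rec, key_matches_sshfp(SAMPLE_PUBKEY_LINE, rec))
```

Run against a real host, the pubkey line would come from the host's ssh_host_*_key.pub file or from the key the client was offered, and the record from DNS; ssh itself does the same comparison when VerifyHostKeyDNS is enabled.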
Re: ssh host ip/id management for dynamic dns servers [OT?]
On 02/11/2014 03:52 PM, Paul E Condon wrote:
> ...
> Known host checking is done, I think, to defend against 'man in the middle', so when the known host key changes because of some event down in the bowels of dynamic dns, does one have any possibility of determining that it is truly *not* a man-in-the-middle attack? Is there some method for checking up on dynamic dns changes other than merely noting the new value and adapting to it?
> ...

The host key does not change in this case, it's just that with dynamic DNS the same host gets a new IP address. That means that the same key can have multiple entries in known_hosts. known_hosts can get long and unwieldy, filling with ip numbers that will never be used again.

In the case where the host key does get changed (system replaced without backing up keys, for example) then StrictHostKeyChecking set to 'yes' or 'ask' shows the fingerprint before adding it to known_hosts. It is also possible to pre-load in advance the user's known_hosts or the system's known host with the appropriate public key.

Regards,
/Lars

Archive: http://lists.debian.org/52fa3a23.3040...@gmail.com
Re: ssh host ip/id management for dynamic dns servers
On 02/11/2014 01:10 AM, Zenaan Harkness wrote:
> On Feb 10, 2014 2:53 PM, Zenaan Harkness z...@freedbms.net wrote:
>> With a dyndns type server, each time a new ip address happens, ssh login adds a new entry to .known_hosts
>>
>> Is there a recommended way to handle this?
>
> On 2/11/14, Schlacta, Christ aarc...@aarcane.org wrote:
>> Configure static dhcp leases for your server systems. Every dhcp daemon had a configuration entry for this.
>
> Thank you for the suggestion, however it's the public side that's the problem - I do have the server set up (internally) with static config.
>
> The publicly visible IP changes every so often, using a dynamic dns service. Accessing the server from this public domain name obviously results in a new IP address every now and then.
>
> I'm wondering:
> 1) how to easily clean known_hosts
> 2) is there some configuration to automate/simplify this
>
> PS Please reply to the list in general, unless it really is a personal email - I just made the same mistake, although there was no debian address to reply to :)

One way might be to paste the key into sed and use //d to delete the lines with the key. Since / can occur in a key, # is used here as the delimiter:

sed '\#B3NzaC1yc2EDAQABAAABAQDK...#d' ~/.ssh/known_hosts

If that does what you want then add -i

Regards,
/Lars

Archive: http://lists.debian.org/52f9d0be.1090...@gmail.com
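The sed approach above removes every line carrying the key, and the reply further up in the thread (awk with c++ { next }) keeps one copy. Both are put together here as an added example, not code from any message in the thread, in Python rather than sed or awk so that a / inside the key needs no special delimiter and the file can be rewritten from a parsed copy. It also goes a step further than the thread: collapse_duplicate_keys() folds every address seen for the same key into the one line that still names the host, which is the shape the thread says known_hosts ends up losing. The sample file content and its keys are constructed placeholders, not entries from any real host; the only format assumptions are the documented known_hosts fields (optional @marker, host list, key type, key, comment).

```python
import sys

# Constructed sample known_hosts content; the keys are placeholders, not real keys.
# One dynamic host has accumulated three entries for the same key, as described above.
SAMPLE_KNOWN_HOSTS = """\
# known_hosts sample (constructed)
foobar.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE
203.0.113.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE
203.0.113.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE
[foobar.example.com]:1234 ssh-rsa AAAAB3NzaC1yc2EDAQABAAABAQDKFAKEKEYTWO
other.example.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFAKEKEYTHREE
"""


def parse_entry(line):
    """Split one known_hosts line into (marker, hosts, keytype, key, comment).

    Returns None for blank and comment lines. The optional marker is
    @cert-authority or @revoked; hosts is the comma-separated pattern list,
    which may be hashed (|1|...) or carry a port as [host]:port.
    """
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = ""
    if fields[0].startswith("@"):
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        return None  # malformed: passed through untouched, never rewritten
    hosts, keytype, key = fields[:3]
    return marker, hosts, keytype, key, " ".join(fields[3:])


def prune_by_key(text, key_fragment, keep_one=True):
    """Remove entries whose key contains key_fragment.

    keep_one=True keeps the first matching entry (normally the one that still
    names the host), which is what the awk one-liner does; keep_one=False
    drops every match, like the sed version. Returns (new_text, removed_count).
    """
    kept, removed, seen = [], 0, False
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and key_fragment in entry[3]:
            if keep_one and not seen:
                seen = True
            else:
                removed += 1
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def collapse_duplicate_keys(text):
    """Merge plain (unhashed) entries that share a key into one line listing
    every host pattern seen, so a host whose address keeps changing occupies
    a single line. Hashed entries, comments and malformed lines pass through.
    """
    merged = {}   # (marker, keytype, key) -> [host list, comment]
    output = []   # raw line, or the identity tuple standing in for a merged line
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[1].startswith("|1|"):
            output.append(line)
            continue
        marker, hosts, keytype, key, comment = entry
        ident = (marker, keytype, key)
        if ident not in merged:
            merged[ident] = [[], comment]
            output.append(ident)
        for host in hosts.split(","):
            if host not in merged[ident][0]:
                merged[ident][0].append(host)
    lines = []
    for item in output:
        if isinstance(item, str):
            lines.append(item)
            continue
        marker, keytype, key = item
        hostlist, comment = merged[item]
        parts = [marker] if marker else []
        parts += [",".join(hostlist), keytype, key]
        if comment:
            parts.append(comment)
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 prune_known_hosts.py KEYFRAGMENT < ~/.ssh/known_hosts > known_hosts.new
    # With no argument it runs on the constructed sample instead.
    if len(sys.argv) > 1:
        text, fragment = sys.stdin.read(), sys.argv[1]
    else:
        text, fragment = SAMPLE_KNOWN_HOSTS, "FAKEKEYONE"
    new_text, removed = prune_by_key(text, fragment)
    sys.stdout.write(new_text)
    print(f"removed {removed} duplicate entries", file=sys.stderr)
```

Like the awk version, this writes a new file rather than editing known_hosts in place; check the result before moving it over the original, since a line lost here is a host you will be asked to trust again.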
Re: How can I secure a Debian installation?
On 31.01.2014 08:17, Артур Истомин wrote:
> Also, SSH: passwords or keys? - http://lwn.net/Articles/369703/

It's no longer an XOR choice now that Wheezy has OpenSSH-server 6.4 in the backports repository. With 6.2 and later it is possible to require both a key and a password. See the configuration option AuthenticationMethods with the arguments publickey,password

Regards,
/Lars

Archive: http://lists.debian.org/52eb96d2.5010...@gmail.com
Re: notify if a process take more than X time
On 27.01.2014 19:43, Pol Hallen wrote:
> Hi all, I need to add to my script a notify if a process takes more than X time, so using ps I can see what time a process takes:
> [snip]

Maybe use timeout(1) to send a signal (e.g. USR1) and have your script trap that signal and send a mail when it receives it?

Regards,
/Lars

Archive: http://lists.debian.org/52e69f51.4040...@gmail.com
Re: Shutdown computer after a specific command has been executed
On 12/09/2013 01:42 PM, Muntasim-Ul-Haque wrote:
> Hi,
> I need a tool that would make sure that, my computer would shutdown after a specific command has been executed. This tool would just wait for the Terminal for executing a command, like '/sudo apt-get upgrade/' and then after the command has been executed, my computer would shutdown. Is that possible? Is there a tool or anything out there that can do this for me? Let me know. It would be of great help. Thanks in advance.
> Muntasim-Ul-Haque

This would do it, but only if apt succeeds:

sudo apt-get upgrade && sudo shutdown -h now

If you want it shut down regardless of the outcome of apt, then this should do it:

sudo apt-get upgrade; sudo shutdown -h now

regards,
/Lars

Archive: http://lists.debian.org/52a5bc14.7030...@gmail.com
Re: Shutdown computer after a specific command has been executed
On 12/09/2013 03:30 PM, Ralf Mardorf wrote:
> On Mon, 2013-12-09 at 14:48 +0200, Lars Noodén wrote:
>> If you want it shut down regardless of the outcome of apt, then this should do it:
>>
>> sudo apt-get upgrade; sudo shutdown -h now
>
> Wrong, if the upgrade should take too long, then you need to type the password after the upgrade. Better run
>
> $ sudo -i
> # apt-get update ; apt-get upgrade ; shutdown -h now
>
> Regards,
> Ralf

It depends on how you have sudoers configured. On some systems certain combinations of programs+options need no password. It's up to the sysadmin and the users.

Regards,
/Lars

Archive: http://lists.debian.org/52a5c6eb.8060...@gmail.com
Re: about MS email retrieve
On 11/23/2013 06:41 PM, Joe wrote:
> has to live with it as there are no MS alternatives.

Not quite. Citadel and Kolab offer the same functionality, but in a more secure, modular architecture. Recently OpenChange is a transparent replacement:

http://www.zentyal.org/2013/10/zentyal-launches-the-only-native-microsoft-exchange-replacement/

though hopefully it is not as insecure and bug-ridden. I don't know when, if or how it would be ported to Debian.

Regards,
/Lars

Archive: http://lists.debian.org/5290ef1f.6000...@gmail.com
Re: [OT] P* language web page (Was: Re: P* - New language for web programming)
On 11/19/2013 01:50 AM, Atle Solbakken wrote:
> On 18 Nov 2013 22:45, Alois Mahdal wrote:
>> I haven't seen the old one, but this one looks OK to me, except that the fonts are about 2x as big as should be. For example, the main title in header does not even fit my screen (1280x800), it cuts at Prog
>>
>> Ironically, while sometimes I do use zoom in feature on various pages from time to time, on your page I actually had to zoom out to 50% :)
>
> I guess this means that it's a very bad idea to design web pages on a 50 Full-HD TV :) I should have noticed that the fonts were too big when I didn't have to zoom in like I do on all other pages.
>
> Anyway, I changed the page and used the good old 900px wide centered page with 16px font size-trick, looks better now?

Use relative measurements like 'em', it allows the users to adjust the page to fit the viewing device. Screens come in all kinds of sizes, resolutions and aspect ratios nowadays.

Regards,
/Lars

Archive: http://lists.debian.org/528b0803.9080...@gmail.com
Re: Run script for each ssh login
You could try making a script and then calling it with ForceCommand. Have it fail to abort the session or call a shell to allow it to proceed.

Regards,
/Lars

Archive: http://lists.debian.org/5283db46.90...@gmail.com
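A gate script of the kind suggested above, as an added example that is not from any message in the thread. It assumes sshd is pointed at it with ForceCommand (the path /usr/local/sbin/ssh-gate and the allow list are hypothetical) and relies on two things sshd documents: it exports the client's request in SSH_ORIGINAL_COMMAND, and whatever the script execs becomes the session. The script either refuses (non-zero exit, which ends the session), hands over to the login shell for an interactive login, or runs one of a fixed set of commands; every decision is logged to syslog so denials are visible.

```python
#!/usr/bin/env python3
"""Hypothetical ForceCommand gate; referenced from sshd_config as
   ForceCommand /usr/local/sbin/ssh-gate   (path is an assumption)
sshd runs this instead of the requested command and exports the original
request in SSH_ORIGINAL_COMMAND, so the script can refuse the session or
hand over to the user's shell.
"""
import os
import shlex
import sys
import syslog

# Allow list of exact argument vectors (hypothetical); anything else is refused.
# An empty request means an interactive login, handled separately in decide().
ALLOWED_COMMANDS = {
    ("uptime",),
    ("git-upload-pack", "/srv/git/project.git"),
}


def decide(original_command, login_shell="/bin/sh"):
    """Return the argv to execute for this session, or None to refuse it.

    The request is split with shell quoting rules but never handed to a
    shell, so the matched argv is exactly what runs: 'uptime; id' splits
    into ['uptime;', 'id'], matches nothing and is refused.
    """
    if not original_command:
        return [login_shell, "-l"]          # interactive login: the user's shell
    try:
        argv = shlex.split(original_command)
    except ValueError:                      # unbalanced quotes
        return None
    return argv if tuple(argv) in ALLOWED_COMMANDS else None


def main():
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    peer = (os.environ.get("SSH_CONNECTION") or "unknown").split()[0]
    argv = decide(requested, os.environ.get("SHELL", "/bin/sh"))
    syslog.openlog("ssh-gate", syslog.LOG_PID, syslog.LOG_AUTH)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING, f"deny from={peer} cmd={requested!r}")
        sys.exit("ssh-gate: command not permitted")   # non-zero exit ends the session
    syslog.syslog(syslog.LOG_INFO, f"allow from={peer} argv={argv!r}")
    os.execvp(argv[0], argv)                # replaces this process; no shell in between


if __name__ == "__main__":
    main()
```

The same pattern works per key with command="..." in authorized_keys; ForceCommand in a Match block applies it to every login of the matched users regardless of which key they present.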
Re: No space left on device (28) but device is NOT full!
On Tue, Nov 05, 2013 at 03:13:10PM +0400, Reco wrote:
> perl -e 'for(<popularity-*>){((stat)[9]&&(unlink))}'

I have two questions. Why && before unlink and why stat[9] there? stat[9] is mtime.

Regards,
/Lars

Archive: http://lists.debian.org/5278ffc9.4000...@gmail.com
Re: No space left on device (28) but device is NOT full!
On 11/05/2013 05:33 PM, Reco wrote:
> Hi.
>
> On Tue, Nov 05, 2013 at 04:25:13PM +0200, Lars Noodén wrote:
>> On Tue, Nov 05, 2013 at 03:13:10PM +0400, Reco wrote:
>>> perl -e 'for(<popularity-*>){((stat)[9]&&(unlink))}'
>>
>> I have two questions. Why && before unlink and why stat[9] there?
>
> You have to pass unlink something to delete. Stat is called without an argument, hence $_ is used for stat too. '&&' is used to give unlink something to work with. Try it like this:
>
> perl -e 'for(<*>){((stat)[9])&&(printf)}'

Ok. It's just there and does not play any functional role.

perl -e 'for(<*>){((stat)[9]);printf}'

>> stat[9] is mtime.
>
> Files are sorted in directory inode by mtime. That saves you sorting all the file list in directory.

Interesting.

Thanks,
/Lars

Archive: http://lists.debian.org/52791242.7050...@gmail.com
Re: sudo and UNIXes
On 10/28/2013 03:47 PM, Reco wrote:
> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
> [snip]
>> You also have to add to the picture such a vulnerability, and I haven't noticed any.
>
> If we're speaking of public vulnerabilities:
>
> CVE-2010-0427.
> CVE-2013-1775 (allows bypass sudoers modification to retain root privileges).

CVE-2010-0427 may be the better example of the two, though it relies on a special configuration. CVE-2013-1775 is a rather contrived case and needs physical access. The general perception is that the game is over anyway when there is physical access.

/Lars

Archive: http://lists.debian.org/526e6d10.5070...@gmail.com
Re: How to format the command output like MySQL output
On 21.10.2013 01:33, Shawn Wilson wrote:
> Lars Noodén lars.noo...@gmail.com wrote:
>> On 20.10.2013 04:17, 陶治江 wrote:
>>> On 2013-10-20 0:53, Lars Noodén wrote:
>>>> On 19.10.2013 19:35, 陶治江 wrote:
>>>> [snip]
>>>>> I think it seems good like this, but I do not know how to make it out. (someone says awk, sed may help, but the environment does not permit it). Is there some libs or tools that can help make the output result good and elegant?
>>>> [snip]
>>>>
>>>> Perl would be the next step up, but if awk is not allowed then perl certainly won't be.
>>>>
>>>> Regards,
>>>> /Lars
>>>
>>> yes, the whole system size is extremely limited, so the only possible way is to find a suitable C lib to handle this. What a big task
>>
>> What about the PCRE library?
>>
>> http://www.pcre.org/
>>
>> That's written in C and gives you the power of perl's regular expressions.
>
> We use libpcre in some projects and it might be useful but it does not give a perl compatible regex engine. It might have up to perl 4 regex support but there might even be some missing features there too. So no, not the power of perl regex here.

Ok. My mistake. I see it in all kinds of package dependencies and thought it was further along than it was.

Regards,
/Lars

Archive: http://lists.debian.org/5264c42f.3020...@gmail.com
Re: How to format the command output like MySQL output
On 20.10.2013 04:17, 陶治江 wrote:
> On 2013-10-20 0:53, Lars Noodén wrote:
>> On 19.10.2013 19:35, 陶治江 wrote:
>> [snip]
>>> I think it seems good like this, but I do not know how to make it out. (someone says awk, sed may help, but the environment does not permit it). Is there some libs or tools that can help make the output result good and elegant?
>> [snip]
>>
>> Perl would be the next step up, but if awk is not allowed then perl certainly won't be.
>>
>> Regards,
>> /Lars
>
> yes, the whole system size is extremely limited, so the only possible way is to find a suitable C lib to handle this. What a big task

What about the PCRE library?

http://www.pcre.org/

That's written in C and gives you the power of perl's regular expressions.

Regards,
/Lars

Archive: http://lists.debian.org/52639636.60...@gmail.com
Re: web-gui for scripts
On 18.10.2013 20:56, Pol Hallen wrote:
> [snip]
> But it is boring every time to connect to ssh and put a new domain using the command line... :-/
> [snip]

You could try a single-purpose key. You are logging in using keys already, I hope? If you combine the single-purpose key with some changes to ~/.ssh/config then you can log in and launch the script with two words. It would take only a few steps to set up.

Regards,
/Lars

Archive: http://lists.debian.org/52624d25@gmail.com
Re: How to format the command output like MySQL output
On 19.10.2013 19:35, 陶治江 wrote:
> [snip]
> I think it seems good like this, but I do not know how to make it out. (someone says awk, sed may help, but the environment does not permit it). Is there some libs or tools that can help make the output result good and elegant?
> [snip]

Perl would be the next step up, but if awk is not allowed then perl certainly won't be.

Regards,
/Lars

Archive: http://lists.debian.org/5262b8f3.4030...@gmail.com
Re: web-gui for scripts
On 18.10.2013 15:35, Pol Hallen wrote:
> Howdy :-)
>
> I'm searching for what is the way to create a gui interface for my scripts (security web-gui).
>
> So, a script could be something like this (executed by root user):
>
> #!/bin/bash
> # pr.sh
> /etc/postfix reload
>
> So, I must create a gui to reload the postfix service

/bin/sh will be a little less load on the system, not that it matters.

I would put the script in /usr/local/sbin or something like that, owned by root and not writable by anyone else. Then add a line in /etc/sudoers that allows www-data to run just that script and without any options.

%www-data ALL=(ALL) NOPASSWD: /usr/local/sbin/postfix_reloader ""

The "" is important because it disallows any other parameters, not that your script should use them.

> I can write a php script like this:
>
> <?php
> $output = shell_exec('/root/bin/.pr.sh');
> echo "<pre>$output</pre>";
> ?>
>
> But I'm afraid about security issue
>
> I've also ssl on apache web.
>
> What is the best way to create a web security gui? Using post/put apache commands? using php code?
>
> Thanks for help!

The easiest thing is to make sure no user-submitted data can be passed on to the system and no system output can be passed on directly to the user. Use if-then statements, case statements, and even scrubbing via regex if it is necessary to pass data.

Also, if these are maintenance scripts, you might want to put them behind TLS and a password

http://httpd.apache.org/docs/2.2/howto/auth.html

Ignore guides that tell you to put authentication in .htpassword. That advice is for people without access to the web server's configuration file.

Regards,
/Lars

Archive: http://lists.debian.org/52612e96.5040...@gmail.com
Re: block a program from access the Internet.
On 10.09.2013 01:54, Pascal Hambourg wrote:
> Lars Noodén wrote:
>> Vincent's link suggests that --cmd-owner was removed from iptables entirely.
>
> Actually it was removed from the kernel part of iptables, not from the iptables userland.
>
>> It would be important to find a more authoritative source on that like the netfilter list or the kernel list.
>
> Is the Linux 2.6.14 changelog authoritative enough?

That would do it. :)

> commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
> Author: Christoph Hellwig <h...@lst.de>
> Date: Sun Aug 14 17:33:59 2005 -0700
>
> [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
>
> Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

2.6.14 was a while ago, so I guess it's not coming back. Is it the concept itself that is broken or the implementation? FWIW BSD's PF doesn't have that option either, so I'm guessing the former.

One work-around would be to make a unique user or group for the process which shall be filtered and then use that with the owner match options --uid-owner or --gid-owner.

Regards,
/Lars

Archive: http://lists.debian.org/522ee763.1090...@gmail.com
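The work-around Lars mentions, a dedicated group plus the owner match, written out as an added example (not code from the thread). The group name "noinet" and the DRY_RUN switch are constructed; the iptables options used (-m owner --gid-owner, -m limit, LOG, REJECT) are the ones in the iptables help output quoted earlier in the thread plus standard targets. With DRY_RUN=1 (the default) it only prints the commands it would run, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread: a dedicated group ("noinet",
# constructed name) is created, the program is started with that group
# as its primary group via sg(1), and the iptables owner match rejects
# traffic from sockets owned by that group. Unlike the removed --cmd-owner,
# --gid-owner keys on the process credentials, so renaming or copying the
# binary does not bypass it; what it does not stop is the same user simply
# starting the program without sg. DRY_RUN=1 prints the commands instead
# of running them (the real thing needs root).

: "${DRY_RUN:=1}"

# run CMD...: print the command line in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# owner_block_rules GROUP: rules for the OUTPUT chain. Loopback stays open
# (local proxies, DNS caches), everything else from the group is logged at
# a bounded rate and rejected, so the program fails fast instead of hanging
# on connection timeouts.
owner_block_rules() {
    group=$1
    run iptables -A OUTPUT -o lo -m owner --gid-owner "$group" -j ACCEPT
    run iptables -A OUTPUT -m owner --gid-owner "$group" \
        -m limit --limit 5/min -j LOG --log-prefix "noinet: "
    run iptables -A OUTPUT -m owner --gid-owner "$group" -j REJECT
}

# setup GROUP: create the system group and install the rules.
setup() {
    run groupadd --system "$1"
    owner_block_rules "$1"
}

# run_offline GROUP CMD...: start a program with GROUP as its primary
# group. The invoking user must already be a member of GROUP
# (usermod -aG GROUP user), otherwise sg asks for a group password.
run_offline() {
    group=$1; shift
    run sg "$group" -c "$*"
}

if [ "${1:-}" = setup ]; then
    setup "${2:-noinet}"
fi
```

To apply it for real: `DRY_RUN=0 sh block_group.sh setup noinet` as root, then `run_offline noinet some-program` from a shell where the function is defined. The LOG rule gives you a kernel log line each time the program tries to reach out, which is the evidence you want when checking that the block actually works.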
Re: block a program from access the Internet.
On 09.09.2013 14:01, atar wrote:
> Hi there!!
> Just wanted to know please if there's a way to block a specific program from accessing the Internet while preserving at the same time the ability of other programs to access the Internet, and if there's a way, so how?
> Thanks in advance!!
> atar.

You could try with iptables using -m owner --cmd-owner

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TABLE.OWNERMATCH

But that will only work on a system where everyone behaves themselves. It would be trivial to rename or make a copy of the program and run it under a new name.

Regards,
/Lars

Archive: http://lists.debian.org/522d86e4.9020...@gmail.com
Re: block a program from access the Internet.
On 9/9/13 3:14 PM, atar wrote:
> Thanks for replying!
> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>
> iptables v1.4.14: unknown option --cmd-owner
> Try `iptables -h' or 'iptables --help' for more information.
>
> Regards!
> atar.

My mistake. It seems that the tutorial is way out of date.

$ iptables -m owner --help
...
owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.

Regards,
/Lars

Archive: http://lists.debian.org/522d9ac3.8070...@gmail.com
Re: avoid starting a program during reboot
On 9/9/13 1:16 PM, lina wrote:
> Hi,
> I do not want to start some program, such as apache server, during reboot, shall I simply remove it from /etc/init.d/ ?
> haha ... is it a bit brutal? or lack elegance?
> Thanks with best regards,

Your default runlevel is 2, so you would look in /etc/rc2.d/ for the script to remove; actually it is a symlink there. If you want to do it officially, you could use 'update-rc.d':

update-rc.d -f apache2 remove

That should get it from all the rc?.d directories.

Regards,
/Lars

Archive: http://lists.debian.org/522da1e2.2050...@gmail.com
Re: avoid starting a program during reboot
On 9/9/13 1:39 PM, lina wrote:
>> update-rc.d -f apache2 remove
>>
>> That should get it from all the rc?.d directories.
>
> Gorgeous, thanks both of you.

An afterthought: If you want it to stick permanently even after upgrades you will also have to re-populate the directories with stop scripts:

update-rc.d apache2 stop 17 0 1 2 3 4 5 6 .

Regards,
/Lars

Archive: http://lists.debian.org/522da73d.5080...@gmail.com
Re: avoid starting a program during reboot
On 9/9/13 1:51 PM, lina wrote:
> I notice apache2 still in /etc/init.d/, it is good, so I can restart it when I need it (only occasionally).

Yes. You can use that script to start (and then stop) the service on demand.

/etc/init.d/apache2 start

That directory is where the template script resides. You can restore the defaults later if you need to.

update-rc.d apache2 defaults

Or use some custom selection of sequence and runlevels. The defaults are fished out of the template script and you can view them there in the script.

> BTW, how do I know my runlevel is 2?
> $ nice
> 0

runlevel is kind of an anachronism. You can find it by running 'runlevel' and you can change it by running 'telinit'. It is/was used to have different constellations of services running, effectively putting the machine into different modes of operation.

> and what does 17 stand for?

17 is the sequence in which the script is executed. It can be anything 00 - 99. Look at the numbers of the other scripts in /etc/rc2.d/

The manual pages for update-rc.d, runlevel, and telinit cover a lot of details and some background. The whole mess is referred to as SystemV init scripts.

Regards,
/Lars

Archive: http://lists.debian.org/522daa12.7070...@gmail.com
Re: block a program from access the Internet.
On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>>>
>>> iptables v1.4.14: unknown option --cmd-owner
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>> atar.
>>
>> My mistake. It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid]      Match local UID
>> [!] --gid-owner groupid[-groupid]    Match local GID
>> [!] --socket-exists                  Match if socket exists
>>
>> So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.
>
> Hmmm. I get this:
>
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid       Match local uid
> [!] --gid-owner groupid      Match local gid
> [!] --pid-owner processid    Match local pid
> [!] --sid-owner sessionid    Match local sid
> [!] --cmd-owner name         Match local command name
> NOTE: pid, sid and command matching are broken on SMP

FWIW mine is also iptables 1.4.14,

$ lsb_release -rd
Description:    Debian GNU/Linux 7.0 (wheezy)
Release:        7.0
$ iptables -V
iptables v1.4.14

So somewhere between 1.3.5 and 1.4.14, the capability disappeared.

Regards,
/Lars

Archive: http://lists.debian.org/522dc402.9050...@gmail.com
Re: block a program from access the Internet.
On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>>>
>>> iptables v1.4.14: unknown option --cmd-owner
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>> atar.
>>
>> My mistake. It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid]      Match local UID
>> [!] --gid-owner groupid[-groupid]    Match local GID
>> [!] --socket-exists                  Match if socket exists
>>
>> So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.
>
> Hmmm. I get this:
>
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid       Match local uid
> [!] --gid-owner groupid      Match local gid
> [!] --pid-owner processid    Match local pid
> [!] --sid-owner sessionid    Match local sid
> [!] --cmd-owner name         Match local command name
> NOTE: pid, sid and command matching are broken on SMP

One possible explanation might be SMP:

$ uname -a
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2+deb7u2 i686 GNU/Linux

Regards,
/Lars

Archive: http://lists.debian.org/522dc5c9.1080...@gmail.com
Re: avoid starting a program during reboot
On 09.09.2013 17:22, Brian wrote:
> On Mon 09 Sep 2013 at 13:47:25 +0300, Lars Noodén wrote:
>> On 9/9/13 1:39 PM, lina wrote:
>>>> update-rc.d -f apache2 remove
>>>>
>>>> That should get it from all the rc?.d directories.
>>>
>>> Gorgeous, thanks both of you.
>>
>> An afterthought: If you want it to stick permanently even after upgrades you will also have to re-populate the directories with stop scripts:
>>
>> update-rc.d apache2 stop 17 0 1 2 3 4 5 6 .
>
> Nobody appears to be taking any notice of what update-rc.d(8) says:
>
>     A common system administration error is to delete the links with the thought that this will disable the service, i.e., that this will prevent the service from being started. However, if all links have been deleted then the next time the package is upgraded, the package's postinst script will run update-rc.d again and this will reinstall links at their factory default locations. The correct way to disable services is to configure the service as stopped in all runlevels in which it is started by default. In the System V init system this means renaming the service's symbolic links from S to K.
>
> So
>
>     update-rc.d apache2 disable
>
> should be used.

Thanks.

Regards,
/Lars

Archive: http://lists.debian.org/522ddaa5.3010...@gmail.com
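A way to check what the rc?.d links actually say after `update-rc.d apache2 disable` (or after the `remove` and `stop` variants discussed earlier in the thread), as an added example that is not part of the thread. It reads the S/K links directly, which is the state the man page text above describes, and a constructed /etc/rc?.d tree is built under a temporary directory so it can be exercised without touching the real system; the root-directory parameter and the helper that builds the fake tree are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: report a service's start/stop links
# per runlevel, so you can verify that "update-rc.d NAME disable" really
# renamed the S links to K links instead of the links just being deleted
# (which the package's postinst would undo on the next upgrade).
# ROOT defaults to the real system; pass a constructed tree for testing.

# service_state NAME [ROOT]: print one line per runlevel directory:
#   "<runlevel> enabled <seq>", "<runlevel> disabled <seq>" or "<runlevel> absent"
service_state() {
    name=$1
    root=${2:-}
    for dir in "$root"/etc/rc[0-6S].d; do
        [ -d "$dir" ] || continue
        level=${dir##*/rc}; level=${level%.d}
        state=absent
        for link in "$dir"/S[0-9][0-9]"$name" "$dir"/K[0-9][0-9]"$name"; do
            [ -e "$link" ] || [ -L "$link" ] || continue
            base=${link##*/}
            seq=${base#?}; seq=${seq%"$name"}
            case $base in
                S*) state="enabled $seq" ;;
                K*) state="disabled $seq" ;;
            esac
        done
        printf '%s %s\n' "$level" "$state"
    done
}

# is_disabled NAME [ROOT]: succeed only if no runlevel still has an S link,
# i.e. the service will not be started at boot.
is_disabled() {
    ! service_state "$1" "${2:-}" | grep -q ' enabled '
}

# make_fake_tree DIR NAME: build a constructed /etc/rc?.d layout for
# testing: an S17 link in runlevel 2 and a K01 link in runlevel 0, roughly
# what the Debian defaults give a service such as apache2.
make_fake_tree() {
    mkdir -p "$1/etc/rc0.d" "$1/etc/rc2.d" "$1/etc/init.d"
    : > "$1/etc/init.d/$2"
    ln -s "../init.d/$2" "$1/etc/rc2.d/S17$2"
    ln -s "../init.d/$2" "$1/etc/rc0.d/K01$2"
}

# Usage on a real system: service_state apache2; is_disabled apache2 && echo off
```

Disabling via update-rc.d renames S17apache2 to K83apache2 (the K sequence is 100 minus the S sequence), which is what the `disabled 83` line in the check shows once the rename has happened.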
Re: Apache2 neds to ne reset
On 09.09.2013 19:43, John W. Foster wrote:
> I have an installation of Apache2 that is misconfigured and no longer works.

One way would be to remove the package apache2 and then move the config files out of the way. Then reinstall apache2 to get the default settings back.

apt-get remove apache2
mv /etc/apache2/ /etc/apache2.old/
apt-get install apache2

That allows you to at least use the old, broken config files as references.

Regards,
/Lars

Archive: http://lists.debian.org/522e0aac.6020...@gmail.com
Re: block a program from access the Internet.
On 10.09.2013 00:36, atar wrote:
> Lars wrote:
>> One possible explanation might be SMP:
>>
>> $ uname -a
>> Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2+deb7u2 i686 GNU/Linux
>>
>> Regards,
>> /Lars
>
> Sorry, but what's your meaning by 'SMP'?
>
> Regards,
> atar.

Ken's message had this line:

NOTE: pid, sid and command matching are broken on SMP

SMP is symmetric multiprocessing[1] and the kernel I have is using it. You can see what kernel you are running with 'uname':

uname -a

Vincent's link suggests that --cmd-owner was removed from iptables entirely. It would be important to find a more authoritative source on that like the netfilter list or the kernel list. But for now, it is enough to know that your particular version does not have it. You'll have to find another way.

Regards,
/Lars

[1] http://en.wikipedia.org/wiki/Symmetric_multiprocessing

Archive: http://lists.debian.org/522e1b76.2030...@gmail.com
Re: difference Debian, solaris, freebsd
On 29.08.2013 16:15, Muhammad Yousuf Khan wrote:
> What are the major differences between the three OSes: Debian, Solaris, FreeBSD?
> [snip]

Well, the most obvious difference is package management. Aside from that you can always add GNU utilities to Solaris and FreeBSD so that the differences from a user perspective can be quite small.

Regards,
/Lars

Archive: http://lists.debian.org/521f4ceb.7070...@gmail.com
Re: difference Debian, solaris, freebsd
On 29.08.2013 17:20, Muhammad Yousuf Khan wrote:
>> Well, the most obvious difference is package management. Aside from that you can always add GNU utilities to Solaris and FreeBSD so that the differences from a user perspective can be quite small.
>
> Thanks for your response, but I am asking from a server perspective, not GUI. In my opinion Ubuntu/Debian are the best in GUIs; however I am more interested to know about server side things.

I'm not talking about GUI. Even without the GUI the underlying package management systems are different, though they are less different than they used to be. Debian uses APT, which I like better.

Regards,
/Lars

Archive: http://lists.debian.org/521f59fc.7000...@gmail.com
Re: sudo questions
On 14.08.2013 17:36, Jerry Stuckle wrote:
> I agree in principle that sudo is better than su. The problem I have with it is security; when you use sudo you type in your own password. So if your password is compromised, the hacker can do anything the sudo user can do - which may be very bad.
> [snip]

One way around that is to not use the administrator's account for your daily tasks. Make a separate account without such privileges for daily use and only use the other one when you actually need root privileges.

Regards,
/Lars

Archive: http://lists.debian.org/520b96e5.3080...@gmail.com
Re: Continuous brute force attempt from own server !!!
On 07/26/2013 11:26 PM, Brian wrote:
> On Fri 26 Jul 2013 at 12:55:04 +0300, Lars Noodén wrote:
>> disabling that key and making a new one for yourself. It's a good idea for keys to be rotated periodically anyway.
>
> Does this 'good idea' have reasons to support it?

It is for much the same reasons that passwords are rotated. It was mainly this draft that convinced me:

http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1

It mentions rotating the keys in several places. There is also this one, which is about storage, but IMHO applies also to connection.

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Rekey_data_at_least_every_one_to_three_years

Regards,
/Lars

Archive: http://lists.debian.org/51f38d41.1000...@gmail.com
Re: Continuous brute force attempt from own server !!!
On 07/26/2013 12:05 PM, J B wrote:
> accepted public key from username_of_my_local_box from WAN_IP_of_my_local_box port 50574 ssh2

That looks like a valid log in from WAN_IP_of_my_local_box using one of your keys. If it is not you or one of your scripts then start by disabling that key and making a new one for yourself. It's a good idea for keys to be rotated periodically anyway.

Regards,
/Lars

Archive: http://lists.debian.org/51f24778.1080...@gmail.com
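A small audit of the "Accepted publickey" lines sshd writes, so that a key-based login from an address you do not recognise (the situation J B describes) stands out, as an added example that is not part of the thread. The log lines are constructed in the wording sshd uses in auth.log (J B paraphrased his); the user names, addresses and timestamps are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: list accepted public-key logins by
# user and source address from sshd log lines, and flag any source other
# than the one you expect for a given user. Sample lines below are
# constructed in sshd's auth.log format; hosts and users are invented.

sample_log() {
    cat <<'EOF'
Jul 26 09:12:01 server sshd[2101]: Accepted publickey for alice from 203.0.113.10 port 50574 ssh2
Jul 26 09:40:17 server sshd[2207]: Accepted password for bob from 198.51.100.7 port 41022 ssh2
Jul 26 11:03:45 server sshd[2390]: Accepted publickey for alice from 192.0.2.55 port 60001 ssh2
Jul 26 11:03:46 server sshd[2391]: Failed publickey for root from 192.0.2.55 port 60002 ssh2
Jul 26 12:15:09 server sshd[2512]: Accepted publickey for alice from 203.0.113.10 port 50580 ssh2
EOF
}

# key_logins: read sshd log lines on stdin, print "user source" for each
# accepted public-key login. Password logins and failed attempts are left
# out on purpose; the question here is which keys were used from where.
key_logins() {
    sed -n 's/.*Accepted publickey for \([^ ]*\) from \([^ ]*\) port .*/\1 \2/p'
}

# unexpected_sources USER EXPECTED_IP: read sshd log lines on stdin and
# print "source count" for every address other than EXPECTED_IP from
# which USER's key was accepted. Empty output means nothing to explain.
unexpected_sources() {
    key_logins | awk -v u="$1" -v ok="$2" '
        $1 == u && $2 != ok { n[$2]++ }
        END { for (s in n) print s, n[s] }'
}

# Usage against the real log: unexpected_sources alice 203.0.113.10 < /var/log/auth.log
```

Run it over /var/log/auth.log (or `journalctl -u ssh`) with your own address as the expected one; any line it prints is a key login you did not make, which is exactly the case where disabling that key and issuing a new one is the right first step.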
Re: How do you manage encrypted mail?
On 07/04/2013 03:00 AM, Richard Lawrence wrote:
> On Tue, Jul 02, 2013 at 03:18:54PM -0400, Rob Owens wrote:
>> Icedove/Thunderbird has the Enigmail extension to handle encryption. You might want to give that a try as well, particularly since you are trying to encourage others to use encryption and Thunderbird is available for both Linux and Windows (and Mac?).
>
> Yes, I used to use Thunderbird/Enigmail, and it is what I recommend to non-technical people, though I haven't used it recently myself (I don't much like GUI mail clients).
>
> Does Thunderbird/Enigmail have a way to search through encrypted mail? I don't remember this being available last time I used it.
> [snip]

Searching like that is a sorely needed function. It is unfortunately missing. I guess the way to go about it would be to have one index per key and to use the key to encrypt the index.

The need has been out there for a long time. See points 29 - 33 from 2001:

http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P5-TA-2001-0441&format=XML&language=EN

Regards,
/Lars

Archive: http://lists.debian.org/51d59658.7060...@gmail.com
Re: wacky question
On 06/24/2013 02:41 PM, Lisi Reisz wrote:
> So it is remarkable that he was able to predict so accurately what would be done with computers and CCTV (which had not of course been invented).

I think some of that has less to do with actual prediction than it has to do with many individuals misinterpreting the message. They have been using his books as templates of how things should be and working to make a world described in his books.

Regards
/Lars

Archive: http://lists.debian.org/51c83155.5040...@gmail.com
Re: From Squeeze to Wheezy: An upgrade problem
On 06/21/2013 01:04 AM, John wrote:
> 1. #dpkg --get-selections \* | grep -e install -e hold | grep -v deinstall > ~/my-selections-$(date +%Y%m%d)

I'd go with the raw output of dpkg:

$ dpkg --get-selections > ~/my-selections-$(date +'%F')

Sometimes it is important to know which packages have been removed.

Regards,
/Lars

Archive: http://lists.debian.org/51c42203.4080...@gmail.com
Re: Debian is the best!
On 06/18/2013 05:03 PM, Dirk wrote:
> you are clearly talking out of your ass... a boot loader doesn't need features other than loading the kernel... what crucial work do you do with the features of grub? spreadsheets? presentations? project managing? or do you play it like a text adventure figuring out what the grub rescue console actually does? *primitive is the best thing about lilo*... if you don't realize that then you don't care if a part as stupid as the boot loader doesn't work... because you have alternatives to linux..

Having just involuntarily bumped into the grub rescue console, I can say that LILO was much easier to work with and to figure out. In the case of grub I eventually had to give up and nuke the MBR from the rescue mode of the installation CD. grub is complex, grub2 more so.

Regards,
/Lars

Archive: http://lists.debian.org/51c07032.3090...@gmail.com
Sound from scratch on desktop
What do I need to add to get sound on Wheezy? I've installed pulseaudio but can't find any application added to the menus Sound & Video, Accessories, or Preferences.

Regards,
/Lars

Archive: http://lists.debian.org/51bebcc7.4000...@gmail.com
Enabling laptop suspend
I've selected 'Laptop' in tasksel and had it install the packages that go with that selection. When I close the lid of the laptop, the screen light goes out for a while but then seems to come back on after a minute or two. How can I get it to go into sleep or hibernate mode automatically when I shut the lid?

Regards,
/Lars

Archive: http://lists.debian.org/51bec30f.7040...@gmail.com
Ubuntu's Unity desktop
Not that I would consider running it myself, but is Ubuntu's Unity desktop available in any way for Debian? Or is it staying downstream?

Regards,
/Lars

Archive: http://lists.debian.org/51b74f10.1090...@gmail.com
Re: From Cameron AFRICA
On 5/25/13 5:54 PM, Slavko wrote:
> You can try some Window Managers (without DE) too, such as OpenBox, FluxBox or FVWM crystal, but for these you will need some learning. These are reported as working nicely in 128 MB RAM environments.

If you have very low RAM, these window managers (Openbox, Fluxbox, FVWM) will be the best fit for you. The configuration is not point and click, but once you understand the config files, they are easy to use and easy to teach to others.

There are real limitations when there is only a small amount of RAM. But if you keep your activities simple, the machines will work well, e.g. one document or web page open at a time.

> About Ubuntu usage, please use the Ubuntu community or the Canonical support. These days I am not sure about where Ubuntu is going and if it will be a community or commercial distro in the coming days.

I also have reservations about Ubuntu these days. Many of the decisions are, to put it politely, puzzling. Debian is always a good choice but Mint is a little more pre-packaged if you like that and comes highly recommended.

How is your network connectivity?

Regards,
/Lars

Archive: http://lists.debian.org/51a0e6d8.10...@gmail.com
Re: ssh tunnel help
On 5/22/13 4:15 PM, Nelson Green wrote:
> ... connect my psql client directly to that development server, on its port 5432. So I want to be able to locally run a command similar to:
>
> [me@mymachine]$ psql -U dbusername -h dev1 -p xxx
>
> where, if I remember correctly, xxx is the port I tunnel into the public system on. I know I've done this before, but since I rarely work from home like this I've forgotten the steps. Would someone care to enlighten me?

One way you could try is like this[1]:

ssh -L 5432:localhost:5432 \
    -o 'ProxyCommand=ssh -W %h:%p pub1.example.org' \
    devel.example.org

Then you would connect to the local host:

psql -U dbusername -h localhost -p 5432

> On a related note, how do I kill the tunnel after I am done with it? I've just killed the process in the past, but I'm wondering if there is not a more elegant way?

You can close the connection and the tunnel will close. Or, depending on which version of ssh you have, you can try one of the ssh escape sequences:

~C
KL5432

Where K is for kill and L or R is the type of forwarding and 5432 is the actual port. Press ~C? to get the full list of options that are/aren't available.

Regards,
/Lars

[1] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

Archive: http://lists.debian.org/519cd3f2.7000...@gmail.com
Re: About installation DVD's
On 5/17/13 7:39 PM, Rupesh Reddy wrote:
> None of you have answered my question, i.e., what's the process going on. I am relatively new to Debian. As I am living in a remote area I am asking the questions above and also I can't use jidigo.
> Cheers, Rupesh.

I missed whether you were planning on buying the DVDs or burning your own. If you are looking to buy, here is a list of vendors:

http://www.debian.org/CD/vendors/

Some ship internationally, if you don't have anything suitable locally.

I don't know if it is an option for you but you could set up a portable hard drive with Debian. Then take it on a visit to an area with good connectivity and build your own repository to take back home.

Regards,
/Lars

Archive: http://lists.debian.org/51966513.8040...@gmail.com
Re: Secure way of voice communication between two PCs
If you both have access to each other's computers then the method in the thread below might be portable in some way to Debian if an alternative to aucat can be found.

http://kerneltrap.org/mailarchive/openbsd-misc/2009/6/5/5882003

Otherwise, you could go SIP. Jitsi claims to have good encryption.

https://jitsi.org/

The transmission should probably be ok, but how vulnerable the endpoints are is another matter.

Regards,
/Lars

Archive: http://lists.debian.org/CACq_q0eC=y5NpA1byF40o=kes-MA=nQf5C+r=jrwcamcr+p...@mail.gmail.com
Re: Without SKYPE?
On 5/2/13 11:08 PM, Brian wrote:
> On Thu 02 May 2013 at 22:20:28 +0300, Lars Nooden wrote:
>> On Thu, 2 May 2013, Doug wrote:
>>> On 05/02/2013 12:29 PM, Lars Nooden wrote:
>>>> There are Blink, Linphone, Ekiga, Jitsi, and maybe a few others. Jitsi is quite useful. These are all SIP phones so they can all talk to each other, not locked into a single company like Skype.
>>>>
>>>> Regards,
>>>> /Lars
>>>
>>> But can they talk to folks using SKYPE?
>>> --doug
>>
>> They can all talk to each other using SIP. Only Skype can talk to Skype, that's part of the lock-in.
>
> You are obviously unconcerned about SIP providers who lock their users into using their service. SIP may be an open protocol but its users can bend it to their own uses. Isn't that what it is all about? SIP-to-SIP uses the network; the protocol works. "Users on SIP-network-X can only communicate with SIP-network-Y" is not an unknown situation. How does that differ from Skype?

I haven't run into that yet. Which SIP networks are to be avoided?

Regards,
/Lars

Archive: http://lists.debian.org/51835bf9.7060...@gmail.com
Re: Without SKYPE?
On 5/2/13 11:40 PM, Brian wrote:
> On Thu 02 May 2013 at 16:22:55 -0400, staticsafe wrote:
>> On 5/2/2013 16:14, Brian wrote:
>>> On Thu 02 May 2013 at 15:28:08 -0400, staticsafe wrote:
>>>> On 5/2/2013 15:24, Brian wrote:
>>>>> I did. How does it allow someone not running the *Skype software* to connect with the Skype network?
>>>>
>>>> It doesn't. The Skype protocol is proprietary.
>>>
>>> Really! :) So XMPP isn't in the picture?
>>
>> Not if you want to talk to users on the Skype network. To reiterate: Only the official Skype client provided by Skype can be used to communicate with other Skype clients. XMPP is a separate protocol.
>
> We are in agreement. If you want to get in touch with someone on the Skype network then the Skype software has to be used somewhere along the line. In terms of Free software this is unfortunate - but such is life.

You can also get them to expand. There are no technical reasons they could not also install a SIP client alongside their Skype client.

Regards,
/Lars

Archive: http://lists.debian.org/51835c54.1020...@gmail.com
Re: what's your Debian uptime?
On 4/17/13 3:12 PM, Brad Rogers wrote:
> [snip]
> ksplice can be used for security patching the kernel.
> [snip]

What's the status of ksplice in Debian? Oracle hasn't been the best steward for the other FOSS projects and it's been a while since ksplice was in the news.

Regards,
/Lars

Archive: http://lists.debian.org/516eb409.2040...@gmail.com
Re: Using unstable for certain packages
On 4/12/13 2:33 PM, Tom Browder wrote:
> Is it possible to fine tune the package sources so as to use unstable only for certain packages?
>
> Best regards,
> -Tom

If the package you want is not in backports, then you could try apt-pinning:

http://wiki.debian.org/AptPreferences

Regards,
/Lars

Archive: http://lists.debian.org/5167f253.9040...@gmail.com
Re: Using unstable for certain packages
> I suggest to get the source packages instead and rebuild them for your environment.

Check first to see if it is in backports. If it is there that will save having to build it from source. Not everything is there, but if it is, it will save time.

Regards,
/Lars

Archive: http://lists.debian.org/516805f0.2030...@gmail.com
Re: slow ssh prompt
On 4/11/13 1:45 PM, binary dreamer wrote:
> Hi. I am running Debian 6.0.7 and I am facing a problem with slow response when asking to ssh. Once I do
>
> ssh root@192.168.1.77
>
> the prompt for the passwd takes around 30 secs to respond. After that everything is fine. Is there a way to fix that delay?

As mentioned, it might be the DNS lookup. Is your client machine properly registered in DNS for the server to be able to easily look it up? If not, you might try changing UseDNS from yes to no in /etc/ssh/sshd_config.

Also, it's not such a good idea to leave remote root logins enabled. It is possible to tune sudo via /etc/sudoers so that you can accomplish a specific task without giving away access to the whole show.

Regards,
/Lars

Archive: http://lists.debian.org/5166a288.9080...@gmail.com
Re: slow ssh prompt
On 4/11/13 5:16 PM, binary dreamer wrote:
> [snip]
> here is the output
>
> /etc/ssh# more ssh_config
> [snip]
>
> any ideas?

That's ssh_config, for the client. The file to look in is sshd_config, which is for the server. It will be on the machine you are connecting to, rather than on the machine you are connecting from. If you do not have access, you may have to work something out with the system administrator.

Did you check the output of ssh -v for possible clues also?

Regards,
/Lars

Archive: http://lists.debian.org/5166cd03.3010...@gmail.com
Re: Data Archiving
On 4/8/13 7:30 PM, Gary Roach wrote:
> Ok, the organization is the Unitarian Universalist Church of Long Beach CA. We have been around since 1913. I recently got stuck with the job of Church Historian and am concerned about the closet full of records going back to day one.
> [snip]

Is there a historical archive in the region where you might get advice? Or perhaps a library school with an archival line with students in need of projects or practical training? Helping solve this kind of problem can be very interesting for the right people, if you can find them.

Regards,
/Lars

Archive: http://lists.debian.org/5162f19e.8010...@gmail.com
Re: encrypt connection pc to proxy server
On 03/06/2013 11:53 AM, oxy wrote:
> Thus, it has to be a solution for 8hs/day straightforward use, best not too slow and not too expensive, but a fair price I'd pay. These are the requirements. So which are the possible options for me in this case?

The easiest and least complex solution was suggested. It would be a simple SSH tunnel over to your proxy/cache.

ssh -L 3128:localhost:3128 -fNT proxy.example.com

From there you would point your browser at port 3128 (or whatever) on the local host.

Regards
/Lars

Archive: http://lists.debian.org/5137144d.9080...@gmail.com