Re: [gentoo-user] {OT} Allow work from home?

2016-03-06 Thread Neil Bothwick
On Sun, 6 Mar 2016 12:05:17 -0800, Daniel Frey wrote:

> >> Ah, I wasn't aware. I am using it with KDE and haven't seen any
> >> issues.  
> > 
> > It works with KDE4 but not KDE5, so if you're on stable you'll be OK,
> > for now.
> > 
> > http://wiki.x2go.org/doku.php/doc:de-compat
> > 
> >   
> 
> Good to know, thanks for that link. If it really comes down to it I can
> move to xfce on that server for what I use it for. I'm going to wait out
> on KDE5 anyhow, I did make an early jump to KDE4 (knowing there was
> issues) and don't particularly want to go through that again.

I held off on KDE4 and still found it unusable for a few more releases.
KDE5 is nowhere near such a dramatic change, there were a few issues at
first but it's good now. I installed LXDE for x2go but XFCE will do just
as well.


-- 
Neil Bothwick

When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.




Re: [gentoo-user] {OT} Allow work from home?

2016-03-06 Thread Daniel Frey
On 03/06/2016 09:36 AM, Neil Bothwick wrote:
> On Sun, 6 Mar 2016 08:43:09 -0800, Daniel Frey wrote:
> 
>>> I'm using it with the latest testing xorg-server and it works fine.
>>> There are some DEs it has problems with, which are well documented,
>>> but not the X server.
> 
>> Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.
> 
> It works with KDE4 but not KDE5, so if you're on stable you'll be OK, for
> now.
> 
> http://wiki.x2go.org/doku.php/doc:de-compat
> 
> 

Good to know, thanks for that link. If it really comes down to it I can
move to xfce on that server for what I use it for. I'm going to wait out
on KDE5 anyhow, I did make an early jump to KDE4 (knowing there was
issues) and don't particularly want to go through that again.

Dan



Re: [gentoo-user] {OT} Allow work from home?

2016-03-06 Thread Neil Bothwick
On Sun, 6 Mar 2016 08:43:09 -0800, Daniel Frey wrote:

> > I'm using it with the latest testing xorg-server and it works fine.
> > There are some DEs it has problems with, which are well documented,
> > but not the X server.

> Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.

It works with KDE4 but not KDE5, so if you're on stable you'll be OK, for
now.

http://wiki.x2go.org/doku.php/doc:de-compat


-- 
Neil Bothwick

Most software is about as user-friendly as a cornered rat!




Re: [gentoo-user] {OT} Allow work from home?

2016-03-06 Thread Daniel Frey
On 03/05/2016 01:22 AM, Neil Bothwick wrote:
> On Sat, 05 Mar 2016 00:55:17 +0100, lee wrote:
> 
>>> I'm using the most recent stable and it works for me:
>>>
>>> $ equery list xorg-server
>>>  * Searching for xorg-server ...
>>> [IP-] [  ] x11-base/xorg-server-1.17.4:0/1.17.4  
>>
>> Maybe the problem has been recently fixed entirely.
> 
> I'm using it with the latest testing xorg-server and it works fine. There
> are some DEs it has problems with, which are well documented, but not the
> X server.
> 
> 

Ah, I wasn't aware. I am using it with KDE and haven't seen any issues.

Dan



Re: [gentoo-user] {OT} Allow work from home?

2016-03-06 Thread Neil Bothwick
On Sat, 05 Mar 2016 00:55:17 +0100, lee wrote:

> >>> Still using x2go, still works wonderfully.  
> >> 
> >> IIRC, I wanted to try it, and it turned out to be incompatible with
> >> current X servers --- perhaps they fixed that in the meantime ...
> >>   
> >
> > What version are you using?  
> 
> I'm not using it because I would have had to downgrade the X server to
> be able to install it.  There was a bug report about something which
> led to marking the package as incompatible with current X servers.
> 
> > I'm using the most recent stable and it works for me:
> >
> > $ equery list xorg-server
> >  * Searching for xorg-server ...
> > [IP-] [  ] x11-base/xorg-server-1.17.4:0/1.17.4  
> 
> Maybe the problem has been recently fixed entirely.

I'm using it with the latest testing xorg-server and it works fine. There
are some DEs it has problems with, which are well documented, but not the
X server.


-- 
Neil Bothwick

 Q:  How does a Zen Master order a hot dog?
 A: "Make me one with everything."




Re: [gentoo-user] {OT} Allow work from home?

2016-03-04 Thread lee
Daniel Frey  writes:

> On 02/21/2016 04:36 PM, lee wrote:
>> Daniel Frey  writes:
>> 
>>> On 02/20/2016 02:27 AM, lee wrote:
>>>> Daniel Frey  writes:
>>>>> I looked up x2go and rebuilt openssh on my home server as it suggested
>>>>> to try it out. 
>>>
>>> I should mention I undid the hpn USE-flag change (x2go suggested
>>> building without it) and it works fine, the newer versions have patches
>>> that don't require hpn to be disabled.
>>>
>>> Still using x2go, still works wonderfully.
>> 
>> IIRC, I wanted to try it, and it turned out to be incompatible with
>> current X servers --- perhaps they fixed that in the meantime ...
>> 
>
> What version are you using?

I'm not using it because I would have had to downgrade the X server to
be able to install it.  There was a bug report about something which
led to marking the package as incompatible with current X servers.

> I'm using the most recent stable and it works for me:
>
> $ equery list xorg-server
>  * Searching for xorg-server ...
> [IP-] [  ] x11-base/xorg-server-1.17.4:0/1.17.4

Maybe the problem has been recently fixed entirely.



Re: [gentoo-user] {OT} Allow work from home?

2016-02-22 Thread Daniel Frey
On 02/21/2016 04:36 PM, lee wrote:
> Daniel Frey  writes:
> 
>> On 02/20/2016 02:27 AM, lee wrote:
>>> Daniel Frey  writes:
>>>> I looked up x2go and rebuilt openssh on my home server as it suggested
>>>> to try it out. 
>>
>> I should mention I undid the hpn USE-flag change (x2go suggested
>> building without it) and it works fine, the newer versions have patches
>> that don't require hpn to be disabled.
>>
>> Still using x2go, still works wonderfully.
> 
> IIRC, I wanted to try it, and it turned out to be incompatible with
> current X servers --- perhaps they fixed that in the meantime ...
> 

What version are you using?

I'm using the most recent stable and it works for me:

$ equery list xorg-server
 * Searching for xorg-server ...
[IP-] [  ] x11-base/xorg-server-1.17.4:0/1.17.4

Dan



Re: [gentoo-user] {OT} Allow work from home?

2016-02-22 Thread lee
Daniel Frey  writes:

> On 02/20/2016 02:27 AM, lee wrote:
>> Daniel Frey  writes:
>>> I looked up x2go and rebuilt openssh on my home server as it suggested
>>> to try it out. 
>
> I should mention I undid the hpn USE-flag change (x2go suggested
> building without it) and it works fine, the newer versions have patches
> that don't require hpn to be disabled.
>
> Still using x2go, still works wonderfully.

IIRC, I wanted to try it, and it turned out to be incompatible with
current X servers --- perhaps they fixed that in the meantime ...



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread Daniel Frey
On 02/20/2016 02:27 AM, lee wrote:
> Daniel Frey  writes:
>> I looked up x2go and rebuilt openssh on my home server as it suggested
>> to try it out. 

I should mention I undid the hpn USE-flag change (x2go suggested
building without it) and it works fine, the newer versions have patches
that don't require hpn to be disabled.

Still using x2go, still works wonderfully.

Dan





Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread Rich Freeman
On Sat, Feb 20, 2016 at 5:55 AM, lee  wrote:
> Rich Freeman  writes:
>
>> develop.  (Before somebody points out LUKS, be aware that Bitlocker
>> lets you do full-disk encryption that is secure without having to
>> actually type a decryption key at any point.  Remove the hard drive or
>> boot from a CD, and the disks are unreadable - you can only read them
>> if you boot off them on the original PC.)
>
> And how do you read the disks when this original machine is broken?
>

Well, in general you still want to have backups.  I believe many of
these sorts of solutions do let you escrow a key elsewhere.

> It doesn't seem very secure, either.  When your laptop that uses
> Bitlocker gets into the wrong hands, whoever has it can read the disks.

Kinda-sorta.  They can boot the machine, but now they're stuck at a
login prompt.  In order to extract data from the computer they need to
defeat password-throttling, the kernel, and so on.  They have to go
through the front-door.  The main protection is against offline
password cracking/etc.

I'd think the biggest vulnerability of something like Bitlocker would
be against direct memory attacks.  I assume that the session keys are
stored in RAM - I can't imagine that all drive reads/writes are
streamed through the TPM.  So, extracting the keys from RAM after
bootup would be the biggest risk.  If the user data is encrypted using
user-entered passwords you're still going to have all the security of
a LUKS-like solution but with the advantage of rate limiting of
attacks.

In ChromeOS they took a different approach.  They use UEFI secure boot
to protect the OS, and then encrypt user data using a key derived from
the user's password and the TPM, using the TPM to rate-limit attacks.
In this design only the user's private data is protected from reading,
but to crack it they still have to boot the system normally and go
through the front door.  There is no way to offline-crack the user's
weak hand-entered password.  They either need to send that password
through the TPM (I'm not sure if they can do that offline or not -
probably they can, but it is still rate-limited by the TPM itself), or
they need to directly brute-force the AES key which is of course
impractical.

The problem with LUKS is that it doesn't do anything to rate-limit
attacks since there is no hardware component to it.  Of course it is
designed to make attacks more expensive using multiple rounds/etc to
make up for the weakness of memorized passwords.

-- 
Rich
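Rich's comparison above (no rate limit on a LUKS header, a TPM-enforced lockout in the Bitlocker and ChromeOS designs) can be put into numbers. The following is an added example written for this archive page; it is not code from the thread and not vendor code. It loosely models the TPM 2.0 dictionary-attack parameters maxTries and recoveryTime (a failed-attempt counter that decays by one every recoveryTime seconds) and sets a constructed offline budget beside it: one second of KDF work per guess and 64 workers. The 26^8 keyspace is a constructed stand-in for a weak memorised password, and all parameter values are assumptions.

```python
"""Guess budgets under an offline KDF versus a TPM-enforced lockout.

Added example; not from Rich's post and not vendor code. It models the
TPM 2.0 dictionary-attack (DA) protection loosely: a failed-attempt
counter that the TPM increments on every wrong authorization value and
decrements by one every recoveryTime seconds, refusing attempts while the
counter sits at maxTries. All parameter values below are constructed.
"""


class DictionaryAttackLockout:
    """Loose model of the TPM 2.0 DA counter (maxTries / recoveryTime)."""

    def __init__(self, max_tries, recovery_time):
        self.max_tries = max_tries
        self.recovery_time = recovery_time
        self.failed_tries = 0
        self._clock = 0  # simulated seconds; advanced by the caller only

    def _decay(self, now):
        """Apply the per-recoveryTime decrements accrued since the last call."""
        steps = (now - self._clock) // self.recovery_time
        if steps > 0:
            self.failed_tries = max(0, self.failed_tries - steps)
            self._clock += steps * self.recovery_time

    def submit_wrong_guess(self, now):
        """True if the TPM evaluated the guess, False if it was in lockout."""
        self._decay(now)
        if self.failed_tries >= self.max_tries:
            return False
        self.failed_tries += 1
        return True


def lockout_guesses_in_window(max_tries, recovery_time, window_seconds):
    """Wrong guesses a TPM with these DA parameters evaluates in a window.

    The attacker is assumed to retry at every second of the window.
    """
    tpm = DictionaryAttackLockout(max_tries, recovery_time)
    accepted = 0
    for now in range(window_seconds):
        while tpm.submit_wrong_guess(now):
            accepted += 1
    return accepted


def offline_guesses_in_window(kdf_seconds_per_guess, parallel_workers, window_seconds):
    """Guesses against a LUKS-style header in the same window: bounded only by
    the KDF cost per guess and how many workers are thrown at it."""
    return int(window_seconds * parallel_workers / kdf_seconds_per_guess)


def years_to_exhaust(keyspace, guesses_per_hour):
    """Worst-case time to try every candidate at a sustained hourly rate."""
    return keyspace / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    keyspace = 26 ** 8  # constructed: eight lowercase letters
    tpm_rate = lockout_guesses_in_window(5, 600, 3600)      # maxTries 5, 10 min decay
    offline_rate = offline_guesses_in_window(1.0, 64, 3600)  # 1 s KDF, 64 workers
    print(f"TPM lockout: {tpm_rate} guesses/hour -> {years_to_exhaust(keyspace, tpm_rate):,.0f} years")
    print(f"offline KDF: {offline_rate} guesses/hour -> {years_to_exhaust(keyspace, offline_rate):,.0f} years")
```

The offline figure scales linearly with hardware, which is exactly what the KDF rounds in LUKS are meant to slow down; the lockout figure does not scale at all, since the counter lives in the TPM and every guess has to go through the front door.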



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Rich Freeman  writes:

> develop.  (Before somebody points out LUKS, be aware that Bitlocker
> lets you do full-disk encryption that is secure without having to
> actually type a decryption key at any point.  Remove the hard drive or
> boot from a CD, and the disks are unreadable - you can only read them
> if you boot off them on the original PC.)

And how do you read the disks when this original machine is broken?

It doesn't seem very secure, either.  When your laptop that uses
Bitlocker gets into the wrong hands, whoever has it can read the disks.



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Rich Freeman  writes:

> On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
>> Rich Freeman  writes:
>>> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>>>> Rich Freeman  writes:
>>>>
>>>>> However, while an RDP-like solution protects you from some types of
>>>>> attacks, it still leaves you open to many client-side problems like
>>>>> keylogging.  I don't know any major corporation that lets people RDP
>>>>> into their applications in general.
>>>>
>>>> What do they use instead?

>>>
>>> As I mentioned in my previous email - they just hand all their
>>> employees laptops.  Control the hardware, control the software,
>>> control the security...
>>
>> I mean instead of rdp.  It's a simple solution which works really well
>> on a LAN with Windoze.  What's the equivalent that works with Linux?
>
> Well, I've never been in a company that runs Linux on the desktop, or
> which even provides VDIs for Windows.

I'm doing that at work, and nothing speaks against doing it on the
thin-clients other than that the users would need to get used to it and
the poor graphics performance --- you can't really call that
"performance" --- of thin clients.  Other than that, we'd be much better
off.

What we would need are cheap thin clients that can drive at least two 4k
displays each, and there are none that could even drive one.  I don't
understand why they make thin-clients that aren't usable because their
graphics "performance" is from the '90s.

> The most common solution is to provide windows laptops to users with
> various software packages for management/security/etc.

Laptops have slightly better graphics and add a maintenance overhead
thin-clients don't have, and they cost more.  Other than that, they
could replace the thin-clients, and nothing speaks against putting
Gentoo onto them.

Desktop machines require too much electricity.  That's another thing I
don't understand:  Why can't they finally manufacture hardware which is
really power efficient /and/ provides decent performance?

> The closest thing to RDP for Linux that I'm aware of is various
> NX-based implementations, like x2go, which I've mentioned a few times.
> It can be somewhat finicky.  And of course there is VNC, which is much
> less efficient.  I don't think either really gets to the level of RDP
> in general.
>
> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

Indeed, it's really strange that there's such a big lack.



Re: [gentoo-user] {OT} Allow work from home?

2016-02-21 Thread lee
Daniel Frey  writes:

> On 01/17/2016 10:10 AM, Rich Freeman wrote:
>> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
>>>
>>> I would prefer a method that is independent of OS used. And provides server 
>>> side limitations with regards to filesharing and clipboard access.
>>>
>> 
>> x2go is just X11, so it should be OS-independent as long as you have a
>> client/server for it.  It just logs in as the appropriate user on the
>> remote host, so access beyond that is whatever you'd get if you just
>> logged in on a console.
>> 
>> Now, I can't vouch for how many OSes anybody has bothered to implement it on.
>> 
>
> Thanks for that tip on x2go - I'd struggled with freenx and eventually
> gave up and freenx isn't even in the tree anymore.
>
> I looked up x2go and rebuilt openssh on my home server as it suggested
> to try it out. Other than restarting sshd, I didn't have to do any
> configuration and it just *worked*. I've, like, never ever had that
> happen before. Even when I set up my tigervnc with xinetd it was days of
> experimenting before I got it to work. tigervnc also was hanging up X
> upgrades, so now I can successfully ditch tigervnc.
>
> x2go is so much faster it's unbelievable. I have a gigabit LAN here at
> home and VNC was lagging pretty badly (to the point where I decided
> against even trying to use it remotely.)
>
> Some things to note: there's no android client, but there is one for
> Windows/linux/MacOS. I haven't tried it on my Windows laptop yet, but
> one of these days I'll dig it out and try it.

Thank you for letting us know, I'll keep x2go in mind.

> Makes me wonder if it would be possible to spin up a VM on demand with
> x2go on and preconfigured if OP requires users not to be on the same host.

It probably is; I guess you'd need something to start the VM when a
connection is attempted.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-24 Thread Grant
>> >> > However, this won't do away with XSS, or other similar attack vectors
>> >> > if
>> >> > the users are not careful with their browsing habits.
>> >>
>> >> Can you give me an example?
>> >
>> > If your coder has another website page open in his/her browser which
>> > contains for example XSS or CSRF code, then the webpage of your company's
>> > web app could be potentially compromised by your user inadvertently
>> > executing state changing commands on it.  By providing a XSS payload the
>> > attacker could execute commands to change username/passwd, change email
>> > address, etc.  This is one reason that Internet Banking providers always
>> > advise their users to log out and then exit their browser when they have
>> > finished their online banking.
>
>> The other obvious attack would be simply stealing your session cookies
>> or SSL client certificate+key out of the browser's RAM, or off of
>> disk.
>
> Yes, session hi/sidejacking is possible, as well as obtaining sensitive
> information that the browser has happened to cache.  High value information
> like credit card details should have a no-cache, no-store, Expires:0, but I
> bet there are some websites out there which do not guard against this threat.
> I would have thought SSL certificates/keys would be protected in RAM, but if
> you have a Man-In-The-Browser attack I guess they wouldn't be.
>
> If you are using a VPN connection as a split-tunnel then although your
> connection to the LAN would be secure, browser credentials could still be
> stolen by browser sessions connecting to suspect websites outside the tunnel.
> It has to be a full VPN tunnel with forwarding Internet access blocked at the
> VPN gateway, for clients to mitigate this threat.


So the user is safe if I send all internet requests from her remote
laptop through the Zerotier connection (instead of only sending
requests to my server through Zerotier)?

- Grant
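The quoted advice on cache headers (no-cache, no-store, Expires: 0 for anything sensitive) can be turned into a check a defender runs against the application's own responses. The following is an added example for this archive page, not code from the thread; the two response header sets are constructed, and the check also looks for Pragma: no-cache, which is what HTTP/1.0 caches honour.

```python
"""Audit the caching headers on responses that carry sensitive data.

Added example for this archive page, not code from the thread. The two
header sets are constructed; the checks follow the quoted advice
(no-cache, no-store, Expires: 0) plus Pragma: no-cache for HTTP/1.0 caches.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: what a framework might emit by default for a logged-in page.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=600",
}

# Constructed: the header set the quoted advice asks for.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; arguments may be quoted.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def audit_cache_headers(headers, now=None):
    """Return findings for a response that must not be cached; [] means clean."""
    now = now or datetime.now(timezone.utc)
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []

    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browser may write the page to disk")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: a stored copy may be reused without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches keep the response")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control: max-age={max_age} keeps the response fresh for {max_age}s")

    # HTTP/1.0 caches ignore Cache-Control entirely; Pragma covers them.
    if "no-cache" not in lower.get("pragma", "").lower():
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")

    expires = lower.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    else:
        # RFC 7234 treats unparsable values such as "0" as already expired,
        # so only a valid date in the future is a problem.
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            when = None
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when > now:
                findings.append(f"Expires is in the future ({expires})")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cache_headers(hdrs) or "OK")
```

Run it against the headers your banking-style pages actually return (a captured response from the browser's network panel is enough); anything that comes back non-empty is a page an attacker with access to the client's disk cache could read after the session is over.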



Re: [gentoo-user] {OT} Allow work from home?

2016-01-24 Thread Rich Freeman
On Sun, Jan 24, 2016 at 10:56 AM, Grant  wrote:
>
> So the user is safe if I send all internet requests from her remote
> laptop through the Zerotier connection (instead of only sending
> requests to my server through Zerotier)?
>

It depends on what you mean by "safe."  If you mean that there is no
possibility of malware stealing or messing with your data this is the
case if:

As long as:
1.  You ensure that no malware enters through zerotier.
2.  No malware is present before you set up zerotier.
3.  No network connections are ever used other than zerotier.

If you mean safe to mean that nothing bad happens to the user's system
that wouldn't have happened if they use their own internet connect,
there is no real harm in using yours, assuming you don't leak your own
malware onto their system.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-24 Thread Rich Freeman
On Sun, Jan 24, 2016 at 1:36 PM, Mick  wrote:
> On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
>> On Sun, Jan 24, 2016 at 10:56 AM, Grant  wrote:
>> > So the user is safe if I send all internet requests from her remote
>> > laptop through the Zerotier connection (instead of only sending
>> > requests to my server through Zerotier)?
>>
>> It depends on what you mean by "safe."  If you mean that there is no
>> possibility of malware stealing or messing with your data this is the
>> case if:
>>
>> As long as:
>> 1.  You ensure that no malware enters through zerotier.
>> 2.  No malware is present before you set up zerotier.
>> 3.  No network connections are ever used other than zerotier.
>>
>> If you mean safe to mean that nothing bad happens to the user's system
that wouldn't have happened if they use their own internet connection,
>> there is no real harm in using yours, assuming you don't leak your own
>> malware onto their system.
>
> As Rich alludes to if through Zerotier the user can only connect to your
> webserver and no connections of the user are forwarded (through your Zerotier-
> LAN, or your webserver) to the Internet, the XSS kind of threats will be
> contained.
>
> However, as I understand it the Zerotier provides a split tunnel arrangement.
> The user will be able to use their browser to connect through Zerotier to your
> LAN, while through another window on the same browser they will be able to
> connect to the Internet using their own network.

That, and after they disconnect from zerotier the malware that has
been logging everything can go ahead and phone home to report in
without going through whatever protections you'd have on your own
network for outbound connections.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-24 Thread Mick
On Sunday 24 Jan 2016 13:44:12 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 1:36 PM, Mick  wrote:
> > On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> >> On Sun, Jan 24, 2016 at 10:56 AM, Grant  wrote:
> >> > So the user is safe if I send all internet requests from her remote
> >> > laptop through the Zerotier connection (instead of only sending
> >> > requests to my server through Zerotier)?
> >> 
> >> It depends on what you mean by "safe."  If you mean that there is no
> >> possibility of malware stealing or messing with your data this is the
> >> case if:
> >> 
> >> As long as:
> >> 1.  You ensure that no malware enters through zerotier.
> >> 2.  No malware is present before you set up zerotier.
> >> 3.  No network connections are ever used other than zerotier.
> >> 
> >> If you mean safe to mean that nothing bad happens to the user's system
> >> that wouldn't have happened if they use their own internet connection,
> >> there is no real harm in using yours, assuming you don't leak your own
> >> malware onto their system.
> > 
> > As Rich alludes to if through Zerotier the user can only connect to your
> > webserver and no connections of the user are forwarded (through your
> > Zerotier- LAN, or your webserver) to the Internet, the XSS kind of
> > threats will be contained.
> > 
> > However, as I understand it the Zerotier provides a split tunnel
> > arrangement. The user will be able to use their browser to connect
> > through Zerotier to your LAN, while through another window on the same
> > browser they will be able to connect to the Internet using their own
> > network.
> 
> That, and after they disconnect from zerotier the malware that has
> been logging everything can go ahead and phone home to report in
> without going through whatever protections you'd have on your own
> network for outbound connections.

To cover most eventualities big corporates I know use:

a) Company issued laptops, which are completely locked down in terms of 
applications and settings and connect to the corporate LAN via VPN with client 
SSL certificate authentication.

b) For BYODs, Virtualised Citrix XenDesktop, totally controlled by the 
corporate sysadmins, with DPI and webfiltering at the corporate firewall for 
outgoing connections.  Connections to Facebook, Twitter, prawn, etc. are 
blocked.

Both of the above are provided as work tools and the users understand that 
restrictions are part of their employment contract and at company time they 
are not meant to spend their mornings organising junior's birthday party on 
Facebook.

I don't know to what extent your users can be trusted and relied upon to 
follow good working practices.  Full VPN tunnel to the corporate LAN, plus up 
to date antivirus products if they are using MSWindows and up to date Linux 
PCs should protect from most attack vectors.  Alternatively, locked down 
Chrome books as Rich has already suggested and regular back ups should 
hopefully protect your corporate data from irretrievable damage.
 
-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-24 Thread Mick
On Sunday 24 Jan 2016 11:40:04 Rich Freeman wrote:
> On Sun, Jan 24, 2016 at 10:56 AM, Grant  wrote:
> > So the user is safe if I send all internet requests from her remote
> > laptop through the Zerotier connection (instead of only sending
> > requests to my server through Zerotier)?
> 
> It depends on what you mean by "safe."  If you mean that there is no
> possibility of malware stealing or messing with your data this is the
> case if:
> 
> As long as:
> 1.  You ensure that no malware enters through zerotier.
> 2.  No malware is present before you set up zerotier.
> 3.  No network connections are ever used other than zerotier.
> 
> If you mean safe to mean that nothing bad happens to the user's system
> that wouldn't have happened if they use their own internet connection,
> there is no real harm in using yours, assuming you don't leak your own
> malware onto their system.

As Rich alludes to if through Zerotier the user can only connect to your 
webserver and no connections of the user are forwarded (through your Zerotier-
LAN, or your webserver) to the Internet, the XSS kind of threats will be 
contained.

However, as I understand it the Zerotier provides a split tunnel arrangement.  
The user will be able to use their browser to connect through Zerotier to your 
LAN, while through another window on the same browser they will be able to 
connect to the Internet using their own network.

-- 
Regards,
Mick

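Mick's point about ZeroTier giving a split tunnel can be verified on the laptop itself by reading its routing table. The example below is added for this archive page (not from the thread and not ZeroTier code): it classifies constructed `ip -4 route show` output as a split or full tunnel and reports which interface a given destination leaves through. The interface name ztabcdef01 is an assumed stand-in for ZeroTier's zt-prefixed Linux interface names, and the 0.0.0.0/1 plus 128.0.0.0/1 pair is the usual shape of a pushed default route; ZeroTier installs one only when the network advertises it and the member has enabled the client's allowDefault setting.

```python
"""Tell a full-tunnel from a split-tunnel setup by reading the routing table.

Added example (not from Mick's or Rich's posts, and not ZeroTier code).
The route lines are constructed to look like `ip -4 route show` output on
a Linux laptop; the interface name ztabcdef01 is an assumed example of the
zt-prefixed names ZeroTier uses on Linux.
"""
import ipaddress

# Constructed sample: a member of a ZeroTier network (10.147.17.0/24) whose
# default route still points at the home router on wlan0.
SPLIT_TUNNEL_ROUTES = [
    "default via 192.168.1.1 dev wlan0 proto dhcp metric 600",
    "10.147.17.0/24 dev ztabcdef01 proto kernel scope link src 10.147.17.23",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600",
]

# Constructed sample: the same host after the network pushed a default route
# as two /1 routes, which win over the DHCP default without deleting it.
FULL_TUNNEL_ROUTES = SPLIT_TUNNEL_ROUTES + [
    "0.0.0.0/1 via 10.147.17.1 dev ztabcdef01",
    "128.0.0.0/1 via 10.147.17.1 dev ztabcdef01",
]


def parse_routes(lines):
    """Return [(network, interface)] from `ip route` lines; skip malformed ones."""
    routes = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        dev = next((fields[i + 1] for i, tok in enumerate(fields[:-1]) if tok == "dev"), None)
        routes.append((net, dev))
    return routes


def egress_interface(lines, destination):
    """Longest-prefix match: the interface that carries traffic to `destination`."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, dev in parse_routes(lines):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify_tunnel(lines, tunnel_iface):
    """'full' if the tunnel carries every IPv4 destination, 'split' if only
    some prefixes do, 'none' if no route uses the tunnel at all."""
    via_tunnel = [net for net, dev in parse_routes(lines) if dev == tunnel_iface]
    if not via_tunnel:
        return "none"
    # collapse_addresses merges overlapping prefixes, so the address count is exact.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(via_tunnel))
    return "full" if covered == 2 ** 32 else "split"


if __name__ == "__main__":
    for label, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(label, classify_tunnel(routes, "ztabcdef01"),
              "8.8.8.8 ->", egress_interface(routes, "8.8.8.8"))
```

On a real machine feed it `ip -4 route show` line by line; a "split" verdict means the browser window that is not talking to your LAN still reaches the Internet over the user's own uplink, which is the situation Mick describes. The IPv6 table needs the same check separately, since a full IPv4 tunnel says nothing about where IPv6 traffic goes.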


Re: [gentoo-user] {OT} Allow work from home?

2016-01-23 Thread Mick
On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > I'm sorry, I meant can I lock down access to my web stuff so that a
> >> > particular user can only come from a particular device (or from any
> >> > device containing a key).
> > 
> > You can use apache client authentication with SSL certificates only.  Of
> > course you will need to create a self-signed CA, which you will use to
> > create the web server public/private key pair and also sign each client's
> > certificate and upload it along with your CA certificate to the user's
> > browser.  This explains the principle:
> > 
> > http://wiki.cacert.org/HELP/9
> > 
> > 
> > Ditto with the VPN connection - should you still want to use VPN.
> 
> Let me see if I'm following.  I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication?  

Well, yes, but it won't be HTTP.  It will be HTTPS.  The server will request a 
client certificate, verify that it has been signed by the CA you defined in 
SSLCACertificateFile and allow it to access the web directory.  You can allow 
different certificates per directory on your server, if you so wish and define 
in SSLRequire directive which SSL_CLIENT_S_DN_OU values are acceptable; e.g.

SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Grant's Software, Ltd." \
   and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}


You will need to have the Client Certificate and private key imported in the 
user's browser, or in MSWindows also import them using certmgr.msc to make 
them available to any Windows-centric applications.


> Can I require a
> username/password along with the certificate?  Can I require the
> certificate only for certain users?

Yes, but for specifics have a look under SSLOptions:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Read FakeBasicAuth and StrictRequire.  So, for example:

SSLOptions   +FakeBasicAuth +StrictRequire

will allow client SSL certificate authentication as an alternative to Basic 
passwd authentication.


> > If a user certificate is lost or feared compromised, you revoke it with
> > your CA and upload the CRL to the server.
> > 
> > However, this won't do away with XSS, or other similar attack vectors if
> > the users are not careful with their browsing habits.
> 
> Can you give me an example?

If your coder has another website page open in his/her browser which contains 
for example XSS or CSRF code, then the webpage of your company's web app could 
be potentially compromised by your user inadvertently executing state changing 
commands on it.  By providing a XSS payload the attacker could execute 
commands to change username/passwd, change email address, etc.  This is one 
reason that Internet Banking providers always advise their users to log out 
and then exit their browser when they have finished their online banking.

-- 
Regards,
Mick

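Mick's SSLRequire line keeps the organisation/unit policy inside Apache. The added example below (written for this archive page, not Mick's code and not Apache's) applies the same policy in the application behind Apache, for the case where the backend has to make a per-user decision or log it. It assumes `SSLOptions +StdEnvVars`, so that mod_ssl passes SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN to the backend, and that the DN arrives in RFC 2253 form, which is the Apache 2.4 default unless LegacyDNStringFormat is set. The sample DNs are constructed. One caveat for the directive itself: in Apache 2.4 SSLRequire is deprecated in favour of `Require expr`, which accepts the same SSL_CLIENT_S_DN_* variables.

```python
"""Apply the SSLRequire organisation/unit policy inside the application.

Added example for this archive page; not Mick's code and not Apache's.
Assumes `SSLOptions +StdEnvVars`, so mod_ssl hands the backend
SSL_CLIENT_VERIFY ("SUCCESS" once the chain validated against
SSLCACertificateFile) and SSL_CLIENT_S_DN in RFC 2253 form, e.g.
"CN=alice,OU=Staff,O=Grant's Software\\, Ltd.". Sample DNs are constructed.
"""

ALLOWED_O = "Grant's Software, Ltd."       # value from the SSLRequire line
ALLOWED_OU = {"Staff", "Testers", "Dev"}    # set from the SSLRequire line


def parse_rfc2253_dn(dn):
    """Parse "CN=alice,OU=Staff,O=Acme\\, Inc." into [(attr, value), ...].

    A backslash escapes a separator inside a value; repeated attributes
    (two OU RDNs) are kept, since a certificate may carry several.
    """
    pairs = []
    attr, value, in_value, escaped = [], [], False, False
    for ch in dn:
        target = value if in_value else attr
        if escaped:
            target.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            in_value = True
        elif ch == "," and in_value:
            pairs.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            target.append(ch)
    if attr or value:
        pairs.append(("".join(attr).strip(), "".join(value)))
    return pairs


def authorize(env):
    """Mirror: SSLRequire %{SSL_CLIENT_S_DN_O} eq ... and %{SSL_CLIENT_S_DN_OU} in {...}.

    Returns (allowed, reason). The handshake result is checked first: the
    DN means nothing unless mod_ssl actually verified the certificate chain.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified by mod_ssl"
    attrs = parse_rfc2253_dn(env.get("SSL_CLIENT_S_DN", ""))
    orgs = [v for a, v in attrs if a.upper() == "O"]
    units = [v for a, v in attrs if a.upper() == "OU"]
    if orgs != [ALLOWED_O]:
        return False, f"organisation {orgs!r} is not {ALLOWED_O!r}"
    if not any(u in ALLOWED_OU for u in units):
        return False, f"unit {units!r} not in {sorted(ALLOWED_OU)}"
    cn = next((v for a, v in attrs if a.upper() == "CN"), "<no CN>")
    return True, f"{cn} ({', '.join(units)})"


# Constructed sample environments, as a CGI/WSGI backend would see them.
STAFF_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,OU=Staff,O=Grant's Software\\, Ltd.",
}
CONTRACTOR_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=bob,OU=Contractors,O=Grant's Software\\, Ltd.",
}
UNVERIFIED_ENV = {"SSL_CLIENT_VERIFY": "NONE",
                  "SSL_CLIENT_S_DN": STAFF_ENV["SSL_CLIENT_S_DN"]}

if __name__ == "__main__":
    for env in (STAFF_ENV, CONTRACTOR_ENV, UNVERIFIED_ENV):
        print(authorize(env))
```

The SSL_CLIENT_VERIFY check is the part people forget when they move policy into the application: with `SSLVerifyClient optional` a request can arrive with a DN that was never validated, and with `SSLVerifyClient require` the application still should not trust a DN it did not see mod_ssl vouch for.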


Re: [gentoo-user] {OT} Allow work from home?

2016-01-23 Thread Rich Freeman
On Sat, Jan 23, 2016 at 8:25 AM, Mick  wrote:
> On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
>
>> > If a user certificate is lost or feared compromised, you revoke it with
>> > your CA and upload the CRL to the server.
>> >
>> > However, this won't do away with XSS, or other similar attack vectors if
>> > the users are not careful with their browsing habits.
>>
>> Can you give me an example?
>
> If your coder has another website page open in his/her browser which contains
> for example XSS or CSRF code, then the webpage of your company's web app could
> be potentially compromised by your user inadvertently executing state changing
> commands on it.  By providing a XSS payload the attacker could execute
> commands to change username/passwd, change email address, etc.  This is one
> reason that Internet Banking providers always advise their users to log out
> and then exit their browser when they have finished their online banking.
>

The other obvious attack would be simply stealing your session cookies
or SSL client certificate+key out of the browser's RAM, or off of
disk.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-23 Thread J. Roeleveld
On Thursday, January 21, 2016 11:17:05 PM lee wrote:
> "J. Roeleveld"  writes:
> > On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > [...]
> >> > If disk-space is considered too expensive, you could even have every VM
> >> > use
> >> > the same base image. And have them store only the differences of the
> >> > disk.
> >> > eg:
> >> > 1) Create a VM
> >> > 2) Snapshot the disk (with the VM shutdown)
> >> > 3) create a new VM based on the snapshot
> >> > 
> >> > Repeat 2 and 3 for as many clones you want.
> >> > 
> >> > Most installs don't change that much when dealing with standardized
> >> > desktops.
> >> 
> >> How does that work?  IIUC, when you created a snapshot, any changes you
> >> make to the snapshotted (or how that is called) file system are being
> >> referenced by the snapshot which you can either destroy or abandon.
> >> When you destroy it, the changes you made are being applied to the
> >> file system you snapshotted (because someone decided to use a very
> >> misleading terminology), and when you abandon it, the changes are thrown
> >> away and you end up with the file system as it was before the snapshot
> >> was created.
> >> 
> >> In any case, you do not get multiple versions (which only reference the
> >> changes made) of the file system you snapshotted but only one current
> >> version.
> >> 
> >> Do you need to use a special file system or something which provides
> >> this kind of multiple copies when you make snapshots?
> > 
> > I use LVM for this.
> > 
> > Steps are simple:
> > 1) Create a LV (lv_1)
> > 2) Create and install a VM using this LV (lv_1)
> > 3) Stop the VM
> > 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
> > 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b,
> > slv_1b,.)
> > 
> > Start the VMs
> > 
> > This way you can overcommit on the actual diskspace as only changes are
> > taking up diskspace.
> > If you force everyone on the same base-image, the differences should not
> > be too large.
> 
> I don't use lvm anymore.  It requires you to have unused space in the
> same VG to make a snapshot (which, of course, I didn't have), and when
> you need to move a volume from one machine to another, you're screwed
> because you can't get the volume out of the volume group other than
> moving it to a different media after attaching this media to the VG and
> detaching it after the move.  Moving the volume to the new machine is
> likewise a pita.  I lost a whole VM when I did that, and I have no idea
> what might have happened to it.  I did copy it, and yet it somehow
> disappeared.

Keeping unassigned space available for growth and snapshots is common practice 
for me. I always have unassigned space which can be assigned quickly.
And when wanting the option to move VMs, put the "disks" on SANs.
If you want to do it on the cheap, you need to do a lot more manually.

> > If you also force users to store files on a shared filesystem, it
> > shouldn't be too much of a difficulty to occasionally move everyone to a
> > new base-image when the updates are causing the snapshots to grow too
> > much.
> 
> How do you force users to do that?  I tried that with some windoze 7
> VMs, and according to the rules, users are not allowed to save anything
> on their desktops, and nonetheless they can do that.  The installed
> applications also create data in the disk space of the VM.  Their MUAs
> do that, for example, and you may find users who have accumulated over
> 300GB for email storage.  Make the disk read-only, and the VM probably
> won't even start.

Not difficult, as long as you do NOT make everyone local admin and limit 
permissions.
Do not give them write-permissions everywhere and put a limited quota on their 
profiles.
And for email, do not allow the MUAs to store all the email locally, enforce a 
central mailserver.

I'm sorry, but you are expecting people on this list to provide you with all 
the answers which a simple google search should be able to answer.
And which is also covered in basic sys-admin documentation and courses.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-23 Thread Mick
On Saturday 23 Jan 2016 09:55:35 Rich Freeman wrote:
> On Sat, Jan 23, 2016 at 8:25 AM, Mick  wrote:
> > On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > If a user certificate is lost or feared compromised, you revoke it with
> >> > your CA and upload the CRL to the server.
> >> > 
> >> > However, this won't do away with XSS, or other similar attack vectors if
> >> > the users are not careful with their browsing habits.
> >> 
> >> Can you give me an example?
> > 
> > If your coder has another website page open in his/her browser which
> > contains for example XSS or CSRF code, then the webpage of your company's
> > web app could be potentially compromised by your user inadvertently
> > executing state changing commands on it.  By providing a XSS payload the
> > attacker could execute commands to change username/passwd, change email
> > address, etc.  This is one reason that Internet Banking providers always
> > advise their users to log out and then exit their browser when they have
> > finished their online banking.

> The other obvious attack would be simply stealing your session cookies
> or SSL client certificate+key out of the browser's RAM, or off of
> disk.

Yes, session hi/sidejacking is possible, as well as obtaining sensitive 
information that the browser has happened to cache.  High value information 
like credit card details should have a no-cache, no-store, Expires:0, but I 
bet there are some websites out there which do not guard against this threat.  
I would have thought SSL certificates/keys would be protected in RAM, but if 
you have a Man-In-The-Browser attack I guess they wouldn't be.

If you are using a VPN connection as a split-tunnel then although your 
connection to the LAN would be secure, browser credentials could still be 
stolen by browser sessions connecting to suspect websites outside the tunnel.  
It has to be a full VPN tunnel with forwarding Internet access blocked at the 
VPN gateway, for clients to mitigate this threat.
-- 
Regards,
Mick

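As an added example (not code from the thread), the following Python checks whether a response carrying sensitive data, such as the card details Mick mentions, actually sets the no-cache, no-store and Expires: 0 headers, and shows the hardened header set beside a weak one. The sample header dictionaries are constructed for the example.

```python
"""Check whether an HTTP response's caching headers keep sensitive content
(card details, account pages) out of browser and proxy caches.

Added example for this thread, not from the list discussion.  The sample
responses at the bottom are constructed; header semantics follow RFC 7234.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into a {directive: argument} map.

    Directive names are case-insensitive.  Several Cache-Control headers
    that a client library has joined with commas are handled as one list.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _is_past_date(value: str) -> bool:
    """True if `value` is an HTTP-date that lies in the past."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return False
    if when.tzinfo is None:          # "-0000" dates come back naive
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return problems with the caching policy of a sensitive response.

    An empty list means neither the browser nor an intermediate cache is
    permitted to keep or reuse the body.
    """
    h = {k.lower(): v for k, v in headers.items()}   # names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: body may be written to disk")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: cached copy may be reused "
                        "without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared (proxy) caches keep it")
    if cc.get("max-age", "0") != "0":
        findings.append(f"Cache-Control: max-age={cc['max-age']} permits reuse")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches ignore "
                        "Cache-Control)")
    expires = h.get("expires", "").strip()
    if expires not in ("0", "-1") and not _is_past_date(expires):
        findings.append("Expires should be 0 or a date in the past")
    return findings


def hardened_cache_headers() -> Dict[str, str]:
    """The header set a sensitive page should send (what Mick describes)."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


# Constructed sample responses: a weak default and a common half-measure.
WEAK_RESPONSE = {"Content-Type": "text/html",
                 "Cache-Control": "public, max-age=3600"}
HALF_RESPONSE = {"Content-Type": "text/html",
                 "Cache-Control": "no-cache",
                 "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("half", HALF_RESPONSE),
                        ("hardened", hardened_cache_headers())):
        print(label, cache_findings(hdrs) or "ok")
```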


Re: [gentoo-user] {OT} Allow work from home?

2016-01-23 Thread Rich Freeman
On Sat, Jan 23, 2016 at 12:17 PM, Mick  wrote:
> I would have thought SSL certificates/keys would be protected in RAM, but if
> you have a Man-In-The-Browser attack I guess they wouldn't be.
>

As far as I'm aware linux doesn't do anything to protect process RAM
from other processes with the same UID, at least not without SELinux
and such.  But, I could be wrong on that.  I'd expect that malware
running under your uid or of course as root could read your browser's
RAM.

-- 
Rich




Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
"J. Roeleveld"  writes:

> On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
>> "J. Roeleveld"  writes:
>> > [...]
>> > If disk-space is considered too expensive, you could even have every VM use
>> > the same base image. And have them store only the differences of the disk.
>> > eg:
>> > 1) Create a VM
>> > 2) Snapshot the disk (with the VM shutdown)
>> > 3) create a new VM based on the snapshot
>> > 
>> > Repeat 2 and 3 for as many clones you want.
>> > 
>> > Most installs don't change that much when dealing with standardized
>> > desktops.
>> How does that work?  IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>> 
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>> 
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>
> I use LVM for this.
>
> Steps are simple:
> 1) Create a LV (lv_1)
> 2) Create and install a VM using this LV (lv_1)
> 3) Stop the VM
> 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
> 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b, 
> slv_1b,.)
>
> Start the VMs
>
> This way you can overcommit on the actual diskspace as only changes are taking
> up diskspace.
> If you force everyone on the same base-image, the differences should not be too
> large.

I don't use lvm anymore.  It requires you to have unused space in the
same VG to make a snapshot (which, of course, I didn't have), and when
you need to move a volume from one machine to another, you're screwed
because you can't get the volume out of the volume group other than
moving it to a different media after attaching this media to the VG and
detaching it after the move.  Moving the volume to the new machine is
likewise a pita.  I lost a whole VM when I did that, and I have no idea
what might have happened to it.  I did copy it, and yet it somehow
disappeared.

> If you also force users to store files on a shared filesystem, it shouldn't be
> too much of a difficulty to occasionally move everyone to a new base-image when
> the updates are causing the snapshots to grow too much.

How do you force users to do that?  I tried that with some windoze 7
VMs, and according to the rules, users are not allowed to save anything
on their desktops, and nonetheless they can do that.  The installed
applications also create data in the disk space of the VM.  Their MUAs
do that, for example, and you may find users who have accumulated over
300GB for email storage.  Make the disk read-only, and the VM probably
won't even start.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
"J. Roeleveld"  writes:

> On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> >> "J. Roeleveld"  writes:
>
>> >> > 
>> >> > Yes
>> >> > 
>> >> >> That would be a huge waste of resources,
>> >> > 
>> >> > Diskspace and CPU can easily be overcommitted.
>> >> 
>> >> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> >> memory is not possible with xen.
>> > 
>> > Overcommitting diskspace isn't such a bad idea, considering most installs
>> > never utilize all the available diskspace.
>> 
>> When they do not use it anyway, there is no reason to give it to them in
>> the first place.  And when they do use it, how do the VMs handle the
>> problem that they have plenty disk space available, from their point of
>> view, while the host which they don't know about doesn't allow them to
>> use it?
>
> 1 word: Monitoring.
> When you overcommit any resource, you need to put monitoring in place.
> Then you also need to ensure you have the ability to increase that resource 
> when required.

So you more or less frequently shrink your VMs back when the monitoring
informs you that you need to do that?  Isn't it more reasonable not to
overcommit but to increase the resource when required?

>> Besides, overcommitting disk space means to intentionally create a setup
>> which involves that the host can run out of disk space easily.  That is
>> not something I would want to create for a host which is required to
>> function reliably.
>
> The host should not crash when a VM does or when the storage assigned to VMs 
> fills up.
> If it does, go back to the drawing board and fix your design.

I didn't say that the host would crash.  I wouldn't consider a VM which
is bound to run out of disk space as reliable, especially when it is
bound to run out of disk space because other VMs which are also bound to
run out of disk space use the disk space which the VM would need that's
running out.

>> And how much do you need to worry about the security of the VMs when you
>> build in a way for the users to bring the whole machine, or at least
>> random VMs, down by using the disk space which has been assigned to
>> them?  The users are somewhat likely to do that even unintentionally,
>> the more the more you overcommit.
>
> See comment about monitoring.
> If all your users tend to fill up all available diskspace, you obviously can 
> not overcommit on diskspace.

Have you ever seen a disk that doesn't fill up, the larger the disk, the
more it fills?

>> > Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At
>> > least, I seem to remember reading that somewhere)
>> 
>> That would be a nice feature.
>
> For VDIs, I might consider using it.
> But considering most OSs tend to fill up all available memory with caches, I 
> expect performance issues.

It depends on how you use it.

>> >> >> plus having to take care of a lot of VMs,
>> >> > 
>> >> > Automated.
>> >> 
>> >> Like how?
>> > 
>> > How do you manage a large amount of physical machines?
>> > Just change physical to VMs and do it the same.
>> > With VMs you have more options for automation.
>> 
>> Individually, in lack of a better way.  Per user when it comes to
>> setting up their MUAs and the like, in lack of any better way.  It
>> doesn't make a difference if it's a VM or not, provided that you have
>> remote access to the machine.
>
> This is where management tools come into play. (Same methods apply to physical
> and virtual)
>
> When talking MS Windows, domains with their policies are very useful. Couple 
> that with WSUS for the patching and software distribution tools for the 
> additional software installs, and you have a very nice setup.

I don't like what they call "domains".  They tend to get in the way, and
when you want to take a machine out of one, all the users need to be set
up anew.

Is WSUS of any use without domains?  If it is, I should take a look at
it.

> For Linux, I would recommend tools like Ansible or Puppet to control the 
> software on the machines.

Does it really have an advantage over logging in remotely?

> For any OS, I would prevent my users from installing random software. And what
> is installed, would be mostly pre-configured out-of-the-box.

And how do you preconfigure everything for each user?  It would sure be
nice if I could, say, install seamonkey and have every existing and new
user set up the way they are supposed to be set up without having to do
that for every user individually, on a number of VMs.

>> When you have one VM for many users, you install the MUA only once, and when
>> you need to do updates, you do them only once.  When you have many VMs,
>> like one for each user, you have to install and update many times, once
>> on each VM.
>

Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Rich Freeman  writes:

> On Tue, Jan 19, 2016 at 5:08 PM, lee  wrote:
>>
>> BTW, is it as easy to give a graphics card to a container as it is to
>> give it a network card?
>
> I've never tried it, but I'd think that the container could talk to a
> graphics card.

Maybe ... it's really easy with network cards.

>> What if you have a container for each user who
>> somehow logs in remotely to an X session?  Do (can) you run X sessions
>> that do not have a console and do not need a (dedicated) graphics card
>> (just for users logging in remotely)?
>
> You don't need to even have a graphics card to serve X11 via vnc or
> nx.  You could probably serve them even if your only server console
> was a serial console.  Just run x11vnc or whatever it is called - it
> is an X server whose only framebuffer is a VNC session.  I think NX
> uses the same server, but I'd have to check.  Of course, you wouldn't
> have 3D acceleration with this server, not that you'd be using it
> over NX/VNC.

That might be a problem when you want to use kde or gnome?

And I thought vnc sends a copy of what is displayed on the screen, so if
you were running a program that renders something on the screen and
uses/requires a graphics card for that, you should be able to see what
it renders.  If you can't see that, vnc is of very limited use.  How
does RDP deal with this?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Rich Freeman  writes:

> On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
>> "J. Roeleveld"  writes:
>>
>> How does that work?  IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>>
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>>
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>>
>
> And that is exactly what zfs and btrfs provide. Snapshots are full
> citizens.  If I create a snapshot of a directory in btrfs it is
> essentially indistinguishable from running cp -a on the directory,
> except the snapshot takes only seconds to create almost entirely
> regardless of size, and takes almost no space until changes are made.
> Later I can delete the snapshot, or delete the original, or keep both
> indefinitely making changes to either.

Hm, I must be misunderstanding snapshots entirely.

What happens when you remove a snapshot after you modified the
"original" /and/ the snapshot?  You destroy at least one of them, so you
can never get rid of the snapshot in a non-destructive way?

My understanding is that when you make a snapshot, you get a copy that
doesn't change which you can somehow use to make backups.  When the
backup is finished, you can remove the snapshot, and the changes that
were made in the meantime are not lost --- unless you decide to throw
them away when removing the snapshot, in which case you get a rollback.

To make things more complicated, I've seen zfs refusing to remove a
snapshot and saying that something is recursive (IIRC), and it didn't
make any sense anymore.  So I left everything as it was because I didn't
want to lose data, and a while later, I removed this very same snapshot
without getting issues as before.  Weird behaviour makes snapshots
rather scary, so I avoid them now.

There seems to be some sort of relationship between a snapshot and the
"original" which limits what you can do with a snapshot, like the
snapshot is somehow attached to the "original".  At least that makes
some sense to me because no real copy is created when you make a
snapshot.  But how do you detach a snapshot from the "original" so that
you could safely modify both?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Alec Ten Harmsel  writes:

> On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
>> Alec Ten Harmsel  writes:
>> >
>> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
>> > VirtualBox and vagrant for testing various software. Every VM in
>> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
>> > Add in all the other stuff on my system, which includes a 200GB dataset,
>> > and the disk is overcommitted. Of course, none of the VirtualBox disks
>> > use anywhere near 50GB.
>> 
>> True, that's for testing when you do know that the disk space will not
>> be used and have no trouble when it is.  When you have the VMs in
>> production and users (employees) using them, you don't know when they
>> will run out of disk space and trouble ensues.
>
> Almost. Here is an equal example: I am an admin on an HPC cluster. We
> have a shared Lustre filesystem that people store work files in while
> they are running jobs. It has around 1PB of capacity. As strange as this
> may sound, this filesystem is overcommitted (we have 20,000 cores,
> that's only 52GB per core, not even close to enough for more than half a
> year of data accumulation).  Unused data is deleted after 90 days, which
> is why it can be overcommitted.

Why do you need to overcommit in the first place when you don't need
that much disk space anyway?  And it only works because you "shrink" the
disk space used by deleting data.

> Extending this to a more realistic example without automatic data
> deletion is trivial. Imagine you are a web hosting provider. You allow
> each client unlimited disk space, so you're automatically overcommitted.
> In the aggregate, even though one client may increase their usage
> extremely quickly, total usage rises slowly, giving you more than enough
> time to increase the storage capacity of whatever backing filesystem is
> hosting their files.

I'm a customer of such a provider that used to do that, and they stopped
giving their customers unlimited disk space years ago.  I guess they
found out that they can't possibly keep up with the demand, at least not
without charging more.

>> > All Joost is saying is that most resources can be overcommitted, since
>> > all the users will not be using all their resources at the same time.
>> 
>> How do you overcommit disk space and then shrink the VMs automatically
>> when disk usage gets lower again?
>> 
>
> Sorry, my previous example was bad, since the normal strategy is to
> expand when necessary as far as I know. See above.

Well, that's exactly the problem.  Once a VM has grown, it won't shrink
automatically, which soon breaks the overcommitment.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread Rich Freeman
On Thu, Jan 21, 2016 at 4:35 PM, lee  wrote:
> And I thought vnc sends a copy of what is displayed on the screen, so if
> you were running a program that renders something on the screen and
> uses/requires a graphics card for that, you should be able to see what
> it renders.  If you can't see that, vnc is of very limited use.  How
> does RDP deal with this?

VNC sends a copy of what is in the framebuffer, which may or may not
be displayed on a physical screen.  You can have a framebuffer on a
machine that has no display outputs at all.  You can have 10,000
different framebuffers running on the PC you're working on right now
assuming you have the RAM for it.  I haven't set this up recently, but
I believe that's basically what x2go does out of the box (except it
uses NX instead of VNC).

RDP is capable of functioning without a physical console attached.
Consumer versions of windows may block doing much of this for
licensing reasons, but certainly at work we've had 20+ users connected
to a single citrix server at once.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread Rich Freeman
On Thu, Jan 21, 2016 at 5:00 PM, lee  wrote:
> Hm, I must be misunderstanding snapshots entirely.
>

Well, in the case of zfs/btrfs you are.  Different implementations
have different snapshotting features.

> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot?  You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?

If you remove a snapshot it goes away.  If you remove the original it
goes away.  There isn't anything strange going on.

With btrfs I can do this:

btrfs su create a
touch a/file
btrfs su snap a b
touch b/file2
echo "hello" >> a/file

a now contains file with the text hello in it.  b now contains file
which is empty and file2 which is empty.

If I delete a then it disappears.  If I delete b then it disappears.
They exist completely independently of each other.

In btrfs the command "btrfs su snap a b" is somewhat equivalent to
"cp -a a b" unless you look at what is going on closely.  The main
difference is that the first command takes almost zero time to
execute, and consumes little additional space.  This is true even if a
is a directory containing a million text files or 10TB of video.

Snapshots in btrfs just look like directories.  They're subvolumes,
and only subvolumes can be snapshotted.  I imagine that zfs is
slightly different, but with the same overall concept.

> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups.

You can certainly use snapshots to make backups.  The snapshot is
already a backup, though stored on the same media.

> When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.

With btrfs at least there is no way to rollback a snapshot.  You can
of course just "mv a a.old ; mv b a ; btrfs su del a.old" and now your
snapshot has replaced the original copy (aside from any files which
happen to be open).

>
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore.  So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before.  Weird behaviour makes snapshots
> rather scary, so I avoid them now.

I couldn't tell you what that means.  Perhaps you discovered a bug.

Btrfs should always allow you to remove a subvolume (including one
created as a snapshot).  I believe they can be removed if they're in
use, and the effect is similar to removing a file that is in use.

> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original".  At least that makes
> some sense to me because no real copy is created when you make a
> snapshot.  But how do you detach a snapshot from the "original" so that
> you could safely modify both?
>

In btrfs there is no relationship between a snapshot and the original
subvolume, other than them happening to share the same tree nodes
initially.  It isn't unlike what happens in git when you create a new
branch.  You end up with a new reference pointing to the same commit
and everything below that is shared between the two branches
initially.  If you touch one file then most of trees/blobs between the
branches are still shared, but the modified blob and all of its parent
trees are now separated.

Btrfs does mark snapshots as snapshots for some reason, but other than
a yes/no flag snapshots are the same as any subvolume.  They're not
linked in any way to the original and there is no straightforward way
to tell where a snapshot came from (well, other than either comparing
it against all the other subvolumes, ideally looking for shared tree
nodes).

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread covici
lee  wrote:

> Rich Freeman  writes:
> 
> > On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
> >> "J. Roeleveld"  writes:
> >>
> >> How does that work?  IIUC, when you created a snapshot, any changes you
> >> make to the snapshotted (or how that is called) file system are being
> >> referenced by the snapshot which you can either destroy or abandon.
> >> When you destroy it, the changes you made are being applied to the
> >> file system you snapshotted (because someone decided to use a very
> >> misleading terminology), and when you abandon it, the changes are thrown
> >> away and you end up with the file system as it was before the snapshot
> >> was created.
> >>
> >> In any case, you do not get multiple versions (which only reference the
> >> changes made) of the file system you snapshotted but only one current
> >> version.
> >>
> >> Do you need to use a special file system or something which provides
> >> this kind of multiple copies when you make snapshots?
> >>
> >
> > And that is exactly what zfs and btrfs provide. Snapshots are full
> > citizens.  If I create a snapshot of a directory in btrfs it is
> > essentially indistinguishable from running cp -a on the directory,
> > except the snapshot takes only seconds to create almost entirely
> > regardless of size, and takes almost no space until changes are made.
> > Later I can delete the snapshot, or delete the original, or keep both
> > indefinitely making changes to either.
> 
> Hm, I must be misunderstanding snapshots entirely.
> 
> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot?  You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?
> 
> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups.  When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.
> 
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore.  So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before.  Weird behaviour makes snapshots
> rather scary, so I avoid them now.
> 
> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original".  At least that makes
> some sense to me because no real copy is created when you make a
> snapshot.  But how do you detach a snapshot from the "original" so that
> you could safely modify both?

In zfs you can clone the snapshot and it will be independent, but I am
new at zfs, so check it out.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] {OT} Allow work from home?

2016-01-21 Thread Neil Bothwick
On Wed, 20 Jan 2016 16:21:42 -0800, Grant wrote:

> I would
> need to be able to rsync to the laptop and I'd rather not be involved
> in the remote employee's router config.  Is there an easier solution
> for that than OpenVPN?

There is ZeroTier as a replacement for OpenVPN, and Syncthing for
syncing. Both are P2P solutions and you can run your own discovery
servers if you don't want any traffic going through a 3rd party (although
they don't send data through the servers).

I've no idea whether that would meet your security criteria but it
certainly fulfils the "easier than OpenVPN" one. It will take only a few
minutes to install and setup using the public servers, although, as I
said, your network is never public, so you can check whether they do what
you want. Then you can look at hosting your own server for security.

https://www.zerotier.com/
https://syncthing.net/


-- 
Neil Bothwick

Software: (n.) That which hardware manufacturers can blame for physical
failures.




Re: [gentoo-user] {OT} Allow work from home?

2016-01-21 Thread Daniel Frey
On 01/17/2016 10:10 AM, Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
>>
>> I would prefer a method that is independent of OS used. And provides server 
>> side limitations with regards to filesharing and clipboard access.
>>
> 
> x2go is just X11, so it should be OS-independent as long as you have a
> client/server for it.  It just logs in as the appropriate user on the
> remote host, so access beyond that is whatever you'd get if you just
> logged in on a console.
> 
> Now, I can't vouch for how many OSes anybody has bothered to implement it on.
> 

Thanks for that tip on x2go - I'd struggled with freenx and eventually
gave up and freenx isn't even in the tree anymore.

I looked up x2go and rebuilt openssh on my home server as it suggested
to try it out. Other than restarting sshd, I didn't have to do any
configuration and it just *worked*. I've, like, never ever had that
happen before. Even when I set up my tigervnc with xinetd it was days of
experimenting before I got it to work. tigervnc also was hanging up X
upgrades, so now I can successfully ditch tigervnc.

x2go is so much faster it's unbelievable. I have a gigabit LAN here at
home and VNC was lagging pretty badly (to the point where I decided
against even trying to use it remotely.)

Some things to note: there's no android client, but there is one for
Windows/linux/MacOS. I haven't tried it on my Windows laptop yet, but
one of these days I'll dig it out and try it.

Makes me wonder if it would be possible to spin up a VM on demand with
x2go on and preconfigured if OP requires users not to be on the same host.

Dan



Re: [gentoo-user] {OT} Allow work from home?

2016-01-20 Thread Rich Freeman
On Wed, Jan 20, 2016 at 7:21 PM, Grant  wrote:
> Despite Rich's best efforts (thank you Rich! :-) ) I'm still
> considering a Gentoo laptop for this along with a Chromebook.

No worries.  Gentoo laptops are great.  There's a reason that Google
decided to use them as the starting point for creating the Chromebook.
:)

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-20 Thread Grant
>>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>>> > particular user can only come from a particular device (or from any
>>> > device containing a key).
>>>
>> You can use apache client authentication with SSL certificates only.  Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's 
>> certificate
>> and upload it along with your CA certificate to the user's browser.  This
>> explains the principle:
>>
>> http://wiki.cacert.org/HELP/9
>>
>>
>> Ditto with the VPN connection - should you still want to use VPN.
>
>
> Let me see if I'm following.  I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication?  Can I require a
> username/password along with the certificate?  Can I require the
> certificate only for certain users?
>
>
>> If a user certificate is lost or feared compromised, you revoke it with your
>> CA and upload the CRL to the server.
>>
>> However, this won't do away with XSS, or other similar attack vectors if the
>> users are not careful with their browsing habits.
>
>
> Can you give me an example?


Despite Rich's best efforts (thank you Rich! :-) ) I'm still
considering a Gentoo laptop for this along with a Chromebook.  I would
need to be able to rsync to the laptop and I'd rather not be involved
in the remote employee's router config.  Is there an easier solution
for that than OpenVPN?  If not, perhaps OpenVPN is the way to go since
I could use it both to provide rsync access and for authentication.
Still I'd love to avoid it if possible.

Can I have OpenVPN prompt the desktop user on the client for login credentials?

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 12:22 AM,   wrote:
>
> I'm an absolute windows noop. I only use it for graphics work. I even
> didn't know that such a kind of file sharing is possible with it. :-)
>

No worries - I think that is a great place to be.  However, it is
useful to understand what ideas are out there, since some of them are
actually good ones.

The foundation of these kinds of features in windows is that their
user IDs are essentially GUIDs (a combination of an authentication
server and a unique ID I believe):
https://en.wikipedia.org/wiki/Security_Identifier

This is in contrast to a linux UID, which is just a small number.  You
might be UID 0 on your box, and I'm UID on mine.  The UID of the
administrator account of every windows box out there is unique.  That
avoids all kinds of issues, like the whole nfs root-is-nobody design.
You can "chown" a windows file to a UID which isn't native to the
machine - the machine would authenticate anybody trying to read it
against the machine that assigned the UID.

It isn't perfect, but it seems like a better foundation for this sort of thing.

>
> That's right. I think that the effort and the outlay to implement all
> these features into Linux is relative high. It seems that no vendor
> is willing to assume such a financial risk.
>
> Maybe it is time for another crowd funding campaign? ;-)
>

Well, changing how user IDs work would be a big task (as far as I'm aware).

However, the bit about Bitlocker isn't actually.  You just need to use
trusted grub, some vanilla kernel config options, and probably some
logic in the initramfs and userspace.  There is already a linux
solution for TPM at every layer of the boot chain, which allows a
userspace program in an initramfs to store an encryption key in the
TPM and retrieve it only if the boot chain isn't tampered with.  You
just need to put together the pieces.

I could probably hack something together in a few days.  The trick is
getting it to survive things like kernel updates and for it to be
robust.  You need to ensure that anything that legitimately changes
your boot chain updates all the settings in the TPM so that on the
next boot the keys are still delivered.  Otherwise your drive becomes
unreadable, and difficult to recover (well, unless you escrow the
encryption keys somewhere, which you certainly can do).

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 2:32 PM, Grant  wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>

It looks like this hasn't been widely implemented, but it looks like
they do have the ability to generate TPM-backed client certificates
which could then be used for authentication (and you can set a policy
to auto-authenticate using the certificate).  It looks like you need
to use an extension to generate the key and csr, and load the
certificate.  Google wrote an extension that does this for active
directory, but for any other certificate authority it looks like you
basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log
into it.  The device would auto-install the certificate installer and
then you'd run that extension to load a certificate and mark it for
use for all users on the device.  Then any user on that device could
authenticate using the certificate.  The key would be stored in the
TPM and would never leave the device, and wiping the device would
destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
client certificates don't use GPG itself.  All of this is FOSS as far
as I can tell.  All browsers can load and use client certificates, but
the advantage of a chromebook is that the key can be generated by the
TPM and never leave it.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> If that's the case then it sounds like 2FA doesn't really provide any
>> extra assurance.  It's another layer but if the machine is hacked then
>> it sounds like it becomes a very thin layer.
>>
>> I'd most like to allow the remote employee to use their own computer,
>> but is there any way to have reasonable assurance that a remote
>> attacker can't log into my web stuff if the employee's computer is
>> compromised?
>>
>> With a Chromebook, how can I be assured that the employee is only able
>> to log into my web stuff with the Chromebook?
>>
>
> It looks like this is possible to do with a Google Apps account:
> https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
> https://support.google.com/chrome/a/answer/2657289
> https://support.google.com/chrome/a/answer/1375678
>
> You can control who can log in, and what sites they can visit (just
> blacklist * and then whitelist specific sites).  Schools commonly use
> this so that they don't have to deal with kids visiting sites of ill
> repute.  You can also control application/extension installation.


I'm sorry, I meant can I lock down access to my web stuff so that a
particular user can only come from a particular device (or from any
device containing a key).


> It looks like you can also use remote attestation if your application
> supports it which prevents access from a tampered device even if it
> has the right credentials/etc.  (That's the whole "trusted/treacherous
> computing" thing.)  You could in theory have security such that your
> application works with single-sign-on but doesn't work unless
> connected to using a trusted device (but I'd have to do more research
> on that).


It seems like that would be necessary in my case or the remote
employee might prefer working from their own device instead of using
the Chromebook.  Can I somehow require something like a PGP key in
order to authenticate successfully in a browser?

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 9:02 AM, Grant  wrote:
>
> If that's the case then it sounds like 2FA doesn't really provide any
> extra assurance.  It's another layer but if the machine is hacked then
> it sounds like it becomes a very thin layer.
>
> I'd most like to allow the remote employee to use their own computer,
> but is there any way to have reasonable assurance that a remote
> attacker can't log into my web stuff if the employee's computer is
> compromised?
>
> With a Chromebook, how can I be assured that the employee is only able
> to log into my web stuff with the Chromebook?
>

It looks like this is possible to do with a Google Apps account:
https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
https://support.google.com/chrome/a/answer/2657289
https://support.google.com/chrome/a/answer/1375678

You can control who can log in, and what sites they can visit (just
blacklist * and then whitelist specific sites).  Schools commonly use
this so that they don't have to deal with kids visiting sites of ill
repute.  You can also control application/extension installation.

It looks like you can also use remote attestation if your application
supports it which prevents access from a tampered device even if it
has the right credentials/etc.  (That's the whole "trusted/treacherous
computing" thing.)  You could in theory have security such that your
application works with single-sign-on but doesn't work unless
connected to using a trusted device (but I'd have to do more research
on that).

The one thing you will have to be careful about is printing.  They can
only print to PDF, or to cloud print.  I'm not sure if that is an
issue for your use case.

I've never used it personally, but it is apparently quite popular with
schools.  I'd suggest looking into it.  The service isn't free - you
need google apps to make it work.  However, it sounds like it is
relatively cheap.  I'd certainly be interested in hearing from anybody
who knows more about it, but if I had a small business that was purely
web-based I'd strongly consider a solution like this.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Mick
On Tuesday 19 Jan 2016 08:42:07 J. Roeleveld wrote:
> On Tuesday, January 19, 2016 01:57:38 AM lee wrote:
> > Rich Freeman  writes:
> > > On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> > >> Rich Freeman  writes:
> > >>> However, while an RDP-like solution protects you from some types of
> > >>> attacks, it still leaves you open to many client-side problems like
> > >>> keylogging.  I don't know any major corporation that lets people RDP
> > >>> into their applications in general.
> > >> 
> > >> What do they use instead?
> > > 
> > > As I mentioned in my previous email - they just hand all their
> > > employees laptops.  Control the hardware, control the software,
> > > control the security...
> > 
> > I mean instead of rdp.  It's a simple solution which works really well
> > on a LAN with Windoze.  What's the equivalent that works with Linux?
> > 
> > I wouldn't try it over an internet connection, though, it requires too
> > much bandwidth.
> 
> RDP works over an internet connection, even when running it through a VPN
> using a dodgy wifi link over a busy road and a slowish ADSL link.
> 
> VNC also, but only when reducing the quality of the display a lot.
> 
> Not tried other methods yet.
> 
> --
> Joost

As far as I understand it RDP is different to VNC, in the sense that instead 
of sending every pixel down the line it only sends compressed semantic 
information *about* a desktop component (e.g. the start button, a control 
signal, etc.) and the client interprets this locally as a button or a control 
command. It is also using caching to minimise retransmission.

In some sense it is similar with x2go's NoMachine's NX technology (caching and 
compressing) but as far as I know NX is not as 'intelligent' as RDP.  It just 
sends X protocol data with synchronous round trips and although cached and 
compressed it is not as efficient as the latest versions of RDP.

In many companies MSWindows desktops have been virtualised (XenDesktop) 
running on MSWindows (VM) Servers and accessed using thin-clients, or with 
BYOD remotely, using icaclient as a browser plugin, or a desktop client 
application (Citrix Receiver).  The OS is a standardised MSWindows image and 
an individual user's profile (with all their personal settings, approved apps, 
policy settings, etc.) are loaded whenever a desktop instance boots up and the 
customer logs in.

I'm guessing that the Citrix Receiver is using RDP for MSWindows, but I don't 
really know.  It feels quite efficient when I use it, even over slow bandwidth 
connections.

In any case, the opensource equivalent to this is what I was suggesting Grant 
may find useful and it can work over VPN if required, although the session 
between client and server is encrypted over SSL anyway.
-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> You can use apache client authentication with SSL certificates only.  Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's 
>> certificate
>> and upload it along with your CA certificate to the user's browser.  This
>> explains the principle:
>>
> Now, a solution for a more traditional desktop is to use an SSL key stored
> on a smartcard, which I'm sure Diego has blogged about on
> planet.gentoo.org as he is into those.  That has all the advantage of
> the TPM as far as key security goes.  However, you're still vulnerable
> to xss and keyloggers and such.


Is an SSL key stored on a smartcard better than a TOTP password?  They
seem roughly equivalent to me.  I don't think either would restrict
access by device.

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
"J. Roeleveld"  writes:

> On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On 17 January 2016 18:35:20 CET, Mick 
>> >> > wrote:
>> >> > 
>> >> > [...]
>> >> > 
>> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >> >>work,
>> >> >>but have never tried to set up something similar at home.  What
>> >> >>opensource
>> >> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >> >>
>> >> > I'd love to do this myself as well.
>> >> > 
>> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
>> >> > need
>> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
>> >> > the
>> >> > VM display. (Spice or VNC)
>> >> > 
>> >> > Then you need some way of authenticating users and providing access to
>> >> > the
>> >> > client software. [...]
>> >> 
>> >> You would have a full VM for each user?
>> > 
>> > Yes
>> > 
>> >> That would be a huge waste of resources,
>> > 
>> > Diskspace and CPU can easily be overcommitted.
>> 
>> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> memory is not possible with xen.
>
> Overcommitting diskspace isn't such a bad idea, considering most installs 
> never utilize all the available diskspace.

When they do not use it anyway, there is no reason to give it to them in
the first place.  And when they do use it, how do the VMs handle the
problem that they have plenty of disk space available, from their point of
view, while the host which they don't know about doesn't allow them to
use it?

Besides, overcommitting disk space means to intentionally create a setup
which involves that the host can run out of disk space easily.  That is
not something I would want to create for a host which is required to
function reliably.

And how much do you need to worry about the security of the VMs when you
build in a way for the users to bring the whole machine, or at least
random VMs, down by using the disk space which has been assigned to
them?  The users are somewhat likely to do that even unintentionally,
and the more so the more you overcommit.

> Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At 
> least, I seem to remember reading that somewhere)

That would be a nice feature.

>> >> plus having to take care of a lot of VMs,
>> > 
>> > Automated.
>> 
>> Like how?
>
> How do you manage a large amount of physical machines?
> Just change physical to VMs and do it the same.
> With VMs you have more options for automation.

Individually, for lack of a better way.  Per user when it comes to
setting up their MUAs and the like, for lack of any better way.  It
doesn't make a difference if it's a VM or not, provided that you have
remote access to the machine.

When you have one VM for many users, you install the MUA only once, and when
you need to do updates, you do them only once.  When you have many VMs,
like one for each user, you have to install and update many times, once
on each VM.

>> >> plus having to buy  a lot of Windoze licenses
>> > 
>> > Volume licensing takes care of that.
>> 
>> expensive
>
> Depends on the requirements. It's cheaper than a few hundred separate Windows 
> licenses.

It's still more expensive than one, or than a handful, isn't it?

>> >> and taking about a week to install the updates
>> >> after installing a VM.
>> > 
>> > Never heard of VM templates?
>> 
>> It still takes a week to put the updates onto the template.
>
> Last time I had to fully reinstall a windows machine it took me a day to do 
> all the updates. Microsoft even has server software that will keep them 
> locally and push them to the clients.

That would be useful to have.  Where could I download that?

Last time I installed a VM, it took a week until the updates were
finally installed, and you have to check on it every now and then to
find out if it's even doing anything at all.  The time before, it wasn't
a VM but a very slow machine, and that also took a week.  You can have
the fastest machine in the world and Windoze always manages to bring it
down to a slowness we wouldn't have accepted even 20 years ago.

>> >> Add to that that the xen host goes down at
>> >> random time intervals (because the sending queue of the network card
>> >> times out for reasons that cannot be determined) which can be as long as
>> >> a day, a week or even up to three weeks, and you are likely to become a
>> >> rather unhappy administrator.
>> > 
>> > Sorry, but I consider that a bug in your hardware. If it's really that
>> > unstable, replace it.
>> > I've been running Xen enabled servers for nearly 15 years. Never had
>> > issues
>> > like that. If it were truly that unstable, it wouldn't be gaining
>> > popularity.
>> The hardware has already been replaced, and the problem persists.  Other
>> 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
Rich Freeman  writes:

> On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel
>  wrote:
>>
>> All Joost is saying is that most resources can be overcommitted, since
>> all the users will not be using all their resources at the same time.
>>
>
> Don't want to sound like a broken record, but this is precisely why
> containers are so attractive.  You can set hard limits wherever you
> want, but otherwise absolutely everything can be
> over-committed/shared/etc to the degree you desire.  They're just
> processes and namespaces and cgroups and so on.  You just have to be
> willing to live with whatever kernel is running on the host.  Of
> course, it isn't a solution for Windows, and there aren't any mature
> VDI-oriented solutions I'm aware of.  However, running as non-root in
> a container should be very secure so there is no reason it couldn't be
> done.  I just spun up a new container yesterday to test out burp
> (alas, ago beat me to the stablereq) and the server container is using
> all of 54M total / 3M RSS (some of that because I like to run sshd and
> so on inside).  I can afford to run a LOT of those.

Yes, I prefer containers over xen and kvm.  They are easy to set up,
have basically no overhead, no noticeable performance impact or loss,
and handing over devices, like a network card, to a container is easy
and painless.  Unfortunately, as you say, you can't use them when you
need Windoze VMs.

BTW, is it as easy to give a graphics card to a container as it is to
give it a network card?  What if you have a container for each user who
somehow logs in remotely to an X session?  Do (can) you run X sessions
that do not have a console and do not need a (dedicated) graphics card
(just for users logging in remotely)?

Having a container for each user would be much less painful than having
a VM for each user.  That brings back the question of what to use when you
want to log in remotely to an X session ...



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
Alec Ten Harmsel  writes:

> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
>> "J. Roeleveld"  writes:
>> 
>> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On 17 January 2016 18:35:20 CET, Mick  wrote:
>> >> > 
>> >> > [...]
>> >> > 
>> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >> >>work,
>> >> >>but have never tried to set up something similar at home.  What
>> >> >>opensource
>> >> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >> >>
>> >> > I'd love to do this myself as well.
>> >> > 
>> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you 
>> >> > need
>> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into 
>> >> > the
>> >> > VM display. (Spice or VNC)
>> >> > 
>> >> > Then you need some way of authenticating users and providing access to 
>> >> > the
>> >> > client software. [...]
>> >> 
>> >> You would have a full VM for each user?
>> >
>> > Yes
>> >
>> >> That would be a huge waste of resources,
>> >
>> > Diskspace and CPU can easily be overcommitted.
>> 
>> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> memory is not possible with xen.
>> 
>
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.

True, that's for testing when you do know that the disk space will not
be used and have no trouble when it is.  When you have the VMs in
production and users (employees) using them, you don't know when they
will run out of disk space and trouble ensues.

> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

How do you overcommit disk space and then shrink the VMs automatically
when disk usage gets lower again?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
"J. Roeleveld"  writes:


> [...]
> If disk-space is considered too expensive, you could even have every VM use 
> the same base image. And have them store only the differences of the disk.
> eg:
> 1) Create a VM
> 2) Snapshot the disk (with the VM shutdown)
> 3) create a new VM based on the snapshot
>
> Repeat 2 and 3 for as many clones you want.
>
> Most installs don't change that much when dealing with standardized desktops.

How does that work?  IIUC, when you created a snapshot, any changes you
make to the snapshotted (or how that is called) file system are being
referenced by the snapshot which you can either destroy or abandon.
When you destroy it, the changes you made are being applied to the
file system you snapshotted (because someone decided to use a very
misleading terminology), and when you abandon it, the changes are thrown
away and you end up with the file system as it was before the snapshot
was created.

In any case, you do not get multiple versions (which only reference the
changes made) of the file system you snapshotted but only one current
version.

Do you need to use a special file system or something which provides
this kind of multiple copies when you make snapshots?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 6:26 PM, Mick  wrote:
>
> You can use apache client authentication with SSL certificates only.  Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser.  This
> explains the principle:
>
> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.

The problem is, how would you know?  In a traditional browser
(including Mozilla and Chrome on anything but a Chromebook) the key
associated with the certificate is stored in a file on disk.  Sure, it
might be encrypted with a hand-typed password, but those passwords are
not hard to brute force, and susceptible to keyloggers anyway.  Those
keys also are unencrypted in RAM while in use.  If something stole a
copy of your key, you'd likely never know.

But, I agree they can be revoked if you discover the issue.

Now, a solution for a more traditional desktop is to use an SSL key stored
on a smartcard, which I'm sure Diego has blogged about on
planet.gentoo.org as he is into those.  That has all the advantage of
the TPM as far as key security goes.  However, you're still vulnerable
to xss and keyloggers and such.

Sorry to nitpick.  I'd love to see more linux-based options for an
ultra-secure platform.  It is impressive that Google managed to
commercialize one - you can accomplish quite a lot with FOSS tools if
you put the time into it.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
> "J. Roeleveld"  writes:
>
> How does that work?  IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or how that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
>
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
>
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?
>

And that is exactly what zfs and btrfs provide. Snapshots are full
citizens.  If I create a snapshot of a directory in btrfs it is
essentially indistinguishable from running cp -a on the directory,
except the snapshot takes only seconds to create almost entirely
regardless of size, and takes almost no space until changes are made.
Later I can delete the snapshot, or delete the original, or keep both
indefinitely making changes to either.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Mick
On Tuesday 19 Jan 2016 17:46:27 Rich Freeman wrote:
> On Tue, Jan 19, 2016 at 2:32 PM, Grant  wrote:
> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
> 
> It looks like this hasn't been widely implemented, but it looks like
> they do have the ability to generate TPM-backed client certificates
> which could then be used for authentication (and you can set a policy
> to auto-authenticate using the certificate).  It looks like you need
> to use an extension to generate the key and csr, and load the
> certificate.  Google wrote an extension that does this for active
> directory, but for any other certificate authority it looks like you
> basically have to write your own (and probably publish it as FOSS).
> 
> So, the idea would be that you'd provision the device and then log
> into it.  The device would auto-install the certificate installer and
> then you'd run that extension to load a certificate and mark it for
> use for all users on the device.  Then any user on that device could
> authenticate using the certificate.  The key would be stored in the
> TPM and would never leave the device, and wiping the device would
> destroy the key.
> 
> You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
> client certificates don't use GPG itself.  All of this is FOSS as far
> as I can tell.  All browsers can load and use client certificates, but
> the advantage of a chromebook is that the key can be generated by the
> TPM and never leave it.

You can use apache client authentication with SSL certificates only.  Of 
course you will need to create a self-signed CA, which you will use to create 
the web server public/private key pair and also sign each client's certificate 
and upload it along with your CA certificate to the user's browser.  This 
explains the principle:

http://wiki.cacert.org/HELP/9


Ditto with the VPN connection - should you still want to use VPN.

If a user certificate is lost or feared compromised, you revoke it with your 
CA and upload the CRL to the server.

However, this won't do away with XSS, or other similar attack vectors if the 
users are not careful with their browsing habits.

This won't resolve problems with lost laptops and the like either, so previous 
suggestions for disk encryption, or chromebooks apply, if this is a 
considerable risk with your users.
-- 
Regards,
Mick


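The workflow Mick sketches above, as an added example that is not code from the thread or from any project: a shell script that uses openssl to create the self-signed CA, sign a client certificate, revoke it and regenerate the CRL, and then checks a certificate against CA and CRL the way the web server will. The Apache fragment it writes uses real mod_ssl directive names, but every path, name and subject in the script is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): the private-CA workflow Mick
# describes, done with openssl.  Names, subjects and paths are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
mkdir -p ca/newcerts
touch ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# Minimal configuration for `openssl req` and `openssl ca` (paths relative to $WORK).
cat > ca/openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

setup_ca() {
    # Self-signed CA; only certificates it signed are accepted by the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca/openssl.cnf \
        -subj "/O=Example Shop/CN=Example Shop Private CA" \
        -keyout ca/ca.key -out ca/ca.crt 2>>openssl.log
    # Publish an (empty) CRL from the start so revocation checks always work.
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>>openssl.log
}

# issue_client USER: key and CSR for the user, certificate signed by the CA.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config ca/openssl.cnf \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>>openssl.log
    openssl ca -batch -config ca/openssl.cnf -extensions client_ext \
        -notext -in "$1.csr" -out "$1.crt" 2>>openssl.log
}

# revoke_client USER: mark the certificate revoked and regenerate the CRL.
revoke_client() {
    openssl ca -config ca/openssl.cnf -revoke "$1.crt" 2>>openssl.log
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>>openssl.log
}

# cert_status USER: prints valid, revoked or invalid, the same decision the
# server makes when it checks a client certificate against CA and CRL.
cert_status() {
    if out=$(openssl verify -crl_check -CAfile ca/ca.crt \
                 -CRLfile ca/ca.crl "$1.crt" 2>&1); then
        echo valid
    else
        case "$out" in *revoked*) echo revoked ;; *) echo invalid ;; esac
    fi
}

# write_apache_fragment FILE: Apache 2.4 mod_ssl directives that consume
# ca.crt and ca.crl (directive names are real, the paths are placeholders).
write_apache_fragment() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCertificateFile    /etc/ssl/intranet/server.crt
SSLCertificateKeyFile /etc/ssl/intranet/server.key
SSLCACertificateFile  /etc/ssl/intranet/ca.crt
SSLCARevocationFile   /etc/ssl/intranet/ca.crl
SSLCARevocationCheck  chain
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

setup_ca
issue_client alice
before=$(cert_status alice)   # valid
revoke_client alice           # alice's laptop is lost: revoke, republish CRL
after=$(cert_status alice)    # revoked
write_apache_fragment client-auth.conf
echo "alice: $before -> $after"
```

Needs only the openssl binary; the username/password Grant asks about later in the thread is an `AuthType Basic` / `Require valid-user` block inside the same virtual host, which Apache enforces on top of `SSLVerifyClient require`.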

Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>> > particular user can only come from a particular device (or from any
>> > device containing a key).
>>
> You can use apache client authentication with SSL certificates only.  Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser.  This
> explains the principle:
>
> http://wiki.cacert.org/HELP/9
>
>
> Ditto with the VPN connection - should you still want to use VPN.


Let me see if I'm following.  I could create a certificate and point
the browser to it in config and configure my web server to require the
certificate for HTTP basic authentication?  Can I require a
username/password along with the certificate?  Can I require the
certificate only for certain users?


> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.
>
> However, this won't do away with XSS, or other similar attack vectors if the
> users are not careful with their browsing habits.


Can you give me an example?


> This won't resolve problems with lost laptops and the like either, so previous
> suggestions for disk encryption, or chromebooks apply, if this is a
> considerable risk with your users.


No sensitive data on the client systems.  They're actually auto-wiped daily.

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
> Alec Ten Harmsel  writes:
> >
> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
> > VirtualBox and vagrant for testing various software. Every VM in
> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> > Add in all the other stuff on my system, which includes a 200GB dataset,
> > and the disk is overcommitted. Of course, none of the VirtualBox disks
> > use anywhere near 50GB.
> 
> True, that's for testing when you do know that the disk space will not
> be used and have no trouble when it is.  When you have the VMs in
> production and users (employees) using them, you don't know when they
> will run out of disk space and trouble ensues.

Almost. Here is an equal example: I am an admin on an HPC cluster. We
have a shared Lustre filesystem that people store work files in while
they are running jobs. It has around 1PB of capacity. As strange as this
may sound, this filesystem is overcommitted (we have 20,000 cores,
that's only 52GB per core, not even close to enough for more than half a
year of data accumulation).  Unused data is deleted after 90 days, which
is why it can be overcommitted.

Extending this to a more realistic example without automatic data
deletion is trivial. Imagine you are a web hosting provider. You allow
each client unlimited disk space, so you're automatically overcommitted.
In the aggregate, even though one client may increase their usage
extremely quickly, total usage rises slowly, giving you more than enough
time to increase the storage capacity of whatever backing filesystem is
hosting their files.

> > All Joost is saying is that most resources can be overcommitted, since
> > all the users will not be using all their resources at the same time.
> 
> How do you overcommit disk space and then shrink the VMs automatically
> when disk usage gets lower again?
> 

Sorry, my previous example was bad, since the normal strategy is to
expand when necessary as far as I know. See above.

Alec



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 5:08 PM, lee  wrote:
>
> BTW, is it as easy to give a graphics card to a container as it is to
> give it a network card?

I've never tried it, but I'd think that the container could talk to a
graphics card.

> What if you have a container for each user who
> somehow logs in remotely to an X session?  Do (can) you run X sessions
> that do not have a console and do not need a (dedicated) graphics card
> (just for users logging in remotely)?

You don't need to even have a graphics card to serve X11 via vnc or
nx.  You could probably serve them even if your only server console
was a serial console.  Just run x11vnc or whatever it is called - it
is an X server whose only framebuffer is a VNC session.  I think NX
uses the same server, but I'd have to check.  Of course, you wouldn't
have 3D acceleration with this server, not that you'd be using it
over NX/VNC.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 7:18 PM, Grant  wrote:
>
> Is an SSL key stored on a smartcard better than a TOTP password?  They
> seem roughly equivalent to me.  I don't think either would restrict
> access by device.
>

They'd be roughly equivalent, especially if the TOTP is backed by a smartcard.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread J. Roeleveld
On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
> "J. Roeleveld"  writes:
> > [...]
> > If disk-space is considered too expensive, you could even have every VM
> > use
> > the same base image. And have them store only the differences of the disk.
> > eg:
> > 1) Create a VM
> > 2) Snapshot the disk (with the VM shutdown)
> > 3) create a new VM based on the snapshot
> > 
> > Repeat 2 and 3 for as many clones you want.
> > 
> > Most installs don't change that much when dealing with standardized
> > desktops.
> How does that work?  IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or whatever that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
> 
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
> 
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?

I use LVM for this.

Steps are simple:
1) Create a LV (lv_1)
2) Create and install a VM using this LV (lv_1)
3) Stop the VM
4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b -> slv_1b, ...)

Start the VMs

This way you can overcommit on the actual diskspace as only changes are taking 
up diskspace.
If you force everyone on the same base-image, the differences should not be too 
large.

If you also force users to store files on a shared filesystem, it shouldn't be 
too much of a difficulty to occasionally move everyone to a new base-image when 
the updates are causing the snapshots to grow too much.

--
Joost
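The five LVM steps above, as an added Python example that is not Joost's own tooling: it plans the lvcreate calls for the base LV and its per-clone snapshots, and parses `lvs` output to flag snapshots that are filling up, which is the monitoring an overcommitted snapshot setup depends on. The volume group name vg0, the sizes and the sample lvs output are assumptions.

```python
"""Plan LVM snapshot clones of one base LV and flag snapshots that are filling up.
Added example, not from the mailing-list thread. Assumed: VG "vg0", base LV
"lv_1", classic (thick) snapshots whose fill level lvs reports as data_percent."""
import subprocess
from typing import List, Tuple


def clone_commands(vg: str, base: str, base_size: str, snap_size: str,
                   clones: List[str]) -> List[List[str]]:
    """Return lvcreate argv lists for steps 1 and 4: one base LV, then one
    snapshot per clone. Installing the VM onto the base LV and shutting it
    down (steps 2 and 3) happens between the first command and the rest.
    Naming follows the thread: base lv_1, snapshots slv_1a, slv_1b, ..."""
    cmds = [["lvcreate", "-L", base_size, "-n", base, vg]]
    for tag in clones:
        cmds.append(["lvcreate", "-s", "-L", snap_size,
                     "-n", f"s{base}{tag}", f"/dev/{vg}/{base}"])
    return cmds


def full_snapshots(lvs_output: str, threshold: float) -> List[Tuple[str, str, float]]:
    """Parse the text of `lvs --noheadings -o lv_name,origin,data_percent` and
    return (snapshot, origin, percent) for every snapshot at or above the
    threshold. A thick snapshot that reaches 100% is invalidated by LVM and
    the VM on it loses its disk, so this check has to run before that point."""
    hits = []
    for line in lvs_output.splitlines():
        fields = line.split()
        if len(fields) != 3:          # plain LVs have no origin and no percent
            continue
        name, origin, pct = fields
        pct_value = float(pct)
        if pct_value >= threshold:
            hits.append((name, origin, pct_value))
    return hits


def check_live(threshold: float = 80.0) -> List[Tuple[str, str, float]]:
    """Run lvs on this host (needs root) and return the snapshots over threshold."""
    out = subprocess.run(
        ["lvs", "--noheadings", "-o", "lv_name,origin,data_percent"],
        capture_output=True, text=True, check=True).stdout
    return full_snapshots(out, threshold)


# Constructed lvs output: the base LV plus two snapshot clones, one nearly full.
SAMPLE_LVS = """\
  lv_1
  slv_1a lv_1   12.50
  slv_1b lv_1   87.20
"""

if __name__ == "__main__":
    for cmd in clone_commands("vg0", "lv_1", "20G", "10G", ["a", "b"]):
        print(" ".join(cmd))
    for name, origin, pct in full_snapshots(SAMPLE_LVS, 80.0):
        print(f"WARNING: {name} (snapshot of {origin}) is {pct:.0f}% full")
```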



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread J. Roeleveld
On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
> "J. Roeleveld"  writes:
> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> >> "J. Roeleveld"  writes:

> >> > 
> >> > Yes
> >> > 
> >> >> That would be a huge waste of resources,
> >> > 
> >> > Diskspace and CPU can easily be overcommitted.
> >> 
> >> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> >> memory is not possible with xen.
> > 
> > Overcommitting diskspace isn't such a bad idea, considering most installs
> > never utilize all the available diskspace.
> 
> When they do not use it anyway, there is no reason to give it to them in
> the first place.  And when they do use it, how do the VMs handle the
> problem that they have plenty disk space available, from their point of
> view, while the host which they don't know about doesn't allow them to
> use it?

1 word: Monitoring.
When you overcommit any resource, you need to put monitoring in place.
Then you also need to ensure you have the ability to increase that resource 
when required.

> Besides, overcommitting disk space means to intentionally create a setup
> which involves that the host can run out of disk space easily.  That is
> not something I would want to create for a host which is required to
> function reliably.

The host should not crash when a VM does or when the storage assigned to VMs 
fills up.
If it does, go back to the drawing board and fix your design.

> And how much do you need to worry about the security of the VMs when you
> build in a way for the users to bring the whole machine, or at least
> random VMs, down by using the disk space which has been assigned to
> them?  The users are somewhat likely to do that even unintentionally,
> the more the more you overcommit.

See comment about monitoring.
If all your users tend to fill up all available diskspace, you obviously can 
not overcommit on diskspace.

> > Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At
> > least, I seem to remember reading that somewhere)
> 
> That would be a nice feature.

For VDIs, I might consider using it.
But considering most OSs tend to fill up all available memory with caches, I 
expect performance issues.

> >> >> plus having to take care of a lot of VMs,
> >> > 
> >> > Automated.
> >> 
> >> Like how?
> > 
> > How do you manage a large amount of physical machines?
> > Just change physical to VMs and do it the same.
> > With VMs you have more options for automation.
> 
> Individually, for lack of a better way.  Per user when it comes to
> setting up their MUAs and the like, for lack of any better way.  It
> doesn't make a difference if it's a VM or not, provided that you have
> remote access to the machine.

This is where management tools come into play. (Same methods apply to physical 
and virtual)

When talking MS Windows, domains with their policies are very useful. Couple 
that with WSUS for the patching and software distribution tools for the 
additional software installs, and you have a very nice setup.

For Linux, I would recommend tools like Ansible or Puppet to control the 
software on the machines.

For any OS, I would prevent my users from installing random software. And what 
is installed, would be mostly pre-configured out-of-the-box.

> When you have one VM for many users, you install the MUA only once, and when
> you need to do updates, you do them only once.  When you have many VMs,
> like one for each user, you have to install and update many times, once
> on each VM.

Management tools.

> > Depends on the requirements. It's cheaper than a few hundred separate
> > windows licenses.
> 
> It's still more expensive than one, or than a handful, isn't it?

The same cost applies to running physical boxes instead of VMs.

> > Last time I had to fully reinstall a windows machine it took me a day to
> > do
> > all the updates. Microsoft even has server software that will keep them
> > locally and push them to the clients.
> 
> That would be useful to have.  Where could I download that?
> 
> Last time I installed a VM, it took a week until the updates were
> finally installed, and you have to check on it every now and then to
> find out if it's even doing anything at all.  The time before, it wasn't
> a VM but a very slow machine, and that also took a week.  You can have
> the fastest machine in the world and Windoze always manages to bring it
> down to a slowness we wouldn't have accepted even 20 years ago.

Google for "WSUS".
It's been around for a very long time now (since 2005).

> >> The hardware has already been replaced, and the problem persists.  Other
> >> machines of identical hardware that don't run xen don't show any issues.
> > 
> > I still say the hardware is buggy. With replacing, I meant replace it with
> > different hardware, not a different version of the same buggy stuff.

Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
> In any case, if you aren't going to own the client hardware, you
> basically are going to have to assume it is vulnerable since nobody
> maintains their PCs well.  That means keyboard sniffing, cookie
> stealing, and so on.  If you're web-based a hostile browser could just
> open another session in the background after the user authenticates
> (2-factor or otherwise) and do whatever it wants to.  Granted, I don't
> know if anything is out in the wild which actually does this, and it
> would probably need to be somewhat targeted to work (unless somebody
> has a rootkit that just lets them interactively fire up another
> browser on a VNC display or something using the same browser session).


If that's the case then it sounds like 2FA doesn't really provide any
extra assurance.  It's another layer but if the machine is hacked then
it sounds like it becomes a very thin layer.

I'd most like to allow the remote employee to use their own computer,
but is there any way to have reasonable assurance that a remote
attacker can't log into my web stuff if the employee's computer is
compromised?

With a Chromebook, how can I be assured that the employee is only able
to log into my web stuff with the Chromebook?

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 12:06 PM, Grant  wrote:
>
> I am 100% web-based.  I don't want to administrate machines outside of
> my LAN so I can imagine a Chromebook would end up vulnerable
> eventually.

The whole point of chromebooks is that they auto-update in a timely
fashion, and have a guaranteed end-of-life policy years into the
future.  Sure, not quite as far as Microsoft guarantees, but nobody
runs a Windows laptop for even the length of a typical Chromebook EOL.
The chromebook also has secure boot and a signed OS, so if it is
corrupted it will go into recovery mode.  You just stick a USB drive
with a rescue image on it (which you can create from any PC with a
chrome browser or an installer) and it fixes itself.  I don't think
you can even turn off auto-updates - they're designed to be
idiot-proof.  I'm not sure if as an enterprise administrator you can
set up a policy to force a reboot to update within n days or such if
it hasn't been shut down already after an update.

In any case, if you aren't going to own the client hardware, you
basically are going to have to assume it is vulnerable since nobody
maintains their PCs well.  That means keyboard sniffing, cookie
stealing, and so on.  If you're web-based a hostile browser could just
open another session in the background after the user authenticates
(2-factor or otherwise) and do whatever it wants to.  Granted, I don't
know if anything is out in the wild which actually does this, and it
would probably need to be somewhat targeted to work (unless somebody
has a rootkit that just lets them interactively fire up another
browser on a VNC display or something using the same browser session).

Sure, a Chromebook will cost you $150, but that seems like a token
expense for an employee and it buys you a LOT of security.  You can do
the same thing on another OS, but you're going to end up adding on a
lot of stuff on top of the OS to make it work, and I'm certain the
administrative overhead would be much higher.  A chromebook is
basically what you get if you take a linux desktop and lock everything
down with TPM support and secure boot - they're even based on Gentoo.
Sure, you can DIY, but you're not going to do better without the
hardware support.

> Someone mentioned 2-factor authentication which sounds interesting.
> Are there good options for that besides SMS and Google Authenticator
> (or a similar mobile app)?  Is there a good 2FA server in Portage?  Is
> 2FA ever defeated in real life without the user's phone?

Do you mean you don't want something that involves typing in a TOTP or
similar?  Google Authenticator just uses RFC 6238 so you can use any
other compliant client to generate the codes - I'm sure those exist
for Linux, but if you're going to do that you might as well just use
an RSA-based authentication since if you can steal the client key you
can steal the RFC6238 key.  The whole point of 2-factor is that the
second factor tends to be something that isn't on the same PC as the
client.

There is a PAM-based authenticator in portage for Google
Authenticator, which again should work with anything RFC 6238
compliant.  I use it for ssh password logins and it works great (well,
aside from having to reach for my phone anytime I log in via an
untrusted computer).

A much older option is s/key.  I'm sure that is still around as well,
but I don't think it really has any advantages over RFC6238.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld  wrote:
> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>>
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.
>...
> The biggest reason why I don't use KVM is the lack of full snapshot
> functionality. Snapshotting disks is nice, but you end up with an unclean-
> shutdown situation and anything that's not yet committed to disk is gone.
>

Seems like on linux a straightforward design would be spinning up
containers on demand, with snapshots underneath.  Granted, somebody
still needs to build it, but spinning up a container per user isn't
much more resource-intensive than just running x2go with multiple
users in a single namespace which is how it works today.  It certainly
would be less wasteful than a full VM.  They also launch and shutdown
super-fast.

Of course, this is a linux-only solution (or BSD I believe).  You're
not going to be able to do this with OSX/Windows guests.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 06:07:33 AM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld  wrote:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> You would have a full VM for each user?
> > 
> > Yes
> > 
> >> That would be a huge waste of resources,
> > 
> > Diskspace and CPU can easily be overcommitted.
> >
> >...
> >
> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
> 
> Seems like on linux a straightforward design would be spinning up
> containers on demand, with snapshots underneath.  Granted, somebody
> still needs to build it, but spinning up a container per user isn't
> much more resource-intensive than just running x2go with multiple
> users in a single namespace which is how it works today.  It certainly
> would be less wasteful than a full VM.  They also launch and shutdown
> super-fast.
> 
> Of course, this is a linux-only solution (or BSD I believe).  You're
> not going to be able to do this with OSX/Windows guests.

A similar solution is generally done with VDI implementations as well.
Replace "container" with VM and you have the same.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Grant
>> Suppose you use a VPN connection.  How does the client (employee)
>> secure their own network and the machine they're using to work remotely
>> then?
>
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.


This is the same mentality I have.


> As I mentioned in my other post, there might be some exceptions if
> you're dealing with highly-skilled IT security employees or something
> like that, but most people don't take nearly the level of care with
> their clients as you're probably going to want them to.


Generally my employees are not technically inclined.


> It sounds like Grant is concerned enough about his application to
> restrict logins to a specific IP (presumably it uses SSL and sign-ons
> as well).  If you care THAT much about where valid users can connect
> from, I don't see why you'd just let them VPN into your LAN running
> who-knows-what-rootkit on their workstations.
>
> If you're truly 100% web-based I'd just go the chromebook route.  If
> not, I'd issue laptops that you control with full-disk encryption, and
> you can then set them up however you need to.


I am 100% web-based.  I don't want to administrate machines outside of
my LAN so I can imagine a Chromebook would end up vulnerable
eventually.

Someone mentioned 2-factor authentication which sounds interesting.
Are there good options for that besides SMS and Google Authenticator
(or a similar mobile app)?  Is there a good 2FA server in Portage?  Is
2FA ever defeated in real life without the user's phone?

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
"J. Roeleveld"  writes:

> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On 17 January 2016 18:35:20 CET, Mick  wrote:
>> > 
>> > [...]
>> > 
>> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >>work,
>> >>but have never tried to set up something similar at home.  What
>> >>opensource
>> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >>
>> > I'd love to do this myself as well.
>> > 
>> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
>> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
>> > VM display. (Spice or VNC)
>> > 
>> > Then you need some way of authenticating users and providing access to the
>> > client software. [...]
>> 
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.

Overcommitting disk space sounds like a very bad idea.  Overcommitting
memory is not possible with xen.

>> plus having to take care of a lot of VMs,
>
> Automated.

Like how?

>> plus having to buy  a lot of Windoze licenses
>
> Volume licensing takes care of that.

expensive

>> and taking about a week to install the updates
>> after installing a VM.
>
> Never heard of VM templates?

It still takes a week to put the updates onto the template.

>> Add to that that the xen host goes down at
>> random time intervals (because the sending queue of the network card
>> times out for reasons that cannot be determined) which can be as long as
>> a day, a week or even up to three weeks, and you are likely to become a
>> rather unhappy administrator.
>
> Sorry, but I consider that a bug in your hardware. If it's really that 
> unstable, replace it.
> I've been running Xen enabled servers for nearly 15 years. Never had issues 
> like that. If it were truly that unstable, it wouldn't be gaining popularity.

The hardware has already been replaced, and the problem persists.  Other
machines of identical hardware that don't run xen don't show any issues.

>> Try kvm instead, and you'll find that
>> it's impossible to migrate the VMs from xen to to kvm when you want to
>> use virtio drivers because you can't install them on an existing Windoze
>> VM.
>
> Not a problem with the virtualisation technology. It is an issue with driver 
> management inside MS Windows.
> There are ways to migrate VMs successfully, I just don't see the point in 
> wasting time for that.

It's time consuming when you have to reinstall the VMs to migrate them
to kvm.  And when you don't have the installers of all the software
that's on some of the VMs and can't get them, you either have to run
them without virtio drivers or you can't migrate them.

> The biggest reason why I don't use KVM is the lack of full snapshot 
> functionality. Snapshotting disks is nice, but you end up with an unclean-
> shutdown situation and anything that's not yet committed to disk is gone.

I'm not sure what you mean.  When you take a snapshot while the VM is not
shut down, what difference does it make whether you use xen or kvm?

>> Then there's the question how well vnc or spice connections work over a
>> VPN that goes over the internet.
>
> VNC works quite well, as long as you use a minimal desktop. (like blackbox).
> Don't expect KDE or Gnome to be usable.
> I haven't tried Spice yet, but I've read that it performs better.

It's not like you had a choice when you have Windoze VMs.

>> It's not like the employees could get
>> reliable internet connections with sufficient bandwidth, not to mention
>> that the company would have to get one in the first place, which isn't
>> much easier to get, if any.
>
> That depends on where you are.

In this country, you have to be really lucky to find a place where you
can get a decent internet connection.

> The company could host the servers in a decent datacentre, which should take 
> care of the bandwidth issues.

And give all their data out of hands?  And how much does that cost?

> For the employees, if they want to work from home, it's up to them to ensure 
> they have a reliable connection.

It is as much a problem for the company when they want the employees to
work at home.  And the employees don't have a choice, they can only get
a connection they can get.

>> It might work in theory.  How would it be feasible in practice?
>
> Plenty of companies do it this way. If you don't want to pay for software
> like XenDesktop, you need to do all the work setting it up yourself.

VNC is somewhat slow over a 1Gbit LAN.  Did they find some way to
overcome this problem?

This sounds like it is for people with unlimited resources.

BTW, access a VM through VNC, and you don't even have any way to make
the mouse pointer in the VNC window actually follow the mouse pointer
you're using, which makes it rather annoying to do anything in the VM
you're 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
 writes:

> lee  wrote:
>
>> Rich Freeman  writes:
>> 
>> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
>> >> Suppose you use a VPN connection.  How does the client
>> >> (employee) secure their own network and the machine they're using
>> >> to work remotely then?
>> >
>> > Poorly, most likely.  Your data is probably not nearly as important
>> > to them as their data is, and most people don't take great care of
>> > their own data.
>> 
>> That's not what I meant to ask.  Assume you are an employee supposed
>> to work from home through a VPN connection:  How do you protect your
>> LAN?
>
> Depends on the VPN connection. If you use an OpenVPN client on your PC
> then it is sufficient to use a well configured firewall (ufw, iptables 
> or whatever) on this PC.

The PC would be connected to the LAN, even if only to have an internet
connection for the VPN.  I can only guess: Wouldn't that require putting
this PC behind a firewall that separates it from the LAN to protect the
LAN?

> If you use a VPN gateway then you could 
> configure this gateway (or a firewall behind) in a way that it blocks 
> incoming connections from the VPN tunnel. 

Hm.  I'd prefer to avoid having to run another machine as such a
firewall because electricity is way too expensive here.  And I don't
know if the gateway could be configured in such a way.

> IMHO there is no more risk to use a VPN connection than with any other
> Internet connection.

But it's a double connection, one to the internet, and another one to
another network, so you'd have to somehow manage to set up some sort of
double protection.  Setting up a VPN alone is more than difficult enough
already.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
Rich Freeman  writes:

> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>> Rich Freeman  writes:
>>
>>> However, while an RDP-like solution protects you from some types of
>>> attacks, it still leaves you open to many client-side problems like
>>> keylogging.  I don't know any major corporation that lets people RDP
>>> into their applications in general.
>>
>> What do they use instead?
>>
>
> As I mentioned in my previous email - they just hand all their
> employees laptops.  Control the hardware, control the software,
> control the security...

I mean instead of rdp.  It's a simple solution which works really well
on a LAN with Windoze.  What's the equivalent that works with Linux?

I wouldn't try it over an internet connection, though, it requires too
much bandwidth.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
> Rich Freeman  writes:
>> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>>> Rich Freeman  writes:
>>>
>>>> However, while an RDP-like solution protects you from some types of
>>>> attacks, it still leaves you open to many client-side problems like
>>>> keylogging.  I don't know any major corporation that lets people RDP
>>>> into their applications in general.
>>>
>>> What do they use instead?
>>>
>>
>> As I mentioned in my previous email - they just hand all their
>> employees laptops.  Control the hardware, control the software,
>> control the security...
>
> I mean instead of rdp.  It's a simple solution which works really well
> on a LAN with Windoze.  What's the equivalent that works with Linux?

Well, I've never been in a company that runs Linux on the desktop, or
which even provides VDIs for Windows.  The most common solution is to
provide windows laptops to users with various software packages for
management/security/etc.

The closest thing to RDP for Linux that I'm aware of is various
NX-based implementations, like x2go, which I've mentioned a few times.
It can be somewhat finicky.  And of course there is VNC, which is much
less efficient.  I don't think either really gets to the level of RDP
in general.

I do sometimes wonder how the #1 server OS in the world somehow lacks
decent facilities for graphical remote login, and for sharing files
across the network.  (For the latter NFS is a real pain to set up in a
remotely secure fashion - part of the problem is that it is hard to
use some kind of a UUID to drive file permissions, and kerberos/etc is
a pain to set up.  There is certainly nothing approaching the ease of
just setting a password on a share or connecting to a windows domain
(even a samba-driven one)).

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel
 wrote:
>
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.
>

Don't want to sound like a broken record, but this is precisely why
containers are so attractive.  You can set hard limits wherever you
want, but otherwise absolutely everything can be
over-committed/shared/etc to the degree you desire.  They're just
processes and namespaces and cgroups and so on.  You just have to be
willing to live with whatever kernel is running on the host.  Of
course, it isn't a solution for Windows, and there aren't any mature
VDI-oriented solutions I'm aware of.  However, running as non-root in
a container should be very secure so there is no reason it couldn't be
done.  I just spun up a new container yesterday to test out burp
(alas, ago beat me to the stablereq) and the server container is using
all of 54M total / 3M RSS (some of that because I like to run sshd and
so on inside).  I can afford to run a LOT of those.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 10:33 PM,   wrote:
>
> Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> then even NFS or FTP are possibilities.

I have 100 computers.  I want a user on those 100 computers to be able
to share a file on their computer with just me.  On windows they just
right-click and pick sharing, search for my name on the domain, and
grant me permissions.  You're not going to get an experience anything
like that with scp or nfs or ftp.  Heck, nfs is almost completely
insecure in the way most people use it.

I don't just want to copy a file from point A to point B.  I want to
have a robust set of permissions and security and so on behind that.
If a user changes their password, that password gets them access to
everything they used to have access to, and none of those random
clients ever see the password.

Sure, you can do it on linux with lots of NFSv4 and kerberos and all
that.  But it is painful to set up and almost nobody actually seems to
do it as a result.  You can also do something like Bitlocker on linux,
but there isn't a single distro that supports it out of the box
because it uses a lot of features nobody has bothered to seriously
develop.  (Before somebody points out LUKS, be aware that Bitlocker
lets you do full-disk encryption that is secure without having to
actually type a decryption key at any point.  Remove the hard drive or
boot from a CD, and the disks are unreadable - you can only read them
if you boot off them on the original PC.)

It is just a bit frustrating to behold.  But, I'm getting what I'm
paying for, so...  :)

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
Rich Freeman  wrote:

> On Mon, Jan 18, 2016 at 10:33 PM,   wrote:
> >
> > Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> > then even NFS or FTP are possibilities.
> 
> I have 100 computers.  I want a user on those 100 computers to be able
> to share a file on their computer with just me.  On windows they just
> right-click and pick sharing, search for my name on the domain, and
> grant me permissions.  You're not going to get an experience anything
> like that with scp or nfs or ftp.  Heck, nfs is almost completely
> insecure in the way most people use it.

I'm an absolute windows noob. I only use it for graphics work. I even
didn't know that such a kind of file sharing is possible with it. :-)
 
> I don't just want to copy a file from point A to point B.  I want to
> have a robust set of permissions and security and so on behind that.
> If a user changes their password, that password gets them access to
> everything they used to have access to, and none of those random
> clients ever see the password.
> 
> Sure, you can do it on linux with lots of NFSv4 and kerberos and all
> that.  But it is painful to set up and almost nobody actually seems to
> do it as a result.  You can also do something like Bitlocker on linux,
> but there isn't a single distro that supports it out of the box
> because it uses a lot of features nobody has bothered to seriously
> develop.  (Before somebody points out LUKS, be aware that Bitlocker
> lets you do full-disk encryption that is secure without having to
> actually type a decryption key at any point.  Remove the hard drive or
> boot from a CD, and the disks are unreadable - you can only read them
> if you boot off them on the original PC.)

I never thought about such operating ranges. But maybe these are some 
of the reasons why windows held 43% of the server OS market share in 
Q4/2013, according to an article that I read some months ago.

> It is just a bit frustrating to behold.  But, I'm getting what I'm
> paying for, so...  :)

That's right. I think that the effort and the outlay to implement all
these features in Linux is relatively high. It seems that no vendor
is willing to assume such a financial risk.

Maybe it is time for another crowdfunding campaign? ;-)

--
Regards
wabe



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
Rich Freeman  wrote:

> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I think Linux is only #1 in the area of web services. For this you 
don't really need a graphical remote login. I think the main reason for 
the windows terminal server is that windows couldn't be configured via 
console login (SSH) in the same way as Linux could.

But of course it would be very nice to have an RDP-like feature for 
Linux with the same efficiency as RDP under Windows. This would really 
expand the facilities of Linux as a desktop-based server.

Sharing files can be done via SCP/SFTP. If a VPN connection is used, 
then even NFS or FTP are possibilities. For all of these connections 
you can also use graphical clients.

Just my two cents. I'm sure that you are already aware of this.

--
Regards
wabe



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> "J. Roeleveld"  writes:
> 
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On 17 January 2016 18:35:20 CET, Mick  wrote:
> >> > 
> >> > [...]
> >> > 
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home.  What
> >> >>opensource
> >> >>software would I need for this?  Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> > 
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
> >> > VM display. (Spice or VNC)
> >> > 
> >> > Then you need some way of authenticating users and providing access to 
> >> > the
> >> > client software. [...]
> >> 
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
> 
> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> memory is not possible with xen.
> 

Depends on how the load is. Right now I have a 500GB HDD at work. I use
VirtualBox and vagrant for testing various software. Every VM in
VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
Add in all the other stuff on my system, which includes a 200GB dataset,
and the disk is overcommitted. Of course, none of the VirtualBox disks
use anywhere near 50GB.

All Joost is saying is that most resources can be overcommitted, since
all the users will not be using all their resources at the same time.

Alec



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
lee  wrote:

>  writes:
> 
> > lee  wrote:
> >
> >> Rich Freeman  writes:
> >> 
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> >> Suppose you use a VPN connection.  How does the client
> >> >> (employee) secure their own network and the machine they're
> >> >> using to work remotely then?
> >> >
> >> > Poorly, most likely.  Your data is probably not nearly as
> >> > important to them as their data is, and most people don't take
> >> > great care of their own data.
> >> 
> >> That's not what I meant to ask.  Assume you are an employee
> >> supposed to work from home through a VPN connection:  How do you
> >> protect your LAN?
> >
> > Depends on the VPN connection. If you use an OpenVPN client on your
> > PC then it is sufficient to use a well configured firewall (ufw,
> > iptables or whatever) on this PC.
> 
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN.  I can only guess: Wouldn't that require to
> put this PC behind a firewall that separates it from the LAN to
> protect the LAN?

Of course a separate firewall is better than a firewall on the PC, 
because it may protect the LAN even when the PC is compromised. But 
if the PC is compromised and has access to the LAN through the 
separate firewall (which is mostly the case) then the protection is 
more or less porous (depending on the firewall rules).

If you don't have a separate firewall but only a firewall on the (not 
compromised) PC, then the LAN should be safe as long as you haven't
enabled IP forwarding on the PC and as long as the VPN is 
configured in a way that there is only a route to your PC and not
to the rest of your LAN. 

Even if you have enabled IP forwarding on the PC and even if the VPN 
has a route to the whole LAN, the LAN should nevertheless be safe 
when the firewall on the PC is configured to block all incoming 
connections. 

Of course the blocking of all incoming connections implies that the 
PC is acting as a client only.

> > If you use a VPN gateway then you could 
> > configure this gateway (or a firewall behind) in a way that it
> > blocks incoming connections from the VPN tunnel. 
> 
> Hm.  I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here.  And I don't
> know if the gateway could be configure in such a way.

All VPN gateways that I know also have a built-in firewall. If your
gateway doesn't, then you should ask yourself what is more expensive -
a separate firewall or a hacked LAN?
But in this case I would prefer to use the PC as OpenVPN client.

> > IMHO there is no more risk to use a VPN connection than with any
> > other Internet connection.
> 
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort
> of double protection. 

See above.

> Setting up a VPN alone is more than difficult enough already.

This depends on the VPN that you (have to) use. If you set up the VPN 
on both sides then you probably can choose what kind of VPN you wanna 
use.

OpenVPN isn't really difficult to set up. If you don't wanna use PSK
but X509 authorization, then the most complicated thing is the creation
of the certs. But with the help of Google (or DuckDuckGo), this is 
quickly done. There is lots of information about setting up an OpenVPN 
connection.

--
Regards
wabe 



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 09:45:28 PM Alec Ten Harmsel wrote:
> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> > "J. Roeleveld"  writes:
> > > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> > >> "J. Roeleveld"  writes:
> > >> > On 17 January 2016 18:35:20 CET, Mick 
> > >> > wrote:
> > >> > 
> > >> > [...]
> > >> > 
> > >> >>I use the icaclient provided by Citrix to access my virtual desktop
> > >> >>at
> > >> >>work,
> > >> >>but have never tried to set up something similar at home.  What
> > >> >>opensource
> > >> >>software would I need for this?  Is there a wiki somewhere to follow?
> > >> >>
> > >> > I'd love to do this myself as well.
> > >> > 
> > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> > >> > need
> > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> > >> > the
> > >> > VM display. (Spice or VNC)
> > >> > 
> > >> > Then you need some way of authenticating users and providing access
> > >> > to the
> > >> > client software. [...]
> > >> 
> > >> You would have a full VM for each user?
> > > 
> > > Yes
> > > 
> > >> That would be a huge waste of resources,
> > > 
> > > Diskspace and CPU can easily be overcommitted.
> > 
> > Overcommitting disk space sounds like a very bad idea.  Overcommitting
> > memory is not possible with xen.
> 
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.
> 
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

If disk-space is considered too expensive, you could even have every VM use 
the same base image. And have them store only the differences of the disk.
eg:
1) Create a VM
2) Snapshot the disk (with the VM shutdown)
3) create a new VM based on the snapshot

Repeat 2 and 3 for as many clones as you want.

Most installs don't change that much when dealing with standardized desktops.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> "J. Roeleveld"  writes:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On 17 January 2016 18:35:20 CET, Mick 
> >> > wrote:
> >> > 
> >> > [...]
> >> > 
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home.  What
> >> >>opensource
> >> >>software would I need for this?  Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> > 
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> >> > need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> >> > the
> >> > VM display. (Spice or VNC)
> >> > 
> >> > Then you need some way of authenticating users and providing access to
> >> > the
> >> > client software. [...]
> >> 
> >> You would have a full VM for each user?
> > 
> > Yes
> > 
> >> That would be a huge waste of resources,
> > 
> > Diskspace and CPU can easily be overcommitted.
> 
> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> memory is not possible with xen.

Overcommitting diskspace isn't such a bad idea, considering most installs 
never utilize all the available diskspace.
Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At 
least, I seem to remember reading that somewhere)

> >> plus having to take care of a lot of VMs,
> > 
> > Automated.
> 
> Like how?

How do you manage a large amount of physical machines?
Just change physical to VMs and do it the same.
With VMs you have more options for automation.

> >> plus having to buy  a lot of Windoze licenses
> > 
> > Volume licensing takes care of that.
> 
> expensive

Depends on the requirements. It's cheaper than a few hundred separate windows 
licenses.

> >> and taking about a week to install the updates
> >> after installing a VM.
> > 
> > Never heard of VM templates?
> 
> It still takes a week to put the updates onto the template.

Last time I had to fully reinstall a windows machine it took me a day to do 
all the updates. Microsoft even has server software that will keep them 
locally and push them to the clients.

> >> Add to that that the xen host goes down at
> >> random time intervals (because the sending queue of the network card
> >> times out for reasons that cannot be determined) which can be as long as
> >> a day, a week or even up to three weeks, and you are likely to become a
> >> rather unhappy administrator.
> > 
> > Sorry, but I consider that a bug in your hardware. If it's really that
> > unstable, replace it.
> > I've been running Xen enabled servers for nearly 15 years. Never had
> > issues
> > like that. If it were truly that unstable, it wouldn't be gaining
> > popularity.
> The hardware has already been replaced, and the problem persists.  Other
> machines of identical hardware that don't run xen don't show any issues.

I still say the hardware is buggy. With replacing, I meant replace it with 
different hardware, not a different version of the same buggy stuff.

> >> Try kvm instead, and you'll find that
> >> it's impossible to migrate the VMs from xen to to kvm when you want to
> >> use virtio drivers because you can't install them on an existing Windoze
> >> VM.
> > 
> > Not a problem with the virtualisation technology. It is an issue with
> > driver management inside MS Windows.
> > There are ways to migrate VMs successfully, I just don't see the point in
> > wasting time for that.
> 
> It's time consuming when you have to reinstall the VMs to migrate them
> to kvm.  And when you don't have the installers of all the software
> that's on some of the VMs and can't get them, you either have to run
> them without virtio drivers or you can't migrate them.

There are Howtos on the internet describing how to migrate VMs from 1 
technology to another. Shouldn't be too hard.
And keeping the installers at hand is, in my opinion, a requirement of sane 
system management.
I have installers for all the versions of software I deal with.

> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
> 
> I'm not sure what you mean.  When you take a snapshot while the VM is not
> shut down, what difference does it make whether you use xen or kvm?

A "snapshot" for KVM is ONLY the disks.
With Xen, VMWare and Virtualbox, I can also make a snapshot/copy of what's in 
memory. It's that which makes the difference.

> >> Then there's the question how well vnc or spice connections work over a
> >> VPN that goes over the internet.
> > 
> > VNC works quite well, as long as you use a minimal desktop. (like
> > blackbox). Don't expect KDE or Gnome to be usable.
> > I haven't tried Spice yet, 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 08:35:20 PM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
> > Rich Freeman  writes:
> >> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> >>> Rich Freeman  writes:
>  However, while an RDP-like solution protects you from some types of
>  attacks, it still leaves you open to many client-side problems like
>  keylogging.  I don't know any major corporation that lets people RDP
>  into their applications in general.
> >>> 
> >>> What do they use instead?
> >> 
> >> As I mentioned in my previous email - they just hand all their
> >> employees laptops.  Control the hardware, control the software,
> >> control the security...
> > 
> > I mean instead of rdp.  It's a simple solution which works really well
> > on a LAN with Windoze.  What's the equivalent that works with Linux?
> 
> Well, I've never been in a company that runs Linux on the desktop, or
> which even provides VDIs for Windows.  The most common solution is to
> provide windows laptops to users with various software packages for
> management/security/etc.

VDIs are gaining ground in bigger companies as part of the BYOD push.
Especially using Citrix XenDesktop with the icaclient, this works really well.

> The closest thing to RDP for Linux that I'm aware of is various
> NX-based implementations, like x2go, which I've mentioned a few times.
> It can be somewhat finicky.  And of course there is VNC, which is much
> less efficient.  I don't think either really gets to the level of RDP
> in general.
> 
> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I'd love to get something similar to RDP working on linux.
But I'm not sufficiently skilled to implement it all myself.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 01:57:38 AM lee wrote:
> Rich Freeman  writes:
> > On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> >> Rich Freeman  writes:
> >>> However, while an RDP-like solution protects you from some types of
> >>> attacks, it still leaves you open to many client-side problems like
> >>> keylogging.  I don't know any major corporation that lets people RDP
> >>> into their applications in general.
> >> 
> >> What do they use instead?
> > 
> > As I mentioned in my previous email - they just hand all their
> > employees laptops.  Control the hardware, control the software,
> > control the security...
> 
> I mean instead of rdp.  It's a simple solution which works really well
> on a LAN with Windoze.  What's the equivalent that works with Linux?
> 
> I wouldn't try it over an internet connection, though, it requires too
> much bandwidth.

RDP works over an internet connection, even when running it through a VPN 
using a dodgy wifi link over a busy road and a slowish ADSL link.

VNC also, but only when reducing the quality of the display a lot.

Not tried other methods yet.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 02:15:17 AM lee wrote:
>  writes:
> > lee  wrote:
> >> Rich Freeman  writes:
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> >> Suppose you use a VPN connection.  How does the client
> >> >> (employee) secure their own network and the machine they're using
> >> >> to work remotely then?
> >> > 
> >> > Poorly, most likely.  Your data is probably not nearly as important
> >> > to them as their data is, and most people don't take great care of
> >> > their own data.
> >> 
> >> That's not what I meant to ask.  Assume you are an employee supposed
> >> to work from home through a VPN connection:  How do you protect your
> >> LAN?
> > 
> > Depends on the VPN connection. If you use an OpenVPN client on your PC
> > then it is sufficient to use a well configured firewall (ufw, iptables
> > or whatever) on this PC.
> 
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN.  I can only guess: Wouldn't that require to put
> this PC behind a firewall that separates it from the LAN to protect the
> LAN?
> 
> > If you use a VPN gateway then you could
> > configure this gateway (or a firewall behind) in a way that it blocks
> > incoming connections from the VPN tunnel.
> 
> Hm.  I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here.  And I don't
> know if the gateway could be configure in such a way.
> 
> > IMHO there is no more risk to use a VPN connection than with any other
> > Internet connection.
> 
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort of
> double protection.  Setting up a VPN alone is more than difficult enough
> already.

Some of the companies I work with have the laptops set up that when they are 
not connected to the office-LAN, they will only talk via a VPN link to the 
company.
No network connectivity (apart from what's necessary for the VPN) will work 
till the VPN is set up.

Any ideas on how to do this using Linux without having to become root to set 
it up myself?
I like network manager for the ease of setting up WIFI links.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Monday, January 18, 2016 02:02:27 AM lee wrote:
> "J. Roeleveld"  writes:
> > On 17 January 2016 18:35:20 CET, Mick  wrote:
> > 
> > [...]
> > 
> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >>work,
> >>but have never tried to set up something similar at home.  What
> >>opensource
> >>software would I need for this?  Is there a wiki somewhere to follow?
> >>
> > I'd love to do this myself as well.
> > 
> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
> > VM display. (Spice or VNC)
> > 
> > Then you need some way of authenticating users and providing access to the
> > client software. [...]
> 
> You would have a full VM for each user?

Yes

> That would be a huge waste of resources,

Diskspace and CPU can easily be overcommitted.

> plus having to take care of a lot of VMs,

Automated.

> plus having to buy  a lot of Windoze licenses

Volume licensing takes care of that.

> and taking about a week to install the updates
> after installing a VM.

Never heard of VM templates?

> Add to that that the xen host goes down at
> random time intervals (because the sending queue of the network card
> times out for reasons that cannot be determined) which can be as long as
> a day, a week or even up to three weeks, and you are likely to become a
> rather unhappy administrator.

Sorry, but I consider that a bug in your hardware. If it's really that 
unstable, replace it.
I've been running Xen enabled servers for nearly 15 years. Never had issues 
like that. If it were truly that unstable, it wouldn't be gaining popularity.

> Try kvm instead, and you'll find that
> it's impossible to migrate the VMs from xen to to kvm when you want to
> use virtio drivers because you can't install them on an existing Windoze
> VM.

Not a problem with the virtualisation technology. It is an issue with driver 
management inside MS Windows.
There are ways to migrate VMs successfully, I just don't see the point in 
wasting time for that.

The biggest reason why I don't use KVM is the lack of full snapshot 
functionality. Snapshotting disks is nice, but you end up with an unclean-
shutdown situation and anything that's not yet committed to disk is gone.

> Then there's the question how well vnc or spice connections work over a
> VPN that goes over the internet.

VNC works quite well, as long as you use a minimal desktop. (like blackbox).
Don't expect KDE or Gnome to be usable.
I haven't tried Spice yet, but I've read that it performs better.

> It's not like the employees could get
> reliable internet connections with sufficient bandwidth, not to mention
> that the company would have to get one in the first place, which isn't
> much easier to get, if any.

That depends on where you are.
The company could host the servers in a decent datacentre, which should take 
care of the bandwidth issues.
For the employees, if they want to work from home, it's up to them to ensure 
they have a reliable connection.

> It might work in theory.  How would it be feasible in practice?

Plenty of companies do it this way. If you don't want to pay for software like 
XenDesktop, you need to do all the work setting it up yourself.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 12:35 PM, Mick  wrote:
> I use the icaclient provided by Citrix to access my virtual desktop at work,
> but have never tried to set up something similar at home.  What opensource
> software would I need for this?  Is there a wiki somewhere to follow?
>

There might be something newer, but something along the line of x2go
is what you'd want.  It just tunnels over ssh (with a built-in ssh
client) and runs an X server on the remote host which the clients
connect to (you can just launch xfce or whatever for your DM - I'd
avoid anything with fancy 3D), and then it compresses the X11 protocol
and does the presentation on your local workstation.  The X server can
provide immediate replies to clients on its side so that the effects
of latency are greatly diminished.  But, if you launch something like
chromium be prepared to watch the screen paint since it uses
client-side rendering.  All you'll get is big blobs of images sent
over the wire for that window.  However, for anything rendered
server-side you'll get a very interactive experience since the
component on your workstation can do much of the rendering
independently of the actual X11 server, which operates on a delay.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Mick
On Sunday 17 Jan 2016 13:10:42 Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
> > I would prefer a method that is independent of OS used. And provides
> > server side limitations with regards to filesharing and clipboard access.
> x2go is just X11, so it should be OS-independent as long as you have a
> client/server for it.  It just logs in as the appropriate user on the
> remote host, so access beyond that is whatever you'd get if you just
> logged in on a console.
> 
> Now, I can't vouch for how many OSes anybody has bothered to implement it
> on.

I am not sure what Grant's requirements are, but I would think that devs will 
require their own desktop environment and OS instance, rather than x2go's 
shared OS.  Instead of a remote display presentation layer, how could one 
setup a fully virtualised desktop?

-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On 17 January 2016 18:35:20 CET, Mick  wrote:
>On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
>> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
>> > On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
>> > > Actually, there are several large corporations that use RDP-like
>> > > technologies. Although those are called "VDI" and usually use XenDesktop
>> > > on the server side and "icaclient" on the client.
>> > > Runs through HTTPS and apart from keyloggers and screenloggers, there is
>> > > not much that can be done.
>> > > Using 2-factor authentication (RSA-type keys or similar) they're pretty
>> > > secure.
>> > 
>> > Yeah, I would agree with that.  I've set up a few thin client citrix
>> > boxes ages ago.  These days I'd say the web is the bigger trend, and I
>> > agree that 2-factor can greatly reduce the impact of keylogging.  One
>> > of the nice things with one of the SaaS applications we're using at
>> > work is that if we're having connection issues I can just wake up my
>> > console on my home PC next to my VPN'ed laptop and see if the
>> > application is accessible with a complete different route (suffice it
>> > to say I sometimes dread using the office LAN for this reason - I've
>> > seen file transfers go faster over the VPN than the local WiFi).
>> > 
>> > But, if you're still stuck with win32 applications Citrix is certainly
>> > a solution.  I was thinking it might take over the corporate desktop
>> > until everything started moving more towards the web.
>> 
>> XenDesktop is actually a lot nicer than the classical "Citrix".
>> You end up with a full VM rather than a multi-user hack on top of a single
>> user OS.
>> 
>> I prefer to work using VDI/icaclient than with the company supplied laptops.
>> Especially since my own laptop and desktop is nicer to type with and the
>> screen is better quality...
>> 
>> --
>> Joost
>
>I use the icaclient provided by Citrix to access my virtual desktop at work,
>but have never tried to set up something similar at home.  What opensource
>software would I need for this?  Is there a wiki somewhere to follow?

I'd love to do this myself as well.

Citrix sells the full package as 'XenDesktop'. To do it yourself you need a 
VMserver (Xen or similar) and a remote desktop tool that hooks into the VM 
display. (Spice or VNC)

Then you need some way of authenticating users and providing access to the 
client software.

I have not been able to set all that up myself yet, but it is on my wish/todo 
list.

Ideally, I'd like an affordable XenDesktop licencing scheme for a few 
simultaneous users.

--
Joost


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
>
> I would prefer a method that is independent of OS used. And provides server 
> side limitations with regards to filesharing and clipboard access.
>

x2go is just X11, so it should be OS-independent as long as you have a
client/server for it.  It just logs in as the appropriate user on the
remote host, so access beyond that is whatever you'd get if you just
logged in on a console.

Now, I can't vouch for how many OSes anybody has bothered to implement it on.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On 17 January 2016 18:59:36 CET, Rich Freeman  wrote:
>On Sun, Jan 17, 2016 at 12:35 PM, Mick  wrote:
>> I use the icaclient provided by Citrix to access my virtual desktop at work,
>> but have never tried to set up something similar at home.  What opensource
>> software would I need for this?  Is there a wiki somewhere to follow?
>>
>
>There might be something newer, but something along the line of x2go
>is what you'd want.  It just tunnels over ssh (with a built-in ssh
>client) and runs an X server on the remote host which the clients
>connect to (you can just launch xfce or whatever for your DM - I'd
>avoid anything with fancy 3D), and then it compresses the X11 protocol
>and does the presentation on your local workstation.  The X server can
>provide immediate replies to clients on its side so that the effects
>of latency are greatly diminished.  But, if you launch something like
>chromium be prepared to watch the screen paint since it uses
>client-side rendering.  All you'll get is big blobs of images sent
>over the wire for that window.  However, for anything rendered
>server-side you'll get a very interactive experience since the
>component on your workstation can do much of the rendering
>independently of the actual X11 server, which operates on a delay.

X2go and similar works like RDP for windows allowing multiple users on the same 
host.

I would prefer a method that is independent of OS used. And provides server 
side limitations with regards to filesharing and clipboard access.

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
"J. Roeleveld"  writes:

> On 17 January 2016 18:35:20 CET, Mick  wrote:

> [...]
>>I use the icaclient provided by Citrix to access my virtual desktop at work,
>>but have never tried to set up something similar at home.  What opensource
>>software would I need for this?  Is there a wiki somewhere to follow?
>
> I'd love to do this myself as well.
>
> Citrix sells the full package as 'XenDesktop'. To do it yourself you need a 
> VMserver (Xen or similar) and a remote desktop tool that hooks into the VM 
> display. (Spice or VNC)
>
> Then you need some way of authenticating users and providing access to the 
> client software.
> [...]

You would have a full VM for each user?  That would be a huge waste of
resources, plus having to take care of a lot of VMs, plus having to buy
a lot of Windoze licenses and taking about a week to install the updates
after installing a VM.  Add to that that the xen host goes down at
random time intervals (because the sending queue of the network card
times out for reasons that cannot be determined) which can be as long as
a day, a week or even up to three weeks, and you are likely to become a
rather unhappy administrator.  Try kvm instead, and you'll find that
it's impossible to migrate the VMs from xen to kvm when you want to
use virtio drivers because you can't install them on an existing Windoze
VM.

Then there's the question how well vnc or spice connections work over a
VPN that goes over the internet.  It's not like the employees could get
reliable internet connections with sufficient bandwidth, not to mention
that the company would have to get one in the first place, which isn't
much easier to get, if any.

It might work in theory.  How would it be feasible in practice?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread wabenbau
lee  wrote:

> Rich Freeman  writes:
> 
> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> Suppose you use a VPN connection.  How does the client
> >> (employee) secure their own network and the machine they're using
> >> to work remotely then?
> >
> > Poorly, most likely.  Your data is probably not nearly as important
> > to them as their data is, and most people don't take great care of
> > their own data.
> 
> That's not what I meant to ask.  Assume you are an employee supposed
> to work from home through a VPN connection:  How do you protect your
> LAN?

Depends on the VPN connection. If you use an OpenVPN client on your PC
then it is sufficient to use a well configured firewall (ufw, iptables 
or whatever) on this PC. If you use a VPN gateway then you could 
configure this gateway (or a firewall behind) in a way that it blocks 
incoming connections from the VPN tunnel. 

IMHO there is no more risk to use a VPN connection than with any other
Internet connection.

--
Regards
wabe
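The two cases wabe describes above (an OpenVPN client on the PC itself, or a VPN gateway with a firewall behind it) rendered as host firewall rules. This is an added example, not something posted in the thread: the interface names tun0 and eth0 are assumptions, and the rules are emitted as text so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules that keep a home LAN
# closed towards the VPN tunnel. VPN_IF and LAN_IF are assumed names.

VPN_IF="tun0"   # assumed: interface the OpenVPN client brings up
LAN_IF="eth0"   # assumed: home LAN side of a gateway that terminates the VPN

# Case 1: the OpenVPN client runs on the work PC. Replies to flows the PC
# itself started through the tunnel are allowed back in; anything the remote
# side initiates towards the PC over the tunnel is dropped. Other interfaces
# are left alone, so the rest of the PC's firewall is unaffected.
pc_tunnel_rules() {
cat <<EOF
iptables -A INPUT -i ${VPN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${VPN_IF} -j DROP
EOF
}

# Case 2: a gateway terminates the tunnel for the whole LAN. The gateway
# protects itself with the same INPUT rules, and in FORWARD it only lets
# tunnel packets through to the LAN when a LAN host started the flow; new
# connections arriving from the VPN side towards LAN hosts are dropped.
gateway_tunnel_rules() {
pc_tunnel_rules
cat <<EOF
iptables -A FORWARD -i ${LAN_IF} -o ${VPN_IF} -j ACCEPT
iptables -A FORWARD -i ${VPN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${VPN_IF} -o ${LAN_IF} -j DROP
EOF
}

# Review first, then apply as root with e.g.:  gateway_tunnel_rules | sh
echo "# PC running the OpenVPN client:"
pc_tunnel_rules
echo "# Gateway terminating the tunnel:"
gateway_tunnel_rules
```

The rules assume the default policy on INPUT and FORWARD is otherwise handled by your existing ruleset; the DROP on the tunnel interface only closes the direction the VPN opens up, which is the risk wabe is answering.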



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
Rich Freeman  writes:

> On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> Suppose you use a VPN connection.  How does the client (employee)
>> secure their own network and the machine they're using to work remotely
>> then?
>
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.

That's not what I meant to ask.  Assume you are an employee supposed to
work from home through a VPN connection:  How do you protect your LAN?


> [...]
>> What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
>> usually require a lot of bandwidth, and I wouldn't know how to run it as
>> a service so that someone could just start a client (like rdesktop) and
>> log in to the server as they can do with Windoze servers. --- I only
>> found x11rdp which appears to be incompatible with current X servers.
>
> There is stuff like x2go and other NX-like technologies, but the
> trend seems to be towards client-side rendering which makes them
> perform about as well as VNC.  I mostly gave up on it ages ago - it
> was fairly fragile to keep working as well.  I do know one of the
> maintainers - perhaps it has gotten better in recent years.
>
> However, while an RDP-like solution protects you from some types of
> attacks, it still leaves you open to many client-side problems like
> keylogging.  I don't know any major corporation that lets people RDP
> into their applications in general.

What do they use instead?

This sounds as if it's basically impossible to work from a remote
location, at least when Linux comes into it at some point.

> [...]



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> Rich Freeman  writes:
>
>> However, while an RDP-like solution protects you from some types of
>> attacks, it still leaves you open to many client-side problems like
>> keylogging.  I don't know any major corporation that lets people RDP
>> into their applications in general.
>
> What do they use instead?
>

As I mentioned in my previous email - they just hand all their
employees laptops.  Control the hardware, control the software,
control the security...


-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> Suppose you use a VPN connection.  How does the client (employee)
> secure their own network and the machine they're using to work remotely
> then?

Poorly, most likely.  Your data is probably not nearly as important to
them as their data is, and most people don't take great care of their
own data.

As I mentioned in my other post, there might be some exceptions if
you're dealing with highly-skilled IT security employees or something
like that, but most people don't take nearly the level of care with
their clients as you're probably going to want them to.


> What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
> usually require a lot of bandwidth, and I wouldn't know how to run it as
> a service so that someone could just start a client (like rdesktop) and
> log in to the server as they can do with Windoze servers. --- I only
> found x11rdp which appears to be incompatible with current X servers.

There is stuff like x2go and other NX-like technologies, but the
trend seems to be towards client-side rendering which makes them
perform about as well as VNC.  I mostly gave up on it ages ago - it
was fairly fragile to keep working as well.  I do know one of the
maintainers - perhaps it has gotten better in recent years.

However, while an RDP-like solution protects you from some types of
attacks, it still leaves you open to many client-side problems like
keylogging.  I don't know any major corporation that lets people RDP
into their applications in general.

It sounds like Grant is concerned enough about his application to
restrict logins to a specific IP (presumably it uses SSL and sign-ons
as well).  If you care THAT much about where valid users can connect
from, I don't see why you'd just let them VPN into your LAN running
who-knows-what-rootkit on their workstations.

If you're truly 100% web-based I'd just go the chromebook route.  If
not, I'd issue laptops that you control with full-disk encryption, and
you can then set them up however you need to.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
Mick  writes:

> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
>> On 16/01/2016 06:17, Grant wrote:
>> > I'm considering allowing some employees to work from home but I'm
>> > concerned about the security implications.  Currently everybody shows up
>> > and logs into their locked down Gentoo system and from there is able to
>> > access the company webapps which are restricted to the office IP
>> > address.  I guess I would have to allow webapp access from any IP for
>> > those users and trust that their computer is secure?  Should that not be
>> > scary?
>> > 
>> > - Grant
>> 
>> I have experience in this area. I work at ISPs where working from home
>> is routine and required for overnight standby.
>> 
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
>> the security levels you need. Use the Layer3 routing option that uses
>> tun drivers (not tap) and issue the certificates to the users yourself.
>> Then allow your servers to accept connections from the VPN range as well
>> as the internal office range
>> 
>> As for the security levels of their personal machines, tell them what
>> you require and from that point on you really have to trust your people
>> so be security aware and with the program.
>
> Some other alternatives and thoughts to solutions already proposed are:
>
> 1.  Only allow access through the office firewall and webapp servers to the
> IP addresses of your employees.  This would only work if your employees have
> static IP addresses and are few in number - otherwise you are creating an
> administrative burden.  I assume that the client connection to the webapp
> server will be over some secure protocol, e.g. SSH, SSL/TLS.  Otherwise,
> you'll need an encrypted tunnel (see below).
>
> 2. Instead of OpenVPN which has been recommended I suggest that you take a
> look at IPSec with IKEv2.  IPSec + IKEv2 provides higher throughput because
> encryption/decryption is performed in the kernel, rather than userspace and
> because it allows for multi-threading, which last time I looked OpenVPN does
> not.  In addition, IKEv2 employs the MOBIKE protocol which allows mobile
> client roaming.  Changing client IP addresses is handled automatically,
> without having to manually restart the VPN session.  All this said, if your
> use case has low throughput demand then OpenVPN would work fine.  In both
> cases, use strong encryption.
>
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of
> tap, I should add that if you have deployed MSWindows or other clients and
> services with non-IP protocols, then you'll probably need a tap bridge to
> make sure that all services can get through.  The client machines will then
> become part of your LAN.  Depending on client numbers you may need more than
> one VLAN segment and multiple OpenVPN servers.
>
> 4. An easier and simpler alternative may be to run SSH SOCKS proxy on the
> server and proxychains on the clients.  Any software run with proxychains on
> the client will be tunnelled via SSH to the server and from a network
> perspective will be connected to the office LAN.  Webapps should be able to
> run quite efficiently in this way and connect to the LAN server.  Public key
> authentication and an SSH high port should keep pests away.

Suppose you use a VPN connection.  How does the client (employee)
secure their own network and the machine they're using to work remotely
then?

What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
usually require a lot of bandwidth, and I wouldn't know how to run it as
a service so that someone could just start a client (like rdesktop) and
log in to the server as they can do with Windoze servers. --- I only
found x11rdp which appears to be incompatible with current X servers.

Then there's LTSP.  Leaving aside that there are no thin clients with
sufficient graphics performance:  would it be possible to do that over a
VPN connection, provided that the VPN connection doesn't put the rest of
the network on the client side at risk?

That said, I'm finding OpenVPN anything but easy to set up.  How
is that with IPsec and IKEv2?

Proxychains sounds interesting.  Is it possible to run rdesktop through
that?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Sunday, January 17, 2016 07:27:45 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> > Suppose you use a VPN connection.  How does the client (employee)
> > secure their own network and the machine they're using to work remotely
> > then?
> 
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.
> 
> As I mentioned in my other post, there might be some exceptions if
> you're dealing with highly-skilled IT security employees or something
> like that, but most people don't take nearly the level of care with
> their clients as you're probably going to want them to.
> 
> > What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
> > usually require a lot of bandwidth, and I wouldn't know how to run it as
> > a service so that someone could just start a client (like rdesktop) and
> > log in to the server as they can do with Windoze servers. --- I only
> > found x11rdp which appears to be incompatible with current X servers.
> 
> There is stuff like x2go and other NX-like technologies, but the
> trend seems to be towards client-side rendering which makes them
> perform about as well as VNC.  I mostly gave up on it ages ago - it
> was fairly fragile to keep working as well.  I do know one of the
> maintainers - perhaps it has gotten better in recent years.
> 
> However, while an RDP-like solution protects you from some types of
> attacks, it still leaves you open to many client-side problems like
> keylogging.  I don't know any major corporation that lets people RDP
> into their applications in general.

Actually, there are several large corporations that use RDP-like technologies.
Although those are called "VDI" and usually use XenDesktop on the server side 
and "icaclient" on the client.
Runs through HTTPS and apart from keyloggers and screenloggers, there is not 
much that can be done.
Using 2-factor authentication (RSA-type keys or similar) they're pretty 
secure.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
> > Actually, there are several large corporations that use RDP-like
> > technologies. Although those are called "VDI" and usually use XenDesktop
> > on the server side and "icaclient" on the client.
> > Runs through HTTPS and apart from keyloggers and screenloggers, there is
> > not much that can be done.
> > Using 2-factor authentication (RSA-type keys or similar) they're pretty
> > secure.
> 
> Yeah, I would agree with that.  I've set up a few thin client citrix
> boxes ages ago.  These days I'd say the web is the bigger trend, and I
> agree that 2-factor can greatly reduce the impact of keylogging.  One
> of the nice things with one of the SaaS applications we're using at
> work is that if we're having connection issues I can just wake up my
> console on my home PC next to my VPN'ed laptop and see if the
> application is accessible with a completely different route (suffice it
> to say I sometimes dread using the office LAN for this reason - I've
> seen file transfers go faster over the VPN than the local WiFi).
> 
> But, if you're still stuck with win32 applications Citrix is certainly
> a solution.  I was thinking it might take over the corporate desktop
> until everything started moving more towards the web.

XenDesktop is actually a lot nicer than the classical "Citrix".
You end up with a full VM rather than a multi-user hack on top of a single 
user OS.

I prefer to work using VDI/icaclient than with the company supplied laptops. 
Especially since my own laptop and desktop are nicer to type with and the 
screen is better quality...

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
>
> Actually, there are several large corporations that use RDP-like technologies.
> Although those are called "VDI" and usually use XenDesktop on the server side
> and "icaclient" on the client.
> Runs through HTTPS and apart from keyloggers and screenloggers, there is not
> much that can be done.
> Using 2-factor authentication (RSA-type keys or similar) they're pretty
> secure.
>

Yeah, I would agree with that.  I've set up a few thin client citrix
boxes ages ago.  These days I'd say the web is the bigger trend, and I
agree that 2-factor can greatly reduce the impact of keylogging.  One
of the nice things with one of the SaaS applications we're using at
work is that if we're having connection issues I can just wake up my
console on my home PC next to my VPN'ed laptop and see if the
application is accessible with a completely different route (suffice it
to say I sometimes dread using the office LAN for this reason - I've
seen file transfers go faster over the VPN than the local WiFi).

But, if you're still stuck with win32 applications Citrix is certainly
a solution.  I was thinking it might take over the corporate desktop
until everything started moving more towards the web.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Mick
On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> > On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
> > > Actually, there are several large corporations that use RDP-like
> > > technologies. Although those are called "VDI" and usually use XenDesktop
> > > on the server side and "icaclient" on the client.
> > > Runs through HTTPS and apart from keyloggers and screenloggers, there is
> > > not much that can be done.
> > > Using 2-factor authentication (RSA-type keys or similar) they're pretty
> > > secure.
> > 
> > Yeah, I would agree with that.  I've set up a few thin client citrix
> > boxes ages ago.  These days I'd say the web is the bigger trend, and I
> > agree that 2-factor can greatly reduce the impact of keylogging.  One
> > of the nice things with one of the SaaS applications we're using at
> > work is that if we're having connection issues I can just wake up my
> > console on my home PC next to my VPN'ed laptop and see if the
> > application is accessible with a completely different route (suffice it
> > to say I sometimes dread using the office LAN for this reason - I've
> > seen file transfers go faster over the VPN than the local WiFi).
> > 
> > But, if you're still stuck with win32 applications Citrix is certainly
> > a solution.  I was thinking it might take over the corporate desktop
> > until everything started moving more towards the web.
> 
> XenDesktop is actually a lot nicer than the classical "Citrix".
> You end up with a full VM rather than a multi-user hack on top of a single
> user OS.
> 
> I prefer to work using VDI/icaclient than with the company supplied laptops.
> Especially since my own laptop and desktop are nicer to type with and the
> screen is better quality...
> 
> --
> Joost

I use the icaclient provided by Citrix to access my virtual desktop at work, 
but have never tried to set up something similar at home.  What opensource 
software would I need for this?  Is there a wiki somewhere to follow?

-- 
Regards,
Mick

signature.asc
Description: This is a digitally signed message part.


Re: [gentoo-user] {OT} Allow work from home?

2016-01-16 Thread Rich Freeman
On Sat, Jan 16, 2016 at 2:39 AM, Alan McKinnon  wrote:
>
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> so be security aware and with the program.
>

Most employers just issue laptops to their employees for this reason.
Set them up with full disk encryption and VPN access.  While I
wouldn't recommend this to a general employer you might get away with
the use of personal laptops if your employees all know what they're
doing - I have no idea what line of business you're in.  Most
businesses are not 100% staffed by people who are qualified to
properly maintain a workstation in a secure manner.

I also view this as a matter of principle.  If you're going to make
employees provide their own hardware, you don't really have that much
of a right to tell them exactly how you want it run.  If you're the
one providing the hardware, then you can provide it exactly how you
need it to be.

VPN is probably the easiest way to manage security though.  It is far
more secure than whitelisting IP addresses.  It isn't the only
solution - if you literally only need them to access a single
web-based application you could use client ssl certificates or
something like that, but you still need to control the security of the
client either way.  Just remember that laptops get lost so they really
do need full disk encryption.  Unfortunately on linux it seems LUKS
and a hand-entered password is the only common solution for this (it
looks like doing something TPM-based should be possible, but you
basically have to DIY).

Oh, if you are 100% web-based another solution is to just issue
chromebooks.  Those allow central provisioning/etc if you have a
google apps account, and they do support VPN.  Those have TPM-backed
full disk encryption out of the box, and are probably going to be way
easier for you to maintain, and certainly a lot cheaper.  As far as I
can tell (not having done this myself) they let you centrally
provision VPN certificates and such and set up the networking
settings.  You just boot a new chromebook, hit Ctrl-Alt-E or whatever,
and type in a google apps username/password that you gave access to
provision devices.  You also get remote wipe and all that other fun
stuff, and from everything I've read the security on those is about as
good as it gets.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-16 Thread Mick
On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
> On 16/01/2016 06:17, Grant wrote:
> > I'm considering allowing some employees to work from home but I'm
> > concerned about the security implications.  Currently everybody shows up
> > and logs into their locked down Gentoo system and from there is able to
> > access the company webapps which are restricted to the office IP
> > address.  I guess I would have to allow webapp access from any IP for
> > those users and trust that their computer is secure?  Should that not be
> > scary?
> > 
> > - Grant
> 
> I have experience in this area. I work at ISPs where working from home
> is routine and required for overnight standby.
> 
> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
> the security levels you need. Use the Layer3 routing option that uses
> tun drivers (not tap) and issue the certificates to the users yourself.
> Then allow your servers to accept connections from the VPN range as well
> as the internal office range.
> 
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> so be security aware and with the program.

Some other alternatives and thoughts to solutions already proposed are:

1.  Only allow access through the office firewall and webapp servers to the IP 
addresses of your employees.  This would only work if your employees have 
static IP addresses and are few in number - otherwise you are creating an 
administrative burden.  I assume that the client connection to the webapp 
server will be over some secure protocol, e.g. SSH, SSL/TLS.  Otherwise, 
you'll need an encrypted tunnel (see below).

2. Instead of OpenVPN which has been recommended I suggest that you take a 
look at IPSec with IKEv2.  IPSec + IKEv2 provides higher throughput because 
encryption/decryption is performed in the kernel, rather than userspace and 
because it allows for multi-threading, which last time I looked OpenVPN does 
not.  In addition, IKEv2 employs the MOBIKE protocol which allows mobile 
client roaming.  Changing client IP addresses is handled automatically, 
without having to manually restart the VPN session.  All this said, if your 
use case has low throughput demand then OpenVPN would work fine.  In both 
cases, use strong encryption.  

3. If you go with OpenVPN, following Alan's suggestion to use tun instead of 
tap, I should add that if you have deployed MSWindows or other clients and 
services with non-IP protocols, then you'll probably need a tap bridge to make 
sure that all services can get through.  The client machines will then become 
part of your LAN.  Depending on client numbers you may need more than one VLAN 
segment and multiple OpenVPN servers.

4. An easier and simpler alternative may be to run SSH SOCKS proxy on the 
server and proxychains on the clients.  Any software run with proxychains on 
the client will be tunnelled via SSH to the server and from a network 
perspective will be connected to the office LAN.  Webapps should be able to 
run quite efficiently in this way and connect to the LAN server.  Public key 
authentication and an SSH high port should keep pests away.

-- 
Regards,
Mick

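Mick's item 4 (an SSH SOCKS proxy on the office side, proxychains on the client, key-only logins on a high port) as concrete configuration. This is an added example, not from the thread or from the OpenSSH or proxychains projects: the port 2222, the group name remote-workers and the webapp address 10.0.0.5:443 are assumptions. The sshd fragment goes further than the post by using PermitOpen so the proxy can only open connections to the webapp, which is the kind of server-side limitation Joost asks for elsewhere in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sshd_config fragment for the office SSH
# host and the matching proxychains.conf for a home client. Port, group name
# and the webapp address are assumed values.

SSH_PORT=2222                  # assumed "high port"
WEBAPP="10.0.0.5:443"          # constructed: LAN address of the webapp server
GROUP="remote-workers"         # assumed group for work-from-home accounts

# Server side. Keys only, no root, and for the remote-worker group the
# connection may carry local forwards (which is what -D uses) but only towards
# the webapp: no shell, no tty, no agent or X11 forwarding. Because of
# ForceCommand, those users must connect with -N (see client_command).
sshd_socks_config() {
cat <<EOF
Port ${SSH_PORT}
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Match Group ${GROUP}
    AllowTcpForwarding local
    PermitOpen ${WEBAPP}
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false
EOF
}

# Client side. proxychains sends everything through the SOCKS listener that
# ssh -D opens on localhost; proxy_dns keeps name lookups inside the tunnel
# instead of leaking them to the home resolver.
proxychains_config() {
cat <<EOF
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
EOF
}

# The ssh invocation the client runs first: -N asks for no remote command,
# -D binds the SOCKS listener to localhost only. $1 is the office SSH host.
client_command() {
echo "ssh -N -D 127.0.0.1:1080 -p ${SSH_PORT} -i ~/.ssh/work_ed25519 ${1}"
}

echo "# sshd_config fragment (office host):"
sshd_socks_config
echo "# proxychains.conf (client):"
proxychains_config
echo "# client command:"
client_command ssh.office.example
```

Any program then runs as `proxychains <program>` on the client and reaches the webapp as if it were on the office LAN; a program that tries to reach any other LAN address is refused by sshd because of PermitOpen, which is visible in the server's auth log.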


Re: [gentoo-user] {OT} Allow work from home?

2016-01-15 Thread wabenbau
Grant  wrote:

> I'm considering allowing some employees to work from home but I'm
> concerned about the security implications.  Currently everybody shows
> up and logs into their locked down Gentoo system and from there is
> able to access the company webapps which are restricted to the office
> IP address.  I guess I would have to allow webapp access from any IP
> for those users and trust that their computer is secure?  Should that
> not be scary?
> 
> - Grant

I would use OpenVPN for that. If you don't trust their systems, you 
could provide a Live-System media for them if that is possible.

--
Regards
wabe




Re: [gentoo-user] {OT} Allow work from home?

2016-01-15 Thread Daniel Frey
On 01/15/2016 09:18 PM, waben...@gmail.com wrote:
> Grant  wrote:
> 
>> I'm considering allowing some employees to work from home but I'm
>> concerned about the security implications.  Currently everybody shows
>> up and logs into their locked down Gentoo system and from there is
>> able to access the company webapps which are restricted to the office
>> IP address.  I guess I would have to allow webapp access from any IP
>> for those users and trust that their computer is secure?  Should that
>> not be scary?
>>
>> - Grant
> 
> I would use OpenVPN for that. If you don't trust their systems, you 
> could provide a Live-System media for them if that is possible.
> 
> --
> Regards
> wabe
> 
> 

I would use VPN + an X server that can spawn sessions on demand. This
way it all stays internal on the work network.

I do something similar at work for our Windows clients, it was simple to
set up there.

I've set up my home server to act as a Windows-type terminal server
using X and tigervnc. It actually works well, but I never got into
multiuser and dealing with logon scripts and the like (you may or may
not need this to deal with user documents and the like.)

Dan



Re: [gentoo-user] {OT} Allow work from home?

2016-01-15 Thread Alan McKinnon
On 16/01/2016 06:17, Grant wrote:
> I'm considering allowing some employees to work from home but I'm
> concerned about the security implications.  Currently everybody shows up
> and logs into their locked down Gentoo system and from there is able to
> access the company webapps which are restricted to the office IP
> address.  I guess I would have to allow webapp access from any IP for
> those users and trust that their computer is secure?  Should that not be
> scary?
> 
> - Grant


I have experience in this area. I work at ISPs where working from home
is routine and required for overnight standby.

You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
the security levels you need. Use the Layer3 routing option that uses
tun drivers (not tap) and issue the certificates to the users yourself.
Then allow your servers to accept connections from the VPN range as well
as the internal office range.

As for the security levels of their personal machines, tell them what
you require and from that point on you really have to trust your people
so be security aware and with the program.

-- 
Alan McKinnon
alan.mckin...@gmail.com
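Alan's recipe above (OpenVPN in layer 3 routed mode with tun, certificates issued by your own CA, then servers accepting the VPN range alongside the office range) as a rendered server config plus the input rules for a webapp host. This is an added example and not configuration from the thread or from the OpenVPN project: the address ranges 192.168.10.0/24 and 10.8.0.0/24, the file paths, and running the CA yourself (for instance with easy-rsa) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): routed OpenVPN server config and the
# webapp host rules that admit the office LAN and the VPN client pool only.
# All addresses, masks and paths are constructed assumptions.

OFFICE_NET="192.168.10.0/24"    # constructed: internal office range
OFFICE_MASK="255.255.255.0"
VPN_NET="10.8.0.0/24"           # constructed: pool handed out to VPN clients
VPN_MASK="255.255.255.0"

# Server config. Clients get an address from VPN_NET and a pushed route to the
# office LAN. There is deliberately no client-to-client, so home machines
# cannot reach each other through the server; remote-cert-tls rejects a
# server certificate presented as a client; crl-verify lets a lost laptop's
# certificate be revoked without reissuing everyone else's.
openvpn_server_conf() {
cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server ${VPN_NET%/*} ${VPN_MASK}
push "route ${OFFICE_NET%/*} ${OFFICE_MASK}"
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# Rules for the webapp host, assumed to be a separate machine that the VPN
# server routes (rather than NATs) towards, so tunnel traffic arrives with a
# VPN_NET source address. Emitted as text so they can be reviewed first and
# then applied as root with:  webapp_allow_rules 443 | sh
webapp_allow_rules() {
port="$1"
cat <<EOF
iptables -A INPUT -p tcp --dport ${port} -s ${OFFICE_NET} -j ACCEPT
iptables -A INPUT -p tcp --dport ${port} -s ${VPN_NET} -j ACCEPT
iptables -A INPUT -p tcp --dport ${port} -j DROP
EOF
}

echo "# /etc/openvpn/server.conf:"
openvpn_server_conf
echo "# webapp host input rules:"
webapp_allow_rules 443
```

The `user nobody`/`group nobody` lines assume those accounts exist on the server, which is the case on Gentoo; the point of dropping privileges after the tunnel is up is that a bug in OpenVPN's packet handling then runs with no more rights than any other unprivileged process.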