Re: Finding the appropriate manpage [Re: Can't find the DNS Servers]

2017-09-27 Thread Lck Ras
On 09/27/2017 06:16 AM, Don Armstrong wrote:
> In almost every case, if you don't know the right man page, apropos (or
> man -k) will help you find it. If that's not good enough, man -K
> dhclient will eventually find all of them.
> 
> dhclient (8) - Dynamic Host Configuration Protocol Client
> dhclient-script (8)  - DHCP client network configuration script
> dhclient.conf (5)- DHCP client configuration file
> dhclient.leases (5)  - DHCP client lease database

Plus the dhclient(8) manpage lists other related manuals in its SEE ALSO
section:

SEE ALSO
   dhcpd(8),  dhcrelay(8),  dhclient-script(8),  dhclient.conf(5),
   dhclient.leases(5), dhcp-eval(5).



Re: On another (but related) note: Zip files

2017-08-29 Thread Lck Ras
On 08/30/2017 07:57 AM, James H. H. Lampert wrote:
> I know that the tradition for Linux is GZipped tarballs, but I also know
> that, at least from the Gnome desktop, I can open a PKZip-compatible Zip
> file, and create a (presumably also) PKZip-compatible Zip file.
> 
> I don't, however, see a way to do so from the command line (or within a
> script) without doing an apt-get to install the zip package (and
> presumably also the unzip package).
> 
> Can somebody explain this? It seems a bit puzzling.
> 
> -- 
> JHHL
> 

File-roller, the gnome archive utility, depends on p7zip-full, which
provides support for quite a few formats. If you want to work with these
from the terminal, the p7zip* packages provide various binaries like 7z,
7za, 7zr, and p7zip, which all do similar but slightly different things.

List of supported formats: (in p7zip-full)
 * Packing / unpacking: 7z, ZIP, GZIP, BZIP2, XZ and TAR
 * Unpacking only: APM, ARJ, CAB, CHM, CPIO, CramFS, DEB, DMG, FAT, HFS,
   ISO, LZH, LZMA, LZMA2, MBR, MSI, MSLZ, NSIS, NTFS, RAR (only if non-free
   p7zip-rar package is installed), RPM, SquashFS, UDF, VHD, WIM, XAR and Z.



Re: One-line password generator

2017-08-23 Thread Lck Ras
On 08/24/2017 02:11 AM, Brian wrote:
> You should never reveal how your passwords are generated. In detail,
> that is; in principle there might be no harm done.

But how do you know how much you can reveal about it until there is real
harm done? You can't really know for sure how much entropy your password
has, unlike a randomly generated password, where it is significantly
easier to estimate. Revealing as much as "my passwords are 30 random
alphanumeric characters" will be fine in that case, but there is no such
measure with passwords like the ones you have described.

>> Eg. knowing that you create your passwords like that can make it
>> significantly easier for someone else to guess your password, which
>> could potentially be dangerous, especially if done by someone who knows
>> you well.
> 
> Agreed. Account passwords being guessed can surely only happen when the
> account owner is known to the perpetrator.

Sure, but the problem is that the account owner may not even be aware
that this is happening. For example, with human-generated passwords,
telling a joke, talking about your mother's maiden name, or talking
about your favorite band may be leaking information about your
passwords, and it is really hard to understand how much (or how little)
damage it has done. With passwords, you should be sure, not guess, that
you are safe.

> How does one know
> 
>  MyDogHasNoNose.HowDoesItSmell?Terrible!
> 
> (old jokes are very memorable) is a safe password?

You don't, and that's the problem, I believe.



Re: One-line password generator

2017-08-22 Thread Lck Ras
On 08/23/2017 07:31 AM, Brian wrote:
> On Tue 22 Aug 2017 at 15:14:37 -0500, Mario Castelán Castro wrote:
> You can recommend what you want but give me
> 
>  IhaveaMemorablePasswordwhichIwillnotforget!
> 
> as opposed to
> 
>  WVAq7XLM4va6e1A4Bb4+Zw
> 
> You will now explain why the first one will be broken in the next
> 100 years. I'm past caring after that.

The problem with that kind of password generation is that it leaks in
unexpected ways, and it can be hard to understand how much it matters.

When you know nothing about a password, it can be quite hard to guess,
but as you reveal more information about it and its construction (max
length, character set, format, etc.) it becomes easier and easier.

With randomly generated passwords, you still have an easy-to-understand
"hard limit" on how easy it will be to guess, unless you start leaking
individual characters of it, even if you reveal how the password is
constructed.

On the other hand, with passwords like the ones you described, it can be
quite difficult to gauge how hard it is to guess, and how much you can
reveal about it before it becomes unsafe.

Eg. knowing that you create your passwords like that can make it
significantly easier for someone else to guess your password, which
could potentially be dangerous, especially if done by someone who knows
you well.

I personally use diceware, which is relatively memorable and secure
enough. Revealing the fact that I use diceware makes guessing my
passwords significantly easier, but it still is very far in the
"impossible" territory.

I don't think leaving your passwords up to chance is a good idea. You
should know, not guess, whether it is safe or not.
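
The "hard limit" argument from the two password messages above, worked as an added example that is not part of the thread: entropy when the attacker knows the scheme, plus an unbiased passphrase picker. The six-word count, the 7776-word list size (the standard diceware list) and the word-list file passed to passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Strength of a password when the
# attacker knows exactly how it was generated (scheme known, secret not).

# bits CHOICES PICKS -> entropy in bits of PICKS independent, uniform picks
# out of CHOICES possibilities: PICKS * log2(CHOICES).
bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# rand_below N -> uniform integer in [0, N), N <= 65536, from /dev/urandom.
# Values past the largest multiple of N are rejected, which avoids the
# modulo bias of a plain "random % N".
rand_below() {
    rb_limit=$(( 65536 - 65536 % $1 ))
    while :; do
        rb_r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
        if [ "$rb_r" -lt "$rb_limit" ]; then
            echo $(( rb_r % $1 ))
            return 0
        fi
    done
}

# passphrase WORDLIST COUNT -> COUNT words, each a uniform pick from a file
# with one word per line (the file is supplied by the caller; hypothetical).
passphrase() {
    pp_total=$(wc -l < "$1")
    pp_out=
    pp_i=0
    while [ "$pp_i" -lt "$2" ]; do
        pp_idx=$(( $(rand_below "$pp_total") + 1 ))
        pp_out="$pp_out${pp_out:+ }$(sed -n "${pp_idx}p" "$1")"
        pp_i=$(( pp_i + 1 ))
    done
    echo "$pp_out"
}

bits 62 30      # 30 random alphanumeric characters: 178.6
bits 7776 6     # six words from a 7776-word diceware list: 77.5
```

Both figures hold even if the generation method is published, which is the property a hand-made phrase cannot offer: there is no CHOICES and PICKS to plug in for it.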



Re: Limiting resource usage

2017-08-22 Thread Lck Ras
On 08/23/2017 06:48 AM, ju...@tutanota.com wrote:
> - i cannot change the default setting.
> is it a secure feature/the best option or a sign that something is wrong.

limits.conf contains the "default" ulimits if it is set as "soft", and
absolute limits if set as "hard", so if you want to change the defaults,
you will need to configure limits.conf.

> - have i to configure limits.conf ?
> my /etc/security/limits.conf is not set (all is marked as # comment)
> i do not know how-to-do that & i have not found (desktop default user / no 
> server) something that i could copy & past or a soft/script which should 
> generate the best option for me.

Check out limits.conf(5). In short, you can add lines to
/etc/security/limits.conf to impose global limits (except for systemd
services). The format is.

: Who is affected by the limit? can be * for everyone, a
specific user, etc.

: Either "hard", "soft", or "-". "hard" and "soft" are as I
described above, "-" combines both.

: The "thing" to limit. Stuff like # of processes, memory used,
etc. See the manpage for a complete list.

: The value you want to set as the limit.

All the lines already in that file are either explaining how to use it
or examples.
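
As an added example (not part of the original message): limits.conf(5) names the four fields of each line domain, type, item and value, in that order, and the script below resolves which soft and hard value such a file gives one user. The sample file, the user names alice and bob, and the simplified precedence model described in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves the soft and hard value
# that a limits.conf-style file assigns to one user and item.
# Simplified model (assumption): only "*" and exact user names are matched;
# @group, %group and uid-range domains are ignored. A line naming the user
# beats any "*" line; among equally specific lines the last one wins.

effective_limit() {   # usage: effective_limit FILE USER ITEM
    awk -v user="$2" -v item="$3" '
        { sub(/#.*/, "") }                 # drop comments
        NF != 4 { next }                   # skip blank or malformed lines
        $3 != item { next }
        $1 != "*" && $1 != user { next }
        {
            rank = ($1 == user) ? 2 : 1    # user entry outranks wildcard
            if ($2 == "soft" || $2 == "-") {
                if (rank >= srank) { soft = $4; srank = rank }
            }
            if ($2 == "hard" || $2 == "-") {   # "-" sets both limits
                if (rank >= hrank) { hard = $4; hrank = rank }
            }
        }
        END {
            printf "soft=%s hard=%s\n",
                (srank ? soft : "unset"), (hrank ? hard : "unset")
        }
    ' "$1"
}

# Constructed sample: cap process counts for everyone (a common guard against
# fork bombs), with a higher allowance for the hypothetical user "alice".
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# <domain>  <type>  <item>  <value>
*           soft    nproc   512
*           hard    nproc   1024
alice       -       nproc   4096
*           hard    core    0
EOF

effective_limit "$sample" bob   nproc    # soft=512 hard=1024
effective_limit "$sample" alice nproc    # soft=4096 hard=4096
effective_limit "$sample" bob   core     # soft=unset hard=0
```

Compare the result with `ulimit -Su` and `ulimit -Hu` in a fresh login session of the user, since limits.conf is applied at login and does not cover systemd services.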



Re: How to get sha256 digest for jessie, without a dist-upgrade?

2017-08-10 Thread Lck Ras
On 08/10/2017 06:08 PM, Neo wrote:
> Hi folks
> 
> How to get sha256 digest for jessie, without a dist-upgrade?
>

I'd use sha256sum, but if you must use openssl, the version in
jessie-security has sha256.

> $ openssl version
> OpenSSL 1.0.1t  3 May 2016
> $ echo test | sha256sum
> f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2  -
> $ echo test | openssl dgst -sha256
> (stdin)= f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2

Even though sha256 is not listed in the openssl output, it works if you
pass it to the command. Try 'openssl list-message-digest-algorithms |
grep SHA256'. I'd think that 1.0.2 supports it, since 1.0.1 does.



Re: cannot get node dns program to work externally

2017-08-05 Thread Lck Ras
On 08/06/2017 10:42 AM, Aaron Gray wrote:
> Hi,
> 
> I have a node.js based dns program on port 53 and have it working as
> localhost on debian 8.5 but I cannot seem to get it to work externally
> despite getting the firewall rules right having tested them with Bind9.

Check if it's listening on localhost. Make sure that the server is not
listening on 127.0.0.1 ('ss -unl'). Otherwise, you need to do a bit of
forwarding magic, but listening on the proper interface is a cleaner
solution, I believe.

> I have mainly been using :-
> 
> https://github.com/tjfontaine/node-dns/blob/master/examples/forwarder.js

From what I can see from the code you linked, 127.0.0.1 is hardcoded.
Make sure you change that.



Re: determining which apps have entries in the applications menu in xfce

2017-08-02 Thread Lck Ras
On 08/02/2017 02:12 PM, Dan Hitt wrote:
> There's a program that i have on my system whose name i cannot find in
> the Applications menu.
> 
> However, that might just be because i conducted a defective search.
> 
> So i'm wondering if there's a systematic way to determine if the
> program is in the menu.  (Presumably it is a matter of looking in
> /usr/bin or something like that, although that cannot be the complete
> solution as there are a few thousand programs in /usr/bin, and they
> cannot all fit in the menu.  So i suspect there's a list somewhere . .
> . )

The applications list is from .desktop files in various locations in
your system, so searching for .desktop files in the packages (with
apt-file or dpkg) should work.

Try something like 'dpkg -L $package | grep desktop' or 'apt-file search
-F $package | grep desktop'.

Some applications also generate .desktop files and install themselves in
$HOME/.local/share/applications, so look in there as well.

Hope it helps.



Unstable WiFi

2017-07-30 Thread Lck Ras
Hello list,

I'm running Debian 9, and I'm having issues with WiFi being occasionally
unstable. It will run just fine for a while, but sometimes it will
suddenly fail.

/etc/network/interfaces:
> allow-hotplug wlo1
> iface wlo1 inet manual
>   wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
> 
> # default wireless interface
> iface default inet dhcp
>   openvpn-client chaos
> 
> # home
> iface home inet static
>   address 192.168.0.2/24
>   gateway 192.168.0.1
>   openvpn-client chaos

openvpn-client is just a modified version of
/etc/network/if-up.d/openvpn that uses openvpn-client@* units instead of
openvpn@*.

/etc/wpa_supplicant/wpa_supplicant.conf:
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> country=KR

then the network blocks, like so:
> network={
>   ssid=""
>   psk=""
>   id_str="home"
> }

dmesg:
> [ 6919.168438] rt2x00mmio_regbusy_read() Indirect register access failed: offset=0x101c, value=0x
> [ 6921.211274] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 0 failed to flush
> [ 6921.410607] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 2 failed to flush
> [ 6921.813303] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 0 failed to flush
> [ 6922.016635] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 2 failed to flush
> [ 6922.215970] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 0 failed to flush
> [ 6922.419375] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 2 failed to flush
> [ 6926.407143] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 0 failed to flush
> [ 6926.610495] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 2 failed to flush
> [ 6926.857821] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 0 failed to flush
> [ 6927.061267] ieee80211 phy0: rt2x00queue_flush_queue: Warning - Queue 2 failed to flush
> [ 6928.433354] ieee80211 phy0: rt2800_wait_csr_ready: Error - Unstable hardware

lspci -vvv:
> 09:00.0 Network controller: Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe
>   Subsystem: Hewlett-Packard Company Ralink RT3290LE 802.11bgn 1x1 Wi-Fi and Bluetooth 4.0 Combo Adapter

Re: Cannot read my draft emails.

2017-07-29 Thread Lck Ras
On 07/30/2017 08:13 AM, Ken Heard wrote:
> I now in Drafts emails which I now want to edit and send.  When I try to
> open them for editing in the text section nothing appears except this
> message:

This is controlled by the "Encrypt draft messages on saving" setting in
your account settings, under "OpenPGP options".

> This is an encrypted OpenPGP message.
> In order to decrypt this mail, you need to install an OpenPGP add-on.
> 
> In addition to Enigmail I also have  gnupg 1.4.18-7+deb8u3,
> gnupg-agent 2.0.26-6+deb8u1 and gnupg2 installed, as well as six
> packages with pgp in their names.  I find it however strange that
> apt-cache no longer finds those packages. I also find it strange none of
> the options in the Thunderbird Enigmail menu is operative.  If something
> else is needed, what would it be?

I haven't had this problem at all, but I've also not been using the
add-on in the debian repositories, and instead grabbed enigmail through
the add-on manager. I am currently on Stretch, so that might be it, too,
with gpg2 being the default in Stretch and such.



Re: Q: systemd is restarting demons?

2017-07-20 Thread Lck Ras
On 07/20/2017 07:23 PM, Hans wrote:
> Hello, 
> 
> I am wondering, if it is normal, that systemd is restarting a service, which
> I as root did stop. In my case it is laptools-mode.
> 
> See the output of syslog:
> Jul 20 12:16:47 localhost laptop-mode: enabled, not active 

laptop-mode-tools installs udev rules at
/lib/udev/rules.d/99-laptop-mode.rules that restart lmt when you
plug/unplug your laptop or a usb device. It's how it determines whether
to enable or disable laptop-mode when the power supply changes or set
autosuspend on usb devices.

lmt also runs the script /lib/udev/lmt-udev every 150 seconds through
the systemd timer /lib/systemd/system/laptop-mode.timer to detect
battery changes. This script reloads/restarts the systemd service. You
may stop this timer, but lmt will still be restarted when you plug in
your laptop or a usb device.

Stopping laptop-mode.service and masking it through 'systemctl mask
laptop-mode.service' might stop lmt, but I'm not 100% sure, and I
haven't tested it. If it does work, you would need to unmask it
(systemctl unmask ...) in order to be able to enable it again.



Re: user shutingdown/rebooting system w/wo sudo

2017-07-20 Thread Lck Ras
On 07/20/2017 05:39 PM, Fungi4All wrote:
> Apart from what different wm/dm do, should a user without sudo
> privileges be able to stop or restart a system?
> In most wm I have seen the user is able to do this without being
> asked for root privileges and I believe this is wrong and should
> not be done.

As far as I know, this is done by policykit (policykit-1 in the repos).
Among other things, it allows users that are logged in locally to
shutdown/reboot the system, unless there are other users logged in.
Pretty sure it's possible to override this if you don't want this to happen.

> As I see contradictory reading material on the issue from the
> point of view of a single user personal system to an enterprise
> system, why would any desktop come with this activated as
> default and not be the other way around but with a simple option
> for root to change/activate this ability.

If the user has physical access to the machine, there isn't really a
point to stopping them from shutting the system down, really. I can't
really think of instances where this could be a security issue, and it
can be overridden if you don't want it.

Also, for users coming from other OSes, it may be odd that they are
unable to shut down their system without being an administrator, and it
wouldn't allow shared laptops/computers.