Re: [PLUG] FreeGeek...

2017-04-12 Thread Thomas Groman
Do stuff that can be externally verified. For example, show people that
you can get an A+ on Qualys SSL Labs.


On 04/12/2017 12:49 PM, Michael Christopher Robinson wrote:
> If I do a 3-6 month Internship at FreeGeek, what is the minimum number
> of hours needed to put it on my resume and become employable?  I have a
> CS degree, but I don't have workplace experience and can't get a job
> anywhere in the Portland area.  I want to specialize in network
> security and I want to work on Unix and Linux based systems.  Another
> option is learning how to build web sites that are fancy and properly
> encrypted.  I'm trained in programming, but without training I can't
> break into the industry.  Nobody in Portland seems interested in
> inexperienced computer scientists.
>
> One problem, I have recurring costs where FreeGeek can't pay anything
> to their volunteers.  The longer I work at FreeGeek the better it
> looks, but the less time I have to earn money.  I can drop
> Comcast Internet and use my father's DSL, but that's about it.  
> I need my smartphone, $40.75/month, and I'm paying for a burial policy,
> $11.20/month.  Once a year I incur significant cost paying for
> robinson-west.com hosting at Eskimo North, the domain name through
> register.com, and the security certificate.  I also pay for a VoIP
> phone once a year through Phonepower.  That should be coming up in 
> May.  I have about $10k in student loan debt on income based repayment,
> I've been paying about $100/month on it even though I don't have to pay
> anything for a while longer and I can apply for more IBR deferment. 
> This is enough complication, but I'm engaged and hoping to get married
> seven months from now.  I probably need to be taking home a minimum of
> $2000/month to live on my own in Portland.
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug



[PLUG] Is the linked to article accurate or not?

2017-04-12 Thread Michael Christopher Robinson
http://www.npr.org/sections/alltechconsidered/2016/12/27/507098713/outsourced-in-a-twist-some-san-francisco-tech-jobs-are-moving-to-india

While the above article doesn't affect Portland area tech, the
cancerous outsourcing of high wage jobs may spread.

Why is outsourcing technology jobs so bad?

1)  It is a national security issue.  If the people we outsource
control of critical infrastructure to decide they want to exercise
leverage over us, they can.  Who is going to stop them?  They are
writing and supporting the critical software that we use.

2)  It makes foreigners hate us because outsourcing isn't appealing if
you have to pay a foreigner the same wage you would pay an American.
If foreign workers hate us in an outsourcing landscape, 1 becomes a
more serious concern.

3)  Jobs that pay well are drying up.  Service sector jobs cannot pay
what tech jobs pay.  Are we ready to pay waitresses and personal care
assistants a living wage?  How about people working at McDonalds,
WalMart, Dairy Queen, BiMart, Kentucky Fried Chicken, Chevron gas
stations, etcetera?  Forget about manufacturing, many of those jobs are
gone and have been for a long time.

4)  Poverty and housing shortages are serious issues in Portland.  Go
under practically any overpass and you will find tent cities.  Affluent
people tend to not live in tents, especially in Portland where it rains
so much.  The loss of middle wage jobs has serious consequences. 
Hopefully, Trump will tariff foreign technology and reduce the number
of visas that result in Americans giving their high tech jobs to
foreigners.

5)  Public universities that accept taxpayer dollars have no right to
outsource American jobs to people who have not pledged allegiance to
our country.

6)  Outsourcing high tech is bad for the environment.  Foreign
countries have to be networked with people over 3000 miles away 
which means: satellites, transoceanic cables, and ultimately
significant electrical power.  If the tech support is on site or
closer, less power is needed.

7)  Death and taxes are the two things no person can escape, but if
there are no jobs available to pay the taxes there will be more tent
cities.


Re: [PLUG] FreeGeek...

2017-04-12 Thread Mike C.
"Nobody in Portland seems interested in inexperienced computer scientists."

Color me skeptical about this claim. I find it hard to believe that even a
software tech support, QA or DevOps job wouldn't at least pay
$15/hr, especially as a contractor. I recently quit a contract gig at Intel
as Network Software Test Technician that paid $30/hr. Although I was a CS
major prior to the Internet, I don't have any real world programming
experience and just have some now expired SysAdmin / Networking certs.
Their ideal candidate would have some programming knowledge from
Powershell, Bash up to C / C++.

It's interesting to me that almost every Sys Admin job I look at or get
contacted about wants someone with programming skills that I don't have and
somehow I'm able to still get jobs. Not the dream jobs. Although I have a
few good references and a lot of varied work experience on my resume due to
my struggle to stay at a job longer than a year and a half or so. But I'm
nothing special in today's IT world. In fact I've been struggling with
finding a Linux Sys Admin job because I don't have any
scripting/programming experience.

Anywho, here are some ideas that might be more fruitful in your job search
than an internship at Free Geek.

1. Go to some of the many daily Tech events in Portland that are listed on
http://calagator.org/events . Some are meetup groups, some are study
groups, some actually work on projects and others are talks. But all of
them will provide you with the opportunity to network with people who work
in the Tech industry in Portland. I import the Calagator calendar into my
Thunderbird email client via gmail to stay abreast of all the events.

2.  There's a Portland tech job fair coming up on April 27th.
https://portland.craigslist.org/wsc/sad/6066445489.html

3. LinuxFest NW is coming up. May 6th & 7th. Another networking
opportunity.

In my 20 years of working in the tech field, I've found nary evidence that
finding an IT job isn't much more than doing the work to get a job. That's
a good resume, cover letter, phone calls, emails, networking, interviews
and good ol' fashioned persistence. I dare say that being a decent human
being, with a well written resume and cover letter who knows how to take an
interview that is so often stiff and awkward and turn it into a conversation
about the problems the hiring manager is currently trying to solve and that
you have the skills, knowledge, experience and/or personality
characteristics to help solve those problems gets the job.

I hope that's helpful.

Cheers,

Mike


Re: [PLUG] FreeGeek...

2017-04-12 Thread Rich Shepard
On Wed, 12 Apr 2017, benjamin barber wrote:

> An internship at FreeGeek will not teach you anything relevant to your
> computer science degree. If you would have looked at the trends, you may
> have noticed that programming jobs are shrinking. Furthermore building
> websites is a possibility, but there is a plethora of easy wordpress and
> wix templates, and alot of the rest of the work has been outsourced and
> offshored. If you have the said degree and have a github of your work, you
> may be able to get a job with the said experience. Most of the (good) jobs
> in the webdev industry are "software as a service", for example jobs that
> automate some process, or provide a service to people willing to pay for
> it.

   There may be greater employment potential outside the computer industry.
Many years ago a neighbor wrote software (and built controllers) to convert
sawmills from large log use to small log use. Manufacturers often need
embedded computers in their products and folks to write the software or
maintain it.

   What Michael should consider is attending some general Portland business
networking events with a bunch of self-printed business cards. I've been at
several in which hotel/restaurant/hospitality managers as well as other
business folks look for help (as well as potential clients). Perhaps a
Chamber of Commerce breakfast/after-work get-together would be worth
attending. Perhaps no attendee needs his expertise but might know of someone
else who does.

   The majority of 'good' jobs come from referrals or direct contact and are
never advertised. Look outside the traditional (and very crowded)
CS/IT/programming arena and there are likely to be many hidden
opportunities.

Rich


Re: [PLUG] Public SSH server configs

2017-04-12 Thread Tom
In my mind, trust, security, privacy, power and cooperation are
the fundamental friction points in this society. Given how important it
is for humankind, it is surprising how many people do not
understand it.
If you are after technical stuff, stop reading here and do something
better with your time.

Access control to data and services, firewalls, audits and monitoring
should help you to stop, discover and trigger a response to malicious
attacks and actors.
Identify sensitive and business-critical data sources and the services
allowed to use them, and set up p2p controls and authentication for
their use.
Encrypt sensitive data at rest and in transport, especially in the "cloud".
Ironically, ssh on ports >1024 is a good way to do this for some use
cases, as are other services which can be used to secure your data as
well as malicious communications.
Delete, and do not collect, data you absolutely do not need. Example: SSN
or address + credit card; you only need it to complete a transaction.
Give users the choice to decide their level of risk: to store or not
their data for future use.

This may be old school and definitely not 100% effective: set up and
enforce the use of proxies and network protocols at the perimeter. Do not
decrypt/man-in-the-middle ssl/tls data; this breaks security and creates
a monumental and well-advertised attack target. Create a DMZ for services
that need it. Make it easy for users to work and communicate, so they
are not forced to come up with innovative ways to bypass your controls.
Monitor and learn what a normal/healthy baseline looks like. Make it too
restrictive and you will waste people's work time and their desire to be
productive and innovate. If you do not trust your users and show it to
them at every opportunity, they will know it, and will be asking
themselves why they were hired and for what purpose; they will not
be part of your security/team/company, you will alienate them. It is a
fine line to walk: ask yourself what your priorities are, what you
want to achieve at the end of it all.

I work in an engineering, development and data analysis environment;
being able to use network ports is essential to being able to work
productively. Without that, we are restricted to a single computing
process on a single machine or passing data through the file system
(which is essentially a slow and high-latency network), and that leaves you
in the 20th century in terms of productivity and capabilities. On top of
all that above, restrictions on using computers effectively lead us
back to architecture/security review boards and that stalls any kind of
progress in its tracks, including security.

I hope that you see the trade-offs here; use your full toolbox to
provide a safe and productive work environment. The only real 100%
effective IT security is not to have IT: turn off power and networks.
Alternatively, I've heard that HughesNet has very good service for keeping
networks, citizens, children and internet safe from bad actors. LOL
Tomas
On Wed, 2017-04-12 at 13:08 -0500, Cryptomonkeys.org wrote:
> Sure. and that would be fine for all the people who aren’t malicious.
> 
> 
> > On Apr 11, 2017, at 7:53 PM, Tom 
> > wrote:
> > 
> > That is what contracts, firewalls, monitoring and compliance tools
> > are
> > for.
> > If you do not trust users to start a process or use network ports -
> > disable their login and physical access to computers.
> > There are so many avenues which can be exploited beside ssh or any
> > myriad of other server processes.
> > Tomas
> > On Tue, 2017-04-11 at 18:41 -0500, Cryptomonkeys.org <
> > http://cryptomonkeys.org/> wrote:
> > > On Apr 10, 2017, at 2:17 PM, Jim Garrison  wrote:
> > > > 
> > > > > On 4/10/2017 8:22 AM, Paul Heinlein wrote:
> > > > > > I've got a CentOS 7 VM running off in the cloud. It exposes SSH on
> > > > > > port 22 to the world. I've thought about moving it to an alternate
> > > > > > port, and may someday do so, but in the meantime I've tried to
> > > > > > keep up with best practices for sshd configuration.
> > > > > > 
> > > > > > I recently changed the KexAlgorithms setting, removing all
> > > > > > key-exchange algorithms based on NIST curves. (Google variants of
> > > > > > "ed25519 nist ssh ecdh" for my reasoning.) Anyway, the new setting:
> > > > > > 
> > > > > > KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
> > > > > > 
> > > > > > All of my machines (MacOS 10.12, CentOS 6, CentOS 7) can work with
> > > > > > this setting, so I don't have to worry about infinite backward
> > > > > > compatibility.
> > > > > > 
> > > > > > One interesting and unintended result of this change is that many
> > > > > > SSH scanners will fail while trying to negotiate a key exchange. The
> > > > > > log entries are short and sweet:
> > > > > > 

Re: [PLUG] Reality collides with Linux worldview

2017-04-12 Thread Richard Owlett
On 04/12/2017 01:51 PM, Larry Brigman wrote:
> Maybe with automount and udev rules it could get set automatically.

Translate into English, please.



>
> On Apr 12, 2017 8:39 AM, "Richard Owlett"  wrote:
>
>> On 04/11/2017 01:13 PM, Richard Owlett wrote:
>>> On 04/11/2017 12:30 PM, Paul Mullen wrote:
 On Tue, Apr 11, 2017 at 11:02:37AM -0500, Richard Owlett wrote:
> Can fstab cause the partition's owner to 'universal' of group
>> 'universe'?
> NOTE BENE: spelling of 'universal'/'universe' intentional.
>
> The intention being that *all* users would *AUTOmagically* be members
>> of
> group 'universe'. Would require attention to creating same gid
> automatically.

 FAT-based file systems have no concept of file ownership.  The Linux
 msdos and vfat file systems provide the ability to set static values
 for user, group, and permissions, though.  The "umask" option in your
 fstab entry is one of them.

 You can specify the owning user and group by adding the "uid" and
 "gid" options.  If left unset, they default to the user that mounts
 the partition (root, in your case).  Note that the value assigned to
 these options are the user's and group's numeric identifiers, not
 their names (e.g., "uid=1000").

 You can also specify permission mode masks separately for files and
 directories, which will eliminate your difficulty with file creation
 and deletion.  (A user must have execute permission for a directory
 before he can add to or delete from it.)  Adding "dmask=022"
 (resulting in a directory mode of 0755) and "umask=133" (resulting in
 a file mode of 0644) should suffice.

 So try changing your fstab entry to this:

   UUID=E90C-65B4  /media/common vfat auto,exec,rw,flush,uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,dmask=022,fmask=133  0 0
>>
>> Based on the man page for mount saying:
>>
>> uid=value and gid=value
>>  Set the owner and group of all files. (Default: the uid and gid of
>> the current process.)
>>
>> I experimentally deleted "uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,".
>> I got something closer to my mental image of how things should work.
>> It required the partition be manually mounted.
>> That resulted with the existing files on the partition being "owned" by
>> the user triggering the mount - a near ideal situation.
>> HOWEVER :<
>> I managed to lose that configuration - I THOUGHT I'd saved all my
>> iterations.
>> I'll try again tomorrow morning. Right now I've got myself going in
>> non-productive circles.
>>
>>
>>>
>>> That worked.
>>> It raised some questions that I'll have to experiment with.
>>> Can't just now as I'm leaving for an appointment.
>>>

 It's probably safe to remove the "exec" and "flush" options, unless
 you have specific reasons to include them.
>>>
>>> I don't recall why I included exec.
>>> However flush was explicitly recommended in a "HOWTO" I saw somewhere.
>>> It specifically aimed at uses with vfat.
>>>
  The mount manpage has all
 of the details on the various options.  Search for "Mount options for
 fat" and "Mount options for vfat".


>>>
>>> More later.
>>> Thanks.
>>>


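A worked check for the vfat mount options Paul Mullen explains in the quoted thread, added here as an example (it is not code from the list or from util-linux): it parses an fstab line, computes the directory and file modes that the umask/dmask/fmask masks produce, and flags world-writable or ownerless results. It assumes the mount(8) semantics stated in the docstring, and the two entries are constructed, with numeric ids in place of the page's YOUR_UID_HERE placeholders.

```python
"""Work out what a vfat fstab entry's uid/gid/umask/dmask/fmask options give you.

Added example for this thread; not code from the list or from util-linux.
Assumes the semantics mount(8) documents for the fat options: a mask is the
octal set of permission bits removed from 0777, umask applies to files and
directories, dmask/fmask override it for one kind, and options are applied
in the order written, so a later one wins. Entries below are constructed.
"""

FAT_TYPES = {"vfat", "msdos", "fat"}

# Constructed entries: the thread's recommended line with numeric ids, and a
# wide-open variant of the kind a HOWTO might hand out.
RECOMMENDED_ENTRY = ("UUID=E90C-65B4  /media/common  vfat  "
                     "auto,exec,rw,flush,uid=1000,gid=100,dmask=022,fmask=133  0 0")
OPEN_ENTRY = "UUID=E90C-65B4  /media/common  vfat  auto,exec,rw,umask=000  0 0"


def parse_fstab_entry(line):
    """Split an fstab line into (spec, mountpoint, fstype, [options])."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab entry needs at least 4 fields: %r" % line)
    spec, mountpoint, fstype, opts = fields[:4]
    return spec, mountpoint, fstype, opts.split(",")


def effective_modes(options, process_umask=0o022):
    """Return (directory_mode, file_mode) the fat driver will report.

    process_umask stands in for the mounting process's umask, which is what
    mount(8) says applies when no mask option is given (assumed default 022).
    """
    dmask = fmask = process_umask
    for opt in options:
        key, sep, value = opt.partition("=")
        if not sep:
            continue
        if key == "umask":
            dmask = fmask = int(value, 8)
        elif key == "dmask":
            dmask = int(value, 8)
        elif key == "fmask":
            fmask = int(value, 8)
    return 0o777 & ~dmask, 0o777 & ~fmask


def audit_entry(line, process_umask=0o022):
    """Describe ownership and modes for one fat entry and flag loose settings."""
    spec, mountpoint, fstype, options = parse_fstab_entry(line)
    if fstype not in FAT_TYPES:
        raise ValueError("not a fat-family entry: %s" % fstype)
    flags = {o for o in options if "=" not in o}
    values = dict(o.split("=", 1) for o in options if "=" in o)
    dir_mode, file_mode = effective_modes(options, process_umask)

    warnings = []
    if dir_mode & 0o002:
        warnings.append("directories are world-writable")
    if file_mode & 0o002:
        warnings.append("files are world-writable")
    if "exec" in flags and file_mode & 0o001:
        warnings.append("exec with world-executable files: anything dropped "
                        "on the partition can be run by anyone")
    if "uid" not in values:
        warnings.append("no uid: every file is owned by whoever mounts it "
                        "(root for a boot-time fstab mount)")
    return {
        "spec": spec,
        "mountpoint": mountpoint,
        "uid": values.get("uid"),
        "gid": values.get("gid"),
        "dir_mode": dir_mode,
        "file_mode": file_mode,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for entry in (RECOMMENDED_ENTRY, OPEN_ENTRY):
        r = audit_entry(entry)
        print("%s: dirs %04o files %04o uid=%s gid=%s" %
              (r["mountpoint"], r["dir_mode"], r["file_mode"], r["uid"], r["gid"]))
        for w in r["warnings"]:
            print("  warning:", w)
```

The recommended masks (dmask=022, fmask=133) come out as 0755 directories and 0644 files, which is why the thread's entry draws no warnings while the umask=000 variant draws four.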


Re: [PLUG] FreeGeek...

2017-04-12 Thread Bynoe, Ronald J
You can submit a resume to a staffing agency like Cinder, and list your 
skillset and desired work environment. I know that CS graduates can get 
contracting positions (not ideal, but it is a foot in the door) that will 
provide that key experience that everyone wants before they're willing to risk 
hiring someone as an FTE. It's at least a potential (income generating) route 
while you get situated with what you want to do with your career. Unless you 
want to be a system administrator or IT guy though, I'll second Benjamin's 
response, that FreeGeek is awesome for A+ skills and general Linux skills, but 
not for programmer job training.

Pleasantly,
Ronald Bynoe
On Wed, 2017-04-12 at 12:49 -0700, Michael Christopher Robinson wrote:

If I do a 3-6 month Internship at FreeGeek, what is the minimum number
of hours needed to put it on my resume and become employable?  I have a
CS degree, but I don't have workplace experience and can't get a job
anywhere in the Portland area.  I want to specialize in network
security and I want to work on Unix and Linux based systems.  Another
option is learning how to build web sites that are fancy and properly
encrypted.  I'm trained in programming, but without training I can't
break into the industry.  Nobody in Portland seems interested in
inexperienced computer scientists.

One problem, I have recurring costs where FreeGeek can't pay anything
to their volunteers.  The longer I work at FreeGeek the better it
looks, but the less time I have to earn money.  I can drop
Comcast Internet and use my father's DSL, but that's about it.
I need my smartphone, $40.75/month, and I'm paying for a burial policy,
$11.20/month.  Once a year I incur significant cost paying for
robinson-west.com hosting at Eskimo North, the domain name through
register.com, and the security certificate.  I also pay for a VoIP
phone once a year through Phonepower.  That should be coming up in
May.  I have about $10k in student loan debt on income based repayment,
I've been paying about $100/month on it even though I don't have to pay
anything for a while longer and I can apply for more IBR deferment.
This is enough complication, but I'm engaged and hoping to get married
seven months from now.  I probably need to be taking home a minimum of
$2000/month to live on my own in Portland.


Re: [PLUG] FreeGeek...

2017-04-12 Thread benjamin barber
An internship at FreeGeek will not teach you anything relevant to your
computer science degree. If you would have looked at the trends, you may
have noticed that programming jobs are shrinking.  Furthermore building
websites is a possibility, but there is a plethora of easy WordPress and
Wix templates, and a lot of the rest of the work has been outsourced and
offshored.  If you have the said degree and have a GitHub of your work, you
may be able to get a job with the said experience. Most of the (good) jobs
in the webdev industry are "software as a service", for example jobs that
automate some process, or provide a service to people willing to pay for
it.

Also knowing how to program is the basics, you also need to have an
understanding of the tools, and how to properly implement the tools.
Network security is one of those jobs where programming is less relevant
than understanding the tools. That is unless you intend on designing the
tools, in which case you may need more than a bachelor's, and you will need
to know all sorts of protocols intimately. For example do you know how to
use a software defined radio, in order to spoof a cell phone tower, and try
to MITM the traffic as it's being sent, or how you would know you're being
MITM'd?

On Wed, Apr 12, 2017 at 12:49 PM, Michael Christopher Robinson <
mich...@robinson-west.com> wrote:

> If I do a 3-6 month Internship at FreeGeek, what is the minimum number
> of hours needed to put it on my resume and become employable?  I have a
> CS degree, but I don't have workplace experience and can't get a job
> anywhere in the Portland area.  I want to specialize in network
> security and I want to work on Unix and Linux based systems.  Another
> option is learning how to build web sites that are fancy and properly
> encrypted.  I'm trained in programming, but without training I can't
> break into the industry.  Nobody in Portland seems interested in
> inexperienced computer scientists.
>
> One problem, I have recurring costs where FreeGeek can't pay anything
> to their volunteers.  The longer I work at FreeGeek the better it
> looks, but the less time I have to earn money.  I can drop
> Comcast Internet and use my father's DSL, but that's about it.
> I need my smartphone, $40.75/month, and I'm paying for a burial policy,
> $11.20/month.  Once a year I incur significant cost paying for
> robinson-west.com hosting at Eskimo North, the domain name through
> register.com, and the security certificate.  I also pay for a VoIP
> phone once a year through Phonepower.  That should be coming up in
> May.  I have about $10k in student loan debt on income based repayment,
> I've been paying about $100/month on it even though I don't have to pay
> anything for a while longer and I can apply for more IBR deferment.
> This is enough complication, but I'm engaged and hoping to get married
> seven months from now.  I probably need to be taking home a minimum of
> $2000/month to live on my own in Portland.


[PLUG] FreeGeek...

2017-04-12 Thread Michael Christopher Robinson
If I do a 3-6 month Internship at FreeGeek, what is the minimum number
of hours needed to put it on my resume and become employable?  I have a
CS degree, but I don't have workplace experience and can't get a job
anywhere in the Portland area.  I want to specialize in network
security and I want to work on Unix and Linux based systems.  Another
option is learning how to build web sites that are fancy and properly
encrypted.  I'm trained in programming, but without training I can't
break into the industry.  Nobody in Portland seems interested in
inexperienced computer scientists.

One problem, I have recurring costs where FreeGeek can't pay anything
to their volunteers.  The longer I work at FreeGeek the better it
looks, but the less time I have to earn money.  I can drop
Comcast Internet and use my father's DSL, but that's about it.  
I need my smartphone, $40.75/month, and I'm paying for a burial policy,
$11.20/month.  Once a year I incur significant cost paying for
robinson-west.com hosting at Eskimo North, the domain name through
register.com, and the security certificate.  I also pay for a VoIP
phone once a year through Phonepower.  That should be coming up in 
May.  I have about $10k in student loan debt on income based repayment,
I've been paying about $100/month on it even though I don't have to pay
anything for a while longer and I can apply for more IBR deferment. 
This is enough complication, but I'm engaged and hoping to get married
seven months from now.  I probably need to be taking home a minimum of
$2000/month to live on my own in Portland.


Re: [PLUG] Reality collides with Linux worldview

2017-04-12 Thread Larry Brigman
Maybe with automount and udev rules it could get set automatically.

On Apr 12, 2017 8:39 AM, "Richard Owlett"  wrote:

> On 04/11/2017 01:13 PM, Richard Owlett wrote:
> > On 04/11/2017 12:30 PM, Paul Mullen wrote:
> >> On Tue, Apr 11, 2017 at 11:02:37AM -0500, Richard Owlett wrote:
> >>> Can fstab cause the partition's owner to 'universal' of group
> 'universe'?
> >>> NOTE BENE: spelling of 'universal'/'universe' intentional.
> >>>
> >>> The intention being that *all* users would *AUTOmagically* be members
> of
> >>> group 'universe'. Would require attention to creating same gid
> >>> automatically.
> >>
> >> FAT-based file systems have no concept of file ownership.  The Linux
> >> msdos and vfat file systems provide the ability to set static values
> >> for user, group, and permissions, though.  The "umask" option in your
> >> fstab entry is one of them.
> >>
> >> You can specify the owning user and group by adding the "uid" and
> >> "gid" options.  If left unset, they default to the user that mounts
> >> the partition (root, in your case).  Note that the value assigned to
> >> these options are the user's and group's numeric identifiers, not
> >> their names (e.g., "uid=1000").
> >>
> >> You can also specify permission mode masks separately for files and
> >> directories, which will eliminate your difficulty with file creation
> >> and deletion.  (A user must have execute permission for a directory
> >> before he can add to or delete from it.)  Adding "dmask=022"
> >> (resulting in a directory mode of 0755) and "umask=133" (resulting in
> >> a file mode of 0644) should suffice.
> >>
> >> So try changing your fstab entry to this:
> >>
> >>   UUID=E90C-65B4  /media/common vfat auto,exec,rw,flush,uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,dmask=022,fmask=133  0 0
>
> Based on the man page for mount saying:
>
> uid=value and gid=value
>  Set the owner and group of all files. (Default: the uid and gid of
> the current process.)
>
> I experimentally deleted "uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,".
> I got something closer to my mental image of how things should work.
> It required the partition be manually mounted.
> That resulted with the existing files on the partition being "owned" by
> the user triggering the mount - a near ideal situation.
> HOWEVER :<
> I managed to lose that configuration - I THOUGHT I'd saved all my
> iterations.
> I'll try again tomorrow morning. Right now I've got myself going in
> non-productive circles.
>
>
> >
> > That worked.
> > It raised some questions that I'll have to experiment with.
> > Can't just now as I'm leaving for an appointment.
> >
> >>
> >> It's probably safe to remove the "exec" and "flush" options, unless
> >> you have specific reasons to include them.
> >
> > I don't recall why I included exec.
> > However flush was explicitly recommended in a "HOWTO" I saw somewhere.
> > It specifically aimed at uses with vfat.
> >
> >>  The mount manpage has all
> >> of the details on the various options.  Search for "Mount options for
> >> fat" and "Mount options for vfat".
> >>
> >>
> >
> > More later.
> > Thanks.


Re: [PLUG] Public SSH server configs

2017-04-12 Thread Cryptomonkeys.org
On Apr 12, 2017, at 8:57 AM, Paul Heinlein  wrote:
> 
> On Tue, 11 Apr 2017, Cryptomonkeys.org wrote:
> 
>> Any thoughts on the consequences of arbitrary users being able to 
>> run their own sshd on port numbers >1024? Would that mean that if 
>> somebody got access to your machine, they could replace the 
>> listening sshd with their own?
> 
> I've never run sshd without root privileges, so I'm speculating here, 
> but that sshd would
> 
>  * need its own keys; the system keys should be locked down
> 
>  * be unable to authenticate user passwords, since PAM requires
>root-level privileges
> 
>  * would be unable to switch user IDs.
> 
> But it's an interesting idea; I just don't have time to experiment 
> right now.
> 
I imagine that one could chroot sshd in $HOME or /tmp, create the necessary 
directory structure and files, and run sshd on any port >1024.
I believe this is part of the rationale for running trustworthy services on 
ports <1024, because the service must be run as root.

Anyway, not telling anybody how to do things, just wondering out loud about how
things might work.

--
Louis Kowolowski   lou...@cryptomonkeys.com
Cryptomonkeys:   http://www.cryptomonkeys.com/






Re: [PLUG] Public SSH server configs

2017-04-12 Thread Cryptomonkeys.org
Sure, and that would be fine for all the people who aren't malicious.


> On Apr 11, 2017, at 7:53 PM, Tom  wrote:
> 
> That is what contracts, firewalls, monitoring and compliance tools are
> for.
> If you do not trust users to start a process or use network ports -
> disable their login and physical access to computers.
> There are so many avenues which can be exploited beside ssh or any
> myriad of other server processes.
> Tomas
> On Tue, 2017-04-11 at 18:41 -0500, Cryptomonkeys.org 
>  wrote:
>> On Apr 10, 2017, at 2:17 PM, Jim Garrison  wrote:
>>> 
>>> On 4/10/2017 8:22 AM, Paul Heinlein wrote:
 I've got a CentOS 7 VM running off in the cloud. It exposes SSH on
 port 22 to the world. I've thought about moving it to an alternate
 port, and may someday do so, but in the meantime I've tried to keep up
 with best practices for sshd configuration.
 
 I recently changed the KexAlgorithms setting, removing all
 key-exchange algorithms based on NIST curves. (Google variants of
 "ed25519 nist ssh ecdh" for my reasoning.) Anyway, the new setting:
 
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
 
 All of my machines (MacOS 10.12, CentOS 6, CentOS 7) can work with
 this setting, so I don't have to worry about infinite backward
 compatibility.
 
 One interesting and unintended result of this change is that many SSH
 scanners will fail while trying to negotiate a key exchange. The log
 entries are short and sweet:
 
 sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth]
 
 The number of scanners that even get through to the stage of 'Invalid
 user' has dropped from a couple hundred per day to less than a dozen.
 
 Everyone's situation is different, of course, and this alteration may
 not work in your environment -- but you may find it worthwhile raising
 the bar on the KexAlgorithm, Ciphers, and MACs in your sshd_config,
 especially if your SSH daemon is exposed to the world at large.
 
>>> 
>>> I've been running sshd on a non-standard port above 5000 for about 7
>>> years, on various hosting services, both real hardware and more
>>> recently virtual machines.  I think in 7 years I've seen only **two**
>>> attempted connections and I think those were from someone just doing a
>>> portscan, as the log messages were one-offs and not repeated.
>>> 
>>> There has never been any effort from anybody to actually connect.
>>> 
>> Any thoughts on the consequences of arbitrary users being able to run
>> their own sshd on port numbers >1024? Would that mean that if
>> somebody got access to your machine, they could replace the listening
>> sshd with their own?
>> 
>> --
>> Louis Kowolowski
>> lou...@cryptomonkeys.com
>> Cryptomonkeys:   
>> http://www.cryptomonkeys.com/  
> 
--
Louis Kowolowski  lou...@cryptomonkeys.com
Cryptomonkeys:   http://www.cryptomonkeys.com/

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
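Paul Heinlein's KexAlgorithms change, quoted above, has two sides a defender can check: whether an sshd_config still lists NIST-curve key exchanges, and how far scanners get in the log. The following is an added example, not code from the thread; the config excerpt and log lines are constructed, and the log format follows the `fatal: Unable to negotiate a key exchange method [preauth]` line quoted in the post.

```python
import re
from collections import Counter

# Key-exchange names based on NIST curves, the family the quoted post removes.
NIST_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}

def kex_algorithms(config_text):
    """Return the KexAlgorithms list from sshd_config text ([] if not set)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"(?i)kexalgorithms\s+(\S+)", line)
        if m:
            return m.group(1).split(",")
    return []

def nist_kex_present(config_text):
    """NIST-curve key exchanges that are still enabled in the config."""
    return [k for k in kex_algorithms(config_text) if k in NIST_KEX]

# Two sshd log events the post contrasts: the pre-auth kex failure, and the
# later 'Invalid user' line a scanner only reaches after key exchange succeeds.
KEX_FAIL = re.compile(r"Unable to negotiate a key exchange method")
INVALID_USER = re.compile(r"Invalid user \S+ from \S+")

def classify_sshd_log(lines):
    """Count how far each connection got: failed kex, user probe, or other."""
    counts = Counter()
    for line in lines:
        if KEX_FAIL.search(line):
            counts["kex_failed"] += 1
        elif INVALID_USER.search(line):
            counts["invalid_user"] += 1
        else:
            counts["other"] += 1
    return counts

# Constructed sample data (not a real host; addresses from documentation ranges).
SAMPLE_CONFIG = """# sshd_config excerpt
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
"""
SAMPLE_LOG = [
    "Apr 12 03:14:07 vm sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth]",
    "Apr 12 03:14:09 vm sshd[18201]: fatal: Unable to negotiate a key exchange method [preauth]",
    "Apr 12 03:15:22 vm sshd[18210]: Invalid user admin from 192.0.2.10 port 51234",
    "Apr 12 03:16:00 vm sshd[18211]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    print("NIST kex still enabled:", nist_kex_present(SAMPLE_CONFIG))
    print(dict(classify_sshd_log(SAMPLE_LOG)))
```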


Re: [PLUG] Reality collides with Linux worldview

2017-04-12 Thread Richard Owlett
On 04/11/2017 01:13 PM, Richard Owlett wrote:
> On 04/11/2017 12:30 PM, Paul Mullen wrote:
>> On Tue, Apr 11, 2017 at 11:02:37AM -0500, Richard Owlett wrote:
>>> Can fstab cause the partition's owner to 'universal' of group 'universe'?
>>> NOTA BENE: spelling of 'universal'/'universe' intentional.
>>>
>>> The intention being that *all* users would *AUTOmagically* be members of
>>> group 'universe'. Would require attention to creating same gid
>>> automatically.
>>
>> FAT-based file systems have no concept of file ownership.  The Linux
>> msdos and vfat file systems provide the ability to set static values
>> for user, group, and permissions, though.  The "umask" option in your
>> fstab entry is one of them.
>>
>> You can specify the owning user and group by adding the "uid" and
>> "gid" options.  If left unset, they default to the user that mounts
>> the partition (root, in your case).  Note that the value assigned to
>> these options are the user's and group's numeric identifiers, not
>> their names (e.g., "uid=1000").
>>
>> You can also specify permission mode masks separately for files and
>> directories, which will eliminate your difficulty with file creation
>> and deletion.  (A user must have execute permission for a directory
>> before he can add to or delete from it.)  Adding "dmask=022"
>> (resulting in a directory mode of 0755) and "umask=133" (resulting in
>> a file mode of 0644) should suffice.
>>
>> So try changing your fstab entry to this:
>>
>>   UUID=E90C-65B4  /media/common  vfat  auto,exec,rw,flush,uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,dmask=022,fmask=133  0 0

Based on the man page for mount saying:

  uid=value and gid=value
      Set the owner and group of all files. (Default: the uid and gid of
      the current process.)

I experimentally deleted "uid=YOUR_UID_HERE,gid=YOUR_GID_HERE,".
I got something closer to my mental image of how things should work.
It required the partition be manually mounted.
That resulted in the existing files on the partition being "owned" by 
the user triggering the mount - a near ideal situation.
HOWEVER :<
I managed to lose that configuration - I THOUGHT I'd saved all my 
iterations.
I'll try again tomorrow morning. Right now I've got myself going in 
non-productive circles.


>
> That worked.
> It raised some questions that I'll have to experiment with.
> Can't just now as I'm leaving for an appointment.
>
>>
>> It's probably safe to remove the "exec" and "flush" options, unless
>> you have specific reasons to include them.
>
> I don't recall why I included exec.
> However flush was explicitly recommended in a "HOWTO" I saw somewhere.
> It specifically aimed at uses with vfat.
>
>> The mount manpage has all
>> of the details on the various options.  Search for "Mount options for
>> fat" and "Mount options for vfat".
>>
>>
>
> More later.
> Thanks.
>


___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
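The uid/gid and mask options discussed in this thread decide who owns a vfat mount and what modes its files get. The following is an added example, not code from the thread: it parses an fstab entry and computes the resulting modes, assuming (as the quoted man page text says) that an unset mask defaults to the mounting process's umask, modelled here by the `process_umask` parameter, and that an explicit dmask/fmask overrides umask. The sample entry is constructed from the thread's option set with placeholder ids.

```python
def parse_fstab_line(line):
    """Split an fstab entry into its fields plus a dict of mount options."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab entry needs at least source, target, type, options")
    opts = {}
    for opt in fields[3].split(","):
        key, _, val = opt.partition("=")
        opts[key] = val if val else True          # flag options map to True
    return {"source": fields[0], "target": fields[1],
            "fstype": fields[2], "options": opts}

def effective_modes(opts, process_umask=0o022):
    """Return (directory mode, file mode) for a FAT mount with these options.

    umask sets both masks; an explicit dmask/fmask wins over it. FAT stores no
    Unix modes, so both are derived from 0777 & ~mask (0133 -> 0644)."""
    umask = int(opts["umask"], 8) if "umask" in opts else process_umask
    dmask = int(opts["dmask"], 8) if "dmask" in opts else umask
    fmask = int(opts["fmask"], 8) if "fmask" in opts else umask
    return 0o777 & ~dmask, 0o777 & ~fmask

def audit_vfat_entry(line, process_umask=0o022):
    """Report effective modes and the points the thread raises about the entry."""
    entry = parse_fstab_line(line)
    if entry["fstype"] not in ("vfat", "msdos"):
        raise ValueError("only FAT entries are handled here")
    opts = entry["options"]
    dmode, fmode = effective_modes(opts, process_umask)
    findings = []
    if "uid" not in opts or "gid" not in opts:
        findings.append("uid/gid unset: owner defaults to the mounting process (root at boot)")
    if (dmode | fmode) & 0o002:
        findings.append("world-writable: every user can create or delete files")
    if opts.get("exec") is True:
        findings.append("exec set: programs on the volume can be executed")
    return {"dir_mode": dmode, "file_mode": fmode, "findings": findings}

# Constructed sample using the thread's option set with placeholder ids.
SAMPLE_FSTAB_LINE = ("UUID=E90C-65B4  /media/common  vfat  "
                     "auto,exec,rw,flush,uid=1000,gid=1000,dmask=022,fmask=133  0 0")

if __name__ == "__main__":
    result = audit_vfat_entry(SAMPLE_FSTAB_LINE)
    print(f"dir {result['dir_mode']:04o} file {result['file_mode']:04o}")
    for finding in result["findings"]:
        print(" -", finding)
```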


Re: [PLUG] Public SSH server configs

2017-04-12 Thread Paul Heinlein
On Tue, 11 Apr 2017, Cryptomonkeys.org wrote:

> Any thoughts on the consequences of arbitrary users being able to 
> run their own sshd on port numbers >1024? Would that mean that if 
> somebody got access to your machine, they could replace the 
> listening sshd with their own?

I've never run sshd without root privileges, so I'm speculating here, 
but that sshd would

  * need its own keys; the system keys should be locked down

  * be unable to authenticate user passwords, since PAM requires
root-level privileges

  * be unable to switch user IDs.

But it's an interesting idea; I just don't have time to experiment 
right now.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
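Louis's question about a user-started sshd on a port above 1024 is something a host owner can check for rather than speculate about: such a daemon shows up as an sshd process that is not owned by root and is not on the expected port. The following is an added example, not code from the thread; it parses `ss -ltnpe` output, the sample output is constructed rather than captured from a real host, and it assumes that `ss -e` prints a `uid:N` field only for sockets not owned by root.

```python
import re

# Assumption: `ss -e` prints "uid:N" only for sockets whose owner is not
# root, so a listener without a uid field is treated as uid 0.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)')
UID_RE = re.compile(r"\buid:(\d+)\b")

def parse_listeners(ss_output):
    """Return one dict per LISTEN line: local address, port, process, pid, uid."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue                      # header or non-listening socket
        proc = PROC_RE.search(line)
        uid = UID_RE.search(line)
        listeners.append({
            "addr": m.group(1),
            "port": int(m.group(2)),
            "proc": proc.group(1) if proc else None,
            "pid": int(proc.group(2)) if proc else None,
            "uid": int(uid.group(1)) if uid else 0,
        })
    return listeners

def suspicious_sshd_listeners(listeners, expected_ports=(22,)):
    """sshd instances the system service would not account for: owned by a
    non-root uid (a user-started daemon, which has to use its own host keys)
    or bound to a port outside the expected set."""
    return [l for l in listeners
            if l["proc"] == "sshd"
            and (l["uid"] != 0 or l["port"] not in expected_ports)]

# Constructed sample output (no real host); the second sshd is a user process.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=850,fd=3)) ino:18900 sk:5 <->
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*   users:(("sshd",pid=4321,fd=3)) uid:1000 ino:31234 sk:6 <->
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*   users:(("python3",pid=4400,fd=4)) uid:1000 ino:31300 sk:7 <->
"""

if __name__ == "__main__":
    for hit in suspicious_sshd_listeners(parse_listeners(SAMPLE_SS)):
        print(f"unexpected sshd pid={hit['pid']} uid={hit['uid']} port={hit['port']}")
```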