Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread paulcriollo
Ss§
Sent from my BlackBerry on Movistar

-Original Message-
From: may...@maykel.sytes.net
Sender: centos-es-boun...@centos.org
Date: Thu, 29 Dec 2011 17:10:12 
To: centos-es@centos.org
Reply-To: centos-es@centos.org
Subject: Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

Thank you very much.

On 2011-12-29 16:09, carlos restrepo wrote:

Maykel, this link is a good start:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

 C.R.


___
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es


Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread carlos restrepo
Maykel, this link is a good start:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/


C.R.

On 29 December 2011 09:48, Maykel Franco Hernández
may...@maykel.sytes.net wrote:

 For about 6 years I have been administering Debian, Ubuntu, CentOS and
 openSUSE. I would like to learn more about FreeBSD because I hear nothing
 but wonders about it, but I remember that I once tried to set up a mail
 server script that was easy in theory, and it gave compilation errors
 all over the place.

 I would like to get into FreeBSD because as a server it is rock solid. In
 any case, if anyone knows of a tutorials page or FreeBSD docs, I would
 appreciate it.

 Regards.







-- 
Carlos Restrepo M.
Systems Administrator.


Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread carlos restrepo
maykel, and here in Spanish: http://www.freebsd.org/es/

C.R

On 29 December 2011 09:48, Maykel Franco Hernández
may...@maykel.sytes.net wrote:

 For about 6 years I have been administering Debian, Ubuntu, CentOS and
 openSUSE. I would like to learn more about FreeBSD because I hear nothing
 but wonders about it, but I remember that I once tried to set up a mail
 server script that was easy in theory, and it gave compilation errors
 all over the place.

 I would like to get into FreeBSD because as a server it is rock solid. In
 any case, if anyone knows of a tutorials page or FreeBSD docs, I would
 appreciate it.

 Regards.







-- 
Carlos Restrepo M.
Systems Administrator.


[CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread Maykel Franco Hernández


For about 6 years I have been administering Debian, Ubuntu, CentOS and
openSUSE. I would like to learn more about FreeBSD because I hear nothing
but wonders about it, but I remember that I once tried to set up a mail
server script that was easy in theory, and it gave compilation errors
all over the place.

I would like to get into FreeBSD because as a server it is rock solid. In
any case, if anyone knows of a tutorials page or FreeBSD docs, I would
appreciate it.

Regards.



On 29/12/11 00:09, Victor Padro wrote:
  2011/12/28 Jose Manuel Ajhuacho Vargas jose_t...@yahoo.es:
  +1 for pfsense
  but you have other options
  Zentyal
  is another appliance that may interest you

  Regards, Jose Manuel

  GPG Key ID: UBCMEOLVQMHEILINJBE

  --- On Wed, 28/12/11, Edg@r Rodolfo edgarr...@gmail.com wrote:

  From: Edg@r Rodolfo edgarr...@gmail.com
  Subject: Re: [CentOS-es] Choosing a firewall distro
  To: centos-es@centos.org
  Date: Wednesday, 28 December 2011 19:00

  Edguit@r
  http://espejobinario.blogspot.com

  On 28 December 2011 07:15, may...@maykel.sytes.net wrote:
  Hello, I am thinking of setting up a firewall at home to practice
  routing, tinker a bit with the traffic, and learn.
  Iptables is very good, it is integrated into the Linux kernel and all of
  that is fine because it is very streamlined, but I was looking for a
  distro that is administered via the web and comes ready to use; I have
  found the following:
  The cleanest approach, and where you really learn, is without an
  interface: you can connect over ssh and get into your box, and you can do
  everything you describe with pf (NetBSD, FreeBSD, OpenBSD), ipfilter
  (NetBSD), ipfw (native to FreeBSD). I prefer pf on FreeBSD and NetBSD for
  firewalls; you can do many interesting things with it.

  pfSense uses pf as its firewall and is very good if you want things done
  quickly, but in my opinion you can do most things with plain FreeBSD as a
  router, NAT, proxy, etc.; what is more, you know what you are doing,
  which is not the case with pfSense, but it is very good.
  smoothwall, clearos, ipcop, pfsense, ebox

  I would lean towards pfSense (FreeBSD), since it handles the TCP/IP stack
  very well. I also liked ClearOS a lot.

  Has anyone tried any of them and can advise me?
  I have tried FreeBSD (pfSense was born from it) and NetBSD (take a look
  at it, it is very good too); if you decide to use them for servers you
  will not regret it, as good as CentOS, but it is not GNU/Linux.
  It would be for protecting ports, routing traffic, setting up VPNs,
  possible traffic problems, statistics, etc.
  pf is wonderful for all of that; FreeBSD has phpsysinfo in ports, and
  with that you can see how the server is doing.
  Regards.
  Do not forget TO PUT OT in the subject when you discuss something that is
  not related to CentOS
  pfSense is the best there is... it is the closest thing to appliances
  from Nokia, Sonicwall, Cisco, etc.

  And best of all, it is very user-friendly and has a community as large
  as that of CentOS.

  I would recommend that you choose pfSense; you will see that you do not
  regret it.

  Regards.




Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread maykel
 

Thank you very much.

On 2011-12-29 16:09, carlos restrepo wrote:

Maykel, this link is a good start:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

 C.R.




[CentOS-es] OCFS2 and OCFS2 Tools for CentOS 6 64-bit

2011-12-29 Thread Sergio Villalba
Hello everyone,

does anyone know where I could download the RPM packages for ocfs2
tools and ocfs2?

If worst comes to worst, I will compile the tar.gz files.

Thanks.
Regards.


Re: [CentOS-es] OCFS2 and OCFS2 Tools for CentOS 6 64-bit

2011-12-29 Thread Ernesto Pérez Estévez
On 12/29/2011 03:48 PM, Sergio Villalba wrote:
 Hello everyone,
 
 does anyone know where I could download the RPM packages for ocfs2
 tools and ocfs2?
on Oracle's Linux site, you will find them there
regards
epe


 
 If worst comes to worst, I will compile the tar.gz files.
 
 Thanks.
 Regards.
 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

2011-12-29 Thread Edg@r Rodolfo
On 29 December 2011 09:48, Maykel Franco Hernández
may...@maykel.sytes.net wrote:


 For about 6 years I have been administering Debian, Ubuntu, CentOS and
 openSUSE. I would like to learn more about FreeBSD because I hear nothing
 but wonders about it, but I remember that I once tried to set up a

You have to experience those wonders for yourself and not be left wanting.

 mail server script that was easy in theory, and it gave compilation
 errors all over the place.

Surely something was wrong, and I do not think it is FreeBSD's fault.


 I would like to get into FreeBSD because as a server it is rock solid. In
 any case, if anyone knows of a tutorials page or FreeBSD docs, I would
 appreciate it.

Have you gone through the handbook? It is the best there is; you should
start there and then practice.


 Regards.





Re: [CentOS] why not have yum-updatesd running by default?

2011-12-29 Thread Bennett Haselton
On Wed, Dec 28, 2011 at 11:33 AM, Jim Wildman j...@rossberry.com wrote:

 The 'E' in CentOS stands for Enterprise.  Enterprises use change
 control.  Servers do not update themselves whenever they see an update.
 Updates are tested (not so much), approved and scheduled, hopefully in
 line with a maintenance window.  In most enterprises that I've been in,
 a server can't even contact the default repo servers.  And remember that
 for a RHEL server, it has to be registered with RHN before it can
 officially receive updates.  Defaulting yum-updatesd to on will be a no-op
 in almost every 'enterprise' case.

 Enterprises also don't hang servers directly off the Internet.  There
 are many layers betwixt the wild web and the OS.

 In the decade plus that I've been running RHEL, I've seen 1 update that
 was worthy of an emergency change to push it out RIGHT NOW to the
 servers.  And even that one didn't really need to be done.

 --
 Jim Wildman, CISSP, RHCE   j...@rossberry.com http://www.rossberry.net
 Society in every state is a blessing, but Government, even in its best
 state, is a necessary evil; in its worst state, an intolerable one.
 Thomas Paine
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos


To be more clear, I wasn't saying that for the particular people on this
list, of whom many are professional sysadmins, that it would be the best
option.

I'm talking about the majority of users who have leased a dedicated server
or a VPS for $5-$50 per month, and cannot ever be realistically expected to
change much of the defaults.  In that situation, you're weighing the
likelihood, and the undesirability, of two outcomes: either (1) the machine
ends up going down temporarily because of a bad update, or (2) the machine
ends up being hacked and attacking other networks because it wasn't
receiving updates.

(Side note: my friend replied to clarify that the kernel exploit he was
talking about that was found in March of this year, was one that allowed a
local user to gain root privilege, not one that allowed a remote user to
get in through the webserver or sshd.  So let's say it really is true
that running automatic yum updates is not the most important thing to
keep out remote users, and that the majority of webserver hacks do occur
through out-of-date web apps.  Then replace everything I said with "update
the web apps" instead of "installing the yum update patches".)

Would it not be best for the vast majority of those users to have updates
turned on by default?  If not, why not?  (Power users can always turn them
off, after all.)

Look, one may think that root access to dedicated servers (and
virtual/dedicated servers, which are almost as powerful/dangerous) should
never be given out to people who haven't been professionally trained.
(Some people still say that about net-connected computers generally!)  But
that can never be rolled back now, as long as hosting companies can legally
sell unmanaged dedicated/VPS machines to the public, they will.  So what
can be done to reduce the risks?

Or look at it this way: Suppose the government or some foundation offered a
$1 million prize for any proposal that permanently lowered the rate at
which CentOS servers were compromised.  If you actually come up with a
solution that lowers the rate, you get the money, but if you say that all
end users should do such-and-such (and they don't), then you get
nothing.  What would your proposal be?

My suggestion would be:
1) Implement an API call on the OS for "send this message to the machine
owner".  When the OS is installed on the machine, the person installing it
decides how the "notify" call would be implemented -- send an email to an
address, send a SMS message, whatever.  If a hosting company sets it up,
they could implement the call so that it automatically opens a new support
ticket waiting for the customer's attention.
The reason for #1 is that if the OS wants to notify the machine admin that
there's a problem, then -- at least in the case of a remotely hosted cheap
server or VPS -- you can't rely on the admin logging in and seeing the
message.  You have to proactively grab their attention somehow.  Then you
could use this function call for lots of things, but most importantly for
#2:
2) Implement some sort of scanner program (enabled by default) that would
regularly scan the machine, not just for known viruses, but for *anything*
that was known to be a frequent vector for attacks, that was not configured
to update itself automatically.  And:
- If the scanner finds an app that is not configured to update itself
automatically, it sends a low-priority message (using #1) saying "There are
no known exploits for this thing right now, but you really ought to turn on
updates for it."
- If the scanner finds a web app like WordPress that *cannot* update itself
automatically, say This 

Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Bennett Haselton
On Wed, Dec 28, 2011 at 6:10 AM, Johnny Hughes joh...@centos.org wrote:

 On 12/27/2011 10:42 PM, Bennett Haselton wrote:
  Everything installed on the machine had been installed with yum.  So I
  assumed that meant that it would also be updated by yum if an update
 was
  available from the distro.
 

 1.  Are you running PHP apps on the web server?  Perl apps?  Bad code in
 dynamic apps is the main way security breaches happen if via apache.
 And in those cases is usually the ability to execute some script
 (sometimes one that the bad guys upload first) that is the issue.  Many
 times this happens because programmers of the dynamic (php, perl,
 python, ruby, etc.) do not properly vet the input of some form or other
 item.


The only popular third-party script on the server was glype from
www.glype.com.  I don't know if it's popular enough (compared to, say,
WordPress) to make it worthwhile for the bad guys to have developed an
exploit against it.  On the other hand, if they used an automated tool that
can be pointed to *any* PHP script and probe it for weaknesses, they could
have found something.








2.  Why have password logins at all?  Using a secure ssh key only for
 logins makes the most sense.


Well that's something that I'm curious about the reasoning behind -- if
you're already using a completely random 12-character password, why would
it be any more secure to use an ssh key?  Even though the ssh key is more
random, they're both sufficiently random that it would take at least
hundreds of years to get in by trial and error.




3.  Please do not top post.


My bad.  Gmail default. :)



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
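
Point 2 in the exchange above (key-only SSH logins) is enforced by a handful of sshd_config directives. The following is an added example, not code from the thread: a Python audit that resolves settings the way sshd does (the first occurrence of a keyword wins, Match blocks override per connection) and lists what still permits password-style logins. The sample configs are constructed, and the defaults table assumes upstream OpenSSH of the 2011 era.

```python
import re

# Upstream OpenSSH defaults for the directives checked here (assumption:
# 2011-era sshd; a distribution's shipped sshd_config may set them explicitly).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample: looks key-only at a glance, but is not.
SAMPLE = """\
# constructed sample, not taken from the thread
Port 22
PasswordAuthentication no
passwordauthentication yes
PermitRootLogin without-password
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Constructed sample: key-only logins, no per-connection exceptions.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Keywords are case-insensitive and sshd keeps the FIRST value it reads
    for a keyword. Lines after a Match line apply only to connections that
    satisfy its criteria, so they are collected separately.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(keyword, value)  # later duplicates are ignored
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means key-only logins."""
    settings, match_blocks = parse_sshd_config(text)
    effective = dict(DEFAULTS)
    effective.update(settings)
    findings = []
    if effective["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: keys cannot be used")
    for key, label in (
        ("passwordauthentication", "PasswordAuthentication"),
        ("challengeresponseauthentication", "ChallengeResponseAuthentication"),
    ):
        if effective[key].lower() != "no":
            source = "explicit" if key in settings else "default"
            findings.append("%s is enabled (%s): passwords can be guessed "
                            "over the network" % (label, source))
    if effective["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root may use any enabled method")
    if effective["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: empty passwords accepted")
    for criteria, block in match_blocks:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append("Match %s re-enables PasswordAuthentication"
                            % criteria)
    return findings


if __name__ == "__main__":
    for name, cfg in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        print(name)
        for finding in audit(cfg) or ["key-only logins"]:
            print("  -", finding)
```

On a real host, compare the result with the output of `sshd -T`, which prints the effective configuration sshd itself computes.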


[CentOS] RHEV guest tools

2011-12-29 Thread Johan Kooijman
Hi all,

We're running RHEV as our main virtualization platform. Most of our
guests are CentOS though. Do you guys know if there's a guest tools
package for CentOS available like there is for Windows for example?
Can't really find an answer here.

-- 
Met vriendelijke groeten / With kind regards,
Johan Kooijman

T +31(0) 6 43 44 45 27
F +31(0) 162 82 00 01
E m...@johankooijman.com


Re: [CentOS] Ad integration with centos 6

2011-12-29 Thread Trey Dockendorf
I wrote an article some time ago for CentOS 6 and have been using this
setup in production since.
http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/

My servers that interact with AD allow both AD based file sharing and also
SSH access.  The most updated configs I use can be found here,
https://github.com/treydock/puppet-samba.  I just added recent changes
where I use AD groups to delegate access to the Linux server.  This works
with 2008 R2.

- Trey

On Fri, Dec 23, 2011 at 12:23 AM, dnk d.k.emailli...@gmail.com wrote:

 Can anyone point me to a tutorial on using Active Directory to authenticate
 a centos 6 server? I just want to use it to authenticate, ssh and restrict
 access to a particular ad group. I prefer to use the lightest method
 possible. I know you can use ldap, or winbind, etc. I have been trying to
 follow the ones I have been googling, but none of them seem quite complete.
 My issue is that I have no ldap experience.

 Dnk



Re: [CentOS] RHEV guest tools

2011-12-29 Thread Trey Dockendorf
On Dec 29, 2011 2:25 AM, Johan Kooijman m...@johankooijman.com wrote:

 Hi all,

 We're running RHEV as our main virtualization platform. Most of our
 guests are CentOS though. Do you guys know if there's a guest tools
 package for CentOS available like there is for Windows for example?
 Can't really find an answer here.

 --
 Met vriendelijke groeten / With kind regards,
 Johan Kooijman

 T +31(0) 6 43 44 45 27
 F +31(0) 162 82 00 01
 E m...@johankooijman.com

I don't use RHEV (yet) but being that it's based on KVM and libvirt I don't
think you need guest tools.  When you configure in RHEV Manager does it
identify the paravirtual devices as virtio?  If so then it's standard in the
kernel used by CentOS since around 5.5.  I run all my CentOS VMs on the KVM
/ libvirt platform and systems install fine without any additional tools.
The only additional thing I install is acpid to allow the VM manager to
perform shutdowns and reboots.

- Trey


Re: [CentOS] RHEV guest tools

2011-12-29 Thread Johan Kooijman
 I don't use RHEV (yet) but being that it's based on KVM and libvirt I don't
 think you need guest tools.  When you configure in RHEV Manager does it
 identify the paravirtual devices as virtio?  If so then it's standard in the
 kernel used by CentOS since around 5.5.  I run all my CentOS VMs on the KVM
 / libvirt platform and systems install fine without any additional tools.
 The only additional thing I install is acpid to allow the VM manager to
 perform shutdowns and reboots.

My bad, indeed, the guest OS works perfect. What I'm looking for is
the extra data RHEVM can provide that it gets from the guest tools,
like IP, memory use etc. See
http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a
Windows machine with the guest tools installed.

-- 
Met vriendelijke groeten / With kind regards,
Johan Kooijman

T +31(0) 6 43 44 45 27
F +31(0) 162 82 00 01
E m...@johankooijman.com


Re: [CentOS] NFS options in fstab

2011-12-29 Thread Daniel Bird
On 29/12/2011 14:25, Daniel Bird wrote:
 Hi All,
 I've a quick question I'm hoping someone can help out on; One of our NFS
 servers has an intermittent hard lock problem under high load. This is a
 CentOS 5.7 box. It's due for replacement sometime next year. However...

 The issue is when this box dies the boxes that mount the NFS exports
 have trouble with the mount and some processes time out causing the
 system mounting the file system to become unresponsive also.  Of course
 un-mounting the file system with -l fixes it.

 This is an example of our current mount options in fstab

 hostname:/share1/ /mountpoint nfs rw,intr,soft,bg 0 0

 The question is, what (other) options should we be using to allow the
 mounting server to ignore/fail/timeout the mount, or at least continue
 normal processing, when the NFS server packs up?
Ahhh, I should read the man pages more carefully!!

Just found this

retry=n   The  number of minutes to retry an NFS mount operation in the
foreground or background before giving up.  The default
value for forground mounts is 2 minutes.  The default
value for background mounts is 1 minutes, which is  roughly
one week.

So retry=2 would give the same behavior on background mounts as
foreground mounts I reckon.

 FYI we can't move to NFS4 since we've some old boxes running Solaris 8 
 mounting this filesystem also, which cannot be upgraded to Solaris 10 to
 support v4.

 All the best

 Dan




Re: [CentOS] asus-wmi.ko for Asus G73Sw running CentOS 6.2

2011-12-29 Thread Ned Slider
On 29/12/11 04:27, Rob Kampen wrote:
 Hi List,
 Just loaded our favorite OS onto my new ASUS laptop.
 Practically everything worked out of the box - I used the live DVD to
 check things out and installed from there.
 I have followed
 http://forum.notebookreview.com/asus-gaming-notebook-forum/553474-g73-asus-wmi-linux-driver-i-need-your-help-6.html
 to get suspend working and also to get function keys working for LCD
 screen backlight controls working (Fn F5 and Fn F6).
 Upon further searches I find that there is a kernel module asus-wmi.ko
 available in some distros that also allows some of the other Asus
 functions to operate - of particular interest is the keyboard backlight
 (Fn F3 and Fn F4) as well as the master backlight on/off key to function.

 Question, does anyone know where and how to locate this (asus-wmi.ko)
 and get it functioning under CentOS 6.2?


Well, let's see if it's a part of el6:

$ find /lib/modules/ -name asus-wmi.ko

No, that doesn't find it.

Looking at more recent kernel sources, I see it's present in 
kernel-2.6.39 but not present in 2.6.35, so it was introduced somewhere 
between the two.

 I am prepared to set up the required build environment - but need some
 assistance as this is really at the limits of my experience. I have
 rebuilt the kernel to remove patches with some success previously and
 will have to dust off this knowledge if required.


As mentioned previously, this is exactly what elrepo.org does, so if you 
pop over to:

http://elrepo.org/bugs

and file an RFE against el6 for asus-wmi.ko we will attempt to backport 
the module to el6 for you. All we ask in return is that you test the 
module and provide feedback as to whether it works for you.

Thanks.





Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread m . roth
夜神 岩男 wrote:
 On 12/30/2011 12:00 AM, m.r...@5-cent.us wrote:
 夜神 岩男 wrote:
 On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
snip
 When traveling I log in to my home server and work servers with my
 laptop. It's really a *lot* easier than using a bunch of password
 schemes.
 snip
 Ah, that brings to mind another issue with only passwords:
 synchronization. I worked as a subcontractor for a *huge* US co a few
 years ago. I've *never* had to write passwords down... but for there, I
 had a page of them! Our group's, the corporate test systems, the
 corporate *production* systems, and *each* had their own, along with
 their own password aging (there was *no* single sign-on), the
 contracting co's

 Ah, forgot about that because it's no longer a problem for me anymore.
 Using the same password on two systems is a religiously-to-be-observed
 rule that *most* users violate.
snip
Yeah, but this was *corporate*: systems I had no access to other than as a
user, with very limited sudo. I was *appalled* that they didn't have
single sign-on.

mark



Re: [CentOS] 6.2 release: a thank you

2011-12-29 Thread Leonard den Ottolander
On Thu, 2011-12-29 at 11:42 +0100, Leonard den Ottolander wrote:
 The pango warning is an issue with the old package that got removed, but
 the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from
 the CR repo) still has that incorrect directory
 (/etc/gtk-2.0/x86_64-unknown-linux-gnu/)

After downloading the same package from the 6.2 tree I see this got
fixed. How do I update old packages from CR to the current tree again?

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research




Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Johnny Hughes
On 12/29/2011 01:19 PM, m.r...@5-cent.us wrote:
 Johnny Hughes wrote:
 On 12/29/2011 01:01 PM, John Broome wrote:
 On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com
 wrote:
 On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86
 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however
 RHEL6 (and all versions of CentOS) are completely unsupported by
 Oracle, so I wouldn't plan on using it for any sort of production
 where you expect support.  there were some minor ignorable issues in
 install, like it claimed the system is missing some old packages

 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?

 No, they rolled it out as a Linux distribution.  Believe it or not,
 people do other things besides run Oracle databases on Linux :)

 I am sure they will certify their database systems on OEL 6.x in the
 future.

 They can't very well (at least not with a straight face) tell Red Hat
 that RHEL6 is not certified while saying that OEL6 is certified can
 they?  If they do that for very long, they will be breaching their
 support agreements.
 snip
 Let me also note that whatever else Oracle is, they're not stupid when it
 comes to selling, and there are many, many more RHEL installations than
 there are OUL.
 

But if you have a license for rhel6, you can also run rhel5 ...
therefore, they get their supported sales by supporting rhel5, while
still claiming their kernel is better and trying to drive people to
their product.

Where is their incentive to support rhel6 until much closer to March 31,
2017 (rhel5 EOL Date).






Re: [CentOS] RHEV guest tools

2011-12-29 Thread Johnny Hughes
On 12/29/2011 10:26 AM, Trey Dockendorf wrote:
 On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote:

 On 12/29/2011 02:21 PM, Johnny Hughes wrote:

 Would this spec file (and source tar ball) build the proper package?

 If not, where would I get it.

 I would be happy to build the proper source for centos extras for CentOS
 guests.

 let's see if we can get the entire ovirt stack done - its quite a pain
 building it at the moment though, but if a couple of people want to help
 - we might be able to get that in

 - KB
 
 I can attest to the difficulty of that build.  I tried using FC16 srpms
 against 6.1 using mock and I spent an entire day with no luck.  Wrote
 scripts that would yumdownload srpms then attempt a build then download
 missing deps and retry.  Got to the point where only one new package would
 build then failed on kernel versions.  Though 6.2 should much more closely
 match what upstream uses as I believe RHEV 3 will be released for 6.2.
 
 Any idea if the full RHEV suite will be open sourced and eventually
 available in CentOS?  Both the rhev hypervisor and manager.  I've lost the
 fight at my org to buy the product.
 
 If you need any extra help with the build I'd be willing to assist.  Been
 following Ovirt closely.

Do you specifically have the guest tools SRPMS, which is something we
can do first and also come up with the whole stack later.





[CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread mcclnx mcc
Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
X86_64) version like 9.X, 10GR2, 11G and 11GR2.

Any official document say that?

Thanks.



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Johnny Hughes
On 12/29/2011 01:01 PM, John Broome wrote:
 On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:
 On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
 X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however
 RHEL6 (and all versions of CentOS) are completely unsupported by Oracle,
 so I wouldn't plan on using it for any sort of production where you
 expect support.  there were some minor ignorable issues in install, like
 it claimed the system is missing some old packages
 
 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?

No, they rolled it out as a Linux distribution.  Believe it or not,
people do other things besides run Oracle databases on Linux :)

I am sure they will certify their database systems on OEL 6.x in the future.

They can't very well (at least not with a straight face) tell Red Hat
that RHEL6 is not certified while saying that OEL6 is certified can
they?  If they do that for very long, they will be breaching their
support agreements.

If their goal is to move people off RHEL and to OEL (I think it is),
then not certifying the latest version while trying to convert people
seems like the way to go.  Once they have a bunch of converts, then they
certify OEL6 and some short time later RHEL6. They need to wait though,
until they make the kernel better support the Oracle database though,
like they did for OEL5.

In the meantime, they get their super whamidyne kernel for OEL5 in the
press ... the only real thing they promote as different between RHEL5
and OEL5 ... which gives their linux better and quicker Oracle database
support and they try grabbing customers with that difference.






Re: [CentOS] why not have yum-updatesd running by default?

2011-12-29 Thread Les Mikesell
On Thu, Dec 29, 2011 at 1:10 PM, Bennett Haselton benn...@peacefire.org wrote:

 If your service is important, then it is worth testing changes before
 making them on your important server.   But no one else can tell you
 whether your server is that important or not...   It's fairly trivial
 to run a 'yum update' on a lab server daily, and if anything  updates,
 make sure that things still work before repeating it on the production
 box(es).   The update checks can be scripted, but the does it still
 work test will be unique to your services.


 But these are all considerations mainly for power users; I'm still talking
 just about the vast majority of hosting company customers who just lease a
 dedicated or virtual private server, and don't even have a test server
 and a production server.  Why wouldn't it be best for those servers just
 to pick up and install updates automatically?

There's a chance it will break your service.  If that isn't important
enough for you to test, then yes, you should update automatically, but
you don't get to blame someone else when it does break.  It has to be
your choice.  But you are pretty much guaranteed to have known
vulnerabilities if you don't update.  All you have to do is look at
the changelogs to see that.

 Mine is to assume that there are very good reasons for 'Enterprise'
 distributions to go to the trouble of publishing updates.  Install
 them.  Always assume that there are still more vulnerabilities that
 you don't know about yet - and if you have to ask the question, you
 aren't going to do better than the developers and Red Hat at keeping
 up with them.


 Yes this is good advice for the individual user; what I was asking is what
 set of *defaults* would improve security the most for the vast majority of
 users (who cannot be counted on to change defaults -- or, indeed, to follow
 any advice that anyone thinks everyone should do!).

There is always a tradeoff between convenience and security and one
size doesn't fit all.  If everything on the site is public anyway then
the most you have to lose is the service of the machine.   If there is
something valuable to steal then you should be prepared to do some
extra work to protect it.  In any case don't install or expose any
services that aren't absolutely needed.

-- 
  Les Mikesell
lesmikes...@gmail.com
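
The scripted update check described above, as an added example that is not part of the thread: it reads the exit status of `yum check-update` (100 means updates are pending, 0 none, 1 an error), parses the package table including yum's wrapped long lines, and lists which service checks to run on the lab box. The sample output and the `SMOKE_TESTS` table are constructed and hypothetical.

```python
import subprocess

# Hypothetical map from package name to the "does it still work" check it
# should trigger on the lab server; every site fills in its own.
SMOKE_TESTS = {
    "httpd": "fetch a known page over HTTP and HTTPS",
    "openssl": "restart TLS services and complete a handshake",
    "openssh-server": "open a second ssh session before closing the first",
}

# Constructed sample of `yum check-update` output (versions are made up).
# The second package shows how yum wraps a long name onto two lines.
SAMPLE = """\
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

httpd.x86_64                    2.2.15-15.el6.centos        updates
java-1.6.0-openjdk-devel.x86_64
                                1:1.6.0.0-1.43.el6          updates
openssl.x86_64                  1.0.0-20.el6                updates
Obsoleting Packages
foo.noarch                      1.0-1                       updates
    bar.noarch                  0.9-1                       installed
"""


def parse_check_update(output):
    """Return [(name, arch, version, repo), ...] for pending updates.

    Assumes the package table starts after the first blank line, which is
    where yum puts it after the plugin and mirror messages. Rows are read
    as a token stream so a row wrapped over two lines is still one entry.
    """
    tokens = []
    in_table = False
    for line in output.splitlines():
        if not in_table:
            in_table = (line.strip() == "")
            continue
        if line.startswith("Obsoleting Packages"):
            break  # obsoletes are listed in a different layout
        tokens.extend(line.split())
    updates = []
    for i in range(0, len(tokens) - 2, 3):
        name, _, arch = tokens[i].rpartition(".")
        updates.append((name, arch, tokens[i + 1], tokens[i + 2]))
    return updates


def plan(returncode, output):
    """Turn yum's exit status and output into (status, updates, checks)."""
    if returncode == 0:
        return "up-to-date", [], []
    if returncode != 100:
        return "error", [], []
    updates = parse_check_update(output)
    checks = [SMOKE_TESTS[u[0]] for u in updates if u[0] in SMOKE_TESTS]
    return "update-lab-then-test", updates, checks


if __name__ == "__main__":
    # On a real lab server: run the check, then report what to verify
    # before repeating the update on production.
    proc = subprocess.run(["yum", "check-update"], stdout=subprocess.PIPE,
                          universal_newlines=True)
    status, updates, checks = plan(proc.returncode, proc.stdout)
    print(status)
    for name, arch, version, repo in updates:
        print("  pending: %s.%s %s (%s)" % (name, arch, version, repo))
    for check in checks:
        print("  verify:  %s" % check)
```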


Re: [CentOS] why not have yum-updatesd running by default?

2011-12-29 Thread m . roth
Bennett Haselton wrote:
 On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell
 lesmikes...@gmail.com wrote:

  Would it not be best for the vast majority of those users to have
 updates turned on by default?  If not, why not?  (Power users can
 always turn them off, after all.)

 If your service is important, then it is worth testing changes before
 making them on your important server.   But no one else can tell you
 whether your server is that important or not...   It's fairly trivial
 to run a 'yum update' on a lab server daily, and if anything  updates,
 make sure that things still work before repeating it on the production
 box(es).   The update checks can be scripted, but the does it still
 work test will be unique to your services.

 But these are all considerations mainly for power users; I'm still talking
 just about the vast majority of hosting company customers who just lease a
 dedicated or virtual private server, and don't even have a test server
 and a production server.  Why wouldn't it be best for those servers just
snip
A. If you are a business, and don't have a test/development server, you're
an idiot, and will be out of business shortly, broke, after too many
errors in production. And before you say anything, in addition to huge
companies, I've worked for companies as small as 12 and even 6, and
*everyone* had test/development servers.

B. Hosting providers, if you're not buying colo, do the testing and
rollout of updates themselves, not trusting to the vast majority of
hosting company customers to update with bug and security fixes.

 mark




Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread m . roth
Johnny Hughes wrote:
 On 12/29/2011 01:01 PM, John Broome wrote:
 On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com
 wrote:
 On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86
 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however
 RHEL6 (and all versions of CentOS) are completely unsupported by
 Oracle, so I wouldn't plan on using it for any sort of production
 where you expect support.  there were some minor ignorable issues in
 install, like it claimed the system is missing some old packages

 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?

 No, they rolled it out as a Linux distribution.  Believe it or not,
 people do other things besides run Oracle databases on Linux :)

 I am sure they will certify their database systems on OEL 6.x in the
 future.

 They can't very well (at least not with a straight face) tell Red Hat
 that RHEL6 is not certified while saying that OEL6 is certified can
 they?  If they do that for very long, they will be breaching their
 support agreements.
snip
Let me also note that whatever else Oracle is, they're not stupid when it
comes to selling, and there are many, many more RHEL installations than
there are OUL.

mark



Re: [CentOS] why not have yum-updatesd running by default?

2011-12-29 Thread Bennett Haselton
On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell lesmikes...@gmail.com wrote:

  Would it not be best for the vast majority of those users to have updates
  turned on by default?  If not, why not?  (Power users can always turn
 them
  off, after all.)

 If your service is important, then it is worth testing changes before
 making them on your important server.   But no one else can tell you
 whether your server is that important or not...   It's fairly trivial
 to run a 'yum update' on a lab server daily, and if anything  updates,
 make sure that things still work before repeating it on the production
 box(es).   The update checks can be scripted, but the does it still
 work test will be unique to your services.


But these are all considerations mainly for power users; I'm still talking
just about the vast majority of hosting company customers who just lease a
dedicated or virtual private server, and don't even have a test server
and a production server.  Why wouldn't it be best for those servers just
to pick up and install updates automatically?


  What would your proposal be?  (Remembering that you can't change human
  nature, so if it relies on the majority of end users devoting time that
 you
  think they should do, it won't happen :) )

 Mine is to assume that there are very good reasons for 'Enterprise'
 distributions to go to the trouble of publishing updates.  Install
 them.  Always assume that there are still more vulnerabilities that
 you don't know about yet - and if you have to ask the question, you
 aren't going to do better than the developers and Red Hat at keeping
 up with them.




Yes this is good advice for the individual user; what I was asking is what
set of *defaults* would improve security the most for the vast majority of
users (who cannot be counted on to change defaults -- or, indeed, to follow
any advice that anyone thinks everyone should do!).


Re: [CentOS] Refresh all packages?

2011-12-29 Thread Ken godee
 Hello, I have dedicated server on CentOS Linux 6.1 with
 webmin/virtualmin and it tell me:

 Package updates   145 updates to system packages are available. Use the
 Virtualmin Package Updates module to install them selectively.

 4 updates to Virtualmin packages are available. Use the Virtualmin
 Package Updates module to install them selectively.

 Should I update all packages?

Sure, if you want to stay current and move along
to 6.2

Update Webmin too.

Yum update should take care of it.

Of course it's always nice to make a snapshot/backup
in case things go screwy. Which really should not unless
you've gone off the standard install. (beside Webmin)






Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread John R Pierce
On 12/29/11 11:01 AM, John Broome wrote:
 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?

who knows?   You'd need to ask them, and I doubt you'd get an answer.


-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Peter Eckel
Hi Marko, 

 Using the ssh key can be problematic because it is too long and too random to 
 be memorized --- you have to carry it on a usb stick (or wherever). This
 provides an additional point of failure should your stick get lost or stolen.

this is only correct when you use SSH keys without a sufficiently secure 
passphrase. Which you obviously should never do. If you have a passphrase with 
your key, finding or stealing the USB stick is completely useless, and even if 
someone gets at your key, you're no worse off than with password authentication.

 Human brain is still by far the most secure information-storage device. :-)

I strongly disagree. Social engineering is a very efficient way to get at other
people's data.

 It is very inconvenient for people who need to login to their servers from 
 random remote locations (ie. people who travel a lot or work in hardware-
 controlled environment).

Agreed.

 Besides, it is essentially a question of overkill. If password is not good 
 enough, you could argue that the key is also not good enough --- two keys (or 
 a larger one) would be more secure. Where do you draw the line?

One key is indefinitely better than a password. The additional security you 
gain when you add another key is, however, disputable. 

Best regards, 

  Peter.


Re: [CentOS] Refresh all packages?

2011-12-29 Thread John R Pierce
On 12/29/11 10:33 AM, Weplica wrote:
 Hello, I have dedicated server on CentOS Linux 6.1 with
 webmin/virtualmin and it tell me:

 Package updates   145 updates to system packages are available. Use the
 Virtualmin Package Updates module to install them selectively.

 4 updates to Virtualmin packages are available. Use the Virtualmin
 Package Updates module to install them selectively.


 Should I update all packages?

this is a production system?  you should test any and all packages on an 
identically configured test or staging platform and verify your workload 
is compatible before deploying any updates in production.

webmin/virtualmin is not part of CentOS Linux, so you're on your own there.

-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread John R Pierce
On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
 X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however 
RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, 
so I wouldn't plan on using it for any sort of production where you 
expect support.  there were some minor ignorable issues in install, like 
it claimed the system is missing some old packages


-- 
john r pierce                            N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread John Broome
On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:
 On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
 X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however
 RHEL6 (and all versions of CentOS) are completely unsupported by Oracle,
 so I wouldn't plan on using it for any sort of production where you
 expect support.  there were some minor ignorable issues in install, like
 it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out
just for shits and giggles?


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread m . roth
Reindl Harald wrote:
 Am 29.12.2011 14:21, schrieb Marko Vojinovic:
 so explain me why discuss to use or not to use the best
 currently available method in context of security?

 Using the ssh key can be problematic because it is too long and too
 random to be memorized --- you have to carry it on a usb stick (or
 wherever). This provides an additional point of failure should your
 stick get lost or stolen.
 Human brain is still by far the most secure information-storage device.
 :-)

 this is bullshit
 most people have their ssh-key on a usb-stick

 normally a ssh-key is protected by a password
 this can be your 12-char password
snip
Many US companies have gone past that. A number that I've worked for, and
the one I work for, all have used RSA keyfobs. To open the VPN link, you
need three pieces of information: userid, PIN (which is up to 8 chars min)
and the six digit code from the fob.

The US gov't has gone a different way: it issues CaC or PIV-II cards, and
you need a) a card reader attached or builtin to your system, b) the card,
and c) your PIN (8 digits).

In both cases, once you've got your VPN, *then* it will frequently be
asking for username  passwords for each different kind of access.

 mark



Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread John Broome
On Dec 29, 2011, at 7:30, mcclnx mcc mcc...@yahoo.com.tw wrote:

 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
 X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 Any official document say that?

OEL6 is rebuilt RHEL6. CentOS 6 is rebuilt RHEL6.

I think it'll be ok.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Ned Slider
On 29/12/11 03:38, Craig White wrote:
 On Wed, 2011-12-28 at 00:40 -0700, Bennett Haselton wrote:
 On Tue, Dec 27, 2011 at 10:17 PM, Rilindo Foster rili...@me.com  wrote:

 What was the nature of the break-in, if I may ask?


 I don't know how they did it, only that the hosting company had to take the
 server offline because they said it was sending a DOS attack to a remote
 host and using huge amounts of bandwidth in the process.  The top priority
 was to get the machine back online so they reformatted it and re-connected
 it, so there are no longer any logs showing what might have happened.
 (Although of course once the server is compromised, presumably the logs can
 be rewritten to say anything anyway.)
 
 the top priority was to get the machine back online?

 Seems to me that you threw away the only opportunity to find out what
 you did wrong and to correct that so it doesn't happen again. You are
 left to endlessly suffer the endless possibilities and the extreme
 likelihood that it will happen again.



I'm with Craig on this, you need to re-evaluate your priorities.

Top priority is to ensure it doesn't happen again. In order to achieve 
the top priority it is important to understand what happened and how it 
happened. If you don't understand that how do you expect to possibly 
prevent it happening again.

The problem is that your security was flawed - that is what you need 
to fix. A symptom of the problem was the DoS attack. That will only ever 
be fixed by addressing the problem that caused it. You have confused the 
symptom with the problem.

A symptom of the DoS attack was excessively high bandwidth usage and 
that is probably why your host intervened - they probably don't care 
your server was hacked and they probably don't care you are DoSing 
someone else - all they care about is you're using too much of their 
bandwidth. That all sounds to me like you need to choose another more 
responsible hosting provider.

Last priority is getting the server back online after you have fixed the 
problem.

Case in point - earlier this year kernel.org had a break in. Did they a) 
make it top priority to get kernel.org back online as quickly as 
possible, or b) take the time necessary to fully investigate the 
incident and put in place procedures so as to prevent it happening 
again. I'll give you a clue - the website was off line for well over a 
month.

Let's consider an analogy, the regular highway vs the information 
superhighway. Are you allowed to run a vehicle on the highway that isn't 
fit for purpose? No, because it endangers others. But you expect to be 
able to put a server on the information superhighway that isn't fit for 
purpose and expect no repercussions.

If I were a large (rich) corporation and I experienced a DoS attack of 
the nature your server participated in I would sue you for damages, and 
my job would be made significantly easier if I could demonstrate wilful 
neglect on your part to take even the most rudimentary steps to ensure 
your server was fit for purpose and not a danger to others. Sooner or 
later someone big will sue someone little for this kind of neglect and 
the whole game will change. Do you have the funds to defend such an 
action? Until then security will continue to remain as an afterthought 
and/or inconvenience.

Your wilful neglect makes you complicit and puts me at risk as we both 
share the same Internet. Ignorance is no defence in law. Act responsibly 
or get off the net. You may find this harsh but next time it might be my 
servers on the other end of your DoS attack.

Disclaimer: my rant is aimed as much towards the thousands of others out 
there that would no doubt have done exactly as you did, as it is 
directly at you, so please don't take it as a personal attack of your 
actions as it is not intended as such.




Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread m . roth
Johnny Hughes wrote:
 On 12/29/2011 01:19 PM, m.r...@5-cent.us wrote:
 Johnny Hughes wrote:
 On 12/29/2011 01:01 PM, John Broome wrote:
 On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com
 wrote:
 On 12/29/11 4:30 AM, mcclnx mcc wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software
 (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

 11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1,
 however RHEL6 (and all versions of CentOS) are completely
 unsupported by Oracle, so I wouldn't plan on using it for any sort
 of production where you expect support.  there were some minor
 ignorable issues in install, like it claimed the system is missing
 some old packages

 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?

 No, they rolled it out as a Linux distribution.  Believe it or not,
 people do other things besides run Oracle databases on Linux :)

 I am sure they will certify their database systems on OEL 6.x in the
 future.

 They can't very well (at least not with a straight face) tell Red Hat
 that RHEL6 is not certified while saying that OEL6 is certified can
 they?  If they do that for very long, they will be breaching their
 support agreements.
 snip
 Let me also note that whatever else Oracle is, they're not stupid when
 it comes to selling, and there are many, many more RHEL installations
 than there are OUL.

 But if you have a license for rhel6, you can also run rhel5 ...
 therefore, they get their supported sales by supporting rhel5, while
 still claiming their kernel is better and trying to drive people to
 their product.

 Where is their incentive to support rhel6 until much closer to March 31,
 2017 (rhel5 EOL Date).

As I said, there are many, many more RHEL installations, and most of them
will want to go to RHEL6 within the coming year. And, of course, some of
those installations are LARGE$$$ customers of Oracle (for example, I
have personal knowledge that AT&T uses RHEL extensively). When they lean,
Oracle will fall all over themselves, if only to make more money.

   mark



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread 夜神 岩男
On 12/30/2011 12:41 AM, Marc Deop wrote:
 On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
 the huge difference is: while having the same password (for the key)
 it can not be used directly for brute-force and you need the password
 and at least one time access to the key file

 Explain me how having a key protected by a password avoids brute forcing if 
 you lose the usb stick holding that key?

 Technology is developing at a scary pace, have a look at this:
 http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/

 And this is with a simple card, imagine what you can do with a system with 
 multiple parallel cards...


 Just to be clear: I'm not arguing which system is better/more secure. I'm 
 just pointing out one downside of having the key in a usb memory.

 And bruteforcing against ssh servers are really difficult as some others have 
 commented (and even more difficult if you limit failed connections...)


My IC card fries itself after 10 unsuccessful attempts.

That is one way.

The military CACs fry themselves after 3.

They are not just disks, they are tiny 8-bit systems embedded in the 
chip. The key never actually leaves the card. The benefit is that your 
key is never exposed, even in an encrypted state. The downside is that 
signing really huge things can take a few seconds (like ~5 secs for, 
say, signing a decent sized RPM or email attachment, 15 secs or so for 
signing a kernel RPM) because the card processor, not the host 
system, is doing the signing.

I don't know about the security of USB dongles. I've never used them 
before, but I'm sure that secured versions of them are much more than 
simple USB drives with a directory full of keys, but rather discrete USB 
devices which probably operate in the same way. I'm speculating, but I 
can't imagine this isn't the case with good USB systems.


[CentOS] NFS options in fstab

2011-12-29 Thread Daniel Bird
Hi All,
I've a quick question I'm hoping someone can help out on; One of our NFS
servers has an intermittent hard lock problem under high load. This is a
CentOS 5.7 box. It's due for replacement sometime next year. However...

The issue is when this box dies the boxes that mount the NFS exports
have trouble with the mount and some processes time out causing the
system mounting the file system to become unresponsive also.  Of course
un-mounting the file system with -l fixes it.

This is an example of our current mount options in fstab

hostname:/share1/ /mountpoint nfs rw,intr,soft,bg 0 0

The question is, what (other) options should we be using to allow the
mounting server to ignore/fail/timeout the mount, or at least continue
normal processing, when the NFS server packs up?
FYI we can't move to NFS4 since we've some old boxes running Solaris 8 
mounting this filesystem also, which cannot be upgraded to Solaris 10 to
support v4.

All the best

Dan



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread 夜神 岩男
On 12/30/2011 01:33 AM, m.r...@5-cent.us wrote:
 Marko Vojinovic wrote:
 On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
 Am 29.12.2011 14:21, schrieb Marko Vojinovic:
 so explain me why discuss to use or not to use the best
 currently available method in context of security?

 Using the ssh key can be problematic because it is too long and too
 random to be memorized --- you have to carry it on a usb stick (or
 wherever). This provides an additional point of failure should your
 stick get lost or stolen. Human brain is still by far the most secure
 information-storage device. :-)
 this is bullshit
 most people have their ssh-key on a usb-stick

 And how are you going to access your servers if the stick gets broken or
 lost? I guess you would have to travel back to where the server is
 hosted, in order to copy/recreate the key.

 Um, yep: you're SOL, same as if you spilled coffee on your laptop, or
 whatever. And if you lose it, you should then create a new one.

 I did not argue that the key is not more secure than a password. I was
 just pointing out that sometimes it can be more inconvenient.

 All security is inconvenient. What's implemented is a balance between
 convenience and security - really secure is a system not connected to any
 network, and with no USB ports, that runs off a DVD

...at the bottom of the ocean...


Re: [CentOS] RHEV guest tools

2011-12-29 Thread John Broome
On Thu, Dec 29, 2011 at 04:07, Johan Kooijman m...@johankooijman.com wrote:

 My bad, indeed, the guest OS works perfect. What I'm looking for is
 the extra data RHEVM can provide that it gets from the guest tools,
 like IP, memory use etc. See
 http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a
 Windows machine with the guest tools installed.

I'm getting everything you mentioned in RHEV-M from my linux guests
except ip address with no guest tools installed.


Re: [CentOS] RHEV guest tools

2011-12-29 Thread Karanbir Singh
On 12/29/2011 02:21 PM, Johnny Hughes wrote:
 
 Would this spec file (and source tar ball) build the proper package?
 
 If not, where would I get it.
 
 I would be happy to build the proper source for centos extras for CentOS
 guests.

let's see if we can get the entire ovirt stack done - it's quite a pain
building it at the moment though, but if a couple of people want to help
- we might be able to get that in

- KB


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread 夜神 岩男
On 12/29/2011 05:17 PM, Bennett Haselton wrote:
 On Wed, Dec 28, 2011 at 6:10 AM, Johnny Hughesjoh...@centos.org  wrote:
 On 12/27/2011 10:42 PM, Bennett Haselton wrote:
 2.  Why have password logins at all?  Using a secure ssh key only for
 logins makes the most sense.


 Well that's something that I'm curious about the reasoning behind -- if
 you're already using a completely random 12-character password, why would
 it be any more secure to use an ssh key?  Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

I'm almost afraid to see the responses to this comment...

If you believe that passwords are as secure as SSH2 keys, then you've 
got some homework to do before second guessing anyone's security policy. 
I don't say that as a jab, I'm being totally serious.

The good side of this conversation is that you may become motivated to 
learn about security as a hobby after this. It's a lot more interesting 
than watching TV after work (but a lot less interesting than playing 
with real people (friends, kids, wife, whatever)).

 3.  Please do not top post.


 My bad.  Gmail default. :)

It is the devil.


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Marko Vojinovic
On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
 Am 29.12.2011 14:21, schrieb Marko Vojinovic:
  so explain me why discuss to use or not to use the best
  currently available method in context of security?
  
  Using the ssh key can be problematic because it is too long and too
  random to be memorized --- you have to carry it on a usb stick (or
  wherever). This provides an additional point of failure should your
  stick get lost or stolen. Human brain is still by far the most secure
  information-storage device. :-)
 this is bullshit
 most people have their ssh-key on a usb-stick

And how are you going to access your servers if the stick gets broken or lost? 
I guess you would have to travel back to where the server is hosted, in order 
to copy/recreate the key.

I did not argue that the key is not more secure than a password. I was just 
pointing out that sometimes it can be more inconvenient.

Your question was "why discuss to use or not to use the best currently 
available method in context of security?", and my answer was "there can be a 
tradeoff between security and convenience". I don't see why do you consider 
this to be bullshit.

Best, :-)
Marko




Re: [CentOS] 6.2 release: a thank you

2011-12-29 Thread Johnny Hughes
On 12/29/2011 04:47 AM, Leonard den Ottolander wrote:
 On Thu, 2011-12-29 at 11:42 +0100, Leonard den Ottolander wrote:
 The pango warning is an issue with the old package that got removed, but
 the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from
 the CR repo) still has that incorrect directory
 (/etc/gtk-2.0/x86_64-unknown-linux-gnu/)
 
 After downloading the same package from the 6.2 tree I see this got
 fixed. How do I update old packages from CR to the current tree again?

I have since released a new version of pango into updates ... a yum
update will pull the new version in.







Re: [CentOS] 6.2 release: a thank you

2011-12-29 Thread Leonard den Ottolander

On Wed, 2011-12-21 at 14:11 -0600, Johnny Hughes wrote:
 There was also the fact that several packages did not build correctly
 because of a change in the default environment:
 https://bugzilla.redhat.com/show_bug.cgi?id=743229

That reminds me. I saw this recently on yum update:

Non-fatal POSTUN scriptlet failure in rpm package gtk2   Cleanup:
1:cups-libs-1.4.2-39.el6_1.1.x86_64
146/230  /usr/bin/update-gdk-pixbuf-loaders: line
54: /etc/gtk-2.0/x86_64-unknown-linux-gnu/gdk-pixbuf.loaders: No such
file or directory /usr/bin/update-gtk-immodules: line
54: /etc/gtk-2.0/x86_64-unknown-linux-gnu/gtk.immodules: No such file or
directory warning: %postun(gtk2-2.18.9-6.el6.x86_64) scriptlet failed,
exit status 1

/var/tmp/rpm-tmp.QyhGhF: line
23: /etc/pango/x86_64-unknown-linux-gnu/pango.modules: No such file or
directory 

The pango warning is an issue with the old package that got removed, but
the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from
the CR repo) still has that incorrect directory
(/etc/gtk-2.0/x86_64-unknown-linux-gnu/)

And yes, of course, thank you team for all the hard work you put into
CentOS!

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research




Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Johnny Hughes
On 12/29/2011 08:06 AM, Reindl Harald wrote:
 
 
 Am 29.12.2011 14:59, schrieb Johnny Hughes:
 That flaw has absolutely no access component.  It allows a DDOS attack,
 not provide remote access to a machine.

 From the bug:

 A flaw was found in the way the Apache HTTP Server handled Range HTTP
 headers. A remote attacker could use this flaw to cause httpd to use an
 excessive amount of memory and CPU time via HTTP requests with a
 specially-crafted Range header. (CVE-2011-3192)

 How is that relevant to allowing access to someone's server.
 
 and if you have a webserver and the webserver can be easily
 killed with a DOS the bug is CRITICAL, if you can kill any
 PUBLIC SERVICE remote a bug is CRITICAL

I did not define it bozo, so stop your bullshit on this list.  I have
already pointed to how the classifications are done.

 
 what exactly do you not understand while these are
 simple facts - your definition of critical is broken
 if you think anything where you can not get into the
 machine is not

Who the hell do you think you are?  You will be banned from posting on
this list if you can not act appropriately.

 
 and yes i tried the demo-exploits which killed a quad-core with 16
 GB memory within some seconds



For those of you who did not see how the categories are defined, here it is:

https://access.redhat.com/security/updates/classification/







Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Ljubomir Ljubojevic
On 12/29/2011 03:53 PM, 夜神 岩男 wrote:
 On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 Hello Reindl,

 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security

 Bennett clearly states that he understands the ssh key is more random,
 but wonders why a 12 char password (of roughly 6 bits entropy per byte
 assuming upper & lower case characters and numbers) wouldn't be
 sufficient.

 so explain me why discuss to use or not to use the best
 currently available method in context of security?

 Using the ssh key can be problematic because it is too long and too random to
 be memorized --- you have to carry it on a usb stick (or wherever). This
 provides an additional point of failure should your stick get lost or stolen.
 Human brain is still by far the most secure information-storage device. :-)

 It is very inconvenient for people who need to login to their servers from
 random remote locations (ie. people who travel a lot or work in hardware-
 controlled environment).

 Besides, it is essentially a question of overkill. If password is not good
 enough, you could argue that the key is also not good enough --- two keys (or
 a larger one) would be more secure. Where do you draw the line?

 Best, :-)
 Marko

 Hi Marko!
 What about IC cards? I use that a lot, and it's reduced my need for a
 password to something tiny (6 numbers) and requires a physical key (my
 card). I have the root certificates, private keys, etc. stored offline
 just in case my card goes nuts, which has happened before, but I've
 never had a problem with this.

 When traveling I log in to my home server and work servers with my
 laptop. It's really a *lot* easier than using a bunch of password schemes.
 I was initially worried that I'd run into a situation where I'd either
 lose my card traveling, or it would get crushed, or whatever -- but that
 hasn't happened in 5 years. What has happened in 5 years of doing this
 is intermittent network outages, work server crashing, web applications
 failing, database corruption, etc.

 So from experience (mine and coworkers, at least), it is a lot more
 likely that problems will arise from totally different vectors than
 having ssh keys and ic cards making life complicated -- because from
 this user's perspective it's made things a LOT simpler.

 But it requires a bit of study. Which most people don't do. More to the
 point most people don't even read popups on the screens, even the big
 red scary ones, so...



I like to use serial numbers from MB, HDD, etc., as passwords. I never 
use normal words for my passwords, and few other users (with ssh/cli 
access) are carefully checked for their passwords.

If this formula is true (1/2 . 2 ^ 54 . 1s / 10) for 9 *random* 
character password, then 0.5 * 18014398509481984 /10 gives 
900719925474099 seconds to crack it, or 10424999137 days per attacker.

If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that 
never attacked any denyhosts or fail2ban server in recent time.

So for army of 10,000 attacker PC's, bruteforce ssh needs 1042499 days, 
or 2856 years to crack it. Is this correct figure?

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Johnny Hughes
On 12/28/2011 08:57 PM, Craig White wrote:
 On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:
 
 There have been NO critical kernel updates.  A critical update is one
 where someone can remotely execute items at the root users.

 Almost all critical updates are Firefox, Thunderbird, telnetd (does
 anyone still allow telnet?), or samba (never expose that directly to the
 internet either :D).  There was one critical issue on CentOS-5.x for exim:

 http://rhn.redhat.com/errata/RHSA-2010-0970.html

 All the other issues (non-critical) will require the user to get a user
 shell and then elevate their privileges some way
 
 perhaps he is referring to RHSA 2011:1245
 http://lists.centos.org/pipermail/centos/2011-September/118075.html
 
 which CentOS was very slow in getting the update out the door but as you
 said, it was labeled 'important' and not 'critical'  and of course
 concerned apache and not kernel.
 


That flaw has absolutely no access component.  It allows a DDOS attack,
not provide remote access to a machine.

From the bug:

A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)

How is that relevant to allowing access to someone's server.





Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread m . roth
Ljubomir Ljubojevic wrote:
snip
 I like to use serial numbers from MB, HDD, etc., as passwords. I never

The one problem with this is that *if* the attacker has the slightest idea
of the hardware, their task is vastly smaller. I trust, for example, that
you don't use Dell's s/n/express code; Penguin, not having sold 5
gazillion servers, has the first few digits all the same, for years
(they're being optimistic with s/n's that long).
snip
   mark




Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Reindl Harald


Am 29.12.2011 09:17, schrieb Bennett Haselton:
 2.  Why have password logins at all?  Using a secure ssh key only for
 logins makes the most sense.

 Well that's something that I'm curious about the reasoning behind -- if
 you're already using a completely random 12-character password, why would
 it be any more secure to use an ssh key?  Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

because the key is MUCH longer than 12 chars
because it is NOT bruteforceable
because brute-force-attacks are trying password-login

if you really think your 12-chars password is as secure
as a ssh-key protected with this password you should
consider to take some education in security





Re: [CentOS] NFS options in fstab

2011-12-29 Thread Marc Deop
On Thursday 29 December 2011 14:35:34 Daniel Bird wrote:
 retry=n   The  number of minutes to retry an NFS mount operation in the
 foreground or background before giving up.  The default
 value for foreground mounts is 2 minutes.  The default
 value for background mounts is 1 minutes, which is  roughly
 one week.
 
 So retry=2 would give the same behavior on background mounts as
 foreground mounts I reckon.

Have you tried this? I'd love to know if it really works.

You could as well try automount with your nfs shares...




Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Hakan Koseoglu
On 29 December 2011 12:30, mcclnx mcc mcc...@yahoo.com.tw wrote:
 Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and 
 X86_64) version like 9.X, 10GR2, 11G and 11GR2.
It is not.

 Any official document say that?
See Metalink 1304727.1.


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Johnny Hughes
On 12/29/2011 07:21 AM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 Hello Reindl,

 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security

 Bennett clearly states that he understands the ssh key is more random,
 but wonders why a 12 char password (of roughly 6 bits entropy per byte
 assuming upper & lower case characters and numbers) wouldn't be
 sufficient.

 so explain me why discuss to use or not to use the best
 currently available method in context of security?
 
 Using the ssh key can be problematic because it is too long and too random to 
 be memorized --- you have to carry it on a usb stick (or wherever). This 
 provides an additional point of failure should your stick get lost or stolen.
 Human brain is still by far the most secure information-storage device. :-)
 
 It is very inconvenient for people who need to login to their servers from 
 random remote locations (ie. people who travel a lot or work in hardware-
 controlled environment).
 
 Besides, it is essentially a question of overkill. If password is not good 
 enough, you could argue that the key is also not good enough --- two keys (or 
 a larger one) would be more secure. Where do you draw the line?
 

This is absolutely ludicrous.  Requiring a physical key to be present
for access can not be compared to a 12 character password, random or not.

Bottom line ... if you want people to crack your server, use passwords
and they way.

For the love of God, do not allow password access to your machines, people.
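
One way to check that a server really refuses password logins, as an added example that is not part of the original message. It assumes OpenSSH's sshd_config semantics (the first value obtained for a keyword wins, and the upstream defaults of that era apply when a keyword is absent); both sample configs are constructed.

```python
import re

# Upstream OpenSSH defaults of that era, used when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: a 'no' was appended, but the earlier 'yes' still wins.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

# Constructed sample: key-only logins.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""


def effective_settings(config_text):
    """Return the global values sshd would use for the keywords in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A keyword is followed by whitespace (or '=') and then its value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional Match blocks are not evaluated by this check
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)  # first obtained value wins
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def password_login_findings(config_text):
    """List the settings that still let a client authenticate with a password."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively 'yes'")
    if eff["challengeresponseauthentication"] != "no":
        findings.append(
            "ChallengeResponseAuthentication is effectively 'yes' "
            "(keyboard-interactive can still prompt for a password)"
        )
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled, so key logins would fail")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, password_login_findings(text) or "password logins are off")
```

The check covers only the global section of the file; settings inside Match blocks need a separate review.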





Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Leonard den Ottolander
Hello Reindl,

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
  Even though the ssh key is more
  random, they're both sufficiently random that it would take at least
  hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security

Bennett clearly states that he understands the ssh key is more random,
but wonders why a 12 char password (of roughly 6 bits entropy per byte
assuming upper & lower case characters and numbers) wouldn't be
sufficient.

I'm fairly confident the 9 to 12 char (54 to 72 bit) passwords I use are
sufficiently strong to protect my machines against remote brute force
attacks via ssh. Seeing that every login attempt takes at least a second
and in the default setup sshd allows a maximum of 10 threads at a time a
remote brute force is not really feasible (1/2 . 2 ^ 54 . 1s / 10). Imho
of course :)

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
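
The estimate in this message, and the figures Ljubomir Ljubojevic derives from it elsewhere in the thread, worked through as an added example that is not part of any poster's message. The 365-day year and the offline rate of 10^9 guesses per second are assumptions made here; the offline case models the lost key file that Marc Deop and Reindl Harald argue about.

```python
import math

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365           # assumption: 365-day years
ASSUMED_OFFLINE_RATE = 1e9    # assumption: guesses/s against a stolen key file


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def online_guess_rate(seconds_per_attempt=1.0, parallel_sessions=10):
    """Guesses per second one host gets through sshd (the thread's 1 s and 10 sessions)."""
    return parallel_sessions / seconds_per_attempt


def expected_search_time(bits, guesses_per_second, attackers=1):
    """Expected time to hit the password: half the keyspace, split across attackers."""
    seconds = 0.5 * 2 ** bits / (guesses_per_second * attackers)
    days = seconds / SECONDS_PER_DAY
    return {"seconds": seconds, "days": days, "years": days / DAYS_PER_YEAR}


def scenarios():
    """The cases argued in the thread, keyed by a short description."""
    rate = online_guess_rate()
    return {
        "online, 1 host, 54 bits": expected_search_time(54, rate),
        "online, 10,000 hosts, 54 bits": expected_search_time(54, rate, attackers=10_000),
        "online, 10,000 hosts, 72 bits": expected_search_time(72, rate, attackers=10_000),
        "online, 1 host, 9 chars of [A-Za-z0-9]": expected_search_time(
            entropy_bits(9, 62), rate
        ),
        # With the key file in hand, sshd's rate limit no longer applies.
        "offline, key file in hand, 54 bits": expected_search_time(
            54, ASSUMED_OFFLINE_RATE
        ),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42s} {result['days']:.3e} days  ({result['years']:.3e} years)")
```

Under these assumptions the same 54-bit secret that holds for thousands of years against rate-limited sshd logins falls in months once guessing moves offline, which is why the passphrase only protects a key file for as long as the file stays private.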




Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Reindl Harald


Am 29.12.2011 14:21, schrieb Marko Vojinovic:
 so explain me why discuss to use or not to use the best
 currently available method in context of security?
 
 Using the ssh key can be problematic because it is too long and too random to 
 be memorized --- you have to carry it on a usb stick (or wherever). This 
 provides an additional point of failure should your stick get lost or stolen.
 Human brain is still by far the most secure information-storage device. :-)

this is bullshit
most people have their ssh-key on a usb-stick

normally a ssh-key is protected by a password
this can be your 12-char password

if you put a non-protected key on a stick this is really
your problem - per default it is requested from ssh-keygen

the huge difference is: while having the same password (for the key)
it can not be used directly for brute-force and you need the password
and at least one time access to the key file







Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Reindl Harald


Am 29.12.2011 14:59, schrieb Johnny Hughes:
 That flaw has absolutely no access component.  It allows a DDOS attack,
 not provide remote access to a machine.
 
 From the bug:
 
 A flaw was found in the way the Apache HTTP Server handled Range HTTP
 headers. A remote attacker could use this flaw to cause httpd to use an
 excessive amount of memory and CPU time via HTTP requests with a
 specially-crafted Range header. (CVE-2011-3192)
 
 How is that relevant to allowing access to someone's server.

and if you have a webserver and the webserver can be easily
killed with a DOS the bug is CRITICAL, if you can kill any
PUBLIC SERVICE remote a bug is CRITICAL

what exactly do you not understand while these are
simple facts - your definition of critical is broken
if you think anything where you can not get into the
machine is not

and yes i tried the demo-exploits which killed a quad-core with 16
GB memory within some seconds





Re: [CentOS] RHEV guest tools

2011-12-29 Thread Trey Dockendorf
On Thu, Dec 29, 2011 at 1:05 PM, Johnny Hughes joh...@centos.org wrote:

 On 12/29/2011 10:26 AM, Trey Dockendorf wrote:
  On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote:
 
  On 12/29/2011 02:21 PM, Johnny Hughes wrote:
 
  Would this spec file (and source tar ball) built the proper package?
 
  If not, where would I get it.
 
  I would be happy to build the proper source for centos extras for CentOS
  guests.
 
  lets see if we can get the entire ovirt stack done - its quite a pain
  building it at the moment though, but if a couple of people want to help
  - we might be able to get that in
 
  - KB
 
  I can attest to the difficulty of that build.  I tried using FC16 srpms
  against 6.1 using mock and I spent an entire day with no luck.  Wrote
  scripts that would yumdownload srpms then attempt a build the download
  missing deps and retry.  Got to the point where only one new package would
  build then failed on kernel versions.  Though 6.2 should much more closely
  match what upstream uses as I believe RHEV 3 will be released for 6.2.
 
  Any idea if the full RHEV suite will be open sourced and eventually
  available in CentOS?  Both the rhev hypervisor and manager.  I've lost the
  fight at my org to buy the product.
 
  If you need any extra help with the build I'd be willing to assist.  Been
  following Ovirt closely.

 Do you specifically have the guest tools SRPMS, which is something we
 can do first and also come up with the whole stack later.




I don't have the guest tools no.  I only got as far as about 1/2 of the
Maven2 deps and maybe half the jboss deps.


Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Hakan Koseoglu
On 29 December 2011 12:42, John Broome jbro...@gmail.com wrote:
 OEL6 is rebuilt RHEL6. CentOS 6 is rebuilt RHEL6.
Funnily enough, OEL6 is excluded from the certified list of Linux
distributions hence no, it is not a good idea to install it and then
expect Oracle to support it even though RedHat has submitted it for
certification in August 2011. It looks like Oracle has no incentive to
get on with the certification. RHEL/OEL 6 has been out for ages now,
the only obvious thing is merge with Sun must have given them another
OS to push instead of Oracle. Baffles me.

11.2
OS versions and minimum levels:
Asianux 3 SP2 and higher
Oracle Linux 4 Update 7 and higher
Oracle Linux 5 Update 2 and higher
Red Hat Enterprise 4 Update 7 and higher
Red Hat Enterprise 5 Update 2 and higher
SLES 10 SP2 and higher
SLES 11


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread m . roth
夜神 岩男 wrote:
 On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security
<snip>
 It is very inconvenient for people who need to login to their servers
 from random remote locations (ie. people who travel a lot or work in
 hardware-controlled environment).

 Besides, it is essentially a question of overkill. If password is not
 good enough, you could argue that the key is also not good enough ---
 two keys (or a larger one) would be more secure. Where do you draw the
 line?
<snip>
 When traveling I log in to my home server and work servers with my
 laptop. It's really a *lot* easier than using a bunch of password schemes.
<snip>
Ah, that brings to mind another issue with only passwords:
synchronization. I worked as a subcontractor for a *huge* US co a few
years ago. I've *never* had to write passwords down... but for there, I
had a page of them! Our group's, the corporate test systems, the corporate
*production* systems, and *each* had their own, along with their own
password aging (there was *no* single sign-on), the contracting co's

   mark



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Ljubomir Ljubojevic
On 12/29/2011 06:45 PM, m.r...@5-cent.us wrote:
 Ljubomir Ljubojevic wrote:
 snip
 I like to use serial numbers from MB, HDD, etc., as passwords. I never

 The one problem with this is that *if* the attacker has the slightest idea
 of the hardware, their task is vastly smaller. I trust, for example, that
 you don't use Dell's s/n/express code; Penguin, not having sold 5
 gazillion servers, has the first few digits all the same, for years
 (they're being optimistic with s/n's that long).
 snip
 mark


No. I got the idea from my first second-hand MB for NOC router/firewall, 
while I was on the grain silo needing to reinstall ClarkConnect on it 
(don't ask :-D ). You can use s/n from some old PC you have at your 
home, or discarded MB (or whatever).

Of course, using s/n's would be same as using some good random-generator 
script.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Marko Vojinovic
On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
  Hello Reindl,
  
  On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
  Am 29.12.2011 09:17, schrieb Bennett Haselton:
  Even though the ssh key is more
  random, they're both sufficiently random that it would take at least
  hundreds of years to get in by trial and error.
  
  if you really think your 12-chars password is as secure
  as a ssh-key protected with this password you should
  consider to take some education in security
  
  Bennett clearly states that he understands the ssh key is more random,
  but wonders why a 12 char password (of roughly 6 bits entropy per byte
  assuming upper & lower case characters and numbers) wouldn't be
  sufficient.
 
 so explain me why discuss to use or not to use the best
 currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to 
be memorized --- you have to carry it on a usb stick (or wherever). This 
provides an additional point of failure should your stick get lost or stolen.
Human brain is still by far the most secure information-storage device. :-)

It is very inconvenient for people who need to login to their servers from 
random remote locations (ie. people who travel a lot or work in hardware-
controlled environment).

Besides, it is essentially a question of overkill. If password is not good 
enough, you could argue that the key is also not good enough --- two keys (or 
a larger one) would be more secure. Where do you draw the line?

Best, :-)
Marko




Re: [CentOS] RHEV guest tools

2011-12-29 Thread Johan Kooijman
 You are using RHEV2.2 right?
 There are no such tools for this version.

That's right, explains why I haven't been able to find 'em.

 RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the 
 sources should be open in ovirt.org in the near future
 http://www.ovirt.org/project/subprojects/
 If you use CentOS as the guest then you'll have to compile it yourself :)

Thanks, that's helpful!

-- 
Met vriendelijke groeten / With kind regards,
Johan Kooijman

T +31(0) 6 43 44 45 27
F +31(0) 162 82 00 01
E m...@johankooijman.com


Re: [CentOS] why not have yum-updatesd running by default?

2011-12-29 Thread Les Mikesell
On Thu, Dec 29, 2011 at 2:01 AM, Bennett Haselton benn...@peacefire.org wrote:

 (Side note: my friend replied to clarify that the kernel exploit he was
 talking about that was found in March of this year, was one that allowed a
 local user to gain root privilege, not one that allowed a remote user to
 get in through the webserver or sshd.

Look back through the changelogs if you  want to see what
vulnerabilities have existed for long intervals before being fixed -
but perhaps not long after being found and published.   If you have a
web service running, I'd say it is a fairly safe bet that there is a
vulnerability somewhere in the server, language(s), libraries, or the
application itself that can be exploited to execute some arbitrary
command.  That turns what is classified as a local root exploit into
something anyone on the internet can do.  And I've seen some very
sophisticated attempts show up in the logs...

 So let's say it really is true
 that running automatic yum updates is not the most important thing to
 keep out remote users, and that the majority of webserver hacks do occur
 through out-of-date web apps.

I'm not convinced.  Assume that some people  will know the
vulnerabilities before they are published (otherwise they obviously
would never be published/fixed) and that a lot of other people will
start attempting exploits immediately after publication.   Look
through your logs to see how many hits you are getting that are likely
to be probes for vulnerabilities to get a feeling for how much of this
is going on.

 Would it not be best for the vast majority of those users to have updates
 turned on by default?  If not, why not?  (Power users can always turn them
 off, after all.)

If your service is important, then it is worth testing changes before
making them on your important server.   But no one else can tell you
whether your server is that important or not...   It's fairly trivial
to run a 'yum update' on a lab server daily, and if anything  updates,
make sure that things still work before repeating it on the production
box(es).   The update checks can be scripted, but the "does it still
work" test will be unique to your services.

 What would your proposal be?  (Remembering that you can't change human
 nature, so if it relies on the majority of end users devoting time that you
 think they should do, it won't happen :) )

Mine is to assume that there are very good reasons for 'Enterprise'
distributions to go to the trouble of publishing updates.  Install
them.  Always assume that there are still more vulnerabilities that
you don't know about yet - and if you have to ask the question, you
aren't going to do better than the developers and Red Hat at keeping
up with them.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] RHEV guest tools

2011-12-29 Thread Simon Grinberg


- Original Message -
 From: Johan Kooijman m...@johankooijman.com
 To: CentOS mailing list centos@centos.org
 Sent: Thursday, December 29, 2011 11:07:57 AM
 Subject: Re: [CentOS] RHEV guest tools
  I don't use RHEV (yet) but being that it's based on KVM and libvirt I
  don't think you need guest tools. When you configure in RHEV Manager does
  it identify the paravirtual devices as virtio? If so then it's standard
  in the kernel used by CentOS since around 5.5. I run all my CentOS VMs on
  the KVM / libvirt platform and systems install fine without any additional
  tools. The only additional thing I install is acpid to allow the VM manager
  to perform shutdowns and reboots.
 
 My bad, indeed, the guest OS works perfect. What I'm looking for is
 the extra data RHEVM can provide that it gets from the guest tools,
 like IP, memory use etc. See
 http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a
 Windows machine with the guest tools installed.

You are using RHEV2.2 right?
There are no such tools for this version.

RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the sources 
should be open in ovirt.org in the near future
http://www.ovirt.org/project/subprojects/
If you use CentOS as the guest then you'll have to compile it yourself :) 

 
 --
 Met vriendelijke groeten / With kind regards,
 Johan Kooijman
 
 T +31(0) 6 43 44 45 27
 F +31(0) 162 82 00 01
 E m...@johankooijman.com


[CentOS] Refresh all packages?

2011-12-29 Thread Weplica
Hello, I have a dedicated server on CentOS Linux 6.1 with  
webmin/virtualmin and it tells me:

Package updates 145 updates to system packages are available. Use the  
Virtualmin Package Updates module to install them selectively.

4 updates to Virtualmin packages are available. Use the Virtualmin  
Package Updates module to install them selectively.


Should I update all packages?





Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Reindl Harald


Am 29.12.2011 15:24, schrieb m.r...@5-cent.us:
 Reindl Harald wrote:
 Am 29.12.2011 14:21, schrieb Marko Vojinovic:
 so explain me why discuss to use or not to use the best
 currently available method in context of security?

 Using the ssh key can be problematic because it is too long and too
 random to be memorized --- you have to carry it on a usb stick (or
 wherever). This provides an additional point of failure should your
 stick get lost or stolen.
 Human brain is still by far the most secure information-storage device.
 :-)

 this is bullshit
 most people have their ssh-key on a usb-stick

 normally a ssh-key is protected by a password
 this can be your 12-char password
 <snip>
 Many US companies have gone past that.

 A number that I've worked for, and
 the one I work for, all have used RSA keyfobs. To open the VPN link, you
 need three pieces of information: userid, PIN (which is up to 8 chars min)
 and the six digit code from the fob.
 
 The US gov't has gone a different way: it issues CaC or PIV-II cards, and
 you need a) a card reader attached or builtin to your system, b) the card,
 and c) your PIN (8 digits).
 
 In both cases, once you've got your VPN, *then* it will frequently be
 asking for username & passwords for each different kind of access.

why do you not tell this the idiot who is arguing against keys
and thinks using password-login is smart?






Re: [CentOS] asus-wmi.ko for Asus G73Sw running CentOS 6.2

2011-12-29 Thread Ljubomir Ljubojevic
On 12/29/2011 05:27 AM, Rob Kampen wrote:
 Hi List,
 Just loaded our favorite OS onto my new ASUS laptop.
 Practically everything worked out of the box - I used the live DVD to
 check things out and installed from there.
 I have followed
 http://forum.notebookreview.com/asus-gaming-notebook-forum/553474-g73-asus-wmi-linux-driver-i-need-your-help-6.html
 to get suspend working and also to get function keys working for LCD
 screen backlight controls working (Fn F5 and Fn F6).
 Upon further searches I find that there is a kernel module asus-wmi.ko
 available in some distros that also allows some of the other Asus
 functions to operate - of particular interest is the keyboard backlight
 (Fn F3 and Fn F4) as well as the master backlight on/off key to function.

 Question, does anyone know where and how to locate this (asus-wmi.ko)
 and get it functioning under CentOS 6.2?

 I am prepared to set up the required build environment - but need some
 assistance as this is really at the limits of my experience. I have
 rebuilt the kernel to remove patches with some success previously and
 will have to dust off this knowledge if required.


Best course of action is to ask help from ElRepo repository. They build 
and maintain many kernel modules.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread 夜神 岩男
On 12/30/2011 12:00 AM, m.r...@5-cent.us wrote:
 夜神 岩男 wrote:
 On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security
 <snip>
 It is very inconvenient for people who need to login to their servers
 from random remote locations (ie. people who travel a lot or work in
 hardware-controlled environment).

 Besides, it is essentially a question of overkill. If password is not
 good enough, you could argue that the key is also not good enough ---
 two keys (or a larger one) would be more secure. Where do you draw the
 line?
 <snip>
 When traveling I log in to my home server and work servers with my
 laptop. It's really a *lot* easier than using a bunch of password schemes.
 <snip>
 Ah, that brings to mind another issue with only passwords:
 synchronization. I worked as a subcontractor for a *huge* US co a few
 years ago. I've *never* had to write passwords down... but for there, I
 had a page of them! Our group's, the corporate test systems, the corporate
 *production* systems, and *each* had their own, along with their own
 password aging (there was *no* single sign-on), the contracting co's

 mark

Ah, forgot about that because it's no longer a problem for me anymore. 
Using the same password on two systems is a religiously-to-be-observed 
rule that *most* users violate.

I can put my public keys on any system and not worry about it. Hitting 
the number pad for my digits is a lot faster than typing in a password, 
a lot more convenient than remembering a bunch of them (and a big 
motivator to buy laptops with full-blown 10-keys, which is common now 
anyway, as are internal card readers...).


Re: [CentOS] NFS options in fstab

2011-12-29 Thread Daniel Bird
On 29/12/2011 15:23, Marc Deop wrote:
 On Thursday 29 December 2011 14:35:34 Daniel Bird wrote:
 retry=n   The  number of minutes to retry an NFS mount operation in the
 foreground or background before giving up.  The default
 value for foreground mounts is 2 minutes.  The default
 value for background mounts is 1 minutes, which is  roughly
 one week.

 So retry=2 would give the same behavior on background mounts as
 foreground mounts I reckon.
 Have you tried this? I'd love to know if it really works.
I've got it down to a reasonable timeout (1m 30 sec) now with these options

proto=udp,timeo=1,retrans=0,retry=1,intr,soft,bg

with proto=tcp it's about 4mins


 You could as well try automount with your nfs shares...
Yes, that is an option. We use it for some services.

Cheers

D



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Reindl Harald


Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 Hello Reindl,
 
 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.
 
 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security
 
 Bennett clearly states that he understands the ssh key is more random,
 but wonders why a 12 char password (of roughly 6 bits entropy per byte
 assuming upper & lower case characters and numbers) wouldn't be
 sufficient.

so explain me why discuss to use or not to use the best
currently available method in context of security?

this is a secure configuration with no costs
so why not use it?

PasswordAuthentication          no
ChallengeResponseAuthentication no
GSSAPIAuthentication            no
GSSAPICleanupCredentials        no
RSAAuthentication               yes
PubkeyAuthentication            yes
PermitEmptyPasswords            no
PermitRootLogin                 without-password
AllowGroups                     root verwaltung
AllowUsers                      root harry
IgnoreRhosts                    yes
HostbasedAuthentication         no
StrictModes                     yes
UseDNS                          no
UsePrivilegeSeparation          yes
UsePAM                          yes
LoginGraceTime                  25
MaxAuthTries                    10
MaxStartups                     25



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
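
Whether an sshd_config really leaves keys as the only way in, as the configuration in the message above intends, can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: it reads a config the way sshd treats repeated keywords (the first value wins) and reports any password login path that remains. The default values, the sample configs and the account name "backup" are assumptions made for the example.

```python
import re

# Assumed values for keywords a file leaves out (OpenSSH as shipped around
# CentOS 6); adjust to the sshd_config(5) of the version being audited.
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
}
PASSWORD_KEYWORDS = ("passwordauthentication", "challengeresponseauthentication")

# Authentication-related lines of the configuration posted in the message.
POSTED_CONFIG = """\
PasswordAuthentication          no
ChallengeResponseAuthentication no
RSAAuthentication               yes
PubkeyAuthentication            yes
PermitEmptyPasswords            no
PermitRootLogin                 without-password
UsePAM                          yes
"""

# Constructed sample: a "no" appended after an earlier "yes", plus a Match
# block that turns passwords back on for one (hypothetical) account.
WEAK_CONFIG = """\
# constructed sample, not from the thread
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def parse(text):
    """Split an sshd_config into global settings and Match-block settings."""
    global_cfg, match_cfg, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            current_match = value  # everything below belongs to this block
        elif current_match is None:
            global_cfg.setdefault(key, value)  # first occurrence wins
        else:
            match_cfg.append((current_match, key, value))
    return global_cfg, match_cfg


def audit_key_only(text):
    """Return findings; an empty list means only key-based login is possible."""
    global_cfg, match_cfg = parse(text)
    cfg = {**ASSUMED_DEFAULTS, **global_cfg}
    findings = []
    open_paths = [k for k in PASSWORD_KEYWORDS if cfg[k].lower() != "no"]
    for key in open_paths:
        findings.append(f"{key} is enabled globally")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("pubkeyauthentication is disabled: keys cannot be used")
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append("permitemptypasswords is enabled")
    # "yes" only matters while some password method is still reachable.
    if open_paths and cfg["permitrootlogin"].lower() == "yes":
        findings.append("permitrootlogin yes: root can log in with a password")
    for criteria, key, value in match_cfg:
        if key in PASSWORD_KEYWORDS and value.lower() != "no":
            findings.append(f"Match {criteria} re-enables {key}")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit_key_only(text) or "key-only login")
```

On a live host, the output of `sshd -T` (the effective configuration) can be passed to the same function instead of the file contents.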


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread 夜神 岩男
On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 Hello Reindl,

 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security

 Bennett clearly states that he understands the ssh key is more random,
 but wonders why a 12 char password (of roughly 6 bits entropy per byte
 assuming upper & lower case characters and numbers) wouldn't be
 sufficient.

 so explain me why discuss to use or not to use the best
 currently available method in context of security?

 Using the ssh key can be problematic because it is too long and too random to
 be memorized --- you have to carry it on a usb stick (or wherever). This
 provides an additional point of failure should your stick get lost or stolen.
 Human brain is still by far the most secure information-storage device. :-)

 It is very inconvenient for people who need to login to their servers from
 random remote locations (ie. people who travel a lot or work in hardware-
 controlled environment).

 Besides, it is essentially a question of overkill. If password is not good
 enough, you could argue that the key is also not good enough --- two keys (or
 a larger one) would be more secure. Where do you draw the line?

 Best, :-)
 Marko

Hi Marko!
What about IC cards? I use that a lot, and it's reduced my need for a 
password to something tiny (6 numbers) and requires a physical key (my 
card). I have the root certificates, private keys, etc. stored offline 
just in case my card goes nuts, which has happened before, but I've 
never had a problem with this.

When traveling I log in to my home server and work servers with my 
laptop. It's really a *lot* easier than using a bunch of password schemes. 
I was initially worried that I'd run into a situation where I'd either 
lose my card traveling, or it would get crushed, or whatever -- but that 
hasn't happened in 5 years. What has happened in 5 years of doing this 
is intermittent network outages, work server crashing, web applications 
failing, database corruption, etc.

So from experience (mine and coworkers, at least), it is a lot more 
likely that problems will arise from totally different vectors than 
having ssh keys and ic cards making life complicated -- because from 
this user's perspective it's made things a LOT simpler.

But it requires a bit of study. Which most people don't do. More to the 
point most people don't even read popups on the screens, even the big 
red scary ones, so...


Re: [CentOS] RHEV guest tools

2011-12-29 Thread Johan Kooijman
 I'm getting everything you mentioned in RHEV-M from my linux guests
 except ip address with no guest tools installed.

Hm, that's odd. I'm seeing only CPU, but no memory for example. See
screenshot earlier in the thread.

-- 
Met vriendelijke groeten / With kind regards,
Johan Kooijman

T +31(0) 6 43 44 45 27
F +31(0) 162 82 00 01
E m...@johankooijman.com


Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread m . roth
Marko Vojinovic wrote:
 On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
 Am 29.12.2011 14:21, schrieb Marko Vojinovic:
  so explain me why discuss to use or not to use the best
  currently available method in context of security?
 
  Using the ssh key can be problematic because it is too long and too
  random to be memorized --- you have to carry it on a usb stick (or
  wherever). This provides an additional point of failure should your
  stick get lost or stolen. Human brain is still by far the most secure
  information-storage device. :-)
 this is bullshit
 most people have their ssh-key on a usb-stick

 And how are you going to access your servers if the stick gets broken or
 lost? I guess you would have to travel back to where the server is
 hosted, in order to copy/recreate the key.

Um, yep: you're SOL, same as if you spilled coffee on your laptop, or
whatever. And if you lose it, you should then create a new one.

 I did not argue that the key is not more secure than a password. I was
 just pointing out that sometimes it can be more inconvenient.

All security is inconvenient. What's implemented is a balance between
convenience and security - really secure is a system not connected to any
network, and with no USB ports, that runs off a DVD
<snip>
   mark



Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Marc Deop
On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
 the huge difference is: while having the same password (for the key)
 it can not be used directly for brute-force and you need the password
 and at least one time access to the key file

Explain me how having a key protected by a password avoids brute forcing if you 
lose the usb stick holding that key?

Technology is developing at a scary pace, have a look at this:
http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/

And this is with a simple card, imagine what you can do with a system with 
multiple parallel cards...


Just to be clear: I'm not arguing which system is better/more secure. I'm just 
pointing out one downside of having the key in a usb memory.

And bruteforcing against ssh servers is really difficult as some others have 
commented (and even more difficult if you limit failed connections...)

Regards


Re: [CentOS] RHEV guest tools

2011-12-29 Thread Johnny Hughes
On 12/29/2011 04:34 AM, Johan Kooijman wrote:
 You are using RHEV2.2 right?
 There are no such tools for this version.
 
 That's right, explains why I haven't been able to find 'em.
 
 RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the 
 sources should be open in ovirt.org in the near future
 http://www.ovirt.org/project/subprojects/
 If you use CentOS as the guest then you'll have to compile it yourself :)
 
 Thanks, that's helpful!
 

Would this spec file (and source tar ball) built the proper package?

If not, where would I get it.

I would be happy to build the proper source for centos extras for CentOS
guests.





Re: [CentOS] RHEV guest tools

2011-12-29 Thread Trey Dockendorf
On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote:

 On 12/29/2011 02:21 PM, Johnny Hughes wrote:
 
  Would this spec file (and source tar ball) built the proper package?
 
  If not, where would I get it.
 
  I would be happy to build the proper source for centos extras for CentOS
  guests.

 lets see if we can get the entire ovirt stack done - its quite a pain
 building it at the moment though, but if a couple of people want to help
 - we might be able to get that in

 - KB

I can attest to the difficulty of that build.  I tried using FC16 srpms
against 6.1 using mock and I spent an entire day with no luck.  Wrote
scripts that would yumdownload srpms then attempt a build the download
missing deps and retry.  Got to the point where only one new package would
build then failed on kernel versions.  Though 6.2 should much more closely
match what upstream uses as I believe RHEV 3 will be released for 6.2.

Any idea if the full RHEV suite will be open sourced and eventually
available in CentOS?  Both the rhev hypervisor and manager.  I've lost the
fight at my org to buy the product.

If you need any extra help with the build I'd be willing to assist.  Been
following Ovirt closely.

- Trey


Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Hakan Koseoglu
On 29 December 2011 19:01, John Broome jbro...@gmail.com wrote:
 So if oracle isn't certified to run on OEL 6, did oracle roll it out
 just for shits and giggles?
coughsolariscough


Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????

2011-12-29 Thread Hakan Koseoglu
On 29 December 2011 19:31,  m.r...@5-cent.us wrote:
 As I said, there are many, many more RHEL installations, and most of them
 will want to go to RHEL6 within the coming year. And, of course, some of
 those installations are LARGE$$$ customers of Oracle (for example, I
 have personal knowledge that AT&T uses RHEL extensively). When they lean,
 Oracle will fall all over themselves, if only to make more money.
I suspect we will see RHEL/OEL6 officially supported when they decide
to release Oracle 12, since they have already released the new grid
manager (12c for cloud, unfortunately not for Cthulhu, now that'd be
really awesome!)...

OEM 12c is certified for RHEL/OEL 6.1. It looks like 11g will not be
ever certified.

If anyone knows when DB 12c is expected...


[CentOS] CentOS 6 x86_64 can't detect raid 10

2011-12-29 Thread David
Dear All,

I just got a new server with the following specifications:
motherboard : Intel S5500BC
CPU : Xeon Quad Core 2.6Ghz
RAM : 8GB
HDD : 4 x 2TB SATA with configured raid 10 using raid embedded 
server.

The problem is the CentOS installer can't detect the RAID virtual disk. I 
can't find any log error with the following error messages during the 
installation process:

Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of 
any recognized BIOS RAID sets.

I've already used a search engine to find information regarding this 
issue, but I can't find the solutions for CentOS.

Thanks in advance

-- 
--
Best regards,
David

http://blog.pnyet.web.id



Re: [CentOS] CentOS 6 x86_64 can't detect raid 10

2011-12-29 Thread Alexander Dalloz
Am 30.12.2011 00:41, schrieb David:
 Dear All,
 
 I just got a new server with the following specifications:
 motherboard : Intel S5500BC
 CPU : Xeon Quad Core 2.6Ghz
 RAM : 8GB
 HDD : 4 x 2TB SATA with configured raid 10 using raid embedded 
 server.
 
 The problem is the CentOS installer can't detect the RAID virtual disk. I 
 can't find any log error with the following error messages during the 
 installation process:
 
 Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of 
 any recognized BIOS RAID sets.
 
 I've already used a search engine to find information regarding this 
 issue, but I can't find the solutions for CentOS.
 
 Thanks in advance

Simply Intel fake RAID. See

http://www.intel.com/content/www/us/en/servers/server-board-s5500bc-family-brief.html

Either get a real RAID controller which does hardware RAID or use
CentOS's software raid function.

Regards

Alexander




Re: [CentOS] what percent of time are there unpatched exploits against default config?

2011-12-29 Thread Cliff Pratt
On Fri, Dec 30, 2011 at 4:00 AM,  m.r...@5-cent.us wrote:
 夜神 岩男 wrote:
 On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
 On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
 Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
 On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
 Am 29.12.2011 09:17, schrieb Bennett Haselton:
 Even though the ssh key is more
 random, they're both sufficiently random that it would take at least
 hundreds of years to get in by trial and error.

 if you really think your 12-chars password is as secure
 as a ssh-key protected with this password you should
 consider to take some education in security
 snip
 It is very inconvenient for people who need to login to their servers
 from random remote locations (ie. people who travel a lot or work in
 hardware-controlled environment).

 Besides, it is essentially a question of overkill. If password is not
 good enough, you could argue that the key is also not good enough ---
 two keys (or a larger one) would be more secure. Where do you draw the
 line?
 snip
 When traveling I log in to my home server and work servers with my
 laptop. It's really a *lot* easier than using a bunch of password schemes.
 snip
 Ah, that brings to mind another issue with only passwords:
 synchronization. I worked as a subcontractor for a *huge* US co a few
 years ago. I've *never* had to write passwords down... but for there, I
 had a page of them! Our group's, the corporate test systems, the corporate
 *production* systems, and *each* had their own, along with their own
 password aging (there was *no* single sign-on), the contracting co's

We use PasswordSafe to solve that one. There are other similar products.

Cheers,

Cliff