Re: RFC2228-only FTP ?
On Tue, Sep 30, 2003 at 04:45:23AM -, [EMAIL PROTECTED] wrote:
> The fact is that FTP with security extensions is the
> de facto standard way of solving the clear text password
> exposure problem in the commercial Web hosting world.
> Millions of people use it. SSH2/SFTP may be technologically
> superior, but it is not what most places use. If you go to
> Barnes and Noble or some other large bookstore you will find
> dozens and dozens of beginners' books about Web authoring.
> They all describe the process of uploading files through
> FTP or DAV. Hardly any of them mention SSH2/SFTP at all.

If you need transparent FTP encryption, you may look at SafeTP
http://safetp.cs.berkeley.edu/

Unfortunately, the development of that software is currently very slow, but its model is well-thought.

Marcin

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
FSCKFIX=yes
Hi,

I administer some machines remotely so I don't have the chance to manually fsck them when an error occurs. I use ext3 and LVM.

1) I've found the following at Debian 3.0 and turned to "yes":

    # Set FSCKFIX to "yes" if you want to add "-y" to the fsck at startup.
    FSCKFIX=yes

   Would you recommend this? Does it work as expected?
2) Pros & Disadvant.?
3) Is it still possible that the system doesn't get started automagically? (well, the response should be "yes", but which chance of failure should I expect?).

Thanks.

Saludos,
--Roman

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Re: RFC2228-only FTP ?
I wrote:
>> All they know is someone sold them
>> a "secure FTP program" and they can't understand why I want them
>> to dump it and use the known-to-be-broken WinSCP instead.

Alex replied:
> What's broken in winscp? It's working fine for about 400 clients here

I don't have any MS-Windows boxes to test it with, so this is all second hand. My users complain about WinSCP all the time. The #1 issue is it seems to come up with weird file permission defaults. Mostly they are uploading HTML files to a Web server, and it turns off other-read permission. Or it turns off other-execute on directories, so the Web server can't see inside them.

There was an issue with WinSCP not really using SSH2's SFTP, but simulating it with some kind of shell stuff. So your users need a shell or they can't use it. I'd like to give some of them /bin/true and just let them upload files but not run any commands. I see that has been fixed in WinSCP3.

But the biggest reason people want to use FTP-with-extensions is it is built into Dreamweaver and Go Live and Front Page, and those industry standard programs don't seem to support SSH2/SFTP. Probably for ideological or monopoly enforcement reasons, but that doesn't matter. I don't want to argue with my users about what software they use on their client boxes. They all know Microsoft sucks and they are planning on getting off it someday. But meanwhile they are all very busy and just want to use the same tools they can use with commercial Web hosting companies. If I tell them Debian can't support FTP-with-extensions, they will conclude that Debian is inferior to commercial hosting environments.

I have lost about 5% of my users over this, they do not want to use SSH, they want to use integrated Web-authoring software with built in "publish" features that use FTP or DAV. But many of them are on cable modem so I have to prevent them from using FTP with clear text passwords.

The fact is that FTP with security extensions is the de facto standard way of solving the clear text password exposure problem in the commercial Web hosting world. Millions of people use it. SSH2/SFTP may be technologically superior, but it is not what most places use. If you go to Barnes and Noble or some other large bookstore you will find dozens and dozens of beginners' books about Web authoring. They all describe the process of uploading files through FTP or DAV. Hardly any of them mention SSH2/SFTP at all.

Cameron
Re: removable caddies
On Tue, 2003-09-30 at 11:35, John de Boer wrote:
> Hi
>
> While surfing, your name came up. Have you had responses, information
> regarding the removable caddies?

I just buy the ones available at computer swapmeets... about $20 each or less, and pretty standard now. I prefer the ones with switches vs keys, and only one fan (multiple fans are noisy and IMHO overkill).

If you want something for hot-plugging you will want something fancier. For hotplug I'd probably go for the new cheap external USB 2.0 or firewire caddies.

> I am interested for information, specs, and esp uses and suppliers. Is
> there a website that you know of?

Nope.

> thanks any info
>
> I'm in Australia
>
> best wishes
>
> Regards - John de Boer6772 0456 0403 855 605

--
Donovan Baarda <[EMAIL PROTECTED]>
http://minkirri.apana.org.au/~abo/
removable caddies
Hi

While surfing, your name came up. Have you had responses, information regarding the removable caddies?

I am interested for information, specs, and esp uses and suppliers. Is there a website that you know of?

thanks any info

I'm in Australia

best wishes

Regards - John de Boer6772 0456 0403 855 605
Re: mixing testing with stable
It's been backported and listed in the archives at www.backports.org (4.0.13, anyway).

I've read so many howto's about pinning and backporting, blah blah blah but it always seems to burn me (I obviously am not smart enough to do it right). The packages on backports.org seem really good. I've been using samba 3.0 from there for quite a while.

Pulu
Afe.to ANTS POB 1478 Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu

Quoting Rod Rodolico <[EMAIL PROTECTED]>:
> I need MySQL 4.x on my server (some new things that are a "must have" for one of the apps I wrote), but was burned pretty badly by putting testing on a production box. But, I do like the idea of letting apt or something keep track of what I have on the machine, especially with the security updates.
>
> So, is there any way to get MySQL from testing, but keep the rest of the box on stable? Is there an apt-get command or something?
>
> Appreciate it.
>
> Rod
>
> --
> Missiles of ligneous or osteal consistency have the potential of fracturing osseous structure, but appellations will eternally remain innocuous.

- This mail sent from Tonga's Premiere Internet Cafe Visit us online at http://www.cafe.afe.to discussions @ http://www.nomoa.com/index.php generic info @ http://www.tongatapu.net.to
Re: mixing testing with stable
On Tue, 2003-09-30 at 10:37, Rod Rodolico wrote:
> I need MySQL 4.x on my server (some new things that are a "must have" for one of the apps I wrote), but was burned pretty badly by putting testing on a production box. But, I do like the idea of letting apt or something keep track of what I have on the machine, especially with the security updates.
>
> So, is there any way to get MySQL from testing, but keep the rest of the box on stable? Is there an apt-get command or something?

There are a few options;

1) use MySQL and anything it requires from testing

Just add testing to your /etc/apt/sources.list, create a /etc/apt/preferences to pin your system to "stable", then use "apt-get /testing" to install the package. This will raise errors about unmet dependencies for other packages needed from testing. Just add these packages with "/testing" on the end to the command line until it works, or use aptitude to see and resolve the dependencies.

The problem with this is stable is so old you will end up pulling in heaps of packages from testing to meet the dependencies. After doing this you might find your system so close to testing that it is better to just upgrade to testing than deal with a mixed system.

2) build a stable MySQL from testing source.

This will require that you install everything needed to build MySQL. I've forgotten the exact command line, but there is a tool and/or option (apt-get build-dep ?) that will install all the build-dependencies, download the source, and build the package.

The problem with this is you install heaps of additional packages to support the build, and you are likely to find that you need to build other packages from testing to meet all the dependencies. You might even find you need to build packages to meet the build-dependencies.

3) find an unofficial repository for stable backports of MySQL.

These are simply builds done as per 2), but done by someone else so you don't have to install/meet all the build-dependencies and deal with any breakages :-)

In my experience 1) works OK, 2) is a PITA, and 3) is OK if you can find a repository that is maintained.

In my experience testing is pretty good. It breaks less than unstable, and is more up-to-date than stable. The biggest problem is security updates, and occasional missing packages. The solution I've found is to mix testing with either stable (particularly stable-updates) or unstable (or both, but make sure you increase apt's Cache-Limit to about 20,000,000).

--
Donovan Baarda <[EMAIL PROTECTED]>
http://minkirri.apana.org.au/~abo/
mixing testing with stable
I need MySQL 4.x on my server (some new things that are a "must have" for one of the apps I wrote), but was burned pretty badly by putting testing on a production box. But, I do like the idea of letting apt or something keep track of what I have on the machine, especially with the security updates.

So, is there any way to get MySQL from testing, but keep the rest of the box on stable? Is there an apt-get command or something?

Appreciate it.

Rod

--
Missiles of ligneous or osteal consistency have the potential of fracturing osseous structure, but appellations will eternally remain innocuous.
Re: RFC2228-only FTP ?
> But most of these people have commercial Windoze FTP clients
> that support some flavor of RFC2228 FTP security extensions.
> Of course, they are "not technical" and do not know which
> extensions they can use. All they know is someone sold them
> a "secure FTP program" and they can't understand why I want them
> to dump it and use the known-to-be-broken WinSCP instead.

What's broken in winscp? It's working fine for about 400 clients here
RFC2228-only FTP ?
I shut off FTP access in January and lost about 10% of my Web-hosting users. It seems almost all of them are on MS-Windows, and they have ongoing problems with their SSH/SFTP clients WinSCP[23] and psftp.exe. I don't want to bring back plain-old FTP because of the clear text password problem.

But most of these people have commercial Windoze FTP clients that support some flavor of RFC2228 FTP security extensions. Of course, they are "not technical" and do not know which extensions they can use. All they know is someone sold them a "secure FTP program" and they can't understand why I want them to dump it and use the known-to-be-broken WinSCP instead.

Is there an FTP server in woody that I can configure to refuse plain-old FTP but allow those clients who do an FTP AUTH before an FTP PASS ? That is, I want to hang up on FTP clients that don't offer AUTH before they expose a password. Then I want to authorize those FTP users whose clients know how to do the de facto standard encrypted login. I'm not concerned about man-in-the-middle attacks; I just want to defeat eavesdroppers observing clear text passwords.

Has anyone here done it? What did you use?

TIA

Cameron
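The policy asked for in the post above (no USER or PASS accepted until the client has sent AUTH), sketched as an added example; it is not part of the original post and not the code of any real FTP server. The class name, the accepted mechanism names TLS and SSL, the sample account and the choice of reply codes are assumptions.

```python
# Added example: an AUTH-before-login gate for one FTP control connection.
# 234 (AUTH accepted) is the RFC 2228 reply; the other codes are RFC 959 /
# RFC 2228 codes picked for this sketch. Real servers differ in which code
# they send when they refuse a cleartext login.

CONSTRUCTED_USERS = {"alice": "correct horse"}  # constructed sample account


class AuthFirstGate:
    def __init__(self, verify, mechanisms=("TLS", "SSL")):
        self.verify = verify          # callable(user, password) -> bool
        self.mechanisms = set(mechanisms)
        self.secured = False          # True once AUTH has been accepted
        self.user = None
        self.closed = False

    def handle(self, line):
        """Return the server reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye"
        if verb == "AUTH":
            if arg.upper() in self.mechanisms:
                self.secured = True   # a real server starts the handshake now
                return "234 AUTH " + arg.upper() + " accepted"
            return "504 AUTH mechanism not supported"
        if not self.secured:
            # Hang up on the first command of a cleartext login (normally
            # USER), so a client that waits for replies never sends PASS.
            self.closed = True
            return "421 Encrypted login required, closing connection"
        if verb == "USER":
            self.user = arg
            return "331 Password required for " + arg
        if verb == "PASS":
            if self.user is None:
                return "503 Send USER first"
            ok = self.verify(self.user, arg)
            self.user = None
            return "230 Logged in" if ok else "530 Login incorrect"
        return "502 Command not implemented"


def replay(client_lines):
    """Feed commands to a fresh gate the way a client that waits for each
    reply would, stopping when the server closes. Returns (command, reply)."""
    gate = AuthFirstGate(lambda u, p: CONSTRUCTED_USERS.get(u) == p)
    exchange = []
    for line in client_lines:
        exchange.append((line, gate.handle(line)))
        if gate.closed:
            break
    return exchange


# Constructed sessions: a plain-FTP client and a client that sends AUTH first.
PLAIN = ["USER alice", "PASS correct horse", "LIST"]
SECURE = ["AUTH TLS", "USER alice", "PASS correct horse", "QUIT"]
```

A client that pipelines USER and PASS without waiting for replies has already put the password on the wire before any server can react, so this policy protects only clients that wait for the reply to USER.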
Re: Postfix: Multiple recipients alias?
The best thing to do is set up a mailing list - e.g. mailman. It's easy to maintain and takes care of spoofing when you set it to allow subscribers only to post. We are only ~7 people in our company - still it makes sense for us to use mailman instead of a list in postfix.

Hope this helps.

Michael

R.M. Evers wrote:
> Thank you all for your input. The method described in the e-mails from the postfix user list (links below) seems to work. The only disadvantage seems to be, that the method is vulnerable for sender-spoofing.. So creating a virtual like '[EMAIL PROTECTED]' will be out of the question.. :-)
>
> Thanks again,
>
> -Rodi
>
> On Fri, 2003-09-26 at 23:17, Christian Kurz wrote:
> > On [26/09/03 13:40], R.M. Evers wrote:
> > > Hi,
> > >
> > > This could be a stupid question, but I'm trying to accomplish the following:
> > >
> > > In our company, we run a Debian mailserver with Postfix. The server runs a lot of accounts and virtual domains for our customers, but also for our own employees. Now, what i want to do, is make some sort of alias for our employees, so that they can send an e-mail to, for example "[EMAIL PROTECTED]", which would deliver to all of our mailboxes. But, I only want this alias to be available for our own employees. Not for the outside world, of course..
> > >
> > > Would this be possible?
> >
> > I'm not sure since I never tested it, but I think using smtpd_restriction_classes might help with this. Take a look at the following e-Mails from the postfix user list:
> >
> > http://archives.neohapsis.com/archives/postfix/2000-02/0819.html
> > http://archives.neohapsis.com/archives/postfix/1999-q4/1617.html
> >
> > Christian
Re: proftpd exploit
Thanks, I checked on security.debian.org but couldn't find anything - so probably a sign not to worry too much.

Michael

Fraser Campbell wrote:
> On Friday 26 September 2003 09:33, mimo wrote:
> > I have just discovered this exploit report but couldn't find anything about other distros than Slackware
> > http://proftpd.linux.co.uk/index.html
> > Does any body know if the debian version is affected too?
>
> You should always take a look at bug reports if you're worried about a security issue. Here's the bug report on this for Debian:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212416
>
> According to the bug report, woody is not vulnerable. ISS says that versions 1.2.7 through 1.2.9rc2 (and possibly versions prior to 1.2.7) are vulnerable. I suspect that someone somewhere has since tested earlier versions (woody runs a patched 1.2.4) and decided that those versions are not vulnerable. It would be nice if the bug report noted on what evidence stable is not affected.
>
> > All I could think of for the moment was disabling downloading via FTP globally. Any ideas?
>
> Yes it sounds like denying either uploads or downloads would have saved you.
Re: vmware server with multiple Server OS's on blade servers
> > http://user-mode-linux.sourceforge.net/
> >
> > There is even a list with UML hosting providers on the web site. This
> > suggests that UML is stable enough to be used even for commercial use.
> >
> > Regards,
> >
> > Oliver
>

Short answer is yes it is. You can run each UML as a separate process and it is lighter than VMWARE (and free) though it can be harder to get up and running

Rus

--
w: http://www.jvds.com | Free Debian UNIX Shell Accounts
e: [EMAIL PROTECTED]| http://www.jvds.com/freeshells
t: +44 7919 373537 |
t: 1-888-327-6330 | email: [EMAIL PROTECTED]
Re: vmware server with multiple Server OS's on blade servers
On 26 Sep 2003, Theodore Knab wrote:
> I was wondering if anyone is running multiple versions of Linux
> atop of vmware's enterprise server ?

I haven't tested this personally, but you should probably be able to do more or less the same using user-mode linux (UML):

http://user-mode-linux.sourceforge.net/

There is even a list with UML hosting providers on the web site. This suggests that UML is stable enough to be used even for commercial use.

Regards,

Oliver
Re: Postfix: Multiple recipients alias?
Thank you all for your input. The method described in the e-mails from the postfix user list (links below) seems to work. The only disadvantage seems to be, that the method is vulnerable for sender-spoofing.. So creating a virtual like '[EMAIL PROTECTED]' will be out of the question.. :-)

Thanks again,

-Rodi

On Fri, 2003-09-26 at 23:17, Christian Kurz wrote:
> On [26/09/03 13:40], R.M. Evers wrote:
> > Hi,
> >
> > This could be a stupid question, but I'm trying to accomplish the following:
> >
> > In our company, we run a Debian mailserver with Postfix. The server runs a lot of accounts and virtual domains for our customers, but also for our own employees. Now, what i want to do, is make some sort of alias for our employees, so that they can send an e-mail to, for example "[EMAIL PROTECTED]", which would deliver to all of our mailboxes. But, I only want this alias to be available for our own employees. Not for the outside world, of course..
> >
> > Would this be possible?
>
> I'm not sure since I never tested it, but I think using smtpd_restriction_classes might help with this. Take a look at the following e-Mails from the postfix user list:
>
> http://archives.neohapsis.com/archives/postfix/2000-02/0819.html
> http://archives.neohapsis.com/archives/postfix/1999-q4/1617.html
>
> Christian
Re: Gated vs Zebra
On Mon, Sep 29, 2003 at 12:29:58AM +0300, kgb <[EMAIL PROTECTED]> wrote a message of 39 lines which said:
> Which software is more good Gated or Zebra?

Gated is non-free and non-maintained.

Zebra is free but no longer maintained.

Use Quagga. Or start with Zebra if you don't want to run sid, it will be easy to switch to Quagga after that.
Re: RIPE Autonomously System: Question?
On Mon, Sep 29, 2003 at 12:01:29AM +0300, kgb <[EMAIL PROTECTED]> wrote a message of 56 lines which said:
> Yes and i think that, do you know with mine architecture how traffic can
> shift my PC without problem?

Very difficult to tell, it depends on many things (for instance, on the typical size of the packets). At Gitoyen, I have no problem with several FastEthernet (100 Mb/s) links on a typical PC but many small packets (a root DNS name server) could be more difficult to process than a few big ones (Web hosting) because interrupts are too slow on a PC.

> I mean zebra don't have problem with big traffic if pc architecture
> is good?

Zebra does not forward at all so it is irrelevant. The kernel (probably Linux in your case) does the forwarding so the limiting factors are the kernel and the hardware.
Re: Gated vs Zebra
On Mon, Sep 29, 2003 at 12:29:58AM +0300, kgb wrote:
> Which software is more good Gated or Zebra?

Maybe Quagga (www.quagga.net, available as Debian package in unstable)? It's the forked successor of the quite unmaintained Zebra. Like Zebra, too, it has a Cisco like command line language which will help you as you can use the Cisco docs and newsgroups.

bye,

-christian-

--
They gave their lives to clean the gene pool. -Ken Leatherman
Re: RIPE Autonomously System: Question?
I am using all Debian machine as routers and servers on my ISP (no cisco label in the rack). My debian (zebra w/ BGP) machine manage my ASN and connect to Indonesian Internet eXchanges (IIX) and 3 Upstream for International BW.

At 11:55 PM 9/28/2003 +0300, kgb wrote:

On Sun, 2003-09-28 at 23:27, Andy Coates wrote:
> kgb ([EMAIL PROTECTED]) wrote:
> > Hello all,
> >
> > Next week i'll have AS from RIPE i'll be local LIR can i use zebra with
> > bgpd on my debian linux to manage my network? i don't want to spend
> > money for cisco router.
>
> Although I can't see why LIR and zebra are in the same sentence, a lot
> of people use zebra for BGP routing in small networks - no reason why
> it wouldn't work under debian.
>
> Andy.

I don't mean 'zebra don't work on debian' I mean next week I'll become LOCAL REGISTRY and I ask you do I need Cisco router to maintain my AS from RIPE or I can do it with more unexpensive way with zebra because I don't want to spend a lot of money for Cisco router that's it. I seek and stability.

--
Feci quod potui, faciant meliora potentes!