Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> * Marc Haber:
> > How would you implement the automatism to trigger the update on the
> > incoming e-mail?
>
> I typically use an Exim .forward file which invokes a special script
> using "pipe". The script creates a file, and a cron job which runs
> periodically checks for the existence of that file and performs the
> desired action when it exists. This means that DSA sent in quick
> succession only trigger the action once.

So you have debian-security subscribed on all systems, and all systems
need to run a publicly reachable mail system?

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Password authentication with LDAP and SSH
Historians believe that on Wednesday 01 February 2006 04:07, Jonas Liljenfeldt wrote:
> Hello all,
>
> I run Debian Sarge and I have a problem with my SSH server (in
> combination with password authentication and LDAP). It doesn't work
> well with password authentication when I try to login as a LDAP user
> but it works well for users in /etc/passwd. If I try to login as a LDAP
> user via SSH and keyboard interactive as authentication mechanism it
> works good.
>
> In /var/log/auth.log this message appears when a LDAP user tries to
> login with password authentication:
>
> Feb 1 06:54:28 hostname sshd[4691]: Failed password for username
> from :::127.0.0.1 port 53071 ssh2
>

Hi All,

I've the same problem from a few days ago, but the problem was solved
just after restarting the nscd service.

After this, the SSH authentication works fine with or without nscd.

Strange...

--
Marcos S. Trazzini

Re: Password authentication with LDAP and SSH
Hello,

There is an open bug on login regarding LDAP
(http://bugs.debian.org/277767). It may (maybe not) be related.

In any case, it would be nice if somebody could have a look at it, or at
least indicate if it can be reproduced or not on your environment.

The Shadow maintainers lack resources to investigate this bug.

Kind Regards,
--
Nekral

Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:
> How would you implement the automatism to trigger the update on the
> incoming e-mail?

procmail, matching on new mails to the debian-security-announce
mailing list ..

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/

Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:
> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> > * Geoff Crompton:
> > > I'm also wondering if security.debian.org has enough resources for every
> > > single debian box on the planet checking it every X minutes.
> >
> > You can use the DSA posting as a trigger.
>
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.
>
> How would you implement the automatism to trigger the update on the
> incoming e-mail?

How about a procmail rule? There ought to be several ways for an
implementation, each one will have to rely on your mailserver or
procmail positively identifying a security-announcement.

Then you can

- make the procmail rule call aptitude update && aptitude upgrade
  directly
- save the mail to a special place and make some other program trigger
  the update (via a db or perhaps FAM or a cron-job)

Greetings
Horst

--
The income tax has made more liars out of the American people than golf
has. Even when you make a tax form out on the level, you don't know
when it's through if you are a crook or a martyr.
                -- Will Rogers

Re: first A record of security.debian.org extremely slow
* Marc Haber:

> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
>> * Geoff Crompton:
>> > I'm also wondering if security.debian.org has enough resources for every
>> > single debian box on the planet checking it every X minutes.
>>
>> You can use the DSA posting as a trigger.
>
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.

This is by design; the DSA is delayed until the archive has been
updated properly (which means that it has arrived at all mirrors).

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

I typically use an Exim .forward file which invokes a special script
using "pipe". The script creates a file, and a cron job which runs
periodically checks for the existence of that file and performs the
desired action when it exists. This means that DSA sent in quick
succession only trigger the action once.

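The flag-file trigger described in the message above, together with the "positively identifying a security-announcement" step from the procmail reply, written out as an added example; it is not code from any poster in this thread. The spool path, the function names and the List-Id value are assumptions.

```shell
#!/bin/sh
# Added example; the spool path, function names and List-Id are assumptions.
FLAG_DIR="${FLAG_DIR:-/var/spool/dsa-trigger}"        # hypothetical path
FLAG="$FLAG_DIR/pending"
LIST_ID="debian-security-announce.lists.debian.org"   # assumed List-Id value

# Mail side: reads one message on stdin (e.g. from an MTA pipe) and sets the
# flag only if a List-Id *header* names the announce list. The body is read
# but ignored, so quoted headers in a reply cannot set the flag.
# Returns 0 if the flag was set, 1 otherwise.
mark_pending() {
    awk -v id="<$LIST_ID>" '
        body      { next }
        /^$/      { body = 1; next }
        /^[ \t]/  { if (in_id && index(tolower($0), id)) hit = 1; next }
                  { in_id = (tolower($0) ~ /^list-id:/)
                    if (in_id && index(tolower($0), id)) hit = 1 }
        END       { exit !hit }
    ' || return 1
    mkdir -p "$FLAG_DIR" && : > "$FLAG"
}

# Cron side: runs the given command once if the flag exists. The flag is
# claimed by rename first, so a DSA arriving while the command runs sets a
# fresh flag instead of being lost, and several DSAs still mean one run.
# Returns 0 if the command ran and succeeded, 1 if nothing was pending,
# 2 if the command failed (the flag is restored for the next cron run).
run_if_pending() {
    claimed="$FLAG.$$"
    mv "$FLAG" "$claimed" 2>/dev/null || return 1
    if "$@"; then
        rm -f "$claimed"
        return 0
    fi
    mv "$claimed" "$FLAG"
    return 2
}

# Stand-alone use: "<script> mail" in the pipe, "<script> cron <command...>"
# from cron. Mail mode always exits 0 so other list mail is not bounced.
case "${1:-}" in
    mail) mark_pending || true ;;
    cron) shift; run_if_pending "$@" ;;
esac
```

A forged List-Id header can at most cause one extra run of the cron command, because nothing from the message is ever passed to that command.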
Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> * Geoff Crompton:
> > I'm also wondering if security.debian.org has enough resources for every
> > single debian box on the planet checking it every X minutes.
>
> You can use the DSA posting as a trigger.

Usually, cron-apt has already noticed that there is an update
available before the DSA posting comes in.

How would you implement the automatism to trigger the update on the
incoming e-mail?

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: avahi-daemon
Hi,

On Thu, Feb 23, 2006, Javier Fernández-Sanguino Peña wrote:
> IMHO the problem here is having a music program (as rhythmbox) Recommends:
> avahi-daemon, when IMHO it should be Suggests: . The functionality
> provided by avahi-daemon (a network service for sharing music) is not
> something I would say that all rhythmbox users require (based on
> rhythmbox' description, which looks like a music library organization
> tool for me). However, it will get it installed per default by users
> using 'aptitude' (not 'apt') which is the recommended tool these days.

It would be overly complicated to handle the case of a Suggests instead
of a Recommends correctly: even if the code was updated to handle both
cases at run time, and would hide the relevant options when these are
not available, the documentation would still point at unavailable
features. And the popup mixing application level information with
package level information would also be awful: "You should install
package foo to get this functionality".

> If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478 got
> it to reduce the Depends: on that daemon to a Recommends:, I think it would
> be better to have that as Suggests:
> Disclaimer: I don't know much about rhythmbox and the relationship of
> avahi-daemon

You might as well get the issue documented in the RB BTS if you want,
I'll simply link to this thread where I clearly state that I think it's
a desirable feature which should be working by default. :)

The dep was strict because RB wouldn't start without it. Now it will
start, but with a warning. I'm quite sure you can get it to crash if
avahi isn't there though, but that's a bug.

> Maintainers remember: it's much better to *not* install/activate a network
> service than to have a service, even if it's chrooted, or running under lower
> privileges (like the avahi maintainers describe in
> https://wiki.ubuntu.com/MainInclusionReportAvahi) which, BTW, is not that
> common.

The keyword here is 'exposure'. The avahi-daemon is nicely chrooted,
and runs under a different user. You just can't have the functionality
of "plug'n'play" on a network without any central server without
listening at some point to something...

> Really, do *almost all* rhythmbox users need to share music (and
> consequently need avahi)?

That's not the point, the point is to make it easy to do so. And yes, a
lot of users share music between computers. Those people want that to
be simple. You can't cut every feature out because only 10% of the
users use it.

It's not like you're running Rhythmbox on a firewall, and iptables is
still there, you can remove avahi, you can configure it not to start
etc.

Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED

Re: first A record of security.debian.org extremely slow
thus spoke Michael Stone <[EMAIL PROTECTED]> [2006.03.02.2032 +0100]:
> The explanation is far simpler--debian *does* have mirrors of
> security.debian.org. At the moment I see three hosts in the rotation.

Yeah, push, not pull mirrors.

--
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"if one cannot enjoy reading a book over and over again,
 there is no use in reading it at all."
                                                        -- oscar wilde

Re: first A record of security.debian.org extremely slow
thus spoke Florian Weimer <[EMAIL PROTECTED]> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases. From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no
officially-endorsed mirrors -- I'd just upload my trojans to sarge's
archive with a higher version number then.

http://www.debian.org/security/faq#mirror

--
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"doesn't he know who i think i am?"
                                                       -- phil collins

Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 08:06:07PM +0100, Florian Weimer wrote:
> * martin f. krafft:
>> Why then do you think security.d.o is not mirrored by Debian?
>
> Our mirror network is not actually well-known for its integrity (think

The explanation is far simpler--debian *does* have mirrors of
security.debian.org. At the moment I see three hosts in the rotation.
Why not add more? Well, what problem does that solve?

--
Michael Stone

Re: first A record of security.debian.org extremely slow
* Geoff Crompton:

> I'm also wondering if security.debian.org has enough resources for every
> single debian box on the planet checking it every X minutes.

You can use the DSA posting as a trigger.

Re: first A record of security.debian.org extremely slow
* martin f. krafft:

>> One day more or less doesn't really matter. So far, Debian security
>> updates predated widespread (semi-)automated exploits by weeks.
>
> Why then do you think security.d.o is not mirrored by Debian?

Our mirror network is not actually well-known for its integrity (think
paris.avi). By default, package authenticity is not validated in
sarge and earlier releases. From a security POV, it's better to
download those updates from a limited set of well-maintained servers.
It reduces the attack surface somewhat.

Re: Password authentication with LDAP and SSH
Same here, can do anything, except ssh :/

tijn

aflorent wrote:
> hello
> i've got exactly the same problem
>
> if no objectClass : shadowAccount in ldap database, i get
> Could not get shadow information for user
>
> if i add objectClass : shadowAccount, i get
> Failed password for user,
> and getent shadow user return user:x:13208::9:7:::0.
>
> i think the thing wrong is the 'x' password but i can't fix it.
>
> it used to work on woody without shadowAccount in ldap database.

--
View this message in context: http://www.nabble.com/Password-authentication-with-LDAP-and-SSH-t1038158.html#a3184956
Sent from the Debian Security forum at Nabble.com.