OT - was Re: My machine was hacked - possibly via sshd?
David Pastern wrote:
> On Wed, 2005-03-30 at 17:55 +1000, Andrew M.A. Cater wrote:
>> On Tue, Mar 29, 2005 at 05:08:32PM -0500, Noah Meyerhans wrote:
>>> On Wed, Mar 30, 2005 at 07:16:31AM +1000, David Pastern wrote:
>>>> And this, in reality, is why Woody is so old. I cannot imagine any other distro providing such an old kernel.
>>>
>>> You've got cause and effect mixed up. Debian is not outdated *because* we support ancient versions of software. We support ancient versions of software because we are outdated. No distribution provides support for their development branch before their stable branch.
>>
>> It may be noticed that other distributions are switching to a longer release cycle for "commercial/enterprise" products. Mandrake is to switch to one release a year (and they don't commit to support for old releases for more than about a year), Novell/SUSE are moving to an 18 month release cycle and five year support, Red Hat are moving to 18 month/two year cycle and seven year support.
>>
>> Given the effort that it takes to support something through even two years of hardware change - Debian is actually doing "the right thing" for support by releasing on its current release cycle and the big distributions will soon start to feel the pain of extended support cycles as well.
>>
>> Debian point releases when they come fix security and other issues. Potato had seven - one a couple of weeks before the new release. Woody has had four and a fifth is in preparation.

Let me point out that the meaning of the word "stable" is different for RedHat/SUSE. Debian "stable" is more like "frozen" - no bugfixes, no new drivers, no new features. Just security fixes and some "critical" fixes. RedHat "stable" is more like a solid, usable system. RH updates device drivers, fixes memory leaks and in the case of mozilla they push a newer version into the distribution rather than keeping an insecure version. I am not a big fan of RH, but I must point out that they are more pragmatic.

RH AS 2.1 contains updated drivers for PERC so you can install it on DELL servers. Last week they fixed telnet so you can use a port number and the -8 option together. Such "evil" patches can never get into "stable".

Look at http://www.openldap.org/software/release/changes.html. The OpenLDAP team has fixed dozens of memory leaks and deadlocks. How many of them got into stable? None.

If you are really looking for a "stable" system you should install "testing".

Ivan

PS: sorry about the offtopic post.
PS: sorry about my english

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
Haim Ashkenazi wrote:
> Hi
>
> I'm running a web (ssl) server with several virtual domains. At the moment they are name based (non-ip) which of course produces a warning in the user's browser when he tries to connect to a host that is not the default one (key). I've looked in the documentation and found that ssl doesn't support name based virtual domains. I was wondering if there is a way around that (like using rewrite rules). Say I want to offer web hosting, do I need to have a different IP for every https domain I'm hosting? This could result in having to buy a few hundred IP's...

The best solution is to have an IP for each virtual domain.

A tricky solution is to use the X509v3 extension in the certificate called alternativeHostname. You can have many alternativeHostname records in one certificate. Using this you can use one certificate for all domains. But this is a really ugly solution. You have to regenerate the certificate each time one of your domains changes. And of course some clients do not understand X509v3 extensions.

Ivan Brezina
Re: Help! File permissions keep changing...
Kristopher Matthews wrote:
>> This is a security nightmare. I would *not* recommend doing any such thing in a user filesystem.
>
> You're making the assumption that he LIKES his users. :)
>
> On Wed, 18 Feb 2004, Michael Stone wrote:
>> On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fernández-Sanguino Peña wrote:
>>> DIR_TO_FIX=/home/groupX
>>> GROUP=mygroup
>>> PERM=g+rwX
>>> find $DIR_TO_FIX -type f -o -type d | xargs chown $GROUP   # or chown -hR $GROUP $DIR_TO_FIX
>>> find $DIR_TO_FIX -type f -o -type d | xargs chmod $PERM    # or chmod -hR $PERM $DIR_TO_FIX
>>
>> This is a security nightmare. I would *not* recommend doing any such thing in a user filesystem.

hmm, xargs does not use quotes when executing commands. This causes problems with dirs with spaces in the name. If a user has a directory named "dummy root", he can easily get access to the /root directory.

Ivan
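As an added example (not code from the thread or from any of its participants), the following POSIX shell script reproduces the word-splitting Ivan describes on a throwaway tree: it creates a directory named "dummy root", runs the same newline-delimited `find | xargs` pipeline with `printf` standing in for `chown`/`chmod`, and shows that the bare word `root` reaches the command as a separate, relative argument. It contrasts this with the `find -print0 | xargs -0` form, where both tools agree on NUL as the separator and every path arrives intact. All directory and file names in it are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: how a newline-delimited find|xargs
# pipeline splits file names that contain whitespace, and the -print0/-0
# form that does not. Every path and file name below is constructed.
set -eu

# Build a throwaway tree containing a directory called "dummy root".
# Prints the path of the new tree (mktemp paths contain no whitespace).
setup_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/dummy root"
    : > "$tree/dummy root/note.txt"
    : > "$tree/plain.txt"
    printf '%s\n' "$tree"
}

# Mimic the pipeline from the thread (printf stands in for chown/chmod)
# and count the arguments that actually reach the command. Whitespace in
# a name turns one path into several arguments; the second piece, "root",
# is a relative name, so with / as the working directory it means /root.
count_args_unsafe() {
    find "$1" -type f -o -type d | xargs printf '%s\n' | wc -l | tr -d ' '
}

# Null-delimited form: find -print0 and xargs -0 use NUL as the separator,
# so each path arrives as exactly one argument. The parentheses matter:
# without them -print0 would bind only to -type d and files would be skipped.
count_args_safe() {
    find "$1" \( -type f -o -type d \) -print0 | xargs -0 printf '%s\n' \
        | wc -l | tr -d ' '
}

# Succeeds (exit 0) when the unsafe pipeline hands the bare word "root"
# to the command as an argument of its own.
leaks_bare_root() {
    find "$1" -type f -o -type d | xargs printf '%s\n' | grep -qx 'root'
}

# Stand-alone demonstration.
demo=$(setup_tree)
echo "newline-delimited pipeline passes $(count_args_unsafe "$demo") arguments"
echo "null-delimited pipeline passes $(count_args_safe "$demo") arguments"
if leaks_bare_root "$demo"; then
    echo "newline-delimited pipeline passed a bare 'root' argument"
fi
rm -rf "$demo"
```

With the four entries the script creates, the newline-delimited pipeline passes six arguments (one of them the bare `root`) while the null-delimited one passes four. `find ... -exec chown mygroup {} +` or plain `chown -R` avoid xargs altogether and have the same property. NUL delimiting only fixes the word splitting; Michael Stone's objection to running recursive chown/chmod over a user-writable tree stands regardless.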
Re: XFree86 4.2 bug in Debian Testing
On Fri, 8 Nov 2002, Joseph Pingenot wrote:
>> From Norbert Preining on Friday, 08 November, 2002:
>> I think that vim-gtk tries to open a window, recognizes that this doesn't work (authorization) and starts normal text mode vi.
>
> Probably the easiest way to do this is, instead of using su/sudo, run ssh -X localhost. It'll tunnel your X apps back over the tunnel. Not as efficient, but it'll solve permissions problems. Or, you can have root snag your user .Xauthority file to steal the user cookies. Then you can just set display:0.0.
>

Another possibility is: su -c vim-gtk

You can also use xhost +username for allowing users to connect to your X server. But this does not work for me on Debian.

Ivan
Re: Kerberos...
I think you will have to write your own PAM module. I recommend you ncpfs from ftp://platan.vc.cvut.cz

We use a similar system using the LDAP Gateway for NDS: download all Novell users from NDS via LDAP. For authentication we use login with an added ability to authenticate against NDS. There is also pam_ncp, I think. There is also the possibility to authenticate directly against the LDAP2NDS gateway.

Unfortunately there is a bug in Novell software. When the gateway logs in as a user into NDS to check the password it sometimes forgets to log out that user. It happens in approx. 5% of cases. If you have limits for concurrent logins in Novell this is a serious problem. If you know how to force Novell to fix this bug let me know.

Ivan Brezina

On Thu, 1 Aug 2002, Daniel Swärd wrote:
> Is there a way to configure Kerberos so the server, if the user doesn't exist (or maybe the password is incorrect), will try to authenticate against NDS and then create a local Linux-account?
>
> I'm supposed to set up a Linux-server and in some way integrate it with the existing Novell-servers. The thing is that I don't want to be too dependent on the Novell-servers.
>
> /Daniel
Re: More SSH Fun (X11 forwarding)
> Hi all,
>
> I'm having a really weird problem with X11 forwarding and two Debian boxes.
>
> I can login with OpenSSH and scp and everything else no problem.
>
> However, when I try to launch an xterm, I get either:
> can't open DISPLAY
>
> Or the display is set to server:10.0.

If DISPLAY=server:10.0 it means it is correct. But it may be that xterm cannot resolve the name "server". Try "ping server". Maybe you have to modify /etc/hosts.

Ivan Brezina
RE: IPSec questions...
On Wed, 9 Jan 2002, VERBEEK, FRANCOIS wrote:
> Well what you propose here is not exactly IPSec. It's an encrypted way to communicate but not IPSec. Don't expect it to work with a Cisco router/VPN concentrator or a Win2K machine.
> FreeSwan is quite a good product, quite inter-operable with all platforms I tested it with. (It's been a while now, but I can find you the info about how I did it if you'd like).
>

I do not find FreeSwan good enough. The FreeBSD (OpenBSD) implementation seems better to me. FreeSwan has serious problems with packet fragmentation and setting the MTU. That's why I finally gave up trying to use FreeSwan against other IPSEC implementations. For a few computers IPSEC is too robust. CIPE is easier to understand and configure. I think that there is a WIN NT implementation of CIPE.

Ivan Brezina