Re: Firewall - Limit Geographic Area

2003-10-15 Thread Bill Carlson
On 15 Oct 2003, Jason Dixon wrote:

 On Wed, 2003-10-15 at 16:47, lrnobs wrote:
   You could instead say...
   I don't like cars that are not Blue.
  
   In other words, exclude all traffic that is not from America instead of
   the other way around.
  
  Does anyone know of a way to do this?  Are the IP ranges assigned to
  American networks published somewhere?

It's easier to go the reverse route, exclude some known foreign networks.
See http://www.iana.org/assignments/ipv4-address-space

My strategy was to block RIPE, APNIC and LACNIC, as those networks I KNOW 
have no business talking to my servers via ssh (for example). The list is 
fairly small once input in iptables, performance is a non issue.

 This type of information could probably be gathered via NANOG or the
 ICANN site.  However, if I haven't stressed it enough already, I highly
 suggest you avoid this route.  IT WILL NOT WORK like you intend. 
 Remember, IP addresses are easily spoofed.

I disagree. You're correct, this is no defense against spoofing, but it 
certainly does raise the bar for potential attackers. And for the cost of 
setting it up, the payoff is more than enough. Blocking these IP ranges is 
certainly no replacement for good practices (patching, thoughtful 
configuration, etc.).

$.02

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 
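
An added example (not code from the thread) of the approach Bill describes: pick the /8 blocks the IANA list assigns to RIPE, APNIC and LACNIC and turn them into iptables drops for ssh. It goes a little beyond the post by merging adjacent /8s and by putting the drops in their own chain jumped to from the top of INPUT; the registry sample is constructed, and the chain name `GEO_SSH` is hypothetical.

```python
import ipaddress
import re

# Constructed sample laid out like the plain-text IANA registry (prefix, date,
# designation). It is NOT the registry: fetch the current file before use.
SAMPLE_REGISTRY = """\
061/8   Apr 97   APNIC
062/8   Apr 97   RIPE NCC
063/8   Apr 97   ARIN
080/8   Apr 01   RIPE NCC
081/8   Apr 01   RIPE NCC
200/8   Nov 02   LACNIC
201/8   Apr 03   LACNIC
210/8   Jun 96   APNIC
211/8   Jun 96   APNIC
"""

BLOCKED = ("RIPE", "APNIC", "LACNIC")   # the three registries named in the post
CHAIN = "GEO_SSH"                       # hypothetical chain name

ENTRY = re.compile(r"^\s*(\d{1,3})/8\s+\w{3}\s+\d{2}\s+(\S.*?)\s*$")


def blocked_networks(registry_text, registries=BLOCKED):
    """Return the /8s delegated to `registries`, merged into the fewest CIDRs."""
    nets = []
    for line in registry_text.splitlines():
        m = ENTRY.match(line)
        if not m or int(m.group(1)) > 255:
            continue            # header, blank or malformed line
        if m.group(2).upper().startswith(tuple(registries)):
            nets.append(ipaddress.ip_network(f"{int(m.group(1))}.0.0.0/8"))
    # Adjacent blocks such as 80/8 and 81/8 become one 80.0.0.0/7 rule.
    return list(ipaddress.collapse_addresses(nets))


def iptables_commands(networks, port=22, chain=CHAIN):
    """Emit commands that drop `port` traffic from `networks`.

    The jump is inserted at position 1 of INPUT so that an earlier ACCEPT
    rule cannot pre-empt the drops.
    """
    cmds = [f"iptables -N {chain}",
            f"iptables -I INPUT 1 -p tcp --dport {port} -j {chain}"]
    cmds += [f"iptables -A {chain} -s {net} -j DROP" for net in networks]
    return cmds


def is_blocked(address, networks):
    """True if `address` falls inside any of the blocked networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    for cmd in iptables_commands(blocked_networks(SAMPLE_REGISTRY)):
        print(cmd)
```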


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list


Re: Numlock

2003-07-21 Thread Bill Carlson
On 20 Jul 2003, Celso Pinto wrote:

 Hi all,
 
 i think i've searched everywhere but i can't find an answer for this:
 how do i turn numlock on when logging into gnome or starting xfree?

I use numlockx (http://freshmeat.net/projects/numlockx/).

Stick it in ~/.Xclients or local equivalent.

Later,

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 




RE: Download Redhat 9 right now

2003-04-02 Thread Bill Carlson
On 2 Apr 2003, Ezra Nugroho wrote:

 dude, that's from RHN!
 
 On Tue, 2003-04-01 at 17:38, Bill Carlson wrote:
  On 1 Apr 2003, Ezra Nugroho wrote:
  
   
   Binary Disc 1  638M  400c7fb292c73b793fb722532abd09ad
   Binary Disc 2  646M  6b8ba42f56b397d536826c78c9679c0a
   Binary Disc 3  485M  af38ac4316ba20df2dec5f990913396d
   Source Disc 1  608M  0727c51ab359dafa9ab31e0c50958aa6
   Source Disc 2  645M  2ddd8e6a8502869cd2e78d47590b9be1
   Source Disc 3  424M  f378cf68b22c3b9a64c86b5067511630
  
  Ok, but how do we KNOW those are really the OFFICIAL ones?
  
  :)
  
  I can just see this whole BitTorrent thing being a massive trojan 
  attack... it IS April 1st after all.

:)  - note, smiley, turn on humor filter.

But how do I KNOW that? They're not GPG signed, all I have is your word on 
a mailing list. Do you see the point? BitTorrent is all good, but you 
should be careful in verifying what is downloaded, preferably against a 
source other than the .torrent provider.

I'm certainly not implying you are supplying fake MD5SUMs, Ezra. However, 
from a security perspective one should realize that you COULD be supplying 
fakes and one currently has no way to verify they are not fake.

In this case, a GPG signed list of MD5SUMs from Redhat would be the thing, 
which those of us without RHN will probably get next week.


Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 





Re: Redhat 9 not 9.0 ?

2003-04-01 Thread Bill Carlson
On Tue, 1 Apr 2003, T. Ribbrock wrote:

  * RH for home/student/entusiast users, which will be based on this new 
  bleeding edge like technology for Open Source software included in the 
  distro. It will be the RH we are accustomed to.
 [...]
 
 ITYM: It will *not* be the RH we are accustomed to. Less emphasis on
 stability, no point releases - that's definitely not the RH I'm
 accustomed to...

On the money. I'm a long time Redhat supporter, frankly this new direction 
sounds like a very bad thing. As a company, your choice is either:

a) The still free version, with less testing, less focus on stability and 
less Redhat resources directed at it. 

b) The Pay version, which will be well supported, built with stability in 
mind and become more outdated than Debian stable ever thought about.

Neither choice is for me. It's not a question of money, either. Neither 
branch sounds like the Redhat I want to admin and use.

Time will tell I guess.


Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 





RE: Download Redhat 9 right now

2003-04-01 Thread Bill Carlson
On 1 Apr 2003, Ezra Nugroho wrote:

 
 Binary Disc 1  638M  400c7fb292c73b793fb722532abd09ad
 Binary Disc 2  646M  6b8ba42f56b397d536826c78c9679c0a
 Binary Disc 3  485M  af38ac4316ba20df2dec5f990913396d
 Source Disc 1  608M  0727c51ab359dafa9ab31e0c50958aa6
 Source Disc 2  645M  2ddd8e6a8502869cd2e78d47590b9be1
 Source Disc 3  424M  f378cf68b22c3b9a64c86b5067511630

Ok, but how do we KNOW those are really the OFFICIAL ones?

:)

I can just see this whole BitTorrent thing being a massive trojan 
attack... it IS April 1st after all.

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Ssh and root risk

2003-03-11 Thread Bill Carlson
On Sun, 9 Mar 2003, Mikkel L. Ellertson wrote:

 I prefer to set root to PermitRootLogin without-password so you can 
 only log in with a valid key pair.  As long as you have a good password 
 on the private key, it makes it hard for anyone to log in.  They have to 
 get the private key, and crack the password...  The only disadvantage is 
 that if they do manage to crack your machine, and get your private key, 
 they can crack the password on their machine, instead of over the 
 Internet.  Not a real big problem for me, as the machines with the 
 private keys do not accept incoming Internet connections...

Another benefit: If your password for root gets horked for some reason,
you can still ssh in and fix it without having to boot single user. Not
that I've ever had to do that.  *cough*

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 





Re: Default font error

2003-01-29 Thread Bill Carlson
On Tue, 28 Jan 2003, John Duke wrote:

 I have RH8. Recently the graphical system stopped working -- on boot, I 
 get an "I cannot start X server" message. When I look at the log file, I 
 see:
 
Could not init font path element unix/:7100, removing from list!
Fatal server error:
could not open default font 'fixed'
 
 In addition, some of the text messages I am getting back have gibberish 
 characters where it is asking for a response. The command line interface 
 seems ok.
 
 It looks to me like a font was corrupted or deleted -- right? More to 
 the point, how do I get it back short of re-installing everything?
 
 Please be gentle -- I'm just learning this stuff!
 


I've had this happen on some RH 7.3 machines, I suspect an upgrade of
something caused the problem. If you stop and start xfs and check the
logs, it will complain about some fonts. X is failing because it is asking
xfs for a default font and not getting it.

From a shell, go to the directory listed for the font in the xfs error
message and run 'mkfontdir', then stop/start xfs again.

Alternately, one could reinstall the fonts, but if you look at install 
scripts for the fonts, they just run mkfontdir as well.

Later,

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






RE: RPM dependency hell

2003-01-14 Thread Bill Carlson
On Tue, 14 Jan 2003, Larry Brown wrote:

 For local RPM collections, RH8 has the Red Hat package manager.  It's
 still a bit limited, but I believe they are working to make it better and
 more flexible.  We'll see.  But this is not the issue that is preventing
 RHL from taking over the world, and it's not so easy to fix that someone
 else has already done it.
 
 Admittedly everything sounds on the mark, I just have to say that I could
 justify some of the problems/solutions one of my client has to go through in
 Linux to use it as their desktop.  There is no way I could justify spending
 3 hours of downloads and installs to get a new application to work when
 adding a new one to M$ wouldn't take any of that.  If they have the same
 problems, they do a good job of masking it.  If I get something that says it
 runs on win2k, I run install and it is done.  I think this is the biggest
 hurdle for Linux.  That is for it to take over the world and all.  For me to
 use it..here I am.

Please, don't feed the troll.

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: RedHat, RPMS, and updates

2002-12-18 Thread Bill Carlson
On 13 Dec 2002, Ben Russo wrote:

 The source packages have the change logs and notes in them,
 and I could swear I remember reading an RPM command option somewhere
 that would give that info too???

rpm -q <package name> --changelog | less

rpm -qp <filename> --changelog | less

Redhat has a history of making very good changelog entries as well as 
doing the Right Thing for security updates.

I'd say Redhat's only problem at the moment is instances of security 
problems that DON'T exist in the Redhat package. Crying "Bug! Here's a 
fix" is no big deal; quietly stating "Bug, but not in our yard" is a fine 
line to walk. Perhaps a source where users can query by CAN/CVE number and 
find current Redhat status. Still a lot of work to say "Non issue".

Later,

Bill Carlson
-- 
Systems Administrator[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







Re: I've been hacked??

2002-12-04 Thread Bill Carlson
On Tue, 3 Dec 2002, Michael Schwendt wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Tue, 3 Dec 2002 11:31:11 -0600 (CST), Bill Carlson wrote:
 
 $ su -l root
 # rpm -qa | xargs -n 1 -t rpm -V  rpm-Va.txt
 # less rpm-Va.txt 
  
  ?!? No need for xargs.
  
  rpm -Va | tee /tmp/verify.log
 
 Nah, try it. ;) Then you'll understand why I recommend the xargs
 version. If you know an equivalent version that doesn't use xargs,
 please post it.

Ah, I see what you mean. In case anyone else is wondering, Michael's use
of xargs (with the -t, echo command line to stderr) will allow one to see
which rpm the verify output is from. There isn't an option for rpm -V that
will do that.

Another good example of Unix at work: Small tools that can be chained 
together for accomplishing a variety of tasks.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: I've been hacked??

2002-12-03 Thread Bill Carlson
On Tue, 3 Dec 2002, Michael Schwendt wrote:

   $ su -l root
   # rpm -qa | xargs -n 1 -t rpm -V  rpm-Va.txt
   # less rpm-Va.txt 

?!? No need for xargs.

rpm -Va | tee /tmp/verify.log


Commonly if I'm suspicious of a system, I verify just a few rpms, such as:

procps
net-tools
fileutils

Takes a lot less time and assures some base utilities might be 
trustworthy. Then I usually rpm -V rpm or apache to make sure the verify 
function is still working. Can't be too careful:)


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 
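
An added example (not code from either poster) that reads the output of the `xargs -t` form discussed in the two messages above, attributes each verify line to the package whose `rpm -V` command was echoed before it, and lists packages whose non-config files are missing or fail the digest check. The sample capture, including the package versions, is constructed.

```python
import re

# Constructed capture of `rpm -qa | xargs -n 1 -t rpm -V` with stdout and
# stderr combined. Package versions and findings are invented for the example.
SAMPLE_OUTPUT = """\
rpm -V procps-2.0.7-12
..5....T   /bin/ps
rpm -V net-tools-1.60-4
rpm -V sendmail-8.11.6-15
S.5....T c /etc/mail/sendmail.cf
rpm -V fileutils-4.1-10
S.5....T   /bin/ls
missing    /bin/dir
"""

COMMAND = re.compile(r"^rpm -V (\S+)\s*$")   # the line echoed by xargs -t
# Eight (older rpm) or nine (newer rpm) test flags, an optional file-type
# marker such as "c" for config, then the path.
CHANGED = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")


def parse_verify(text):
    """Map each package to a list of (flags, file_type, path) findings.

    A package that verified cleanly maps to an empty list, so the result
    also records which packages were actually checked.
    """
    results, current = {}, None
    for line in text.splitlines():
        m = COMMAND.match(line)
        if m:
            current = m.group(1)
            results.setdefault(current, [])
            continue
        m = CHANGED.match(line)
        if m:
            finding = m.groups()
        else:
            m = MISSING.match(line)
            if not m:
                continue        # unrelated noise, e.g. warnings
            finding = ("missing", m.group(1), m.group(2))
        # Output seen before any echoed command cannot be attributed.
        results.setdefault(current or "(unattributed)", []).append(finding)
    return results


def altered_programs(results):
    """Packages whose non-config files are missing or fail the digest test.

    Edited config files ("c") are expected on a working system and are
    left out; a changed digest ("5") on a binary is what deserves a look.
    """
    suspects = {}
    for package, findings in results.items():
        paths = [path for flags, file_type, path in findings
                 if file_type != "c" and (flags == "missing" or "5" in flags)]
        if paths:
            suspects[package] = paths
    return suspects


if __name__ == "__main__":
    for package, paths in altered_programs(parse_verify(SAMPLE_OUTPUT)).items():
        print(package, *paths)
```

The result is only as trustworthy as the rpm binary and database on the host being checked, which is the reason the post verifies rpm itself as well.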






Re: WAS installing from hard drive

2002-09-30 Thread Bill Carlson

On Sat, 28 Sep 2002, Kalin Mintchev wrote:

 On Fri, 27 Sep 2002, Kalin Mintchev wrote:
 
  On Fri, 27 Sep 2002, Matthew Saltzman wrote:
 
  
   Good luck.  I did a hard-disk install once (not with 7.3) and IIRC it did
   work with a bit of fiddling around.
 
  thanks.. i'll try that too...
 
  i did all the possible options. i tried NFS install (sat up an NFS server
  and exporting directories) and ftp install from another linux box that had
  the RedHat files copied from an ISO. in both cases it fails to connect.
  and i know that the ftp account works. i can ftp to it from the command
  line on the same box i'm trying to install the 7.3. but the installer
  fails to connect. i'm starting to have serious doubts that one can
  install RH 7.3 from anything else but the CDs you buy... anyway thanks...
  i guess nobody from redhat actually reads the posts on this list...
 
 just for the record:
 the html install doesn't work either. i started an apache just for this
 installer. i get:
 File /rh/RedHat/base/netstg1.img not found on server...
 and it's right ^#@(*@#(* there... i just downloaded a brand new one from
 redhat's site...  it says it's not there hail the RedHat
 documentation

Kalin,

Hopefully you've taken a few minutes to catch your breath. I've installed 
7.3 from HTTP and NFS more times than I like to think about, so it's not 
that it doesn't work, it's that it isn't working for YOU. Take a step back 
and describe exactly what you've done and what results you've seen.

For HTTP/FTP/NFS, some basics to check:

1. Check that the box you're installing is REALLY working. Once you get 
past the network configuration, try to ping the box from another machine, 
ideally from the server with your install sources. Anything from a buggy 
network driver to a bad cable could cause problems here.

2. Check the logs of the HTTP/FTP/NFS server. Permissions are the 
usual cause of problems. I recommend HTTP since it's easy to verify it 
works from web browser.

3. Check the other virtual consoles on machine being installed (Left 
CTRL-Left ALT-F3, Left CTRL-Left ALT-F4 ). There will be error messages on 
these screens that will help troubleshoot the problem. Left CTRL-Left 
ALT-F1 gets you back to the installer screen. (I'm hoping you understand 
virtual consoles somewhat, if not please do some google searches if what 
I've written isn't clear).


Start there and then give us the details.


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







Re: Patching Linux Servers

2002-09-17 Thread Bill Carlson

On Mon, 16 Sep 2002, Emmanuel Seyman wrote:

 On Mon, Sep 16, 2002 at 12:17:16PM -0400, Paul DiMarco wrote:
  
  That sounds like something I might be interested in Emmanuel.   Can you
  provide some more details to mirroring redhat distro's please?
 
 I use the application mirror which you'll find on the Powertools 7.1 CD.
 Install the rpm, edit /etc/mirror.defaults to match yours needs and make
 a mirror configuration file. Mine looks like:

On top of this, set up autorpm on all your machines. 

Safety Feature: Point autorpm at a directory other than your mirrored 
updates. Once satisfied that the RPMs are ok, symlink them to your autorpm 
target directory. Works for me.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Email question

2002-08-28 Thread Bill Carlson

On Tue, 27 Aug 2002, Aly Dharshi wrote:

   I think that Qmail maybe secure but its a stagnant application. It has to 
 be patched to get various things to work, I don't know about Postfix its 
 used by a number of persons, when I looked at it last when choosing 
 there wasn't any LDAP features builtin. Sendmail was one of the first 
 smtp server programs, it has alot of features but the ease of 

Hold on there a second, hoss. Just because qmail doesn't suffer from 
"feature of the week" doesn't mean development is stagnant. The old adage 
applies, "If it ain't broke, don't fix it."

There are patches that people have made available IF and ONLY IF you 
actually want/need the additional features. I may differ with the author 
on his licensing terms, but the patch system works well; if I need a 
simple null relay, one package and I'm there. If I need to auth against 
LDAP, virus scan every mail, black hole some servers and have email swiss 
cheesed before it hits the inbox, a few well chosen patches and done. Or 
better yet, I roll my own code to do it, qmail makes that easy.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Hard Drive Help

2002-08-27 Thread Bill Carlson

On Tue, 27 Aug 2002, Rick Forrister wrote:

 [EMAIL PROTECTED] wrote:
  
  I need some help.
  
  1.  I have a server that has been up for 100+ days and I need to do some
  hard drive work on.  I know that the server has an available 33 gig scsi
  drive on it, but I'm not sure how linux saw the drive.  Unfortunately due
  to the amount of uptime, dmesg no longer shows the bootstrap sequence.  Is
  there anyway to get linux to do something like a re-scan of the drives and
  report to me what it finds?  Since this machine is in production, I can
  not bounce it without a lot of headache.
  
  2.  When the drive is detected and I partition it, is there a way to get
  linux to see the partitions w/o a reboot?
  
 
 Chris, suggest you take a look in /etc/sysconfig/hwconf, the file
 generated by kudzu.  You'll find a listing in there that looks like:

/proc is also your friend here, look at the files in /proc/scsi. When in 
doubt, ask the kernel.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: disk usage

2002-07-30 Thread Bill Carlson

On Tue, 30 Jul 2002, Christensen Tom wrote:

 
 FilesystemSize  Used Avail Use% Mounted on
 /dev/hda2  21G   15G  6.0G  71% /
 /dev/hda1  23M   20M  1.9M  92% /boot
 /dev/hda5  14G  1.8G   11G  13% /home
 none  250M 0  250M   0% /dev/shm
 
 but, like I said, I can only account for about 7GB used on the / partition.
 

Try this:

find / -type d -maxdepth 1 | egrep -v 'home|proc|^/$' | xargs du -sh

That should show usage of each directory in /, not including /home and 
/proc.

It's possible you need to fsck /.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







RE: numlock key !!!

2002-07-11 Thread Bill Carlson

On Wed, 10 Jul 2002, Mohd Irfan R Khan wrote:

 You Can Lock Numlock key from the setup of the BIOS of Your Machine.

*sigh*

It would be nice if this worked, but such is not the case.

The kernel resets the Numlock state on boot.

See man setleds for a small script that will set Numlock on for the 
Virtual Consoles. That only applies until the next reboot, add the script 
to /etc/rc.d/rc.local to set on every boot. setleds is part of 
console-tools, in case you don't have it installed.

For X, numlockx as previously mentioned works just fine, for those not 
running Gnome/KDE as well.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: which NIC is which

2002-07-11 Thread Bill Carlson

On Wed, 10 Jul 2002, John Telford wrote:

 Interesting possibility.  Fortunately I haven't experienced eth(n)
 assignments changing between reboot.  My experience is adding another
 *may* change eth(n) assignments.

I'll second this John, I've never seen the order change without a hardware 
change of some type.

I did have troubles with a certain brand of NIC (which I forget, of 
course) that would get a randomly generated MAC address when the driver 
loaded. Didn't affect the order eth* was assigned, but sure caused 
problems on a reboot. :)

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Please Help - Frustrated Newbie!

2002-07-11 Thread Bill Carlson

On Wed, 10 Jul 2002, Dale Scott wrote:

 Where can I find a newer version of Apache in RPM format for RH 7.2?

1.3.22 is the latest Redhat supplied version. The security fix was applied 
as a patch rather than supply 1.3.26. Redhat frequently does this for 
security fixes, such as the recent OpenSSH incident and others.

Why do this? Stability. Rather than rush out a security fix with 
additional untested code, get out JUST the fix.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: BIND Vulnerabilities

2002-07-09 Thread Bill Carlson

On 9 Jul 2002, Samuel Flory wrote:

 http://rhn.redhat.com/errata/RHSA-2002-105.html
 

This is dated 2002-06-04, way before the CERT advisory.

CERT lists those things affected as libbind and BSD libc. Redhat uses GNU 
libc and no libbind that I know of.

I'm assuming this is a non-issue OR Redhat is still in the process of
determining if there is a problem.  Considering any given application
COULD use libbind, it would take time to comb through the apps (I'm
guessing here).

Note there have been discussions that the CERT recommendation to use BIND 9 
as a central cache to help 'filter' potentially problem DNS responses does 
NOT in fact help the situation at all. 
See http://marc.theaimsgroup.com/?l=djbdns&m=102614840819438&w=2

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







RE: which NIC is which

2002-07-09 Thread Bill Carlson

On Tue, 9 Jul 2002, Anthony Abby wrote:

 Could you not add eth0 first... then add eth1 after you finish configuring
 the first NIC?  That way there'd be no confusion which was which.

It doesn't work that way, especially when you have multiple, identical 
NICs.

In the boxes I've had with multiple, identical NICs, the assignment order 
is usually in the same order up or down the bus. Can't say I've tried more 
than 2 NICs, though, all the same type. The good news is that the 
assignment order doesn't change that I've seen.

The best method I've found is to use different chipset NICs, then put 
entries in /etc/modules.conf for each, ie 'alias eth0 8139too'. When the 
module loads, the correct device will be associated with that NIC. 
Granted, with 5 NICs that will be a pain.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: OpenSSH bug workaround *NOT NEEDED*

2002-06-26 Thread Bill Carlson

On 26 Jun 2002, Gordon Messmer wrote:

 On Wed, 2002-06-26 at 09:05, M A Young wrote:
  In case people haven't seen it, according to
  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
  You can secure your system from the recent ssh security hole by turning
  off challenge-response authentication and restarting sshd.
 
 Reviewing the announcement, I wonder if this affects Red Hat's OpenSSH
 at all...  The output of the configure process indicates positively that
 the affected BSD Auth and S/KEY authentication mechanisms are not
 available (see below), and connecting to a RHL machine with 'ssh -v'
 does not indicate that any challenge-response authentication mechanisms
 are available.

The bug does not appear to affect Redhat supplied OpenSSH, neither S/KEY 
nor BSD Auth is configured.

Gordon is correct as far as I can tell, THERE IS NO VULNERABILITY for 
Redhat supplied OpenSSH for this particular issue. There is NO NEED to 
upgrade yet. I've heard of at least one possible hole in the 3.3 version 
(sorry, lost the link) so don't upgrade blindly.

I haven't grabbed a SRPM yet to absolutely verify this, but I will do so 
and I would expect an announcement from Redhat soon as well.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: OpenSSH bug workaround *NOT NEEDED*

2002-06-26 Thread Bill Carlson

On Wed, 26 Jun 2002, Bill Carlson wrote:

 I haven't grabbed a SRPM yet to absolutely verify this, but I will do so 
 and I would expect an announcement from Redhat soon as well.

Verified, openssh-3.1p1-3 does not use BSD_AUTH or S/KEY.

From the spec file:

%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
--with-rsh=%{_bindir}/rsh \
%if %{scard}
--with-smartcard \
%endif
%if %{noip6}
--with-ipv4-default \
%endif
%if %{build6x}
--with-ipv4-default \
%endif
%if %{rescue}
--without-pam --with-md5-passwords
%else
--with-pam --with-kerberos5=/usr/kerberos
%endif




No --with-skey, no --with-bsd-auth. A lot of todo about nothing!!

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Revised OpenSSH Security Advisory (adv.iss) (fwd)

2002-06-26 Thread Bill Carlson

Here we go again!

According to this latest advisory, the PAMAuthenticationViaKbdInt bug
could be a problem IF and ONLY IF it's enabled.

I checked both 7.3 and 7.2, PAMAuthenticationViaKbdInt is disabled by 
default. This was openssh-3.1p1-3 and openssh-3.1p1-2, respectively. Both 
sshd man pages verify that 'PAMAuthenticationViaKbdInt no' is the default.

Not that I'm the expert or anything, but this appears to be a non-issue 
for anyone using stock Redhat-supplied openssh, unless you specifically 
enabled PAMAuthenticationViaKbdInt.



Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 

-- Forwarded message --
Date: Wed, 26 Jun 2002 21:08:17 +0200
From: Markus Friedl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Revised OpenSSH Security Advisory (adv.iss)

This is the 2nd revision of the Advisory.

1. Versions affected:

Several versions of OpenSSH's sshd between 2.3.1 and 3.3
contain an input validation error that can result in an
integer overflow and privilege escalation.

All versions between 2.3.1 and 3.3 contain a bug in the
PAMAuthenticationViaKbdInt code.

All versions between 2.9.9 and 3.3 contain a bug in the
ChallengeResponseAuthentication code.

OpenSSH 3.4 and later are not affected.

OpenSSH 3.2 and later prevent privilege escalation if
UsePrivilegeSeparation is enabled in sshd_config.  OpenSSH
3.3 enables UsePrivilegeSeparation by default.

Although some earlier versions are not affected upgrading
to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
checks for a class of potential bugs.

2. Impact:

This bug can be exploited remotely if
ChallengeResponseAuthentication
is enabled in sshd_config.

Affected are at least systems supporting s/key over
SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
as well as other systems supporting s/key with SSH).
Exploitability of systems using
PAMAuthenticationViaKbdInt
has not been verified.

3. Short-Term Solution:

Disable ChallengeResponseAuthentication in sshd_config.

and

Disable PAMAuthenticationViaKbdInt in sshd_config.

Alternatively you can prevent privilege escalation
if you enable UsePrivilegeSeparation in sshd_config.

4. Solution:

Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

ISS.

Appendix:

A:

Index: auth2-chall.c
===
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c   19 Jun 2002 00:27:55 -  1.18
+++ auth2-chall.c   26 Jun 2002 09:37:03 -
@@ -256,6 +256,8 @@
 
authctxt-postponed = 0;/* reset */
nresp = packet_get_int();
+   if (nresp  100)
+   fatal(input_userauth_info_response: nresp too big %u, nresp);
if (nresp  0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i  nresp; i++)
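Review bot: The new nresp cap in input_userauth_info_response uses a bare literal 100, and the same literal appears again in the auth2-pam.c change in appendix B; a shared named constant would keep the two limits from drifting apart. The cap bounds the nresp * sizeof(char*) allocation that follows, but unlike appendix B this hunk does not compare nresp with the number of prompts that were actually sent, so any count up to the cap is still accepted. If the challenge context records how many responses it expects, checking against that here would be the tighter test.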

B:

Index: auth2-pam.c
===
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c 22 Jan 2002 12:43:13 -  1.12
+++ auth2-pam.c 26 Jun 2002 10:12:31 -
@@ -140,6 +140,15 @@
nresp = packet_get_int();   /* Number of responses. */
debug(got %d responses, nresp);
 
+
+   if (nresp != context_pam2.num_expected)
+   fatal(%s: Received incorrect number of responses 
+   (expected %u, received %u), __func__, nresp,
+   context_pam2.num_expected);
+
+   if (nresp  100)
+   fatal(%s: too many replies, __func__);
+
for (i = 0; i  nresp; i++) {
int j = context_pam2.prompts[i];
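Review bot: In the first fatal() call the arguments are in the wrong order for the format string: the message reads "expected %u, received %u" but nresp is passed first and context_pam2.num_expected second, so the log would report the two values swapped; pass context_pam2.num_expected before nresp. The debug() line just above prints nresp with %d while the new messages use %u, which is worth making consistent. The nresp cap of 100 only has an effect if num_expected can itself exceed 100, so a comment saying why both checks are kept would help.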
 



___
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
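Added example (not from the advisory, the OpenSSH project or the original post): a shell check of an sshd_config against the short-term steps in section 3 of the advisory above. The function names and the sample file are constructed; a directive that is absent is reported as "unset" rather than guessed, since defaults differ between versions.

```shell
#!/bin/sh
# Audit an sshd_config against section 3 of the advisory.
# sshd matches keywords case-insensitively and uses the first value it
# obtains for a keyword, so the parser stops at the first match.

# effective_value FILE KEYWORD -> prints the value, or "unset" if absent
effective_value() {
    awk -v key="$2" '
        BEGIN { want = tolower(key); val = "unset" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "" || line ~ /^#/) next   # blank line or comment
            n = split(line, f, /[ \t=]+/)         # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == want) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# advisory_status FILE -> mitigated | privsep-only | review
advisory_status() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    pam=$(effective_value "$1" PAMAuthenticationViaKbdInt)
    sep=$(effective_value "$1" UsePrivilegeSeparation)
    if [ "$cra" = no ] && [ "$pam" = no ]; then
        echo mitigated        # both short-term steps applied explicitly
    elif [ "$sep" = yes ]; then
        echo privsep-only     # escalation contained (3.2 and later, per the advisory)
    else
        echo review           # enabled, or left to a version-specific default
    fi
}

# Constructed sample: PAMAuthenticationViaKbdInt appears twice and once in a
# comment; only the first uncommented occurrence counts.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Protocol 2
challengeresponseauthentication no
#PAMAuthenticationViaKbdInt yes
PAMAuthenticationViaKbdInt no
PAMAuthenticationViaKbdInt yes
EOF
for k in ChallengeResponseAuthentication PAMAuthenticationViaKbdInt \
         UsePrivilegeSeparation; do
    printf '%-34s %s\n' "$k" "$(effective_value "$sample" "$k")"
done
printf 'status: %s\n' "$(advisory_status "$sample")"
rm -f "$sample"
```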



Re: stopping email at the firewall for an IP

2002-03-13 Thread Bill Carlson

On Wed, 13 Mar 2002, Mike Burger wrote:

 You have to actually use the full netmask, not the CIDR bit notation.
 
 Try $IPTABLES -A INPUT --source 63.27.139.0/255.255.255.0 -j silent 
 instead.

No, you don't have to use the full netmask. I would suggest he should look 
at where this rule is being added to his ruleset, it's probably being 
preempted by a preceding rule.

$.02


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 
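Added example, not part of the original post: a shell helper that lists, in evaluation order, every rule in a chain whose source match covers an address, so a rule that sits ahead of the intended one is visible. It also shows that the /24 and /255.255.255.0 spellings give the same mask. The function names and the ruleset are constructed; only -s/--source is evaluated, so rules without a source match are listed as covering every address.

```shell
#!/bin/sh
# Input is iptables-save style text on stdin. Other match options
# (-i, -p, --dport, negation) are not evaluated.

ip_to_int() {                       # A.B.C.D -> integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

mask_to_int() {                     # prefix length (24) or dotted mask
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

in_net() {                          # in_net IP NET[/MASK]
    net=${2%%/*}
    case $2 in
        */*) mask=$(mask_to_int "${2#*/}") ;;
        *)   mask=$(mask_to_int 32) ;;
    esac
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

rule_source() {                     # -s/--source argument, or 0.0.0.0/0
    prev=
    for w in $1; do
        case $prev in -s|--source|--src) echo "$w"; return ;; esac
        prev=$w
    done
    echo 0.0.0.0/0
}

covering_rules() {                  # covering_rules CHAIN IP < ruleset
    n=0
    while read -r flag chain rest; do
        [ "$flag" = -A ] && [ "$chain" = "$1" ] || continue
        n=$((n + 1))                # position of the rule within the chain
        if in_net "$2" "$(rule_source "$rest")"; then
            echo "$n $rest"
        fi
    done
}

# Constructed ruleset: a /16 ACCEPT was appended before the rule from the
# thread, so the "silent" rule is third in line for 63.27.139.5.
covering_rules INPUT 63.27.139.5 <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 63.27.0.0/16 -j ACCEPT
-A INPUT -s 63.27.139.0/255.255.255.0 -j silent
COMMIT
EOF
```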







Re: Openssh on RH7.2

2002-03-07 Thread Bill Carlson

On 7 Mar 2002, Bret Hughes wrote:

 When I have problems like this it is usually either permissions on the
 .ssh directory or the authorized_keys file.  BTW it is not
 authenticated_keys :)  ssh is very particular about this.  you can try
 running the ssh daemon in debug mode to get more information :

Be warned the Redhat RPMs of openssh look for authorized_keys2 in some
cases. I've found a symlink to authorized_keys works fine.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Announcing a beta release of Red Hat Linux Pensacola

2002-02-28 Thread Bill Carlson

On 27 Feb 2002, Jeff Bearer wrote:

 I can't help but notice that this announcement carefully omits the fact
 that the final release won't be available for free download (according
 to the article I've linked).  Of course you will be able to put pieces
 together to get a similar product, but you have to buy Red Hat Advanced
 Server if you want all the pieces bundled together.
 
 I'm not knocking Red Hat, just stating that if somebody has the
 impression that these features will be a part of RH 7.3 or 8.0 they may
 be disappointed
 
 CNET:  Red Hat to offer high-end Linux version
 http://news.com.com/2100-1001-823736.html

This is indeed for the Advanced Server edition.

From the CNET article, the key is that an ISO won't be available publicly. 
That doesn't necessarily mean the product license will be any different, 
but it does imply one would have to buy a box set to get the CDs. The 
question is does the rest fall under GPL, meaning does purchasing a box 
set a) include all the source b) allow installation to any number of PCs.

In theory, if the thing is GPL, I should be able to buy one box set and 
distribute an ISO image made from said CDs. Of course, I couldn't call 
it Red Hat due to trademark infringement. But, IANAL, so who knows. :)


I think it is VERY important Red Hat be very clear about this, especially
when asking the public to Beta test AND bug report on the thing. I looked
on the pensacola list, the question about the ISO has been raised and not
answered at this time. 

Red Hat, now is the time to show your true colors.  Be honest and tell the
truth, don't try to hide it by omission.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: can't boot upgrade from 6.0 to 7.2

2002-02-27 Thread Bill Carlson

On Tue, 26 Feb 2002, doug piper wrote:

 Thanks Ed,
 
 I realize that what you are saying is right on but I have a hard time believing
 that  Linux people would be so forgetting of what was happening a year to a
 year and a half ago.  This seems like the ultimate of the Microsoft philosophy,
 i.e. f**k them if they did upgrade and if they didn't upgrade then f**k them
 doubly..
 
 I will do a fresh install of 7.2. I have no problem backing up files on my Linux
 hard drive although I haven't done so previously as I can still mount all of my
 linux drives and backup  any data which is important to my Windows drive using
 Linux rescue. But it does seem kinda extreme.

I'll disagree with Ed here, I mostly do upgrades and have had very little 
problem. Granted, right after the upgrade there is usually some minor 
tweaking and maybe a recompile or two, especially when jumping major 
numbers.

That said, I've had some problems with RH 7.2 and a trashed ext3 journal 
file while booting. I think you can save your current system, you need to 
boot rescue and get the file system to fsck. As I recall, reverting to 
ext2 didn't help in my situation, but recreating the ext3 journal did. My 
specific situation was cloning an install of 7.2 to new drives.

Hang in there, think and take your time, you'll get the system back.


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







Re: anyone tried spong?

2002-02-06 Thread Bill Carlson

On Wed, 6 Feb 2002, Matthew Boeckman wrote:

 periods. Much much more stable, and easier to write custom stuff for. I 
 would recommend netsaint 3 times over spong once.

I'll second what Matthew said, only I'd recommend netsaint 10 times over 
spong.

Netsaint is much more flexible and just works.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 







Re: Changing from Red Hat to another distro: recommendations?

2002-01-30 Thread Bill Carlson

On Tue, 29 Jan 2002, Rodolfo J. Paiz wrote:

 I'm sorry (really!) that this discussion makes Trond uncomfortable, yet I 
 still believe that it's more than relevant since it provides a wonderful 
 window for Red Hat personnel to learn about what their customers like about 
 the competition. My God... free market research!

I agree, I've used RedHat for years at home as well as work. Seeing the 
news about the potential for an AOL buyout made me see red and not RedHat. 
The only difference between AOL/TW and Microsoft is the color of the tines 
on the pitchfork.


What better way to get the word back to Redhat that a sellout would 
result in a swift change to another distro?

$.02


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED] | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |   
Opinions are mine, not my employer's. | 






Re: Cheapbytes

2001-12-19 Thread Bill Carlson

On Wed, 19 Dec 2001, rpjday wrote:

 On Wed, 19 Dec 2001, Leonard den Ottolander wrote:
 clearly, red hat itself is calling the downloaded product red
 hat linux, yet just as clearly, they will not be offering
 support for it.

 IMHO, red hat is just confusing the bejeezus out of everyone by
 now.  they should take a deep breath, step back, and try to come
 up with a coherent policy that *they* can follow.  all i got
 out of the linuxtoday story is that red hat is still trying to
 figure out what to do.  i sincerely hope they can come up with
 a solution that doesn't antagonize loyal users.

Clearly the real solution is for Red Hat to give a name to the
downloadable version. At this point, Red Hat Linux doesn't indicate a
boxed set or the download version; it's totally gray.

Take a point from Turbolinux, where you have Turbolinux Server and
Turbolinux Server, GPL edition. A simple branding fix is all that's needed
here, not lawyers making a mess of things.


I won't even go into the whole Linux isn't Red Hat's trademark thing.

$.02,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |
Opinions are mine, not my employer's. |






Re: Private LANs FQDN

2001-11-15 Thread Bill Carlson

On Wed, 14 Nov 2001, Patrick Nelson wrote:

 I'm just not sure what is the best way to name systems on the private side
 of our LAN.  We tried using just single names but some programs seem to have
 problems with it.  Like NIS and SendMail.  What is the best way to name
 systems on a LAN behind a firewall that don't have internet names?


Personally, being an incredibly lazy typist, I use i (for internal). I
have seen very few programs that can't handle that, but they do exist and
are usually easy to patch.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]  | Anything is possible,
Virtual Hospital  http://www.vh.org/  | given time and money.
University of Iowa Hospitals and Clinics  |
Opinions are mine, not my employer's. |






Re: Micro$oft strikes again!

2001-04-04 Thread Bill Carlson

On Wed, 4 Apr 2001, Bret Hughes wrote:

 Mike Chambers wrote:

  My linux box changed over but once I rebooted it went back to the other
  time.  I had to go in this morning to the BIOS and change it.
 
  Mike

 This occurs if you set your machine to "local" time rather than UCT (GMT).
 Using UTC the time never changes only the way the OS displays it.  Makes a lot
 more sense if you think about it.

A more general method is to have the machine sync its time to the time of
another machine on the network. Great work around for machines with BIOS
that can't handle Y2k, bad clock chips and the like.

ntpdate or rdate!

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Adore worm

2001-04-04 Thread Bill Carlson

Hey all,

Note that the worm attacks LPRng, not plain lprd. As well as rpc-statd,
wu-ftpd and BIND.


See the details at:

http://www.sans.org/y2k/adore.htm

Thanks to Chuck at

http://www.moongroup.com/stories.php?story=01/04/04/3482479

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: Is it possible to use 2 gateways?

2001-04-04 Thread Bill Carlson

On Wed, 4 Apr 2001, Jonathan Wilson wrote:

 Hey,

 We have a server that I'd like to set up to start using our new T1 as a gateway, but
 we have it running CVS on our ISDN line still. I thought that if I switched the
 gateway it could still receive connections from the ISDN line but for some reason it
 cannot, so I have to leave the gateway set to ISDN.

 I'm wondering, though, if it's possible to have more than one gateway? Would it
 actually utilize the second one for more bandwidth?


At that point you're talking routing or load balancing. You'd like to be
able to use one link if the other is down, right? Plus it would be nice to
send traffic over the idle link if the other becomes congested? Prepare to
enter a gray world.

See http://www.linuxdoc.org/HOWTO/HOWTO-INDEX/networking.html#NETROUTING
for some starters.

Good Luck!

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Is it possible to use 2 gateways?

2001-04-04 Thread Bill Carlson

On Wed, 4 Apr 2001, Jonathan Wilson wrote:

 At 03:30 PM 4/4/2001 -0500, you wrote:
 At that point you're talking routing or load balancing. You'd like to be
 able to use one link if the other is down, right? Plus it would be nice to
 send traffic over the idle link if the other becomes congested? Prepare to
 enter a gray world.

 My apologies, I should have been clearer. This is not a server in the classic sense.
 The only thing it serves to the outside world is CVS, and that only one or two
 updates a week. Load balancing is not the point.

 The 6 employees here on our local LAN use it as a test box of sorts however, so for
 that and other reasons (including stability) we'd like it to utilize the T1 for
 bandwidth, without cutting off the CVS-ISDN connection like it does when we switch
 the default gateway over to the T1.

 I hope that is a better explanation, sorry.

Ok, let me see if I have this straight.
You have an ISDN line.
You have a T1 line.
These both come into the same box, ie each is a separate interface on the
box. Correct?

You wish all traffic to come over the T1 except some CVS stuff, which
should come over the ISDN.

Hmmm. I would think DNS would take care of this, the CVS server should
resolve to the IP of the ISDN interface. You should be seeing only
incoming connections for CVS, so your default gateway shouldn't matter. I
must be wrong about the way TCP works in that case, I thought it followed
the route established on connection. Ah! I suppose your box is doing the
right thing and telling the remote box about a better route for the
connection (ICMP redirect).

I would say looking at trafficshaper would be what you're after, you need
to be able to direct traffic based on the port involved.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|









Re: Linux Frustration Rant: two problems in one

2001-02-26 Thread Bill Carlson

On Mon, 26 Feb 2001, Michael R. Jinks wrote:

 Matthew Melvin wrote:

 Finally a word on philosophy: Don't forget who's in charge here.  When
 "The Documentation" says that "CommandX is a restricted,
 system-administration command," don't forget who owns the machine.  You
 Are Root.  This is your house, so to speak.  Of course it's a terrible
 idea to log in as root too often, because sooner or later you will make
 a mistake and cause yourself grief.  Segmentation of user permissions is

Additionally, don't treat root as the plague, but rather as a very big
gun.  Yes, you can shoot almost anything with root. Including your own
foot.  That doesn't mean you WILL shoot it off. The safe advice is just
don't carry the gun in the first place, but many people routinely do and
get along just fine. I usually have a root shell open somewhere, but
then I watch where the thing is pointed. :) Whether you should or not is
up to you.

My other piece of advice covers the "My system is single user behind a
firewall, I don't care about security". I agree, security is probably not
a concern. TODAY. One thing I've noticed is that Linux/UNIX systems tend
to live a lot longer, and go longer between fresh installations than other
OSes. So the compromises made today may be okay, but not for six months
from now, when you let a friend or 12 login to your machine or something
along that line.

Better to learn good habits now, as the learning applies to both today as
well as the future.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Need good tape backup software

2001-02-23 Thread Bill Carlson

On Wed, 21 Feb 2001, Bret Hughes wrote:

 I have used amanda for about a year and a half now.  I have only had to
 recover files that I accidentally deleted well, one time most of a 10GB
 partition rm -f is not your friend in all cases :)  Any way I believe the
 amanda approach is not necessarily one of restore this machine entirely,
 but more of put an os on here and then restore the data kind of deal.

Amanda is targeted at a 'bare-metal' restore. One needs the basic OS
tools installed on the machine to allow:

1. Tape media to be accessed
2. Filesystem restore program used

That's about it. Further instructions on amanda.org.

I've been running amanda for 4+ years, no complaints. I would say that for
backing up a single machine, amanda is overkill.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Odd crashes

2001-02-15 Thread Bill Carlson

On Tue, 13 Feb 2001, Lingel, Jason wrote:

 We just brought up 4 dual gigahertz processor Dell 1400 RedHat Linux 7.0
 machines with memory ranging from 256Mb to 1GB.  I can't remember the kernel
 number off hand but I used the kernel that Red Hat sent on CD.  Installed as
 a server from the gui, added nfs server services and didn't include web,
 news or nis.  These are all networked computers.  I don't run X on any of
 these.  They are used to run numerical models that generally tend to pound
 the processors, but that shouldn't be a problem.  I look at them today and 2
 of them are dead in the water -- they're on but you can't ping, rsh or
 telnet.  They are looking at dns servers, but not NIS maps.  No samba.

 If anybody has any ideas as to why, I would like to hear them.  If anybody
 has any methodology for troubleshooting these kinds of things, I would
 appreciate that as well.

Before setting up a machine for real, it is good to verify the hardware is
working properly. I usually do this by making a basic install with
compiler and the kernel source. Then compile the kernel several times. If
that works, then add a '-j' parameter to the MAKE variable in Makefile for
the kernel (see Documentation/smp.txt in the kernel source).  Recompile
the kernel several more times and examine top and such to make sure the
load is high and ALL RAM is in use for something. For your level of
machines, having several different kernel compiles running at the same
time might be needed, depends whether all RAM is finally used for caching
or not.

If the kernel compile fails with SIG 11s or just at different points in
the run, you are looking at several potential problems, all of which are
hardware related:

1) Corrupt RAM. This leads to corrupted files from file caching. Run
something like memtest86 to verify the RAM. You won't typically see kernel
error messages for this, rather the machine just locks up.

2) I/O subsystem problems. Something is corrupting files on their way to
disk. Usually you'll see error messages if this is the case.

3) Heat. Drives, CPUs or power supply. Anything that starts to wheeze
when the machine is busy could affect the stability of the machine. CPUs
overheating typically won't produce error messages and certainly not in
any traceable pattern. Same for a flaky power supply, once the voltages
start fluctuating, nothing will work quite right. Drives, again, will
usually get a kernel message.

That covers 99% of the cases, after that comes driver issues though well
written drivers produce error messages that make sense.

HTH,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






RE: help me!

2001-02-13 Thread Bill Carlson

On Tue, 13 Feb 2001, José Antonio Aceituno Jiménez wrote:

 Yes, but in this URL just I can subscribe


At the bottom of the page is a box where you can modify your options and
unsubscribe.

"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, or unsubscribe from Redhat-list), enter
your subscription email address:"

Enter your email address in the box and click Edit Options.


NOTE TO REDHAT:

This is a failing of Mailman, that information and input box are not very
clear. Please change your templates to make this process more obvious. A
simple fix is to move this dialog to the top of the page as shown here:
http://mail.vh.org/mailman/listinfo/pediatricradiologynews

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|








Re: multitrunk network card

2001-02-12 Thread Bill Carlson

On Mon, 12 Feb 2001, Graham Hemmings wrote:

 At 11:04 12/02/2001, you wrote:
 I don't know what etherchannel is..
 I want to add a second network card to a server to
 add more bandwidth. Right now it is 100mbit and
 i want to add another one to have 200mbit (400 mbit Full Duplex).
 My switch supports this by calling it multitrunk.
 
 Do I need any special network card to do this or it achieved by
 "etherchannel".
 If etherchannel is the solution do you have any links to a howto?
 
 Spyros


 FastEtherchannel is a standard method of allowing you to combine several
 100Mbps links into one logical link.  It has to be supported by both the
 switch you connect to and the NICs you use in the PC.  Most Cisco switches
 will do etherchannel and I know that Intel Pro 100 ethernet cards support
 it - but whether they support it under Linux is another matter.

FastEtherchannel is a CISCO standard method; in other words, not a
standard at all.

Multilink trunking is the more generic method used by most ethernet switch
vendors. As of several years ago, they knew very little about their own
technology, I had a devil of a time talking to anyone about how to
actually set it up (Bay Networks). One of the requirements at that time
was that 2 NICs could be assigned the same MAC address. One also had to
run special drivers on the server side. I would think by now they have
gotten the information down to tech support, a call to your vendor might
be your best bet.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: AMD K6-2 400

2001-01-10 Thread Bill Carlson

On Tue, 9 Jan 2001, Austin wrote:

 Has anyone had any problems with the AMD K6 processor?
 Any compilation problems, Seg faults, and/or things breaking randomly?

 I want to set up a database server using RH7.0 and I just want to make sure
 that the AMD K6-2 is a stable CPU and is compatible with Red Hat.


I've been running on an AMD K6-2/450 for 6 months, works great.

Windows 95, however, will not. Or should I say the original End User
version of Windows 95. This was the infamous AMD vs Microsoft bug
from a couple years back, basically a timing routine in Win95 barfs as it
can't handle the clock speed of the AMD. Only solution is an upgrade to
either OEM Win95 and apply a patch or upgrade to 98. The funny part is
that I didn't know this for several months after I upgraded my dual boot
machine, as I hadn't needed Windows in that long. :)

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: tape drive.

2001-01-10 Thread Bill Carlson

On Wed, 10 Jan 2001, Steve Lee wrote:

 what is the difference between the device
 /dev/nst0 and /dev/st0


/dev/nst0 is the non-rewinding version of /dev/st0. Meaning after it's
closed the tape position stays put. When using /dev/st0, the tape is
automatically rewound when closed.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: What should the proper output of hostname be?

2001-01-09 Thread Bill Carlson

On 8 Jan 2001, Harry Putnam wrote:

 "Anthony E . Greene" [EMAIL PROTECTED] writes:

 with out the -fqdn flag.  Maybe this might explain unexpected trouble
 that may occur regarding hostname lookups like done by sendmail and
 lots of other apps.

 I've set the hostname to fqdn for a long while now... Anyone know what
 trouble this may cause?


On most of the systems I admin, hostname outputs the FQDN. On the
couple of boxes that don't, some software broke because FQDN output
was expected. Whether one would consider the system misconfigured or the
software poorly written is open to debate, my solution was to make all my
hosts uniform. So, FQDN output is what I use.

RedHat also defaults that way when networking is set up at installation
time, (4.x-6.x anyway, haven't played with 7.0 much yet).

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: IDE RAID

2000-12-18 Thread Bill Carlson

On Sat, 16 Dec 2000, Adam Sleight wrote:

 On Fri, 15 Dec 2000 21:55:15 -0500
  Edward Schernau [EMAIL PROTECTED] wrote:
   | The only IDE RAID to work under Linux is the 3Ware controller.

 Anyone ever try that raidzone.com openNAS device?...UltraDMA/100 hardrives /
 RAID 5.  They advertise in linux magazine.  I have yet to find an independent
 review of it in any magazine and I've searched all over the net with google.

I attempted to buy some Raidzone equipment, but their sales people rubbed
me the wrong way. They misquoted the piece of equipment I specified ("I
want product A". "Ok, here is quote for product B") and were not very
friendly about getting a requote.

Now if their sales force sucks, imagine what the rest of the company is
like!

*shudder*

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Best backup system/plan for maximum safety - what do y'all do?

2000-12-15 Thread Bill Carlson

On Thu, 14 Dec 2000, Jonathan Wilson wrote:

 I can think of several considerations:

 1. At least some level of backup needs to happen every day, i.e. at least a back up
 of /etc to a local tarball.

 2. Though we have lots of space and can get more, we can't keep archives forever.
 There probably should be some sort of trailing increments (whatever that means..)
 like every day for the past 4 weeks, every other day of 2 and 3 months ago, Sunday
 and Wednesday of 4 and 5 months ago, once a month for a year back after that. Or
 whatever. maybe some sort of versioning system like CVS

 3. We need to be able to get single files back out of the archive without a big
 to-do. You know, like if someone edits Apache's conf file right before they leave
 and we find out the next morning that it's screwed up and we want to go back a day.
 This is my primary reason for not wanting to use tapes, and wanting to use hard disks.

For part of handling 1 and 3 and configuration files, I'd recommend
getting all your admins in the habit of using rcs. This gives you more
benefits than just backup in case someone makes a goof, such as logging of
who did what and why, ability to see exactly what was changed all the way
back to the first version of the file, etc. Very handy, but one does have
to develop the habit to actually use it.

I've had good luck with amanda as a backup solution, but then you don't
want to rely on tapes. To each his own.

Amanda is moving towards supporting more than just tapes, I don't know
when that support is due, however.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Best backup system/plan for maximum safety - what do y'all do?

2000-12-15 Thread Bill Carlson

On Fri, 15 Dec 2000, Jonathan Wilson wrote:

 For everyone who has suggested RAID:

 I like RAID, it's very cool. However, the kind of things our servers currently do
 are not "worthy" of the price. What's valuable here, is not what it does, but the
 long hours we've spent setting up.

 Also, while RAID and mirroring are great for hard drive failure, it helps not a
 whit if you're cracked.

Or when someone types rm /etc/* and says "Oops."

:)

Every tool in its place.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






sendmail:What are they trying to do?

2000-12-07 Thread Bill Carlson

Hey all,

I've been seeing the following about 4 or 5 times a week, any idea what
they are trying to accomplish?

---
Dec  7 07:30:32 backup sendmail[8699]: HAA08699: [EMAIL PROTECTED]... User unknown
Dec  7 07:30:33 backup sendmail[8699]: HAA08699: [EMAIL PROTECTED]... User unknown

snipped another 30 lines of this type stuff

Dec  7 07:30:34 backup sendmail[8699]: HAA08699: [EMAIL PROTECTED]... User unknown
Dec  7 07:30:34 backup sendmail[8699]: HAA08699: from=[EMAIL PROTECTED], size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=3Cust77.tnt4.krk1.da.uu.net [63.27.2.77]
---

I had thought they were trying to find addresses on the machine via brute
force, but I haven't seen any increase in SPAM. What are they trying to
do?

I usually block the IP, but the same thing will show up from another IP.
They do tend to come from uu.net, bellsouth.net and uswest.net.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|
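
Added example, not part of the original post: one way to pick sessions like the one logged above out of a sendmail log, by counting "User unknown" rejections per queue ID and reporting the session's closing from= line (nrcpts, size, relay). The function names, the threshold and the sample log lines (example.org addresses, 192.0.2.77) are constructed for illustration; only the line layout follows the excerpt in the post.

```shell
#!/bin/sh
# flag_rcpt_probes [THRESHOLD] < maillog
# Prints one line per sendmail queue ID that collected at least THRESHOLD
# "User unknown" rejections (default 10), with the values from its from= line.
flag_rcpt_probes() {
    awk -v min="${1:-10}" '
    # Return the value of key=value from a sendmail log line, or "" if absent.
    function val(line, key) {
        if (match(line, key "=[^,]*"))
            return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    function report(qid, nr, sz, relay) {
        printf "%s unknown=%d nrcpts=%s size=%s relay=%s\n", qid, unknown[qid], nr, sz, relay
    }
    # Expected layout: Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest
    $5 !~ /^sendmail\[[0-9]+\]:$/ { next }
    { qid = $6; sub(/:$/, "", qid) }
    # One rejected RCPT per line.
    /\.\.\. User unknown/ { unknown[qid]++; next }
    # The from= line closes the session in the excerpt; report and forget it.
    $7 ~ /^from=/ {
        if (unknown[qid] >= min)
            report(qid, val($0, "nrcpts"), val($0, "size"), val($0, "relay"))
        delete unknown[qid]
    }
    END {
        # Sessions that never logged a from= line (connection dropped early).
        for (qid in unknown)
            if (unknown[qid] >= min) report(qid, "?", "?", "?")
    }' | sort
}

# Constructed sample log: one session with 12 rejected recipients and no
# message, and one ordinary delivery with a single mistyped recipient.
sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Dec  7 07:30:%02d backup sendmail[8699]: HAA00001: <user%d@example.org>... User unknown\n' \
            "$((30 + i))" "$i"
        i=$((i + 1))
    done
    cat <<'EOF'
Dec  7 07:30:44 backup sendmail[8699]: HAA00001: from=<probe@example.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=dialup.example.net [192.0.2.77]
Dec  7 08:02:10 backup sendmail[8712]: IAA00002: <tpyo@example.org>... User unknown
Dec  7 08:02:11 backup sendmail[8712]: IAA00002: from=<alice@example.com>, size=1532, class=0, pri=31532, nrcpts=1, proto=SMTP, relay=mail.example.com [198.51.100.5]
EOF
}

sample_log | flag_rcpt_probes 10
```

Grouping by queue ID rather than by source address keeps the check useful when the same pattern shows up from a different IP each time.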






Re: finding files 15 days old or older.

2000-12-07 Thread Bill Carlson

On Thu, 7 Dec 2000, Vidiot wrote:

 You can find and delete at the same time using
 
 find /tmp -mtime +15 -print | xargs rm
 
 Tom Churchward

 No need to pipe into anything, because find can run commands using exec:

   find /tmp -mtime +15 -print -exec rm {} \;

 MB


The xargs method is much more efficient, as rm is run with as many
arguments as it can handle on the command line. The exec method spawns one
instance of rm for EACH file found. In the case of 10 files, no biggie. In
the case of 1000, you'll notice the difference.


Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|
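
Added example, not part of the original thread: the xargs pipeline quoted above splits its input on whitespace, so in a world-writable directory a name such as "old report.txt" reaches rm as two separate arguments. The script reproduces that in a throwaway sandbox and shows two variants that keep the one-rm-for-many-files batching described in the reply, `-exec ... {} +` and `-print0 | xargs -0`; the function names and sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Constructed sandbox: "tmp" stands in for /tmp, "cwd" is the directory the
# cleanup is run from and holds an unrelated file that must never be deleted.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp" "$sb/cwd"
    touch -t 200001010000 "$sb/tmp/old report.txt" "$sb/tmp/old.log"  # older than 15 days
    touch "$sb/tmp/fresh.txt" "$sb/cwd/report.txt"                    # must both survive
    echo "$sb"
}

# The pipeline from the thread. xargs hands rm ".../tmp/old" and "report.txt"
# instead of the single path ".../tmp/old report.txt".
clean_unsafe() {
    ( cd "$1/cwd" && find "$1/tmp" -type f -mtime +15 -print | xargs rm 2>/dev/null ) || true
}

# POSIX: find batches the paths itself and passes each one as a single argument.
# "--" stops rm from reading a name that starts with "-" as an option.
clean_exec_plus() {
    ( cd "$1/cwd" && find "$1/tmp" -type f -mtime +15 -exec rm -f -- {} + )
}

# GNU/BSD extension: NUL-separated names, still one rm per batch via xargs.
clean_print0() {
    ( cd "$1/cwd" && find "$1/tmp" -type f -mtime +15 -print0 | xargs -0 rm -f -- )
}

# List which of the four sample files are still present.
survivors() {
    for f in "tmp/old report.txt" "tmp/old.log" "tmp/fresh.txt" "cwd/report.txt"; do
        [ -e "$1/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# run_case <cleanup-function>: fresh sandbox, run the cleanup, print survivors.
run_case() {
    sb=$(make_sandbox) || return 1
    "$1" "$sb"
    survivors "$sb"
    rm -rf "$sb"
}

for c in clean_unsafe clean_exec_plus clean_print0; do
    echo "== $c"
    run_case "$c"
done
```

In the unsafe run the stale file with a space in its name survives while report.txt in the working directory is removed; both safe variants delete exactly the two old files.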






Re: level S on serial console

2000-12-07 Thread Bill Carlson

On Thu, 7 Dec 2000, Matthew Melvin wrote:

 On Wed, 6 Dec 2000, Bill Carlson wrote:

 Okay cool...

 In /etc/inittab I've got...

 S0:2345:respawn:/sbin/getty ttyS0 DT9600 vt102

 ... for multiuser mode and...

 ~~:S:wait:/sbin/getty ttyS0 DT9600 vt102


Ok, I have a couple of boxes with this setup (good thing you brought this
up, I would not have had a console for single user!) and tested
some things.

What I did was just add S and 1 to your 'multiuser' line:

S0:S12345:respawn:/sbin/getty ttyS0 DT9600 vt102

This works for me, plus I can logout and back in for those times when I
get carried away with CTRL-D. :)

Problem: What if the libraries are messed up? getty won't work. So how
does rc.sysinit handle it?

Poking around in there, you'll find that when fsck fails, /sbin/sulogin is
called to do that " Give root password for system maintenance\(or type
Control-D for normal startup): " and handle login that way. However, that
again depends on libraries working, logins enabled, etc.

I think the best way around this is to compile a static getty and allow it
to login without a password, then only run it in runlevel 1 or S.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|








Re: sendmail:What are they trying to do?

2000-12-07 Thread Bill Carlson

On Thu, 7 Dec 2000, Michael Burger wrote:

 Alphabet spam...they take a ton of combinations, and go in
 alphabetical order.

 I've seen systems with improperly configured swap space literally
 come to a crawl, because the mailserver winds up chewing up so much
 memory while trying to process this crap.


I thought that was it, but they never actually send anything. The message
ends up 0 bytes.

I even ran sniffit to capture exactly what they were sending the mail
server, there isn't an actual message sent. Not exactly the way to send
SPAM.

My only other thought is a DOS attack, but it doesn't even come close.

I have noticed the addresses are never repeated. I tried setting up some
valid aliases so I would at least get a copy of the message, no dice.

*shrugs*

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






RE: sendmail:What are they trying to do?

2000-12-07 Thread Bill Carlson

On Thu, 7 Dec 2000, Burke, Thomas G. wrote:

 But doesn't sendmail bounce back a "invalid address" message for every one
 that doesn't find a valid address?

 I'd get their ISP involved in this, as it is certainly no better than a port
 scan.


I did get with their ISP and included log files with time/date and all
that good stuff. No response yet (it's been a couple weeks).

There isn't a bounce as the message is 0 bytes.

Basically, the traffic goes like this, from the remote machine:

---
HELO mail.nowhere.com
MAIL From: [EMAIL PROTECTED]
RCPT To:[EMAIL PROTECTED]
RCPT To:[EMAIL PROTECTED]
snip, more of the same, 30 lines worth or so
RCPT To:[EMAIL PROTECTED]
RCPT To:[EMAIL PROTECTED]
RCPT To:[EMAIL PROTECTED]
---

Hmmm, could be sendmail cutting off the message because of too many RCPTs
I suppose... You know, it's always easier to find the answer by trying
to explain the problem to someone else. :)

Thanks!

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: level S on serial console

2000-12-06 Thread Bill Carlson

On Wed, 6 Dec 2000, Matthew Melvin wrote:

 But when I go to single user mode init shows me the "bash#" prompt but that's
 it.  I can't use the bash prompt or anything.

 Anyone who's struck this problem or knows what's going on.. I'd love to hear
 from you. :)  A serial console that doesn't work in single user mode is
 rather pointless.

Hey Matthew,

Can you give some more details, like the contents of /etc/lilo.conf for
the kernel in question and the line from /etc/inittab where you start
getty for the serial console?


Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|









Re: Run program on boot?

2000-12-06 Thread Bill Carlson

On Wed, 6 Dec 2000, Tim Smolen wrote:

 How do I have Linux execute a program when it boots? Basically I want to
 turn the pc on, have linux boot, and then run my program until it's
 shutdown. I'd like not to have to log in or anything. Is this possible?


That really depends on the program and what it is supposed to do. If it's
a server-type program that doesn't need interaction, starting it from
/etc/rc.d/rc.local should work fine.

If it is something that needs interaction, there are a couple of ways to
go.

One way is to use open (included with Redhat, but typically not installed
by default). Read the man page, but basically you can do this:

open -c 11 -- top -s

to open top in secure mode (-s) on /dev/tty11 (virtual console 11).
I usually stick that command in /etc/rc.d/rc.local on my server machines
so I can get to top in a hurry when alarms start going off. :)


HTH,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: screen blanking

2000-12-04 Thread Bill Carlson

On Mon, 4 Dec 2000, Mitchell K. Smith wrote:

 I am using Red Hat 7.0.

 When working at the command line (without X) I can turn off screen blanking
 by doing a
 setterm -blank off

 I have two questions.

 Does the setterm option "stick" upon rebooting?

No. And sometimes sticking 'setterm -blank off' in /etc/rc.local doesn't
work, I believe something in the console VGA font support startup resets
it as I recall.

You could add it to your .bash_profile though.

 Can I turn off screen blanking when using Gnome?

xset s 0



HTH,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: boot floppy question

2000-12-04 Thread Bill Carlson

On Fri, 1 Dec 2000, Statux wrote:

 method works). It's also the option to use if you want to bypass the
 bootloader and start things up quickly from disk. mkbootdisk will give you
 lilo and will boot very slowly. So, there is a major difference. It all

mkbootdisk is handy if you require modules to boot, for example for a SCSI
controller.

However, most of the people who compile their own kernels don't use
modules for their primary boot device (though including some alternate
drivers as modules would be a good idea).

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Chicken-and-egg problem with glibc and rpm

2000-11-30 Thread Bill Carlson

On Thu, 30 Nov 2000, John N. Alegre wrote:

 will work for packages that are mutually dependent.  But when I tried this with
 rpm and glibc going from RedHat 5.2 -> 6.0 the exact thing Thomas is pointing
 out happened and it took me a week to get the system back to where it was to
 begin with.

 Is there anyone who has taken RedHat 6.2 rpm and glibc to the 7.0 level using
 rpm.  If so please share the way you did it.  It might be necessary to build
 and install glibc from the tarball, upgrade rpm, remove the tarball files and
 then upgrade glibc with the rpm.


John,

I haven't done it, sorry. But, you could try rebuilding the RPM source
rpm on your machine, I'm guessing that the original was built on a machine
with the newer glibc, which is why it is causing you problems. Try
installing the RPM source rpm and checking its spec file for a
requirement on glibc, my guess would be there isn't any.

I've done this in the past with various contributed RPMs that needed some
weird library versions, rebuilding the rpm in my environment usually does
the trick.

HTH,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: pop3 email + web admin

2000-11-29 Thread Bill Carlson

On Wed, 29 Nov 2000 [EMAIL PROTECTED] wrote:


 We're in the process of setting up a basic POP3 email system for around
 20,000 users.  This is going to be on a fairly large RedHat Linux 6.2
 system.  I can setup the POP3/MTA servers myself, but I'm running into
 trouble deciding on administration tools.

 We're going to have some fairly inexperienced people doing basic user
 account stuff (password resets and name changes, etc.)  This means
 teaching them about "usermod" and other things using sudo might be tough.
 Are there any web based admin tools that let you admin just users info
 like passwords, name, etc (or can be RESTRICTED to assign a user to just
 manage that) I looked at webmin, but it seems to offer too much in this
 case, and doesn't let you change users passwords from its web interface.

Webmin can be restricted to certain functions, though I'm not clear on how
fine grained it is. Might be worth a closer look, remember that you'll get
the benefit of remote administration as well.

 Email forwarding will be a big issue also, since many people will simply
 want to forward their email to another address.  Are there any web
 interfaces that let the user login with their ID and password and type in
 a new email address that'll create the .forward file in their home dir?

If you haven't already setup the POP3/MTA, a good combination I've found:

qmail + vmailmgr + Courier IMAP + omail-admin + TWIG

This combo gives you mailboxes that don't need a system account, web based
management for both the individual users as well as an admin. I threw in
IMAP and TWIG as usually the next thing needed is web-based email.

You'll find all the related sites via freshmeat.net.

Good Luck,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: SMTP mail realy problem. Please help.

2000-11-27 Thread Bill Carlson

On Fri, 24 Nov 2000, John N. Alegre wrote:

 An error occurred while sending mail.
 The mail server responded:
[EMAIL PROTECTED] ... Relaying denied
 Please check the message recipients and try again.

 Now when sending mail to [EMAIL PROTECTED] from the machine running
 sendmail this address will work just fine.  What am I missing?  There must be
 some config file that tells sendmail to relay all mail from other IPs on this
 LAN just as it does for mail from that same machine.  What is it?

Hey John,

Put the IP address of the Mac in /etc/mail/ip_allow. You may have to HUP
sendmail to get it to see this change. This says to allow relaying from
Mac.

NOTE: If that file doesn't exist, then your setup is different from my
Redhat 6.x. I'm assuming you're using the stock sendmail that comes with
Redhat.

Good Luck,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: Athlon Thunderbird RH6.2

2000-11-27 Thread Bill Carlson

On Mon, 27 Nov 2000, Stu Owen wrote:

 For those that are interested, I found the solution by using the
 parameter 'x86_serial_nr=1' at the lilo prompt. I can then at least get
 into the system and rebuild the kernel to remove the problem.

 Stu Owen wrote:

  I am trying to install RedHat 6.2 on a machine running an Athlon
  Thunderbird 850MHz (Socket A), with an Asus A7V motherboard.
  The installation program works fine but once the process is complete
  and I try to boot into my new OS the kernel crashes with a general
  protection fault right at the beginning.
  The error occurs when it is trying to 'disable CPUID serial number'.
  The processor has been correctly identified as AMD Athlon.

Hey Stu,

Just clarifying, what kernel did you select for the installation? I would
not expect a kernel compiled for i386 to include that serial number
business.

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Controlling Process Order/Timing

2000-11-27 Thread Bill Carlson

On Mon, 27 Nov 2000, Cameron Simpson wrote:

 On Sat, Nov 25, 2000 at 04:31:23PM -0700, SoloCDM [EMAIL PROTECTED] wrote:
 | I'm trying to force commands following each other in a script to
 | execute one at a time once the preceding command has finished.

 But this is the _normal_ behaviour!

   command1
   command2
   command3

 will execute in sequence.

 | I applied the command nice with the options to a list of commands and
 | didn't get the results I was seeking.


Perhaps what SoloCDM really wanted was to execute the command only if the
original command succeeded, in which case you'd want:

command1 && command2 && command3

assuming the shell is /bin/sh or /bin/bash.

In order to nice those processes, you'd have to tell the shell you meant
all of them:

nice /bin/sh -c "command1 && command2 && command3"

or make it a shell script (which is essentially what the above does).

HTH,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|








RE: Bash questions

2000-11-22 Thread Bill Carlson

On Tue, 21 Nov 2000, Stan Isaacs wrote:

  The full comment in /etc/bashrc on my machine (RH6.0) is:
 
  # For some unknown reason bash refuses to inherit
  # PS1 in some circumstances that I can't figure out.
  # Putting PS1 here ensures that it gets loaded every time.
  PS1="[\u@\h \W]\\$ "
 
  Sounds pretty clear to me.

 Thanks for quoting it for me.  That's exactly the question I'm asking:
 What is the "unknown reason"?  Has anybody figured out the circumstances?
 Then maybe I could decide if it's worth while to pull the setting out of
 /etc/bashrc.


I don't have an older box handy, but IIRC that comment has been there for
quite a while, it might be an old bug in bash that whoever created the
comment worked around rather than figure out. One could try commenting it
out in /etc/bashrc and see what happens.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






RE: Bash questions

2000-11-21 Thread Bill Carlson

On Mon, 20 Nov 2000, Stan Isaacs wrote:

A beginner simply takes the "|" to work like a ";", and their limited
 testing seems to show that to be correct.  They are likely never to get
 processes that take enough time to show the mistake, in simple testing.
 Perhaps you are correct, that we should give up shell scripting and go
 directly to perl!

I would say that this is perfect thing to cover in your class. This
'bug/feature' illustrates three things:

1) The shell does exactly what you tell it, even if it makes no sense.

2) Just because something works doesn't mean it's right.

3) It is important to know how things work, rather than just what motions
to go through.


The PS1 thing is another opportunity, show how it really gets set and why.
On RedHat, .bash_profile sources .bashrc which sources /etc/bashrc. So,
where should one set PS1? At the end of .bashrc or .bash_profile,
depending on how subshells should behave.

The full comment in /etc/bashrc on my machine (RH6.0) is:

# For some unknown reason bash refuses to inherit
# PS1 in some circumstances that I can't figure out.
# Putting PS1 here ensures that it gets loaded every time.
PS1="[\u@\h \W]\\$ "

Sounds pretty clear to me.

$.02

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






New Pine 4.30 RPM

2000-11-13 Thread Bill Carlson

Hey all,

If you're a pine user like myself and want to upgrade to the latest
4.30 pine (which you should for the security fix), you'll find the update
RPM wants a bunch of things installed that you probably don't want.

Things like:

error: failed dependencies:
krb5-libs is needed by pine-4.30-1.62
libcom_err.so.3 is needed by pine-4.30-1.62
libcrypto.so.0 is needed by pine-4.30-1.62
libgssapi_krb5.so.2 is needed by pine-4.30-1.62
libk5crypto.so.2 is needed by pine-4.30-1.62
libkrb5.so.2 is needed by pine-4.30-1.62
libssl.so.0 is needed by pine-4.30-1.62



To get around this without installing SSL, LDAP and Kerberos libraries,
get the source rpm and add this to the top of /usr/src/redhat/pine.spec:

%define nossl 1
%define noldap 1
%define nokerberos 1

Then you'll be able to build pine without any of these development
libraries installed.

Good Luck,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Primary and Alternate Web Site

2000-11-10 Thread Bill Carlson

On Thu, 9 Nov 2000, Ed Lazor wrote:

 
 What you need is the second server to assume the primary server's IP address.
 
 What if the two servers are at different ISP's?
 

This is a sticky problem, one that I've been working on for a year (off
and on).

When a DNS entry points to more than one IP address, the server typically
alternates between the IPs for each request. Unfortunately, the root
servers do the same thing, meaning the term Primary Name Server as used by
Network Solutions and company is wrong, the root servers point requests to
ALL the name server entries for a domain. They do NOT check to see if a
name server is up before responding (which makes sense, there are way too
many name servers out there to be doing that).



If the goal is strictly high availability, not load balancing, it could be
handled with DNS.

First, make each server the primary. In other words, both machines should
act like they are the proper server. Let's call them A and B, though you
could have A,B,C and D, etc.

Setup DNS such that A and B are both authoritative, ie, the root DNS
servers list A and B as name servers.

Then config A's DNS such that www.some.where points to A and B's DNS so
that www.some.where points to B.

When a web request is made, the client will first have to resolve the DNS,
which will control which server is eventually accessed. If the client
can't reach A, it won't resolve www.some.where -> A and will eventually
have to ask B.

Caveats:

If you have a web-based application that tries to maintain state
information, this will not work.

Fail over time in the case that A dies is controlled by the time to live
(TTL) of the DNS records. Set the TTL really low, you'll get lots of DNS
traffic; set TTL high and the fail over will take a while. 

Traffic will be distributed amongst the web servers, but not evenly nor
based on load.


Not a great solution, but it is a solution.

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Wierd Happenings....

2000-11-10 Thread Bill Carlson

On Thu, 9 Nov 2000, Thomas Ribbrock wrote:

 On Thu, Nov 09, 2000 at 09:46:08AM -0600, Bill Carlson wrote:
 [...]
  So, is there a consensus, should rpm -Va be trusted after a successful
  attack?
 
 I'd say, the easiest way to accomplish that would be to take a copy of
 the RPM database (onto an external medium, e.g. floppy) each time you
 change something.

Ick. Might as well use tripwire instead.

 Other than that my guess would be that if up to now no one has yet
 changed that database, it's probably only a matter of time until they
 start doing so... (Hm, wouldn't it suffice to simply delete the database
 to foil using rpm -Va?)

True, they could just delete it. But it seems like many people, including
myself, use rpm -Va to answer 'Have I been cracked?'. Deleting the rpm
database leaves no doubts. :)

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Wierd Happenings....

2000-11-09 Thread Bill Carlson

On Thu, 9 Nov 2000, Rick Warner wrote:

 1) Find out what has changed on the machine.  Use 'rpm -V' against all
 packages and see what was modified.  If they had root access, it is likely
 they changed some system utils to add a backdoor.

Sorry to hear you've been hacked Fred. 

On a related note, has anyone had their RPM database scrambled during an
attack? 

Since there is nothing protecting the database once root access is
obtained, rpm -Va shouldn't be trusted. But, I've not heard of any
attack yet that bothered to fix up the rpm db, it seems to me that would be
a fairly difficult thing to do. 

So, is there a consensus, should rpm -Va be trusted after a successful
attack?

Later,

Bill Carlson
-- 
Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







RE: Kind of OT: (Redhat) Linux vs NetWare?

2000-11-01 Thread Bill Carlson

On Wed, 1 Nov 2000, Dan Harrington wrote:

 my _personal_ view of novell netware is that it is a simply RIDICULOUS
 solution.
 It is so pathetic.
 Drop it like a hot potato.
 

Just to ride the other side of the fence, Netware is great at what it is
meant for: file and print sharing. Simple to admin and works well given
good hardware and such. I've seen Netware servers with 1 year of
uptime. Granted, with the recent releases like 5.x, they've included way
more features that simply add bloat, but you can turn most of them off.

Now, if you were deciding a new solution, the story would be
different. But in this case, if it ain't broke, don't fix it.

$.02

-- 
Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Serial connection to another box

2000-11-01 Thread Bill Carlson

On Wed, 1 Nov 2000, Todd A. Jacobs wrote:

 I need to use a null-modem cable to connect my Linux box as a terminal to
 a Solaris box. In the Windows world, I'd use Hyperterminal or (better yet)
 SecureCRT to run the terminal session. On Linux, I can't seem to find
 anything that does the same sort of job.
 
 As far as I've been able to see, minicom works ONLY as a modem dialer, and
 doesn't seem to support non-modem serial lines. Can it be used this
 way? If not, what programs can?

minicom will do what you want. When setting up the connection, remove the
init string and set the handshake and speed appropriately. When you start
minicom, it should see that the line is already up and you're in business.


-- 
Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






RE: Key-combo to send process to background?

2000-10-31 Thread Bill Carlson

On Tue, 31 Oct 2000, kf wrote:

 
 Yeah, but you have to do the nohup at the beginning.  I.e., you'll have to
 Ctrl-C out of the app and restart it inside of the 
 
 nohup [app args ...] 
 
 If you're doing much of this, see man screen.  The "screen" utility allows
 you to start an app in a "window" close the window, go to another net
 node, and open it back up again there.
 
 hth,
 kf
 

If you happen to be running bash 2.x, you can also use the 'disown'
builtin. 'disown -h' is handy, as it keeps the job from getting killed
when you log out, but keeps it in your jobs list.

man bash for details.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Headless linux boxes, monitors through serial ports? Plus Q onWyse 30,50,60,150 models as monitors

2000-10-18 Thread Bill Carlson

On Mon, 16 Oct 2000, Dan Browning wrote:

 I've read recently about running linux boxes that can use mgetty, vgetty, or
 something-getty on certain serial ports as monitors (instead of using a
 normal vga video card / monitor combo).
 
 How is this done?
 Is there a website for it?
 Where can I learn more?

Hmmm, I would have sworn there was a HOWTO that covered this, but I can't
seem to locate it.

At any rate, take a look at:

http://www.linuxhq.com/kernel/v2.2/doc/serial-console.txt.html

 
 This may not be related, but is there anyway to use old WYSE 30's,
 50's, 60's, and 150's and have either green, amber or white screens as
 monitors for linux boxes?  Is it as simple as a WYSE-serial converter
 device, or does it require an internal ISA or PCI card, or is it just not
 possible?

You'll certainly be able to reuse those WYSEs assuming they are all serial
terminals. The fun part is getting the proper cables, spending $5 for one
of those serial line analyzers is well worth it when troubleshooting these
things.

I use an old DEC vt520 as a console for several rack mounted machines, the
only thing you can't do is access the BIOS. Some recent x86
motherboards/chipsets allow for BIOS access over the serial port as well.

Good Luck!

 
 Thanks,
 
 Dan Browning
 Network & Database Administrator
 Cyclone Computer Systems
 
 
 
 

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: solaris or linux

2000-10-17 Thread Bill Carlson

On Mon, 16 Oct 2000, Martin A. Marques wrote:

 Well, thankfully I was asking for that kind of information. HOW-TOs, 
 articles, papers, etc. Benchmarks would be appreciated.
 Does somebody know where I can search the linux-kernel archives?

The Solaris user license specifically forbids publishing any kind of
benchmarks of Solaris, which is why you won't find many. SUN also tends to
only enter their stuff in benchmarks/tests they feel they'll win.

One reason to use Linux over Solaris: Solaris is all about money in the
end, Linux is not (though it can be if your only support is through a
vendor). I'm not saying being profit-motivated is a Bad Thing (tm), but it
is a good idea to consider motives when dealing with anyone. 

$.02

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Linux firewall/router on 420M drive? Plus other questions...

2000-10-13 Thread Bill Carlson

On Thu, 12 Oct 2000 [EMAIL PROTECTED] wrote:

 I want to setup a Linux firewall/router to share my internet connection between
 several computers.  Problem is, I only have an old 420meg harddrive to use (rest
 of system is Cyrix 166 w/64meg RAM).  Is this possible?
 

You might want to take a look at Smoothwall (http://www.smoothwall.org/)

It will run on as little as a 150 MB drive and includes a web-based admin
package for the firewall part. It doesn't include as much as the regular
distributions, but then it is intended solely for the purpose you
indicated: sharing a dialup connection securely with other machines.

I've set it up, it's fairly easy to get going. Word of Warning: The drive
you install on will be erased and used for Smoothwall!

I found it a little on the basic side in the 20 minutes I spent digging
around, but if all you need is a simple firewall that others can fire up
from a webpage, it does the job.

Good Luck,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Network Design

2000-10-04 Thread Bill Carlson

On Tue, 3 Oct 2000, Gordon Messmer wrote:

 On Tue, 3 Oct 2000, Jason Costomiris wrote:
 
  don't care about the extra i/f's.  Does IPchains not like that?
 
 ipchains is fine with multiple interfaces, you can specify rules by
 interface or network address.  The two firewall approach is probably over
 the top, and potentially more troublesome.
 
 MSG

I've run a two firewall setup, it was no more troublesome than a single
setup. The advantage is that an attacker would have to crack two boxes to
get to the private LAN as opposed to one. In this case it would be three!

My external webserver is less important than my entire internal network.
:)


$.02

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: console System monitor?

2000-09-15 Thread Bill Carlson

On Thu, 14 Sep 2000, Mikkel L. Ellertson wrote:

 On Thu, 14 Sep 2000, Charles Galpin wrote:
 
  Hey chuck, are working or playing over there? :)
  
  He said *no* X btw.
  
  charles
  
 One other possibility that he may not have thought of is to use an X
 based program, but have it display on another machine.  That way, it
 wouldn't put any load to speak of on the server, and you could check it
 from a workstation on the network.
 

Another thought, you probably want to monitor several machines in this
fashion, so a network monitoring package like Netsaint
(http://www.netsaint.org/)
or Big Brother (http://bb4.com)
might be a better fit for what you want to do.

See also http://freshmeat.net/appindex/Console/Monitoring.html

$.02

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: is this true??

2000-09-15 Thread Bill Carlson

On Thu, 14 Sep 2000, Kurt A. Brust wrote:

 Sorry, but going from 5.x to 6.x , does (IN REALITY) need to be fresh
 installed... the install overwrites just about everything... don't mean to burst
 your bubble...
 

Stop the madness!

This is simply not true. There are better ways to go about this than 
installing from scratch. We ain't talking Windows here.

Upgrade 5.2 to 6.0 (which worked pretty well as I recall), then 6.0 -
6.2. This is a good reason to grab older CDROMS at your local LUG (you do
have a Linux User Group nearby, right?).

Some things will need some tweaking, but you certainly do not need to
reinstall the machine every time a major version comes along.

I've upgraded a machine from 4.0 to 6.0...minor tweaking to get some
things working, a recompile here and there, but not too bad.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Centralized Network Security

2000-09-13 Thread Bill Carlson

On Tue, 12 Sep 2000, Jamin Collins wrote:

 I've been looking for a good means of centralizing my network login and
 passwords.  Currently each system has its own list of local users and
 passwords.  I've looked at NIS as a possibility, but the HOWTO indicates a
 few items that concern me.  Such as, shadow password security being lost
 if it is used over NIS.  Is there something more secure/preferred than NIS?
 

LDAP seems to be the current vogue.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Apache not finding Virtual Host doc (What's the trick?)

2000-09-13 Thread Bill Carlson

On Tue, 12 Sep 2000, Jonathan Wilson wrote:

 Well, I'm trying to set up this virtual host,  and I'm getting "Forbidden" 
 messages:
 
 here, I'm using the IP directly:
 
 Forbidden
 You don't have permission to access / on this server
 
   Apache/1.3.12 Server at bogus_host_without_reverse_dns Port 80
 
 Here's my directory listing:
 [admin@claborn1 admin]$ ls -ld /Webhomes
 drwxrwxr--   4 admin    cscadmin     1024 Sep 12 11:14 /Webhomes
 [admin@claborn1 admin]$ ls -ld /Webhomes/Test/
 drwxrwxr-x   2 admin    cscadmin     1024 Sep 12 11:20 /Webhomes/Test/
 [admin@claborn1 admin]$ ls -l /Webhomes/Test/
 total 2
 -rw-rw-r--   1 admin    cscadmin      142 Sep 12 11:20 index.html
 

What user does Apache run as? I would guess your problem is /Webhomes,
without execute permissions for 'other', the webserver can't get a
directory listing for /Webhomes.

Try 'chmod o+x /Webhomes'.

This assumes the webserver is not running as user admin or group cscadmin.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|
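
The check suggested in the reply above, extended to every directory on the way to the file, as an added example that is not part of the original post. The function name is hypothetical; it assumes GNU stat and, like the reply, that the web server runs as neither the owning user nor the owning group.

```shell
#!/bin/sh
# Added example (not from the thread): find what stops a process running as
# "other" from reaching a file. The function name is hypothetical.
# Assumes GNU stat (stat -c '%a').

# blocked_for_other /abs/path/to/file
# Prints, top-down, each ancestor directory that lacks the other-execute
# (search) bit, then the file itself if it lacks other-read.
# Exit 0: reachable. Exit 1: something blocks. Exit 2: bad argument.
blocked_for_other() {
    case $1 in
        /*) ;;
        *) echo "need an absolute path" >&2; return 2 ;;
    esac
    [ -e "$1" ] || { echo "no such file: $1" >&2; return 2; }

    # Build the list of ancestors, ordered from / downwards.
    d=$(dirname "$1")
    chain=$d
    while [ "$d" != / ]; do
        d=$(dirname "$d")
        chain="$d
$chain"
    done

    rc=0
    while IFS= read -r d; do
        m=$(stat -c '%a' "$d")
        # Octal 01 is the execute (search) bit for "other".
        if [ $(( 0$m & 01 )) -eq 0 ]; then
            echo "$d (mode $m): other cannot traverse, needs o+x"
            rc=1
        fi
    done <<EOF
$chain
EOF

    m=$(stat -c '%a' "$1")
    # Octal 04 is the read bit for "other".
    if [ $(( 0$m & 04 )) -eq 0 ]; then
        echo "$1 (mode $m): other cannot read, needs o+r"
        rc=1
    fi
    return $rc
}
```

With the modes from the listing in the question (774 on /Webhomes, 775 on Test, 664 on index.html), only the /Webhomes line is reported.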







Re: Two ethernets in same box question

2000-09-06 Thread Bill Carlson

On Tue, 5 Sep 2000, Vidiot wrote:

 Charles responded:
 
 I think you could just switch the slots the cards are in if you find the
 order changes on you. Also if it does change, it's really not that big a
 deal to change eth0 to eth1. 
 
 I suspect that if it does turn the configurations around, I can just swap
 the cables :-)  As long as every reboot results in the same, then that is
 no big deal.


I've got a similar setup running with identical NICs, which one is
assigned eth0 depends on the BIOS, but unless the BIOS changes (Flash
upgrade, new motherboard, etc.) the assignment stays the same. 

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: [OT] perl question [answered]

2000-09-06 Thread Bill Carlson

On Wed, 6 Sep 2000, Bret Hughes wrote:

 Thanks for the tips guys.  As I was looking at my code, I
 realized that I had not actually tried the combination that I
 posted.  What I did try was:
 
 @resarray= split /"\n"/, $resstring;
 
 Which for some reason I can not discern, puts everything
 (multiple lines) in the first element of the array.   If some
 one would care to educate me on why that is I really would like
 to know. I thought the " allowed interpolation of the special
 backslashed chars.

Bret,

You don't need the quotes in a regex expression. The string is in the
first element of the array because your expression didn't match anything,
ie there are no sequences  "\n" in the string. You want:
@resarray = split /\n/, $resstring;

Now, whether that actually does what you want depends on what is in
$resstring to begin with. You might try running the app with perl in debug
mode (a good thing to learn).

HTH,


Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Ark Ethernet 10/100 card supported?

2000-08-30 Thread Bill Carlson

On Tue, 29 Aug 2000 [EMAIL PROTECTED] wrote:

 
 Hello,
 
 Does anyone know if the Ark 10/100 ethernet card is supported?  Does it
 emulate another card/chip?
 

Depends on the model of Ark card. The ones that Computer Gate sells use
the RealTek 8139 chipset, I've got 4 or 5 of these running.

From the box I have, model is: "NX10/100D"

The Redhat 6.2 kernel has the driver built for it, though it is marked
experimental in the kernel sources.

Works great, especially for $8 a pop.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






RE: RH 5.0., RH 5.2 functionality

2000-08-28 Thread Bill Carlson

On Mon, 28 Aug 2000, Ward William E PHDN wrote:

 The thing is, even if the system is NOT Y2K proof, the OS is.
 Therefore, boot the system, and reset the clock... voila, it 
 should work (worst case) or not even need to have the clock
 reset (it just couldn't handle roll over, best case).
 
 Just picked up a surplused PC for $30 complete with NIC,
 SVGA monitor, 340 MB HD, 16 MB RAM (yeah, a 486, but the 
 monitor alone was worth $30) for use as a SAMBA print server/
 firewall/IP MASQ box that the government surplused as non Y2K
 compliant I bet it'll work fine with 6.2 (I start the 
 install tonight).
 
 Bill Ward
 

Word of warning Bill, the new installer seems to require a good deal more
memory than the older versions (pre 6.1). I think 16 MB is the cutoff
point though, so you should be fine.

I worked around this on an 8 MB machine by installing with the drive in a
different machine and moving it once I was done. That was 6.1 and an early
release of 6.2, the latest images may be better.

Good Luck!

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Webmail interface for multiple domains.

2000-08-25 Thread Bill Carlson

On Fri, 25 Aug 2000, UK Jaiswal wrote:

 Hi,
 
 I have to install one Web-mail interface like hotmail where users of
 multiple domains can log in and check their mail. This is required where
 :
 # an organisation has assigned its 3-4 departments different domains/
 sub-domains
 # it is using a single mail-server for all the domains/ departments.
 
 I guess it is better to use exim (as it supports virtual domains) and
 cyrus-imapd (as it does not need users to be created on the system). 
 I hear that imp is good for the web-mail interface but I understand that
 it does not support multiple, virtual domains.
 

I've recently been through installing the following: qmail + vmailmgr +
Courier IMAP + omail-admin + IMAP Web client of choice

The combination of Courier and vmailmgr allows virtual domains, complete
with unique usernames per domain (user@domain1 and user@domain2 are 2
separate boxes). And qmail is a great piece of software. The omail-admin
piece gives a web-based administration for all the email accounts, very
handy.

Start at www.qmail.org.

Later,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: ssh without password

2000-08-22 Thread Bill Carlson

On Mon, 21 Aug 2000, Kevin Wood wrote:

 If you look at the command ssh-keygen, this is what you will need.
 
 Run the command ssh-keygen as the user you will be logging into the
 remote machine with.
 This will produce a identity key and an identity.pub key located in the
 ~/.ssh/ directory. Now on the remote machine, make a directory called
 ~/.ssh with the same user name again.  Copy the identity.pub key  to
 ~/.ssh/authorized_keys.  Then try to login again.  This should allow you
 remote access without a password.  If I am mistaken or have missed any
 steps, would someone let me know.  Thanks
 
 Kevin

The step you missed is permissions on the .ssh directory and
.ssh/authorized_keys. Set both to be rw for the user only:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

ssh checks the permissions before checking the keypair and will fail if
they are too open.


Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: ssh without password

2000-08-22 Thread Bill Carlson

On Tue, 22 Aug 2000, Steve Manuel wrote:

 This is correct but there is one little wrinkle that needs to be addressed.
 When you run ssh-keygen it will create the public/private keypair then ask
 you for a password. You should *not* type a password. Just press the enter
 key. I believe it asks for the password twice so press enter twice. It
 struck me as odd that ssh would ask for a password for something that was
 to automate logging in. However there is a reason. 
 
 The idea behind using ssh-keygen is so that you not only have to use a
 password but you also have to have the matching private key of the public
 key on the system you are logging into (this is what is in the
 authorized_keys file). The default usage of ssh only asks for a password
 which means that if I knew your password I could easily login to a remote
 system using 'ssh -l yourusername host.domain.com'.  However, if you have
 generated the public/private keypair I now *have* to be on the system that
 has that private key because ssh is doing two things: verifying password and
 matching the keys.
 
 The up-shot of all this is if you generate the public/private keypair
 without specifying a password, ssh will just do a keypair check. If they
 match, you're in. If they don't, you're not.  
 

The reason for using a pass phrase (it can be long) is to protect the
key. If the account with the private key without a pass phrase is
compromised, so is any account that accepts that key (and a quick run
through ~/.ssh/known_hosts will point those out). Anyone (say, root) that
has access to ~/.ssh/identity can hijack that key.

What to do about scripting? Look at man ssh-agent, basically it will allow
the pass phrase to be entered once per login rather than once per ssh
session.

As always, it's a trade-off between security and convenience.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|
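
The two points from the ssh replies above (permissions on ~/.ssh and authorized_keys, and private keys stored without a pass phrase) can be checked per account with a script like this one. It is an added example, not part of the original messages; the function names are hypothetical, and it assumes GNU stat and OpenSSH's ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the thread): audit an account's SSH directory.
# Function names are hypothetical. Assumes GNU stat and OpenSSH ssh-keygen.

# mode_of FILE -> octal permission bits of FILE, e.g. 700
mode_of() {
    stat -c '%a' "$1"
}

# has_bits MODE MASK -> exit 0 if MODE has any permission bit from MASK set
# (both arguments are octal digit strings without a leading 0)
has_bits() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# audit_ssh_dir DIR -> prints one line per finding.
# Exit 0: nothing that makes OpenSSH refuse the files.
# Exit 1: at least one REJECTED or UNPROTECTED finding.
# Exit 2: DIR does not exist.
audit_ssh_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        if has_bits "$m" 022; then
            # sshd with StrictModes ignores files that group/other can write
            echo "REJECTED $f (mode $m): writable by group or other"
            rc=1
        elif has_bits "$m" 077; then
            # Accepted by sshd, but looser than the 700/600 from the post
            echo "NOTE $f (mode $m): looser than 700/600"
        fi
    done

    for f in "$dir"/identity "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        m=$(mode_of "$f")
        if has_bits "$m" 077; then
            # The ssh client refuses a private key group/other can access
            echo "UNPROTECTED $f (mode $m): private key open to group or other"
            rc=1
        fi
    done
    return $rc
}

# key_lacks_passphrase FILE -> exit 0 if the private key loads with an empty
# pass phrase, i.e. anyone who can read the file can use the key.
# The key file must already be mode 600, or ssh-keygen refuses to load it.
key_lacks_passphrase() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}
```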






Re: how does one successfully Adding PHP4 as a DSO to a stock 6.2apache and stock mod_perl

2000-08-16 Thread Bill Carlson

On Tue, 15 Aug 2000, Pete Lancashire wrote:

 edit the httpd.conf file to move the Load/Add module and start httpd.
 Thats as far as it gets.

Are you starting httpd manually or via /etc/rc.d/init.d/httpd?

Try httpd -t , that will check for syntax errors, though I doubt that's
the problem. That's something I've noticed in DSO support, if one of the
modules croaks, there are no errors posted, the thing just dies.

I just did this on a Turbolinux box, I'd look and see what I did but its
power supply kind of caught on fire (well, charred really well anyway). I
seem to remember I moved the LoadModule line before the AddModule to get
it going, but that was a week ago.

Do you have mod_php3 installed? I found the two would not live happily
together, removing the php3 support got it going.

Good Luck,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: https server and web mail interface

2000-08-16 Thread Bill Carlson

On Wed, 16 Aug 2000, Dan Horth wrote:

 Hi - I'd like to set up a web mail interface for our mail server for 
 remote users to check and send mail. I'm looking into this as a way 
 of increasing the security of our server - by stopping off-site users 
 from using POP to check their mail. I'm intending on blocking POP 
 connections from off-site once webmail is implemented...
 
 a) I can set up https on our apache server with available info at 
 http://www.apacheweek.com/ but I don't know where to start in setting 
 up a web mail interface - can you suggest one that works well with a 
 redhat 6.2 server?
 
 b) so long as I force all web mail transactions to be through the 
 secure server then this will provide a better level of security than 
 POP with cleartext passwords - specially when our users are using 
 systems such as hotmail or yahoo mail to fetch their pop mail - or am 
 I being deluded here?
 
 c) is there a better way of approaching this security issue?
 
 any pointers, how-tos, urls or horror stories would be greatly appreciated!
 
 thanks in advance, dan.

Dan,

What is your security concern? Exploits against the POP daemon? Cleartext
passwords over the Net? Do your users have login privileges on the box?

Depending on the answers to those questions, the solution shall reveal
itself. :)

First thing I would do is move to a setup that allows POP accounts without
having to have a system account for each user. There are plenty of ways to
do this, check

http://linuxdoc.org/HOWTO/Qmail-VMailMgr-Courier-imap-HOWTO.html

This setup gives you an IMAP server and switches the MTA from sendmail to
qmail (which I have been very happy with). Once this is setup, you can
install any web client that supports IMAP. Imp is one that I've heard is
very good (though it can be tricky to setup). Another is SquirrelMail
(http://www.squirrelmail.org/), I had this one set up within 10 minutes.
 
Good Luck,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: athlon socket a

2000-08-16 Thread Bill Carlson

On Tue, 15 Aug 2000, Hidong Kim wrote:

 Hi,
 
 Is anyone here using the socket A athlon with Linux?  I'm thinking about
 getting one.  Thanks,
 

I have an Athlon machine, runs well. It's slot A though, 800 MHz.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Most stable window manager?

2000-08-16 Thread Bill Carlson

On Wed, 16 Aug 2000, Thomas R. Shannon wrote:

 In addition to the suggestions which have been made (all good so far),
 I can say that once set up, Sawfish has never crashed on me.  That's
 saying quite a bit for such a young program.
 
 I run GNOME with Sawfish but I'm also going to chime in here.  If you
 aren't running GNOME, WindowMaker is the best stand alone WM out
 there.  Absolutely hands down.
 

I prefer Afterstep out of all that I tried. I didn't spend all that much
time with WindowMaker, I admit. I've had AfterStep stay up for several
months at a time (ie, login once and work work work). Limited KDE or
Gnome support, but then those are a little bloated for my tastes anyway.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Modular kernel and SCSI host nightmare.....

2000-08-11 Thread Bill Carlson

On Thu, 10 Aug 2000, Gordon Messmer wrote:

 On Wed, 9 Aug 2000, kevin wrote:
  How do I change the boot sequence from loading Advansys to AIC-7xxx? I've 
  tried changing /etc/conf.modules which appears to work after boot as the 
  network card adjustments are ok, but no such luck with the SCSI host.
 
 cd /boot
 mv -f initrd-`uname -r`.img /tmp
 mkinitrd initrd-`uname -r`.img `uname -r`
 lilo


This assumes your "new" kernel is the same version as the currently
running kernel. If you are upgrading the kernel, replace the `uname -r`
with the version number listed in /lib/modules for your new kernel and
skip the "mv -f initrd-`uname -r`.img /tmp" step, unless the file already
exists of course (mkinitrd will warn you of that).

You'll want to make sure your lilo.conf correctly reflects the initrd file
name as well.

Good Luck! 

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: namebased vs ipbased hosting

2000-08-11 Thread Bill Carlson

On Fri, 11 Aug 2000, Robert Friberg wrote:

 
 Hi,
 
 I'm setting up a server that is hosting several sites. The number
 of sites will most likely increase in the near future. I'm
 using name based virtual hosts. I understand this can be a problem
 with http clients not sending a Host-header. I like not having to
 bother with ip-adresses. Are there any other major issues?
 
 tia,
 --
 robert friberg, ensofus ab
 +46(0)708 98 57 01

With name based hosts, anyone using a browser that doesn't support
HTTP/1.1 will not be able to access any site except the default (typically
the first virtual host).

Whether this is an issue depends on your user base. I believe Netscape 3.0
was the first version to support HTTP/1.1, it is generally not an issue
except for some tools like linklint or similar scripts that don't support
HTTP/1.1. I've found adding support is usually a very minor thing.

HTH,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






Re: Redirection of URL

2000-08-07 Thread Bill Carlson

On Fri, 4 Aug 2000, kapil sharma wrote:

 Hi,
 I am using apache 1.3.12 with Redhat 6.2. I want to redirect  one url to
 other url. For example if some request comes for
 http://foo.com
 then the url should redirect to
 http://www.foo.com
 
 What should i do for that?

Assuming foo.com is running apache and answering HTTP requests, Apache can
provide the rewriting with mucking up your pages. Use something like the
following in httpd.conf (I stick this within a VirtualHost block):

RewriteEngine on

# Non-default port: redirect to the canonical name, keeping the port
RewriteCond %{HTTP_HOST}   !^www\.foo\.com
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://www.foo.com:%{SERVER_PORT}/$1 [L,R]

# Port 80: redirect to the canonical name
RewriteCond %{HTTP_HOST}   !^www\.foo\.com
RewriteCond %{HTTP_HOST}   !^$
RewriteRule ^/(.*) http://www.foo.com/$1 [L,R]



In my case, foo.com and www.foo.com resolve to the same IP. These rules
rewrite everything that isn't already http://www.foo.com, very handy when
your webserver has a dozen different names, keeps the logs clean.


One could probably do that all in one set of conditions and rewrite rule,
that is left as an exercise for the reader. :)


Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: Multi-part install question

2000-08-02 Thread Bill Carlson

On Wed, 2 Aug 2000, Larry Pesce wrote:

 I've managed to get a hold of an old Multitech Communications gateway
 cheap (read as free).  It has several 486 SBCs with 8mb ram and NICs - it
 also has a few 386es.  I thought that this would make a neat project to
 have a bunch of machines in the corner in a small form factor.  I put
 in some hard drives and floppies that I had laying around.  Has anyone
 successfully installed on these puppies?
 
 Now the problem starts.  I'm trying to install 6.1 (because that's what I
 had handy), and I do a text install (I have no idea on the video, and I
 don't want X on it anyways).  It asks me for a driver disk, I cancel it,
 and then it starts to load stuff from the cd.  After about 7-8 minutes, I
 get a signal 7, and then tells me I can shut down.  Any ideas why?

Larry,

You might start by taking a look at:

http://www.redhat.com/support/docs/gotchas/6.1/gotchas-6.1-4.html#ss4.17

The machines might also be light on RAM, see:

http://www.redhat.com/support/docs/faqs/rhl_general_faq/FAQ-4.html#ss4.1

I don't know how hard that 16 MB limit is. I would recommend skipping 6.1
and getting the latest copy of 6.2, www.cheapbytes.com can have them to
you in a few days for less than $5. The installer has been revamped quite
a bit, 6.1 was kind of the 0.1 release for the new installer.

HTH,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|



-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.




RE: mouse through switchbox

2000-07-06 Thread Bill Carlson

On Wed, 5 Jul 2000, Mike Lewis wrote:

 Hey Charles,
 
 I've used Cybex (www.cybex.com) for quite a few years now.  They are
 generally pricey and do require their own cables (also pricey).  They do
 have a cheaper model 2 or 4 port though that does NOT require special cables
 and is quite affordable.  One of my clients is using one of these quite
 happily.
 

I'll second Cybex, the Switchview is the best KVM I've used. It doesn't
require an external power supply, uses standard cables and has a hot-key
sequence that's easy on the fingers. It supports both PS/2 or serial mice
at each machine and the console (in other words, you can mix and match).

I had a setup of 6 of them plugged into every variety of PC from an
ancient 386 to a Dual Processor box, no problems.

You can get a 4 port version with 2 cable sets for around $200. 

*plink plink*

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: Damn RPM! - HELP!

2000-06-22 Thread Bill Carlson

On Thu, 22 Jun 2000, Burke, Thomas G. wrote:

 Ok,
 
 Got all the new kernel sources, binaries, headers, etc :
 
 -rw---1 root root  5958211 Jun 22 09:55
 kernel-2.2.16-3.i386.rpm
 -rw---1 root root  3432045 Jun 22 08:07
 kernel-BOOT-2.2.16-3.i386.rpm
 -rw---1 root root   976658 Jun 22 08:11
 kernel-doc-2.2.16-3.i386.rpm
 -rw---1 root root  1155706 Jun 22 08:15
 kernel-headers-2.2.16-3.i386.rpm
 -rw---1 root root52723 Jun 22 08:15
 kernel-ibcs-2.2.16-3.i386.rpm
 -rw---1 root root   258519 Jun 22 08:16
 kernel-pcmcia-cs-2.2.16-3.i386.rpm
 -rw---1 root root  5813683 Jun 22 08:38
 kernel-smp-2.2.16-3.i386.rpm
 -rw---1 root root 15116357 Jun 22 09:33
 kernel-source-2.2.16-3.i386.rpm
 -rw---1 root root   171035 Jan 11  2004
 kernel-utils-2.2.16-3.i386.rpm
 
 Ran "rpm -Fvh Kernel*"
 
 [root@tomii /boot]# rpm -q kernel kernel-headers kernel-ibcs
 kernel-pcmcia-cs kernel-source
 kernel-2.2.16-3
 package kernel-headers is not installed
 kernel-ibcs-2.2.16-3
 kernel-pcmcia-cs-2.2.16-3
 package kernel-source is not installed
 
 [root@tomii linux errata]# rpm -Fvh kernel-headers-2.2.16-3.i386.rpm
 no packages require freshening
 [root@tomii linux errata]# rpm -q kernel-headers-2.2.16-3.i386.rpm
 package kernel-headers-2.2.16-3.i386.rpm is not installed
 [root@tomii linux errata]# rpm -i kernel-headers-2.2.16-3.i386.rpm
 [root@tomii linux errata]# rpm -q kernel-headers-2.2.16-3.i386.rpm
 package kernel-headers-2.2.16-3.i386.rpm is not installed
 [root@tomii linux errata]#
 
 

rpm -F (freshen) only updates rpms that are already installed. As
indicated, you don't have kernel-headers installed.

I imagine you do have kernel-headers installed now, but "rpm -q
kernel-headers-2.2.16-3.i386.rpm" would be looking for a package by the
name, you need to use the package name, not the file name. Try rpm -q
kernel-headers again.

Also, consider using -ih when installing, so you know something happened.

HTH,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: a fortress in the DMZ

2000-06-19 Thread Bill Carlson

On Sat, 17 Jun 2000, Alan Mead wrote:

 I know it's not what the client asked for... but since its free and worked
 well for me, each of the client boxes should run portsentry to detect
 portscans.
 
 Is the DMZ a hubbed LAN?  You could sniff all the traffic and try to match
 patterns.  But really the better place for this would be on a firewall
 separating the DMZ from the Internet.
 

Assuming the LAN is a single collision domain, as Alan asks, snort
(http://www.clark.net/~roesch/security.html) is an excellent tool. It is
basically a sniffer with a packet analysis engine. See
http://rootprompt.org/article.php3?article=520 for a good writeup on snort
and passive monitoring in general.

If the network is switched, you'd have to run snort on each segment or
connect the fortress to each segment.

HTH,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re: Root partition disk full question

2000-06-14 Thread Bill Carlson

On Tue, 13 Jun 2000, M. Neidorff wrote:

 I've done the same and had no problem--even as root.  BTW, you don't have 
 to re-boot to see if everything is OK.  I consider that a Windows thing 
 which linux doesn't need.  The most you may need to do is unmount a 
 partition and fsck it after you are done deleting things.
 

I'll counter this, if you do manage to fill up the file system, it is not
a bad idea to reboot if you can. Some services assume the disk will never
be full and don't handle running out of space nicely. And they may or may
not complain about the fact.

Same thing goes for exhausting swap space, some services recover just
fine, some just die, and some just don't work quite the same.

Better to start from a fresh boot if you can.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







RE: MS Breakup

2000-06-08 Thread Bill Carlson

On Wed, 7 Jun 2000, Joel Lansden wrote:

 Personally, I'm just waiting for MS-UX or some other Microsoft violation of
 Unix that eliminates the command line and turns the kernel into some kind of
 clusterf**k of icons and sounds and animations.  shudder
 

It has been here for years. It is called Windows NT.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|







Re:

2000-06-05 Thread Bill Carlson

On Mon, 5 Jun 2000, eric clover wrote:

 ok, I'll try to redirect this. I work at an ISP. Every user at the ISP gets
 spam from: . We all get the same spam. We get this spam around every 3
 weeks. I am requesting a way to block someone sending a spam from:  with a
 return address of:  from ever getting sent to any of our users. procmail
 seems to rate highly with most people, but how does procmail block  ?
 thank you
 eric
 

Hey Eric,

Look at the full headers for the email to get a clue where it really came
from. Then look up the admin contacts for the domains in question and
email them with your complaint; that usually works for me.

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|
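
The header check suggested in the reply above, as an added example that is not part of the original post: it walks the Received chain from the top and stops at the last header written by a relay you control, since everything below that point is supplied by the sender. The message, host names, IP addresses and the trusted-relay set are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: hosts, addresses and IPs are documentation values.
RAW = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
\tby mailstore.isp.example with ESMTP id A1; Mon, 5 Jun 2000 10:00:03 -0500
Received: from mail.bigbank.example (unknown [203.0.113.77])
\tby mx1.isp.example with SMTP id B2; Mon, 5 Jun 2000 10:00:01 -0500
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.5])
\tby relay.bigbank.example with SMTP id C3; Mon, 5 Jun 2000 09:59:00 -0500
From: offers@bigbank.example
Subject: constructed spam sample

body
"""

# One hop: "from <HELO name> (<reverse DNS> [<peer IP>]) ... by <recording host>"
HOP = re.compile(
    r"from\s+(\S+)\s+\((.*?)\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def trace_origin(raw, trusted):
    """Return (handoff hop into our relays, unverified hops below it)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns.strip(), "ip": ip,
                         "by": by, "helo_matches_rdns": helo == rdns.strip()})
    handoff, idx = None, 0
    # Each relay prepends its header, so the run of trusted "by" hosts at the
    # top is what our own servers recorded; the last one is the entry point.
    while idx < len(hops) and hops[idx]["by"] in trusted:
        handoff = hops[idx]
        idx += 1
    return handoff, hops[idx:]

if __name__ == "__main__":
    ours = {"mailstore.isp.example", "mx1.isp.example"}  # assumed relay names
    handoff, unverified = trace_origin(RAW, ours)
    print("complain to the owner of:", handoff["ip"], handoff)
    print("sender-supplied, do not trust:", [h["by"] for h in unverified])
```

The peer IP in the handoff hop is the address to look up for an admin or abuse contact; the HELO name beside it is whatever the sender chose to claim.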







Re: RH on a 386?

2000-05-17 Thread Bill Carlson

On Tue, 9 May 2000, Jim Baxter wrote:

 Hi Gang
 
 I have been asked if RH 6.2 (or 5.2 even) will run on a 386 with 32 MB
 memory and 40 MB hard disk.
 Can't say why he wants to but I suspect it is some old junk he is wanting to
 get some use out of.

It will run Linux, but not Red Hat because of the hard drive; it's too
small. Depending on what he wants to use it for (would make an OK firewall
for a modem connection or low traffic webserver) perhaps one of the small
Linux distributions would work. Maybe hook it up to a weather station
setup and have it record weather information and spit graphs...but
I digress...:) 

Check freshmeat at 
http://freshmeat.net/appindex/console/mini%20distributions.html
for mini distributions.

 
 Does anyone think it can be done and still do anything like run a browser?

With a larger hard drive it could, but it would be painfully slow.

 
 I bet there is no CD on it.

NFS or FTP install would work there, need a network working though...

HTH,

Bill Carlson

Systems Programmer[EMAIL PROTECTED]|  Opinions are mine,
Virtual Hospital  http://www.vh.org/|  not my employer's.
University of Iowa Hospitals and Clinics|






