Re: UEFI
Please, guys! Surely there's a better place to have this discussion? I do not want the same boring old arguments clogging up my inbox every time M$ sneezes.
Re: UEFI
2011/10/20 Phong Nguyen pho...@fnal.gov:

> Microsoft does not control UEFI. While they are (rightfully) mandating Secure Boot as part of the Windows 8 certification process, they are not mandating that it remain always on. The OEM/VARs should be providing a UEFI configuration option to disable Secure Boot.
>
> At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.
>
> http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

Secure boot is simply a design mistake. Instead of giving everyone the opportunity to upload their own certificates to the certificate store (like browsers do), they implemented a hard-coded list of certificates, so that only a few systems benefit from secure boot (the general idea of secure boot is fine). This is the problem: the root of trust is moved to the vendors instead of the owner. Unfortunately a lot of commercial interests will most likely push it to the market as it is, so the only hope will be to be able to switch it off.

Regards, Thomas
-- 
Linux ... enjoy the ride!
Re: UEFI
On 20 October 2011 04:19, Always Learning scienti...@u61.u22.net wrote:

> Wise people, before disagreeing, usually become informed, especially if the subject matter is unknown to them. One should disagree (or agree) only when possessing sufficient information to make a balanced judgement.

This is completely off-topic. Perhaps you should learn from your experiences on the CentOS mailing lists, Paul - it would be a shame if that were to be repeated here.

Regards, Mike
Note about this Scientific Linux Mailing List (Was: UEFI)
Troy Dawson posted a note about the Scientific Linux mailing list on July 1, 2011. I am posting part of his note here because I see some new faces who probably have not read it. Also for those who have been on the list for a while, this is a reminder.

Akemi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
from Troy Dawson daw...@fnal.gov
to SL users scientific-linux-us...@fnal.gov
date Fri, Jul 1, 2011 at 6:51 AM

Hello,
The scientific-linux-users mailing list has always been a place that people could go to for technical help. It is supposed to have fairly low traffic, and it has had that for quite a while. I know that we have recently had an influx of new SL users, and so it is expected that the technical questions and answers go up. But we have also had a very high upswing of *frivolous* emails.
(snip)
This mailing list is for people to bring questions about Scientific Linux, and hopefully they will get answers.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

There was a comment by Steven Haigh who suggested using the SL forums:

I would also suggest that people wanting to continue the whole posting style debate or just general things not specifically related to SL do so on the unofficial forums. Here is a good start: http://scientificlinuxforum.org/index.php?showforum=7
-- Steven Haigh
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And a follow-up by John H. Outlan who oversees the forums:

That's fine. But any rudeness will result in a ban. That's why we are there in the first place. Just kill 'em with kindness ;)
Re: UEFI
On Thu, Oct 20, 2011 at 4:58 AM, Thomas Bendler thomas.bend...@gmail.com wrote:

> Secure boot is simply a design mistake. Instead of giving everyone the opportunity to upload their own certificates to the certificate store (like browsers do), they implemented a hard-coded list of certificates, so that only a few systems benefit from secure boot (the general idea of secure boot is fine). This is the problem: the root of trust is moved to the vendors instead of the owner. Unfortunately a lot of commercial interests will most likely push it to the market as it is, so the only hope will be to be able to switch it off.

The only intelligent post in this totally OT thread...
Re: Note about this Scientific Linux Mailing List (Was: UEFI)
On 20 October 2011 15:58, Akemi Yagi amy...@gmail.com wrote:

> Troy Dawson posted a note about the Scientific Linux mailing list on July 1, 2011. I am posting part of his note here because I see some new faces who probably have not read it. Also for those who have been on the list for a while, this is a reminder.
>
> Akemi
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> from Troy Dawson daw...@fnal.gov
> to SL users scientific-linux-us...@fnal.gov
> date Fri, Jul 1, 2011 at 6:51 AM
>
> Hello,
> The scientific-linux-users mailing list has always been a place that people could go to for technical help. It is supposed to have fairly low traffic, and it has had that for quite a while. I know that we have recently had an influx of new SL users, and so it is expected that the technical questions and answers go up. But we have also had a very high upswing of *frivolous* emails.
> (snip)
> This mailing list is for people to bring questions about Scientific Linux, and hopefully they will get answers.
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> There was a comment by Steven Haigh who suggested using the SL forums:
>
> I would also suggest that people wanting to continue the whole posting style debate or just general things not specifically related to SL do so on the unofficial forums. Here is a good start: http://scientificlinuxforum.org/index.php?showforum=7
> -- Steven Haigh
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> And a follow-up by John H. Outlan who oversees the forums:
>
> That's fine. But any rudeness will result in a ban. That's why we are there in the first place. Just kill 'em with kindness ;)

Thank you for posting the reminder to the list, Akemi. I hope that the one person who has, predominately, been the instigator of a lot of noise on this mailing-list will now find another outlet for his pontifications.

Alan.
Re: UEFI
On 10/20/2011 08:10 AM, Tom H wrote:

> On Thu, Oct 20, 2011 at 4:58 AM, Thomas Bendler thomas.bend...@gmail.com wrote:
>
> > Secure boot is simply a design mistake. Instead of giving everyone the opportunity to upload their own certificates to the certificate store (like browsers do), they implemented a hard-coded list of certificates, so that only a few systems benefit from secure boot (the general idea of secure boot is fine). This is the problem: the root of trust is moved to the vendors instead of the owner. Unfortunately a lot of commercial interests will most likely push it to the market as it is, so the only hope will be to be able to switch it off.
>
> The only intelligent post in this totally OT thread...

I respectfully disagree -- although a number of the intelligent posts were not related to the engineering/design issues. Secure boot as being forced by Microsoft is a deliberate design, a mistake for those of us who want some vendor independence (market competition with licensed-for-free, including full source distribution, variants allowed to compete), but a profit enforcer for those whose for-profit products are allowed to be installed as the operating environment.

The reason I posted this item -- a reason that no one has yet addressed -- was twofold:

1. To stop the current UEFI approach so that licensed-for-fee environments, such as Linux or BSD, can be installed on any hardware platform. This does involve getting the community to be aware of the problem. It does not appear at this time that there is any USA or EU movement equivalent to the Australian approach of lawsuit to stop secure boot -- but we may still be able to do something -- suggestions welcome. These include demanding a way for entities such as CentOS or SL (Fermilab/CERN) to provide acceptable certificates, albeit this would still restrict small developers that would not want to pay to a Certificate Authority.

2. To find/develop a workaround -- "the only hope will be to be able to switch it off" will not work without possibly a way to reprogram the UEFI replacement for the BIOS. I can provide several business/market sector/security scenarios indicating why the hope of some motherboards to be UEFI open will not address the issues. Is anyone starting to look at workarounds?

I apologize for the firestorm -- but if UEFI as proposed is implemented, it is likely that Linux on the desktop/laptop in the USA effectively will cease -- only MS Windows and Mac OS X will continue, provided Apple does not run into trouble (always an issue for a single for-profit corporation that is not regarded as too big or vital to fail).

Yasha Karant
Re: UEFI
On Oct 20, 2011, at 17:47 , Yasha Karant wrote: [more stuff with no bearing on SL whatsoever] Could this person please be banned from the list. Thanks, Stephan
Re: UEFI
On Thu, 2011-10-20 at 18:02 +0200, Stephan Wiesand wrote:

> On Oct 20, 2011, at 17:47 , Yasha Karant wrote:
>
> > [more stuff with no bearing on SL whatsoever]
>
> Could this person please be banned from the list.
>
> Thanks, Stephan

(Apologies for the noise, but as a mail list admin, I know that figuring out how to do certain things can sometimes be difficult. :-)

Moderating individual list members should be straightforward.

LISTSERV - Instructions for List Owners: http://listserv.fnal.gov/owners.asp

which links at the bottom to:

L-Soft international, Inc. - List Owner's Manual http://www.lsoft.com/manuals/1.8d/owner/owner.html#5

and specifically to 5.3.13. REVIEW/NOREVIEW:

[quote]
When a subscriber is set to REVIEW, all postings from that subscriber are forwarded to the list editor or list owner for approval. Approval for these postings is always via the OK mechanism -- there is no need to forward the posting to the list, simply reply to the approval confirmation with OK. Note that if a list is unmoderated, it is still possible to direct REVIEW postings to a specific person by adding an Editor= or Moderator= keyword to the list header. The list owner or LISTSERV maintainer may issue the SET listname NOREVIEW FOR userid@host command to reverse a previously-set REVIEW. Setting REVIEW for a user cancels any previous NOPOST or EDITOR setting for that user.
[/quote]

Steve
Get Kerberos Tickets at login
Hi,

How can I get Kerberos tickets at login? When I login to my workstation, the account is authenticated against AD. But with klist, no ticket is displayed, so to get a Kerberos ticket, an additional call to kinit is required.

Which configuration options can be used on SL 5.5, to get Kerberos tickets immediately after login?

Kind regards,
Dr. Peter Stauffert
Boehringer Ingelheim Pharma GmbH Co. KG
mailto:peter.stauff...@boehringer-ingelheim.com
Re: Get Kerberos Tickets at login
On Thu, Oct 20, 2011 at 01:07:45PM -0600, peter.stauff...@boehringer-ingelheim.com wrote:

> Hi,
>
> How can I get Kerberos tickets at login? When I login to my workstation, the account is authenticated against AD.

Peter,

How is the account authenticated against AD? We're doing this here but accessing AD as an LDAP server.

> But with klist, no ticket is displayed, so to get a Kerberos ticket, an additional call to kinit is required.

It sounds like your /etc/krb5.conf file is correct as you are able to get Kerberos tickets.

> Which configuration options can be used on SL 5.5, to get Kerberos tickets immediately after login?

In System - Administration - Authentication, there is a checkbox to enable Kerberos support for Authentication as well as Configure your Kerberos settings. It's been quite a while since we set this up and I can't remember if this was sufficient or additional manual configuration was required.

The important part of Kerberos getting tickets automatically is in /etc/pam.d/system-auth. Here we have the following line in the auth section:

    auth        sufficient    pam_krb5.so use_first_pass

(There are similar lines in other sections.)

This works for us here, and has worked with a different (i.e. non-AD) LDAP server. The only caveat to this is that for this to work properly, passwords must be synchronized between LDAP and AD.

If you have any other questions on this, please feel free to ask.

I hope this helps.

Steven Leikeim
-- 
Steven Leikeim, GSEC-Gold        | We, the willing
Schulich School of Engineering   | led by the unknowing
Information Technologies         | are doing the impossible
                                 | for the ungrateful.
University of Calgary            | We have done so much
Calgary, Alberta                 | for so long with so little
                                 | we are now qualified
Phone: (403) 220-5373            | to do anything with nothing.
Re: UEFI
On 2011/10/20 08:10, Tom H wrote:

> On Thu, Oct 20, 2011 at 4:58 AM, Thomas Bendler thomas.bend...@gmail.com wrote:
>
> > Secure boot is simply a design mistake. Instead of giving everyone the opportunity to upload their own certificates to the certificate store (like browsers do), they implemented a hard-coded list of certificates, so that only a few systems benefit from secure boot (the general idea of secure boot is fine). This is the problem: the root of trust is moved to the vendors instead of the owner. Unfortunately a lot of commercial interests will most likely push it to the market as it is, so the only hope will be to be able to switch it off.
>
> The only intelligent post in this totally OT thread...

By definition there have been no intelligent posts to this thread. It does not belong here. That it was posted here indicates the utter lack of intelligence (can't read and follow directions) of the people wheezing in and starting this thread.

{o.o}
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
We subscribe to this list because we are interested in Scientific Linux *per se*, and even a mention about Red Hat (from which it is derived) does not legitimize off-topic rants. Please find your gratification in another forum where others wish to read your opinions.

On Thu, Oct 20, 2011 at 3:58 PM, Yasha Karant ykar...@csusb.edu wrote:

> Although a number of comments on and off the SL list have opined that any discussion of UEFI is off-limits to this list, below is a popular press article concerning a view from Red Hat (the beloved TUV of this list) that presumably is on-limits. Again -- is there a workaround were efforts to prevent the MS version of UEFI fail?
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
On 10/20/2011 08:58 PM, Yasha Karant wrote:

> the practical issue

the practical issue is that you are posting links that have nothing to do with the intent of this list as they are off topic.

what is even more aggravating and irritating about your posting is that you post a link and then quote that link.

please stop posting what *you think* is interesting. *it is not*.

-- 
peace out.

tc.hago,
g
.

*please reply plain text. html text are deleted*

in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
The installation instructions stated to install Windows 2000 or better. So I installed Linux.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
On 20 October 2011 21:58, Yasha Karant ykar...@csusb.edu wrote:

> Although snip

I will be brutally frank and straightforward.

Please stop posting links and verbatim quotations from items previously posted elsewhere. I have already read them -- and, I suspect, so have many other of this list's subscribers -- in the original location, when initially published. Do you regard all other subscribers to this mailing-list as imbeciles? We do not require some pontificating professor to instruct us as to how we are to act, react, think or otherwise behave.

You have been asked before. Now I shall tell you -- Go and read the archives for this mailing list and stop trying to manipulate its usage for your own personal glorification. If you do not wish to fit in with the established social norm then please depart.

An interesting link -- http://www.ratemyprofessors.com/ShowRatings.jsp?tid=142948

One of the more amusing quotations from the above:

[quote]
avoid at all costs and whatever you do don't mention microsoft or bill gates. Just rambles on and on and on... seriously avoid him if you can
[/quote]

Alan.
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
Somebody ought to complain to the CSUSB and to Verizon about his spam. Or maybe configure the spam filter being used to block CSUSB until he is removed. That's a little harsh. But, what is there to do when it's really easy for him to simply set up a new alias and have more of his fun?

(Sadly lynch mobs result in way too much paperwork for the mob members.)

{^_^}

On 2011/10/20 17:27, g wrote:

> On 10/20/2011 08:58 PM, Yasha Karant wrote:
>
> > the practical issue
>
> the practical issue is that you are posting links that have nothing to do with the intent of this list as they are off topic.
>
> what is even more aggravating and irritating about your posting is that you post a link and then quote that link.
>
> please stop posting what *you think* is interesting. *it is not*.
Re: Re: Red Hat engineer renews attack on Windows 8-certified secure boot
On Thu, Oct 20, 2011 at 6:16 PM, Yasha Karant ykar...@csusb.edu wrote:

> Any idea how to get persons such as Victor Helsing to understand the issue here? -- this is NOT a rant. If we ignore it, we shall all be in the soup.

It's a rant. By continuing to rant, you discourage people from paying attention to such issues where and when they *are* relevant, such as (hopefully) the material below.

A discussion of the UEFI technology and its direct effects on Linux or Scientific Linux based hardware management might be useful. What are our favorite upstream vendor's plans? And have you actually laid hands on the technology or attempted to use it, to see the implications of it? For example, it avoids the 63 block DOS compatibility chunk of space at the beginning of your available disk space, avoiding the 4096 byte block alignment problem for both real and virtualized hardware on more modern hard drives. And boot loaders have suffered from a great deal of awkwardness in backwards compatibility requirements, for example with the 8 1023 cylinder limitation with earlier versions of LILO and motherboards, and with various other complex schema to work around legacy requirements. So a new, well defined boot loader architecture can make eminent sense.

The problem is the lockdown features. It's completely understandable that people who buy computers, and maintain them, do *not* want arbitrary script kiddies or laptop thieves to be able to boot a live CD or USB stick and read everything off their drive. My Windows and other friends are *shocked* when I walk in with a live CD, including ones very like Scientific Linux's, and help them recover lost data or change relevant passwords. In general, if I can access your hardware, I own your data.

The need for freedom and access to our own tools conflicts with this. Being able to change a kernel or OS freely is vital to developers, students, and people who need their tools modified for reasons software vendors don't agree with. It's also *vital* for anonymity. Too many systems record too much data. But this conflicts with desires for security.

We've seen things like this play out with SELinux. The toolkit is powerful, flexible, and so unpredictable and poorly integrated and complex that most developers would actively *fire* me if I tried to make them work with it. I'll be very curious to see if UEFI's vaunted security features suffer from the same flaws in the long term.

Support for UEFI *is* built into recent releases of grub and various virtualization technologies, so I don't anticipate it being too much of a Linux issue unless the lock down features are enforced.
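The thread's complaint is about whose certificates form the firmware's root of trust, and whether the lockdown is on at all; the added example below (not from any poster) answers both questions for a Linux host by reading the SecureBoot variable and walking the EFI_SIGNATURE_LIST chain of the authorized database 'db'. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (each file is 4 attribute bytes followed by the variable data); the variable names and GUIDs are from the UEFI specification, and the sample blob used when no firmware variables are available is constructed with made-up owner GUIDs.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # SecureBoot lives here
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db / dbx / KEK... live here
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def read_efivar(name, guid):
    """Return the variable's data with the 4-byte attribute prefix stripped, or None."""
    path = EFIVARS / f"{name}-{guid}"
    if not path.exists():
        return None
    return path.read_bytes()[4:]


def secure_boot_state(data):
    """Map the SecureBoot variable's single data byte to a readable state."""
    if data is None:
        return "no UEFI variable (legacy BIOS boot or efivarfs not mounted)"
    return "enabled" if data[:1] == b"\x01" else "disabled"


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Per list: SignatureType GUID (16), SignatureListSize (u32),
    SignatureHeaderSize (u32), SignatureSize (u32), optional header, then
    SignatureSize-byte EFI_SIGNATURE_DATA entries (owner GUID + data)."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({"type": sig_type, "owner": owner, "size": sig_size - 16})
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, data):
    """Build one single-entry EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + data)


def summarize_db(entries):
    """Count entries per (kind, owner): who is trusted to sign what this firmware boots."""
    summary = {}
    for e in entries:
        kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(
            e["type"], str(e["type"]))
        key = (kind, str(e["owner"]))
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample: one X.509 entry and one SHA-256 hash entry under made-up
# owner GUIDs; the "certificate" bytes are filler, not any vendor's real key.
OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER_A, b"\x30\x82" + b"\x00" * 40)
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER_B, b"\x11" * 32))

if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)))
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE)  # falls back to the sample below
    for (kind, owner), n in sorted(summarize_db(parse_signature_lists(db or SAMPLE_DB)).items()):
        print(f"{kind:7} owner={owner} entries={n}")
```

On a real machine the owner GUIDs printed are the vendor and OEM identities the thread is arguing about; a host that boots with Secure Boot enabled will only run images chained to one of those entries (or hashed in db).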
Is removing selinux a bad idea?
Hi All,

I have always found selinux a pain in the neck, and in the past have just removed it to get my stuff working.

Question: what are the ramifications of just removing selinux from SL 6.1? Is selinux worth the effort?

Many thanks,
-T
Re: Is removing selinux a bad idea?
On Thu, 20 Oct 2011, Todd And Margo Chester wrote:

> Hi All,
>
> I have always found selinux a pain in the neck, and in the past have just removed it to get my stuff working.
>
> Question: what are the ramifications of just removing selinux from SL 6.1? Is selinux worth the effort?

You can simply disable selinux, /etc/selinux/config, or simply type setup at the shell prompt and select the appropriate config module to disable selinux.

Mike
Re: Is removing selinux a bad idea?
On 10/20/2011 07:35 PM, Mike's List wrote:

> On Thu, 20 Oct 2011, Todd And Margo Chester wrote:
>
> > Hi All,
> >
> > I have always found selinux a pain in the neck, and in the past have just removed it to get my stuff working.
> >
> > Question: what are the ramifications of just removing selinux from SL 6.1? Is selinux worth the effort?
>
> You can simply disable selinux, /etc/selinux/config, or simply type setup at the shell prompt and select the appropriate config module to disable selinux.
>
> Mike

Much easier way to do it. Thank you!

Back to my original question: is selinux worth the effort? or is it just a nuisance?

-T
Re: Is removing selinux a bad idea?
SELinux is just a couple more steps when configuring the system. It's not a large deal once you figure out the basic command set. In fact, some of the steps for configuring an app for SELinux are even outlined in the man pages and some of the application docs (notably Samba). Worst case, you can use the audit file as well as the SELinux Troubleshooter utility to diagnose the issue. In most cases, it is easy to resolve.

- Rilindo

On Oct 20, 2011, at 10:30 PM, Todd And Margo Chester wrote:

> Hi All,
>
> I have always found selinux a pain in the neck, and in the past have just removed it to get my stuff working.
>
> Question: what are the ramifications of just removing selinux from SL 6.1? Is selinux worth the effort?
>
> Many thanks,
> -T
Re: Is removing selinux a bad idea?
On Oct 20, 2011, at 10:30 PM, Todd And Margo Chester wrote:

> Hi All,
>
> I have always found selinux a pain in the neck, and in the past have just removed it to get my stuff working.
>
> Question: what are the ramifications of just removing selinux from SL 6.1? Is selinux worth the effort?
>
> Many thanks,
> -T

On 10/20/2011 07:50 PM, RILINDO FOSTER wrote:

> SELinux is just a couple more steps when configuring the system. It's not a large deal once you figure out the basic command set. In fact, some of the steps for configuring an app for SELinux are even outlined in the man pages and some of the application docs (notably Samba).

Not finding it in man smb.conf. Am I blind?

> Worst case, you can use the audit file as well as the SELinux Troubleshooter utility to diagnose the issue. In most cases, it is easy to resolve.
>
> - Rilindo

What are the ramifications of just disabling selinux? Good idea? Bad Idea?

-T
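Before choosing between enforcing, permissive and disabled, it helps to see what SELinux is actually denying; the added example below (not code from anyone in the thread) summarizes AVC denials from the audit file Rilindo mentions and reports the SELINUX= mode from /etc/selinux/config. It assumes the standard RHEL/SL paths /var/log/audit/audit.log and /etc/selinux/config; the embedded audit lines are constructed for the offline run.

```python
import re
from collections import Counter

# Fields of an AVC record that matter for triage: permissions, program, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)')

# Constructed sample denials (not taken from any real host): a web server
# blocked from a database port and from files labelled as home-directory content.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1319150400.123:4711): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1319150400.123:4711): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1319150401.456:4712): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1319150402.789:4713): avc:  denied  { read } for  pid=2201 comm="httpd" name="style.css" dev=sda2 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""


def parse_denials(lines):
    """Yield one dict per AVC denial; SYSCALL and other record types are skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = tuple(d["perms"].split())
            # keep only the type field of each context, e.g. httpd_t / user_home_t
            d["stype"] = d["scontext"].split(":")[2]
            d["ttype"] = d["tcontext"].split(":")[2]
            yield d


def summarize(lines):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for d in parse_denials(lines):
        counts[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    return counts


def selinux_mode(config_text):
    """Return the SELINUX= value (enforcing/permissive/disabled) or None if unset."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None


if __name__ == "__main__":
    try:
        with open("/etc/selinux/config") as fh:
            print("configured mode:", selinux_mode(fh.read()))
        with open("/var/log/audit/audit.log") as fh:
            lines = fh.readlines()
    except OSError:  # not on an SL box: use the constructed sample
        lines = SAMPLE_AUDIT.splitlines()
    for (stype, ttype, tclass, perms), n in summarize(lines).most_common():
        print(f"{n:4}  {stype} -> {ttype} ({tclass}) {' '.join(perms)}")
```

A grouped list like this is what to read before deciding: a handful of repeated (source, target) pairs usually means a mislabelled directory or a boolean to flip, whereas SELINUX=permissive keeps logging the same denials without enforcing them, so it shows what disabling would silently allow.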
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
On 10/21/2011 02:13 AM, jdow wrote:

> Somebody ought to complain to the CSUSB and to Verizon about his spam.

it is not truly spam, and complaining to above, as you suggest, is not really necessary.

i will give op credit to have enough intelligence to re-frame after he sees the posts that are against his posting of such needless emails.

should he be a 'd.a.', then yes. :-)

-- 
peace out.

tc.hago,
g
.

*please reply plain text only. html text are deleted*

in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
The installation instructions stated to install Windows 2000 or better. So I installed Linux.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
Re: Red Hat engineer renews attack on Windows 8-certified secure boot
On 10/21/2011 03:37 AM, jdow wrote:

> Your rant is an off topic rant, too, sir. Please stop it lest you issue further proof of your dysfunctional personality.

so which is worse, a rant or a slander?

think about it.

-- 
peace out.

tc.hago,
g
.

*please reply plain text only. html text are deleted*

in a free world without fences, who needs gates.
**
help microsoft stamp out piracy - give linux to a friend today.
**
to mess up a linux box, you need to work at it.
to mess up an ms windows box, you just need to *look* at it.
**
The installation instructions stated to install Windows 2000 or better. So I installed Linux.
**
learn linux:
'Rute User's Tutorial and Exposition' http://rute.2038bug.com/index.html
'The Linux Documentation Project' http://www.tldp.org/
'LDP HOWTO-index' http://www.tldp.org/HOWTO/HOWTO-INDEX/index.html
'HowtoForge' http://howtoforge.com/
Re: Is removing selinux a bad idea?
On Thu, 20 Oct 2011, Todd And Margo Chester wrote:

> Back to my original question: is selinux worth the effort? or is it just a nuisance?

It depends on your environment, i.e. government, financial sectors, but for most, the answer is no. I'm in the higher education sector and most vendors do not recommend turning selinux on, or even require turning it off. While it's not that much of an issue to configure selinux, etc., it's more the vendors and their applications (and other applications) that are an issue.

Hope this helps.

Mike
Re: Is removing selinux a bad idea?
On Thu, 20 Oct 2011, Todd And Margo Chester wrote:

> Is selinux effective enough as an extra line of defense against intruders? or mostly just a pain in the neck. I would like the extra line of defense, but only if it works.

It depends on what you're running on the server and your IT environment. A good iptables rule/s should go a long way. Allowing, or not allowing, certain users access to certain services, applications, etc. is another good way to start.

Mike