Re: [DNG] Security Jessie VS ASCII
Adam Borowski - 10.11.18, 23:19:
> On Sat, Nov 10, 2018 at 07:41:19PM +0300, Andres Suarez wrote:
> > From the security point of view: Is it worth updating from Jessie to
> > ASCII? Do you see any significant advantage? I do not use any exotic
> > software.
>
> Yes. Upstream (Debian) Jessie is only in LTS, which, as discussed in
> a recent flamewar, is quite a misleading term compared to general
> usage. It should probably be named "extended support" or such.
>
> Jessie is no longer owned by the regular security team, and sees
> nowhere near as much attention as Stretch. Packages considered
> unimportant are silently neglected and may have unfixed bugs. CVEs
> are tracked in general, but you can forget about any reasonable
> coverage of non-security fixes. Or for backports in a good shape.
>
> Consider the LTS/ES a grace period to migrate to Stretch/ASCII rather
> than something recommended for use.

On Debian machines I usually use both the debian-security-support and debsecan packages:

debian-security-support has a command check-support-status, that displays packages with limited support. It won't, as far as I guess, show the limitations of LTS/ES support though.

debsecan sends mails about which CVEs are unfixed in the current set of packages.

I did not test any of these on my Devuan server VMs so far.

I usually combine this with both apt-listbugs and apt-listchanges :). And needrestart.

Thanks,
--
Martin

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] A new website for gnuinos.org
Hi all,

I'm working on a new website for gnuinos.org:

http://gnuinos.org/gnuinos/main.html

I was using a CMS for that (concretely Joomla!), but now I'm developing it from scratch using HTML5, CSS3 and some jQuery plugins for the ToC (Table of Contents). In the future, it'll be a dynamic website thanks to Aaron Swartz's python-webpy:

http://webpy.org/

Hope you like it :)

Aitor.
Re: [DNG] Security Jessie VS ASCII
Thanks both. Server and PC updated. Had only a minor issue that got fixed with this link:

https://linuxiswonderful.wordpress.com/2018/05/01/x-broken-as-drmsetmaster-failed/

Looks quite pretty, I have the impression that even the graphics card works faster)

Regards,
--
Andres Suarez
Mobile +79310009732

On Sun, 2018-11-11 at 11:34 +0100, Martin Steigerwald wrote:
> Adam Borowski - 10.11.18, 23:19:
> > On Sat, Nov 10, 2018 at 07:41:19PM +0300, Andres Suarez wrote:
> > > From the security point of view: Is it worth updating from Jessie to
> > > ASCII? Do you see any significant advantage? I do not use any exotic
> > > software.
> >
> > Yes. Upstream (Debian) Jessie is only in LTS, which, as discussed in
> > a recent flamewar, is quite a misleading term compared to general
> > usage. It should probably be named "extended support" or such.
> >
> > Jessie is no longer owned by the regular security team, and sees
> > nowhere near as much attention as Stretch. Packages considered
> > unimportant are silently neglected and may have unfixed bugs. CVEs
> > are tracked in general, but you can forget about any reasonable
> > coverage of non-security fixes. Or for backports in a good shape.
> >
> > Consider the LTS/ES a grace period to migrate to Stretch/ASCII rather
> > than something recommended for use.
>
> On Debian machines I usually use both the debian-security-support and
> debsecan packages:
>
> debian-security-support has a command check-support-status, that
> displays packages with limited support. It won't, as far as I guess,
> show the limitations of LTS/ES support though.
>
> debsecan sends mails about which CVEs are unfixed in the current set of
> packages.
>
> I did not test any of these on my Devuan server VMs so far.
>
> I usually combine this with both apt-listbugs and apt-listchanges :).
> And needrestart.
>
> Thanks,
Re: [DNG] Implementing directory services/Kerberos
On Sat, 10 Nov 2018 at 15:45, Rick Moen wrote:
>
> Quoting Héctor González (ca...@genac.org):
>
> > There is also nslcd, which I remember using with samba-ad, as nscd
> > didn't like that ldap for some reason, and it has a different
> > config file /etc/nslcd.conf
> >
> > I'd use nscd first, and if you run into trouble try nslcd.
>
> Again, back when I implemented this stuff using CentOS 6.x, you needed
> both for some daft reason.
>

Yes, I went with libnss-ldapd and it pulled in libpam-ldapd, nslcd, and nscd, so it would appear that both are required. nslcd seems to provide the configuration file /etc/nslcd.conf that is used by both libnss-ldapd and libpam-ldapd, while nscd seems to be doing the caching side of things.

--Tom
Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 10:02, Héctor González wrote:
>
> > >> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > [snip]
> >>> So my next question is, what's the recommended package to authenticate
> >>> with LDAP and allow users to login to a desktop via their LDAP
> >>> account? I've seen various options for PAM and NSS, but do I need to
> >>> configure both or just one?
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.
> NSS is used to "populate" your passwd and group files from ldap, if you
> need it. Your users will work with just the PAM part, but it's easier
> to use NSS so you can change permissions using usernames instead of
> UIDs.
>
> A "getent passwd user" will require libnss-ldap (and a working
> /etc/libnss-ldap.conf which should be autogenerated)
>
> If you choose to use nscd, you should replace the suggested-size passwd
> option with a sufficient size for your expected amount of users, the
> manual says it is a hash table, so it should be a prime number bigger
> than double the amount of expected users (hint: the primes package from
> bsdgames can find primes for you).
>
> nscd acts as a cache for nss calls so you don't flood your ldap server
> with queries.
>
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I'd use nscd first, and if you run into trouble try nslcd.
>

Thanks, nslcd appears to be working fine here now. I don't think I need to fiddle with any nscd settings at this point in time.

--Tom

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
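An added example, not code from anyone in this thread: a small Python helper that applies the nscd sizing rule Héctor quotes above (a prime larger than twice the expected number of users) and renders the matching passwd lines for /etc/nscd.conf. The enable-cache, positive-time-to-live and suggested-size keywords are real nscd.conf keys; the 600 second TTL is an assumed value chosen for illustration.

```python
def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the table sizes nscd uses."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def nscd_suggested_size(expected_users: int) -> int:
    """Smallest prime strictly greater than 2 * expected_users.

    This is the rule quoted in the thread for nscd's hash table size:
    a prime number bigger than double the expected number of entries.
    """
    candidate = 2 * expected_users + 1
    while not is_prime(candidate):
        candidate += 1
    return candidate


def nscd_passwd_stanza(expected_users: int, ttl: int = 600) -> str:
    """Render the passwd-table lines for /etc/nscd.conf.

    ttl (seconds) is an assumed illustrative default, not an nscd default.
    """
    size = nscd_suggested_size(expected_users)
    return "\n".join([
        "enable-cache            passwd  yes",
        f"positive-time-to-live   passwd  {ttl}",
        f"suggested-size          passwd  {size}",
    ])


if __name__ == "__main__":
    # For 1000 expected LDAP users this prints suggested-size 2003.
    print(nscd_passwd_stanza(1000))
```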
Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 17:20, Martin Steigerwald wrote:
>
> Héctor González - 09.11.18, 00:02:
> > >> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > > [snip]
> > >
> > >>> So my next question is, what's the recommended package to
> > >>> authenticate with LDAP and allow users to login to a desktop via
> > >>> their LDAP account? I've seen various options for PAM and NSS,
> > >>> but do I need to configure both or just one?
> > >
> > > [snip]
> >
> > You can use libpam-ldap for this, it handles the authentication part.
> […]
> > There is also nslcd, which I remember using with samba-ad, as nscd
> > didn't like that ldap for some reason, and it has a different config
> > file /etc/nslcd.conf
> >
> > I'd use nscd first, and if you run into trouble try nslcd.
>
> I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several
> advantages¹.

Yes, I've tried libnss-ldapd with libpam-ldapd and nslcd, and it seems to be working fine for ldap-based logins. Thanks.

> Or use sssd, in case it can be installed without pulling libsystemd0 /
> systemd. But for that you'd need to create the configuration file by hand.
> It is not very difficult, but it would configure with debconf questions
> like nslcd does.
>
> It may be an option to use 389 directory server instead of OpenLDAP.
> SUSE just made that move with SLES 15. And it has a GUI. I did not yet
> test it more thoroughly, so I have nothing more to say about it.

389 DS is part of the FreeIPA system, and my limited reading of it previously was that it's not so fabulous when running on non-Red Hat systems, hence why I decided to look at alternatives.

> Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or
> libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5,
> it might work together with it.
> Of course Samba as AD DC (ideally together with Heimdal instead of MIT
> Kerberos) is also an option.
>
> From what I saw with preparing training slides for all of these: I'd
> like something simpler, still secure for all of that. Kerberos and LDAP
> are hefty regarding their complexity.

Can Kerberos integrate with an existing OpenLDAP database, or would I have to maintain two separate user databases? After a lot of reading, I'm still not sure how to implement Kerberos properly with LDAP. A lot of guides show how to install Kerberos as a standalone system, and when they also say "Kerberos is often used with OpenLDAP" they always include the proviso "but we won't describe how to do that in this guide".

Thanks,
--Tom
[DNG] Network error after upgrading packages on beowulf
I ran a package update on a beowulf server last week, and now when I login via SSH I have noticed that networking appears to be partially broken. I can ping localhost, but no hosts outside of the machine, either from the local subnet or external like google. There seems to be no outbound networking working.

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C

# host google.com
;; connection timed out; no servers could be reached

# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.063 ms
^C

# traceroute localhost
traceroute to localhost (127.0.0.1), 30 hops max, 60 byte packets
 1  localhost (127.0.0.1)  0.061 ms  0.027 ms  0.023 ms

# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
send: Operation not permitted

# wget -O- checkip.dyndns.com
--2018-11-12 11:35:02--  http://checkip.dyndns.com/
Resolving checkip.dyndns.com (checkip.dyndns.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘checkip.dyndns.com’

Have there been any problematic package updates for beowulf/buster in the past week? Is there any way to recover from this, or am I stuck with reinstalling?

--Tom
Re: [DNG] Implementing directory services/Kerberos
Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):

> nslcd appears to be working fine here now. I don't think I need to
> fiddle with any nscd settings at this point in time.

nscd is a cache for (a configurable subset of) numerous types of names, including /etc/passwd, /etc/group, /etc/hosts, /etc/services and /etc/netgroup (but pointedly not /etc/shadow) as called through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.

Some time back (it stuck in memory because of being a striking failure[1]), nscd had a longtime implementation flaw where it disregarded TTL (time to live) values on cached DNS reference records, so I'm _still_ not thrilled with the notion of entrusting the 'hosts' caching function to it. Were I to do a significant deployment today, I'd spare a moment to look into alternatives, like, obviously, Unbound / dnscache / pdns-recursor, Deadwood (which, albeit much more than just a cache, also don't raise code-quality concerns) -- or maybe just dnsmasq[2].

FWIW, nscd author (and former glibc maintainer) Ulrich Drepper disapproves of views like mine and Kyle Rankin's.
https://udrepper.livejournal.com/16362.html

[1] nscd has cached TTL since a 2004 source code check-in, but it's appalling that the ability was missing even that long -- not to mention the difficulty of getting it right, e.g. the 2010 bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=656014

[2] https://www.linuxjournal.com/content/localhost-dns-cache
Re: [DNG] inconsistent scanner device number on USB bus
On Sat, 10 Nov 2018 13:17:24 -0500 Haines Brown wrote:

> I'm running ASCII and attempting to get a Canon LiDE 220 scanner to
> work.

I don't know enough to help, but thought I might share that I own a Canon LiDE 120. While it was listed as being supported, it turns out that Canon quietly swapped out critical components and mine actually has an unsupported chipset. I hope you didn't get hit by the same sort of issue.