[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-26 Thread Daniel Richard G.
Robie, thanks for commenting. Note that the ldap-auth-config package does not preclude alternate forms of managing /etc/ldap.conf. It won't touch an existing config file, nor complain if the one it creates is modified. Also, while this package does not exist in Debian, the file is still created wh

[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-25 Thread Daniel Richard G.
I think Thierry's solution in comment #10 is the way to go. It's appropriate for ldap-auth-client to depend on libpam-ldap, because that's the intent of the metapackage. But ldap-auth-config provides /etc/ldap.conf, which you need whether or not you're using LDAP for authentication. (That package w

[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-25 Thread Daniel Richard G.
** Also affects: ldap-auth-client (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in Ubuntu. https://bugs.launchpad.net/bugs/334374 Title: libnss-ldap should not depend

[Bug 1131383] [NEW] Wishlist: $SSH_AUTH_SOCK in $XDG_RUNTIME_DIR

2013-02-21 Thread Daniel Richard G.
Public bug reported: This is a wishlist item for openssh-client 6.0p1-3ubuntu1 in Ubuntu Quantal. Now that XDG_RUNTIME_DIR support is available, it would be nice if the /etc/X11/Xsession.d/90x11-common_ssh-agent X session startup script would check to see if the variable is set, and if so, pass a

[Bug 1098294] [NEW] Use of uninitialized value $admin in string eq at ...

2013-01-10 Thread Daniel Richard G.
Public bug reported: When I install krb5-config 2.3 (along with some other Kerberos-related packages) on Ubuntu Quantal, I see this: [...] Get:8 http://$APTHOST/ubuntu/ quantal/universe krb5-user amd64 1.10.1+dfsg-2 [114 kB] Get:9 http://$APTHOST/ubuntu/ quantal/universe kstart amd64 4.1-2 [54.3

[Bug 483928]

2012-12-05 Thread Daniel Richard G.
And a year later, this issue still afflicts OpenSSH 6.1p1 (as packaged by Ubuntu). Aab's patch still applies, if fuzzily, and still hardens up ssh-keyscan so that it can deal with my company's network.

[Bug 483928]

2012-12-05 Thread Daniel Richard G.
I don't think anyone will fault you for having more momentous matters to attend to! As it is, I've gone without doing a network scan for that long anyway. Thanks for formally submitting the patch; hopefully this issue will be put to rest soon. Best of luck with the transition to a retired life, an

[Bug 483928]

2011-12-01 Thread Daniel Richard G.
(In reply to comment #41) > > The number of ways that key access can be terminated keeps increasing, > doesn't it? I hope it won't be necessary to enumerate them all before this bug can be closed! > My oops. I have had my focus redirected to other projects and, > besides, I'm very lazy (;-}). >

[Bug 483928]

2011-12-01 Thread Daniel Richard G.
Okay, I tried Ubuntu's packaging of OpenSSH (version 1:5.8p1-7ubuntu1) with your patch, and it powered through everything. Here is a list of all the error messages I received: A.B.C.D: Connection closed by remote host Connection closed by A.B.C.D Connection to A.B.C.D timed out while waiting to re

[Bug 483928]

2011-11-27 Thread Daniel Richard G.
(In reply to comment #38) > I haven't seen this one before. The text you included indicates that > ssh-keyscan was processing a Protocol 2 key and it should be using the > modified code to do it. Is there any way that you could send me a > traceback when the failure occurs? I'll do that, when I'

[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2011-03-14 Thread Daniel Richard G.
Yes, I'm afraid. Joshua's patch has not yet been committed (as of Natty).

[Bug 483928] Re: ssh-keyscan(1) exits prematurely on some non-fatal errors

2011-02-22 Thread Daniel Richard G.
** Bug watch added: OpenSSH Portable Bugzilla #1213 https://bugzilla.mindrot.org/show_bug.cgi?id=1213 ** Also affects: openssh via https://bugzilla.mindrot.org/show_bug.cgi?id=1213 Importance: Unknown Status: Unknown

[Bug 483928] Re: ssh-keyscan(1) exits prematurely on some non-fatal errors

2011-02-22 Thread Daniel Richard G.
I'm still seeing this with openssh-client 1:5.5p1-4ubuntu5. From a makefile that invokes "ssh-keyscan -v": [...] debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: match: OpenSSH_3.6.1p2 pat OpenSSH_3.* # A.B.C.D SSH-1.99-OpenSSH_3.6.1p2 debug1: Enabling comp

[Bug 711465] Re: mod_rewrite directives in section confusingly disable rewrites in .htaccess

2011-02-01 Thread Daniel Richard G.
Adding "RewriteOptions inherit" doesn't seem to have any effect, whether in the section or the .htaccess file. Besides, looking at the documentation... "inherit - This forces the current configuration to inherit the configuration of the parent. In per-virtual-server context, this means that the m

[Bug 711465] [NEW] mod_rewrite directives in section confusingly disable rewrites in .htaccess

2011-02-01 Thread Daniel Richard G.
Public bug reported: Binary package hint: apache2.2-bin Reporting this against version 2.2.16-1ubuntu3.1 in Maverick. I have apache2 configured in the following way: 1. mod_rewrite is enabled; 2. "AllowOverride All" is set (on /var/www) to enable the use of .htaccess files; 3. "RewriteEngine

[Bug 660105] Re: when deflate is enabled, please also compress CSS and JS by default?

2011-02-01 Thread Daniel Richard G.
I think this would need an explicit decision to de-support IE6, as far as compressed JS is concerned. (I can't remember offhand which clients couldn't handle compressed CSS; was it anything newer than Netscape 4?) http://www.cforcoding.com/2009/05/supercharging-javascript-part-6.html ("Sup

[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2010-09-23 Thread Daniel Richard G.
Yep! That's the idea. I would tack on the "(8)" man-section suffix to the program name, but at any rate, this is all that's needed.

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-05-15 Thread Daniel Richard G.
> I don't think moving parts of the user configuration out of the config files is acceptable, and if you disable and then re-enable a module, I don't see any reason that the config options *should* be sticky. I wasn't so much proposing an alternative, just going over the shortcomings I see of this

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-05-14 Thread Daniel Richard G.
Happy to give it a try, Steve. I just commented in that bug report. This is a potential solution, but putting aside the tricky case of "what happens if the common-* files have customized options, and then the PAM profile changes?", another problem with this approach is the fragility of the customi

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> Er, how is it silent when pam-auth-update asks you a question? Silent, in the sense that when you run p-a-u, it doesn't indicate that the common-* files have been modified in any way; it just presents you with the same checkbox-list of profiles. You leave everything as-is, hit OK, look at the fi

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> No, it's persistent unless you disable pam_krb5 entirely. Have you tried it? Yeah, where pam-auth-update asks you "Override local changes to /etc/pam.d/common-*?" I see the man page says something about preserving module options, but if I add an option to (say) common-auth, and re-run p-a-u, the

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> They may want to, but I don't think the added complexity of debconf solely for what I believe is a rarely-used option makes sense. [...] I don't think debconf offers much benefit here. Fair enough, though I hope you're not suggesting direct modification of the /etc/pam.d/common-* files as a prac

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-12 Thread Daniel Richard G.
> I guess I'm a bit baffled by why fixing your PAM configuration is a workaround but installing a custom krb5.conf is a desired configuration step. krb5.conf is a config file under /etc. That's the ideal place to make configuration changes. As it is, right now, adding the minimum_uid bit involves

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-12 Thread Daniel Richard G.
> But I suppose that's what NEWS.Debian is for. You could also stick in a debconf notice, like what x11-common had for a while ("Major possible upgrade issues"). > Right -- if you're already distributing a krb5.conf with this setting, surely the same mechanism could be used to override the PAM co

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-07 Thread Daniel Richard G.
Isn't it possible to use debconf to change around the enabled profiles, via the libpam-runtime/profiles selection? Steve: I'm not sure I understand what you mean by "automatically apply ... by the same mechanism." I can set minimum_uid in krb5.conf, but I also have to toss the minimum_uid= options

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-31 Thread Daniel Richard G.
Thought about the upgrade process a bit. How about this: 1. kerberos-configs starts generating new krb5.conf files with minimum_uid=1000. Then a little later... 2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On upgrade, it checks to see if this is in krb5.conf. If yes, great. If no

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
You can see why I'm pushing on this. It's pay now, or pay later... no real gain in waiting :-] Ah, yes, users who've been dist-upgrading their Ubuntu installs since Warty... I guess there's no such thing as "temporary" postinst logic, if those need to be handled. A warning wouldn't be so bad. The

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
What about just punting on upgrades altogether, and putting in the rearranged config only on a new install? Could that be done with appropriate postinst magic? Alternately, you could pop up a big scary debconf warning... there's ample precedent for that.

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
No no, the goal is not to have Kerberos users with uid < 1000. It's to push minimum_uid higher, so that you can have normal 1000-something-uid local users authenticate without any Kerberos interaction. Same argument as for the root user and ignore_root. As for doing the upgrade, isn't pam-configs/

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
I know this isn't a big deal in the larger scheme of things, but it's the difference between being able to use the stock krb5 profile, and having to maintain a custom one. (And remember, the current behavior involves headaches if you have any non-root local users.) Please bring this up with Sam wh

[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2010-03-30 Thread Daniel Richard G.
Hi Dustin. I just noticed you're the author of nssldap-update-ignoreusers(8) ^_^ Does this look like a reasonable thing to add?

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
Can we get minimum_uid out of pam-configs/krb5 for Lucid?

[Bug 536930] [NEW] Password changing fails when "krb5" pam-config is not first

2010-03-10 Thread Daniel Richard G.
Public bug reported: This concerns libpam-krb5 3.15-1 in Karmic. If you use the "krb5" profile for pam-auth-update, password changing works correctly---unless another profile goes above it, and the "Password" clause is used instead of "Password-Initial". (I simulated this by bumping the priority

[Bug 483928] [NEW] ssh-keyscan(1) exits prematurely on some non-fatal errors

2009-11-16 Thread Daniel Richard G.
Public bug reported: Binary package hint: openssh-client This concerns openssh-client 1:5.1p1-5ubuntu1 in Karmic. I am using ssh-keyscan(1) for its intended purpose: building an ssh_known_hosts file for a large network. Most of the hosts on this network are well-maintained systems, with properly

[Bug 452461] Re: Cannot elide admin_servers from debconf config

2009-10-31 Thread Daniel Richard G.
Please let me know if any further information is needed. ** Changed in: kerberos-configs (Ubuntu) Status: Incomplete => New

[Bug 452461] Re: Cannot elide admin_servers from debconf config

2009-10-31 Thread Daniel Richard G.
Sorry for not following up sooner. I want to set up my /etc/krb5.conf file via debconf, as is currently implemented, but I want to do things a little differently from what the scripts have been written to do. Normally, you'd specify something like this in debconf: krb5-config/kerberos_server

[Bug 452461] [NEW] Cannot elide admin_servers from debconf config

2009-10-15 Thread Daniel Richard G.
Public bug reported: Binary package hint: krb5-config I want to set up /etc/krb5.conf via debconf so that the file specifies "kdc" for my Kerberos realm, but not "admin_server" (nor "kpasswd") because I want those to be found via DNS. If I do the logical thing, however---give a value for krb5-co

[Bug 400776] Re: ssh-keyscan(1) hangs if broken server does partial handshake

2009-10-14 Thread Daniel Richard G.
The system in question, along with several others, was recently decommissioned and cannot be brought back online. (Honestly, we don't even know which physical machine it was.) This bug was trivially reproducible at the time that the report was filed, but I no longer have the means of doing so. **

[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2009-08-16 Thread Daniel Richard G.
This bug report needs a visual aid. ** Attachment added: "Current dependency graph (black edge = Depends, red edge = Recommends)" http://launchpadlibrarian.net/30386089/depgraph.png

[Bug 400776] [NEW] ssh-keyscan(1) hangs if broken server does partial handshake

2009-07-17 Thread Daniel Richard G.
Public bug reported: Binary package hint: openssh-client This concerns openssh-client 1:5.1p1-5ubuntu1 in Ubuntu Jaunty. I use ssh-keyscan(1) at a company site to create a global ssh_known_hosts file. I've found, however, that the program comes to a halt when it scans one particular system, an a

[Bug 382832] [NEW] Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2009-06-02 Thread Daniel Richard G.
Public bug reported: Binary package hint: libnss-ldap (This is an issue as of libnss-ldap 261-2.1ubuntu1 in Ubuntu Jaunty.) The nss_initgroups_ignoreusers line added by nssldap-update-ignoreusers(8) to the end of /etc/ldap.conf needs a comment at least indicating what added it. For those who ke

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2009-04-29 Thread Daniel Richard G.
minimum_uid in krb5.conf, and ignore_root in .../pam-configs/krb5 sounds like a good way to go. For sites that distribute a global krb5.conf, they can always add the minimum_uid option if they like---if it's not already there, the distribution is likely passing that in as a PAM module option anyway

[Bug 300221] [NEW] Add "Recommends: keyutils" to smbfs

2008-11-20 Thread Daniel Richard G.
Public bug reported: Binary package hint: smbfs Looking at smbfs 2:3.2.3-1ubuntu3 in Intrepid. Samba's CIFS kernel module (as invoked via mount.cifs(8), in smbfs) makes use of the kernel's new request-key infrastructure, but there is nothing at the package-description level to indicate the criti

[Bug 236830] Re: cifs does not support kerberos authentication

2008-11-17 Thread Daniel Richard G.
Unfortunately, CIFS with Kerberos auth is broken in Intrepid, due to bug 298208. Has anyone here gotten the upcall business to work in 8.10?

[Bug 270512] Re: openssh-client could suggest xauth rather than recommend it

2008-11-06 Thread Daniel Richard G.
Bug 51774 is about silent-failure behavior when forwarding X11 without xauth(1) on the remote side, which is a separate issue. Colin, you yourself said that a package dependency doesn't address that, and I agree. I also agree with Thierry's premise that those X11-related packages should not be pul