/srv/irclogs.ubuntu.com/2008/05/14/#ubuntu-server.txt

Deeps	!ebox	00:25
ubottu	ebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox	00:25
Konam	Deeps following the DHCP conversation we had, there's no way of define different subnets behind the same router using DHCP right? Is just that I keep reading examples of people that define a subnet by just changing one part of the IP address, which lead me to think that the machines in the example are behind the same router. for example here: http://en.wikipedia.org/wiki/Subnetwork#Subnets_and_host_count or here http://searchnetworking.techta	00:45
Konam	rget.com/sDefinition/0,,sid7_gci213065,00.html	00:45
Konam	sorry: http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213065,00.html	00:45
Deeps	in my house i have 1 router and 3 subnets	00:46
Deeps	the router has 3 network interfaces though	00:47
Deeps	if you're attempting to use a single router with a single network interface, you need vlan aware switches between your router and your clients	00:48
Konam	Deeps that's supported by any router? multiple interfaces? because I can't find it in mine	00:51
Deeps	i have 3 network cards in my router	00:53
Deeps	with 3 wires coming out	00:53
Konam	ok	00:53
Deeps	eth0 runs to the gbit switch for wired connections, eth1 to the wireless access point, eth2 to the neighbours flat	00:54
Deeps	(we'll skip past the atm, sit, tap and tun interfaces, heh)	00:55
Konam	ok, that explain it to me, thanks	00:57
Konam	I just wanted to know which are the posibilities	00:58
Deeps	how come you need multiple subnets?	00:58
Konam	I don't need it. I just didn't knew how could I set differents subnets behind one router	01:06
Konam	since the definitions and examples I found lead me to think that, was pretty confusing	01:06
Konam	very*	01:06
=== jjesse_ is now known as jjesse
uvirtbot	New bug: #230147 in openssh (main) "package openssh-server 1:4.7p1-8ubuntu1.1 failed to install/upgrade: " [Undecided,New] https://launchpad.net/bugs/230147	02:40
Ashfire908	I'm going to install xubuntu on my server as a sort of backup/mantaince mode, should i install ubuntu-server then the xubuntu metapackage, or install from the xubuntu (from the alt cd if it matters) and then switch to the server kernel?	03:15
mralphabet	up to you	03:18
Ashfire908	So it doesn't make a difference?	03:18
giovani	Ashfire908: I'd highly recommend not installing a gui on your server ... but if you must ... install ubuntu-server first, and then xfce on top of it	03:21
Ashfire908	Well this is not going to be the primary system	03:22
giovani	there's nothing useful about a gui for "backup/maintenance" -- in fact, it's likely to break far more often than the rest of the OS	03:22
Ashfire908	I will/have use/used it to do full backups of the drives and to do stuuf like manual fsck.....	03:23
giovani	that's not related to xfce though, nor can it be done with xfce	03:23
Ashfire908	what does it matter if when i'm using that system if it has a gui?	03:24
Ashfire908	I'm not going to run services while in it.	03:24
giovani	alright ... I have no idea what you're talking about now	03:25
giovani	but go ahead	03:25
Ashfire908	i'm installing a second os onto the server, and it's only going to be used to do stuff that i mentioned.	03:25
giovani	wait, a second OS?	03:26
Ashfire908	second install of ubuntu	03:26
giovani	you mean, you're planning to dual-boot different installs of ubuntu?	03:26
Ashfire908	one is a gui-less ubuntu server hardy, for when running it normally, then a second for only mantinece stuff of ubutnu server/xubuntu	03:27
giovani	there's really no need to do that	03:27
giovani	it's excessive, and will add to management time, security update efforts, and a whole host of things	03:27
giovani	a) you don't need a separate OS to do anything you've described ... b) for the things you've described, separating partitions would be the best way to handle fsck and backup/permissions issues on partitions	03:28
giovani	c) if you really did need a separate os ... a live cd would be much better for those instances than an entire install	03:29
Ashfire908	ubuntu livecds fail at boot	03:29
slicslak	what command should i be occasionly running to do security updates?	03:29
Ashfire908	they drop into busybox, and fail to fully create the file system	03:29
giovani	it doesn't need to be an ubuntu cd -- but you don't need a separate OS to do anything you've described	03:29
giovani	slicslak: apt-get update && apt-get upgrade (as root)	03:30
Ashfire908	fine, whatever.	03:30
giovani	but ... I wouldn't really advise putting that in cron, if that's what you're planning	03:30
Ashfire908	put what in cron?	03:30
giovani	that was directed at slicslak	03:31
Ashfire908	oh	03:31
Ashfire908	lol	03:31
Ashfire908	sorry	03:31
slicslak	giovani, thanks. just read https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html it seems after upgrading i just need to restart ssh server and it iwll generate new keys correct?	03:32
giovani	slicslak: you'll need to do an -- apt-get update && apt-get dist-upgrade for that particular security update (because it installs a new package, rather than just updated ones)	03:32
gregbrady	Ok everyone, I don't know where else to turn here. I have a mySQL database on a server that does not allow remote access to it. I need to be able to access it via OpenOffice Base but I have no idea how to go about that! Is there a way to import/address the .sql backup file?	03:32
giovani	yes, it will restart the ssh server, and regenerate for you ... it'll notify you ... so you can't do it in an automated fashion	03:33
Ashfire908	When i boot i get an error about an address not initialized, and to update the bios or force the addr.	03:33
giovani	Ashfire908: I wouldn't know anything about the ubuntu live cd ... it's hardly the best option for server mainenance -- something with a lot of disk-fixing tools oriented at server-rescue would be better	03:33
slicslak	wow! ya, it really get's your attention on	03:34
Ashfire908	no, this is at normal hard drive install.	03:34
Ashfire908	*at a	03:34
giovani	Ashfire908: you should be using the alternate install cd	03:34
Ashfire908	I do.	03:34
giovani	so the install cd isn't functioning at all?	03:34
Ashfire908	no	03:34
Ashfire908	this is with the already installed system	03:35
giovani	did you check the md5 of the iso? and verify the burn?	03:35
giovani	wait, are you trying to boot from the install cd?	03:35
Ashfire908	no	03:35
Ashfire908	i've already installed	03:35
Ashfire908	the atl and server cds work fine.	03:35
giovani	then what are you trying to do?	03:35
Ashfire908	It's a notice on boot.	03:36
Ashfire908	in the section where it loads the drives	03:36
Ashfire908	*drivers	03:36
giovani	does it fail to boot?	03:36
giovani	or does it just issue a warning, and continue?	03:36
Ashfire908	issues a warning	03:36
giovani	then I suggest you get a word-for-word copy of the error, and bring it here	03:37
Ashfire908	the server also temp. hangs at one of two places at boot.	03:37
Ashfire908	one sec...	03:37
Ashfire908	er about 3 min	03:37
Ashfire908	I took a picture, one sec	03:41
Ashfire908	piix4_smbus 0000:00:f.0: SMB base address uninitialized - upgrade BIOS or use force_addr=0xaddr	03:44
Ashfire908	(I removed the kernel timestamp from the front of it)	03:44
Ashfire908	During boot it either hangs for a bit after displaying that message, or after "Loading, please wait..."	03:45
giovani	well I'd take out the situation-specific parts of the errors ... and google it	03:48
Ashfire908	i am	03:48
giovani	-- piix4_smbus SMB base address uninitialized upgrade BIOS -- should suffice as a search term	03:49
Ashfire908	Do you know is force_addr is a kernel/boot option?	04:05
Ashfire908	nvm	04:09
leonel	with the openssl bug fixed today there's nothing to do to the apache certificates ??	04:20
ScottK	These are SSL/TLS certificates?	04:25
leonel	ScottK: are the https certs	04:25
ScottK	Yes. It does affect those.	04:26
leonel	ScottK: so we need to regenerate those certs ?	04:26
leonel	ScottK: or just reload with the new openssl?	04:27
ScottK	Both.	04:27
leonel	ScottK: I know that when using public key auth the attacker can log on the system but for https ?? what can be done ?	04:32
dendrobates-	leonel: you can check your private key with openssl-vulnkey. If it is ok, than you do not need to regenerate	04:32
ScottK	leonel: Ask yourself why you have https and would you care if you didn't all of a sudden.	04:33
ScottK	If the key is vulnerable ...	04:33
dendrobates-	leonel: it is part of the openssl-blacklist package	04:33
leonel	dendrobates-: thanks	04:33
leonel	ScottK: so for the attack on https the attacker needs to be in the middle and can decrypt the data ??	04:34
dendrobates-	leonel: that or a tcpdump of the session. and then they would have to brute force it.	04:35
ScottK	leonel: Yes. But for the attacks https is meant to defend against, that's always the case.	04:35
leonel	dendrobates-: openssl-blacklist ?? or is openssh-blacklist ?	04:36
ScottK	One sarcastic comment from another forum today, "I wouldn't worry too much about SSH key cracking. It's not like the bad-guys have access to millions of compromised CPUs......"	04:36
ScottK	dendrobates-: Is that going to work for X.509 certs (openssl-vulnkey)?	04:37
dendrobates-	leonel: openssl-vulnkey for ssl keys and ssh-vulnkey for ssh keys	04:37
ScottK	Ah.	04:38
dendrobates-	ScottK: it should work on the private key that encrypts the cert, so yes.	04:38
ScottK	OK.	04:38
ScottK	Maybe in my copious free time I'll go into my backups and check. By the time those were out today, I'd already regenerated everything.	04:39
ScottK	dendrobates-: I'm guessing you've had a 'fun' day.	04:40
leonel	dendrobates-: openssl-blacklist is in gutsy ??	04:43
ScottK	leonel: After you install the security updates.	04:43
leonel	I've installed the updates and there wasn't a openssl-blacklist did apt-get update and there it is	04:46
ScottK	You need so apt-get dist-upgrade to get the new package.	04:47
leonel	ScottK: did that for openssh and installed openssh-blacklist	04:48
leonel	didn't installed openssl-blacklist	04:48
leonel	installed now	04:48
ScottK	Ah. I don't think I've seen the openssl-blacklist either now that you mention it.	04:48
ScottK	dendrobates-: ??	04:48
ajmitch	I don't think it's depended on like openssh-blacklist is	04:51
ajmitch	hm, openvpn depends on it	04:52
ajmitch	(at least on hardy)	04:52
dendrobates-	ScottK ajmitch: it will be a dependancy of the ssl-cert package	04:54
dendrobates-	which will be updated soon.	04:54
dendrobates-	leonel: yes it is in gutsy	04:55
ScottK	I just say "Caedite eos. Novit enim Dominus qui sunt eius."	04:56
ajmitch	sounds fair for some	04:58
ajmitch	though getting new SSL certificates signed isn't necessarily simple	04:58
ScottK	Yeah. I don't have to deal with anything that's not self-signed.	04:58
ajmitch	I do, but it's only a couple of ssh host keys that I really need to replace	05:00
ScottK	Two hours of bug hunting... Slap of the forehead.... Add one line of code... It works ... Head desk.	05:04
ajmitch	that sounds like a usual day for me	05:07
* ajmitch is glad to not get paid by lines of code :)		05:07
ScottK	Unfortunately in this instance I'm providing a service, so the less time I have to spend on it, the more profitable it is for me.	05:09
ajmitch	and people don't really see much of a service in 1-line fixes, usually	05:10
ScottK	This was service working and customer happy versus service not working and customer annoyed.	05:15
ScottK	My code for my service. No hourly rates at all.	05:16
Bambi_BOFH	hi all	05:16
Bambi_BOFH	when i use keybased ssh and change the keys on my client, the server should refuse entry. is that correct?	05:16
ScottK	Unless you give it the new cert. Yes.	05:18
Bambi_BOFH	sigh. bad start	05:19
Bambi_BOFH	thanks ScottK	05:19
Bambi_BOFH	odd. i changed my user+laptop keys, but the server kept allowing me in until i removed the .authorized_hosts file	05:22
Bambi_BOFH	hope that was pebkac on me	05:22
nealmcb	Bambi_BOFH: was an ssh-agent (or seahorse-agent?) caching the key for you	06:00
Bambi_BOFH	nealmcb: good though - i do have seahorse running. that might be what caused that... anomaly	06:03
* Bambi_BOFH cleans his cache		06:03
leonel	ScottK: dendrobates- Thank YOU !	06:23
spiekey	hello!	07:32
spiekey	could someone please check what mx address bortal.de has?	07:32
soren	spiekey: /msg'ed.	07:40
spiekey	thanks!	07:43
spiekey	that looks good, but i still get mil on the old server grrr	07:44
\sh	spiekey, dns cache is awesome...and sometimes doesn't honour ttls	07:51
Bambi_BOFH	want a 2nd report? :) (dont know if the dns will look different this side of the world)	07:53
InsomniaCity	Hi! Am I safe to do the openssh-server updates over an ssh connection?	08:11
Bambi_BOFH	assuming your link is stable yes	08:11
InsomniaCity	so it does depend on keeping that ssh connection open?	08:12
Bambi_BOFH	if it drops out you cant/will have trouble settin up a new one.	08:12
Bambi_BOFH	also make sure you can log in using passwords before doing the sshd restart	08:12
Bambi_BOFH	s/restart/upgrade	08:13
InsomniaCity	ok, thanks.	08:13
Bambi_BOFH	no worries.	08:14
falstaff_	Hello	08:23
falstaff_	Guys I really need help: I have regenerated my openvpn certificates and keys, but still ERROR: 'xxxxx.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.	08:23
falstaff_	Im not alone: http://forum.ubuntuusers.de/topic/174817/?p=1405337	08:26
falstaff_	Anyone an idea? OpenVPN seems to be unusable since this security update...	08:27
Bambi_BOFH	i dont know, but i'm about to try setting up ovpn again too	08:28
pschulz01	falstaff_: Same here!!!	08:29
falstaff_	As far as I see the things, the log message is generated by the openvpn binary	08:31
falstaff_	So my guess is that the openvpn binary does _NOT_ use the /usr/sbin/openvpnssl-vulnkey to verify if it is an vulnerable key or not	08:32
falstaff_	/usr/sbin/openvpnssl-vulnkey says to me that the key is not blacklistet...	08:33
pschulz01	falstaff_: yup.. same here.	08:34
pschulz01	openvpn client is not restarting after upgrade.	08:34
falstaff_	Which ubuntu version are you using? Im still on 7.10....	08:35
Bambi_BOFH	us too	08:36
falstaff_	pschulz01: And you?	08:38
Bambi_BOFH	falstaff_: us is me and pschulz01 :)	08:39
_ruben	hrm .. bug in init script of openipmi .. lets see if there's a lp entry yet for it	08:43
_ruben	(cant touch lockfile due lack of /var/lock/subsys/)	08:43
falstaff_	ok :-)	08:44
falstaff_	http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.1.diff.gz is interessting	08:45
falstaff_	openvpn is using "/usr/sbin/openssl-vulnkey -q %s"	08:45
falstaff_	to check the keyfile... do you use shared keyfile or private keyfiles?	08:46
pschulz01	falstaff_: Bambi_BOFH recreating new keys..	08:46
Bambi_BOFH	generated new keys and the client starts	08:49
Bambi_BOFH	so its a case of 'ignore helper tool'	08:49
kraut	moin	08:50
_ruben	ah crap .. /var/lock is a tmpfs mount .. so even if a pkg would create /var/lock/subsys/ it'd be destroyed	08:52
NineTeen67Comet	Hello all, I'm having an irritating issue with a couple packages on my server. aptitude full-upgrade works, except for: update-manager-core depends on python-apt (>= 0.6.16.2); however:	08:58
NineTeen67Comet	Package python-apt is not configured yet.	08:58
NineTeen67Comet	I've ran dpkg --configure -a .. and it kicks back the same'ish error .. help?	08:58
_ruben	i wonder what would be the best way of making sure /var/lock/subsys/ is created at boot time (after its mounted with tmpfs)	08:58
NineTeen67Comet	I've tried to re-install both packages, and they both tell me they can't be configured ..	08:58
Bambi_BOFH	our vpn is working again \o/ i'im heading off for dinner ;)	08:59
falstaff_	Bambi_BOFH: Just regenerating keys? i regenertad the keys too, but doesn't work for me...	09:07
lupinsky	hello i have problem configuring cupd server	09:33
lupinsky	i can't access from the web interface	09:33
lupinsky	i have added Listen 631	09:33
lupinsky	DefaultEncryption Never	09:34
lupinsky	and in the <location />	09:35
lupinsky	allow from 192.168.1.0/24	09:35
falstaff_	Okey fixing a vulnerable and build a new one is not what ubuntu should do, isnt it?	09:38
_ruben	bah .. my hardy machine hangs on shutdown, reboot works fine tho	10:57
ScottK	Are the cert changes the SSL tool makes logged anywhere?	13:35
nealmcb	ScottK: good question. The place to start looking seems to be /var/lib/dpkg/info/openssh-server.postinst and I guess the ssh-vulnkey code	13:44
ScottK	Well I wish the process were transparent.	13:45
ScottK	I went through (I thought) and regenerated everything that needed doing yesterday.	13:45
ScottK	My laptop told me it was fixing something, but I have on idea what (I'm guessing snakeoil).	13:46
ScottK	This would have been the ssl one, not the ssh one anyway.	13:46
nealmcb	you can look for *.broken files	13:46
ScottK	I'm certainly not going to run that tool on a server with production SSL/TLS certs without some clue.	13:47
ScottK	OK. Thanks.	13:47
nealmcb	oops - right - ssl...	13:47
ScottK	Nothing .broken.	13:48
nijaba	ScottK: afaik ssh-vulnkey by itself does not change anything	13:49
nealmcb	yeah - the consequences of vulnerable .ssh keys used for login are very different from the consequences of bad ssh host keys or ssl certs....	13:49
ScottK	nijaba: The ssl tool does regenerate something.	13:50
johnnybravo	I am trying to ssh into my server at home but I get the following :@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@	13:57
johnnybravo	@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @	13:57
johnnybravo	@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@	13:57
johnnybravo	IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!	13:57
johnnybravo	Someone could be eavesdropping on you right now (man-in-the-middle attack)!	13:57
johnnybravo	It is also possible that the RSA host key has just been changed.	13:57
johnnybravo	The fingerprint for the RSA key sent by the remote host is	13:57
johnnybravo	How to solve?	13:57
pablasso	i have the $PS1 vas setup un /etc/bash.bashrc aswell as each user ~/.bashrc, and it works fine while anyone logins via ssh, but when someone is already logged and changes users with 'su someone' the $PS1 is lost, where is that default located?	13:57
pablasso	johnnybravo: just delete that key in ~/.ssh/known_hosts	13:58
=== Navop__ is now known as Navop
emgent	johnnybravo: see usn-2	13:59
emgent	wait for link	14:00
emgent	johnnybravo: http://www.ubuntu.com/usn/usn-612-2	14:00
johnnybravo	pablasso, that did it thanks.	14:01
johnnybravo	emgent I'm looking into the link now....	14:02
nealmcb	johnnybravo: note also the -R option to ssh-keygen - may be easier than editing the file	14:07
johnnybravo	I assume that this warning is just that, a warning. I've check my logs and nobody has logged in by brute force	14:10
nealmcb	johnnybravo: given the recent USN, that is most likely. but for the paranoid, of course, an attacker could often fix the logs to cover traces	14:22
johnnybravo	nealmcb, true enough, and if that would be the case they are sharper than I, so let them go nuts	14:26
mok0	johnnybravo: delete the machines entry in ~/.ssh/known_hosts	14:50
cyris\|	Morning everyone	15:01
pteague	if i have several physical drives... would it be better to put swap across multiple drives or just dump it on the 1?	15:01
=== sergevn_ is now known as sergevn
Mastacheata	pteague, I think splitting it up will give you better write performance of the swap but less read performance, so this might just be a personal decision	15:03
_ruben	pteague: add more ram so swap becomes a (nearly) non-issue	15:03
dennda	Hi. I just upgraded a freshly installed dapper system to hardy using update-manager-core and now the kernel log daemon, klogd, needs ages to restart itself. Is that a known issue?	15:04
_ruben	and i dont think there's much performance difference, there's no raid logic applied afaik	15:04
pteague	old hardware i'm repurposing as a mythbuntu box - amd 2.6ghz with 1gb ram i think	15:04
dennda	\sh: didn't you manage to do that? :)	15:05
dennda	gnarf. I restarted and can't login now because it (most likely) hangs loading the klogd	15:08
* dennda restores and tries again... annoying		15:12
cyris\|	Hey everyone. Installing the openssh-blacklist package will prevent users with weak ssl keys from connecting to my server correct?	15:13
\sh	dennda, nope :)	15:13
\sh	dennda, I need to do it still on my old rooty ;)	15:13
ScottK	cyris\|: ssh/ssh, but yes.	15:14
cyris\|	ScottK, ah yes that what i ment :D	15:14
dennda	\sh: I was under the impression that I read a posting of yours where you happily claimed you updated your ubuntu boxes to hardy RC	15:14
dennda	if this fails again I'll need to annoy somebody :)	15:15
ScottK	He did, but from Gutsy, not Dapper. I've done a bunch of Gutsy -> Hardy upgrades with no trouble I didn't bring on myself.	15:15
dennda	ScottK: this is a completely basic dapper install. I did not do anything to it other than adding dapper-updates, installing update-manager-core and executing the upgrade dapper -> hardy. and that failed. I'll give it another shot	15:17
\sh	dennda, nope...I installed the RCs on a virgin box...	15:17
dennda	ah ok	15:17
dennda	I don't have physical access	15:17
ScottK	dennda: Reporting bugs is useful. It's 8.04.1 that's aimed at supported Dapper -> Hardy upgrades.	15:18
emgent	someone know who is DaD sysadmin ?	15:18
ScottK	emgent: Lutin or Adri2000	15:18
dennda	ScottK: oh. that's the first time I read that	15:18
emgent	ScottK: thanks	15:18
cyris\|	I'm not findnig the openssh-blacklist package in the repo's, anyone else having this problem?	15:18
dennda	http://www.ubuntu.com/getubuntu/upgrading#head-e059d5452a24b50d09c64df48058ef2d834eb197-2 <-- doesn't say anything about it	15:18
ScottK	dennda: It's in the Hardy release notes.	15:19
immesys	I'm setting up a high load samba server. What is the best filesystem to use?	15:20
dennda	gnah, 3rd of july	15:20
dennda	definitely can't wait that long	15:20
ScottK	Actually I looked and it's not in the release notes. I swear it was there at one point.	15:23
ScottK	In any case developers are still working on making upgrades go better, so reporting bugs in Dapper -> Hardy upgrades is useful.	15:23
dennda	any way I'll need a punching ball in case it fails again :)	15:24
dennda	yeah I'll do that	15:24
dennda	.oO(though I am a bit surprised how recent the django version of dapper is...)	15:25
dennda	again... starting klogd lasts forever	15:29
ogra	sounds like a missing loopback device or broken localhost entry in /etc/hosts	15:32
cyris\|	after installing the openssh-blacklist, is a restart of the openssh-server required? or another futher configuration?	15:34
dennda	ogra: are you talking to me, oliver?	15:35
ScottK	cyris\|: When you install the update it gets restarted.	15:36
ogra	dennda, well, was just a comment generally spoken o the room ... :) but yes, referring to your klogd	15:36
ogra	s/o/to/	15:36
dennda	ogra: I can tell you what the contents of the files are if you like	15:37
dennda	maybe you have an idea what is wrong	15:37
ogra	ifconfig -a .... check if loopback is up	15:37
ogra	and look into /etc/hosts	15:37
dennda	UP LOOPBACK RUNNING	15:38
dennda	aaand:	15:38
cyris\|	ScottK, ok I think I have a problem then. I know that a particular user account has a weak ssl key, and yet after installing the blacklist package they can still shell in.	15:39
dennda	ogra: http://paste.pocoo.org/show/50164/	15:39
ogra	cyris\|, sudo ssh-vulnkey -a	15:39
ogra	cyris\|, what does that give you ?	15:39
cyris\|	ogra, hello :D um I don't have ssh-vulnkey, I was using the dowkd.pl script to test for weak keys	15:40
ogra	dennda, hm, looks fine	15:40
dennda	after 10 minutes or so it is now reported that restarting of klogd FAILed	15:40
ogra	cyris\|, dont do that and finish your upgrae first :)	15:40
ogra	(dont use dowkd.pl i mean, its known to not catch all keys)	15:41
ScottK	cyris\|: Do what ogra says.	15:41
dennda	at least I let it finish now	15:41
dennda	let's see what happens	15:41
cyris\|	Wow, ok I ran apt-get upgrade yesterday and I'm sure it updated openssl, but now there is new upgrades?	15:42
ogra	they were held because you didnt install the blacklist package yet	15:42
cyris\|	OH! makes sense I guess	15:42
cyris\|	Ok so with this update, will it regenerate all keys detected as weak? or am I going to have to do this?	15:43
ogra	(and thats why i asked you to check with the vulnkey proggy, that comes only with the upgrade, so i know you are outdated still ;))	15:43
pteague	GRUB loading, please wait... \ Error 17	15:44
ogra	it will regenerate what it can ... i.e. ssh server/host keys but not the user keys	15:44
pteague	woohoo!	15:44
dennda	gnarfgnarfgnarf	15:44
* dennda files a bugreport and curses		15:44
cyris\|	Ok. so now I'm up to date. So it regenerates the host keys for this server correct?	15:45
ogra	dennda, thats a real machine or one of the hosteurope vhosts ?	15:45
=== joerlend_ is now known as XiXaQ
ogra	cyris\|, sudo ssh-vulnkey -a will now tell you	15:45
ogra	it checks all keys it can find	15:46
dennda	ogra: vps	15:46
ogra	you know that doesnt allow to upgrade the kernel right ?	15:47
dennda	yes	15:47
ogra	it uses the host kernel	15:47
dennda	I know	15:47
ogra	which definately leads to probs	15:47
dennda	what do you suggest? disabling klogd?	15:47
cyris\|	ogra, Some compromised keys were detected	15:47
ogra	dennda, talk to hosteurope support	15:48
ogra	dennda, well, and as short term solution yes, disable what breaks	15:48
ogra	cyris\|, fix these then	15:49
ogra	the output should tell you the filenames	15:50
dennda	ogra: they will tell me that hardy is not supported	15:50
ogra	well, they know why	15:51
dennda	ogra: just put exit 0; before anything else in the startscript?	15:51
ogra	mv the S file in /etc/rc2.d to be a K file	15:52
ogra	else upgrades will overwrite your changes	15:52
ogra	or rcS.d wherever klogd sits	15:52
cyris\|	ogra, the only problem i'm having now is the entries in my /root/.ssh/authorized_keys2 . should I just remove this file or clear it?	15:55
ogra	or the lines in doubt	15:55
ogra	as you like	15:55
dennda	ogra: mv S11klogd K11klogd ?	15:58
ogra	dennda, right	15:58
ogra	that way update-rc.d in the package wont touch the setup (just removing it or changing the content would bring it back on updates)	15:58
* dennda just left repair mode. let's see if it works		15:59
ogra	dennda, the question is really what else is broken	16:00
ogra	i bet udev might run into probs with an old kernel as well for example	16:00
dennda	so you suggest using dapper until the problems are sorted out?	16:01
dennda	(if they are ever being sorted out)	16:01
cyris\|	alright, so if ssh-vulkey -a doesn't detect any compromised keys, am I good to go get a coffee? :D	16:01
ogra	well, the problem is on hosteurope side nothing ubuntu could do about that	16:01
ogra	cyris\|, enjoy as long as its hot :)	16:01
dennda	didn't work anyway	16:02
dennda	well, let's hope that dappers packages are recent enough for me then	16:02
dennda	django seems to be	16:02
cyris\|	ogra, one more question tho if you don't mind. Do each of my users have a ssl key since they use ssh ? I have about 20 users who shell in.	16:02
ogra	well, you should check their keys as well indeed	16:03
ogra	ssh-vulnkey takes filenames as option	16:04
cyris\|	ogra, ssh-vulkey won't detect these keys?	16:04
cyris\|	ogra, hrm no fast way to do this?	16:04
dennda	ogra: I shall not report a bug then?	16:04
cyris\|	ogra, as you can see, i have some reading to do, but im just wanting to get this machine all patched up :D	16:05
dennda	whilst we are at it: dapper is not affected by those ssl bugs, is it?	16:05
ogra	dapper isnt	16:06
ogra	dennda, well, ymmv no idea where you get with such a bug, mention in any case the setup and the vhost	16:06
cyris\|	ogra, do users use the host keys on the system ?	16:08
ogra	users use their keys in ~/.ssh usualy	16:09
cyris\|	ogra, hrm ok. so can a user shell in if they dont have a .ssh directory?	16:10
uvirtbot	New bug: #230174 in openssh (main) "[Gutsy] ssh installation results in COMPROMISED keys" [Undecided,New] https://launchpad.net/bugs/230174	16:11
cyris\|	ogra, or are those directories used to store know_hosts ?	16:11
ogra	that as well	16:12
zul	mathiaz: for the dovecot SRU im just writing up the testcase now so they setup dovecot with SSL, Run the create user script and then they run the test script correct?	16:15
mathiaz	zul: yeah - you could also add to set the login_max_process_count option to 4	16:16
mathiaz	zul: hardy should timeout quickly	16:17
zul	coolio thanks	16:17
cyris\|	ogra, thanks for your help today, going to have a coffee and I'm going to start fixing up this other machine now :S	16:19
ogra	good luck :)	16:25
zul	mathiaz: dovecot uploaded	16:25
zul	to hardy-proposed	16:25
pteague	whee! grub error 17 again... guessing i need to fix an mbr	16:34
troja	Hi all	16:46
troja	Anyone with info about held back packages, OpenSSH server and client for Hardy. Launchpad nada	16:47
troja	Sorry kept back packages	16:48
Deeps	install openssh-blacklist	16:48
ScottK	troja: sudo apt-get dist-upgrade	16:49
ScottK	That will install the new package.	16:49
troja	Yup... installing :)	16:49
troja	We have a mess in Sweden with archive servers 1 week behind and all the notes about this issue. USN 614-1 to 4	16:50
ScottK	Security updates should come from security.ubuntu.com, not from a mirror.	16:52
* delcoyote hi		16:52
troja	ScottK... nope nada but after changing sources.list it was OK except the blacklist package and kept back packages....	16:53
_Nicke_	ScottK: My upgrade from Gutsy to Hardy changed my sources.list to use se.archive for hardy-security too, fwiw	16:53
_Nicke_	not sure if that's caused by me or something...	16:54
_Nicke_	uhm, never mind.. gutsy-security was handeled by se. for me too it seems (now I wonder when that happened)	16:55
ScottK	Dunno. Mine all say http://security.ubuntu.com/ubuntu.	16:57
_Nicke_	yeah.. I have security. commented out for feisty-security.. but that's it.. oh well, probably my fault somewhere	16:57
Koon	Hmm. in my case it also downloads from fr.archive.ubuntu.com	16:58
Koon	for security	16:58
Koon	I suppose when you select a specific source server in the GUI it changes them all	16:59
giovani	another reason not to use that gui	16:59
giovani	mine is security.ubuntu.com for gutsy	16:59
mathiaz	Koon: I don't think that the -security are changed.	17:00
troja	Mine was totally default, installed 1 week ago.	17:00
troja	Bug ?	17:00
Koon	mathiaz: testing right now	17:00
SuperLag	Okay. The LVM configuration during the install doesn't make sense to me.	17:00
mathiaz	better to always point to security.ubuntu.com for -security.	17:00
mathiaz	security updates are copied to -updates and thus hit the mirrors in a matter of days.	17:00
Koon	mathiaz: it changes them all	17:02
Koon	all uncommented deb abd deb-src lines	17:02
SuperLag	I thought you'd create the PV, then you'd partition	17:04
SuperLag	but you separate the PV into partitions, then add them to LVM??	17:05
troja	SSH restarded but	17:18
troja	"Read from socket failed: Connection reset by peer"	17:18
troja	Client keys removed within the host_known file ...	17:18
troja	The client also got a bunch of packages....installed	17:18
troja	Time for the keyboard and screen again for the server....???	17:18
giovani	did you regenerate the keys on the server-side like the ubuntu package forces you to do during installation?	17:19
Koon	mathiaz: that's strange... I fixed the file and changed again from the GUI : it didn't touch the security deb lines	17:20
Koon	mathiaz: so that would mean it only replaces last servername by the new (which is good)	17:21
Koon	mathiaz: but I clearly didn't modify the deb security lines myself... and it's a very recent 8.04 new install	17:21
troja	giovani...I got the Debconf screen on the client but not the server.	17:22
troja	Probably time for the keyboard and screen... :)	17:22
Koon	I suspect some installer thing. for localized installs it replaces all lines with the local server	17:22
Koon	I'll recheck with a fresh install next time I do one	17:23
giovani	troja: ... that's not good -- what release?	17:24
troja	giovani ... Hardy well it was a package mess within the SSH server, dpkg --reconfigure -a solved it.	17:27
troja	I can talk to my magic box again...:)	17:27
troja	Thanks all !	17:27
Deeps	trying to write a shell script, got a line abcd.12.34.efgh, trying to match using ([a-z]+).([0-9]+) and pull out abcd and 12 into separate variables. any tips?	17:32
Deeps	the regex itself works, i just cant work out how to make it return match values based on the parenthesis	17:32
uvirtbot	New bug: #230344 in openssh-blacklist (main) "bug in ssh-vulnkey - ref USN-612-2 (dup-of: 230029)" [Undecided,New] https://launchpad.net/bugs/230344	17:36
good_dana	where can i find out if i'm affected by the ssh vulnerability? i just updated 2 of my servers and neither of them had any ssh updates	17:48
giovani	good_dana: what ubuntu release are you running?	17:52
good_dana	6.06 LTS	17:54
good_dana	server	17:54
giovani	good_dana: any keys generated by that machine are not affected	17:54
giovani	however, you may have vulnerable keys for users sitting on that server generated elsewhere -- there's a utility from debian that can check keys (although it's far from perfect -- lots of false positives and negatives) http://security.debian.org/project/extra/dowkd/dowkd.pl.gz	17:56
good_dana	giovani: thanks for your help	17:56
giovani	good_dana: no problem	17:56
giovani	the debian wiki has more comprehensive documentation on checking all sorts of keys on your system: http://wiki.debian.org/SSLkeys	17:58
giovani	worth reading	17:59
Fenix\|work	Greetings	18:07
Fenix\|work	how do I find a fast mirror?	18:07
Fenix\|work	Is there a tool?	18:07
sergevn	people going to NLUUG in Ede tomorrow?	18:11
giovani	Fenix\|work: pick a mirror close to you ... and test the speed -- mirrors have varying bandwidth, and it depends on the time of day, and changes over time ... there aren't THAT many to test nearby	18:11
Fenix\|work	giovani, I have no problem with testing mirrors myself... I was curious if there was a utility that picked a regional set of mirrors and did a test on which was most efficient	18:12
giovani	never heard of such a utility, nope	18:12
giovani	although googling quickly returned this: http://ubuntuforums.org/showthread.php?t=251398	18:13
giovani	definitely not official	18:13
Fenix\|work	k... coming from gentoo, I guess I was spoiled :)	18:13
giovani	not really ... there's little point	18:14
giovani	I max out 50Mbps lines with my local mirror	18:14
Deeps	i get better speeds from distant mirrors than i do from my local mirror	18:14
Fenix\|work	I have a 10Mbps line and I'm only downloading at about 80KB/s from my locals	18:15
giovani	Fenix\|work: if you're testing during a big use time ... like during a new ubuntu release, most mirrors are packed	18:15
giovani	Fenix\|work: where are you located?	18:16
Fenix\|work	Toronto Canada	18:16
giovani	try MIT	18:16
giovani	I'm pulling over 30Mbps from them right now	18:18
Fenix\|work	k	18:18
Fenix\|work	so I just add the mirror to /etc/apt/sources.list?	18:18
giovani	http://ubuntu.media.mit.edu/ubuntu/	18:18
giovani	yup -- and do a 'sudo apt-get update'	18:18
giovani	(you'll want to replace your other mirror with that one)	18:19
giovani	not just add it	18:19
Fenix\|work	deb http://ubuntu.media.mit.edu/ubuntu/ gutsy main restricted	18:19
giovani	that'll do it for the main gutsy set ...	18:20
giovani	I have gutsy, gutsy-updates, gutsy-backports -- with main, restricted, universe, multiverse for all of them	18:20
Fenix\|work	I have a huge long list in my sources.list	18:20
giovani	right ...	18:21
giovani	that's normal	18:21
Fenix\|work	can I safely remove all the deb entries and replace with what you suggest?	18:21
giovani	... not ALL of them	18:21
Fenix\|work	(or comment out)	18:21
giovani	just the ones that are currently set to your mirror	18:21
giovani	i.e. deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted universe multiverse becomes deb http://ubuntu.media.mit.edu/ubuntu/ gutsy main restricted universe multiverse	18:22
Fenix\|work	ok, so I can comment out the 4 multiverse the 4 universe and 2 gutsy-updates?	18:22
giovani	I'm confused	18:23
giovani	pastebin your sources.list	18:23
giovani	that'll be easier	18:23
Fenix\|work	http://rafb.net/p/DpGDGx33.html	18:24
giovani	yeah, let me clean that up for ya	18:25
Fenix\|work	sweet. thanks	18:25
giovani	backup that file	18:26
giovani	and start fresh with this: http://rafb.net/p/Wo1ELu40.html	18:26
Fenix\|work	weee ... aptitude update right now	18:28
giovani	apt-get > aptitude :)	18:28
Fenix\|work	yeah... aptitude remove ubuntu-desktop will at least remove all packages in the metapackage if used with aptitude install ubuntu-desktop :)	18:29
Fenix\|work	can't say the same with apt-get remove ubuntu-deskop	18:29
uvirtbot	New bug: #230393 in mysql-dfsg-5.0 (main) "Mysql socket file breaks PHP/Perl/etc..." [Undecided,New] https://launchpad.net/bugs/230393	18:31
giovani	Fenix\|work: that's just because you don't know how to use it :)	18:31
giovani	apt-get autoremove	18:31
Fenix\|work	doesn't work	18:31
Fenix\|work	I tried it :)	18:31
giovani	it does work ...	18:31
Fenix\|work	just removed the meta package, nothing else	18:31
Fenix\|work	but I ended up removing all the packages from within the meta package manually so I'm clean	18:33
giovani	why did you want to do that in the first place?	18:33
giovani	if you don't want the desktop metapackage ... that's what the alternate/server install is for	18:33
Fenix\|work	yeah... someone else thought using XDMCP and a windows X-server would be nice	18:34
Fenix\|work	out of curiousity ... any particular reason why aptitude is holding back openssh-client, openssh-server and ssl-cert ?	18:36
reya276	my company is currently running a fiesty fawn (7.04) with Postfix installed and apache2, can I upgrade to hardy 8.04 without any problems, Fiesty install was was excellent with no issues at all. So can I upgrade this particular sever/distribution?	18:36
lamont	reya276: the supported path is "via gutsy (7.10)"	18:37
giovani	reya276: upgrades are often messy, I would never do them on a live business-critical server unless you're quite experienced and confident in fixing problems	18:37
\sh	bah....#230393 is not mysql..it's the app fault to not look in the right location	18:37
reya276	ok so I can't upgrade the server to hardy unless 7.10 is installed	18:38
giovani	you CAN, but that's not the supported method, according to lamont	18:38
reya276	oh crap, this mean I will loose my postfix config complete with all the users on the server, oh man this is not good	18:39
giovani	... who said that?	18:39
reya276	no just me panicking that's all :-D	18:39
giovani	reya276: I think you're misinterpreting what's been said	18:39
giovani	nobody said you'd lose your configuration	18:39
reya276	right	18:39
giovani	so then why did you just say that?	18:40
reya276	ok so how should I go about this?	18:40
lamont	reya276: do-release-upgrade is your friend	18:40
reya276	huh?	18:40
reya276	what do you mean?	18:40
giovani	reya276: http://www.ubuntu.com/getubuntu/upgrading	18:41
\sh	reya276: the fun part about sysadmin ship is: knowing the path is not going the path..you need to test your upgrade with a similar install first...then you can plan your downtimes and know about the pitfalls	18:41
Fenix\|work	reya276, I think he's referring to this	18:41
Fenix\|work	https://help.ubuntu.com/community/HardyUpgrades	18:41
lamont	reya276: one of those urls...	18:41
Fenix\|work	I'm now ready to do-releasy-upgrade	18:41
giovani	well first he needs to do this: https://help.ubuntu.com/community/GutsyUpgrades	18:41
reya276	oh that's not good, I have no other servers with the same hardware specs to test this on, hell no other server period	18:41
lamont	apt-get install update-manager-core; do-release-upgrade (note that do-release-upgrade from gutsy->hardy still wants the -d (development) flag, which I understand will go away in 8.04.1 time	18:42
ScottK	reya276: Then bulid a similar software configuration on a desktop box.	18:42
\sh	reya276: the hardware is not that important...use a vmware instanz with feisty and upgrade via gutsy to hardy...you need the same software layout	18:42
giovani	reya276: business-critical servers always need upgrade testing ... you can't ever do upgrades on live systems and hope everything to come up 100% perfect	18:42
\sh	s/instanz/instance/	18:42
* \sh hates speaking denglish		18:43
lamont	if it's real live scary "can't afford any downtime and no way to pre-test" production, then you have a real problem, regardless of what you're running...	18:43
lamont	giovani: depends on how you define "business criticial"	18:43
giovani	lamont: well "business critical" is self-defining	18:44
* lamont just did a reasonably blindish (remote) dapper->hardy upgrade on a machine after confirming that 2-4 hours down time was "no problem".		18:44
giovani	if it's critical to your business ... you cannot afford hours of downtime ... in any business I've seen	18:44
\sh	"if you fcking bloody spam sending software is not working again, I'm jobless"...is this business critical ? ,->	18:44
lamont	and it's the primary mail server for that organization	18:44
\sh	giovani: you can afford hours of downtime, when you announce it correctly to your customers and clients...	18:45
giovani	lamont: a botched upgrade with a novice admin could mean a hell of a lot more than 2-4 hours of downtime	18:45
\sh	giovani: regarding a mailserver, you should have backup	18:45
giovani	\sh: why are you directing this at me? it's not my server we're talking about	18:45
reya276	well this server just host our email that is all nothing else really	18:45
\sh	giovani: it was a general remark	18:45
giovani	I run redundant mx servers ...	18:45
lamont	giovani: "2-4 hours of downtime" == me rebuilding the machine from scratch	18:45
reya276	so I can take an entire saturday and sunday to do it	18:46
giovani	lamont: and recovering email and users? congrats ... that's a lot of work	18:46
lamont	after driving the 10 minutes to the site	18:46
\sh	lamont: don't compare your experience with starting admins	18:46
Fenix\|work	giovani, that's what backups are for :)	18:46
ScottK	For a mail server I've done it in 2 hours including assembling the hardware for a new box.	18:46
Deeps	\sh: if your customers and clients are the members of staff working within the organisation, and the server in question is where they collect their mail from, i think you'll find it doesn't matter how many hours days or months notice you give ;)	18:46
lamont	they're all on a separate disk	18:46
lamont	which happens to have spare partitions, waiting for me to migrate off of the current root partition to the new drive(s)	18:46
\sh	Deeps: as I said...backup is needed for essential parts of your infrastructure...but people do learn only with pain ;)	18:47
reya276	well we are not a huge company we have only 15 people	18:47
\sh	reya276: excuses...excuses ;)	18:47
Deeps	\sh: difference between backups and high availability	18:47
giovani	we don't do strict "backups" on our mail servers	18:47
lamont	reya276: if the machine is business critical, management needs to provide at least a cold spare, if not a hot one. or one blown powersupply can ruin your whole week.	18:48
\sh	Deeps: backups here == I have 4 servers doing my smtp/imap stuff	18:48
reya276	the critical apps that can't have any downtime at all are on windows server(hah hah hah, what a joke)	18:48
giovani	we have redundant mx ... and they both feed into separate redundant SANs	18:48
Deeps	\sh: last org i worked for had a total of 4 servers for the office, wasn't an option	18:48
lamont	reya276: and yeah, don't compare me to any expectation.... if you're not _really_ comfortable, I'd probably leave it where it is until 8.04.1 comes out	18:48
lamont	reya276: I've maintained postfix for over a decade, you see....	18:48
reya276	I have had to reboot those things so many times I'm surprise no one has complaint	18:48
\sh	giovani: now it's getting more professional...;)	18:49
giovani	\sh: ?	18:49
Fenix\|work	reya276, that's not particularly true. I use Exchange for mail ... and it's been rock solid. I only reboot when patching, and even then on the hardware, a reboot only takes 2 minutes from pillar to post	18:49
reya276	oh so just leave it until 8.04.1? when is that coming out	18:49
\sh	giovani: sans are nothing for low profile companies...here we are talking about more money then they spend in their desktops ;)	18:49
Deeps	reya276: 3 months after 8.04 did	18:49
giovani	\sh: I didn't say we used big iron commercial sans	18:49
Deeps	reya276: with each subsequent point release 6 months later	18:49
reya276	huh?	18:49
giovani	they're home-brew	18:49
\sh	giovani: you mean low coast storage servers and iscsi technique?	18:50
reya276	3 months so August	18:50
\sh	s/coast/cost/	18:50
\sh	damn I'm overworked	18:50
Fenix\|work	iSCSI has been quite effective for my place	18:50
giovani	\sh: we use SAS drives and hardware iSCSI	18:50
Fenix\|work	as it is, I have 28TB of iSCSI storage, and another 30TB with SAS	18:51
reya276	oh crap, I just check the version of the server and is the actul desktop version of feisty, oh boy this is not good	18:51
\sh	giovani: I'm using areca raid6 + 16 sata drives on a special sas backplane...makes 7TB brutto	18:51
\sh	per machine	18:51
giovani	\sh: yeah, I use areca's stuff at home ... on my 14TB media server	18:51
giovani	it's pretty nice	18:51
\sh	giovani: which release? somehow we got bad arecas these days (= areca host adaptor raid6 first release crap)	18:52
Fenix\|work	we've been using iSCSI products from Promise	18:52
Fenix\|work	their vTrak product line	18:52
giovani	\sh: release?	18:52
giovani	release of what?	18:52
Fenix\|work	giovani, he's using a desktop version of feisty	18:52
Fenix\|work	not alt/svr	18:52
\sh	giovani: of the adaptor...they send out different hw layout releases with the same model no.	18:53
giovani	Fenix\|work: I just saw that :) -- I'm putting my head in the sand, I don't want anyone to see me cry ;)	18:53
Fenix\|work	haha	18:53
giovani	\sh: I don't know ... I'd have to look it up	18:53
reya276	on postfix is it possible to backup the existing config and then restore it	18:53
Fenix\|work	\sh, what do you use for the iSCSI HBA? Software or hardware?	18:53
giovani	\sh: I've considered moving to Solaris and ZFS for my next media server installation	18:53
reya276	because if I can do that then I should be able to just wipe out the system and do a fresh install	18:54
giovani	and doing software raid	18:54
\sh	Fenix\|work: I'm now using openiscsi software...or if hardware -> netapp	18:54
Fenix\|work	would you consider qlogic?	18:55
* Fenix\|work sighs		18:55
Fenix\|work	netapp = qlogic	18:55
Fenix\|work	tough day	18:55
giovani	Fenix\|work: yeah, qlogic has looked good to us	18:55
giovani	netapp is not equal to qlogic	18:55
giovani	Fenix\|work: ever consider moving from iSCSI to FCoE?	18:56
giovani	we've been looking into it	18:56
Fenix\|work	same here	18:56
Fenix\|work	but from a price/performance point it was too expensive	18:57
giovani	yeah	18:57
Fenix\|work	we don't need high-availablity	18:57
Fenix\|work	we need lower speed storage	18:57
giovani	are you guys virtualized at all?	18:57
Fenix\|work	partially	18:57
giovani	vmware? xen?	18:58
Fenix\|work	vmware	18:58
Fenix\|work	using 6 ace	18:58
giovani	ohh, desktops	18:58
Fenix\|work	integrating with the intel virtualization	18:58
\sh	development == yes...but product runs on real hw...	18:58
giovani	why not VDI?	18:58
Fenix\|work	well I'm using ACE	18:58
Fenix\|work	haven't reached that level yet :)	19:00
giovani	ah :)	19:00
Fenix\|work	we started looking at virtualization quite recently actually	19:00
giovani	what industry are you in?	19:00
Fenix\|work	we've been buying up HP DL380 G5's a lot lately and when they come with a quad core standard... it made sense to look at virtualization	19:01
Fenix\|work	that is a very good question. I don't quite know how to describe it	19:01
Fenix\|work	I guess we're in the Remote Sensing / Positioning / Orientation market	19:01
Fenix\|work	lots of data aquisition, engineering, manufacturing, etc	19:01
giovani	ESP? ;)	19:01
giovani	alright	19:02
Fenix\|work	ESP? Extrasensory perception?	19:02
giovani	well you said "remote sensing"	19:02
giovani	(it was a joke)	19:02
Fenix\|work	you hear of the DARPA Urban Challenge?	19:03
giovani	yea	19:03
Fenix\|work	our product was on 20 of the competitor vehicals	19:03
Fenix\|work	vehicles	19:03
giovani	ah, nice	19:03
giovani	we're a bit more industrial than that	19:03
Fenix\|work	and was onboard the 1st place, 2nd place and 4th place vehicle	19:03
giovani	but in manufacturing	19:03
\sh	Fenix\|work: use the DL385 with dual quad core...or if intel finally scales with the memory channels...hmm...	19:04
Fenix\|work	giovani, and we were bought out a couple of years ago by Trimble	19:04
Fenix\|work	\sh, we have no real need for dual quads yet	19:04
Fenix\|work	our servers are more for storage than processing	19:05
\sh	Fenix\|work: for esx it just nice..just setup one of the new dl365 with dual quad...	19:05
Fenix\|work	although I've got my eye on 2 dual quad proliants for a SQL server cluster	19:05
Fenix\|work	run 64bit, 32GB RAM each...	19:06
Fenix\|work	but that's on next years budget wishlist	19:06
Fenix\|work	anyone have some better docs on setting up a cvs server on ubuntu?	19:07
\sh	cvs?	19:07
Fenix\|work	the info I've been able to find is a little on the sparse side	19:07
Fenix\|work	some use cvsd, others no.	19:08
Fenix\|work	yeah... you heard me... no typo	19:08
Fenix\|work	cvs	19:08
giovani	:)	19:08
\sh	cvsd is the hell...why not cvs + ssh and a nice little ldap setup? ,-)	19:08
Fenix\|work	that may work	19:08
Fenix\|work	have no frakin' clue how to implement it	19:08
giovani	SVN > CVS ;)	19:09
Fenix\|work	giovani, you have to know the situation here	19:09
\sh	Fenix\|work: apt-get install openssh-server cvs	19:09
\sh	and think about a good group structure first	19:09
giovani	Fenix\|work: no, my opinion is the gospel truth ;)	19:09
\sh	then you implement ldap and add it to ldap and nsswitch.conf ... don't ever use sudo-ldap	19:10
Fenix\|work	Engineering Dept asked me to set up a cvs server as a pilot project... which then turned out to go live right under my nose	19:10
Fenix\|work	it's on a clone, using Gentoo ...	19:10
Fenix\|work	so we're moving the exisiting repository to new hardware and Ubuntu... then they'll look at SVN	19:10
giovani	ok	19:10
\sh	I had it running on around 2000 servers....sudo-ldap is crap...and I didn't want to pay the dev the implementation of the "!" and "host" sudo stuff	19:10
Fenix\|work	\sh, I'm presently in the middle of do-release-upgrade	19:11
Fenix\|work	I initially set up the box with gutsy	19:12
Fenix\|work	so hardy here I come :)	19:12
giovani	heh	19:12
\sh	Fenix\|work: fun :)	19:12
Fenix\|work	oh... is this putting me on LTS?	19:12
cyris\|	it will	19:13
Fenix\|work	yay	19:13
giovani	of course it is	19:13
giovani	LTS is the good-ness	19:13
cyris\|	these openssl updates seemed to have screwed up my slapd.conf :S	19:13
\sh	cyris\|: yeah...this was fun this morning..	19:14
Fenix\|work	brb	19:14
=== joerlend_ is now known as XiXaQ
cyris\|	\sh, yeah, mind you I only have 2 ubuntu servers to fix up and man I don't know a heck of a lot about openssl and openssh, only that I should use them :D ogra helped out alot.	19:14
cyris\|	err HAD 2 servers to fix	19:15
\sh	cyris\|: yeah ogra fixed me, too, in 2005 ;)	19:17
cyris\|	\sh, any idea why I can't specify TLSCipherSuite in my slapd.conf ?	19:17
cyris\|	if I comment it out, slapd runs fine, but im having problems with pgina (windows clients) authenticating	19:17
\sh	cyris\|: no...:( at least not now anymore...I'm too tired	19:18
\sh	I'm happy if I'm able to update my ubuntu mirrors still...	19:19
cyris\|	\sh, I hear ya	19:19
* \sh needs to talk to my ISP to upgrade from 32mbit/s to more then that for less money		19:19
\sh	and /me needs to talk to doko	19:20
cyris\|	\sh, crap, what you doing with all that bw :D ?	19:21
cyris\|	\sh, I'm loving my 7mbit down 1mbit up at home	19:21
\sh	cyris\|: that's my private line :) cable tv internet connection	19:21
\sh	cyris\|: problem is the more down the more up I have...which I need	19:22
\sh	and sdsl is no option where I'm living	19:22
cyris\|	\sh, i believe only adsl is available in my area	19:23
giovani	\sh: where do you live?	19:23
Fenix\|work	ah maaaaaan... it installed x and gnome	19:24
\sh	giovani: in germany, in the south, near to the rhine and round about 6KM from france...a 600 soul village, where you can get 6Mbit/s adsl of our beloved german telekom, or 32Mbit/s down/2Mbit/s up of our local cable tv provider :)	19:25
cyris\|	UGH another openssh update ?	19:25
giovani	\sh: ah, I have a bit of family in germany	19:25
\sh	giovani: everyone has as I learned from people living in NC ;)	19:25
giovani	cyris\|: fixing bugs in the tools	19:25
giovani	\sh: haha	19:25
cyris\|	giovani, yeah	19:25
giovani	\sh: well, family I visit frequently :)	19:26
\sh	giovani: where are you living?	19:26
giovani	New York City	19:26
\sh	giovani: ah...that was next on my list of "need to visit locations" since they changed the law	19:27
giovani	which law would that be?	19:27
\sh	giovani: actually there are many laws they changed since 9/11	19:27
giovani	ah, I'm sure	19:28
giovani	all crazy	19:28
\sh	yes...	19:28
Fenix\|work	what's the difference between server install cd and alt install cd?	19:28
giovani	I haven't been to South Germany in many years ... probably 12 or so	19:28
infinity	Fenix\|work: Which packages are installed by default, and which are shipped on the ISO.	19:28
infinity	Fenix\|work: The installer is the same, though.	19:28
giovani	Fenix\|work: the alt install cd is oriented at desktop users, the server install is oriented at servers	19:29
\sh	I was visiting dubai in october 2001...that was fun going through heathrow	19:29
Fenix\|work	so aside from the 5 points they make for the alt install... nothing	19:29
infinity	Fenix\|work: Server gives you a different default kernel, and offers some server-specific tasks.	19:29
\sh	giovani: if you are around and you want to meet some fellow ubuntu guys, just ping...a bed is always free here at my place :)	19:30
Fenix\|work	the upgrade from gutsy to hardy has reinstalled ubuntu-desktop it appears	19:30
giovani	\sh: hah, thanks for the offer, my german is god-awful	19:30
giovani	I always forget most of what I learn as soon as I leave	19:30
giovani	most of my family is near Offenbach	19:31
giovani	some a bit more north near Kassel	19:31
\sh	giovani: my future wife comes from cameroon, I was living 8 years with a ZA born indian..so a) I know english (well not enough to write and speak and can b) communicate and c) there is still the piece of paper ;) you could also try some french .. but don't expect an answer..:)	19:33
Fenix\|work	\sh, does the server install automatically detect cciss!c0d0?	19:33
\sh	Fenix\|work: yes	19:33
Fenix\|work	weeee	19:33
Fenix\|work	nice	19:33
Fenix\|work	I may just reinstall	19:34
giovani	\sh: that is an incredibly varied history your family has :)	19:34
jimcooncat	opinion please: courier-imap or dovecot or ?	19:35
\sh	Fenix\|work: smart arrays are known to work since anges for debian...the problem we had during dapper?feisty?gutsy? was lilo not to know anything about cciss devices...so colin fixed it in lilo maintainer script and I tested it on HP hw so..yes, it knows anything about smartarrays..it does even know something about 64bit lba stuff on smartarrays regarding dl320s machines of hp	19:36
\sh	giovani: at least, when you visit offenbach, just give a ring and come around :)	19:36
giovani	\sh: haha, will do	19:36
\sh	s/anges/ages/	19:37
Fenix\|work	nice, I think I'm just going to reinstall	19:37
giovani	jimcooncat: personal preference -- dovecot	19:37
\sh	jimcooncat: cyrus imapd ;)	19:38
Fenix\|work	nice... downloading at 1.0MB/s on torrent	19:38
\sh	jimcooncat: it depends on what you want and expect for your imap server ;)	19:39
jimcooncat	not much, just to have it work with imapsync, and provide occasional access with Tbird. I'm going to be using it as a backup to our hosted Zimbra.	19:40
maek	anyone happen to know how to get apache to serve up the contents of a mounted iso? I keep getting 403's perm denied but all the permissions are fine.	19:42
* \sh tends always to cyrus, because it's stable and not using maildir		19:42
\sh	but it really depends on the usecase	19:42
jimcooncat	thanks giovani \sh	19:43
giovani	maek: the permissions are probably not fine ... #apache is more relevant though	19:43
JanC	\sh: I never used Cyrus, what does it use instead of maildir?	19:44
\sh	if nothing helps...mount -t iso9660 -U www-data /dev/cdrom /foobarmnt	19:44
JanC	mbox ?	19:45
\sh	JanC: it uses single files for the mails (just like maildir) but /var/spool/mail/user/<imap userid> and libdb* index	19:45
JanC	hm, and the advantage over maildir?	19:46
\sh	JanC: so you don't need to add user homes for the accounts...(and yes I know it's not needed for maildir, but since I got rid of qmail I'm tired of <whatever>/Maildir/{new,cur,tmp}/	19:46
JanC	hehe	19:47
\sh	JanC: for me? I have a (only for my user) an imap spool of round about 5G...it's just speed...and it fits perfectly with my postfix+mysql+imap setup since my gentoo times, means since 2002	19:47
maek	giovani: ok, just wondering if someone knew a trick. thanks	19:48
JanC	my maildirs only take ± 2 GiB for now ;)	19:48
\sh	fun part...apache2 stopped working, but postfix+mysql+cyrus was just working as expected when I had a load of 100	19:48
JanC	(using dovecot)	19:48
JanC	nice	19:50
\sh	JanC: as I said, it depends on the usecase...cyrus is something for really big setup..the cluster configuration for cyrus is great	19:50
JanC	I don't think I need a cluster yet ;)	19:50
\sh	I have a customer who needs it now....and something for lawful interception...	19:50
JanC	I'm running all of my stuff on a VPS with 300 MiB RAM ATM ;)	19:50
\sh	Mem: 1545424k total, 1462468k used, 82956k free, 4k buffers	19:51
\sh	Swap: 3903752k total, 50968k used, 3852784k free, 537632k cached	19:51
\sh	that's an old athlon XP ...	19:51
\sh	and it's running also some webservers + the whole xmpp stuff named ejabberd	19:51
* \sh needs to find the time to move most of the services to the new rooty		19:55
cyris\|	man this tlsciphersuite option in slapd.conf is still killing me, slowly, i feel myself melting... hah	19:55
JanC	Mem: 307200 290940 16260 0 56556 77604	19:56
JanC	-/+ buffers/cache: 156780 150420	19:56
JanC	Swap: 262136 9280 252856	19:56
\sh	cyris\|: the pragmatic part of my soul says: sleep over it, and run without it until you find the solution ;)	19:56
JanC	that's running the GParted forum and my mailserver, mostly	19:56
cyris\|	\sh, that is generally good advice. I understand what the option does, I just don't get why after installing all these updates that the option just doesn't seem to work anymore :D	19:57
cyris\|	\sh but its 12:57pm here so I got another 3hrs of work left :D	19:57
\sh	-8 hours...west coast?	19:59
giovani	\sh: he's in Alberta, it looks like (from the hostname)	20:02
\sh	giovani: so it's more west ... yeah fits ;)	20:03
Fenix\|work	for ssh daemon... I need to install openssh-server?	20:05
\sh	Fenix\|work: yes	20:06
Fenix\|work	why does openssh-server want to install X libs?	20:08
\sh	hmm?	20:08
\sh	since when?	20:08
Fenix\|work	fresh 8.04 install and it's wanting to install x11-common	20:08
Fenix\|work	and libxdmcp	20:08
\sh	Fenix\|work: not the server install, no	20:10
Fenix\|work	yes, the server install	20:10
\sh	never	20:10
\sh	no way	20:10
Fenix\|work	I just downloaded ubuntu-8.04-server-amd64.iso	20:11
infinity	Certainly not on my hardy/amd64 server...	20:15
infinity	adconrad@loki:~$ dpkg -l openssh-server x11-common libxdmcp	20:15
\sh	bah	20:15
infinity	ii openssh-server 1:4.7p1-8ubuntu1.2 secure shell server, an rshd replacement	20:15
infinity	No packages found matching x11-common.	20:15
infinity	No packages found matching libxdmcp.	20:15
\sh	shermann@newzealand:~$ dpkg -l openssh-server x11-common libxdmcp	20:15
\sh	ii openssh-server 1:4.7p1-8ubuntu1.1 secure shell server, an rshd replacement	20:15
\sh	ii x11-common 1:7.3+10ubuntu10 X Window System (X.Org) infrastructure	20:15
\sh	WTF?	20:15
infinity	Now, if you're installing with recommends, you'd get "xauth", which installs some X libs.	20:15
infinity	But apt-get won't do that by default....	20:15
Fenix\|work	using apt-get install openssh-server, installs 3 packages...	20:16
Fenix\|work	using aptitude install openssh-server wants to install 11	20:16
infinity	Right, aptitude installs recommends by default.	20:16
infinity	And openssh-server recommends xauth.	20:16
\sh	infinity: it does by default now... /etc/apt/apt.conf.d/01ubuntu says something about Install-Recommends-Section	20:16
\sh	infinity: and yes...my rootserver provider did something really wrong	20:16
infinity	\sh: That's only for metapackages.	20:16
infinity	\sh: (specifically, for stuff like ubuntu-desktop, ubuntu-standard, etc)	20:17
infinity	\sh: Definitely not for openssh-server. :)	20:17
\sh	infinity: ubuntu-minimal ?	20:17
infinity	root@loki:~# apt-cache show ubuntu-minimal \| grep ^Section	20:17
infinity	Section: metapackages	20:17
infinity	(Yes)	20:17
\sh	infinity: and yes...not for the normal server install	20:17
\sh	infinity: it's da bloody bug of rootserver provider...<mail...>	20:17
\sh	mv 01ubuntu out of the way	20:17
uvirtbot	New bug: #230466 in likewise-open (main) "Likewise uninstall, Lock login to system" [Undecided,New] https://launchpad.net/bugs/230466	20:17
\sh	apt-get remove --purge x11-common <Y>	20:17
\sh	infinity: btw...what do you think about bug #230393 ?	20:18
uvirtbot	Launchpad bug 230393 in mysql-dfsg-5.0 "Mysql socket file breaks PHP/Perl/etc..." [Undecided,New] https://launchpad.net/bugs/230393	20:18
* Fenix\|work is going through brain cramps... how the hell do I set a static IP again...		20:21
Fenix\|work	through /etc/network/interfaces right?	20:21
\sh	vi /etc/network/interface	20:21
\sh	auto eth0	20:21
\sh	iface eth0 inet static	20:21
\sh	the rest is man	20:21
Fenix\|work	address / netmask / gateway	20:22
\sh	yes	20:22
\sh	broadcast you forgot	20:22
Fenix\|work	don't need to specify broadcast with an ip and netmask do I?	20:22
Fenix\|work	it should be smart enough	20:22
Fenix\|work	:)	20:22
Fenix\|work	and how do I get ssh to start on boot?	20:23
\sh	Fenix\|work: regarding cisco ios...there is always 'no ip-classless' so I'm not convinced ;)	20:23
Fenix\|work	hehe	20:23
\sh	Fenix\|work: it should work out of the box after reboot	20:23
\sh	if not it's a bug, but really this time, it does start after the installation	20:24
Fenix\|work	so I was right about x11-common?	20:24
\sh	Fenix\|work: only if you do something which is not coming from ubuntu-server ;)	20:25
\sh	Fenix\|work: move /etc/apt/apt.conf.d/01ubuntu out of the way, deinstall x11-common (apt-get remove --purge x11-common) and everything is ok	20:26
\sh	Fenix\|work: a plain standard ubuntu-server iso cd installation IS NOT DOING THAT	20:26
Fenix\|work	I have no clue	20:27
Fenix\|work	I wasn't making up stuff	20:27
Fenix\|work	:)	20:27
\sh	Fenix\|work: telling you...ubuntu is not so "stupid" ;)	20:27
Fenix\|work	hey... for http://rafb.net/p/Wo1ELu40.html	20:27
Fenix\|work	replace gutsy with hardy?	20:28
\sh	Fenix\|work: remove the deb-src lines, you don't need them (or you are compiling your own stuff from src deb ubuntu packages) and do you really need the -partner repos? vmware running?	20:29
Fenix\|work	no and no	20:29
Fenix\|work	this was compliments of giovani	20:29
\sh	Fenix\|work: so get rid of the deb-src and partner löine	20:31
\sh	line	20:31
Fenix\|work	other than that... /gutsy/hardy	20:31
giovani	\sh: I just gave him a copy of my config -- there's nothing wrong with having deb-src in there	20:33
\sh	giovani: it wastes bandwidth for meta stuff ;) but no...	20:34
giovani	:)	20:34
J_P	hi all	21:33
J_P	I install aosftware (plone 3.1) and would like put it one rcs scripts.. There are one app the put that automatically right ? what is the name ? something liek as updaterc ?	21:34
Fenix\|work	giovani, question... I forgot to enter the FQDN of the box on setup... do I just modify /etc/hostname and /etc/hosts to use the FQDN?	21:44
giovani	Fenix\|work: that should do it	21:55
Fenix\|work	yeah, then to make it happen /etc/init.d/hostname.sh	21:55
LeChacal	hey everyone i want to add a user account to my mail/web server and the account is only there for mail what groups should i put it in	21:56
giovani	Fenix\|work: or reboot -- that scripts gets run every boot-time	21:57
giovani	LeChacal: you might look into virtual users if you don't want the user to be a system user	21:57
giovani	common setup	21:58
LeChacal	giovani: ok ill look at that, thank you	21:59
giovani	LeChacal: what mail server are you running?	22:00
LeChacal	giovani: what do you mean what programs or what mailbox type?	22:00
giovani	LeChacal: you're MTA/MDA	22:02
giovani	your*	22:02
LeChacal	giovani: Postfix and Dovecot it will be a small server at most 5 accounts	22:03
giovani	alright, well dovecot has a very simple flat-file config for virtual users	22:03
giovani	that you can hook postfix into	22:03
giovani	http://wiki.dovecot.org/HowTo/SimpleVirtualInstall	22:05
giovani	it's quite easy	22:05
giovani	don't follow that word-for-word ... as ubuntu's setup is slightly different, but you'll get the general idea to play with	22:06
LeChacal	yea i had the Dovecot ubuntu documentation page up also and i see what i need to do	22:08
specialK	I was wondering if anybody ran into problems of not being able to ssh into a server after fixing the ssl vuln	22:08
giovani	specialK: we had one person in here earlier who must've had a botched package install -- he dpkg reconfigured it -- and it was fine ... what problem are you having?	22:08
specialK	http://pastebin.ca/1018327	22:09
specialK	I get that error when I try to ssh in	22:09
giovani	wait, you just upgraded the server or your client?	22:10
specialK	the server	22:10
specialK	and no clients can ssh in	22:10
giovani	and did you personally do the apt-get dist-upgrade?	22:10
giovani	also, what release of ubuntu is the server?	22:10
specialK	yea	22:10
specialK	its hardy	22:10
specialK	sorry that one is gutsy	22:11
giovani	and did you regen the keys then when it asked you to?	22:11
specialK	but its also happening on my hardy one	22:11
specialK	I have just been working on fixing my gutsy one right now	22:11
specialK	giovani: yea	22:11
giovani	and there were no complaints from dpkg?	22:11
giovani	no, that one is hardy	22:12
specialK	nope	22:12
giovani	you're running 4.7p1	22:13
specialK	giovani: yea sorry that was my hardy server	22:13
specialK	but I get the same error on my gutsy server	22:13
giovani	can you log into the server another way and do a "dpkg --reconfigure -a"?	22:13
giovani	well	22:14
giovani	not -a I suppose	22:14
giovani	try dpkg-reconfigure openssh-server	22:14
specialK	I will try that	22:16
specialK	I was just gonna ask about why -a	22:16
specialK	brb	22:16
giovani	it was a bad paste, best not to run it	22:16
specialK	ok so now it just appears to hang with I try to ssh in	22:25
specialK	nevermind I still get the same error	22:25
specialK	my network connection just dropped	22:25
giovani	specialK: you reconfigured openssh-server?	22:28
giovani	did you check to see if there's an updated package?	22:28
giovani	sudo apt-get update && sudo apt-get dist-upgrade	22:28
specialK	giovani: I just updated	22:29
giovani	there have been new packages fixing others all day ... you just updated today, or just an hour ago?	22:29
specialK	giovani: when I ran dpkg-reconfigure it just told me the keys were blacklisted and then restarted ssh and told me the keys were blacklisted again	22:30
specialK	it didn't appear to regen any keys this time	22:30
specialK	giovani: I updated less than an hour ago	22:30
giovani	did you just do an upgrade minutes ago? or earlier today?	22:30
giovani	ok	22:30
giovani	there are known false-positives with the blacklists ... but obviously something is wonky with your setup	22:31
giovani	I'd submit a bug report	22:31
specialK	what data should I all submit	22:31
specialK	and also this is happening on 2 of my machines at work and then my personal dedicated server	22:31
giovani	... hmm	22:32
specialK	which is gutsy	22:32
giovani	I've updated 5 servers, no problems	22:32
giovani	the fact that ALL of your servers have had problems ... implies you have some special setup perhaps?	22:32
specialK	yea everybody else I talked to hasn't had any problems	22:32
specialK	well there isn't anything out of the ordinary setup in my ssh configs	22:33
ogra	and sudo ssh-vulnkey -a still sees them compromised ?	22:33
specialK	ogra: its doesn't show any keys as compromised	22:34
ogra	(dd you regenerate all your user keys =	22:34
ogra	)	22:34
specialK	ogra: do you mean on the clients	22:34
giovani	ogra: you'd have to see the error he's getting though	22:34
ogra	well, you usually store the pub part of a key on the server in the authrized_keys file to log in via keys	22:35
ogra	(in the users ~/.ssh dir)	22:35
specialK	ogra: I moved .ssh to ~/ssh	22:35
ogra	hmm	22:35
specialK	ogra: http://pastebin.ca/1018394	22:36
ogra	and ssh-vulnkeys only reports proper keys on your system ?	22:36
specialK	that is the error I am getting	22:36
specialK	ogra: I don't get any output from ssh-vulnkeys, I will go run it again and verify	22:37
ogra	you should get output if you run it as: sudo ssh-vulnkeys -a	22:37
specialK	yep no output	22:37
ogra	then you dont have any keys	22:37
ogra	it should tell you about proper keys as well as broken ones	22:38
cyris\|	specialK are you using the -q switch ?	22:38
specialK	cyris\|: for what	22:38
ogra	err. sorry its ssh-vulnkey	22:38
ogra	no s in the end	22:38
cyris\|	specialK: for ssh-vulnkey	22:38
specialK	ogra: when I run dpkg-reconfigure it just says my host keys are blacklisted restarts ssh and then says that again	22:39
cyris\|	specialK: cause using -q would cause no output	22:39
specialK	cyris\|: no I was using the -a switch	22:39
ogra	it should list all keys as "Not blacklisted: " or "Unknown (no blacklist information): " if they are not compromised	22:39
cyris\|	specialK: ok	22:39
specialK	anybody have any ideas/suggestions	22:43
ogra	specialK, ls /etc/ssh/ssh_host_key	22:43
ogra	or /etc/ssh/ssh_host_rsa_key	22:43
ogra	or /etc/ssh/ssh_host_dsa_key	22:43
=== c1\|freaky_ is now known as c1\|freaky
ogra	specialK, do you have these ?	22:45
specialK	so both rsa_key and dsa_key are there	22:45
ogra	and the host key ?	22:46
ogra	hmm, and why doesnt ssh-vulnkey list them ?	22:46
specialK	ok so I got it fixed	23:04
specialK	for some reason it wouldn't wipe my old ssh keys on reconfigure	23:04
specialK	and this is the case on all the machines	23:05
ogra	it only wipes them if it can	23:07
ogra	i.e. it wont wipe protected keys	23:07
owh	Here's a moral dilemma for me. A client who abruptly severed our relationship by refusing to pay his last invoice in full, is running a server that I installed which is likely to be affected by the latest security notice. Am I obliged to inform him of the security notice or not?	23:39
InsomniaCity	nice one	23:42
InsomniaCity	did you follow legal action for the last invoice?	23:43
owh	It was not financially responsible to do so.	23:43
InsomniaCity	hmm, fair enough.	23:43
Nafallo	owh: depends on the contract I would say.	23:43
InsomniaCity	well, the contract is over.	23:43
owh	Nafallo: There is no contract.	23:43
Nafallo	owh: then you're not :-)	23:43
InsomniaCity	owh: I'd say you should tell him	23:43
InsomniaCity	owh: goodwill is hard to come by	23:44
InsomniaCity	and thats a dead easy way for you to generate some	23:44
owh	InsomniaCity: It's not my goodwill that is at issue, it's his.	23:44
InsomniaCity	he could end up referring you to someone, or making up part of his bill.	23:44
InsomniaCity	well yes	23:44
InsomniaCity	I still think you should do it, but then i'm a Nice Guy (tm).	23:45
owh	InsomniaCity: The issue then becomes, what happens after I tell him?	23:45
InsomniaCity	nothing that involves you, you're not obliged to.	23:45
InsomniaCity	also, you may be over analysing - for all you know he hired someone else to look after the server, and its already patched.	23:46
owh	InsomniaCity: While possible, I think that it is unlikely.	23:46
InsomniaCity	I think you should tell him, with a postscript that you'll fix it for the last invoice owed, plus an appropriate hourly consulting fee.	23:47
owh	So, you're basically saying that it would be morally responsible to notify him, but not legally required.	23:47
InsomniaCity	Then once he coughs up, you do the work, then say goodbye.	23:47
InsomniaCity	IANAL, especially not an ozzie one.	23:47
owh	Heh	23:47
InsomniaCity	Morally, yes, I think you should tell him.	23:47
InsomniaCity	I'd even say you should business-wise.	23:48
InsomniaCity	make it clear its not a threat, but offer to fix it if he brings your relationship up to date, so to speak.	23:48
InsomniaCity	could be win/win.	23:48
owh	Thank you for your guidance sensai InsomniaCity :)	23:49
InsomniaCity	lol	23:49
InsomniaCity	np	23:49
* owh wanders off to compose an email.		23:50
arooni-mobile	is ubuntu-server affected by that guessability in the sshd-rsa keys generated?	23:57
soren	yes	23:57
arooni-mobile	ok what do i need to do to fix?	23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!