[00:25] !ebox
[00:25] ebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox
[00:45] Deeps following the DHCP conversation we had, there's no way of defining different subnets behind the same router using DHCP, right? It's just that I keep reading examples of people that define a subnet by just changing one part of the IP address, which leads me to think that the machines in the example are behind the same router. For example here: http://en.wikipedia.org/wiki/Subnetwork#Subnets_and_host_count or here http://searchnetworking.techta
[00:45] rget.com/sDefinition/0,,sid7_gci213065,00.html
[00:45] sorry: http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213065,00.html
[00:46] in my house i have 1 router and 3 subnets
[00:47] the router has 3 network interfaces though
[00:48] if you're attempting to use a single router with a single network interface, you need vlan aware switches between your router and your clients
[00:51] Deeps that's supported by any router? multiple interfaces? because I can't find it in mine
[00:53] i have 3 network cards in my router
[00:53] with 3 wires coming out
[00:53] ok
[00:54] eth0 runs to the gbit switch for wired connections, eth1 to the wireless access point, eth2 to the neighbours flat
[00:55] (we'll skip past the atm, sit, tap and tun interfaces, heh)
[00:57] ok, that explains it to me, thanks
[00:58] I just wanted to know what the possibilities are
[00:58] how come you need multiple subnets?
[01:06] I don't need it. I just didn't know how I could set different subnets behind one router
[01:06] since the definitions and examples I found led me to think that, was pretty confusing
[01:06] very*
=== jjesse_ is now known as jjesse
[02:40] New bug: #230147 in openssh (main) "package openssh-server 1:4.7p1-8ubuntu1.1 failed to install/upgrade: " [Undecided,New] https://launchpad.net/bugs/230147
[03:15] I'm going to install xubuntu on my server as a sort of backup/maintenance mode, should i install ubuntu-server then the xubuntu metapackage, or install from the xubuntu (from the alt cd if it matters) and then switch to the server kernel?
[03:18] up to you
[03:18] So it doesn't make a difference?
[03:21] Ashfire908: I'd highly recommend not installing a gui on your server ... but if you must ... install ubuntu-server first, and then xfce on top of it
[03:22] Well this is not going to be the primary system
[03:22] there's nothing useful about a gui for "backup/maintenance" -- in fact, it's likely to break far more often than the rest of the OS
[03:23] I will/have use/used it to do full backups of the drives and to do stuff like manual fsck.....
[03:23] that's not related to xfce though, nor can it be done with xfce
[03:24] what does it matter if when i'm using that system if it has a gui?
[03:24] I'm not going to run services while in it.
[03:25] alright ... I have no idea what you're talking about now
[03:25] but go ahead
[03:25] i'm installing a second os onto the server, and it's only going to be used to do the stuff that i mentioned.
[03:26] wait, a second OS?
[03:26] second install of ubuntu
[03:26] you mean, you're planning to dual-boot different installs of ubuntu?
[03:27] one is a gui-less ubuntu server hardy, for when running it normally, then a second for only maintenance stuff of ubuntu server/xubuntu
[03:27] there's really no need to do that
[03:27] it's excessive, and will add to management time, security update efforts, and a whole host of things
[03:28] a) you don't need a separate OS to do anything you've described ... b) for the things you've described, separating partitions would be the best way to handle fsck and backup/permissions issues on partitions
[03:29] c) if you really did need a separate os ... a live cd would be much better for those instances than an entire install
[03:29] ubuntu livecds fail at boot
[03:29] what command should i be occasionally running to do security updates?
[03:29] they drop into busybox, and fail to fully create the file system
[03:29] it doesn't need to be an ubuntu cd -- but you don't need a separate OS to do anything you've described
[03:30] slicslak: apt-get update && apt-get upgrade (as root)
[03:30] fine, whatever.
[03:30] but ... I wouldn't really advise putting that in cron, if that's what you're planning
[03:30] put what in cron?
[03:31] that was directed at slicslak
[03:31] oh
[03:31] lol
[03:31] sorry
[03:32] giovani, thanks. just read https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html it seems after upgrading i just need to restart ssh server and it will generate new keys correct?
[03:32] slicslak: you'll need to do an -- apt-get update && apt-get dist-upgrade for that particular security update (because it installs a new package, rather than just updated ones)
[03:32] Ok everyone, I don't know where else to turn here. I have a mySQL database on a server that does not allow remote access to it. I need to be able to access it via OpenOffice Base but I have no idea how to go about that! Is there a way to import/address the .sql backup file?
[03:33] yes, it will restart the ssh server, and regenerate for you ... it'll notify you ... so you can't do it in an automated fashion
[03:33] When i boot i get an error about an address not initialized, and to update the bios or force the addr.
[03:33] Ashfire908: I wouldn't know anything about the ubuntu live cd ... it's hardly the best option for server maintenance -- something with a lot of disk-fixing tools oriented at server-rescue would be better
[03:34] wow! ya, it really gets your attention on
[03:34] no, this is at normal hard drive install.
[03:34] *at a
[03:34] Ashfire908: you should be using the alternate install cd
[03:34] I do.
[03:34] so the install cd isn't functioning at all?
[03:34] no
[03:35] this is with the already installed system
[03:35] did you check the md5 of the iso? and verify the burn?
[03:35] wait, are you trying to boot from the install cd?
[03:35] no
[03:35] i've already installed
[03:35] the alt and server cds work fine.
[03:35] then what are you trying to do?
[03:36] It's a notice on boot.
[03:36] in the section where it loads the drives
[03:36] *drivers
[03:36] does it fail to boot?
[03:36] or does it just issue a warning, and continue?
[03:36] issues a warning
[03:37] then I suggest you get a word-for-word copy of the error, and bring it here
[03:37] the server also temp. hangs at one of two places at boot.
[03:37] one sec...
[03:37] er about 3 min
[03:41] I took a picture, one sec
[03:44] piix4_smbus 0000:00:f.0: SMB base address uninitialized - upgrade BIOS or use force_addr=0xaddr
[03:44] (I removed the kernel timestamp from the front of it)
[03:45] During boot it either hangs for a bit after displaying that message, or after "Loading, please wait..."
[03:48] well I'd take out the situation-specific parts of the errors ... and google it
[03:48] i am
[03:49] -- piix4_smbus SMB base address uninitialized upgrade BIOS -- should suffice as a search term
[04:05] Do you know if force_addr is a kernel/boot option?
[04:09] nvm
[04:20] with the openssl bug fixed today there's nothing to do to the apache certificates ??
[04:25] These are SSL/TLS certificates?
[04:25] ScottK: are the https certs
[04:26] Yes. It does affect those.
[04:26] ScottK: so we need to regenerate those certs ?
[04:27] ScottK: or just reload with the new openssl?
[04:27] Both.
[04:32] ScottK: I know that when using public key auth the attacker can log on the system but for https ?? what can be done ?
[04:32] leonel: you can check your private key with openssl-vulnkey. If it is ok, then you do not need to regenerate
[04:33] leonel: Ask yourself why you have https and would you care if you didn't all of a sudden.
[04:33] If the key is vulnerable ...
[04:33] leonel: it is part of the openssl-blacklist package
[04:33] dendrobates-: thanks
[04:34] ScottK: so for the attack on https the attacker needs to be in the middle and can decrypt the data ??
[04:35] leonel: that or a tcpdump of the session. and then they would have to brute force it.
[04:35] leonel: Yes. But for the attacks https is meant to defend against, that's always the case.
[04:36] dendrobates-: openssl-blacklist ?? or is it openssh-blacklist ?
[04:36] One sarcastic comment from another forum today, "I wouldn't worry too much about SSH key cracking. It's not like the bad-guys have access to millions of compromised CPUs......"
[04:37] dendrobates-: Is that going to work for X.509 certs (openssl-vulnkey)?
[04:37] leonel: openssl-vulnkey for ssl keys and ssh-vulnkey for ssh keys
[04:38] Ah.
[04:38] ScottK: it should work on the private key that encrypts the cert, so yes.
[04:38] OK.
[04:39] Maybe in my copious free time I'll go into my backups and check. By the time those were out today, I'd already regenerated everything.
[04:40] dendrobates-: I'm guessing you've had a 'fun' day.
[04:43] dendrobates-: openssl-blacklist is in gutsy ??
[04:43] leonel: After you install the security updates.
[04:46] I've installed the updates and there wasn't an openssl-blacklist; did apt-get update and there it is
[04:47] You need to apt-get dist-upgrade to get the new package.
[04:48] ScottK: did that for openssh and installed openssh-blacklist
[04:48] didn't install openssl-blacklist
[04:48] installed now
[04:48] Ah. I don't think I've seen the openssl-blacklist either now that you mention it.
[04:48] dendrobates-: ??
[04:51] I don't think it's depended on like openssh-blacklist is
[04:52] hm, openvpn depends on it
[04:52] (at least on hardy)
[04:54] ScottK ajmitch: it will be a dependency of the ssl-cert package
[04:54] which will be updated soon.
[04:55] leonel: yes it is in gutsy
[04:56] I just say "Caedite eos. Novit enim Dominus qui sunt eius."
[04:58] sounds fair for some
[04:58] though getting new SSL certificates signed isn't necessarily simple
[04:58] Yeah. I don't have to deal with anything that's not self-signed.
[05:00] I do, but it's only a couple of ssh host keys that I really need to replace
[05:04] Two hours of bug hunting... Slap of the forehead.... Add one line of code... It works ... Head desk.
[05:07] that sounds like a usual day for me
[05:07] * ajmitch is glad to not get paid by lines of code :)
[05:09] Unfortunately in this instance I'm providing a service, so the less time I have to spend on it, the more profitable it is for me.
[05:10] and people don't really see much of a service in 1-line fixes, usually
[05:15] This was service working and customer happy versus service not working and customer annoyed.
[05:16] My code for my service. No hourly rates at all.
[05:16] hi all
[05:16] when i use key-based ssh and change the keys on my client, the server should refuse entry. is that correct?
[05:18] Unless you give it the new cert. Yes.
[05:19] sigh. bad start
[05:19] thanks ScottK
[05:22] odd. i changed my user+laptop keys, but the server kept allowing me in until i removed the .authorized_hosts file
[05:22] hope that was pebkac on me
[06:00] Bambi_BOFH: was an ssh-agent (or seahorse-agent?) caching the key for you
[06:03] nealmcb: good thought - i do have seahorse running. that might be what caused that... anomaly
[06:03] * Bambi_BOFH cleans his cache
[06:23] ScottK: dendrobates- Thank YOU !
[07:32] hello!
[07:32] could someone please check what mx address bortal.de has?
[07:40] spiekey: /msg'ed.
[07:43] thanks!
[07:44] that looks good, but i still get mail on the old server *grrr*
[07:51] <\sh> spiekey, dns cache is awesome...and sometimes doesn't honour ttls
[07:53] want a 2nd report? :) (don't know if the dns will look different this side of the world)
[08:11] Hi! Am I safe to do the openssh-server updates over an ssh connection?
[08:11] assuming your link is stable yes
[08:12] so it does depend on keeping that ssh connection open?
[08:12] if it drops out you can't/will have trouble setting up a new one.
[08:12] also make sure you can log in using passwords before doing the sshd restart
[08:13] s/restart/upgrade
[08:13] ok, thanks.
[08:14] no worries.
[08:23] Hello
[08:23] Guys I really need help: I have regenerated my openvpn certificates and keys, but still ERROR: 'xxxxx.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
[08:26] I'm not alone: http://forum.ubuntuusers.de/topic/174817/?p=1405337
[08:27] Anyone an idea? OpenVPN seems to be unusable since this security update...
[08:28] i don't know, but i'm about to try setting up ovpn again too
[08:29] falstaff_: Same here!!!
[08:31] As far as I see the things, the log message is generated by the openvpn binary
[08:32] So my guess is that the openvpn binary does _NOT_ use the /usr/sbin/openvpnssl-vulnkey to verify if it is a vulnerable key or not
[08:33] /usr/sbin/openvpnssl-vulnkey says to me that the key is not blacklisted...
[08:34] falstaff_: yup.. same here.
[08:34] openvpn client is not restarting after upgrade.
[08:35] Which ubuntu version are you using? I'm still on 7.10....
[08:36] us too
[08:38] pschulz01: And you?
[08:39] falstaff_: us is me and pschulz01 :)
[08:43] <_ruben> hrm .. bug in init script of openipmi .. let's see if there's a lp entry yet for it
[08:43] <_ruben> (can't touch lockfile due to lack of /var/lock/subsys/)
[08:44] ok :-)
[08:45] http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.1.diff.gz is interesting
[08:45] openvpn is using "/usr/sbin/openssl-vulnkey -q %s"
[08:46] to check the keyfile... do you use shared keyfile or private keyfiles?
[08:46] falstaff_: Bambi_BOFH recreating new keys..
[08:49] generated new keys and the client starts
[08:49] so it's a case of 'ignore helper tool'
[08:50] moin
[08:52] <_ruben> ah crap .. /var/lock is a tmpfs mount .. so even if a pkg would create /var/lock/subsys/ it'd be destroyed
[08:58] Hello all, I'm having an irritating issue with a couple packages on my server. aptitude full-upgrade works, except for: update-manager-core depends on python-apt (>= 0.6.16.2); however:
[08:58] Package python-apt is not configured yet.
[08:58] I've run dpkg --configure -a .. and it kicks back the same'ish error .. help?
[08:58] <_ruben> i wonder what would be the best way of making sure /var/lock/subsys/ is created at boot time (after it's mounted with tmpfs)
[08:58] I've tried to re-install both packages, and they both tell me they can't be configured ..
[08:59] our vpn is working again \o/ i'm heading off for dinner ;)
[09:07] Bambi_BOFH: Just regenerating keys? i regenerated the keys too, but it doesn't work for me...
[09:33] hello i have a problem configuring cupd server
[09:33] i can't access from the web interface
[09:33] i have added Listen 631
[09:34] DefaultEncryption Never
[09:35] and in the
[09:35] allow from 192.168.1.0/24
[09:38] Okay, fixing a vulnerable one and building a new one is not what ubuntu should do, is it?
[10:57] <_ruben> bah .. my hardy machine hangs on shutdown, reboot works fine tho
[13:35] Are the cert changes the SSL tool makes logged anywhere?
[13:44] ScottK: good question. The place to start looking seems to be /var/lib/dpkg/info/openssh-server.postinst and I guess the ssh-vulnkey code
[13:45] Well I wish the process were transparent.
[13:45] I went through (I thought) and regenerated everything that needed doing yesterday.
[13:46] My laptop told me it was fixing something, but I have no idea what (I'm guessing snakeoil).
[13:46] This would have been the ssl one, not the ssh one anyway.
[13:46] you can look for *.broken files
[13:47] I'm certainly not going to run that tool on a server with production SSL/TLS certs without some clue.
[13:47] OK. Thanks.
[13:47] oops - right - ssl...
[13:48] Nothing .broken.
[13:49] ScottK: afaik ssh-vulnkey by itself does not change anything
[13:49] yeah - the consequences of vulnerable .ssh keys used for login are very different from the consequences of bad ssh host keys or ssl certs....
[13:50] nijaba: The ssl tool does regenerate something.
[13:57] I am trying to ssh into my server at home but I get the following :@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:57] @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
[13:57] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:57] IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
[13:57] Someone could be eavesdropping on you right now (man-in-the-middle attack)!
[13:57] It is also possible that the RSA host key has just been changed.
[13:57] The fingerprint for the RSA key sent by the remote host is
[13:57] How to solve?
[13:57] i have the $PS1 var set up in /etc/bash.bashrc as well as each user's ~/.bashrc, and it works fine when anyone logs in via ssh, but when someone is already logged in and changes users with 'su someone' the $PS1 is lost, where is that default located?
[13:58] johnnybravo: just delete that key in ~/.ssh/known_hosts
=== Navop__ is now known as Navop
[13:59] johnnybravo: see usn-2
[14:00] wait for link
[14:00] johnnybravo: http://www.ubuntu.com/usn/usn-612-2
[14:01] pablasso, that did it thanks.
[14:02] emgent I'm looking into the link now....
[14:07] johnnybravo: note also the -R option to ssh-keygen - may be easier than editing the file
[14:10] I assume that this warning is just that, a warning. I've checked my logs and nobody has logged in by brute force
[14:22] johnnybravo: given the recent USN, that is most likely. but for the paranoid, of course, an attacker could often fix the logs to cover traces
[14:26] nealmcb, true enough, and if that would be the case they are sharper than I, so let them go nuts
[14:50] johnnybravo: delete the machine's entry in ~/.ssh/known_hosts
[15:01] Morning everyone
[15:01] if i have several physical drives... would it be better to put swap across multiple drives or just dump it on the 1?
=== sergevn_ is now known as sergevn
[15:03] pteague, I think splitting it up will give you better write performance of the swap but less read performance, so this might just be a personal decision
[15:03] <_ruben> pteague: add more ram so swap becomes a (nearly) non-issue
[15:04] Hi. I just upgraded a freshly installed dapper system to hardy using update-manager-core and now the kernel log daemon, klogd, needs ages to restart itself. Is that a known issue?
[15:04] <_ruben> and i don't think there's much performance difference, there's no raid logic applied afaik
[15:04] old hardware i'm repurposing as a mythbuntu box - amd 2.6ghz with 1gb ram i think
[15:05] \sh: didn't you manage to do that? :)
[15:08] gnarf. I restarted and can't login now because it (most likely) hangs loading the klogd
[15:12] * dennda restores and tries again... annoying
[15:13] Hey everyone. Installing the openssh-blacklist package will prevent users with weak ssl keys from connecting to my server correct?
[15:13] <\sh> dennda, nope :)
[15:13] <\sh> dennda, I need to do it still on my old rooty ;)
[15:14] cyris|: ssh/ssh, but yes.
[15:14] ScottK, ah yes that's what i meant :D
[15:14] \sh: I was under the impression that I read a posting of yours where you happily claimed you updated your ubuntu boxes to hardy RC
[15:15] if this fails again I'll need to annoy somebody :)
[15:15] He did, but from Gutsy, not Dapper. I've done a bunch of Gutsy -> Hardy upgrades with no trouble I didn't bring on myself.
[15:17] ScottK: this is a completely basic dapper install. I did not do anything to it other than adding dapper-updates, installing update-manager-core and executing the upgrade dapper -> hardy. and that failed. I'll give it another shot
[15:17] <\sh> dennda, nope...I installed the RCs on a virgin box...
[15:17] ah ok
[15:17] I don't have physical access
[15:18] dennda: Reporting bugs is useful. It's 8.04.1 that's aimed at supported Dapper -> Hardy upgrades.
[15:18] someone know who is DaD sysadmin ?
[15:18] emgent: Lutin or Adri2000
[15:18] ScottK: oh. that's the first time I read that
[15:18] ScottK: thanks
[15:18] I'm not finding the openssh-blacklist package in the repos, anyone else having this problem?
[15:18] http://www.ubuntu.com/getubuntu/upgrading#head-e059d5452a24b50d09c64df48058ef2d834eb197-2 <-- doesn't say anything about it
[15:19] dennda: It's in the Hardy release notes.
[15:20] I'm setting up a high load samba server. What is the best filesystem to use?
[15:20] gnah, 3rd of july
[15:20] definitely can't wait that long
[15:23] Actually I looked and it's not in the release notes. I swear it was there at one point.
[15:23] In any case developers are still working on making upgrades go better, so reporting bugs in Dapper -> Hardy upgrades is useful.
[15:24] any way I'll need a punching ball in case it fails again :)
[15:24] yeah I'll do that
[15:25] .oO(though I am a bit surprised how recent the django version of dapper is...)
[15:29] again... starting klogd lasts forever
[15:32] sounds like a missing loopback device or broken localhost entry in /etc/hosts
[15:34] after installing the openssh-blacklist, is a restart of the openssh-server required? or any further configuration?
[15:35] ogra: are you talking to me, oliver?
[15:36] cyris|: When you install the update it gets restarted.
[15:36] dennda, well, was just a comment generally spoken o the room ... :) but yes, referring to your klogd
[15:36] s/o/to/
[15:37] ogra: I can tell you what the contents of the files are if you like
[15:37] maybe you have an idea what is wrong
[15:37] ifconfig -a .... check if loopback is up
[15:37] and look into /etc/hosts
[15:38] UP LOOPBACK RUNNING
[15:38] aaand:
[15:39] ScottK, ok I think I have a problem then. I know that a particular user account has a weak ssl key, and yet after installing the blacklist package they can still shell in.
[15:39] ogra: http://paste.pocoo.org/show/50164/
[15:39] cyris|, sudo ssh-vulnkey -a
[15:39] cyris|, what does that give you ?
[15:40] ogra, hello :D um I don't have ssh-vulnkey, I was using the dowkd.pl script to test for weak keys
[15:40] dennda, hm, looks fine
[15:40] after 10 minutes or so it is now reported that restarting of klogd FAILed
[15:40] cyris|, don't do that and finish your upgrade first :)
[15:41] (don't use dowkd.pl i mean, it's known to not catch all keys)
[15:41] cyris|: Do what ogra says.
[15:41] at least I let it finish now
[15:41] let's see what happens
[15:42] Wow, ok I ran apt-get upgrade yesterday and I'm sure it updated openssl, but now there are new upgrades?
[15:42] they were held because you didn't install the blacklist package yet
[15:42] OH! makes sense I guess
[15:43] Ok so with this update, will it regenerate all keys detected as weak? or am I going to have to do this?
[15:43] (and that's why i asked you to check with the vulnkey proggy, that comes only with the upgrade, so i know you are outdated still ;))
[15:44] GRUB loading, please wait... \ Error 17
[15:44] it will regenerate what it can ... i.e. ssh server/host keys but not the user keys
[15:44] woohoo!
[15:44] gnarfgnarfgnarf
[15:44] * dennda files a bugreport and curses
[15:45] Ok. so now I'm up to date. So it regenerates the host keys for this server correct?
[15:45] dennda, that's a real machine or one of the hosteurope vhosts ?
=== joerlend_ is now known as XiXaQ
[15:45] cyris|, sudo ssh-vulnkey -a will now tell you
[15:46] it checks all keys it can find
[15:46] ogra: vps
[15:47] you know that doesn't allow you to upgrade the kernel right ?
[15:47] yes
[15:47] it uses the host kernel
[15:47] I know
[15:47] which definitely leads to probs
[15:47] what do you suggest? disabling klogd?
[15:47] ogra, Some compromised keys were detected
[15:48] dennda, talk to hosteurope support
[15:48] dennda, well, and as short term solution yes, disable what breaks
[15:49] cyris|, fix these then
[15:50] the output should tell you the filenames
[15:50] ogra: they will tell me that hardy is not supported
[15:51] well, they know why
[15:51] ogra: just put exit 0; before anything else in the startscript?
[15:52] mv the S file in /etc/rc2.d to be a K file
[15:52] else upgrades will overwrite your changes
[15:52] or rcS.d wherever klogd sits
[15:55] ogra, the only problem i'm having now is the entries in my /root/.ssh/authorized_keys2 . should I just remove this file or clear it?
[15:55] or the lines in doubt
[15:55] as you like
[15:58] ogra: mv S11klogd K11klogd ?
[15:58] dennda, right
[15:58] that way update-rc.d in the package won't touch the setup (just removing it or changing the content would bring it back on updates)
[15:59] * dennda just left repair mode. let's see if it works
[16:00] dennda, the question is really what else is broken
[16:00] i bet udev might run into probs with an old kernel as well for example
[16:01] so you suggest using dapper until the problems are sorted out?
[16:01] (if they are ever being sorted out)
[16:01] alright, so if ssh-vulnkey -a doesn't detect any compromised keys, am I good to go get a coffee? :D
[16:01] well, the problem is on hosteurope side nothing ubuntu could do about that
[16:01] cyris|, enjoy as long as it's hot :)
[16:02] didn't work anyway
[16:02] well, let's hope that dapper's packages are recent enough for me then
[16:02] django seems to be
[16:02] ogra, one more question tho if you don't mind. Does each of my users have an ssl key since they use ssh ? I have about 20 users who shell in.
[16:03] well, you should check their keys as well indeed
[16:04] ssh-vulnkey takes filenames as option
[16:04] ogra, ssh-vulnkey won't detect these keys?
[16:04] ogra, hrm no fast way to do this?
[16:04] ogra: I shall not report a bug then?
[16:05] ogra, as you can see, i have some reading to do, but i'm just wanting to get this machine all patched up :D
[16:05] whilst we are at it: dapper is not affected by those ssl bugs, is it?
[16:06] dapper isn't
[16:06] dennda, well, ymmv no idea where you get with such a bug, mention in any case the setup and the vhost
[16:08] ogra, do users use the host keys on the system ?
[16:09] users use their keys in ~/.ssh usually
[16:10] ogra, hrm ok. so can a user shell in if they don't have a .ssh directory?
[16:11] New bug: #230174 in openssh (main) "[Gutsy] ssh installation results in COMPROMISED keys" [Undecided,New] https://launchpad.net/bugs/230174
[16:11] ogra, or are those directories used to store known_hosts ?
[16:12] that as well
[16:15] mathiaz: for the dovecot SRU i'm just writing up the testcase now so they set up dovecot with SSL, run the create user script and then they run the test script correct?
[16:16] zul: yeah - you could also add to set the login_max_process_count option to 4
[16:17] zul: hardy should timeout quickly
[16:17] coolio thanks
[16:19] ogra, thanks for your help today, going to have a coffee and I'm going to start fixing up this other machine now :S
[16:25] good luck :)
[16:25] mathiaz: dovecot uploaded
[16:25] to hardy-proposed
[16:34] whee! grub error 17 again... guessing i need to fix an mbr
[16:46] Hi all
[16:47] Anyone with info about held back packages, OpenSSH server and client for Hardy. Launchpad nada
[16:48] Sorry kept back packages
[16:48] install openssh-blacklist
[16:49] troja: sudo apt-get dist-upgrade
[16:49] That will install the new package.
[16:49] Yup... installing :)
[16:50] We have a mess in Sweden with archive servers 1 week behind and all the notes about this issue. USN 614-1 to 4
[16:52] Security updates should come from security.ubuntu.com, not from a mirror.
[16:52] * delcoyote hi
[16:53] ScottK... nope nada but after changing sources.list it was OK except the blacklist package and kept back packages....
[16:53] <_Nicke_> ScottK: My upgrade from Gutsy to Hardy changed my sources.list to use se.archive for hardy-security too, fwiw
[16:54] <_Nicke_> not sure if that's caused by me or something...
[16:55] <_Nicke_> uhm, never mind.. gutsy-security was handled by se. for me too it seems (now I wonder when that happened)
[16:57] Dunno. Mine all say http://security.ubuntu.com/ubuntu.
[16:57] <_Nicke_> yeah.. I have security. commented out for feisty-security.. but that's it.. oh well, probably my fault somewhere
[16:58] Hmm. in my case it also downloads from fr.archive.ubuntu.com
[16:58] for security
[16:59] I suppose when you select a specific source server in the GUI it changes them all
[16:59] another reason not to use that gui
[16:59] mine is security.ubuntu.com for gutsy
[17:00] Koon: I don't think that the -security are changed.
[17:00] Mine was totally default, installed 1 week ago.
[17:00] Bug ?
[17:00] mathiaz: testing right now
[17:00] Okay. The LVM configuration during the install doesn't make sense to me.
[17:00] better to always point to security.ubuntu.com for -security.
[17:00] security updates are copied to -updates and thus hit the mirrors in a matter of days.
[17:02] mathiaz: it changes them all
[17:02] all uncommented deb and deb-src lines
[17:04] I thought you'd create the PV, then you'd partition
[17:05] but you separate the PV into partitions, then add them to LVM??
[17:18] SSH restarted but
[17:18] "Read from socket failed: Connection reset by peer"
[17:18] Client keys removed within the host_known file ...
[17:18] The client also got a bunch of packages....installed
[17:18] Time for the keyboard and screen again for the server....???
[17:19] did you regenerate the keys on the server-side like the ubuntu package forces you to do during installation?
[17:20] mathiaz: that's strange... I fixed the file and changed again from the GUI : it didn't touch the security deb lines
[17:21] mathiaz: so that would mean it only replaces the last servername by the new one (which is good)
[17:21] mathiaz: but I clearly didn't modify the deb security lines myself... and it's a very recent 8.04 new install
[17:22] giovani...I got the Debconf screen on the client but not the server.
[17:22] Probably time for the keyboard and screen... :)
[17:22] I suspect some installer thing. for localized installs it replaces all lines with the local server
[17:23] I'll recheck with a fresh install next time I do one
[17:24] troja: ... that's not good -- what release?
[17:27] giovani ... Hardy well it was a package mess within the SSH server, dpkg --reconfigure -a solved it.
[17:27] I can talk to my magic box again...:)
[17:27] Thanks all !
[17:32] trying to write a shell script, got a line abcd.12.34.efgh, trying to match using ([a-z]+).([0-9]+) and pull out abcd and 12 into separate variables. any tips?
[17:32] the regex itself works, i just can't work out how to make it return match values based on the parenthesis
[17:36] New bug: #230344 in openssh-blacklist (main) "bug in ssh-vulnkey - ref USN-612-2 (dup-of: 230029)" [Undecided,New] https://launchpad.net/bugs/230344
[17:48] where can i find out if i'm affected by the ssh vulnerability? i just updated 2 of my servers and neither of them had any ssh updates
[17:52] good_dana: what ubuntu release are you running?
[17:54] 6.06 LTS
[17:54] server
[17:54] good_dana: any keys *generated* by that machine are not affected
[17:56] however, you may have vulnerable keys for users sitting on that server generated elsewhere -- there's a utility from debian that can check keys (although it's far from perfect -- lots of false positives and negatives) http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
[17:56] giovani: thanks for your help
[17:56] good_dana: no problem
[17:58] the debian wiki has more comprehensive documentation on checking all sorts of keys on your system: http://wiki.debian.org/SSLkeys
[17:59] worth reading
[18:07] Greetings
[18:07] how do I find a fast mirror?
[18:07] Is there a tool?
[18:11] people going to NLUUG in Ede tomorrow?
[18:11] Fenix|work: pick a mirror close to you ... and test the speed -- mirrors have varying bandwidth, and it depends on the time of day, and changes over time ... there aren't THAT many to test nearby
[18:12] giovani, I have no problem with testing mirrors myself... I was curious if there was a utility that picked a regional set of mirrors and did a test on which was most efficient
[18:12] never heard of such a utility, nope
[18:13] although googling quickly returned this: http://ubuntuforums.org/showthread.php?t=251398
[18:13] definitely not official
[18:13] k... coming from gentoo, I guess I was spoiled :)
[18:14] not really ... there's little point
[18:14] I max out 50Mbps lines with my local mirror
[18:14] i get better speeds from distant mirrors than i do from my local mirror
[18:15] I have a 10Mbps line and I'm only downloading at about 80KB/s from my locals
[18:15] Fenix|work: if you're testing during a big use time ... like during a new ubuntu release, most mirrors are packed
[18:16] Fenix|work: where are you located?
[18:16] Toronto Canada
[18:16] try MIT
[18:18] I'm pulling over 30Mbps from them right now
[18:18] k
[18:18] so I just add the mirror to /etc/apt/sources.list?
[18:18] http://ubuntu.media.mit.edu/ubuntu/
[18:18] yup -- and do a 'sudo apt-get update'
[18:19] (you'll want to replace your other mirror with that one)
[18:19] not just add it
[18:19] deb http://ubuntu.media.mit.edu/ubuntu/ gutsy main restricted
[18:20] that'll do it for the main gutsy set ...
[18:20] I have gutsy, gutsy-updates, gutsy-backports -- with main, restricted, universe, multiverse for all of them
[18:20] I have a huge long list in my sources.list
[18:21] right ...
[18:21] that's normal
[18:21] can I safely remove all the deb entries and replace with what you suggest?
[18:21] ... not ALL of them
[18:21] (or comment out)
[18:21] just the ones that are currently set to your mirror
[18:22] i.e. deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted universe multiverse becomes deb http://ubuntu.media.mit.edu/ubuntu/ gutsy main restricted universe multiverse
[18:22] ok, so I can comment out the 4 multiverse the 4 universe and 2 gutsy-updates?
[18:23] I'm confused
[18:23] pastebin your sources.list
[18:23] that'll be easier
[18:24] http://rafb.net/p/DpGDGx33.html
[18:25] yeah, let me clean that up for ya
[18:25] sweet. thanks
[18:26] backup that file
[18:26] and start fresh with this: http://rafb.net/p/Wo1ELu40.html
[18:28] weee ... aptitude update right now
[18:28] apt-get > aptitude :)
[18:29] yeah...
aptitude remove ubuntu-desktop will at least remove all packages in the metapackage if used with aptitude install ubuntu-desktop :)
[18:29] can't say the same with apt-get remove ubuntu-desktop
[18:31] New bug: #230393 in mysql-dfsg-5.0 (main) "Mysql socket file breaks PHP/Perl/etc..." [Undecided,New] https://launchpad.net/bugs/230393
[18:31] Fenix|work: that's just because you don't know how to use it :)
[18:31] apt-get autoremove
[18:31] doesn't work
[18:31] I tried it :)
[18:31] it does work ...
[18:31] just removed the meta package, nothing else
[18:33] but I ended up removing all the packages from within the meta package manually so I'm clean
[18:33] why did you want to do that in the first place?
[18:33] if you don't want the desktop metapackage ... that's what the alternate/server install is for
[18:34] yeah... someone else thought using XDMCP and a windows X-server would be nice
[18:36] out of curiosity ... any particular reason why aptitude is holding back openssh-client, openssh-server and ssl-cert ?
[18:36] my company is currently running a feisty fawn (7.04) with Postfix installed and apache2, can I upgrade to hardy 8.04 without any problems, Feisty install was excellent with no issues at all. So can I upgrade this particular server/distribution?
[18:37] reya276: the supported path is "via gutsy (7.10)"
[18:37] reya276: upgrades are often messy, I would never do them on a live business-critical server unless you're quite experienced and confident in fixing problems
[18:37] <\sh> bah....#230393 is not mysql..it's the app fault to not look in the right location
[18:38] ok so I can't upgrade the server to hardy unless 7.10 is installed
[18:38] you CAN, but that's not the supported method, according to lamont
[18:39] oh crap, this means I will lose my postfix config complete with all the users on the server, oh man this is not good
[18:39] ... who said that?
[18:39] no just me panicking that's all :-D
[18:39] reya276: I think you're misinterpreting what's been said
[18:39] nobody said you'd lose your configuration
[18:39] right
[18:40] so then why did you just say that?
[18:40] ok so how should I go about this?
[18:40] reya276: do-release-upgrade is your friend
[18:40] huh?
[18:40] what do you mean?
[18:41] reya276: http://www.ubuntu.com/getubuntu/upgrading
[18:41] <\sh> reya276: the fun part about sysadmin ship is: knowing the path is not going the path..you need to test your upgrade with a similar install first...then you can plan your downtimes and know about the pitfalls
[18:41] reya276, I think he's referring to this
[18:41] https://help.ubuntu.com/community/HardyUpgrades
[18:41] reya276: one of those urls...
[18:41] I'm now ready to do-release-upgrade
[18:41] well first he needs to do this: https://help.ubuntu.com/community/GutsyUpgrades
[18:41] oh that's not good, I have no other servers with the same hardware specs to test this on, hell no other server period
[18:42] apt-get install update-manager-core; do-release-upgrade (note that do-release-upgrade from gutsy->hardy still wants the -d (development) flag, which I understand will go away in 8.04.1 time
[18:42] reya276: Then build a similar software configuration on a desktop box.
[18:42] <\sh> reya276: the hardware is not that important...use a vmware instanz with feisty and upgrade via gutsy to hardy...you need the same software layout
[18:42] reya276: business-critical servers always need upgrade testing ... you can't ever do upgrades on live systems and hope everything to come up 100% perfect
[18:42] <\sh> s/instanz/instance/
[18:43] * \sh hates speaking denglish
[18:43] if it's real live scary "can't afford any downtime and no way to pre-test" production, then you have a real problem, regardless of what you're running...
[18:43] giovani: depends on how you define "business critical"
[18:44] lamont: well "business critical" is self-defining
[18:44] * lamont just did a reasonably blindish (remote) dapper->hardy upgrade on a machine after confirming that 2-4 hours down time was "no problem".
[18:44] if it's critical to your business ... you cannot afford hours of downtime ... in any business I've seen
[18:44] <\sh> "if you fcking bloody spam sending software is not working again, I'm jobless"...is this business critical ? ,->
[18:44] and it's the primary mail server for that organization
[18:45] <\sh> giovani: you can afford hours of downtime, when you announce it correctly to your customers and clients...
[18:45] lamont: a botched upgrade with a novice admin could mean a hell of a lot more than 2-4 hours of downtime
[18:45] <\sh> giovani: regarding a mailserver, you should have backup
[18:45] \sh: why are you directing this at me? it's not my server we're talking about
[18:45] well this server just hosts our email that is all nothing else really
[18:45] <\sh> giovani: it was a general remark
[18:45] I run redundant mx servers ...
[18:45] giovani: "2-4 hours of downtime" == me rebuilding the machine from scratch
[18:46] so I can take an entire saturday and sunday to do it
[18:46] lamont: and recovering email and users? congrats ... that's a lot of work
[18:46] after driving the 10 minutes to the site
[18:46] <\sh> lamont: don't compare your experience with starting admins
[18:46] giovani, that's what backups are for :)
[18:46] For a mail server I've done it in 2 hours including assembling the hardware for a new box.
[18:46] \sh: if your customers and clients are the members of staff working within the organisation, and the server in question is where they collect their mail from, i think you'll find it doesn't matter how many hours days or months notice you give ;)
[18:46] they're all on a separate disk
[18:46] which happens to have spare partitions, waiting for me to migrate off of the current root partition to the new drive(s)
[18:47] <\sh> Deeps: as I said...backup is needed for essential parts of your infrastructure...but people do learn only with pain ;)
[18:47] well we are not a huge company we have only 15 people
[18:47] <\sh> reya276: excuses...excuses ;)
[18:47] \sh: difference between backups and high availability
[18:47] we don't do strict "backups" on our mail servers
[18:48] reya276: if the machine is business critical, management needs to provide at least a cold spare, if not a hot one. or one blown powersupply can ruin your whole week.
[18:48] <\sh> Deeps: backups here == I have 4 servers doing my smtp/imap stuff
[18:48] the critical apps that can't have any downtime at all are on windows server(hah hah hah, what a joke)
[18:48] we have redundant mx ... and they both feed into separate redundant SANs
[18:48] \sh: last org i worked for had a total of 4 servers for the office, wasn't an option
[18:48] reya276: and yeah, don't compare me to any expectation.... if you're not _really_ comfortable, I'd probably leave it where it is until 8.04.1 comes out
[18:48] reya276: I've maintained postfix for over a decade, you see....
[18:48] I have had to reboot those things so many times I'm surprised no one has complained
[18:49] <\sh> giovani: now it's getting more professional...;)
[18:49] \sh: ?
[18:49] reya276, that's not particularly true. I use Exchange for mail ... and it's been rock solid. I only reboot when patching, and even then on the hardware, a reboot only takes 2 minutes from pillar to post
[18:49] oh so just leave it until 8.04.1? when is that coming out
[18:49] <\sh> giovani: sans are nothing for low profile companies...here we are talking about more money than they spend in their desktops ;)
[18:49] reya276: 3 months after 8.04 did
[18:49] \sh: I didn't say we used big iron commercial sans
[18:49] reya276: with each subsequent point release 6 months later
[18:49] huh?
[18:49] they're home-brew
[18:50] <\sh> giovani: you mean low coast storage servers and iscsi technique?
[18:50] 3 months so August
[18:50] <\sh> s/coast/cost/
[18:50] <\sh> damn I'm overworked
[18:50] iSCSI has been quite effective for my place
[18:50] \sh: we use SAS drives and hardware iSCSI
[18:51] as it is, I have 28TB of iSCSI storage, and another 30TB with SAS
[18:51] oh crap, I just checked the version of the server and it's the actual desktop version of feisty, oh boy this is not good
[18:51] <\sh> giovani: I'm using areca raid6 + 16 sata drives on a special sas backplane...makes 7TB brutto
[18:51] <\sh> per machine
[18:51] \sh: yeah, I use areca's stuff at home ... on my 14TB media server
[18:51] it's pretty nice
[18:52] <\sh> giovani: which release? somehow we got bad arecas these days (= areca host adaptor raid6 first release *crap*)
[18:52] we've been using iSCSI products from Promise
[18:52] their vTrak product line
[18:52] \sh: release?
[18:52] release of what?
[18:52] giovani, he's using a desktop version of feisty
[18:52] not alt/svr
[18:53] <\sh> giovani: of the adaptor...they send out different hw layout releases with the same model no.
[18:53] Fenix|work: I just saw that :) -- I'm putting my head in the sand, I don't want anyone to see me cry ;)
[18:53] haha
[18:53] \sh: I don't know ... I'd have to look it up
[18:53] on postfix is it possible to backup the existing config and then restore it
[18:53] \sh, what do you use for the iSCSI HBA? Software or hardware?
[18:53] \sh: I've considered moving to Solaris and ZFS for my next media server installation
[18:54] because if I can do that then I should be able to just wipe out the system and do a fresh install
[18:54] and doing software raid
[18:54] <\sh> Fenix|work: I'm now using openiscsi software...or if hardware -> netapp
[18:55] would you consider qlogic?
[18:55] * Fenix|work sighs
[18:55] netapp = qlogic
[18:55] tough day
[18:55] Fenix|work: yeah, qlogic has looked good to us
[18:55] netapp is not equal to qlogic
[18:56] Fenix|work: ever consider moving from iSCSI to FCoE?
[18:56] we've been looking into it
[18:56] same here
[18:57] but from a price/performance point it was too expensive
[18:57] yeah
[18:57] we don't need high-availability
[18:57] we need lower speed storage
[18:57] are you guys virtualized at all?
[18:57] partially
[18:58] vmware? xen?
[18:58] vmware
[18:58] using 6 ace
[18:58] ohh, desktops
[18:58] integrating with the intel virtualization
[18:58] <\sh> development == yes...but product runs on real hw...
[18:58] why not VDI?
[18:58] well I'm using ACE
[19:00] haven't reached that level yet :)
[19:00] ah :)
[19:00] we started looking at virtualization quite recently actually
[19:00] what industry are you in?
[19:01] we've been buying up HP DL380 G5's a lot lately and when they come with a quad core standard... it made sense to look at virtualization
[19:01] that is a very good question. I don't quite know how to describe it
[19:01] I guess we're in the Remote Sensing / Positioning / Orientation market
[19:01] lots of data acquisition, engineering, manufacturing, etc
[19:01] ESP? ;)
[19:02] alright
[19:02] ESP? Extrasensory perception?
[19:02] well you said "remote sensing"
[19:02] (it was a joke)
[19:03] you hear of the DARPA Urban Challenge?
[19:03] yea
[19:03] our product was on 20 of the competitor vehicals
[19:03] vehicles
[19:03] ah, nice
[19:03] we're a bit more industrial than that
[19:03] and was onboard the 1st place, 2nd place and 4th place vehicle
[19:03] but in manufacturing
[19:04] <\sh> Fenix|work: use the DL385 with dual quad core...or if intel finally scales with the memory channels...hmm...
[19:04] giovani, and we were bought out a couple of years ago by Trimble
[19:04] \sh, we have no real need for dual quads yet
[19:05] our servers are more for storage than processing
[19:05] <\sh> Fenix|work: for esx it just nice..just setup one of the new dl365 with dual quad...
[19:05] although I've got my eye on 2 dual quad proliants for a SQL server cluster
[19:06] run 64bit, 32GB RAM each...
[19:06] but that's on next years budget wishlist
[19:07] anyone have some better docs on setting up a cvs server on ubuntu?
[19:07] <\sh> cvs?
[19:07] the info I've been able to find is a little on the sparse side
[19:08] some use cvsd, others no.
[19:08] yeah... you heard me... no typo
[19:08] cvs
[19:08] :)
[19:08] <\sh> cvsd is the hell...why not cvs + ssh and a nice little ldap setup? ,-)
[19:08] that may work
[19:08] have no frakin' clue how to implement it
[19:09] SVN > CVS ;)
[19:09] giovani, you have to know the situation here
[19:09] <\sh> Fenix|work: apt-get install openssh-server cvs
[19:09] <\sh> and think about a good group structure first
[19:09] Fenix|work: no, my opinion is the gospel truth ;)
[19:10] <\sh> then you implement ldap and add it to ldap and nsswitch.conf ... don't ever use sudo-ldap
[19:10] Engineering Dept asked me to set up a cvs server as a pilot project... which then turned out to go live right under my nose
[19:10] it's on a clone, using Gentoo ...
[19:10] so we're moving the existing repository to new hardware and Ubuntu... then they'll look at SVN
[19:10] ok
[19:10] <\sh> I had it running on around 2000 servers....sudo-ldap is crap...and I didn't want to pay the dev the implementation of the "!" and "host" sudo stuff
[19:11] \sh, I'm presently in the middle of do-release-upgrade
[19:12] I initially set up the box with gutsy
[19:12] so hardy here I come :)
[19:12] heh
[19:12] <\sh> Fenix|work: fun :)
[19:12] oh... is this putting me on LTS?
[19:13] it will
[19:13] yay
[19:13] of course it is
[19:13] LTS is the good-ness
[19:13] these openssl updates seemed to have screwed up my slapd.conf :S
[19:14] <\sh> cyris|: yeah...this was fun this morning..
[19:14] brb
=== joerlend_ is now known as XiXaQ
[19:14] \sh, yeah, mind you I only have 2 ubuntu servers to fix up and man I don't know a heck of a lot about openssl and openssh, only that I should use them :D ogra helped out a lot.
[19:15] err HAD 2 servers to fix
[19:17] <\sh> cyris|: yeah ogra fixed me, too, in 2005 ;)
[19:17] \sh, any idea why I can't specify TLSCipherSuite in my slapd.conf ?
[19:17] if I comment it out, slapd runs fine, but I'm having problems with pgina (windows clients) authenticating
[19:18] <\sh> cyris|: no...:( at least not now anymore...I'm too tired
[19:19] <\sh> I'm happy if I'm able to update my ubuntu mirrors still...
[19:19] \sh, I hear ya
[19:19] * \sh needs to talk to my ISP to upgrade from 32mbit/s to more than that for less money
[19:20] <\sh> and /me needs to talk to doko
[19:21] \sh, crap, what you doing with all that bw :D ?
[19:21] \sh, I'm loving my 7mbit down 1mbit up at home
[19:21] <\sh> cyris|: that's my private line :) cable tv internet connection
[19:22] <\sh> cyris|: problem is the more down the more up I have...which I need
[19:22] <\sh> and sdsl is no option where I'm living
[19:23] \sh, i believe only adsl is available in my area
[19:23] \sh: where do you live?
[19:24] ah maaaaaan... it installed x and gnome
[19:25] <\sh> giovani: in germany, in the south, near to the rhine and round about 6KM from france...a 600 soul village, where you can get 6Mbit/s adsl of our beloved german telekom, or 32Mbit/s down/2Mbit/s up of our local cable tv provider :)
[19:25] UGH another openssh update ?
[19:25] \sh: ah, I have a bit of family in germany
[19:25] <\sh> giovani: everyone has as I learned from people living in NC ;)
[19:25] cyris|: fixing bugs in the tools
[19:25] \sh: haha
[19:25] giovani, yeah
[19:26] \sh: well, family I visit frequently :)
[19:26] <\sh> giovani: where are you living?
[19:26] New York City
[19:27] <\sh> giovani: ah...that was next on my list of "need to visit locations" since they changed the law
[19:27] which law would that be?
[19:27] <\sh> giovani: actually there are many laws they changed since 9/11
[19:28] ah, I'm sure
[19:28] all crazy
[19:28] <\sh> yes...
[19:28] what's the difference between server install cd and alt install cd?
[19:28] I haven't been to South Germany in many years ... probably 12 or so
[19:28] Fenix|work: Which packages are installed by default, and which are shipped on the ISO.
[19:28] Fenix|work: The installer is the same, though.
[19:29] Fenix|work: the alt install cd is oriented at desktop users, the server install is oriented at servers
[19:29] <\sh> I was visiting dubai in october 2001...that was fun going through heathrow
[19:29] so aside from the 5 points they make for the alt install... nothing
[19:29] Fenix|work: Server gives you a different default kernel, and offers some server-specific tasks.
[19:30] <\sh> giovani: if you are around and you want to meet some fellow ubuntu guys, just ping...a bed is always free here at my place :)
[19:30] the upgrade from gutsy to hardy has reinstalled ubuntu-desktop it appears
[19:30] \sh: hah, thanks for the offer, my german is god-awful
[19:30] I always forget most of what I learn as soon as I leave
[19:31] most of my family is near Offenbach
[19:31] some a bit more north near Kassel
[19:33] <\sh> giovani: my future wife comes from cameroon, I was living 8 years with a ZA born indian..so a) I know english (well not enough to write and speak and can b) communicate and c) there is still the piece of paper ;) you could also try some french .. but don't expect an answer..:)
[19:33] \sh, does the server install automatically detect cciss!c0d0?
[19:33] <\sh> Fenix|work: yes
[19:33] weeee
[19:33] nice
[19:34] I may just reinstall
[19:34] \sh: that is an incredibly varied history your family has :)
[19:35] opinion please: courier-imap or dovecot or ?
[19:36] <\sh> Fenix|work: smart arrays are known to work since anges for debian...the problem we had during dapper?feisty?gutsy? was lilo not to know anything about cciss devices...so colin fixed it in lilo maintainer script and I tested it on HP hw so..yes, it knows anything about smartarrays..it does even know something about 64bit lba stuff on smartarrays regarding dl320s machines of hp
[19:36] <\sh> giovani: at least, when you visit offenbach, just give a ring and come around :)
[19:36] \sh: haha, will do
[19:37] <\sh> s/anges/ages/
[19:37] nice, I think I'm just going to reinstall
[19:37] jimcooncat: personal preference -- dovecot
[19:38] <\sh> jimcooncat: cyrus imapd ;)
[19:38] nice... downloading at 1.0MB/s on torrent
[19:39] <\sh> jimcooncat: it depends on what you want and expect for your imap server ;)
[19:40] not much, just to have it work with imapsync, and provide occasional access with Tbird. I'm going to be using it as a backup to our hosted Zimbra.
[19:42] anyone happen to know how to get apache to serve up the contents of a mounted iso? I keep getting 403's perm denied but all the permissions are fine.
[19:42] * \sh tends always to cyrus, because it's stable and not using maildir
[19:42] <\sh> but it really depends on the usecase
[19:43] thanks giovani \sh
[19:43] maek: the permissions are probably not fine ... #apache is more relevant though
[19:44] \sh: I never used Cyrus, what does it use instead of maildir?
[19:44] <\sh> if nothing helps...mount -t iso9660 -U www-data /dev/cdrom /foobarmnt
[19:45] mbox ?
[19:45] <\sh> JanC: it uses single files for the mails (just like maildir) but /var/spool/mail/user/ and libdb* index
[19:46] hm, and the advantage over maildir?
[19:46] <\sh> JanC: so you don't need to add user homes for the accounts...(and yes I know it's not needed for maildir, but since I got rid of qmail I'm tired of /Maildir/{new,cur,tmp}/
[19:47] hehe
[19:47] <\sh> JanC: for me? I have a (only for my user) an imap spool of round about 5G...it's just speed...and it fits perfectly with my postfix+mysql+imap setup since my gentoo times, means since 2002
[19:48] giovani: ok, just wondering if someone knew a trick. thanks
[19:48] my maildirs only take ± 2 GiB for now ;)
[19:48] <\sh> fun part...apache2 stopped working, but postfix+mysql+cyrus was just working as expected when I had a load of 100
[19:48] (using dovecot)
[19:50] nice
[19:50] <\sh> JanC: as I said, it depends on the usecase...cyrus is something for really big setup..the cluster configuration for cyrus is great
[19:50] I don't think I need a cluster yet ;)
[19:50] <\sh> I have a customer who needs it now....and something for lawful interception...
[19:50] I'm running all of my stuff on a VPS with 300 MiB RAM ATM ;)
[19:51] <\sh> Mem: 1545424k total, 1462468k used, 82956k free, 4k buffers
[19:51] <\sh> Swap: 3903752k total, 50968k used, 3852784k free, 537632k cached
[19:51] <\sh> that's an old athlon XP ...
[19:51] <\sh> and it's running also some webservers + the whole xmpp stuff named ejabberd
[19:55] * \sh needs to find the time to move most of the services to the new rooty
[19:55] man this tlsciphersuite option in slapd.conf is still killing me, slowly, i feel myself melting... hah
[19:56] Mem: 307200 290940 16260 0 56556 77604
[19:56] -/+ buffers/cache: 156780 150420
[19:56] Swap: 262136 9280 252856
[19:56] <\sh> cyris|: the pragmatic part of my soul says: sleep over it, and run without it until you find the solution ;)
[19:56] that's running the GParted forum and my mailserver, mostly
[19:57] \sh, that is generally good advice. I understand what the option does, I just don't get why after installing all these updates that the option just doesn't seem to work anymore :D
[19:57] \sh but its 12:57pm here so I got another 3hrs of work left :D
[19:59] <\sh> -8 hours...west coast?
[20:02] \sh: he's in Alberta, it looks like (from the hostname)
[20:03] <\sh> giovani: so it's more west ... yeah fits ;)
[20:05] for ssh daemon... I need to install openssh-server?
[20:06] <\sh> Fenix|work: yes
[20:08] why does openssh-server want to install X libs?
[20:08] <\sh> hmm?
[20:08] <\sh> since when?
[20:08] fresh 8.04 install and it's wanting to install x11-common
[20:08] and libxdmcp
[20:10] <\sh> Fenix|work: not the server install, no
[20:10] yes, the server install
[20:10] <\sh> never
[20:10] <\sh> no way
[20:11] I just downloaded ubuntu-8.04-server-amd64.iso
[20:15] Certainly not on my hardy/amd64 server...
[20:15] adconrad@loki:~$ dpkg -l openssh-server x11-common libxdmcp
[20:15] <\sh> bah
[20:15] ii openssh-server 1:4.7p1-8ubuntu1.2 secure shell server, an rshd replacement
[20:15] No packages found matching x11-common.
[20:15] No packages found matching libxdmcp.
[20:15] <\sh> shermann@newzealand:~$ dpkg -l openssh-server x11-common libxdmcp
[20:15] <\sh> ii openssh-server 1:4.7p1-8ubuntu1.1 secure shell server, an rshd replacement
[20:15] <\sh> ii x11-common 1:7.3+10ubuntu10 X Window System (X.Org) infrastructure
[20:15] <\sh> WTF?
[20:15] Now, if you're installing with recommends, you'd get "xauth", which installs some X libs.
[20:15] But apt-get won't do that by default....
[20:16] using apt-get install openssh-server, installs 3 packages...
[20:16] using aptitude install openssh-server wants to install 11
[20:16] Right, aptitude installs recommends by default.
[20:16] And openssh-server recommends xauth.
[20:16] <\sh> infinity: it does by default now... /etc/apt/apt.conf.d/01ubuntu says something about Install-Recommends-Section
[20:16] <\sh> infinity: and yes...my rootserver provider did something really wrong
[20:16] \sh: That's only for metapackages.
[20:17] \sh: (specifically, for stuff like ubuntu-desktop, ubuntu-standard, etc)
[20:17] \sh: Definitely not for openssh-server. :)
[20:17] <\sh> infinity: ubuntu-minimal ?
[20:17] root@loki:~# apt-cache show ubuntu-minimal | grep ^Section
[20:17] Section: metapackages
[20:17] (Yes)
[20:17] <\sh> infinity: and yes...not for the normal server install
[20:17] <\sh> infinity: it's da bloody bug of rootserver provider...
[20:17] <\sh> mv 01ubuntu out of the way
[20:17] New bug: #230466 in likewise-open (main) "Likewise uninstall, Lock login to system" [Undecided,New] https://launchpad.net/bugs/230466
[20:17] <\sh> apt-get remove --purge x11-common
[20:18] <\sh> infinity: btw...what do you think about bug #230393 ?
[20:18] Launchpad bug 230393 in mysql-dfsg-5.0 "Mysql socket file breaks PHP/Perl/etc..." [Undecided,New] https://launchpad.net/bugs/230393
[20:21] * Fenix|work is going through brain cramps... how the hell do I set a static IP again...
[20:21] through /etc/network/interfaces right?
[20:21] <\sh> vi /etc/network/interface
[20:21] <\sh> auto eth0
[20:21] <\sh> iface eth0 inet static
[20:21] <\sh> the rest is man
[20:22] address / netmask / gateway
[20:22] <\sh> yes
[20:22] <\sh> broadcast you forgot
[20:22] don't need to specify broadcast with an ip and netmask do I?
[20:22] it should be smart enough
[20:22] :)
[20:23] and how do I get ssh to start on boot?
[20:23] <\sh> Fenix|work: regarding cisco ios...there is always 'no ip-classless' so I'm not convinced ;)
[20:23] hehe
[20:23] <\sh> Fenix|work: it should work out of the box after reboot
[20:24] <\sh> if not it's a bug, but really this time, it does start after the installation
[20:24] so I was right about x11-common?
[20:25] <\sh> Fenix|work: only if you do something which is not coming from ubuntu-server ;)
[20:26] <\sh> Fenix|work: move /etc/apt/apt.conf.d/01ubuntu out of the way, deinstall x11-common (apt-get remove --purge x11-common) and everything is ok
[20:26] <\sh> Fenix|work: a plain standard ubuntu-server iso cd installation IS NOT DOING THAT
[20:27] I have no clue
[20:27] I wasn't making up stuff
[20:27] :)
[20:27] <\sh> Fenix|work: telling you...ubuntu is not so "stupid" ;)
[20:27] hey... for http://rafb.net/p/Wo1ELu40.html
[20:28] replace gutsy with hardy?
[20:29] <\sh> Fenix|work: remove the deb-src lines, you don't need them (or you are compiling your own stuff from src deb ubuntu packages) and do you really need the -partner repos? vmware running?
[20:29] no and no
[20:29] this was compliments of giovani
[20:31] <\sh> Fenix|work: so get rid of the deb-src and partner löine
[20:31] <\sh> line
[20:31] other than that... /gutsy/hardy
[20:33] \sh: I just gave him a copy of my config -- there's nothing wrong with having deb-src in there
[20:34] <\sh> giovani: it wastes bandwidth for meta stuff ;) but no...
[20:34] :)
[21:33] hi all
[21:34] I installed a software (plone 3.1) and would like to put it in the rc scripts.. There is an app that puts that in automatically right ? what is the name ? something like updaterc ?
[21:44] giovani, question... I forgot to enter the FQDN of the box on setup... do I just modify /etc/hostname and /etc/hosts to use the FQDN?
[21:55] Fenix|work: that should do it
[21:55] yeah, then to make it happen /etc/init.d/hostname.sh
[21:56] hey everyone i want to add a user account to my mail/web server and the account is only there for mail what groups should i put it in
[21:57] Fenix|work: or reboot -- that script gets run every boot-time
[21:57] LeChacal: you might look into virtual users if you don't want the user to be a system user
[21:58] common setup
[21:59] giovani: ok I'll look at that, thank you
[22:00] LeChacal: what mail server are you running?
[22:00] giovani: what do you mean what programs or what mailbox type?
[22:02] LeChacal: you're MTA/MDA
[22:02] your*
[22:03] giovani: Postfix and Dovecot it will be a small server at most 5 accounts
[22:03] alright, well dovecot has a very simple flat-file config for virtual users
[22:03] that you can hook postfix into
[22:05] http://wiki.dovecot.org/HowTo/SimpleVirtualInstall
[22:05] it's quite easy
[22:06] don't follow that word-for-word ... as ubuntu's setup is slightly different, but you'll get the general idea to play with
[22:08] yea i had the Dovecot ubuntu documentation page up also and i see what i need to do
[22:08] I was wondering if anybody ran into problems of not being able to ssh into a server after fixing the ssl vuln
[22:08] specialK: we had one person in here earlier who must've had a botched package install -- he dpkg reconfigured it -- and it was fine ... what problem are you having?
[22:09] http://pastebin.ca/1018327
[22:09] I get that error when I try to ssh in
[22:10] wait, you just upgraded the server or your client?
[22:10] the server
[22:10] and no clients can ssh in
[22:10] and did you personally do the apt-get dist-upgrade?
[22:10] also, what release of ubuntu is the server?
[22:10] yea
[22:10] its hardy
[22:11] sorry that one is gutsy
[22:11] and did you regen the keys then when it asked you to?
[22:11] but its also happening on my hardy one
[22:11] I have just been working on fixing my gutsy one right now
[22:11] giovani: yea
[22:11] and there were no complaints from dpkg?
[22:12] no, that one is hardy
[22:12] nope
[22:13] you're running 4.7p1
[22:13] giovani: yea sorry that was my hardy server
[22:13] but I get the same error on my gutsy server
[22:13] can you log into the server another way and do a "dpkg --reconfigure -a"?
[22:14] well
[22:14] not -a I suppose
[22:14] try dpkg-reconfigure openssh-server
[22:16] I will try that
[22:16] I was just gonna ask about why -a
[22:16] brb
[22:16] it was a bad paste, best not to run it
[22:25] ok so now it just appears to hang when I try to ssh in
[22:25] nevermind I still get the same error
[22:25] my network connection just dropped
[22:28] specialK: you reconfigured openssh-server?
[22:28] did you check to see if there's an updated package?
[22:28] sudo apt-get update && sudo apt-get dist-upgrade
[22:29] giovani: I just updated
[22:29] there have been new packages fixing others all day ... you just updated today, or just an hour ago?
[22:30] giovani: when I ran dpkg-reconfigure it just told me the keys were blacklisted and then restarted ssh and told me the keys were blacklisted again
[22:30] it didn't appear to regen any keys this time
[22:30] giovani: I updated less than an hour ago
[22:30] did you just do an upgrade minutes ago? or earlier today?
[22:30] ok
[22:31] there are known false-positives with the blacklists ... but obviously something is wonky with your setup
[22:31] I'd submit a bug report
[22:31] what data should I all submit
[22:31] and also this is happening on 2 of my machines at work and then my personal dedicated server
[22:32] ... hmm
[22:32] which is gutsy
[22:32] I've updated 5 servers, no problems
[22:32] the fact that ALL of your servers have had problems ... implies you have some special setup perhaps?
[22:32] yea everybody else I talked to hasn't had any problems
[22:33] well there isn't anything out of the ordinary setup in my ssh configs
[22:33] and sudo ssh-vulnkey -a still sees them compromised ?
[22:34] ogra: it doesn't show any keys as compromised
[22:34] (did you regenerate all your user keys =
[22:34] )
[22:34] ogra: do you mean on the clients
[22:34] ogra: you'd have to see the error he's getting though
[22:35] well, you usually store the pub part of a key on the server in the authorized_keys file to log in via keys
[22:35] (in the users ~/.ssh dir)
[22:35] ogra: I moved .ssh to ~/ssh
[22:35] hmm
[22:36] ogra: http://pastebin.ca/1018394
[22:36] and ssh-vulnkeys only reports proper keys on your system ?
[22:36] that is the error I am getting
[22:37] ogra: I don't get any output from ssh-vulnkeys, I will go run it again and verify
[22:37] you should get output if you run it as: sudo ssh-vulnkeys -a
[22:37] yep no output
[22:37] then you dont have any keys
[22:38] it should tell you about proper keys as well as broken ones
[22:38] specialK are you using the -q switch ?
[22:38] cyris|: for what
[22:38] err. sorry its ssh-vulnkey
[22:38] no s in the end
[22:38] specialK: for ssh-vulnkey
[22:39] ogra: when I run dpkg-reconfigure it just says my host keys are blacklisted restarts ssh and then says that again
[22:39] specialK: cause using -q would cause no output
[22:39] cyris|: no I was using the -a switch
[22:39] it should list all keys as "Not blacklisted: " or "Unknown (no blacklist information): " if they are not compromised
[22:39] specialK: ok
[22:43] anybody have any ideas/suggestions
[22:43] specialK, ls /etc/ssh/ssh_host_key
[22:43] or /etc/ssh/ssh_host_rsa_key
[22:43] or /etc/ssh/ssh_host_dsa_key
=== c1|freaky_ is now known as c1|freaky
[22:45] specialK, do you have these ?
[22:45] so both rsa_key and dsa_key are there
[22:46] and the host key ?
[22:46] hmm, and why doesnt ssh-vulnkey list them ?
[23:04] ok so I got it fixed
[23:04] for some reason it wouldn't wipe my old ssh keys on reconfigure
[23:05] and this is the case on all the machines
[23:07] it only wipes them if it can
[23:07] i.e. it won't wipe protected keys
[23:39] Here's a moral dilemma for me. A client who abruptly severed our relationship by refusing to pay his last invoice in full is running a server that I installed which is likely to be affected by the latest security notice. Am I obliged to inform him of the security notice or not?
[23:42] nice one
[23:43] did you follow legal action for the last invoice?
[23:43] It was not financially responsible to do so.
[23:43] hmm, fair enough.
[23:43] owh: depends on the contract I would say.
[23:43] well, the contract is over.
[23:43] Nafallo: There is no contract.
[23:43] owh: then you're not :-)
[23:43] owh: I'd say you should tell him
[23:44] owh: goodwill is hard to come by
[23:44] and that's a dead easy way for you to generate some
[23:44] InsomniaCity: It's not my goodwill that is at issue, it's his.
[23:44] he could end up referring you to someone, or making up part of his bill.
[23:44] well yes
[23:45] I still think you should do it, but then I'm a Nice Guy (tm).
[23:45] InsomniaCity: The issue then becomes, what happens after I tell him?
[23:45] nothing that involves you, you're not obliged to.
[23:46] also, you may be over-analysing - for all you know he hired someone else to look after the server, and it's already patched.
[23:46] InsomniaCity: While possible, I think that it is unlikely.
[23:47] I think you should tell him, with a postscript that you'll fix it for the last invoice owed, plus an appropriate hourly consulting fee.
[23:47] So, you're basically saying that it would be morally responsible to notify him, but not legally required.
[23:47] Then once he coughs up, you do the work, then say goodbye.
[23:47] IANAL, especially not an ozzie one.
[23:47] Heh
[23:47] Morally, yes, I think you should tell him.
[23:48] I'd even say you should business-wise.
[23:48] make it clear it's not a threat, but offer to fix it if he brings your relationship up to date, so to speak.
[23:48] could be win/win.
[23:49] Thank you for your guidance sensei InsomniaCity :)
[23:49] lol
[23:49] np
[23:50] * owh wanders off to compose an email.
[23:57] is ubuntu-server affected by that guessability in the sshd-rsa keys generated?
[23:57] yes
[23:59] ok what do i need to do to fix?
