/srv/irclogs.ubuntu.com/2008/06/02/#ubuntu-server.txt

bimberiThe_Kernel: Yes, Ubuntu installs with no root password set so logins to it are disabled.01:21
bimberiThe_Kernel: Not sure about the denied login.  It could be in the sshd configuration on that server.  Or /etc/hosts.[allow|deny]01:23
Kamping_KaiserThe_Kernel, try with -vv you might have been blacklisted01:30
christefanohas anyone known ssl-blacklist to have false positives?02:20
Kamping_Kaiseri've heard of it, but not with any sort of proof02:21
christefanohmm.02:21
christefanohow do I test my SSL certificate against the openssh-blacklist?02:43
Kamping_Kaiseropenssl-vulnkey ?02:43
christefanoI'm not sure how to pass a certificate to openssh-vulnkey. it seems to only check SSH keys02:44
Kamping_Kaiserssl. not ssh02:45
christefanoah, I don't have that.02:45
Kamping_Kaiserhm.02:45
Kamping_Kaiseropenssl-blacklist: /usr/sbin/openssl-vulnkey02:45
Kamping_Kaiser  Installed: 0.1-0ubuntu0.7.10.402:46
emgentmorning02:50
=== jjesse_ is now known as jjesse
m11hello05:28
Litefiremorning all09:47
Litefirei am having a little trouble with my server install recognizing a sata2 hd09:48
Litefirei have an ibm 330 server i installed ubuntu on  and cant seem to figure it out when i start it up i get  ata2: srst failed errno-16  for the data hd09:49
Litefirethe raid that ubuntu is installed on starts up fine but the sata2 drive i have attached to a pci card isnt discoverable from what i can figure out09:50
osmosisanyone know if it is possible to do a raid 10 with software raid?09:51
_rubenosmosis: yes .. there's a raid10 kmod .. or you could do it 'manually' with raid1 and raid009:52
osmosis_ruben: is it reliable?09:53
osmosis_ruben: can you recommend some instructions ?09:53
_rubenthe basics are as simple as : sudo mdadm --build /dev/md0 --level=10 -- raid-devices=4 /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd109:56
_rubenoops, kill the space between -- and raid-devices09:56
_rubenthe installer doesnt support raid10, so if you want to install the system to raid10, you'll have to drop down to a shell during the install to give that command09:56
_rubenand reliable, well, the raid10 kmod is one of the newer raid kmods, so hasn't aged as much as plain raid1+0, but offers some nice enhancements as well (like doing raid10 over 3 disks for example)09:58
_rubenhttp://cgi.cse.unsw.edu.au/~neilb/0109360742409:58
=== fredrik__ is now known as frippz
NineTeen67CometHello, is there a way to get aptitude to install smartmontools w/out exim4, mailx etc etc etc?12:43
* NineTeen67Comet sudo aptitude install smartmontools = exim4 exim4-base exim4-config exim4-daemon-light liblockfile1 mailx12:43
ikonianealmcb: it just needs an mta12:45
ikoniaoops12:45
ikoniaNineTeen67Comet: it just needs an mta12:45
NineTeen67Cometaha .. no mail on this server, but I guess it can just use it as it pleases ..12:45
* NineTeen67Comet would have e-mail if me isp would crack the ports open ..12:46
ikoniaNineTeen67Comet: let it install exim and then use local mail only12:46
NineTeen67Cometikonia: prolly what I'll do ..12:47
ikoniaNineTeen67Comet: make it easy on yourself12:47
cjsstableshello all.  I can't resolve internal names on my network.  I'm able to resolve external names.  If I do a lookup on my internal nameserver I get an SOA record for prisoner.iana.org.  Can someone help here12:53
cjsstablesbtw I used lookup with an ip address of my name server12:53
ikoniacjsstables: ok - so if your domain is "domain1" your saying you can't resolve box1.domain113:10
cjsstablesthat's correct13:10
cjsstablesbut I can resolve anything on the outside13:10
ikoniacjsstables: ok - so have you setup your own domain zone file ?13:12
ikoniacjsstables: are you using anything like views ?13:12
cjsstablesno views.  I have dns forwarding zone13:13
ikoniacjsstables: so where is the domain your wanting to resolve kept13:14
cjsstablesdns server addy is 192.168.0.1,  lynksys router is 192.168.0.213:14
ikoniaok - but where is your domain zone file ?13:15
cjsstablesit is kept on 192.168.0.1 / srv1.soho.cjs13:15
cjsstablesinternal private network13:15
ikoniacjsstables: ok, so if you do nslookup server=192.168.0.1 then "box1.soho.cjs" does it respond ?13:16
ikoniacjsstables: do you have "ns" lines in your one file ?13:16
ikoniazone13:16
cjsstableshold on13:17
cjsstablesnslookup srv1.soho.cjs13:17
cjsstablesServer:         192.168.0.113:17
cjsstablesAddress:        192.168.0.1#5313:17
cjsstables** server can't find srv1.soho.cjs: NXDOMAIN13:17
ikoniacjsstables: no - type nslookup13:18
ikoniacjsstables: then do server=192.168.0.113:18
ikoniacjsstables: then do serv1.soho.cjs13:18
ikoniaoops srv1.soho.cjs13:18
ikoniajust want to check it step by step13:19
ikonia(I appreciate that's the same as your output)13:19
cjsstablesserver=192.168.0.113:19
cjsstablesServer:         192.168.0.113:19
cjsstablesAddress:        192.168.0.1#5313:19
cjsstables** server can't find server=192.168.0.1: NXDOMAIN13:19
cjsstables> srv1.soho.cjs13:19
cjsstablesServer:         192.168.0.113:19
ikoniacjsstables: does your zone file contain ns records, does it have an entry for srv113:19
cjsstablesAddress:        192.168.0.1#5313:19
cjsstables** server can't find srv1.soho.cjs: NXDOMAIN13:19
cjsstablesyes it has an entry for srv113:19
ikoniaserver=192.168.0.1 ; ** server can't find server=192.168.0.1: NXDOMAIN13:20
ikoniathats worrying13:20
ikoniadoes your zone file have ns lines ?13:20
cjsstableswhat are ns lines?13:20
ikoniacjsstables: the say the name servers for the zone13:20
cjsstablesI can't answer that i'll have to look.13:21
cjsstableswhere do I look at?13:21
cjsstablesI have webmin installed to administer the name server13:21
ikoniaughhh webmin13:21
ikoniaand this is me backing away13:21
cjsstablesits ok. i can use command line also13:22
ikoniacjsstables: I can't support products with webmin - it's the devil's tool13:22
ikoniacjsstables: webmin changes the way things can work13:22
cjsstablesso do you want me to open bind.conf13:23
ikonianot really13:23
ikoniaI wanted you to look at your zone file for "NS" entries13:23
ikoniabut it certainly wouldn't hurt to look if your bind.conf file contains an entry for your domain either13:24
ikoniathat way you can see where it expects the zone file to be13:24
cjsstablesok.13:24
cjsstablesbrb13:24
cjsstablesexit13:24
cjsstablesoops.. sorry13:24
cjsstablesikonia:  my named conf doesn't point to any zones.  looks like the zones are included through named.conf.options13:27
ikoniacjsstables: ok - so follow that through13:28
cjsstablesk brb13:28
cjsstablesok.  in my named.conf.local I have the following zone13:31
cjsstableszone "soho.cjs" {13:31
cjsstables        type master;13:31
cjsstables        file "/etc/bind/soho.cjs.hosts";13:31
cjsstables        };13:31
sommermorning all13:34
jjessemorning sommer13:35
ikoniacjsstables: ok, do you have /etc/bind/soho.cjs.hosts13:35
cjsstablesikonia:  inside my soho.cjs.hosts file I have a SOA record for srv1.soho.cjs13:35
ikoniacjsstables: ok, I suggest you put an NS line in13:35
ikoniacjsstables: I'm worried at why nslookup; server=192.168.0.1 tried to resolve server= rather than set the server to be used13:36
cjsstablesok .  there is an ns line for srv1.soho.cjs and an A record for 192.168.0.113:36
cjsstableswhat bothers me is this line.....soho.cjs.       IN      SOA     srv1.soho.cjs. cjsadmin.soho.cjs. (13:37
cjsstablesbecause there is no machine anywhere called cjsadmin.soho.cjs13:38
cjsstablescjsadmin is actually a username on the server13:38
cjsstablesikonia: can I instant message you?13:42
ikoniacjsstables: I'm not signed into one at the moment, sorry13:42
ikoniacjsstables: don't worry about the cjsadmin.soho.cjs. line13:43
cjsstablesok13:43
ikoniacjsstables: can you pastebin the zone file please ?13:44
cjsstablesyou'll have to re-instruct me on using pastebin.  i forget how to use it.13:44
cjsstablesis it pastbin.org or com13:45
cjsstablesactually.  I'll paste all of my bind config files13:47
=== mdz_ is now known as mdz
cjsstablesikonia: ok named.conf...http://pastebin.com/m648cf8b913:49
ikoniano - the zone file13:50
cjsstableswhich one would that be?13:50
ikoniathe one with cjsadmin.soho.cjs line in it13:50
cjsstablesok...13:50
cjsstablesIkonia:  http://pastebin.com/d4728359f13:51
ikoniacjsstables: did you increment the serial when you changed it ?13:52
cjsstablesyes13:52
cjsstablesI sent a whole new pastebin13:52
ikoniacjsstables: no the serial on the zone file13:52
cjsstablesthen no I didn't.  I haven't changed it at all13:53
ikoniabut you did add the "NS" line ?13:55
cjsstablesno.  those ns  and a records were already there13:55
ikoniaoh right13:55
ikoniathats odd13:55
ikoniacjsstables: I suggest you restart bind, look at the file /var/log/messages and check out if it loads your file ok13:55
cjsstablesok13:56
cjsstablesbrb13:56
cjsstablesikonia:  looking at the message log I show no messages since last boot at7:22 am.  (Oh I did restart the bind9 server like you said)13:59
cjsstablesis there any other log that I can look at for bind errors?14:00
ikoniayou see no updates on restarting bind ?14:01
cjsstablesnope.  none14:01
ikoniathats worrying you should at least see bind shutdown / start time stamps14:01
cjsstablesok I'll look again14:02
cjsstablesikonia: sorry...  I thought messages were listed latest first.  hold on while I page to the bottom of the file14:04
ikoniano problem14:07
cjsstablesikonia:  believe it or not there are no other entries in the log after June 2 08:4514:08
ikoniaI do believe it, but that is quite worrying14:08
cjsstableswhy?14:08
ikoniathere should be a time stamp for bind stopping and starting14:08
cjsstables.  I have rebooted multiple times since 8:45 also.  no of those are in there either14:09
cjsstablesunless Jun  2 08:45:53 srv1 -- MARK --  is a valid entry for reboot14:09
cjsstablesI'll restart bind again and see if the messages is updated14:11
cjsstablesikonia: I did a restart on bind, and there was no new entry....14:13
ikoniacjsstables: one moment14:14
cjsstablesk14:14
ikoniacjsstables: thats my mistake - bind in ubuntu doesn't log14:15
ikoniacjsstables: I may log that as an enhancement14:15
cjsstableswheh...  I was worrying14:15
cjsstablesit is funny.  I am ssh'ing into the server with ssh cjsadmin@192.168.0.1,  I then sudo su, and my terminal window from my client shows root@srv1.soho.cjs14:17
ikoniacjsstables: sudo su  ???14:18
ikoniacjsstables: you shouldn't be doing that14:18
ikoniacjsstables: your client name is probably being picked up from your host file resolution14:19
cjsstablesI know, but I'm not on a production environment yet and also on a private net right now14:19
cjsstablesone other bit of info when logged onto the server, I can ping srv1 and get results returned.14:21
cjsstablesping soho.cjs14:21
cjsstablesreturns no host found14:21
cjsstablesping srv1.soho.cjs returns good results14:22
cjsstablesso the server itself is resolving names to ip's14:22
cjsstablesbut my clients cannot resolve names to ip on the local net14:23
ikoniacjsstables: and your using the FQD on your clients ?14:24
cjsstablesyes14:24
ikoniacjsstables: have you setup the recursive permissions correctly (they should be ok by default for SOA zones)14:24
cjsstablesI don't think there is a reverse zone ...I don't know what recursive permissions are14:25
ikoniayou don't need reverse zone14:31
cjsstablesikonia:  should I have a file called soho.cjs.db in my /etc/bind/ directory?  because I don't.  the only thing I have is a db.014:32
ikoniacjsstables: thats normally a cache file (I don't have an ubuntu server to hand to verify this, hence why I'm working from memory)14:32
cjsstablesah ok.14:32
cjsstablesikonia:  I found a how to to manually create a caching name server in ubuntu.  I'm going to stop dns and rebuild using that.14:36
cjsstableshopefully that works14:36
ikoniacaching name server isn't for hosting zones14:36
cjsstablesno but it will still allow me to resolve local IP's won't it?14:36
cjsstablesoops local names...14:37
_rubenno, only non-local ones14:37
ikoniacjsstables: your problem is that your box doesn't seem aware that it's hosting the domain14:40
cjsstablesit looks as though this how to has a reverse lookup file that has named.conf.local that specifies the zone14:40
cjsstablesand then refers to a reverse zone14:40
cjsstablesalso has the forwarders in it14:40
ikoniacjsstables: ahhhhh I have it14:41
cjsstablesok...14:41
ikoniacjsstables: your server can do it because it's doing the lookup locally14:41
cjsstablesok14:42
cjsstablesmakes sense14:42
ikoniayour clients hit the box - get forwarded on, but the NS record is 192.168.0.1, which is non-routable so routes to no-where14:42
Libertine-hi14:42
ikoniacjsstables: take the forward of that zone14:42
cjsstablesyou mean remove the forwarding part14:42
ikoniaon that domain14:43
ikoniaso that it knows its local to the box14:43
cjsstableshold on I gotta think though this a sec....14:44
cjsstablesand recall what file holds the forwarder14:44
cjsstablesikonia:  Ok I'm lost.14:47
ikoniacjsstables: one moment14:47
ikoniaI'm going to see if I can gain access to an ubuntu box from where I am14:47
cjsstablesok14:47
cjsstablesikonia:  I have to go outside for a minute...  smoke break..  LOL.  I'll be back14:48
=== ewook_ is now known as ewook
cjsstablesikonia:  back now15:01
=== good_dana1 is now known as good_dana
cyris|morning everyone15:30
=== jjesse_ is now known as jjesse
zuljdstrand: ping16:22
jdstrandzul: pong16:24
zuljdstrand: you were the last one to touch openldap2.3 in hardy do you mind if I take the merge off your hands?16:25
jdstrandzul: that would be very much appreciated :)16:25
zuljdstrand: consider it done :)16:25
jdstrand\o/16:25
jdstrandthanks16:25
emgentheya :)16:26
=== jjesse_ is now known as jjesse
uvirtbotNew bug: #236830 in samba (main) "cifs does not support kerberos authentication" [Undecided,New] https://launchpad.net/bugs/23683017:06
afief_Could someone tell me what's wrong with the following crontab? 53 18* * *rootmysqldump --all-databases -uroot -pmightyrhapsody | bzip2 > /media/backup/mysql/`date \+%d-%m-%y`.bz217:07
InsomniaCityyou might be better off moving the commands out into a script somewhere17:14
afief_InsomniaCity, thanks, I'll try that17:15
InsomniaCityalso, my crontab doesn't have usernames in it17:15
delcoyotehi all17:19
delcoyotehave an issue to connect lan server through putty or ssh, server has monitor, mouse,keyboard, through a kvm switch(4 pc's) if its connected it connects, if its disconnected from monitor, mouse, keyboard, can't connect to it, and if keyboard and mouse(not monitor) are connected I can connect also, what is wrong, what I shold be looking for?17:20
hackeronhey, I'm trying to text kexec to boot another kernel on kernel panic, the documentation says to echo c > /proc/sysrq-trigger but it isn't causing a kernel panic on my ubuntu server - how do I cause a kernel panic?17:42
hackeronerr, I mean I'm trying to get kexec to boot another kernel on kernel panic17:42
=== kees_ is now known as kees
spiekey_Hi18:16
spiekey_is anyone here using some tool to monitor the CPU, Harddrive and motherboard temperature?18:17
mathiazsommer: is there anything about nss-ldap and how to setup an ubuntu client to use an ldap server instead of NIS in the docs ?18:34
sommermathiaz: nope, not in the serverguide, but there are some good guides in help.u.c18:39
timboyssh stopped working on my my main computer... when I try to connect it says connection refused...18:39
sommermathiaz: expanding the LDAP section is on the list for Intrepid though :)18:40
timboyi removed it with apt-get remove and reinstalled it but still no go... is there something else I should look at?18:41
sommertimboy: is the sshd service running?18:42
timboysommer, in /etc/init.d/ there is no ssh there is ssh though18:44
timboyi restarted it and it said ok but still says refused18:45
sommertimboy: try ps -ef | grep sshd, and see if it gives you some process numbers18:45
sommertimboy: you could also try ssh -vvv hostname, to give more debugging output18:45
timboyroot 25684 1 10:50 ? 00:00:00 /usr/sbin/sshd18:46
timboysame message. connection refused no more useful data18:47
timboynot running a firewall18:47
sommertimboy: did you use the -vvv option?  you might also check /var/log/auth.log on the server18:48
timboysommer, in /var/log/auth.log it says error: bind to port 22 on 0.0.0.0 failed: address already in use. I'm sure that's from when I restarted ssh18:49
timboyso something is already using ssh port?18:49
sommertimboy: you might have another service running on that port then18:49
timboyok how do I tell18:49
blue-frogmathiaz: very simple. install ldap-auth-client, make sure you enter the ldap admin password during conf, run: sudo auth-client-config -a -p lac_ldap, change bind_policy hard by bind_policy soft in /etc/ldap.conf and off you go18:49
sommertimboy: I'd try sudo /etc/init.d/ssh stop, and then ps -ef | grep ssh to make sure all the process are stopped18:50
timboy6583 6545 0 may 30 ? 00:00:00 /usr/bin/ssh-agent x-session-manager18:51
timboysommer, what's that mean?18:55
timboycan someone help me troubleshoot my ssh issues?18:59
timboysomething appears to be hogging port 22...19:00
sommertimboy: is that ssh-agent running on the server?19:04
timboyi don't know... it's in my init.d directory19:05
timboyok nevermind it's not in my init.d directory19:07
sommertimboy: which machine did you run find the process on?  the one you're trying to connect to or the machine you're trying to connect from?19:07
sommertimboy: I'd try restarting ssh on the machine you're trying to connect to19:07
timboythe one i'm trying to connect to19:07
timboyi've done that several times though...19:08
sommertimboy: are there any errors in /var/log/syslog after you restart ssh?19:09
timboyno just the error I get in auth.log19:10
timboyi just purged the ssh and openssh-server programs with aptitude and reinstalled them and no go. so there is something else using port 2219:11
ScottKtimboy: Does netstat list anything?19:12
sommercan you pastebin the output of ssh -vvv servername ?  replacing servername with the host you're trying to connect to19:12
timboysommer, http://rafb.net/p/2yFLIv70.html19:16
sommertimboy: have you upgraded both the server and the client... it may be because of the weak sshkey issue19:18
timboynot upgraded client but have upgraded server...19:19
timboysommer, I can't even do ssh localhost19:20
sommertimboy: as ScottK said try netstat -a and see what is listening19:21
timboysommer, doesn't appear that anything is...19:23
sommerand you still get the error about something already listening on port 22?19:24
timboyyes19:25
timboyweird19:25
sommerhrrmmm, maybe try restarting... that'll be sure and stop all the services19:25
timboyok...19:26
sommertimboy: you might also try setting the LogLevel attribute in /etc/ssh/sshd_config to DEBUG, to produce more output19:27
timboysommer, still no go19:45
timboyssh localhost is working but in my auth.log i still get the error about binding to port 2219:45
timboysommer, took so long because i had the joyous fsck check19:46
sommertimboy: you might also try setting the LogLevel attribute in /etc/ssh/sshd_config to DEBUG, to produce more output19:48
sommertimboy: netstat -nlp may reveal more about which process are using which ports19:50
timboysommer, shows nothing with port 22 in netstat19:51
timboyactually now it's showing up hold on19:52
sommertimboy: and sshd is running?  you should see output from ps -ef | grep sshd listing a process number19:53
timboysommer, ok purged it again!@ and now it doesn't show up...19:54
sommertimboy: so try starting it again (/etc/init.d/ssh start)19:55
sommertimboy: can you pastebin the output of ps -ef ?  after trying to start ssh19:56
timboyi'll need to install it again19:56
sommeryep you'll need openssh-server installed in order to connect19:57
timboyroot     14604     1  0 12:02 ?        00:00:00 /usr/sbin/sshd19:57
timboyJun  2 12:02:25 ubuntu sshd[14604]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.19:57
timboyis this because i'm installing both ssh and openssh-server?19:57
timboywhat's weird is that it says it is running but at the same time tells me that it can't bind to port 22. same PID19:58
timboyI can do ssh localhost now though19:58
dena_sommer, about to reformat...20:03
=== dena_ is now known as timboy_
nealmcb. o O (timboy needs to run sudo netstat -ltp to find out who has the port open)20:47
=== emgent_ is now known as emgent
geniiIs there some CLI update-notifier? Aside from the obvious way of just running something like apt-get update or such that is.21:07
blue-froggenii: what is your need?21:14
InsomniaCitygenii: I'd imagine apt has exit codes or something for non-interative operation21:15
InsomniaCity*interactive21:15
geniiblue-frog: Basically to have the CLI equivalent of update-notifier feature which exists otherwise.21:17
geniiWhen run unattended perhaps to email admin of which are available21:18
blue-frogas I don't know if it exits (certainly es) I would use a workaround myself, apt-get update && apt-get -s dist-upgrade and email the result (or log)21:19
blue-frogemail upon conditions, only if one of the result has something else than 0 in (0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded)21:20
blue-frogwell at least 0 upgraded in fact21:21
osmosiswhats the alternative CD for ?21:22
blue-froginstall GUI Ubuntu21:22
osmosisblue-frog: for server ?21:23
blue-frogwell if you want a GUI server21:24
blue-frogbut more for desktop21:24
blue-froggenii: have a look at man apt-get. what about the -u option?21:26
ErosionJust installed ubuntu server, is there a guide about what I should install when I first get it?21:28
blue-frogI would say that only you know what service you want.21:29
blue-froggenii: or maybe  apt-show-versions -u21:31
geniiHmm, perhaps download-only with -u then pipe that to a file which emails off21:31
geniiYou'd think there might be a simpler way though21:31
blue-frogin that case -s would be enough, no need to download21:32
ErosionIsn't there a guide, showing the best software for FTP, Web Server, Mail Server etc21:32
ErosionIn ubuntu server when I hit the <-- KEY, (backspace), it treats it like I've hit the DEL Key, and removes the character infront (instead of behind)21:33
blue-froggenii: apt-show-versions from universe looks nice21:36
geniiblue-frog: I'm formulating a plan in which if already downloaded, a return email may be parsed and packages indicated there upgraded21:36
blue-frogyes yes understood, apt-show-versions -u will list all the upgradeable packages21:37
blue-frogand apparently exit 0 if none21:37
lukehasnonameerosion:21:37
lukehasnonameDuring install you should have been prompted on what type of server you wanted, then it would install the latest supported software for that task21:38
lukehasnonameIt's possible to bring up that menu again, but I don't know the command.21:38
blue-frogtasksel21:38
lukehasnonameboosh21:38
ErosionIs there any way of getting into my remote ubuntu-server located in the US, from my iMac in the UK?21:41
ErosionApart from SSH.21:41
blue-frogmagic?21:43
nealmcberosio21:43
JanCErosion: there are a zillion ways, but you have to prepare them before you leave of course  ツ21:43
nealmcb...oops21:43
ErosionJanC: You cannot do it in SSH?21:44
ErosionI have root SSH access to it from here21:44
JanCso, then you can install anything you want I guess, but what's the problem if SSH works ?21:44
nealmcblook at the options available with the "tasksel" command21:44
ErosionJanC: I'd like to be able to view the desktop, so I get the full environment.21:45
nealmcbvnc?21:46
ErosionWhat's the quickest way?21:46
ErosionThrough an iMac?21:46
nealmcb!servergui21:46
ubottuUbuntu server does not install a desktop environment or X11 by default in order to enhance security, efficiency and performance.  !eBox provides a GUI system management option via a web interface.  See https://help.ubuntu.com/community/ServerGUI for more background and options.21:46
blue-frogErosion: have you installed a server or desktop?21:46
ErosionServer21:46
ErosionI run OSX here though21:46
ErosionIs it possible?21:47
JanCrun X through ssh -X / ssh -Y or run VNC through ssh or ssl ?21:47
blue-frogthen to do what you want you would need to install a GUI first21:47
JanCwell, at least the X libs...21:47
blue-frogotherwise with ssh you already see the the full environment21:47
JanCand some X client programs21:48
ErosionOK21:48
JanCErosion: why do you need a GUI?21:49
ErosionWas just a thought, it's not necessary, JanC21:52
ErosionWhat does this mean?: Package libmysqlclient12-dev is not available, but is referred to by another package.21:54
JanCit means what it says...21:55
lukehasnonameDoes Xen have any sort of GUI for administration or any formal manual that discusses remote administration?21:56
JanClibmysqlclient12 is actually pretty old ?21:56
nealmcblukehasnoname: virt-manager does xen21:56
ErosionJanC: Just got it from a guide.21:57
lukehasnonamek21:58
JanCErosion: I guess that's a guide that wasn't updated for Ubuntu 8.0421:58
lukehasnonamenealmcb thanks21:58
kirklandkees: hey, you around?21:58
keeskirkland: yup, what's goin' on?21:58
JanC'libmysqlclient12-dev' was in dapper & edgy21:59
kirklandkees: hey, was wondering if you might give another spec a once-over21:59
keessure, url?21:59
JanCErosion: you can probably just use the latest libmysqlclient library?22:00
kirklandkees: https://wiki.ubuntu.com/EncryptedPrivateDirectory22:00
kirklandkees: I tried to follow your use case examples more closely in this spec22:05
lukehasnonamesounds interesting22:06
lukehasnonameI don't know enough to judge how complicated it would be to implement an encrypted fs like that22:07
keeskirkland: on a nit-pick, use case 3 seems entirely addressed by DAC (remote users).  Not sure how to improve that one, since case 4 seems more compelling (local users).  Also, I would recommend discussion of how it relates to the xdg-user-dirs package (see /etc/xdg/user-dirs.defaults).  Does it perhaps belong in there?  I'd like to see (maybe with another use-case) the option for people to NOT have to have an encrypt ~/Private (i.e. I trust DAC e22:07
lukehasnonameI've always thought that at minimum a 700 folder should be in each uer's dir22:07
kirklandkees: so the only difference between 3 and 4 I intended (in my mind anyway) was SSH logins versus Desktop logins22:09
kirklandkees: and by Desktop, I even mean Remote Desktop or VNC connections22:09
kirklandkees: graphical vs. command line only22:09
kirklandlukehasnoname: thanks.22:10
emgentheya22:10
kirklandkees: so with respect to 3 & 4, this gives you some cryptographic protection of your data (in addition to DAC) when you're not logged into the system, and a whole lot of protection if someone steals the physical hardware and it's powered off22:11
keeskirkland: perhaps add the "stolen hardware" bit?  just to help defend it.  :)22:11
keeskirkland: what do you think of the "allow people to not have an encrypted mount point" option?22:12
kirklandkees: physical abduction of a server is of course unlikely in any major corporate environment; but small to medium business, say a mom-and-pop shop or a dentist office....22:12
kirklandkees: yeah, i think that's a good idea22:12
kirklandkees: i will definitely add that one22:12
kirklandkees: give me a moment to think on that one.........22:12
keeskirkland: cool.  yeah, for theft, I think it's a valuable use-case, so it's good to highlight it.  :)22:12
kirklandkees: so i was planning on handling this as an "Opt-In" in adduser22:13
kirkland"Do you want an encrypted ~/Private directory for this user?"22:13
keeskirkland: oh! even better.22:13
keesI'd like to see ~/Private added to xdg-user-dirs regardless22:13
kees(and to see the ~/Desktop perms changed for that too)22:13
kirklandkees: perhaps what would be useful is an "undo" operation.  basically a reverse of ecryptfs-setup-confidential22:13
kirklandkees: i need to research xdg-user-dirs as I'm not familiar22:14
keeskirkland: yeah, it was provides ~/Desktop, Documents, Templates etc22:14
kirklandkees: cool22:14
kirklandkees: if you think it's necessary (or if someone else requests it), i can add an option to ecryptfs-setup-confidential --reverse22:16
kirklandwhich would kill the entry in /etc/fstab, copy the cleartext data to ~/Private, remove the encrypted .Private directory, and remove the entries from .bash_profile, .bash_logout, and .config/autostart22:17
keesit might be nice, yeah.  It would certainly make it more complete.22:17
kirklandkees: actually, that would be useful for my testing22:17
kirklandkees: i've been doing that schtuff by hand every time I fvt my scripts :-)22:17
kirklandkees: okay, i added a blanket statement about physical theft and crypto+DAC below the Use Cases, since it actually applies to all of the Use Cases22:23
kirklandkees: i'll add a bit about undoing the cryptographic mountpoint of ~/Private22:23
keescool22:26
kirklandwiki is so painfully sloooooooow :-/22:32
kirklandkees: fyi, use case 7 added (undo ~/Private encryption), as well as a note below all Use Cases regarding physical theft22:47
kirklandkees: https://wiki.ubuntu.com/EncryptedPrivateDirectory22:47
kirklandkees: I'm going to push it onto ubuntu-server@ for comments22:47
keeskirkland: sounds good.  :)22:49
kirklandkees: i even found  (in retrospect) a bug report supporting this BluePrint: https://bugs.edge.launchpad.net/bugs/21017922:49
uvirtbotLaunchpad bug 210179 in ecryptfs-utils "encrypting part of a file system is way too hard" [Wishlist,In progress]22:49
keeshaha, nice.22:51
nijabanealmcb, ajmitch: thanks a lot for your support on my ubuntu membership!23:02
hackeronhey, I'm trying to get kexec to boot another kernel on kernel panic, the documentation says to echo c > /proc/sysrq-trigger to trigger a kernel panic to test if kexec starts another kernel, but it isn't causing a panic :( - how do I cause a kernel panic to test if kexec is working?23:07
uvirtbotNew bug: #236931 in openssh (main) "openssh-server does not find dsa keys authorized_keys file" [Undecided,New] https://launchpad.net/bugs/23693123:11
ajmitchnijaba: not that I really helped :)23:12
mathiaznijaba: congrats !23:18
* nealmcb appreciates nijaba23:57
