[01:21] The_Kernel: Yes, Ubuntu installs with no root password set so logins to it are disabled.
[01:23] The_Kernel: Not sure about the denied login. It could be in the sshd configuration on that server. Or /etc/hosts.[allow|deny]
[01:30] The_Kernel, try with -vv you might have been blacklisted
[02:20] has anyone known ssl-blacklist to have false positives?
[02:21] i've heard of it, but not with any sort of proof
[02:21] hmm.
[02:43] how do I test my SSL certificate against the openssh-blacklist?
[02:43] openssl-vulnkey ?
[02:44] I'm not sure how to pass a certificate to openssh-vulnkey. it seems to only check SSH keys
[02:45] ssl. not ssh
[02:45] ah, I don't have that.
[02:45] hm.
[02:45] openssl-blacklist: /usr/sbin/openssl-vulnkey
[02:46] Installed: 0.1-0ubuntu0.7.10.4
[02:50] morning
=== jjesse_ is now known as jjesse
[05:28] hello
[09:47] morning all
[09:48] i am having a little trouble with my server install recognizing a sata2 hd
[09:49] i have an ibm 330 server i installed ubuntu on and cant seem to figure it out when i start it up i get ata2: srst failed errno-16 for the data hd
[09:50] the raid that ubuntu is installed on starts up fine but the sata2 drive i have attached to a pci card isnt discoverable from what i can figure out
[09:51] anyone know if it is possible to do a raid 10 with software raid?
[09:52] <_ruben> osmosis: yes .. there's a raid10 kmod .. or you could do it 'manually' with raid1 and raid0
[09:53] _ruben: is it reliable?
[09:53] _ruben: can you recommend some instructions ?
[09:56] <_ruben> the basics are as simple as : sudo mdadm --build /dev/md0 --level=10 -- raid-devices=4 /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1
[09:56] <_ruben> oops, kill the space between -- and raid-devices
[09:56] <_ruben> the installer doesnt support raid10, so if you want to install the system to raid10, you'll have to drop down to a shell during the install to give that command
[09:58] <_ruben> and reliable, well, the raid10 kmod is one of the newer raid kmods, so hasnt aged as much as plain raid1+0, but offers some nice enhancements as well (like doing raid10 over 3 disks for example)
[09:58] <_ruben> http://cgi.cse.unsw.edu.au/~neilb/01093607424
=== fredrik__ is now known as frippz
[12:43] Hello, is there a way to get aptitude to install smartmontools w/out exim4, mailx etc etc etc?
[12:43] * NineTeen67Comet sudo aptitude install smartmontools = exim4 exim4-base exim4-config exim4-daemon-light liblockfile1 mailx
[12:45] nealmcb: it just needs an mta
[12:45] oops
[12:45] NineTeen67Comet: it just needs an mta
[12:45] aha .. no mail on this server, but I guess it can just use it as it pleases ..
[12:46] * NineTeen67Comet would have e-mail if me isp would crack the ports open ..
[12:46] NineTeen67Comet: let it install exim and then use local mail only
[12:47] ikonia: prolly what I'll do ..
[12:47] NineTeen67Comet: make it easy on yourself
[12:53] hello all. I can't resolve internal names on my network. I'm able to resolve external names. If I do a lookup on my internal nameserver I get an SOA record for prisoner.iana.org. Can someone help here
[12:53] btw I used lookup with an ip address of my name server
[13:10] cjsstables: ok - so if your domain is "domain1" you're saying you can't resolve box1.domain1
[13:10] that's correct
[13:10] but I can resolve anything on the outside
[13:12] cjsstables: ok - so have you setup your own domain zone file ?
[13:12] cjsstables: are you using anything like views ?
[13:13] no views. I have dns forwarding zone
[13:14] cjsstables: so where is the domain you're wanting to resolve kept
[13:14] dns server addy is 192.168.0.1, linksys router is 192.168.0.2
[13:15] ok - but where is your domain zone file ?
[13:15] it is kept on 192.168.0.1 / srv1.soho.cjs
[13:15] internal private network
[13:16] cjsstables: ok, so if you do nslookup server=192.168.0.1 then "box1.soho.cjs" does it respond ?
[13:16] cjsstables: do you have "ns" lines in your one file ?
[13:16] zone
[13:17] hold on
[13:17] nslookup srv1.soho.cjs
[13:17] Server: 192.168.0.1
[13:17] Address: 192.168.0.1#53
[13:17] ** server can't find srv1.soho.cjs: NXDOMAIN
[13:18] cjsstables: no - type nslookup
[13:18] cjsstables: then do server=192.168.0.1
[13:18] cjsstables: then do serv1.soho.cjs
[13:18] oops srv1.soho.cjs
[13:19] just want to check it step by step
[13:19] (I appreciate thats the same as your output)
[13:19] server=192.168.0.1
[13:19] Server: 192.168.0.1
[13:19] Address: 192.168.0.1#53
[13:19] ** server can't find server=192.168.0.1: NXDOMAIN
[13:19] > srv1.soho.cjs
[13:19] Server: 192.168.0.1
[13:19] cjsstables: does your zone file contain ns records, does it have an entry for srv1
[13:19] Address: 192.168.0.1#53
[13:19] ** server can't find srv1.soho.cjs: NXDOMAIN
[13:19] yes it has an entry for srv1
[13:20] server=192.168.0.1 ; ** server can't find server=192.168.0.1: NXDOMAIN
[13:20] thats worrying
[13:20] does your zone file have ns lines ?
[13:20] what are ns lines?
[13:20] cjsstables: they say the name servers for the zone
[13:21] I can't answer that i'll have to look.
[13:21] where do I look at?
[13:21] I have webmin installed to administer the name server
[13:21] ughhh webmin
[13:21] and this is me backing away
[13:21] its ok. i can use command line also
[13:22] cjsstables: I can't support products with webmin - it's the devils tool
[13:22] cjsstables: webmin changes the way things can work
[13:23] so do you want me to open bind.conf
[13:23] not really
[13:23] I wanted you to look at your zone file for "NS" entries
[13:24] but it certainly wouldn't hurt to look if your bind.conf file contains an entry for your domain either
[13:24] that way you can see where it expects the zone file to be
[13:24] ok.
[13:24] brb
[13:24] exit
[13:24] oops.. sorry
[13:27] ikonia: my named conf doesn't point to any zones. looks like the zones are included through named.conf.options
[13:28] cjsstables: ok - so follow that through
[13:28] k brb
[13:31] ok. in my named.conf.local I have the following zone
[13:31] zone "soho.cjs" {
[13:31] type master;
[13:31] file "/etc/bind/soho.cjs.hosts";
[13:31] };
[13:34] morning all
[13:35] morning sommer
[13:35] cjsstables: ok, do you have /etc/bind/soho.cjs.hosts
[13:35] ikonia: inside my soho.cjs.hosts file I have a SOA record for srv1.soho.cjs
[13:35] cjsstables: ok, I suggest you put an NS line in
[13:36] cjsstables: I'm worried at why nslookup; server=192.168.0.1 tried to resolve server= rather than set the server to be used
[13:36] ok . there is an ns line for srv1.soho.cjs and an A record for 192.168.0.1
[13:37] what bothers me is this line.....soho.cjs. IN SOA srv1.soho.cjs. cjsadmin.soho.cjs. (
[13:38] because there is no machine anywhere called cjsadmin.soho.cjs
[13:38] cjsadmin is actually a username on the server
[13:42] ikonia: can I instant message you?
[13:42] cjsstables: I'm not signed into one at the moment, sorry
[13:43] cjsstables: don't worry about the cjsadmin.soho.cjs. line
[13:43] ok
[13:44] cjsstables: can you pastebin the zone file please ?
[13:44] you'll have to re-instruct me on using pastebin. i forget how to use it.
[13:45] is it pastbin.org or com
[13:47] actually. I'll paste all of my bind config files
=== mdz_ is now known as mdz
[13:49] ikonia: ok named.conf...http://pastebin.com/m648cf8b9
[13:50] no - the zone file
[13:50] which one would that be?
[13:50] the one with cjsadmin.soho.cjs line in it
[13:50] ok...
[13:51] Ikonia: http://pastebin.com/d4728359f
[13:52] cjsstables: did you increment the serial when you changed it ?
[13:52] yes
[13:52] I sent a whole new pastebin
[13:52] cjsstables: no the serial on the zone file
[13:53] then no I didn't. I haven't changed it at all
[13:55] but you did add the "NS" line ?
[13:55] no. those ns and a records were already there
[13:55] oh right
[13:55] thats odd
[13:55] cjsstables: I suggest you restart bind, look at the file /var/log/messages and check out if it loads your file ok
[13:56] ok
[13:56] brb
[13:59] ikonia: looking at the message log I show no messages since last boot at 7:22 am. (Oh I did restart the bind9 server like you said)
[14:00] is there any other log that I can look at for bind errors?
[14:01] you see no updates on restarting bind ?
[14:01] nope. none
[14:01] thats worrying you should at least see bind shutdown / start time stamps
[14:02] ok I'll look again
[14:04] ikonia: sorry... I thought messages were listed latest first. hold on while I page to the bottom of the file
[14:07] no problem
[14:08] ikonia: believe it or not there are no other entries in the log after June 2 08:45
[14:08] I do believe it, but that is quite worrying
[14:08] why?
[14:08] there should be a time stamp for bind stopping and starting
[14:09] . I have rebooted multiple times since 8:45 also. none of those are in there either
[14:09] unless Jun 2 08:45:53 srv1 -- MARK -- is a valid entry for reboot
[14:11] I'll restart bind again and see if the messages is updated
[14:13] ikonia: I did a restart on bind, and there was no new entry....
[14:14] cjsstables: one moment
[14:14] k
[14:15] cjsstables: thats my mistake - bind in ubuntu doesn't log
[14:15] cjsstables: I may log that as an enhancement
[14:15] wheh... I was worrying
[14:17] it is funny. I am ssh'ing into the server with ssh cjsadmin@192.168.0.1, I then sudo su, and my terminal window from my client shows root@srv1.soho.cjs
[14:18] cjsstables: sudo su ???
[14:18] cjsstables: you shouldn't be doing that
[14:19] cjsstables: your client name is probably being picked up from your host file resolution
[14:19] I know, but I'm not on a production environment yet and also on a private net right now
[14:21] one other bit of info when logged onto the server, I can ping srv1 and get results returned.
[14:21] ping soho.cjs
[14:21] returns no host found
[14:22] ping srv1.soho.cjs returns good results
[14:22] so the server itself is resolving names to ip's
[14:23] but my clients cannot resolve names to ip on the local net
[14:24] cjsstables: and you're using the FQD on your clients ?
[14:24] yes
[14:24] cjsstables: have you setup the recursive permissions correctly (they should be ok by default for SOA zones)
[14:25] I don't think there is a reverse zone ...I don't know what recursive permissions are
[14:31] you don't need reverse zone
[14:32] ikonia: should I have a file called soho.cjs.db in my /etc/bind/ directory? because I don't. the only thing I have is a db.0
[14:32] cjsstables: thats normally a cache file (I don't have an ubuntu server to hand to verify this, hence why I'm working from memory)
[14:32] ah ok.
[14:36] ikonia: I found a how to to manually create a caching name server in ubuntu. I'm going to stop dns and rebuild using that.
[14:36] hopefully that works
[14:36] caching name server isn't for hosting zones
[14:36] no but it will still allow me to resolve local IP's won't it?
[14:37] oops local names...
[14:37] <_ruben> no, only non-local ones
[14:40] cjsstables: your problem is that your box doesn't seem aware that it's hosting the domain
[14:40] it looks as though this how to has a reverse lookup file that has named.conf.local that specifies the zone
[14:40] and then refers to a reverse zone
[14:40] also has the forwarders in it
[14:41] cjsstables: ahhhhh I have it
[14:41] ok...
[14:41] cjsstables: your server can do it because it's doing the lookup locally
[14:42] ok
[14:42] makes sense
[14:42] your clients hit the box - get forwarded on, but the NS record is 192.168.0.1, which is non-routable so routes to no-where
[14:42] hi
[14:42] cjsstables: take the forward off that zone
[14:42] you mean remove the forwarding part
[14:43] on that domain
[14:43] so that it knows its local to the box
[14:44] hold on I gotta think though this a sec....
[14:44] and recall what file holds the forwarder
[14:47] ikonia: Ok I'm lost.
[14:47] cjsstables: one moment
[14:47] I'm going to see if I can gain access to an ubuntu box from where I am
[14:47] ok
[14:48] ikonia: I have to go outside for a minute... smoke break.. LOL. I'll be back
=== ewook_ is now known as ewook
[15:01] ikonia: back now
=== good_dana1 is now known as good_dana
[15:30] morning everyone
=== jjesse_ is now known as jjesse
[16:22] jdstrand: ping
[16:24] zul: pong
[16:25] jdstrand: you were the last one to touch openldap2.3 in hardy do you mind if I take the merge off your hands?
[16:25] zul: that would be very much appreciated :)
[16:25] jdstrand: consider it done :)
[16:25] \o/
[16:25] thanks
[16:26] heya :)
=== jjesse_ is now known as jjesse
[17:06] New bug: #236830 in samba (main) "cifs does not support kerberos authentication" [Undecided,New] https://launchpad.net/bugs/236830
[17:07] Could someone tell me what's wrong with the following crontab? 53 18 * * * root mysqldump --all-databases -uroot -pmightyrhapsody | bzip2 > /media/backup/mysql/`date \+%d-%m-%y`.bz2
[17:14] you might be better off moving the commands out into a script somewhere
[17:15] InsomniaCity, thanks, I'll try that
[17:15] also, my crontab doesn't have usernames in it
[17:19] hi all
[17:20] have an issue to connect lan server through putty or ssh, server has monitor, mouse,keyboard, through a kvm switch(4 pc's) if its connected it connects, if its disconnected from monitor, mouse, keyboard, can't connect to it, and if keyboard and mouse(not monitor) are connected I can connect also, what is wrong, what I should be looking for?
[17:42] hey, I'm trying to text kexec to boot another kernel on kernel panic, the documentation says to echo c > /proc/sysrq-trigger but it isn't causing a kernel panic on my ubuntu server - how do I cause a kernel panic?
[17:42] err, I mean I'm trying to get kexec to boot another kernel on kernel panic
=== kees_ is now known as kees
[18:16] Hi
[18:17] is anyone here using some tool to monitor the CPU, Harddrive and motherboard temperature?
[18:34] sommer: is there anything about nss-ldap and how to setup an ubuntu client to use an ldap server instead of NIS in the docs ?
[18:39] mathiaz: nope, not in the serverguide, but there are some good guides in help.u.c
[18:39] ssh stopped working on my my main computer... when I try to connect it says connection refused...
[18:40] mathiaz: expanding the LDAP section is on the list for Intrepid though :)
[18:41] i removed it with apt-get remove and reinstalled it but still no go... is there something else I should look at?
[18:42] timboy: is the sshd service running?
[18:44] sommer, in /etc/init.d/ there is no ssh there is ssh though
[18:45] i restarted it and it said ok but still says refused
[18:45] timboy: try ps -ef | grep sshd, and see if it gives you some process numbers
[18:45] timboy: you could also try ssh -vvv hostname, to give more debugging output
[18:46] root 25684 1 10:50 ? 00:00:00 /usr/sbin/sshd
[18:47] same message. connection refused no more useful data
[18:47] not running a firewall
[18:48] timboy: did you use the -vvv option? you might also check /var/log/auth.log on the server
[18:49] sommer, in /var/log/auth.log it says error: bind to port 22 on 0.0.0.0 failed: address already in use. I'm sure that's from when I restarted ssh
[18:49] so something is already using ssh port?
[18:49] timboy: you might have another service running on that port then
[18:49] ok how do I tell
[18:49] mathiaz: very simple. install ldap-auth-client, make sure you enter the ldap admin password during conf, run: sudo auth-client-config -a -p lac_ldap, change bind_policy hard by bind_policy soft in /etc/ldap.conf and off you go
[18:50] timboy: I'd try sudo /etc/init.d/ssh stop, and then ps -ef | grep ssh to make sure all the processes are stopped
[18:51] 6583 6545 0 may 30 ? 00:00:00 /usr/bin/ssh-agent x-session-manager
[18:55] sommer, what's that mean?
[18:59] can someone help me troubleshoot my ssh issues?
[19:00] something appears to be hogging port 22...
[19:04] timboy: is that ssh-agent running on the server?
[19:05] i don't know... it's in my init.d directory
[19:07] ok nevermind it's not in my init.d directory
[19:07] timboy: which machine did you run find the process on? the one you're trying to connect to or the machine you're trying to connect from?
[19:07] timboy: I'd try restarting ssh on the machine you're trying to connect to
[19:07] the one i'm trying to connect to
[19:08] i've done that several times though...
[19:09] timboy: are there any errors in /var/log/syslog after you restart ssh?
[19:10] no just the error I get in auth.log
[19:11] i just purged the ssh and openssh-server programs with aptitude and reinstalled them and no go. so there is something else using port 22
[19:12] timboy: Does netstat list anything?
[19:12] can you pastebin the output of ssh -vvv servername ? replacing servername with the host you're trying to connect to
[19:16] sommer, http://rafb.net/p/2yFLIv70.html
[19:18] timboy: have you upgraded both the server and the client... it may be because of the weak sshkey issue
[19:19] not upgraded client but have upgraded server...
[19:20] sommer, I can't even do ssh localhost
[19:21] timboy: as ScottK said try netstat -a and see what is listening
[19:23] sommer, doesn't appear that anything is...
[19:24] and you still get the error about something already listening on port 22?
[19:25] yes
[19:25] weird
[19:25] hrrmmm, maybe try restarting... that'll be sure and stop all the services
[19:26] ok...
[19:27] timboy: you might also try setting the LogLevel attribute in /etc/ssh/sshd_config to DEBUG, to produce more output
[19:45] sommer, still no go
[19:45] ssh localhost is working but in my auth.log i still get the error about binding to port 22
[19:46] sommer, took so long because i had the joyous fsck check
[19:48] timboy: you might also try setting the LogLevel attribute in /etc/ssh/sshd_config to DEBUG, to produce more output
[19:50] timboy: netstat -nlp may reveal more about which processes are using which ports
[19:51] sommer, shows nothing with port 22 in netstat
[19:52] actually now it's showing up hold on
[19:53] timboy: and sshd is running? you should see output from ps -ef | grep sshd listing a process number
[19:54] sommer, ok purged it again!@ and now it doesn't show up...
[19:55] timboy: so try starting it again (/etc/init.d/ssh start)
[19:56] timboy: can you pastebin the output of ps -ef ? after trying to start ssh
[19:56] i'll need to install it again
[19:57] yep you'll need openssh-server installed in order to connect
[19:57] root 14604 1 0 12:02 ? 00:00:00 /usr/sbin/sshd
[19:57] Jun 2 12:02:25 ubuntu sshd[14604]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
[19:57] is this because i'm installing both ssh and openssh-server?
[19:58] what's weird is that it says it is running but at the same time tells me that it can't bind to port 22. same PID
[19:58] I can do ssh localhost now though
[20:03] sommer, about to reformat...
=== dena_ is now known as timboy_
[20:47] . o O (timboy needs to run sudo netstat -ltp to find out who has the port open)
=== emgent_ is now known as emgent
[21:07] Is there some CLI update-notifier? Aside from the obvious way of just running something like apt-get update or such that is.
[21:14] genii: what is your need?
[21:15] genii: I'd imagine apt has exit codes or something for non-interative operation
[21:15] *interactive
[21:17] blue-frog: Basically to have the CLI equivalent of update-notifier feature which exists otherwise.
[21:18] When run unattended perhaps to email admin of which are available
[21:19] as I don't know if it exits (certainly es) I would use a workaround myself, apt-get update && apt-get -s dist-upgrade and email the result (or log)
[21:20] email upon conditions, only if one of the result has something else than 0 in (0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded)
[21:21] well at least 0 upgraded in fact
[21:22] whats the alternative CD for ?
[21:22] install GUI Ubuntu
[21:23] blue-frog: for server ?
[21:24] well if you want a GUI server
[21:24] but more for desktop
[21:26] genii: have a look at man apt-get. what about the -u option?
[21:28] Just installed ubuntu server, is there a guide about what I should install when I first get it?
[21:29] I would say that only you know what service you want.
[21:31] genii: or maybe apt-show-versions -u
[21:31] Hmm, perhaps download-only with -u then pipe that to a file which emails off
[21:31] You'd think there might be a simpler way though
[21:32] in that case -s would be enough, no need to download
[21:32] Isn't there a guide, showing the best software for FTP, Web Server, Mail Server etc
[21:33] In ubuntu server when I hit the <-- KEY, (backspace), it treats it like I've hit the DEL Key, and removes the character infront (instead of behind)
[21:36] genii: apt-show-versions from universe looks nice
[21:36] blue-frog: I'm formulating a plan in which if already downloaded, a return email may be parsed and packages indicated there upgraded
[21:37] yes yes understood, apt-show-versions -u will list all the upgradeable packages
[21:37] and apparently exit 0 if none
[21:37] erosion:
[21:38] During install you should have been prompted on what type of server you wanted, then it would install the latest supported software for that task
[21:38] It's possible to bring up that menu again, but I don't know the command.
[21:38] tasksel
[21:38] boosh
[21:41] Is there any way of getting into my remote ubuntu-server located in the US, from my iMac in the UK?
[21:41] Apart from SSH.
[21:43] magic?
[21:43] erosio
[21:43] Erosion: there are a zillion ways, but you have to prepare them before you leave of course ツ
[21:43] ...oops
[21:44] JanC: You cannot do it in SSH?
[21:44] I have root SSH access to it from here
[21:44] so, then you can install anything you want I guess, but what's the problem if SSH works ?
[21:44] look at the options available with the "tasksel" command
[21:45] JanC: I'd like to be able to view the desktop, so I get the full environment.
[21:46] vnc?
[21:46] What's the quickest way?
[21:46] Through an iMac?
[21:46] !servergui
[21:46] Ubuntu server does not install a desktop environment or X11 by default in order to enhance security, efficiency and performance. !eBox provides a GUI system management option via a web interface. See https://help.ubuntu.com/community/ServerGUI for more background and options.
[21:46] Erosion: have you installed a server or desktop?
[21:46] Server
[21:46] I run OSX here though
[21:47] Is it possible?
[21:47] run X through ssh -X / ssh -Y or run VNC through ssh or ssl ?
[21:47] then to do what you want you would need to install a GUI first
[21:47] well, at least the X libs...
[21:47] otherwise with ssh you already see the full environment
[21:48] and some X client programs
[21:48] OK
[21:49] Erosion: why do you need a GUI?
[21:52] Was just a thought, it's not necessary, JanC
[21:54] What does this mean?: Package libmysqlclient12-dev is not available, but is referred to by another package.
[21:55] it means what it says...
[21:56] Does Xen have any sort of GUI for administration or any formal manual that discusses remote administration?
[21:56] libmysqlclient12 is actually pretty old ?
[21:56] lukehasnoname: virt-manager does xen
[21:57] JanC: Just got it from a guide.
[21:58] k
[21:58] Erosion: I guess that's a guide that wasn't updated for Ubuntu 8.04
[21:58] nealmcb thanks
[21:58] kees: hey, you around?
[21:58] kirkland: yup, what's goin' on?
[21:59] 'libmysqlclient12-dev' was in dapper & edgy
[21:59] kees: hey, was wondering if you might give another spec a once-over
[21:59] sure, url?
[22:00] Erosion: you can probably just use the latest libmysqlclient library?
[22:00] kees: https://wiki.ubuntu.com/EncryptedPrivateDirectory
[22:05] kees: I tried to follow your use case examples more closely in this spec
[22:06] sounds interesting
[22:07] I don't know enough to judge how complicated it would be to implement an encrypted fs like that
[22:07] kirkland: on a nit-pick, use case 3 seems entirely addressed by DAC (remote users). Not sure how to improve that one, since case 4 seems more compelling (local users). Also, I would recommend discussion of how it relates to the xdg-user-dirs package (see /etc/xdg/user-dirs.defaults). Does it perhaps belong in there? I'd like to see (maybe with another use-case) the option for people to NOT have to have an encrypt ~/Private (i.e. I trust DAC e
[22:07] I've always thought that at minimum a 700 folder should be in each user's dir
[22:09] kees: so the only difference between 3 and 4 I intended (in my mind anyway) was SSH logins versus Desktop logins
[22:09] kees: and by Desktop, I even mean Remote Desktop or VNC connections
[22:09] kees: graphical vs. command line only
[22:10] lukehasnoname: thanks.
[22:10] heya
[22:11] kees: so with respect to 3 & 4, this gives you some cryptographic protection of your data (in addition to DAC) when you're not logged into the system, and a whole lot of protection if someone steals the physical hardware and it's powered off
[22:11] kirkland: perhaps add the "stolen hardware" bit? just to help defend it. :)
[22:12] kirkland: what do you think of the "allow people to not have an encrypted mount point" option?
[22:12] kees: physical abduction of a server is of course unlikely in any major corporate environment; but small to medium business, say a mom-and-pop shop or a dentist office....
[22:12] kees: yeah, i think that's a good idea
[22:12] kees: i will definitely add that one
[22:12] kees: give me a moment to think on that one.........
[22:12] kirkland: cool. yeah, for theft, I think it's a valuable use-case, so it's good to highlight it. :)
[22:13] kees: so i was planning on handling this as an "Opt-In" in adduser
[22:13] "Do you want an encrypted ~/Private directory for this user?"
[22:13] kirkland: oh! even better.
[22:13] I'd like to see ~/Private added to xdg-user-dirs regardless
[22:13] (and to see the ~/Desktop perms changed for that too)
[22:13] kees: perhaps what would be useful is an "undo" operation. basically a reverse of ecryptfs-setup-confidential
[22:14] kees: i need to research xdg-user-dirs as I'm not familiar
[22:14] kirkland: yeah, it was provides ~/Desktop, Documents, Templates etc
[22:14] kees: cool
[22:16] kees: if you think it's necessary (or if someone else requests it), i can add an option to ecryptfs-setup-confidential --reverse
[22:17] which would kill the entry in /etc/fstab, copy the cleartext data to ~/Private, remove the encrypted .Private directory, and remove the entries from .bash_profile, .bash_logout, and .config/autostart
[22:17] it might be nice, yeah. It would certainly make it more complete.
[22:17] kees: actually, that would be useful for my testing
[22:17] kees: i've been doing that schtuff by hand every time I fvt my scripts :-)
[22:23] kees: okay, i added a blanket statement about physical theft and crypto+DAC below the Use Cases, since it actually applies to all of the Use Cases
[22:23] kees: i'll add a bit about undoing the cryptographic mountpoint of ~/Private
[22:26] cool
[22:32] wiki is so painfully sloooooooow :-/
[22:47] kees: fyi, use case 7 added (undo ~/Private encryption), as well as a note below all Use Cases regarding physical theft
[22:47] kees: https://wiki.ubuntu.com/EncryptedPrivateDirectory
[22:47] kees: I'm going to push it onto ubuntu-server@ for comments
[22:49] kirkland: sounds good. :)
[22:49] kees: i even found (in retrospect) a bug report supporting this BluePrint: https://bugs.edge.launchpad.net/bugs/210179
[22:49] Launchpad bug 210179 in ecryptfs-utils "encrypting part of a file system is way too hard" [Wishlist,In progress]
[22:51] haha, nice.
[23:02] nealmcb, ajmitch: thanks a lot for your support on my ubuntu membership!
[23:07] hey, I'm trying to get kexec to boot another kernel on kernel panic, the documentation says to echo c > /proc/sysrq-trigger to trigger a kernel panic to test if kexec starts another kernel, but it isn't causing a panic :( - how do I cause a kernel panic to test if kexec is working?
[23:11] New bug: #236931 in openssh (main) "openssh-server does not find dsa keys authorized_keys file" [Undecided,New] https://launchpad.net/bugs/236931
[23:12] nijaba: not that I really helped :)
[23:18] nijaba: congrats !
[23:57] * nealmcb appreciates nijaba