Well, hasn't it been a long time since I've posted here! Just a quick announcement that I've posted kernel 3.18.14-1 in the el6-testing repo with the aim to replace the current 3.14.x based kernels with 3.18.x. Current testing shows a seemless upgrade and as of right now, no issues have been reported. As always, feedback is welcome!
After a week of hard work, I'm happy to announce Xen 4.5.0 testing packages for both EL6 and EL7. These work on CentOS, Scientific Linux and RHEL. Packages can be downloaded from:
So the openjdk in most linux distros has now been upgraded to v1.8. This has a good bug fix regarding the whole SSLv3 Poodle vulnerability.
This has one problem. The Dell DRAC remote management cards installed in a lot of Dell servers relies on SSLv3 to operate. Without this, you can get into the web interface - but when you get an error stating Error when reading from SSL socket connection and no further.
Thankfully, it is simple to re-enable SSLv3 to allow the connection to succeed.
Open up /usr/lib/jvm/*/jre/lib/security/java.security in your favourite editor as root, and change the following line:
jdk.tls.disabledAlgorithms=SSLv3
to
jdk.tls.disabledAlgorithms=
This enables SSLv3 to all java applications - however it exposes yourself to the MITM attack as defined in CVE-2014-3566. I suggest having a read of the CVE to understand if you want to leave this setting as default on your system or disable it again afterwards.
A while ago I wrote about how to do this exact thing but with an older version of openssh.
If you're running a newer version of SSH, then the command syntax has been updated somewhat.
Firstly, once you've got your yubikey, you'll need to enable EPEL for EL6/7 and install the pam_yubico package.
You'll then need to modify the sshd pam file /etc/pam.d/sshd. There are two options here.
1) You require just the OTP; or
2) You want the OTP and a password.
If you want just the OTP, you add this just after the #%PAM-1.0 header:
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
If you want both password AND OTP, you add this:
auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
Now to create the /etc/yubikey_mappings user to key mapping. The README says:
Create a /etc/yubikey_mappings, the file must contain a user name and the Yubikey token ID separated by colons (same format as the passwd file) for each user you want to allow onto the system using a Yubikey. The mappings should look like this, one per line: ------ first user name:yubikey token ID1:yubikey token ID2:…. second user name:yubikey token ID3:yubikey token ID4:…. ------Now, if you want to go further and require both a ssh key AND an OTP, you can add the following to /etc/ssh/sshd_config:
AuthenticationMethods publickey,password
Now after you supply a valid ssh key you will be asked for your password. If you've set this up correctly, this will either be your password + OTP or just OTP.
Enjoy!
Update 21/Jun/2015
One common question I get is how they can allow access without a yubikey while in the office, but force its usage outside of the office. This has a couple of parts - mainly, you'll probably want to use a public key from inside, but force say a publickey + yubikey outside.
We do this by using a Match block in /etc/ssh/sshd_config as follows:
AuthenticationMethods publickey,keyboard-interactive
Match Address 10.1.1.0/24
AuthenticationMethods publickey
In this method, we set that EVERYONE must use a public key and a keyboard-interactive method to authenticate, then we allow exceptions for small address spaces that we trust. I also recommend making the following changes:
PasswordAuthentication no
ChallengeResponseAuthentication yes
This disallows skipping the yubikey auth and just using a password. Although, now we're using PAM as the auth source, you can *still* use a password via PAM - so we need to disable this in /etc/pam.d/sshd:
#auth substack password-auth
#password include password-auth
Hope this helps.
So I've been a bit paranoid of late when reading of the actions of the NSA - and looking at the default configs of sshd that ship with distros like EL6, there is a lot that can be done - however it requires updating to a newer openssh version than the ones that ship with EL6.
I now build openssh (currently v6.7p1) in my testing repo: http://au1.mirror.crc.id.au/repo/el6-testing/x86_64/
After installing this, I use the following to change options as required for 'best practices'. A lot of these come from here. There is a bit more discussion on this by Aaron Toponce.
Firstly, remove existing SSH server keys and only create the following two. Also set AUTOCREATE_SERVER_KEYS=NO in /etc/sysconfig/sshd to stop missing keys being automatically recreated on start.
cd /etc/ssh/
rm -f ssh_host_*key*
echo AUTOCREATE_SERVER_KEYS=NO > /etc/sysconfig/sshd
ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 16384 -f ssh_host_rsa_key < /dev/null
Then add some config to /etc/sshd/sshd_config. If you have any Match blocks, this needs to come before them. If not, add the following to /etc/sshd/sshd_config:
## Change key exchange preferences to pick secure methods.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Then eventually restart the sshd service:
service sshd restart
Remember to always keep an SSH session open to a server as you do these - as if you get it wrong, a failed start of sshd may lock you out of that system!
I'd like to just quote this post from Whirlpool - as it sums up perfectly the current state of the NBN.
fttnvdsl2 writes... to date I doubt very much that anyone has any appreciation of the amount of work that has gone into getting the network up and running from zero. with all due respect, only someone heckling from the sidelines with no knowledge of the project would think so.Lets see now after 15 months! TurnBULL and Co still haven't delivered a) A Corporate Plan for the next 3 years b) A 3 year rollout Plan c) Even a coherent 12 month rollout Plan is still being formulated d) No idea of how much remediation of Telstra's copper will be required e) No idea of how much repair and replacement of HFC networks will be required f) No idea of how much they are going to have to charge for the USO and the billions that will have to be pissed down the gurgler maintaining obsolete copper g) A revenue model which the financial industry won't piss themselves laughing at (which I might ADD is now in complete disarray) h) TPG openly ripping into the LNP's FRAUDBAND network with it unguaranteed UPTO 25Mbps by deploying their own FTTB network i) No 1Gbps retail plans on the market j) No migration of the existing 12/1 base tier to 25/5Mbps (Noting that Labor's NBN was to start the migration to a 10Gbps network in 2016) k) A plethora of product designs not delivered l) A legislative program that is questionable to say the least not to mention the reality that much of it may be blocked in the Senate due to being what can only be described as piss poor value for Australian citizens As for the work that Labor did do prior to the vandals demolishing the NBN well that's simple for those of who actually do understand what has been done! eg Built from scratch a company of close to 3000 people with all of the processes and systems with the ability to:- a) Work through, develop and construct the legislative programs that would be required to deliver the statement of expectations of the Government together with the necessary recommendations to assist in that process. b) Delivered the Interim Satellite service on "time" and on "budget" – to replace the dial up Satellite service that the LNP were previously responsible for which I might add that the LNP were happy to see continue being delivered by the private sector! c) Built the Long Term Satellite solution that is on ""schedule"" and on ""budget"" for services beginning in mid 2015 in the face of the LNP's opposition who called it the Rolls Royce of all Satellite services and that we didn't need it because and wait for this – because there was enough capacity in the private Satellite market to service all of Australian's needs! d) Contracted for, trialled and were rolling out a Fixed Wireless network on budget! e) Delivering the National Transit Network to support all access technologies, which was on budget and on schedule for completion by 2015 under him. f) Designed and delivered the OSS/BSS systems through to the production environment and commissioned these to function at scale. g) Designed and delivered the National Test Facility and a Network Operations Centre which is an important component in the management of National network h) Responsible for the successful development and launch of a suite of Products covered by WBAs. i) The successful negotiation of the Telstra agreement for access to their pit and pipe infrastructure that would avoid the requirement to duplicate existing infrastructure nationally together with gaining access to their dark fibre network which would over the lifecyle of the project reduce capex expenditure together with progressively allowing the project to meet its prescribed targets and timelines. j) Completed the very technical finalisation of the SAU and were awaiting the sign off from the ACCC. k) Reworked the Fixed Wireless network to allow for the additional delivery of a 25Mbps speed tier component to that network l) Included additional technology into both the Satellite and Fixed Wireless platforms to allow for the delivery of a "minimum" 25Mbps to all users of those networks. m) Provided for the introduction of a 250Mbps 500Mbps and 1Gbps service to be delivered from December 2013 into the project's deliverables n) Included into the scope of the project the responsibility for the Building of a Greenfields fibre capability which wasn't part of the original project that can complete more than 30 new developments a week, anywhere in the country. o) Were building a Customer Connect capability that had connected more than 100k end users and which was rapidly growing the ability to deal with with the exceptionally high take-up rates that were being experienced. p) And finally, responsible for implementing and growing the capability to build the LN/DN component of the Brownfields network at a cost that preserves the integrity of NBN Co’s financial plan. q) etc etc etc ALL THIS WAS DONE ON BUDGET! And as Mike Quigley stated the initial slippage in the initial volume rollout into the brownfields environment see p) was being addressed with the private contractors having publicly stated thier intention to deliver what it was they were contracted to deliver not to mention Telstra accepting thier own complicity in initially holding the project up by not allocating the appropriate resources! And as we see now Mike had catered for the adoption of new deployment processes that have been successfully trialled which provide for
The evaluation, contained in an internal presentation document dated August 2014 and seen by Fairfax Media, shows a team combining telecommunications firms Cemetrix, CommsConnect and Linktech Telecom was on track to complete the Melton rollout in just 104 days, compared with an average of 344 days in other areas. Ninety per cent of buildings were serviceable by fibre by the end of August – 61 per cent faster and 50 per cent more cheaply than in areas using previous rollout models, the document said.And to think that all this was in place 15 months ago when turnBULL and Co took the reigns of control on NBN Co and ground the rollout to a halt in some area's and cancelled existing contracts wholus bolus! And yet given their fully costed ready to go faster and cheaper alternative they LIED to the public about! Not 1 customer connected to FRAUDBAND! Fttnnnnnn unbelievable huh! Where's the financial imperative for ICT to develop Web 3 applications to run on unguaranteed UPTO 25Mbps obsolete copper networks when we already see sunset clauses being effected to shut down PSTN networks as provided in America and Europe?
I've been seriously looking at the Google Play Store for my source of Movies & TV viewing. The range is great - and the prices usually fair. There is one catch in the system though. HD doesn't mean HD.
When you go to purchase something - you get two options - SD or HD. They usually differ in price - the HD item being a few dollars more than the SD version - which makes some sense - as it requires more bandwidth and storage for the HD version.
The interesting part is when you go to watch these purchases. You'll note on the buy options, you'll see the magic phrase "supported devices". This is where it gets interesting. If you purchase from the web interface, you'll see this:
So - even if you buy HD - you can't watch HD in your web browser. So what does play HD?
Good question - and Google do a very bad job of explaining this. The Google Support page says:
There we go with the 'supported devices' part again. This answer doesn't give any decent information either:
So what does Google actually mean? For the moment, it seems that purchasing in HD format only gives more of your money to Google. My conversations with Google Support over the phone seem to indicate that the only 'supported device' that will play HD is the Chromecast.
Thankfully, Google seem to be quiet happy to refund your purchases if you point out that you're unable to watch them in HD on your PC - being the reason you purchased them in the first place. I got caught out on this again with my purchase of Parks & Recreation as shown above - and only being able to watch it in 480p - and the video quality looks awful - even for 480p. So, we have more refund requests waiting.
Play Store is a great idea, and implemented well - but the phoney restrictions on quality vs devices cripple its usefulness. It's still easier and better to download via a torrent and get a properly formatted and encoded 720p video that you can do anything you wish with - and more importantly, watch on any device.
And they say piracy is killing the industry....
The more I dig into the proceedings of the Senate Committee focusing on the NBN, I am more and more convinced that the Liberal Party has intentionally sabotaged NBN Co to fail. When the Abbott lead Liberal Party won the election in September 2013, Malcolm Turnbull gutted the board of NBN Co and (with sadly little review) installed a heap of his mates to run the company. Since then - looking at the many hours of Senate hearings, very little has been achieved. There is no financial plan for beyond 6 months from now. There is no rollout estimate. I could say many words on this - and it could easily be seen as bias. The best way is to highlight via actual footage from the Senate Committee overseeing NBN Co. This is the first NBN Co board answering questions to the Senate Committee - starting with the Chief Financial Officer:
Sadly, you can't make this stuff up. In the recent Senate hearing for the Environment and Communications Legislation Committee on the 20th November, Senator Conroy launched into some scathing details of how Malcolm Turnbull has hired his mates to oversee the NBN Co implementation. Lets put some context in here... Justin Milne was the CEO of Ozemail - of which, Malcolm Turnbull was a part owner. Malcolm bought in to Ozemail in 1994 for $500,000 and sold his share to Worldcom in 1999 for $57m. Now, Malcolm Turnbull is the Minister for Communications, and Justin Milne ends up on the NBN Co board of directors. That isn't the whole story however - it gets even more incestuous. CICOMILNE PTY LTD was awarded a contract for $14,000 for advice in 2013 between September and December for "Provision of advice in NBN transition issues". The consultant and 100% owner of CICOMILNE PTY LTD is Justin Milne. This contract was awarded one week after the Liberals were elected. What the advice was is still missing - as at the moment, nobody is sure what services were actually provided. Senator Conroy rightly inquires "So out of nowhere, the Ministers absolute best mate gets a $14,000 contract a week after being appointed, is that correct? ... Who gave Mr Milne's name to Mr Clarke or Mr Robinson given that Mr Clarke had never met him?" This is even more interesting when Justin Milne was appointed onto the NBN Co board in November 2013. So, how many other contracts are awarded to Malcolm Turnbull's mates to get his way with NBN Co?
Recently, I purchased a new Dell Inspiron 15 (3537) - however one of the worst things about this laptop was the fact it only had a 2.4GHz wireless card. While my first change to this system was to replace the 750Gb hard drive with a 256Gb SSD - to get a massive performance boost, the slow wireless was a killer. To make matters worse, the wireless card was also tied into the bluetooth adapter. After a bit of hunting around, I found that the Intel AC-7260 was a PCIe Half Mini Card with bluetooth onboard. This would make it a drop in replacement for the card that Dell shipped with the laptop. It would also allow me to connect at the full 300Mbit speeds of my WD MyNet N750. I ordered the card and it arrived quickly, but I soon started to find issues with this card. The main one being that randomly fails to work properly when the laptop resumes from sleep. When I did some searching about this problem, I was very surprised to find that this and many other problems seem to plague this range of card from Intel. There are threads on whirlpool, and multiple threads on the Intel Communities support site. This seems to be either a hardware problem that Intel refuse to admit (as they'd have to replace all these cards with OEMs), or a driver problem - either way, it seems to have been ongoing for over a year. I specifically bought an Intel wifi card thinking that a big name like Intel would make a decent wireless card - but it seems that I was mistaken :(