12.3
I want to run a script every hour. I put it in /etc/cron.hourly
Surely it can't be as simple as that. Is there a gotcha?
Thanks, L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
lynn said the following on 04/29/2013 10:53 AM:
12.3 I want to run a script every hour. I put it in /etc/cron.hourly
Surely it can't be as simple as that. Is there a gotcha?
* Did you make the script executable? (chmod +x)
* Do you want to run it as root?
--
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.
--Bertrand Russell, _Skeptical Essays_
On 29/04/13 17:03, Anton Aylward wrote:
> lynn said the following on 04/29/2013 10:53 AM:
>> 12.3
>> I want to run a script every hour. I put it in /etc/cron.hourly
>>
>> Surely it can't be as simple as that. Is there a gotcha?
> * Did you make the script executable? (chmod +x)
Yes
> * Do you want to run it as root?
Yes

Right that's good enough. I'm going for it. It's just a pity you can't like 'LDAP' this sort of stuff over to all the clients in one fell swoop.
Thanks, L x
lynn wrote:
> On 29/04/13 17:03, Anton Aylward wrote:
>> lynn said the following on 04/29/2013 10:53 AM:
>>> 12.3
>>> I want to run a script every hour. I put it in /etc/cron.hourly
>>>
>>> Surely it can't be as simple as that. Is there a gotcha?
>> * Did you make the script executable? (chmod +x)
> Yes
>> * Do you want to run it as root?
> Yes
>
> Right that's good enough.

Do you want to know/control at which time it is being run?

> I'm going for it. It's just a pity you can't like 'LDAP' this sort of
> stuff over to all the clients in one fell swoop. Thanks,

Provided you have a password-less ssh-setup for accessing all clients, this is what I would do:

for i in clients*
do
    rsync newcronfile $i:/etc/cron.d
done

I have a number of such schemes where configs are distributed to multiple clients. If you have a LOT of clients and speed matters, there is also nettee and/or dolly.
--
Per Jessen, Zürich (12.6°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
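A fuller version of that push loop, added here as an example (it is not Per's code nor anything posted in the thread): it runs Anton's checks (is the script executable, does it have a #! line) before copying, uses rsync over BatchMode ssh so a missing key fails instead of prompting, and verifies the file on each client afterwards. It assumes key-based root ssh to every host listed in clients.txt (a constructed file, one hostname per line); with DRY_RUN=1 it only prints the commands it would run.

```shell
# Push one script into /etc/cron.hourly on every client over ssh.
# Assumes root ssh with keys already works on each client (ssh-copy-id).
# clients.txt: one hostname per line, blank lines and # comments ignored.
CLIENTS_FILE="${CLIENTS_FILE:-clients.txt}"
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints commands instead of running them

# Pre-push checks for a cron.hourly script: it must exist, be executable
# (the chmod +x gotcha), start with a #! line and not carry CRLF endings,
# which would make the kernel look for an interpreter named "bash\r".
check_cron_script() {
    local f="$1" first_line
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -x "$f" ] || { echo "not executable, run chmod +x: $f" >&2; return 1; }
    IFS= read -r first_line < "$f"
    case "$first_line" in
        '#!'*) ;;
        *) echo "missing #! line: $f" >&2; return 1 ;;
    esac
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings: $f" >&2
        return 1
    fi
    return 0
}

# Run a command on one client as root. BatchMode makes ssh fail rather
# than prompt for a password, which is what you want from a script.
remote_run() {
    local host="$1"
    shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "ssh root@$host $*"
    else
        ssh -o BatchMode=yes "root@$host" "$@"
    fi
}

# Copy the script with rsync (-p keeps the mode), then fix the mode and
# verify it actually landed executable on the client.
deploy_to_host() {
    local host="$1" script="$2" dest
    dest="/etc/cron.hourly/$(basename "$script")"
    if [ "$DRY_RUN" = 1 ]; then
        echo "rsync -p $script root@$host:$dest"
    else
        rsync -p -e 'ssh -o BatchMode=yes' "$script" "root@$host:$dest" || return 1
    fi
    remote_run "$host" "chmod 0755 '$dest' && test -x '$dest'"
}

# Deploy to every client in CLIENTS_FILE; returns the number of failures
# (2 if the script itself fails the checks, so nothing is pushed at all).
deploy_all() {
    local script="$1" host failed=0
    check_cron_script "$script" || return 2
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|\#*) continue ;; esac
        if ! deploy_to_host "$host" "$script"; then
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done < "$CLIENTS_FILE"
    return "$failed"
}
```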
Right that's good enough. I'm going for it. It's just a pity you can't like 'LDAP' this sort of stuff over to all the clients in one fell swoop.
Puppet, or systems like that, should help
https://puppetlabs.com/

The contents of this email are confidential and for the exclusive use of the intended recipient. If you receive this email in error you should not copy it, retransmit it, use it or disclose its contents but should return it to the sender immediately and delete your copy.
Hearns, John said the following on 04/29/2013 12:13 PM:
Right that's good enough. I'm going for it. It's just a pity you can't like 'LDAP' this sort of stuff over to all the clients in one fell swoop.
Puppet, or systems like that, should help
UNIX and Linux have always been 'tool oriented'. I suspect that it's the MS_windows influence that causes people to look for a 'product' (and a GUI product at that) when a few lines of shell, perl, or perhaps python or even ruby, would suffice.
--
Business folks don't "respect" the technical folks because they think that the technical folks don't understand the "business" as well as the business folks do. Which might be true. But I am willing to bet that the technical folks understand the business a little better than the business folks understand the technology.
-- Darko Gavrilovic, 18th August, 2008
Hearns, John said the following on 04/29/2013 12:13 PM:
Right that's good enough. I'm going for it. It's just a pity you can't like 'LDAP' this sort of stuff over to all the clients in one fell swoop.
Puppet, or systems like that, should help
> UNIX and Linux have always been 'tool oriented'. I suspect that it's the MS_windows influence that causes people to look for a 'product' (and a GUI product at that) when a few lines of shell, perl, or perhaps python or even ruby, would suffice.

Personally, I would use pdsh to push changes out to a set of servers if I had passwordless access: http://sourceforge.net/projects/pdsh/
However, the original poster asked for 'LDAP like' change management - I rather thought she might like to look at Puppet.
Hearns, John said the following on 04/29/2013 12:42 PM:
However, the original poster asked for 'LDAP like' change management - I rather thought she might like to look at Puppet.
Where is this "Change management"? I read it as a means of having central administration. "Change management" in a database would mean Git or something like that.

Lynn works with LDAP as a central database so she would ask in terms of that. She might as well ask "Why aren't the CRON tables implemented in LDAP just like all the other things we see in, for example, /etc/nsswitch.conf?" It's a reasonable question.

The trouble is that pretty soon you get to ask why is /bin and /lib there as well? Does anyone remember the days of Novell when all the binaries were off on a central server? The ultimate in 'roving shares'. Well, yes, there is such a thing as 'thin clients' and PXE and yes you can have all the binaries actually in a 'database' although for convenience the 'database' is a file system and it's all NFS mounted. It worked for SUN for a long while :-) I've set it up for varying degrees of 'thin'. See also the Linux Terminal Server Project.

Remember, LDAP is only an access method: the database behind it can be implemented any which way, from flat files up to the most grandiose RDBMS. LDAP itself can be 'distributed' and its backing database can be distributed as well. How complicated, or simple, do you want to make it?

I can see putting crontabs in a database (and making it LDAP accessible) - that's quite another matter from putting scripts (i.e. executables) in there.
http://bytes.com/topic/postgresql/answers/400130-large-crontab-database-desi...
--
Bullet proof vest vendors do not need to demonstrate that naked people are vulnerable to gunfire. Similarly, a security consultant does not need to demonstrate an actual vulnerability in order to claim there is a valid risk. The lack of a live exploit does not mean there is no risk.
- Crispin Cowan, 23 Aug 2002
On 29/04/13 19:09, Anton Aylward wrote:
> Hearns, John said the following on 04/29/2013 12:42 PM:
>> However, the original poster asked for 'LDAP like' change management - I rather thought she might like to look at Puppet.
> Where is this "Change management"? I read it as a means of having central administration. "Change management" in a database would mean Git or something like that.
>
> Lynn works with LDAP as a central database so she would ask in terms of that. She might as well ask "Why aren't the CRON tables implemented in LDAP just like all the other things we see in, for example, /etc/nsswitch.conf?"

Hi everyone. Thanks for your interest. Maybe I should explain what I mean by LDAP like. A good example is when I add a user to a group. I don't have to go around altering /etc/group on all the clients. I just do it once in LDAP and let sssd pull it out the next time the user logs in. On any client. That supposes I already have the sss target for group in nsswitch.conf. If I haven't, I'm in the situation I'm in now. I don't have the script I need in cron.hourly on the clients so I've got to go around them all or use one of the methods you have very kindly suggested. But e.g. to set up ssh, I'd still have to go to each client and do something as root. This sort of situation doesn't occur often enough to justify the time I'd need to do that.

Summary. I want to sit at one computer and copy a file to /etc/cron.hourly on all the clients. Without physically walking to each client, I don't think I can do that.
L x
lynn said the following on 04/29/2013 04:27 PM:
Summary. I want to sit at one computer and copy a file to /etc/cron.hourly on all the clients. Without physically walking to each client, I don't think I can do that.
Like I said, that is what Larry Wall 'invented' perl for. One of the adages of the perl community is "There's more than one way to do it".

Between starting this email and the above line I took a sip of coffee and in that time I thought of another couple of ways to do it. Any and all of them require that you establish some conventions or protocols.

For example you might have a directory /usr/share/local which contains all the local scripts and stuff. It is then NFS mounted - that's the convention - on all machines. So when you sync (using perl, ssh, rsync, whatever) or have hacked cron to use ldap for its cronables instead of files in /var/spool... then the scripts are available on all machines. Of course you could just do the same by having all the /etc/cron* stuff NFS'd.

But, like I said, whatever you do you're going to have to set up some conventions for, and this was the point that Larry made, DISTRIBUTED MACHINE ADMINISTRATION. It doesn't just happen. And yes there are tools and packages that grew out of his original work and other people have cut their own sets of tools. How much do you want to have to rebuild your architecture to fit someone else's idea of how such administration should be done?

Oh, wait a minute. Are you telling us that your other machines aren't networked, that you CAN'T copy the script with perl, ssh, rsync ... because, in the absence of a network you *HAVE* to physically walk there?
--
Never tell people how to do things. Tell them what you want them to achieve, and they will surprise you with their ingenuity.
--George Patton
On 29/04/13 23:16, Anton Aylward wrote:
> lynn said the following on 04/29/2013 04:27 PM:
>> Summary. I want to sit at one computer and copy a file to /etc/cron.hourly on all the clients. Without physically walking to each client, I don't think I can do that.
> Oh, wait a minute. Are you telling us that your other machines aren't networked, that you CAN'T copy the script with perl, ssh, rsync ... because, in the absence of a network you *HAVE* to physically walk there?

No. It's AD. We've just switched from nfs to cifs and we need to keep the root cache alive for the automounter. Network or not, I still have to go to each client to do something, whether it's install the 2 line script itself or install something which would install it for me. It's something which is very straightforward. I want this:

#!/bin/bash
kinit -k cifs-user

run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch. You guys know what I'm on about. . .. It comes down to me not having anything in place to do this centrally as I can with the LDAP'y things. From what folk are saying here, there's nothing in a default 12.3 install in place so I can just do it.
L x
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch.
How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin.
--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. said the following on 04/29/2013 07:35 PM:
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch.
How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin.
+1
I don't understand either.
--
Whenever men take the law into their own hands, the loser is the law. And when the law loses, freedom languishes.
-- JFK
On 4/29/2013 6:19 PM, Anton Aylward wrote:
Carlos E. R. said the following on 04/29/2013 07:35 PM:
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch.
How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin.
+1 I don't understand either.
Well, since Lynn has to march around to each machine, she could prevent future trips by putting her ssh public key on a flash drive and cat it into root's authorized keys on each machine.
--
_____________________________________
---This space for rent---
John Andersen said the following on 04/29/2013 09:30 PM:
Well, since Lynn has to march around to each machine, she could prevent future trips by putting her ssh public key on a flash drive and cat it into root's authorized keys on each machine.
She can? I never did that. I'm kinda dumb (Larry "Perl" Wall would say 'lazy'). I used "ssh-copy-id"
http://linux.die.net/man/1/ssh-copy-id
--
If you are using Windows 2000, there is no chance that DES is your weak link. The only justification for using 3DES is that it is cheap.
-- William Hugh Murray, CISSP
On 30/04/13 03:30, John Andersen wrote:
On 4/29/2013 6:19 PM, Anton Aylward wrote:
Carlos E. R. said the following on 04/29/2013 07:35 PM:
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch. How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin.
+1 I don't understand either.
Well, since Lynn has to march around to each machine, she could prevent future trips by putting her ssh public key on a flash drive and cat it into root's authorized keys on each machine.
Hi
I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going. As we have Kerberos, maybe there's something I can organise with that instead of the ssh rsa. We have the machine key in the keytab by default so maybe I could just kinit -k without a password. That's how we're authenticating cifs at the moment. Just thinking out loud.
L x
lynn said the following on 04/30/2013 06:36 AM:
I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going.
So: are you telling us that ssh was *NOT* installed *by* *default* on each machine to start with?
As we have Kerberos, maybe there's something I can organise with that instead of the ssh rsa. We have the machine key in the keytab by default so maybe I could just kinit -k without a password. That's how we're authenticating cifs at the moment. Just thinking out loud.
Maybe; it's been a while but I used kerberos as a remote admin/remote login base for a cluster of AIX machines with ... heck, it had a lot of "S"s in its name, way back in the last century. So it can be done.

But in a *default* installation, ssh is installed and enabled and as I said "ssh-copy-id" lets you copy your key across without needing to be physically present.

Let's do another take: if you have *ANY* remote login capability, telnet even, then you can use zypper to install ssh.

Having used kerberos, vnc and ssh, I'd go with ssh every time. That is mostly because of its flexibility. Buy (or beg or borrow) the O'Reilly book and you'll find some of the fantastic things you can do. For example, when OOTO I have on my laptop a script that sets up a ssh channel so that when I fire up my local copy of thunderbird I don't have to reconfigure it; it reads the mail on my mail server "as if it were local" and uses my smtp server. So I don't have to play games with new settings and authorization. You might call this a VPN but it avoids many of the traditional problems of a VPN.

Ssh supports scripting very nicely and isn't that what you're trying for here? As for executing a remote command without a password ... well we ssh users do that all the time :-)
--
The major advances in civilization are processes that all but wreck the societies in which they occur.
- A.N. Whitehead
On 30/04/13 13:30, Anton Aylward wrote:
lynn said the following on 04/30/2013 06:36 AM:
>> I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going.
> So: are you telling us that ssh was *NOT* installed *by* *default* on each machine to start with?

There's a bit in the installation where you disable the firewall. It also disables ssh.
L x
lynn wrote:
On 30/04/13 13:30, Anton Aylward wrote:
lynn said the following on 04/30/2013 06:36 AM:
I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going. So: are you telling us that ssh was *NOT* installed *by* *default* on each machine to start with?
There's a bit in the installation where you disable the firewall. It also disables ssh. L x
Yes, that one is a bit annoying. At least it doesn't disable sshd when you're also installing over ssh :-)
--
Per Jessen, Zürich (11.8°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
lynn said the following on 04/30/2013 07:52 AM:
On 30/04/13 13:30, Anton Aylward wrote:
lynn said the following on 04/30/2013 06:36 AM:
I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going. So: are you telling us that ssh was *NOT* installed *by* *default* on each machine to start with? There's a bit in the installation where you disable the firewall. It also disables ssh.
Which gets back to my point: if they could do the install themselves in the first place then they are capable of running zypper to install ssh by themselves.
--
Science is nothing but trained and organized common sense, differing from the latter only as a veteran may differ from a raw recruit: and its methods differ from those of common sense only as far as the guardsman's cut and thrust differ from the manner in which a savage wields his club.
Thomas H. Huxley
On 30/04/13 14:02, Anton Aylward wrote:
> lynn said the following on 04/30/2013 07:52 AM:
>> On 30/04/13 13:30, Anton Aylward wrote:
>>> lynn said the following on 04/30/2013 06:36 AM:
>>>> I'm going to need ssh to avoid a mess like this in future so I'll use the fact that I'll be physically visiting each client to get ssh going.
>>> So: are you telling us that ssh was *NOT* installed *by* *default* on each machine to start with?
>> There's a bit in the installation where you disable the firewall. It also disables ssh.
> Which gets back to my point: if they could do the install themselves in the first place then they are capable of running zypper to install ssh by themselves.

As soon as I'd hit send, I was certain someone would ask why I disabled the firewall. So well done. I can see that you guys have been here before;)

Anyway, Good news. I've just ssh'd without a password. In fact you don't have to install it. It's already there. Just not configured. It's not too bad considering it was the first time I'd done it in a long while. Around 20 minutes including trying to remember what we used for root passwords on the clients!
L x
lynn said the following on 04/30/2013 08:26 AM:
As soon as I'd hit send, I was certain someone would ask why I disabled the firewall. So well done. I can see that you guys have been here before;)
:-)
Anyway, Good news. I've just ssh'd without a password. In fact you don't have to install it. It's already there. Just not configured. It's not too bad considering it was the first time I'd done it in a long while. Around 20 minutes including trying to remember what we used for root passwords on the clients!
Geez, lady, you're a hard sell.
--
Try to learn something about everything and everything about something.
Thomas H. Huxley
On Tuesday, 2013-04-30 at 07:30 -0400, Anton Aylward wrote:
But in a *default* installation, ssh is installed and enabled and as I said "ssh-copy-id" lets you copy your key across without needing to be physically present.
It is installed by default, yes, but at least it is also firewalled by default, and maybe even the daemon is not started. You have to remember to click on enable ssh on the firewall on every installation.

The default was the other way round some releases ago. Many people complained about this change at the time, but the decision was made and kept :-(

(they said something about home users not needing this. How about remote maintenance of home users, for instance? Sigh.)

At least, the option to enable ssh is visible on the main installation summary. Just make sure you do read the summary carefully ;-)
--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. wrote:
The default was the other way round some releases ago. Many people complained about this change at the time, but the decission was made and kept :-(
(they said something about home users not needing this. How about remote maintenance of home users, for instance? Sigh.)
I think the point is that you should not have open network services by default. You should have to explicitly open a weakness in your defences.
On Tuesday, 2013-04-30 at 16:44 +0100, Dave Howorth wrote:
Carlos E. R. wrote:
The default was the other way round some releases ago. Many people complained about this change at the time, but the decission was made and kept :-(
(they said something about home users not needing this. How about remote maintenance of home users, for instance? Sigh.)
I think the point is that you should not have open network services by default. You should have to explicitly open a weakness in your defences.
That's true, but there are many ways to see things :-) Like not being able to help somebody remotely because there is no remote access, and he doesn't know how to do it over the phone.
--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Dave Howorth said the following on 04/30/2013 11:44 AM:
Carlos E. R. wrote:
The default was the other way round some releases ago. Many people complained about this change at the time, but the decission was made and kept :-(
(they said something about home users not needing this. How about remote maintenance of home users, for instance? Sigh.)
I think the point is that you should not have open network services by default. You should have to explicitly open a weakness in your defences.
I keep saying Context is Everything but that is usually the gap. When people pose the problems we have we ask them what system they are running, what revisions etc. We really should have asked Lynn about the context here; I suppose we - we certainly myself - assumed it was her normal system, the one she's posed questions about before. If she'd told us this was a school system to begin with we would have had a better understanding and perhaps more sympathy when she complained about the need to visit each seat.

But Dave's assertion above is right in some contexts and "Duh?" in others. In my own context as I type it's a nonsense statement. None of my machines, server, workstations, have firewall installed never mind enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-) Context is everything.

Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON! That was the great problem with the old Windows machines and the source of so many of the problems that persist to this day.

But Context is Everything and some of that context is business needs. I've seen what I consider to be 'broken' high value applications at brokerage firms that require vast ranges of ports to be open on the firewall, so much so that some sites where this is used simply don't bother with a firewall, it's too much of a hassle when it comes down to "business as normal". I've heard people in first tell regulatory auditors "Any one of our brokers makes more in a morning than your firm bills in a year to take your advice about security and stick it!". Risk management is about knowing what risks to accept. That is a matter of context.
Perhaps Lynn will now tell us if these workstations at this school are each and individually connected to the Internet or if they are on a LAN and if the latter how the LAN connects to the Big Bad Wild Internet and if there is a firewall of any kind involved.

And yes, right, there is the old issue about "academic freedom", which in some learning establishments lets the staff tell the IT people that security measures are an infringement of their rights and must all be disabled...

Sorry, Dave, one size doesn't fit all.
--
"In those days spirits were brave, the stakes were high, men were real men, women were real women and small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri."
On 4/30/2013 9:22 AM, Anton Aylward wrote:
Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON! That was the great problem with the old Windows machines and the source of so many of the problems that persist to this day.
But Linux isn't windows, and if you know and control exactly what services/ports you have open to the wild woolly world there is no need of a firewall. After all a firewall is usually nothing but a sloppy way of controlling what ports you expose. A closed port is about as secure as it gets.

The number of ssh vulnerabilities that can be remotely exploited is vanishingly small and short lived. Disable password login via ssh after you get your public keys installed and the script kiddies can try for years.
--
_____________________________________
---This space for rent---
John Andersen said the following on 04/30/2013 02:07 PM:
But Linux isn't windows, and if you know and control exactly what services/ports you have open to the wild woolly world there is no need of a firewall. After all a firewall is usually nothing but a sloppy way of controlling what ports you expose.
Ah yes, Steve Bellovin's famous quote from his classic book on firewalls:

    The firewall is the network's response to poor host security

The trouble is that it's a bit absolutist. The real world is that it's often necessary, as I said but you omitted from my quote, to have ports open FOR BUSINESS REASONS.

Yes, closing ports turns off services (and hey, turn off the (x)inet daemon as well) but that doesn't make the machines invulnerable; there are other ways of getting malware in: they are called applications. No, I'm not talking about servers, I mean things like web browsers and email clients. It doesn't even have to be drive-bys or getting the user to click on the url of a html-mail message. To do nifty things people download extensions and plugins. They don't even have to be trojans. Recall the bugs in adobe reader that would let a specially crafted document exploit the vulnerability? Well now firefox has its own built in pdf reader :-) Wanna bet that is "bug free"?
--
Engineers aren't boring people; we just get excited over boring things.
On 4/30/2013 11:22 AM, Anton Aylward wrote:
No, I'm not talking about servers, I mean things like web browsers and email clients. It doesn't even have to be drive0bys or getting the user to click on the url of a html-mail message. To do nifty things people download extensions and plugins. They don't even have to be trojans. Recall the bugs in adobe reader that would let a specially crafted document exploit the vulnerability? Well now firefox has its own built in pdf reader :-) Wanna bet that is "bug free"?
The problems you mention won't be fixed by a firewall. Virtually all malware these days use outbound connections, and unless you do mercenary egress filtering (not practical in the real world) your firewall will happily allow outbound connections from just about anything on just about any port to just about any target IP.

I egress filter a few common ports at the firewall (smtp and a couple others), against the possibility that some visitor to my network will have a spambot on their horribly compromised windows machine. But my laptop I take everywhere, and I know exactly what ports are open and really never bother with a firewall. (I'm more than a little concerned that dropbox is always listening, and I'm thinking of dumping it for that reason).
--
_____________________________________
---This space for rent---
John Andersen said the following on 04/30/2013 02:44 PM:
On 4/30/2013 11:22 AM, Anton Aylward wrote:
No, I'm not talking about servers, I mean things like web browsers and email clients. It doesn't even have to be drive-bys or getting the user to click on the url of a html-mail message. To do nifty things people download extensions and plugins. They don't even have to be trojans. Recall the bugs in adobe reader that would let a specially crafted document exploit the vulnerability? Well now firefox has its own built in pdf reader :-) Wanna bet that is "bug free"?
The problems you mention won't be fixed by a firewall.
YES! RIGHT! That's my point
Virtually all malware these days use outbound connections,
YES! RIGHT! That's my point
and unless you do mercenary egress filtering (not practical in the real world) your firewall will happily allow outbound connections from just about anything on just about any port to just about any target IP.
Which is the case with most "home firewalls" (think Windows?) and, I'm sorry to say, all too many corporate firewalls. Even those that have DLP. A tool that stops outsiders sending restricted documents out over the Internet is fine, but there are a whole pile of things that aren't in that class which are still .... nasty.
I egress filter a few common ports at the firewall (smtp and a couple others), against the possibility that some visitor to my network will have a spambot on their horribly compromised windows machine.
And it may also be the case that in order to prevent the propagation of spam and other nasty stuff, your ISP blocks you (and its other customers) from sending to port 25 of any machine except its own mail relay. Then it can enforce some kind of control, perhaps rate limiting, perhaps content inspection (as some governments are now getting more aggressive about demanding of ISPs) but certainly stopping you using some other 'open relay' host. OK so there are ways round that too, but ... Better to do something ... -- "How well we communicate is determined not by how well we say things but by how well we are understood." -- Andrew S. Grove.
On Tuesday, 2013-04-30 at 15:08 -0400, Anton Aylward wrote:
And it may also be the case that in order to prevent the propagation of spam and other nasty stuff, your ISP blocks you (and its other customers) from sending to port 25 of any machine except its own mail relay. Then it can enforce some kind of control, perhaps rate limiting, perhaps content inspection (as some governments are now getting more aggressive about demanding of ISPs) but certainly stopping you using some other 'open relay' host.
IIRC, lynn was somewhere in Spain. ISPs here, to my knowledge, do not block port 25, because they also do not allow you to send with a from address not belonging to their servers. IE, even after password ID, they don't do relay for their own customers. But then again, that school might use a transparent VPN to connect to the rest of the school system. Some do here. You get out via proxy set by the state IT staff. There is a *lot* of variance here. As often as not, the schools are provided with Linux machines which are then reformatted with pirated copies of Windows by the teachers, because nobody thought to train teachers in Linux first. Or not enough. Or because the IT staff on call takes days or weeks to come. -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On 30/04/13 22:29, Carlos E. R. wrote:
As often as not, the schools are provided with Linux machines which are then reformatted with pirated copies of Windows by the teachers, because nobody thought to train teachers in Linux first. Or not enough. Or because the IT staff on call takes days or weeks to come.
Not far off. Usually, the kids will sort it out during the month or so before anyone turns up. But no one has any idea about heterogeneous networks anyway, not even the kids. But it doesn't matter, because every school has the same problem. It works for a few days after it's installed and that's about it. Cloud looks good because you don't need the kerberos, sssd, 2008r2 nonsense. For now we'll make do with mal de muchos, consuelo de tontos.
John Andersen wrote:
On 4/30/2013 9:22 AM, Anton Aylward wrote:
Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON! That was the great problem with the old Windows machines and the source of so many of the problems that persist to this day.
But Linux isn't windows, and if you know and control exactly what services/ports you have open to the wild woolly world there is no need of a firewall. After all a firewall is usually nothing but a sloppy way of controlling what ports you expose.
A closed port is about as secure as it gets.
Obligatory xkcd quote: http://xkcd.com/1200/ You miss the tree for the forest, IMNSHO. Joachim -- Joachim Schrod, Roedermark, Germany Email: jschrod@acm.org
On 4/30/2013 5:54 PM, Joachim Schrod wrote:
John Andersen wrote:
On 4/30/2013 9:22 AM, Anton Aylward wrote:
Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON! That was the great problem with the old Windows machines and the source of so many of the problems that persist to this day.
But Linux isn't windows, and if you know and control exactly what services/ports you have open to the wild woolly world there is no need of a firewall. After all a firewall is usually nothing but a sloppy way of controlling what ports you expose.
A closed port is about as secure as it gets.
Obligatory xkcd quote: http://xkcd.com/1200/
You miss the tree for the forest, IMNSHO.
Joachim
Yeah, true enough. But a firewall won't help in any of the cases mentioned in the cartoon. Those "services" all use outbound connections. And if you egress filter their common ports they step to others. A firewall won't protect you from something already running on your machine. -- ---This space for rent---
Anton Aylward wrote:
Dave Howorth said the following on 04/30/2013 11:44 AM:
Carlos E. R. wrote:
The default was the other way round some releases ago. Many people complained about this change at the time, but the decision was made and kept :-(
(they said something about home users not needing this. How about remote maintenance of home users, for instance? Sigh.)
I think the point is that you should not have open network services by default. You should have to explicitly open a weakness in your defences.
I keep saying Context is Everything but that is usually the gap. When people pose the problems we have we ask them what system they are running, what revisions etc. We really should have asked Lynn about the context here;
+1 It's always going to be a problem on a list like this where the common denominator is only "I use openSUSE". Sometimes a home-user is easily recognised, sometimes not. Sometimes the admin-user is easily recognised, sometimes not.
Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON!
Even such machines will very often be sat behind a DSL router with an active/default firewall. -- Per Jessen, Zürich (12.4°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen said the following on 04/30/2013 02:10 PM:
Now when it comes down to single home machines plugged directly into the Big Bad Wild Internet, yes I agree, they need the firewall ON! Even such machines will very often be sat behind a DSL router with an active/default firewall.
And maybe even the ISP will do filtering of malware attachments to email messages. Mine does; or it seems I occasionally get a message from its filtering software telling me that it's blocked one such ... -- I agree with Bejtlich on this particular subject Do you want a defensible network or not? - Martin Roesch, developer of Snort and founder of Sourcefire, referencing The Tao of Network Security Monitoring in the #snort IRC channel on 26 January 2005
On Tuesday, 2013-04-30 at 14:24 -0400, Anton Aylward wrote:
And maybe even the ISP will do filtering of malware attachments to email messages.
Mine does; or it seems I occasionally get a message from its filtering software telling me that its blocked one such ...
Mine does a bad job of it. Sometimes it blocks posts I sent with a cryptic "internal error". The same post passes gmail filters. On the other hand, I hate not receiving an email because my ISP thinks it is spam or malware. I prefer doing my own filtering. Sometimes I get a post from my ISP, or somebody else's ISP, telling me they blocked an email, but they don't forward enough details to identify it: the from/to addresses, the date, the subject line... Also what kind of malware they detected would be nice. -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On Tuesday, 2013-04-30 at 12:22 -0400, Anton Aylward wrote:
Dave Howorth said the following on 04/30/2013 11:44 AM:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
And yes, right, there is the old issue about "academic freedom", which in some learning establishments lets the staff tell the IT people that security measures are an infringement of their rights and must all be disabled...
And so, you can not imagine the amount of virii the kids get back home on their usb sticks :-) -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On 4/30/2013 12:56 PM, Carlos E. R. wrote:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
Windows, Yes, I agree. Linux? Not a problem. You do understand, don't you Carlos, that a software firewall (iptables) can only stop packets AFTER they have already entered your machine? And if nothing is listening on a port no packet will be accepted on that port, and it won't get into your machine? -- ---This space for rent---
On Tuesday, 2013-04-30 at 13:16 -0700, John Andersen wrote:
On 4/30/2013 12:56 PM, Carlos E. R. wrote:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
Windows, Yes, I agree. Linux? Not a problem.
Who knows. Sometimes I have to open files with acrobat, because they don't work with any other reader. I have to run java applications I'm given.
You do understand, don't you Carlos, that a software firewall (iptables) can only stop packets AFTER they have already entered your machine? And if nothing is listening on a port no packet will be accepted on that port, and it won't get into your machine?
I do. Nevertheless, I prefer to be overly cautious. I prefer two layers, nothing listening on a port, and a firewall blocking "just in case" I forget something. -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On 4/30/2013 1:34 PM, Carlos E. R. wrote:
Who knows. Sometimes I have to open files with acrobat, because they don't work with any other reader. I have to run java applications I'm given.
But as mentioned elsewhere in this thread, a firewall will not help you here. At best it stops incoming connections, but it won't stop outbound connections from some rogue java application. -- ---This space for rent---
On Tue, Apr 30, 2013 at 4:16 PM, John Andersen <jsamyth@gmail.com> wrote:
On 4/30/2013 12:56 PM, Carlos E. R. wrote:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
Neither would I. I have seen the kind of mischief some students can get into. Fortunately I have not had to deal with an insider attack. But that is why there is IT admin staff, who are, in a sense, gatekeepers, ensuring that no service that isn't needed on a given machine is running, that the firewalls are properly maintained, &c. I would never let users, be they academic staff, students, or even my programmers, change any services or the various security related protocols that we have established. That is the role of the IT admin staff, under the direction of the appropriate management personnel, and it is their heads on the line if they make a mistake that compromises security.
Windows, Yes, I agree. Linux? Not a problem.
You do understand, don't you Carlos, that a software firewall (iptables) can only stop packets AFTER they have already entered your machine? And if nothing is listening on a port no packet will be accepted on that port, and it won't get into your machine?
Yes, yes, but there are other risks that need to be managed; and there are methods that are adequate to deal with mischievous script kiddies, and others that need well trained IT security experts. A firewall is only one tool in a comprehensive security toolset, intended to support whatever security related policies are deemed appropriate. I do not think even Linux would, in itself, be adequate defense either against an internal attack (or mischievous, but otherwise competent IT students) or a professional cyber-criminal. Windows has its issues, but so does every other readily available OS. There is no substitute for capable, diligent IT admin staff (they do things I wouldn't even attempt on my own). Cheers Ted
On Tuesday, 2013-04-30 at 16:36 -0400, Ted Byers wrote:
On Tue, Apr 30, 2013 at 4:16 PM, John Andersen <> wrote:
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
Neither would I. I have seen the kind of mischief some students can get into. Fortunately I have not had to deal with an insider attack. But that is why there is IT admin staff, who are, in a sense, gatekeepers, ensuring that no service that isn't needed on a given machine is running, that the firewalls are properly maintained, &c. I would never let users, be they academic staff, students, or even my programmers, change any services or the various security related protocols that we have established. That is the role of the IT admin staff, under the direction of the appropriate management personnel, and it is their heads on the line if they make a mistake that compromises security.
I would not trust IT personnel that much. Who knows, I could be that IT myself! >:-p (yes, I have papers that say that I'm trained as such) -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
"Carlos E. R." <robin.listas@telefonica.net> wrote:
On Tuesday, 2013-04-30 at 12:22 -0400, Anton Aylward wrote:
Dave Howorth said the following on 04/30/2013 11:44 AM:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
In a school I agree. In a normal corp env, no. The 2011 data is 80% of breaches are conducted by external parties. (See the verizon breach report. It's the best report on breaches there is and it's free). Fyi: a breach is defined to be an event where confidential data gets out of the corp network. Btw: the 2012 report came out a week ago. I haven't looked at it yet. Greg
Greg Freemyer wrote:
"Carlos E. R." <robin.listas@telefonica.net> wrote:
On Tuesday, 2013-04-30 at 12:22 -0400, Anton Aylward wrote:
Dave Howorth said the following on 04/30/2013 11:44 AM:
enabled. As my laptop is plugged in here it has its firewall disabled. That's because the LAN is behind a nice big commercial firewall box :-)
I would not dare to connect my machine without firewall on a corporate or school environment. Most successful attacks come from insiders.
In a school I agree. In a normal corp env, no.
+1
The 2011 data is 80% of breaches are conducted by external parties. (See the verizon breach report. It's the best report on breaches there is and it's free).
Fyi: a breach is defined to be an event where confidential data gets out of the corp network.
Yes, breaching network security is only one way of compromising a corporation. -- Per Jessen, Zürich (12.2°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On 30/04/13 01:35, Carlos E. R. wrote:
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch.
How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin. I can login to any client on the lan when in front of that client. That doesn't mean that I can log into it remotely simply by having defined a login for myself at install time:( L x
lynn said the following on 04/30/2013 03:28 AM:
On 30/04/13 01:35, Carlos E. R. wrote:
On Tuesday, 2013-04-30 at 00:33 +0200, lynn wrote:
run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch.
How come you do not access each machine remotely from your own seat? You should have defined a login for yourself from install time. I'm assuming you are the shop admin. I can login to any client on the lan when in front of that client. That doesn't mean that I can log into it remotely simply by having defined a login for myself at install time:(
Of course not! That would require you to have done a standard - aka 'default' - install that included the ssh server, and the ssh client - again part of the default install - on your own workstation. -- Nearly all men can stand adversity, but if you want to test a man's character, give him power. -- Abraham Lincoln
Am 30.04.2013 13:33, schrieb Anton Aylward:
Of course not! That would require you to have done a standard - aka 'default' - install that included the ssh server, and the ssh client - again part of the default install - on your own workstation.
In a standard install ssh access is blocked by the firewall as default.
Martin Helm said the following on 04/30/2013 07:40 AM:
Am 30.04.2013 13:33, schrieb Anton Aylward:
Of course not! That would require you to have done a standard - aka 'default' - install that included the ssh server, and the ssh client - again part of the default install - on your own workstation.
In a standard install ssh access is blocked by the firewall as default.
Is the firewall part of the default install? I don't recall it being so. -- If a little knowledge is dangerous, where is the man who has so much as to be out of danger. Thomas H. Huxley
Am 30.04.2013 13:49, schrieb Anton Aylward:
Martin Helm said the following on 04/30/2013 07:40 AM:
Am 30.04.2013 13:33, schrieb Anton Aylward:
Of course not! That would require you to have done a standard - aka 'default' - install that included the ssh server, and the ssh client - again part of the default install - on your own workstation.
In a standard install ssh access is blocked by the firewall as default. Is the firewall part of the default install? I don't recall it being so.
In a pure default install the firewall is installed and enabled and blocks everything (inbound), that is true if you install a desktop environment or a minimal server without X. It is an extra mouse click in the installation summary to simultaneously enable sshd and open the port in the firewall. Of course only if you install every client manually and not by using some tool like autoyast which would make life easier.
lynn said the following on 04/29/2013 06:33 PM:
lynn said the following on 04/29/2013 04:27 PM:
Summary. I want to sit at one computer and copy a file to /etc/cron.hourly on all the clients. Without physically walking to each client, I don't think I can do that.
On 29/04/13 23:16, Anton Aylward wrote:
Oh, wait a minute. Are you telling us that your other machines aren't networked, that you CAN'T copy the script with perl, ssh, rsync ... because, in the absence of a network you *HAVE* to physically walk there?
No. It's AD. We've just switched from nfs to cifs and we need to keep the root cache alive for the automounter.
NFS or CIFS -- it's still a remote mount, which was the point I'm trying to make
Network or not, I still have to go to each client to do something, whether it's install the 2 line script itself or install something which would install it for me.
This makes no sense. Did you fail to install ... ssh or rdesktop or vncserver or whatever when you first installed the systems?
It's something which is very straightforward. I want this:

    #!/bin/bash
    kinit -k cifs-user

run every hour by doing the minimum of walking, leaning over machines, annoying people or else waiting till they've gone for lunch. You guys know what I'm on about. . ..
Is that all? I can't see why you need to dump a script in /etc/cron.hourly to do that. If it was a local machine you'd do .. let's see

    crontab -l

lists what's already in the crontab. You want to append

    @hourly kinit -k cifs-user

So issue the command

    (crontab -l 2>/dev/null; echo '@hourly kinit -k cifs-user') | crontab -

on each machine.
It comes down to me not having anything in place to do this centrally as I can with the LDAP'y things. From what folk are saying here, there's nothing in a default 12.3 install in place so I can just do it.
So, let me get this right; you never installed ssh, rcp/rexec or any of its variants, rsync, the vnc tools, the rdesktop tools. You can't configure XDM, KDM or GDM to use remote login. Oh, right, the vnc tools aren't part of the default install in 12.3 and only one of graphical login would be, but ssh etc etc are all part of the default login. So is perl. I can't recall if the library for remote access is part of the default install. -- Vizzini: INCONCEIVABLE! Inigo: You keep using that word. I do not think it means what you think it means. - The Princess Bride
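Both routes proposed in the thread, the file in /etc/cron.hourly and the crontab line, come with a couple of checks that nobody has spelled out. The script below is an added example, not code from the thread or from openSUSE: merge_crontab/install_hourly_entry install the "@hourly kinit -k cifs-user" line through crontab(1) rather than by appending to the spool file, and do it idempotently so a second rollout never duplicates the entry; check_cron_script is what I would run on a file before letting it into /etc/cron.hourly, where it executes as root. The entry text, the function names and the keepalive file name are my assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread).  Two pieces:
#  1. merge_crontab / install_hourly_entry: the "@hourly kinit -k cifs-user"
#     line installed through crontab(1) instead of "echo >> spool file", and
#     idempotently, so re-running a rollout never duplicates it.
#  2. check_cron_script: checks to make before trusting a file dropped into
#     /etc/cron.hourly, where it will run as root once an hour.

ENTRY='@hourly kinit -k cifs-user'

# merge_crontab CURRENT_TEXT LINE
# Prints CURRENT_TEXT with LINE present exactly once: any existing copies are
# removed and one copy is appended.  Pure text in, text out, so it is testable.
merge_crontab() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1" | grep -vxF -- "$2" || true   # grep exits 1 when nothing is left
  fi
  printf '%s\n' "$2"
}

# install_hourly_entry [LINE]
# Reads the calling user's crontab (root, for the kinit case), merges LINE and
# writes it back through crontab(1), which validates the syntax and keeps the
# spool file's ownership and permissions right.
install_hourly_entry() {
  line=${1:-$ENTRY}
  current=$(crontab -l 2>/dev/null || true)
  merge_crontab "$current" "$line" | crontab -
}

# check_cron_script PATH
# Returns 0 if PATH can go into /etc/cron.hourly as-is; otherwise prints each
# problem and returns 1.  Executable is what makes the hourly runner pick it
# up; group/world writable matters because whoever can edit the file gets to
# run commands as root.
check_cron_script() {
  f=$1
  rc=0
  [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
  [ -x "$f" ] || { echo "$f: not executable (chmod +x)"; rc=1; }
  [ "$(head -c 2 "$f")" = '#!' ] || { echo "$f: no #! interpreter line"; rc=1; }
  if [ -n "$(find "$f" -maxdepth 0 -perm /022)" ]; then
    echo "$f: group or world writable; only root should be able to edit it"
    rc=1
  fi
  return "$rc"
}
```

On a client you would run, as root, either `check_cron_script /etc/cron.hourly/keepalive` before leaving the file in place, or `install_hourly_entry` for the crontab variant; both are safe to repeat.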
On 30/04/13 03:45, Anton Aylward wrote:
lynn said the following on 04/29/2013 06:33 PM:
lynn said the following on 04/29/2013 04:27 PM:
Summary. I want to sit at one computer and copy a file to /etc/cron.hourly on all the clients. Without physically walking to each client, I don't think I can do that.
On 29/04/13 23:16, Anton Aylward wrote:
Oh, wait a minute. Are you telling us that your other machines aren't networked, that you CAN'T copy the script with perl, ssh, rsync ... because, in the absence of a network you *HAVE* to physically walk there?
No. It's AD. We've just switched from nfs to cifs and we need to keep the root cache alive for the automounter.
NFS or CIFS -- it's still a remote mount, which was the point I'm trying to make
Network or not, I still have to go to each client to do something, whether it's install the 2 line script itself or install something which would install it for me. This makes no sense. Did you fail to install ... ssh or rdesktop or vncserver or whatever when you first installed the systems?
I inherited it. I installed nothing apart from the DCs and file servers. It's a school. I'm only there a few hours now and then. I advised them on openSUSE when they replaced their old xp boxes a while back. It's nice to see the kids using Linux where one time there was only windows. It's just that they don't plan anything.
lynn said the following on 04/30/2013 07:15 AM:
On 30/04/13 03:45, Anton Aylward wrote:
lynn said the following on 04/29/2013 06:33 PM:
Network or not, I still have to go to each client to do something, whether it's install the 2 line script itself or install something which would install it for me. This makes no sense. Did you fail to install ... ssh or rdesktop or vncserver or whatever when you first installed the systems?
I inherited it. I installed nothing apart from the DCs and file servers. It's a school. I'm only there a few hours now and then. I advised them on openSUSE when they replaced their old xp boxes a while back. It's nice to see the kids using Linux where one time there was only windows. It's just that they don't plan anything.
Failing to plan is so common; the paternalistic attitudes implicit with many products/vendors ("You don't get fired for buying ...") and many aspects of society (you're giving us the school system as an example so I won't argue) are getting more pervasive.

So, are you also telling us that these people were sophisticated enough that when they installed Linux they did a detailed pick-and-choose of what components were and were not to be included rather than take the defaults, and in doing so *excluded* ssh and other remote access tools? If they were that sophisticated then they are sophisticated enough to be told to go back and install ssh and don't need you there. Heck, you 'advised' them, but if you didn't do the installations then who did?

Now if it were me, I'd do what I've good experience at and PXE'd it all, something like the Linux Terminal Project. A server that dishes out the latest and greatest to all those client workstations. It's well established, well proven and makes administration so much simpler, because somewhere along the line you - or they - are going to be faced with updates and patches and stuff. Having the image managed on a server makes things so much easier and that would mean this whole step and repeat would never have been necessary. The change? Just have those old XP workstations boot PXE rather than from the hard disk. I'll grant you that it all seems strange at first, that is why LTSP is a nicely packaged kit :-) It's worth going off and experimenting -- one server, one workstation -- as it is with anything 'new' to get the feel for it. The same when you buy a new car or light plane.

-- Though force can protect in emergency, only justice, fairness, consideration and co-operation can finally lead men to the dawn of eternal peace. -- Dwight D. Eisenhower
On Tuesday, 2013-04-30 at 17:10 +0200, lynn wrote:
On 30/04/13 13:48, Anton Aylward wrote:
So, are you also telling us, that these people were sophisticated
No. They're teachers.
I told them to deselect the firewall.
That's dangerous, with kids involved. Fortunately, they are not using Windows XP, otherwise they would learn about the "ping of death" and kill one another. Or a plethora of nasty tricks you can read on places >:-P -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On 30/04/13 17:45, Carlos E. R. wrote:
I told them to deselect the firewall.
That's dangerous, with kids involved.
It's the only way with AD. You can't expect users to configure the firewall that comes with openSUSE.
On 4/30/2013 8:45 AM, Carlos E. R. wrote:
I told them to deselect the firewall.
That's dangerous, with kids involved.
It's far less dangerous than most people seem to think. Nothing listening on a port is the same thing as having a firewall. The port is not open. Linux isn't Windows. -- _____________________________________ ---This space for rent---
Hearns, John wrote:
Personally, I would use pdsh to push changes out to a set of servers if I had passwordless access:
Nice. Hmm, I like that - don't think it was around when I set up my config distribution some 6-7 years ago. I'll have to take a closer look. John, I seem to recognise your name, from the Beowulf list maybe? Btw, I used to work just across the road from McLaren, I think it was called Guildford Business Park. -- Per Jessen, Zürich (11.5°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
lynn said the following on 04/29/2013 12:04 PM:
Right that's good enough. I'm going for it. It's just a pity you can't like 'LDAP' this sort of stuff over to all the clients in one fell swoop.
That is what Larry Wall developed Perl for, originally. -- Superstitions typically involve seeing order where in fact there is none, and denial amounts to rejecting evidence of regularities, sometimes even ones that are staring us in the face. --Murray Gell-Mann (Quark and the Jaguar)
On Monday, 2013-04-29 at 16:53 +0200, lynn wrote:
12.3 I want to run a script every hour. I put it in /etc/cron.hourly
Surely it can't be as simple as that. Is there a gotcha?
Yes, as simple as that. Why not? :-) Take the files in "/etc/cron.daily" as guides. -- Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
lynn wrote:
Surely it can't be as simple as that.
If it is, I'm sure they'll fix it with systemd. ;-) Actually, it is, though you have no control over which minute it runs in. I use it to run a check on an IPv6 connection.
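A sanity check to run on a script before dropping it into /etc/cron.hourly, covering the two questions raised in the thread (executable? meant to run as root?) plus what a defender wants on anything cron runs as root. This is an added example, not from the thread; it assumes GNU coreutils (`stat -c`), and the file path and expected owner are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): lint a script destined for
# /etc/cron.hourly. A root cron job that is group- or world-writable is a
# privilege-escalation path, so the mode check matters as much as +x.
# Assumes GNU stat(1) as on openSUSE.

# check_cron_script FILE [OWNER]
# Prints one line per problem found; returns 0 if clean, 1 otherwise.
check_cron_script() {
    f=$1
    owner=${2:-root}
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"
        return 1
    fi
    # run-parts style runners silently skip non-executable files
    if [ ! -x "$f" ]; then
        echo "$f: not executable (chmod +x)"
        rc=1
    fi
    # without an interpreter line the job may not run the way you expect
    if [ "$(head -c 2 "$f")" != "#!" ]; then
        echo "$f: missing #! interpreter line"
        rc=1
    fi
    actual=$(stat -c %U "$f")
    if [ "$actual" != "$owner" ]; then
        echo "$f: owned by $actual, expected $owner"
        rc=1
    fi
    # symbolic mode, e.g. -rwxr-xr-x: position 6 is group write, 9 is other write
    perms=$(stat -c %A "$f")
    case $perms in
        ?????w*|????????w*)
            echo "$f: mode $perms is group/world writable"
            rc=1
            ;;
    esac
    return $rc
}

# Usage: check_cron_script /etc/cron.hourly/myjob && echo "looks fine"
```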
On 29/04/13 13:05, James Knott wrote:
lynn wrote:
Surely it can't be as simple as that.
If it is, I'm sure they'll fix it with systemd. ;-)
Systemd has the equivalent functionality of cron and the at daemon exposed via timer units, which can be either global or per-user. That being said, no changes or wrappers to systemd are planned for cron/at. Those who want to use cron/at can and will be able to continue to use it as is. However, we will probably migrate all /etc/cron.d* scripts that are shipped with the distribution to systemd native timers and then drop cron from the default installation pattern, but it will remain available for people to install if needed.
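The systemd-timer equivalent of an /etc/cron.hourly script, as an added example that is not from the thread or from any openSUSE package. It assumes a oneshot job; the unit name, script path and unit directory are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): generate the .service/.timer pair
# that replaces a script dropped into /etc/cron.hourly. A timer unit only
# fires a service unit of the same name, so both files are needed.

# make_hourly_timer NAME SCRIPT [UNITDIR]
# Writes NAME.service and NAME.timer into UNITDIR (default /etc/systemd/system).
make_hourly_timer() {
    name=$1
    script=$2
    unitdir=${3:-/etc/systemd/system}
    cat > "$unitdir/$name.service" <<EOF
[Unit]
Description=Hourly job: $script

[Service]
Type=oneshot
ExecStart=$script
EOF
    cat > "$unitdir/$name.timer" <<EOF
[Unit]
Description=Run $name every hour

[Timer]
# same cadence as /etc/cron.hourly; for a fixed minute use e.g. *-*-* *:17:00
OnCalendar=hourly
# catch up a run that was missed while the machine was switched off
Persistent=true
# spread the start over 10 minutes so many clients do not all fire at :00
RandomizedDelaySec=10min

[Install]
WantedBy=timers.target
EOF
}

# Afterwards: systemctl daemon-reload && systemctl enable --now NAME.timer
# Check the schedule with: systemctl list-timers
```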
On 04/29/2013 07:29 PM, Cristian Rodríguez pecked at the keyboard and wrote:
On 29/04/13 13:05, James Knott wrote:
lynn wrote:
Surely it can't be as simple as that.
If it is, I'm sure they'll fix it with systemd. ;-)
Systemd has the equivalent functionality of cron and the at daemon exposed via timer units, which can be either global or per-user.
That being said, no changes or wrappers to systemd are planned for cron/at. Those who want to use cron/at can and will be able to continue to use it as is. However, we will probably migrate all /etc/cron.d* scripts that are shipped with the distribution to systemd native timers and then drop cron from the default installation pattern, but it will remain available for people to install if needed.
How long before printing functions are migrated to systemd? And how long before a system registry is made part of systemd? :-) -- Ken Schneider SuSe since Version 5.2, June 1998
Ken Schneider - openSUSE wrote:
How long before printing functions are migrated to systemd? And how long before a system registry is made part of systemd?
Next thing you know, they'll roll Emacs into systemd. ;-)
On 4/30/2013 4:42 AM, James Knott wrote:
Ken Schneider - openSUSE wrote:
How long before printing functions are migrated to systemd? And how long before a system registry is made part of systemd?
Next thing you know, they'll roll Emacs into systemd. ;-)
I thought systemd was already a part of Emacs... It's almost as obtuse. -- _____________________________________ ---This space for rent---
On 29/04/13 23:26, Ken Schneider - openSUSE wrote:
How long before printing functions are migrated to systemd?
That has not been brought to attention yet... haha. No, printers stay in CUPS.
And how long before a system registry is made part of systemd?
I do not like the idea of a registry, not because it is binary-file backed or made by Microsoft; it is because of how I'm guessing it will end up being used: as a helper for lazy daemons with no configuration files and a dump place for all sorts of workarounds for buggy software, just like sysconfig but 10 times worse.
Cristian Rodríguez said the following on 04/30/2013 02:14 PM:
And how long
before a system registry is made part of systemd?
I do not like the idea of a registry, not because it is binary-file backed or made by Microsoft; it is because of how I'm guessing it will end up being used: as a helper for lazy daemons with no configuration files and a dump place for all sorts of workarounds for buggy software, just like sysconfig but 10 times worse.
Ah, you mean like LDAP? -- Last night I played a blank tape at full blast. The mime next door went nuts!