Hi all.
Some of you have probably noticed that the MUUG server was inaccessible
from the Internet since sometime last Thursday. This was affecting
access not only to the web and FTP services, but also to all the mailman
mailing lists. The problem now appears to be resolved!
The U of M campus network has a packet shaper that sits between the
internal network and the pipe to the commercial Internet. If it detects
too many very heavy traffic flows, it black-lists the host addresses
involved. For some reason, this happened to the MUUG server, possibly
due to a DoS attempt on it... (We're still investigating.)
Anyway, the networking group has now added the MUUG server to an
exceptions list, so this will (hopefully) not happen again.
Sorry for any inconvenience this extended outage may have caused.
--
Gilbert E. Detillieux E-mail: <gedetil(a)muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
Just wondering if anyone else has noticed that Shaw seems to be having
systemic problems with their network?
I've run tests from several different locations and all of them seem
to show significant intermittent packet loss to the first hop
(gateway).
It comes and goes and some days are worse than others but it is persistent.
--
John Lange
www.johnlange.ca
The ballots were collected and the votes counted at last night's MUUG
general meeting, and here (for the sake of those who couldn't be there
in person) are the results.
Your board for the 2010-2011 year will be...
Sean Cody
Trevor Cordes
Gilbert Detillieux
Michael Doob
Robert Keizer
Katherine Scrupa
Doug Shewfelt
Adam Thompson
A big "thank you" to all the nominees who let their names stand for
election, and an even bigger thanks to Kevin McGregor and Montana
Quiring, who resigned from the board this year after many years of
valuable service to the group.
--
Gilbert E. Detillieux E-mail: <gedetil(a)muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
The Manitoba UNIX User Group (MUUG) will be holding its next monthly
meeting on Tuesday, October 12. The meeting topic for this month is
as follows:
The Wireless Neighbourhood
Over three years ago, neighbours and MUUG members Kevin McGregor and
Kelly Leveille thought they had some cool ideas for data sharing
that would work well via a direct link between their homes. They had
briefly experimented with using their broadband Internet connection,
but they were disappointed by the asymmetric connection speeds.
This month, Kelly and Kevin will discuss the hardware, firmware,
topology, trials and tribulations, configuration and eventual
successful implementation of their private, wireless-connected
network. With pictures, and demo-free!
Plus, this month's meeting is the MUUG annual general meeting, which
will include the election of the MUUG board of directors for the
2010-2011 year. You must be a MUUG member in good standing, and be
present at the meeting, in order to vote.
The group holds its general meetings at 7:30pm on the second Tuesday of
every month from September to June. (There are no meetings in July and
August.) Meetings are open to the general public; you don't have to be a
MUUG member to attend.
**********************************************************************
Please note our meeting location: The IBM offices, at 400 Ellice Ave.
(between Edmonton and Kennedy). When you arrive, you will have to
sign in at the reception desk, and then wait for someone to take you
(in groups) to the meeting room. Please try to arrive by about 7:15pm,
so the meeting can start promptly at 7:30pm. Don't be late, or you may
not get in. (But don't come too early either, since security may not
be there to let you in before 7:15 or so.) Non-members may be required
to show photo ID at the security desk.
Limited parking is available for free on the street, either on Ellice
Ave. or on some of the intersecting streets. Indoor parking is also
available nearby, at Portage Place, for $5.00 for the evening. Bicycle
parking is available in a bike rack under video surveillance located
behind the building on Webb Place.
**********************************************************************
For more information about MUUG, and its monthly meetings, check out their
Web server:
http://www.muug.mb.ca/
Help us promote this month's meeting, by putting this poster up on your
workplace bulletin board or other suitable public message board:
http://www.muug.mb.ca/meetings/MUUGmeeting.pdf
--
Gilbert E. Detillieux E-mail: <gedetil(a)muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
On 2010-09-10 Sean Walberg wrote:
> Hey Trevor,
>
> If you're connecting with a password to a compromised box or
> otherwise being hit with an MITM attack, you'll give up your
> password. If you're connecting to the same server with a key, you
> won't compromise your key because the private key isn't sent over the
> channel. It's only used to decrypt a challenge encrypted by the
> public key.
Thanks for the response, sorry for my delay I haven't had time to deal
with this again until now.
I'm using rsa & dsa keys to login. No passwords.
> In both cases, the data channel will also be visible to the attacker.
Oops, that would be bad.
> The .ssh/known_hosts file will work on hostnames, so I'm not sure why
> a change in IP is flagging the host key checks because the key
> shouldn't change.
Hmm, my known_hosts file is almost all IPs (no hostnames) even though
I'm pretty sure I'm connecting with hostnames. The DNS is all dynamic
DNS so the hostname->IP mapping changes a lot (for DSL anyhow).
Maybe I'll look into getting ssh to use hostnames, not IPs, in
known_hosts. Unless, perhaps it is using IPs when it is finding
duplicate hostname/IP tuples.
Your thought about the key was my thought exactly. I'm not sure why it
even needs the tuple at all. Why not just store the key and say "this
key is good no matter the IP/hostname".
> One alternative that might be a good middle ground would be to run
> with both parameters set to "yes". If an event happens, the ssh will
> fail. You could then run some checks to make sure things are OK
Not good for my automated script. It's mission-critical and I would be
bugged several times a day probably (I hate MTS DSL...) with failures.
I really need to FaF.
> ($old_ip != $new_ip) and then do a token "ssh $hostname -o
> StrictHostKeyChecking=no -o CheckHostIP=no /bin/false " which would
> be enough to save the key on your management station. Re-try the ssh
> with full security. Log the event somewhere.
Hmm, perhaps using expect or something to automatically interface with
ssh and check the fingerprint when things fail might be a solution.
You've given me some good ideas.
> I did something similar in the EC2 environment, but I could guarantee
> the IP address was new so there might be some tweaking needed if you
> stomp on a previously known IP.
Perhaps I could make a script to associate dates with IPs and delete
any old ones, or any where it can determine the IP was the last one
used by a certain host.
> There also might be options outside of SSH but that would depend on
> what you're trying to do.
Sounds like the only options will be outside of ssh :-( Not ideal, but
certainly doable.
> On Fri, Sep 10, 2010 at 3:09 AM, Trevor Cordes <trevor(a)tecnopolis.ca>
> wrote:
>
> > What security will I lose by using ssh with:
> > -o StrictHostKeyChecking=no -o CheckHostIP=no
> > ?
> >
> > I have a script that connects automatically to dozens of linux
> > boxen (that I control) on the internet using dsa/rsa keys. Many of
> > these are on MTS DSL and so change their IPs frequently (often
> > many times a week). They all have dynamic dns setup so I can
> > always access them via a DNS domain name (rather than IP).
> >
> > If I use the ssh defaults of StrictHostKeyChecking=ask and
> > CheckHostIP=yes, it mostly works as expected, but sometimes my
> > script will hang with ssh waiting for tty input with the usual:
> >
> > The authenticity of host 'foo.com (141.162.215.81)' can't be
> > established. Are you sure you want to continue connecting (yes/no)?
> >
> > I don't mind this for new boxes where I haven't confirmed the
> > fingerprint yet, but for existing boxes where the IP has changed,
> > it sometimes gives me grief. I can't recall all the particular
> > instances, but the one that just hit me was one of my MTS boxes
> > cycled onto an IP that was previously used by a different box!
> > Seems rather unlikely, but with DSL hanging up all the time, it's
> > bound to happen. I see no way around this occurrence except to use
> > the above -o options to disable all checks.
> >
> > So what attacks am I really opening myself up to with those
> > settings? Is the worst case that a MitM captures my commands? Or
> > is the worst case that they gain my password/key and access to the
> > remote system?
> >
> > What else?
> >
> > It sure would be nice if I could, on my local box, install a key or
> > something from each of the remote boxen and say that I never care
> > about what IP it has at the moment, just check the key and be happy
> > & secure.
> >
> > For all scenarios assume local + remote boxes have not been
> > compromised.
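As an added illustration (not code from the thread), the following Python model of how OpenSSH consults known_hosts shows why the recycled-DSL-IP case above trips a warning when CheckHostIP=yes, why CheckHostIP=no alone makes that case pass while a changed host key is still caught, and why only StrictHostKeyChecking=no silences the latter. Entry names, key strings and IPs are constructed sample values.

```python
# Added example: a simplified model of the known_hosts decision ssh makes.
# Keys are placeholder strings standing in for "ssh-rsa AAAA..." blobs.
from dataclasses import dataclass


@dataclass
class KnownHost:
    names: frozenset  # hostnames and/or IPs listed on one known_hosts line
    key: str          # constructed stand-in for the recorded host key


def lookup(known_hosts, name):
    """Return the key recorded for `name`, or None if no entry names it."""
    for entry in known_hosts:
        if name in entry.names:
            return entry.key
    return None


def verify(known_hosts, hostname, ip, presented_key, check_host_ip=True):
    """Classify a presented host key:
    'ok'          - matches the entry recorded for the hostname
    'new'         - no entry for the hostname (ssh prompts unless
                    StrictHostKeyChecking=no)
    'mismatch'    - hostname is known but the key differs; this is the
                    MITM signal that StrictHostKeyChecking=no throws away
    'ip-mismatch' - hostname matches, but the IP was last seen with another
                    key (the recycled DSL address case); ssh warns here and
                    waits for tty input, which is what hangs a script
    """
    by_name = lookup(known_hosts, hostname)
    if by_name is not None and by_name != presented_key:
        return "mismatch"
    if check_host_ip:
        by_ip = lookup(known_hosts, ip)
        if by_ip is not None and by_ip != presented_key:
            return "ip-mismatch"
    return "ok" if by_name is not None else "new"


# Constructed sample: bar.com was last seen on 141.162.215.81, and foo.com
# has now cycled onto that same address.
KNOWN = [
    KnownHost(frozenset({"foo.com", "141.162.215.99"}), "KEY_FOO"),
    KnownHost(frozenset({"bar.com", "141.162.215.81"}), "KEY_BAR"),
]

if __name__ == "__main__":
    print(verify(KNOWN, "foo.com", "141.162.215.81", "KEY_FOO"))
    print(verify(KNOWN, "foo.com", "141.162.215.81", "KEY_FOO", check_host_ip=False))
    print(verify(KNOWN, "foo.com", "141.162.215.81", "KEY_EVIL", check_host_ip=False))
```

The command-line analogue of the second call is keeping StrictHostKeyChecking=yes and setting only CheckHostIP=no, so the key recorded under the hostname is still enforced while the IP it happens to have today is ignored.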
Hello,
Any suggestions for a decent SIP provider in Canada?
I want a Winnipeg phone number to use for business calls, but I want
it to be VOIP with a soft phone client option. I want people to be
able to call this phone number from their land line/mobile phone.
I would like the softphone client to be non-proprietary (multi-platform).
I don't want to run an Asterisk server in my basement (at this point). ;)
I want it to be reliable.
-Montana
Blog and Aggregation Site:
http://montanaquiring.info
iPhone/Touch Apps I have bought:
http://appshopper.com/feed/user/antikx/myapps