From rdeenen at home.nl Sun Mar 4 16:54:14 2007
From: rdeenen at home.nl (Rolf Deenen)
Date: Sun, 4 Mar 2007 17:54:14 +0100 (CET)
Subject: [Classic-discuss] about tinysofa end of life
Message-ID: <1491.10.1.1.139.1173027254.squirrel@storehouse>

Dear list,

First of all I want to thank all contributors of the tinysofa distribution for the fine distro they've put together. I am very sorry it will disappear. I received the notice in my mailbox just one day after getting my (home) server running :-( . I have a few questions about the "end of life":

- As it seems no updates will be made available. Will the current packages be available for download in the future?
- What happened to "tinysofa"? The last time I looked (a long time ago) there were "tinysofa" and "tinysofa classic". I can't find any trace of tinysofa anymore.
- As tinysofa will cease to exist: what are the most obvious alternatives? Probably Trustix, but perhaps anybody has ideas about others too...

Greetings,
Rolf Deenen


From rdeenen at home.nl Sun Mar 4 16:59:23 2007
From: rdeenen at home.nl (Rolf Deenen)
Date: Sun, 4 Mar 2007 17:59:23 +0100 (CET)
Subject: [Classic-discuss] can't login locally without openldap running
Message-ID: <1500.10.1.1.139.1173027563.squirrel@storehouse>

Hello list,

I have a tinysofa server running with all the "normal" users stored in an LDAP directory. Accounts like "httpd", "postfix" and also "root" are stored locally in "shadow". I have noticed I am unable to login locally as root when LDAP is not running (despite root being a local account). Does anybody know how to let me login without LDAP running? I want to tighten the security of my LDAP directory but I am afraid I will accidentally lock myself out.

Thanks in advance,
Rolf Deenen


From mikael at tinysofa.org Sun Mar 4 17:29:29 2007
From: mikael at tinysofa.org (Mikael Bak)
Date: Sun, 4 Mar 2007 18:29:29 +0100
Subject: [Classic-discuss] about tinysofa end of life
In-Reply-To: <1491.10.1.1.139.1173027254.squirrel@storehouse>
References: <1491.10.1.1.139.1173027254.squirrel@storehouse>
Message-ID: <200703041829.38532.mikael@tinysofa.org>

On Sunday 04 March 2007 17:54, Rolf Deenen wrote:
> Dear list,
>
> First of all I want to thank all contributors of the tinysofa
> distribution for the fine distro they've put together. I am very sorry it
> will disappear. I received the notice in my mailbox just one day after
> getting my (home) server running :-( . I have a few questions about the
> "end of life":
>
> - As it seems no updates will be made available. Will the current packages
> be available for download in the future?

I will still host the tinysofa master repository server. I still hope to collect some interest in continuing the development of this great distribution. Additionally the mirror in Budapest will be online. I don't think the other mirrors will close down if we can announce that we'll continue development to some extent.

> - What happened to "tinysofa"? The last time I looked (a long time ago) there
> were "tinysofa" and "tinysofa classic". I can't find any trace of tinysofa
> anymore.

I don't know either. It just silently disappeared. At least I never saw any notice about it.

> - As tinysofa will cease to exist: what are the most obvious alternatives?
> Probably Trustix, but perhaps anybody has ideas about others too...

Perhaps Trustix, but as a matter of fact tinysofa and Trustix have gone in quite different directions.

If I were you, I'd still be on this list. As I said, I'd like to try to have at least bug fixes and security patches still online for quite some time. Maybe there will be no tinysofa 2.1 or 3.0 in a while, but 2.0 with security fixes and patches should be possible to keep going. At least this is my goal.

Therefore I suggest that everybody who is still interested in having tinysofa classic 2.0 updates and security fixes in the future send a request to me in a private email (so we don't spam the list) with some notes about skills, and I will try to talk to the developers about perhaps restructuring the development process and lifting most of the burden from the 2-4 developers doing all the hard work. I think with a little help we can still keep this boat floating for quite some time :-) At least I hope so.

> Greetings,
> Rolf Deenen

Mikael


From mikael at tinysofa.org Mon Mar 5 08:57:18 2007
From: mikael at tinysofa.org (Mikael Bak)
Date: Mon, 5 Mar 2007 09:57:18 +0100
Subject: [Classic-discuss] can't login locally without openldap running
In-Reply-To: <1500.10.1.1.139.1173027563.squirrel@storehouse>
References: <1500.10.1.1.139.1173027563.squirrel@storehouse>
Message-ID: <200703050957.27303.mikael@tinysofa.org>

On Sunday 04 March 2007 17:59, Rolf Deenen wrote:
> Hello list,

Hi,

> I have a tinysofa server running with all the "normal" users stored in an
> LDAP directory. Accounts like "httpd", "postfix" and also "root" are
> stored locally in "shadow".

You'll also need them in /etc/passwd.

> I have noticed I am unable to login locally as root when LDAP is not
> running (despite root being a local account). Does anybody know how to let
> me login without LDAP running? I want to tighten the security of my LDAP
> directory but I am afraid I will accidentally lock myself out.

Maybe I don't understand your problem. You have lots of users in LDAP and some system users in /etc/passwd and of course /etc/shadow. Why are you turning off the LDAP service?

Perhaps you can check /etc/nsswitch.conf to see in what order "files" and "ldap" appear for passwd, shadow and group. Mine looks something like this:

[snip]
passwd: files ldap
shadow: files ldap
group:  files ldap
[snip]

I can't turn off the LDAP service to check what happens here because this is a heavily loaded server and that would result in the users not being able to access the services. Right now I don't have access to a working LDAP test environment.

> Thanks in advance,
> Rolf Deenen

Please tell us more about your setup.

HTH,
Mikael


From mikael at tinysofa.org Mon Mar 5 10:27:54 2007
From: mikael at tinysofa.org (Mikael Bak)
Date: Mon, 5 Mar 2007 11:27:54 +0100
Subject: [Classic-discuss] can't login locally without openldap running
In-Reply-To: <52354.195.35.224.250.1173088966.squirrel@storehouse.homeip.net>
References: <1500.10.1.1.139.1173027563.squirrel@storehouse>
	<200703050957.27303.mikael@tinysofa.org>
	<52354.195.35.224.250.1173088966.squirrel@storehouse.homeip.net>
Message-ID: <200703051128.01452.mikael@tinysofa.org>

On Monday 05 March 2007 11:02, Rolf Deenen wrote:
> Hi Mikael, list,

Hi,
The list never got your message :-)

> Thanks for the reply. I asked this question because I am concerned that in
> the case of a failure with LDAP (like an error in my security setup,
> locking myself out or a network error preventing openldap from starting, which
> has happened to me in the recent past) I won't be able to login as root to
> troubleshoot and fix the problem. I am not intending to turn off LDAP.

I see.

> To clarify my problem I did the following test today. I am not at home
> now so I did it through ssh. The problem is the same when sitting at the
> console.
>
> 1. Using ssh I log in to the server as root. This works fine.
> 2. As root I execute: service ldap stop.
> 3. Now I start a second ssh session and I try to login as root.
> 4. Now it gives me "access denied". 3 times, then the connection is
> terminated.
> 5. When, in my first ssh session, I start ldap again, I am able to log in
> as root.

First of all, I always turn off the possibility to directly log in as root via ssh. I always have an extra user (in /etc/passwd) who is able to login and then I use "su -" to turn myself into root. This is for security.

I tried exactly what you described. The only difference is that I can't login directly as root. So I did this:

1. ssh to my box as a normal user in /etc/passwd (let's call this user mikael)
2. su -
3. service ldap stop
4. new ssh session and log in as mikael - success
5. su - (su: incorrect password)

If I turn on LDAP again from the other console then I'm able to su -.

It seems to me that it's a problem with root privileges when LDAP is turned off. I will take a look at this.

Can you confirm similar behaviour?
Additionally, can you please check if you're able to log in from the console? I do not have physical access to my machine, so I can't check that.

Mikael


From rdeenen at home.nl Mon Mar 5 10:59:22 2007
From: rdeenen at home.nl (Rolf Deenen)
Date: Mon, 5 Mar 2007 11:59:22 +0100 (CET)
Subject: [Classic-discuss] can't login locally without openldap running
In-Reply-To: <200703051128.01452.mikael@tinysofa.org>
References: <1500.10.1.1.139.1173027563.squirrel@storehouse>
	<200703050957.27303.mikael@tinysofa.org>
	<52354.195.35.224.250.1173088966.squirrel@storehouse.homeip.net>
	<200703051128.01452.mikael@tinysofa.org>
Message-ID: <59066.195.35.224.250.1173092362.squirrel@storehouse.homeip.net>

Hello Mikael,

I am sorry I replied to you directly. I didn't notice. Should we continue this thread on the list?

When writing my last reply I asked myself whether I should make note of the fact that I normally can't login to ssh as root directly, but during testing I had left this option open :-) .

I will verify whether I am able to log in locally this evening and let you know.

Thanks,
Rolf

On Mon, March 5, 2007 11:27, Mikael Bak wrote:
> On Monday 05 March 2007 11:02, Rolf Deenen wrote:
>
>> Hi Mikael, list,
>
> Hi,
> The list never got your message :-)
>
>> Thanks for the reply. I asked this question because I am concerned that
>> in the case of a failure with LDAP (like an error in my security setup,
>> locking myself out or a network error preventing openldap from starting,
>> which has happened to me in the recent past) I won't be able to login as
>> root to troubleshoot and fix the problem. I am not intending to turn off
>> LDAP.
>
> I see.
>
>> To clarify my problem I did the following test today. I am not at home
>> now so I did it through ssh. The problem is the same when sitting at
>> the console.
>>
>> 1. Using ssh I log in to the server as root. This works fine.
>> 2. As root I execute: service ldap stop.
>> 3. Now I start a second ssh session and I try to login as root.
>> 4. Now it gives me "access denied". 3 times, then the connection is
>> terminated.
>> 5. When, in my first ssh session, I start ldap again, I am able to log
>> in as root.
>
> First of all, I always turn off the possibility to directly log in as
> root via ssh. I always have an extra user (in /etc/passwd) who is able to
> login and then I use "su -" to turn myself into root. This is for
> security.
>
> I tried exactly what you described. The only difference is that I can't
> login directly as root. So I did this:
>
> 1. ssh to my box as a normal user in /etc/passwd (let's call this user
> mikael)
> 2. su -
> 3. service ldap stop
> 4. new ssh session and log in as mikael - success
> 5. su - (su: incorrect password)
>
> If I turn on LDAP again from the other console then I'm able to su -.
>
> It seems to me that it's a problem with root privileges when LDAP is
> turned off. I will take a look at this.
>
> Can you confirm similar behaviour?
> Additionally, can you please check if you're able to log in from the
> console? I do not have physical access to my machine, so I can't check
> that.
>
> Mikael


From rdeenen at home.nl Mon Mar 5 19:24:32 2007
From: rdeenen at home.nl (Rolf Deenen)
Date: Mon, 5 Mar 2007 20:24:32 +0100 (CET)
Subject: [Classic-discuss] can't login locally without openldap running
In-Reply-To: <200703051128.01452.mikael@tinysofa.org>
References: <1500.10.1.1.139.1173027563.squirrel@storehouse>
	<200703050957.27303.mikael@tinysofa.org>
	<52354.195.35.224.250.1173088966.squirrel@storehouse.homeip.net>
	<200703051128.01452.mikael@tinysofa.org>
Message-ID: <38384.10.1.1.137.1173122672.squirrel@storehouse>

Hello Mikael, list,

I got exactly the same as you. I did the following:

1.) At the console log in as root.
2.) Create a local user: useradd lclusr
3.) Add a password to the user: passwd lclusr
4.) Verify its existence in /etc/passwd and /etc/shadow. It exists.
5.) Open a second virtual console (ALT-F2).
6.) Login as lclusr. This succeeds. Stay logged in.
7.) In the first (root) console: service ldap stop
8.) On a third virtual console, log in as lclusr again.
9.) Error: Authentication service cannot retrieve authentication info.
10.) Go to the second (still logged in) console.
11.) su to become root: Incorrect password

Over ssh it is exactly the same. Only with openldap stopped and trying a new login as "lclusr" now results in three times "Password:" and after that it says "Permission denied" and it gives a new login prompt.

Rolf Deenen

On Mon, March 5, 2007 11:27, Mikael Bak wrote:
> On Monday 05 March 2007 11:02, Rolf Deenen wrote:
>
>> Hi Mikael, list,
>
> Hi,
> The list never got your message :-)
>
>> Thanks for the reply. I asked this question because I am concerned that
>> in the case of a failure with LDAP (like an error in my security setup,
>> locking myself out or a network error preventing openldap from starting,
>> which has happened to me in the recent past) I won't be able to login as
>> root to troubleshoot and fix the problem. I am not intending to turn off
>> LDAP.
>
> I see.
>
>> To clarify my problem I did the following test today. I am not at home
>> now so I did it through ssh. The problem is the same when sitting at
>> the console.
>>
>> 1. Using ssh I log in to the server as root. This works fine.
>> 2. As root I execute: service ldap stop.
>> 3. Now I start a second ssh session and I try to login as root.
>> 4. Now it gives me "access denied". 3 times, then the connection is
>> terminated.
>> 5. When, in my first ssh session, I start ldap again, I am able to log
>> in as root.
>
> First of all, I always turn off the possibility to directly log in as
> root via ssh. I always have an extra user (in /etc/passwd) who is able to
> login and then I use "su -" to turn myself into root. This is for
> security.
>
> I tried exactly what you described. The only difference is that I can't
> login directly as root. So I did this:
>
> 1. ssh to my box as a normal user in /etc/passwd (let's call this user
> mikael)
> 2. su -
> 3. service ldap stop
> 4. new ssh session and log in as mikael - success
> 5. su - (su: incorrect password)
>
> If I turn on LDAP again from the other console then I'm able to su -.
>
> It seems to me that it's a problem with root privileges when LDAP is
> turned off. I will take a look at this.
>
> Can you confirm similar behaviour?
> Additionally, can you please check if you're able to log in from the
> console? I do not have physical access to my machine, so I can't check
> that.
>
> Mikael
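
The checks the thread points at, written out as an added example that is not code from the list or from the tinysofa project: a POSIX shell script that tests whether "files" is consulted before "ldap" in nsswitch.conf for passwd, shadow and group (Mikael's suggestion), whether the emergency account exists in both passwd and shadow (his "you'll also need them in /etc/passwd"), and, as a third check that goes beyond what the thread establishes, whether a PAM file contains pam_ldap.so lines marked required or requisite, which would make even a local login wait on the LDAP server (an assumption about the cause of the "Authentication service cannot retrieve authentication info" symptom, not something the posters confirmed). Every check takes file paths, so the script runs against constructed sample files rather than the live /etc; the user name lclusr is taken from Rolf's test, and the sample nsswitch, passwd, shadow and PAM contents, the temp directory and all function names are invented for the example. The PAM samples are only inputs for the check, not a recommended stack.

```shell
#!/bin/sh
# Added example, not from the tinysofa list or project. Before stopping slapd
# on a real host, check: "files" precedes "ldap" in nsswitch.conf for
# passwd/shadow/group; the emergency account is in both passwd and shadow;
# and no pam_ldap.so line is required/requisite (assumed cause of the symptom
# in the thread, not confirmed there). All checks take file paths, so they
# run against the constructed samples below instead of the live system.

# nss_files_first CONF DB: succeed if the first "DB:" line in CONF lists
# "files" before "ldap" (or no ldap at all). "compat" is not treated as files.
nss_files_first() {
    awk -v db="$2" '
        $1 == (db ":") && !seen {        # first matching line wins
            seen = 1
            for (i = 2; i <= NF; i++) {  # action tokens like [NOTFOUND=return] are ignored
                if ($i == "files" && !files) files = i
                if ($i == "ldap"  && !ldap)  ldap  = i
            }
        }
        END { exit !(seen && files && (!ldap || files < ldap)) }' "$1"
}

# local_account_present PASSWD SHADOW USER: succeed only if USER has a line in
# both files (an entry in shadow alone is not a usable local account).
local_account_present() {
    grep -q "^$3:" "$1" && grep -q "^$3:" "$2"
}

# pam_ldap_blocking PAMFILE: print every line whose control flag is required
# or requisite and whose module is pam_ldap.so; succeed if at least one exists.
pam_ldap_blocking() {
    awk '$2 ~ /^(required|requisite)$/ && $3 ~ /pam_ldap\.so$/ { found = 1; print }
         END { exit !found }' "$1"
}

# report_lockout_risk CONF PASSWD SHADOW PAMFILE USER: run all three checks,
# print one line per result, succeed only if USER should survive slapd being down.
report_lockout_risk() {
    _rc=0
    for _db in passwd shadow group; do
        if nss_files_first "$1" "$_db"; then echo "ok:   $_db: files before ldap"
        else echo "FAIL: $_db: files not consulted before ldap"; _rc=1; fi
    done
    if local_account_present "$2" "$3" "$5"; then echo "ok:   $5 in passwd and shadow"
    else echo "FAIL: $5 missing from passwd or shadow"; _rc=1; fi
    if pam_ldap_blocking "$4" >/dev/null; then
        echo "FAIL: required/requisite pam_ldap.so in $4"; _rc=1
    else echo "ok:   no blocking pam_ldap.so line in $4"; fi
    return $_rc
}

# --- constructed sample files; none of this is taken from a real host ---
TMP=${TMPDIR:-/tmp}/nsscheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/nsswitch.good" <<'EOF'
# files first, as in the snippet posted on the list
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF
cat > "$TMP/nsswitch.bad" <<'EOF'
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap files
group:      files ldap
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
lclusr:x:1000:1000::/home/lclusr:/bin/sh
EOF
cat > "$TMP/shadow" <<'EOF'
root:$1$constructed$notarealhash:13576:0:99999:7:::
lclusr:$1$constructed$notarealhash:13576:0:99999:7:::
postfix:!!:13576:0:99999:7:::
EOF
cat > "$TMP/pam.blocking" <<'EOF'
auth        sufficient    pam_unix.so nullok
auth        required      pam_ldap.so use_first_pass
account     required      pam_unix.so
account     required      pam_ldap.so
EOF
cat > "$TMP/pam.passthrough" <<'EOF'
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF

# The demo run is deliberately the failing case: NSS order and the account are
# fine, but the PAM stack still makes the local login depend on slapd.
if report_lockout_risk "$TMP/nsswitch.good" "$TMP/passwd" "$TMP/shadow" "$TMP/pam.blocking" lclusr; then
    echo "lclusr can still log in with slapd stopped"
else
    echo "lclusr would be locked out with slapd stopped"
fi
```

Run it against copies of the real files (`cp /etc/nsswitch.conf /etc/passwd /etc/shadow /etc/pam.d/system-auth "$TMP"/` as root, then call `report_lockout_risk` on them) before the live test; and, as both posters did, keep a root session open on another console while slapd is stopped, so a FAIL you did not predict is not also a lockout.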