Discuss June 2015

discuss@lists.centos.org

157 participants
170 discussions

LUKS encypted partition using --key-file can only be decrypted with --key-file
by Digimer 15 Sep '15

15 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen. The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase. Is this expected behaviour? That is; If you create an encrypted partition using --key-file, you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong. Thanks for any insight! digimer - -- Digimer Papers and Projects: https://alteeve.ca/w/ What if the cure for cancer is trapped in the mind of a person without access to education? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJU93ZLAAoJECChztQA3mh0swwP/2PX3Y3TmEEIeN7WxWQjnbX0 B+hdp3Yk1PBqaQ/FsOzGsnKnxOUu73fB25gDksEWnNedBru4ayJuYPW644rH8Ivr fS8Pz3y6buGqUaggzsGNaGfDOKtiLOp722OeuPUmaNHnGCE3qJbhE3RKBRrMl4SP Yi/otL8+85cp4isMESOYs3F5qw/osDmmKxktPbULbTrne94EWHHl+9RoSFDZFNCj JBsNE122WUtn+2JPV8it8nlIS/Kzqzv3qGR88lYiBj3y3F+zIbpix/8wyCgRVSw6 /LQwLSTmGKYdvLw2Td7oIqMrW69ZsgujAonnbyx2nl9WN3KSqr799SxL4n2M7ZOj a1MjcLdLr0kM28eu+/A3LyHQRkBVsz7f27e7M+drEVa4OHFS3KuL4EM47xkTGyps veljkNmZ8elL7PX+dmWsVGYyo4XH/bTFDcW8ZLhr+bc55xLplMRrhPNNFGQ+5k3R ev7HRhSqHD9Ub39KTea4WCJOsm0hJJgKYneWYmQJ1aVYmrFMHLJaJBzCqU+W751O GkXvU24eoajNKnIAcY9wrC/WzVru8dM2JwBefcatxCsWFhpcpSyrh0zhCAiZKOga hjskIq/54Il8YyzSVy5Xvwv8WACBUwoiPv6ZqVm3oKRkoZI3E14vVYTcG+b0cPqn S30qAHntsjFA70Hpedt5 =YYFB -----END PGP SIGNATURE-----

3 3

SAMBA as AD DC
by Sergio Belkin 11 Sep '15

11 Sep '15

Hi folks, Is able SAMBA on CentOS 7 to work as Active Directory Domain Controller? If it's not, what is the recommended way of doing? Compiling from sources? Install packages from SerNet? Thanks in advance! -- -- Sergio Belkin http://www.sergiobelkin.com LPIC-2 Certified - http://www.lpi.org

9 14

How to setup own i686 buildenv for CentOS7
by Robin Lee 07 Sep '15

07 Sep '15

Hi, all! How to setup own i686 mock for CentOS7? Or, is there any public i686 repo for CentOS7? I found i686 repo available in internal CentOS building environment, from a root.log from a mock build result[1]. [1] http://buildlogs.centos.org/c7-updates/glibc/20141218212615/2.17-55.el7_0.3… Cheers, -robin

3 5

whois command in c6
by John R Pierce 09 Aug '15

09 Aug '15

the whois command in c6 references whois.v6nic.net for ip addresses in the 43.0.0.0/8 range (and maybe others). v6nic is no longer a valid whois server, any nets delegated to it should instead be delegated to apnic. i have no upstream connections... this change was made in the generic sources for jwhois some time ago I see this fix was introduced in F20 here, https://bugzilla.redhat.com/show_bug.cgi?id=1121512 -- john r pierce, recycling bits in santa cruz

5 7

centos 7.1 and compiz
by Wes James 17 Jul '15

17 Jul '15

I have compiz installed on centos 6.6, and I’ve been testing 7.1, but I can't find any info on installing compiz on 7.1. Is there any info for this or is it not supported yet? Thanks, -wes

3 10

CentOS 7 + Dell Latitude E6420 laptop = thermal shutdown
by deoten 13 Jul '15

13 Jul '15

Hi, Thanks for reading this. I installed CentOS 7 (tried the latest ISO image and the previous build) on the laptop and got to the point where I am logging into the desktop environment and the laptop just shuts down. I check the event log in BIOS and find that a thermal event has occurred and the system powered off to prevent damage. I can take the same laptop with Windows 7 installed and run graphically intensive tests for an hour solid and it doesn't lock up. I installed Ubuntu 15.04 and that seemed solid too. Is this a known issue with CentOS 7? Should I be using a particular boot option? It does not seem to matter whether Gnome or KDE is chosen as the desktop environment. Any help you can provide is appreciated. Thanks.

10 17

PXE question
by isdtor 13 Jul '15

13 Jul '15

I was wondering, where is the format and options of files like /usr/share/system-config-netboot/pxelinux.cfg/default from system-config-netboot-cmd described? There are plenty of PXE tutorials with examples out there, but nothing that looks like actual documentation.

3 3

Re: [CentOS] puppet files denied by SELinux
by Tim Dunphy 12 Jul '15

12 Jul '15

Hi all, Thanks for all your suggestions. Here's where I'm at with this. Can you give details about your puppetmasterd setup ? it seems that > you're using Foreman as puppet ENC. > Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using foreman, sorry I hadn't thought to mention it! > Foreman works fine with selinux enabled : that's what we use for the > centos.org infra :-) > Which version of puppet/foreman are you using ? Note that foreman has > the foreman-selinux package that is used to automatically tune > contexts and booleans needed for this. > You can still reapply those settings with > /usr/sbin/foreman-selinux-{disable,enable,relabel} > There is no need to recompile a custom selinux policy for > foreman/puppet those days > I didn't recompile any custom selinux policies. All I did to try to resolve the issue is to consult audit2allow and install the module it suggested. I did try running /usr/sbin/foreman-selinux-enable but that didn't seem to have an effect. Knowing nothing of your scenario, look at the source and target context. > > Looks like you copied a crt from an nfs location and you don't have a > file context defined to transition labels, maybe something like: > > semanage fcontext -a -t passenger_t "/etc/puppet/environments(/.*)?" > > However, I know nothing of puppets selinux infrastructure, you may need > a more applicable type. > > In these cases, audit2allow can't possibly guess the right thing and will > certainly produce a rule that is either unsafe or simply wrong. > You are correct that I copied the key and cert from an NFS share! Both the puppet server and the monitor1 client share the same /home directory via NFS. Pretty cool that you picked up on that! I do suspect you're probably right that this may be causing the problem. Just on a hunch, I tried copying the certs and keys from the montior1 host over to the puppet host to the /tmp directory on the puppet server. That leaves out NFS altogether. And when I do that, my bacula puppet module WORKS!! Puppet doesn't complain at all! But if I check out another host where I copied the cert and key from the NFS home directory I still get the error: Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor2.mydomain.com.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor2/monitor2.mydomain.com.key Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor2.mydomain.com.crt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor2/monitor2.mydomain.com.crt Also when I try to set context using the line you suggested I get an error: #semanage fcontext -a -t passenger_t "/etc/puppet/environments(/.*)?" ValueError: Type passenger_t is invalid, must be a file or device type So I googled around and found what seems to be the correct syntax: semanage fcontext -a -t passenger_exec_t "/etc/puppet/environments(/.*)?" Because when I applied that line, I didn't get any errors or complaints. However the problem still existed on the monitor2 host which had the key pair copied from the NFS share. So in summary it appears that there is some interaction between SELinux and NFS that is causing the issue. Any thoughts? Thanks, Tim On Sun, Jun 21, 2015 at 11:09 AM, Tim Dunphy <bluethundr(a)gmail.com> wrote: > Yes, you did when you used the audit2allow with the -M option argument >> of "puppet", which is confirmed by the command you issued to try to load >> it "semodule -i puppet.pp" (which you stated in your original message). >> I'm okay with you asserting otherwise and not following my first >> suggestion -- my second is to use a totally different name, e.g., "barf" >> and thus "semodule -i barf.pp". > > > Haha!! Ok man. I get you now. Thanks. Also I meant to send this to the > list.. Whoops! I'll try doing it again with something like 'my' in the > front. I remember having a similar problem with Zabbix last week that I > solved this way. > > On Sun, Jun 21, 2015 at 12:19 AM, Mark Milhollan <mlm(a)pixelgate.net> > wrote: > >> On Sat, 20 Jun 2015, Tim Dunphy wrote: >> >I wrote: >> >> >> That suggests there's already a module named puppet, and thus you are >> >> replacing it with the one you made which does not supply the >> >> puppet_var_lib_t type. Always prefix your own modules with something >> >> that makes them almost certain to be unique, e.g., yourdom_puppet. >> >> >> > >> >No, actually I didn't compile my own selinux module. :) Not sure how you >> >got that idea, but that is not the case. >> >> Yes, you did when you used the audit2allow with the -M option argument >> of "puppet", which is confirmed by the command you issued to try to load >> it "semodule -i puppet.pp" (which you stated in your original message). >> I'm okay with you asserting otherwise and not following my first >> suggestion -- my second is to use a totally different name, e.g., "barf" >> and thus "semodule -i barf.pp". >> >> >> /mark >> > > > > -- > GPG me!! > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B > > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

2 3

ssh -X versus -Y
by Stuart Barkley 06 Jul '15

06 Jul '15

On Fri, 26 Jun 2015 at 03:16 -0000, Alexandru Chiscan wrote: > On 06/25/2015 11:51 PM, Stuart Barkley wrote: > > Then from your desktop (assuming Linux already running X) in a > > local xterm do something like: > > > > ssh -Y remote-system > > Do not use that because any user logged on the server can connect to > your X server display and snoop what you are doing, open windows > etc. > > -Y disables all the X server authentication mechanisms > (http://www.x.org/wiki/Development/Documentation/Security/) I believe this is incorrect. The authentication protocols are still used (thus the need for the xorg-x11-xauth package on CentOS). This is not the same as 'xhost +' which should never be used. Both -X and -Y require read access to the ~/.Xauthority file on the remote system in order to connect back to the X server. You can see this by using the 'xauth remove' command to remove the authentication token for the display and clients can no longer connect. > > Note about -X versus -Y with ssh: > > > > -X enables basic X forwarding, It disables some X functionality > > making it "safer" to allow. -X also stops working after about 20 > > minutes (this is by design but not well documented). I only > > recently learned why it would stop working after pulling out the > > last of my hair. > > I have been using ssh X forwarding for current work use (local > betwork) for more than 15 years and never got into this kind of > problem from RH 7 to Centos 7, AIX and Solaris. Likewise, I've used ssh/X for 20+ years on a variety of systems. In most cases -X is sufficient, but some applications seem to require -Y and I have not dug into all of the reasons. > Maybe it is some other issue that is closing your ssh connection > (maybe you should use the KeepAlive options on the ssh > server/client); just guessing. On Debian and FreeBSD 'man ssh_config' now shows: ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config(5). X11 connections received by ssh(1) after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. This option seems to have appeared in OpenSSH 6.0 [See more at the end of this email]. > > -Y allows the full X protocol which might be a security risk. > > Some applications will only work with -Y. With this, remote X > > applications can grab keyboard interactions, grab passwords, put > > windows on top of other windows (obscuring security messages), > > etc. > > > > For my own choice I use -Y (although I only enable it occasionally > > to specific systems). This is a recent behaviour change on my part with limited use to system I trust. Now that I know about the timeout I can probably just live with -X and will consider moving back to -X for my occasional use, The documentation of the practical differences between -X and -Y is pretty obscure (mostly defering to the X Security extension documentation). I would like to see better clarification of the differences. ...some additional research looking at the source code and revision history... The ForwardX11Timeout change was 5 years ago in OpenSSH 6.0. CentOS 6 still has OpenSSH 5.3 without this change (or if a patch was applied the documentation was not also patched). CentOS 7 has OpenSSH 6.6 which includes this change. http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?… Prior to that there was an intended hard coded 20 minute timeout since at least 2005: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?… Based upon the comments in the June 2010 revision it appears that the timeout was not working correctly and perhaps was falling back to trusted authentication after 20 minutes: Add X11ForwardTimeout option to specify timeout for untrusted X11 authentication cookies to avoid fallback in X11 code to fully-trusted implicit authentication using SO_PEERCRED described at: http://lists.x.org/archives/xorg-devel/2010-May/008636.html After the X11ForwardTimeout has expired the client will now refuse incoming X11 channel opens. I will need to see it this is an unpatched security issue on CentOS/RedHat 6. If so, I claim credit for observing it as a possibility. Stuart -- I've never been lost; I was once bewildered for three days, but never lost! -- Daniel Boone

5 6

OT Advantage of running DNS server?
by Timothy Murphy 05 Jul '15

05 Jul '15

What is the advantage, if any, of running one's own DNS server? Surely the link between domain name and IP address must already have been established? -- Timothy Murphy gayleard /at/ eircom.net School of Mathematics, Trinity College, Dublin

7 6

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss June 2015