*Condor has quit (Ping timeout: 256 seconds) | May 08 04:10 |
schestowitz | >> Subject: Fwd: Possible Collaboration | May 08 05:29 |
schestowitz | >> Another time waster or is it worth it? | May 08 05:29 |
schestowitz | > Too little info to say. A plaintext or non-PDF CV would be interesting. | May 08 05:29 |
schestowitz | > Hi Dr Roy, | May 08 05:31 |
schestowitz | > | May 08 05:31 |
schestowitz | > I saw your profile through your Twitter account, I've been learning | May 08 05:31 |
schestowitz | > Software Development on my own, and I noticed you offer Software | May 08 05:31 |
schestowitz | > Development services. I was wondering if I could join your team as an | May 08 05:31 |
schestowitz | > Intern. I'm willing to provide more information about myself. | May 08 05:31 |
schestowitz | Hi, | May 08 05:31 |
schestowitz | We recently had someone volunteering herself for an internship. After we invested hours teaching her things and preparing, she produced nothing at all, so we want some sort of commitment from an intern, assuring it will result in practical things. Do you want to do writing or coding? Have you done internships before? | May 08 05:31 |
schestowitz | > Adding to the backlog, TM is using a very weak, deprecated ssh-rsa | May 08 05:41 |
schestowitz | > public key algorithm for host authentication: | May 08 05:41 |
schestowitz | > | May 08 05:41 |
schestowitz | > $ ssh -o HostKeyAlgorithms=-xxxxxxx | May 08 05:41 |
schestowitz | > Unable to negotiate with xxxport 22: no matching host key type | May 08 05:41 |
schestowitz | > found. Their offer: ssh-rsa,ssh-dss | May 08 05:41 |
schestowitz | > | May 08 05:41 |
schestowitz | > TR is ok, as far as I can tell. | May 08 05:41 |
schestowitz | Is this applicable only to passwordless logins? | May 08 05:41 |
schestowitz | Re: TM and old host keys | May 08 05:41 |
schestowitz | >> Is this applicable only to passwordless logins? | May 08 06:19 |
schestowitz | > Those would be user keys not host keys. | May 08 06:19 |
schestowitz | Security wise, with that VM that's not firewalled, I don't even think that's the greatest of threats. Surely we need a plan of upgrades. We need to think about | May 08 06:19 |
schestowitz | -Drupal upgrade (or shift to another CMS, which might not scale well because there are many nodes) | May 08 06:19 |
schestowitz | -OS upgrade | May 08 06:19 |
schestowitz | -move away from VMs, e.g. to containers | May 08 06:19 |
schestowitz | The upside is, the VMs now seem more stable. I reckon the software update to qemu et al. achieved this. But we still need sudoers fixed. I keep pushing for that to happen... I suppose until something is very urgent (like HV/VM down) that won't happen... | May 08 06:19 |
schestowitz | > Host keys are the keys that TM uses to authenticate itself to any of us | May 08 06:19 |
schestowitz | > as we try to log in and are where this problem manifests. So, this | May 08 06:19 |
schestowitz | > shortcoming is related to all logins connecting to TM, whether using | May 08 06:19 |
schestowitz | > password authentication or key-authentication. It makes it relatively | May 08 06:19 |
schestowitz | > easy, computationally, to imitate TM for a MitM when authenticating with | May 08 06:19 |
schestowitz | > passwords: | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > "If the host key verification fails and no other | May 08 06:19 |
schestowitz | > supported host key types are available, the server | May 08 06:19 |
schestowitz | > software on that host should be upgraded." | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > https://www.openssh.com/txt/release-8.2 | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > and linked to from there: | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > "Therefore, the same attacks that have been practical | May 08 06:19 |
schestowitz | > on MD5 since 2009 are now practical on SHA-1. In | May 08 06:19 |
schestowitz | > particular, chosen-prefix collisions can break signature | May 08 06:19 |
schestowitz | > schemes and handshake security in secure channel | May 08 06:19 |
schestowitz | > protocols (TLS, SSH). We strongly advise to remove SHA-1 | May 08 06:19 |
schestowitz | > from those type of applications as soon as possible." | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > https://eprint.iacr.org/2020/014.pdf | May 08 06:19 |
schestowitz | Sensitivity of data on that server is limited to user accounts with /hashed/ passwords. AFAIK, there's no direct route from it to TR, only the other way around. | May 08 06:19 |
schestowitz | > CentOS has one update [1] available which predates [2] the above warning | May 08 06:19 |
schestowitz | > by a year. There appear to have been no further updates for that | May 08 06:19 |
schestowitz | > package on CentOS, even in regards to sha-1 versus rsa-sha2-256/512. | May 08 06:19 |
schestowitz | > | May 08 06:19 |
schestowitz | > [1] $ yum info openssh-server | May 08 06:19 |
schestowitz | > Loaded plugins: fastestmirror, security | May 08 06:19 |
schestowitz | > Repository 'addons' is missing name in configuration, using id | May 08 06:20 |
schestowitz | > Loading mirror speeds from cached hostfile | May 08 06:20 |
schestowitz | > * base: mirrors.ocf.berkeley.edu | May 08 06:20 |
schestowitz | > * extras: mirror.chpc.utah.edu | May 08 06:20 |
schestowitz | > * updates: mirror.lax.genesisadaptive.com | May 08 06:20 |
schestowitz | > Installed Packages | May 08 06:20 |
schestowitz | > Name : openssh-server | May 08 06:20 |
schestowitz | > Arch : x86_64 | May 08 06:20 |
schestowitz | > Version : 5.3p1 | May 08 06:20 |
schestowitz | > Release : 118.1.el6_8 | May 08 06:20 |
schestowitz | > Size : 702 k | May 08 06:20 |
schestowitz | > Repo : installed | May 08 06:20 |
schestowitz | > From repo : updates-copilotco | May 08 06:20 |
schestowitz | > Summary : An open source SSH server daemon | May 08 06:20 |
schestowitz | > URL : http://www.openssh.com/portable.html | May 08 06:20 |
schestowitz | > License : BSD | May 08 06:20 |
schestowitz | > Description : OpenSSH is a free version of SSH (Secure SHell), a program for | May 08 06:20 |
schestowitz | > : logging into and executing commands on a remote machine. This | May 08 06:20 |
schestowitz | > : package contains the secure shell daemon (sshd). The sshd daemon | May 08 06:20 |
schestowitz | > : allows SSH clients to securely connect to your SSH server. | May 08 06:20 |
schestowitz | > | May 08 06:20 |
schestowitz | > Available Packages | May 08 06:20 |
schestowitz | > Name : openssh-server | May 08 06:20 |
schestowitz | > Arch : x86_64 | May 08 06:20 |
schestowitz | > Version : 5.3p1 | May 08 06:20 |
schestowitz | > Release : 124.el6_10 | May 08 06:20 |
schestowitz | > Size : 330 k | May 08 06:20 |
schestowitz | > Repo : updates | May 08 06:20 |
schestowitz | > Summary : An open source SSH server daemon | May 08 06:20 |
schestowitz | > URL : http://www.openssh.com/portable.html | May 08 06:20 |
schestowitz | > License : BSD | May 08 06:20 |
schestowitz | > Description : OpenSSH is a free version of SSH (Secure SHell), a program for | May 08 06:20 |
schestowitz | > : logging into and executing commands on a remote machine. This | May 08 06:20 |
schestowitz | > : package contains the secure shell daemon (sshd). The sshd daemon | May 08 06:20 |
schestowitz | > : allows SSH clients to securely connect to your SSH server. | May 08 06:20 |
schestowitz | > | May 08 06:20 |
schestowitz | > | May 08 06:20 |
*TechBytesBot (~b0t@199.19.78.19) has joined #techbytes | May 08 06:20 |
TechBytesBot | Hello World! I'm TechBytesBot running phIRCe v0.75 | May 08 06:20 |
schestowitz | > [2] | May 08 06:20 |
schestowitz | > https://centos.pkgs.org/6/centos-updates-x86_64/openssh-server-5.3p1-124.el6_10.x86_64.rpm.html | May 08 06:21 |
-TechBytesBot/#techbytes-centos.pkgs.org | openssh-server-5.3p1-124.el6_10.x86_64.rpm CentOS 6 Download | May 08 06:21 |
schestowitz | TBH, we probably ought to leave CentOS behind, and the sooner the better, depending on when kaniini finds time, because he wants to use containers in Alpine. One for each CMS, e.g. wiki, WordPress... | May 08 06:21 |
*Condor (~freenode@e1.nixmagic.com) has joined #techbytes | May 08 06:50 |
*rianne_ has quit (Ping timeout: 256 seconds) | May 08 13:18 |
*rianne_ (~rianne@host81-154-174-226.range81-154.btcentralplus.com) has joined #techbytes | May 08 13:18 |
*liberty_box has quit (Ping timeout: 264 seconds) | May 08 20:01 |
*rianne has quit (Ping timeout: 264 seconds) | May 08 20:01 |
*liberty_box (~liberty@host81-154-174-226.range81-154.btcentralplus.com) has joined #techbytes | May 08 20:13 |
*rianne (~rianne@host81-154-174-226.range81-154.btcentralplus.com) has joined #techbytes | May 08 20:13 |
Generated by irclog2html.py 2.6 by Marius Gedminas - find it at mg.pov.lt!