I constantly get my users complaining that their FTP server isn't working because port 20 incoming isn't open. I've had to start sending them a diagram of how FTP works.
It is quite common to turn on agent and X11 forwarding in ssh_config though, and then there is a point to those options (and I guess they don't hurt).
Agent forwarding should be selectively enabled only for hosts that you trust completely. A root user on the remote host can use your credentials for as long as you are connected.
Something like pastebin would have been useful.
http://pastebin.com/
of course
I don't think that's obvious. Remote file completion using scp has been working (with the correct packages) for a while now. Here's a bug report for a regression where it used to work, but then something changed and broke the behavior going from Jaunty to Karmic (Major Ubuntu releases.)
https://bugs.launchpad.net/ubuntu/karmic/+source/bash-completion/+bug/449349
Have they fixed the bug with ChrootDirectory on Mac OS X? On that system / is group writeable and that fails some sanity check.
Don't really know, as I haven't had a need to do much advanced configuration on OS X sshd. Sounds like a strange bug, though.
Also it seemed a while back that I would be able to use sftp even if sftp was disabled on the server.
Is there really a point to disabling sftp? If you have the filesystem-level permissions, you can perform those operations through SSH.
"get" a file: ssh remote "cat rfile" > lfile
"put" a file: ssh remote "cat > rfile" lfile
And if the admin does some tricky things to only allow certain commands to be executed from the SSH session, they probably aren't stopping those commands from being called through the shell.
Are you sure they're going through the proxy out of the box? My Firefox had that configuration knob set to "false" by default, and DNS queries are definitely hitting my company's DNS server.
If I tune the knob to true, they go through the proxy.
Both cases verified with tcpdump.
Arguably, running one less service would be nice. Also, OpenSSH's chrooting is pretty painless for sftp (though arguably, proper chrooting mostly precludes the need for read-only service--having your server read-only does add another layer of security.)
Doesn't that tab completion only work if your key is either not protected by a passphrase or cached by ssh-agent? Unfortunately, the policy where I work is that you cannot cache credentials like that, and they must be protected by a passphrase. The new features are actually good for me!
Could you not do this with a combination of Match User and ForceCommand directives? Something like:
Match User anonymous
    ForceCommand sftp-server -R
    ChrootDirectory /home/anonymous
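Added here as an illustration, not taken from any of the comments above: a POSIX sh check that applies the rule sshd enforces on ChrootDirectory (every path component, from / down, must be a root-owned directory that is not group- or world-writable), which is the sanity check a group-writable / trips. It assumes GNU stat with BSD/macOS stat as a fallback; the function and script names are made up for the example.

```shell
#!/bin/sh
# Every component of a ChrootDirectory path, from / down, must be a directory
# owned by root and not writable by group or other, or sshd rejects the login.

# Print "<uid> <octal mode>"; GNU stat first, BSD/macOS stat as the fallback.
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# True (exit 0) when an octal permission string has a group or other write bit.
writable_by_group_or_other() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Check one component; print a diagnostic and return 1 on any problem.
check_component() {
    p=$1
    [ -d "$p" ] || { echo "FAIL $p: not a directory"; return 1; }
    set -- $(stat_uid_mode "$p")            # $1 = uid, $2 = mode
    [ -n "$2" ] || { echo "FAIL $p: stat failed"; return 1; }
    if [ "$1" -ne 0 ]; then
        echo "FAIL $p: owned by uid $1, must be root"
        return 1
    fi
    if writable_by_group_or_other "$2"; then
        echo "FAIL $p: mode $2 is group/other writable"
        return 1
    fi
    echo "ok   $p (uid $1, mode $2)"
}

# Walk every prefix of the path: "/", "/home", "/home/anonymous", ...
check_chroot_dir() {
    ok=0
    check_component / || ok=1
    path=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        case $rest in
            */*) comp=${rest%%/*}; rest=${rest#*/} ;;
            *)   comp=$rest;       rest="" ;;
        esac
        [ -n "$comp" ] || continue          # skip empty components from "//"
        path="$path/$comp"
        check_component "$path" || ok=1
    done
    return $ok
}

# Usage: sh check_chroot.sh /home/anonymous
[ $# -eq 0 ] || check_chroot_dir "$1"
```

Run it against the directory named in ChrootDirectory before restarting sshd; the first FAIL line names the component that would make the login be refused.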
What's happened is that the fringe players added support for a codec that no one uses, and the big guns realize how pointless that is and have decided not to.
Big guns? Who?
Microsoft is obviously a big gun. No argument.
Apple is a big gun these days, too. They push a lot of development due to webkit, which covers almost all of the mobile market, and through their push for HTML5. They very obviously have a lot of clout, both on the standards boards and in browser development. Mobile browser developers follow their lead quite a bit.
Though I'll grant you that their marketshare is lower (Chrome recently pulled into third behind Mozilla and all versions of IE), Apple is most certainly a big player in this market. I'd argue that they have more power over the web than Mozilla does.
That's pretty neat. My fingers aren't limber enough to use emacs, though :)
No one said that Apple was big-hearted. But let's face it. Flash is a steaming pile. Very recently, it's been implicated as the cause of most OS X crashes, as well as the best vector of attack for web malware. It's installed on almost every computer that surfs the web. It's a huge resource hog, and incidentally, most flash video players are just streaming down h.264.
Now last I'd heard, Microsoft had no intention of supporting video tags in IE. Firefox can't support h.264 (though a plugin could.) But Safari does. So it is certainly clear that Apple is the big winner here, and any fighting that they are doing is certainly in their own interests. But it may still help out people interested in using other browsers eventually.
In fact, speaking of an unencumbered codec, have you noticed that Safari, by deliberate choice, does not support Ogg Theora?
Safari, by deliberate choice, also does not support Vi keystrokes. Nor do they support, by deliberate choice, reading the contents of your flash drive directly from the browser.
Microsoft is blissfully quiet on the matter and doesn't support either yet. But Safari? The odd man out, the only browser that could support both and has chosen not to.
Doublethink alert. Microsoft could support both, and has chosen not to. Windows 7 ships with h.264. Apple/Safari is not the odd man out. What's happened is that the fringe players added support for a codec that no one uses, and the big guns realize how pointless that is and have decided not to.
Did they? I didn't hear about the DRM until after the game was released. If I had not been waiting until it came down in price a bit, I might have purchased it based upon the merits of the first game and some early reviews which didn't mention the DRM.
I might even have failed to notice the small print which said that an Internet connection was needed in order to play it. I certainly wouldn't have expected that to be a requirement.
I bet a lot of people had no idea. This might do more to kill gaming on the PC than DRM, though.
Slashdot uses Micropayments, and apparently you don't subscribe to them.
$5 for 1000 page views. With the D2 discussion system, you don't even load pages to get new comments. It's a pretty good deal.
I used to feel the same way. But really, moving the port lets you focus on the real threats.
Look at it this way: if you are being targeted with a sophisticated hack, any dangerous attempts to log in to port 22 will get lost in the massive amount of bot traffic. But if your SSH server is on port 12344, then the reports in your logs will be more meaningful. You'll know that someone was conducting real reconnaissance and you can start worrying. There's no reason that you can't change the port as well as requiring keys to log in.
Relying on a secret port is security through obscurity. Utilizing a non-standard port to filter out bot traffic in your logs so that you know when you're really being attacked is actually fairly smart. Sure, maybe one day the bots will start port-scanning first, but for now, it's sound.
Adapting to it is as simple as adding a -p argument to your ssh command.
Even better, add it to your SSH config:
$ cat .ssh/config
Host sancho
Hostname sancho.dyndns.org
Port 12344
User sancho
Now typing "ssh sancho" takes care of my connection, including using the correct hostname, username, and port. Most, if not all command line arguments can be stored in your .ssh/config.
"All shipping Android phones" is a somewhat silly claim to make. Do you tell your clients that your desktop software will run "on all shipping Windows laptops?" Your testing costs must be through the roof. It's amazing that anyone makes any money in this field.
His point is from a flawed premise. The Android emulator lets you target any version of Android with any version of the software. They could have spent 0 in purchase costs in order to effectively test on every conceivable hardware platform. They set unreasonable testing criteria, paid too much to fulfill it, and now they're complaining about it.
Not to mention that disks haven't actually written "zeros and ones" as such for at least 15 years, which is why a single pass of /dev/zero will wipe a recentish disk beyond recovery.
I don't see how that follows. Could you elaborate?
It doesn't matter. Do you think they'd be more careful with DRM?
The fact is, the software phoned home to the server. Doesn't matter why, but if you want to go down that road, it was for something that ostensibly benefits the user. Phone-home DRM provides absolutely no benefit to the user, but has the same potential for screwing up.
He's talking about Java. Does Java have a KeyPressed event?
Are they really trying to kill gaming on all platforms?
I don't know, but they've pretty well made me decide not to get a PS3. I was waffling, so I know I'm not their target demographic in the first place, but I'm frankly sick of phone-home DRM. Here's a perfect example of it failing and locking out legitimate users.
That you know of.
Please link to that post. I never once mentioned the Crusades.
The ones I've interacted with. Every one.
It is your condemnation and interpretation of their beliefs.
Well, no. It's my repetition of their own words.
But in the end, my point got lost in the shuffle. My point is that there are quite a few people who think that if this kid was actually popping pills, then the way he was discovered is irrelevant and a "liberal conspiracy" to get people in trouble who are just looking out for the kids.
But I guess if I can't prove to you that a substantial number of people feel this way, you'll just say I'm bigoted.