Hi list!
Here is some stuff about the new servers.
I installed the three 1U Celeron 600 servers with Debian testing, after a short talk on #mediawiki about what to install. The configuration is the following : - 20Gb HD divided in 3 parts : 100Mb for /boot (ext2), 2Gb for swap and the rest for / (xfs) - minimum install. I just added ntp to keep the time and ssh to allow developers to set up the squid remotely - vi and emacs both installed to avoid trolls ;) - net access through eth1 using dhcp and my home computer connection. I reserve eth0 for the colo - timezone is GMT+0 and locale is US
The first thing needed to be done is to give the developers access to the machine to set up the squid. So i need to know who needs access, and who needs root access. For everyone i'll create an account. These people will have to send me their public ssh key that i will put in ~/.ssh/authorized_keys . For the people with root access, i'll send the password of each server (preferably different passwords or the same password? Who said paranoid? ;) ) through a secure channel (anyone knows a « GPG for the dummies? » for me?). The access to the server is made by dnat through my computer. If some more ports need to be open to test the squids, i can do that in 10 seconds upon request. My connection is 5.5Mbps/384kbps, i hope it is sufficient. I also can't sleep with the noise of 4 computers near my bed so i turn them off during the night (from 2h00 to 10h00, Paris time, very approximatively), but during the remaining of the day all computers can be turned on with no problem.
If things go well, i think it would be a good idea to buy quite fast some more RAM before I bring the computers to the colo. Right now, they only have 128Mb each.
About the 6-Xeon, it is laying in my room now, waiting for someone to pick it up. I was told it runs Mandrake 10 (installed by Mandrakesoft to make the tests) and installation of a different OS can apparently only be done by pxe.
If i am not clear in what i said, just ask, i'm often on irc (especially in the evening, from 22h00) #fr.wikipedia and #mediawiki . I'm also ready to do things differently if necessary.
Med
On Sat, 24 Jul 2004 18:47:15 +0200, Médéric BOQUIEN mederic.boquien@laposte.net wrote:
For the people with root access, i'll send the password of each server
Not trying to start a flame-war or anything.. but I really suggest just using RSA/DSA keys for root access as well.
The traditional policy of "log in as a regular user, then su to root" is actually less secure than just using key access. People only stick with it because of inertia.
In ye olden days before strong public key encryption, passwords were sent in plaintext, so it made sense not to log in directly as root (to make things slightly more difficult for packet sniffers).
Using su is more secure than direct login with plaintext passwords. But we don't use plaintext passwords anymore. We use strong encryption. Strong encryption is more secure than su. Using su is a security risk nowadays. Your security is only as strong as the weakest link, and su is a weak link.
If somebody compromises a user account capable of using su, then it's trivial to modify that user's PATH and put in a fake su script that spoofs a failed login, sends the password to Bad Guy, and then removes all traces of itself.
It also makes it simpler to add or remove root access, if you only have to worry about changing the authorized_keys file, rather than changing the password and re-notifying everyone. Passwords are a security risk, and should basically never be used (I actually disable password logins entirely on most of my production machines, and force everybody to use pub keys for everything).
Just my $0.02 (US).
-Bill Clark
Le Sunday 25 July 2004 23:52, Bill Clark a écrit :
On Sat, 24 Jul 2004 18:47:15 +0200, Médéric BOQUIEN
mederic.boquien@laposte.net wrote:
For the people with root access, i'll send the password of each server
Not trying to start a flame-war or anything.. but I really suggest just using RSA/DSA keys for root access as well.
And just to add my 2 bits, you want to use sudo whenever possible.
Yann
On Mon, 26 Jul 2004 10:45:02 +0200, Yann Forget yann@forget-me.net wrote:
And just to add my 2 bits, you want to use sudo whenever possible.
Yes, if sudo does the job, that's the best solution of all.
(Of course, we're not talking about "sudo bash" right? That's crazy talk!)
-Bill Clark
Médéric BOQUIEN mederic.boquien@laposte.net writes:
password of each server (preferably different passwords or the same password? Who said paranoid? ;) ) through a secure channel (anyone knows a « GPG for the dummies? » for me?). The access to the server is made by dnat
This article may be helpful for you :
Médéric BOQUIEN mederic.boquien@laposte.net writes:
password of each server (preferably different passwords or the same password? Who said paranoid? ;) ) through a secure channel (anyone knows a « GPG for the dummies? » for me?). The access to the server is made by dnat
This article may be helpful for you :
wikitech-l@lists.wikimedia.org