Re: tls
by Patrick Dupre
> ----- Original Message -----
> From: Matthew J. Roth
> Sent: 09/09/13 11:24 PM
> To: Community support for Fedora users
> Subject: Re: tls
>
> >>> Patrick Dupre wrote:
> >>>
> >>> ssh works fine. However, I have a possible explanation.
> >>> This machine is behind a firewall and to be able to make ssh, I
> >>> had to ask to have the ssh port open. Probably, the ftp port is
> >>> closed. Should I ask to have it open to use ssl/tls?
> >>> Is it port 21? or 990? how can I check the port 22 is open
> >>> while the other ones are closed on the firewall (I do not have
> >>> admin access to this machine).
> >>
> >> Matthew J. Roth wrote:
> >>
> >> Do you have a compelling reason to use FTPS? If not, SFTP provides the same
> >> functionality (encrypted file transfers) and it runs over SSH, so it should
> >> *just work* in your environment.
> >
> > Patrick Dupre wrote:
> >
> > Yes, I know, but ssh/tls seems more secure!
Thanks, Matthew.
I probably need to learn more about how to use sftp to have the most secure
transfers using my own key.
>
> Patrick,
>
> Both FTPS and SFTP utilize essentially the same techniques to secure a
> connection and provide similar levels of security. FTPS has a slight edge
> when it comes to authentication, because it uses X.509 certificates while SFTP
> uses SSH keys. However, this is only relevant if personally verifying the
> authenticity of keys (e.g. issuing a key yourself or verbally confirming its
> fingerprint by phone) isn't sufficient and you require a CA to verify the
> authenticity of certificates instead.
>
> On the other hand, SFTP is easier to administer from a network perspective
> since only port 22/tcp must be opened in the firewall. This is the same port
> used by SSH, so in many cases (including yours) it's already open.
>
> In my opinion, FTPS is slightly less secure than SFTP because its risks (running
> an additional daemon and opening multiple firewall ports) outweigh its benefit
> (X.509 authentication). Considering that SFTP is probably already available on
> your computer (it's enabled by default), it's the obvious choice unless you
> absolutely require X.509 authentication for file transfers.
>
> Regards,
>
> Matthew Roth
> InterMedia Marketing Solutions
> Software Engineer and Systems Developer
> --
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
===========================================================================
Patrick DUPRÉ | | email: pdupre(a)gmx.com
Laboratoire de Physico-Chimie de l'Atmosphère | |
Université du Littoral-Côte d'Opale | |
Tel. (33)-(0)3 28 23 76 12 | | Fax: 03 28 65 82 44
189A, avenue Maurice Schumann | | 59140 Dunkerque, France
===========================================================================
10 years, 9 months
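The port question raised in this thread can be answered from the client side without admin access to the firewall. The sketch below is an added example, not part of the original messages; `probe`, `survey` and the service labels are names chosen here, and it assumes you run it against your own server.

```python
import socket

# Ports raised in the thread; the service labels are this example's annotations.
THREAD_PORTS = {
    21: "FTP / explicit FTPS control",
    22: "SSH / SFTP",
    990: "implicit FTPS control",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from this client.

    'open'     - handshake completed: a daemon listens and the path is clear
    'closed'   - connection refused (RST): usually no daemon on that port,
                 though a firewall set to reject with a reset looks the same
    'filtered' - timeout or unreachable error: the usual sign of a firewall
                 silently dropping the traffic
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise  # the name did not resolve: says nothing about the port
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and "no route to host"
        return "filtered"


def survey(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, state in survey(target).items():
        print(f"{port:>4}/tcp  {state:<9} {THREAD_PORTS[port]}")
```

An open control port does not prove FTPS will work: the data connections use further ports, which is the "multiple firewall ports" cost described in the reply above.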
Video Driver locking boot process
by Mickey
Fedora 18
Failed to start Wait for Plymouth Boot Screen to Quit.
Systemctl Status- Plymouth-quit-wait.service.
I'm sure it is the Video driver I installed using Fedora-utils.
How can I disable this so I can get back into Desktop to use
Fedora-utils to uninstall the driver ?
It is not the Nvidia driver.
10 years, 9 months
Re: tls
by Patrick Dupre
> ----- Original Message -----
> From: Matthew J. Roth
> Sent: 09/09/13 04:55 PM
> To: Community support for Fedora users
> Subject: Re: tls
>
> Patrick Dupre wrote:
> >
> > ssh works fine. However, I have a possible explanation.
> > This machine is behind a firewall and to be able to make ssh, I
> > had to ask to have the ssh port open. Probably, the ftp port is
> > closed. Should I ask to have it open to use ssl/tls?
> > Is it port 21? or 990? how can I check the port 22 is open
> > while the other ones are closed on the firewall (I do not have
> > admin access to this machine).
>
>
> Patrick,
>
> Do you have a compelling reason to use FTPS? If not, SFTP provides the same
> functionality (encrypted file transfers) and it runs over SSH, so it should
> *just work* in your environment.
Yes, I know, but ssh/tls seems more secure!
>
> Regards,
>
> Matthew Roth
> InterMedia Marketing Solutions
> Software Engineer and Systems Developer
10 years, 9 months
Kernel 3.11 and Fedora 19...
by Fernando Cassia
Hi folks,
A few questions considering the nice improvements [1] in Kernel 3.11
1. Is there a kernel spec file for Fedora 19 that could be used to compile
a 3.11 kernel with the same build parameters as the F19 one?
2. Which kernel does F20 expect to use?
3. Anyone on this list running kernel 3.11 with F19? Did you build it
yourself or did you use one provided by someone else? In the latter case:
who/where? :)
Thanks in advance,
FC
[1] http://www.phoronix.com/scan.php?page=news_item&px=MTQ1MDI
--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
- George Orwell
10 years, 9 months
RE: free CA?
by J.Witvliet@mindef.nl
-----Original Message-----
From: users-bounces(a)lists.fedoraproject.org [mailto:users-bounces@lists.fedoraproject.org] On Behalf Of Mike Wright
Sent: Saturday, September 07, 2013 8:02 PM
To: Fedora Users
Subject: free CA?
Hi all,
Does anybody know of a free CA (Certificate Authority) that is
recognized by common browsers? I have some very low volume
non-commercial sites and cannot justify spending $100/year on
certificates for them.
I tried CAcert but no matter what I did they said they could not contact
my mail server in order to verify me. (Same server where my Fedora
Users mail arrives w/o problems.) tcpdump shows they came and carried
on some sort of conversation. Given all that I gave up on them.
Any help would be greatly appreciated,
Mike Wright
-----Original Message-----
Hi Mike,
Perhaps worthwhile spending some more time on your email issue....
You did get certified? And subscribed to their M.L.? (there were some technical issues lately)
At least your primary email-address should remain reachable by cacert.
You can test that, by issuing a client certificate: you should get notified for that.
In case there is something odd with the email address itself: you can expect the same from other CA providers, as anyone needs to be able to verify your address.
Hans (in private life also an assurer for CAcert)
10 years, 9 months
Native Nvidia Optimus and Fedora 19
by Powell, Michael
Has anyone tried to get native Optimus running on a Fedora 19 box? When I attempt it, I get a blank black screen. I posted on the Nvidia forums, but no one has replied yet and I'm getting anxious ;-)
The general consensus is that the kernel must be 3.9 or higher, and I am running 3.9.9-302. The Nvidia readme<http://us.download.nvidia.com/XFree86/Linux-x86-ARM/319.32/README/randr14...> indicates CONFIG_DRM has to be enabled and the following driver interfaces present:
drm_gem_prime_export
drm_gem_prime_import
gem_prime_pin
gem_prime_get_sg_table
gem_prime_import_sg_table
gem_prime_vmap
gem_prime_vunmap
I have verified that CONFIG_DRM is enabled within the kernel as a module and it's loaded, but when I attempted to verify the list of module symbols, I only found two (the ones in bold).
The way I determined this information was through:
`cat /boot/config-3.9.9-302.fc19.x86_64 | grep CONFIG_DRM`
`cat /lib/modules/3.9.9-302.fc19.x86_64/modules.symbols | grep gem_prime`
Am I missing something or does it appear that F19 kernel is missing vital parts for native Nvidia Optimus support?
For those more interested, here is the post<https://devtalk.nvidia.com/default/topic/551709/linux/319-23-the-infamous...> on the nvidia forums.
10 years, 9 months
Turning off SELINUX
by Javier Perez
After reading this, I am turning off SELINUX
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-se...
Until I hear of a thorough code review by a non-USA team of this code, I
do not feel safe using it, privacy wise.
It's a pity because SELINUX is a good idea.
--
------------------------------
/\_/\
|O O| pepebuho(a)gmail.com
~~~~ Javier Perez
~~~~ While the night runs
~~~~ toward the day...
m m Pepebuho watches
from his high perch.
10 years, 9 months
grub2 how to change menuentry's in 10_linux section of grub.cfg
by Jackson Byers
from fedora docs:
"Changes to grub.cfg are enacted by editing etc/default/grub and files in
the etc/grub.d directory, particularly 10_linux and 40_custom, and then
running the grub2-mkconfig command with root privileges."
BUT 10_linux in /etc/grub.d has no menuentry's, just a lot of coding I don't
understand and looks like it is not intended to be modified by normal users.
I have no trouble modifying /etc/grub.d/40_custom
and getting the changes to appear in grub.cfg
But how to change 10_linux menuentry's?
what am I missing? The documentation above
clearly says /etc/grub.d/10_linux can be edited., but I can't see how.
FWIW, still in f16, xfce
had f17 working for awhile but it got messed up.
now trying to clean up, in preparation for f19
10 years, 9 months
Re: Fedora/Redhat and perfect forward secrecy
by Reindl Harald
On 09.09.2013 18:12, Paul Wouters wrote:
> On Mon, 9 Sep 2013, Reindl Harald wrote:
>>> I don't get it, either
>>
>> google "dhe versus ecdhe performance"
>>
>> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
>>>> Let's focus on the server part. Enabling DHE-RSA-AES128-SHA cipher suite
>>>> hinders the performance of TLS handshakes by a factor of 3. Using
>>>> ECDHE-RSA-AES128-SHA instead only adds an overhead of 27%. However, if we
>>>> use the 64bit optimized version, the cost is only 15%
>>
>> is that enough to understand why nobody on this world is using DHE and so your
>> "Current Fedora supports perfect forward secrecy just fine" is *far* away
>> from the reality?
>
> Not for me. I thought TLS was latency bound. The above "factor 3" does
> not state whether TLS client/server were in the same LAN (or even VMs on
> the same host).
it does not matter, the world measures CPU load here
> For the client, clearly CPU is not the limiting factor
if you stay on topic you realize that this does not matter
you can't do PFS to *any* major website these days
> For regular TLS servers, this should also not matter. For fully loaded TLS
> servers or TLS accelerators, the factor 3 on the CPU load will matter, but
> we're talking clusters of machines here. Dropping in a few extra machines
> shouldn't be that hard to give your patent-encumbered endusers PFS.
*you* are talking clusters here
>> it does not help much support forward secrecy in a way *nobody* else on this
>> planet is supporting it and so you response below is uneducated - period
>
> Ignoring the obvious legal (and now potential backdoor) problems with
> ECC is also not very educated
we are speaking about the real world, not about theory
*you can't* do PFS to *any* relevant target because nobody
offers negotiation with DHE - so stay on topic and as long
nothing is *proven* ignore it while it *is* proven that
PFS does not work with Redhat/Fedora systems to the rest
of the world
10 years, 9 months
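The disagreement in this thread turns on which key exchange a client and server end up agreeing on. The following added example (not from any poster) models that negotiation for OpenSSL-style TLS 1.2-and-earlier suite names; the function names and all four suite lists are constructed for illustration and assume the server enforces its own preference order.

```python
# Key-exchange families that give forward secrecy (ephemeral Diffie-Hellman).
FORWARD_SECRET = {"DHE", "ECDHE"}


def key_exchange(suite):
    """Key-exchange family of an OpenSSL-style suite name.

    Anonymous, PSK and SRP suites are out of scope for this sketch.
    """
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    if suite.startswith(("ECDH-", "DH-")):
        return "static-DH"  # fixed DH key in the certificate, not ephemeral
    return "RSA"            # no prefix, e.g. AES128-SHA: RSA key transport


def negotiate(client_offer, server_prefs):
    """Pick the first server-preferred suite that the client also offers.

    Returns (suite, forward_secret), or (None, False) when nothing overlaps.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite, key_exchange(suite) in FORWARD_SECRET
    return None, False


# Constructed sample lists, not captured from any real client or site.
CLIENT_NO_ECC = ["DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"]
CLIENT_WITH_ECC = ["ECDHE-RSA-AES128-SHA"] + CLIENT_NO_ECC
SERVER_ECDHE_ONLY = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"]
SERVER_ECDHE_AND_DHE = ["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA",
                        "AES128-SHA"]

if __name__ == "__main__":
    clients = {"no-ECC client": CLIENT_NO_ECC, "ECC client": CLIENT_WITH_ECC}
    servers = {"ECDHE-only server": SERVER_ECDHE_ONLY,
               "ECDHE+DHE server": SERVER_ECDHE_AND_DHE}
    for cname, offer in clients.items():
        for sname, prefs in servers.items():
            suite, fs = negotiate(offer, prefs)
            print(f"{cname:14} -> {sname:18} {suite} forward_secret={fs}")
```

With these lists, the client lacking ECDHE silently falls back to RSA key transport against the ECDHE-only server, while the handshake still succeeds; that is why the negotiated suite, not the connection result, is the thing to audit.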