- <item>
- <title>Forcing new users to change their password on first login</title>
- <link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
- <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
- <description>
-<p>One interesting feature in Active Directory, is the ability to
-create a new user with an expired password, and thus force the user to
-change the password on the first login attempt.</p>
-
-<p>I'm not quite sure how to do that with the LDAP setup in Debian
-Edu, but did some initial testing with a local account. The account
-and password aging information is available in /etc/shadow, but
-unfortunately, it is not possible to specify an expiration time for
-passwords, only a maximum age for passwords.</p>
-
-<p>A freshly created account (using adduser test) will have these
-settings in /etc/shadow:</p>
-
-<blockquote><pre>
-root@tjener:~# chage -l test
-Last password change : May 02, 2010
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 99999
-Number of days of warning before password expires : 7
-root@tjener:~#
-</pre></blockquote>
-
-<p>The only way I could come up with to create a user with an expired
-account, is to change the date of the last password change to the
-lowest value possible (January 1th 1970), and the maximum password age
-to the difference in days between that date and today. To make it
-simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
-avoid testing if 0 is a valid value).</p>
-
-<p>After using these commands to set it up, it seem to work as
-intended:</p>
-
-<blockquote><pre>
-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change : Jan 02, 1970
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 10950
-Number of days of warning before password expires : 7
-root@tjener:~#
-</pre></blockquote>
-
-<p>So far I have tested this with ssh and console, and kdm (in
-Squeeze) login, and all ask for a new password before login in the
-user (with ssh, I was thrown out and had to log in again).</p>
-
-<p>Perhaps we should set up something similar for Debian Edu, to make
-sure only the user itself have the account password?</p>
-
-<p>If you want to comment on or help out with implementing this for
-Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
-
-<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
-shadow(8) page in Debian/testing now state that setting the date of
-last password change to zero (0) will force the password to be changed
-on the first login. This was not mentioned in the manual in Lenny, so
-I did not notice this in my initial testing. I have tested it on
-Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
-tested it on Lenny yet.</p>
-
-<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
-equivalent command to expire a password is '<tt>passwd -e
-username</tt>', which insert zero into the date of the last password
-change.</p>
-</description>
- </item>
-
- <item>
- <title>Thoughts on roaming laptop setup for Debian Edu</title>
- <link>http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</guid>
- <pubDate>Wed, 28 Apr 2010 20:40:00 +0200</pubDate>
- <description>
-<p>For some years now, I have wondered how we should handle laptops in
-Debian Edu. The Debian Edu infrastructure is mostly designed to
-handle stationary computers, and less suited for computers that come
-and go.</p>
-
-<p>Now I finally believe I have an sensible idea on how to adjust
-Debian Edu for laptops, by introducing a new profile for them, for
-example called Roaming Workstations. Here are my thought on this.
-The setup would consist of the following:</p>
-
-<ul>
-
- <li>During installation, the user name of the owner / primary user of
- the laptop is requested and a local home directory is set up for
- the user, with uid and gid information fetched from the LDAP
- server. This allow the user to work also when offline. The
- central home directory can be available in a subdirectory on
- request, for example mounted via CIFS. It could be mounted
- automatically when a user log in while on the Debian Edu network,
- and unmounted when the machine is taken away (network down,
- hibernate, etc), it can be set up to do automatic mounting on
- request (using autofs), or perhaps some GUI button on the desktop
- can be used to access it when needed. Perhaps it is enough to use
- the fish protocol in KDE?</li>
-
- <li>Password checking is set up to use LDAP or Kerberos
- authentication when the machine is on the Debian Edu network, and
- to cache the password for offline checking when the machine unable
- to reach the LDAP or Kerberos server. This can be done using
- <a href="http://www.padl.com/OSS/pam_ccreds.html">libpam-ccreds</a>
- or the Fedora developed
- <a href="https://fedoraproject.org/wiki/Features/SSSD">System
- Security Services Daemon</a> packages.</li>
-
- <li>File synchronisation with the central home directory is set up
- using a shared directory in both the local and the central home
- directory, using unison.</li>
-
- <li>Printing should be set up to print to all printers broadcasting
- their existence on the local network, and should then work out of
- the box with CUPS. For sites needing accurate printer quotas, some
- system with Kerberos authentication or printing via ssh could be
- implemented.</li>
-
- <li>For users that should have local root access to their laptop,
- sudo should be used to allow this to the local user.</li>
-
- <li>It would be nice if user and group information from LDAP is
- cached on the client, but given that there are entries for the
- local user and primary group in /etc/, it should not be needed.</li>
-
-</ul>
-
-<p>I believe all the pieces to implement this are in Debian/testing at
-the moment. If we work quickly, we should be able to get this ready
-in time for the Squeeze release to freeze. Some of the pieces need
-tweaking, like libpam-ccreds should get support for pam-auth-update
-(<a href="http://bugs.debian.org/566718">#566718</a>) and nslcd (or
-perhaps debian-edu-config) should get some integration code to stop
-its daemon when the LDAP server is unavailable to avoid long timeouts
-when disconnected from the net. If we get Kerberos enabled, we need
-to make sure we avoid long timeouts there too.</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
-</description>
- </item>
-
- <item>
- <title>Great book: "Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future"</title>
- <link>http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
- <pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
- <description>
-<p>The last few weeks i have had the pleasure of reading a
-thought-provoking collection of essays by Cory Doctorow, on topics
-touching copyright, virtual worlds, the future of man when the
-conscience mind can be duplicated into a computer and many more. The
-book titled "Content: Selected Essays on Technology, Creativity,
-Copyright, and the Future of the Future" is available with few
-restrictions on the web, for example from
-<a href="http://craphound.com/content/">his own site</a>. I read the
-epub-version from
-<a href="http://www.feedbooks.com/book/2883">feedbooks</a> using
-<a href="http://www.fbreader.org/">fbreader</a> and my N810. I
-strongly recommend this book.</p>
-</description>
- </item>
-
- <item>
- <title>Kerberos for Debian Edu/Squeeze?</title>
- <link>http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html</guid>
- <pubDate>Wed, 14 Apr 2010 17:20:00 +0200</pubDate>
- <description>
-<p><a href="http://www.nuug.no/aktiviteter/20100413-kerberos/">Yesterdays
-NUUG presentation</a> about Kerberos was inspiring, and reminded me
-about the need to start using Kerberos in Skolelinux. Setting up a
-Kerberos server seem to be straight forward, and if we get this in
-place a long time before the Squeeze version of Debian freezes, we
-have a chance to migrate Skolelinux away from NFSv3 for the home
-directories, and over to an architecture where the infrastructure do
-not have to trust IP addresses and machines, and instead can trust
-users and cryptographic keys instead.</p>
-
-<p>A challenge will be integration and administration. Is there a
-Kerberos implementation for Debian where one can control the
-administration access in Kerberos using LDAP groups? With it, the
-school administration will have to maintain access control using flat
-files on the main server, which give a huge potential for errors.</p>
-
-<p>A related question I would like to know is how well Kerberos and
-pam-ccreds (offline password check) work together. Anyone know?</p>
-
-<p>Next step will be to use Kerberos for access control in Lwat and
-Nagios. I have no idea how much work that will be to implement. We
-would also need to document how to integrate with Windows AD, as such
-shared network will require two Kerberos realms that need to cooperate
-to work properly.</p>
-
-<p>I believe a good start would be to start using Kerberos on the
-skolelinux.no machines, and this way get ourselves experience with
-configuration and integration. A natural starting point would be
-setting up ldap.skolelinux.no as the Kerberos server, and migrate the
-rest of the machines from PAM via LDAP to PAM via Kerberos one at the
-time.</p>
-
-<p>If you would like to contribute to get this working in Skolelinux,
-I recommend you to see the video recording from yesterdays NUUG
-presentation, and start using Kerberos at home. The video show show
-up in a few days.</p>
-</description>
- </item>
-
- <item>
- <title>På vegne av vanvitting mange, Aftenposten!</title>
- <link>http://people.skolelinux.org/pere/blog/P___vegne_av_vanvitting_mange__Aftenposten_.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/P___vegne_av_vanvitting_mange__Aftenposten_.html</guid>
- <pubDate>Sat, 6 Mar 2010 21:15:00 +0100</pubDate>
- <description>
-<p><a href="http://fotball.aftenposten.no/incoming/article163000.ece">Aftenposten
-melder</a> på forsiden av webavisen sin at de tror Erling Fossen
-provoserer nordlendinger med sine uttalelser på
-fotballtinget. Jeg er utflyttet nordlending, og må innrømme at jeg
-ikke kjennet så mye som et snev av provokasjon fra denne litt morsomme
-uttalelsen til Hr. Fossen. Lurer på om Aftenposten har noen kilder
-utenom redaksjonen for sin påstand om at nordledinger er provosert av
-Hr. Fossen. Må innrømme at jeg tviler på det.</p>
-
-<p>Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.</p>
-</description>
- </item>
-
- <item>
- <title>After 6 years of waiting, the Xreset.d feature is implemented</title>
- <link>http://people.skolelinux.org/pere/blog/After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html</guid>
- <pubDate>Sat, 6 Mar 2010 18:15:00 +0100</pubDate>
- <description>
-<p>6 years ago, as part of the Debian Edu development I am involved
-in, I asked for a hook in the kdm and gdm setup to run scripts as root
-when the user log out. A bug was submitted against the xfree86-common
-package in 2004 (<a href="http://bugs.debian.org/230422">#230422</a>),
-and revisited every time Debian Edu was working on a new release.
-Today, this finally paid off.</p>
-
-<p>The framework for this feature was today commited to the git
-repositry for the xorg package, and the git repository for xdm has
-been updated to use this framework. Next on my agenda is to make sure
-kdm and gdm also add code to use this framework.</p>
-
-<p>In Debian Edu, we want to ability to run commands as root when the
-user log out, to get rid of runaway processes and do general cleanup
-after a user. With this framework in place, we finally can do that in
-a generic way that work with all display managers using this
-framework. My goal is to get all display managers in Debian use it,
-similar to how they use the Xsession.d framework today.<p>
-</description>
- </item>
-
- <item>
- <title>Digitale bøker uten digitale restriksjonsmekanismer (DRM) bør få mva-fritak</title>
- <link>http://people.skolelinux.org/pere/blog/Digitale_b__ker_uten_digitale_restriksjonsmekanismer__DRM__b__r_f___mva_fritak.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Digitale_b__ker_uten_digitale_restriksjonsmekanismer__DRM__b__r_f___mva_fritak.html</guid>
- <pubDate>Wed, 3 Mar 2010 19:00:00 +0100</pubDate>
- <description>
-<p>Den norske bokbransjen har
-<a href="http://www.digi.no/823912/nei-til-moms-paa-e-boker">bedt om at
-digitale bøker må få mva-fritak</a> slik papirbøker har det, og
-<a href="http://www.digi.no/836875/moms-paa-alt-digitalt-innhold">finansdepartementet
-har sagt nei</a>. Det er et interessant spørsmål om digitale bøker
-bør ha mva-fritak eller ikke, og svaret er ikke så enkelt som et ja
-eller nei.
-<a href="http://www.digi.no/836925/norske-e-boker-truet-av-moms">Enkelte
-medlemmer</a> av bokbransjen truer med å droppe den planlagte
-lanseringen av norske digitale bøker med digitale restriksjonsmekanismer
-(DRM) som de har snakket om å gjennomføre nå i vår, og det må de
-gjerne gjøre for min del.</p>
-
-<p>Papirbøker har mva-fritak pga. at de fremmer kultur- og
-kunnskapsspredning. Digitale bøker uten digitale
-restriksjonsmekanismer (DRM) fremmer kultur- og kunnskapsspredning,
-mens digitale bøker med DRM hindrer kultur og kunnskapsspredning.
-Digitale bøker uten DRM bør få mva-fritak da det er salg av bøker på
-lik linje med salg av papirbøker, mens digitale bøker med DRM ikke bør
-få det da det er utleie av bøker og ikke salg.</p>
-
-<p>Jeg foretrekker å kjøpe bøker, og velger dermed å la være å bruke
-DRM-belastede digitale bøker. Vet ikke helt hva jeg ville være villig
-til å betale for å leie en bok, men tror ikke det er mange kronene.
-Heldigvis er det mye bøker tilgjengelig uten slike restriksjoner, og
-de som vil ha tak i engelske bøker kan laste ned bøker som er
-tilgjengelig uten bruksbegresninger fra <a href="http://www.archive.org/">The
-Internet Archive</a>. Der er det pr. i dag 1 889 313 bøker
-tilgjengelig. De er tilgjengelig i flere formater. Besøk
-<a href="http://www.archive.org/details/texts">oversikten over tekster
-der</a> for å se hva de har.
-</description>
- </item>
-
- <item>
- <title>Debian Edu / Skolelinux based on Lenny released, work continues</title>
- <link>http://people.skolelinux.org/pere/blog/Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html</guid>
- <pubDate>Thu, 11 Feb 2010 17:15:00 +0100</pubDate>
- <description>
-<p>On Tuesday, the Debian/Lenny based version of
-<a href="http://www.skolelinux.org/">Skolelinux</a> was finally
-shipped. This was a major leap forward for the project, and I am very
-pleased that we finally got the release wrapped up. Work on the first
-point release starts imediately, as we plan to get that one out a
-month after the major release, to include all fixes for bugs we found
-and fixed too late in the release process to include last Tuesday.</p>
-
-<p>Perhaps it even is time for some partying?</p>
-
-<p>After this first point release, my plan is to focus again on the
-next major release, based on Squeeze. We will try to get as many of
-the fixes we need into the official Debian packages before the freeze,
-and have just a few weeks or months to make it happen.</p>
-</description>
- </item>
-
projects / homepage.git / blobdiff