X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/503eaa90b477154d9c9caeb7258eaf45ff05fcc7..655f8ec3745d3d85f3b03af7d42e7e7e28e7d200:/blog/archive/2010/05/index.html diff --git a/blog/archive/2010/05/index.html b/blog/archive/2010/05/index.html index fc51f8f8a4..3209f42fd7 100644 --- a/blog/archive/2010/05/index.html +++ b/blog/archive/2010/05/index.html @@ -23,88 +23,57 @@
- Forcing new users to change their password on first login + Parallellized boot seem to hold up well in Debian/testing
- 2nd May 2010 + 27th May 2010
-

One interesting feature in Active Directory, is the ability to -create a new user with an expired password, and thus force the user to -change the password on the first login attempt.

- -

I'm not quite sure how to do that with the LDAP setup in Debian -Edu, but did some initial testing with a local account. The account -and password aging information is available in /etc/shadow, but -unfortunately, it is not possible to specify an expiration time for -passwords, only a maximum age for passwords.

- -

A freshly created account (using adduser test) will have these -settings in /etc/shadow:

- -
-root@tjener:~# chage -l test
-Last password change                                    : May 02, 2010
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 99999
-Number of days of warning before password expires       : 7
-root@tjener:~#
-
+

A few days ago, parallel booting was enabled in Debian/testing. +The feature seem to hold up pretty well, but three fairly serious +issues are known and should be solved: -

The only way I could come up with to create a user with an expired -account, is to change the date of the last password change to the -lowest value possible (January 1th 1970), and the maximum password age -to the difference in days between that date and today. To make it -simple, I went for 30 years (30 * 365 = 10950) and January 2th (to -avoid testing if 0 is a valid value).

+

-

If you want to comment on or help out with implementing this for -Debian Edu, please contact us on debian-edu@lists.debian.org.

+

All in all not many surprising issues, and all of them seem +solvable before Squeeze is released. In addition to these there are +some packages with bugs in their dependencies and run level settings, +which I expect will be fixed in a reasonable time span.

-

Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the -shadow(8) page in Debian/testing now state that setting the date of -last password change to zero (0) will force the password to be changed -on the first login. This was not mentioned in the manual in Lenny, so -I did not notice this in my initial testing. I have tested it on -Squeeze, and 'chage -d 0 username' do work there. I have not -tested it on Lenny yet.

+

If you report any problems with dependencies in init.d scripts to +the BTS, please usertag the report to get it to show up at +the +list of usertagged bugs related to this.

-

Update 2010-05-02-19:05: Jim Paris tells me via email that an -equivalent command to expire a password is 'passwd -e -username', which insert zero into the date of the last password -change.

+

Update: Correct bug number to file-rc issue.

- Tags: debian edu, english, nuug, sikkerhet. + Tags: bootsystem, debian, debian edu, english.
@@ -113,53 +82,59 @@ change.

- Parallellizing the boot in Debian Squeeze - ready for wider testing + More flexible firmware handling in debian-installer
- 6th May 2010 + 22nd May 2010
-

These days, the init.d script dependencies in Squeeze are quite -complete, so complete that it is actually possible to run all the -init.d scripts in parallell based on these dependencies. If you want -to test your Squeeze system, make sure -dependency -based boot sequencing is enabled, and add this line to -/etc/default/rcS:

- -
-CONCURRENCY=makefile
-
+

After a long break from debian-installer development, I finally +found time today to return to the project. Having to spend less time +working dependency based boot in debian, as it is almost complete now, +definitely helped freeing some time.

-

That is it. It will cause sysv-rc to use the startpar tool to run -scripts in parallel using the dependency information stored in -/etc/init.d/.depend.boot, /etc/init.d/.depend.start and -/etc/init.d/.depend.stop to order the scripts. Startpar is configured -to try to start the kdm and gdm scripts as early as possible, and will -start the facilities required by kdm or gdm as early as possible to -make this happen.

+

A while back, I ran into a problem while working on Debian Edu. We +include some firmware packages on the Debian Edu CDs, those needed to +get disk and network controllers working. Without having these +firmware packages available during installation, it is impossible to +install Debian Edu on the given machine, and because our target group +are non-technical people, asking them to provide firmware packages on +an external medium is a support pain. Initially, I expected it to be +enough to include the firmware packages on the CD to get +debian-installer to find and use them. This proved to be wrong. +Next, I hoped it was enough to symlink the relevant firmware packages +to some useful location on the CD (tried /cdrom/ and +/cdrom/firmware/). This also proved to not work, and at this point I +found time to look at the debian-installer code to figure out what was +going to work.

-

Give it a try, and see if you like the result. If some services -fail to start properly, it is most likely because they have incomplete -init.d script dependencies in their startup script (or some of their -dependent scripts have incomplete dependencies). Report bugs and get -the package maintainers to fix it. :)

+

The firmware loading code is in the hw-detect package, and a closer +look revealed that it would only look for firmware packages outside +the installation media, so the CD was never checked for firmware +packages. It would only check USB sticks, floppies and other +"external" media devices. Today I changed it to also look in the +/cdrom/firmware/ directory on the mounted CD or DVD, which should +solve the problem I ran into with Debian edu. I also changed it to +look in /firmware/, to make sure the installer also find firmware +provided in the initrd when booting the installer via PXE, to allow us +to provide the same feature in the PXE setup included in Debian +Edu.

-

Running scripts in parallel could be the default in Debian when we -manage to get the init.d script dependencies complete and correct. I -expect we will get there in Squeeze+1, if we get manage to test and -fix the remaining issues.

+

To make sure firmware deb packages with a license questions are not +activated without asking if the license is accepted, I extended +hw-detect to look for preinst scripts in the firmware packages, and +run these before activating the firmware during installation. The +license question is asked using debconf in the preinst, so this should +solve the issue for the firmware packages I have looked at so far.

-

If you report any problems with dependencies in init.d scripts to -the BTS, please usertag the report to get it to show up at -the -list of usertagged bugs related to this.

+

If you want to discuss the details of these features, please +contact us on debian-boot@lists.debian.org.

- Tags: bootsystem, debian, english. + Tags: debian, debian edu, english.
@@ -168,50 +143,72 @@ list of usertagged bugs related to this.

- systemd, an interesting alternative to upstart + Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten
- 13th May 2010 + 21st May 2010
-

The last few days a new boot system called -systemd -has been -introduced +

For en stund tilbake kjøpte jeg en magnetkortleser for å kunne +titte på hva som er skrevet inn på magnetstripene til ulike kort. Har +ikke hatt tid til å analysere mange kort så langt, men tenkte jeg +skulle dele innholdet på to kort med mine lesere.

-to the free software world. I have not yet had time to play around -with it, but it seem to be a very interesting alternative to -upstart, and might prove to be -a good alternative for Debian when we are able to switch to an event -based boot system. Tollef is -in the process of getting -systemd into Debian, and I look forward to seeing how well it work. I -like the fact that systemd handles init.d scripts with dependency -information natively, allowing them to run in parallel where upstart -at the moment do not.

+

For noen dager siden tok jeg flyet til Harstad og Hurtigruten til +Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med +magnetstripe. Påtrykket finner jeg følgende informasjon:

-

Unfortunately do systemd have the same problem as upstart regarding -platform support. It only work on recent Linux kernels, and also need -some new kernel features enabled to function properly. This means -kFreeBSD and Hurd ports of Debian will need a port or a different boot -system. Not sure how that will be handled if systemd proves to be the -way forward.

+
+Flytoget Airport Express Train
 
-
In the mean time, based on the
-input
-on debian-devel@ regarding parallel booting in Debian, I have
-decided to enable full parallel booting as the default in Debian as
-soon as possible (probably this weekend or early next week), to see if
-there are any remaining serious bugs in the init.d dependencies.  A
-new version of the sysvinit package implementing this change is
-already in experimental.  If all go well, Squeeze will be released
-with parallel booting enabled by default.

+Fra - Til        : Oslo Sentralstasjon
+Kategori         : Voksen
+Pris             : Nok 170,00
+Herav mva. 8,00% : NOK 12,59
+Betaling         : Kontant
+Til - Fra        : Oslo Lufthavn
+Utstedt:         : 08.05.10
+Gyldig Fra-Til   : 08.05.10-07.11.10
+Billetttype      : Enkeltbillett
+
+102-1015-100508-48382-01-08
+
+ +

På selve magnetstripen er innholdet +;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?. +Aner ikke hva innholdet representerer, og det er lite overlapp mellom +det jeg ser trykket på billetten og det jeg ser av tegn i +magnetstripen. Håper det betyr at de bruker kryptografiske metoder +for å gjøre det vanskelig å forfalske billetter.

+ +

Den andre billetten er fra Hurtigruten, der jeg mistenker at +strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert +fall den biten vi stakk inn i dørlåsen).

+ +

Påtrykket forsiden er følgende:

+ +
+Romnummer 727
+Hurtigruten
+Midnatsol
+Reinholdtsen
+Petter
+Bookingno: SAX69   0742193
+Harstad-Bergen
+Dep: 09.05.2010 Arr: 12.05.2010
+Lugar fra Risøyhamn
+Kost: FRO=4
+
+ +

På selve magnetstripen er innholdet +;1316010007421930=00000000000000000000?+E?. Heller ikke her +ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

- Tags: bootsystem, debian, english, nuug. + Tags: norsk, nuug, sikkerhet.
@@ -220,43 +217,69 @@ with parallel booting enabled by default.

- Sitesummary tip: Listing MAC address of all clients + Pieces of the roaming laptop puzzle in Debian
- 14th May 2010 + 19th May 2010
-

In the recent Debian Edu versions, the -sitesummary -system is used to keep track of the machines in the school -network. Each machine will automatically report its status to the -central server after boot and once per night. The network setup is -also reported, and using this information it is possible to get the -MAC address of all network interfaces in the machines. This is useful -to update the DHCP configuration.

+

Today, the last piece of the puzzle for roaming laptops in Debian +Edu finally entered the Debian archive. Today, the new +libpam-mklocaluser +package was accepted. Two days ago, two other pieces was accepted +into unstable. The +pam-python +package needed by libpam-mklocaluser, and the +sssd package +passed NEW on Monday. In addition, the +libpam-ccreds +package we need is in experimental (version 10-4) since Saturday, and +hopefully will be moved to unstable soon.

-

To give some idea how to use sitesummary, here is a one-liner to -ist all MAC addresses of all machines reporting to sitesummary. Run -this on the collector host:

+

This collection of packages allow for two different setups for +roaming laptops. The traditional setup would be using libpam-ccreds, +nscd and libpam-mklocaluser with LDAP or Kerberos authentication, +which should work out of the box if the configuration changes proposed +for nscd in BTS report +#485282 is implemented. The alternative setup is to use sssd with +libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take +care of the caching of passwords and group information.

-
-perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
-
+

I have so far been unable to get sssd to work with the LDAP server +at the University, but suspect the issue is some SSL/GnuTLS related +problem with the server certificate. I plan to update the Debian +package to version 1.2, which is scheduled for next week, and hope to +find time to make sure the next release will include both the +Debian/Ubuntu specific patches. Upstream is friendly and responsive, +and I am sure we will find a good solution.

-

This will list all MAC addresses assosiated with all machine, one -line per machine and with space between the MAC addresses.

+

The idea is to set up the roaming laptops to authenticate using +LDAP or Kerberos and create a local user with home directory in /home/ +when a usre in LDAP logs in via KDM or GDM for the first time, and +cache the password for offline checking, as well as caching group +memberhips and other relevant LDAP information. The +libpam-mklocaluser package was created to make sure the local home +directory is in /home/, instead of /site/server/directory/ which would +be the home directory if pam_mkhomedir was used. To avoid confusion +with support requests and configuration, we do not want local laptops +to have users in a path that is used for the same users home directory +on the home directory servers.

-

To allow system administrators easier job at adding static DHCP -addresses for hosts, it would be possible to extend this to fetch -machine information from sitesummary and update the DHCP and DNS -tables in LDAP using this information. Such tool is unfortunately not -written yet.

+

One annoying problem with gdm is that it do not show the PAM +message passed to the user from libpam-mklocaluser when the local user +is created. Instead gdm simply reject the login with some generic +message. The message is shown in kdm, ssh and login, so I guess it is +a bug in gdm. Have not investigated if there is some other message +type that can be used instead to get gdm to also show the message.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

- Tags: debian, debian edu, english, sitesummary. + Tags: debian edu, english, nuug.
@@ -311,69 +334,95 @@ list of usertagged bugs related to this.

- Pieces of the roaming laptop puzzle in Debian + Sitesummary tip: Listing MAC address of all clients
- 19th May 2010 + 14th May 2010
-

Today, the last piece of the puzzle for roaming laptops in Debian -Edu finally entered the Debian archive. Today, the new -libpam-mklocaluser -package was accepted. Two days ago, two other pieces was accepted -into unstable. The -pam-python -package needed by libpam-mklocaluser, and the -sssd package -passed NEW on Monday. In addition, the -libpam-ccreds -package we need is in experimental (version 10-4) since Saturday, and -hopefully will be moved to unstable soon.

+

In the recent Debian Edu versions, the +sitesummary +system is used to keep track of the machines in the school +network. Each machine will automatically report its status to the +central server after boot and once per night. The network setup is +also reported, and using this information it is possible to get the +MAC address of all network interfaces in the machines. This is useful +to update the DHCP configuration.

-

This collection of packages allow for two different setups for -roaming laptops. The traditional setup would be using libpam-ccreds, -nscd and libpam-mklocaluser with LDAP or Kerberos authentication, -which should work out of the box if the configuration changes proposed -for nscd in BTS report -#485282 is implemented. The alternative setup is to use sssd with -libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take -care of the caching of passwords and group information.

+

To give some idea how to use sitesummary, here is a one-liner to +ist all MAC addresses of all machines reporting to sitesummary. Run +this on the collector host:

-

I have so far been unable to get sssd to work with the LDAP server -at the University, but suspect the issue is some SSL/GnuTLS related -problem with the server certificate. I plan to update the Debian -package to version 1.2, which is scheduled for next week, and hope to -find time to make sure the next release will include both the -Debian/Ubuntu specific patches. Upstream is friendly and responsive, -and I am sure we will find a good solution.

+
+perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+
-

The idea is to set up the roaming laptops to authenticate using -LDAP or Kerberos and create a local user with home directory in /home/ -when a usre in LDAP logs in via KDM or GDM for the first time, and -cache the password for offline checking, as well as caching group -memberhips and other relevant LDAP information. The -libpam-mklocaluser package was created to make sure the local home -directory is in /home/, instead of /site/server/directory/ which would -be the home directory if pam_mkhomedir was used. To avoid confusion -with support requests and configuration, we do not want local laptops -to have users in a path that is used for the same users home directory -on the home directory servers.

+

This will list all MAC addresses assosiated with all machine, one +line per machine and with space between the MAC addresses.

-

One annoying problem with gdm is that it do not show the PAM -message passed to the user from libpam-mklocaluser when the local user -is created. Instead gdm simply reject the login with some generic -message. The message is shown in kdm, ssh and login, so I guess it is -a bug in gdm. Have not investigated if there is some other message -type that can be used instead to get gdm to also show the message.

+

To allow system administrators easier job at adding static DHCP +addresses for hosts, it would be possible to extend this to fetch +machine information from sitesummary and update the DHCP and DNS +tables in LDAP using this information. Such tool is unfortunately not +written yet.

+ +
+
+ + + Tags: debian, debian edu, english, sitesummary. + + +
+
+
+ +
+
+ systemd, an interesting alternative to upstart +
+
+ 13th May 2010 +
+
+

The last few days a new boot system called +systemd +has been +introduced + +to the free software world. I have not yet had time to play around +with it, but it seem to be a very interesting alternative to +upstart, and might prove to be +a good alternative for Debian when we are able to switch to an event +based boot system. Tollef is +in the process of getting +systemd into Debian, and I look forward to seeing how well it work. I +like the fact that systemd handles init.d scripts with dependency +information natively, allowing them to run in parallel where upstart +at the moment do not.

+ +

Unfortunately do systemd have the same problem as upstart regarding +platform support. It only work on recent Linux kernels, and also need +some new kernel features enabled to function properly. This means +kFreeBSD and Hurd ports of Debian will need a port or a different boot +system. Not sure how that will be handled if systemd proves to be the +way forward.

-

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

In the mean time, based on the +input +on debian-devel@ regarding parallel booting in Debian, I have +decided to enable full parallel booting as the default in Debian as +soon as possible (probably this weekend or early next week), to see if +there are any remaining serious bugs in the init.d dependencies. A +new version of the sysvinit package implementing this change is +already in experimental. If all go well, Squeeze will be released +with parallel booting enabled by default.

- Tags: debian edu, english, nuug. + Tags: bootsystem, debian, english, nuug.
@@ -382,72 +431,53 @@ please contact us on debian-edu@lists.debian.org.

- Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten + Parallellizing the boot in Debian Squeeze - ready for wider testing
- 21st May 2010 + 6th May 2010
-

For en stund tilbake kjøpte jeg en magnetkortleser for å kunne -titte på hva som er skrevet inn på magnetstripene til ulike kort. Har -ikke hatt tid til å analysere mange kort så langt, men tenkte jeg -skulle dele innholdet på to kort med mine lesere.

- -

For noen dager siden tok jeg flyet til Harstad og Hurtigruten til -Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med -magnetstripe. Påtrykket finner jeg følgende informasjon:

- -
-Flytoget Airport Express Train
-
-Fra - Til        : Oslo Sentralstasjon
-Kategori         : Voksen
-Pris             : Nok 170,00
-Herav mva. 8,00% : NOK 12,59
-Betaling         : Kontant
-Til - Fra        : Oslo Lufthavn
-Utstedt:         : 08.05.10
-Gyldig Fra-Til   : 08.05.10-07.11.10
-Billetttype      : Enkeltbillett
-
-102-1015-100508-48382-01-08
-
+

These days, the init.d script dependencies in Squeeze are quite +complete, so complete that it is actually possible to run all the +init.d scripts in parallell based on these dependencies. If you want +to test your Squeeze system, make sure +dependency +based boot sequencing is enabled, and add this line to +/etc/default/rcS:

-

På selve magnetstripen er innholdet -;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?. -Aner ikke hva innholdet representerer, og det er lite overlapp mellom -det jeg ser trykket på billetten og det jeg ser av tegn i -magnetstripen. Håper det betyr at de bruker kryptografiske metoder -for å gjøre det vanskelig å forfalske billetter.

+
+CONCURRENCY=makefile
+
-

Den andre billetten er fra Hurtigruten, der jeg mistenker at -strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert -fall den biten vi stakk inn i dørlåsen).

+

That is it. It will cause sysv-rc to use the startpar tool to run +scripts in parallel using the dependency information stored in +/etc/init.d/.depend.boot, /etc/init.d/.depend.start and +/etc/init.d/.depend.stop to order the scripts. Startpar is configured +to try to start the kdm and gdm scripts as early as possible, and will +start the facilities required by kdm or gdm as early as possible to +make this happen.

-

Påtrykket forsiden er følgende:

+

Give it a try, and see if you like the result. If some services +fail to start properly, it is most likely because they have incomplete +init.d script dependencies in their startup script (or some of their +dependent scripts have incomplete dependencies). Report bugs and get +the package maintainers to fix it. :)

-
-Romnummer 727
-Hurtigruten
-Midnatsol
-Reinholdtsen
-Petter
-Bookingno: SAX69   0742193
-Harstad-Bergen
-Dep: 09.05.2010 Arr: 12.05.2010
-Lugar fra Risøyhamn
-Kost: FRO=4
-
+

Running scripts in parallel could be the default in Debian when we +manage to get the init.d script dependencies complete and correct. I +expect we will get there in Squeeze+1, if we get manage to test and +fix the remaining issues.

-

På selve magnetstripen er innholdet -;1316010007421930=00000000000000000000?+E?. Heller ikke her -ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

+

If you report any problems with dependencies in init.d scripts to +the BTS, please usertag the report to get it to show up at +the +list of usertagged bugs related to this.

- Tags: norsk, nuug, sikkerhet. + Tags: bootsystem, debian, english.
@@ -456,118 +486,88 @@ ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

- More flexible firmware handling in debian-installer + Forcing new users to change their password on first login
- 22nd May 2010 + 2nd May 2010
-

After a long break from debian-installer development, I finally -found time today to return to the project. Having to spend less time -working dependency based boot in debian, as it is almost complete now, -definitely helped freeing some time.

- -

A while back, I ran into a problem while working on Debian Edu. We -include some firmware packages on the Debian Edu CDs, those needed to -get disk and network controllers working. Without having these -firmware packages available during installation, it is impossible to -install Debian Edu on the given machine, and because our target group -are non-technical people, asking them to provide firmware packages on -an external medium is a support pain. Initially, I expected it to be -enough to include the firmware packages on the CD to get -debian-installer to find and use them. This proved to be wrong. -Next, I hoped it was enough to symlink the relevant firmware packages -to some useful location on the CD (tried /cdrom/ and -/cdrom/firmware/). This also proved to not work, and at this point I -found time to look at the debian-installer code to figure out what was -going to work.

- -

The firmware loading code is in the hw-detect package, and a closer -look revealed that it would only look for firmware packages outside -the installation media, so the CD was never checked for firmware -packages. It would only check USB sticks, floppies and other -"external" media devices. Today I changed it to also look in the -/cdrom/firmware/ directory on the mounted CD or DVD, which should -solve the problem I ran into with Debian edu. I also changed it to -look in /firmware/, to make sure the installer also find firmware -provided in the initrd when booting the installer via PXE, to allow us -to provide the same feature in the PXE setup included in Debian -Edu.

+

One interesting feature in Active Directory, is the ability to +create a new user with an expired password, and thus force the user to +change the password on the first login attempt.

-

To make sure firmware deb packages with a license questions are not -activated without asking if the license is accepted, I extended -hw-detect to look for preinst scripts in the firmware packages, and -run these before activating the firmware during installation. The -license question is asked using debconf in the preinst, so this should -solve the issue for the firmware packages I have looked at so far.

+

I'm not quite sure how to do that with the LDAP setup in Debian +Edu, but did some initial testing with a local account. The account +and password aging information is available in /etc/shadow, but +unfortunately, it is not possible to specify an expiration time for +passwords, only a maximum age for passwords.

-

If you want to discuss the details of these features, please -contact us on debian-boot@lists.debian.org.

+

A freshly created account (using adduser test) will have these +settings in /etc/shadow:

-
-
- - - Tags: debian, debian edu, english. - - -
-
-
- -
-
- Parallellized boot seem to hold up well in Debian/testing -
-
- 27th May 2010 -
-
-

A few days ago, parallel booting was enabled in Debian/testing. -The feature seem to hold up pretty well, but three fairly serious -issues are known and should be solved: +

+root@tjener:~# chage -l test
+Last password change                                    : May 02, 2010
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 99999
+Number of days of warning before password expires       : 7
+root@tjener:~#
+
-

    +

    The only way I could come up with to create a user with an expired +account, is to change the date of the last password change to the +lowest value possible (January 1th 1970), and the maximum password age +to the difference in days between that date and today. To make it +simple, I went for 30 years (30 * 365 = 10950) and January 2th (to +avoid testing if 0 is a valid value).

    -
  • The wicd package seen to -break NFS mounting and -network setup when -parallel booting is enabled. No idea why, but the wicd maintainer -seem to be on the case.
    • +

    After using these commands to set it up, it seem to work as +intended:

    -
  • The nvidia X driver seem to -have a race condition -triggered more easily when parallel booting is in effect. The -maintainer is on the case.
    • +
    +root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change                                    : Jan 02, 1970
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 10950
+Number of days of warning before password expires       : 7
+root@tjener:~#  
+
    -
  • The sysv-rc package fail to properly enable dependency based boot -sequencing (the shutdown is broken) when old file-rc users -try to switch back to -sysv-rc. One way to solve it would be for file-rc to create -/etc/init.d/.legacy-bootordering, and another is to try to make -sysv-rc more robust. Will investigate some more and probably upload a -workaround in sysv-rc to help those trying to move from file-rc to -sysv-rc get a working shutdown.
    • +

    So far I have tested this with ssh and console, and kdm (in +Squeeze) login, and all ask for a new password before login in the +user (with ssh, I was thrown out and had to log in again).

    -

+

Perhaps we should set up something similar for Debian Edu, to make +sure only the user itself have the account password?

-

All in all not many surprising issues, and all of them seem -solvable before Squeeze is released. In addition to these there are -some packages with bugs in their dependencies and run level settings, -which I expect will be fixed in a reasonable time span.

+

If you want to comment on or help out with implementing this for +Debian Edu, please contact us on debian-edu@lists.debian.org.

-

If you report any problems with dependencies in init.d scripts to -the BTS, please usertag the report to get it to show up at -the -list of usertagged bugs related to this.

+

Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the +shadow(8) page in Debian/testing now state that setting the date of +last password change to zero (0) will force the password to be changed +on the first login. This was not mentioned in the manual in Lenny, so +I did not notice this in my initial testing. I have tested it on +Squeeze, and 'chage -d 0 username' do work there. I have not +tested it on Lenny yet.

-

Update: Correct bug number to file-rc issue.

+

Update 2010-05-02-19:05: Jim Paris tells me via email that an +equivalent command to expire a password is 'passwd -e +username', which insert zero into the date of the last password +change.

- Tags: bootsystem, debian, debian edu, english. + Tags: debian edu, english, nuug, sikkerhet.
@@ -597,7 +597,11 @@ list of usertagged bugs related to this.

  • June (20)
    • -
  • July (3)
    • +
  • July (17)
    • + +
  • August (6)
    • + +
  • September (8)
    • @@ -716,25 +720,29 @@ list of usertagged bugs related to this.

  • bsa (2)
    • -
  • debian (55)
    • +
  • debian (57)
    • -
  • debian edu (106)
    • +
  • debian edu (112)
  • digistan (9)
    • +
  • docbook (7)
    • +
  • drivstoffpriser (4)
    • -
  • english (137)
    • +
  • english (152)
    • -
  • fiksgatami (16)
    • +
  • fiksgatami (17)
  • fildeling (12)
    • -
  • frikanalen (5)
    • +
  • freeculture (8)
    • + +
  • frikanalen (8)
    • -
  • intervju (29)
    • +
  • intervju (31)
    • -
  • kart (16)
    • +
  • kart (17)
  • ldap (8)
    • @@ -742,19 +750,19 @@ list of usertagged bugs related to this.

  • ltsp (1)
    • -
  • multimedia (21)
    • +
  • multimedia (25)
    • -
  • norsk (183)
    • +
  • norsk (196)
    • -
  • nuug (134)
    • +
  • nuug (143)
    • -
  • offentlig innsyn (3)
    • +
  • offentlig innsyn (4)
  • open311 (2)
    • -
  • opphavsrett (30)
    • +
  • opphavsrett (35)
    • -
  • personvern (48)
    • +
  • personvern (49)
  • raid (1)
    • @@ -774,9 +782,9 @@ list of usertagged bugs related to this.

  • sitesummary (4)
    • -
  • skepsis (1)
    • +
  • skepsis (2)
    • -
  • standard (34)
    • +
  • standard (37)
  • stavekontroll (1)
    • @@ -784,13 +792,13 @@ list of usertagged bugs related to this.

  • surveillance (10)
    • -
  • valg (6)
    • +
  • valg (7)
    • -
  • video (30)
    • +
  • video (34)
    • -
  • vitenskap (1)
    • +
  • vitenskap (2)
    • -
  • web (24)
    • +
  • web (25)