
So how's your Monday?

Peter H. Coffin

Apr 6, 2015, 6:55:05 PM
"Please install new clients! Servers upgrading Tuesday" Includes link to
FixThingy (external patch repository for products).

Okay, the organization has been going through some admirable, if
occasionally misguided[1], attempts at making everything require secure
connections, which has involved a flurry of little patches and upgrades.
This is probably part of that.

*install upgrade from internal source because that's on an nfs share and
thus does not need downloading to my workstation, then upload to
departmental x86box*

*client fails to work -- it can't find libssl.so.6*

Hmm... When did THAT ship? OpenSSL 0.9.8e? This SUSE 11 SP 3 was
released in 2013 and it came with 0.9.8j, which was the old, stable
version even then. So they built this upgrade against a hardwired
generation of at-least-five-year-old encryption?

*checks FixThingy for an updated version of patch -- patch gone, prior
patch level now most current*

*email "please install new clients!" requester to ask "what now?"*

----------------
[1] Such as requiring all ssh keys to be either passworded or limited
as to what IP addresses they could protect connections from, and
identified as to owner. There were two problems with this that put it
into the "misguided" category. a) Owners of the accounts where these
keys were notified only that their ssh keys were not in compliance,
not in what way. And the corporate directive cited in the notification
only discussed minimum bit-length and requirements to reject automatic
connections to hosts with unknown host keys. The labelling requirement
and connection-from IP requirements could be found by performing a
knowledgebase search on an un-linked and unexpanded acronym in the body
text, which got to the personnel page of the team lead of the group and
a link to HIS working documents of the project. 2) The second "you are
not in compliance" email also had attached a thing that would generate
the identification string. The quirk is how they generated it: LDAP
lookups managed by spreadsheet macros. Because the way to REALLY inspire
confidence in editing your ssh keys is to start by saying "Run this
spreadsheet full of macros!"

--
"Only Irish coffee provides in a single glass all four essential food
groups: alcohol, caffeine, sugar, and fat."
-Alex Levine