| --- Log opened Wed Mar 17 00:00:36 2010 |
| 00:28 | <@Vornicus> | I should probably change up some names in the decoder, I have current_code, working_code, and previous_code. |
| 00:31 | < gnolam> | Hmm. Moral dilemma. To use a solution that's not guaranteed to ever work, but works /in practice/ pretty much everywhere or not. |
| 00:33 | <@Vornicus> | Math, or engineering? |
| 00:42 | < gnolam> | Occultism. |
| 00:42 | < gnolam> | In other words, C++. |
| 00:42 | < celticminstrel> | ... |
| 00:43 | <@Vornicus> | Not the question. |
| 00:44 | <@Vornicus> | The question is whether the parts that aren't in "pretty much everywhere", it's okay for it to fail. |
| 01:03 | | Attilla [Attilla@FBC920.0EA685.2404F0.127022] has quit [Connection reset by peer] |
| 01:15 | <~Reiver> So, Vorn |
| 01:15 | <~Reiver> I need to store two values in my trees, right |
| 01:15 | <~Reiver> A Value which is its Letter, and a Pointer which is its Next Node Down. Correct? |
| 01:15 | <~Reiver> Well, not letter, but youknowwhatImean |
| 01:20 | < celticminstrel> | You'll want more than one pointer; otherwise it's just a linked list. |
| 01:27 | <~Reiver> Oh. I have two tree pointers too |
| 01:27 | <~Reiver> I was listing the data each node needed to store. |
| 01:27 | <~Reiver> As, y'know, /data/. |
| 01:28 | < celticminstrel> | If you are just using the tree to store a set of sorted objects, then just one data value is needed. |
| 01:29 | < celticminstrel> | One data value and a minimum of two pointers. |
| 01:29 | < celticminstrel> | (And most cases would only need two pointers.) |
| 01:33 | <~Reiver> I am using the tree to create a Trie |
| 01:33 | <~Reiver> Thus, the tree legs are used to create the Trie itself; I think I need a second value to store the next Trie it actually links to. |
| 01:36 | <@Vornicus> | Value, Index, and Pointer |
| 01:37 | <@Vornicus> | (and Left and Right) |
| 01:38 | <~Reiver> OK |
| 01:38 | <~Reiver> What is Index. |
| 01:38 | <@Vornicus> | Index is the actual /number/ that you're using for LZW |
| 01:38 | <~Reiver> Aaah |
| 01:38 | <~Reiver> Also, my understanding is that we want to make the whole Trie to start with |
| 01:38 | <~Reiver> So we create the Trie as a whole, using the Index to store each step? |
| 01:39 | <@Vornicus> | nnnnnm. |
| 01:39 | <@Vornicus> | How do I put this. |
| 01:39 | <@Vornicus> | You make the entire /first level/ of the Trie to start with. |
| 01:40 | <@Vornicus> | and the Index tells you the number that you'll store in the compressed data. |
| 01:41 | <~Reiver> right |
| 01:43 | <@Vornicus> | And that first level will include indices too - I used ord(c) + 1 for the indices, so that 0 is reserved for the stop code. |
| 01:45 | <~Reiver> Indice? |
| 01:46 | <@Vornicus> | indices: plural of index. |
| 01:46 | < celticminstrel> | ...what's a Trie? |
| 01:46 | <~Reiver> Aha, right |
| 01:46 | <@Vornicus> | a Trie is a... how do I put it. |
| 01:46 | | * Reiver leaves that one for Vorn, he's getting ready for class |
| 01:46 | <~Reiver> Actually, shit, I should get going now. Damn. Sorry Vorn >.< |
| 01:47 | <~Reiver> BBL. |
| 01:47 | | * Reiver goes. |
| 01:47 | <@Vornicus> | a Trie stores things of variable length via prefixes. |
| 01:48 | <@Vornicus> | So for instance one level of the tree could be "a" "i" and then directly under "a" would be "ad" "ah" "al" "am" "an" "as" "at"... |
| 01:59 | <@Vornicus> | Each entry in the trie represents not only the data at that level, but the data in all the nodes above it. |
| 02:05 | <~Reiver> o/~ Happy Birthday to me, / I've a flat car bat'try, / I feel like an arse / 'cuz I've just missed my class. o/~ |
| 02:09 | <~Reiver> So, anyway. These tries, Vorn... >_> |
| 02:16 | <@Vornicus> | (though actually if you wanted /usr/share/dict/words there'd be a lot more nodes than that - you need one not only for every word, but for every prefix of every word.) |
| 02:28 | <@Vornicus> | I don't know what else to say about a trie. |
| 02:41 | < Zed_> | Anyone know if there's a windows 7 XCACLS or subinACL or whatever tool? |
| 02:43 | <@Vornicus> | http://pastebin.starforge.co.uk/156 <--- My LZW encoder and decoder. |
| 02:44 | <@Vornicus> | Where I use dictionaries in the encoder you'll want to use tries. |
| 02:44 | <@Vornicus> | er, binary trees, not tries; the dictionaries form the trie, together. |
| 02:46 | | * Reiver stares. |
| 02:46 | | * Reiver weeps. |
| 02:46 | <~Reiver> Vorn you bastige, you make it look so easy~ |
| 02:47 | <@Vornicus> | It is surprisingly simple. |
| 02:50 | <~Reiver> ...wait, my class didn't start till 4 today |
| 02:50 | <~Reiver> I could have made it by taking a bus. >_< |
| 02:50 | | * Reiver aaaaaaaaarg. |
| 02:51 | <~Reiver> Sigh. Oh well. I go to see if I can salvage this somehow. Wish me luck. >.> |
| 02:51 | <@Vornicus> | There was a bit of fighting with the decoder; I forgot that you can't add a new element to the vector until the /second/ code value, because the second value tells me the correct first letter. |
| 03:13 | <~Reiver> And now, having had my car break down, my timetable mixed up, and the sudden realisation I could have salvaged the entire evening? I miss the bus by about fifty meters. |
| 03:14 | | gnolam [lenin@Nightstar-38637aa0.priv.bahnhof.se] has quit [[NS] Quit: Z?] |
| 03:28 | | * Reiver attempts to calm down, and get on with his coding so he can spend tomorrow catching up on the lecture. Non-optimal in both cases, but there you go. |
| 04:02 | <@Vornicus> | So let's see what you've got right now. |
| 04:13 | | celticminstrel [celticminstre@Nightstar-f8b608eb.cable.rogers.com] has quit [[NS] Quit: *hums* Can't stay now!] |
| 04:17 | <@Vornicus> | ....shiiiit, there's a problem with using a binary trees for this. |
| 04:17 | <@Vornicus> | Without automatic balancing, the trie root will be degenerate. |
| 04:22 | <~Reiver> Why will it degenerate? |
| 04:22 | <~Reiver> We're not expected to balance the tree. |
| 04:24 | <~Reiver> Indeed, if you balanced the tree it would break, AFAICT |
| 04:25 | <@Vornicus> | It'll be just a linked list, instead of a binary tree. |
| 04:26 | <~Reiver> Er. Oh. |
| 04:26 | <~Reiver> Because if we start with 'a', everything will go off the right hand branch won't it |
| 04:27 | <@Vornicus> | Right |
| 04:27 | <@Vornicus> | And it's guaranteed to screw up like this if you don't rebalance the binary tree at all. We could write a rebalance routine but it's a pain |
| 04:28 | <@Vornicus> | I wouldn't worry about it unless you /really/ feel like it. |
| 04:34 | | SmithKurosaki [Smith@Nightstar-84502f6d.dsl.teksavvy.com] has quit [Ping timeout: 121 seconds] |
| 04:34 | | ToxicFrog [ToxicFrog@ServerAdministrator.Nightstar.Net] has quit [Ping timeout: 121 seconds] |
| 04:35 | | SmithKurosaki [Smith@Nightstar-4c721de7.dsl.teksavvy.com] has joined #code |
| 04:35 | | ToxicFrog [ToxicFrog@ServerAdministrator.Nightstar.Net] has joined #code |
| 04:36 | | mode/#code [+o ToxicFrog] by Reiver |
| 04:36 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [Ping timeout: 121 seconds] |
| 04:57 | | Serah [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
| 05:17 | < Orthia> | ...And, of course, the bus was running late. As in, "I saw two buses head the other way before mine arrived" late. >.< |
| 05:18 | < Orthia> | So, uh, yeah. |
| 05:18 | < Orthia> | Anyway. |
| 05:18 | < Orthia> | Best bet: We go with a linked list for our tries? |
| 05:18 | < Orthia> | Simpler that way, etc? |
| 05:19 | < Orthia> | Is it a sorted trie, or an ad-hoc one? |
| 05:21 | < Orthia> | A sorted linked list shouldn't be too hard, actually |
| 05:22 | < Orthia> | If(NewValue < NextValue); NextValue.Next = this.Next; this.Next = this.New(NewValue); yes? |
| 05:24 | | Orthia is now known as Reivthia |
| 05:24 | <@Vornicus> | No, no |
| 05:25 | <@Vornicus> | We use a binary tree for our trie node. |
| 05:25 | <@Vornicus> | We'll not bother with the rebalancing, because it's painful, which makes the root node /equivalent/ to a linked list, but that's okay. |
| 05:26 | <@Vornicus> | (my Python code is using dictionaries, obviously, which are technically what Java would call a HashMap. You're building a TreeMap by hand.) |
| 05:29 | <@Vornicus> | (except that you're not implementing the full algorithm used by TreeMap, which uses red-black to dynamically rebalance the tree.) |
| 05:31 | | Rhamphoryncus [rhamph@Nightstar-8931f88f.abhsia.telus.net] has quit [Client exited] |
| 05:42 | < Reivthia> | Vorn: So if we're not using the left half of the tree, why not go with a linked list instead? |
| 05:42 | <@Vornicus> | Because of Generality |
| 05:42 | < Reivthia> | OK? |
| 05:43 | <@Vornicus> | This is only the root node of the trie that's going degenerate |
| 05:43 | <@Vornicus> | Other nodes of the trie - which are independent binary trees in themselves - are /not/ necessarily degenerate. |
| 05:44 | <@Vornicus> | We want to be able to use the same code on all the trie nodes, no matter what happens. |
| 05:45 | < Reivthia> | Oh, ok. |
| 05:45 | < Reivthia> | Though if we're pre-seeding the trie, won't we be sticking a-z in beforehand? |
| 05:46 | <@Vornicus> | We're pre-seeding /the first level/ of the tree. |
| 05:46 | <@Vornicus> | trie. |
| 05:46 | <@Vornicus> | The later levels will be built as we encode. |
| 05:56 | | AnnoDomini [annodomini@Nightstar-ad089503.adsl.tpnet.pl] has joined #code |
| 05:56 | | mode/#code [+o AnnoDomini] by Reiver |
| 05:56 | < Reivthia> | Oh. I thought you pre-seeded every level |
| 05:56 | < Reivthia> | And that was how the Trick worked. |
| 06:01 | <@Vornicus> | Nope. |
| 06:03 | < Reivthia> | OK, so how does the Trick work then? |
| 06:03 | < Reivthia> | (Also: Once I get my head around this frakking tree, how long will the rest take? I've got till the end of next week, and my non-progress is starting to scare me.) |
| 06:06 | <@Vornicus> | Once the tree is figured out, the rest is... relatively simple. |
| 06:07 | <@Vornicus> | The Trick to LZW is that you're building a table of symbols to look for and using that table at the same time. |
| 06:08 | < Reivthia> | Okay. That's mildly comforting. |
| 06:08 | < Reivthia> | How scary is bitpacking? |
| 06:08 | < Reivthia> | >_> |
| 06:11 | <@Vornicus> | Not too terribly scary. |
| 06:12 | < Reivthia> | OK then. |
| 06:13 | <@Vornicus> | It may be fiddly and unweildy, but it's a damn sight easier to put together than the encoder and decoder. |
| 06:33 | < Reivthia> | OK. I will attempt to poke at it more tomorrow; it is evident that today my brain is too distractable and shot given it's All Gone Wrong, Jim. |
| 06:33 | < Reivthia> | Thank you, Vorn. You're really helpful! |
| 06:52 | <@Vornicus> | bedtime |
| 06:57 | | Vornicus is now known as Vornicus-Latens |
| 08:39 | | Thaqui [Thaqui@27B34E.D54D49.F53FA1.6A113C] has quit [Connection closed] |
| 08:57 | | You're now known as TheWatcher |
| 10:26 | | AnnoDomini [annodomini@Nightstar-ad089503.adsl.tpnet.pl] has quit [Ping timeout: 121 seconds] |
| 10:28 | | AnnoDomini [annodomini@Nightstar-fdc81046.adsl.tpnet.pl] has joined #code |
| 10:28 | | mode/#code [+o AnnoDomini] by Reiver |
| 10:39 | | Attilla [Attilla@FBC920.0EA685.2404F0.127022] has joined #code |
| 10:39 | | mode/#code [+o Attilla] by Reiver |
| 13:30 | | AD[WarWalk] [Administrator@Nightstar-2367ae35.gprs.plus.pl] has joined #code |
| 13:31 | | * AD[WarWalk] wonders how to secure an SSH server on his home box. |
| 13:35 | <@TheWatcher> | one method I do suggest you look at is to DROP any packets to port 22 that don't come from specific IPs or ranges you might need to connect from |
| 13:35 | <@TheWatcher> | (using iptables) |
| 13:37 | <@TheWatcher> | This reduced my ssh hack attempt rate to 0 |
| 13:38 | <@TheWatcher> | Also consider looking at AllowUsers in sshd_config |
| 13:39 | <@TheWatcher> | If you can, you might also want to use ChrootDirectory to restrict users once they log in |
| 13:40 | <@TheWatcher> | (also, never, ever, for any reason whatsoever, set PermitRootLogin to anything other than 'no'.) |
| 13:44 | < Namegduf> | TheWatcher: Psh. |
| 13:44 | < Reivthia> | So you cannot SSH in as root? |
| 13:44 | < Reivthia> | Logical. |
| 13:45 | < Namegduf> | Move SSH to a non-22 port. |
| 13:45 | < Namegduf> | Rather than messing with IP range restrictions. |
| 13:48 | < Reivthia> | 1) Security Through Obscurity Is Not Security. |
| 13:48 | < Reivthia> | 2) A university may have allowed port 22, and not others. What then? |
| 14:07 | <@TheWatcher> | Also, moving it is bugger all use if they portscan you |
| 14:08 | < Reivthia> | That would be the specific method of defeating it, which I was generalising to #1, yes. :) |
| 14:09 | < Reivthia> | oi TW |
| 14:09 | <@TheWatcher> | Yis? |
| 14:09 | < Reivthia> | PhPBB syntax to get a numbered list instead of bulletpoints? >_> |
| 14:10 | <@TheWatcher> | [list=1][*]... etc..[/list] |
| 14:10 | < Reivthia> | Ah, danke |
| 14:10 | | * Reivthia knew it must be one of those Simple things. |
| 14:11 | <@TheWatcher> | (you can also use [list=i] if you want roman numerals, or [list=a] to use a, b, c, etc) |
| 14:11 | < Reivthia> | Oh, awesome. |
| 14:11 | < Reivthia> | Cheers! |
| 14:14 | < Reivthia> | No way to get an image to shrink, is there? |
| 14:16 | < Namegduf> | TheWatcher: They can't portscan everyone. |
| 14:16 | < Namegduf> | Reivthia: It's not security through obscurity. |
| 14:16 | < Namegduf> | Security == Your password or SSH key. |
| 14:17 | < Namegduf> | As for 2, your own administrator/site's policies are not really the concern of general security advice |
| 14:18 | < Reivthia> | I would question that 'change the port number' really counts as 'securing an SSH server' nonetheless, however. |
| 14:18 | < Namegduf> | Reivthia: It reduces brute force attacks to 0. |
| 14:18 | < Namegduf> | This allows you to actually pay attention to them if they do start happening. |
| 14:18 | < Reivthia> | Unless they portscan you first, and /then/ brute force it. |
| 14:19 | | gnolam [lenin@Nightstar-38637aa0.priv.bahnhof.se] has joined #code |
| 14:19 | < Namegduf> | No, that's incorrect. |
| 14:19 | < Namegduf> | There's no "unless". |
| 14:19 | < Namegduf> | It practically does. |
| 14:19 | | * Reivthia will leave this to TheWatcher to sort out, for he is going to bed. |
| 14:19 | < Namegduf> | The reason for this is that portscanning is really slow, and they're brute forcing *everyone* |
| 14:19 | < Namegduf> | So it doesn't happen. |
| 14:19 | < Namegduf> | Moving off 22, at least to a non-obvious, not very low port, entirely removes the normal, constant hammering. |
| 14:20 | < Namegduf> | I run on 2012, and have observed it over over a year to be so. |
| 14:21 | < Namegduf> | I'd suggest "this lets you actually pay attention if people do start" as the closest thing to a security gain, but honestly if you're using the real answer, proper passwords and keys, the background brute forcing isn't a threat anyway, so shutting up the noise isn't security-related. |
| 14:22 | < Namegduf> | More "it's annoying" related. |
| 14:22 | < Namegduf> | I think it's silly to rely on "decrease the probability of brute force attacks" for strong security. |
| 14:24 | | * TheWatcher would rather just prevent everyone except specific locations try to access it |
| 14:24 | <@TheWatcher> | better to whitelist IPs than to trust nobody will work out your move |
| 14:25 | | ToxicFrog [ToxicFrog@ServerAdministrator.Nightstar.Net] has quit [Operation timed out] |
| 14:25 | < Namegduf> | I'm not trusting no one will work it out. |
| 14:25 | | SmithKurosaki [Smith@Nightstar-4c721de7.dsl.teksavvy.com] has quit [Ping timeout: 121 seconds] |
| 14:25 | < Namegduf> | If I was, I would neither have said it here, nor have the SSH port as part of the instructions for connecting to the NetHack server. |
| 14:25 | < Namegduf> | I'm trusting that the "brute force all server IP space" constant brute forcing will not care to adjust for my port difference |
| 14:26 | < Namegduf> | Which has been true. |
| 14:26 | | * TheWatcher would rather not trust /that/ either |
| 14:26 | < Namegduf> | Well, good thing, you're not, and you'd be silly to. |
| 14:26 | < Namegduf> | You'd also be silly to trust that you're not going to be brute forced by someone in your whitelisted IP ranges. |
| 14:27 | < Namegduf> | They serve much the same function of screening noise and reducing visibility |
| 14:27 | < Namegduf> | With password/key for the actual "trusted" security |
| 14:28 | <@TheWatcher> | My whitelisted IP ranges correspond to precisely 6 computers around the world |
| 14:28 | < Namegduf> | Why not just use private key only login? |
| 14:29 | < Namegduf> | If you have the luxury of that level of control, you can do that, and password brute forcing becomes immediately irrelevant |
| 14:29 | < Namegduf> | I'll admit that IP whitelisting is a lot better "weak" security in that case, but it's still weak security. |
| 14:30 | < Namegduf> | Because SSH is not supposed to trust everyone running networks between you and the server |
| 14:30 | < Namegduf> | And IP whitelisting does |
| 14:30 | <@TheWatcher> | For all but one of those machines, I do use key logins. |
| 14:30 | <@TheWatcher> | (the remaining one is a special case) |
| 14:31 | < Namegduf> | That is a case where IP whitelisting makes particular sense, and is probably recommendable. |
| 14:31 | <@TheWatcher> | PArt of my decision to stay on 22 and drop packets is because I specifically *want* the bastards to waste their time tryin. |
| 14:31 | < Namegduf> | I think generally, though, it's of the same class of security as port moving and other measures to reduce attacks, as it is not reliably strong; which fits easier varies. |
| 14:31 | < Namegduf> | They probably won't. |
| 14:32 | < Namegduf> | No response, move along. |
| 14:32 | < Namegduf> | If they're covering server IP ranges the way they seem to be, they probably hit a lot of blank holes. |
| 14:32 | <@TheWatcher> | Yep, but they have to wait to be sure there's no response |
| 14:32 | < AD[WarWalk]> | Oookay. Guess I must delve into iptables again. |
| 14:32 | <@TheWatcher> | so if I can add to that, yay! |
| 14:32 | < Namegduf> | Heh. |
| 14:32 | < Namegduf> | It's pretty minor, but okay. |
| 14:33 | <@TheWatcher> | Some might even call it petty |
| 14:33 | < AD[WarWalk]> | Last time I used it, I managed to create a firewall that permitted NOTHING but communication between apache and a browser. |
| 14:33 | < AD[WarWalk]> | When I wanted to run apt-get, I had to turn it off. |
| 14:33 | <@TheWatcher> | But frankly, it's just that little extra way of saying "Thanks for trying, smartarse" to them. ¬¬ |
| 14:33 | < Namegduf> | I never play with iptables much aside to redirect specific <1024 ports to >1024 ports. |
| 14:33 | < Namegduf> | TheWatcher: I used to get logs emailed to me when it happened. |
| 14:34 | < Namegduf> | They're not really a threat to a competently run box. |
| 14:34 | < Namegduf> | "root" was the only username they hit that actually existed and was non-system and usable |
| 14:34 | | SmithKurosaki [Smith@Nightstar-136edb74.cable.rogers.com] has joined #code |
| 14:34 | < Namegduf> | And I never have *passworded* SSH to root allowed. |
| 14:34 | < Namegduf> | I do use private key auth to root, with an encrypted SSH key. |
| 14:34 | | SmithKurosaki is now known as SK |
| 14:35 | < Namegduf> | Mostly because if it's decrypted and in memory, I'm already trusting the system for me to use to open SSH sessions, and if I've open SSH sessions, the game is already lost. |
| 14:35 | < Namegduf> | (And they compromise the system with the key, I mean) |
| 14:36 | < Namegduf> | Really, the best and only really "true" security as opposed to noise reduction advice I've heard is "if you can, use only key authentication" |
| 14:36 | < Namegduf> | Because it makes bruteforcing by password no longer even relevant; if you wanted to slow them up, you'd be best to just let them try. |
| 14:36 | < Namegduf> | But for a lot of people, that isn't realistic. |
| 14:37 | < Namegduf> | It involves only connecting from wherever you have your key, and only people with keys ever connecting. |
| 14:38 | < Namegduf> | Hmm. I think the most practical advice I'd really give is "restrict SSHable accounts, DO set good passwords, and as TheWatcher said, never ever make root bruteforcable" |
| 14:38 | < Namegduf> | Aside those I think almost all measures are just reducing the noise so you can watch it better. |
| 14:39 | < AD[WarWalk]> | At the moment, what I want from SSH is being able to tap into irssi running from home. |
| 14:39 | < Namegduf> | Yeah, that's what I use it for. |
| 14:39 | < Namegduf> | Hrm. |
| 14:39 | < AD[WarWalk]> | Likely only ever from my laptop. |
| 14:40 | < Namegduf> | Yeah, just disallow root login outright. |
| 14:41 | < AD[WarWalk]> | I thought it was disallowed by default. |
| 14:41 | < Namegduf> | Nope. |
| 14:41 | < AD[WarWalk]> | That's silly. |
| 14:41 | < Namegduf> | Well, by default, non-root users don't exist. |
| 14:41 | < Namegduf> | Strictly speaking. |
| 14:41 | < Namegduf> | But it is kinda silly. |
| 14:42 | < Namegduf> | Honestly, the only cases I've heard the server hosting guys talk about with SSH compromise involved people setting terrible passwords. |
| 14:42 | | * TheWatcher shudders |
| 14:42 | < AD[WarWalk]> | asd? :P |
| 14:43 | < Namegduf> | AD[WarWalk]: I've reset people's passwords here and there to "just the letter a" before |
| 14:43 | < Namegduf> | It's my way of saying "Yeah, the last one I reset it to, I don't think you can type." |
| 14:43 | < Namegduf> | What's more, it was true. |
| 14:43 | < Namegduf> | These are people I know and actually trust to fix it to something real after, though. |
| 14:43 | <@TheWatcher> | I don't even want to think of the number of times I've seen 'password' or '12345' as passwords on things >.< |
| 14:43 | < Namegduf> | Yeah. |
| 14:43 | < Namegduf> | The only real times I've heard of it happening were idiots who set that kind of thing as their root pass |
| 14:44 | < Namegduf> | AND left it on 22, unsecured in any other respect, and SSHable |
| 14:45 | < Namegduf> | Admittably, it's probably an artifact of the way server hosting hands out things with an SSHable root as standard, just with a decent randomly generated pass. |
| 14:45 | < Namegduf> | It's begging for people to just change that pass to "one they can remember" and not secure it at all. |
| 14:45 | | Reivthia [orthianz@Nightstar-3980e5bc.xnet.co.nz] has quit [Ping timeout: 121 seconds] |
| 14:45 | < Namegduf> | I've had that happen *every* time I've gotten hosting. |
| 14:46 | < Namegduf> | I don't know if I'm just having really weird luck, but I doubt it. |
| 14:46 | < AD[WarWalk]> | Dropping packets from everything but specified IPs seems unrealistic for me, since I connect to the tubes with my laptop via several networks. |
| 14:47 | < Namegduf> | Me too. I think it depends on usage. |
| 14:47 | < PinkFreud> | on any public-facing ssh servers, root *should*, at the very least, be restricted to key-only |
| 14:47 | < AD[WarWalk]> | Will having a sudo set up for a SSHable user be a problem? |
| 14:47 | < Namegduf> | AD[WarWalk]: IMO, yes |
| 14:48 | < AD[WarWalk]> | Hmm. |
| 14:48 | < Namegduf> | But you can probably rely on "strong security" in your case for a decent pass/key for it |
| 14:48 | < Namegduf> | Well, assuming its passwordless/own password sudo. |
| 14:48 | < AD[WarWalk]> | Own password sudo. |
| 14:48 | < AD[WarWalk]> | I don't know how to set up a different password sudo. |
| 14:49 | < Namegduf> | The third, more unusual configuration is "target user's password" |
| 14:49 | < Namegduf> | In which case it works like being able to use su, mostly. |
| 14:52 | | You're now known as TheWatcher[afk] |
| 14:54 | < Namegduf> | AD[WarWalk]: Sorry, misread. |
| 14:55 | < Namegduf> | The answer is that I think a sudo for an SSHable user is the equivalent of SSHable root |
| 14:55 | < Namegduf> | In terms of real security; it's less likely to be brute forced at random, but in the scenario of someone getting your username and trying... |
| 14:56 | < Namegduf> | It may or may not be a problem, but should probably be considered as such, basically, in my view. |
| 14:56 | < Namegduf> | I would do it, but be aware of the need to make sure the password was a strong one, if I wasn't using key auth. |
| 14:57 | < Namegduf> | I wonder whether anyone else has any more advanced opinions on it. |
| 14:57 | < AD[WarWalk]> | Is it possible to simply whitelist commands that may be issued to the terminal via SSH? |
| 15:00 | < Namegduf> | Hmm. |
| 15:00 | < Namegduf> | Sort of. |
| 15:01 | < Namegduf> | You can force them to run a specific command on connect-at least if using a key- which can give them a restricted shell or similar. |
| 15:01 | < Namegduf> | But can you stop them using irssi's /exec? |
| 15:01 | < Namegduf> | It's rather hard to do reliable security that way. |
| 15:02 | < AD[WarWalk]> | I see. |
| 15:03 | < AD[WarWalk]> | Pity there isn't a built-in way, like a normal user getting 'command not found' on trying to perform a su-only action or something. |
| 15:22 | | Rhamphoryncus [rhamph@Nightstar-8931f88f.abhsia.telus.net] has joined #code |
| 15:22 | | AD[WarWalk] [Administrator@Nightstar-2367ae35.gprs.plus.pl] has quit [[NS] Quit: GONE.] |
| 15:53 | | Serah [Z@3A600C.A966FF.5BF32D.8E7ABA] has quit [Ping timeout: 121 seconds] |
| 17:20 | <@AnnoDomini> | Is it even possible to get key authentication using PuTTY on Windows, to connect? |
| 17:23 | < PinkFreud> | yes |
| 17:23 | < PinkFreud> | use pageant |
| 17:23 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has joined #code |
| 17:45 | | You're now known as TheWatcher |
| 17:54 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [Ping timeout: 121 seconds] |
| 18:10 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has joined #code |
| 18:22 | | ToxicFrog [ToxicFrog@ServerAdministrator.Nightstar.Net] has joined #code |
| 18:22 | | mode/#code [+o ToxicFrog] by Reiver |
| 18:22 | | SK [Smith@Nightstar-136edb74.cable.rogers.com] has quit [[NS] Quit: Leaving] |
| 18:23 | | SmithKurosaki [Smith@Nightstar-e241a42d.dsl.teksavvy.com] has joined #code |
| 19:27 | <@TheWatcher> | Anyone run into problems with sending Ctrl+D to processes reading from stdin under cygwin on Vista. I have a student saying that it's not sending eof as expected... |
| 19:27 | <@ToxicFrog> | N/A, don't have vista. |
| 19:57 | <@McMartin> | TW: If they aren't running in bash, but instead under cmd.exe, they should maybe try the DOS/Win32 EOF key, Ctrl+Z |
| 19:57 | <@McMartin> | This is untested as I stick with MSYS whenever possible, but it's at least worth a shot |
| 19:58 | <@TheWatcher> | McM: Cygwin was installed as Ctrl+Z was apparently just echoing ^Z to the screen under cmd.exe |
| 19:58 | <@McMartin> | OK, *that* is weird. |
| 19:58 | <@McMartin> | Oop, or not |
| 19:58 | | * McMartin tests on Windows 7. |
| 19:59 | <@McMartin> | If you're in line input mode, Ctrl-Z then Enter to make it go. |
| 19:59 | <@McMartin> | (That's with the Python terp, which uses this as its cmdline exit.) |
| 20:00 | <@TheWatcher> | I'll pass that on, thanks |
| 20:07 | <@McMartin> | Again, that's without cygwin and just a stock terp |
| 20:08 | <@McMartin> | But if it's not the UNIX standard and it doesn't work in cmd.exe, it's unlikely to work under cygwin either |
| 20:30 | | Tarinaky [Tarinaky@Nightstar-84ed18c5.adsl.virginmedia.net] has quit [Ping timeout: 121 seconds] |
| 20:37 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [[NS] Quit: The world is so funny sometimes; I often forget to laugh.] |
| 20:41 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has joined #code |
| 20:41 | | celticminstrel [celticminstre@Nightstar-f8b608eb.cable.rogers.com] has joined #code |
| 20:44 | | Tarinaky [Tarinaky@Nightstar-c3db101d.adsl.virginmedia.net] has joined #code |
| 21:07 | | * Vornicus-Latens pokes a bit at LZW bitpacking. |
| 21:25 | | Serah [Z@26ECB6.A4B64C.298B52.D80DA0] has quit [Ping timeout: 121 seconds] |
| 21:34 | | Vornicus-Latens is now known as Vornicus |
| 22:20 | | AnnoDomini [annodomini@Nightstar-fdc81046.adsl.tpnet.pl] has quit [[NS] Quit: Blurgh.] |
| 22:30 | | Thaqui [Thaqui@27B34E.D54D49.F53FA1.6A113C] has joined #code |
| 22:56 | | Serah [Z@3A600C.A966FF.5BF32D.8E7ABA] has joined #code |
| 23:31 | | You're now known as TheWatcher[T-2] |
| 23:42 | | Tarinaky [Tarinaky@Nightstar-c3db101d.adsl.virginmedia.net] has quit [Ping timeout: 121 seconds] |
| 23:43 | | Tarinaky [Tarinaky@Nightstar-c3db101d.adsl.virginmedia.net] has joined #code |
| 23:46 | | celticminstrel [celticminstre@Nightstar-f8b608eb.cable.rogers.com] has quit [[NS] Quit: *hums* Can't stay now!] |
| 23:47 | | Alek [omegaboot@Nightstar-c531ef76.il.comcast.net] has quit [[NS] Quit: ] |
| 23:48 | | Tarinaky [Tarinaky@Nightstar-c3db101d.adsl.virginmedia.net] has quit [Ping timeout: 121 seconds] |
| 23:50 | | Alek [omegaboot@Nightstar-c531ef76.il.comcast.net] has joined #code |
| 23:50 | | You're now known as TheWatcher[zZzZ] |
| 23:50 | < Alek> | hah |
| 23:50 | < Alek> | Chrome still has leaks. |
| 23:50 | < Alek> | even in private mode. |
| 23:52 | < Alek> | if a window freezes, it freezes the whole shebang. you can still switch between some items, and there's minor functionality in full-screen stuff that grabs all the attention, but it freezes on state transitions too. |
| 23:55 | | Tarinaky [Tarinaky@Nightstar-c3db101d.adsl.virginmedia.net] has joined #code |
| --- Log closed Thu Mar 18 00:00:37 2010 |