
LCFG Project

Weekly Changes – 04/10/2021

This is looking like one of our busiest weeks for a while, with quite a range of changes. Mostly these are focussed on the Ubuntu platform which sees changes for the network and openssh components. Here are all the details…

Ubuntu networking

Testing of the network component on a DICE Ubuntu machine with an additional VLAN interface revealed an issue with the way the IP address is found for a hostname when the ipaddr_$ resource for an interface is set to auto (for example ipaddr_eth0=auto). Investigations revealed that this was caused by a misconfiguration of the gai.conf file on DICE Ubuntu machines.

On DICE Ubuntu the gai.conf file is managed using the gaiconf component. This is new for Ubuntu; previously, on SL7, it had been managed as part of the dns component (which has not yet been ported to Ubuntu). On SL7 the default precedence rules were taken from RFC 3484; on Ubuntu they come from the newer RFC 6724. When a hostname resolved to multiple addresses, a problem arose with the order in which the addresses were returned. This was because we had used the same local precedence values on Ubuntu as on SL7, but they were not actually appropriate for the newer RFC’s default values.

Further to this, some modifications were made to the Systemd service files for the gaiconf and network components. The gaiconf component needs to start after the network-online.target is reached so that it can check the addresses of the network interfaces. The network component needs to start after gaiconf so that the results of lookups for addresses are in the correct order.

On DICE we have also added the gaiconf component to the install.installmethods resource list (and the package list for the installbase profile). The gai.conf file is now configured during the install, immediately before the network component, so that the netplan configuration is correct for the first reboot.

openssh

On Ubuntu the openssh component schema has been updated to version 2 and the component has gained support for generating conditional match blocks in the server configuration file (sshd_config). This can be used to restrict configuration options by User, Group, Host, LocalAddress, LocalPort, RDomain, and Address.

There is a new sshdmatches tag list which has sub-resources for the pattern to match and the list of options which apply. See the lcfg-openssh(8) manual page for full details; here’s an example:

LCFG_OPENSSH_SSHD_OPT(PermitRootLogin,no)

!openssh.sshdmatches                        mADD(inf)
openssh.sshdmatch_pattern_inf               Host *.lcfg.org
openssh.sshdmatch_opts_inf                  PermitRootLogin
openssh.sshdmatch_opt_inf_PermitRootLogin   prohibit-password

which generates:

PermitRootLogin no

Match Host *.lcfg.org
    PermitRootLogin prohibit-password

This prohibits root logins entirely from hosts which are not in the lcfg.org domain and limits them to password-less logins (e.g. GSSAPI or a key) when connecting from that domain.

It is possible to have multiple Match blocks. Order is significant, so they are generated in the order in which they are specified in the sshdmatches tag list.
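As an added illustration of the generation step described above (this is not the lcfg-openssh component’s own code), a small Python renderer that turns compiled resource lines like those in the example into the sshd_config fragment, checking each Match criterion against the list of permitted keywords and preserving tag-list order. The sample resources are constructed from the example; the mADD(inf) mutation is shown already compiled into the plain tag list.

```python
# Match criteria keywords accepted by sshd (the set listed in the post).
MATCH_CRITERIA = {"User", "Group", "Host", "LocalAddress", "LocalPort", "RDomain", "Address"}
# Constructed sample: the post's resources after the profile is compiled, so the
# mADD(inf) mutation has become the plain tag list "inf".
SAMPLE_RESOURCES = """
openssh.sshdmatches                        inf
openssh.sshdmatch_pattern_inf              Host *.lcfg.org
openssh.sshdmatch_opts_inf                 PermitRootLogin
openssh.sshdmatch_opt_inf_PermitRootLogin  prohibit-password
"""

def parse_resources(text):
    """Parse 'component.resource value' lines into a dict; the value may be empty."""
    res = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if fields:
            res[fields[0]] = fields[1] if len(fields) > 1 else ""
    return res

def check_pattern(pattern):
    """A pattern is 'Criterion value [Criterion value ...]'; reject unknown criteria."""
    words = pattern.split()
    if len(words) < 2 or len(words) % 2:
        raise ValueError(f"malformed Match pattern: {pattern!r}")
    for crit in words[0::2]:
        if crit not in MATCH_CRITERIA:
            raise ValueError(f"unknown Match criterion {crit!r} in {pattern!r}")
    return pattern

def render_match_blocks(res, prefix="openssh."):
    """One block per tag, in sshdmatches order; sshd keeps the first value it obtains for a keyword."""
    blocks = []
    for tag in res.get(prefix + "sshdmatches", "").split():
        pattern = check_pattern(res.get(f"{prefix}sshdmatch_pattern_{tag}", ""))
        lines = [f"Match {pattern}"]
        for opt in res.get(f"{prefix}sshdmatch_opts_{tag}", "").split():
            value = res.get(f"{prefix}sshdmatch_opt_{tag}_{opt}", "")
            lines.append(f"    {opt} {value}".rstrip())
        blocks.append("\n".join(lines))
    return blocks

def render_sshd_config(res, global_opts):
    """Global options come first: everything after the first Match line is conditional."""
    parts = [f"{name} {value}" for name, value in global_opts]
    parts.extend(render_match_blocks(res))
    return "\n\n".join(parts) + "\n"

if __name__ == "__main__":
    print(render_sshd_config(parse_resources(SAMPLE_RESOURCES), [("PermitRootLogin", "no")]), end="")
```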

The SL7 platform uses a much older version of the openssh component. Upgrading to the new version should be possible but will require a lot of testing; if you want this feature on SL7, please test it and let us know how you get on.

xscreensaver

We recently discovered that, although xscreensaver processes the account section of the PAM stack, by default it does NOT honour the result. This means that if any module in the account section for xscreensaver fails, it will not block the login. This is considered a feature and can only be changed by recompiling the code with the --enable-pam-check-account-type=yes option. See the driver/passwd-pam.c source file for full details; the comments are:

      /* On most systems, it doesn't matter whether the account modules
         are run, or whether they fail or succeed.

         On some systems, the account modules fail, because they were
         never configured properly, but it's necessary to run them anyway
         because certain PAM modules depend on side effects of the account
         modules having been run.

         And on still other systems, the account modules are actually
         used, and failures in them should be considered to be true!

         So:
         - We run the account modules on all systems.
         - Whether we ignore them is a configure option.

         It's all kind of a mess.
       */

We consider this to be a bug: if a PAM module has problems then the results can be managed appropriately within the PAM configuration file (it’s even possible to redefine failure as success…), so we have recompiled the software, and the lcfg/options/xscreensaver.h header now includes the locally-built version. We don’t expect this to cause problems for other sites, as it is likely that the account section of the xscreensaver PAM configuration is inherited from the common-account file.

DICE ACLs

On DICE, instances where ALL is used to permit login access are being eradicated. They are being replaced with entitlements (i.e. netgroups). In most cases this will not result in any change to the list of users who are allowed access. The new approach has a number of benefits: it is easier to manage if we need to change which users are permitted, it supports grace periods for expiring accounts, and it is generally clearer which groups are expected to have access. It also improves security, since local accounts (e.g. test users) are not unintentionally given access to lots of machines just because they exist in the KDC.

x509 component

Extra dependencies have been specified for the sixkts package on Ubuntu; this fixes bug#1284.

PostgreSQL

LCFG headers have been added to support the new PostgreSQL version 14 release.

There are also security updates for older versions: 9.6.23, 11.13, 12.8, 13.4.

ca-certificates

The Ubuntu Focal update for the ca-certificates package is now part of the standard updates list, so it has been removed from the override package list. This is related to the recent Let’s Encrypt certificate expiration issue.
