Talk:Sysadmin

From Computer Club Wiki

UberYakko decisions

SSH/SSL Keys

  • copy our keys to new server?
  • vulnerable?
  • if not, post fingerprints to website and warn users

Thoughts

  • probably best to make fresh keys. 'starting over' from a security standpoint could be helpful Hacknight 17:56, 14 October 2008 (EDT)
  • The temporary yakko replacement has had new keys generated already; those keys would probably be safe to use to avoid people needing to clear out entries from their known_hosts files a 2nd time. The original keys are also probably (mostly) safe since the suspected attackers aren't really in a position to eavesdrop on our encrypted traffic, but we've already moved on, so no point going back to those. I do not have a preference for current keys vs. whatever keys are on uber yakko, but I would ask that the home page contain a news item with the new fingerprint on the day of the switch (ideally the home page would also have a valid SSL cert signed by a trusted CA, but Meh.) drc 11:03, 05 December 2008 (EDT)

Copying expired users

  • archive old users
  • remove old users from ldap
  • chris suggests we keep them

Thoughts

  • copy all users, deal with 'archiving' later Hacknight 17:57, 14 October 2008 (EDT)

Separation by year

  • why we started to do it
  • will it simplify or complicate ldap
  • broken hard paths
  • decision to make: change or keep separation by year?

Thoughts

  • keep separation, saves a lot of upgrade headache Hacknight 17:49, 14 October 2008 (EDT)

Separate machine

  • parallel or from LDAP only
  • separate machine - not secure otherwise
  • decision to make: LDAP or parallel? separate machines?

Thoughts

  • LDAP would be ideal, perhaps supplemented by a few accounts in /etc/passwd in case things get borked. how about only turning on ldap for particular machines on a case-by-case basis. ie: members can all access yakko/rita, but dot only if they ask nicely Hacknight 18:01, 14 October 2008 (EDT)

GB card on rita

  • VLAN? maybe. ask cotton
  • get a switch? use the existing 1gb?

Thoughts

  • don't bother, what does rita need 1gb for? Hacknight 17:54, 14 October 2008 (EDT)
  • I think the club needs to have gig-e going at some point since it's in the wall. We just need a switch and 2 Intel Pro cards for Rita, or whatever else becomes the vpn box in the club. Crowbar 3:30, 16 October 2008 (EDT)
  • Rita now does have dual Intel gig-e cards that were implemented at the beginning of the semester by myself, Crowbar, and drc. I think the next thing to think about is upgrading to a gig-e switch for the office because as of right now, we are using a gigabit uplink card in a Cisco fast Ethernet switch. The media server (batman), my pc, kyle's pc, uberServer (1U dual 2.8ghz rack server) all have gigabit cards and could make use of a switch. aka_butters 14:45, 3 February 2009 (EST)

boxes in parkview

  • VPN/GW(?) (900 MHz p3) = asterisk, diskspace, syslog
  • yakko (new)
  • Kerb/LDAP (master) no need
  • available nics (2 in sentinel, 2 free), 1 in uber, (1 or 2?) built in, in each rack mounted machine

Thoughts

  • installed a second nic intel pro gig-e card in uber yakko. crowbar

separation

  • no real issue according to ed.

separate LDAP/Kerb

  • no real advantage to keeping separate box

Gb nic for office/PV

  • 2 Gb nics for PV
  • machine Rita will need 2 + switch
    • this is a wishlist item
    • see if we need it
    • maybe vlan the kohrman room

Rollover time table

  • december is realistic
  • rollover issues - version differences

Thoughts

  • rollover issues - we won't catch them all. better to just set a date and tell people to pay attention when things get lit up. Hacknight 18:05, 14 October 2008 (EDT)
  • december - how about december 6th? (first saturday) Hacknight 18:07, 14 October 2008 (EDT)

New time table

  • I think we need to set up a new time table and actually follow it. aka_butters 14:49, 3 February 2009 (EST)

IRC

  • backup on the Vm for univad

Passwords

  • Jay recommends passwords of 8+ characters with at least 1 uppercase letter, 1 lowercase letter and 1 number
  • force all old passwords to expire after 30 days when we move
  • make it 180 days after that
  • remove similar, palindrome, rote and similar
  • Install DenyHosts to lower the chance of a brute force via SSH
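
One way to express the password rules listed above as a check, as an added example that is not the club's own code. The function names, the 0.7 similarity threshold and the reading of "rote" as a rotation of the old password are assumptions; the page gives none of them.

```python
import difflib

MIN_LENGTH = 8           # "8+" from the list above
SIMILARITY_LIMIT = 0.7   # assumed threshold; the page gives no number


def is_rotation(new, old):
    """True if `new` is `old` with its characters rotated, e.g. 'abc1' -> 'bc1a'."""
    return len(new) == len(old) and new != old and new in old + old


def check_password(new, old=""):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in new):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in new):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in new):
        problems.append("no number")

    # Compare case-insensitively so a case-only change does not slip through.
    folded = new.lower()
    if len(new) > 1 and folded == folded[::-1]:
        problems.append("palindrome")

    if old:
        old_folded = old.lower()
        if folded == old_folded:
            problems.append("same as old password")
        elif folded == old_folded[::-1]:
            problems.append("old password reversed")
        elif is_rotation(folded, old_folded):
            problems.append("rotation of old password")
        elif difflib.SequenceMatcher(None, folded, old_folded).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to old password")
    return problems
```

The checks against the old password only work at change time, when the user has just typed the old password; stored hashes cannot be compared for similarity.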

Version
