ML
    • EddieJenningsE

      sssd and user ID mapping

      IT Discussion linux sssd authentication ad active directory
      14
      0 Votes
      14 Posts
      3k Views
      1

      @stacksofplates said in sssd and user ID mapping:

      @Pete-S said in sssd and user ID mapping:

      @Semicolon said in sssd and user ID mapping:

      @Pete-S If it is an issue, it's trivial enough to prevent public key authentication for users or groups of users, even groups of AD users.

      Sure, but the problem for developers and admins is that they usually need their keys. That's why I don't think ad/ldap integration with ssh users really works in that use case.

      The other solution, which is what I think is more suitable for developers and admins, is to use your SSO/AD solution with MFA to pickup a short-lived ssh certificate. Then you use the ssh certificate to actually access things.
      Many companies with huge infrastructures use this method because it's very scalable.

      We forced kerberos for SSH auth after we enabled AD integration. SSH works like keys then but you don't use the keys.

      Never used it but it seems to be a good solution if you want AD integration.

      I noticed that gitlab also supports kerberos for pushing and pulling. I assume github does too. That's very convenient.

    • scottalanmillerS

      Remote Access to Ubuntu 23.04 Lunar Lobster with KVM Child Process Has Exited | MeshCentral Error

      IT Discussion linux ubuntu ubuntu 23.04 lunar lobster xorg wayland unix gdm3 gdm
      2
      2 Votes
      2 Posts
      762 Views
      PhlipElderP

      Side question: When does 23.04 get moved into LTS mode?

    • scottalanmillerS

      What Happens If You Alias An Entire Domain in Postfix Email Server?

      IT Discussion postfix email linux ubuntu rhel centos debian
      1
      0 Votes
      1 Posts
      370 Views
      No one has replied
    • scottalanmillerS

      Find Windows OEM Key License from Linux

      IT Discussion linux windows cli command line
      4
      5 Votes
      4 Posts
      738 Views
      whitecatW

      LOL...absolutely!

      SAM...making IT better for humans...have an extra avatar on us....

    • scottalanmillerS

      Allow Binaries on Linux to Run on Well Known Privileged Ports

      IT Discussion linux debian ubuntu
      10
      0 Votes
      10 Posts
      1k Views
      scottalanmillerS

      @Obsolesce said in Allow Binaries on Linux to Run on Well Known Privileged Ports:

      @Pete-S said in Allow Binaries on Linux to Run on Well Known Privileged Ports:

      If you search for net_bind you would assume it would find both these posts but it finds nothing.

      It seems to only search "words", and that isn't a word or part of a word.

      That does seem to be the case. It's not smart at all.

    • scottalanmillerS

      Linux Command Line Humble Bundle | I Got In!

      IT Discussion linux
      1
      3 Votes
      1 Posts
      239 Views
      No one has replied
    • OksanaO

      A Sure-Fire Way to Backup ZFS Partitions With Veeam

      Starwind starwind veeam linux backup zfs virtualization virtual machine
      1
      0 Votes
      1 Posts
      373 Views
      No one has replied
    • scottalanmillerS

      ProxMox: Set VM to AutoStart from Command Line CLI Start

      IT Discussion qm proxmox kvm command line cli linux debian
      5
      1 Votes
      5 Posts
      1k Views
      scottalanmillerS

      @Pete-S said in ProxMox: Set VM to AutoStart from Command Line CLI Start:

      Nice but it's even easier with pure kvm as you don't have to go the roundabout way of using VMid.

      virsh autostart somevm

      Personally I find the number quite a bit easier.

    • scottalanmillerS

      Bind Linux Process to Well Known Web Ports When Not Root

      IT Discussion linux centos rhel ubuntu fedora arch suse mint
      2
      2 Votes
      2 Posts
      731 Views
      1

      @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

      If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

      Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

      setcap cap_net_bind_service+ep /my/binary/file

      Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

      Good to know!

      I found this as an example of how to use it and also commands to remove the permission:
      https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

      The setcap utility seems to be available in the libcap2-bin package on debian distros.

      I haven't checked if it's installed by default.

    • scottalanmillerS

      ProxMox 6 to 7 Upgrade pve-apt-hook error Remove proxmox-ve

      IT Discussion proxmox debian linux
      2
      0 Votes
      2 Posts
      1k Views
      scottalanmillerS

      It's an easy fix. Sometimes the directions for the upgrade don't account for the source location of the APT REPO for ProxMox. Check your /etc/apt files and see where your repo is configured. If you are going from Buster to Bullseye for example, make sure that you have this line somewhere and the error should go away...

      deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
    • OksanaO

      Rocky Linux Upgrade: From 8.x to Rocky Linux 9.0

      Starwind starwind rocky linux linux
      1
      1 Votes
      1 Posts
      372 Views
      No one has replied
    • scottalanmillerS

      Debian Packages Not Trusted, APT Linux

      IT Discussion debian debian 11 apt apt-get apt-secure linux
      16
      0 Votes
      16 Posts
      1k Views
      scottalanmillerS

      Thanks, we are up and running again!

    • OksanaO

      Enhance Your Hybrid Cloud Environment Security with SSSD

      Starwind starwind sssd linux vms active directory
      1
      1 Votes
      1 Posts
      336 Views
      No one has replied
    • 1

      Turn server into backup storage for remote servers?

      IT Discussion backup object storage repositories linux
      18
      1 Votes
      18 Posts
      1k Views
      1

      @Yonah-S said in Turn server into backup storage for remote servers?:

      @Pete-S Have you thought of selling it? There is a big market right now for getting rid of old/unused hardware. Especially if you have any SSDs in there.

      Thanks, but we're keeping it. Just want to extract the maximum value out of it while it's occupying rack space 🙂

    • 1

      Utility that can load the CPU & RAM?

      IT Discussion linux
      2
      1 Votes
      2 Posts
      215 Views
      scottalanmillerS

      There is a utility called stress for that. I've never used it myself. But here is a guide, should be easy.

      https://www.linuxshelltips.com/create-cpu-load-linux/

    • 1

      SSH jump server access control?

      IT Discussion ssh acl jump server linux
      34
      0 Votes
      34 Posts
      2k Views
      V

      Youtube Video

    • 1

      Save shell session to disk?

      Unsolved IT Discussion linux
      14
      2 Votes
      14 Posts
      825 Views
      JaredBuschJ

      @Pete-S said in Save shell session to disk?:

      That's why you should launch ssh like this:
      ssh [email protected] -t screen -RR
      If you don't have a session going it will create one.
      If you had a session going but it was interrupted, it will reconnect to it automatically.

      @JaredBusch said in Save shell session to disk?:

      I do not like to launch screen for no reason.

    • openitO

      SUSE Manager for managing CentOS and SUSE servers.

      IT Discussion linux patching open source suse centos
      4
      0 Votes
      4 Posts
      756 Views
      scottalanmillerS

      @travisdh1 said in SUSE Manager for managing CentOS and SUSE servers.:

      @openit said in SUSE Manager for managing CentOS and SUSE servers.:

      Hi there,

      Anyone of you ever came across SUSE Manager?

      While it is saying open source and it is letting to download evaluation copy with subscription key on email?

      I believe SUSE Manager kind product I'm looking, especially for patching CentOS and SUSE servers.

      Any clue?

      Why not use Ansible or Salt?

      These are what I'd generally recommend.

    • R

      Jitsi Meet authentication does not work in latest version

      IT Discussion linux docker jitsi meet security+ asterisk
      1
      0 Votes
      1 Posts
      459 Views
      No one has replied
    • OksanaO

      Operate Linux Servers via Cockpit GUI

      Starwind starwind cockpit linux linux server
      2
      2 Votes
      2 Posts
      348 Views
      scottalanmillerS

      I love Cockpit, it's so comfortable to use.
