Coin,
As usual, we are so busy that we didn't really have time to give much
news. Here are a few unsorted news items to quickly fill the gap.
=== Security Problem ===
Due to a "BIG security issue"[1] in Debian, our software was quickly
upgraded to fix the issue, but this is not sufficient, and
keys/certificates are weak and must be regenerated.
For the SSH host keys, they are being regenerated today, and new
fingerprints will be advertised in DNS via SSHFP entries (there is no
validation of such entries yet, but it is better than nothing). That is
to say: you SHOULD verify you get the following message when you try to
log back into our machines after removing the old keys in
'~/.ssh/known_hosts':
Matching host key fingerprint found in DNS.
Complete session initialization would be like the following:
# ssh root@toushirou.duckcorp.org
The authenticity of host 'toushirou.duckcorp.org (2001:7a8:800:6666::1)' can't be established.
RSA key fingerprint is 77:40:c9:c1:f3:cc:17:22:67:50:8d:3d:1f:39:bd:46.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
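Added example (not part of the original announcement, and not DuckCorp's own tooling): the MD5 fingerprint ssh prints and the SHA-1 value published in an SSHFP record (RFC 4255) are both hashes of the same public key blob, so either can be recomputed from a host's public key line and compared. The sample key is constructed filler, and the function names are this example's own.

```python
import base64
import hashlib
import struct

# RFC 4255: SSHFP key algorithm numbers (RSA, DSA); fingerprint type 1 is SHA-1.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mpint(n):
    """SSH wire 'mpint' for a positive integer (zero byte added if top bit set)."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed sample: the modulus is filler bytes, not a real RSA key.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4, "big") | 1
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(SAMPLE_N)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

def parse_pubkey(line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with its own length-prefixed type name; both must agree.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def md5_fingerprint(line):
    """Colon-separated MD5 of the blob, the format ssh prints in the session above."""
    digest = hashlib.md5(parse_pubkey(line)[1], usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sshfp_rdata(line):
    """(algorithm, fingerprint type, hex SHA-1) as published in an SSHFP record."""
    key_type, blob = parse_pubkey(line)
    return SSHFP_ALGO[key_type], 1, hashlib.sha1(blob).hexdigest()

def matches_dns(line, record):
    """Compare a key with SSHFP RDATA text such as '1 1 <40 hex digits>'."""
    algo, fp_type, hexfp = record.split()
    return (int(algo), int(fp_type), hexfp.lower()) == sshfp_rdata(line)

if __name__ == "__main__":
    print("ssh prompt fingerprint:", md5_fingerprint(SAMPLE_LINE))
    print("SSHFP RDATA:", *sshfp_rdata(SAMPLE_LINE))
```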
For users' SSH keys, you should take care of them yourself, and verify
that yours are not weak with the Debian-provided tool. Soon the weak
ones will be blacklisted and won't work anymore (and you know you cannot
log into DC's machines with passwords). If you could not fix your keys
and '~/.ssh/authorized_keys' in time, just contact us to manually insert
a new key.
For the services' certificates, they are being regenerated soon too,
and as our CA (certificate authority) is not compromised, it should be
invisible to you.
=== HQ Unavailability ===
A few weeks ago, you might have experienced unavailability of the HQ
and the few public services hosted in there. The ADSL problem seems to
be closed, and we are trying to improve service redundancy for the
future.
=== Jabber Issues ===
As said above, we are trying to improve the availability of HQ-hosted
services, and Jabber is one of the most important ones. We added another
Jabber server to make a cluster, which is totally invisible to the
users. Unfortunately, it was more difficult than expected, and the
downtime was followed by a long time with screwed up rosters. We managed
to reinject rosters, but with a not so fresh backup. Most of our
contacts were retrieved, though, and it should be working fine now.
=== Backup Downtime ===
We just managed to restart our backup server, which was down because of
hardware problems for about 3 weeks. It seems fresher stuff is needed
here.
=== Homes Synchronization ===
Arnau worked well coding a nice script which daily synchronizes hidden
files/directories in your home (those beginning with a dot, mostly
configuration files) across our machines. People allowed to log into
several machines won't have to manually copy their configuration files
and keys and stuff.
Have FUN... :-/
[1] http://www.us.debian.org/security/2008/dsa-1571
--
Marc Dequènes (Duck)