UNIX.dog

Announcements

These announcements are also available over RSS: just add .rss to the path here.
Also, all announcements are signed with the following PGP key:

67A3 9437 8618 B72E B4D5  CC69 B0EB E117 49B9 9367 alpha@unix.dog

so you can verify their authenticity. When a new announcement is out, you should also receive an email if you're registered.
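Checking a downloaded signature against the key above, as an added example (this is not a script from the UNIX.dog page). "Good signature" from gpg only means the signature matches some key in your keyring, so the check below reads gpg's machine-readable --status-fd output and accepts only when the VALIDSIG line names the pinned fingerprint. The file names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature on an announcement and
# accept it only if it was made by the pinned key. gpg reports VALIDSIG as
#   [GNUPG:] VALIDSIG <signing-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-fpr>
# so the signing key is field 3 and, when a subkey signed, the primary key
# is field 12 (field 1 is "[GNUPG:]", field 2 is "VALIDSIG").

PINNED_FPR='67A3 9437 8618 B72E B4D5  CC69 B0EB E117 49B9 9367'   # from the page

# status_has_pinned_validsig STATUS_TEXT FINGERPRINT
# Returns 0 only if a VALIDSIG line names FINGERPRINT as the signing key
# or as the primary key of the signing subkey. Spaces and case are ignored.
status_has_pinned_validsig() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($12) == want) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# verify_announcement SIGNATURE_FILE ANNOUNCEMENT_FILE
# Runs gpg for real and applies the pinned-fingerprint rule. The key must
# already be imported; gpg cannot validate a signature from an unknown key.
verify_announcement() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || :
    status_has_pinned_validsig "$status" "$PINNED_FPR"
}

# Constructed status output shaped like gpg's, to exercise the rule offline.
# Field 3 (signing subkey) is a placeholder; field 12 is the page's key.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B0EBE11749B99367 alpha@unix.dog
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-08-06 1691344556 0 4 0 22 10 00 67A394378618B72EB4D5CC69B0EBE11749B99367'

# Constructed: a valid signature, but from some other key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 someone@example.invalid
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2023-08-06 1691344556 0 4 0 22 10 00 1111111111111111111111111111111111111111'

# Constructed: a signature that failed (gpg emits no VALIDSIG line at all).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG B0EBE11749B99367 alpha@unix.dog'

show() {   # show LABEL STATUS_TEXT -> prints accept/reject for that status
    if status_has_pinned_validsig "$2" "$PINNED_FPR"; then
        printf '%-12s accept\n' "$1"
    else
        printf '%-12s reject\n' "$1"
    fi
}

show pinned-key "$SAMPLE_OK"
show other-key  "$SAMPLE_OTHER_KEY"
show bad-sig    "$SAMPLE_BAD"
```

For a real announcement, import the key once, then run `verify_announcement announcement.txt.asc announcement.txt`; the exit status is 0 only for the pinned key, which is the property a plain `gpg --verify` does not give you.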

August Maintenance

Posted Sun, 06 Aug 2023 12:55:56 CDT. Download PGP signature.

Hello woofers!!

I will be performing system maintenance which will
involve shutting off the server on Friday, August 11th.

I'm going to create a full system root backup of a snapshot so that
in the event of something catastrophic happening to the VPS, I have
a fully-working systemroot to extract on a new machine to reduce
downtime.

In addition, I will be performing a routine emerge -avuDN and updating
all the services. It seems that due to some PHP shenanigans Movim is
being buggy and not fully-working, so I'll also attempt to fix that.

Thank you, and remember, keep barking!

WOOF ~ Kayden

May Maintenance

Posted Tue, 23 May 2023 12:55:23 CDT. Download PGP signature.

Hello woofers!

This Friday, 26th of May at 4PM PST, UNIX.dog will be unavailable for
maintenance. I am going to migrate to Postgres 15 and reboot the server
then to ensure all the software works fine, so services might be unavailable
for max a couple hours.

Also, I am going to be removing Keycloak. It was an interesting little
experiment but I believe it caused more mess and confusion than it was
worth.

Thank you all!

~ Kayden

Keycloak SSO

Posted Fri, 07 Apr 2023 15:30:20 CDT. Download PGP signature.

Hello woofers!
I'm testing a new thing on the server right now, and I'd like
to know what y'all think of it :3

If you go to cloud.unix.dog or git.unix.dog, you'll see a new
option to "log in with UNIX.dog." This will redirect you to
the Keycloak instance (with some cool custom theme I've made!)
and prompt you to log in through there. Then you won't have to
enter your password again for a little while.

I'm hoping to integrate this into the other services, but it may
be a bit. For example, the Forgejo integration doesn't let me
have LDAP be the user source and OIDC as the authentication source
automatically. But I could also implement it into the SSH server
as another way to authenticate.

It also brings WebAuthn + 2FA to the table. If you go to:

https://sso.unix.dog/realms/master/account/authentication

you're able to add either Passwordless Security Key, a 2FA key,
or use traditional OTP generators (this one uses SHA512). This is why,
ideally everything would go through Keycloak so that your 2FA settings
would be respected.

As always, please let me know what you think of this! I'm
happy to hear feedback.

~ Kayden

Contabo Maintenance - March Update

Posted Tue, 21 Mar 2023 02:23:30 CDT. Download PGP signature.

Contabo just sent me an email saying there will be
maintenance on the VPS unit at the following time:

2022-03-24T15:00Z

That's March 24th, 10AM CST. The maintenance is
expected to last 75 minutes at max, but we will see
when it comes to Contabo.

Beyond that, I've been pretty happy with running UNIX.dog
so far. We now have a mov.im instance at movim.unix.dog.
Movim is another web interface for XMPP that aims to be
a lot more full featured. Check it out if you need a web
client and find Conversations unappealing.

Also, don't forget to e-mail alpha@unix.dog or join the
UNIX.dog MUC (discuss@muc.unix.dog) on XMPP if you need any
assistance. Helpful mutts are always available :3

~ Kayden

SSH Security Hole

Posted Thu, 26 Jan 2023 12:51:32 CST. Download PGP signature.

On 2023-01-25, ~yosh emailed me about a security hole with SSH
authentication. Before that day, anyone could gain SSH shell access as
any LDAP user with a blank or invalid password. This didn't affect any
other service, including sudo or passwd, so it wasn't possible to gain
access to any other service except an SSH shell.

As far as I know, this issue didn't affect plain UNIX users in
/etc/passwd, and I have no reason to believe this was ever actually
abused.

The misconfiguration occurred with PAM and OpenSSH. Despite
PasswordAuthentication being disabled in OpenSSH,
KbdInteractiveAuthentication was still enabled by default, allowing PAM
to display a login prompt for a password; modifying the PAM and OpenSSH
configuration fixed the password validation error and also disabled
plaintext authentication for good.
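A small audit for the gap just described, added here as an example (it is not the UNIX.dog configuration or a script from the page): with PasswordAuthentication set to no but KbdInteractiveAuthentication never mentioned, OpenSSH's default of yes leaves a PAM password prompt reachable. The checker assumes OpenSSH keyword semantics (the first occurrence of a keyword wins, both keywords default to yes, ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication), looks only at the global section before any Match block, and does not follow Include. The two config files are constructed samples.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "password auth off, but
# keyboard-interactive still on", which is enough for PAM to prompt.

# first_value FILE KEYWORD_REGEX
# Prints the lowercased value of the first matching keyword in FILE's global
# section, or "yes" (OpenSSH's default for both keywords) if it is never set.
first_value() {
    v=$(awk -v re="^($2)$" '
        /^[ \t]*(#|$)/           { next }   # skip comments and blank lines
        tolower($1) == "match"   { exit }   # only the global section counts
        tolower($1) ~ re         { print tolower($2); exit }   # first one wins
    ' "$1")
    printf '%s\n' "${v:-yes}"
}

# password_prompt_possible FILE
# Returns 0 if sshd configured from FILE would still let a client reach a
# password-style prompt: plain password OR keyboard-interactive via PAM.
password_prompt_possible() {
    pw=$(first_value "$1" 'passwordauthentication')
    kbd=$(first_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication')
    [ "$pw" = yes ] || [ "$kbd" = yes ]
}

# report FILE -> one-line verdict for a human reader
report() {
    if password_prompt_possible "$1"; then
        printf '%s: WEAK (PasswordAuthentication=%s, KbdInteractiveAuthentication=%s)\n' \
            "$1" "$(first_value "$1" passwordauthentication)" \
            "$(first_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication')"
    else
        printf '%s: OK (no password-style prompt reachable)\n' "$1"
    fi
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/before.conf" <<'EOF'
# Constructed: password auth off, but KbdInteractiveAuthentication never set,
# so it stays at the OpenSSH default of yes and PAM can still prompt.
Port 22
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
EOF

cat > "$tmp/after.conf" <<'EOF'
# Constructed: every password-style method explicitly off, keys only.
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
UsePAM yes
EOF

report "$tmp/before.conf"
report "$tmp/after.conf"
```

Because this parser ignores Match blocks and Include files, treat it as a quick first pass; the authoritative view on the host itself is `sshd -T`, which prints the effective value of every keyword after all files and defaults are resolved.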

Since passwords are stored hashed in LDAP with proper authentication
required to view the hash, I don't believe any password hashes were
accessed. Root access was not possible directly, and I think a targeted
attack was unlikely. WTMP logs show no unusual logins, SSH logs
indicate that root login was disabled and common automated botnet
scanning only attempts password and not keyboard interactive auth
(usually with invalid users as well).

In any case, I would recommend that you update your password or at the
very least change it to the same one if you haven't in the past month or
so. New users or users that changed their password after December 2022
should have passwords hashed with ARGON2ID, otherwise PBKDF2-SHA512 with
10000 iterations.

I'm sorry this wasn't noticed earlier. In any case, it seems other
systems were properly configured, and I've learned PAM is a beast that
you should probably avoid messing with too much lest confusing security
holes rear their head.

~ Kayden