From dpelleg+ at cs.cmu.edu Wed Sep 10 16:20:32 2003
From: dpelleg+ at cs.cmu.edu (Dan Pelleg)
Date: Wed, 10 Sep 2003 16:20:32 -0400
Subject: [auton-users] New Windows security vulnerabilities
Message-ID: <16223.34704.916381.804392@gs166.sp.cs.cmu.edu>

This is from SCS facilities. Based on previous experience I expect them to give you a little bit of time to do the update yourself, and if you don't, try to do it remotely. Here "remotely" means your desktop will suddenly reboot at an inconvenient time.

------------------------------------------------------------

Hello,

There are two recent sets of Microsoft security vulnerabilities that administrators of Windows hosts should be aware of. The first one is especially critical:

1) There is a new set of critical RPC/DCOM vulnerabilities that weren't addressed by the latest RPC/DCOM patch. See:

   http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

   for details. Additional information is available from:

   http://support.microsoft.com/?kbid=824146

   In theory, these vulnerabilities are as serious as the one that gave us the Blaster and Welchia worms. You should patch any Windows hosts that you have responsibility for (Windows Update has the patch).

2) A set of vulnerabilities in MS Office and related products was recently announced. These vulnerabilities would allow someone to create a specially-crafted Word (or WordPerfect), PowerPoint, or Excel document that would run arbitrary code on your PC if opened. People using MS Office (along with various other products, see:

   http://www.microsoft.com/security/security_bulletins/ms03-037.asp

   for details) should upgrade to a patched version.

   If you installed Office from your own CD, visit the Office Update site (accessible via a link on the Windows Update page) to get the patches.

   If you installed Office from Monolith (or have a PC that Facilities installed and that came with Office), the installation files on Monolith have been updated with the latest patches.
   To update/patch the version of Office on your PC, go to the Microsoft Office distribution area on Monolith (pc_dist\Microsoft\Office) and run Setup.exe for the version of Office (2000 or XP) that you have. You will be prompted to upgrade.

From sabhnani at cs.cmu.edu Thu Sep 11 17:05:50 2003
From: sabhnani at cs.cmu.edu (Maheshkumar Sabhnani)
Date: Thu, 11 Sep 2003 17:05:50 -0400
Subject: [auton-users] Contact number.
Message-ID: <3F60E3AE.3090802@cs.cmu.edu>

Hello,

Just wanted to let you know my office address.

Maheshkumar (Robin) Sabhnani
3211 NSH, Robotics Institute
Phone (off.) - (412) 268-7035

Cheers,
Robin

From dpelleg+ at cs.cmu.edu Wed Sep 17 21:29:07 2003
From: dpelleg+ at cs.cmu.edu (Dan Pelleg)
Date: Wed, 17 Sep 2003 21:29:07 -0400
Subject: [auton-users] kauthd trouble and near-perpetual kerberos tickets
Message-ID: <16233.2659.368392.519189@localhost.localdomain>

I have been circulating this little tip for a few months now, but I don't believe I ever sent it to the list. It should help with getting kerberos tickets in ways other than logging in to the console of a facilitized machine.

If you're using kauthd, you should know that it is being phased out (more correctly the infrastructure that it's supposed to keep humming is being phased out). What follows are instructions on how to replace it.

If you don't know what kauthd is, then you either never need to obtain kerberos tickets, or you do and don't mind typing your kerberos password over and over again. If you're in either category you can stop reading now.

What follows will maintain long-living tickets. This means you can ssh into a SCS facilitized host remotely using one of the password-free methods offered by SSH, and still have tickets.

[ Note: the topic of password-less ssh-ing was covered in a previous post to this list, and can be found here: http://www.autonlab.org/tips.html . You will need your mailing-list password (and the server will mail it to you on request) ]

There are 3 steps.
Once you perform them, you will not need to type your kerberos password more often than once a month. When you do, you will get an email reminding you to do so, and it will contain the command you'll need to type.

1. Depending on whether you're a tcsh or bash user, add the following to your startup file. If you don't know then you are probably using tcsh (default for SCS).

------------------------------ tcsh users: add to .login
if ( -e /usr/local/bin/aklog) then
  # Only use one ticket file for everything: (Kerberos v4)
  setenv KRBTKFILE /tkt/$LOGNAME-ticket
  # Only use one ticket file for everything: (Kerberos v5)
  setenv KRB5CCNAME /tkt/$LOGNAME-ticket-v5
  # Load that ticket into AFS:
  /usr/local/bin/aklog
endif
------------------------------ tcsh users

------------------------------ bash users: add to .bashrc
if [ -e /usr/local/bin/aklog ]; then
  # Only use one ticket file for everything:
  # krb4
  export KRBTKFILE; KRBTKFILE=/tkt/$LOGNAME-ticket
  # krb5
  export KRB5CCNAME; KRB5CCNAME=/tkt/$LOGNAME-ticket-v5
  # Load that ticket into AFS:
  /usr/local/bin/aklog
fi
------------------------------ bash users

2. Log out and back in. (ok, this is really more than one step. But the goal is to have the definitions above take place). Now type:

   kinit --renewable

   And then your kerberos password.

3. The following script needs to run every few hours:
   - Cut it, save it to a file "script/krenew" under your home directory.
   - Make it executable ("chmod +x script/krenew")
   - type "crontab -e" and add the following line (a vi editor will open unless you have EDITOR defined to something else):

--------------------line to add to crontab
49 5,17 * * * script/krenew
--------------------

------------------------------ file to save as script/krenew
#! /bin/sh
# Only use one ticket file for everything:
# krb4
export KRBTKFILE; KRBTKFILE=/tkt/$LOGNAME-ticket
# krb5
export KRB5CCNAME; KRB5CCNAME=/tkt/$LOGNAME-ticket-v5

# Get a renewable ticket
# (braces rather than a subshell, so that "exit" stops the script itself)
/usr/local/bin/kinit --renew || { echo "do a kinit --renewable" ; exit 1 ; }
/usr/local/bin/aklog || exit
------------------------------

****************************************

For some more information on this matter, and a link to a small GUI program that can also help with this issue, see:

http://zarchive.srv.cs.cmu.edu/prog/zquery?zid=2922325

From agray at cs.cmu.edu Tue Sep 23 15:07:52 2003
From: agray at cs.cmu.edu (Alexander Gray)
Date: Tue, 23 Sep 2003 15:07:52 -0400
Subject: [auton-users] using loki
Message-ID: <20030923190834.3830C4A1@mail.autonlab.org>

Hi all,

We're wondering if we could hog loki over the next few days to do some timing experiments which will require the RAM that only loki has. This is for the Science paper we're submitting, on the npt algorithms.

Thanks very much, and sorry for the inconvenience!

Alex

______________________________________________________________
Alexander G. Gray               http://www.cs.cmu.edu/~agray
Postdoctoral Fellow, CMU        office 412-268-6233 9-9pm EST

From komarek at cmu.edu Wed Sep 24 12:22:46 2003
From: komarek at cmu.edu (Paul Komarek)
Date: 24 Sep 2003 12:22:46 -0400
Subject: [auton-users] loki is reserved for Alex Gray
Message-ID: <1064420566.22022.8.camel@laptop>

Hello,

I have taken measures to insure that only Alex Gray is able to use loki.autonlab.org, since there were no objections to his request. loki should be available again sometime next week for general use.

-Paul Komarek

From komarek at cmu.edu Sat Sep 27 22:51:05 2003
From: komarek at cmu.edu (Paul Komarek)
Date: 27 Sep 2003 22:51:05 -0400
Subject: [auton-users] loki back, limey gone
Message-ID: <1064717465.28752.7.camel@laptop>

Hi everyone,

Loki (the 14GB ram machine) is available for everyone to use again.
Limey, the oldest Alpha (500 MHz), was reserved for testing some time ago. We have now permanently decommissioned limey.

-Paul Komarek

From dpelleg+ at cs.cmu.edu Mon Sep 29 05:58:07 2003
From: dpelleg+ at cs.cmu.edu (Dan Pelleg)
Date: Mon, 29 Sep 2003 05:58:07 -0400
Subject: [auton-users] SSH access from home (and other locations) to lab
Message-ID: <16248.559.799537.785283@localhost.localdomain>

This is a periodic message regarding remote access to the Auton lab from home (or other remote locations).

SSH access to the lab machines is restricted to hosts we "know" about. For minimal interference with your work this list should contain all the machines you regularly (or even occasionally) use. So, let us know if:

- you're new to the lab
- you changed your ISP, or your ISP changed your IP address (see below for dynamically-allocated addresses)
- there's a new host that you occasionally use and would like to use to login to the lab from
- you have travel plans and know the IP address of the machine you'll use for work there

We will need to know the IP address of the machine. Even if you don't know it, or don't know how to determine it, contact us and we'll help you figure it out.

IMPORTANT NOTE REGARDING DYNAMICALLY-ALLOCATED ADDRESSES: we can definitely support these. Let us know the netblock your ISP uses to allocate your address. If you don't know it, contact us and we'll help you determine it.

To get access, mail your request to admin at autonlab.org.

Last note: if you disconnected service or lost access to a machine previously on the access list, please let us know so we can remove it.

--
Dan Pelleg
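
An added example, not part of the original message or of the lab's own tooling: one way an administrator could audit the access list described above, checking accepted SSH logins against the known hosts and ISP netblocks and listing entries that saw no logins (candidates for the removal the last note asks about). The allowlist, the log lines (constructed, in OpenSSH's "Accepted ... from" form, using documentation address ranges) and the function names are assumptions; the message does not say how the restriction is enforced.

```python
import ipaddress
import re

# Constructed allowlist: single hosts and ISP netblocks (documentation ranges).
ALLOWLIST = ["192.0.2.17", "198.51.100.0/24", "203.0.113.40"]

# Constructed sshd log lines; only "Accepted" lines count as logins.
SAMPLE_LOG = """\
Sep 29 06:01:12 lab sshd[411]: Accepted publickey for alice from 192.0.2.17 port 40122 ssh2
Sep 29 07:15:40 lab sshd[502]: Accepted password for bob from 198.51.100.77 port 51812 ssh2
Sep 29 09:30:05 lab sshd[633]: Accepted publickey for carol from 203.0.113.99 port 33010 ssh2
Sep 29 09:31:00 lab sshd[640]: Failed password for dave from 192.0.2.200 port 33999 ssh2
"""

ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def parse_allowlist(entries):
    """Turn host and CIDR strings into networks (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def audit(log_text, entries):
    """Return (unlisted_logins, unused_entries) for the given log and allowlist."""
    nets = parse_allowlist(entries)
    used = set()
    unlisted = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        user, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            unlisted.append((user, src))  # not an IP literal: report it
            continue
        hits = [n for n in nets if addr.version == n.version and addr in n]
        if hits:
            used.update(hits)
        else:
            unlisted.append((user, src))
    unused = [str(n) for n in nets if n not in used]
    return unlisted, unused


if __name__ == "__main__":
    unlisted, unused = audit(SAMPLE_LOG, ALLOWLIST)
    print("logins from unlisted sources:", unlisted)
    print("allowlist entries with no logins:", unused)
```
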