Andrew Case's questions

We set up a two-factor authentication system that uses Google Authenticator to use OTP via mobile phone apps. Some of our users however don't have smart phones so we want to be able to use hardware tokens with it.

If the secret key/seed set by the manufacturer, then someone else obviously may know your secret key. This doesn't seem secure. So wouldn't it make sense if they were re-seedable. Can these types of hardware tokens be reset with a new secret key when you get them? Does it just depend on the key manufacturer?

We use a lot of GPGPU computing (mostly with CUDA, but some OpenCL). Often when users are running code, the code errors out with a memory error on only one of our hosts. I suspect one of the cards is faulty. Sometimes it brings down the whole system and sometimes the program just bombs out.

What are the easiest, fastest, and most thorough ways to fully test GPUs for possible failures?

I know there are programs that are part of nvidia's CUDA SDK:

   deviceQuery
   nvidia-smi

But I need something much more thorough. Suggestions? Experiences?

What's the easiest/quickest way to clone a VM from one server onto another if you don't have shared storage between the two servers (so you can't do a standard migration)?

I have a production ready VM installed on one server, and I want to clone it onto another system. I don't have shared storage between the two hosts, but I've copied the disk image between the two hosts and added a config for it (virsh defined it). When I try to start it however it doesn't take:

# virsh create /etc/libvirt/qemu/cloned-vm.xml 
error: Failed to create domain from /etc/libvirt/qemu/cloned-vm.xml
error: Unable to read from monitor: Connection reset by peer

I'm using KVM on RHEL6. Here is the duplicated config

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE 
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit 
or other application using the libvirt API.
-->

<domain type='kvm'>
  <name>cloned-vm</name>
  <uuid>NEW_UUID_HERE</uuid>
  <memory>15360000</memory>
  <currentMemory>15360000</currentMemory>
  <vcpu>7</vcpu>
  <os>
    <type arch='x86_64' machine='rhel6.2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/local/vm/cloned-vm.img'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <interface type='bridge'>
      <mac address='NE:W_:MA:C_:AD:DR'/>
      <source bridge='br2'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

On Solaris, there the command 'fwtmp' provide the year information from the wtmp logs. For example:

host # /usr/lib/acct/fwtmp < /var/adm/wtmpx > tmp_wtmpx_file
host # head -1 tmp_wtmpx_file
user123 sshd 1258 7 0000 0000 1226072918 230489 0 29 host123.desktop.ourhost.com Fri Nov  7 09:48:38 2008

On Linux, the 'last' outputs the data without the year information, and I don't seem to be able to find a utility similar to 'fwtmp' on Linux to add the year data. The 'lastlog' command includes year in the output, but only looks up the users that are in the passwd file (not against ldap or other user databases by default). Is there a utility on Linux that will output the year along with the other data from 'last'?

Running Solaris/Apache/PHP.

Our user base needs to be able to upload files to the web servers, so we have to have php uploads enabled. Problem comes when users provide upload scripts that aren't restricted and an attacker uploads their own data. Often the attacker will upload their own data they want to serve up on the web server, or will upload another php script that gives them further access on the system.

• Is there a way to prevent PHP from uploading other php scripts from the system side (I know users could do this, but can't be certain they will)?
• What are some general security precautions that others take or best practice with handling the allowing of file uploads? How can we stop these scripts from being abused?

We have thousands of users, so checking that every upload script (be it custom, wiki, etc.) is secure seems just about impossible. I've have a script that checks for web writable directories and looks to see if there are appropriate .htaccess setting restrictions for those directories, but systems that have their own login systems that aren't .htaccess/.htpasswd based (wikis, etc.) won't use these, so these scripts don't really help in that regard.

I have firefox installed system-wide for all our users. Unfortunately the Adobe Reader Plug-in is rather flakey and doesn't work some of the time. As a result I want to disable the plug-in by default for all our users, but still allow them to enable it if they want via the standard Tools->Add-ons->Plug-ins menu option. How can I have this plug-ins enabled/disabled status be disabled by default?

I've been able to configure system-wide configurations before by setting preferences in the mozilla root folder file defaults/pref/all.js, but enabled/disabled plugins doesn't appear to be configured in the preferences.

[edit 1]: I found 'How to manage firefox plugins in pluginreg.dat file' which explained some of the formatting of the pluginreg.dat file. From there I could see flags are masked as follows (from nsPluginHostImpl.h):

#define NS_PLUGIN_FLAG_ENABLED 0x0001 // is this plugin enabled?
#define NS_PLUGIN_FLAG_OLDSCHOOL 0x0002 // is this a pre-xpcom plugin?
#define NS_PLUGIN_FLAG_FROMCACHE 0x0004 // this plugintag info was loaded from cache
#define NS_PLUGIN_FLAG_UNWANTED 0x0008 // this is an unwanted plugin
#define NS_PLUGIN_FLAG_BLOCKLISTED 0x0010 // this is a blocklisted plugin

But is there a way to add this to the defaults so that that NS_PLUGIN_FLAG_ENABLED is removed by default?

When I try to connect to a host either locally or remotely the machine denies logins thinking that the shutdown command has been initiated:

[~]$ ssh somehost
The system is going down for reboot in 1 minute!
This machine requires an immediate reboot. 

Connection closed by somehost

But the machine never goes down and no shutdown command is running:

[root@somehost ~]# shutdown -c
shutdown: Cannot find pid of running shutdown

If I reboot the host using the shutdown or reboot commands, the machine reboots just fine, but once it comes back up it still thinks the machine is going down for reboot in 1 minute. How do I stop it from being in a shutdown mode state?

I want to monitor whenever any of our machines run the shutdown command so that it can send an email or notification of an imminent reboot/shutdown. I figured that when shutdown was run it probably relayed the broadcast message to syslog, but I don't see it being stored in any of the logs. Is there a way to log whenever this command is run?

[edit] For clarification, by when the shutdown command is run, I mean when it starts running (or when it first broadcasts about the shutdown) NOT when the shutdown of the system actually starts. So I want to be able to catch when it sends this type of message: The system is going down for reboot in 5 minutes!

My users are all on NFS home directories and with hundreds of users all using Firefox it generates a bit of traffic reading/writing to the disk cache. As a result, I'd like to move the default Firefox disk cache over to a local file system just to reduce extraneous NFS traffic and lighten the load on my NFS server too.

I know I can set system wide default preferences in a file called my_firefox_path/defaults/pref/all.js of the following form:

pref("browser.cache.disk.parent_directory", string)

For testing I had it set to the following:

pref("browser.cache.disk.parent_directory", "/tmp/firefox/");

Unfortunately that doesn't work well as there are multiple users on each system. Is there a way to include a user and a profile in that preference file so that I can tweak this system wide and it will apply to all my users? Something like:

pref("browser.cache.disk.parent_directory", "/tmp/firefox/$USER/$PROFILE");

I want to dynamically block specific connections that use the same IP address based on a rate or connection limit. Is this possible using Solaris/IPF or some sendmail extension? I want to limit sendmail login attempts to prevent brute force attacks.

In Linux it's easily handled on the iptables firewall layer, but I haven't been able to figure out a way to use ipf to limit it on the firewall layer. Sendmail has a built-in rate limit and connection limit, but it appears to be applied to all users so if we're experiencing a DOS or DDOS it would block all our users instead of just the attacker.