Talk:SAC Meeting 2018-03-02

From OSGeo
Revision as of 16:12, 2 March 2018 by Robe (talk | contribs) (Created page with "== Transcript == 19:59:14 robe2: Everybody ready to meet 19:59:36 TemptorSent: Hello 20:01:52 robe2: Hi TemptorSent 20:03:08 robe2: Well doesn't look like Mart...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Transcript

   19:59:14	robe2:	Everybody ready to meet
   19:59:36	TemptorSent:	Hello
   20:01:52	robe2:	Hi TemptorSent
   20:03:08	robe2:	Well doesn't look like Martin was able to make it but he did provide his list of accomplishments
   20:03:51	robe2:	First on agenda FOSS4G2018 I think I was supposed to be doing something but still have a cold
   20:05:11	TemptorSent:	Okay, I honestly can't make heads or tails as to what that agenda item means :)
   20:05:22	robe2:	Next topic www.osgeo.org website I plan to move this weekend
   20:05:55	robe2:	probably like early morningish on Saturday
   20:06:06	robe2:	TemportSent you mean the FOSS4G2018 one?
   20:06:24	TemptorSent:	Yes, the one on the meeting wiki
   20:08:15	robe2:	TemptorSent I updated it a bit
   20:08:35	robe2:	the main objective is to move it over to webextra and have it under letsencrypt ssl
   20:09:02	TemptorSent:	Ahh, much clearer.
   20:09:04	robe2:	I'm not even quite sure the state of webextra or if it should be moved to new VM we will eventually build
   20:09:59	robe2:	next topic is the new hardware
   20:10:36	robe2:	I'd ask wildintellect but he isn't here. Does anyone know if we are any nearer to having the new hardware. I get the feeling it still has not been purchased
   20:10:56	robe2:	then again I've been drugged up on robitussin so I may have missed some events
   20:11:03	TemptorSent:	I haven't seen any further quotes/PO, nor have I heard anything.
   20:11:29	robe2:	okay so I'll put a note to follow up on mailing list for that
   20:12:19	TemptorSent:	I think we had the configuration solid, and the only thing not nailed down is how much bulk storage we need.
   20:13:48	robe2:	TemptorSent since you are more informed you want to shoot off a SAC list mail detailing status and pushing to nail that so we can get some new hardware
   20:13:52	TemptorSent:	OSGeoLive requests a fair chunk of storage for maintaining their versioned artifacts, and I imagine that the geodata group will need a decent chunk even just for the small stuff, so IMHO, the more the better.
   20:14:07	robe2:	I'm hesitant to bring anything else new on without that small comfort :)\
   20:14:43	robe2:	Yah me too but we should also consider what we have that can be reused as well
   20:15:07	TemptorSent:	The difference is only a few hundred dollars one way or the other from the original quote.
   20:15:42	robe2:	TemportSent we should just buy it then -- propose that so we can be done with it
   20:16:04	robe2:	strk are you awake :)
   20:16:18	robe2:	any movement on drop box replacement?
   20:17:43	TemptorSent:	From my reply to the mailing list a while back, the pricing for larger drives: (+$212 for 4x10he or +$540 for 4x12he)
   20:18:37	robe2:	ping strk
   20:18:45	robe2:	strk is apparently asleep again
   20:19:25	TemptorSent:	That gives us practical double-redundant storage of 12-16TB and 16-20TB respectively, depending how we use it.
   20:19:54	robe2:	TemptorSent that sounds good to me. Want to shoot off email or you want me too?
   20:20:42	TemptorSent:	If you'd like to put out the call to finalize discussion, that would probably be best.
   20:21:40	TemptorSent:	I think I pretty well flogged the dead horse in the thread on the mailing list already :)
   20:23:03	robe2:	okay will do
   20:25:06	robe2:	TemptorSent sent my crying baby email :)
   20:25:18	TemptorSent:	*lol*
   20:26:30	TemptorSent:	Those HDD prices are relative to the first entry on https://drive.google.com/file/d/1X-z66jXXBUZuPqh6EP0d43g2NUCL7xcL/view
   20:26:31	sigabrt:	Title: Silicon_Mechanics_Quote_344069.pdf - Google Drive (at drive.google.com)
   20:30:47	robe2:	Well Alex can clarify if needed
   20:30:55	robe2:	next topic TracSVN
   20:31:14	robe2:	performance seem to be good. Do we still have svn permission issue?
   20:31:16	TemptorSent:	As for reuse, it's difficult to recommend using older hardware for anything other than backup or supporting non-critical service at this point.
   20:31:35	TemptorSent:	I'm not familiar with what's going on as far as perms...
   20:31:43	robe2:	I didn't check I know I did have one trying to pull gdal (it prompted for password) - about a week ago
   20:32:51	TemptorSent:	Was the repo or db behind it down at the time perhaps? It appears that it prompts for password on any private OR non-existent repo.
   20:33:16	robe2:	Well as I recall I could still get into postgis svn
   20:33:41	strk:	sorry I was cooking
   20:33:50	robe2:	it was trying to annonymously pull (e.g from GDAL) where it was an issue
   20:33:53	strk:	(and eating)
   20:34:10	robe2:	strk you always seem busy at this time
   20:34:17	robe2:	maybe we should push meeting time up one hour
   20:34:25	robe2:	or 30 minutes :)
   20:34:40	TemptorSent:	Hiya strk.
   20:34:47	robe2:	strk we were just talking about svn
   20:34:54	strk:	I am, in particular today I've had an incident with pasta (was populated by little flies, so I had to throw it away after cooking for 30 minutes
   20:35:03	robe2:	if people are still having permission issues. Martin said he was investigating
   20:35:19	strk:	I've read that report
   20:35:25	robe2:	strk pasta and flies -- nice combination :)
   20:35:28	strk:	but could not handle to verify it
   20:35:30	TemptorSent:	Has EvenR mentioned any issues with the gdal repo? I suspect he'd be the first to see them.
   20:35:45	strk:	it's supposedly affecting anonymous users
   20:35:48	TemptorSent:	strk - sounds like it was a french dish :)
   20:35:48	strk:	hardly any developer would notice
   20:35:50	robe2:	fly sauce sounds yummy don't need to add any extra meat
   20:36:11	strk:	I'm using "flies" because I don't know the english word for what they were
   20:36:13	robe2:	strk yah that was my experience
   20:36:17	strk:	just very tiny dots, moving
   20:36:25	strk:	"bugs" ?
   20:36:32	robe2:	when I was trying to check out gdal code was only time I had the issue, so I just went for tar ball instead
   20:36:37	TemptorSent:	strk - he wouldn't have problems, but #gdal would get flooded.
   20:36:54	strk:	I don't know how many people would be using SVN in 2018
   20:37:08	TemptorSent:	weevils?
   20:37:15	robe2:	well I think most people probably pull gdal from gasp github unless they commit to gdal
   20:37:19	robe2:	so they wouldn't notice
   20:37:21	strk:	so nobody replicated ?
   20:37:39	TemptorSent:	Was it only a problem from svn itself, not from gitea?
   20:37:39	robe2:	strk?
   20:37:46	robe2:	no I think the replication is fine
   20:37:52	strk:	gitea is unrelated to svn
   20:37:57	robe2:	just couldn't pull from svn anonymously
   20:38:07	strk:	any repo or just gdal ?
   20:38:24	robe2:	TemporSent yah only thing they have in common is LDAP use, so that rules out LDAP I guess
   20:38:42	robe2:	but anyway you don't need to authenticate to annoymously pull
   20:38:50	TemptorSent:	strk - what's bridging the svn/git view then?
   20:39:03	robe2:	strk gdal was the only one besides geos and postgis I use
   20:39:12	robe2:	and gdal is the only one I'm not a committer on so would notice
   20:39:45	robe2:	let me try again hold on
   20:40:50	robe2:	seems fine now - well svn updating a gdal 2.2 branch
   20:41:09	robe2:	so perhaps martin did fix in his investigation
   20:41:12	strk:	I was looking at the configurations, don't see anything different between postgis and gdal
   20:41:25	robe2:	strk well it wouldn't be the configuration
   20:41:26	strk:	TemptorSent: which view ? You mean Trac ?
   20:41:37	strk:	robe2: permissions are also the same
   20:41:46	robe2:	it would be whether you are logging in or anonymous
   20:41:56	TemptorSent:	Huh, I thought it had a gitea connection too -- apparently not.
   20:42:06	robe2:	I do gdal always as a public user since I don't have committ access
   20:42:08	strk:	TemptorSent: Gitea only supports Git
   20:42:53	strk:	are we following an agenda or talking randomly ?
   20:43:14	robe2:	following an agenda until you disrupted our flow :)
   20:43:28	strk:	sorry, I'll be quiet
   20:43:50	robe2:	https://wiki.osgeo.org/wiki/SAC_Meeting_2018-03-02
   20:43:51	sigabrt:	Title: SAC Meeting 2018-03-02 - OSGeo (at wiki.osgeo.org)
   20:43:56	robe2:	we are up to ticket triage
   20:44:11	robe2:	I don't think we want to enforce https on downloads
   20:44:27	strk:	soon browsers will enforce https anyway
   20:44:37	robe2:	people can use http or https now which serves the need and I worry about banning older wget etc.
   20:44:45	robe2:	yah so we really don't need to
   20:44:56	robe2:	as long as we support https which now we do
   20:45:11	strk:	+1
   20:45:33	TemptorSent:	Agreed, http for downloads is perfectly fine, especially if checksums are provided via https when desired.
   20:46:26	TemptorSent:	https everywhere is breaking caching in most places, increasing overhead where there is no particular benefit.
   20:46:53	MartinSpott:	Moin
   20:47:04	strk:	TemptorSent: indeed
   20:47:08	TemptorSent:	Forcing it for login/authenticated use is fine, but for pulling bulk data, it's a waste of resources when the user doesn't want it.
   20:47:12	robe2:	Hey MartinSpott
   20:47:17	robe2:	glad you could join us
   20:47:20	TemptorSent:	Hello MartinSpott.
   20:47:33	robe2:	last we spoke was abou the svn permission issue. But seems fine to me now
   20:47:48	robe2:	I had password prompt for svn gdal before and just tested and seems fine.
   20:48:24	robe2:	TemptorSent yap my feeling too
   20:48:38	MartinSpott:	I can offer approx. 15 minutes
   20:48:53	MartinSpott:	Regarding SVN, as far s I can tell there was one report of failure
   20:49:06	MartinSpott:	Maybe it's the right direction, but not far enough ?
   20:49:08	strk:	MartinSpott: we cannot reproduce (Regina could some time in the past, but cannot anymore)
   20:50:18	robe2:	MartinSpott I'll add my not to that ticket
   20:50:39	robe2:	I was having the same issue around the time the ticket came in, but it was there -- I should have added my antidote
   20:50:46	robe2:	antecdote
   20:51:45	MartinSpott:	Concerning Debian7 upgrades, I'd like to do Web and Wiki as an intermediate step and then take care of moving stuff off the Projects VM
   20:51:50	MartinSpott:	does this sound reasonable ?
   20:52:50	MartinSpott:	Concerning the main website, do you plan to move it to the old Web VM or a different place ?
   20:53:38	robe2:	MartingSpott the main website I'm moving to web18a
   20:53:55	MartinSpott:	Oh, isn't it already hosted there ?
   20:53:59	robe2:	were you ever able to log into web18a or you still have the issue from before?
   20:54:05	TemptorSent:	Sounds reasonable to me.
   20:54:11	strk:	MartinSpott: upgrading all machines which need to sounds reasonable (so to close that SSL ticket once for all)
   20:54:15	robe2:	no it's hosted on cloudvps.com
   20:54:26	robe2:	which we are paying I forget how much for a month
   20:54:38	MartinSpott:	ah, still on cloudvps
   20:54:39	robe2:	something like $50 a month I think
   20:54:45	robe2:	or $40 EUR
   20:55:06	robe2:	yah and it's running PHP5 and MYSQL5 yuck and Debian 8
   20:55:33	MartinSpott:	heh, I'm running my private EMail relay there, they're doing a good job, as far as I can tell
   20:55:40	robe2:	but anyway my plan is to disable editing on it, move it over - change the DNS
   20:55:55	robe2:	so anyone who has the old dns entry can still view the site, but won't be able to edit
   20:56:05	TemptorSent:	Sounds good.
   20:56:13	MartinSpott:	concerning web18a, I have to admit I didn't try again in the meantime
   20:56:32	TemptorSent:	What kind of provisioning do we currently have with cloudvps?
   20:56:58	robe2:	it's the same config as web18a (except it's debian 8 instead of debian 9)
   20:57:16	robe2:	and we don't use any of their backup services or anything
   20:57:43	robe2:	just had baccula installed on it, which MartinSpott is going to install on web18a once he can log in
   20:57:48	MartinSpott:	ssh -l tech_dev web18a.osgeo.osuosl.org still gives me a "Permission denied (publickey)"
   20:57:53	robe2:	strk yah and I probably spelled that wrong
   20:58:16	MartinSpott:	from both machines, private and work
   20:58:29	robe2:	MartinSpott and ssh -l martin
   20:58:41	robe2:	let me check the logs
   20:58:53	strk:	TemptorSent: do you mean "automated deploy" by "provisioning" ?
   20:59:45	TemptorSent:	Resources provisioned -- disk, memory, cores, network
   21:00:15	TemptorSent:	And if it's a volume that can be exported wholesale :)
   21:01:25	robe2:	MartinSpott hmm can you try again, not seeing you in logs though I see my successful log in
   21:01:52	robe2:	or is 84.245.154.74 you
   21:01:57	MartinSpott:	Ok, will now try from 84.245.154.74 as user martin
   21:02:11	MartinSpott:	failure
   21:03:12	robe2:	Mar 2 21:00:48 web18a sshd[21276]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] Mar 2 21:00:48 web18a sshd[21276]: Connection closed by 84.245.154.74 port 48472 [preauth]
   21:03:21	MartinSpott:	TemptorSent: According to my - little - experience with CloudVPS, you can't export a volume
   21:03:23	TemptorSent:	Is that host documented on the wiki anywhere?
   21:03:41	TemptorSent:	MartinSpott - Drat, that would be convenient :)
   21:03:45	robe2:	TemptorSent yes it is but anyway I wouldn't want to export volume
   21:03:49	robe2:	backup file is small
   21:03:52	robe2:	under 2 GB
   21:04:41	MartinSpott:	robe2: I wonder where it gets a dss key from
   21:04:53	MartinSpott:	Let me try again:
   21:04:54	TemptorSent:	Yeah, it just makes it easier to clone the exact deployment back and forth.
   21:04:59	robe2:	TemptorSent here is the CloudVPS - https://wiki.osgeo.org/wiki/SAC:betawebsite
   21:05:00	MartinSpott:	foehn: 22:04:16 ~> ssh -i .ssh/id_rsa.pub -l martin web18a.osgeo.osuosl.org
   21:05:01	sigabrt:	Title: SAC:betawebsite - OSGeo (at wiki.osgeo.org)
   21:05:08	MartinSpott:	Permission denied (publickey).
   21:05:17	robe2:	Yah I wouldn't want to cause it's running PHP 5 yuck
   21:05:35	robe2:	We should never have let the web site contractors set it up
   21:05:54	robe2:	it was using myisam, not utf8, old php old mysql
   21:05:59	strk:	TemptorSent: if it's not in Service_Status wiki page I suggest you file an enhancement ticket to have it added
   21:06:00	TemptorSent:	Ug, that's downright ancient at this point.
   21:07:00	strk:	robe2: SAC:betawebsite is the description of "web18a" hardware and usage etc ? We should try to be consistent with those pages
   21:07:26	robe2:	the web18a I have in gitea wiki - https://git.osgeo.org/gitea/osgeo/www_apache_configs/wiki/Web18a-setup
   21:07:32	strk:	like SAC:OSGeo6, we should have SAC:Web18a (or similar)
   21:07:55	robe2:	strk betawebsite is not web18a it's cloudvps
   21:07:58	strk:	gitea wiki is still not official, please use the mediawiki, with all others
   21:08:00	TemptorSent:	I'm sure it's there somewhere, but I can't find anything reliably on the wiki at all -- pages don't link to other pages and categories seem almost random.
   21:08:23	strk:	TemptorSent: yeah, wiki always needs more love
   21:08:39	robe2:	strk can I put a link to gitea wiki page on mediawiki :)
   21:09:03	robe2:	I like the gitea wiki better cause it's in git and the syntax is a lot easier to deal with
   21:09:54	robe2:	anyway getting back to Martin's problem he can't get into web18a
   21:09:59	TemptorSent:	robe2 - if so, we should probably look at migrating all related materials to the same place so we don't have even MORE of a mess on our hands.
   21:10:16	robe2:	strk I don't think I ever added you key to techdev, but you can get in fine with strk right -- can you log in
   21:10:26	robe2:	just want to compare messages I am seeing in auth
   21:11:11	strk:	robe2: I'm fine with just a link on mediawiki :)
   21:11:44	robe2:	TemporSent I was also concerned cause I was copying from my local scripts where I may have left passwords
   21:12:03	robe2:	and I figured since the gitea one is locked down, only SAC folks would see it anyway should I have made such a mistake
   21:12:06	TemptorSent:	Yeah, good point.
   21:12:10	TemptorSent:	I can't even see it :)
   21:12:30	strk:	I do can login to web18a
   21:13:09	robe2:	TemptorSent now you can :)
   21:13:10	MartinSpott:	strk: Can you look into the "martin" account as root ?
   21:13:31	TemptorSent:	Ahh, much better -- thank's robe2.
   21:13:38	robe2:	MartinSpott when strk logs in I see him authenticating with ssh2 like me
   21:14:04	strk:	I cannot become root (don't have a password to "sudo")
   21:14:13	robe2:	but yours gives that ssh-dss thingy
   21:14:21	strk:	uhm, I'm silly
   21:14:22	robe2:	strk password is your password
   21:14:29	MartinSpott:	ok, that would made made it easier to debut during daytime hours
   21:14:37	strk:	(it's my LDAP)
   21:14:44	robe2:	yap
   21:14:55	MartinSpott:	debug
   21:14:59	robe2:	I didn't add you to the main techdev account which doesn't use ldap
   21:15:00	strk:	MartinSpott: you have 2 keys authorized
   21:15:07	robe2:	but all other accounts use LDAP
   21:15:17	strk:	ok, now you do MartinSpott
   21:15:26	strk:	authorized_key was in your home, rather than under .ssh
   21:15:34	MartinSpott:	ouch
   21:15:41	robe2:	oh no don't tell me I screwed that
   21:15:44	robe2:	:(
   21:16:05	TemptorSent:	Details, details -- why don't computers just do what we mean, not what we tell them?
   21:16:09	strk:	I dunno who screwed that, it was around Feb 21 20:42
   21:16:09	MartinSpott:	IÄm in
   21:16:32	robe2:	TemptorSent that's my next project RegOS does what you mean not what you tell it to
   21:16:35	MartinSpott:	both keys working
   21:16:40	TemptorSent:	*cheers*
   21:16:59	robe2:	MartinSpott so sorry for my ineptness
   21:17:07	robe2:	so I must have screwed up the techdev one somehow
   21:17:18	strk:	I added my key to root's authorized keys too
   21:17:30	strk:	just in case LDAP breaks
   21:17:32	TemptorSent:	So rm -rf will just cause the computer to burst into flames without wiping the drive robe2? :)
   21:17:39	robe2:	strk you can't log in with root
   21:17:48	robe2:	you need to add it to tech_dev
   21:17:53	robe2:	root login is not allowed
   21:18:08	strk:	ah, ok
   21:18:34	MartinSpott:	robe2: intentionally disabled ?
   21:18:41	robe2:	yes
   21:18:41	strk:	what's the point ?
   21:18:43	TemptorSent:	The only time direct root login should be allowed is directly from the hardware console.
   21:18:46	robe2:	by osuosl staff
   21:18:49	strk:	do we all share "tech_dev" password then ?
   21:18:55	robe2:	but Alex and I thought that was probably for best anyway
   21:19:03	TemptorSent:	No, just add all keys to tech_dev
   21:19:16	strk:	ok but what for ?
   21:19:17	robe2:	strk well technically we only need tech_dev if ldap is down
   21:19:20	TemptorSent:	remote root login should NEVER be enabled, EVER.
   21:19:20	robe2:	so yes we do
   21:19:43	robe2:	and it's in the file called password which we were going to delete but is in secure/access if you need it
   21:19:50	MartinSpott:	TemptorSent: I know, and the more often you repeat it, the less I care about it
   21:20:20	strk:	ok, found tech_dev password
   21:20:24	MartinSpott:	If I need a teacher, I'll ask for one
   21:20:32	TemptorSent:	MartinSpott - I know you do MartinSpott, I was telling strk.
   21:21:22	strk:	so shall we drop root's authorized_keys ?
   21:21:42	robe2:	who's in it?
   21:21:58	TemptorSent:	You can still use them from localhost if you like as opposed to sudo
   21:21:59	robe2:	I guess you can
   21:22:12	robe2:	oh okay so we should keep them
   21:22:22	robe2:	osuosl staff keys might be in there
   21:22:38	MartinSpott:	they are - and for a good reason
   21:22:56	TemptorSent:	If you ever watch the logs for a while, you'll see hundreds of attempts to port 22 as root per day.
   21:23:20	robe2:	yah among others
   21:23:45	robe2:	anyway been 1.5 hrs
   21:23:53	TemptorSent:	Those should be getting blocked before they ever get a chance to try anything, which makes brute-force attacks mostly worthless.
   21:24:02	MartinSpott:	TemptorSent: Indeed, and, as a super clever gou you'll know that disabling root SSH logins won't change that
   21:24:10	robe2:	I think only thing left to cover is LDAP ssh keys - which I presume we are no closer to accomplishing
   21:24:37	TemptorSent:	I never use password logins to remote machines for exactly that reason.
   21:24:57	strk:	it looks like MartinSpott is too busy with upgrades to look at LDAP ?
   21:25:02	TemptorSent:	AFAIK, there is nothing preventing the use of ssh ldap keys other than adding the schema.
   21:25:02	MartinSpott:	TemptorSent: I don't use password logins to remote machines either
   21:25:06	robe2:	and GeoForALL -- jmckenna anything to say about that
   21:25:21	MartinSpott:	We're not talking about password logins, we're talking about root logins
   21:25:32	strk:	TemptorSent: are you familiar with LDAP ? Do you want to be our LDAP resident maintainer ?
   21:26:05	TemptorSent:	I'm rusty with ldap, but 20ish years ago I maintained a multi-master auth service that worked pretty well :)
   21:26:11	MartinSpott:	Oh, don't do that, next day he's going to disable another vital feature
   21:26:31	robe2:	someone put a note about some bug in debian to be cautious of with the LDAP ssh thingy
   21:26:49	MartinSpott:	That's history
   21:27:06	MartinSpott:	overcome with replacing pam_ldap by pam_ldapd
   21:27:10	TemptorSent:	Goodbye.
   21:27:32	strk:	MartinSpott: waht's this fight with TemporSent ?
   21:27:44	MartinSpott:	pam_ldap was running as root and modern GnuTLS doesn't do sensitive stuff as root
   21:27:54	robe2:	strk oh I wasn't imaging things I thought I was looking at a cat fight
   21:27:57	robe2:	but wasn't sure
   21:28:00	MartinSpott:	pam_ldapd is using nslcd as a helper daemon
   21:28:08	jmckenna:	no update here from GeoForAll team (still no response from Jason)
   21:28:38	robe2:	jmckenna want to send him another note just to be a little annoying to show we care :)
   21:29:12	strk:	MartinSpott: what vital feature was disabled by TemporSent ?
   21:29:51	jmckenna:	robe2: willdo ;)
   21:29:55	MartinSpott:	If you completely disable root logins via SSH, we're locked out if LDAP authentication fails because the way it's set up it relies on LDAP for sudo
   21:30:08	MartinSpott:	that's the point
   21:30:24	strk:	did he have a role in that ?
   21:30:32	MartinSpott:	And that won't change by notoriously repeating that root SSH is bad
   21:31:09	robe2:	MartinSpott I'm lost though what is wrong with having a local account, not in ldap that is not root but has sudo
   21:31:29	strk:	anyway I've understood the "tech_dev" account still works w/out LDAP
   21:31:32	robe2:	Doesn't that server the same purpose (so you can disable root ssh like what web18a has in place)
   21:32:04	MartinSpott:	strk: and how does "tech_dev" authenticate sudo ?
   21:32:12	strk:	local password
   21:32:18	strk:	or so I understood (didn't verify)
   21:32:18	robe2:	but anyway there is a point at which you are so secure your lock yourself out of your house.
   21:32:39	robe2:	I'm always more worried about locking myself out that preventing others from getting in.
   21:34:43	MartinSpott:	The moszt critical point in terms of IT security is that the SSH daemon is running as root user
   21:34:57	MartinSpott:	and we're unlikely going to change that soon
   21:36:50	robe2:	but SSH can still run under root without allowing remote SSH logins right
   21:37:05	MartinSpott:	sure, it does
   21:38:05		* MartinSpott -> family time
   21:38:30	MartinSpott:	mmh, turned out to be a little more than 15 minutes
   21:38:41	robe2:	yah it's been long enough here too got some bulk emails to send and applications to launch
   21:39:06	robe2:	MartinSpott it's always more than 15 minutes. We are lucky if we can keep it below an hour
   21:39:06	MartinSpott:	for the root login, I suggest thinking about passphrase protected Ed25519 keys
   21:39:11	MartinSpott:	in the long term
   21:40:09	robe2:	Anyway I call meeting over