On 01/02/2024 08:12, Pancho wrote:
>> Generate a new key on each device with ssh-keygen
>> and copy it to your primary machine with ssh-copy-id Then replicate
>> the primary machines .ssh/authorized_keys file to all the others, so
>> you can login from any machine to any other.
>>
>
> Yes, but in practice that meant everytime I installed a new OS on an
> experimental Orange Pi5 I had to alter the set up of seven or eight
> machines. Sometimes I was doing this a few times a day.

Not it you have a way of replicating the .ssh/authorized_keys file
between machines. You can do it with a cron script that does a copy
every few minutes if the master changes.

---druck

Chris Green <cl@isbd.net> wrote:
> Theo <theom+news@chiark.greenend.org.uk> wrote:
> > Chris Green <cl@isbd.net> wrote:
> > If the keylogger is on your machine, it can get the passphrase but it
> > doesn't get the private key unless it is specifically designed for attacking
> > ssh and can read your private keys. eg you might see the following in the
> > keylog:
> >
> > ssh chris@server.bigcorp.com
> > abr@cad4bra
> > ls
> >
> > and it's clear that abr@cad4bra is your password. If that was your
> > passphrase it wouldn't help attack anyone.
> >
> Not true, you're advocating separate keys for each remote and not
> keeping thenm in an agent so login isn't 'passwordless' or automatic.

I wasn't advocating that. The agent's purpose is so you only have to type
the passphrase once per session - if that makes keys easier to use and maybe
helps you have a stronger passphrase (since you don't need to type it so
often), then why not?

There may be some threat models where you don't want your machine holding
unlocked keys in RAM, in which case fair enough and you need to type the
passphrase each time, but for many use cases ssh-agent (and its integration
into things like KDE KWallet or MacOS keychain) is fine.

> Thus, when I login I see:-
>
> chris@esprimo$ ssh backup
> Enter passphrase for key '/home/chris/.ssh/backup_id_rsa':
> chris@backup$
>
> ... the keylogger will see 'ssh backup' followed by the passphrase.

If the keylogger is running locally, stealing the passphrase from a key
won't help the attacker because they don't have the private key.

If the keylogger in an infected SSH daemon on the server (which is where SSH
passwords are typically harvested) it will see parts of the public key
exchange but it doesn't see your passphrase or private key and the protocol
is designed so you can't replay what it does see. If it has passwords it
can replay them on other sites.

> > etckeeper will keep track of changes to /etc in a git repo
> >
> I use Mercurial.

etckeeper supports that too.

> > If you want to do this to a lot of machines, it's worth learning Ansible as
> > it'll keep your fleet of machines in sync. Just write an ansible recipe
> > and it will ensure it is applied (and only once) across all your
> > machines.
> >
> I may take a look, though I already have a common Mercurial repository
> where I keep everything like .bashrc, .profile, .ssh/config and so on.
> The Mercurial repository is shared across systems using syncthing.

I suppose you could push/pull your etckeeper repo to keep your /etc in sync,
but probably not ideal since things like hostnames will be different between
machines. Ansible is a better bet.

Theo

On 2/1/24 9:40 AM, The Natural Philosopher wrote:
> On 01/02/2024 06:32, 68g.1499 wrote:
>> On 1/30/24 6:05 PM, Scott Alfter wrote:
>>> In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
>>> Chris Green  <cl@isbd.net> wrote:
>>>> I can't us Pi Imager because it's very broken on Ubuntu:-
>>>
>>> Sounds like something you should take up with the Ubuntu packagers.  I
>>> maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo
>>> eselect
>>> repository enable salfter && sudo emaint sync -r salfter), and it
>>> works like
>>> a champ.
>>>
>>> More recently, I've migrated my print server (an ancient RPi Model B)
>>> from
>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.  The
>>> Alpine install needed to be done on a spare Raspberry Pi, but once it
>>> was up
>>> and running with ssh access, I was able to do the rest of the setup
>>> over the
>>> network.  Once I had it configured as I wanted it, I brought the
>>> MicroSD card
>>> over to another computer to image it and shipped the image home so I
>>> could
>>> blast it onto an SD card.  It's a much lighter-weight system
>>> now...could put
>>> it on a 128MB SD card, if I had one that small. :) The server runs
>>> headless,
>>> with just two printers, a network cable, and a power supply plugged in.
>>
>>
>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>    print server, based on an old Pi, rather than just printing
>>    directly from/to whatever   :-)
>>
> It avoids massively long printer cables obviously, when you have a
> pre-existent network of some sort...

Um ... printers have come with network ports/wi-fi for at
least 15 or more years now. You don't need "long cables",
except for ethernet, and thus the printer can be 300+ meters
away in the junk shed and work just fine. You can see and
print to it from any PC-like-thing directly.

Now if you have one of those old OKI pin printers (they
still have their place and they still sell them) with RS-232
then you may need a cheap adapter (or two) but you can still
plug 'em into the ethernet or at least a modern box and
share 'em out.

So ... well, I promised not to ask :-)

The increasing difficulty with "headless" is more of an
issue these days IMHO. I rarely did totally headless, but
on a few lower-powered (Pi) units that was the better
way to go to save resources. Even 'simple' GUIs are
cpu/memory-hogs at the least.

For easy headless in the near future ... might want to
look at the BSDs ...... some pain, some gain ......

On 02/02/2024 07:11, 68g.1499 wrote:
> On 2/1/24 9:40 AM, The Natural Philosopher wrote:
>> On 01/02/2024 06:32, 68g.1499 wrote:
>>> On 1/30/24 6:05 PM, Scott Alfter wrote:
>>>> In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
>>>> Chris Green  <cl@isbd.net> wrote:
>>>>> I can't us Pi Imager because it's very broken on Ubuntu:-
>>>>
>>>> Sounds like something you should take up with the Ubuntu packagers.  I
>>>> maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo
>>>> eselect
>>>> repository enable salfter && sudo emaint sync -r salfter), and it
>>>> works like
>>>> a champ.
>>>>
>>>> More recently, I've migrated my print server (an ancient RPi Model
>>>> B) from
>>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.  The
>>>> Alpine install needed to be done on a spare Raspberry Pi, but once
>>>> it was up
>>>> and running with ssh access, I was able to do the rest of the setup
>>>> over the
>>>> network.  Once I had it configured as I wanted it, I brought the
>>>> MicroSD card
>>>> over to another computer to image it and shipped the image home so I
>>>> could
>>>> blast it onto an SD card.  It's a much lighter-weight system
>>>> now...could put
>>>> it on a 128MB SD card, if I had one that small. :) The server runs
>>>> headless,
>>>> with just two printers, a network cable, and a power supply plugged in.
>>>
>>>
>>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>>    print server, based on an old Pi, rather than just printing
>>>    directly from/to whatever   :-)
>>>
>> It avoids massively long printer cables obviously, when you have a
>> pre-existent network of some sort...
>
>
>   Um ... printers have come with network ports/wi-fi for at
>   least 15 or more years now.

Some have, but many people use printers older than that.
Or more recent ones that come without network ports or wifi

--
Religion is regarded by the common people as true, by the wise as
foolish, and by the rulers as useful.

(Seneca the Younger, 65 AD)

On 2/1/24 11:29 AM, Scott Alfter wrote:
> In article <zQKdnaXu1ZFtpyb4nZ2dnZfqn_udnZ2d@earthlink.com>,
> 68g.1499 <68g.1499@etr6.net> wrote:
>> On 1/30/24 6:05 PM, Scott Alfter wrote:
>>> In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
>>> Chris Green <cl@isbd.net> wrote:
>>>> I can't us Pi Imager because it's very broken on Ubuntu:-
>>>
>>> Sounds like something you should take up with the Ubuntu packagers. I
>>> maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo eselect
>>> repository enable salfter && sudo emaint sync -r salfter), and it works like
>>> a champ.
>>>
>>> More recently, I've migrated my print server (an ancient RPi Model B) from
>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless. The
>>> Alpine install needed to be done on a spare Raspberry Pi, but once it was up
>>> and running with ssh access, I was able to do the rest of the setup over the
>>> network. Once I had it configured as I wanted it, I brought the MicroSD card
>>> over to another computer to image it and shipped the image home so I could
>>> blast it onto an SD card. It's a much lighter-weight system now...could put
>>> it on a 128MB SD card, if I had one that small. :) The server runs headless,
>>> with just two printers, a network cable, and a power supply plugged in.
>>
>>
>> Ok ... I'm not gonna ask why you'd want a completely separate
>> print server, based on an old Pi, rather than just printing
>> directly from/to whatever :-)
>
> The printers in question (an HP LaserJet 1320 and a Zebra LP2844) don't have
> built-in network connectivity. The print server is basically a
> JetDirect-compatible box that receives print data on one port for one
> printer and on another port for the other. I have an actual, rather old HP
> JetDirect print server in a box somewhere. It's in a box because its
> 10-Mbps Ethernet on one end and USB 1.x on the other is a bit slow for
> complex print jobs. Fast Ethernet (100 Mbps) and USB 2.0 on the Raspberry
> Pi is a step up.

Um ... check Amazon for adapters. You MIGHT need two.
However you OUGHT to be able to get it on ethernet or
wi-fi or at least USB on some box where you can share
it out. Fifty bucks ?

Now for 1970s/80s printers ... wide Centronics parallel ...
ok, you ARE gonna have problems, serious problems ....

RS-232 printers though, far fewer problems beyond drivers.
Kept an ancient OKI Microline going for 25 years ... THE
thing for multi-page sales forms. They still sell 'em.

Anyway, I promised not to ask ... :-)

On 2/1/24 11:44 AM, The Natural Philosopher wrote:
> On 01/02/2024 16:29, Scott Alfter wrote:
>> In article <zQKdnaXu1ZFtpyb4nZ2dnZfqn_udnZ2d@earthlink.com>,
>> 68g.1499 <68g.1499@etr6.net> wrote:
>>> On 1/30/24 6:05 PM, Scott Alfter wrote:
>>>> In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
>>>> Chris Green  <cl@isbd.net> wrote:
>>>>> I can't us Pi Imager because it's very broken on Ubuntu:-
>>>>
>>>> Sounds like something you should take up with the Ubuntu packagers.  I
>>>> maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo
>>>> eselect
>>>> repository enable salfter && sudo emaint sync -r salfter), and it
>>>> works like
>>>> a champ.
>>>>
>>>> More recently, I've migrated my print server (an ancient RPi Model
>>>> B) from
>>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.  The
>>>> Alpine install needed to be done on a spare Raspberry Pi, but once
>>>> it was up
>>>> and running with ssh access, I was able to do the rest of the setup
>>>> over the
>>>> network.  Once I had it configured as I wanted it, I brought the
>>>> MicroSD card
>>>> over to another computer to image it and shipped the image home so I
>>>> could
>>>> blast it onto an SD card.  It's a much lighter-weight system
>>>> now...could put
>>>> it on a 128MB SD card, if I had one that small. :) The server runs
>>>> headless,
>>>> with just two printers, a network cable, and a power supply plugged in.
>>>
>>>
>>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>>    print server, based on an old Pi, rather than just printing
>>>    directly from/to whatever   :-)
>>
>> The printers in question (an HP LaserJet 1320 and a Zebra LP2844)
>> don't have
>> built-in network connectivity.  The print server is basically a
>> JetDirect-compatible box that receives print data on one port for one
>> printer and on another port for the other.  I have an actual, rather
>> old HP
>> JetDirect print server in a box somewhere.  It's in a box because its
>> 10-Mbps Ethernet on one end and USB 1.x on the other is a bit slow for
>> complex print jobs.  Fast Ethernet (100 Mbps) and USB 2.0 on the
>> Raspberry
>> Pi is a step up.
>>
>
> Yeah I had one of those for a big A1 plotter.
> Pi is a great idea for a print server.

Had an old HP pen plotter and HiPad plotting tablet
- RS-232. A Pi could work them directly, no 'server'
required. You MIGHT want a couple of adapters so you
can use USB ports, but the built-in serial works
just fine. DRIVERS for old serial printers, they
MIGHT still be found ... but the command sets were
pretty simple anyway .......

Also, you don't need to use a Pi intermediary, even
crappy Winders PCs can be convinced to use/share
such devices. Linux/Unix can be even better because
they still understand TTY devices better.

Theo <theom+news@chiark.greenend.org.uk> wrote:
> Chris Green <cl@isbd.net> wrote:
> > Theo <theom+news@chiark.greenend.org.uk> wrote:
> > > Chris Green <cl@isbd.net> wrote:
> > > If the keylogger is on your machine, it can get the passphrase but it
> > > doesn't get the private key unless it is specifically designed for attacking
> > > ssh and can read your private keys. eg you might see the following in the
> > > keylog:
> > >
> > > ssh chris@server.bigcorp.com
> > > abr@cad4bra
> > > ls
> > >
> > > and it's clear that abr@cad4bra is your password. If that was your
> > > passphrase it wouldn't help attack anyone.
> > >
> > Not true, you're advocating separate keys for each remote and not
> > keeping thenm in an agent so login isn't 'passwordless' or automatic.
>
> I wasn't advocating that. The agent's purpose is so you only have to type
> the passphrase once per session - if that makes keys easier to use and maybe
> helps you have a stronger passphrase (since you don't need to type it so
> often), then why not?
>
This is where we came in! :-)

If you use agent then, once the passphrase has been entered, anyone
can walk up and log in to that remote system without know the passphrase.

--
Chris Green
·

On 02/02/2024 07:11, 68g.1499 wrote:
> Um ... printers have come with network ports/wi-fi for at
> least 15 or more years now.

SOME printers have ....

If a guy wants to run a Pi as a print server, who are you to say it's
wrong? They're very good for USB only printers.

--
Chris Elvidge, England
I WILL ONLY DO THIS ONCE A YEAR

On 31/01/2024 03:43, 68g.1499 wrote:
>   "Popular" systems - Win/Android/Mac - are going to be the
>   primary targets, bots and such optimized for them. Linux
>   proper is there, but not super-popular by the percentages.
>   Win in particular is a security disaster and most users
>   are know-nothings, best to put efforts there.
No,these days they are looking to recruit POS Chinese IOT stuff running,
such as security cameras, "smart" kitchen app licences and god knows
what else.
What these things have in common is running a version of Linux with very
poor security, such as hardcoded passwords, insecure protocols, no
firewalls or intrusion detection, and no one logged in running tools to
see why they are slow or are sending data all over the internet (even
more than the telemetry than they are meant to send back to the mothership).
Don't make your Raspberry as easy to crack as these things!
---druck

scott@alfter.diespammersdie.us (Scott Alfter) writes:

> More recently, I've migrated my print server (an ancient RPi Model B) from
> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.

And this works for you? I tried to setup a Pi as a print server but it
was just bad. Printer was a Laserjet but not so old it could take PCL or
postscript. Something proprietary that has been thoroughly reverse
engineered long ago, don't remember exactly what right now.

For me this setup was extremely flaky over the network. Sure, I could
print a test page but actual print jobs were really hit or
miss. Typically Cups on the Pi would say the job printed fine but
nothing actually came out of the printer. Reprinting from the Cups
"completed jobs" list always worked though. Sometimes Cups just decided
the printer wasn't "reachable". Even when it worked it was super slow for
one or two page text only jobs, say something like minutes for a file of
a few dozen kB to a few hundred.

Eventually the Pi ate its SD card and I got a cheapo ink jet. Still,
that old Laserjet should have something like 2000 pages worth of toner
left in its cartridge so sometimes I think about trying again.

On 2024-02-01, Theo wrote:

> Chris Green <cl@isbd.net> wrote:

>> Not true, you're advocating separate keys for each remote and not
>> keeping thenm in an agent so login isn't 'passwordless' or automatic.
>
> I wasn't advocating that. The agent's purpose is so you only have to type
> the passphrase once per session - if that makes keys easier to use and maybe
> helps you have a stronger passphrase (since you don't need to type it so
> often), then why not?
>
> There may be some threat models where you don't want your machine holding
> unlocked keys in RAM, in which case fair enough and you need to type the
> passphrase each time, but for many use cases ssh-agent (and its integration
> into things like KDE KWallet or MacOS keychain) is fine.

You can use `ssh-add -D` to delete all keys from the agent or `ssh-add
-t 1h` (for example) to limit the keys' life in the agent to 1 hour.

--
I only regret that I have but one shirt to give for my country.
---Abbie Hoffman

On 2024-01-31, Charlie Gibbs wrote:

> On 2024-01-31, Adam Funk <a24061@ducksburg.com> wrote:
>
>> On 2024-01-30, The Natural Philosopher wrote:
>>
>>> - "The list of root passwords pinned up behind the receptionist desk
>>> as well as the directory of usernames and DDI extensions is also sub
>>> optimal...
>>
>> Brilliant.
>
> I laughed when the movie WarGames showed the protagonist sitting
> outside the principal's office, sliding out the writing leaf on the
> desk on which a terminal sat, to reveal a piece of paper with the
> password written on it. It was the most realistic part of the movie.

I remember laughing at that at too.

--
A man can't just sit around.
---Larry Walters

In article <ljidnQZAhaC5ACH4nZ2dnZfqnPWdnZ2d@earthlink.com>,
68g.1499 <68g.1499@etr6.net> wrote:
> Also, you don't need to use a Pi intermediary, even
> crappy Winders PCs can be convinced to use/share
> such devices. Linux/Unix can be even better because
> they still understand TTY devices better.

You don't have to, but when your primary computer dual-boots, it makes
things easier. Besides, it was sitting idle, and even the first-gen
Raspberry Pi is more than capable enough for the task.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

In article <sm0jznmlx0d.fsf@lakka.kapsi.fi>,
Anssi Saari <anssi.saari@usenet.mail.kapsi.fi> wrote:
>scott@alfter.diespammersdie.us (Scott Alfter) writes:
>
>> More recently, I've migrated my print server (an ancient RPi Model B) from
>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.
>
>And this works for you? I tried to setup a Pi as a print server but it
>was just bad. Printer was a Laserjet but not so old it could take PCL or
>postscript. Something proprietary that has been thoroughly reverse
>engineered long ago, don't remember exactly what right now.

I had it working at first by (ab)using netcat somewhat, but I eventually
tracked down some ancient print-serving code:

https://web.archive.org/web/20021127142540/http://www.lprng.com/DISTRIB/UNIXTOOLS/lp_server/lp_server-1.1.6.tgz

I had to tweak it a bit to build on modern systems (still have to compile it
with -std=c90, though), and I had to tweak it further to work without glibc
so it'd run on Alpine. The result is up here, along with instructions:

https://gitlab.alfter.us/salfter/lp_server

CUPS (running on Gentoo Linux on another host) has been pretty solid talking
to both of the printers I use with it. Win11 works well with it, too.

I think I'd tried setting up CUPS on the Raspberry Pi before, but ran into
problems. Setting it up as a JetDirect-workalike has worked out much
better.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

In article <lQydnVSjD-c-CCH4nZ2dnZfqnPednZ2d@earthlink.com>,
68g.1499 <68g.1499@etr6.net> wrote:
>On 2/1/24 9:40 AM, The Natural Philosopher wrote:
>> On 01/02/2024 06:32, 68g.1499 wrote:
>>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>>    print server, based on an old Pi, rather than just printing
>>>    directly from/to whatever   :-)
>>>
>> It avoids massively long printer cables obviously, when you have a
>> pre-existent network of some sort...
>
> Um ... printers have come with network ports/wi-fi for at
> least 15 or more years now. You don't need "long cables",
> except for ethernet, and thus the printer can be 300+ meters
> away in the junk shed and work just fine. You can see and
> print to it from any PC-like-thing directly.

The printers I'm connecting that way are definitely older than that. There
was a LaserJet 1320n that had built-in Ethernet connectivity, but that
wasn't what I'd bought the better part of 20 years ago.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

On 02/02/2024 16:29, Scott Alfter wrote:
> In article <sm0jznmlx0d.fsf@lakka.kapsi.fi>,
> Anssi Saari <anssi.saari@usenet.mail.kapsi.fi> wrote:
>> scott@alfter.diespammersdie.us (Scott Alfter) writes:
>>
>>> More recently, I've migrated my print server (an ancient RPi Model B) from
>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.
>>
>> And this works for you? I tried to setup a Pi as a print server but it
>> was just bad. Printer was a Laserjet but not so old it could take PCL or
>> postscript. Something proprietary that has been thoroughly reverse
>> engineered long ago, don't remember exactly what right now.
>
> I had it working at first by (ab)using netcat somewhat, but I eventually
> tracked down some ancient print-serving code:
>
> https://web.archive.org/web/20021127142540/http://www.lprng.com/DISTRIB/UNIXTOOLS/lp_server/lp_server-1.1.6.tgz
>
> I had to tweak it a bit to build on modern systems (still have to compile it
> with -std=c90, though), and I had to tweak it further to work without glibc
> so it'd run on Alpine. The result is up here, along with instructions:
>
> https://gitlab.alfter.us/salfter/lp_server
>
> CUPS (running on Gentoo Linux on another host) has been pretty solid talking
> to both of the printers I use with it. Win11 works well with it, too.
>
> I think I'd tried setting up CUPS on the Raspberry Pi before, but ran into
> problems. Setting it up as a JetDirect-workalike has worked out much
> better.
>
The great thing about JetDirect was the utter lack of cleverness. Not
much could go wrong with it

--
Of what good are dead warriors? … Warriors are those who desire battle
more than peace. Those who seek battle despite peace. Those who thump
their spears on the ground and talk of honor. Those who leap high the
battle dance and dream of glory … The good of dead warriors, Mother, is
that they are dead.
Sheri S Tepper: The Awakeners.

On 2/2/24 11:16 AM, Scott Alfter wrote:
> In article <ljidnQZAhaC5ACH4nZ2dnZfqnPWdnZ2d@earthlink.com>,
> 68g.1499 <68g.1499@etr6.net> wrote:
>> Also, you don't need to use a Pi intermediary, even
>> crappy Winders PCs can be convinced to use/share
>> such devices. Linux/Unix can be even better because
>> they still understand TTY devices better.
>
> You don't have to, but when your primary computer dual-boots, it makes
> things easier. Besides, it was sitting idle, and even the first-gen
> Raspberry Pi is more than capable enough for the task.

Fully agreed - a Pi-1 (and I have a few) is fully capable.
Just questioning the NEED.

But, if you want it that way ...

On 2/2/24 2:15 AM, The Natural Philosopher wrote:
> On 02/02/2024 07:11, 68g.1499 wrote:
>> On 2/1/24 9:40 AM, The Natural Philosopher wrote:
>>> On 01/02/2024 06:32, 68g.1499 wrote:
>>>> On 1/30/24 6:05 PM, Scott Alfter wrote:
>>>>> In article <k4fd8k-d8d71.ln1@esprimo.zbmc.eu>,
>>>>> Chris Green  <cl@isbd.net> wrote:
>>>>>> I can't us Pi Imager because it's very broken on Ubuntu:-
>>>>>
>>>>> Sounds like something you should take up with the Ubuntu packagers.  I
>>>>> maintain a Gentoo ebuild for rpi-imager (it's in my overlay...sudo
>>>>> eselect
>>>>> repository enable salfter && sudo emaint sync -r salfter), and it
>>>>> works like
>>>>> a champ.
>>>>>
>>>>> More recently, I've migrated my print server (an ancient RPi Model
>>>>> B) from
>>>>> Raspbia^H^H^H^H^H^H^HRPi OS to Alpine, and it's running headless.  The
>>>>> Alpine install needed to be done on a spare Raspberry Pi, but once
>>>>> it was up
>>>>> and running with ssh access, I was able to do the rest of the setup
>>>>> over the
>>>>> network.  Once I had it configured as I wanted it, I brought the
>>>>> MicroSD card
>>>>> over to another computer to image it and shipped the image home so
>>>>> I could
>>>>> blast it onto an SD card.  It's a much lighter-weight system
>>>>> now...could put
>>>>> it on a 128MB SD card, if I had one that small. :) The server runs
>>>>> headless,
>>>>> with just two printers, a network cable, and a power supply plugged
>>>>> in.
>>>>
>>>>
>>>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>>>    print server, based on an old Pi, rather than just printing
>>>>    directly from/to whatever   :-)
>>>>
>>> It avoids massively long printer cables obviously, when you have a
>>> pre-existent network of some sort...
>>
>>
>>    Um ... printers have come with network ports/wi-fi for at
>>    least 15 or more years now.
>
> Some have, but many people use printers older than that.
> Or more recent ones that come without network ports or wifi

Which is why I also addressed "old"/RS-232 type
printers.

SERIAL - easy to deal with. Parallel/Centronics,
not so easy these days.

However NEW printers are NOT very expensive.
Let go of the distant past ...... :-)

On 2/2/24 8:01 AM, Chris Elvidge wrote:
> On 02/02/2024 07:11, 68g.1499 wrote:
>>    Um ... printers have come with network ports/wi-fi for at
>>    least 15 or more years now.
>
> SOME printers have ....

LOTS of printers ....

Yea, I fully understand the urge to "keep what works",
but eventually there's a POINT .......

> If a guy wants to run a Pi as a print server, who are you to say it's
> wrong? They're very good for USB only printers.

I didn't say it was bad/stupid.

I just said there may be better solutions.

If he badly WANTS to do it that way ...

So don't put words in my mouth.

On 2/2/24 11:34 AM, Scott Alfter wrote:
> In article <lQydnVSjD-c-CCH4nZ2dnZfqnPednZ2d@earthlink.com>,
> 68g.1499 <68g.1499@etr6.net> wrote:
>> On 2/1/24 9:40 AM, The Natural Philosopher wrote:
>>> On 01/02/2024 06:32, 68g.1499 wrote:
>>>>    Ok ... I'm not gonna ask why you'd want a completely separate
>>>>    print server, based on an old Pi, rather than just printing
>>>>    directly from/to whatever   :-)
>>>>
>>> It avoids massively long printer cables obviously, when you have a
>>> pre-existent network of some sort...
>>
>> Um ... printers have come with network ports/wi-fi for at
>> least 15 or more years now. You don't need "long cables",
>> except for ethernet, and thus the printer can be 300+ meters
>> away in the junk shed and work just fine. You can see and
>> print to it from any PC-like-thing directly.
>
> The printers I'm connecting that way are definitely older than that. There
> was a LaserJet 1320n that had built-in Ethernet connectivity, but that
> wasn't what I'd bought the better part of 20 years ago.

The HPLJ-2 was a damned workin' MACHINE. Almost
indestructible. Good quality, acceptable speed.

But it wasn't Wi-Fi.

But it COULD be Wi-Fi or Ethernet. Just takes a
cheap adapter or two. You can also SHARE it from
a Win or Lin unit. No need for intermediary stuff.

Anyway, just saying that there ARE solutions beyond
a dedicated print server. Easier, more future
utility.

On 01/02/2024 08:43, Richard Kettlewell wrote:

>
> 3) Use certificate-based authentication. Instead of copying public keys
> everywhere, just sign them once, and get each endpoint to trust the
> CA.
>
Thanks, I think the idea of certificate-based authentication sounds
interesting.

I will give it a go, I should at least understand what it means, even if
it is ultimately not appropriate.

On 01/02/2024 21:19, druck wrote:
> On 01/02/2024 08:12, Pancho wrote:
>>> Generate a new key on each device with ssh-keygen and copy it to your
>>> primary machine with ssh-copy-id Then replicate the primary machines
>>> .ssh/authorized_keys file to all the others, so you can login from
>>> any machine to any other.
>>>
>>
>> Yes, but in practice that meant everytime I installed a new OS on an
>> experimental Orange Pi5 I had to alter the set up of seven or eight
>> machines. Sometimes I was doing this a few times a day.
>
> Not it you have a way of replicating the .ssh/authorized_keys file
> between machines. You can do it with a cron script that does a copy
> every few minutes if the master changes.
>

Yep replication seems a good idea, I'm a little scared of roll your own
security automation. It's a topic that is both boring and tricky, a bad
combination. I can't see anyting wrong with it, but that often isn't a
good guide.

For the moment I think I'll investigate Richard's certificate base
authority idea. Thanks.

On 1/31/24 12:09 PM, The Natural Philosopher wrote:
> On 31/01/2024 16:55, Theo wrote:
>> I'll leave you to follow through the logic (ss4-7), but RPi OS gets
>> used in
>> a number of consumer and industrial products.
>
> Then their *adapted* version of software will have its own username and
> password .
>
> A raspberry pi does not come equipped with even an operating system

Neither does your commercial laptop. Someone PUTS Winders
on it.

For a Pi you PUT Linux (or a few other options) on it.

Now C-64s came "equipped" ... the "OS" was burned into
the factory ROMs.

On 02/02/2024 14:47, druck wrote:
> On 31/01/2024 03:43, 68g.1499 wrote:
>>    "Popular" systems - Win/Android/Mac - are going to be the
>>    primary targets, bots and such optimized for them. Linux
>>    proper is there, but not super-popular by the percentages.
>>    Win in particular is a security disaster and most users
>>    are know-nothings, best to put efforts there.
>
> No,these days they are looking to recruit POS Chinese IOT stuff running,
> such as security cameras, "smart" kitchen app licences and god knows
> what else.
Not even your toothbrush is safe!
https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages
---druck

druck <news@druck.org.uk> wrote:
> On 02/02/2024 14:47, druck wrote:
> > On 31/01/2024 03:43, 68g.1499 wrote:
> >>    "Popular" systems - Win/Android/Mac - are going to be the
> >>    primary targets, bots and such optimized for them. Linux
> >>    proper is there, but not super-popular by the percentages.
> >>    Win in particular is a security disaster and most users
> >>    are know-nothings, best to put efforts there.
> >
> > No,these days they are looking to recruit POS Chinese IOT stuff running,
> > such as security cameras, "smart" kitchen app licences and god knows
> > what else.
>
> Not even your toothbrush is safe!
>
> https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

That may not actually be true. One of the 'major brands' of smart
toothbrushes just does Bluetooth to the phone app, and the data sent is just
things like battery level and head pressure:
https://filestore.fortinet.com/fortiguard/research/toothbrush.pdf

Which is not to say that some other brand doesn't have an internet-enabled
chip in there, but battery life would be bad and these things tend to
operate from small batteries which are wirelessly-charged once a week or
less. Also, to have the world's largest botnet outed in an obscure Swiss
newspaper seems a bit suspect.

The presentation above has some valid points about dumb cloud apps and
smart-toothbrush-linked dental insurance ("the better you brush the less you
pay") but that's a different thing from a botnet.

Theo