Workshop (to be) held on 2021/09/11 at 14:00 in Other Room
Previous workshop: 21 February 2019 18:00:00
- Upgrade Sown-auth2 to Ubuntu 18.04 and possibly Ubuntu 20.04
- TimStallard and DavidNewman worked on upgrading to Ubuntu 18.04. A number of problems were hit:
- FreeRadius was upgraded to version 3.0.16, so they needed to port and modify the old 2.x.y configuration to work with 3.0.
- OpenVPN was upgraded to 2.4.4. Fortunately, we had already set up the Admin Site for the 2.4 configuration, so we just switched the update_openvpn script over to use this.
- Check VSTACK status on SOWN switch and other security hardening
- DanTrickey looked into this and, although the VSTACK setting was OK, he found a number of other security concerns, which he fixed.
- Fix slow SSH login to servers due to slow motd caching
- Scorpia looked into this. After investigating MOTD and various other issues, he concluded that this is something integral to the SSH server but could not narrow it down further.
- The issue seems to only present once, typically after a reboot.
- Upgrading from Ubuntu 18.04 to 20.04 does not fix the issue.
- Investigate why AUTH2/EAPOL-EDUROAM and AUTH2/AUTH checks are failing
- DavidNewman contacted the Eduroam UK team to try to debug problems with RADIUS checks, which broke in June/July. This turned out to be us running an old version of eapol_test (from WPA Supplicant 2.4 or earlier), so he compiled the latest version (from WPA Supplicant 2.9), and both the checks to eduroam.ac.uk and the ODI started working again.
- DavidNewman has made some changes to the eduroam.ac.uk checks to use the "University of Catford" CA certificate.
- Investigate why AUTH2/SSH checks periodically go into a warning state
- Renew SSL certificates for various nodes which expire in October
- DavidNewman has renewed certificates for all the nodes that were online:
- The following nodes are still outstanding:
- 304 is held by Josh, but he replaced it with his own hardware as he lost the node. We need to contact him to get him to plug it in.
- 305 is held by DanTrickey. He needs to plug this in so it can have its certificate renewed or return the node.
- 308 expired a year or so ago. We need to try to get this back from Matt?
- 444 is DavidYoung's node on his own hardware, so this deployment will probably just be ended when the certificate fully expires.
- 912 is Cmalton's node. He will try to plug it back into the right VLAN of his home network so this development node's certificate can be renewed.