Major service changes
From OCFwiki
PHP upgrade - March 21st, 2008
The OCF is switching its default PHP interpreter from PHP 4.4 to PHP 5.2, beginning March 21st, 2008. Support for PHP 4 will end on May 12th, 2008, due to the PHP developers' decision to end support for PHP 4. All PHP users should review their web applications for compatibility with PHP 5 as soon as possible. Most widely-used web applications already support PHP 5, so in many cases, no action is needed; in most others, an application upgrade will be sufficient to ensure proper continued functionality. Check with the developer of your PHP web application to see whether or not it needs upgrading to work correctly with PHP 5.
Users who use custom-written PHP applications need to review their code for PHP 5 compatibility; see [1] for information on what's changed between PHP 4 and 5, and [2] and [3] for the (many fewer) differences between PHP 5.0 and 5.2.
Between now and March 21st, you may test your applications with PHP 5 using these instructions. After March 21, users who require more time to review their code may continue to use the PHP 4 interpreter by doing one of the following:
- Rename your PHP CGI scripts to end with a .php4 extension.
- If you're treating your PHP scripts as regular CGI scripts, use /opt/ocf/bin/php4 as the path to the PHP interpreter.
- Place an .htaccess file in the root of your PHP script directory (for example, in public_html) with the following contents:
AddHandler cgiwrap-php4 .php
This PHP 4 support will NOT work after May 12th.
If you already configure your PHP scripts to use PHP 5 (as per these instructions for instance), they will not be broken by this change. However, after March 21, you should undo your configuration changes so that you are running the OCF default configuration.
Mail server settings - August 1, 2007
The OCF is requiring users who use POP or IMAP to read their OCF email to use TLS- or SSL-secured connections to OCF's mailservers. This change significantly reduces the risk of an attacker hijacking your account by intercepting your password, slightly improves the security of your email, and brings us into compliance with the campus Minimum Security Standards for Networked Devices. Webmail and local mail access are unaffected, but users using POP or IMAP to read their mail will need to reconfigure their mail clients to use secure connections in order to continue using them to read their OCF mail.
See Using secure POP and IMAP for instructions on how to configure your mail client to read your OCF mail.
SSH upgrade - March 15, 2007
The default SSH binary for most users on the OCF's Solaris machines (ssh) has become a symlink to OpenSSH 4.6p1 (openssh), instead of commercial SSH 1.2.33. This change brings SSH protocol version 2 support to the OCF's default SSH client, improving security and compatibility with other machines. The old SSH 1 binary will continue to be available as ssh1, as will the commercial SSH client available as ssh2 (version 3.2.9.1). Most users will not notice the change. However, X forwarding is no longer enabled by default, for security reasons; pass the -X option to enable it (or better yet, -XC, which enables compression, speeding up your X session).
Users with SSH keys generated for the SSH version 1 client can continue to use them using ssh1 or ssh -1 (OpenSSH), generate new SSH version 2 keys for use with OpenSSH or the commercial SSH client using ssh-keygen (OpenSSH) or ssh-keygen2 (commercial SSH), or convert their existing SSH version 1 key to an SSH version 2 key. See SSH key management for information on creating a new SSH version 2 key or converting your existing SSH version 1 key.
Note that if you have never logged into a host before using SSH2, you may see a message asking you to verify the host's key fingerprint, as if you had never logged into the host before using any version of SSH. You should try to verify this key fingerprint, as always; one way to do this, assuming you've logged into the host in the past via SSH1, is to log in to the host using ssh1 or ssh -1 (OpenSSH) and display the fingerprint with something like ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub.
Mail server settings - March 9, 2007
The OCF is requiring users to log in with their username and password in order to send mail through the OCF. This change decreases the likelihood of spam being relayed via the OCF, and brings us into compliance with the campus Minimum Security Standards for Networked Devices. Webmail and local mail access are unaffected, but users sending mail via the OCF from outside the OCF need to reconfigure their mail clients to provide a username and password when sending mail.
Note that SMTP relaying via port 25, the default configuration for most mail clients, has been disabled for the last few months for anti-spam purposes. We apologize for this inconvenience; sending mail via the OCF should work provided you follow the instructions provided.
See Using secure authenticated SMTP for instructions on how to configure your mail client to send mail via the OCF.
SSH host keys change - August 22, 2006
Most OCF machines, including the login servers (apocalypse, conquest) serving OCF.Berkeley.EDU, have been reinstalled. As a result, SSH host keys have changed; see SSH host keys if you'd like to verify the fingerprints. Most SSH clients will complain loudly about this as a security feature (this prevents someone from impersonating an OCF machine), so you will probably need to replace the old host keys in your known hosts database with the new ones; see the documentation for your SSH client for more information on how to do this.
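What the fingerprint printed by ssh-keygen -l -f is computed from, and how to compare it with one obtained out of band, for both the SSH upgrade note above and this host key change. This is an added example, not OCF code; the key is constructed, and sample_pub, fingerprints and matches_published are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct

def wire_field(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire "string": length + bytes

def mpint(n: int) -> bytes:
    # The extra high-order byte keeps the sign bit clear for positive integers.
    return wire_field(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_pub(modulus: int) -> str:
    """Build a syntactically valid ssh-rsa .pub line (constructed, not a real key)."""
    blob = wire_field(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-example"

SAMPLE_PUB = sample_pub((1 << 1023) | 0x1234567)

def read_fields(blob: bytes) -> list:
    fields, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack_from(">I", blob, pos)
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields

def fingerprints(pub_line: str):
    """Return (rsa_bits, md5_fingerprint, sha256_fingerprint) for a .pub line."""
    keytype, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    fields = read_fields(blob)
    if fields[0].decode("ascii") != keytype:
        raise ValueError("key type does not match the encoded blob")
    bits = int.from_bytes(fields[2], "big").bit_length() if keytype == "ssh-rsa" else None
    # Older OpenSSH releases print the colon-separated MD5 form; newer ones SHA256.
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, md5, "SHA256:" + sha

def matches_published(pub_line: str, published: str) -> bool:
    """True only if the key hashes to the fingerprint obtained out of band."""
    _, md5, sha = fingerprints(pub_line)
    want = published.strip()
    return any(hmac.compare_digest(want, fp) for fp in (md5, sha))

if __name__ == "__main__":
    print(fingerprints(SAMPLE_PUB))
```

The fingerprint covers the whole decoded key blob, so any change to the key, however small, produces a different value.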
Webserver upgrade - August 6, 2006
The OCF has migrated to a new web server setup on a new machine; this brings much faster server response times. Static content and most web applications should be unaffected; however, there is a possibility that the upgrade will break some web applications. For more information, see Major service changes/August 2006 web server migration.
New disk array in service - October 22, 2005
The move of home and web directories to a new disk array with ~1 terabyte of space was completed. The major user-visible change is that home and web quotas are now consolidated, so users may use their total allocated space as they see fit. Note that the email inbox quota remains separate.
PHP register_globals turn off - August 10, 2005
The default value of the PHP directive register_globals has been changed to OFF. This is a long overdue security change. Some user-written PHP scripts may be affected. Commonly used PHP applications should have been updated to account for this change long ago.
For details about what register_globals is and what changes you may need to make in your PHP code, see this page.
Major MySQL and Perl upgrade - April 2, 2005
The following changes have been made:
- MySQL has been upgraded to version 4.1.10a (it was previously 3.23.58).
- Perl has been upgraded to version 5.8.6 (the default version was previously 5.005_03).
These upgrades should improve performance and compatibility with modern applications. Note that some older applications may have compatibility issues with either of these newer versions. For information on technical differences between these software versions, see for example:
Note that you may have to visit release notes for previous versions to see the full history of what has changed between an old version and the current version.
Additional notes
PHP has been rebuilt to use libraries from the new MySQL version, but it should otherwise be unaffected. Our new default Perl installation may not have certain modules built that were in our previous default Perl installation; if this is the case, please contact us with specific details of the problem you have run into, what module you believe is missing, etc.
Telnet and FTP turn off - January 15, 2004
Unsecured telnet and ftp services have been discontinued. Unsecured POP and IMAP mail services will be discontinued at a later date, to be announced. This is because these services send passwords over the network in plain view of any persons who may be monitoring transmissions, allowing them to access your account if they desire. There are secure (encrypting or one-time password) alternatives readily available for the most common platforms.
Note that SafeTP, although believed to be secure, has also been discontinued because it would provide no significant benefit over sftp. Also note that we now support the S/Key one-time-password system as an authentication method for telnet and ftp. S/Key is not a very convenient method of authentication for the average user, but if you wish, you can view a brief introduction and tutorial on S/Key here. You can find a JavaScript-based online S/Key calculator here. Please connect to skey.OCF.Berkeley.EDU for S/Key logins (whether telnet or ftp). Note that our systems are configured to use MD5 hashing. We may consider supporting ftp over SSL if there is sufficient demand for it; let us know if this would be very useful to you.
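How an S/Key response is derived with MD5, and why a response captured on the network cannot be reused, as an added sketch that is not OCF code. It follows the RFC 2289 computation (assumed here to match the OCF's MD5 S/Key setup) and prints hex rather than the six-word form; SkeyServer and the sample passphrase and seed are hypothetical.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5, then fold the 128-bit digest to 64 bits by XORing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit one-time password for sequence number `count` (RFC 2289)."""
    if count < 0:
        raise ValueError("sequence number must be >= 0")
    # The seed is lowercased and prepended to the secret passphrase.
    value = fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    for _ in range(count):  # each step walks one link further down the chain
        value = fold_md5(value)
    return value

def as_hex(otp: bytes) -> str:
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class SkeyServer:
    """Hypothetical verifier: keeps only the last accepted OTP, never the passphrase."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last_otp = seed, count, last_otp

    def challenge(self):
        return self.count - 1, self.seed  # sequence number the user must answer

    def verify(self, response: bytes) -> bool:
        # Hashing a valid response once must reproduce the stored value.
        if self.count < 1 or not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        self.last_otp, self.count = response, self.count - 1
        return True

def demo():
    # Constructed values: passphrase and seed are samples, not real credentials.
    secret, seed = "This is a test.", "TeSt"
    server = SkeyServer(seed, 99, skey_otp(secret, seed, 99))
    n, s = server.challenge()
    response = skey_otp(secret, s, n)
    first = server.verify(response)   # accepted; the server now expects n - 1
    replay = server.verify(response)  # same value sent again: rejected
    return as_hex(response), first, replay

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who sees response n would have to invert the folded MD5 step to produce response n - 1, which is what makes each value single-use.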
Replacement for Telnet
Instead of telnet, please use SSH (Secure SHell).
Replacement for FTP
Instead of ftp, please use sftp (SSH File Transfer Protocol).
- Windows users -- the ssh client mentioned in the preceding section includes an sftp client; please refer to the aforementioned page for details. This client is the one we recommend. However, if this is not satisfactory to you, some alternatives you might consider include WinSCP and FileZilla. In the case of FileZilla, remember to set it to connect using SFTP instead of FTP.
- MacOS X users -- sftp is available from the Terminal as 'sftp'. Fugu is a free graphical interface to sftp that can be downloaded here.
- Unix users -- sftp is usually accessible from the command line on Unix or Unix-like systems as 'sftp'. If you have no sftp client installed, you can get it as part of the OpenSSH package. You may find the 'scp' and 'rsync' commands to be useful as well.
If you find it difficult to give up your existing ftp client (perhaps because it's integrated with Dreamweaver or whatever), you may consider trying the "FTP to SFTP bridge" feature of MindTerm SSH. MindTerm is a Java-based program that runs on many different platforms that have a Java runtime (including Windows, Mac, and many Unix-like systems). You will need a Java runtime installed before you can run MindTerm (try double-clicking on the .jar file; if the program runs, you don't need to download a separate Java runtime). Otherwise, try downloading a Java runtime from java.com.
The "bridge" feature basically creates a virtual FTP server on your local computer. When you log into this virtual server, the server translates the commands your FTP client gives it to corresponding SFTP commands on our SFTP server. You can either download MindTerm from the MindTerm page, or OCF maintains a local copy in this directory. This guide should give you a good idea of how to set up the bridge; simply replace "ssh.hcc.hawaii.edu" with "ocf.berkeley.edu", "monir" with your real username, and "/home/fac6/monir/web" with "public_html".
Note to Dreamweaver users: As far as we know, only Dreamweaver MX 2004 provides built-in support for SFTP. For users of earlier versions of Dreamweaver MX or Dreamweaver, if you want to use the built-in FTP client, then the "FTP to SFTP bridge" described above is your best bet.
