pam ssh authentication via ldap
Tim Dunphy
bluethundr at gmail.com
Mon Feb 28 01:06:20 UTC 2011
Hello Krad and thank you for your reply!
Well, it seems that I am still unable to log in to this machine using an
LDAP account. I have tried applying the configuration you
provided, but the result doesn't seem to have changed just yet.
Here is my /usr/local/etc/ldap.conf file
# Client-side LDAP settings for pam_ldap and nss_ldap on this host
# (the listing below shows nss_ldap.conf as a symlink to this same file).
uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
# Service account used for lookups before the user's own bind.
# NOTE(review): nss_ldap lookups run inside the calling user's process, so this
# file generally has to be readable by every local user; the bind password is
# then visible to all of them. Keep this DN read-only and least-privileged.
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
# NOTE(review): nss_ldap/pam_ldap spell this value `start_tls` (with an
# underscore), as in the working configuration quoted later in this thread.
# As written, StartTLS is presumably not negotiated, which would send the
# bindpw and user passwords over ldap:// in clear text — verify.
ssl start tls
# NOTE(review): this names the server's own certificate, while slapd.conf lists
# gd_bundle.crt as its CA bundle. The client needs the issuing CA chain to
# verify the server; confirm that a chain can be built from this file.
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
# Attribute that is matched against the login name.
pam_login_attribute uid
# Short bind/search time limits and a soft bind policy, so lookups give up
# quickly instead of retrying when the server is unreachable.
bind_timelimit 1
timelimit 1
bind_policy soft
# Change passwords through the LDAP Password Modify extended operation.
pam_password exop
# Per-map search bases; every one here is the directory suffix itself.
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com
# Skip LDAP group lookups for these local accounts so they do not depend on
# the directory being reachable.
nss_initgroups_ignoreusers root,slapd
#ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x 1 root wheel 24 Feb 28 00:10
/usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
#cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
# Each line names one database followed by the sources consulted, in order.
# NOTE(review): this listing was read from /usr/local/etc/nsswitch.conf, but
# FreeBSD's libc reads /etc/nsswitch.conf — confirm which file is in effect.
#
# passwd/group: nscd cache first, then local files, then LDAP; the
# [notfound=return] criterion ends the lookup when ldap reports no entry.
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
# NOTE(review): the criterion is written with spaces here, unlike the passwd
# line above — confirm that nsswitch.conf(5) accepts this form.
group: cache files ldap [notfound = return]
group_compat: nis
# sudo rules are taken from LDAP only.
# NOTE(review): with no `files` source the local sudoers file is presumably not
# consulted, so privilege rules depend entirely on the directory's write ACLs
# and on the integrity of the LDAP connection — confirm.
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Here is my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schemas loaded by the server, including sudo and OpenSSH public-key (lpk).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# 296 = 256 (stats) + 32 (search filter processing) + 8 (connection management).
loglevel 296
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
## TLS options for slapd
# NOTE(review): assuming slapd is linked against OpenSSL, `+SSLv2` only moves
# those suites to the end of the preference list; it does not remove them, and
# MEDIUM admits weaker ciphers. Consider restricting this to HIGH.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
# Private key: should be readable by the slapd user only.
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
# NOTE(review): with the directive below left commented out, no minimum SSF is
# enforced, so simple binds are accepted over an unencrypted connection.
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# NOTE(review): slapd applies the first `access to` clause whose <what> matches
# and ignores the rest, so this leading `access to *` shadows every rule below
# it, including the userPassword rule. The `by read` line also has no <who>; if
# it was meant as `by * read`, anyone (anonymous included) can read every
# attribute, password hashes included. Put the userPassword rule first and end
# it with `by * none`. Continuation lines must also start with whitespace in
# the real file; the indentation appears to have been lost in this paste.
access to *
by read
# Intended rule: owners may change their own password, anonymous may only bind.
access to attrs=userPassword by self write
by anonymous auth
# Intended rule: entries under ou=summitnjops get write access everywhere.
access to * by self write
by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com"
write
by users read
by anonymous auth
# NOTE(review): a second `access to *` can never be reached, because the
# earlier `access to *` clauses already match everything.
access to * by self write
by users read
by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=summitnjhome,dc=com"
rootdn "cn=Manager,dc=summitnjhome,dc=com"
# Presumably redacted by the poster; a real value is a hash produced by
# slappasswd(8).
rootpw {SSHA}secret
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/summitnjhome.com
# Indices to maintain
# Equality indexes covering the attributes used by the account lookups
# (objectClass, uid, uidNumber) and by sudo (sudoUser).
index objectClass,uid,uidNumber eq
index sudoUser eq
These are the packages I have installed:
nss_ldap-1.265_4 RFC 2307 NSS module
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5 A pam module for authenticating with LDAP
And this is what happens in the ldap logs after making those changes:
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
base="dc=summitnjhome,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]: 425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
This is what's going on in the secure logs:
Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
user root by bluethundr(uid=10001)
And this is my /etc/pam.d/sshd file:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06
kensmith Exp $
#
# PAM configuration for the "sshd" service
#
# auth
# OPIE one-time passwords: a successful OPIE response is sufficient on its own;
# pam_opieaccess is requisite, so a failure there ends the auth chain at once.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# LDAP is the only password backend left in this stack; pam_unix below is
# commented out.
# NOTE(review): with `required` here and no pam_unix, password logins for
# local-only accounts fail and an LDAP outage blocks all password logins via
# sshd. A common layout is `auth sufficient pam_ldap.so` followed by
# `auth required pam_unix.so no_warn try_first_pass`, which keeps a local fallback.
auth required pam_ldap.so
#auth required pam_unix.so no_warn try_first_pass
# account
# Every uncommented module here is `required`: nologin check, login.access
# rules and the LDAP account check.
# NOTE(review): pam_ldap as a required account module presumably rejects users
# that exist only in the local password file — confirm.
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_ldap.so
#account required pam_unix.so
# session
#session optional pam_ssh.so
# pam_ldap success ends the session chain; otherwise pam_permit always succeeds.
session sufficient pam_ldap.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
# Password changes go to LDAP only; local pam_unix changes are disabled.
password required pam_ldap.so
#password required pam_unix.so no_warn try_first_pass
I really appreciate your input, Krad, and I appreciate any advice anyone may have.
thanks
tim
On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk at gmail.com> wrote:
> On 27 February 2011 11:05, krad <kraduk at gmail.com> wrote:
>> On 26 February 2011 20:01, Tim Dunphy <bluethundr at gmail.com> wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group dc=summitnjhome,dc=com
>>> nss_base_sudo dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>>> kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>>> Hello List!!
>>>>
>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>
>>>> But at the moment I am attempting to set up PAM authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth sufficient pam_opie.so no_warn no_fake_prompts
>>>> auth requisite pam_opieaccess.so no_warn allow_local
>>>> #auth sufficient pam_krb5.so no_warn try_first_pass
>>>> #auth sufficient pam_ssh.so no_warn try_first_pass
>>>> auth required pam_ldap.so
>>>> #auth required pam_unix.so no_warn try_first_pass
>>>>
>>>> # account
>>>> account required pam_nologin.so
>>>> #account required pam_krb5.so
>>>> account required pam_login_access.so
>>>> account required pam_ldap.so
>>>> #account required pam_unix.so
>>>>
>>>> # session
>>>> #session optional pam_ssh.so
>>>> session sufficient pam_ldap.so
>>>> session required pam_permit.so
>>>>
>>>> # password
>>>> #password sufficient pam_krb5.so no_warn try_first_pass
>>>> password required pam_ldap.so
>>>> #password required pam_unix.so no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>>>> ))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>> description objectCla
>>>> ss
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>> first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>> tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>> error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>> conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>>
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>>
>>
>> these are my files and are from a working setup
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE dc=XXX,dc=net
>> URI ldap://XXX.net
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x 1 root wheel 24 Jan 16 22:31
>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> these packages are installed
>>
>> nss_ldap-1.265_4 RFC 2307 NSS module
>> openldap-client-2.4.23 Open source LDAP client implementation
>> openldap-server-2.4.23 Open source LDAP server implementation
>> pam_ldap-1.8.6 A pam module for authenticating with LDAP
>>
>
> and my slapd.conf
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> #include /usr/local/etc/openldap/schema/ldapns.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> database bdb
> directory /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix "dc=XXX,dc=net"
> rootdn "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
> by self write
> by anonymous auth
> by dn.base="cn=krad,dc=XXX,dc=net" write
> by * none
> access to *
> by self write
> by dn.base="cn=krad,dc=XXX,dc=net" write
> by * read
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B