| rapha | What about a Ubuntu Classroom lecture on how to package software for Ubuntu? | 00:32 |
|---|---|---|
| HymnToLife | there's been a lot of them already IIRC | 00:38 |
| bodhi_zazen | 10 min or so .. | 00:49 |
| bodhi_zazen | I will be demo on a shared session :) | 00:49 |
| bodhi_zazen | to log on : http://paste.ubuntu.com/156798/ | 00:49 |
| bodhi_zazen | if we can get people connected to the server in advance - woot | 00:49 |
| bodhi_zazen | If people need help connecting , ask | 00:50 |
| bodhi_zazen | If you know how to connect, please help in a /msg ;) | 00:50 |
| bodhi_zazen | don't all connect all at once now :) | 00:54 |
| bodhi_zazen | welcmoe ibuclaw , thanks for coming ;) | 00:54 |
| bodhi_zazen | ibuclaw: do you know how to use my shared ssh session ? | 00:55 |
| WastePotato | Hallo. | 00:56 |
| bodhi_zazen | 'lo WastePotato , thank you for coming as well | 00:56 |
| bodhi_zazen | do you recall how to connect to my ssh session ? | 00:57 |
| WastePotato | Hey bodhi_zazen. | 00:57 |
| WastePotato | I still have your key, but I don't remember the command. | 00:57 |
| bodhi_zazen | http://paste.ubuntu.com/156798/ | 00:58 |
| bodhi_zazen | 2 min or so ;) | 00:58 |
| bodhi_zazen | who is here for the session ? | 00:58 |
| bodhi_zazen | I am hoping to have a more interactive session, as they are more fun ;) | 00:58 |
| WastePotato | Present. | 00:58 |
| WastePotato | bodhi_zazen... is that.. screen? | 00:58 |
| bodhi_zazen | yes WastePotato ;) | 00:59 |
| bodhi_zazen | screen FTW | 00:59 |
| WastePotato | Dang. o: | 00:59 |
| bodhi_zazen | ? | 00:59 |
| WastePotato | Looks nice. :D | 01:00 |
| bodhi_zazen | >:) | 01:00 |
| HymnToLife | bodhi_zazen: can we run commands in your SSH session? | 01:00 |
| WastePotato | Lawl no. | 01:00 |
| HymnToLife | :( | 01:00 |
| bodhi_zazen | no, but if you ask I will run them for you ;) | 01:00 |
| WastePotato | It's read only. |: | 01:00 |
| bodhi_zazen | If too many people enter stuff at the same time it gets confusing | 01:01 |
| bodhi_zazen | Shall we start ? | 01:01 |
| bodhi_zazen | ssh is one of my favorite topics :) | 01:01 |
| bodhi_zazen | Brief into to ssh ? | 01:02 |
| WastePotato | SSH \o/ | 01:02 |
| bodhi_zazen | ssh == Secure SHell | 01:02 |
| bodhi_zazen | it allows one to log into a server and execute commands | 01:02 |
| bodhi_zazen | one can forward X applications, an entire desktop, ports, sockets, etc | 01:03 |
| bodhi_zazen | I would like to cover some of the basics today ;) | 01:03 |
| WastePotato | Cool. :) | 01:03 |
| bodhi_zazen | the computer you log into will be called "the server" today | 01:03 |
| bodhi_zazen | You first need to install ssh onto the server | 01:04 |
| ibuclaw | bodhi_zazen, I know vaguely how to use it... | 01:04 |
| bodhi_zazen | apt-get install ssh-server | 01:04 |
| HymnToLife | openssh-server* | 01:04 |
| HymnToLife | (or does ssh-server work too?) | 01:04 |
| WastePotato | ? | 01:04 |
| bodhi_zazen | thanks HymnToLife , lol | 01:04 |
| WastePotato | Oh. | 01:04 |
| bodhi_zazen | you then ssh user@server | 01:04 |
| bodhi_zazen | if you are on *unix , and have the same account name on clinet and server, you can ssh server | 01:05 |
| bodhi_zazen | to execute a command on the server | 01:05 |
| bodhi_zazen | ssh server command | 01:05 |
| HymnToLife | not only on *nix :o | 01:05 |
| HymnToLife | it works on Windows too | 01:06 |
| bodhi_zazen | does it work on Windows ? | 01:06 |
| bodhi_zazen | nice | 01:06 |
| WastePotato | PuTTy? | 01:06 |
| bodhi_zazen | yes, use putty on windows | 01:06 |
| HymnToLife | WastePotato: you can also install OpenSSH on Windows | 01:06 |
| bodhi_zazen | although if you like putty you can install it on Linux as well | 01:06 |
| HymnToLife | putty is a bit more convenient though | 01:06 |
| WastePotato | I see... | 01:06 |
| bodhi_zazen | putty is nice in that it stores servers and idents :) | 01:06 |
| WastePotato | Putty on Linux as well? Nice. | 01:07 |
| bodhi_zazen | OK, want to see a demo of ssh on my session ? | 01:07 |
| WastePotato | Yes! | 01:07 |
| bodhi_zazen | or shall we move on | 01:07 |
| bodhi_zazen | kk .. | 01:07 |
| WastePotato | \o/ | 01:07 |
| bodhi_zazen | see how the first time we connect to the server, we are asked to accept the server key ? | 01:08 |
| bodhi_zazen | the key is stored in ~/.ssh/known_hosts | 01:08 |
| bodhi_zazen | now we will not be asked to accept the key , watch | 01:08 |
| bodhi_zazen | see ? | 01:09 |
| bodhi_zazen | OK, lets run a command on the server :) | 01:09 |
| bodhi_zazen | ::) | 01:09 |
| bodhi_zazen | you forward application with -X | 01:09 |
| WastePotato | Ah. Didn't know you could specify a command on connection. o: | 01:10 |
| bodhi_zazen | ssh -X user@server xeyes | 01:10 |
| kklimonda | any idea why i can't forward firefox this way? | 01:10 |
| bodhi_zazen | will run xeyes on your local client, assuming you have X installed ;) | 01:10 |
| bodhi_zazen | yes kklimonda | 01:10 |
| HymnToLife | WastePotato: actually, if you ssh server command | 01:10 |
| bodhi_zazen | firefox is an exception to this | 01:10 |
| bodhi_zazen | firefox will run LOCAL | 01:10 |
| HymnToLife | only that command will be run on the server | 01:11 |
| bodhi_zazen | unless you tell it NOT to | 01:11 |
| HymnToLife | you won't get a prompt | 01:11 |
| kklimonda | bodhi_zazen: why is that? | 01:11 |
| bodhi_zazen | it is the way they built firefox | 01:11 |
| HymnToLife | kklimonda: actually, the "firefox" command runs a shell script that in turn runs Firefox itself | 01:11 |
| kklimonda | bodhi_zazen: is it ssh problem or generally X forwarding? | 01:11 |
| kklimonda | HymnToLife: and that's the reason? | 01:12 |
| HymnToLife | so if you do that, you'll run the shell script that is on the server | 01:12 |
| kklimonda | i see | 01:12 |
| bodhi_zazen | this is a firefox problem kklimonda | 01:12 |
| HymnToLife | but it will then run the firefox that is on the client | 01:12 |
| HymnToLife | kklimonda: see for example gedit `which firefox` | 01:13 |
| bodhi_zazen | Try ssh server /usr/bin/firefox -p -no-remote | 01:13 |
| bodhi_zazen | :) | 01:13 |
| HymnToLife | that's what is run when you type "firefox" at your prompt | 01:13 |
| kklimonda | HymnToLife: i thought that wrapper script will pass everything that is needed to firefox binary | 01:13 |
| bodhi_zazen | you need to tell firefox -no-remote to run it on server and forward it back over ssh | 01:13 |
| bodhi_zazen | OK, if you run a ssh server, BE SURE YOU SECURE IT :) | 01:14 |
| bodhi_zazen | https://help.ubuntu.com/community/AdvancedOpenSSH | 01:14 |
| HymnToLife | it is already fairly secure by default though | 01:14 |
| bodhi_zazen | shall I show you how to use keys ? | 01:14 |
| kklimonda | bodhi_zazen: is it possible to disable login by password for some users? | 01:14 |
| bodhi_zazen | you use a key pair to log onto the server, then disable password logins | 01:14 |
| bodhi_zazen | kklimonda: I do not think you can disable password logins per user | 01:15 |
| MattJ | SSH is only as secure as the password you use (I learnt that the hard way) | 01:15 |
| bodhi_zazen | you can do it for root | 01:15 |
| bodhi_zazen | +1 MattJ | 01:15 |
| kklimonda | bodhi_zazen: i can set up that root and only root doesn't use password login? | 01:16 |
| bodhi_zazen | shall we demo a key ? | 01:16 |
| HymnToLife | kklimonda: yes, but it's really better to disable it altogether | 01:16 |
| kklimonda | HymnToLife: i know | 01:16 |
| bodhi_zazen | yes kklimonda | 01:16 |
| kklimonda | HymnToLife: but it is the case that I don't want to do it | 01:16 |
| HymnToLife | may I ask why? | 01:16 |
| bodhi_zazen | I think it is AllowRootLogin nopassword | 01:16 |
| bodhi_zazen | something like that | 01:16 |
| bodhi_zazen | do not let "nopassword" fool you | 01:16 |
| bodhi_zazen | see man sshd_config | 01:17 |
| bodhi_zazen | OK, everyone on my shared ssh session ? | 01:17 |
| bodhi_zazen | want to see how to make a key ? | 01:17 |
| kklimonda | HymnToLife: other users doesn't use linux, configuring keys in putty isn't as easy, they don't want to do it. | 01:18 |
| bodhi_zazen | Command : ssh-keygen -t rsa -b 4096 -f root | 01:18 |
| bodhi_zazen | enter your desired password | 01:18 |
| bodhi_zazen | now we have 2 files , root and root.pub | 01:19 |
| bodhi_zazen | we transfer root.pub to the server | 01:19 |
| kklimonda | bodhi_zazen: can I force password login by passing an argument to ssh ? | 01:19 |
| kklimonda | i'd like to test PermitRootLogin without-password | 01:19 |
| bodhi_zazen | into /root/.ssh/authorized_keys | 01:19 |
| bodhi_zazen | kklimonda: I can show you this ;) | 01:19 |
| kklimonda | sure | 01:20 |
| bodhi_zazen | watch in the session and we can config | 01:20 |
| bodhi_zazen | Command : ssh-copy-id -i ./root.pub root@192.168.1.14 | 01:21 |
| bodhi_zazen | the command ssh-copy-id does all this for us automatically | 01:21 |
| bodhi_zazen | now let us ssh into server again ;) | 01:21 |
| bodhi_zazen | that went by fast :) | 01:22 |
| bodhi_zazen | see we get 1 attempt w/ key, then if the wrong PW is entered, fall back to password ? | 01:22 |
| bodhi_zazen | let us change that on the server :) | 01:22 |
| bodhi_zazen | now kklimonda :) | 01:23 |
| bodhi_zazen | see kklimonda , no log in w/o key :) | 01:24 |
| bodhi_zazen | but with key :) | 01:24 |
| bodhi_zazen | lol | 01:24 |
| kklimonda | bodhi_zazen: but what when I have key already on server, password already in seahorse cache and I want to simulate password login? :) | 01:24 |
| kklimonda | can I use -i /dev/null or something? | 01:24 |
| kklimonda | (i should check but if you are already here to poke... ;) ) | 01:25 |
| bodhi_zazen | that change will disable passwords :) | 01:25 |
| bodhi_zazen | test it out kklimonda :) | 01:25 |
| bodhi_zazen | OK , now a bit of security | 01:25 |
| bodhi_zazen | the key from the server insures against a "man in the middle" attack | 01:26 |
| bodhi_zazen | let us change the stored server key :) | 01:26 |
| bodhi_zazen | I changed the key | 01:26 |
| bodhi_zazen | now let us log in | 01:26 |
| bodhi_zazen | OH NO !!! | 01:27 |
| bodhi_zazen | now what everyone says , just delete ~/.ssh/known_hoses | 01:27 |
| bodhi_zazen | *hosts | 01:27 |
| bodhi_zazen | DO NOT DO THIS | 01:27 |
| bodhi_zazen | first contact the sys admin on the server | 01:27 |
| bodhi_zazen | and make sure the keys changed | 01:27 |
| bodhi_zazen | we know we changed the key | 01:27 |
| bodhi_zazen | so how to remove the key ? | 01:28 |
| bodhi_zazen | easily ? | 01:28 |
| bodhi_zazen | without removing all your keys ? | 01:28 |
| bodhi_zazen | ssh-keygen -R 192.168.1.14 | 01:28 |
| bodhi_zazen | now watch :) | 01:28 |
| bodhi_zazen | >:) | 01:28 |
| bodhi_zazen | easy as pie | 01:29 |
| kklimonda | indeed | 01:29 |
| bodhi_zazen | now ... | 01:29 |
| bodhi_zazen | want to log in w/o entering a password ? | 01:29 |
| bodhi_zazen | use ssh-agent / ssh-add | 01:29 |
| bodhi_zazen | Normally you use ssh-add in an X session | 01:29 |
| bodhi_zazen | ie seahorse | 01:29 |
| bodhi_zazen | but in a terminal ? | 01:29 |
| bodhi_zazen | Could not open a connection to your authentication agent. | 01:30 |
| bodhi_zazen | anyone know what to do in a terminal w/o X ? | 01:30 |
| bodhi_zazen | ??? | 01:30 |
| HymnToLife | yup | 01:30 |
| kklimonda | you should tell about keys without password - it's still common to see it as a solution in some guides | 01:30 |
| bodhi_zazen | ssh-agent bash | 01:30 |
| bodhi_zazen | or ssh-agent zsh | 01:30 |
| HymnToLife | that's not how I do it | 01:31 |
| HymnToLife | I have this in my crontab: | 01:31 |
| HymnToLife | @reboot ssh-agent -s | grep -v echo > $HOME/.ssh-agent | 01:31 |
| bodhi_zazen | now :) | 01:31 |
| HymnToLife | and a source ~/.ssh-agent | 01:31 |
| HymnToLife | in my .zshrc | 01:31 |
| bodhi_zazen | lol HymnToLife :) | 01:31 |
| bodhi_zazen | see, I ssh into server w/o entering a PW | 01:31 |
| bodhi_zazen | and look ma, no empty key :) | 01:32 |
| bodhi_zazen | now when I close the shell | 01:32 |
| ibuclaw | hehe | 01:32 |
| bodhi_zazen | password is forgotten :) | 01:32 |
| * ibuclaw is running a remote upgrade | 01:33 | |
| HymnToLife | I also have keyon/keyoff as aliases for ssh-add | 01:33 |
| bodhi_zazen | if you use ssh, you should look at screen | 01:33 |
| HymnToLife | to just make it "forget" the pasphrase in one command | 01:33 |
| HymnToLife | instead of exitting the shell | 01:33 |
| bodhi_zazen | screen allows you to run a command in the server, exit the ssh session, and the command keeps on running ;) | 01:34 |
| bodhi_zazen | we shall save screen for another day ? | 01:34 |
| kklimonda | bodhi_zazen: is you screen profile the same bundled with ubuntu screen package? | 01:34 |
| bodhi_zazen | here is how to use putty : | 01:35 |
| bodhi_zazen | http://wiki.amahi.org/index.php/Key-based_SSH_Logins_With_Putty | 01:35 |
| bodhi_zazen | works on windows and linux :) | 01:35 |
| bodhi_zazen | kklimonda: for this session it is | 01:35 |
| bodhi_zazen | OK, that is ssh 101 :) | 01:35 |
| bodhi_zazen | questions ? | 01:35 |
| kklimonda | i think you have answered all mine. | 01:36 |
| kklimonda | thanks :) | 01:36 |
| bodhi_zazen | np :) | 01:36 |
| bodhi_zazen | I think there were some additional questions ? | 01:36 |
| kklimonda | hmm.. weird.. i can't remove ssh key pass phase from seahorse cache | 01:37 |
| kklimonda | at least not from any gui | 01:37 |
| bodhi_zazen | I have not been a huge fan of seahorse :) | 01:38 |
| bodhi_zazen | yes it makes it easy, but if you want to change something it is a pain :( | 01:38 |
| bodhi_zazen | Any other questions on ssh ? | 01:39 |
| kklimonda | nope | 01:39 |
| bodhi_zazen | and HymnToLife I made a rsa key "just for your" , lol | 01:39 |
| bodhi_zazen | *you | 01:39 |
| bodhi_zazen | I will hold another session in 2 weeks | 01:40 |
| bodhi_zazen | suggestions for topic ? | 01:40 |
| kklimonda | about? | 01:40 |
| kklimonda | oh :) | 01:40 |
| kklimonda | hmm.. screen magic would be nice | 01:40 |
| kklimonda | But I won't be here probably | 01:40 |
| bodhi_zazen | screen would be fun :) | 01:40 |
| kklimonda | or maybe.. | 01:40 |
| kklimonda | yeah | 01:40 |
| bodhi_zazen | other suggestions ? | 01:40 |
| kklimonda | I know some basics etc. but I know that screen has a lot of potential.. | 01:40 |
| bodhi_zazen | kklimonda: http://www.pixelbeat.org/lkdb/screen.html | 01:41 |
| bodhi_zazen | http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/ | 01:41 |
| kklimonda | thanks for this post - i'll read it later. | 01:42 |
| kklimonda | i was going to ask how you did it :) | 01:42 |
| bodhi_zazen | ;) | 01:42 |
| bodhi_zazen | It is a very nice, secure teaching tool ;) | 01:43 |
| kklimonda | exactly | 01:43 |
| bodhi_zazen | I had to open a few small holes to allow this session in fact ;) | 01:43 |
| bodhi_zazen | ibuclaw: questions ? | 01:44 |
| bodhi_zazen | WastePotato: you ? | 01:44 |
| ibuclaw | bodhi_zazen, not any from me... | 01:44 |
| bodhi_zazen | aww ... | 01:44 |
| kklimonda | bodhi_zazen: why is apparmor policy modification needed? | 01:45 |
| bodhi_zazen | what ? | 01:46 |
| bodhi_zazen | you mean why did I write an apparmor policy for the shared session ? | 01:46 |
| kklimonda | oh, i see - jailbash is used instead of rbash? | 01:46 |
| ibuclaw | bodhi_zazen, I've actually not paid a great amount of attention. Just picked up the `ssh iain@192.168.1.8`, `ssh -X iain@192.168.1.4 gui-app`, `ssh-keygen -t rsa -b 4096 -f root` and `ssh-copy-id -i ./iain.pub iain@192.168.1.8` commands and have been playing about ever since ;) | 01:46 |
| bodhi_zazen | nice ibuclaw | 01:47 |
| bodhi_zazen | jailzsh actually | 01:47 |
| bodhi_zazen | I can give out the guru key to members of the BT for teaching | 01:47 |
| bodhi_zazen | and this allows them to do a whole ton | 01:47 |
| bodhi_zazen | but I restrict what they can do | 01:47 |
| ibuclaw | since I'm behind a router, and I don't plan on port forwarding, I don't think I need to look too deep into the security side... yet. But I've learnt something today, that's for sure ;) | 01:47 |
| bodhi_zazen | for example, you still in the shared session ? | 01:48 |
| bodhi_zazen | want to see a demo of apparmor ? | 01:48 |
| kklimonda | no, i can login again | 01:48 |
| ibuclaw | kklimonda, you can break out of rbash in less than 3 seconds | 01:48 |
| bodhi_zazen | kk | 01:48 |
| kklimonda | ibuclaw: nice :) | 01:48 |
| bodhi_zazen | you in ? | 01:48 |
| kklimonda | yes | 01:48 |
| bodhi_zazen | see how I allow root access ? | 01:49 |
| bodhi_zazen | but apparmor will restrict even root | 01:49 |
| bodhi_zazen | :) | 01:50 |
| kklimonda | bodhi_zazen: btw.. there is a lot of discussion about apparmor vs. selinux - do you know what do ubuntu developers think about it? | 01:50 |
| bodhi_zazen | see how I restrict the access to the net w/ iptables | 01:50 |
| kklimonda | yeh | 01:51 |
| bodhi_zazen | apparmor does not allow root to turn it off | 01:51 |
| bodhi_zazen | he he he | 01:51 |
| bodhi_zazen | nor read sshd-config, let alone change | 01:51 |
| bodhi_zazen | so I am resticting what this machine can do no my LAN | 01:52 |
| bodhi_zazen | I specifically allowed access to 192.168.1.14 for this session ;) | 01:52 |
| kklimonda | oh :) | 01:53 |
| bodhi_zazen | see, apparmor blocks access to .bashrc as well >:) | 01:53 |
| bodhi_zazen | lol | 01:53 |
| bodhi_zazen | and everyone likes that command :) | 01:54 |
| kklimonda | this one should be default :) | 01:54 |
| bodhi_zazen | this shell ? | 01:54 |
| kklimonda | nah, preventing rm -rf / ;) | 01:54 |
| bodhi_zazen | preventing rm -rf / | 01:54 |
| bodhi_zazen | is default as of 8.10 | 01:54 |
| kklimonda | oh? damn :) | 01:54 |
| kklimonda | nice | 01:54 |
| bodhi_zazen | but do not | 01:55 |
| bodhi_zazen | rm -rf /* | 01:55 |
| bodhi_zazen | lol | 01:55 |
| kklimonda | it still works? :) | 01:55 |
| bodhi_zazen | see ? | 01:55 |
| kklimonda | yes | 01:55 |
| bodhi_zazen | >:) | 01:55 |
| bodhi_zazen | shh, don't tell anyone | 01:55 |
| kklimonda | :D | 01:55 |
| bodhi_zazen | I like to see everyone's response when root is restricted by apparmor | 01:56 |
| bodhi_zazen | as you can see, it is not a "fake" root account | 01:56 |
| bodhi_zazen | uid = 0 | 01:56 |
| bodhi_zazen | 3 min left | 01:57 |
| bodhi_zazen | questions ? | 01:57 |
| bodhi_zazen | other things to see and do ? | 01:57 |
| bodhi_zazen | kklimonda: you still loged in ? | 01:57 |
| kklimonda | yes | 01:57 |
| bodhi_zazen | watch this :) | 01:57 |
| bodhi_zazen | see that command ? | 01:57 |
| kklimonda | *nods* | 01:58 |
| kklimonda | :) | 01:58 |
| bodhi_zazen | see what happened ? | 01:58 |
| kklimonda | yup - nice feature | 01:58 |
| bodhi_zazen | if I am not running a shared session -> no guest log in | 01:58 |
| bodhi_zazen | try it | 01:58 |
| bodhi_zazen | my iptables rules will block you for 10 min or so, nothing serious :) | 01:59 |
| bodhi_zazen | go ahead, hit it 3 times or so :p | 01:59 |
| kklimonda | ;) | 01:59 |
| kklimonda | bodhi_zazen: great job with this screen setup. | 02:00 |
| kklimonda | It works great and looks nice :) | 02:00 |
| kklimonda | ok, time for my | 02:00 |
| kklimonda | good night everyone | 02:00 |
| bodhi_zazen | thanks kklimonda :) | 02:01 |
| bodhi_zazen | thank you all for coming :) | 02:05 |
| WastePotato | o/ | 02:10 |
| WastePotato | Damn. Missed half of it. I'll read the scrollback. :S | 02:11 |
| === serverchen is now known as javapi | ||
| === notLight is now known as Light- | ||
| === kenny is now known as Guest91775 | ||
| === iTroll is now known as WastePotato | ||
| === kenny is now known as Guest20760 | ||
| === Guest20760 is now known as KennyM | ||
| === kenny is now known as KennyM | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!