[00:32] <rapha> What about a Ubuntu Classroom lecture on how to package software for Ubuntu?
[00:38] <HymnToLife> there's been a lot of them already IIRC
[00:49] <bodhi_zazen> 10 min or so ..
[00:49] <bodhi_zazen> I will be demo on a shared session :)
[00:49] <bodhi_zazen> to log on : http://paste.ubuntu.com/156798/
[00:49] <bodhi_zazen> if we can get people connected to the server in advance - woot
[00:50] <bodhi_zazen> If people need help connecting , ask
[00:50] <bodhi_zazen> If you know how to connect, please help in a /msg ;)
[00:54] <bodhi_zazen> don't all connect all at once now :)
[00:54] <bodhi_zazen> welcome ibuclaw , thanks for coming ;)
[00:55] <bodhi_zazen> ibuclaw: do you know how to use my shared ssh session ?
[00:56] <WastePotato> Hallo.
[00:56] <bodhi_zazen> 'lo WastePotato , thank you for coming as well
[00:57] <bodhi_zazen> do you recall how to connect to my ssh session ?
[00:57] <WastePotato> Hey bodhi_zazen.
[00:57] <WastePotato> I still have your key, but I don't remember the command.
[00:58] <bodhi_zazen> http://paste.ubuntu.com/156798/
[00:58] <bodhi_zazen> 2 min or so ;)
[00:58] <bodhi_zazen> who is here for the session ?
[00:58] <bodhi_zazen> I am hoping to have a more interactive session, as they are more fun ;)
[00:58] <WastePotato> Present.
[00:58] <WastePotato> bodhi_zazen... is that.. screen?
[00:59] <bodhi_zazen> yes WastePotato ;)
[00:59] <bodhi_zazen> screen FTW
[00:59] <WastePotato> Dang. o:
[00:59] <bodhi_zazen> ?
[01:00] <WastePotato> Looks nice. :D
[01:00] <bodhi_zazen> >:)
[01:00] <HymnToLife> bodhi_zazen: can we run commands in your SSH session?
[01:00] <WastePotato> Lawl no.
[01:00] <HymnToLife> :(
[01:00] <bodhi_zazen> no, but if you ask I will run them for you ;)
[01:00] <WastePotato> It's read only. |:
[01:01] <bodhi_zazen> If too many people enter stuff at the same time it gets confusing
[01:01] <bodhi_zazen> Shall we start ?
[01:01] <bodhi_zazen> ssh is one of my favorite topics :)
[01:02] <bodhi_zazen> Brief intro to ssh ?
[01:02] <WastePotato> SSH \o/
[01:02] <bodhi_zazen> ssh == Secure SHell
[01:02] <bodhi_zazen> it allows one to log into a server and execute commands
[01:03] <bodhi_zazen> one can forward X applications, an entire desktop, ports, sockets, etc
[01:03] <bodhi_zazen> I would like to cover some of the basics today ;)
[01:03] <WastePotato> Cool. :)
[01:03] <bodhi_zazen> the computer you log into will be called "the server" today
[01:04] <bodhi_zazen> You first need to install ssh onto the server
[01:04] <ibuclaw> bodhi_zazen, I know vaguely how to use it...
[01:04] <bodhi_zazen> apt-get install ssh-server
[01:04] <HymnToLife> openssh-server*
[01:04] <HymnToLife> (or does ssh-server work too?)
[01:04] <WastePotato> ?
[01:04] <bodhi_zazen> thanks HymnToLife , lol
[01:04] <WastePotato> Oh.
[01:04] <bodhi_zazen> you then ssh user@server
[01:05] <bodhi_zazen> if you are on *unix , and have the same account name on client and server, you can ssh server
[01:05] <bodhi_zazen> to execute a command on the server
[01:05] <bodhi_zazen> ssh server command
[01:05] <HymnToLife> not only on *nix :o
[01:06] <HymnToLife> it works on Windows too
[01:06] <bodhi_zazen> does it work on Windows ?
[01:06] <bodhi_zazen> nice
[01:06] <WastePotato> PuTTy?
[01:06] <bodhi_zazen> yes, use putty on windows
[01:06] <HymnToLife> WastePotato: you can also install OpenSSH on Windows
[01:06] <bodhi_zazen> although if you like putty you can install it on Linux as well
[01:06] <HymnToLife> putty is a bit more convenient though
[01:06] <WastePotato> I see...
[01:06] <bodhi_zazen> putty is nice in that it stores servers and idents :)
[01:07] <WastePotato> Putty on Linux as well? Nice.
[01:07] <bodhi_zazen> OK, want to see a demo of ssh on my session ?
[01:07] <WastePotato> Yes!
[01:07] <bodhi_zazen> or shall we move on
[01:07] <bodhi_zazen> kk ..
[01:07] <WastePotato> \o/
[01:08] <bodhi_zazen> see how the first time we connect to the server, we are asked to accept the server key ?
[01:08] <bodhi_zazen> the key is stored in ~/.ssh/known_hosts
[01:08] <bodhi_zazen> now we will not be asked to accept the key , watch
[01:09] <bodhi_zazen> see ?
[01:09] <bodhi_zazen> OK, lets run a command on the server :)
[01:09] <bodhi_zazen> ::)
[01:09] <bodhi_zazen> you forward application with -X
[01:10] <WastePotato> Ah. Didn't know you could specify a command on connection. o:
[01:10] <bodhi_zazen> ssh -X user@server xeyes
[01:10] <kklimonda> any idea why i can't forward firefox this way?
[01:10] <bodhi_zazen> will run xeyes on your local client, assuming you have X installed ;)
[01:10] <bodhi_zazen> yes kklimonda
[01:10] <HymnToLife> WastePotato: actually, if you   ssh server command
[01:10] <bodhi_zazen> firefox is an exception to this
[01:10] <bodhi_zazen> firefox will run LOCAL
[01:11] <HymnToLife> only that command will be run on the server
[01:11] <bodhi_zazen> unless you tell it NOT to
[01:11] <HymnToLife> you won't get a prompt
[01:11] <kklimonda> bodhi_zazen: why is that?
[01:11] <bodhi_zazen> it is the way they built firefox
[01:11] <HymnToLife> kklimonda: actually, the "firefox" command runs a shell script that in turn runs Firefox itself
[01:11] <kklimonda> bodhi_zazen: is it ssh problem or generally X forwarding?
[01:12] <kklimonda> HymnToLife: and that's the reason?
[01:12] <HymnToLife> so if you do that, you'll run the shell script that is on the server
[01:12] <kklimonda> i see
[01:12] <bodhi_zazen> this is a firefox problem kklimonda
[01:12] <HymnToLife> but it will then run the firefox that is on the client
[01:13] <HymnToLife> kklimonda: see for example   gedit `which firefox`
[01:13] <bodhi_zazen> Try ssh server /usr/bin/firefox -p -no-remote
[01:13] <bodhi_zazen> :)
[01:13] <HymnToLife> that's what is run when you type "firefox" at your prompt
[01:13] <kklimonda> HymnToLife: i thought that wrapper script will pass everything that is needed to firefox binary
[01:13] <bodhi_zazen> you need to tell firefox -no-remote to run it on server and forward it back over ssh
[01:14] <bodhi_zazen> OK, if you run a ssh server, BE SURE YOU SECURE IT :)
[01:14] <bodhi_zazen> https://help.ubuntu.com/community/AdvancedOpenSSH
[01:14] <HymnToLife> it is already fairly secure by default though
[01:14] <bodhi_zazen> shall I show you how to use keys ?
[01:14] <kklimonda> bodhi_zazen: is it possible to disable login by password for some users?
[01:14] <bodhi_zazen> you use a key pair to log onto the server, then disable password logins
[01:15] <bodhi_zazen> kklimonda: I do not think you can disable password logins per user
[01:15] <MattJ> SSH is only as secure as the password you use (I learnt that the hard way)
[01:15] <bodhi_zazen> you can do it for root
[01:15] <bodhi_zazen> +1 MattJ
[01:16] <kklimonda> bodhi_zazen: i can set up that root and only root doesn't use password login?
[01:16] <bodhi_zazen> shall we demo a key ?
[01:16] <HymnToLife> kklimonda: yes, but it's really better to disable it altogether
[01:16] <kklimonda> HymnToLife: i know
[01:16] <bodhi_zazen> yes kklimonda
[01:16] <kklimonda> HymnToLife: but it is the case that I don't want to do it
[01:16] <HymnToLife> may I ask why?
[01:16] <bodhi_zazen> I think it is AllowRootLogin nopassword
[01:16] <bodhi_zazen> something like that
[01:16] <bodhi_zazen> do not let "nopassword" fool you
[01:17] <bodhi_zazen> see man sshd_config
[01:17] <bodhi_zazen> OK, everyone on my shared ssh session ?
[01:17] <bodhi_zazen> want to see how to make a key ?
[01:18] <kklimonda> HymnToLife: other users don't use linux, configuring keys in putty isn't as easy, they don't want to do it.
[01:18] <bodhi_zazen> Command : ssh-keygen -t rsa -b 4096 -f root
[01:18] <bodhi_zazen> enter your desired password
[01:19] <bodhi_zazen> now we have 2 files , root and root.pub
[01:19] <bodhi_zazen> we transfer root.pub to the server
[01:19] <kklimonda> bodhi_zazen: can I force password login by passing an argument to ssh ?
[01:19] <kklimonda> i'd like to test PermitRootLogin without-password
[01:19] <bodhi_zazen> into /root/.ssh/authorized_keys
[01:19] <bodhi_zazen> kklimonda: I can show you this ;)
[01:20] <kklimonda> sure
[01:20] <bodhi_zazen> watch in the session and we can config
[01:21] <bodhi_zazen> Command : ssh-copy-id -i ./root.pub root@192.168.1.14
[01:21] <bodhi_zazen> the command ssh-copy-id does all this for us automatically
[01:21] <bodhi_zazen> now let us ssh into server again ;)
[01:22] <bodhi_zazen> that went by fast :)
[01:22] <bodhi_zazen> see we get 1 attempt w/ key, then if the wrong PW is entered, fall back to password ?
[01:22] <bodhi_zazen> let us change that on the server :)
[01:23] <bodhi_zazen> now kklimonda :)
[01:24] <bodhi_zazen> see kklimonda , no log in w/o key :)
[01:24] <bodhi_zazen> but with key :)
[01:24] <bodhi_zazen> lol
[01:24] <kklimonda> bodhi_zazen: but what when I have key already on server, password already in seahorse cache and I want to simulate password login? :)
[01:24] <kklimonda> can I use -i /dev/null or something?
[01:25] <kklimonda> (i should check but if you are already here to poke... ;) )
[01:25] <bodhi_zazen> that change will disable passwords :)
[01:25] <bodhi_zazen> test it out kklimonda :)
[01:25] <bodhi_zazen> OK , now a bit of security
[01:26] <bodhi_zazen> the key from the server insures against a "man in the middle" attack
[01:26] <bodhi_zazen> let us change the stored server key :)
[01:26] <bodhi_zazen> I changed the key
[01:26] <bodhi_zazen> now let us log in
[01:27] <bodhi_zazen> OH NO !!!
[01:27] <bodhi_zazen> now what everyone says , just delete ~/.ssh/known_hoses
[01:27] <bodhi_zazen> *hosts
[01:27] <bodhi_zazen> DO NOT DO THIS
[01:27] <bodhi_zazen> first  contact the sys admin on the server
[01:27] <bodhi_zazen> and make sure the keys changed
[01:27] <bodhi_zazen> we know we changed the key
[01:28] <bodhi_zazen> so how to remove the key ?
[01:28] <bodhi_zazen> easily ?
[01:28] <bodhi_zazen> without removing all your keys ?
[01:28] <bodhi_zazen> ssh-keygen -R 192.168.1.14
[01:28] <bodhi_zazen> now watch :)
[01:28] <bodhi_zazen> >:)
[01:29] <bodhi_zazen> easy as pie
[01:29] <kklimonda> indeed
[01:29] <bodhi_zazen> now ...
[01:29] <bodhi_zazen> want to log in w/o entering a password ?
[01:29] <bodhi_zazen> use ssh-agent / ssh-add
[01:29] <bodhi_zazen> Normally you use ssh-add in an X session
[01:29] <bodhi_zazen> ie seahorse
[01:29] <bodhi_zazen> but in a terminal ?
[01:30] <bodhi_zazen> Could not open a connection to your authentication agent.
[01:30] <bodhi_zazen> anyone know what to do in a terminal w/o X ?
[01:30] <bodhi_zazen> ???
[01:30] <HymnToLife> yup
[01:30] <kklimonda> you should tell about keys without password - it's still common to see it as a solution in some guides
[01:30] <bodhi_zazen> ssh-agent bash
[01:30] <bodhi_zazen> or ssh-agent zsh
[01:31] <HymnToLife> that's not how I do it
[01:31] <HymnToLife> I have this in my crontab:
[01:31] <HymnToLife> @reboot ssh-agent -s | grep -v echo > $HOME/.ssh-agent
[01:31] <bodhi_zazen> now :)
[01:31] <HymnToLife> and a   source ~/.ssh-agent
[01:31] <HymnToLife> in my .zshrc
[01:31] <bodhi_zazen> lol HymnToLife :)
[01:31] <bodhi_zazen> see, I ssh into server w/o entering a PW
[01:32] <bodhi_zazen> and look ma, no empty key :)
[01:32] <bodhi_zazen> now when I close the shell
[01:32] <ibuclaw> hehe
[01:32] <bodhi_zazen> password is forgotten :)
[01:33]  * ibuclaw is running a remote upgrade
[01:33] <HymnToLife> I also have keyon/keyoff as aliases for ssh-add
[01:33] <bodhi_zazen> if you use ssh, you should look at screen
[01:33] <HymnToLife> to just make it "forget" the passphrase in one command
[01:33] <HymnToLife> instead of exiting the shell
[01:34] <bodhi_zazen> screen allows you to run a command in the server, exit the ssh session, and the command keeps on running ;)
[01:34] <bodhi_zazen> we shall save screen for another day ?
[01:34] <kklimonda> bodhi_zazen: is your screen profile the same bundled with ubuntu screen package?
[01:35] <bodhi_zazen> here is how to use putty :
[01:35] <bodhi_zazen> http://wiki.amahi.org/index.php/Key-based_SSH_Logins_With_Putty
[01:35] <bodhi_zazen> works on windows and linux :)
[01:35] <bodhi_zazen> kklimonda: for this session it is
[01:35] <bodhi_zazen> OK, that is ssh 101 :)
[01:35] <bodhi_zazen> questions ?
[01:36] <kklimonda> i think you have answered all mine.
[01:36] <kklimonda> thanks :)
[01:36] <bodhi_zazen> np :)
[01:36] <bodhi_zazen> I think there were some additional questions ?
[01:37] <kklimonda> hmm.. weird.. i can't remove ssh key pass phase from seahorse cache
[01:37] <kklimonda> at least not from any gui
[01:38] <bodhi_zazen> I have not been a huge fan of seahorse :)
[01:38] <bodhi_zazen> yes it makes it easy, but if you want to change something it is a pain :(
[01:39] <bodhi_zazen> Any other questions on ssh ?
[01:39] <kklimonda> nope
[01:39] <bodhi_zazen> and HymnToLife I made a rsa key "just for your" , lol
[01:39] <bodhi_zazen> *you
[01:40] <bodhi_zazen> I will hold another session in 2 weeks
[01:40] <bodhi_zazen> suggestions for topic ?
[01:40] <kklimonda> about?
[01:40] <kklimonda> oh :)
[01:40] <kklimonda> hmm.. screen magic would be nice
[01:40] <kklimonda> But I won't be here probably
[01:40] <bodhi_zazen> screen would be fun :)
[01:40] <kklimonda> or maybe..
[01:40] <kklimonda> yeah
[01:40] <bodhi_zazen> other suggestions ?
[01:40] <kklimonda> I know some basics etc. but I know that screen has a lot of potential..
[01:41] <bodhi_zazen> kklimonda: http://www.pixelbeat.org/lkdb/screen.html
[01:41] <bodhi_zazen> http://blog.bodhizazen.net/linux/shared-ssh-sessions-update-for-jaunty-ubuntu-904/
[01:42] <kklimonda> thanks for this post - i'll read it later.
[01:42] <kklimonda> i was going to ask how you did it :)
[01:42] <bodhi_zazen> ;)
[01:43] <bodhi_zazen> It is a very nice, secure teaching tool ;)
[01:43] <kklimonda> exactly
[01:43] <bodhi_zazen> I had to open a few small holes to allow this session in fact ;)
[01:44] <bodhi_zazen> ibuclaw: questions ?
[01:44] <bodhi_zazen> WastePotato: you ?
[01:44] <ibuclaw> bodhi_zazen, not any from me...
[01:44] <bodhi_zazen> aww ...
[01:45] <kklimonda> bodhi_zazen: why is apparmor policy modification needed?
[01:46] <bodhi_zazen> what ?
[01:46] <bodhi_zazen> you mean why did I write an apparmor policy for the shared session ?
[01:46] <kklimonda> oh, i see - jailbash is used instead of rbash?
[01:46] <ibuclaw> bodhi_zazen, I've actually not paid a great amount of attention. Just picked up the `ssh iain@192.168.1.8`, `ssh -X iain@192.168.1.4 gui-app`, `ssh-keygen -t rsa -b 4096 -f root` and `ssh-copy-id -i ./iain.pub iain@192.168.1.8` commands and have been playing about ever since ;)
[01:47] <bodhi_zazen> nice ibuclaw
[01:47] <bodhi_zazen> jailzsh actually
[01:47] <bodhi_zazen> I can give out the guru key to members of the BT for teaching
[01:47] <bodhi_zazen> and this allows them to do a whole ton
[01:47] <bodhi_zazen> but I restrict what they can do
[01:47] <ibuclaw> since I'm behind a router, and I don't plan on port forwarding, I don't think I need to look too deep into the security side... yet. But I've learnt something today, that's for sure ;)
[01:48] <bodhi_zazen> for example, you still in the shared session ?
[01:48] <bodhi_zazen> want to see a demo of apparmor ?
[01:48] <kklimonda> no, i can login again
[01:48] <ibuclaw> kklimonda, you can break out of rbash in less than 3 seconds
[01:48] <bodhi_zazen> kk
[01:48] <kklimonda> ibuclaw: nice :)
[01:48] <bodhi_zazen> you in ?
[01:48] <kklimonda> yes
[01:49] <bodhi_zazen> see how I allow root access ?
[01:49] <bodhi_zazen> but apparmor will restrict even root
[01:50] <bodhi_zazen> :)
[01:50] <kklimonda> bodhi_zazen: btw.. there is a lot of discussion about apparmor vs. selinux - do you know what do ubuntu developers think about it?
[01:50] <bodhi_zazen> see how I restrict the access to the net w/ iptables
[01:51] <kklimonda> yeh
[01:51] <bodhi_zazen> apparmor does not allow root to turn it off
[01:51] <bodhi_zazen> he he he
[01:51] <bodhi_zazen> nor read sshd_config, let alone change
[01:52] <bodhi_zazen> so I am restricting what this machine can do on my LAN
[01:52] <bodhi_zazen> I specifically allowed access to 192.168.1.14 for this session ;)
[01:53] <kklimonda> oh :)
[01:53] <bodhi_zazen> see, apparmor blocks access to .bashrc as well >:)
[01:53] <bodhi_zazen> lol
[01:54] <bodhi_zazen> and everyone likes that command :)
[01:54] <kklimonda> this one should be default :)
[01:54] <bodhi_zazen> this shell ?
[01:54] <kklimonda> nah, preventing rm -rf / ;)
[01:54] <bodhi_zazen> preventing rm -rf /
[01:54] <bodhi_zazen> is default as of 8.10
[01:54] <kklimonda> oh? damn :)
[01:54] <kklimonda> nice
[01:55] <bodhi_zazen> but do not
[01:55] <bodhi_zazen> rm -rf /*
[01:55] <bodhi_zazen> lol
[01:55] <kklimonda> it still works? :)
[01:55] <bodhi_zazen> see ?
[01:55] <kklimonda> yes
[01:55] <bodhi_zazen> >:)
[01:55] <bodhi_zazen> shh, don't tell anyone
[01:55] <kklimonda> :D
[01:56] <bodhi_zazen> I like to see everyone's response when root is restricted by apparmor
[01:56] <bodhi_zazen> as you can see, it is not a "fake" root account
[01:56] <bodhi_zazen> uid = 0
[01:57] <bodhi_zazen> 3 min left
[01:57] <bodhi_zazen> questions ?
[01:57] <bodhi_zazen> other things to see and do ?
[01:57] <bodhi_zazen> kklimonda: you still logged in ?
[01:57] <kklimonda> yes
[01:57] <bodhi_zazen> watch this :)
[01:57] <bodhi_zazen> see that command ?
[01:58] <kklimonda> *nods*
[01:58] <kklimonda> :)
[01:58] <bodhi_zazen> see what happened ?
[01:58] <kklimonda> yup - nice feature
[01:58] <bodhi_zazen> if I am not running a shared session -> no guest log in
[01:58] <bodhi_zazen> try it
[01:59] <bodhi_zazen> my iptables rules will block you for 10 min or so, nothing serious :)
[01:59] <bodhi_zazen> go ahead, hit it 3 times or so :p
[01:59] <kklimonda> ;)
[02:00] <kklimonda> bodhi_zazen: great job with this screen setup.
[02:00] <kklimonda> It works great and looks nice :)
[02:00] <kklimonda> ok, time for my
[02:00] <kklimonda> good night everyone
[02:01] <bodhi_zazen> thanks kklimonda :)
[02:05] <bodhi_zazen> thank  you all for coming :)
[02:10] <WastePotato> o/
[02:11] <WastePotato> Damn. Missed half of it. I'll read the scrollback. :S