/srv/irclogs.ubuntu.com/2015/06/11/#ubuntu-server.txt

=== markthomas is now known as markthomas\|away
Zarathuztra\|2	anyone around that can help out?	04:14
sarnold	with what?	04:44
lordievader	Good morning.	08:09
=== Lcawte\|Away is now known as Lcawte
friendlyguy	good morning ;)	09:04
diytto	hi, i have my server set to only accept pubkey ssh connections, but my server seems to not be accpeting those connections for my user	09:08
diytto	i haven't changed anything with ssh configs, and i can still login as another user	09:08
diytto	however, this other user does not have sudo rights	09:09
diytto	any suggestions?	09:09
diytto	i am still open on an sftp connection with the server on the account i am lockedout of	09:09
friendlyguy	diytto: did you add your pubkey to authorized_keys?	09:10
=== markthomas\|away is now known as markthomas
diytto	yeah, i have had it in there since the beginning	09:10
diytto	i have always been able to log in with it	09:10
diytto	i haven't changed it in any way, yet am unable to log in	09:11
friendlyguy	kk, and you were able to connect with ssh via pubkey before? Or did you enter a password upon login?	09:11
diytto	i used pubkey previously	09:11
diytto	i have password disabled	09:11
friendlyguy	k	09:11
friendlyguy	did you change anything at all?	09:11
diytto	no	09:11
diytto	only thing i have done is copy the authorized keys to another user on the server	09:12
friendlyguy	have you tried to login to another host with this keypair? maybe something is broken	09:12
OpenTokix	diytto: what does ssh -vvvvv say?	09:12
diytto	i don't know how that would make a difference	09:12
diytto	same key works on another user	09:12
diytto	OpenTokix: i am getting nothing with that	09:13
diytto	it just tells me correct usage of ssh	09:14
friendlyguy	i think he ment to add verboooooose output to your connection	09:14
diytto	the exact same authorized keys works on a seperate account	09:14
diytto	ah okay hold on	09:14
friendlyguy	maybe you could also check your file permissions in ~/.ssh... should be 700 over the place	09:16
diytto	is there a paste tool you would prefer i use?	09:16
friendlyguy	i don't care, but maybe there are some "rules" in here for which pastebin to use	09:17
friendlyguy	...f you want to show large texts, such as errors, use the pastebin and post the URL to the paste instead.... http://paste.ubuntu.com/	09:17
friendlyguy	from: https://wiki.ubuntu.com/IRC/Guidelines?action=show&redirect=IrcGuidelines	09:17
diytto	http://paste.ubuntu.com/11695170/	09:17
friendlyguy	did you checkt the permissions?	09:18
diytto	how do i check specific permissions	09:19
friendlyguy	ls -la ~/.ssh	09:19
OpenTokix	.ssh should be 700 and files in .ssh 600	09:19
OpenTokix	btw.	09:19
OpenTokix	and owned by your user and your personal group	09:19
diytto	everything looks fine	09:20
diytto	on my end	09:20
friendlyguy	this last "Permission denied (publickey)."...	09:21
diytto	server is fine with permissions too	09:22
diytto	i am able to edit my authorized_hosts	09:23
diytto	i have an sftp connection that was open previously before this issue	09:23
diytto	no cli access	09:24
friendlyguy	could you try to use the -i (together with -vvv) option of ssh, to point directly to the right keyfile?	09:28
davegarath	diytto: the file name for the public keys is authorized_keys, not authorized_hosts	09:28
diytto	davegarath: i am using the authorized_keys file, i am tired atm	09:30
diytto	friendlyguy: let me try	09:30
diytto	http://paste.ubuntu.com/11695216/	09:32
friendlyguy	r u using selinux?	09:36
diytto	no	09:36
friendlyguy	maybe you messed that up	09:36
diytto	i am on OS X, server is ubuntu	09:36
OpenTokix	diytto: debug1: Offering RSA public key: /Users/diytto/.ssh/diyttoaws.pem	09:36
OpenTokix	I am guessing that is the problem	09:36
OpenTokix	diytto: for the -i you have to provide the full path to the key, it will not select that name of key from your .ssh dir	09:37
diytto	OpenTokix: even if i am in the .ssh dir?	09:37
OpenTokix	I think so	09:37
friendlyguy	i just found one mac user with "slightly" the same problem:	09:37
friendlyguy	...on my Mac, the file /etc/ssh_config had the line PubkeyAuthentication = no I commented out that one line, and now everything works fine....	09:37
OpenTokix	friendlyguy: that is not standard behaviour on the mac.	09:38
friendlyguy	kk	09:38
friendlyguy	I've got very little clue about macs	09:38
OpenTokix	diytto: but you might also want to check out your /etc/ssh_config	09:39
diytto	I've never had a problem with logging in before	09:39
OpenTokix	debug3: Could not load "id_rsa.pub" as a RSA1 public key	09:39
diytto	OpenTokix: i get the same thing with the full path	09:39
OpenTokix	diytto: ok, post the debug-output	09:39
friendlyguy	i though: "debug2: key: id_rsa.pub (0x7ff35b700140), explicit" is indicating the use of the keyfile	09:40
friendlyguy	maybe you could also show us some log output from the server	09:40
diytto	http://paste.ubuntu.com/11695243/	09:41
diytto	i can possibly	09:41
diytto	where is log info located	09:41
OpenTokix	debug3: Could not load "/Users/diytto/.ssh/id_rsa.pub" as a RSA1 public key	09:41
OpenTokix	There is your problem	09:41
OpenTokix	do a ls -l /Users/diytto/.ssh/id_rsa.pub	09:41
OpenTokix	oh	09:42
OpenTokix	haha	09:42
OpenTokix	now I get it	09:42
OpenTokix	=)	09:42
diytto	-rw-------+ 1 diytto staff 402 Jul 18 2014 /Users/diytto/.ssh/id_rsa.pub	09:42
OpenTokix	You are trying to login with your public key	09:42
OpenTokix	ssh -i ~/.ssh/id_rsa diytto@de.diytto.com	09:42
OpenTokix	this will work	09:42
friendlyguy	ouch	09:42
OpenTokix	haha, - so easy to miss	09:43
diytto	still denied	09:43
OpenTokix	ok, now with -vvvv and see the output	09:43
diytto	http://paste.ubuntu.com/11695253/	09:44
OpenTokix	debug3: Could not load "/Users/diytto/.ssh/id_rsa" as a RSA1 public key	09:45
OpenTokix	file /Users/diytto/.ssh/id_rsa	09:45
OpenTokix	what does that command output?	09:45
OpenTokix	do _NOT_ paste your private key	09:45
diytto	/Users/diytto/.ssh/id_rsa: ASCII text	09:45
OpenTokix	ok	09:45
OpenTokix	if you look into that file	09:45
diytto	also, this fails with a separate pubkey on my phone	09:46
OpenTokix	does it start with ----BEGIN RSA PRIVATE KEY----	09:46
diytto	if that's helpful	09:46
friendlyguy	whats still bugging me, he tols us he is able to login with this same key to another user	09:46
OpenTokix	and proc-type 4,encrypted - etc.	09:46
OpenTokix	friendlyguy: I am guessing the other user is with the aws-pem-file	09:46
diytto	OpenTokix: it does	09:46
OpenTokix	ls -l /Users/diytto/.ssh/id_rsa	09:47
OpenTokix	What does that output?	09:47
diytto	-rw-------+ 1 diytto staff 1679 Jul 18 2014 /Users/diytto/.ssh/id_rsa	09:48
OpenTokix	looks correct	09:48
diytto	the aws one is for an amazon server	09:49
diytto	fyi	09:49
friendlyguy	guessed that ;)	09:49
diytto	it's not used here	09:49
OpenTokix	yes, I guessed that to	09:49
OpenTokix	and if you do the exact same command, just switchout user@	09:49
OpenTokix	it works?	09:49
diytto	my phone has it's own pubkey and is also unable to log in	09:49
diytto	yeah	09:49
OpenTokix	ie. ssh -i /Users/diytto/.ssh/id_rsa otheruser@sameserver ?	09:49
diytto	to sb1@de....	09:49
skylite	can I enable an apache module only for one vhost?	09:50
OpenTokix	skylite: no	09:50
skylite	never? :(	09:50
OpenTokix	skylite: but you can do the handler only for one vhost	09:50
OpenTokix	skylite: so it will be effectivly "hidden" for others	09:50
diytto	OpenTokix: that works fine	09:50
skylite	so I enable a module and hide it in all the other vhosts but one?	09:51
OpenTokix	skylite: no, you enable module and add the handler for that module only to the vhost that should have it	09:51
friendlyguy	hm... you could verify if your keypair is "cool"	09:51
OpenTokix	diytto: hmmm	09:51
friendlyguy	ssh-keygen -y -e -f <private key>	09:51
friendlyguy	and compare this to your pubkey	09:51
diytto	successful connection http://paste.ubuntu.com/11695290/	09:52
OpenTokix	diytto: im guessing there is something wrong on the serverside in the authorized_keys file, or its rights	09:52
OpenTokix	lunch now, gone	09:52
skylite	OpenTokix this is a quite simple module Is that gonna work the way you suggest? https://github.com/danghvu/mod_dumpost	09:52
diytto	friendlyguy: they appear to be identical	09:53
friendlyguy	weird weird	09:54
diytto	okay, i have shell access through my znc	09:56
diytto	so i can send commands	09:56
diytto	friendlyguy: only the last user i added to the server i am able to log in to	10:00
diytto	i am afraid i must go to sleep. it's 4am here. i will try to figure this out more in the morning	10:03
diytto	thank's for the help you've provided	10:03
friendlyguy	youre welcome	10:03
friendlyguy	gn8	10:03
friendlyguy	ist sdc denn wirklich "sdc"	10:05
friendlyguy	oh, sry... wrong window	10:05
friendlyguy	hmmm :) maybe one can help me to debug my server a little further... there is a "issue" which is driving me crazy. when i first start my server i can see the post until grub is supposed to start. -> thats when my monitor goes blank. IF i restart it (using ctrl-alt-del) i can watch the POST and grub appears	10:07
friendlyguy	AND, if i need to reboot again: i'll get a blank screen opposed to grub. hit ctrl-alt-del again, wait for the post stuff... and grub is there again	10:08
friendlyguy	precisely every 2nd "attempt"	10:08
OpenTokix	skylite: mod_audit already does that for you	10:33
skylite	OpenTokix thx I'll try that one ... already trying with mod_dumpio	10:34
OpenTokix	skylite: http://dev.prositen.com/wp/log-post-data-with-apache/ <--- there you have how mod_security does it.	10:35
skylite	thx a lot	10:35
OpenTokix	skylite: and then you add the Secrules in your vhosts	10:35
OpenTokix	skylite: my collegues site =)	10:36
skylite	OpenTokix great writing thx it works :)	10:50
OpenTokix	skylite: I forwarded your thanks to my collegue	10:52
rbasak	dannf: thanks for the memory corruption fix for MySQL. Any opinions on me pushing this to Debian too? I'm working on Debian mysql-5.6 right now.	11:14
* rbasak goes for a walk/lunch while stuff builds		11:15
=== DenBeiren is now known as zz_DenBeiren
=== wickedpuppy2 is now known as wickedpuppy
=== strikov is now known as strikov-lunch
dannf	rbasak: yeah, i'd definitely +1 applying it to debian	14:12
rbasak	dannf: OK, thanks!	14:12
dannf	rbasak: also, i'd like to get it sru'd back to trusty - should i just go ahead and upload backports?	14:13
rbasak	dannf: that's fine - go for it.	14:14
=== athairus_oops is now known as athairus
=== strikov-lunch is now known as strikov
friendlyguy	anybody got some experience with zfs dedup? i'd like to turn on dedup for a relative small pool ~ 2t where I'm going to store vm backups. i read that dedup takes 1-2 gb ram per tb in pool, so here max 4gb. I've got 16gb ram sitting in this machine, so looks good to me. BUT, I read on the german ubuntu wiki to "NEVER" turn on dedup.	15:01
=== cps0_ is now known as cps0
ogra_	kickinz1, my ownclöoud snappy install constantly pops up an upgrade warning, are you working on a 8.0.3 snap ? (or is anyone)	15:09
=== ideopathic_ is now known as ideopathic
kickinz1	ogra_, no	15:28
=== BrianBlaze420 is now known as help
=== help is now known as LLcoolBERRY
=== LLcoolBERRY is now known as BrianBlaze420
ogra_	kickinz1, well, it would be nice to have that upgraded somehow ...	15:40
kickinz1	ogra_, yes planned around next week.	16:10
ogra_	kickinz1, awesome, thanks :)	16:10
ogra_	if you need a tester, just ping me :)	16:10
kickinz1	ogra_, Ok, I'll do!	16:11
squisher	rbasak, another look at bcache-tools please... someone already spotted a bug :)	16:27
squisher	it's again rather trivial changes	16:27
rbasak	squisher: that looks fine. Is that two separate fixes in one commit or are they related to the same issue?	16:30
rbasak	squisher: and does piuparts pass now?	16:30
squisher	rbasak, hm, yeah, they should probably be separate	16:31
squisher	I'll check piuparts, but I tested it in pbuilder	16:31
rbasak	squisher: "Fix dracut" isn't really helping me. Maybe describe what you're fixing and why?	16:31
rbasak	(well, clearly you're fixing "dracut", but I mean the actual problem you're fixing)	16:32
squisher	rbasak, hmm, I wonder how I can fix that now with the gbp workflow	16:32
rbasak	squisher: don't bother rebasing, it's not worth it. So just add extra commits fixing up the changelog for this time I guess.	16:33
squisher	rbasak, yeah, I agree. I should be more careful with my descriptions (basically dracut wasn't working at all before, I was just being lazy)	16:33
=== braderhart_ is now known as braderhart
Gregor3000	why is the check disk failing and reports corrupted files? i tried 3 different USB image burners - 1. Unetbooting in windows, LinuxliveUSB in windows and startup disk creator in linux. every time checking of disk reported error. despite the fact that md5sum matches, i've tested also USB it has no errors in readin & writing.	16:58
squisher	rbasak, I'll have to fix that later. I don't really like the gbp changelog handling, but on the other hand I would like to automatically generate the changelog :-\	16:59
Gregor3000	i also can not proceed with installer - it stops at 33% when formating /. i have preexisting software RAID1 that holds /swap and /var/log /data	16:59
squisher	Gregor3000, the md5sum of the downloaded image I assume?	17:00
squisher	I'd run memtest over night	17:00
Gregor3000	correct - miniiso or server - it's not memorry as i cretaed and booted the image on different PC's	17:02
Gregor3000	in the end it said it can't even detect the image (eventhough it was botoing from it and running other programs on it)	17:06
Gregor3000	hwo do i report bug with installer? also when reporting it do i add pictures? or what?	17:13
Gregor3000	sorry how	17:13
diytto	Hi, I was here last night with my issue if anyone saw it. Basically my server has locked me out from ssh. It is refusing my pubkey auth on my account, even though I have used previously. I can access a different account on the same server with the exact same authorized_keys, but not my personal account. Any ideas?	18:15
diytto	My account has sudo access, while the account i am able to access does not	18:16
sarnold	diytto: check permissions on your ~/.ssh and ~/.ssh/* files	18:20
sarnold	diytto: the sshd is very picky about e.g. too-wide group write support or files owned by the wrong user	18:20
diytto	permissions are fine, we went over them last night	18:20
diytto	that was the first thing we went over last night :(	18:21
sarnold	hehe nice :)	18:21
sarnold	is there anything in the logs?	18:22
diytto	where can i find the logs on the server	18:23
lordievader	diytto: /var/log/ (from there you want auth.log and the syslog)	18:24
diytto	alright let me take a look	18:24
diytto	well this is a problem	18:25
diytto	i can't read the logs	18:25
sarnold	can you su, sudo, or login, to the account that can read the logs?	18:26
diytto	no	18:27
diytto	unless there is a way to login without sudo	18:27
lordievader	diytto: He means to your user account with sudo powers.	18:27
diytto	no, that is the account i am locked out of	18:27
lordievader	diytto: Your ssh is locked, not local login, right?	18:28
squisher	afaik ubuntu doesn't use wheel for su, right? So you should be able to su into your sudo-able account if you know your local password	18:28
diytto	just ssh is locked	18:29
squisher	diytto, that's probably what lordievader is talking about too :)	18:29
squisher	then you shouldn't have a problem :)	18:29
lordievader	Yes, su'ing into the 'locked' account.	18:29
diytto	ah okay	18:29
diytto	i wasn't aware i could do that	18:30
diytto	okay i am in	18:30
lordievader	diytto: Then read the logs.	18:30
diytto	it looks like permissions for my home directory are wrong?	18:34
squisher	I guess if your home dir is 777 then other people could change the perms of your ~/.ssh dir	18:34
diytto	i am the only one on the server	18:36
lordievader	Still, sshd doesn't like that.	18:36
squisher	hm, I may be wrong on that, but anyway, what lordievader said	18:37
lordievader	As sarnold said, sshd is very picky.	18:37
diytto	i never changed that though, and I've never had an issue logging in previously	18:37
diytto	home dir perms drwxr-xr-x 8 sb1 sb1 4096 Jun 11 01:55 diytto	18:38
squisher	diytto, that's not 777 - you should paste the error from the logs	18:38
diytto	drwx------ 2 diytto diytto 4096 Jun 11 04:04 .ssh	18:38
sarnold	sb1 vs diytto??	18:39
diytto	oh wow i missed that	18:39
diytto	that fixed it	18:40
diytto	wow	18:40
diytto	i have no idea how that happened	18:40
squisher	`history \| grep sb1` ;-)	18:41
diytto	thanks so much guys	18:42
diytto	i never would have found that issue	18:42
sarnold	all sorted?	18:42
diytto	yep, thanks	18:43
sarnold	sweet :)	18:44
shirgall	Hrm, the openssl update seems to have no changlog other than the Debian one.	18:49
sarnold	shirgall: what are you looking at? it should be quite extensive: https://launchpad.net/ubuntu/+source/openssl/+changelog	18:50
shirgall	This -> /usr/share/doc/openssl/changelog.gz has a link to ../libssl1.0.0/changelog.gz which is missing	18:51
shirgall	But, the main thing is that it looks like logjam vulnerability, fixed in 1.0.1n, is not yet integrated, that's what I was trying to determine.	18:53
sarnold	OH!	18:54
sarnold	I see, you're actuyally talking about the changelog.gz file. feel free to ignore that. what you want is the changelog.Debian.gz file	18:54
shirgall	Yeah, it just surprised me that there was a dead link in openssl	18:54
shirgall	At any rate, i was looking for CVE-2015-4000 and didn't find it	18:56
friendlyguy	hmmm. quick question: i've installed htop, but i don't get any percentage numbers of core / ram usage	18:56
=== NomadJim_ is now known as NomadJim
mdeslaur	shirgall: the CVE-2015-4000 is actually about the TLS flaw, I didn't use it in the openssl updates. WIth the last openssl update, the export ciphers were disabled, and today's update rejects shorter than 768 dh params.	18:58
mdeslaur	shirgall: do if you install today's openssl update, you're all set with the logjam mitigations	18:58
shirgall	mdeslaur: yeah, i poked in gnutls, but while I was looking around, I noticed the dead line	18:58
shirgall	link	18:58
shirgall	mdeslaur: ok, cool, thanks	18:59
friendlyguy	is there a way to install mate-core with gdm or lightdm on a ubuntu server? (without actually installing stuff like evolution-server and crap)	19:50
sarnold	friendlyguy: apt-get install the specific leaf packages you want, they ought to drag in whatever they need	19:52
=== Lcawte is now known as Lcawte\|Away
=== pgraner is now known as pgraner-afk
=== Lcawte\|Away is now known as Lcawte
mitfree	I have been using apt to update my 14.04 VPS and now my /boot is full. I've been unable to update. What is the right way to keep my /boot nice and clean?	20:57
hexch	mitfree: clean up boot	21:05
hexch	remove unused kernel.	21:05
RoyK	next time, use a larger /boot	21:05
RoyK	using 200 megs or so for /boot is nonsense	21:05
RoyK	and as hexch said, clean up old stuff	21:06
mitfree	https://img.bi/#/mOFiH0x!YtDlPwylaNEQyiyvgAwkhpoAUTBOpAGqgQlgXood	21:06
sarnold	RoyK: didn't you have a nice short command last time this came up, something that looked way simpler than my usual method?	21:06
RoyK	sometimes you can't remove old kernels easily because of a full filesystem - if so - "> whateverfileyouwanttotruncate" and start over	21:06
mitfree	The image is from cloud at cost, so I didn't choose the size. I'm also having trouble with /tmp	21:07
RoyK	sarnold: if you remove the file, apt will get angry - if you just truncate the file, it'll remove it easily	21:07
=== markthomas is now known as markthomas\|away
RoyK	sarnold: truncate the file with something like "> /boot/thatfile" and do apt-get purge "thatpackage"	21:08
mitfree	I posted the results of df -h	21:09
RoyK	mitfree: tune2fs -m 0 /dev/sda1	21:09
RoyK	mitfree: but remove the old kernels	21:09
sarnold	RoyK: I hadn't heard that about the truncation! that'll save a ton of effort :)	21:09
RoyK	sarnold: we all learn along :)	21:10
mitfree	what do you mean by truncate exactly? is that just changing the file name or actualy editing the file by deleting parts of it.	21:11
RoyK	mitfree: just removing its contents	21:11
RoyK	mitfree: setting filesize to zero	21:11
mitfree	intersting idea, I honestly hadn't thought of that.	21:12
RoyK	mitfree: just don't truncate the live kernel	21:12
_piggy_	Just did a new install of server 14.04. apt-get update says that kernel for utopic (not trusty) is being held back. Any ideas?	21:12
_piggy_	uname -a shows 10.04	21:13
_piggy_	bah 14.04	21:13
_piggy_	Just tested on another 14.04 and it does not show utopic	21:14
RoyK	never had that issue	21:15
_piggy_	Ya. Me neither. Starnge	21:16
_piggy_	Strange that is. One of those days...	21:16
tarpman	_piggy_: run apt-get update and check again. yesterday I had some kernels held back because the metapackages showed up in the archive before the actual kernels did, but all has been ok today	21:17
_piggy_	tarpman, will do thanks. BRB	21:17
tarpman	_piggy_: regarding utopic vs trusty, servers installed from 14.04 or 14.04.1 media will have the trusty (3.13) kernel, servers installed from 14.04.2 media will have the utopic (3.16) kernel	21:18
_piggy_	tarpman: That's the instll media I used. Any idea for change? Repositories show trusty too.	21:20
_piggy_	tarpman: I assume it will be ok to proceed then?	21:20
tarpman	_piggy_: I don't understand "Any idea for change?", sorry	21:21
tarpman	_piggy_: there's no need to downgrade unless something is broken, if that's what you mean	21:21
_piggy_	tarpman: Thanks. You have been a good help. I will see if I can figure out why the kernel change happened. Thanks!	21:22
=== markthomas\|away is now known as markthomas
shirgall	_piggy_: you can learn more about the kernel changes here: https://wiki.ubuntu.com/Kernel/LTSEnablementStack	21:57
=== zz_DenBeiren is now known as DenBeiren
_piggy_	shirgall: Thanks. Saw that not long ago. Thanks for posting.	22:34
=== utlemming is now known as utlemming_away
=== CiPi is now known as cipi

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!