=== Lcawte is now known as Lcawte|Away
[00:04] sarnold, teward: ssh-keygen -t rsa -b 4096
[00:04] these files were generated: http://pastie.org/10517125
[00:04] which do I copy to the remote server?
[00:05] jak2000: id_rsa.pub
[00:05] jak2000: you'd save it as ~/.ssh/authorized_keys
[00:06] jak2000: normally you want to append these public keys to the authorized_keys, to keep any that you already have stored there
[00:06] in the remote server?
[00:06] jak2000: the ssh-copy-id program automates this
[00:06] jak2000: yes
[00:06] ok
[00:09] sarnold, create the file without password right?
[00:09] if you don't want to provide a password then yes
[00:09] jak2000: yeah, for automated backup systems that's probably best
[00:09] i have a few ssh keys that i use for passwordless autosyncs of data :)
[00:10] jak2000: you can jump through some hoops to run an ssh-agent that works for cron, but it's a big hassle.
[00:10] isn't it dangerous?
[00:10] without password?
[00:10] slightly dangerous, yes
[00:11] but your id_rsa key is mode 600 in a directory that is mode 700 -- it's a bit safer than a password in a shell script in /usr/local/bin :)
[01:43] Hello
[01:46] Are there people who know about changing the graphics driver? I work on ubuntu 14.04 and I run on driver i915
[01:53] but the real driver for my hardware is the i965, I have downloaded and set up the i965 package from debian jessie. All dependencies are successful
[01:54] I would like to know if modprobe works to disable and enable it after a reboot of the system?
[01:57] sallon: if you need to load a module after every reboot, /etc/modules or /etc/modules-load.d/ might help you
=== markthomas is now known as markthomas|away
[02:01] sarnold yes I know but I would like to confirm whether a dev or user has had success with ubuntu 14.04
[02:01] sarnold yes I know but I would like to confirm whether a dev or user has had success with ubuntu 14.04
[02:04] sarnold thank you for your time reading
[02:06] anyone know how to get /usr/bin/beep to work from a udev script?
[02:07] It works just fine when I run the script manually. The script runs just fine when run by udev, but it fails to beep the PC speaker.
[02:14] nbros652: modprobe pcspkr and try again?
[02:15] I believe if that's not loaded, 'beep' will default to just echoing ^G to the terminal, which does the traditional beep - but won't work if the parent process doesn't own a terminal
[02:21] nbros652: failing that, man beep and check out the section 'ioctl wackiness', there's a run-down on what conditions have to be met for beep to be allowed
[02:21] did that in the script. It works just fine and beeps when I run the script manually.
[02:22] shauno: ^^
[02:39] shauno, I can't find any clear reason why it's not beeping when run by udev. I even changed the permissions on /usr/bin/beep to allow everyone to beep. It still fails to beep when run by udev while manually running the script produces a beep.
[03:12] shauno, it's working now. I didn't make any changes. It just went from not working to working, I'll take that as a win. I just wish I knew what changed.
[03:13] yeah, it'd be nice to know. but the system bell is a very weird beast, being still handled by the tty for reasons that are older than either of us
[03:19] shauno, okay, this is strange. It consistently beeps on some USB sticks but not others! Any thoughts on that one?
[03:20] Perhaps the script is not running on the insert of certain usb devices
[03:20] none at all. that'd be squarely in udev's court, which I'm still unfamiliar with
[03:20] okay, thanks.
[03:21] strange... it is running. I can see the USB get mounted and unmounted... I guess I'll just have to play around with it and see if I can figure out what's going on.
[04:39] sarnold? are you there?
[05:52] i am trying to copy a file from server1 to server 2: http://postimg.org/image/5e385aizd/ with ssh-keygen -t rsa it can't, i do: 1) in server 1, typed: ssh-keygen -t rsa, generated 2 files in /home/jak/.ssh: id_rsa and id_rsa.pub, 2) next step, i do: cat /home/jak/.ssh/id_rsa.pub and copied the content to server 2 into: /home/jak/.ssh/authorized_keys then server1 file /home/jak/.ssh/id_rsa.pub is the exact same as server2: /home/jak/.ssh/authorized_keys. i do this command: rsync -avzP /backup/tari.sql jak@domain.noip.me:/home/jak/sql/ it asked something yes/no, typed yes, and then asked me for jak's password, typed it correctly, and the file was copied, reran the rsync command again and again it asks me for a password, what am i doing wrong? thanks
=== cpaelzer_ is now known as cpaelzer
[07:26] NSS can't resolve local hosts using their FQDN, what could be wrong? dig/host can resolve normally but not e.g. ping/firefox
[07:42] noregret: what order is the 'hosts' setting in /etc/nsswitch.conf ? maybe mdns is getting in first?
[07:46] TJ-: hosts: files mdns4_minimal [NOTFOUND=return] dns
[07:48] noregret: So possibly mdns4_minimal is answering first, especially likely if the domain is .local
[07:49] TJ-: it is .local
[07:49] TJ-: how can i check mdns4 ?
[07:49] TJ-: btw, the configured dns servers on my machine are a local one and google's
[07:50] so could it be using google's to resolve those?
[07:50] noregret: see "man nsswitch.conf"
[07:50] can I configure priority ?
[07:51] noregret: the order of services is first-come, first-served, so if mdns4_minimal answers for .local and says NXDOMAIN (in DNS speak) then dns will never be tried
[07:53] TJ-: sorry but i don't know what mdns4_minimal is, is it also a "minimal" dns server?
[07:55] noregret: it's serviced by the package "libnss-mdns"
[07:55] !info libnss-mdns
[07:55] libnss-mdns (source: nss-mdns): NSS module for Multicast DNS name resolution. In component main, is optional. Version 0.10-6 (wily), package size 20 kB, installed size 125 kB
[08:13] TJ-: where can I configure it?
[08:14] noregret: configure what?
[08:15] TJ-: libnss-mdns package, could it be reading an incorrect dns? (only google's)
[08:16] noregret: I already told you, see "man nsswitch.conf"
=== cz2 is now known as ntoskrnl
[10:56] hi
[10:56] anyone has a checklist for lsi megaraid cards/perc cards ?
[10:56] i have a server going at 1mb/s
[11:47] pascal: Which checklist?
[11:50] stgraber: http://askubuntu.com/questions/691860/how-to-upgrade-lxc-container-after-do-release-upgrade-to-wily
[11:51] stgraber: run do-release-upgrade inside the container I presume? I've not actually tried this though. I know dist-upgrade would work.
[11:51] dist-upgrade doesn't upgrade releases.
=== Lcawte|Away is now known as Lcawte
[12:52] Hello, I want to install php, which version should I install?
[12:53] !info php | atralheaven_
[12:53] atralheaven_: Package php does not exist in wily
[12:53] Yay :)
[12:53] ...?
[12:53] !info php5 | atralheaven_
[12:53] atralheaven_: php5 (source: php5): server-side, HTML-embedded scripting language (metapackage). In component main, is optional. Version 5.6.11+dfsg-1ubuntu3.1 (wily), package size 1 kB, installed size 10 kB
[12:53] is php5 the last version?
[12:54] Which version do you need?
[13:13] bekks: I don't know, that's why I asked
[13:14] which version is the regular version?
[13:14] atralheaven_: Then what's your actual goal?
[13:14] What do you need php for?
[13:15] wordpress, mainly
[13:16] I have not worked with php before
[13:16] Then you'll be fine with the version in the ubuntu repos.
[13:17] bekks: you mean php5 package? because there is no php package
[13:17] Yes.
[13:18] bekks: just for knowing, what's the last version? I think there is a php7 but it's still under development, right?
[13:18] www.php.net tells you about the last version out there. Just use the version available from the Ubuntu repos.
[13:19] bekks: I installed php5, Thanks :)
[13:21] bekks: it seems that php7 will be out about two weeks later
[13:22] bekks: I will ask my other questions on #php
[13:27] how can I install "mod_rewrite apache module" on ubuntu server 14.04
[13:28] a2enmod mod_rewrite
[13:30] hateball: "ERROR: Module mod_rewrite does not exist!"
[13:32] it's a2enmod rewrite
[13:32] yes, my bad
[13:33] Thanks :)
[13:33] :)
=== Lcawte is now known as Lcawte|Away
[15:05] what's the difference between the ubuntu and ubuntu-cloud LXC images?
[15:05] Technically they are different templates, not images.
[15:05] The "ubuntu" template builds you a rootfs using debootstrap.
[15:05] The "ubuntu-cloud" template uses cloud images.
[15:06] With the latter you get a cloud-init based system, with the former a more "traditional" system.
[15:06] For most things it should make little difference except that the latter is much quicker.
[15:06] (to create)
[15:13] yeah, meant templates, sorry. So the major difference is the init system?
[15:15] @ rbasak
=== CiPi is now known as cipi
[15:20] phre4k: I guess so. Perhaps the set of default installed packages too, and some other minor configuration pieces. Note that the "init system" as in upstart or systemd is the same. cloud-init adds on to either.
[15:22] "ubuntu-cloud" will get you an environment much closer to what you'd get on an OpenStack VM, Amazon EC2 instance, etc.
[15:22] Or Ubuntu deployed with MAAS.
[15:22] "ubuntu" will get you something close to what the server installer does.
[15:22] If you install from CD image.
[15:42] aaah ok, thanks for clearing that up. Using the cloud template :)
=== beck is now known as designbybeck
=== genii is now known as zombiegenii
[15:53] why can't I create a LXC container with -r wily? It seems that it didn't find the release...
=== zombiegenii is now known as genii
[15:55] hello community. I have a question for you. I have to set up a server at a company, I don't want them to mess with my code but they change network settings very often, so I need to let them access the server to change that, is there a way that I can create a user that can only change the network settings and maybe ping or something like that?
[15:56] herrkin: how do you want them to change the network settings?
[15:57] with networkmanager, editing /etc/network/interfaces, ...?
[15:57] herrkin: on a server only root can change network settings by default. You can write a wrapper and then configure sudo to provide a particular user access to run only your wrapper as root.
[15:57] herrkin: Create a user for that and then give them access to a specific application in the sudoers file
[15:57] Yeah basically what genii said - same thing :)
[15:58] ok honestly I haven't used networkmanager so I use the /etc/network approach
[15:58] Note that wrappers are finicky to get secure.
[15:58] So I wouldn't rely on them for strong security unless you really know what you're doing.
[15:58] ok now I am confused
[15:58] how do I do it?
[15:59] But if they have physical access then they have root anyway.
[15:59] why?
[15:59] if they have physical access there is a log in screen
[15:59] There's also a box with screws on it.
[15:59] no root unless you log in as root
[16:00] And a BIOS that lets me boot something else to reset the root password with
[16:00] (or just change the kernel boot parameters)
[16:00] not if I have the encrypted partition
[16:00] I think
[16:00] What if they lose power? They can't use the server until you come in and type the decryption password?
[16:01] What if you get hit by a bus on the way in to do that?
[16:01] so there is no way to deny access to root?
[16:01] And even then I could trojan the password prompt.
[16:01] Google "evil maid attack".
[16:01] Not if they have physical access.
[16:01] And if they know what they're doing.
[16:01] found the solution to my LXC issue: you have to do lxc-create -n name -t ubuntu-cloud -- -r wily (note the double dashes)
[16:01] And they want to get root.
[16:02] that's bad, I thought there was a way to deliver a secured box so that no one could log in and even if they wanted to get access to the partition it was encrypted
[16:02] herrkin: do you know a scripting language, e.g. python? Install python, write a small script which can change the network settings and only give them the right to exec that particular script
[16:03] why don't you trust the company? They shouldn't trust you
[16:03] either you install them a black box or they can configure it. Just charge them to change the network settings. They shouldn't do that anyway.
[16:03] phre4k: the problem is that I could add an "up" line in the /etc/network/interfaces file I give to the Python script, for example, and then I have root.
[16:04] phre4k: so everything needs to be sanitized and that is non-trivial to explain on IRC :)
[16:04] rbasak: that's why you don't specify free-form variables, you only ask for IP and mode and whatnot. They don't need up/down scripts.
[16:04] herrkin: You can lock out root password login and only make it by ssh with key. Then the machine is effectively locked out except from another box with an acceptable key where you could re-enable password
[16:04] herrkin: why do you want an unprivileged user to be able to create a network interface?
[16:04] rbasak: but yeah, your point is valid as f**k
[16:04] phre4k: my IP address is "10.0.0.4\n\tup ..."
[16:05] phre4k: just ask my friend Bobby Tables. He knows all about this type of thing :)
[16:05] TJ-: that's what I ask myself too
[16:05] rbasak: haha, classic xkcd reference
[16:05] see, the companies always want to make an excuse to keep the code. I don't want that.
[16:05] the normal excuse is that they need to change the ip address because of whatever reason
[16:05] herrkin: best thing to do then is run the server somewhere else where you have control of it.
[16:05] ^
[16:06] so if there is no network I can log into I can't configure it myself
[16:06] herrkin: sounds like they need a DHCP server. Allows them to change network settings on all of their network at once as they wish.
[16:06] herrkin: DHCP
[16:06] so I have to do something so that they can change it themselves without letting them touch the code
[16:06] if there is no network, they have to call you in and you have to fix it. For moneys.
[16:07] yeah that's off topic, I work nationwide in venezuela.
[16:07] so it is inefficient that they have to wait for me.
[16:07] I cannot imagige NOT using DHCP for this kind of situation
[16:07] s/imagige/imagine/
[16:07] me too. but they are always doing these things.
[16:07] DHCP static reservation; sorted
[16:08] I can manage the server because they do intranet. it's not an internet service.
[16:08] herrkin: sell them some consultancy on configuring DHCP :)
[16:08] so the service has to be on their premises
[16:08] tell them they have to fire their current network admin if he can't figure out something this simple
[16:08] (or she)
[16:08] (or it)
[16:08] ^
[16:08] ok lol
[16:08] just leave the ip as it is
[16:08] period
[16:08] lol
[16:08] or this
[16:09] herrkin: or you could be sneaky and make the password the required IP address :D
[16:09] whyever they don't know that fancy thing called "hostnames"
[16:09] TJ-, I don't know what you mean
[16:10] actually... I can picture a pam_user_to_ip module that looks for a username of the form ip:A.B.C.D and assigns it :D
[16:10] As a bonus you'll have a list of IP addresses they have used in /home :)
[16:10] LOL
[16:10] I am installing a box, I am at the company, they have changed the ip like 3 times because of problems of access
[16:10] that's a very annoying thing.
[16:11] they have the dns disabled for now
[16:11] DHCP has to be the answer
[16:11] herrkin: who owns this PC, you or your customer?
[16:11] they
[16:12] herrkin: you can't really deny them access then if they want it
[16:12] but the contract says we manage it. they can't access it.
[16:12] while we are in contract. if they want to leave it then they can.
[16:12] herrkin: I was going to suggest installing a small, cheap router in front of it that they can access the web console of, and then have 'your' box take an IP from the router :)
[16:12] TJ-, that seems like a good ide
[16:13] idea
[16:13] to eliminate that problem
[16:13] herrkin: that way the router just does NAT from their IP to the known static IP subnet the 'box' is on
[16:13] yeah
[16:13] so there is no touching the console at all.
[16:13] herrkin: although, then you have the problem of controlling what they can change in the router!
[16:13] herrkin: but yes, that stops them needing login access to the 'box'
[16:14] they can do whatever they want with that. I think that is not a problem.
[16:14] as long as they don't screw the nat
[16:14] herrkin: precisely; you could exchange one set of issues for another :)
[16:15] herrkin: although, if you choose the router carefully so it runs something open(wrt) like, you could provide a modified unprivileged log-on which only allows entering the router's 'WAN' side IP
[16:17] herrkin: another option... on the 'box' itself, install your own software in a VM guest, then they can log in to the host, change its LAN-side IP. NAT/bridge host/guest and they can change the IP but can't mess with the encrypted guest nor need its password
=== markthomas|away is now known as markthomas
[16:22] something like a docker container_
[16:22] ?
[16:22] I thought of that
[16:23] LXC possibly
[16:24] or KVM for a full guest. That way you could keep an identical copy on your premises, modify it, and ship revisions easily, too
[16:25] good, I have to look that up.
[16:26] Xen is also an option for the hypervisor, with ubuntu in dom0, and your application in a guest in domU
[16:27] I guess lxc is better than kvm, for it doesn't emulate hardware. it's faster, uses less resources as I have seen.
[16:28] herrkin: buy a Ubiquiti EdgeRouter, they're "cheap" and have pretty extensive features
[16:29] TJ-: if they can login onto the host, they have access to the guest, even if it's encrypted. You could however route only the interfaces file through to an LXC container
[16:29] and then they logon to the container
[16:29] All in all I think a front-router would solve the issue easiest
[16:31] or I could make it a web service. phre4k I can make for example node.js change those settings
[16:32] there is no need to log on to the system.
[16:34] herrkin: do they change their sub-net? what network changes do they make that need the PC IP address to change?
=== Lcawte|Away is now known as Lcawte
[16:37] herrkin: yeah, it's an idea
[16:37] but still, suggest they fire their network admin
[16:45] TJ-: I also am curious why they need to change their IP all the time, sounds a bit fishy
[16:46] genii: makes you think 'ulterior motive'
[16:47] * genii makes more coffee
=== ntoskrnl is now known as cz2
=== cipi is now known as CiPi
=== Lcawte is now known as Lcawte|Away
[18:43] hi all. question. adding ubuntu to AD following https://help.ubuntu.com/lts/serverguide/sssd-ad.html resulted in the server being added, however, it was added without the windows admin needing to enter a username and password. pretty strange. most times when adding windows laptops to AD, an admin needs to type username and password, but when adding ubuntu server to our domain, it was not needed?
[18:43] anyone else experience this?
[18:53] hello. I have a virsh/kvm/qemu virtual disk in qcow2 format. It's 6.7 gigs. I have to convert it to vmdk to send to the windows guys, and it goes from 6.7 gigs to 27 gigs when I convert using qemu-img convert. Is there an option that I can specify so that the size doesn't grow out of control?
[18:56] toyotapie: you could try compressing it afterwards; if you're lucky the difference is largely filled with zeros...
[18:56] toyotapie: or, you could send your pals an ubuntu ISO image and tell them how to use qemu-img themselves? :)
[18:56] that'd still be ~23 gigabytes smaller, hehe
[18:57] Yea, but even my ubuntu users use virtualbox which doesn't recognize qcow2.
[20:20] Hello, I want to set up PPTP vpn on my VPS, in the "/etc/pptpd.conf" file there is "localip" and "remoteip", what should I use for localip? server ip or 192.168.0.1? and I don't know what my clients' IP would be, what should I do for that? Thank you
[20:20] btw, https://help.ubuntu.com/community/PPTPServer
[20:25] atralheaven_: just don't use pptp
[20:25] atralheaven_: openvpn is vastly better and more secure
[20:26] RoyK: I know, I have OpenVPN already set up
[20:26] RoyK: I need to have PPTP too
[20:27] atralheaven_: pptp is defined in RFC 2637 from 1999, written by Microsoft, and has status as "informational". It's not secure, not by far
[20:27] when something doesn't even get into the standards track, stay away
[20:28] RoyK: I'm aware of this but I really have to, may you help me get this done?
[20:28] I don't think I've set up pptp for 10+ years, sorry
[20:29] RoyK: may you take a look at "https://help.ubuntu.com/community/PPTPServer" and tell me what you think about the "localip" and "remoteip" part?
[20:30] atralheaven_: not sure, but I guess the remoteip part is about what addresses to hand out in a dhcp fashion, where the localip is the ip given to the local server's virtual nic
=== genii is now known as zombiegenii
[20:44] RoyK: Have you worked with l2tp?
=== zombiegenii is now known as genii
[20:46] atralheaven_: just for testing. usually it's problematic in terms of low-end gear that doesn't allow for other protocols than udp/tcp
[20:47] RoyK: I'm trying to set up this too, OpenVPN was the best...
[20:50] openvpn just uses https, so it will work with all sorts of cheap NAT stuff
=== genii is now known as zombiegenii
[21:07] May someone please test my openvpn? I can't connect to it but everything seems to be fine, I thought it could be from country firewalling. I can give the .ovpn file, I want to see if you can connect to it
=== zombiegenii is now known as genii
=== genii is now known as zombiegenii
=== zombiegenii is now known as genii
[23:34] Hi, when applying security updates to Apache, is the Apache version number supposed to change?
[23:34] soulisson_: version number as reported where/how?
[23:36] tarpman, reported by Apache
[23:36] why would it
[23:36] it's still the same version, just with a backported security fix
[23:37] (the package version changes though, it gets a suffix bump for the .1 suffix)
[23:37] I'm really new to this, what does it mean to be backported?
[23:37] the fix gets taken from the newer version and added to the one that is in the release
[23:38] to add to that, some people oppose including the exact package version in the apache version reported over the internet, because bad people could use that to decide which attacks to attempt on you
[23:39] ogra_, ok, so when a vulnerability is found in Apache, Apache releases a new version of its product?
[23:40] they release a fix to the vulnerability ... most likely for the most recent version
[23:40] and then that fix is applied to the older version, if possible
[23:40] right
[23:41] ogra_, RoyK, ok, I see
[23:41] not all fixes are backportable, some are design changes, but most fixes get backported
[23:42] well, security fixes usually get backported :)
[23:43] ogra_: my point, but some issues may need to be fixed by design changes
[23:43] yeah
[23:43] and some depend on newer features
[23:44] ogra_: with RHEL, we see that with cryptography changes, where redhat doesn't backport the changes to take out weak ciphers or methods or hashes. I'm not sure how that applies to debian/ubuntu
[23:44] heh, me neither, you have to ask the security team :)
[23:45] * RoyK dislikes working with redhat systems - no such thing as a do-release-upgrade
[23:46] though i think highly insecure ciphers would surely be dropped
[23:46] heh
[23:46] Does Ubuntu Server provide the latest releases or does it only backport the fixes?
[23:46] * ogra_ looks forward to snappy on servers ...
[23:46] soulisson_: only fixes are backported
[23:47] soulisson_: if you want the bleeding edge, use 15.10
[23:47] i just upgraded my laptop to wily ... 2h wasted ... snappy could do it in 30min
[23:47] ogra_: Did you try it using snappy?
[23:47] ogra_: heh - running on spinning rust?
[23:47] old XPS13 ... but slow internet (2MBit)
[23:48] * RoyK uses spinning rust for large data and loathes it for everything else
[23:48] bekks, nah, but i know that snappy has no separate packages and no maintainer scripts ... upgrading package by package (and coordinating all the interactions) is awfully time consuming
[23:49] RoyK, Ok, so for instance if my server comes with let's say Apache 2.4.16, the Apache version will stay the same but the fixes will be applied
[23:49] ogra_: If snappy has no separate packages - it wouldn't work I guess :)
[23:49] a snappy desktop would perhaps consist of 100 packages ... and have no delay for package configuration
[23:49] ogra_: It has separate packages, but a different package management system.
[23:49] whereas my laptop upgraded ~2500 packages, downloaded each of them and configured each of them
[23:50] bekks, i know, i work on it ;)
[23:50] :P
[23:50] the point is that snaps have more bundled in them ...
[23:51] soulisson_: right
[23:51] and no delay after install ... they just get dumped in place ...
[23:51] RoyK, ok, thanks for the help
[23:52] soulisson_, if you need to check if a certain security hole was fixed, http://www.ubuntu.com/usn/ has all the links to the respective trackers and info pages
[23:53] ogra_, thanks