mkoninckxHey guys, having a bit of trouble setting up ssh pubkey authentication. I've done some research and made sure the permissions are set correctly, etc. I turned on debug-level logging in sshd_config and am getting an error message I'm not seeing mentioned anywhere: debug1: Could not open authorized keys '/home/mkoninckx/.ssh/authorized_keys': No such file or directory04:22
mkoninckxThe file does exist, but I guess the ssh service can't see it for some reason?04:22
masonmkoninckx: Check ownership and permissions.04:25
sarnoldare you sure you checked on the server?04:25
mkoninckxmason, good suggestion. I vaguely remember checking, but I'll do it again.04:25
masonmkoninckx: And check ownership and permissions of /home/mkoninckx and /home/mkoninckx/.ssh too04:25
mkoninckxsarnold, yes04:25
sarnoldnamei -l /home/mkoninckx/.ssh/authorized_keys  is probably the quickest way to find the missing step :)04:26
Neo4mkoninckx: file doesn't exists, you need specify right path to key04:26
masonOh, neat. When did namei pop into existence?04:27
masonNeo4: Nah, that'd be on the client side.04:27
sarnoldmason: dunno but I wish it'd been there two decades ago :)04:27
sarnoldcause I'm bloody tired of ls -l .. ; ls -l ../.. ; ls -l ../../.. and on and on .. :)04:28
Neo4mason: errors with wrong files http://pix.toile-libre.org/?img=1517372972.png04:29
mkoninckx I (mkoninckx) own /home/mkoninckx, /home/mkoninckx/.ssh/, and /home/mkoninckx/.ssh/authorized_keys/.04:31
masonmkoninckx: It's... a directory?04:31
mkoninckxah no sorry that was a typo04:31
masonkk, good04:31
mkoninckxIt's definitely a text file. I can open it with vi and see the public keys.04:31
Neo4mkoninckx: good04:32
mkoninckxPermissions are 755 on my home directory, 700 on .ssh and 600 on authorized_keys04:32
masonAlright, that should all be reasonable. And this is on Ubuntu?04:32
mkoninckxYeah, 16.04 Server04:32
masonI'd say "run restorecon" if the server were EL04:32
Neo4mkoninckx: now you set up it, and you can access server without input password use it04:32
Neo4ssh username@ip-of-server -i /path/to/privet/key04:32
masonNeo4: that's client side, and his error is server side04:33
Neo4mkoninckx: than if it will work good, you can turn off access to server using password04:33
Neo4mason: yes, I confused04:33
mkoninckxNeo4, when I do that, I get a password prompt.04:33
mkoninckxFor comparison, I have another user set up on this server that I've set up pubkey authentication for and it works fine. I don't get the same error messages in the logs, and I get no password prompt.04:34
Neo4mkoninckx: it means your privet can is not right04:34
sarnoldmkoninckx: is it in an encrypted mount?04:34
masonNeo4: It means his authorized_keys file is wrong.04:34
masonmkoninckx: Hey, you haven't turned on chrooting, have you?04:35
Neo4or yes, authorized_keys wrong04:35
mkoninckxsarnold, I think I may have enabled that when installing the server, yes. Is there a good way to check?04:35
masonmkoninckx: mount should show you what's what and where04:35
sarnoldmkoninckx: maybe something like mount | grep ecryptfs   ?04:35
Neo4mkoninckx: one of two authorized_keys wrong or you type wrong path to privet key04:35
masonNeo4: No, it's not anything to do with his client, at all.04:36
mkoninckxI can see it in the output of mount: /home/.ecryptfs/mkoninckx/.Private on /home/mkoninckx type ecryptfs04:36
mkoninckxI was expecting that to be transparent to anything running on the machine, but I'm getting the feeling that was wrong.04:37
* mason bows out and leaves it to sarnold, having only ever used LUKS partition-wide.04:37
Neo4mkoninckx: simply on server put your public key in folder /.ssh/authorized_keys . and then you are able to login using privet key ssh user@ip -i /path-to-privet-key , check yourself where you have made error or repeat it04:38
Neo4one more time04:38
sarnoldmkoninckx: feel free to ignore Neo4 for the moment04:38
sarnoldmkoninckx: this advice looks useful https://askubuntu.com/questions/809186/ssh-public-key-authentication-not-automounting-encrypted-drive -- but it's annoyingly terse04:39
sarnoldthis is a bit better but hilariously gives advice to reboot in the middle for no reason https://unix.stackexchange.com/a/186285/706404:40
sarnoldmkoninckx: but this might not really be pleasant -- you're going to need the password in order to decrypt the key used for the ecryptfs mount04:40
mkoninckxsarnold, I understand the advice in the askubuntu link04:40
sarnoldmkoninckx: alright, good good :)04:40
mkoninckxThanks for your help!04:42
sarnoldmkoninckx: wait a sec04:42
sarnoldmkoninckx: check the other user!04:42
sarnoldyou said you've got another user account on the system where pubkey auth works fine04:43
mkoninckxOh, yes04:43
sarnoldmake sure it still works04:43
sarnoldor fails04:43
sarnoldas you expect :D04:43
mkoninckxI created the other user on the machine after it started, and I don't have that home directory under an encrypted mount.04:43
mkoninckxWhich is I guess why it would work.04:43
sarnoldyou'll have to symlink or handle its authorized_keys similar to your account04:44
sarnoldsame for everyone else on the machine04:44
mkoninckxOK. I think I read that askubuntu article a bit fast. What I'm planning to do is just make the changes to sshd_config and copy, not symlink, the appropriate authorized_keys files into the right places.04:49
mkoninckxIs there a reason not to do that?04:49
sarnoldonce you change the sshd config file, it's going to be looking in a different spot for the authorized_keys files for EVERYONE04:50
mkoninckxYes, I'm expecting that.04:50
sarnoldokay :)04:50
sarnoldthen you're probably prepared for what that means for all the other users on the system04:50
mkoninckxI should be clear - this is not, like, a serious production server or something. It's just a cast-off Dell desktop I'm running a Minecraft server off for my friends.04:50
mkoninckxThe second user is also me, it's just the user for running the Minecraft server.04:51
sarnoldso the stakes are even higher :)04:51
sarnoldit's just that this moment it's obvious what needs to be done; in another six months, it'll be way less obvious.04:51
sarnoldso better to find surprises right now and deal with it04:51
mkoninckxRight, don't get me wrong, I appreciate the double-checking!04:51
mkoninckxThanks for the help, guys. Last time I did this it was an AWS micro instance, so I got a lot of this config done for me behind the scenes.04:53
sarnoldit probably didn't have ecryptfs in place :)04:53
mkoninckxAlmost certainly. I guess this is one of those instances of knowing enough to shoot yourself in the foot, but not enough to un-shoot yourself in the foot04:53
sarnoldright :)04:54
sarnoldthe error message is unhelpful and yet very helpful .. *why* does the file not exist if you're sure it's there... gotta get creative to figure out why you can see it once you're logged in but sshd can't see it :)04:54
mkoninckxActually, that makes me curious - why can't sshd see the file, but I can once I'm connected?04:55
mkoninckxI guess I should rephrase04:55
mkoninckxWhat's different about sshd that it can't see the files that are mounted? I assumed that was transparent and from the perspective of sshd shouldn't be different than the files actually being written there04:56
sarnoldthe file doesn't exist until you login; then the ecryptfs PAM module unlocks the secret key, and mounts your own home directory / filesystem04:56
sarnoldso it might have even worked if you were logged in locally and then ssh'd in.04:57
mkoninckxAh, that makes sense.04:59
cpaelzergood morning05:00
sarnoldhey cpaelzer :) must be time for me to go make dinner, hehe05:02
cpaelzeryep, I'm glad to serve as an alarm bell sarnold :-)05:03
tanukiHow stable is 18.04?05:48
andoltanuki: At this point, approximately 74% stable.06:52
lordievaderGood morning08:45
johan_hedinhi.. i am not where to find apache logs10:45
funabashihi guys ist possible i can see what a guy have done atfter he removed/clean bash_history ?11:02
hateballjohan_hedin: /var/log/ usually11:23
johan_hedinhateball: how can i check that both php5 and php 7 version installed on server ?11:31
johan_hedinas sererver admin tells us that two version running on server11:32
hateballjohan_hedin: what version of Ubuntu is this?11:32
johan_hedinits centos11:32
hateballSo... why are you asking in #ubuntu-server ? :|11:33
johan_hedinand centos group banned me .. dont know why..11:33
johan_hedinwell command is same i think11:33
hateballThey dont have the same package managers or repositories, how would it be the same?11:34
johan_hedincan you we run php5 for a specific folder?11:48
johan_hedincan we do something in apache host file that we can run php5 for specific folder ?11:49
hateballjohan_hedin: you're better off asking in #httpd11:52
coreycbjamespage: hmm nova dep8 tests are failing due to this: https://paste.ubuntu.com/26494870/12:56
coreycbjamespage: in journalctl this error shows up right before the use_tpool error: nova-scheduler.service: Failed to change ownership of session keyring: Permission denied13:09
coreycbjamespage: ok i narrowed the nova failure down to this patch. the error goes away when it's reverted: https://github.com/openstack/nova/commit/910008e2ef5dae1698ff7db791f4816c728c8bd014:26
rbasakpowersj: available for HO?16:44
powersjrbasak: sure16:44
rbasakpowersj: still in standup HO16:44
masonStand-up meetings always remind me of https://www.youtube.com/watch?v=nvks70PD0Rs17:07
masonIt's not quite as good as the "MongoDB is web scale" video, but it's not bad.17:09
dpb1or "the website is down"17:09
Nivexor IPv6 and NATs17:11
masonThat one doesn't ring a bell. Looking.17:11
UssatOMG, have not watched "the website is down" in a while.....love that17:19
dpb1speaking of mongodb, this one is funny: https://sookocheff.com/post/opinion/the-five-stages-of-nosql/18:09
nacc_powersj: hit a snafu with my in-snap testing idea22:24
nacc_tox assumes it can write to where the snap's tox.ini resides22:25
nacc_i wonder if we should just drop tox22:25
nacc_(from the snap in-snap testing)22:26
powersjgiven tox is only running pylint and pytest and you are running very specific versions of those on a very specific version of python I don't find tox as useful for the project22:26
nacc_that's what i'm thinking righ tnow22:26
=== nacc_ is now known as nacc
naccpowersj: ok, got it mostly working, i thinkn23:43
naccrbasak: sigh, 3 of your tests fail in the snap23:43
naccrbasak: a) you assume you can call dpkg-buildpackage :)23:43
naccrbasak: is that just to be sure it's buildable?23:44
naccrbasak: https://paste.ubuntu.com/26497869/23:47
naccwe coulld innclude gcc in the snap, but i'd really rather not :)23:47
rbasaknacc: no, dpkg-buildpackage is needed to actually build the dsc from a Debian source tree23:55
rbasakThough perhaps dpkg-deb directly might be sufficient for our cases23:55
naccrbasak: i think both will end up requiring gcc23:56
naccit is a static check, iirc23:56
rbasakI don't think dpkg-deb needs gcc23:56
naccrbasak: oh it's not perl?23:57
naccit's really dpkg-architecture that needs gcc, iirc23:57
rbasakPerhaps we could stub something out23:58
naccrbasak: and i expect the first failure might be related, since it's all from the source builder/23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!