[06:10] <lordievader> Good morning
[09:05] <lucido> ning
[09:05] <lotuspsychje> lucido: can we help you?
[09:07] <lucido> I can't figure out permissions for sshd. Trying to get pubkey authentication working. I execute ssh with sudo (as admin user) and if I set 600 permissions on the user's authorized_keys then I get can't access file and if I set 755 then I get wrong permissions
[09:07] <lucido> the files in the user's directory have user.user ownership
[09:11] <lordievader> SSH doesn't like it if someone other than the owner can read the files.
[09:13] <lucido> lordievader, how can root(sshd) read the keyfile then?
[09:13] <lordievader> Which keyfile exactly?
[09:13] <lucido> authorized_keys
[09:14] <lordievader> Oh, sshd runs as root and can therefore read `~/.ssh/authorized_keys`.
[09:14] <lucido> I changed the permission of that file to 640 and added root as group and now it seems to be able to read the keyfile
[09:14] <lucido> debug1: trying public key file /var/services/homes/borg-backup/.ssh/authorized_keys
[09:14] <lucido> debug1: fd 4 clearing O_NONBLOCK
[09:15] <lucido> but it still prompts for passwd
[09:15] <lordievader> Yes, because you set it to 640.
[09:16] <lordievader> Authorized keys file should be 600.
[09:16] <lordievader> rw for only the owner.
[09:16] <blackflow> infact, permissions are not an issue at all. ownership is.
[09:17] <lucido> I see, so now sshd can read the keyfile and it still prompts for password. How can I debug that?
[09:18] <blackflow> lucido: look at the server side logs
[09:19] <blackflow> lucido: oh btw... what prompts for what password exactly? Sure that's not just the client-side key passphrase?
[09:21] <lucido> blackflow, I entered a null password (no passphrase). Logs show debug1: fd 4 clearing O_NONBLOCK
[09:21] <blackflow> lucido: pastebin the full log please. these excerpts out of context are not meaningful
[09:24] <lucido> blackflow, https://paste.ubuntu.com/p/kDvDxJvDk2/
[09:25] <blackflow> lucido: looks like the authorized_keys does not contain the key sent from the client.
[09:25] <blackflow> what exactly did you put into authorized_keys?
[09:27] <blackflow> and you can also raise verbosity, iirc invalid keys would be logged. just put LogLevel=DEBUG3, restart sshd and try again
[09:36] <lucido> blackflow, https://paste.ubuntu.com/p/FKPXYWsf96/
[09:37] <blackflow> lucido: looks broken, you have the same key twice, and the second one doesn't start on its own line
[09:38] <blackflow> (look at the raw source, not formatting done by paste.ubuntu.com)
[09:41] <lucido> blackflow, ok, heres the sshd output with -ddd: https://paste.ubuntu.com/p/CcJFN5QMCf/
[09:41] <blackflow> lucido: line 114: debug2: key not found
[09:45] <lucido> blackflow, what I did now was, I took the .pub file from the client and copied its contents into the authorized_keys file on the host
[09:47] <lucido> so now I have in authorized keys: https://paste.ubuntu.com/p/vwkKFdbqwv/
[09:48] <blackflow> lucido: where does that new line after "ssh-rsa" come from?
[09:48] <blackflow> I don't think that's right. one key should be on a single line.
[09:49] <blackflow> openssh-keygen definitely will not put a newline, so I don't know how you created it.
[09:50] <lucido> https://paste.ubuntu.com/p/7CdMqRfHFw/
[09:50] <lucido> there is no newline, it's formatting only
[09:51] <blackflow> lucido: debug2: key not found
[09:52] <lucido> blackflow, sorry, there was a newline. no clue how it got there
[09:52] <blackflow> yup.
[09:54] <lucido> blackflow, now there is no pwd prompt, but I get permission denied. sshd output: https://paste.ubuntu.com/p/PzJkBRtDGR/
[09:58] <blackflow> that output doesn't mention permission denied, it only says the daemon received sigchld and the client closed connection.
[09:59] <blackflow> can you pastebin your effective server-side sshd_config? are you using a ssh chroot setup? are all path members to the user's home dir accessible by the user?
[10:00] <lucido> one sec. very strange, sshd exits if I try to connect to it
[10:02] <lucido> blackflow, https://paste.ubuntu.com/p/TTqhnggMDS/
[10:10] <blackflow> lucido: sshd_config doesn't look bad at a first glance. you don't have AllowUser|Group limits, no ForceCommand for sftp-only access. what does the client side say? try using ssh with -vv
[10:12] <lucido> blackflow, I changed the user's shell from nologin to sh on the server and tried again with -vv (no apparent change)
[10:12] <lucido> https://paste.ubuntu.com/p/st4mHhcbKS/
[10:13] <blackflow> lucido: are you sure all path components allow access to the user's home?
[10:16] <lucido> blackflow, yes, I've checked them all
[10:17] <blackflow> you have permission denied right after shell request. so something about that user and that shell and that home dir, is not right.
[10:17] <lucido> borg-backup:x:1033:100::/var/services/homes/borg-backup:/sbin/sh
[10:18] <lucido> drwx------  1 borg-backup            root  336 May 21 10:29 borg-backup
[10:18] <blackflow> lucido: it should be /bin/sh
[10:18] <lucido> noooooooooooooooooooooooooo
[10:18] <lucido> :)
[10:19] <blackflow> so problem solved?
[10:20] <lucido> blackflow, I thought so but no
[10:21] <lucido> same crap
[10:21] <lucido> debug2: shell request accepted on channel 0
[10:21] <lucido> Permission denied, please try again.
[10:21] <blackflow> try another shell, like /bin/bash
[10:22] <blackflow> lucido: also, by all path components I meant /var and /var/services/ and /var/services/homes/ .... are they rx (read and execute, as dirs) accessible to "borg-backup" user?
[10:22] <lucido> nope
[10:23] <lucido> blackflow, for path permissions I checked them all
[10:23] <lucido> they are readable and executable to other
[10:23] <blackflow> so 755 all of them?
[10:24] <lucido> found one that is drwx--x--x+ 1 root         root         1.6K May 21 10:06 homes
[10:24] <blackflow> can you also please  ls -la ~/   (feel free to censor sensitive dir names, but not anything else)
[10:24] <blackflow> lucido: yup, fix that
[10:24] <lucido> blackflow, it works for another user
[10:25] <blackflow> lucido: also check that + .... you have ACLs on that homes dir
[10:25]  * blackflow bets a pizza that's the cause
[10:25] <lucido> blackflow, this is a synology DSM and it has its own ACL version
[10:26] <blackflow> ......................... so ...................... not ......................... Ubuntu ?
[10:26] <lucido> I think I'm missing some custom permissions on the device that is synology specific and has been granted for the working user and not for this one
[10:26] <lucido> sorry, the client is Ubuntu
[10:26] <lucido> forgot to mention...
[10:26] <blackflow> and you're asking in #ubuntu-server .......
[10:26] <blackflow> if only you could see my face now. thanks for wasting my time.
[10:26] <blackflow> good luck.
[10:27] <lucido> thank you for your help so far and sorry for the misunderstanding
[10:28] <blackflow> who knows what kind of crap that synology did there. could be infinite reasons why you have issues. you should've led with that first, you'd be told immediately we cannot know what synology did there.
[11:28] <lucido> blackflow, I know. I'm sorry
[11:30] <marcoceppi> Looking to get some help with TFTP / Preseed for Ubuntu 18.04. I've sync'd down this entire directory: http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/installer-amd64/current/images/netboot/ and setup tftpd to read it as its root. I can netboot into an installer but whenever I try to specify a preseed as either tftp or http and made some progress with this preseed file and this boot-screens/txt.cfg: preseed (http://paste.
[11:30] <marcoceppi> ubuntu.com/p/HXsMDWWQzX/) boot-screens/txt.cfg (http://paste.ubuntu.com/p/rjqDV4Gbd7/)
[11:32] <marcoceppi> Is there a better example for this other than https://help.ubuntu.com/lts/installation-guide/amd64/apbs02.html? I've used that example preseed with my own values and the directions covered within
[11:38] <DJ-ArcAngel> lotuspsychje: heh.. ofcourse there is not "trusty" on old-releases.ubuntu.com
[11:38] <DJ-ArcAngel> think i am screwed
[11:39] <lotuspsychje> DJ-ArcAngel: if you run ubuntu server, please mind the end of life times, try always to upgrade before it
[11:39] <DJ-ArcAngel> pls.. do not remind me
[11:39] <DJ-ArcAngel> i inherited this shit
[11:39] <DJ-ArcAngel> i know about eol
[11:39] <DJ-ArcAngel> this company just didn't care for 8 years
[11:39] <DJ-ArcAngel> now i can fix it
[11:40] <lotuspsychje> DJ-ArcAngel: also take a look at the 16.04 releasenotes alot of new things changed since 14.04
[11:41] <DJ-ArcAngel> old-releases goes back to  2006, so why is there no "trusty" ?
[11:42] <DJ-ArcAngel> there is no 14.04
[11:42] <DJ-ArcAngel> ah
[11:42] <DJ-ArcAngel> found it
[11:43] <lotuspsychje> DJ-ArcAngel: https://wiki.ubuntu.com/XenialXerus/ReleaseNotes
[11:44] <DJ-ArcAngel> hmm no
[11:44] <DJ-ArcAngel> that is install cd
[11:44] <DJ-ArcAngel> no repo dir
[11:44] <DJ-ArcAngel> http://old-releases.ubuntu.com/ubuntu/dists/trusty
[11:45] <DJ-ArcAngel> 404
[11:45] <DJ-ArcAngel> guess i will have to re-install
[11:48] <Ussat> I would reinstall instead of trying to upgrade from that anyway
[11:49] <marcoceppi> DJ-ArcAngel: I believe, since 16.04 (and 14.04 EOL) Canonical provides extended security maintenance as a feature of Ubuntu Advantage https://blog.ubuntu.com/2019/02/05/ubuntu-14-04-trusty-tahr However, there is still a trusty in the archive http://archive.ubuntu.com/ubuntu/dists/trusty/ not sure if that helps you
[11:50] <lotuspsychje> I'd go with Ussat as well, backup and go fresh 16.04 or 18.04
[11:51] <lotuspsychje> why take risk of eol/security
[11:51] <Ussat> yup...I generally don't like upgrading major versions with prod systems, at very least, make a snap (assuming a VM) before you try it
[11:54] <DJ-ArcAngel> thanks marcoceppi, it's worth a try
[12:10] <DJ-ArcAngel> hangs on grub-common again.. i give up
[12:10] <DJ-ArcAngel> will be a rebuild
[14:48] <DJ-ArcAngel> i did it!.. damn thing is 16.04 now.. and site has moved off php5
[14:48] <DJ-ArcAngel> to php7
[14:48] <DJ-ArcAngel> system 0 - DJ-ArcAngel 1
[16:53] <figgis> Hello, I wrote out my question in a paste since it's a bit long winded: https://paste.ubuntu.com/p/WchRcH3fZ4/ tldr; looking for assistance in getting a server with 3 ip's assigned to it. to use the same outgoing ip as the connection was made on. (directed here from #ubuntu)
[16:53] <lordcirth_> figgis, firstly, why do you need to have 3 IPs?
[16:54] <DJ-ArcAngel> multi homed.. for webhosting?
[16:54] <DJ-ArcAngel> or other services
[16:55] <figgis> A few reasons but biggest is I am trying to tie each individual ip to a single user. Which is what the proxy is for.
[16:55] <lordcirth_> I suspect there might be easier ways to do what they actually need, than having 3 IPs on the same NIC.
[16:55] <lordcirth_> figgis, so, you want to treat traffic differently based on user, and so you give each user a different IP to connect to?
[16:56] <figgis> correct that is what I am attempting to do. But outgoing traffic is all done under a single ip
[16:56] <figgis> which is not the goal
[16:57] <weedmic> how is it possible my cpus are pegged near 100%, yet the load average is 3.66 3.56 3.61?  https://pasteboard.co/IfKCWFz.png  help me understand
[17:02] <lordcirth_> weedmic, The simplified version is, at any given time, on average, there are 3.66 processes requesting CPU time. Load average can easily exceed the number of cores you have.
[17:02] <figgis> weedmic - That picture is actually showing a pretty high load averages for 2 cores. Some info on load averages: https://scoutapm.com/blog/understanding-load-averages
[17:03] <weedmic> ok, it's requests on average - not %/cpu use on average - that was a great answer - ty
[17:06] <rbasak> figgis: so you want that when a user connects to the server, that user can request a SOCKS forward, and those forwarded connections are to be originated from the same IP the user is connected on?
[17:07] <figgis> Correct! Much better way to explain it than I have
[17:07] <rbasak> figgis: and second question: is this to be enforced server side?
[17:07] <figgis> Not enforced exactly, just as a default
[17:07] <rbasak> figgis: or is something voluntarily done by the user acceptable?
[17:07] <rbasak> OK
[17:08] <rbasak> Interesting challenge :)
[17:08]  * rbasak ponders
[17:09] <lordcirth_> I am unconvinced that 3 IPs is the best way, but it's certainly do-able
[17:09] <rbasak> Ideally sshd/ssh would be configurable to arrange that. I don't think it is.
[17:09] <figgis> In no rush whatsoever :), been pondering this for days. If it's easier to make the incoming connections all on one IP and route outgoing based on user that is acceptable as well. But I don't really see that making much of a difference
[17:10] <rbasak> My next thought is that some advanced routing is possible such that you could key the outbound IP on something. But you'd need some way to connect that to the user.
[17:11] <rbasak> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html comes to mind but isn't exactly the same thing
[17:11] <lordcirth_> figgis, what do you need to do differently, based on which user it is?
[17:12] <rbasak> figgis: what if the outbound IP were based on the uid of the originating user process, rather than on the IP the user connected to? Would that be acceptable?
[17:12] <figgis> Ooh I suppose I could use incoming port as well.
[17:13] <figgis> Yep that would be completely okay
[17:13] <rbasak> Then I think I have a solution for you :)
[17:13] <rbasak> Take http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
[17:14] <rbasak> But instead of pointing to the correct table based on IP, you could do it based on fwmark
[17:15] <rbasak> Then in iptables/ip6tables use -m owner --uid-owner ... and set fwmark
[17:17] <rbasak> lordcirth_: IPs have reputations, so it seems reasonable for different users to segregated into different IPs. I don't know if that's figgis' reason, but I think that use case at least makes his request a reasonable thing to want.
[17:17] <lordcirth_> rbasak, to prevent one user getting the whole server banned? I can see that, yeah
[17:18] <rbasak> figgis: the only catch I have is: will the SOCKS connection originate from the current uid in the case of ssh socks forwarding? I think it will because of privsep and ssh's mechanism for arranging it, but it would need to be tested to be sure.
[17:18] <figgis> Yeah missed that question lordcirth_, rbasak is correct. I have no intentions of doing anything malicious but I also do want to do my best to make sure my users aren't screwing each other over without knowingly doing so (which is another problem in itself)
[17:19] <figgis> good question, i'll let you know
[17:19] <rbasak> figgis: so then the uid based method would be even better, since it would work for all user connections and not just the ones originating from ssh socks forwarding
[17:19] <lordcirth_> figgis, makes sense. You could also spawn an LXC container with each IP and a daemon for each user, then bridge them all together. The routing would probably be simpler.
[17:20] <rbasak> lordcirth_: yeah I was wondering about something along the lines. Rather than a whole container I was going to suggest one network namespace per user, and an sshd operating in each. But I think doing it through the routing tables matches the use case better.
[17:21] <figgis> I didn't even think about using containers, yeah. Going to give routing with iptables a shot first and see how this goes and if that doesn't work containers may actually be the best bet
[17:24] <lordcirth_> I don't know if it's relevant, but containers would also allow you to move clients to other servers easily, and some other flexibilities
[17:26] <figgis> So to answer the uid questions - the socks5 connection does correctly have the users uid when creating the connection as a specific user
[17:26] <figgis> the container idea is growing on me now though :P
[17:26] <figgis> awesome though, think I got what I needed so far. Thank you for the suggestions all
[17:39] <rbasak> \o/
[17:39] <rbasak> I can't think of a way to ensure that each container only uses the assigned IP, assuming that all three IPs are on the same interface. That's what's putting me off the container idea.
[17:40] <rbasak> Perhaps pushing everything into a bridge and using iptables would work.
[17:42]  * codefriar thinks iptables is confusing af
[17:52] <lordcirth_> rbasak, what do you mean? If the containers are bridged onto the same physical NIC, they will each have their own MAC, and the host bridge will act like a switch.
[17:57] <rbasak> lordcirth_: I mean that each container configures its own interface, so one user could "take over" the IP of another.
[17:57] <rbasak> lordcirth_: to avoid that either some different configuration is required, or some enforcement at the bridge.
[17:59] <lordcirth_> rbasak, but the users don't have root in the container, as I understand it? They are just connecting to a SOCKS proxy?
[18:01] <codefriar> I have an interesting situation. I've a nearly constant running process taking 55% of a cpu core. dpkg-reconfigure -f noninteractive slapd any idea on how to fix that?
[18:02] <lordcirth_> codefriar, how long has it been running?
[18:02] <codefriar> 54 hours
[18:02] <codefriar> lordcirth_ since shortly after the last boot time
[18:02] <lordcirth_> codefriar, I would SIGTERM it and run it again interactive
[18:07] <rbasak> lordcirth_: yeah, fair enough if they don't have root.
[18:08] <codefriar> lordcirth_ so interestingly enough, slapd isn't installed.
[18:09] <lordcirth_> codefriar, could it have been rolled back when dpkg-reconfigure failed?
[18:09] <catbadger> hi all
[18:12] <catbadger> I have a docker container based off of wheezy. I built apache1 and mod_perl 1.3 from source in there, but apache1 isn't starting. anyone know how to start it?
[18:15] <lordcirth_> catbadger, If it's wheezy, why is this an #ubuntu-server question?
[18:19] <sarnold> catbadger: at this point I think you're the apache 1 expert :)
[18:19] <sarnold> you've worked more with it in the last month than anyone else in the last decade I think..
[18:19] <tomreyn> rbasak: it's rather late, but do you think we could have a short notice on mysql defaulting to socket authentication on new installations on the 18.04 release notes? during the past ~ week (maybe 10 days) alone, i saw three people asking (in #ubuntu) how they could login because there was no password set.
[18:21] <catbadger> sigh
[18:21] <catbadger> oh look i r'ed the f'ing m.
[18:21] <tomreyn> (the change seems to have been introduced in 5.7.20-2)
[18:23] <rbasak> tomreyn: yes, please edit. This rings a bell - perhaps we release noted this in a previous non-LTS release that we could copy the notes from?
[18:24] <tomreyn> you mean a non lts?
[18:25] <rbasak> Isn't that what I said?
[18:26] <tomreyn> oh it's in 16.04's
[18:26]  * rbasak is puzzled by the question
[18:26] <rbasak> Ah
[18:26] <rbasak> If we did it in 16.04, it's probably not correct to release note it in 18.04.
[18:26] <lordcirth_> Yeah, I thought this was default in 16.04 too?
[18:26] <rbasak> But you could point people asking to the 16.04 release note even if they're using 18.04.
[18:26] <tomreyn> sorry yes you said "non-LTS", i need to re-learn to read
[18:27] <tomreyn> yup, will do so from now on
[18:27] <rbasak> Thank you for the idea and for checking!
[18:27] <tomreyn> i was really thinking this hadn't been introduced in 16.04, yet
[18:28] <tomreyn> https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#MySQL_5.7 proves me wrong there
[18:28] <tomreyn> the news-file link is a 404
[18:28] <rbasak> It's moved to Salsa
[18:29] <tomreyn> right, i'll see if it can find the new location
[18:29] <rbasak> tomreyn: https://salsa.debian.org/mariadb-team/mysql/blob/mysql-5.7/debian/master/debian/NEWS
[18:29] <rbasak> Perhaps it should be tied to the commit like the old link
[18:30] <rbasak> https://salsa.debian.org/mariadb-team/mysql/blob/14349b00e322f0448f80b2fe472596620349f413/debian/NEWS
[18:33] <tomreyn> hmm that's a different commit hash?
[18:33] <rbasak> It's the hash of the blob I think.
[18:33] <rbasak> The commit hash will encompass it.
[18:33] <rbasak> To verify you'd need to use ls-tree the commit hash, etc.
[18:34] <rbasak> (commit tree -> source tree -> debian/ subdirectory tree -> NEWS file blob)
[18:34] <tomreyn> https://salsa.debian.org/mariadb-team/mysql/blob/1025a9fa9c6c112913c59138db49dbc94891d20f/debian/NEWS uses the old hash
[18:34] <rbasak> Oh
[18:35] <rbasak> That might be more correct depending on the version?
[18:35] <tomreyn> i have no idea what i'm doing, just clicking ;)
[18:35] <rbasak> Ah :)
[18:36] <tomreyn> i'll point to your link in https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#MySQL_5.7 - ok?
[18:36] <rbasak> rmadison says the bionic release pocket has 5.7.21-1ubuntu1, so the release note should refer to that.
[18:36] <rbasak> So I think my link is the correct one.
[18:36] <rbasak> tomreyn: yes please - you could just edit the old link
[18:37] <tomreyn> oh i think putting it into the bionic release notes is actually nonsense now that we learnt that it had been in the xenial release notes already
[18:37] <tomreyn> so i'm suggesting to just fix the link on the xenial release notes
[18:37] <rbasak> tomreyn: agreed
[18:37] <rbasak> tomreyn: your wiki link above said Xenial, not Bionic :)
[18:38] <tomreyn> yes, but you said "rmadison says the *bionic* release pocket has 5.7.21-1ubuntu1, so the release note should refer to that."
[18:39] <tomreyn> so i wanted to point out i'll edit the xenial release notes, not bionic's
[18:39] <rbasak> Oh
[18:39] <rbasak> Sorry!
[18:40] <rbasak> tomreyn: in that case _your_ link is the correct one.
[18:40] <rbasak> (of the blob hash)
[18:40] <tomreyn> great. all fine, thanks for your time.
[18:40] <rbasak> tomreyn: thank you for double checking :)
[18:45] <tomreyn> the same, thanks :)
[18:48] <xibalba> in netplan, what is the option to modify the search domain
[18:48] <xibalba> can't find it for the life of me
[18:50] <xibalba> found it
[18:55] <blackflow> life saved!
[19:17] <DammitJim> is it true that openjdk 8 will be supported by Ubuntu until 04/2021?
[19:21] <lordcirth_> DammitJim, it's in main on 16.04, and universe on 18.04, so it's guaranteed support until 16.04 EOL
[19:21] <lordcirth_> Which would indeed be 2021
[19:24] <DammitJim> oh ok, thanks!
[19:25] <DammitJim> and then for openjdk 11 there is no EOL, right?
[19:28] <lordcirth_> !info openjdk-11-jdk bionic
[19:28] <lordcirth_> If it's in 18.04 main, then at a minimum it's supported until 18.04 eol
[19:28] <lordcirth_> !bionic
[19:29] <lordcirth_> 2023 at a minimum.
[19:30] <DammitJim> gotcha
[19:30] <DammitJim> oh, but if i wanted to run openjdk-11 on an Ubuntu 16 server, that wouldn't be supported, right?
[19:31] <lordcirth_> !info openjdk-11-jdk xenial
[19:31] <lordcirth_> !info openjdk-10-jdk xenial
[19:31] <lordcirth_> Apparently not?
[19:31] <DammitJim> blah
[19:32] <lordcirth_> But 18.04 is already out, so I don't see why you'd need to?
[19:32] <DammitJim> there are some issues associated with 18.04 for me... (other dependencies)
[19:33] <DammitJim> like tomcat 7
[19:34] <lordcirth_> Ah, I see
[20:36] <catbadger> whoop apache1 running with mod_perl1.3 in docker on 18.04 whoop!
[20:36] <catbadger> it 500's and the project does not stand up yet though. have to figure out what they were doing in their dumpster to host this fire.
[20:38] <sarnold> oh man :(
[20:40] <catbadger> lol
[20:41] <catbadger> haha
[20:41] <_KaszpiR_> :D