| mmercer | lo folks -- im using a preseed.cfg with no user creation (set to false), root login set to true, and root passwd crypted (used a working machine to generate the hash, and have verified it numerous times).... yet i still cannot login on the machine with the expected password... is root login disabled by default in the sshd? even if it is, i would have expected the root login true to have | 00:39 |
|---|---|---|
| mmercer | changed/over-ridden that setting? | 00:39 |
| mmercer | dunno if anyone else has ever seen similar issues | 00:39 |
| patdk-lap | pretty sure root is disabled always except for key logins | 00:57 |
| mmercer | patdk-lap: then whats the point of setting root login to enable in a preseed and why even bother having the option ? | 01:02 |
| mmercer | it is entirely possible that this is the issue im hitting, but im not positive | 01:02 |
| sarnold | preseed comes from redhat land and kinda works in the debian installer, which ubuntu has kept in some form.. | 01:03 |
| sarnold | so not all options that preseed offers necessarily make the most sense on ubuntu installs | 01:03 |
| patdk-lap | hmm, it clearly says in the preseed file, root login is for setting a local root user | 01:03 |
| patdk-lap | not giving it ssh access | 01:03 |
| mmercer | sarnold: preseed comes from the debian side of things, redhat uses kickstart? | 01:04 |
| sarnold | dude. can I start the weekend yet? | 01:04 |
| mmercer | xD | 01:04 |
| sarnold | it's gonna be along week | 01:05 |
| mmercer | lol | 01:05 |
| mmercer | that much fun already, eh ? | 01:05 |
| mmercer | patdk-lap: got it, will use the 'post' equivalent to sed change the ssh login option, going to laugh if thats the problem | 01:05 |
| patdk-lap | https://askubuntu.com/questions/935565/install-openssh-server-package-from-preseed-file | 01:05 |
| mmercer | heh, duckduckgo is great for privacy, but misses a TON of results to things that google seems to nail xD | 01:07 |
| mmercer | :| | 01:07 |
| patdk-lap | ya, but root-login only creates the root user in /etc/passwd and shadow | 01:08 |
| patdk-lap | nothing to do with ssh | 01:08 |
| mmercer | ahh, id have thought it would have been paired together, honestly | 01:08 |
| patdk-lap | I normally use it, but only login to root using console with password, and keys over ssh if I need to for something | 01:09 |
| patdk-lap | mainly for syncs and backup or something like that I need root and sudo just isn't cutting it | 01:09 |
| lordievader | Good morning | 06:18 |
| friendlyguy | tomreyn: Hi there! How are you? | 08:41 |
| friendlyguy | i am continueing where i stopped yesterday: with your "foreign_packages" section | 08:42 |
| friendlyguy | tomreyn: i ran the script and found a number of packages that are "No available version in archive" | 08:48 |
| friendlyguy | so i guess that mean orphaned? | 08:48 |
| friendlyguy | shall i just remove them? | 08:49 |
| friendlyguy | https://paste.ubuntu.com/p/2D6GVsK8s5/ | 08:49 |
| lordievader | Pick one of those packages, could you give the output of `apt-cache policy <pkg-name>`? | 08:59 |
| friendlyguy | https://paste.ubuntu.com/p/pVwS2kKJ7v/ | 09:03 |
| lordievader | Right, looks like left over from several dist-upgrades. `apt-get autoremove` does not mark it for deletion? | 09:04 |
| friendlyguy | nope, does not | 09:04 |
| friendlyguy | yeah, its a "VERY" old vm | 09:04 |
| friendlyguy | i am about to perform the next release upgrade | 09:05 |
| friendlyguy | ^^ | 09:05 |
| lordievader | Well, if nothing depends on them they can be removed. | 09:05 |
| friendlyguy | looks like | 09:05 |
| lordievader | You might want to run `apt` with the `-n` flag first, to see what it wants to remove. | 09:06 |
| lordievader | If the set is larger than what you expect. | 09:06 |
| friendlyguy | whats the -n flag? | 09:08 |
| friendlyguy | i didnt find it in "man apt" | 09:08 |
| friendlyguy | -s for simulate? | 09:09 |
| lordievader | Ah, that is the one. | 09:09 |
| lordievader | Haven't used it in a while... | 09:09 |
| friendlyguy | no problem | 09:10 |
| friendlyguy | well, it tells me that its about to remove the single package that i entered | 09:10 |
| friendlyguy | so no dependencies | 09:10 |
| lordievader | Go for it 😉 | 09:11 |
| friendlyguy | just created a snapshot to be on the safe side :) | 09:11 |
| friendlyguy | ah, found one that would remove more than i want to get removed | 09:13 |
| friendlyguy | how do i handle that case, apart from not removing | 09:13 |
| lordievader | Do you need that other package? | 09:14 |
| lordievader | As in, is it a program you use? | 09:14 |
| friendlyguy | yes | 09:20 |
| lordievader | In that case you want to see if there is an update for that package available which depends on a newer version (one that is in the repo). | 09:22 |
| friendlyguy | its the icinga2 agent and it needs to be on the same version as the server... as far as i got it | 09:23 |
| friendlyguy | ah, no. just figured out its from an old icinga2 deployment | 09:26 |
| friendlyguy | so... lets remove that | 09:26 |
| lordievader | That is the easier route 😉 | 09:31 |
| emOne | is ubuntu LTS a good distro for servers? | 09:49 |
| lordievader | 'Good' is very subjective. Does it work? Yes. | 09:50 |
| emOne | does it break too often because of updates? | 09:51 |
| emOne | lordievader: apparently it is more 'unstable' | 09:52 |
| lordievader | Back when I used it, rarely. | 09:52 |
| lordievader | LTS more unstable? LTS is meant to be stable. | 09:53 |
| emOne | I dont see anything wrong with ubuntu, many people say it is better to run debian as the server os though | 09:55 |
| emOne | they say it is more stable, the OS doesn't undergo huge unexpected changes | 09:55 |
| emOne | I am not sure how true that is | 09:56 |
| lordievader | Ubuntu and Debian are largely the same. Ubuntu comes with more packages preinstalled. Which is why I typically prefer Debian. | 09:56 |
| emOne | i am looking to install ISPconfig as my web panel | 09:59 |
| emOne | it doesn't however install on the newswet debian 10 for whatever reason | 09:59 |
| emOne | at least not with nginx | 10:00 |
| emOne | there is one guy in ##ispconfig that uses debian 10 with apache and ISPconfig | 10:00 |
| emOne | I don't understand how someone picks debian as the OS of choice and apache as the server | 10:00 |
| emOne | that got me thinking that maybe choosing ubuntu is not that strange | 10:01 |
| lordievader | What is wrong with that choice? | 10:01 |
| emOne | nothing | 10:03 |
| emOne | lordievader: apache is not the fastest | 10:03 |
| lordievader | Apache can be quite fast if properly configured. | 10:04 |
| emOne | https://w3techs.com/blog/entry/ubuntu_became_the_most_popular_linux_distribution_for_web_servers | 10:09 |
| tomreyn | friendlyguy: i think all of these packages can probably be removed. no harm if you snapshotted it. | 10:09 |
| emOne | I don't know if ubuntu was the most popular server distro in 2016 | 10:09 |
| tomreyn | friendlyguy: be sure to run apt update && apt full-upgrade afterwards since those installations *could* have help newer packages back. | 10:10 |
| friendlyguy | tomreyn: i did that went all fine | 10:22 |
| friendlyguy | i am currently performing a release upgrade | 10:22 |
| friendlyguy | that didnt went too well | 10:22 |
| emOne | Does the machine need to be restarted after a distro upgrade? (From one LTS to the next one?) | 10:28 |
| friendlyguy | yes | 10:37 |
| friendlyguy | at least from 16.04 to 18.04 | 10:38 |
| tomreyn | friendlyguy: "didn't went to well" how? did it fail? did you have PPAs? | 10:42 |
| friendlyguy | i had problems with systemd-shim (or whatever it was called) | 10:43 |
| friendlyguy | but i fixed that by manually renaming a file | 10:43 |
| tomreyn | there's bug 1773859 | 10:46 |
| ubottu | bug 1773859 in systemd (Ubuntu Bionic) "upgrades to 18.04 fail" [Undecided,Triaged] https://launchpad.net/bugs/1773859 | 10:46 |
| friendlyguy | hmmm. most websites still work | 10:51 |
| friendlyguy | i didnt expect that :) | 10:51 |
| friendlyguy | interesting, it still tells me to perform a release upgrade to 18.04 | 10:52 |
| friendlyguy | but lsb_release tells me i am on 18.04 ^^ | 10:52 |
| emOne | Debian Server vs Ubuntu Server | 12:13 |
| emOne | ROUND 1 | 12:13 |
| emOne | FIGHT | 12:13 |
| andol | emOne: I think you will be perfectly fine with either pick. | 12:22 |
| emOne | me too | 12:23 |
| emOne | I will stick with Ubuntu | 12:24 |
| friendlyguy | depends on what u r running. debian packages are often very old | 12:24 |
| emOne | debian 1 : ubuntu 1 | 12:26 |
| emOne | ROUND 2 | 12:26 |
| emOne | FIGHT | 12:26 |
| andol | Nah. | 12:26 |
| === lotus|i5 is now known as lotuspsychje | ||
| analogist | I'm trying to setup RFC7217-style ipv6.addr-gen-mode stable_privacy addresses, and setting the stable_secret in sysctl doesn't seem to be working. I'm wondering if this is netplan/cloud_init interference, or is there another standard way of doing that? | 19:16 |
| analogist | I'm trying to have both RFC4862 style SLAAC privacy addresses, and have my stable address be RFC7217-style non-MAC-based (non-eui64) | 19:17 |
| === Xbert is now known as Guest82547 | ||
| emOne | what does it mean that I have a bunch of established connections from random locations around the world on sshd | 22:01 |
| emOne | one of them is me | 22:01 |
| tomreyn | you reached the internet. | 22:02 |
| sarnold | emOne: check your auth logs; there's probably hundreds or thousands of failures in there | 22:05 |
| sarnold | emOne: you can expect a huge number of brute force scans | 22:06 |
| emOne | what has me worried is that it says ESTABLISHED | 22:06 |
| sarnold | emOne: some probably from the irc networks you connect to, to try a handful of usernames/passwords to try to guess if your connection is from a compromised machine or not | 22:06 |
| tomreyn | CP to #ubuntu | 22:06 |
| sarnold | ta | 22:07 |
| emOne | ha yes | 22:08 |
| emOne | theyre not recommending 2fa | 22:09 |
| emOne | is that bad? | 22:09 |
| JanC | emOne: I assume by ESTABLISHED you mean in a tool like netstat; that means there is a TCP/IP connection, and you need that before you can send a password or a key, so it's not unusual | 22:23 |
| emOne | netstat -tupn | 22:24 |
| emOne | yes | 22:24 |
| JanC | these are people trying to hack into badly protected SSH setups | 22:25 |
| emOne | http://www.linuxscrew.com/2008/01/18/fun-windows-vs-linux-for-toasters/ | 22:26 |
| emOne | oops wrong chan lol | 22:26 |
| emOne | that was supposed to go into #ubuntu | 22:26 |
| JanC | you might want to disable password authentication after checking key authentication works properly | 22:26 |
| emOne | JanC is key authentication the default way how big companies log into ssh these days? | 22:27 |
| JanC | that or some sort of single-sign-on, I suppose | 22:28 |
| JanC | which probably also uses some sort of keys :) | 22:28 |
| JanC | if you use keys, make sure the key is encrypted (needs a password to use it) and make sure to have backups of it :) | 22:30 |
| analogist | bigger enterprises use an ssh CA with one time signed certs | 22:30 |
| emOne | wow | 22:30 |
| analogist | but using that for one or a handful of servers is... probably overkill, except for education | 22:30 |
| emOne | I feel like private/public keys for ssh is already overkill | 22:31 |
| analogist | for personal use, use a yubikey-based ssh key | 22:31 |
| * emOne goes back to his telnet | 22:31 | |
| * emOne types his username admin an password ... admin | 22:32 | |
| emOne | no one is going to guess that O.O | 22:32 |
| JanC | analogist: I think some also use Kerberos | 22:32 |
| sarnold | funny enough I shared this link just an hour ago in another channel https://github.com/cloudtools/ssh-cert-authority | 22:32 |
| analogist | emOne: always use a keyfile whenever possible | 22:50 |
| analogist | emOne: https://infosec.mozilla.org/guidelines/openssh | 22:50 |
| emOne | JanC analogist thanks | 22:50 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!