[00:39] <mmercer> lo folks -- im using a preseed.cfg with no user creation (set to false),  root login set to true, and root passwd crypted (used a working machine to generate the hash, and have verified it numerous times)....  yet i still cannot login on the machine with the expected password...  is root login disabled by default in the sshd?  even if it is, i would have expected the root login true to have
[00:39] <mmercer> changed/over-ridden that setting?
[00:39] <mmercer> dunno if anyone else has ever seen similar issues
[00:57] <patdk-lap> pretty sure root is disabled always except for key logins
[01:02] <mmercer> patdk-lap: then whats the point of setting root login to enable in a preseed and why even bother having the option ?
[01:02] <mmercer> it is entirely possible that this is the issue im hitting, but im not positive
[01:03] <sarnold> preseed comes from redhat land and kinda works in the debian installer, which ubuntu has kept in some form..
[01:03] <sarnold> so not all options that preseed offers necessarily make the most sense on ubuntu installs
[01:03] <patdk-lap> hmm, it clearly says in the preseed file, root login is for setting a local root user
[01:03] <patdk-lap> not giving it ssh access
[01:04] <mmercer> sarnold: preseed comes from the debian side of things, redhat uses kickstart?
[01:04] <sarnold> dude. can I start the weekend yet?
[01:04] <mmercer> xD
[01:05] <sarnold> it's gonna be a long week
[01:05] <mmercer> lol
[01:05] <mmercer> that much fun already, eh ?
[01:05] <mmercer> patdk-lap: got it, will use the 'post' equivalent to sed change the ssh login option,  going to laugh if thats the problem
[01:05] <patdk-lap> https://askubuntu.com/questions/935565/install-openssh-server-package-from-preseed-file
[01:07] <mmercer> heh,  duckduckgo is great for privacy, but misses a TON of results to things that google seems to nail xD
[01:07] <mmercer> :|
[01:08] <patdk-lap> ya, but root-login only creates the root user in /etc/passwd and shadow
[01:08] <patdk-lap> nothing to do with ssh
[01:08] <mmercer> ahh,  id have thought it would have been paired together, honestly
[01:09] <patdk-lap> I normally use it, but only login to root using console with password, and keys over ssh if I need to for something
[01:09] <patdk-lap> mainly for syncs and backup or something like that I need root and sudo just isn't cutting it
[06:18] <lordievader> Good morning
[08:41] <friendlyguy> tomreyn: Hi there! How are you?
[08:42] <friendlyguy> i am continuing where i stopped yesterday: with your "foreign_packages" section
[08:48] <friendlyguy> tomreyn: i ran the script and found a number of packages that are "No available version in archive"
[08:48] <friendlyguy> so i guess that mean orphaned?
[08:49] <friendlyguy> shall i just remove them?
[08:49] <friendlyguy> https://paste.ubuntu.com/p/2D6GVsK8s5/
[08:59] <lordievader> Pick one of those packages, could you give the output of `apt-cache policy <pkg-name>`?
[09:03] <friendlyguy> https://paste.ubuntu.com/p/pVwS2kKJ7v/
[09:04] <lordievader> Right, looks like left over from several dist-upgrades. `apt-get autoremove` does not mark it for deletion?
[09:04] <friendlyguy> nope, does not
[09:04] <friendlyguy> yeah, its a "VERY" old vm
[09:05] <friendlyguy> i am about to perform the next release upgrade
[09:05] <friendlyguy> ^^
[09:05] <lordievader> Well, if nothing depends on them they can be removed.
[09:05] <friendlyguy> looks like
[09:06] <lordievader> You might want to run `apt` with the `-n` flag first, to see what it wants to remove.
[09:06] <lordievader> If the set is larger than what you expect.
[09:08] <friendlyguy> whats the -n flag?
[09:08] <friendlyguy> i didnt find it in "man apt"
[09:09] <friendlyguy> -s for simulate?
[09:09] <lordievader> Ah, that is the one.
[09:09] <lordievader> Haven't used it in a while...
[09:10] <friendlyguy> no problem
[09:10] <friendlyguy> well, it tells me that its about to remove the single package that i entered
[09:10] <friendlyguy> so no dependencies
[09:11] <lordievader> Go for it 😉
[09:11] <friendlyguy> just created a snapshot to be on the safe side :)
[09:13] <friendlyguy> ah, found one that would remove more than i want to get removed
[09:13] <friendlyguy> how do i handle that case, apart from not removing
[09:14] <lordievader> Do you need that other package?
[09:14] <lordievader> As in, is it a program you use?
[09:20] <friendlyguy> yes
[09:22] <lordievader> In that case you want to see if there is an update for that package available which depends on a newer version (one that is in the repo).
[09:23] <friendlyguy> its the icinga2 agent and it needs to be on the same version as the server... as far as i got it
[09:26] <friendlyguy> ah, no. just figured out its from an old icinga2 deployment
[09:26] <friendlyguy> so... lets remove that
[09:31] <lordievader> That is the easier route 😉
[09:49] <emOne> is ubuntu LTS a good distro for servers?
[09:50] <lordievader> 'Good' is very subjective. Does it work? Yes.
[09:51] <emOne> does it break too often because of updates?
[09:52] <emOne> lordievader: apparently it is more 'unstable'
[09:52] <lordievader> Back when I used it, rarely.
[09:53] <lordievader> LTS more unstable? LTS is meant to be stable.
[09:55] <emOne> I dont see anything wrong with ubuntu, many people say it is better to run debian as the server os though
[09:55] <emOne> they say it is more stable, the OS doesn't undergo huge unexpected changes
[09:56] <emOne> I am not sure how true that is
[09:56] <lordievader> Ubuntu and Debian are largely the same. Ubuntu comes with more packages preinstalled. Which is why I typically prefer Debian.
[09:59] <emOne> i am looking to install ISPconfig as my web panel
[09:59] <emOne> it doesn't however install on the newest debian 10 for whatever reason
[10:00] <emOne> at least not with nginx
[10:00] <emOne> there is one guy in ##ispconfig that uses debian 10 with apache and ISPconfig
[10:00] <emOne> I don't understand how someone picks debian as the OS of choice and apache as the server
[10:01] <emOne> that got me thinking that maybe choosing ubuntu is not that strange
[10:01] <lordievader> What is wrong with that choice?
[10:03] <emOne> nothing
[10:03] <emOne> lordievader: apache is not the fastest
[10:04] <lordievader> Apache can be quite fast if properly configured.
[10:09] <emOne> https://w3techs.com/blog/entry/ubuntu_became_the_most_popular_linux_distribution_for_web_servers
[10:09] <tomreyn> friendlyguy: i think all of these packages can probably be removed. no harm if you snapshotted it.
[10:09] <emOne> I don't know if ubuntu was the most popular server distro in 2016
[10:10] <tomreyn> friendlyguy: be sure to run    apt update && apt full-upgrade    afterwards since those installations *could* have held newer packages back.
[10:22] <friendlyguy> tomreyn: i did that went all fine
[10:22] <friendlyguy> i am currently performing a release upgrade
[10:22] <friendlyguy> that didnt went too well
[10:28] <emOne> Does the machine need to be restarted after a distro upgrade? (From one LTS to the next one?)
[10:37] <friendlyguy> yes
[10:38] <friendlyguy> at least from 16.04 to 18.04
[10:42] <tomreyn> friendlyguy: "didn't went to well" how? did it fail? did you have PPAs?
[10:43] <friendlyguy> i had problems with systemd-shim (or whatever it was called)
[10:43] <friendlyguy> but i fixed that by manually renaming a file
[10:46] <tomreyn> there's bug 1773859
[10:51] <friendlyguy> hmmm. most websites still work
[10:51] <friendlyguy> i didnt expect that :)
[10:52] <friendlyguy> interesting, it still tells me to perform a release upgrade to 18.04
[10:52] <friendlyguy> but lsb_release tells me i am on 18.04 ^^
[12:13] <emOne> Debian Server vs Ubuntu Server
[12:13] <emOne> ROUND 1
[12:13] <emOne> FIGHT
[12:22] <andol> emOne: I think you will be perfectly fine with either pick.
[12:23] <emOne> me too
[12:24] <emOne> I will stick with Ubuntu
[12:24] <friendlyguy> depends on what u r running. debian packages are often very old
[12:26] <emOne> debian 1 : ubuntu 1
[12:26] <emOne> ROUND 2
[12:26] <emOne> FIGHT
[12:26] <andol> Nah.
[19:16] <analogist> I'm trying to setup RFC7217-style ipv6.addr-gen-mode stable_privacy addresses, and setting the stable_secret in sysctl doesn't seem to be working. I'm wondering if this is netplan/cloud_init interference, or is there another standard way of doing that?
[19:17] <analogist> I'm trying to have both RFC4862 style SLAAC privacy addresses, and have my stable address be RFC7217-style non-MAC-based (non-eui64)
[22:01] <emOne> what does it mean that I have a bunch of established connections from random locations around the world on sshd
[22:01] <emOne> one of them is me
[22:02] <tomreyn> you reached the internet.
[22:05] <sarnold> emOne: check your auth logs; there's probably hundreds or thousands of failures in there
[22:06] <sarnold> emOne: you can expect a huge number of brute force scans
[22:06] <emOne> what has me worried is that it says ESTABLISHED
[22:06] <sarnold> emOne: some probably from the irc networks you connect to, to try a handful of usernames/passwords to try to guess if your connection is from a compromised machine or not
[22:06] <tomreyn> CP to #ubuntu
[22:07] <sarnold> ta
[22:08] <emOne> ha yes
[22:09] <emOne> theyre not recommending 2fa
[22:09] <emOne> is that bad?
[22:23] <JanC> emOne: I assume by ESTABLISHED you mean in a tool like netstat; that means there is a TCP/IP connection, and you need that before you can send a password or a key, so it's not unusual
[22:24] <emOne> netstat -tupn
[22:24] <emOne> yes
[22:25] <JanC> these are people trying to hack into badly protected SSH setups
[22:26] <emOne> http://www.linuxscrew.com/2008/01/18/fun-windows-vs-linux-for-toasters/
[22:26] <emOne> oops wrong chan lol
[22:26] <emOne> that was supposed to go into #ubuntu
[22:26] <JanC> you might want to disable password authentication after checking key authentication works properly
[22:27] <emOne> JanC is key authentication the default way how big companies log into ssh these days?
[22:28] <JanC> that or some sort of single-sign-on, I suppose
[22:28] <JanC> which probably also uses some sort of keys  :)
[22:30] <JanC> if you use keys, make sure the key is encrypted (needs a password to use it) and make sure to have backups of it  :)
[22:30] <analogist> bigger enterprises use an ssh CA with one time signed certs
[22:30] <emOne> wow
[22:30] <analogist> but using that for one or a handful of servers is... probably overkill, except for education
[22:31] <emOne> I feel like private/public keys for ssh is already overkill
[22:31] <analogist> for personal use, use a yubikey-based ssh key
[22:31]  * emOne goes back to his telnet 
[22:32]  * emOne types his username admin and password ... admin
[22:32] <emOne> no one is going to guess that O.O
[22:32] <JanC> analogist: I think some also use Kerberos
[22:32] <sarnold> funny enough I shared this link just an hour ago in another channel https://github.com/cloudtools/ssh-cert-authority
[22:50] <analogist> emOne: always use a keyfile whenever possible
[22:50] <analogist> emOne: https://infosec.mozilla.org/guidelines/openssh
[22:50] <emOne> JanC analogist thanks