[00:39] lo folks -- im using a preseed.cfg with no user creation (set to false), root login set to true, and root passwd crypted (used a working machine to generate the hash, and have verified it numerous times).... yet i still cannot login on the machine with the expected password... is root login disabled by default in the sshd? even if it is, i would have expected the root login true to have
[00:39] changed/over-ridden that setting?
[00:39] dunno if anyone else has ever seen similar issues
[00:57] pretty sure root is disabled always except for key logins
[01:02] patdk-lap: then whats the point of setting root login to enable in a preseed and why even bother having the option ?
[01:02] it is entirely possible that this is the issue im hitting, but im not positive
[01:03] preseed comes from redhat land and kinda works in the debian installer, which ubuntu has kept in some form..
[01:03] so not all options that preseed offers necessarily make the most sense on ubuntu installs
[01:03] hmm, it clearly says in the preseed file, root login is for setting a local root user
[01:03] not giving it ssh access
[01:04] sarnold: preseed comes from the debian side of things, redhat uses kickstart?
[01:04] dude. can I start the weekend yet?
[01:04] xD
[01:05] it's gonna be a long week
[01:05] lol
[01:05] that much fun already, eh ?
[01:05] patdk-lap: got it, will use the 'post' equivalent to sed change the ssh login option, going to laugh if thats the problem
[01:05] https://askubuntu.com/questions/935565/install-openssh-server-package-from-preseed-file
[01:07] heh, duckduckgo is great for privacy, but misses a TON of results to things that google seems to nail xD
[01:07] :|
[01:08] ya, but root-login only creates the root user in /etc/passwd and shadow
[01:08] nothing to do with ssh
[01:08] ahh, id have thought it would have been paired together, honestly
[01:09] I normally use it, but only login to root using console with password, and keys over ssh if I need to for something
[01:09] mainly for syncs and backup or something like that I need root and sudo just isn't cutting it
[06:18] Good morning
[08:41] tomreyn: Hi there! How are you?
[08:42] i am continuing where i stopped yesterday: with your "foreign_packages" section
[08:48] tomreyn: i ran the script and found a number of packages that are "No available version in archive"
[08:48] so i guess that means orphaned?
[08:49] shall i just remove them?
[08:49] https://paste.ubuntu.com/p/2D6GVsK8s5/
[08:59] Pick one of those packages, could you give the output of `apt-cache policy `?
[09:03] https://paste.ubuntu.com/p/pVwS2kKJ7v/
[09:04] Right, looks like left over from several dist-upgrades. `apt-get autoremove` does not mark it for deletion?
[09:04] nope, does not
[09:04] yeah, its a "VERY" old vm
[09:05] i am about to perform the next release upgrade
[09:05] ^^
[09:05] Well, if nothing depends on them they can be removed.
[09:05] looks like
[09:06] You might want to run `apt` with the `-n` flag first, to see what it wants to remove.
[09:06] If the set is larger than what you expect.
[09:08] whats the -n flag?
[09:08] i didnt find it in "man apt"
[09:09] -s for simulate?
[09:09] Ah, that is the one.
[09:09] Haven't used it in a while...
[09:10] no problem
[09:10] well, it tells me that its about to remove the single package that i entered
[09:10] so no dependencies
[09:11] Go for it 😉
[09:11] just created a snapshot to be on the safe side :)
[09:13] ah, found one that would remove more than i want to get removed
[09:13] how do i handle that case, apart from not removing
[09:14] Do you need that other package?
[09:14] As in, is it a program you use?
[09:20] yes
[09:22] In that case you want to see if there is an update for that package available which depends on a newer version (one that is in the repo).
[09:23] its the icinga2 agent and it needs to be on the same version as the server... as far as i got it
[09:26] ah, no. just figured out its from an old icinga2 deployment
[09:26] so... lets remove that
[09:31] That is the easier route 😉
[09:49] is ubuntu LTS a good distro for servers?
[09:50] 'Good' is very subjective. Does it work? Yes.
[09:51] does it break too often because of updates?
[09:52] lordievader: apparently it is more 'unstable'
[09:52] Back when I used it, rarely.
[09:53] LTS more unstable? LTS is meant to be stable.
[09:55] I dont see anything wrong with ubuntu, many people say it is better to run debian as the server os though
[09:55] they say it is more stable, the OS doesn't undergo huge unexpected changes
[09:56] I am not sure how true that is
[09:56] Ubuntu and Debian are largely the same. Ubuntu comes with more packages preinstalled. Which is why I typically prefer Debian.
[09:59] i am looking to install ISPconfig as my web panel
[09:59] it doesn't however install on the newswet debian 10 for whatever reason
[10:00] at least not with nginx
[10:00] there is one guy in ##ispconfig that uses debian 10 with apache and ISPconfig
[10:00] I don't understand how someone picks debian as the OS of choice and apache as the server
[10:01] that got me thinking that maybe choosing ubuntu is not that strange
[10:01] What is wrong with that choice?
[10:03] nothing
[10:03] lordievader: apache is not the fastest
[10:04] Apache can be quite fast if properly configured.
[10:09] https://w3techs.com/blog/entry/ubuntu_became_the_most_popular_linux_distribution_for_web_servers
[10:09] friendlyguy: i think all of these packages can probably be removed. no harm if you snapshotted it.
[10:09] I don't know if ubuntu was the most popular server distro in 2016
[10:10] friendlyguy: be sure to run apt update && apt full-upgrade afterwards since those installations *could* have held newer packages back.
[10:22] tomreyn: i did that went all fine
[10:22] i am currently performing a release upgrade
[10:22] that didnt went too well
[10:28] Does the machine need to be restarted after a distro upgrade? (From one LTS to the next one?)
[10:37] yes
[10:38] at least from 16.04 to 18.04
[10:42] friendlyguy: "didn't went to well" how? did it fail? did you have PPAs?
[10:43] i had problems with systemd-shim (or whatever it was called)
[10:43] but i fixed that by manually renaming a file
[10:46] there's bug 1773859
[10:46] bug 1773859 in systemd (Ubuntu Bionic) "upgrades to 18.04 fail" [Undecided,Triaged] https://launchpad.net/bugs/1773859
[10:51] hmmm. most websites still work
[10:51] i didnt expect that :)
[10:52] interesting, it still tells me to perform a release upgrade to 18.04
[10:52] but lsb_release tells me i am on 18.04 ^^
[12:13] Debian Server vs Ubuntu Server
[12:13] ROUND 1
[12:13] FIGHT
[12:22] emOne: I think you will be perfectly fine with either pick.
[12:23] me too
[12:24] I will stick with Ubuntu
[12:24] depends on what u r running. debian packages are often very old
[12:26] debian 1 : ubuntu 1
[12:26] ROUND 2
[12:26] FIGHT
[12:26] Nah.
=== lotus|i5 is now known as lotuspsychje
[19:16] I'm trying to setup RFC7217-style ipv6.addr-gen-mode stable_privacy addresses, and setting the stable_secret in sysctl doesn't seem to be working. I'm wondering if this is netplan/cloud_init interference, or is there another standard way of doing that?
[19:17] I'm trying to have both RFC4862 style SLAAC privacy addresses, and have my stable address be RFC7217-style non-MAC-based (non-eui64)
=== Xbert is now known as Guest82547
[22:01] what does it mean that I have a bunch of established connections from random locations around the world on sshd
[22:01] one of them is me
[22:02] you reached the internet.
[22:05] emOne: check your auth logs; there's probably hundreds or thousands of failures in there
[22:06] emOne: you can expect a huge number of brute force scans
[22:06] what has me worried is that it says ESTABLISHED
[22:06] emOne: some probably from the irc networks you connect to, to try a handful of usernames/passwords to try to guess if your connection is from a compromised machine or not
[22:06] CP to #ubuntu
[22:07] ta
[22:08] ha yes
[22:09] theyre not recommending 2fa
[22:09] is that bad?
[22:23] emOne: I assume by ESTABLISHED you mean in a tool like netstat; that means there is a TCP/IP connection, and you need that before you can send a password or a key, so it's not unusual
[22:24] netstat -tupn
[22:24] yes
[22:25] these are people trying to hack into badly protected SSH setups
[22:26] http://www.linuxscrew.com/2008/01/18/fun-windows-vs-linux-for-toasters/
[22:26] oops wrong chan lol
[22:26] that was supposed to go into #ubuntu
[22:26] you might want to disable password authentication after checking key authentication works properly
[22:27] JanC is key authentication the default way how big companies log into ssh these days?
[22:28] that or some sort of single-sign-on, I suppose
[22:28] which probably also uses some sort of keys :)
[22:30] if you use keys, make sure the key is encrypted (needs a password to use it) and make sure to have backups of it :)
[22:30] bigger enterprises use an ssh CA with one time signed certs
[22:30] wow
[22:30] but using that for one or a handful of servers is... probably overkill, except for education
[22:31] I feel like private/public keys for ssh is already overkill
[22:31] for personal use, use a yubikey-based ssh key
[22:31] * emOne goes back to his telnet
[22:32] * emOne types his username admin and password ... admin
[22:32] no one is going to guess that O.O
[22:32] analogist: I think some also use Kerberos
[22:32] funny enough I shared this link just an hour ago in another channel https://github.com/cloudtools/ssh-cert-authority
[22:50] emOne: always use a keyfile whenever possible
[22:50] emOne: https://infosec.mozilla.org/guidelines/openssh
[22:50] JanC analogist thanks