[plug] Looking for assistance with a recent Debian upgrade

Chris Hoy Poy chris at hoypoy.id.au
Wed Dec 18 12:55:58 AWST 2019 

Ahh you are using the PAE branch , which doesn't have a later kernel in
Buster

Time to make the jump to amd64 !

/Chris



On Wed, 18 Dec 2019, 12:52 pm Chris Hoy Poy, <chris at hoypoy.id.au> wrote:

> Given that other users have reported similiar issues with that exact
> kernel coupled with updated openssl + openssh, you want to update that
> kernel to something a bit more recent.
>
> Should be a straight forward apt-get install <linux-image> from memory, as
> suggested here :
>
> https://wiki.debian.org/HowToUpgradeKernel
>
> It's a pretty safe process these days, though you are making some big
> jumps (3.16 to 4.19.x (Buster latest)) - so have some get out of jail cards
> handy (backups, console access, coffee, etc)
>
>
> If it was just recently upgraded to buster, you shouldn't have any issues
> on latest kernel(s) Being on 686 as opposed to amd64 (pretty much the
> default these days, and I guarantee amd64 gets better testing with stuff
> then 686 ! ). I wouldn't mangle that unless you feel like a reinstall tho,
> it should be fine for 99% of use cases.
>
> Enjoy
> /Chris
>
>
> On Wed, 18 Dec 2019, 12:41 pm Joe Aquilina, <joe at chem.com.au> wrote:
>
>> I think that is a default sshd_config. I have tried removing (and later
>> purging) it recently and that is pretty much as it was after the latest
>> reinstall.
>>
>> The kernel is an older one, which surprises me. It doesn't seem to have
>> been updated as part of the upgrade from stretch to buster, which I was
>> expecting to have happened. The kernel is still 3.16.0-4-686-pae.
>>
>> I have never updated a kernel, is there a link to a procedure for this? I
>> have found one that suggests using ukuu, but I have not been able to
>> install that, there seems to be a problem with the repository.
>>
>> Cheers.
>>
>> Joe Aquilina
>>
>>
>> On 18/12/19 12:19 pm, Chris Hoy Poy wrote:
>>
>> That line shouldn't bother it (the nologin is fine, you don't want it
>> logging in)
>>
>> I can't see "usePrivilegeSeparation" in that config, it's probably
>> default.
>>
>> How old is the overall install, and has the kernel been upgraded recently?
>>
>> I see a number of recent minor issues around openssl versions + kernel
>> versions
>>
>> Probably want to be a later kernel if possible, just to be sure.
>>
>> https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html
>>
>> https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html
>>
>>
>> On Wed, 18 Dec 2019, 12:05 pm Joe Aquilina, <joe at chem.com.au> wrote:
>>
>>> Chris
>>>
>>> Her is the sshd_config file on the server:
>>>
>>> $ cat /etc/ssh/sshd_config
>>> #       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>>>
>>> # This is the sshd server system-wide configuration file.  See
>>> # sshd_config(5) for more information.
>>>
>>> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>>
>>> # The strategy used for options in the default sshd_config shipped with
>>> # OpenSSH is to specify options with their default value where
>>> # possible, but leave them commented.  Uncommented options override the
>>> # default value.
>>>
>>> Port 22
>>> #AddressFamily any
>>> #ListenAddress 0.0.0.0
>>> #ListenAddress ::
>>>
>>> #HostKey /etc/ssh/ssh_host_rsa_key
>>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>>
>>> # Ciphers and keying
>>> #RekeyLimit default none
>>>
>>> # Logging
>>> #SyslogFacility AUTH
>>> #LogLevel INFO
>>>
>>> # Authentication:
>>>
>>> #LoginGraceTime 2m
>>> #PermitRootLogin prohibit-password
>>> AllowUsers joe
>>> #StrictModes yes
>>> #MaxAuthTries 6
>>> #MaxSessions 10
>>>
>>> #PubkeyAuthentication yes
>>>
>>> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
>>> #AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
>>>
>>> #AuthorizedPrincipalsFile none
>>>
>>> #AuthorizedKeysCommand none
>>> #AuthorizedKeysCommandUser nobody
>>>
>>> # For this to work you will also need host keys in
>>> /etc/ssh/ssh_known_hosts
>>> #HostbasedAuthentication no
>>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>>> # HostbasedAuthentication
>>> #IgnoreUserKnownHosts no
>>> # Don't read the user's ~/.rhosts and ~/.shosts files
>>> #IgnoreRhosts yes
>>>
>>> # To disable tunneled clear text passwords, change to no here!
>>> #PasswordAuthentication yes
>>> #PermitEmptyPasswords no
>>>
>>> # Change to yes to enable challenge-response passwords (beware issues
>>> with
>>> # some PAM modules and threads)
>>> ChallengeResponseAuthentication no
>>>
>>> # Kerberos options
>>> #KerberosAuthentication no
>>> #KerberosOrLocalPasswd yes
>>> #KerberosTicketCleanup yes
>>> #KerberosGetAFSToken no
>>>
>>> # GSSAPI options
>>> #GSSAPIAuthentication no
>>> #GSSAPICleanupCredentials yes
>>> #GSSAPIStrictAcceptorCheck yes
>>> #GSSAPIKeyExchange no
>>>
>>> # Set this to 'yes' to enable PAM authentication, account processing,
>>> # and session processing. If this is enabled, PAM authentication will
>>> # be allowed through the ChallengeResponseAuthentication and
>>> # PasswordAuthentication.  Depending on your PAM configuration,
>>> # PAM authentication via ChallengeResponseAuthentication may bypass
>>> # the setting of "PermitRootLogin without-password".
>>> # If you just want the PAM account and session checks to run without
>>> # PAM authentication, then enable this but set PasswordAuthentication
>>> # and ChallengeResponseAuthentication to 'no'.
>>> UsePAM yes
>>> UseLogin no
>>>
>>> #AllowAgentForwarding yes
>>> #AllowTcpForwarding yes
>>> #GatewayPorts no
>>> X11Forwarding yes
>>> #X11DisplayOffset 10
>>> #X11UseLocalhost yes
>>> #PermitTTY yes
>>> PrintMotd no
>>> #PrintLastLog yes
>>> #TCPKeepAlive yes
>>> #PermitUserEnvironment no
>>> #Compression delayed
>>> #ClientAliveInterval 0
>>> #ClientAliveCountMax 3
>>> #UseDNS no
>>> #PidFile /var/run/sshd.pid
>>> #MaxStartups 10:30:100
>>> #PermitTunnel no
>>> #ChrootDirectory none
>>> #VersionAddendum none
>>>
>>> # no default banner path
>>> #Banner none
>>>
>>> # Allow client to pass locale environment variables
>>> AcceptEnv LANG LC_*
>>>
>>> # override default of no subsystems
>>> Subsystem       sftp    /usr/lib/openssh/sftp-server
>>>
>>> # Example of overriding settings on a per-user basis
>>> #Match User anoncvs
>>> #       X11Forwarding no
>>> #       AllowTcpForwarding no
>>> #       PermitTTY no
>>> #       ForceCommand cvs server
>>>
>>> I just checked the passwd file on the server and both accounts I use to
>>> login finish with /bin/bash. However, I also noticed that the last line of
>>> the passwd file looks like this:
>>>
>>> sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>>>
>>> Looking at the passwd file from a backup done before the upgrade, and
>>> when ssh logins were working, this line is a recent addition - it does not
>>> appear in past instances of the passwd file. Is this the cause of my
>>> problems? Can I simply delete this line and try again?
>>>
>>> Cheers.
>>>
>>> Joe Aquilina
>>>
>>>
>>> On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>>>
>>> Hey Joe,
>>>
>>> Can you check what "usePrivilegeSeparation" is defined as in the server
>>> sshd_config is ?
>>>
>>> Cheers
>>> /Chris
>>>
>>> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au> wrote:
>>>
>>>> sestatus and getenforce both show selinux as disabled.
>>>>
>>>> There is already another account that is occasionally used to login to
>>>> the server - it fails exactly the same as my (joe) account. I don't believe
>>>> that any scripts at login.
>>>>
>>>> And yes I did edit the output to protect the "guilty" ... replaced the
>>>> real server name with <server> and the server's IP address. I presumed that
>>>> is what was requested when it was suggested that I post a sanitised copy of
>>>> the login attempt output.
>>>>
>>>> Cheers.
>>>>
>>>> Joe Aquilina
>>>>
>>>> On 18/12/19 11:08 am, mike wrote:
>>>>
>>>> On 18/12/2019 10:43, Joe Aquilina wrote:
>>>>
>>>> I have no idea about selinux, whether it is installed/enabled. How do I
>>>> check that and disable it if necessary, and then re-enable?
>>>>
>>>>
>>>> sestatus or getenforce
>>>>
>>>> If file not found then not in use.
>>>>
>>>> Are you removing details from the output? IE:
>>>> Authenticated to <server> ([ip.address of server]:22).
>>>>
>>>> Mine says
>>>> debug1: Authentication succeeded (publickey).
>>>> Authenticated to nos ([10.222.0.4]:22).
>>>>
>>>> Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>>>
>>>> What user are you trying to login as?
>>>>
>>>> Are you running any scripts at login that may be failing?
>>>>
>>>> Have you tried another user?
>>>>
>>>> Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>>>
>>>>
>>>> --
>>>> 'ooroo
>>>>
>>>> Mike...(:)-)
>>>> ---------------------------------------------------
>>>> Email: mike at wolf-rock.com         o
>>>> You need only two tools.        o /////
>>>> A hammer and duct tape. If it    /@   `\  /) ~
>>>> doesn't move and it should use  >  (O)  X<  ~  Fish!!
>>>> the hammer. If it moves and      `\___/'  \) ~
>>>> shouldn't, use the tape.           \\\
>>>> ---------------------------------------------------
>>>>
>>>>
>>>> --
>>>> Joe Aquilina
>>>> Central Chemical Consulting Pty Ltd
>>>> PO Box 2546 Malaga WA 6944 Australia
>>>> 1/11 Narloo St Malaga 6090 Australia
>>>> Tel: +61  8 9248 2739  Fax: +61  8 9248 2749joe at chem.com.au  www.chem.com.au	
>>>>
>>>> _______________________________________________
>>>> PLUG discussion list: plug at plug.org.au
>>>> http://lists.plug.org.au/mailman/listinfo/plug
>>>> Committee e-mail: committee at plug.org.au
>>>> PLUG Membership: http://www.plug.org.au/membership
>>>
>>>
>>> --
>>> Joe Aquilina
>>> Central Chemical Consulting Pty Ltd
>>> PO Box 2546 Malaga WA 6944 Australia
>>> 1/11 Narloo St Malaga 6090 Australia
>>> Tel: +61  8 9248 2739  Fax: +61  8 9248 2749joe at chem.com.au  www.chem.com.au
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> http://lists.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.org.au
>>> PLUG Membership: http://www.plug.org.au/membership
>>
>>
>> --
>> Joe Aquilina
>> Central Chemical Consulting Pty Ltd
>> PO Box 2546 Malaga WA 6944 Australia
>> 1/11 Narloo St Malaga 6090 Australia
>> Tel: +61  8 9248 2739  Fax: +61  8 9248 2749joe at chem.com.au  www.chem.com.au
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/fe2efd6e/attachment.html>

More information about the plug mailing list