[plug] Looking for assistance with a recent Debian upgrade

Joe Aquilina joe at chem.com.au
Wed Dec 18 13:13:55 AWST 2019


I just did an apt-cache search and it shows me this:

linux-headers-4.19.0-6-686 - Header files for Linux 4.19.0-6-686
linux-headers-4.19.0-6-686-pae - Header files for Linux 4.19.0-6-686-pae
linux-headers-4.19.0-6-rt-686-pae - Header files for Linux 4.19.0-6-rt-686-pae
linux-image-4.19.0-6-686-dbg - Debug symbols for linux-image-4.19.0-6-686
linux-image-4.19.0-6-686-pae-dbg - Debug symbols for linux-image-4.19.0-6-686-pae
linux-image-4.19.0-6-686-pae-unsigned - Linux 4.19 for modern PCs
linux-image-4.19.0-6-686-unsigned - Linux 4.19 for older PCs
linux-image-4.19.0-6-rt-686-pae-dbg - Debug symbols for linux-image-4.19.0-6-rt-686-pae
linux-image-4.19.0-6-rt-686-pae-unsigned - Linux 4.19 for modern PCs, PREEMPT_RT
linux-image-i386-signed-template - Template for signed linux-image packages for i386
linux-image-4.19.0-6-686 - Linux 4.19 for older PCs (signed)
linux-image-4.19.0-6-686-pae - Linux 4.19 for modern PCs (signed)
linux-image-4.19.0-6-rt-686-pae - Linux 4.19 for modern PCs, PREEMPT_RT (signed)
linux-image-686 - Linux for older PCs (meta-package)
linux-image-686-dbg - Debugging symbols for Linux 686 configuration (meta-package)
linux-image-686-pae - Linux for modern PCs (meta-package)
linux-image-686-pae-dbg - Debugging symbols for Linux 686-pae configuration (meta-package)
linux-image-rt-686-pae - Linux for modern PCs (meta-package), PREEMPT_RT
linux-image-rt-686-pae-dbg - Debugging symbols for Linux rt-686-pae configuration (meta-package)
linux-image-3.16.0-4-686-pae - Linux 3.16 for modern PCs

Is that not showing me that there is a 4.19 PAE branch for buster? Or am 
I misinterpreting that output?

I have been reluctant to jump to amd64 on this system because it is a 
rather complicated setup, which I am not confident that I could recreate 
from scratch if the worst happened. But as you say, perhaps it is time 
to do it anyway.

Cheers.

Joe Aquilina


On 18/12/19 12:55 pm, Chris Hoy Poy wrote:
> Ahh you are using the PAE branch, which doesn't have a later kernel 
> in Buster
>
> Time to make the jump to amd64 !
>
> /Chris
>
>
>
> On Wed, 18 Dec 2019, 12:52 pm Chris Hoy Poy, <chris at hoypoy.id.au> wrote:
>
>     Given that other users have reported similar issues with that
>     exact kernel coupled with updated openssl + openssh, you want to
>     update that kernel to something a bit more recent.
>
>     Should be a straightforward apt-get install <linux-image> from
>     memory, as suggested here :
>
>     https://wiki.debian.org/HowToUpgradeKernel
>
>     It's a pretty safe process these days, though you are making some
>     big jumps (3.16 to 4.19.x (Buster latest)) - so have some get out
>     of jail cards handy (backups, console access, coffee, etc)
>
>
>     If it was just recently upgraded to buster, you shouldn't have any
>     issues on latest kernel(s) Being on 686 as opposed to amd64
>     (pretty much the default these days, and I guarantee amd64 gets
>     better testing with stuff than 686 ! ). I wouldn't mangle that
>     unless you feel like a reinstall tho, it should be fine for 99% of
>     use cases.
>
>     Enjoy
>     /Chris
>
>
>     On Wed, 18 Dec 2019, 12:41 pm Joe Aquilina, <joe at chem.com.au> wrote:
>
>         I think that is a default sshd_config. I have tried removing
>         (and later purging) it recently and that is pretty much as it
>         was after the latest reinstall.
>
>         The kernel is an older one, which surprises me. It doesn't
>         seem to have been updated as part of the upgrade from stretch
>         to buster, which I was expecting to have happened. The kernel
>         is still 3.16.0-4-686-pae.
>
>         I have never updated a kernel, is there a link to a procedure
>         for this? I have found one that suggests using ukuu, but I
>         have not been able to install that, there seems to be a
>         problem with the repository.
>
>         Cheers.
>
>         Joe Aquilina
>
>
>         On 18/12/19 12:19 pm, Chris Hoy Poy wrote:
>>         That line shouldn't bother it (the nologin is fine, you don't
>>         want it logging in)
>>
>>         I can't see "usePrivilegeSeparation" in that config, it's
>>         probably default.
>>
>>         How old is the overall install, and has the kernel been
>>         upgraded recently?
>>
>>         I see a number of recent minor issues around openssl versions
>>         + kernel versions
>>
>>         Probably want to be a later kernel if possible, just to be sure.
>>
>>         https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html
>>
>>         https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html
>>
>>
>>         On Wed, 18 Dec 2019, 12:05 pm Joe Aquilina, <joe at chem.com.au> wrote:
>>
>>             Chris
>>
>>             Here is the sshd_config file on the server:
>>
>>             $ cat /etc/ssh/sshd_config
>>             #       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>>
>>             # This is the sshd server system-wide configuration file.  See
>>             # sshd_config(5) for more information.
>>
>>             # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>
>>             # The strategy used for options in the default sshd_config shipped with
>>             # OpenSSH is to specify options with their default value where
>>             # possible, but leave them commented.  Uncommented options override the
>>             # default value.
>>
>>             Port 22
>>             #AddressFamily any
>>             #ListenAddress 0.0.0.0
>>             #ListenAddress ::
>>
>>             #HostKey /etc/ssh/ssh_host_rsa_key
>>             #HostKey /etc/ssh/ssh_host_ecdsa_key
>>             #HostKey /etc/ssh/ssh_host_ed25519_key
>>
>>             # Ciphers and keying
>>             #RekeyLimit default none
>>
>>             # Logging
>>             #SyslogFacility AUTH
>>             #LogLevel INFO
>>
>>             # Authentication:
>>
>>             #LoginGraceTime 2m
>>             #PermitRootLogin prohibit-password
>>             AllowUsers joe
>>             #StrictModes yes
>>             #MaxAuthTries 6
>>             #MaxSessions 10
>>
>>             #PubkeyAuthentication yes
>>
>>             # Expect .ssh/authorized_keys2 to be disregarded by default in future.
>>             #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
>>
>>             #AuthorizedPrincipalsFile none
>>
>>             #AuthorizedKeysCommand none
>>             #AuthorizedKeysCommandUser nobody
>>
>>             # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>>             #HostbasedAuthentication no
>>             # Change to yes if you don't trust ~/.ssh/known_hosts for
>>             # HostbasedAuthentication
>>             #IgnoreUserKnownHosts no
>>             # Don't read the user's ~/.rhosts and ~/.shosts files
>>             #IgnoreRhosts yes
>>
>>             # To disable tunneled clear text passwords, change to no here!
>>             #PasswordAuthentication yes
>>             #PermitEmptyPasswords no
>>
>>             # Change to yes to enable challenge-response passwords (beware issues with
>>             # some PAM modules and threads)
>>             ChallengeResponseAuthentication no
>>
>>             # Kerberos options
>>             #KerberosAuthentication no
>>             #KerberosOrLocalPasswd yes
>>             #KerberosTicketCleanup yes
>>             #KerberosGetAFSToken no
>>
>>             # GSSAPI options
>>             #GSSAPIAuthentication no
>>             #GSSAPICleanupCredentials yes
>>             #GSSAPIStrictAcceptorCheck yes
>>             #GSSAPIKeyExchange no
>>
>>             # Set this to 'yes' to enable PAM authentication, account processing,
>>             # and session processing. If this is enabled, PAM authentication will
>>             # be allowed through the ChallengeResponseAuthentication and
>>             # PasswordAuthentication. Depending on your PAM configuration,
>>             # PAM authentication via ChallengeResponseAuthentication may bypass
>>             # the setting of "PermitRootLogin without-password".
>>             # If you just want the PAM account and session checks to run without
>>             # PAM authentication, then enable this but set PasswordAuthentication
>>             # and ChallengeResponseAuthentication to 'no'.
>>             UsePAM yes
>>             UseLogin no
>>
>>             #AllowAgentForwarding yes
>>             #AllowTcpForwarding yes
>>             #GatewayPorts no
>>             X11Forwarding yes
>>             #X11DisplayOffset 10
>>             #X11UseLocalhost yes
>>             #PermitTTY yes
>>             PrintMotd no
>>             #PrintLastLog yes
>>             #TCPKeepAlive yes
>>             #PermitUserEnvironment no
>>             #Compression delayed
>>             #ClientAliveInterval 0
>>             #ClientAliveCountMax 3
>>             #UseDNS no
>>             #PidFile /var/run/sshd.pid
>>             #MaxStartups 10:30:100
>>             #PermitTunnel no
>>             #ChrootDirectory none
>>             #VersionAddendum none
>>
>>             # no default banner path
>>             #Banner none
>>
>>             # Allow client to pass locale environment variables
>>             AcceptEnv LANG LC_*
>>
>>             # override default of no subsystems
>>             Subsystem       sftp /usr/lib/openssh/sftp-server
>>
>>             # Example of overriding settings on a per-user basis
>>             #Match User anoncvs
>>             #       X11Forwarding no
>>             #       AllowTcpForwarding no
>>             #       PermitTTY no
>>             #       ForceCommand cvs server
>>
>>             I just checked the passwd file on the server and both
>>             accounts I use to login finish with /bin/bash. However, I
>>             also noticed that the last line of the passwd file looks
>>             like this:
>>
>>             sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>>
>>             Looking at the passwd file from a backup done before the
>>             upgrade, and when ssh logins were working, this line is a
>>             recent addition - it does not appear in past instances of
>>             the passwd file. Is this the cause of my problems? Can I
>>             simply delete this line and try again?
>>
>>             Cheers.
>>
>>             Joe Aquilina
>>
>>
>>             On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>>>             Hey Joe,
>>>
>>>             Can you check what "usePrivilegeSeparation" is defined
>>>             as in the server sshd_config?
>>>
>>>             Cheers
>>>             /Chris
>>>
>>>             On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au> wrote:
>>>
>>>                 sestatus and getenforce both show selinux as disabled.
>>>
>>>                 There is already another account that is
>>>                 occasionally used to login to the server - it fails
>>>                 exactly the same as my (joe) account. I don't
>>>                 believe that any scripts run at login.
>>>
>>>                 And yes I did edit the output to protect the
>>>                 "guilty" ... replaced the real server name with
>>>                 <server> and the server's IP address. I presumed
>>>                 that is what was requested when it was suggested
>>>                 that I post a sanitised copy of the login attempt
>>>                 output.
>>>
>>>                 Cheers.
>>>
>>>                 Joe Aquilina
>>>
>>>                 On 18/12/19 11:08 am, mike wrote:
>>>>                 On 18/12/2019 10:43, Joe Aquilina wrote:
>>>>>                 I have no idea about selinux, whether it is
>>>>>                 installed/enabled. How do I check that and disable
>>>>>                 it if necessary, and then re-enable?
>>>>
>>>>                 sestatus or getenforce
>>>>
>>>>                 If file not found then not in use.
>>>>
>>>>                 Are you removing details from the output? IE:
>>>>                 Authenticated to <server> ([ip.address of server]:22).
>>>>
>>>>                 Mine says
>>>>                 debug1: Authentication succeeded (publickey).
>>>>                 Authenticated to nos ([10.222.0.4]:22).
>>>>
>>>>                 Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>>>
>>>>                 What user are you trying to login as?
>>>>
>>>>                 Are you running any scripts at login that may be failing?
>>>>
>>>>                 Have you tried another user?
>>>>
>>>>                 Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>>>
>>>>                 -- 
>>>>                 'ooroo
>>>>
>>>>                 Mike...(:)-)
>>>>                 ---------------------------------------------------
>>>>                 Email:mike at wolf-rock.com  <mailto:mike at wolf-rock.com>          o
>>>>                 You need only two tools.        o /////
>>>>                 A hammer and duct tape. If it    /@   `\  /) ~
>>>>                 doesn't move and it should use  >  (O)  X<  ~  Fish!!
>>>>                 the hammer. If it moves and      `\___/'  \) ~
>>>>                 shouldn't, use the tape.           \\\
>>>>                 ---------------------------------------------------
>>>
>>>
>>>                 -- 
>>>                 Joe Aquilina
>>>                 Central Chemical Consulting Pty Ltd
>>>                 PO Box 2546 Malaga WA 6944 Australia
>>>                 1/11 Narloo St Malaga 6090 Australia
>>>                 Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
>>>                 joe at chem.com.au  <mailto:joe at chem.com.au>   www.chem.com.au  <http://www.chem.com.au>	
>>>
>>>                 _______________________________________________
>>>                 PLUG discussion list: plug at plug.org.au
>>>                 <mailto:plug at plug.org.au>
>>>                 http://lists.plug.org.au/mailman/listinfo/plug
>>>                 Committee e-mail: committee at plug.org.au
>>>                 <mailto:committee at plug.org.au>
>>>                 PLUG Membership: http://www.plug.org.au/membership
>>>
>>
>>
>
>

-- 
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
joe at chem.com.au  www.chem.com.au
