[plug] Looking for assistance with a recent Debian upgrade
Joe Aquilina
joe at chem.com.au
Wed Dec 18 13:13:55 AWST 2019
I just did an apt-cache search it shows me this:
linux-headers-4.19.0-6-686 - Header files for Linux 4.19.0-6-686
linux-headers-4.19.0-6-686-pae - Header files for Linux 4.19.0-6-686-pae
linux-headers-4.19.0-6-rt-686-pae - Header files for Linux
4.19.0-6-rt-686-pae
linux-image-4.19.0-6-686-dbg - Debug symbols for linux-image-4.19.0-6-686
linux-image-4.19.0-6-686-pae-dbg - Debug symbols for
linux-image-4.19.0-6-686-pae
linux-image-4.19.0-6-686-pae-unsigned - Linux 4.19 for modern PCs
linux-image-4.19.0-6-686-unsigned - Linux 4.19 for older PCs
linux-image-4.19.0-6-rt-686-pae-dbg - Debug symbols for
linux-image-4.19.0-6-rt-686-pae
linux-image-4.19.0-6-rt-686-pae-unsigned - Linux 4.19 for modern PCs,
PREEMPT_RT
linux-image-i386-signed-template - Template for signed linux-image
packages for i386
linux-image-4.19.0-6-686 - Linux 4.19 for older PCs (signed)
linux-image-4.19.0-6-686-pae - Linux 4.19 for modern PCs (signed)
linux-image-4.19.0-6-rt-686-pae - Linux 4.19 for modern PCs, PREEMPT_RT
(signed)
linux-image-686 - Linux for older PCs (meta-package)
linux-image-686-dbg - Debugging symbols for Linux 686 configuration
(meta-package)
linux-image-686-pae - Linux for modern PCs (meta-package)
linux-image-686-pae-dbg - Debugging symbols for Linux 686-pae
configuration (meta-package)
linux-image-rt-686-pae - Linux for modern PCs (meta-package), PREEMPT_RT
linux-image-rt-686-pae-dbg - Debugging symbols for Linux rt-686-pae
configuration (meta-package)
linux-image-3.16.0-4-686-pae - Linux 3.16 for modern PCs
Is that not showing me that there is a 4.19 PAE branch for buster? Or am
I misinterpreting that output?
I have been reluctant to jump to amd64 on this system because it is a
rather complicated setup, which I am not confident that I could recreate
from scratch if the worst happened. But as you say, perhaps it is time
to do it anyway.
Cheers.
Joe Aquilina
On 18/12/19 12:55 pm, Chris Hoy Poy wrote:
> Ahh you are using the PAE branch , which doesn't have a later kernel
> in Buster
>
> Time to make the jump to amd64 !
>
> /Chris
>
>
>
> On Wed, 18 Dec 2019, 12:52 pm Chris Hoy Poy, <chris at hoypoy.id.au
> <mailto:chris at hoypoy.id.au>> wrote:
>
> Given that other users have reported similiar issues with that
> exact kernel coupled with updated openssl + openssh, you want to
> update that kernel to something a bit more recent.
>
> Should be a straight forward apt-get install <linux-image> from
> memory, as suggested here :
>
> https://wiki.debian.org/HowToUpgradeKernel
>
> It's a pretty safe process these days, though you are making some
> big jumps (3.16 to 4.19.x (Buster latest)) - so have some get out
> of jail cards handy (backups, console access, coffee, etc)
>
>
> If it was just recently upgraded to buster, you shouldn't have any
> issues on latest kernel(s) Being on 686 as opposed to amd64
> (pretty much the default these days, and I guarantee amd64 gets
> better testing with stuff then 686 ! ). I wouldn't mangle that
> unless you feel like a reinstall tho, it should be fine for 99% of
> use cases.
>
> Enjoy
> /Chris
>
>
> On Wed, 18 Dec 2019, 12:41 pm Joe Aquilina, <joe at chem.com.au
> <mailto:joe at chem.com.au>> wrote:
>
> I think that is a default sshd_config. I have tried removing
> (and later purging) it recently and that is pretty much as it
> was after the latest reinstall.
>
> The kernel is an older one, which surprises me. It doesn't
> seem to have been updated as part of the upgrade from stretch
> to buster, which I was expecting to have happened. The kernel
> is still 3.16.0-4-686-pae.
>
> I have never updated a kernel, is there a link to a procedure
> for this? I have found one that suggests using ukuu, but I
> have not been able to install that, there seems to be a
> problem with the repository.
>
> Cheers.
>
> Joe Aquilina
>
>
> On 18/12/19 12:19 pm, Chris Hoy Poy wrote:
>> That line shouldn't bother it (the nologin is fine, you don't
>> want it logging in)
>>
>> I can't see "usePrivilegeSeparation" in that config, it's
>> probably default.
>>
>> How old is the overall install, and has the kernel been
>> upgraded recently?
>>
>> I see a number of recent minor issues around openssl versions
>> + kernel versions
>>
>> Probably want to be a later kernel if possible, just to be sure.
>>
>> https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html
>>
>> https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html
>>
>>
>> On Wed, 18 Dec 2019, 12:05 pm Joe Aquilina, <joe at chem.com.au
>> <mailto:joe at chem.com.au>> wrote:
>>
>> Chris
>>
>> Her is the sshd_config file on the server:
>>
>> $ cat /etc/ssh/sshd_config
>> # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22
>> tj Exp $
>>
>> # This is the sshd server system-wide configuration
>> file. See
>> # sshd_config(5) for more information.
>>
>> # This sshd was compiled with
>> PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>
>> # The strategy used for options in the default
>> sshd_config shipped with
>> # OpenSSH is to specify options with their default value
>> where
>> # possible, but leave them commented. Uncommented
>> options override the
>> # default value.
>>
>> Port 22
>> #AddressFamily any
>> #ListenAddress 0.0.0.0
>> #ListenAddress ::
>>
>> #HostKey /etc/ssh/ssh_host_rsa_key
>> #HostKey /etc/ssh/ssh_host_ecdsa_key
>> #HostKey /etc/ssh/ssh_host_ed25519_key
>>
>> # Ciphers and keying
>> #RekeyLimit default none
>>
>> # Logging
>> #SyslogFacility AUTH
>> #LogLevel INFO
>>
>> # Authentication:
>>
>> #LoginGraceTime 2m
>> #PermitRootLogin prohibit-password
>> AllowUsers joe
>> #StrictModes yes
>> #MaxAuthTries 6
>> #MaxSessions 10
>>
>> #PubkeyAuthentication yes
>>
>> # Expect .ssh/authorized_keys2 to be disregarded by
>> default in future.
>> #AuthorizedKeysFile .ssh/authorized_keys
>> .ssh/authorized_keys2
>>
>> #AuthorizedPrincipalsFile none
>>
>> #AuthorizedKeysCommand none
>> #AuthorizedKeysCommandUser nobody
>>
>> # For this to work you will also need host keys in
>> /etc/ssh/ssh_known_hosts
>> #HostbasedAuthentication no
>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>> # HostbasedAuthentication
>> #IgnoreUserKnownHosts no
>> # Don't read the user's ~/.rhosts and ~/.shosts files
>> #IgnoreRhosts yes
>>
>> # To disable tunneled clear text passwords, change to no
>> here!
>> #PasswordAuthentication yes
>> #PermitEmptyPasswords no
>>
>> # Change to yes to enable challenge-response passwords
>> (beware issues with
>> # some PAM modules and threads)
>> ChallengeResponseAuthentication no
>>
>> # Kerberos options
>> #KerberosAuthentication no
>> #KerberosOrLocalPasswd yes
>> #KerberosTicketCleanup yes
>> #KerberosGetAFSToken no
>>
>> # GSSAPI options
>> #GSSAPIAuthentication no
>> #GSSAPICleanupCredentials yes
>> #GSSAPIStrictAcceptorCheck yes
>> #GSSAPIKeyExchange no
>>
>> # Set this to 'yes' to enable PAM authentication, account
>> processing,
>> # and session processing. If this is enabled, PAM
>> authentication will
>> # be allowed through the ChallengeResponseAuthentication and
>> # PasswordAuthentication. Depending on your PAM
>> configuration,
>> # PAM authentication via ChallengeResponseAuthentication
>> may bypass
>> # the setting of "PermitRootLogin without-password".
>> # If you just want the PAM account and session checks to
>> run without
>> # PAM authentication, then enable this but set
>> PasswordAuthentication
>> # and ChallengeResponseAuthentication to 'no'.
>> UsePAM yes
>> UseLogin no
>>
>> #AllowAgentForwarding yes
>> #AllowTcpForwarding yes
>> #GatewayPorts no
>> X11Forwarding yes
>> #X11DisplayOffset 10
>> #X11UseLocalhost yes
>> #PermitTTY yes
>> PrintMotd no
>> #PrintLastLog yes
>> #TCPKeepAlive yes
>> #PermitUserEnvironment no
>> #Compression delayed
>> #ClientAliveInterval 0
>> #ClientAliveCountMax 3
>> #UseDNS no
>> #PidFile /var/run/sshd.pid
>> #MaxStartups 10:30:100
>> #PermitTunnel no
>> #ChrootDirectory none
>> #VersionAddendum none
>>
>> # no default banner path
>> #Banner none
>>
>> # Allow client to pass locale environment variables
>> AcceptEnv LANG LC_*
>>
>> # override default of no subsystems
>> Subsystem sftp /usr/lib/openssh/sftp-server
>>
>> # Example of overriding settings on a per-user basis
>> #Match User anoncvs
>> # X11Forwarding no
>> # AllowTcpForwarding no
>> # PermitTTY no
>> # ForceCommand cvs server
>>
>> I just checked the passwd file on the server and both
>> accounts I use to login finish with /bin/bash. However, I
>> also noticed that the last line of the passwd file looks
>> like this:
>>
>> sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>>
>> Looking at the passwd file from a backup done before the
>> upgrade, and when ssh logins were working, this line is a
>> recent addition - it does not appear in past instances of
>> the passwd file. Is this the cause of my problems? Can I
>> simply delete this line and try again?
>>
>> Cheers.
>>
>> Joe Aquilina
>>
>>
>> On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>>> Hey Joe,
>>>
>>> Can you check what "usePrivilegeSeparation" is defined
>>> as in the server sshd_config is ?
>>>
>>> Cheers
>>> /Chris
>>>
>>> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina,
>>> <joe at chem.com.au <mailto:joe at chem.com.au>> wrote:
>>>
>>> sestatus and getenforce both show selinux as disabled.
>>>
>>> There is already another account that is
>>> occasionally used to login to the server - it fails
>>> exactly the same as my (joe) account. I don't
>>> believe that any scripts at login.
>>>
>>> And yes I did edit the output to protect the
>>> "guilty" ... replaced the real server name with
>>> <server> and the server's IP address. I presumed
>>> that is what was requested when it was suggested
>>> that I post a sanitised copy of the login attempt
>>> output.
>>>
>>> Cheers.
>>>
>>> Joe Aquilina
>>>
>>> On 18/12/19 11:08 am, mike wrote:
>>>> On 18/12/2019 10:43, Joe Aquilina wrote:
>>>>> I have no idea about selinux, whether it is
>>>>> installed/enabled. How do I check that and disable
>>>>> it if necessary, and then re-enable?
>>>>
>>>> sestatus orgetenforce
>>>>
>>>> If file not found then not in use.
>>>>
>>>> Are you removing details from the output? IE:
>>>> Authenticated to <server> ([ip.address of server]:22).
>>>>
>>>> Mine says
>>>> debug1: Authentication succeeded (publickey).
>>>> Authenticated to nos ([10.222.0.4]:22).
>>>>
>>>> Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>>>
>>>> What user are you trying to login as?
>>>>
>>>> Are you running any scripts at login that may be failing?
>>>>
>>>> Have you tried another user?
>>>>
>>>> Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>>>
>>>> --
>>>> 'ooroo
>>>>
>>>> Mike...(:)-)
>>>> ---------------------------------------------------
>>>> Email:mike at wolf-rock.com <mailto:mike at wolf-rock.com> o
>>>> You need only two tools. o /////
>>>> A hammer and duct tape. If it /@ `\ /) ~
>>>> doesn't move and it should use > (O) X< ~ Fish!!
>>>> the hammer. If it moves and `\___/' \) ~
>>>> shouldn't, use the tape. \\\
>>>> ---------------------------------------------------
>>>
>>>
>>> --
>>> Joe Aquilina
>>> Central Chemical Consulting Pty Ltd
>>> PO Box 2546 Malaga WA 6944 Australia
>>> 1/11 Narloo St Malaga 6090 Australia
>>> Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
>>> joe at chem.com.au <mailto:joe at chem.com.au> www.chem.com.au <http://www.chem.com.au>
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> <mailto:plug at plug.org.au>
>>> http://lists.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.org.au
>>> <mailto:committee at plug.org.au>
>>> PLUG Membership: http://www.plug.org.au/membership
>>>
>>
>> --
>> Joe Aquilina
>> Central Chemical Consulting Pty Ltd
>> PO Box 2546 Malaga WA 6944 Australia
>> 1/11 Narloo St Malaga 6090 Australia
>> Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
>> joe at chem.com.au <mailto:joe at chem.com.au> www.chem.com.au <http://www.chem.com.au>
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> <mailto:plug at plug.org.au>
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> <mailto:committee at plug.org.au>
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
> --
> Joe Aquilina
> Central Chemical Consulting Pty Ltd
> PO Box 2546 Malaga WA 6944 Australia
> 1/11 Narloo St Malaga 6090 Australia
> Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
> joe at chem.com.au <mailto:joe at chem.com.au> www.chem.com.au <http://www.chem.com.au>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> <mailto:committee at plug.org.au>
> PLUG Membership: http://www.plug.org.au/membership
>
--
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
joe at chem.com.au www.chem.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/1084e2f1/attachment.html>
More information about the plug
mailing list