Re: [gentoo-user] Disabling ssh password login on all accounts?

2020-08-11 Thread Neil Bothwick
On Tue, 11 Aug 2020 15:14:35 -0400, Walter Dnes wrote:

> Match Address !192.168.1.0/24
>   DenyUsers *
> 
>   One more question... does sshd_config follow the python convention
> that indenting with spaces or tabs denotes a "block"?

No, the Match line defines the start of a block that continues until the
start of the next block or the end of the file.


-- 
Neil Bothwick

This is a test of the emergency tagline stealing system.




Re: [gentoo-user] What is faster: amd64 or x86?

2020-08-11 Thread Grant Taylor

On 8/11/20 10:37 AM, Gregor A. „schlumpi“ Segner wrote:

> it’s total nonsense today to install a 32bit kernel on a 64Bit machine.


I can see some value in having a 32-bit /only/ system if you /must/ 
support 32-bit software with no need for 64-bit and would like to avoid 
the complexity of multi-lib.




--
Grant. . . .
unix || die



Re: [gentoo-user] Disabling ssh password login on all accounts?

2020-08-11 Thread Walter Dnes
On Tue, Aug 11, 2020 at 01:51:59PM +0100, Victor Ivanov wrote

> Yes that's one of the options you need to disable. The other one is
> "ChallengeResponseAuthentication" which will also disable PAM-based
> authentication (which may include passwords). So you should have the
> following global settings in /etc/ssh/sshd_config:
> 
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponseAuthentication no

  Victor (and Gerrit), in package.mask, I have...

sys-apps/pv
sys-auth/pambase
sys-libs/pam
virtual/pam

  Does that work as well?  Let's just say that years ago, when PAM was
the default on a new install, one of the first things I did after a
fresh install was to remove PAM.  It caused more problems than it was
worth.  "Everything you know is wrong".  man pages and Google searches
for programs would point to the non-PAM version, with different config
files and settings.  It was an absolute pain.

  As for "pv", I occasionally fat-finger things as "emerge pv fubar",
when I actually want to "emerge -pv fubar".  emerge will attempt to
install pv and any other package(s) on the commandline.

> If you so wish, you can also have configurations based on IP address
> and/or network. It can be useful as a "fallback" mechanism from trusted
> clients, e.g.:
> 
> Match Address 192.168.1.0/24
> PasswordAuthentication yes

  Here at home, I can walk 6 feet to the laptop if necessary so no need.
Let's be paranoid and assume that evil characters are scanning RFC 1918
addresses on Wifi networks at the coffee shop or wherever.  BTW, the
only addresses I allow via iptables are the 192.168.1.0/24 range.

  One more level of defense-in-depth.  In case iptables fails due to an
"update", is it possible to "deny all except 192.168.1.0/24" in
sshd_config?  Looking at Google, I think it would be something like...

Match Address !192.168.1.0/24
  DenyUsers *

  One more question... does sshd_config follow the python convention
that indenting with spaces or tabs denotes a "block"?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications
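
The Match-block behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of how sshd_config is split into a global section and Match blocks (indentation ignored, a block runs to the next Match line or end of file) and which value applies to a given client address. It models only `Match Address <pattern-list>`, with CIDR entries and `*`; the sample config is constructed from the settings quoted above. Per the PATTERNS section of ssh_config(5), a pattern list containing only negated entries never matches, so the sample includes both `!192.168.1.0/24` and `*,!192.168.1.0/24` to show the difference.

```python
import ipaddress

# Constructed sample built from the settings quoted in this thread; indentation varies on purpose.
SAMPLE = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.168.1.0/24
PasswordAuthentication yes
Match Address !192.168.1.0/24
      DenyUsers *
Match Address *,!192.168.1.0/24
  DenyUsers *
"""

def parse_blocks(text):
    """Return [(criteria or None, {keyword: value})]; entry 0 is the global section."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()                      # indentation carries no meaning
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "match":          # a Match line opens a new block
            blocks.append((value, {}))
        else:                                   # first value seen for a keyword wins
            blocks[-1][1].setdefault(keyword.lower(), value)
    return blocks

def address_matches(patterns, client):
    """A negated hit vetoes the match; at least one positive hit is required."""
    ip, positive = ipaddress.ip_address(client), False
    for pat in patterns.split(","):
        net = pat.lstrip("!")
        hit = net == "*" or ip in ipaddress.ip_network(net)
        if hit and pat.startswith("!"):
            return False
        positive = positive or hit
    return positive

def matching_blocks(text, client):
    """Match blocks that apply to this client (only 'Match Address <list>' is modelled)."""
    return [(crit, kv) for crit, kv in parse_blocks(text)[1:]
            if address_matches(crit.split(None, 1)[1], client)]

def effective(text, keyword, client):
    """First matching Match block that sets the keyword wins, else the global value."""
    layers = [kv for _, kv in matching_blocks(text, client)] + [parse_blocks(text)[0][1]]
    return next((kv[keyword.lower()] for kv in layers if keyword.lower() in kv), None)
```

On a real host, sshd's extended test mode (`sshd -T`, with `-C` to supply connection parameters such as the client address) prints the settings sshd itself would apply.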



Re: [gentoo-user] What is faster: amd64 or x86?

2020-08-11 Thread Gregor A. „schlumpi“ Segner
Hi everybody,

dafuq what in... not sure what we should answer, it’s total nonsense today to 
install a 32bit kernel on a 64Bit machine. Really.

The difference between 32 and 64Bit architecture is _not_ computing speed.

--
Gregor A. „schlumpi“ Segner

> On Tuesday, Aug. 11, 2020 at 4:55 PM, Sid Spry  (mailto:s...@aeam.us)> wrote:
>
>
> On Tue, Aug 11, 2020, at 11:41 AM, Remco Rijnders wrote:
> > On Mon, Aug 10, 2020 at 07:46:36PM -0400, Jack wrote in
> > <46fdde47-4437-5aa4-926d-e42aaed8e...@users.sourceforge.net>:
> > > > On Mon, Aug 10, 2020, at 1:19 PM, Никита Степанов wrote:
> > > > > What is faster: amd64 or x86?
> > >
> > > Nikita, what are you really asking about? Or, are you just looking to
> > > stir the pot?
> >
> > I think the intended or underlying question was: Should I use the x86
> > or amd64 boot media to install Gentoo on my system?
> >
> > And I think the appropriate answer almost always is amd64 if the system
> > supports it. I can see exceptions on severely memory constrained
> > systems or if you need to mainly run software that can only run in 32
> > bit, but both seem rather uncommon to me.
> >
>
> The appropriate answer is always amd64. The last I looked at benchmarks
> was quite a long time ago, but I think there is improvement to running
> 32 bit programs inside a 64 bit OS. The newer chips are more than just a
> new instruction set. They contain a lot of machinery to make boring things,
> like context switching, faster.
>


Re: [gentoo-user] What is faster: amd64 or x86?

2020-08-11 Thread Sid Spry



On Tue, Aug 11, 2020, at 11:41 AM, Remco Rijnders wrote:
> On Mon, Aug 10, 2020 at 07:46:36PM -0400, Jack wrote in 
> <46fdde47-4437-5aa4-926d-e42aaed8e...@users.sourceforge.net>:
> >>On Mon, Aug 10, 2020, at 1:19 PM, Никита Степанов wrote:
> >>>What is faster: amd64 or x86?
> >
> >Nikita, what are you really asking about? Or, are you just looking to 
> >stir the pot?
> 
> I think the intended or underlying question was: Should I use the x86
> or amd64 boot media to install Gentoo on my system?
> 
> And I think the appropriate answer almost always is amd64 if the system
> supports it. I can see exceptions on severely memory constrained
> systems or if you need to mainly run software that can only run in 32
> bit, but both seem rather uncommon to me.
> 

The appropriate answer is always amd64. The last I looked at benchmarks
was quite a long time ago, but I think there is improvement to running
32 bit programs inside a 64 bit OS. The newer chips are more than just a
new instruction set. They contain a lot of machinery to make boring things,
like context switching, faster.



Re: [gentoo-user] ebuild : how to check for python version

2020-08-11 Thread Mike Gilbert
On Tue, Aug 11, 2020 at 9:38 AM Helmut Jarausch  wrote:
>
> On 08/11/2020 03:08:16 PM, Mike Gilbert wrote:
> > On Sun, Aug 2, 2020 at 10:47 AM Helmut Jarausch
> > <_ j_ a_ r_ a_ u_ s_ c_ h_ @_ s_ k_ y_ n_ e_ t_ ._ b_ e> wrote:
> >  Hi,
> >  in an ebuild I have to apply a patch only if this package is
> >  installed
> >  for python3.9.
> >  The ebuild should work for PYTHON_COMPAT=( python3_{8,9} )
> >
> >  How can I check for Python's version in src_prepare or similar
> >  functions.
> >
> >  Many thanks for a hint,
> >  Helmut
> >
> > I would suggest creating a patch that can be applied unconditionally
> > instead.
> >
>
> That would imply different function definitions within an 'if / else'
> clause.
> I don't like this.
>

What will you do when someone wants/needs to install it for both
python3.8 and python3.9 simultaneously?

If you want to support both versions, it's better to have code that
actually works with both of them.



Re: [gentoo-user] ebuild : how to check for python version

2020-08-11 Thread Helmut Jarausch

On 08/11/2020 03:08:16 PM, Mike Gilbert wrote:
> On Sun, Aug 2, 2020 at 10:47 AM Helmut Jarausch
> <_j_a_r_a_u_s_c_h_@_s_k_y_n_e_t_._b_e> wrote:
> > Hi,
> > in an ebuild I have to apply a patch only if this package is
> > installed for python3.9.
> > The ebuild should work for PYTHON_COMPAT=( python3_{8,9} )
> >
> > How can I check for Python's version in src_prepare or similar
> > functions.
> >
> > Many thanks for a hint,
> > Helmut
>
> I would suggest creating a patch that can be applied unconditionally
> instead.

That would imply different function definitions within an 'if / else'
clause.
I don't like this.



Re: [gentoo-user] External hard drive and idle activity

2020-08-11 Thread Dale
Wols Lists wrote:
> On 04/08/20 08:42, Wols Lists wrote:
>> Both LVM and btrfs offer snapshotting, so you take a snapshot before
>> doing an in-place rsync, giving you one full backup per snapshot, but
>> the drive is actually only storing the changes between snapshots.
>> Probably run the backup much faster too.
> Just strikes me this would be near ideal for an SMR drive, because this
> would be copy-on-write, so the backup would just be streaming new data
> to disk.
>
> And by judiciously choosing when to delete snapshots, you have
> considerable control over when the drive decides to do a defrag.
>
> Cheers,
> Wol
>
>


I've never used those features of LVM before.  Most likely, I should. 
I've had occasion to do a backup and then wish I had an old file back
that was deleted during the new backup process.  Example.  I have a copy
of a video for a particular show.  I find a better version, HD or
something, and download it.  I then remove the old one and find out
shortly after that it's the wrong episode or something.  At that point,
I'm missing an episode.  I'd rather have a standard definition version
than none at all.  I suspect doing it the way you mention I'd be able to
get that old copy back provided that snapshot hasn't been deleted yet. 
The way I do it now, once I update the backups, old stuff is deleted. 

Also, I just did another fairly large update on the backups.  Once it
hit around 50GBs or so, it started slowing down again.  It was even
slower than last time.  It was transferring at around 70MBs/sec.  Of
course, it could be partly because that drive is filling up.  It's
around 80% or so. 

Anyway.  I need to look into the snapshot thing.  Gotta find a howto.  ;-)

Dale

:-)  :-) 


Re: [gentoo-user] ebuild : how to check for python version

2020-08-11 Thread Mike Gilbert
On Sun, Aug 2, 2020 at 10:47 AM Helmut Jarausch  wrote:

> Hi,
> in an ebuild I have to apply a patch only if this package is installed
> for python3.9.
> The ebuild should work for PYTHON_COMPAT=( python3_{8,9} )
>
> How can I check for Python's version in src_prepare or similar functions.
>
> Many thanks for a hint,
> Helmut
>

I would suggest creating a patch that can be applied unconditionally
instead.


Re: [gentoo-user] Disabling ssh password login on all accounts?

2020-08-11 Thread Gerrit Kuehn


On Tue, 11 Aug 2020 06:21:26 -0400
"Walter Dnes"  wrote:

> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> 
>   Is that correct?  If not, what is the correct setting to change?

You might also want to set to "No" the following ones:
ChallengeResponseAuthentication
UsePAM


cu
  Gerrit



Re: [gentoo-user] Disabling ssh password login on all accounts?

2020-08-11 Thread Victor Ivanov
On 11/08/2020 11:21, Walter Dnes wrote:
>   The one service I have listening for external connections on my laptop
> is sshd (192.168.1.0/24).  Before taking it anywhere, I want to prohibit
> password-based login for *ALL* accounts, not just root.  This would
> require users to be listed in ~/.ssh/authorized_keys.  Looking through
> /etc/ssh/sshd_config I *THINK* that I need to set "no" at...
> 
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> 
>   Is that correct?  If not, what is the correct setting to change?
> 
Hi Walter,

Yes that's one of the options you need to disable. The other one is
"ChallengeResponseAuthentication" which will also disable PAM-based
authentication (which may include passwords). So you should have the
following global settings in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

PubkeyAuthentication should default to "yes" but it doesn't hurt to
explicitly set it in case the defaults ever change.

If you so wish, you can also have configurations based on IP address
and/or network. It can be useful as a "fallback" mechanism from trusted
clients, e.g.:

Match Address 192.168.1.0/24
PasswordAuthentication yes


- Victor





Re: [gentoo-user] What is faster: amd64 or x86?

2020-08-11 Thread Remco Rijnders
On Mon, Aug 10, 2020 at 07:46:36PM -0400, Jack wrote in 
<46fdde47-4437-5aa4-926d-e42aaed8e...@users.sourceforge.net>:

> > On Mon, Aug 10, 2020, at 1:19 PM, Никита Степанов wrote:
> > > What is faster: amd64 or x86?
>
> Nikita, what are you really asking about? Or, are you just looking to
> stir the pot?


I think the intended or underlying question was: Should I use the x86
or amd64 boot media to install Gentoo on my system?

And I think the appropriate answer almost always is amd64 if the system
supports it. I can see exceptions on severely memory constrained
systems or if you need to mainly run software that can only run in 32
bit, but both seem rather uncommon to me.



[gentoo-user] Disabling ssh password login on all accounts?

2020-08-11 Thread Walter Dnes
  The one service I have listening for external connections on my laptop
is sshd (192.168.1.0/24).  Before taking it anywhere, I want to prohibit
password-based login for *ALL* accounts, not just root.  This would
require users to be listed in ~/.ssh/authorized_keys.  Looking through
/etc/ssh/sshd_config I *THINK* that I need to set "no" at...

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes

  Is that correct?  If not, what is the correct setting to change?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications